- PDNS_BUILD_PRODUCT=auth
- PDNS_BUILD_PRODUCT=recursor
- PDNS_BUILD_PRODUCT=dnsdist
- - PDNS_BUILD_PRODUCT=docs
matrix:
exclude:
- - compiler: clang
- env: PDNS_BUILD_PRODUCT=docs
- compiler: clang
env: PDNS_BUILD_PRODUCT=recursor
include:
run "sudo chmod 755 /etc/authbind/byport/53"
}
-install_docs() {
- ### documentation requirements
- run "sudo apt-get -qq --no-install-recommends install \
- pandoc \
- xmlto"
-
- # documentation test requirements
- run "virtualenv $HOME/.venv"
- run "source $HOME/.venv/bin/activate"
- run "pip install -q pandocfilters==1.2.3 mkdocs==0.14 linkchecker==9.3 click==5.1 requests==2.9.2"
- run "deactivate"
-}
-
install_recursor() {
# recursor test requirements / setup
run "sudo apt-get -qq --no-install-recommends install \
}
-build_docs() {
- run "./bootstrap"
- run "source $HOME/.venv/bin/activate"
- run "./configure --disable-dependency-tracking --with-modules='' --with-dyn-modules=''"
- run "make -C docs"
- run "deactivate"
-}
-
test_auth() {
run "make -j3 check"
run "test -f pdns/test-suite.log && cat pdns/test-suite.log || true"
run "cd .."
}
-test_docs() {
- run "source $HOME/.venv/bin/activate"
- run "make -C docs check-links"
- run " deactivate"
-}
-
test_dnsdist(){
run "cd regression-tests.dnsdist"
run "DNSDISTBIN=$HOME/dnsdist/bin/dnsdist ./runtests -v"
PDNS_WITH_SQLITE3
-PDNS_CHECK_PANDOC
+PDNS_CHECK_VIRTUALENV
PDNS_FROM_GIT
dnl Checks for library functions.
/*.[0-9]
/Makefile
/Makefile.in
+/.venv
+/html-docs
+/*.pdf
+/latex
+/doctrees
+html-docs.tar.bz2
+/mans
+++ /dev/null
-# Dockerfile for building the markdown docs
-#
-# example usage:
-# docs/$ docker build -t pdns-mkdocs .
-# docs/$ docker run -t -i -v $(pwd)/..:/pdns pdns-mkdocs bash
-# root@07d38c7f88a5:/# useradd -u 1000 peter
-# root@07d38c7f88a5:/# su - peter
-# No directory, logging in with HOME=/
-# $ bash
-# peter@07d38c7f88a5:/$ cd /pdns/docs
-# peter@07d38c7f88a5:/pdns/docs$ make html/index.html
-#
-
-FROM ubuntu:14.04
-RUN apt-get update
-RUN apt-get -y install git build-essential vim-tiny pandoc python-pip
-RUN pip install pandocfilters mkdocs
+++ /dev/null
--- -*- snmpv2 -*-
--- ----------------------------------------------------------------------
--- MIB file for PowerDNS Recursor
--- ----------------------------------------------------------------------
-
-PDNSRECURSOR-MIB DEFINITIONS ::= BEGIN
-
-IMPORTS
- OBJECT-TYPE, MODULE-IDENTITY, enterprises,
- Counter64, NOTIFICATION-TYPE
- FROM SNMPv2-SMI
- CounterBasedGauge64
- FROM HCNUM-TC
- OBJECT-GROUP, MODULE-COMPLIANCE, NOTIFICATION-GROUP
- FROM SNMPv2-CONF;
-
-rec MODULE-IDENTITY
- LAST-UPDATED "201611290000Z"
- ORGANIZATION "PowerDNS BV"
- CONTACT-INFO "support@powerdns.com"
- DESCRIPTION
- "This MIB module describes information gathered through PowerDNS Recursor."
-
- REVISION "201611290000Z"
- DESCRIPTION "Initial revision."
-
- ::= { powerdns 2 }
-
-powerdns OBJECT IDENTIFIER ::= { enterprises 43315 }
-
-stats OBJECT IDENTIFIER ::= { rec 1 }
-
-questions OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of questions"
- ::= { stats 1 }
-
-ipv6Questions OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of IPv6 questions"
- ::= { stats 2 }
-
-tcpQuestions OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of TCP questions"
- ::= { stats 3 }
-
-cacheHits OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of cache hits"
- ::= { stats 4 }
-
-cacheMisses OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of cache misses"
- ::= { stats 5 }
-
-cacheEntries OBJECT-TYPE
- SYNTAX CounterBasedGauge64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of cache entries"
- ::= { stats 6 }
-
-cacheBytes OBJECT-TYPE
- SYNTAX CounterBasedGauge64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Size of the cache in bytes"
- ::= { stats 7 }
-
-packetcacheHits OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of packetcache hits"
- ::= { stats 8 }
-
-packetcacheMisses OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of packetcache misses"
- ::= { stats 9 }
-
-packetcacheEntries OBJECT-TYPE
- SYNTAX CounterBasedGauge64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of packetcache entries"
- ::= { stats 10 }
-
-packetcacheBytes OBJECT-TYPE
- SYNTAX CounterBasedGauge64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Size of the packetcache in bytes"
- ::= { stats 11 }
-
-mallocBytes OBJECT-TYPE
- SYNTAX CounterBasedGauge64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of bytes allocated by malloc"
- ::= { stats 12 }
-
-servfailAnswers OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of servfail answers"
- ::= { stats 13 }
-
-nxdomainAnswers OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of nxdomain answers"
- ::= { stats 14 }
-
-noerrorAnswers OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of noerror answers"
- ::= { stats 15 }
-
-unauthorizedUdp OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of unauthorized UDP queries"
- ::= { stats 16 }
-
-unauthorizedTcp OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of unauthorized TCP queries"
- ::= { stats 17 }
-
-tcpClientOverflow OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of TCP client connections refused because of too many connections"
- ::= { stats 18 }
-
-clientParseErrors OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of client parse errors"
- ::= { stats 19 }
-
-serverParseErrors OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of server parse errors"
- ::= { stats 20 }
-
-tooOldDrops OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of responses dropped because of a timeout"
- ::= { stats 21 }
-
-answers01 OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of queries answered in less than 1 ms"
- ::= { stats 22 }
-
-answers110 OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of queries answered in 1-10 ms"
- ::= { stats 23 }
-
-answers10100 OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of queries answered in 10-100 ms"
- ::= { stats 24 }
-
-answers1001000 OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of queries answered in 100-1000 ms"
- ::= { stats 25 }
-
-answersSlow OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of queries answered in more than 1000 ms"
- ::= { stats 26 }
-
-auth4Answers01 OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of IPv4 queries answered in less than 1 ms"
- ::= { stats 27 }
-
-auth4Answers110 OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of IPv4 queries answered in 1-10 ms"
- ::= { stats 28 }
-
-auth4Answers10100 OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of IPv4 queries answered in 10-100 ms"
- ::= { stats 29 }
-
-auth4Answers1001000 OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of IPv4 queries answered in 100-1000 ms"
- ::= { stats 30 }
-
-auth4Answersslow OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of IPv4 queries answered in more than 1000 ms"
- ::= { stats 31 }
-
-auth6Answers01 OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of IPv6 queries answered in less than 1 ms"
- ::= { stats 32 }
-
-auth6Answers110 OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of IPv6 queries answered in 1-10 ms"
- ::= { stats 33 }
-
-auth6Answers10100 OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of IPv6 queries answered in 10-100 ms"
- ::= { stats 34 }
-
-auth6Answers1001000 OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of IPv6 queries answered in 100-1000 ms"
- ::= { stats 35 }
-
-auth6AnswersSlow OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of IPv6 queries answered in more than 1000 ms"
- ::= { stats 36 }
-
-qaLatency OBJECT-TYPE
- SYNTAX CounterBasedGauge64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Average latency in microseconds"
- ::= { stats 37 }
-
-unexpectedPackets OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of unexpected packets"
- ::= { stats 38 }
-
-caseMismatches OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of case mismatches"
- ::= { stats 39 }
-
-spoofPrevents OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of spoof prevents"
- ::= { stats 40 }
-
-nssetInvalidations OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of nsset invalidations"
- ::= { stats 41 }
-
-resourceLimits OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of resolution aborted because of a local resource limit"
- ::= { stats 42 }
-
-overCapacityDrops OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of queries dropped because the threads limit was reached"
- ::= { stats 43 }
-
-policyDrops OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of queries dropped because of a policy"
- ::= { stats 44 }
-
-noPacketError OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of noPacketError"
- ::= { stats 45 }
-
-dlgOnlyDrops OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of records dropped because of they belonged to a delegation-only zone"
- ::= { stats 46 }
-
-ignoredPackets OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of ignored packets"
- ::= { stats 47 }
-
-maxMthreadStack OBJECT-TYPE
- SYNTAX CounterBasedGauge64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Maximum size of the Mthread stack"
- ::= { stats 48 }
-
-negcacheEntries OBJECT-TYPE
- SYNTAX CounterBasedGauge64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of negcache entries"
- ::= { stats 49 }
-
-throttleEntries OBJECT-TYPE
- SYNTAX CounterBasedGauge64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of throttle entries"
- ::= { stats 50 }
-
-nsspeedsEntries OBJECT-TYPE
- SYNTAX CounterBasedGauge64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of nsspeeds entries"
- ::= { stats 51 }
-
-failedHostEntries OBJECT-TYPE
- SYNTAX CounterBasedGauge64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of failed host entries"
- ::= { stats 52 }
-
-concurrentQueries OBJECT-TYPE
- SYNTAX CounterBasedGauge64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of concurrent queries"
- ::= { stats 53 }
-
-securityStatus OBJECT-TYPE
- SYNTAX CounterBasedGauge64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Current security status"
- ::= { stats 54 }
-
-outgoingTimeouts OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of outgoing timeouts"
- ::= { stats 55 }
-
-outgoing4Timeouts OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of IPv4 outgoing timeouts"
- ::= { stats 56 }
-
-outgoing6Timeouts OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of IPv6 outgoing timeouts"
- ::= { stats 57 }
-
-tcpOutqueries OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of outgoing TCP queries sent"
- ::= { stats 58 }
-
-allOutqueries OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of outgoing queries sent"
- ::= { stats 59 }
-
-ipv6Outqueries OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of IPv6 outgoing queries sent"
- ::= { stats 60 }
-
-throttledOutqueries OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of throttled outgoing queries"
- ::= { stats 61 }
-
-dontOutqueries OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of outgoing queries not sent because of a 'dont-query' setting"
- ::= { stats 62 }
-
-unreachables OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of errors due to an unreachable server"
- ::= { stats 63 }
-
-chainResends OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of chain resends"
- ::= { stats 64 }
-
-tcpClients OBJECT-TYPE
- SYNTAX CounterBasedGauge64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of TCP clients"
- ::= { stats 65 }
-
-udpRecvbufErrors OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of UDP recvbuf errors (Linux only)"
- ::= { stats 66 }
-
-udpSndbufErrors OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of UDP sndbuf errors (Linux only)"
- ::= { stats 67 }
-
-udpNoportErrors OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of UDP noport errors (Linux only)"
- ::= { stats 68 }
-
-udpinErrors OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of UDP in errors (Linux only)"
- ::= { stats 69 }
-
-ednsPingMatches OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of EDNS Ping matches"
- ::= { stats 70 }
-
-ednsPingMismatches OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of EDNS Ping mismatches"
- ::= { stats 71 }
-
-dnssecQueries OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of DNSSEC queries"
- ::= { stats 72 }
-
-nopingOutqueries OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of outgoing queries w/o ping"
- ::= { stats 73 }
-
-noednsOutqueries OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of outgoing queries w/o EDNS"
- ::= { stats 74 }
-
-uptime OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Process uptime in seconds"
- ::= { stats 75 }
-
-realMemoryUsage OBJECT-TYPE
- SYNTAX CounterBasedGauge64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Memory usage"
- ::= { stats 76 }
-
-fdUsage OBJECT-TYPE
- SYNTAX CounterBasedGauge64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "File descriptors usage"
- ::= { stats 77 }
-
-userMsec OBJECT-TYPE
- SYNTAX CounterBasedGauge64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "CPU usage (user) in ms"
- ::= { stats 78 }
-
-sysMsec OBJECT-TYPE
- SYNTAX CounterBasedGauge64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "CPU usage (system) in ms"
- ::= { stats 79 }
-
-dnssecValidations OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of DNSSEC validations"
- ::= { stats 80 }
-
-dnssecResultInsecure OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of DNSSEC insecure results"
- ::= { stats 81 }
-
-dnssecResultSecure OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of DNSSEC secure results"
- ::= { stats 82 }
-
-dnssecResultBogus OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of DNSSEC bogus results"
- ::= { stats 83 }
-
-dnssecResultIndeterminate OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of DNSSEC indeterminate results"
- ::= { stats 84 }
-
-dnssecResultNta OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of DNSSEC NTA results"
- ::= { stats 85 }
-
-policyResultNoaction OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of policy-mandated no-action results"
- ::= { stats 86 }
-
-policyResultDrop OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of policy-mandated drops"
- ::= { stats 87 }
-
-policyResultNxdomain OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of policy-mandated NXdomain results"
- ::= { stats 88 }
-
-policyResultNodata OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of policy-mandated nodata results"
- ::= { stats 89 }
-
-policyResultTruncate OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of policy-mandated truncate results"
- ::= { stats 90 }
-
-policyResultCustom OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of policy-mandated custom results"
- ::= { stats 91 }
-
----
---- Traps / Notifications
----
-
-trap OBJECT IDENTIFIER ::= { rec 10 }
-traps OBJECT IDENTIFIER ::= { trap 0 } --- reverse-mappable
-trapObjects OBJECT IDENTIFIER ::= { rec 11 }
-
-trapReason OBJECT-TYPE
- SYNTAX OCTET STRING
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Reason for this trap"
- ::= { trapObjects 1 }
-
-customTrap NOTIFICATION-TYPE
- OBJECTS {
- trapReason
- }
- STATUS current
- DESCRIPTION "Trap sent by sendCustomTrap"
- ::= { traps 1 }
-
----
---- Conformance
----
-
-recConformance OBJECT IDENTIFIER ::= { rec 100 }
-
-recCompliances MODULE-COMPLIANCE
- STATUS current
- DESCRIPTION "PowerDNS Recursor compliance statement"
- MODULE
- MANDATORY-GROUPS {
- recGroup,
- recTrapsGroup
- }
- ::= { recConformance 1 }
-
-recGroup OBJECT-GROUP
- OBJECTS {
- questions,
- ipv6Questions,
- tcpQuestions,
- cacheHits,
- cacheMisses,
- cacheEntries,
- cacheBytes,
- packetcacheHits,
- packetcacheMisses,
- packetcacheEntries,
- packetcacheBytes,
- mallocBytes,
- servfailAnswers,
- nxdomainAnswers,
- noerrorAnswers,
- unauthorizedUdp,
- unauthorizedTcp,
- tcpClientOverflow,
- clientParseErrors,
- serverParseErrors,
- tooOldDrops,
- answers01,
- answers110,
- answers10100,
- answers1001000,
- answersSlow,
- auth4Answers01,
- auth4Answers110,
- auth4Answers10100,
- auth4Answers1001000,
- auth4Answersslow,
- auth6Answers01,
- auth6Answers110,
- auth6Answers10100,
- auth6Answers1001000,
- auth6AnswersSlow,
- qaLatency,
- unexpectedPackets,
- caseMismatches,
- spoofPrevents,
- nssetInvalidations,
- resourceLimits,
- overCapacityDrops,
- policyDrops,
- noPacketError,
- dlgOnlyDrops,
- ignoredPackets,
- maxMthreadStack,
- negcacheEntries,
- throttleEntries,
- nsspeedsEntries,
- failedHostEntries,
- concurrentQueries,
- securityStatus,
- outgoingTimeouts,
- outgoing4Timeouts,
- outgoing6Timeouts,
- tcpOutqueries,
- allOutqueries,
- ipv6Outqueries,
- throttledOutqueries,
- dontOutqueries,
- unreachables,
- chainResends,
- tcpClients,
- udpRecvbufErrors,
- udpSndbufErrors,
- udpNoportErrors,
- udpinErrors,
- ednsPingMatches,
- ednsPingMismatches,
- dnssecQueries,
- nopingOutqueries,
- noednsOutqueries,
- uptime,
- realMemoryUsage,
- fdUsage,
- userMsec,
- sysMsec,
- dnssecValidations,
- dnssecResultInsecure,
- dnssecResultSecure,
- dnssecResultBogus,
- dnssecResultIndeterminate,
- dnssecResultNta,
- policyResultNoaction,
- policyResultDrop,
- policyResultNxdomain,
- policyResultNodata,
- policyResultTruncate,
- policyResultCustom,
- trapReason
- }
- STATUS current
- DESCRIPTION "Objects conformance group for PowerDNS Recursor"
- ::= { recConformance 2 }
-
-recTrapsGroup NOTIFICATION-GROUP
- NOTIFICATIONS {
- customTrap
- }
- STATUS current
- DESCRIPTION "Traps conformance group for PowerDNS Recursor"
- ::= { recConformance 3 }
-
-END
-MANPAGES_TARGET_AUTH = pdns_server.1 \
+MAIN_MANS = pdns_server.1 \
pdns_control.1 \
pdnsutil.1 \
zone2json.1 \
zone2ldap.1 \
zone2sql.1
+MANPAGES_INSTALL = $(MAIN_MANS)
+MANPAGES_DIST = $(MAIN_MANS)
+
MANPAGES_TARGET_TOOLS = calidns.1 \
dnsgram.1 \
dnsreplay.1 \
saxfr.1 \
sdig.1
+MANPAGES_DIST += $(MANPAGES_TARGET_TOOLS) \
+ dnsbulktest.1 \
+ dnstcpbench.1 \
+ dnspcap2protobuf.1
+
if HAVE_BOOST_GE_148
-MANPAGES_TARGET_TOOLS += dnsbulktest.1 \
+MANPAGES_INSTALL += dnsbulktest.1 \
dnstcpbench.1
endif
if HAVE_PROTOBUF
if HAVE_PROTOC
-MANPAGES_TARGET_TOOLS += dnspcap2protobuf.1
+MANPAGES_INSTALL += dnspcap2protobuf.1
endif
endif
-EXTRA_DIST = manpages markdown/*.md markdown/appendix markdown/authoritative markdown/common markdown/httpapi markdown/recursor markdown/security markdown/tools $(MANPAGES_TARGET_AUTH) $(MANPAGES_TARGET_TOOLS)
-
-# Figure out the manpages to build/install
-MANPAGES_TARGET_ALL=$(MANPAGES_TARGET_AUTH)
-man_MANS = $(MANPAGES_TARGET_AUTH)
-
if TOOLS
-MANPAGES_TARGET_ALL += $(MANPAGES_TARGET_TOOLS)
-man_MANS += $(MANPAGES_TARGET_TOOLS)
+MANPAGES_INSTALL += $(MANPAGES_TARGET_TOOLS)
endif
-all-manpages: $(MANPAGES_TARGET_ALL)
+man_MANS = $(MANPAGES_INSTALL)
-# If we can't rebuild the manpages, don't allow creation or deletion
-if HAVE_PANDOC
-$(MANPAGES_TARGET_ALL): %: manpages/%.md
- $(PANDOC) -s -t man $< -o $@
+EXTRA_DIST = $(MANPAGES_DIST)
-clean:
- rm -rf html html.tar.bz2 *.8 *.1
-else
+if HAVE_VIRTUALENV
if !HAVE_MANPAGES
-$(MANPAGES_TARGET_ALL):
- @echo "Pandoc is required to build $@"
-endif
-endif
+$(MANPAGES_DIST): %: manpages/%.rst .venv
+ .venv/bin/python -msphinx -b man . mans $<
+ mv mans/$@ $@
+endif # if !HAVE_MANPAGES
+
+.venv: requirements.txt
+ virtualenv .venv
+ .venv/bin/pip install -r requirements.txt
+
+html-docs: common/** manpages/** .venv
+ .venv/bin/python -msphinx -b html . html-docs
-# HTML documentation
-html: html/index.html
-
-if FROM_GIT
-html/index.html: process-md.sh mkdocs.yml markdown/** markdown/*/** manpages/*
- mkdir -p doc-build
- rsync -a --delete markdown/. doc-build/.
- cp -r manpages doc-build/
- ./process-md.sh pre
- mkdocs build --clean
- ./process-md.sh post
-
-html.tar.bz2: html
- tar cjf html.tar.bz2 html/
-
-check-links: html
- ./checklinks.sh
-
-publish: html html.tar.bz2
- rsync -crv --no-p --chmod=g=rwX --exclude '*~' ./html/ web1.powerdns.com:/srv/www/doc.powerdns.com/md
- rsync -crv --no-p --chmod=g=rwX --exclude '*~' ./html.tar.bz2 web1.powerdns.com:/srv/www/doc.powerdns.com/html.tar.bz2
-else
-html/index.html:
- @echo "Building the documentation HTML is only"
- @echo "supported from a git checkout"
+latex/PowerDNS-Authoritative.pdf: common/** manpages/** .venv
+ .venv/bin/python -msphinx -M latexpdf . .
+
+PowerDNS-Authoritative.pdf: latex/PowerDNS-Authoritative.pdf
+ mv $< $@
+
+html-docs.tar.bz2: html-docs
+ tar cjf $@ $<
+
+all-docs: PowerDNS-Authoritative.pdf html-docs html-docs.tar.bz2
+
+upload-docs: all-docs
+ rsync -crv --delete --no-p --chmod=g=rwX --exclude '*~' ./html-docs/ web1.powerdns.com:/srv/www/doc.powerdns.com/authoritative/
+ rsync -crv --no-p --chmod=g=rwX --exclude '*~' ./html-docs.tar.bz2 web1.powerdns.com:/srv/www/doc.powerdns.com/authoritative/
+ rsync -crv --no-p --chmod=g=rwX --exclude '*~' ./PowerDNS-Authoritative.pdf web1.powerdns.com:/srv/www/doc.powerdns.com/authoritative/
+
+else # if HAVE_VIRTUALENV
+$(dist_MANS):
+ echo "You need virtualenv to generate the manpages"
+ exit 1
+
+PowerDNS-Authoritative.pdf:
+ echo "You need virtualenv to generate the PDF"
+ exit 1
+
+html-docs:
+ echo "You need virtualenv to generate the HTML docs"
+ exit 1
endif
-.PHONY: html all-manpages
+
+++ /dev/null
-# The ALIAS record
-
-## Rationale
-It is frequent practice to use CNAME records to direct Internet traffic,
-for example to a CDN. This works well for 'www.example.com', but it does not
-work at the apex of a zone. Currently there are many ad-hoc solutions for this
-problem. This document attempts to document the solution we chose, in hopes
-that interoperability might be achieved.
-
-## Semantics
-The ALIAS record leads authoritative servers to synthesize A or AAAA records
-in case these are not present. The source of the synthesized A or AAAA
-record is specified by the target of the ALIAS record.
-
-ALIAS records, like wildcards, synthesize responses, and are not returned themselves
-unless explicitly queried for.
-
-If a query comes in for the A or AAAA type of a label, but no such type is
-matched, but there is an ALIAS type for that name, a server supporting the
-ALIAS record will return A or AAAA records with addresses associated with the
-target of the ALIAS.
-
-Similarly, if an ANY query arrives for the name, all records from the local store
-for that name are returned, plus the A and AAAA types associated with the ALIAS
-record's target.
-
-As an example:
-
-```
-$ORIGIN example.com
-@ IN SOA ns1 ahu 2014091619 7200 3600 1209600 3600
-@ IN NS ns1
-@ IN NS ns2
-www IN CNAME xs.powerdns.com.
-ns1 IN A 1.2.3.4
-ns2 IN A 4.3.2.1
-@ IN ALIAS www.powerdns.com.
-@ IN MX 25 outpost.ds9a.nl.
-serv IN CNAME @
-```
-
-A query for the A record of example.com has no match in the local store, but there
-is an ALIAS record. In this case, the authoritative server synthesizes an A record
-based on the IPv4 address of www.powerdns.com which was retrieved earlier.
-
-The same applies, mutatis mutandis, for a query for the AAAA record of example.com.
-
-It should be noted that if www.powerdns.com is itself a CNAME chain to A or
-AAAA records, the data returned should be sourced from the eventual A and
-AAAA records. The intermediate CNAMEs should not be returned.
-
-A query for the A of serv.example.com gets normal CNAME processing, and then similarly
-hits the ALIAS record, and returns the synthesized A record for example.com.
-
-A query for the SRV record of example.com will return NODATA, since ALIAS records do
-not synthesize to anything but A and AAAA records.
-
-Finally, a query for ANY for example.com will return the SOA, NS and ALIAS records,
-in addition to any synthesized A and AAAA records matching the IPv4 and IPv6 addresses
-of www.powerdns.com.
-
-The TTL of the synthesized record is the minimum of the TTL on the ALIAS record and the TTL of
-the origin IPv4 or IPv6 addresses.
-
-## NXDOMAIN and NODATA handling
-If the server encounters a NODATA response when retrieving the target's IPv4 or IPv6 addresses,
-a similar NODATA response should be synthesized, in other words, we pretend the ALIAS record
-was not even present.
-
-For an NXDOMAIN response, no similar response is possible, since this would imply that the
-label does not exist, which it does because it has an ALIAS record. So an NXDOMAIN on the ALIAS
-target is presented just like the NODATA situation.
-
-## Failures to lookup the ALIAS target
-Any failures to lookup the ALIAS target's addresses lead to NODATA.
-
-## DNSSEC processing
-If the zone is signed with DNSSEC, the synthesized records will need to be signed too, since
-answers would otherwise be rejected as BOGUS.
-
-An authoritative server is encouraged to perform DNSSEC validation when retrieving the IPv4
-and IPv6 records associated with the target of the ALIAS record.
-
-## Implementation details
-Authoritative servers can either periodically refresh the ALIAS records, or they can look them
-up and cache them as queries come in.
-
-In the PowerDNS implementation, a query with an ALIAS record inside is stored, and a query
-is sent to a defined resolver to gather the A and/or AAAA records. Normal PowerDNS operations
-then resume, until the resolver returns an answer, which is added to the stored packet,
-which is then returned to the original requestor. The result is also cached.
-
-Other implementations might employ periodic 'flattening' to achieve the same effect statically.
-
-## AXFR of ALIAS records
-ALIAS records are AXFRed without further processing, where it should be noted that
-this only makes sense if the retrieving server is also capable of doing ALIAS processing.
-
-## EDNS Subnet
-Authoritative servers sometimes give out different answers based on the IP
-address of the resolver asking. As a further refinement, some resolvers can
-pass along (part) of the actual stub-resolver asking the question, and base
-its answer on that 'real' address.
-
-For ALIAS processing, implementors are encouraged to pass along or use all
-knowledge of the remote client IP address when retrieving A or AAAA records.
-
-## Resolver processing
-Resolvers are not expected to perform processing on ALIAS records. In fact, except when
-querying for ALIAS records directly, or doing an ANY lookup, in normal operations,
-resolver will never see ALIAS records. Compare to the handling of wildcards, which are also
-not expanded by resolvers.
+++ /dev/null
-## The PowerDNS Web/JSON/RESTful APIs
-In order to remotely control PowerDNS, both Authoritative Server and Recursor, various non-web means are available, like pdns_control
-and rec_control.
-
-In addition, recent versions of PowerDNS can be controlled via a JSON API that is available over the web.
-
-To make use of this API, there is a Python, flask, based web application called 'pdnscontrol', which is hosted on https://github.com/PowerDNS/pdnscontrol . pdnscontrol also contains pdns2graphite which sets up a bridge between our statistics and graphite.
-
-Finally, there is a program called 'pdnsmgrd' that also provides an API for stopping PowerDNS, starting it, installing new versions etc.
-
-The JSON API supports JSON and JSONp.
-
-To get you started, try on the Authoritative Server:
-
- $ curl http://127.0.0.1:8081/jsonstat?command=domains
- {"domains":[{"name":"unsigned.workbench.sidnlabs.nl","kind":"Slave","masters":"94.198.152.169","serial":2013061100,"notified_serial":3519254080,"last_check":1371046625}]}
-
- $ curl 'http://127.0.0.1:8081/jsonstat?command=get-zone&zone=unsigned.workbench.sidnlabs.nl'
- [{"content":"nsd.sidnlabs.nl. hostmaster.sidnlabs.nl. 2013061100 3600 600 1814400 3600",
- "name":"unsigned.workbench.sidnlabs.nl","ttl":"86400","type":"SOA"},
- {"content":"nsd.sidnlabs.nl","name":"unsigned.workbench.sidnlabs.nl","ttl":"3600","type":"NS"},...
-
-
-Common API calls
-----------------
- * config
- Returns the currently running configuration, minus passwords
- * log-grep
- Searches the logfile configured with 'experimental-logfile' for the terms specified in 'needle'
- * domains
- Returns a list of all domains, including type, master details, last_check etc
-
-API calls in PowerDNS Authoritative Server
-------------------------------------------
-Available from the built-in webserver as http://servername/jsonstat?command=...
-
-For now, only enabled if the 'experimental-json-interface' parameter is configured, as this API is not yet fully stable.
-
- * get
- Returns all variables found on the rest of the URL request
- * get-zone
- Returns the zone from the 'zone' parameter of the request
- * pdns-control
- Allows you to issue pdns_control commands, as found in a JSON post, in the field 'parameters'
- * zone-rest
- RESTful querying and modifying of a zone, for example, request: http://servername/jsonstat?command=zone-rest&rest=/powerdns.nl/www.powerdns.nl/a
- Supports POST, DELETE, and GET
-
-API calls for the PowerDNS Recursor
------------------------------------
-
-For now, only enabled if the 'experimental-webserver' parameter is configured, as this API is not yet fully stable.
-
- * flush-cache
- Flush from the cache the domain specified in the parameter 'domain'
- * stats
- Returns the rec_control statistics
-
--- /dev/null
+body {
+ background-color: #edf0f2;
+ margin: 0;
+ padding: 0;
+ font-family: "Open Sans", Helvetica, Arial, sans-serif;
+ font-size: 16px;
+ color: #333;
+ line-height: 1.5;
+}
+
+#left-column {
+ float: left;
+ position: fixed;
+ height: 100%;
+ border-right: 1px solid #e0e0e0;
+ width: 300px;
+ overflow: auto;
+ background: #fafafa;
+}
+
+#right-column {
+ padding: 20px 0;
+ margin-left: 300px;
+ background-color: #fff;
+ max-width: 900px;
+}
+
+a.headerlink {
+ visibility: hidden;
+ color: #ddd;
+ padding: 0 4px;
+ text-decoration: none;
+}
+
+h1:hover > a.headerlink,
+h2:hover > a.headerlink,
+h3:hover > a.headerlink,
+h4:hover > a.headerlink,
+h5:hover > a.headerlink,
+h6:hover > a.headerlink,
+dt:hover > a.headerlink {
+ visibility: visible;
+}
+
+h1 > a, h2 > a, h3 > a, h4 > a, h5 > a, h6 > a {
+ color: #5C7C98;
+}
+
+h1, h2, h3, h4, h5, h6 {
+ color: black;
+ font-weight: normal;
+ padding: 0;
+ font-family: "Source Serif Pro", "serif";
+}
+
+h1, h2, h3 {
+ margin-top: 30px;
+ margin-bottom: 20px;
+}
+
+h1 {
+ font-size: 38px;
+ padding: 10px 10px 10px 45px;
+ margin: 20px 0 35px -45px;
+ background-color: aliceblue;
+ width: calc(100% + 90px);
+ border-bottom: 1px solid #D8E4EF;
+}
+
+h1 > pre,
+h1 > code,
+h1 > tt {
+ font-size: 38px;
+}
+
+h2 {
+ font-size: 34px;
+ padding: .2em 0;
+ border-bottom: 1px solid #ddd;
+}
+
+h2 > pre,
+h2 > code,
+h2 > tt {
+ font-size: 34px;
+}
+
+h3 {
+ margin-top: 35px;
+ font-size: 28px;
+}
+
+h3 > pre,
+h3 > code,
+h3 > tt {
+ font-size: 28px;
+}
+
+h4 {
+ margin-top: 30px;
+ font-size: 24px;
+}
+
+h4 > pre,
+h4 > code,
+h4 > tt {
+ font-size: 24px;
+}
+
+h5 {
+ margin-top: 25px;
+ font-size: 20px;
+}
+
+h5 > pre,
+h5 > code,
+h5 > tt {
+ font-size: 20px;
+}
+
+div.clearer {
+ clear: both;
+}
+
+.container-wrapper {
+ padding: 0;
+ position: relative;
+}
+
+div.related {
+ display: none;
+}
+
+p {
+ padding: 0;
+ font-family: inherit;
+ font-size: inherit;
+ color: #333;
+}
+
+code, pre, tt {
+ font-size: 15px;
+ font-family: Consolas, monospace;
+}
+
+code, tt {
+ color: #8D1A38;
+}
+
+tt {
+ padding: 0 2px;
+}
+
+code, pre {
+ line-height: 23px;
+ margin: 20px 0;
+ word-wrap: normal;
+ background-color: #fff;
+}
+
+pre {
+ color: #333;
+ background-color: #fff;
+ overflow: auto;
+ border-width: 0 0 0 2px;
+ border-color: #eee;
+ border-style: solid;
+ padding: 14px 0 14px 20px;
+ padding-right: 0;
+ margin: 20px 0;
+}
+
+div.highlight {
+ background-color: white;
+}
+
+a.internal em {
+ font-style: normal;
+}
+
+dl dd {
+ margin: 3px 0 10px 30px;
+}
+
+dl.method {
+ border-bottom: 1px solid #ccc;
+}
+
+.breadcrumb {
+ font-size: 15px;
+ margin-bottom: 12px;
+ background: #fff;
+}
+
+blockquote {
+ border-width: .1em 0 .1em 0;
+ border-color: #e5eef2;
+ border-style: solid;
+ background-color: #f3f8f9;
+ color: #000;
+ margin: 20px 0;
+ padding: 15px 20px;
+ font-size: 16px;
+}
+
+/* Sphinx sidebar
+-------------------------------------------------- */
+
+div.sphinxsidebar {
+ word-wrap: break-word;
+}
+
+div.sphinxsidebar .panel-default > .panel-heading {
+ background-image: none;
+}
+
+.sidebar-wrapper {
+ padding: 0 22px;
+}
+
+div.sphinxsidebar h3,
+div.sphinxsidebar h4 {
+ color: #444;
+ font-size: 20px;
+ font-weight: normal;
+ margin: 0;
+ padding: 0;
+}
+
+div.sphinxsidebar h4 {
+ font-size: 16px;
+}
+
+div.sphinxsidebar p {
+ color: #555;
+ margin: 10px 0;
+}
+
+.sidebar-toc {
+ font-size: 15px;
+}
+
+div.sphinxsidebar .sidebar-toc ul {
+ margin: 0 0 4px 0;
+ list-style-type: none;
+ color: #000;
+}
+
+div.sphinxsidebar .sidebar-toc a {
+ font-family: "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;
+ color: #444;
+ text-decoration: none;
+}
+
+.sidebar-toc > ul {
+ padding: 0 !important;
+ list-style-type: none;
+ margin: 0;
+}
+
+.sidebar-toc ul li a {
+ display: block;
+}
+
+.sidebar-toc ul li a:hover {
+ background-color: #428bca;
+ color: #fff;
+}
+
+.sidebar-toc ul li.current > a,
+.sidebar-toc ul li.current > a:hover {
+ background-color: #e6e6e6;
+ color: #444;
+}
+
+.sidebar-toc ul li.toctree-l1 a {
+ padding: 5px 25px;
+}
+
+.sidebar-toc ul li.toctree-l2 a {
+ padding: 5px 50px;
+}
+
+.sidebar-toc ul li.toctree-l3 a {
+ padding: 5px 75px;
+}
+
+div.sphinxsidebar ul.want-points {
+ padding-left: 20px;
+ margin: 0;
+}
+
+div.sphinxsidebar .sidebar-toc ul ul {
+ margin: 0;
+ padding: 0;
+}
+
+.sidebar-localtoc ul {
+ padding-left: 24px;
+}
+
+div.sphinxsidebar input {
+ border: 1px solid #ccc;
+ font-family: Helvetica, arial, freesans, clean, sans-serif;
+ font-size: 1em;
+}
+
+.margin-top-1em {
+ margin-top: 1em;
+}
+
+.sidebar-block {
+ padding: 0;
+ margin: 14px 0 30px 0;
+}
+
+.sidebar-block h2 {
+ border-bottom: none;
+ margin: 0 0 17px 0;
+ font-size: 14px;
+ font-family: "Open Sans", Helvetica, Arial, sans-serif;
+ padding: 0 0 6px 0;
+ font-weight: bold;
+ text-transform: uppercase;
+ color: #606060;
+}
+
+.sidebar-block .bd {
+ font-size: 16px;
+}
+
+.sphinxsidebar > .sidebar-block:not(:last-child):after {
+ content: '';
+ display:block;
+ border-top: 1px solid #ccc;
+ margin: 24px 22px 0 22px;
+}
+
+.text-logo {
+ font-size: 18px;
+ text-align: center;
+ display: block;
+ padding: 8px;
+ color: #fff;
+ font-family: "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;
+ margin: 0 0 20px 0;
+ font-weight: bold;
+ background-color: #337ab7;
+ border-bottom: 1px solid #fff;
+}
+
+.text-logo:hover {
+ color: #fff;
+}
+
+/* Left-nav search box
+-------------------------------------------------- */
+
+#main-search form .input-group {
+ width: 100%;
+ margin: 0 0 12px 0;
+ padding: 0;
+ border: none;
+}
+
+#main-search form .input-group input {
+ padding: 4px;
+ width: 100%;
+ border-radius: 5px;
+ margin: 0;
+ font-size: 15px;
+}
+
+.search-page-form {
+ width: 350px;
+}
+
+/* Two-pane table list
+-------------------------------------------------- */
+
+.table-bordered>thead>tr>th,
+.table-bordered>tbody>tr>th,
+.table-bordered>tfoot>tr>th,
+.table-bordered>thead>tr>td,
+.table-bordered>tbody>tr>td,
+.table-bordered>tfoot>tr>td,
+table.two-column.table-bordered caption+thead tr:first-child th:first-child,
+table.two-column.table-bordered caption+tbody tr:first-child td:first-child,
+table.two-column.table-bordered colgroup+thead tr:first-child th:first-child,
+table.two-column.table-bordered colgroup+tbody tr:first-child td:first-child,
+table.two-column tbody td
+ border: 0 0 1px 0 solid #eee;
+ border-left: none;
+ padding: 8px 4px;
+ font-size: 16px;
+}
+
+table.two-column {
+ width: 100%;
+ border: 0px none !important;
+ box-shadow: none;
+}
+
+/* Disqus comments styles
+-------------------------------------------------- */
+
+.comment-container {
+ margin: 24px auto;
+}
+
+/* Next and previous links
+-------------------------------------------------- */
+
+.footer-relations {
+ display: relative;
+ border-top: 1px solid #ccc;
+ padding: 12px 45px;
+ margin-top: 30px;
+ font-size: 24px;
+}
+
+.rel-spacer {
+ height: 40px;
+}
+
+/* Footer styling
+-------------------------------------------------- */
+
+div.footer {
+ padding: 25px;
+ font-size: 14px;
+ color: #888;
+ text-align: right;
+ max-width: 1200px;
+ width: 100%;
+}
+
+div.footer a {
+ color: #888;
+}
+
+/* -- relbar ---------------------------------------------------------------- */
+
+div.related {
+ width: 100%;
+ font-size: 90%;
+}
+
+div.related h3 {
+ display: none;
+}
+
+div.related ul {
+ margin: 0;
+ padding: 0 0 0 10px;
+ list-style: none;
+}
+
+div.related li {
+ display: inline;
+}
+
+div.related li.right {
+ float: right;
+ margin-right: 5px;
+}
+
+/* -- search page ----------------------------------------------------------- */
+
+ul.search {
+ margin: 10px 0 0 20px;
+ padding: 0;
+}
+
+ul.search li {
+ padding: 5px 0 5px 20px;
+ background: url(file.png) no-repeat 0 7px;
+}
+
+ul.search li a {
+ font-weight: bold;
+}
+
+ul.search li div.context {
+ color: #888;
+ margin: 2px 0 0 30px;
+ text-align: left;
+}
+
+ul.keywordmatches li.goodmatch a {
+ font-weight: bold;
+}
+
+/* -- general index --------------------------------------------------------- */
+
+table {
+ margin-bottom: 20px;
+}
+
+table.indextable {
+ width: 100%;
+}
+
+table.indextable td {
+ text-align: left;
+ vertical-align: top;
+}
+
+table.indextable dl, table.indextable dd {
+ margin-top: 0;
+ margin-bottom: 0;
+}
+
+table.indextable tr.pcap {
+ height: 10px;
+}
+
+table.indextable tr.cap {
+ margin-top: 10px;
+ background-color: #f2f2f2;
+}
+
+img.toggler {
+ margin-right: 3px;
+ margin-top: 3px;
+ cursor: pointer;
+}
+
+div.modindex-jumpbox {
+ border-top: 1px solid #ddd;
+ border-bottom: 1px solid #ddd;
+ margin: 1em 0 1em 0;
+ padding: 0.4em;
+}
+
+div.genindex-jumpbox {
+ border-top: 1px solid #ddd;
+ border-bottom: 1px solid #ddd;
+ margin: 1em 0 1em 0;
+ padding: 0.4em;
+}
+
+/* -- general body styles --------------------------------------------------- */
+
+.body {
+ padding: 0 45px;
+}
+
+div.body p.caption {
+ text-align: inherit;
+}
+
+table.field-list {
+ border: 1px solid #ddd;
+ border-collapse: collapse;
+ border-spacing: 0;
+ width: 100%;
+}
+
+table.field-list td,
+table.field-list th {
+ border: 1px solid #ddd;
+ padding: 8px;
+ vertical-align: top;
+ line-height: 1.4;
+}
+
+.field-list ul {
+ padding-left: 1em;
+}
+
+.first {
+ margin-top: 0 !important;
+}
+
+p.rubric {
+ margin-top: 30px;
+ font-weight: bold;
+}
+
+img.align-left, .figure.align-left, object.align-left {
+ clear: left;
+ float: left;
+ margin-right: 1em;
+}
+
+img.align-right, .figure.align-right, object.align-right {
+ clear: right;
+ float: right;
+ margin-left: 1em;
+}
+
+img.align-center, .figure.align-center, object.align-center {
+ display: block;
+ margin-left: auto;
+ margin-right: auto;
+}
+
+.align-left {
+ text-align: left;
+}
+
+.align-center {
+ text-align: center;
+}
+
+.align-right {
+ text-align: right;
+}
+
+/* -- topics ---------------------------------------------------------------- */
+
+div.topic {
+ border: 1px solid #e8e8e8;
+ padding: 7px 7px 0 7px;
+ margin: 10px 0 10px 0;
+ background-color: #f8f8f8;
+}
+
+p.topic-title {
+ font-size: 1.1em;
+ font-weight: bold;
+ margin-top: 10px;
+}
+
+/* -- contents-------------------------------------------------------------- */
+
+div.topic.contents {
+ display: inline-block;
+ border-radius: 3px;
+ padding: 24px 36px 18px 36px;
+}
+
+div.topic.contents > ul {
+ padding-left: 20px;
+}
+
+/* -- admonitions ----------------------------------------------------------- */
+
+.admonition {
+ margin: 20px 0;
+ padding: 20px;
+ background-color: #fff;
+ border: 1px solid #eee;
+ border-left-width: 6px;
+ border-radius: 3px;
+}
+
+.admonition dt {
+ font-weight: bold;
+}
+
+.admonition dl {
+ margin-bottom: 0;
+}
+
+.admonition-title {
+ margin: 0px 0 5px;
+ padding: 0;
+ font-weight: bold;
+ font-size: 18px;
+ line-height: 1.1;
+ font-family: "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;
+}
+
+.admonition.danger,
+.admonition.error {
+ border-left-color: #d9534f;
+}
+
+.admonition.danger .admonition-title,
+.admonition.error .admonition-title {
+ color: #d9534f;
+}
+
+.admonition.important,
+.admonition.warning,
+.admonition.attention,
+.admonition.caution {
+ border-left-color: #f0ad4e;
+}
+
+.admonition.important .admonition-title,
+.admonition.warning .admonition-title,
+.admonition.attention .admonition-title,
+.admonition.caution .admonition-title {
+ color: #9B581F;
+}
+
+.admonition.note,
+.admonition.hint {
+ border-left-color: #31708f;
+}
+
+.admonition.note .admonition-title,
+.admonition.hint .admonition-title {
+ color: #31708f;
+}
+
+.admonition.tip {
+ border-left-color: #3c763d;
+}
+
+.admonition.tip .admonition-title {
+ color: #3c763d;
+}
+
+div.body p.centered {
+ text-align: center;
+ margin-top: 25px;
+}
+
+div.seealso {
+ background-color: #ffc;
+ border: 1px solid #ff6;
+}
+
+div.admonition tt.xref, div.admonition a tt {
+ border-bottom: 1px solid #fafafa;
+}
+
+div.admonition p.last {
+ margin-bottom: 0;
+}
+
+/* -- other body styles ----------------------------------------------------- */
+
+ol.arabic {
+ list-style: decimal;
+}
+
+ol.loweralpha {
+ list-style: lower-alpha;
+}
+
+ol.upperalpha {
+ list-style: upper-alpha;
+}
+
+ol.lowerroman {
+ list-style: lower-roman;
+}
+
+ol.upperroman {
+ list-style: upper-roman;
+}
+
+.highlighted {
+ background-color: #fbe54e;
+}
+
+dl.glossary dt {
+ font-weight: bold;
+ font-size: 1.1em;
+}
+
+.field-list ul {
+ margin: 0;
+ padding-left: 1em;
+}
+
+.refcount {
+ color: #060;
+}
+
+.optional {
+ font-size: 1.3em;
+}
+
+.versionmodified {
+ font-style: italic;
+}
+
+.system-message {
+ background-color: #fda;
+ padding: 5px;
+ border: 3px solid red;
+}
+
+.footnote:target {
+ background-color: #ffa;
+}
+
+.line-block {
+ display: block;
+ margin-top: 1em;
+ margin-bottom: 1em;
+}
+
+.line-block .line-block {
+ margin-top: 0;
+ margin-bottom: 0;
+ margin-left: 1.5em;
+}
+
+.guilabel, .menuselection {
+ font-family: sans-serif;
+}
+
+.accelerator {
+ text-decoration: underline;
+}
+
+.classifier {
+ font-style: oblique;
+}
+
+abbr, acronym {
+ border-bottom: dotted 1px;
+ cursor: help;
+}
+
+dt:target, .highlight {
+ background: #FAF3E8;
+}
+
+/* -- code displays --------------------------------------------------------- */
+
+td.linenos pre {
+ padding: 5px 0px;
+ border: 0;
+ background-color: transparent;
+ color: #aaa;
+}
+
+table.highlighttable {
+ margin-left: 0.5em;
+}
+
+table.highlighttable td {
+ padding: 0 0.5em 0 0.5em;
+}
+
+code.descname {
+ padding: 0px;
+}
+
+code.descclassname {
+ padding: 0px;
+}
+
+tt.descname {
+ background-color: transparent;
+ font-weight: bold;
+ padding-right: 0.08em;
+}
+
+tt.descclassname {
+ background-color: transparent;
+}
+
+tt.descname, tt.descclassname {
+ font-size: 0.95em;
+}
+
+tt.xref, a tt {
+ background-color: transparent;
+ font-weight: bold;
+}
+
+h1 tt, h2 tt, h3 tt, h4 tt, h5 tt, h6 tt {
+ background-color: transparent;
+}
+
+.viewcode-link {
+ float: right;
+}
+
+.viewcode-back {
+ float: right;
+ font-family: sans-serif;
+}
+
+div.viewcode-block:target {
+ margin: -1px -10px;
+ padding: 0 10px;
+}
+
+/* -- math display ---------------------------------------------------------- */
+
+img.math {
+ vertical-align: middle;
+}
+
+div.body div.math p {
+ text-align: center;
+}
+
+span.eqno {
+ float: right;
+}
+
+/* -- Theme specific classes - */
+
+.overflow-height-500px {
+ overflow: auto;
+ height: 500px;
+}
+
+.overflow-height-250px {
+ overflow: auto;
+ height: 250px;
+}
+
+/* Toggle mobile view
+-------------------------------------------------- */
+
+#mobile-toggle {
+ height: 40px;
+ width: 100%;
+ display: none;
+ padding: 12px;
+ border-bottom: 1px solid #ccc;
+ position: fixed;
+ top: 0;
+ left: 0;
+ background-color: #fff;
+ z-index: 1;
+}
+
+/* Small screen styles
+-------------------------------------------------- */
+
+@media screen and (max-width: 768px) {
+
+ body {
+ padding: 0px;
+ margin: 0px;
+ background-color: #fff;
+ }
+
+ h1 {
+ margin-left: 0;
+ width: 100%;
+ padding: 10px;
+ font-size: 40px;
+ }
+
+ #left-column {
+ position: relative;
+ top: 0;
+ left: 0;
+ display: none;
+ width: 100%;
+ float: none;
+ margin: 40px 0 0 0;
+ }
+
+ .footer-relations {
+ padding: 12px 0;
+ }
+
+ #right-column {
+ margin-left: 0;
+ margin-top: 0;
+ padding: 50px 20px 8px 20px;
+ width: 100%;
+ float: none;
+ }
+
+ .document {
+ position: relative;
+ padding: 0;
+ width: 100%
+ }
+
+ .body {
+ padding: 0px;
+ }
+
+ #mobile-toggle {
+ display: block;
+ }
+
+ p {
+ padding: 0;
+ }
+}
+
+/* Account for when the left column is closed then page is expanded.
+-------------------------------------------------- */
+
+@media screen and (min-width: 769px) {
+ #left-column {
+ display: block !important;
+ }
+}
+
+/* Syntax highlighting
+-------------------------------------------------- */
+
+.hll { background-color: #ffffcc }
+.c { color: #999988; font-style: italic } /* Comment */
+.err { color: #a61717; background-color: #e3d2d2 } /* Error */
+.k { color: #000000; font-weight: bold } /* Keyword */
+.o { color: #000000; font-weight: bold } /* Operator */
+.cm { color: #999988; font-style: italic } /* Comment.Multiline */
+.cp { color: #999999; font-weight: bold; font-style: italic } /* Comment.Preproc */
+.c1 { color: #999988; font-style: italic } /* Comment.Single */
+.cs { color: #999999; font-weight: bold; font-style: italic } /* Comment.Special */
+.gd { color: #000000; background-color: #ffdddd } /* Generic.Deleted */
+.ge { color: #000000; font-style: italic } /* Generic.Emph */
+.gr { color: #aa0000 } /* Generic.Error */
+.gh { color: #999999 } /* Generic.Heading */
+.gi { color: #000000; background-color: #ddffdd } /* Generic.Inserted */
+.go { color: #888888 } /* Generic.Output */
+.gp { color: #555555 } /* Generic.Prompt */
+.gs { font-weight: bold } /* Generic.Strong */
+.gu { color: #aaaaaa } /* Generic.Subheading */
+.gt { color: #aa0000 } /* Generic.Traceback */
+.kc { color: #000000; font-weight: bold } /* Keyword.Constant */
+.kd { color: #000000; font-weight: bold } /* Keyword.Declaration */
+.kn { color: #000000; font-weight: bold } /* Keyword.Namespace */
+.kp { color: #000000; font-weight: bold } /* Keyword.Pseudo */
+.kr { color: #000000; font-weight: bold } /* Keyword.Reserved */
+.kt { color: #445588; font-weight: bold } /* Keyword.Type */
+.m { color: #009999 } /* Literal.Number */
+.s { color: #d01040 } /* Literal.String */
+.na { color: #008080 } /* Name.Attribute */
+.nb { color: #0086B3 } /* Name.Builtin */
+.nc { color: #445588; font-weight: bold } /* Name.Class */
+.no { color: #008080 } /* Name.Constant */
+.nd { color: #3c5d5d; font-weight: bold } /* Name.Decorator */
+.ni { color: #800080 } /* Name.Entity */
+.ne { color: #990000; font-weight: bold } /* Name.Exception */
+.nf { color: #990000; font-weight: bold } /* Name.Function */
+.nl { color: #990000; font-weight: bold } /* Name.Label */
+.nn { color: #555555 } /* Name.Namespace */
+.nt { color: #000080 } /* Name.Tag */
+.nv { color: #008080 } /* Name.Variable */
+.ow { color: #000000; font-weight: bold } /* Operator.Word */
+.w { color: #bbbbbb } /* Text.Whitespace */
+.mf { color: #009999 } /* Literal.Number.Float */
+.mh { color: #009999 } /* Literal.Number.Hex */
+.mi { color: #009999 } /* Literal.Number.Integer */
+.mo { color: #009999 } /* Literal.Number.Oct */
+.sb { color: #d01040 } /* Literal.String.Backtick */
+.sc { color: #d01040 } /* Literal.String.Char */
+.sd { color: #d01040 } /* Literal.String.Doc */
+.s2 { color: #d01040 } /* Literal.String.Double */
+.se { color: #d01040 } /* Literal.String.Escape */
+.sh { color: #d01040 } /* Literal.String.Heredoc */
+.si { color: #d01040 } /* Literal.String.Interpol */
+.sx { color: #d01040 } /* Literal.String.Other */
+.sr { color: #009926 } /* Literal.String.Regex */
+.s1 { color: #d01040 } /* Literal.String.Single */
+.ss { color: #990073 } /* Literal.String.Symbol */
+.bp { color: #999999 } /* Name.Builtin.Pseudo */
+.vc { color: #008080 } /* Name.Variable.Class */
+.vg { color: #008080 } /* Name.Variable.Global */
+.vi { color: #008080 } /* Name.Variable.Instance */
+.il { color: #009999 } /* Literal.Number.Integer.Long */
--- /dev/null
+Backend writers' guide
+======================
+
+PowerDNS backends are implemented via a simple yet powerful C++
+interface. If your needs are not met by the PipeBackend, you may want to
+write your own. Before doing any PowerDNS development, please read `this blog
+post <http://blog.powerdns.com/2015/06/23/what-is-a-powerdns-backend-and-how-do-i-make-it-send-an-nxdomain/>`__
+which has a FAQ and several pictures that help explain what a backend
+is.
+
+A backend contains zero DNS logic. It need not look for CNAMEs, it need
+not return NS records unless explicitly asked for, etcetera. All DNS
+logic is contained within PowerDNS itself - backends should simply
+return records matching the description asked for.
+
+.. warning::
+ However, please note that your backend can get queries in
+ aNy CAsE! If your database is case sensitive, like most are (with the
+ notable exception of MySQL), you must make sure that you do find answers
+ which differ only in case.
+
+.. warning::
+ PowerDNS may instantiate multiple instances of your
+ backend, or destroy existing copies and instantiate new ones. Backend
+ code should therefore be thread-safe with respect to its static data.
+ Additionally, it is wise if instantiation is a fast operation, with the
+ possible exception of the first construction.
+
+Notes
+-----
+
+Besides regular query types, the DNS also knows the 'ANY' query type.
+When a server receives a question for this ANY type, it should reply
+with all record types available.
+
+Backends should therefore implement being able to answer 'ANY' queries
+in this way, and supply all record types they have when they receive
+such an 'ANY' query. This is reflected in the sample script above, which
+for every qtype answers if the type matches, or if the query is for
+'ANY'.
+
+However, since backends need to implement the ANY query anyhow, PowerDNS
+makes use of this. Since almost all DNS queries internally need to be
+translated first into a CNAME query and then into the actual query,
+possibly followed by a SOA or NS query (this is how DNS works
+internally), it makes sense for PowerDNS to speed this up, and just ask
+the ANY query of a backend.
+
+When it has done so, it gets the data about SOA, CNAME and NS records in
+one go. This speeds things up tremendously.
+
+The upshot of the above is that for any backend, including the PIPE
+backend, implementing the ANY query is NOT optional. And in fact, a
+backend may see almost exclusively ANY queries. This is not a bug.
+
+Simple read-only native backends
+--------------------------------
+
+Implementing a backend consists of inheriting from the DNSBackend class.
+For read-only backends, which do not support slave operation, only the
+following methods are relevant:
+
+.. code-block:: cpp
+
+ class DNSBackend
+ {
+ public:
+
+ virtual void lookup(const QType &qtype, const string &qdomain, DNSPacket *pkt_p=0, int zoneId=-1)=0;
+ virtual bool list(const string &target, int domain_id)=0;
+ virtual bool get(DNSResourceRecord &r)=0;
+ virtual bool getSOA(const string &name, SOAData &soadata, DNSPacket *p=0);
+ };
+
+Note that the first three methods must be implemented. ``getSOA()`` has
+a useful default implementation.
+
+The semantics are simple. Each instance of your class only handles one
+(1) query at a time. There is no need for locking as PowerDNS guarantees
+that your backend will never be called reentrantly.
+
+.. note::
+ Queries for wildcard names should be answered literally,
+ without expansion. So, if a backend gets a question for
+ "\*.powerdns.com", it should only answer with data if there is an actual
+ "\*.powerdns.com" name
+
+Some examples, a more formal specification is down below. A normal
+lookup starts like this:
+
+.. code-block:: cpp
+
+ YourBackend yb;
+ yb.lookup(QType::CNAME,"www.powerdns.com");
+
+Your class should now do everything to start this query. Perform as much
+preparation as possible - handling errors at this stage is better for
+PowerDNS than doing so later on. A real error should be reported by
+throwing an exception.
+
+PowerDNS will then call the ``get()`` method to get
+``DNSResourceRecord``\ s back. The following code illustrates a typical
+query:
+
+.. code-block:: cpp
+
+ yb.lookup(QType::CNAME,"www.powerdns.com");
+
+ DNSResourceRecord rr;
+ while(yb.get(rr))
+ cout<<"Found cname pointing to '"+rr.content+"'"<<endl;
+ }
+
+Each zone starts with a Start of Authority (SOA) record. This record is
+special so many backends will choose to implement it specially. The
+default ``getSOA()`` method performs a regular lookup on your backend to
+figure out the SOA, so if you have no special treatment for SOA records,
+where is no need to implement your own ``getSOA()``.
+
+Besides direct queries, PowerDNS also needs to be able to list a zone,
+to do zone transfers for example. Each zone has an id which should be
+unique within the backend. To list all records belonging to a zone id,
+the ``list()`` method is used. Conveniently, the domain_id is also
+available in the ``SOAData`` structure.
+
+The following lists the contents of a zone called "powerdns.com".
+
+.. code-block:: cpp
+
+ SOAData sd;
+ if(!yb.getSOA("powerdns.com",sd)) // are we authoritative over powerdns.com?
+ return RCode::NotAuth; // no
+
+ yb.list(sd.domain_id);
+ while(yb.get(rr))
+ cout<<rr.qname<<"\t IN "<<rr.qtype.getName()<<"\t"<<rr.content<<endl;
+
+A sample minimal backend
+------------------------
+
+This backend only knows about the host "random.powerdns.com", and
+furthermore, only about its A record:
+
+.. code-block:: cpp
+
+ /* FIRST PART */
+ class RandomBackend : public DNSBackend
+ {
+ public:
+ bool list(const string &target, int id)
+ {
+ return false; // we don't support AXFR
+ }
+
+ void lookup(const QType &type, const string &qdomain, DNSPacket *p, int zoneId)
+ {
+ if(type.getCode()!=QType::A || qdomain!="random.powerdns.com") // we only know about random.powerdns.com A
+ d_answer=""; // no answer
+ else {
+ ostringstream os;
+ os<<random()%256<<"."<<random()%256<<"."<<random()%256<<"."<<random()%256;
+ d_answer=os.str(); // our random ip address
+ }
+ }
+
+ bool get(DNSResourceRecord &rr)
+ {
+ if(!d_answer.empty()) {
+ rr.qname="random.powerdns.com"; // fill in details
+ rr.qtype=QType::A; // A record
+ rr.ttl=86400; // 1 day
+ rr.content=d_answer;
+
+ d_answer=""; // this was the last answer
+
+ return true;
+ }
+ return false; // no more data
+ }
+
+ private:
+ string d_answer;
+ };
+
+ /* SECOND PART */
+
+ class RandomFactory : public BackendFactory
+ {
+ public:
+ RandomFactory() : BackendFactory("random") {}
+
+ DNSBackend *make(const string &suffix)
+ {
+ return new RandomBackend();
+ }
+ };
+
+ /* THIRD PART */
+
+ class RandomLoader
+ {
+ public:
+ RandomLoader()
+ {
+ BackendMakers().report(new RandomFactory);
+ L << Logger::Info << "[randombackend] This is the random backend version " VERSION " reporting" << endl;
+ }
+ };
+
+ static RandomLoader randomloader;
+
+This simple backend can be used as an 'overlay'. In other words, it only
+knows about a single record, another loaded backend would have to know
+about the SOA and NS records and such. But nothing prevents us from
+loading it without another backend.
+
+The first part of the code contains the actual logic and should be
+pretty straightforward. The second part is a boilerplate 'factory' class
+which PowerDNS calls to create randombackend instances. Note that a
+'suffix' parameter is passed. Real life backends also declare parameters
+for the configuration file; these get the 'suffix' appended to them.
+Note that the "random" in the constructor denotes the name by which the
+backend will be known.
+
+The third part registers the RandomFactory with PowerDNS. This is a
+simple C++ trick which makes sure that this function is called on
+execution of the binary or when loading the dynamic module.
+
+Please note that a RandomBackend is actually in most PowerDNS releases.
+By default it lives on random.example.com, but you can change that by
+setting :ref:`setting-random-hostname`.
+
+.. note::
+ This simple backend neglects to handle case properly!
+
+Interface definition
+--------------------
+
+Classes
+~~~~~~~
+
+.. cpp:class:: DNSResourceRecord
+
+.. cpp:member:: std::string DNSResourceRecord::qname
+
+ Name of this record
+
+.. cpp:member:: QType DNSResourceRecord::qtype
+
+ Query type of this record
+
+.. cpp:member:: std::string DNSResourceRecord::content
+
+ ASCII representation of the right-hand side
+
+.. cpp:member:: uint32_t DNSResourceRecord::ttl
+
+ Time To Live of this record
+
+.. cpp:member:: int DNSResourceRecord::domain_id
+
+ ID of the domain this record belongs to
+
+.. cpp:member:: time_t DNSResourceRecord::last_modified
+
+ If unzero, last time_t this record was changed
+
+.. cpp:member:: bool DNSResourceRecord::auth
+
+ Used for DNSSEC operations. See :doc:`../dnssec/migration`.
+ It is also useful to check out the ``rectifyZone()`` in pdnsutil.cc.
+
+.. cpp:member:: bool DNSResourceRecord::disabled
+
+ If set, this record is not to be served to DNS clients.
+ Backends should not make these records available to PowerDNS unless indicated otherwise.
+
+.. cpp:class:: SOAData
+
+.. cpp:member:: string SOAData::nameserver
+
+ Name of the master nameserver of this zone
+
+.. cpp:member:: string SOAData::hostmaster
+
+ Hostmaster of this domain. May contain an @
+
+.. cpp:member:: uint32_t SOAData::serial
+
+ Serial number of this zone
+
+.. cpp:member:: uint32_t SOAData::refresh
+
+ How often this zone should be refreshed
+
+.. cpp:member:: uint32_t SOAData::retry
+
+ How often a failed zone pull should be retried.
+
+.. cpp:member:: u_int32_t SOAData::expire
+
+ If zone pulls failed for this long, retire records
+
+.. cpp:member:: uint32_t SOAData::default_ttl
+
+ Difficult
+
+.. cpp:member:: int SOAData::domain_id
+
+ The ID of the domain within this backend. Must be filled!
+
+.. cpp:member:: DNSBackend* SOAData::db
+
+ Pointer to the backend that feels authoritative for a domain and can act as a slave
+
+Methods
+~~~~~~~
+
+.. cpp:function:: void DNSBackend::lookup(const QType &qtype, const string &qdomain, DNSPacket *pkt=0, int zoneId=-1)
+
+ This function is used to initiate a straight lookup for a record of name
+ 'qdomain' and type 'qtype'. A QType can be converted into an integer by
+ invoking its ``getCode()`` method and into a string with the
+ ``getCode()``.
+
+ The original question may or may not be passed in the pointer pkt. If it
+ is, you can retrieve information about who asked the question with the
+ ``pkt->getRemote()`` method.
+
+ Note that **qdomain** can be of any case and that your backend should
+ make sure it is in effect case insensitive. Furthermore, the case of the
+ original question should be retained in answers returned by ``get()``!
+
+ Finally, the domain_id might also be passed indicating that only
+ answers from the indicated zone need apply. This can both be used as a
+ restriction or as a possible speedup, hinting your backend where the
+ answer might be found.
+
+ If initiated successfully, as indicated by returning **true**, answers
+ should be made available over the ``get()`` method.
+
+ Should throw an PDNSException if an error occurred accessing the
+ database. Returning otherwise indicates that the query was started
+ successfully. If it is known that no data is available, no exception
+ should be thrown! An exception indicates that the backend considers
+ itself broken - not that no answers are available for a question.
+
+ It is legal to return here, and have the first call to ``get()`` return
+ false. This is interpreted as 'no data'.
+
+.. cpp:function:: bool DNSBackend::list(int domain_id, bool include_disabled=false)
+
+ Initiates a list of the indicated domain. Records should then be made
+ available via the ``get()`` method. Need not include the SOA record. If
+ it is, PowerDNS will not get confused. If include_disabled is given as
+ true, records that are configured but should not be served to DNS
+ clients must also be made available.
+
+ Should return false if the backend does not consider itself
+ authoritative for this zone. Should throw an PDNSException if an error
+ occurred accessing the database. Returning true indicates that data is
+ or should be available.
+
+.. cpp:function:: bool DNSBackend::get(DNSResourceRecord &rr)
+
+ Request a DNSResourceRecord from a query started by ``get()`` of
+ ``list()``. If this functions returns **true**, **rr** has been filled
+ with data. When it returns false, no more data is available, and **rr**
+ does not contain new data. A backend should make sure that it either
+ fills out all fields of the DNSResourceRecord or resets them to their
+ default values.
+
+ The qname field of the DNSResourceRecord should be filled out with the
+ exact ``qdomain`` passed to lookup, preserving its case. So if a query
+ for 'CaSe.yourdomain.com' comes in and your database contains data for
+ 'case.yourdomain.com', the qname field of rr should contain
+ 'CaSe.yourdomain.com'!
+
+ Should throw an PDNSException in case a database error occurred.
+
+.. cpp:function:: bool DNSBackend::getSOA(const string &name, SOAData &soadata)
+
+ If the backend considers itself authoritative over domain ``name``, this
+ method should fill out the passed **SOAData** structure and return a
+ positive number. If the backend is functioning correctly, but does not
+ consider itself authoritative, it should return 0. In case of errors, an
+ PDNSException should be thrown.
+
+Reporting errors
+----------------
+
+To report errors, the Logger class is available which works mostly like
+an iostream. Example usage is as shown above in the RandomBackend. Note
+that it is very important that each line is ended with **endl** as your
+message won't be visible otherwise.
+
+To indicate the importance of an error, the standard syslog errorlevels
+are available. They can be set by outputting ``Logger::Critical``,
+``Logger::Error``, ``Logger::Warning``, ``Logger::Notice``,
+``Logger::Info`` or ``Logger::Debug`` to ``L``, in descending order of
+graveness.
+
+Declaring and reading configuration details
+-------------------------------------------
+
+It is highly likely that a backend needs configuration details. On
+launch, these parameters need to be declared with PowerDNS so it knows
+it should accept them in the configuration file and on the command line.
+Furthermore, they will be listed in the output of ``--help``.
+
+Declaring arguments is done by implementing the member function
+``declareArguments()`` in the factory class of your backend. PowerDNS
+will call this method after launching the backend.
+
+In the ``declareArguments()`` method, the function ``declare()`` is
+available. The exact definitions:
+
+.. cpp:function:: void DNSBackend::declareArguments(const string &suffix="")
+
+ This method is called to allow a backend to register configurable
+ parameters. The suffix is the sub-name of this module. There is no need
+ to touch this suffix, just pass it on to the declare method.
+
+.. cpp:function:: void DNSBackend::declare(const string &suffix, const string ¶m, const string &explanation, const string &value)
+
+ The suffix is passed to your method, and can be passed on to declare.
+ **param** is the name of your parameter. **explanation** is what will
+ appear in the output of --help. Furthermore, a default value can be
+ supplied in the **value** parameter.
+
+ A sample implementation:
+
+ .. code-block:: cpp
+
+ void declareArguments(const string &suffix)
+ {
+ declare(suffix,"dbname","Pdns backend database name to connect to","powerdns");
+ declare(suffix,"user","Pdns backend user to connect as","powerdns");
+ declare(suffix,"host","Pdns backend host to connect to","");
+ declare(suffix,"password","Pdns backend password to connect with","");
+ }
+
+ After the arguments have been declared, they can be accessed from your
+ backend using the ``mustDo()``, ``getArg()`` and ``getArgAsNum()``
+ methods. The are defined as follows in the DNSBackend class:
+
+.. cpp:function:: void DNSBackend::setArgPrefix(const string &prefix)
+
+ Must be called before any of the other accessing functions are used.
+ Typical usage is '``setArgPrefix("mybackend"+suffix)``' in the
+ constructor of a backend.
+
+.. cpp:function:: bool DNSBackend::mustDo(const string &key)
+
+ Returns true if the variable ``key`` is set to anything but 'no'.
+
+.. cpp:function:: const string& DNSBackend::getArg(const string &key)
+
+ Returns the exact value of a parameter.
+
+.. cpp:function:: int DNSBackend::getArgAsNum(const string &key)
+
+ Returns the numerical value of a parameter. Uses ``atoi()`` internally
+
+ Sample usage from the BindBackend: getting the 'check-interval' setting:
+
+ .. code-block:: cpp
+
+ if(!safeGetBBDomainInfo(i->name, &bbd)) {
+ bbd.d_id=domain_id++;
+ bbd.setCheckInterval(getArgAsNum("check-interval"));
+ bbd.d_lastnotified=0;
+ bbd.d_loaded=false;
+ }
+
+
+.. _rw-slave:
+
+Read/write slave-capable backends
+---------------------------------
+
+The backends above are 'natively capable' in that they contain all data
+relevant for a domain and do not pull in data from other nameservers. To
+enable storage of information, a backend must be able to do more.
+
+Before diving into the details of the implementation some theory is in
+order. Slave domains are pulled from the master. PowerDNS needs to know
+for which domains it is to be a slave, and for each slave domain, what
+the IP address of the master is.
+
+A slave zone is pulled from a master, after which it is 'fresh', but
+this is only temporary. In the SOA record of a zone there is a field
+which specifies the 'refresh' interval. After that interval has elapsed,
+the slave nameserver needs to check at the master ff the serial number
+there is higher than what is stored in the backend locally.
+
+If this is the case, PowerDNS dubs the domain 'stale', and schedules a
+transfer of data from the remote. This transfer remains scheduled until
+the serial numbers remote and locally are identical again.
+
+This theory is implemented by the ``getUnfreshSlaveInfos`` method, which
+is called on all backends periodically. This method fills a vector of
+**SlaveDomain**\ s with domains that are unfresh and possibly stale.
+
+PowerDNS then retrieves the SOA of those domains remotely and locally
+and creates a list of stale domains. For each of these domains, PowerDNS
+starts a zone transfer to resynchronise. Because zone transfers can
+fail, it is important that the interface to the backend allows for
+transaction semantics because a zone might otherwise be left in a
+halfway updated situation.
+
+The following excerpt from the DNSBackend shows the relevant functions:
+
+.. code-block:: cpp
+
+ class DNSBackend {
+ public:
+ /* ... */
+ virtual bool getDomainInfo(const string &domain, DomainInfo &di);
+ virtual bool isMaster(const string &name, const string &ip);
+ virtual bool startTransaction(const string &qname, int id);
+ virtual bool commitTransaction();
+ virtual bool abortTransaction();
+ virtual bool feedRecord(const DNSResourceRecord &rr, string *ordername=0);
+ virtual void getUnfreshSlaveInfos(vector<DomainInfo>* domains);
+ virtual void setFresh(uint32_t id);
+ /* ... */
+ }
+
+The mentioned DomainInfo struct looks like this:
+
+.. cpp:class:: DomainInfo
+
+.. cpp:member:: uint32_t DomainInfo::id
+
+ ID of this zone within this backend
+
+.. cpp:member:: string DomainInfo::master
+
+ IP address of the master of this domain, if any
+
+.. cpp:member:: uint32_t DomainInfo::serial
+
+ Serial number of this zone
+
+.. cpp:member:: uint32_t DomainInfo::notified_serial
+
+ Last serial number of this zone that slaves have seen
+
+.. cpp:member:: time_t DomainInfo::last_check
+
+ Last time this zone was checked over at the master for changes
+
+.. cpp:member:: enum DomainKind DomainInfo::kind
+
+ Type of zone
+
+.. cpp:member:: DNSBackend* DomainInfo::backend
+
+ Pointer to the backend that feels authoritative for a domain and can act as a slave
+
+.. cpp:enum:: DomainKind
+
+ The kind of domain, one of {Master,Slave,Native}.
+
+These functions all have a default implementation that returns false -
+which explains that these methods can be omitted in simple backends.
+Furthermore, unlike with simple backends, a slave capable backend must
+make sure that the 'DNSBackend \*db' field of the SOAData record is
+filled out correctly - it is used to determine which backend will house
+this zone.
+
+.. cpp:function:: bool DomainInfo::isMaster(const string &name, const string &ip)
+
+ If a backend considers itself a slave for the domain **name** and if the
+ IP address in **ip** is indeed a master, it should return true. False
+ otherwise. This is a first line of checks to guard against reloading a
+ domain unnecessarily.
+
+.. cpp:function:: void DomainInfo::getUnfreshSlaveInfos(vector\<DomainInfo\>* domains)
+
+ When called, the backend should examine its list of slave domains and
+ add any unfresh ones to the domains vector.
+
+.. cpp:function:: bool DomainInfo::getDomainInfo(const string &name, DomainInfo & di)
+
+ This is like ``getUnfreshSlaveInfos``, but for a specific domain. If the
+ backend considers itself authoritative for the named zone, ``di`` should
+ be filled out, and 'true' be returned. Otherwise return false.
+
+.. cpp:function:: bool DomainInfo::startTransaction(const string &qname, int id)
+
+ When called, the backend should start a transaction that can be
+ committed or rolled back atomically later on. In SQL terms, this
+ function should **BEGIN** a transaction and **DELETE** all records.
+
+.. cpp:function:: bool DomainInfo::feedRecord(const DNSResourceRecord &rr, string *ordername)
+
+ Insert this record.
+
+.. cpp:function:: bool DomainInfo::commitTransaction()
+
+ Make the changes effective. In SQL terms, execute **COMMIT**.
+
+.. cpp:function:: bool DomainInfo::abortTransaction()
+
+ Abort changes. In SQL terms, execute **ABORT**.
+
+.. cpp:function:: bool DomainInfo::setFresh()
+
+ Indicate that a domain has either been updated or refreshed without the
+ need for a retransfer. This causes the domain to vanish from the vector
+ modified by ``getUnfreshSlaveInfos()``.
+
+PowerDNS will always call ``startTransaction()`` before making calls to
+``feedRecord()``. Although it is likely that ``abortTransaction()`` will
+be called in case of problems, backends should also be prepared to abort
+from their destructor.
+
+The actual code in PowerDNS is currently:
+
+.. code-block:: cpp
+
+ Resolver resolver;
+ resolver.axfr(remote,domain.c_str());
+
+ db->startTransaction(domain, domain_id);
+ L<<Logger::Error<<"AXFR started for '"<<domain<<"'"<<endl;
+ Resolver::res_t recs;
+
+ while(resolver.axfrChunk(recs)) {
+ for(Resolver::res_t::const_iterator i=recs.begin();i!=recs.end();++i) {
+ db->feedRecord(*i);
+ }
+ }
+ db->commitTransaction();
+ db->setFresh(domain_id);
+ L<<Logger::Error<<"AXFR done for '"<<domain<<"'"<<endl;
+
+Supermaster/Superslave capability
+---------------------------------
+
+A backend that wants to act as a 'superslave' for a master should
+implement the following method:
+
+::
+
+ class DNSBackend
+ {
+ virtual bool superMasterBackend(const string &ip, const string &domain, const vector<DNSResourceRecord>&nsset, string *account, DNSBackend **db)
+ };
+
+This function gets called with the IP address of the potential
+supermaster, the domain it is sending a notification for and the set of
+NS records for this domain at that IP address.
+
+Using the supplied data, the backend needs to determine if this is a
+bonafide 'supernotification' which should be honoured. If it decides
+that it should, the supplied pointer to 'account' needs to be filled
+with the configured name of the supermaster (if accounting is desired),
+and the db needs to be filled with a pointer to your backend.
+
+Supermaster/superslave is a complicated concept, if this is all unclear
+see the :ref:`Supermaster and Superslave <supermaster-operation>`
+documentation.
+
+Read/write master-capable backends
+----------------------------------
+
+In order to be a useful master for a domain, notifies must be sent out
+whenever a domain is changed. Periodically, PowerDNS queries backends
+for domains that may have changed, and sends out notifications for slave
+nameservers.
+
+In order to do so, PowerDNS calls the ``getUpdatedMasters()`` method.
+Like the ``getUnfreshSlaveInfos()`` function mentioned above, this
+should add changed domain names to the vector passed.
+
+The following excerpt from the DNSBackend shows the relevant functions:
+
+.. code-block:: cpp
+
+ class DNSBackend {
+ public:
+ /* ... */
+ virtual void getUpdatedMasters(vector<DomainInfo>* domains);
+ virtual void setNotified(uint32_t id, uint32_t serial);
+ /* ... */
+ }
+
+These functions all have a default implementation that returns false -
+which explains that these methods can be omitted in simple backends.
+Furthermore, unlike with simple backends, a slave capable backend must
+make sure that the 'DNSBackend \*db' field of the SOAData record is
+filled out correctly - it is used to determine which backend will house
+this zone.
+
+.. cpp:function:: void DNSBackend::getUpdatedMasters(vector<DomainInfo>* domains)
+
+ When called, the backend should examine its list of master domains and
+ add any changed ones to the :cpp:class:`DomainInfo` vector.
+
+.. cpp:function:: bool DNSBackend::setNotified(uint32_t domain_id, uint32_t serial)
+
+ Indicate that notifications have been queued for this domain and that it
+ need not be considered 'updated' anymore
+
+DNS update support
+------------------
+
+To make your backend DNS update compatible, it needs to implement a
+number of new functions and functions already used for slave-operation.
+The new functions are not DNS update specific and might be used for
+other update/remove functionality at a later stage.
+
+.. code-block:: cpp
+
+ class DNSBackend {
+ public:
+ /* ... */
+ virtual bool startTransaction(const string &qname, int id);
+ virtual bool commitTransaction();
+ virtual bool abortTransaction();
+ virtual bool feedRecord(const DNSResourceRecord &rr, string *ordername);
+ virtual bool replaceRRSet(uint32_t domain_id, const string& qname, const QType& qt, const vector<DNSResourceRecord>& rrset)
+ virtual bool listSubZone(const string &zone, int domain_id);
+ /* ... */
+ }
+
+.. cpp:function:: virtual bool DNSBackend::startTransaction(const string &qname, int id)
+
+ See :cpp:func:`above <DNSBackend::beginTransaction>`. Please
+ note that this function now receives a negative number (-1), which
+ indicates that the current zone data should NOT be deleted.
+
+.. cpp:function:: virtual bool DNSBackend::commitTransaction()
+
+ See :cpp:func:`above <DNSBackend::commitTransaction>`.
+
+.. cpp:function:: virtual bool DNSBackend::abortTransaction()
+
+ See cpp:func:`above <DNSBackend::abortTransaction>`. Method is called when an
+ exception is received.
+
+.. cpp:function:: virtual bool DNSBackend::feedRecord(const DNSResourceRecord &rr, string *ordername)
+
+ See :cpp:func:`above <DNSBackend::feedRecord>`.
+ Please keep in mind that the zone is not empty because
+ ``startTransaction()`` was called different.
+
+.. cpp:function:: virtual bool DNSBackend::listSubZone(const string &name, int domain_id)
+
+ This method is needed for rectification of a zone after NS-records have
+ been added. For DNSSEC, we need to know which records are below the
+ currently added record. ``listSubZone()`` is used like ``list()`` which
+ means PowerDNS will call ``get()`` after this method. The default SQL
+ query looks something like this::
+
+ // First %s is 'sub.zone.com', second %s is '*.sub.zone.com'
+ select content,ttl,prio,type,domain_id,name from records where (name='%s' OR name like '%s') and domain_id=%d
+
+ The method is not only used when adding records, but also to correct
+ ENT-records in powerdns. Make sure it returns every record in the tree
+ below the given record.
+
+.. cpp:function:: virtual bool DNSBackend::replaceRRSet(uint32_t domain_id, const string& qname, const QType& qt, const vector<DNSResourceRecord>& rrset)
+
+ This method should remove all the records with ``qname`` of type ``qt``.
+ ``qt`` might also be ANY, which means all the records with that
+ ``qname`` need to be removed. After removal, the records in ``rrset``
+ must be added to the zone. ``rrset`` can be empty in which case the
+ method is used to remove a RRset.
+
+DNS update support
+------------------
+
+To make your backend DNS update compatible, it needs to implement a
+number of new functions and functions already used for slave-operation.
+The new functions are not DNS update specific and might be used for
+other update/remove functionality at a later stage.
+
+.. code-block:: cpp
+
+ class DNSBackend {
+ public:
+ /* ... */
+ virtual bool startTransaction(const string &qname, int id);
+ virtual bool commitTransaction();
+ virtual bool abortTransaction();
+ virtual bool feedRecord(const DNSResourceRecord &rr, string *ordername);
+ virtual bool replaceRRSet(uint32_t domain_id, const string& qname, const QType& qt, const vector<DNSResourceRecord>& rrset);
+ virtual bool listSubZone(const string &zone, int domain_id);
+ /* ... */
+ }
+
+.. cpp:function:: virtual bool DNSBackend::startTransaction(const string &qname, int id)
+
+ See :ref:`rw-slave`. Please note that this
+ function now receives a negative number (-1), which indicates that the
+ current zone data should NOT be deleted.
+
+.. cpp:function:: virtual bool DNSBackend::commitTransaction()
+
+ See :ref:`rw-slave`.
+
+.. cpp:function:: virtual bool DNSBackend::abortTransaction()
+
+ See :ref:`rw-slave`. Method is called when an exception is received.
+
+.. cpp:function:: virtual bool DNSBackend::feedRecord(const DNSResourceRecord &rr, string *ordername)
+
+ See :ref:`rw-slave`. Please keep in mind
+ that the zone is not empty because :func:`DNSBackend::startTransaction` was called
+ different.
+
+.. cpp:function:: virtual bool DNSBackend::listSubZone(const string &name, int domain_id)
+
+ This method is needed for rectification of a zone after NS-records
+ have been added. For DNSSEC, we need to know which records are below
+ the currently added record. ``listSubZone()`` is used like ``list()``
+ which means PowerDNS will call ``get()`` after this method. The
+ default SQL query looks something like this::
+
+ // First %s is 'sub.zone.com', second %s is '*.sub.zone.com'
+ select content,ttl,prio,type,domain_id,name from records where (name='%s' OR name like '%s') and domain_id=%d
+
+ The method is not only used when adding records, but also to correct
+ ENT-records in powerdns. Make sure it returns every record in the tree
+ below the given record.
+
+.. cpp:function:: virtual bool DNSBackend::replaceRRSet(uint32_t domain_id, const string& qname, const QType& qt, const vector<DNSResourceRecord>& rrset)
+
+ This method should remove all the records with ``qname`` of type ``qt``.
+ ``qt`` might also be ANY, which means all the records with that
+ ``qname`` need to be removed. After removal, the records in ``rrset``
+ must be added to the zone. ``rrset`` can be empty in which case the
+ method is used to remove a RRset.
+
+Miscellaneous
+-------------
+
+ENT (Empty Non-Terminal)
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+You are expected to reply with a DNSResourceRecord having ``qtype = 0``,
+``ttl = 0`` and ``content`` should be empty string (string length 0)
--- /dev/null
+Internals
+=========
+
+How PowerDNS translates DNS queries into backend queries
+--------------------------------------------------------
+
+A DNS query is not a straightforward lookup. Many DNS queries need to
+check the backend for additional data, for example to determine if an
+unfound record should lead to an NXDOMAIN ('we know about this domain,
+but that record does not exist') or an unauthoritative response.
+
+Simplified, without CNAME processing, wildcards, referrals and DNSSEC,
+the algorithm is like this:
+
+When a query for a ``qname``/``qtype`` tuple comes in, PowerDNS queries
+backends to find the closest matching SOA, thus figuring out what
+backend owns this zone. When the right backend has been found, PowerDNS
+issues a ``qname``/``ANY`` query to the backend. If the response is
+empty, NXDOMAIN is concluded. If the response is not empty, any contents
+matching the original qtype are added to the list of records to return,
+and NOERROR is set.
+
+Each of these records is now investigated to see if it needs 'additional
+processing'. This holds for example for MX records which may point to
+hosts for which the PowerDNS backends also contain data. This involves
+further lookups for A or AAAA records.
+
+After all additional processing has been performed, PowerDNS sieves out
+all double records which may well have appeared. The resulting set of
+records is added to the answer packet, and sent out.
+
+A zone transfer works by looking up the ``domain_id`` of the SOA record
+of the name and then listing all records of that ``domain_id``. This is
+why all records in a domain need to have the same domain\_id.
+
+If no SOA was found, a REFUSED is returned.
+
--- /dev/null
+Supported Record Types
+======================
+
+This chapter lists all record types PowerDNS supports, and how they are
+stored in backends. The list is mostly alphabetical but some types are
+grouped.
+
+.. warning::
+ Host names and the MNAME of a SOA records are NEVER
+ terminated with a '.' in PowerDNS storage! If a trailing '.' is present
+ it will inevitably cause problems, problems that may be hard to debug.
+ Use ``pdnsutil check-zone`` to validate your zone data.
+
+..note::
+ Whenever the storage format is mentioned, this relates only to
+ the way the record should be stored in one of the :doc:`generic SQL <../backends/generic-sql>` backends. The other
+ backends should use their *native* format.
+
+The PowerDNS Recursor can serve and store all record types, regardless
+of whether these are explicitly supported.
+
+.. _types-a:
+
+A
+-
+
+The A record contains an IP address. It is stored as a decimal dotted
+quad string, for example: '203.0.113.210'.
+
+.. _types-aaaa:
+
+AAAA
+----
+
+The AAAA record contains an IPv6 address. An example:
+'2001:DB8:2000:bf0::1'.
+
+.. _types-afsdb:
+
+AFSDB
+-----
+
+A specialised record type for the 'Andrew Filesystem'. Stored as:
+'#subtype hostname', where subtype is a number.
+
+.. _types-alias:
+
+ALIAS
+-----
+
+.. versionadded:: 4.0.0
+
+The ALIAS pseudo-record type is supported to provide
+CNAME-like mechanisms on a zone's apex. See the :doc:`howto <../guides/alias>` for information
+on how to configure PowerDNS to serve records synthesized from ALIAS
+records.
+
+.. _types-caa:
+
+CAA
+---
+
+.. versionadded:: 4.0.0
+
+The "Certification Authority Authorization" record,
+specified in :rfc:`6844`, is used
+to specify Certificate Authorities that may issue certificates for a
+domain.
+
+.. _types-cert:
+
+CERT
+----
+
+Specialised record type for storing certificates, defined in :rfc:`2538`.
+
+.. _types-cdnskey:
+
+CDNSKEY
+-------
+
+.. versionadded:: 4.0.0
+
+The CDNSKEY (:rfc:`Child DNSKEY <7344#section-3.2>`) type is supported.
+
+.. _types-cds:
+
+CDS
+---
+
+.. versionadded:: 4.0.0
+
+The CDS (:rfc:`Child DS <7344#section-3.1>`) type is supported.
+
+.. _types-cname:
+
+CNAME
+-----
+
+The CNAME record specifies the canonical name of a record. It is stored
+plainly. Like all other records, it is not terminated by a dot. A sample
+might be 'webserver-01.yourcompany.com'.
+
+.. _types-dnskey:
+
+DNSKEY
+------
+
+The DNSKEY DNSSEC record type is fully supported, as described in :rfc:`4034`.
+Enabling DNSSEC for domains can be done with :doc:`pdnsutil <../dnssec/pdnsutil>`.
+
+.. _types-dname:
+
+DNAME
+-----
+
+The DNAME record, as specified in :rfc:`6672` is supported. However,
+:ref:`setting-dname-processing` has to be set to ``yes`` for PowerDNS to process these records.
+
+.. _types-ds:
+
+DS
+--
+
+The DS DNSSEC record type is fully supported, as described in :rfc:`4034`.
+Enabling DNSSEC for domains can be done with :doc:`pdnsutil <../dnssec/pdnsutil>`.
+
+.. _types-hinfo:
+
+HINFO
+-----
+
+Hardware Info record, used to specify CPU and operating system. Stored
+with a single space separating these two, example: 'i386 Linux'.
+
+.. _types-key:
+
+KEY
+---
+
+The KEY record is fully supported. For its syntax, see :rfc:`2535`.
+
+.. _types-loc:
+
+LOC
+---
+
+The LOC record is fully supported. For its syntax, see :rfc:`1876`.
+A sample content would be: ``51 56 0.123 N 5 54 0.000 E 4.00m 1.00m 10000.00m 10.00m``
+
+.. _types-mx:
+
+MX
+--
+
+The MX record specifies a mail exchanger host for a domain. Each mail
+exchanger also has a priority or preference. For example
+``10 mx.example.net``. In the generic SQL backends, the ``10`` should go
+in the 'priority field'.
+
+.. _types-naptr:
+
+NAPTR
+-----
+
+Naming Authority Pointer, :rfc:`2915`. Stored as follows:
+
+::
+
+ '100 50 "s" "z3950+I2L+I2C" "" _z3950._tcp.gatech.edu'.
+
+The fields are: order, preference, flags, service, regex, replacement.
+Note that the replacement is not enclosed in quotes, and should not be.
+The replacement may be omitted, in which case it is empty. See also :rfc:`2916`
+for how to use NAPTR for ENUM (E.164) purposes.
+
+.. _types-ns:
+
+NS
+--
+
+Nameserver record. Specifies nameservers for a domain. Stored plainly:
+``ns1.powerdns.com``, as always without a terminating dot.
+
+NSEC, NSEC3, NSEC3PARAM
+-----------------------
+
+The NSEC, NSEC3 and NSEC3PARAM DNSSEC record type are fully supported,
+as described in :rfc:`4034`.
+Enabling DNSSEC for domains can be done with :doc:`pdnsutil <../dnssec/pdnsutil>`.
+
+.. _types-openpgpkey:
+
+OPENPGPKEY
+----------
+
+The OPENPGPKEY records, specified in :rfc:`7929`, are
+used to bind OpenPGP certificates to email addresses.
+
+.. _types-ptr:
+
+PTR
+---
+
+Reverse pointer, used to specify the host name belonging to an IP or
+IPv6 address. Name is stored plainly: ``www.powerdns.com``. As always,
+no terminating dot.
+
+.. _types-rp:
+
+RP
+--
+
+Responsible Person record, as described in :rfc:`1183`. Stored with a single space
+between the mailbox name and the more-information pointer. Example:
+``peter.powerdns.com peter.people.powerdns.com``, to indicate that
+``peter@powerdns.com`` is responsible and that more information about
+peter is available by querying the TXT record of
+peter.people.powerdns.com.
+
+.. _types-rrsig:
+
+RRSIG
+-----
+
+The RRSIG DNSSEC record type is fully supported, as described in :rfc:`4034`.
+
+.. _types-soa:
+
+SOA
+---
+
+The Start of Authority record is one of the most complex available. It
+specifies a lot about a domain: the name of the master nameserver ('the
+primary'), the hostmaster and a set of numbers indicating how the data
+in this domain expires and how often it needs to be checked. Further
+more, it contains a serial number which should rise on each change of
+the domain.
+
+The stored format is:
+
+::
+
+ primary hostmaster serial refresh retry expire default_ttl
+
+Besides the primary and the hostmaster, all fields are numerical.
+PowerDNS has a set of default values:
+
+- primary: :ref:`setting-default-soa-name`
+ configuration option
+- hostmaster: ``hostmaster@domain-name``
+- serial: 0
+- refresh: 10800 (3 hours)
+- retry: 3600 (1 hour)
+- expire: 604800 (1 week)
+- default_ttl: 3600 (1 hour)
+
+The fields have complicated and sometimes controversial meanings. The
+'serial' field is special. If left at 0, the default, PowerDNS will
+perform an internal list of the domain to determine highest change_date
+field of all records within the zone, and use that as the zone serial
+number. This means that the serial number is always raised when changes
+are made to the zone, as long as the change_date field is being set.
+Make sure to check whether your backend of choice supports Autoserial.
+
+.. _types-spf:
+
+SPF
+---
+
+SPF records can be used to store Sender Policy Framework details (:rfc:`4408`).
+
+.. _types-sshfp:
+
+SSHFP
+-----
+
+The SSHFP record type, used for storing Secure Shell (SSH) fingerprints,
+is fully supported. A sample from :rfc:`4255` is::
+
+ 2 1 123456789abcdef67890123456789abcdef67890
+
+.. _types-srv:
+
+SRV
+---
+
+SRV records can be used to encode the location and port of services on a
+domain name. When encoding, the priority field is used to encode the
+priority. For example,
+``_ldap._tcp.dc._msdcs.conaxis.ch SRV 0 100 389 mars.conaxis.ch`` would
+be encoded with ``0`` in the priority field and
+``100 389 mars.conaxis.ch`` in the content field.
+
+TKEY, TSIG
+----------
+
+The TKEY (:rfc:`2930`) and TSIG records (:rfc:`2845`), used for
+key-exchange and authenticated AXFRs, are supported. See the :doc:`../tsig`
+and `DNS update <../dnsupdate>` documentation for more information.
+
+.. _types-tlsa:
+
+TLSA
+----
+
+Since 3.0. The TLSA records, specified in :rfc:`6698`, are used to bind SSL/TLS
+certificate to named hosts and ports.
+
+.. _types-smimea:
+
+SMIMEA
+------
+
+Since 4.1. The SMIMEA record type, specified in :rfc:`8162`, is used to bind S/MIME
+certificates to domains.
+
+.. _types-txt:
+
+TXT
+---
+
+The TXT field can be used to attach textual data to a domain. Text is
+stored plainly, PowerDNS understands content not enclosed in quotes.
+However, all quotes characters (``"``) in the TXT content must be
+preceded with a backslash (``\``).:
+
+::
+
+ "This \"is\" valid"
+
+For a literal backslash in the TXT record, escape it:
+
+::
+
+ "This is also \\ valid"
+
+Unicode characters can be added in two ways, either by adding the
+character itself or the escaped variant to the content field. e.g.
+``"ç"`` is equal to ``"\195\167"``.
+
+When a TXT record is longer than 255 characters/bytes (excluding
+possible enclosing quotes), PowerDNS will cut up the content into 255
+character/byte chunks for transmission to the client.
+
+.. _types-uri:
+
+URI
+---
+
+The URI record, specified in :rfc:`7553`, is used to publish
+mappings from hostnames to URIs.
+
+Other types
+-----------
+
+The following, rarely used or obsolete record types, are also supported:
+
+- A6 (:rfc:`2874`, obsolete)
+- DHCID (:rfc:`4701`)
+- DLV (:rfc:`4431`)
+- EUI48/EUI64 (:rfc:`7043`)
+- IPSECKEY (:rfc:`4025`)
+- KEY (:rfc:`2535`, obsolete)
+- KX (:rfc:`2230`)
+- MAILA (:rfc:`1035`)
+- MAILB (:rfc:`1035`)
+- MINFO (:rfc:`1035`)
+- MR (:rfc:`1035`)
+- RKEY (`draft-reid-dnsext-rkey-00.txt <https://tools.ietf.org/html/draft-reid-dnsext-rkey-00>`__)
+- SIG (:rfc:`2535`, obsolete)
+- WKS (:rfc:`1035`)
+++ /dev/null
-URL: /api/v0/servers/:server\_id/zones/:zone\_name/metadata
------------------------------------------------------------
-
-Collection access.
-
-Allowed methods: ``GET``, ``POST``
-
-GET
-^^^
-
-Returns all metadata entries for the zone.
-
-POST
-^^^^
-
-Creates a set of metadata entries of given kind for the zone.
-
-- existing metadata entries for the zone with the same kind are not
- overwritten.
-
-URL: /api/v1/servers/:server\_id/zones/:zone\_name/metadata/:metadata\_kind
----------------------------------------------------------------------------
-
-Allowed methods: ``GET``, ``PUT``, ``DELETE``
-
-GET
-^^^
-
-Returns all metadata entries of a given kind for the zone.
-
-DELETE
-^^^^^^
-
-Deletes all metadata entries of a given kind for the zone.
-
-PUT
-^^^
-
-Modifies the metadata entries of a given kind for the zone.
-
-This returns ``200 OK`` on success.
-
-Cryptokeys
-==========
-
-cryptokey\_resource
--------------------
-
-::
-
- {
- "type": "Cryptokey",
- "id": <int>,
- "active": <bool>,
- "keytype": <keytype>,
- "dnskey": <string>,
- "privatekey": <string>,
- "ds": [ <ds>,
- <ds>,
- .... ]
- }
-
-Parameters:
-'''''''''''
-
-``id``: read-only.
-
-``keytype``: ``<keytype>`` is one of the following: ``ksk``, ``zsk``,
-``csk``.
-
-``dnskey``: the DNSKEY for this key
-
-``ds``: an array with all DSes for this key
-
-``privatekey``: private key data (in ISC format).
-
-URL: /api/v1/servers/:server\_id/zones/:zone\_name/cryptokeys
--------------------------------------------------------------
-
-Allowed methods: ``GET``, ``POST``
-
-GET
-^^^
-
-Returns all public data about cryptokeys, but not ``privatekey``.
-
-POST
-^^^^
-
-This method adds a new key to a zone. The key can either be generated or
-imported by supplying the content parameter.
-
-Parameters:
-'''''''''''
-
-- ``content`` : "<key>" ``<string>`` (The format used is compatible
- with BIND and NSD/LDNS)
-- ``keytype`` : "ksk\|zsk" ``<string>``
-- ``active``: "true\|false" ``<value>`` (If not set the key will not be
- active by default)
-
-If ``content`` == ``null``, the server generates a new key. In this
-case, the following additional fields MAY be supplied:
-
-- ``bits``: number of bits ``<int>``
-- ``algo``: ``<algo>`` (Default: 13/ECDSA)
-
-Where ``<algo>`` is one of the supported key algorithms in lowercase OR
-the numeric id, see
-```the list`` <../authoritative/dnssec.md#supported-algorithms>`__.
-
-Response:
-'''''''''
-
-- ``422 Unprocessable Entity``:
-
- - keytype is not ksk\|zsk:
-
- - ``{"error" : "Invalid keytype 'keytype'"}``
-
- - The "algo" is not supported:
-
- - ``{"error" : "Unknown algorithm: 'algo'"}``
-
- - Algo <= 10 and the ``bits`` parameter is not set:
-
- - ``{"error" : "Creating an algorithm 'algo' key requires the size (in bits) to be passed."}``
-
- - The provided bit size is not supported by the selected algorithm:
-
- - ``{"error" : "The algorithm does not support the given bit size."}``
-
- - The ``bits`` parameter is not a positive integer value:
-
- - ``{"error" : "'bits' must be a positive integer value"}``
-
- - If the server can not guess the key size:
-
- - ``{"error" : "Can not guess key size for algorithm"}``
-
- - The key-creation failed:
-
- - ``{"error" : "Adding key failed, perhaps DNSSEC not enabled in configuration?"}``
-
- - The key in ``content`` has the wrong format:
-
- - ``{"error" : "Key could not be parsed. Make sure your key format is correct."}``
-
-- ``201 Created``:
-
- - Everything was fine:
-
- - Returns all public data about the new cryptokey. Look at
- cryptokey\_resource.
-
-URL: /api/v1/servers/:server\_id/zones/:zone\_name/cryptokeys/:cryptokey\_id
-----------------------------------------------------------------------------
-
-Allowed methods: ``GET``, ``PUT``, ``DELETE``
-
-GET
-^^^
-
-Returns all public data about cryptokeys, including ``privatekey``.
-
-PUT
-^^^
-
-This method de/activates a key from ``zone_name`` specified by
-``cryptokey_id``.
-
-Parameters:
-'''''''''''
-
-- ``active``: "true\|false" ``<value>``
-
-Responses:
-''''''''''
-
-- ``204 No Content``: The key with ``cryptokey_id`` is de/activated.
-- ``422 Unprocessable Entity``: The backend returns false on
- de/activation. An error occurred.
- ``{"error": "Could not de/activate Key: :cryptokey_id in Zone: :zone_name"}``
-
-DELETE
-^^^^^^
-
-This method deletes a key from ``zone_name`` specified by
-``cryptokey_id``.
-
-Responses:
-''''''''''
-
-- ``200 OK``: The Key is gone.
-- ``422 Unprocessable Entity``: The backend failed to remove the key.
- ``{"error": Could not DELETE :cryptokey_id"}``
-
-Data searching
-==============
-
-URL: /api/v1/servers/localhost/search-data?q=:search\_term&max=:max\_results
-----------------------------------------------------------------------------
-
-**Note**: Authoritative only.
-
-Allowed methods: ``GET``
-
-GET
-^^^
-
-Search the data inside PowerDNS for :search\_term and return at most
-:max\_results. This includes zones, records and comments. The ``*``
-character can be used in :search\_term as a wildcard character and the
-``?`` character can be used as a wildcard for a single character.
-
-Response body is an array of one or more of the following objects:
-
-For a zone:
-
-::
-
- {
- "name": "<zonename>",
- "object_type": "zone",
- "zone_id": "<zoneid>"
- }
-
-For a record:
-
-::
-
- {
- "content": "<content>",
- "disabled": <bool>,
- "name": "<name>",
- "object_type": "record",
- "ttl": <ttl>,
- "type": "<type>",
- "zone": "<zonename>,
- "zone_id": "<zoneid>"
- }
-
-For a comment:
-
-::
-
- {
- "object_type": "comment",
- "name": "<name>",
- "content": "<content>"
- "zone": "<zonename>,
- "zone_id": "<zoneid>"
- }
-
-
--- /dev/null
+Bind zone file backend
+======================
+
+* Native: Yes
+* Master: Yes
+* Slave: Yes
+* Superslave: Experimental
+* Autoserial: No
+* DNSSEC: Yes
+* Disabled data: No
+* Comments: No
+* Module name: bind
+* Launch: ``bind``
+
+The BindBackend started life as a demonstration of the versatility of
+PowerDNS but quickly gained in importance when there appeared to be
+demand for a Bind 'work-alike'.
+
+The BindBackend parses a Bind-style ``named.conf`` and extracts
+information about zones from it. It makes no attempt to honour other
+configuration flags, which you should configure (when available) using
+the PowerDNS native configuration.
+
+Configuration Parameters
+------------------------
+
+.. _setting-bind-config:
+
+``bind-config``
+~~~~~~~~~~~~~~~
+
+Location of the Bind configuration file to parse.
+
+.. _setting-bind-check-interval:
+
+``bind-check-interval``
+~~~~~~~~~~~~~~~~~~~~~~~
+
+How often to check for zone changes. See :ref:`bind-operation` section.
+
+.. _setting-bind-dnssec-db:
+
+``bind-dnssec-db``
+~~~~~~~~~~~~~~~~~~
+
+Filename to store and access our DNSSEC metadatabase, empty for none. To
+slave DNSSEC-enabled domains (where the RRSIGS are in the AXFR), a
+``bind-dnssec-db`` is required. This is because the
+:ref:`metadata-presigned` domain metadata is set
+during the zonetransfer.
+
+.. _setting-bind-hybrid:
+
+``bind-hybrid``
+~~~~~~~~~~~~~~~
+
+Store DNSSEC keys and metadata storage in an other backend. See the
+:ref:`dnssec-modes-hybrid-bind` documentation.
+
+.. _setting-bind-ignore-broken-records:
+
+``bind-ignore-broken-records``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Setting this option to ``yes`` makes PowerDNS ignore out of zone records
+when loading zone files.
+
+.. _bind-operation:
+
+Operation
+---------
+
+On launch, the BindBackend first parses the ``named.conf`` to determine
+which zones need to be loaded. These will then be parsed and made
+available for serving, as they are parsed. So a ``named.conf`` with
+100.000 zones may take 20 seconds to load, but after 10 seconds, 50.000
+zones will already be available. While a domain is being loaded, it is
+not yet available, to prevent incomplete answers.
+
+Reloading is currently done only when a request for a zone comes in, and
+then only after :ref:`setting-bind-check-interval`.
+seconds have passed after the last check. If a change occurred, access
+to the zone is disabled, the file is reloaded, access is restored, and
+the question is answered. For regular zones, reloading is fast enough to
+answer the question which lead to the reload within the DNS timeout.
+
+If :ref:`setting-bind-check-interval` is specified as
+zero, no checks will be performed until the ``pdns_control reload`` is
+given.
+
+pdns\_control commands
+----------------------
+
+``bind-add-zone <domain> <filename>``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Add zone ``domain`` from ``filename`` to PowerDNS's bind backend. Zone
+will be loaded at first request.
+
+.. note::
+ This does not add the zone to the :ref:`setting-bind-config` file.
+
+``bind-domain-status <domain> [domain]``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Output status of domain or domains. Can be one of
+``seen in named.conf, not parsed``, ``parsed successfully at <time>`` or
+``error parsing at line ... at <time>``.
+
+``bind-list-rejects``
+~~~~~~~~~~~~~~~~~~~~~
+
+Lists all zones that have problems, and what those problems are.
+
+``bind-reload-now <domain>``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Reloads a zone from disk NOW, reporting back results.
+
+``rediscover``
+~~~~~~~~~~~~~~
+
+Reread the bind configuration file (``named.conf``). If parsing fails,
+the old configuration remains in force and ``pdns_control`` reports the
+error. Any newly discovered domains are read, discarded domains are
+removed from memory.
+
+``reload``
+~~~~~~~~~~
+
+All zones with a changed timestamp are reloaded at the next incoming
+query for them.
+
+Performance
+-----------
+
+The BindBackend does not benefit from the packet cache as it is fast
+enough on its own. Furthermore, on most systems, there will be no
+benefit in using multiple CPUs for the packetcache, so a noticeable
+speedup can be attained by specifying
+``distributor-threads=1`` in ``pdns.conf``.
+
+Master/slave/native configuration
+---------------------------------
+
+Master
+~~~~~~
+
+Works as expected. At startup, no notification storm is performed as
+this is generally not useful. Perhaps in the future the Bind Backend
+will attempt to store zone metadata in the zone, allowing it to
+determine if a zone has changed its serial since the last time
+notifications were sent out.
+
+Changes which are discovered when reloading zones do lead to
+notifications however.
+
+Slave
+~~~~~
+
+Also works as expected. The Bind backend expects to be able to write to
+a directory where a slave domain lives. The incoming zone is stored as
+'zonename.RANDOM' and atomically renamed if it is retrieved
+successfully, and parsed only then.
+
+In the future, this may be improved so the old zone remains available
+should parsing fail.
+
+Native
+~~~~~~
+
+PowerDNS has the concept of "native" zones that have the
+``type native;`` in the BIND configuration file. These zones are neither
+a master (no notifies are sent) nor a slave zone (it will never be
+AXFR'd in). This means that the replication mechanism for these zone is
+not AXFR but out of band, e.g. using ``rsync``. Changes to native zones
+are picked up in the same way as master and slave zones, see
+:ref:`bind-operation`.
+
+Native zones in the BIND backend are supported since version 4.1.0 of
+the PowerDNS Authoritative Server.
+
+**note**: Any zone with no ``type`` set (an error in BIND) is assumed to
+be native.
--- /dev/null
+Generic MySQL backend
+=====================
+
+* Native: Yes
+* Master: Yes
+* Slave: Yes
+* Superslave: Yes
+* Autoserial: Yes
+* Case: All lower
+* DNSSEC: Yes (set ``gmysql-dnssec``)
+* Disabled data: Yes
+* Comments: Yes
+* Module name: gmysql
+* Launch name: ``gmysql``
+
+.. warning::
+ If using MySQL with 'slave' support enabled in PowerDNS you
+ **must** run MySQL with a table engine that supports transactions. In
+ practice, great results are achieved with the 'InnoDB' tables. PowerDNS
+ will silently function with non-transaction aware MySQLs but at one
+ point this is going to harm your database, for example when an incoming
+ zone transfer fails.
+
+The default schema is included at the bottom of this page.
+:ref:`migration-zone2sql` with the ``--gmysql`` flag also
+assumes this layout is in place. For full migration notes, please see
+:doc:`../migration`. This schema contains all elements needed
+for master, slave and superslave operation.
+
+When using the InnoDB storage engine, we suggest adding foreign key
+contraints to the tables in order to automate deletion of records, key
+material, and other information upon deletion of a domain from the
+domains table. The following SQL does the job:
+
+.. literalinclude:: ../../modules/gmysqlbackend/enable-foreign-keys.mysql.sql
+
+Using MySQL replication
+-----------------------
+
+To support ``NATIVE`` domains, the ``binlog_format`` for the MySQL
+replication **must** be set to ``MIXED`` or ``ROW`` to prevent
+differences in data between replicated servers. See `"Setting
+The Binary Log
+Format" <http://dev.mysql.com/doc/refman/5.7/en/binary-log-setting.html>`__
+for more information.
+
+Settings
+--------
+
+.. _setting-gmysql-host:
+
+``gmysql-host``
+^^^^^^^^^^^^^^^
+
+Host (ip address) to connect to. Mutually exclusive with :ref:`setting-gmysql-socket`.
+
+.. warning::
+ When specified as a hostname a chicken/egg situation might
+ arise where the database is needed to resolve the IP address of the
+ database. It is best to supply an IP address of the database here.
+
+.. _setting-gmysql-port:
+
+``gmysql-port``
+^^^^^^^^^^^^^^^
+
+The port to connect to on :ref:`setting-gmysql-host`. Default: 3306
+
+.. _setting-gmysql-socket:
+
+``gmysql-socket``
+^^^^^^^^^^^^^^^^^
+
+Connect to the UNIX socket at this path. Mutually exclusive with :ref:`setting-gmysql-host`.
+
+.. _setting-gmysql-dbname:
+
+``gmysql-dbname``
+^^^^^^^^^^^^^^^^^
+
+Name of the database to connect to. Default: "pdns".
+
+.. _setting-gmysql-user:
+
+``gmysql-user``
+^^^^^^^^^^^^^^^
+
+User to connect as. Default: "powerdns".
+
+.. _setting-gmysql-group:
+
+``gmysql-group``
+^^^^^^^^^^^^^^^^
+
+Group to connect as. Default: "client".
+
+.. _setting-gmysql-password:
+
+``gmysql-password``
+^^^^^^^^^^^^^^^^^^^
+
+The password to for :ref:`setting-gmysql-user`.
+
+.. _setting-gmysql-dnssec:
+
+``gmysql-dnssec``
+^^^^^^^^^^^^^^^^^
+
+Enable DNSSEC processing for this backend. Default=no.
+
+.. _setting-gmysql-innodb-read-committed:
+
+``gmysql-innodb-read-committed``
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Use the InnoDB READ-COMMITTED transaction isolation level. Default=yes.
+
+.. _setting-gmysql-timeout:
+
+``gmysql-timeout``
+^^^^^^^^^^^^^^^^^^
+
+The timeout in seconds for each attempt to read from, or write to the
+server. A value of 0 will disable the timeout. Default: 10
+
+Default Schema
+--------------
+
+.. literalinclude:: ../../modules/gmysqlbackend/schema.mysql.sql
--- /dev/null
+Generic ODBC Backend
+====================
+
+* Native: Yes
+* Master: Yes
+* Slave: Yes
+* Superslave: Yes
+* Autoserial: Yes
+* Case: All lower
+* DNSSEC: Yes
+* Disabled data: Yes
+* Comments: Yes
+* Module name: godbc
+* Launch name: ``godbc``
+
+The Generic ODBC Backend (godbc) is a child of the Generic SQL (gsql)
+backend, similar to the gmysql and gpgsql backends. It uses
+`UnixODBC <http://www.unixodbc.org/>`__ and installed drivers to connect
+to the databases supported by said drivers.
+
+.. warning::
+ When there is a more specific generic sql backend (like
+ goracle or gmysql), it is highly recommended to use that backend
+ instead!
+
+Enabling the backend
+--------------------
+
+When building PowerDNS yourself, append ``godbc`` to ``--with-modules``
+or ``--with-dynmodules``. It is expected that most pre-built packages
+contain this backend or be separately installable.
+
+Configuration Parameters
+------------------------
+
+This section only details the configuration of PowerDNS for use with
+ODBC. For ODBC related configuration, please see UnixODBC
+website/documentation and the documentation for the driver you intend to
+use.
+
+.. _setting-godbc-datasource:
+
+``godbc-datasource``
+^^^^^^^^^^^^^^^^^^^^
+
+- String
+- Default: PowerDNS
+
+The datasource (DSN) to use. This must be configured in the ``odbc.ini``
+file, usually found in ``/etc/``, but this depends your local setup.
+
+.. _setting-godbc-username:
+
+``godbc-username``
+^^^^^^^^^^^^^^^^^^
+
+- String
+- Default: powerdns
+
+The user to connect to the datasource.
+
+.. _setting-godbc-password:
+
+``godbc-password``
+^^^^^^^^^^^^^^^^^^
+
+- String
+- Default is empty
+
+The password to connect with the datasource.
+
+Connecting to Microsoft SQL Server
+----------------------------------
+
+.. note::
+ In order to connect to Microsoft SQL Server, you will need at
+ least version 3.2.0 of UnixODBC. FreeDTS has been tested with versions
+ 0.91 and 0.95.
+
+Install the `FreeTDS <http://www.freetds.org/>`__ driver for UnixODBC,
+either by compiling or getting it from our distribution's repository and
+configure your ``/etc/odbcinst.ini`` with the driver, e.g.:
+
+.. code-block:: ini
+
+ [FreeTDS]
+ Description=v0.95.8 with protocol v7.1
+ Driver=/usr/local/lib/libtdsodbc.so
+ UsageCount=1
+
+And add the datasource to your ``/etc/odbc.ini``, e.g:
+
+.. code-block:: ini
+
+ [pdns1]
+ Driver=FreeTDS
+ Trace=No
+ Server=server.example.net
+ Port=1433
+ Database=pdns-1
+ TDS_Version=7.1
+
+(For our tests, we add ``ClientCharset=UTF-8`` as well. YMMV.)
+
+You can now test the connection with ``isql pdns1 USERNAME PASSWORD``.
+
+Loading the schema into the database
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+For convenience, a schema for MS SQL Server has been created: (Note:
+This schema can also be found in the PowerDNS source as
+``modules/godbcbackend/schema.mssql.sql``).
+
+.. literalinclude:: ../../modules/godbcbackend/schema.mssql.sql
+
+Load this into the database as follows:
+
+.. code-block:: bash
+
+ cat schema.mssql.sql | tr '\n' ' ' | isql pdns1 USERNAME PASSWORD -b.
+
+Loading records into the database
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Loading records is the same as with any SQL backend, just add them using
+SQL-queries. Should you want to use :ref:`zone2sql <migration-zone2sql>`,
+use the ``--sqlite`` option for correctly formatted SQL.
+
+Configuring PowerDNS
+^^^^^^^^^^^^^^^^^^^^
+
+Add the options required to your ``pdns.conf``:
+
+::
+
+ launch=godbc
+ godbc-datasource=pdns1
+ godbc-username=USERNAME
+ godbc-password=PASSWORD
+
+Now restart PowerDNS and you're done. Just don't forget to add zones and
+records to the database.
+
+Possible issues
+^^^^^^^^^^^^^^^
+
+It might be that you need to compile FreeTDS with the
+``--tds-version=7.1`` to connect to SQL Server.
+
+When connecting to a database hosted with Microsoft Azure, FreeTDS must
+be compiled with OpenSSL, use the ``--with-openssl`` configure flag.
--- /dev/null
+Generic Oracle backend
+======================
+
+* Native: Yes
+* Master: Yes
+* Slave: Yes
+* Superslave: Yes
+* Autoserial: Yes
+* Case: All lower
+* DNSSEC: Yes (set ``goracle-dnssec``)
+* Disabled data: Yes
+* Comments: Yes
+* Module name: goracle
+* Launch name: ``goracle``
+
+The Generic Oracle Backend is a :doc:`generic-sql`. The default setup conforms to the
+following schema, which you should add to an Oracle database. You may
+need or want to add ``namespace`` statements.
+
+.. literalinclude:: ../../modules/goraclebackend/schema.goracle.sql
+
+This schema contains all elements needed for master, slave and
+superslave operation.
+
+Inserting records is a bit different compared to MySQL and PostgreSQL,
+you should use:
+
+.. code-block:: SQL
+
+ INSERT INTO domains (id,name,type) VALUES (domains_id_sequence.nextval, 'example.net', 'NATIVE');
+
+Settings
+--------
+
+.. _setting-goracle-tnsname:
+
+``goracle-tnsname``
+^^^^^^^^^^^^^^^^^^^
+
+Which TNSNAME the Generic Oracle Backend should be connecting to. There
+are no ``goracle-dbname``, ``goracle-host`` or ``goracle-port``
+settings, their equivalent is in ``/etc/tnsnames.ora``.
+
+.. _setting-goracle-dnssec:
+
+``goracle-dnssec``
+^^^^^^^^^^^^^^^^^^
+
+Enable DNSSEC processing for this backend. Default=no.
+
+Caveats
+-------
+
+Password Expiry
+^^^^^^^^^^^^^^^
+
+When your password is about to expire, and logging into oracle warns
+about this, the Generic Oracle backend can no longer login, and will a
+OCILogin2 warning.
+
+To work around this, either update the password in time or remove
+expiration from the account used.
--- /dev/null
+Generic PostgreSQL backend
+==========================
+
+* Native: Yes
+* Master: Yes
+* Slave: Yes
+* Superslave: Yes
+* Autoserial: Yes
+* Case: All lower
+* DNSSEC: Yes (set ``gpgsql-dnssec``)
+* Disabled data: Yes
+* Comments: Yes
+* Module name: gpgsql
+* Launch name: ``gpgsql``
+
+This PostgreSQL backend is based on the :doc:`generic-sql`. The default setup conforms to the
+schema at the bottom of this page, note that
+:ref:`zone2sql <migration-zone2sql>` with the ``--gpgsql`` flag also
+assumes this layout is in place.
+
+This schema contains all elements needed for master, slave and
+superslave operation. For full migration notes, please see
+:doc:`Migration <../migration>` docs.
+
+With PostgreSQL, you may have to run ``createdb pdns`` first and then
+connect to that database with ``psql pdns``, and feed it the schema
+above.
+
+Settings
+--------
+
+.. _setting-gpgsql-host:
+
+``gpgsql-host``
+^^^^^^^^^^^^^^^
+
+Host (ip address) to connect to. If ``pgsql-host`` begins with a slash,
+it specifies Unix-domain communication rather than TCP/IP communication;
+the value is the name of the directory in which the socket file is
+stored.
+
+.. warning::
+ When specified as a hostname a chicken/egg situation might
+ arise where the database is needed to resolve the IP address of the
+ database. It is best to supply an IP address of the database here.
+
+.. _setting-gpgsql-port:
+
+``gpgsql-port``
+^^^^^^^^^^^^^^^
+
+The port to connect to on :ref:`setting-gpgsql-host`. Default: 5432
+
+.. _setting-gpgsql-dbname:
+
+``gpgsql-dbname``
+^^^^^^^^^^^^^^^^^
+
+Name of the database to connect to. Default: "pdns".
+
+.. _setting-gpgsql-user:
+
+``gpgsql-user``
+^^^^^^^^^^^^^^^
+
+User to connect as. Default: "powerdns".
+
+.. _setting-gpgsql-password:
+
+``gpgsql-password``
+^^^^^^^^^^^^^^^^^^^
+
+The password to for :ref:`setting-gpgsql-user`.
+
+.. _setting-gpgsql-dnssec:
+
+``gpgsql-dnssec``
+^^^^^^^^^^^^^^^^^
+
+Enable DNSSEC processing for this backend. Default=no.
+
+.. _setting-gpsql-extra-connection-parameters:
+
+``gpsql-extra-connection-parameters``
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Extra connection parameters to forward to postgres. If you want to pin a
+specific certificate for the connection you should set this to
+``sslmode=verify-full sslrootcert=<path-to-CA-cert>``. Accepted
+parameters are documented `in the PostgreSQL
+documentation <https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-PARAMKEYWORDS>`__.
+
+Default schema
+--------------
+
+.. literalinclude:: ../../modules/gpgsqlbackend/schema.pgsql.sql
--- /dev/null
+Generic SQL Backends
+====================
+
+The generic SQL backends (like gmysql, gpgsql and godbc) are backends
+with easily configurable SQL statements, allowing you to graft PowerDNS
+on any SQL database of your choosing. Because all database schemas will
+be different, a generic backend is needed to cover all needs.
+
+.. warning::
+ Host names and the MNAME of a SOA records are NEVER
+ terminated with a '.' in PowerDNS storage! If a trailing '.' is present
+ it will inevitably cause problems, problems that may be hard to debug.
+
+.. note::
+ A root zone or record should have a name of '.'
+ (no quotes). This is the only exception to the 'no terminating dot in
+ SQL storage' rule.
+
+Basic functionality
+-------------------
+
+All domains in the generic SQL backends have a 'type' field that
+describes the :doc:`../modes-of-operation`.
+
+Native operation
+^^^^^^^^^^^^^^^^
+
+To add a domain, issue the following:
+
+.. code-block:: SQL
+
+ INSERT INTO domains (name, type) VALUES ('powerdns.com', 'NATIVE');
+
+The records table can now be filled by with the domain_id set to the id
+of the domains table row just inserted.
+
+Slave operation
+^^^^^^^^^^^^^^^
+
+These backends are fully slave capable. To become a slave of the
+'example.com' domain, execute this:
+
+.. code-block:: SQL
+
+ INSERT INTO domains (name, master, type) VALUES ('example.com', '198.51.100.6', 'SLAVE');
+
+And wait a while for PowerDNS to pick up the addition - which happens
+within one minute (this is determined by the
+:ref:`setting-slave-cycle-interval`
+setting). There is no need to inform PowerDNS that a new domain was
+added. Typical output is:
+
+.. code-block:: SQL
+
+ Apr 09 13:34:29 All slave domains are fresh
+ Apr 09 13:35:29 1 slave domain needs checking
+ Apr 09 13:35:29 Domain powerdns.com is stale, master serial 1, our serial 0
+ Apr 09 13:35:30 [gPgSQLBackend] Connected to database
+ Apr 09 13:35:30 AXFR started for 'powerdns.com'
+ Apr 09 13:35:30 AXFR done for 'powerdns.com'
+ Apr 09 13:35:30 [gPgSQLBackend] Closing connection
+
+From now on, PowerDNS is authoritative for the 'powerdns.com' zone and
+will respond accordingly for queries within that zone.
+
+Periodically, PowerDNS schedules checks to see if domains are still
+fresh. The default
+:ref:`setting-slave-cycle-interval` is 60
+seconds, large installations may need to raise this value. Once a domain
+has been checked, it will not be checked before its SOA refresh timer
+has expired. Domains whose status is unknown get checked every 60
+seconds by default.
+
+PowerDNS has support for multiple masters per zone, separate master IP
+addresses by commas:
+
+.. code-block:: SQL
+
+ INSERT INTO domains (name, master, type) VALUES ('example.com', '198.51.100.6, 2001:0DB8:15:4AF::4', 'SLAVE');
+
+Superslave operation
+^^^^^^^^^^^^^^^^^^^^
+
+To configure a supermaster with IP address 203.0.113.53 which lists this
+installation as 'autoslave.example.com', issue the following:
+
+.. code-block:: SQL
+
+ INSERT INTO supermasters VALUES ('203.0.113.53', 'autoslave.example.com', 'internal');
+
+From now on, valid notifies from 203.0.113.53 that list a NS record
+containing 'autoslave.example.com' will lead to the provisioning of a
+slave domain under the account 'internal'. See :ref:`supermaster-operation`
+for details.
+
+Master operation
+^^^^^^^^^^^^^^^^
+
+The generic SQL backend is fully master capable with automatic discovery
+of serial changes. Raising the serial number of a domain suffices to
+trigger PowerDNS to send out notifications. To configure a domain for
+master operation instead of the default native replication, issue:
+
+.. code-block:: SQL
+
+ INSERT INTO domains (name, type) VALUES ('powerdns.com', 'MASTER');
+
+Make sure that the assigned id in the domains table matches the
+domain_id field in the records table!
+
+.. _generic-sql-disabled-data:
+
+Disabled data
+^^^^^^^^^^^^^
+
+PowerDNS understands the notion of disabled records. They are marked by
+setting "disabled" to ``1`` (for PostgreSQL: ``true``). By extension,
+when the SOA record for a domain is disabled, the entire domain is
+considered to be disabled.
+
+Effects: the record (or domain, respectively) will not be visible to DNS
+clients. The REST API will still see the record (or domain). Even if a
+domain is disabled, slaving still works. Slaving considers a disabled
+domain to have a serial of 0; this implies that a slaved domain will not
+stay disabled.
+
+.. _autoserial:
+
+Autoserial
+^^^^^^^^^^
+
+The autoserial functionality makes PowerDNS generate the SOA serial when
+the SOA serial set to ``0`` in the database. The serial in SOA responses
+is set to what's provided by ``zone-lastchange-query``. By default, this
+is the highest value of the ``change_date`` field in the "records"
+table).
+
+.. _generic-sql-handling-dnssec-signed-zones:
+
+Handling DNSSEC signed zones
+----------------------------
+
+To enable DNSSEC processing, the ``backend-dnssec`` option must be set
+to 'yes'.
+
+.. _rules-for-filling-out-dnssec-fields:
+
+Rules for filling out DNSSEC fields
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Two additional fields in the 'records' table are important: 'auth' and
+'ordername'. These fields are set correctly on an incoming zone
+transfer, and also by running ``pdnsutil rectify-zone``.
+
+The 'auth' field should be set to '1' for data for which the zone itself
+is authoritative, which includes the SOA record and its own NS records.
+
+The 'auth' field should be 0 however for NS records which are used for
+delegation, and also for any glue (A, AAAA) records present for this
+purpose. Do note that the DS record for a secure delegation should be
+authoritative!
+
+The 'ordername' field needs to be filled out depending on the NSEC/NSEC3
+mode. When running in NSEC3 'Narrow' mode, the ordername field is
+ignored and best left empty. In NSEC/NSEC3 mode, the ordername field
+should be NULL for any glue but filled in for all delegation NS records
+and all authoritative records. In NSEC3 opt-out mode, ordername is NULL
+for any glue and insecure delegation NS records, but filled in for
+secure delegation NS records and all authoritative records.
+
+In 'NSEC' mode, it should contain the *relative* part of a domain name,
+in reverse order, with dots replaced by spaces. So
+'www.uk.powerdnssec.org' in the 'powerdnssec.org' zone should have 'uk
+www' as its ordername.
+
+In 'NSEC3' non-narrow mode, the ordername should contain a lowercase
+base32hex encoded representation of the salted & iterated hash of the
+full record name. ``pdnsutil hash-zone-record zone record`` can be used
+to calculate this hash.
+
+In addition, PowerDNS fully supports empty non-terminals. If you have a
+zone example.com, and a host a.b.c.example.com in it, rectify-zone (and
+the AXFR client code) will insert b.c.example.com and c.example.com in
+the records table with type NULL (SQL NULL, not 'NULL'). Having these
+entries provides several benefits. We no longer reply NXDOMAIN for these
+shorter names (this was an RFC violation but not one that caused
+trouble). But more importantly, to do NSEC3 correctly, we need to be
+able to prove existence of these shorter names. The type=NULL records
+entry gives us a place to store the NSEC3 hash of these names.
+
+If your frontend does not add empty non-terminal names to records, you
+will get DNSSEC replies of 3.1-quality, which has served many people
+well, but might lead to issues in the future.
+
+.. _generic-sql-queries:
+
+Queries
+-------
+
+From version 4.0.0 onward, the generic SQL backends use prepared
+statements for their queries. Before 4.0.0, queries were expanded using
+the C function 'snprintf' which implies that substitutions are performed
+on the basis of %-placeholders.
+
+To see the default queries for a backend, run
+``pdns_server --no-config --launch=BACKEND --config``.
+
+Regular Queries
+^^^^^^^^^^^^^^^
+
+For regular operation, several queries are used for record-lookup. These
+queries must return the following fields in order:
+
+- content: This is the 'right hand side' of a DNS record. For an A
+ record, this is the IP address for example.
+- ttl: TTL of this record, in seconds. Must be a positive integer, no
+ checking is performed.
+- prio: For MX and SRV records, this should be the priority of the
+ record specified.
+- qtype: The ASCII representation of the qtype of this record. Examples
+ are 'A', 'MX', 'SOA', 'AAAA'. Make sure that this field returns an
+ exact answer - PowerDNS won't recognise 'A ' as 'A'. This can be
+ achieved by using a VARCHAR instead of a CHAR.
+- domain_id: Unique identifier for this domain. This id must be unique
+ across all backends. Must be a positive integer.
+- name: Actual name of a record. Must not end in a '.' and be fully
+ qualified - it is not relative to the name of the domain!
+- disabled: Boolean, if set to true, this record is hidden from DNS
+ clients, but can still be modified from the REST API. See :ref:`generic-sql-disabled-data`.
+- auth: A boolean describing if PowerDNS is authoritative for this
+ record (DNSSEC)
+
+Please note that the names of the fields are not relevant, but the order
+is!
+
+- ``basic-query``: This is the most used query, needed for doing 1:1
+ lookups of qtype/name values.
+- ``id-query``: Used for doing lookups within a domain.
+- ``any-query``: For doing ANY queries. Also used internally.
+- ``any-id-query``: For doing ANY queries within a domain. Also used
+ internally.
+- ``list-query``: For doing AXFRs, lists all records in the zone. Also
+ used internally.
+- ``list-subzone-query``: For doing RFC 2136 DNS Updates, lists all
+ records below a zone.
+- ``search-records-query``: To search for records on name and content.
+
+DNSSEC queries
+^^^^^^^^^^^^^^
+
+These queries are used by e.g. ``pdnsutil rectify-zone``. Make sure to
+read :ref:`rules-for-filling-out-dnssec-fields`
+if you wish to calculate ordername and auth without using pdns-rectify.
+
+- ``insert-empty-non-terminal-order--query``: Insert empty non-terminal
+ in zone.
+- ``delete-empty-non-terminal-query``: Delete an empty non-terminal in
+ a zone.
+- ``remove-empty-non-terminals-from-zone-query``: remove all empty
+ non-terminals from zone.
+
+- ``get-order-first-query``: DNSSEC Ordering Query, first.
+- ``get-order-before-query``: DNSSEC Ordering Query, before.
+- ``get-order-after-query``: DNSSEC Ordering Query, after.
+- ``get-order-last-query``: DNSSEC Ordering Query, last.
+- ``update-ordername-and-auth-query``: DNSSEC update ordername and auth
+ for a qname query.
+- ``update-ordername-and-auth-type-query``: DNSSEC update ordername and
+ auth for a rrset query.
+- ``nullify-ordername-and-update-auth-query``: DNSSEC nullify ordername
+ and update auth for a qname query.
+- ``nullify-ordername-and-update-auth-type-query``: DNSSEC nullify
+ ordername and update auth for a rrset query.
+
+Domain and zone manipulation
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+- ``is-our-domain-query``: Checks if the domain (either id or name) is
+ in the 'domains' table. This query is run before any other (possibly
+ heavy) query.
+
+- ``insert-zone-query``: Add a new domain. This query also requires the
+ type, masters and account fields
+- ``update-kind-query``: Called to update the type of domain.
+- ``delete-zone-query`` Called to delete all records of a zone. Used
+ before an incoming AXFR.
+- ``delete-domain-query``: Called to delete a domain from the
+ domains-table.
+
+- ``get-all-domains-query``: Used to get information on all active
+ domains.
+- ``info-zone-query``: Called to retrieve (nearly) all information for
+ a domain.
+
+- ``insert-record-query``: Called during incoming AXFR.
+- ``update-account-query``: Set the account for a domain.
+- ``delete-names-query``: Called to delete all records of a certain
+ name.
+- ``delete-rrset-query``: Called to delete an RRset based on
+ domain_id, name and type.
+
+- ``get-all-domain-metadata-query``: Get all
+ :doc:`domain metadata <../domainmetadata>` for a domain.
+- ``get-domain-metadata-query``: Get a single piece of
+ :doc:`domain metadata <../domainmetadata>`.
+- ``clear-domain-metadata-query``: Delete a single entry of domain
+ metadata.
+- ``clear-domain-all-metadata-query``: Remove all domain metadata for a
+ domain.
+- ``set-domain-metadata-query``: Add domain metadata for a zone.
+
+- ``add-domain-key-query``: Called to a cryptokey to a domain.
+- ``list-domain-keys-query``: Called to get all cryptokeys for a
+ domain.
+- ``activate-domain-key-query``: Called to set a cryptokey to active.
+- ``deactivate-domain-key-query``: Called to set a cryptokey to
+ inactive.
+- ``clear-domain-all-keys-query``: Called to remove all DNSSEC keys for
+ a zone.
+- ``remove-domain-key-query``: Called to remove a crypto key.
+
+Master/slave queries
+^^^^^^^^^^^^^^^^^^^^
+
+These queries are used to manipulate the master/slave information in the
+database. Most installations will have zero need to change the following
+queries.
+
+On masters
+~~~~~~~~~~
+
+- ``info-all-master-query``: Called to get data on all domains for
+ which the server is master.
+- ``update-serial-query`` Called to update the last notified serial of
+ a master domain.
+- ``zone-lastchange-query``: Called to determine the last change to a
+ zone, used for autoserial.
+
+On slaves
+~~~~~~~~~
+
+- ``info-all-slaves-query``: Called to retrieve all slave domains.
+- ``master-zone-query``: Called to determine the master of a zone.
+- ``update-lastcheck-query``: Called to update the last time a slave
+ domain was successfully checked for freshness.
+- ``update-master-query``: Called to update the master address of a
+ domain.
+
+On superslaves
+~~~~~~~~~~~~~~
+
+- ``supermaster-query``: Called to determine if a certain host is a
+ supermaster for a certain domain name.
+- ``supermaster-name-to-ips``: Called to the IP and account for a
+ supermaster.
+
+TSIG
+^^^^
+
+- ``get-tsig-key-query``: Called to get the algorithm and secret from a
+ named TSIG key.
+- ``get-tsig-keys-query``: Called to get all TSIG keys.
+- ``set-tsig-key-query``: Called to set the algorithm and secret for a
+ named TSIG key.
+- ``delete-tsig-key-query``: Called to delete a named TSIG key.
+
+Comment queries
+^^^^^^^^^^^^^^^
+
+For listing/modifying comments.
+
+- ``list-comments-query``: Called to get all comments in a zone.
+ Returns fields: domain_id, name, type, modified_at, account,
+ comment.
+- ``insert-comment-query`` Called to create a single comment for a
+ specific RRSet. Given fields: domain_id, name, type, modified_at,
+ account, comment
+- ``delete-comment-rrset-query``: Called to delete all comments for a
+ specific RRset. Given fields: domain_id, name, type
+- ``delete-comments-query``: Called to delete all comments for a zone.
+ Usually called before deleting the entire zone. Given fields:
+ domain_id
+- ``search-comments-query``: Called to search for comment by name or
+ content.
+
+Specifying queries
+^^^^^^^^^^^^^^^^^^
+
+The queries above are specified in pdns.conf. For example, the
+basic-query for the Generic MySQL backend would appear as:
+
+::
+
+ gmysql-basic-query=SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and type=? and name=?
+
+Queries can span multiple lines, like this:
+
+::
+
+ gmysql-basic-query=SELECT content,ttl,prio,type,domain_id,disabled,name,auth \
+ FROM records WHERE disabled=0 and type=? and name=?
--- /dev/null
+Generic SQLite 3 backend
+========================
+
+* Native: Yes
+* Master: Yes
+* Slave: Yes
+* Superslave: Yes
+* DNSSEC: Yes
+* Disabled data: Yes
+* Comments: Yes
+* Module name: gsqlite3
+* Launch name: ``gsqlite3``
+
+.. warning::
+ When importing large amounts of data, be sure to run
+ ``analyze;`` afterwards as SQLite3 has a tendency to use sub-optimal
+ indexes otherwise.
+
+This backend retrieves all data from a SQLite database, which is an
+RDBMS that's embedded into the application itself, so you won't need to
+be running a separate server process. It also reduces overhead, and
+simplifies installation. At `www.sqlite.org <http://www.sqlite.org>`__
+you can find more information about SQLite.
+
+As this is a generic backend, built on top of the gSql framework, you
+can specify all queries as documented in :ref:`Generic SQL Backends <generic-sql-queries>`.
+
+SQLite exists in two incompatible versions, PowerDNS only supports
+version 3. To launch the backend, put ``launch=gsqlite3`` in the
+configuration.
+
+Setting up the database
+------------------------
+
+Before you can use this backend you first have to set it up and fill it
+with data. The default setup conforms to the following schema:
+
+.. literalinclude:: ../../modules/gsqlite3backend/schema.sqlite3.sql
+
+This schema contains all elements needed for master, slave and
+superslave operation.
+
+After you have created the database you probably want to fill it with
+data. If you have a BIND zone file it's as easy as:
+``zone2sql --named-conf=/path/to/named.conf --gsqlite | sqlite3 powerdns.sqlite3``,
+but you can also use AXFR (or insert data manually).
+
+To communicate with a SQLite database, use the ``sqlite3`` program, and
+feed it SQL.
+
+Configuration Parameters
+------------------------
+
+These are the configuration file parameters that are available for the
+gsqlite3 backend.
+
+.. _setting-gsqlite3-database:
+
+``gsqlite3-database``
+~~~~~~~~~~~~~~~~~~~~~
+
+Path to the SQLite3 database.
+
+.. _setting-gsqlite3-pragma-synchronous:
+
+``gsqlite3-pragma-synchronous``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Set this to 0 for blazing speed.
+
+.. _setting-gsqlite3-pragma-foreign-keys:
+
+``gsqlite3-pragma-foreign-keys``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Enable foreign key constraints.
+
+.. _setting-gsqlite3-dnssec:
+
+``gsqlite3-dnssec``
+~~~~~~~~~~~~~~~~~~~
+
+Enable DNSSEC processing.
+
+Using the SQLite backend
+------------------------
+
+The last thing you need to do is telling PowerDNS to use the SQLite
+backend.
+
+::
+
+ # in pdns.conf
+ launch=gsqlite3
+ gsqlite3-database=<path to your SQLite database>
+
+Then you can start PowerDNS and it should notify you that a connection
+to the database was made.
+
+Compiling the SQLite backend
+-----------------------------
+
+Before you can begin compiling PowerDNS with the SQLite backend you need
+to have the SQLite utility and library installed on your system. You can
+download these from http://www.sqlite.org/download.html, or you can use
+packages (if your distribution provides those).
+
+When you've installed the library you can use:
+``./configure --with-modules="gsqlite3"`` to configure PowerDNS to use
+the SQLite backend. Compilation can then proceed as usual.
+
+SQLite is included in most PowerDNS binary releases.
--- /dev/null
+GeoIP backend
+=============
+
+* Native: Yes
+* Master: No
+* Slave: No
+* Superslave: No
+* DNSSEC: Yes
+* Disabled data: No
+* Comments: No
+* Module name: geoip
+* Launch name: ``geoip``
+
+This backend allows visitors to be sent to a server closer to them, with
+no appreciable delay, as would otherwise be incurred with a protocol
+level redirect. Additionally, the Geo Backend can be used to provide
+service over several clusters, any of which can be taken out of use
+easily, for example for maintenance purposes. This backend can utilize
+EDNS Client Subnet extension for decision making, if provided in query
+and you have turned on
+:ref:`setting-edns-subnet-processing`.
+
+Prerequisites
+--------------
+
+To compile the backend, you need libyaml-cpp 0.5 or later and libgeoip.
+
+You must have geoip database available. As of writing, on debian/ubuntu
+systems, you can use apt-get install geoip-database to get one, and the
+backend is configured to use the location where these files are
+installed as source. On other systems you might need to alter the
+database-file and database-file6 attribute. If you don't need ipv4 or
+ipv6 support, set the respective setting to "". Leaving it unset leaves
+it pointing to default location, preventing the software from starting
+up.
+
+Configuration Parameters
+------------------------
+
+These are the configuration file parameters that are available for the
+GeoIP backend. geoip-zones-files is the only thing you must set, if the
+defaults suite you.
+
+.. _setting-geoip-database-files:
+
+``geoip-database-files``
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+Comma, tab or space separated list of files to open. You can use
+`geoip-cvs-to-dat <https://github.com/dankamongmen/sprezzos-world/blob/master/packaging/geoip/debian/src/geoip-csv-to-dat.cpp>`__
+to generate your own.
+
+.. _setting-geoip-database-cache:
+
+``geoip-database-cache``
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+Specifies the kind of caching that is done on the database. This is one
+of "standard", "memory", "index" or "mmap". These options map to the
+caching options described
+`here <https://github.com/maxmind/geoip-api-c/blob/master/README.md#memory-caching-and-other-options>`__
+
+.. _setting-geoip-zones-file:
+
+``geoip-zones-file``
+~~~~~~~~~~~~~~~~~~~~
+
+Specifies the full path of the zone configuration file to use.
+
+.. _setting-geoip-dnssec-keydir:
+
+``geoip-dnssec-keydir``
+~~~~~~~~~~~~~~~~~~~~~~~
+
+Specifies the full path of a directory that will contain DNSSEC keys.
+This option enables DNSSEC on the backend. Keys can be created/managed
+with ``pdnsutil``, and the backend stores these keys in files with key
+flags and active/disabled state encoded in the key filenames.
+
+Zonefile format
+---------------
+
+Zone configuration file uses YAML syntax. Here is simple example. Note
+that the ‐ before certain keys is part of the syntax.
+
+.. code-block:: yaml
+
+ domains:
+ - domain: geo.example.com
+ ttl: 30
+ records:
+ geo.example.com:
+ - soa: ns1.example.com hostmaster.example.com 2014090125 7200 3600 1209600 3600
+ - ns:
+ content: ns1.example.com
+ ttl: 600
+ - ns: ns2.example.com
+ - mx: 10 mx.example.com
+ fin.eu.service.geo.example.com:
+ - a: 192.0.2.2
+ - txt: hello world
+ - aaaa: 2001:DB8::12:34DE:3
+ # this will result first record being handed out 30% of time
+ swe.eu.service.geo.example.com:
+ - a:
+ content: 192.0.2.3
+ weight: 50
+ - a: 192.0.2.4
+ services:
+ # syntax 1
+ service.geo.example.com: '%co.%cn.service.geo.example.com'
+ # syntax 2
+ service.geo.example.com: [ '%co.%cn.service.geo.example.com', '%cn.service.geo.example.com']
+ # alternative syntax
+ services:
+ service.geo.example.com:
+ default: [ '%co.%cn.service.geo.example.com', '%cn.service.geo.example.com' ]
+ 10.0.0.0/8: 'internal.service.geo.example.com'
+
+Keys explained
+~~~~~~~~~~~~~~
+
+- **domains**: Mandatory root key. All configuration is below this
+- **domain**: Defines a domain. You need ttl, records, services under
+ this.
+- **ttl**: TTL value for all records
+- **records**: Put fully qualified name as subkey, under which you must
+ define at least soa: key. Note that this is an array of records, so ‐
+ is needed for the values.
+- **services**: Defines one or more services for querying. The format
+ supports following placeholders, %% = %, %co = 3-letter country, %cn
+ = continent, %af = v4 or v6. There are also other specifiers that
+ will only work with suitable database and currently are untested.
+ These are %re = region, %na = Name (such as, organisation), %ci =
+ City. If the record which a service points to exists under "records"
+ then it is returned as a direct answer. If it does not exist under
+ "records" then it is returned as a CNAME.
+- From 4.1.0, you can also use %cc = 2 letter country code
+- From 4.0.0, you can also use %as = ASn, %ip = Remote IP
+- From 4.0.0, you can also use additional specifiers. These are %hh =
+ hour, %dd = day, %mo = month, %mos = month as short string, %wd =
+ weekday (as number), %wds weekday as short string.
+- From 4.0.0, scopeMask is set to most specific value, in case of
+ date/time modifiers it will be 32 or 128, but with the others it is
+ set to what geoip says it used for matching.
+- From 4.0.0, You can add per-network overrides for format, they will
+ be formatted with the same placeholders as default. Default is
+ short-hand for adding 0.0.0.0/0 and ::/0. Default is default when
+ only string is given for service name.
+- From 4.0.0, You can use array to specify return values, works only if
+ you have those records specified. It matches the format results to
+ your records, and if it finds match that is used. Otherwise the last
+ is returned.
+- From 4.0.0, You can apply all the attributes for the content of
+ static records too.
+- From 4.0.0, You can use record attributes to set TTL.
+- From 4.0.0, You can use record attributes to define weight. If this
+ is given, only one record is chosen randomly based on the weight.
+ **DO NOT** mix record types for these. It will not work. PROBABILITY
+ is calculated by summing up the weights and dividing each weight with
+ the sum. **WARNING**: If you use ip or time/date specifiers, caching
+ will be disabled for that RR completely. That means, if you have a
+
+something.example.com: - a: 1.2.3.4 - txt: "your ip is %ip"
+
+then caching will not happen for any records of something.example.com.
+If you need to use TXT for debugging, make sure you use dedicated name
+for it.
+
+.. warning::
+ If your services match wildcard records in your zone file
+ then these will be returned as CNAMEs. This will only be an issue if you
+ are trying to use a service record at the apex of your domain where you
+ need other record types to be present (such as NS and SOA records.) Per
+ :rfc:`2181`, CNAME records cannot appear in the same label as NS or SOA
+ records.
--- /dev/null
+Backends
+========
+
+The following table describes the supported backends and some of their capabilities.
+
++------------------------------------------------+--------+--------+-------+--------------+-------------+---------------------------------+--------------+
+| Name | Native | Master | Slave | Super slave | Auto serial | :doc:`DNSSEC <../dnssec/index>` | Launch |
++================================================+========+========+=======+==============+=============+=================================+==============+
+| :doc:`BIND <bind>` | Yes | Yes | Yes | Experimental | No | Yes | ``bind`` |
++------------------------------------------------+--------+--------+-------+--------------+-------------+---------------------------------+--------------+
+| :doc:`Generic Mysql <generic-mysql>` | Yes | Yes | Yes | Yes | Yes | Yes | ``gmysql`` |
++------------------------------------------------+--------+--------+-------+--------------+-------------+---------------------------------+--------------+
+| :doc:`Generic ODBC <generic-odbc>` | Yes | Yes | Yes | Yes | Yes | Yes | ``godbc`` |
++------------------------------------------------+--------+--------+-------+--------------+-------------+---------------------------------+--------------+
+| :doc:`Generic Oracle <generic-oracle>` | Yes | Yes | Yes | Yes | Yes | Yes | ``goracle`` |
++------------------------------------------------+--------+--------+-------+--------------+-------------+---------------------------------+--------------+
+| :doc:`Generic Postgresql <generic-postgresql>` | Yes | Yes | Yes | Yes | Yes | Yes | ``gpgsql`` |
++------------------------------------------------+--------+--------+-------+--------------+-------------+---------------------------------+--------------+
+| :doc:`Generic SQLite3 <generic-sqlite3>` | Yes | Yes | Yes | Yes | Yes | Yes | ``gsqlite3`` |
++------------------------------------------------+--------+--------+-------+--------------+-------------+---------------------------------+--------------+
+| :doc:`GeoIP <geoip>` | Yes | No | No | No | No | Yes | ``geoip`` |
++------------------------------------------------+--------+--------+-------+--------------+-------------+---------------------------------+--------------+
+| :doc:`LDAP <ldap>` | Yes | No | No | No | No | No | ``ldap`` |
++------------------------------------------------+--------+--------+-------+--------------+-------------+---------------------------------+--------------+
+| :doc:`MyDNS <mydns>` | Yes | No | No | No | No | No | ``mydns`` |
++------------------------------------------------+--------+--------+-------+--------------+-------------+---------------------------------+--------------+
+| :doc:`OpenDBX <opendbx>` | Yes | Yes | Yes | Yes | No | No | ``opendbx`` |
++------------------------------------------------+--------+--------+-------+--------------+-------------+---------------------------------+--------------+
+| :doc:`Oracle <oracle>` | Yes | Yes | Yes | Yes | Yes | Yes | ``oracle`` |
++------------------------------------------------+--------+--------+-------+--------------+-------------+---------------------------------+--------------+
+| :doc:`Pipe <pipe>` | Yes | No | No | No | No | Partial | ``pipe`` |
++------------------------------------------------+--------+--------+-------+--------------+-------------+---------------------------------+--------------+
+| :doc:`Random <random>` | Yes | No | No | No | No | Partial | ``random`` |
++------------------------------------------------+--------+--------+-------+--------------+-------------+---------------------------------+--------------+
+| :doc:`Remote <remote>` | Yes | Yes\* | Yes\* | Yes\* | Yes\* | Yes\* | ``remote`` |
++------------------------------------------------+--------+--------+-------+--------------+-------------+---------------------------------+--------------+
+| :doc:`TinyDNS <tinydns>` | Yes | Yes | No | No | No | Parti | ``pipe`` |
++------------------------------------------------+--------+--------+-------+--------------+-------------+---------------------------------+--------------+
+
+All the generic SQL backends have similar functionality, apart from the database they communicate with.
+These backends have :doc:`features unique <generic-sql>` to the generic SQL backends.
+
+.. toctree::
+ :maxdepth: 1
+
+ bind
+ generic-sql
+ generic-mysql
+ generic-odbc
+ generic-oracle
+ generic-postgresql
+ generic-sqlite3
+ geoip
+ ldap
+ lua
+ mydns
+ opendbx
+ oracle
+ pipe
+ random
+ remote
+ tinydns
--- /dev/null
+LDAP backend
+============
+
+* Native: Yes
+* Master: No
+* Slave: No
+* Superslave: No
+* Autoserial: No
+* DNSSEC: No
+* Disabled data: No
+* Comments: No
+* Module name: ldap
+* Launch name: ``ldap``
+
+Introduction
+------------
+As of PowerDNS Authoritative Server 4.0.0, the LDAP backend is fully
+supported.
+
+The original author for this module is Norbert Sendetzky. This page is
+based on the content from his `LDAPbackend wiki
+section <http://wiki.linuxnetworks.de/index.php/PowerDNS_ldapbackend>`__
+as copied in February 2016, and edited from there.
+
+.. warning::
+ Host names and the MNAME of a SOA records are NEVER
+ terminated with a '.' in PowerDNS storage! If a trailing '.' is present
+ it will inevitably cause problems, problems that may be hard to debug.
+
+
+Rationale
+^^^^^^^^^
+
+The LDAP backend enables PowerDNS to retrieve DNS information from any
+standard compliant LDAP server. This is extremely handy if information
+about hosts is already stored in an LDAP tree.
+
+Schemas
+^^^^^^^
+
+The schema is based on the 'uninett' dnszone schema, with a few types
+added by number as designed in that schema:
+
+.. literalinclude:: ../../modules/ldapbackend/dnsdomain2.schema
+
+The LDAP dnsdomain2 schema contains the additional object descriptions
+which are required by the LDAP server to check the validity of entries
+when they are added. Please consult the documentation of the LDAP server
+to find out how to add this schema to the server.
+
+Installation
+------------
+
+The LDAP backend can be compiled by adding ``ldap`` to either the
+``--with-modules`` or ``--with-dynmodules`` ``configure`` options.
+
+When using packages, the ``pdns-backend-ldap`` package should be
+installed.
+
+Configuration options
+---------------------
+
+There are a few options through the LDAP DNS backend can be configured.
+Add them to the ``pdns.conf`` file.
+
+To launch the ldap backend:
+
+::
+
+ launch=ldap
+
+.. _setting-ldap-host:
+
+``ldap-host``
+^^^^^^^^^^^^^
+
+(default "ldap://127.0.0.1:389/") : The values assigned to this
+parameter can be LDAP URIs (e.g. ``ldap://127.0.0.1/`` or
+``ldaps://127.0.0.1/``) describing the connection to the LDAP server.
+There can be multiple LDAP URIs specified for load balancing and high
+availability if they are separated by spaces. In case the used LDAP
+client library doesn't support LDAP URIs as connection parameter, use
+plain host names or IP addresses instead (both may optionally be
+followed by a colon and the port).
+
+.. _setting-ldap-starttls:
+
+``ldap-starttls``
+^^^^^^^^^^^^^^^^^
+
+(default "no") : Use TLS encrypted connections to the LDAP server. This
+is only allowed if ldap-host is a ldap:// URI or a host name / IP
+address.
+
+.. _setting-ldap-timeout:
+
+``ldap-timeout``
+^^^^^^^^^^^^^^^^
+
+(default: "5") : The number of seconds to wait for LDAP operations to
+complete.
+
+.. _setting-ldap-reconnect-attempts:
+
+``ldap-reconnect-attempts``
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+(default: "5") : The number of attempts to make to re-establish a lost
+connection to the LDAP server.
+
+.. _setting-ldap-authmethod:
+
+``ldap-authmethod``
+^^^^^^^^^^^^^^^^^^^
+
+(default: "simple") : How to authenticate to the LDAP server. Actually
+only two methods are supported: "simple", which uses the classical DN /
+password, or "gssapi", which requires a Kerberos keytab.
+
+.. _setting-ldap-binddn:
+
+``ldap-binddn``
+^^^^^^^^^^^^^^^
+
+(default "") : Path to the object to authenticate against. Should only
+be used, if the LDAP server doesn't support anonymous binds and with the
+"simple" authmethod.
+
+.. _setting-ldap-secret:
+
+``ldap-secret``
+^^^^^^^^^^^^^^^
+
+(default "") : Password for authentication against the object specified
+by ldap-binddn. Only used when "authmethod" is "simple".
+
+.. _setting-ldap-krb5-keytab:
+
+``ldap-krb5-keytab``
+^^^^^^^^^^^^^^^^^^^^
+
+(default: "") : Full path to the keytab file to use to authenticate.
+This is only used when "authmethod" is set to "gssapi". The keytab must,
+ideally, contain only one principal (or to put it otherwise, only the
+first principal found in the keytab will be used).
+
+.. _setting-ldap-krb5-ccache:
+
+``ldap-krb5-ccache``
+^^^^^^^^^^^^^^^^^^^^
+
+(default: "") : Full path to the Kerberos credential cache file to use.
+Actually only files are supported, and the "FILE:" prefix must not be
+set. The PowerDNS process must be able to write to this file and it
+*must* be the only one able to read it.
+
+.. _setting-ldap-basedn:
+
+``ldap-basedn``
+^^^^^^^^^^^^^^^
+
+(default "") : The PowerDNS LDAP DNS backend searches below this path
+for objects containing the specified DNS information. The retrieval of
+attributes is limited to this subtree. This option must be set to the
+path according to the layout of your LDAP tree, e.g.
+ou=hosts,o=linuxnetworks,c=de is the DN to my objects containing the DNS
+information.
+
+.. _setting-ldap-method:
+
+``ldap-method``
+^^^^^^^^^^^^^^^
+
+(default "simple") :
+
+- ``simple``: Search the requested domain by comparing the
+ associatedDomain attributes with the domain string in the question.
+- ``tree``: Search entires by translating the domain string into a LDAP
+ dn. Your LDAP tree must be designed in the same way as the DNS LDAP
+ tree. The question for "myhost.linuxnetworks.de" would translate into
+ "dc=myhost,dc=linuxnetworks,dc=de,ou=hosts=..." and the entry where
+ this dn points to would be evaluated for dns records.
+- ``strict``: Like simple, but generates PTR records from aRecords or
+ aAAARecords. Using "strict", zone transfers for reverse zones are not
+ possible.
+
+.. _setting-ldap-filter-axfr:
+
+``ldap-filter-axfr``
+^^^^^^^^^^^^^^^^^^^^
+
+(default "(:target:)" ) : LDAP filter for limiting AXFR results (zone
+transfers), e.g. (&(:target:)(active=yes)) for returning only entries
+whose attribute "active" is set to "yes".
+
+.. _setting-ldap-filter-lookup:
+
+``ldap-filter-lookup``
+^^^^^^^^^^^^^^^^^^^^^^
+
+(default "(:target:)" ) : LDAP filter for limiting IP or name lookups,
+e.g. (&(:target:)(active=yes)) for returning only entries whose
+attribute "active" is set to "yes".
+
+Master Mode
+-----------
+
+Schema update
+^^^^^^^^^^^^^
+
+First off adding master support to the LDAP backend needs a schema
+update. This is required as some metadata must be stored by PowerDNS,
+such as the last successful transfer to slaves. The new schema is
+available in schema/pdns-domaininfo.schema.
+
+Once the schema is loaded the zones for which you want to be a master
+must be modified. The dn of the SOA record *must* have the object class
+``PdnsDomain``, and thus the ``PdnsDomainId`` attribute. This attribute
+is an integer that *must* be unique across all zones served by the
+backend. Furthermore the ``PdnsDomainType`` must be equal to 'master'
+(lower case).
+
+Example
+^^^^^^^
+
+Here is an example LDIF of a zone that's ready for master operation
+(assuming the 'tree' style):
+
+::
+
+ dn: dc=example,dc=com,ou=dns,dc=mycompany,dc=com
+ objectClass: top
+ objectClass: domainRelatedObject
+ objectClass: dNSDomain2
+ objectClass: PdnsDomain
+ dc: example
+ associatedDomain: example.com
+ nSRecord: ns1.example.com
+ sOARecord: ns1.example.com. hostmaster.example.com. 2013031101 1800 600 1209600 600
+ mXRecord: 10 mx1.example.com
+ PdnsDomainId: 1
+ PdnsDomainType: master
+ PdnsDomainMaster: 192.168.0.2
+
+You should have one attribute ``PdnsDomainMaster`` per master serving
+this zone.
+
+Example
+-------
+
+Tree design
+^^^^^^^^^^^
+
+The DNS LDAP tree should be designed carefully to prevent mistakes,
+which are hard to correct afterwards. The best solution is to create a
+subtree for all host entries which will contain the DNS records. This
+can be done the simple way or in a tree style.
+
+DN of a simple style example record (e.g. myhost.example.com):
+
+``dn:dc=myhost,dc=example,ou=hosts,...``
+
+DN of a tree style example record (e.g. myhost.test.example.com):
+
+``dn:dc=myhost,dc=test,dc=example,dc=com,ou=hosts,...``
+
+Basic objects
+^^^^^^^^^^^^^
+
+Each domain (or zone for BIND users) must include one object containing
+a SOA (Start Of Authority) record. This requirement applies to both
+forward and reverse zones. This object can also contain the attribute
+for a MX (Mail eXchange) and one or more NS (Name Server) records. These
+attributes allow one or more values, e.g. for a backup mail or name
+server:
+
+::
+
+ dn:dc=example,ou=hosts,o=example,c=com
+ objectclass:top
+ objectclass:dcobject
+ objectclass:dnsdomain
+ objectclass:domainrelatedobject
+ dc:example
+ soarecord:ns.example.com me@example.com 1 1800 3600 86400 7200
+ nsrecord:ns.example.com
+ mxrecord:10 mail.example.com
+ mxrecord:20 mail2.example.com
+ associateddomain:example.com
+
+A simple mapping between name and IP address can be specified by an
+object containing an ``arecord`` and an ``associateddomain``.
+
+::
+
+ dn:dc=server,dc=example,ou=hosts,o=example,c=de
+ objectclass:top
+ objectclass:dnsdomain
+ objectclass:domainrelatedobject
+ dc:server
+ arecord:10.1.0.1
+ arecord:192.168.0.1
+ associateddomain:server.example.com
+
+Be aware of the fact that these examples work if ``ldap-method`` is
+``simple`` or ``strict``. For tree mode, all DNs will have to be
+modified according to the algorithm described in the section above.
+
+Wildcards
+^^^^^^^^^
+
+Wild-card domains are possible by using the asterisk in the
+``associatedDomain`` value like it is used in the bind zone files. The
+"dc" attribute can be set to any value in simple or strict mode - this
+doesn't matter.
+
+::
+
+ dn:dc=any,dc=example,ou=hosts,o=example,c=de
+ objectclass:top
+ objectclass:dnsdomain
+ objectclass:domainrelatedobject
+ dc:any
+ arecord:192.168.0.1
+ associateddomain:*.example.com
+
+In tree mode wild-card entries has to look like this instead:
+
+::
+
+ dn:dc=*,dc=example,dc=de,ou=hosts,o=example,c=de
+ objectclass:top
+ objectclass:dnsdomain
+ objectclass:domainrelatedobject
+ dc:*
+ arecord:192.168.0.1
+ associateddomain:*.example.com
+
+Aliases
+^^^^^^^
+
+Aliases for an existing DNS object have to be defined in a separate LDAP
+object. One object should be create per alias (this is a must in tree
+mode) or add all aliases (as values of ``associateddomain``) to one
+object. The only thing which is not allowed is to create loops by using
+the same name in ``associateddomain`` and in ``cnamerecord``.
+
+::
+
+ dn:dc=server-aliases,dc=example,ou=hosts,o=example,c=de
+ objectclass:top
+ objectclass:dnsdomain
+ objectclass:domainrelatedobject
+ dc:server-aliases
+ cnamerecord:server.example.com
+ associateddomain:proxy.example.com
+ associateddomain:mail2.example.com
+ associateddomain:ns.example.com
+
+Aliases are optional. All alias domains can also be added to the
+associateddomain attribute. The only difference is that these additional
+domains aren't recognized as aliases anymore, but instead as a normal
+``arecord``:
+
+::
+
+ dn:dc=server,dc=example,ou=hosts,o=example,c=de
+ objectclass:top
+ objectclass:dnsdomain
+ objectclass:domainrelatedobject
+ dc:server
+ arecord:10.1.0.1
+ associateddomain:server.example.com
+ associateddomain:proxy.example.com
+ associateddomain:mail2.example.com
+ associateddomain:ns.example.com
+
+Reverse lookups
+^^^^^^^^^^^^^^^
+
+Currently there are two options: Set ``ldap-method`` to ``strict`` to
+have the code automatically derive PTR records from A and AAAA records
+in the tree. Or, in ``simple`` and ``tree`` modes, create additional
+objects explictly mapping each address to a PTR record.
+
+For ``strict`` or ``simple`` modes, first create an object with an SOA
+record for the reverse-lookup zone(s) corresponding to the A and AAAA
+records that will be served:
+
+::
+
+ dn:dc=1.10.in-addr.arpa,ou=hosts,o=example,c=de
+ objectclass:top
+ objectclass:dnsdomain2
+ objectclass:domainrelatedobject
+ dc:1.10.in-addr.arpa
+ soarecord:ns.example.com me@example.com 1 1800 3600 86400 7200
+ nsrecord:ns.example.com
+ associateddomain:1.10.in-addr.arpa
+
+In ``strict`` mode, no other objects are required -- reverse queries
+that correspond to an arecord or aaaarecord of an existing object will
+be automagically serviced using the associateddomain entry of that
+object.
+
+In ``simple`` mode, you must then create objects for each reverse
+mapping:
+
+::
+
+ dn:dc=1.0,dc=1.10.in-addr.arpa,ou=hosts,o=example,c=de
+ objectclass:top
+ objectclass:dnsdomain2
+ objectclass:domainrelatedobject
+ dc:1.0
+ ptrrecord:server.example.com
+ associateddomain:1.0.1.10.in-addr.arpa
+
+Tree mode requires each component to be a dc element of its own:
+
+::
+
+ dn:dc=1,dc=0,dc=1,dc=10,dc=in-addr,dc=arpa,ou=hosts,o=example,c=de
+ objectclass:top
+ objectclass:dnsdomain2
+ objectclass:domainrelatedobject
+ dc:1
+ ptrrecord:server.example.com
+ associateddomain:1.0.1.10.in-addr.arpa
+
+To use this kind of record, add the dnsdomain2 schema to the
+configuration of ther LDAP server.
+
+**CAUTION:** ``ldap-method=strict`` can not be used if zone transfers
+(AXFR) are needed to other name servers. Distributing zones can only be
+done directly via LDAP replication in this case, because for a full zone
+transfer the reverse records are missing.
+
+Migration
+---------
+
+BIND zone files
+^^^^^^^^^^^^^^^
+
+There is a small utility in the PowerDNS distribution available called
+:doc:`../manpages/zone2ldap.1`, which can convert zone
+files used by BIND to the ldif format. Ldif is a text file format
+containing information about LDAP objects and can be read by every
+standard compliant LDAP server. ``zone2ldap`` needs the BIND
+``named.conf`` (usually located in /etc) as input and writes the dns
+record entries in ldif format to stdout:
+
+::
+
+ zone2ldap
+ --basedn=YOUR_BASE_DN \
+ --named-conf=PATH_TO_NAMED_CONF \
+ --resume > zones.ldif
+
+Alternatively zone2ldap can be used to convert only single zone files
+instead all zones:
+
+::
+
+ zone2ldap
+ --basedn=YOUR_BASE_DN \
+ --zone-file=PATH_TO_ZONE_FILE \
+ --zone-name=NAME_OF_ZONE \
+ --resume > zone.ldif
+
+See :doc:`its manpage <../manpages/zone2ldap.1>` for a complete list of
+options.
+
+Bind LDAP backend
+^^^^^^^^^^^^^^^^^
+
+When coming from the `Bind LDAP sdb
+backend <http://bind9-ldap.bayour.com/>`__, the records can be kept in
+the LDAP tree also for the PowerDNS LDAP backend. The schemas both
+backends utilize is almost the same except for one important thing:
+Domains for PowerDNS are stored in the attribute "associatedDomain"
+whereas Bind stores them split in "relativeDomainName" and "zoneName".
+
+There is a `migration
+script <http://www.linuxnetworks.de/pdnsldap/bind2pdns-ldap>`__ which
+creates a file in LDIF format with the necessary LDAP updates including
+the "associatedDomain" and "dc" attributes. The utility is executed on
+the command line by:
+
+::
+
+ ./bind2pdns-ldap
+ --host=HOSTNAME_OR_IP \
+ --basedn=YOUR_BASE_DN \
+ --binddn=ADMIN_DN > update.ldif
+
+The parameter "host" and "basedn" are mandatory, "binddn" is optional.
+If "binddn" is given, the script will prompt for a password, otherwise
+an anonymous bind is executed. The updates in LDIF format are written to
+stdout and can be redirected to a file.
+
+The script requires Perl and the Perl Net::LDAP module and can be
+downloaded
+`here <http://www.linuxnetworks.de/pdnsldap/bind2pdns-ldap>`__.
+
+Updating the entries in the LDAP tree requires to make the dnsdomain2
+schema known to the LDAP server. Unfortunately, both schemas (dnsdomain2
+and dnszone) share the same record types and use the same OIDs so the
+LDAP server can't use both schemas at the same time. The solution is to
+add the `dnsdomain2
+schema <http://www.linuxnetworks.de/pdnsldap/dnsdomain2.schema>`__ and
+replace the dnszone schema by the `dnszone-migrate
+schema <http://www.linuxnetworks.de/pdnsldap/dnszone-migrate.schema>`__.
+After restarting the LDAP server attributes from both schemas can be
+used and updating the objects in the LDAP tree using the LDIF file
+generated from ``bind2pdns-ldap`` will work without errors.
+
+Other name server
+^^^^^^^^^^^^^^^^^
+
+The easiest way for migrating DNS records is to use the output of a zone
+transfer (AXFR). Save the output of the ``dig`` program provided by bind
+into a file and call ``zone2ldap`` with the file name as option to the
+``--zone-file`` parameter. This will generate the appropriate ldif file,
+which can be imported into the LDAP tree. The bash script except below
+automates this:
+
+::
+
+ DNSSERVER=127.0.0.1
+ DOMAINS="example.com 10.10.in-addr.arpa"
+
+ for DOMAIN in $DOMAINS; do
+ dig @$DNSSERVER $DOMAIN AXFR> $DOMAIN.zone;
+ zone2ldap --zone-name=$DOMAIN --zone-file=$DOMAIN.zone> $DOMAIN.ldif;
+ done
+
+Optimization
+------------
+
+LDAP indices
+^^^^^^^^^^^^
+
+To improve performance, the LDAP server can maintain indices on certain
+attributes. This leads to much faster searches for these type of
+attributes.
+
+The LDAP DNS backend mainly searches for values in ``associatedDomain``,
+so maintaining an index (pres,eq,sub) on this attribute is a big
+performance improvement:
+
+::
+
+ indexassociatedDomain pres,eq,sub
+
+Furthermore, if ``ldap-method=strict`` is set, it uses the aRecord and
+aAAARecord attribute for reverse mapping of IP addresses to names. To
+maintain an index (pres,eq) on these attributes also improves
+performance of the LDAP server:
+
+::
+
+ indexaAAARecord pres,eq
+ indexaRecord pres,eq
+
+All other attributes than associatedDomain, aRecord or aAAARecord are
+only read if the object matches the specified criteria. Thus,
+maintaining an index on these attributes is useless.
+
+If the DNS-entries were added before adding these statements to
+``slapd.conf``, the LDAP server will have to be stopped and
+``slapindex`` should be used on the command line. This will generate the
+indices for already existing attributes.
+
+dNSTTL attribute
+^^^^^^^^^^^^^^^^
+
+Converting the string in the dNSTTL attribute to an integer is a time
+consuming task. If no separate TTL value for each entry is requires, use
+the :ref:`setting-default-ttl` parameter in
+``pdns.conf`` instead. This will gain a 7% improvement in performance
+for entries that aren't cached. A dNSTTL attribute can still be added to
+entries that should have a different TTL than the default TTL
+
+Access method
+^^^^^^^^^^^^^
+
+The method of accessing the entries in the directory affects the
+performance too. By default, the "simple" method is used search for
+entries by using their associatedDomain attribute. Alternatively, the
+"tree" method can be used, whereby the search is done along the
+directory tree, e.g. "host.example.com" is translated into
+"dc=host,dc=example,dc=com,...". This requires the LDAP DNS subtree
+layout to be 1:1 to the DNS tree, this will gain an additional 7%
+performance improvement.
+
+Troubleshooting
+---------------
+
+No reverse zone transfer
+^^^^^^^^^^^^^^^^^^^^^^^^
+
+The LDAP tree must contain a separate subtree of PTR records (e.g. for
+1.1.10.10.in-addr.arpa) and ``ldap-method`` can't be set to "strict".
+
+IPv6 reverse lookup doesn't work in strict mode
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+For automatically generated reverse IPv6 records the aAAARecord entries
+must follow two restrictions: They have to be fully expanded ("FFFF::1"
+is not allowed and it must be "FFFF:0:0:0:0:0:0:1" instead) and they
+must not contain leading zeros, e.g. an entry containing "002A" is
+incorrect - use "2A" without zeros instead. These restrictions are due
+to the fact that LDAP DNS AAAA entries are pure text and doesn't allow
+searching by wild-cards.
+
+Future
+------
+
+DNS notification support
+^^^^^^^^^^^^^^^^^^^^^^^^
+
+As soon as the LDAP server implementations begin to provide the features
+of the LDAP client update protocol (LCUP, :rfc:`3928`), it will be possible
+to support the DNS notification feature for the LDAP DNS backend in case
+a record in the LDAP directory was changed.
+
+SASL support
+^^^^^^^^^^^^
+
+Support for more authentication methods would be handy. Anyone
+interested may `contribute <https://github.com/PowerDNS/pdns>`__.?
--- /dev/null
+Lua Backend
+===========
+
+* Native: Yes
+* Master: Yes
+* Slave: No
+* Superslave: No
+* Autoserial: No
+* DNSSEC: Yes
+* Disabled data: Yes
+* Comments: Yes
+* Module name: lua
+* Launch name: ``lua``
+
+The main author for this module is Fredrik Danerklint.
+
+This backend is just a "glue" between PowerDNS and your own Lua
+application.
+
+What this means is that you can not have a working setup that can serve
+you dns-questions directly from start. What you need to do is to program
+your own backend completely in Lua! Which database server to use etc is
+now up to you!
+
+What you have here is the possibility to make your own "dns-server"
+without the knowledge of programming in c/c++.
+
+There is one thing that needs to be said. Remember that each thread
+PowerDNS launches of this backend is completely different so they cannot
+share information between each other!
+
+You will need some kind of a database that can be shared for this.
+
+All the functionnames that PowerDNS accept for a backend should be the
+same in your Lua script, in lowercase. Also, the parameters should be in
+the same order. Where there is a structure in c/c++ there is a table in
+the Lua backend. This is also true for return values. A few functions
+expect that you return a table in a table.
+
+New functions
+-------------
+
+There is a couple of new functions for you to use in Lua:
+
+``logger(log_facility, "your", "messages")``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+All these ``log_facilities`` is available:
+
+ * ``log_all``
+ * ``log_ntlog``
+ * ``log_alert``
+ * ``log_critical``
+ * ``log_error``
+ * ``log_warning``
+ * ``log_notice,``
+ * ``log_info``
+ * ``log_debug``
+ * ``log_none``
+
+``dnspacket()``
+~~~~~~~~~~~~~~~
+
+This will give you back three parameters with ``remote_ip``,
+``remote_port`` and ``local_ip`` in that order.
+
+Can only be used in the functions ``list()`` and ``getsoa()``.
+
+``getarg("PARAMETER")``
+~~~~~~~~~~~~~~~~~~~~~~~
+
+This one tries to get the value of the name ``"lua-PARAMETER"`` from the
+pdns.conf file.
+
+``mustdo("PARAMETER")``
+~~~~~~~~~~~~~~~~~~~~~~~
+
+This is the same as ```getarg()`` <#getarg>`__ but return a boolean
+instead of a string.
+
+You also have all the different QTypes in a table called 'QTypes'.
+
+What has been tested
+--------------------
+
+The only functionality of the minimal functions except zone-transfer has
+been tested.
+
+In the included powerdns-luabackend.lua file there is a example of how
+this can be done. Note that this is more or less a static example since
+there is no possibility for each thread to know when something has
+changed.
+
+However, you can run ``pdns_control reload`` and it should reload the
+whole thing from scratch (does not work for the moment, PowerDNS only
+calls two thread with the reload command - not all of them).
+
+What you will find under the test directory
+-------------------------------------------
+
+The following script can be used to test the server:
+
+This will yield the following result:
+
+::
+
+ $dig any www.test.com @127.0.0.1 -p5300 +multiline
+ ; <<>> DiG 9.7.3 <<>> any www.test.com @127.0.0.1 -p5300 +multiline
+ ;; global options: +cmd
+ ;; Got answer:
+ ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
+ ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
+ ;; WARNING: recursion requested but not available
+
+ ;; QUESTION SECTION:
+ ;www.test.com. IN ANY
+
+ ;; ANSWER SECTION:
+ www.test.com. 120 IN CNAME host.test.com.
+ host.test.com. 120 IN A 10.11.12.13
+ host.test.com. 120 IN AAAA 1:2:3:4:5:6:7:8
+
+ ;; Query time: 1 msec
+ ;; SERVER: 127.0.0.1#5300(127.0.0.1)
+ ;; WHEN: Thu Jun 2 22:19:56 2011
+ ;; MSG SIZE rcvd: 93
+
+Parameters
+----------
+
+.. _setting-lua-filename:
+
+``lua-filename``
+~~~~~~~~~~~~~~~~
+
+Path to your lua script, 'powerdns-luabackend.lua' by default.
+
+.. _setting-lua-logging-query:
+
+``lua-logging-query``
+~~~~~~~~~~~~~~~~~~~~~
+
+Log queries. default is 'no'.
+
+.. _setting-lua-f_FUNCTION:
+
+``lua-f_FUNCTION=NEWFUNCTION``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+You can also override all the default functionsnames for the
+luafunctions if you want. For example:
+
+.. _setting-lua-f_lookup:
+
+``lua-f_lookup = mynewfunction``
+
+will call the function ``mynewfunction`` for the lookup-routine.
+
+If you want your own configuration parameters you can have that too.
+Just call the function ``getarg("PARAMETER")`` and it will return the
+value of ``lua-PARAMETER``. For boolean you use the function
+``mustdo("PARAMETER")``.
+
+Your own error function in lua
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+You can have an error function in Lua when Lua gives back a error.
+
+First make your error function then you put this in ``pdns.conf``:
+
+``lua-f_exec_error = YOUR_METHOD``
+
+DNSSEC
+------
+
+You can have full dnssec support in our Lua application. You should note
+the following regarding this:
+
+You don't have to implement the function 'updateDNSSECOrderAndAuth'
+since the default code will work correctly for you via the backend
+itself.
+
+The functions activateDomainKey and deactivateDomainKey can be
+implemented via a new function called updateDomainKey, which has three
+parameters (the other two has only two parameters) where the third is a
+boolean which is true or false depending on which function that was
+called from the beginning.
+
+Information for logging
+-----------------------
+
+If you have the parameter ``query-logging`` or ``lua-logging-query`` set
+to true/yes/on, then you will see what is happening in each function
+when PowerDNS calls them.
+
+This can, hopefully, help you with some debugging if you run into some
+kind of trouble with your Lua application.
--- /dev/null
+MyDNS Backend
+=============
+
+* Native: Yes
+* Master: No
+* Slave: No
+* Superslave: No
+* Autoserial: No
+* Case: Depends
+* DNSSEC: No
+* Disabled data: No
+* Comments: No
+* Module name: mydns
+* Launch name: ``mydns``
+
+The MyDNS backend makes PowerDNS a drop-in replacement for the
+`MyDNS <http://mydns.bboy.net/>`__ nameserver, as it uses the same
+database schema.
+
+Configuration Parameters
+------------------------
+
+.. _setting-mydns-host:
+
+``mydns-host``
+~~~~~~~~~~~~~~
+
+Database host to connect to.
+
+.. _setting-mydns-port:
+
+``mydns-port``
+~~~~~~~~~~~~~~
+
+Port on the database server to connect to.
+
+.. _setting-mydns-dbname:
+
+``mydns-dbname``
+~~~~~~~~~~~~~~~~
+
+Name of the database to connect to, "mydns" by default.
+
+.. _setting-mydns-user:
+
+``mydns-user``
+~~~~~~~~~~~~~~
+
+User for the database, "powerdns" by default.
+
+.. _setting-mydns-password:
+
+``mydns-password``
+~~~~~~~~~~~~~~~~~~
+
+The user password.
+
+.. _setting-mydns-socket:
+
+``mydns-socket``
+~~~~~~~~~~~~~~~~
+
+Unix socket to connect to the database.
+
+.. _setting-mydns-rr-table:
+
+``mydns-rr-table``
+~~~~~~~~~~~~~~~~~~
+
+Name of the resource record table in the database, "rr" by default.
+
+.. _setting-mydns-soa-table:
+
+``mydns-soa-table``
+~~~~~~~~~~~~~~~~~~~
+
+Name of the SOA table in the database, "soa" by default.
+
+.. _setting-mydns-soa-where:
+
+``mydns-soa-where``
+~~~~~~~~~~~~~~~~~~~
+
+Additional WHERE clause for SOA, default is "1 = 1".
+
+.. _setting-mydns-rr-where:
+
+``mydns-rr-where``
+~~~~~~~~~~~~~~~~~~
+
+Additional WHERE clause for resource records, default is "1 = 1".
+
+.. _setting-mydns-soa-active:
+
+``mydns-soa-active``
+~~~~~~~~~~~~~~~~~~~~
+
+Use the active column in the SOA table, "yes" by default.
+
+.. _setting-mydns-rr-active:
+
+``mydns-rr-active``
+~~~~~~~~~~~~~~~~~~~
+
+Use the active column in the resource record table, "yes" by default.
+
+.. _setting-mydns-use-minimal-ttl:
+
+``mydns-use-minimal-ttl``
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Setting this to 'yes' will make the backend behave like MyDNS on the TTL
+values. Setting it to 'no' will make it ignore the minimal-ttl of the
+zone. The default is "yes".
--- /dev/null
+OpenDBX Backend
+===============
+
+* Native: Yes
+* Master: Yes
+* Slave: Yes
+* Superslave: Yes
+* Autoserial: Yes
+* DNSSEC: No
+* Disabled data: No
+* Comments: No
+* Module name: opendbx
+* Launch name: ``opendbx``
+
+The OpenDBX backend allows the authoritative server to connect to any
+backend supported by
+`OpenDBX <http://www.linuxnetworks.de/doc/index.php/OpenDBX>`__.
+
+This document contains a subset of the `full
+documentation <http://www.linuxnetworks.de/doc/index.php/PowerDNS_OpenDBX_Backend>`__
+supplied by the author Norbert Sendetzky . This module is fully
+supported (and tested) by PowerDNS.
+
+The OpenDBX backend has a mechanism to connect different database
+servers for read and write actions.
+
+The domains table for the opendbx backend has a "status" column, when
+set to "A", the domain is considered active and is actually served.
+
+Settings
+--------
+
+.. _setting-opendbx-backend:
+
+``opendbx-backend``
+^^^^^^^^^^^^^^^^^^^
+
+Name of the backend used to connect to the database server. Currently
+mysql, pgsql, sqlite, sqlite3 and sybase are available. Default=mysql.
+
+.. _setting-opendbx-host-read:
+
+``opendbx-host-read``
+^^^^^^^^^^^^^^^^^^^^^
+
+One or more host names or IP addresses of the database servers. These
+hosts will be used for retrieving the records via SELECT queries.
+Default=127.0.0.1
+
+.. _setting-opendbx-host-write:
+
+``opendbx-host-write``
+^^^^^^^^^^^^^^^^^^^^^^
+
+One or more host names or IP addresses of the database servers. These
+hosts will be used for INSERT/UPDATE statements (mostly used by
+zonetransfers). Default=127.0.0.1
+
+.. _setting-opendbx-port:
+
+``opendbx-port``
+^^^^^^^^^^^^^^^^
+
+TCP/IP port number where the database server is listening to. Most
+databases will use their default port if you leave this empty.
+
+.. _setting-opendbx-database:
+
+``opendbx-database``
+^^^^^^^^^^^^^^^^^^^^
+
+The database name where all domain and record entries are stored.
+Default=powerdns
+
+.. _setting-opendbx-username:
+
+``opendbx-username``
+^^^^^^^^^^^^^^^^^^^^
+
+Name of the user send to the DBMS for authentication. Default=powerdns.
+
+.. _setting-opendbx-password:
+
+``opendbx-password``
+^^^^^^^^^^^^^^^^^^^^
+
+Clear text password for authentication in combination with the username.
+
+Queries
+-------
+
+As with the :doc:`generic-sql`, queries
+are configurable. Note: If you change one of the SELECT statements must
+not change the order of the retrieved columns! To get the default
+queries, run ``pdns_server --no-config --launch=opendbx --config``. The
+following queries are configurable:
+
+- ``opendbx-sql-list``: Select records which will be returned to
+ clients asking for zone transfers (AXFR).
+- ``opendbx-sql-lookup``: Retrieve DNS records by name.
+- ``opendbx-sql-lookupid``: Retrieve DNS records by id and name.
+- ``opendbx-sql-lookuptype``: Retrieve DNS records by name and type.
+- ``opendbx-sql-lookuptypeid``: Retrieve DNS records by id, name and
+ type.
+- ``opendbx-sql-lookupsoa``: Retrieve SOA record for domain.
+- ``opendbx-sql-zonedelete``: Delete all records from zone before
+ inserting new ones via AXFR.
+- ``opendbx-sql-zoneinfo``: Get stored information about a domain.
+- ``opendbx-sql-transactbegin``: Start transaction before updating a
+ zone via AXFR.
+- ``opendbx-sql-transactend``: Commit transaction after updating a zone
+ via AXFR.
+- ``opendbx-sql-transactabort``: Undo changes if an error occurred
+ while updating a zone via AXFR.
+- ``opendbx-sql-insert-slave``: Adds a new zone from the authoritative
+ DNS server which is currently retrieved via AXFR.
+- ``opendbx-sql-insert-record``: Adds new records of a zone form the
+ authoritative DNS server which are currently retrieved via AXFR.
+- ``opendbx-sql-update-serial``: Set zone serial to value of last
+ update.
+- ``opendbx-sql-update-lastcheck``: Set time of last zone check.
+- ``opendbx-sql-master``: Get master record for zone.
+- ``opendbx-sql-supermaster``: Get supermaster info.
+- ``opendbx-sql-infoslaves``: Get all unfresh slaves.
+- ``opendbx-sql-infomasters``: Get all updates masters.
+
+Database schemas and information
+--------------------------------
+
+Mysql
+^^^^^
+
+The file below also contains trigger definitions which are necessary for
+:ref:`autoserial` support, but they
+are only available in MySQL 5 and later. If you are still using MySQL
+4.x and don't want to utilize the automatically generated zone serials,
+you can safely remove the "CREATE TRIGGER" statements from the file
+before creating the database tables.
+
+.. code-block:: SQL
+
+ SET SESSION sql_mode='ANSI';
+
+ CREATE TABLE "domains" (
+ "id" INTEGER NOT NULL AUTO_INCREMENT,
+ "name" VARCHAR(255) NOT NULL,
+ "type" VARCHAR(6) NOT NULL,
+ "master" VARCHAR(40) NOT NULL DEFAULT '',
+ "account" VARCHAR(40) NOT NULL DEFAULT '',
+ "last_check" INTEGER DEFAULT NULL,
+ "notified_serial" INTEGER DEFAULT NULL,
+ "auto_serial" INTEGER NOT NULL DEFAULT 0,
+ "status" CHAR(1) NOT NULL DEFAULT 'A',
+ CONSTRAINT "pdns_pk_domains_id"
+ PRIMARY KEY ("id"),
+ CONSTRAINT "pdns_unq_domains_name"
+ UNIQUE ("name")
+ ) type=InnoDB;
+
+ CREATE INDEX "pdns_idx_domains_status_type" ON "domains" ("status","type");
+
+ CREATE TABLE "records" (
+ "id" INTEGER NOT NULL AUTO_INCREMENT,
+ "domain_id" INTEGER NOT NULL,
+ "name" VARCHAR(255) NOT NULL,
+ "type" VARCHAR(6) NOT NULL,
+ "ttl" INTEGER DEFAULT NULL,
+ "prio" INTEGER DEFAULT NULL,
+ "content" VARCHAR(255) NOT NULL,
+ CONSTRAINT "pdns_pk_records_id"
+ PRIMARY KEY ("id"),
+ CONSTRAINT "pdns_fk_records_domainid"
+ FOREIGN KEY ("domain_id")
+ REFERENCES "domains" ("id")
+ ON UPDATE CASCADE
+ ON DELETE CASCADE
+ ) type=InnoDB;
+
+ CREATE INDEX "pdns_idx_records_name_type" ON "records" ("name","type");
+ CREATE INDEX "pdns_idx_records_type" ON "records" ("type");
+
+ CREATE TABLE "supermasters" (
+ "ip" VARCHAR(40) NOT NULL,
+ "nameserver" VARCHAR(255) NOT NULL,
+ "account" VARCHAR(40) NOT NULL DEFAULT ''
+ );
+
+ CREATE INDEX "pdns_idx_smaster_ip_ns" ON "supermasters" ("ip","nameserver");
+
+ GRANT SELECT ON "supermasters" TO "powerdns";
+ GRANT ALL ON "domains" TO "powerdns";
+ GRANT ALL ON "records" TO "powerdns";
+
+ DELIMITER :
+
+ CREATE TRIGGER "pdns_trig_records_insert"
+ AFTER INSERT ON "records"
+ FOR EACH ROW BEGIN
+ UPDATE "domains" d SET d."auto_serial" = d."auto_serial" + 1
+ WHERE d."id" = NEW."domain_id";
+ END;:
+
+ CREATE TRIGGER "pdns_trig_records_update"
+ AFTER UPDATE ON "records"
+ FOR EACH ROW BEGIN
+ UPDATE "domains" d SET d."auto_serial" = d."auto_serial" + 1
+ WHERE d."id" = NEW."domain_id";
+ END;:
+
+ CREATE TRIGGER "pdns_trig_records_delete"
+ AFTER DELETE ON "records"
+ FOR EACH ROW BEGIN
+ UPDATE "domains" d SET d."auto_serial" = d."auto_serial" + 1
+ WHERE d."id" = OLD."domain_id";
+ END;:
+
+ DELIMITER ;
+
+PostgreSQL
+^^^^^^^^^^
+
+.. code-block:: SQL
+
+ CREATE TABLE "domains" (
+ "id" SERIAL NOT NULL,
+ "name" VARCHAR(255) NOT NULL,
+ "type" VARCHAR(6) NOT NULL,
+ "master" VARCHAR(40) NOT NULL DEFAULT '',
+ "account" VARCHAR(40) NOT NULL DEFAULT '',
+ "last_check" INTEGER DEFAULT NULL,
+ "notified_serial" INTEGER DEFAULT NULL,
+ "auto_serial" INTEGER NOT NULL DEFAULT 0,
+ "status" CHAR(1) NOT NULL DEFAULT 'A',
+ CONSTRAINT "pdns_pk_domains_id"
+ PRIMARY KEY ("id"),
+ CONSTRAINT "pdns_unq_domains_name"
+ UNIQUE ("name")
+ );
+
+ CREATE INDEX "pdns_idx_domains_status_type" ON "domains" ("status","type");
+
+ CREATE TABLE "records" (
+ "id" SERIAL NOT NULL,
+ "domain_id" INTEGER NOT NULL,
+ "name" VARCHAR(255) NOT NULL,
+ "type" VARCHAR(6) NOT NULL,
+ "ttl" INTEGER DEFAULT NULL,
+ "prio" INTEGER DEFAULT NULL,
+ "content" VARCHAR(255) NOT NULL,
+ CONSTRAINT "pdns_pk_records_id"
+ PRIMARY KEY ("id"),
+ CONSTRAINT "pdns_fk_records_domainid"
+ FOREIGN KEY ("domain_id")
+ REFERENCES "domains" ("id")
+ ON UPDATE CASCADE
+ ON DELETE CASCADE
+ );
+
+ CREATE INDEX "pdns_idx_records_name_type" ON "records" ("name","type");
+ CREATE INDEX "pdns_idx_records_type" ON "records" ("type");
+
+ CREATE TABLE "supermasters" (
+ "ip" VARCHAR(40) NOT NULL,
+ "nameserver" VARCHAR(255) NOT NULL,
+ "account" VARCHAR(40) NOT NULL DEFAULT ''
+ );
+
+ CREATE INDEX "pdns_idx_smaster_ip_ns" ON "supermasters" ("ip","nameserver");
+
+ GRANT SELECT ON "supermasters" TO "powerdns";
+ GRANT ALL ON "domains" TO "powerdns";
+ GRANT ALL ON "domains_id_seq" TO "powerdns";
+ GRANT ALL ON "records" TO "powerdns";
+ GRANT ALL ON "records_id_seq" TO "powerdns";
+
+ CREATE RULE "pdns_rule_records_insert"
+ AS ON INSERT TO "records" DO
+ UPDATE "domains" SET "auto_serial" = "auto_serial" + 1 WHERE "id" = NEW."domain_id";
+
+ CREATE RULE "pdns_rule_records_update"
+ AS ON UPDATE TO "records" DO
+ UPDATE "domains" SET "auto_serial" = "auto_serial" + 1 WHERE "id" = NEW."domain_id";
+
+ CREATE RULE "pdns_rule_records_delete"
+ AS ON DELETE TO "records" DO
+ UPDATE "domains" SET "auto_serial" = "auto_serial" + 1 WHERE "id" = OLD."domain_id";
+
+SQLite and SQLite3
+^^^^^^^^^^^^^^^^^^
+
+Supported without changes since OpenDBX 1.0.0 but requires to set
+:ref:`setting-opendbx-host-read` to the path of the SQLite file
+(including the trailing slash or backslash, depending on your operating
+system) and opendbx-database to the name of the file.
+
+.. code-block:: SQL
+
+ opendbx-host-read = /path/to/file/
+ opendbx-host-write = /path/to/file/
+ opendbx-database = powerdns.sqlite
+
+SQLite Schema
+~~~~~~~~~~~~~
+
+::
+
+ CREATE TABLE "domains" (
+ "id" INTEGER NOT NULL PRIMARY KEY,
+ "name" VARCHAR(255) NOT NULL,
+ "type" VARCHAR(6) NOT NULL,
+ "master" VARCHAR(40) NOT NULL DEFAULT '',
+ "account" VARCHAR(40) NOT NULL DEFAULT '',
+ "last_check" INTEGER DEFAULT NULL,
+ "notified_serial" INTEGER DEFAULT NULL,
+ "auto_serial" INTEGER NOT NULL DEFAULT 0,
+ "status" CHAR(1) NOT NULL DEFAULT 'A',
+ CONSTRAINT "pdns_unq_domains_name"
+ UNIQUE ("name")
+ );
+
+ CREATE INDEX "pdns_idx_domains_status_type" ON "domains" ("status","type");
+
+ CREATE TABLE "records" (
+ "id" INTEGER NOT NULL PRIMARY KEY,
+ "domain_id" INTEGER NOT NULL,
+ "name" VARCHAR(255) NOT NULL,
+ "type" VARCHAR(6) NOT NULL,
+ "ttl" INTEGER DEFAULT NULL,
+ "prio" INTEGER DEFAULT NULL,
+ "content" VARCHAR(255) NOT NULL,
+ CONSTRAINT "pdns_fk_records_domainid"
+ FOREIGN KEY ("domain_id")
+ REFERENCES "domains" ("id")
+ ON UPDATE CASCADE
+ ON DELETE CASCADE
+ );
+
+ CREATE INDEX "pdns_idx_records_name_type" ON "records" ("name","type");
+ CREATE INDEX "pdns_idx_records_type" ON "records" ("type");
+
+ CREATE TABLE "supermasters" (
+ "ip" VARCHAR(40) NOT NULL,
+ "nameserver" VARCHAR(255) NOT NULL,
+ "account" VARCHAR(40) NOT NULL DEFAULT ''
+ );
+
+ CREATE INDEX "pdns_idx_smaster_ip_ns" ON "supermasters" ("ip","nameserver");
+
+ CREATE TRIGGER "pdns_trig_records_insert"
+ AFTER INSERT ON "records"
+ FOR EACH ROW BEGIN
+ UPDATE "domains" SET "auto_serial" = "auto_serial" + 1
+ WHERE "id" = NEW."domain_id";
+ END;
+
+ CREATE TRIGGER "pdns_trig_records_update"
+ AFTER UPDATE ON "records"
+ FOR EACH ROW BEGIN
+ UPDATE "domains" SET "auto_serial" = "auto_serial" + 1
+ WHERE "id" = NEW."domain_id";
+ END;
+
+ CREATE TRIGGER "pdns_trig_records_delete"
+ AFTER DELETE ON "records"
+ FOR EACH ROW BEGIN
+ UPDATE "domains" SET "auto_serial" = "auto_serial" + 1
+ WHERE "id" = OLD."domain_id";
+ END;
+
+SQLite3 Schema
+~~~~~~~~~~~~~~
+
+::
+
+ CREATE TABLE "domains" (
+ "id" INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ "name" VARCHAR(255) NOT NULL,
+ "type" VARCHAR(6) NOT NULL,
+ "master" VARCHAR(40) NOT NULL DEFAULT '',
+ "account" VARCHAR(40) NOT NULL DEFAULT '',
+ "last_check" INTEGER DEFAULT NULL,
+ "notified_serial" INTEGER DEFAULT NULL,
+ "auto_serial" INTEGER NOT NULL DEFAULT 0,
+ "status" CHAR(1) NOT NULL DEFAULT 'A',
+ CONSTRAINT "pdns_unq_domains_name"
+ UNIQUE ("name")
+ );
+
+ CREATE INDEX "pdns_idx_domains_status_type" ON "domains" ("status","type");
+
+ CREATE TABLE "records" (
+ "id" INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ "domain_id" INTEGER NOT NULL,
+ "name" VARCHAR(255) NOT NULL,
+ "type" VARCHAR(6) NOT NULL,
+ "ttl" INTEGER DEFAULT NULL,
+ "prio" INTEGER DEFAULT NULL,
+ "content" VARCHAR(255) NOT NULL,
+ CONSTRAINT "pdns_fk_records_domainid"
+ FOREIGN KEY ("domain_id")
+ REFERENCES "domains" ("id")
+ ON UPDATE CASCADE
+ ON DELETE CASCADE
+ );
+
+ CREATE INDEX "pdns_idx_records_name_type" ON "records" ("name","type");
+ CREATE INDEX "pdns_idx_records_type" ON "records" ("type");
+
+ CREATE TABLE "supermasters" (
+ "ip" VARCHAR(40) NOT NULL,
+ "nameserver" VARCHAR(255) NOT NULL,
+ "account" VARCHAR(40) NOT NULL DEFAULT ''
+ );
+
+ CREATE INDEX "pdns_idx_smaster_ip_ns" ON "supermasters" ("ip","nameserver");
+
+ CREATE TRIGGER "pdns_trig_records_insert"
+ AFTER INSERT ON "records"
+ FOR EACH ROW BEGIN
+ UPDATE "domains" SET "auto_serial" = "auto_serial" + 1
+ WHERE "id" = NEW."domain_id";
+ END;
+
+ CREATE TRIGGER "pdns_trig_records_update"
+ AFTER UPDATE ON "records"
+ FOR EACH ROW BEGIN
+ UPDATE "domains" SET "auto_serial" = "auto_serial" + 1
+ WHERE "id" = NEW."domain_id";
+ END;
+
+ CREATE TRIGGER "pdns_trig_records_delete"
+ AFTER DELETE ON "records"
+ FOR EACH ROW BEGIN
+ UPDATE "domains" SET "auto_serial" = "auto_serial" + 1
+ WHERE "id" = OLD."domain_id";
+ END;
+
+Firebird/Interbase
+^^^^^^^^^^^^^^^^^^
+
+Requires :ref:`setting-opendbx-database` set to the path of
+the database file and doesn't support the default statement for starting
+transactions. Please add the following lines to your pdns.conf:
+
+::
+
+ opendbx-database = /var/lib/firebird2/data/powerdns.gdb
+ opendbx-sql-transactbegin = SET TRANSACTION
+
+When creating the database please make sure that you call the ``isql``
+tool with the parameter ``-page 4096``. Otherwise, you will get an error
+(key size exceeds implementation restriction for index
+"pdns\_unq\_domains\_name") when creating the tables.
+
+::
+
+ CREATE TABLE "domains" (
+ "id" INTEGER NOT NULL,
+ "name" VARCHAR(255) NOT NULL,
+ "type" VARCHAR(6) NOT NULL,
+ "master" VARCHAR(40) DEFAULT '' NOT NULL,
+ "account" VARCHAR(40) DEFAULT '' NOT NULL,
+ "last_check" INTEGER,
+ "notified_serial" INTEGER,
+ "auto_serial" INTEGER DEFAULT 0 NOT NULL,
+ "status" CHAR(1) DEFAULT 'A' NOT NULL,
+ CONSTRAINT "pdns_pk_domains_id"
+ PRIMARY KEY ("id"),
+ CONSTRAINT "pdns_unq_domains_name"
+ UNIQUE ("name")
+ );
+
+ CREATE GENERATOR "pdns_gen_domains_id";
+
+ SET TERM !!;
+ CREATE TRIGGER "pdns_trig_domains_id" FOR "domains"
+ ACTIVE BEFORE INSERT AS
+ BEGIN
+ IF (NEW."id" IS NULL) THEN
+ NEW."id" = GEN_ID("pdns_gen_domains_id",1);
+ END !!
+ SET TERM ;!!
+
+ CREATE INDEX "pdns_idx_domains_status_type" ON "domains" ("status","type");
+
+ CREATE TABLE "records" (
+ "id" INTEGER NOT NULL,
+ "domain_id" INTEGER NOT NULL,
+ "name" VARCHAR(255) NOT NULL,
+ "type" VARCHAR(6) NOT NULL,
+ "ttl" INTEGER DEFAULT NULL,
+ "prio" INTEGER DEFAULT NULL,
+ "content" VARCHAR(255) NOT NULL,
+ CONSTRAINT "pdns_pk_records_id"
+ PRIMARY KEY ("id"),
+ CONSTRAINT "pdns_fk_records_domainid"
+ FOREIGN KEY ("domain_id")
+ REFERENCES "domains" ("id")
+ ON UPDATE CASCADE
+ ON DELETE CASCADE
+ );
+
+ CREATE GENERATOR "pdns_gen_records_id";
+
+ SET TERM !!;
+ CREATE TRIGGER "pdns_trig_records_id" FOR "records"
+ ACTIVE BEFORE INSERT AS
+ BEGIN
+ IF (NEW."id" IS NULL) THEN
+ NEW."id" = GEN_ID("pdns_gen_records_id",1);
+ END !!
+ SET TERM ;!!
+
+ CREATE INDEX "idx_records_name_type" ON "records" ("name","type");
+ CREATE INDEX "idx_records_type" ON "records" ("type");
+
+ CREATE TABLE "supermasters" (
+ "ip" VARCHAR(40) NOT NULL,
+ "nameserver" VARCHAR(255) NOT NULL,
+ "account" VARCHAR(40) DEFAULT '' NOT NULL
+ );
+
+ CREATE INDEX "pdns_idx_smaster_ip_ns" ON "supermasters" ("ip","nameserver");
+
+ GRANT SELECT ON "supermasters" TO "powerdns";
+ GRANT ALL ON "domains" TO "powerdns";
+ GRANT ALL ON "records" TO "powerdns";
+
+ SET TERM !!;
+
+ CREATE TRIGGER "pdns_trig_records_insert" FOR "records"
+ ACTIVE AFTER INSERT AS
+ BEGIN
+ UPDATE "domains" d SET d."auto_serial" = d."auto_serial" + 1
+ WHERE d."id" = NEW."domain_id";
+ END !!
+
+ CREATE TRIGGER "pdns_trig_records_update" FOR "records"
+ ACTIVE AFTER UPDATE AS
+ BEGIN
+ UPDATE "domains" d SET d."auto_serial" = d."auto_serial" + 1
+ WHERE d."id" = NEW."domain_id";
+ END !!
+
+ CREATE TRIGGER "pdns_trig_records_delete" FOR "records"
+ ACTIVE AFTER DELETE AS
+ BEGIN
+ UPDATE "domains" d SET d."auto_serial" = d."auto_serial" + 1
+ WHERE d."id" = OLD."domain_id";
+ END !!
+
+ SET TERM ;!!
+
+Microsoft SQL Server
+^^^^^^^^^^^^^^^^^^^^
+
+Supported using the FreeTDS library. It uses a different scheme for host
+configuration (requires the name of the host section in the
+configuration file of the dblib client library) and doesn't support the
+default statement for starting transactions. Please add the following
+lines to your pdns.conf:
+
+::
+
+ opendbx-host-read = MSSQL2k
+ opendbx-host-write = MSSQL2k
+ opendbx-sql-transactbegin = BEGIN TRANSACTION
+
+::
+
+ SET quoted_identifier ON;
+
+
+ CREATE TABLE "domains" (
+ "id" INTEGER NOT NULL IDENTITY,
+ "name" VARCHAR(255) NOT NULL,
+ "type" VARCHAR(6) NOT NULL,
+ "master" VARCHAR(40) DEFAULT '' NOT NULL,
+ "account" VARCHAR(40) DEFAULT '' NOT NULL,
+ "last_check" INTEGER NULL,
+ "notified_serial" INTEGER NULL,
+ "auto_serial" INTEGER NOT NULL DEFAULT 0,
+ "status" CHAR(1) DEFAULT 'A' NOT NULL,
+ CONSTRAINT "pdns_pk_domains_id"
+ PRIMARY KEY ("id"),
+ CONSTRAINT "pdns_unq_domains_name"
+ UNIQUE ("name")
+ );
+
+ CREATE INDEX "pdns_idx_domains_status_type" ON "domains" ("status","type");
+
+ CREATE TABLE "records" (
+ "id" INTEGER NOT NULL IDENTITY,
+ "domain_id" INTEGER NOT NULL,
+ "name" VARCHAR(255) NOT NULL,
+ "type" VARCHAR(6) NOT NULL,
+ "ttl" INTEGER NULL,
+ "prio" INTEGER NULL,
+ "content" VARCHAR(255) NOT NULL,
+ "change_date" INTEGER NULL,
+ CONSTRAINT "pdns_pk_records_id"
+ PRIMARY KEY ("id"),
+ CONSTRAINT "pdns_fk_records_domainid"
+ FOREIGN KEY ("domain_id")
+ REFERENCES "domains" ("id")
+ );
+
+ CREATE INDEX "pdns_idx_records_name_type" ON "records" ("name","type");
+ CREATE INDEX "pdns_idx_records_type" ON "records" ("type");
+
+ CREATE TABLE "supermasters" (
+ "ip" VARCHAR(40) NOT NULL,
+ "nameserver" VARCHAR(255) NOT NULL,
+ "account" VARCHAR(40) DEFAULT '' NOT NULL
+ );
+
+ CREATE INDEX "pdns_idx_smip_smns" ON "supermasters" ("ip","nameserver");
+
+ GRANT SELECT ON "supermasters" TO "powerdns";
+ GRANT ALL ON "domains" TO "powerdns";
+ GRANT ALL ON "records" TO "powerdns";
+
+ CREATE TRIGGER "pdns_trig_records_insert"
+ ON "records" FOR INSERT AS
+ UPDATE "domains" SET "auto_serial" = "auto_serial" + 1
+ WHERE "id" = ANY (
+ SELECT i."domain_id" FROM "inserted" i GROUP BY i."domain_id"
+ );
+
+ CREATE TRIGGER "pdns_trig_records_update"
+ ON "records" FOR UPDATE AS
+ UPDATE "domains" SET "auto_serial" = "auto_serial" + 1
+ WHERE "id" = ANY (
+ SELECT i."domain_id" FROM "inserted" i GROUP BY i."domain_id"
+ );
+
+ CREATE TRIGGER "pdns_trig_records_delete"
+ ON "records" FOR DELETE AS
+ UPDATE "domains" SET "auto_serial" = "auto_serial" + 1
+ WHERE "id" = ANY (
+ SELECT d."domain_id" FROM "deleted" d GROUP BY d."domain_id"
+ );
+
+Sybase ASE
+^^^^^^^^^^
+
+Supported using the native Sybase ctlib or the FreeTDS library. It uses
+a different scheme for host configuration (requires the name of the host
+section in the configuration file of the ctlib client library) and
+doesn't support the default statement for starting transactions. Please
+add the following lines to your pdns.conf:
+
+::
+
+ opendbx-host-read = SYBASE
+ opendbx-host-write = SYBASE
+ opendbx-sql-transactbegin = BEGIN TRANSACTION
+
+::
+
+ SET quoted_identifier ON;
+
+ CREATE TABLE "domains" (
+ "id" INTEGER NOT NULL IDENTITY,
+ "name" VARCHAR(255) NOT NULL,
+ "type" VARCHAR(6) NOT NULL,
+ "master" VARCHAR(40) DEFAULT '' NOT NULL,
+ "account" VARCHAR(40) DEFAULT '' NOT NULL,
+ "last_check" INTEGER NULL,
+ "notified_serial" INTEGER NULL,
+ "auto_serial" INTEGER NOT NULL DEFAULT 0,
+ "status" CHAR(1) DEFAULT 'A' NOT NULL,
+ CONSTRAINT "pdns_pk_domains_id"
+ PRIMARY KEY ("id"),
+ CONSTRAINT "pdns_unq_domains_name"
+ UNIQUE ("name")
+ );
+
+ CREATE INDEX "pdns_idx_domains_status_type" ON "domains" ("status","type");
+
+ CREATE TABLE "records" (
+ "id" INTEGER NOT NULL IDENTITY,
+ "domain_id" INTEGER NOT NULL,
+ "name" VARCHAR(255) NOT NULL,
+ "type" VARCHAR(6) NOT NULL,
+ "ttl" INTEGER NULL,
+ "prio" INTEGER NULL,
+ "content" VARCHAR(255) NOT NULL,
+ "change_date" INTEGER NULL,
+ CONSTRAINT "pdns_pk_records_id"
+ PRIMARY KEY ("id"),
+ CONSTRAINT "pdns_fk_records_domainid"
+ FOREIGN KEY ("domain_id")
+ REFERENCES "domains" ("id")
+ );
+
+ CREATE INDEX "pdns_idx_records_name_type" ON "records" ("name","type");
+ CREATE INDEX "pdns_idx_records_type" ON "records" ("type");
+
+ CREATE TABLE "supermasters" (
+ "ip" VARCHAR(40) NOT NULL,
+ "nameserver" VARCHAR(255) NOT NULL,
+ "account" VARCHAR(40) DEFAULT '' NOT NULL
+ );
+
+ CREATE INDEX "pdns_idx_smip_smns" ON "supermasters" ("ip","nameserver");
+
+ GRANT SELECT ON "supermasters" TO "powerdns";
+ GRANT ALL ON "domains" TO "powerdns";
+ GRANT ALL ON "records" TO "powerdns";
+
+ CREATE TRIGGER "pdns_trig_records_insert"
+ ON "records" FOR INSERT AS
+ UPDATE "domains" SET "auto_serial" = "auto_serial" + 1
+ WHERE "id" = ANY (
+ SELECT i."domain_id" FROM "inserted" i GROUP BY i."domain_id"
+ );
+
+ CREATE TRIGGER "pdns_trig_records_update"
+ ON "records" FOR UPDATE AS
+ UPDATE "domains" SET "auto_serial" = "auto_serial" + 1
+ WHERE "id" = ANY (
+ SELECT i."domain_id" FROM "inserted" i GROUP BY i."domain_id"
+ );
+
+ CREATE TRIGGER "pdns_trig_records_delete"
+ ON "records" FOR DELETE AS
+ UPDATE "domains" SET "auto_serial" = "auto_serial" + 1
+ WHERE "id" = ANY (
+ SELECT d."domain_id" FROM "deleted" d GROUP BY d."domain_id"
+ );
+
+Oracle
+^^^^^^
+
+Uses a different syntax for transactions and requires the following
+additional line in your pdns.conf:
+
+::
+
+ opendbx-sql-transactbegin = SET TRANSACTION NAME 'AXFR'
+
+::
+
+ CREATE TABLE "domains" (
+ "id" INTEGER NOT NULL,
+ "name" VARCHAR(255) NOT NULL,
+ "type" VARCHAR(6) NOT NULL,
+ "master" VARCHAR(40) DEFAULT '',
+ "account" VARCHAR(40) DEFAULT '',
+ "last_check" INTEGER,
+ "notified_serial" INTEGER,
+ "auto_serial" INTEGER DEFAULT 0,
+ "status" CHAR(1) DEFAULT 'A',
+ CONSTRAINT "pdns_pk_domains_id"
+ PRIMARY KEY ("id"),
+ CONSTRAINT "pdns_unq_domains_name"
+ UNIQUE ("name")
+ );
+
+ CREATE SEQUENCE "pdns_seq_domains_id" START WITH 1 INCREMENT BY 1;
+
+ CREATE TRIGGER "pdns_trig_domains_id"
+ BEFORE INSERT ON "domains"
+ FOR EACH ROW
+ BEGIN
+ SELECT "pdns_seq_domains_id".nextval INTO :NEW."id" FROM dual;
+ END;
+
+ CREATE INDEX "pdns_idx_domains_status_type" ON "domains" ("status","type");
+
+ CREATE TABLE "records" (
+ "id" INTEGER NOT NULL,
+ "domain_id" INTEGER NOT NULL,
+ "name" VARCHAR(255) NOT NULL,
+ "type" VARCHAR(6) NOT NULL,
+ "ttl" INTEGER NULL,
+ "prio" INTEGER NULL,
+ "content" VARCHAR(255) NOT NULL,
+ "change_date" INTEGER NULL,
+ CONSTRAINT "pdns_pk_records_id"
+ PRIMARY KEY ("id"),
+ CONSTRAINT "pdns_fk_records_domainid"
+ FOREIGN KEY ("domain_id")
+ REFERENCES "domains" ("id")
+ ON DELETE CASCADE
+ );
+
+ CREATE SEQUENCE "pdns_seq_records_id" START WITH 1 INCREMENT BY 1;
+
+ CREATE TRIGGER "pdns_trig_records_id"
+ BEFORE INSERT ON "records"
+ FOR EACH ROW
+ BEGIN
+ SELECT "pdns_seq_records_id".nextval INTO :NEW."id" FROM dual;
+ END;
+
+ CREATE INDEX "pdns_idx_records_name_type" ON "records" ("name","type");
+ CREATE INDEX "pdns_idx_records_type" ON "records" ("type");
+
+ CREATE TABLE "supermasters" (
+ "ip" VARCHAR(40) NOT NULL,
+ "nameserver" VARCHAR(255) NOT NULL,
+ "account" VARCHAR(40) NOT NULL
+ );
+
+ CREATE INDEX "pdns_idx_smaster_ip_ns" ON "supermasters" ("ip","nameserver");
+
+ GRANT SELECT ON "supermasters" TO "powerdns";
+ GRANT ALL ON "domains" TO "powerdns";
+ GRANT ALL ON "records" TO "powerdns";
+
+ CREATE TRIGGER "pdns_trig_records_insert"
+ AFTER INSERT ON "records"
+ FOR EACH ROW BEGIN
+ UPDATE "domains" SET "auto_serial" = "auto_serial" + 1
+ WHERE "id" = :NEW."domain_id";
+ END;
+
+ CREATE TRIGGER "pdns_trig_records_update"
+ AFTER UPDATE ON "records"
+ FOR EACH ROW BEGIN
+ UPDATE "domains" SET "auto_serial" = "auto_serial" + 1
+ WHERE "id" = :NEW."domain_id";
+ END;
+
+ CREATE TRIGGER "pdns_trig_records_delete"
+ AFTER DELETE ON "records"
+ FOR EACH ROW BEGIN
+ UPDATE "domains" SET "auto_serial" = "auto_serial" + 1
+ WHERE "id" = :OLD."domain_id";
+ END;
--- /dev/null
+Oracle backend
+==============
+
+* Native: Yes
+* Master: Yes
+* Slave: Yes
+* Superslave: Yes
+* Autoserial: Yes
+* DNSSEC: Yes
+* Comments: No
+* Module name: oracle
+* Launch name: ``oracle``
+
+This is the Oracle Database backend with easily configurable SQL statements, allowing you to graft
+PowerDNS functionality onto any Oracle database of your choosing.
+
+The Oracle backend is difficult, and possibly illegal, to distribute in
+binary form. To use it, you will probably need to compile PowerDNS from
+source. OCI headers are expected in ``$ORACLE_HOME/rdbms/public``, and
+OCI libraries in ``$ORACLE_HOME/lib``. That is where they should be with
+a working installation of the full Oracle Database client. Oracle
+InstantClient should work as well, but you will need to make the
+libraries and headers available in appropriate paths.
+
+This backend uses two kinds of database connections. First, it opens a
+session pool. Connections from this pool are used only for queries
+reading DNS data from the database. Second, it opens normal (non-pooled)
+connections on demand for any kind of write access. The reason for this
+split is to allow redundancy by replication. Each DNS frontend server
+can have a local read-only replicated instance of your database. Open
+the session pool to the local replicated copy, and all data will be
+available with high performance, even if the main database goes down.
+The writing connections should go directly to the main database.
+
+Of course, if you do not require this kind of redundancy, or want to
+avoid the substantial Oracle Database licensing costs, all connections
+can just go to the same database with the same credentials. Also, the
+write connections should be entirely unnecessary if you do not plan to
+use either master or slave mode.
+
+Configuration Parameters
+------------------------
+
+.. _setting-oracle-pool:
+
+``oracle-pool-database``, ``oracle-pool-username``, ``oracle-pool-password``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The database to use for read access. OracleBackend will try to create a
+session pool, so make sure this database user has the necessary
+permissions. If your connection requires environment variables to be
+set, e.g. ``ORACLE_HOME``, ``NLS_LANG``, or ``LD_LIBRARY_PATH``, make
+sure these are set when PowerDNS runs. ``/etc/default/pdns`` might help.
+
+.. _setting-oracle-master:
+
+``oracle-master-database``, ``oracle-master-username``, ``oracle-master-password``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The database to use for write access. These are normal connections, not
+a session pool. The backend may open more than one at a time.
+
+.. _setting-oracle-session:
+
+``oracle-session-min``, ``oracle-session-max``, ``oracle-session-inc``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Parameters for the connection pool underlying the session pool. OCI will
+open ``session-min`` connections at startup, and open more connections
+as needed, ``session-inc`` at a time, until ``session-max`` connections
+are open.
+
+.. _setting-oracle-nameserver-name:
+
+``oracle-nameserver-name``
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This can be set to an arbitrary string that will be made available in
+the optional bind variable ``:nsname`` for all SQL statements. You can
+use this to run multiple PowerDNS instances off the same database, while
+serving different zones.
+
+There are many more options that are used to define the different SQL
+statements. These will be discussed after the reference database schema
+has been explained.
+
+The Database Schema
+-------------------
+
+You can find an example database schema in ``schema.sql`` in the
+PowerDNS source distribution. It is intended more as a starting point to
+come up with a schema that works well for your organisation, than as
+something you should run as it is. As long as the semantics of the SQL
+statements still work out, you can store your DNS data any way you like.
+
+You should read this while having ``schema.sql`` to hand. Columns will
+not be specifically explained where their meaning is obvious.
+
+.. note::
+ All FQDNs should be specified in lower case and without a
+ trailing dot. Where things are lexicographically compared or sorted,
+ make sure a sane ordering is used.
+ ``'NLS_LANG=AMERICAN_AMERICA.AL32UTF8'`` should generally work well
+ enough; when in doubt, enforce a plain ordering with
+ ``"NLSSORT(value, 'NLS_SORT = BINARY')"``.
+
+Zones Table
+~~~~~~~~~~~
+
+This table lists the zones for which PowerDNS is supposed to be an
+authoritative nameserver, plus a small amount of information related to
+master/slave mode.
+
+name
+^^^^
+
+The FQDN of the zone apex, e.g. 'example.com'.
+
+type
+^^^^
+
+Describes how PowerDNS should host the zone. Valid values are 'NATIVE',
+'MASTER', and 'SLAVE'. PowerDNS acts as an authoritative nameserver for
+the zone in all modes. In slave mode, it will additionally attempt to
+acquire the zone's content from a master server. In master mode, it will
+additionally send 'NOTIFY' packets to other nameservers for the zone
+when its content changes.
+
+**Tip**: There is a global setting to make PowerDNS send 'NOTIFY'
+packets in slave mode.
+
+last\_check
+^^^^^^^^^^^
+
+This value, updated by PowerDNS, is the unix timestamp of the last
+successful attempt to check this zone for freshness on the master.
+
+refresh
+^^^^^^^
+
+The number of seconds PowerDNS should wait after a successful freshness
+check before performing another one. This value is also found in the
+zone's SOA record. You may want to make sure to put the same thing in
+both places.
+
+serial
+^^^^^^
+
+The serial of the version of the zone's content we are hosting now. This
+value is also found in the zone's SOA record. You may want to make sure
+to put the same thing in both places.
+
+notified\_serial
+^^^^^^^^^^^^^^^^
+
+The latest serial for which we have sent ``NOTIFY`` packets. Updated by
+PowerDNS.
+
+The Zonemasters and ZoneAlsoNotify Tables
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+These are lists of hosts PowerDNS will interact with for a zone in
+master/slave mode. 'Zonemasters' lists the hosts PowerDNS will attempt
+to pull zone transfers from, and accept 'NOTIFY' packets from.
+'ZoneAlsoNotify' lists hosts PowerDNS will send 'NOTIFY' packets to, in
+addition to any hosts that have NS records.
+
+Host entries can be IPv4 or IPv6 addresses, in string representation. If
+you need to specify a port, use ``192.0.2.4:5300`` notation for IPv4 and
+brackets for IPv6: ``[2001:db8::1234]:5300``.
+
+The Supermasters Table
+~~~~~~~~~~~~~~~~~~~~~~
+
+In superslave mode, PowerDNS can accept 'NOTIFY' packets for zones that
+have not been defined in the zone table yet. PowerDNS will then create
+an entry for the zone and attempt a zone transfer. This table defines
+the list of acceptable sources for supernotifications.
+
+name
+^^^^
+
+An identifying string for this entry. Only used for logging.
+
+ip
+^^
+
+The alleged originating IP address of the notification.
+
+nameserver
+^^^^^^^^^^
+
+The FQDN of an authoritative nameserver.
+
+A supernotification will be accepted if an entry is found such that the
+notification came from 'ip' and 'nameserver' appears in an NS record for
+that zone.
+
+The ZoneMetadata Table
+~~~~~~~~~~~~~~~~~~~~~~
+
+This is a per-zone key-value store for various things PowerDNS needs to
+know that are not part of the zone's content or handled by other tables.
+Depending on your needs, you may not want this to exist as an actual
+table, but simulate this in PL/SQL instead.
+
+The currently defined metadata types are:
+
+'PRESIGNED'
+^^^^^^^^^^^
+
+If set to 1, PowerDNS should assume that DNSSEC signatures for this zone
+exist in the database and use them instead of signing records itself.
+For a slave zone, this will also signal to the master that we want
+DNSSEC records when attempting a zone transfer.
+
+'NSEC3PARAM'
+^^^^^^^^^^^^
+
+The NSEC3 hashing parameters for the zone.
+
+'TSIG-ALLOW-AXFR'
+^^^^^^^^^^^^^^^^^
+
+The value is the name of a TSIG key. A client will be allowed to AXFR
+from us if the request is signed with that key.
+
+'AXFR-MASTER-TSIG'
+^^^^^^^^^^^^^^^^^^
+
+The value is the name of a TSIG key. Outgoing ``NOTIFY`` packets for
+this zone will be signed with that key.
+
+The Tables for Cryptographic Keys
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+We have two of them: 'TSIGKeys' for symmetric TSIG keys, and
+'ZoneDNSKeys' for DNSSEC signing keys.
+
+The Records Table
+~~~~~~~~~~~~~~~~~
+
+The actual DNS zone contents are stored here.
+
+zone\_id
+^^^^^^^^
+
+The zone this records belongs to. Normally, this is obvious. When you
+are dealing with zone delegations, you have to insert some records into
+the parent zone of their actual zone. See also ``auth``.
+
+fqdn
+^^^^
+
+The owner name of this record. Again, this is lower case and without a
+trailing dot.
+
+revfqdn
+^^^^^^^
+
+This should be a string that consists of the labels of the owner name,
+in reverse order, with spaces instead of dots separating them, for
+example:
+
+::
+
+ 'www.example.com' => 'com example www'
+
+This is used as a quick and dirty way to get canonical zone ordering.
+You can chose a more correct and much more complicated implementation
+instead if you prefer. In the reference schema, this is automatically
+set by a trigger.
+
+fqdnhash
+^^^^^^^^
+
+The NSEC3 hash of the owner name. The reference schema provides code and
+a trigger to calculate this, but they are not production quality. The
+recommendation is to load the dnsjava classes into your database and use
+their facilities for dealing with DNS names and NSEC3 hashes.
+
+ttl
+^^^
+
+The TTL for the record set. This should be the same for all members of a
+record set, but PowerDNS will quietly use the minimum if it encounters
+different values.
+
+type
+^^^^
+
+The type of the record, as a canonical identification string, e.g.
+'AAAA' or 'MX'. You can set this and 'content' NULL to indicate a name
+that exists, but doesn't carry any record (a so called empty
+non-terminal) for NSEC/NSEC3 ordering purposes.
+
+content
+^^^^^^^
+
+The data part of the DNS record, in canonical string representation,
+except that if this includes FQDNs, they should be specified without a
+trailing dot.
+
+last\_change
+^^^^^^^^^^^^
+
+The unix timestamp of the last change to this record. Used only for the
+deprecated autoserial feature. You can omit this unless you want to use
+that feature.
+
+auth
+^^^^
+
+0 or 1 depending on whether this record is an authoritative member of
+the zone specified in ``zone_id``. These are the rules for determining
+that: A record is an authoritative member of the zone its owner name
+belongs to, except for DS records, which are authoritative members of
+the parent zone. Delegation records, that is, NS records and related
+A/AAAA glue records, are additionally non-authoritative members of the
+parent zone.
+
+PowerDNS has a function to automatically set this. OracleBackend doesn't
+support that. Do it in the database.
+
+The SQL Statements
+~~~~~~~~~~~~~~~~~~
+
+Fetching DNS records
+^^^^^^^^^^^^^^^^^^^^
+
+There are five queries to do this. They all share the same set of return
+columns:
+
+- fqdn: The owner name of the record.
+- ttl: The TTL of the record set.
+- type: The type of the record.
+- content: The content of the record.
+- zone\_id: The numerical identifier of the zone the record belongs to.
+ A record can belong to two zones (delegations/glue), in which case it
+ may be returned twice.
+- last\_change: The unix timestamp of the last time this record was
+ changed. Can safely be set as a constant 0, unless you use the
+ autoserial feature.
+- auth: 1 or 0 depending on the zone membership (authoritative or not).
+
+Record sets (records for the same name of the same type) must appear
+consecutively, which means **ORDER BY** clauses are needed in some
+places. Empty non-terminals should be suppressed.
+
+The queries differ in which columns are restricted by 'WHERE' clauses:
+
+oracle-basic-query
+''''''''''''''''''
+
+Looking for records based on owner name and type. Default:
+
+::
+
+ SELECT fqdn, ttl, type, content, zone_id, last_change, auth
+ FROM Records
+ WHERE type = :type AND fqdn = lower(:name)
+
+oracle-basic-id-query
+'''''''''''''''''''''
+
+Looking for records from one zone based on owner name and type. Default:
+
+::
+
+ SELECT fqdn, ttl, type, content, zone_id, last_change, auth
+ FROM Records
+ WHERE type = :type AND fqdn = lower(:name) AND zone_id = :zoneid
+
+oracle-any-query
+''''''''''''''''
+
+Looking for records based on owner name. Default:
+
+::
+
+ SELECT fqdn, ttl, type, content, zone_id, last_change, auth
+ FROM Records
+ WHERE fqdn = lower(:name)
+ AND type IS NOT NULL
+ ORDER BY type
+
+oracle-any-id-query
+'''''''''''''''''''
+
+Looking for records from one zone based on owner name. Default:
+
+::
+
+ SELECT fqdn, ttl, type, content, zone_id, last_change, auth
+ FROM Records
+ WHERE fqdn = lower(:name)
+ AND zone_id = :zoneid
+ AND type IS NOT NULL
+ ORDER BY type
+
+oracle-list-query
+'''''''''''''''''
+
+Looking for all records from one zone. Default:
+
+::
+
+ SELECT fqdn, ttl, type, content, zone_id, last_change, auth
+ FROM Records
+ WHERE zone_id = :zoneid
+ AND type IS NOT NULL
+ ORDER BY fqdn, type
+
+Zone Metadata and TSIG
+^^^^^^^^^^^^^^^^^^^^^^
+
+oracle-get-zone-metadata-query
+''''''''''''''''''''''''''''''
+
+Fetch the content of the metadata entries of type ':kind' for the zone
+called ':name', in their original order. Default:
+
+::
+
+ SELECT md.meta_content
+ FROM Zones z JOIN ZoneMetadata md ON z.id = md.zone_id
+ WHERE z.name = lower(:name) AND md.meta_type = :kind
+ ORDER BY md.meta_ind
+
+oracle-del-zone-metadata-query
+''''''''''''''''''''''''''''''
+
+Delete all metadata entries of type ':kind' for the zone called ':name'.
+You can skip this if you do not plan to manage zones with the
+``pdnsutil`` tool. Default:
+
+::
+
+ DELETE FROM ZoneMetadata md
+ WHERE zone_id = (SELECT id FROM Zones z WHERE z.name = lower(:name))
+ AND md.meta_type = :kind
+
+oracle-set-zone-metadata-query
+''''''''''''''''''''''''''''''
+
+Create a metadata entry. You can skip this if you do not plan to manage
+zones with the ``pdnsutil`` tool. Default:
+
+::
+
+ INSERT INTO ZoneMetadata (zone_id, meta_type, meta_ind, meta_content)
+ VALUES (
+ (SELECT id FROM Zones WHERE name = lower(:name)),
+ :kind, :i, :content
+ )
+
+oracle-get-tsig-key-query
+'''''''''''''''''''''''''
+
+Retrieved the TSIG key specified by ':name'. Default:
+
+::
+
+ SELECT algorithm, secret
+ FROM TSIGKeys
+ WHERE name = :name
+
+DNSSEC
+^^^^^^
+
+oracle-get-zone-keys-query
+''''''''''''''''''''''''''
+
+Retrieve the DNSSEC signing keys for a zone. Default:
+
+::
+
+ SELECT k.id, k.flags, k.active, k.keydata
+ FROM ZoneDNSKeys k JOIN Zones z ON z.id = k.zone_id
+ WHERE z.name = lower(:name)
+
+oracle-del-zone-key-query
+'''''''''''''''''''''''''
+
+Delete a DNSSEC signing key. You can skip this if you do not plan to
+manage zones with the ``pdnsutil`` tool. Default:
+
+::
+
+ DELETE FROM ZoneDNSKeys WHERE id = :keyid
+
+oracle-add-zone-key-query
+'''''''''''''''''''''''''
+
+Add a DNSSEC signing key. You can skip this if you do not plan to manage
+zones with the ``pdnsutil`` tool. Default:
+
+::
+
+ INSERT INTO ZoneDNSKeys (id, zone_id, flags, active, keydata) "
+ VALUES (
+ zonednskeys_id_seq.NEXTVAL,
+ (SELECT id FROM Zones WHERE name = lower(:name)),
+ :flags,
+ :active,
+ :content
+ ) RETURNING id INTO :keyid
+
+oracle-set-zone-key-state-query
+'''''''''''''''''''''''''''''''
+
+Enable or disable a DNSSEC signing key. You can skip this if you do not
+plan to manage zones with the **pdnsutil** tool. Default:
+
+::
+
+ UPDATE ZoneDNSKeys SET active = :active WHERE id = :keyid
+
+oracle-prev-next-name-query
+'''''''''''''''''''''''''''
+
+Determine the predecessor and successor of an owner name, in canonical
+zone ordering. See the reference implementation for the quick and dirty
+way, and the RFCs for the full definition of canonical zone ordering.
+
+This statement is a PL/SQL block that writes into two of the bind
+variables, not a query.
+
+Default:
+
+::
+
+ BEGIN
+ get_canonical_prev_next(:zoneid, :name, :prev, :next);
+ END;
+
+oracle-prev-next-hash-query
+'''''''''''''''''''''''''''
+
+Given an NSEC3 hash, this call needs to return its predecessor and
+successor in NSEC3 zone ordering into ``:prev`` and ``:next``, and the
+FQDN of the predecessor into ``:unhashed``. Default:
+
+::
+
+ BEGIN
+ get_hashed_prev_next(:zoneid, :hash, :unhashed, :prev, :next);
+ END;
+
+Incoming AXFR
+^^^^^^^^^^^^^
+
+oracle-zone-info-query
+''''''''''''''''''''''
+
+Get some basic information about the named zone before doing
+master/slave things. Default:
+
+::
+
+ SELECT id, name, type, last_check, serial, notified_serial
+ FROM Zones
+ WHERE name = lower(:name)
+
+oracle-delete-zone-query
+''''''''''''''''''''''''
+
+Delete all records for a zone in preparation for an incoming zone
+transfer. This happens inside a transaction, so if the transfer fails,
+the old zone content will still be there. Default:
+
+::
+
+ DELETE FROM Records WHERE zone_id = :zoneid
+
+oracle-insert-record-query
+''''''''''''''''''''''''''
+
+Insert a record into the zone during an incoming zone transfer. This
+happens inside the same transaction as delete-zone, so we will not end
+up with a partially transferred zone. Default:
+
+::
+
+ INSERT INTO Records (id, fqdn, zone_id, ttl, type, content)
+ VALUES (records_id_seq.NEXTVAL, lower(:name), :zoneid, :ttl, :type, :content)
+
+oracle-finalize-axfr-query
+''''''''''''''''''''''''''
+
+A block of PL/SQL to be executed after a zone transfer has successfully
+completed, but before committing the transaction. A good place to locate
+empty non-terminals, set the ``auth`` bit and NSEC3 hashes, and
+generally do any post-processing your schema requires. The do-nothing
+default:
+
+::
+
+ DECLARE
+ zone_id INTEGER := :zoneid;
+ BEGIN
+ NULL;
+ END;
+
+Master/Slave Stuff
+^^^^^^^^^^^^^^^^^^
+
+oracle-unfresh-zones-query
+''''''''''''''''''''''''''
+
+Return a list of zones that need to be checked and their master servers.
+Return multiple rows, identical except for the master address, for zones
+with more than one master. Default:
+
+::
+
+ SELECT z.id, z.name, z.last_check, z.serial, zm.master
+ FROM Zones z JOIN Zonemasters zm ON z.id = zm.zone_id
+ WHERE z.type = 'SLAVE'
+ AND (z.last_check IS NULL OR z.last_check + z.refresh < :ts)
+ ORDER BY z.id
+
+oracle-zone-set-last-check-query
+''''''''''''''''''''''''''''''''
+
+Set the last check timestamp after a successful check. Default:
+
+::
+
+ UPDATE Zones SET last_check = :lastcheck WHERE id = :zoneid
+
+oracle-updated-masters-query
+''''''''''''''''''''''''''''
+
+Return a list of zones that need to have ``NOTIFY`` packets sent out.
+Default:
+
+::
+
+ SELECT id, name, serial, notified_serial
+ FROM Zones
+ WHERE type = 'MASTER'
+ AND (notified_serial IS NULL OR notified_serial < serial)
+
+oracle-zone-set-notified-serial-query
+'''''''''''''''''''''''''''''''''''''
+
+Set the last notified serial after packets have been sent. Default:
+
+::
+
+ UPDATE Zones SET notified_serial = :serial WHERE id = :zoneid
+
+oracle-also-notify-query
+''''''''''''''''''''''''
+
+Return a list of hosts that should be notified, in addition to any
+nameservers in the NS records, when sending ``NOTIFY`` packets for the
+named zone. Default:
+
+::
+
+ SELECT an.hostaddr
+ FROM Zones z JOIN ZoneAlsoNotify an ON z.id = an.zone_id
+ WHERE z.name = lower(:name)
+
+oracle-zone-masters-query
+'''''''''''''''''''''''''
+
+Return a list of masters for the zone specified by id. Default:
+
+::
+
+ SELECT master
+ FROM Zonemasters
+ WHERE zone_id = :zoneid
+
+oracle-is-zone-master-query
+'''''''''''''''''''''''''''
+
+Return a row if the specified host is a registered master for the named
+zone. Default:
+
+::
+
+ SELECT zm.master
+ FROM Zones z JOIN Zonemasters zm ON z.id = zm.zone_id
+ WHERE z.name = lower(:name) AND zm.master = :master
+
+Superslave Stuff
+^^^^^^^^^^^^^^^^
+
+oracle-accept-supernotification-query
+'''''''''''''''''''''''''''''''''''''
+
+If a supernotification should be accepted from ':ip', for the master
+nameserver ':ns', return a label for this supermaster. Default:
+
+::
+
+ SELECT name
+ FROM Supermasters
+ WHERE ip = :ip AND nameserver = lower(:ns)
+
+oracle-insert-slave-query
+'''''''''''''''''''''''''
+
+A supernotification has just been accepted, and we need to create an
+entry for the new zone. Default:
+
+::
+
+ INSERT INTO Zones (id, name, type)
+ VALUES (zones_id_seq.NEXTVAL, lower(:zone), 'SLAVE')
+ RETURNING id INTO :zoneid
+
+oracle-insert-master-query
+''''''''''''''''''''''''''
+
+We need to register the first master server for the newly created zone.
+Default:
+
+::
+
+ INSERT INTO Zonemasters (zone_id, master)
+ VALUES (:zoneid, :ip)
--- /dev/null
+Pipe Backend
+============
+
+* Native: Yes
+* Master: No
+* Slave: No
+* Superslave: No
+* Autoserial: No
+* Case: Depends
+* DNSSEC: Partial, no delegation, no key storage
+* Disabled data: No
+* Comments: No
+* Module name: pipe
+* Launch name: ``pipe``
+
+The PipeBackend allows for easy dynamic resolution based on a
+'Coprocess' which can be written in any programming language that can
+read a question on standard input and answer on standard output.
+
+The PipeBackend is primarily meant for allowing rapid development of new
+backends without tight integration with PowerDNS. It allows end-users to
+write PowerDNS backends in any language, a perl sample is provided. The
+PipeBackend is also very well suited for dynamic resolution of queries.
+Example applications include DNS based load balancing, geo-direction,
+DNS-based failover with low TTLs.
+
+.. note::
+ The :doc:`Remote Backend <remote>` offers a superset of the functionality of the PipeBackend.
+
+.. note::
+ Please do read the :doc:`Backend Writer's guide <../appendices/backend-writers-guide>` carefully. The
+ PipeBackend, like all other backends, must not do any DNS thinking, but
+ answer all questions (INCLUDING THE ANY QUESTION) faithfully.
+ Specifically, the queries that the PipeBackend receives will not
+ correspond to the queries that arrived over DNS. So, a query for an AAAA
+ record may turn into a backend query for an ANY record. There is nothing
+ that can or should be done about this.
+
+Configuration Parameters
+------------------------
+
+.. _setting-pipe-abi-version:
+
+``pipe-abi-version``
+^^^^^^^^^^^^^^^^^^^^
+
+- Integer
+- Default: 1
+
+This is the version of the question format that is sent to the
+co-process (:ref:`setting-pipe-command`) for the pipe backend.
+
+If not set the default :ref:`setting-pipe-abi-version` is 1. When set to 2, the
+local-ip-address field is added after the remote-ip-address, the
+local-ip-address refers to the IP address the question was received on.
+When set to 3, the real remote IP/subnet is added based on edns-subnet
+support (this also requires enabling :ref:`setting-edns-subnet-processing`).
+When set to 4 it sends zone name in AXFR request. See also :ref:`PipeBackend Protocol <pipebackend-protocol>` below.
+
+.. _setting-pipe-command:
+
+``pipe-command``
+^^^^^^^^^^^^^^^^
+
+- String
+- Mandatory
+
+Command to launch as backend or the path to a unix domain socket file.
+The socket should already be open and listening before PowerDNS starts.
+
+.. _setting-pipe-timeout:
+
+``pipe-timeout``
+^^^^^^^^^^^^^^^^
+
+- Integer
+- Default: 2000
+
+Number of milliseconds to wait for an answer from the backend. If this
+time is ever exceeded, the backend is declared dead and a new process is
+spawned.
+
+.. _setting-pipe-regex:
+
+``pipe-regex``
+^^^^^^^^^^^^^^
+
+- String (a regular expression)
+
+If set, only questions matching this regular expression are even sent to
+the backend. This makes sure that most of PowerDNS does not slow down if
+you deploy a slow backend. A query for 'www.powerdns.com' would be
+presented to the regex as 'www.powerdns.com', a matching regex would be
+``^www\.powerdns\.com$``. **Note**: to match the root domain, use a dot,
+e.g. ``^\.$``
+
+.. _pipebackend-protocol:
+
+PipeBackend protocol
+--------------------
+
+Questions come in over a file descriptor, by default standard input.
+Answers are sent out over another file descriptor, standard output by
+default. Questions and answers are terminated by single newline (``\n``)
+characters. Fields in lines must be separated by tab (``\t``)
+characters.
+
+Handshake
+^^^^^^^^^
+
+PowerDNS sends out ``HELO\t1``, indicating that it wants to speak the
+protocol as defined in this document, version 1. For abi-version 2 or 3,
+PowerDNS sends ``HELO\t2`` or ``HELO\t3``. A PowerDNS Coprocess must
+then send out a banner, prefixed by ``OK\t``, indicating it launched
+successfully. If it does not support the indicated version, it should
+respond with ``FAIL``, but not exit. Suggested behaviour is to try and
+read a further line, and wait to be terminated.
+
+.. note::
+ Fields are separated by a tab (``\t``) character,
+ even though they are displayed with spaces in this document.
+
+``Q``: Regular queries for data
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The question format, for type Q questions.
+
+pipe-abi-version = 1 [default]
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+::
+
+ Q qname qclass qtype id remote-ip-address
+
+pipe-abi-version = 2
+~~~~~~~~~~~~~~~~~~~~
+
+::
+
+ Q qname qclass qtype id remote-ip-address local-ip-address
+
+pipe-abi-version = 3
+~~~~~~~~~~~~~~~~~~~~
+
+::
+
+ Q qname qclass qtype id remote-ip-address local-ip-address edns-subnet-address
+
+Fields are tab separated, and terminated with a single ``\n``. The
+``remote-ip-address`` is the IP address of the nameserver asking the
+question, the ``local-ip-address`` is the IP address on which the
+question was received.
+
+Type is the tag above, ``qname`` is the domain the question is about.
+``qclass`` is always 'IN' currently, denoting an INternet question.
+``qtype`` is the kind of information desired, the record type, like A,
+CNAME or AAAA. ``id`` can be specified to help your backend find an
+answer if the ``id`` is already known from an earlier query. You can
+ignore it unless you want to support ``AXFR``.
+
+``edns-subnet-address`` is the actual client subnet as provided via
+edns-subnet support. Note that for the SOA query that precedes an AXFR,
+edns-subnet is always set to 0.0.0.0/0.
+
+**Note**: Queries for wildcard names should be answered literally,
+without expansion. So, if a backend gets a question for
+"\*.powerdns.com", it should only answer with data if there is an actual
+"\*.powerdns.com" name.
+
+**Note**: In some (broken) network setups, the ``remote-ip-address``
+and/or ``local-ip-address``, when it is an IPv6 address, may be suffixed
+with a ``%`` and the name of the network interface (e.g. ``%eth1``).
+Keep this in mind when checking the IP addresses.
+
+``AXFR``: List an entire zone
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+AXFR-queries look like this:
+
+::
+
+ AXFR id zone-name
+
+The ``id`` is gathered from the answer to a SOA query. ``zone-name`` is
+given in ABI version 4.
+
+Answers
+^^^^^^^
+
+Each answer starts with a tag, possibly followed by a TAB and more data.
+
+- ``DATA``: Indicating a successful line of DATA.
+- ``END``: Indicating the end of an answer - no further data.
+- ``FAIL``: Indicating a lookup failure. Also serves as 'END'. No
+ further data.
+- ``LOG``: For specifying things that should be logged. Can only be
+ sent after a query and before an END line. After the tab, the message
+ to be logged.
+
+ABI version 1 and 2
+~~~~~~~~~~~~~~~~~~~
+
+So, letting it be known that there is no data consists of sending 'END'
+without anything else. The answer format (for abi-version 1 and 2):
+
+::
+
+ DATA qname qclass qtype ttl id content
+
+Again, all fields are tab-separated.
+
+``content`` is as specified in :doc:`../appendices/types`. For MX and SRV,
+content consists of the priority, followed by a tab, followed by the
+actual content.
+
+A sample dialogue may look like this (note that in reality, almost all
+queries will actually be for the ANY qtype):
+
+::
+
+ Q www.example.org IN CNAME -1 203.0.113.210
+ DATA www.example.org IN CNAME 3600 1 ws1.example.org
+ END
+ Q ws1.example.org IN CNAME -1 203.0.113.210
+ END
+ Q wd1.example.org IN A -1 203.0.113.210
+ DATA ws1.example.org IN A 3600 1 192.0.2.4
+ DATA ws1.example.org IN A 3600 1 192.0.2.5
+ DATA ws1.example.org IN A 3600 1 192.0.2.6
+ END
+
+This would correspond to a remote webserver 203.0.113.210 wanting to
+resolve the IP address of www.example.org, and PowerDNS traversing the
+CNAMEs to find the IP addresses of ws1.example.org. Another dialogue
+might be:
+
+::
+
+ Q example.org IN SOA -1 203.0.113.210
+ DATA example.org IN SOA 86400 1 ahu.example.org ...
+ END
+ AXFR 1
+ DATA example.org IN SOA 86400 1 ahu.example.org ...
+ DATA example.org IN NS 86400 1 ns1.example.org
+ DATA example.org IN NS 86400 1 ns2.example.org
+ DATA ns1.example.org IN A 86400 1 203.0.113.210
+ DATA ns2.example.org IN A 86400 1 63.123.33.135
+ .
+ .
+ END
+
+This is a typical zone transfer.
+
+ABI version 3 and higher
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+For abi-version 3, DATA-responses get two extra fields:
+
+::
+
+ DATA scopebits auth qname qclass qtype ttl id content
+
+``scopebits`` indicates how many bits from the subnet provided in the
+question (originally from edns-subnet) were used in determining this
+answer. This can aid caching (although PowerDNS does not currently use
+this value).
+
+The ``auth`` field indicates whether this response is authoritative,
+this is for DNSSEC. The ``auth`` field should be set to '1' for data for
+which the zone itself is authoritative, which includes the SOA record
+and its own NS records. The ``auth`` field should be 0 for NS records
+which are used for delegation, and also for any glue (A, AAAA) records
+present for this purpose. Do note that the DS record for a secure
+delegation should be authoritative!
+
+For abi-versions 1 and 2, the two new fields fall back to default
+values. The default value for scopebits is 0. The default for auth is 1
+(meaning authoritative).
+
+Direct backend commands
+^^^^^^^^^^^^^^^^^^^^^^^
+
+With abi-version 5 you can use :doc:`backend-cmd <../dnssec/pdnsutil>` for
+executing commands on your backend. PowerDNS will use the following
+query/answer format:
+
+::
+
+ CMD Whatever you wrote
+ Answer goes here
+ And can be multiple lines
+ until we see
+ END
+
+Sample backends
+---------------
+
+ABI version 1
+^^^^^^^^^^^^^
+
+.. literalinclude:: ../../modules/pipebackend/backend.pl
+ :language: perl
+
+ABI version 3
+^^^^^^^^^^^^^
+
+.. literalinclude:: ../../modules/pipebackend/backend-v3.pl
+ :language: perl
+
+ABI version 5
+^^^^^^^^^^^^^
+
+.. literalinclude:: ../../modules/pipebackend/backend-v5.pl
+ :language: perl
--- /dev/null
+Random Backend
+==============
+
+- Native: Yes
+- Master: No
+- Slave: No
+- Superslave: No
+- Autoserial: No
+- Case: Depends
+- DNSSEC: Yes, no key storage
+- Disabled data: No
+- Comments: No
+- Module name: built in
+- Launch: ``random``
+
+This is a very silly backend which is discussed in the :doc:`Backends
+writer's guide <../appendices/backend-writers-guide>`.
+as a demonstration on how to write a PowerDNS backend.
+
+This backend knows about only one hostname, and only about its IP
+address at that. With every query, a new random IP address is generated.
+
+It only makes sense to load the random backend in combination with a
+regular backend. This can be done by prepending it to the
+:ref:`setting-launch` instruction, such as
+``launch=random,gmysql``.
+
+Configuration Parameters
+------------------------
+
+.. _setting-random-hostname:
+
+``random-hostname``
+~~~~~~~~~~~~~~~~~~~
+
+- String
+
+Hostname for which to supply a random IP address.
--- /dev/null
+Remote Backend
+==============
+
+* Native: Yes
+* Master: Yes\*
+* Slave: Yes\*
+* Superslave: Yes\*
+* Autoserial: Yes\*
+* DNSSEC: Yes\*
+* Multiple instances: Yes
+
+\* If provided by the responder (your script).
+
+This backend provides Unix socket, Pipe, HTTP and ZeroMQ remoting for
+powerdns. You should think this as normal RPC thin client, which
+converts native C++ calls into JSON/RPC and passes them to you via
+connector.
+
+Important notices
+-----------------
+
+Please do not use remotebackend shipped before version 3.3. This version
+has severe bug that can crash the entire process.
+
+There is a breaking change on v4.0 and later. Before version 4.0, the
+DNS names passed in queries were without trailing dot, after version 4.0
+the DNS names are sent with trailing dot. F.ex. example.org is now sent
+as example.org.
+
+In some (broken) network setups, the IP addresses provided in the
+request (when this is an IPv6 address) may be suffixed with a ``%`` and
+the name of the network interface (e.g. ``%eth1``). Keep this in mind
+when checking the IP addresses.
+
+Compiling
+---------
+
+To compile this backend, you need to configure
+``--with-modules="remote"``.
+
+For versions prior to 3.4.0, if you want to use http connector, you need
+libcurl and use ``--enable-remotebackend-http``.
+
+If you want to use ZeroMQ connector, you need libzmq-dev or libzmq3-dev
+and use ``--enable-remotebackend-zeromq``.
+
+Usage
+-----
+
+The only configuration options for backend are remote-connection-string
+and remote-dnssec.
+
+::
+
+ remote-connection-string=<type>:<param>=<value>,<param>=<value>...
+
+You can pass as many parameters as you want. For unix and pipe
+connectors, these are passed along to the remote end as initialization.
+See :ref:`remote-api`. Initialize is not called for http connector.
+
+Unix connector
+^^^^^^^^^^^^^^
+
+parameters: path, timeout (default 2000ms)
+
+::
+
+ remote-connection-string=unix:path=/path/to/socket
+
+Pipe connector
+^^^^^^^^^^^^^^
+
+parameters: command,timeout (default 2000ms)
+
+::
+
+ remote-connection-string=pipe:command=/path/to/executable,timeout=2000
+
+HTTP connector
+^^^^^^^^^^^^^^
+
+parameters: url, url-suffix, post, post_json, timeout (default 2000ms)
+
+::
+
+ remote-connection-string=http:url=http://localhost:63636/dns,url-suffix=.php
+
+HTTP connector tries to do RESTful requests to your server. See
+examples. You can also use post to change behaviour so that it will send
+POST request to url/method + url_suffix with
+parameters=json-formatted-parameters. If you use post and post_json, it
+will POST url with text/javascript containing JSON formatted RPC
+request, just like for pipe and unix. You can use '1', 'yes', 'on' or
+'true' to turn these features on.
+
+URL should not end with /, and url-suffix is optional, but if you define
+it, it's up to you to write the ".php" or ".json". Lack of dot causes
+lack of dot in URL. Timeout is divided by 1000 because libcurl only
+supports seconds, but this is given in milliseconds for consistency with
+other connectors.
+
+HTTPS is not supported, `stunnel <https://www.stunnel.org>`__ is the
+suggested workaround. HTTP Authentication is not supported.
+
+ZeroMQ connector
+^^^^^^^^^^^^^^^^
+
+parameters: endpoint, timeout (default 2000ms)
+
+::
+
+ remote-connection-string=zeromq:endpoint=ipc:///tmp/tmp.sock
+
+0MQ connector implements a REQ/REP RPC model. Please see
+http://zeromq.org/ for more information.
+
+.. _remote-api:
+
+API
+---
+
+Queries
+^^^^^^^
+
+Unix, Pipe and ZeroMQ connectors send JSON formatted strings to the
+remote end. Each JSON query has two sections, 'method' and 'parameters'.
+
+HTTP connector calls methods based on URL and has parameters in the
+query string. Most calls are GET; see the methods listing for details.
+You can change this with post and post_json attributes.
+
+Replies
+^^^^^^^
+
+You **must** always reply with JSON hash with at least one key,
+'result'. This must be boolean false if the query failed. Otherwise it
+must conform to the expected result. For HTTP connector, to signal bare
+success, you can just reply with HTTP 200 OK, and omit any output. This
+will result in same outcome as sending {"result":true}.
+
+You can optionally add an array of strings to the 'log' array; each line
+in this array will be logged in PowerDNS at loglevel ``info`` (6).
+
+Methods
+^^^^^^^
+
+``initialize``
+~~~~~~~~~~~~~~
+
+Called to initialize the backend. This is not called for HTTP connector.
+You should do your initializations here.
+
+- Mandatory: Yes (except HTTP connector)
+- Parameters: all parameters in connection string
+- Reply: true on success / false on failure
+
+Example JSON/RPC
+~~~~~~~~~~~~~~~~
+
+Query:
+
+::
+
+ {"method":"initialize", "parameters":{"command":"/path/to/something", "timeout":"2000", "something":"else"}}
+
+Response:
+
+::
+
+ {"result":true}
+
+.. _remote-lookup:
+
+``lookup``
+~~~~~~~~~~
+
+This method is used to do the basic query. You can omit auth, but if you
+are using DNSSEC this can lead into trouble.
+
+- Mandatory: Yes
+- Parameters: qtype, qname, zone_id
+- Optional parameters: remote, local, real-remote
+- Reply: array of ``qtype,qname,content,ttl,domain_id,scopeMask,auth``
+- Optional values: domain_id, scopeMask and auth
+- Note: priority field is required before 4.0, after 4.0 priority is
+ added to content. This applies to any resource record which uses
+ priority, for example SRV or MX.
+
+Example JSON/RPC
+''''''''''''''''
+
+Query:
+
+::
+
+ {"method":"lookup", "parameters":{"qtype":"ANY", "qname":"www.example.com.", "remote":"192.0.2.24", "local":"192.0.2.1", "real-remote":"192.0.2.24", "zone-id":-1}}
+
+Response:
+
+::
+
+ {"result":[{"qtype":"A", "qname":"www.example.com", "content":"203.0.113.2", "ttl": 60}]}
+
+Example HTTP/RPC
+''''''''''''''''
+
+Query:
+
+.. code-block:: http
+
+ GET /dnsapi/lookup/www.example.com./ANY HTTP/1.1
+ X-RemoteBackend-remote: 192.0.2.24
+ X-RemoteBackend-local: 192.0.2.1
+ X-RemoteBackend-real-remote: 192.0.2.24
+ X-RemoteBackend-zone-id: -1
+
+Response:
+
+.. code-block:: http
+
+ HTTP/1.1 200 OK
+ Content-Type: text/javascript; charset=utf-8
+
+ {"result":[{"qtype":"A", "qname":"www.example.com", "content":"203.0.113.2", "ttl": 60}]}
+
+``list``
+~~~~~~~~
+
+Lists all records for the zonename. If you are running dnssec, you
+should take care of setting auth to appropriate value, otherwise things
+can go wrong.
+
+- Mandatory: No (Gives AXFR support)
+- Parameters: zonename, domain_id
+- Optional parameters: domain_id
+- Reply: array of ``qtype,qname,content,ttl,domain_id,scopeMask,auth``
+- Optional values: domain_id, scopeMask and auth
+
+Example JSON/RPC
+''''''''''''''''
+
+Query:
+
+::
+
+ {"method":"list", "parameters":{"zonename":"example.com.","domain_id":-1}}
+
+Response (split into lines for ease of reading)
+
+::
+
+ {"result":[
+ {"qtype":"SOA", "qname":"example.com", "content":"dns1.icann.org. hostmaster.icann.org. 2012081600 7200 3600 1209600 3600", "ttl": 3600},
+ {"qtype":"NS", "qname":"example.com", "content":"ns1.example.com", "ttl": 60},
+ {"qtype":"MX", "qname":"example.com", "content":"10 mx1.example.com.", "ttl": 60},
+ {"qtype":"A", "qname":"www.example.com", "content":"203.0.113.2", "ttl": 60},
+ {"qtype":"A", "qname":"ns1.example.com", "content":"192.0.2.2", "ttl": 60},
+ {"qtype":"A", "qname":"mx1.example.com", "content":"192.0.2.3", "ttl": 60}
+ ]}
+
+Example HTTP/RPC
+''''''''''''''''
+
+Query:
+
+.. code-block:: http
+
+ GET /dnsapi/list/-1/example.com HTTP/1.1
+ X-RemoteBackend-domain-id: -1
+
+Response:
+
+.. code-block:: http
+
+ HTTP/1.1 200 OK
+ Content-Type: text/javascript; charset=utf-8
+
+ {"result":[{"qtype":"SOA", "qname":"example.com", "content":"dns1.icann.org. hostmaster.icann.org. 2012081600 7200 3600 1209600 3600", "ttl": 3600},{"qtype":"NS", "qname":"example.com", "content":"ns1.example.com", "ttl": 60},{"qtype":"MX", "qname":"example.com", "content":"10 mx1.example.com.", "ttl": 60},{"qtype":"A", "qname":"www.example.com", "content":"203.0.113.2", "ttl": 60},{"qtype":"A", "qname":"ns1.example.com", "content":"192.0.2.2", "ttl": 60},{"qtype":"A", "qname":"mx1.example.com", "content":"192.0.2.3", "ttl": 60}]}
+
+``getBeforeAndAfterNamesAbsolute``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Asks the names before and after qname. qname is given without dots or
+domain part. The query will be hashed when using NSEC3. Care must be
+taken to handle wrap-around when qname is first or last in the ordered
+list. Do not return nil for either one.
+
+- Mandatory: for NSEC/NSEC3 non-narrow
+- Parameters: id, qname
+- Reply: before, after
+
+Example JSON/RPC
+''''''''''''''''
+
+Query:
+
+::
+
+ {"method":"getbeforeandafternamesabsolute", "params":{"id":0,"qname":"www.example.com"}}
+
+Response:
+
+::
+
+ {”result":{"before":"ns1","after":""}}
+
+Example HTTP/RPC
+''''''''''''''''
+
+Query:
+
+::
+
+ /dnsapi/getbeforeandafternamesabsolute/0/www.example.com
+
+Response:
+
+::
+
+ {”result":{"before":"ns1","after":""}}
+
+``getAllDomainMetadata``
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+Returns the value(s) for variable kind for zone name. You **must**
+always return something, if there are no values, you shall return empty
+set or false.
+
+ * Mandatory: No
+ * Parameters: name
+ * Reply: hash of key to array of strings
+
+Example JSON/RPC
+''''''''''''''''
+
+Query:
+
+::
+
+ {"method":"getalldomainmetadata", "parameters":{"name":"example.com"}}
+
+Response:
+
+::
+
+ {"result":{"PRESIGNED":["0"]}}
+
+Example HTTP/RPC
+''''''''''''''''
+
+Query:
+
+.. code-block:: http
+
+ GET /dnsapi/getalldomainmetadata/example.com HTTP/1.1
+
+Response:
+
+.. code-block:: http
+
+ HTTP/1.1 200 OK
+ Content-Type: text/javascript; charset=utf-8
+
+ {"result":{"PRESIGNED":["0"]}}
+
+``getDomainMetadata``
+~~~~~~~~~~~~~~~~~~~~~
+
+Returns the value(s) for variable kind for zone name. Most commonly it's
+one of NSEC3PARAM, PRESIGNED, SOA-EDIT. Can be others, too. You **must**
+always return something, if there are no values, you shall return empty
+array or false.
+
+- Mandatory: No
+- Parameters: name, kind
+- Reply: array of strings
+
+Example JSON/RPC
+''''''''''''''''
+
+Query:
+
+::
+
+ {"method":"getdomainmetadata", "parameters":{"name":"example.com.","kind":"PRESIGNED"}}
+
+Response:
+
+::
+
+ {"result":["0"]}
+
+Example HTTP/RPC
+''''''''''''''''
+
+Query:
+
+.. code-block:: http
+
+ GET /dnsapi/getdomainmetadata/example.com./PRESIGNED HTTP/1.1
+
+Response:
+
+.. code-block:: http
+
+ HTTP/1.1 200 OK
+ Content-Type: text/javascript; charset=utf-8
+
+ {"result":["0"]}
+
+``setDomainMetadata``
+~~~~~~~~~~~~~~~~~~~~~
+
+Replaces the value(s) on domain name for variable kind to string(s) on
+array value. The old value is discarded. Value can be an empty array,
+which can be interpreted as deletion request.
+
+- Mandatory: No
+- Parameters: name, kind, value
+- Reply: true on success, false on failure
+
+Example JSON/RPC
+''''''''''''''''
+
+Query:
+
+::
+
+ {"method":"setdomainmetadata","parameters":{"name":"example.com","kind":"PRESIGNED","value":["YES"]}}
+
+Response:
+
+::
+
+ {"result":true}
+
+Example HTTP/RPC
+''''''''''''''''
+
+Query:
+
+.. code-block:: http
+
+ PATCH /dnsapi/setdomainmetadata/example.com/PRESIGNED HTTP/1.1
+ Content-Type: application/x-www-form-urlencoded
+ Content-Length: 12
+
+ value[]=YES&
+
+Response:
+
+.. code-block:: http
+
+ HTTP/1.1 200 OK
+ Content-Type: text/javascript; charset=utf-8
+
+ {"result":true}
+
+.. _remote-getdomainkeys:
+
+``getDomainKeys``
+~~~~~~~~~~~~~~~~~
+
+Retrieves any keys of kind. The id, flags are unsigned integers, and
+active is boolean. Content must be valid key record in format that
+PowerDNS understands. You are encouraged to implement :ref:`the section
+called "addDomainKey" <remote-adddomainkey>`, as you can use
+:doc:`../manpages/pdnsutil.1` to provision keys.
+
+- Mandatory: for DNSSEC
+- Parameters: name, kind
+- Reply: array of ``id, flags, active, content``
+
+Example JSON/RPC
+''''''''''''''''
+
+Query:
+
+::
+
+ {"method":"getdomainkeys","parameters":{"name":"example.com."}}
+
+Response:
+
+::
+
+ {"result":[{"id":1,"flags":256,"active":true,"content":"Private-key-format: v1.2
+ Algorithm: 8 (RSASHA256)
+ Modulus: r+vmQll38ndQqNSCx9eqRBUbSOLcH4PZFX824sGhY2NSQChqt1G4ZfndzRwgjXMUwiE7GkkqU2Vbt/g4iP67V/+MYecMV9YHkCRnEzb47nBXvs9JCf8AHMCnma567GQjPECh4HevPE9wmcOfpy/u7UN1oHKSKRWuZJadUwcjbp8=
+ PublicExponent: AQAB
+ PrivateExponent: CYC93UtVnOM6wrFJZ+qA9+Yx+p5yk0CSi0Q7c+/6EVMuABQ5gNyTuu0j65lU3X81bwUk2wHPx6smfgoVDRAW5jjO4jgIFV6nE4inzk5YQKycQSL8YG3Nm9GciLFya1KUXs81sHsQpkvK7MNaSbvkaHZQ6iv16bZ4t73Wascwa/E=
+ Prime1: 6a165cIC0nNsGlTW/s2jRu7idq5+U203iE1HzSIddmWgx5KIKE/s3I+pwfmXYRUmq+4H9ASd/Yot1lSYW98szw==
+ Prime2: wLoCPKxxnuxDx6/9IKOYz8t9ZNLY74iCeQ85koqvTctkFmB9jpOUHTU9BhecaFY2euP9CuHV7z3PLtCoO8s1MQ==
+ Exponent1: CuzJaiR/7UboLvL4ekEy+QYCIHpX/Z6FkiHK0ZRevEJUGgCHzRqvgEBXN3Jr2WYbwL4IMShmGoxzSCn8VY9BkQ==
+ Exponent2: LDR9/tyu0vzuLwc20B22FzNdd5rFF2wAQTQ0yF/3Baj5NAi9w84l0u07KgKQZX4g0N8qUyypnU5YDyzc6ZoagQ==
+ Coefficient: 6S0vhIQITWzqfQSLj+wwRzs6qCvJckHb1+SD1XpwYjSgMTEUlZhf96m8WiaE1/fIt4Zl2PC3fF7YIBoFLln22w=="}]}
+
+Example HTTP/RPC
+''''''''''''''''
+
+Query:
+
+.. code-block:: http
+
+ GET /dnsapi/getdomainkeys/example.com/0 HTTP/1.1
+
+Response:
+
+.. code-block:: http
+
+ HTTP/1.1 200 OK
+ Content-Type: text/javascript; charset=utf-8
+
+ {"result":[{"id":1,"flags":256,"active":true,"content":"Private-key-format: v1.2
+ Algorithm: 8 (RSASHA256)
+ Modulus: r+vmQll38ndQqNSCx9eqRBUbSOLcH4PZFX824sGhY2NSQChqt1G4ZfndzRwgjXMUwiE7GkkqU2Vbt/g4iP67V/+MYecMV9YHkCRnEzb47nBXvs9JCf8AHMCnma567GQjPECh4HevPE9wmcOfpy/u7UN1oHKSKRWuZJadUwcjbp8=
+ PublicExponent: AQAB
+ PrivateExponent: CYC93UtVnOM6wrFJZ+qA9+Yx+p5yk0CSi0Q7c+/6EVMuABQ5gNyTuu0j65lU3X81bwUk2wHPx6smfgoVDRAW5jjO4jgIFV6nE4inzk5YQKycQSL8YG3Nm9GciLFya1KUXs81sHsQpkvK7MNaSbvkaHZQ6iv16bZ4t73Wascwa/E=
+ Prime1: 6a165cIC0nNsGlTW/s2jRu7idq5+U203iE1HzSIddmWgx5KIKE/s3I+pwfmXYRUmq+4H9ASd/Yot1lSYW98szw==
+ Prime2: wLoCPKxxnuxDx6/9IKOYz8t9ZNLY74iCeQ85koqvTctkFmB9jpOUHTU9BhecaFY2euP9CuHV7z3PLtCoO8s1MQ==
+ Exponent1: CuzJaiR/7UboLvL4ekEy+QYCIHpX/Z6FkiHK0ZRevEJUGgCHzRqvgEBXN3Jr2WYbwL4IMShmGoxzSCn8VY9BkQ==
+ Exponent2: LDR9/tyu0vzuLwc20B22FzNdd5rFF2wAQTQ0yF/3Baj5NAi9w84l0u07KgKQZX4g0N8qUyypnU5YDyzc6ZoagQ==
+ Coefficient: 6S0vhIQITWzqfQSLj+wwRzs6qCvJckHb1+SD1XpwYjSgMTEUlZhf96m8WiaE1/fIt4Zl2PC3fF7YIBoFLln22w=="}]}
+
+.. _remote-adddomainkey:
+
+``addDomainKey``
+~~~~~~~~~~~~~~~~
+
+Adds key into local storage. See :ref:`remote-getdomainkeys` for more information.
+
+- Mandatory: No
+- Parameters: name, key=\ ``<flags,active,content>``, id
+- Reply: true for success, false for failure
+
+Example JSON/RPC
+''''''''''''''''
+
+Query:
+
+::
+
+ {"method":"adddomainkey", "parameters":{"key":{"id":1,"flags":256,"active":true,"content":"Private-key-format: v1.2
+ Algorithm: 8 (RSASHA256)
+ Modulus: r+vmQll38ndQqNSCx9eqRBUbSOLcH4PZFX824sGhY2NSQChqt1G4ZfndzRwgjXMUwiE7GkkqU2Vbt/g4iP67V/+MYecMV9YHkCRnEzb47nBXvs9JCf8AHMCnma567GQjPECh4HevPE9wmcOfpy/u7UN1oHKSKRWuZJadUwcjbp8=
+ PublicExponent: AQAB
+ PrivateExponent: CYC93UtVnOM6wrFJZ+qA9+Yx+p5yk0CSi0Q7c+/6EVMuABQ5gNyTuu0j65lU3X81bwUk2wHPx6smfgoVDRAW5jjO4jgIFV6nE4inzk5YQKycQSL8YG3Nm9GciLFya1KUXs81sHsQpkvK7MNaSbvkaHZQ6iv16bZ4t73Wascwa/E=
+ Prime1: 6a165cIC0nNsGlTW/s2jRu7idq5+U203iE1HzSIddmWgx5KIKE/s3I+pwfmXYRUmq+4H9ASd/Yot1lSYW98szw==
+ Prime2: wLoCPKxxnuxDx6/9IKOYz8t9ZNLY74iCeQ85koqvTctkFmB9jpOUHTU9BhecaFY2euP9CuHV7z3PLtCoO8s1MQ==
+ Exponent1: CuzJaiR/7UboLvL4ekEy+QYCIHpX/Z6FkiHK0ZRevEJUGgCHzRqvgEBXN3Jr2WYbwL4IMShmGoxzSCn8VY9BkQ==
+ Exponent2: LDR9/tyu0vzuLwc20B22FzNdd5rFF2wAQTQ0yF/3Baj5NAi9w84l0u07KgKQZX4g0N8qUyypnU5YDyzc6ZoagQ==
+ Coefficient: 6S0vhIQITWzqfQSLj+wwRzs6qCvJckHb1+SD1XpwYjSgMTEUlZhf96m8WiaE1/fIt4Zl2PC3fF7YIBoFLln22w=="}}}
+
+Response:
+
+::
+
+ {"result":true}
+
+Example HTTP/RPC
+''''''''''''''''
+
+Query:
+
+.. code-block:: http
+
+ PUT /dnsapi/adddomainkey/example.com HTTP/1.1
+ Content-Type: application/x-www-form-urlencoded
+ Content-Length: 965
+
+ flags=256&active=1&content=Private-key-format: v1.2
+ Algorithm: 8 (RSASHA256)
+ Modulus: r+vmQll38ndQqNSCx9eqRBUbSOLcH4PZFX824sGhY2NSQChqt1G4ZfndzRwgjXMUwiE7GkkqU2Vbt/g4iP67V/+MYecMV9YHkCRnEzb47nBXvs9JCf8AHMCnma567GQjPECh4HevPE9wmcOfpy/u7UN1oHKSKRWuZJadUwcjbp8=
+ PublicExponent: AQAB
+ PrivateExponent: CYC93UtVnOM6wrFJZ+qA9+Yx+p5yk0CSi0Q7c+/6EVMuABQ5gNyTuu0j65lU3X81bwUk2wHPx6smfgoVDRAW5jjO4jgIFV6nE4inzk5YQKycQSL8YG3Nm9GciLFya1KUXs81sHsQpkvK7MNaSbvkaHZQ6iv16bZ4t73Wascwa/E=
+ Prime1: 6a165cIC0nNsGlTW/s2jRu7idq5+U203iE1HzSIddmWgx5KIKE/s3I+pwfmXYRUmq+4H9ASd/Yot1lSYW98szw==
+ Prime2: wLoCPKxxnuxDx6/9IKOYz8t9ZNLY74iCeQ85koqvTctkFmB9jpOUHTU9BhecaFY2euP9CuHV7z3PLtCoO8s1MQ==
+ Exponent1: CuzJaiR/7UboLvL4ekEy+QYCIHpX/Z6FkiHK0ZRevEJUGgCHzRqvgEBXN3Jr2WYbwL4IMShmGoxzSCn8VY9BkQ==
+ Exponent2: LDR9/tyu0vzuLwc20B22FzNdd5rFF2wAQTQ0yF/3Baj5NAi9w84l0u07KgKQZX4g0N8qUyypnU5YDyzc6ZoagQ==
+ Coefficient: 6S0vhIQITWzqfQSLj+wwRzs6qCvJckHb1+SD1XpwYjSgMTEUlZhf96m8WiaE1/fIt4Zl2PC3fF7YIBoFLln22w==
+
+Response:
+
+.. code-block:: http
+
+ HTTP/1.1 200 OK
+ Content-Type: text/javascript; charset=utf-8
+
+ {"result":true}
+
+``removeDomainKey``
+~~~~~~~~~~~~~~~~~~~
+
+Removes key id from domain name.
+
+- Mandatory: No
+- Parameters: name, id
+- Reply: true for success, false for failure
+
+Example JSON/RPC
+''''''''''''''''
+
+Query:
+
+::
+
+ {"method":"removedomainkey","parameters":"{"name":"example.com","id":1}}
+
+Response:
+
+::
+
+ {"result":true}
+
+Example HTTP/RPC
+''''''''''''''''
+
+Query:
+
+.. code-block:: http
+
+ DELETE /dnsapi/removedomainkey/example.com/1 HTTP/1.1
+
+Response:
+
+.. code-block:: http
+
+ HTTP/1.1 200 OK
+ Content-Type: text/javascript; charset=utf-8
+
+ {"result":true}
+
+``activateDomainKey``
+~~~~~~~~~~~~~~~~~~~~~
+
+Activates key id for domain name.
+
+- Mandatory: No
+- Parameters: name, id
+- Reply: true for success, false for failure
+
+Example JSON/RPC
+''''''''''''''''
+
+Query:
+
+::
+
+ {"method":"activatedomainkey","parameters":{"name":"example.com","id":1}}
+
+Response:
+
+::
+
+ {"result":true}
+
+Example HTTP/RPC
+''''''''''''''''
+
+Query:
+
+.. code-block:: http
+
+ POST /dnsapi/activatedomainkey/example.com/1 HTTP/1.1
+
+Response:
+
+.. code-block:: http
+
+ HTTP/1.1 200 OK
+ Content-Type: text/javascript; utf-8
+
+ {"result": true}
+
+``deactivateDomainKey``
+~~~~~~~~~~~~~~~~~~~~~~~
+
+Deactivates key id for domain name.
+
+- Mandatory: No
+- Parameters: name, id
+- Reply: true for success, false for failure
+
+Example JSON/RPC
+''''''''''''''''
+
+Query:
+
+::
+
+ {"method":"deactivatedomainkey","parameters":{"name":"example.com","id":1}}
+
+Response:
+
+::
+
+ {"result": true}
+
+Example HTTP/RPC
+''''''''''''''''
+
+Query:
+
+.. code-block:: http
+
+ POST /dnsapi/deactivatedomainkey/example.com/1 HTTP/1.1
+
+Response:
+
+.. code-block:: http
+
+ HTTP/1.1 200 OK
+ Content-Type: text/javascript; utf-8
+
+ {"result": true}
+
+``getTSIGKey``
+~~~~~~~~~~~~~~
+
+Retrieves the key needed to sign AXFR.
+
+- Mandatory: No
+- Parameters: name
+- Reply: algorithm, content
+
+Example JSON/RPC
+''''''''''''''''
+
+Query:
+
+::
+
+ {"method":"gettsigkey","parameters":{"name":"example.com."}}
+
+Response:
+
+::
+
+ {"result":{"algorithm":"hmac-md5","content:"kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys="}}
+
+Example HTTP/RPC
+''''''''''''''''
+
+Query:
+
+.. code-block:: http
+
+ GET /dnsapi/gettsigkey/example.com. HTTP/1.1
+
+Response:
+
+.. code-block:: http
+
+ HTTP/1.1 200 OK
+ Content-Type: text/javascript; charset=utf-8
+
+ {"result":{"algorithm":"hmac-md5","content":"kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys="}}
+
+``getDomainInfo``
+~~~~~~~~~~~~~~~~~
+
+Retrieves information about given domain from the backend. If your
+return value has no zone attribute, the backend will signal error.
+Everything else will default to something. Default values: serial:0,
+kind:NATIVE, id:-1, notified_serial:-1, last_check:0, masters: [].
+Masters, if present, must be array of strings.
+
+- Mandatory: No
+- Parameters: name
+- Reply: zone
+- Optional values: serial, kind, id, notified_serial, last_check,
+ masters
+
+Example JSON/RPC
+''''''''''''''''
+
+Query:
+
+::
+
+ {"method":"getdomaininfo","parameters":{"name":"example.com"}}
+
+Response:
+
+::
+
+ {"result":{id:1,"zone":"example.com","kind":"NATIVE","serial":2002010100}}
+
+Example HTTP/RPC
+''''''''''''''''
+
+Query:
+
+.. code-block:: http
+
+ GET /dnsapi/getdomaininfo/example.com HTTP/1.1
+
+Response:
+
+.. code-block:: http
+
+ HTTP/1.1 200 OK
+ content-Type: text/javascript: charset=utf-8
+
+ {"result":{id:1,"zone":"example.com","kind":"NATIVE","serial":2002010100}}
+
+``setNotified``
+~~~~~~~~~~~~~~~
+
+Updates last notified serial for the domain id. Any errors are ignored.
+
+- Mandatory: No
+- Parameters: id, serial
+- Reply: true for success, false for failure
+
+Example JSON/RPC
+''''''''''''''''
+
+Query:
+
+::
+
+ {"method":"setnotified","parameters":{"id":1,"serial":2002010100}}
+
+Response:
+
+::
+
+ {"result":true}
+
+Example HTTP/RPC
+''''''''''''''''
+
+Query:
+
+.. code-block:: http
+
+ PATCH /dnsapi/setnotified/1 HTTP/1.1
+ Content-Type: application/x-www-form-urlencoded
+ Content-Length: 17
+
+ serial=2002010100
+
+Response:
+
+.. code-block:: http
+
+ HTTP/1.1 200 OK
+ Content-Type: text/javascript; charset=utf-8
+
+ {"result":true}
+
+``isMaster``
+~~~~~~~~~~~~
+
+Determines whether given IP is master for given domain name.
+
+- Mandatory: No
+- Parameters: name,ip
+- Reply: true for success, false for failure.
+
+Example JSON/RPC
+''''''''''''''''
+
+Query:
+
+::
+
+ {"method":"isMaster","parameters":{"name":"example.com","ip":"198.51.100.0.1"}}
+
+Response:
+
+::
+
+ {"result":true}
+
+Example HTTP/RPC
+''''''''''''''''
+
+Query:
+
+.. code-block:: http
+
+ GET /dnsapi/isMaster/example.com/198.51.100.0.1 HTTP/1.1
+
+Response:
+
+.. code-block:: http
+
+ HTTP/1.1 200 OK
+ Content-Type: text/javascript; charset=utf-8
+
+ {"result":true}
+
+``superMasterBackend``
+~~~~~~~~~~~~~~~~~~~~~~
+
+Creates new domain with given record(s) as master servers. IP address is
+the address where notify is received from. nsset is array of NS resource
+records.
+
+- Mandatory: No
+- Parameters: ip,domain,nsset,account
+- Reply: true for success, false for failure. can also return
+ account=>name of account< and nameserver.
+
+Example JSON/RPC
+''''''''''''''''
+
+Query:
+
+::
+
+ {"method":"superMasterBackend","parameters":{"ip":"198.51.100.0.1","domain":"example.com","nsset":[{"qtype":"NS","qname":"example.com","qclass":1,"content":"ns1.example.com","ttl":300,"auth":true},{"qtype":"NS","qname":"example.com","qclass":1,"content":"ns2.example.com","ttl":300,"auth":true}]}}
+
+Response:
+
+::
+
+ {"result":true}
+
+Alternative response:
+
+::
+
+ {"result":{"account":"my account","nameserver":"ns2.example.com"}}
+
+Example HTTP/RPC
+''''''''''''''''
+
+Query:
+
+.. code-block:: http
+
+ POST /dnsapi/supermasterbackend/198.51.100.0.1/example.com HTTP/1.1
+ Content-Type: application/x-www-form-urlencoded
+ Content-Length: 317
+
+ nsset[1][qtype]=NS&nsset[1][qname]=example.com&nsset[1][qclass]=1&nsset[1][content]=ns1.example.com&nsset[1][ttl]=300&nsset[1][auth]=true&nsset[2][qtype]=NS&nsset[2][qname]=example.com&nsset[2][qclass]=1&nsset[2][content]=ns2.example.com&nsset[2][ttl]=300&nsset[2][auth]=true
+
+Response:
+
+.. code-block:: http
+
+ HTTP/1.1 200 OK
+ Content-Type: text/javascript; charset=utf-8
+
+ {"result":true}
+
+Alternative response
+
+.. code-block:: http
+
+ HTTP/1.1 200 OK
+ Content-Type: text/javascript; charset=utf-8
+
+ {"result":{"account":"my account"}}
+
+``createSlaveDomain``
+~~~~~~~~~~~~~~~~~~~~~
+
+Creates new domain. This method is called when NOTIFY is received and
+you are superslaving.
+
+Mandatory: No Parameters: ip, domain Optional parameters: nameserver,
+account Reply: true for success, false for failure
+
+Example JSON/RPC
+''''''''''''''''
+
+Query:
+
+::
+
+ {"method":"createSlaveDomain","parameters":{"ip":"198.51.100.0.1","domain":"pirate.example.net"}}
+
+Response:
+
+::
+
+ {"result":true}
+
+Example HTTP/RPC
+''''''''''''''''
+
+Query:
+
+.. code-block:: http
+
+ POST /dnsapi/createslavedomain/198.51.100.0.1/pirate.example.net HTTP/1.1
+ Content-Type: application/x-www-form-urlencoded
+ Content-Length: 0
+
+Response:
+
+.. code-block:: http
+
+ HTTP/1.1 200 OK
+ Content-Type: text/javascript; charset=utf-8
+
+ {"result":true}
+
+``replaceRRSet``
+~~~~~~~~~~~~~~~~
+
+This method replaces a given resource record with new set. The new qtype
+can be different from the old.
+
+- Mandatory: No
+- Parameters: domain_id, qname, qtype, rrset
+- Reply: true for success, false for failure
+
+Example JSON/RPC
+''''''''''''''''
+
+Query:
+
+::
+
+ {"method":"replaceRRSet","parameters":{"domain_id":2,"qname":"replace.example.com","qtype":"A","trxid":1370416133,"rrset":[{"qtype":"A","qname":"replace.example.com","qclass":1,"content":"1.1.1.1","ttl":300,"auth":true}]}}
+
+Response:
+
+::
+
+ {"result":true}
+
+Example HTTP/RPC
+''''''''''''''''
+
+Query:
+
+.. code-block:: http
+
+ PATCH /dnsapi/replacerrset/2/replace.example.com/A HTTP/1.1
+ Content-Type: application/x-www-form-urlencoded
+ Content-Length: 135
+
+ trxid=1370416133&rrset[qtype]=A&rrset[qname]=replace.example.com&rrset[qclass]=1&rrset[content]=1.1.1.1&rrset[auth]=1
+
+Response:
+
+.. code-block:: http
+
+ HTTP/1.1 200 OK
+ Content-Type: text/javascript; charset=utf-8
+
+ {"result":true}
+
+``feedRecord``
+~~~~~~~~~~~~~~
+
+Asks to feed new record into system. If startTransaction was called,
+trxId identifies a transaction. It is not always called by PowerDNS.
+
+- Mandatory: No
+- Parameters: rr, trxid
+- Reply: true for success, false for failure
+
+Example JSON/RPC
+''''''''''''''''
+
+Query:
+
+::
+
+ {"method":"feedRecord","parameters":{"rr":{"qtype":"A","qname":"replace.example.com","qclass":1,"content":"127.0.0.1","ttl":300,"auth":true},"trxid":1370416133}}
+
+Response:
+
+::
+
+ {"result":true}
+
+Example HTTP/RPC
+''''''''''''''''
+
+Query:
+
+.. code-block:: http
+
+ PATCH /dnsapi/feedrecord/1370416133 HTTP/1.1
+ Content-Type: application/x-www-form-urlencoded
+ Content-Length: 117
+
+ rr[qtype]=A&rr[qname]=replace.example.com&rr[qclass]=1&rr[content]=127.0.0.1&rr[ttl]=300&rr[auth]=true
+
+Response:
+
+.. code-block:: http
+
+ HTTP/1.1 200 OK
+ Content-Type: text/javascript; charset=utf-8
+
+ {"result":true}
+
+.. _remote-feedents:
+
+``feedEnts``
+~~~~~~~~~~~~
+
+This method is used by pdnsutil rectify-zone to populate missing
+non-terminals. This is used when you have, say, record like
+_sip._upd.example.com, but no _udp.example.com. PowerDNS requires
+that there exists a non-terminal in between, and this instructs you to
+add one. If startTransaction is called, trxid identifies a transaction.
+
+- Mandatory: No
+- Parameters: nonterm, trxid
+- Reply: true for success, false for failure
+
+Example JSON/RPC
+''''''''''''''''
+
+Query:
+
+::
+
+ {"method":"feedEnts","parameters":{"domain_id":2,"trxid":1370416133,"nonterm":["_sip._udp","_udp"]}}
+
+Response:
+
+::
+
+ {"result":true}
+
+Example HTTP/RPC
+''''''''''''''''
+
+Query:
+
+.. code-block:: http
+
+ PATCH /dnsapi/feedents/2 HTTP/1.1
+ Content-Type: application/x-www-form-urlencoded
+ Content-Length: 50
+
+ trxid=1370416133&nonterm[]=_udp&nonterm[]=_sip.udp
+
+Response:
+
+.. code-block:: http
+
+ HTTP/1.1 200 OK
+ Content-Type: text/javascript; charset=utf-8
+
+ {"result":true}
+
+``feedEnts3``
+~~~~~~~~~~~~~
+
+Same as :ref:`remote-feedents`, but provides NSEC3 hashing
+parameters. Note that salt is BYTE value, and can be non-readable text.
+
+- Mandatory: No
+- Parameters: trxid, domain_id, domain, times, salt, narrow, nonterm
+- Reply: true for success, false for failure
+
+Example JSON/RPC
+''''''''''''''''
+
+Query:
+
+::
+
+ {"method":"feedEnts3","parameters":{"domain_id":2,"domain":"example.com","times":1,"salt":"9642","narrow":false,"trxid":1370416356,"nonterm":["_sip._udp","_udp"]}}
+
+Response:
+
+::
+
+ {"result":true}
+
+Example HTTP/RPC
+''''''''''''''''
+
+Query:
+
+.. code-block:: http
+
+ PATCH /dnsapi/2/example.com HTTP/1.1
+ Content-Type: application/x-www-form-urlencoded
+ Content-Length: 78
+
+ trxid=1370416356×=1&salt=9642&narrow=0&nonterm[]=_sip._udp&nonterm[]=_udp
+
+Response:
+
+.. code-block:: http
+
+ HTTP/1.1 200 OK
+ Content-Type: text/javascript; charset=utf-8
+
+ {"result":true}
+
+``startTransaction``
+~~~~~~~~~~~~~~~~~~~~
+
+Starts a new transaction. Transaction ID is chosen for you. Used to
+identify f.ex. AXFR transfer.
+
+- Mandatory: No
+- Parameters: domain_id, domain, trxid
+- Reply: true for success, false for failure
+
+Example JSON/RPC
+''''''''''''''''
+
+Query:
+
+::
+
+ {"method":"startTransaction","parameters":{"trxid":1234,"domain_id":1,"domain":"example.com"}}
+
+Response:
+
+::
+
+ {"result":true}
+
+Example HTTP/RPC
+''''''''''''''''
+
+Query:
+
+.. code-block:: http
+
+ POST /dnsapi/starttransaction/1/example.com HTTP/1.1
+ Content-Type: application/x-www-form-urlencoded
+ Content-Length: 10
+
+ trxid=1234
+
+Response:
+
+.. code-block:: http
+
+ HTTP/1.1 200 OK
+ Content-Type: text/javascript; charset=utf-8
+
+ {"result":true}
+
+``commitTransaction``
+~~~~~~~~~~~~~~~~~~~~~
+
+Signals successful transfer and asks to commit data into permanent
+storage.
+
+- Mandatory: No
+- Parameters: trxid
+- Reply: true for success, false for failure
+
+Example JSON/RPC
+''''''''''''''''
+
+Query:
+
+::
+
+ {"method":"commitTransaction","parameters":{"trxid":1234}}
+
+Response:
+
+::
+
+ {"result":true}
+
+Example HTTP/RPC
+''''''''''''''''
+
+Query:
+
+.. code-block:: http
+
+ POST /dnsapi/committransaction/1234 HTTP/1.1
+ Content-Type: application/x-www-form-urlencoded
+ Content-Length: 0
+
+Response:
+
+.. code-block:: http
+
+ HTTP/1.1 200 OK
+ Content-Type: text/javascript; charset=utf-8
+
+ {"result":true}
+
+``abortTransaction``
+~~~~~~~~~~~~~~~~~~~~
+
+Signals failed transaction, and that you should rollback any changes.
+
+- Mandatory: No
+- Parameters: trxid
+- Reply: true for success, false for failure
+
+Example JSON/RPC
+''''''''''''''''
+
+Query:
+
+::
+
+ {"method":"abortTransaction","parameters":{"trxid":1234}}
+
+Response:
+
+::
+
+ {"result":true}
+
+Example HTTP/RPC
+''''''''''''''''
+
+Query:
+
+.. code-block:: http
+
+ POST /dnsapi/aborttransaction/1234 HTTP/1.1
+ Content-Type: application/x-www-form-urlencoded
+ Content-Length: 0
+
+Response:
+
+.. code-block:: http
+
+ HTTP/1.1 200 OK
+ Content-Type: text/javascript; charset=utf-8
+
+ {"result":true}
+
+``calculateSOASerial``
+~~~~~~~~~~~~~~~~~~~~~~
+
+Asks you to calculate a new serial based on the given data and update
+the serial.
+
+- Mandatory: No
+- Parameters: domain,sd
+- Reply: true for success, false for failure
+
+Example JSON/RPC
+''''''''''''''''
+
+Query:
+
+::
+
+ {"method":"calculateSOASerial","parameters":{"domain":"unit.test","sd":{"qname":"unit.test","nameserver":"ns.unit.test","hostmaster":"hostmaster.unit.test","ttl":300,"serial":1,"refresh":2,"retry":3,"expire":4,"default_ttl":5,"domain_id":-1,"scopeMask":0}}}
+
+Response:
+
+::
+
+ {"result":2013060501}
+
+Example HTTP/RPC
+''''''''''''''''
+
+Query:
+
+.. code-block:: http
+
+ POST /dnsapi/calculatesoaserial/unit.test HTTP/1.1
+ Content-Type: application/x-www-form-urlencoded
+ Content-Length: 198
+
+ sd[qname]=unit.test&sd[nameserver]=ns.unit.test&sd[hostmaster]=hostmaster.unit.test&sd[ttl]=300&sd[serial]=1&sd[refresh]=2&sd[retry]=3&sd[expire]=4&sd[default_ttl]=5&sd[domain_id]=-1&sd[scopemask]=0
+
+Response:
+
+.. code-block:: http
+
+ HTTP/1.1 200 OK
+ Content-Type: text/javascript; charset=utf-8
+
+ {"result":2013060501}
+
+``directBackendCmd``
+~~~~~~~~~~~~~~~~~~~~
+
+Can be used to send arbitrary commands to your backend using
+:doc:`../dnssec/pdnsutil`.
+
+- Mandatory: no
+- Parameters: query
+- Reply: anything but boolean false for success, false for failure
+
+Example JSON/RPC
+''''''''''''''''
+
+Query:
+
+::
+
+ {"method":"directBackendCmd","parameters":{"query":"PING"}}
+
+Response:
+
+::
+
+ {"result":"PONG"}
+
+Example HTTP/RPC
+''''''''''''''''
+
+Query:
+
+.. code-block:: http
+
+ POST /dnsapi/directBackendCmd HTTP/1.1
+ Content-Type: application/x-www-form-urlencoded
+ Content-Length: 10
+
+ query=PING
+
+Response:
+
+.. code-block:: http
+
+ HTTP/1.1 200 OK
+ Content-Type: text/javascript; charset=utf-8
+
+ {"result":"PONG"}
+
+``getAllDomains``
+~~~~~~~~~~~~~~~~~
+
+Get DomainInfo records for all domains in your backend.
+
+- Mandatory: no
+- Parameters: include_disabled
+- Reply: array of DomainInfo
+
+Example JSON/RPC
+''''''''''''''''
+
+Query:
+
+::
+
+ {"method": "getAllDomains", "parameters": {"include_disabled": true}}
+
+Response:
+
+::
+
+ {"result":[{"id":1,"zone":"unit.test.","masters":["10.0.0.1"],"notified_serial":2,"serial":2,"last_check":1464693331,"kind":"native"}]}
+
+Example HTTP/RPC
+''''''''''''''''
+
+Query:
+
+.. code-block:: http
+
+ GET /dnsapi/getAllDomains?includeDisabled=true HTTP/1.1
+
+Response:
+
+.. code-block:: http
+
+ HTTP/1.1 200 OK
+ Content-Type: text/javascript; charset=utf-8
+ Content-Length: 135
+ {"result":[{"id":1,"zone":"unit.test.","masters":["10.0.0.1"],"notified_serial":2,"serial":2,"last_check":1464693331,"kind":"native"}]}
+
+``searchRecords``
+~~~~~~~~~~~~~~~~~
+
+Can be used to search records from the backend. This is used by web api.
+
+- Mandatory: no
+- Parameters: pattern, maxResults
+- Reply: same as :ref:`remote-lookup` or false to indicate failed
+ search
+
+Example JSON/RPC
+''''''''''''''''
+
+Query:
+
+::
+
+ {"method":"searchRecords","parameters":{"pattern":"www.example*","maxResults":100}}
+
+Response:
+
+::
+
+ {"result":[{"qtype":"A", "qname":"www.example.com", "content":"203.0.113.2", "ttl": 60}]}
+
+Example HTTP/RPC
+''''''''''''''''
+
+Query:
+
+.. code-block:: http
+
+ GET /dnsapi/searchRecords?q=www.example*&maxResults=100 HTTP/1.1
+
+Response:
+
+.. code-block:: http
+
+ HTTP/1.1 200 OK
+ Content-Type: text/javascript; charset=utf-8
+
+ {"result":[{"qtype":"A", "qname":"www.example.com", "content":"203.0.113.2", "ttl": 60}]}
+
+Examples
+--------
+
+Scenario: SOA lookup via pipe, unix or zeromq connector
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Query:
+
+::
+
+ {
+ "method": "lookup",
+ "parameters": {
+ "qname": "example.com",
+ "qtype": "SOA",
+ "zone_id": "-1"
+ }
+ }
+
+Reply:
+
+::
+
+ {
+ "result":
+ [
+ { "qtype": "SOA",
+ "qname": "example.com",
+ "content": "dns1.icann.org. hostmaster.icann.org. 2012080849 7200 3600 1209600 3600",
+ "ttl": 3600,
+ "domain_id": -1
+ }
+ ]
+ }
+
+Scenario: SOA lookup with HTTP connector
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Query:
+
+::
+
+ /dns/lookup/example.com/SOA
+
+Reply:
+
+::
+
+ {
+ "result":
+ [
+ { "qtype": "SOA",
+ "qname": "example.com",
+ "content": "dns1.icann.org. hostmaster.icann.org. 2012080849 7200 3600 1209600 3600",
+ "ttl": 3600,
+ "domain_id": -1
+ }
+ ]
+ }
--- /dev/null
+TinyDNS Backend
+===============
+
+- Native: Yes
+- Master: Yes
+- Slave: No
+- Superslave: No
+- Autoserial: No
+- DNSSEC: No
+- Multiple Instances: Yes
+- Module name: tinydns
+- Launch: ``tinydns``
+
+The TinyDNS backend allows you to use
+`djbdns's <http://cr.yp.to/djbdns.html>`__ ``data.cdb`` file format as
+the storage of your DNS records. The ``data.cdb`` file is created using
+`tinydns-data <http://cr.yp.to/djbdns/tinydns-data.html>`__. The backend
+is designed to be able to use the ``data.cdb`` files without any
+changes.
+
+Configuration Parameters
+------------------------
+
+These are the configuration file parameters that are available for the
+TinyDNS backend. It is recommended to set the ``tinydns-dbfile``.
+
+.. _setting-tinydns-dbfile:
+
+``tinydns-dbfile``
+~~~~~~~~~~~~~~~~~~
+
+- String
+- Default: data.cdb
+
+Specifies the name of the data file to use.
+
+.. _setting-tinydns-tai-adjust:
+
+``tinydns-tai-adjust``
+~~~~~~~~~~~~~~~~~~~~~~
+
+- Integer
+- Default: 11
+
+This adjusts the `TAI <http://www.tai64.com/>`__ value if timestamps are
+used. These seconds will be added to the start point (1970) and will
+allow you to adjust for leap seconds. The current default is 11. The
+last update was on `june 30th
+2012 <http://hpiers.obspm.fr/iers/bul/bulc/bulletinc.dat>`__.
+
+.. _setting-tinydns-notify-on-startup:
+
+``tinydns-notify-on-startup``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- Boolean
+- Default: no
+
+Tell the TinyDNSBackend to notify all the slave nameservers on startup.
+This might cause broadcast storms.
+
+.. _setting-tinydns-ignore-bogus-records:
+
+``tinydns-ignore-bogus-records``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- Boolean
+- Default: no
+
+The ``tinydns-data`` program can create data.cdb files that have
+bad/corrupt RDATA. PowerDNS will crash when it tries to read that
+bad/corrupt data. This option (change to yes), allows you to ignore that
+bad RDATA to make PowerDNS operate when bad data is in your CDB file. Be
+aware that the records are then ignored, where tinydns would still send
+out the bogus data. The option is primarily useful in master mode, as
+that reads all the packets in the zone to find all the SOA records.
+
+.. _setting-tinydns-locations:
+
+``tinydns-locations``
+~~~~~~~~~~~~~~~~~~~~~
+
+- Boolean
+- Default: yes
+
+Enable or Disable location support in the backend. Changing the value to
+'no' will make the backend ignore the locations. This then returns all
+records. When the setting is changed to 'no' an AXFR will also return
+all the records. With the setting on 'yes' an AXFR will only return
+records without a location.
+
+Location and Timestamp support
+------------------------------
+
+Both timestamp and location are supported in the backend.
+Locations support can be changed using the :ref:`setting-tinydns-locations` setting.
+Timestamp and location only work as expected when :ref:`setting-cache-ttl` and :ref:`setting-query-cache-ttl` are set to 0 (which disables these caches).
+Timestamp can operate with :ref:`setting-cache-ttl` if cache is needed, but the
+TTL returned for the timestamped racked will not be totally correct. The
+record will expire once the cache is expired and the backend is queried
+again. Please note that :ref:`setting-cache-ttl` is a
+performance related setting. See :doc:`../performance`. Location support only exists for IPv4!
+
+Master mode
+-----------
+
+The TinyDNSBackend supports master mode. This allows it to notify slave
+nameservers of updates to a zone. You simply need to rewrite the
+``data.cdb`` file with an updated/increased serial and PowerDNS will
+notify the slave nameservers of that domain. The :ref:`setting-tinydns-notify-on-startup`
+configuration setting tells the backend if it should notify all the
+slave nameservers just after startup.
+
+The CDB datafile does not allow PowerDNS to easily query for newly added
+domains or updated serial numbers. The CDB datafile requires us to do a
+full scan of all the records. When running with verbose logging, this
+could lead to a lot of output. The scanning of the CDB file may also
+take a while on systems with large files. The scan happens at an
+interval set by the :ref:`setting-slave-cycle-interval`. It
+might be useful to raise this value to limit the amount of scans on the
+CDB file.
+
+The TinyDNSBackend also keeps a list of all the zones. This is needed to
+detect an updated serial and to give every zone a unique id. The list is
+updated when a zone is added, but not when a zone is removed. This leads
+to some memory loss.
+
+Useful implementation Notes
+---------------------------
+
+This backend might solve some issues you have with the current tinydns
+noted on `Jonathan de Boyne
+Pollard's <http://homepage.ntlworld.com/jonathan.deboynepollard/author.html>`__
+`djbdns known problems
+page <http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/djbdns-problems.html>`__.
+
+The ``data.cdb`` file format support all types of records. They are
+sometimes difficult to create because you need to specify the actual
+content of the rdata. `Tinydns.org <http://tinydns.org/>`__ provides a
+number of links to tools/cgi-scripts that allow you to create records.
+`Anders Brownworth <http://anders.com/>`__ also provides a number of
+useful record building scripts on his
+`djbdnsRecordBuilder <http://anders.com/projects/sysadmin/djbdnsRecordBuilder/>`__.
+
+PowerDNS and TinyDNS handle wildcards differently. Looking up
+foo.www.example.com with the below records on TinyDNS will return
+198.51.100.1, PowerDNS will return NXDOMAIN. According to :rfc:`4592` \*.example.com should only
+match subdomains in under example.com, not \*.\*.example.com. This
+compatibility issue is `noted on the axfer-get page for the djbdns
+suite <https://cr.yp.to/djbdns/axfr-get.html>`__.
+
+::
+
+ *.example.com A 198.51.100.1
+ www.example.com A 198.51.100.1
+
+Compiling the TinyDNS backend requires you to have
+`tinycdb <http://www.corpit.ru/mjt/tinycdb.html>`__ version 0.77.
--- /dev/null
+Changelogs for 4.0.x
+====================
+
+PowerDNS Authoritative Server 4.0.4
+-----------------------------------
+
+Released 23rd of June 2017
+
+This release features a fix for the ed25519 signer. This signer hashed
+the message before signing, resulting in unverifiable signatures. Also
+on the Elliptic Curve front, support was added for ED448 (DNSSEC
+algorithm 16) by using libdecaf.
+
+Bug fixes
+~~~~~~~~~
+
+- `#5423 <https://github.com/PowerDNS/pdns/pull/5423>`__: Do not hash
+ the message in the ed25519 signer (Kees Monshouwer)
+- `#5445 <https://github.com/PowerDNS/pdns/pull/5445>`__: Make URI
+ integers 16 bits, fixes
+ `#5443 <https://github.com/PowerDNS/pdns/issues/5443>`__
+- `#5346 <https://github.com/PowerDNS/pdns/pull/5346>`__: configure.ac:
+ Corrects syntax error in test statement on existance of
+ libcrypto\_ecdsa (shinsterneck)
+- `#5440 <https://github.com/PowerDNS/pdns/pull/5440>`__: configure.ac:
+ Fix quoting issue fixes
+ `#5401 <https://github.com/PowerDNS/pdns/issues/5401>`__
+- `#4824 <https://github.com/PowerDNS/pdns/pull/4824>`__: configure.ac:
+ Check in the detected OpenSSL/libcrypto for ECDSA
+- `#5016 <https://github.com/PowerDNS/pdns/pull/5016>`__: configure.ac:
+ Check if we can link against libatomic if needed
+- `#5341 <https://github.com/PowerDNS/pdns/pull/5341>`__: Fix typo in
+ ldapbackend.cc from issue
+ `#5091 <https://github.com/PowerDNS/pdns/issues/5091>`__
+ (shantikulkarni)
+- `#5289 <https://github.com/PowerDNS/pdns/pull/5289>`__: Sort NSEC
+ record case insensitive (Kees Monshouwer)
+- `#5378 <https://github.com/PowerDNS/pdns/pull/5378>`__: Make sure
+ NSEC ordernames are always lower case
+- `#4781 <https://github.com/PowerDNS/pdns/pull/4781>`__: API:
+ correctly take TTL from first record even if we are at the last
+ comment (Christian Hofstaedtler)
+- `#4901 <https://github.com/PowerDNS/pdns/pull/4901>`__: Fix
+ AtomicCounter unit tests on 32-bit
+- `#4911 <https://github.com/PowerDNS/pdns/pull/4911>`__: Fix negative
+ port detection for IPv6 addresses on 32-bit
+- `#4508 <https://github.com/PowerDNS/pdns/pull/4508>`__: Remove
+ support for 'right' timezones, as this code turned out to be broken
+- `#4961 <https://github.com/PowerDNS/pdns/pull/4961>`__: Lowercase the
+ TSIG algorithm name in hash computation
+- `#5048 <https://github.com/PowerDNS/pdns/pull/5048>`__: Handle
+ exceptions raised by ``closesocket()``
+- `#5297 <https://github.com/PowerDNS/pdns/pull/5297>`__: Don't leak on
+ signing errors during outgoing AXFR; signpipe stumbles over
+ interrupted rrsets; fix memory leak in gmysql backend
+- `#5450 <https://github.com/PowerDNS/pdns/pull/5450>`__: TinyCDB
+ backend: Don't leak a CDB object in case of bogus data
+
+Improvements
+~~~~~~~~~~~~
+
+- `#5071 <https://github.com/PowerDNS/pdns/pull/5071>`__: ODBC backend:
+ Allow query logging
+- `#5441 <https://github.com/PowerDNS/pdns/pull/5441>`__: Add ED25519
+ (algo 15) and ED448 (algo 16) support with libdecaf signer (Kees
+ Monshouwer)
+- `#5325 <https://github.com/PowerDNS/pdns/pull/5325>`__: YaHTTP: Sync
+ with upstream changes
+- `#5298 <https://github.com/PowerDNS/pdns/pull/5298>`__: Send a
+ notification to all slave servers after every dnsupdate (Kees
+ Monshouwer)
+- `#5317 <https://github.com/PowerDNS/pdns/pull/5317>`__: Add option to
+ set a global ``lua-axfr-script`` value (Kees Monshouwer)
+- `#5130 <https://github.com/PowerDNS/pdns/pull/5130>`__: dnsreplay:
+ Add ``--source-ip`` and ``--source-port`` options
+- `#5085 <https://github.com/PowerDNS/pdns/pull/5085>`__: calidns: Use
+ the correct socket family (IPv4 / IPv6)
+- `#5170 <https://github.com/PowerDNS/pdns/pull/5170>`__: Add an option
+ to allow AXFR of zones with a different (higher/lower) serial (Kees
+ Monshouwer)
+- `#4622 <https://github.com/PowerDNS/pdns/pull/4622>`__: API: Make
+ trailing dot handling consistent with pdnsutil (Tuxis Internet
+ Engineering)
+- `#4762 <https://github.com/PowerDNS/pdns/pull/4762>`__:
+ SuffixMatchNode: Fix insertion issue for an existing node
+- `#4861 <https://github.com/PowerDNS/pdns/pull/4861>`__: Do not
+ resolve the NS-records for NOTIFY targets if the "only-notify"
+ whitelist is empty, as a target will never match an empty whitelist.
+- `#5378 <https://github.com/PowerDNS/pdns/pull/5378>`__: Improve the
+ AXFR DNSSEC freshness check; Ignore NSEC3PARAM metadata in an
+ unsigned zone
+- `#5297 <https://github.com/PowerDNS/pdns/pull/5297>`__: Create
+ additional ``reuseport`` sockets before dropping privileges; remove
+ transaction in pgpsql backend
+
+PowerDNS Authoritative Server 4.0.3
+-----------------------------------
+
+Released January 17th 2017
+
+This release fixes an issue when using multiple backends, where one of
+the backends is the BIND backend. This regression was introduced in
+4.0.2.
+
+Bug fix
+~~~~~~~
+
+- `#4905 <https://github.com/PowerDNS/pdns/pull/4905>`__: Revert "auth:
+ In ``Bind2Backend::lookup()``, use the ``zoneId`` when we have it"
+
+PowerDNS Authoritative Server 4.0.2
+-----------------------------------
+
+Released January 13th 2017
+
+This release fixes PowerDNS Security Advisories
+:doc:`2016-02 <../security-advisories/powerdns-advisory-2016-02>`,
+:doc:`2016-03 <../security-advisories/powerdns-advisory-2016-03>`,
+:doc:`2016-04 <../security-advisories/powerdns-advisory-2016-04>` and
+:doc:`2016-05 <../security-advisories/powerdns-advisory-2016-05>` and includes a fix
+for a memory leak in the Postgresql backend.
+
+Bug fixes
+~~~~~~~~~
+
+- `commit f61af48 <https://github.com/PowerDNS/pdns/commit/f61af48>`__:
+ Don't parse spurious RRs in queries when we don't need them (Security
+ Advisory :doc:`2016-02 <../security-advisories/powerdns-advisory-2016-02>`)
+- `commit 592006d <https://github.com/PowerDNS/pdns/commit/592006d>`__:
+ Don't exit if the webserver can't accept a connection (Security
+ Advisory :doc:`2016-03 <../security-advisories/powerdns-advisory-2016-03>`)
+- `commit e85acc6 <https://github.com/PowerDNS/pdns/commit/e85acc6>`__:
+ Check TSIG signature on IXFR (Security Advisory
+ :doc:`2016-04 <../security-advisories/powerdns-advisory-2016-04>`)
+- `commit 3b1e4a2 <https://github.com/PowerDNS/pdns/commit/3b1e4a2>`__:
+ Correctly check unknown record content size (Security Advisory
+ :doc:`2016-05 <../security-advisories/powerdns-advisory-2016-05>`)
+- `commit 9ecbf02 <https://github.com/PowerDNS/pdns/commit/9ecbf02>`__:
+ ODBC backend: actually prepare statements
+- `commit a4d607b <https://github.com/PowerDNS/pdns/commit/a4d607b>`__:
+ Fix incorrect length check in ``DNSName`` when extracting qtype or
+ qclass
+- `commit c816fe3 <https://github.com/PowerDNS/pdns/commit/c816fe3>`__:
+ Fix a possible memory leak in the webserver
+- `#4287 <https://github.com/PowerDNS/pdns/pull/4287>`__: Better
+ handling of invalid serial
+- `#4306 <https://github.com/PowerDNS/pdns/pull/4306>`__: Limit size of
+ mysql cell to 128 kilobytes
+- `#4314 <https://github.com/PowerDNS/pdns/pull/4314>`__: Overload fix:
+ make overload-queue-length work as intended again, add test for it.
+- `#4317 <https://github.com/PowerDNS/pdns/pull/4317>`__: Improve
+ root-zone performance
+- `#4319 <https://github.com/PowerDNS/pdns/pull/4319>`__: pipe:
+ SERVFAIL when needed
+- `#4360 <https://github.com/PowerDNS/pdns/pull/4360>`__: Make sure
+ mariadb (mysql on centos/rhel) is started before pdns (42wim)
+- `#4387 <https://github.com/PowerDNS/pdns/pull/4387>`__: ComboAddress:
+ don't allow invalid ports
+- `#4459 <https://github.com/PowerDNS/pdns/pull/4459>`__: Plug memory
+ leak in postgresql backend (Christian Hofstaedtler)
+- `#4544 <https://github.com/PowerDNS/pdns/pull/4544>`__: Fix a
+ stack-based off-by-one write in the HTTP remote backend
+- `#4755 <https://github.com/PowerDNS/pdns/pull/4755>`__: calidns:
+ Don't crash if we don't have enough 'unknown' queries remaining
+
+Additions and Enhancements
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- `commit 1238e06 <https://github.com/PowerDNS/pdns/commit/1238e06>`__:
+ disable negative getSOA caching if the negcache\_ttl is 0 (Kees
+ Monshouwer)
+- `commit 3a0bded <https://github.com/PowerDNS/pdns/commit/3a0bded>`__,
+ `commit 8c879d4 <https://github.com/PowerDNS/pdns/commit/8c879d4>`__,
+ `commit 8c03126 <https://github.com/PowerDNS/pdns/commit/8c03126>`__,
+ `commit 5656e12 <https://github.com/PowerDNS/pdns/commit/5656e12>`__
+ and `commit
+ c1d283d <https://github.com/PowerDNS/pdns/commit/c1d283d>`__: Improve
+ PacketCache cleaning (Kees Monshouwer)
+- `#4261 <https://github.com/PowerDNS/pdns/pull/4261>`__: Strip
+ trailing dot in PTR content (Kees Monshouwer)
+- `#4269 <https://github.com/PowerDNS/pdns/pull/4269>`__: contrib:
+ simple bash completion for pdnsutil (j0ju)
+- `#4272 <https://github.com/PowerDNS/pdns/pull/4272>`__: Bind backend:
+ update status message on reload, keep the existing zone on failure
+- `#4274 <https://github.com/PowerDNS/pdns/pull/4274>`__: report DHCID
+ type (Kees Monshouwer)
+- `#4310 <https://github.com/PowerDNS/pdns/pull/4310>`__: Fix build
+ with LibreSSL, for which OPENSSL\_VERSION\_NUMBER is irrelevant
+- `#4323 <https://github.com/PowerDNS/pdns/pull/4323>`__: Speedup
+ DNSName creation
+- `#4335 <https://github.com/PowerDNS/pdns/pull/4335>`__: fix TSIG for
+ single thread distributor (Kees Monshouwer)
+- `#4346 <https://github.com/PowerDNS/pdns/pull/4346>`__: change
+ default for any-to-tcp to yes (Kees Monshouwer)
+- `#4356 <https://github.com/PowerDNS/pdns/pull/4356>`__: Don't look up
+ the packet cache for TSIG-enabled queries
+- `#4403 <https://github.com/PowerDNS/pdns/pull/4403>`__: (auth) Fix
+ build with OpenSSL 1.1.0 final (Christian Hofstaedtler)
+- `#4442 <https://github.com/PowerDNS/pdns/pull/4442>`__: geoipbackend:
+ Fix minor naming issue (Aki Tuomi)
+- `#4454 <https://github.com/PowerDNS/pdns/pull/4454>`__: pdnsutil:
+ create-slave-zone accept multiple masters (Hannu Ylitalo)
+- `#4541 <https://github.com/PowerDNS/pdns/pull/4541>`__: Backport of
+ #4542: API: search should not return ENTs (Christian Hofstaedtler)
+- `#4754 <https://github.com/PowerDNS/pdns/pull/4754>`__: In
+ ``Bind2Backend::lookup()``, use the ``zoneId`` when we have it
+
+PowerDNS Authoritative Server 4.0.1
+-----------------------------------
+
+Released July 29th 2016
+
+This release fixes two small issues and adds a setting to limit AXFR and
+IXFR sizes, in response to
+`CVE-2016-6172 <http://www.openwall.com/lists/oss-security/2016/07/06/4>`__.
+
+Bug fixes
+~~~~~~~~~
+
+- `#4126 <https://github.com/PowerDNS/pdns/pull/4126>`__ Wait for the
+ connection to the carbon server to be established
+- `#4206 <https://github.com/PowerDNS/pdns/pull/4206>`__ Don't try to
+ deallocate empty PG statements
+- `#4245 <https://github.com/PowerDNS/pdns/pull/4245>`__ Send the
+ correct response when queried for an NSEC directly (Kees Monshouwer)
+- `#4252 <https://github.com/PowerDNS/pdns/pull/4252>`__ Don't include
+ bind files if length <= 2 or > sizeof(filename)
+- `#4255 <https://github.com/PowerDNS/pdns/pull/4255>`__ Catch
+ runtime\_error when parsing a broken MNAME
+
+Improvements
+~~~~~~~~~~~~
+
+- `#4044 <https://github.com/PowerDNS/pdns/pull/4044>`__ Make DNSPacket
+ return a ComboAddress for local and remote (Aki Tuomi)
+- `#4056 <https://github.com/PowerDNS/pdns/pull/4056>`__ OpenSSL 1.1.0
+ support (Christian Hofstaedtler)
+- `#4169 <https://github.com/PowerDNS/pdns/pull/4169>`__ Fix typos in a
+ logmessage and exception (Christian Hofstaedtler)
+- `#4183 <https://github.com/PowerDNS/pdns/pull/4183>`__ pdnsutil:
+ Remove checking of ctime and always diff the changes (Hannu Ylitalo)
+- `#4192 <https://github.com/PowerDNS/pdns/pull/4192>`__ dnsreplay:
+ Only add Client Subnet stamp when asked
+- `#4250 <https://github.com/PowerDNS/pdns/pull/4250>`__ Use
+ toLogString() for ringAccount (Kees Monshouwer)
+
+Additions
+~~~~~~~~~
+
+- `#4133 <https://github.com/PowerDNS/pdns/pull/4133>`__ Add limits to
+ the size of received {A,I}XFR (CVE-2016-6172)
+- `#4142 <https://github.com/PowerDNS/pdns/pull/4142>`__ Add used
+ filedescriptor statistic (Kees Monshouwer)
+
+PowerDNS Authoritative Server 4.0.0
+-----------------------------------
+
+Released July 11th 2016
+
+PowerDNS Authoritative Server 4.0.0 is part of `the great 4.x "Spring
+Cleaning" <http://blog.powerdns.com/2015/11/28/powerdns-spring-cleaning/>`__
+of PowerDNS which lasted through the end of 2015.
+
+As part of the general cleanup and improvements, we did the following:
+
+- Moved to C++ 2011, a cleaner more powerful version of C++ that has
+ allowed us to `improve the quality of
+ implementation <http://bert-hubert.blogspot.nl/2015/01/on-c2011-quality-of-implementation.html>`__
+ in many places.
+- Implemented dedicated infrastructure for dealing with DNS names that
+ is fully "DNS Native" and needs less escaping and unescaping.
+- All backends derived from the Generic SQL backend use :doc:`prepared
+ statements <../backends/generic-sql>`.
+- Both the server and ``pdns_control`` do the right thing when
+ ``chroot``'ed.
+
+In addition to this cleanup, 4.0.0 brings the following new features:
+
+- A revived ODBC backend
+ (:doc:`godbc <../backends/generic-odbc>`).
+- A revived LDAP backend (:doc:`ldap <../backends/ldap>`).
+- Support for
+ :doc:`CDS/CDNSKEY <../guides/kskrollcdnskey>`
+ and :rfc:`7344` key-rollovers.
+- Support for the :doc:`ALIAS <../guides/alias>` record.
+- The webserver and API are no longer marked experimental.
+
+ - The API-path has moved to ``/api/v1``
+
+- DNSUpdate is no longer experimental.
+- Default ECDSA (algorithms 13 and 14) support without external
+ dependencies.
+- Experimental support for ed25519 DNSSEC signatures (when compiled
+ with libsodium support).
+- IXFR consumption support.
+- Many new ``pdnsutil`` commands
+
+ - ``help`` command now produces the help
+ - Warns if the configuration file cannot be read
+ - Does not check disabled records with ``check-zone`` unless verbose
+ mode is enabled
+ - ``create-zone`` command creates a new zone
+ - ``add-record`` command to add records
+ - ``delete-rrset`` and ``replace-rrset`` commands to delete and add
+ rrsets
+ - ``edit-zone`` command that spawns ``$EDITOR`` with the zone
+ contents in zonefile format regardless of the backend used
+ (`blogpost <https://blog.powerdns.com/2016/02/02/powerdns-authoritative-the-new-old-way-to-manage-domains/>`__
+
+The following backend have been dropped in 4.0.0:
+
+- LMDB.
+- Geo (use the improved :doc:`GeoIP <../backends/geoip>`
+ instead).
+
+Important changes:
+
+- ``pdnssec`` has been renamed to ``pdnsutil``
+- PowerDNS Authoritative Server now listens by default on all IPv6
+ addresses.
+- The default for ``pdnsutil secure-zone`` has been changed from 1 2048
+ bit RSA KSK and 1 1024 bit RSA ZSK to a single 256 bit ECDSA
+ (algorithm 13, ECDSAP256SHA256) key.
+- Several superfluous queries have been dropped from the SQL backend,
+ if you use a non-standard SQL schema, please review the new defaults
+
+ - ``insert-ent-query``, ``insert-empty-non-terminal-query``,
+ ``insert-ent-order-query`` have been replaced by one query named
+ ``insert-empty-non-terminal-order-query``
+ - ``insert-record-order-query`` has been dropped,
+ ``insert-record-query`` now sets the ordername (or NULL)
+ - ``insert-slave-query`` has been dropped, ``insert-zone-query`` now
+ sets the type of zone
+
+- Crypto++ and mbedTLS support is dropped, these are replaced by
+ OpenSSL
+- The INCEPTION, INCEPTION-WEEK and EPOCH SOA-EDIT metadata values are
+ marked as deprecated and will be removed in 4.1
+
+The final release has the following bug fixes compared to rc2:
+
+- `#4071 <https://github.com/PowerDNS/pdns/pull/4071>`__ Abort on
+ backend failures at startup and retry while running (Kees Monshouwer)
+- `#4099 <https://github.com/PowerDNS/pdns/pull/4099>`__ Don't leak TCP
+ connection descriptor if ``pthread_create()`` failed
+- `#4137 <https://github.com/PowerDNS/pdns/pull/4137>`__ gsqlite3:
+ Check whether foreign keys should be turned on (Aki Tuomi)
+
+And the following improvements:
+
+- `#3051 <https://github.com/PowerDNS/pdns/pull/3051>`__ Better error
+ message for unfound new slave domains
+- `#4123 <https://github.com/PowerDNS/pdns/pull/4123>`__ check-zone:
+ warn on mismatch between algo and NSEC mode
+
+PowerDNS Authoritative Server 4.0.0-rc2
+---------------------------------------
+
+Released June 29th 2016
+
+**note**: rc1 was tagged in git but never officially released. Kees
+Monshouwer discovered an issue in the gmysql backend that would
+terminate the daemon on a connection error, this fixed in rc2.
+
+This Release Candidate adds IXFR consumption and fixes some issues with
+prepared statements:
+
+- `#3937 <https://github.com/PowerDNS/pdns/pull/3937>`__ GSQL: use lazy
+ prepared statements (Aki Tuomi)
+- `#3949 <https://github.com/PowerDNS/pdns/pull/3949>`__ Implement
+ IXFR-based slaving for Authoritative, fix duplicate AXFRs
+- `#4066 <https://github.com/PowerDNS/pdns/pull/4066>`__ Don't die on a
+ mysql timeout (Kees Monshouwer)
+
+Other improvements:
+
+- `#4061 <https://github.com/PowerDNS/pdns/pull/4061>`__ Various fixes,
+ a MySQL-query fix that improves performance and one that allows
+ shorter best matches in getAuth()
+- `#3962 <https://github.com/PowerDNS/pdns/pull/3962>`__ Fix OpenBSD
+ support
+- `#3972 <https://github.com/PowerDNS/pdns/pull/3972>`__ API: change
+ PATCH/PUT on zones to return 204 No Content instead of full zone
+ (Christian Hofstaedtler)
+- `#3917 <https://github.com/PowerDNS/pdns/pull/3917>`__ Remotebackend:
+ Add getAllDomains call (Aki Tuomi)
+
+Bug fixes and changes:
+
+- `#3998 <https://github.com/PowerDNS/pdns/pull/3998>`__ remove
+ gsql::isOurDomain for now (Kees Monshouwer)
+- `#3989 <https://github.com/PowerDNS/pdns/pull/3989>`__ Fix usage of
+ std::distance() in DNSName::isPartOf()
+- `#4001 <https://github.com/PowerDNS/pdns/pull/4001>`__ re enable
+ validDNSName() check (Kees Monshouwer)
+- `#3930 <https://github.com/PowerDNS/pdns/pull/3930>`__ Have
+ pdns\_control bind-add-zone check for zonefile
+- `#3400 <https://github.com/PowerDNS/pdns/pull/3400>`__ Fix building
+ on OpenIndiana
+- `#3961 <https://github.com/PowerDNS/pdns/pull/3961>`__ Allow building
+ on CentOS 6 i386
+- `#3940 <https://github.com/PowerDNS/pdns/pull/3940>`__ auth: Don't
+ build dnsbulktest and dnstcpbench if boost is too old, fixes building
+ on CentOS 6
+- `#3931 <https://github.com/PowerDNS/pdns/pull/3931>`__ Rename
+ ``notify`` to ``pdns_notify`` (Christian Hofstaedtler)
+
+PowerDNS Authoritative Server 4.0.0-beta1
+-----------------------------------------
+
+Released May 27th 2016
+
+This release features several small fixes and deprecations.
+
+Improvements and Additions
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- `#3851 <https://github.com/PowerDNS/pdns/pull/3851>`__ Disable
+ algorithm 13 and 14 if OpenSSL does not support ecdsa or the required
+ curves (Kees Monshouwer)
+- `#3857 <https://github.com/PowerDNS/pdns/pull/3857>`__ Add simple
+ stubquery tool for testing the stubresolver
+- `#3859 <https://github.com/PowerDNS/pdns/pull/3859>`__ build scripts:
+ Stop patching config-dir in pdns.conf (Christian Hofstaedtler)
+- `#3872 <https://github.com/PowerDNS/pdns/pull/3872>`__ Add support
+ for multiple carbon servers
+- `#3901 <https://github.com/PowerDNS/pdns/pull/3901>`__ Add support
+ for virtual hosting with systemd
+
+Bug fixes
+~~~~~~~~~
+
+- `#3856 <https://github.com/PowerDNS/pdns/pull/3856>`__ Deal with
+ unset name in nproxy replies
+
+PowerDNS Authoritative Server 4.0.0-alpha3
+------------------------------------------
+
+Released May 11th 2016
+
+Notable changes since 4.0.0-alpha2
+
+- `#3415 <https://github.com/PowerDNS/pdns/pull/3415>`__ pdnsutil: add
+ clear-zone command
+- `#3586 <https://github.com/PowerDNS/pdns/pull/3586>`__ Remove
+ send-root-referral option
+- `#3578 <https://github.com/PowerDNS/pdns/pull/3578>`__ Add
+ disable-syslog option
+- `#3733 <https://github.com/PowerDNS/pdns/pull/3733>`__ ALIAS
+ improvements: DNSSEC and optional on-AXFR expansion of records
+- `#3764 <https://github.com/PowerDNS/pdns/pull/3764>`__ Notify support
+ for systemd
+- `#3807 <https://github.com/PowerDNS/pdns/pull/3807>`__ Add TTL
+ settings for DNSSECKeeper's caches
+
+Bug fixes
+~~~~~~~~~
+
+- `#3553 <https://github.com/PowerDNS/pdns/pull/3553>`__ pdnsutil:
+ properly show key sizes for presigned zones in show-zone
+- `#3507 <https://github.com/PowerDNS/pdns/pull/3507>`__ webserver:
+ mask out the api-key setting (Christian Hofstaedtler)
+- `#3580 <https://github.com/PowerDNS/pdns/pull/3580>`__ bindbackend:
+ set domain in list() (Kees Monshouwer)
+- `#3595 <https://github.com/PowerDNS/pdns/pull/3595>`__ pdnsutil: add
+ NS record without trailing dot with create-zone
+- `#3653 <https://github.com/PowerDNS/pdns/pull/3653>`__ Allow tabs as
+ whitespace in zonefiles
+- `#3666 <https://github.com/PowerDNS/pdns/pull/3666>`__ Restore
+ recycle backend behaviour (Kees Monshouwer)
+- `#3612 <https://github.com/PowerDNS/pdns/pull/3612>`__ Prevent
+ segfault in PostgreSQL backend
+- `#3779 <https://github.com/PowerDNS/pdns/pull/3779>`__,
+ `#3768 <https://github.com/PowerDNS/pdns/pull/3768>`__,
+ `#3766 <https://github.com/PowerDNS/pdns/pull/3766>`__,
+ `#3783 <https://github.com/PowerDNS/pdns/pull/3783>`__ and
+ `#3789 <https://github.com/PowerDNS/pdns/pull/3789>`__ DNSName and
+ other hardening improvements
+- `#3784 <https://github.com/PowerDNS/pdns/pull/3784>`__ fix SOA
+ caching with multiple backends (Kees Monshouwer)
+- `#3827 <https://github.com/PowerDNS/pdns/pull/3827>`__ Force
+ NSEC3PARAM algorithm to 1, fixes validation issues when set to not 1
+
+Improvements
+~~~~~~~~~~~~
+
+- `#3637 <https://github.com/PowerDNS/pdns/pull/3637>`__,
+ `#3678 <https://github.com/PowerDNS/pdns/pull/3678>`__,
+ `#3740 <https://github.com/PowerDNS/pdns/pull/3740>`__ Correct
+ root-zone slaving and serving (Kees Monshouwer and others)
+- `#3495 <https://github.com/PowerDNS/pdns/pull/3495>`__ API: Add
+ discovery endpoint (Christian Hofstaedtler)
+- `#3389 <https://github.com/PowerDNS/pdns/pull/3389>`__ pdnsutil:
+ support chroot
+- `#3596 <https://github.com/PowerDNS/pdns/pull/3596>`__ Remove
+ botan-based ecdsa and rsa signers (Kees Monshouwer)
+- `#3478 <https://github.com/PowerDNS/pdns/pull/3478>`__,
+ `#3603 <https://github.com/PowerDNS/pdns/pull/3603>`__,
+ `#3628 <https://github.com/PowerDNS/pdns/pull/3628>`__ Various build
+ system improvements (Ruben Kerkhof)
+- `#3621 <https://github.com/PowerDNS/pdns/pull/3621>`__ Always
+ lowercase when inserting into the database
+- `#3651 <https://github.com/PowerDNS/pdns/pull/3651>`__ Rename
+ PUBLISH\_\* to PUBLISH-\* domainmetadata
+- `#3656 <https://github.com/PowerDNS/pdns/pull/3656>`__ API: clean up
+ cryptokeys resource (Christian Hofstaedtler)
+- `#3632 <https://github.com/PowerDNS/pdns/pull/3632>`__ pdnsutil: Fix
+ exit statuses to constants and return 0 when success (saltsa)
+- `#3655 <https://github.com/PowerDNS/pdns/pull/3655>`__ API: Fix
+ set-ptr to honor SOA-EDIT-API (Christian Hofstaedtler)
+- `#3720 <https://github.com/PowerDNS/pdns/pull/3720>`__ Many fixes for
+ dnswasher (Robert Edmonds)
+- `#3707 <https://github.com/PowerDNS/pdns/pull/3707>`__,
+ `#3788 <https://github.com/PowerDNS/pdns/pull/3788>`__ Make MySQL
+ timeout configurable (Kees Monshouwer and Brynjar Eide)
+- `#3806 <https://github.com/PowerDNS/pdns/pull/3806>`__ Move key
+ validity check out of ``fromISCMap()``, improves DNSSEC performance
+- `#3820 <https://github.com/PowerDNS/pdns/pull/3820>`__ pdnsutil
+ load-zone: ignore double SOA
+
+PowerDNS Authoritative Server 4.0.0-alpha2
+------------------------------------------
+
+Released February 25th 2016
+
+Notable changes since 4.0.0-alpha1
+
+- `#3037 <https://github.com/PowerDNS/pdns/pull/3037>`__ Remove
+ superfluous gsql queries and stop relying on schema defaults
+- `#3176 <https://github.com/PowerDNS/pdns/pull/3176>`__,
+ `#3139 <https://github.com/PowerDNS/pdns/pull/3139>`__ OpenSSL
+ support (Christian Hofstaedtler and Kees Monshouwer)
+- `#3128 <https://github.com/PowerDNS/pdns/pull/3128>`__ ECDSA support
+ to DNSSEC infra via OpenSSL (Kees Monshouwer)
+- `#3281 <https://github.com/PowerDNS/pdns/pull/3281>`__,
+ `#3283 <https://github.com/PowerDNS/pdns/pull/3283>`__,
+ `#3363 <https://github.com/PowerDNS/pdns/pull/3363>`__ Remove
+ Crypto++ and mbedTLS support
+- `#3298 <https://github.com/PowerDNS/pdns/pull/3298>`__ Implement
+ pdnsutil create-zone zone nsname, add-record, delete-rrset,
+ replace-rrset
+- `#3407 <https://github.com/PowerDNS/pdns/pull/3407>`__ API: Permit
+ wildcard manipulation (Aki Tuomi)
+- `#3230 <https://github.com/PowerDNS/pdns/pull/3230>`__ API: drop
+ JSONP, add web security headers (Christian Hofstaedtler)
+- `#3428 <https://github.com/PowerDNS/pdns/pull/3428>`__ API: Fix
+ zone/records design mistake (Christian Hofstaedtler)
+
+ - **Note**: this is a breaking change from alpha1, please review the
+ `API documentation <../httpapi>`
+
+Bug fixes
+~~~~~~~~~
+
+- `#3124 <https://github.com/PowerDNS/pdns/pull/3124>`__ Fix several
+ bugs with introduced with the change to a single signing key (e.g.
+ the SEP bit is set on these single keys)
+- `#3151 <https://github.com/PowerDNS/pdns/pull/3151>`__ Catch DNSName
+ build errors in dynhandler (Christian Hofstaedtler)
+- `#3264 <https://github.com/PowerDNS/pdns/pull/3264>`__ GeoIP backend:
+ Use correct id numbers for domains (Aki Tuomi)
+- `#3271 <https://github.com/PowerDNS/pdns/pull/3271>`__ ZoneParser:
+ Throw PDNSException on too many SOA data elements
+- `#3302 <https://github.com/PowerDNS/pdns/pull/3302>`__ Fix
+ bindbackend's feedRecord to handle being slave for the root
+- `#3399 <https://github.com/PowerDNS/pdns/pull/3399>`__ Report OpenSSL
+ RSA keysize in bits (Kees Monshouwer)
+
+Improvements
+~~~~~~~~~~~~
+
+- `#3119 <https://github.com/PowerDNS/pdns/pull/3119>`__ Show DNSSEC
+ keys for slaved zone (Aki Tuomi)
+- `#3255 <https://github.com/PowerDNS/pdns/pull/3255>`__ Don't log
+ authentication errors before sending HTTP basic auth challenge (Jan
+ Broer)
+- `#3338 <https://github.com/PowerDNS/pdns/pull/3338>`__ Add weight
+ feature to GeoIP backend (Aki Tuomi)
+- `#3364 <https://github.com/PowerDNS/pdns/pull/3364>`__ Shrink
+ PacketID by 10% by eliminating padding. (Andrew Nelless)
+- `#3443 <https://github.com/PowerDNS/pdns/pull/3443>`__ Many speedup
+ and correctness fixes
+
+PowerDNS Authoritative Server 4.0.0-alpha1
+------------------------------------------
+
+Released December 24th 2015
--- /dev/null
+Changelogs for 4.1.x
+====================
+
+.. changelog::
+ :version: 4.1.0
+
+ This is the first release of the PowerDNS Recursor in the 4.1 release train.
+
+ .. change::
+ :tags: BIND, Improvements
+ :pullreq: 5094
+
+ Make the zone parser adhere to :rfc:`2308` with regards to implicit TTLs.
+
+ Existing zone files may now be interpreted differently.
+ Specifically, where we previously used the SOA minimum field for the default
+ TTL if none was set explictly, or no $TTL was set, we now use the TTL from
+ the previous line.
+
+ .. change::
+ :tags: Internals, Improvements
+ :pullreq: 4373
+
+ Revamp and clean label compression code. Speeds up large packet creation by ~40%.
+
+ .. change::
+ :tags: Internals, Improvements
+ :pullreq: 4332
+ :tickets: 4299
+
+ Apply :ref:`setting-non-local-bind` to :ref:`setting-query-local-address` and :ref:`setting-query-local-address6` when possible.
+
+ .. change::
+ :tags: DNSUpdate, New Features
+ :pullreq: 4058
+
+ Allow the use of a :ref:`Lua script <dnsupdate-lua-dnsupdate-policy-script>` to validate DNS Update requests (Aki Tuomi).
+
+ .. change::
+ :tags: API, Improvements
+ :pullreq: 4408
+ :tickets: 4290
+
+ Enable the webserver when :ref:`setting-api` is 'yes' (Christian Hofstaedtler).
+
+ .. change::
+ :tags: API, New Features
+ :pullreq: 4093, 5038
+
+ Add API endpoints for Domain metadata (Christian Kröger).
+
+ .. change::
+ :tags: API, New Features
+ :pullreq: 4106
+ :tickets: 706
+
+ Implement :json:object:`CryptoKey` in the API (Wolfgang Studier, @MrM0nkey, Tudor Soroceanu, Benjamin Zengin).
+
+ .. change::
+ :tags: Internals, Bug Fixes
+ :pullreq: 4424
+
+ Fix compilation on systems with Boost < 1.54
+
+ .. change::
+ :tags: Internals, Improvements, Bug Fixes
+ :pullreq: 4467, 4492
+
+ A number of fixes and improvements that are difficult to untangle:
+
+ * Remove the ASCII :cpp:class:`DNSResourceRecord` from the hot path of packet assembly.
+ * Hash the storage of records in the BindBackend.
+ * Hash the packetcache.
+ * Fix some bugs in the LDAP backend and in the MyDNS backend.
+ * Make the randombackend go 'native' and directly supply records that can be sent to packets
+ * The performance benefit of this PR is measured in "factors" for being a root-server.
+
+ .. change::
+ :tags: Internals, Improvements
+ :pullreq: 4504
+ :tickets: 4503
+
+ Improve cleaning, remove an unnecessary lock and improve performance of the packetcache (Kees Monshouwer).
+
+ .. change::
+ :tags: Internals, Improvements
+ :pullreq: 4485
+
+ Improve SOA records caching (Kees Monshouwer).
+
+ .. change::
+ :tags: Internals, Bug Fixes
+ :pullreq: 4560, 4548
+ :tickets: 4546
+
+ Fix possible variable shadowing (Kees Monshouwer, Christian Hofstaedtler).
+
+ .. change::
+ :tags: API, Bug Fixes
+ :pullreq: 4526
+ :tickets: 4524
+
+ Make the URL in zone info absolute (Christian Hofstaedtler).
+
+ .. change::
+ :tags: BIND, Bug Fixes
+ :pullreq: 4650
+ :tickets: 4328
+
+ Do not corrupt data supplied by other backends in getAllDomains (Christian Hofstaedtler).
+
+ .. change::
+ :tags: Tools, Improvements
+ :pullreq: 4007
+ :tickets: 4005
+
+ Implement subcommand printing all KSK DS records in pdnsutil (Jonas Wielicki).
+
+ .. change::
+ :tags: Tools, Bug Fixes
+ :pullreq: 4740
+
+ Avoid undefined behaviour in Clang vs. GCC when printing DS records in pdnsutil.
+
+ .. change::
+ :tags: API, Improvements
+ :pullreq: 4751
+ :tickets: 4132
+
+ Prevent sending nameservers list and zone-level NS in rrsets in the API (Christian Hofstaedtler).
+
+ .. change::
+ :tags: Tools, Improvements
+ :pullreq: 4584
+
+ Allow setting the account of a zone via pdnsutil (Tuxis Internet Engineering).
+
+ .. change::
+ :tags: Internals, New Features
+ :pullreq: 4624
+
+ Add TCP management options described in :rfc:`section 10 of RFC 7766 <7766#section-10>`.
+
+ .. change::
+ :tags: Tools, Improvements
+ :pullreq: 4719
+
+ Print "$ORIGIN ." on ``pdnsutil list-zone``, so the output can be used in ``pdnsutil load-zone`` (Tuxis Internet Engineering).
+
+ .. change::
+ :tags: Internals, Bug Fixes
+ :pullreq: 4855
+
+ Fix ``getaddrinfo()`` returning address in triplicate.
+
+ .. change::
+ :tags: Internals, Improvements
+ :pullreq: 4829
+
+ Make sure AXFR only deletes records from a SLAVE domain in a multi backend setup (Kees Monshouwer).
+
+ .. change::
+ :tags: Tools, Improvements
+ :pullreq: 4478
+
+ pdnsutil: clarify error message when set-presigned fails with DNSSEC disabled (Peter Thomassen).
+
+ .. change::
+ :tags: Internals, Improvements
+ :pullreq: 4908
+
+ Tidy up UeberBackend (Christian Hofstaedtler).
+
+ .. change::
+ :tags: Tools, Improvements
+ :pullreq: 3913
+
+ pdnsutil: Validate names with address records to be valid hostnames (Håkan Lindqvist).
+
+ .. change::
+ :tags: Postgresql, Improvements
+ :pullreq: 4711
+ :ticket: 2138
+
+ Enable setting custom pgsql connection parameters, like TLS parameters (Tarjei Husøy).
+
+ .. change::
+ :tags: Internals, Improvements
+ :pullreq: 4944
+
+ Improve API performance by instantiating only one DNSSECKeeper per request.
+
+ .. change::
+ :tags: Remote, Bug Fixes
+ :pullreq: 4997
+
+ Fix two problems with remotebackend (Aki Tuomi):
+
+ * list method used domain-id json parameter, when it was supposed to use domain_id
+ * NULL ordername was not passed as empty string in POST parameters builder, instead it threw an exception
+
+ .. change::
+ :tags: Internals, Improvements
+ :pullreq: 4953
+ :tickets: 349, 602
+
+ Incremental backoff for failed slave checks.
+
+ When a SOA record for a slave domain can't be retrieved, use an increasing interval between checking the domain again.
+ This prevents hammering down on already busy servers.
+
+ .. change::
+ :tags: LDAP, Bug Fixes
+ :pullreq: 4922
+ :tickets: 3165
+
+ Fix ldap-strict autoptr feature.
+
+ .. change::
+ :tags: Internals, Improvements
+ :pullreq: 4549
+
+ Remove d_place from DNSResourceRecord (Christian Hofstaedtler).
+
+ .. change::
+ :tags: MyDNS, New Features
+ :pullreq: 5043
+
+ Add function to the MyDNS backend to allow backend-to-backend migrations (Aki Tuomi).
+
+ .. change::
+ :tags: Internals, Removed Features
+ :pullreq: 4752
+ :tickets: 4616, 4238, 4315, 3337, 2606, 2380
+
+ Remove recursion. See :doc:`../guides/recursion` for migration strategies (Kees Monshouwer).
+
+ .. change::
+ :tags: Internals, Bug Fixes
+ :pullreq: 5117
+
+ Turn exception in a qthread into an error instead of a crash.
+
+ .. change::
+ :tags: Webserver, Improvements
+ :pullreq: 5116
+ :tickets: 1844
+
+ Report query statistics as full numbers, not scientific notation in the webserver.
+
+ .. change::
+ :tags: Tools, Bug Fixes
+ :pullreq: 5125
+ :tickets: 5124
+
+ In ``pdnsutil create-slave-zone``, actually add all slaves.
+
+ .. change::
+ :tags: BIND, New Features
+ :pullreq: 5115
+ :tickets: 1284
+
+ Support "native" zones in the BIND backend.
+
+ .. change::
+ :tags: Postgresql, Bug Fixes
+ :pullreq: 4929
+ :tickets: 4928
+
+ Make statement actually unique (Christian Hofstaedtler).
+
+ .. change::
+ :tags: Tools, Improvements
+ :pullreq: 5118
+
+ Correct pdnsutil help output for add-zone-key.
+
+ .. change::
+ :tags: Internals, Improvements
+ :pullreq: 5169
+
+ Add an option to allow AXFR of zones with a different (higher/lower) serial (Kees Monshouwer).
+
+ .. change::
+ :tags: Tools, Improvements
+ :pullreq: 5062
+ :tickets: 512
+
+ Check for valid hostnames in SRV, NS and MX records.
+
+ .. change::
+ :tags: Postgresql, Improvements
+ :pullreq: 5121, 5221
+ :tickets: 2358, 5193
+
+ Use pkg-config to detect PostgreSQL libraries.
+
+ .. change::
+ :tags: Internals, New Features
+ :pullreq: 5137
+ :tickets: 5129
+
+ Add TCP Fast Open support.
+
+ .. change::
+ :tags: ALIAS, Improvements
+ :pullreq: 5182
+ :tickets: 5119
+
+ Disable ALIAS expansion by default.
+
+ .. change::
+ :tags: Internals, Improvements
+ :pullreq: 5112
+ :tickets: 4655
+
+ Use the :ref:`setting-resolver` setting for the stub resolver, use resolv.conf as fallback.
+
+ .. change::
+ :tags: Internals, New Features
+ :pullreq: 5132, 5258
+ :tickets: 4204
+
+ Hash the entire query in the packet cache, split caches. This makes the authoritative server pass the EDNS compliance test.
+
+ Add cache hit/miss statistics (Kees Monshouwer).
+
+ .. change::
+ :tags: LDAP, New Features
+ :pullreq: 4477
+ :tickets: 3358
+
+ Many improvements and additions to the LDAP backend (Grégory Oestreicher).
+
+ .. change::
+ :tags: Internals, Bug Fixes
+ :pullreq: 5212, 5249
+
+ Remove duplicate dns2_tolower() function and move ascii-related function to one file (Thiago Farina).
+
+ .. change::
+ :tags: Internals, Bug Fixes
+ :pullreq: 5209
+
+ Make copying locks impossible.
+
+ .. change::
+ :tags: Internals, Improvements
+ :pullreq: 5250
+
+ Re-implement the AXFR Filter with LuaContext (Aki Tuomi).
+
+ .. change::
+ :tags: GeoIP, New Features
+ :pullreq: 5266, 5269, 5270
+ :tickets: 4122, 5255
+
+ Support 2-character country codes and the MaxMind cities database in the GeoIP backend (Aki Tuomi).
+
+ .. change::
+ :tags: GeoIP, Bug Fixes
+ :pullreq: 5267
+ :tickets: 4704
+
+ Apply weights consistently during GeoIP lookups (Aki Tuomi).
+
+ .. change::
+ :tags: Tools, Bug Fixes
+ :pullreq: 5303
+
+ Fix off-by-one in dnsreplay --packet-limit
+
+ .. change::
+ :tags: Internals, New Features
+ :pullreq: 5271, 5190
+ :tickets: 3781
+
+ Add an adjustable statistics interval (@phonedph1).
+
+ .. change::
+ :tags: DNSUpdate, New Features
+ :pullreq: 5264, 5263, 5321
+ :tickets: 4821
+
+ Send a notification to all slave servers after every dnsupdate (Kees Monshouwer, Florian Obser).
+
+ .. change::
+ :tags: Remote, Bug Fixes
+ :pullreq: 5308
+ :tickets: 5306
+
+ Don't copy data around in the Remote Backend when sending and receiving in the Unix Connector.
+
+ .. change::
+ :tags: Internals, Bug Fixes
+ :pullreq: 5320
+
+ Properly truncate trailing bits of EDNS Client Subnet masks.
+
+ .. change::
+ :tags: Internals, Bug Fixes
+ :pullreq: 5161, 5083
+
+ Fix regressions in the AXFR rectification code (Kees Monshouwer, Arthur Gautier).
+
+ .. change::
+ :tags: LDAP, Bug Fixes
+ :pullreq: 5340
+ :tickets: 5091
+
+ Fix an erroneous '.' in ".ip6.arpa" (@shantikulkarni).
+
+ .. change::
+ :tags: Internals, New Features
+ :pullreq: 5316
+
+ Add option to set a global :ref:`setting-lua-axfr-script` (Kees Monshouwer).
+
+ .. change::
+ :tags: Tools, New Features
+ :pullreq: 5339
+
+ calidns: add --increment and --want-recursion flags.
+
+ .. change::
+ :tags: Internals, New Features
+ :pullreq: 4965, 4964, 1701
+
+ Allow forwarding of NOTIFY messages using :ref:`setting-forward-notify` (@DrRemorse).
+
+ .. change::
+ :tags: Internals, Bug Fixes
+ :pullreq: 5408
+
+ Zero the port when creating a netmask from a ComboAddress.
+
+ .. change::
+ :tags: API, Improvements
+ :pullreq: 5389
+ :tickets: 5305
+
+ Forbid mixing CNAMEs and other RRSets in the API (Christan Hofstaedtler).
+
+ .. change::
+ :tags: Internals, Improvements
+ :pullreq: 5387
+
+ Allow control socket to listen on IPv6 (@Gibheer).
+
+ .. change::
+ :tags: Types, New Features
+ :pullreq: 5379
+
+ Support the SMIMEA RRType.
+
+ .. change::
+ :tags: Postgresql, MySQL, Bug Fixes
+ :pullreq: 5245
+ :tickets: 5005, 3824
+
+ Reconnect to the server if the My/Pg connection has been closed.
+
+ .. change::
+ :tags: Internals, Removed Features
+ :pullreq: 5468
+
+ Remove the experimental Lua Policy Engine (Aki Tuomi).
+
+ .. change::
+ :tags: Internals, Bug Fixes
+ :pullreq: 5512
+
+ Drop (broken) support for packet-specific SOA replies from backends (Christian Hofstaedtler).
+
+ .. change::
+ :tags: Oracle, Bug Fixes
+ :pullreq: 5506
+
+ Add missing query for last key insert id in the goracle backend (Aki Tuomi).
+
+ .. change::
+ :tags: Postgresql, Improvements
+ :pullreq: 5426
+
+ Use BIGSERIAL for records.id in the gpgsql backend (Arsen Stasic).
--- /dev/null
+Changelogs
+==========
+
+The changelogs for the PowerDNS Authoritative Servr are split between release trains.
+
+.. toctree::
+ :maxdepth: 2
+
+ 4.1
+ 4.0
+ pre-4.0
--- /dev/null
+Changelogs for 3.x and older
+============================
+
+These changelogs are included for historical purposes.
+Broken links may exist.
+
+PowerDNS Authoritative Server 3.4.9
+-----------------------------------
+
+Released 17th of May 2016
+
+This is a minor bugfix and performance release. Two contributions by
+Kees Monshouwer make 3.4.9 fully compatible with the new single key
+ECDSA default that is coming in version 4.0.0.
+
+Changes since 3.4.8:
+
+- `commit 4627ea0 <https://github.com/PowerDNS/pdns/commit/4627ea0>`__,
+ `commit 8350828 <https://github.com/PowerDNS/pdns/commit/8350828>`__:
+ use OpenSSL for ECDSA signing where available (Kees Monshouwer)
+- `commit 558ff84 <https://github.com/PowerDNS/pdns/commit/558ff84>`__:
+ allow common signing key (Kees Monshouwer)
+- `commit 280d665 <https://github.com/PowerDNS/pdns/commit/280d665>`__:
+ Add a disable-syslog setting
+- `commit 58d6ab6 <https://github.com/PowerDNS/pdns/commit/58d6ab6>`__:
+ fix SOA caching with multiple backends (Kees Monshouwer)
+- `commit e9e413f <https://github.com/PowerDNS/pdns/commit/e9e413f>`__,
+ `commit 6af4652 <https://github.com/PowerDNS/pdns/commit/6af4652>`__:
+ whitespace-related zone parsing fixes `ticket
+ #3568 <https://github.com/PowerDNS/pdns/issues/3568>`__
+- `commit 7473a5e <https://github.com/PowerDNS/pdns/commit/7473a5e>`__:
+ bindbackend: fix, set domain in list() (Kees Monshouwer)
+
+PowerDNS Authoritative Server 3.4.8
+-----------------------------------
+
+Released 3rd of February 2016
+
+This is a small bugfix release. Additionally, the deb/RPM packages on
+downloads.powerdns.com (those with -static in the name) for 3.4.8 have
+been built against Botan 1.10.11 instead of Botan 1.10.3 like previous
+packages. Please see `the Botan Security
+page <http://botan.randombit.net/security.html>`__ for more information
+on the fixes in Botan 1.10.11. As a PowerDNS user, these issues only
+affect you if you ran our -static packages *and* allowed your users to
+upload private keys to your configuration.
+
+Changes since 3.4.7:
+
+- `commit edfa60a <https://github.com/PowerDNS/pdns/commit/edfa60a>`__:
+ Use AC\_SEARCH\_LIBS (Ruben Kerkhof)
+- `commit 7b7a3af <https://github.com/PowerDNS/pdns/commit/7b7a3af>`__:
+ Check for inet\_aton in libresolv (Ruben Kerkhof)
+- `commit 9322aee <https://github.com/PowerDNS/pdns/commit/9322aee>`__:
+ Remove hardcoded -lresolv, -lnsl and -lsocket (Ruben Kerkhof)
+- `commit 23d26d8 <https://github.com/PowerDNS/pdns/commit/23d26d8>`__:
+ pdnssec: don't check disabled records (Pieter Lexis)
+- `commit ce92ff1 <https://github.com/PowerDNS/pdns/commit/ce92ff1>`__:
+ pdnssec: check all records (including disabled ones) only in verbose
+ mode (Kees Monshouwer)
+- `commit f745312 <https://github.com/PowerDNS/pdns/commit/f745312>`__:
+ trailing dot in DNAME content (Kees Monshouwer)
+- `commit ed02761 <https://github.com/PowerDNS/pdns/commit/ed02761>`__:
+ Fix luabackend compilation on FreeBSD i386 (RvdE)
+- `commit 07ea6ac <https://github.com/PowerDNS/pdns/commit/07ea6ac>`__:
+ silence g++ 6.0 warnings and error (Kees Monshouwer)
+- `commit c6077b1 <https://github.com/PowerDNS/pdns/commit/c6077b1>`__:
+ add gcc 5.3 and 6.0 support to boost.m4 (Kees Monshouwer)
+
+PowerDNS Authoritative Server 3.4.7
+-----------------------------------
+
+Released 3rd of November 2015
+
+This is a security release fixing `Security Advisory
+2015-03 <security/powerdns-advisory-2015-03.md>`__
+
+Bug fixes:
+
+- `commit b0c04ba <https://github.com/PowerDNS/pdns/commit/b0c04ba>`__:
+ Ignore invalid/empty TKEY and TSIG records (Christian Hofstaedtler)
+- `commit 8044a5d <https://github.com/PowerDNS/pdns/commit/8044a5d>`__:
+ Don't reply to truncated queries (Christian Hofstaedtler)
+- `commit 6a65ae9 <https://github.com/PowerDNS/pdns/commit/6a65ae9>`__:
+ don't log out-of-zone ents during AXFR in (Kees Monshouwer)
+- `commit 416d252 <https://github.com/PowerDNS/pdns/commit/416d252>`__:
+ Prevent XSS by escaping user input. Thanks to Pierre Jaury and Damien
+ Cauquil at Sysdream for pointing this out.
+- `commit df76bda <https://github.com/PowerDNS/pdns/commit/df76bda>`__:
+ Handle NULL and boolean properly in gPGSql (Aki Tuomi)
+- commits
+ `b998fc0 <https://github.com/PowerDNS/pdns/commit/b998fc0>`__,
+ `88516fd <https://github.com/PowerDNS/pdns/commit/88516fd>`__,
+ `ef80925 <https://github.com/PowerDNS/pdns/commit/ef80925>`__,
+ `4549a72 <https://github.com/PowerDNS/pdns/commit/4549a72>`__:
+ Improve negative caching (Kees Monshouwer)
+- `commit be27a9c <https://github.com/PowerDNS/pdns/commit/be27a9c>`__:
+ Do not divide timeout twice (Aki Tuomi)
+- commits
+ `ca1d29c <https://github.com/PowerDNS/pdns/commit/ca1d29c>`__,
+ `df2d20a <https://github.com/PowerDNS/pdns/commit/df2d20a>`__,
+ `2358eea <https://github.com/PowerDNS/pdns/commit/2358eea>`__:
+ Correctly sort records with a priority.
+
+Improvements:
+
+- commits
+ `791bc37 <https://github.com/PowerDNS/pdns/commit/791bc37>`__,
+ `e3301ca <https://github.com/PowerDNS/pdns/commit/e3301ca>`__,
+ `9862779 <https://github.com/PowerDNS/pdns/commit/9862779>`__,
+ `b59a7e3 <https://github.com/PowerDNS/pdns/commit/b59a7e3>`__,
+ `4ca7a06 <https://github.com/PowerDNS/pdns/commit/4ca7a06>`__,
+ `7736530 <https://github.com/PowerDNS/pdns/commit/7736530>`__,
+ `69ea1a6 <https://github.com/PowerDNS/pdns/commit/69ea1a6>`__: Direct
+ query answers and correct zone-rectification in the GeoIP backend
+ (Aki Tuomi)
+- commits
+ `83e0e53 <https://github.com/PowerDNS/pdns/commit/83e0e53>`__,
+ `0ff3037 <https://github.com/PowerDNS/pdns/commit/0ff3037>`__,
+ `9910908 <https://github.com/PowerDNS/pdns/commit/9910908>`__ Use
+ token names to identify PKCS#11 keys (Aki Tuomi)
+- `commit a3801b2 <https://github.com/PowerDNS/pdns/commit/a3801b2>`__:
+ Fix typo in an error message (Arjen Zonneveld)
+- `commit d33ba8e <https://github.com/PowerDNS/pdns/commit/d33ba8e>`__:
+ limit NSEC3 iterations in bindbackend (Kees Monshouwer)
+- `commit 0acca87 <https://github.com/PowerDNS/pdns/commit/0acca87>`__:
+ Initialize minbody (Aki Tuomi)
+
+New features:
+
+- commits
+ `4d51e96 <https://github.com/PowerDNS/pdns/commit/4d51e96>`__,
+ `6873a07 <https://github.com/PowerDNS/pdns/commit/6873a07>`__,
+ `b972356 <https://github.com/PowerDNS/pdns/commit/b972356>`__,
+ `46294b5 <https://github.com/PowerDNS/pdns/commit/46294b5>`__,
+ `6277b14 <https://github.com/PowerDNS/pdns/commit/6277b14>`__:
+ OPENPGPKEY record-type (James Cloos and Kees Monshouwer)
+- `commit ec0ded7 <https://github.com/PowerDNS/pdns/commit/ec0ded7>`__:
+ add global soa-edit settings (Kees Monshouwer)
+
+PowerDNS Authoritative Server 3.4.6
+-----------------------------------
+
+Released 28th of August 2015
+
+This is a security release fixing `Security Advisory
+2015-02 <security/powerdns-advisory-2015-02.md>`__
+
+Bug fixes:
+
+- commits `c849701 <https://github.com/PowerDNS/pdns/commit/c849701>`__
+ and `8c91e2c <https://github.com/PowerDNS/pdns/commit/8c91e2c>`__:
+ Avoid superfluous backend recycling
+- commits
+ `463fcff <https://github.com/PowerDNS/pdns/commit/463fcff>`__,
+ `0fc08e8 <https://github.com/PowerDNS/pdns/commit/0fc08e8>`__,
+ `0fbe69c <https://github.com/PowerDNS/pdns/commit/0fbe69c>`__,
+ `1a6af1c <https://github.com/PowerDNS/pdns/commit/1a6af1c>`__ and
+ `07f69d3 <https://github.com/PowerDNS/pdns/commit/07f69d3>`__:
+ Removal of dnsdist from the authoritative server distribution (Kees
+ Monshouwer among others).
+- commits `5cfea4c <https://github.com/PowerDNS/pdns/commit/5cfea4c>`__
+ and `ef011d9 <https://github.com/PowerDNS/pdns/commit/ef011d9>`__:
+ Add EDNS unknown version handling and tests EDNS unknown version
+ handling (Aki Tuomi)
+
+Improvements:
+
+- commits `88dd8a7 <https://github.com/PowerDNS/pdns/commit/88dd8a7>`__
+ and `dc6c63d <https://github.com/PowerDNS/pdns/commit/dc6c63d>`__:
+ Update YaHTTP to v0.1.7 (Aki Tuomi)
+- `commit 0a344bc <https://github.com/PowerDNS/pdns/commit/0a344bc>`__:
+ Make trailing/leading spaces stand out in ``pdnssec check_zone``
+- commits `2e982ad <https://github.com/PowerDNS/pdns/commit/2e982ad>`__
+ and `09bec1f <https://github.com/PowerDNS/pdns/commit/09bec1f>`__:
+ GCC 5.2 support and sync boost.m4 macro with upstream (Kees
+ Monshouwer among others)
+- `commit 1ad4e44 <https://github.com/PowerDNS/pdns/commit/1ad4e44>`__:
+ Log answer packets only if log-dns-details is enabled (Kees
+ Monshouwer)
+
+PowerDNS Authoritative Server 3.3.3
+-----------------------------------
+
+Released 9th of June 2015
+
+This is a security release fixing `Security Advisory
+2015-01 <security/powerdns-advisory-2015-01.md>`__
+
+Bug fixes:
+
+- `commit a0a1482 <https://github.com/PowerDNS/pdns/commit/a0a1482>`__:
+ Limit the maximum length of a qname
+
+PowerDNS Authoritative Server 3.4.5
+-----------------------------------
+
+Released 9th of June 2015
+
+This is a security release fixing `Security Advisory
+2015-01 <security/powerdns-advisory-2015-01.md>`__
+
+Bug fixes:
+
+- `commit ffaae2b <https://github.com/PowerDNS/pdns/commit/ffaae2b>`__:
+ be careful reading empty lines in our config parser and prevent
+ integer overflow.
+- `commit 8e30209 <https://github.com/PowerDNS/pdns/commit/8e30209>`__:
+ prevent crash after ^^list-modules (Ruben Kerkhof)
+- `commit 6cf71cf <https://github.com/PowerDNS/pdns/commit/6cf71cf>`__:
+ Limit the maximum length of a qname
+
+Improvements:
+
+- `commit 28ba3fc <https://github.com/PowerDNS/pdns/commit/28ba3fc>`__,
+ `commit 61b316f <https://github.com/PowerDNS/pdns/commit/61b316f>`__:
+ Support /etc/default for our debian/ubuntu packages (Aki Tuomi)
+- `commit d80e2b6 <https://github.com/PowerDNS/pdns/commit/d80e2b6>`__:
+ Detect GCC 5.1 for boost (Ruben Kerkhof)
+- `commit 68b4834 <https://github.com/PowerDNS/pdns/commit/68b4834>`__,
+ `commit 3b14545 <https://github.com/PowerDNS/pdns/commit/3b14545>`__,
+ `commit 2356d5c <https://github.com/PowerDNS/pdns/commit/2356d5c>`__,
+ `commit 432808b <https://github.com/PowerDNS/pdns/commit/432808b>`__:
+ Various PKCS#11 fixes and improvements (Aki Tuomi)
+- `commit bf357ff <https://github.com/PowerDNS/pdns/commit/bf357ff>`__,
+ `commit 2433d2e <https://github.com/PowerDNS/pdns/commit/2433d2e>`__,
+ `commit 8fabf4d <https://github.com/PowerDNS/pdns/commit/8fabf4d>`__:
+ Fix Coverity issues (Aki Tuomi)
+- `commit 5d02d01 <https://github.com/PowerDNS/pdns/commit/5d02d01>`__
+ `commit 7798aa3 <https://github.com/PowerDNS/pdns/commit/7798aa3>`__,
+ `commit 9f6e411 <https://github.com/PowerDNS/pdns/commit/9f6e411>`__,
+ `commit e25a09c <https://github.com/PowerDNS/pdns/commit/e25a09c>`__:
+ Fix building on OpenBSD (Florian Obser and Ruben Kerkhof)
+- `commit 5c8bba2 <https://github.com/PowerDNS/pdns/commit/5c8bba2>`__:
+ Look for mbedtls before polarssl (Ruben Kerkhof)
+- `commit 5abd150 <https://github.com/PowerDNS/pdns/commit/5abd150>`__:
+ Let pkg-config determine botan dependency libs (Ruben Kerkhof)
+- `commit ba4d623 <https://github.com/PowerDNS/pdns/commit/ba4d623>`__:
+ kill some further mallocs and add note to remind us not to add them
+ back
+- `commit 50346d8 <https://github.com/PowerDNS/pdns/commit/50346d8>`__:
+ Move remotebackend-unix test socket to testsdir (Aki Tuomi)
+- `commit 32e9512 <https://github.com/PowerDNS/pdns/commit/32e9512>`__:
+ Defer launch of coprocess until first question (Aki Tuomi)
+- `commit d9b3ecb <https://github.com/PowerDNS/pdns/commit/d9b3ecb>`__,
+ `commit 561373e <https://github.com/PowerDNS/pdns/commit/561373e>`__:
+ pdnssec: check for glue and delegations in parent zones (Kees
+ Monshouwer)
+
+PowerDNS Authoritative Server 3.3.2
+-----------------------------------
+
+Released 1st of May, 2015
+
+Among other bug fixes and improvements (as listed below), this release
+incorporates a fix for CVE-2015-1868, as detailed in `PowerDNS Security
+Advisory 2015-01 <security/powerdns-advisory-2015-01.md>`__
+
+If you are running DNSSEC with version 3.3.1 or below, and you cannot
+currently upgrade to 3.4.4, please consider upgrading to 3.3.2; it has a
+lot of improvements and bug fixes and tremendously increases compliance.
+
+We want to explicitly thank Kees Monshouwer for digging up all the
+DNSSEC improvements and porting them back to this release.
+
+When upgrading, please run "pdnssec rectify-all-zones" and trigger an
+AXFR for all DNSSEC zones to make sure you benefit from all the
+compliance improvements present in this version.
+
+Security fixes:
+
+- `commit 9df4944 <https://github.com/PowerDNS/pdns/commit/9df4944>`__:
+ import CVE-2015-1868 patch (Peter van Dijk)
+- `commit dbedfc5 <https://github.com/PowerDNS/pdns/commit/dbedfc5>`__:
+ kill some further mallocs and add note to remind us not to add them
+ back (bert hubert)
+
+Improvements:
+
+- `commit d0af589 <https://github.com/PowerDNS/pdns/commit/d0af589>`__
+ , `commit
+ c45b6db <https://github.com/PowerDNS/pdns/commit/c45b6db>`__ ,
+ `commit 88c1f21 <https://github.com/PowerDNS/pdns/commit/88c1f21>`__
+ , `commit
+ 2a4c620 <https://github.com/PowerDNS/pdns/commit/2a4c620>`__ ,
+ `commit 4a4597e <https://github.com/PowerDNS/pdns/commit/4a4597e>`__
+ , `commit
+ 9fa7373 <https://github.com/PowerDNS/pdns/commit/9fa7373>`__ ,
+ `commit 8115a83 <https://github.com/PowerDNS/pdns/commit/8115a83>`__:
+ implement security polling for auth
+- `commit 5bbd868 <https://github.com/PowerDNS/pdns/commit/5bbd868>`__:
+ import suck() from master (Kees Monshouwer)
+- `commit 194f4d2 <https://github.com/PowerDNS/pdns/commit/194f4d2>`__:
+ respond REFUSED instead of NOERROR for "unknown zone" situations
+ (Peter van Dijk)
+- `commit 55b0653 <https://github.com/PowerDNS/pdns/commit/55b0653>`__:
+ set AA on CNAME into referral, fixes `ticket
+ #589 <https://github.com/PowerDNS/pdns/issues/589>`__ (Peter van
+ Dijk)
+- `commit 71232aa <https://github.com/PowerDNS/pdns/commit/71232aa>`__:
+ update l.root ip (Kees Monshouwer)
+
+Bug fixes:
+
+- `commit 88c52fe <https://github.com/PowerDNS/pdns/commit/88c52fe>`__:
+ make makeRelative() case insensitive (Kees Monshouwer)
+
+DNSSEC improvements:
+
+- `commit b3dec9c <https://github.com/PowerDNS/pdns/commit/b3dec9c>`__:
+ change default for add-superfluous-nsec3-for-old-bind config option
+ (Kees Monshouwer)
+- `commit 017a78b <https://github.com/PowerDNS/pdns/commit/017a78b>`__:
+ limit the number of NSEC3 iterations RFC5155 10.3 (Kees Monshouwer)
+- `commit d768d7f <https://github.com/PowerDNS/pdns/commit/d768d7f>`__:
+ NSEC3 and related RRSIGS are not part of the dnstree (Kees
+ Monshouwer)
+- `commit 3a36a1c <https://github.com/PowerDNS/pdns/commit/3a36a1c>`__:
+ import bindbackend rectify code from master (Kees Monshouwer)
+- `commit 1ee7e22 <https://github.com/PowerDNS/pdns/commit/1ee7e22>`__:
+ limit mode 0 closest provable encloser to optout (Kees Monshouwer)
+- `commit bbc0bc5 <https://github.com/PowerDNS/pdns/commit/bbc0bc5>`__:
+ fix for errata 3441 of RFC5155 (Kees Monshouwer)
+- `commit e8bfa7b <https://github.com/PowerDNS/pdns/commit/e8bfa7b>`__:
+ allow covering NSEC3 record in NODATA response (Kees Monshouwer)
+- `commit f0b3b24 <https://github.com/PowerDNS/pdns/commit/f0b3b24>`__:
+ return NOTIMP for direct RRSIG request (Kees Monshouwer)
+- `commit c79addc <https://github.com/PowerDNS/pdns/commit/c79addc>`__:
+ import pdnssec checkZone() from master (Kees Monshouwer)
+- `commit 2f1fec7 <https://github.com/PowerDNS/pdns/commit/2f1fec7>`__:
+ import pdnssec rectifyZone() from master (Kees Monshouwer)
+
+PowerDNS Authoritative Server 3.4.4
+-----------------------------------
+
+Released 23rd of April, 2015
+
+**Warning**: Version 3.4.4 of the PowerDNS Authoritative Server is a
+major upgrade if you are coming from 2.9.x. Additionally, if you are
+coming from any 3.x version (including 3.3.1), there is a mandatory SQL
+schema upgrade. Please refer to the `Upgrade
+documentation <authoritative/upgrading.md>`__ for important information
+on correct and stable operation, as well as notes on performance and
+memory use.
+
+Among other bug fixes and improvements (as listed below), this release
+incorporates a fix for CVE-2015-1868, as detailed in `PowerDNS Security
+Advisory 2015-01 <security/powerdns-advisory-2015-01.md>`__
+
+Bug fixes:
+
+- `commit ac3ae09 <https://github.com/PowerDNS/pdns/commit/ac3ae09>`__:
+ fix rectify-(all)-zones for mixed case domain names
+- `commit 2dea55e <https://github.com/PowerDNS/pdns/commit/2dea55e>`__,
+ `commit 032d565 <https://github.com/PowerDNS/pdns/commit/032d565>`__,
+ `commit 55f2dbf <https://github.com/PowerDNS/pdns/commit/55f2dbf>`__:
+ fix CVE-2015-1868
+- `commit 21cdbe5 <https://github.com/PowerDNS/pdns/commit/21cdbe5>`__:
+ Blocking IO in busy-wait for remote backend (Wieger Opmeer)
+- `commit cc7b2ac <https://github.com/PowerDNS/pdns/commit/cc7b2ac>`__:
+ fix double dot for root MX/SRV in bind slave zone files (Kees
+ Monshouwer)
+- `commit c40307b <https://github.com/PowerDNS/pdns/commit/c40307b>`__:
+ Properly lock lmdb database, fixes `ticket
+ #1954 <https://github.com/PowerDNS/pdns/issues/1954>`__ (Aki Tuomi)
+- `commit 662e76d <https://github.com/PowerDNS/pdns/commit/662e76d>`__:
+ Fix segfault in zone2lmdb (Ruben Kerkhof)
+
+New Features:
+
+- `commit 5ae212e <https://github.com/PowerDNS/pdns/commit/5ae212e>`__:
+ pdnssec: warn for insecure wildcards in opt-out zones
+- commits
+ `cd3f21c <https://github.com/PowerDNS/pdns/commit/cd3f21c>`__,
+ `8b582f6 <https://github.com/PowerDNS/pdns/commit/8b582f6>`__,
+ `0b7e766 <https://github.com/PowerDNS/pdns/commit/0b7e766>`__,
+ `f743af9 <https://github.com/PowerDNS/pdns/commit/f743af9>`__,
+ `dcde3c8 <https://github.com/PowerDNS/pdns/commit/dcde3c8>`__ and
+ `f12fcf7 <https://github.com/PowerDNS/pdns/commit/f12fcf7>`__: TKEY
+ record type (Aki Tuomi)
+- commits
+ `0fda1d9 <https://github.com/PowerDNS/pdns/commit/0fda1d9>`__,
+ `3dd139d <https://github.com/PowerDNS/pdns/commit/3dd139d>`__,
+ `ba146ce <https://github.com/PowerDNS/pdns/commit/ba146ce>`__,
+ `25109e2 <https://github.com/PowerDNS/pdns/commit/25109e2>`__,
+ `c011a01 <https://github.com/PowerDNS/pdns/commit/c011a01>`__,
+ `0600350 <https://github.com/PowerDNS/pdns/commit/0600350>`__,
+ `fc96b5e <https://github.com/PowerDNS/pdns/commit/fc96b5e>`__,
+ `4414468 <https://github.com/PowerDNS/pdns/commit/4414468>`__,
+ `c163d41 <https://github.com/PowerDNS/pdns/commit/c163d41>`__,
+ `f52c7f6 <https://github.com/PowerDNS/pdns/commit/f52c7f6>`__,
+ `8d56a31 <https://github.com/PowerDNS/pdns/commit/8d56a31>`__,
+ `7821417 <https://github.com/PowerDNS/pdns/commit/7821417>`__,
+ `ea62bd9 <https://github.com/PowerDNS/pdns/commit/ea62bd9>`__,
+ `c5ababd <https://github.com/PowerDNS/pdns/commit/c5ababd>`__,
+ `91c8351 <https://github.com/PowerDNS/pdns/commit/91c8351>`__ and
+ `073ac49 <https://github.com/PowerDNS/pdns/commit/073ac49>`__: Many
+ PKCS#11 improvements (Aki Tuomi)
+- commits `6f0d4f1 <https://github.com/PowerDNS/pdns/commit/6f0d4f1>`__
+ and `5eb33cb <https://github.com/PowerDNS/pdns/commit/5eb33cb>`__:
+ Introduce xfrBlobNoSpaces and use them for TSIG (Aki Tuomi)
+
+Improvements:
+
+- `commit e4f48ab <https://github.com/PowerDNS/pdns/commit/e4f48ab>`__:
+ allow "pdnssec set-nsec3 ZONE" for insecure zones; this saves on one
+ rectify when securing a NSEC3 zone
+- commits
+ `cce95b9 <https://github.com/PowerDNS/pdns/commit/cce95b9>`__,
+ `e2e9243 <https://github.com/PowerDNS/pdns/commit/e2e9243>`__ and
+ `e82da97 <https://github.com/PowerDNS/pdns/commit/e82da97>`__:
+ Improvements to the config-file parsing (Aki Tuomi)
+- `commit 2180e21 <https://github.com/PowerDNS/pdns/commit/2180e21>`__:
+ postgresql check should not touch LDFLAGS (Ruben Kerkhof)
+- `commit 0481021 <https://github.com/PowerDNS/pdns/commit/0481021>`__:
+ Log error when remote cannot do AXFR (Aki Tuomi)
+- `commit 1ecc3a5 <https://github.com/PowerDNS/pdns/commit/1ecc3a5>`__:
+ Speed improvements when AXFR is disabled (Christian Hofstaedtler)
+- commits `1f7334e <https://github.com/PowerDNS/pdns/commit/1f7334e>`__
+ and `b17799a <https://github.com/PowerDNS/pdns/commit/b17799a>`__:
+ NSEC3 and related RRSIGS are not part of the dnstree (Kees
+ Monshouwer)
+- commits `dd943dd <https://github.com/PowerDNS/pdns/commit/dd943dd>`__
+ and `58c4834 <https://github.com/PowerDNS/pdns/commit/58c4834>`__:
+ Change ifdef to check for ``__GLIBC__`` instead of ``__linux__`` to
+ prevent errors with other libc's (James Taylor)
+- `commit c929d50 <https://github.com/PowerDNS/pdns/commit/c929d50>`__:
+ Try to raise open files before dropping privileges (Aki Tuomi)
+- `commit 69fd3dc <https://github.com/PowerDNS/pdns/commit/69fd3dc>`__:
+ Add newline to carbon error message on auth (Aki Tuomi)
+- `commit 3064f80 <https://github.com/PowerDNS/pdns/commit/3064f80>`__:
+ Make sure we send servfail on error (Aki Tuomi)
+- `commit b004529 <https://github.com/PowerDNS/pdns/commit/b004529>`__:
+ Ship lmdb-example.pl in tarball (Ruben Kerkhof)
+- `commit 9e6b24f <https://github.com/PowerDNS/pdns/commit/9e6b24f>`__:
+ Allocate TCP buffer dynamically, decreasing stack usage
+- `commit 267fdde <https://github.com/PowerDNS/pdns/commit/267fdde>`__:
+ throw if getSOA gets non-SOA record
+
+PowerDNS Authoritative Server 3.4.3
+-----------------------------------
+
+**Warning**: Version 3.4.3 of the PowerDNS Authoritative Server is a
+major upgrade if you are coming from 2.9.x. Additionally, if you are
+coming from any 3.x version (including 3.3.1), there is a mandatory SQL
+schema upgrade. Please refer to the `Upgrade
+documentation <authoritative/upgrading.md>`__ for important information
+on correct and stable operation, as well as notes on performance and
+memory use.
+
+Released March 2nd, 2015
+
+Find the downloads `on our download
+page <https://www.powerdns.com/downloads.html>`__.
+
+Bug fixes:
+
+- `commit ceb49ce <https://github.com/PowerDNS/pdns/commit/ceb49ce>`__:
+ pdns\_control: exit 1 on unknown command (Ruben Kerkhof)
+- `commit 1406891 <https://github.com/PowerDNS/pdns/commit/1406891>`__:
+ evaluate KSK ZSK pairs per algorithm (Kees Monshouwer)
+- `commit 3ca050f <https://github.com/PowerDNS/pdns/commit/3ca050f>`__:
+ always set di.notified\_serial in getAllDomains (Kees Monshouwer)
+- `commit d9d09e1 <https://github.com/PowerDNS/pdns/commit/d9d09e1>`__:
+ pdns\_control: don't open socket in /tmp (Ruben Kerkhof)
+
+New features:
+
+- `commit 2f67952 <https://github.com/PowerDNS/pdns/commit/2f67952>`__:
+ Limit who can send us AXFR notify queries (Ruben Kerkhof)
+
+Improvements:
+
+- `commit d7bec64 <https://github.com/PowerDNS/pdns/commit/d7bec64>`__:
+ respond REFUSED instead of NOERROR for "unknown zone" situations
+- `commit ebeb9d7 <https://github.com/PowerDNS/pdns/commit/ebeb9d7>`__:
+ Check for Lua 5.3 (Ruben Kerkhof)
+- `commit d09931d <https://github.com/PowerDNS/pdns/commit/d09931d>`__:
+ Check compiler for relro support instead of linker (Ruben Kerkhof)
+- `commit c4b0d0c <https://github.com/PowerDNS/pdns/commit/c4b0d0c>`__:
+ Replace PacketHandler with UeberBackend where possible (Christian
+ Hofstaedtler)
+- `commit 5a85152 <https://github.com/PowerDNS/pdns/commit/5a85152>`__:
+ PacketHandler: Share UeberBackend with DNSSECKeeper (Christian
+ Hofstaedtler)
+- `commit 97bd444 <https://github.com/PowerDNS/pdns/commit/97bd444>`__:
+ fix building with GCC 5
+
+Experimental API changes (Christian Hofstaedtler):
+
+- `commit ca44706 <https://github.com/PowerDNS/pdns/commit/ca44706>`__:
+ API: move shared DomainInfo reader into it's own function
+- `commit 102602f <https://github.com/PowerDNS/pdns/commit/102602f>`__:
+ API: allow writing to domains.account field
+- `commit d82f632 <https://github.com/PowerDNS/pdns/commit/d82f632>`__:
+ API: read and expose domain account field
+- `commit 2b06977 <https://github.com/PowerDNS/pdns/commit/2b06977>`__:
+ API: be more strict when parsing record contents
+- `commit 2f72b7c <https://github.com/PowerDNS/pdns/commit/2f72b7c>`__:
+ API: Reject unknown types (TYPE0)
+- `commit d82f632 <https://github.com/PowerDNS/pdns/commit/d82f632>`__:
+ API: read and expose domain account field
+
+PowerDNS Authoritative Server 3.4.2
+-----------------------------------
+
+**Warning**: Version 3.4.2 of the PowerDNS Authoritative Server is a
+major upgrade if you are coming from 2.9.x. Additionally, if you are
+coming from any 3.x version (including 3.3.1), there is a mandatory SQL
+schema upgrade. Please refer to the `Upgrade
+documentation <authoritative/upgrading.md>`__ for important information
+on correct and stable operation, as well as notes on performance and
+memory use.
+
+Released February 3rd, 2015
+
+Find the downloads `on our download
+page <https://www.powerdns.com/downloads.html>`__.
+
+This is a performance and bugfix update to 3.4.1 and any earlier
+version. For high traffic setups, including those using DNSSEC,
+upgrading to 3.4.2 may show tremendous performance increases.
+
+A list of changes since 3.4.1 follows.
+
+Improvements:
+
+- `commit 73004f1 <https://github.com/PowerDNS/pdns/commit/73004f1>`__:
+ implement CORS for the HTTP API
+- `commit 4d9c289 <https://github.com/PowerDNS/pdns/commit/4d9c289>`__:
+ qtype is now case insensitive in API and database
+- `commit 13af5d8 <https://github.com/PowerDNS/pdns/commit/13af5d8>`__,
+ `commit 223373a <https://github.com/PowerDNS/pdns/commit/223373a>`__,
+ `commit 1d5a68d <https://github.com/PowerDNS/pdns/commit/1d5a68d>`__,
+ `commit 705a73f <https://github.com/PowerDNS/pdns/commit/705a73f>`__,
+ `commit b418d52 <https://github.com/PowerDNS/pdns/commit/b418d52>`__:
+ Allow (optional) PIE hardening
+- `commit 2f86f20 <https://github.com/PowerDNS/pdns/commit/2f86f20>`__:
+ json-api: remove priority from json
+- `commit cefcf9f <https://github.com/PowerDNS/pdns/commit/cefcf9f>`__:
+ backport remotebackend fixes
+- `commit 920f987 <https://github.com/PowerDNS/pdns/commit/920f987>`__,
+ `commit dd8853c <https://github.com/PowerDNS/pdns/commit/dd8853c>`__:
+ Support Lua 5.3
+- `commit 003aae5 <https://github.com/PowerDNS/pdns/commit/003aae5>`__:
+ support single-type ZSK signing
+- `commit 1c57e1d <https://github.com/PowerDNS/pdns/commit/1c57e1d>`__:
+ Potential fix for `ticket
+ #1907 <https://github.com/PowerDNS/pdns/issues/1907>`__, we now try
+ to trigger libgcc\_s.so.1 to load before we chroot. I can't reproduce
+ the bug on my local system, but this "should" help. Seriously.
+- `commit 031ab21 <https://github.com/PowerDNS/pdns/commit/031ab21>`__:
+ update polarssl to 1.3.9
+
+Bug fixes:
+
+- `commit 60b2b7c <https://github.com/PowerDNS/pdns/commit/60b2b7c>`__,
+ `commit d962fbc <https://github.com/PowerDNS/pdns/commit/d962fbc>`__:
+ refuse overly long labels in names
+- `commit a64fd6a <https://github.com/PowerDNS/pdns/commit/a64fd6a>`__:
+ auth: limit long version strings to 63 characters and catch
+ exceptions in secpoll
+- `commit fa52e02 <https://github.com/PowerDNS/pdns/commit/fa52e02>`__:
+ pdnssec: fix ttl check for RRSIG records
+- `commit 0678b25 <https://github.com/PowerDNS/pdns/commit/0678b25>`__:
+ fix up latency reporting for sub-millisecond latencies (would clip to
+ 0)
+- `commit d45c1f1 <https://github.com/PowerDNS/pdns/commit/d45c1f1>`__:
+ make sure we don't throw an exception on "pdns\_control show" of an
+ unknown variable
+- `commit 63c8088 <https://github.com/PowerDNS/pdns/commit/63c8088>`__:
+ fix startup race condition with carbon thread already trying to
+ broadcast uninitialized data
+- `commit 796321c <https://github.com/PowerDNS/pdns/commit/796321c>`__:
+ make qsize-q more robust
+- `commit 407867c <https://github.com/PowerDNS/pdns/commit/407867c>`__:
+ mind04 discovered we count corrupt packets and EAGAIN situations as
+ validly received packets, skewing the udp questions/answers graphs on
+ auth.
+- `commit f06d069 <https://github.com/PowerDNS/pdns/commit/f06d069>`__:
+ make latency & qsize reporting 'live'. Plus fix that we only reported
+ the qsize of the first distributor.
+- `commit 2f3498e <https://github.com/PowerDNS/pdns/commit/2f3498e>`__:
+ fix up statbag for carbon protocol and function pointers
+- `commit 0f2f999 <https://github.com/PowerDNS/pdns/commit/0f2f999>`__:
+ get priority from table in Lua axfrfilter; fixes `ticket
+ #1857 <https://github.com/PowerDNS/pdns/issues/1857>`__
+- `commit 96963e2 <https://github.com/PowerDNS/pdns/commit/96963e2>`__,
+ `commit bbcbbbe <https://github.com/PowerDNS/pdns/commit/bbcbbbe>`__,
+ `commit d5c9c07 <https://github.com/PowerDNS/pdns/commit/d5c9c07>`__:
+ various backends: fix records pointing at root
+- `commit e94c2c4 <https://github.com/PowerDNS/pdns/commit/e94c2c4>`__:
+ remove additional layer of trailing . stripping, which broke MX
+ records to the root in the BIND backend. Should close `ticket
+ #1243 <https://github.com/PowerDNS/pdns/issues/1243>`__.
+- `commit 8f35ba2 <https://github.com/PowerDNS/pdns/commit/8f35ba2>`__:
+ api: use uncached results for getKeys()
+- `commit c574336 <https://github.com/PowerDNS/pdns/commit/c574336>`__:
+ read ALLOW-AXFR-FROM from the backend with the metadata
+
+Minor changes:
+
+- `commit 1e39b4c <https://github.com/PowerDNS/pdns/commit/1e39b4c>`__:
+ move manpages to section 1
+- `commit b3992d9 <https://github.com/PowerDNS/pdns/commit/b3992d9>`__:
+ secpoll: Replace ~ with \_
+- `commit 9799ef5 <https://github.com/PowerDNS/pdns/commit/9799ef5>`__:
+ only zones with an active ksk are secure
+- `commit d02744f <https://github.com/PowerDNS/pdns/commit/d02744f>`__:
+ api: show keys for zones without active ksk
+
+New features:
+
+- `commit 1b97ba0 <https://github.com/PowerDNS/pdns/commit/1b97ba0>`__:
+ add signatures metric to auth, so we can plot signatures/second
+- `commit 92cef2d <https://github.com/PowerDNS/pdns/commit/92cef2d>`__:
+ pdns\_control: make it possible to notify all zones at once
+- `commit f648752 <https://github.com/PowerDNS/pdns/commit/f648752>`__:
+ JSON API: provide flush-cache, notify, axfr-retrieve
+- `commit 02653a7 <https://github.com/PowerDNS/pdns/commit/02653a7>`__:
+ add 'bench-db' to do very simple database backend performance
+ benchmark
+- `commit a83257a <https://github.com/PowerDNS/pdns/commit/a83257a>`__:
+ enable callback based metrics to statbas, and add 5 such metrics:
+ uptime, sys-msec, user-msec, key-cache-size, meta-cache-size,
+ signature-cache-size
+
+Performance improvements:
+
+- `commit a37fe8c <https://github.com/PowerDNS/pdns/commit/a37fe8c>`__:
+ better key for packetcache
+- `commit e5217bb <https://github.com/PowerDNS/pdns/commit/e5217bb>`__:
+ don't do time(0) under signature cache lock
+- `commit d061045 <https://github.com/PowerDNS/pdns/commit/d061045>`__,
+ `commit 135db51 <https://github.com/PowerDNS/pdns/commit/135db51>`__,
+ `commit 7d0f392 <https://github.com/PowerDNS/pdns/commit/7d0f392>`__:
+ shard the packet cache, closing `ticket
+ #1910 <https://github.com/PowerDNS/pdns/issues/1910>`__.
+- `commit d71a712 <https://github.com/PowerDNS/pdns/commit/d71a712>`__:
+ with thanks to Jack Lloyd, this works around the default Botan
+ allocator slowing down for us during production use.
+
+PowerDNS Authoritative Server 3.4.1
+-----------------------------------
+
+**Warning**: Version 3.4.1 of the PowerDNS Authoritative Server is a
+major upgrade if you are coming from 2.9.x. Additionally, if you are
+coming from any 3.x version (including 3.3.1), there is a mandatory SQL
+schema upgrade. Please refer to the `Upgrade
+documentation <authoritative/upgrading.md>`__ for important information
+on correct and stable operation, as well as notes on performance and
+memory use.
+
+Released October 30th, 2014
+
+Find the downloads `on our download
+page <https://www.powerdns.com/downloads.html>`__.
+
+This is a bugfix update to 3.4.0 and any earlier version.
+
+A list of changes since 3.4.0 follows.
+
+- `commit dcd6524 <https://github.com/PowerDNS/pdns/commit/dcd6524>`__,
+ `commit a8750a5 <https://github.com/PowerDNS/pdns/commit/a8750a5>`__,
+ `commit 7dc86bf <https://github.com/PowerDNS/pdns/commit/7dc86bf>`__,
+ `commit 2fda71f <https://github.com/PowerDNS/pdns/commit/2fda71f>`__:
+ PowerDNS now polls the security status of a release at startup and
+ periodically. More detail on this feature, and how to turn it off,
+ can be found in `Security
+ polling <common/security.md#security-polling>`__.
+- `commit 5fe6dc0 <https://github.com/PowerDNS/pdns/commit/5fe6dc0>`__:
+ API: Replace HTTP Basic auth with static key in custom header
+ (X-API-Key)
+- `commit 4a95ab4 <https://github.com/PowerDNS/pdns/commit/4a95ab4>`__:
+ Use transaction for pdnssec increase-serial
+- `commit 6e82a23 <https://github.com/PowerDNS/pdns/commit/6e82a23>`__:
+ Don't empty ordername during pdnssec increase-serial
+- `commit 535f4e3 <https://github.com/PowerDNS/pdns/commit/535f4e3>`__:
+ honor SOA-EDIT while considering "empty IXFR" fallback, fixes `ticket
+ 1835 <https://github.com/PowerDNS/pdns/issues/1835>`__. This fixes
+ slaving of signed zones to IXFR-aware slaves like NSD or BIND.
+
+PowerDNS Authoritative Server 3.4.0
+-----------------------------------
+
+Released September 30th, 2014
+
+This is a performance, feature, bugfix and conformity update to 3.3.1
+and any earlier version. It contains a huge amount of work by various
+contributors, to whom we are very grateful.
+
+**Warning**: Version 3.4.0 of the PowerDNS Authoritative Server is a
+major upgrade if you are coming from 2.9.x. Additionally, if you are
+coming from any 3.x version (including 3.3.1), there is a mandatory SQL
+schema upgrade. Please refer to the `Upgrade
+documentation <authoritative/upgrading.md>`__ for important information
+on correct and stable operation, as well as notes on performance and
+memory use.
+
+Downloads
+^^^^^^^^^
+
+Find the downloads `on our download
+page <https://www.powerdns.com/downloads.html>`__.
+
+A list of changes since 3.3.1 follows.
+
+Changes between RC2 and 3.4.0:
+
+- `commit ad189c9 <https://github.com/PowerDNS/pdns/commit/ad189c9>`__,
+ `commit 445d93c <https://github.com/PowerDNS/pdns/commit/445d93c>`__:
+ also distribute the dnsdist manual page
+- `commit b5a276d <https://github.com/PowerDNS/pdns/commit/b5a276d>`__,
+ `commit 0b346e9 <https://github.com/PowerDNS/pdns/commit/0b346e9>`__,
+ `commit 74caf87 <https://github.com/PowerDNS/pdns/commit/74caf87>`__,
+ `commit 642fd2e <https://github.com/PowerDNS/pdns/commit/642fd2e>`__:
+ Make sure all backends actually work as dynamic modules
+- `commit 14b11c4 <https://github.com/PowerDNS/pdns/commit/14b11c4>`__:
+ raise log level on dlerror(), fixes `ticket
+ 1734 <https://github.com/PowerDNS/pdns/issues/1734>`__, thanks
+ @James-TR
+- `commit 016d810 <https://github.com/PowerDNS/pdns/commit/016d810>`__:
+ improve postgresql detection during ./configure
+- `commit dce1e90 <https://github.com/PowerDNS/pdns/commit/dce1e90>`__:
+ DNAME: don't sign the synthesised CNAME
+- `commit 25e7af3 <https://github.com/PowerDNS/pdns/commit/25e7af3>`__:
+ send empty SERVFAIL after a backend throws a DBException, instead of
+ including useless content
+
+Changes between RC1 and RC2:
+
+- `commit bb6e54f <https://github.com/PowerDNS/pdns/commit/bb6e54f>`__:
+ document udp6-queries, udp4-queries, add rd-queries,
+ recursion-unanswered metrics & document. Closes `ticket
+ 1400 <https://github.com/PowerDNS/pdns/issues/1400>`__.
+- `commit 4a23af7 <https://github.com/PowerDNS/pdns/commit/4a23af7>`__:
+ init script: support DAEMON\_ARGS; `commit
+ 7e5b3a0 <https://github.com/PowerDNS/pdns/commit/7e5b3a0>`__: init
+ script: ensure socket dir exists
+- `commit dd930ed <https://github.com/PowerDNS/pdns/commit/dd930ed>`__:
+ don't import supermaster ips from other accounts
+- `commit ed3afdf <https://github.com/PowerDNS/pdns/commit/ed3afdf>`__:
+ fall back to central bind if reuseport bind fails; improves `ticket
+ 1715 <https://github.com/PowerDNS/pdns/issues/1715>`__
+- `commit 709ca59 <https://github.com/PowerDNS/pdns/commit/709ca59>`__:
+ GeoIP backend implementation. This is a new backend, still
+ experimental!
+- `commit bf5a484 <https://github.com/PowerDNS/pdns/commit/bf5a484>`__:
+ support EVERY future version of OS X, fixes `ticket
+ 1702 <https://github.com/PowerDNS/pdns/issues/1702>`__
+- `commit 4dbaec6 <https://github.com/PowerDNS/pdns/commit/4dbaec6>`__:
+ Check for \_\_FreeBSD\_kernel\_\_ as per
+ https://lists.debian.org/debian-bsd/2006/03/msg00127.html, fixes
+ `ticket 1684 <https://github.com/PowerDNS/pdns/issues/1684>`__;
+ `commit 74f389d <https://github.com/PowerDNS/pdns/commit/74f389d>`__:
+ \_\_FreeBSD\_kernel\_\_ is defined but empty on systems with FreeBSD
+ kernels, breaking compile. Thanks pawal
+- `commit 2e6bbd8 <https://github.com/PowerDNS/pdns/commit/2e6bbd8>`__:
+ Catch PDNSException in Signingpiper::helperWorker to avoid abort
+- `commit 0ffd51d <https://github.com/PowerDNS/pdns/commit/0ffd51d>`__:
+ improve error reporting on malformed labels
+- `commit c48dec7 <https://github.com/PowerDNS/pdns/commit/c48dec7>`__:
+ Fix forwarded TSIG message issue
+- `commit dad70f2 <https://github.com/PowerDNS/pdns/commit/dad70f2>`__:
+ skip TCP\_DEFER\_ACCEPT on platforms that do not have it (like
+ FreeBSD); fixes `ticket
+ 1658 <https://github.com/PowerDNS/pdns/issues/1658>`__
+- `commit c7287b6 <https://github.com/PowerDNS/pdns/commit/c7287b6>`__:
+ should fix `ticket
+ 1662 <https://github.com/PowerDNS/pdns/issues/1662>`__, reloading
+ while checking for domains that need to be notified in BIND, causing
+ lock
+- `commit 3e67ea8 <https://github.com/PowerDNS/pdns/commit/3e67ea8>`__:
+ allow OPT pseudo record type in IXFR query
+- `commit a1caa8b <https://github.com/PowerDNS/pdns/commit/a1caa8b>`__:
+ webserver: htmlescape VERSION and config name
+- `commit df9d980 <https://github.com/PowerDNS/pdns/commit/df9d980>`__:
+ Remove "log-failed-updates" leftover
+- `commit a1fe72a <https://github.com/PowerDNS/pdns/commit/a1fe72a>`__:
+ Remove unused "soa-serial-offset" option
+
+Changes between 3.3.1 and 3.4.0-RC1 follow.
+
+DNSSEC changes
+^^^^^^^^^^^^^^
+
+- `commit bba8413 <https://github.com/PowerDNS/pdns/commit/bba8413>`__:
+ add option (max-signature-cache-entries) to limit the maximum number
+ of cached signatures.
+- `commit 28b66a9 <https://github.com/PowerDNS/pdns/commit/28b66a9>`__:
+ limit the number of NSEC3 iterations (see RFC5155 10.3), with the
+ max-nsec3-iterations option.
+- `commit b50efd6 <https://github.com/PowerDNS/pdns/commit/b50efd6>`__:
+ drop the 'superfluous NSEC3' option that old BIND validators need.
+- The bindbackend 'hybrid' mode was reintroduced by Kees Monshouwer.
+ Enable it with bind-hybrid.
+- Aki Tuomi contributed experimental PKCS#11 support for DNSSEC key
+ management with a (Soft)HSM.
+- Direct RRSIG queries now return NOTIMP.
+- `commit fa37777 <https://github.com/PowerDNS/pdns/commit/fa37777>`__:
+ add secure-all-zones command to pdnssec
+- Unrectified zones can now get rectified 'on the fly' during outgoing
+ AXFR. This makes it possible to run a hidden signing master without
+ rectification.
+- `commit 82fb538 <https://github.com/PowerDNS/pdns/commit/82fb538>`__:
+ AXFR in: don't accept zones with a mixture of Opt-Out NSEC3 RRs and
+ non-Opt-Out NSEC3 RRs
+- Various minor bugfixes, mostly from the unstoppable Kees Monshouwer.
+- `commit 0c4c552 <https://github.com/PowerDNS/pdns/commit/0c4c552>`__:
+ set non-zero exit status in pdnssec if an exception was thrown, for
+ easier automatic usage.
+- `commit b8bd119 <https://github.com/PowerDNS/pdns/commit/b8bd119>`__:
+ pdnssec -v show-zone: Print all keys instead of just entry point
+ keys.
+- `commit 52e0d78 <https://github.com/PowerDNS/pdns/commit/52e0d78>`__:
+ answer direct NSEC queries without DO bit
+- `commit ca2eb01 <https://github.com/PowerDNS/pdns/commit/ca2eb01>`__:
+ output ZSK DNSKEY records if experimental-direct-dnskey support is
+ enabled
+- `commit 83609e2 <https://github.com/PowerDNS/pdns/commit/83609e2>`__:
+ SOA-EDIT: fix INCEPTION-INCREMENT handling
+- `commit ac4a2f1 <https://github.com/PowerDNS/pdns/commit/ac4a2f1>`__:
+ AXFR-out can handle secure and insecure NSEC3 optout delegations
+- `commit ff47302 <https://github.com/PowerDNS/pdns/commit/ff47302>`__:
+ AXFR-in can handle secure and insecure NSEC3 optout delegations
+
+New features
+^^^^^^^^^^^^
+
+- DNAME support. Enable with experimental-dname-processing.
+- PowerDNS can now send stats directly to Carbon servers. Enable with
+ carbon-server, tweak with carbon-ourname and carbon-interval.
+- `commit 767da1a <https://github.com/PowerDNS/pdns/commit/767da1a>`__:
+ Add list-zone capability to pdns\_control
+- `commit 51f6bca <https://github.com/PowerDNS/pdns/commit/51f6bca>`__:
+ Add delete-zone to pdnssec.
+- The gsql backends now support record comments, and disabling records.
+- The new reuseport config option allows setting SO\_REUSEPORT, which
+ allows for some performance improvements.
+- local-address-nonexist-fail and local-ipv6-nonexist-fail allow pdns
+ to start up even if some addresses fail to bind.
+- 'AXFR-SOURCE' in domainmetadata sets the source address for an AXFR
+ retrieval.
+- `commit 451ba51 <https://github.com/PowerDNS/pdns/commit/451ba51>`__:
+ Implement pdnssec get-meta/set-meta
+- Experimental RFC2136/DNS UPDATE support from Ruben d'Arco, with
+ extensive testing by Kees Monshouwer.
+- pdns\_control bind-add-zone
+- New option bind-ignore-broken-records ignores out-of-zone records
+ while loading zone files.
+- pdnssec now has commands for TSIG key management.
+- We now support other algorithms than MD5 for TSIG.
+- `commit ba7244a <https://github.com/PowerDNS/pdns/commit/ba7244a>`__:
+ implement pdns\_control qtypes
+- Support for += syntax for options
+
+Bugfixes
+^^^^^^^^
+
+- We verify the algorithm used for TSIG queries, and use the right
+ algorithm in signing if there is possible confusion. Plus a few minor
+ TSIG-related fixes.
+- `commit ff99a74 <https://github.com/PowerDNS/pdns/commit/ff99a74>`__:
+ making \*-threads settings empty now yields a default of one instead
+ of zero.
+- `commit 9215e60 <https://github.com/PowerDNS/pdns/commit/9215e60>`__:
+ we had a deadly embrace in getUpdatedMasters in bindbackend
+ reimplementation, thanks to Winfried for detailed debugging!
+- `commit 9245fd9 <https://github.com/PowerDNS/pdns/commit/9245fd9>`__:
+ don't addSuckRequest after supermaster zone creation to avoid one
+ cause of simultaneous AXFR for the same zone
+- `commit 719f902 <https://github.com/PowerDNS/pdns/commit/719f902>`__:
+ fix dual-stack superslave when multiple namservers share a ip
+- `commit 33966bf <https://github.com/PowerDNS/pdns/commit/33966bf>`__:
+ avoid address truncation in doNotifications
+- `commit eac85b1 <https://github.com/PowerDNS/pdns/commit/eac85b1>`__:
+ prevent duplicate slave notifications caused by different ipv6
+ address formatting
+- `commit 3c8a711 <https://github.com/PowerDNS/pdns/commit/3c8a711>`__:
+ make notification queue ipv6 compatible
+- `commit 0c13e45 <https://github.com/PowerDNS/pdns/commit/0c13e45>`__:
+ make isMaster ip check more tolerant for different ipv6 notations
+- Various fixes for possible issues reported by Coverity Scan (`commit
+ f17c93b <https://github.com/PowerDNS/pdns/commit/f17c93b>`__, )
+- `commit 9083987 <https://github.com/PowerDNS/pdns/commit/9083987>`__:
+ don't rely on included polarssl header files when using system
+ polarssl. Spotted by Oden Eriksson of Mandriva, thanks!
+- Various users reported pdns\_control hangs, especially when using the
+ guardian. We are confident that all causes of these hangs are now
+ gone.
+- Decreasing the webserver ringbuffer size could cause crashes.
+- `commit 4c89cce <https://github.com/PowerDNS/pdns/commit/4c89cce>`__:
+ nproxy: Add missing chdir("/") after chroot()
+- `commit 016a0ab <https://github.com/PowerDNS/pdns/commit/016a0ab>`__:
+ actually notice timeout during AXFR retrieve, thanks hkraal
+
+REST API changes
+^^^^^^^^^^^^^^^^
+
+- The REST API was much improved and is nearing stability, thanks to
+ Christian Hofstaedtler and others.
+- Mark Schouten at Tuxis contributed a zone importer.
+
+Other changes
+^^^^^^^^^^^^^
+
+- Our tarballs and packages now include \*.sql schema files for the SQL
+ backends.
+- The webserver (including API) now has an ACL (webserver-allow-from).
+- Webserver (including API) is now powered by YaHTTP.
+- Various autotools usage improvements from Ruben Kerkhof.
+- The dist tarball is now bzip2-compressed instead of gzip.
+- Various remotebackend updates, including replacing curl with
+ (included) yahttp.
+- Dynamic module loading is now allowed on Mac OS X.
+- The AXFR ACL (allow-axfr-ips) now defaults to 127.0.0.0/8,::1 instead
+ of the whole world.
+- `commit ba91c2f <https://github.com/PowerDNS/pdns/commit/ba91c2f>`__:
+ remove unused gpgsql-socket option and document postgres socket usage
+- Improved support for Lua 5.2.
+- The edns-subnet option code is now fixed at 8, and the
+ edns-subnet-option-numbers option has been removed.
+- geobackend now has very limited edns-subnet support - it will use the
+ 'real' remote if available.
+- pipebackend ABI v4 adds the zone name to the AXFR command.
+- We now `avoid
+ getaddrinfo() <http://blog.powerdns.com/2014/05/21/a-surprising-discovery-on-converting-ipv6-addresses-we-no-longer-prefer-getaddrinfo/>`__
+ as much as possible.
+- The packet cache now handles (forwarded) recursive answers better,
+ including TTL aging and respecting allow-recursion.
+- `commit ff5ba4f <https://github.com/PowerDNS/pdns/commit/ff5ba4f>`__:
+ pdns\_server ^^help no longer exits with 1.
+- Mark Zealey contributed an experimental LMDB backend. Kees Monshouwer
+ added experimental DNSSEC support to it. Thanks, both!
+- `commit 81859ba <https://github.com/PowerDNS/pdns/commit/81859ba>`__:
+ No longer attempt to answer questions coming in from port 0, reply
+ would not reach them anyhow. Thanks to Niels Bakker and sid3windr for
+ insight & debugging. Closes `ticket
+ 844 <https://github.com/PowerDNS/pdns/issues/844>`__.
+- RCodes are now reported in text in various places, thanks Aki.
+- Kees Monshouwer set up automatic testing for the oracle and goracle
+ backends, and fixed various issues in them.
+- Leftovers of previous support for Windows have been removed, thanks
+ to Kees Monshouwer, Aki Tuomi.
+- Bundled PolarSSL has been upgraded to 1.3.2
+- PolarSSL replaced previously bundled implementations of AES (`commit
+ e22d9b4 <https://github.com/PowerDNS/pdns/commit/e22d9b4>`__) and SHA
+ (`commit
+ 9101035 <https://github.com/PowerDNS/pdns/commit/9101035>`__)
+- bindbackend is now a module
+- `commit 14a2e52 <https://github.com/PowerDNS/pdns/commit/14a2e52>`__:
+ Use the inet data type for supermasters.ip on postgresql.
+- We now send an empty SERVFAIL when a CNAME chain is too long, instead
+ of including the partial chain.
+- `commit 3613a51 <https://github.com/PowerDNS/pdns/commit/3613a51>`__:
+ Show built-in features in ^^version output
+- `commit 4bd7d35 <https://github.com/PowerDNS/pdns/commit/4bd7d35>`__:
+ make domainmetadata queries case insensitive
+- `commit 088c334 <https://github.com/PowerDNS/pdns/commit/088c334>`__:
+ output warning message when no to be notified NS's are found
+- `commit 5631b44 <https://github.com/PowerDNS/pdns/commit/5631b44>`__:
+ gpsqlbackend: use empty defaults for dbname and user; libpq will use
+ the current user name for both by default
+- `commit d87ded3 <https://github.com/PowerDNS/pdns/commit/d87ded3>`__:
+ implement udp-truncation-threshold to override the previous 1680 byte
+ maximum response datagram size - no matter what EDNS0 said. Plus
+ document it.
+- Implement udp-truncation-threshold to override the previous 1680 byte
+ maximum response datagram size - no matter what EDNS0 said.
+- Removed settings related to fancy records, as we haven't supported
+ those since version 3.0
+- Based on earlier work by Mark Zealey, Kees Monshouwer increased our
+ packet cache performance between 200% and 500% depending on the
+ situation, by simplifying some code in `commit
+ 801812e <https://github.com/PowerDNS/pdns/commit/801812e>`__ and
+ `commit 8403ade <https://github.com/PowerDNS/pdns/commit/8403ade>`__.
+
+ PowerDNS Authoritative Server version 3.3.1
+--------------------------------------------
+
+Released December 17th, 2013
+
+This is a bugfix update to 3.3.
+
+Downloads
+^^^^^^^^^
+
+- `Official download
+ page <http://www.powerdns.com/content/downloads.html>`__
+- `native RHEL5/6 packages from Kees
+ Monshouwer <http://www.monshouwer.eu/download/3rd_party/pdns-server/>`__
+
+Changes since 3.3
+^^^^^^^^^^^^^^^^^
+
+- direct-dnskey is no longer experimental, thanks Kees Monshouwer & co
+ for extensive testing (`commit
+ e4b36a4 <https://github.com/PowerDNS/pdns/commit/e4b36a4>`__).
+- Handle signals during poll (`commit
+ 5dde2c6 <https://github.com/PowerDNS/pdns/commit/5dde2c6>`__).
+- `commit 7538e56 <https://github.com/PowerDNS/pdns/commit/7538e56>`__:
+ Fix zone2{sql,json} exit codes
+- `commit 7593c40 <https://github.com/PowerDNS/pdns/commit/7593c40>`__:
+ geobackend: fix possible nullptr deref
+- `commit 3506cc6 <https://github.com/PowerDNS/pdns/commit/3506cc6>`__:
+ gpsqlbackend: don't append empty dbname=/user= values to connect
+ string
+- gpgsql queries were simplified through the use of casting (`commit
+ 9a6e39c <https://github.com/PowerDNS/pdns/commit/9a6e39c>`__).
+- `commit a7aa9be <https://github.com/PowerDNS/pdns/commit/a7aa9be>`__:
+ Replace hardcoded make with variable
+- `commit e4fe901 <https://github.com/PowerDNS/pdns/commit/e4fe901>`__:
+ make sure to run PKG\_PROG\_PKG\_CONFIG before the first PKG\_\*
+ usage
+- `commit 29bf169 <https://github.com/PowerDNS/pdns/commit/29bf169>`__:
+ fix hmac-md5 TSIG key lookup
+- `commit c4e348b <https://github.com/PowerDNS/pdns/commit/c4e348b>`__:
+ fix 64+ character TSIG keys
+- `commit 00a7b25 <https://github.com/PowerDNS/pdns/commit/00a7b25>`__:
+ Fix comparison between signed and unsigned by using uint32\_t for
+ inception on INCEPTION-EPOCH
+- `commit d3f6432 <https://github.com/PowerDNS/pdns/commit/d3f6432>`__:
+ fix building on os x 10.9, thanks Martijn Bakker.
+- We now allow building against Lua 5.2 (`commit
+ bef3000 <https://github.com/PowerDNS/pdns/commit/bef3000>`__, `commit
+ 2bdd03b <https://github.com/PowerDNS/pdns/commit/2bdd03b>`__, `commit
+ 88d9e99 <https://github.com/PowerDNS/pdns/commit/88d9e99>`__).
+- `commit fa1f845 <https://github.com/PowerDNS/pdns/commit/fa1f845>`__:
+ autodetect MySQL 5.5+ connection charset
+- When misconfigured using 'right' timezones, a bug in (g)libc gmtime
+ breaks our signatures. Fixed in `commit
+ e4faf74 <https://github.com/PowerDNS/pdns/commit/e4faf74>`__ by Kees
+ Monshouwer by implementing our own gmtime\_r.
+- When sending SERVFAIL due to a CNAME loop, don't uselessly include
+ the CNAMEs (`commit
+ dfd1b82 <https://github.com/PowerDNS/pdns/commit/dfd1b82>`__).
+- Build fixes for platforms with 'weird' types (like s390/s390x):
+ `commit c669f7c <https://github.com/PowerDNS/pdns/commit/c669f7c>`__
+ (`details <http://blog.powerdns.com/2013/10/28/on-ragel-and-char-types/>`__),
+ `commit 07b904e <https://github.com/PowerDNS/pdns/commit/07b904e>`__
+ and `commit
+ 2400764 <https://github.com/PowerDNS/pdns/commit/2400764>`__.
+- Support for += syntax for options, `commit
+ 98dd325 <https://github.com/PowerDNS/pdns/commit/98dd325>`__ and
+ others.
+- `commit f8f29f4 <https://github.com/PowerDNS/pdns/commit/f8f29f4>`__:
+ nproxy: Add missing chdir("/") after chroot()
+- `commit 2e6e9ad <https://github.com/PowerDNS/pdns/commit/2e6e9ad>`__:
+ fix for "missing" libmysqlclient on RHEL/CentOS based systems
+- pdnssec check-zone improvements in `commit
+ 5205892 <https://github.com/PowerDNS/pdns/commit/5205892>`__, `commit
+ edb255f <https://github.com/PowerDNS/pdns/commit/edb255f>`__, `commit
+ 0dde9d0 <https://github.com/PowerDNS/pdns/commit/0dde9d0>`__, `commit
+ 07ee700 <https://github.com/PowerDNS/pdns/commit/07ee700>`__, `commit
+ 79a3091 <https://github.com/PowerDNS/pdns/commit/79a3091>`__, `commit
+ 08f3452 <https://github.com/PowerDNS/pdns/commit/08f3452>`__, `commit
+ bcf9daf <https://github.com/PowerDNS/pdns/commit/bcf9daf>`__, `commit
+ c9a3dd7 <https://github.com/PowerDNS/pdns/commit/c9a3dd7>`__, `commit
+ 6ebfd08 <https://github.com/PowerDNS/pdns/commit/6ebfd08>`__, `commit
+ fd53bd0 <https://github.com/PowerDNS/pdns/commit/fd53bd0>`__, `commit
+ 7eaa83a <https://github.com/PowerDNS/pdns/commit/7eaa83a>`__, `commit
+ e319467 <https://github.com/PowerDNS/pdns/commit/e319467>`__, ,
+- NSEC/NSEC3 fixes in `commit
+ 3191709 <https://github.com/PowerDNS/pdns/commit/3191709>`__, `commit
+ f75293f <https://github.com/PowerDNS/pdns/commit/f75293f>`__, `commit
+ cd30e94 <https://github.com/PowerDNS/pdns/commit/cd30e94>`__, `commit
+ 74baf86 <https://github.com/PowerDNS/pdns/commit/74baf86>`__, `commit
+ 1fa8b2b <https://github.com/PowerDNS/pdns/commit/1fa8b2b>`__
+- The webserver could crash when the ring buffers were resized, fixed
+ in `commit
+ 3dfb45f <https://github.com/PowerDNS/pdns/commit/3dfb45f>`__.
+- `commit 213ec4a <https://github.com/PowerDNS/pdns/commit/213ec4a>`__:
+ add constraints for name to pg schema
+- `commit f104427 <https://github.com/PowerDNS/pdns/commit/f104427>`__:
+ make domainmetadata queries case insensitive
+- `commit 78fc378 <https://github.com/PowerDNS/pdns/commit/78fc378>`__:
+ no label compression for name in TSIG records
+- `commit 15d6ffb <https://github.com/PowerDNS/pdns/commit/15d6ffb>`__:
+ pdnssec now outputs ZSK DNSKEY records if experimental-direct-dnskey
+ support is enabled (renamed to direct-dnskey before release!)
+- `commit ad67d0e <https://github.com/PowerDNS/pdns/commit/ad67d0e>`__:
+ drop cryptopp from static build as libcryptopp.a is broken on Debian
+ 7, which is what we build on
+- `commit 7632dd8 <https://github.com/PowerDNS/pdns/commit/7632dd8>`__:
+ support polarssl 1.3 externally.
+- Remotebackend was fully updated in various commits.
+- `commit 82def39 <https://github.com/PowerDNS/pdns/commit/82def39>`__:
+ SOA-EDIT: fix INCEPTION-INCREMENT handling
+- `commit a3a546c <https://github.com/PowerDNS/pdns/commit/a3a546c>`__:
+ add innodb-read-committed option to gmysql settings.
+- `commit 9c56e16 <https://github.com/PowerDNS/pdns/commit/9c56e16>`__:
+ actually notice timeout during AXFR retrieve, thanks hkraal
+
+PowerDNS Authoritative Server version 3.3
+-----------------------------------------
+
+Released on July 5th 2013
+
+This a stability, bugfix and conformity update to 3.2. It improves
+interoperability with various validators, either through bugfixes or by
+catering to their needs beyond the specifications.
+
+**Warning**: Version 3.3 of the PowerDNS Authoritative Server is a major
+upgrade if you are coming from 2.9.x. There are also some important
+changes if you are coming from 3.0, 3.1 or 3.2. Please refer to the
+`Upgrade documentation <authoritative/upgrading.md>`__ for important
+information on correct and stable operation, as well as notes on
+performance and memory use.
+
+Downloads
+^^^^^^^^^
+
+- `Official download
+ page <http://www.powerdns.com/content/downloads.html>`__
+- `native RHEL5/6 packages from Kees
+ Monshouwer <http://www.monshouwer.eu/download/3rd_party/pdns-server/>`__
+
+Changes between RC2 and final
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+- pdnssec rectify-zone now refuses to operate on presigned zones, as
+ rectification already happens during incoming transfer. Patch by Kees
+ Monshouwer in `commit
+ 9bd211e <https://github.com/PowerDNS/pdns/commit/9bd211e>`__.
+- We now handle zones with a mix of NSEC3 opt-out and non-opt-out
+ ranges correctly during inbound and outbound AXFR. Many thanks to
+ Kees Monshouwer. Code in `commit
+ 5aa7003 <https://github.com/PowerDNS/pdns/commit/5aa7003>`__ and
+ `commit d3e7b17 <https://github.com/PowerDNS/pdns/commit/d3e7b17>`__.
+- More remotebackend fixes (`commit
+ 32d4f44 <https://github.com/PowerDNS/pdns/commit/32d4f44>`__, `commit
+ 44c2ee8 <https://github.com/PowerDNS/pdns/commit/44c2ee8>`__, `commit
+ 1fcc7b7 <https://github.com/PowerDNS/pdns/commit/1fcc7b7>`__, `commit
+ 0b1a3b2 <https://github.com/PowerDNS/pdns/commit/0b1a3b2>`__, `commit
+ 9a319b1 <https://github.com/PowerDNS/pdns/commit/9a319b1>`__), thanks
+ Aki Tuomi.
+- Some compiler warnings were squashed (`commit
+ ed554db <https://github.com/PowerDNS/pdns/commit/ed554db>`__), thanks
+ Morten Stevens.
+- Fix broken memory access in LOC parser (`commit
+ 4eec51b <https://github.com/PowerDNS/pdns/commit/4eec51b>`__, `commit
+ bea513c <https://github.com/PowerDNS/pdns/commit/bea513c>`__), thanks
+ Aki Tuomi.
+- DNSSEC: DS queries at the apex of a zone for which we are not hosting
+ the parent, would wrongly get an 'unauth NOERROR'. Fixed by Kees
+ Monshouwer in `commit
+ 34479a6 <https://github.com/PowerDNS/pdns/commit/34479a6>`__.
+
+Changes between RC1 and RC2
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+- Added dnstcpbench tool, by popular demand.
+- We always shipped a static tools RPM; we now have a similar Debian
+ package. All packages have been cleaned up a bit, and the binary
+ collections are now consistent between RPM and Deb. New: pass
+ ^^enable-tools to configure to have the tools included in 'make all'
+ and 'make install'.
+- `commit 4d2e3f5 <https://github.com/PowerDNS/pdns/commit/4d2e3f5>`__:
+ add selinux policy files
+- We would sometimes send a single NULL byte, or nothing at all,
+ instead of an OPT record. Fixed in `commit
+ bf7f822 <https://github.com/PowerDNS/pdns/commit/bf7f822>`__, `commit
+ 063076b <https://github.com/PowerDNS/pdns/commit/063076b>`__, `commit
+ 90d361d <https://github.com/PowerDNS/pdns/commit/90d361d>`__.
+- `commit 2ee9ba2 <https://github.com/PowerDNS/pdns/commit/2ee9ba2>`__:
+ expand any-to-tcp to direct RRSIG queries
+- `commit 5fff084 <https://github.com/PowerDNS/pdns/commit/5fff084>`__,
+ `commit e38ef51 <https://github.com/PowerDNS/pdns/commit/e38ef51>`__:
+ drop no-op flag strict-rfc-axfrs, thanks Jelte Jansen.
+- `commit f3d8902 <https://github.com/PowerDNS/pdns/commit/f3d8902>`__,
+ `commit 7c0b859 <https://github.com/PowerDNS/pdns/commit/7c0b859>`__,
+ `commit 5eea730 <https://github.com/PowerDNS/pdns/commit/5eea730>`__:
+ Implement MINFO qtype for better interaction when slaving zones from
+ NSD (that contain MINFO). Thanks to Jelte Jansen.
+- `commit 8655a42 <https://github.com/PowerDNS/pdns/commit/8655a42>`__,
+ `commit bf79c6a <https://github.com/PowerDNS/pdns/commit/bf79c6a>`__,
+ `commit 38c941b <https://github.com/PowerDNS/pdns/commit/38c941b>`__:
+ SRV record can have a '.' as final field, from which we would
+ dutifully strip the trailing ., leaving void, confusing everything.
+ We now remove the trailing . in the right place, and not if we are
+ trying to server '.'. Again thanks to Jelte & SIDN for catching this.
+- `commit 70d5a66 <https://github.com/PowerDNS/pdns/commit/70d5a66>`__:
+ improve error message in ill formed unknown record type, thanks Jelte
+ Jansen for reporting.
+- `commit 3640473 <https://github.com/PowerDNS/pdns/commit/3640473>`__:
+ Built in webserver can now listen on IPv6, fixes `ticket
+ 843 <https://github.com/PowerDNS/pdns/issues/843>`__. Also silences
+ some useless messages about timeouts.
+- `commit 7db735c <https://github.com/PowerDNS/pdns/commit/7db735c>`__,
+ `commit d72166c <https://github.com/PowerDNS/pdns/commit/d72166c>`__:
+ CHANGES BEHAVIOUR: before we launch, check if we can connect to the
+ controlsocket we are about to obliterate. If it works, abort. Fixes
+ `ticket 841 <https://github.com/PowerDNS/pdns/issues/841>`__ and
+ changes standing behaviour. There might be circumstances where
+ PowerDNS now refuses to start, where it previously would. However,
+ starting and making our previous instance mute wasn't good.
+- `commit 9130f9e <https://github.com/PowerDNS/pdns/commit/9130f9e>`__:
+ correctly refuse out-of-zone data in bindbackend, closes `ticket
+ 845 <https://github.com/PowerDNS/pdns/issues/845>`__
+- `commit 3363ef7 <https://github.com/PowerDNS/pdns/commit/3363ef7>`__:
+ initialise server-id after all parsing is done, instead of half way
+ through. Fixes situations where server-id was emptied explicitly.
+ Reported by Wouter de Jong
+- `commit cd4f253 <https://github.com/PowerDNS/pdns/commit/cd4f253>`__:
+ bump boost requirement, thanks Wouter de Jong
+- `commit 58cad74 <https://github.com/PowerDNS/pdns/commit/58cad74>`__:
+ Update pdns auth init script so it works on wheezy
+- `commit 8714c9c <https://github.com/PowerDNS/pdns/commit/8714c9c>`__:
+ clang fixes by Aki Tuomi, thanks!
+- `commit 146601d <https://github.com/PowerDNS/pdns/commit/146601d>`__:
+ stretch supermasters.ip for IPv6, thanks Dennis Krul
+- `commit 1a5c5f9 <https://github.com/PowerDNS/pdns/commit/1a5c5f9>`__:
+ various remotebackend improvements by Aki Tuomi
+- `commit 6ab1a11 <https://github.com/PowerDNS/pdns/commit/6ab1a11>`__:
+ make sure systemd starts PowerDNS after relevant databases have been
+ started, thanks Morten Stevens.
+- `commit 606018f <https://github.com/PowerDNS/pdns/commit/606018f>`__,
+ `commit ee5e175 <https://github.com/PowerDNS/pdns/commit/ee5e175>`__,
+ `commit c76f6f4 <https://github.com/PowerDNS/pdns/commit/c76f6f4>`__:
+ check scopeMask of answer packet, not of query packet!
+- `commit 2b18bcf <https://github.com/PowerDNS/pdns/commit/2b18bcf>`__:
+ Added warning if trailing dot is used, thanks Aki Tuomi.
+- `commit 16cf913 <https://github.com/PowerDNS/pdns/commit/16cf913>`__:
+ make superfluous 'bind' NSEC3 record optional
+
+New features and important changes since 3.2 (these changes are in RC1 and up)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+- `commit 04576ee <https://github.com/PowerDNS/pdns/commit/04576ee>`__,
+ `commit b0e15c8 <https://github.com/PowerDNS/pdns/commit/b0e15c8>`__:
+ Implement pdnssec increase-serial, thanks Ruben d'Arco.
+- `commit cee857b <https://github.com/PowerDNS/pdns/commit/cee857b>`__:
+ PowerDNS now sets additional groups while dropping privileges.
+- `commit 7796a3b <https://github.com/PowerDNS/pdns/commit/7796a3b>`__:
+ Merge support for include-dir directive, thanks Aki Tuomi!
+- `commit d725755 <https://github.com/PowerDNS/pdns/commit/d725755>`__:
+ make pdns-static Conflict with pdns-server, closes `ticket
+ 640 <https://github.com/PowerDNS/pdns/issues/640>`__
+- `commit c0d5504 <https://github.com/PowerDNS/pdns/commit/c0d5504>`__:
+ pdnssec now emits 'INSERT INTO domain ..' queries when running
+ without named.conf, thanks Ruben d'Arco.
+- `commit a1d6b0c <https://github.com/PowerDNS/pdns/commit/a1d6b0c>`__:
+ Older versions of the BIND 9 validating recursor need a superfluous
+ NSEC3 record on positive wildcard responses. We now send this extra
+ NSEC3. Closes `ticket
+ 814 <https://github.com/PowerDNS/pdns/issues/814>`__.
+- `commit 07bf35d <https://github.com/PowerDNS/pdns/commit/07bf35d>`__:
+ catch a lot more errors in pdnssec and report them. Fixes `ticket
+ 588 <https://github.com/PowerDNS/pdns/issues/588>`__.
+- `commit 032e390 <https://github.com/PowerDNS/pdns/commit/032e390>`__:
+ make pdnssec exit with 1 on some error conditions, closes `ticket
+ 677 <https://github.com/PowerDNS/pdns/issues/677>`__
+- `commit 4af49b8 <https://github.com/PowerDNS/pdns/commit/4af49b8>`__,
+ `commit 4cec6ac <https://github.com/PowerDNS/pdns/commit/4cec6ac>`__:
+ add ability to create an 'active' or inactive key using add-zone-key
+ and import-zone-key, plus silenced some debugging. Fixes `ticket
+ 707 <https://github.com/PowerDNS/pdns/issues/707>`__.
+- `commit fae4167 <https://github.com/PowerDNS/pdns/commit/fae4167>`__:
+ Compiling against Lua 5.2 (^^with-lua=lua5.2) now disables some code
+ used for regression testing, instead of breaking during compile. This
+ means that Lua 5.2 can be used in production.
+- `commit abc8f3f <https://github.com/PowerDNS/pdns/commit/abc8f3f>`__,
+ `357f6a7 <https://github.com/PowerDNS/pdns/commit/357f6a7>`__:
+ Implement the new any-to-tcp option that, when set, always replies
+ with a truncated response (TC=1) to ANY queries, forcing them to use
+ TCP.
+- `commit 496073b <https://github.com/PowerDNS/pdns/commit/496073b>`__:
+ Since 3.0, pdnssec secure-zone has always generated 3 keys: one KSK
+ and two ZSK, with one ZSK active. For most, if not almost all, users,
+ this inactive ZSK is never used. We now no longer generate this
+ useless ZSK. The resulting smaller DNSKEY RRset improves
+ interoperability with certain validators. Closes `ticket
+ 824 <https://github.com/PowerDNS/pdns/issues/824>`__.
+- `commit df55450 <https://github.com/PowerDNS/pdns/commit/df55450>`__:
+ Non-DNSSEC ANY queries no longer get sent DNSSEC records. This
+ improves interoperability with some old resolvers. Patch by Kees
+ Monshouwer.
+- `commit 04b4bf6 <https://github.com/PowerDNS/pdns/commit/04b4bf6>`__:
+ Merge support for not using opt-out with NSEC3. Many thanks to Kees
+ Monshouwer.
+- `commit 8db49a6 <https://github.com/PowerDNS/pdns/commit/8db49a6>`__:
+ We now try not to NOTIFY ourselves. In convoluted cases involving
+ REUSE\_PORT and binding to 0.0.0.0 and ::, it might be possible that
+ we guess wrong, in which case you can set prevent-self-notification
+ to off.
+
+Important bug fixes
+^^^^^^^^^^^^^^^^^^^
+
+- `commit 63e365d <https://github.com/PowerDNS/pdns/commit/63e365d>`__:
+ don't mess up encoding when copying qname from question to answer in
+ packetcache. Based on reports&debugging by Jimmy Bergman (sigint),
+ Daniel Norman (Loopia) and the fine people at ISC. This avoids most
+ issues related to BIND 9 erroneously blacklisting PowerDNS for lack
+ of EDNS support.
+- `commit 3526186 <https://github.com/PowerDNS/pdns/commit/3526186>`__:
+ fix backslash handling in TXT parser, includes test. Thanks Jan-Piet
+ Mens.
+- `commit 830281f <https://github.com/PowerDNS/pdns/commit/830281f>`__,
+ `aef7330 <https://github.com/PowerDNS/pdns/commit/aef7330>`__: Accept
+ chars >127 ('high ASCII') in TXT records, closing `ticket
+ 541 <https://github.com/PowerDNS/pdns/issues/541>`__ and
+ `723 <https://github.com/PowerDNS/pdns/issues/723>`__.
+- `commit feef1ec <https://github.com/PowerDNS/pdns/commit/feef1ec>`__:
+ fix missing NSEC3 for secure delegation, thanks Kees Monshouwer,
+ closes `ticket 682 <https://github.com/PowerDNS/pdns/issues/682>`__
+- `commit b61e407 <https://github.com/PowerDNS/pdns/commit/b61e407>`__:
+ around Thursday midnight, during signature rollovers, we would update
+ the SOA serial too early. Fixed by reverting `commit
+ d90efbf <https://github.com/PowerDNS/pdns/commit/d90efbf>`__, adding
+ 7 days margin to inception. Fix by Kees Monshouwer.
+- `commit ff64750 <https://github.com/PowerDNS/pdns/commit/ff64750>`__:
+ make sure mixed-case queries get a correct apex NSEC3 type bitmap
+- `commit 4b153d8 <https://github.com/PowerDNS/pdns/commit/4b153d8>`__:
+ always lowercase next name in NSEC to avoid interop troubles with
+ validators, thanks Marco Davids&Matthijs Mekking.
+
+Other changes
+^^^^^^^^^^^^^
+
+- `commit 49977c6 <https://github.com/PowerDNS/pdns/commit/49977c6>`__:
+ fix bug in boost.m4 where it insists on setting -L, causing useless
+ RPATH in our binaries. Closes `ticket
+ 728 <https://github.com/PowerDNS/pdns/issues/728>`__
+- `commit 62ac758 <https://github.com/PowerDNS/pdns/commit/62ac758>`__:
+ use PolarSSL for MD5 hashing instead of shipping our own copy of md5
+ hashing code, thanks Aki Tuomi.
+- `commit 775acd9 <https://github.com/PowerDNS/pdns/commit/775acd9>`__:
+ give a better error on trying to add nsec3 parameters to a weird zone
+ like "1 0 1 ab" (which indicates that you forgot to specify a zone
+ name on the command line). Fixes `ticket
+ 800 <https://github.com/PowerDNS/pdns/issues/800>`__.
+- `commit 315dd2e <https://github.com/PowerDNS/pdns/commit/315dd2e>`__:
+ Simplify socket listening code, and make sure we always set the
+ nonblocking flag correctly. Patch by Mark Zealey, closes `ticket
+ 664 <https://github.com/PowerDNS/pdns/issues/664>`__.
+- `commit b35da1b <https://github.com/PowerDNS/pdns/commit/b35da1b>`__:
+ if\_ether.h is in netinet/ not net/ on OpenBSD, thanks Florian Obser.
+- `commit 71301b6 <https://github.com/PowerDNS/pdns/commit/71301b6>`__:
+ Replicate gsql backend feature of having separate -auth queries for
+ DNSSEC into oraclebackend. Also lets you disable dnssec if you are
+ not ready for it. Closes `ticket
+ 527 <https://github.com/PowerDNS/pdns/issues/527>`__, patch by Aki
+ Tuomi.
+- `commit 2125dac <https://github.com/PowerDNS/pdns/commit/2125dac>`__:
+ drop unused ignore-rd-bit flag
+- `commit 8c1a6d6 <https://github.com/PowerDNS/pdns/commit/8c1a6d6>`__:
+ NSECx optimizations, thanks Kees Monshouwer.
+- `commit 664716a <https://github.com/PowerDNS/pdns/commit/664716a>`__:
+ drop unused variables in lua backend ( `ticket
+ 653 <https://github.com/PowerDNS/pdns/issues/653>`__)
+- `commit d8ec70f <https://github.com/PowerDNS/pdns/commit/d8ec70f>`__:
+ fix db2 backend includes ( `ticket
+ 653 <https://github.com/PowerDNS/pdns/issues/653>`__)
+- `commit 6477102 <https://github.com/PowerDNS/pdns/commit/6477102>`__:
+ add goracle schema, thanks Aki Tuomi.
+- `commit 9118638 <https://github.com/PowerDNS/pdns/commit/9118638>`__:
+ make goraclebackend "at least work", closes `ticket
+ 729 <https://github.com/PowerDNS/pdns/issues/729>`__, thanks Aki
+ Tuomi.
+- `commit e0ad7bb <https://github.com/PowerDNS/pdns/commit/e0ad7bb>`__:
+ add DS digest type 4 to show-zone output; add algorithm names. Based
+ on a patch by Aki Tuomi, closes `ticket
+ 744 <https://github.com/PowerDNS/pdns/issues/744>`__
+- `commit 61a7fac <https://github.com/PowerDNS/pdns/commit/61a7fac>`__:
+ enable AM\_SILENT\_RULES, closing `ticket
+ 647 <https://github.com/PowerDNS/pdns/issues/647>`__
+- `commit 837f4b4 <https://github.com/PowerDNS/pdns/commit/837f4b4>`__:
+ do a better job at escaping TXT, fixes `ticket
+ 795 <https://github.com/PowerDNS/pdns/issues/795>`__
+- `commit 6ca3fa7 <https://github.com/PowerDNS/pdns/commit/6ca3fa7>`__:
+ add SOA-EDIT INCEPTION-INCREMENT mode, thanks stbuehler
+- `commit 6159c49 <https://github.com/PowerDNS/pdns/commit/6159c49>`__:
+ Add connection info to sql-connect message
+- `commit 9f62e34 <https://github.com/PowerDNS/pdns/commit/9f62e34>`__,
+ `commit 0fc965f <https://github.com/PowerDNS/pdns/commit/0fc965f>`__,
+ `commit 2035112 <https://github.com/PowerDNS/pdns/commit/2035112>`__:
+ Added EUI48 and EUI64 record types
+- `commit f9cf6d9 <https://github.com/PowerDNS/pdns/commit/f9cf6d9>`__:
+ cut the number of database queries in half for AXFR-in, thanks Kees
+ Monshouwer.
+- `commit c87f987 <https://github.com/PowerDNS/pdns/commit/c87f987>`__:
+ add default for SOA contact e-mail
+- `commit bb4a573 <https://github.com/PowerDNS/pdns/commit/bb4a573>`__:
+ move random backend to modules, thanks Kees Monshouwer.
+- `commit 1071abd <https://github.com/PowerDNS/pdns/commit/1071abd>`__:
+ restyle builtin webserver page, thanks Christian Hofstaedtler.
+- `commit cd5e158 <https://github.com/PowerDNS/pdns/commit/cd5e158>`__:
+ correct bogus use of poll(2) related constants, improving non-Linux
+ portability. Thanks Wouter de Jong.
+- `commit 27ff60a <https://github.com/PowerDNS/pdns/commit/27ff60a>`__:
+ make sure our NSEC(3)s for names with spaces in them are correct.
+ Reported by Jimmy Bergman. Includes test.
+- `commit 116e28a <https://github.com/PowerDNS/pdns/commit/116e28a>`__:
+ reduce log level of successful gpgsql/gsqlite3 connection to Info
+- `commit b23b90a <https://github.com/PowerDNS/pdns/commit/b23b90a>`__:
+ Metadata update is now in the same transaction as the AXFR. This
+ improves slaving speed tremendously, especially for SQLite users.
+ Patch by Kees Monshouwer.
+- `commit 4620e8a <https://github.com/PowerDNS/pdns/commit/4620e8a>`__:
+ Added zone2json, thanks Aki Tuomi.
+- `commit f0fa8b6 <https://github.com/PowerDNS/pdns/commit/f0fa8b6>`__:
+ Fix remotebackend setdomainmetadata return value handling. Fix by Aki
+ Tuomi, closes `ticket
+ 740 <https://github.com/PowerDNS/pdns/issues/740>`__.
+- `commit 80e82d6 <https://github.com/PowerDNS/pdns/commit/80e82d6>`__:
+ log control listener abort even more explicitly.
+- `commit 7c0cb15 <https://github.com/PowerDNS/pdns/commit/7c0cb15>`__,
+ `a718d74 <https://github.com/PowerDNS/pdns/commit/a718d74>`__:
+ support automake 1.12
+- `commit 3fe22eb <https://github.com/PowerDNS/pdns/commit/3fe22eb>`__,
+ `6707cb1 <https://github.com/PowerDNS/pdns/commit/6707cb1>`__: update
+ autoconf/automake preamble to non-deprecated variant, thanks Morten
+ Stevens
+- `commit 6c4e531 <https://github.com/PowerDNS/pdns/commit/6c4e531>`__:
+ disarm dead code that causes gcc crashes on ARM, thanks Morten
+ Stevens.
+- `commit 36855b5 <https://github.com/PowerDNS/pdns/commit/36855b5>`__:
+ if we failed to make a new UDP socket, we'd report a confusing error
+ about it.
+- `commit 1b8e5e6 <https://github.com/PowerDNS/pdns/commit/1b8e5e6>`__:
+ autoconf support for oracle, thanks Aki Tuomi. Closes `ticket
+ 726 <https://github.com/PowerDNS/pdns/issues/726>`__.
+- `commit 8ac0c06 <https://github.com/PowerDNS/pdns/commit/8ac0c06>`__:
+ allow setting of some oracle env vars. Patch by Aki Tuomi, closes
+ `ticket 725 <https://github.com/PowerDNS/pdns/issues/725>`__.
+- `commit 45e845b <https://github.com/PowerDNS/pdns/commit/45e845b>`__:
+ add example.rb sample script for remotebackend, thanks Aki Tuomi.
+- `commit 950bddd <https://github.com/PowerDNS/pdns/commit/950bddd>`__:
+ add pdnssec generate-zone-key command, thanks Aki. Closes `ticket
+ 711 <https://github.com/PowerDNS/pdns/issues/711>`__.
+- `commit 2c03cde <https://github.com/PowerDNS/pdns/commit/2c03cde>`__:
+ Replace select with waitForData in remotebackend. Patch by Aki Tuomi,
+ closes `ticket 715 <https://github.com/PowerDNS/pdns/issues/715>`__.
+- `commit 450292c <https://github.com/PowerDNS/pdns/commit/450292c>`__:
+ accept ANY responses during recursive forwarding, thanks Jan-Piet
+ Mens.
+- `commit d9dd76b <https://github.com/PowerDNS/pdns/commit/d9dd76b>`__:
+ actually clean up unix domain sockets too after use.
+- `commit 36758d2 <https://github.com/PowerDNS/pdns/commit/36758d2>`__:
+ merge `ticket 476 <https://github.com/PowerDNS/pdns/issues/476>`__ by
+ Aki Tuomi, providing default-ksk/zsk-algorithms/size configuration
+ parameters for pdnssec.
+- `commit 2f2b014 <https://github.com/PowerDNS/pdns/commit/2f2b014>`__:
+ apply variant of code in `ticket
+ 714 <https://github.com/PowerDNS/pdns/issues/714>`__ so we can lauch
+ pipe backend scripts with parameters, plus add experimental code that
+ if pipe-command is a unix domain socket, we use that.
+- `commit 9566683 <https://github.com/PowerDNS/pdns/commit/9566683>`__:
+ merge patch from ticket 712 addressing memory leak in remotebackend,
+ thanks Aki.
+- `commit fb6ed6f <https://github.com/PowerDNS/pdns/commit/fb6ed6f>`__:
+ explicitly set domain id during bindbackend superslave domain create,
+ thanks Kees Monshouwer&Aki Tuomi.
+- `commit 69bae20 <https://github.com/PowerDNS/pdns/commit/69bae20>`__:
+ use private temp dir when running under systemd, thanks Morten
+ Stevens&Ruben Kerkhof.
+- `commit b26a48a <https://github.com/PowerDNS/pdns/commit/b26a48a>`__:
+ fix rapidjson usage in remotebackend, patch by Aki Tuomi. Closes
+ `ticket 697 <https://github.com/PowerDNS/pdns/issues/697>`__.
+- `commit da8e6ae <https://github.com/PowerDNS/pdns/commit/da8e6ae>`__:
+ also answer questions with : in them.
+- `commit ef1c4bf <https://github.com/PowerDNS/pdns/commit/ef1c4bf>`__:
+ also spot trailing dots on CNAME content, thanks Jan-Piet Mens and
+ Ruben d'Arco.
+- `commit fb31631 <https://github.com/PowerDNS/pdns/commit/fb31631>`__:
+ only setCloseOnExec on valid sockets
+
+PowerDNS Authoritative Server 3.2
+---------------------------------
+
+Released January 17th, 2013
+
+This is a stability and conformity update to 3.1. It mostly makes our
+DNSSEC implementation more robust, and improves interoperability with
+various validators. 3.2 has received very extensive testing on a lot of
+edge cases, verifying output both against common validators and compared
+against other authoritative servers.
+
+**Warning**: Version 3.2 of the PowerDNS Authoritative Server is a major
+upgrade if you are coming from 2.9.x. There are also some important
+changes if you are coming from 3.0 or 3.1. Please refer to the `Upgrade
+documentation <authoritative/upgrading.md>`__ for important information
+on correct and stable operation, as well as notes on performance and
+memory use.
+
+Downloads
+^^^^^^^^^
+
+- `Official download
+ page <http://www.powerdns.com/content/downloads.html>`__
+- `native RHEL5/6 packages from Kees
+ Monshouwer <http://www.monshouwer.eu/download/3rd_party/pdns-server/>`__
+- `additional third-party
+ builds <http://wiki.powerdns.com/trac#GettingPowerDNSpackages>`__
+
+In addition to all the changes below, we now auto-build semi-static
+packages. Relevant changes to make that possible are in `commit
+2849 <http://wiki.powerdns.com/projects/trac/changeset/2849>`__, `commit
+2853 <http://wiki.powerdns.com/projects/trac/changeset/2853>`__, 2858,
+`commit 2859 <http://wiki.powerdns.com/projects/trac/changeset/2859>`__,
+`commit 2860 <http://wiki.powerdns.com/projects/trac/changeset/2860>`__.
+
+Changes between 3.2-RC4 and the final 3.2 release
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+- Aki Tuomi contributed a bunch of fixes to our crypto drivers. Code in
+ `commit
+ 3036 <http://wiki.powerdns.com/projects/trac/changeset/3036>`__ and
+ `commit
+ 3055 <http://wiki.powerdns.com/projects/trac/changeset/3055>`__/`commit
+ 3057 <http://wiki.powerdns.com/projects/trac/changeset/3057>`__.
+- The ksk\|zsk argument for pdnssec import-zone-key was required while
+ it should be optional. Fixed in `commit
+ 3051 <http://wiki.powerdns.com/projects/trac/changeset/3051>`__.
+
+Changes between 3.2-RC3 and 3.2-RC4
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+- The experimental undocumented bindbackend superslave mode would break
+ the first added domain until a restart. Fixed by Kees Monshouwer in
+ `commit
+ 3013 <http://wiki.powerdns.com/projects/trac/changeset/3013>`__.
+- Sander Hoentjen reported an issue with our choice of ports for
+ outgoing TCP connections. Investigating it turned up that we were
+ randomizing TCP connections on purpose while leaving UDP port choice
+ to the kernel, which should be the other way around. Fixed in `commit
+ 3014 <http://wiki.powerdns.com/projects/trac/changeset/3014>`__,
+ closing `ticket 643 <https://github.com/PowerDNS/pdns/issues/643>`__
+ and `ticket 644 <https://github.com/PowerDNS/pdns/issues/644>`__.
+- Aki Tuomi contributed some autoconf code to use mysql\_config if it
+ is available. Code in `commit
+ 3015 <http://wiki.powerdns.com/projects/trac/changeset/3015>`__ and
+ `commit
+ 3019 <http://wiki.powerdns.com/projects/trac/changeset/3019>`__,
+ closing `ticket 458 <https://github.com/PowerDNS/pdns/issues/458>`__.
+- The MongoDB backend was removed at the author's request, as it does
+ not work with any current libmongo versions. Change in `commit
+ 3017 <http://wiki.powerdns.com/projects/trac/changeset/3017>`__.
+- Mark Zealey discovered we were retrieving the ascii powerdns version
+ string for each packet, not just for version string queries. Fixed in
+ `commit
+ 3018 <http://wiki.powerdns.com/projects/trac/changeset/3018>`__,
+ closing `ticket 651 <https://github.com/PowerDNS/pdns/issues/651>`__.
+- Our new json code would not compile on solaris 9 and 10 due to lack
+ of strcasestr. Juraj Lutter contributed a portable version in `commit
+ 3020 <http://wiki.powerdns.com/projects/trac/changeset/3020>`__.
+- Mark Zealey noted that RRs with low TTLs could lower our
+ query-cache-ttl persistently. Fixed in `commit
+ 3023 <http://wiki.powerdns.com/projects/trac/changeset/3023>`__,
+ closing `ticket 662 <https://github.com/PowerDNS/pdns/issues/662>`__.
+- pdnssec now honours module-dir, patch by Fredrik Danerklint in
+ `commit
+ 3026 <http://wiki.powerdns.com/projects/trac/changeset/3026>`__.
+
+Changes between 3.2-RC2 and 3.2-RC3
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+- Michael Scheffler noticed that the lazy-recursion setting had no
+ effect at all. Setting removed in `commit
+ 3003 <http://wiki.powerdns.com/projects/trac/changeset/3003>`__.
+- Mark Zealey found that an earlier performance improvement could cause
+ crashes under high load, with lots of IPs configured in local-address
+ and receiver-threads higher than 1. Fixed in `commit
+ 3005 <http://wiki.powerdns.com/projects/trac/changeset/3005>`__.
+
+Changes between 3.2-RC1 and 3.2-RC2
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+- The udp-queries metric would only count on the first thread launched,
+ instead of on all threads. Additionally, it was initialised at MAXINT
+ at startup, instead of at 0. Both issues fixed by Kees Monshouwer in
+ `commit
+ 2999 <http://wiki.powerdns.com/projects/trac/changeset/2999>`__,
+ closing `ticket 491 <https://github.com/PowerDNS/pdns/issues/491>`__
+ and `ticket 582 <https://github.com/PowerDNS/pdns/issues/582>`__.
+- Aki Tuomi contributed zone2json, a great way for programmers to
+ benefit from our zone file parser. Code in `commit
+ 2997 <http://wiki.powerdns.com/projects/trac/changeset/2997>`__,
+ closes `ticket 509 <https://github.com/PowerDNS/pdns/issues/509>`__.
+- Our DNS TXT parser is not 8-bit safe, but our DNS TXT writer assumes
+ the reader is! Reported by Jan-Piet Mens in `ticket
+ 541 <https://github.com/PowerDNS/pdns/issues/541>`__, `commit
+ 2993 <http://wiki.powerdns.com/projects/trac/changeset/2993>`__ fixes
+ our writer but not yet our parser.
+- Ruben d'Arco did some improvements to the MyDNS backend, and provided
+ a full test suite for it, that we now run after every commit. Code in
+ `commit
+ 2988 <http://wiki.powerdns.com/projects/trac/changeset/2988>`__.
+- Some exceptions from backends would lose their meaning while bubbling
+ up. Fixed by Aki Tuomi in `commit
+ 2985 <http://wiki.powerdns.com/projects/trac/changeset/2985>`__,
+ closing `ticket 639 <https://github.com/PowerDNS/pdns/issues/639>`__.
+- The packet-cache honours max reply length while matching cached
+ packets against queries, but not EDNS status. This would mean that
+ EDNS-enabled replies with a 512 reply len could be returned on
+ non-EDNS queries. Spotted while investigating a report from Winfried
+ Angele, patched by Ruben d'Arco in `commit
+ 2982 <http://wiki.powerdns.com/projects/trac/changeset/2982>`__,
+ closing `ticket 630 <https://github.com/PowerDNS/pdns/issues/630>`__.
+- Errors involving creating, deletion or changing permissions on the
+ control socket were unclear. Ruben d'Arco improved this in `commit
+ 2981 <http://wiki.powerdns.com/projects/trac/changeset/2981>`__.
+- pipe-timeout was always documented to be in milliseconds, but it
+ turns out it was in seconds! `commit
+ 2971 <http://wiki.powerdns.com/projects/trac/changeset/2971>`__
+ changes them to actually be in ms, and 'increases' the default from
+ 1000 seconds to 2000 milliseconds.
+- Some exceptions would get dropped during inbound AXFR, yielding a log
+ file that says 'transaction started' and nothing after that, making
+ AXFR fail silently. `commit
+ 2976 <http://wiki.powerdns.com/projects/trac/changeset/2976>`__ and
+ `commit
+ 2977 <http://wiki.powerdns.com/projects/trac/changeset/2977>`__
+ improve this somewhat.
+- We now error out on empty labels inside of names (www..example.com)
+ instead of generating bogus reply packets. Code in `commit
+ 2972 <http://wiki.powerdns.com/projects/trac/changeset/2972>`__,
+ reported by several users.
+- Doing chmod before chown, instead of the other way around, apparently
+ avoids requiring a whole SELinux capability. Reported by Sander
+ Hoentjen, fixed in `commit
+ 2965 <http://wiki.powerdns.com/projects/trac/changeset/2965>`__.
+- Christian Hofstaedtler fixed a bug in our Debian init.d script. Code
+ in `commit
+ 2963 <http://wiki.powerdns.com/projects/trac/changeset/2963>`__.
+- Superslave errors ('Unable to find backend willing to host ..') now
+ include the NSset found at the master, to aid debugging. Code in
+ `commit
+ 2887 <http://wiki.powerdns.com/projects/trac/changeset/2887>`__.
+- `commit
+ 2874 <http://wiki.powerdns.com/projects/trac/changeset/2874>`__ in
+ RC1 broke compilation without SQLite3 and made query logging
+ unreliable. Fixed in `commit
+ 2888 <http://wiki.powerdns.com/projects/trac/changeset/2888>`__,
+ `commit
+ 2889 <http://wiki.powerdns.com/projects/trac/changeset/2889>`__.
+- The dnsreplay tool now processes single packet pcaps. Fix in `commit
+ 2895 <http://wiki.powerdns.com/projects/trac/changeset/2895>`__.
+- PowerDNS always derives NSEC/NSEC3 from the actual zone content. To
+ accommodate this, zone2sql now drops NSEC/NSEC3 records, as those
+ should never be in a PowerDNS backend directly (`commit
+ 2915 <http://wiki.powerdns.com/projects/trac/changeset/2915>`__),
+ bindbackend ignores NSEC/NSEC3 while reading zonefiles (`commit
+ 2917 <http://wiki.powerdns.com/projects/trac/changeset/2917>`__) and
+ pdnssec reports NSEC/NSEC3 in the database as an error condition
+ (`commit
+ 2918 <http://wiki.powerdns.com/projects/trac/changeset/2918>`__).
+- The bindbackend now ignores NSEC/NSEC3 records while reading
+ zonefiles. Change in `commit
+ 2917 <http://wiki.powerdns.com/projects/trac/changeset/2917>`__.
+- An EXPERIMENTAL feature ('direct-dnskey') for reading ZSKs from the
+ records table/your BIND zonefile was added in `commit
+ 2920 <http://wiki.powerdns.com/projects/trac/changeset/2920>`__,
+ `commit
+ 2921 <http://wiki.powerdns.com/projects/trac/changeset/2921>`__,
+ `commit
+ 2922 <http://wiki.powerdns.com/projects/trac/changeset/2922>`__.
+- While fully optional, PowerDNS supports direct RRSIG queries. Kees
+ Monshouwer improved on our behaviour for those queries in `commit
+ 2927 <http://wiki.powerdns.com/projects/trac/changeset/2927>`__.
+- IPv6 glue situations require AAAA records for the receiving end of a
+ delegation in the ADDITIONAL section of a referral. This was
+ supported ('do-ipv6-additional-processing') but not enabled by
+ default. `commit
+ 2929 <http://wiki.powerdns.com/projects/trac/changeset/2929>`__
+ enables it by default.
+- pdnssec check-zone now warns for CNAME-and-other data at names in
+ your zones. Code by Ruben d'Arco in `commit
+ 2930 <http://wiki.powerdns.com/projects/trac/changeset/2930>`__.
+- Positive ANY-responses would include a spurious NSEC3. Corrected in
+ `commit
+ 2932 <http://wiki.powerdns.com/projects/trac/changeset/2932>`__ and
+ `commit
+ 2933 <http://wiki.powerdns.com/projects/trac/changeset/2933>`__,
+ cleaned up by Kees Monshouwer in `commit
+ 2935 <http://wiki.powerdns.com/projects/trac/changeset/2935>`__.
+- The ldapbackend now allows overriding the base dn for AXFR subtree
+ search. Fixed in `commit
+ 2934 <http://wiki.powerdns.com/projects/trac/changeset/2934>`__,
+ closing `ticket 536 <https://github.com/PowerDNS/pdns/issues/536>`__.
+
+Changes below are in 3.2-RC1 and up.
+
+DNSSEC changes in 3.2
+^^^^^^^^^^^^^^^^^^^^^
+
+- Kees Monshouwer did a tremendous amount of work to improve and
+ perfect our DNSSEC implementation, mostly in the NSEC3 area. Code in
+ `commit
+ 2687 <http://wiki.powerdns.com/projects/trac/changeset/2687>`__,
+ `commit
+ 2689 <http://wiki.powerdns.com/projects/trac/changeset/2689>`__,
+ `commit
+ 2691 <http://wiki.powerdns.com/projects/trac/changeset/2691>`__,
+ fixing `ticket 486 <https://github.com/PowerDNS/pdns/issues/486>`__,
+ `ticket 537 <https://github.com/PowerDNS/pdns/issues/537>`__, `ticket
+ 540 <https://github.com/PowerDNS/pdns/issues/540>`__. He also
+ implemented support for Empty Non-Terminals, code in `commit
+ 2721 <http://wiki.powerdns.com/projects/trac/changeset/2721>`__,
+ `commit
+ 2732 <http://wiki.powerdns.com/projects/trac/changeset/2732>`__,
+ `commit
+ 2745 <http://wiki.powerdns.com/projects/trac/changeset/2745>`__,
+ fixing `ticket 127 <https://github.com/PowerDNS/pdns/issues/127>`__
+ and `ticket 558 <https://github.com/PowerDNS/pdns/issues/558>`__.
+- Presigned wildcard operation was improved with the help of many
+ parties (see commit message for `commit
+ 2676 <http://wiki.powerdns.com/projects/trac/changeset/2676>`__).
+ Presigned operation was also changed to be more consistent with
+ master/live-signing operation. Code and a full test suite in `commit
+ 2709 <http://wiki.powerdns.com/projects/trac/changeset/2709>`__,
+ which also improves TTL behaviour for various situations. Fixes
+ `ticket 460 <https://github.com/PowerDNS/pdns/issues/460>`__, `ticket
+ 533 <https://github.com/PowerDNS/pdns/issues/533>`__, `ticket
+ 559 <https://github.com/PowerDNS/pdns/issues/559>`__.
+- Depending on database & locale settings, names starting with
+ underscore would sometimes cause broken records. `commit
+ 2710 <http://wiki.powerdns.com/projects/trac/changeset/2710>`__
+ contains schema and code changes for the gpgsql and gmysql backends
+ to sort this (no pun intended) definitively, closing `ticket
+ 550 <https://github.com/PowerDNS/pdns/issues/550>`__. In addition, a
+ pdnssec test-schema command was added (experimental and incomplete).
+ It can be used to verify underscore sorting and a few other
+ parameters of the database. Code in `commit
+ 2714 <http://wiki.powerdns.com/projects/trac/changeset/2714>`__.
+- We now always include an EDNS section in responses to queries that
+ also had an EDNS section. This was thought to improve BIND
+ interoperability, but this turned out to be false. In any case, this
+ change improves standards compliance. Spotted by Mats Dufberg, code
+ in `commit
+ 2649 <http://wiki.powerdns.com/projects/trac/changeset/2649>`__.
+- It turns out we were storing Botan keys the wrong way. Botan did not
+ care but Polar did, causing interoperability problems. Fixed in
+ `commit
+ 2720 <http://wiki.powerdns.com/projects/trac/changeset/2720>`__, with
+ the kind help of Paul Bakker of PolarSSL. Fixes `ticket
+ 492 <https://github.com/PowerDNS/pdns/issues/492>`__ as reported by
+ Florian Obser via Debian.
+- pdnssec add-zone-key now defaults to RSASHA256, like secure-zone
+ already did. Code in `commit
+ 2692 <http://wiki.powerdns.com/projects/trac/changeset/2692>`__.
+- pdns\_control purge now also purges DNSSEC-related caches (keys and
+ metadata). Code in `commit
+ 2694 <http://wiki.powerdns.com/projects/trac/changeset/2694>`__, by
+ Ruben d'Arco. Fixes `ticket
+ 530 <https://github.com/PowerDNS/pdns/issues/530>`__.
+- The signer thread would die in specific situations, leaving you with
+ a non-working but very busy system. Fixed in `commit
+ 2668 <http://wiki.powerdns.com/projects/trac/changeset/2668>`__,
+ `commit
+ 2670 <http://wiki.powerdns.com/projects/trac/changeset/2670>`__,
+ closing `ticket 517 <https://github.com/PowerDNS/pdns/issues/517>`__.
+- pdnssec secure-zone now warns when you just signed a slave zone.
+ Suggested by Mark Scholten, code in `commit
+ 2795 <http://wiki.powerdns.com/projects/trac/changeset/2795>`__,
+ closes `ticket 592 <https://github.com/PowerDNS/pdns/issues/592>`__.
+- pdnssec check-zone now warns about out-of-zone data. Patch by Kees
+ Monshouwer in `commit
+ 2826 <http://wiki.powerdns.com/projects/trac/changeset/2826>`__,
+ closing `ticket 604 <https://github.com/PowerDNS/pdns/issues/604>`__.
+- pdnssec now honours ^^no-config. Patch by Kees Monshouwer in `commit
+ 2810 <http://wiki.powerdns.com/projects/trac/changeset/2810>`__.
+- Various fixes for bindbackend presigned operation, mostly by Kees
+ Monshouwer. Code in `commit
+ 2815 <http://wiki.powerdns.com/projects/trac/changeset/2815>`__,
+ closing `ticket 600 <https://github.com/PowerDNS/pdns/issues/600>`__.
+- Bindbackend could get confused about domain metadata, sometimes even
+ causing hangs. Fixes by Kees Monshouwer in `commit
+ 2819 <http://wiki.powerdns.com/projects/trac/changeset/2819>`__ and
+ `commit
+ 2834 <http://wiki.powerdns.com/projects/trac/changeset/2834>`__,
+ closing `ticket 600 <https://github.com/PowerDNS/pdns/issues/600>`__
+ and `ticket 603 <https://github.com/PowerDNS/pdns/issues/603>`__.
+- SQL queries in gsql backends that reference the domain\_id column
+ have been made explicit about from what table they want this column.
+ This makes it easier to operate custom schemas without changing the
+ queries. Fix by Nicky Gerritsen in `commit
+ 2821 <http://wiki.powerdns.com/projects/trac/changeset/2821>`__.
+- In various situations involving CNAMEs and wildcards, and for ANY
+ queries involving CNAMEs, we would sometimes return bogus results.
+ Fixed in `commit
+ 2825 <http://wiki.powerdns.com/projects/trac/changeset/2825>`__ by
+ Kees Monshouwer.
+- rectify-zone accidentally set auth=1 on NS records of secure
+ delegations. Reported by George Notaras, fixed by Kees Monshouwer in
+ `commit
+ 2831 <http://wiki.powerdns.com/projects/trac/changeset/2831>`__,
+ closing `ticket 605 <https://github.com/PowerDNS/pdns/issues/605>`__.
+- The DNSSEC signature cache now actually gets cleaned up, avoiding
+ lasting spikes in memory usage every thursday. Code in `commit
+ 2836 <http://wiki.powerdns.com/projects/trac/changeset/2836>`__ and
+ `commit
+ 2843 <http://wiki.powerdns.com/projects/trac/changeset/2843>`__,
+ closing `ticket 594 <https://github.com/PowerDNS/pdns/issues/594>`__.
+- Signatures used to roll at midnight on thursday. We now roll them one
+ hour after midnight, with inception still set to midnight, to allow
+ for some variations in clock quality on resolvers. Code in `commit
+ 2857 <http://wiki.powerdns.com/projects/trac/changeset/2857>`__.
+- Duplicate records (same name/type/content/priority) would sometimes
+ get broken RRSIGs during outgoing AXFR. Fixed in `commit
+ 2856 <http://wiki.powerdns.com/projects/trac/changeset/2856>`__.
+- A root zone (name="") with DNSSEC would cause crashes in some
+ situations. Reported by Luuk Hendriks. Fixed in `commit
+ 2867 <http://wiki.powerdns.com/projects/trac/changeset/2867>`__,
+ `commit
+ 2868 <http://wiki.powerdns.com/projects/trac/changeset/2868>`__,
+ closing `ticket 614 <https://github.com/PowerDNS/pdns/issues/614>`__.
+- Direct RRSIG queries for zones with auto-completed SOA records would
+ cause trouble. Reported by Kees Monshouwer and fixed by him in
+ `commit
+ 2869 <http://wiki.powerdns.com/projects/trac/changeset/2869>`__.
+- When a name is matched only by a wildcard, but the type in the query
+ is not present, we would be lacking one NSEC(3) record to prove the
+ existence of the wildcard. Fixed by Kees Monshouwer in `commit
+ 2872 <http://wiki.powerdns.com/projects/trac/changeset/2872>`__ and
+ `commit
+ 2873 <http://wiki.powerdns.com/projects/trac/changeset/2873>`__.
+- Luuk Hendriks spotted that our PolarSSL RSA key generation code was
+ using inferior entropy. This can be important on virtual machines
+ with badly implemented clocks. Fixed in `commit
+ 2876 <http://wiki.powerdns.com/projects/trac/changeset/2876>`__,
+ closing `ticket 615 <https://github.com/PowerDNS/pdns/issues/615>`__.
+
+Non-DNSSEC improvements/changes
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+- Bindbackend would sometimes crash on startup, due to a
+ sync\_with\_stdio call. This call has been moved to pdns\_server
+ proper to occur before any threads are spawned, avoiding race
+ conditions in this call. Note that this crash has only been observed
+ twice in thousands of regression test runs and has never been
+ reported in the real world. Change in `commit
+ 2882 <http://wiki.powerdns.com/projects/trac/changeset/2882>`__.
+- Leen Besselink submitted query logging support for the SQLite3 parts
+ in the bindbackend. Code in `commit
+ 2874 <http://wiki.powerdns.com/projects/trac/changeset/2874>`__.
+- Multi-backend operation would sometimes cause garbage domain IDs to
+ be passed to backends. Reported by Kees Monshouwer and fixed by him
+ in `commit
+ 2871 <http://wiki.powerdns.com/projects/trac/changeset/2871>`__.
+- Bindbackend would sometimes crash during reloads/rediscovers. The
+ changes in `commit
+ 2837 <http://wiki.powerdns.com/projects/trac/changeset/2837>`__ get
+ rid of the crash, at the cost of returning SERVFAIL during reloads.
+ Closes `ticket 564 <https://github.com/PowerDNS/pdns/issues/564>`__.
+- Our label decompression code was naive, causing troubles for slaving
+ of very specifically formatted zones. Fix in `ticket
+ 2822 <https://github.com/PowerDNS/pdns/issues/2822>`__, closes
+ `ticket 599 <https://github.com/PowerDNS/pdns/issues/599>`__.
+- Bindbackend slaves would choke on unknown RR types and do silly
+ things with RP and SRV records. Fixed in `commit
+ 2811 <http://wiki.powerdns.com/projects/trac/changeset/2811>`__ and
+ `commit
+ 2812 <http://wiki.powerdns.com/projects/trac/changeset/2812>`__.
+- The luabackend can now compile against Lua 5.2. Patch by Fredrik
+ Danerklint in `commit
+ 2794 <http://wiki.powerdns.com/projects/trac/changeset/2794>`__,
+ additional luabackend compile fixes in `commit
+ 2854 <http://wiki.powerdns.com/projects/trac/changeset/2854>`__.
+- A new backend, the 'Remote backend' `Remote
+ Backend <authoritative/backend-remote.md>`__ was submitted by Aki
+ Tuomi. It aims to replace the pipebackend with a better protocol and
+ support for more connection methods, including HTTP. Code in `commit
+ 2755 <http://wiki.powerdns.com/projects/trac/changeset/2755>`__,
+ `commit
+ 2756 <http://wiki.powerdns.com/projects/trac/changeset/2756>`__,
+ `commit
+ 2757 <http://wiki.powerdns.com/projects/trac/changeset/2757>`__,
+ `commit
+ 2758 <http://wiki.powerdns.com/projects/trac/changeset/2758>`__,
+ `commit
+ 2759 <http://wiki.powerdns.com/projects/trac/changeset/2759>`__,
+ `commit
+ 2824 <http://wiki.powerdns.com/projects/trac/changeset/2824>`__,
+ closing `ticket 529 <https://github.com/PowerDNS/pdns/issues/529>`__,
+ `ticket 597 <https://github.com/PowerDNS/pdns/issues/597>`__.
+- The gsqlite (SQLite 2) backend was removed. We were not aware of any
+ users and it was not actually working anyway. Changes in commits
+ `2773 <http://wiki.powerdns.com/projects/trac/changeset/2773>`__-`2777 <http://wiki.powerdns.com/projects/trac/changeset/2777>`__,
+ closing `ticket 565 <https://github.com/PowerDNS/pdns/issues/565>`__.
+- Various tinydnsbackend improvements: ignore-bogus-records option; TAI
+ offset updated; strip dots on names where suitable; various internal
+ improvements. Code in `commit
+ 2762 <http://wiki.powerdns.com/projects/trac/changeset/2762>`__.
+- gpgsql no longer logs the database password in connection errors.
+ Code in `commit
+ 2609 <http://wiki.powerdns.com/projects/trac/changeset/2609>`__,
+ `commit
+ 2612 <http://wiki.powerdns.com/projects/trac/changeset/2612>`__,
+ closing `ticket 459 <https://github.com/PowerDNS/pdns/issues/459>`__.
+- You can now finally specify 0.0.0.0 or :: as local-address/local-ipv6
+ without getting replies from the wrong address. This much-requested
+ feature is implemented in `commit
+ 2763 <http://wiki.powerdns.com/projects/trac/changeset/2763>`__,
+ `commit
+ 2766 <http://wiki.powerdns.com/projects/trac/changeset/2766>`__,
+ `commit
+ 2779 <http://wiki.powerdns.com/projects/trac/changeset/2779>`__ and
+ `commit
+ 2781 <http://wiki.powerdns.com/projects/trac/changeset/2781>`__.
+ Tested on Linux, FreeBSD and Mac OS X.
+- 3.2 can be reliably built with or without Lua. This and many other
+ configure/compile-related fixes in `commit
+ 2610 <http://wiki.powerdns.com/projects/trac/changeset/2610>`__,
+ `commit
+ 2611 <http://wiki.powerdns.com/projects/trac/changeset/2611>`__ /
+ `ticket 461 <https://github.com/PowerDNS/pdns/issues/461>`__, `commit
+ 2666 <http://wiki.powerdns.com/projects/trac/changeset/2666>`__,
+ `commit
+ 2671 <http://wiki.powerdns.com/projects/trac/changeset/2671>`__,
+ `commit
+ 2672 <http://wiki.powerdns.com/projects/trac/changeset/2672>`__ /
+ `ticket 522 <https://github.com/PowerDNS/pdns/issues/522>`__, `commit
+ 2673 <http://wiki.powerdns.com/projects/trac/changeset/2673>`__ /
+ `ticket 522 <https://github.com/PowerDNS/pdns/issues/522>`__, `commit
+ 2696 <http://wiki.powerdns.com/projects/trac/changeset/2696>`__ /
+ `ticket 555 <https://github.com/PowerDNS/pdns/issues/555>`__, `commit
+ 2697 <http://wiki.powerdns.com/projects/trac/changeset/2697>`__ /
+ `ticket 457 <https://github.com/PowerDNS/pdns/issues/457>`__, `commit
+ 2698 <http://wiki.powerdns.com/projects/trac/changeset/2698>`__,
+ `commit
+ 2708 <http://wiki.powerdns.com/projects/trac/changeset/2708>`__,
+ `commit
+ 2742 <http://wiki.powerdns.com/projects/trac/changeset/2742>`__ /
+ `ticket 462 <https://github.com/PowerDNS/pdns/issues/462>`__),
+ `commit
+ 2752 <http://wiki.powerdns.com/projects/trac/changeset/2752>`__ /
+ `ticket 437 <https://github.com/PowerDNS/pdns/issues/437>`__, `commit
+ 2764 <http://wiki.powerdns.com/projects/trac/changeset/2764>`__,
+ `commit
+ 2809 <http://wiki.powerdns.com/projects/trac/changeset/2809>`__,
+ `commit
+ 2844 <http://wiki.powerdns.com/projects/trac/changeset/2844>`__,
+ `commit
+ 2845 <http://wiki.powerdns.com/projects/trac/changeset/2845>`__,
+ `commit
+ 2846 <http://wiki.powerdns.com/projects/trac/changeset/2846>`__,
+ `commit
+ 2881 <http://wiki.powerdns.com/projects/trac/changeset/2881>`__.
+- Juraj Lutter contributed AXFR-SOURCE per zone metadata settings. Code
+ in `commit
+ 2616 <http://wiki.powerdns.com/projects/trac/changeset/2616>`__.
+- Initscripts now have exit codes, submitted by Sander Hoentjen. Code
+ in `commit
+ 2728 <http://wiki.powerdns.com/projects/trac/changeset/2728>`__.
+ Guardian now returns 0 instead of 1 when receiving SIGTERM, requested
+ by Morten Stevens of Fedora. Code in `commit
+ 2717 <http://wiki.powerdns.com/projects/trac/changeset/2717>`__.
+- Mark Zealey submitted various performance improvement patches and
+ suggestions. Accepted as `commit
+ 2729 <http://wiki.powerdns.com/projects/trac/changeset/2729>`__ /
+ `ticket 579 <https://github.com/PowerDNS/pdns/issues/579>`__, `commit
+ 2730 <http://wiki.powerdns.com/projects/trac/changeset/2730>`__ /
+ `ticket 584 <https://github.com/PowerDNS/pdns/issues/584>`__),
+ `commit
+ 2731 <http://wiki.powerdns.com/projects/trac/changeset/2731>`__ /
+ `ticket 583 <https://github.com/PowerDNS/pdns/issues/583>`__),
+ `commit
+ 2768 <http://wiki.powerdns.com/projects/trac/changeset/2768>`__ /
+ `ticket 578 <https://github.com/PowerDNS/pdns/issues/578>`__). Please
+ see commit messages for more details.
+- pdnssec check-all-zones now reuses database connections, avoiding a
+ socket exhaustion issue in some situations. Code in `commit
+ 2749 <http://wiki.powerdns.com/projects/trac/changeset/2749>`__,
+ closes `ticket 519 <https://github.com/PowerDNS/pdns/issues/519>`__.
+- Ruben d'Arco submitted various improvements regarding trailing dots.
+ Additional lookups now try harder, pdnssec errors about trailing dots
+ in names, pdnssec warns about trailing dots in names inside content
+ fields, AXFR now strips the dot from SRV hostnames. Code in `commit
+ 2748 <http://wiki.powerdns.com/projects/trac/changeset/2748>`__,
+ fixes `ticket 289 <https://github.com/PowerDNS/pdns/issues/289>`__.
+- Pre-3.0, backends would get cycled if they threw the right error. 3.2
+ reinstates this behaviour, as it is more robust. Change in `commit
+ 2734 <http://wiki.powerdns.com/projects/trac/changeset/2734>`__
+ (reverting `commit
+ 2100 <http://wiki.powerdns.com/projects/trac/changeset/2100>`__),
+ fixes `ticket 386 <https://github.com/PowerDNS/pdns/issues/386>`__.
+- PowerDNS auth does not use the select() kernel/library call anymore.
+ This means fd-numbers over 1023 (and, in general, more than 1024
+ sockets, including more than 1024 listening sockets) should now work
+ reliably. Code in `commit
+ 2739 <http://wiki.powerdns.com/projects/trac/changeset/2739>`__,
+ `commit
+ 2740 <http://wiki.powerdns.com/projects/trac/changeset/2740>`__,
+ fixes `ticket 408 <https://github.com/PowerDNS/pdns/issues/408>`__.
+- gmysql users can now specify the 'group' we connect as, using the
+ gmysql-group setting. Submitted by Kees Monshouwer, code in `commit
+ 2770 <http://wiki.powerdns.com/projects/trac/changeset/2770>`__,
+ `commit
+ 2771 <http://wiki.powerdns.com/projects/trac/changeset/2771>`__,
+ `commit
+ 2778 <http://wiki.powerdns.com/projects/trac/changeset/2778>`__,
+ `commit
+ 2780 <http://wiki.powerdns.com/projects/trac/changeset/2780>`__,
+ closing `ticket 463 <https://github.com/PowerDNS/pdns/issues/463>`__.
+- The Linux-only traceback handler is now optional (use
+ traceback-handler=off to disable it). Suggested by Marc Haber. Change
+ in `commit
+ 2798 <http://wiki.powerdns.com/projects/trac/changeset/2798>`__,
+ closes `ticket 497 <https://github.com/PowerDNS/pdns/issues/497>`__.
+- We now use IPV6\_V6ONLY to bind IPv6 sockets. This ensures consistent
+ behaviour between different operating systems. Change in `commit
+ 2799 <http://wiki.powerdns.com/projects/trac/changeset/2799>`__.
+- MySQL connections are now logged at a higher loglevel, reducing log
+ clutter. Change in `commit
+ 2800 <http://wiki.powerdns.com/projects/trac/changeset/2800>`__.
+- We now ship a systemd unit file in contrib/. Added in `commit
+ 2847 <http://wiki.powerdns.com/projects/trac/changeset/2847>`__ and
+ `commit
+ 2848 <http://wiki.powerdns.com/projects/trac/changeset/2848>`__,
+ submitted by Morten Stevens.
+
+Assorted bugfixes
+^^^^^^^^^^^^^^^^^
+
+- If a slave domain is removed while a transfer for it is queued, we no
+ longer try the transfer. This also avoids a rare crash in similar
+ circumstances. Code in `commit
+ 2802 <http://wiki.powerdns.com/projects/trac/changeset/2802>`__,
+ closes `ticket 596 <https://github.com/PowerDNS/pdns/issues/596>`__.
+- When using pdnssec with gsql backends, sometimes an SSqlException
+ would pop up without any useful information. This no longer happens
+ and errors are now in general more meaningful. Fix in `commit
+ 2803 <http://wiki.powerdns.com/projects/trac/changeset/2803>`__.
+- zone2sql now uses correct string syntax for PostgreSQL. This is
+ needed for importing with the changed default settings in PostgreSQL
+ 9.2 and up. Code in `commit
+ 2797 <http://wiki.powerdns.com/projects/trac/changeset/2797>`__,
+ closes `ticket 471 <https://github.com/PowerDNS/pdns/issues/471>`__.
+- We no longer send v6 notifications if v6 is not available. Same for
+ IPv4. Code in `commit
+ 2772 <http://wiki.powerdns.com/projects/trac/changeset/2772>`__,
+ fixes `ticket 515 <https://github.com/PowerDNS/pdns/issues/515>`__.
+- We would sometimes serve stale data after an incoming AXFR. Reported
+ by Martin Draschl, fixed by Ruben d'Arco in `commit
+ 2699 <http://wiki.powerdns.com/projects/trac/changeset/2699>`__,
+ closing `ticket 525 <https://github.com/PowerDNS/pdns/issues/525>`__.
+- Duplicate incoming NOTIFYs could cause PowerDNS to try to insert the
+ same domain name into a database twice. Fixed in `commit
+ 2703 <http://wiki.powerdns.com/projects/trac/changeset/2703>`__,
+ closing `ticket 453 <https://github.com/PowerDNS/pdns/issues/453>`__.
+- pdnssec show-zone now works on a zone that has any number of keys,
+ instead of requiring active keys. Reported by Jeroen Tushuizen of
+ myH2Oservers, code in `commit
+ 2769 <http://wiki.powerdns.com/projects/trac/changeset/2769>`__,
+ closes `ticket 586 <https://github.com/PowerDNS/pdns/issues/586>`__.
+- pdns-control notify-host now accepts v6 literals. Reported by
+ Christof Meerwald, fixed in `commit
+ 2704 <http://wiki.powerdns.com/projects/trac/changeset/2704>`__.
+- The tinydnsbackend no longer chokes on questions longer than 64
+ bytes. Code in `commit
+ 2622 <http://wiki.powerdns.com/projects/trac/changeset/2622>`__.
+- \*-all-domains commands in pdnssec now work with Postgres (gpgsql)
+ too. Code in `commit
+ 2645 <http://wiki.powerdns.com/projects/trac/changeset/2645>`__,
+ closing `ticket 472 <https://github.com/PowerDNS/pdns/issues/472>`__.
+- We would sometimes leave the opcode of an outgoing packet
+ uninitialized. Fixed in `commit
+ 2680 <http://wiki.powerdns.com/projects/trac/changeset/2680>`__,
+ closing `ticket 532 <https://github.com/PowerDNS/pdns/issues/532>`__.
+- nproxy can now listen on a configurable port. Code in `commit
+ 2684 <http://wiki.powerdns.com/projects/trac/changeset/2684>`__,
+ fixes `ticket 534 <https://github.com/PowerDNS/pdns/issues/534>`__.
+- Improve mydnsbackend for SOA queries. Code in `commit
+ 2751 <http://wiki.powerdns.com/projects/trac/changeset/2751>`__,
+ fixes `ticket 439 <https://github.com/PowerDNS/pdns/issues/439>`__,
+ by Ruben d'Arco.
+- Various non-functional fixes that make Valgrind happy (note that
+ Valgrind was right to complain in all of these situations), in
+ `commit
+ 2715 <http://wiki.powerdns.com/projects/trac/changeset/2715>`__,
+ `commit
+ 2716 <http://wiki.powerdns.com/projects/trac/changeset/2716>`__,
+ `commit
+ 2718 <http://wiki.powerdns.com/projects/trac/changeset/2718>`__.
+
+ PowerDNS Authoritative Server 3.1
+----------------------------------
+
+Released on the 4th of May 2012 RC3 released on the 30th of April 2012
+RC2 released on the 14th of April 2012 RC1 released on the 23th of March
+2012
+
+**Warning**: Version 3.1 of the PowerDNS Authoritative Server is a major
+upgrade if you are coming from 2.9.x. There are also some important
+changes if you are coming from 3.0. Please refer to the `Upgrade
+documentation <authoritative/upgrading.md>`__ for important information
+on correct and stable operation, as well as notes on performance and
+memory use.
+
+Version 3.1 of the PowerDNS Authoritative Server represents the 'coming
+of age' of our DNSSEC implementation. In addition, 3.1 solves a lot of
+'.0' issues typically associated with a major new release.
+
+As usual, we are very grateful for the involvement of the PowerDNS
+community. The uptake of 3.0 was rapid, and many users were very helpful
+in shaking out the bugs, and willing to test the fixes we provided or,
+in many cases, provided the fixes themselves.
+
+Of specific note is the giant PowerDNS DNSSEC deployment in Sweden by
+Atomia and Binero. PowerDNS 3.0 now powers over 150000 DNSSEC domains in
+Sweden, around 95% of all DNSSEC domains, in a country were most
+internet service providers actually validate all .SE domains.
+
+Finally, this release has benefited a lot from Peter van Dijk joining
+us, as he has merged a tremendous amount of patches, cleaned up years of
+accumulated dust in the code, and massively improved our regression
+testing into a full blown continuous integration setup with full DNSSEC
+tests!
+
+Additionally, we would like to thank Ruben d'Arco, Jose Arthur Benetasso
+Villanova, Marc Haber, Jimmy Bergman, Aki Tuomi and everyone else who
+helped us out!
+
+Downloads
+^^^^^^^^^
+
+- `Official download
+ page <http://www.powerdns.com/content/downloads.html>`__
+- `CentOS/RHEL 5/6
+ RPMs <http://www.monshouwer.eu/download/3rd_party/pdns-server/>`__
+ kindly provided by Kees Monshouwer.
+- `Additional
+ packages <http://wiki.powerdns.com/trac#GettingPowerDNSpackages>`__
+ kindly provided by various other people.
+
+Changes between RC3 and final
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+- pdnssec now honours the default-soa-name setting. Reported by Kees
+ Monshouwer, fixed in `commit
+ 2600 <http://wiki.powerdns.com/projects/trac/changeset/2600>`__.
+
+Changes between RC2 and RC3
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+- The hidden test-algorithms command for pdnssec now has a little
+ brother 'test-algorithm X'. Code in `commit
+ 2596 <http://wiki.powerdns.com/projects/trac/changeset/2596>`__, by
+ Aki Tuomi.
+- PolarSSL upgraded to 1.1.2 due to weak RSA key generation (`commit
+ 2586 <http://wiki.powerdns.com/projects/trac/changeset/2586>`__). If
+ you created RSA keys with RC1 or RC2 using PolarSSL, please replace
+ them! This upgrade introduced a slowdown; speedup patch in `commit
+ 2593 <http://wiki.powerdns.com/projects/trac/changeset/2593>`__.
+- It turns out we were using libmysqlclient in a thread-unsafe manner.
+ This issue was reported and painstakingly debugged by Marc Haber.
+ Presumably fixed in `commit
+ 2591 <http://wiki.powerdns.com/projects/trac/changeset/2591>`__.
+- Updated a bunch of internal counters to be threadsafe. Code in
+ `commit
+ 2579 <http://wiki.powerdns.com/projects/trac/changeset/2579>`__.
+- NSEC(3) bitmaps can now cover RRtypes above 255. Reported by Michael
+ Braunoeder, patch by Aki Tuomi in `commit
+ 2590 <http://wiki.powerdns.com/projects/trac/changeset/2590>`__.
+- pdnssec check-zone now reports MBOXFW and URL records (as those are
+ unsupported since 3.0). Reported by Gerwin Krist of Digitalus, patch
+ by Ruben d'Arco. Closes `ticket
+ 446 <https://github.com/PowerDNS/pdns/issues/446>`__.
+- The odbcbackend was removed. It only runs on Windows and Windows is
+ unsupported since 3.0. Removal in `commit
+ 2576 <http://wiki.powerdns.com/projects/trac/changeset/2576>`__.
+- We used to send the chunk length and the actual chunk in two separate
+ writes (often resulting in two separate TCP packets) during outbound
+ AXFR. This confused MSDNS. We now combine those writes. Code in
+ `commit
+ 2575 <http://wiki.powerdns.com/projects/trac/changeset/2575>`__.
+- The bindbackend can now run without SQLite3, as previously intended.
+ Fix in `commit
+ 2574 <http://wiki.powerdns.com/projects/trac/changeset/2574>`__.
+- Some high-concurrency master setups would crash under load. Fixed in
+ `commit
+ 2571 <http://wiki.powerdns.com/projects/trac/changeset/2571>`__.
+
+Changes between RC1 and RC2
+---------------------------
+
+- We imported the TinyDNS backend by Ruben d'Arco. Code mostly in
+ `commit
+ 2559 <http://wiki.powerdns.com/projects/trac/changeset/2559>`__. See
+ `TinyDNS Backend <authoritative/backend-tinydns.md>`__.
+- Overriding C(XX)FLAGS is easier now. Problem pointed out by Jose
+ Arthur Benetasso Villanova and others, fix suggested by Sten Spans.
+ Patch in `commit
+ 2533 <http://wiki.powerdns.com/projects/trac/changeset/2533>`__.
+- TSIG fixes: skip embedded spaces in keys (`commit
+ 2536 <http://wiki.powerdns.com/projects/trac/changeset/2536>`__),
+ compute signatures correctly (by Ruben d'Arco in `commit
+ 2547 <http://wiki.powerdns.com/projects/trac/changeset/2547>`__),
+- nproxy, dnsscan and dnsdemog did not compile at all. Fixes in `commit
+ 2538 <http://wiki.powerdns.com/projects/trac/changeset/2538>`__,
+ `commit
+ 2554 <http://wiki.powerdns.com/projects/trac/changeset/2554>`__.
+- We now allow unescaped tabs in TXT records. Fix in `commit
+ 2539 <http://wiki.powerdns.com/projects/trac/changeset/2539>`__.
+- SOA records no longer disappear during incoming transfers. Fix by
+ Ruben d'Arco in `commit
+ 2540 <http://wiki.powerdns.com/projects/trac/changeset/2540>`__.
+- PowerDNS compiles on OS X (and other platforms that support our auth
+ server but not the recursor) again, fix in `commit
+ 2566 <http://wiki.powerdns.com/projects/trac/changeset/2566>`__.
+- Cleanups related to warnings from gcc and valgrind in `commit
+ 2561 <http://wiki.powerdns.com/projects/trac/changeset/2561>`__,
+ `commit
+ 2562 <http://wiki.powerdns.com/projects/trac/changeset/2562>`__,
+ `commit
+ 2565 <http://wiki.powerdns.com/projects/trac/changeset/2565>`__.
+- Solaris compatibility fixes by Ruben d'Arco, Juraj Lutter and others
+ in `commit
+ 2548 <http://wiki.powerdns.com/projects/trac/changeset/2548>`__,
+ `commit
+ 2552 <http://wiki.powerdns.com/projects/trac/changeset/2552>`__,
+ `commit
+ 2553 <http://wiki.powerdns.com/projects/trac/changeset/2553>`__,
+ `commit
+ 2560 <http://wiki.powerdns.com/projects/trac/changeset/2560>`__.
+ Fixes for \*BSD in `commit
+ 2546 <http://wiki.powerdns.com/projects/trac/changeset/2546>`__.
+- pdns\_control help would report 'version' twice, reported by Gerwin,
+ fix in `commit
+ 2549 <http://wiki.powerdns.com/projects/trac/changeset/2549>`__.
+
+DNSSEC related fixes
+^^^^^^^^^^^^^^^^^^^^
+
+- When slaving zones, PowerDNS now automatically detects that a zone is
+ presigned. Code in `commit
+ 2502 <http://wiki.powerdns.com/projects/trac/changeset/2502>`__,
+ closing `ticket 369 <https://github.com/PowerDNS/pdns/issues/369>`__,
+ `ticket 392 <https://github.com/PowerDNS/pdns/issues/392>`__.
+- The bindbackend can now manage its own SQLite3 database to store key
+ data, removing the need to run it with a gsql backend. Code in
+ `commit
+ 2448 <http://wiki.powerdns.com/projects/trac/changeset/2448>`__,
+ `commit
+ 2449 <http://wiki.powerdns.com/projects/trac/changeset/2449>`__,
+ `commit
+ 2450 <http://wiki.powerdns.com/projects/trac/changeset/2450>`__,
+ `commit
+ 2451 <http://wiki.powerdns.com/projects/trac/changeset/2451>`__,
+ `commit
+ 2452 <http://wiki.powerdns.com/projects/trac/changeset/2452>`__,
+ `commit
+ 2453 <http://wiki.powerdns.com/projects/trac/changeset/2453>`__,
+ `commit
+ 2455 <http://wiki.powerdns.com/projects/trac/changeset/2455>`__,
+ `commit
+ 2482 <http://wiki.powerdns.com/projects/trac/changeset/2482>`__,
+ `commit
+ 2496 <http://wiki.powerdns.com/projects/trac/changeset/2496>`__,
+ `commit
+ 2499 <http://wiki.powerdns.com/projects/trac/changeset/2499>`__.
+- NSEC/NSEC3 logic for picking 'boundary' names was tricky, and got it
+ wrong in some cases. Fixes in `commit
+ 2289 <http://wiki.powerdns.com/projects/trac/changeset/2289>`__,
+ `commit
+ 2429 <http://wiki.powerdns.com/projects/trac/changeset/2429>`__,
+ `commit
+ 2435 <http://wiki.powerdns.com/projects/trac/changeset/2435>`__ and
+ `commit
+ 2473 <http://wiki.powerdns.com/projects/trac/changeset/2473>`__.
+- The subtle differences between 'what records get NSEC', 'what records
+ get NSEC3' and 'what records should get signed' did not translate
+ well to the SQL auth column. We now use 'ordername IS NULL' to map
+ the whole spectrum. Code in `commit
+ 2477 <http://wiki.powerdns.com/projects/trac/changeset/2477>`__,
+ `commit
+ 2480 <http://wiki.powerdns.com/projects/trac/changeset/2480>`__,
+ `commit
+ 2492 <http://wiki.powerdns.com/projects/trac/changeset/2492>`__.
+- Pre-signed AXFR output, although correct, was different from our
+ query responses. Rectified in `commit
+ 2477 <http://wiki.powerdns.com/projects/trac/changeset/2477>`__.
+- Spotted & fixed by Jimmy Bergman of Atomia, CNAMEs and RRSIGs could
+ have bad interactions. Fix in `commit
+ 2314 <http://wiki.powerdns.com/projects/trac/changeset/2314>`__,
+ further refined in `commit
+ 2318 <http://wiki.powerdns.com/projects/trac/changeset/2318>`__.
+ Closes `ticket 411 <https://github.com/PowerDNS/pdns/issues/411>`__.
+- Spotted & fixed by Jimmy Bergman of Atomia, we now allow direct RRSIG
+ queries even when do=0.
+- Spotted by Mark Scholten and Marco Davids, we would sometimes
+ generate duplicate (and wrong) RRSIGs when signing an ANY answer
+ because of record jumbling. Fix in `commit
+ 2381 <http://wiki.powerdns.com/projects/trac/changeset/2381>`__.
+- Several fixes to handling of DS queries, in `commit
+ 2420 <http://wiki.powerdns.com/projects/trac/changeset/2420>`__,
+ `commit
+ 2510 <http://wiki.powerdns.com/projects/trac/changeset/2510>`__,
+ `commit
+ 2512 <http://wiki.powerdns.com/projects/trac/changeset/2512>`__.
+- We now lowercase the signer name in an RRSIG. This is not mandated by
+ DNSSEC specification but it improves compatibility with some
+ validators. Fix in `commit
+ 2426 <http://wiki.powerdns.com/projects/trac/changeset/2426>`__.
+
+Bug fixes
+^^^^^^^^^
+
+- Winfried Angele discovered we would open an additional backend
+ connection per zone in the BIND backend. This only impacted users
+ with multiple simultaneous backends. Fix in `commit
+ 2253 <http://wiki.powerdns.com/projects/trac/changeset/2253>`__,
+ closing `ticket 383 <https://github.com/PowerDNS/pdns/issues/383>`__.
+- All versions of max-cache-entries setting had confusing behaviour
+ when set to 0. Now clarified to mean that 0 truly means 0, and not
+ 'infinite'. Change in `commit
+ 2328 <http://wiki.powerdns.com/projects/trac/changeset/2328>`__.
+- Wildcards in the presence of delegations were broken. Reported by a
+ cast of thousands. Fix & regression test in `commit
+ 2368 <http://wiki.powerdns.com/projects/trac/changeset/2368>`__.
+ Closes `ticket 389 <https://github.com/PowerDNS/pdns/issues/389>`__.
+- Internal caches used an order of magnitude more memory than expected
+ and some were not purged properly, which hindered real life
+ deployments. Spotted by Winfried Angele and others. Fixed in `commit
+ 2287 <http://wiki.powerdns.com/projects/trac/changeset/2287>`__ and
+ `commit
+ 2328 <http://wiki.powerdns.com/projects/trac/changeset/2328>`__.
+- Christof Meerwald discovered our .tar file missed a file of the Lua
+ backend. Change in `commit
+ 2257 <http://wiki.powerdns.com/projects/trac/changeset/2257>`__.
+- Paul Xek found out that the edns-subnet support did not work for
+ subnets tinier than a /25 or /121. Fix in `commit
+ 2258 <http://wiki.powerdns.com/projects/trac/changeset/2258>`__.
+- edns-subnet aware PIPE scripts received bogus remote information on
+ AXFR requests. Fixed in `commit
+ 2284 <http://wiki.powerdns.com/projects/trac/changeset/2284>`__.
+- Fix compilation against older versions of MySQL that do not have
+ MYSQL\_OPT\_RECONNECT. `commit
+ 2264 <http://wiki.powerdns.com/projects/trac/changeset/2264>`__,
+ closing `ticket 378 <https://github.com/PowerDNS/pdns/issues/378>`__.
+- D. Stussy of Snarked.net discovered that PowerDNS could not parse a
+ DNS packet with a trailing blob of unknown length. Fixed in `commit
+ 2267 <http://wiki.powerdns.com/projects/trac/changeset/2267>`__.
+- 'pdnssec' did not work for records with NULL ttls. Fixed in `commit
+ 2266 <http://wiki.powerdns.com/projects/trac/changeset/2266>`__,
+ closing `ticket 432 <https://github.com/PowerDNS/pdns/issues/432>`__.
+- Pipe backend had issues parsing IPv6 records in ABI version 3. Fixed
+ in `commit
+ 2260 <http://wiki.powerdns.com/projects/trac/changeset/2260>`__.
+- We truncated the altitude in LOC records! I hope no one got lost. Fix
+ in `commit
+ 2268 <http://wiki.powerdns.com/projects/trac/changeset/2268>`__.
+- Xander Soldaat discovered that even if the web server was not
+ configured, we'd still listen on the port. Fix in `commit
+ 2269 <http://wiki.powerdns.com/projects/trac/changeset/2269>`__,
+ closes `ticket 402 <https://github.com/PowerDNS/pdns/issues/402>`__.
+- The PIPE backend issues frequent fork()s, leading to potential fd
+ leaks if these are not marked as 'close on exec'. Solved in `commit
+ 2273 <http://wiki.powerdns.com/projects/trac/changeset/2273>`__,
+ closing `ticket 194 <https://github.com/PowerDNS/pdns/issues/194>`__.
+- Robert van der Meulen found that we messed up the interaction between
+ wildcards and CNAMEs. Fixed in `commit
+ 2276 <http://wiki.powerdns.com/projects/trac/changeset/2276>`__,
+ which also adds a regression test to prevent this issue from
+ recurring.
+- Fred Wittekind discovered that our notification proxy 'nproxy' no
+ longer built from source. Fixed in `commit
+ 2278 <http://wiki.powerdns.com/projects/trac/changeset/2278>`__.
+- Grant Keller found that we were inconsistent with spaces in labels,
+ thus breaking DNS-SD. Fix in `commit
+ 2305 <http://wiki.powerdns.com/projects/trac/changeset/2305>`__.
+- Winfried Angele fixed our autoconf script for Lua detection in
+ `commit
+ 2308 <http://wiki.powerdns.com/projects/trac/changeset/2308>`__.
+- BIND backend would leak an fd when including a configuration file
+ from named.conf. Spotted by Hannu Ylitalo of Nebula Oy in `commit
+ 2359 <http://wiki.powerdns.com/projects/trac/changeset/2359>`__.
+- GSQLite3 backend could crash on a network error at the wrong moment,
+ leading to a restart by the guardian. Fix in `commit
+ 2336 <http://wiki.powerdns.com/projects/trac/changeset/2336>`__.
+- './configure ^^enable-verbose-logging' was broken, fixed in `commit
+ 2312 <http://wiki.powerdns.com/projects/trac/changeset/2312>`__.
+- PowerDNS would serve up old SOA data immediately after sending out a
+ notification. Complicated bug documented perfectly in `ticket
+ 427 <https://github.com/PowerDNS/pdns/issues/427>`__, which also came
+ with not one but with two different patches to fix the problem.
+ Thanks to Keith Buck. Code in `commit
+ 2408 <http://wiki.powerdns.com/projects/trac/changeset/2408>`__.
+- Flag '^^start-id' in zone2sql was not functional. Removed for now in
+ `commit
+ 2387 <http://wiki.powerdns.com/projects/trac/changeset/2387>`__,
+ closing `ticket 332 <https://github.com/PowerDNS/pdns/issues/332>`__.
+- Our distribution tarball did not have the SQL schemas. Fixed in
+ `commit
+ 2459 <http://wiki.powerdns.com/projects/trac/changeset/2459>`__ and
+ `commit
+ 2460 <http://wiki.powerdns.com/projects/trac/changeset/2460>`__.
+- "Empty" MX records would confuse one of our parsers. Fixed in `commit
+ 2468 <http://wiki.powerdns.com/projects/trac/changeset/2468>`__,
+ closing Debian bug 533023.
+- The pdns.conf 'wildcards'-setting did not do anything in 3.0, so it
+ was removed. Change in `commit
+ 2508 <http://wiki.powerdns.com/projects/trac/changeset/2508>`__,
+ `commit
+ 2509 <http://wiki.powerdns.com/projects/trac/changeset/2509>`__.
+- Additional processing based on records loaded by the BIND backend
+ might fail because of a trailing dot mismatch. Fix in `commit
+ 2398 <http://wiki.powerdns.com/projects/trac/changeset/2398>`__.
+
+New features
+^^^^^^^^^^^^
+
+- Per-zone AXFR ACLs, based on the allow-axfr-ips zone metadata item.
+ Code in `commit
+ 2274 <http://wiki.powerdns.com/projects/trac/changeset/2274>`__.
+ Also, remove some remains of our previous approach to supporting this
+ in `commit
+ 2326 <http://wiki.powerdns.com/projects/trac/changeset/2326>`__.
+- New SOA Serial Tweak mode INCEPTION-EPOCH for when operating as a
+ 'signing slave', contributed by Jimmy Bergman. Code and documentation
+ in `commit
+ 2320 <http://wiki.powerdns.com/projects/trac/changeset/2320>`__.
+- Newlines in the 'content' field of backends are now allowed,
+ restoring some DKIM setups to working condition. Update in `commit
+ 2394 <http://wiki.powerdns.com/projects/trac/changeset/2394>`__,
+ closing `ticket 395 <https://github.com/PowerDNS/pdns/issues/395>`__.
+
+Improvements
+^^^^^^^^^^^^
+
+- Depending on the encoding used, MySQL could take issue with our
+ 'tsigkeys' table which contained very large rows. Trimmed in `commit
+ 2400 <http://wiki.powerdns.com/projects/trac/changeset/2400>`__,
+ closing `ticket 410 <https://github.com/PowerDNS/pdns/issues/410>`__.
+- Various build/configure-related fixes in `commit
+ 2319 <http://wiki.powerdns.com/projects/trac/changeset/2319>`__,
+ `commit
+ 2373 <http://wiki.powerdns.com/projects/trac/changeset/2373>`__,
+ `commit
+ 2386 <http://wiki.powerdns.com/projects/trac/changeset/2386>`__,
+ closing `ticket 380 <https://github.com/PowerDNS/pdns/issues/380>`__,
+ `ticket 405 <https://github.com/PowerDNS/pdns/issues/405>`__, `ticket
+ 420 <https://github.com/PowerDNS/pdns/issues/420>`__.
+- We now show the SOA serial after zone transfers. Code in `commit
+ 2385 <http://wiki.powerdns.com/projects/trac/changeset/2385>`__,
+ closing `ticket 416 <https://github.com/PowerDNS/pdns/issues/416>`__.
+- Ruben d'Arco submitted a full rework of our slave-side AXFR TSIG
+ handling, closing `ticket
+ 393 <https://github.com/PowerDNS/pdns/issues/393>`__ and `ticket
+ 400 <https://github.com/PowerDNS/pdns/issues/400>`__ in the process.
+ Code in `commit
+ 2506 <http://wiki.powerdns.com/projects/trac/changeset/2506>`__.
+ Additional improvement in `commit
+ 2513 <http://wiki.powerdns.com/projects/trac/changeset/2513>`__.
+- The records.name-column in the gpgsql schema is now constrained to
+ lowercase, as PowerDNS would be unable to find other entries anyway.
+ Fix in `commit
+ 2503 <http://wiki.powerdns.com/projects/trac/changeset/2503>`__,
+ closing `ticket 426 <https://github.com/PowerDNS/pdns/issues/426>`__.
+- The gsql-backends can now handle huge records, thanks to a patch by
+ Ruben d'Arco. Code in `commit
+ 2476 <http://wiki.powerdns.com/projects/trac/changeset/2476>`__,
+ closing `ticket 407 <https://github.com/PowerDNS/pdns/issues/407>`__.
+ Additional changes in `commit
+ 2292 <http://wiki.powerdns.com/projects/trac/changeset/2292>`__,
+ `commit
+ 2487 <http://wiki.powerdns.com/projects/trac/changeset/2487>`__,
+ `commit
+ 2489 <http://wiki.powerdns.com/projects/trac/changeset/2489>`__.
+ Closes `ticket 218 <https://github.com/PowerDNS/pdns/issues/218>`__,
+ `ticket 316 <https://github.com/PowerDNS/pdns/issues/316>`__.
+- Some of PowerDNS' internal classes would work with uninitialized data
+ when repurposed outside of the PowerDNS core logic. Fix in `commit
+ 2469 <http://wiki.powerdns.com/projects/trac/changeset/2469>`__,
+- pdnssec now has 'check-all-zones' and 'rectify-all-zones' commands.
+ Submitted by Ruben d'Arco, code in `commit
+ 2467 <http://wiki.powerdns.com/projects/trac/changeset/2467>`__.
+- 'restart' in our init.d-script would not start pdns if it was down
+ before. Fixed in `commit
+ 2462 <http://wiki.powerdns.com/projects/trac/changeset/2462>`__.
+- 'pdnssec rectify-zone' now honours ^^verbose and is rather quiet
+ without it. Code in `commit
+ 2443 <http://wiki.powerdns.com/projects/trac/changeset/2443>`__.
+- Improved error messages for systems without IPv6. Changes in `commit
+ 2425 <http://wiki.powerdns.com/projects/trac/changeset/2425>`__.
+- The packet- and querycache now honour TTLs from backend data. Code in
+ `commit
+ 2414 <http://wiki.powerdns.com/projects/trac/changeset/2414>`__.
+- 'pdns\_control help' now shows useful usage information. Code in
+ `commit
+ 2410 <http://wiki.powerdns.com/projects/trac/changeset/2410>`__ and
+ `commit
+ 2465 <http://wiki.powerdns.com/projects/trac/changeset/2465>`__.
+- Jasper Spaans improved our init.d script for compliance with Debian
+ Squeeze. Patch in `commit
+ 2251 <http://wiki.powerdns.com/projects/trac/changeset/2251>`__.
+ Further improvement with 'set -e' to initscript contributed by Marc
+ Haber in `commit
+ 2301 <http://wiki.powerdns.com/projects/trac/changeset/2301>`__.
+- Klaus Darilion discovered our configuration file template and ^^help
+ output explained the various cache TTLs wrongly, and he also added
+ documentation for some missing parameters. `commit
+ 2271 <http://wiki.powerdns.com/projects/trac/changeset/2271>`__ and
+ `commit
+ 2272 <http://wiki.powerdns.com/projects/trac/changeset/2272>`__.
+- Add support for building against Botan 1.10 (stable) and drop support
+ for 1.9 (development). Changes in `commit
+ 2334 <http://wiki.powerdns.com/projects/trac/changeset/2334>`__. This
+ fixes several bugs when building against 1.9.
+- Upgrade internal PolarSSL library to their version 1.1.1. Change in
+ `commit
+ 2389 <http://wiki.powerdns.com/projects/trac/changeset/2389>`__ and
+ beyond.
+- Compilation of several backends failed for Boost in non-standard
+ locations. Fixes in `commit
+ 2316 <http://wiki.powerdns.com/projects/trac/changeset/2316>`__..
+- We now do additional processing for SRV records too. Code in `commit
+ 2388 <http://wiki.powerdns.com/projects/trac/changeset/2388>`__,
+ closing `ticket 423 <https://github.com/PowerDNS/pdns/issues/423>`__
+ (which also contained the patch). Regression test updates that flow
+ from this in `commit
+ 2390 <http://wiki.powerdns.com/projects/trac/changeset/2390>`__.
+- Fix compilation on OSX. `commit
+ 2316 <http://wiki.powerdns.com/projects/trac/changeset/2316>`__.
+- Fix pdnssec crash when asked to do DNSSEC without a DNSSEC capable
+ backend. Code in `commit
+ 2369 <http://wiki.powerdns.com/projects/trac/changeset/2369>`__.
+- If PowerDNS was not configured to operate as a DNS master, it would
+ still accept 'pdns\_control notify' commands, but then not do it.
+ Spotted by David Gavarret, patch by Jose Arthur Benetasso Villanova
+ in `commit
+ 2379 <http://wiki.powerdns.com/projects/trac/changeset/2379>`__.
+- In various places we would only accept UPPERCASE DNS typenames. Fixed
+ in `commit
+ 2370 <http://wiki.powerdns.com/projects/trac/changeset/2370>`__,
+ closing `ticket 390 <https://github.com/PowerDNS/pdns/issues/390>`__.
+- We would not always drop supplemental groups correctly. Reported by
+ David Black of Atlassian.
+- Our regression tests have been strengthened a lot, and now cover way
+ more features. Commits in
+ `2280 <http://wiki.powerdns.com/projects/trac/changeset/2280>`__,
+ `2281 <http://wiki.powerdns.com/projects/trac/changeset/2281>`__,
+ `2282 <http://wiki.powerdns.com/projects/trac/changeset/2282>`__,
+ `2317 <http://wiki.powerdns.com/projects/trac/changeset/2317>`__,
+ `2348 <http://wiki.powerdns.com/projects/trac/changeset/2348>`__,
+ `2349 <http://wiki.powerdns.com/projects/trac/changeset/2349>`__,
+ `2350 <http://wiki.powerdns.com/projects/trac/changeset/2350>`__,
+ `2351 <http://wiki.powerdns.com/projects/trac/changeset/2351>`__ and
+ beyond.
+- Update to support the latest draft of DANE/TLSA. Spotted by James
+ Cloos (`commit
+ 2338 <http://wiki.powerdns.com/projects/trac/changeset/2338>`__).
+ Further improvements by Pieter Lexis in `commit
+ 2347 <http://wiki.powerdns.com/projects/trac/changeset/2347>`__,
+ `commit
+ 2358 <http://wiki.powerdns.com/projects/trac/changeset/2358>`__.
+- Compilation on OpenBSD was eased by patches from Brad Smith, which
+ can be found in `commit
+ 2288 <http://wiki.powerdns.com/projects/trac/changeset/2288>`__ and
+ `commit
+ 2291 <http://wiki.powerdns.com/projects/trac/changeset/2291>`__,
+ closing `ticket 95 <https://github.com/PowerDNS/pdns/issues/95>`__.
+- 'make check' failed on the internal PolarSSL. Spotted by Daniel
+ Briley, fix in `commit
+ 2283 <http://wiki.powerdns.com/projects/trac/changeset/2283>`__.
+- The default SQL schemas were expanded to contain far longer content
+ fields. `commit
+ 2292 <http://wiki.powerdns.com/projects/trac/changeset/2292>`__,
+ `commit
+ 2293 <http://wiki.powerdns.com/projects/trac/changeset/2293>`__.
+- Documentation typos, Jake Spencer (`commit
+ 2304 <http://wiki.powerdns.com/projects/trac/changeset/2304>`__),
+ Jose Arthur Benetasso Villanova (`commit
+ 2337 <http://wiki.powerdns.com/projects/trac/changeset/2337>`__).
+ Code typos in `commit
+ 2324 <http://wiki.powerdns.com/projects/trac/changeset/2324>`__
+ (closes `ticket
+ 296 <https://github.com/PowerDNS/pdns/issues/296>`__).
+- Manpage updates from Debian, provided by Matthijs Möhlmann. Content
+ in `commit
+ 2306 <http://wiki.powerdns.com/projects/trac/changeset/2306>`__.
+- pdnssec rectify-zone can now accept multiple zones at the same time.
+ Code in `commit
+ 2383 <http://wiki.powerdns.com/projects/trac/changeset/2383>`__.
+- As suggested in `ticket
+ 416 <https://github.com/PowerDNS/pdns/issues/416>`__, we now log the
+ SOA serial number after committing an AXFRed zone to the backend.
+ Code in `commit
+ 2385 <http://wiki.powerdns.com/projects/trac/changeset/2385>`__.
+- Pick up location of sqlite3 libraries using pkg-config. Implemented
+ using a variation of the patch found in the, now closed, `ticket
+ 380 <https://github.com/PowerDNS/pdns/issues/380>`__. Code in `commit
+ 2386 <http://wiki.powerdns.com/projects/trac/changeset/2386>`__.
+- Documented 'pdnssec ^^verbose' flag is now accepted. Code in `commit
+ 2384 <http://wiki.powerdns.com/projects/trac/changeset/2384>`__,
+ closing `ticket 404 <https://github.com/PowerDNS/pdns/issues/404>`__.
+- 'pdnssec ^^help' now lists all supported signing algorithms.
+ Suggested by Jose Arthur Benetasso Villanova.
+- PIPE backend example script with edns-subnet support was improved to
+ actually use edns-subnet field. Plus update PIPE backend
+ documentation. Code in `commit
+ 2285 <http://wiki.powerdns.com/projects/trac/changeset/2285>`__, more
+ documentation regarding MX and SRV in `commit
+ 2313 <http://wiki.powerdns.com/projects/trac/changeset/2313>`__.
+- edns-subnet fields now also output in logfile when available (`commit
+ 2321 <http://wiki.powerdns.com/projects/trac/changeset/2321>`__).
+- When running with virtualized configuration files, we now allow
+ dashes in the configuration name. Suggested by Marc Haber, code in
+ `commit
+ 2295 <http://wiki.powerdns.com/projects/trac/changeset/2295>`__.
+ Further fixes by Brielle Bruns in `commit
+ 2327 <http://wiki.powerdns.com/projects/trac/changeset/2327>`__.
+- Compilation fixes for GNU/Hurd in `commit
+ 2307 <http://wiki.powerdns.com/projects/trac/changeset/2307>`__ via
+ Matthijs Möhlmann.
+- Marc Haber improved our Debian packaging scripts for smoother
+ upgrades. Code in `commit
+ 2315 <http://wiki.powerdns.com/projects/trac/changeset/2315>`__.
+- When failing to bind to an IP address, report to which one it failed.
+ `commit
+ 2325 <http://wiki.powerdns.com/projects/trac/changeset/2325>`__.
+- Supermaster checks were performed synchronously, leading to the
+ possibilities of slowdowns. Fixed in `commit
+ 2402 <http://wiki.powerdns.com/projects/trac/changeset/2402>`__.
+
+Other changes
+^^^^^^^^^^^^^
+
+- Removed the deprecated non-generic mysqlbackend, in `commit
+ 2488 <http://wiki.powerdns.com/projects/trac/changeset/2488>`__,
+ `commit
+ 2514 <http://wiki.powerdns.com/projects/trac/changeset/2514>`__,
+ `commit
+ 2515 <http://wiki.powerdns.com/projects/trac/changeset/2515>`__.
+- Removed the deprecated 'pdnsbackend', in `commit
+ 2490 <http://wiki.powerdns.com/projects/trac/changeset/2490>`__,
+ `commit
+ 2516 <http://wiki.powerdns.com/projects/trac/changeset/2516>`__.
+- Removed GRANT statements from the gpgsql schema, as we can't assume
+ they will work for everyone. Change in `commit
+ 2493 <http://wiki.powerdns.com/projects/trac/changeset/2493>`__.
+ Tickets closed but not associated with a commit
+- `ticket 125 <https://github.com/PowerDNS/pdns/issues/125>`__:
+ "PowerDNS offers wild card info. when it is not queried for."
+- `ticket 219 <https://github.com/PowerDNS/pdns/issues/219>`__: "Accept
+ NOTIFY from masters on non-standard port"
+- `ticket 247 <https://github.com/PowerDNS/pdns/issues/247>`__: "pdns
+ caching weirdness with recursion-desired flag"
+- `ticket 253 <https://github.com/PowerDNS/pdns/issues/253>`__: "bind
+ backend crashes on long comment line in included file"
+- `ticket 271 <https://github.com/PowerDNS/pdns/issues/271>`__:
+ "PowerDNS Server responding with out-of-zone authority section in
+ case there is a cname"
+- `ticket 304 <https://github.com/PowerDNS/pdns/issues/304>`__:
+ "also-notify option for pdns, also gives also-notify for
+ bindbackend."
+- `ticket 311 <https://github.com/PowerDNS/pdns/issues/311>`__:
+ "PowerDNSSEC responding with SERVFAIL upon IN A query for a CNAME"
+- `ticket 325 <https://github.com/PowerDNS/pdns/issues/325>`__: "CNAME
+ working strange!"
+- `ticket 376 <https://github.com/PowerDNS/pdns/issues/376>`__: "Unable
+ to create long TXT records"
+- `ticket 412 <https://github.com/PowerDNS/pdns/issues/412>`__:
+ "^^without-lua doesn't disable lua"
+- `ticket 415 <https://github.com/PowerDNS/pdns/issues/415>`__:
+ "Signing thread died during AXFR of signed domain"
+- `ticket 422 <https://github.com/PowerDNS/pdns/issues/422>`__:
+ "ecdsa256 keys bug"
+
+Authoritative Server version 2.9.22.6
+-------------------------------------
+
+**Warning**: The 2.9.22.x series of releases is end-of-life and
+unsupported. It contains many issues and potential security problems. We
+urge you to upgrade to a recent version of PowerDNS!
+
+The improvements to the master/slave engine in 2.9.22.5 contained one
+serious bug that can cause crashes on busy setups. 2.9.22.6 fixes this
+crash.
+
+ Authoritative Server version 2.9.22.5
+--------------------------------------
+
+**Warning**: The 2.9.22.x series of releases is end-of-life and
+unsupported. It contains many issues and potential security problems. We
+urge you to upgrade to a recent version of PowerDNS!
+
+2.9.22.5 is an interim release for those not yet ready to make the jump
+to 3.0, but do need a more recent version of the Authoritative Server.
+It also contains the patch from `PowerDNS Security Advisory
+2012-01 <security/powerdns-advisory-2012-01.md>`__.
+
+- Improved performance of master/slave engine, especially when hosting
+ tens or hundreds of thousands of slave zones. Code in commits
+ `1657 <http://wiki.powerdns.com/projects/trac/changeset/1657>`__,
+ `1658 <http://wiki.powerdns.com/projects/trac/changeset/1658>`__,
+ `1661 <http://wiki.powerdns.com/projects/trac/changeset/1661>`__
+ (which also brings multi-master support),
+ `1662 <http://wiki.powerdns.com/projects/trac/changeset/1662>`__
+ (non-standard ports for masters),
+ `1664 <http://wiki.powerdns.com/projects/trac/changeset/1664>`__,
+ `1665 <http://wiki.powerdns.com/projects/trac/changeset/1665>`__,
+ `1666 <http://wiki.powerdns.com/projects/trac/changeset/1666>`__,
+ `1667 <http://wiki.powerdns.com/projects/trac/changeset/1667>`__,
+ `1672 <http://wiki.powerdns.com/projects/trac/changeset/1672>`__,
+ `1673 <http://wiki.powerdns.com/projects/trac/changeset/1673>`__,
+ `2063 <http://wiki.powerdns.com/projects/trac/changeset/2063>`__).
+- Compilation fixes for more modern compilers (`commit
+ 1660 <http://wiki.powerdns.com/projects/trac/changeset/1660>`__,
+ `commit
+ 1694 <http://wiki.powerdns.com/projects/trac/changeset/1694>`__)
+- Don't crash on communication error with pdns\_control (`commit
+ 2015 <http://wiki.powerdns.com/projects/trac/changeset/2015>`__).
+- Packet cache fixes for UltraSPARC (`commit
+ 1663 <http://wiki.powerdns.com/projects/trac/changeset/1663>`__)
+- Fix crashes in the BIND backend (`commit
+ 1693 <http://wiki.powerdns.com/projects/trac/changeset/1693>`__,
+ `commit
+ 1692 <http://wiki.powerdns.com/projects/trac/changeset/1692>`__)
+
+PowerDNS Authoritative Server 3.0.1
+-----------------------------------
+
+**Warning**: The DNSSEC implementation of PowerDNS Authoritative Server
+3.0 and 3.0.1 contains many issues regarding CNAMES, wildcards and
+(in)secure delegations. If you use any of these, and you use DNSSEC you
+MUST upgrade to 3.1 or beyond!
+
+3.0.1 consists of 3.0, plus the patch from `PowerDNS Security Advisory
+2012-01 <security/powerdns-advisory-2012-01.md>`__
+
+PowerDNS Authoritative Server 3.0
+---------------------------------
+
+Released on the 22nd of July 2011 RC1 released on the 4th of April 2011
+RC2 released on the 19th of April 2011 RC3 released on the 19th of July
+2011
+
+**Warning**: Version 3.0 of the PowerDNS Authoritative Server is a major
+upgrade if you are coming from 2.9.x. Please refer to the `Upgrade
+documentation <authoritative/upgrading.md>`__ for important information
+on correct and stable operation, as well as notes on performance and
+memory use.
+
+**Warning**: The DNSSEC implementation of PowerDNS Authoritative Server
+3.0 and 3.0.1 contains many issues regarding CNAMES, wildcards and
+(in)secure delegations. If you use any of these, and you use DNSSEC you
+MUST upgrade to 3.1 or beyond!
+
+Version 3.0 of the PowerDNS Authoritative Server brings a number of
+important features, as well as over two years of accumulated bug fixing.
+
+The largest news in 3.0 is of course the advent of DNSSEC. Not only does
+PowerDNS now (finally) support DNSSEC, we think that our support of this
+important protocol is among the easiest to use available. In addition,
+all important algorithms are supported.
+
+Complete detail can be found in `Serving authoritative DNSSEC
+data <authoritative/dnssec.md>`__. The goal of 'PowerDNSSEC' is to allow
+existing PowerDNS installations to start serving DNSSEC with as little
+hassle as possible, while maintaining performance and achieving high
+levels of security.
+
+Tutorials and examples of how to use DNSSEC in PowerDNS can be found
+linked from http://powerdnssec.org.
+
+PowerDNS Authoritative Server 3.0 development has been made possible by
+the financial and moral support of
+
+- `AFNIC, the French registry <http://www.afnic.fr/>`__
+- `IPCom's RcodeZero Anycast
+ DNS <http://www.ipcom.at/en/dns/rcodezero_anycast/>`__, a subsidiary
+ of NIC.AT, the Austrian registry
+- `SIDN, the Dutch registry <http://www.sidn.nl/>`__
+- .. (awaiting details) ..
+
+This release has received exceptional levels of community support, and
+we'd like to thank the following people in addition to those mentioned
+explicitly below: Peter Koch (DENIC), Olaf Kolkman (NLNetLabs), Wouter
+Wijngaards (NLNetLabs), Marco Davids (SIDN), Markus Travaille (SIDN),
+Leen Besselink, Antoin Verschuren (SIDN), Olafur Guðmundsson (IETF), Dan
+Kaminsky (Recursion Ventures), Roy Arends (Nominet), Miek Gieben (SIDN),
+Stephane Bortzmeyer (AFNIC), Michael Braunoeder (nic.at), Peter van
+Dijk, Maik Zumstrull, Jose Arthur Benetasso Villanova (Locaweb), Stefan
+Schmidt, Roland van Rijswijk (Surfnet), Paul Bakker (Brainspark/Fox-IT),
+Mathew Hennessy, Johannes Kuehrer (Austrian World4You GmbH), Marc van de
+Geijn (bHosted.nl), Stefan Arentz and Martin van Hensbergen (Fox-IT),
+Christof Meerwald, Detlef Peeters, Jack Lloyd, Frank Altpeter, Fredrik
+Danerklint, Vasiliy G Tolstov, Brielle Bruns, Evan Hunt, Ralf van der
+Enden, Marc Laros, Serge Belyshev, Christian Hofstaedtler, Charlie
+Smurthwaite, Nikolaos Milas, ..
+
+Known issues as of RC3
+^^^^^^^^^^^^^^^^^^^^^^
+
+- Not all new features are fully documented yet
+
+Changes between RC3 and final
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+- Slight tweak to the pipebackend to ease DNSSEC operations (`commit
+ 2239 <http://wiki.powerdns.com/projects/trac/changeset/2239>`__,
+ `commit
+ 2247 <http://wiki.powerdns.com/projects/trac/changeset/2247>`__).
+ Also fix pipebackend support in pdnssec tool (`commit
+ 2244 <http://wiki.powerdns.com/projects/trac/changeset/2244>`__).
+- Upgrade the experimental native Lua backend to the latest version
+ from Fredrik Danerklint (`commit
+ 2240 <http://wiki.powerdns.com/projects/trac/changeset/2240>`__) and
+ include this backend in the .deb packages (`commit
+ 2242 <http://wiki.powerdns.com/projects/trac/changeset/2242>`__)
+- Remove IPv6 dependency, it was only possible to run master/slave
+ operations on a server with at least one IPv6 address. Some very old
+ virtualized setups turned out to have no IPv6 at all. Fix in `commit
+ 2246 <http://wiki.powerdns.com/projects/trac/changeset/2246>`__.
+
+Changes between RC2 and RC3
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+- PowerDNS Authoritative Server could not be configured to use an IPv6
+ based resolving backend. Solved in `commit
+ 2191 <http://wiki.powerdns.com/projects/trac/changeset/2191>`__.
+- LDAP backend reconfigured the timezone (TZ) setting of the daemon,
+ leading to confusing logfile entries. Fixed by Christian Hofstaedtler
+ in `commit
+ 2913 <http://wiki.powerdns.com/projects/trac/changeset/2913>`__,
+ closing `ticket 313 <https://github.com/PowerDNS/pdns/issues/313>`__.
+- Non-DNSSEC capable backends could crash on DNSSEC queries. Fixed in
+ `commit
+ 2194 <http://wiki.powerdns.com/projects/trac/changeset/2194>`__ and
+ `commit
+ 2196 <http://wiki.powerdns.com/projects/trac/changeset/2196>`__
+ (thanks to Charlie Smurthwaite) closing `ticket
+ 360 <https://github.com/PowerDNS/pdns/issues/360>`__.
+- Errors looking up a UID or GID were reported confusingly ('Success'),
+ fixed in `commit
+ 2195 <http://wiki.powerdns.com/projects/trac/changeset/2195>`__,
+ closing `ticket 359 <https://github.com/PowerDNS/pdns/issues/359>`__.
+- Fix compilation against older MySQL, client libraries (`commit
+ 2198 <http://wiki.powerdns.com/projects/trac/changeset/2198>`__,
+ `commit
+ 2199 <http://wiki.powerdns.com/projects/trac/changeset/2199>`__,
+ `commit
+ 2204 <http://wiki.powerdns.com/projects/trac/changeset/2204>`__),
+ especially for older RHEL/CentOS. Also addresses the failure to look
+ in lib64 directory for PostgreSQL.
+- Sqlite3 needs write access not just to its database file, but also to
+ the directory it is in. If this wasn't the case, no useful error
+ message was provided. Improvement in `commit
+ 2202 <http://wiki.powerdns.com/projects/trac/changeset/2202>`__.
+- Update of MongoDB backend (`commit
+ 2203 <http://wiki.powerdns.com/projects/trac/changeset/2203>`__,
+ `commit
+ 2212 <http://wiki.powerdns.com/projects/trac/changeset/2212>`__).
+- 'pdnssec hash-zone-record' emitted an inverted warning about narrow
+ NSEC3 hashes. Spotted by Jan-Piet Mens, fix in `commit
+ 2205 <http://wiki.powerdns.com/projects/trac/changeset/2205>`__.
+- PowerDNS can fill out default fields for SOA records, but neglected
+ to do so if the SOA record was matched by an incoming ANY question.
+ Spotted by Marc Laros & others. Fixes `ticket
+ 357 <https://github.com/PowerDNS/pdns/issues/357>`__, code in `commit
+ 2206 <http://wiki.powerdns.com/projects/trac/changeset/2206>`__.
+- PowerDNS would mistreat binary data in TXT records. Fix in `commit
+ 2207 <http://wiki.powerdns.com/projects/trac/changeset/2207>`__.
+ Again spotted by Jan-Piet Mens. Closes `ticket
+ 356 <https://github.com/PowerDNS/pdns/issues/356>`__.
+- Add experimental Lua backend by our star contributor Fredrik
+ Danerklint. `commit
+ 2208 <http://wiki.powerdns.com/projects/trac/changeset/2208>`__.
+- Christoph Meerwald discovered our RRSIG freshness checking checked
+ more than the intended RRSIG (on the SOA record). Fix in `commit
+ 2209 <http://wiki.powerdns.com/projects/trac/changeset/2209>`__.
+- Christoph Meerwald discovered we got confused by TSIG signed
+ EDNS-adorned queries, since we expected the EDNS OPT pseudorecord to
+ be the very last record. Fix in `commit
+ 2214 <http://wiki.powerdns.com/projects/trac/changeset/2214>`__.
+- Christoph Meerwald discovered that when using SOA outgoing editing we
+ would sign and THEN edit. This was not productive. Fixed in `commit
+ 2215 <http://wiki.powerdns.com/projects/trac/changeset/2215>`__.
+- Add missing-but-documented pdnssec command 'disable-dnssec'. Spotted
+ by Craig Whitmore. Plus fixed misleading ^^help output. Code in
+ `commit
+ 2216 <http://wiki.powerdns.com/projects/trac/changeset/2216>`__.
+- By popular demand, a tweak which makes an overloaded database no
+ longer restart PowerDNS but to drop queries until the database is
+ available again. Code in `commit
+ 2217 <http://wiki.powerdns.com/projects/trac/changeset/2217>`__,
+ lightly tested. Enable by setting 'overload-queue-length=100' (for
+ example).
+- By suggestion of Miek Gieben of SIDN, add SOA-EDIT mode 'EPOCH' which
+ sets the SOA serial number to the 'UNIX time'. Implemented in `commit
+ 2218 <http://wiki.powerdns.com/projects/trac/changeset/2218>`__.
+- Added some US export control & ECCN to documentation, needed because
+ of DNSSEC content. Update in `commit
+ 2219 <http://wiki.powerdns.com/projects/trac/changeset/2219>`__.
+- Fix up various spelling mistakes and badly formatted messages
+ (`commit
+ 2220 <http://wiki.powerdns.com/projects/trac/changeset/2220>`__ and
+ `commit
+ 2221 <http://wiki.powerdns.com/projects/trac/changeset/2221>`__) by
+ Maik Zumstrull and 'anonymous'.
+- After a lot of thought, we now handle CNAMEs to names outside our
+ knowledge ('bailiwick') exactly as in BIND 9.8.0, even though our way
+ was standards compliant too. It confused things. Update in `commit
+ 2222 <http://wiki.powerdns.com/projects/trac/changeset/2222>`__ and
+ `commit
+ 2224 <http://wiki.powerdns.com/projects/trac/changeset/2224>`__.
+- Tweak sqlite3 library location detection for newer Ubuntu versions.
+ Change in `commit
+ 2223 <http://wiki.powerdns.com/projects/trac/changeset/2223>`__.
+- DNSSEC SQL schema improvements allowing for the use of constraints
+ and foreign keys in `commit
+ 2225 <http://wiki.powerdns.com/projects/trac/changeset/2225>`__, by
+ Gerald Gruenberg, closing `ticket
+ 371 <https://github.com/PowerDNS/pdns/issues/371>`__.
+- Add support for EDNS option 'edns-subnet', based on
+ draft-vandergaast-edns-client-subnet (`commit
+ 2226 <http://wiki.powerdns.com/projects/trac/changeset/2226>`__,
+ `commit
+ 2228 <http://wiki.powerdns.com/projects/trac/changeset/2228>`__,
+ `commit
+ 2229 <http://wiki.powerdns.com/projects/trac/changeset/2229>`__,
+ `commit
+ 2230 <http://wiki.powerdns.com/projects/trac/changeset/2230>`__,
+ `commit
+ 2231 <http://wiki.powerdns.com/projects/trac/changeset/2231>`__,
+ `commit
+ 2233 <http://wiki.powerdns.com/projects/trac/changeset/2233>`__).
+- Zone2sql sent out the wrong 'COMMIT' statement in sqlite mode. In
+ addition, in this mode, zone2sql would not emit statements to update
+ the domains table unless the 'slave' setting was chosen. Code in
+ `commit
+ 2167 <http://wiki.powerdns.com/projects/trac/changeset/2167>`__.
+- We dropped the Authoritative Answer flag on an out-of-bailiwick CNAME
+ referral, which was unnecessary. Code in `commit
+ 2170 <http://wiki.powerdns.com/projects/trac/changeset/2170>`__.
+- Kees Monshouwer discovered that we failed to detect the location of
+ PostgreSQL on RHEL/CentOS. Fix in `commit
+ 2144 <http://wiki.powerdns.com/projects/trac/changeset/2144>`__. In
+ addition, `commit
+ 2162 <http://wiki.powerdns.com/projects/trac/changeset/2162>`__ eases
+ detection of MySQL on RHEL/CentOS 64 bits systems.
+- Marc Laros re-reported an old bug in the internally used 'pdns'
+ backend where details of the SOA record were not filled out
+ correctly. Resolved in `commit
+ 2145 <http://wiki.powerdns.com/projects/trac/changeset/2145>`__.
+- Jan-Piet Mens found that our TSIG signed SOA zone freshness check was
+ signed incorrectly. Fixed in `commit
+ 2147 <http://wiki.powerdns.com/projects/trac/changeset/2147>`__.
+ Improved error messages that helped debug this issue in `commit
+ 2148 <http://wiki.powerdns.com/projects/trac/changeset/2148>`__,
+ `commit
+ 2149 <http://wiki.powerdns.com/projects/trac/changeset/2149>`__.
+- Jan-Piet Mens helped debug an issue where some servers were "almost
+ always" unable to transfer a TSIG signed zone correctly. Turns out
+ that the TSIG signing code used an internal timestamp and not the
+ remote timestamp. Because of good NTP synchronization this quite
+ often was not a problem. Fix in `commit
+ 2159 <http://wiki.powerdns.com/projects/trac/changeset/2159>`__.
+- Thor Spruyt of Telenet discovered that the PowerDNS code would try to
+ emit DNS answers over TCP of over 65535 bytes long, which failed. We
+ now truncate such answers properly. Code in `commit
+ 2150 <http://wiki.powerdns.com/projects/trac/changeset/2150>`__.
+- The Slave engine now reuses an existing database connection, removing
+ the need to create a new database connection every minute (and worse,
+ log about it). Code in `commit
+ 2153 <http://wiki.powerdns.com/projects/trac/changeset/2153>`__.
+- Fix a potential Year 2106 bug in the TSIG signing code. Because we
+ care (`commit
+ 2156 <http://wiki.powerdns.com/projects/trac/changeset/2156>`__).
+- Added experimental support for the 'DANE' TLSA record which is used
+ to authenticate SSL certificates via DNSSEC. `commit
+ 2161 <http://wiki.powerdns.com/projects/trac/changeset/2161>`__.
+- Added experimental support for the MongoDB 'NoSQL' backend,
+ contributed by Fredrik Danerklint in `commit
+ 2162 <http://wiki.powerdns.com/projects/trac/changeset/2162>`__.
+
+Other major new features
+^^^^^^^^^^^^^^^^^^^^^^^^
+
+- TSIG for authorizing and authenticating AXFR requests & incoming zone
+ transfers (Code in
+ `2024 <http://wiki.powerdns.com/projects/trac/changeset/2024>`__,
+ `2025 <http://wiki.powerdns.com/projects/trac/changeset/2025>`__,
+ `2033 <http://wiki.powerdns.com/projects/trac/changeset/2033>`__,
+ `2034 <http://wiki.powerdns.com/projects/trac/changeset/2034>`__).
+ This allows for retrieving TSIG protected content, as well as serving
+ it.
+- Per zone also-notify.
+- MyDNS compatible backend, allowing for 'instantaneous' migration from
+ this authoritative nameserver. Code in `commit
+ 1418 <http://wiki.powerdns.com/projects/trac/changeset/1418>`__,
+ contributed by Jonathan Oddy.
+- PowerDNS can now slave zones over IPv6 and notify IPv6 remotes of
+ updates. Already. Code in `commit
+ 2009 <http://wiki.powerdns.com/projects/trac/changeset/2009>`__ and
+ beyond.
+- Lua based incoming zone editing, allowing masters or signing slaves
+ to add information to the zone they will (re-)serve. Implemented in
+ `commit
+ 2065 <http://wiki.powerdns.com/projects/trac/changeset/2065>`__. To
+ enable, use LUA-AXFR-SCRIPT zone metadata setting.
+- Native Oracle backend with full DNSSEC support. Contributed by Maik
+ Zumstrull, then at the Steinbuch Centre for Computing at the
+ Karlsruhe Institute of Technology.
+- "Also-notify" support, implemented by Aki Tuomi in `commit
+ 1400 <http://wiki.powerdns.com/projects/trac/changeset/1400>`__.
+ Support for Generic SQL backends and for the BIND backend. Further
+ code in `commit
+ 1360 <http://wiki.powerdns.com/projects/trac/changeset/1360>`__.
+- Support for binding to thousands of IP addresses, code in `commit
+ 1443 <http://wiki.powerdns.com/projects/trac/changeset/1443>`__.
+- Generic MySQL backend now supports stored procedures. Implemented in
+ `commit
+ 2084 <http://wiki.powerdns.com/projects/trac/changeset/2084>`__,
+ closing `ticket 231 <https://github.com/PowerDNS/pdns/issues/231>`__.
+- Generic ODBC backend compiles again, and is reported to work for some
+ users that need it. Code contributed in `ticket
+ 309 <https://github.com/PowerDNS/pdns/issues/309>`__, author unknown.
+- Massively parallel slaving infrastructure, able to check the
+ freshness of thousands of remote zones per second, plus perform many
+ incoming zone transfers simultaneously. Sponsored by Tyler Hall, code
+ in `1449 <http://wiki.powerdns.com/projects/trac/changeset/1449>`__,
+ `1500 <http://wiki.powerdns.com/projects/trac/changeset/1500>`__,
+ `1859 <http://wiki.powerdns.com/projects/trac/changeset/1859>`__
+- Core DNS logic replaced completely to deal with the brave new world
+ of DNSSEC.
+
+Bugs fixed
+^^^^^^^^^^
+
+- sqlite2 and sqlite3 backends used MySQL-style escaping, leading to
+ SQL errors in some cases. Discovered by Sten Spans. Fixed in `commit
+ 1342 <http://wiki.powerdns.com/projects/trac/changeset/1342>`__.
+- Internal webserver no longer prints '1e2%'. Bug rediscovered by Jeff
+ Sipek. Fixed in `commit
+ 1342 <http://wiki.powerdns.com/projects/trac/changeset/1342>`__.
+- PowerDNS would refuse to serve domain names with spaces in them, or
+ otherwise non-printable characters. Addressed in `commit
+ 2081 <http://wiki.powerdns.com/projects/trac/changeset/2081>`__.
+- PowerDNS can now serve escaped labels, as described by RFC 4343. Data
+ should be present in backends in that escaped form. Code in `commit
+ 2089 <http://wiki.powerdns.com/projects/trac/changeset/2089>`__.
+- In some cases, we would include duplicate CNAMEs. In addition, we
+ would hand out a full root-referral when not configured to in some
+ cases (ticket `223 <https://github.com/PowerDNS/pdns/issues/223>`__).
+ Discovered by Andreas Jakum, fixed in `commit
+ 1344 <http://wiki.powerdns.com/projects/trac/changeset/1344>`__.
+- Shane Kerr discovered we would corrupt DNS transaction IDs from the
+ packet cache on big endian systems. Fix in `commit
+ 1346 <http://wiki.powerdns.com/projects/trac/changeset/1346>`__,
+ closing `ticket 222 <https://github.com/PowerDNS/pdns/issues/222>`__.
+- PowerDNS did not use RFC 1982 serial arithmetic, leading to a SOA
+ serial number of 1 to be regarded as older than 4400000000, when in
+ fact it is 'newer'. Issue (re-)discovered by Jan-Piet Mens.
+- BIND backend got confused of a zone's file name changed after a
+ configuration reload. Fix in `commit
+ 1347 <http://wiki.powerdns.com/projects/trac/changeset/1347>`__,
+ closing `ticket 228 <https://github.com/PowerDNS/pdns/issues/228>`__.
+- When restarted by the Guardian, PowerDNS will perform a full
+ multi-threaded cache cleanup, which took a long time and could crash.
+ Fix in `commit
+ 1364 <http://wiki.powerdns.com/projects/trac/changeset/1364>`__.
+- Under artificial circumstances, PowerDNS would never clean its packet
+ cache. Found by Marcus Goller, fix in `commit
+ 1399 <http://wiki.powerdns.com/projects/trac/changeset/1399>`__ and
+ `commit
+ 1408 <http://wiki.powerdns.com/projects/trac/changeset/1408>`__. This
+ update also retunes the cleanup frequency.
+- Packetcache would cache things it should not have been caching. Fixes
+ in commits
+ `1407 <http://wiki.powerdns.com/projects/trac/changeset/1407>`__,
+ `1488 <http://wiki.powerdns.com/projects/trac/changeset/1488>`__,
+ `1869 <http://wiki.powerdns.com/projects/trac/changeset/1869>`__,
+ `1880 <http://wiki.powerdns.com/projects/trac/changeset/1880>`__
+- When processing incoming notifications, the BIND backend was
+ case-sensitive, and would disregard notifications in the wrong case.
+ Discovered by 'Dolphin', fix in `commit
+ 1420 <http://wiki.powerdns.com/projects/trac/changeset/1420>`__.
+- The init.d script did not mention the 'reload' command. Code in
+ `commit
+ 1463 <http://wiki.powerdns.com/projects/trac/changeset/1463>`__,
+ closes `ticket 233 <https://github.com/PowerDNS/pdns/issues/233>`__.
+- Generic SQL Backends would sometimes emit obscure error messages. Fix
+ in `commit
+ 2049 <http://wiki.powerdns.com/projects/trac/changeset/2049>`__.
+- PowerDNS would be confused by embedded NULs in domain names, and
+ would also mess up the escaping of some characters. Fix in `commit
+ 1468 <http://wiki.powerdns.com/projects/trac/changeset/1468>`__,
+ `commit
+ 1469 <http://wiki.powerdns.com/projects/trac/changeset/1469>`__,
+ `commit
+ 1478 <http://wiki.powerdns.com/projects/trac/changeset/1478>`__,
+ `commit
+ 1480 <http://wiki.powerdns.com/projects/trac/changeset/1480>`__,
+- SOA queries for the name of a delegation point were not referred. Fix
+ in `commit
+ 1466 <http://wiki.powerdns.com/projects/trac/changeset/1466>`__,
+ closing `ticket 224 <https://github.com/PowerDNS/pdns/issues/224>`__.
+ In addition, queries for AAAA for a CNAMEd record pointing to a name
+ with no AAAA would deliver a direct SOA, without the CNAME in
+ between. Fix in `commit
+ 1542 <http://wiki.powerdns.com/projects/trac/changeset/1542>`__,
+ `commit
+ 1607 <http://wiki.powerdns.com/projects/trac/changeset/1607>`__.
+ Also, wildcard CNAMEs pointing to a record without the type requested
+ suffered from the same issue, fix in `commit
+ 1543 <http://wiki.powerdns.com/projects/trac/changeset/1543>`__.
+- On processing an incoming AXFR, once an MX or SRV record had been
+ seen, all future fields got a 'priority' entry as well. This had no
+ operational impact, but looked messy. Fixed in `commit
+ 1437 <http://wiki.powerdns.com/projects/trac/changeset/1437>`__.
+- Aki Tuomi discovered that the BIND zone file parser would
+ misrepresent 'something IN MX 15 @'. Fix in `commit
+ 1621 <http://wiki.powerdns.com/projects/trac/changeset/1621>`__.
+- Marco Davids discovered the BIND zone file parser would trip over
+ really long lines. Fix in `commit
+ 1624 <http://wiki.powerdns.com/projects/trac/changeset/1624>`__,
+ `commit
+ 1625 <http://wiki.powerdns.com/projects/trac/changeset/1625>`__.
+- Thomas Mieslinger discovered that our webserver would only be started
+ after dropping privileges, which could cause problems. Fix in `commit
+ 1629 <http://wiki.powerdns.com/projects/trac/changeset/1629>`__.
+- Zone2sql did quite often not do exactly what was required, which
+ users fixed by editing the SQL output. Revamped in `commit
+ 2032 <http://wiki.powerdns.com/projects/trac/changeset/2032>`__.
+- An Ubuntu user discovered in Launchpad bug 600479 that restarting
+ database threads cost a lot of memory. Normally this is rare, except
+ in case of problems. Addressed in `commit
+ 1676 <http://wiki.powerdns.com/projects/trac/changeset/1676>`__.
+- BIND backend could crash under (very) high load with very large
+ numbers of zones (hundreds of thousands). Fixed in `commit
+ 1690 <http://wiki.powerdns.com/projects/trac/changeset/1690>`__.
+- Miek Gieben and Marco Davids spotted that PowerDNS would answer the
+ version.bind query in the IN class too. Bug reported via twitter! Fix
+ in `commit
+ 1709 <http://wiki.powerdns.com/projects/trac/changeset/1709>`__.
+- Marcus Lauer and the OpenDNSSEC project discovered that outgoing
+ notifications did not carry the 'aa' flag. Fixed in `commit
+ 1746 <http://wiki.powerdns.com/projects/trac/changeset/1746>`__.
+- Debugging PowerDNS, or backgrounding it, could cause crashes. Fixed
+ by Anders Kaseorg in `commit
+ 1747 <http://wiki.powerdns.com/projects/trac/changeset/1747>`__.
+- Fixed a bug that could cause crashes on launching thousands of
+ backend connections. Never observed to occur, but who knows. Fix in
+ `commit
+ 1792 <http://wiki.powerdns.com/projects/trac/changeset/1792>`__.
+- Under some circumstances, large answers could be truncated in
+ mid-record. While technically legal, this upset a number of resolver
+ implementations (including the PowerDNS Recursor!). Fixed in `commit
+ 1830 <http://wiki.powerdns.com/projects/trac/changeset/1830>`__,
+ re-closes `ticket
+ 200 <https://github.com/PowerDNS/pdns/issues/200>`__.
+- Jan Piet Mens and Florian Weimer discovered we had problems dealing
+ with escaped labels and escaped TXT fields. Fixed in `commit
+ 2000 <http://wiki.powerdns.com/projects/trac/changeset/2000>`__.
+- After 2.2 billion queries, statistics would wrap oddly. Fix in
+ `commit
+ 2019 <http://wiki.powerdns.com/projects/trac/changeset/2019>`__,
+ closing `ticket 327 <https://github.com/PowerDNS/pdns/issues/327>`__.
+
+Improvements
+^^^^^^^^^^^^
+
+- Long TXT records are now split into 255-byte components
+ automatically. Implemented in `commit
+ 1340 <http://wiki.powerdns.com/projects/trac/changeset/1340>`__,
+ reported by Darren Gamble in `ticket
+ 188 <https://github.com/PowerDNS/pdns/issues/188>`__.
+- When receiving large numbers of notifications, PowerDNS would check
+ these synchronously, leading to a slowdown for other services. Fixed
+ in `commit
+ 2058 <http://wiki.powerdns.com/projects/trac/changeset/2058>`__,
+ problem diagnosed by Richard Poole of Heart Internet.
+- Fixed compilation on newer compilers and newer versions of Boost.
+ Changes in
+ `1345 <http://wiki.powerdns.com/projects/trac/changeset/1345>`__
+ (closes `ticket
+ 227 <https://github.com/PowerDNS/pdns/issues/227>`__),
+ `1391 <http://wiki.powerdns.com/projects/trac/changeset/1391>`__,
+ `1394 <http://wiki.powerdns.com/projects/trac/changeset/1394>`__,
+ `1425 <http://wiki.powerdns.com/projects/trac/changeset/1425>`__,
+ `1427 <http://wiki.powerdns.com/projects/trac/changeset/1427>`__,
+ `1428 <http://wiki.powerdns.com/projects/trac/changeset/1428>`__,
+ `1429 <http://wiki.powerdns.com/projects/trac/changeset/1429>`__,
+ `1440 <http://wiki.powerdns.com/projects/trac/changeset/1440>`__,
+ `1653 <http://wiki.powerdns.com/projects/trac/changeset/1653>`__,
+ thanks to Ruben Kerkhof and others.
+- Moved Generic PostgreSQL backend over to the newer E'' style escapes.
+ `commit
+ 2094 <http://wiki.powerdns.com/projects/trac/changeset/2094>`__.
+- Compilation fixes for Mac OS X 10.5.7 in `commit
+ 1389 <http://wiki.powerdns.com/projects/trac/changeset/1389>`__,
+ thanks to Tobias Markmann.
+- We can now bind to scoped IPv6 addresses, lack spotted by Darren
+ Gamble. Part of the fix is in `commit
+ 2018 <http://wiki.powerdns.com/projects/trac/changeset/2018>`__.
+- Built-in query cache can now also cache queries which lead to
+ multiple answers. Code in `commit
+ 2069 <http://wiki.powerdns.com/projects/trac/changeset/2069>`__.
+- Prodded on by Jan Piet Mens, we now support 'unknown types' (which
+ look like TYPE65534).
+- Add 'slave-renotify' to retransmit notifies for slaved zones, which
+ is helpful when acting as a 'signing slave' for a hidden master. Code
+ in `commit
+ 1950 <http://wiki.powerdns.com/projects/trac/changeset/1950>`__.
+- No longer let zone2sql and zone2ldap import BIND 'hint' zones.
+ `commit
+ 1998 <http://wiki.powerdns.com/projects/trac/changeset/1998>`__.
+- Allow for timestamps to explicitly be specified in (s)econds. Code in
+ `commit
+ 1398 <http://wiki.powerdns.com/projects/trac/changeset/1398>`__,
+ closing `ticket 250 <https://github.com/PowerDNS/pdns/issues/250>`__.
+- Zones with URL and MBOXFW records can be transferred over AXFR, code
+ in `commit
+ 1464 <http://wiki.powerdns.com/projects/trac/changeset/1464>`__.
+- Maik Zumstrull cleaned up the BIND Backend makefile, plus taught our
+ init.d script to read /etc/default/pdns. Code in `commit
+ 1601 <http://wiki.powerdns.com/projects/trac/changeset/1601>`__,
+ `commit
+ 1602 <http://wiki.powerdns.com/projects/trac/changeset/1602>`__.
+- Generic SQL backends now support multiple masters in the domains
+ table. Code in `commit
+ 1857 <http://wiki.powerdns.com/projects/trac/changeset/1857>`__.
+ Additionally, masters can also have :port numbers. Code in `commit
+ 1858 <http://wiki.powerdns.com/projects/trac/changeset/1858>`__.
+
+Authoritative Server version 2.9.22
+-----------------------------------
+
+**Warning**: The 2.9.22.x series of releases is end-of-life and
+unsupported. It contains many issues and potential security problems. We
+urge you to upgrade to a recent version of PowerDNS!
+
+Released on the 27th of January 2009.
+
+This is a huge release, spanning almost 20 months of development.
+Besides fixing a lot of bugs, of note is the addition of the so called
+'Notification Proxy', which allows PowerDNS to function as a master
+server behind a firewall, plus the huge performance improvement of the
+internal caches.
+
+This work has been made possible by UPC Broadband and Directi,
+respectively.
+
+Finally, the release candidates of this version have been tested &
+improved by Jorn Ekkelenkamp, Ton van Rosmalen, Jeff Sipek, Tyler Hall,
+Christof Meerwald and Stefan Schmidt.
+
+Fixed between rc1 and rc2, but not an issue in 2.9.21.
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+- **pdns\_control ccounts** again outputs proper cache statistics.
+ Implemented in `commit
+ 1304 <http://wiki.powerdns.com/projects/trac/changeset/1304>`__.
+- Negative query caching was reinstated, leading to 6 times fewer
+ backend queries than rc1 on the Express.powerdns.com servers.
+- Packetcache no longer needlessly parses outgoing packets before
+ sending them.
+- Fancy records work again. This work has been sponsored by ISP
+ Services. Implemented in `commit
+ 1302 <http://wiki.powerdns.com/projects/trac/changeset/1302>`__ and
+ `commit
+ 1299 <http://wiki.powerdns.com/projects/trac/changeset/1299>`__.
+
+New features
+^^^^^^^^^^^^
+
+- **pdns\_control** can now also work over TCP/IP. Sponsored by
+ Directi. Commits
+ `1246 <http://wiki.powerdns.com/projects/trac/changeset/1246>`__,
+ `1251 <http://wiki.powerdns.com/projects/trac/changeset/1251>`__,
+ `1254 <http://wiki.powerdns.com/projects/trac/changeset/1254>`__,
+ `1255 <http://wiki.powerdns.com/projects/trac/changeset/1255>`__.
+- Implemented a notification proxy, see `"Notification proxy
+ (nproxy)" <tools/analysis.md#nproxy%22>`__. This work was sponsored
+ by UPC Broadband. Implemented in commits
+ `1075 <http://wiki.powerdns.com/projects/trac/changeset/1075>`__,
+ `1077 <http://wiki.powerdns.com/projects/trac/changeset/1077>`__,
+ `1082 <http://wiki.powerdns.com/projects/trac/changeset/1082>`__,
+ `1083 <http://wiki.powerdns.com/projects/trac/changeset/1083>`__,
+ `1085 <http://wiki.powerdns.com/projects/trac/changeset/1085>`__ and
+ `1086 <http://wiki.powerdns.com/projects/trac/changeset/1086>`__.
+- IXFR queries are now supported in the sense that we treat them as
+ AXFR queries, silencing warnings in other nameservers. Suggested in
+ `ticket 131 <https://github.com/PowerDNS/pdns/issues/131>`__.
+- The PIPE backend has been extended by David Apgar to allow the
+ reporting of errors using the 'FAIL' command, plus support for
+ responses with whitespace. Implemented in `commit
+ 1114 <http://wiki.powerdns.com/projects/trac/changeset/1114>`__.
+- PowerDNS Authoritative server now parses incoming EDNS options, like
+ maximum allowed packet size. Implemented in `commit
+ 1123 <http://wiki.powerdns.com/projects/trac/changeset/1123>`__ and
+ `commit
+ 1281 <http://wiki.powerdns.com/projects/trac/changeset/1281>`__.
+- Added support for DHCID, IPSECKEY and KX records, thanks Norbert
+ Sendetzky for the hint. Implemented in `commit
+ 1144 <http://wiki.powerdns.com/projects/trac/changeset/1144>`__.
+- Norbert Sendetzky has has added support for all record types
+ supported by PowerDNS to the LDAPBackend. Furthermore, the detection
+ of OpenLDAP in autoconf has been improved. Finally, debian has
+ supplied some fixes to PowerLDAP. Implemented in `commit
+ 1152 <http://wiki.powerdns.com/projects/trac/changeset/1152>`__ and
+ `commit
+ 1153 <http://wiki.powerdns.com/projects/trac/changeset/1153>`__.
+- Implemented EDNS NSID option for retrieving the nameserver ID out of
+ band. Defaults to hostname, can be specified using the **server-id**
+ setting. Code in `commit
+ 1232 <http://wiki.powerdns.com/projects/trac/changeset/1232>`__.
+- Implemented experimental EDNS PING for enhanced forgery resilience.
+ Code in `commit
+ 1232 <http://wiki.powerdns.com/projects/trac/changeset/1232>`__.
+
+Performance
+^^^^^^^^^^^
+
+- Improve packet generation performance, in some cases by 25%. Code in
+ `1258 <http://wiki.powerdns.com/projects/trac/changeset/1258>`__,
+ `1259 <http://wiki.powerdns.com/projects/trac/changeset/1259>`__.
+- Improved access list checking performance. `commit
+ 1261 <http://wiki.powerdns.com/projects/trac/changeset/1261>`__.
+- PowerDNS Authoritative caches were completely redone, and are now
+ based on the same cache that is in the resolver. This work has been
+ sponsored by Directi. In large benchmarks, PowerDNS performance has
+ improved by an order of magnitude or more. This new version allows
+ for near-instantaneous cache purging, plus very rapid purging based
+ on suffix. Purge commands can also be batched. This work is partially
+ based on an innovative reverse-string comparison function authored by
+ Aki Tuomi.
+- Installations which run with very high cache hitrates can now benefit
+ from multiple CPUs by setting **receiver-threads** to the number of
+ desired CPUs to utilize in cache operations. Implemented in `commit
+ 1316 <http://wiki.powerdns.com/projects/trac/changeset/1316>`__.
+- BIND backend speedups in `commit
+ 1108 <http://wiki.powerdns.com/projects/trac/changeset/1108>`__,
+ measured at around a 20% improvement, possibly more on very large
+ setups.
+
+Bugs fixed
+^^^^^^^^^^
+
+- Tyler Hall discovered the PowerDNS configuration file parser had
+ problems with trailing tabs. This turned out to be a wider problem in
+ PowerDNS. Buggy code replaced by a library call in `commit
+ 1237 <http://wiki.powerdns.com/projects/trac/changeset/1237>`__ and
+ `commit
+ 1240 <http://wiki.powerdns.com/projects/trac/changeset/1240>`__.
+- David Apgar of Yahoo discovered that our 'guardian' method of
+ restarting PowerDNS in case of problems was not fool proof, and
+ submitted a fix. A variation of this fix can be found in `commit
+ 1323 <http://wiki.powerdns.com/projects/trac/changeset/1323>`__. Also
+ reported by Directi.
+- Connection reset by peer events in the TCP nameserver no longer lead
+ to the cycling of database connections. Code in `commit
+ 1241 <http://wiki.powerdns.com/projects/trac/changeset/1241>`__.
+- FreeBSD compilation with Generic PostgreSQL backend was fixed.
+ Reported by Wouter de Jong of WideXS, fixed in `commit
+ 1305 <http://wiki.powerdns.com/projects/trac/changeset/1305>`__,
+ closes `ticket 95 <https://github.com/PowerDNS/pdns/issues/95>`__.
+- Webserver no longer prints '1e2%'. Finally closes `ticket
+ 26 <https://github.com/PowerDNS/pdns/issues/26>`__. Much friendly
+ nagging for over 3 years by Jeff Sipek, code in `commit
+ 1303 <http://wiki.powerdns.com/projects/trac/changeset/1303>`__.
+- PowerDNS used to ignore certain queries it could not answer. These
+ queries are no longer ignored, but get a SERVFAIL response.
+ Implemented in `commit
+ 1239 <http://wiki.powerdns.com/projects/trac/changeset/1239>`__.
+- Fix subtle CNAME and wildcard interactions reported by 'zzyzz',
+ implemented in `commit
+ 1147 <http://wiki.powerdns.com/projects/trac/changeset/1147>`__.
+- The generic backends did not honour the **default-ttl** setting.
+ Spotted and implemented by Matti Hiljanen.
+- Matti Hiljanen discovered that the OpenDBX backend did not fill out
+ the SOA ttl value properly. Matti also improved the SQL statements
+ for better compatibility. Implemented in `commit
+ 1181 <http://wiki.powerdns.com/projects/trac/changeset/1181>`__.
+- Treat invalid WWW requests better. Spotted by Maikel Verheijen,
+ implemented in `commit
+ 1092 <http://wiki.powerdns.com/projects/trac/changeset/1092>`__.
+- Documentation errors and typos, spotted by Marco Davids (`commit
+ 1097 <http://wiki.powerdns.com/projects/trac/changeset/1097>`__) and
+ Rejo Zengers (`commit
+ 1119 <http://wiki.powerdns.com/projects/trac/changeset/1119>`__)
+- Properly fill out the 'recursion available'-flag. Spotted by Augie
+ Schwer in `ticket
+ 167 <https://github.com/PowerDNS/pdns/issues/167>`__.
+- Several memory leaks on bad data in the database or other errors have
+ been fixed. Addressed in
+ `1078 <http://wiki.powerdns.com/projects/trac/changeset/1078>`__ and
+ `1079 <http://wiki.powerdns.com/projects/trac/changeset/1079>`__.
+- In contravention to the documentation, the domain type as specified
+ in the database ('MASTER', 'SLAVE' or 'NATIVE') was interpreted case
+ sensitively.
+ `1084 <http://wiki.powerdns.com/projects/trac/changeset/1084>`__.
+- BIND backend could crash on processing information about slave zones
+ to be checked. Spotted by Stefan Schmidt, fixed in
+ `1089 <http://wiki.powerdns.com/projects/trac/changeset/1089>`__.
+- Jelte Jansen of Stichting NLNetLabs discovered PowerDNS in BIND mode
+ couldn't operate as a root-server! Fixed in
+ `1057 <http://wiki.powerdns.com/projects/trac/changeset/1057>`__.
+- 'DPS' discovered there was a rare opportunity for PowerDNS to lock up
+ waiting for new data. Addressed in
+ `1076 <http://wiki.powerdns.com/projects/trac/changeset/1076>`__.
+- Make singlethreaded mode more resilient against errors. `commit
+ 1272 <http://wiki.powerdns.com/projects/trac/changeset/1272>`__.
+- DNSSEC records were part of 2.9.21, but were not actually hooked up.
+ Please note that while PowerDNS can serve most DNSSEC records, it
+ does not do DNSSEC processing. Implemented in
+ `1046 <http://wiki.powerdns.com/projects/trac/changeset/1046>`__.
+- Shawn Starr migrated all his domains to PowerDNS in one evening, from
+ an installation that had been used since BIND4. In doing so, he found
+ 3 bugs in as many hours. An **IN** statement in the BIND
+ ``named.conf`` with a zone with a trailing dot was misparsed, fixed
+ in `commit
+ 1233 <http://wiki.powerdns.com/projects/trac/changeset/1233>`__.
+ Secondly, the zone file parser tripped over a line consisting of
+ nothing but comments in the wrong place. Finally '$ORIGIN .' was
+ misparsed. Last two issues fixed in `commit
+ 1234 <http://wiki.powerdns.com/projects/trac/changeset/1234>`__.
+- Our statistics counters did not wrap correctly after the 2.15 billion
+ mark. Spotted by Stefan Schmidt, reported in `ticket
+ 179 <https://github.com/PowerDNS/pdns/issues/179>`__, fixed in
+ `commit
+ 1284 <http://wiki.powerdns.com/projects/trac/changeset/1284>`__.
+- Bindbackend could sometimes generate very strange error messages
+ while processing a malformed zone file. Sometimes such error messages
+ could cause a crash (reported on HP-UX). Addressed by `commit
+ 1279 <http://wiki.powerdns.com/projects/trac/changeset/1279>`__. This
+ could not be triggered remotely. Closes ticket `ticket
+ 203 <https://github.com/PowerDNS/pdns/issues/203>`__.
+- Pipe backend did not clean up killed coprocesses. Found and fixed by
+ Daniel Drown
+- Installations with tens of thousands of slave domains would never
+ complete the cycle to check the freshness of all zones as each
+ incoming notification disrupted this cycle. Addressed in cooperation
+ with Tyler Hall of EditDNS.
+
+Improvements
+^^^^^^^^^^^^
+
+- Zone parser improvements mean $TTL and $INCLUDES now work a lot
+ better. Implemented in
+ `1056 <http://wiki.powerdns.com/projects/trac/changeset/1056>`__,
+ `1062 <http://wiki.powerdns.com/projects/trac/changeset/1062>`__.
+- No longer report temporary recvfrom errors, which used to spam the
+ log on many systems. Addressed in `commit
+ 1320 <http://wiki.powerdns.com/projects/trac/changeset/1320>`__.
+- Direct queries for 'fancy records' would lead to errors, such queries
+ now fail early. Spotted by Jorn Ekkelenkamp, implemented in
+ `1051 <http://wiki.powerdns.com/projects/trac/changeset/1051>`__.
+- Fix typo in geobackend, closing `ticket
+ 157 <https://github.com/PowerDNS/pdns/issues/157>`__, implemented in
+ `1090 <http://wiki.powerdns.com/projects/trac/changeset/1090>`__.
+- Initial work on TSIG support - not done yet. Spurred on by Marco
+ Davids.
+- Embarrassingly, the 'master' configuration setting was not documented
+ in the list of all settings!
+- Norbert has updated OpenDBX so that SQLite reads and writes no longer
+ deadlock, plus compilation fixes on Solaris, plus the addition of
+ autoserials to backends that support triggers. Implemented in `commit
+ 1154 <http://wiki.powerdns.com/projects/trac/changeset/1154>`__.
+- Random generator is now based on AES, improving the security of
+ certain proxy operations. This is the same random generator that is
+ in the recursor. Implemented in `commit
+ 1256 <http://wiki.powerdns.com/projects/trac/changeset/1256>`__.
+- Documentation for 'supermaster' mode was improved due to popular
+ demand.
+- When binding to a UDP port failed, supply a more precise error
+ message (`commit
+ 1245 <http://wiki.powerdns.com/projects/trac/changeset/1245>`__)
+- The zone parser error messages were vastly improved, partially
+ inspired by Shawn's cowboy migration. Code in `commit
+ 1235 <http://wiki.powerdns.com/projects/trac/changeset/1235>`__.
+- Labels are compressed more efficiently (case-insensitively), leading
+ to smaller packets. Implemented in `commit
+ 1156 <http://wiki.powerdns.com/projects/trac/changeset/1156>`__.
+- Fix handling of TCP timeouts to not cause a reload of the backends.
+ Implemented in `commit
+ 1092 <http://wiki.powerdns.com/projects/trac/changeset/1092>`__.
+- TCP Receiver no longer spams the log with common network errors.
+ Implemented in `commit
+ 1306 <http://wiki.powerdns.com/projects/trac/changeset/1306>`__.
+- Move from select() to poll()-based multiplexing, allowing PowerDNS to
+ listen on more than 1024 sockets simultaneously. One big PowerDNS
+ user needs this. Implemented in
+ `1072 <http://wiki.powerdns.com/projects/trac/changeset/1072>`__.
+- Zone2sql now reads source files in performance enhancing inode order.
+ Additionally, zone2sql no longer dies on a missing zone file if
+ **^^on-error-resume-next** was specified. Finally, statistics of
+ zone2sql conversion have been improved. Implemented in
+ `1055 <http://wiki.powerdns.com/projects/trac/changeset/1055>`__.
+- Address issues found by more recent g++ versions. Spotted and/or
+ fixed by Jorn Ekkelenkamp (`commit
+ 1051 <http://wiki.powerdns.com/projects/trac/changeset/1051>`__),
+ Marcus Rueckert (`commit
+ 1094 <http://wiki.powerdns.com/projects/trac/changeset/1094>`__),
+ Norbert Sendetzky (`commit
+ 1107 <http://wiki.powerdns.com/projects/trac/changeset/1107>`__),
+ Serge Belyshev (`commit
+ 1171 <http://wiki.powerdns.com/projects/trac/changeset/1171>`__).
+- The Intel C Compiler implements certain things differently, causing
+ the master/slave communicator to malfunction. Spotted by Marcus
+ Rueckert, implemented in
+ `1052 <http://wiki.powerdns.com/projects/trac/changeset/1052>`__,
+ plus fallout in
+ `1105 <http://wiki.powerdns.com/projects/trac/changeset/1105>`__.
+- PowerDNS can now be compiled with Boost 1.37.0.
+- Andre Lorbach of Adiscon discovered the Microsoft Windows 2003
+ nameserver adds out of zone data to zone transfers, which we need to
+ ignore, instead of rejecting the entire zone. Implemented in
+ `1048 <http://wiki.powerdns.com/projects/trac/changeset/1048>`__.
+- PowerDNS now skips remote master servers which consistently generate
+ timeout messages, improving the master checking cycle time
+ tremendously. Developed in cooperation with Tyler Hall. Implemented
+ in `commit
+ 1278 <http://wiki.powerdns.com/projects/trac/changeset/1278>`__.
+- When binding to a UDP port failed, supply a more precise error
+ message (`commit
+ 1245 <http://wiki.powerdns.com/projects/trac/changeset/1245>`__)
+- **dnsreplay** now waits for the final answers to arrive, making it
+ possible to process even small pcap files and get meaningful
+ statistics. `commit
+ 1268 <http://wiki.powerdns.com/projects/trac/changeset/1268>`__.
+- **dnsreplay** has a more sane default timeout now, which can be
+ configured too. Suggested by Augie Schwer in `ticket
+ 163 <https://github.com/PowerDNS/pdns/issues/163>`__, implemented in
+ `commit
+ 1287 <http://wiki.powerdns.com/projects/trac/changeset/1287>`__.
+
+Authoritative Server version 2.9.21.2
+-------------------------------------
+
+Released on the 18th of November 2008.
+
+This release consists of a single patch to PowerDNS Authoritative Server
+version 2.9.21.1. In some configurations, notably with configuration
+option 'distributor-threads=1', the PowerDNS Authoritative Server
+crashes easily in some error conditions.
+
+All users are urged to upgrade. Even though PowerDNS restarts itself on
+encountering such error conditions, and even though most PowerDNS
+configurations do not run in single threaded mode, an upgrade is
+recommended.
+
+More detail can be found in `PowerDNS Security Advisory
+2008-02 <security/powerdns-advisory-2008-03.md>`__.
+
+Authoritative Server version 2.9.21.1
+-------------------------------------
+
+Released on the 6th of August 2008.
+
+This release consists of a single patch to PowerDNS Authoritative Server
+version 2.9.21. Brian J. Dowling of Simplicity Communications has
+discovered a security implication of the previous PowerDNS behaviour to
+drop queries it considers malformed. We are grateful that Brian notified
+us quickly about this problem.
+
+This issue has been assigned CVE-2008-3337. The single patch is in
+`commit 1239 <http://wiki.powerdns.com/projects/trac/changeset/1239>`__.
+More detail can be found in `PowerDNS Security Advisory
+2008-02 <security/powerdns-advisory-2008-02.md>`__.
+
+The implication is that while the PowerDNS Authoritative server itself
+does not face a security risk because of dropping these malformed
+queries, other resolving nameservers run a higher risk of accepting
+spoofed answers for domains being hosted by PowerDNS Authoritative
+Servers before 2.9.21.1.
+
+While the dropping of queries does not aid sophisticated spoofing
+attempts, it does facilitate simpler attacks.
+
+It may be good to know that several large sites already run with this
+patch applied, as it has been in the public code base for some weeks
+already.
+
+PowerDNS Authoritative Server version 2.9.21
+--------------------------------------------
+
+Released the 21st of April 2007.
+
+This is the first release the PowerDNS Authoritative Server since the
+Recursor was split off to a separate product, and also marks the
+transfer of the new technology developed specifically for the recursor,
+back to the authoritative server.
+
+This move has reduced the amount of code of the Authoritative server by
+over 2000 lines, while improving the quality of the program enormously.
+
+However, since so much has been changed, care should be taken when
+deploying 2.9.21.
+
+To signify the magnitude of the underlying improvements, the next
+release of the PowerDNS Authoritative Server will be called 3.0.
+
+This release would not have been possible without large amounts of help
+and support from the PowerDNS Community. We specifically want to thank
+Massimo Bandinelli of Italy's `Register.it <http://register.it>`__,
+`Dave Aaldering of Aaldering ICT <http://aaldering-ict.nl>`__, `True
+BV <http://true.nl>`__, `XS4ALL <http://www.xs4all.nl>`__, Daniel Bilik
+of `Neosystem <http://www.neosystem.cz>`__,
+`EasyDNS <http://www.easydns.com>`__, `Heinrich
+Ruthensteiner <http://www.siemens.com>`__ of Siemens, `Augie
+Schwer <http://schwer.us>`__, `Mark
+Bergsma <http://www.wikipedia.org>`__, `Marco
+Davids <http://www.forfun.net>`__, `Marcus Rueckert of
+OpenSUSE <http://www.opensuse.org>`__, Andre Muraro of
+`Locaweb <http://www.locaweb.com.br>`__, Antony Lesuisse, `Norbert
+Sendetzky <http://www.linuxnetworks.de>`__, `Marco
+Chiavacci <http://www.aruba.it>`__, Christoph Haas, Ralf van der Enden
+and Ruben Kerkhof.
+
+Security issues
+^^^^^^^^^^^^^^^
+
+- The previous packet parsing and generating code contained no known
+ bugs, but was however very lengthy and overly complex, and might have
+ had security problems. The new code is 'inherently safe' because it
+ relies on bounds-checking C++ constructs. Therefore, a move to 2.9.21
+ is highly recommended.
+- Pre-2.9.21, communication between master and server nameservers was
+ not checked as rigidly as possible, possibly allowing third parties
+ to disrupt but not modify such communications.
+
+**Warning**: The 'bind1' legacy version of our BIND backend has been
+dropped! There should be no need to rely on this old version anymore, as
+the main BIND backend has been very well tested recently.
+
+Bugs
+^^^^
+
+- Multi-part TXT records weren't supported. This has been fixed, and
+ regression tests have been added. Code in commits
+ `1016 <http://wiki.powerdns.com/projects/trac/changeset/1016>`__,
+ `996 <http://wiki.powerdns.com/projects/trac/changeset/996>`__,
+ `994 <http://wiki.powerdns.com/projects/trac/changeset/994>`__.
+- Email addresses with embedded dots in SOA records were not parsed
+ correctly, nor were other embedded dots. Noted by 'Bastiaan', fixed
+ in `commit
+ 1026 <http://wiki.powerdns.com/projects/trac/changeset/1026>`__.
+- BIND backend treated the 'm' TTL modifier as 'months' and not
+ 'minutes'. Closes Debian bug 406462. Addressed in `commit
+ 1026 <http://wiki.powerdns.com/projects/trac/changeset/1026>`__.
+- Our snapshots were built against a static version of PostgreSQL that
+ was incompatible with many Linux distributions, leading to instant
+ crashes on startup. Fixed in
+ `1022 <http://wiki.powerdns.com/projects/trac/changeset/1022>`__ and
+ `1023 <http://wiki.powerdns.com/projects/trac/changeset/1023>`__.
+- CNAME referrals to child zones gave improper responses. Noted by
+ Augie Schwer in `ticket
+ 123 <https://github.com/PowerDNS/pdns/issues/123>`__, fixed in
+ `commit
+ 992 <http://wiki.powerdns.com/projects/trac/changeset/992>`__.
+- When passing a port number with the **recursor** setting, this would
+ sometimes generate errors during additional processing. Switched off
+ overly helpful additional processing for recursive queries to remove
+ this problem. Implemented in `commit
+ 1031 <http://wiki.powerdns.com/projects/trac/changeset/1031>`__,
+ spotted by Ralf van der Enden.
+- NS to a nameserver with the name of the zone itself generated
+ problems. Spotted by Augie Schwer, fixed in `commit
+ 947 <http://wiki.powerdns.com/projects/trac/changeset/947>`__.
+- Multi-line records in the BIND backend were not always parsed
+ correctly. Fixed in `commit
+ 1014 <http://wiki.powerdns.com/projects/trac/changeset/1014>`__.
+- The LOC-record had problems operating outside of the eastern
+ hemisphere of the northern part of the world! Fixed in `commit
+ 1011 <http://wiki.powerdns.com/projects/trac/changeset/1011>`__.
+- Backends were compiled without multithreading preprocessor flags. As
+ far as we can determine, this would only cause problems for the BIND
+ backend, but we cannot rule out this caused instability in other
+ backends. Fixed in `commit
+ 1001 <http://wiki.powerdns.com/projects/trac/changeset/1001>`__.
+- The BIND backend was highly unstable under reloads, and leaked memory
+ and file descriptors. Thanks to Mark Bergsma and Massimo Bandinelli
+ for respectively pointing this out to us and testing large amounts of
+ patches to fix the problem. The fixes have resulted in better
+ performance, less code, and a remarkable simplification of this
+ backend. Commits
+ `1039 <http://wiki.powerdns.com/projects/trac/changeset/1039>`__,
+ `1034 <http://wiki.powerdns.com/projects/trac/changeset/1034>`__,
+ `1035 <http://wiki.powerdns.com/projects/trac/changeset/1035>`__,
+ `1006 <http://wiki.powerdns.com/projects/trac/changeset/1006>`__,
+ `999 <http://wiki.powerdns.com/projects/trac/changeset/999>`__,
+ `905 <http://wiki.powerdns.com/projects/trac/changeset/905>`__ and
+ previous.
+- BIND backend gave convincing NXDOMAINs on unloaded zones in some
+ cases. Spotted and fixed by Daniel Bilik in `commit
+ 984 <http://wiki.powerdns.com/projects/trac/changeset/984>`__.
+- SOA records in zone transfers sometimes contained the wrong SOA TTL.
+ Spotted by Christian Kuehn, fixed in `commit
+ 902 <http://wiki.powerdns.com/projects/trac/changeset/902>`__.
+- PowerDNS could get confused by very high SOA serial numbers. Spotted
+ and fixed by Dan Bilik, fixed in `commit
+ 626 <http://wiki.powerdns.com/projects/trac/changeset/626>`__.
+- Some versions of FreeBSD perform very strict checks on socket address
+ sizes passed to 'connect', which could lead to problems retrieving
+ zones over AXFR. Fixed in `commit
+ 891 <http://wiki.powerdns.com/projects/trac/changeset/891>`__.
+- Some versions of FreeBSD perform very strict checks on IPv6 socket
+ addresses, leading to problems. Discovered by Sten Spans, fixed in
+ `commit 885 <http://wiki.powerdns.com/projects/trac/changeset/885>`__
+ and `commit
+ 886 <http://wiki.powerdns.com/projects/trac/changeset/886>`__.
+- IXFR requests were not logged properly. Noted by Ralf van der Enden,
+ fixed in `commit
+ 990 <http://wiki.powerdns.com/projects/trac/changeset/990>`__.
+- Some NAPTR records needed an additional space character to encode
+ correctly. Spotted by Heinrich Ruthensteiner, fixed in `commit
+ 1029 <http://wiki.powerdns.com/projects/trac/changeset/1029>`__.
+- Many bugs in the TCP nameserver, leading to a PowerDNS process that
+ did not respond to TCP queries over time. Many fixes provided by Dan
+ Bilik, other problems were fixed by rewriting our TCP handling code.
+ Commits
+ `982 <http://wiki.powerdns.com/projects/trac/changeset/982>`__ and
+ `980 <http://wiki.powerdns.com/projects/trac/changeset/980>`__,
+ `950 <http://wiki.powerdns.com/projects/trac/changeset/950>`__,
+ `924 <http://wiki.powerdns.com/projects/trac/changeset/924>`__,
+ `889 <http://wiki.powerdns.com/projects/trac/changeset/889>`__,
+ `874 <http://wiki.powerdns.com/projects/trac/changeset/874>`__,
+ `869 <http://wiki.powerdns.com/projects/trac/changeset/869>`__,
+ `685 <http://wiki.powerdns.com/projects/trac/changeset/685>`__,
+ `684 <http://wiki.powerdns.com/projects/trac/changeset/684>`__.
+- Fix crashes on the ARM processor due to alignment errors. Thanks to
+ Sjoerd Simons. Closes Debian bug 397031.
+- Missing data in generic SQL backends would sometimes lead to faked
+ SOA serial data. Spotted by Leander Lakkas from True. Fix in `commit
+ 866 <http://wiki.powerdns.com/projects/trac/changeset/866>`__.
+- When receiving two quick notifications in succession, the packet
+ cache would sometimes "process" the second one, leading PowerDNS to
+ ignore it. Spotted by Dan Bilik, fixed in `commit
+ 686 <http://wiki.powerdns.com/projects/trac/changeset/686>`__.
+- Geobackend (by Mark Bergsma) did not properly override the getSOA
+ method, breaking non-overlay operation of this fine backend. The
+ geobackend now also skips '.hidden' configuration files, and now
+ properly disregards empty configuration files. Additionally, the
+ overlapping abilities were improved. Details available in `commit
+ 876 <http://wiki.powerdns.com/projects/trac/changeset/876>`__, by
+ Mark.
+
+Features
+^^^^^^^^
+
+- Thanks to `EasyDNS <http://www.easydns.com>`__, PowerDNS now supports
+ multiple masters per domain. For configuration details, see `Slave
+ operation <authoritative/modes-of-operation.md#slave-operation>`__.
+ Implemented in `commit
+ 1018 <http://wiki.powerdns.com/projects/trac/changeset/1018>`__,
+ `commit
+ 1017 <http://wiki.powerdns.com/projects/trac/changeset/1017>`__.
+- Thanks to `EasyDNS <http://www.easydns.com>`__, PowerDNS now supports
+ the KEY record type, as well the SPF record. In `commit
+ 976 <http://wiki.powerdns.com/projects/trac/changeset/976>`__.
+- Added support for CERT, SSHFP, DNSKEY, DS, NSEC, RRSIG record types,
+ as part of the move to the new DNS parsing/generating code.
+- Support for the AFSDB record type, as requested by 'Bastian'.
+ Implemented in `commit
+ 978 <http://wiki.powerdns.com/projects/trac/changeset/978>`__,
+ closing `ticket 129 <https://github.com/PowerDNS/pdns/issues/129>`__.
+- Support for the MR record type. Implemented in `commit
+ 941 <http://wiki.powerdns.com/projects/trac/changeset/941>`__ and
+ `commit
+ 1019 <http://wiki.powerdns.com/projects/trac/changeset/1019>`__.
+- Gsqlite3 backend was added by Antony Lesuisse in `commit
+ 942 <http://wiki.powerdns.com/projects/trac/changeset/942>`__;
+- Added the ability to send out light-weight root-referrals that save
+ bandwidth yet still placate mediocre resolver implementations.
+ Implemented in `commit
+ 912 <http://wiki.powerdns.com/projects/trac/changeset/912>`__, enable
+ with 'root-referral=lean'.
+
+Improvements
+^^^^^^^^^^^^
+
+- Miscellaneous OpenDBX and LDAP backend improvements by Norbert
+ Sendetzky. Applied in `commit
+ 977 <http://wiki.powerdns.com/projects/trac/changeset/977>`__ and
+ `commit
+ 1040 <http://wiki.powerdns.com/projects/trac/changeset/1040>`__.
+- SGML source of the documentation was cleaned up by Ruben Kerkhof in
+ `commit
+ 936 <http://wiki.powerdns.com/projects/trac/changeset/936>`__.
+- Speedups in core DNS label processing code. Implemented in `commit
+ 928 <http://wiki.powerdns.com/projects/trac/changeset/928>`__,
+ `commit
+ 654 <http://wiki.powerdns.com/projects/trac/changeset/654>`__,
+ `commit
+ 1020 <http://wiki.powerdns.com/projects/trac/changeset/1020>`__.
+- When communicating with master servers and encountering errors, more
+ useful details are logged. Reported by Stefan Arentz in `ticket
+ 137 <https://github.com/PowerDNS/pdns/issues/137>`__, closed by
+ `commit
+ 1015 <http://wiki.powerdns.com/projects/trac/changeset/1015>`__.
+- Database errors are now logged with more details. Addressed in
+ `commit
+ 1004 <http://wiki.powerdns.com/projects/trac/changeset/1004>`__.
+- pdns\_control problems are now logged more verbosely. Change in
+ `commit
+ 910 <http://wiki.powerdns.com/projects/trac/changeset/910>`__.
+- Erroneous address configuration was logged unclearly. Spotted by
+ River Tarnell, fixed in `commit
+ 888 <http://wiki.powerdns.com/projects/trac/changeset/888>`__.
+- Example configuration shipped with PowerDNS was very old. Noted by
+ Leen Besselink, fixed in `commit
+ 946 <http://wiki.powerdns.com/projects/trac/changeset/946>`__.
+- PowerDNS neglected to chdir to the root when chrooted. This closes
+ `ticket 110 <https://github.com/PowerDNS/pdns/issues/110>`__, fixed
+ in `commit
+ 944 <http://wiki.powerdns.com/projects/trac/changeset/944>`__.
+- Microsoft resolver had problems with responses we generated for
+ CNAMEs pointing out of our bailiwick. Fixed in `commit
+ 983 <http://wiki.powerdns.com/projects/trac/changeset/983>`__ and
+ expedited by Locaweb.com.br.
+- Built-in webserver logs errors more verbosely. Closes `ticket
+ 82 <https://github.com/PowerDNS/pdns/issues/82>`__, fixed in `commit
+ 991 <http://wiki.powerdns.com/projects/trac/changeset/991>`__.
+- Queries containing '@' no longer flood the logs. Addressed in `commit
+ 1014 <http://wiki.powerdns.com/projects/trac/changeset/1014>`__.
+- The build process now looks for PostgreSQL in more places.
+ Implemented in `commit
+ 998 <http://wiki.powerdns.com/projects/trac/changeset/998>`__, closes
+ `ticket 90 <https://github.com/PowerDNS/pdns/issues/90>`__.
+- Speedups in the BIND backend now mean large installations enjoy
+ startup times up to 30 times faster than with the original BIND
+ nameserver. Many thanks to Massimo Bandinelli.
+- BIND backend now offers full support for query logging, implemented
+ in `commit
+ 1026 <http://wiki.powerdns.com/projects/trac/changeset/1026>`__,
+ `commit
+ 1029 <http://wiki.powerdns.com/projects/trac/changeset/1029>`__.
+- BIND backend named.conf parsing is now fully case-insensitive for
+ domain names. This closes Debian bug 406461, fixed in `commit
+ 1027 <http://wiki.powerdns.com/projects/trac/changeset/1027>`__.
+- IPv6 and IPv4 address parsing routines have been replaced, which
+ should result in prettier output in some cases. `commit
+ 962 <http://wiki.powerdns.com/projects/trac/changeset/962>`__,
+ `commit
+ 1012 <http://wiki.powerdns.com/projects/trac/changeset/1012>`__ and
+ others.
+- 5 new regression tests have been added to insure old bugs do not
+ return.
+- Fix small issues with very modern compilers and BOOST snapshots.
+ Noted by Marcus Rueckert, addressed in `commit
+ 954 <http://wiki.powerdns.com/projects/trac/changeset/954>`__,
+ `commit 964 <http://wiki.powerdns.com/projects/trac/changeset/964>`__
+ `commit
+ 965 <http://wiki.powerdns.com/projects/trac/changeset/965>`__,
+ `commit
+ 1003 <http://wiki.powerdns.com/projects/trac/changeset/1003>`__.
+
+Version 2.9.20
+--------------
+
+Released the 15th of March 2006
+
+Besides adding OpenDBX, this release is mostly about fixing problems and
+speeding up the recursor. This release has been made possible by
+`XS4ALL <http://www.xs4all.nl>`__ and `True <http://true.nl>`__. Thanks!
+
+Furthermore, we are very grateful for the help of Andrew Pinski, who
+hacks on gcc, and of Joaquín M López Muñoz, the author of
+`boost::multi\_index\_container <http://www.boost.org/libs/multi_index/doc/index.html>`__.
+Without their near-realtime help this release would've been delayed a
+lot. Thanks!
+
+Bugs fixed in the recursor
+^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+- Possible stability issues in the recursor on encountering errors
+ (`commit
+ 532 <http://wiki.powerdns.com/projects/trac/changeset/532>`__,
+ `commit
+ 533 <http://wiki.powerdns.com/projects/trac/changeset/533>`__)
+- Memory leaks in recursor fixed (`commit
+ 534 <http://wiki.powerdns.com/projects/trac/changeset/534>`__,
+ `commit
+ 572 <http://wiki.powerdns.com/projects/trac/changeset/572>`__). In a
+ test 800 million real life DNS packets have been sent to the
+ recursor, representing several days of traffic from a major ISP,
+ memory use was high (500MB), but stable.
+- Prune all data in PowerDNS - previously per-nameserver and per-query
+ performance statistics were kept around forever (`commit
+ 535 <http://wiki.powerdns.com/projects/trac/changeset/535>`__)
+- IPv6 additional processing was broken. Reported by Lionel Elie
+ Mamane, who also provided a fix. The problem was fixed differently in
+ the end. `commit
+ 562 <http://wiki.powerdns.com/projects/trac/changeset/562>`__.
+- pdns\_recursor did not shuffle answers since 2.9.19, leading to
+ problems sending mail to the Hotmail servers. Reported in `ticket
+ 54 <https://github.com/PowerDNS/pdns/issues/54>`__, fixed in `commit
+ 567 <http://wiki.powerdns.com/projects/trac/changeset/567>`__.
+- If a single nameserver had multiple IP addresses listed, PowerDNS
+ would only use one of them. Noted by Mark Martin, fixed in `commit
+ 570 <http://wiki.powerdns.com/projects/trac/changeset/570>`__, who
+ depends on a domain with 4 nameserver IP addresses of which 2 are
+ broken.
+
+Improvements to the recursor
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+- Commits
+ `535 <http://wiki.powerdns.com/projects/trac/changeset/535>`__,
+ `540 <http://wiki.powerdns.com/projects/trac/changeset/540>`__,
+ `541 <http://wiki.powerdns.com/projects/trac/changeset/541>`__,
+ `542 <http://wiki.powerdns.com/projects/trac/changeset/542>`__,
+ `543 <http://wiki.powerdns.com/projects/trac/changeset/543>`__,
+ `544 <http://wiki.powerdns.com/projects/trac/changeset/544>`__,
+ `545 <http://wiki.powerdns.com/projects/trac/changeset/545>`__,
+ `547 <http://wiki.powerdns.com/projects/trac/changeset/547>`__ and
+ `548 <http://wiki.powerdns.com/projects/trac/changeset/548>`__,
+ `574 <http://wiki.powerdns.com/projects/trac/changeset/574>`__ all
+ speed up the recursor by a large factor, without altering the DNS
+ algorithm.
+- Move recursor to the incredible boost::multi\_index\_container
+ (`commit
+ 580 <http://wiki.powerdns.com/projects/trac/changeset/580>`__). This
+ brings a huge improvement in cache pruning times.
+- `commit 549 <http://wiki.powerdns.com/projects/trac/changeset/549>`__
+ and `commit
+ 550 <http://wiki.powerdns.com/projects/trac/changeset/550>`__ work
+ around gcc bug
+ `24704 <http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24704>`__ if
+ requested, which speeds up the recursor a lot, but involves a dirty
+ hack. Enable with **./configure ^^enable-gcc-skip-locking**. No
+ guarantees!
+
+Bugs fixed in the authoritative nameserver
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+- PowerDNS would no longer allow a '/' in domain names, fixed by
+ `commit
+ 537 <http://wiki.powerdns.com/projects/trac/changeset/537>`__,
+ reported in `ticket
+ 48 <https://github.com/PowerDNS/pdns/issues/48>`__.
+- Parameters to **pdns\_control notify-host** were not checked, leading
+ to possible crashes. Reported in `ticket
+ 24 <https://github.com/PowerDNS/pdns/issues/24>`__, fixed in `commit
+ 565 <http://wiki.powerdns.com/projects/trac/changeset/565>`__.
+- On some compilers, processing of NAPTR records could cause the server
+ to crash. Reported by Bernd Froemel in `ticket
+ 29 <https://github.com/PowerDNS/pdns/issues/29>`__, fixed in `commit
+ 538 <http://wiki.powerdns.com/projects/trac/changeset/538>`__.
+- Backend errors could make the whole nameserver exit under some
+ circumstances, notably using the LDAP backend. Fixed in `commit
+ 583 <http://wiki.powerdns.com/projects/trac/changeset/583>`__,
+ reported in `ticket
+ 62 <https://github.com/PowerDNS/pdns/issues/62>`__.
+- Referrals were subtly broken by recent CNAME/Wildcard improvements,
+ fixed in `commit
+ 539 <http://wiki.powerdns.com/projects/trac/changeset/539>`__. Fix
+ and other improvements sponsored by `True <http://true.nl>`__.
+- PowerDNS would try to insert records it has no knowledge about in
+ slave zones, which did not work. Reported in `ticket
+ 60 <https://github.com/PowerDNS/pdns/issues/60>`__, fixed in `commit
+ 566 <http://wiki.powerdns.com/projects/trac/changeset/566>`__. A
+ superior fix would be to implement the relevant unknown record
+ standard.
+
+Improvements to the authoritative nameserver
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+- Pipebackend did not properly propagate the ABI version to its
+ children, fixed in `commit
+ 546 <http://wiki.powerdns.com/projects/trac/changeset/546>`__,
+ reported by kickdaddy@gmail.com in `ticket
+ 45 <https://github.com/PowerDNS/pdns/issues/45>`__.
+- `OpenDBX <http://www.linuxnetworks.de/pdnsodbx/index.html>`__ backend
+ added (`commit
+ 559 <http://wiki.powerdns.com/projects/trac/changeset/559>`__,
+ `commit
+ 560 <http://wiki.powerdns.com/projects/trac/changeset/560>`__,
+ `commit
+ 561 <http://wiki.powerdns.com/projects/trac/changeset/561>`__) by
+ Norbert Sendetzky. From the website: “ The OpenDBX backend enables it
+ to fetch DNS information from every DBMS supported by the OpenDBX
+ library and combines the power of one of the best DNS server
+ implementations with the flexibility of the OpenDBX library. ”
+ OpenDBX adds some other features like database failover. Thanks
+ Norbert!
+- LDAP fixes as reported in `ticket
+ 37 <https://github.com/PowerDNS/pdns/issues/37>`__, fixed in `commit
+ 558 <http://wiki.powerdns.com/projects/trac/changeset/558>`__, which
+ make **pdns\_control notify** work.
+- Arjo Hooimeijer added support for soa-refresh-default,
+ soa-retry-default, soa-expire-default, which were previously
+ hardcoded. `commit
+ 563 <http://wiki.powerdns.com/projects/trac/changeset/563>`__ and
+ fallout in `commit
+ 573 <http://wiki.powerdns.com/projects/trac/changeset/573>`__ (thanks
+ to Wolfram Schlich).
+
+Miscellaneous
+^^^^^^^^^^^^^
+
+- Fixes for g++ 4.1. Compiling with 4.1 realizes notable speedups.
+ `commit
+ 568 <http://wiki.powerdns.com/projects/trac/changeset/568>`__,
+ `commit
+ 569 <http://wiki.powerdns.com/projects/trac/changeset/569>`__.
+- PowerDNS now reports if it is running in 32 or 64 bit mode, useful
+ for bi-arch users that need to know if they are benefitting from
+ `AMD's great processor <http://www.amd.com>`__. `commit
+ 571 <http://wiki.powerdns.com/projects/trac/changeset/571>`__.
+- **dnsscope** compiles again, `commit
+ 551 <http://wiki.powerdns.com/projects/trac/changeset/551>`__,
+ `commit 564 <http://wiki.powerdns.com/projects/trac/changeset/564>`__
+ (FreeBSD 64-bit time\_t).
+- **dnsreplay\_mindex** compiles again, fixed by `commit
+ 572 <http://wiki.powerdns.com/projects/trac/changeset/572>`__. Its
+ performance, and the performance of the recursor was improved by
+ `commit
+ 559 <http://wiki.powerdns.com/projects/trac/changeset/559>`__.
+- Build scripts were added, mostly for internal use but we know some
+ PowerDNS users build their own packages too. `commit
+ 553 <http://wiki.powerdns.com/projects/trac/changeset/553>`__,
+ `commit
+ 554 <http://wiki.powerdns.com/projects/trac/changeset/554>`__,
+ `commit
+ 555 <http://wiki.powerdns.com/projects/trac/changeset/555>`__,
+ `commit
+ 556 <http://wiki.powerdns.com/projects/trac/changeset/556>`__,
+ `commit
+ 557 <http://wiki.powerdns.com/projects/trac/changeset/557>`__.
+- ``bootstrap`` script was not included in release. Thanks to Stefan
+ Arentz for noticing. Fixed in `commit
+ 574 <http://wiki.powerdns.com/projects/trac/changeset/574>`__.
+
+Version 2.9.19
+--------------
+
+Released 29th of October 2005.
+
+As with other recent releases, the usage of PowerDNS appears to have
+skyrocketed. Informal, though strict, measurements show that PowerDNS
+now powers around 50% of all German domains, and somewhere in the order
+of 10-15% of the rest of the world. Furthermore, DNS is set to take a
+central role in connecting Voice over IP providers, with PowerDNS
+offering a very good feature set for these ENUM deployments. PowerDNS is
+already powering the E164.info ENUM zone and also acts as the backend
+for a major VoIP provisioning platform.
+
+Included in this release is the now complete packet parsing/generating,
+record parsing/generating infrastructure. Furthermore, this framework is
+used by the recursor, hopefully making it very fast, memory efficient
+and robust. Many records are now processed using a single line of code.
+This has made the recursor a lot stricter in packet parsing, you will
+see some error messages which did not appear before. Rest assured
+however that these only happen for queries which have no valid answer in
+any case.
+
+Furthermore, support for DNSSEC records is available in the new
+infrastructure, although is should be emphasised that there is more to
+DNSSEC than parsing records. There is no real support for DNSSEC (yet).
+
+Additionally, the BIND Backend has been replaced by what was up to now
+known as the 'Bind2Backend'. Initial benchmarking appears to show that
+this backend is faster, uses less memory and has shorter startup times.
+The code is also shorter.
+
+This release fixes a number of embarrassing bugs and is a recommended
+upgrade.
+
+Thanks are due to `XS4ALL <http://www.xs4all.nl>`__ who are supporting
+continuing development of PowerDNS, the fruits of which can be found in
+this release already. Furthermore, a remarkable number of people have
+helped report bugs, validate solutions or have submitted entire patches.
+Many thanks!
+
+Improvements
+^^^^^^^^^^^^
+
+- dnsreplay now has a help message and has received further massive
+ updates, making the code substantially faster. It turns out that
+ dnsreplay is often 'heavier' than the PowerDNS process being
+ benchmarked.
+- PowerDNS recursor no longer prints out its queries by default as most
+ recursor deployments have too much traffic for this to be useful.
+- PowerDNS recursor is now able to read its root-hints from disk, which
+ is useful to operate with alternate roots, like the `Open Root Server
+ Network <http://www.orsn.org>`__. See `PowerDNS
+ Recursor <recursor/index.md>`__.
+- PowerDNS can now send out old-fashioned root-referrals when queried
+ for domains for which it is not authoritative. Wastes some bandwidth
+ but may solve incoming query floods if domains are delegated to you
+ for which you are not authoritative, but which are queried by broken
+ recursors.
+- PowerDNS now prints out a warning when running with legacy
+ LinuxThreads implementation instead of the high performance NPTL
+ library. `commit
+ 455 <http://wiki.powerdns.com/projects/trac/changeset/455>`__.
+- A lot of superfluous calls to gettimeofday() have been removed,
+ making PowerDNS and especially the recursor faster. Suggested by Kai.
+- SPF records are now supported natively. `commit
+ 472 <http://wiki.powerdns.com/projects/trac/changeset/472>`__,
+ closing `ticket 22 <https://github.com/PowerDNS/pdns/issues/22>`__.
+- Improved IPv6 'bound to' messages. Thanks to Niels Bakker, Wichert
+ Akkerman and Gerty de Wolf for suggestions.
+- Separate graphs can now be made of IPv6 queries and answers. `commit
+ 485 <http://wiki.powerdns.com/projects/trac/changeset/485>`__.
+- Out of zone additional processing is now on by default to better
+ comply with standards. `commit
+ 487 <http://wiki.powerdns.com/projects/trac/changeset/487>`__.
+- Regression tests have been expanded to deal with more record types
+ (SRV, NAPTR, TXT, duplicate SRV).
+- Improved query-logging in Bindbackend, which can be used for
+ debugging purposes.
+- Dropped libpcap dependency, making compilation easier
+- pdns\_control now has a help message.
+- Add RRSIG, DNSKEY, DS and NSEC records for DNSSEC-bis to new parser
+ infrastructure.
+- Recursor now honours EDNS0 allowing it to send out larger answers.
+
+Bugs fixed
+^^^^^^^^^^
+
+- Domain name validation has been made a lot stricter - it turns out
+ PostgreSQL was interpreting some (corrupt) domain names as unicode.
+ Tested and suggested by Register.com (`commit
+ 451 <http://wiki.powerdns.com/projects/trac/changeset/451>`__).
+- LDAP backend did not compile (commits
+ `452 <http://wiki.powerdns.com/projects/trac/changeset/452>`__,
+ `453 <http://wiki.powerdns.com/projects/trac/changeset/453>`__) due
+ to partially applied patch (Norbert Sendetzky)
+- Incoming zone transfers work reliably again. Fixed in `commit
+ 460 <http://wiki.powerdns.com/projects/trac/changeset/460>`__ and
+ beyond. And `commit
+ 523 <http://wiki.powerdns.com/projects/trac/changeset/523>`__ -
+ closing Debian bug 330184.
+- Recent g++ versions exposed a mistake in the PowerDNS recursor cache
+ pruning code, causing random crashes. Fixed in `commit
+ 465 <http://wiki.powerdns.com/projects/trac/changeset/465>`__.
+ Reported by several Red Hat users.
+- PowerDNS recursor, and MTasker in general, did not work on Solaris.
+ Patch by Juergen Ilse, `commit
+ 471 <http://wiki.powerdns.com/projects/trac/changeset/471>`__. Also
+ moved most of PowerDNS over to uint32\_t style typedefs, which eases
+ compilation problems on Solaris, `commit
+ 477 <http://wiki.powerdns.com/projects/trac/changeset/477>`__.
+- Bindbackend2 did not properly search its include path for $INCLUDE
+ statements. Noted by Mark Bergsma, `commit
+ 474 <http://wiki.powerdns.com/projects/trac/changeset/474>`__.
+- Bindbackend did not notice changed zones, this problem has been fixed
+ by the move to Bind2.
+- Pipebackend did not clean up, leading to an additional pipe backend
+ per AXFR or pdns\_control reload. Discovered by Marc Jauvin, fixed by
+ `commit
+ 525 <http://wiki.powerdns.com/projects/trac/changeset/525>`__.
+- Bindbackend (both old and current versions) did not honour 'include'
+ statements in ``named.conf`` on **pdns\_control rediscover**. Noted
+ by Marc Jauvin, fixed by `commit
+ 526 <http://wiki.powerdns.com/projects/trac/changeset/526>`__.
+- Zone transfers were sometimes shuffled, which wastes useless time,
+ `commit
+ 478 <http://wiki.powerdns.com/projects/trac/changeset/478>`__.
+- CNAMEs and Wildcards now work as in Bind, fixing many complaints,
+ `commit
+ 487 <http://wiki.powerdns.com/projects/trac/changeset/487>`__.
+- NAPTR records were compressed, which would work, but was in violation
+ of the RFC, commit 493.
+- NAPTR records were not always parsed correctly from BIND zone files,
+ fixed, commit 494.
+- Geobackend needed additional include statement to compile on more
+ recent Linux distributions, commit 496.
+
+Version 2.9.18
+--------------
+
+Released on the 16th of July 2005.
+
+The '8 million domains' release, which also marks the battle readiness
+of the PowerDNS Recursor. The latest improvements have been made
+possible by financial support and contributions by
+`Register.com <http://register.com>`__ and
+`XS4ALL <http://www.xs4all.nl/>`__. Thanks!
+
+This release brings a number of new features (vastly improved recursor,
+Generic Oracle Support, DNS analysis and replay tools, and more) but
+also has a new build dependency, the `Boost
+library <http://www.boost.org>`__ (version 1.31 or higher).
+
+Currently several big ISPs are evaluating the PowerDNS recursor for
+their resolving needs, some of them have switched already. In the course
+of testing, over 350 million actual queries have been recorded and
+replayed, the answers turn out to be satisfactorily.
+
+This testing has verified that the pdns recursor, as shipped in this
+release, can stand up to heavy duty ISP loads (over 20000
+queries/second) and in fact does so better than major other nameservers,
+giving more complete answers and being faster to boot.
+
+We invite ISPs who note recursor problems to record their problematic
+traffic and replay it using the tools described in `Tools to analyse DNS
+traffic <tools/analysis.md>`__ to discover if PowerDNS does a better
+job, and to let us know the results.
+
+Additionally, the bind2backend is almost ready to replace the stock bind
+backend. If you run with Bind zones, you are cordially invited to
+substitute 'launch=bind2' for 'launch=bind'. This will happen
+automatically in 2.9.19!
+
+In other news, the entire Wikipedia constellation now runs on PowerDNS
+using the Geo Backend! Thanks to Mark Bergsma for keeping us updated.
+
+There are two bugs with security implications, which only apply to
+installations running with the LDAP backend, or installations providing
+recursion to a limited range of IP addresses. If any of these apply to
+you, an upgrade is highly advised
+
+- The LDAP backend did not properly escape all queries, allowing it to
+ fail and not answer questions. We have not investigated further risks
+ involved, but we advise LDAP users to update as quickly as possible
+ (Norbert Sendetzky, Jan de Groot)
+- Questions from clients denied recursion could blank out answers to
+ clients who are allowed recursion services, temporarily. Reported by
+ Wilco Baan. This would've made it possible for outsiders to blank out
+ a domain temporarily to your users. Luckily PowerDNS would send out
+ SERVFAIL or Refused, and not a denial of a domain's existence.
+
+General bugs fixed
+^^^^^^^^^^^^^^^^^^
+
+- TCP authoritative server would not relaunch a backend after failure
+ (reported by Norbert Sendetzky)
+- Fix backend restarting logic (reported, and fix suggested by Norbert
+ Sendetzky)
+- Launching identical backends multiple times, with different settings,
+ did not work. Reported by Mario Manno.
+- Master/slave queries did not honour the **query-local-address**
+ setting. Spotted by David Levy of Register.com. The fix also
+ randomises the local port used, slightly improving security.
+
+Compilation fixes
+^^^^^^^^^^^^^^^^^
+
+- Fix compile on Solaris, they define 'PC' for some reason. Reported by
+ Eric Yiu.
+- PowerDNS recursor would not compile on FreeBSD due to Linux specific
+ defines, as reported in cvstrac ticket 26 (Ralf van der Enden)
+- Several 64 bits issues have been fixed, especially in the Logging
+ subsystem.
+- SSQLite would fail to compile on recent Debian systems (Matthijs
+ Möhlmann)
+- Generic MySQL would not compile on 64-bit platforms.
+
+Improvements
+^^^^^^^^^^^^
+
+- PowerDNS now reports stray command line arguments, like when running
+ '^^local-port 5300' instead of '^^local-port=5300'. Reported by
+ Christian Welzel.
+- We now warn against erroneous logging-facility specification, ie
+ specifying an unknown facility.
+- **^^version** now outputs gcc version used, so we can tell people
+ 2.95 is no longer supported.
+- Extended regression tests, moved them to the new 'sdig' tool (see
+ below).
+- Bind2backend is now blazingly fast, and highly memory efficient to
+ boot. As a special bonus it can read gzipped zones directly. The
+ '.NET' zone is hosted using 401MB of memory, the same size as the
+ zone on disk.
+- The Pipe Backend has been improved such that it can send out
+ different answers based on the IP address the question was received
+ ON. See `PipeBackend
+ protocol <authoritative/backend-pipe.md#pipebackend-protocol>`__ for
+ how this changed the Pipe Backend protocol. Note that you need to set
+ **pipebackend-abi-version** to benefit from this change, existing
+ clients are not affected. Change and documentation contributed by
+ Marc Jauvin of Register4Less.
+- LDAP backend has been updated (Norbert Sendetzky).
+
+Recursor improvements and fixes.
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+See `Recursion <authoritative/recursion.md>`__ for details. The changes
+below mean that all of the caveats listed for the recursor have now been
+addressed.
+
+- After half an hour of uptime, the entire cache would be pruned for
+ each packet, which is a tad slow. It now appears the pdns recursor is
+ among the fastest around.
+- Under high loads, or when unlucky, some query mthreads would get
+ 'stuck', and show up in the statistics as eternally running queries.
+- Lots of redundant gettimeofday() and time() calls were removed, which
+ has resulted in a measurable speedup.
+- pdns\_recursor can now listen on several addresses simultaneously.
+- Now supports setuid and setgid operation to allow running as a less
+ privileged user (Bram Vandoren).
+- Return code of pdns\_recursor binary did not make sense (Matthijs
+ Möhlmann and Thomas Hood)
+- Timeouts and errors are now split out in statistics.
+- Many people reported broken statistics, it turned out that no
+ statistics were being reported if there had been no questions to base
+ them on. We now log a message to that effect.
+- Add **query-local-address** support, which allows the recursor to
+ send questions from a specific IP address. Useful for anycast setups.
+- Add outgoing TCP query support and proper truncated answer support.
+ Needed for Worldnic Denial of Service protection, which sends out
+ truncated packets to force clients to connect over TCP, which
+ prevents spoofing.
+- Properly truncate our own answers.
+- Improve our TCP answers by using writev, which is slightly friendlier
+ to the network.
+- On FreeBSD, TCP errors could cause the recursor to exit suddenly due
+ to a SIGPIPE signal.
+- Maximum number of simultaneous client TCP connections can now be
+ limited with the **max-tcp-clients** setting.
+- Add aggressive timeouts for TCP clients to make sure resources are
+ not wasted. Defaults to two seconds, can be configured with the
+ **client-tcp-timeout** setting.
+
+Backend fixes
+^^^^^^^^^^^^^
+
+- SQLite backend would not slave properly (Darron Broad)
+- Generic MySQL would not compile on 64-bit platforms.
+
+New technology
+^^^^^^^^^^^^^^
+
+- Added the new DNS parser logic, called MOADNSParser. Completely
+ modular, every memory access checked.
+- 'sdig', a simple dig work-alike with 'canonical' output, which is
+ used for the regression tests. Based on the new DNS parser logic.
+- **dnswasher**, **dnsreplay** and **dnsscope**, all DNS analysis
+ tools. See `Tools to analyse DNS traffic <tools/analysis.md>`__ for
+ more details.
+- Generic Oracle Backend, sponsored by Register.COM. See `Oracle
+ specifics <authoritative/backend-generic-oracle.md>`__.
+
+Version 2.9.17
+--------------
+
+See `the new timeline <http://wiki.powerdns.com/trac/timeline>`__ for
+progress reports.
+
+The 'million domains' release - PowerDNS has now firmly established
+itself as a major player with the unofficial count (ie, guesswork) now
+at over two million PowerDNS domains! Also, the GeoBackend has been
+tested by a big website and may soon see wider deployment. Thanks to
+Mark Bergsma for spreading the word!
+
+It is also a release with lots of changes and fixes. Take care when
+deploying!
+
+Security issues
+^^^^^^^^^^^^^^^
+
+- PowerDNS could be temporarily DoSed using a random stream of bytes.
+ Reported cause of this has been fixed.
+
+Enhancements
+^^^^^^^^^^^^
+
+- Reported version can be changed, or removed - see the
+ "version-string" setting.
+- Duplicate MX records are now no longer considered duplicate if their
+ priorities differ. Some people need this feature for spam filtering.
+
+Bug fixes
+^^^^^^^^^
+
+- NAPTR records can now be slaved, patch by Lorens Kockum.
+- GMySQL now works on Solaris
+- PowerDNS could be confused by questions with a %-sign in them -
+ fixing cvstrac ticket #16 (reported by dilinger at voxel.net)
+- An authentication bug in the webserver was possibly fixed, please
+ report if you were suffering from this. Being unable to authenticate
+ to the webserver was what you would've noticed.
+- Fix for cvstrac ticket #2, PowerDNS could lose sync when sending out
+ a very large number of notifications. Excellent bug report by Martin
+ Hoffman, who also improved our original bugfix.
+- Fix the oldest PowerDNS bug in existence - under some circumstances,
+ PowerDNS would log to syslog one character at a time. This was
+ cvstrac ticket #4
+- HINFO records can now be slaved, fixing cvstrac ticket #8.
+- pdns\_recursor could block under some circumstances, especially in
+ case of corrupt UDP packets. Reported by Wichert Akkerman. Fix by
+ Christopher Meer. This was cvstrac ticket #13.
+- Large SOA serial numbers would sometimes be logged as a signed
+ integer, leading to negative numbers in the log.
+- PowerDNS now fully supports 32 bit SOA serial numbers (thanks to Mark
+ Bergsma), closing cvstrac ticket #5.
+- pdns\_recursor ^^local-address help text was wrong.
+- Very devious bug - PowerDNS did not clear its cache before sending
+ out update notifications, leading slaves to conclude there was no
+ update to AXFR. Excellent debugging by mkuchar at wproduction.cz.
+- Probably fixed cvstrac ticket #26, which caused pdns\_recursor to
+ fail on recent FreeBSD 5.3 systems. Please check, I have no such
+ system to test on.
+- Geobackend did not get built for Debian.
+
+Version 2.9.16
+--------------
+
+The 'it must still be Friday somewhere' release. Massive number of
+fixes, portability improvements and the new Geobackend by Mark Bergsma &
+friends.
+
+New
+^^^
+
+- The Geobackend which makes it possible to send different answers to
+ different IP ranges. Initial documentation can be found in
+ pdns/modules/geobackend/README.
+- qgen query generation tool. Nearly completely undocumented and hard
+ to build too, it requires Boost. But very spiffy. Use **cd pdns; make
+ qgen** to build it.
+
+Bugfixes
+^^^^^^^^
+
+- The most reported bug ever was fixed. Zone2sql required the inclusion
+ of unistd.h, except on Debian unstable.
+- PowerDNS tried to listen on its control "pipe" which does not work.
+ Probably harmless, but might have caused some oddities.
+- The Packet Cache did not always set its TTL immediately, causing some
+ packets to be inserted, even when running with the cache disabled
+ (Mark Bergsma).
+- Valgrind found some uninitialized reads, causing bogus values in the
+ priority field when it was not needed.
+- Valgrind found a bug in MTasker where we used delete instead of
+ delete[].
+- SOA serials and other parameters are unsigned. This means that very
+ large SOA serial numbers would be messed up (Michel Stol, Stefano
+ Straus)
+- PowerDNS left its controlsocket around after exit and reported
+ confusing errors if a socket was already in use.
+- The recursor proxy did not work on big endian systems like SPARC and
+ some MIPS processors (Remco Post)
+- We no longer dump core on processing LOC records on UltraSPARC
+ (Andrew Mulholland supplied a testing machine)
+
+Improvements
+^^^^^^^^^^^^
+
+- MySQL can now connect to a specified port again (Chris Anderton).
+- When running chroot()ed and with master or slave support active,
+ PowerDNS needs to resolve domain names to find slaves. This in turn
+ may require access to certain libraries. Previously, these needed to
+ be available in the chroot directory but by forcing an initial
+ lookup, these libraries are now loaded before the chrooting.
+- pdns\_recursor was very slow after having done a larger number of
+ queries because of the checks to see if a query should be throttled.
+ This is now done using a set which is a lot faster than the previous
+ full sequential scan.
+- The throttling code may not have throttled as much as was configured.
+- Yet another big LDAP update. The LDAP backend now load balances
+ connections over several hosts (Norbert Sendetzky)
+- Updated b.root-servers.net address in the recursor
+
+Version 2.9.15
+--------------
+
+This release fixes up some of the shortcomings in 2.9.14, and adds some
+new features too.
+
+Bugfixes
+^^^^^^^^
+
+- **allow-recursion-override** was on by default, it was meant to be
+ off.
+- Logging was still off in daemon mode, fixed.
+- debian/rules forgot to build an sqlite package
+- Recursor accidentally linked in MySQL - this was the result of an
+ experiment with a persistent recursor cache.
+- The PowerDNS recursor had stability problems. It now sorts
+ nameservers (roughly) by responsiveness. The 'roughly' part upset the
+ sorting algorithm used, the speeds being sorted on changed during
+ sorting.
+- The recursor now outputs the nameserver average response times in
+ trace mode
+- LDAP compiles again.
+
+Improvements
+^^^^^^^^^^^^
+
+- zone2sql can now accept ``-`` as a file name which causes it to read
+ stdin. This allows the following to work: **dig axfr example.org \|
+ zone2sql ^^gmysql ^^zone=- \| mysql pdns**, which is a nice way to
+ import a zone.
+- zone2sql now ignores duplicate SOA records which are identical -
+ which also makes the above possible.
+- Remove libpqpp dependencies - since we now use the native C API for
+ PostgreSQL
+
+Version 2.9.14
+--------------
+
+Big release with the fix for the all important 2^30 seconds problem and
+a lot of other news. - errno problems would cause compilation problems
+when using LDAP (Norbert Sendetzky) - The Generic SQL backend could
+cause crashes on PostgreSQL when using pdns\_control notify (Georg
+Bauer) - Debian compatible init.d script (Wichert Akkerman) - If using
+the master or slave features, pdns had the notion of eternity ending in
+2038, except that due to a thinko, eternity ended out to be the 10th of
+January 2004. This caused a loop to timeout immediately. Many thanks to
+Jasper Spaans for spotting the bug within five minutes. - Parts of the
+SOA field were not canonicalized. - The loglevel could in fact cause
+nothing to be logged (Norbert Sendetzky)
+
+Improvements
+^^^^^^^^^^^^
+
+- The recursor now chooses the fastest nameserver, which causes a big
+ speedup!
+- LDAP now has different lookup models
+- Cleanups, better load distribution, better exception handling,
+ zone2ldap improvements
+- The recursor was somewhat chatty about TCP connections
+- PostgreSQL now only depends on the C API and not on the deprecated
+ C++ one
+- PowerDNS can now fully overrule external zones when doing recursion.
+ See `Recursion <authoritative/recursion.md>`__.
+
+Version 2.9.13
+--------------
+
+Big news! Windows is back! Our great friend Michel Stol found the time
+to update the PowerDNS code so it works again under windows.
+
+Furthermore, big thanks go out to Dell who quickly repaired my trusty
+`laptop <http://ds9a.nl/dell-d800>`__.
+
+His changes - Generic SQLite support added - Removed the ODBC backend,
+replaced it by the Generic ODBC Backend, which has all the cool
+configurability of the Generic MySQL and PostgreSQL backends. - The
+PowerDNS Recursor now runs as a Service. It defaults to running on port
+5300, PowerDNS itself is configured to expect the Recursor on port 5300
+now. - The PowerDNS Service is now known as 'PowerDNS' to Windows. - The
+Installer was redone, this time with `NSIS2 <http://nsis.sf.net>`__. -
+General updates and fixes.
+
+Other news
+^^^^^^^^^^
+
+**Note**: There appears to be a problem with PowerDNS on Red Hat 7.3
+with GCC 2.96 and self-compiled binaries. The symptoms are that PowerDNS
+works on the foreground but fails as a daemon. We're working on it.
+
+If you do note problems, let the list know, if you don't, please do so
+as well. Tell us if you use the RPM or compiled yourself.
+
+It is known that not compiling in MySQL support helps solve the problem,
+but then you don't have MySQL.
+
+There have been a number of reports on MySQL connections being dropped
+on FreeBSD 4.x, which sometimes causes PowerDNS to give up and reload
+itself. To combat this, MySQL error messages have been improved in some
+places in hopes of figuring out what is up. The initial indication is
+that MySQL itself sometimes terminates the connection and, amazingly,
+that switching to a Unix domain socket instead of TCP solves the
+problem.
+
+Bug fixes
+^^^^^^^^^
+
+- **allow-axfr-ips** did not work for individual IP addresses (bug &
+ fix by Norbert Sendetzky)
+
+Improvements
+^^^^^^^^^^^^
+
+- Opteron support! Thanks to Jeff Davey for providing a shell on an
+ Opteron. The fixes should also help PowerDNS on other platforms with
+ a 64 bit userspace.
+
+ Btw, the PowerDNS team has a strong desire for an Opteron :-)
+
+- pdns\_recursor jumbles answers now. This means that you can do poor
+ man's round robin by supplying multiple A, MX or AAAA records for a
+ service, and get a random one on top each time. Interestingly, this
+ feature appeared out of nowhere, this change was made to the
+ authoritative code but due to the wonders of code-reuse had an effect
+ on pdns\_recursor too.
+- Big LDAP cleanup. Support for TLS was added. Zone2LDAP also gained
+ the ability to generate ldif files containing a tree or a list of
+ entries. (Norbert Sendetzky)
+- Zone2sql is now somewhat clearer when reporting malformed line errors
+ - it did not always include the name of the file causing a problem,
+ especially for big installations. Problem noted by Thom May.
+- pdns\_recursor now survives the expiration of all its root records,
+ most often caused by prolonged disconnection from the net.
+
+Version 2.9.12
+--------------
+
+Release rich in features. Work on Verisign oddities, addition of SQLite
+backend, pdns\_recursor maturity.
+
+New features
+^^^^^^^^^^^^
+
+- ^^version command (requested by Mike Benoit)
+- delegation-only, a Verisign special.
+- Generic `SQLite <http://www.sqlite.org>`__ support, by Michel 'Who da
+ man?' Stol. See `Generic SQLite
+ backend <authoritative/backend-generic-sqlite.md>`__.
+- init.d script for pdns\_recursor
+- Recursor now actually purges its cache, saving memory.
+- Slave configuration now no longer falls over when presented with a
+ NULL master
+- Bindbackend2 now has supermaster support (Mark Bergsma, untested)
+- Answers are now shuffled! It turns out a few recursors don't do
+ shuffling (pdns\_recursor, djbdns), so we do it now. Requested by
+ Jorn Ekkelenkamp of ISP-Services. This means that if you have
+ multiple IP addresses for one host, they will be returned in
+ differing order every once in a while.
+
+Bugs
+^^^^
+
+- 0.0.0.0/0 didn't use to work (Norbert Sendetzky)
+- pdns\_recursor would try to resolve IP address which to bind to,
+ potentially causing chicken/egg problem
+- gpgsql no longer reports as gmysql (Sherwin Daganoto)
+- SRV would not be parsed right from disk (Christof Meerwald)
+- An AXFR from a zone hosted on the LDAP backend no longer transmits
+ all the reverse entries too (Norbert Sendetzky)
+- PostgreSQL backend now does error checking. It would be a bit too
+ trusting before.
+
+Improvements, cleanups
+^^^^^^^^^^^^^^^^^^^^^^
+
+- PowerDNS now reports the numerical IP addresses it binds to instead
+ of the, possibly, alphanumeric names the operator passed.
+- Removed only-soa hackery (noticed by Norbert Sendetzky)
+- Debian packaging fixes (Wichert Akkerman)
+- Some parameter descriptions were improved.
+- Cleanups by Norbert: getAuth moved to chopOff, arguments::contains
+ massive cleanup, more.
+
+Version 2.9.11
+--------------
+
+Yet another iteration, hopefully this will be the last silly release.
+
+**Warning**: There has been a change in behaviour whereby
+**disable-axfr** does what it means now! From now on, setting
+**allow-axfr-ips** automatically disables AXFR from unmentioned subnets.
+
+This release enables AXFR again, **disable-axfr** did the opposite of
+what it claimed. Furthermore, the pdns\_recursor now cleans its cache,
+which should save some memory in the long run. Norbert contributed some
+small LDAP work which should come in useful in the future.
+
+Version 2.9.10
+--------------
+
+Small bugfixes, LDAP update. Released 3rd of July 2003. Apologies for
+the long delay, real life keeps interfering.
+
+**Warning**: Do not use or try to use 2.9.9, it was a botched release!
+
+**Warning**: There has been a change in behaviour whereby
+**disable-axfr** does what it means now! From now on, setting
+**allow-axfr-ips** automatically disables AXFR from unmentioned subnets.
+
+- 2.9.8 was prone to crash on adding additional records. Thanks to
+ excellent debugging by PowerDNS users worldwide, the bug was found
+ quickly and is in fact present in all earlier PowerDNS releases, but
+ for some reason doesn't cause crashes there.
+- Notifications now jump in front of the queue of domains that need to
+ be checked for changes, giving much greater perceived performance.
+ This is needed if you have tens of thousands of slave domains and
+ your master server is on a high latency link. Thanks to Mark Jeftovic
+ of EasyDNS for suggesting this change and testing it on their
+ platform.
+- Dean Mills reported that PowerDNS does confusing logging about
+ changing GIDs and UIDs, fixed. Cosmetic only.
+- pdns\_recursor may have logged empty lines for some users, fixed.
+ Solution suggested by Norbert Sendetzky.
+- LDAP: DNS TTLs were random values (Norbert Sendetzky, Stefan
+ Pfetzing). New **ldap-default-ttl** option.
+- LDAP: Now works with OpenLDAP 2.1 (Norbert Sendetzky)
+- LDAP: error handling for invalid MX records implemented (Norbert
+ Sendetzky)
+- LDAP: better exception handling (Norbert Sendetzky)
+- LDAP: code cleanup of lookup() (Norbert Sendetzky)
+- LDAP: added support for scoped searches (Norbert Sendetzky)
+
+Version 2.9.8
+-------------
+
+Queen's day release! 30th of April 2003.
+
+Added support for AIX, fixed negative SOA caching. Some other cleanups.
+Not a major release but enough reasons to upgrade.
+
+Bugs fixed
+^^^^^^^^^^
+
+- Recursor had problems expiring negatively cached entries, which
+ wasted memory and also led to the continued non-existence of hosts
+ that since had come into existence.
+- The Generic SQL backends did not lowercase the names of records,
+ which led to new records not being found by case sensitive databases
+ (notably PostgreSQL). Found by Volker Goetz.
+- NS queries for zones for which we did not carry authority, but only
+ had delegation information, had their NS records in the wrong
+ section. Minor detail, but a standards violation nonetheless. Spotted
+ by Stephane Bortzmeyer.
+
+Improvements
+^^^^^^^^^^^^
+
+- Removed crypt.h dependency from powerldap.hh, which was a problem on
+ some platforms (Richard Arends)
+- PowerDNS can't parse so called binary labels which we now detect and
+ ignore, after printing a warning.
+- Specifying allow-axfr-ips now automatically disables AXFR for all
+ non-mentioned addresses.
+- A Solaris ready init.d script is now part of the tar.gz (contributed,
+ but I lost by whom).
+- Added some fixes to PowerDNS can work on AIX (spotted by Markus
+ Heimhilcher).
+- Norbert Sendetzky contributed ``zone2ldap``.
+- Everybody's favorite compiler warning from ``zone2sql.cc`` was
+ removed!
+- Recursor now listens on TCP!
+
+Version 2.9.7
+-------------
+
+Released on 2003-03-20.
+
+This is a sweeping release in the sense of cleanup. There are some new
+features but mostly a lot of cleanup going on. Hiding inside is the
+``bind2backend``, the next generation of the bind backend. A work in
+progress. Those of you with overlapping zones, as mentioned in the
+changelog of 2.9.6, are invited to check it out by replacing
+**launch=bind** by **launch=bind2** and renaming all **bind-**
+parameters to **bind2-**. Be aware that if you run with many small
+zones, this backend is faster, but if you run with a few large ones, it
+is slower. This will improve.
+
+Features
+^^^^^^^^
+
+- Mark Bergsma contributed **query-local-address** which allows the
+ operator to select which source address to use. This is useful on
+ servers with multiple source addresses and the operating system
+ selecting an unintended one, leading to remotes denying access.
+- PowerDNS can now perform AAAA additional processing optionally,
+ turned on by setting **do-ipv6-additional-processing**. Thanks to
+ Stephane Bortzmeyer for pointing out the need.
+- Bind2backend, which is almost in compliance with the new IETF
+ AXFR-clarify (some would say 'redefinition') draft. This backend is
+ not ready for primetime but you may want to try it if you currently
+ have overlapping zones and note problems. An overlapping zone would
+ be having "ipv6.powerdns.com" and "powerdns.com" zones on one server.
+
+Improvements
+^^^^^^^^^^^^
+
+- Zone2sql would happily try to read from a directory and not give a
+ useful error about this.
+- PowerDNS now reports the case where it can't figure out any IP
+ address of slave nameservers for a zone
+- Removed **receiver-threads** setting which was experimental and in
+ fact only made things worse.
+- LDAP backend updates from its author Norbert Sendetzky. Reverse
+ lookups should work now too.
+- An error message about unparseable packets did not include the
+ originating IP address (fixed by Mark Bergsma)
+- PowerDNS can now be started via path resolution while running with a
+ guardian. Suggested by Maurice Nonnekes.
+- ``pdns_recursor`` moved to ``sbin`` (reported by Norbert Sendetzky)
+- Retuned some logger errorlevels, a lot of master/slave chatter was
+ logged as 'Error'. Reported by Willem de Groot.
+
+Bugs fixed
+^^^^^^^^^^
+
+- ``zone2sql`` did not remove trailing dots in SOA records.
+- ldapbackend did not include ``utility.hh`` which caused compilation
+ problems on Solaris (reported by Remco Post)
+- ``pdns_control`` could leave behind remnants in case PowerDNS was not
+ running (reported by dG)
+- Incoming AXFR did not work on Solaris and other big-endian systems
+ (Willem de Groot helped debugging this long standing problem).
+- Recursor could crash on convoluted CNAME loops. Thanks to Dan Faerch
+ for delivering core dumps.
+- Silly 'wuh' debugging output in zone2sql and bindbackend removed
+ (spotted by Ivo van der Wijk).
+- Recursor neglected to differentiate between negative cache of
+ NXDOMAIN and NOERROR, leading to problems with IPv6 enabled Windows
+ clients. Thanks to Stuart Walsh for reporting this and testing the
+ fix.
+- PowerDNS set the 'aa' bit on serving NS records in a zone for which
+ it was authoritative. Most implementations drop the 'aa' bit in this
+ case and Stephane Bortzmeyer informed us of this. PowerDNS now also
+ drops the 'aa' bit in this case.
+- The webserver tended to fail after prolonged operation on FreeBSD,
+ this was due to an uninitialised timeout, other platforms were lucky.
+ Thanks to G.P. de Boer for helping debug this.
+- getAnswers() in dnspacket.cc could be forced to read bytes beyond the
+ end of the packet, leading to crashes in the PowerDNS recursor. This
+ is an ongoing project that needs more work. Reported by Dan Faerch,
+ with a core dump proving the problem.
+
+Version 2.9.6
+-------------
+
+Two new backends - Generic ODBC (windows only) and LDAP. Furthermore, a
+few important bugs have been fixed which may have hampered sites seeing
+a lot of outgoing zone transfers. Additionally, the pdns recursor now
+has 'query throttling' which is pretty cool. In short this makes sure
+that PowerDNS does not send out heaps of queries if a nameserver is
+unable to provide an answer. Many operators of authoritative setups are
+all too aware of recursing nameservers that hammer them for zones they
+don't have, PowerDNS won't do that anymore now, no matter what clients
+request of it.
+
+**Warning**: There is an unresolved issue with the BIND backend and
+'overlapping' slave zones. So if you have 'example.com' and also have a
+separate slave zone called 'external.example.com', things may go wrong
+badly. Thanks to Christian Laursen for working with us a lot in finding
+this issue. We hope to resolve it soon.
+
+- BIND Backend now honours notifies, code to support this was
+ accidentally left out. Thanks to Christian Laursen for noticing this.
+- Massive speedup for those of you using the slightly deprecated MBOXFW
+ records. Thanks to Jorn of `ISP
+ Services <http://www.ISP-Services.nl>`__ for helping and testing this
+ improvement.
+- $GENERATE had an off-by-one bug where it would omit the last record
+ to be generated (Christian Laursen)
+- Simultaneous AXFRs may have been problematic on some backends. Thanks
+ to Jorn of ISP-Services again for helping us resolve this issue.
+- Added LDAP backend by Norbert Sendetzky, see `LDAP
+ Backend <authoritative/backend-ldap.md>`__.
+- Added Generic ODBC backend for Windows by Michel Stol.
+- Simplified 'out of zone data' detection in incoming AXFR support,
+ hopefully removing a case sensitivity bug there. Thanks again to
+ Christian Laursen for reporting this issue.
+- $include in-zonefile was broken under some circumstances, losing the
+ last character of a file name. Thanks to Joris Vandalon for noticing
+ this.
+- The zone parser was more case-sensitive than BIND, refusing to accept
+ 'in' as well as 'IN'. Thanks to Joris Vandalon for noticing this.
+
+Version 2.9.5
+-------------
+
+Released on 2002-02-03.
+
+This version is almost entirely about recursion with major changes to
+both the pdns recursor, which is renamed to '``pdns_recursor``' and to
+the main PowerDNS binary to make it interact better with the recursing
+component.
+
+Sadly, due to `technical
+reasons <http://sources.redhat.com/ml/libc-alpha/2003-01/msg00245.html>`__,
+compiling the pdns recursor and pdns authoritative nameserver into one
+binary is not immediately possible. During the release of 2.9.4 we
+stated that the recursing nameserver would be integrated in the next
+release - this won't happen now.
+
+However, this turns out to not be that bad at all. The recursor can now
+be restarted without having to restart the rest of the nameserver, for
+example. Cooperation between the both halves of PowerDNS is also almost
+seamless. As a result, 'non-lazy recursion' has been dropped. See
+`Recursion <authoritative/recursion.md>`__ for more details.
+
+Furthermore, the recursor only works on Linux, Windows and Solaris (not
+entirely). FreeBSD does not support the required functions. If you know
+any important FreeBSD people, plea with them to support
+set/get/swapcontext! Alternatively, FreeBSD coders could read the
+solution presented here `in figure
+5 <http://www.eng.uwaterloo.ca/~ejones/software/threading.html>`__.
+
+The 'Contributor of the Month' award goes to Mark Bergsma who has
+responded to our plea for help with the label compressor and contributed
+a wonderfully simple and right fix that allows PowerDNS to compress just
+as well as other nameservers out there. An honorary mention goes to Ueli
+Heuer who, despite having no C++ experience, submitted an excellent SRV
+record implementation.
+
+Excellent work was also performed by Michel Stol, the Windows guy, in
+fixing all our non-portable stuff again. Christof Meerwald has also done
+wonderful work in porting MTasker to Windows, which was then used by
+Michel to get the recursor functioning on Windows.
+
+Other changes
+^^^^^^^^^^^^^
+
+- dnspacket.cc was cleaned up by factoring out common operations
+- Heaps of work on the recursing nameserver. Has now achieved *days* of
+ uptime!
+- Recursor renamed from syncres to ``pdns_recursor``
+- PowerDNS can now serve records it does not know about. To benefit
+ from this slightly undocumented feature, add 1024 to the numerical
+ type of a record and include the record in binary form in your
+ database. Used internally by the recursing nameserver but you can use
+ it too.
+- PowerDNS now knows about SIG and KEY records *names*. It does not
+ support them yet but can at least report so now.
+- HINFO records can now be transferred from a master to PowerDNS
+ (thanks to Ueli Heuer for noticing it didn't work).
+- Yet more UltraSPARC alignment issues fixed (Chris Andrews).
+- Dropped non-lazy recursion, nobody was using it. Lazy recursion
+ became even more lazy after Dan Bernstein pointed out that additional
+ processing is not vital, so PowerDNS does its best to do additional
+ processing on recursive queries, but does not scream murder if it
+ does not succeed. Due to caching, the next identical query will be
+ successfully additionally processed.
+- Label compression was improved so we can now fit all . records in 436
+ bytes, this used to be 460! (Code & formal proof of correctness by
+ Mark Bergsma).
+- SRV support (incoming and outgoing), submitted by Ueli Heuer.
+- Generic backends do not support SOA serial autocalculation, it
+ appears. Could lead to random SOA serials in case of a serial of 0 in
+ the database. Fixed so that 0 stays zero in that case. Don't set the
+ SOA serial to 0 when using Generic MySQL or Generic PostgreSQL!
+- J root-server address was updated to its new location.
+- SIGUSR1 now forces the recursor to print out statistics to the log.
+- Meaning of recursor logging was changed a bit - a cache hit is now a
+ question that was answered with 0 outgoing packets needed. Used to be
+ a weighted average of internal cache hits.
+- MySQL compilation did not include -lz which causes problems on some
+ platforms. Thanks to James H. Cloos Jr for reporting this.
+- After a suggestion by Daniel Meyer and Florus Both, the built in
+ webserver now reports the configuration name when multiple PowerDNS
+ instances are active.
+- Brad Knowles noticed that zone2sql had problems with the root.zone,
+ fixed. This also closes some other zone2sql annoyances with
+ converting single zones.
+
+Version 2.9.4
+-------------
+
+Yet another grand release. Big news is the addition of a recursing
+nameserver which has sprung into existence over the past week. It is in
+use on several computers already but it is not ready for prime time.
+Complete integration with PowerDNS is expected around 2.9.5, for now the
+recursor is a separate program.
+
+In preliminary tests, the recursor appears to be four times faster than
+BIND 9 on a naive benchmark starting from a cold cache. BIND 9 managed
+to get through to some slower nameservers however, which were given up
+on by PowerDNS. We will continue to tune the recursor. See `PowerDNS
+Recursor <recursor/index.md>`__ for further details.
+
+The BIND Backend has also been tested (see the **bind-domain-status**
+item below) rather heavily by several parties. After some discussion
+online, one of the BIND authors ventured that the newsgroup
+comp.protocols.dns.bind may now in fact be an appropriate venue for
+discussing PowerDNS. Since this discussion, traffic to the PowerDNS
+pages has increased sixfold and shows no signs of slowing down.
+
+From this, it is apparent that far more people are interested in
+PowerDNS than yet know about it. So spread the word!
+
+In other news, we now have a security page at
+`Security <security/index.md>`__. Furthermore, Maurice Nonnekes
+contributed an OpenBSD port! See `his
+page <http://www.codeninja.nl/openbsd/powerdns/>`__ for more details!
+
+New features and improvements
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+- All SQL queries in the generic backends are now available for
+ configuration. (Martin Klebermass, Bert Hubert). See `Generic SQL
+ backends <authoritative/backend-generic-sql.md>`__.
+- A recursing nameserver! See `PowerDNS
+ Recursor <recursor/index.md>`__.
+- An incoming AXFR now only starts a backend zone replacement
+ transaction after the first record arrived successfully, thus making
+ sure no work is done when a remote nameserver is unable/unwilling to
+ AXFR a zone to us.
+- Zone parser error messages were improved slightly (thanks to Stef van
+ Dessel for spotting this shortcoming)
+- XS4ALL's Erik Bos checked how PowerDNS reacted to a BIND installation
+ with almost 60.000 domains, some of which with >100.000 records, and
+ he discovered the pdns\_control **bind-domain-status** command became
+ very slow with larger numbers of domains. Fixed, 60.000 domains are
+ now listed in under one second.
+- If a remote nameserver disconnects during an incoming AXFR, the
+ update is now rolled back, unless the AXFR was properly terminated.
+- The migration chapter mentioned the use of deprecated backends.
+
+A tremendous number of bugs were discovered and fixed
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+- Zone parser would only accept $include and not $INCLUDE
+- Zone parser had problems with $lines with comments on the end
+- Wildcard ANY queries were broken (thanks Colemarcus for spotting
+ this)
+- A connection failure with the Generic backends would lead to a
+ powerdns reload (cast of many)
+- Generic backends had some semantic problems with slave support.
+ Symptoms were oft-repeated notifications and transfers (thanks to
+ Mark Bergsma for helping resolve this).
+- Solaris version compiles again. Thanks to Mohamed Lrhazi for
+ reporting that it didn't.
+- Some UltraSPARC alignment fixes. Thanks to Mohamed Lrhazi for being
+ helpful in spotting these. One problem is still outstanding, Mohamed
+ sent a core dump that tells us where the problem is. Expect the fix
+ to be in 2.9.5. Volunteers can grep the source for 'UltraSPARC' to
+ find where the problem is.
+- Our support of IPv6 on FreeBSD had phase of moon dependent bugs,
+ fixed by Peter van Dijk.
+- Some crashes of and by pdns\_control were fixed, thanks to Mark
+ Bergsma for helping resolve these.
+- Outgoing AXFR in pdns installations with multiple loaded backends was
+ broken (thanks to Stuart Walsh for reporting this).
+- A failed BIND Backend incoming AXFR would block the zone until it
+ succeeded again.
+- Generic PostgreSQL backend wouldn't compile with newer libpq++, fixed
+ by Julien Lemoine/SpeedBlue.
+- Potential bug (not observed) when listening on multiple interfaces
+ fixed.
+- Some typos in manpages fixed (reported by Marco Davids).
+
+Version 2.9.3a
+--------------
+
+**Note**: 2.9.3a is identical to 2.9.3 except that zone2sql does work
+
+Broad range of huge improvements. We now have an all-static .rpm and
+.deb for Linux users and a link to an OpenBSD port. Major news is that
+work on the Bind backend has progressed to the point that we've just
+retired our last Bind server and replaced it with PowerDNS in Bind mode!
+This server is operating a number of master and slave setups so it
+should stress the Bind backend somewhat.
+
+This version is rapidly approaching the point where it is a
+better-Bind-than-Bind and nearly a drop-in replacement for authoritative
+setups. PowerDNS is now equipped with a powerful master/slave apparatus
+that offers a lot of insight and control to the user, even when
+operating from Bind zone files and a Bind configuration. Observe.
+
+After the SOA of example.org was raised
+
+::
+
+ pdns[17495]: All slave domains are fresh
+ pdns[17495]: 1 domain for which we are master needs notifications
+ pdns[17495]: Queued notification of domain 'example.org' to 195.193.163.3
+ pdns[17495]: Queued notification of domain 'example.org' to 213.156.2.1
+ pdns[17520]: AXFR of domain 'example.org' initiated by 195.193.163.3
+ pdns[17520]: AXFR of domain 'example.org' to 195.193.163.3 finished
+ pdns[17521]: AXFR of domain 'example.org' initiated by 213.156.2.1
+ pdns[17521]: AXFR of domain 'example.org' to 213.156.2.1 finished
+ pdns[17495]: Removed from notification list: 'example.org' to 195.193.163.3 (was acknowledged)
+ pdns[17495]: Removed from notification list: 'example.org' to 213.156.2.1 (was acknowledged)
+ pdns[17495]: No master domains need notifications
+
+If however our slaves would ignore us, as some are prone to do, we can
+send some additional notifications
+
+::
+
+ $ sudo pdns_control notify example.org
+ Added to queue
+ pdns[17492]: Notification request for domain 'example.org' received
+ pdns[17492]: Queued notification of domain 'example.org' to 195.193.163.3
+ pdns[17492]: Queued notification of domain 'example.org' to 213.156.2.1
+ pdns[17495]: Removed from notification list: 'example.org' to 195.193.163.3 (was acknowledged)
+ pdns[17495]: Removed from notification list: 'example.org' to 213.156.2.1 (was acknowledged)
+
+Conversely, if PowerDNS needs to be reminded to retrieve a zone from a
+master, a command is provided
+
+::
+
+ $ sudo pdns_control retrieve forfun.net
+ Added retrieval request for 'forfun.net' from master 212.187.98.67
+ pdns[17495]: AXFR started for 'forfun.net', transaction started
+ pdns[17495]: Zone 'forfun.net' (/var/cache/bind/forfun.net) reloaded
+ pdns[17495]: AXFR done for 'forfun.net', zone committed
+
+Also, you can force PowerDNS to reload a zone from disk immediately with
+**pdns\_control bind-reload-now**. All this happens 'live', per your
+instructions. Without instructions, the right things also happen, but
+the operator is in charge.
+
+For more about all this coolness, see
+`“pdns\_control” <authoritative/running.md#pdnscontrol>`__ and
+`“pdns\_control
+commands” <authoritative/backend-bind.md#bind-control-commands>`__.
+
+**Warning**: Again some changes in compilation instructions. The hybrid
+pgmysql backend has been split up into 'gmysql' and 'gpgsql', sharing a
+common base within the PowerDNS server itself. This means that you can
+no longer compile **^^with-modules="pgmysql" ^^enable-mysql
+^^enable-pgsql** but that you should now use: **^^with-modules="gmysql
+gpgsql"**. The old launch-names remain available.
+
+If you launch the Generic PostgreSQL backend as gpgsql2, all parameters
+will have gpgsql2 as a prefix, for example **gpgsql2-dbname**. If
+launched as gpgsql, the regular names are in effect.
+
+**Warning**: The pdns\_control protocol was changed which means that
+older pdns\_controls cannot talk to 2.9.3. The other way around is
+broken too. This may lead to problems with automatic upgrade scripts, so
+pay attention if your daemon is truly restarted.
+
+Also make sure no old pdns\_control command is around to confuse things.
+
+Improvements
+^^^^^^^^^^^^
+
+- Bind backend can now deal with missing files and try to find them
+ later.
+- Bind backend is now explicitly master capable and triggers the
+ sending of notifications.
+- General robustness improvements in Bind backend - many errors are now
+ non-fatal.
+- Accessibility, Serviceability. New **pdns\_server** commands like
+ **bind-list-rejects** (lists zones that could not be loaded, and the
+ reason why), **bind-reload-now** (reload a zone from disk NOW),
+ **rediscover** (reread named.conf NOW). More is coming up.
+- Added support for retrieving RP (Responsible Person) records from
+ remote masters. Serving them was already possible.
+- Added support for LOC records, which encode the geographical location
+ of a host, both serving and retrieving (thanks to Marco Davids using
+ them on our last Bind server, forcing us to implement this silly
+ record).
+- Configuration file parser now strips leading spaces too, allowing
+ "chroot= /tmp" to work, as well as "chroot=/tmp" (Thanks to Hub
+ Dohmen for reporting this for months on end).
+- Added **bind-domain-status** command that shows the status of all
+ domains (when/if they were parsed, any errors encountered while
+ parsing them).
+- Added **bind-reload-now** command that tries to reload a zone from
+ disk NOW, and reports back errors to the operator immediately.
+- Added **retrieve** command that queues a request to retrieve a zone
+ from its master.
+- Zones retrieved from masters are now stored way smaller on disk
+ because the domain is stripped from records, which is derived from
+ the configuration file. Retrieved zones are now prefixed with some
+ information on where they came from.
+
+Changes
+^^^^^^^
+
+- gpgsql and gmysql backends split out of the hybrid pgmysqlbackend.
+ This again changed compilation instructions!
+- **pdns\_control** now uses the rarely seen SOCK\_STREAM Unix Domain
+ socket variety so it can transport large amounts of text, which is
+ needed for the **bind-domain-status** command, for which see
+ `Pdns\_control
+ commands <authoritative/backend-bind.md#bind-control-commands>`__.
+ This breaks compatibility with older pdns\_control and pdns\_server
+ binaries!
+- Bind backend now ignores 'hint' and 'forward' and other unsupported
+ zone types.
+- AXFRs are now logged more heavily by default. An AXFR is a heavy
+ operation anyhow, some more logging does not further increase the
+ load materially. Does help in clearing up what slaves are doing.
+- A lot of master/slave chatter has been silenced, making output more
+ relevant. No more repetitive 'No master domains need notifications'
+ etc, only changes are reported now.
+
+Bugfixes
+^^^^^^^^
+
+- Windows version did not compile without minor changes.
+- Confusing error reporting on Windows 98 (which does not support
+ PowerDNS) fixed
+- Potential crashes with shortened packets addressed. An upgrade is
+ advised!
+- **notify** (which was already there, just badly documented) no longer
+ prints out debugging garbage.
+- pgmysql backend had problems launching when not compiled in but
+ available as a module. Workaround for 2.9.2 is
+ 'load-modules=pgmysql', but even then gpgsql would not work! gmysql
+ would then, however. These modules are now split out, removing such
+ issues.
+
+ Version 2.9.2
+--------------
+
+Bugfixes galore. Solaris porting created some issues on all platforms.
+Great news is that PowerDNS is now in Debian 'sid' (unstable). The 2.9.1
+packages in there currently aren't very good but the 2.9.2 ones will be.
+Many thanks to Wichert Akkerman, our 'downstream' for making this
+possible.
+
+**Warning**: The Generic MySQL backend, part of the Generic MySQL &
+PostgreSQL backend, is now the DEFAULT! The previous default, the
+'mysql' backend (note the lack of 'g') is now DEPRECATED. This was the
+source of much confusion. The 'mysql' backend does not support MASTER or
+SLAVE operation. The Generic backends do.
+
+To get back the mysql backend, add ^^with-modules="mysql" or
+^^with-dynmodules="mysql" if you prefer to load your modules at runtime.
+
+Bugs fixed
+^^^^^^^^^^
+
+- Silly debugging output removed from the webserver (found by Paul
+ Wouters)
+- SEVERE: due to Solaris portability fixes, qtypes<127 were broken.
+ These include NAPTR, ANY and AXFR. The upshot is that powerdns wasn't
+ performing outgoing AXFRs nor ANY queries. These were the 'question
+ for type -1' warnings in the log
+- incoming AXFR could theoretically miss some trailing records (not
+ observed, but could happen)
+- incoming AXFR did not support TXT records (spotted by Paul Wouters)
+- with some remotes, an incoming AXFR would not terminate until a
+ timeout occurred (observed by Paul Wouters)
+- Documentation bug, pgmysql != mypgsql
+
+Documentation
+^^^^^^^^^^^^^
+
+- Documented the 'random backend', see `Random
+ Backend <authoritative/backend-random.md>`__.
+- Wichert Akkerman contributed three manpages.
+- Building PowerDNS on Unix is now documented somewhat more, see
+ `Compiling PowerDNS on
+ Unix <appendix/compiling-powerdns.md#on-unix>`__.
+
+Features
+^^^^^^^^
+
+- pdns init.d script is now +x by default
+- OpenBSD is on its way of becoming a supported platform! As of 2.9.2,
+ PowerDNS compiles on OpenBSD but swiftly crashes. Help is welcome.
+- ODBC backend (for Windows only) was missing from the distribution,
+ now added.
+- xdb backend added - see `XDB
+ Backend <authoritative/backend-deprecated.md#xdb-backend>`__.
+ Designed for use by root-server operators.
+- Dynamic modules are back which is good news for distributors who want
+ to make a pdns packages that does not depend one every database under
+ the sun.
+
+Version 2.9.1
+-------------
+
+Thanks to the great enthusiasm from around the world, powerdns is now
+available for Solaris and FreeBSD users again! Furthermore, the Windows
+build is back. We are very grateful for the help of
+
+- Michel Stol
+- Wichert Akkerman
+- Edvard Tuinder
+- Koos van den Hout
+- Niels Bakker
+- Erik Bos
+- Alex Bleker
+- Steven Stillaway
+- Roel van der Made
+- Steven Van Steen
+
+We are happy to have been able to work with the open source community to
+improve PowerDNS!
+
+Changes
+^^^^^^^
+
+- The monitor command **set** no longer allows the changing of
+ non-existent variables.
+- IBM Universal Database DB2 backend now included in source
+ distribution (untested!)
+- Oracle backend now included in source distribution (slightly tested!)
+- configure script now searches for postgresql and mysql includes
+- Bind parser now no longer dies on records with a ' in them (Erik Bos)
+- The pipebackend was accidentally left out of 2.9
+- FreeBSD fixes (with help from Erik Bos, Alex Bleeker, Niels Bakker)
+- Heap of Solaris work (with help from Edvard Tuinder, Stefan Van
+ Steen, Koos van den Hout, Roel van der Made and especially Mark
+ Bakker). Now compiles in 2.7 and 2.8, haven't tried 2.9. May be a bit
+ dysfunctional on 2.7 though - it won't do IPv6 and it won't serve
+ AAAA. Patches welcome!
+- Windows 32 build is back! Michel Stol updated his earlier work to the
+ current version.
+- S/Linux (Linux on Sparc) build works now (with help from Steven
+ Stillaway).
+- Silly debugging message ('sd.ttl from cache') removed
+- .deb files are back, hopefully in 'sid' soon! (Wichert Akkerman)
+- Removal of bzero and other less portable constructs. Discovered that
+ recent Linux glibc's need -D\_GNU\_SOURCE (Wichert Akkerman).
+
+Version 2.9
+-----------
+
+Open source release. Do not deploy unless you know what you are doing.
+Stability is expected to return with 2.9.1, as are the binary builds.
+
+- License changed to the GNU General Public License version 2.
+- Cleanups by Erik Bos @ xs4all.
+- Build improvements by Wichert Akkerman
+- Lots of work on the build system, entirely revamped. By PowerDNS.
+
+Version 2.8
+-----------
+
+From this release onwards, we'll concentrate on stabilising for the 3.0
+release. So if you have any must-have features, let us know soonest. The
+2.8 release fixes a bunch of small stability issues and add two new
+features. In the spirit of the move to stability, this release has
+already been running 24 hours on our servers before release.
+
+- pipe backend gains the ability to restricts its invocation to a
+ limited number of requests. This allows a very busy nameserver to
+ still serve packets from a slow perl backend.
+- pipe backend now honors query-logging, which also documents which
+ queries were blocked by the regex.
+- pipe backend now has its own backend chapter.
+- An incoming AXFR timeout at the wrong moment had the ability to crash
+ the binary, forcing a reload. Thanks to our bug spotting champions
+ Mike Benoit and Simon Kirby of NetNation for reporting this.
+
+Version 2.7 and 2.7.1
+---------------------
+
+This version fixes some very long standing issues and adds a few new
+features. If you are still running 2.6, upgrade yesterday. If you were
+running 2.6.1, an upgrade is still strongly advised.
+
+Features
+^^^^^^^^
+
+- The controlsocket is now readable and writable by the 'setgid' user.
+ This allows for non-root access to PowerDNS which is nice for mrtg or
+ cricket graphs.
+- MySQL backend (the non-generic one) gains the ability to read from a
+ different table using the **mysql-table** setting.
+- pipe backend now has a configurable timeout using the
+ **pipe-timeout** setting. Thanks to Steve Bromwich for pointing out
+ the need for this.
+- Experimental backtraces. If PowerDNS crashes, it will log a lot of
+ numbers and sometimes more to the syslog. If you see these, please
+ report them to us. Only available under Linux.
+
+Bugs
+^^^^
+
+- 2.7 briefly broke the mysql backend, so don't use it if you use that.
+ 2.7.1 fixes this.
+- SOA records could sometimes have the wrong TTL. Thanks to Jonas
+ Daugaard for reporting this.
+- An ANY query might lead to duplicate SOA records being returned under
+ exceptional circumstances. Thanks to Jonas Daugaard for reporting
+ this.
+- Underlying the above bug, packet compression could sometimes suddenly
+ be turned off, leading to overly large responses and non-removal of
+ duplicate records.
+- The **allow-axfr-ips** setting did not accept IP ranges
+ (192.0.2.0/24) which the documentation claimed it did (thanks to
+ Florus Both of Ascio technologies for being sufficiently persistent
+ in reporting this).
+- Killed backends were not being respawned, leading to suboptimal
+ behaviour on intermittent database errors. Thanks to Steve Bromwich
+ for reporting this.
+- Corrupt packets during an incoming AXFR when acting as a slave would
+ cause a PowerDNS reload instead of just failing that AXFR. Thanks to
+ Mike Benoit and Simon Kirby of NetNation for reporting this.
+- Label compression in incoming AXFR had problems with large offsets,
+ causing the above mentioned errors. Thanks to Mike Benoit and Simon
+ Kirby of NetNation for reporting this.
+
+Version 2.6.1
+-------------
+
+Quick fix release for a big cache problem.
+
+ Version 2.6
+------------
+
+Performance release. A lot of work has been done to raise PowerDNS
+performance to staggering levels in order to take part in benchmarketing
+efforts. Together with our as yet unnamed partner, PowerDNS has been
+benchmarked at 60.000 mostly cached queries/second on off the shelf PC
+hardware. Uncached performance was 17.000 uncached DNS queries/second on
+the .ORG domain.
+
+Performance has been increased by both making PowerDNS itself quicker
+but also by lowering the number of backend queries typically needed.
+Operators will typically see PowerDNS taking less CPU and the backend
+seeing less load.
+
+Furthermore, some real bugs were fixed. A couple of undocumented
+performance switches may appear in ^^help output but you are advised to
+stay away from these.
+
+Developers: this version needs the pdns-2.5.1 development kit, available
+on http://downloads.powerdns.com/releases/dev. See also `Backend
+writers' guide <appendix/backend-writers-guide.md>`__.
+
+Performance
+^^^^^^^^^^^
+
+- A big error in latency calculations - cached packets were weighed 50
+ times less, leading to inflated latency reporting. Latency
+ calculations are now correct and way lower - often in the
+ microseconds range.
+- It is now possible to run with 0 second cache TTLs. This used to
+ cause very frequent cache cleanups, leading to performance
+ degradation.
+- Many tiny performance improvements, removing duplicate cache key
+ calculations, etc. The cache itself has also been reworked to be more
+ efficient.
+- First 'CNAME' backend query replaced by an 'ANY' query, which most of
+ the time returns the actual record, preventing the need for a
+ separate CNAME lookup, halving query load.
+- Much of the same for same-level-NS records on queries needing
+ delegation.
+
+Bugs fixed
+^^^^^^^^^^
+
+- Incidentally, the cache count would show 'unknown' packets, which was
+ harmless but confusing. Thanks to Mike and Simon of NetNation for
+ reporting this.
+- SOA hostmaster with a . in the local-part would be cached wrongly,
+ leading to a stray backslash in case of multiple successively SOA
+ queries. Thanks to Ascio Technologies for spotting this bug.
+- zone2sql did not parse Verisign zone files correctly as these
+ contained a $TTL statement in mid-record.
+- Sometimes packets would not be accounted, leading to 'udp-queries'
+ and 'udp-answers' divergence.
+
+Features
+^^^^^^^^
+
+- 'cricket' command added to init.d scripts that provides unadorned
+ output for parsing by 'Cricket'.
+
+Version 2.5.1
+-------------
+
+`Brown paper
+bag <http://www.tuxedo.org/~esr/jargon/html/entry/brown-paper-bag-bug.html>`__
+release fixing a huge memory leak in the new Query Cache.
+
+Developers: this version needs the new pdns-2.5.1 development kit,
+available on http://downloads.powerdns.com/releases/dev. See also
+`Backend writers' guide <appendix/backend-writers-guide.md>`__.
+
+And some small changes
+
+- Added support for RFC 2308 compliant negative-answer caching. This
+ allows remotes to cache the fact that a domain does not exist and
+ will not exist for a while. Thanks to Chris Thompson for `pointing
+ out how tiny our minds
+ are <http://ops.ietf.org/lists/namedroppers/namedroppers.2002/msg01697.html>`__.
+ This feature may cause a noticeable reduction in query load.
+- Small speedup to non-packet-cached queries, incidentally fixing the
+ huge memory leak.
+- **pdns\_control ccounts** command outputs statistics on what is in
+ the cache, which is useful to help optimize your caching strategy.
+
+Version 2.5
+-----------
+
+An important release which has seen quite a lot of trial and error
+testing. As a result, PowerDNS can now run with a huge cache and
+concurrent invalidations. This is useful when running of a slower
+database or under high traffic load with a fast database.
+
+Furthermore, the gpgsql2 backend has been validated for use and will
+soon supplant the gpgsql backend entirely. This also bodes well for the
+gmysql backend which is the same code.
+
+Also, a large amount of issues biting large scale slave operators were
+addressed. Most of these issues would only show up after prolonged
+uptime.
+
+New features
+^^^^^^^^^^^^
+
+- Query cache. The old Packet Cache only cached entire questions and
+ their answers. This is very CPU efficient but does not lead to
+ maximum hitrate. Two packets both needing to resolve smtp.you.com
+ internally would not benefit from any caching. Furthermore, many
+ different DNS queries lead to the same backend queries, like 'SOA for
+ .COM?'.
+
+ PowerDNS now also caches backend queries, but only those having no
+ answer (the majority) and those having one answer (almost the rest).
+
+ In tests, these additional caches appear to halve the database
+ backend load numerically and perhaps even more in terms of CPU load.
+ Often, queries with no answer are more expensive than those having
+ one.
+
+ The default **ttl**\ s for the query-cache and negquery-cache are set
+ to safe values (20 and 60 seconds respectively), you should be seeing
+ an improvement in behaviour without sacrificing a lot in terms of
+ quick updates.
+
+ The webserver also displays the efficiency of the new Query Cache.
+
+ The old Packet Cache is still there (and useful) but see
+ `Authoritative Server Performance <authoritative/performance.md>`__
+ for more details.
+
+- There is now the ability to shut off some logging at a very early
+ stage. High performance sites doing thousands of queries/second may
+ in fact spend most of their CPU time on attempting to write out
+ logging, even though it is ignored by syslog. The new flag
+ **log-dns-details**, on by default, allows the operator to kill most
+ informative-only logging before it takes any cpu.
+- Flags which can be switched 'on' and 'off' can now also be set to
+ 'off' instead of only to 'no' to turn them off.
+
+Enhancements
+^^^^^^^^^^^^
+
+- Packet Cache is now case insensitive, leading to a higher hitrate
+ because identical queries only differing in case now both match. Care
+ is taken to restore the proper case in the answer sent out.
+- Packet Cache stores packets more efficiently now, savings are
+ estimated at 50%.
+- The Packet Cache is now asynchronous which means that PowerDNS
+ continues to answer questions while the cache is busy being purged or
+ queried. Incidentally this will mean a cache miss where previously
+ the question would wait until the cache became available again.
+
+ The upshot of this is that operators can call **pdns\_control purge**
+ as often as desired without fearing performance loss. Especially the
+ full, non-specific, purge was sped up tremendously.
+
+ This optimization is of little merit for small sites but is very
+ important when running with a large packetcache, such as when using
+ recursion under high load.
+
+- AXFR log messages now all contain the word 'AXFR' to ease grepping.
+- Linux static version now compiled with gcc 3.2 which is known to
+ output better and faster code than the previously used 3.0.4.
+
+Bugs fixed
+^^^^^^^^^^
+
+- Packetcache would sometimes send packets back with slightly modified
+ flags if these differed from the flags of the cached copy.
+- Resolver code did bad things with file descriptors leading to fd
+ exhaustion after prolonged uptimes and many slave SOA currency
+ checks.
+- Resolver code failed to properly log some errors, leading to operator
+ uncertainty regarding to AXFR problems with remote masters.
+- After prolonged uptime, slave code would try to use privileged ports
+ for originating queries, leading to bad replication efficiency.
+- Masters sending back answers in differing case from questions would
+ lead to bogus 'Master tried to sneak in out-of-zone data' errors and
+ failing AXFRs.
+
+Version 2.4
+-----------
+
+Developers: this version is compatible with the pdns-2.1 development
+kit, available on http://downloads.powerdns.com/releases/dev. See also
+`*Backend writers' guide* <appendix/backend-writers-guide.md>`__.
+
+This version fixes some stability issues with malformed or malcrafted
+packets. An upgrade is advised. Furthermore, there are interesting new
+features.
+
+New features
+^^^^^^^^^^^^
+
+- Recursive queries are now also cached, but in a separate namespace so
+ non-recursive queries don't get recursed answers and vice versa. This
+ should mean way lower database load for sites running with the
+ current default lazy-recursion. Up to now, each and every recursive
+ query would lead to a large amount of SQL queries.
+
+ To prevent the packetcache from becoming huge, a separate
+ **recursive-cache-ttl** can be specified.
+
+- The ability to change parameters at runtime was added. Currently,
+ only the new **query-logging** flag can be changed.
+- Added **query-logging** flag which hints a backend that it should
+ output a textual representation of queries it receives. Currently
+ only gmysql and gpgsql2 honor this flag.
+- Gmysql backend can now also talk to PostgreSQL, leading to less code.
+ Currently, the old postgresql driver ('gpgsql') is still the default,
+ the new driver is available as 'gpgsql2' and has the benefit that it
+ does query logging. In the future, gpgsql2 will become the default
+ gpgsql driver.
+- DNS recursing proxy is now more verbose in logging odd events which
+ may be caused by buggy recursing backends.
+- Webserver now displays peak queries/second 1 minute average.
+
+Bugs fixed
+^^^^^^^^^^
+
+- Failure to connect to database in master/slave communicator thread
+ could lead to an unclean reload, fixed.
+
+Documentation: added details for **strict-rfc-axfrs**. This feature can
+be used if very old clients need to be able to do zone transfers with
+PowerDNS. Very slow.
+
+Version 2.3
+-----------
+
+Developers: this version is compatible with the pdns-2.1 development
+kit, available on http://downloads.powerdns.com/releases/dev. See also
+`Backend writers' guide <appendix/backend-writers-guide.md>`__
+
+This release adds the Generic MySQL backend which allows full
+master/slave semantics with MySQL and InnoDB tables (or other tables
+that support transactions). See `Generic MySQL
+backend <authoritative/backend-generic-mysql.md>`__.
+
+Other new features
+^^^^^^^^^^^^^^^^^^
+
+- Improved error messages in master/slave communicator will help down
+ track problems.
+- **slave-cycle-interval** setting added. Very large sites with
+ thousands of slave domains may need to raise this value above the
+ default of 60. Every cycle, domains in indeterminate state are
+ checked for their condition. Depending on the health of the masters,
+ this may entail many SOA queries or attempted AXFRs.
+
+Bugs fixed
+^^^^^^^^^^
+
+- 'pdns\_control purge **``domain``**' and 'pdns\_control purge
+ **``domain$``**' were broken in version 2.2 and did not in fact purge
+ the cache. There is a slight risk that domain-specific purge commands
+ could force a reload in previous version. Thanks to Mike Benoit of
+ NetNation for discovering this.
+- Master/slave communicator thread got confused in case of delayed
+ answers from slow masters. While not causing harm, this caused
+ inefficient behaviour when testing large amounts of slave domains
+ because additional 'cycles' had to pass before all domains would have
+ their status ascertained.
+- Backends implementing special SOA semantics (currently only the
+ undocumented 'pdns express backend', or homegrown backends) would
+ under some circumstances not answer the SOA record in case of an ANY
+ query. This should put an end to the last DENIC problems. Thanks to
+ DENIC for helping us find the problem.
+
+Version 2.2
+-----------
+
+Developers: this version is compatible with the pdns-2.1 development
+kit, available on http://downloads.powerdns.com/releases/dev. See also
+`Backend writers' guide <appendix/backend-writers-guide.md>`__
+
+Again a big release. PowerDNS is seeing some larger deployments in more
+demanding environments and these are helping shake out remaining issues,
+especially with recursing backends.
+
+The big news is that wildcard CNAMEs are now supported, an oft requested
+feature and nearly the only part in which PowerDNS differed from BIND in
+authoritative capabilities.
+
+If you were seeing signal 6 errors in PowerDNS causing reloads and
+intermittent service disruptions, please upgrade to this version.
+
+For operators of PowerDNS Express trying to host .DE domains, the very
+special **soa-serial-offset** feature has been added to placate the new
+DENIC requirement that the SOA serial be at least six digits. PowerDNS
+Express uses the SOA serial as an actual serial and not to insert dates
+and hence often has single digit soa serial numbers, causing big
+problems with .DE redelegations.
+
+Bugs fixed
+^^^^^^^^^^
+
+- Malformed or shortened TCP recursion queries would cause a signal 6
+ and a reload. Same for EOF from the TCP recursing backend. Thanks to
+ Simon Kirby and Mike Benoit of NetNation for helping debug this.
+- Timeouts on the TCP recursing backend were far too long, leading to
+ possible exhaustion of TCP resolving threads.
+- **pdns\_control purge domain** accidentally cleaned all packets with
+ that name as a prefix. Thanks to Simon Kirby for spotting this.
+- Improved exception error logging - in some circumstances PowerDNS
+ would not properly log the cause of an exception, which hampered
+ problem resolution.
+
+New features
+^^^^^^^^^^^^
+
+- Wildcard CNAMEs now work as expected!
+- **pdns\_control purge** can now also purge based on suffix, allowing
+ operators to purge an entire domain from the packet cache instead of
+ only specific records. See also
+ `pdns\_control <authoritative/running.md#pdnscontrol>`__ Thanks to
+ Mike Benoit for this suggestion.
+- **soa-serial-offset** for installations with small SOA serial numbers
+ wishing to register .DE domains with DENIC which demands six-figure
+ SOA serial numbers. See also `Chapter 21, *Index of all Authoritative
+ Server settings* <authoritative/settings.md>`__.
+
+Version 2.1
+-----------
+
+This is a somewhat bigger release due to pressing demands from
+customers. An upgrade is advised for installations using Recursion. If
+you are using recursion, it is vital that you are aware of changes in
+semantics. Basically, local data will now override data in your
+recursing backend under most circumstances. Old behaviour can be
+restored by turning **lazy-recursion** off.
+
+Developers: this version has a new pdns-2.1 development kit, available
+on http://downloads.powerdns.com/releases/dev. See also `Backend
+writers' guide <appendix/backend-writers-guide.md>`__.
+
+**Warning**: Most users will run a static version of PowerDNS which has
+no dependencies on external libraries. However, some may need to run the
+dynamic version. This warning applies to these users.
+
+To run the dynamic version of PowerDNS, which is needed for backend
+drivers which are only available in source form, gcc 3.0 is required.
+RedHat 7.2 comes with gcc 3.0 as an optional component, RedHat 7.3 does
+not. However, the RedHat 7.2 Update gcc rpms install just fine on RedHat
+7.3. For Debian, we suggest running 'woody' and installing the g++-3.0
+package. We expect to release a FreeBSD dynamic version shortly.
+
+Bugs fixed
+^^^^^^^^^^
+
+- RPM releases sometimes overwrote previous configuration files. Thanks
+ to Jorn Ekkelenkamp of Hubris/ISP Services for reporting this.
+- TCP recursion sent out overly large responses due to a byte order
+ mistake, confusing some clients. Thanks to the capable engineers of
+ NetNation for bringing this to our attention.
+- TCP recursion in combination with a recursing backend on a
+ non-standard port did not work, leading to a non-functioning TCP
+ listener. Thanks to the capable engineers of NetNation for bringing
+ this to our attention.
+
+Unexpected behaviour
+^^^^^^^^^^^^^^^^^^^^
+
+- Wildcard URL records where not implemented because they are a
+ performance penalty. To turn these on, enable **wildcard-url** in the
+ configuration.
+- Unlike other nameservers, local data did not override the internet
+ for recursing queries. This has mostly been brought into conformance
+ with user expectations. If a recursive question can be answered
+ entirely from local data, it is. To restore old behaviour, disable
+ **lazy-recursion**. Also see
+ `Recursion <authoritative/recursion.md>`__.
+
+Features
+^^^^^^^^
+
+- Oracle support has been tuned, leading to the first public release of
+ the Oracle backend. Zone2sql now outputs better SQL and the backend
+ is now fully documented. Furthermore, the queries are compatible with
+ the PowerDNS XML-RPC product, allowing PowerDNS express to run off
+ Oracle. See `Oracle backend <authoritative/backend-oracle.md>`__.
+- Zone2sql now accepts ^^transactions to wrap zones in a transaction
+ for PostgreSQL and Oracle output. This is a major speedup and also
+ makes for better isolation of inserts. See
+ `Zone2sql <authoritative/migration.md#zone2sql>`__.
+- **pdns\_control** now has the ability to purge the PowerDNS cache or
+ parts of it. This enables operators to raise the TTL of the Packet
+ Cache to huge values and only to invalidate the cache when changes
+ are made. See also `Authoritative Server
+ Performance <authoritative/performance.md>`__ and
+ `pdns\_control <authoritative/running.md#pdnscontrol>`__.
+
+Version 2.0.1
+-------------
+
+Maintenance release, fixing three small issues.
+
+Developers: this version is compatible with 1.99.11 backends.
+
+- PowerDNS ignored the **logging-facility** setting unless it was
+ specified on the command line. Thanks to Karl Obermayer from
+ WebMachine Technologies for noticing this.
+- Zone2sql neglected to preserve 'slaveness' of domains when converting
+ to the slave capable PostgreSQL backend. Thanks to Mike Benoit of
+ NetNation for reporting this. Zone2sql now has a **^^slave** option.
+- SOA Hostmaster addresses with dots in them before the @-sign were
+ mis-encoded on the wire.
+
+Version 2.0
+-----------
+
+Two bugfixes, one stability/security related. No new features.
+
+Developers: this version is compatible with 1.99.11 backends.
+
+Bugfixes - zone2sql refused to work under some circumstances, taking
+100% cpu and not functioning. Thanks to Andrew Clark and Mike Benoit for
+reporting this. - Fixed a stability issue where malformed packets could
+force PowerDNS to reload. Present in all earlier 2.0 versions.
+
+Version 2.0 Release Candidate 2
+-------------------------------
+
+Mostly bugfixes, no really new features.
+
+Developers: this version is compatible with 1.99.11 backends.
+
+Bugs fixed
+^^^^^^^^^^
+
+- chroot() works again - 2.0rc1 silently refused to chroot. Thanks to
+ Hub Dohmen for noticing this.
+- setuid() and setgid() security features were silently not being
+ performed in 2.0rc1. Thanks to Hub Dohmen for noticing this.
+- MX preferences over 255 now work as intended. Thanks to Jeff Crowe
+ for noticing this.
+- IPv6 clients can now also benefit from the recursing backend feature.
+ Thanks to Andy Furnell for proving beyond any doubt that this did not
+ work.
+- Extremely bogus code removed from DNS notification reception code -
+ please test! Thanks to Jakub Jermar for working with us in figuring
+ out just how broken this was.
+- AXFR code improved to handle more of the myriad different zone
+ transfer dialects available. Specifically, interoperability with Bind
+ 4 was improved, as well as Bind 8 in 'strict rfc conformance' mode.
+ Thanks again for Jakub Jermar for running many tests for us. If your
+ transfers failed with 'Unknown type 14!!' or words to that effect,
+ this was it.
+
+Features
+^^^^^^^^
+
+- Win32 version now has a zone2sql tool.
+- Win32 version now has support for specifying how urgent messages
+ should be before they go to the NT event log.
+
+Remaining issues
+^^^^^^^^^^^^^^^^
+
+- One persistent report of the default 'chroot=./' configuration not
+ working.
+- One report of disable-axfr and allow-axfr-ips not working as
+ intended.
+- Support for relative paths in zones and in Bind configuration is not
+ bug-for-bug compatible with bind yet.
+
+Version 2.0 Release Candidate 1
+-------------------------------
+
+The MacOS X release! A very experimental OS X 10.2 build has been added.
+Furthermore, the Windows version is now in line with Unix with respect
+to capabilities. The ODBC backend now has the code to function as both a
+master and a slave.
+
+Developers: this version is compatible with 1.99.11 backends.
+
+- Implemented native packet response parsing code, allowing Windows to
+ perform AXFR and NS and SOA queries.
+- This is the first version for which we have added support for Darwin
+ 6.0, which is part of the forthcoming Mac OS X 10.2. Please note that
+ although this version is marked RC1, that we have not done extensive
+ testing yet. Consider this a technology preview.
+
+ - The Darwin version has been developed on Mac OS X 10.2 (6C35).
+ Other versions may or may not work.
+ - Currently only the random, bind, mysql and pdns backends are
+ included.
+ - The menu based installer script does not work, you will have to
+ edit pathconfig by hand as outlined in chapter 2.
+ - On Mac OS X Client, PowerDNS will fail to start because a system
+ service is already bound to port 53.
+
+ This version is distributed as a compressed tar file. You should
+ follow the generic UNIX installation instructions.
+
+Bugs fixed
+^^^^^^^^^^
+
+- Zone2sql PostgreSQL mode neglected to lowercase $ORIGIN. Thanks to
+ Maikel Verheijen of Ladot for spotting this.
+- Zone2sql PostgreSQL mode neglected to remove a trailing dot from
+ $ORIGIN if present. Thanks to Thanks to Maikel Verheijen of Ladot for
+ spotting this.
+- Zone file parser was not compatible with bind when $INCLUDING
+ non-absolute file names. Thanks to Jeff Miller for working out how
+ this should work.
+- Bind configuration parser was not compatible with bind when including
+ non-absolute file names. Thanks to Jeff Miller for working out how
+ this should work.
+- Documentation incorrectly listed the Bind backend as 'slave capable'.
+ This is not yet true, now labeled 'experimental'.
+
+Windows changes. We are indebted to Dimitry Andric who educated us in
+the ways of distributing Windows software.
+
+- ``pdns.conf`` is now read if available.
+- Console version responds to ^c now.
+- Default pdns.conf added to distribution
+- Uninstaller missed several files, leaving remnants behind
+- DLLs are now installed locally, with the pdns executable.
+- pdns\_control is now also available on Windows
+- ODBC backend can now act as master and slave. Experimental.
+- The example zone missed indexes and had other faults.
+- A runtime DLL that is present on most windows systems (but not all!)
+ was missing.
+
+Version 1.99.12 Prerelease
+--------------------------
+
+The Windows release! See `Installing on Microsoft
+Windows <authoritative/installation.md>`__. Beware, windows support is
+still very fresh and untested. Feedback is very welcome.
+
+Developers: this version is compatible with 1.99.11 backends.
+
+- Windows 2000 code base merge completed. This resulted in quite some
+ changes on the Unix end of things, so this may impact reliability.
+- ODBC backend added for Windows. See `ODBC
+ backend <authoritative/backend-deprecated.md#odbc-backend>`__.
+- IBM DB2 Universal Database backend available for Linux. See `DB2
+ backend <authoritative/backend-deprecated.md#db2-backend>`__.
+- Zone2sql now understands $INCLUDE. Thanks to Amaze Internet for
+ nagging about this
+- The SOA Minimum TTL now has a configurable default
+ (**soa-minimum-ttl**)value to placate the DENIC requirements.
+- Added a limit on the simultaneous numbers of TCP connections to
+ accept (**max-tcp-connections**). Defaults to 10.
+
+Bugs fixed
+^^^^^^^^^^
+
+- When operating in virtual hosting mode (See `Virtual
+ hosting <authoritative/running.md#virtual-hosting>`__), the
+ additional init.d scripts would not function correctly and interface
+ with other pdns instances.
+- PowerDNS neglected to conserve case on answers. So a query for
+ WwW.PoWeRdNs.CoM would get an answer listing the address of
+ www.powerdns.com. While this did not confuse resolvers, it is better
+ to conserve case. This has semantic consequences for all backends,
+ which the documentation now spells out.
+- PostgreSQL backend was case sensitive and returned only answers in
+ case an exact match was found. The Generic PostgreSQL backend is now
+ officially all lower case and zone2sql in PostgreSQL mode enforces
+ this. Documentation has been been updated to reflect the case change.
+ Thanks to Maikel Verheijen of Ladot for spotting this!
+- Documentation bug - postgresql create/index statements created a
+ duplicate index. If you've previously copy pasted the commands and
+ not noticed the error, execute **CREATE INDEX rec\_name\_index ON
+ records(name)** to remedy. Thanks to Jeff Miller for reporting this.
+ This also lead to depressingly slow 'ANY' lookups for those of you
+ doing benchmarks.
+
+Features
+^^^^^^^^
+
+- pdns\_control (see
+ `pdns\_control <authoritative/running.md#pdnscontrol>`__) now opens
+ the local end of its socket in ``/tmp`` instead of next to the remote
+ socket (by default ``/var/run``). This eases the way for allowing
+ non-root access to pdns\_control. When running chrooted (see
+ `Chapter 7, *Security settings &
+ considerations* <common/security.md>`__), the local socket again
+ moves back to ``/var/run``.
+- pdns\_control now has a 'version' command. See `Section 1.1,
+ “pdns\_control” <authoritative/running.md#pdnscontrol>`__.
+
+Version 1.99.11 Prerelease
+--------------------------
+
+This release is important because it is the first release which is
+accompanied by an Open Source Backend Development Kit, allowing external
+developers to write backends for PowerDNS. Furthermore, a few bugs have
+been fixed
+
+- Lines with only whitespace in zone files confused PowerDNS (thanks
+ Henk Wevers)
+- PowerDNS did not properly parse TTLs with symbolic suffixes in zone
+ files, ie 2H instead of 7200 (thanks Henk Wevers)
+
+Version 1.99.10 Prerelease
+--------------------------
+
+**IMPORTANT**: there has been a tiny license change involving free
+public webbased dns hosting, check out the changes before deploying!
+
+PowerDNS is now feature complete, or very nearly so. Besides adding
+features, a lot of 'fleshing out' work is done now. There is an
+important performance bug fix which may have lead to disappointing
+benchmarks - so if you saw any of that, please try either this version
+or 1.99.8 which also does not have the bug.
+
+This version has been very stable for us on multiple hosts, as was
+1.99.9.
+
+PostgreSQL users should be aware that while 1.99.10 works with the
+schema as presented in earlier versions, advanced features such as
+master or slave support will not work unless you create the new
+'domains' table as well.
+
+Bugs fixed
+^^^^^^^^^^
+
+- Wildcard AAAA queries sometimes received an NXDOMAIN error where they
+ should have gotten an empty NO ERROR. Thanks to Jeroen Massar for
+ spotting this on the .TK TLD!
+- Do not disable the packetcache for 'recursion desired' packets unless
+ a recursor was configured. Thanks to Greg Schueler for noticing this.
+- A failing backend would not be reinstated. Thanks to 'Webspider' for
+ discovering this problem with PostgreSQL connections that die after
+ prolonged inactivity.
+- Fixed loads of IPv6 transport problems. Thanks to Marco Davids and
+ others for testing. Considered ready for production now.
+- **Zone2sql** printed a debugging statement on range $GENERATE
+ commands. Thanks to Rene van Valkenburg for spotting this.
+
+Features
+^^^^^^^^
+
+- PowerDNS can now act as a master, sending out notifications in case
+ of changes and allowing slaves to AXFR. Big rewording of replication
+ support, domains are now either 'native', 'master' or 'slave'. See
+ `Master/Slave operation &
+ replication <authoritative/modes-of-operation.md>`__ for lots of
+ details.
+- **Zone2sql** in PostgreSQL mode now populates the 'domains' table for
+ easy master, slave or native replication support.
+- Ability to run on IPv6 transport only
+- Logging can now happen under a 'facility' so all PowerDNS messages
+ appear in their own file. See `Operational logging using
+ syslog <common/logging.md>`__.
+- Different OS releases of PowerDNS now get different install path
+ defaults. Thanks to Mark Lastdrager for nagging about this and to
+ Nero Imhard and Frederique Rijsdijk for suggesting saner defaults.
+- Infrastructure for 'also-notify' statements added.
+
+Version 1.99.9 Early Access Prerelease
+--------------------------------------
+
+This is again a feature and an infrastructure release. We are nearly
+feature complete and will soon start work on the backends to make sure
+that they are all master, slave and 'superslave' capable.
+
+Bugs fixed
+^^^^^^^^^^
+
+- PowerDNS sometimes sent out duplicate replies for packets passed to
+ the recursing backend. Mostly a problem on SMP systems. Thanks to
+ Mike Benoit for noticing this.
+- Out-of-bailiwick CNAMEs (ie, a CNAME to a domain not in PowerDNS)
+ caused a 'ServFail' packet in 1.99.8, indicating failure, leading to
+ hosts not resolving. Thanks to Martin Gillstrom for noticing this.
+- Zone2sql balked at zones edited under operating systems terminating
+ files with ^Z (Windows). Thanks Brian Willcott for reporting this.
+- PostgreSQL backend logged the password used to connect. Now only does
+ so in case of failure to connect. Thanks to 'Webspider' for noticing
+ this.
+- Debian unstable distribution wrongly depended on home compiled
+ PostgreSQL libraries. Thanks to Konrad Wojas for noticing this.
+
+Features
+^^^^^^^^
+
+- When operating as a slave, AAAA records are now supported in the
+ zone. They were already supported in master zones.
+- IPv6 transport support - PowerDNS can now listen on an IPv6 socket
+ using the **local-ipv6** setting.
+- Very silly randombackend added which appears in the documentation as
+ a sample backend. See `Backend writers'
+ guide <appendix/backend-writers-guide.md>`__.
+- When transferring a slave zone from a master, out of zone data is now
+ rejected. Malicious operators might try to insert bad records
+ otherwise.
+- 'Supermaster' support for automatic provisioning from masters. See
+ `Supermaster automatic provisioning of
+ slaves <authoritative/modes-of-operation.md#supermaster>`__.
+- Recursing backend can now live on a non-standard (!=53) port. See
+ `Recursion <authoritative/recursion.md>`__.
+- Slave zone retrieval is now queued instead of immediate, which scales
+ better and is more resilient to temporary failures.
+- **max-queue-length** parameter. If this many packets are queued for
+ database attention, consider the situation hopeless and respawn.
+
+Internal
+^^^^^^^^
+
+- SOA records are now 'special' and each backend can optionally
+ generate them in special ways. PostgreSQL backend does so when
+ operating as a slave.
+- Writing backends is now a lot easier. See `Backend writers'
+ guide <appendix/backend-writers-guide.md>`__.
+- Added Bindbackend to internal regression tests, confirming that it is
+ compliant.
+
+Version 1.99.8 Early Access Prerelease
+--------------------------------------
+
+A lot of infrastructure work gearing up to 2.0. Some stability bugs
+fixed and a lot of new features.
+
+Bugs fixed
+^^^^^^^^^^
+
+- Bindbackend was overly complex and crashed on some systems on
+ startup. Simplified launch code.
+- SOA fields were not always properly filled in, causing default values
+ to go out on the wire
+- Obscure bug triggered by malicious packets (we know who you are) in
+ SOA finding code fixed.
+- Magic serial number calculation contained a double free leading to
+ instability.
+- Standards violation, questions for domains for which PowerDNS was
+ unauthoritative now get a SERVFAIL answer. Thanks to the IETF
+ Namedroppers list for helping out with this.
+- Slowly launching backends were being relaunched at a great rate when
+ queries were coming in while launching backends.
+- MySQL-on-unix-domain-socket on SMP systems was overwhelmed by the
+ quick connection rate on launch, inserted a small 50ms delay.
+- Some SMP problems appear to be compiler related. Shifted to GCC 3.0.4
+ for Linux.
+- Ran ispell on documentation.
+
+Feature enhancements
+^^^^^^^^^^^^^^^^^^^^
+
+- Recursing backend. See `Recursion <authoritative/recursion.md>`__.
+ Allows recursive and authoritative DNS on the same IP address.
+- `NAPTR support <types.md#naptr>`__, which is especially useful for
+ the ENUM/E.164 community.
+- Zone transfers can now be allowed per `netmask instead of only per IP
+ address <authoritative/settings.md#allow-axfr-ips>`__.
+- Preliminary support for slave operation included. Only for the
+ adventurous right now! See `Slave
+ operation <authoritative/modes-of-operation.md>`__
+- All record types now documented, see `Supported record types and
+ their storage <types.md>`__.
+
+Known bugs
+^^^^^^^^^^
+
+- Wildcard CNAMEs do not work as they do with bind.
+- Recursion sometimes sends out duplicate packets (fixed in 1.99.9
+ snapshots)
+- Some stability issues which are caught by the guardian
+
+Missing features
+^^^^^^^^^^^^^^^^
+
+Features present in this document, but disabled or withheld from the
+current release - gmysqlbackend, oraclebackend
+
+Version 1.99.7 Early Access Prerelease
+--------------------------------------
+
+Named.conf parsing got a lot of work and many more bind configurations
+can now be parsed. Furthermore, error reporting was improved. Stability
+is looking good.
+
+Bugs fixed
+^^^^^^^^^^
+
+- Bind parser got confused by file names with underscores and colons.
+- Bind parser got confused by spaces in quoted names
+- FreeBSD version now stops and starts when instructed to do so.
+- Wildcards were off by default, which violates standards. Now on by
+ default.
+- ^^oracle was broken in zone2sql
+
+Feature enhancements
+^^^^^^^^^^^^^^^^^^^^
+
+- Line number counting goes on as it should when including files in
+ named.conf
+- Added ^^no-config to enable users to start the pdns daemon without
+ parsing the configuration file.
+- zone2sql now has ^^bare for unformatted output which can be used to
+ generate insert statements for different database layouts
+- zone2sql now has ^^gpgsql, which is an alias for ^^mysql, to output
+ in a format useful for the default Generic PostgreSQL backend
+- zone2sql is now documented.
+
+Known bugs
+^^^^^^^^^^
+
+Wildcard CNAMEs do not work as they do with bind.
+
+Missing features
+^^^^^^^^^^^^^^^^
+
+Features present in this document, but disabled or withheld from the
+current release - gmysqlbackend, oraclebackend
+
+Some of these features will be present in newer releases.
+
+Version 1.99.6 Early Access Prerelease
+--------------------------------------
+
+This version is now running on dns-eu1.powerdns.net and working very
+well for us. But please remain cautious before deploying!
+
+Bugs fixed
+^^^^^^^^^^
+
+- Webserver neglected to show log messages
+- TCP question/answer miscounted multiple questions over one socket.
+ Fixed misnaming of counter
+- Packetcache now detects clock skew and times out entries
+- named.conf parser now reports errors with line number and offending
+ token
+- File names in named.conf can now contain:
+
+Feature enhancements
+^^^^^^^^^^^^^^^^^^^^
+
+- The webserver now by default does not print out configuration
+ statements, which might contain database backends. Use
+ **webserver-print-arguments** to restore the old behaviour.
+- Generic PostgreSQL backend is now included. Still rather beta.
+
+Known bugs
+^^^^^^^^^^
+
+- FreeBSD version does not stop when requested to do so.
+- Wildcard CNAMEs do not work as they do with bind.
+
+Missing features
+^^^^^^^^^^^^^^^^
+
+Features present in this document, but disabled or withheld from the
+current release - gmysqlbackend, oraclebackend
+
+Some of these features will be present in newer releases.
+
+Version 1.99.5 Early Access Prerelease
+--------------------------------------
+
+The main focus of this release is stability and TCP improvements. This
+is the first release PowerDNS-the-company actually considers for running
+on its production servers!
+
+Major bugs fixed
+^^^^^^^^^^^^^^^^
+
+- Zone2sql received a floating point division by zero error on
+ named.confs with less than 100 domains.
+- Huffman encoder failed without specific error on illegal characters
+ in a domain
+- Fixed huge memory leaks in TCP code.
+- Removed further file descriptor leaks in guardian respawning code
+- Pipebackend was too chatty.
+- pdns\_server neglected to close fds 0, 1 & 2 when daemonizing
+
+Feature enhancements
+^^^^^^^^^^^^^^^^^^^^
+
+- bindbackend can be instructed not to check the ctime of a zone by
+ specifying **bind-check-interval=0**, which is also the new default.
+- **pdns\_server ^^list-modules** lists all available modules.
+
+Performance enhancements
+^^^^^^^^^^^^^^^^^^^^^^^^
+
+- TCP code now only creates a new database connection for AXFR.
+- TCP connections timeout rather quickly now, leading to less load on
+ the server.
+
+Known bugs
+^^^^^^^^^^
+
+- FreeBSD version does not stop when requested to do so.
+- Wildcard CNAMEs do not work as they do with bind.
+
+Missing features
+^^^^^^^^^^^^^^^^
+
+Features present in this document, but disabled or withheld from the
+current release - gmysqlbackend, oraclebackend, gpgsqlbackend
+
+Some of these features will be present in newer releases.
+
+Version 1.99.4 Early Access Prerelease
+--------------------------------------
+
+A lot of new named.confs can now be parsed, zone2sql & bindbackend have
+gained features and stability.
+
+Major bugs fixed
+^^^^^^^^^^^^^^^^
+
+- Label compression was not always enabled, leading to large reply
+ packets sometimes.
+- Database errors on TCP server lead to a nameserver reload by the
+ guardian.
+- MySQL backend neglected to close its connection properly.
+- BindParser miss parsed some IP addresses and netmasks.
+- Truncated answers were also truncated on the packetcache, leading to
+ truncated TCP answers.
+
+Feature enhancements
+^^^^^^^^^^^^^^^^^^^^
+
+- Zone2sql and the bindbackend now understand the Bind $GENERATE{}
+ syntax.
+- Zone2sql can optionally gloss over non-existing zones with
+ **^^on-error-resume-next**.
+- Zone2sql and the bindbackend now properly expand @ also on the right
+ hand side of records.
+- Zone2sql now sets a default TTL.
+- DNS UPDATEs and NOTIFYs are now logged properly and sent the right
+ responses.
+
+Performance enhancements
+^^^^^^^^^^^^^^^^^^^^^^^^
+
+- 'Fancy records' are no longer queried for on ANY queries - this is a
+ big speedup.
+
+Known bugs
+^^^^^^^^^^
+
+- FreeBSD version does not stop when requested to do so.
+- Zone2sql refuses named.confs with less than 100 domains.
+- Wildcard CNAMEs do not work as they do with bind.
+
+Missing features
+^^^^^^^^^^^^^^^^
+
+Features present in this document, but disabled or withheld from the
+current release - gmysqlbackend, oraclebackend, gpgsqlbackend
+
+Some of these features will be present in newer releases.
+
+Version 1.99.3 Early Access Prerelease
+--------------------------------------
+
+The big news in this release is the BindBackend which is now capable of
+parsing many more named.conf Bind configurations. Furthermore, PowerDNS
+has successfully parsed very large named.confs with large numbers of
+small domains, as well as small numbers of large domains (TLD).
+
+Zone transfers are now also much improved.
+
+Major bugs fixed - zone2sql leaked file descriptors on each domain, used
+wrong Bison recursion leading to parser stack overflows. This limited
+the amount of domains that could be parsed to 1024. - zone2sql can now
+read all known zone files, with the exception of those containing
+$GENERATE - Guardian relaunching a child lost two file descriptors -
+Don't die on a connection reset by peer during zone transfer. -
+Webserver does not crash anymore on ringbuffer resize
+
+Feature enhancements
+^^^^^^^^^^^^^^^^^^^^
+
+- AXFR can now be disabled, and re-enabled per IP address
+- ^^help accepts a parameter, will then show only help items with that
+ prefix.
+- zone2sql now accepts a ^^zone-name parameter
+- BindBackend maturing - 9500 zones parsed in 3.5 seconds. No longer
+ case sensitive.
+
+Performance enhancements
+^^^^^^^^^^^^^^^^^^^^^^^^
+
+- Implemented RFC-breaking AXFR format (which is the industry
+ standard). Zone transfers now zoom along at wire speed (many
+ megabits/s).
+
+Known bugs
+^^^^^^^^^^
+
+- FreeBSD version does not stop when requested to do so.
+- BindBackend cannot parse zones with $GENERATE statements.
+
+Missing features
+^^^^^^^^^^^^^^^^
+
+Features present in this document, but disabled or withheld from the
+current release
+
+- gmysqlbackend, oraclebackend, gpgsqlbackend
+
+Some of these features will be present in newer releases.
+
+Version 1.99.2 Early Access Prerelease
+--------------------------------------
+
+Major bugs fixed
+^^^^^^^^^^^^^^^^
+
+- Database backend reload does not hang the daemon anymore
+- Buffer overrun in local socket address initialisation may have caused
+ binding problems
+- setuid changed the uid to the gid of the selected user
+- zone2sql doesn't crash (dump core) on invocation anymore. Fixed lots
+ of small issues.
+- Don't parse configuration file when creating configuration file. This
+ was a problem with reinstalling.
+
+Performance improvements
+^^^^^^^^^^^^^^^^^^^^^^^^
+
+- removed a lot of unnecessary gettimeofday calls
+- removed needless select(2) call in case of listening on only one
+ address
+- removed 3 useless syscalls in the fast path
+
+Having said that, more work may need to be done. Testing on a 486 saw
+packet rates in a simple setup (question/wait/answer/question..) improve
+from 200 queries/second to over 400.
+
+Usability improvements
+^^^^^^^^^^^^^^^^^^^^^^
+
+- Fixed error checking in init.d script (**show**, **mrtg**)
+- Added 'uptime' to the mrtg output
+- removed further GNUisms from installer and init.d scripts for use on
+ FreeBSD
+- Debian package and apt repository, thanks to Wichert Akkerman.
+- FreeBSD /usr/ports, thanks to Peter van Dijk (in progress).
+
+Stability may be an issue as well as performance. This version has a
+tendency to log a bit too much which slows the nameserver down a lot.
+
+Known bugs
+^^^^^^^^^^
+
+- Decreasing a ringbuffer on the website is a sure way to crash the
+ daemon. Zone2sql, while improved, still has problems with a zone in
+ the following format
+
+::
+
+ name IN A 192.0.2.4
+ IN A 192.0.2.5
+
+To fix, add 'name' to the second line.
+
+Zone2sql does not close file descriptors.
+
+FreeBSD version does not stop when requested via the init.d script.
+
+Missing features
+^^^^^^^^^^^^^^^^
+
+Features present in this document, but disabled or withheld from the
+current release - gmysqlbackend, oraclebackend, gpgsqlbackend - fully
+functioning bindbackend - will try to parse named.conf, but probably
+fail
+
+Some of these features will be present in newer releases.
+
+Version 1.99.1 Early Access Prerelease
+--------------------------------------
+
+This is the first public release of what is going to become PowerDNS
+2.0. As such, it is not of production quality. Even PowerDNS-the-company
+does not run this yet.
+
+Stability may be an issue as well as performance. This version has a
+tendency to log a bit too much which slows the nameserver down a lot.
+
+Known bugs
+^^^^^^^^^^
+
+Decreasing a ringbuffer on the website is a sure way to crash the
+daemon. Zone2sql is very buggy.
+
+Missing features
+^^^^^^^^^^^^^^^^
+
+Features present in this document, but disabled or withheld from the
+current release:
+
+- gmysqlbackend, oraclebackend, gpgsqlbackend
+- fully functioning bindbackend - will not parse configuration files
+
+Some of these features will be present in newer releases.
+
+++ /dev/null
-#!/bin/sh
-OUTPUT=$(linkchecker \
- --anchors \
- --ignore-url=.eot$ \
- --ignore-url=\.svg \
- --ignore-url=mailto \
- --ignore-url=.ttf$ \
- --ignore-url=woff$ \
- html/index.html 2>&1)
-
-# For some reason, the exit code _can_ be misleading. see
-# https://github.com/PowerDNS/pdns/pull/2539#issuecomment-105659608 and
-# https://github.com/wummel/linkchecker/issues/217
-
-echo "$OUTPUT" | grep -q '0 errors found'
-
-if [ $? -ne 0 ]; then
- echo "Errors in links detected, log follows:"
- echo "$OUTPUT"
- exit 1
-else
- echo "Links OK!"
- exit 0
-fi
-
Query the log, filtered by ``search_term``.
Returns a single JSON object with a single array of strings.
- :query server_id: The name of the server
- :query search_term: The string to search for
+ :param server_id: The name of the server
+ :param search_term: The string to search for
Returns all :json:object:`ConfigSetting` for a single server
- :query server_id: The name of the server
+ :param server_id: The name of the server
.. http:post:: /api/v1/servers/:server_id/config
Creates a new config setting.
This is useful for creating configuration for new backends.
- :query server_id: The name of the server
-
+ :param server_id: The name of the server
.. http:get:: /api/v1/servers/:server_id/config/:config_setting_name
Retrieve a single setting
- :query server_id: The name of the server
- :query config_setting_name: The name of the setting to retrieve
-
- .. note::
- only the :ref:`setting-allow-from` configuration setting can be retrieved
-
-.. http:put:: /api/v1/servers/:server_id/config/:config_setting_name
-
- Change a single setting
-
- :query server_id: The name of the server
- :query config_setting_name: The name of the setting to change
-
- .. note::
- only the :ref:`setting-allow-from` configuration setting can be changed
-
- **Example request**
-
- .. sourcecode:: http
-
- PUT /api/v1/servers/localhost/config/allow-from HTTP/1.1
- Host: localhost:8082
- User-Agent: curl/7.54.1
- Accept: application/json
- X-Api-Key: secret
- Content-Type: application/json
- Content-Length: 48
-
- { "name": "allow-from", "value": ["127.0.0.0/8"] }
-
- **Example response**
-
- .. sourcecode:: http
-
- HTTP/1.1 200 OK
- Access-Control-Allow-Origin: *
- Connection: close
- Content-Length: 48
- Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
- Content-Type: application/json
- Server: PowerDNS/0.0.g00799130f
- X-Content-Type-Options: nosniff
- X-Frame-Options: deny
- X-Permitted-Cross-Domain-Policies: none
- X-Xss-Protection: 1; mode=block
-
- {"name": "allow-from", "value": ["127.0.0.0/8"]}
-
-
-
+ :param server_id: The name of the server
+ :param config_setting_name: The name of the setting to retrieve
Returns a single :json:object:`Server`
- :query server_id: The name of the server.
+ :param server_id: The name of the server.
The names and meaning of these items are described :ref:`here <metricnames>`.
- :query server_id: The name of the server
+ :param server_id: The name of the server
**Example response:**
--- /dev/null
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+#
+# PowerDNS Recursor documentation build configuration file, created by
+# sphinx-quickstart on Wed Jun 28 14:56:44 2017.
+#
+# This file is execfile()d with the current directory set to its
+# containing dir.
+#
+# Note that not all possible configuration values are present in this
+# autogenerated file.
+#
+# All configuration values have a default; values that are commented out
+# serve to show the default.
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+#
+# import os
+import glob
+# import sys
+# sys.path.insert(0, os.path.abspath('.'))
+import guzzle_sphinx_theme
+
+# -- General configuration ------------------------------------------------
+
+# If your documentation needs a minimal Sphinx version, state it here.
+#
+# needs_sphinx = '1.0'
+
+# Add any Sphinx extension module names here, as strings. They can be
+# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
+# ones.
+#extensions = []
+#extensions = ['redjack.sphinx.lua', 'sphinxcontrib.httpdomain', 'sphinxjsondomain']
+extensions = ['sphinxcontrib.httpdomain', 'sphinxjsondomain',
+ 'sphinxcontrib.fulltoc', 'changelog']
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ['_templates']
+
+# The suffix(es) of source filenames.
+# You can specify multiple suffix as a list of string:
+#
+# source_suffix = ['.rst', '.md']
+source_suffix = '.rst'
+
+# The master toctree document.
+master_doc = 'indexTOC'
+
+# General information about the project.
+project = 'PowerDNS Recursor'
+copyright = '2017, PowerDNS.COM BV'
+author = 'PowerDNS.COM BV'
+
+# The version info for the project you're documenting, acts as replacement for
+# |version| and |release|, also used in various other places throughout the
+# built documents.
+#
+# The short X.Y version.
+version = '4.1'
+# The full version, including alpha/beta/rc tags.
+release = '4.1.0-alpha0'
+
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+#
+# This is also used if you do content translation via gettext catalogs.
+# Usually you set "language" from the command line for these cases.
+language = None
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+# This patterns also effect to html_static_path and html_extra_path
+exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store',
+ '.venv',
+ 'security-advisories/security-policy.rst',
+ 'common/secpoll.rst']
+
+# The name of the Pygments (syntax highlighting) style to use.
+pygments_style = 'sphinx'
+
+# If true, `todo` and `todoList` produce output, else they produce nothing.
+todo_include_todos = False
+
+
+# -- Changelog Options ----------------------------------------------------
+
+changelog_render_ticket = "https://github.com/PowerDNS/pdns/issues/%s"
+changelog_render_pullreq = "https://github.com/PowerDNS/pdns/pull/%s"
+changelog_render_changeset = "https://github.com/PowerDNS/pdns/commit/%s"
+
+changelog_sections = ['New Features', 'Removed Features', 'Improvements', 'Bug Fixes']
+changelog_inner_tag_sort = ['Internals', 'API', 'Tools', 'ALIAS', 'DNSUpdate', 'BIND', 'MySQL', 'Postgresql', 'Oracle', 'LDAP', 'GeoIP', 'Remote']
+
+changelog_render_tags = False
+
+# -- Options for HTML output ----------------------------------------------
+
+# The theme to use for HTML and HTML Help pages. See the documentation for
+# a list of builtin themes.
+#
+html_theme_path = guzzle_sphinx_theme.html_theme_path()
+html_theme = 'guzzle_sphinx_theme'
+
+extensions.append("guzzle_sphinx_theme")
+
+html_theme_options = {
+ # Set the name of the project to appear in the sidebar
+ "project_nav_name": "PowerDNS Authoritative Server",
+}
+html_favicon = 'common/favicon.ico'
+
+# Theme options are theme-specific and customize the look and feel of a theme
+# further. For a list of options available for each theme, see the
+# documentation.
+#
+# html_theme_options = {}
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+html_static_path = ['_static']
+html_style = 'pdns.css'
+
+
+# -- Options for HTMLHelp output ------------------------------------------
+
+# Output file base name for HTML help builder.
+htmlhelp_basename = 'PowerDNSAuthoritativedoc'
+
+
+# -- Options for LaTeX output ---------------------------------------------
+
+latex_elements = {
+ # The paper size ('letterpaper' or 'a4paper').
+ #
+ 'papersize': 'a4paper',
+
+ # The font size ('10pt', '11pt' or '12pt').
+ #
+ # 'pointsize': '10pt',
+
+ # Additional stuff for the LaTeX preamble.
+ #
+ # 'preamble': '',
+
+ # Latex figure (float) alignment
+ #
+ # 'figure_align': 'htbp',
+}
+
+# Grouping the document tree into LaTeX files. List of tuples
+# (source start file, target name, title,
+# author, documentclass [howto, manual, or own class]).
+latex_documents = [
+ (master_doc, 'PowerDNS-Authoritative.tex', 'PowerDNS Authoritative Server Documentation',
+ 'PowerDNS.COM BV', 'manual'),
+]
+
+latex_logo = 'common/powerdns-logo-500px.png'
+
+# -- Options for manual page output ---------------------------------------
+
+# One entry per manual page. List of tuples
+# (source start file, name, description, authors, manual section).
+man_pages = []
+for f in glob.glob('manpages/*.1.rst'):
+ srcname = '.'.join(f.split('.')[:-1])
+ destname = srcname.split('/')[-1][:-2]
+ man_pages.append((srcname, destname, '', [author], 1))
+
+# -- Options for Texinfo output -------------------------------------------
+
+# Grouping the document tree into Texinfo files. List of tuples
+# (source start file, target name, title, author,
+# dir menu entry, description, category)
+#texinfo_documents = [
+# (master_doc, 'PowerDNSRecursor', 'PowerDNS Recursor Documentation',
+# author, 'PowerDNSRecursor', 'One line description of project.',
+# 'Miscellaneous'),
+#]
+
+
+
+# -- Options for Epub output ----------------------------------------------
+
+# Bibliographic Dublin Core info.
+epub_title = project
+epub_author = author
+epub_publisher = author
+epub_copyright = copyright
+
+# The unique identifier of the text. This can be a ISBN number
+# or the project homepage.
+#
+# epub_identifier = ''
+
+# A unique identification for the text.
+#
+# epub_uid = ''
+
+# A list of files that should not be packed into the epub file.
+epub_exclude_files = ['search.html']
--- /dev/null
+DNSSEC advice & precautions
+===========================
+
+DNSSEC is a major change in the way DNS works. Furthermore, there is a
+bewildering array of settings that can be configured.
+
+It is well possible to configure DNSSEC in such a way that your domain
+will not operate reliably, or even, at all. We advise operators to stick
+to the keying defaults of ``pdnsutil secure-zone``.
+
+.. note::
+ GOST may be more widely available in Russia, because it might
+ be mandatory to implement this regional standard there.
+
+It is possible to operate a zone with different keying algorithms
+simultaneously, but it has also been observed that this is not reliable.
+
+Depending on your master/slave setup, you may need to tinker with the
+:ref:`SOA-EDIT <metadata-soa-edit>` metadata on your master.
+This is described in the :ref:`soa-edit-ensure-signature-freshness-on-slaves` section.
+
+Packet sizes, fragments, TCP/IP service
+---------------------------------------
+
+DNSSEC answers contain (bulky) keying material and signatures, and are
+therefore a lot larger than regular DNS answers. Normal DNS responses
+almost always fit in the 'magical' 512 byte limit previously imposed on
+DNS.
+
+In order to support DNSSEC, operators must make sure that their network
+allows for:
+
+- Larger than 512 byte UDP packets on port 53
+- Fragmented UDP packets
+- ICMP packets related to fragmentation
+- TCP queries on port 53
+- EDNS0 queries/responses (filtered by some firewalls)
+
+If any of the conditions outlined above is not met, DNSSEC service will
+suffer or be completely unavailable.
+
+In addition, the larger your DNS answers, the more critical the above
+becomes. It is therefore advised not to provision too many keys, or keys
+that are unnecessarily large.
--- /dev/null
+DNSSEC
+======
+
+PowerDNS contains support for DNSSEC, enabling the easy serving of
+DNSSEC secured data, with minimal administrative overhead.
+
+In PowerDNS, DNS and signatures and keys are (usually) treated as
+separate entities. The domain & record storage is thus almost completely
+devoid of DNSSEC record types.
+
+Instead, keying material is stored separately, allowing operators to
+focus on the already complicated task of keeping DNS data correct. In
+practice, DNSSEC related material is often stored within the same
+database, but within separate tables.
+
+If a DNSSEC configuration is found for a domain, the PowerDNS daemon
+will provide key records, signatures and (hashed) denials of existence
+automatically.
+
+As an example, securing an existing zone can be as simple as:
+
+::
+
+ $ pdnsutil secure-zone powerdnssec.org
+
+Alternatively, PowerDNS can serve pre-signed zones, without knowledge of
+private keys.
+
+.. toctree::
+ :maxdepth: 2
+
+ intro
+ profile
+ modes-of-operation
+ pdnsutil
+ migration
+ operational
+ advice
+ pkcs11
+
+Thanks to, acknowledgements
+---------------------------
+
+PowerDNS DNSSEC has been made possible by the help & contributions of
+many people. We would like to thank:
+
+- Peter Koch (DENIC)
+- Olaf Kolkman (NLNetLabs)
+- Wouter Wijngaards (NLNetLabs)
+- Marco Davids (SIDN)
+- Markus Travaille (SIDN)
+- Antoin Verschuren (SIDN)
+- Olafur Guðmundsson (IETF)
+- Dan Kaminsky (Recursion Ventures)
+- Roy Arends (Nominet)
+- Miek Gieben
+- Stephane Bortzmeyer (AFNIC)
+- Michael Braunoeder (nic.at)
+- Peter van Dijk
+- Maik Zumstrull
+- Jose Arthur Benetasso Villanova
+- Stefan Schmidt (CCC ;-))
+- Roland van Rijswijk (Surfnet)
+- Paul Bakker (Brainspark/Fox-IT)
+- Mathew Hennessy
+- Johannes Kuehrer (Austrian World4You GmbH)
+- Marc van de Geijn (bHosted.nl)
+- Stefan Arentz
+- Martin van Hensbergen (Fox-IT)
+- Christoph Meerwald
+- Leen Besselink
+- Detlef Peeters
+- Christof Meerwald
+- Jack Lloyd
+- Frank Altpeter
+- Fredrik Danerklint
+- Vasiliy G Tolstov
+- Brielle Bruns
+- Evan Hunt (ISC)
+- Ralf van der Enden
+- Jan-Piet Mens
+- Justin Clift
+- Kees Monshouwer
+- Aki Tuomi
+- Ruben Kerkhof
+- Christian Hofstaedtler
+- Ruben d'Arco
+- Morten Stevens
+- Pieter Lexis
+
+This list is far from complete yet ..
--- /dev/null
+A brief introduction to DNSSEC
+==============================
+
+DNSSEC is a complicated subject, but it is not required to know all the
+ins and outs of this protocol to be able to use PowerDNS. In this
+section, we explain the core concepts that are needed to operate a
+PowerDNSSEC installation.
+
+Zone material is enhanced with signatures using 'keys'. Such a signature
+(called an RRSIG) is a cryptographic guarantee that the data served is
+the original data. DNSSEC keys are asymmetric (RSA, DSA, ECSDA or GOST),
+the public part is published in DNS and is called a DNSKEY record, and
+is used for verification. The private part is used for signing and is
+never published.
+
+To make sure that the internet knows that the key that is used for
+signing is the authentic key, confirmation can be gotten from the parent
+zone. This means that to become operational, a zone operator will have
+to publish a representation of the signing key to the parent zone, often
+a ccTLD or a gTLD. This representation is called a DS record, and is a
+shorter (hashed) version of the DNSKEY.
+
+Once the parent zone has the DS, and the zone is signed with the DNSSEC
+key, we are done in theory.
+
+However, for a variety of reasons, most DNSSEC operations run with
+another layer of keys. The so called 'Key Signing Key' is sent to the
+parent zone, and this Key Signing Key is used to sign a new set of keys
+called the Zone Signing Keys.
+
+This setup allows us to change our keys without having to tell the zone
+operator about it.
+
+A final challenge is how to DNSSEC sign the answer 'no such domain'. In
+the language of DNS, the way to say 'there is no such domain' (NXDOMAIN)
+or there is no such record type is to send an empty answer. Such empty
+answers are universal, and can't be signed.
+
+In DNSSEC parlance we therefore sign a record that says 'there are no
+domains between A.powerdnssec.org and C.powerdnssec.org'. This securely
+tells the world that B.powerdnssec.org does not exist. This solution is
+called NSEC, and is simple but has downsides - it also tells the world
+exactly which records DO exist.
+
+So alternatively, we can say that if a certain mathematical operation
+(an 'iterated salted hash') is performed on a question, that no valid
+answers exist that have as outcome of this operation an answer between
+two very large numbers. This leads to the same 'proof of non-existence'.
+This solution is called NSEC3.
+
+A PowerDNS zone can either be operated in NSEC or in one of two NSEC3
+modes ('inclusive' and 'narrow').
--- /dev/null
+Migrating (Signed) Zones to PowerDNS
+====================================
+
+This chapter discusses various migration strategies, from existing
+PowerDNS setups, from existing unsigned installations and finally from
+previous non-PowerDNS DNSSEC deployments.
+
+.. _dnssecfromexisting:
+
+From an existing PowerDNS installation
+--------------------------------------
+
+To migrate an existing database-backed PowerDNS installation, ensure you
+are running at least PowerDNS 3.3.3 and preferably 3.4 or newer.
+
+If you run an older version of PowerDNS, please upgrade to 3.4 and apply
+all the changes in database schemas as shown in the :doc:`upgrade documentation <../upgrading>`.
+
+.. warning::
+ Once the relevant ``backend-dnssec`` switch has been set,
+ stricter rules apply for filling out the database! The short version is:
+ run ``pdnsutil rectify-all-zones``, even those not secured with DNSSEC!
+ For more information, see the :ref:`generic-sql-handling-dnssec-signed-zones`.
+
+To deliver a correctly signed zone with the :ref:`dnssec-pdnsutil-dnssec-defaults`, invoke:
+
+::
+
+ pdnsutil secure-zone ZONE
+
+To view the DS records for this zone (to transfer to the parent zone),
+run
+
+::
+
+ pdnsutil show-zone ZONE
+
+For a more traditional setup with a KSK and a ZSK, use the following
+sequence of commands:
+
+::
+
+ pdnsutil add-zone-key ZONE ksk 2048 active rsasha256
+ pdnsutil add-zone-key ZONE zsk 1024 active rsasha256
+ pdnsutil add-zone-key ZONE zsk 1024 inactive rsasha256
+
+This will add a 2048-bit RSA Key Signing Key and two 1024-bit RSA Zone
+Signing Keys. One of the ZSKs is inactive and can be rolled to if
+needed.
+
+From existing non-DNSSEC, non-PowerDNS setups
+---------------------------------------------
+
+It is recommended to :doc:`migrate to PowerDNS <../migration>` before
+securing your zones. After that, see the instructions
+:ref:`above <dnssecfromexisting>`.
+
+.. _dnssec-migration-presigned:
+
+From existing DNSSEC non-PowerDNS setups, pre-signed
+----------------------------------------------------
+
+Industry standard signed zones can be served natively by PowerDNS,
+without changes. In such cases, signing happens externally to PowerDNS,
+possibly via OpenDNSSEC, ldns-sign or dnssec-sign.
+
+PowerDNS needs to know if a zone should receive DNSSEC processing. To
+configure, run ``pdnsutil set-presigned ZONE``.
+
+If you import presigned zones into your database, please do not import
+the NSEC or NSEC3 records. PowerDNS will synthesize these itself.
+Putting them in the database might cause duplicate records in responses.
+:ref:`zone2sql <migration-zone2sql>` filters NSEC and NSEC3
+automatically.
+
+.. warning::
+ Right now, you will also need to configure NSEC(3) settings
+ for pre-signed zones using ``pdnsutil set-nsec3``. Default is NSEC, in
+ which case no further configuration is necessary.
+
+From existing DNSSEC non-PowerDNS setups, live signing
+------------------------------------------------------
+
+The ``pdnsutil`` tool features the option to import zone keys in the
+industry standard private key format, version 1.2. To import an existing
+KSK, use
+
+::
+
+ pdnsutil import-zone-key ZONE FILENAME ksk
+
+replace 'ksk' by 'zsk' for a Zone Signing Key.
+
+If all keys are imported using this tool, a zone will serve mostly
+identical records to before, with the important change that the RRSIG
+inception dates will be different.
+
+.. note::
+ Within PowerDNS, the 'algorithm' for RSASHA1 keys is modulated
+ based on the NSEC3 setting. So if an algorithm=7 key is imported in a
+ zone with no configured NSEC3, it will appear as algorithm 5!
+
+Secure transfers
+----------------
+
+PowerDNS supports secure DNSSEC transfers as described in
+`draft-koch-dnsop-dnssec-operator-change <https://datatracker.ietf.org/doc/draft-koch-dnsop-dnssec-operator-change/>`__.
+If the :ref:`setting-direct-dnskey` option is
+enabled the foreign DNSKEY records stored in the database are added to
+the keyset and signed with the KSK. Without the :ref:`setting-direct-dnskey` option
+DNSKEY records in the database are silently ignored.
--- /dev/null
+DNSSEC Modes of Operation
+=========================
+
+Traditionally, DNSSEC signatures have been added to unsigned zones, and
+then this signed zone could be served by any DNSSEC capable
+authoritative server. PowerDNS supports this mode fully.
+
+In addition, PowerDNS supports taking care of the signing itself, in
+which case PowerDNS operates differently from most tutorials and
+handbooks. This mode is easier however.
+
+For relevant tradeoffs, please see :doc:`../security` and
+:doc:`../performance`.
+
+.. _dnssec-online-signing:
+
+Online Signing
+--------------
+
+In the simplest situation, there is a single "SQL" database that
+contains, in separate tables, all domain data, keying material and other
+DNSSEC related settings.
+
+This database is then replicated to all PowerDNS instances, which all
+serve identical records, keys and signatures.
+
+In this mode of operation, care should be taken that the database
+replication occurs over a secure network, or over an encrypted
+connection. This is because keying material, if intercepted, could be
+used to counterfeit DNSSEC data using the original keys.
+
+Such a single replicated database requires no further attention beyond
+monitoring already required during non-DNSSEC operations.
+
+Records, Keys, signatures, hashes within PowerDNS in online signing mode
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Within PowerDNS live signing, keys are stored separately from the zone
+records. Zone data are only combined with signatures and keys when
+requests come in over the internet.
+
+Each zone can have a number of keys associated with it, with varying key
+lengths. Typically 1 or at most 2 of these keys are employed as actual
+Zone Signing Keys (ZSKs). During normal operations, this means that only
+1 ZSK is 'active', and the other is inactive.
+
+Should it be desired to 'roll over' to a new key, both keys can
+temporarily be active (and used for signing), and after a while the old
+key can be inactivated. Subsequently it can be removed.
+
+As elucidated above, there are several ways in which DNSSEC can deny the
+existence of a record, and this setting too is stored away from zone
+records, and lives with the DNSSEC keying material.
+
+(Hashed) Denial of Existence
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+PowerDNS supports unhashed secure denial of existence using NSEC
+records. These are generated with the help of the (database) backend,
+which needs to be able to supply the 'previous' and 'next' records in
+canonical ordering.
+
+The Generic SQL Backends have fields that allow them to supply these
+relative record names.
+
+In addition, hashed secure denial of existence is supported using NSEC3
+records, in two modes, one with help from the database, the other with
+the help of some additional calculations.
+
+NSEC3 in 'broad' or 'inclusive' mode works with the aid of the backend,
+where the backend should be able to supply the previous and next domain
+names in hashed order.
+
+NSEC3 in 'narrow' mode uses additional hashing calculations to provide
+hashed secure denial of existence 'on the fly', without further
+involving the database.
+
+.. _dnssec-signatures:
+
+Signatures
+~~~~~~~~~~
+
+In PowerDNS live signing mode, signatures, as served through RRSIG
+records, are calculated on the fly, and heavily cached. All CPU cores
+are used for the calculation.
+
+RRSIGs have a validity period, in PowerDNS by default this period starts
+at most a week in the past, and continues at least a week into the
+future.
+
+Precisely speaking, the time period used is always from the start of the
+previous Thursday until the Thursday two weeks later. This two-week
+interval jumps with one-week increments every Thursday.
+
+.. note::
+ Why Thursday? POSIX-based operating systems count the time
+ since GMT midnight January 1st of 1970, which was a Thursday. PowerDNS
+ inception/expiration times are generated based on an integral number of
+ weeks having passed since the start of the 'epoch'.
+
+PowerDNS also serves the DNSKEY records in live-signing mode. Their TTL
+is derived from the SOA records *minimum* field. When using NSEC3, the
+TTL of the NSEC3PARAM record is also derived from that field.
+
+Pre-signed records
+------------------
+
+In this mode, PowerDNS serves zones that already contain DNSSEC records.
+Such zones can either be slaved from a remote master, or can be signed
+using tools like OpenDNSSEC, ldns-signzone or dnssec-signzone.
+
+Even in this mode, PowerDNS will synthesize NSEC(3) records itself
+because of its architecture. RRSIGs of these NSEC(3) will still need to
+be imported. See the :ref:`Presigned migration guide <dnssec-migration-presigned>`.
+
+Front-signing
+-------------
+
+As a special feature, PowerDNS can operate as a signing server which
+operates as a slave to an unsigned master.
+
+In this way, if keying material is available for an unsigned zone that
+is retrieved from a master server, this keying material will be used
+when serving data from this zone.
+
+As part of the zone retrieval, the equivalent of
+``pdnsutil rectify-zone`` is run to make sure that all DNSSEC-related
+fields are set correctly in the backend.
+
+Signed AXFR
+-----------
+
+An outgoing zone transfer from a signing master contains all information
+required for the receiving party to rectify the zone without knowing the
+keys, such as signed NSEC3 records for empty non-terminals. The zone is
+not required to be rectified on the master.
+
+Signatures and Hashing is similar as described in :ref:`dnssec-online-signing`.
+
+BIND-mode operation
+-------------------
+
+The :doc:`bindbackend <../backends/bind>` can manage keys in an
+SQLite3 database without launching a separate gsqlite3 backend.
+
+To use this mode, add
+``bind-dnssec-db=/var/db/bind-dnssec-db.sqlite3`` to pdns.conf, and run
+``pdnsutil create-bind-db /var/db/bind-dnssec-db.sqlite3``. Then,
+restart PowerDNS.
+
+After this, you can use ``pdnsutil secure-zone`` and all other pdnsutil
+commands on your BIND zones without trouble.
+
+.. _dnssec-modes-hybrid-bind:
+
+Hybrid BIND-mode operation
+--------------------------
+
+PowerDNS can also operate based on 'BIND'-style zone & configuration
+files. This 'bindbackend' has full knowledge of DNSSEC, but has no
+native way of storing keying material.
+
+However, since PowerDNS supports operation with multiple simultaneous
+backends, this is not a problem.
+
+In hybrid mode, keying material and zone records are stored in different
+backends. This allows for 'bindbackend' operation in full DNSSEC mode.
+
+To benefit from this mode, include at least one database-based backend
+in the 'launch' statement. The :doc:`SQLite 3 backend <../backends/generic-sqlite3>` probably complements BIND mode
+best, since it does not require a database server process.
+
+.. warning::
+ For now, it is necessary to execute a manual SQL 'insert'
+ into the domains table of the backend hosting the keying material. This
+ is needed to generate a zone-id for the relevant domain. Sample SQL
+ statement::
+
+ insert into domains (name, type) values ('powerdnssec.org', 'NATIVE');
--- /dev/null
+Operational instructions
+========================
+
+Several How to's describe operational practices with DNSSEC:
+
+- :doc:`../guides/kskroll`
+- :doc:`../guides/kskrollcdnskey`
+- :doc:`../guides/zskroll`
+
+Below, frequently used commands are described:
+
+Publishing a DS
+---------------
+
+To publish a DS to a parent zone, utilize ``pdnsutil show-zone`` and
+take the DS from its output, and transfer it securely to your parent
+zone.
+
+Going insecure
+--------------
+
+::
+
+ pdnsutil disable-dnssec ZONE
+
+.. warning::
+ Going insecure with a zone that has a DS record in the
+ parent zone will make the zone BOGUS. Make sure the parent zone removes
+ the DS record *before* going insecure.
+
+Setting the NSEC modes and parameters
+-------------------------------------
+
+As stated earlier, PowerDNS uses NSEC by default. If you want to use
+NSEC3 instead, issue:
+
+::
+
+ pdnsutil set-nsec3 ZONE [PARAMETERS]
+
+e.g.
+
+::
+
+ pdnsutil set-nsec3 example.net '1 0 1 ab'
+
+The quoted part is the content of the NSEC3PARAM records, as defined in
+:rfc:`5155 <5155#section-4>`, in order:
+
+- Hash algorithm, should always be ``1`` (SHA1)
+- Flags, set to ``1`` for :rfc:`NSEC3 Opt-out <5155#section-6>`, this best
+ set as ``0``
+- Number of iterations of the hash function, read :rfc:`RFC 5155, Section
+ 10.3 <5155#section-10.3>` for recommendations
+- Salt (in hexadecimal) to apply during hashing
+
+To convert a zone from NSEC3 to NSEC operations, run:
+
+::
+
+ pdnsutil unset-nsec3 ZONE
+
+.. warning::
+ Don't change from NSEC to NSEC3 (or the other way around)
+ for zones with algorithm 5 (RSASHA1), 6 (DSA-NSEC3-SHA1) or 7
+ (RSASHA1-NSEC3-SHA1).
+
+.. _soa-edit-ensure-signature-freshness-on-slaves:
+
+SOA-EDIT: ensure signature freshness on slaves
+----------------------------------------------
+
+As RRSIGs can expire, slave servers need to know when to re-transfer the
+zone. In most implementations (BIND, NSD), this is done by re-signing
+the full zone outside of the nameserver, increasing the SOA serial and
+serving the new zone on the master.
+
+With PowerDNS in Live-signing mode, the SOA serial is not increased by
+default when the RRSIG dates are rolled.
+
+For zones that use :ref:`native-operation`
+replication PowerDNS will serve valid RRSIGs on all servers.
+
+For :ref:`master <master-operation>` zones (where
+replication happens by means of AXFR), PowerDNS slaves will
+automatically re-transfer the zone when it notices the RRSIGs have
+changed, even when the SOA serial is not increased. This ensures the
+zone never serves old signatures.
+
+If your DNS setup uses non-PowerDNS slaves, the slaves need to know when
+the signatures have been updated. This can be accomplished by setting
+the :ref:`metadata-soa-edit` metadata for DNSSEC signed
+zones. This value controls how the value of the SOA serial is modified
+by PowerDNS.
+
+.. note::
+ The SOA serial in the datastore will be untouched, SOA-EDIT is
+ applied to DNS answers with the SOA record.
+
+The :ref:`setting-default-soa-edit` or
+:ref:`setting-default-soa-edit-signed`
+configuration options can instead be set to ensure SOA-EDIT is set for
+every zone.
+
+Possible SOA-EDIT values
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+The 'inception' refers to the time the RRSIGs got updated in
+:ref:`live-signing mode <dnssec-online-signing>`. This happens every week (see
+:ref:`dnssec-signatures`). The inception time does not depend on
+local timezone, but some modes below will use localtime for
+representation.
+
+INCREMENT-WEEKS
+^^^^^^^^^^^^^^^
+
+Increments the serial with the number of weeks since the UNIX epoch.
+This should work in every setup; but the result won't look like
+YYYYMMDDSS anymore.
+
+For example: a serial of 12345678 will become 12348079 on Wednesday 13th
+of January 2016 (2401 weeks after the epoch).
+
+INCEPTION-EPOCH
+^^^^^^^^^^^^^^^
+
+Sets the new SOA serial number to the maximum of the old SOA serial
+number, and age in seconds of the last inception. This requires your
+backend zone to use the number of seconds since the UNIX epoch as SOA
+serial. The result is still the age in seconds of the last change to the
+zone, either by operator changes to the zone or the 'addition' of new
+RRSIGs.
+
+As an example, a serial of 12345678 becomes 1452124800 on Wednesday 13th
+of January 2016.
+
+INCEPTION-INCREMENT
+^^^^^^^^^^^^^^^^^^^
+
+Uses YYYYMMDDSS format for SOA serial numbers. If the SOA serial from
+the backend is within two days after inception, it gets incremented by
+two (the backend should keep SS below 98). Otherwise it uses the maximum
+of the backend SOA serial number and inception time in YYYYMMDD01
+format. This requires your backend zone to use YYYYMMDDSS as SOA serial
+format. Uses localtime to find the day for inception time.
+
+This changes a serial of 2015120810 to 2016010701 on Wednesday 13th of
+January 2016.
+
+INCEPTION (not recommended)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Sets the SOA serial to the last inception time in YYYYMMDD01 format.
+Uses localtime to find the day for inception time.
+
+.. warning::
+ The SOA serial will only change on inception day, so
+ changes to the zone will get visible on slaves only on the following
+ inception day.
+
+.. deprecated:: 4.1.0
+
+INCEPTION-WEEK (not recommended)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Sets the SOA serial to the number of weeks since the epoch, which is the
+last inception time in weeks.
+
+.. warning::
+ Same problem as INCEPTION.
+
+.. deprecated:: 4.1.0
+
+EPOCH
+^^^^^
+
+Sets the SOA serial to the number of seconds since the epoch.
+
+.. warning::
+ Don't combine this with AXFR - the slaves would keep
+ refreshing all the time. If you need fast updates, sync the backend
+ databases directly with incremental updates (or use the same database
+ server on the slaves)
+
+.. deprecated:: 4.1.0
+
+NONE
+^^^^
+
+Ignore :ref:`setting-default-soa-edit` and/or
+:ref:`setting-default-soa-edit-signed`
+settings.
+
+Security
+--------
+
+During typical PowerDNS operation, the private part of the signing keys
+are 'online', which can be compared to operating an HTTPS server, where
+the private key is available on the webserver for cryptographic
+purposes.
+
+In some settings, having such (private) keying material available online
+is considered undesirable. In this case, consider running in pre-signed
+mode.
+
+Performance
+-----------
+
+DNSSEC has a performance impact, mostly measured in terms of additional
+memory used for the signature caches. In addition, on startup or
+AXFR-serving, a lot of signing needs to happen.
+
+Most best practices are documented in :rfc:`6781`.
--- /dev/null
+``pdnsutil`` and DNSSEC
+=======================
+
+``pdnsutil`` (previously called ``pdnssec``) is a powerful command that
+is the operator-friendly gateway into PowerDNS configuration. Behind the
+scenes, ``pdnsutil`` manipulates a PowerDNS backend database, which also
+means that for many databases, ``pdnsutil`` can be run remotely, and can
+configure key material on different servers.
+
+For a list of available commands, see the :doc:`manpage <../manpages/pdnsutil.1>`.
+
+.. _dnssec-pdnsutil-dnssec-defaults:
+
+DNSSEC Defaults
+---------------
+
+Since version 4.0, when securing a zone using ``pdnsutil secure-zone``,
+a single ECDSA (algorithm 13, ECDSAP256SHA256) key is generated that is
+used as ZSK. Before 4.0, 3 RSA (algorithm 8) keys were generated, one as
+the KSK and two ZSKs. As all keys are online in the database, it made no
+sense to have this split-key setup.
+
+The default negative answer strategy is NSEC.
+
+.. note::
+ Not all registrars support algorithm 13.
--- /dev/null
+PKCS#11 support
+===============
+
+.. note::
+ This feature is experimental, use at your own risk!
+
+.. deprecated:: 4.0.0
+ slot IDs are deprecated, and you are expected to use slot label instead
+
+To enable it, compile PowerDNS Authoritative Server using
+``--enable-experimental-pkcs11`` flag on configure. This requires you to
+have p11-kit libraries and headers.
+
+You can also log on to the tokens after starting server, in this case
+you need to edit your PKCS#11 cryptokey record and remove PIN or set it
+empty. PIN is required for assigning keys to zone.
+
+Using with SoftHSM
+------------------
+
+To test this feature, a software HSM can be used. It is **not
+recommended** to use this in production.
+
+Instructions on how to setup SoftHSM to work with the feature after
+compilation on ubuntu/debian (tested with Ubuntu 12 and 14). -
+``apt-get install softhsm p11-kit opensc`` - create directory
+/etc/pkcs11/modules - Add file called 'softhsm' there with (on newer
+versions, use softhsm.module)
+``module: /home/cmouse/softhsm/lib/softhsm/libsofthsm.so managed: yes``
+- Verify it works: ``p11-kit -l`` - Create at least two tokens (ksk and
+zsk) with (slot-number starts from 0)
+
+::
+
+ ```
+ sudo softhsm --init-token --slot slot-number --label zone-ksk|zone-zsk --pin some-pin --so-pin another-pin
+ ```
+
+- Using pkcs11-tool, initialize your new keys.
+
+ ::
+
+ sudo pkcs11-tool --module=/home/cmouse/softhsm/lib/softhsm/libsofthsm.so -l -p some-pin -k --key-type RSA:2048 -a zone-ksk|zone-zsk --slot-index slot-number
+
+- Assign the keys using (note that token label is not necessarily same
+ as object label, see p11-kit -l)
+
+ ::
+
+ pdnsutil hsm assign zone rsasha256 ksk|zsk softhsm token-label pin zone-ksk|zsk
+
+- Verify that everything worked, you should see valid data there
+
+ ::
+
+ pdnsutil show-zone zone
+
+- SoftHSM signatures are fast enough to be used in live environment.
+
+Using CryptAS
+-------------
+
+Instructions on how to use CryptAS
+```Athena IDProtect Key USB Token V2J`` <http://www.cryptoshop.com/products/smartcards/idprotect-key-j-laser.html>`__
+Smart Card token on Ubuntu 14. - install the manufacturer\`s support
+software on your system and initialize the Smart Card token as per
+instructions (do not use PIV). - apt-get install p11-kit opensc - create
+directory /etc/pkcs11/modules - Add file called 'athena.module' with
+content
+
+::
+
+ ```
+ module: /lib64/libASEP11.so
+ managed: yes
+ ```
+
+- Verify it worked, it should resemble output below. do not continue if
+ this does not show up.
+
+ ::
+
+ $ p11-kit -l
+ athena: /lib64/libASEP11.so
+ library-description: ASE Cryptoki
+ library-manufacturer: Athena Smartcard Solutions
+ library-version: 3.1
+ token: IDProtect#0A50123456789
+ manufacturer: Athena Smartcard Solutions
+ model: IDProtect
+ serial-number: 0A50123456789
+ hardware-version: 1.0
+ firmware-version: 1.0
+ flags:
+ rng
+ login-required
+ user-pin-initialized
+ token-initialized
+
+- Using pkcs11-tool, initialize your new keys. After this IDProtect
+ Manager no longer can show your token certificates and keys, at least
+ on version v6.23.04.
+
+ ::
+
+ pkcs11-tool --module=/home/cmouse/softhsm/lib/softhsm/libsofthsm.so -l -p some-pin -k --key-type RSA:2048 -a zone-ksk
+ pkcs11-tool --module=/home/cmouse/softhsm/lib/softhsm/libsofthsm.so -l -p some-pin -k --key-type RSA:2048 -a zone-zsk
+
+- Verify that keys are there.
+
+ ::
+
+ $ pkcs11-tool --module=/lib64/libASEP11.so -l -p some-pin -O
+ Using slot 0 with a present token (0x0)
+ Public Key Object; RSA 2048 bits
+ label: zone-ksk
+ Usage: encrypt, verify, wrap
+ Public Key Object; RSA 2048 bits
+ label: zone-zsk
+ Usage: encrypt, verify, wrap
+ Private Key Object; RSA
+ label: zone-ksk
+ Usage: decrypt, sign, unwrap
+ Private Key Object; RSA
+ label: zone-zsk
+ Usage: decrypt, sign, unwrap
+
+- Assign the keys using
+
+ ::
+
+ pdnsutil hsm assign zone rsasha256 ksk|zsk athena IDProtect#0A50123456789 pin zone-ksk|zsk
+
+- Verify that everything worked, you should see valid data there.
+
+ ::
+
+ pdnsutil show-zone zone
+
+- Note that the physical token is pretty slow, so you have to use it as
+ hidden master. It has been observed to produce about
+ 1.5signatures/second.
+
+
--- /dev/null
+DNSSEC Profile and Support
+==========================
+
+PowerDNS aims to serve unexciting, standards compliant, DNSSEC
+information. One goal is to have relevant parts of our output be
+identical or equivalent to important fellow-traveller software like
+NLNetLabs' NSD.
+
+Particularly, if a PowerDNS secured zone is transferred via AXFR, it
+should be able to contain the same records as when that zone was signed
+using ``ldns-signzone`` using the same keys and settings.
+
+PowerDNS supports serving pre-signed zones, as well as online ('live')
+signed operations. In the last case, Signature Rollover and Key
+Maintenance are fully managed by PowerDNS.
+
+.. _dnssec-supported-algos:
+
+Supported Algorithms
+--------------------
+
+Supported Algorithms (See the `IANA
+website <http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1>`__
+for more information):
+
+- RSASHA1 (algorithm 5, algorithm 7)
+- RSASHA256 (algorithm 8)
+- RSASHA512 (algorithm 10)
+- ECC-GOST (algorithm 12)
+- ECDSA (algorithm 13 and 14)
+- ed25519 (algorithm 15)
+- ed448 (algorithm 16)
+
+For the DS records, these `digest
+types <http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml#ds-rr-types-1>`__
+are supported:
+
+- SHA-1 (algorithm 1)
+- SHA-256 (algorithm 2)
+- GOST R 34.11-94 (algorithm 3)
+- SHA-384 (algorithm 4)
+
+This corresponds to:
+
+- :rfc:`4033`: DNS Security Introduction and Requirements
+- :rfc:`4034`: Resource Records for the DNS Security Extensions, Protocol Modifications for the DNS Security Extensions
+- :rfc:`4035`: Protocol Modifications for the DNS Security Extensions
+- :rfc:`4509`: Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)
+- :rfc:`5155`: DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
+- :rfc:`5702`: Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC
+- :rfc:`5933`: Use of GOST Signature Algorithms in DNSKEY and RRSIG Resource Records for DNSSEC
+- :rfc:`6605`: Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC
+- :rfc:`8080`: Edwards-Curve Digital Security Algorithm (EdDSA) for DNSSEC
+
+In order to facilitate interoperability with existing technologies,
+PowerDNS keys can be imported and exported in industry standard formats.
+
+When using OpenSSL for ECDSA signatures (this is default), starting from
+OpenSSL 1.1.0, the algorithm used is resilient against PRNG failure,
+while not strictly conforming to :rfc:`6979`.
+
+.. note::
+ Actual supported algorithms depend on the crypto-libraries
+ PowerDNS was compiled against. To check the supported DNSSEC algoritms
+ in your build of PowerDNS, run ``pdnsutil list-algorithms``.
--- /dev/null
+Dynamic DNS Update (RFC2136)
+============================
+
+Starting with the PowerDNS Authoritative Server 3.4.0, DNS update
+support is available. There are a number of items NOT supported:
+
+- There is no support for GSS\*TSIG and SIG (TSIG is supported);
+- WKS records are specifically mentioned in the RFC, we don't
+ specifically care about WKS records;
+- Anything we forgot....
+
+The implementation requires the backend to support a number of new
+operations. Currently, the following backends have been modified to
+support DNS update:
+
+- :doc:`gmysql <backends/generic-mysql>`
+- :doc:`gpgsql <backends/generic-postgresql>`
+- :doc:`gsqlite3 <backends/generic-sqlite3>`
+- :doc:`goracle <backends/generic-oracle>`
+- :doc:`godbc <backends/generic-odbc>`
+
+.. _dnsupdate-configuration-options:
+
+Configuration options
+---------------------
+
+There are two configuration parameters that can be used within the
+powerdns configuration file.
+
+``dnsupdate``
+~~~~~~~~~~~~~
+
+A setting to enable/disable DNS update support completely. The default
+is no, which means that DNS updates are ignored by PowerDNS (no message
+is logged about this!). Change the setting to ``dnsupdate=yes`` to
+enable DNS update support. Default is ``no``.
+
+``allow-dnsupdate-from``
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+A list of IP ranges that are allowed to perform updates on any domain.
+The default is ``0.0.0.0/0``, which means that all ranges are accepted.
+Multiple entries can be used on this line
+(``allow-dnsupdate-from=198.51.100.0/8 203.0.113.2/32``). The option can
+be left empty to disallow everything, this then should be used in
+combination with the ``ALLOW-DNSUPDATE-FROM`` :doc:`domain metadata <domainmetadata>` setting per
+zone.
+
+``forward-dnsupdate``
+~~~~~~~~~~~~~~~~~~~~~
+
+Tell PowerDNS to forward to the master server if the zone is configured
+as slave. Masters are determined by the masters field in the domains
+table. The default behaviour is enabled (yes), which means that it will
+try to forward. In the processing of the update packet, the
+``allow-dnsupdate-from`` and ``TSIG-ALLOW-DNSUPDATE`` are processed
+first, so those permissions apply before the ``forward-dnsupdate`` is
+used. It will try all masters that you have configured until one is
+successful.
+
+.. _dnsupdate-lua-dnsupdate-policy-script:
+
+``lua-dnsupdate-policy-script``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Use this Lua script containing function ``updatepolicy`` to validate
+each update. This will ``TURN OFF`` all other
+authorization methods, and you are expected to take care of everything
+yourself. See :ref:`dnsupdate-update-policy` for details and
+examples.
+
+The semantics are that first a dynamic update has to be allowed either
+by the global :ref:`setting-allow-dnsupdate-from` setting, or by a per-zone
+``ALLOW-DNSUPDATE-FROM`` metadata setting.
+
+Secondly, if a zone has a ``TSIG-ALLOW-DNSUPDATE`` metadata setting, that
+must match too.
+
+So to only allow dynamic DNS updates to a zone based on TSIG key, and
+regardless of IP address, set :ref:`setting-allow-dnsupdate-from` to empty, set
+``ALLOW-DNSUPDATE-FROM`` to "0.0.0.0/0" and "::/0" and set the
+``TSIG-ALLOW-DNSUPDATE`` to the proper key name.
+
+Further information can be found :ref:`below <dnsupdate-how-it-works>`.
+
+.. _dnsupdate-metadata:
+
+Per zone settings
+-----------------
+
+For permissions, a number of per zone settings are available via the
+:doc:`domain metadata `<domainmetadata>`.
+
+ALLOW-DNSUPDATE-FROM
+~~~~~~~~~~~~~~~~~~~~
+
+This setting has the same function as described in the configuration
+options (See ref:`above <dnsupdate-configuration-options>`). Only one item is
+allowed per row, but multiple rows can be added. An example:
+
+::
+
+ sql> select id from domains where name='example.org';
+ 5
+ sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘ALLOW-DNSUPDATE-FROM’,’198.51.100.0/8’);
+ sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘ALLOW-DNSUPDATE-FROM’,’203.0.113.2/32’);
+
+This will allow 198.51.100.0/8 and 203.0.113.2/32 to send DNS update
+messages for the example.org domain.
+
+TSIG-ALLOW-DNSUPDATE
+~~~~~~~~~~~~~~~~~~~~
+
+This setting allows you to set the TSIG key required to do an DNS
+update. If you have GSS-TSIG enabled, you can use Kerberos principals
+here. An example:
+
+::
+
+ sql> insert into tsigkeys (name, algorithm, secret) values ('test', 'hmac-md5', 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=');
+ sql> select id from domains where name='example.org';
+ 5
+ sql> insert into domainmetadata (domain_id, kind, content) values (5, 'TSIG-ALLOW-DNSUPDATE', 'test');
+
+An example of how to use a TSIG key with the :program:`nsupdate` command:
+
+::
+
+ nsupdate <<!
+ server <ip> <port>
+ zone example.org
+ update add test1.example.org 3600 A 203.0.113.1
+ key test kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=
+ send
+ !
+
+If a TSIG key is set for the domain, it is required to be used for the
+update. The TSIG is extra security on top of the
+``ALLOW-DNSUPDATE-FROM`` setting. If a TSIG key is set, the IP(-range)
+still needs to be allowed via ``ALLOW-DNSUPDATE-FROM``.
+
+FORWARD-DNSUPDATE
+~~~~~~~~~~~~~~~~~
+
+See `Configuration options <dnsupdate-configuration-options>` for what it does,
+but per domain.
+
+::
+
+ sql> select id from domains where name='example.org';
+ 5
+ sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘FORWARD-DNSUPDATE’,’’);
+
+There is no content, the existence of the entry enables the forwarding.
+This domain-specific setting is only useful when the configuration
+option :ref:`setting-forward-dnsupdate` is set to 'no', as that will disable it
+globally. Using the domainmetadata setting than allows you to enable it
+per domain.
+
+NOTIFY-DNSUPDATE
+~~~~~~~~~~~~~~~~
+
+Send a notification to all slave servers after every update. This will
+speed up the propagation of changes and is very useful for acme
+verification.
+
+::
+
+ sql> select id from domains where name='example.org';
+ 5
+ sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘NOTIFY-DNSUPDATE’,’1’);
+
+SOA-EDIT-DNSUPDATE
+~~~~~~~~~~~~~~~~~~
+
+This configures how the soa serial should be updated. See
+:ref:`below <dnsupdate-soa-serial-updates>`.
+
+.. _dnsupdate-soa-serial-updates:
+
+SOA Serial Updates
+------------------
+
+After every update, the soa serial is updated as this is required by
+section 3.7 of :rfc:`2136`. The behaviour is configurable via domainmetadata
+with the ``SOA-EDIT-DNSUPDATE`` option. It has a number of options listed
+below. If no behaviour is specified, DEFAULT is used.
+
+:rfc:`2136, Section 3.6 <2136#section-3.6>` defines some specific behaviour for updates of SOA
+records. Whenever the SOA record is updated via the update message, the
+logic to change the SOA is not executed.
+
+.. note::
+ Powerdns will always use :ref:`metadata-soa-edit` when serving SOA
+ records, thus a query for the SOA record of the recently update domain,
+ might have an unexpected result due to a SOA-EDIT setting.
+
+An example:
+
+::
+
+ sql> select id from domains where name='example.org';
+ 5
+ sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘SOA-EDIT-DNSUPDATE’,’INCREASE’);
+
+This will make the SOA Serial increase by one, for every successful
+update.
+
+SOA-EDIT-DNSUPDATE settings
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+These are the settings available for **SOA-EDIT-DNSUPDATE**.
+
+- DEFAULT: Generate a soa serial of YYYYMMDD01. If the current serial
+ is lower than the generated serial, use the generated serial. If the
+ current serial is higher or equal to the generated serial, increase
+ the current serial by 1.
+- INCREASE: Increase the current serial by 1.
+- EPOCH: Change the serial to the number of seconds since the EPOCH,
+ aka unixtime.
+- SOA-EDIT: Change the serial to whatever SOA-EDIT would provide. See
+ `Domain metadata <domainmetadata>`
+- SOA-EDIT-INCREASE: Change the serial to whatever SOA-EDIT would
+ provide. If what SOA-EDIT provides is lower than the current serial,
+ increase the current serial by 1.
+
+DNS update How-to: Setup dyndns/rfc2136 with dhcpd
+--------------------------------------------------
+
+DNS update is often used with DHCP to automatically provide a hostname
+whenever a new IP-address is assigned by the DHCP server. This section
+describes how you can setup PowerDNS to receive DNS updates from ISC's
+dhcpd (version 4.1.1-P1).
+
+Setting up dhcpd
+~~~~~~~~~~~~~~~~
+
+We're going to use a TSIG key for security. We're going to generate a
+key using the following command:
+
+::
+
+ dnssec-keygen -a hmac-md5 -b 128 -n USER dhcpdupdate
+
+This generates two files (Kdhcpdupdate.*.key and
+Kdhcpdupdate.*.private). You're interested in the .key file:
+
+::
+
+ # ls -l Kdhcp*
+ -rw------- 1 root root 53 Aug 26 19:29 Kdhcpdupdate.+157+20493.key
+ -rw------- 1 root root 165 Aug 26 19:29 Kdhcpdupdate.+157+20493.private
+
+ # cat Kdhcpdupdate.+157+20493.key
+ dhcpdupdate. IN KEY 0 3 157 FYhvwsW1ZtFZqWzsMpqhbg==
+
+The important bits are the name of the key (**dhcpdupdate**) and the
+hash of the key (**FYhvwsW1ZtFZqWzsMpqhbg==**
+
+Using the details from the key you've just generated. Add the following
+to your dhcpd.conf:
+
+::
+
+ key "dhcpdupdate" {
+ algorithm hmac-md5;
+ secret "FYhvwsW1ZtFZqWzsMpqhbg==";
+ };
+
+You must also tell dhcpd that you want dynamic dns to work, add the
+following section:
+
+::
+
+ ddns-updates on;
+ ddns-update-style interim;
+ update-static-leases on;
+
+This tells dhcpd to:
+
+1. Enable Dynamic DNS
+2. Which style it must use (interim)
+3. Update static leases as well
+
+For more information on this, consult the dhcpd.conf manual.
+
+Per subnet, you also have to tell **dhcpd** which (reverse-)domain it
+should update and on which master domain server it is running.
+
+::
+
+ ddns-domainname "example.org";
+ ddns-rev-domainname "in-addr.arpa.";
+
+ zone example.org {
+ primary 127.0.0.1;
+ key dhcpdupdate;
+ }
+
+ zone 1.168.192.in-addr.arpa. {
+ primary 127.0.0.1;
+ key dhcpdupdate;
+ }
+
+This tells **dhcpd** a number of things:
+
+1. Which domain to use (**ddns-domainname "example.org";**)
+2. Which reverse-domain to use (**dnssec-rev-domainname
+ "in-addr.arpa.";**)
+3. For the zones, where the primary master is located (**primary
+ 127.0.0.1;**)
+4. Which TSIG key to use (**key dhcpdupdate;**). We defined the key
+ earlier.
+
+This concludes the changes that are needed to the **dhcpd**
+configuration file.
+
+Setting up PowerDNS
+~~~~~~~~~~~~~~~~~~~
+
+A number of small changes are needed to powerdns to make it accept
+dynamic updates from **dhcpd**.
+
+Enabled DNS update (:rfc:`2136`) support functionality in PowerDNS by adding
+the following to the PowerDNS configuration file (pdns.conf).
+
+::
+
+ dnsupdate=yes
+ allow-dnsupdate-from=
+
+This tells PowerDNS to:
+
+1. Enable DNS update support(:ref:`setting-dnsupdate`)
+2. Allow updates from NO ip-address (":ref:`setting-allow-dnsupdate-from`\ =")
+
+We just told powerdns (via the configuration file) that we accept
+updates from nobody via the :ref:`setting-allow-dnsupdate-from`
+parameter. That's not very useful, so we're going to give permissions
+per zone (including the appropriate reverse zone), via the
+domainmetadata table.
+
+::
+
+ sql> select id from domains where name='example.org';
+ 5
+ sql> insert into domainmetadata(domain_id, kind, content) values(5, 'ALLOW-DNSUPDATE-FROM','127.0.0.1');
+ sql> select id from domains where name='1.168.192.in-addr.arpa';
+ 6
+ sql> insert into domainmetadata(domain_id, kind, content) values(6, 'ALLOW-DNSUPDATE-FROM','127.0.0.1');
+
+This gives the ip '127.0.0.1' access to send update messages. Make sure
+you use the ip address of the machine that runs **dhcpd**.
+
+Another thing we want to do, is add TSIG security. This can only be done
+via the domainmetadata table:
+
+::
+
+ sql> insert into tsigkeys (name, algorithm, secret) values ('dhcpdupdate', 'hmac-md5', 'FYhvwsW1ZtFZqWzsMpqhbg==');
+ sql> select id from domains where name='example.org';
+ 5
+ sql> insert into domainmetadata (domain_id, kind, content) values (5, 'TSIG-ALLOW-DNSUPDATE', 'dhcpdupdate');
+ sql> select id from domains where name='1.168.192.in-addr.arpa';
+ 6
+ sql> insert into domainmetadata (domain_id, kind, content) values (6, 'TSIG-ALLOW-DNSUPDATE', 'dhcpdupdate');
+
+This will:
+
+1. Add the 'dhcpdupdate' key to our PowerDNSinstallation
+2. Associate the domains with the given TSIG key
+
+Restart PowerDNS and you should be ready to go!
+
+.. _dnsupdate-how-it-works:
+
+How it works
+------------
+
+This is a short description of how DNS update messages are processed by
+PowerDNS.
+
+1. The DNS update message is received. If it is TSIG signed, the TSIG
+ is validated against the tsigkeys table. If it is not valid, Refused
+ is returned to the requestor.
+2. A check is performed on the zone to see if it is a valid zone.
+ ServFail is returned when not valid.
+3. The **dnsupdate** setting is checked. Refused is returned when the
+ setting is 'no'.
+4. If update policy Lua script is provided then next two steps are
+ skipped.
+5. If the **ALLOW-DNSUPDATE-FROM** has a value (from both
+ domainmetadata and the configuration file), a check on the value is
+ performed. If the requestor (sender of the update message) does not
+ match the values in **ALLOW-DNSUPDATE-FROM**, Refused is returned.
+6. If the message is TSIG signed, the TSIG keyname is compared with the
+ TSIG keyname in domainmetadata. If they do not match, a Refused is
+ send. The TSIG-ALLOW-DNSUPDATE domainmetadata setting is used to
+ find which key belongs to the domain.
+7. The backends are queried to find the backend for the given domain.
+8. If the domain is a slave domain, the **forward-dnsupdate** option
+ and domainmetadata settings are checked. If forwarding to a master
+ is enabled, the message is forward to the master. If that fails, the
+ next master is tried until all masters are tried. If all masters
+ fail, ServFail is returned. If a master succeeds, the result from
+ that master is returned.
+9. A check is performed to make sure all updates/prerequisites are for
+ the given zone. NotZone is returned if this is not the case.
+10. The transaction with the backend is started.
+11. The prerequisite checks are performed (section 3.2 of :rfc:`2136 <2136#section-3.2>`). If a
+ check fails, the corresponding RCode is returned. No further
+ processing will happen.
+12. Per record in the update message, a the prescan checks are
+ performed. If the prescan fails, the corresponding RCode is
+ returned. If the prescan for the record is correct, the actual
+ update/delete/modify of the record is performed. If the update fails
+ (for whatever reason), ServFail is returned. After changes to the
+ records have been applied, the ordername and auth flag are set to
+ make sure DNSSEC remains working. The cache for that record is
+ purged.
+13. If there are records updated and the SOA record was not modified,
+ the SOA serial is updated. See :ref:`dnsupdate-soa-serial-updates`. The cache for this record is
+ purged.
+14. The transaction with the backend is committed. If this fails,
+ ServFail is returned.
+15. NoError is returned.
+
+.. _dnsupdate-update-policy:
+
+Update policy
+-------------
+
+.. versionadded:: 4.1.0
+
+You can define a Lua script to handle DNS UPDATE message
+authorization. The Lua script is to contain at least function called
+``updatepolicy`` which accepts one parameter. This parameter is an
+object, containing all the information for the request. To permit
+change, return true, otherwise return false. The script is called for
+each record at a time and you can approve or reject any or all.
+
+The object has following methods available:
+
+- DNSName getQName() - name to update
+- DNSName getZonename() - zone name
+- int getQType() - record type, it can be 255(ANY) for delete.
+- ComboAddress getLocal() - local socket address
+- ComboAddress getRemote() - remote socket address
+- Netmask getRealRemote() - real remote address (or netmask if EDNS Subnet is used)
+- DNSName getTsigName() - TSIG **key** name (you can assume it is validated here)
+- string getPeerPrincipal() - Return peer principal name (user@DOMAIN, service/machine.name@DOMAIN, host/MACHINE$@DOMAIN)
+
+There are many same things available as in recursor Lua scripts, but
+there is also resolve(qname, qtype) which returns array of records.
+Example:
+
+::
+
+ resolve("www.google.com", pdns.A)
+
+You can use this to perform DNS lookups. If your resolver cannot find
+your local records, then this will not find them either. In other words,
+resolve does not perform local lookup.
+
+Simple example script:
+
+.. code:: lua
+
+ --- This script is not suitable for production use
+
+ function strpos (haystack, needle, offset)
+ local pattern = string.format("(%s)", needle)
+ local i = string.find (haystack, pattern, (offset or 0))
+ return (i ~= nil and i or false)
+ end
+
+ function updatepolicy(input)
+ princ = input:getPeerPrincipal()
+
+ if princ == ""
+ then
+ return false
+ end
+
+ if princ == "admin@DOMAIN" or input:getRemote():toString() == "192.168.1.1"
+ then
+ return true
+ end
+
+ if (input:getQType() == pdns.A or input:getQType() == pdns.AAAA) and princ:sub(5,5) == '/' and strpos(princ, "@", 0) ~= false
+ then
+ i = strpos(princ, "@", 0)
+ if princ:sub(i) ~= "@DOMAIN"
+ then
+ return false
+ end
+ hostname = princ:sub(6, i-1)
+ if input:getQName():toString() == hostname .. "." or input:getQName():toString() == hostname .. "." .. input:getZoneName():toString()
+ then
+ return true
+ end
+ end
+
+ return false
+ end
--- /dev/null
+Per zone settings: Domain Metadata
+==================================
+
+Each served zone can have "metadata". Such metadata determines how this
+zone behaves in certain circumstances.
+
+.. warning::
+ Domain metadata is only available for DNSSEC capable
+ backends! Make sure to enable the proper '-dnssec' setting to benefit.
+
+For the BIND backend, this information is either stored in the
+:ref:`setting-bind-dnssec-db` or the hybrid database,
+depending on your settings.
+
+For the implementation in non-sql backends, please review your backend's
+documentation.
+
+Apart from raw SQL statements, setting domain metadata can be done with
+``pdnsutil set-meta`` and retrieving metadata is done with ``pdnsutil get-meta``.
+
+.. _metadata-allow-axfr-from:
+
+ALLOW-AXFR-FROM
+---------------
+
+Per-zone AXFR ACLs can be stored in the domainmetadata table.
+
+Each ACL specifies one subnet (v4 or v6), or the magical value 'AUTO-NS'
+that tries to allow all potential slaves in.
+
+Example:
+
+::
+
+ pdnsutil set-meta powerdns.org ALLOW-AXFR-FROM AUTO-NS 2001:db8::/48
+
+Each ACL has its own row in the database:
+
+::
+
+ select id from domains where name='example.com';
+ 7
+ insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','AUTO-NS');
+ insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','2001:db8::/48');
+
+To disallow all IP's, except those explicitly allowed by domainmetadata
+records, add ``allow-axfr-ips=`` to ``pdns.conf``.
+
+.. _metadata-axfr-source:
+
+AXFR-SOURCE
+-----------
+
+The IP address to use as a source address for sending AXFR and IXFR
+requests.
+
+ALLOW-DNSUPDATE-FROM, TSIG-ALLOW-DNSUPDATE, FORWARD-DNSUPDATE, SOA-EDIT-DNSUPDATE, NOTIFY-DNSUPDATE
+---------------------------------------------------------------------------------------------------
+
+See the documentation on :ref:`Dynamic DNS update <dnsupdate-metadata>`.
+
+.. _metadata-also-notify:
+
+ALSO-NOTIFY
+-----------
+
+When notifying this domain, also notify this nameserver (can occur
+multiple times). The nameserver may have contain an optional port
+number. e.g.:
+
+::
+
+ pdnsutil set-meta powerdns.org ALSO-NOTIFY 192.0.2.1:5300
+ pdnsutil set-meta powerdns.org ALLOW-AXFR-FROM 2001:db8:53::1
+
+Or in SQL:
+
+::
+
+ insert into domainmetadata (domain_id, kind, content) values (7,'ALSO-NOTIFY','192.0.2.1:5300');
+ insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','2001:db8:53::1');
+
+AXFR-MASTER-TSIG
+----------------
+
+Use this named TSIG key to retrieve this zone from its master, see :ref:`tsig-provision-signed-notify-axfr`.
+
+GSS-ALLOW-AXFR-PRINCIPAL
+------------------------
+
+Allow this GSS principal to perform AXFR retrieval. Most commonly it is
+``host/something@REALM``, ``DNS/something@REALM`` or ``user@REALM``.
+(See :ref:`tsig-gss-tsig`).
+
+GSS-ACCEPTOR-PRINCIPAL
+----------------------
+
+Use this principal for accepting GSS context.
+(See :ref:`tsig-gss-tsig`).
+
+IXFR
+----
+
+If set to 1, attempt IXFR when retrieving zone updates. Otherwise IXFR
+is not attempted.
+
+LUA-AXFR-SCRIPT
+---------------
+
+Script to be used to edit incoming AXFRs, see :ref:`modes-of-operation-axfrfilter`.
+This value will override the :ref:`setting-lua-axfr-script` setting. Use
+'NONE' to remove a global script.
+
+NSEC3NARROW
+-----------
+
+Set to "1" to tell PowerDNS this zone operates in NSEC3 'narrow' mode.
+See ``set-nsec3`` for :doc:`pdnsutil <dnssec/pdnsutil>`.
+
+NSEC3PARAM
+----------
+
+NSEC3 parameters of a DNSSEC zone. Will be used to synthesize the
+NSEC3PARAM record. If present, NSEC3 is used, if not present, zones
+default to NSEC. See ``set-nsec3`` in :doc:`pdnsutil <dnssec/pdnsutil>`.
+Example content: "1 0 1 ab".
+
+.. _metadata-presigned:
+
+PRESIGNED
+---------
+
+This zone carries DNSSEC RRSIGs (signatures), and is presigned. PowerDNS
+sets this flag automatically upon incoming zone transfers (AXFR) if it
+detects DNSSEC records in the zone. However, if you import a presigned
+zone using ``zone2sql`` or ``pdnsutil load-zone`` you must explicitly
+set the zone to be ``PRESIGNED``. Note that PowerDNS will not be able to
+correctly serve the zone if the imported data is bogus or incomplete.
+Also see ``set-presigned`` in :doc:`pdnsutil <dnssec/pdnsutil>`.
+
+If a zone is presigned, the content of the metadata must be "1" (without
+the quotes). Any other value will not signal presignedness.
+
+PUBLISH-CDNSKEY, PUBLISH-CDS
+----------------------------
+
+Whether to publish CDNSKEY and/or CDS recording defined in :rfc:`7344`.
+
+To publish CDNSKEY records of the KSKs for the zone, set
+``PUBLISH-CDNSKEY`` to ``1``.
+
+To publish CDS records for the KSKs in the zone, set ``PUBLISH-CDS`` to
+a comma- separated list of `signature algorithm
+numbers <http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml#ds-rr-types-1>`__.
+
+This metadata can also be set using the
+:doc:`pdnsutil <dnssec/pdnsutil>` commands ``set-publish-cdnskey``
+and ``set-publish-cds``. For an example for an :rfc:`7344` key rollover,
+see the :doc:`guides/kskrollcdnskey`.
+
+.. _metadata-soa-edit:
+
+SOA-EDIT
+--------
+
+When serving this zone, modify the SOA serial number in one of several
+ways. Mostly useful to get slaves to re-transfer a zone regularly to get
+fresh RRSIGs. See the `DNSSEC
+documentation <soa-edit-ensure-signature-freshness-on-slaves>`
+for more information.
+
+TSIG-ALLOW-AXFR
+---------------
+
+Allow these named TSIG keys to AXFR this zone, see :ref:`tsig-provision-signed-notify-axfr`.
+
+TSIG-ALLOW-DNSUPDATE
+--------------------
+
+This setting allows you to set the TSIG key required to do an :doc:`dnsupdate`.
+If :ref:`GSS-TSIG <tsig-gss-tsig>` is enabled, you can put kerberos principals here as well.
+
+Extra metadata
+--------------
+
+Through the API and on the ``pdnsutil set-meta`` commandline, metadata
+unused by PowerDNS can be added. It is mandatory to prefix this extra
+metadata with "X-" and the name of the external application; the API
+will only allow this metadata if it starts with "X-".
--- /dev/null
+Adding new DNS record types
+===========================
+
+Here are the full descriptions on how we added the TLSA record type to
+all PowerDNS products, with links to the actual source code.
+
+First, define the TLSARecordContent class in
+`dnsrecords.hh <https://github.com/PowerDNS/pdns/blob/5a3409cbb4314b84f1171a69c7337386568fa886/pdns/dnsrecords.hh#L396>`__:
+
+.. code-block:: cpp
+
+ class TLSARecordContent : public DNSRecordContent
+ {
+ public:
+ includeboilerplate(TLSA)
+
+ private:
+ uint8_t d_certusage, d_selector, d_matchtype;
+ string d_cert;
+ };
+
+The ``includeboilerplate(TLSA)`` macro generates the four methods that
+do everything PowerDNS would ever want to do with a record:
+
+- read TLSA records from zonefile format
+- write out a TLSA record in zonefile format
+- read a TLSA record from a packet
+- write a TLSA record to a packet
+
+The `actual parsing
+code <https://github.com/PowerDNS/pdns/blob/5a3409cbb4314b84f1171a69c7337386568fa886/pdns/dnsrecords.cc#L304>`__:
+
+.. code-block:: cpp
+
+ boilerplate_conv(TLSA, 52,
+ conv.xfr8BitInt(d_certusage);
+ conv.xfr8BitInt(d_selector);
+ conv.xfr8BitInt(d_matchtype);
+ conv.xfrHexBlob(d_cert, true);
+ )
+
+This code defines the TLSA rrtype number as 52. Secondly, it says there
+are 3 eight bit fields for Certificate Usage, Selector and Match type.
+Next, it defines that the rest of the record is the actual certificate
+(hash).
+`'conv' <https://github.com/PowerDNS/pdns/blob/5a3409cbb4314b84f1171a69c7337386568fa886/pdns/dnsparser.hh#L68>`__
+methods are supplied for all DNS data types in use.
+
+Now add ``TLSARecordContent::report()`` to
+```reportOtherTypes()`` <https://github.com/PowerDNS/pdns/blob/5a3409cbb4314b84f1171a69c7337386568fa886/pdns/dnsrecords.cc#L594>`__.
+
+And that's it. For completeness, add TLSA and 52 to the QType enum in
+```qtype.hh`` <https://github.com/PowerDNS/pdns/blob/5a3409cbb4314b84f1171a69c7337386568fa886/pdns/qtype.hh#L116>`__,
+which makes it easier to refer to the TLSA record in code if so
+required.
+
--- /dev/null
+Using ALIAS records
+===================
+
+The ALIAS record provides a way to have CNAME-like behaviour on the zone
+apex.
+
+In order to correctly serve ALIAS records in PowerDNS Authoritative
+Server 4.1.0 or higher, set the :ref:`setting-resolver`
+setting to an existing resolver and enable
+:ref:`setting-expand-alias`:
+
+::
+
+ resolver=[::1]:5300
+ expand-alias=yes
+
+.. note::
+ If :ref:`setting-resolver` is unset, ALIAS expension is disabled!
+
+Then add the ALIAS record to your zone apex. e.g.:
+
+::
+
+ $ORIGIN example.net
+ $TTL 1800
+
+ @ IN SOA ns1.example.net. hostmaster.example.net. 2015121101 1H 15 1W 2H
+
+ @ IN NS ns1.example.net.
+
+ @ IN ALIAS mywebapp.paas-provider.net.
+
+When the authoritative server receives a query for the A-record for
+``example.net``, it will resolve the A record for
+``mywebapp.paas-provider.net`` and serve an answer for ``example.net``
+with that A record.
+
+When a zone containing ALIAS records is transferred over AXFR, the
+:ref:`setting-outgoing-axfr-expand-alias`
+setting controls the behaviour of ALIAS records. When set to 'no' (the
+default), ALIAS records are sent as-is (RRType 65401 and a DNSName in
+the RDATA) in the AXFR. When set to 'yes', PowerDNS will lookup the A
+and AAAA records of the name in the ALIAS-record and send the results in
+the AXFR.
+
+Set ``outgoing-axfr-expand-alias`` to 'yes' if your slaves don't
+understand ALIAS or should not look up the addresses themselves. Note
+that slaves will not automatically follow changes in those A/AAAA
+records unless you AXFR regularly.
+
+.. note::
+ The ``expand-alias`` setting does not exist in PowerDNS
+ Authoritative Server 4.0.x. Hence, ALIAS records are always expanded on
+ a direct A or AAAA query.
+
+ALIAS and DNSSEC
+----------------
+
+Starting with the PowerDNS Authoritative Server 4.0.0, DNSSEC 'washing'
+of ALIAS records is supported on AXFR (**not** on live-signing). Set
+``outgoing-axfr-expand-alias`` to 'yes' and enable DNSSEC for the zone
+on the master. PowerDNS will sign the A/AAAA records during the AXFR.
+
+
--- /dev/null
+Basic setup: configuring database connectivity
+==============================================
+
+This shows you how to configure the Generic MySQL backend. This backend
+is called 'gmysql', and needs to be configured in ``pdns.conf``. Add the
+following lines, adjusted for your local setup (specifically, you may
+not want to use the 'root' user):
+
+::
+
+ launch=gmysql
+ gmysql-host=127.0.0.1
+ gmysql-user=root
+ gmysql-dbname=pdns
+ gmysql-password=mysecretpassword
+
+Remove any earlier :ref:`setting-launch` statements and
+other configuration statements for backends.
+
+.. warning::
+ Make sure that you can actually resolve the hostname of
+ your database without accessing the database! It is advised to supply an
+ IP address here to prevent chicken/egg problems!
+
+Now start PowerDNS in the foreground:
+
+::
+
+ # /usr/sbin/pdns_server --daemon=no --guardian=no --loglevel=9
+ (...)
+ Dec 30 13:40:09 About to create 3 backend threads for UDP
+ Dec 30 13:40:09 gmysql Connection failed: Unable to connect to database: Access denied for user 'hubert'@'localhost' to database 'pdns-non-existant'
+ Dec 30 13:40:09 Caught an exception instantiating a backend: Unable to launch gmysql connection: Unable to connect to database: Access denied for user 'hubert'@'localhost' to database 'pdns-non-existant'
+ Dec 30 13:40:09 Cleaning up
+ Dec 30 13:40:10 Done launching threads, ready to distribute questions
+
+This is as to be expected - we did not yet add anything to MySQL for
+PowerDNS to read from. At this point you may also see other errors which
+indicate that PowerDNS either could not find your MySQL server or was
+unable to connect to it. Fix these before proceeding.
+
+General MySQL knowledge is assumed in this chapter, please do not
+interpret these commands as DBA advice!
+
+Example: configuring MySQL
+--------------------------
+
+Connect to MySQL as a user with sufficient privileges and issue the
+following commands:
+
+.. literalinclude:: ../../modules/gmysqlbackend/schema.mysql.sql
+
+Now we have a database and an empty table. PowerDNS should now be able
+to launch in monitor mode and display no errors:
+
+::
+
+ # /usr/sbin/pdns_server --daemon=no --guardian=no --loglevel=9
+ (...)
+ 15:31:30 PowerDNS 1.99.0 (Mar 12 2002, 15:00:28) starting up
+ 15:31:30 About to create 3 backend threads
+ 15:39:55 [gMySQLbackend] MySQL connection succeeded
+ 15:39:55 [gMySQLbackend] MySQL connection succeeded
+ 15:39:55 [gMySQLbackend] MySQL connection succeeded
+
+In a different shell, a sample query sent to the server should now
+return quickly without data:
+
+::
+
+ $ dig +short www.example.com @127.0.0.1
+ $
+
+.. warning::
+ When debugging DNS problems, don't use ``host``. Please use
+ ``dig`` or ``drill``.
+
+And indeed, the output in the first terminal now shows:
+
+::
+
+ Mar 01 16:04:42 Remote 127.0.0.1 wants 'www.example.com|A', do = 0, bufsize = 1680: packetcache MISS
+
+Now we need to add some records to our database (in a separate shell):
+
+::
+
+ # mysql pdnstest
+ mysql> INSERT INTO domains (name, type) values ('example.com', 'NATIVE');
+ INSERT INTO records (domain_id, name, content, type,ttl,prio)
+ VALUES (1,'example.com','localhost admin.example.com 1 10380 3600 604800 3600','SOA',86400,NULL);
+ INSERT INTO records (domain_id, name, content, type,ttl,prio)
+ VALUES (1,'example.com','dns-us1.powerdns.net','NS',86400,NULL);
+ INSERT INTO records (domain_id, name, content, type,ttl,prio)
+ VALUES (1,'example.com','dns-eu1.powerdns.net','NS',86400,NULL);
+ INSERT INTO records (domain_id, name, content, type,ttl,prio)
+ VALUES (1,'www.example.com','192.0.2.10','A',120,NULL);
+ INSERT INTO records (domain_id, name, content, type,ttl,prio)
+ VALUES (1,'mail.example.com','192.0.2.12','A',120,NULL);
+ INSERT INTO records (domain_id, name, content, type,ttl,prio)
+ VALUES (1,'localhost.example.com','127.0.0.1','A',120,NULL);
+ INSERT INTO records (domain_id, name, content, type,ttl,prio)
+ VALUES (1,'example.com','mail.example.com','MX',120,25);
+
+.. warning::
+ Host names and the MNAME of a :ref:`types-soa`
+ records are NEVER terminated with a '.' in PowerDNS storage! If a
+ trailing '.' is present it will inevitably cause problems, problems that
+ may be hard to debug.
+
+If we now requery our database, ``www.example.com`` should be present:
+
+::
+
+ $ dig +short www.example.com @127.0.0.1
+ 192.0.2.10
+
+ $ dig +short example.com MX @127.0.0.1
+ 25 mail.example.com
+
+To confirm what happened, check the statistics:
+
+::
+
+ $ /usr/sbin/pdns_control SHOW \*
+ corrupt-packets=0,latency=0,packetcache-hit=2,packetcache-miss=5,packetcache-size=0,
+ qsize-a=0,qsize-q=0,servfail-packets=0,tcp-answers=0,tcp-queries=0,
+ timedout-packets=0,udp-answers=7,udp-queries=7,
+ %
+
+The actual numbers will vary somewhat. Now hit CTRL+C in the shell where
+PowerDNS runs, start PowerDNS as a regular daemon, and check launch
+status:
+
+On SysV systems:
+
+::
+
+ # /etc/init.d/pdns start
+ pdns: started
+ # /etc/init.d/pdns status
+ pdns: 8239: Child running
+ # /etc/init.d/pdns dump
+ pdns: corrupt-packets=0,latency=0,packetcache-hit=0,packetcache-miss=0,
+ packetcache-size=0,qsize-a=0,qsize-q=0,servfail-packets=0,tcp-answers=0,
+ tcp-queries=0,timedout-packets=0,udp-answers=0,udp-queries=0,
+
+On systemd systems:
+
+::
+
+ # systemctl start pdns.service
+ # systemctl status pdns.service
+ * pdns.service - PowerDNS Authoritative Server
+ Loaded: loaded (/lib/systemd/system/pdns.service; enabled)
+ Active: active (running) since Tue 2017-01-17 15:59:28 UTC; 1 months 12 days ago
+ Docs: man:pdns_server(1)
+ man:pdns_control(1)
+ https://doc.powerdns.com
+ Main PID: 24636 (pdns_server)
+ CGroup: /system.slice/pdns.service
+ `-24636 /usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --write-pid=no
+
+ (...)
+ # /usr/sbin/pdns_control SHOW \*
+ corrupt-packets=0,latency=0,packetcache-hit=2,packetcache-miss=5,packetcache-size=0,
+ qsize-a=0,qsize-q=0,servfail-packets=0,tcp-answers=0,tcp-queries=0,
+ timedout-packets=0,udp-answers=7,udp-queries=7,
+
+You now have a working database driven nameserver! To convert other
+zones already present, see the :doc:`migration guide <../migration>`.
+
+Common problems
+---------------
+
+Most problems involve PowerDNS not being able to connect to the
+database.
+
+Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Your MySQL installation is probably defaulting to another location for
+its socket. Can be resolved by figuring out this location (often
+``/var/run/mysqld.sock``), and specifying it in the configuration file
+with the :ref:`setting-gmysql-socket` parameter.
+
+Another solution is to not connect to the socket, but to 127.0.0.1,
+which can be achieved by specifying ``gmysql-host=127.0.0.1``.
+
+Host 'x.y.z.w' is not allowed to connect to this MySQL server
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+These errors are generic MySQL errors. Solve them by trying to connect
+to your MySQL database with the MySQL console utility ``mysql`` with the
+parameters specified to PowerDNS. Consult the MySQL documentation.
+
+Typical Errors after Installing
+-------------------------------
+
+At this point some things may have gone wrong. Typical errors include:
+
+binding to UDP socket: Address already in use
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This means that another nameserver is listening on port 53 already. You
+can resolve this problem by determining if it is safe to shutdown the
+nameserver already present, and doing so. If uncertain, it is also
+possible to run PowerDNS on another port. To do so, add
+:ref:`setting-local-port`\ =5300 to ``pdns.conf``, and
+try again. This however implies that you can only test your nameserver
+as clients expect the nameserver to live on port 53.
+
+binding to UDP socket: Permission denied
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+You must be superuser in order to be able to bind to port 53. If this is
+not a possibility, it is also possible to run PowerDNS on another port.
+To do so, add :ref:`setting-local-port`\ =5300 to
+``pdns.conf``, and try again. This however implies that you can only
+test your nameserver as clients expect the nameserver to live on port
+53.
+
+Unable to launch, no backends configured for querying
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+PowerDNS did not find the ``launch=bind`` instruction in pdns.conf.
+
+Multiple IP addresses on your server, PowerDNS sending out answers on the wrong one, Massive amounts of 'recvfrom gave error, ignoring: Connection refused'
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If you have multiple IP addresses on the internet on one machine, UNIX
+often sends out answers over another interface than which the packet
+came in on. In such cases, use :ref:`setting-local-address` to bind to specific IP
+addresses, which can be comma separated. The second error comes from
+remotes disregarding answers to questions it didn't ask to that IP
+address and sending back ICMP errors.
+
--- /dev/null
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+ xmlns:dc="http://purl.org/dc/elements/1.1/"
+ xmlns:cc="http://creativecommons.org/ns#"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+ xmlns:svg="http://www.w3.org/2000/svg"
+ xmlns="http://www.w3.org/2000/svg"
+ xmlns:xlink="http://www.w3.org/1999/xlink"
+ xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+ xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+ width="210mm"
+ height="297mm"
+ viewBox="0 0 210 297"
+ version="1.1"
+ id="svg8"
+ inkscape:version="0.92.1 r"
+ sodipodi:docname="400-410-recursor-scenario-1.svg"
+ inkscape:export-filename="/home/lieter/src/PowerDNS/pdns/docs/markdown/authoritative/400-410-recursor-scenario-1.png"
+ inkscape:export-xdpi="60"
+ inkscape:export-ydpi="60">
+ <defs
+ id="defs2">
+ <marker
+ inkscape:stockid="Arrow1Mend"
+ orient="auto"
+ refY="0.0"
+ refX="0.0"
+ id="marker9095"
+ style="overflow:visible;"
+ inkscape:isstock="true">
+ <path
+ id="path9093"
+ d="M 0.0,0.0 L 5.0,-5.0 L -12.5,0.0 L 5.0,5.0 L 0.0,0.0 z "
+ style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1;fill:#000000;fill-opacity:1"
+ transform="scale(0.4) rotate(180) translate(10,0)" />
+ </marker>
+ <marker
+ inkscape:stockid="Arrow1Mstart"
+ orient="auto"
+ refY="0.0"
+ refX="0.0"
+ id="marker9031"
+ style="overflow:visible"
+ inkscape:isstock="true">
+ <path
+ id="path9029"
+ d="M 0.0,0.0 L 5.0,-5.0 L -12.5,0.0 L 5.0,5.0 L 0.0,0.0 z "
+ style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1;fill:#000000;fill-opacity:1"
+ transform="scale(0.4) translate(10,0)" />
+ </marker>
+ <marker
+ inkscape:isstock="true"
+ style="overflow:visible"
+ id="marker8927"
+ refX="0.0"
+ refY="0.0"
+ orient="auto"
+ inkscape:stockid="Arrow1Mstart"
+ inkscape:collect="always">
+ <path
+ transform="scale(0.4) translate(10,0)"
+ style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1;fill:#000000;fill-opacity:1"
+ d="M 0.0,0.0 L 5.0,-5.0 L -12.5,0.0 L 5.0,5.0 L 0.0,0.0 z "
+ id="path8925" />
+ </marker>
+ <marker
+ inkscape:isstock="true"
+ style="overflow:visible;"
+ id="marker8875"
+ refX="0.0"
+ refY="0.0"
+ orient="auto"
+ inkscape:stockid="Arrow1Mend"
+ inkscape:collect="always">
+ <path
+ transform="scale(0.4) rotate(180) translate(10,0)"
+ style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1;fill:#000000;fill-opacity:1"
+ d="M 0.0,0.0 L 5.0,-5.0 L -12.5,0.0 L 5.0,5.0 L 0.0,0.0 z "
+ id="path8873" />
+ </marker>
+ <marker
+ inkscape:isstock="true"
+ style="overflow:visible"
+ id="marker8829"
+ refX="0.0"
+ refY="0.0"
+ orient="auto"
+ inkscape:stockid="Arrow1Mstart">
+ <path
+ transform="scale(0.4) translate(10,0)"
+ style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1;fill:#000000;fill-opacity:1"
+ d="M 0.0,0.0 L 5.0,-5.0 L -12.5,0.0 L 5.0,5.0 L 0.0,0.0 z "
+ id="path8827" />
+ </marker>
+ <marker
+ inkscape:stockid="Arrow1Mend"
+ orient="auto"
+ refY="0.0"
+ refX="0.0"
+ id="Arrow1Mend"
+ style="overflow:visible;"
+ inkscape:isstock="true"
+ inkscape:collect="always">
+ <path
+ id="path8508"
+ d="M 0.0,0.0 L 5.0,-5.0 L -12.5,0.0 L 5.0,5.0 L 0.0,0.0 z "
+ style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1;fill:#000000;fill-opacity:1"
+ transform="scale(0.4) rotate(180) translate(10,0)" />
+ </marker>
+ <marker
+ inkscape:stockid="Arrow1Mstart"
+ orient="auto"
+ refY="0.0"
+ refX="0.0"
+ id="Arrow1Mstart"
+ style="overflow:visible"
+ inkscape:isstock="true"
+ inkscape:collect="always">
+ <path
+ id="path8505"
+ d="M 0.0,0.0 L 5.0,-5.0 L -12.5,0.0 L 5.0,5.0 L 0.0,0.0 z "
+ style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1;fill:#000000;fill-opacity:1"
+ transform="scale(0.4) translate(10,0)" />
+ </marker>
+ <linearGradient
+ id="linearGradient4386">
+ <stop
+ offset="0"
+ style="stop-color:#d2d2d2;stop-opacity:1"
+ id="stop4388" />
+ <stop
+ offset="1"
+ style="stop-color:#dfdfdf;stop-opacity:1"
+ id="stop4390" />
+ </linearGradient>
+ <linearGradient
+ id="linearGradient4412">
+ <stop
+ offset="0"
+ style="stop-color:#ffffff;stop-opacity:1"
+ id="stop4414" />
+ <stop
+ offset="1"
+ style="stop-color:#ffffff;stop-opacity:0"
+ id="stop4416" />
+ </linearGradient>
+ <linearGradient
+ id="linearGradient4509">
+ <stop
+ offset="0"
+ style="stop-color:#000000;stop-opacity:1"
+ id="stop4511" />
+ <stop
+ offset="1"
+ style="stop-color:#000000;stop-opacity:0"
+ id="stop4513" />
+ </linearGradient>
+ <linearGradient
+ id="linearGradient5048">
+ <stop
+ offset="0"
+ style="stop-color:#000000;stop-opacity:0"
+ id="stop5050" />
+ <stop
+ offset="0.5"
+ style="stop-color:#000000;stop-opacity:1"
+ id="stop5056" />
+ <stop
+ offset="1"
+ style="stop-color:#000000;stop-opacity:0"
+ id="stop5052" />
+ </linearGradient>
+ <linearGradient
+ gradientTransform="matrix(2.774389,0,0,1.969706,-1892.179,-872.8854)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient5048"
+ id="linearGradient25151"
+ y2="609.50507"
+ x2="302.85715"
+ y1="366.64789"
+ x1="302.85715" />
+ <radialGradient
+ gradientTransform="matrix(2.774389,0,0,1.969706,-1891.633,-872.8854)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient25153"
+ fy="486.64789"
+ fx="605.71429"
+ r="117.14286"
+ cy="486.64789"
+ cx="605.71429" />
+ <radialGradient
+ gradientTransform="matrix(-2.774389,0,0,1.969706,112.7623,-872.8854)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient25155"
+ fy="486.64789"
+ fx="605.71429"
+ r="117.14286"
+ cy="486.64789"
+ cx="605.71429" />
+ <linearGradient
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,28.084322,0.8636252)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="linearGradient25284"
+ y2="30.928421"
+ x2="16.36447"
+ y1="39.918777"
+ x1="16.36447" />
+ <linearGradient
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,22.410835,0.8636252)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="linearGradient25287"
+ y2="30.928421"
+ x2="16.36447"
+ y1="39.918777"
+ x1="16.36447" />
+ <linearGradient
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,16.737631,0.8636252)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="linearGradient25290"
+ y2="30.928421"
+ x2="16.36447"
+ y1="39.918777"
+ x1="16.36447" />
+ <linearGradient
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,11.06438,0.8636252)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="linearGradient25293"
+ y2="30.928421"
+ x2="16.36447"
+ y1="39.918777"
+ x1="16.36447" />
+ <linearGradient
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,5.3911289,0.8636252)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="linearGradient25296"
+ y2="30.928421"
+ x2="16.36447"
+ y1="39.918777"
+ x1="16.36447" />
+ <linearGradient
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,-0.2821563,0.8636252)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="linearGradient25299"
+ y2="30.928421"
+ x2="16.36447"
+ y1="39.918777"
+ x1="16.36447" />
+ <linearGradient
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,30.92086,0.8636252)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient25302"
+ y2="30.928421"
+ x2="16.36447"
+ y1="39.918777"
+ x1="16.36447" />
+ <linearGradient
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,25.247609,0.8636252)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient25305"
+ y2="30.928421"
+ x2="16.36447"
+ y1="39.918777"
+ x1="16.36447" />
+ <linearGradient
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,19.574225,0.8636252)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient25308"
+ y2="30.928421"
+ x2="16.36447"
+ y1="39.918777"
+ x1="16.36447" />
+ <linearGradient
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,13.900977,0.8636252)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient25311"
+ y2="30.928421"
+ x2="16.36447"
+ y1="39.918777"
+ x1="16.36447" />
+ <linearGradient
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,8.2277282,0.8636252)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient25314"
+ y2="30.928421"
+ x2="16.36447"
+ y1="39.918777"
+ x1="16.36447" />
+ <linearGradient
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,2.5545053,0.8636252)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient25317"
+ y2="30.928421"
+ x2="16.36447"
+ y1="39.918777"
+ x1="16.36447" />
+ <linearGradient
+ gradientTransform="matrix(2.7372324,0,0,2.2504624,-5.011313,14.556065)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient25327"
+ y2="26.7868"
+ x2="22.311644"
+ y1="26.887815"
+ x1="27.324621" />
+ <linearGradient
+ gradientTransform="matrix(2.8415131,0,0,2.83799,-5.3545917,0.4858861)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4386"
+ id="linearGradient25335"
+ y2="10.018264"
+ x2="23.233509"
+ y1="34.463955"
+ x1="24.349752" />
+ <radialGradient
+ gradientTransform="matrix(2.774389,0,0,1.969706,-1891.633,-872.8854)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient25153-4"
+ fy="486.64789"
+ fx="605.71429"
+ r="117.14286"
+ cy="486.64789"
+ cx="605.71429" />
+ <radialGradient
+ gradientTransform="matrix(-2.774389,0,0,1.969706,112.7623,-872.8854)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient25155-7"
+ fy="486.64789"
+ fx="605.71429"
+ r="117.14286"
+ cy="486.64789"
+ cx="605.71429" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient5048"
+ id="linearGradient5675"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.774389,0,0,1.969706,-1892.179,-872.8854)"
+ x1="302.85715"
+ y1="366.64789"
+ x2="302.85715"
+ y2="609.50507" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4386"
+ id="linearGradient5677"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8415131,0,0,2.83799,-5.3545917,0.4858861)"
+ x1="24.349752"
+ y1="34.463955"
+ x2="23.233509"
+ y2="10.018264" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient5679"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.7372324,0,0,2.2504624,-5.011313,14.556065)"
+ x1="27.324621"
+ y1="26.887815"
+ x2="22.311644"
+ y2="26.7868" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient5681"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.7372324,0,0,2.2504624,-5.011313,14.556065)"
+ x1="27.324621"
+ y1="26.887815"
+ x2="22.311644"
+ y2="26.7868" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient5683"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,2.5545053,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient5685"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,8.2277282,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient5687"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,13.900977,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient5689"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,19.574225,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient5691"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,25.247609,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient5693"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,30.92086,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient5695"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,-0.2821563,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient5697"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,5.3911289,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient5699"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,11.06438,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient5701"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,16.737631,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient5703"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,22.410835,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient5705"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,28.084322,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <radialGradient
+ gradientTransform="matrix(2.774389,0,0,1.969706,-1891.633,-872.8854)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient25153-4-8"
+ fy="486.64789"
+ fx="605.71429"
+ r="117.14286"
+ cy="486.64789"
+ cx="605.71429" />
+ <radialGradient
+ gradientTransform="matrix(-2.774389,0,0,1.969706,112.7623,-872.8854)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient25155-7-7"
+ fy="486.64789"
+ fx="605.71429"
+ r="117.14286"
+ cy="486.64789"
+ cx="605.71429" />
+ <radialGradient
+ gradientTransform="matrix(2.774389,0,0,1.969706,-1891.633,-872.8854)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient25153-3"
+ fy="486.64789"
+ fx="605.71429"
+ r="117.14286"
+ cy="486.64789"
+ cx="605.71429" />
+ <radialGradient
+ gradientTransform="matrix(-2.774389,0,0,1.969706,112.7623,-872.8854)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient25155-0"
+ fy="486.64789"
+ fx="605.71429"
+ r="117.14286"
+ cy="486.64789"
+ cx="605.71429" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient5048"
+ id="linearGradient6293"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.774389,0,0,1.969706,-1892.179,-872.8854)"
+ x1="302.85715"
+ y1="366.64789"
+ x2="302.85715"
+ y2="609.50507" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4386"
+ id="linearGradient6295"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8415131,0,0,2.83799,-5.3545917,0.4858861)"
+ x1="24.349752"
+ y1="34.463955"
+ x2="23.233509"
+ y2="10.018264" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient6297"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.7372324,0,0,2.2504624,-5.011313,14.556065)"
+ x1="27.324621"
+ y1="26.887815"
+ x2="22.311644"
+ y2="26.7868" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient6299"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.7372324,0,0,2.2504624,-5.011313,14.556065)"
+ x1="27.324621"
+ y1="26.887815"
+ x2="22.311644"
+ y2="26.7868" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient6301"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,2.5545053,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient6303"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,8.2277282,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient6305"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,13.900977,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient6307"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,19.574225,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient6309"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,25.247609,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient6311"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,30.92086,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient6313"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,-0.2821563,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient6315"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,5.3911289,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient6317"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,11.06438,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient6319"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,16.737631,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient6321"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,22.410835,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient6323"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,28.084322,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ gradientTransform="translate(-34.00007,207.0001)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13145"
+ y2="-431.96991"
+ x2="285.02859"
+ y1="-441.05182"
+ x1="271.0217" />
+ <linearGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13147"
+ y2="-436.32199"
+ x2="289.67633"
+ y1="-439.75281"
+ x1="287.5173" />
+ <linearGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13149"
+ y2="-436.14453"
+ x2="289.85379"
+ y1="-441.29074"
+ x1="286.51172" />
+ <linearGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13151"
+ y2="-436.4429"
+ x2="289.39124"
+ y1="-439.939"
+ x1="285.94086" />
+ <linearGradient
+ gradientTransform="translate(-35.00007,207.0001)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13153"
+ y2="-431.91833"
+ x2="279.97546"
+ y1="-437.10501"
+ x1="275.94193" />
+ <linearGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13155"
+ y2="-436.70703"
+ x2="289.76562"
+ y1="-439.48358"
+ x1="286.66589" />
+ <linearGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13157"
+ y2="-436.83109"
+ x2="288.89954"
+ y1="-441.23294"
+ x1="284.80219" />
+ <linearGradient
+ gradientTransform="translate(69,155)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13495"
+ y2="-379.26862"
+ x2="266.36395"
+ y1="-392.30591"
+ x1="228.50261" />
+ <linearGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13497"
+ y2="-388.55029"
+ x2="245.82706"
+ y1="-393.4072"
+ x1="240.07379" />
+ <linearGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13499"
+ y2="-385.35165"
+ x2="252.69785"
+ y1="-391.31381"
+ x1="246.74042" />
+ <linearGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13501"
+ y2="-386.95901"
+ x2="235.25652"
+ y1="-390.43951"
+ x1="230.87598" />
+ <linearGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13503"
+ y2="-382.64539"
+ x2="245.65462"
+ y1="-388.47476"
+ x1="238.00478" />
+ <radialGradient
+ gradientTransform="matrix(0.930946,0,0,0.448244,234.76593,185.03806)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="radialGradient9407"
+ fy="-343.95554"
+ fx="-229.75"
+ r="14.50138"
+ cy="-343.95554"
+ cx="-229.75" />
+ <radialGradient
+ gradientTransform="matrix(0.930946,0,0,0.448244,250.20343,189.03756)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="radialGradient9522"
+ fy="-343.95554"
+ fx="-229.75"
+ r="14.50138"
+ cy="-343.95554"
+ cx="-229.75" />
+ <linearGradient
+ gradientTransform="translate(69,155)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13495-0"
+ y2="-379.26862"
+ x2="266.36395"
+ y1="-392.30591"
+ x1="228.50261" />
+ <linearGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13497-1"
+ y2="-388.55029"
+ x2="245.82706"
+ y1="-393.4072"
+ x1="240.07379" />
+ <linearGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13499-9"
+ y2="-385.35165"
+ x2="252.69785"
+ y1="-391.31381"
+ x1="246.74042" />
+ <linearGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13501-6"
+ y2="-386.95901"
+ x2="235.25652"
+ y1="-390.43951"
+ x1="230.87598" />
+ <linearGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13503-9"
+ y2="-382.64539"
+ x2="245.65462"
+ y1="-388.47476"
+ x1="238.00478" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient6752-3"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="translate(-34.00007,207.0001)"
+ x1="271.0217"
+ y1="-441.05182"
+ x2="285.02859"
+ y2="-431.96991" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient6754-3"
+ gradientUnits="userSpaceOnUse"
+ x1="287.5173"
+ y1="-439.75281"
+ x2="289.67633"
+ y2="-436.32199" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient6756-8"
+ gradientUnits="userSpaceOnUse"
+ x1="286.51172"
+ y1="-441.29074"
+ x2="289.85379"
+ y2="-436.14453" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient6758-0"
+ gradientUnits="userSpaceOnUse"
+ x1="285.94086"
+ y1="-439.939"
+ x2="289.39124"
+ y2="-436.4429" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient6760-5"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="translate(-35.00007,207.0001)"
+ x1="275.94193"
+ y1="-437.10501"
+ x2="279.97546"
+ y2="-431.91833" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient6762-6"
+ gradientUnits="userSpaceOnUse"
+ x1="286.66589"
+ y1="-439.48358"
+ x2="289.76562"
+ y2="-436.70703" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient6764-6"
+ gradientUnits="userSpaceOnUse"
+ x1="284.80219"
+ y1="-441.23294"
+ x2="288.89954"
+ y2="-436.83109" />
+ <radialGradient
+ gradientTransform="matrix(0.930946,0,0,0.448244,234.76593,185.03806)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="radialGradient9407-4"
+ fy="-343.95554"
+ fx="-229.75"
+ r="14.50138"
+ cy="-343.95554"
+ cx="-229.75" />
+ <radialGradient
+ gradientTransform="matrix(0.930946,0,0,0.448244,250.20343,189.03756)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="radialGradient9522-5"
+ fy="-343.95554"
+ fx="-229.75"
+ r="14.50138"
+ cy="-343.95554"
+ cx="-229.75" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient7191"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="translate(-34.00007,207.0001)"
+ x1="271.0217"
+ y1="-441.05182"
+ x2="285.02859"
+ y2="-431.96991" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient7193"
+ gradientUnits="userSpaceOnUse"
+ x1="287.5173"
+ y1="-439.75281"
+ x2="289.67633"
+ y2="-436.32199" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient7195"
+ gradientUnits="userSpaceOnUse"
+ x1="286.51172"
+ y1="-441.29074"
+ x2="289.85379"
+ y2="-436.14453" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient7197"
+ gradientUnits="userSpaceOnUse"
+ x1="285.94086"
+ y1="-439.939"
+ x2="289.39124"
+ y2="-436.4429" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient7199"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="translate(-35.00007,207.0001)"
+ x1="275.94193"
+ y1="-437.10501"
+ x2="279.97546"
+ y2="-431.91833" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient7201"
+ gradientUnits="userSpaceOnUse"
+ x1="286.66589"
+ y1="-439.48358"
+ x2="289.76562"
+ y2="-436.70703" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient7203"
+ gradientUnits="userSpaceOnUse"
+ x1="284.80219"
+ y1="-441.23294"
+ x2="288.89954"
+ y2="-436.83109" />
+ <linearGradient
+ id="linearGradient4344">
+ <stop
+ offset="0"
+ style="stop-color:#727e0a;stop-opacity:1"
+ id="stop4346" />
+ <stop
+ offset="1"
+ style="stop-color:#5b6508;stop-opacity:1"
+ id="stop4348" />
+ </linearGradient>
+ <linearGradient
+ id="linearGradient4338">
+ <stop
+ offset="0"
+ style="stop-color:#e9b15e;stop-opacity:1"
+ id="stop4340" />
+ <stop
+ offset="1"
+ style="stop-color:#966416;stop-opacity:1"
+ id="stop4342" />
+ </linearGradient>
+ <linearGradient
+ id="linearGradient4163">
+ <stop
+ offset="0"
+ style="stop-color:#3b74bc;stop-opacity:1"
+ id="stop4165" />
+ <stop
+ offset="1"
+ style="stop-color:#2d5990;stop-opacity:1"
+ id="stop4167" />
+ </linearGradient>
+ <linearGradient
+ id="linearGradient3824">
+ <stop
+ offset="0"
+ style="stop-color:#ffffff;stop-opacity:1"
+ id="stop3826" />
+ <stop
+ offset="1"
+ style="stop-color:#c9c9c9;stop-opacity:1"
+ id="stop3828" />
+ </linearGradient>
+ <linearGradient
+ id="linearGradient3800">
+ <stop
+ offset="0"
+ style="stop-color:#f4d9b1;stop-opacity:1"
+ id="stop3802" />
+ <stop
+ offset="1"
+ style="stop-color:#df9725;stop-opacity:1"
+ id="stop3804" />
+ </linearGradient>
+ <radialGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2476"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <linearGradient
+ gradientTransform="matrix(2.8512357,0.5265033,-0.5265033,2.8512357,-32.043584,-34.478579)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="linearGradient2478"
+ y2="36.217758"
+ x2="22.626925"
+ y1="35.817974"
+ x1="20.661695" />
+ <linearGradient
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-129.55196,15.415418)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient3824"
+ id="linearGradient2480"
+ y2="35.803486"
+ x2="30.935921"
+ y1="29.553486"
+ x1="30.935921" />
+ <linearGradient
+ gradientTransform="matrix(-2.8347379,0.6090996,0.6090996,2.8347379,27.6662,3.4736145)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="linearGradient2482"
+ y2="35.739632"
+ x2="21.408455"
+ y1="36.3904"
+ x1="22.686766" />
+ <radialGradient
+ gradientTransform="matrix(3.7622075,0,0,2.5655134,-117.78202,50.036078)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4163"
+ id="radialGradient2484"
+ fy="27.203083"
+ fx="28.089741"
+ r="13.56536"
+ cy="27.203083"
+ cx="28.089741" />
+ <linearGradient
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-93.54705,35.71149)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient3824"
+ id="linearGradient2486"
+ y2="35.803486"
+ x2="30.935921"
+ y1="29.553486"
+ x1="30.935921" />
+ <radialGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2488"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(0.787998,0,0,0.787998,6.221198,3.617627)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient3800"
+ id="radialGradient2490"
+ fy="17.064077"
+ fx="29.344931"
+ r="9.1620579"
+ cy="17.064077"
+ cx="29.344931" />
+ <linearGradient
+ gradientTransform="matrix(2.8512357,0.5265033,-0.5265033,2.8512357,-75.47857,28.023726)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="linearGradient2492"
+ y2="36.217758"
+ x2="22.626925"
+ y1="35.817974"
+ x1="20.661695" />
+ <linearGradient
+ gradientTransform="matrix(-2.8347379,0.6090996,0.6090996,2.8347379,66.23987,24.272598)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="linearGradient2494"
+ y2="35.739632"
+ x2="21.408455"
+ y1="36.3904"
+ x1="22.686766" />
+ <radialGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2537"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(3.7622075,0,0,2.5655134,-117.78202,50.036078)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4163"
+ id="radialGradient2545"
+ fy="27.203083"
+ fx="28.089741"
+ r="13.56536"
+ cy="27.203083"
+ cx="28.089741" />
+ <radialGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2549"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(0.787998,0,0,0.787998,6.221198,3.617627)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient3800"
+ id="radialGradient2551"
+ fy="17.064077"
+ fx="29.344931"
+ r="9.1620579"
+ cy="17.064077"
+ cx="29.344931" />
+ <radialGradient
+ gradientTransform="matrix(5.1479827,0,0,1.6932259,-119.37178,63.514015)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2577"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(2.8994389,0,0,1.9771767,-11.538414,17.881498)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4344"
+ id="radialGradient2579"
+ fy="19.836468"
+ fx="16.214741"
+ r="13.56536"
+ cy="19.836468"
+ cx="16.214741" />
+ <radialGradient
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-49.955974,-16.13986)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2581"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(2.2847521,0,0,2.2847521,-31.555561,-15.798808)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4338"
+ id="radialGradient2583"
+ fy="17.064077"
+ fx="29.344931"
+ r="9.1620579"
+ cy="17.064077"
+ cx="29.344931" />
+ <linearGradient
+ gradientTransform="matrix(-2.8512357,0.5265033,0.5265033,2.8512357,110.25711,-33.208531)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="linearGradient2585"
+ y2="36.217758"
+ x2="22.626925"
+ y1="35.817974"
+ x1="20.661695" />
+ <radialGradient
+ gradientTransform="matrix(5.1479827,0,0,1.6932259,-119.37178,63.514015)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2502"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(2.8994389,0,0,1.9771767,-11.538414,17.881498)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4344"
+ id="radialGradient2504"
+ fy="19.836468"
+ fx="16.214741"
+ r="13.56536"
+ cy="19.836468"
+ cx="16.214741" />
+ <radialGradient
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-49.955974,-16.13986)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2506"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(2.2847521,0,0,2.2847521,-31.555561,-15.798808)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4338"
+ id="radialGradient2508"
+ fy="17.064077"
+ fx="29.344931"
+ r="9.1620579"
+ cy="17.064077"
+ cx="29.344931" />
+ <radialGradient
+ gradientTransform="matrix(5.1479827,0,0,1.6932259,-119.37178,63.514015)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2502-1"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(2.8994389,0,0,1.9771767,-11.538414,17.881498)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4344"
+ id="radialGradient2504-2"
+ fy="19.836468"
+ fx="16.214741"
+ r="13.56536"
+ cy="19.836468"
+ cx="16.214741" />
+ <radialGradient
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-49.955974,-16.13986)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2506-4"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(2.2847521,0,0,2.2847521,-31.555561,-15.798808)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4338"
+ id="radialGradient2508-9"
+ fy="17.064077"
+ fx="29.344931"
+ r="9.1620579"
+ cy="17.064077"
+ cx="29.344931" />
+ <radialGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2476-6"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(3.7622075,0,0,2.5655134,-117.78202,50.036078)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4163"
+ id="radialGradient2484-0"
+ fy="27.203083"
+ fx="28.089741"
+ r="13.56536"
+ cy="27.203083"
+ cx="28.089741" />
+ <radialGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2488-4"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(0.787998,0,0,0.787998,6.221198,3.617627)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient3800"
+ id="radialGradient2490-3"
+ fy="17.064077"
+ fx="29.344931"
+ r="9.1620579"
+ cy="17.064077"
+ cx="29.344931" />
+ <radialGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2537-7"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(3.7622075,0,0,2.5655134,-117.78202,50.036078)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4163"
+ id="radialGradient2545-4"
+ fy="27.203083"
+ fx="28.089741"
+ r="13.56536"
+ cy="27.203083"
+ cx="28.089741" />
+ <radialGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2549-3"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(0.787998,0,0,0.787998,6.221198,3.617627)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient3800"
+ id="radialGradient2551-1"
+ fy="17.064077"
+ fx="29.344931"
+ r="9.1620579"
+ cy="17.064077"
+ cx="29.344931" />
+ <radialGradient
+ gradientTransform="matrix(5.1479827,0,0,1.6932259,-119.37178,63.514015)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2577-4"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(2.8994389,0,0,1.9771767,-11.538414,17.881498)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4344"
+ id="radialGradient2579-6"
+ fy="19.836468"
+ fx="16.214741"
+ r="13.56536"
+ cy="19.836468"
+ cx="16.214741" />
+ <radialGradient
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-49.955974,-16.13986)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2581-9"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(2.2847521,0,0,2.2847521,-31.555561,-15.798808)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4338"
+ id="radialGradient2583-4"
+ fy="17.064077"
+ fx="29.344931"
+ r="9.1620579"
+ cy="17.064077"
+ cx="29.344931" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient8469"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(-2.8512357,0.5265033,0.5265033,2.8512357,110.25711,-33.208531)"
+ x1="20.661695"
+ y1="35.817974"
+ x2="22.626925"
+ y2="36.217758" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient8471"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8512357,0.5265033,-0.5265033,2.8512357,-32.043584,-34.478579)"
+ x1="20.661695"
+ y1="35.817974"
+ x2="22.626925"
+ y2="36.217758" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient3824"
+ id="linearGradient8473"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-129.55196,15.415418)"
+ x1="30.935921"
+ y1="29.553486"
+ x2="30.935921"
+ y2="35.803486" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient8475"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(-2.8347379,0.6090996,0.6090996,2.8347379,27.6662,3.4736145)"
+ x1="22.686766"
+ y1="36.3904"
+ x2="21.408455"
+ y2="35.739632" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient3824"
+ id="linearGradient8477"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-93.54705,35.71149)"
+ x1="30.935921"
+ y1="29.553486"
+ x2="30.935921"
+ y2="35.803486" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient8479"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8512357,0.5265033,-0.5265033,2.8512357,-75.47857,28.023726)"
+ x1="20.661695"
+ y1="35.817974"
+ x2="22.626925"
+ y2="36.217758" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient8481"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(-2.8347379,0.6090996,0.6090996,2.8347379,66.23987,24.272598)"
+ x1="22.686766"
+ y1="36.3904"
+ x2="21.408455"
+ y2="35.739632" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient8483"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8512357,0.5265033,-0.5265033,2.8512357,-32.043584,-34.478579)"
+ x1="20.661695"
+ y1="35.817974"
+ x2="22.626925"
+ y2="36.217758" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient3824"
+ id="linearGradient8485"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-129.55196,15.415418)"
+ x1="30.935921"
+ y1="29.553486"
+ x2="30.935921"
+ y2="35.803486" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient8487"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(-2.8347379,0.6090996,0.6090996,2.8347379,27.6662,3.4736145)"
+ x1="22.686766"
+ y1="36.3904"
+ x2="21.408455"
+ y2="35.739632" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient3824"
+ id="linearGradient8489"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-93.54705,35.71149)"
+ x1="30.935921"
+ y1="29.553486"
+ x2="30.935921"
+ y2="35.803486" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient8491"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8512357,0.5265033,-0.5265033,2.8512357,-75.47857,28.023726)"
+ x1="20.661695"
+ y1="35.817974"
+ x2="22.626925"
+ y2="36.217758" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient8493"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(-2.8347379,0.6090996,0.6090996,2.8347379,66.23987,24.272598)"
+ x1="22.686766"
+ y1="36.3904"
+ x2="21.408455"
+ y2="35.739632" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient8495"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(-2.8512357,0.5265033,0.5265033,2.8512357,110.25711,-33.208531)"
+ x1="20.661695"
+ y1="35.817974"
+ x2="22.626925"
+ y2="36.217758" />
+ <marker
+ inkscape:stockid="Arrow1Mstart"
+ orient="auto"
+ refY="0"
+ refX="0"
+ id="Arrow1Mstart-9"
+ style="overflow:visible"
+ inkscape:isstock="true"
+ inkscape:collect="always">
+ <path
+ inkscape:connector-curvature="0"
+ id="path8505-2"
+ d="M 0,0 5,-5 -12.5,0 5,5 Z"
+ style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1.00000003pt;stroke-opacity:1"
+ transform="matrix(0.4,0,0,0.4,4,0)" />
+ </marker>
+ <marker
+ inkscape:stockid="Arrow1Mend"
+ orient="auto"
+ refY="0"
+ refX="0"
+ id="Arrow1Mend-8"
+ style="overflow:visible"
+ inkscape:isstock="true"
+ inkscape:collect="always">
+ <path
+ inkscape:connector-curvature="0"
+ id="path8508-3"
+ d="M 0,0 5,-5 -12.5,0 5,5 Z"
+ style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1.00000003pt;stroke-opacity:1"
+ transform="matrix(-0.4,0,0,-0.4,-4,0)" />
+ </marker>
+ <linearGradient
+ gradientTransform="translate(69,155)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13495-0-5"
+ y2="-379.26862"
+ x2="266.36395"
+ y1="-392.30591"
+ x1="228.50261" />
+ <linearGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13497-1-5"
+ y2="-388.55029"
+ x2="245.82706"
+ y1="-393.4072"
+ x1="240.07379" />
+ <linearGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13499-9-7"
+ y2="-385.35165"
+ x2="252.69785"
+ y1="-391.31381"
+ x1="246.74042" />
+ <linearGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13501-6-0"
+ y2="-386.95901"
+ x2="235.25652"
+ y1="-390.43951"
+ x1="230.87598" />
+ <linearGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13503-9-8"
+ y2="-382.64539"
+ x2="245.65462"
+ y1="-388.47476"
+ x1="238.00478" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient7191-1"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="translate(-34.00007,207.0001)"
+ x1="271.0217"
+ y1="-441.05182"
+ x2="285.02859"
+ y2="-431.96991" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient7193-9"
+ gradientUnits="userSpaceOnUse"
+ x1="287.5173"
+ y1="-439.75281"
+ x2="289.67633"
+ y2="-436.32199" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient7195-9"
+ gradientUnits="userSpaceOnUse"
+ x1="286.51172"
+ y1="-441.29074"
+ x2="289.85379"
+ y2="-436.14453" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient7197-7"
+ gradientUnits="userSpaceOnUse"
+ x1="285.94086"
+ y1="-439.939"
+ x2="289.39124"
+ y2="-436.4429" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient7199-8"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="translate(-35.00007,207.0001)"
+ x1="275.94193"
+ y1="-437.10501"
+ x2="279.97546"
+ y2="-431.91833" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient7201-2"
+ gradientUnits="userSpaceOnUse"
+ x1="286.66589"
+ y1="-439.48358"
+ x2="289.76562"
+ y2="-436.70703" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient7203-5"
+ gradientUnits="userSpaceOnUse"
+ x1="284.80219"
+ y1="-441.23294"
+ x2="288.89954"
+ y2="-436.83109" />
+ <radialGradient
+ gradientTransform="matrix(0.930946,0,0,0.448244,234.76593,185.03806)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="radialGradient9407-4-3"
+ fy="-343.95554"
+ fx="-229.75"
+ r="14.50138"
+ cy="-343.95554"
+ cx="-229.75" />
+ <radialGradient
+ gradientTransform="matrix(0.930946,0,0,0.448244,250.20343,189.03756)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="radialGradient9522-5-6"
+ fy="-343.95554"
+ fx="-229.75"
+ r="14.50138"
+ cy="-343.95554"
+ cx="-229.75" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13077"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="translate(-34.00007,207.0001)"
+ x1="271.0217"
+ y1="-441.05182"
+ x2="285.02859"
+ y2="-431.96991" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13079"
+ gradientUnits="userSpaceOnUse"
+ x1="287.5173"
+ y1="-439.75281"
+ x2="289.67633"
+ y2="-436.32199" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13081"
+ gradientUnits="userSpaceOnUse"
+ x1="286.51172"
+ y1="-441.29074"
+ x2="289.85379"
+ y2="-436.14453" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13083"
+ gradientUnits="userSpaceOnUse"
+ x1="285.94086"
+ y1="-439.939"
+ x2="289.39124"
+ y2="-436.4429" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13085"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="translate(-35.00007,207.0001)"
+ x1="275.94193"
+ y1="-437.10501"
+ x2="279.97546"
+ y2="-431.91833" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13087"
+ gradientUnits="userSpaceOnUse"
+ x1="286.66589"
+ y1="-439.48358"
+ x2="289.76562"
+ y2="-436.70703" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13089"
+ gradientUnits="userSpaceOnUse"
+ x1="284.80219"
+ y1="-441.23294"
+ x2="288.89954"
+ y2="-436.83109" />
+ <marker
+ inkscape:isstock="true"
+ style="overflow:visible"
+ id="marker8927-7"
+ refX="0"
+ refY="0"
+ orient="auto"
+ inkscape:stockid="Arrow1Mstart"
+ inkscape:collect="always">
+ <path
+ inkscape:connector-curvature="0"
+ transform="matrix(0.4,0,0,0.4,4,0)"
+ style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1.00000003pt;stroke-opacity:1"
+ d="M 0,0 5,-5 -12.5,0 5,5 Z"
+ id="path8925-8" />
+ </marker>
+ <marker
+ inkscape:isstock="true"
+ style="overflow:visible"
+ id="marker8875-8"
+ refX="0"
+ refY="0"
+ orient="auto"
+ inkscape:stockid="Arrow1Mend"
+ inkscape:collect="always">
+ <path
+ inkscape:connector-curvature="0"
+ transform="matrix(-0.4,0,0,-0.4,-4,0)"
+ style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1.00000003pt;stroke-opacity:1"
+ d="M 0,0 5,-5 -12.5,0 5,5 Z"
+ id="path8873-6" />
+ </marker>
+ <marker
+ inkscape:stockid="Arrow1Mstart"
+ orient="auto"
+ refY="0"
+ refX="0"
+ id="Arrow1Mstart-9-6"
+ style="overflow:visible"
+ inkscape:isstock="true"
+ inkscape:collect="always">
+ <path
+ inkscape:connector-curvature="0"
+ id="path8505-2-0"
+ d="M 0,0 5,-5 -12.5,0 5,5 Z"
+ style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1.00000003pt;stroke-opacity:1"
+ transform="matrix(0.4,0,0,0.4,4,0)" />
+ </marker>
+ <marker
+ inkscape:stockid="Arrow1Mend"
+ orient="auto"
+ refY="0"
+ refX="0"
+ id="Arrow1Mend-8-9"
+ style="overflow:visible"
+ inkscape:isstock="true"
+ inkscape:collect="always">
+ <path
+ inkscape:connector-curvature="0"
+ id="path8508-3-7"
+ d="M 0,0 5,-5 -12.5,0 5,5 Z"
+ style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1.00000003pt;stroke-opacity:1"
+ transform="matrix(-0.4,0,0,-0.4,-4,0)" />
+ </marker>
+ <radialGradient
+ gradientTransform="matrix(5.1479827,0,0,1.6932259,-119.37178,63.514015)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2502-1-9"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(2.8994389,0,0,1.9771767,-11.538414,17.881498)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4344"
+ id="radialGradient2504-2-5"
+ fy="19.836468"
+ fx="16.214741"
+ r="13.56536"
+ cy="19.836468"
+ cx="16.214741" />
+ <radialGradient
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-49.955974,-16.13986)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2506-4-8"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(2.2847521,0,0,2.2847521,-31.555561,-15.798808)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4338"
+ id="radialGradient2508-9-3"
+ fy="17.064077"
+ fx="29.344931"
+ r="9.1620579"
+ cy="17.064077"
+ cx="29.344931" />
+ <radialGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2476-6-3"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(3.7622075,0,0,2.5655134,-117.78202,50.036078)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4163"
+ id="radialGradient2484-0-7"
+ fy="27.203083"
+ fx="28.089741"
+ r="13.56536"
+ cy="27.203083"
+ cx="28.089741" />
+ <radialGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2488-4-9"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(0.787998,0,0,0.787998,6.221198,3.617627)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient3800"
+ id="radialGradient2490-3-0"
+ fy="17.064077"
+ fx="29.344931"
+ r="9.1620579"
+ cy="17.064077"
+ cx="29.344931" />
+ <radialGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2537-7-8"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(3.7622075,0,0,2.5655134,-117.78202,50.036078)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4163"
+ id="radialGradient2545-4-5"
+ fy="27.203083"
+ fx="28.089741"
+ r="13.56536"
+ cy="27.203083"
+ cx="28.089741" />
+ <radialGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2549-3-8"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(0.787998,0,0,0.787998,6.221198,3.617627)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient3800"
+ id="radialGradient2551-1-4"
+ fy="17.064077"
+ fx="29.344931"
+ r="9.1620579"
+ cy="17.064077"
+ cx="29.344931" />
+ <radialGradient
+ gradientTransform="matrix(5.1479827,0,0,1.6932259,-119.37178,63.514015)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2577-4-3"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(2.8994389,0,0,1.9771767,-11.538414,17.881498)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4344"
+ id="radialGradient2579-6-7"
+ fy="19.836468"
+ fx="16.214741"
+ r="13.56536"
+ cy="19.836468"
+ cx="16.214741" />
+ <radialGradient
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-49.955974,-16.13986)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2581-9-1"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(2.2847521,0,0,2.2847521,-31.555561,-15.798808)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4338"
+ id="radialGradient2583-4-3"
+ fy="17.064077"
+ fx="29.344931"
+ r="9.1620579"
+ cy="17.064077"
+ cx="29.344931" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient16878"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(-2.8512357,0.5265033,0.5265033,2.8512357,110.25711,-33.208531)"
+ x1="20.661695"
+ y1="35.817974"
+ x2="22.626925"
+ y2="36.217758" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient16880"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8512357,0.5265033,-0.5265033,2.8512357,-32.043584,-34.478579)"
+ x1="20.661695"
+ y1="35.817974"
+ x2="22.626925"
+ y2="36.217758" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient3824"
+ id="linearGradient16882"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-129.55196,15.415418)"
+ x1="30.935921"
+ y1="29.553486"
+ x2="30.935921"
+ y2="35.803486" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient16884"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(-2.8347379,0.6090996,0.6090996,2.8347379,27.6662,3.4736145)"
+ x1="22.686766"
+ y1="36.3904"
+ x2="21.408455"
+ y2="35.739632" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient3824"
+ id="linearGradient16886"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-93.54705,35.71149)"
+ x1="30.935921"
+ y1="29.553486"
+ x2="30.935921"
+ y2="35.803486" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient16888"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8512357,0.5265033,-0.5265033,2.8512357,-75.47857,28.023726)"
+ x1="20.661695"
+ y1="35.817974"
+ x2="22.626925"
+ y2="36.217758" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient16890"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(-2.8347379,0.6090996,0.6090996,2.8347379,66.23987,24.272598)"
+ x1="22.686766"
+ y1="36.3904"
+ x2="21.408455"
+ y2="35.739632" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient16892"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8512357,0.5265033,-0.5265033,2.8512357,-32.043584,-34.478579)"
+ x1="20.661695"
+ y1="35.817974"
+ x2="22.626925"
+ y2="36.217758" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient3824"
+ id="linearGradient16894"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-129.55196,15.415418)"
+ x1="30.935921"
+ y1="29.553486"
+ x2="30.935921"
+ y2="35.803486" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient16896"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(-2.8347379,0.6090996,0.6090996,2.8347379,27.6662,3.4736145)"
+ x1="22.686766"
+ y1="36.3904"
+ x2="21.408455"
+ y2="35.739632" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient3824"
+ id="linearGradient16898"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-93.54705,35.71149)"
+ x1="30.935921"
+ y1="29.553486"
+ x2="30.935921"
+ y2="35.803486" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient16900"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8512357,0.5265033,-0.5265033,2.8512357,-75.47857,28.023726)"
+ x1="20.661695"
+ y1="35.817974"
+ x2="22.626925"
+ y2="36.217758" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient16902"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(-2.8347379,0.6090996,0.6090996,2.8347379,66.23987,24.272598)"
+ x1="22.686766"
+ y1="36.3904"
+ x2="21.408455"
+ y2="35.739632" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient16904"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(-2.8512357,0.5265033,0.5265033,2.8512357,110.25711,-33.208531)"
+ x1="20.661695"
+ y1="35.817974"
+ x2="22.626925"
+ y2="36.217758" />
+ </defs>
+ <sodipodi:namedview
+ id="base"
+ pagecolor="#ffffff"
+ bordercolor="#666666"
+ borderopacity="1.0"
+ inkscape:pageopacity="0.0"
+ inkscape:pageshadow="2"
+ inkscape:zoom="0.39990234"
+ inkscape:cx="668.26732"
+ inkscape:cy="1173.4635"
+ inkscape:document-units="mm"
+ inkscape:current-layer="layer1"
+ showgrid="false"
+ inkscape:window-width="1276"
+ inkscape:window-height="1399"
+ inkscape:window-x="1280"
+ inkscape:window-y="578"
+ inkscape:window-maximized="0" />
+ <metadata
+ id="metadata5">
+ <rdf:RDF>
+ <cc:Work
+ rdf:about="">
+ <dc:format>image/svg+xml</dc:format>
+ <dc:type
+ rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+ <dc:title></dc:title>
+ </cc:Work>
+ </rdf:RDF>
+ </metadata>
+ <g
+ inkscape:label="Layer 1"
+ inkscape:groupmode="layer"
+ id="layer1">
+ <g
+ id="g5380"
+ transform="matrix(0.26458333,0,0,0.26458333,234.65251,5.4559774)">
+ <g
+ style="display:inline"
+ id="layer1-5" />
+ <g
+ style="display:inline"
+ id="layer2">
+ <g
+ style="display:inline"
+ id="g6707"
+ transform="matrix(0.04030136,0,0,0.05919351,98.269348,107.74796)">
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.40206185;fill:url(#linearGradient25151);fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1;marker:none"
+ id="rect6709"
+ y="-150.69685"
+ x="-1559.2523"
+ height="478.35718"
+ width="1339.6335" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.40206185;fill:url(#radialGradient25153);fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1;marker:none"
+ id="path6711"
+ d="m -219.61876,-150.68038 c 0,0 0,478.33079 0,478.33079 142.874166,0.90045 345.40022,-107.16966 345.40014,-239.196175 0,-132.026537 -159.436816,-239.134595 -345.40014,-239.134615 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.40206185;fill:url(#radialGradient25155);fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1;marker:none"
+ id="path6713"
+ d="m -1559.2523,-150.68038 c 0,0 0,478.33079 0,478.33079 -142.8742,0.90045 -345.4002,-107.16966 -345.4002,-239.196175 0,-132.026537 159.4368,-239.134595 345.4002,-239.134615 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <path
+ style="fill:url(#linearGradient25335);fill-opacity:1;fill-rule:evenodd;stroke:#5e5e5e;stroke-width:2.83662605px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1"
+ id="path3626"
+ d="m 30.069752,22.03729 v 95.17786 H 92.475495 V 21.46393 L 80.994049,9.423358 H 40.977128 Z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#ffffff;fill-opacity:0.65536726;fill-rule:evenodd;stroke:none"
+ id="path5791"
+ d="M 41.556086,10.841671 31.488067,25.024802 h 59.56912 l -10.90702,-13.76598 z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.34857142;fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:#ffffff;stroke-width:2.83662605;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4553"
+ y="30.698046"
+ x="39.997936"
+ height="11.346502"
+ width="45.386024" />
+ <path
+ style="fill:none;stroke:#ffffff;stroke-width:2.83662724;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+ id="path4394"
+ d="M 32.906375,23.771924 V 114.3785 H 89.638911 V 23.248654 L 79.132886,12.260001 H 42.887099 Z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.52571429;fill:url(#linearGradient25327);fill-opacity:1;fill-rule:evenodd;stroke:url(#linearGradient25327);stroke-width:2.83662701;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4408"
+ y="67.574181"
+ x="54.181065"
+ height="11.346499"
+ width="31.202894" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:#c8c8c8;fill-opacity:1;fill-rule:evenodd;stroke:#acacac;stroke-width:2.83662534;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4398"
+ y="66.155869"
+ x="52.762733"
+ height="11.346502"
+ width="31.202871" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.34857142;fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:#ffffff;stroke-width:2.83662558;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4551"
+ y="47.7178"
+ x="39.997952"
+ height="11.346502"
+ width="45.386024" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:#c8c8c8;fill-opacity:1;fill-rule:evenodd;stroke:#acacac;stroke-width:2.83662653;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4430"
+ y="46.299488"
+ x="38.579624"
+ height="11.346502"
+ width="45.386032" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:#c8c8c8;fill-opacity:1;fill-rule:evenodd;stroke:#acacac;stroke-width:2.83662605;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4436"
+ y="29.279736"
+ x="38.579647"
+ height="11.346502"
+ width="45.386032" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#d40000;fill-opacity:1;fill-rule:evenodd;stroke:#979797;stroke-width:1.44772947;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path4396"
+ transform="matrix(1.9593699,0,0,1.9593562,-86.509754,21.850696)"
+ d="m 68.185294,26.231213 a 2.171828,2.171828 0 1 1 -4.343656,0 2.171828,2.171828 0 1 1 4.343656,0 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#f44800;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="path4445"
+ transform="matrix(2.5342538,0,0,2.5342343,0.4673221,7.5389146)"
+ d="m 16.667518,25.574614 a 0.5050765,0.5050765 0 1 1 -1.010153,0 0.5050765,0.5050765 0 1 1 1.010153,0 z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient25317);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4457"
+ y="84.593979"
+ x="48.507816"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient25314);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4461"
+ y="84.593979"
+ x="54.181038"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient25311);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4465"
+ y="84.593979"
+ x="59.854286"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient25308);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4469"
+ y="84.593979"
+ x="65.527534"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient25305);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4473"
+ y="84.593979"
+ x="71.200821"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.54285709;fill:url(#linearGradient25302);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4477"
+ y="84.593979"
+ x="76.874069"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.16000001;fill:url(#linearGradient25299);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4481"
+ y="84.593979"
+ x="45.671154"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient25296);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4483"
+ y="84.593979"
+ x="51.34444"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient25293);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4485"
+ y="84.593979"
+ x="57.017693"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient25290);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4487"
+ y="84.593979"
+ x="62.690945"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient25287);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4489"
+ y="84.593979"
+ x="68.364159"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22857145;fill:url(#linearGradient25284);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4491"
+ y="84.593979"
+ x="74.037407"
+ height="28.36627"
+ width="2.8366244" />
+ </g>
+ </g>
+ <g
+ id="g5380-5"
+ transform="matrix(0.26458333,0,0,0.26458333,297.38819,-2.9937819)">
+ <g
+ style="display:inline"
+ id="layer1-5-9" />
+ <g
+ style="display:inline"
+ id="layer2-6">
+ <g
+ style="display:inline"
+ id="g6707-2"
+ transform="matrix(0.04030136,0,0,0.05919351,98.269348,107.74796)">
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.40206185;fill:url(#linearGradient5675);fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1;marker:none"
+ id="rect6709-1"
+ y="-150.69685"
+ x="-1559.2523"
+ height="478.35718"
+ width="1339.6335" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.40206185;fill:url(#radialGradient25153-4);fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1;marker:none"
+ id="path6711-7"
+ d="m -219.61876,-150.68038 c 0,0 0,478.33079 0,478.33079 142.874166,0.90045 345.40022,-107.16966 345.40014,-239.196175 0,-132.026537 -159.436816,-239.134595 -345.40014,-239.134615 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.40206185;fill:url(#radialGradient25155-7);fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1;marker:none"
+ id="path6713-8"
+ d="m -1559.2523,-150.68038 c 0,0 0,478.33079 0,478.33079 -142.8742,0.90045 -345.4002,-107.16966 -345.4002,-239.196175 0,-132.026537 159.4368,-239.134595 345.4002,-239.134615 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <path
+ style="fill:url(#linearGradient5677);fill-opacity:1;fill-rule:evenodd;stroke:#5e5e5e;stroke-width:2.83662605px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1"
+ id="path3626-5"
+ d="m 30.069752,22.03729 v 95.17786 H 92.475495 V 21.46393 L 80.994049,9.423358 H 40.977128 Z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#ffffff;fill-opacity:0.65536726;fill-rule:evenodd;stroke:none"
+ id="path5791-7"
+ d="M 41.556086,10.841671 31.488067,25.024802 h 59.56912 l -10.90702,-13.76598 z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.34857142;fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:#ffffff;stroke-width:2.83662605;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4553-4"
+ y="30.698046"
+ x="39.997936"
+ height="11.346502"
+ width="45.386024" />
+ <path
+ style="fill:none;stroke:#ffffff;stroke-width:2.83662724;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+ id="path4394-1"
+ d="M 32.906375,23.771924 V 114.3785 H 89.638911 V 23.248654 L 79.132886,12.260001 H 42.887099 Z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.52571429;fill:url(#linearGradient5679);fill-opacity:1;fill-rule:evenodd;stroke:url(#linearGradient5681);stroke-width:2.83662701;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4408-8"
+ y="67.574181"
+ x="54.181065"
+ height="11.346499"
+ width="31.202894" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:#c8c8c8;fill-opacity:1;fill-rule:evenodd;stroke:#acacac;stroke-width:2.83662534;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4398-5"
+ y="66.155869"
+ x="52.762733"
+ height="11.346502"
+ width="31.202871" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.34857142;fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:#ffffff;stroke-width:2.83662558;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4551-9"
+ y="47.7178"
+ x="39.997952"
+ height="11.346502"
+ width="45.386024" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:#c8c8c8;fill-opacity:1;fill-rule:evenodd;stroke:#acacac;stroke-width:2.83662653;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4430-7"
+ y="46.299488"
+ x="38.579624"
+ height="11.346502"
+ width="45.386032" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:#c8c8c8;fill-opacity:1;fill-rule:evenodd;stroke:#acacac;stroke-width:2.83662605;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4436-5"
+ y="29.279736"
+ x="38.579647"
+ height="11.346502"
+ width="45.386032" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#d40000;fill-opacity:1;fill-rule:evenodd;stroke:#979797;stroke-width:1.44772947;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path4396-3"
+ transform="matrix(1.9593699,0,0,1.9593562,-86.509754,21.850696)"
+ d="m 68.185294,26.231213 a 2.171828,2.171828 0 1 1 -4.343656,0 2.171828,2.171828 0 1 1 4.343656,0 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#f44800;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="path4445-8"
+ transform="matrix(2.5342538,0,0,2.5342343,0.4673221,7.5389146)"
+ d="m 16.667518,25.574614 a 0.5050765,0.5050765 0 1 1 -1.010153,0 0.5050765,0.5050765 0 1 1 1.010153,0 z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient5683);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4457-8"
+ y="84.593979"
+ x="48.507816"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient5685);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4461-3"
+ y="84.593979"
+ x="54.181038"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient5687);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4465-1"
+ y="84.593979"
+ x="59.854286"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient5689);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4469-8"
+ y="84.593979"
+ x="65.527534"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient5691);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4473-9"
+ y="84.593979"
+ x="71.200821"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.54285709;fill:url(#linearGradient5693);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4477-6"
+ y="84.593979"
+ x="76.874069"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.16000001;fill:url(#linearGradient5695);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4481-4"
+ y="84.593979"
+ x="45.671154"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient5697);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4483-3"
+ y="84.593979"
+ x="51.34444"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient5699);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4485-3"
+ y="84.593979"
+ x="57.017693"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient5701);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4487-3"
+ y="84.593979"
+ x="62.690945"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient5703);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4489-8"
+ y="84.593979"
+ x="68.364159"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22857145;fill:url(#linearGradient5705);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4491-6"
+ y="84.593979"
+ x="74.037407"
+ height="28.36627"
+ width="2.8366244" />
+ </g>
+ </g>
+ <g
+ id="g5380-9"
+ transform="matrix(0.26458333,0,0,0.26458333,60.217749,34.452312)">
+ <g
+ style="display:inline"
+ id="layer1-5-2" />
+ <g
+ style="display:inline"
+ id="layer2-5">
+ <g
+ style="display:inline"
+ id="g6707-4"
+ transform="matrix(0.04030136,0,0,0.05919351,98.269348,107.74796)">
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.40206185;fill:url(#linearGradient6293);fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1;marker:none"
+ id="rect6709-0"
+ y="-150.69685"
+ x="-1559.2523"
+ height="478.35718"
+ width="1339.6335" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.40206185;fill:url(#radialGradient25153-3);fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1;marker:none"
+ id="path6711-5"
+ d="m -219.61876,-150.68038 c 0,0 0,478.33079 0,478.33079 142.874166,0.90045 345.40022,-107.16966 345.40014,-239.196175 0,-132.026537 -159.436816,-239.134595 -345.40014,-239.134615 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.40206185;fill:url(#radialGradient25155-0);fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1;marker:none"
+ id="path6713-9"
+ d="m -1559.2523,-150.68038 c 0,0 0,478.33079 0,478.33079 -142.8742,0.90045 -345.4002,-107.16966 -345.4002,-239.196175 0,-132.026537 159.4368,-239.134595 345.4002,-239.134615 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <path
+ style="fill:url(#linearGradient6295);fill-opacity:1;fill-rule:evenodd;stroke:#5e5e5e;stroke-width:2.83662605px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1"
+ id="path3626-4"
+ d="m 30.069752,22.03729 v 95.17786 H 92.475495 V 21.46393 L 80.994049,9.423358 H 40.977128 Z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#ffffff;fill-opacity:0.65536726;fill-rule:evenodd;stroke:none"
+ id="path5791-6"
+ d="M 41.556086,10.841671 31.488067,25.024802 h 59.56912 l -10.90702,-13.76598 z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.34857142;fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:#ffffff;stroke-width:2.83662605;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4553-9"
+ y="30.698046"
+ x="39.997936"
+ height="11.346502"
+ width="45.386024" />
+ <path
+ style="fill:none;stroke:#ffffff;stroke-width:2.83662724;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+ id="path4394-2"
+ d="M 32.906375,23.771924 V 114.3785 H 89.638911 V 23.248654 L 79.132886,12.260001 H 42.887099 Z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.52571429;fill:url(#linearGradient6297);fill-opacity:1;fill-rule:evenodd;stroke:url(#linearGradient6299);stroke-width:2.83662701;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4408-2"
+ y="67.574181"
+ x="54.181065"
+ height="11.346499"
+ width="31.202894" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:#c8c8c8;fill-opacity:1;fill-rule:evenodd;stroke:#acacac;stroke-width:2.83662534;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4398-4"
+ y="66.155869"
+ x="52.762733"
+ height="11.346502"
+ width="31.202871" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.34857142;fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:#ffffff;stroke-width:2.83662558;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4551-7"
+ y="47.7178"
+ x="39.997952"
+ height="11.346502"
+ width="45.386024" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:#c8c8c8;fill-opacity:1;fill-rule:evenodd;stroke:#acacac;stroke-width:2.83662653;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4430-75"
+ y="46.299488"
+ x="38.579624"
+ height="11.346502"
+ width="45.386032" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:#c8c8c8;fill-opacity:1;fill-rule:evenodd;stroke:#acacac;stroke-width:2.83662605;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4436-4"
+ y="29.279736"
+ x="38.579647"
+ height="11.346502"
+ width="45.386032" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#d40000;fill-opacity:1;fill-rule:evenodd;stroke:#979797;stroke-width:1.44772947;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path4396-8"
+ transform="matrix(1.9593699,0,0,1.9593562,-86.509754,21.850696)"
+ d="m 68.185294,26.231213 a 2.171828,2.171828 0 1 1 -4.343656,0 2.171828,2.171828 0 1 1 4.343656,0 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#f44800;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="path4445-1"
+ transform="matrix(2.5342538,0,0,2.5342343,0.4673221,7.5389146)"
+ d="m 16.667518,25.574614 a 0.5050765,0.5050765 0 1 1 -1.010153,0 0.5050765,0.5050765 0 1 1 1.010153,0 z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient6301);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4457-2"
+ y="84.593979"
+ x="48.507816"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient6303);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4461-8"
+ y="84.593979"
+ x="54.181038"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient6305);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4465-9"
+ y="84.593979"
+ x="59.854286"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient6307);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4469-3"
+ y="84.593979"
+ x="65.527534"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient6309);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4473-6"
+ y="84.593979"
+ x="71.200821"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.54285709;fill:url(#linearGradient6311);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4477-8"
+ y="84.593979"
+ x="76.874069"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.16000001;fill:url(#linearGradient6313);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4481-0"
+ y="84.593979"
+ x="45.671154"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient6315);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4483-2"
+ y="84.593979"
+ x="51.34444"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient6317);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4485-1"
+ y="84.593979"
+ x="57.017693"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient6319);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4487-0"
+ y="84.593979"
+ x="62.690945"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient6321);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4489-5"
+ y="84.593979"
+ x="68.364159"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22857145;fill:url(#linearGradient6323);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4491-1"
+ y="84.593979"
+ x="74.037407"
+ height="28.36627"
+ width="2.8366244" />
+ </g>
+ </g>
+ <g
+ id="g6750-6"
+ transform="matrix(0.26458333,0,0,0.26458333,122.07424,34.785641)">
+ <g
+ style="display:inline"
+ id="layer1-3-9" />
+ <g
+ style="display:inline"
+ id="layer2-4-8">
+ <g
+ id="g12825-7"
+ transform="matrix(2.5313899,0,0,3.0201142,-712.99191,751.20922)">
+ <path
+ style="fill:#555753;fill-opacity:1;stroke:none"
+ id="path12827-2"
+ d="m 311.5,-242.99998 c -2.77242,0 -5.10823,1.57371 -6.40625,3.8125 -0.94436,-0.47504 -1.96519,-0.8125 -3.09375,-0.8125 -3.864,0 -7,3.136 -7,7 0,3.864 3.136,7 7,7 2.41967,0 4.43009,-1.31932 5.6875,-3.1875 1.1342,0.68962 2.38898,1.1875 3.8125,1.1875 0.91312,0 1.75295,-0.23202 2.5625,-0.53125 0.50994,0.86773 1.17912,1.57972 2,2.15625 -0.007,0.13038 -0.0625,0.24282 -0.0625,0.375 0,3.864 3.13599,7 7,7 3.864,0 7,-3.136 7,-7 0,-2.36969 -1.25898,-4.35834 -3.0625,-5.625 0.007,-0.13038 0.0625,-0.24282 0.0625,-0.375 0,-3.864 -3.13599,-7 -7,-7 -0.6227,0 -1.17519,0.22219 -1.75,0.375 -1.19453,-2.55884 -3.74134,-4.375 -6.75,-4.375 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:url(#linearGradient13495-0);fill-opacity:1;stroke:none"
+ id="path12829-8"
+ d="m 311.5,-241.99998 c -2.78048,0 -5.13451,1.76185 -6.0625,4.21875 -0.98542,-0.70944 -2.13143,-1.21875 -3.4375,-1.21875 -3.312,0 -6,2.688 -6,6 0,3.312 2.688,6 6,6 2.42775,0 4.49324,-1.45558 5.4375,-3.53125 1.12076,0.91756 2.50214,1.53125 4.0625,1.53125 1.07454,0 2.04428,-0.31896 2.9375,-0.78125 0.3984,0.99976 1.10114,1.78632 1.9375,2.4375 -0.18001,0.59562 -0.375,1.18965 -0.375,1.84375 0,3.588 2.912,6.5 6.5,6.5 3.588,0 6.5,-2.912 6.5,-6.5 0,-2.36079 -1.33433,-4.33019 -3.21875,-5.46875 0.0626,-0.34723 0.21875,-0.66608 0.21875,-1.03125 0,-3.312 -2.688,-6 -6,-6 -0.85298,0 -1.6713,0.17868 -2.40625,0.5 -0.85377,-2.59388 -3.21524,-4.49999 -6.09375,-4.5 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12831-2"
+ transform="matrix(0.964447,0,0,0.964447,89.28852,144.5262)"
+ d="m 248.54804,-383.6666 c 0,3.72219 -3.01743,6.73961 -6.73962,6.73961 -3.72218,0 -6.73961,-3.01742 -6.73961,-6.73961 0,-3.72219 3.01743,-6.73962 6.73961,-6.73962 3.72219,0 6.73962,3.01743 6.73962,6.73962 z"
+ inkscape:connector-curvature="0" />
+ <g
+ id="g12833-9">
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12835-9"
+ transform="matrix(0.88263,0,0,0.88263,96.18078,108.1091)"
+ d="m 250.18322,-389.30136 c 0,3.4415 -2.78988,6.23138 -6.23138,6.23138 -3.4415,0 -6.23138,-2.78988 -6.23138,-6.23138 0,-3.4415 2.78988,-6.23138 6.23138,-6.23138 3.4415,0 6.23138,2.78988 6.23138,6.23138 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.49444442;fill:url(#linearGradient13497-1);fill-opacity:1;stroke:none"
+ id="path12837-6"
+ transform="matrix(0.88263,0,0,0.88263,96.18078,108.1091)"
+ d="m 250.18322,-389.30136 c 0,3.4415 -2.78988,6.23138 -6.23138,6.23138 -3.4415,0 -6.23138,-2.78988 -6.23138,-6.23138 0,-3.4415 2.78988,-6.23138 6.23138,-6.23138 3.4415,0 6.23138,2.78988 6.23138,6.23138 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <g
+ id="g12839-0">
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12841-2"
+ transform="matrix(0.911728,0,0,0.911728,90.45407,120.2336)"
+ d="m 257.25429,-385.7879 c 0,3.33166 -2.70084,6.03251 -6.03251,6.03251 -3.33166,0 -6.0325,-2.70085 -6.0325,-6.03251 0,-3.33166 2.70084,-6.0325 6.0325,-6.0325 3.33167,0 6.03251,2.70084 6.03251,6.0325 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.49444442;fill:url(#linearGradient13499-9);fill-opacity:1;stroke:none"
+ id="path12843-7"
+ transform="matrix(0.911728,0,0,0.911728,90.45407,120.2336)"
+ d="m 257.25429,-385.7879 c 0,3.33166 -2.70084,6.03251 -6.03251,6.03251 -3.33166,0 -6.0325,-2.70085 -6.0325,-6.03251 0,-3.33166 2.70084,-6.0325 6.0325,-6.0325 3.33167,0 6.03251,2.70084 6.03251,6.0325 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <g
+ id="g12845-6">
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12847-1"
+ transform="matrix(1.142799,0,0,1.142799,35.23229,210.277)"
+ d="m 237.80885,-387.88715 c 0,2.41637 -1.95885,4.37522 -4.37522,4.37522 -2.41638,0 -4.37523,-1.95885 -4.37523,-4.37522 0,-2.41637 1.95885,-4.37523 4.37523,-4.37523 2.41637,0 4.37522,1.95886 4.37522,4.37523 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.49444442;fill:url(#linearGradient13501-6);fill-opacity:1;stroke:none"
+ id="path12849-3"
+ transform="matrix(1.142799,0,0,1.142799,35.23229,210.277)"
+ d="m 237.80885,-387.88715 c 0,2.41637 -1.95885,4.37522 -4.37522,4.37522 -2.41638,0 -4.37523,-1.95885 -4.37523,-4.37522 0,-2.41637 1.95885,-4.37523 4.37523,-4.37523 2.41637,0 4.37522,1.95886 4.37522,4.37523 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <g
+ id="g12851-2">
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12853-1"
+ transform="matrix(1.038636,0,0,1.038636,59.84906,169.4899)"
+ d="m 248.54804,-383.6666 c 0,3.72219 -3.01743,6.73961 -6.73962,6.73961 -3.72218,0 -6.73961,-3.01742 -6.73961,-6.73961 0,-3.72219 3.01743,-6.73962 6.73961,-6.73962 3.72219,0 6.73962,3.01743 6.73962,6.73962 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.49444442;fill:url(#linearGradient13503-9);fill-opacity:1;stroke:none"
+ id="path12855-5"
+ transform="matrix(1.038636,0,0,1.038636,59.84907,169.4899)"
+ d="m 248.54804,-383.6666 c 0,3.72219 -3.01743,6.73961 -6.73962,6.73961 -3.72218,0 -6.73961,-3.01742 -6.73961,-6.73961 0,-3.72219 3.01743,-6.73962 6.73961,-6.73962 3.72219,0 6.73962,3.01743 6.73962,6.73962 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ </g>
+ <g
+ id="g9468-9"
+ transform="matrix(2.5313899,0,0,3.0201142,-10.842401,-5.9723708)">
+ <g
+ id="g12891-9"
+ transform="translate(-225.18126,253.09536)">
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:#555753;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:2;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
+ id="path12893-1"
+ d="m 246.49993,-238.49993 c -2.27083,0 -4.10991,1.55028 -4.71875,3.625 -0.69323,-0.36383 -1.44451,-0.625 -2.28125,-0.625 -2.76,0 -5.00001,2.23999 -5,5 0,0.57893 0.16252,1.1077 0.34375,1.625 -1.37347,0.77074 -2.34375,2.189 -2.34375,3.875 0,2.484 2.016,4.50001 4.5,4.5 0.17713,0 18.82287,0 19,0 2.48399,0 4.5,-2.016 4.5,-4.5 0,-1.686 -0.97028,-3.10426 -2.34375,-3.875 0.18124,-0.51729 0.34375,-1.04608 0.34375,-1.625 0,-2.76 -2.24,-4.99999 -5,-5 -0.83674,0 -1.58802,0.26117 -2.28125,0.625 -0.60884,-2.07472 -2.44792,-3.625 -4.71875,-3.625 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:url(#linearGradient7191);fill-opacity:1;stroke:none"
+ id="path12895-4"
+ d="m 246.49993,-237.99993 c -2.18972,0 -3.7236,1.33577 -4.39555,3.84352 -0.66846,-0.34362 -1.54759,-0.83335 -2.35445,-0.83335 -2.71651,0 -4.75514,1.93882 -4.75513,4.54554 0,0.54677 0.26721,1.33344 0.44196,1.82201 -1.32443,0.72795 -2.43683,1.8905 -2.43683,3.37255 0,2.34605 1.54617,4.25009 4.33928,4.25009 0.17081,0 18.15064,0 18.32144,0 2.77101,0 4.33928,-1.90404 4.33928,-4.25009 0,-1.59237 -1.1124,-2.66669 -2.43683,-3.39464 0.17476,-0.48856 0.46407,-1.25316 0.46407,-1.79992 0,-2.60671 -2.11581,-4.56763 -4.77723,-4.56764 -0.80687,0 -1.64181,0.48974 -2.31027,0.83336 -0.64885,-2.42154 -2.25001,-3.82143 -4.43974,-3.82143 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12897-9"
+ transform="matrix(1.056604,0,0,1.056604,-58.19825,228.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient7193);fill-opacity:1;stroke:none"
+ id="path12899-1"
+ transform="matrix(1.056604,0,0,1.056604,-58.19825,228.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="rect12901-0"
+ y="-230.99992"
+ x="236.99994"
+ height="9"
+ width="20" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12903-7"
+ transform="matrix(0.90566,0,0,0.90566,-24.16987,171.3114)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12905-5"
+ transform="matrix(1.056604,0,0,1.056604,-51.19818,231.8633)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient7195);fill-opacity:1;stroke:none"
+ id="path12907-8"
+ transform="matrix(1.056604,0,0,1.056604,-51.19825,231.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12909-7"
+ transform="matrix(1.056604,0,0,1.056604,-65.19825,231.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient7197);fill-opacity:1;stroke:none"
+ id="path12911-0"
+ transform="matrix(1.056604,0,0,1.056604,-65.19825,231.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12913-4"
+ d="m 245.46868,-233.96868 c -3.57938,0 -6.46875,2.92063 -6.46875,6.5 0,2.37068 1.34943,4.33779 3.25,5.46875 h 6.46875 c 1.90057,-1.13096 3.25,-3.12931 3.25,-5.5 0,-3.57938 -2.92063,-6.46875 -6.5,-6.46875 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient7199);fill-opacity:1;stroke:none"
+ id="path12915-8"
+ d="m 245.49993,-233.99993 c -3.588,0 -6.5,2.91201 -6.5,6.5 0,2.3764 1.34485,4.36632 3.25,5.5 h 6.5 c 1.90515,-1.13368 3.25,-3.1236 3.25,-5.5 0,-3.588 -2.912,-6.49999 -6.5,-6.5 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient7201);fill-opacity:1;stroke:none"
+ id="path12917-0"
+ transform="matrix(0.90566,0,0,0.90566,-24.16977,171.3113)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#555753;fill-opacity:1;fill-rule:evenodd;stroke:none"
+ id="path12919-4"
+ d="m 258.95633,-230.33389 c -0.002,2.68456 -3.26926,3.71395 -3.26926,3.71395 0,0 2.34874,-1.62595 2.33685,-3.70501 0,0 0.93241,-0.009 0.93241,-0.009 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12921-2"
+ transform="matrix(1.207547,0,0,1.207547,-98.22652,302.4154)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient7203);fill-opacity:1;stroke:none"
+ id="path12923-9"
+ transform="matrix(1.207547,0,0,1.207547,-98.22652,302.4154)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <path
+ style="fill:url(#radialGradient9407-4);fill-opacity:1;stroke:none"
+ id="path11418-6"
+ d="m 21.02789,15.111956 c -2.0001,0 -3.68558,1.0795 -4.53057,2.61494 -0.59491,-0.22191 -1.24464,-0.35337 -1.92595,-0.35337 -2.83021,0 -5.1175304,2.11817 -5.1175304,4.7175 0,0.45375 0.14453,0.85683 0.27514,1.27213 -1.38232,0.86527 -2.34783,2.25357 -2.34783,3.90473 0,2.65283 0.65162,4.99335 5.2275804,4.80585 0.04512,-0.0018 17.45148,0.09698 17.70041,-0.01803 3.08521,0.22595 4.07201,-2.44573 4.07201,-4.69946 0,-1.70051 -0.83694,-3.04985 -2.30927,-3.87759 0.04796,-0.25856 -0.03856,-0.55119 -0.03856,-0.82225 0,-2.59932 -2.30565,-4.71749 -5.13587,-4.71749 -0.39349,0 -0.7324,0.13482 -1.10054,0.21202 -0.73846,-1.76812 -2.58501,-3.03898 -4.76902,-3.03898 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <g
+ id="g9488-1"
+ transform="matrix(2.5313899,0,0,3.0201142,-5.7841588,-18.063655)">
+ <g
+ id="g12857-0"
+ transform="translate(-210.16696,257.11136)">
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:#555753;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:2;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
+ id="path12859-4"
+ d="m 246.49993,-238.49993 c -2.27083,0 -4.10991,1.55028 -4.71875,3.625 -0.69323,-0.36383 -1.44451,-0.625 -2.28125,-0.625 -2.76,0 -5.00001,2.23999 -5,5 0,0.57893 0.16252,1.1077 0.34375,1.625 -1.37347,0.77074 -2.34375,2.189 -2.34375,3.875 0,2.484 2.016,4.50001 4.5,4.5 0.17713,0 18.82287,0 19,0 2.48399,0 4.5,-2.016 4.5,-4.5 0,-1.686 -0.97028,-3.10426 -2.34375,-3.875 0.18124,-0.51729 0.34375,-1.04608 0.34375,-1.625 0,-2.76 -2.24,-4.99999 -5,-5 -0.83674,0 -1.58802,0.26117 -2.28125,0.625 -0.60884,-2.07472 -2.44792,-3.625 -4.71875,-3.625 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:url(#linearGradient6752-3);fill-opacity:1;stroke:none"
+ id="path12861-2"
+ d="m 246.49993,-237.99993 c -2.18972,0 -3.7236,1.33577 -4.39555,3.84352 -0.66846,-0.34362 -1.54759,-0.83335 -2.35445,-0.83335 -2.71651,0 -4.75514,1.93882 -4.75513,4.54554 0,0.54677 0.26721,1.33344 0.44196,1.82201 -1.32443,0.72795 -2.43683,1.8905 -2.43683,3.37255 0,2.34605 1.54617,4.25009 4.33928,4.25009 0.17081,0 18.15064,0 18.32144,0 2.77101,0 4.33928,-1.90404 4.33928,-4.25009 0,-1.59237 -1.1124,-2.66669 -2.43683,-3.39464 0.17476,-0.48856 0.46407,-1.25316 0.46407,-1.79992 0,-2.60671 -2.11581,-4.56763 -4.77723,-4.56764 -0.80687,0 -1.64181,0.48974 -2.31027,0.83336 -0.64885,-2.42154 -2.25001,-3.82143 -4.43974,-3.82143 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12863-2"
+ transform="matrix(1.056604,0,0,1.056604,-58.19825,228.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient6754-3);fill-opacity:1;stroke:none"
+ id="path12865-2"
+ transform="matrix(1.056604,0,0,1.056604,-58.19825,228.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="rect12867-0"
+ y="-230.99992"
+ x="236.99994"
+ height="9"
+ width="20" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12869-5"
+ transform="matrix(0.90566,0,0,0.90566,-24.16987,171.3114)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12871-5"
+ transform="matrix(1.056604,0,0,1.056604,-51.19818,231.8633)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient6756-8);fill-opacity:1;stroke:none"
+ id="path12873-2"
+ transform="matrix(1.056604,0,0,1.056604,-51.19825,231.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12875-9"
+ transform="matrix(1.056604,0,0,1.056604,-65.19825,231.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient6758-0);fill-opacity:1;stroke:none"
+ id="path12877-0"
+ transform="matrix(1.056604,0,0,1.056604,-65.19825,231.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12879-2"
+ d="m 245.46868,-233.96868 c -3.57938,0 -6.46875,2.92063 -6.46875,6.5 0,2.37068 1.34943,4.33779 3.25,5.46875 h 6.46875 c 1.90057,-1.13096 3.25,-3.12931 3.25,-5.5 0,-3.57938 -2.92063,-6.46875 -6.5,-6.46875 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient6760-5);fill-opacity:1;stroke:none"
+ id="path12881-8"
+ d="m 245.49993,-233.99993 c -3.588,0 -6.5,2.91201 -6.5,6.5 0,2.3764 1.34485,4.36632 3.25,5.5 h 6.5 c 1.90515,-1.13368 3.25,-3.1236 3.25,-5.5 0,-3.588 -2.912,-6.49999 -6.5,-6.5 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient6762-6);fill-opacity:1;stroke:none"
+ id="path12883-3"
+ transform="matrix(0.90566,0,0,0.90566,-24.16977,171.3113)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#555753;fill-opacity:1;fill-rule:evenodd;stroke:none"
+ id="path12885-8"
+ d="m 258.95633,-230.33389 c -0.002,2.68456 -3.26926,3.71395 -3.26926,3.71395 0,0 2.34874,-1.62595 2.33685,-3.70501 0,0 0.93241,-0.009 0.93241,-0.009 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12887-0"
+ transform="matrix(1.207547,0,0,1.207547,-98.22652,302.4154)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient6764-6);fill-opacity:1;stroke:none"
+ id="path12889-4"
+ transform="matrix(1.207547,0,0,1.207547,-98.22652,302.4154)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <path
+ style="fill:url(#radialGradient9522-5);fill-opacity:1;stroke:none"
+ id="path13209-0"
+ d="m 36.46539,19.111476 c -2.0001,0 -3.68558,1.0795 -4.53057,2.61494 -0.59491,-0.22191 -1.24464,-0.35337 -1.92595,-0.35337 -2.83021,0 -5.11753,2.11817 -5.11753,4.7175 0,0.45375 0.14453,0.85683 0.27514,1.27213 -1.38232,0.86527 -2.34783,2.25357 -2.34783,3.90473 0,2.65283 0.65162,4.99335 5.22758,4.80585 0.04512,-0.0018 17.45148,0.09698 17.70041,-0.01803 3.08521,0.22595 4.07201,-2.44573 4.07201,-4.69946 0,-1.70051 -0.83694,-3.04985 -2.30927,-3.87759 0.04796,-0.25856 -0.03856,-0.55119 -0.03856,-0.82225 0,-2.59932 -2.30565,-4.71749 -5.13587,-4.71749 -0.39349,0 -0.7324,0.13482 -1.10054,0.21202 -0.73846,-1.76812 -2.58501,-3.03898 -4.76902,-3.03898 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ </g>
+ </g>
+ <g
+ id="g7957-2"
+ transform="matrix(0.26458333,0,0,0.26458333,-4.6667659,36.368612)">
+ <g
+ id="g2482-2"
+ transform="translate(0.4025314,-0.6040782)">
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2502-1);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2484-6"
+ d="m 85.387971,95.699904 c 0.0075,8.102006 -19.95928,14.671276 -44.592125,14.671276 -24.63284,0 -44.5996048,-6.56927 -44.5921197,-14.671276 -0.00749,-8.102001 19.9592797,-14.671277 44.5921197,-14.671277 24.632845,0 44.59961,6.569276 44.592125,14.671277 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2504-2);fill-opacity:1;fill-rule:evenodd;stroke:#404604;stroke-width:2.89943886px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2486-4"
+ d="m 25.751776,94.433252 h 30.7532 c 8.7134,0 17.34004,-3.194983 20.50212,-12.301276 3.00278,-8.647507 0.51256,-25.115108 -18.96446,-38.441492 H 21.651356 C 2.1743262,55.99176 -0.25968379,72.814858 4.2245462,82.644527 8.7928862,92.658579 16.525816,94.433252 25.751776,94.433252 Z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#9db029;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2488-1"
+ d="m 40.455396,51.378784 c 0,0 -6.23763,4.81404 -5.70028,10.613492 -5.91841,-5.221292 -6.08845,-15.226473 -6.08845,-15.226473 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.21518986;fill:none;stroke:#ffffff;stroke-width:2.89943814px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2490-2"
+ d="m 26.057566,91.347662 h 29.91256 c 7.65371,0 15.23122,-2.806422 18.00874,-10.805243 2.63758,-7.595834 -0.27465,-22.060711 -17.38295,-33.766392 H 23.180676 C 6.0723762,57.58127 3.2095162,72.358411 7.1483862,80.992635 11.161146,89.78882 17.953636,91.347662 26.057566,91.347662 Z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#9db029;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2492-8"
+ d="m 41.292286,52.378784 c 0,0 6.23763,4.81404 5.70027,10.613492 5.91841,-5.221292 6.08845,-15.226473 6.08845,-15.226473 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2506-4);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2494-8"
+ d="m 65.368498,38.974475 c 0.0042,13.87367 -11.241435,25.122739 -25.115108,25.122739 -13.87367,0 -25.119321,-11.249069 -25.115105,-25.122739 -0.0042,-13.87367 11.241435,-25.122739 25.115105,-25.122739 13.873673,0 25.119324,11.249069 25.115108,25.122739 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2508-9);fill-opacity:1;fill-rule:evenodd;stroke:#6f4709;stroke-width:2.89943886px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2496-9"
+ d="m 65.730928,28.826439 c 0.0042,13.87367 -11.241435,25.122739 -25.115108,25.122739 -13.87367,0 -25.119321,-11.249069 -25.115105,-25.122739 -0.0042,-13.87367 11.241435,-25.1227391 25.115105,-25.1227391 13.873673,0 25.119324,11.2490691 25.115108,25.1227391 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.12658231;fill:none;stroke:#ffffff;stroke-width:2.89944124px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2498-2"
+ d="M 62.644211,28.826474 C 62.647909,40.995 52.784405,50.861502 40.615876,50.861502 28.44735,50.861502 18.583846,40.995 18.587544,28.826474 18.583846,16.657947 28.44735,6.7914452 40.615876,6.7914452 c 12.168529,0 22.032033,9.8665018 22.028335,22.0350288 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient8469);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2500-8"
+ d="m 64.967663,92.704432 c 3.61736,-1.5801 5.23637,-5.38796 5.23637,-5.38796 -2.43925,-11.79821 -10.7857,-20.43007 -10.7857,-20.43007 0,0 6.60875,18.58979 5.54933,25.81803 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <g
+ style="display:inline"
+ id="layer1-9-8" />
+ <g
+ id="g2483-8"
+ transform="translate(89.565224,-57.340975)">
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2476-6);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4177-6"
+ transform="matrix(5.1479827,0,0,2.7810925,-164.41027,100.68378)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient8471);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4368-8"
+ d="M 13.245856,91.434387 C 9.6284962,89.854283 8.0094862,86.046427 8.0094862,86.046427 10.448736,74.248216 18.795186,65.616354 18.795186,65.616354 c 0,0 -6.60875,18.589793 -5.54933,25.818033 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient8473);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4173-3"
+ d="m -28.06643,114.09678 h 12.30128 l -7.17574,-6.66319 -1.53766,2.05021 -1.53767,-1.53766 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient8475);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4370-8"
+ d="m -13.94683,130.64896 c 3.56993,-1.68451 5.2316903,-5.8056 5.2316903,-5.8056 C -11.49605,113.12098 -20.24375,105.00302 -20.24375,105.00302 c 0,0 7.14594,18.38998 6.29692,25.64594 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2484-0);fill-opacity:1;fill-rule:evenodd;stroke:#204a87;stroke-width:2.89943886px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path4308-3"
+ d="m -18.20172,156.43265 h 30.75319 c 8.71341,0 17.34005,-3.19499 20.50213,-12.30129 3.00277,-8.64751 0.51255,-25.11511 -18.96447,-38.44149 h -36.39128 c -19.47702,12.30128 -21.91103,29.12437 -17.42681,38.95404 4.56834,10.01406 12.30128,11.78874 21.52724,11.78874 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient8477);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4310-3"
+ d="m -16.15151,110.30285 c 9.2259603,8.20085 13.3263803,37.92894 13.3263803,37.92894 0,0 4.10043,-29.72809 11.27617,-38.44149 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#729fcf;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4312-3"
+ d="m -9.5424097,113.37817 c 0,0 -6.2376303,4.81404 -5.7002703,10.61349 -5.91841,-5.22129 -6.08846,-15.22647 -6.08846,-15.22647 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.21518986;fill:none;stroke:#ffffff;stroke-width:2.89943814px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path4314-8"
+ d="m -18.40849,153.41112 30.42511,-0.0641 c 7.65372,0 15.23122,-2.80644 18.00874,-10.80526 2.63759,-7.59583 -0.27464,-22.06071 -17.38294,-33.76639 l -33.41524,-0.70476 c -17.1083,10.80524 -20.41965,25.58239 -16.41671,34.92137 4.00294,9.33899 9.84421,10.35504 18.78104,10.4191 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#729fcf;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4316-0"
+ d="m -20.009013,106.3071 c 0,0 6.23763,4.81404 5.70027,10.61349 5.9184092,-5.22129 6.0884592,-15.22647 6.0884592,-15.22647 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2488-4);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4318-4"
+ transform="matrix(2.8994389,0,0,2.8994389,-93.90948,45.859526)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2490-3);fill-opacity:1;fill-rule:evenodd;stroke:#c17d11;stroke-width:1px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path4320-7"
+ transform="matrix(2.8994389,0,0,2.8994389,-93.54705,35.71149)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.19620254;fill:none;stroke:#ffffff;stroke-width:1.14012825px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path4322-6"
+ transform="matrix(2.5430833,0,0,2.5430833,-82.4598,42.485353)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient8479);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4354-8"
+ d="m -30.18912,153.93669 c -3.61736,-1.58011 -5.23637,-5.38797 -5.23637,-5.38797 2.43925,-11.79821 10.7857,-20.43007 10.7857,-20.43007 0,0 -6.60875,18.58979 -5.54933,25.81804 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient8481);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4364-9"
+ d="m 24.62683,151.44795 c 3.56993,-1.68452 5.23168,-5.80562 5.23168,-5.80562 -2.7809,-11.72238 -11.5286,-19.84033 -11.5286,-19.84033 0,0 7.14594,18.38998 6.29692,25.64595 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <g
+ id="g2507-0"
+ transform="translate(49.068553,-45.030564)">
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2537-7);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2509-6"
+ transform="matrix(5.1479827,0,0,2.7810925,-164.41027,100.68378)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient8483);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2511-8"
+ d="M 13.245856,91.434387 C 9.6284962,89.854283 8.0094862,86.046427 8.0094862,86.046427 10.448736,74.248216 18.795186,65.616354 18.795186,65.616354 c 0,0 -6.60875,18.589793 -5.54933,25.818033 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient8485);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2513-7"
+ d="m -28.06643,114.09678 h 12.30128 l -7.17574,-6.66319 -1.53766,2.05021 -1.53767,-1.53766 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient8487);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2515-9"
+ d="m -13.94683,130.64896 c 3.56993,-1.68451 5.2316903,-5.8056 5.2316903,-5.8056 C -11.49605,113.12098 -20.24375,105.00302 -20.24375,105.00302 c 0,0 7.14594,18.38998 6.29692,25.64594 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2545-4);fill-opacity:1;fill-rule:evenodd;stroke:#204a87;stroke-width:2.89943886px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2517-0"
+ d="m -18.20172,156.43265 h 30.75319 c 8.71341,0 17.34005,-3.19499 20.50213,-12.30129 3.00277,-8.64751 0.51255,-25.11511 -18.96447,-38.44149 h -36.39128 c -19.47702,12.30128 -21.91103,29.12437 -17.42681,38.95404 4.56834,10.01406 12.30128,11.78874 21.52724,11.78874 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient8489);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2519-3"
+ d="m -16.15151,110.30285 c 9.2259603,8.20085 13.3263803,37.92894 13.3263803,37.92894 0,0 4.10043,-29.72809 11.27617,-38.44149 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#729fcf;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2521-3"
+ d="m -9.5424097,113.37817 c 0,0 -6.2376303,4.81404 -5.7002703,10.61349 -5.91841,-5.22129 -6.08846,-15.22647 -6.08846,-15.22647 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.21518986;fill:none;stroke:#ffffff;stroke-width:2.89943814px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2523-3"
+ d="m -18.40849,153.41112 30.42511,-0.0641 c 7.65372,0 15.23122,-2.80644 18.00874,-10.80526 2.63759,-7.59583 -0.27464,-22.06071 -17.38294,-33.76639 l -33.41524,-0.70476 c -17.1083,10.80524 -20.41965,25.58239 -16.41671,34.92137 4.00294,9.33899 9.84421,10.35504 18.78104,10.4191 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#729fcf;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2525-7"
+ d="m -20.009013,106.3071 c 0,0 6.23763,4.81404 5.70027,10.61349 5.9184092,-5.22129 6.0884592,-15.22647 6.0884592,-15.22647 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2549-3);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2527-3"
+ transform="matrix(2.8994389,0,0,2.8994389,-93.90948,45.859526)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2551-1);fill-opacity:1;fill-rule:evenodd;stroke:#c17d11;stroke-width:1px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2529-2"
+ transform="matrix(2.8994389,0,0,2.8994389,-93.54705,35.71149)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.19620254;fill:none;stroke:#ffffff;stroke-width:1.14012825px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2531-6"
+ transform="matrix(2.5430833,0,0,2.5430833,-82.4598,42.485353)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient8491);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2533-5"
+ d="m -30.18912,153.93669 c -3.61736,-1.58011 -5.23637,-5.38797 -5.23637,-5.38797 2.43925,-11.79821 10.7857,-20.43007 10.7857,-20.43007 0,0 -6.60875,18.58979 -5.54933,25.81804 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient8493);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2535-2"
+ d="m 24.62683,151.44795 c 3.56993,-1.68452 5.23168,-5.80562 5.23168,-5.80562 -2.7809,-11.72238 -11.5286,-19.84033 -11.5286,-19.84033 0,0 7.14594,18.38998 6.29692,25.64595 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <g
+ id="g2557-6"
+ transform="translate(45.228443,22.71576)">
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2577-4);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2559-5"
+ d="m 85.387971,95.699904 c 0.0075,8.102006 -19.95928,14.671276 -44.592125,14.671276 -24.63284,0 -44.5996048,-6.56927 -44.5921197,-14.671276 -0.00749,-8.102001 19.9592797,-14.671277 44.5921197,-14.671277 24.632845,0 44.59961,6.569276 44.592125,14.671277 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2579-6);fill-opacity:1;fill-rule:evenodd;stroke:#404604;stroke-width:2.89943886px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2561-8"
+ d="m 25.751776,94.433252 h 30.7532 c 8.7134,0 17.34004,-3.194983 20.50212,-12.301276 3.00278,-8.647507 0.51256,-25.115108 -18.96446,-38.441492 H 21.651356 C 2.1743262,55.99176 -0.25968379,72.814858 4.2245462,82.644527 8.7928862,92.658579 16.525816,94.433252 25.751776,94.433252 Z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#9db029;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2563-7"
+ d="m 40.455396,51.378784 c 0,0 -6.23763,4.81404 -5.70028,10.613492 -5.91841,-5.221292 -6.08845,-15.226473 -6.08845,-15.226473 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.21518986;fill:none;stroke:#ffffff;stroke-width:2.89943814px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2565-9"
+ d="m 26.057566,91.347662 h 29.91256 c 7.65371,0 15.23122,-2.806422 18.00874,-10.805243 2.63758,-7.595834 -0.27465,-22.060711 -17.38295,-33.766392 H 23.180676 C 6.0723762,57.58127 3.2095162,72.358411 7.1483862,80.992635 11.161146,89.78882 17.953636,91.347662 26.057566,91.347662 Z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#9db029;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2567-6"
+ d="m 41.292286,52.378784 c 0,0 6.23763,4.81404 5.70027,10.613492 5.91841,-5.221292 6.08845,-15.226473 6.08845,-15.226473 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2581-9);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2569-0"
+ d="m 65.368498,38.974475 c 0.0042,13.87367 -11.241435,25.122739 -25.115108,25.122739 -13.87367,0 -25.119321,-11.249069 -25.115105,-25.122739 -0.0042,-13.87367 11.241435,-25.122739 25.115105,-25.122739 13.873673,0 25.119324,11.249069 25.115108,25.122739 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2583-4);fill-opacity:1;fill-rule:evenodd;stroke:#6f4709;stroke-width:2.89943886px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2571-4"
+ d="m 65.730928,28.826439 c 0.0042,13.87367 -11.241435,25.122739 -25.115108,25.122739 -13.87367,0 -25.119321,-11.249069 -25.115105,-25.122739 -0.0042,-13.87367 11.241435,-25.1227391 25.115105,-25.1227391 13.873673,0 25.119324,11.2490691 25.115108,25.1227391 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.12658231;fill:none;stroke:#ffffff;stroke-width:2.89944124px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2573-1"
+ d="M 62.644211,28.826474 C 62.647909,40.995 52.784405,50.861502 40.615876,50.861502 28.44735,50.861502 18.583846,40.995 18.587544,28.826474 18.583846,16.657947 28.44735,6.7914452 40.615876,6.7914452 c 12.168529,0 22.032033,9.8665018 22.028335,22.0350288 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient8495);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2575-0"
+ d="m 64.967663,92.704432 c 3.61736,-1.5801 5.23637,-5.38796 5.23637,-5.38796 -2.43925,-11.79821 -10.7857,-20.43007 -10.7857,-20.43007 0,0 6.60875,18.58979 5.54933,25.81803 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ </g>
+ <path
+ style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;stroke-miterlimit:4;stroke-dasharray:none;marker-start:url(#Arrow1Mstart);marker-end:url(#Arrow1Mend)"
+ d="m 33.450265,55.830599 c 15.438585,-7.953211 30.64325,-5.84795 30.64325,-5.84795 v 0"
+ id="path8497"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-start:url(#marker8927);marker-end:url(#marker8875)"
+ d="M 87.485312,51.853994 C 101.98822,45.53821 122.80692,48.111306 122.80692,48.111306"
+ id="path8819"
+ inkscape:connector-curvature="0"
+ sodipodi:nodetypes="cc" />
+ <path
+ style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-start:url(#marker9031);marker-end:url(#marker9095)"
+ d="M 62.690009,36.649326 C 44.210491,23.549922 61.052582,11.152271 71.812808,11.386189 c 10.760226,0.233918 17.788552,7.182405 14.736831,14.268994 -2.119354,4.921484 1.370363,-0.245166 -3.742687,5.84795"
+ id="path9021"
+ inkscape:connector-curvature="0"
+ sodipodi:nodetypes="cssc" />
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="50.994114"
+ y="59.339371"
+ id="text10983"><tspan
+ sodipodi:role="line"
+ id="tspan10981"
+ x="50.994114"
+ y="59.339371"
+ style="stroke-width:0.26458332px">Queries and</tspan><tspan
+ sodipodi:role="line"
+ x="50.994114"
+ y="64.300308"
+ style="stroke-width:0.26458332px"
+ id="tspan11275">responses</tspan></text>
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="71.111053"
+ y="4.3686504"
+ id="text10987"><tspan
+ sodipodi:role="line"
+ id="tspan10985"
+ x="71.742798"
+ y="4.3686504"
+ style="stroke-width:0.26458332px">Private domain </tspan><tspan
+ sodipodi:role="line"
+ x="71.111053"
+ y="9.3295879"
+ style="stroke-width:0.26458332px"
+ id="tspan10989">lookups in database</tspan></text>
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="103.91389"
+ y="38.712017"
+ id="text10993"><tspan
+ sodipodi:role="line"
+ id="tspan10991"
+ x="103.91389"
+ y="38.712017"
+ style="stroke-width:0.26458332px">Non-private</tspan><tspan
+ sodipodi:role="line"
+ x="103.91389"
+ y="43.672955"
+ style="stroke-width:0.26458332px"
+ id="tspan10995">domain queries</tspan></text>
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="11.695897"
+ y="74.544029"
+ id="text11279"><tspan
+ sodipodi:role="line"
+ id="tspan11277"
+ x="11.695897"
+ y="74.544029"
+ style="stroke-width:0.26458332px">Users</tspan></text>
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="77.192932"
+ y="70.333511"
+ id="text11283"><tspan
+ sodipodi:role="line"
+ id="tspan11281"
+ x="77.192932"
+ y="70.333511"
+ style="stroke-width:0.26458332px">PowerDNS</tspan><tspan
+ sodipodi:role="line"
+ x="77.192932"
+ y="75.294449"
+ style="stroke-width:0.26458332px"
+ id="tspan11285">Authoritative</tspan><tspan
+ sodipodi:role="line"
+ x="77.192932"
+ y="80.255386"
+ style="stroke-width:0.26458332px"
+ id="tspan11287">Server</tspan><tspan
+ sodipodi:role="line"
+ x="77.192932"
+ y="85.216324"
+ style="stroke-width:0.26458332px"
+ id="tspan11289" /></text>
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="138.94727"
+ y="64.017723"
+ id="text11293"><tspan
+ sodipodi:role="line"
+ id="tspan11291"
+ x="138.94727"
+ y="64.017723"
+ style="stroke-width:0.26458332px">Internet</tspan></text>
+ <path
+ style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-start:url(#Arrow1Mstart-9);marker-end:url(#Arrow1Mend-8)"
+ d="m 206.05662,21.832627 c 15.43858,-7.95321 30.64325,-5.84795 30.64325,-5.84795 v 0"
+ id="path8497-0"
+ inkscape:connector-curvature="0" />
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="223.60033"
+ y="25.341391"
+ id="text10983-1"><tspan
+ sodipodi:role="line"
+ id="tspan10981-7"
+ x="223.60033"
+ y="25.341391"
+ style="stroke-width:0.26458332px">Queries and</tspan><tspan
+ sodipodi:role="line"
+ x="223.60033"
+ y="30.302328"
+ style="stroke-width:0.26458332px"
+ id="tspan11275-8">responses</tspan></text>
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="314.46252"
+ y="32.655487"
+ id="text11283-9"><tspan
+ sodipodi:role="line"
+ id="tspan11281-1"
+ x="314.46252"
+ y="32.655487"
+ style="stroke-width:0.26458332px">PowerDNS</tspan><tspan
+ sodipodi:role="line"
+ x="314.46252"
+ y="37.616425"
+ style="stroke-width:0.26458332px"
+ id="tspan11285-5">Authoritative</tspan><tspan
+ sodipodi:role="line"
+ x="314.46252"
+ y="42.577362"
+ style="stroke-width:0.26458332px"
+ id="tspan11287-4">Server</tspan><tspan
+ sodipodi:role="line"
+ x="314.46252"
+ y="47.5383"
+ style="stroke-width:0.26458332px"
+ id="tspan11289-9" /></text>
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="250.53906"
+ y="41.320198"
+ id="text11283-2"><tspan
+ sodipodi:role="line"
+ id="tspan11281-5"
+ x="250.53906"
+ y="41.320198"
+ style="stroke-width:0.26458332px">PowerDNS</tspan><tspan
+ sodipodi:role="line"
+ x="250.53906"
+ y="46.281136"
+ style="stroke-width:0.26458332px"
+ id="tspan11287-49">Recursor</tspan><tspan
+ sodipodi:role="line"
+ x="250.53906"
+ y="51.242073"
+ style="stroke-width:0.26458332px"
+ id="tspan11289-94" /></text>
+ <g
+ id="g6750-6-2"
+ transform="matrix(0.26458333,0,0,0.26458333,292.48875,40.90535)">
+ <g
+ style="display:inline"
+ id="layer1-3-9-1" />
+ <g
+ style="display:inline"
+ id="layer2-4-8-2">
+ <g
+ id="g12825-7-0"
+ transform="matrix(2.5313899,0,0,3.0201142,-712.99191,751.20922)">
+ <path
+ style="fill:#555753;fill-opacity:1;stroke:none"
+ id="path12827-2-7"
+ d="m 311.5,-242.99998 c -2.77242,0 -5.10823,1.57371 -6.40625,3.8125 -0.94436,-0.47504 -1.96519,-0.8125 -3.09375,-0.8125 -3.864,0 -7,3.136 -7,7 0,3.864 3.136,7 7,7 2.41967,0 4.43009,-1.31932 5.6875,-3.1875 1.1342,0.68962 2.38898,1.1875 3.8125,1.1875 0.91312,0 1.75295,-0.23202 2.5625,-0.53125 0.50994,0.86773 1.17912,1.57972 2,2.15625 -0.007,0.13038 -0.0625,0.24282 -0.0625,0.375 0,3.864 3.13599,7 7,7 3.864,0 7,-3.136 7,-7 0,-2.36969 -1.25898,-4.35834 -3.0625,-5.625 0.007,-0.13038 0.0625,-0.24282 0.0625,-0.375 0,-3.864 -3.13599,-7 -7,-7 -0.6227,0 -1.17519,0.22219 -1.75,0.375 -1.19453,-2.55884 -3.74134,-4.375 -6.75,-4.375 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:url(#linearGradient13495-0-5);fill-opacity:1;stroke:none"
+ id="path12829-8-3"
+ d="m 311.5,-241.99998 c -2.78048,0 -5.13451,1.76185 -6.0625,4.21875 -0.98542,-0.70944 -2.13143,-1.21875 -3.4375,-1.21875 -3.312,0 -6,2.688 -6,6 0,3.312 2.688,6 6,6 2.42775,0 4.49324,-1.45558 5.4375,-3.53125 1.12076,0.91756 2.50214,1.53125 4.0625,1.53125 1.07454,0 2.04428,-0.31896 2.9375,-0.78125 0.3984,0.99976 1.10114,1.78632 1.9375,2.4375 -0.18001,0.59562 -0.375,1.18965 -0.375,1.84375 0,3.588 2.912,6.5 6.5,6.5 3.588,0 6.5,-2.912 6.5,-6.5 0,-2.36079 -1.33433,-4.33019 -3.21875,-5.46875 0.0626,-0.34723 0.21875,-0.66608 0.21875,-1.03125 0,-3.312 -2.688,-6 -6,-6 -0.85298,0 -1.6713,0.17868 -2.40625,0.5 -0.85377,-2.59388 -3.21524,-4.49999 -6.09375,-4.5 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12831-2-1"
+ transform="matrix(0.964447,0,0,0.964447,89.28852,144.5262)"
+ d="m 248.54804,-383.6666 c 0,3.72219 -3.01743,6.73961 -6.73962,6.73961 -3.72218,0 -6.73961,-3.01742 -6.73961,-6.73961 0,-3.72219 3.01743,-6.73962 6.73961,-6.73962 3.72219,0 6.73962,3.01743 6.73962,6.73962 z"
+ inkscape:connector-curvature="0" />
+ <g
+ id="g12833-9-1">
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12835-9-9"
+ transform="matrix(0.88263,0,0,0.88263,96.18078,108.1091)"
+ d="m 250.18322,-389.30136 c 0,3.4415 -2.78988,6.23138 -6.23138,6.23138 -3.4415,0 -6.23138,-2.78988 -6.23138,-6.23138 0,-3.4415 2.78988,-6.23138 6.23138,-6.23138 3.4415,0 6.23138,2.78988 6.23138,6.23138 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.49444442;fill:url(#linearGradient13497-1-5);fill-opacity:1;stroke:none"
+ id="path12837-6-0"
+ transform="matrix(0.88263,0,0,0.88263,96.18078,108.1091)"
+ d="m 250.18322,-389.30136 c 0,3.4415 -2.78988,6.23138 -6.23138,6.23138 -3.4415,0 -6.23138,-2.78988 -6.23138,-6.23138 0,-3.4415 2.78988,-6.23138 6.23138,-6.23138 3.4415,0 6.23138,2.78988 6.23138,6.23138 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <g
+ id="g12839-0-5">
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12841-2-6"
+ transform="matrix(0.911728,0,0,0.911728,90.45407,120.2336)"
+ d="m 257.25429,-385.7879 c 0,3.33166 -2.70084,6.03251 -6.03251,6.03251 -3.33166,0 -6.0325,-2.70085 -6.0325,-6.03251 0,-3.33166 2.70084,-6.0325 6.0325,-6.0325 3.33167,0 6.03251,2.70084 6.03251,6.0325 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.49444442;fill:url(#linearGradient13499-9-7);fill-opacity:1;stroke:none"
+ id="path12843-7-7"
+ transform="matrix(0.911728,0,0,0.911728,90.45407,120.2336)"
+ d="m 257.25429,-385.7879 c 0,3.33166 -2.70084,6.03251 -6.03251,6.03251 -3.33166,0 -6.0325,-2.70085 -6.0325,-6.03251 0,-3.33166 2.70084,-6.0325 6.0325,-6.0325 3.33167,0 6.03251,2.70084 6.03251,6.0325 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <g
+ id="g12845-6-7">
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12847-1-4"
+ transform="matrix(1.142799,0,0,1.142799,35.23229,210.277)"
+ d="m 237.80885,-387.88715 c 0,2.41637 -1.95885,4.37522 -4.37522,4.37522 -2.41638,0 -4.37523,-1.95885 -4.37523,-4.37522 0,-2.41637 1.95885,-4.37523 4.37523,-4.37523 2.41637,0 4.37522,1.95886 4.37522,4.37523 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.49444442;fill:url(#linearGradient13501-6-0);fill-opacity:1;stroke:none"
+ id="path12849-3-0"
+ transform="matrix(1.142799,0,0,1.142799,35.23229,210.277)"
+ d="m 237.80885,-387.88715 c 0,2.41637 -1.95885,4.37522 -4.37522,4.37522 -2.41638,0 -4.37523,-1.95885 -4.37523,-4.37522 0,-2.41637 1.95885,-4.37523 4.37523,-4.37523 2.41637,0 4.37522,1.95886 4.37522,4.37523 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <g
+ id="g12851-2-6">
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12853-1-4"
+ transform="matrix(1.038636,0,0,1.038636,59.84906,169.4899)"
+ d="m 248.54804,-383.6666 c 0,3.72219 -3.01743,6.73961 -6.73962,6.73961 -3.72218,0 -6.73961,-3.01742 -6.73961,-6.73961 0,-3.72219 3.01743,-6.73962 6.73961,-6.73962 3.72219,0 6.73962,3.01743 6.73962,6.73962 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.49444442;fill:url(#linearGradient13503-9-8);fill-opacity:1;stroke:none"
+ id="path12855-5-7"
+ transform="matrix(1.038636,0,0,1.038636,59.84907,169.4899)"
+ d="m 248.54804,-383.6666 c 0,3.72219 -3.01743,6.73961 -6.73962,6.73961 -3.72218,0 -6.73961,-3.01742 -6.73961,-6.73961 0,-3.72219 3.01743,-6.73962 6.73961,-6.73962 3.72219,0 6.73962,3.01743 6.73962,6.73962 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ </g>
+ <g
+ id="g9468-9-4"
+ transform="matrix(2.5313899,0,0,3.0201142,-10.842401,-5.9723708)">
+ <g
+ id="g12891-9-8"
+ transform="translate(-225.18126,253.09536)">
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:#555753;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:2;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
+ id="path12893-1-5"
+ d="m 246.49993,-238.49993 c -2.27083,0 -4.10991,1.55028 -4.71875,3.625 -0.69323,-0.36383 -1.44451,-0.625 -2.28125,-0.625 -2.76,0 -5.00001,2.23999 -5,5 0,0.57893 0.16252,1.1077 0.34375,1.625 -1.37347,0.77074 -2.34375,2.189 -2.34375,3.875 0,2.484 2.016,4.50001 4.5,4.5 0.17713,0 18.82287,0 19,0 2.48399,0 4.5,-2.016 4.5,-4.5 0,-1.686 -0.97028,-3.10426 -2.34375,-3.875 0.18124,-0.51729 0.34375,-1.04608 0.34375,-1.625 0,-2.76 -2.24,-4.99999 -5,-5 -0.83674,0 -1.58802,0.26117 -2.28125,0.625 -0.60884,-2.07472 -2.44792,-3.625 -4.71875,-3.625 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:url(#linearGradient13077);fill-opacity:1;stroke:none"
+ id="path12895-4-8"
+ d="m 246.49993,-237.99993 c -2.18972,0 -3.7236,1.33577 -4.39555,3.84352 -0.66846,-0.34362 -1.54759,-0.83335 -2.35445,-0.83335 -2.71651,0 -4.75514,1.93882 -4.75513,4.54554 0,0.54677 0.26721,1.33344 0.44196,1.82201 -1.32443,0.72795 -2.43683,1.8905 -2.43683,3.37255 0,2.34605 1.54617,4.25009 4.33928,4.25009 0.17081,0 18.15064,0 18.32144,0 2.77101,0 4.33928,-1.90404 4.33928,-4.25009 0,-1.59237 -1.1124,-2.66669 -2.43683,-3.39464 0.17476,-0.48856 0.46407,-1.25316 0.46407,-1.79992 0,-2.60671 -2.11581,-4.56763 -4.77723,-4.56764 -0.80687,0 -1.64181,0.48974 -2.31027,0.83336 -0.64885,-2.42154 -2.25001,-3.82143 -4.43974,-3.82143 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12897-9-2"
+ transform="matrix(1.056604,0,0,1.056604,-58.19825,228.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient13079);fill-opacity:1;stroke:none"
+ id="path12899-1-6"
+ transform="matrix(1.056604,0,0,1.056604,-58.19825,228.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="rect12901-0-0"
+ y="-230.99992"
+ x="236.99994"
+ height="9"
+ width="20" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12903-7-6"
+ transform="matrix(0.90566,0,0,0.90566,-24.16987,171.3114)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12905-5-6"
+ transform="matrix(1.056604,0,0,1.056604,-51.19818,231.8633)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient13081);fill-opacity:1;stroke:none"
+ id="path12907-8-4"
+ transform="matrix(1.056604,0,0,1.056604,-51.19825,231.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12909-7-6"
+ transform="matrix(1.056604,0,0,1.056604,-65.19825,231.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient13083);fill-opacity:1;stroke:none"
+ id="path12911-0-2"
+ transform="matrix(1.056604,0,0,1.056604,-65.19825,231.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12913-4-8"
+ d="m 245.46868,-233.96868 c -3.57938,0 -6.46875,2.92063 -6.46875,6.5 0,2.37068 1.34943,4.33779 3.25,5.46875 h 6.46875 c 1.90057,-1.13096 3.25,-3.12931 3.25,-5.5 0,-3.57938 -2.92063,-6.46875 -6.5,-6.46875 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient13085);fill-opacity:1;stroke:none"
+ id="path12915-8-9"
+ d="m 245.49993,-233.99993 c -3.588,0 -6.5,2.91201 -6.5,6.5 0,2.3764 1.34485,4.36632 3.25,5.5 h 6.5 c 1.90515,-1.13368 3.25,-3.1236 3.25,-5.5 0,-3.588 -2.912,-6.49999 -6.5,-6.5 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient13087);fill-opacity:1;stroke:none"
+ id="path12917-0-6"
+ transform="matrix(0.90566,0,0,0.90566,-24.16977,171.3113)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#555753;fill-opacity:1;fill-rule:evenodd;stroke:none"
+ id="path12919-4-0"
+ d="m 258.95633,-230.33389 c -0.002,2.68456 -3.26926,3.71395 -3.26926,3.71395 0,0 2.34874,-1.62595 2.33685,-3.70501 0,0 0.93241,-0.009 0.93241,-0.009 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12921-2-7"
+ transform="matrix(1.207547,0,0,1.207547,-98.22652,302.4154)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient13089);fill-opacity:1;stroke:none"
+ id="path12923-9-0"
+ transform="matrix(1.207547,0,0,1.207547,-98.22652,302.4154)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <path
+ style="fill:url(#radialGradient9407-4-3);fill-opacity:1;stroke:none"
+ id="path11418-6-1"
+ d="m 21.02789,15.111956 c -2.0001,0 -3.68558,1.0795 -4.53057,2.61494 -0.59491,-0.22191 -1.24464,-0.35337 -1.92595,-0.35337 -2.83021,0 -5.1175304,2.11817 -5.1175304,4.7175 0,0.45375 0.14453,0.85683 0.27514,1.27213 -1.38232,0.86527 -2.34783,2.25357 -2.34783,3.90473 0,2.65283 0.65162,4.99335 5.2275804,4.80585 0.04512,-0.0018 17.45148,0.09698 17.70041,-0.01803 3.08521,0.22595 4.07201,-2.44573 4.07201,-4.69946 0,-1.70051 -0.83694,-3.04985 -2.30927,-3.87759 0.04796,-0.25856 -0.03856,-0.55119 -0.03856,-0.82225 0,-2.59932 -2.30565,-4.71749 -5.13587,-4.71749 -0.39349,0 -0.7324,0.13482 -1.10054,0.21202 -0.73846,-1.76812 -2.58501,-3.03898 -4.76902,-3.03898 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <g
+ id="g9488-1-0"
+ transform="matrix(2.5313899,0,0,3.0201142,-5.7841588,-18.063655)">
+ <g
+ id="g12857-0-1"
+ transform="translate(-210.16696,257.11136)">
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:#555753;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:2;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
+ id="path12859-4-3"
+ d="m 246.49993,-238.49993 c -2.27083,0 -4.10991,1.55028 -4.71875,3.625 -0.69323,-0.36383 -1.44451,-0.625 -2.28125,-0.625 -2.76,0 -5.00001,2.23999 -5,5 0,0.57893 0.16252,1.1077 0.34375,1.625 -1.37347,0.77074 -2.34375,2.189 -2.34375,3.875 0,2.484 2.016,4.50001 4.5,4.5 0.17713,0 18.82287,0 19,0 2.48399,0 4.5,-2.016 4.5,-4.5 0,-1.686 -0.97028,-3.10426 -2.34375,-3.875 0.18124,-0.51729 0.34375,-1.04608 0.34375,-1.625 0,-2.76 -2.24,-4.99999 -5,-5 -0.83674,0 -1.58802,0.26117 -2.28125,0.625 -0.60884,-2.07472 -2.44792,-3.625 -4.71875,-3.625 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:url(#linearGradient7191-1);fill-opacity:1;stroke:none"
+ id="path12861-2-7"
+ d="m 246.49993,-237.99993 c -2.18972,0 -3.7236,1.33577 -4.39555,3.84352 -0.66846,-0.34362 -1.54759,-0.83335 -2.35445,-0.83335 -2.71651,0 -4.75514,1.93882 -4.75513,4.54554 0,0.54677 0.26721,1.33344 0.44196,1.82201 -1.32443,0.72795 -2.43683,1.8905 -2.43683,3.37255 0,2.34605 1.54617,4.25009 4.33928,4.25009 0.17081,0 18.15064,0 18.32144,0 2.77101,0 4.33928,-1.90404 4.33928,-4.25009 0,-1.59237 -1.1124,-2.66669 -2.43683,-3.39464 0.17476,-0.48856 0.46407,-1.25316 0.46407,-1.79992 0,-2.60671 -2.11581,-4.56763 -4.77723,-4.56764 -0.80687,0 -1.64181,0.48974 -2.31027,0.83336 -0.64885,-2.42154 -2.25001,-3.82143 -4.43974,-3.82143 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12863-2-7"
+ transform="matrix(1.056604,0,0,1.056604,-58.19825,228.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient7193-9);fill-opacity:1;stroke:none"
+ id="path12865-2-2"
+ transform="matrix(1.056604,0,0,1.056604,-58.19825,228.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="rect12867-0-6"
+ y="-230.99992"
+ x="236.99994"
+ height="9"
+ width="20" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12869-5-4"
+ transform="matrix(0.90566,0,0,0.90566,-24.16987,171.3114)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12871-5-5"
+ transform="matrix(1.056604,0,0,1.056604,-51.19818,231.8633)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient7195-9);fill-opacity:1;stroke:none"
+ id="path12873-2-2"
+ transform="matrix(1.056604,0,0,1.056604,-51.19825,231.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12875-9-0"
+ transform="matrix(1.056604,0,0,1.056604,-65.19825,231.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient7197-7);fill-opacity:1;stroke:none"
+ id="path12877-0-2"
+ transform="matrix(1.056604,0,0,1.056604,-65.19825,231.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12879-2-9"
+ d="m 245.46868,-233.96868 c -3.57938,0 -6.46875,2.92063 -6.46875,6.5 0,2.37068 1.34943,4.33779 3.25,5.46875 h 6.46875 c 1.90057,-1.13096 3.25,-3.12931 3.25,-5.5 0,-3.57938 -2.92063,-6.46875 -6.5,-6.46875 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient7199-8);fill-opacity:1;stroke:none"
+ id="path12881-8-0"
+ d="m 245.49993,-233.99993 c -3.588,0 -6.5,2.91201 -6.5,6.5 0,2.3764 1.34485,4.36632 3.25,5.5 h 6.5 c 1.90515,-1.13368 3.25,-3.1236 3.25,-5.5 0,-3.588 -2.912,-6.49999 -6.5,-6.5 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient7201-2);fill-opacity:1;stroke:none"
+ id="path12883-3-9"
+ transform="matrix(0.90566,0,0,0.90566,-24.16977,171.3113)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#555753;fill-opacity:1;fill-rule:evenodd;stroke:none"
+ id="path12885-8-9"
+ d="m 258.95633,-230.33389 c -0.002,2.68456 -3.26926,3.71395 -3.26926,3.71395 0,0 2.34874,-1.62595 2.33685,-3.70501 0,0 0.93241,-0.009 0.93241,-0.009 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12887-0-4"
+ transform="matrix(1.207547,0,0,1.207547,-98.22652,302.4154)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient7203-5);fill-opacity:1;stroke:none"
+ id="path12889-4-5"
+ transform="matrix(1.207547,0,0,1.207547,-98.22652,302.4154)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <path
+ style="fill:url(#radialGradient9522-5-6);fill-opacity:1;stroke:none"
+ id="path13209-0-1"
+ d="m 36.46539,19.111476 c -2.0001,0 -3.68558,1.0795 -4.53057,2.61494 -0.59491,-0.22191 -1.24464,-0.35337 -1.92595,-0.35337 -2.83021,0 -5.11753,2.11817 -5.11753,4.7175 0,0.45375 0.14453,0.85683 0.27514,1.27213 -1.38232,0.86527 -2.34783,2.25357 -2.34783,3.90473 0,2.65283 0.65162,4.99335 5.22758,4.80585 0.04512,-0.0018 17.45148,0.09698 17.70041,-0.01803 3.08521,0.22595 4.07201,-2.44573 4.07201,-4.69946 0,-1.70051 -0.83694,-3.04985 -2.30927,-3.87759 0.04796,-0.25856 -0.03856,-0.55119 -0.03856,-0.82225 0,-2.59932 -2.30565,-4.71749 -5.13587,-4.71749 -0.39349,0 -0.7324,0.13482 -1.10054,0.21202 -0.73846,-1.76812 -2.58501,-3.03898 -4.76902,-3.03898 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ </g>
+ </g>
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="309.36182"
+ y="70.137421"
+ id="text11293-0"><tspan
+ sodipodi:role="line"
+ id="tspan11291-3"
+ x="309.36182"
+ y="70.137421"
+ style="stroke-width:0.26458332px">Internet</tspan></text>
+ <path
+ style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-start:url(#marker8927-7);marker-end:url(#marker8875-8)"
+ d="m 266.11309,32.723265 c 10.76022,11.695901 28.02716,16.416402 28.02716,16.416402"
+ id="path8819-0"
+ inkscape:connector-curvature="0"
+ sodipodi:nodetypes="cc" />
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="275.60944"
+ y="56.956589"
+ id="text10993-4"><tspan
+ sodipodi:role="line"
+ id="tspan10991-6"
+ x="275.60944"
+ y="56.956589"
+ style="stroke-width:0.26458332px">Non-private</tspan><tspan
+ sodipodi:role="line"
+ x="275.60944"
+ y="61.917526"
+ style="stroke-width:0.26458332px"
+ id="tspan10995-7">domain queries</tspan></text>
+ <path
+ style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-start:url(#Arrow1Mstart-9-6);marker-end:url(#Arrow1Mend-8-9)"
+ d="m 263.37404,13.958907 c 15.78946,-3.85965 34.61985,-1.63743 34.61985,-1.63743 l 3.95553,1.06682"
+ id="path8497-0-5"
+ inkscape:connector-curvature="0"
+ sodipodi:nodetypes="ccc" />
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="282.93539"
+ y="18.935207"
+ id="text16372"><tspan
+ sodipodi:role="line"
+ id="tspan16370"
+ x="282.93539"
+ y="18.935207"
+ style="stroke-width:0.26458332px">Forwarded domain</tspan><tspan
+ sodipodi:role="line"
+ x="282.93539"
+ y="23.896145"
+ style="stroke-width:0.26458332px"
+ id="tspan16374">queries</tspan></text>
+ <g
+ id="g7957-2-8"
+ transform="matrix(0.26458333,0,0,0.26458333,169.04633,9.6655174)">
+ <g
+ id="g2482-2-0"
+ transform="translate(0.4025314,-0.6040782)">
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2502-1-9);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2484-6-9"
+ d="m 85.387971,95.699904 c 0.0075,8.102006 -19.95928,14.671276 -44.592125,14.671276 -24.63284,0 -44.5996048,-6.56927 -44.5921197,-14.671276 -0.00749,-8.102001 19.9592797,-14.671277 44.5921197,-14.671277 24.632845,0 44.59961,6.569276 44.592125,14.671277 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2504-2-5);fill-opacity:1;fill-rule:evenodd;stroke:#404604;stroke-width:2.89943886px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2486-4-7"
+ d="m 25.751776,94.433252 h 30.7532 c 8.7134,0 17.34004,-3.194983 20.50212,-12.301276 3.00278,-8.647507 0.51256,-25.115108 -18.96446,-38.441492 H 21.651356 C 2.1743262,55.99176 -0.25968379,72.814858 4.2245462,82.644527 8.7928862,92.658579 16.525816,94.433252 25.751776,94.433252 Z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#9db029;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2488-1-9"
+ d="m 40.455396,51.378784 c 0,0 -6.23763,4.81404 -5.70028,10.613492 -5.91841,-5.221292 -6.08845,-15.226473 -6.08845,-15.226473 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.21518986;fill:none;stroke:#ffffff;stroke-width:2.89943814px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2490-2-9"
+ d="m 26.057566,91.347662 h 29.91256 c 7.65371,0 15.23122,-2.806422 18.00874,-10.805243 2.63758,-7.595834 -0.27465,-22.060711 -17.38295,-33.766392 H 23.180676 C 6.0723762,57.58127 3.2095162,72.358411 7.1483862,80.992635 11.161146,89.78882 17.953636,91.347662 26.057566,91.347662 Z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#9db029;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2492-8-3"
+ d="m 41.292286,52.378784 c 0,0 6.23763,4.81404 5.70027,10.613492 5.91841,-5.221292 6.08845,-15.226473 6.08845,-15.226473 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2506-4-8);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2494-8-2"
+ d="m 65.368498,38.974475 c 0.0042,13.87367 -11.241435,25.122739 -25.115108,25.122739 -13.87367,0 -25.119321,-11.249069 -25.115105,-25.122739 -0.0042,-13.87367 11.241435,-25.122739 25.115105,-25.122739 13.873673,0 25.119324,11.249069 25.115108,25.122739 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2508-9-3);fill-opacity:1;fill-rule:evenodd;stroke:#6f4709;stroke-width:2.89943886px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2496-9-4"
+ d="m 65.730928,28.826439 c 0.0042,13.87367 -11.241435,25.122739 -25.115108,25.122739 -13.87367,0 -25.119321,-11.249069 -25.115105,-25.122739 -0.0042,-13.87367 11.241435,-25.1227391 25.115105,-25.1227391 13.873673,0 25.119324,11.2490691 25.115108,25.1227391 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.12658231;fill:none;stroke:#ffffff;stroke-width:2.89944124px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2498-2-3"
+ d="M 62.644211,28.826474 C 62.647909,40.995 52.784405,50.861502 40.615876,50.861502 28.44735,50.861502 18.583846,40.995 18.587544,28.826474 18.583846,16.657947 28.44735,6.7914452 40.615876,6.7914452 c 12.168529,0 22.032033,9.8665018 22.028335,22.0350288 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient16878);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2500-8-7"
+ d="m 64.967663,92.704432 c 3.61736,-1.5801 5.23637,-5.38796 5.23637,-5.38796 -2.43925,-11.79821 -10.7857,-20.43007 -10.7857,-20.43007 0,0 6.60875,18.58979 5.54933,25.81803 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <g
+ style="display:inline"
+ id="layer1-9-8-1" />
+ <g
+ id="g2483-8-2"
+ transform="translate(89.565224,-57.340975)">
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2476-6-3);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4177-6-2"
+ transform="matrix(5.1479827,0,0,2.7810925,-164.41027,100.68378)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient16880);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4368-8-0"
+ d="M 13.245856,91.434387 C 9.6284962,89.854283 8.0094862,86.046427 8.0094862,86.046427 10.448736,74.248216 18.795186,65.616354 18.795186,65.616354 c 0,0 -6.60875,18.589793 -5.54933,25.818033 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient16882);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4173-3-2"
+ d="m -28.06643,114.09678 h 12.30128 l -7.17574,-6.66319 -1.53766,2.05021 -1.53767,-1.53766 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient16884);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4370-8-1"
+ d="m -13.94683,130.64896 c 3.56993,-1.68451 5.2316903,-5.8056 5.2316903,-5.8056 C -11.49605,113.12098 -20.24375,105.00302 -20.24375,105.00302 c 0,0 7.14594,18.38998 6.29692,25.64594 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2484-0-7);fill-opacity:1;fill-rule:evenodd;stroke:#204a87;stroke-width:2.89943886px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path4308-3-7"
+ d="m -18.20172,156.43265 h 30.75319 c 8.71341,0 17.34005,-3.19499 20.50213,-12.30129 3.00277,-8.64751 0.51255,-25.11511 -18.96447,-38.44149 h -36.39128 c -19.47702,12.30128 -21.91103,29.12437 -17.42681,38.95404 4.56834,10.01406 12.30128,11.78874 21.52724,11.78874 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient16886);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4310-3-5"
+ d="m -16.15151,110.30285 c 9.2259603,8.20085 13.3263803,37.92894 13.3263803,37.92894 0,0 4.10043,-29.72809 11.27617,-38.44149 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#729fcf;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4312-3-1"
+ d="m -9.5424097,113.37817 c 0,0 -6.2376303,4.81404 -5.7002703,10.61349 -5.91841,-5.22129 -6.08846,-15.22647 -6.08846,-15.22647 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.21518986;fill:none;stroke:#ffffff;stroke-width:2.89943814px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path4314-8-7"
+ d="m -18.40849,153.41112 30.42511,-0.0641 c 7.65372,0 15.23122,-2.80644 18.00874,-10.80526 2.63759,-7.59583 -0.27464,-22.06071 -17.38294,-33.76639 l -33.41524,-0.70476 c -17.1083,10.80524 -20.41965,25.58239 -16.41671,34.92137 4.00294,9.33899 9.84421,10.35504 18.78104,10.4191 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#729fcf;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4316-0-4"
+ d="m -20.009013,106.3071 c 0,0 6.23763,4.81404 5.70027,10.61349 5.9184092,-5.22129 6.0884592,-15.22647 6.0884592,-15.22647 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2488-4-9);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4318-4-1"
+ transform="matrix(2.8994389,0,0,2.8994389,-93.90948,45.859526)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2490-3-0);fill-opacity:1;fill-rule:evenodd;stroke:#c17d11;stroke-width:1px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path4320-7-7"
+ transform="matrix(2.8994389,0,0,2.8994389,-93.54705,35.71149)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.19620254;fill:none;stroke:#ffffff;stroke-width:1.14012825px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path4322-6-1"
+ transform="matrix(2.5430833,0,0,2.5430833,-82.4598,42.485353)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient16888);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4354-8-1"
+ d="m -30.18912,153.93669 c -3.61736,-1.58011 -5.23637,-5.38797 -5.23637,-5.38797 2.43925,-11.79821 10.7857,-20.43007 10.7857,-20.43007 0,0 -6.60875,18.58979 -5.54933,25.81804 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient16890);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4364-9-1"
+ d="m 24.62683,151.44795 c 3.56993,-1.68452 5.23168,-5.80562 5.23168,-5.80562 -2.7809,-11.72238 -11.5286,-19.84033 -11.5286,-19.84033 0,0 7.14594,18.38998 6.29692,25.64595 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <g
+ id="g2507-0-7"
+ transform="translate(49.068553,-45.030564)">
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2537-7-8);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2509-6-0"
+ transform="matrix(5.1479827,0,0,2.7810925,-164.41027,100.68378)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient16892);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2511-8-4"
+ d="M 13.245856,91.434387 C 9.6284962,89.854283 8.0094862,86.046427 8.0094862,86.046427 10.448736,74.248216 18.795186,65.616354 18.795186,65.616354 c 0,0 -6.60875,18.589793 -5.54933,25.818033 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient16894);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2513-7-0"
+ d="m -28.06643,114.09678 h 12.30128 l -7.17574,-6.66319 -1.53766,2.05021 -1.53767,-1.53766 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient16896);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2515-9-8"
+ d="m -13.94683,130.64896 c 3.56993,-1.68451 5.2316903,-5.8056 5.2316903,-5.8056 C -11.49605,113.12098 -20.24375,105.00302 -20.24375,105.00302 c 0,0 7.14594,18.38998 6.29692,25.64594 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2545-4-5);fill-opacity:1;fill-rule:evenodd;stroke:#204a87;stroke-width:2.89943886px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2517-0-5"
+ d="m -18.20172,156.43265 h 30.75319 c 8.71341,0 17.34005,-3.19499 20.50213,-12.30129 3.00277,-8.64751 0.51255,-25.11511 -18.96447,-38.44149 h -36.39128 c -19.47702,12.30128 -21.91103,29.12437 -17.42681,38.95404 4.56834,10.01406 12.30128,11.78874 21.52724,11.78874 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient16898);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2519-3-1"
+ d="m -16.15151,110.30285 c 9.2259603,8.20085 13.3263803,37.92894 13.3263803,37.92894 0,0 4.10043,-29.72809 11.27617,-38.44149 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#729fcf;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2521-3-6"
+ d="m -9.5424097,113.37817 c 0,0 -6.2376303,4.81404 -5.7002703,10.61349 -5.91841,-5.22129 -6.08846,-15.22647 -6.08846,-15.22647 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.21518986;fill:none;stroke:#ffffff;stroke-width:2.89943814px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2523-3-6"
+ d="m -18.40849,153.41112 30.42511,-0.0641 c 7.65372,0 15.23122,-2.80644 18.00874,-10.80526 2.63759,-7.59583 -0.27464,-22.06071 -17.38294,-33.76639 l -33.41524,-0.70476 c -17.1083,10.80524 -20.41965,25.58239 -16.41671,34.92137 4.00294,9.33899 9.84421,10.35504 18.78104,10.4191 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#729fcf;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2525-7-2"
+ d="m -20.009013,106.3071 c 0,0 6.23763,4.81404 5.70027,10.61349 5.9184092,-5.22129 6.0884592,-15.22647 6.0884592,-15.22647 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2549-3-8);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2527-3-1"
+ transform="matrix(2.8994389,0,0,2.8994389,-93.90948,45.859526)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2551-1-4);fill-opacity:1;fill-rule:evenodd;stroke:#c17d11;stroke-width:1px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2529-2-9"
+ transform="matrix(2.8994389,0,0,2.8994389,-93.54705,35.71149)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.19620254;fill:none;stroke:#ffffff;stroke-width:1.14012825px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2531-6-6"
+ transform="matrix(2.5430833,0,0,2.5430833,-82.4598,42.485353)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient16900);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2533-5-4"
+ d="m -30.18912,153.93669 c -3.61736,-1.58011 -5.23637,-5.38797 -5.23637,-5.38797 2.43925,-11.79821 10.7857,-20.43007 10.7857,-20.43007 0,0 -6.60875,18.58979 -5.54933,25.81804 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient16902);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2535-2-8"
+ d="m 24.62683,151.44795 c 3.56993,-1.68452 5.23168,-5.80562 5.23168,-5.80562 -2.7809,-11.72238 -11.5286,-19.84033 -11.5286,-19.84033 0,0 7.14594,18.38998 6.29692,25.64595 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <g
+ id="g2557-6-0"
+ transform="translate(45.228443,22.71576)">
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2577-4-3);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2559-5-8"
+ d="m 85.387971,95.699904 c 0.0075,8.102006 -19.95928,14.671276 -44.592125,14.671276 -24.63284,0 -44.5996048,-6.56927 -44.5921197,-14.671276 -0.00749,-8.102001 19.9592797,-14.671277 44.5921197,-14.671277 24.632845,0 44.59961,6.569276 44.592125,14.671277 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2579-6-7);fill-opacity:1;fill-rule:evenodd;stroke:#404604;stroke-width:2.89943886px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2561-8-1"
+ d="m 25.751776,94.433252 h 30.7532 c 8.7134,0 17.34004,-3.194983 20.50212,-12.301276 3.00278,-8.647507 0.51256,-25.115108 -18.96446,-38.441492 H 21.651356 C 2.1743262,55.99176 -0.25968379,72.814858 4.2245462,82.644527 8.7928862,92.658579 16.525816,94.433252 25.751776,94.433252 Z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#9db029;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2563-7-0"
+ d="m 40.455396,51.378784 c 0,0 -6.23763,4.81404 -5.70028,10.613492 -5.91841,-5.221292 -6.08845,-15.226473 -6.08845,-15.226473 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.21518986;fill:none;stroke:#ffffff;stroke-width:2.89943814px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2565-9-2"
+ d="m 26.057566,91.347662 h 29.91256 c 7.65371,0 15.23122,-2.806422 18.00874,-10.805243 2.63758,-7.595834 -0.27465,-22.060711 -17.38295,-33.766392 H 23.180676 C 6.0723762,57.58127 3.2095162,72.358411 7.1483862,80.992635 11.161146,89.78882 17.953636,91.347662 26.057566,91.347662 Z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#9db029;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2567-6-2"
+ d="m 41.292286,52.378784 c 0,0 6.23763,4.81404 5.70027,10.613492 5.91841,-5.221292 6.08845,-15.226473 6.08845,-15.226473 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2581-9-1);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2569-0-9"
+ d="m 65.368498,38.974475 c 0.0042,13.87367 -11.241435,25.122739 -25.115108,25.122739 -13.87367,0 -25.119321,-11.249069 -25.115105,-25.122739 -0.0042,-13.87367 11.241435,-25.122739 25.115105,-25.122739 13.873673,0 25.119324,11.249069 25.115108,25.122739 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2583-4-3);fill-opacity:1;fill-rule:evenodd;stroke:#6f4709;stroke-width:2.89943886px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2571-4-7"
+ d="m 65.730928,28.826439 c 0.0042,13.87367 -11.241435,25.122739 -25.115108,25.122739 -13.87367,0 -25.119321,-11.249069 -25.115105,-25.122739 -0.0042,-13.87367 11.241435,-25.1227391 25.115105,-25.1227391 13.873673,0 25.119324,11.2490691 25.115108,25.1227391 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.12658231;fill:none;stroke:#ffffff;stroke-width:2.89944124px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2573-1-5"
+ d="M 62.644211,28.826474 C 62.647909,40.995 52.784405,50.861502 40.615876,50.861502 28.44735,50.861502 18.583846,40.995 18.587544,28.826474 18.583846,16.657947 28.44735,6.7914452 40.615876,6.7914452 c 12.168529,0 22.032033,9.8665018 22.028335,22.0350288 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient16904);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2575-0-6"
+ d="m 64.967663,92.704432 c 3.61736,-1.5801 5.23637,-5.38796 5.23637,-5.38796 -2.43925,-11.79821 -10.7857,-20.43007 -10.7857,-20.43007 0,0 6.60875,18.58979 5.54933,25.81803 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ </g>
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="185.40884"
+ y="47.840935"
+ id="text11279-4"><tspan
+ sodipodi:role="line"
+ id="tspan11277-6"
+ x="185.40884"
+ y="47.840935"
+ style="stroke-width:0.26458332px">Users</tspan></text>
+ <rect
+ style="opacity:1;fill:none;fill-opacity:1;stroke:#000000;stroke-width:1;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+ id="rect18641"
+ width="163.74255"
+ height="87.017471"
+ x="-6.0818663"
+ y="-3.8184774"
+ rx="5.004303" />
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="125.38002"
+ y="3.0150685"
+ id="text18645"><tspan
+ sodipodi:role="line"
+ id="tspan18643"
+ x="125.38002"
+ y="3.0150685"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:6.3499999px;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;text-align:center;writing-mode:lr-tb;text-anchor:middle;stroke-width:0.26458332px">Previous Situation</tspan></text>
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="189.35762"
+ y="2.7593491"
+ id="text18645-7"><tspan
+ sodipodi:role="line"
+ id="tspan18643-9"
+ x="189.35762"
+ y="2.7593491"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:6.3499999px;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;text-align:center;writing-mode:lr-tb;text-anchor:middle;stroke-width:0.26458332px">New Situation</tspan></text>
+ <rect
+ style="opacity:1;fill:none;fill-opacity:1;stroke:#000000;stroke-width:1;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+ id="rect18641-7"
+ width="163.74255"
+ height="87.017479"
+ x="165.06892"
+ y="-3.8184774"
+ rx="5.004303" />
+ </g>
+</svg>
--- /dev/null
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+ xmlns:dc="http://purl.org/dc/elements/1.1/"
+ xmlns:cc="http://creativecommons.org/ns#"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+ xmlns:svg="http://www.w3.org/2000/svg"
+ xmlns="http://www.w3.org/2000/svg"
+ xmlns:xlink="http://www.w3.org/1999/xlink"
+ xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+ xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+ width="210mm"
+ height="297mm"
+ viewBox="0 0 210 297"
+ version="1.1"
+ id="svg22448"
+ inkscape:version="0.92.1 r"
+ sodipodi:docname="400-410-recursor-scenario-2.svg">
+ <defs
+ id="defs22442">
+ <marker
+ inkscape:isstock="true"
+ style="overflow:visible"
+ id="marker40344"
+ refX="0"
+ refY="0"
+ orient="auto"
+ inkscape:stockid="Arrow1Mend">
+ <path
+ transform="matrix(-0.4,0,0,-0.4,-4,0)"
+ style="fill:#ff0000;fill-opacity:1;fill-rule:evenodd;stroke:#ff0000;stroke-width:1.00000003pt;stroke-opacity:1"
+ d="M 0,0 5,-5 -12.5,0 5,5 Z"
+ id="path40342"
+ inkscape:connector-curvature="0" />
+ </marker>
+ <marker
+ inkscape:isstock="true"
+ style="overflow:visible"
+ id="marker40190"
+ refX="0"
+ refY="0"
+ orient="auto"
+ inkscape:stockid="Arrow1Mstart">
+ <path
+ transform="matrix(0.4,0,0,0.4,4,0)"
+ style="fill:#ff0000;fill-opacity:1;fill-rule:evenodd;stroke:#ff0000;stroke-width:1.00000003pt;stroke-opacity:1"
+ d="M 0,0 5,-5 -12.5,0 5,5 Z"
+ id="path40188"
+ inkscape:connector-curvature="0" />
+ </marker>
+ <radialGradient
+ gradientTransform="matrix(5.1479827,0,0,1.6932259,-119.37178,63.514015)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2502-1-9"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <linearGradient
+ id="linearGradient4509">
+ <stop
+ offset="0"
+ style="stop-color:#000000;stop-opacity:1"
+ id="stop4511" />
+ <stop
+ offset="1"
+ style="stop-color:#000000;stop-opacity:0"
+ id="stop4513" />
+ </linearGradient>
+ <radialGradient
+ gradientTransform="matrix(2.8994389,0,0,1.9771767,-11.538414,17.881498)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4344"
+ id="radialGradient2504-2-5"
+ fy="19.836468"
+ fx="16.214741"
+ r="13.56536"
+ cy="19.836468"
+ cx="16.214741" />
+ <linearGradient
+ id="linearGradient4344">
+ <stop
+ offset="0"
+ style="stop-color:#727e0a;stop-opacity:1"
+ id="stop4346" />
+ <stop
+ offset="1"
+ style="stop-color:#5b6508;stop-opacity:1"
+ id="stop4348" />
+ </linearGradient>
+ <radialGradient
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-49.955974,-16.13986)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2506-4-8"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(2.2847521,0,0,2.2847521,-31.555561,-15.798808)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4338"
+ id="radialGradient2508-9-3"
+ fy="17.064077"
+ fx="29.344931"
+ r="9.1620579"
+ cy="17.064077"
+ cx="29.344931" />
+ <linearGradient
+ id="linearGradient4338">
+ <stop
+ offset="0"
+ style="stop-color:#e9b15e;stop-opacity:1"
+ id="stop4340" />
+ <stop
+ offset="1"
+ style="stop-color:#966416;stop-opacity:1"
+ id="stop4342" />
+ </linearGradient>
+ <radialGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2476-6-3"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <linearGradient
+ id="linearGradient3824">
+ <stop
+ offset="0"
+ style="stop-color:#ffffff;stop-opacity:1"
+ id="stop3826" />
+ <stop
+ offset="1"
+ style="stop-color:#c9c9c9;stop-opacity:1"
+ id="stop3828" />
+ </linearGradient>
+ <radialGradient
+ gradientTransform="matrix(3.7622075,0,0,2.5655134,-117.78202,50.036078)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4163"
+ id="radialGradient2484-0-7"
+ fy="27.203083"
+ fx="28.089741"
+ r="13.56536"
+ cy="27.203083"
+ cx="28.089741" />
+ <linearGradient
+ id="linearGradient4163">
+ <stop
+ offset="0"
+ style="stop-color:#3b74bc;stop-opacity:1"
+ id="stop4165" />
+ <stop
+ offset="1"
+ style="stop-color:#2d5990;stop-opacity:1"
+ id="stop4167" />
+ </linearGradient>
+ <radialGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2488-4-9"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(0.787998,0,0,0.787998,6.221198,3.617627)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient3800"
+ id="radialGradient2490-3-0"
+ fy="17.064077"
+ fx="29.344931"
+ r="9.1620579"
+ cy="17.064077"
+ cx="29.344931" />
+ <linearGradient
+ id="linearGradient3800">
+ <stop
+ offset="0"
+ style="stop-color:#f4d9b1;stop-opacity:1"
+ id="stop3802" />
+ <stop
+ offset="1"
+ style="stop-color:#df9725;stop-opacity:1"
+ id="stop3804" />
+ </linearGradient>
+ <radialGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2537-7-8"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(3.7622075,0,0,2.5655134,-117.78202,50.036078)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4163"
+ id="radialGradient2545-4-5"
+ fy="27.203083"
+ fx="28.089741"
+ r="13.56536"
+ cy="27.203083"
+ cx="28.089741" />
+ <radialGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2549-3-8"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(0.787998,0,0,0.787998,6.221198,3.617627)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient3800"
+ id="radialGradient2551-1-4"
+ fy="17.064077"
+ fx="29.344931"
+ r="9.1620579"
+ cy="17.064077"
+ cx="29.344931" />
+ <radialGradient
+ gradientTransform="matrix(5.1479827,0,0,1.6932259,-119.37178,63.514015)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2577-4-3"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(2.8994389,0,0,1.9771767,-11.538414,17.881498)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4344"
+ id="radialGradient2579-6-7"
+ fy="19.836468"
+ fx="16.214741"
+ r="13.56536"
+ cy="19.836468"
+ cx="16.214741" />
+ <radialGradient
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-49.955974,-16.13986)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2581-9-1"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(2.2847521,0,0,2.2847521,-31.555561,-15.798808)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4338"
+ id="radialGradient2583-4-3"
+ fy="17.064077"
+ fx="29.344931"
+ r="9.1620579"
+ cy="17.064077"
+ cx="29.344931" />
+ <linearGradient
+ gradientTransform="translate(69,155)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13495-0-5"
+ y2="-379.26862"
+ x2="266.36395"
+ y1="-392.30591"
+ x1="228.50261" />
+ <linearGradient
+ id="linearGradient4412">
+ <stop
+ offset="0"
+ style="stop-color:#ffffff;stop-opacity:1"
+ id="stop4414" />
+ <stop
+ offset="1"
+ style="stop-color:#ffffff;stop-opacity:0"
+ id="stop4416" />
+ </linearGradient>
+ <linearGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13497-1-5"
+ y2="-388.55029"
+ x2="245.82706"
+ y1="-393.4072"
+ x1="240.07379" />
+ <linearGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13499-9-7"
+ y2="-385.35165"
+ x2="252.69785"
+ y1="-391.31381"
+ x1="246.74042" />
+ <linearGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13501-6-0"
+ y2="-386.95901"
+ x2="235.25652"
+ y1="-390.43951"
+ x1="230.87598" />
+ <linearGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13503-9-8"
+ y2="-382.64539"
+ x2="245.65462"
+ y1="-388.47476"
+ x1="238.00478" />
+ <radialGradient
+ gradientTransform="matrix(0.930946,0,0,0.448244,234.76593,185.03806)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="radialGradient9407-4-3"
+ fy="-343.95554"
+ fx="-229.75"
+ r="14.50138"
+ cy="-343.95554"
+ cx="-229.75" />
+ <radialGradient
+ gradientTransform="matrix(0.930946,0,0,0.448244,250.20343,189.03756)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="radialGradient9522-5-6"
+ fy="-343.95554"
+ fx="-229.75"
+ r="14.50138"
+ cy="-343.95554"
+ cx="-229.75" />
+ <marker
+ inkscape:stockid="Arrow1Mstart"
+ orient="auto"
+ refY="0"
+ refX="0"
+ id="marker9031"
+ style="overflow:visible"
+ inkscape:isstock="true"
+ inkscape:collect="always">
+ <path
+ inkscape:connector-curvature="0"
+ id="path9029"
+ d="M 0,0 5,-5 -12.5,0 5,5 Z"
+ style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1.00000003pt;stroke-opacity:1"
+ transform="matrix(0.4,0,0,0.4,4,0)" />
+ </marker>
+ <marker
+ inkscape:stockid="Arrow1Mend"
+ orient="auto"
+ refY="0"
+ refX="0"
+ id="marker9095"
+ style="overflow:visible"
+ inkscape:isstock="true"
+ inkscape:collect="always">
+ <path
+ inkscape:connector-curvature="0"
+ id="path9093"
+ d="M 0,0 5,-5 -12.5,0 5,5 Z"
+ style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1.00000003pt;stroke-opacity:1"
+ transform="matrix(-0.4,0,0,-0.4,-4,0)" />
+ </marker>
+ <marker
+ inkscape:isstock="true"
+ style="overflow:visible"
+ id="marker8927"
+ refX="0"
+ refY="0"
+ orient="auto"
+ inkscape:stockid="Arrow1Mstart"
+ inkscape:collect="always">
+ <path
+ inkscape:connector-curvature="0"
+ transform="matrix(0.4,0,0,0.4,4,0)"
+ style="fill:#ff0000;fill-opacity:1;fill-rule:evenodd;stroke:#ff0000;stroke-width:1.00000003pt;stroke-opacity:1"
+ d="M 0,0 5,-5 -12.5,0 5,5 Z"
+ id="path8925" />
+ </marker>
+ <marker
+ inkscape:isstock="true"
+ style="overflow:visible"
+ id="marker8875"
+ refX="0"
+ refY="0"
+ orient="auto"
+ inkscape:stockid="Arrow1Mend"
+ inkscape:collect="always">
+ <path
+ inkscape:connector-curvature="0"
+ transform="matrix(-0.4,0,0,-0.4,-4,0)"
+ style="fill:#ff0000;fill-opacity:1;fill-rule:evenodd;stroke:#ff0000;stroke-width:1.00000003pt;stroke-opacity:1"
+ d="M 0,0 5,-5 -12.5,0 5,5 Z"
+ id="path8873" />
+ </marker>
+ <marker
+ inkscape:stockid="Arrow1Mstart"
+ orient="auto"
+ refY="0"
+ refX="0"
+ id="Arrow1Mstart"
+ style="overflow:visible"
+ inkscape:isstock="true"
+ inkscape:collect="always">
+ <path
+ inkscape:connector-curvature="0"
+ id="path8505"
+ d="M 0,0 5,-5 -12.5,0 5,5 Z"
+ style="fill:#ff0000;fill-opacity:1;fill-rule:evenodd;stroke:#ff0000;stroke-width:1.00000003pt;stroke-opacity:1"
+ transform="matrix(0.4,0,0,0.4,4,0)" />
+ </marker>
+ <marker
+ inkscape:stockid="Arrow1Mend"
+ orient="auto"
+ refY="0"
+ refX="0"
+ id="Arrow1Mend"
+ style="overflow:visible"
+ inkscape:isstock="true"
+ inkscape:collect="always">
+ <path
+ inkscape:connector-curvature="0"
+ id="path8508"
+ d="M 0,0 5,-5 -12.5,0 5,5 Z"
+ style="fill:#ff0000;fill-opacity:1;fill-rule:evenodd;stroke:#ff0000;stroke-width:1.00000003pt;stroke-opacity:1"
+ transform="matrix(-0.4,0,0,-0.4,-4,0)" />
+ </marker>
+ <radialGradient
+ gradientTransform="matrix(5.1479827,0,0,1.6932259,-119.37178,63.514015)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2502-1"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(2.8994389,0,0,1.9771767,-11.538414,17.881498)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4344"
+ id="radialGradient2504-2"
+ fy="19.836468"
+ fx="16.214741"
+ r="13.56536"
+ cy="19.836468"
+ cx="16.214741" />
+ <radialGradient
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-49.955974,-16.13986)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2506-4"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(2.2847521,0,0,2.2847521,-31.555561,-15.798808)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4338"
+ id="radialGradient2508-9"
+ fy="17.064077"
+ fx="29.344931"
+ r="9.1620579"
+ cy="17.064077"
+ cx="29.344931" />
+ <radialGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2476-6"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(3.7622075,0,0,2.5655134,-117.78202,50.036078)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4163"
+ id="radialGradient2484-0"
+ fy="27.203083"
+ fx="28.089741"
+ r="13.56536"
+ cy="27.203083"
+ cx="28.089741" />
+ <radialGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2488-4"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(0.787998,0,0,0.787998,6.221198,3.617627)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient3800"
+ id="radialGradient2490-3"
+ fy="17.064077"
+ fx="29.344931"
+ r="9.1620579"
+ cy="17.064077"
+ cx="29.344931" />
+ <radialGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2537-7"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(3.7622075,0,0,2.5655134,-117.78202,50.036078)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4163"
+ id="radialGradient2545-4"
+ fy="27.203083"
+ fx="28.089741"
+ r="13.56536"
+ cy="27.203083"
+ cx="28.089741" />
+ <radialGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2549-3"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(0.787998,0,0,0.787998,6.221198,3.617627)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient3800"
+ id="radialGradient2551-1"
+ fy="17.064077"
+ fx="29.344931"
+ r="9.1620579"
+ cy="17.064077"
+ cx="29.344931" />
+ <radialGradient
+ gradientTransform="matrix(5.1479827,0,0,1.6932259,-119.37178,63.514015)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2577-4"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(2.8994389,0,0,1.9771767,-11.538414,17.881498)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4344"
+ id="radialGradient2579-6"
+ fy="19.836468"
+ fx="16.214741"
+ r="13.56536"
+ cy="19.836468"
+ cx="16.214741" />
+ <radialGradient
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-49.955974,-16.13986)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2581-9"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(2.2847521,0,0,2.2847521,-31.555561,-15.798808)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4338"
+ id="radialGradient2583-4"
+ fy="17.064077"
+ fx="29.344931"
+ r="9.1620579"
+ cy="17.064077"
+ cx="29.344931" />
+ <radialGradient
+ gradientTransform="matrix(0.930946,0,0,0.448244,234.76593,185.03806)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="radialGradient9407-4"
+ fy="-343.95554"
+ fx="-229.75"
+ r="14.50138"
+ cy="-343.95554"
+ cx="-229.75" />
+ <radialGradient
+ gradientTransform="matrix(0.930946,0,0,0.448244,250.20343,189.03756)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="radialGradient9522-5"
+ fy="-343.95554"
+ fx="-229.75"
+ r="14.50138"
+ cy="-343.95554"
+ cx="-229.75" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient5048"
+ id="linearGradient6293"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.774389,0,0,1.969706,-1892.179,-872.8854)"
+ x1="302.85715"
+ y1="366.64789"
+ x2="302.85715"
+ y2="609.50507" />
+ <linearGradient
+ id="linearGradient5048">
+ <stop
+ offset="0"
+ style="stop-color:#000000;stop-opacity:0"
+ id="stop5050" />
+ <stop
+ offset="0.5"
+ style="stop-color:#000000;stop-opacity:1"
+ id="stop5056" />
+ <stop
+ offset="1"
+ style="stop-color:#000000;stop-opacity:0"
+ id="stop5052" />
+ </linearGradient>
+ <radialGradient
+ gradientTransform="matrix(2.774389,0,0,1.969706,-1891.633,-872.8854)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient25153-3"
+ fy="486.64789"
+ fx="605.71429"
+ r="117.14286"
+ cy="486.64789"
+ cx="605.71429" />
+ <radialGradient
+ gradientTransform="matrix(-2.774389,0,0,1.969706,112.7623,-872.8854)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient25155-0"
+ fy="486.64789"
+ fx="605.71429"
+ r="117.14286"
+ cy="486.64789"
+ cx="605.71429" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4386"
+ id="linearGradient6295"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8415131,0,0,2.83799,-5.3545917,0.4858861)"
+ x1="24.349752"
+ y1="34.463955"
+ x2="23.233509"
+ y2="10.018264" />
+ <linearGradient
+ id="linearGradient4386">
+ <stop
+ offset="0"
+ style="stop-color:#d2d2d2;stop-opacity:1"
+ id="stop4388" />
+ <stop
+ offset="1"
+ style="stop-color:#dfdfdf;stop-opacity:1"
+ id="stop4390" />
+ </linearGradient>
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient6297"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.7372324,0,0,2.2504624,-5.011313,14.556065)"
+ x1="27.324621"
+ y1="26.887815"
+ x2="22.311644"
+ y2="26.7868" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient6301"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,2.5545053,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient6303"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,8.2277282,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient6305"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,13.900977,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient6307"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,19.574225,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient6309"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,25.247609,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient6311"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,30.92086,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient6313"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,-0.2821563,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient6315"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,5.3911289,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient6317"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,11.06438,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient6319"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,16.737631,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient6321"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,22.410835,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient6323"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,28.084322,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <radialGradient
+ gradientTransform="matrix(2.774389,0,0,1.969706,-1891.633,-872.8854)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient25153-4"
+ fy="486.64789"
+ fx="605.71429"
+ r="117.14286"
+ cy="486.64789"
+ cx="605.71429" />
+ <radialGradient
+ gradientTransform="matrix(-2.774389,0,0,1.969706,112.7623,-872.8854)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient25155-7"
+ fy="486.64789"
+ fx="605.71429"
+ r="117.14286"
+ cy="486.64789"
+ cx="605.71429" />
+ <radialGradient
+ gradientTransform="matrix(2.774389,0,0,1.969706,-1891.633,-872.8854)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient25153"
+ fy="486.64789"
+ fx="605.71429"
+ r="117.14286"
+ cy="486.64789"
+ cx="605.71429" />
+ <radialGradient
+ gradientTransform="matrix(-2.774389,0,0,1.969706,112.7623,-872.8854)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient25155"
+ fy="486.64789"
+ fx="605.71429"
+ r="117.14286"
+ cy="486.64789"
+ cx="605.71429" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient24632"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="translate(69,155)"
+ x1="228.50261"
+ y1="-392.30591"
+ x2="266.36395"
+ y2="-379.26862" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient24634"
+ gradientUnits="userSpaceOnUse"
+ x1="240.07379"
+ y1="-393.4072"
+ x2="245.82706"
+ y2="-388.55029" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient24636"
+ gradientUnits="userSpaceOnUse"
+ x1="246.74042"
+ y1="-391.31381"
+ x2="252.69785"
+ y2="-385.35165" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient24638"
+ gradientUnits="userSpaceOnUse"
+ x1="230.87598"
+ y1="-390.43951"
+ x2="235.25652"
+ y2="-386.95901" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient24640"
+ gradientUnits="userSpaceOnUse"
+ x1="238.00478"
+ y1="-388.47476"
+ x2="245.65462"
+ y2="-382.64539" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient24642"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="translate(-34.00007,207.0001)"
+ x1="271.0217"
+ y1="-441.05182"
+ x2="285.02859"
+ y2="-431.96991" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient24644"
+ gradientUnits="userSpaceOnUse"
+ x1="287.5173"
+ y1="-439.75281"
+ x2="289.67633"
+ y2="-436.32199" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient24646"
+ gradientUnits="userSpaceOnUse"
+ x1="286.51172"
+ y1="-441.29074"
+ x2="289.85379"
+ y2="-436.14453" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient24648"
+ gradientUnits="userSpaceOnUse"
+ x1="285.94086"
+ y1="-439.939"
+ x2="289.39124"
+ y2="-436.4429" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient24650"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="translate(-35.00007,207.0001)"
+ x1="275.94193"
+ y1="-437.10501"
+ x2="279.97546"
+ y2="-431.91833" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient24652"
+ gradientUnits="userSpaceOnUse"
+ x1="286.66589"
+ y1="-439.48358"
+ x2="289.76562"
+ y2="-436.70703" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient24654"
+ gradientUnits="userSpaceOnUse"
+ x1="284.80219"
+ y1="-441.23294"
+ x2="288.89954"
+ y2="-436.83109" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient24656"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="translate(-34.00007,207.0001)"
+ x1="271.0217"
+ y1="-441.05182"
+ x2="285.02859"
+ y2="-431.96991" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient24658"
+ gradientUnits="userSpaceOnUse"
+ x1="287.5173"
+ y1="-439.75281"
+ x2="289.67633"
+ y2="-436.32199" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient24660"
+ gradientUnits="userSpaceOnUse"
+ x1="286.51172"
+ y1="-441.29074"
+ x2="289.85379"
+ y2="-436.14453" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient24662"
+ gradientUnits="userSpaceOnUse"
+ x1="285.94086"
+ y1="-439.939"
+ x2="289.39124"
+ y2="-436.4429" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient24664"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="translate(-35.00007,207.0001)"
+ x1="275.94193"
+ y1="-437.10501"
+ x2="279.97546"
+ y2="-431.91833" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient24666"
+ gradientUnits="userSpaceOnUse"
+ x1="286.66589"
+ y1="-439.48358"
+ x2="289.76562"
+ y2="-436.70703" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient24668"
+ gradientUnits="userSpaceOnUse"
+ x1="284.80219"
+ y1="-441.23294"
+ x2="288.89954"
+ y2="-436.83109" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient24670"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(-2.8512357,0.5265033,0.5265033,2.8512357,110.25711,-33.208531)"
+ x1="20.661695"
+ y1="35.817974"
+ x2="22.626925"
+ y2="36.217758" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient24672"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8512357,0.5265033,-0.5265033,2.8512357,-32.043584,-34.478579)"
+ x1="20.661695"
+ y1="35.817974"
+ x2="22.626925"
+ y2="36.217758" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient3824"
+ id="linearGradient24674"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-129.55196,15.415418)"
+ x1="30.935921"
+ y1="29.553486"
+ x2="30.935921"
+ y2="35.803486" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient24676"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(-2.8347379,0.6090996,0.6090996,2.8347379,27.6662,3.4736145)"
+ x1="22.686766"
+ y1="36.3904"
+ x2="21.408455"
+ y2="35.739632" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient3824"
+ id="linearGradient24678"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-93.54705,35.71149)"
+ x1="30.935921"
+ y1="29.553486"
+ x2="30.935921"
+ y2="35.803486" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient24680"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8512357,0.5265033,-0.5265033,2.8512357,-75.47857,28.023726)"
+ x1="20.661695"
+ y1="35.817974"
+ x2="22.626925"
+ y2="36.217758" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient24682"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(-2.8347379,0.6090996,0.6090996,2.8347379,66.23987,24.272598)"
+ x1="22.686766"
+ y1="36.3904"
+ x2="21.408455"
+ y2="35.739632" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient24684"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8512357,0.5265033,-0.5265033,2.8512357,-32.043584,-34.478579)"
+ x1="20.661695"
+ y1="35.817974"
+ x2="22.626925"
+ y2="36.217758" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient3824"
+ id="linearGradient24686"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-129.55196,15.415418)"
+ x1="30.935921"
+ y1="29.553486"
+ x2="30.935921"
+ y2="35.803486" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient24688"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(-2.8347379,0.6090996,0.6090996,2.8347379,27.6662,3.4736145)"
+ x1="22.686766"
+ y1="36.3904"
+ x2="21.408455"
+ y2="35.739632" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient3824"
+ id="linearGradient24690"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-93.54705,35.71149)"
+ x1="30.935921"
+ y1="29.553486"
+ x2="30.935921"
+ y2="35.803486" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient24692"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8512357,0.5265033,-0.5265033,2.8512357,-75.47857,28.023726)"
+ x1="20.661695"
+ y1="35.817974"
+ x2="22.626925"
+ y2="36.217758" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient24694"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(-2.8347379,0.6090996,0.6090996,2.8347379,66.23987,24.272598)"
+ x1="22.686766"
+ y1="36.3904"
+ x2="21.408455"
+ y2="35.739632" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient24696"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(-2.8512357,0.5265033,0.5265033,2.8512357,110.25711,-33.208531)"
+ x1="20.661695"
+ y1="35.817974"
+ x2="22.626925"
+ y2="36.217758" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient5048"
+ id="linearGradient6293-2"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.774389,0,0,1.969706,-1892.179,-872.8854)"
+ x1="302.85715"
+ y1="366.64789"
+ x2="302.85715"
+ y2="609.50507" />
+ <radialGradient
+ gradientTransform="matrix(2.774389,0,0,1.969706,-1891.633,-872.8854)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient25153-3-6"
+ fy="486.64789"
+ fx="605.71429"
+ r="117.14286"
+ cy="486.64789"
+ cx="605.71429" />
+ <radialGradient
+ gradientTransform="matrix(-2.774389,0,0,1.969706,112.7623,-872.8854)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient25155-0-4"
+ fy="486.64789"
+ fx="605.71429"
+ r="117.14286"
+ cy="486.64789"
+ cx="605.71429" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4386"
+ id="linearGradient25022"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8415131,0,0,2.83799,-5.3545917,0.4858861)"
+ x1="24.349752"
+ y1="34.463955"
+ x2="23.233509"
+ y2="10.018264" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient25024"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.7372324,0,0,2.2504624,-5.011313,14.556065)"
+ x1="27.324621"
+ y1="26.887815"
+ x2="22.311644"
+ y2="26.7868" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient25026"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.7372324,0,0,2.2504624,-5.011313,14.556065)"
+ x1="27.324621"
+ y1="26.887815"
+ x2="22.311644"
+ y2="26.7868" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient25028"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,2.5545053,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient25030"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,8.2277282,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient25032"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,13.900977,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient25034"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,19.574225,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient25036"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,25.247609,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient25038"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,30.92086,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient25040"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,-0.2821563,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient25042"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,5.3911289,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient25044"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,11.06438,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient25046"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,16.737631,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient25048"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,22.410835,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient25050"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,28.084322,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <marker
+ inkscape:stockid="Arrow1Mstart"
+ orient="auto"
+ refY="0"
+ refX="0"
+ id="Arrow1Mstart-2"
+ style="overflow:visible"
+ inkscape:isstock="true"
+ inkscape:collect="always">
+ <path
+ inkscape:connector-curvature="0"
+ id="path8505-1"
+ d="M 0,0 5,-5 -12.5,0 5,5 Z"
+ style="fill:#00ffff;fill-opacity:1;fill-rule:evenodd;stroke:#00ffff;stroke-width:1.00000003pt;stroke-opacity:1"
+ transform="matrix(0.4,0,0,0.4,4,0)" />
+ </marker>
+ <marker
+ inkscape:stockid="Arrow1Mend"
+ orient="auto"
+ refY="0"
+ refX="0"
+ id="Arrow1Mend-7"
+ style="overflow:visible"
+ inkscape:isstock="true"
+ inkscape:collect="always">
+ <path
+ inkscape:connector-curvature="0"
+ id="path8508-5"
+ d="M 0,0 5,-5 -12.5,0 5,5 Z"
+ style="fill:#00ffff;fill-opacity:1;fill-rule:evenodd;stroke:#00ffff;stroke-width:1.00000003pt;stroke-opacity:1"
+ transform="matrix(-0.4,0,0,-0.4,-4,0)" />
+ </marker>
+ <radialGradient
+ gradientTransform="matrix(2.774389,0,0,1.969706,-1891.633,-872.8854)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient25153-3-6-8"
+ fy="486.64789"
+ fx="605.71429"
+ r="117.14286"
+ cy="486.64789"
+ cx="605.71429" />
+ <radialGradient
+ gradientTransform="matrix(-2.774389,0,0,1.969706,112.7623,-872.8854)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient25155-0-4-2"
+ fy="486.64789"
+ fx="605.71429"
+ r="117.14286"
+ cy="486.64789"
+ cx="605.71429" />
+ <marker
+ inkscape:stockid="Arrow1Mstart"
+ orient="auto"
+ refY="0"
+ refX="0"
+ id="marker9031-7"
+ style="overflow:visible"
+ inkscape:isstock="true">
+ <path
+ inkscape:connector-curvature="0"
+ id="path9029-9"
+ d="M 0,0 5,-5 -12.5,0 5,5 Z"
+ style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1.00000003pt;stroke-opacity:1"
+ transform="matrix(0.4,0,0,0.4,4,0)" />
+ </marker>
+ <marker
+ inkscape:stockid="Arrow1Mend"
+ orient="auto"
+ refY="0"
+ refX="0"
+ id="marker9095-7"
+ style="overflow:visible"
+ inkscape:isstock="true">
+ <path
+ inkscape:connector-curvature="0"
+ id="path9093-2"
+ d="M 0,0 5,-5 -12.5,0 5,5 Z"
+ style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1.00000003pt;stroke-opacity:1"
+ transform="matrix(-0.4,0,0,-0.4,-4,0)" />
+ </marker>
+ <radialGradient
+ gradientTransform="matrix(5.1479827,0,0,1.6932259,-119.37178,63.514015)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2502-1-5"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(2.8994389,0,0,1.9771767,-11.538414,17.881498)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4344"
+ id="radialGradient2504-2-0"
+ fy="19.836468"
+ fx="16.214741"
+ r="13.56536"
+ cy="19.836468"
+ cx="16.214741" />
+ <radialGradient
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-49.955974,-16.13986)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2506-4-4"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(2.2847521,0,0,2.2847521,-31.555561,-15.798808)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4338"
+ id="radialGradient2508-9-6"
+ fy="17.064077"
+ fx="29.344931"
+ r="9.1620579"
+ cy="17.064077"
+ cx="29.344931" />
+ <radialGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2476-6-2"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(3.7622075,0,0,2.5655134,-117.78202,50.036078)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4163"
+ id="radialGradient2484-0-9"
+ fy="27.203083"
+ fx="28.089741"
+ r="13.56536"
+ cy="27.203083"
+ cx="28.089741" />
+ <radialGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2488-4-6"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(0.787998,0,0,0.787998,6.221198,3.617627)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient3800"
+ id="radialGradient2490-3-08"
+ fy="17.064077"
+ fx="29.344931"
+ r="9.1620579"
+ cy="17.064077"
+ cx="29.344931" />
+ <radialGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2537-7-82"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(3.7622075,0,0,2.5655134,-117.78202,50.036078)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4163"
+ id="radialGradient2545-4-1"
+ fy="27.203083"
+ fx="28.089741"
+ r="13.56536"
+ cy="27.203083"
+ cx="28.089741" />
+ <radialGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2549-3-0"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(0.787998,0,0,0.787998,6.221198,3.617627)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient3800"
+ id="radialGradient2551-1-5"
+ fy="17.064077"
+ fx="29.344931"
+ r="9.1620579"
+ cy="17.064077"
+ cx="29.344931" />
+ <radialGradient
+ gradientTransform="matrix(5.1479827,0,0,1.6932259,-119.37178,63.514015)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2577-4-8"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(2.8994389,0,0,1.9771767,-11.538414,17.881498)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4344"
+ id="radialGradient2579-6-5"
+ fy="19.836468"
+ fx="16.214741"
+ r="13.56536"
+ cy="19.836468"
+ cx="16.214741" />
+ <radialGradient
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-49.955974,-16.13986)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2581-9-5"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(2.2847521,0,0,2.2847521,-31.555561,-15.798808)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4338"
+ id="radialGradient2583-4-0"
+ fy="17.064077"
+ fx="29.344931"
+ r="9.1620579"
+ cy="17.064077"
+ cx="29.344931" />
+ <radialGradient
+ gradientTransform="matrix(0.930946,0,0,0.448244,234.76593,185.03806)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="radialGradient9407-4-1"
+ fy="-343.95554"
+ fx="-229.75"
+ r="14.50138"
+ cy="-343.95554"
+ cx="-229.75" />
+ <radialGradient
+ gradientTransform="matrix(0.930946,0,0,0.448244,250.20343,189.03756)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="radialGradient9522-5-3"
+ fy="-343.95554"
+ fx="-229.75"
+ r="14.50138"
+ cy="-343.95554"
+ cx="-229.75" />
+ <radialGradient
+ gradientTransform="matrix(2.774389,0,0,1.969706,-1891.633,-872.8854)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient25153-3-0"
+ fy="486.64789"
+ fx="605.71429"
+ r="117.14286"
+ cy="486.64789"
+ cx="605.71429" />
+ <radialGradient
+ gradientTransform="matrix(-2.774389,0,0,1.969706,112.7623,-872.8854)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient25155-0-6"
+ fy="486.64789"
+ fx="605.71429"
+ r="117.14286"
+ cy="486.64789"
+ cx="605.71429" />
+ <radialGradient
+ gradientTransform="matrix(5.1479827,0,0,1.6932259,-119.37178,63.514015)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2502-1-9-0"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(2.8994389,0,0,1.9771767,-11.538414,17.881498)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4344"
+ id="radialGradient2504-2-5-8"
+ fy="19.836468"
+ fx="16.214741"
+ r="13.56536"
+ cy="19.836468"
+ cx="16.214741" />
+ <radialGradient
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-49.955974,-16.13986)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2506-4-8-9"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(2.2847521,0,0,2.2847521,-31.555561,-15.798808)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4338"
+ id="radialGradient2508-9-3-9"
+ fy="17.064077"
+ fx="29.344931"
+ r="9.1620579"
+ cy="17.064077"
+ cx="29.344931" />
+ <radialGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2476-6-3-2"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(3.7622075,0,0,2.5655134,-117.78202,50.036078)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4163"
+ id="radialGradient2484-0-7-0"
+ fy="27.203083"
+ fx="28.089741"
+ r="13.56536"
+ cy="27.203083"
+ cx="28.089741" />
+ <radialGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2488-4-9-0"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(0.787998,0,0,0.787998,6.221198,3.617627)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient3800"
+ id="radialGradient2490-3-0-0"
+ fy="17.064077"
+ fx="29.344931"
+ r="9.1620579"
+ cy="17.064077"
+ cx="29.344931" />
+ <radialGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2537-7-8-9"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(3.7622075,0,0,2.5655134,-117.78202,50.036078)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4163"
+ id="radialGradient2545-4-5-0"
+ fy="27.203083"
+ fx="28.089741"
+ r="13.56536"
+ cy="27.203083"
+ cx="28.089741" />
+ <radialGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2549-3-8-8"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(0.787998,0,0,0.787998,6.221198,3.617627)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient3800"
+ id="radialGradient2551-1-4-3"
+ fy="17.064077"
+ fx="29.344931"
+ r="9.1620579"
+ cy="17.064077"
+ cx="29.344931" />
+ <radialGradient
+ gradientTransform="matrix(5.1479827,0,0,1.6932259,-119.37178,63.514015)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2577-4-3-8"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(2.8994389,0,0,1.9771767,-11.538414,17.881498)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4344"
+ id="radialGradient2579-6-7-7"
+ fy="19.836468"
+ fx="16.214741"
+ r="13.56536"
+ cy="19.836468"
+ cx="16.214741" />
+ <radialGradient
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-49.955974,-16.13986)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient2581-9-1-3"
+ fy="19.008621"
+ fx="31.112698"
+ r="8.6620579"
+ cy="19.008621"
+ cx="31.112698" />
+ <radialGradient
+ gradientTransform="matrix(2.2847521,0,0,2.2847521,-31.555561,-15.798808)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4338"
+ id="radialGradient2583-4-3-1"
+ fy="17.064077"
+ fx="29.344931"
+ r="9.1620579"
+ cy="17.064077"
+ cx="29.344931" />
+ <marker
+ inkscape:stockid="Arrow1Mstart"
+ orient="auto"
+ refY="0"
+ refX="0"
+ id="Arrow1Mstart-9-6"
+ style="overflow:visible"
+ inkscape:isstock="true"
+ inkscape:collect="always">
+ <path
+ inkscape:connector-curvature="0"
+ id="path8505-2-0"
+ d="M 0,0 5,-5 -12.5,0 5,5 Z"
+ style="fill:#ff0000;fill-opacity:1;fill-rule:evenodd;stroke:#ff0000;stroke-width:1.00000003pt;stroke-opacity:1"
+ transform="matrix(0.4,0,0,0.4,4,0)" />
+ </marker>
+ <marker
+ inkscape:stockid="Arrow1Mend"
+ orient="auto"
+ refY="0"
+ refX="0"
+ id="Arrow1Mend-8-9"
+ style="overflow:visible"
+ inkscape:isstock="true"
+ inkscape:collect="always">
+ <path
+ inkscape:connector-curvature="0"
+ id="path8508-3-7"
+ d="M 0,0 5,-5 -12.5,0 5,5 Z"
+ style="fill:#ff0000;fill-opacity:1;fill-rule:evenodd;stroke:#ff0000;stroke-width:1.00000003pt;stroke-opacity:1"
+ transform="matrix(-0.4,0,0,-0.4,-4,0)" />
+ </marker>
+ <marker
+ inkscape:isstock="true"
+ style="overflow:visible"
+ id="marker8927-7"
+ refX="0"
+ refY="0"
+ orient="auto"
+ inkscape:stockid="Arrow1Mstart"
+ inkscape:collect="always">
+ <path
+ inkscape:connector-curvature="0"
+ transform="matrix(0.4,0,0,0.4,4,0)"
+ style="fill:#ff0000;fill-opacity:1;fill-rule:evenodd;stroke:#ff0000;stroke-width:1.00000003pt;stroke-opacity:1"
+ d="M 0,0 5,-5 -12.5,0 5,5 Z"
+ id="path8925-8" />
+ </marker>
+ <marker
+ inkscape:isstock="true"
+ style="overflow:visible"
+ id="marker8875-8"
+ refX="0"
+ refY="0"
+ orient="auto"
+ inkscape:stockid="Arrow1Mend"
+ inkscape:collect="always">
+ <path
+ inkscape:connector-curvature="0"
+ transform="matrix(-0.4,0,0,-0.4,-4,0)"
+ style="fill:#ff0000;fill-opacity:1;fill-rule:evenodd;stroke:#ff0000;stroke-width:1.00000003pt;stroke-opacity:1"
+ d="M 0,0 5,-5 -12.5,0 5,5 Z"
+ id="path8873-6" />
+ </marker>
+ <linearGradient
+ gradientTransform="translate(69,155)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13495-0-5-0"
+ y2="-379.26862"
+ x2="266.36395"
+ y1="-392.30591"
+ x1="228.50261" />
+ <linearGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13497-1-5-0"
+ y2="-388.55029"
+ x2="245.82706"
+ y1="-393.4072"
+ x1="240.07379" />
+ <linearGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13499-9-7-3"
+ y2="-385.35165"
+ x2="252.69785"
+ y1="-391.31381"
+ x1="246.74042" />
+ <linearGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13501-6-0-1"
+ y2="-386.95901"
+ x2="235.25652"
+ y1="-390.43951"
+ x1="230.87598" />
+ <linearGradient
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13503-9-8-8"
+ y2="-382.64539"
+ x2="245.65462"
+ y1="-388.47476"
+ x1="238.00478" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13077"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="translate(-34.00007,207.0001)"
+ x1="271.0217"
+ y1="-441.05182"
+ x2="285.02859"
+ y2="-431.96991" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13079"
+ gradientUnits="userSpaceOnUse"
+ x1="287.5173"
+ y1="-439.75281"
+ x2="289.67633"
+ y2="-436.32199" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13081"
+ gradientUnits="userSpaceOnUse"
+ x1="286.51172"
+ y1="-441.29074"
+ x2="289.85379"
+ y2="-436.14453" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13083"
+ gradientUnits="userSpaceOnUse"
+ x1="285.94086"
+ y1="-439.939"
+ x2="289.39124"
+ y2="-436.4429" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13085"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="translate(-35.00007,207.0001)"
+ x1="275.94193"
+ y1="-437.10501"
+ x2="279.97546"
+ y2="-431.91833" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13087"
+ gradientUnits="userSpaceOnUse"
+ x1="286.66589"
+ y1="-439.48358"
+ x2="289.76562"
+ y2="-436.70703" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient13089"
+ gradientUnits="userSpaceOnUse"
+ x1="284.80219"
+ y1="-441.23294"
+ x2="288.89954"
+ y2="-436.83109" />
+ <radialGradient
+ gradientTransform="matrix(0.930946,0,0,0.448244,234.76593,185.03806)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="radialGradient9407-4-3-0"
+ fy="-343.95554"
+ fx="-229.75"
+ r="14.50138"
+ cy="-343.95554"
+ cx="-229.75" />
+ <radialGradient
+ gradientTransform="matrix(0.930946,0,0,0.448244,250.20343,189.03756)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4412"
+ id="radialGradient9522-5-6-1"
+ fy="-343.95554"
+ fx="-229.75"
+ r="14.50138"
+ cy="-343.95554"
+ cx="-229.75" />
+ <marker
+ inkscape:stockid="Arrow1Mstart"
+ orient="auto"
+ refY="0"
+ refX="0"
+ id="Arrow1Mstart-9"
+ style="overflow:visible"
+ inkscape:isstock="true"
+ inkscape:collect="always">
+ <path
+ inkscape:connector-curvature="0"
+ id="path8505-2-7"
+ d="M 0,0 5,-5 -12.5,0 5,5 Z"
+ style="fill:#ff0000;fill-opacity:1;fill-rule:evenodd;stroke:#ff0000;stroke-width:1.00000003pt;stroke-opacity:1"
+ transform="matrix(0.4,0,0,0.4,4,0)" />
+ </marker>
+ <marker
+ inkscape:stockid="Arrow1Mend"
+ orient="auto"
+ refY="0"
+ refX="0"
+ id="Arrow1Mend-8"
+ style="overflow:visible"
+ inkscape:isstock="true"
+ inkscape:collect="always">
+ <path
+ inkscape:connector-curvature="0"
+ id="path8508-3"
+ d="M 0,0 5,-5 -12.5,0 5,5 Z"
+ style="fill:#ff0000;fill-opacity:1;fill-rule:evenodd;stroke:#ff0000;stroke-width:1.00000003pt;stroke-opacity:1"
+ transform="matrix(-0.4,0,0,-0.4,-4,0)" />
+ </marker>
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient5048"
+ id="linearGradient5675"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.774389,0,0,1.969706,-1892.179,-872.8854)"
+ x1="302.85715"
+ y1="366.64789"
+ x2="302.85715"
+ y2="609.50507" />
+ <radialGradient
+ gradientTransform="matrix(2.774389,0,0,1.969706,-1891.633,-872.8854)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient25153-4-3"
+ fy="486.64789"
+ fx="605.71429"
+ r="117.14286"
+ cy="486.64789"
+ cx="605.71429" />
+ <radialGradient
+ gradientTransform="matrix(-2.774389,0,0,1.969706,112.7623,-872.8854)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient25155-7-5"
+ fy="486.64789"
+ fx="605.71429"
+ r="117.14286"
+ cy="486.64789"
+ cx="605.71429" />
+ <radialGradient
+ gradientTransform="matrix(2.774389,0,0,1.969706,-1891.633,-872.8854)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient25153-8"
+ fy="486.64789"
+ fx="605.71429"
+ r="117.14286"
+ cy="486.64789"
+ cx="605.71429" />
+ <radialGradient
+ gradientTransform="matrix(-2.774389,0,0,1.969706,112.7623,-872.8854)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient25155-4"
+ fy="486.64789"
+ fx="605.71429"
+ r="117.14286"
+ cy="486.64789"
+ cx="605.71429" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient5048"
+ id="linearGradient31324"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.774389,0,0,1.969706,-1892.179,-872.8854)"
+ x1="302.85715"
+ y1="366.64789"
+ x2="302.85715"
+ y2="609.50507" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4386"
+ id="linearGradient31326"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8415131,0,0,2.83799,-5.3545917,0.4858861)"
+ x1="24.349752"
+ y1="34.463955"
+ x2="23.233509"
+ y2="10.018264" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient31328"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.7372324,0,0,2.2504624,-5.011313,14.556065)"
+ x1="27.324621"
+ y1="26.887815"
+ x2="22.311644"
+ y2="26.7868" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient31330"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.7372324,0,0,2.2504624,-5.011313,14.556065)"
+ x1="27.324621"
+ y1="26.887815"
+ x2="22.311644"
+ y2="26.7868" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient31332"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,2.5545053,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient31334"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,8.2277282,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient31336"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,13.900977,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient31338"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,19.574225,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient31340"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,25.247609,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient31342"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,30.92086,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient31344"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,-0.2821563,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient31346"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,5.3911289,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient31348"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,11.06438,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient31350"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,16.737631,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient31352"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,22.410835,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient31354"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,28.084322,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4386"
+ id="linearGradient31356"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8415131,0,0,2.83799,-5.3545917,0.4858861)"
+ x1="24.349752"
+ y1="34.463955"
+ x2="23.233509"
+ y2="10.018264" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient31358"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.7372324,0,0,2.2504624,-5.011313,14.556065)"
+ x1="27.324621"
+ y1="26.887815"
+ x2="22.311644"
+ y2="26.7868" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient31360"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.7372324,0,0,2.2504624,-5.011313,14.556065)"
+ x1="27.324621"
+ y1="26.887815"
+ x2="22.311644"
+ y2="26.7868" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient31362"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,2.5545053,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient31364"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,8.2277282,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient31366"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,13.900977,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient31368"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,19.574225,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient31370"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,25.247609,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient31372"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,30.92086,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient31374"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,-0.2821563,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient31376"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,5.3911289,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient31378"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,11.06438,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient31380"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,16.737631,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient31382"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,22.410835,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient31384"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,28.084322,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient31386"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="translate(-34.00007,207.0001)"
+ x1="271.0217"
+ y1="-441.05182"
+ x2="285.02859"
+ y2="-431.96991" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient31388"
+ gradientUnits="userSpaceOnUse"
+ x1="287.5173"
+ y1="-439.75281"
+ x2="289.67633"
+ y2="-436.32199" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient31390"
+ gradientUnits="userSpaceOnUse"
+ x1="286.51172"
+ y1="-441.29074"
+ x2="289.85379"
+ y2="-436.14453" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient31392"
+ gradientUnits="userSpaceOnUse"
+ x1="285.94086"
+ y1="-439.939"
+ x2="289.39124"
+ y2="-436.4429" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient31394"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="translate(-35.00007,207.0001)"
+ x1="275.94193"
+ y1="-437.10501"
+ x2="279.97546"
+ y2="-431.91833" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient31396"
+ gradientUnits="userSpaceOnUse"
+ x1="286.66589"
+ y1="-439.48358"
+ x2="289.76562"
+ y2="-436.70703" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient31398"
+ gradientUnits="userSpaceOnUse"
+ x1="284.80219"
+ y1="-441.23294"
+ x2="288.89954"
+ y2="-436.83109" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient31400"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(-2.8512357,0.5265033,0.5265033,2.8512357,110.25711,-33.208531)"
+ x1="20.661695"
+ y1="35.817974"
+ x2="22.626925"
+ y2="36.217758" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient31402"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8512357,0.5265033,-0.5265033,2.8512357,-32.043584,-34.478579)"
+ x1="20.661695"
+ y1="35.817974"
+ x2="22.626925"
+ y2="36.217758" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient3824"
+ id="linearGradient31404"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-129.55196,15.415418)"
+ x1="30.935921"
+ y1="29.553486"
+ x2="30.935921"
+ y2="35.803486" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient31406"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(-2.8347379,0.6090996,0.6090996,2.8347379,27.6662,3.4736145)"
+ x1="22.686766"
+ y1="36.3904"
+ x2="21.408455"
+ y2="35.739632" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient3824"
+ id="linearGradient31408"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-93.54705,35.71149)"
+ x1="30.935921"
+ y1="29.553486"
+ x2="30.935921"
+ y2="35.803486" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient31410"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8512357,0.5265033,-0.5265033,2.8512357,-75.47857,28.023726)"
+ x1="20.661695"
+ y1="35.817974"
+ x2="22.626925"
+ y2="36.217758" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient31412"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(-2.8347379,0.6090996,0.6090996,2.8347379,66.23987,24.272598)"
+ x1="22.686766"
+ y1="36.3904"
+ x2="21.408455"
+ y2="35.739632" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient31414"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8512357,0.5265033,-0.5265033,2.8512357,-32.043584,-34.478579)"
+ x1="20.661695"
+ y1="35.817974"
+ x2="22.626925"
+ y2="36.217758" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient3824"
+ id="linearGradient31416"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-129.55196,15.415418)"
+ x1="30.935921"
+ y1="29.553486"
+ x2="30.935921"
+ y2="35.803486" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient31418"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(-2.8347379,0.6090996,0.6090996,2.8347379,27.6662,3.4736145)"
+ x1="22.686766"
+ y1="36.3904"
+ x2="21.408455"
+ y2="35.739632" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient3824"
+ id="linearGradient31420"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8994389,0,0,2.8994389,-93.54705,35.71149)"
+ x1="30.935921"
+ y1="29.553486"
+ x2="30.935921"
+ y2="35.803486" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient31422"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8512357,0.5265033,-0.5265033,2.8512357,-75.47857,28.023726)"
+ x1="20.661695"
+ y1="35.817974"
+ x2="22.626925"
+ y2="36.217758" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient31424"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(-2.8347379,0.6090996,0.6090996,2.8347379,66.23987,24.272598)"
+ x1="22.686766"
+ y1="36.3904"
+ x2="21.408455"
+ y2="35.739632" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient31426"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(-2.8512357,0.5265033,0.5265033,2.8512357,110.25711,-33.208531)"
+ x1="20.661695"
+ y1="35.817974"
+ x2="22.626925"
+ y2="36.217758" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient5048"
+ id="linearGradient31324-9"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.774389,0,0,1.969706,-1892.179,-872.8854)"
+ x1="302.85715"
+ y1="366.64789"
+ x2="302.85715"
+ y2="609.50507" />
+ <radialGradient
+ gradientTransform="matrix(2.774389,0,0,1.969706,-1891.633,-872.8854)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient25153-8-4"
+ fy="486.64789"
+ fx="605.71429"
+ r="117.14286"
+ cy="486.64789"
+ cx="605.71429" />
+ <radialGradient
+ gradientTransform="matrix(-2.774389,0,0,1.969706,112.7623,-872.8854)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient25155-4-6"
+ fy="486.64789"
+ fx="605.71429"
+ r="117.14286"
+ cy="486.64789"
+ cx="605.71429" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4386"
+ id="linearGradient34449"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8415131,0,0,2.83799,-5.3545917,0.4858861)"
+ x1="24.349752"
+ y1="34.463955"
+ x2="23.233509"
+ y2="10.018264" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient34451"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.7372324,0,0,2.2504624,-5.011313,14.556065)"
+ x1="27.324621"
+ y1="26.887815"
+ x2="22.311644"
+ y2="26.7868" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient34453"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.7372324,0,0,2.2504624,-5.011313,14.556065)"
+ x1="27.324621"
+ y1="26.887815"
+ x2="22.311644"
+ y2="26.7868" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient34455"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,2.5545053,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient34457"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,8.2277282,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient34459"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,13.900977,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient34461"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,19.574225,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient34463"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,25.247609,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient34465"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,30.92086,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient34467"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,-0.2821563,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient34469"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,5.3911289,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient34471"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,11.06438,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient34473"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,16.737631,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient34475"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,22.410835,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient34477"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,28.084322,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <marker
+ inkscape:stockid="Arrow1Mstart"
+ orient="auto"
+ refY="0"
+ refX="0"
+ id="Arrow1Mstart-9-0"
+ style="overflow:visible"
+ inkscape:isstock="true"
+ inkscape:collect="always">
+ <path
+ inkscape:connector-curvature="0"
+ id="path8505-2-7-5"
+ d="M 0,0 5,-5 -12.5,0 5,5 Z"
+ style="fill:#00ffff;fill-opacity:1;fill-rule:evenodd;stroke:#00ffff;stroke-width:1.00000003pt;stroke-opacity:1"
+ transform="matrix(0.4,0,0,0.4,4,0)" />
+ </marker>
+ <marker
+ inkscape:stockid="Arrow1Mend"
+ orient="auto"
+ refY="0"
+ refX="0"
+ id="Arrow1Mend-8-0"
+ style="overflow:visible"
+ inkscape:isstock="true"
+ inkscape:collect="always">
+ <path
+ inkscape:connector-curvature="0"
+ id="path8508-3-4"
+ d="M 0,0 5,-5 -12.5,0 5,5 Z"
+ style="fill:#00ffff;fill-opacity:1;fill-rule:evenodd;stroke:#00ffff;stroke-width:1.00000003pt;stroke-opacity:1"
+ transform="matrix(-0.4,0,0,-0.4,-4,0)" />
+ </marker>
+ <marker
+ inkscape:stockid="Arrow1Mstart"
+ orient="auto"
+ refY="0"
+ refX="0"
+ id="Arrow1Mstart-2-6"
+ style="overflow:visible"
+ inkscape:isstock="true"
+ inkscape:collect="always">
+ <path
+ inkscape:connector-curvature="0"
+ id="path8505-1-2"
+ d="M 0,0 5,-5 -12.5,0 5,5 Z"
+ style="fill:#00ffff;fill-opacity:1;fill-rule:evenodd;stroke:#00ffff;stroke-width:1.00000003pt;stroke-opacity:1"
+ transform="matrix(0.4,0,0,0.4,4,0)" />
+ </marker>
+ <marker
+ inkscape:stockid="Arrow1Mend"
+ orient="auto"
+ refY="0"
+ refX="0"
+ id="Arrow1Mend-7-1"
+ style="overflow:visible"
+ inkscape:isstock="true"
+ inkscape:collect="always">
+ <path
+ inkscape:connector-curvature="0"
+ id="path8508-5-2"
+ d="M 0,0 5,-5 -12.5,0 5,5 Z"
+ style="fill:#00ffff;fill-opacity:1;fill-rule:evenodd;stroke:#00ffff;stroke-width:1.00000003pt;stroke-opacity:1"
+ transform="matrix(-0.4,0,0,-0.4,-4,0)" />
+ </marker>
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient5048"
+ id="linearGradient6293-2-5"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.774389,0,0,1.969706,-1892.179,-872.8854)"
+ x1="302.85715"
+ y1="366.64789"
+ x2="302.85715"
+ y2="609.50507" />
+ <radialGradient
+ gradientTransform="matrix(2.774389,0,0,1.969706,-1891.633,-872.8854)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient25153-3-6-88"
+ fy="486.64789"
+ fx="605.71429"
+ r="117.14286"
+ cy="486.64789"
+ cx="605.71429" />
+ <radialGradient
+ gradientTransform="matrix(-2.774389,0,0,1.969706,112.7623,-872.8854)"
+ gradientUnits="userSpaceOnUse"
+ xlink:href="#linearGradient4509"
+ id="radialGradient25155-0-4-5"
+ fy="486.64789"
+ fx="605.71429"
+ r="117.14286"
+ cy="486.64789"
+ cx="605.71429" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4386"
+ id="linearGradient40150"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8415131,0,0,2.83799,-5.3545917,0.4858861)"
+ x1="24.349752"
+ y1="34.463955"
+ x2="23.233509"
+ y2="10.018264" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient40152"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.7372324,0,0,2.2504624,-5.011313,14.556065)"
+ x1="27.324621"
+ y1="26.887815"
+ x2="22.311644"
+ y2="26.7868" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient40154"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.7372324,0,0,2.2504624,-5.011313,14.556065)"
+ x1="27.324621"
+ y1="26.887815"
+ x2="22.311644"
+ y2="26.7868" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient40156"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,2.5545053,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient40158"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,8.2277282,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient40160"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,13.900977,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient40162"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,19.574225,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient40164"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,25.247609,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4412"
+ id="linearGradient40166"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,30.92086,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient40168"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,-0.2821563,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient40170"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,5.3911289,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient40172"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,11.06438,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient40174"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,16.737631,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient40176"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,22.410835,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ <linearGradient
+ inkscape:collect="always"
+ xlink:href="#linearGradient4509"
+ id="linearGradient40178"
+ gradientUnits="userSpaceOnUse"
+ gradientTransform="matrix(2.8081147,0,0,2.8081175,28.084322,0.8636252)"
+ x1="16.36447"
+ y1="39.918777"
+ x2="16.36447"
+ y2="30.928421" />
+ </defs>
+ <sodipodi:namedview
+ id="base"
+ pagecolor="#ffffff"
+ bordercolor="#666666"
+ borderopacity="1.0"
+ inkscape:pageopacity="0.0"
+ inkscape:pageshadow="2"
+ inkscape:zoom="0.39990234"
+ inkscape:cx="441.67211"
+ inkscape:cy="919.96737"
+ inkscape:document-units="mm"
+ inkscape:current-layer="layer1"
+ showgrid="false"
+ inkscape:window-width="1276"
+ inkscape:window-height="1399"
+ inkscape:window-x="1280"
+ inkscape:window-y="578"
+ inkscape:window-maximized="0" />
+ <metadata
+ id="metadata22445">
+ <rdf:RDF>
+ <cc:Work
+ rdf:about="">
+ <dc:format>image/svg+xml</dc:format>
+ <dc:type
+ rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+ <dc:title></dc:title>
+ </cc:Work>
+ </rdf:RDF>
+ </metadata>
+ <g
+ inkscape:label="Layer 1"
+ inkscape:groupmode="layer"
+ id="layer1">
+ <g
+ id="g5380-9"
+ transform="matrix(0.26458333,0,0,0.26458333,-30.036005,62.522459)">
+ <g
+ style="display:inline"
+ id="layer1-5-2" />
+ <g
+ style="display:inline"
+ id="layer2-5">
+ <g
+ style="display:inline"
+ id="g6707-4"
+ transform="matrix(0.04030136,0,0,0.05919351,98.269348,107.74796)">
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.40206185;fill:url(#linearGradient6293);fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1;marker:none"
+ id="rect6709-0"
+ y="-150.69685"
+ x="-1559.2523"
+ height="478.35718"
+ width="1339.6335" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.40206185;fill:url(#radialGradient25153-3);fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1;marker:none"
+ id="path6711-5"
+ d="m -219.61876,-150.68038 c 0,0 0,478.33079 0,478.33079 142.874166,0.90045 345.40022,-107.16966 345.40014,-239.196175 0,-132.026537 -159.436816,-239.134595 -345.40014,-239.134615 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.40206185;fill:url(#radialGradient25155-0);fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1;marker:none"
+ id="path6713-9"
+ d="m -1559.2523,-150.68038 c 0,0 0,478.33079 0,478.33079 -142.8742,0.90045 -345.4002,-107.16966 -345.4002,-239.196175 0,-132.026537 159.4368,-239.134595 345.4002,-239.134615 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <path
+ style="fill:url(#linearGradient6295);fill-opacity:1;fill-rule:evenodd;stroke:#5e5e5e;stroke-width:2.83662605px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1"
+ id="path3626-4"
+ d="m 30.069752,22.03729 v 95.17786 H 92.475495 V 21.46393 L 80.994049,9.423358 H 40.977128 Z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#ffffff;fill-opacity:0.65536726;fill-rule:evenodd;stroke:none"
+ id="path5791-6"
+ d="M 41.556086,10.841671 31.488067,25.024802 h 59.56912 l -10.90702,-13.76598 z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.34857142;fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:#ffffff;stroke-width:2.83662605;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4553-9"
+ y="30.698046"
+ x="39.997936"
+ height="11.346502"
+ width="45.386024" />
+ <path
+ style="fill:none;stroke:#ffffff;stroke-width:2.83662724;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+ id="path4394-2"
+ d="M 32.906375,23.771924 V 114.3785 H 89.638911 V 23.248654 L 79.132886,12.260001 H 42.887099 Z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.52571429;fill:url(#linearGradient6297);fill-opacity:1;fill-rule:evenodd;stroke:url(#linearGradient6297);stroke-width:2.83662701;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4408-2"
+ y="67.574181"
+ x="54.181065"
+ height="11.346499"
+ width="31.202894" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:#c8c8c8;fill-opacity:1;fill-rule:evenodd;stroke:#acacac;stroke-width:2.83662534;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4398-4"
+ y="66.155869"
+ x="52.762733"
+ height="11.346502"
+ width="31.202871" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.34857142;fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:#ffffff;stroke-width:2.83662558;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4551-7"
+ y="47.7178"
+ x="39.997952"
+ height="11.346502"
+ width="45.386024" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:#c8c8c8;fill-opacity:1;fill-rule:evenodd;stroke:#acacac;stroke-width:2.83662653;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4430-75"
+ y="46.299488"
+ x="38.579624"
+ height="11.346502"
+ width="45.386032" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:#c8c8c8;fill-opacity:1;fill-rule:evenodd;stroke:#acacac;stroke-width:2.83662605;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4436-4"
+ y="29.279736"
+ x="38.579647"
+ height="11.346502"
+ width="45.386032" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#d40000;fill-opacity:1;fill-rule:evenodd;stroke:#979797;stroke-width:1.44772947;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path4396-8"
+ transform="matrix(1.9593699,0,0,1.9593562,-86.509754,21.850696)"
+ d="m 68.185294,26.231213 a 2.171828,2.171828 0 1 1 -4.343656,0 2.171828,2.171828 0 1 1 4.343656,0 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#f44800;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="path4445-1"
+ transform="matrix(2.5342538,0,0,2.5342343,0.4673221,7.5389146)"
+ d="m 16.667518,25.574614 a 0.5050765,0.5050765 0 1 1 -1.010153,0 0.5050765,0.5050765 0 1 1 1.010153,0 z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient6301);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4457-2"
+ y="84.593979"
+ x="48.507816"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient6303);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4461-8"
+ y="84.593979"
+ x="54.181038"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient6305);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4465-9"
+ y="84.593979"
+ x="59.854286"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient6307);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4469-3"
+ y="84.593979"
+ x="65.527534"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient6309);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4473-6"
+ y="84.593979"
+ x="71.200821"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.54285709;fill:url(#linearGradient6311);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4477-8"
+ y="84.593979"
+ x="76.874069"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.16000001;fill:url(#linearGradient6313);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4481-0"
+ y="84.593979"
+ x="45.671154"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient6315);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4483-2"
+ y="84.593979"
+ x="51.34444"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient6317);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4485-1"
+ y="84.593979"
+ x="57.017693"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient6319);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4487-0"
+ y="84.593979"
+ x="62.690945"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient6321);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4489-5"
+ y="84.593979"
+ x="68.364159"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22857145;fill:url(#linearGradient6323);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4491-1"
+ y="84.593979"
+ x="74.037407"
+ height="28.36627"
+ width="2.8366244" />
+ </g>
+ </g>
+ <g
+ id="g6750-6"
+ transform="matrix(0.26458333,0,0,0.26458333,31.820487,62.855789)">
+ <g
+ style="display:inline"
+ id="layer1-3-9" />
+ <g
+ style="display:inline"
+ id="layer2-4-8">
+ <g
+ id="g12825-7"
+ transform="matrix(2.5313899,0,0,3.0201142,-712.99191,751.20922)">
+ <path
+ style="fill:#555753;fill-opacity:1;stroke:none"
+ id="path12827-2"
+ d="m 311.5,-242.99998 c -2.77242,0 -5.10823,1.57371 -6.40625,3.8125 -0.94436,-0.47504 -1.96519,-0.8125 -3.09375,-0.8125 -3.864,0 -7,3.136 -7,7 0,3.864 3.136,7 7,7 2.41967,0 4.43009,-1.31932 5.6875,-3.1875 1.1342,0.68962 2.38898,1.1875 3.8125,1.1875 0.91312,0 1.75295,-0.23202 2.5625,-0.53125 0.50994,0.86773 1.17912,1.57972 2,2.15625 -0.007,0.13038 -0.0625,0.24282 -0.0625,0.375 0,3.864 3.13599,7 7,7 3.864,0 7,-3.136 7,-7 0,-2.36969 -1.25898,-4.35834 -3.0625,-5.625 0.007,-0.13038 0.0625,-0.24282 0.0625,-0.375 0,-3.864 -3.13599,-7 -7,-7 -0.6227,0 -1.17519,0.22219 -1.75,0.375 -1.19453,-2.55884 -3.74134,-4.375 -6.75,-4.375 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:url(#linearGradient24632);fill-opacity:1;stroke:none"
+ id="path12829-8"
+ d="m 311.5,-241.99998 c -2.78048,0 -5.13451,1.76185 -6.0625,4.21875 -0.98542,-0.70944 -2.13143,-1.21875 -3.4375,-1.21875 -3.312,0 -6,2.688 -6,6 0,3.312 2.688,6 6,6 2.42775,0 4.49324,-1.45558 5.4375,-3.53125 1.12076,0.91756 2.50214,1.53125 4.0625,1.53125 1.07454,0 2.04428,-0.31896 2.9375,-0.78125 0.3984,0.99976 1.10114,1.78632 1.9375,2.4375 -0.18001,0.59562 -0.375,1.18965 -0.375,1.84375 0,3.588 2.912,6.5 6.5,6.5 3.588,0 6.5,-2.912 6.5,-6.5 0,-2.36079 -1.33433,-4.33019 -3.21875,-5.46875 0.0626,-0.34723 0.21875,-0.66608 0.21875,-1.03125 0,-3.312 -2.688,-6 -6,-6 -0.85298,0 -1.6713,0.17868 -2.40625,0.5 -0.85377,-2.59388 -3.21524,-4.49999 -6.09375,-4.5 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12831-2"
+ transform="matrix(0.964447,0,0,0.964447,89.28852,144.5262)"
+ d="m 248.54804,-383.6666 c 0,3.72219 -3.01743,6.73961 -6.73962,6.73961 -3.72218,0 -6.73961,-3.01742 -6.73961,-6.73961 0,-3.72219 3.01743,-6.73962 6.73961,-6.73962 3.72219,0 6.73962,3.01743 6.73962,6.73962 z"
+ inkscape:connector-curvature="0" />
+ <g
+ id="g12833-9">
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12835-9"
+ transform="matrix(0.88263,0,0,0.88263,96.18078,108.1091)"
+ d="m 250.18322,-389.30136 c 0,3.4415 -2.78988,6.23138 -6.23138,6.23138 -3.4415,0 -6.23138,-2.78988 -6.23138,-6.23138 0,-3.4415 2.78988,-6.23138 6.23138,-6.23138 3.4415,0 6.23138,2.78988 6.23138,6.23138 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.49444442;fill:url(#linearGradient24634);fill-opacity:1;stroke:none"
+ id="path12837-6"
+ transform="matrix(0.88263,0,0,0.88263,96.18078,108.1091)"
+ d="m 250.18322,-389.30136 c 0,3.4415 -2.78988,6.23138 -6.23138,6.23138 -3.4415,0 -6.23138,-2.78988 -6.23138,-6.23138 0,-3.4415 2.78988,-6.23138 6.23138,-6.23138 3.4415,0 6.23138,2.78988 6.23138,6.23138 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <g
+ id="g12839-0">
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12841-2"
+ transform="matrix(0.911728,0,0,0.911728,90.45407,120.2336)"
+ d="m 257.25429,-385.7879 c 0,3.33166 -2.70084,6.03251 -6.03251,6.03251 -3.33166,0 -6.0325,-2.70085 -6.0325,-6.03251 0,-3.33166 2.70084,-6.0325 6.0325,-6.0325 3.33167,0 6.03251,2.70084 6.03251,6.0325 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.49444442;fill:url(#linearGradient24636);fill-opacity:1;stroke:none"
+ id="path12843-7"
+ transform="matrix(0.911728,0,0,0.911728,90.45407,120.2336)"
+ d="m 257.25429,-385.7879 c 0,3.33166 -2.70084,6.03251 -6.03251,6.03251 -3.33166,0 -6.0325,-2.70085 -6.0325,-6.03251 0,-3.33166 2.70084,-6.0325 6.0325,-6.0325 3.33167,0 6.03251,2.70084 6.03251,6.0325 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <g
+ id="g12845-6">
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12847-1"
+ transform="matrix(1.142799,0,0,1.142799,35.23229,210.277)"
+ d="m 237.80885,-387.88715 c 0,2.41637 -1.95885,4.37522 -4.37522,4.37522 -2.41638,0 -4.37523,-1.95885 -4.37523,-4.37522 0,-2.41637 1.95885,-4.37523 4.37523,-4.37523 2.41637,0 4.37522,1.95886 4.37522,4.37523 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.49444442;fill:url(#linearGradient24638);fill-opacity:1;stroke:none"
+ id="path12849-3"
+ transform="matrix(1.142799,0,0,1.142799,35.23229,210.277)"
+ d="m 237.80885,-387.88715 c 0,2.41637 -1.95885,4.37522 -4.37522,4.37522 -2.41638,0 -4.37523,-1.95885 -4.37523,-4.37522 0,-2.41637 1.95885,-4.37523 4.37523,-4.37523 2.41637,0 4.37522,1.95886 4.37522,4.37523 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <g
+ id="g12851-2">
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12853-1"
+ transform="matrix(1.038636,0,0,1.038636,59.84906,169.4899)"
+ d="m 248.54804,-383.6666 c 0,3.72219 -3.01743,6.73961 -6.73962,6.73961 -3.72218,0 -6.73961,-3.01742 -6.73961,-6.73961 0,-3.72219 3.01743,-6.73962 6.73961,-6.73962 3.72219,0 6.73962,3.01743 6.73962,6.73962 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.49444442;fill:url(#linearGradient24640);fill-opacity:1;stroke:none"
+ id="path12855-5"
+ transform="matrix(1.038636,0,0,1.038636,59.84907,169.4899)"
+ d="m 248.54804,-383.6666 c 0,3.72219 -3.01743,6.73961 -6.73962,6.73961 -3.72218,0 -6.73961,-3.01742 -6.73961,-6.73961 0,-3.72219 3.01743,-6.73962 6.73961,-6.73962 3.72219,0 6.73962,3.01743 6.73962,6.73962 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ </g>
+ <g
+ id="g9468-9"
+ transform="matrix(2.5313899,0,0,3.0201142,-10.842401,-5.9723708)">
+ <g
+ id="g12891-9"
+ transform="translate(-225.18126,253.09536)">
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:#555753;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:2;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
+ id="path12893-1"
+ d="m 246.49993,-238.49993 c -2.27083,0 -4.10991,1.55028 -4.71875,3.625 -0.69323,-0.36383 -1.44451,-0.625 -2.28125,-0.625 -2.76,0 -5.00001,2.23999 -5,5 0,0.57893 0.16252,1.1077 0.34375,1.625 -1.37347,0.77074 -2.34375,2.189 -2.34375,3.875 0,2.484 2.016,4.50001 4.5,4.5 0.17713,0 18.82287,0 19,0 2.48399,0 4.5,-2.016 4.5,-4.5 0,-1.686 -0.97028,-3.10426 -2.34375,-3.875 0.18124,-0.51729 0.34375,-1.04608 0.34375,-1.625 0,-2.76 -2.24,-4.99999 -5,-5 -0.83674,0 -1.58802,0.26117 -2.28125,0.625 -0.60884,-2.07472 -2.44792,-3.625 -4.71875,-3.625 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:url(#linearGradient24642);fill-opacity:1;stroke:none"
+ id="path12895-4"
+ d="m 246.49993,-237.99993 c -2.18972,0 -3.7236,1.33577 -4.39555,3.84352 -0.66846,-0.34362 -1.54759,-0.83335 -2.35445,-0.83335 -2.71651,0 -4.75514,1.93882 -4.75513,4.54554 0,0.54677 0.26721,1.33344 0.44196,1.82201 -1.32443,0.72795 -2.43683,1.8905 -2.43683,3.37255 0,2.34605 1.54617,4.25009 4.33928,4.25009 0.17081,0 18.15064,0 18.32144,0 2.77101,0 4.33928,-1.90404 4.33928,-4.25009 0,-1.59237 -1.1124,-2.66669 -2.43683,-3.39464 0.17476,-0.48856 0.46407,-1.25316 0.46407,-1.79992 0,-2.60671 -2.11581,-4.56763 -4.77723,-4.56764 -0.80687,0 -1.64181,0.48974 -2.31027,0.83336 -0.64885,-2.42154 -2.25001,-3.82143 -4.43974,-3.82143 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12897-9"
+ transform="matrix(1.056604,0,0,1.056604,-58.19825,228.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient24644);fill-opacity:1;stroke:none"
+ id="path12899-1"
+ transform="matrix(1.056604,0,0,1.056604,-58.19825,228.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="rect12901-0"
+ y="-230.99992"
+ x="236.99994"
+ height="9"
+ width="20" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12903-7"
+ transform="matrix(0.90566,0,0,0.90566,-24.16987,171.3114)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12905-5"
+ transform="matrix(1.056604,0,0,1.056604,-51.19818,231.8633)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient24646);fill-opacity:1;stroke:none"
+ id="path12907-8"
+ transform="matrix(1.056604,0,0,1.056604,-51.19825,231.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12909-7"
+ transform="matrix(1.056604,0,0,1.056604,-65.19825,231.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient24648);fill-opacity:1;stroke:none"
+ id="path12911-0"
+ transform="matrix(1.056604,0,0,1.056604,-65.19825,231.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12913-4"
+ d="m 245.46868,-233.96868 c -3.57938,0 -6.46875,2.92063 -6.46875,6.5 0,2.37068 1.34943,4.33779 3.25,5.46875 h 6.46875 c 1.90057,-1.13096 3.25,-3.12931 3.25,-5.5 0,-3.57938 -2.92063,-6.46875 -6.5,-6.46875 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient24650);fill-opacity:1;stroke:none"
+ id="path12915-8"
+ d="m 245.49993,-233.99993 c -3.588,0 -6.5,2.91201 -6.5,6.5 0,2.3764 1.34485,4.36632 3.25,5.5 h 6.5 c 1.90515,-1.13368 3.25,-3.1236 3.25,-5.5 0,-3.588 -2.912,-6.49999 -6.5,-6.5 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient24652);fill-opacity:1;stroke:none"
+ id="path12917-0"
+ transform="matrix(0.90566,0,0,0.90566,-24.16977,171.3113)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#555753;fill-opacity:1;fill-rule:evenodd;stroke:none"
+ id="path12919-4"
+ d="m 258.95633,-230.33389 c -0.002,2.68456 -3.26926,3.71395 -3.26926,3.71395 0,0 2.34874,-1.62595 2.33685,-3.70501 0,0 0.93241,-0.009 0.93241,-0.009 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12921-2"
+ transform="matrix(1.207547,0,0,1.207547,-98.22652,302.4154)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient24654);fill-opacity:1;stroke:none"
+ id="path12923-9"
+ transform="matrix(1.207547,0,0,1.207547,-98.22652,302.4154)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <path
+ style="fill:url(#radialGradient9407-4);fill-opacity:1;stroke:none"
+ id="path11418-6"
+ d="m 21.02789,15.111956 c -2.0001,0 -3.68558,1.0795 -4.53057,2.61494 -0.59491,-0.22191 -1.24464,-0.35337 -1.92595,-0.35337 -2.83021,0 -5.1175304,2.11817 -5.1175304,4.7175 0,0.45375 0.14453,0.85683 0.27514,1.27213 -1.38232,0.86527 -2.34783,2.25357 -2.34783,3.90473 0,2.65283 0.65162,4.99335 5.2275804,4.80585 0.04512,-0.0018 17.45148,0.09698 17.70041,-0.01803 3.08521,0.22595 4.07201,-2.44573 4.07201,-4.69946 0,-1.70051 -0.83694,-3.04985 -2.30927,-3.87759 0.04796,-0.25856 -0.03856,-0.55119 -0.03856,-0.82225 0,-2.59932 -2.30565,-4.71749 -5.13587,-4.71749 -0.39349,0 -0.7324,0.13482 -1.10054,0.21202 -0.73846,-1.76812 -2.58501,-3.03898 -4.76902,-3.03898 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <g
+ id="g9488-1"
+ transform="matrix(2.5313899,0,0,3.0201142,-5.7841588,-18.063655)">
+ <g
+ id="g12857-0"
+ transform="translate(-210.16696,257.11136)">
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:#555753;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:2;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
+ id="path12859-4"
+ d="m 246.49993,-238.49993 c -2.27083,0 -4.10991,1.55028 -4.71875,3.625 -0.69323,-0.36383 -1.44451,-0.625 -2.28125,-0.625 -2.76,0 -5.00001,2.23999 -5,5 0,0.57893 0.16252,1.1077 0.34375,1.625 -1.37347,0.77074 -2.34375,2.189 -2.34375,3.875 0,2.484 2.016,4.50001 4.5,4.5 0.17713,0 18.82287,0 19,0 2.48399,0 4.5,-2.016 4.5,-4.5 0,-1.686 -0.97028,-3.10426 -2.34375,-3.875 0.18124,-0.51729 0.34375,-1.04608 0.34375,-1.625 0,-2.76 -2.24,-4.99999 -5,-5 -0.83674,0 -1.58802,0.26117 -2.28125,0.625 -0.60884,-2.07472 -2.44792,-3.625 -4.71875,-3.625 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:url(#linearGradient24656);fill-opacity:1;stroke:none"
+ id="path12861-2"
+ d="m 246.49993,-237.99993 c -2.18972,0 -3.7236,1.33577 -4.39555,3.84352 -0.66846,-0.34362 -1.54759,-0.83335 -2.35445,-0.83335 -2.71651,0 -4.75514,1.93882 -4.75513,4.54554 0,0.54677 0.26721,1.33344 0.44196,1.82201 -1.32443,0.72795 -2.43683,1.8905 -2.43683,3.37255 0,2.34605 1.54617,4.25009 4.33928,4.25009 0.17081,0 18.15064,0 18.32144,0 2.77101,0 4.33928,-1.90404 4.33928,-4.25009 0,-1.59237 -1.1124,-2.66669 -2.43683,-3.39464 0.17476,-0.48856 0.46407,-1.25316 0.46407,-1.79992 0,-2.60671 -2.11581,-4.56763 -4.77723,-4.56764 -0.80687,0 -1.64181,0.48974 -2.31027,0.83336 -0.64885,-2.42154 -2.25001,-3.82143 -4.43974,-3.82143 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12863-2"
+ transform="matrix(1.056604,0,0,1.056604,-58.19825,228.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient24658);fill-opacity:1;stroke:none"
+ id="path12865-2"
+ transform="matrix(1.056604,0,0,1.056604,-58.19825,228.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="rect12867-0"
+ y="-230.99992"
+ x="236.99994"
+ height="9"
+ width="20" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12869-5"
+ transform="matrix(0.90566,0,0,0.90566,-24.16987,171.3114)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12871-5"
+ transform="matrix(1.056604,0,0,1.056604,-51.19818,231.8633)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient24660);fill-opacity:1;stroke:none"
+ id="path12873-2"
+ transform="matrix(1.056604,0,0,1.056604,-51.19825,231.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12875-9"
+ transform="matrix(1.056604,0,0,1.056604,-65.19825,231.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient24662);fill-opacity:1;stroke:none"
+ id="path12877-0"
+ transform="matrix(1.056604,0,0,1.056604,-65.19825,231.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12879-2"
+ d="m 245.46868,-233.96868 c -3.57938,0 -6.46875,2.92063 -6.46875,6.5 0,2.37068 1.34943,4.33779 3.25,5.46875 h 6.46875 c 1.90057,-1.13096 3.25,-3.12931 3.25,-5.5 0,-3.57938 -2.92063,-6.46875 -6.5,-6.46875 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient24664);fill-opacity:1;stroke:none"
+ id="path12881-8"
+ d="m 245.49993,-233.99993 c -3.588,0 -6.5,2.91201 -6.5,6.5 0,2.3764 1.34485,4.36632 3.25,5.5 h 6.5 c 1.90515,-1.13368 3.25,-3.1236 3.25,-5.5 0,-3.588 -2.912,-6.49999 -6.5,-6.5 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient24666);fill-opacity:1;stroke:none"
+ id="path12883-3"
+ transform="matrix(0.90566,0,0,0.90566,-24.16977,171.3113)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#555753;fill-opacity:1;fill-rule:evenodd;stroke:none"
+ id="path12885-8"
+ d="m 258.95633,-230.33389 c -0.002,2.68456 -3.26926,3.71395 -3.26926,3.71395 0,0 2.34874,-1.62595 2.33685,-3.70501 0,0 0.93241,-0.009 0.93241,-0.009 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12887-0"
+ transform="matrix(1.207547,0,0,1.207547,-98.22652,302.4154)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient24668);fill-opacity:1;stroke:none"
+ id="path12889-4"
+ transform="matrix(1.207547,0,0,1.207547,-98.22652,302.4154)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <path
+ style="fill:url(#radialGradient9522-5);fill-opacity:1;stroke:none"
+ id="path13209-0"
+ d="m 36.46539,19.111476 c -2.0001,0 -3.68558,1.0795 -4.53057,2.61494 -0.59491,-0.22191 -1.24464,-0.35337 -1.92595,-0.35337 -2.83021,0 -5.11753,2.11817 -5.11753,4.7175 0,0.45375 0.14453,0.85683 0.27514,1.27213 -1.38232,0.86527 -2.34783,2.25357 -2.34783,3.90473 0,2.65283 0.65162,4.99335 5.22758,4.80585 0.04512,-0.0018 17.45148,0.09698 17.70041,-0.01803 3.08521,0.22595 4.07201,-2.44573 4.07201,-4.69946 0,-1.70051 -0.83694,-3.04985 -2.30927,-3.87759 0.04796,-0.25856 -0.03856,-0.55119 -0.03856,-0.82225 0,-2.59932 -2.30565,-4.71749 -5.13587,-4.71749 -0.39349,0 -0.7324,0.13482 -1.10054,0.21202 -0.73846,-1.76812 -2.58501,-3.03898 -4.76902,-3.03898 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ </g>
+ </g>
+ <g
+ id="g7957-2"
+ transform="matrix(0.26458333,0,0,0.26458333,-94.920525,64.438759)">
+ <g
+ id="g2482-2"
+ transform="translate(0.4025314,-0.6040782)">
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2502-1);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2484-6"
+ d="m 85.387971,95.699904 c 0.0075,8.102006 -19.95928,14.671276 -44.592125,14.671276 -24.63284,0 -44.5996048,-6.56927 -44.5921197,-14.671276 -0.00749,-8.102001 19.9592797,-14.671277 44.5921197,-14.671277 24.632845,0 44.59961,6.569276 44.592125,14.671277 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2504-2);fill-opacity:1;fill-rule:evenodd;stroke:#404604;stroke-width:2.89943886px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2486-4"
+ d="m 25.751776,94.433252 h 30.7532 c 8.7134,0 17.34004,-3.194983 20.50212,-12.301276 3.00278,-8.647507 0.51256,-25.115108 -18.96446,-38.441492 H 21.651356 C 2.1743262,55.99176 -0.25968379,72.814858 4.2245462,82.644527 8.7928862,92.658579 16.525816,94.433252 25.751776,94.433252 Z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#9db029;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2488-1"
+ d="m 40.455396,51.378784 c 0,0 -6.23763,4.81404 -5.70028,10.613492 -5.91841,-5.221292 -6.08845,-15.226473 -6.08845,-15.226473 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.21518986;fill:none;stroke:#ffffff;stroke-width:2.89943814px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2490-2"
+ d="m 26.057566,91.347662 h 29.91256 c 7.65371,0 15.23122,-2.806422 18.00874,-10.805243 2.63758,-7.595834 -0.27465,-22.060711 -17.38295,-33.766392 H 23.180676 C 6.0723762,57.58127 3.2095162,72.358411 7.1483862,80.992635 11.161146,89.78882 17.953636,91.347662 26.057566,91.347662 Z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#9db029;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2492-8"
+ d="m 41.292286,52.378784 c 0,0 6.23763,4.81404 5.70027,10.613492 5.91841,-5.221292 6.08845,-15.226473 6.08845,-15.226473 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2506-4);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2494-8"
+ d="m 65.368498,38.974475 c 0.0042,13.87367 -11.241435,25.122739 -25.115108,25.122739 -13.87367,0 -25.119321,-11.249069 -25.115105,-25.122739 -0.0042,-13.87367 11.241435,-25.122739 25.115105,-25.122739 13.873673,0 25.119324,11.249069 25.115108,25.122739 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2508-9);fill-opacity:1;fill-rule:evenodd;stroke:#6f4709;stroke-width:2.89943886px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2496-9"
+ d="m 65.730928,28.826439 c 0.0042,13.87367 -11.241435,25.122739 -25.115108,25.122739 -13.87367,0 -25.119321,-11.249069 -25.115105,-25.122739 -0.0042,-13.87367 11.241435,-25.1227391 25.115105,-25.1227391 13.873673,0 25.119324,11.2490691 25.115108,25.1227391 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.12658231;fill:none;stroke:#ffffff;stroke-width:2.89944124px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2498-2"
+ d="M 62.644211,28.826474 C 62.647909,40.995 52.784405,50.861502 40.615876,50.861502 28.44735,50.861502 18.583846,40.995 18.587544,28.826474 18.583846,16.657947 28.44735,6.7914452 40.615876,6.7914452 c 12.168529,0 22.032033,9.8665018 22.028335,22.0350288 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient24670);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2500-8"
+ d="m 64.967663,92.704432 c 3.61736,-1.5801 5.23637,-5.38796 5.23637,-5.38796 -2.43925,-11.79821 -10.7857,-20.43007 -10.7857,-20.43007 0,0 6.60875,18.58979 5.54933,25.81803 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <g
+ style="display:inline"
+ id="layer1-9-8" />
+ <g
+ id="g2483-8"
+ transform="translate(89.565224,-57.340975)">
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2476-6);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4177-6"
+ transform="matrix(5.1479827,0,0,2.7810925,-164.41027,100.68378)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient24672);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4368-8"
+ d="M 13.245856,91.434387 C 9.6284962,89.854283 8.0094862,86.046427 8.0094862,86.046427 10.448736,74.248216 18.795186,65.616354 18.795186,65.616354 c 0,0 -6.60875,18.589793 -5.54933,25.818033 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient24674);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4173-3"
+ d="m -28.06643,114.09678 h 12.30128 l -7.17574,-6.66319 -1.53766,2.05021 -1.53767,-1.53766 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient24676);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4370-8"
+ d="m -13.94683,130.64896 c 3.56993,-1.68451 5.2316903,-5.8056 5.2316903,-5.8056 C -11.49605,113.12098 -20.24375,105.00302 -20.24375,105.00302 c 0,0 7.14594,18.38998 6.29692,25.64594 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2484-0);fill-opacity:1;fill-rule:evenodd;stroke:#204a87;stroke-width:2.89943886px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path4308-3"
+ d="m -18.20172,156.43265 h 30.75319 c 8.71341,0 17.34005,-3.19499 20.50213,-12.30129 3.00277,-8.64751 0.51255,-25.11511 -18.96447,-38.44149 h -36.39128 c -19.47702,12.30128 -21.91103,29.12437 -17.42681,38.95404 4.56834,10.01406 12.30128,11.78874 21.52724,11.78874 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient24678);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4310-3"
+ d="m -16.15151,110.30285 c 9.2259603,8.20085 13.3263803,37.92894 13.3263803,37.92894 0,0 4.10043,-29.72809 11.27617,-38.44149 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#729fcf;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4312-3"
+ d="m -9.5424097,113.37817 c 0,0 -6.2376303,4.81404 -5.7002703,10.61349 -5.91841,-5.22129 -6.08846,-15.22647 -6.08846,-15.22647 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.21518986;fill:none;stroke:#ffffff;stroke-width:2.89943814px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path4314-8"
+ d="m -18.40849,153.41112 30.42511,-0.0641 c 7.65372,0 15.23122,-2.80644 18.00874,-10.80526 2.63759,-7.59583 -0.27464,-22.06071 -17.38294,-33.76639 l -33.41524,-0.70476 c -17.1083,10.80524 -20.41965,25.58239 -16.41671,34.92137 4.00294,9.33899 9.84421,10.35504 18.78104,10.4191 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#729fcf;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4316-0"
+ d="m -20.009013,106.3071 c 0,0 6.23763,4.81404 5.70027,10.61349 5.9184092,-5.22129 6.0884592,-15.22647 6.0884592,-15.22647 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2488-4);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4318-4"
+ transform="matrix(2.8994389,0,0,2.8994389,-93.90948,45.859526)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2490-3);fill-opacity:1;fill-rule:evenodd;stroke:#c17d11;stroke-width:1px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path4320-7"
+ transform="matrix(2.8994389,0,0,2.8994389,-93.54705,35.71149)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.19620254;fill:none;stroke:#ffffff;stroke-width:1.14012825px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path4322-6"
+ transform="matrix(2.5430833,0,0,2.5430833,-82.4598,42.485353)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient24680);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4354-8"
+ d="m -30.18912,153.93669 c -3.61736,-1.58011 -5.23637,-5.38797 -5.23637,-5.38797 2.43925,-11.79821 10.7857,-20.43007 10.7857,-20.43007 0,0 -6.60875,18.58979 -5.54933,25.81804 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient24682);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4364-9"
+ d="m 24.62683,151.44795 c 3.56993,-1.68452 5.23168,-5.80562 5.23168,-5.80562 -2.7809,-11.72238 -11.5286,-19.84033 -11.5286,-19.84033 0,0 7.14594,18.38998 6.29692,25.64595 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <g
+ id="g2507-0"
+ transform="translate(49.068553,-45.030564)">
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2537-7);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2509-6"
+ transform="matrix(5.1479827,0,0,2.7810925,-164.41027,100.68378)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient24684);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2511-8"
+ d="M 13.245856,91.434387 C 9.6284962,89.854283 8.0094862,86.046427 8.0094862,86.046427 10.448736,74.248216 18.795186,65.616354 18.795186,65.616354 c 0,0 -6.60875,18.589793 -5.54933,25.818033 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient24686);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2513-7"
+ d="m -28.06643,114.09678 h 12.30128 l -7.17574,-6.66319 -1.53766,2.05021 -1.53767,-1.53766 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient24688);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2515-9"
+ d="m -13.94683,130.64896 c 3.56993,-1.68451 5.2316903,-5.8056 5.2316903,-5.8056 C -11.49605,113.12098 -20.24375,105.00302 -20.24375,105.00302 c 0,0 7.14594,18.38998 6.29692,25.64594 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2545-4);fill-opacity:1;fill-rule:evenodd;stroke:#204a87;stroke-width:2.89943886px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2517-0"
+ d="m -18.20172,156.43265 h 30.75319 c 8.71341,0 17.34005,-3.19499 20.50213,-12.30129 3.00277,-8.64751 0.51255,-25.11511 -18.96447,-38.44149 h -36.39128 c -19.47702,12.30128 -21.91103,29.12437 -17.42681,38.95404 4.56834,10.01406 12.30128,11.78874 21.52724,11.78874 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient24690);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2519-3"
+ d="m -16.15151,110.30285 c 9.2259603,8.20085 13.3263803,37.92894 13.3263803,37.92894 0,0 4.10043,-29.72809 11.27617,-38.44149 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#729fcf;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2521-3"
+ d="m -9.5424097,113.37817 c 0,0 -6.2376303,4.81404 -5.7002703,10.61349 -5.91841,-5.22129 -6.08846,-15.22647 -6.08846,-15.22647 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.21518986;fill:none;stroke:#ffffff;stroke-width:2.89943814px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2523-3"
+ d="m -18.40849,153.41112 30.42511,-0.0641 c 7.65372,0 15.23122,-2.80644 18.00874,-10.80526 2.63759,-7.59583 -0.27464,-22.06071 -17.38294,-33.76639 l -33.41524,-0.70476 c -17.1083,10.80524 -20.41965,25.58239 -16.41671,34.92137 4.00294,9.33899 9.84421,10.35504 18.78104,10.4191 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#729fcf;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2525-7"
+ d="m -20.009013,106.3071 c 0,0 6.23763,4.81404 5.70027,10.61349 5.9184092,-5.22129 6.0884592,-15.22647 6.0884592,-15.22647 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2549-3);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2527-3"
+ transform="matrix(2.8994389,0,0,2.8994389,-93.90948,45.859526)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2551-1);fill-opacity:1;fill-rule:evenodd;stroke:#c17d11;stroke-width:1px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2529-2"
+ transform="matrix(2.8994389,0,0,2.8994389,-93.54705,35.71149)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.19620254;fill:none;stroke:#ffffff;stroke-width:1.14012825px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2531-6"
+ transform="matrix(2.5430833,0,0,2.5430833,-82.4598,42.485353)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient24692);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2533-5"
+ d="m -30.18912,153.93669 c -3.61736,-1.58011 -5.23637,-5.38797 -5.23637,-5.38797 2.43925,-11.79821 10.7857,-20.43007 10.7857,-20.43007 0,0 -6.60875,18.58979 -5.54933,25.81804 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient24694);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2535-2"
+ d="m 24.62683,151.44795 c 3.56993,-1.68452 5.23168,-5.80562 5.23168,-5.80562 -2.7809,-11.72238 -11.5286,-19.84033 -11.5286,-19.84033 0,0 7.14594,18.38998 6.29692,25.64595 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <g
+ id="g2557-6"
+ transform="translate(45.228443,22.71576)">
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2577-4);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2559-5"
+ d="m 85.387971,95.699904 c 0.0075,8.102006 -19.95928,14.671276 -44.592125,14.671276 -24.63284,0 -44.5996048,-6.56927 -44.5921197,-14.671276 -0.00749,-8.102001 19.9592797,-14.671277 44.5921197,-14.671277 24.632845,0 44.59961,6.569276 44.592125,14.671277 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2579-6);fill-opacity:1;fill-rule:evenodd;stroke:#404604;stroke-width:2.89943886px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2561-8"
+ d="m 25.751776,94.433252 h 30.7532 c 8.7134,0 17.34004,-3.194983 20.50212,-12.301276 3.00278,-8.647507 0.51256,-25.115108 -18.96446,-38.441492 H 21.651356 C 2.1743262,55.99176 -0.25968379,72.814858 4.2245462,82.644527 8.7928862,92.658579 16.525816,94.433252 25.751776,94.433252 Z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#9db029;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2563-7"
+ d="m 40.455396,51.378784 c 0,0 -6.23763,4.81404 -5.70028,10.613492 -5.91841,-5.221292 -6.08845,-15.226473 -6.08845,-15.226473 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.21518986;fill:none;stroke:#ffffff;stroke-width:2.89943814px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2565-9"
+ d="m 26.057566,91.347662 h 29.91256 c 7.65371,0 15.23122,-2.806422 18.00874,-10.805243 2.63758,-7.595834 -0.27465,-22.060711 -17.38295,-33.766392 H 23.180676 C 6.0723762,57.58127 3.2095162,72.358411 7.1483862,80.992635 11.161146,89.78882 17.953636,91.347662 26.057566,91.347662 Z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#9db029;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2567-6"
+ d="m 41.292286,52.378784 c 0,0 6.23763,4.81404 5.70027,10.613492 5.91841,-5.221292 6.08845,-15.226473 6.08845,-15.226473 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2581-9);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2569-0"
+ d="m 65.368498,38.974475 c 0.0042,13.87367 -11.241435,25.122739 -25.115108,25.122739 -13.87367,0 -25.119321,-11.249069 -25.115105,-25.122739 -0.0042,-13.87367 11.241435,-25.122739 25.115105,-25.122739 13.873673,0 25.119324,11.249069 25.115108,25.122739 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2583-4);fill-opacity:1;fill-rule:evenodd;stroke:#6f4709;stroke-width:2.89943886px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2571-4"
+ d="m 65.730928,28.826439 c 0.0042,13.87367 -11.241435,25.122739 -25.115108,25.122739 -13.87367,0 -25.119321,-11.249069 -25.115105,-25.122739 -0.0042,-13.87367 11.241435,-25.1227391 25.115105,-25.1227391 13.873673,0 25.119324,11.2490691 25.115108,25.1227391 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.12658231;fill:none;stroke:#ffffff;stroke-width:2.89944124px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2573-1"
+ d="M 62.644211,28.826474 C 62.647909,40.995 52.784405,50.861502 40.615876,50.861502 28.44735,50.861502 18.583846,40.995 18.587544,28.826474 18.583846,16.657947 28.44735,6.7914452 40.615876,6.7914452 c 12.168529,0 22.032033,9.8665018 22.028335,22.0350288 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient24696);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2575-0"
+ d="m 64.967663,92.704432 c 3.61736,-1.5801 5.23637,-5.38796 5.23637,-5.38796 -2.43925,-11.79821 -10.7857,-20.43007 -10.7857,-20.43007 0,0 6.60875,18.58979 5.54933,25.81803 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ </g>
+ <path
+ style="fill:none;fill-rule:evenodd;stroke:#ff0000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-start:url(#Arrow1Mstart);marker-end:url(#Arrow1Mend)"
+ d="m -56.803495,83.900749 c 15.43859,-7.95321 30.64325,-5.84795 30.64325,-5.84795 v 0"
+ id="path8497"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:none;fill-rule:evenodd;stroke:#ff0000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-start:url(#marker8927);marker-end:url(#marker8875)"
+ d="M -2.7684425,79.924149 C 11.734467,73.608359 32.553167,76.181459 32.553167,76.181459"
+ id="path8819"
+ inkscape:connector-curvature="0"
+ sodipodi:nodetypes="cc" />
+ <path
+ style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-start:url(#marker9031);marker-end:url(#marker9095)"
+ d="m -27.563745,64.719479 c -18.47952,-13.09941 -1.63743,-25.497056 9.122798,-25.263138 10.7602265,0.233918 17.78855247,7.182408 14.7368295,14.268998 -2.119352,4.92148 1.370364,-0.24517 -3.742685,5.84795"
+ id="path9021"
+ inkscape:connector-curvature="0"
+ sodipodi:nodetypes="cssc" />
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="-39.788815"
+ y="87.938698"
+ id="text10983"><tspan
+ sodipodi:role="line"
+ id="tspan10981"
+ x="-39.788815"
+ y="87.938698"
+ style="stroke-width:0.26458332px">Recursive queries</tspan><tspan
+ sodipodi:role="line"
+ x="-39.788815"
+ y="92.899635"
+ style="stroke-width:0.26458332px"
+ id="tspan24726">and</tspan><tspan
+ sodipodi:role="line"
+ x="-39.788815"
+ y="97.860573"
+ style="stroke-width:0.26458332px"
+ id="tspan11275">responses</tspan></text>
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="-19.142696"
+ y="32.438805"
+ id="text10987"><tspan
+ sodipodi:role="line"
+ id="tspan10985"
+ x="-18.510952"
+ y="32.438805"
+ style="stroke-width:0.26458332px">Domain </tspan><tspan
+ sodipodi:role="line"
+ x="-19.142696"
+ y="37.399742"
+ style="stroke-width:0.26458332px"
+ id="tspan10989">lookups in database</tspan></text>
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="13.660129"
+ y="66.782173"
+ id="text10993"><tspan
+ sodipodi:role="line"
+ id="tspan10991"
+ x="13.660129"
+ y="66.782173"
+ style="stroke-width:0.26458332px">Non-private</tspan><tspan
+ sodipodi:role="line"
+ x="13.660129"
+ y="71.743111"
+ style="stroke-width:0.26458332px"
+ id="tspan10995">domain queries</tspan></text>
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="-78.557854"
+ y="102.61418"
+ id="text11279"><tspan
+ sodipodi:role="line"
+ id="tspan11277"
+ x="-78.557854"
+ y="102.61418"
+ style="stroke-width:0.26458332px">Users</tspan></text>
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="-13.060826"
+ y="98.403671"
+ id="text11283"><tspan
+ sodipodi:role="line"
+ id="tspan11281"
+ x="-13.060826"
+ y="98.403671"
+ style="stroke-width:0.26458332px">PowerDNS</tspan><tspan
+ sodipodi:role="line"
+ x="-13.060826"
+ y="103.36461"
+ style="stroke-width:0.26458332px"
+ id="tspan11285">Authoritative</tspan><tspan
+ sodipodi:role="line"
+ x="-13.060826"
+ y="108.32555"
+ style="stroke-width:0.26458332px"
+ id="tspan11287">Server</tspan><tspan
+ sodipodi:role="line"
+ x="-13.060826"
+ y="113.28648"
+ style="stroke-width:0.26458332px"
+ id="tspan11289" /></text>
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="48.693504"
+ y="92.087875"
+ id="text11293"><tspan
+ sodipodi:role="line"
+ id="tspan11291"
+ x="48.693504"
+ y="92.087875"
+ style="stroke-width:0.26458332px">Internet</tspan></text>
+ <rect
+ style="opacity:1;fill:none;fill-opacity:1;stroke:#000000;stroke-width:1;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+ id="rect18641"
+ width="167.01741"
+ height="133.80107"
+ x="-96.335625"
+ y="23.31601"
+ rx="5.004303" />
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="35.126263"
+ y="31.08522"
+ id="text18645"><tspan
+ sodipodi:role="line"
+ id="tspan18643"
+ x="35.126263"
+ y="31.08522"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:6.3499999px;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;text-align:center;writing-mode:lr-tb;text-anchor:middle;stroke-width:0.26458332px">Previous Situation</tspan></text>
+ <g
+ id="g5380-9-9"
+ transform="matrix(0.26458333,0,0,0.26458333,-89.030882,115.37844)">
+ <g
+ style="display:inline"
+ id="layer1-5-2-3" />
+ <g
+ style="display:inline"
+ id="layer2-5-1">
+ <g
+ style="display:inline"
+ id="g6707-4-4"
+ transform="matrix(0.04030136,0,0,0.05919351,98.269348,107.74796)">
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.40206185;fill:url(#linearGradient6293-2);fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1;marker:none"
+ id="rect6709-0-8"
+ y="-150.69685"
+ x="-1559.2523"
+ height="478.35718"
+ width="1339.6335" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.40206185;fill:url(#radialGradient25153-3-6);fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1;marker:none"
+ id="path6711-5-9"
+ d="m -219.61876,-150.68038 c 0,0 0,478.33079 0,478.33079 142.874166,0.90045 345.40022,-107.16966 345.40014,-239.196175 0,-132.026537 -159.436816,-239.134595 -345.40014,-239.134615 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.40206185;fill:url(#radialGradient25155-0-4);fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1;marker:none"
+ id="path6713-9-6"
+ d="m -1559.2523,-150.68038 c 0,0 0,478.33079 0,478.33079 -142.8742,0.90045 -345.4002,-107.16966 -345.4002,-239.196175 0,-132.026537 159.4368,-239.134595 345.4002,-239.134615 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <path
+ style="fill:url(#linearGradient25022);fill-opacity:1;fill-rule:evenodd;stroke:#5e5e5e;stroke-width:2.83662605px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1"
+ id="path3626-4-7"
+ d="m 30.069752,22.03729 v 95.17786 H 92.475495 V 21.46393 L 80.994049,9.423358 H 40.977128 Z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#ffffff;fill-opacity:0.65536726;fill-rule:evenodd;stroke:none"
+ id="path5791-6-7"
+ d="M 41.556086,10.841671 31.488067,25.024802 h 59.56912 l -10.90702,-13.76598 z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.34857142;fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:#ffffff;stroke-width:2.83662605;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4553-9-3"
+ y="30.698046"
+ x="39.997936"
+ height="11.346502"
+ width="45.386024" />
+ <path
+ style="fill:none;stroke:#ffffff;stroke-width:2.83662724;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+ id="path4394-2-7"
+ d="M 32.906375,23.771924 V 114.3785 H 89.638911 V 23.248654 L 79.132886,12.260001 H 42.887099 Z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.52571429;fill:url(#linearGradient25024);fill-opacity:1;fill-rule:evenodd;stroke:url(#linearGradient25026);stroke-width:2.83662701;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4408-2-1"
+ y="67.574181"
+ x="54.181065"
+ height="11.346499"
+ width="31.202894" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:#c8c8c8;fill-opacity:1;fill-rule:evenodd;stroke:#acacac;stroke-width:2.83662534;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4398-4-2"
+ y="66.155869"
+ x="52.762733"
+ height="11.346502"
+ width="31.202871" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.34857142;fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:#ffffff;stroke-width:2.83662558;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4551-7-2"
+ y="47.7178"
+ x="39.997952"
+ height="11.346502"
+ width="45.386024" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:#c8c8c8;fill-opacity:1;fill-rule:evenodd;stroke:#acacac;stroke-width:2.83662653;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4430-75-1"
+ y="46.299488"
+ x="38.579624"
+ height="11.346502"
+ width="45.386032" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:#c8c8c8;fill-opacity:1;fill-rule:evenodd;stroke:#acacac;stroke-width:2.83662605;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4436-4-5"
+ y="29.279736"
+ x="38.579647"
+ height="11.346502"
+ width="45.386032" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#d40000;fill-opacity:1;fill-rule:evenodd;stroke:#979797;stroke-width:1.44772947;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path4396-8-0"
+ transform="matrix(1.9593699,0,0,1.9593562,-86.509754,21.850696)"
+ d="m 68.185294,26.231213 a 2.171828,2.171828 0 1 1 -4.343656,0 2.171828,2.171828 0 1 1 4.343656,0 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#f44800;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="path4445-1-9"
+ transform="matrix(2.5342538,0,0,2.5342343,0.4673221,7.5389146)"
+ d="m 16.667518,25.574614 a 0.5050765,0.5050765 0 1 1 -1.010153,0 0.5050765,0.5050765 0 1 1 1.010153,0 z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient25028);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4457-2-0"
+ y="84.593979"
+ x="48.507816"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient25030);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4461-8-4"
+ y="84.593979"
+ x="54.181038"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient25032);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4465-9-0"
+ y="84.593979"
+ x="59.854286"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient25034);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4469-3-1"
+ y="84.593979"
+ x="65.527534"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient25036);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4473-6-3"
+ y="84.593979"
+ x="71.200821"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.54285709;fill:url(#linearGradient25038);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4477-8-7"
+ y="84.593979"
+ x="76.874069"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.16000001;fill:url(#linearGradient25040);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4481-0-4"
+ y="84.593979"
+ x="45.671154"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient25042);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4483-2-1"
+ y="84.593979"
+ x="51.34444"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient25044);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4485-1-1"
+ y="84.593979"
+ x="57.017693"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient25046);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4487-0-3"
+ y="84.593979"
+ x="62.690945"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient25048);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4489-5-0"
+ y="84.593979"
+ x="68.364159"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22857145;fill:url(#linearGradient25050);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4491-1-3"
+ y="84.593979"
+ x="74.037407"
+ height="28.36627"
+ width="2.8366244" />
+ </g>
+ </g>
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="-72.514557"
+ y="150.75133"
+ id="text25054"><tspan
+ sodipodi:role="line"
+ id="tspan25052"
+ x="-72.514557"
+ y="150.75133"
+ style="stroke-width:0.26458332px">Recursors</tspan><tspan
+ sodipodi:role="line"
+ x="-72.514557"
+ y="155.71227"
+ style="stroke-width:0.26458332px"
+ id="tspan25056">on the Internet</tspan></text>
+ <path
+ style="fill:none;fill-rule:evenodd;stroke:#00ffff;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-start:url(#Arrow1Mstart-2);marker-end:url(#Arrow1Mend-7)"
+ d="m -62.210371,128.18695 c 15.43859,-7.95321 20.35086,-12.39765 20.35086,-12.39765 l 14.035077,-9.1228"
+ id="path8497-6"
+ inkscape:connector-curvature="0"
+ sodipodi:nodetypes="ccc" />
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="-34.903301"
+ y="126.84479"
+ id="text10983-5"><tspan
+ sodipodi:role="line"
+ id="tspan10981-4"
+ x="-34.903301"
+ y="126.84479"
+ style="stroke-width:0.26458332px">Non-recursive</tspan><tspan
+ sodipodi:role="line"
+ x="-34.903301"
+ y="131.80573"
+ style="stroke-width:0.26458332px"
+ id="tspan26889">queries</tspan><tspan
+ sodipodi:role="line"
+ x="-34.903301"
+ y="136.76666"
+ style="stroke-width:0.26458332px"
+ id="tspan24726-2">and</tspan><tspan
+ sodipodi:role="line"
+ x="-34.903301"
+ y="141.7276"
+ style="stroke-width:0.26458332px"
+ id="tspan11275-2">responses</tspan></text>
+ <g
+ id="g5380"
+ transform="matrix(0.26458333,0,0,0.26458333,188.64261,31.484515)">
+ <g
+ style="display:inline"
+ id="layer1-5" />
+ <g
+ style="display:inline"
+ id="layer2">
+ <g
+ style="display:inline"
+ id="g6707"
+ transform="matrix(0.04030136,0,0,0.05919351,98.269348,107.74796)">
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.40206185;fill:url(#linearGradient31324);fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1;marker:none"
+ id="rect6709"
+ y="-150.69685"
+ x="-1559.2523"
+ height="478.35718"
+ width="1339.6335" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.40206185;fill:url(#radialGradient25153-8);fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1;marker:none"
+ id="path6711"
+ d="m -219.61876,-150.68038 c 0,0 0,478.33079 0,478.33079 142.874166,0.90045 345.40022,-107.16966 345.40014,-239.196175 0,-132.026537 -159.436816,-239.134595 -345.40014,-239.134615 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.40206185;fill:url(#radialGradient25155-4);fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1;marker:none"
+ id="path6713"
+ d="m -1559.2523,-150.68038 c 0,0 0,478.33079 0,478.33079 -142.8742,0.90045 -345.4002,-107.16966 -345.4002,-239.196175 0,-132.026537 159.4368,-239.134595 345.4002,-239.134615 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <path
+ style="fill:url(#linearGradient31326);fill-opacity:1;fill-rule:evenodd;stroke:#5e5e5e;stroke-width:2.83662605px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1"
+ id="path3626"
+ d="m 30.069752,22.03729 v 95.17786 H 92.475495 V 21.46393 L 80.994049,9.423358 H 40.977128 Z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#ffffff;fill-opacity:0.65536726;fill-rule:evenodd;stroke:none"
+ id="path5791"
+ d="M 41.556086,10.841671 31.488067,25.024802 h 59.56912 l -10.90702,-13.76598 z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.34857142;fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:#ffffff;stroke-width:2.83662605;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4553"
+ y="30.698046"
+ x="39.997936"
+ height="11.346502"
+ width="45.386024" />
+ <path
+ style="fill:none;stroke:#ffffff;stroke-width:2.83662724;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+ id="path4394"
+ d="M 32.906375,23.771924 V 114.3785 H 89.638911 V 23.248654 L 79.132886,12.260001 H 42.887099 Z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.52571429;fill:url(#linearGradient31328);fill-opacity:1;fill-rule:evenodd;stroke:url(#linearGradient31330);stroke-width:2.83662701;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4408"
+ y="67.574181"
+ x="54.181065"
+ height="11.346499"
+ width="31.202894" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:#c8c8c8;fill-opacity:1;fill-rule:evenodd;stroke:#acacac;stroke-width:2.83662534;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4398"
+ y="66.155869"
+ x="52.762733"
+ height="11.346502"
+ width="31.202871" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.34857142;fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:#ffffff;stroke-width:2.83662558;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4551"
+ y="47.7178"
+ x="39.997952"
+ height="11.346502"
+ width="45.386024" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:#c8c8c8;fill-opacity:1;fill-rule:evenodd;stroke:#acacac;stroke-width:2.83662653;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4430"
+ y="46.299488"
+ x="38.579624"
+ height="11.346502"
+ width="45.386032" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:#c8c8c8;fill-opacity:1;fill-rule:evenodd;stroke:#acacac;stroke-width:2.83662605;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4436"
+ y="29.279736"
+ x="38.579647"
+ height="11.346502"
+ width="45.386032" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#d40000;fill-opacity:1;fill-rule:evenodd;stroke:#979797;stroke-width:1.44772947;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path4396"
+ transform="matrix(1.9593699,0,0,1.9593562,-86.509754,21.850696)"
+ d="m 68.185294,26.231213 a 2.171828,2.171828 0 1 1 -4.343656,0 2.171828,2.171828 0 1 1 4.343656,0 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#f44800;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="path4445"
+ transform="matrix(2.5342538,0,0,2.5342343,0.4673221,7.5389146)"
+ d="m 16.667518,25.574614 a 0.5050765,0.5050765 0 1 1 -1.010153,0 0.5050765,0.5050765 0 1 1 1.010153,0 z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient31332);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4457"
+ y="84.593979"
+ x="48.507816"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient31334);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4461"
+ y="84.593979"
+ x="54.181038"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient31336);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4465"
+ y="84.593979"
+ x="59.854286"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient31338);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4469"
+ y="84.593979"
+ x="65.527534"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient31340);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4473"
+ y="84.593979"
+ x="71.200821"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.54285709;fill:url(#linearGradient31342);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4477"
+ y="84.593979"
+ x="76.874069"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.16000001;fill:url(#linearGradient31344);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4481"
+ y="84.593979"
+ x="45.671154"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient31346);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4483"
+ y="84.593979"
+ x="51.34444"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient31348);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4485"
+ y="84.593979"
+ x="57.017693"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient31350);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4487"
+ y="84.593979"
+ x="62.690945"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient31352);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4489"
+ y="84.593979"
+ x="68.364159"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22857145;fill:url(#linearGradient31354);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4491"
+ y="84.593979"
+ x="74.037407"
+ height="28.36627"
+ width="2.8366244" />
+ </g>
+ </g>
+ <g
+ id="g5380-5"
+ transform="matrix(0.26458333,0,0,0.26458333,189.84764,97.466989)">
+ <g
+ style="display:inline"
+ id="layer1-5-9" />
+ <g
+ style="display:inline"
+ id="layer2-6">
+ <g
+ style="display:inline"
+ id="g6707-2"
+ transform="matrix(0.04030136,0,0,0.05919351,98.269348,107.74796)">
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.40206185;fill:url(#linearGradient5675);fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1;marker:none"
+ id="rect6709-1"
+ y="-150.69685"
+ x="-1559.2523"
+ height="478.35718"
+ width="1339.6335" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.40206185;fill:url(#radialGradient25153-4-3);fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1;marker:none"
+ id="path6711-7"
+ d="m -219.61876,-150.68038 c 0,0 0,478.33079 0,478.33079 142.874166,0.90045 345.40022,-107.16966 345.40014,-239.196175 0,-132.026537 -159.436816,-239.134595 -345.40014,-239.134615 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.40206185;fill:url(#radialGradient25155-7-5);fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1;marker:none"
+ id="path6713-8"
+ d="m -1559.2523,-150.68038 c 0,0 0,478.33079 0,478.33079 -142.8742,0.90045 -345.4002,-107.16966 -345.4002,-239.196175 0,-132.026537 159.4368,-239.134595 345.4002,-239.134615 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <path
+ style="fill:url(#linearGradient31356);fill-opacity:1;fill-rule:evenodd;stroke:#5e5e5e;stroke-width:2.83662605px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1"
+ id="path3626-5"
+ d="m 30.069752,22.03729 v 95.17786 H 92.475495 V 21.46393 L 80.994049,9.423358 H 40.977128 Z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#ffffff;fill-opacity:0.65536726;fill-rule:evenodd;stroke:none"
+ id="path5791-7"
+ d="M 41.556086,10.841671 31.488067,25.024802 h 59.56912 l -10.90702,-13.76598 z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.34857142;fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:#ffffff;stroke-width:2.83662605;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4553-4"
+ y="30.698046"
+ x="39.997936"
+ height="11.346502"
+ width="45.386024" />
+ <path
+ style="fill:none;stroke:#ffffff;stroke-width:2.83662724;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+ id="path4394-1"
+ d="M 32.906375,23.771924 V 114.3785 H 89.638911 V 23.248654 L 79.132886,12.260001 H 42.887099 Z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.52571429;fill:url(#linearGradient31358);fill-opacity:1;fill-rule:evenodd;stroke:url(#linearGradient31360);stroke-width:2.83662701;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4408-8"
+ y="67.574181"
+ x="54.181065"
+ height="11.346499"
+ width="31.202894" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:#c8c8c8;fill-opacity:1;fill-rule:evenodd;stroke:#acacac;stroke-width:2.83662534;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4398-5"
+ y="66.155869"
+ x="52.762733"
+ height="11.346502"
+ width="31.202871" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.34857142;fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:#ffffff;stroke-width:2.83662558;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4551-9"
+ y="47.7178"
+ x="39.997952"
+ height="11.346502"
+ width="45.386024" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:#c8c8c8;fill-opacity:1;fill-rule:evenodd;stroke:#acacac;stroke-width:2.83662653;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4430-7"
+ y="46.299488"
+ x="38.579624"
+ height="11.346502"
+ width="45.386032" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:#c8c8c8;fill-opacity:1;fill-rule:evenodd;stroke:#acacac;stroke-width:2.83662605;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4436-5"
+ y="29.279736"
+ x="38.579647"
+ height="11.346502"
+ width="45.386032" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#d40000;fill-opacity:1;fill-rule:evenodd;stroke:#979797;stroke-width:1.44772947;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path4396-3"
+ transform="matrix(1.9593699,0,0,1.9593562,-86.509754,21.850696)"
+ d="m 68.185294,26.231213 a 2.171828,2.171828 0 1 1 -4.343656,0 2.171828,2.171828 0 1 1 4.343656,0 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#f44800;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="path4445-8"
+ transform="matrix(2.5342538,0,0,2.5342343,0.4673221,7.5389146)"
+ d="m 16.667518,25.574614 a 0.5050765,0.5050765 0 1 1 -1.010153,0 0.5050765,0.5050765 0 1 1 1.010153,0 z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient31362);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4457-8"
+ y="84.593979"
+ x="48.507816"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient31364);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4461-3"
+ y="84.593979"
+ x="54.181038"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient31366);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4465-1"
+ y="84.593979"
+ x="59.854286"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient31368);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4469-8"
+ y="84.593979"
+ x="65.527534"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient31370);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4473-9"
+ y="84.593979"
+ x="71.200821"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.54285709;fill:url(#linearGradient31372);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4477-6"
+ y="84.593979"
+ x="76.874069"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.16000001;fill:url(#linearGradient31374);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4481-4"
+ y="84.593979"
+ x="45.671154"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient31376);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4483-3"
+ y="84.593979"
+ x="51.34444"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient31378);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4485-3"
+ y="84.593979"
+ x="57.017693"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient31380);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4487-3"
+ y="84.593979"
+ x="62.690945"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient31382);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4489-8"
+ y="84.593979"
+ x="68.364159"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22857145;fill:url(#linearGradient31384);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4491-6"
+ y="84.593979"
+ x="74.037407"
+ height="28.36627"
+ width="2.8366244" />
+ </g>
+ </g>
+ <path
+ style="fill:none;fill-rule:evenodd;stroke:#ff0000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-start:url(#Arrow1Mstart-9);marker-end:url(#Arrow1Mend-8)"
+ d="m 124.0816,61.553157 c 8.40259,11.764481 14.84332,31.023404 16.68932,39.047843"
+ id="path8497-0"
+ inkscape:connector-curvature="0"
+ sodipodi:nodetypes="cc" />
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="207.91438"
+ y="134.4395"
+ id="text11283-9"><tspan
+ sodipodi:role="line"
+ id="tspan11281-1"
+ x="207.91438"
+ y="134.4395"
+ style="stroke-width:0.26458332px">PowerDNS</tspan><tspan
+ sodipodi:role="line"
+ x="207.91438"
+ y="139.40044"
+ style="stroke-width:0.26458332px"
+ id="tspan11285-5">Authoritative</tspan><tspan
+ sodipodi:role="line"
+ x="207.91438"
+ y="144.36137"
+ style="stroke-width:0.26458332px"
+ id="tspan11287-4">Server</tspan><tspan
+ sodipodi:role="line"
+ x="207.91438"
+ y="149.32231"
+ style="stroke-width:0.26458332px"
+ id="tspan11289-9-9" /></text>
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="205.13402"
+ y="27.965719"
+ id="text11283-2"><tspan
+ sodipodi:role="line"
+ id="tspan11281-5"
+ x="205.13402"
+ y="27.965719"
+ style="stroke-width:0.26458332px">PowerDNS</tspan><tspan
+ sodipodi:role="line"
+ x="205.13402"
+ y="32.926655"
+ style="stroke-width:0.26458332px"
+ id="tspan11287-49">Recursor</tspan><tspan
+ sodipodi:role="line"
+ x="205.13402"
+ y="37.887592"
+ style="stroke-width:0.26458332px"
+ id="tspan11289-94" /></text>
+ <g
+ id="g6750-6-2"
+ transform="matrix(0.26458333,0,0,0.26458333,249.45614,39.476661)">
+ <g
+ style="display:inline"
+ id="layer1-3-9-1" />
+ <g
+ style="display:inline"
+ id="layer2-4-8-2">
+ <g
+ id="g12825-7-0"
+ transform="matrix(2.5313899,0,0,3.0201142,-712.99191,751.20922)">
+ <path
+ style="fill:#555753;fill-opacity:1;stroke:none"
+ id="path12827-2-7"
+ d="m 311.5,-242.99998 c -2.77242,0 -5.10823,1.57371 -6.40625,3.8125 -0.94436,-0.47504 -1.96519,-0.8125 -3.09375,-0.8125 -3.864,0 -7,3.136 -7,7 0,3.864 3.136,7 7,7 2.41967,0 4.43009,-1.31932 5.6875,-3.1875 1.1342,0.68962 2.38898,1.1875 3.8125,1.1875 0.91312,0 1.75295,-0.23202 2.5625,-0.53125 0.50994,0.86773 1.17912,1.57972 2,2.15625 -0.007,0.13038 -0.0625,0.24282 -0.0625,0.375 0,3.864 3.13599,7 7,7 3.864,0 7,-3.136 7,-7 0,-2.36969 -1.25898,-4.35834 -3.0625,-5.625 0.007,-0.13038 0.0625,-0.24282 0.0625,-0.375 0,-3.864 -3.13599,-7 -7,-7 -0.6227,0 -1.17519,0.22219 -1.75,0.375 -1.19453,-2.55884 -3.74134,-4.375 -6.75,-4.375 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:url(#linearGradient13495-0-5-0);fill-opacity:1;stroke:none"
+ id="path12829-8-3-2"
+ d="m 311.5,-241.99998 c -2.78048,0 -5.13451,1.76185 -6.0625,4.21875 -0.98542,-0.70944 -2.13143,-1.21875 -3.4375,-1.21875 -3.312,0 -6,2.688 -6,6 0,3.312 2.688,6 6,6 2.42775,0 4.49324,-1.45558 5.4375,-3.53125 1.12076,0.91756 2.50214,1.53125 4.0625,1.53125 1.07454,0 2.04428,-0.31896 2.9375,-0.78125 0.3984,0.99976 1.10114,1.78632 1.9375,2.4375 -0.18001,0.59562 -0.375,1.18965 -0.375,1.84375 0,3.588 2.912,6.5 6.5,6.5 3.588,0 6.5,-2.912 6.5,-6.5 0,-2.36079 -1.33433,-4.33019 -3.21875,-5.46875 0.0626,-0.34723 0.21875,-0.66608 0.21875,-1.03125 0,-3.312 -2.688,-6 -6,-6 -0.85298,0 -1.6713,0.17868 -2.40625,0.5 -0.85377,-2.59388 -3.21524,-4.49999 -6.09375,-4.5 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12831-2-1"
+ transform="matrix(0.964447,0,0,0.964447,89.28852,144.5262)"
+ d="m 248.54804,-383.6666 c 0,3.72219 -3.01743,6.73961 -6.73962,6.73961 -3.72218,0 -6.73961,-3.01742 -6.73961,-6.73961 0,-3.72219 3.01743,-6.73962 6.73961,-6.73962 3.72219,0 6.73962,3.01743 6.73962,6.73962 z"
+ inkscape:connector-curvature="0" />
+ <g
+ id="g12833-9-1">
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12835-9-9"
+ transform="matrix(0.88263,0,0,0.88263,96.18078,108.1091)"
+ d="m 250.18322,-389.30136 c 0,3.4415 -2.78988,6.23138 -6.23138,6.23138 -3.4415,0 -6.23138,-2.78988 -6.23138,-6.23138 0,-3.4415 2.78988,-6.23138 6.23138,-6.23138 3.4415,0 6.23138,2.78988 6.23138,6.23138 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.49444442;fill:url(#linearGradient13497-1-5-0);fill-opacity:1;stroke:none"
+ id="path12837-6-0"
+ transform="matrix(0.88263,0,0,0.88263,96.18078,108.1091)"
+ d="m 250.18322,-389.30136 c 0,3.4415 -2.78988,6.23138 -6.23138,6.23138 -3.4415,0 -6.23138,-2.78988 -6.23138,-6.23138 0,-3.4415 2.78988,-6.23138 6.23138,-6.23138 3.4415,0 6.23138,2.78988 6.23138,6.23138 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <g
+ id="g12839-0-5">
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12841-2-6"
+ transform="matrix(0.911728,0,0,0.911728,90.45407,120.2336)"
+ d="m 257.25429,-385.7879 c 0,3.33166 -2.70084,6.03251 -6.03251,6.03251 -3.33166,0 -6.0325,-2.70085 -6.0325,-6.03251 0,-3.33166 2.70084,-6.0325 6.0325,-6.0325 3.33167,0 6.03251,2.70084 6.03251,6.0325 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.49444442;fill:url(#linearGradient13499-9-7-3);fill-opacity:1;stroke:none"
+ id="path12843-7-7-9"
+ transform="matrix(0.911728,0,0,0.911728,90.45407,120.2336)"
+ d="m 257.25429,-385.7879 c 0,3.33166 -2.70084,6.03251 -6.03251,6.03251 -3.33166,0 -6.0325,-2.70085 -6.0325,-6.03251 0,-3.33166 2.70084,-6.0325 6.0325,-6.0325 3.33167,0 6.03251,2.70084 6.03251,6.0325 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <g
+ id="g12845-6-7">
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12847-1-4"
+ transform="matrix(1.142799,0,0,1.142799,35.23229,210.277)"
+ d="m 237.80885,-387.88715 c 0,2.41637 -1.95885,4.37522 -4.37522,4.37522 -2.41638,0 -4.37523,-1.95885 -4.37523,-4.37522 0,-2.41637 1.95885,-4.37523 4.37523,-4.37523 2.41637,0 4.37522,1.95886 4.37522,4.37523 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.49444442;fill:url(#linearGradient13501-6-0-1);fill-opacity:1;stroke:none"
+ id="path12849-3-0"
+ transform="matrix(1.142799,0,0,1.142799,35.23229,210.277)"
+ d="m 237.80885,-387.88715 c 0,2.41637 -1.95885,4.37522 -4.37522,4.37522 -2.41638,0 -4.37523,-1.95885 -4.37523,-4.37522 0,-2.41637 1.95885,-4.37523 4.37523,-4.37523 2.41637,0 4.37522,1.95886 4.37522,4.37523 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <g
+ id="g12851-2-6">
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12853-1-4"
+ transform="matrix(1.038636,0,0,1.038636,59.84906,169.4899)"
+ d="m 248.54804,-383.6666 c 0,3.72219 -3.01743,6.73961 -6.73962,6.73961 -3.72218,0 -6.73961,-3.01742 -6.73961,-6.73961 0,-3.72219 3.01743,-6.73962 6.73961,-6.73962 3.72219,0 6.73962,3.01743 6.73962,6.73962 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.49444442;fill:url(#linearGradient13503-9-8-8);fill-opacity:1;stroke:none"
+ id="path12855-5-7"
+ transform="matrix(1.038636,0,0,1.038636,59.84907,169.4899)"
+ d="m 248.54804,-383.6666 c 0,3.72219 -3.01743,6.73961 -6.73962,6.73961 -3.72218,0 -6.73961,-3.01742 -6.73961,-6.73961 0,-3.72219 3.01743,-6.73962 6.73961,-6.73962 3.72219,0 6.73962,3.01743 6.73962,6.73962 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ </g>
+ <g
+ id="g9468-9-4"
+ transform="matrix(2.5313899,0,0,3.0201142,-10.842401,-5.9723708)">
+ <g
+ id="g12891-9-8"
+ transform="translate(-225.18126,253.09536)">
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:#555753;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:2;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
+ id="path12893-1-5"
+ d="m 246.49993,-238.49993 c -2.27083,0 -4.10991,1.55028 -4.71875,3.625 -0.69323,-0.36383 -1.44451,-0.625 -2.28125,-0.625 -2.76,0 -5.00001,2.23999 -5,5 0,0.57893 0.16252,1.1077 0.34375,1.625 -1.37347,0.77074 -2.34375,2.189 -2.34375,3.875 0,2.484 2.016,4.50001 4.5,4.5 0.17713,0 18.82287,0 19,0 2.48399,0 4.5,-2.016 4.5,-4.5 0,-1.686 -0.97028,-3.10426 -2.34375,-3.875 0.18124,-0.51729 0.34375,-1.04608 0.34375,-1.625 0,-2.76 -2.24,-4.99999 -5,-5 -0.83674,0 -1.58802,0.26117 -2.28125,0.625 -0.60884,-2.07472 -2.44792,-3.625 -4.71875,-3.625 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:url(#linearGradient31386);fill-opacity:1;stroke:none"
+ id="path12895-4-8"
+ d="m 246.49993,-237.99993 c -2.18972,0 -3.7236,1.33577 -4.39555,3.84352 -0.66846,-0.34362 -1.54759,-0.83335 -2.35445,-0.83335 -2.71651,0 -4.75514,1.93882 -4.75513,4.54554 0,0.54677 0.26721,1.33344 0.44196,1.82201 -1.32443,0.72795 -2.43683,1.8905 -2.43683,3.37255 0,2.34605 1.54617,4.25009 4.33928,4.25009 0.17081,0 18.15064,0 18.32144,0 2.77101,0 4.33928,-1.90404 4.33928,-4.25009 0,-1.59237 -1.1124,-2.66669 -2.43683,-3.39464 0.17476,-0.48856 0.46407,-1.25316 0.46407,-1.79992 0,-2.60671 -2.11581,-4.56763 -4.77723,-4.56764 -0.80687,0 -1.64181,0.48974 -2.31027,0.83336 -0.64885,-2.42154 -2.25001,-3.82143 -4.43974,-3.82143 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12897-9-2"
+ transform="matrix(1.056604,0,0,1.056604,-58.19825,228.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient31388);fill-opacity:1;stroke:none"
+ id="path12899-1-6"
+ transform="matrix(1.056604,0,0,1.056604,-58.19825,228.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="rect12901-0-0"
+ y="-230.99992"
+ x="236.99994"
+ height="9"
+ width="20" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12903-7-6"
+ transform="matrix(0.90566,0,0,0.90566,-24.16987,171.3114)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12905-5-6"
+ transform="matrix(1.056604,0,0,1.056604,-51.19818,231.8633)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient31390);fill-opacity:1;stroke:none"
+ id="path12907-8-4"
+ transform="matrix(1.056604,0,0,1.056604,-51.19825,231.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12909-7-6"
+ transform="matrix(1.056604,0,0,1.056604,-65.19825,231.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient31392);fill-opacity:1;stroke:none"
+ id="path12911-0-2"
+ transform="matrix(1.056604,0,0,1.056604,-65.19825,231.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12913-4-8"
+ d="m 245.46868,-233.96868 c -3.57938,0 -6.46875,2.92063 -6.46875,6.5 0,2.37068 1.34943,4.33779 3.25,5.46875 h 6.46875 c 1.90057,-1.13096 3.25,-3.12931 3.25,-5.5 0,-3.57938 -2.92063,-6.46875 -6.5,-6.46875 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient31394);fill-opacity:1;stroke:none"
+ id="path12915-8-9"
+ d="m 245.49993,-233.99993 c -3.588,0 -6.5,2.91201 -6.5,6.5 0,2.3764 1.34485,4.36632 3.25,5.5 h 6.5 c 1.90515,-1.13368 3.25,-3.1236 3.25,-5.5 0,-3.588 -2.912,-6.49999 -6.5,-6.5 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient31396);fill-opacity:1;stroke:none"
+ id="path12917-0-6"
+ transform="matrix(0.90566,0,0,0.90566,-24.16977,171.3113)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#555753;fill-opacity:1;fill-rule:evenodd;stroke:none"
+ id="path12919-4-0"
+ d="m 258.95633,-230.33389 c -0.002,2.68456 -3.26926,3.71395 -3.26926,3.71395 0,0 2.34874,-1.62595 2.33685,-3.70501 0,0 0.93241,-0.009 0.93241,-0.009 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12921-2-7-0"
+ transform="matrix(1.207547,0,0,1.207547,-98.22652,302.4154)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient31398);fill-opacity:1;stroke:none"
+ id="path12923-9-0"
+ transform="matrix(1.207547,0,0,1.207547,-98.22652,302.4154)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <path
+ style="fill:url(#radialGradient9407-4-3-0);fill-opacity:1;stroke:none"
+ id="path11418-6-1"
+ d="m 21.02789,15.111956 c -2.0001,0 -3.68558,1.0795 -4.53057,2.61494 -0.59491,-0.22191 -1.24464,-0.35337 -1.92595,-0.35337 -2.83021,0 -5.1175304,2.11817 -5.1175304,4.7175 0,0.45375 0.14453,0.85683 0.27514,1.27213 -1.38232,0.86527 -2.34783,2.25357 -2.34783,3.90473 0,2.65283 0.65162,4.99335 5.2275804,4.80585 0.04512,-0.0018 17.45148,0.09698 17.70041,-0.01803 3.08521,0.22595 4.07201,-2.44573 4.07201,-4.69946 0,-1.70051 -0.83694,-3.04985 -2.30927,-3.87759 0.04796,-0.25856 -0.03856,-0.55119 -0.03856,-0.82225 0,-2.59932 -2.30565,-4.71749 -5.13587,-4.71749 -0.39349,0 -0.7324,0.13482 -1.10054,0.21202 -0.73846,-1.76812 -2.58501,-3.03898 -4.76902,-3.03898 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <g
+ id="g9488-1-0"
+ transform="matrix(2.5313899,0,0,3.0201142,-5.7841588,-18.063655)">
+ <g
+ id="g12857-0-1-3"
+ transform="translate(-210.16696,257.11136)">
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:#555753;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:2;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
+ id="path12859-4-3"
+ d="m 246.49993,-238.49993 c -2.27083,0 -4.10991,1.55028 -4.71875,3.625 -0.69323,-0.36383 -1.44451,-0.625 -2.28125,-0.625 -2.76,0 -5.00001,2.23999 -5,5 0,0.57893 0.16252,1.1077 0.34375,1.625 -1.37347,0.77074 -2.34375,2.189 -2.34375,3.875 0,2.484 2.016,4.50001 4.5,4.5 0.17713,0 18.82287,0 19,0 2.48399,0 4.5,-2.016 4.5,-4.5 0,-1.686 -0.97028,-3.10426 -2.34375,-3.875 0.18124,-0.51729 0.34375,-1.04608 0.34375,-1.625 0,-2.76 -2.24,-4.99999 -5,-5 -0.83674,0 -1.58802,0.26117 -2.28125,0.625 -0.60884,-2.07472 -2.44792,-3.625 -4.71875,-3.625 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:url(#linearGradient13077);fill-opacity:1;stroke:none"
+ id="path12861-2-7-0"
+ d="m 246.49993,-237.99993 c -2.18972,0 -3.7236,1.33577 -4.39555,3.84352 -0.66846,-0.34362 -1.54759,-0.83335 -2.35445,-0.83335 -2.71651,0 -4.75514,1.93882 -4.75513,4.54554 0,0.54677 0.26721,1.33344 0.44196,1.82201 -1.32443,0.72795 -2.43683,1.8905 -2.43683,3.37255 0,2.34605 1.54617,4.25009 4.33928,4.25009 0.17081,0 18.15064,0 18.32144,0 2.77101,0 4.33928,-1.90404 4.33928,-4.25009 0,-1.59237 -1.1124,-2.66669 -2.43683,-3.39464 0.17476,-0.48856 0.46407,-1.25316 0.46407,-1.79992 0,-2.60671 -2.11581,-4.56763 -4.77723,-4.56764 -0.80687,0 -1.64181,0.48974 -2.31027,0.83336 -0.64885,-2.42154 -2.25001,-3.82143 -4.43974,-3.82143 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12863-2-7"
+ transform="matrix(1.056604,0,0,1.056604,-58.19825,228.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient13079);fill-opacity:1;stroke:none"
+ id="path12865-2-2"
+ transform="matrix(1.056604,0,0,1.056604,-58.19825,228.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="rect12867-0-6"
+ y="-230.99992"
+ x="236.99994"
+ height="9"
+ width="20" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12869-5-4"
+ transform="matrix(0.90566,0,0,0.90566,-24.16987,171.3114)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12871-5-5"
+ transform="matrix(1.056604,0,0,1.056604,-51.19818,231.8633)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient13081);fill-opacity:1;stroke:none"
+ id="path12873-2-2"
+ transform="matrix(1.056604,0,0,1.056604,-51.19825,231.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12875-9-0"
+ transform="matrix(1.056604,0,0,1.056604,-65.19825,231.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient13083);fill-opacity:1;stroke:none"
+ id="path12877-0-2"
+ transform="matrix(1.056604,0,0,1.056604,-65.19825,231.8634)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12879-2-9"
+ d="m 245.46868,-233.96868 c -3.57938,0 -6.46875,2.92063 -6.46875,6.5 0,2.37068 1.34943,4.33779 3.25,5.46875 h 6.46875 c 1.90057,-1.13096 3.25,-3.12931 3.25,-5.5 0,-3.57938 -2.92063,-6.46875 -6.5,-6.46875 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient13085);fill-opacity:1;stroke:none"
+ id="path12881-8-0"
+ d="m 245.49993,-233.99993 c -3.588,0 -6.5,2.91201 -6.5,6.5 0,2.3764 1.34485,4.36632 3.25,5.5 h 6.5 c 1.90515,-1.13368 3.25,-3.1236 3.25,-5.5 0,-3.588 -2.912,-6.49999 -6.5,-6.5 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient13087);fill-opacity:1;stroke:none"
+ id="path12883-3-9"
+ transform="matrix(0.90566,0,0,0.90566,-24.16977,171.3113)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#555753;fill-opacity:1;fill-rule:evenodd;stroke:none"
+ id="path12885-8-9"
+ d="m 258.95633,-230.33389 c -0.002,2.68456 -3.26926,3.71395 -3.26926,3.71395 0,0 2.34874,-1.62595 2.33685,-3.70501 0,0 0.93241,-0.009 0.93241,-0.009 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#888a85;fill-opacity:1;stroke:none"
+ id="path12887-0-4"
+ transform="matrix(1.207547,0,0,1.207547,-98.22652,302.4154)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="opacity:0.47777776;fill:url(#linearGradient13089);fill-opacity:1;stroke:none"
+ id="path12889-4-5"
+ transform="matrix(1.207547,0,0,1.207547,-98.22652,302.4154)"
+ d="m 291.6875,-437.59375 c 0,1.82944 -1.48306,3.3125 -3.3125,3.3125 -1.82944,0 -3.3125,-1.48306 -3.3125,-3.3125 0,-1.82944 1.48306,-3.3125 3.3125,-3.3125 1.82944,0 3.3125,1.48306 3.3125,3.3125 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <path
+ style="fill:url(#radialGradient9522-5-6-1);fill-opacity:1;stroke:none"
+ id="path13209-0-1"
+ d="m 36.46539,19.111476 c -2.0001,0 -3.68558,1.0795 -4.53057,2.61494 -0.59491,-0.22191 -1.24464,-0.35337 -1.92595,-0.35337 -2.83021,0 -5.11753,2.11817 -5.11753,4.7175 0,0.45375 0.14453,0.85683 0.27514,1.27213 -1.38232,0.86527 -2.34783,2.25357 -2.34783,3.90473 0,2.65283 0.65162,4.99335 5.22758,4.80585 0.04512,-0.0018 17.45148,0.09698 17.70041,-0.01803 3.08521,0.22595 4.07201,-2.44573 4.07201,-4.69946 0,-1.70051 -0.83694,-3.04985 -2.30927,-3.87759 0.04796,-0.25856 -0.03856,-0.55119 -0.03856,-0.82225 0,-2.59932 -2.30565,-4.71749 -5.13587,-4.71749 -0.39349,0 -0.7324,0.13482 -1.10054,0.21202 -0.73846,-1.76812 -2.58501,-3.03898 -4.76902,-3.03898 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ </g>
+ </g>
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="267.32162"
+ y="70.031967"
+ id="text11293-0"><tspan
+ sodipodi:role="line"
+ id="tspan11291-3"
+ x="267.32162"
+ y="70.031967"
+ style="stroke-width:0.26458332px">Internet</tspan></text>
+ <path
+ style="fill:none;fill-rule:evenodd;stroke:#ff0000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-start:url(#marker8927-7);marker-end:url(#marker8875-8)"
+ d="m 217.1259,42.211309 c 14.72994,6.733751 33.9482,7.099588 33.9482,7.099588"
+ id="path8819-0"
+ inkscape:connector-curvature="0"
+ sodipodi:nodetypes="cc" />
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="236.87737"
+ y="30.717167"
+ id="text10993-4"><tspan
+ sodipodi:role="line"
+ id="tspan10991-6"
+ x="236.87737"
+ y="30.717167"
+ style="stroke-width:0.26458332px">Queries for</tspan><tspan
+ sodipodi:role="line"
+ x="236.87737"
+ y="35.678104"
+ style="stroke-width:0.26458332px"
+ id="tspan10995-7">domains not</tspan><tspan
+ sodipodi:role="line"
+ x="236.87737"
+ y="40.639042"
+ style="stroke-width:0.26458332px"
+ id="tspan34484">hosted locally</tspan></text>
+ <path
+ style="fill:none;fill-rule:evenodd;stroke:#ff0000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-start:url(#Arrow1Mstart-9-6);marker-end:url(#Arrow1Mend-8-9)"
+ d="m 205.9512,93.247844 c 1.13375,-9.1358 2.23574,-17.88087 2.87652,-27.048192"
+ id="path8497-0-5"
+ inkscape:connector-curvature="0"
+ sodipodi:nodetypes="cc" />
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="71.988708"
+ y="-221.76425"
+ id="text16372"
+ transform="rotate(92.331602)"><tspan
+ sodipodi:role="line"
+ id="tspan16370"
+ x="71.988708"
+ y="-221.76425"
+ style="stroke-width:0.26458332px">Forwarded domain</tspan><tspan
+ sodipodi:role="line"
+ x="71.988708"
+ y="-216.80331"
+ style="stroke-width:0.26458332px"
+ id="tspan16374">queries</tspan></text>
+ <g
+ id="g7957-2-8-3"
+ transform="matrix(0.26458333,0,0,0.26458333,86.316525,38.671344)">
+ <g
+ id="g2482-2-0"
+ transform="translate(0.4025314,-0.6040782)">
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2502-1-9-0);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2484-6-9"
+ d="m 85.387971,95.699904 c 0.0075,8.102006 -19.95928,14.671276 -44.592125,14.671276 -24.63284,0 -44.5996048,-6.56927 -44.5921197,-14.671276 -0.00749,-8.102001 19.9592797,-14.671277 44.5921197,-14.671277 24.632845,0 44.59961,6.569276 44.592125,14.671277 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2504-2-5-8);fill-opacity:1;fill-rule:evenodd;stroke:#404604;stroke-width:2.89943886px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2486-4-7"
+ d="m 25.751776,94.433252 h 30.7532 c 8.7134,0 17.34004,-3.194983 20.50212,-12.301276 3.00278,-8.647507 0.51256,-25.115108 -18.96446,-38.441492 H 21.651356 C 2.1743262,55.99176 -0.25968379,72.814858 4.2245462,82.644527 8.7928862,92.658579 16.525816,94.433252 25.751776,94.433252 Z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#9db029;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2488-1-9"
+ d="m 40.455396,51.378784 c 0,0 -6.23763,4.81404 -5.70028,10.613492 -5.91841,-5.221292 -6.08845,-15.226473 -6.08845,-15.226473 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.21518986;fill:none;stroke:#ffffff;stroke-width:2.89943814px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2490-2-9"
+ d="m 26.057566,91.347662 h 29.91256 c 7.65371,0 15.23122,-2.806422 18.00874,-10.805243 2.63758,-7.595834 -0.27465,-22.060711 -17.38295,-33.766392 H 23.180676 C 6.0723762,57.58127 3.2095162,72.358411 7.1483862,80.992635 11.161146,89.78882 17.953636,91.347662 26.057566,91.347662 Z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#9db029;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2492-8-3"
+ d="m 41.292286,52.378784 c 0,0 6.23763,4.81404 5.70027,10.613492 5.91841,-5.221292 6.08845,-15.226473 6.08845,-15.226473 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2506-4-8-9);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2494-8-2"
+ d="m 65.368498,38.974475 c 0.0042,13.87367 -11.241435,25.122739 -25.115108,25.122739 -13.87367,0 -25.119321,-11.249069 -25.115105,-25.122739 -0.0042,-13.87367 11.241435,-25.122739 25.115105,-25.122739 13.873673,0 25.119324,11.249069 25.115108,25.122739 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2508-9-3-9);fill-opacity:1;fill-rule:evenodd;stroke:#6f4709;stroke-width:2.89943886px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2496-9-4"
+ d="m 65.730928,28.826439 c 0.0042,13.87367 -11.241435,25.122739 -25.115108,25.122739 -13.87367,0 -25.119321,-11.249069 -25.115105,-25.122739 -0.0042,-13.87367 11.241435,-25.1227391 25.115105,-25.1227391 13.873673,0 25.119324,11.2490691 25.115108,25.1227391 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.12658231;fill:none;stroke:#ffffff;stroke-width:2.89944124px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2498-2-3"
+ d="M 62.644211,28.826474 C 62.647909,40.995 52.784405,50.861502 40.615876,50.861502 28.44735,50.861502 18.583846,40.995 18.587544,28.826474 18.583846,16.657947 28.44735,6.7914452 40.615876,6.7914452 c 12.168529,0 22.032033,9.8665018 22.028335,22.0350288 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient31400);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2500-8-7"
+ d="m 64.967663,92.704432 c 3.61736,-1.5801 5.23637,-5.38796 5.23637,-5.38796 -2.43925,-11.79821 -10.7857,-20.43007 -10.7857,-20.43007 0,0 6.60875,18.58979 5.54933,25.81803 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <g
+ style="display:inline"
+ id="layer1-9-8-1" />
+ <g
+ id="g2483-8-2"
+ transform="translate(89.565224,-57.340975)">
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2476-6-3-2);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4177-6-2"
+ transform="matrix(5.1479827,0,0,2.7810925,-164.41027,100.68378)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient31402);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4368-8-0-3"
+ d="M 13.245856,91.434387 C 9.6284962,89.854283 8.0094862,86.046427 8.0094862,86.046427 10.448736,74.248216 18.795186,65.616354 18.795186,65.616354 c 0,0 -6.60875,18.589793 -5.54933,25.818033 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient31404);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4173-3-2"
+ d="m -28.06643,114.09678 h 12.30128 l -7.17574,-6.66319 -1.53766,2.05021 -1.53767,-1.53766 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient31406);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4370-8-1"
+ d="m -13.94683,130.64896 c 3.56993,-1.68451 5.2316903,-5.8056 5.2316903,-5.8056 C -11.49605,113.12098 -20.24375,105.00302 -20.24375,105.00302 c 0,0 7.14594,18.38998 6.29692,25.64594 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2484-0-7-0);fill-opacity:1;fill-rule:evenodd;stroke:#204a87;stroke-width:2.89943886px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path4308-3-7"
+ d="m -18.20172,156.43265 h 30.75319 c 8.71341,0 17.34005,-3.19499 20.50213,-12.30129 3.00277,-8.64751 0.51255,-25.11511 -18.96447,-38.44149 h -36.39128 c -19.47702,12.30128 -21.91103,29.12437 -17.42681,38.95404 4.56834,10.01406 12.30128,11.78874 21.52724,11.78874 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient31408);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4310-3-5"
+ d="m -16.15151,110.30285 c 9.2259603,8.20085 13.3263803,37.92894 13.3263803,37.92894 0,0 4.10043,-29.72809 11.27617,-38.44149 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#729fcf;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4312-3-1"
+ d="m -9.5424097,113.37817 c 0,0 -6.2376303,4.81404 -5.7002703,10.61349 -5.91841,-5.22129 -6.08846,-15.22647 -6.08846,-15.22647 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.21518986;fill:none;stroke:#ffffff;stroke-width:2.89943814px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path4314-8-7"
+ d="m -18.40849,153.41112 30.42511,-0.0641 c 7.65372,0 15.23122,-2.80644 18.00874,-10.80526 2.63759,-7.59583 -0.27464,-22.06071 -17.38294,-33.76639 l -33.41524,-0.70476 c -17.1083,10.80524 -20.41965,25.58239 -16.41671,34.92137 4.00294,9.33899 9.84421,10.35504 18.78104,10.4191 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#729fcf;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4316-0-4-7"
+ d="m -20.009013,106.3071 c 0,0 6.23763,4.81404 5.70027,10.61349 5.9184092,-5.22129 6.0884592,-15.22647 6.0884592,-15.22647 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2488-4-9-0);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4318-4-1"
+ transform="matrix(2.8994389,0,0,2.8994389,-93.90948,45.859526)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2490-3-0-0);fill-opacity:1;fill-rule:evenodd;stroke:#c17d11;stroke-width:1px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path4320-7-7"
+ transform="matrix(2.8994389,0,0,2.8994389,-93.54705,35.71149)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.19620254;fill:none;stroke:#ffffff;stroke-width:1.14012825px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path4322-6-1"
+ transform="matrix(2.5430833,0,0,2.5430833,-82.4598,42.485353)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient31410);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4354-8-1"
+ d="m -30.18912,153.93669 c -3.61736,-1.58011 -5.23637,-5.38797 -5.23637,-5.38797 2.43925,-11.79821 10.7857,-20.43007 10.7857,-20.43007 0,0 -6.60875,18.58979 -5.54933,25.81804 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient31412);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path4364-9-1"
+ d="m 24.62683,151.44795 c 3.56993,-1.68452 5.23168,-5.80562 5.23168,-5.80562 -2.7809,-11.72238 -11.5286,-19.84033 -11.5286,-19.84033 0,0 7.14594,18.38998 6.29692,25.64595 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <g
+ id="g2507-0-7"
+ transform="translate(49.068553,-45.030564)">
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2537-7-8-9);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2509-6-0"
+ transform="matrix(5.1479827,0,0,2.7810925,-164.41027,100.68378)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient31414);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2511-8-4"
+ d="M 13.245856,91.434387 C 9.6284962,89.854283 8.0094862,86.046427 8.0094862,86.046427 10.448736,74.248216 18.795186,65.616354 18.795186,65.616354 c 0,0 -6.60875,18.589793 -5.54933,25.818033 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient31416);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2513-7-0"
+ d="m -28.06643,114.09678 h 12.30128 l -7.17574,-6.66319 -1.53766,2.05021 -1.53767,-1.53766 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient31418);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2515-9-8"
+ d="m -13.94683,130.64896 c 3.56993,-1.68451 5.2316903,-5.8056 5.2316903,-5.8056 C -11.49605,113.12098 -20.24375,105.00302 -20.24375,105.00302 c 0,0 7.14594,18.38998 6.29692,25.64594 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2545-4-5-0);fill-opacity:1;fill-rule:evenodd;stroke:#204a87;stroke-width:2.89943886px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2517-0-5"
+ d="m -18.20172,156.43265 h 30.75319 c 8.71341,0 17.34005,-3.19499 20.50213,-12.30129 3.00277,-8.64751 0.51255,-25.11511 -18.96447,-38.44149 h -36.39128 c -19.47702,12.30128 -21.91103,29.12437 -17.42681,38.95404 4.56834,10.01406 12.30128,11.78874 21.52724,11.78874 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient31420);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2519-3-1"
+ d="m -16.15151,110.30285 c 9.2259603,8.20085 13.3263803,37.92894 13.3263803,37.92894 0,0 4.10043,-29.72809 11.27617,-38.44149 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#729fcf;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2521-3-6"
+ d="m -9.5424097,113.37817 c 0,0 -6.2376303,4.81404 -5.7002703,10.61349 -5.91841,-5.22129 -6.08846,-15.22647 -6.08846,-15.22647 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.21518986;fill:none;stroke:#ffffff;stroke-width:2.89943814px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2523-3-6"
+ d="m -18.40849,153.41112 30.42511,-0.0641 c 7.65372,0 15.23122,-2.80644 18.00874,-10.80526 2.63759,-7.59583 -0.27464,-22.06071 -17.38294,-33.76639 l -33.41524,-0.70476 c -17.1083,10.80524 -20.41965,25.58239 -16.41671,34.92137 4.00294,9.33899 9.84421,10.35504 18.78104,10.4191 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#729fcf;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2525-7-2"
+ d="m -20.009013,106.3071 c 0,0 6.23763,4.81404 5.70027,10.61349 5.9184092,-5.22129 6.0884592,-15.22647 6.0884592,-15.22647 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2549-3-8-8);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2527-3-1"
+ transform="matrix(2.8994389,0,0,2.8994389,-93.90948,45.859526)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2551-1-4-3);fill-opacity:1;fill-rule:evenodd;stroke:#c17d11;stroke-width:1px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2529-2-9"
+ transform="matrix(2.8994389,0,0,2.8994389,-93.54705,35.71149)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.19620254;fill:none;stroke:#ffffff;stroke-width:1.14012825px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2531-6-6"
+ transform="matrix(2.5430833,0,0,2.5430833,-82.4598,42.485353)"
+ d="m 39.774755,19.008621 c 0.0015,4.78495 -3.877107,8.66469 -8.662058,8.66469 -4.78495,0 -8.663511,-3.87974 -8.662057,-8.66469 -0.0015,-4.78495 3.877107,-8.66469 8.662057,-8.66469 4.784951,0 8.663512,3.87974 8.662058,8.66469 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient31422);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2533-5-4"
+ d="m -30.18912,153.93669 c -3.61736,-1.58011 -5.23637,-5.38797 -5.23637,-5.38797 2.43925,-11.79821 10.7857,-20.43007 10.7857,-20.43007 0,0 -6.60875,18.58979 -5.54933,25.81804 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient31424);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2535-2-8"
+ d="m 24.62683,151.44795 c 3.56993,-1.68452 5.23168,-5.80562 5.23168,-5.80562 -2.7809,-11.72238 -11.5286,-19.84033 -11.5286,-19.84033 0,0 7.14594,18.38998 6.29692,25.64595 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <g
+ id="g2557-6-0"
+ transform="translate(45.228443,22.71576)">
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2577-4-3-8);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2559-5-8-9"
+ d="m 85.387971,95.699904 c 0.0075,8.102006 -19.95928,14.671276 -44.592125,14.671276 -24.63284,0 -44.5996048,-6.56927 -44.5921197,-14.671276 -0.00749,-8.102001 19.9592797,-14.671277 44.5921197,-14.671277 24.632845,0 44.59961,6.569276 44.592125,14.671277 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2579-6-7-7);fill-opacity:1;fill-rule:evenodd;stroke:#404604;stroke-width:2.89943886px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2561-8-1"
+ d="m 25.751776,94.433252 h 30.7532 c 8.7134,0 17.34004,-3.194983 20.50212,-12.301276 3.00278,-8.647507 0.51256,-25.115108 -18.96446,-38.441492 H 21.651356 C 2.1743262,55.99176 -0.25968379,72.814858 4.2245462,82.644527 8.7928862,92.658579 16.525816,94.433252 25.751776,94.433252 Z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#9db029;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2563-7-0"
+ d="m 40.455396,51.378784 c 0,0 -6.23763,4.81404 -5.70028,10.613492 -5.91841,-5.221292 -6.08845,-15.226473 -6.08845,-15.226473 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.21518986;fill:none;stroke:#ffffff;stroke-width:2.89943814px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2565-9-2"
+ d="m 26.057566,91.347662 h 29.91256 c 7.65371,0 15.23122,-2.806422 18.00874,-10.805243 2.63758,-7.595834 -0.27465,-22.060711 -17.38295,-33.766392 H 23.180676 C 6.0723762,57.58127 3.2095162,72.358411 7.1483862,80.992635 11.161146,89.78882 17.953636,91.347662 26.057566,91.347662 Z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#9db029;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2567-6-2"
+ d="m 41.292286,52.378784 c 0,0 6.23763,4.81404 5.70027,10.613492 5.91841,-5.221292 6.08845,-15.226473 6.08845,-15.226473 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2581-9-1-3);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2569-0-9"
+ d="m 65.368498,38.974475 c 0.0042,13.87367 -11.241435,25.122739 -25.115108,25.122739 -13.87367,0 -25.119321,-11.249069 -25.115105,-25.122739 -0.0042,-13.87367 11.241435,-25.122739 25.115105,-25.122739 13.873673,0 25.119324,11.249069 25.115108,25.122739 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#radialGradient2583-4-3-1);fill-opacity:1;fill-rule:evenodd;stroke:#6f4709;stroke-width:2.89943886px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2571-4-7"
+ d="m 65.730928,28.826439 c 0.0042,13.87367 -11.241435,25.122739 -25.115108,25.122739 -13.87367,0 -25.119321,-11.249069 -25.115105,-25.122739 -0.0042,-13.87367 11.241435,-25.1227391 25.115105,-25.1227391 13.873673,0 25.119324,11.2490691 25.115108,25.1227391 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.12658231;fill:none;stroke:#ffffff;stroke-width:2.89944124px;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path2573-1-5"
+ d="M 62.644211,28.826474 C 62.647909,40.995 52.784405,50.861502 40.615876,50.861502 28.44735,50.861502 18.583846,40.995 18.587544,28.826474 18.583846,16.657947 28.44735,6.7914452 40.615876,6.7914452 c 12.168529,0 22.032033,9.8665018 22.028335,22.0350288 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22784807;fill:url(#linearGradient31426);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1px;marker:none"
+ id="path2575-0-6"
+ d="m 64.967663,92.704432 c 3.61736,-1.5801 5.23637,-5.38796 5.23637,-5.38796 -2.43925,-11.79821 -10.7857,-20.43007 -10.7857,-20.43007 0,0 6.60875,18.58979 5.54933,25.81803 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ </g>
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="102.67904"
+ y="76.846764"
+ id="text11279-4-4"><tspan
+ sodipodi:role="line"
+ id="tspan11277-6"
+ x="102.67904"
+ y="76.846764"
+ style="stroke-width:0.26458332px">Users</tspan></text>
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="106.62782"
+ y="31.765177"
+ id="text18645-7"><tspan
+ sodipodi:role="line"
+ id="tspan18643-9"
+ x="106.62782"
+ y="31.765177"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:6.3499999px;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;text-align:center;writing-mode:lr-tb;text-anchor:middle;stroke-width:0.26458332px">New Situation</tspan></text>
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="134.44556"
+ y="-87.913132"
+ id="text10983-1"
+ transform="rotate(61.442823)"><tspan
+ sodipodi:role="line"
+ id="tspan10981-7-6"
+ x="134.44556"
+ y="-87.913132"
+ style="stroke-width:0.26458332px">Recursive queries</tspan><tspan
+ sodipodi:role="line"
+ x="134.44556"
+ y="-82.952194"
+ style="stroke-width:0.26458332px"
+ id="tspan11275-8">and responses</tspan></text>
+ <g
+ id="g5380-1"
+ transform="matrix(0.26458333,0,0,0.26458333,131.60693,103.68603)">
+ <g
+ style="display:inline"
+ id="layer1-5-1" />
+ <g
+ style="display:inline"
+ id="layer2-4">
+ <g
+ style="display:inline"
+ id="g6707-3"
+ transform="matrix(0.04030136,0,0,0.05919351,98.269348,107.74796)">
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.40206185;fill:url(#linearGradient31324-9);fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1;marker:none"
+ id="rect6709-7"
+ y="-150.69685"
+ x="-1559.2523"
+ height="478.35718"
+ width="1339.6335" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.40206185;fill:url(#radialGradient25153-8-4);fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1;marker:none"
+ id="path6711-2"
+ d="m -219.61876,-150.68038 c 0,0 0,478.33079 0,478.33079 142.874166,0.90045 345.40022,-107.16966 345.40014,-239.196175 0,-132.026537 -159.436816,-239.134595 -345.40014,-239.134615 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.40206185;fill:url(#radialGradient25155-4-6);fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1;marker:none"
+ id="path6713-7"
+ d="m -1559.2523,-150.68038 c 0,0 0,478.33079 0,478.33079 -142.8742,0.90045 -345.4002,-107.16966 -345.4002,-239.196175 0,-132.026537 159.4368,-239.134595 345.4002,-239.134615 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <path
+ style="fill:url(#linearGradient34449);fill-opacity:1;fill-rule:evenodd;stroke:#5e5e5e;stroke-width:2.83662605px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1"
+ id="path3626-3"
+ d="m 30.069752,22.03729 v 95.17786 H 92.475495 V 21.46393 L 80.994049,9.423358 H 40.977128 Z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#ffffff;fill-opacity:0.65536726;fill-rule:evenodd;stroke:none"
+ id="path5791-3"
+ d="M 41.556086,10.841671 31.488067,25.024802 h 59.56912 l -10.90702,-13.76598 z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.34857142;fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:#ffffff;stroke-width:2.83662605;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4553-92"
+ y="30.698046"
+ x="39.997936"
+ height="11.346502"
+ width="45.386024" />
+ <path
+ style="fill:none;stroke:#ffffff;stroke-width:2.83662724;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+ id="path4394-4"
+ d="M 32.906375,23.771924 V 114.3785 H 89.638911 V 23.248654 L 79.132886,12.260001 H 42.887099 Z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.52571429;fill:url(#linearGradient34451);fill-opacity:1;fill-rule:evenodd;stroke:url(#linearGradient34453);stroke-width:2.83662701;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4408-4"
+ y="67.574181"
+ x="54.181065"
+ height="11.346499"
+ width="31.202894" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:#c8c8c8;fill-opacity:1;fill-rule:evenodd;stroke:#acacac;stroke-width:2.83662534;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4398-49"
+ y="66.155869"
+ x="52.762733"
+ height="11.346502"
+ width="31.202871" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.34857142;fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:#ffffff;stroke-width:2.83662558;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4551-93"
+ y="47.7178"
+ x="39.997952"
+ height="11.346502"
+ width="45.386024" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:#c8c8c8;fill-opacity:1;fill-rule:evenodd;stroke:#acacac;stroke-width:2.83662653;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4430-8"
+ y="46.299488"
+ x="38.579624"
+ height="11.346502"
+ width="45.386032" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:#c8c8c8;fill-opacity:1;fill-rule:evenodd;stroke:#acacac;stroke-width:2.83662605;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4436-3"
+ y="29.279736"
+ x="38.579647"
+ height="11.346502"
+ width="45.386032" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#d40000;fill-opacity:1;fill-rule:evenodd;stroke:#979797;stroke-width:1.44772947;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path4396-2"
+ transform="matrix(1.9593699,0,0,1.9593562,-86.509754,21.850696)"
+ d="m 68.185294,26.231213 a 2.171828,2.171828 0 1 1 -4.343656,0 2.171828,2.171828 0 1 1 4.343656,0 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#f44800;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="path4445-9"
+ transform="matrix(2.5342538,0,0,2.5342343,0.4673221,7.5389146)"
+ d="m 16.667518,25.574614 a 0.5050765,0.5050765 0 1 1 -1.010153,0 0.5050765,0.5050765 0 1 1 1.010153,0 z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient34455);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4457-5"
+ y="84.593979"
+ x="48.507816"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient34457);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4461-4"
+ y="84.593979"
+ x="54.181038"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient34459);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4465-3"
+ y="84.593979"
+ x="59.854286"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient34461);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4469-9"
+ y="84.593979"
+ x="65.527534"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient34463);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4473-4"
+ y="84.593979"
+ x="71.200821"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.54285709;fill:url(#linearGradient34465);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4477-9"
+ y="84.593979"
+ x="76.874069"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.16000001;fill:url(#linearGradient34467);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4481-5"
+ y="84.593979"
+ x="45.671154"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient34469);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4483-5"
+ y="84.593979"
+ x="51.34444"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient34471);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4485-7"
+ y="84.593979"
+ x="57.017693"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient34473);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4487-39"
+ y="84.593979"
+ x="62.690945"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient34475);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4489-0"
+ y="84.593979"
+ x="68.364159"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22857145;fill:url(#linearGradient34477);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4491-7"
+ y="84.593979"
+ x="74.037407"
+ height="28.36627"
+ width="2.8366244" />
+ </g>
+ </g>
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="148.17834"
+ y="139.65004"
+ id="text11283-2-2"><tspan
+ sodipodi:role="line"
+ x="148.17834"
+ y="139.65004"
+ style="stroke-width:0.26458332px"
+ id="tspan11289-94-9">dnsdist</tspan></text>
+ <path
+ style="fill:none;fill-rule:evenodd;stroke:#00ffff;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-start:url(#Arrow1Mstart-9-0);marker-end:url(#Arrow1Mend-8-0)"
+ d="m 162.2439,114.43505 c 13.57819,-4.65472 16.24445,-3.79728 31.98109,-4.0285"
+ id="path8497-0-1"
+ inkscape:connector-curvature="0"
+ sodipodi:nodetypes="cc" />
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="179.37651"
+ y="119.38058"
+ id="text10983-1-7"><tspan
+ sodipodi:role="line"
+ x="179.37651"
+ y="119.38058"
+ style="stroke-width:0.26458332px"
+ id="tspan11275-8-3">Queries from</tspan><tspan
+ sodipodi:role="line"
+ x="179.37651"
+ y="124.34151"
+ style="stroke-width:0.26458332px"
+ id="tspan35964">non-users</tspan></text>
+ <g
+ id="g5380-9-9-9"
+ transform="matrix(0.26458333,0,0,0.26458333,70.984056,106.78144)">
+ <g
+ style="display:inline"
+ id="layer1-5-2-3-6" />
+ <g
+ style="display:inline"
+ id="layer2-5-1-3">
+ <g
+ style="display:inline"
+ id="g6707-4-4-6"
+ transform="matrix(0.04030136,0,0,0.05919351,98.269348,107.74796)">
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.40206185;fill:url(#linearGradient6293-2-5);fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1;marker:none"
+ id="rect6709-0-8-8"
+ y="-150.69685"
+ x="-1559.2523"
+ height="478.35718"
+ width="1339.6335" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.40206185;fill:url(#radialGradient25153-3-6-88);fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1;marker:none"
+ id="path6711-5-9-4"
+ d="m -219.61876,-150.68038 c 0,0 0,478.33079 0,478.33079 142.874166,0.90045 345.40022,-107.16966 345.40014,-239.196175 0,-132.026537 -159.436816,-239.134595 -345.40014,-239.134615 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.40206185;fill:url(#radialGradient25155-0-4-5);fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1;marker:none"
+ id="path6713-9-6-6"
+ d="m -1559.2523,-150.68038 c 0,0 0,478.33079 0,478.33079 -142.8742,0.90045 -345.4002,-107.16966 -345.4002,-239.196175 0,-132.026537 159.4368,-239.134595 345.4002,-239.134615 z"
+ inkscape:connector-curvature="0" />
+ </g>
+ <path
+ style="fill:url(#linearGradient40150);fill-opacity:1;fill-rule:evenodd;stroke:#5e5e5e;stroke-width:2.83662605px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1"
+ id="path3626-4-7-6"
+ d="m 30.069752,22.03729 v 95.17786 H 92.475495 V 21.46393 L 80.994049,9.423358 H 40.977128 Z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#ffffff;fill-opacity:0.65536726;fill-rule:evenodd;stroke:none"
+ id="path5791-6-7-7"
+ d="M 41.556086,10.841671 31.488067,25.024802 h 59.56912 l -10.90702,-13.76598 z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.34857142;fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:#ffffff;stroke-width:2.83662605;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4553-9-3-2"
+ y="30.698046"
+ x="39.997936"
+ height="11.346502"
+ width="45.386024" />
+ <path
+ style="fill:none;stroke:#ffffff;stroke-width:2.83662724;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+ id="path4394-2-7-7"
+ d="M 32.906375,23.771924 V 114.3785 H 89.638911 V 23.248654 L 79.132886,12.260001 H 42.887099 Z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.52571429;fill:url(#linearGradient40152);fill-opacity:1;fill-rule:evenodd;stroke:url(#linearGradient40154);stroke-width:2.83662701;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4408-2-1-4"
+ y="67.574181"
+ x="54.181065"
+ height="11.346499"
+ width="31.202894" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:#c8c8c8;fill-opacity:1;fill-rule:evenodd;stroke:#acacac;stroke-width:2.83662534;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4398-4-2-1"
+ y="66.155869"
+ x="52.762733"
+ height="11.346502"
+ width="31.202871" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.34857142;fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:#ffffff;stroke-width:2.83662558;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4551-7-2-0"
+ y="47.7178"
+ x="39.997952"
+ height="11.346502"
+ width="45.386024" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:#c8c8c8;fill-opacity:1;fill-rule:evenodd;stroke:#acacac;stroke-width:2.83662653;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4430-75-1-0"
+ y="46.299488"
+ x="38.579624"
+ height="11.346502"
+ width="45.386032" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:#c8c8c8;fill-opacity:1;fill-rule:evenodd;stroke:#acacac;stroke-width:2.83662605;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="rect4436-4-5-6"
+ y="29.279736"
+ x="38.579647"
+ height="11.346502"
+ width="45.386032" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#d40000;fill-opacity:1;fill-rule:evenodd;stroke:#979797;stroke-width:1.44772947;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;marker:none"
+ id="path4396-8-0-4"
+ transform="matrix(1.9593699,0,0,1.9593562,-86.509754,21.850696)"
+ d="m 68.185294,26.231213 a 2.171828,2.171828 0 1 1 -4.343656,0 2.171828,2.171828 0 1 1 4.343656,0 z"
+ inkscape:connector-curvature="0" />
+ <path
+ style="display:inline;overflow:visible;visibility:visible;fill:#f44800;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="path4445-1-9-4"
+ transform="matrix(2.5342538,0,0,2.5342343,0.4673221,7.5389146)"
+ d="m 16.667518,25.574614 a 0.5050765,0.5050765 0 1 1 -1.010153,0 0.5050765,0.5050765 0 1 1 1.010153,0 z"
+ inkscape:connector-curvature="0" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient40156);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4457-2-0-3"
+ y="84.593979"
+ x="48.507816"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient40158);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4461-8-4-7"
+ y="84.593979"
+ x="54.181038"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient40160);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4465-9-0-3"
+ y="84.593979"
+ x="59.854286"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient40162);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4469-3-1-4"
+ y="84.593979"
+ x="65.527534"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;fill:url(#linearGradient40164);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4473-6-3-7"
+ y="84.593979"
+ x="71.200821"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.54285709;fill:url(#linearGradient40166);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4477-8-7-2"
+ y="84.593979"
+ x="76.874069"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.16000001;fill:url(#linearGradient40168);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4481-0-4-1"
+ y="84.593979"
+ x="45.671154"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient40170);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4483-2-1-7"
+ y="84.593979"
+ x="51.34444"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient40172);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4485-1-1-9"
+ y="84.593979"
+ x="57.017693"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient40174);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4487-0-3-5"
+ y="84.593979"
+ x="62.690945"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.29142851;fill:url(#linearGradient40176);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4489-5-0-6"
+ y="84.593979"
+ x="68.364159"
+ height="28.36627"
+ width="2.8366244" />
+ <rect
+ style="display:inline;overflow:visible;visibility:visible;opacity:0.22857145;fill:url(#linearGradient40178);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1;marker:none"
+ id="rect4491-1-3-8"
+ y="84.593979"
+ x="74.037407"
+ height="28.36627"
+ width="2.8366244" />
+ </g>
+ </g>
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="87.500374"
+ y="101.45261"
+ id="text25054-9"><tspan
+ sodipodi:role="line"
+ id="tspan25052-5"
+ x="87.500374"
+ y="101.45261"
+ style="stroke-width:0.26458332px">Recursors</tspan><tspan
+ sodipodi:role="line"
+ x="87.500374"
+ y="106.41355"
+ style="stroke-width:0.26458332px"
+ id="tspan25056-5">on the Internet</tspan></text>
+ <path
+ style="fill:none;fill-rule:evenodd;stroke:#00ffff;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-start:url(#Arrow1Mstart-2-6);marker-end:url(#Arrow1Mend-7-1)"
+ d="m 98.050239,123.14693 c 7.239301,-0.50164 34.003931,-0.24597 38.055241,-0.0178"
+ id="path8497-6-2"
+ inkscape:connector-curvature="0"
+ sodipodi:nodetypes="cc" />
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="117.24758"
+ y="130.30893"
+ id="text10983-5-1"><tspan
+ sodipodi:role="line"
+ id="tspan10981-4-5"
+ x="117.24758"
+ y="130.30893"
+ style="stroke-width:0.26458332px">Non-recursive</tspan><tspan
+ sodipodi:role="line"
+ x="117.24758"
+ y="135.26987"
+ style="stroke-width:0.26458332px"
+ id="tspan26889-9">queries</tspan><tspan
+ sodipodi:role="line"
+ x="117.24758"
+ y="140.2308"
+ style="stroke-width:0.26458332px"
+ id="tspan24726-2-9">and</tspan><tspan
+ sodipodi:role="line"
+ x="117.24758"
+ y="145.19174"
+ style="stroke-width:0.26458332px"
+ id="tspan11275-2-1">responses</tspan></text>
+ <path
+ style="fill:none;fill-rule:evenodd;stroke:#ff0000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-start:url(#marker40190);marker-end:url(#marker40344)"
+ d="m 154.98446,102.97997 c 7.60862,-8.601053 18.01574,-31.143639 37.0507,-53.75661"
+ id="path40180"
+ inkscape:connector-curvature="0"
+ sodipodi:nodetypes="cc" />
+ <text
+ xml:space="preserve"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.96875px;line-height:125%;font-family:'DejaVu Sans';-inkscape-font-specification:'DejaVu Sans, Normal';text-align:center;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458332px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+ x="25.482401"
+ y="184.97829"
+ id="text10983-1-6"
+ transform="rotate(-58.927192)"><tspan
+ sodipodi:role="line"
+ x="25.482401"
+ y="184.97829"
+ style="stroke-width:0.26458332px"
+ id="tspan11275-8-1">Queries from users</tspan></text>
+ <rect
+ style="opacity:1;fill:none;fill-opacity:1;stroke:#000000;stroke-width:1;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+ id="rect18641-0"
+ width="215.2045"
+ height="133.80107"
+ x="70.681786"
+ y="23.31601"
+ rx="5.004303" />
+ </g>
+</svg>
--- /dev/null
+Guides and How Tos
+==================
+
+.. toctree::
+ :maxdepth: 1
+
+ basic-database
+ recursion
+ virtual-instances
+ alias
+ kskroll
+ kskrollcdnskey
+ zskroll
+ addingrecords
+
--- /dev/null
+KSK Rollover
+============
+
+Before attempting a KSK rollover, please read :rfc:`RFC 6581 "DNSSEC
+Operational Practices, Version 2", section 4 <6781#section-4>` carefully to
+understand the terminology, actions and timelines (TTL and RRSIG expiry)
+involved in rolling a KSK.
+
+This How To describes the "Double-Signature Key Signing Key Rollover"
+from the above mentioned RFC.
+
+To start the rollover, add an **active** new KSK to the zone
+(example.net in this case):
+
+::
+
+ pdnsutil add-zone-key example.net ksk active
+
+Note that a key with same algorithm as the KSK to be replaced should be
+created, as this is not an algorithm roll over.
+
+If this zone is of the type 'MASTER', increase the SOA serial. The
+rollover is now in the "New KSK" stage. Retrieve the DS record(s) for
+the new KSK:
+
+::
+
+ pdnsutil show-zone example.net
+
+And communicate this securely to your registrar/parent zone. Now wait
+until the new DS is published in the parent zone and at least the TTL
+for the DS records has passed. The rollover is now in the "DS Change"
+state and can continue to the "DNSKEY Removal" stage by actually
+deleting the old KSK.
+
+.. note::
+ The key-id for the old KSK is shown in the output of
+ ``pdnsutil show-zone example.net``.
+
+::
+
+ pdnsutil remove-zone-key example.net KEY-ID
+
+The rollover is now complete.
--- /dev/null
+KSK Rollover using CDS & CDNSKEY Key Rollover
+=============================================
+
+If the upstream registry supports :rfc:`7344` key rollovers you can use
+several :doc:`pdnsutil <../dnssec/pdnsutil>` commands to do this
+rollover. This HowTo follows the rollover example from the RFCs
+:rfc:`Appendix B <7344#appendix-B>`.
+
+We assume the zone name is example.com and is already DNSSEC signed.
+
+Start by adding a new KSK to the zone:
+``pdnsutil add-zone-key example.com ksk 2048 inactive``. The "inactive"
+means that the key is not used to sign any ZSK records. This limits the
+size of ``ANY`` and DNSKEY responses.
+
+Publish the CDS records: ``pdnsutil set-publish-cds example.com``, these
+records will tell the parent zone to update its DS records. Now wait for
+the DS records to be updated in the parent zone.
+
+Once the DS records are updated, do the actual key-rollover:
+``pdnsutil activate-zone-key example.com new-key-id`` and
+``pdnsutil deactivate-zone-key example.com old-key-id``. You can get the
+``new-key-id`` and ``old-key-id`` by listing them through
+``pdnsutil show-zone example.com``.
+
+After the rollover, wait *at least* until the TTL on the DNSKEY records
+have expired so validating resolvers won't mark the zone as BOGUS. When
+the wait is over, delete the old key from the zone:
+``pdnsutil remove-zone-key example.com old-key-id``. This updates the
+CDS records to reflect only the new key.
+
+Wait for the parent to pick up on the CDS change. Once the upstream DS
+records show only the DS records for the new KSK, you may disable
+sending out the CDS responses:
+``pdnsutil unset-publish-cds example.com``.
+
+Done!
--- /dev/null
+Migrating from using recursion on the Authoritative Server to using a Recursor
+==============================================================================
+
+Recursion was removed from the Authoritative Server in version 4.1.0.
+This chapter discusses two scenarios and how to migrate to a new set up.
+
+The first scenario is the one where the Authoritative Server is used as
+a recursor with some private domains for trusted clients. The second
+scenario is the one where the Authoritative Server serves publicly
+available domains and is a recursor for a subset of clients.
+
+Scenario 1: Authoritative Server as Recursor with private zones
+---------------------------------------------------------------
+
+In this scenario, the Authoritative Server is used as a Recursor for a
+set of users and systems. Its database contains several private domains
+that are not served on the internet.
+
+This means that migrating means that a Recursor should listen on the
+address the Authoritative Server. The Authoritative Server will need to
+listen on the local loopback interface and the Recursor should forward
+queries to the private domains to the Authoritative Server.
+
+.. note::
+ These steps to require restarts and changes where services are
+ bound to, it will inevitably lead to some down time. This guide attempts
+ to prevent downtime to a minimum.
+
+.. figure:: imgs/400-410-recursor-scenario-1.png
+ :align: center
+ :alt: First scenario
+
+Migration plan
+~~~~~~~~~~~~~~
+
+1. Remove all recursion related settings from ``pdns.conf``
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+All settings related to recursion need to be commented out or removed
+from ``pdns.conf`` and any files included from there. These settings
+should be removed:
+
+- ``allow-recursion``
+- ``recursive-cache-ttl``
+- ``recursor``
+
+2. Change the listen address and port for the Authoritative Server
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+To make the authoritative server listen on the local loopback address
+and port 5300 change the following in ``pdns.conf``:
+
+::
+
+ local-ipv6=
+ local-address=127.0.0.1
+ local-port=5300
+
+3. Install and configure the PowerDNS Recursor
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+This is most likely an ``apt-get`` or ``yum install`` away, see the
+`Recursor documentation <https://doc.powerdns.com/recursor/getting-started.html#installation>`__ for more information.
+
+It might be possible that the Recursor can not start as the listen
+address is in use by the Authoritative Server, this is fine for now.
+
+Now configure the listen addresses and ACL for the Recursor to be the
+same as the Authoritative Server had. The following settings should be
+migrated:
+
++-------------------------+---------------------+
+| Authoritative Setting | Recursor Setting |
++=========================+=====================+
+| ``local-address`` | ``local-address`` |
++-------------------------+---------------------+
+| ``local-ipv6`` | ``local-address`` |
++-------------------------+---------------------+
+| ``allow-recursion`` | ``allow-from`` |
++-------------------------+---------------------+
+| ``local-port`` | ``local-port`` |
++-------------------------+---------------------+
+
+Now configure the recursor to forward the private domains to the
+Authoritative Server. This is done using the
+`forward-zones <https://doc.powerdns.com/recursor/settings.html#forward-zones>`__ setting in
+``recursor.conf``. The domains should be forwarded to 127.0.0.1:5300
+(the new address and port of the Authoritative Server):
+
+::
+
+ forward-zones=private.example.com=127.0.0.1:5300
+ forward-zones+=another.example.com=127.0.0.1:5300
+ # etc..
+
+4. Restart the Authoritative Server and the Recursor
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Restart the Authoritative Server first so its bind addresses become free
+for the recursor.
+
+Scenario 2: Authoritative Server as Recursor for clients and serving public domains
+-----------------------------------------------------------------------------------
+
+The best way to "migrate" in this scenario is to seperate the recursive
+service fully from the Authoritative Server. See `Dan Bernstein's
+article <http://cr.yp.to/djbdns/separation.html>`__ on this topic.
+
+If this is not possible, this migration guide will maintain the
+functionality of the existing installation while allowing to upgrade.
+
+.. figure:: imgs/400-410-recursor-scenario-2.png
+ :align: center
+ :alt: First scenario
+
+Migration plan
+~~~~~~~~~~~~~~
+
+1. Remove all recursion related settings from ``pdns.conf``
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+All settings related to recursion need to be commented out or removed
+from ``pdns.conf`` and any files included from there. These settings
+should be removed:
+
+- ``allow-recursion``
+- ``recursive-cache-ttl``
+- ``recursor``
+
+2. Change the listen address and port for the Authoritative Server
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+To make the authoritative server listen on the local loopback address
+and port 5300 change the following in ``pdns.conf``:
+
+::
+
+ local-ipv6=
+ local-address=127.0.0.1
+ local-port=5300
+
+3. Install and configure the PowerDNS Recursor
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+This is most likely an ``apt-get`` or ``yum install`` away, see the
+`Recursor's Install Guide <https://doc.powerdns.com/recursor/getting-started.html#installation>`__ for more
+information.
+
+It might be possible that the Recursor can not start as the listen
+address is in use by the Authoritative Server, this is fine for now.
+
+Configure the recursor to listen on the local loopback interface on a
+different port than the Authoritative Server. Set the following in
+``recursor.conf``:
+
+::
+
+ local-address=127.0.0.1
+ local-port=5301
+
+Now configure the recursor to forward the private domains to the
+Authoritative Server. This is done using the
+`forward-zones <https://doc.powerdns.com/recursor/settings.html#forward-zones>`__ setting in
+``recursor.conf``. The domains should be forwarded to 127.0.0.1:5300
+(the new address and port of the Authoritative Server):
+
+::
+
+ forward-zones=private.example.com=127.0.0.1:5300
+ forward-zones+=another.example.com=127.0.0.1:5300
+ # etc..
+
+4. Install and configure dnsdist
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+`dnsdist <http://dnsdist.org>`__ is a DNS loadbalancer from the people
+behind PowerDNS that balances DNS packets based on rules. See the
+`dnsdist download instructions <http://dnsdist.org/download/>`__ on how
+to install dnsdist.
+
+This guide assumes dnsdist 1.2 or dnsdist master.
+
+After installing, configure dnsdist in ``/etc/dnsdist/dnsdist.conf``.
+This is where several settings from the existing Authoritative Server
+(like listen address and recursive ACL) will be moved to.
+
++-------------------------+--------------------------------------+
+| Authoritative Setting | dnsdist Setting |
++=========================+======================================+
+| ``local-address`` | ``setLocal()`` and ``addLocal()`` |
++-------------------------+--------------------------------------+
+| ``local-ipv6`` | ``setLocal()`` and ``addLocal()`` |
++-------------------------+--------------------------------------+
+| ``local-port`` | ``setLocal()`` and ``addLocal()`` |
++-------------------------+--------------------------------------+
+| ``allow-recursion`` | used in the ``NetmaskGroupRule()`` |
++-------------------------+--------------------------------------+
+
+.. code:: lua
+
+ setLocal('IPADDRESS:PORT')
+ addLocal('ANOTHERIPADDRESS:PORT')
+ setACL({'0.0.0.0/0', '::/0'}) -- Allow all IPs access
+
+ newServer({'127.0.0.1:5300', pool='auth'})
+ newServer({'127.0.0.1:5301', pool='recursor'})
+
+ recursive_ips = newNMG()
+ recursive_ips:addMask('NETWORKMASK1') -- These network masks are the ones from allow-recursion in the Authoritative Server
+ recursive_ips:addMask('NETWORKMASK2')
+
+ addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
+ addAction(AllRule(), PoolAction('auth'))
+
+This configuration will route all queries from the netmasks that are
+allowed to do recursion to the Recursor and all other queries to the
+Authoritative Server.
+
+4. Restart the Authoritative Server, the Recursor and dnsdist
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Restart the Authoritative Server first so its bind addresses become free
+for the recursor.
--- /dev/null
+Running Virtual Instances
+=========================
+
+It may be advantageous to run multiple separate PowerDNS installations
+on a single host, for example to make sure that different customers
+cannot affect each others zones. PowerDNS fully supports running
+multiple instances on one host.
+
+To generate additional PowerDNS instances, create a ``pdns-NAME.conf``
+in your configuration directory (usually ``/etc/powerdns``), where
+``NAME`` is the name of your virtual configuration.
+
+Following one of the following instructions, PowerDNS will read its
+configuration from the ``pdns-NAME.conf`` instead of ``pdns.conf``.
+
+Starting virtual instances with Sysv init-scripts
+-------------------------------------------------
+
+Symlink the init.d script ``pdns`` to ``pdns-NAME``, where ``NAME`` is
+the name of your virtual configuration.
+
+.. warning::
+ ``NAME`` must not contain a '-' as this will confuse the script.
+
+Internally, the init script calls the binary with the
+:ref:`setting-config-name` option set to ``name``,
+setting in motion the loading of separate configuration files.
+
+When you launch a virtual instance of PowerDNS, the pid-file is saved
+inside :ref:`setting-socket-dir` as ``pdns-name.pid``.
+
+.. warning::
+ Be aware however that the init.d ``force-stop`` will kill all PowerDNS instances!
+
+Starting virtual instances with systemd
+---------------------------------------
+
+With systemd it is as simple as calling the correct service instance.
+Assuming your instance is called ``myinstance`` and
+``pdns-myinstance.conf`` exists in the configuration directory, the
+following command will start the service:
+
+::
+
+ systemctl start pdns@myinstance.service
+
+Similarly you can enable it at boot:
+
+::
+
+ systemctl enable pdns@myinstance.service
+
+
--- /dev/null
+ZSK Rollover
+============
+
+This how to describes the way to roll a ZSK that is not a secure
+entrypoint (a ZSK that is not tied to a DS record in the parent zone)
+using the :rfc:`"RFC 6781 Pre-Publish Zone Signing Key
+Rollover" <6781#section-4.1.1.1>`
+method. The documentation linked above also lists the minimum time
+between stages. **PLEASE READ THAT DOCUMENT CAREFULLY**
+
+First, create a new inactive ZSK for the zone (if one already exists,
+you can skip this step), we add an ECDSA 256 bit key (algorithm 13)
+here:
+
+::
+
+ pdnsutil add-zone-key example.net zsk inactive ecdsa256
+
+You are now almost at the "new DNSKEY"-stage of the rollover, if the
+zone is of type 'MASTER' you'll need to update the SOA serial in the
+database and wait for the slaves to pickup the zone change.
+
+To change the RRSIGs on your records, the new key must be made active.
+Note: you can get the key-ids with ``pdnsutil show-zone example.net``:
+
+::
+
+ pdnsutil activate-zone-key example.net new-key-id
+ pdnsutil deactivate-zone-key example.net previous-key-id
+
+Again, if this is a 'MASTER'-zone, update the SOA serial. You are now at
+the "new RRSIGs" stage of the roll over.
+
+The last step is to remove the old key from the completely:
+
+::
+
+ pdnsutil remove-zone-key example.net previous-key-id
+
+Don't forget to update the SOA serial for 'MASTER' zones. The rollover
+is now at the "DNSKEY removal" stage and complete.
+
--- /dev/null
+Cryptokeys
+==========
+
+CryptoKey
+---------
+
+.. json:object:: CryptoKey
+
+ Represents a DNSSEC crypto key
+
+ :param string type: "Cryptokey"
+ :param int id: The internal identifier, read only
+ :param string keytype: One of the following: ``ksk``, ``zsk``, ``csk``
+ :param bool active: Whether or not the key is in active use
+ :param string dnskey: The DNSKEY record for this key
+ :param [string] ds: An array of DS records for this key
+ :param string privatekey: The private key in ISC format
--- /dev/null
+CryptoKeys endpoint
+===================
+
+.. versionadded:: 4.1.0
+
+These endpoints allow for the manipulation of DNSSEC crypto material.
+
+.. http:get:: /api/v1/servers/:server_id/zones/:zone_id/cryptokeys
+
+ Get all :json:object:`CryptoKeys <CryptoKey>` for a zone, except the privatekey
+
+ :param server_id: The name of the server
+ :param zone_id: The id value of the :json:object:`Zone`
+
+.. http:post:: /api/v1/servers/:server_id/zones/:zone_id/cryptokeys
+
+ This method adds a new key to a zone.
+ The key can either be generated or imported by supplying the ``content`` parameter.
+
+ :param server_id: The name of the server
+ :param zone_id: The id value of the :json:object:`Zone`
+ :reqjson string content: The private key to use (The format used is compatible with BIND and NSD/LDNS)
+ :reqjson string keytype: Either "ksk" or "zsk"
+ :reqjson bool active: If not set the key will not be active by default
+ :reqjson int bits: Number of bits in the key (if ``content`` is not set)
+ :reqjson int,string algo: The DNSSEC algorithm (if ``content`` is not set), see :ref:`dnssec-supported-algos`
+ :statuscode 201: Everything was fine, returns all public data as a :json:object:`CryptoKey`.
+ :statuscode 422: Returned when something is wrong with the content of the request.
+ Contains an error message
+ :resjson string error: Has the error message
+
+.. http:get:: /api/v1/servers/:server_id/zones/:zone_name/cryptokeys/:cryptokey_id
+
+ Returns all data about the :json:object:`CryptoKey`, including the ``privatekey``.
+
+ :param string server_id: The name of the server
+ :param string zone_id: The id value of the :json:object:`Zone`
+ :param string cryptokey_id: The id value of the :json:object:`CryptoKey`
+
+.. http:put:: /api/v1/servers/:server_id/zones/:zone_name/cryptokeys/:cryptokey_id
+
+ This method (de)activates a key from ``zone_name`` specified by ``cryptokey_id``.
+
+ :param string server_id: The name of the server
+ :param string zone_id: The id value of the :json:object:`Zone`
+ :param string cryptokey_id: The id value of the :json:object:`CryptoKey`
+ :reqjson bool active: The new 'active' status of the key
+ :statuscode 204: Everything was fine, the key with ``cryptokey_id`` is de/activated.
+ :statuscode 422: Returned when something is wrong with the content of the request.
+ Contains an error message
+ :resjson string error: Has the error message
+
+.. http:delete:: /api/v1/servers/:server_id/zones/:zone_name/cryptokeys/:cryptokey_id
+
+ This method deletes a key from ``zone_name`` specified by ``cryptokey_id``.
+
+ :param string server_id: The name of the server
+ :param string zone_id: The id value of the :json:object:`Zone`
+ :param string cryptokey_id: The id value of the :json:object:`CryptoKey`
+ :statuscode 200: Everything was fine, the key with ``cryptokey_id`` is gone
+ :statuscode 422: Returned when the key could not be removed.
+ Contains an error message
+ :resjson string error: Has the error message
--- /dev/null
+Data Search Endpoint
+====================
+
+.. http:get:: /api/v1/servers/:server_id/search-data?q=:search_term&max=:max_results
+
+ Search the data inside PowerDNS for ``search_term`` and return at most
+ ``max_results``. This includes zones, records and comments. The ``*``
+ character can be used in ``search_term`` as a wildcard character and the
+ ``?`` character can be used as a wildcard for a single character.
+
+ :param server_id: The name of the server
+ :query string search_term: The term to search for
+ :query int max_results: Maximum number of entries to return
+
+ Response body is an array of one or more of the following objects:
+
+ .. code-block:: http
+
+ HTTP/1.1 200 OK
+ Content-Type: application/json
+
+ [
+ {
+ "name": "example.com.",
+ "object_type": "zone",
+ "zone_id": "example.com."
+ }
+ ]
+
+
+ For a record:
+
+ .. code-block:: http
+
+ HTTP/1.1 200 OK
+ Content-Type: application/json
+
+ [
+ {
+ "content": "192.0.2.1",
+ "disabled": false,
+ "name": "www.example.com",
+ "object_type": "record",
+ "ttl": 1200,
+ "type": "A",
+ "zone": "example.com.",
+ "zone_id": "example.com."
+ }
+ ]
+
+ For a comment:
+
+ .. code-block:: http
+
+ HTTP/1.1 200 OK
+ Content-Type: application/json
+
+ [
+ {
+ "object_type": "comment",
+ "name": "www.example.com",
+ "content": "An awesome comment",
+ "zone": "example.com.",
+ "zone_id": "example.com."
+ }
+ ]
--- /dev/null
+Zone Metadata endpoints
+=======================
+
+.. versionadded:: 4.1.0
+
+.. http:get:: /api/v1/servers/:server_id/zones/:zone_id/metadata
+
+ Get all the :json:object:`MetaData` associated with the zone.
+
+ :param server_id: The name of the server
+ :param zone_id: The id number of the :json:object:`Zone`
+
+.. http:post:: /api/v1/servers/:server_id/zones/:zone_id/metadata
+
+ Creates a set of metadata entries of given kind for the zone.
+ Existing metadata entries for the zone with the same kind are not overwritten.
+
+ :param server_id: The name of the server
+ :param zone_id: The id number of the :json:object:`Zone`
+
+.. http:get:: /api/v1/servers/:server_id/zones/:zone_name/metadata/:metadata_kind
+
+ Get the content of a single kind of :doc:`domain metadata <../domainmetadata>` as a list of :json:object:`MetaData` objects.
+
+ :param server_id: The name of the server
+ :param zone_id: The id number of the :json:object:`Zone`
+ :param metadata_kind: The name of the metadata to retrieve
+
+.. http:put:: /api/v1/servers/:server_id/zones/:zone_name/metadata/:metadata_kind
+
+ Modify the content of a single kind of :doc:`domain metadata <../domainmetadata>`.
+
+ :param server_id: The name of the server
+ :param zone_id: The id number of the :json:object:`Zone`
+ :param metadata_kind: The name of the metadata to edit
+ :reqjson MetaData data: The list of :json:object:`MetaData` to set.
+
+.. http:delete:: /api/v1/servers/:server_id/zones/:zone_name/metadata/:metadata_kind
+
+ Delete all items of a single kind of :doc:`domain metadata <../domainmetadata>`.
+
+ :param server_id: The name of the server
+ :param zone_id: The id number of the :json:object:`Zone`
+ :param metadata_kind: The name of the metadata to delete
-Zones endpoint ``/api/v1/servers/:server_id/zones``
-===================================================
+Zones endpoint
+==============
.. http:get:: /api/v1/servers/:server_id/zones
Get all zones from the server.
- :query server_id: The name of the server
+ :param server_id: The name of the server
.. http:post:: /api/v1/servers/:server_id/zones
Creates a new domain.
- :query server_id: The name of the server
-
- **Authoritative Server only:**
+ :param server_id: The name of the server
- ``dnssec``, ``nsec3narrow``, ``presigned``, ``nsec3param``, ``active-keys`` are OPTIONAL.
- ``dnssec``, ``nsec3narrow``, ``presigned`` default to ``false``.
Returns zone information.
- :query server_id: The name of the server
- :query zone_id: The id number of the :json:object:`Zone`
+ :param server_id: The name of the server
+ :param zone_id: The id number of the :json:object:`Zone`
.. http:delete:: /api/v1/servers/:server_id/zones/:zone_id
Deletes this zone, all attached metadata and rrsets.
- :query server_id: The name of the server
- :query zone_id: The id number of the :json:object:`Zone`
+ :param server_id: The name of the server
+ :param zone_id: The id number of the :json:object:`Zone`
.. http:patch:: /api/v1/servers/:server_id/zones/:zone_id
- .. note::
-
- Authoritative only.
-
Modifies present RRsets and comments. Returns ``204 No Content`` on success.
- :query server_id: The name of the server
- :query zone_id: The id number of the :json:object:`Zone`
+ :param server_id: The name of the server
+ :param zone_id: The id number of the :json:object:`Zone`
Example client body for PATCH:
]
}
-
.. http:put:: /api/v1/servers/:server_id/zones/:zone_id
- .. note::
-
- Authoritative only.
-
Modifies basic zone data (metadata).
- :query server_id: The name of the server
- :query zone_id: The id number of the :json:object:`Zone`
+ :param server_id: The name of the server
+ :param zone_id: The id number of the :json:object:`Zone`
Allowed fields in client body: all except ``id`` and ``url``.
Returns ``204 No Content`` on success.
.. http:put:: /api/v1/servers/:server_id/zones/:zone_id/notify
- .. note::
-
- Authoritative only.
-
Send a DNS NOTIFY to all slaves.
- :query server_id: The name of the server
- :query zone_id: The id number of the :json:object:`Zone`
+ :param server_id: The name of the server
+ :param zone_id: The id number of the :json:object:`Zone`
Fails when zone kind is not ``Master`` or ``Slave``, or ``master`` and ``slave`` are disabled in the configuration.
Only works for ``Slave`` if renotify is on.
.. http:put:: /api/v1/servers/:server_id/zones/:zone_id/axfr-retrieve
- .. note::
-
- Authoritative only.
-
Retrieves the zone from the master.
- :query server_id: The name of the server
- :query zone_id: The id number of the :json:object:`Zone`
+ :param server_id: The name of the server
+ :param zone_id: The id number of the :json:object:`Zone`
Fails when zone kind is not ``Slave``, or ``slave`` is disabled in PowerDNS configuration.
.. http:get:: /api/v1/servers/:server_id/zones/:zone_id/export
- .. note::
-
- Authoritative only.
-
Returns the zone in AXFR format.
- :query server_id: The name of the server
- :query zone_id: The id number of the :json:object:`Zone`
+ :param server_id: The name of the server
+ :param zone_id: The id number of the :json:object:`Zone`
.. http:get:: /api/v1/servers/:server_id/zones/:zone_id/check
- .. note::
-
- Not yet implemented
-
Verify zone contents/configuration.
Return format:
"warnings": ["warning message1"]
}
+ :param server_id: The name of the server
+ :param zone_id: The id number of the :json:object:`Zone`
--- /dev/null
+Built-in Webserver and HTTP API
+===============================
+
+The PowerDNS Authoritative Server features a built-in built-in webserver that exposes a JSON/REST API.
+This API allows for controlling several functions and reading statistics.
+
+Webserver
+---------
+
+To launch the internal webserver, add a :ref:`setting-webserver` to the configuration file.
+This will instruct PowerDNS to start a webserver on localhost at port 8081, without password protection.
+Only local users (on the same host) will be able to access the webserver by default, but we still strongly advise the use of a password protection.
+The webserver lists a lot of information about the PowerDNS process, including frequent queries, frequently failing queries, lists of remote hosts sending queries, hosts sending corrupt queries etc.
+The webserver does not allow remote management.
+The following webserver related configuration items are available:
+
+* :ref:`setting-webserver`: If set to anything but 'no', a webserver is launched.
+* :ref:`setting-webserver-address`: Address to bind the webserver to. Defaults to 127.0.0.1, which implies that only the local computer is able to connect to the nameserver! To allow remote hosts to connect, change to 0.0.0.0 or the physical IP address of your nameserver.
+* :ref:`setting-webserver-password`: If set, viewers will have to enter this plaintext password in order to gain access to the statistics.
+* :ref:`setting-webserver-port`: Port to bind the webserver to.
+* :ref:`setting-webserver-allow-from`: Netmasks that are allowed to connect to the webserver
+
+Enabling the API
+----------------
+
+To enable the API, the webserver and the HTTP API need to be enbaled.
+Add these lines to the ``pdns.conf``::
+
+ webserver=yes
+ webserver-port=8082
+ api-key=changeme
+
+And restart, the following examples should start working::
+
+ curl -v -H 'X-API-Key: changeme' http://127.0.0.1:8082/api/v1/servers/localhost | jq .
+ curl -v -H 'X-API-Key: changeme' http://127.0.0.1:8082/api/v1/servers/localhost/zones | jq .
+
+JSON Objects
+------------
+
+The following documents describe the JSON objects available in the API:
+
+.. toctree::
+ :maxdepth: 1
+
+ ../common/api/dataformat
+ ../common/api/server
+ ../common/api/zone
+ ../common/api/configsetting
+ ../common/api/statisticitem
+ cryptokeyitem
+ zonemetadata
+
+URL Endpoints
+-------------
+
+All API endpoints for the PowerDNS Recursor are documented here:
+
+.. toctree::
+ :maxdepth: 1
+
+ ../common/api/endpoint-api
+ ../common/api/endpoint-servers
+ ../common/api/endpoint-servers-config
+ ../common/api/endpoint-statistics
+ ../common/api/endpoint-logging
+ endpoint-search
+ endpoint-zones
+ endpoint-zone-metadata
+ endpoint-cryptokeys
based on the other flags, this includes running the equivalent of
``secure-zone`` and ``rectify-zone``. This also applies to newly created
zones. If ``presigned`` is ``true``, no DNSSEC changes will be made to
-the zone or cryptokeys. **Note**: Authoritative only.
+the zone or cryptokeys. .
**TODO**: ``dnssec``, ``nsec3narrow``, ``nsec3param``, ``presigned`` are
not yet implemented.
SOA-EDIT-API metadata record is created and set to ``DEFAULT``. (If
this record is removed from the backend, the default behaviour is to
not do any SOA editing based on this setting. This is different from
- setting ``DEFAULT``.) **Note**: Authoritative only.
+ setting ``DEFAULT``).
- ``account`` MAY be set. Its value is defined by local policy.
- **Note**: Authoritative only.
- ``notified_serial``, ``serial`` MUST NOT be sent in client bodies.
- **Note**: Authoritative only.
- ``nameservers`` MAY be sent in client bodies during creation, and
MUST NOT be sent by the server. Simple list of strings of nameserver
names, including the trailing dot. Note: Before 4.0.0, names were
- taken without the trailing dot. **Note**: Authoritative only. Not
+ taken without the trailing dot. . Not
required for slave zones.
-- ``servers``: list of forwarded-to servers, including port. **Note**:
- Recursor only.
-
-- ``recursion_desired``: for ``Forwarded`` zones, if the RD bit should
- be set. **Note**: Authoritative only.
-
-- ``rrsets``: list of DNS records and comments in the zone. **Note**:
- Modifications are supported on Authoritative only.
+- ``rrsets``: list of DNS records and comments in the zone.
Please see the description for ``PATCH`` for details on the fields in
``RRset``, ``Record`` and ``Comment``.
-Notes:
-''''''
-
Turning on DNSSEC with custom keys: just create the zone with ``dnssec``
set to ``false``, and add keys using the cryptokeys REST interface. Have
at least one of them ``active`` set to ``true``. **TODO**: not yet
Zone Metadata
=============
-.. warning::
-
- Authoritative Server only.
-
.. versionadded:: 4.1.0.
.. json:object:: Metadata
- Represents zone metadata :doc:`domainmetadata`
+ Represents zone metadata :doc:`../domainmetadata`
:property string kind: Name of the metadata
:property [string] metadata: Array with all values for this metadata kind.
--- /dev/null
+PowerDNS Authoritative Nameserver
+=================================
+
+The PowerDNS Authoritative Server is a versatile nameserver which
+supports a large number of backends. These backends can either be plain
+zone files or be more dynamic in nature.
+
+PowerDNS has the concepts of 'backends'. A backend is a datastore that
+the server will consult that contains DNS records (and some meta-data).
+The backends range from database backends (:doc:`MySQL <backends/generic-mysql>`, :doc:`PostgreSQL <backends/generic-postgresql>`, :doc:`Oracle <backends/oracle>`)
+and :doc:`Bind-zonefiles <backends/bind>` to :doc:`co-processes <backends/pipe>` and :doc:`JSON API's <backends/remote>`.
+
+Multiple backends can be enabled in the configuration by using the
+:ref:`setting-launch` option. Each backend can be configured separately.
+
+See the :doc:`backend <backends/index>` documentation for more information.
+
+Getting Started
+---------------
+
+ * :doc:`Install the Authoritative Server <installation>`
+ * :doc:`Configure the Server <settings>`
+ * :doc:`Configure the backend(s) <backends/index>`
+
+Getting Support
+---------------
+PowerDNS is an open source program so you may get help from the PowerDNS users' community or from its authors.
+You may also help others (please do).
+
+Public support is available via several different channels:
+
+ * This documentation
+ * `The mailing list <https://www.powerdns.com/mailing-lists.html>`_
+ * ``#powerdns`` on `irc.oftc.net <irc://irc.oftc.net/#powerdns>`_
+
+The PowerDNS company can provide help or support you in private as well.
+For first class and rapid support, please contact powerdns.support@powerdns.com, or see the `.com website <https://www.powerdns.com/support-services-consulting.html>`__.
+
+My information is confidential, must I send it to the mailing list or discuss on IRC?
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Yes, we have a support policy called `"Open Source Support: out in the open" <https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/>`_.
+
+If you desire privacy, please consider entering a support relationship with us, in which case we invite you to contact powerdns.support.sales@powerdns.com.
+
+I have a question!
+^^^^^^^^^^^^^^^^^^
+This happens, we're here to help!
+Read below on how you can get help
+
+What details should I supply?
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Start out with stating what you think should be happening.
+Quite often, wrong expectations are the actual problem.
+Furthermore, your operating system, which version of PowerDNS you use and where you got it from (RPM, .DEB, tar.bz2).
+If you compiled it yourself, what were the ``./configure`` parameters.
+
+If possible, supply the actual name of your domain and the IP address of your server(s).
+
+I found a bug!
+^^^^^^^^^^^^^^
+As much as we'd like to think we are perfect, bugs happen.
+If you have found a bug, please file a bug report on `GitHub <https://github.com/PowerDNS/pdns/issues/new>`_.
+Please fill in the template and we'll try our best to help you.
+
+I found a security issue!
+^^^^^^^^^^^^^^^^^^^^^^^^^
+Please report this in private, see the :ref:`securitypolicy`.
+
+I have a good idea for a feature!
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+We like to work on new things!
+You can file a feature request on `GitHub <https://github.com/PowerDNS/pdns/issues/new>`_.
+
--- /dev/null
+PowerDNS Authoritative Server
+=============================
+
+.. toctree::
+ :maxdepth: 3
+ :glob:
+
+ index
+ installation
+ upgrading
+ modes-of-operation
+ migration
+ running
+ security
+ performance
+ dnssec/index
+ domainmetadata
+ dnsupdate
+ tsig
+ guides/index
+ backends/index
+ http-api/index
+ manpages/index
+ settings
+ security-advisories/index
+ changelog/index
+ appendices/*
--- /dev/null
+Installing PowerDNS
+===================
+
+Installation of the PowerDNS Authoritative server on UNIX systems can be
+done in several ways:
+
+- Binary packages provided by your distribution
+- Binary packages provided by PowerDNS on
+ `repo.powerdns.com <https://repo.powerdns.com>`__
+
+Binary Packages
+---------------
+
+Debian-based Systems
+~~~~~~~~~~~~~~~~~~~~
+
+PowerDNS Authoritative Server is available through the
+`apt <https://packages.debian.org/pdns-server>`__ system.
+
+::
+
+ # apt-get install pdns-server
+
+Debian splits the backends into `several different
+packages <https://packages.debian.org/pdns-backend>`__, install the
+required backend as follows:
+
+::
+
+ # apt-get install pdns-backend-$backend
+
+Redhat-based Systems
+~~~~~~~~~~~~~~~~~~~~
+
+On RedHat based system there are 2 options to install PowerDNS, from
+`EPEL <https://fedoraproject.org/wiki/EPEL>`__, the `repository from
+Kees Monshouwer <https://www.monshouwer.eu/download/3rd_party/pdns/>`__
+or from `the PowerDNS repositories <https://repo.powerdns.com>`__:
+
+Add either to your list of repositories and install PowerDNS by issuing:
+
+::
+
+ # yum install pdns
+
+The different backends can be installed using
+
+::
+
+ # yum install pdns-backend-$backend
+
+FreeBSD
+~~~~~~~
+
+PowerDNS Authoritative Server is available through the
+`ports <http://www.freshports.org/dns/powerdns/>`__ system:
+
+For the package:
+
+::
+
+ # pkg install dns/powerdns
+
+To have your system build the port:
+
+::
+
+ cd /usr/ports/dns/powerdns/ && make install clean
+
+Mac OS X
+~~~~~~~~
+
+PowerDNS Authoritative Server is available through Homebrew:
+
+::
+
+ $ brew install pdns
+
+After installation
+------------------
+
+Once installed, :doc:`guides/basic-database` using MySQL or start :doc:`migrating <migration>` your data.
+++ /dev/null
-% CALIDNS(1)
-% PowerDNS.com BV
-% April 2016
-
-# NAME
-**calidns** - A DNS recursor testing tool
-
-# SYNOPSIS
-**calidns** [*OPTIONS*] *QUERY_FILE* *DESTINATION* *INITIAL_QPS* *HITRATE*
-
-# DESCRIPTION
-**calidns** reads queries from *QUERY_FILE* and sends them as a recursive query to
-*DESTINATION* (an IPv4 or IPv6 address, optionally with a port number), starting
-at INITIAL_QPS queries per second and aims to have a cache hitrate of *HITRATE*
-percent.
-
-It will then try to determine the maximum amount of queries per second the recursor
-can handle with the aforementioned *HITRATE*.
-
-# QUERY_FILE format
-The format of the *QUERY_FILE* is very simple, it should contain "QNAME<space>QTYPE"
-tuples, one per line. For example:
-
-powerdns.com A
-powerdns.com AAAA
-google.com A
-
-This is similar to Alexa top 1 million list.
-
-# OPTIONS
---increment *NUM*
-: On every subsequent run, multiply the number of queries per second by *NUM*.
- By default, this is 1.1.
-
---want-recursion
-: Set this flag to send queries with the Recursion Desired flag set.
--- /dev/null
+calidns
+=======
+
+:program:`calidns` - A DNS recursor testing tool
+
+Synopsis
+--------
+
+:program:`calidns` [*OPTIONS*] *QUERY\_FILE* *DESTINATION* *INITIAL_QPS* *HITRATE*
+
+Description
+-----------
+
+:program:`calidns` reads queries from *QUERY_FILE* and sends them as a
+recursive query to *DESTINATION* (an IPv4 or IPv6 address, optionally
+with a port number), starting at INITIAL_QPS queries per second and
+aims to have a cache hitrate of *HITRATE* percent.
+
+It will then try to determine the maximum amount of queries per second
+the recursor can handle with the aforementioned *HITRATE*.
+
+QUERY_FILE format
+------------------
+
+The format of the *QUERY_FILE* is very simple, it should contain
+"QNAME QTYPE" tuples, one per line. For example::
+
+ powerdns.com A
+ powerdns.com AAAA
+ google.com A
+
+This is similar to Alexa top 1 million list.
+
+Options
+-------
+
+--increment <NUM> On every subsequent run, multiply the number of queries per second
+ by *NUM*. By default, this is 1.1.
+--want-recursion Set this flag to send queries with the Recursion Desired flag set.
+++ /dev/null
-% DNSBULKTEST(1)
-% PowerDNS.com BV
-% April 2015
-
-# NAME
-**dnsbulktest** - A debugging tool for intermittent resolver failures
-
-# SYNOPSIS
-**dnsbulktest** [*OPTION*]... *IPADDRESS* *PORT* [*LIMIT*]
-
-# DESCRIPTION
-**dnsbulktest** sends a large amount of different queries (for up to *LIMIT*
-different domains) to the nameserver at *IPADDRESS* on port *PORT*. It reads the
-domain names from STDIN in the alexa topX format and outputs statistics on STDOUT.
-
-# OPTIONS
---help, -h
-: Show a summary of options.
-
---quiet, -q
-: Don't show information on individual queries.
-
---type, -t *TYPE*
-: Query the nameserver for *TYPE*, A by default.
-
---envoutput, -e
-: Write results on STDOUT as shell environment variables
-
---version
-: Display the version of dnsbulktest
--- /dev/null
+dnsbulktest
+===========
+
+:program:`dnsbulktest` - A debugging tool for intermittent resolver failures
+
+Synopsis
+--------
+
+:program:`dnsbulktest` [*OPTION*]... *IPADDRESS* *PORT* [*LIMIT*]
+
+Description
+-----------
+
+:program:`dnsbulktest` sends a large amount of different queries (for up to
+*LIMIT* different domains) to the nameserver at *IPADDRESS* on port
+*PORT*. It reads the domain names from STDIN in the alexa topX format
+and outputs statistics on STDOUT.
+
+Options
+-------
+
+--help, -h Show a summary of options.
+--quiet, -q Don't show information on individual queries.
+--type, -t <TYPE> Query the nameserver for *TYPE*, A by default.
+--envoutput, -e Write results on STDOUT as shell environment variables
+--version Display the version of dnsbulktest
+++ /dev/null
-% DNSGRAM(1)
-% PowerDNS.com BV
-% April 2015
-
-# NAME
-**dnsgram** - A debugging tool for intermittent resolver failures
-
-# SYNOPSIS
-**dnsgram** *INFILE*...
-
-# DESCRIPTION
-**dnsgram** takes one or more *INFILE*s in PCAP format and generates statistics
-on 5 second segments allowing the study of intermittent resolver issues.
-
-# OPTIONS
-None
-
-# SEE ALSO
-pcap(3PCAP), tcpdump(8)
--- /dev/null
+dnsgram
+=======
+
+:program:`dnsgram` - A debugging tool for intermittent resolver failures
+
+Synopsis
+--------
+
+:program:`dnsgram` *INFILE*...
+
+Description
+-----------
+
+:program:`dnsgram` takes one or more *INFILE*\ s in PCAP format and generates
+statistics on 5 second segments allowing the study of intermittent
+resolver issues.
+
+Options
+-------
+
+None
+
+See also
+--------
+
+pcap(3PCAP), tcpdump(8)
+++ /dev/null
-% DNSPCAP2PROTOBUF(1)
-% PowerDNS.com BV
-% June 2016
-
-# NAME
-**dnspcap2protobuf** - A tool to convert PCAPs of DNS traffic to PowerDNS Protobuf
-
-# SYNOPSIS
-**dnspcap2protobuf** *PCAPFILE* *OUTFILE*
-
-# DESCRIPTION
-**dnspcap2protobuf** reads the PCAP file *PCAPFILE* for DNS queries and responses
-and writes these in the PowerDNS protobuf format to *OUTFILE*.
-
-# OPTIONS
---help
-: Show a summary of options.
-
---version
-: Display the version of dnspcap2protobuf
--- /dev/null
+dnspcap2protobuf
+================
+
+:program:`dnspcap2protobuf` - A tool to convert PCAPs of DNS traffic to
+PowerDNS Protobuf
+
+Synopsis
+--------
+
+:program:`dnspcap2protobuf` *PCAPFILE* *OUTFILE*
+
+Description
+-----------
+
+:program:`dnspcap2protobuf` reads the PCAP file *PCAPFILE* for DNS queries and
+responses and writes these in the PowerDNS protobuf format to *OUTFILE*.
+
+Options
+-------
+
+--help Show a summary of options.
+--version Display the version of dnspcap2protobuf
+++ /dev/null
-% DNSREPLAY(1)
-% Joerg Jungermann (jj+debian At borkum.net)
-% September 2012
-
-# NAME
-**dnsreplay** - A PowerDNS nameserver debugging tool
-
-# SYNOPSIS
-**dnsreplay** [*OPTION*]... *FILENAME* *ADDRESS* [*PORT*]
-
-# DESCRIPTION
-This program takes recorded questions and answers and replays them to the
-specified nameserver and reporting afterwards which percentage of answers
-matched, were worse or better.
-
-dnsreplay compares the answers and some other metrics with the actual ones with
-those found in the dumpfile.
-
-By default it only replay queries with recursion-desired flag set.
-
-# OPTIONS
-FILENAME
-: is expected to be an PCAP file.
- The queries are send to the DNS server specified as *ADDRESS* and
- *PORT*.
-
-ADDRESS
-: IPv4 or IPv6 address of the nameserver to replay *FILENAME* to.
-
-PORT
-: if omitted, 53 will be used.
-
---help | -h
-: Show summary of options.
-
---ecs-mask *VAL*
-: When EDNS forwarding an IP address, mask out first octet with this value
-
---ecs-stamp *FLAG*
-: Add original IP address as EDNS Client Subnet Option when forwarding to
- reference server
-
---packet-limit *NUM*
-: Stop after replaying *NUM* packets. Default for *NUM* is 0, which means no
- limit.
-
---quiet *FLAG*
-: If *FLAG* is set to 1. dnsreplay will not be very noisy with its output.
- This is the default.
-
---recursive *FLAG*
-: If *FLAG* is set to 1. dnsreplay will only replay queries with recursion
- desired flag set. This is the default.
-
---speedup *FACTOR*
-: Replay queries with this speedup *FACTOR*. Default is 1.
-
---timeout-msec *MSEC*
-: Wait at least *MSEC* milliseconds for a reply. Default is 500.
-
-# BUGS
-dnsreplay has no certain handling for timeouts. It handles around at most 65536
-outstanding answers.
-
-# SEE ALSO
-pcap(3PCAP), tcpdump(8), dnswasher(1)
--- /dev/null
+dnsreplay
+=========
+
+:program:`dnsreplay` - A PowerDNS nameserver debugging tool
+
+Synopsis
+--------
+
+:program:`dnsreplay` [*OPTION*]... *FILENAME* *ADDRESS* [*PORT*]
+
+Description
+-----------
+
+This program takes recorded questions and answers and replays them to
+the specified nameserver and reporting afterwards which percentage of
+answers matched, were worse or better.
+
+dnsreplay compares the answers and some other metrics with the actual
+ones with those found in the dumpfile.
+
+By default it only replay queries with recursion-desired flag set.
+
+Options
+-------
+
+FILENAME
+ is expected to be an PCAP file. The queries are send to the DNS
+ server specified as *ADDRESS* and *PORT*.
+ADDRESS
+ IPv4 or IPv6 address of the nameserver to replay *FILENAME* to.
+PORT
+ if omitted, 53 will be used.
+
+--help, -h Show summary of options.
+--ecs-mask <VAL> When EDNS forwarding an IP address, mask out first octet with this value
+--ecs-stamp <FLAG> Add original IP address as EDNS Client Subnet Option when
+ forwarding to reference server
+--packet-limit <NUM> Stop after replaying *NUM* packets. Default for *NUM* is 0, which
+ means no limit.
+--quiet <FLAG> If *FLAG* is set to 1. dnsreplay will not be very noisy with its
+ output. This is the default.
+--recursive <FLAG> If *FLAG* is set to 1. dnsreplay will only replay queries with
+ recursion desired flag set. This is the default.
+--speedup <FACTOR> Replay queries with this speedup *FACTOR*. Default is 1.
+--timeout-msec <MSEC> Wait at least *MSEC* milliseconds for a reply. Default is 500.
+
+Bugs
+----
+
+dnsreplay has no certain handling for timeouts. It handles around at
+most 65536 outstanding answers.
+
+See also
+--------
+
+pcap(3PCAP), tcpdump(8), dnswasher(1)
+++ /dev/null
-% DNSSCAN(1)
-% PowerDNS.com BV
-% April 2015
-
-# NAME
-**dnsscan** - List the amount of queries per qtype in a pcap
-
-# SYNOPSIS
-**dnsscan** *INFILE*...
-
-# DESCRIPTION
-**dnsscan** takes one or more *INFILE*s in PCAP format and generates a list of
-the number of queries per qtype.
-
-# OPTIONS
-None
-
-# SEE ALSO
-pcap(3PCAP), tcpdump(8)
-
--- /dev/null
+dnsscan
+=======
+
+:program:`dnsscan` - List the amount of queries per qtype in a pcap
+
+Synopsis
+--------
+
+:program:`dnsscan` *INFILE*...
+
+Description
+-----------
+
+:program:`dnsscan` takes one or more *INFILE*\ s in PCAP format and generates a
+list of the number of queries per qtype.
+
+Options
+-------
+
+None
+
+See also
+--------
+
+pcap(3PCAP), tcpdump(8)
+++ /dev/null
-% DNSSCOPE(1)
-% Joerg Jungermann (jj+debian At borkum.net)
-% September 2012
-
-# NAME
-**dnsscope** - A PowerDNS nameserver debugging tool
-
-# SYNOPSIS
-**dnsscope** [*OPTION*]... *INFILE*
-
-# DESCRIPTION
-**dnsscope** takes an *INFILE* in PCAP format. It generates some simple
-statistics outputs these to STDOUT.
-
-# OPTIONS
-INFILE
-: Path to a PCAP file.
-
--h | --help
-: Show the help.
-
---rd
-: Only process packets in *INFILE* with the RD (Recursion Desired) flag set.
- By default, we process all DNS packets in *INFILE*.
-
---ipv4
-: Process IPv4 packets. On by default, disable with **--ipv4 false**.
-
---ipv6
-: Process IPv6 packets. On by default, disable with **--ipv6 false**.
-
---servfail-tree
-: Figure out subtrees that generate servfails.
-
--l | --load-stats
-: Emit per-second load statistics (questions, answers, outstanding).
-
--w | --write-failures *FILENAME*
-: Write weird packets to a PCAP file at *FILENAME*.
-
--v | --verbose
-: Be more verbose.
-
-# SEE ALSO
-pcap(3PCAP), tcpdump(8)
--- /dev/null
+dnsscope
+========
+
+:program:`dnsscope` - A PowerDNS nameserver debugging tool
+
+Synopsis
+--------
+
+:program:`dnsscope` [*OPTION*]... *INFILE*
+
+Description
+-----------
+
+:program:`dnsscope` takes an *INFILE* in PCAP format. It generates some simple
+statistics outputs these to STDOUT.
+
+Options
+-------
+
+INFILE
+ Path to a PCAP file.
+
+-h, --help Show the help.
+--rd Only process packets in *INFILE* with the RD (Recursion Desired)
+ flag set. By default, we process all DNS packets in *INFILE*.
+--ipv4=<state> Process IPv4 packets. On by default, disable with **--ipv4 false**.
+--ipv6=<state> Process IPv6 packets. On by default, disable with **--ipv6 false**.
+--servfail-tree Figure out subtrees that generate servfails.
+-l, --load-stats Emit per-second load statistics (questions, answers, outstanding).
+-w <file>, --write-failures <file> Write weird packets to a PCAP file at *FILENAME*.
+-v, --verbose Be more verbose.
+
+See also
+--------
+
+pcap(3PCAP), tcpdump(8)
+++ /dev/null
-% DNSTCPBENCH(1)
-% PowerDNS.COM BV
-% July 2013
-
-# NAME
-**dnstcpbench** - tool to perform TCP benchmarking of nameservers
-
-# SYNOPSIS
-**dnstcpbench** [*OPTION*]... *REMOTE-ADDRESS* [*REMOTE-PORT*]
-
-# DESCRIPTION
-**dnstcpbench** reads DNS queries (by default from standard input) and sends
-them out in parallel to a remote nameserver. By default TCP/IP is used, but
-optionally, UDP is tried first, which allows for the benchmarking of TCP/IP
-fallback.
-
-The program reports both mean and median numbers for queries per second and
-UDP and TCP latency. Each query only counts once, even if it is tried over
-UDP first. This effectively means that passing '-u' can lower query rates if
-many queries get shunted to TCP.
-
-The input format is one query per line: qname single-space qtype. An
-example:
-
-www.powerdns.com ANY
-
-When benchmarking extended runs, it may be necessary to enable TIME_WAIT
-recycling, as TCP/IP port tuples may otherwise run out. On Linux this is
-performed by running:
-
-echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle
-
-The equivalent for IPv6 is not known.
-
-# OPTIONS
--f | --file *FILENAME*
-: *FILENAME* from which to read queries. Defaults to standard input if
- unspecified.
-
--h | --help
-: Provide a helpful message.
-
---timeout-msec *MSEC*
-: *MSEC* milliseconds to wait for an answer.
-
--u | --udp-first
-: Attempt resolution via UDP first, only do TCP if truncated answer is
- received.
-
--v | --verbose
-: Be wordy on what the program is doing.
-
---workers *NUM*
-: Use *NUM* parallel worker threads.
-
-
-REMOTE-ADDRESS
-: IPv4 or IPv6 to test against.
-
-REMOTE-PORT
-: Port to test against, defaults to 53.
-
-# BUGS
-Currently the timeout code does not actually perform non-blocking connects
-or writes. So a slow connect or slow writes will still cause low
-performance and delays.
-
-Median queries per second statistics are reported as 0 for sub-second runs.
--- /dev/null
+dnstcpbench
+===========
+
+:program:`dnstcpbench` - tool to perform TCP benchmarking of nameservers
+
+Synopsis
+--------
+
+:program:`dnstcpbench` [*OPTION*]... *REMOTE-ADDRESS* [*REMOTE-PORT*]
+
+Description
+-----------
+
+:program:`dnstcpbench` reads DNS queries (by default from standard input) and
+sends them out in parallel to a remote nameserver. By default TCP/IP is
+used, but optionally, UDP is tried first, which allows for the
+benchmarking of TCP/IP fallback.
+
+The program reports both mean and median numbers for queries per second
+and UDP and TCP latency. Each query only counts once, even if it is
+tried over UDP first. This effectively means that passing '-u' can lower
+query rates if many queries get shunted to TCP.
+
+The input format is one query per line: qname single-space qtype. An
+example::
+
+ www.powerdns.com ANY
+
+When benchmarking extended runs, it may be necessary to enable
+TIME\_WAIT recycling, as TCP/IP port tuples may otherwise run out. On
+Linux this is performed by running::
+
+ echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle
+
+The equivalent for IPv6 is not known.
+
+Options
+-------
+
+-f, <FILENAME>, --file <FILENAME> *FILENAME* from which to read queries. Defaults to standard input if unspecified.
+-h, --help Provide a helpful message.
+--timeout-msec <MSEC> *MSEC* milliseconds to wait for an answer.
+-u, --udp-first Attempt resolution via UDP first, only do TCP if truncated answer is received.
+-v, --verbose Be wordy on what the program is doing.
+--workers <NUM> Use *NUM* parallel worker threads.
+
+*REMOTE-ADDRESS*: IPv4 or IPv6 to test against.
+
+*REMOTE-PORT*: Port to test against, defaults to 53.
+
+Bugs
+----
+
+Currently the timeout code does not actually perform non-blocking
+connects or writes. So a slow connect or slow writes will still cause
+low performance and delays.
+
+Median queries per second statistics are reported as 0 for sub-second
+runs.
+++ /dev/null
-% DNSWASHER(1)
-% Joerg Jungermann (jj+debian At borkum.net)
-% September 2012
-
-# NAME
-**dnswasher** - A PowerDNS nameserver debugging tool
-
-# SYNOPSIS
-**dnswasher** *INFILE* [*INFILE*] *OUTFILE*
-
-# DESCRIPTION
-dnswasher takes one or more *INFILE*s in PCAP format and writes out
-*OUTFILE* also in PCAP format, while obfuscating end-user IP addresses.
-
-This is useful to share data with third parties while attempting to protect
-the privacy of your users.
-
-The INFILEs must be of identical PCAP type.
-
-Please check the output of **dnswasher** to make sure no customer IP
-addresses remain. Also realize that sufficient data could allow
-individuals to be re-identified based on the domain names they care about.
-
-# OPTIONS
-None
-
-# SEE ALSO
-pcap(3PCAP), tcpdump(8)
--- /dev/null
+dnswasher
+=========
+
+:program:`dnswasher` - A PowerDNS nameserver debugging tool
+
+Synopsis
+--------
+
+:program:`dnswasher` *INFILE* [*INFILE*] *OUTFILE*
+
+Description
+-----------
+
+dnswasher takes one or more *INFILE*\ s in PCAP format and writes out
+*OUTFILE* also in PCAP format, while obfuscating end-user IP addresses.
+
+This is useful to share data with third parties while attempting to
+protect the privacy of your users.
+
+The INFILEs must be of identical PCAP type.
+
+Please check the output of :program:`dnswasher` to make sure no customer IP
+addresses remain. Also realize that sufficient data could allow
+individuals to be re-identified based on the domain names they care
+about.
+
+Options
+-------
+
+None
+
+See also
+--------
+
+pcap(3PCAP), tcpdump(8)
+++ /dev/null
-% DUMRESP(1)
-% PowerDNS.com BV
-% April 2016
-
-# NAME
-**dumresp** - A dumb DNS responder
-
-# SYNOPSIS
- **dumresp** *LOCAL-ADDRESS* *LOCAL-PORT* *NUMBER-OF-PROCESSES*
-
-# DESCRIPTION
-**dumresp** accepts DNS packets on *LOCAL-ADDRESS*:*LOCAL-PORT* and simply replies
-with the same query, with the QR bit set. When *NUMBER-OF-PROCESSES* is set to
-anything but 1, **dumresp** will spawn *NUMBER-OF-PROCESSES* forks and use the
-SO_REUSEPORT option to bind to the port.
-
-# OPTIONS
-None
-
-# SEE ALSO
-socket(7)
--- /dev/null
+dumresp
+=======
+
+:program:`dumresp` - A dumb DNS responder
+
+Synopsis
+--------
+
+**dumresp** *LOCAL-ADDRESS* *LOCAL-PORT* *NUMBER-OF-PROCESSES*
+
+Description
+-----------
+
+:program:`dumresp` accepts DNS packets on *LOCAL-ADDRESS*:*LOCAL-PORT* and
+simply replies with the same query, with the QR bit set. When
+*NUMBER-OF-PROCESSES* is set to anything but 1, :program:`dumresp` will spawn
+*NUMBER-OF-PROCESSES* forks and use the SO\_REUSEPORT option to bind to
+the port.
+
+Options
+-------
+
+None
+
+See also
+--------
+
+socket(7)
--- /dev/null
+Manual Pages
+============
+
+The PowerDNS Authoritative Server comes with many binaries.
+The manual pages for these programs are included here:
+
+.. toctree::
+ :maxdepth: 1
+ :glob:
+
+ *.1
+++ /dev/null
-% IXPLORE(1)
-% Pieter Lexis (pieter.lexis@powerdns.com)
-% October 2015
-
-# NAME
-**ixplore** - A tool that provides insights into IXFRs
-
-# SYNOPSIS
-**ixplore** *COMMAND* *COMMAND_OPT*...
-
-**ixplore** diff *ZONE* *BEFORE* *AFTER*
-
-**ixplore** track *IP ADDRESS* *PORT* *ZONE* *DIRECTORY*
-
-# DESCRIPTION
-**ixplore** is a tool to work with IXFR (incremental zonetransfers) in two modes
-(specified by *COMMAND*): diff or track.
-
-In the 'diff' mode, it will show a diff(1)-like output between *BEFORE* and *AFTER*.
-
-In the 'track' mode, **ixplore** consumes IXFRs from *IP ADDRESS* and writes the
-resulting zonefiles out to *DIRECTORY*/*ZONE*-serial. If no initial zonefiles
-exist, an initial AXFR will be done first. **ixplore** will then check the SOA
-serial on *IP ADDRESS* for *ZONE* every SOA Refresh seconds and perform an IXFR
-if the serial has increased.
-
-# OPTIONS
-## diff-mode
-ZONE
-: The name of the zone the IXFRs are consumed from.
-
-BEFORE
-: Path to the 'before' zonefile.
-
-AFYER
-: Path to the 'after' zonefile.
-
-
-## track-mode
-IP ADDRESS
-: The IP address to consume IXFRs from.
-
-PORT
-: The port to use on *IP ADDRESS*.
-
-ZONE
-: Name of the zone to track changes of.
-
-DIRECTORY
-: Directory where the zonefiles will be stored.
-
-# SEE ALSO
-diff(1)
--- /dev/null
+ixplore
+=======
+
+:program:`ixplore` - A tool that provides insights into IXFRs
+
+Synopsis
+--------
+
+:program:`ixplore` *COMMAND* *COMMAND_OPT*...
+
+:program:`ixplore` diff *ZONE* *BEFORE* *AFTER*
+
+:program:`ixplore` track *IP ADDRESS* *PORT* *ZONE* *DIRECTORY*
+
+Description
+-----------
+
+:program:`ixplore` is a tool to work with IXFR (incremental zonetransfers) in
+two modes (specified by *COMMAND*): diff or track.
+
+In the 'diff' mode, it will show a diff(1)-like output between *BEFORE*
+and *AFTER*.
+
+In the 'track' mode, :program:`ixplore` consumes IXFRs from *IP ADDRESS* and
+writes the resulting zonefiles out to *DIRECTORY*/*ZONE*-serial. If no
+initial zonefiles exist, an initial AXFR will be done first. :program:`ixplore`
+will then check the SOA serial on *IP ADDRESS* for *ZONE* every SOA
+Refresh seconds and perform an IXFR if the serial has increased.
+
+Options
+-------
+
+diff-mode
+---------
+
+ZONE
+ The name of the zone the IXFRs are consumed from.
+BEFORE
+ Path to the 'before' zonefile.
+AFYER
+ Path to the 'after' zonefile.
+
+track-mode
+----------
+
+IP ADDRESS
+ The IP address to consume IXFRs from.
+PORT
+ The port to use on *IP ADDRESS*.
+ZONE
+ Name of the zone to track changes of.
+DIRECTORY
+ Directory where the zonefiles will be stored.
+
+See also
+--------
+
+diff(1)
+++ /dev/null
-% NPROXY(1)
-% PowerDNS.com BV
-% April 2016
-
-# NAME
-**nproxy** - DNS notification proxy
-
-# SYNOPSIS
-nproxy --powerdns-address *ADDRESS* [*OPTION*]... *ADDRESS*...
-
-# DESCRIPTION
-**nproxy** is a simple daemon that reads DNS NOTIFY queries on one address and
-forwards them to an 'inner' nameserver that will process the notification.
-
-Its usecase is e.g. a private authoritative server inside a NAT or firewalled LAN
-where **nproxy** is deployed in the DMZ.
-
-The PowerDNS Authoritative Server has the trusted-notification-proxy option that
-should be set to the address set with *--origin-address* to accept these proxied
-notifications.
-
-**nproxy** also has a health-check option built in. A query for 'pdns.nproxy.'
-with QType 'TXT' will be responded to with an answer of "OK" (inside the TXT record.
-When the query is for an A-record, '1.2.3.4.' is returned.
-
-# OPTIONS
---powerdns-address *ADDRESS*
-: IP address of the PowerDNS server to forward the notifications to.
-
---chroot *PATH*
-: chroot to *PATH* for additional security.
-
---setuid *UID*
-: setuid to this numerical *UID*.
-
---setgid *GID*
-: setgid to this numerical *GID*.
-
---origin-address *ADDRESS*
-: Set the source of the notifications sent to PowerDNS to *ADDRESS*. By default,
- the best matching address (kernel's choice) is used.
-
---listen-address *ADDRESS*
-: IP addresses to listen on.
-
---listen-port *PORT*
-: Source port to listen on, 53 by default.
-
--d,--daemon *ARG*
-: Set *ARG* to 0 to disable running in the background.
-
--v,--verbose
-: Be verbose
-
--- /dev/null
+nproxy
+======
+
+:program:`nproxy` - DNS notification proxy
+
+Synopsis
+--------
+
+nproxy --powerdns-address *ADDRESS* [*OPTION*]... *ADDRESS*...
+
+Description
+-----------
+
+:program:`nproxy` is a simple daemon that reads DNS NOTIFY queries on one
+address and forwards them to an 'inner' nameserver that will process the
+notification.
+
+Its usecase is e.g. a private authoritative server inside a NAT or
+firewalled LAN where :program:`nproxy` is deployed in the DMZ.
+
+The PowerDNS Authoritative Server has the trusted-notification-proxy
+option that should be set to the address set with *--origin-address* to
+accept these proxied notifications.
+
+:program:`nproxy` also has a health-check option built in. A query for
+'pdns.nproxy.' with QType 'TXT' will be responded to with an answer of
+"OK" (inside the TXT record. When the query is for an A-record,
+'1.2.3.4.' is returned.
+
+Options
+-------
+
+--powerdns-address <ADDRESS> IP address of the PowerDNS server to forward the notifications to.
+--chroot <PATH> chroot to *PATH* for additional security.
+--setuid <UID> setuid to this numerical *UID*.
+--setgid <GID> setgid to this numerical *GID*.
+--origin-address <ADDRESS> Set the source of the notifications sent to PowerDNS to *ADDRESS*. By default, the best matching address (kernel's choice) is used.
+--listen-address <ADDRESS> IP addresses to listen on.
+--listen-port <PORT> Source port to listen on, 53 by default.
+-d, --daemon <ARG> Set *ARG* to 0 to disable running in the background.
+-v, --verbose Be verbose
+
+++ /dev/null
-% NSEC3DIG(1)
-% PowerDNS.com BV
-% April 2015
-
-# NAME
-**nsec3dig** - Show and validate NSEC3 proofs
-
-# SYNOPSIS
-**nsec3dig** *IPADDRESS* *PORT* *QNAME* *QTYPE* [recurse]
-
-# DESCRIPTION
-**nsec3dig** sends a query for *QNAME* and *QTYPE* to the nameserver at *IPADDRESS*
-on port *PORT* and prints whether and why the NSEC3 proofs are correct. Using the
-'recurse' option sets the Recursion Desired (RD) bit in the query.
-
-# EXAMPLE
-`nsec3dig 8.8.8.8 53 doesntexist.isoc.nl TXT recurse`
--- /dev/null
+nsec3dig
+========
+
+:program:`nsec3dig` - Show and validate NSEC3 proofs
+
+Synopsis
+--------
+
+:program:`nsec3dig` *IPADDRESS* *PORT* *QNAME* *QTYPE* [recurse]
+
+Description
+-----------
+
+:program:`nsec3dig` sends a query for *QNAME* and *QTYPE* to the nameserver at
+*IPADDRESS* on port *PORT* and prints whether and why the NSEC3 proofs
+are correct. Using the 'recurse' option sets the Recursion Desired (RD)
+bit in the query.
+
+Example
+-------
+
+``nsec3dig 8.8.8.8 53 doesntexist.isoc.nl TXT recurse``
+++ /dev/null
-% PDNS_CONTROL(1)
-% PowerDNS.com BV
-% December 2002
-
-# NAME
-**pdns_control** - Control the PowerDNS nameserver
-
-# SYNOPSIS
-**pdns_control** [*OPTION*]... *COMMAND*
-
-# DESCRIPTION
-**pdns_control** is used to send commands to a running PowerDNS nameserver.
-
-# OPTIONS
---help
-: Show summary of options.
-
---chroot=*DIR*
-: Directory where PowerDNS is chrooted.
-
---config-dir=*DIR*
-: Location of configuration directory (pdns.conf).
-
---config-name=*NAME*
-: Name of this virtual configuration - will rename the binary image.
-
---remote-address=*ADDRESS*
-: Remote address to query.
-
---remote-port=*PORT*
-: Remote port to query.
-
---secret=*SECRET*
-: Secret needed to connect to remote PowerDNS.
-
---socket-dir=*DIR*
-: Where the controlsocket lives.
-
-
-# COMMANDS
-bind-add-zone *DOMAIN* *FILENAME*
-: When using the bindbackend, add a zone. This zone is added in-memory and served
- immediately. Note that this does not add the zone to the bind-config file.
- *FILENAME* must be an absolute path.
-
-bind-domain-status [*DOMAIN*...]
-: When using the bindbackend, list status of all domains. Optionally, append
- *DOMAIN*s to get the status of specific zones.
-
-bind-list-rejects
-: When using the bindbackend, get a list of all rejected domains.
-
-bind-reload-now *DOMAIN* [*DOMAIN*...]
-: When using the bindbackend, immediately reload *DOMAIN* from disk.
-
-ccounts
-: Show the content of the cache.
-
-current-config
-: Show the currently running configuration. The output has the same format as
- `pdns_server --config`. You'll notice that all the are uncommented. This is
- because PowerDNS simply has values, and the default isn't known at runtime.
-
-cycle
-: Restart the nameserver so it reloads its configuration. Only works when the
- server is running in guardian mode.
-
-list
-: Dump all variables and their values in a comma separated list, equivalent
- to **show \***.
-
-list-zones [master,slave,native]
-: Show a list of zones, optionally filter on the type of zones to show.
-
-notify *DOMAIN*
-: Adds *DOMAIN* to the notification list, causing PowerDNS to send out
- notifications to the nameservers of a domain. Can be used if a slave missed
- previous notifications or is generally hard of hearing. Use \* to notify
- for all domains. (Note that you may need to escape the \* sign in your
- shell.)
-
-notify-host *DOMAIN* *ADDRESS*
-: Same as above but with operator specified IP *ADDRESS* as destination, to be
- used if you know better than PowerDNS.
-
-ping, rping
-: Check if the server is still alive. Will return 'PONG' when it is.
- **ping** works when running inside a guardian, whereas **rping** works when
- running without a guardian.
-
-purge [*RECORD*]
-: Purge entries from the cache. If *RECORD* ends with a dollar ($)
- all entries that end with that name are removed. If no record is specified
- the entire cache is purged.
-
-qtypes
-: Get a count of queries per qtype on standard out.
-
-quit
-: Tell a running pdns_server to quit.
-
-rediscover
-: Instructs backends that new domains may have appeared in the database, or,
- in the case of the Bind backend, in named.conf.
-
-reload
-: Instruct the server to reload all its zones, this will not add new zones.
-
-remotes
-: Get the top number of remote addresses (clients).
-
-respsizes
-: Get a histogram of the response sizes.
-
-retrieve *DOMAIN*
-: Retrieve slave *DOMAIN* from its master. Done nearly immediately.
-
-set *VARIABLE* *VALUE*
-: Set the configuration parameter *VARIABLE* to *VALUE*. Currently only the
- query-logging can be set.
-
-show *VARIABLE*
-: Show a single statistic, as present in the output of the list command.
-
-status
-: Show usage statistics. This only works if the server is running in guardian
- mode.
-
-token-login *MODULE* *SLOT* *PIN*
-: Log on to a PKCS#11 slot. You only need to login once per slot, even if you
- have multiple keys on single slot. Only available if PowerDNS was compiled
- with PKCS#11 support.
-
-uptime
-: Show the uptime of the running server.
-
-version
-: Print the version of the running pdns daemon.
-
-# SEE ALSO
-pdns_server(1)
--- /dev/null
+pdns_control
+============
+
+:program:`pdns_control` - Control the PowerDNS nameserver
+
+Synopsis
+--------
+
+:program:`pdns_control` [*OPTION*]... *COMMAND*
+
+Description
+-----------
+
+:program:`pdns_control` is used to send commands to a running PowerDNS
+nameserver.
+
+Options
+-------
+
+--help Show summary of options.
+--chroot=<DIR> Directory where PowerDNS is chrooted.
+--config-dir=<DIR> Location of configuration directory (pdns.conf).
+--config-name=<NAME> Name of this virtual configuration - will rename the binary image.
+--remote-address=<ADDRESS> Remote address to query.
+--remote-port=<PORT> Remote port to query.
+--secret=<SECRET> Secret needed to connect to remote PowerDNS.
+--socket-dir=<DIR> Where the controlsocket lives.
+
+Commands
+--------
+
+bind-add-zone *DOMAIN* *FILENAME*
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+When using the bindbackend, add a zone. This zone is added in-memory
+and served immediately. Note that this does not add the zone to the
+bind-config file. *FILENAME* must be an absolute path.
+
+bind-domain-status [*DOMAIN*...]
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+When using the bindbackend, list status of all domains. Optionally,
+append *DOMAIN*\ s to get the status of specific zones.
+
+bind-list-rejects
+^^^^^^^^^^^^^^^^^
+
+When using the bindbackend, get a list of all rejected domains.
+
+bind-reload-now *DOMAIN* [*DOMAIN*...]
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+When using the bindbackend, immediately reload *DOMAIN* from disk.
+
+ccounts
+^^^^^^^
+
+Show the content of the cache.
+
+current-config
+^^^^^^^^^^^^^^
+
+Show the currently running configuration. The output has the same
+format as ``pdns_server --config``. You'll notice that all the are
+uncommented. This is because PowerDNS simply has values, and the
+default isn't known at runtime.
+
+cycle
+^^^^^
+
+Restart the nameserver so it reloads its configuration. Only works
+when the server is running in guardian mode.
+
+list
+^^^^
+
+Dump all variables and their values in a comma separated list,
+equivalent to ``show *``.
+
+list-zones [master,slave,native]
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Show a list of zones, optionally filter on the type of zones to
+show.
+
+notify *DOMAIN*
+^^^^^^^^^^^^^^^
+
+Adds *DOMAIN* to the notification list, causing PowerDNS to send out
+notifications to the nameservers of a domain. Can be used if a slave
+missed previous notifications or is generally hard of hearing. Use
+\* to notify for all domains. (Note that you may need to escape the
+\* sign in your shell.)
+
+notify-host *DOMAIN* *ADDRESS*
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Same as above but with operator specified IP *ADDRESS* as
+destination, to be used if you know better than PowerDNS.
+
+ping, rping
+^^^^^^^^^^^
+
+Check if the server is still alive. Will return 'PONG' when it is.
+``ping`` works when running inside a guardian, whereas ``rping``
+works when running without a guardian.
+
+purge [*RECORD*]
+^^^^^^^^^^^^^^^^
+
+Purge entries from the cache. If *RECORD* ends with a dollar ($) all
+entries that end with that name are removed. If no record is
+specified the entire cache is purged.
+
+qtypes
+^^^^^^
+
+Get a count of queries per qtype on standard out.
+
+quit
+^^^^
+
+Tell a running pdns\_server to quit.
+
+rediscover
+^^^^^^^^^^
+
+Instructs backends that new domains may have appeared in the
+database, or, in the case of the Bind backend, in named.conf.
+
+reload
+^^^^^^
+
+Instruct the server to reload all its zones, this will not add new
+zones.
+
+remotes
+^^^^^^^
+
+Get the top number of remote addresses (clients).
+
+respsizes
+^^^^^^^^^
+
+Get a histogram of the response sizes.
+
+retrieve *DOMAIN*
+^^^^^^^^^^^^^^^^^
+
+Retrieve slave *DOMAIN* from its master. Done nearly immediately.
+
+set *VARIABLE* *VALUE*
+^^^^^^^^^^^^^^^^^^^^^^
+
+Set the configuration parameter *VARIABLE* to *VALUE*. Currently
+only the query-logging can be set.
+
+show *VARIABLE*
+^^^^^^^^^^^^^^^
+
+Show a single statistic, as present in the output of the list
+command.
+
+status
+^^^^^^
+
+Show usage statistics. This only works if the server is running in
+guardian mode.
+
+token-login *MODULE* *SLOT* *PIN*
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Log on to a PKCS#11 slot. You only need to login once per slot, even
+if you have multiple keys on single slot. Only available if PowerDNS
+was compiled with PKCS#11 support.
+
+uptime
+^^^^^^
+
+Show the uptime of the running server.
+
+version
+^^^^^^^
+
+Print the version of the running pdns daemon.
+
+See also
+--------
+
+pdns\_server(1)
+++ /dev/null
-% PDNS_NOTIFY(1)
-% PowerDNS.com BV
-% April 2016
-
-# NAME
-**pdns_notify** - A simple DNS NOTIFY sender
-
-# SYNOPSIS
-**pdns_notify** *IP_ADDRESS*[:*PORT*] *DOMAIN*
-
-# DESCRIPTION
-**pdns_notify** sends a DNS NOTIFY message to *IP_ADDRESS*, by default on port 53, for
-*DOMAIN* and prints the remote nameserver's response.
-
-# OPTIONS
-None
--- /dev/null
+pdns_notify
+===========
+
+:program:`pdns_notify` - A simple DNS NOTIFY sender
+
+Synopsis
+--------
+
+:program:`pdns_notify` *IP_ADDRESS*\ [:*PORT*] *DOMAIN*
+
+Description
+-----------
+
+:program:`pdns_notify` sends a DNS NOTIFY message to *IP_ADDRESS*, by default
+on port 53, for *DOMAIN* and prints the remote nameserver's response.
+
+Options
+-------
+
+None
+++ /dev/null
-% PDNS_RECURSOR(1)
-% PowerDNS.COM BV
-% March 2008
-
-# NAME
-**pdns_recursor** - high-performance, simple and secure recursing nameserver
-
-# SYNOPSIS
-**pdns_recursor** [*OPTION*]...
-
-# DESCRIPTION
-pdns_recursor(1) is a high performance, simple and secure recursing
-nameserver. It currently powers over two million internet connections.
-
-The recursor is configured via a configuration file, but each item in
-that file can be overridden on the command line.
-
-This manpage lists the core set of features needed to get the PowerDNS
-recursor working, for full and up to date details head to
-http://doc.powerdns.com/built-in-recursor.html
-
-# EXAMPLES
-To listen on 192.0.2.53 and allow the 192.0.2.0/24 subnet to recurse, and run
-as a daemon, execute:
-
-`# pdns_recursor --local-address=192.0.2.53 --allow-from=192.0.2.0/24 --daemon`
-
-To stop the recursor by hand, run:
-
-`# rec_control quit`
-
-However, the recommended way of starting and stopping the recursor is to use
-the init.d script provided.
-
-# OPTIONS
-For authoritative listing of options, consult the online documentation at
-http://doc.powerdns.com/md/recursor/settings/
-
---allow-from=*NETWORK*[,*NETWORK*]...
-: If set, only allow these comma separated *NETWORK*s, with network mask to
- recurse. For example: 192.0.2.0/24,203.0.113.128/25.
-
---auth-zones=*ZONENAME*=*FILENAME*[,*ZONENAME*=*FILENAME*]...
-: Serve *ZONENAME* from *FILENAME* authoritatively. For example:
- ds9a.nl=/var/zones/ds9a.nl,powerdns.com=/var/zones/powerdns.com.
-
---chroot=*DIRECTORY*
-: chroot the process to *DIRECTORY*.
-
---client-tcp-timeout=*NUM*
-: Timeout in seconds when talking to TCP clients.
-
---config-dir=*DIRECTORY*
-: Location of configuration directory (recursor.conf), the default depends on
- the SYSCONFDIR option at build-time, which is usually /etc/powerdns. The
- default can be found with `pdns_recursor --config | grep ' config-dir='`.
-
---daemon
-: Operate as a daemon.
-
---delegation-only
-: Which domains we only accept delegations from (a Verisign special).
-
---entropy-source=*FILE*
-: Read new entropy from *FILE*, defaults to /dev/urandom.
-
---export-etc-hosts
-: If set, this flag will export the hostnames and IP addresses mentioned in
- /etc/hosts.
-
---forward-zones=*ZONENAME*=*ADDRESS*[,*ZONENAME*=*ADDRESS*]...
-: Queries for *ZONENAME* will be forwarded to *ADDRESS*. *ADDRESS*
- should be an IP address, not a hostname (to prevent chicken and egg
- problems). Example:
- forward-zones= ds9a.nl=213.244.168.210, powerdns.com=127.0.0.1.
-
---forward-zones-file=*FILENAME*
-: Similar to *--forward-zones*, but read the options from *FILENAME*.
- *FILENAME* should contain one zone per line, like: ds9a.nl=213.244.168.210.
-
---help
-: Show a summary of options.
-
---hint-file=*FILENAME*
-: Load root hints from this *FILENAME*
-
---local-address=*ADDRESS*[,*ADDRESS*]...
-: Listen on *ADDRESS*, separated by spaces or commas.
-
---local-port=*PORT*
-: Listen on *PORT*.
-
---log-common-errors
-: If we should log rather common errors.
-
---max-cache-entries=*NUM*
-: Maximum number of entries in the main cache.
-
---max-negative-ttl=*NUM*
-: maximum number of seconds to keep a negative cached entry in memory.
-
---max-tcp-clients=*NUM*
-: Maximum number of simultaneous TCP clients.
-
---max-tcp-per-client
-: If set, maximum number of TCP sessions per client (IP address).
-
---query-local-address=*ADDRESS*
-: Use *ADDRESS* as Source IP address when sending queries.
-
---query-local-address6=*ADDRESS*
-: Send out local IPv6 queries from *ADDRESS*. Disabled by default,
- which also disables outgoing IPv6 support. A useful setting is
- '::0'.
-
---quiet
-: Suppress logging of questions and answers.
-
---server-id=*TEXT*
-: Return *TEXT* when queried for 'server.id' TXT, defaults to hostname.
-
---serve-rfc1918
-: On by default, this makes the server authoritatively aware of:
- 10.in-addr.arpa, 168.192.in-addr.arpa and 16-31.172.in-addr.arpa, which
- saves load on the AS112 servers. Individual parts of these zones can still
- be loaded or forwarded.
-
---setgid=*GID*
-: If set, change group id to *GID* for more security.
-
---setuid=*UID*
-: If set, change user id to *UID* for more security.
-
---single-socket
-: If set, only use a single socket for outgoing queries.
-
---socket-dir=*DIRECTORY*
-: The controlsocket will live in *DIRECTORY*.
-
---spoof-nearmiss-max=*NUM*
-: If non-zero, assume spoofing after this many near misses.
-
---trace
-: if we should output heaps of logging.
-
---version-string=*TEXT*
-: *TEXT* will be reported on version.pdns or version.bind queries.
-
-# BUGS
-None known. File new ones at https://github.com/PowerDNS/pdns/issues.
-
-# RESOURCES
-Website: http://www.powerdns.com, https://github.com/PowerDNS/pdns
-
-# SEE ALSO
-rec_control(1)
+++ /dev/null
-% PDNS_SERVER(1)
-% PowerDNS.COM BV
-% December 2012
-
-# NAME
-**pdns_server** - The PowerDNS Authoritative Namserver
-
-# SYNOPSIS
-**pdns_server** [*OPTION*]
-
-# DESCRIPTION
-The PowerDNS Authoritative Server is a versatile nameserver which supports a
-large number of backends. These backends can either be plain zone files or be
-more dynamic in nature. Please see the online documentation for more
-information.
-
-# OPTIONS
-See the online documentation for all options
-
---daemon={**yes**,**no**}
-: Indicate if the server should run in the background as a real daemon,
- or in the foreground.
-
---guardian={**yes**,**no**}
-: Run **pdns_server** inside a guardian. This guardian monitors the performance
- of the inner **pdns_server** instance. It is also this guardian that
- **pdns_control**(8) talks to.
-
---control-console
-: Run the server in a special monitor mode. This enables detailed logging
- and exposes the raw control socket.
-
---loglevel=*LEVEL*
-: Set the logging level.
-
---help
-To view more options that are available use this program.
-
-# SEE ALSO
-pdns_control(1), pdnsutil(1), http://doc.powerdns.com/md/authoritative/
--- /dev/null
+pdns_server
+===========
+
+:program:`pdns_server` - The PowerDNS Authoritative Namserver
+
+Synopsis
+--------
+
+:program:`pdns_server` [*OPTION*]
+
+Description
+-----------
+
+The PowerDNS Authoritative Server is a versatile nameserver which
+supports a large number of backends. These backends can either be plain
+zone files or be more dynamic in nature. Please see the online
+documentation for more information.
+
+Options
+-------
+
+See the online documentation for all options
+
+--daemon Indicate if the server should run in the background as a real
+ daemon, or in the foreground.
+--guardian Run :program:`pdns_server` inside a guardian. This guardian monitors the
+ performance of the inner :program:`pdns_server` instance. It is also this
+ guardian that :program:`pdns_control`\ talks to.
+--control-console Run the server in a special monitor mode. This enables detailed
+ logging and exposes the raw control socket.
+--loglevel=<LEVEL> Set the logging level.
+--help To view more options that are available use this program.
+
+See also
+--------
+
+pdns_control(1), pdnsutil(1), `<https://doc.powerdns.com/>`__
+++ /dev/null
-% PDNSUTIL(1) PowerDNS DNSSEC command and control
-% Matthijs Möhlmann <matthijs@cacholong.nl>
-% November 2011
-
-# NAME
-pdnsutil - PowerDNS dnssec command and control
-
-# SYNOPSIS
-pdnsutil [OPTION]... *COMMAND*
-
-# DESCRIPTION
-**pdnsutil** (formerly pdnssec) is a powerful command that is the operator-friendly
-gateway into DNSSEC and zone management for PowerDNS. Behind the scenes, **pdnsutil**
-manipulates a PowerDNS backend database, which also means that for many databases,
-**pdnsutil** can be run remotely, and can configure key material on different servers.
-
-# OPTIONS
--h | -help
-: Show summary of options
-
--v | --verbose
-: Be more verbose.
-
---force
-: force an action
-
---config-name *NAME*
-: Virtual configuration name
-
---config-dir *DIR*
-: Location of pdns.conf. Default is /etc/powerdns.
-
-# COMMANDS
-There are many available commands, this section splits them up into their
-respective uses
-
-## DNSSEC RELATED COMMANDS
-Several commands manipulate the DNSSEC keys and options for zones. Some of these
-commands require an *ALGORITHM* to be set. The following algorithms are
-supported:
-
- * rsasha1
- * rsasha256
- * rsasha512
- * gost
- * ecdsa256
- * ecdsa384
-
-activate-zone-key *ZONE* *KEY-ID*
-: Activate a key with id *KEY-ID* within a zone called *ZONE*.
-
-add-zone-key *ZONE* {**KSK**,**ZSK**} [**active**,**inactive**] *KEYBITS* *ALGORITHM*
-: Create a new key for zone *ZONE*, and make it a KSK or a ZSK, with the
- specified algorithm. The key is inactive by default, set it to **active** to
- immediately use it to sign *ZONE*. Prints the id of the added key.
-
-create-bind-db *FILE*
-: Create DNSSEC database (sqlite3) at *FILE* for the BIND backend.
- Remember to set `bind-dnssec-db=*FILE*` in your `pdns.conf`.
-
-deactivate-zone-key *ZONE* *KEY-ID*
-: Deactivate a key with id KEY-ID within a zone called *ZONE*.
-
-disable-dnssec *ZONE*
-: Deactivate all keys and unset PRESIGNED in *ZONE*.
-
-export-zone-dnskey *ZONE* *KEY-ID*
-: Export to standard output DNSKEY and DS of key with key id *KEY-ID* within
- zone called *ZONE*.
-
-export-zone-key *ZONE* *KEY-ID*
-: Export to standard output full (private) key with key id *KEY-ID* within
- zone called *ZONE*. The format used is compatible with BIND and NSD/LDNS.
-
-generate-zone-key {**KSK**,**ZSK**} [*ALGORITHM*] [*KEYBITS*]
-: Generate a ZSK or KSK to stdout with specified algorithm and bits and print
- it on STDOUT. If *ALGORITHM* is not set, RSASHA512 is used. If *KEYBITS* is
- not set, an appropriate keysize is selected for *ALGORITHM*.
-
-import-zone-key *ZONE* *FILE* {**KSK**,**ZSK**}
-: Import from *FILE* a full (private) key for zone called *ZONE*. The format
- used is compatible with BIND and NSD/LDNS. **KSK** or **ZSK** specifies the
- flags this key should have on import. Prints the id of the added key.
-
-remove-zone-key *ZONE* *KEY-ID*
-: Remove a key with id *KEY-ID* from a zone called *ZONE*.
-
-set-nsec3 *ZONE* '*HASH-ALGORITHM* *FLAGS* *ITERATIONS* *SALT*' [**narrow**]
-: Sets NSEC3 parameters for this zone. The quoted parameters are 4 values
- that are used for the the NSEC3PARAM record and decide how NSEC3 records
- are created. The NSEC3 parameters must be quoted on the command line.<br><br>
- *HASH-ALGORITHM* must be 1 (SHA-1).<br><br>
- Setting *FLAGS* to 1 enables NSEC3 opt-out operation. Only do this if you
- know you need it.<br><br>
- For *ITERATIONS*, please consult RFC 5155, section 10.3. And be aware
- that a high number might overload validating resolvers.<br><br>
- The *SALT* is a hexadecimal string encoding the bits for the salt.<br><br>
- Setting **narrow** will make PowerDNS send out "white lies" about the next
- secure record. Instead of looking it up in the database, it will send out
- the hash + 1 as the next secure record. <br><br>
- A sample commandline is: "pdnsutil set-nsec3 powerdnssec.org '1 1 1 ab' narrow".<br><br>
- **WARNING**: If running in RSASHA1 mode (algorithm 5 or 7), switching from
- NSEC to NSEC3 will require a DS update in the parent zone.
-
-unset-nsec3 *ZONE*
-: Converts *ZONE* to NSEC operations. **WARNING**: If running in RSASHA1 mode
- (algorithm 5 or 7), switching from NSEC to NSEC3 will require a DS update
- at the parent zone!
-
-set-publish-cds *ZONE* [*DIGESTALGOS*]
-: Set *ZONE* to respond to queries for its CDS records. the optional argument
- *DIGESTALGOS* should be a comma-separated list of DS algorithms to use. By
- default, this is 1,2 (SHA1 and SHA2-256).
-
-set-publish-cdnskey *ZONE*
-: Set *ZONE* to publish CDNSKEY records.
-
-unset-publish-cds *ZONE*
-: Set *ZONE* to stop responding to queries for its CDS records.
-
-unset-publish-cdnskey *ZONE*
-: Set *ZONE* to stop publishing CDNSKEY records.
-
-## TSIG RELATED COMMANDS
-These commands manipulate TSIG key information in the database. Some commands
-require an *ALGORITHM*, the following are available:
-
- * hmac-md5
- * hmac-sha1
- * hmac-sha224
- * hmac-sha256
- * hmac-sha384
- * hmac-sha512
-
-activate-tsig-key *ZONE* *NAME* {**master**,**slave**}
-: Enable TSIG authenticated AXFR using the key *NAME* for zone *ZONE*.
- This sets the `TSIG-ALLOW-AXFR` (master) or `AXFR-MASTER-TSIG` (slave)
- zone metadata.
-
-deactivate-tsig-key *ZONE* *NAME* {**master**,**slave**}
-: Disable TSIG authenticated AXFR using the key *NAME* for zone *ZONE*.
-
-delete-tsig-key *NAME*
-: Delete the TSIG key *NAME*. Warning, this does not deactivate said key.
-
-generate-tsig-key *NAME* *ALGORITHM*
-: Generate new TSIG key with name *NAME* and the specified algorithm.
-
-import-tsig-key *NAME* *ALGORITHM* *KEY*
-: Import *KEY* of the specified algorithm as *NAME*.
-
-## ZONE MANIPULATION COMMANDS
-create-zone *ZONE*
-: Create an empty zone named *ZONE*.
-
-check-all-zones
-: Check all zones for correctness.
-
-check-zone *ZONE*
-: Check zone *ZONE* for correctness.
-
-clear-zone *ZONE*
-: Clear the records in zone *ZONE*, but leave actual domain and settings unchanged
-
-delete-zone *ZONE*:
-: Delete the zone named *ZONE*.
-
-edit-zone *ZONE*
-: Opens *ZONE* in zonefile format (regardless of backend it was loaded from)
- in the editor set in the environment variable **EDITOR**. if **EDITOR** is
- empty, *pdnsutil* falls back to using *editor*.
-
-get-meta *ZONE* [*ATTRIBUTE*]...
-: Get zone metadata. If no *ATTRIBUTE* given, lists all known.
-
-hash-zone-record *ZONE* *RNAME*
-: This convenience command hashes the name *RNAME* according to the NSEC3
- settings of *ZONE*. Refuses to hash for zones with no NSEC3 settings.
-
-list-keys [*ZONE*]
-: List DNSSEC information for all keys or for *ZONE*.
-
-list-all-zones:
-: List all zone names.
-
-list-zone *ZONE*
-: Show all records for *ZONE*.
-
-load-zone *ZONE* *FILE*
-: Load records for *ZONE* from *FILE*. If *ZONE* already exists, all records
- are overwritten, this operation is atomic. If *ZONE* doesn't exist, it is
- created.
-
-rectify-zone *ZONE*
-: Calculates the 'ordername' and 'auth' fields for a zone called *ZONE* so
- they comply with DNSSEC settings. Can be used to fix up migrated data. Can
- always safely be run, it does no harm.
-
-rectify-all-zones
-: Calculates the 'ordername' and 'auth' fields for all zones so they comply
- with DNSSEC settings. Can be used to fix up migrated data. Can always safely
- be run, it does no harm.
-
-secure-zone *ZONE*
-: Configures a zone called *ZONE* with reasonable DNSSEC settings. You should
- manually run 'pdnsutil rectify-zone' afterwards.
-
-secure-all-zones [**increase-serial**]
-: Configures all zones that are not currently signed with reasonable DNSSEC
- settings. Setting **increase-serial** will increase the serial of those
- zones too. You should manually run 'pdnsutil rectify-all-zones' afterwards.
-
-set-kind *ZONE* *KIND*
-: Change the kind of *ZONE* to *KIND* (master, slave, native).
-
-set-account *ZONE* *ACCOUNT*
-: Change the account (owner) of *ZONE* to *ACCOUNT*.
-
-set-meta *ZONE* *ATTRIBUTE* [*VALUE*]
-: Set domainmetadata *ATTRIBUTE* for *ZONE* to *VALUE*. An empty value clears it.
-
-set-presigned *ZONE*
-: Switches *ZONE* to presigned operation, utilizing in-zone RRSIGs.
-
-show-zone *ZONE*
-: Shows all DNSSEC related settings of a zone called *ZONE*.
-
-test-schema *ZONE*
-: Test database schema, this creates the zone *ZONE*
-
-unset-presigned *ZONE*
-: Disables presigned operation for *ZONE*.
-
-## DEBUGGING TOOLS
-
-backend-cmd *BACKEND* *CMD* [*CMD..*]
-: Send a text command to a backend for execution. GSQL backends will take SQL
- commands, other backends may take different things. Be careful!
-
-# SEE ALSO
-pdns_server (1), pdns_control (1)
--- /dev/null
+pdnsutil
+========
+
+pdnsutil - PowerDNS dnssec command and control
+
+Synopsis
+--------
+
+pdnsutil [OPTION]... *COMMAND*
+
+Description
+-----------
+
+:program:`pdnsutil` (formerly pdnssec) is a powerful command that is the
+operator-friendly gateway into DNSSEC and zone management for PowerDNS.
+Behind the scenes, :program:`pdnsutil` manipulates a PowerDNS backend database,
+which also means that for many databases, :program:`pdnsutil` can be run
+remotely, and can configure key material on different servers.
+
+Options
+-------
+
+-h, --help Show summary of options
+-v, --verbose Be more verbose.
+--force Force an action
+--config-name <NAME> Virtual configuration name
+--config-dir <DIR> Location of pdns.conf. Default is /etc/powerdns.
+
+COMMANDS
+--------
+
+There are many available commands, this section splits them up into
+their respective uses
+
+DNSSEC RELATED COMMANDS
+-----------------------
+
+Several commands manipulate the DNSSEC keys and options for zones. Some
+of these commands require an *ALGORITHM* to be set. The following
+algorithms are supported:
+
+- rsasha1
+- rsasha256
+- rsasha512
+- gost
+- ecdsa256
+- ecdsa384
+
+activate-zone-key *ZONE* *KEY-ID*
+ Activate a key with id *KEY-ID* within a zone called *ZONE*.
+add-zone-key *ZONE* {**KSK**,\ **ZSK**} [**active**,\ **inactive**] *KEYBITS* *ALGORITHM*
+ Create a new key for zone *ZONE*, and make it a KSK or a ZSK, with
+ the specified algorithm. The key is inactive by default, set it to
+ **active** to immediately use it to sign *ZONE*. Prints the id of
+ the added key.
+create-bind-db *FILE*
+ Create DNSSEC database (sqlite3) at *FILE* for the BIND backend.
+ Remember to set ``bind-dnssec-db=*FILE*`` in your ``pdns.conf``.
+deactivate-zone-key *ZONE* *KEY-ID*
+ Deactivate a key with id KEY-ID within a zone called *ZONE*.
+disable-dnssec *ZONE*
+ Deactivate all keys and unset PRESIGNED in *ZONE*.
+export-zone-dnskey *ZONE* *KEY-ID*
+ Export to standard output DNSKEY and DS of key with key id *KEY-ID*
+ within zone called *ZONE*.
+export-zone-key *ZONE* *KEY-ID*
+ Export to standard output full (private) key with key id *KEY-ID*
+ within zone called *ZONE*. The format used is compatible with BIND
+ and NSD/LDNS.
+generate-zone-key {**KSK**,\ **ZSK**} [*ALGORITHM*] [*KEYBITS*]
+ Generate a ZSK or KSK to stdout with specified algorithm and bits
+ and print it on STDOUT. If *ALGORITHM* is not set, RSASHA512 is
+ used. If *KEYBITS* is not set, an appropriate keysize is selected
+ for *ALGORITHM*.
+import-zone-key *ZONE* *FILE* {**KSK**,\ **ZSK**}
+ Import from *FILE* a full (private) key for zone called *ZONE*. The
+ format used is compatible with BIND and NSD/LDNS. **KSK** or **ZSK**
+ specifies the flags this key should have on import. Prints the id of
+ the added key.
+remove-zone-key *ZONE* *KEY-ID*
+ Remove a key with id *KEY-ID* from a zone called *ZONE*.
+set-nsec3 *ZONE* '*HASH-ALGORITHM* *FLAGS* *ITERATIONS* *SALT*' [**narrow**]
+ Sets NSEC3 parameters for this zone. The quoted parameters are 4
+ values that are used for the the NSEC3PARAM record and decide how
+ NSEC3 records are created. The NSEC3 parameters must be quoted on
+ the command line. *HASH-ALGORITHM* must be 1 (SHA-1). Setting
+ *FLAGS* to 1 enables NSEC3 opt-out operation. Only do this if you
+ know you need it. For *ITERATIONS*, please consult RFC 5155, section
+ 10.3. And be aware that a high number might overload validating
+ resolvers. The *SALT* is a hexadecimal string encoding the bits for
+ the salt. Setting **narrow** will make PowerDNS send out "white
+ lies" about the next secure record. Instead of looking it up in the
+ database, it will send out the hash + 1 as the next secure record. A
+ sample commandline is: "pdnsutil set-nsec3 powerdnssec.org '1 1 1
+ ab' narrow". **WARNING**: If running in RSASHA1 mode (algorithm 5 or
+ 7), switching from NSEC to NSEC3 will require a DS update in the
+ parent zone.
+unset-nsec3 *ZONE*
+ Converts *ZONE* to NSEC operations. **WARNING**: If running in
+ RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will
+ require a DS update at the parent zone!
+set-publish-cds *ZONE* [*DIGESTALGOS*]
+ Set *ZONE* to respond to queries for its CDS records. the optional
+ argument *DIGESTALGOS* should be a comma-separated list of DS
+ algorithms to use. By default, this is 1,2 (SHA1 and SHA2-256).
+set-publish-cdnskey *ZONE*
+ Set *ZONE* to publish CDNSKEY records.
+unset-publish-cds *ZONE*
+ Set *ZONE* to stop responding to queries for its CDS records.
+unset-publish-cdnskey *ZONE*
+ Set *ZONE* to stop publishing CDNSKEY records.
+
+TSIG RELATED COMMANDS
+---------------------
+
+These commands manipulate TSIG key information in the database. Some
+commands require an *ALGORITHM*, the following are available:
+
+- hmac-md5
+- hmac-sha1
+- hmac-sha224
+- hmac-sha256
+- hmac-sha384
+- hmac-sha512
+
+activate-tsig-key *ZONE* *NAME* {**master**,\ **slave**}
+ Enable TSIG authenticated AXFR using the key *NAME* for zone *ZONE*.
+ This sets the ``TSIG-ALLOW-AXFR`` (master) or ``AXFR-MASTER-TSIG``
+ (slave) zone metadata.
+deactivate-tsig-key *ZONE* *NAME* {**master**,\ **slave**}
+ Disable TSIG authenticated AXFR using the key *NAME* for zone
+ *ZONE*.
+delete-tsig-key *NAME*
+ Delete the TSIG key *NAME*. Warning, this does not deactivate said
+ key.
+generate-tsig-key *NAME* *ALGORITHM*
+ Generate new TSIG key with name *NAME* and the specified algorithm.
+import-tsig-key *NAME* *ALGORITHM* *KEY*
+ Import *KEY* of the specified algorithm as *NAME*.
+
+ZONE MANIPULATION COMMANDS
+--------------------------
+
+create-zone *ZONE*
+ Create an empty zone named *ZONE*.
+check-all-zones
+ Check all zones for correctness.
+check-zone *ZONE*
+ Check zone *ZONE* for correctness.
+clear-zone *ZONE*
+ Clear the records in zone *ZONE*, but leave actual domain and
+ settings unchanged
+delete-zone *ZONE*:
+ Delete the zone named *ZONE*.
+edit-zone *ZONE*
+ Opens *ZONE* in zonefile format (regardless of backend it was loaded
+ from) in the editor set in the environment variable **EDITOR**. if
+ **EDITOR** is empty, *pdnsutil* falls back to using *editor*.
+get-meta *ZONE* [*ATTRIBUTE*]...
+ Get zone metadata. If no *ATTRIBUTE* given, lists all known.
+hash-zone-record *ZONE* *RNAME*
+ This convenience command hashes the name *RNAME* according to the
+ NSEC3 settings of *ZONE*. Refuses to hash for zones with no NSEC3
+ settings.
+list-keys [*ZONE*]
+ List DNSSEC information for all keys or for *ZONE*.
+list-all-zones:
+ List all zone names.
+list-zone *ZONE*
+ Show all records for *ZONE*.
+load-zone *ZONE* *FILE*
+ Load records for *ZONE* from *FILE*. If *ZONE* already exists, all
+ records are overwritten, this operation is atomic. If *ZONE* doesn't
+ exist, it is created.
+rectify-zone *ZONE*
+ Calculates the 'ordername' and 'auth' fields for a zone called
+ *ZONE* so they comply with DNSSEC settings. Can be used to fix up
+ migrated data. Can always safely be run, it does no harm.
+rectify-all-zones
+ Calculates the 'ordername' and 'auth' fields for all zones so they
+ comply with DNSSEC settings. Can be used to fix up migrated data.
+ Can always safely be run, it does no harm.
+secure-zone *ZONE*
+ Configures a zone called *ZONE* with reasonable DNSSEC settings. You
+ should manually run 'pdnsutil rectify-zone' afterwards.
+secure-all-zones [**increase-serial**]
+ Configures all zones that are not currently signed with reasonable
+ DNSSEC settings. Setting **increase-serial** will increase the
+ serial of those zones too. You should manually run 'pdnsutil
+ rectify-all-zones' afterwards.
+set-kind *ZONE* *KIND*
+ Change the kind of *ZONE* to *KIND* (master, slave, native).
+set-account *ZONE* *ACCOUNT*
+ Change the account (owner) of *ZONE* to *ACCOUNT*.
+set-meta *ZONE* *ATTRIBUTE* [*VALUE*]
+ Set domainmetadata *ATTRIBUTE* for *ZONE* to *VALUE*. An empty value
+ clears it.
+set-presigned *ZONE*
+ Switches *ZONE* to presigned operation, utilizing in-zone RRSIGs.
+show-zone *ZONE*
+ Shows all DNSSEC related settings of a zone called *ZONE*.
+test-schema *ZONE*
+ Test database schema, this creates the zone *ZONE*
+unset-presigned *ZONE*
+ Disables presigned operation for *ZONE*.
+
+DEBUGGING TOOLS
+---------------
+
+backend-cmd *BACKEND* *CMD* [*CMD..*]
+ Send a text command to a backend for execution. GSQL backends will
+ take SQL commands, other backends may take different things. Be
+ careful!
+
+See also
+--------
+
+pdns\_server (1), pdns\_control (1)
+++ /dev/null
-% REC_CONTROL(1)
-% PowerDNS.COM BV
-% April 2006
-
-# NAME
-rec_control - control pdns_recursor
-
-# SYNOPSIS
-**rec_control** [*OPTION*]... *COMMAND* [*COMMAND-OPTION*]...
-
-DESCRIPTION
------------
-**rec_control** allows the operator to control a running instance
-of the pdns_recursor.
-
-The commands that can be passed to the recursor are described on
-http://doc.powerdns.com/md/recursor/running/\#rec_control-commands
-
-# EXAMPLES
-To stop the recursor by hand, run:
-
-`# rec_control quit`
-
-To dump the cache to disk, execute:
-
-`# rec_control dump-cache /tmp/the-cache`
-
-# OPTIONS
---help
-: provide this helpful message.
-
---config-dir=*PATH*
-: Directory where the recursor.conf lives.
-
---config-name=*NAME*
-: Name of the virtual configuration.
-
---socket-dir=*PATH*
-: Where the controlsocket will live, please use **--config-dir** instead.
-
---socket-pid=*PID*
-: When running in SMP mode, pid of **pdns_recursor** to control.
-
---timeout=*NUM*
-: Number of seconds to wait for the remote PowerDNS Recursor to
- respond. Set to 0 for infinite.
-
-# COMMANDS
-add-nta *DOMAIN* [*REASON*]
-: Add a Negative Trust Anchor for *DOMAIN*, suffixed optionally with *REASON*.
-
-add-ta *DOMAIN* *DSRECORD*
-: Add a Trust Anchor for *DOMAIN* with DS record data *DSRECORD*. This adds the
- new Trust Anchor to the existing set of Trust Anchors for *DOMAIN*.
-
-current-queries
-: Shows the currently active queries.
-
-clear-nta *DOMAIN*...
-: Remove Negative Trust Anchor for one or more *DOMAIN*s. Set domain to `'*'`
- to remove all NTA's.
-
-clear-ta [*DOMAIN*]...
-: Remove Trust Anchor for one or more *DOMAIN*s. Note that removing the root
- trust anchor is not possible.
-
-dump-cache *FILENAME*
-: Dumps the entire cache to *FILENAME*. This file should
- not exist already, PowerDNS will refuse to overwrite it. While
- dumping, the recursor will not answer questions.
-
-dump-edns *FILENAME*
-: Dumps the EDNS status to the filename mentioned. This file should
- not exist already, PowerDNS will refuse to overwrite it. While
- dumping, the recursor will not answer questions.
-
-dump-nsspeeds *FILENAME*
-: Dumps the nameserver speed statistics to the *FILENAME* mentioned.
- This file should not exist already, PowerDNS will refuse to
- overwrite it. While dumping, the recursor will not answer questions.
-
-get *STATISTIC* [*STATISTIC*]...
-: Retrieve a statistic. For items that can be queried, see
- http://doc.powerdns.com/md/recursor/stats/
-
-get-all
-: Retrieve all known statistics.
-
-get-ntas
-: Get a list of the currently configured Negative Trust Anchors.
-
-get-tas
-: Get a list of the currently configured Trust Anchors.
-
-get-parameter *KEY* [*KEY*]...
-: Retrieves the specified configuration parameter(s).
-
-get-qtypelist
-: Retrieves QType statistics. Queries from cache aren't being counted yet.
-
-help
-: Shows a list of supported commands.
-
-ping
-: Check if server is alive.
-
-quit
-: Request shutdown of the recursor.
-
-quit-nicely
-: Request nice shutdown of the recursor.
-
-reload-acls
-: Reloads ACLs.
-
-reload-lua-script [*FILENAME*]
-: (Re)loads Lua script *FILENAME*. If *FILENAME* is empty, attempt to reload
- the currently loaded script. This replaces the script currently loaded.
-
-reload-lua-config [*FILENAME*]
-: (Re)loads Lua configuration *FILENAME*. If *FILENAME* is empty, attempt to
- reload the currently loaded file. Note that *FILENAME* will be fully executed,
- any settings changed at runtime that are not modified in this file, will
- still be active. Reloading RPZ, especially by AXFR, can take some time; during
- which the recursor will not answer questions.
-
-reload-zones
-: Reload authoritative and forward zones. Retains current configuration
- in case of errors.
-
-set-carbon-server *CARBON SERVER* [*CARBON OURNAME*]
-: Set the carbon-server setting to *CARBON SERVER*. If *CARBON OURNAME* is not
- empty, also set the carbon-ourname setting to *CARBON OURNAME*.
-
-set-dnssec-log-bogus *SETTING*
-: Set dnssec-log-bogus setting to *SETTING*. Set to 'on' or 'yes' to log DNSSEC
- validation failures and to 'no' or 'off' to disable logging these failures.
-
-set-minimum-ttl *NUM*
-: Set minimum-ttl-override to *NUM*.
-
-top-queries
-: Shows the top-20 queries. Statistics are over the last
- 'stats-ringbuffer-entries' queries.
-
-top-pub-queries
-: Shows the top-20 queries grouped by public suffix list. Statistics are over the last
- 'stats-ringbuffer-entries' queries.
-
-top-largeanswer-remotes
-: Shows the top-20 remote hosts causing large answers. Statistics are over the
- last 'stats-ringbuffer-entries' queries.
-
-top-remotes
-: Shows the top-20 most active remote hosts. Statistics are over the
- last 'stats-ringbuffer-entries' queries.
-
-top-servfail-queries
-: Shows the top-20 queries causing servfail responses. Statistics are
- over the last 'stats-ringbuffer-entries' queries.
-
-top-pub-servfail-queries
-: Shows the top-20 queries causing servfail responses grouped by public suffix list.
- Statistics are over the last 'stats-ringbuffer-entries' queries.
-
-top-servfail-remotes
-: Shows the top-20 most active remote hosts causing servfail responses.
- Statistics are over the last 'stats-ringbuffer-entries' queries.
-
-trace-regex *REGEX*
-: Emit resolution trace for matching queries. Empty regex to disable trace.
-
-unload-lua-script
-: Unloads Lua script.
-
-version
-: Report running version.
-
-wipe-cache *DOMAIN* [*DOMAIN*] [...]
-: Wipe entries for *DOMAIN* (exact name match) from the cache. This is useful
- if, for example, an important server has a new IP address, but the TTL has
- not yet expired. Multiple domain names can be passed. *DOMAIN* can be
- suffixed with a '$' to delete the whole tree from the cache. i.e. 'powerdns.com$'
- will remove all cached entries under and including the powerdns.com name.
-
-# BUGS
-None known. File new ones at https://github.com/PowerDNS/pdns/issues.
-
-# RESOURCES
-Website: https://docs.powerdns.com, https://www.powerdns.com
-
-# SEE ALSO
-pdns_recursor(1)
+++ /dev/null
-% SAXFR(1)
-% PowerDNS.com BV
-% April 2015
-
-# NAME
-**saxfr** - Perform AXFRs and show information about it
-
-# SYNOPSIS
-**saxfr** *IPADDRESS* *PORT* *ZONE* [*OPTIONS*]
-
-# DESCRIPTION
-**saxfr** does a zone-transfer (AXFR) of *ZONE* from the nameserver at *IPADDRESS*
-on port *PORT* and displays the transferred zone with NSEC3 information truncated.
-See below how to show this information.
-
-# OPTIONS
-showdetails
-: Show all the data in the NSEC3 and DNSKEY RDATA.
-
-showflags
-: Show the NSEC3 flags in the RDATA.
-
-unhash
-: Unhash the NSEC3 names to the normal names.
--- /dev/null
+saxfr
+=====
+
+:program:`saxfr` - Perform AXFRs and show information about it
+
+Synopsis
+--------
+
+:program:`saxfr` *IPADDRESS* *PORT* *ZONE* [*Options*]
+
+Description
+-----------
+
+:program:`saxfr` does a zone-transfer (AXFR) of *ZONE* from the nameserver at
+*IPADDRESS* on port *PORT* and displays the transferred zone with NSEC3
+information truncated. See below how to show this information.
+
+Options
+-------
+
+showdetails
+ Show all the data in the NSEC3 and DNSKEY RDATA.
+showflags
+ Show the NSEC3 flags in the RDATA.
+unhash
+ Unhash the NSEC3 names to the normal names.
+++ /dev/null
-% SDIG(1)
-% PowerDNS.com BV
-% September 2015
-
-# NAME
-**sdig** - Perform a DNS query and show the results
-
-# SYNOPSIS
-**sdig** *IPADDRESS* *PORT* *QNAME* *QTYPE* [*OPTIONS*]
-
-# DESCRIPTION
-**sdig** sends a DNS query to *IPADDRESS* on port *PORT* and displays the answer
-in a formatted way.
-
-# OPTIONS
-These options can be added to the commandline in any order.
-dnssec
-: Set the DO bit to request DNSSEC information.
-
-hidesoadetails
-: Don't show the SOA serial in the response.
-
-recurse
-: Set the RD bit in the question.
-
-showflags
-: Show the NSEC3 flags in the response.
-
-tcp
-: Use TCP instead of UDP to send the query.
-
-ednssubnet *SUBNET*
-: Send *SUBNET* in the edns-client-subnet option. If this option is not set,
- no edns-client-subnet option is set in the query.
--- /dev/null
+sdig
+====
+
+:program:`sdig` - Perform a DNS query and show the results
+
+Synopsis
+--------
+
+:program:`sdig` *IPADDRESS* *PORT* *QNAME* *QTYPE* [*OPTION*]
+
+Description
+-----------
+
+:program:`sdig` sends a DNS query to *IPADDRESS* on port *PORT* and displays
+the answer in a formatted way.
+
+Options
+-------
+
+These options can be added to the commandline in any order. dnssec : Set
+the DO bit to request DNSSEC information.
+
+hidesoadetails
+ Don't show the SOA serial in the response.
+recurse
+ Set the RD bit in the question.
+showflags
+ Show the NSEC3 flags in the response.
+tcp
+ Use TCP instead of UDP to send the query.
+ednssubnet *SUBNET*
+ Send *SUBNET* in the edns-client-subnet option. If this option is
+ not set, no edns-client-subnet option is set in the query.
+++ /dev/null
-% ZONE2JSON(1)
-% PowerDNS
-% January 2016
-
-# NAME
-**zone2json** - convert BIND zones to JSON
-
-# SYNOPSIS
-**zone2json** {**--named-conf=***PATH*,**--zone-file=***PATH* [**--zone-name=***NAME*]} [*OPTIONS*]
-
-# DESCRIPTION
-**zone2json** parses Bind named.conf files and zonefiles and outputs JSON
-on standard out, which can then be fed to the PowerDNS API.
-
-**zone2json** understands the Bind master file extension `$GENERATE` and will
-also honour `$ORIGIN` and `$TTL`.
-
-# OPTIONS
-## INPUT OPTIONS
---named-conf=*PATH*
-: Read *PATH* to get the bind configuration
-
---zone=*PATH*
-: Parse only the zone file at *PATH* Conflicts with **--named-conf** parameter.
-
---zone-name=*NAME*
-: When parsing a single zone without $ORIGIN statement, set *ZONE* as the zone
- name.
-
-## OTHER OPTIONS
---help
-: List all options
-
---on-error-resume-next
-: Ignore missing zone files during parsing. Dangerous.
-
---verbose
-: Be verbose during conversion.
-
-# SEE ALSO
-pdns_server(1)
--- /dev/null
+zone2json
+=========
+
+:program:`zone2json` - convert BIND zones to JSON
+
+Synopsis
+--------
+
+:program:`zone2json` {**--named-conf=**\ *PATH*, **--zone-file=**\ *PATH* [**--zone-name=**\ *NAME*]} [*OPTION*]
+
+Description
+-----------
+
+:program:`zone2json` parses Bind named.conf files and zonefiles and outputs
+JSON on standard out, which can then be fed to the PowerDNS API.
+
+:program:`zone2json` understands the Bind master file extension ``$GENERATE``
+and will also honour ``$ORIGIN`` and ``$TTL``.
+
+Options
+-------
+
+INPUT Options
+-------------
+
+--named-conf=<PATH> Read *PATH* to get the bind configuration
+--zone=<PATH> Parse only the zone file at *PATH* Conflicts with ``--named-conf`` parameter.
+--zone-name=<NAME> When parsing a single zone without $ORIGIN statement, set *ZONE* as the zone name.
+
+OTHER Options
+-------------
+
+--help List all options
+--on-error-resume-next Ignore missing zone files during parsing. Dangerous.
+--verbose Be verbose during conversion.
+
+See also
+--------
+
+pdns_server(1)
+++ /dev/null
-% ZONE2LDAP(1)
-% Matthijs Möhlmann <matthijs@cacholong.nl>
-% November 2004
-
-# NAME
-**zone2ldap** - convert zonefiles to ldif
-
-# SYNOPSIS
-**zone2ldap** {**--named-conf=***PATH*,**--zone-file=***PATH*
-**--zone-name=***NAME*} [*OPTION*]...
-
-# DESCRIPTION
-**zone2ldap** is a program that converts bind zonefiles to ldif format which can
-inserted to an LDAP server.
-
-# OPTIONS
---help
-: Show summary of options.
-
---basedn=*DN*
-: Base DN to store objects below
-
---dnsttl
-: Add dnsttl attribute to every entry
-
---layout={**simple,tree**}
-: How to arrange entries in the directory (simple or as tree)
-
---named-conf=*PATH*
-: Path to a Bind 8 named.conf to parse
-
---resume
-: Continue after errors
-
---verbose
-: verbose comments on operation
-
---zone-file=*PATH*
-: Zone file to parse
-
---zone-name=*NAME*
-: Specify a zone name if zone is set
-
-# SEE ALSO
-pdns_server(1)
--- /dev/null
+zone2ldap
+=========
+
+:program:`zone2ldap` - convert zonefiles to ldif
+
+Synopsis
+--------
+
+:program:`zone2ldap` {**--named-conf=**\ *PATH*,\ **--zone-file=**\ *PATH* **--zone-name=**\ *NAME*} [*OPTION*]...
+
+Description
+-----------
+
+:program:`zone2ldap` is a program that converts bind zonefiles to ldif format
+which can inserted to an LDAP server.
+
+Options
+-------
+
+--help Show summary of options.
+--basedn=<DN> Base DN to store objects below
+--dnsttl Add dnsttl attribute to every entry
+--layout=<layout> How to arrange entries in the directory ("simple" or "tree")
+--named-conf=<PATH> Path to a Bind named.conf to parse
+--resume Continue after errors
+--verbose Verbose comments on operation
+--zone-file=<PATH> Zone file to parse
+--zone-name=<NAME> Specify a zone name if zone is set
+
+See also
+--------
+
+pdns_server(1)
+++ /dev/null
-% ZONE2SQL(1)
-% PowerDNS
-% December 2002
-
-# NAME
-**zone2sql** - convert BIND zones to SQL
-
-# SYNOPSIS
-**zone2sql** {**--named-conf=***PATH*,**--zone-file=***PATH* [**--zone-name=***NAME*]} [*OPTIONS*]
-
-# DESCRIPTION
-**zone2sql** parses Bind named.conf files and zonefiles and outputs SQL
-on standard out, which can then be fed to your database.
-
-**zone2sql** understands the Bind master file extension `$GENERATE` and will
-also honour `$ORIGIN` and `$TTL`.
-
-For backends supporting slave operation there is also an option to keep slave
-zones as slaves, and not convert them to native operation.
-
-**zone2sql** can generate SQL for the Generic MySQL, Generic PostgreSQL, Generic
-SQLite3 and Generic Oracle backends.
-
-# OPTIONS
-## INPUT OPTIONS
---named-conf=*PATH*
-: Read *PATH* to get the bind configuration
-
---zone=*PATH*
-: Parse only the zone file at *PATH* Conflicts with **--named-conf** parameter.
-
---zone-name=*NAME*
-: When parsing a single zone without $ORIGIN statement, set *ZONE* as the zone
- name.
-
-## BACKENDS
---gmysql
-: Output in format suitable for the default configuration of the Generic MySQL
- backend.
-
---gpgsql
-: Output in format suitable for the default configuration of the Generic
- PostgreSQL backend.
-
---gsqlite
-: Output in format suitable for the default configuration of the Generic
- SQLite3 backend.
-
---goracle
-: Output in format suitable for the default configuration of the Generic Oracle
- backend.
-
---mydns
-: Output in a format suitable for the MyDNS backend.
-
---oracle
-: Output in format suitable for the default configuration of the Oracle backend.
-
-## OUTPUT OPTIONS
---json-comments
-: Parse JSON in zonefile comments to set the 'disabled' and 'comment' fields
- in the database. See *JSON COMMENTS* for more information.
-
---transactions
-: If the target SQL backend supports transactions, wrap every domain into
- a transaction for integrity and possibly higher speed.
-
-## OTHER OPTIONS
---filter-duplicate-soa
-: If there's more than one SOA record in the zone (possibly because it was
- AXFR'd), ignore it. If this option is not set, all SOA records in the zone
- are emitted.
-
---help
-: List all options
-
---on-error-resume-next
-: Ignore missing zone files during parsing. Dangerous.
-
---slave
-: Maintain slave status of zones listed in named.conf as being slaves. The
- default behaviour is to convert all zones to native operation.
-
---verbose
-: Be verbose during conversion.
-
-# JSON COMMENTS
-The Generic SQL backends have the 'comment' and 'disabled' fields in the 'records'
-table. The 'comment' field contains a comment for this record (if any) and the
-'disabled' field tells PowerDNS if the record can be served to clients.
-
-When a zonefile contains a comment like `; json={"comment": "Something", "disabled": true}`
-and **--json-comments** is provided, the 'comment' field will contain "Something"
-and the 'disabled' field will be set to the database's native true value.
-
-WARNING: Using JSON comments to disable records means that the zone in PowerDNS
-is different from the one served by BIND, as BIND does not handle the disabled
-status in the comment.
-
-# SEE ALSO
-pdns_server(1)
--- /dev/null
+zone2sql
+========
+
+:program:`zone2sql` - convert BIND zones to SQL
+
+Synopsis
+--------
+
+:program:`zone2sql` {**--named-conf=**\ *PATH*,\ **--zone-file=**\ *PATH* [**--zone-name=**\ *NAME*]} [*Options*]
+
+Description
+-----------
+
+:program:`zone2sql` parses Bind named.conf files and zonefiles and outputs SQL
+on standard out, which can then be fed to your database.
+
+:program:`zone2sql` understands the Bind master file extension ``$GENERATE``
+and will also honour ``$ORIGIN`` and ``$TTL``.
+
+For backends supporting slave operation there is also an option to keep
+slave zones as slaves, and not convert them to native operation.
+
+:program:`zone2sql` can generate SQL for the Generic MySQL, Generic PostgreSQL,
+Generic SQLite3 and Generic Oracle backends.
+
+Options
+-------
+
+INPUT Options
+-------------
+
+--named-conf=<PATH> Read *PATH* to get the bind configuration
+--zone=<PATH> Parse only the zone file at *PATH* Conflicts with **--named-conf** parameter.
+--zone-name=<NAME> When parsing a single zone without $ORIGIN statement, set *ZONE* as
+ the zone name.
+
+BACKENDS
+--------
+
+--gmysql
+ Output in format suitable for the default configuration of the
+ Generic MySQL backend.
+--gpgsql
+ Output in format suitable for the default configuration of the
+ Generic PostgreSQL backend.
+--gsqlite
+ Output in format suitable for the default configuration of the
+ Generic SQLite3 backend.
+--goracle
+ Output in format suitable for the default configuration of the
+ Generic Oracle backend.
+--mydns
+ Output in a format suitable for the MyDNS backend.
+--oracle
+ Output in format suitable for the default configuration of the
+ Oracle backend.
+
+OUTPUT Options
+--------------
+
+--json-comments
+ Parse JSON in zonefile comments to set the 'disabled' and 'comment'
+ fields in the database. See *JSON COMMENTS* for more information.
+--transactions
+ If the target SQL backend supports transactions, wrap every domain
+ into a transaction for integrity and possibly higher speed.
+
+OTHER Options
+-------------
+
+--filter-duplicate-soa
+ If there's more than one SOA record in the zone (possibly because it
+ was AXFR'd), ignore it. If this option is not set, all SOA records
+ in the zone are emitted.
+--help
+ List all options
+--on-error-resume-next
+ Ignore missing zone files during parsing. Dangerous.
+--slave
+ Maintain slave status of zones listed in named.conf as being slaves.
+ The default behaviour is to convert all zones to native operation.
+--verbose
+ Be verbose during conversion.
+
+JSON COMMENTS
+-------------
+
+The Generic SQL backends have the 'comment' and 'disabled' fields in the
+'records' table. The 'comment' field contains a comment for this record
+(if any) and the 'disabled' field tells PowerDNS if the record can be
+served to clients.
+
+When a zonefile contains a comment like
+``; json={"comment": "Something", "disabled": true}`` and
+**--json-comments** is provided, the 'comment' field will contain
+"Something" and the 'disabled' field will be set to the database's
+native true value.
+
+WARNING: Using JSON comments to disable records means that the zone in
+PowerDNS is different from the one served by BIND, as BIND does not
+handle the disabled status in the comment.
+
+See also
+--------
+
+pdns_server(1)
+++ /dev/null
-# Backend writers' guide
-PowerDNS backends are implemented via a simple yet powerful C++ interface.
-If your needs are not met by the PipeBackend, you may want to write your
-own. Before doing any PowerDNS development, please visit [the
-wiki](http://wiki.powerdns.com). Also please read [this blog
-post](http://blog.powerdns.com/2015/06/23/what-is-a-powerdns-backend-and-how-do-i-make-it-send-an-nxdomain/)
-which has a FAQ and several pictures that help explain what a backend is.
-
-A backend contains zero DNS logic. It need not look for CNAMEs, it need not return NS records unless explicitly asked for, etcetera. All DNS logic is contained within PowerDNS itself - backends should simply return records matching the description asked for.
-
-**Warning**: However, please note that your backend can get queries in aNy CAsE! If your database is case sensitive, like most are (with the notable exception of MySQL), you must make sure that you do find answers which differ only in case.
-
-**Warning**: PowerDNS may instantiate multiple instances of your backend, or destroy existing copies and instantiate new ones. Backend code should therefore be thread-safe with respect to its static data. Additionally, it is wise if instantiation is a fast operation, with the possible exception of the first construction.
-
-## Notes
-Besides regular query types, the DNS also knows the 'ANY' query type. When a server receives a question for this ANY type, it should reply with all record types available.
-
-Backends should therefore implement being able to answer 'ANY' queries in this way, and supply all record types they have when they receive such an 'ANY' query. This is reflected in the sample script above, which for every qtype answers if the type matches, or if the query is for 'ANY'.
-
-However, since backends need to implement the ANY query anyhow, PowerDNS makes use of this. Since almost all DNS queries internally need to be translated first into a CNAME query and then into the actual query, possibly followed by a SOA or NS query (this is how DNS works internally), it makes sense for PowerDNS to speed this up, and just ask the ANY query of a backend.
-
-When it has done so, it gets the data about SOA, CNAME and NS records in one go. This speeds things up tremendously.
-
-The upshot of the above is that for any backend, including the PIPE backend, implementing the ANY query is NOT optional. And in fact, a backend may see almost exclusively ANY queries. This is not a bug.
-
-## Simple read-only native backends
-Implementing a backend consists of inheriting from the DNSBackend class. For read-only backends, which do not support slave operation, only the following methods are relevant:
-
-```
- class DNSBackend
- {
- public:
-
- virtual void lookup(const QType &qtype, const string &qdomain, DNSPacket *pkt_p=0, int zoneId=-1)=0;
- virtual bool list(const string &target, int domain_id)=0;
- virtual bool get(DNSResourceRecord &r)=0;
- virtual bool getSOA(const DNSName &name, SOAData &soadata);
- };
-```
-
-Note that the first three methods must be implemented. `getSOA()` has a useful default implementation.
-
-The semantics are simple. Each instance of your class only handles one (1) query at a time. There is no need for locking as PowerDNS guarantees that your backend will never be called reentrantly.
-
-**Note**: Queries for wildcard names should be answered literally, without expansion. So, if a backend gets a question for "*.powerdns.com", it should only answer with data if there is an actual "*.powerdns.com" name
-
-Some examples, a more formal specification is down below. A normal lookup starts like this:
-
-```
- YourBackend yb;
- yb.lookup(QType::CNAME,"www.powerdns.com");
-```
-
-Your class should now do everything to start this query. Perform as much preparation as possible - handling errors at this stage is better for PowerDNS than doing so later on. A real error should be reported by throwing an exception.
-
-PowerDNS will then call the `get()` method to get `DNSResourceRecord`s back. The following code illustrates a typical query:
-
-```
- yb.lookup(QType::CNAME,"www.powerdns.com");
-
- DNSResourceRecord rr;
- while(yb.get(rr))
- cout<<"Found cname pointing to '"+rr.content+"'"<<endl;
- }
-```
-
-Each zone starts with a Start of Authority (SOA) record. This record is special so many backends will choose to implement it specially. The default `getSOA()` method performs a regular lookup on your backend to figure out the SOA, so if you have no special treatment for SOA records, where is no need to implement your own `getSOA()`.
-
-Besides direct queries, PowerDNS also needs to be able to list a zone, to do zone transfers for example. Each zone has an id which should be unique within the backend. To list all records belonging to a zone id, the `list()` method is used. Conveniently, the domain\_id is also available in the `SOAData` structure.
-
-The following lists the contents of a zone called "powerdns.com".
-
-```
- SOAData sd;
- if(!yb.getSOA("powerdns.com",sd)) // are we authoritative over powerdns.com?
- return RCode::NotAuth; // no
-
- yb.list(sd.domain_id);
- while(yb.get(rr))
- cout<<rr.qname<<"\t IN "<<rr.qtype.getName()<<"\t"<<rr.content<<endl;
-```
-
-## A sample minimal backend
-
-This backend only knows about the host "random.powerdns.com", and furthermore, only about its A record:
-
-```
-/* FIRST PART */
-class RandomBackend : public DNSBackend
-{
-public:
- bool list(const string &target, int id)
- {
- return false; // we don't support AXFR
- }
-
- void lookup(const QType &type, const string &qdomain, DNSPacket *p, int zoneId)
- {
- if(type.getCode()!=QType::A || qdomain!="random.powerdns.com") // we only know about random.powerdns.com A
- d_answer=""; // no answer
- else {
- ostringstream os;
- os<<random()%256<<"."<<random()%256<<"."<<random()%256<<"."<<random()%256;
- d_answer=os.str(); // our random ip address
- }
- }
-
- bool get(DNSResourceRecord &rr)
- {
- if(!d_answer.empty()) {
- rr.qname="random.powerdns.com"; // fill in details
- rr.qtype=QType::A; // A record
- rr.ttl=86400; // 1 day
- rr.content=d_answer;
-
- d_answer=""; // this was the last answer
-
- return true;
- }
- return false; // no more data
- }
-
-private:
- string d_answer;
-};
-
-/* SECOND PART */
-
-class RandomFactory : public BackendFactory
-{
-public:
- RandomFactory() : BackendFactory("random") {}
-
- DNSBackend *make(const string &suffix)
- {
- return new RandomBackend();
- }
-};
-
-/* THIRD PART */
-
-class RandomLoader
-{
-public:
- RandomLoader()
- {
- BackendMakers().report(new RandomFactory);
- L << Logger::Info << "[randombackend] This is the random backend version " VERSION " reporting" << endl;
- }
-};
-
-static RandomLoader randomloader;
-```
-
-This simple backend can be used as an 'overlay'. In other words, it only knows about a single record, another loaded backend would have to know about the SOA and NS records and such. But nothing prevents us from loading it without another backend.
-
-The first part of the code contains the actual logic and should be pretty straightforward. The second part is a boilerplate 'factory' class which PowerDNS calls to create randombackend instances. Note that a 'suffix' parameter is passed. Real life backends also declare parameters for the configuration file; these get the 'suffix' appended to them. Note that the "random" in the constructor denotes the name by which the backend will be known.
-
-The third part registers the RandomFactory with PowerDNS. This is a simple C++ trick which makes sure that this function is called on execution of the binary or when loading the dynamic module.
-
-Please note that a RandomBackend is actually in most PowerDNS releases. By default it lives on random.example.com, but you can change that by setting [`random-hostname`](../authoritative/backend-random.md#random-hostname).
-
-**Note**: this simple backend neglects to handle case properly!
-
-## Interface definition
-
-### Classes
-
-#### DNSResourceRecord
-| | |
-|:--|:--|
-|QType qtype|QType of this record|
-|string qname|name of this record|
-|string content|ASCII representation of right hand side|
-|uint32\_t ttl|Time To Live of this record|
-|int domain\_id| ID of the domain this record belongs to|
-|time\_t last\_modified| If unzero, last time\_t this record was changed|
-|bool auth| Used for DNSSEC operations. See [DNSSEC](../authoritative/dnssec.md) and more specifically the [Migration](../authoritative/dnssec.md#migration) section. It is also useful to check out the `rectifyZone()` in pdnsutil.cc|
-|bool disabled|If set, this record is not to be served to DNS clients. Backends should not make these records available to PowerDNS unless indicated otherwise.|
-
-#### SOAData
-| | |
-|:--|:--|
-|string nameserver|Name of the master nameserver of this zone|
-|string hostmaster|Hostmaster of this domain. May contain an @|
-|u\_int32\_t serial|Serial number of this zone|
-|u\_int32\_t refresh|How often this zone should be refreshed|
-|u\_int32\_t retry|How often a failed zone pull should be retried.|
-|u\_int32\_t expire|If zone pulls failed for this long, retire records|
-|u\_int32\_t default\_ttl|Difficult|
-|int domain\_id|The ID of the domain within this backend. Must be filled!|
-|DNSBackend *db|Pointer to the backend that feels authoritative for a domain and can act as a slave|
-
-### Methods
-#### `void lookup(const QType &qtype, const string &qdomain, DNSPacket *pkt=0, int zoneId=-1)`
-This function is used to initiate a straight lookup for a record of name 'qdomain' and type 'qtype'. A QType can be converted into an integer by invoking its `getCode()` method and into a string with the `getCode()`.
-
-The original question may or may not be passed in the pointer pkt. If it is, you can retrieve information about who asked the question with the `pkt->getRemote()` method.
-
-Note that **qdomain** can be of any case and that your backend should make sure it is in effect case insensitive. Furthermore, the case of the original question should be retained in answers returned by `get()`!
-
-Finally, the domain\_id might also be passed indicating that only answers from the indicated zone need apply. This can both be used as a restriction or as a possible speedup, hinting your backend where the answer might be found.
-
-If initiated successfully, as indicated by returning **true**, answers should be made available over the `get()` method.
-
-Should throw an PDNSException if an error occurred accessing the database. Returning otherwise indicates that the query was started successfully. If it is known that no data is available, no exception should be thrown! An exception indicates that the backend considers itself broken - not that no answers are available for a question.
-
-It is legal to return here, and have the first call to `get()` return false. This is interpreted as 'no data'.
-
-#### `bool list(int domain_id, bool include_disabled=false)`
-Initiates a list of the indicated domain. Records should then be made available via the `get()` method. Need not include the SOA record. If it is, PowerDNS will not get confused. If include\_disabled is given as true, records that are configured but should not be served to DNS clients must also be made available.
-
-Should return false if the backend does not consider itself authoritative for this zone. Should throw an PDNSException if an error occurred accessing the database. Returning true indicates that data is or should be available.
-
-#### `bool get(DNSResourceRecord &rr)`
-Request a DNSResourceRecord from a query started by `get()` of `list()`. If this functions returns **true**, **rr** has been filled with data. When it returns false, no more data is available, and **rr** does not contain new data. A backend should make sure that it either fills out all fields of the DNSResourceRecord or resets them to their default values.
-
-The qname field of the DNSResourceRecord should be filled out with the exact `qdomain` passed to lookup, preserving its case. So if a query for 'CaSe.yourdomain.com' comes in and your database contains data for 'case.yourdomain.com', the qname field of rr should contain 'CaSe.yourdomain.com'!
-
-Should throw an PDNSException in case a database error occurred.
-
-#### `bool getSOA(const string &name, SOAData &soadata)`
-If the backend considers itself authoritative over domain `name`, this method should fill out the passed **SOAData** structure and return a positive number. If the backend is functioning correctly, but does not consider itself authoritative, it should return 0. In case of errors, an PDNSException should be thrown.
-
-## Reporting errors
-To report errors, the Logger class is available which works mostly like an iostream. Example usage is as shown above in the RandomBackend. Note that it is very important that each line is ended with **endl** as your message won't be visible otherwise.
-
-To indicate the importance of an error, the standard syslog errorlevels are available. They can be set by outputting `Logger::Critical`, `Logger::Error`, `Logger::Warning`, `Logger::Notice`, `Logger::Info` or `Logger::Debug` to `L`, in descending order of graveness.
-
-## Declaring and reading configuration details
-It is highly likely that a backend needs configuration details. On launch, these parameters need to be declared with PowerDNS so it knows it should accept them in the configuration file and on the command line. Furthermore, they will be listed in the output of `--help`.
-
-Declaring arguments is done by implementing the member function `declareArguments()` in the factory class of your backend. PowerDNS will call this method after launching the backend.
-
-In the `declareArguments()` method, the function `declare()` is available. The exact definitions:
-
-### `void declareArguments(const string &suffix="")`
-This method is called to allow a backend to register configurable parameters. The suffix is the sub-name of this module. There is no need to touch this suffix, just pass it on to the declare method.
-
-### `void declare(const string &suffix, const string ¶m, const string &explanation, const string &value)`
-The suffix is passed to your method, and can be passed on to declare. **param** is the name of your parameter. **explanation** is what will appear in the output of --help. Furthermore, a default value can be supplied in the **value** parameter.
-
-A sample implementation:
-
-```
- void declareArguments(const string &suffix)
- {
- declare(suffix,"dbname","Pdns backend database name to connect to","powerdns");
- declare(suffix,"user","Pdns backend user to connect as","powerdns");
- declare(suffix,"host","Pdns backend host to connect to","");
- declare(suffix,"password","Pdns backend password to connect with","");
- }
-```
-
-After the arguments have been declared, they can be accessed from your backend using the `mustDo()`, `getArg()` and `getArgAsNum()` methods. The are defined as follows in the DNSBackend class:
-
-### `void setArgPrefix(const string &prefix)`
-Must be called before any of the other accessing functions are used. Typical usage is '`setArgPrefix("mybackend"+suffix)`' in the constructor of a backend.
-
-### `bool mustDo(const string &key)`
-Returns true if the variable `key` is set to anything but 'no'.
-
-### `const string& getArg(const string &key)`
-Returns the exact value of a parameter.
-
-### `int getArgAsNum(const string &key)`
-Returns the numerical value of a parameter. Uses `atoi()` internally
-
-Sample usage from the BindBackend: getting the 'check-interval' setting:
-
-```
-if(!safeGetBBDomainInfo(i->name, &bbd)) {
- bbd.d_id=domain_id++;
- bbd.setCheckInterval(getArgAsNum("check-interval"));
- bbd.d_lastnotified=0;
- bbd.d_loaded=false;
-}
-```
-
-## Read/write slave-capable backends
-The backends above are 'natively capable' in that they contain all data relevant for a domain and do not pull in data from other nameservers. To enable storage of information, a backend must be able to do more.
-
-Before diving into the details of the implementation some theory is in order. Slave domains are pulled from the master. PowerDNS needs to know for which domains it is to be a slave, and for each slave domain, what the IP address of the master is.
-
-A slave zone is pulled from a master, after which it is 'fresh', but this is only temporary. In the SOA record of a zone there is a field which specifies the 'refresh' interval. After that interval has elapsed, the slave nameserver needs to check at the master ff the serial number there is higher than what is stored in the backend locally.
-
-If this is the case, PowerDNS dubs the domain 'stale', and schedules a transfer of data from the remote. This transfer remains scheduled until the serial numbers remote and locally are identical again.
-
-This theory is implemented by the `getUnfreshSlaveInfos` method, which is called on all backends periodically. This method fills a vector of **SlaveDomain**s with domains that are unfresh and possibly stale.
-
-PowerDNS then retrieves the SOA of those domains remotely and locally and creates a list of stale domains. For each of these domains, PowerDNS starts a zone transfer to resynchronise. Because zone transfers can fail, it is important that the interface to the backend allows for transaction semantics because a zone might otherwise be left in a halfway updated situation.
-
-The following excerpt from the DNSBackend shows the relevant functions:
-
-```
- class DNSBackend {
- public:
- /* ... */
- virtual bool getDomainInfo(const string &domain, DomainInfo &di);
- virtual bool isMaster(const string &name, const string &ip);
- virtual bool startTransaction(const string &qname, int id);
- virtual bool commitTransaction();
- virtual bool abortTransaction();
- virtual bool feedRecord(const DNSResourceRecord &rr, string *ordername=0);
- virtual void getUnfreshSlaveInfos(vector<DomainInfo>* domains);
- virtual void setFresh(uint32_t id);
- /* ... */
- }
-```
-
-The mentioned DomainInfo struct looks like this:
-
-### DomainInfo struct
-| | |
-|:--|:--|
-|uint32\_t id|ID of this zone within this backend|
-|string master|IP address of the master of this domain, if any|
-|uint32\_t serial|Serial number of this zone|
-|uint32\_t notified\_serial|Last serial number of this zone that slaves have seen|
-|time\_t last\_check|Last time this zone was checked over at the master for changes|
-|enum {Master,Slave,Native} kind|Type of zone|
-|DNSBackend *backend|Pointer to the backend that feels authoritative for a domain and can act as a slave|
-
-These functions all have a default implementation that returns false - which explains that these methods can be omitted in simple backends. Furthermore, unlike with simple backends, a slave capable backend must make sure that the 'DNSBackend *db' field of the SOAData record is filled out correctly - it is used to determine which backend will house this zone.
-
-### `bool isMaster(const string &name, const string &ip)`
-If a backend considers itself a slave for the domain **name** and if the IP address in **ip** is indeed a master, it should return true. False otherwise. This is a first line of checks to guard against reloading a domain unnecessarily.
-
-### `void getUnfreshSlaveInfos(vector\<DomainInfo\>* domains)`
-When called, the backend should examine its list of slave domains and add any unfresh ones to the domains vector.
-
-### `bool getDomainInfo(const string &name, DomainInfo & di)`
-This is like `getUnfreshSlaveInfos`, but for a specific domain. If the backend considers itself authoritative for the named zone, `di` should be filled out, and 'true' be returned. Otherwise return false.
-
-### `bool startTransaction(const string &qname, int id)`
-When called, the backend should start a transaction that can be committed or rolled back atomically later on. In SQL terms, this function should **BEGIN** a transaction and **DELETE** all records.
-
-### `bool feedRecord(const DNSResourceRecord &rr, string *ordername)`
-Insert this record.
-
-### `bool commitTransaction()`
-Make the changes effective. In SQL terms, execute **COMMIT**.
-
-### `bool abortTransaction()`
-Abort changes. In SQL terms, execute **ABORT**.
-
-### `bool setFresh()`
-Indicate that a domain has either been updated or refreshed without the need for a retransfer. This causes the domain to vanish from the vector modified by `getUnfreshSlaveInfos()`.
-
-PowerDNS will always call `startTransaction()` before making calls to `feedRecord()`. Although it is likely that `abortTransaction()` will be called in case of problems, backends should also be prepared to abort from their destructor.
-
-The actual code in PowerDNS is currently (1.99.9):
-
-```
- Resolver resolver;
- resolver.axfr(remote,domain.c_str());
-
- db->startTransaction(domain, domain_id);
- L<<Logger::Error<<"AXFR started for '"<<domain<<"'"<<endl;
- Resolver::res_t recs;
-
- while(resolver.axfrChunk(recs)) {
- for(Resolver::res_t::const_iterator i=recs.begin();i!=recs.end();++i) {
- db->feedRecord(*i);
- }
- }
- db->commitTransaction();
- db->setFresh(domain_id);
- L<<Logger::Error<<"AXFR done for '"<<domain<<"'"<<endl;
-```
-
-## Supermaster/Superslave capability
-
-A backend that wants to act as a 'superslave' for a master should implement the following method:
-
-```
- class DNSBackend
- {
- virtual bool superMasterBackend(const string &ip, const string &domain, const vector<DNSResourceRecord>&nsset, string *account, DNSBackend **db)
- };
-```
-
-This function gets called with the IP address of the potential supermaster, the domain it is sending a notification for and the set of NS records for this domain at that IP address.
-
-Using the supplied data, the backend needs to determine if this is a bonafide 'supernotification' which should be honoured. If it decides that it should, the supplied pointer to 'account' needs to be filled with the configured name of the supermaster (if accounting is desired), and the db needs to be filled with a pointer to your backend.
-
-Supermaster/superslave is a complicated concept, if this is all unclear see the [Supermaster and Superslave](../authoritative/modes-of-operation.md#supermaster-automatic-provisioning-of-slaves) documentation.
-
-## Read/write master-capable backends
-In order to be a useful master for a domain, notifies must be sent out whenever a domain is changed. Periodically, PowerDNS queries backends for domains that may have changed, and sends out notifications for slave nameservers.
-
-In order to do so, PowerDNS calls the `getUpdatedMasters()` method. Like the `getUnfreshSlaveInfos()` function mentioned above, this should add changed domain names to the vector passed.
-
-The following excerpt from the DNSBackend shows the relevant functions:
-
-```
- class DNSBackend {
- public:
- /* ... */
- virtual void getUpdatedMasters(vector<DomainInfo>* domains);
- virtual void setNotified(uint32_t id, uint32_t serial);
- /* ... */
- }
-```
-
-These functions all have a default implementation that returns false - which explains that these methods can be omitted in simple backends. Furthermore, unlike with simple backends, a slave capable backend must make sure that the 'DNSBackend *db' field of the SOAData record is filled out correctly - it is used to determine which backend will house this zone.
-
-### `void getUpdatedMasters(vector<DomainInfo>* domains)`
-When called, the backend should examine its list of master domains and add any changed ones to the DomainInfo vector
-
-### `bool setNotified(uint32_t domain_id, uint32_t serial)`
-Indicate that notifications have been queued for this domain and that it need not be considered 'updated' anymore
-
-## DNS update support
-To make your backend DNS update compatible, it needs to implement a number of new functions and functions already used for slave-operation. The new functions are not DNS update specific and might be used for other update/remove functionality at a later stage.
-
-```
-class DNSBackend {
-public:
- /* ... */
- virtual bool startTransaction(const string &qname, int id);
- virtual bool commitTransaction();
- virtual bool abortTransaction();
- virtual bool feedRecord(const DNSResourceRecord &rr, string *ordername);
- virtual bool replaceRRSet(uint32_t domain_id, const string& qname, const QType& qt, const vector<DNSResourceRecord>& rrset)
- virtual bool listSubZone(const string &zone, int domain_id);
- /* ... */
-}
-```
-
-### `virtual bool startTransaction(const string &qname, int id)`
-See [above](#bool-starttransactionconst-string-qname-int-id). Please note that this function now receives a negative number (-1), which indicates that the current zone data should NOT be deleted.
-
-### `virtual bool commitTransaction()`
-See [above](#bool-committransaction)
-
-### `virtual bool abortTransaction()`
-See [above](#bool-aborttransaction). Method is called when an exception is received.
-
-### `virtual bool feedRecord(const DNSResourceRecord &rr, string *ordername)`
-See [above](#bool-feedrecordconst-dnsresourcerecord-rr-string-ordername). Please keep in mind that the zone is not empty because `startTransaction()` was called different.
-
-### `virtual bool listSubZone(const string &name, int domain\_id)`
-This method is needed for rectification of a zone after NS-records have been added. For DNSSEC, we need to know which records are below the currently added record. `listSubZone()` is used like `list()` which means PowerDNS will call `get()` after this method. The default SQL query looks something like this:
-
-```
-// First %s is 'sub.zone.com', second %s is '*.sub.zone.com'
-select content,ttl,prio,type,domain_id,name from records where (name='%s' OR name like '%s') and domain_id=%d
-```
-
-The method is not only used when adding records, but also to correct ENT-records in powerdns. Make sure it returns every record in the tree below the given record.
-
-### `virtual bool replaceRRSet(uint32_t domain_id, const string& qname, const QType& qt, const vector<DNSResourceRecord>& rrset)`
-This method should remove all the records with `qname` of type `qt`. `qt` might also be ANY, which means all the records with that `qname` need to be removed. After removal, the records in `rrset` must be added to the zone. `rrset` can be empty in which case the method is used to remove a RRset.
-
-# DNS update support
-To make your backend DNS update compatible, it needs to implement a number of new functions and functions already used for slave-operation. The new functions are not DNS update specific and might be used for other update/remove functionality at a later stage.
-
-```
-class DNSBackend {
-public:
- /* ... */
- virtual bool startTransaction(const string &qname, int id);
- virtual bool commitTransaction();
- virtual bool abortTransaction();
- virtual bool feedRecord(const DNSResourceRecord &rr, string *ordername);
- virtual bool replaceRRSet(uint32_t domain_id, const string& qname, const QType& qt, const vector<DNSResourceRecord>& rrset)
- virtual bool listSubZone(const string &zone, int domain_id);
- /* ... */
-}
-```
-
-## `virtual bool startTransaction(const string &qname, int id);`
-See [Read/write slave-capable backends](#read-write-slave-capable-backends). Please note that this function now receives a negative number (-1), which indicates that the current zone data should NOT be deleted.
-
-## `virtual bool commitTransaction();`
-See [Read/write slave-capable backends](#read-write-slave-capable-backends).
-
-## `virtual bool abortTransaction();`
-See [Read/write slave-capable backends](#read-write-slave-capable-backends). Method is called when an exception is received.
-
-## `virtual bool feedRecord(const DNSResourceRecord &rr, string *ordername);`
-See [Read/write slave-capable backends](#read-write-slave-capable-backends). Please keep in mind that the zone is not empty because `startTransaction()` was called different.
-
-virtual bool listSubZone(const string &name, int domain\_id);
-This method is needed for rectification of a zone after NS-records have been added. For DNSSEC, we need to know which records are below the currently added record. `listSubZone()` is used like `list()` which means PowerDNS will call `get()` after this method. The default SQL query looks something like this:
-
-```
-// First %s is 'sub.zone.com', second %s is '*.sub.zone.com'
-select content,ttl,prio,type,domain_id,name from records where (name='%s' OR name like '%s') and domain_id=%d
-```
-
-The method is not only used when adding records, but also to correct ENT-records in powerdns. Make sure it returns every record in the tree below the given record.
-
-## virtual bool replaceRRSet(uint32\_t domain\_id, const string& qname, const QType& qt, const vector\<DNSResourceRecord\>& rrset);
-
-This method should remove all the records with `qname` of type `qt`. `qt` might also be ANY, which means all the records with that `qname` need to be removed. After removal, the records in `rrset` must be added to the zone. `rrset` can be empty in which case the method is used to remove a RRset.
-
-# Miscellaneous
-
-## ENT (Empty Non-Terminal)
-
-You are expected to reply with a DNSResourceRecord having `qtype = 0`, `ttl = 0` and `content` should be empty string (string length 0)
+++ /dev/null
-# Compiling PowerDNS
-PowerDNS can be compiled with modules built in, or with modules designed to be
-loaded at runtime. All that is configured before compiling using the well known
-autoconf/automake system.
-
-PowerDNS requires 'Boost' to compile, it is available for most operating
-systems. Otherwise, see [the Boost website](http://www.boost.org).
-
-To compile in modules, specify them as `--with-modules='mod1 mod2 mod3'`,
-substituting the desired module names. Each backend has a module name that you
-look up in this [table](../authoritative/index.md#backend-capabilities).
-
-To compile a module for inclusion at runtime, which is great if you are a unix
-vendor, use `--with-dynmodules='mod1 mod2 mod3'`. These modules then end up as
-.so files in the compiled libdir.
-
-By default, the [bind](../authoritative/backend-bind.md), [mysql](../authoritative/backend-generic-mysql.md)
-and [random](../authoritative/backend-random.md) are compiled into the binary.
-The [pipe](../authoritative/backend-pipe.md) is, by default, compiled as a runtime
-loadable module.
-
-## Getting the sources
-There are 3 ways of getting the source. If you want the bleeding edge, you can
-clone the repository at [GitHub](https://github.com/PowerDNS/pdns) and run
-`./bootstrap` in the clone.
-
-You can also download snapshot tarballs generated by Jenkins and can be found
-[here](https://autotest.powerdns.com/).
-
-You can also download releases on the [website](https://downloads.powerdns.com/releases/).
-These releases are PGP-signed with key-id [FBAE 0323 821C 7706 A5CA 151B DCF5
-13FA 7EED 19F3](https://pgp.mit.edu/pks/lookup?op=get&search=0xDCF513FA7EED19F3),
-[1628 90D0 689D D12D D33E 4696 1C5E
-E990 D2E7 1575](https://pgp.mit.edu/pks/lookup?op=get&search=0x1C5EE990D2E71575)
-or [B76C D467 1C09 68BA A87D E61C 5E50 715B F2FF E1A7](https://pgp.mit.edu/pks/lookup?op=get&search=0x5E50715BF2FFE1A7).
-
-## OS specific gotcha's
-### AIX
-It is unknown if PowerDNS compiles on AIX.
-
-### FreeBSD
-Works fine, but use gmake.
-
-The FreeBSD Boost include files are installed in `/usr/local/include`, so prefix
-`CXXFLAGS=-I/usr/local/include` to your `./configure` invocation.
-
-### Linux
-Linux is probably the best supported platform as most of the main coders are
-Linux users.
-
-### Mac OS X
-The [installation from Homebrew](../authoritative/installation.md#mac-os-x)
-for the authoritative server should work, event though not all commits are
-tested on OS X.
-
-The recursor has been reported to crash for some OS X users.
-
-### OpenBSD 5.8
-Compiles, but use gmake and g++-4.9.3 or higher.
-
-### Solaris
-Solaris 8 and 9 work fine. The 'Sunpro' compiler has not been tried but is
-reported to be lacking large parts of the Standard Template Library, which
-PowerDNS relies on heavily. Use gcc and gmake (if available). Regular Solaris
-make has some issues with some PowerDNS Makefile constructs.
-
-When compiling, make sure that you have `/usr/ccs/bin` in your path.
-Furthermore, with some versions of MySQL, you may have to add `LDFLAGS=-lz`
-before `./configure`.
-
-### OpenIndiana
-Compiles on OpenIndiana Hipster with `developer/gcc-49`. Other required packages
-are:
-
- * bison
- * boost
- * developer/gcc-49
- * flex
- * libtool
- * pkg-config
- * system/header
+++ /dev/null
-# Cryptographic software and export control
-In certain legal climates, PowerDNS might potentially require an export control status, particularly since PowerDNS software contains cryptographic primitives.
-
-PowerDNS does not itself implement any cryptographic algorithms but relies on third party implementations of AES, RSA, ECDSA, GOST, MD5 and various SHA-based hashing algorithms.
-
-Furthermore, RSA, MD5 and the SHA-based algorithms are supplied as a copy of [mbed TLS](https://tls.mbed.org/).
-
-Starting with 4.0.0, PowerDNS will link in hash and cryptographic primitives from
-the open source [OpenSSL](https://openssl.org/) library.
-
-Optionally, PowerDNS can link in a copy of the open source [Botan](http://botan.randombits.org/) cryptographic library.
-
-Optionally, PowerDNS can link in a copy of the open source [Sodium](https://libsodium.org/) library.
-
-## Specific United States Export Control Notes
-
-PowerDNS is not "US Origin" software. For re-export, like most open source,
-publicly available "mass market" projects, PowerDNS is considered to be
-governed by section 740.13(e) of the US EAR, "Unrestricted encryption source
-code", under which PowerDNS source code would be considered re-exportable
-from the US without an export license under License Exception TSU
-(Technology and Software - Unrestricted).
-
-Like most open source projects containing some encryption, the ECCN that
-best fits PowerDNS software is 5D002.
-
-The official link to the publicly available source code is
-<http://downloads.powerdns.com/releases>.
-
-If absolute certainty is required, we recommend consulting an expert in US
-Export Control, or asking the BIS for confirmation.
+++ /dev/null
-# Documentation details
-The PowerDNS documentation started life as SGML DocBook, and was later converted (with great pain) to XML DocBook. Late 2014,
-Pieter Lexis contributed a Markdown conversion, which is the basis of the current documentation.
-
-If you note an issue with the new documentation, please open a ticket on
-[GitHub](https://github.com/powerdns/pdns/issues) and tell us about it. Or, even
-better, fork our repo, and edit the files in docs/markdown to improve things.
-
-If your change is simple (say, a typo or a new paragraph), you can do all this
-entirely from GitHub. Simply fork PowerDNS, find the Markdown file you want to change,
-edit in place, commit, and create a pull request.
-
-## Building and testing
-It's recommended to use a [virtualenv](https://virtualenv.pypa.io/en/latest/)
-with the required packages to build the documentation.
-[Virtualenvwrapper](http://virtualenvwrapper.readthedocs.org/en/latest/) can be
-used to easily create and use a virtualenv.
-
-Once you're in a virtualenv, `pip install mkdocs==0.14 pandocfilters==1.2.3 click==5.1 LinkChecker==9.3`.
-
-To test-build the documentation, `make html/index.html` in the docs
-directory will build the documentation into `html/`.
-
-To test your changes live, use `cd docs/html && mkdocs serve && python -m SimpleHTTPServer`,
-and the new version of your documentation will appear on port 8000 of your machine.
+++ /dev/null
-# Bind zone file backend
-
-| | |
-|:--|:--|
-|Native|Yes|
-|Master|Yes|
-|Slave|Yes|
-|Superslave|Experimental|
-|Autoserial|No|
-|DNSSEC|Yes|
-|Disabled data|No|
-|Comments|No|
-|Module name|bind|
-|Launch|bind|
-
-The BindBackend started life as a demonstration of the versatility of PowerDNS but quickly gained in importance when there appeared to be demand for a Bind 'work-alike'.
-
-The BindBackend parses a Bind-style `named.conf` and extracts information about zones from it. It makes no attempt to honour other configuration flags, which you should configure (when available) using the PowerDNS native configuration.
-
-## Configuration Parameters
-### `bind-config`
-Location of the Bind configuration file to parse.
-
-### `bind-check-interval`
-How often to check for zone changes. See ['Operation'](#operation) section.
-
-### `bind-dnssec-db`
-Filename to store and access our DNSSEC metadatabase, empty for none.
-To slave DNSSEC-enabled domains (where the RRSIGS are in the AXFR), a
-`bind-dnssec-db` is required. This is because the [PRESIGNED](domainmetadata.md#presigned)
-domain metadata is set during the zonetransfer.
-
-### `bind-hybrid`
-Store DNSSEC keys and metadata storage in an other backend. See the
-[hybrid BIND-mode operation](dnssec.md#hybrid-bind-mode-operation)
-
-### `bind-ignore-broken-records`
-Setting this option to `yes` makes PowerDNS ignore out of zone records when
-loading zone files.
-
-## Operation
-On launch, the BindBackend first parses the `named.conf` to determine which zones
-need to be loaded. These will then be parsed and made available for serving, as
-they are parsed. So a `named.conf` with 100.000 zones may take 20 seconds to load,
-but after 10 seconds, 50.000 zones will already be available. While a domain is
-being loaded, it is not yet available, to prevent incomplete answers.
-
-Reloading is currently done only when a request for a zone comes in, and then
-only after [`bind-check-interval`](#bind-check-interval) seconds have passed after
-the last check. If a change occurred, access to the zone is disabled, the file
-is reloaded, access is restored, and the question is answered. For regular zones,
-reloading is fast enough to answer the question which lead to the reload within
-the DNS timeout.
-
-If [`bind-check-interval`](#bind-check-interval) is specified as zero, no checks
-will be performed until the `pdns_control reload` is given.
-
-## pdns\_control commands
-### `bind-add-zone <domain> <filename>`
-Add zone `domain` from `filename` to PowerDNS's bind backend. Zone will be loaded at
-first request. **Note**: this does not add the zone to the [`bind-config`](#bind-config)
-file.
-
-### `bind-domain-status <domain> [domain]`
-Output status of domain or domains. Can be one of `seen in named.conf, not parsed`,
-`parsed successfully at <time>` or `error parsing at line ... at <time>`.
-
-### `bind-list-rejects`
-Lists all zones that have problems, and what those problems are.
-
-### `bind-reload-now <domain>`
-Reloads a zone from disk NOW, reporting back results.
-
-### `rediscover`
-Reread the bind configuration file (`named.conf`). If parsing fails, the old
-configuration remains in force and `pdns_control` reports the error. Any newly
-discovered domains are read, discarded domains are removed from memory.
-
-### `reload`
-All zones with a changed timestamp are reloaded at the next incoming query for them.
-
-## Performance
-The BindBackend does not benefit from the packet cache as it is fast enough on
-its own. Furthermore, on most systems, there will be no benefit in using multiple
-CPUs for the packetcache, so a noticeable speedup can be attained by specifying
-[`distributor-threads`](settings.md#distributor-threads)`=1` in `pdns.conf`.
-
-## Master/slave/native configuration
-
-### Master
-Works as expected. At startup, no notification storm is performed as this is
-generally not useful. Perhaps in the future the Bind Backend will attempt to
-store zone metadata in the zone, allowing it to determine if a zone has changed
-its serial since the last time notifications were sent out.
-
-Changes which are discovered when reloading zones do lead to notifications however.
-
-### Slave
-Also works as expected. The Bind backend expects to be able to write to a
-directory where a slave domain lives. The incoming zone is stored as
-'zonename.RANDOM' and atomically renamed if it is retrieved successfully, and
-parsed only then.
-
-In the future, this may be improved so the old zone remains available should
-parsing fail.
-
-### Native
-PowerDNS has the concept of "native" zones that have the `type native;` in the BIND configuration file.
-These zones are neither a master (no notifies are sent) nor a slave zone (it will never be AXFR'd in).
-This means that the replication mechanism for these zone is not AXFR but out of band, e.g. using `rsync`.
-Changes to native zones are picked up in the same way as master and slave zones, see [Operation](#operation).
-
-Native zones in the BIND backend are supported since version 4.1.0 of the PowerDNS Authoritative Server.
-
-**note**: Any zone with no `type` set (an error in BIND) is assumed to be native.
+++ /dev/null
-This page contains some information about deprecated backends.
-
-# LMDB (high performance) backend
-**Note**: This backend was removed in version 4.0.0.
-
-| | |
-|:--|:--|
-|Native|Yes|
-|Master|No|
-|Slave|No|
-|Superslave|No|
-|Autoserial|No|
-|DNSSEC|No|
-|Module name|lmdb|
-|Launch|lmdb|
-
-Based on the [LMDB key-value database](http://symas.com/mdb/), the LMDB backend turns powerdns into a very high performance and DDOS-resilient authoritative DNS server. Testing on a 32-core server shows the ability to answer up to 400,000 queries per second with instant startup and real-time updates independent of database size.
-
-## Configuration Parameters
-### `lmdb-datapath`
-Location of the database to load
-
-## Operation
-Unlike other backends, LMDB does not require any special configuration. New or updated zones are available the next query after the update transaction is committed. If the underlying database is removed or recreated then the reload command should be sent through to powerdns to get it to close and reopen the database.
-
-## Database Format
-A full example script for generating a database can be found in pdns/modules/lmdbbackend/lmdb-example.pl. Basically the database environment is comprised of three databases to store the data:
-
-### Zone Database
-Each key in the zone database is the reversed lower-cased name of the zone without leading or trailing dots (ie for example.com the key would be moc.elpmaxe).
-
-Each value in the database must contain the following data (tab-separated):
-
-* Zone ID: The Zone's unique integer ID in ASCII (32-bit)
-* TTL: The TTL for the zone's SOA record
-* SOA data: space-separated SOA data eg
-```
-ns.foo.com. hostmaster.foo.com. <serial> <refresh> <retry> <expire> <minimum>
-```
-
-If refresh, retry, expire or minimum are not specified then the powerdns defaults will be used
-
-### Data Database
-This database is required to have been created with the MDB\_DUPSORT flag enabled. It stores the records for each domain. Each key must contain the following data (tab-separated):
-
-* Record name: The reversed lower-cased name of the record and zone without leading or trailing dots
-* Record type: The type of record A, NS, PTR etc. SOA is not allowed as it is automatically created from the zone database records.
-
-The value for each entry must contain the following data (tab-separated). If the length of this record is greater than the LMDB limit of 510 bytes (for DUPSORT databases) an entry of "REF" followed by the tab character and a unique 32-bit ASCII integer which contains a reference into [the section called “extended\_data database”](#extended-data-database).
-
-* Zone ID: The Zone's unique integer ID in ASCII (32-bit)
-* TTL: The TTL for the SOA record
-* Record data: The record's data entry. For MX/SRV records the priority is the first field and space-separated from the rest of the data. Care must be taken to escape the data appropriately for PowerDNS. As in the Pipe backend " and \\ characters are not allowed and any it is advised that any characters outside of ASCII 32-126 are escaped using the \\ character.
-
-### extended\_data database
-If the length of the value that you wish to insert into [the section called “data database”](#data-database) is longer than 510 bytes you need to create the REF entry as described above linked in to this table. The value is a unique 32-bit integer value formatted in ASCII and the value is the exact same format as it would have been in [the section called “data database”](#data-database) but can be however long you require.
-
-### Example database structure
-(as output by the pdns/modules/lmdbbackend/lmdb-example.pl example script and shown by pdns/modules/lmdbbackend/dumpdb.pl)
-
-```
-# perl dumpdb.pl /var/tmp/lmdb zone
-key: moc.elpmaxe; value: 1 300 ns.example.com. hostmaster.example.com. 2012021101 86400 7200 604800 86400
-# perl dumpdb.pl /var/tmp/lmdb data
-key: moc.elpmaxe MX; value: 1 300 10 mail.example.com
-key: moc.elpmaxe NS; value: 1 300 ns.example.com
-key: moc.elpmaxe.tset A; value: 1 300 192.0.2.66
-key: moc.elpmaxe.txet TXT; value: 1 300 test\010123
-key: moc.elpmaxe.txetgnol TXT; value: REF 1
-# perl dumpdb.pl /var/tmp/lmdb extended_data
-key: 1; value: 1 300 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-```
-
-# DB2 Backend
-**Note**: This backend was removed in version 3.5.0.
-
-| | |
-|:--|:--|
-|Native|Yes|
-|Master|No|
-|Slave|No|
-|Superslave|No|
-|Autoserial|Yes|
-|DNSSEC|No|
-|Disabled data|No|
-|Comments|No|
-|Module name|db2
-|Launch name|db2|
-
-PowerDNS is currently ascertaining if this backend can be distributed in binary form without violating IBM DB2 licensing.
-
-## Queries
-The DB2 backend executes the following queries:
-
-### Forward Query
-select Content, TimeToLive, Priority, Type, ZoneId, 0 as ChangeDate, Name from Records where Name = ? and type = ?
-
-### Forward By Zone Query
-select Content, TimeToLive, Priority, Type, ZoneId, 0 as ChangeDate, Name from Records where Name = ? and Type = ? and ZoneId = ?
-
-### Forward Any Query
-select Content, TimeToLive, Priority, Type, ZoneId, 0 as ChangeDate, Name from Records where Name = ?
-
-### List Query
-select Content, TimeToLive, Priority, Type, ZoneId, 0 as ChangeDate, Name from Records where ZoneId = ?
-
-## Configuration Parameters
-
-### `db2-server`
-Server name to connect to. Defaults to 'powerdns'. Make sure that your nameserver is not needed to resolve an IP address needed to connect as this might lead
-
-### `db2-user`
-Username to connect as. Defaults to 'powerdns'.
-
-### `db2-password`
-Password to connect with. Defaults to 'powerdns'.
-
-# ODBC backend
-**Note**: This backend was removed in version 3.1.
-
-| | |
-|:--|:--|
-|Native|Yes|
-|Master|Yes (experimental)|
-|Slave|Yes (experimental)|
-|Superslave|No|
-|Autoserial|Yes|
-
-The ODBC backend can retrieve zone information from any source that has a ODBC driver available.
-
-**Note** This backend is only available on PowerDNS for Windows.
-
-The ODBC backend needs data in a fixed schema which is the same as the data needed by the MySQL backend. The create statement will resemble this:
-
-```
- CREATE TABLE records (
- id int(11) NOT NULL auto_increment,
- domain_id int(11) default NULL,
- name varchar(255) default NULL,
- type varchar(10) default NULL,
- content varchar(255) default NULL,
- ttl int(11) default NULL,
- prio int(11) default NULL,
- change_date int(11) default NULL,
- PRIMARY KEY (id),
- KEY name_index(name),
- KEY nametype_index(name,type),
- KEY domainid_index(domain_id)
- );
-```
-
-To use the ODBC backend an ODBC source has to be created, to do this see the section Installing PowerDNS on Microsoft Windows, not included in the documentation as installation on Windows is not supported.
-
-## Configuration Parameters
-### `odbc-datasource`
-Specifies the name of the data source to use.
-
-### `odbc-user`
-Specifies the username that has to be used to log into the data source.
-
-### `odbc-pass`
-Specifies the user's password.
-
-### `odbc-table`
-Specifies the name of the table containing the zone information.
-
-The ODBC backend has been tested with Microsoft Access, MySQL (via MyODBC) and Microsoft SQLServer. As the SQL statements used are very basic, it is expected to work with many ODBC drivers.
-
-# XDB Backend
-No longer part of PowerDNS.
+++ /dev/null
-# Generic MySQL backend
-| | |
-|:--|:--|
-|Native|Yes|
-|Master|Yes|
-|Slave|Yes|
-|Superslave|Yes|
-|Autoserial|Yes (v3.1 and up)|
-|Case|All lower|
-|DNSSEC|Yes (set `gmysql-dnssec`)|
-|Disabled data|Yes (v3.4.0 and up)|
-|Comments|Yes (v3.4.0 and up)|
-|Module name | gmysql|
-|Launch name| gmysql|
-
-**warning**: If using MySQL with 'slave' support enabled in PowerDNS you **must**
-run MySQL with a table engine that supports transactions.
-In practice, great results are achieved with the 'InnoDB' tables. PowerDNS will
-silently function with non-transaction aware MySQLs but at one point this is
-going to harm your database, for example when an incoming zone transfer fails.
-
-The default schema is included at the bottom of this page. [`zone2sql`](migration.md#zone2sql)
-with the `--gmysql` flag also assumes this layout is in place. For full migration
-notes, please see [Migration](migration.md). This schema contains all elements
-needed for master, slave and superslave operation.
-
-When using the InnoDB storage engine, we suggest adding foreign key contraints
-to the tables in order to automate deletion of records, key material, and other
-information upon deletion of a domain from the domains table. The following SQL
-does the job:
-```
-!!include=../modules/gmysqlbackend/enable-foreign-keys.mysql.sql
-```
-
-# Using MySQL replication
-To support `NATIVE` domains, the `binlog_format` for the MySQL replication **must**
-be set to `MIXED` or `ROW` to prevent differences in data between replicated
-servers. See ["5.2.4.2, Setting The Binary Log Format"](http://dev.mysql.com/doc/refman/5.7/en/binary-log-setting.html)
-for more information.
-
-# Settings
-## `gmysql-host`
-Host (ip address) to connect to. Mutually exclusive with [`gmysql-socket`](#gmysql-socket).
-
-**WARNING:** When specified as a hostname a chicken/egg situation might arise
-where the database is needed to resolve the IP address of the database. It is
-best to supply an IP address of the database here.
-
-## `gmysql-port`
-The port to connect to on [`gmysql-host`](#gmysql-host). Default: 3306
-
-## `gmysql-socket`
-Connect to the UNIX socket at this path. Mutually exclusive with [`gmysql-host`](#gmysql-host).
-
-## `gmysql-dbname`
-Name of the database to connect to. Default: "pdns".
-
-## `gmysql-user`
-User to connect as. Default: "powerdns".
-
-## `gmysql-group`
-Group to connect as. Default: "client".
-
-## `gmysql-password`
-The password to for [`gmysql-user`](#gmysql-user).
-
-## `gmysql-dnssec`
-Enable DNSSEC processing for this backend. Default=no.
-
-## `gmysql-innodb-read-committed`
-Use the InnoDB READ-COMMITTED transaction isolation level. Default=yes.
-
-## `gmysql-timeout`
-The timeout in seconds for each attempt to read from, or write to the server. A value of 0 will disable the timeout. Default: 10
-
-# Default Schema
-```
-!!include=../modules/gmysqlbackend/schema.mysql.sql
-```
+++ /dev/null
-# Generic ODBC Backend
-| | |
-|:--|:--|
-|Native|Yes|
-|Master|Yes|
-|Slave|Yes|
-|Superslave|Yes|
-|Autoserial|Yes|
-|Case|All lower|
-|DNSSEC|Yes|
-|Disabled data|Yes|
-|Comments|Yes|
-|Module name|godbc|
-|Launch name|godbc|
-
-The Generic ODBC Backend (godbc) is a child of the Generic SQL (gsql) backend,
-similar to the gmysql and gpgsql backends. It uses [UnixODBC](http://www.unixodbc.org/)
-and installed drivers to connect to the databases supported by said drivers.
-
-**Warning**: When there is a more specific generic sql backend (like goracle or
-gmysql), it is highly recommended to use that backend instead!
-
-# Enabling the backend
-When building PowerDNS yourself, append `godbc` to `--with-modules` or
-`--with-dynmodules`. It is expected that most pre-built packages contain this
-backend or be separately installable.
-
-# Configuration Parameters
-This section only details the configuration of PowerDNS for use with ODBC. For
-ODBC related configuration, please see UnixODBC website/documentation and the
-documentation for the driver you intend to use.
-
-## `godbc-datasource`
-
-* String
-* Default: PowerDNS
-
-The datasource (DSN) to use. This must be configured in the `odbc.ini` file,
-usually found in `/etc/`, but this depends your local setup.
-
-## `godbc-username`
-
-* String
-* Default: powerdns
-
-The user to connect to the datasource.
-
-## `godbc-password`
-
-* String
-* Default is empty
-
-The password to connect with the datasource.
-
-# Connecting to Microsoft SQL Server
-**note**: In order to connect to Microsoft SQL Server, you will need at least
-version 3.2.0 of UnixODBC. FreeDTS has been tested with versions 0.91 and 0.95.
-
-Install the [FreeTDS](http://www.freetds.org/) driver for UnixODBC, either by
-compiling or getting it from our distribution's repository and configure your
-`/etc/odbcinst.ini` with the driver, e.g.:
-
-```
-[FreeTDS]
-Description=v0.95.8 with protocol v7.1
-Driver=/usr/local/lib/libtdsodbc.so
-UsageCount=1
-```
-
-And add the datasource to your `/etc/odbc.ini`, e.g:
-```
-[pdns1]
-Driver=FreeTDS
-Trace=No
-Server=server.example.net
-Port=1433
-Database=pdns-1
-TDS_Version=7.1
-```
-
-(For our tests, we add `ClientCharset=UTF-8` as well. YMMV.)
-
-You can now test the connection with `isql pdns1 USERNAME PASSWORD`.
-
-## Loading the schema into the database
-For convenience, a schema for MS SQL Server has been created:
-(Note: This schema can also be found in the PowerDNS source as
- `modules/godbcbackend/schema.mssql.sql`).
-
-```
-!!include=../modules/godbcbackend/schema.mssql.sql
-```
-
-Load this into the database as follows:
-`cat schema.mssql.sql | tr '\n' ' ' | isql pdns1 USERNAME PASSWORD -b`.
-
-## Loading records into the database
-Loading records is the same as with any SQL backend, just add them
-using SQL-queries. Should you want to use [`zone2sql`](migration.md#zone2sql),
-use the `--sqlite` option for correctly formatted SQL.
-
-## Configuring PowerDNS
-Add the options required to your `pdns.conf`:
-
-```
-launch=godbc
-godbc-datasource=pdns1
-godbc-username=USERNAME
-godbc-password=PASSWORD
-```
-
-Now restart PowerDNS and you're done. Just don't forget to add zones and
-records to the database.
-
-## Possible issues
-It might be that you need to compile FreeTDS with the `--tds-version=7.1` to
-connect to SQL Server.
-
-When connecting to a database hosted with Microsoft Azure, FreeTDS must be
-compiled with OpenSSL, use the `--with-openssl` configure flag.
+++ /dev/null
-# Generic Oracle backend
-| | |
-|:--|:--|
-|Native|Yes|
-|Master|Yes|
-|Slave|Yes|
-|Superslave|Yes|
-|Autoserial|Yes (v3.1 and up)|
-|Case|All lower|
-|DNSSEC|Yes (set `goracle-dnssec`)|
-|Disabled data|Yes (v3.4.0 and up)|
-|Comments|Yes (v3.4.0 and up)|
-|Module name | goracle|
-|Launch name| goracle|
-
-The Generic Oracle Backend is a [Generic SQL backend](backend-generic-sql.md).
-The default setup conforms to the following schema, which you should add to an
-Oracle database. You may need or want to add `namespace` statements.
-
-```
-!!include=../modules/goraclebackend/schema.goracle.sql
-```
-
-This schema contains all elements needed for master, slave and superslave operation.
-
-Inserting records is a bit different compared to MySQL and PostgreSQL, you should use:
-
-```
-INSERT INTO domains (id,name,type) VALUES (domains_id_sequence.nextval, 'example.net', 'NATIVE');
-```
-
-# Settings
-## `goracle-tnsname`
-Which TNSNAME the Generic Oracle Backend should be connecting to. There are no
-`goracle-dbname`, `goracle-host` or `goracle-port` settings, their equivalent is
-in `/etc/tnsnames.ora`.
-
-## `goracle-dnssec`
-Enable DNSSEC processing for this backend. Default=no.
-
-# Caveats
-## Password Expiry
-When your password is about to expire, and logging into oracle warns about this,
-the Generic Oracle backend can no longer login, and will a OCILogin2 warning.
-
-To work around this, either update the password in time or remove expiration
-from the account used.
+++ /dev/null
-# Generic PostgreSQL backend
-| | |
-|:--|:--|
-|Native|Yes|
-|Master|Yes|
-|Slave|Yes|
-|Superslave|Yes|
-|Autoserial|Yes (v3.1 and up)|
-|Case|All lower|
-|DNSSEC|Yes (set `gpgsql-dnssec`)|
-|Disabled data|Yes (v3.4.0 and up)|
-|Comments|Yes (v3.4.0 and up)|
-|Module name | gpgsql|
-|Launch name| gpgsql|
-
-This PostgreSQL backend is based on the [generic SQL backend](backend-generic-sql.md).
-The default setup conforms to the schema at the bottom of this page, note that
-[`zone2sql`](migration.md#zone2sql) with the `--gpgsql` flag also assumes this layout is in place.
-
-This schema contains all elements needed for master, slave and superslave operation.
-For full migration notes, please see [Migration](migration.md).
-
-With PostgreSQL, you may have to run `createdb pdns` first and then connect
-to that database with `psql pdns`, and feed it the schema above.
-
-# Settings
-## `gpgsql-host`
-Host (ip address) to connect to. If `pgsql-host` begins with a slash, it
-specifies Unix-domain communication rather than TCP/IP communication; the value
-is the name of the directory in which the socket file is stored.
-
-**WARNING:** When specified as a hostname a chicken/egg situation might arise
-where the database is needed to resolve the IP address of the database. It is
-best to supply an IP address of the database here.
-
-## `gpgsql-port`
-The port to connect to on [`gpgsql-host`](#gpgsql-host). Default: 5432
-
-## `gpgsql-dbname`
-Name of the database to connect to. Default: "pdns".
-
-## `gpgsql-user`
-User to connect as. Default: "powerdns".
-
-## `gpgsql-password`
-The password to for [`gpgsql-user`](#gpgsql-user).
-
-## `gpgsql-dnssec`
-Enable DNSSEC processing for this backend. Default=no.
-
-## `gpsql-extra-connection-parameters`
-Extra connection parameters to forward to postgres. If you want to pin a specific certificate for
-the connection you should set this to `sslmode=verify-full sslrootcert=<path-to-CA-cert>`. Accepted
-parameters are documented [in the PostgreSQL documentation](https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-PARAMKEYWORDS).
-
-# Default schema
-```
-!!include=../modules/gpgsqlbackend/schema.pgsql.sql
-```
-
+++ /dev/null
-# Generic SQL Backends
-The generic SQL backends (like gmysql, gpgsql and godbc) are backends with easily
-configurable SQL statements, allowing you to graft PowerDNS on any SQL database
-of your choosing. Because all database schemas will be different, a generic
-backend is needed to cover all needs.
-
-**Warning**: Host names and the MNAME of a SOA records are NEVER terminated with
-a '.' in PowerDNS storage! If a trailing '.' is present it will inevitably cause
-problems, problems that may be hard to debug.
-
-**Note**: Since 4.0.0, a root zone or record should have a name of '.' (no quotes).
-This is the only exception to the 'no terminating dot in SQL storage' rule.
-
-# Basic functionality
-All domains in the generic SQL backends have a 'type' field that describes the
-[mode of operation](modes-of-operation.md).
-
-## Native operation
-To add a domain, issue the following:
-
-```
-INSERT INTO domains (name, type) VALUES ('powerdns.com', 'NATIVE');
-```
-
-The records table can now be filled by with the domain\_id set to the id of the domains table row just inserted.
-
-## Slave operation
-These backends are fully slave capable. To become a slave of the 'example.com' domain, execute this:
-
-```
-INSERT INTO domains (name, master, type) VALUES ('example.com', '198.51.100.6', 'SLAVE');
-```
-
-And wait a while for PowerDNS to pick up the addition - which happens within one
-minute (this is determined by the [`slave-cycle-interval`](settings.md#slave-cycle-interval)
-setting). There is no need to inform PowerDNS that a new domain was added.
-Typical output is:
-
-```
-Apr 09 13:34:29 All slave domains are fresh
-Apr 09 13:35:29 1 slave domain needs checking
-Apr 09 13:35:29 Domain powerdns.com is stale, master serial 1, our serial 0
-Apr 09 13:35:30 [gPgSQLBackend] Connected to database
-Apr 09 13:35:30 AXFR started for 'powerdns.com'
-Apr 09 13:35:30 AXFR done for 'powerdns.com'
-Apr 09 13:35:30 [gPgSQLBackend] Closing connection
-```
-
-From now on, PowerDNS is authoritative for the 'powerdns.com' zone and will
-respond accordingly for queries within that zone.
-
-Periodically, PowerDNS schedules checks to see if domains are still fresh.
-The default [`slave-cycle-interval`](settings.md#slave-cycle-interval) is 60 seconds,
-large installations may need to raise this value. Once a domain has been checked,
-it will not be checked before its SOA refresh timer has expired. Domains whose
-status is unknown get checked every 60 seconds by default.
-
-PowerDNS has support for multiple masters per zone, separate master IP addresses
-by commas:
-
-```
-INSERT INTO domains (name, master, type) VALUES ('example.com', '198.51.100.6, 2001:0DB8:15:4AF::4', 'SLAVE');
-```
-
-## Superslave operation
-To configure a supermaster with IP address 203.0.113.53 which lists this
-installation as 'autoslave.example.com', issue the following:
-
-```
-INSERT INTO supermasters VALUES ('203.0.113.53', 'autoslave.example.com', 'internal');
-```
-
-From now on, valid notifies from 203.0.113.53 that list a NS record containing
-'autoslave.example.com' will lead to the provisioning of a slave domain under
-the account 'internal'. See [Supermaster](modes-of-operation.md#supermaster-automatic-provisioning-of-slaves)
-for details.
-
-## Master operation
-The generic SQL backend is fully master capable with automatic discovery of serial
-changes. Raising the serial number of a domain suffices to trigger PowerDNS to
-send out notifications. To configure a domain for master operation instead of
-the default native replication, issue:
-
-```
-INSERT INTO domains (name, type) VALUES ('powerdns.com', 'MASTER');
-```
-
-Make sure that the assigned id in the domains table matches the domain\_id field
-in the records table!
-
-## Disabled data
-PowerDNS understands the notion of disabled records. They are marked by setting
-"disabled" to `1` (for PostgreSQL: `true`). By extension, when the SOA record for
-a domain is disabled, the entire domain is considered to be disabled.
-
-Effects: the record (or domain, respectively) will not be visible to DNS clients.
-The REST API will still see the record (or domain). Even if a domain is disabled,
-slaving still works. Slaving considers a disabled domain to have a serial of 0;
-this implies that a slaved domain will not stay disabled.
-
-## Autoserial
-The autoserial functionality makes PowerDNS generate the SOA serial when the SOA
-serial set to `0` in the database. The serial in SOA responses is set to what's
-provided by `zone-lastchange-query`. By default, this is the highest value of the
-`change_date` field in the "records" table).
-
-
-# Handling DNSSEC signed zones
-To enable DNSSEC processing, the `backend-dnssec` option must be set to 'yes'.
-
-## Rules for filling out DNSSEC fields
-Two additional fields in the 'records' table are important: 'auth' and 'ordername'.
-These fields are set correctly on an incoming zone transfer, and also by running
-`pdnsutil rectify-zone`.
-
-The 'auth' field should be set to '1' for data for which the zone itself is
-authoritative, which includes the SOA record and its own NS records.
-
-The 'auth' field should be 0 however for NS records which are used for delegation,
-and also for any glue (A, AAAA) records present for this purpose. Do note that
-the DS record for a secure delegation should be authoritative!
-
-The 'ordername' field needs to be filled out depending on the NSEC/NSEC3 mode.
-When running in NSEC3 'Narrow' mode, the ordername field is ignored and best
-left empty. In NSEC/NSEC3 mode, the ordername field should be NULL for any glue
-but filled in for all delegation NS records and all authoritative records. In
-NSEC3 opt-out mode, ordername is NULL for any glue and insecure delegation NS
-records, but filled in for secure delegation NS records and all authoritative records.
-
-In 'NSEC' mode, it should contain the *relative* part of a domain name, in reverse
-order, with dots replaced by spaces. So 'www.uk.powerdnssec.org' in the
-'powerdnssec.org' zone should have 'uk www' as its ordername.
-
-In 'NSEC3' non-narrow mode, the ordername should contain a lowercase base32hex
-encoded representation of the salted & iterated hash of the full record name.
-`pdnsutil hash-zone-record zone record` can be used to calculate this hash.
-
-In addition, PowerDNS fully supports empty non-terminals. If you have a zone
-example.com, and a host a.b.c.example.com in it, rectify-zone (and the AXFR
-client code) will insert b.c.example.com and c.example.com in the records table
-with type NULL (SQL NULL, not 'NULL'). Having these entries provides several benefits.
-We no longer reply NXDOMAIN for these shorter names (this was an RFC violation
-but not one that caused trouble). But more importantly, to do NSEC3 correctly,
-we need to be able to prove existence of these shorter names. The type=NULL
-records entry gives us a place to store the NSEC3 hash of these names.
-
-If your frontend does not add empty non-terminal names to records, you will get
-DNSSEC replies of 3.1-quality, which has served many people well, but might lead
-to issues in the future.
-
-# Queries
-From version 4.0.0 onward, the generic SQL backends use prepared statements for
-their queries. Before 4.0.0, queries were expanded using the C function 'snprintf'
-which implies that substitutions are performed on the basis of %-placeholders.
-
-To see the default queries for a backend, run
-`pdns_server --no-config --launch=BACKEND --config`.
-
-## Regular Queries
-For regular operation, several queries are used for record-lookup. These queries
-must return the following fields in order:
-
-- content: This is the 'right hand side' of a DNS record. For an A record, this is the IP address for example.
-- ttl: TTL of this record, in seconds. Must be a positive integer, no checking is performed.
-- prio: For MX and SRV records, this should be the priority of the record specified.
-- qtype: The ASCII representation of the qtype of this record. Examples are 'A', 'MX', 'SOA', 'AAAA'. Make sure that this field returns an exact answer - PowerDNS won't recognise 'A ' as 'A'. This can be achieved by using a VARCHAR instead of a CHAR.
-- domain\_id: Unique identifier for this domain. This id must be unique across all backends. Must be a positive integer.
-- name: Actual name of a record. Must not end in a '.' and be fully qualified - it is not relative to the name of the domain!
-- disabled: Boolean, if set to true, this record is hidden from DNS clients, but can still be modified from the REST API. See [Disabled data](#disabled-data). (Available since version 3.4.0.)
-- auth: A boolean describing if PowerDNS is authoritative for this record (DNSSEC)
-
-Please note that the names of the fields are not relevant, but the order is!
-
-- `basic-query`: This is the most used query, needed for doing 1:1 lookups of qtype/name values.
-- `id-query`: Used for doing lookups within a domain.
-- `any-query`: For doing ANY queries. Also used internally.
-- `any-id-query`: For doing ANY queries within a domain. Also used internally.
-- `list-query`: For doing AXFRs, lists all records in the zone. Also used internally.
-- `list-subzone-query`: For doing RFC 2136 DNS Updates, lists all records below a zone.
-- `search-records-query`: To search for records on name and content.
-
-## DNSSEC queries
-These queries are used by e.g. `pdnsutil rectify-zone`. Make sure to read
-[Rules for filling out fields in database backends](dnssec.md#rules-for-filling-out-fields-in-database-backends)
-if you wish to calculate ordername and auth without using pdns-rectify.
-
-- `insert-empty-non-terminal-order--query`: Insert empty non-terminal in zone.
-- `delete-empty-non-terminal-query`: Delete an empty non-terminal in a zone.
-- `remove-empty-non-terminals-from-zone-query`: remove all empty non-terminals from zone.
-
-- `get-order-first-query`: DNSSEC Ordering Query, first.
-- `get-order-before-query`: DNSSEC Ordering Query, before.
-- `get-order-after-query`: DNSSEC Ordering Query, after.
-- `get-order-last-query`: DNSSEC Ordering Query, last.
-- `update-ordername-and-auth-query`: DNSSEC update ordername and auth for a qname query.
-- `update-ordername-and-auth-type-query`: DNSSEC update ordername and auth for a rrset query.
-- `nullify-ordername-and-update-auth-query`: DNSSEC nullify ordername and update auth for a qname query.
-- `nullify-ordername-and-update-auth-type-query`: DNSSEC nullify ordername and update auth for a rrset query.
-
-## Domain and zone manipulation
-
-- `is-our-domain-query`: Checks if the domain (either id or name) is in the 'domains' table. This query is run before any other (possibly heavy) query.
-
-- `insert-zone-query`: Add a new domain. This query also requires the type, masters and account fields
-- `update-kind-query`: Called to update the type of domain.
-- `delete-zone-query` Called to delete all records of a zone. Used before an incoming AXFR.
-- `delete-domain-query`: Called to delete a domain from the domains-table.
-
-- `get-all-domains-query`: Used to get information on all active domains.
-- `info-zone-query`: Called to retrieve (nearly) all information for a domain.
-
-- `insert-record-query`: Called during incoming AXFR.
-- `update-account-query`: Set the account for a domain.
-- `delete-names-query`: Called to delete all records of a certain name.
-- `delete-rrset-query`: Called to delete an RRset based on domain\_id, name and type.
-
-- `get-all-domain-metadata-query`: Get all [`domain metadata`](domainmetadata.md) for a domain.
-- `get-domain-metadata-query`: Get a single piece of [`domain metadata`](domainmetadata.md).
-- `clear-domain-metadata-query`: Delete a single entry of domain metadata.
-- `clear-domain-all-metadata-query`: Remove all domain metadata for a domain.
-- `set-domain-metadata-query`: Add domain metadata for a zone.
-
-- `add-domain-key-query`: Called to a cryptokey to a domain.
-- `list-domain-keys-query`: Called to get all cryptokeys for a domain.
-- `activate-domain-key-query`: Called to set a cryptokey to active.
-- `deactivate-domain-key-query`: Called to set a cryptokey to inactive.
-- `clear-domain-all-keys-query`: Called to remove all DNSSEC keys for a zone.
-- `remove-domain-key-query`: Called to remove a crypto key.
-
-## Master/slave queries
-These queries are used to manipulate the master/slave information in the database.
-Most installations will have zero need to change the following queries.
-
-### On masters
-- `info-all-master-query`: Called to get data on all domains for which the server is master.
-- `update-serial-query` Called to update the last notified serial of a master domain.
-- `zone-lastchange-query`: Called to determine the last change to a zone, used for autoserial.
-
-### On slaves
-- `info-all-slaves-query`: Called to retrieve all slave domains.
-- `master-zone-query`: Called to determine the master of a zone.
-- `update-lastcheck-query`: Called to update the last time a slave domain was successfully checked for freshness.
-- `update-master-query`: Called to update the master address of a domain.
-
-### On superslaves
-- `supermaster-query`: Called to determine if a certain host is a supermaster for a certain domain name.
-- `supermaster-name-to-ips`: Called to the IP and account for a supermaster.
-
-## TSIG
-- `get-tsig-key-query`: Called to get the algorithm and secret from a named TSIG key.
-- `get-tsig-keys-query`: Called to get all TSIG keys.
-- `set-tsig-key-query`: Called to set the algorithm and secret for a named TSIG key.
-- `delete-tsig-key-query`: Called to delete a named TSIG key.
-
-## Comment queries
-For listing/modifying comments.
-
-- `list-comments-query`: Called to get all comments in a zone. Returns fields: domain\_id, name, type, modified\_at, account, comment.
-- `insert-comment-query` Called to create a single comment for a specific RRSet. Given fields: domain\_id, name, type, modified\_at, account, comment
-- `delete-comment-rrset-query`: Called to delete all comments for a specific RRset. Given fields: domain\_id, name, type
-- `delete-comments-query`: Called to delete all comments for a zone. Usually called before deleting the entire zone. Given fields: domain\_id
-- `search-comments-query`: Called to search for comment by name or content.
-
-## Specifying queries
-The queries above are specified in pdns.conf. For example, the basic-query for
-the Generic MySQL backend would appear as:
-
-```
-gmysql-basic-query=SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and type=? and name=?
-```
-
-Queries can span multiple lines, like this:
-
-```
-gmysql-basic-query=SELECT content,ttl,prio,type,domain_id,disabled,name,auth \
-FROM records WHERE disabled=0 and type=? and name=?
-```
+++ /dev/null
-# Generic SQLite backend
-| | |
-|:--|:--|
-|Native|Yes|
-|Master|Yes|
-|Slave|Yes|
-|Superslave|Yes|
-|DNSSEC|Yes|
-|Disabled data|Yes|
-|Comments|Yes|
-|Module name|gsqlite3|
-|Launch name|gsqlite3|
-
-**Warning**: When importing large amounts of data, be sure to run 'analyze;'
-afterwards as SQLite3 has a tendency to use sub-optimal indexes otherwise.
-
-This backend retrieves all data from a SQLite database, which is an RDBMS that's
-embedded into the application itself, so you won't need to be running a separate
-server process. It also reduces overhead, and simplifies installation. At
-[www.sqlite.org](http://www.sqlite.org) you can find more information about SQLite.
-
-As this is a generic backend, built on top of the gSql framework, you can
-specify all queries as documented in
-[Generic SQL Backends](backend-generic-sql.md#queries).
-
-SQLite exists in two incompatible versions, PowerDNS only supports version 3. To
-launch the backend, put `launch=gsqlite3` in the configuration.
-
-## Setting up the database
-Before you can use this backend you first have to set it up and fill it with
-data. The default setup conforms to the following schema:
-
-```
-!!include=../modules/gsqlite3backend/schema.sqlite3.sql
-```
-
-This schema contains all elements needed for master, slave and superslave operation.
-
-After you have created the database you probably want to fill it with data. If
-you have a BIND zone file it's as easy as:
-`zone2sql --named-conf=/path/to/named.conf --gsqlite | sqlite3 powerdns.sqlite3`, but you can
-also use AXFR (or insert data manually).
-
-To communicate with a SQLite database, use the `sqlite3` program, and feed it SQL.
-
-## Configuration Parameters
-These are the configuration file parameters that are available for the gsqlite3 backend.
-
-### `gsqlite3-database`
-Path to the SQLite3 database.
-
-### `gsqlite3-pragma-synchronous`
-Set this to 0 for blazing speed.
-
-### `gsqlite3-pragma-foreign-keys`
-Enable foreign key constraints.
-
-### `gsqlite3-dnssec`
-Enable DNSSEC processing.
-
-## Using the SQLite backend
-The last thing you need to do is telling PowerDNS to use the SQLite backend.
-
-```
-# in pdns.conf
-launch=gsqlite3
-gsqlite3-database=<path to your SQLite database>
-```
-
-Then you can start PowerDNS and it should notify you that a connection to the
-database was made.
-
-## Compiling the SQLite backend
-Before you can begin compiling PowerDNS with the SQLite backend you need to have
-the SQLite utility and library installed on your system. You can download these
-from <http://www.sqlite.org/download.html>, or you can use packages
-(if your distribution provides those).
-
-When you've installed the library you can use:
-`./configure --with-modules="gsqlite3"` to configure PowerDNS to use the SQLite
-backend. Compilation can then proceed as usual.
-
-SQLite is included in most PowerDNS binary releases.
-
+++ /dev/null
-# GeoIP backend
-
-| | |
-|:--|:--|
-|Native|Yes|
-|Master|No|
-|Slave|No|
-|Superslave|No|
-|Autoserial|No|
-|DNSSEC|Yes|
-
-This backend allows visitors to be sent to a server closer to them, with no appreciable delay, as would otherwise be incurred with a protocol level redirect. Additionally, the Geo Backend can be used to provide service over several clusters, any of which can be taken out of use easily, for example for maintenance purposes. This backend can utilize EDNS Client Subnet extension for decision making, if provided in query and you have turned on (edns-subnet-processing)[settings.md#edns-subnet-processing].
-
-## Prerequisites
-To compile the backend, you need libyaml-cpp 0.5 or later and libgeoip.
-
-You must have geoip database available. As of writing, on debian/ubuntu systems, you can use apt-get install geoip-database to get one, and the backend is configured to use the location where these files are installed as source. On other systems you might need to alter the database-file and database-file6 attribute. If you don't need ipv4 or ipv6 support, set the respective setting to "". Leaving it unset leaves it pointing to default location, preventing the software from starting up.
-
-## Configuration Parameters
-These are the configuration file parameters that are available for the GeoIP backend. geoip-zones-files is the only thing you must set, if the defaults suite you.
-
-### `geoip-database-file`
-Before 4.0.0. Specifies the full path of the data file for IPv4 to use.
-
-### `geoip-database-file6`
-Before 4.0.0. Specifies the full path of the data file for IPv6 to use.
-
-### `geoip-database-files`
-After 4.0.0. Comma, tab or space separated list of files to open. You can use [geoip-cvs-to-dat](https://github.com/dankamongmen/sprezzos-world/blob/master/packaging/geoip/debian/src/geoip-csv-to-dat.cpp) to generate your own.
-
-### `geoip-database-cache`
-Specifies the kind of caching that is done on the database. This is one of
-"standard", "memory", "index" or "mmap". These options map to the caching
-options described [here](https://github.com/maxmind/geoip-api-c/blob/master/README.md#memory-caching-and-other-options)
-
-### `geoip-zones-file`
-Specifies the full path of the zone configuration file to use.
-
-### `geoip-dnssec-keydir`
-Specifies the full path of a directory that will contain DNSSEC keys. This option enables DNSSEC on the backend. Keys can be created/managed with `pdnsutil`, and the backend stores these keys in files with key flags and active/disabled state encoded in the key filenames.
-
-## Zonefile format
-Zone configuration file uses YAML syntax. Here is simple example. Note that the ‐ before certain keys is part of the syntax.
-
-Before 4.0.0:
-
-```
-domains:
-- domain: geo.example.com
- ttl: 30
- records:
- geo.example.com:
- - soa: ns1.example.com hostmaster.example.com 2014090125 7200 3600 1209600 3600
- - ns: ns1.example.com
- - ns: ns2.example.com
- - mx: 10 mx.example.com
- fin.eu.service.geo.example.com:
- - a: 192.0.2.1
- - txt: hello world
- - aaaa: 2001:DB8::12:34DE:3
- services:
- service.geo.example.com: '%co.%cn.service.geo.example.com'
-```
-
-From 4.0.0:
-
-```
-domains:
-- domain: geo.example.com
- ttl: 30
- records:
- geo.example.com:
- - soa: ns1.example.com hostmaster.example.com 2014090125 7200 3600 1209600 3600
- - ns:
- content: ns1.example.com
- ttl: 600
- - ns: ns2.example.com
- - mx: 10 mx.example.com
- fin.eu.service.geo.example.com:
- - a: 192.0.2.2
- - txt: hello world
- - aaaa: 2001:DB8::12:34DE:3
-# this will result first record being handed out 30% of time
- swe.eu.service.geo.example.com:
- - a:
- content: 192.0.2.3
- weight: 50
- - a: 192.0.2.4
- services:
-# syntax 1
- service.geo.example.com: '%co.%cn.service.geo.example.com'
-# syntax 2
- service.geo.example.com: [ '%co.%cn.service.geo.example.com', '%cn.service.geo.example.com']
-# alternative syntax
- services:
- service.geo.example.com:
- default: [ '%co.%cn.service.geo.example.com', '%cn.service.geo.example.com' ]
- 10.0.0.0/8: 'internal.service.geo.example.com'
-```
-
-### Keys explained
-* **domains**: Mandatory root key. All configuration is below this
-* **domain**: Defines a domain. You need ttl, records, services under this.
-* **ttl**: TTL value for all records
-* **records**: Put fully qualified name as subkey, under which you must define at least soa: key. Note that this is an array of records, so ‐ is needed for the values.
-* **services**: Defines one or more services for querying. The format supports following placeholders, %% = %, %co = 3-letter country, %cn = continent, %af = v4 or v6. There are also other specifiers that will only work with suitable database and currently are untested. These are %re = region, %na = Name (such as, organisation), %ci = City. If the record which a service points to exists under "records" then it is returned as a direct answer. If it does not exist under "records" then it is returned as a CNAME.
-* From 4.1.0, you can also use %cc = 2 letter country code
-* From 4.0.0, you can also use %as = ASn, %ip = Remote IP
-* From 4.0.0, you can also use additional specifiers. These are %hh = hour, %dd = day, %mo = month, %mos = month as short string, %wd = weekday (as number), %wds weekday as short string.
-* From 4.0.0, scopeMask is set to most specific value, in case of date/time modifiers it will be 32 or 128, but with the others it is set to what geoip says it used for matching.
-* From 4.0.0, You can add per-network overrides for format, they will be formatted with the same placeholders as default. Default is short-hand for adding 0.0.0.0/0 and ::/0. Default is default when only string is given for service name.
-* From 4.0.0, You can use array to specify return values, works only if you have those records specified. It matches the format results to your records, and if it finds match that is used. Otherwise the last is returned.
-* From 4.0.0, You can apply all the attributes for the content of static records too.
-* From 4.0.0, You can use record attributes to set TTL.
-* From 4.0.0, You can use record attributes to define weight. If this is given, only one record is chosen randomly based on the weight. **DO NOT** mix record types for these. It will not work. PROBABILITY is calculated by summing up the weights and dividing each weight with the sum.
-**WARNING**: If you use ip or time/date specifiers, caching will be disabled for that RR completely. That means, if you have a
-
- something.example.com:
- - a: 1.2.3.4
- - txt: "your ip is %ip"
-
-then caching will not happen for any records of something.example.com. If you need to use TXT for debugging, make sure you use dedicated name for it.
-
-**WARNING**: If your services match wildcard records in your zone file then these will be returned as CNAMEs. This will only be an issue if you are trying to use a service record at the apex of your domain where you need other record types to be present (such as NS and SOA records.) Per RFC2181, CNAME records cannot appear in the same label as NS or SOA records.
+++ /dev/null
-# LDAP backend
-As of PowerDNS Authoritative Server 4.0.0, the LDAP backend is fully supported.
-
-**Warning**: Grégory Oestreicher has forked the LDAP backend shortly before our 3.2 release, after which a lot of development happened in a short time. We are working to upstream this work.
-
-The original author for this module is Norbert Sendetzky. This page is based on the content from his [LDAPbackend wiki section](http://wiki.linuxnetworks.de/index.php/PowerDNS_ldapbackend) as copied in February 2016, and edited from there.
-
-**Warning**: Host names and the MNAME of a SOA records are NEVER terminated with a '.' in PowerDNS storage! If a trailing '.' is present it will inevitably cause problems, problems that may be hard to debug.
-
-| | |
-|:--|:--|
-|Native|Yes|
-|Master|No|
-|Slave|No|
-|Superslave|No|
-|Autoserial|No|
-|DNSSEC|No|
-|Disabled data|No|
-|Comments|No|
-|Module name|`ldap`|
-|Launch name|`ldap`|
-
-# Introduction
-
-## Rationale
-The LDAP backend enables PowerDNS to retrieve DNS information from any standard compliant LDAP server.
-This is extremely handy if information about hosts is already stored in an LDAP tree.
-
-## Schemas
-
-The schema is based on the 'uninett' dnszone schema, with a few types added by number as designed in that schema:
-
-```
-!!include=../modules/ldapbackend/dnsdomain2.schema
-```
-
-The LDAP dnsdomain2 schema contains the additional object descriptions which are required by the LDAP server to check the validity of entries when they are added.
-Please consult the documentation of the LDAP server to find out how to add this schema to the server.
-
-# Installation
-The LDAP backend can be compiled by adding `ldap` to either the `--with-modules` or `--with-dynmodules` `configure` options.
-
-When using packages, the `pdns-backend-ldap` package should be installed.
-
-# Configuration options
-There are a few options through the LDAP DNS backend can be configured.
-Add them to the `pdns.conf` file.
-
-To launch the ldap backend:
-
-```
-launch=ldap
-```
-
-## `ldap-host`
-(default "ldap://127.0.0.1:389/") : The values assigned to this parameter can be LDAP URIs (e.g. `ldap://127.0.0.1/` or `ldaps://127.0.0.1/`) describing the connection to the LDAP server.
-There can be multiple LDAP URIs specified for load balancing and high availability if they are separated by spaces.
-In case the used LDAP client library doesn't support LDAP URIs as connection parameter, use plain host names or IP addresses instead (both may optionally be followed by a colon and the port).
-
-## `ldap-starttls`
-(default "no") : Use TLS encrypted connections to the LDAP server. This is only allowed if ldap-host is a <ldap://> URI or a host name / IP address.
-
-## `ldap-timeout`
-(default: "5") : The number of seconds to wait for LDAP operations to complete.
-
-## `ldap-reconnect-attempts`
-(default: "5") : The number of attempts to make to re-establish a lost connection to the LDAP server.
-
-## `ldap-authmethod`
-(default: "simple") : How to authenticate to the LDAP server. Actually only two methods are supported: "simple", which uses the classical DN / password, or "gssapi", which requires a Kerberos keytab.
-
-## `ldap-binddn`
-(default "") : Path to the object to authenticate against. Should only be used, if the LDAP server doesn't support anonymous binds and with the "simple" authmethod.
-
-## `ldap-secret`
-(default "") : Password for authentication against the object specified by ldap-binddn. Only used when "authmethod" is "simple".
-
-## `ldap-krb5-keytab`
-(default: "") : Full path to the keytab file to use to authenticate. This is only used when "authmethod" is set to "gssapi". The keytab must, ideally, contain only one principal (or to put it otherwise, only the first principal found in the keytab will be used).
-
-## `ldap-krb5-ccache`
-(default: "") : Full path to the Kerberos credential cache file to use. Actually only files are supported, and the "FILE:" prefix must not be set. The PowerDNS process must be able to write to this file and it *must* be the only one able to read it.
-
-## `ldap-basedn`
-(default "") : The PowerDNS LDAP DNS backend searches below this path for objects containing the specified DNS information. The retrieval of attributes is limited to this subtree. This option must be set to the path according to the layout of your LDAP tree, e.g. ou=hosts,o=linuxnetworks,c=de is the DN to my objects containing the DNS information.
-
-## `ldap-method`
-(default "simple") :
-
- - `simple`: Search the requested domain by comparing the associatedDomain attributes with the domain string in the question.
- - `tree`: Search entires by translating the domain string into a LDAP dn. Your LDAP tree must be designed in the same way as the DNS LDAP tree. The question for "myhost.linuxnetworks.de" would translate into "dc=myhost,dc=linuxnetworks,dc=de,ou=hosts=..." and the entry where this dn points to would be evaluated for dns records.
- - `strict`: Like simple, but generates PTR records from aRecords or aAAARecords. Using "strict", zone transfers for reverse zones are not possible.
-
-## `ldap-filter-axfr`
-(default "(:target:)" ) : LDAP filter for limiting AXFR results (zone transfers), e.g. (&(:target:)(active=yes)) for returning only entries whose attribute "active" is set to "yes".
-
-## `ldap-filter-lookup`
-(default "(:target:)" ) : LDAP filter for limiting IP or name lookups, e.g. (&(:target:)(active=yes)) for returning only entries whose attribute "active" is set to "yes".
-
-# Master Mode
-
-Schema update
--------------
-
-First off adding master support to the LDAP backend needs
-a schema update. This is required as some metadata must
-be stored by PowerDNS, such as the last successful transfer
-to slaves. The new schema is available in
-schema/pdns-domaininfo.schema.
-
-Once the schema is loaded the zones for which you want to
-be a master must be modified. The dn of the SOA record
-*must* have the object class `PdnsDomain`, and thus the
-`PdnsDomainId` attribute. This attribute is an integer
-that *must* be unique across all zones served by the
-backend. Furthermore the `PdnsDomainType` must be equal
-to 'master' (lower case).
-
-Example
--------
-
-Here is an example LDIF of a zone that's ready for master
-operation (assuming the 'tree' style):
-
-```
-dn: dc=example,dc=com,ou=dns,dc=mycompany,dc=com
-objectClass: top
-objectClass: domainRelatedObject
-objectClass: dNSDomain2
-objectClass: PdnsDomain
-dc: example
-associatedDomain: example.com
-nSRecord: ns1.example.com
-sOARecord: ns1.example.com. hostmaster.example.com. 2013031101 1800 600 1209600 600
-mXRecord: 10 mx1.example.com
-PdnsDomainId: 1
-PdnsDomainType: master
-PdnsDomainMaster: 192.168.0.2
-```
-
-You should have one attribute `PdnsDomainMaster` per
-master serving this zone.
-
-# Example
-## Tree design
-The DNS LDAP tree should be designed carefully to prevent mistakes, which are hard to correct afterwards.
-The best solution is to create a subtree for all host entries which will contain the DNS records.
-This can be done the simple way or in a tree style.
-
-DN of a simple style example record (e.g. myhost.example.com):
-
-`dn:dc=myhost,dc=example,ou=hosts,...`
-
-DN of a tree style example record (e.g. myhost.test.example.com):
-
-`dn:dc=myhost,dc=test,dc=example,dc=com,ou=hosts,...`
-
-## Basic objects
-Each domain (or zone for BIND users) must include one object containing a SOA (Start Of Authority) record. This requirement applies to both forward and reverse zones.
-This object can also contain the attribute for a MX (Mail eXchange) and one or more NS (Name Server) records.
-These attributes allow one or more values, e.g. for a backup mail or name server:
-
-```
-dn:dc=example,ou=hosts,o=example,c=com
-objectclass:top
-objectclass:dcobject
-objectclass:dnsdomain
-objectclass:domainrelatedobject
-dc:example
-soarecord:ns.example.com me@example.com 1 1800 3600 86400 7200
-nsrecord:ns.example.com
-mxrecord:10 mail.example.com
-mxrecord:20 mail2.example.com
-associateddomain:example.com
-```
-
-A simple mapping between name and IP address can be specified by an object containing an `arecord` and an `associateddomain`.
-
-```
-dn:dc=server,dc=example,ou=hosts,o=example,c=de
-objectclass:top
-objectclass:dnsdomain
-objectclass:domainrelatedobject
-dc:server
-arecord:10.1.0.1
-arecord:192.168.0.1
-associateddomain:server.example.com
-```
-
-Be aware of the fact that these examples work if `ldap-method` is `simple` or `strict`.
-For tree mode, all DNs will have to be modified according to the algorithm described in the section above.
-
-## Wildcards
-Wild-card domains are possible by using the asterisk in the `associatedDomain` value like it is used in the bind zone files.
-The "dc" attribute can be set to any value in simple or strict mode - this doesn't matter.
-
-```
-dn:dc=any,dc=example,ou=hosts,o=example,c=de
-objectclass:top
-objectclass:dnsdomain
-objectclass:domainrelatedobject
-dc:any
-arecord:192.168.0.1
-associateddomain:*.example.com
-```
-
-In tree mode wild-card entries has to look like this instead:
-
-```
-dn:dc=*,dc=example,dc=de,ou=hosts,o=example,c=de
-objectclass:top
-objectclass:dnsdomain
-objectclass:domainrelatedobject
-dc:*
-arecord:192.168.0.1
-associateddomain:*.example.com
-```
-
-## Aliases
-Aliases for an existing DNS object have to be defined in a separate LDAP object.
-One object should be create per alias (this is a must in tree mode) or add all aliases (as values of `associateddomain`) to one object.
-The only thing which is not allowed is to create loops by using the same name in `associateddomain` and in `cnamerecord`.
-
-```
-dn:dc=server-aliases,dc=example,ou=hosts,o=example,c=de
-objectclass:top
-objectclass:dnsdomain
-objectclass:domainrelatedobject
-dc:server-aliases
-cnamerecord:server.example.com
-associateddomain:proxy.example.com
-associateddomain:mail2.example.com
-associateddomain:ns.example.com
-```
-
-Aliases are optional.
-All alias domains can also be added to the associateddomain attribute.
-The only difference is that these additional domains aren't recognized as aliases anymore, but instead as a normal `arecord`:
-
-```
-dn:dc=server,dc=example,ou=hosts,o=example,c=de
-objectclass:top
-objectclass:dnsdomain
-objectclass:domainrelatedobject
-dc:server
-arecord:10.1.0.1
-associateddomain:server.example.com
-associateddomain:proxy.example.com
-associateddomain:mail2.example.com
-associateddomain:ns.example.com
-```
-
-## Reverse lookups
-Currently there are two options: Set `ldap-method` to `strict` to have the code automatically derive PTR records from A and AAAA records in the tree. Or, in `simple` and `tree` modes, create additional objects explictly mapping each address to a PTR record.
-
-For `strict` or `simple` modes, first create an object with an SOA record for the reverse-lookup zone(s) corresponding to the A and AAAA records that will be served:
-
-```
-dn:dc=1.10.in-addr.arpa,ou=hosts,o=example,c=de
-objectclass:top
-objectclass:dnsdomain2
-objectclass:domainrelatedobject
-dc:1.10.in-addr.arpa
-soarecord:ns.example.com me@example.com 1 1800 3600 86400 7200
-nsrecord:ns.example.com
-associateddomain:1.10.in-addr.arpa
-```
-
-In `strict` mode, no other objects are required -- reverse queries that correspond to an arecord or aaaarecord of an existing object will be automagically serviced using the associateddomain entry of that object.
-
-In `simple` mode, you must then create objects for each reverse mapping:
-```
-dn:dc=1.0,dc=1.10.in-addr.arpa,ou=hosts,o=example,c=de
-objectclass:top
-objectclass:dnsdomain2
-objectclass:domainrelatedobject
-dc:1.0
-ptrrecord:server.example.com
-associateddomain:1.0.1.10.in-addr.arpa
-```
-
-Tree mode requires each component to be a dc element of its own:
-
-```
-dn:dc=1,dc=0,dc=1,dc=10,dc=in-addr,dc=arpa,ou=hosts,o=example,c=de
-objectclass:top
-objectclass:dnsdomain2
-objectclass:domainrelatedobject
-dc:1
-ptrrecord:server.example.com
-associateddomain:1.0.1.10.in-addr.arpa
-```
-
-To use this kind of record, add the dnsdomain2 schema to the configuration of ther LDAP server.
-
-**CAUTION:** `ldap-method=strict` can not be used if zone transfers (AXFR) are needed to other name servers.
-Distributing zones can only be done directly via LDAP replication in this case, because for a full zone transfer the reverse records are missing.
-
-# Migration
-## BIND zone files
-There is a small utility in the PowerDNS distribution available called [`zone2ldap`](../manpages/zone2ldap.1.md), which can convert zone files used by BIND to the ldif format.
-Ldif is a text file format containing information about LDAP objects and can be read by every standard compliant LDAP server.
-`zone2ldap` needs the BIND `named.conf` (usually located in /etc) as input and writes the dns record entries in ldif format to stdout:
-
-```
-zone2ldap
- --basedn=YOUR_BASE_DN \
- --named-conf=PATH_TO_NAMED_CONF \
- --resume > zones.ldif
-```
-
-Alternatively zone2ldap can be used to convert only single zone files instead all zones:
-
-```
-zone2ldap
- --basedn=YOUR_BASE_DN \
- --zone-file=PATH_TO_ZONE_FILE \
- --zone-name=NAME_OF_ZONE \
- --resume > zone.ldif
-```
-
-See [its manpage](../manpages/zone2ldap.1.md) for a complete list of options.
-
-## Bind LDAP backend
-When coming from the [Bind LDAP sdb backend](http://bind9-ldap.bayour.com/), the records can be kept in the LDAP tree also for the PowerDNS LDAP backend.
-The schemas both backends utilize is almost the same except for one important thing:
-Domains for PowerDNS are stored in the attribute "associatedDomain" whereas Bind stores them split in "relativeDomainName" and "zoneName".
-
-There is a [migration script](http://www.linuxnetworks.de/pdnsldap/bind2pdns-ldap) which creates a file in LDIF format with the necessary LDAP updates including the "associatedDomain" and "dc" attributes.
-The utility is executed on the command line by:
-
-```
-./bind2pdns-ldap
- --host=HOSTNAME_OR_IP \
- --basedn=YOUR_BASE_DN \
- --binddn=ADMIN_DN > update.ldif
-```
-
-The parameter "host" and "basedn" are mandatory, "binddn" is optional.
-If "binddn" is given, the script will prompt for a password, otherwise an anonymous bind is executed.
-The updates in LDIF format are written to stdout and can be redirected to a file.
-
-The script requires Perl and the Perl Net::LDAP module and can be downloaded [here](http://www.linuxnetworks.de/pdnsldap/bind2pdns-ldap).
-
-Updating the entries in the LDAP tree requires to make the dnsdomain2 schema known to the LDAP server.
-Unfortunately, both schemas (dnsdomain2 and dnszone) share the same record types and use the same OIDs so the LDAP server can't use both schemas at the same time.
-The solution is to add the [dnsdomain2 schema](http://www.linuxnetworks.de/pdnsldap/dnsdomain2.schema) and replace the dnszone schema by the [dnszone-migrate schema](http://www.linuxnetworks.de/pdnsldap/dnszone-migrate.schema).
-After restarting the LDAP server attributes from both schemas can be used and updating the objects in the LDAP tree using the LDIF file generated from `bind2pdns-ldap` will work without errors.
-
-## Other name server
-The easiest way for migrating DNS records is to use the output of a zone transfer (AXFR).
-Save the output of the `dig` program provided by bind into a file and call `zone2ldap` with the file name as option to the `--zone-file` parameter.
-This will generate the appropriate ldif file, which can be imported into the LDAP tree.
-The bash script except below automates this:
-
-```
-DNSSERVER=127.0.0.1
-DOMAINS="example.com 10.10.in-addr.arpa"
-
-for DOMAIN in $DOMAINS; do
- dig @$DNSSERVER $DOMAIN AXFR> $DOMAIN.zone;
- zone2ldap --zone-name=$DOMAIN --zone-file=$DOMAIN.zone> $DOMAIN.ldif;
-done
-```
-
-# Optimization
-## LDAP indices
-To improve performance, the LDAP server can maintain indices on certain attributes.
-This leads to much faster searches for these type of attributes.
-
-The LDAP DNS backend mainly searches for values in `associatedDomain`, so maintaining an index (pres,eq,sub) on this attribute is a big performance improvement:
-
-```
-indexassociatedDomain pres,eq,sub
-```
-
-Furthermore, if `ldap-method=strict` is set, it uses the aRecord and aAAARecord attribute for reverse mapping of IP addresses to names.
-To maintain an index (pres,eq) on these attributes also improves performance of the LDAP server:
-
-```
-indexaAAARecord pres,eq
-indexaRecord pres,eq
-```
-
-All other attributes than associatedDomain, aRecord or aAAARecord are only read if the object matches the specified criteria.
-Thus, maintaining an index on these attributes is useless.
-
-If the DNS-entries were added before adding these statements to `slapd.conf`, the LDAP server will have to be stopped and `slapindex` should be used on the command line.
-This will generate the indices for already existing attributes.
-
-## dNSTTL attribute
-Converting the string in the dNSTTL attribute to an integer is a time consuming task.
-If no separate TTL value for each entry is requires, use the [`default-ttl`](settings.md#default-ttl) parameter in `pdns.conf` instead.
-This will gain a 7% improvement in performance for entries that aren't cached.
-A dNSTTL attribute can still be added to entries that should have a different TTL than the default TTL
-
-## Access method
-The method of accessing the entries in the directory affects the performance too.
-By default, the "simple" method is used search for entries by using their associatedDomain attribute.
-Alternatively, the "tree" method can be used, whereby the search is done along the directory tree, e.g. "host.example.com" is translated into "dc=host,dc=example,dc=com,...".
-This requires the LDAP DNS subtree layout to be 1:1 to the DNS tree, this will gain an additional 7% performance improvement.
-
-# Troubleshooting
-## No reverse zone transfer
-The LDAP tree must contain a separate subtree of PTR records (e.g. for 1.1.10.10.in-addr.arpa) and `ldap-method` can't be set to "strict".
-
-## IPv6 reverse lookup doesn't work in strict mode
-For automatically generated reverse IPv6 records the aAAARecord entries must follow two restrictions:
-They have to be fully expanded ("FFFF::1" is not allowed and it must be "FFFF:0:0:0:0:0:0:1" instead) and they must not contain leading zeros, e.g. an entry containing "002A" is incorrect - use "2A" without zeros instead.
-These restrictions are due to the fact that LDAP DNS AAAA entries are pure text and doesn't allow searching by wild-cards.
-
-# Future
-## DNS notification support
-As soon as the LDAP server implementations begin to provide the features of the LDAP client update protocol (LCUP, [RFC3928](http://www.ietf.org/rfc/rfc3928.txt)), it will be possible to support the DNS notification feature for the LDAP DNS backend in case a record in the LDAP directory was changed.
-
-## SASL support
-Support for more authentication methods would be handy. Anyone interested may [contribute](https://github.com/PowerDNS/pdns).?
+++ /dev/null
-# Lua Backend
-The main author for this module is Fredrik Danerklint.
-
-| | |
-|:--|:--|
-|Native|Yes|
-|Master|Yes|
-|Slave|No|
-|Superslave|No|
-|Autoserial|No|
-|DNSSEC|Yes|
-
-**Warning**: The Lua Backend is available since PowerDNS Authoritative Server
-3.0. This backend is marked as Experimental!
-
-This backend is just a "glue" between PowerDNS and your own Lua application.
-
-What this means is that you can not have a working setup that can serve you
-dns-questions directly from start. What you need to do is to program your own
-backend completely in Lua! Which database server to use etc is now up to you!
-
-What you have here is the possibility to make your own "dns-server" without the
-knowledge of programming in c/c++.
-
-There is one thing that needs to be said. Remember that each thread
-PowerDNS launches of this backend is completely different so they cannot
-share information between each other!
-
-You will need some kind of a database that can be shared for this.
-
-All the functionnames that PowerDNS accept for a backend should be the same
-in your Lua script, in lowercase. Also, the parameters should be in the same
-order. Where there is a structure in c/c++ there is a table in the Lua backend.
-This is also true for return values. A few functions expect that you return a
-table in a table.
-
-
-## New functions
-There is a couple of new functions for you to use in Lua:
-
-### `logger(log_facility, "your", "messages")`
-
-All these `log_facilities` is available:
-* `log_all`
-* `log_ntlog`
-* `log_alert`
-* `log_critical`
-* `log_error`
-* `log_warning`
-* `log_notice,`
-* `log_info`
-* `log_debug`
-* `log_none`
-
-
-### `dnspacket()`
-This will give you back three parameters with
-`remote_ip`, `remote_port` and `local_ip` in that order.
-
-Can only be used in the functions [`list()`](#list) and [`getsoa()`](#getsoa).
-
-### `getarg("PARAMETER")`
-This one tries to get the value of the name `"lua-PARAMETER"` from the
-pdns.conf file.
-
-### `mustdo("PARAMETER")`
-This is the same as [`getarg()`](#getarg) but return a boolean instead of a string.
-
-You also have all the different QTypes in a table called 'QTypes'.
-
-# What has been tested
-The only functionality of the minimal functions except zone-transfer has
-been tested.
-
-In the included powerdns-luabackend.lua file there is a example of how
-this can be done. Note that this is more or less a static example since
-there is no possibility for each thread to know when something has changed.
-
-However, you can run `pdns_control reload` and it should reload the whole thing
-from scratch (does not work for the moment, PowerDNS only calls two thread with
-the reload command - not all of them).
-
-# What you will find under the test directory
-The following script can be used to test the server:
-```{include='../../modules/luabackend/test/powerdns-luabackend.lua'}
-```
-
-This will yield the following result:
-
-```
-$dig any www.test.com @127.0.0.1 -p5300 +multiline
-; <<>> DiG 9.7.3 <<>> any www.test.com @127.0.0.1 -p5300 +multiline
-;; global options: +cmd
-;; Got answer:
-;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
-;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
-;; WARNING: recursion requested but not available
-
-;; QUESTION SECTION:
-;www.test.com. IN ANY
-
-;; ANSWER SECTION:
-www.test.com. 120 IN CNAME host.test.com.
-host.test.com. 120 IN A 10.11.12.13
-host.test.com. 120 IN AAAA 1:2:3:4:5:6:7:8
-
-;; Query time: 1 msec
-;; SERVER: 127.0.0.1#5300(127.0.0.1)
-;; WHEN: Thu Jun 2 22:19:56 2011
-;; MSG SIZE rcvd: 93
-```
-
-# Parameters
-## `lua-filename`
-Path to your lua script, 'powerdns-luabackend.lua' by default.
-
-## `lua-logging-query`
-Log queries. default is 'no'.
-
-## `lua-f_FUNCTION=NEWFUNCTION`
-You can also override all the default functionsnames for the luafunctions if you
-want. For example:
-
-`lua-f_lookup = mynewfunction`
-
-will call the function `mynewfunction` for the lookup-routine.
-
-If you want your own configuration parameters you can have that too.
-Just call the function `getarg("PARAMETER")` and it will return the value
-of `lua-PARAMETER`. For boolean you use the function `mustdo("PARAMETER")`.
-
-## Your own error function in lua
-You can have an error function in Lua when Lua gives back a error.
-
-First make your error function then you put this in `pdns.conf`:
-
-`lua-f_exec_error = YOUR_METHOD`
-
-# DNSSEC
-You can have full dnssec support in our Lua application. You should note the
-following regarding this:
-
-You don't have to implement the function 'updateDNSSECOrderAndAuth' since the
-default code will work correctly for you via the backend itself.
-
-The functions activateDomainKey and deactivateDomainKey can be implemented via a
-new function called updateDomainKey, which has three parameters (the other two
-has only two parameters) where the third is a boolean which is true or false
-depending on which function that was called from the beginning.
-
-# Information for logging
-If you have the parameter `query-logging` or `lua-logging-query` set to
-true/yes/on, then you will see what is happening in each function when PowerDNS
-calls them.
-
-This can, hopefully, help you with some debugging if you run into some kind of
-trouble with your Lua application.
+++ /dev/null
-# MyDNS Backend
-| | |
-|:--|:--|
-|Native|Yes|
-|Master|No|
-|Slave|No|
-|Superslave|No|
-|Autoserial|No|
-|Case|Depends|
-|DNSSEC|No|
-|Disabled data|No|
-|Comments|No|
-|Module name|`mydns`|
-|Launch name|`mydns`|
-
-The MyDNS backend makes PowerDNS a drop-in replacement for the
-[MyDNS](http://mydns.bboy.net/) nameserver, as it uses the same database schema.
-
-## Configuration Parameters
-### `mydns-host`
-Database host to connect to.
-
-### `mydns-port`
-Port on the database server to connect to.
-
-### `mydns-dbname`
-Name of the database to connect to, "mydns" by default.
-
-### `mydns-user`
-User for the database, "powerdns" by default.
-
-### `mydns-password`
-The user password.
-
-### `mydns-socket`
-Unix socket to connect to the database.
-
-### `mydns-rr-table`
-Name of the resource record table in the database, "rr" by default.
-
-### `mydns-soa-table`
-Name of the SOA table in the database, "soa" by default.
-
-### `mydns-soa-where`
-Additional WHERE clause for SOA, default is "1 = 1".
-
-### `mydns-rr-where`
-Additional WHERE clause for resource records, default is "1 = 1".
-
-### `mydns-soa-active`
-Use the active column in the SOA table, "yes" by default.
-
-### `mydns-rr-active`
-Use the active column in the resource record table, "yes" by default.
-
-### `mydns-use-minimal-ttl`
-Setting this to 'yes' will make the backend behave like MyDNS on the TTL values.
-Setting it to 'no' will make it ignore the minimal-ttl of the zone. The default
-is "yes".
-
+++ /dev/null
-# OpenDBX Backend
-| | |
-|:--|:--|
-|Native|Yes|
-|Master|Yes|
-|Slave|Yes|
-|Superslave|Yes|
-|Autoserial|Yes|
-|DNSSEC|No|
-|Module name|opendbx|
-|Launch name|opendbx|
-
-The OpenDBX backend allows the authoritative server to connect to any backend
-supported by [OpenDBX](http://www.linuxnetworks.de/doc/index.php/OpenDBX).
-
-This document contains a subset of the [full documentation](http://www.linuxnetworks.de/doc/index.php/PowerDNS_OpenDBX_Backend)
-supplied by the author Norbert Sendetzky . This module is fully supported (and
-tested) by PowerDNS.
-
-The OpenDBX backend has a mechanism to connect different database servers for
-read and write actions.
-
-The domains table for the opendbx backend has a "status" column, when set to "A",
-the domain is considered active and is actually served.
-
-# Settings
-## opendbx-backend
-Name of the backend used to connect to the database server. Currently mysql,
-pgsql, sqlite, sqlite3 and sybase are available. Default=mysql.
-
-## opendbx-host-read
-One or more host names or IP addresses of the database servers. These hosts will
-be used for retrieving the records via SELECT queries. Default=127.0.0.1
-
-## opendbx-host-write
-One or more host names or IP addresses of the database servers. These hosts will
-be used for INSERT/UPDATE statements (mostly used by zonetransfers). Default=127.0.0.1
-
-## opendbx-port
-TCP/IP port number where the database server is listening to. Most databases will
-use their default port if you leave this empty.
-
-## opendbx-database
-The database name where all domain and record entries are stored. Default=powerdns
-
-## opendbx-username
-Name of the user send to the DBMS for authentication. Default=powerdns.
-
-## opendbx-password
-Clear text password for authentication in combination with the username.
-
-## Queries
-As with the [Generic SQL backends](backend-generic-sql.md), queries are configurable.
-Note: If you change one of the SELECT statements must not change the order of
-the retrieved columns! To get the default queries, run `pdns_server --no-config --launch=opendbx --config`.
-The following queries are configurable:
-
-- `opendbx-sql-list`: Select records which will be returned to clients asking for zone transfers (AXFR).
-- `opendbx-sql-lookup`: Retrieve DNS records by name.
-- `opendbx-sql-lookupid`: Retrieve DNS records by id and name.
-- `opendbx-sql-lookuptype`: Retrieve DNS records by name and type.
-- `opendbx-sql-lookuptypeid`: Retrieve DNS records by id, name and type.
-- `opendbx-sql-lookupsoa`: Retrieve SOA record for domain.
-- `opendbx-sql-zonedelete`: Delete all records from zone before inserting new ones via AXFR.
-- `opendbx-sql-zoneinfo`: Get stored information about a domain.
-- `opendbx-sql-transactbegin`: Start transaction before updating a zone via AXFR.
-- `opendbx-sql-transactend`: Commit transaction after updating a zone via AXFR.
-- `opendbx-sql-transactabort`: Undo changes if an error occurred while updating a zone via AXFR.
-- `opendbx-sql-insert-slave`: Adds a new zone from the authoritative DNS server which is currently retrieved via AXFR.
-- `opendbx-sql-insert-record`: Adds new records of a zone form the authoritative DNS server which are currently retrieved via AXFR.
-- `opendbx-sql-update-serial`: Set zone serial to value of last update.
-- `opendbx-sql-update-lastcheck`: Set time of last zone check.
-- `opendbx-sql-master`: Get master record for zone.
-- `opendbx-sql-supermaster`: Get supermaster info.
-- `opendbx-sql-infoslaves`: Get all unfresh slaves.
-- `opendbx-sql-infomasters`: Get all updates masters.
-
-# Database schemas and information
-## Mysql
-The file below also contains trigger definitions which are necessary for [auto serial](backend-generic-sql.md#autoserial)
-support, but they are only available in MySQL 5 and later. If you are still
-using MySQL 4.x and don't want to utilize the automatically generated zone serials,
-you can safely remove the "CREATE TRIGGER" statements from the file before
-creating the database tables.
-
-```
-SET SESSION sql_mode='ANSI';
-
-CREATE TABLE "domains" (
- "id" INTEGER NOT NULL AUTO_INCREMENT,
- "name" VARCHAR(255) NOT NULL,
- "type" VARCHAR(6) NOT NULL,
- "master" VARCHAR(40) NOT NULL DEFAULT '',
- "account" VARCHAR(40) NOT NULL DEFAULT '',
- "last_check" INTEGER DEFAULT NULL,
- "notified_serial" INTEGER DEFAULT NULL,
- "auto_serial" INTEGER NOT NULL DEFAULT 0,
- "status" CHAR(1) NOT NULL DEFAULT 'A',
-CONSTRAINT "pdns_pk_domains_id"
- PRIMARY KEY ("id"),
-CONSTRAINT "pdns_unq_domains_name"
- UNIQUE ("name")
-) type=InnoDB;
-
-CREATE INDEX "pdns_idx_domains_status_type" ON "domains" ("status","type");
-
-CREATE TABLE "records" (
- "id" INTEGER NOT NULL AUTO_INCREMENT,
- "domain_id" INTEGER NOT NULL,
- "name" VARCHAR(255) NOT NULL,
- "type" VARCHAR(6) NOT NULL,
- "ttl" INTEGER DEFAULT NULL,
- "prio" INTEGER DEFAULT NULL,
- "content" VARCHAR(255) NOT NULL,
-CONSTRAINT "pdns_pk_records_id"
- PRIMARY KEY ("id"),
-CONSTRAINT "pdns_fk_records_domainid"
- FOREIGN KEY ("domain_id")
- REFERENCES "domains" ("id")
- ON UPDATE CASCADE
- ON DELETE CASCADE
-) type=InnoDB;
-
-CREATE INDEX "pdns_idx_records_name_type" ON "records" ("name","type");
-CREATE INDEX "pdns_idx_records_type" ON "records" ("type");
-
-CREATE TABLE "supermasters" (
- "ip" VARCHAR(40) NOT NULL,
- "nameserver" VARCHAR(255) NOT NULL,
- "account" VARCHAR(40) NOT NULL DEFAULT ''
-);
-
-CREATE INDEX "pdns_idx_smaster_ip_ns" ON "supermasters" ("ip","nameserver");
-
-GRANT SELECT ON "supermasters" TO "powerdns";
-GRANT ALL ON "domains" TO "powerdns";
-GRANT ALL ON "records" TO "powerdns";
-
-DELIMITER :
-
-CREATE TRIGGER "pdns_trig_records_insert"
-AFTER INSERT ON "records"
-FOR EACH ROW BEGIN
- UPDATE "domains" d SET d."auto_serial" = d."auto_serial" + 1
- WHERE d."id" = NEW."domain_id";
-END;:
-
-CREATE TRIGGER "pdns_trig_records_update"
-AFTER UPDATE ON "records"
-FOR EACH ROW BEGIN
- UPDATE "domains" d SET d."auto_serial" = d."auto_serial" + 1
- WHERE d."id" = NEW."domain_id";
-END;:
-
-CREATE TRIGGER "pdns_trig_records_delete"
-AFTER DELETE ON "records"
-FOR EACH ROW BEGIN
- UPDATE "domains" d SET d."auto_serial" = d."auto_serial" + 1
- WHERE d."id" = OLD."domain_id";
-END;:
-
-DELIMITER ;
-```
-
-## PostgreSQL
-```
-CREATE TABLE "domains" (
- "id" SERIAL NOT NULL,
- "name" VARCHAR(255) NOT NULL,
- "type" VARCHAR(6) NOT NULL,
- "master" VARCHAR(40) NOT NULL DEFAULT '',
- "account" VARCHAR(40) NOT NULL DEFAULT '',
- "last_check" INTEGER DEFAULT NULL,
- "notified_serial" INTEGER DEFAULT NULL,
- "auto_serial" INTEGER NOT NULL DEFAULT 0,
- "status" CHAR(1) NOT NULL DEFAULT 'A',
-CONSTRAINT "pdns_pk_domains_id"
- PRIMARY KEY ("id"),
-CONSTRAINT "pdns_unq_domains_name"
- UNIQUE ("name")
-);
-
-CREATE INDEX "pdns_idx_domains_status_type" ON "domains" ("status","type");
-
-CREATE TABLE "records" (
- "id" SERIAL NOT NULL,
- "domain_id" INTEGER NOT NULL,
- "name" VARCHAR(255) NOT NULL,
- "type" VARCHAR(6) NOT NULL,
- "ttl" INTEGER DEFAULT NULL,
- "prio" INTEGER DEFAULT NULL,
- "content" VARCHAR(255) NOT NULL,
-CONSTRAINT "pdns_pk_records_id"
- PRIMARY KEY ("id"),
-CONSTRAINT "pdns_fk_records_domainid"
- FOREIGN KEY ("domain_id")
- REFERENCES "domains" ("id")
- ON UPDATE CASCADE
- ON DELETE CASCADE
-);
-
-CREATE INDEX "pdns_idx_records_name_type" ON "records" ("name","type");
-CREATE INDEX "pdns_idx_records_type" ON "records" ("type");
-
-CREATE TABLE "supermasters" (
- "ip" VARCHAR(40) NOT NULL,
- "nameserver" VARCHAR(255) NOT NULL,
- "account" VARCHAR(40) NOT NULL DEFAULT ''
-);
-
-CREATE INDEX "pdns_idx_smaster_ip_ns" ON "supermasters" ("ip","nameserver");
-
-GRANT SELECT ON "supermasters" TO "powerdns";
-GRANT ALL ON "domains" TO "powerdns";
-GRANT ALL ON "domains_id_seq" TO "powerdns";
-GRANT ALL ON "records" TO "powerdns";
-GRANT ALL ON "records_id_seq" TO "powerdns";
-
-CREATE RULE "pdns_rule_records_insert"
-AS ON INSERT TO "records" DO
- UPDATE "domains" SET "auto_serial" = "auto_serial" + 1 WHERE "id" = NEW."domain_id";
-
-CREATE RULE "pdns_rule_records_update"
-AS ON UPDATE TO "records" DO
- UPDATE "domains" SET "auto_serial" = "auto_serial" + 1 WHERE "id" = NEW."domain_id";
-
-CREATE RULE "pdns_rule_records_delete"
-AS ON DELETE TO "records" DO
- UPDATE "domains" SET "auto_serial" = "auto_serial" + 1 WHERE "id" = OLD."domain_id";
-```
-
-## SQLite and SQLite3
-Supported without changes since OpenDBX 1.0.0 but requires to set [`opendbx-host`](#opendbs-host)
-to the path of the SQLite file (including the trailing slash or backslash,
-depending on your operating system) and opendbx-database to the name of the file.
-
-```
-opendbx-host-read = /path/to/file/
-opendbx-host-write = /path/to/file/
-opendbx-database = powerdns.sqlite
-```
-
-### SQLite Schema
-```
-CREATE TABLE "domains" (
- "id" INTEGER NOT NULL PRIMARY KEY,
- "name" VARCHAR(255) NOT NULL,
- "type" VARCHAR(6) NOT NULL,
- "master" VARCHAR(40) NOT NULL DEFAULT '',
- "account" VARCHAR(40) NOT NULL DEFAULT '',
- "last_check" INTEGER DEFAULT NULL,
- "notified_serial" INTEGER DEFAULT NULL,
- "auto_serial" INTEGER NOT NULL DEFAULT 0,
- "status" CHAR(1) NOT NULL DEFAULT 'A',
-CONSTRAINT "pdns_unq_domains_name"
- UNIQUE ("name")
-);
-
-CREATE INDEX "pdns_idx_domains_status_type" ON "domains" ("status","type");
-
-CREATE TABLE "records" (
- "id" INTEGER NOT NULL PRIMARY KEY,
- "domain_id" INTEGER NOT NULL,
- "name" VARCHAR(255) NOT NULL,
- "type" VARCHAR(6) NOT NULL,
- "ttl" INTEGER DEFAULT NULL,
- "prio" INTEGER DEFAULT NULL,
- "content" VARCHAR(255) NOT NULL,
-CONSTRAINT "pdns_fk_records_domainid"
- FOREIGN KEY ("domain_id")
- REFERENCES "domains" ("id")
- ON UPDATE CASCADE
- ON DELETE CASCADE
-);
-
-CREATE INDEX "pdns_idx_records_name_type" ON "records" ("name","type");
-CREATE INDEX "pdns_idx_records_type" ON "records" ("type");
-
-CREATE TABLE "supermasters" (
- "ip" VARCHAR(40) NOT NULL,
- "nameserver" VARCHAR(255) NOT NULL,
- "account" VARCHAR(40) NOT NULL DEFAULT ''
-);
-
-CREATE INDEX "pdns_idx_smaster_ip_ns" ON "supermasters" ("ip","nameserver");
-
-CREATE TRIGGER "pdns_trig_records_insert"
-AFTER INSERT ON "records"
-FOR EACH ROW BEGIN
- UPDATE "domains" SET "auto_serial" = "auto_serial" + 1
- WHERE "id" = NEW."domain_id";
-END;
-
-CREATE TRIGGER "pdns_trig_records_update"
-AFTER UPDATE ON "records"
-FOR EACH ROW BEGIN
- UPDATE "domains" SET "auto_serial" = "auto_serial" + 1
- WHERE "id" = NEW."domain_id";
-END;
-
-CREATE TRIGGER "pdns_trig_records_delete"
-AFTER DELETE ON "records"
-FOR EACH ROW BEGIN
- UPDATE "domains" SET "auto_serial" = "auto_serial" + 1
- WHERE "id" = OLD."domain_id";
-END;
-```
-
-### SQLite3 Schema
-```
-CREATE TABLE "domains" (
- "id" INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
- "name" VARCHAR(255) NOT NULL,
- "type" VARCHAR(6) NOT NULL,
- "master" VARCHAR(40) NOT NULL DEFAULT '',
- "account" VARCHAR(40) NOT NULL DEFAULT '',
- "last_check" INTEGER DEFAULT NULL,
- "notified_serial" INTEGER DEFAULT NULL,
- "auto_serial" INTEGER NOT NULL DEFAULT 0,
- "status" CHAR(1) NOT NULL DEFAULT 'A',
-CONSTRAINT "pdns_unq_domains_name"
- UNIQUE ("name")
-);
-
-CREATE INDEX "pdns_idx_domains_status_type" ON "domains" ("status","type");
-
-CREATE TABLE "records" (
- "id" INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
- "domain_id" INTEGER NOT NULL,
- "name" VARCHAR(255) NOT NULL,
- "type" VARCHAR(6) NOT NULL,
- "ttl" INTEGER DEFAULT NULL,
- "prio" INTEGER DEFAULT NULL,
- "content" VARCHAR(255) NOT NULL,
-CONSTRAINT "pdns_fk_records_domainid"
- FOREIGN KEY ("domain_id")
- REFERENCES "domains" ("id")
- ON UPDATE CASCADE
- ON DELETE CASCADE
-);
-
-CREATE INDEX "pdns_idx_records_name_type" ON "records" ("name","type");
-CREATE INDEX "pdns_idx_records_type" ON "records" ("type");
-
-CREATE TABLE "supermasters" (
- "ip" VARCHAR(40) NOT NULL,
- "nameserver" VARCHAR(255) NOT NULL,
- "account" VARCHAR(40) NOT NULL DEFAULT ''
-);
-
-CREATE INDEX "pdns_idx_smaster_ip_ns" ON "supermasters" ("ip","nameserver");
-
-CREATE TRIGGER "pdns_trig_records_insert"
-AFTER INSERT ON "records"
-FOR EACH ROW BEGIN
- UPDATE "domains" SET "auto_serial" = "auto_serial" + 1
- WHERE "id" = NEW."domain_id";
-END;
-
-CREATE TRIGGER "pdns_trig_records_update"
-AFTER UPDATE ON "records"
-FOR EACH ROW BEGIN
- UPDATE "domains" SET "auto_serial" = "auto_serial" + 1
- WHERE "id" = NEW."domain_id";
-END;
-
-CREATE TRIGGER "pdns_trig_records_delete"
-AFTER DELETE ON "records"
-FOR EACH ROW BEGIN
- UPDATE "domains" SET "auto_serial" = "auto_serial" + 1
- WHERE "id" = OLD."domain_id";
-END;
-```
-
-## Firebird/Interbase
-Requires [`opendbx-database`](#opendbx-database) set to the path of the database
-file and doesn't support the default statement for starting transactions. Please
-add the following lines to your pdns.conf:
-
-```
-opendbx-database = /var/lib/firebird2/data/powerdns.gdb
-opendbx-sql-transactbegin = SET TRANSACTION
-```
-
-When creating the database please make sure that you call the `isql` tool with
-the parameter `-page 4096`. Otherwise, you will get an error (key size exceeds
-implementation restriction for index "pdns_unq_domains_name") when creating the tables.
-
-```
-CREATE TABLE "domains" (
- "id" INTEGER NOT NULL,
- "name" VARCHAR(255) NOT NULL,
- "type" VARCHAR(6) NOT NULL,
- "master" VARCHAR(40) DEFAULT '' NOT NULL,
- "account" VARCHAR(40) DEFAULT '' NOT NULL,
- "last_check" INTEGER,
- "notified_serial" INTEGER,
- "auto_serial" INTEGER DEFAULT 0 NOT NULL,
- "status" CHAR(1) DEFAULT 'A' NOT NULL,
-CONSTRAINT "pdns_pk_domains_id"
- PRIMARY KEY ("id"),
-CONSTRAINT "pdns_unq_domains_name"
- UNIQUE ("name")
-);
-
-CREATE GENERATOR "pdns_gen_domains_id";
-
-SET TERM !!;
-CREATE TRIGGER "pdns_trig_domains_id" FOR "domains"
-ACTIVE BEFORE INSERT AS
-BEGIN
- IF (NEW."id" IS NULL) THEN
- NEW."id" = GEN_ID("pdns_gen_domains_id",1);
-END !!
-SET TERM ;!!
-
-CREATE INDEX "pdns_idx_domains_status_type" ON "domains" ("status","type");
-
-CREATE TABLE "records" (
- "id" INTEGER NOT NULL,
- "domain_id" INTEGER NOT NULL,
- "name" VARCHAR(255) NOT NULL,
- "type" VARCHAR(6) NOT NULL,
- "ttl" INTEGER DEFAULT NULL,
- "prio" INTEGER DEFAULT NULL,
- "content" VARCHAR(255) NOT NULL,
-CONSTRAINT "pdns_pk_records_id"
- PRIMARY KEY ("id"),
-CONSTRAINT "pdns_fk_records_domainid"
- FOREIGN KEY ("domain_id")
- REFERENCES "domains" ("id")
- ON UPDATE CASCADE
- ON DELETE CASCADE
-);
-
-CREATE GENERATOR "pdns_gen_records_id";
-
-SET TERM !!;
-CREATE TRIGGER "pdns_trig_records_id" FOR "records"
-ACTIVE BEFORE INSERT AS
-BEGIN
- IF (NEW."id" IS NULL) THEN
- NEW."id" = GEN_ID("pdns_gen_records_id",1);
-END !!
-SET TERM ;!!
-
-CREATE INDEX "idx_records_name_type" ON "records" ("name","type");
-CREATE INDEX "idx_records_type" ON "records" ("type");
-
-CREATE TABLE "supermasters" (
- "ip" VARCHAR(40) NOT NULL,
- "nameserver" VARCHAR(255) NOT NULL,
- "account" VARCHAR(40) DEFAULT '' NOT NULL
-);
-
-CREATE INDEX "pdns_idx_smaster_ip_ns" ON "supermasters" ("ip","nameserver");
-
-GRANT SELECT ON "supermasters" TO "powerdns";
-GRANT ALL ON "domains" TO "powerdns";
-GRANT ALL ON "records" TO "powerdns";
-
-SET TERM !!;
-
-CREATE TRIGGER "pdns_trig_records_insert" FOR "records"
-ACTIVE AFTER INSERT AS
-BEGIN
- UPDATE "domains" d SET d."auto_serial" = d."auto_serial" + 1
- WHERE d."id" = NEW."domain_id";
-END !!
-
-CREATE TRIGGER "pdns_trig_records_update" FOR "records"
-ACTIVE AFTER UPDATE AS
-BEGIN
- UPDATE "domains" d SET d."auto_serial" = d."auto_serial" + 1
- WHERE d."id" = NEW."domain_id";
-END !!
-
-CREATE TRIGGER "pdns_trig_records_delete" FOR "records"
-ACTIVE AFTER DELETE AS
-BEGIN
- UPDATE "domains" d SET d."auto_serial" = d."auto_serial" + 1
- WHERE d."id" = OLD."domain_id";
-END !!
-
-SET TERM ;!!
-```
-
-## Microsoft SQL Server
-Supported using the FreeTDS library. It uses a different scheme for host
-configuration (requires the name of the host section in the configuration file
-of the dblib client library) and doesn't support the default statement for
-starting transactions. Please add the following lines to your pdns.conf:
-
-```
-opendbx-host-read = MSSQL2k
-opendbx-host-write = MSSQL2k
-opendbx-sql-transactbegin = BEGIN TRANSACTION
-```
-
-```
-SET quoted_identifier ON;
-
-
-CREATE TABLE "domains" (
- "id" INTEGER NOT NULL IDENTITY,
- "name" VARCHAR(255) NOT NULL,
- "type" VARCHAR(6) NOT NULL,
- "master" VARCHAR(40) DEFAULT '' NOT NULL,
- "account" VARCHAR(40) DEFAULT '' NOT NULL,
- "last_check" INTEGER NULL,
- "notified_serial" INTEGER NULL,
- "auto_serial" INTEGER NOT NULL DEFAULT 0,
- "status" CHAR(1) DEFAULT 'A' NOT NULL,
-CONSTRAINT "pdns_pk_domains_id"
- PRIMARY KEY ("id"),
-CONSTRAINT "pdns_unq_domains_name"
- UNIQUE ("name")
-);
-
-CREATE INDEX "pdns_idx_domains_status_type" ON "domains" ("status","type");
-
-CREATE TABLE "records" (
- "id" INTEGER NOT NULL IDENTITY,
- "domain_id" INTEGER NOT NULL,
- "name" VARCHAR(255) NOT NULL,
- "type" VARCHAR(6) NOT NULL,
- "ttl" INTEGER NULL,
- "prio" INTEGER NULL,
- "content" VARCHAR(255) NOT NULL,
- "change_date" INTEGER NULL,
-CONSTRAINT "pdns_pk_records_id"
- PRIMARY KEY ("id"),
-CONSTRAINT "pdns_fk_records_domainid"
- FOREIGN KEY ("domain_id")
- REFERENCES "domains" ("id")
-);
-
-CREATE INDEX "pdns_idx_records_name_type" ON "records" ("name","type");
-CREATE INDEX "pdns_idx_records_type" ON "records" ("type");
-
-CREATE TABLE "supermasters" (
- "ip" VARCHAR(40) NOT NULL,
- "nameserver" VARCHAR(255) NOT NULL,
- "account" VARCHAR(40) DEFAULT '' NOT NULL
-);
-
-CREATE INDEX "pdns_idx_smip_smns" ON "supermasters" ("ip","nameserver");
-
-GRANT SELECT ON "supermasters" TO "powerdns";
-GRANT ALL ON "domains" TO "powerdns";
-GRANT ALL ON "records" TO "powerdns";
-
-CREATE TRIGGER "pdns_trig_records_insert"
-ON "records" FOR INSERT AS
- UPDATE "domains" SET "auto_serial" = "auto_serial" + 1
- WHERE "id" = ANY (
- SELECT i."domain_id" FROM "inserted" i GROUP BY i."domain_id"
- );
-
-CREATE TRIGGER "pdns_trig_records_update"
-ON "records" FOR UPDATE AS
- UPDATE "domains" SET "auto_serial" = "auto_serial" + 1
- WHERE "id" = ANY (
- SELECT i."domain_id" FROM "inserted" i GROUP BY i."domain_id"
- );
-
-CREATE TRIGGER "pdns_trig_records_delete"
-ON "records" FOR DELETE AS
- UPDATE "domains" SET "auto_serial" = "auto_serial" + 1
- WHERE "id" = ANY (
- SELECT d."domain_id" FROM "deleted" d GROUP BY d."domain_id"
- );
-```
-
-## Sybase ASE
-Supported using the native Sybase ctlib or the FreeTDS library. It uses a
-different scheme for host configuration (requires the name of the host section
-in the configuration file of the ctlib client library) and doesn't support the
-default statement for starting transactions. Please add the following lines to
-your pdns.conf:
-
-```
-opendbx-host-read = SYBASE
-opendbx-host-write = SYBASE
-opendbx-sql-transactbegin = BEGIN TRANSACTION
-```
-
-```
-SET quoted_identifier ON;
-
-CREATE TABLE "domains" (
- "id" INTEGER NOT NULL IDENTITY,
- "name" VARCHAR(255) NOT NULL,
- "type" VARCHAR(6) NOT NULL,
- "master" VARCHAR(40) DEFAULT '' NOT NULL,
- "account" VARCHAR(40) DEFAULT '' NOT NULL,
- "last_check" INTEGER NULL,
- "notified_serial" INTEGER NULL,
- "auto_serial" INTEGER NOT NULL DEFAULT 0,
- "status" CHAR(1) DEFAULT 'A' NOT NULL,
-CONSTRAINT "pdns_pk_domains_id"
- PRIMARY KEY ("id"),
-CONSTRAINT "pdns_unq_domains_name"
- UNIQUE ("name")
-);
-
-CREATE INDEX "pdns_idx_domains_status_type" ON "domains" ("status","type");
-
-CREATE TABLE "records" (
- "id" INTEGER NOT NULL IDENTITY,
- "domain_id" INTEGER NOT NULL,
- "name" VARCHAR(255) NOT NULL,
- "type" VARCHAR(6) NOT NULL,
- "ttl" INTEGER NULL,
- "prio" INTEGER NULL,
- "content" VARCHAR(255) NOT NULL,
- "change_date" INTEGER NULL,
-CONSTRAINT "pdns_pk_records_id"
- PRIMARY KEY ("id"),
-CONSTRAINT "pdns_fk_records_domainid"
- FOREIGN KEY ("domain_id")
- REFERENCES "domains" ("id")
-);
-
-CREATE INDEX "pdns_idx_records_name_type" ON "records" ("name","type");
-CREATE INDEX "pdns_idx_records_type" ON "records" ("type");
-
-CREATE TABLE "supermasters" (
- "ip" VARCHAR(40) NOT NULL,
- "nameserver" VARCHAR(255) NOT NULL,
- "account" VARCHAR(40) DEFAULT '' NOT NULL
-);
-
-CREATE INDEX "pdns_idx_smip_smns" ON "supermasters" ("ip","nameserver");
-
-GRANT SELECT ON "supermasters" TO "powerdns";
-GRANT ALL ON "domains" TO "powerdns";
-GRANT ALL ON "records" TO "powerdns";
-
-CREATE TRIGGER "pdns_trig_records_insert"
-ON "records" FOR INSERT AS
- UPDATE "domains" SET "auto_serial" = "auto_serial" + 1
- WHERE "id" = ANY (
- SELECT i."domain_id" FROM "inserted" i GROUP BY i."domain_id"
- );
-
-CREATE TRIGGER "pdns_trig_records_update"
-ON "records" FOR UPDATE AS
- UPDATE "domains" SET "auto_serial" = "auto_serial" + 1
- WHERE "id" = ANY (
- SELECT i."domain_id" FROM "inserted" i GROUP BY i."domain_id"
- );
-
-CREATE TRIGGER "pdns_trig_records_delete"
-ON "records" FOR DELETE AS
- UPDATE "domains" SET "auto_serial" = "auto_serial" + 1
- WHERE "id" = ANY (
- SELECT d."domain_id" FROM "deleted" d GROUP BY d."domain_id"
- );
-```
-
-## Oracle
-Uses a different syntax for transactions and requires the following additional
-line in your pdns.conf:
-
-```
-opendbx-sql-transactbegin = SET TRANSACTION NAME 'AXFR'
-```
-
-```
-CREATE TABLE "domains" (
- "id" INTEGER NOT NULL,
- "name" VARCHAR(255) NOT NULL,
- "type" VARCHAR(6) NOT NULL,
- "master" VARCHAR(40) DEFAULT '',
- "account" VARCHAR(40) DEFAULT '',
- "last_check" INTEGER,
- "notified_serial" INTEGER,
- "auto_serial" INTEGER DEFAULT 0,
- "status" CHAR(1) DEFAULT 'A',
-CONSTRAINT "pdns_pk_domains_id"
- PRIMARY KEY ("id"),
-CONSTRAINT "pdns_unq_domains_name"
- UNIQUE ("name")
-);
-
-CREATE SEQUENCE "pdns_seq_domains_id" START WITH 1 INCREMENT BY 1;
-
-CREATE TRIGGER "pdns_trig_domains_id"
-BEFORE INSERT ON "domains"
-FOR EACH ROW
-BEGIN
- SELECT "pdns_seq_domains_id".nextval INTO :NEW."id" FROM dual;
-END;
-
-CREATE INDEX "pdns_idx_domains_status_type" ON "domains" ("status","type");
-
-CREATE TABLE "records" (
- "id" INTEGER NOT NULL,
- "domain_id" INTEGER NOT NULL,
- "name" VARCHAR(255) NOT NULL,
- "type" VARCHAR(6) NOT NULL,
- "ttl" INTEGER NULL,
- "prio" INTEGER NULL,
- "content" VARCHAR(255) NOT NULL,
- "change_date" INTEGER NULL,
-CONSTRAINT "pdns_pk_records_id"
- PRIMARY KEY ("id"),
-CONSTRAINT "pdns_fk_records_domainid"
- FOREIGN KEY ("domain_id")
- REFERENCES "domains" ("id")
- ON DELETE CASCADE
-);
-
-CREATE SEQUENCE "pdns_seq_records_id" START WITH 1 INCREMENT BY 1;
-
-CREATE TRIGGER "pdns_trig_records_id"
-BEFORE INSERT ON "records"
-FOR EACH ROW
-BEGIN
- SELECT "pdns_seq_records_id".nextval INTO :NEW."id" FROM dual;
-END;
-
-CREATE INDEX "pdns_idx_records_name_type" ON "records" ("name","type");
-CREATE INDEX "pdns_idx_records_type" ON "records" ("type");
-
-CREATE TABLE "supermasters" (
- "ip" VARCHAR(40) NOT NULL,
- "nameserver" VARCHAR(255) NOT NULL,
- "account" VARCHAR(40) NOT NULL
-);
-
-CREATE INDEX "pdns_idx_smaster_ip_ns" ON "supermasters" ("ip","nameserver");
-
-GRANT SELECT ON "supermasters" TO "powerdns";
-GRANT ALL ON "domains" TO "powerdns";
-GRANT ALL ON "records" TO "powerdns";
-
-CREATE TRIGGER "pdns_trig_records_insert"
-AFTER INSERT ON "records"
-FOR EACH ROW BEGIN
- UPDATE "domains" SET "auto_serial" = "auto_serial" + 1
- WHERE "id" = :NEW."domain_id";
-END;
-
-CREATE TRIGGER "pdns_trig_records_update"
-AFTER UPDATE ON "records"
-FOR EACH ROW BEGIN
- UPDATE "domains" SET "auto_serial" = "auto_serial" + 1
- WHERE "id" = :NEW."domain_id";
-END;
-
-CREATE TRIGGER "pdns_trig_records_delete"
-AFTER DELETE ON "records"
-FOR EACH ROW BEGIN
- UPDATE "domains" SET "auto_serial" = "auto_serial" + 1
- WHERE "id" = :OLD."domain_id";
-END;
-```
+++ /dev/null
-# Oracle backend
-| | |
-|:--|:--|
-|Native|Yes|
-|Master|Yes|
-|Slave|Yes|
-|Superslave|Yes|
-|Autoserial|Yes|
-|DNSSEC|Yes|
-|Comments|No|
-|Module name|oracle|
-|Launch name|oracle|
-
-This is the Oracle Database backend, completely rewritten for the 3.0 release, with easily configurable SQL statements, allowing you to graft PowerDNS functionality onto any Oracle database of your choosing.
-
-The Oracle backend is difficult, and possibly illegal, to distribute in binary form. To use it, you will probably need to compile PowerDNS from source. OCI headers are expected in `$ORACLE_HOME/rdbms/public`, and OCI libraries in `$ORACLE_HOME/lib`. That is where they should be with a working installation of the full Oracle Database client. Oracle InstantClient should work as well, but you will need to make the libraries and headers available in appropriate paths.
-
-This backend uses two kinds of database connections. First, it opens a session pool. Connections from this pool are used only for queries reading DNS data from the database. Second, it opens normal (non-pooled) connections on demand for any kind of write access. The reason for this split is to allow redundancy by replication. Each DNS frontend server can have a local read-only replicated instance of your database. Open the session pool to the local replicated copy, and all data will be available with high performance, even if the main database goes down. The writing connections should go directly to the main database.
-
-Of course, if you do not require this kind of redundancy, or want to avoid the substantial Oracle Database licensing costs, all connections can just go to the same database with the same credentials. Also, the write connections should be entirely unnecessary if you do not plan to use either master or slave mode.
-
-## Configuration Parameters
-### `oracle-pool-database`, `oracle-pool-username`, `oracle-pool-password`
-The database to use for read access. OracleBackend will try to create a session pool, so make sure this database user has the necessary permissions. If your connection requires environment variables to be set, e.g. `ORACLE_HOME`, `NLS_LANG`, or `LD_LIBRARY_PATH`, make sure these are set when PowerDNS runs. `/etc/default/pdns` might help.
-
-### `oracle-master-database`, `oracle-master-username`, `oracle-master-password`
-The database to use for write access. These are normal connections, not a session pool. The backend may open more than one at a time.
-
-### `oracle-session-min`, `oracle-session-max`, `oracle-session-inc`
-Parameters for the connection pool underlying the session pool. OCI will open `session-min` connections at startup, and open more connections as needed, `session-inc` at a time, until `session-max` connections are open.
-
-### `oracle-nameserver-name`
-This can be set to an arbitrary string that will be made available in the optional bind variable `:nsname` for all SQL statements. You can use this to run multiple PowerDNS instances off the same database, while serving different zones.
-
-There are many more options that are used to define the different SQL statements. These will be discussed after the reference database schema has been explained.
-
-## The Database Schema
-You can find an example database schema in `schema.sql` in the PowerDNS source distribution. It is intended more as a starting point to come up with a schema that works well for your organisation, than as something you should run as it is. As long as the semantics of the SQL statements still work out, you can store your DNS data any way you like.
-
-You should read this while having `schema.sql` to hand. Columns will not be specifically explained where their meaning is obvious.
-
-**Note**: All FQDNs should be specified in lower case and without a trailing dot. Where things are lexicographically compared or sorted, make sure a sane ordering is used. `'NLS_LANG=AMERICAN_AMERICA.AL32UTF8'` should generally work well enough; when in doubt, enforce a plain ordering with `"NLSSORT(value, 'NLS_SORT = BINARY')"`.
-
-### Zones Table
-This table lists the zones for which PowerDNS is supposed to be an authoritative nameserver, plus a small amount of information related to master/slave mode.
-
-#### name
-The FQDN of the zone apex, e.g. 'example.com'.
-
-#### type
-Describes how PowerDNS should host the zone. Valid values are 'NATIVE', 'MASTER', and 'SLAVE'. PowerDNS acts as an authoritative nameserver for the zone in all modes. In slave mode, it will additionally attempt to acquire the zone's content from a master server. In master mode, it will additionally send 'NOTIFY' packets to other nameservers for the zone when its content changes.
-
-**Tip**: There is a global setting to make PowerDNS send 'NOTIFY' packets in slave mode.
-
-#### last\_check
-This value, updated by PowerDNS, is the unix timestamp of the last successful attempt to check this zone for freshness on the master.
-
-#### refresh
-The number of seconds PowerDNS should wait after a successful freshness check before performing another one. This value is also found in the zone's SOA record. You may want to make sure to put the same thing in both places.
-
-#### serial
-The serial of the version of the zone's content we are hosting now. This value is also found in the zone's SOA record. You may want to make sure to put the same thing in both places.
-
-#### notified\_serial
-The latest serial for which we have sent `NOTIFY` packets. Updated by PowerDNS.
-
-### The Zonemasters and ZoneAlsoNotify Tables
-These are lists of hosts PowerDNS will interact with for a zone in master/slave mode. 'Zonemasters' lists the hosts PowerDNS will attempt to pull zone transfers from, and accept 'NOTIFY' packets from. 'ZoneAlsoNotify' lists hosts PowerDNS will send 'NOTIFY' packets to, in addition to any hosts that have NS records.
-
-Host entries can be IPv4 or IPv6 addresses, in string representation. If you need to specify a port, use `192.0.2.4:5300` notation for IPv4 and brackets for IPv6: `[2001:db8::1234]:5300`.
-
-### The Supermasters Table
-In superslave mode, PowerDNS can accept 'NOTIFY' packets for zones that have not been defined in the zone table yet. PowerDNS will then create an entry for the zone and attempt a zone transfer. This table defines the list of acceptable sources for supernotifications.
-
-#### name
-An identifying string for this entry. Only used for logging.
-
-#### ip
-The alleged originating IP address of the notification.
-
-#### nameserver
-The FQDN of an authoritative nameserver.
-
-A supernotification will be accepted if an entry is found such that the notification came from 'ip' and 'nameserver' appears in an NS record for that zone.
-
-### The ZoneMetadata Table
-This is a per-zone key-value store for various things PowerDNS needs to know that are not part of the zone's content or handled by other tables. Depending on your needs, you may not want this to exist as an actual table, but simulate this in PL/SQL instead.
-
-The currently defined metadata types are:
-
-#### 'PRESIGNED'
-If set to 1, PowerDNS should assume that DNSSEC signatures for this zone exist in the database and use them instead of signing records itself. For a slave zone, this will also signal to the master that we want DNSSEC records when attempting a zone transfer.
-
-#### 'NSEC3PARAM'
-The NSEC3 hashing parameters for the zone.
-
-#### 'TSIG-ALLOW-AXFR'
-The value is the name of a TSIG key. A client will be allowed to AXFR from us if the request is signed with that key.
-
-#### 'AXFR-MASTER-TSIG'
-The value is the name of a TSIG key. Outgoing `NOTIFY` packets for this zone will be signed with that key.
-
-### The Tables for Cryptographic Keys
-We have two of them: 'TSIGKeys' for symmetric TSIG keys, and 'ZoneDNSKeys' for DNSSEC signing keys.
-
-### The Records Table
-The actual DNS zone contents are stored here.
-
-#### zone\_id
-The zone this records belongs to. Normally, this is obvious. When you are dealing with zone delegations, you have to insert some records into the parent zone of their actual zone. See also `auth`.
-
-#### fqdn
-The owner name of this record. Again, this is lower case and without a trailing dot.
-
-#### revfqdn
-This should be a string that consists of the labels of the owner name, in reverse order, with spaces instead of dots separating them, for example:
-
-```
-'www.example.com' => 'com example www'
-```
-
-This is used as a quick and dirty way to get canonical zone ordering. You can chose a more correct and much more complicated implementation instead if you prefer. In the reference schema, this is automatically set by a trigger.
-
-#### fqdnhash
-The NSEC3 hash of the owner name. The reference schema provides code and a trigger to calculate this, but they are not production quality. The recommendation is to load the dnsjava classes into your database and use their facilities for dealing with DNS names and NSEC3 hashes.
-
-#### ttl
-The TTL for the record set. This should be the same for all members of a record set, but PowerDNS will quietly use the minimum if it encounters different values.
-
-#### type
-The type of the record, as a canonical identification string, e.g. 'AAAA' or 'MX'. You can set this and 'content' NULL to indicate a name that exists, but doesn't carry any record (a so called empty non-terminal) for NSEC/NSEC3 ordering purposes.
-
-#### content
-The data part of the DNS record, in canonical string representation, except that if this includes FQDNs, they should be specified without a trailing dot.
-
-#### last\_change
-The unix timestamp of the last change to this record. Used only for the deprecated autoserial feature. You can omit this unless you want to use that feature.
-
-#### auth
-0 or 1 depending on whether this record is an authoritative member of the zone specified in `zone_id`. These are the rules for determining that: A record is an authoritative member of the zone its owner name belongs to, except for DS records, which are authoritative members of the parent zone. Delegation records, that is, NS records and related A/AAAA glue records, are additionally non-authoritative members of the parent zone.
-
-PowerDNS has a function to automatically set this. OracleBackend doesn't support that. Do it in the database.
-
-### The SQL Statements
-#### Fetching DNS records
-There are five queries to do this. They all share the same set of return columns:
-
-* fqdn: The owner name of the record.
-* ttl: The TTL of the record set.
-* type: The type of the record.
-* content: The content of the record.
-* zone\_id: The numerical identifier of the zone the record belongs to. A record can belong to two zones (delegations/glue), in which case it may be returned twice.
-* last\_change: The unix timestamp of the last time this record was changed. Can safely be set as a constant 0, unless you use the autoserial feature.
-* auth: 1 or 0 depending on the zone membership (authoritative or not).
-
-Record sets (records for the same name of the same type) must appear consecutively, which means **ORDER BY** clauses are needed in some places. Empty non-terminals should be suppressed.
-
-The queries differ in which columns are restricted by 'WHERE' clauses:
-
-##### oracle-basic-query
-Looking for records based on owner name and type. Default:
-
-```
-SELECT fqdn, ttl, type, content, zone_id, last_change, auth
-FROM Records
-WHERE type = :type AND fqdn = lower(:name)
-```
-
-##### oracle-basic-id-query
-Looking for records from one zone based on owner name and type. Default:
-
-```
-SELECT fqdn, ttl, type, content, zone_id, last_change, auth
-FROM Records
-WHERE type = :type AND fqdn = lower(:name) AND zone_id = :zoneid
-```
-
-##### oracle-any-query
-Looking for records based on owner name. Default:
-
-```
-SELECT fqdn, ttl, type, content, zone_id, last_change, auth
-FROM Records
-WHERE fqdn = lower(:name)
- AND type IS NOT NULL
-ORDER BY type
-```
-
-##### oracle-any-id-query
-Looking for records from one zone based on owner name. Default:
-
-```
-SELECT fqdn, ttl, type, content, zone_id, last_change, auth
-FROM Records
-WHERE fqdn = lower(:name)
- AND zone_id = :zoneid
- AND type IS NOT NULL
-ORDER BY type
-```
-
-##### oracle-list-query
-Looking for all records from one zone. Default:
-
-```
-SELECT fqdn, ttl, type, content, zone_id, last_change, auth
-FROM Records
-WHERE zone_id = :zoneid
- AND type IS NOT NULL
-ORDER BY fqdn, type
-```
-
-#### Zone Metadata and TSIG
-
-##### oracle-get-zone-metadata-query
-Fetch the content of the metadata entries of type ':kind' for the zone called ':name', in their original order. Default:
-
-```
-SELECT md.meta_content
-FROM Zones z JOIN ZoneMetadata md ON z.id = md.zone_id
-WHERE z.name = lower(:name) AND md.meta_type = :kind
-ORDER BY md.meta_ind
-```
-
-##### oracle-del-zone-metadata-query
-Delete all metadata entries of type ':kind' for the zone called ':name'. You can skip this if you do not plan to manage zones with the `pdnsutil` tool. Default:
-
-```
-DELETE FROM ZoneMetadata md
-WHERE zone_id = (SELECT id FROM Zones z WHERE z.name = lower(:name))
-AND md.meta_type = :kind
-```
-
-##### oracle-set-zone-metadata-query
-Create a metadata entry. You can skip this if you do not plan to manage zones with the `pdnsutil` tool. Default:
-
-```
-INSERT INTO ZoneMetadata (zone_id, meta_type, meta_ind, meta_content)
-VALUES (
- (SELECT id FROM Zones WHERE name = lower(:name)),
- :kind, :i, :content
-)
-```
-
-##### oracle-get-tsig-key-query
-Retrieved the TSIG key specified by ':name'. Default:
-
-```
-SELECT algorithm, secret
-FROM TSIGKeys
-WHERE name = :name
-```
-
-#### DNSSEC
-##### oracle-get-zone-keys-query
-Retrieve the DNSSEC signing keys for a zone. Default:
-
-```
-SELECT k.id, k.flags, k.active, k.keydata
-FROM ZoneDNSKeys k JOIN Zones z ON z.id = k.zone_id
-WHERE z.name = lower(:name)
-```
-
-##### oracle-del-zone-key-query
-Delete a DNSSEC signing key. You can skip this if you do not plan to manage zones with the `pdnsutil` tool. Default:
-
-```
-DELETE FROM ZoneDNSKeys WHERE id = :keyid
-```
-
-##### oracle-add-zone-key-query
-Add a DNSSEC signing key. You can skip this if you do not plan to manage zones with the `pdnsutil` tool. Default:
-
-```
-INSERT INTO ZoneDNSKeys (id, zone_id, flags, active, keydata) "
-VALUES (
- zonednskeys_id_seq.NEXTVAL,
- (SELECT id FROM Zones WHERE name = lower(:name)),
- :flags,
- :active,
- :content
-) RETURNING id INTO :keyid
-```
-
-##### oracle-set-zone-key-state-query
-Enable or disable a DNSSEC signing key. You can skip this if you do not plan to manage zones with the **pdnsutil** tool. Default:
-
-```
-UPDATE ZoneDNSKeys SET active = :active WHERE id = :keyid
-```
-
-##### oracle-prev-next-name-query
-Determine the predecessor and successor of an owner name, in canonical zone ordering. See the reference implementation for the quick and dirty way, and the RFCs for the full definition of canonical zone ordering.
-
-This statement is a PL/SQL block that writes into two of the bind variables, not a query.
-
-Default:
-
-```
-BEGIN
- get_canonical_prev_next(:zoneid, :name, :prev, :next);
-END;
-```
-
-##### oracle-prev-next-hash-query
-Given an NSEC3 hash, this call needs to return its predecessor and successor in NSEC3 zone ordering into `:prev` and `:next`, and the FQDN of the predecessor into `:unhashed`. Default:
-
-```
-BEGIN
- get_hashed_prev_next(:zoneid, :hash, :unhashed, :prev, :next);
-END;
-```
-
-#### Incoming AXFR
-
-#####oracle-zone-info-query
-Get some basic information about the named zone before doing master/slave things. Default:
-
-```
-SELECT id, name, type, last_check, serial, notified_serial
-FROM Zones
-WHERE name = lower(:name)
-```
-
-##### oracle-delete-zone-query
-Delete all records for a zone in preparation for an incoming zone transfer. This happens inside a transaction, so if the transfer fails, the old zone content will still be there. Default:
-
-```
-DELETE FROM Records WHERE zone_id = :zoneid
-```
-
-##### oracle-insert-record-query
-Insert a record into the zone during an incoming zone transfer. This happens inside the same transaction as delete-zone, so we will not end up with a partially transferred zone. Default:
-
-```
-INSERT INTO Records (id, fqdn, zone_id, ttl, type, content)
-VALUES (records_id_seq.NEXTVAL, lower(:name), :zoneid, :ttl, :type, :content)
-```
-
-##### oracle-finalize-axfr-query
-A block of PL/SQL to be executed after a zone transfer has successfully completed, but before committing the transaction. A good place to locate empty non-terminals, set the `auth` bit and NSEC3 hashes, and generally do any post-processing your schema requires. The do-nothing default:
-
-```
-DECLARE
- zone_id INTEGER := :zoneid;
-BEGIN
- NULL;
-END;
-```
-
-#### Master/Slave Stuff
-
-##### oracle-unfresh-zones-query
-Return a list of zones that need to be checked and their master servers. Return multiple rows, identical except for the master address, for zones with more than one master. Default:
-
-```
-SELECT z.id, z.name, z.last_check, z.serial, zm.master
-FROM Zones z JOIN Zonemasters zm ON z.id = zm.zone_id
-WHERE z.type = 'SLAVE'
- AND (z.last_check IS NULL OR z.last_check + z.refresh < :ts)
-ORDER BY z.id
-```
-
-##### oracle-zone-set-last-check-query
-Set the last check timestamp after a successful check. Default:
-
-```
-UPDATE Zones SET last_check = :lastcheck WHERE id = :zoneid
-```
-
-##### oracle-updated-masters-query
-Return a list of zones that need to have `NOTIFY` packets sent out. Default:
-
-```
-SELECT id, name, serial, notified_serial
-FROM Zones
-WHERE type = 'MASTER'
-AND (notified_serial IS NULL OR notified_serial < serial)
-```
-
-##### oracle-zone-set-notified-serial-query
-Set the last notified serial after packets have been sent. Default:
-
-```
-UPDATE Zones SET notified_serial = :serial WHERE id = :zoneid
-```
-
-##### oracle-also-notify-query
-Return a list of hosts that should be notified, in addition to any nameservers in the NS records, when sending `NOTIFY` packets for the named zone. Default:
-
-```
-SELECT an.hostaddr
-FROM Zones z JOIN ZoneAlsoNotify an ON z.id = an.zone_id
-WHERE z.name = lower(:name)
-```
-
-##### oracle-zone-masters-query
-Return a list of masters for the zone specified by id. Default:
-
-```
-SELECT master
-FROM Zonemasters
-WHERE zone_id = :zoneid
-```
-
-##### oracle-is-zone-master-query
-Return a row if the specified host is a registered master for the named zone. Default:
-
-```
-SELECT zm.master
-FROM Zones z JOIN Zonemasters zm ON z.id = zm.zone_id
-WHERE z.name = lower(:name) AND zm.master = :master
-```
-
-#### Superslave Stuff
-##### oracle-accept-supernotification-query
-If a supernotification should be accepted from ':ip', for the master nameserver ':ns', return a label for this supermaster. Default:
-
-```
-SELECT name
-FROM Supermasters
-WHERE ip = :ip AND nameserver = lower(:ns)
-```
-
-##### oracle-insert-slave-query
-A supernotification has just been accepted, and we need to create an entry for the new zone. Default:
-
-```
-INSERT INTO Zones (id, name, type)
-VALUES (zones_id_seq.NEXTVAL, lower(:zone), 'SLAVE')
-RETURNING id INTO :zoneid
-```
-
-##### oracle-insert-master-query
-We need to register the first master server for the newly created zone. Default:
-
-```
-INSERT INTO Zonemasters (zone_id, master)
-VALUES (:zoneid, :ip)
-```
+++ /dev/null
-# Pipe Backend
-| | |
-|:--|:--|
-|Native|Yes|
-|Master|No|
-|Slave|No|
-|Superslave|No|
-|Autoserial|No|
-|Case|Depends|
-|DNSSEC|Partial, no delegation, no key storage|
-|Disabled data|No|
-|Comments|No|
-|Module name|pipe|
-|Launch name|pipe|
-
-The PipeBackend allows for easy dynamic resolution based on a 'Coprocess' which can be written in any programming language that can read a question on standard input and answer on standard output.
-
-The PipeBackend is primarily meant for allowing rapid development of new backends without tight integration with PowerDNS.
-It allows end-users to write PowerDNS backends in any language, a perl sample is provided.
-The PipeBackend is also very well suited for dynamic resolution of queries.
-Example applications include DNS based load balancing, geo-direction, DNS-based failover with low TTLs.
-
-**Note**: The [Remote Backend](backend-remote.md) offers a superset of the functionality of the PipeBackend.
-
-**Note**: Please do read the [Backend Writer' guide](../appendix/backend-writers-guide.md) carefully.
-The PipeBackend, like all other backends, must not do any DNS thinking, but answer all questions (INCLUDING THE ANY QUESTION) faithfully.
-Specifically, the queries that the PipeBackend receives will not correspond to the queries that arrived over DNS.
-So, a query for an AAAA record may turn into a backend query for an ANY record.
-There is nothing that can or should be done about this.
-
-# Configuration Parameters
-## `pipe-abi-version`
-| | |
-|:-|:-|
-|Type|Integer|
-|Default|1|
-|Mandatory|No|
-
-This is the version of the question format that is sent to the co-process ([`pipe-command`](#pipe-command)) for the pipe backend.
-
-If not set the default `pipe-abi-version` is 1.
-When set to 2, the local-ip-address field is added after the remote-ip-address, the local-ip-address refers to the IP address the question was received on.
-When set to 3, the real remote IP/subnet is added based on edns-subnet support (this also requires enabling [`edns-subnet-processing`](settings.md#edns-subnet-processing)).
-When set to 4 it sends zone name in AXFR request. See also [PipeBackend Protocol](#pipebackend-protocol) below.
-
-## `pipe-command`
-| | |
-|:-|:-|
-|Type|String|
-|Mandatory|Yes|
-
-Command to launch as backend or the path to a unix domain socket file.
-The socket should already be open and listening before PowerDNS starts.
-
-## `pipe-timeout`
-| | |
-|:-|:-|
-|Type|Integer|
-|Default|2000|
-
-Number of milliseconds to wait for an answer from the backend.
-If this time is ever exceeded, the backend is declared dead and a new process is spawned.
-
-## `pipe-regex`
-| | |
-|:-|:-|
-|Type|String (a regex)|
-
-If set, only questions matching this regular expression are even sent to the backend.
-This makes sure that most of PowerDNS does not slow down if you deploy a slow backend.
-A query for 'www.powerdns.com' would be presented to the regex as 'www.powerdns.com', a matching regex would be `^www\.powerdns\.com$`.
-**Note**: to match the root domain, use a dot, e.g. `^\.$`
-
-# PipeBackend protocol
-Questions come in over a file descriptor, by default standard input.
-Answers are sent out over another file descriptor, standard output by default.
-Questions and answers are terminated by single newline (`\n`) characters.
-Fields in lines must be separated by tab ('\t') characters.
-
-## Handshake
-PowerDNS sends out `HELO\t1`, indicating that it wants to speak the protocol as defined in this document, version 1.
-For abi-version 2 or 3, PowerDNS sends `HELO\t2` or `HELO\t3`.
-A PowerDNS Coprocess must then send out a banner, prefixed by `OK\t`, indicating it launched successfully.
-If it does not support the indicated version, it should respond with `FAIL`, but not exit.
-Suggested behaviour is to try and read a further line, and wait to be terminated.
-
-**Note**: fields are separated by a tab ('\t') character, even though they are displayed with spaces in this document.
-
-
-## `Q`: Regular queries for data
-The question format, for type Q questions.
-
-### pipe-abi-version = 1 [default]
-```
-Q qname qclass qtype id remote-ip-address
-```
-
-### pipe-abi-version = 2
-```
-Q qname qclass qtype id remote-ip-address local-ip-address
-```
-
-### pipe-abi-version = 3
-```
-Q qname qclass qtype id remote-ip-address local-ip-address edns-subnet-address
-```
-
-Fields are tab separated, and terminated with a single `\n`.
-The `remote-ip-address` is the IP address of the nameserver asking the question, the `local-ip-address` is the IP address on which the question was received.
-
-Type is the tag above, `qname` is the domain the question is about.
-`qclass` is always 'IN' currently, denoting an INternet question.
-`qtype` is the kind of information desired, the record type, like A, CNAME or AAAA.
-`id` can be specified to help your backend find an answer if the `id` is already known from an earlier query.
-You can ignore it unless you want to support `AXFR`.
-
-`edns-subnet-address` is the actual client subnet as provided via edns-subnet support.
-Note that for the SOA query that precedes an AXFR, edns-subnet is always set to 0.0.0.0/0.
-
-**Note**: Queries for wildcard names should be answered literally, without expansion.
-So, if a backend gets a question for "\*.powerdns.com", it should only answer with data if there is an actual "\*.powerdns.com" name.
-
-**Note**: In some (broken) network setups, the `remote-ip-address` and/or `local-ip-address`, when it is an IPv6 address, may be suffixed with a `%` and
-the name of the network interface (e.g. `%eth1`).
-Keep this in mind when checking the IP addresses.
-
-
-## `AXFR`: List an entire zone
-AXFR-queries look like this:
-
-```
-AXFR id zone-name
-```
-
-The `id` is gathered from the answer to a SOA query. `zone-name` is given in ABI version 4.
-
-## Answers
-Each answer starts with a tag, possibly followed by a TAB and more data.
-
-* `DATA`: Indicating a successful line of DATA.
-* `END`: Indicating the end of an answer - no further data.
-* `FAIL`: Indicating a lookup failure. Also serves as 'END'. No further data.
-* `LOG`: For specifying things that should be logged. Can only be sent after a query and before an END line. After the tab, the message to be logged.
-
-### ABI version 1 and 2
-So, letting it be known that there is no data consists of sending 'END' without anything else.
-The answer format (for abi-version 1 and 2):
-
-```
-DATA qname qclass qtype ttl id content
-```
-
-Again, all fields are tab-separated.
-
-`content` is as specified in [Types](../types.md).
-For MX and SRV, content consists of the priority, followed by a tab, followed by the actual content.
-
-A sample dialogue may look like this (note that in reality, almost all queries will actually be for the ANY qtype):
-
-```
-Q www.example.org IN CNAME -1 203.0.113.210
-DATA www.example.org IN CNAME 3600 1 ws1.example.org
-END
-Q ws1.example.org IN CNAME -1 203.0.113.210
-END
-Q wd1.example.org IN A -1 203.0.113.210
-DATA ws1.example.org IN A 3600 1 192.0.2.4
-DATA ws1.example.org IN A 3600 1 192.0.2.5
-DATA ws1.example.org IN A 3600 1 192.0.2.6
-END
-```
-
-This would correspond to a remote webserver 203.0.113.210 wanting to resolve the IP address of www.example.org, and PowerDNS traversing the CNAMEs to find the IP addresses of ws1.example.org.
-Another dialogue might be:
-
-```
-Q example.org IN SOA -1 203.0.113.210
-DATA example.org IN SOA 86400 1 ahu.example.org ...
-END
-AXFR 1
-DATA example.org IN SOA 86400 1 ahu.example.org ...
-DATA example.org IN NS 86400 1 ns1.example.org
-DATA example.org IN NS 86400 1 ns2.example.org
-DATA ns1.example.org IN A 86400 1 203.0.113.210
-DATA ns2.example.org IN A 86400 1 63.123.33.135
-.
-.
-END
-```
-
-This is a typical zone transfer.
-
-### ABI version 3 and higher
-
-For abi-version 3, DATA-responses get two extra fields:
-
-```
-DATA scopebits auth qname qclass qtype ttl id content
-```
-
-`scopebits` indicates how many bits from the subnet provided in the question (originally from edns-subnet) were used in determining this answer.
-This can aid caching (although PowerDNS does not currently use this value).
-
-The `auth` field indicates whether this response is authoritative, this is for DNSSEC.
-The `auth` field should be set to '1' for data for which the zone itself is authoritative, which includes the SOA record and its own NS records.
-The `auth` field should be 0 for NS records which are used for delegation, and also for any glue (A, AAAA) records present for this purpose. Do note that the DS record for a secure delegation should be authoritative!
-
-For abi-versions 1 and 2, the two new fields fall back to default values.
-The default value for scopebits is 0.
-The default for auth is 1 (meaning authoritative).
-
-## Direct backend commands
-With abi-version 5 you can use [backend-cmd](dnssec.md#pdnsutil) for executing commands on your backend.
-PowerDNS will use the following query/answer format:
-
-```
-CMD Whatever you wrote
-Answer goes here
-And can be multiple lines
-until we see
-END
-```
-
-# Sample backends
-
-* [ABI version 1](https://raw.githubusercontent.com/PowerDNS/pdns/master/modules/pipebackend/backend.pl)
-* [ABI version 3](https://raw.githubusercontent.com/PowerDNS/pdns/master/modules/pipebackend/backend-v3.pl)
-* [ABI version 5](https://raw.githubusercontent.com/PowerDNS/pdns/master/modules/pipebackend/backend-v5.pl)
+++ /dev/null
-# Random Backend
-
-* Native: Yes
-* Master: No
-* Slave: No
-* Superslave: No
-* Autoserial: No
-* Case: Depends
-* DNSSEC: Yes, no key storage
-* Disabled data: No
-* Comments: No
-* Module name: built in
-* Launch: random
-
-This is a very silly backend which is discussed in the [Backends writer's guide](../appendix/backend-writers-guide.md#simple-backends) as a demonstration on how to write a PowerDNS backend.
-
-This backend knows about only one hostname, and only about its IP address at that. With every query, a new random IP address is generated.
-
-It only makes sense to load the random backend in combination with a regular backend. This can be done by prepending it to the [`launch`](settings.md#launch) instruction, such as `launch=random,gmysql`.
-
-## Configuration Parameters
-### `random-hostname`
-* String
-
-Hostname for which to supply a random IP address.
+++ /dev/null
-# Remote Backend
-**Warning**: The Remote Backend is available since PowerDNS Authoritative Server 3.2. This backend is stable on version 3.3, not before.
-
-| | |
-|:--|:--|
-|Native|Yes|
-|Master|Yes*|
-|Slave|Yes*|
-|Superslave|Yes*|
-|Autoserial|Yes*|
-|DNSSEC|Yes*|
-|Multiple instances|Yes|
-
-\* If provided by the responder (your script).
-
-This backend provides Unix socket, Pipe, HTTP and ZeroMQ remoting for powerdns. You should think this as normal RPC thin client, which converts native C++ calls into JSON/RPC and passes them to you via connector.
-
-## Important notices
-Please do not use remotebackend shipped before version 3.3. This version has severe bug that can crash the entire process.
-
-There is a breaking change on v4.0 and later. Before version 4.0, the DNS names passed in queries were without trailing dot, after version 4.0 the DNS names are sent with trailing dot. F.ex. example.org is now sent as example.org.
-
-In some (broken) network setups, the IP addresses provided in the request (when
-this is an IPv6 address) may be suffixed with a `%` and the name of the network
-interface (e.g. `%eth1`). Keep this in mind when checking the IP addresses.
-
-## Compiling
-To compile this backend, you need to configure `--with-modules="remote"`.
-
-For versions prior to 3.4.0, if you want to use http connector, you need libcurl and use `--enable-remotebackend-http`.
-
-If you want to use ZeroMQ connector, you need libzmq-dev or libzmq3-dev and use `--enable-remotebackend-zeromq`.
-
-## Usage
-The only configuration options for backend are remote-connection-string and remote-dnssec.
-
-```
-remote-connection-string=<type>:<param>=<value>,<param>=<value>...
-```
-
-You can pass as many parameters as you want. For unix and pipe connectors, these are passed along to the remote end as initialization. See [API](#api). Initialize is not called for http connector.
-
-### Unix connector
-parameters: path, timeout (default 2000ms)
-
-```
-remote-connection-string=unix:path=/path/to/socket
-```
-
-### Pipe connector
-parameters: command,timeout (default 2000ms)
-
-```
-remote-connection-string=pipe:command=/path/to/executable,timeout=2000
-```
-
-### HTTP connector
-parameters: url, url-suffix, post, post\_json, timeout (default 2000ms)
-
-```
-remote-connection-string=http:url=http://localhost:63636/dns,url-suffix=.php
-```
-
-HTTP connector tries to do RESTful requests to your server. See examples. You can also use post to change behaviour so that it will send POST request to url/method + url\_suffix with parameters=json-formatted-parameters. If you use post and post\_json, it will POST url with text/javascript containing JSON formatted RPC request, just like for pipe and unix. You can use '1', 'yes', 'on' or 'true' to turn these features on.
-
-URL should not end with /, and url-suffix is optional, but if you define it, it's up to you to write the ".php" or ".json". Lack of dot causes lack of dot in URL. Timeout is divided by 1000 because libcurl only supports seconds, but this is given in milliseconds for consistency with other connectors.
-
-HTTPS is not supported, [stunnel](https://www.stunnel.org) is the suggested workaround. HTTP Authentication is not supported.
-
-### ZeroMQ connector
-parameters: endpoint, timeout (default 2000ms)
-
-```
-remote-connection-string=zeromq:endpoint=ipc:///tmp/tmp.sock
-```
-
-0MQ connector implements a REQ/REP RPC model. Please see <http://zeromq.org/> for more information.
-
-# API
-## Queries
-Unix, Pipe and ZeroMQ connectors send JSON formatted strings to the remote end. Each JSON query has two sections, 'method' and 'parameters'.
-
-HTTP connector calls methods based on URL and has parameters in the query string. Most calls are GET; see the methods listing for details. You can change this with post and post\_json attributes.
-
-## Replies
-You **must** always reply with JSON hash with at least one key, 'result'. This must be boolean false if the query failed. Otherwise it must conform to the expected result. For HTTP connector, to signal bare success, you can just reply with HTTP 200 OK, and omit any output. This will result in same outcome as sending {"result":true}.
-
-You can optionally add an array of strings to the 'log' array; each line in this array will be logged in PowerDNS at loglevel `info` (6).
-
-## Methods
-### `initialize`
-Called to initialize the backend. This is not called for HTTP connector. You should do your initializations here.
-
-* Mandatory: Yes (except HTTP connector)
-* Parameters: all parameters in connection string
-* Reply: true on success / false on failure
-
-#### Example JSON/RPC
-Query:
-```
-{"method":"initialize", "parameters":{"command":"/path/to/something", "timeout":"2000", "something":"else"}}
-```
-
-Response:
-```
-{"result":true}
-```
-
-### `lookup`
-This method is used to do the basic query. You can omit auth, but if you are using DNSSEC this can lead into trouble.
-
-* Mandatory: Yes
-* Parameters: qtype, qname, zone\_id
-* Optional parameters: remote, local, real-remote
-* Reply: array of `qtype,qname,content,ttl,domain\_id,scopeMask,auth`
-* Optional values: domain\_id, scopeMask and auth
-* Note: priority field is required before 4.0, after 4.0 priority is added to content. This applies to any resource record which uses priority, for example SRV or MX.
-
-#### Example JSON/RPC
-Query:
-```
-{"method":"lookup", "parameters":{"qtype":"ANY", "qname":"www.example.com.", "remote":"192.0.2.24", "local":"192.0.2.1", "real-remote":"192.0.2.24", "zone-id":-1}}
-```
-
-Response:
-```
-{"result":[{"qtype":"A", "qname":"www.example.com", "content":"203.0.113.2", "ttl": 60}]}
-```
-
-#### Example HTTP/RPC
-Query:
-```
-GET /dnsapi/lookup/www.example.com./ANY HTTP/1.1
-X-RemoteBackend-remote: 192.0.2.24
-X-RemoteBackend-local: 192.0.2.1
-X-RemoteBackend-real-remote: 192.0.2.24
-X-RemoteBackend-zone-id: -1
-```
-
-Response:
-```
-HTTP/1.1 200 OK
-Content-Type: text/javascript; charset=utf-8
-
-{"result":[{"qtype":"A", "qname":"www.example.com", "content":"203.0.113.2", "ttl": 60}]}
-```
-
-### `list`
-Lists all records for the zonename. If you are running dnssec, you should take care of setting auth to appropriate value, otherwise things can go wrong.
-
-* Mandatory: No (Gives AXFR support)
-* Parameters: zonename, domain\_id
-* Optional parameters: domain\_id
-* Reply: array of `qtype,qname,content,ttl,domain\_id,scopeMask,auth`
-* Optional values: domain\_id, scopeMask and auth
-
-#### Example JSON/RPC
-Query:
-```
-{"method":"list", "parameters":{"zonename":"example.com.","domain_id":-1}}
-```
-
-Response (split into lines for ease of reading)
-```
-{"result":[
- {"qtype":"SOA", "qname":"example.com", "content":"dns1.icann.org. hostmaster.icann.org. 2012081600 7200 3600 1209600 3600", "ttl": 3600},
- {"qtype":"NS", "qname":"example.com", "content":"ns1.example.com", "ttl": 60},
- {"qtype":"MX", "qname":"example.com", "content":"10 mx1.example.com.", "ttl": 60},
- {"qtype":"A", "qname":"www.example.com", "content":"203.0.113.2", "ttl": 60},
- {"qtype":"A", "qname":"ns1.example.com", "content":"192.0.2.2", "ttl": 60},
- {"qtype":"A", "qname":"mx1.example.com", "content":"192.0.2.3", "ttl": 60}
-]}
-```
-
-#### Example HTTP/RPC
-Query:
-```
-GET /dnsapi/list/-1/example.com HTTP/1.1
-X-RemoteBackend-domain-id: -1
-```
-
-Response:
-```
-HTTP/1.1 200 OK
-Content-Type: text/javascript; charset=utf-8
-
-{"result":[{"qtype":"SOA", "qname":"example.com", "content":"dns1.icann.org. hostmaster.icann.org. 2012081600 7200 3600 1209600 3600", "ttl": 3600},{"qtype":"NS", "qname":"example.com", "content":"ns1.example.com", "ttl": 60},{"qtype":"MX", "qname":"example.com", "content":"10 mx1.example.com.", "ttl": 60},{"qtype":"A", "qname":"www.example.com", "content":"203.0.113.2", "ttl": 60},{"qtype":"A", "qname":"ns1.example.com", "content":"192.0.2.2", "ttl": 60},{"qtype":"A", "qname":"mx1.example.com", "content":"192.0.2.3", "ttl": 60}]}
-```
-
-### `getBeforeAndAfterNamesAbsolute`
-Asks the names before and after qname. qname is given without dots or domain part. The query will be hashed when using NSEC3. Care must be taken to handle wrap-around when qname is first or last in the ordered list. Do not return nil for either one.
-
-* Mandatory: for NSEC/NSEC3 non-narrow
-* Parameters: id, qname
-* Reply: before, after
-
-#### Example JSON/RPC
-Query:
-```
-{"method":"getbeforeandafternamesabsolute", "params":{"id":0,"qname":"www.example.com"}}
-```
-
-Response:
-```
-{”result":{"before":"ns1","after":""}}
-```
-
-#### Example HTTP/RPC
-Query:
-```
-/dnsapi/getbeforeandafternamesabsolute/0/www.example.com
-```
-
-Response:
-```
-{”result":{"before":"ns1","after":""}}
-```
-
-### `getAllDomainMetadata`
-Returns the value(s) for variable kind for zone name. You **must** always return something, if there are no values, you shall return empty set or false.
-* Mandatory: No
-* Parameters: name
-* Reply: hash of key to array of strings
-
-#### Example JSON/RPC
-Query:
-```
-{"method":"getalldomainmetadata", "parameters":{"name":"example.com"}}
-```
-
-Response:
-```
-{"result":{"PRESIGNED":["0"]}}
-```
-
-#### Example HTTP/RPC
-Query:
-```
-GET /dnsapi/getalldomainmetadata/example.com HTTP/1.1
-```
-
-Response:
-```
-HTTP/1.1 200 OK
-Content-Type: text/javascript; charset=utf-8
-
-{"result":{"PRESIGNED":["0"]}}
-```
-
-### `getDomainMetadata`
-Returns the value(s) for variable kind for zone name. Most commonly it's one of NSEC3PARAM, PRESIGNED, SOA-EDIT. Can be others, too. You **must** always return something, if there are no values, you shall return empty array or false.
-
-* Mandatory: No
-* Parameters: name, kind
-* Reply: array of strings
-
-#### Example JSON/RPC
-Query:
-```
-{"method":"getdomainmetadata", "parameters":{"name":"example.com.","kind":"PRESIGNED"}}
-```
-
-Response:
-```
-{"result":["0"]}
-```
-
-#### Example HTTP/RPC
-Query:
-```
-GET /dnsapi/getdomainmetadata/example.com./PRESIGNED HTTP/1.1
-```
-
-Response:
-```
-HTTP/1.1 200 OK
-Content-Type: text/javascript; charset=utf-8
-
-{"result":["0"]}
-```
-
-### `setDomainMetadata`
-Replaces the value(s) on domain name for variable kind to string(s) on array value. The old value is discarded. Value can be an empty array, which can be interpreted as deletion request.
-
-* Mandatory: No
-* Parameters: name, kind, value
-* Reply: true on success, false on failure
-
-#### Example JSON/RPC
-Query:
-```
-{"method":"setdomainmetadata","parameters":{"name":"example.com","kind":"PRESIGNED","value":["YES"]}}
-```
-
-Response:
-```
-{"result":true}
-```
-
-#### Example HTTP/RPC
-Query:
-```
-PATCH /dnsapi/setdomainmetadata/example.com/PRESIGNED HTTP/1.1
-Content-Type: application/x-www-form-urlencoded
-Content-Length: 12
-
-value[]=YES&
-```
-
-Response:
-```
-HTTP/1.1 200 OK
-Content-Type: text/javascript; charset=utf-8
-
-{"result":true}
-```
-
-### `getDomainKeys`
-Retrieves any keys of kind. The id, flags are unsigned integers, and active is boolean. Content must be valid key record in format that PowerDNS understands. You are encouraged to implement [the section called "addDomainKey"](#adddomainkey), as you can use [`pdnsutil`](../manpages/pdnsutil.1.md) to provision keys.
-
-* Mandatory: for DNSSEC
-* Parameters: name, kind
-* Reply: array of `id, flags, active, content`
-
-#### Example JSON/RPC
-Query:
-```
-{"method":"getdomainkeys","parameters":{"name":"example.com."}}
-```
-
-Response:
-```
-{"result":[{"id":1,"flags":256,"active":true,"content":"Private-key-format: v1.2
-Algorithm: 8 (RSASHA256)
-Modulus: r+vmQll38ndQqNSCx9eqRBUbSOLcH4PZFX824sGhY2NSQChqt1G4ZfndzRwgjXMUwiE7GkkqU2Vbt/g4iP67V/+MYecMV9YHkCRnEzb47nBXvs9JCf8AHMCnma567GQjPECh4HevPE9wmcOfpy/u7UN1oHKSKRWuZJadUwcjbp8=
-PublicExponent: AQAB
-PrivateExponent: CYC93UtVnOM6wrFJZ+qA9+Yx+p5yk0CSi0Q7c+/6EVMuABQ5gNyTuu0j65lU3X81bwUk2wHPx6smfgoVDRAW5jjO4jgIFV6nE4inzk5YQKycQSL8YG3Nm9GciLFya1KUXs81sHsQpkvK7MNaSbvkaHZQ6iv16bZ4t73Wascwa/E=
-Prime1: 6a165cIC0nNsGlTW/s2jRu7idq5+U203iE1HzSIddmWgx5KIKE/s3I+pwfmXYRUmq+4H9ASd/Yot1lSYW98szw==
-Prime2: wLoCPKxxnuxDx6/9IKOYz8t9ZNLY74iCeQ85koqvTctkFmB9jpOUHTU9BhecaFY2euP9CuHV7z3PLtCoO8s1MQ==
-Exponent1: CuzJaiR/7UboLvL4ekEy+QYCIHpX/Z6FkiHK0ZRevEJUGgCHzRqvgEBXN3Jr2WYbwL4IMShmGoxzSCn8VY9BkQ==
-Exponent2: LDR9/tyu0vzuLwc20B22FzNdd5rFF2wAQTQ0yF/3Baj5NAi9w84l0u07KgKQZX4g0N8qUyypnU5YDyzc6ZoagQ==
-Coefficient: 6S0vhIQITWzqfQSLj+wwRzs6qCvJckHb1+SD1XpwYjSgMTEUlZhf96m8WiaE1/fIt4Zl2PC3fF7YIBoFLln22w=="}]}
-```
-
-#### Example HTTP/RPC
-Query:
-```
-GET /dnsapi/getdomainkeys/example.com/0 HTTP/1.1
-```
-
-Response:
-```
-HTTP/1.1 200 OK
-Content-Type: text/javascript; charset=utf-8
-
-{"result":[{"id":1,"flags":256,"active":true,"content":"Private-key-format: v1.2
-Algorithm: 8 (RSASHA256)
-Modulus: r+vmQll38ndQqNSCx9eqRBUbSOLcH4PZFX824sGhY2NSQChqt1G4ZfndzRwgjXMUwiE7GkkqU2Vbt/g4iP67V/+MYecMV9YHkCRnEzb47nBXvs9JCf8AHMCnma567GQjPECh4HevPE9wmcOfpy/u7UN1oHKSKRWuZJadUwcjbp8=
-PublicExponent: AQAB
-PrivateExponent: CYC93UtVnOM6wrFJZ+qA9+Yx+p5yk0CSi0Q7c+/6EVMuABQ5gNyTuu0j65lU3X81bwUk2wHPx6smfgoVDRAW5jjO4jgIFV6nE4inzk5YQKycQSL8YG3Nm9GciLFya1KUXs81sHsQpkvK7MNaSbvkaHZQ6iv16bZ4t73Wascwa/E=
-Prime1: 6a165cIC0nNsGlTW/s2jRu7idq5+U203iE1HzSIddmWgx5KIKE/s3I+pwfmXYRUmq+4H9ASd/Yot1lSYW98szw==
-Prime2: wLoCPKxxnuxDx6/9IKOYz8t9ZNLY74iCeQ85koqvTctkFmB9jpOUHTU9BhecaFY2euP9CuHV7z3PLtCoO8s1MQ==
-Exponent1: CuzJaiR/7UboLvL4ekEy+QYCIHpX/Z6FkiHK0ZRevEJUGgCHzRqvgEBXN3Jr2WYbwL4IMShmGoxzSCn8VY9BkQ==
-Exponent2: LDR9/tyu0vzuLwc20B22FzNdd5rFF2wAQTQ0yF/3Baj5NAi9w84l0u07KgKQZX4g0N8qUyypnU5YDyzc6ZoagQ==
-Coefficient: 6S0vhIQITWzqfQSLj+wwRzs6qCvJckHb1+SD1XpwYjSgMTEUlZhf96m8WiaE1/fIt4Zl2PC3fF7YIBoFLln22w=="}]}
-```
-
-### `addDomainKey`
-Adds key into local storage. See [`getDomainKeys`](#getdomainkeys) for more information.
-
-* Mandatory: No
-* Parameters: name, key=`<flags,active,content>`, id
-* Reply: true for success, false for failure
-
-#### Example JSON/RPC
-Query:
-```
-{"method":"adddomainkey", "parameters":{"key":{"id":1,"flags":256,"active":true,"content":"Private-key-format: v1.2
-Algorithm: 8 (RSASHA256)
-Modulus: r+vmQll38ndQqNSCx9eqRBUbSOLcH4PZFX824sGhY2NSQChqt1G4ZfndzRwgjXMUwiE7GkkqU2Vbt/g4iP67V/+MYecMV9YHkCRnEzb47nBXvs9JCf8AHMCnma567GQjPECh4HevPE9wmcOfpy/u7UN1oHKSKRWuZJadUwcjbp8=
-PublicExponent: AQAB
-PrivateExponent: CYC93UtVnOM6wrFJZ+qA9+Yx+p5yk0CSi0Q7c+/6EVMuABQ5gNyTuu0j65lU3X81bwUk2wHPx6smfgoVDRAW5jjO4jgIFV6nE4inzk5YQKycQSL8YG3Nm9GciLFya1KUXs81sHsQpkvK7MNaSbvkaHZQ6iv16bZ4t73Wascwa/E=
-Prime1: 6a165cIC0nNsGlTW/s2jRu7idq5+U203iE1HzSIddmWgx5KIKE/s3I+pwfmXYRUmq+4H9ASd/Yot1lSYW98szw==
-Prime2: wLoCPKxxnuxDx6/9IKOYz8t9ZNLY74iCeQ85koqvTctkFmB9jpOUHTU9BhecaFY2euP9CuHV7z3PLtCoO8s1MQ==
-Exponent1: CuzJaiR/7UboLvL4ekEy+QYCIHpX/Z6FkiHK0ZRevEJUGgCHzRqvgEBXN3Jr2WYbwL4IMShmGoxzSCn8VY9BkQ==
-Exponent2: LDR9/tyu0vzuLwc20B22FzNdd5rFF2wAQTQ0yF/3Baj5NAi9w84l0u07KgKQZX4g0N8qUyypnU5YDyzc6ZoagQ==
-Coefficient: 6S0vhIQITWzqfQSLj+wwRzs6qCvJckHb1+SD1XpwYjSgMTEUlZhf96m8WiaE1/fIt4Zl2PC3fF7YIBoFLln22w=="}}}
-```
-
-Response:
-```
-{"result":true}
-```
-
-#### Example HTTP/RPC
-Query:
-```
-PUT /dnsapi/adddomainkey/example.com
-Content-Type: application/x-www-form-urlencoded
-Content-Length: 965
-
-flags=256&active=1&content=Private-key-format: v1.2
-Algorithm: 8 (RSASHA256)
-Modulus: r+vmQll38ndQqNSCx9eqRBUbSOLcH4PZFX824sGhY2NSQChqt1G4ZfndzRwgjXMUwiE7GkkqU2Vbt/g4iP67V/+MYecMV9YHkCRnEzb47nBXvs9JCf8AHMCnma567GQjPECh4HevPE9wmcOfpy/u7UN1oHKSKRWuZJadUwcjbp8=
-PublicExponent: AQAB
-PrivateExponent: CYC93UtVnOM6wrFJZ+qA9+Yx+p5yk0CSi0Q7c+/6EVMuABQ5gNyTuu0j65lU3X81bwUk2wHPx6smfgoVDRAW5jjO4jgIFV6nE4inzk5YQKycQSL8YG3Nm9GciLFya1KUXs81sHsQpkvK7MNaSbvkaHZQ6iv16bZ4t73Wascwa/E=
-Prime1: 6a165cIC0nNsGlTW/s2jRu7idq5+U203iE1HzSIddmWgx5KIKE/s3I+pwfmXYRUmq+4H9ASd/Yot1lSYW98szw==
-Prime2: wLoCPKxxnuxDx6/9IKOYz8t9ZNLY74iCeQ85koqvTctkFmB9jpOUHTU9BhecaFY2euP9CuHV7z3PLtCoO8s1MQ==
-Exponent1: CuzJaiR/7UboLvL4ekEy+QYCIHpX/Z6FkiHK0ZRevEJUGgCHzRqvgEBXN3Jr2WYbwL4IMShmGoxzSCn8VY9BkQ==
-Exponent2: LDR9/tyu0vzuLwc20B22FzNdd5rFF2wAQTQ0yF/3Baj5NAi9w84l0u07KgKQZX4g0N8qUyypnU5YDyzc6ZoagQ==
-Coefficient: 6S0vhIQITWzqfQSLj+wwRzs6qCvJckHb1+SD1XpwYjSgMTEUlZhf96m8WiaE1/fIt4Zl2PC3fF7YIBoFLln22w==
-```
-
-Response:
-```
-HTTP/1.1 200 OK
-Content-Type: text/javascript; charset=utf-8
-
-{"result":true}
-```
-
-### `removeDomainKey`
-Removes key id from domain name.
-
-* Mandatory: No
-* Parameters: name, id
-* Reply: true for success, false for failure
-
-#### Example JSON/RPC
-Query:
-```
-{"method":"removedomainkey","parameters":"{"name":"example.com","id":1}}
-```
-
-Response:
-```
-{"result":true}
-```
-
-#### Example HTTP/RPC
-Query:
-```
-DELETE /dnsapi/removedomainkey/example.com/1 HTTP/1.1
-```
-
-Response:
-```
-HTTP/1.1 200 OK
-Content-Type: text/javascript; charset=utf-8
-
-{"result":true}
-```
-
-### `activateDomainKey`
-Activates key id for domain name.
-
-* Mandatory: No
-* Parameters: name, id
-* Reply: true for success, false for failure
-
-#### Example JSON/RPC
-Query:
-```
-{"method":"activatedomainkey","parameters":{"name":"example.com","id":1}}
-```
-
-Response:
-```
-{"result":true}
-```
-
-#### Example HTTP/RPC
-Query:
-```
-POST /dnsapi/activatedomainkey/example.com/1 HTTP/1.1
-```
-
-Response:
-```
-HTTP/1.1 200 OK
-Content-Type: text/javascript; utf-8
-
-{"result": true}
-```
-
-### `deactivateDomainKey`
-Deactivates key id for domain name.
-
-* Mandatory: No
-* Parameters: name, id
-* Reply: true for success, false for failure
-
-#### Example JSON/RPC
-Query:
-```
-{"method":"deactivatedomainkey","parameters":{"name":"example.com","id":1}}
-```
-
-Response:
-```
-{"result": true}
-```
-
-#### Example HTTP/RPC
-Query:
-```
-POST /dnsapi/deactivatedomainkey/example.com/1 HTTP/1.1
-```
-
-Response:
-```
-HTTP/1.1 200 OK
-Content-Type: text/javascript; utf-8
-
-{"result": true}
-```
-
-### `getTSIGKey`
-Retrieves the key needed to sign AXFR.
-
-* Mandatory: No
-* Parameters: name
-* Reply: algorithm, content
-
-#### Example JSON/RPC
-Query:
-```
-{"method":"gettsigkey","parameters":{"name":"example.com."}}
-```
-
-Response:
-```
-{"result":{"algorithm":"hmac-md5","content:"kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys="}}
-```
-
-#### Example HTTP/RPC
-Query:
-```
-GET /dnsapi/gettsigkey/example.com.
-```
-
-Response:
-```
-HTTP/1.1 200 OK
-Content-Type: text/javascript; charset=utf-8
-
-{"result":{"algorithm":"hmac-md5","content:"kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys="}}
-```
-
-### `getDomainInfo`
-Retrieves information about given domain from the backend. If your return value has no zone attribute, the backend will signal error. Everything else will default to something. Default values: serial:0, kind:NATIVE, id:-1, notified\_serial:-1, last\_check:0, masters: []. Masters, if present, must be array of strings.
-
-* Mandatory: No
-* Parameters: name
-* Reply: zone
-* Optional values: serial, kind, id, notified\_serial, last\_check, masters
-
-#### Example JSON/RPC
-Query:
-```
-{"method":"getdomaininfo","parameters":{"name":"example.com"}}
-```
-
-Response:
-```
-{"result":{id:1,"zone":"example.com","kind":"NATIVE","serial":2002010100}}
-```
-
-#### Example HTTP/RPC
-Query:
-```
-GET /dnsapi/getdomaininfo/example.com HTTP/1.1
-```
-
-Response:
-```
-HTTP/1.1 200 OK
-content-Type: text/javascript: charset=utf-8
-
-{"result":{id:1,"zone":"example.com","kind":"NATIVE","serial":2002010100}}
-```
-
-### `setNotified`
-Updates last notified serial for the domain id. Any errors are ignored.
-
-* Mandatory: No
-* Parameters: id, serial
-* Reply: true for success, false for failure
-
-#### Example JSON/RPC
-Query:
-```
-{"method":"setnotified","parameters":{"id":1,"serial":2002010100}}
-```
-
-Response:
-```
-{"result":true}
-```
-
-#### Example HTTP/RPC
-Query:
-```
-PATCH /dnsapi/setnotified/1
-Content-Type: application/x-www-form-urlencoded
-Content-Length: 17
-
-serial=2002010100
-```
-
-Response:
-```
-HTTP/1.1 200 OK
-Content-Type: text/javascript; charset=utf-8
-
-{"result":true}
-```
-
-### `isMaster`
-Determines whether given IP is master for given domain name.
-
-* Mandatory: No
-* Parameters: name,ip
-* Reply: true for success, false for failure.
-
-#### Example JSON/RPC
-Query:
-```
-{"method":"isMaster","parameters":{"name":"example.com","ip":"198.51.100.0.1"}}
-```
-
-Response:
-```
-{"result":true}
-```
-
-#### Example HTTP/RPC
-Query:
-```
-GET /dnsapi/isMaster/example.com/198.51.100.0.1
-```
-
-Response:
-```
-HTTP/1.1 200 OK
-Content-Type: text/javascript; charset=utf-8
-
-{"result":true}
-```
-
-### `superMasterBackend`
-Creates new domain with given record(s) as master servers. IP address is the address where notify is received from. nsset is array of NS resource records.
-
-* Mandatory: No
-* Parameters: ip,domain,nsset,account
-* Reply: true for success, false for failure. can also return account=>name of account< and nameserver.
-
-#### Example JSON/RPC
-Query:
-```
-{"method":"superMasterBackend","parameters":{"ip":"198.51.100.0.1","domain":"example.com","nsset":[{"qtype":"NS","qname":"example.com","qclass":1,"content":"ns1.example.com","ttl":300,"auth":true},{"qtype":"NS","qname":"example.com","qclass":1,"content":"ns2.example.com","ttl":300,"auth":true}]}}
-```
-
-Response:
-```
-{"result":true}
-```
-
-Alternative response:
-```
-{"result":{"account":"my account","nameserver":"ns2.example.com"}}
-```
-
-#### Example HTTP/RPC
-Query:
-```
-POST /dnsapi/supermasterbackend/198.51.100.0.1/example.com
-Content-Type: application/x-www-form-urlencoded
-Content-Length: 317
-
-nsset[1][qtype]=NS&nsset[1][qname]=example.com&nsset[1][qclass]=1&nsset[1][content]=ns1.example.com&nsset[1][ttl]=300&nsset[1][auth]=true&nsset[2][qtype]=NS&nsset[2][qname]=example.com&nsset[2][qclass]=1&nsset[2][content]=ns2.example.com&nsset[2][ttl]=300&nsset[2][auth]=true
-```
-
-Response:
-```
-HTTP/1.1 200 OK
-Content-Type: text/javascript; charset=utf-8
-
-{"result":true}
-```
-
-Alternative response
-```
-HTTP/1.1 200 OK
-Content-Type: text/javascript; charset=utf-8
-
-{"result":{"account":"my account}}
-```
-
-### `createSlaveDomain`
-Creates new domain. This method is called when NOTIFY is received and you are superslaving.
-
-Mandatory: No
-Parameters: ip, domain
-Optional parameters: nameserver, account
-Reply: true for success, false for failure
-
-#### Example JSON/RPC
-Query:
-```
-{"method":"createSlaveDomain","parameters":{"ip":"198.51.100.0.1","domain":"pirate.example.net"}}
-```
-
-Response:
-```
-{"result":true}
-```
-
-#### Example HTTP/RPC
-Query:
-```
-POST /dnsapi/createslavedomain/198.51.100.0.1/pirate.example.net
-Content-Type: application/x-www-form-urlencoded
-Content-Length: 0
-```
-
-Response:
-```
-HTTP/1.1 200 OK
-Content-Type: text/javascript; charset=utf-8
-
-{"result":true}
-```
-
-### `replaceRRSet`
-This method replaces a given resource record with new set. The new qtype can be different from the old.
-
-* Mandatory: No
-* Parameters: domain\_id, qname, qtype, rrset
-* Reply: true for success, false for failure
-
-#### Example JSON/RPC
-Query:
-```
-{"method":"replaceRRSet","parameters":{"domain_id":2,"qname":"replace.example.com","qtype":"A","trxid":1370416133,"rrset":[{"qtype":"A","qname":"replace.example.com","qclass":1,"content":"1.1.1.1","ttl":300,"auth":true}]}}
-```
-
-Response:
-```
-{"result":true}
-```
-
-#### Example HTTP/RPC
-Query:
-```
-PATCH /dnsapi/replacerrset/2/replace.example.com/A
-Content-Type: application/x-www-form-urlencoded
-Content-Length: 135
-
-trxid=1370416133&rrset[qtype]=A&rrset[qname]=replace.example.com&rrset[qclass]=1&rrset[content]=1.1.1.1&rrset[auth]=1
-```
-
-Response:
-```
-HTTP/1.1 200 OK
-Content-Type: text/javascript; charset=utf-8
-
-{"result":true}
-```
-
-### `feedRecord`
-Asks to feed new record into system. If startTransaction was called, trxId identifies a transaction. It is not always called by PowerDNS.
-
-* Mandatory: No
-* Parameters: rr, trxid
-* Reply: true for success, false for failure
-
-#### Example JSON/RPC
-Query:
-```
-{"method":"feedRecord","parameters":{"rr":{"qtype":"A","qname":"replace.example.com","qclass":1,"content":"127.0.0.1","ttl":300,"auth":true},"trxid":1370416133}}
-```
-
-Response:
-```
-{"result":true}
-```
-
-#### Example HTTP/RPC
-Query:
-```
-PATCH /dnsapi/feedrecord/1370416133
-Content-Type: application/x-www-form-urlencoded
-Content-Length: 117
-
-rr[qtype]=A&rr[qname]=replace.example.com&rr[qclass]=1&rr[content]=127.0.0.1&rr[ttl]=300&rr[auth]=true
-```
-
-Response:
-```
-HTTP/1.1 200 OK
-Content-Type: text/javascript; charset=utf-8
-
-{"result":true}
-```
-
-### `feedEnts`
-This method is used by pdnsutil rectify-zone to populate missing non-terminals. This is used when you have, say, record like \_sip.\_upd.example.com, but no \_udp.example.com. PowerDNS requires that there exists a non-terminal in between, and this instructs you to add one. If startTransaction is called, trxid identifies a transaction.
-
-* Mandatory: No
-* Parameters: nonterm, trxid
-* Reply: true for success, false for failure
-
-#### Example JSON/RPC
-Query:
-```
-{"method":"feedEnts","parameters":{"domain_id":2,"trxid":1370416133,"nonterm":["_sip._udp","_udp"]}}
-```
-
-Response:
-```
-{"result":true}
-```
-
-#### Example HTTP/RPC
-Query:
-```
-PATCH /dnsapi/feedents/2
-Content-Type: application/x-www-form-urlencoded
-Content-Length: 50
-
-trxid=1370416133&nonterm[]=_udp&nonterm[]=_sip.udp
-```
-
-Response:
-```
-HTTP/1.1 200 OK
-Content-Type: text/javascript; charset=utf-8
-
-{"result":true}
-```
-
-### `feedEnts3`
-Same as [`feedEnts`](#feedents), but provides NSEC3 hashing parameters. Note that salt is BYTE value, and can be non-readable text.
-
-* Mandatory: No
-* Parameters: trxid, domain\_id, domain, times, salt, narrow, nonterm
-* Reply: true for success, false for failure
-
-#### Example JSON/RPC\
-Query:
-```
-{"method":"feedEnts3","parameters":{"domain_id":2,"domain":"example.com","times":1,"salt":"9642","narrow":false,"trxid":1370416356,"nonterm":["_sip._udp","_udp"]}}
-```
-
-Response:
-```
-{"result":true}
-```
-
-#### Example HTTP/RPC
-Query:
-```
-PATCH /dnsapi/2/example.com
-Content-Type: application/x-www-form-urlencoded
-Content-Length: 78
-
-trxid=1370416356×=1&salt=9642&narrow=0&nonterm[]=_sip._udp&nonterm[]=_udp
-```
-
-Response:
-```
-HTTP/1.1 200 OK
-Content-Type: text/javascript; charset=utf-8
-
-{"result":true}
-```
-
-### `startTransaction`
-Starts a new transaction. Transaction ID is chosen for you. Used to identify f.ex. AXFR transfer.
-
-* Mandatory: No
-* Parameters: domain\_id, domain, trxid
-* Reply: true for success, false for failure
-
-#### Example JSON/RPC
-Query:
-```
-{"method":"startTransaction","parameters":{"trxid":1234,"domain_id":1,"domain":"example.com"}}
-```
-
-Response:
-```
-{"result":true}
-```
-
-#### Example HTTP/RPC
-Query:
-```
-POST /dnsapi/starttransaction/1/example.com
-Content-Type: application/x-www-form-urlencoded
-Content-Length: 10
-
-trxid=1234
-```
-
-Response:
-```
-HTTP/1.1 200 OK
-Content-Type: text/javascript; charset=utf-8
-
-{"result":true}
-```
-
-### `commitTransaction`
-Signals successful transfer and asks to commit data into permanent storage.
-
-* Mandatory: No
-* Parameters: trxid
-* Reply: true for success, false for failure
-
-#### Example JSON/RPC
-Query:
-```
-{"method":"commitTransaction","parameters":{"trxid":1234}}
-```
-
-Response:
-```
-{"result":true}
-```
-
-#### Example HTTP/RPC
-Query:
-```
-POST /dnsapi/committransaction/1234
-Content-Type: application/x-www-form-urlencoded
-Content-Length: 0
-```
-
-Response:
-```
-HTTP/1.1 200 OK
-Content-Type: text/javascript; charset=utf-8
-
-{"result":true}
-```
-
-### `abortTransaction`
-Signals failed transaction, and that you should rollback any changes.
-
-* Mandatory: No
-* Parameters: trxid
-* Reply: true for success, false for failure
-
-#### Example JSON/RPC
-Query:
-```
-{"method":"abortTransaction","parameters":{"trxid":1234}}
-```
-
-Response:
-```
-{"result":true}
-```
-
-#### Example HTTP/RPC
-Query:
-```
-POST /dnsapi/aborttransaction/1234
-Content-Type: application/x-www-form-urlencoded
-Content-Length: 0
-```
-
-Response:
-```
-HTTP/1.1 200 OK
-Content-Type: text/javascript; charset=utf-8
-
-{"result":true}
-```
-
-### `calculateSOASerial`
-Asks you to calculate a new serial based on the given data and update the serial.
-
-* Mandatory: No
-* Parameters: domain,sd
-* Reply: true for success, false for failure
-
-#### Example JSON/RPC
-Query:
-```
-{"method":"calculateSOASerial","parameters":{"domain":"unit.test","sd":{"qname":"unit.test","nameserver":"ns.unit.test","hostmaster":"hostmaster.unit.test","ttl":300,"serial":1,"refresh":2,"retry":3,"expire":4,"default_ttl":5,"domain_id":-1,"scopeMask":0}}}
-```
-
-Response:
-```
-{"result":2013060501}
-```
-
-#### Example HTTP/RPC
-Query:
-```
-POST /dnsapi/calculatesoaserial/unit.test
-Content-Type: application/x-www-form-urlencoded
-Content-Length: 198
-
-sd[qname]=unit.test&sd[nameserver]=ns.unit.test&sd[hostmaster]=hostmaster.unit.test&sd[ttl]=300&sd[serial]=1&sd[refresh]=2&sd[retry]=3&sd[expire]=4&sd[default_ttl]=5&sd[domain_id]=-1&sd[scopemask]=0
-```
-
-Response:
-```
-HTTP/1.1 200 OK
-Content-Type: text/javascript; charset=utf-8
-
-{"result":2013060501}
-```
-
-### `directBackendCmd`
-Can be used to send arbitrary commands to your backend using (backend-cmd)(dnssec.md#pdnsutil).
-
-* Mandatory: no
-* Parameters: query
-* Reply: anything but boolean false for success, false for failure
-
-#### Example JSON/RPC
-Query:
-```
-{"method":"directBackendCmd","parameters":{"query":"PING"}}
-```
-
-Response:
-```
-{"result":"PONG"}
-```
-
-#### Example HTTP/RPC
-Query:
-```
-POST /dnsapi/directBackendCmd
-Content-Type: application/x-www-form-urlencoded
-Content-Length: 10
-
-query=PING
-```
-
-Response:
-```
-HTTP/1.1 200 OK
-Content-Type: text/javascript; charset=utf-8
-
-{"result":"PONG"}
-```
-
-### `getAllDomains`
-Get DomainInfo records for all domains in your backend.
-
-* Mandatory: no
-* Parameters: include_disabled
-* Reply: array of DomainInfo
-
-#### Example JSON/RPC
-Query:
-```
-{"method": "getAllDomains", "parameters": {"include_disabled": true}}
-```
-
-Response:
-```
-{"result":[{"id":1,"zone":"unit.test.","masters":["10.0.0.1"],"notified_serial":2,"serial":2,"last_check":1464693331,"kind":"native"}]}
-```
-
-#### Example HTTP/RPC
-Query:
-```
-GET /dnsapi/getAllDomains?includeDisabled=true
-```
-
-Response:
-```
-HTTP/1.1 200 OK
-Content-Type: text/javascript; charset=utf-8
-Content-Length: 135
-{"result":[{"id":1,"zone":"unit.test.","masters":["10.0.0.1"],"notified_serial":2,"serial":2,"last_check":1464693331,"kind":"native"}]}
-```
-
-### `searchRecords`
-Can be used to search records from the backend. This is used by web api.
-
-* Mandatory: no
-* Parameters: pattern, maxResults
-* Reply: same as [lookup](#lookup) or false to indicate failed search
-
-#### Example JSON/RPC
-Query:
-```
-{"method":"searchRecords","parameters":{"pattern":"www.example*","maxResults":100}}
-```
-
-Response:
-```
-{"result":[{"qtype":"A", "qname":"www.example.com", "content":"203.0.113.2", "ttl": 60}]}
-```
-
-#### Example HTTP/RPC
-Query:
-```
-GET /dnsapi/searchRecords?q=www.example*&maxResults=100
-```
-
-Response:
-```
-HTTP/1.1 200 OK
-Content-Type: text/javascript; charset=utf-8
-
-{"result":[{"qtype":"A", "qname":"www.example.com", "content":"203.0.113.2", "ttl": 60}]}
-```
-
-# Examples
-## Scenario: SOA lookup via pipe, unix or zeromq connector
-Query:
-```
-{
- "method": "lookup",
- "parameters": {
- "qname": "example.com",
- "qtype": "SOA",
- "zone_id": "-1"
- }
-}
-```
-
-Reply:
-```
-{
- "result":
- [
- { "qtype": "SOA",
- "qname": "example.com",
- "content": "dns1.icann.org. hostmaster.icann.org. 2012080849 7200 3600 1209600 3600",
- "ttl": 3600,
- "domain_id": -1
- }
- ]
-}
-```
-
-## Scenario: SOA lookup with HTTP connector
-Query:
-```
-/dns/lookup/example.com/SOA
-```
-
-Reply:
-```
-{
- "result":
- [
- { "qtype": "SOA",
- "qname": "example.com",
- "content": "dns1.icann.org. hostmaster.icann.org. 2012080849 7200 3600 1209600 3600",
- "ttl": 3600,
- "domain_id": -1
- }
- ]
-}
-```
+++ /dev/null
-# TinyDNS Backend
-
-* Native: Yes
-* Master: Yes
-* Slave: No
-* Superslave: No
-* Autoserial: No
-* DNSSEC: No
-* Multiple Instances: Yes
-* Module name: tinydns
-* Launch: tinydns
-
-The TinyDNS backend allows you to use [djbdns's](http://cr.yp.to/djbdns.html) `data.cdb` file format as the storage of your DNS records. The `data.cdb` file is created using [tinydns-data](http://cr.yp.to/djbdns/tinydns-data.html). The backend is designed to be able to use the `data.cdb` files without any changes.
-
-## Configuration Parameters
-These are the configuration file parameters that are available for the TinyDNS backend. It is recommended to set the `tinydns-dbfile`.
-
-### `tinydns-dbfile`
-* String
-* Default: data.cdb
-
-Specifies the name of the data file to use.
-
-### `tinydns-tai-adjust`
-* Integer
-* Default: 11
-
-This adjusts the [TAI](http://www.tai64.com/) value if timestamps are used. These seconds will be added to the start point (1970) and will allow you to adjust for leap seconds. The current default is 11. The last update was on [june 30th 2012](http://hpiers.obspm.fr/iers/bul/bulc/bulletinc.dat).
-
-### `tinydns-notify-on-startup`
-* Boolean
-* Default: no
-
-Tell the TinyDNSBackend to notify all the slave nameservers on startup. This might cause broadcast storms.
-
-### `tinydns-ignore-bogus-records`
-* Boolean
-* Default: no
-
-The `tinydns-data` program can create data.cdb files that have bad/corrupt RDATA. PowerDNS will crash when it tries to read that bad/corrupt data. This option (change to yes), allows you to ignore that bad RDATA to make PowerDNS operate when bad data is in your CDB file. Be aware that the records are then ignored, where tinydns would still send out the bogus data. The option is primarily useful in master mode, as that reads all the packets in the zone to find all the SOA records.
-
-### `tinydns-locations`
-* Boolean
-* Default: yes
-
-Enable or Disable location support in the backend. Changing the value to 'no' will make the backend ignore the locations. This then returns all records. When the setting is changed to 'no' an AXFR will also return all the records. With the setting on 'yes' an AXFR will only return records without a location.
-
-## Location and Timestamp support
-Both timestamp and location are supported in the backend. Locations support can be changed using the [`tinydns-locations`](#tinydns-locations) setting. Timestamp and location only work as expected when [`cache-ttl`](settings.md#cache-ttl) and [`query-cache-ttl`](settings.md#query-cache-ttl) are set to 0 (which disables these caches). Timestamp can operate with [`cache-ttl`](settings.md#cache-ttl) if cache is needed, but the TTL returned for the timestamped racked will not be totally correct. The record will expire once the cache is expired and the backend is queried again. Please note that [`cache-ttl`](settings.md#cache-ttl) is a performance related setting. See [Performance related settings](performance.md). Location support only exists for IPv4!
-
-## Master mode
-The TinyDNSBackend supports master mode. This allows it to notify slave nameservers of updates to a zone. You simply need to rewrite the `data.cdb` file with an updated/increased serial and PowerDNS will notify the slave nameservers of that domain. The [`tinydns-notify-on-startup`](#tinydns-notify-on-startup) configuration setting tells the backend if it should notify all the slave nameservers just after startup.
-
-The CDB datafile does not allow PowerDNS to easily query for newly added domains or updated serial numbers. The CDB datafile requires us to do a full scan of all the records. When running with verbose logging, this could lead to a lot of output. The scanning of the CDB file may also take a while on systems with large files. The scan happens at an interval set by the [`slave-cycle-interval`](settings.md#slave-cycle-interval). It might be useful to raise this value to limit the amount of scans on the CDB file.
-
-The TinyDNSBackend also keeps a list of all the zones. This is needed to detect an updated serial and to give every zone a unique id. The list is updated when a zone is added, but not when a zone is removed. This leads to some memory loss.
-
-## Useful implementation Notes
-This backend might solve some issues you have with the current tinydns noted on [Jonathan de Boyne Pollard's](http://homepage.ntlworld.com/jonathan.deboynepollard/author.html) [djbdns known problems page](http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/djbdns-problems.html).
-
-The `data.cdb` file format support all types of records. They are sometimes difficult to create because you need to specify the actual content of the rdata. [Tinydns.org](http://tinydns.org/) provides a number of links to tools/cgi-scripts that allow you to create records. [Anders Brownworth](http://anders.com/) also provides a number of useful record building scripts on his [djbdnsRecordBuilder](http://anders.com/projects/sysadmin/djbdnsRecordBuilder/).
-
-PowerDNS and TinyDNS handle wildcards differently. Looking up foo.www.example.com with the below records on TinyDNS will return 198.51.100.1, PowerDNS will return NXDOMAIN. According to [RFC 4592](https://tools.ietf.org/html/rfc4592) \*.example.com should only match subdomains in under example.com, not \*.\*.example.com. This compatibility issue is [noted on the axfer-get page for the djbdns suite](https://cr.yp.to/djbdns/axfr-get.html).
-
-```
-*.example.com A 198.51.100.1
-www.example.com A 198.51.100.1
-```
-
-Compiling the TinyDNS backend requires you to have [tinycdb](http://www.corpit.ru/mjt/tinycdb.html) version 0.77.
+++ /dev/null
-# Serving authoritative DNSSEC data
-PowerDNS contains support for DNSSEC, enabling the easy serving of DNSSEC secured
-data, with minimal administrative overhead.
-
-In PowerDNS, DNS and signatures and keys are (usually) treated as separate
-entities. The domain & record storage is thus almost completely devoid of DNSSEC
-record types.
-
-Instead, keying material is stored separately, allowing operators to focus on the
-already complicated task of keeping DNS data correct. In practice, DNSSEC related
-material is often stored within the same database, but within separate tables.
-
-If a DNSSEC configuration is found for a domain, the PowerDNS daemon will provide
-key records, signatures and (hashed) denials of existence automatically.
-
-As an example, securing an existing zone can be as simple as:
-
-```
-$ pdnsutil secure-zone powerdnssec.org
-```
-
-Alternatively, PowerDNS can serve pre-signed zones, without knowledge of
-private keys.
-
-# A brief introduction to DNSSEC
-DNSSEC is a complicated subject, but it is not required to know all the ins and
-outs of this protocol to be able to use PowerDNS. In this section, we explain the
-core concepts that are needed to operate a PowerDNSSEC installation.
-
-Zone material is enhanced with signatures using 'keys'. Such a signature (called
-an RRSIG) is a cryptographic guarantee that the data served is the original data.
-DNSSEC keys are asymmetric (RSA, DSA, ECSDA or GOST), the public part is published
-in DNS and is called a DNSKEY record, and is used for verification. The private
-part is used for signing and is never published.
-
-To make sure that the internet knows that the key that is used for signing is the
-authentic key, confirmation can be gotten from the parent zone. This means that
-to become operational, a zone operator will have to publish a representation of
-the signing key to the parent zone, often a ccTLD or a gTLD. This representation
-is called a DS record, and is a shorter (hashed) version of the DNSKEY.
-
-Once the parent zone has the DS, and the zone is signed with the DNSSEC key, we
-are done in theory.
-
-However, for a variety of reasons, most DNSSEC operations run with another layer
-of keys. The so called 'Key Signing Key' is sent to the parent zone, and this Key
-Signing Key is used to sign a new set of keys called the Zone Signing Keys.
-
-This setup allows us to change our keys without having to tell the zone operator
-about it.
-
-A final challenge is how to DNSSEC sign the answer 'no such domain'. In the
-language of DNS, the way to say 'there is no such domain' (NXDOMAIN) or there is
-no such record type is to send an empty answer. Such empty answers are universal,
-and can't be signed.
-
-In DNSSEC parlance we therefore sign a record that says 'there are no domains
-between A.powerdnssec.org and C.powerdnssec.org'. This securely tells the world
-that B.powerdnssec.org does not exist. This solution is called NSEC, and is
-simple but has downsides - it also tells the world exactly which records DO exist.
-
-So alternatively, we can say that if a certain mathematical operation (an
-'iterated salted hash') is performed on a question, that no valid answers exist
-that have as outcome of this operation an answer between two very large numbers.
-This leads to the same 'proof of non-existence'. This solution is called NSEC3.
-
-A PowerDNS zone can either be operated in NSEC or in one of two NSEC3 modes
-('inclusive' and 'narrow').
-
-# Profile, Supported Algorithms and Record Types
-PowerDNS aims to serve unexciting, standards compliant, DNSSEC information. One
-goal is to have relevant parts of our output be identical or equivalent to important
-fellow-traveller software like NLNetLabs' NSD.
-
-Particularly, if a PowerDNS secured zone is transferred via AXFR, it should be
-able to contain the same records as when that zone was signed using `ldns-signzone`
-using the same keys and settings.
-
-PowerDNS supports serving pre-signed zones, as well as online ('live') signed
-operations. In the last case, Signature Rollover and Key Maintenance are fully
-managed by PowerDNS.
-
-## Supported Algorithms
-Supported Algorithms (See the [IANA website](http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1) for more information):
-
-- RSASHA1 (algorithm 5, algorithm 7)
-- RSASHA256 (algorithm 8)
-- RSASHA512 (algorithm 10)
-- ECC-GOST (algorithm 12)
-- ECDSA (algorithm 13 and 14)
-
-For the DS records, these [digest types](http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml#ds-rr-types-1)
-are supported:
-
-- SHA-1 (algorithm 1)
-- SHA-256 (algorithm 2)
-- GOST R 34.11-94 (algorithm 3)
-- SHA-384 (algorithm 4)
-
-This corresponds to:
-- [RFC 4033](http://tools.ietf.org/html/rfc4033): DNS Security Introduction and Requirements
-- [RFC 4034](http://tools.ietf.org/html/rfc4034): Resource Records for the DNS Security Extensions, Protocol Modifications for the DNS Security Extensions
-- [RFC 4035](http://tools.ietf.org/html/rfc4035): Protocol Modifications for the DNS Security Extensions
-- [RFC 4509](http://tools.ietf.org/html/rfc4509): Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)
-- [RFC 5155](http://tools.ietf.org/html/rfc5155): DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
-- [RFC 5702](http://tools.ietf.org/html/rfc5702): Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC
-- [RFC 5933](http://tools.ietf.org/html/rfc5933): Use of GOST Signature Algorithms in DNSKEY and RRSIG Resource Records for DNSSEC
-- [RFC 6605](http://tools.ietf.org/html/rfc6605): Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC
-
-In order to facilitate interoperability with existing technologies, PowerDNS keys
-can be imported and exported in industry standard formats.
-
-When using OpenSSL for ECDSA signatures (this is default), starting from OpenSSL
-1.1.0, the algorithm used is resilient against PRNG failure, while not
-strictly conforming to [RFC 6979](http://tools.ietf.org/html/rfc6979).
-
-**Note**: Actual supported algorithms depend on the crypto-libraries PowerDNS was
-compiled against. To check the supported DNSSEC algoritms in your build of PowerDNS,
-run `pdnsutil list-algorithms`.
-
-# DNSSEC Modes of Operation
-Traditionally, DNSSEC signatures have been added to unsigned zones, and then this
-signed zone could be served by any DNSSEC capable authoritative server. PowerDNS
-supports this mode fully.
-
-In addition, PowerDNS supports taking care of the signing itself, in which case
-PowerDNS operates differently from most tutorials and handbooks. This mode is
-easier however.
-
-For relevant tradeoffs, please see [Security](#security) and
-[Performance](#performance.html).
-
-## Online Signing
-In the simplest situation, there is a single "SQL" database that contains, in
-separate tables, all domain data, keying material and other DNSSEC related settings.
-
-This database is then replicated to all PowerDNS instances, which all serve
-identical records, keys and signatures.
-
-In this mode of operation, care should be taken that the database replication
-occurs over a secure network, or over an encrypted connection. This is because
-keying material, if intercepted, could be used to counterfeit DNSSEC data using
-the original keys.
-
-Such a single replicated database requires no further attention beyond monitoring
-already required during non-DNSSEC operations.
-
-### Records, Keys, signatures, hashes within PowerDNS in online signing mode
-Within PowerDNS live signing, keys are stored separately from the zone records.
-Zone data are only combined with signatures and keys when requests come in over
-the internet.
-
-Each zone can have a number of keys associated with it, with varying key lengths.
-Typically 1 or at most 2 of these keys are employed as actual Zone Signing Keys (ZSKs).
-During normal operations, this means that only 1 ZSK is 'active', and the other is inactive.
-
-Should it be desired to 'roll over' to a new key, both keys can temporarily be
-active (and used for signing), and after a while the old key can be inactivated.
-Subsequently it can be removed.
-
-As elucidated above, there are several ways in which DNSSEC can deny the existence
-of a record, and this setting too is stored away from zone records, and lives
-with the DNSSEC keying material.
-
-### (Hashed) Denial of Existence
-PowerDNS supports unhashed secure denial of existence using NSEC records. These
-are generated with the help of the (database) backend, which needs to be able
-to supply the 'previous' and 'next' records in canonical ordering.
-
-The Generic SQL Backends have fields that allow them to supply these relative
-record names.
-
-In addition, hashed secure denial of existence is supported using NSEC3 records,
-in two modes, one with help from the database, the other with the help of some
-additional calculations.
-
-NSEC3 in 'broad' or 'inclusive' mode works with the aid of the backend, where
-the backend should be able to supply the previous and next domain names in hashed
-order.
-
-NSEC3 in 'narrow' mode uses additional hashing calculations to provide hashed
-secure denial of existence 'on the fly', without further involving the database.
-
-### Signatures
-In PowerDNS live signing mode, signatures, as served through RRSIG records, are
-calculated on the fly, and heavily cached. All CPU cores are used for the calculation.
-
-RRSIGs have a validity period, in PowerDNS by default this period starts at most
-a week in the past, and continues at least a week into the future.
-
-Precisely speaking, the time period used is always from the start of the previous
-Thursday until the Thursday two weeks later. This two-week interval jumps with
-one-week increments every Thursday.
-
-**Note**: Why Thursday? POSIX-based operating systems count the time since GMT
-midnight January 1st of 1970, which was a Thursday. PowerDNS inception/expiration
-times are generated based on an integral number of weeks having passed since the
-start of the 'epoch'.
-
-PowerDNS also serves the DNSKEY records in live-signing mode. Their TTL is derived
-from the SOA records *minimum* field. When using NSEC3, the TTL of the NSEC3PARAM
-record is also derived from that field.
-
-## Pre-signed records
-In this mode, PowerDNS serves zones that already contain DNSSEC records. Such
-zones can either be slaved from a remote master, or can be signed using tools
-like OpenDNSSEC, ldns-signzone or dnssec-signzone.
-
-Even in this mode, PowerDNS will synthesize NSEC(3) records itself because of its
-architecture. RRSIGs of these NSEC(3) will still need to be imported. See the
-[Presigned migration guide](#From-existing-DNSSEC-non-PowerDNS-setups-pre-signed).
-
-## Front-signing
-As a special feature, PowerDNS can operate as a signing server which operates as
-a slave to an unsigned master.
-
-In this way, if keying material is available for an unsigned zone that is
-retrieved from a master server, this keying material will be used when serving
-data from this zone.
-
-As part of the zone retrieval, the equivalent of `pdnsutil rectify-zone` is run
-to make sure that all DNSSEC-related fields are set correctly in the backend.
-
-## Signed AXFR
-An outgoing zone transfer from a signing master contains all information
-required for the receiving party to rectify the zone without knowing the keys,
-such as signed NSEC3 records for empty non-terminals. The zone is not required
-to be rectified on the master.
-
-Signatures and Hashing is similar as described [above](#online-signing).
-
-## BIND-mode operation
-Starting with PowerDNS 3.1, the bindbackend can manage keys in an SQLite3 database
-without launching a separate gsqlite3 backend.
-
-To use this mode, add [`bind-dnssec-db=/var/db/bind-dnssec-db.sqlite3`](backend-bind.md#bind-dnssec-db)
-to pdns.conf, and run `pdnsutil create-bind-db /var/db/bind-dnssec-db.sqlite3`.
-Then, restart PowerDNS.
-
-After this, you can use `pdnsutil secure-zone` and all other pdnsutil commands
-on your BIND zones without trouble.
-
-## Hybrid BIND-mode operation
-**Warning**: This mode is only supported in 3.0, 3.0.1 and 3.4.0 and up! In 3.1
-to 3.3.1, the bindbackend always did its own key storage. In 3.4.0 and up hybrid
-bind mode operation is optional and enabled with the bindbackend [`hybrid`](backend-bind.md#bind-hybrid)
-config option.
-
-PowerDNS can also operate based on 'BIND'-style zone & configuration files. This
-'bindbackend' has full knowledge of DNSSEC, but has no native way of storing
-keying material.
-
-However, since PowerDNS supports operation with multiple simultaneous backends,
-this is not a problem.
-
-In hybrid mode, keying material and zone records are stored in different backends.
-This allows for 'bindbackend' operation in full DNSSEC mode.
-
-To benefit from this mode, include at least one database-based backend in the
-'launch' statement. The [Generic SQLite backend (gsqlite3)](backend-generic-sqlite.md)
-probably complements BIND mode best, since it does not require a database server
-process.
-
-**Warning**: For now, it is necessary to execute a manual SQL 'insert' into the
-domains table of the backend hosting the keying material. This is needed to
-generate a zone-id for the relevant domain. Sample SQL statement:
-
-```
-insert into domains (name, type) values ('powerdnssec.org', 'NATIVE');
-```
-
-# `pdnsutil`
-`pdnsutil` (previously called `pdnssec`) is a powerful command that is the
-operator-friendly gateway into PowerDNS configuration. Behind the scenes,
-`pdnsutil` manipulates a PowerDNS backend database, which also means that for
-many databases, `pdnsutil` can be run remotely, and can configure key material
-on different servers.
-
-For a list of available commands, see the [manpage](../manpages/pdnsutil.1.md).
-
-## DNSSEC Defaults
-Since version 4.0, when securing a zone using `pdnsutil secure-zone`, a single
-ECDSA (algorithm 13, ECDSAP256SHA256) key is generated that is used as ZSK.
-Before 4.0, 3 RSA (algorithm 8) keys were generated, one as the KSK and two ZSKs.
-As all keys are online in the database, it made no sense to have this split-key
-setup.
-
-The default negative answer strategy is NSEC.
-
-**Note**: not all registrars support algorithm 13.
-
-# Migration
-This chapter discusses various migration strategies, from existing PowerDNS setups,
-from existing unsigned installations and finally from previous non-PowerDNS
-DNSSEC deployments.
-
-## From an existing PowerDNS installation
-To migrate an existing database-backed PowerDNS installation, ensure you are
-running at least PowerDNS 3.3.3 and preferably 3.4 or newer.
-
-If you run an older version of PowerDNS, please upgrade to 3.4 and apply all the
-changes in database schemas as shown in the [upgrade documentation](upgrading.md).
-
-**Warning**: Once the relevant `backend-dnssec` switch has been set, stricter
-rules apply for filling out the database! The short version is: run
-`pdnsutil rectify-all-zones`, even those not secured with DNSSEC! For more
-information, see the [DNSSEC documentation for Generic SQL backends](backend-generic-sql.md#handling-dnssec-signed-zones).
-
-To deliver a correctly signed zone with the [DNSSEC defaults](#dnssec-defaults),
-invoke:
-
-```
-pdnsutil secure-zone ZONE
-```
-
-To view the DS records for this zone (to transfer to the parent zone), run
-
-```
-pdnsutil show-zone ZONE
-```
-
-For a more traditional setup with a KSK and a ZSK, use the following sequence
-of commands:
-
-```
-pdnsutil add-zone-key ZONE ksk 2048 active rsasha256
-pdnsutil add-zone-key ZONE zsk 1024 active rsasha256
-pdnsutil add-zone-key ZONE zsk 1024 inactive rsasha256
-```
-
-This will add a 2048-bit RSA Key Signing Key and two 1024-bit RSA Zone Signing Keys.
-One of the ZSKs is inactive and can be rolled to if needed.
-
-## From existing non-DNSSEC non-PowerDNS setups
-It is recommended to [migrate to PowerDNS](migration.md) before securing your
-zones. After that, see the instructions [above](#from-an-existing-PowerDNS-installation).
-
-## From existing DNSSEC non-PowerDNS setups, pre-signed
-Industry standard signed zones can be served natively by PowerDNS, without
-changes. In such cases, signing happens externally to PowerDNS, possibly via
-OpenDNSSEC, ldns-sign or dnssec-sign.
-
-PowerDNS needs to know if a zone should receive DNSSEC processing. To configure,
-run `pdnsutil set-presigned ZONE`.
-
-If you import presigned zones into your database, please do not import the NSEC
-or NSEC3 records. PowerDNS will synthesize these itself. Putting them in the
-database might cause duplicate records in responses. [`zone2sql`](migration.md#zone2sql)
-filters NSEC and NSEC3 automatically.
-
-**Warning** Right now, you will also need to configure NSEC(3) settings for
-pre-signed zones using `pdnsutil set-nsec3`. Default is NSEC, in which case no
-further configuration is necessary.
-
-## From existing DNSSEC non-PowerDNS setups, live signing
-The `pdnsutil` tool features the option to import zone keys in the industry
-standard private key format, version 1.2. To import an existing KSK, use
-
-```
-pdnsutil import-zone-key ZONE FILENAME ksk
-```
-
-replace 'ksk' by 'zsk' for a Zone Signing Key.
-
-If all keys are imported using this tool, a zone will serve mostly identical
-records to before, with the important change that the RRSIG inception dates will
-be different.
-
-**Note**: Within PowerDNS, the 'algorithm' for RSASHA1 keys is modulated based
-on the NSEC3 setting. So if an algorithm=7 key is imported in a zone with no
-configured NSEC3, it will appear as algorithm 5!
-
-# DNSSEC advice & precautions
-DNSSEC is a major change in the way DNS works. Furthermore, there is a bewildering
-array of settings that can be configured.
-
-It is well possible to configure DNSSEC in such a way that your domain will not
-operate reliably, or even, at all. We advise operators to stick to the keying
-defaults of `pdnsutil secure-zone`.
-
-**Note**: GOST may be more widely available in Russia, because it might be
-mandatory to implement this regional standard there.
-
-It is possible to operate a zone with different keying algorithms simultaneously,
-but it has also been observed that this is not reliable.
-
-Depending on your master/slave setup, you may need to tinker with the
-[`SOA-EDIT`](domainmetadata.md#soa-edit) metadata on your master. This is described
-in the [operational instructions](#soa-edit) below.
-
-## Packet sizes, fragments, TCP/IP service
-DNSSEC answers contain (bulky) keying material and signatures, and are therefore
-a lot larger than regular DNS answers. Normal DNS responses almost always fit in
-the 'magical' 512 byte limit previously imposed on DNS.
-
-In order to support DNSSEC, operators must make sure that their network allows for:
-
-- Larger than 512 byte UDP packets on port 53
-- Fragmented UDP packets
-- ICMP packets related to fragmentation
-- TCP queries on port 53
-- EDNS0 queries/responses (filtered by some firewalls)
-
-If any of the conditions outlined above is not met, DNSSEC service will suffer
-or be completely unavailable.
-
-In addition, the larger your DNS answers, the more critical the above becomes.
-It is therefore advised not to provision too many keys, or keys that are
-unnecessarily large.
-
-# Operational instructions
-Several How to's describe operational practices with DNSSEC:
-
-* [KSK Rollover](howtos.md#ksk-rollover)
-* [ZSK Rollover](howtos.md#zsk-rollover)
-
-Below, frequently used commands are described:
-
-## Publishing a DS
-To publish a DS to a parent zone, utilize `pdnsutil show-zone` and take the DS
-from its output, and transfer it securely to your parent zone.
-
-## Going insecure
-```
-pdnsutil disable-dnssec ZONE
-```
-
-**Warning**: Going insecure with a zone that has a DS record in the parent zone
-will make the zone BOGUS. Make sure the parent zone removes the DS record *before*
-going insecure.
-
-## Setting the NSEC modes and parameters
-As stated earlier, PowerDNS uses NSEC by default. If you want to use NSEC3 instead,
-issue:
-
-```
-pdnsutil set-nsec3 ZONE [PARAMETERS]
-```
-
-e.g.
-
-```
-pdnsutil set-nsec3 example.net '1 0 1 ab'
-```
-
-The quoted part is the content of the NSEC3PARAM records, as defined in [RFC 5155
-](https://tools.ietf.org/html/rfc5155#section-4), in order:
-
-* Hash algorithm, should always be `1` (SHA1)
-* Flags, set to `1` for [NSEC3 Opt-out](https://tools.ietf.org/html/rfc5155#section-6), this best set as `0`
-* Number of iterations of the hash function, read [RFC 5155, Section 10.3](https://tools.ietf.org/html/rfc5155#section-10.3) for recommendations
-* Salt (in hexadecimal) to apply during hashing
-
-To convert a zone from NSEC3 to NSEC operations, run:
-
-```
-pdnsutil unset-nsec3 ZONE
-```
-
-**Warning**: Don't change from NSEC to NSEC3 (or the other way around) for zones
-with algorithm 5 (RSASHA1), 6 (DSA-NSEC3-SHA1) or 7 (RSASHA1-NSEC3-SHA1).
-
-## SOA-EDIT: ensure signature freshness on slaves
-As RRSIGs can expire, slave servers need to know when to re-transfer the zone. In
-most implementations (BIND, NSD), this is done by re-signing the full zone outside
-of the nameserver, increasing the SOA serial and serving the new zone on the master.
-
-With PowerDNS in Live-signing mode, the SOA serial is not increased by default
-when the RRSIG dates are rolled.
-
-For zones that use [native](modes-of-operation.md#native-operation) replication
-PowerDNS will serve valid RRSIGs on all servers.
-
-For [master](modes-of-operation.md#master-operation) zones (where replication
-happens by means of AXFR), PowerDNS slaves will automatically re-transfer the zone
-when it notices the RRSIGs have changed, even when the SOA serial is not increased.
-This ensures the zone never serves old signatures.
-
-If your DNS setup uses non-PowerDNS slaves, the slaves need to know when the
-signatures have been updated. This can be accomplished by setting the
-[SOA-EDIT](domainmetadata.md#soa-edit) metadata for DNSSEC signed zones. This
-value controls how the value of the SOA serial is modified by PowerDNS.
-
-**Note**: The SOA serial in the datastore will be untouched, SOA-EDIT is applied
-to DNS answers with the SOA record.
-
-The [`default-soa-edit`](settings.md#default-soa-edit) or [`default-soa-edit-signed`](settings.md#default-soa-edit-signed)
-configuration options can instead be set to ensure SOA-EDIT is set for every zone.
-
-### Possible SOA-EDIT values
-The 'inception' refers to the time the RRSIGs got updated in
-[live-signing mode](#online-signing). This happens every week (see [Signatures](#signatures)).
-The inception time does not depend on local timezone, but some modes below will
-use localtime for representation.
-
-#### INCREMENT-WEEKS
-Increments the serial with the number of weeks since the UNIX epoch. This should
-work in every setup; but the result won't look like YYYYMMDDSS anymore.
-
-For example: a serial of 12345678 will become 12348079 on Wednesday 13th of January
-2016 (2401 weeks after the epoch).
-
-#### INCEPTION-EPOCH
-Sets the new SOA serial number to the maximum of the old SOA serial number, and
-age in seconds of the last inception. This requires your backend zone to use the
-number of seconds since the UNIX epoch as SOA serial. The result is still the age
-in seconds of the last change to the zone, either by operator changes to the zone
-or the 'addition' of new RRSIGs.
-
-As an example, a serial of 12345678 becomes 1452124800 on Wednesday 13th of January
-2016.
-
-#### INCEPTION-INCREMENT
-Uses YYYYMMDDSS format for SOA serial numbers. If the SOA serial from the backend
-is within two days after inception, it gets incremented by two (the backend should
-keep SS below 98). Otherwise it uses the maximum of the backend SOA serial number
-and inception time in YYYYMMDD01 format. This requires your backend zone to use
-YYYYMMDDSS as SOA serial format. Uses localtime to find the day for inception time.
-
-This changes a serial of 2015120810 to 2016010701 on Wednesday 13th of January
-2016.
-
-#### INCEPTION (not recommended)
-Sets the SOA serial to the last inception time in YYYYMMDD01 format. Uses localtime
-to find the day for inception time.
-
-**Warning**: The SOA serial will only change on inception day, so changes to the
-zone will get visible on slaves only on the following inception day.
-
-**Note**: Will be removed in PowerDNS Authoritative Server 4.1.0
-
-#### INCEPTION-WEEK (not recommended)
-Sets the SOA serial to the number of weeks since the epoch, which is the last
-inception time in weeks.
-
-**Warning**: Same problem as INCEPTION.
-
-**Note**: Will be removed in PowerDNS Authoritative Server 4.1.0
-
-#### EPOCH
-Sets the SOA serial to the number of seconds since the epoch.
-
-**Warning**: Don't combine this with AXFR - the slaves would keep refreshing all
-the time. If you need fast updates, sync the backend databases directly with
-incremental updates (or use the same database server on the slaves)
-
-**Note**: Will be removed in PowerDNS Authoritative Server 4.1.0
-
-#### NONE
-Ignore [`default-soa-edit`](settings.md#default-soa-edit) and/or
-[`default-soa-edit-signed`](settings.md#default-soa-edit-signed) settings.
-
-# PKCS\#11 support
-**Note**: This feature is experimental, and not ready for production. Use at your own risk!
-**Note**: As of version 4.0, slot IDs are deprecated, and you are expected to use slot label instead
-
-To enable it, compile PowerDNS Authoritative Server using
-`--enable-experimental-pkcs11` flag on configure. This requires you to have
-p11-kit libraries and headers.
-
-You can also log on to the tokens after starting server, in this case you need
-to edit your PKCS#11 cryptokey record and remove PIN or set it empty. PIN is
-required for assigning keys to zone.
-
-## Using with SoftHSM
-To test this feature, a software HSM can be used. It is **not recommended** to
-use this in production.
-
-Instructions on how to setup SoftHSM to work with the feature after compilation
-on ubuntu/debian (tested with Ubuntu 12 and 14).
-- `apt-get install softhsm p11-kit opensc`
-- create directory /etc/pkcs11/modules
-- Add file called 'softhsm' there with (on newer versions, use softhsm.module)
- ```
- module: /home/cmouse/softhsm/lib/softhsm/libsofthsm.so
- managed: yes
- ```
-- Verify it works: `p11-kit -l`
-- Create at least two tokens (ksk and zsk) with (slot-number starts from 0)
-
- ```
- sudo softhsm --init-token --slot slot-number --label zone-ksk|zone-zsk --pin some-pin --so-pin another-pin
- ```
-
-- Using pkcs11-tool, initialize your new keys.
-
- ```
- sudo pkcs11-tool --module=/home/cmouse/softhsm/lib/softhsm/libsofthsm.so -l -p some-pin -k --key-type RSA:2048 -a zone-ksk|zone-zsk --slot-index slot-number
- ```
-
-- Assign the keys using (note that token label is not necessarily same as object label, see p11-kit -l)
-
- ```
- pdnsutil hsm assign zone rsasha256 ksk|zsk softhsm token-label pin zone-ksk|zsk
- ```
-
-- Verify that everything worked, you should see valid data there
-
- ```
- pdnsutil show-zone zone
- ```
-
-- SoftHSM signatures are fast enough to be used in live environment.
-
-## Using CryptAS
-Instructions on how to use CryptAS [`Athena IDProtect Key USB Token V2J`](http://www.cryptoshop.com/products/smartcards/idprotect-key-j-laser.html)
-Smart Card token on Ubuntu 14.
-- install the manufacturer`s support software on your system and initialize the Smart Card token as per instructions (do not use PIV).
-- apt-get install p11-kit opensc
-- create directory /etc/pkcs11/modules
-- Add file called 'athena.module' with content
-
- ```
- module: /lib64/libASEP11.so
- managed: yes
- ```
-
-- Verify it worked, it should resemble output below. do not continue if this does not show up.
-
- ```
- $ p11-kit -l
- athena: /lib64/libASEP11.so
- library-description: ASE Cryptoki
- library-manufacturer: Athena Smartcard Solutions
- library-version: 3.1
- token: IDProtect#0A50123456789
- manufacturer: Athena Smartcard Solutions
- model: IDProtect
- serial-number: 0A50123456789
- hardware-version: 1.0
- firmware-version: 1.0
- flags:
- rng
- login-required
- user-pin-initialized
- token-initialized
- ```
-- Using pkcs11-tool, initialize your new keys. After this IDProtect Manager no longer can show your token certificates and keys, at least on version v6.23.04.
-
- ```
- pkcs11-tool --module=/home/cmouse/softhsm/lib/softhsm/libsofthsm.so -l -p some-pin -k --key-type RSA:2048 -a zone-ksk
- pkcs11-tool --module=/home/cmouse/softhsm/lib/softhsm/libsofthsm.so -l -p some-pin -k --key-type RSA:2048 -a zone-zsk
- ```
-
-- Verify that keys are there.
-
- ```
- $ pkcs11-tool --module=/lib64/libASEP11.so -l -p some-pin -O
- Using slot 0 with a present token (0x0)
- Public Key Object; RSA 2048 bits
- label: zone-ksk
- Usage: encrypt, verify, wrap
- Public Key Object; RSA 2048 bits
- label: zone-zsk
- Usage: encrypt, verify, wrap
- Private Key Object; RSA
- label: zone-ksk
- Usage: decrypt, sign, unwrap
- Private Key Object; RSA
- label: zone-zsk
- Usage: decrypt, sign, unwrap
- ```
-
-- Assign the keys using
-
- ```
- pdnsutil hsm assign zone rsasha256 ksk|zsk athena IDProtect#0A50123456789 pin zone-ksk|zsk
- ```
-
-- Verify that everything worked, you should see valid data there.
-
- ```
- pdnsutil show-zone zone
- ```
-
-- Note that the physical token is pretty slow, so you have to use it as hidden master. It has been observed to produce about 1.5signatures/second.
-
-# Secure transfers
-From 3.3.1 and up, PowerDNS support secure DNSSEC transfers as described in
-[draft-koch-dnsop-dnssec-operator-change](https://datatracker.ietf.org/doc/draft-koch-dnsop-dnssec-operator-change/).
-If the [`direct-dnskey`](settings.md#direct-dnskey) option is enabled the foreign
-DNSKEY records stored in the database are added to the keyset and signed with the
-KSK. Without the direct-dnskey option DNSKEY records in the database are silently
-ignored.
-
-# Security
-During typical PowerDNS operation, the private part of the signing keys are
-'online', which can be compared to operating an HTTPS server, where the
-private key is available on the webserver for cryptographic purposes.
-
-In some settings, having such (private) keying material available online is
-considered undesirable. In this case, consider running in pre-signed mode.
-
-# Performance
-DNSSEC has a performance impact, mostly measured in terms of additional memory
-used for the signature caches. In addition, on startup or AXFR-serving, a lot of
-signing needs to happen.
-
-Most best practices are documented in [RFC 6781](https://tools.ietf.org/html/rfc6781).
-
-# Thanks to, acknowledgements
-PowerDNS DNSSEC has been made possible by the help & contributions of many people.
-We would like to thank:
-
-- Peter Koch (DENIC)
-- Olaf Kolkman (NLNetLabs)
-- Wouter Wijngaards (NLNetLabs)
-- Marco Davids (SIDN)
-- Markus Travaille (SIDN)
-- Antoin Verschuren (SIDN)
-- Olafur Guðmundsson (IETF)
-- Dan Kaminsky (Recursion Ventures)
-- Roy Arends (Nominet)
-- Miek Gieben
-- Stephane Bortzmeyer (AFNIC)
-- Michael Braunoeder (nic.at)
-- Peter van Dijk
-- Maik Zumstrull
-- Jose Arthur Benetasso Villanova
-- Stefan Schmidt (CCC ;-))
-- Roland van Rijswijk (Surfnet)
-- Paul Bakker (Brainspark/Fox-IT)
-- Mathew Hennessy
-- Johannes Kuehrer (Austrian World4You GmbH)
-- Marc van de Geijn (bHosted.nl)
-- Stefan Arentz
-- Martin van Hensbergen (Fox-IT)
-- Christoph Meerwald
-- Leen Besselink
-- Detlef Peeters
-- Christof Meerwald
-- Jack Lloyd
-- Frank Altpeter
-- Fredrik Danerklint
-- Vasiliy G Tolstov
-- Brielle Bruns
-- Evan Hunt (ISC)
-- Ralf van der Enden
-- Jan-Piet Mens
-- Justin Clift
-- Kees Monshouwer
-- Aki Tuomi
-- Ruben Kerkhof
-- Christian Hofstaedtler
-- Ruben d'Arco
-- Morten Stevens
-- Pieter Lexis
-- .. this list is far from complete yet ..
+++ /dev/null
-# Dynamic DNS Update (RFC2136)
-Starting with the PowerDNS Authoritative Server 3.4.0, DNS update support is available. There are a number of items NOT supported:
-
-* There is no support for GSS*TSIG and SIG (TSIG is supported);
-* WKS records are specifically mentioned in the RFC, we don't specifically care about WKS records;
-* Anything we forgot....
-
-The implementation requires the backend to support a number of new operations. Currently, the following backends have been modified to support DNS update:
-
-* [gmysql](backend-generic-mysql.md)
-* [gpgsql](backend-generic-postgresql.md)
-* [gsqlite3](backend-generic-sqlite.md)
-* [goracle](backend-generic-oracle.md)
-* [godbc](backend-generic-odbc.md)
-
-# Configuration options
-There are two configuration parameters that can be used within the powerdns configuration file.
-
-## `dnsupdate`
-A setting to enable/disable DNS update support completely. The default is no, which means that DNS updates are ignored by PowerDNS (no message is logged about this!). Change the setting to **dnsupdate=yes** to enable DNS update support. Default is **no**.
-
-## `allow-dnsupdate-from`
-A list of IP ranges that are allowed to perform updates on any domain. The default is 0.0.0.0/0, which means that all ranges are accepted. Multiple entries can be used on this line (**allow-dnsupdate-from=198.51.100.0/8 203.0.113.2/32**). The option can be left empty to disallow everything, this then should be used in combination with the **allow-dnsupdate-from** domainmetadata setting per zone.
-
-## `forward-dnsupdate`
-Tell PowerDNS to forward to the master server if the zone is configured as slave. Masters are determined by the masters field in the domains table. The default behaviour is enabled (yes), which means that it will try to forward. In the processing of the update packet, the **allow-dnsupdate-from** and **TSIG-ALLOW-DNSUPDATE** are processed first, so those permissions apply before the **forward-dnsupdate** is used. It will try all masters that you have configured until one is successful.
-
-## `lua-dnsupdate-policy-script`
-Use this Lua script containing function `updatepolicy` to validate each update. (since 4.0.0)
-This will **TURN OFF** all other authorization methods, and you are expected to take care of everything yourself.
-See [update policy](#update-policy) for details and examples.
-
-The semantics are that first a dynamic update has to be allowed either by the global allow-dnsupdate-from setting, or by a per-zone ALLOW-DNSUPDATE-FROM metadata setting.
-
-Secondly, if a zone has a TSIG-ALLOW-DNSUPDATE metadata setting, that must match too.
-
-So to only allow dynamic DNS updates to a zone based on TSIG key, and regardless of IP address, set allow-dnsupdate-from to empty, set ALLOW-DNSUPDATE-FROM to "0.0.0.0/0" and "::/0" and set the TSIG-ALLOW-DNSUPDATE to the proper key name.
-
-Further information can be found [below](#how-it-works).
-
-# Per zone settings
-For permissions, a number of per zone settings are available via the domain metadata (See [Per zone settings aka Domain Metadata](domainmetadata.md)).
-
-## ALLOW-DNSUPDATE-FROM
-This setting has the same function as described in the configuration options (See [above](#configuration-options)). Only one item is allowed per row, but multiple rows can be added. An example:
-
-```
-sql> select id from domains where name='example.org';
-5
-sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘ALLOW-DNSUPDATE-FROM’,’198.51.100.0/8’);
-sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘ALLOW-DNSUPDATE-FROM’,’203.0.113.2/32’);
-```
-
-This will allow 198.51.100.0/8 and 203.0.113.2/32 to send DNS update messages for the example.org domain.
-
-## TSIG-ALLOW-DNSUPDATE
-This setting allows you to set the TSIG key required to do an DNS update. If you have GSS-TSIG enabled, you can use Kerberos principals here. An example:
-
-```
-sql> insert into tsigkeys (name, algorithm, secret) values ('test', 'hmac-md5', 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=');
-sql> select id from domains where name='example.org';
-5
-sql> insert into domainmetadata (domain_id, kind, content) values (5, 'TSIG-ALLOW-DNSUPDATE', 'test');
-```
-
-An example of how to use a TSIG key with the **nsupdate** command:
-
-```
-nsupdate <<!
-server <ip> <port>
-zone example.org
-update add test1.example.org 3600 A 203.0.113.1
-key test kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=
-send
-!
-```
-
-If a TSIG key is set for the domain, it is required to be used for the update. The TSIG is extra security on top of the **ALLOW-DNSUPDATE-FROM** setting. If a TSIG key is set, the IP(-range) still needs to be allowed via **ALLOW-DNSUPDATE-FROM**.
-
-## FORWARD-DNSUPDATE
-See [Configuration options](#configuration-options) for what it does, but per domain.
-
-```
-sql> select id from domains where name='example.org';
-5
-sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘FORWARD-DNSUPDATE’,’’);
-```
-
-There is no content, the existence of the entry enables the forwarding. This domain-specific setting is only useful when the configuration option **forward-dnsupdate** is set to 'no', as that will disable it globally. Using the domainmetadata setting than allows you to enable it per domain.
-
-## NOTIFY-DNSUPDATE
-Send a notification to all slave servers after every update. This will speed up the propagation of changes and is very useful for acme verification.
-
-```
-sql> select id from domains where name='example.org';
-5
-sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘NOTIFY-DNSUPDATE’,’1’);
-```
-
-## SOA-EDIT-DNSUPDATE
-This configures how the soa serial should be updated. See [below](#soa-serial-updates).
-
-# SOA Serial Updates
-After every update, the soa serial is updated as this is required by section 3.7 of RFC2136. The behaviour is configurable via domainmetadata with the SOA-EDIT-DNSUPDATE option. It has a number of options listed below. If no behaviour is specified, DEFAULT is used.
-
-RFC2136 (Section 3.6) defines some specific behaviour for updates of SOA records. Whenever the SOA record is updated via the update message, the logic to change the SOA is not executed.
-
-**Note**: Powerdns will always use **SOA-EDIT** when serving SOA records, thus a query for the SOA record of the recently update domain, might have an unexpected result due to a SOA-EDIT setting.
-
-An example:
-
-```
-sql> select id from domains where name='example.org';
-5
-sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘SOA-EDIT-DNSUPDATE’,’INCREASE’);
-```
-
-This will make the SOA Serial increase by one, for every successful update.
-
-## SOA-EDIT-DNSUPDATE settings
-These are the settings available for **SOA-EDIT-DNSUPDATE**.
-
-* DEFAULT: Generate a soa serial of YYYYMMDD01. If the current serial is lower than the generated serial, use the generated serial. If the current serial is higher or equal to the generated serial, increase the current serial by 1.
-* INCREASE: Increase the current serial by 1.
-* EPOCH: Change the serial to the number of seconds since the EPOCH, aka unixtime.
-* SOA-EDIT: Change the serial to whatever SOA-EDIT would provide. See [Domain metadata](domainmetadata.md)
-* SOA-EDIT-INCREASE: Change the serial to whatever SOA-EDIT would provide. If what SOA-EDIT provides is lower than the current serial, increase the current serial by 1.
-
-# DNS update How-to: Setup dyndns/rfc2136 with dhcpd
-DNS update is often used with DHCP to automatically provide a hostname whenever a new IP-address is assigned by the DHCP server. This section describes how you can setup PowerDNS to receive DNS updates from ISC's dhcpd (version 4.1.1-P1).
-
-## Setting up dhcpd
-We're going to use a TSIG key for security. We're going to generate a key using the following command:
-
-```
-dnssec-keygen -a hmac-md5 -b 128 -n USER dhcpdupdate
-```
-
-This generates two files (Kdhcpdupdate.*.key and Kdhcpdupdate.*.private). You're interested in the .key file:
-
-```
-# ls -l Kdhcp*
--rw------- 1 root root 53 Aug 26 19:29 Kdhcpdupdate.+157+20493.key
--rw------- 1 root root 165 Aug 26 19:29 Kdhcpdupdate.+157+20493.private
-
-# cat Kdhcpdupdate.+157+20493.key
-dhcpdupdate. IN KEY 0 3 157 FYhvwsW1ZtFZqWzsMpqhbg==
-```
-
-The important bits are the name of the key (**dhcpdupdate**) and the hash of the key (**FYhvwsW1ZtFZqWzsMpqhbg==**
-
-Using the details from the key you've just generated. Add the following to your dhcpd.conf:
-
-```
-key "dhcpdupdate" {
- algorithm hmac-md5;
- secret "FYhvwsW1ZtFZqWzsMpqhbg==";
-};
-```
-
-You must also tell dhcpd that you want dynamic dns to work, add the following section:
-
-```
-ddns-updates on;
-ddns-update-style interim;
-update-static-leases on;
-```
-
-This tells dhcpd to:
-
-1. Enable Dynamic DNS
-2. Which style it must use (interim)
-3. Update static leases as well
-
-For more information on this, consult the dhcpd.conf manual.
-
-Per subnet, you also have to tell **dhcpd** which (reverse-)domain it should update and on which master domain server it is running.
-
-```
-ddns-domainname "example.org";
-ddns-rev-domainname "in-addr.arpa.";
-
-zone example.org {
- primary 127.0.0.1;
- key dhcpdupdate;
-}
-
-zone 1.168.192.in-addr.arpa. {
- primary 127.0.0.1;
- key dhcpdupdate;
-}
-```
-
-This tells **dhcpd** a number of things:
-
-1. Which domain to use (**ddns-domainname "example.org";**)
-2. Which reverse-domain to use (**dnssec-rev-domainname "in-addr.arpa.";**)
-3. For the zones, where the primary master is located (**primary 127.0.0.1;**)
-4. Which TSIG key to use (**key dhcpdupdate;**). We defined the key earlier.
-
-This concludes the changes that are needed to the **dhcpd** configuration file.
-
-## Setting up PowerDNS
-A number of small changes are needed to powerdns to make it accept dynamic updates from **dhcpd**.
-
-Enabled DNS update (RFC2136) support functionality in PowerDNS by adding the following to the PowerDNS configuration file (pdns.conf).
-
-```
-dnsupdate=yes
-allow-dnsupdate-from=
-```
-
-This tells PowerDNS to:
-
-1. Enable DNS update support([`dnsupdate`](settings.md#dnsupdate))
-2. Allow updates from NO ip-address ([`allow-dnsupdate-from=`](settings.md#allow-dnsupdate-from))
-
-We just told powerdns (via the configuration file) that we accept updates from nobody via the [`allow-dnsupdate-from`](settings.md#allow-dnsupdate-from) parameter. That's not very useful, so we're going to give permissions per zone (including the appropriate reverse zone), via the domainmetadata table.
-
-```
-sql> select id from domains where name='example.org';
-5
-sql> insert into domainmetadata(domain_id, kind, content) values(5, 'ALLOW-DNSUPDATE-FROM','127.0.0.1');
-sql> select id from domains where name='1.168.192.in-addr.arpa';
-6
-sql> insert into domainmetadata(domain_id, kind, content) values(6, 'ALLOW-DNSUPDATE-FROM','127.0.0.1');
-```
-
-This gives the ip '127.0.0.1' access to send update messages. Make sure you use the ip address of the machine that runs **dhcpd**.
-
-Another thing we want to do, is add TSIG security. This can only be done via the domainmetadata table:
-
-```
-sql> insert into tsigkeys (name, algorithm, secret) values ('dhcpdupdate', 'hmac-md5', 'FYhvwsW1ZtFZqWzsMpqhbg==');
-sql> select id from domains where name='example.org';
-5
-sql> insert into domainmetadata (domain_id, kind, content) values (5, 'TSIG-ALLOW-DNSUPDATE', 'dhcpdupdate');
-sql> select id from domains where name='1.168.192.in-addr.arpa';
-6
-sql> insert into domainmetadata (domain_id, kind, content) values (6, 'TSIG-ALLOW-DNSUPDATE', 'dhcpdupdate');
-```
-
-This will:
-
-1. Add the 'dhcpdupdate' key to our PowerDNSinstallation
-2. Associate the domains with the given TSIG key
-
-Restart PowerDNS and you should be ready to go!
-
-# How it works
-This is a short description of how DNS update messages are processed by PowerDNS.
-
-1. The DNS update message is received. If it is TSIG signed, the TSIG is validated against the tsigkeys table. If it is not valid, Refused is returned to the requestor.
-1. A check is performed on the zone to see if it is a valid zone. ServFail is returned when not valid.
-1. The **dnsupdate** setting is checked. Refused is returned when the setting is 'no'.
-1. If update policy Lua script is provided then next two steps are skipped.
-1. If the **ALLOW-DNSUPDATE-FROM** has a value (from both domainmetadata and the configuration file), a check on the value is performed. If the requestor (sender of the update message) does not match the values in **ALLOW-DNSUPDATE-FROM**, Refused is returned.
-1. If the message is TSIG signed, the TSIG keyname is compared with the TSIG keyname in domainmetadata. If they do not match, a Refused is send. The TSIG-ALLOW-DNSUPDATE domainmetadata setting is used to find which key belongs to the domain.
-1. The backends are queried to find the backend for the given domain.
-1. If the domain is a slave domain, the **forward-dnsupdate** option and domainmetadata settings are checked. If forwarding to a master is enabled, the message is forward to the master. If that fails, the next master is tried until all masters are tried. If all masters fail, ServFail is returned. If a master succeeds, the result from that master is returned.
-1. A check is performed to make sure all updates/prerequisites are for the given zone. NotZone is returned if this is not the case.
-1. The transaction with the backend is started.
-1. The prerequisite checks are performed (section 3.2 of RFC2136). If a check fails, the corresponding RCode is returned. No further processing will happen.
-1. Per record in the update message, a the prescan checks are performed. If the prescan fails, the corresponding RCode is returned. If the prescan for the record is correct, the actual update/delete/modify of the record is performed. If the update fails (for whatever reason), ServFail is returned. After changes to the records have been applied, the ordername and auth flag are set to make sure DNSSEC remains working. The cache for that record is purged.
-1. If there are records updated and the SOA record was not modified, the SOA serial is updated. See [SOA Serial Updates](#soa-serial-updates). The cache for this record is purged.
-1. The transaction with the backend is committed. If this fails, ServFail is returned.
-1. NoError is returned.
-
-# Update policy
-
-Since 4.1.0, you can define a Lua script to handle DNS UPDATE message authorization.
-The Lua script is to contain at least function called `updatepolicy` which accepts one parameter.
-This parameter is an object, containing all the information for the request.
-To permit change, return true, otherwise return false.
-The script is called for each record at a time and you can approve or reject any or all.
-
-The object has following methods available:
-- DNSName getQName() - name to update
-- DNSName getZonename() - zone name
-- int getQType() - record type, it can be 255(ANY) for delete.
-- ComboAddress getLocal() - local socket address
-- ComboAddress getRemote() - remote socket address
-- Netmask getRealRemote() - real remote address (or netmask if EDNS Subnet is used)
-- DNSName getTsigName() - TSIG **key** name (you can assume it is validated here)
-- string getPeerPrincipal() - Return peer principal name (user@DOMAIN, service/machine.name@DOMAIN, host/MACHINE$@DOMAIN)
-
-There are many same things available as in recursor Lua scripts, but there is also resolve(qname, qtype) which returns array of records.
-Example:
-
-```
-resolve("www.google.com", pdns.A)
-```
-
-You can use this to perform DNS lookups.
-If your resolver cannot find your local records, then this will not find them either.
-In other words, resolve does not perform local lookup.
-
-Simple example script:
-```lua
---- This script is not suitable for production use
-
-function strpos (haystack, needle, offset)
- local pattern = string.format("(%s)", needle)
- local i = string.find (haystack, pattern, (offset or 0))
- return (i ~= nil and i or false)
-end
-
-function updatepolicy(input)
- princ = input:getPeerPrincipal()
-
- if princ == ""
- then
- return false
- end
-
- if princ == "admin@DOMAIN" or input:getRemote():toString() == "192.168.1.1"
- then
- return true
- end
-
- if (input:getQType() == pdns.A or input:getQType() == pdns.AAAA) and princ:sub(5,5) == '/' and strpos(princ, "@", 0) ~= false
- then
- i = strpos(princ, "@", 0)
- if princ:sub(i) ~= "@DOMAIN"
- then
- return false
- end
- hostname = princ:sub(6, i-1)
- if input:getQName():toString() == hostname .. "." or input:getQName():toString() == hostname .. "." .. input:getZoneName():toString()
- then
- return true
- end
- end
-
- return false
-end
-```
+++ /dev/null
-# Per zone settings aka Domain Metadata
-Each served zone can have "metadata". Such metadata determines how this zone
-behaves in certain circumstances.
-
-**Warning**: Domain metadata is only available for DNSSEC capable backends! Make
-sure to enable the proper '-dnssec' setting to benefit, and to have performed
-the DNSSEC schema update.
-
-For the BIND backend, this information is either stored in the
-[`bind-dnssec-db`](backend-bind.md) or the hybrid database, depending on your
-settings.
-
-For the implementation in non-sql backends, please review your backend's documentation.
-
-Apart from raw SQL statements, setting domain metadata can be done with [`pdnsutil set-meta`](dnssec.md#pdnsutil) and retrieving metadata is done with [`pdnsutil get-meta`](dnssec.md#pdnsutil).
-
-## ALLOW-AXFR-FROM
-Starting with the PowerDNS Authoritative Server 3.1, per-zone AXFR ACLs can be
-stored in the domainmetadata table.
-
-Each ACL specifies one subnet (v4 or v6), or the magical value 'AUTO-NS' that tries to allow all potential slaves in.
-
-Example:
-
-```
-pdnsutil set-meta powerdns.org ALLOW-AXFR-FROM AUTO-NS 2001:db8::/48
-```
-
-Each ACL has its own row in the database:
-
-```
-select id from domains where name='example.com';
-7
-insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','AUTO-NS');
-insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','2001:db8::/48');
-```
-
-To disallow all IP's, except those explicitly allowed by domainmetadata records, add `allow-axfr-ips=` to `pdns.conf`.
-
-## AXFR-SOURCE
-The IP address to use as a source address for sending AXFR and IXFR requests.
-
-## ALLOW-DNSUPDATE-FROM, TSIG-ALLOW-DNSUPDATE, FORWARD-DNSUPDATE, SOA-EDIT-DNSUPDATE, NOTIFY-DNSUPDATE
-See the documentation on [Dynamic DNS update](dnsupdate.md)
-
-## ALSO-NOTIFY
-When notifying this domain, also notify this nameserver (can occur multiple times).
-The nameserver may have contain an optional port number. e.g.:
-
-```
-pdnsutil set-meta powerdns.org ALSO-NOTIFY 192.0.2.1:5300
-pdnsutil set-meta powerdns.org ALLOW-AXFR-FROM 2001:db8:53::1
-```
-
-Or in SQL:
-
-```
-insert into domainmetadata (domain_id, kind, content) values (7,'ALSO-NOTIFY','192.0.2.1:5300');
-insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','2001:db8:53::1');
-```
-
-## AXFR-MASTER-TSIG
-Use this named TSIG key to retrieve this zone from its master, see
-[Provisioning signed notification and AXFR requests](tsig.md#provisioning-signed-notification-and-axfr-requests).
-
-## GSS-ALLOW-AXFR-PRINCIPAL
-Allow this GSS principal to perform AXFR retrieval. Most commonly it is
-`host/something@REALM`, `DNS/something@REALM` or `user@REALM`. (See
-[GSS-TSIG support](tsig.md#gss-tsig-support)).
-
-## GSS-ACCEPTOR-PRINCIPAL
-Use this principal for accepting GSS context. (See [GSS-TSIG support](tsig.md#gss-tsig-support)).
-
-## IXFR
-If set to 1, attempt IXFR when retrieving zone updates. Otherwise IXFR is not attempted.
-
-## LUA-AXFR-SCRIPT
-Script to be used to edit incoming AXFRs, see [Modifying a slave zone using a script](modes-of-operation.md#modifying-a-slave-zone-using-a-script).
-This value will override the [`lua-axfr-script`](settings.md#lua-axfr-scriptmaster) setting.
-Use 'NONE' to remove a global script.
-
-## NSEC3NARROW
-Set to "1" to tell PowerDNS this zone operates in NSEC3 'narrow' mode. See
-`set-nsec3` for [`pdnsutil`](dnssec.md#pdnsutil).
-
-## NSEC3PARAM
-NSEC3 parameters of a DNSSEC zone. Will be used to synthesize the NSEC3PARAM
-record. If present, NSEC3 is used, if not present, zones default to NSEC. See
-`set-nsec3` in [`pdnsutil`](dnssec.md#pdnsutil). Example content: "1 0 1 ab".
-
-## PRESIGNED
-This zone carries DNSSEC RRSIGs (signatures), and is presigned. PowerDNS sets
-this flag automatically upon incoming zone transfers (AXFR) if it detects DNSSEC
-records in the zone. However, if you import a presigned zone using `zone2sql` or
-`pdnsutil load-zone` you must explicitly set the zone to be `PRESIGNED`. Note that
-PowerDNS will not be able to correctly serve the zone if the imported data is
-bogus or incomplete. Also see `set-presigned` in [`pdnsutil`](dnssec.md#pdnsutil).
-
-If a zone is presigned, the content of the metadata must be "1" (without the
-quotes). Any other value will not signal presignedness.
-
-## PUBLISH-CDNSKEY, PUBLISH-CDS
-Whether to publish CDNSKEY and/or CDS recording defined in [RFC 7344](https://tools.ietf.org/html/rfc7344).
-
-To publish CDNSKEY records of the KSKs for the zone, set `PUBLISH-CDNSKEY` to `1`.
-
-To publish CDS records for the KSKs in the zone, set `PUBLISH-CDS` to a comma-
-separated list of [signature algorithm numbers](http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml#ds-rr-types-1).
-
-This metadata can also be set using the [`pdnsutil`](dnssec.md#pdnsutil) options
-`set-publish-cdnskey` and `set-publish-cds`. For an example for an RFC 7344
-key rollover, see the [CDS and CDNSKEY howto](howtos.md#cds-dnskey-key-rollover).
-
-## SOA-EDIT
-When serving this zone, modify the SOA serial number in one of several ways.
-Mostly useful to get slaves to re-transfer a zone regularly to get fresh RRSIGs.
-See the [DNSSEC documentation](dnssec.md#soa-edit-ensure-signature-freshness-on-slaves)
-for more information.
-
-## TSIG-ALLOW-AXFR
-Allow these named TSIG keys to AXFR this zone, see [Provisioning outbound AXFR access](tsig.md#provisioning-outbound-axfr-access).
-
-## TSIG-ALLOW-DNSUPDATE
-This setting allows you to set the TSIG key required to do an [DNS update](dnsupdate.md). If
-[GSS-TSIG](tsig.md#gss-tsig) is enabled, you can put kerberos principals here as well.
-
-## Extra metadata
-Through the API and on the [`pdnsutil set-meta`](dnssec.md#pdnsutil) commandline, metadata unused by PowerDNS can be added.
-It is mandatory to prefix this extra metadata with "X-" and the name of the external application; the API will only allow this metadata if it starts with "X-".
+++ /dev/null
-# Basic setup: configuring database connectivity
-This shows you how to configure the Generic MySQL backend. This backend
-is called 'gmysql', and needs to be configured in `pdns.conf`. Add the
-following lines, adjusted for your local setup (specifically, you may not
-want to use the 'root' user):
-
-```
-launch=gmysql
-gmysql-host=127.0.0.1
-gmysql-user=root
-gmysql-dbname=pdns
-gmysql-password=mysecretpassword
-```
-
-Remove any earlier [`launch`](settings.md#launch) statements and other configuration
-statements for backends.
-
-**Warning**: Make sure that you can actually resolve the hostname of your database without accessing the database! It is advised to supply an IP address here to prevent chicken/egg problems!
-
-Now start PowerDNS in the foreground:
-
-```
-# /usr/sbin/pdns_server --daemon=no --guardian=no --loglevel=9
-(...)
-Dec 30 13:40:09 About to create 3 backend threads for UDP
-Dec 30 13:40:09 gmysql Connection failed: Unable to connect to database: Access denied for user 'hubert'@'localhost' to database 'pdns-non-existant'
-Dec 30 13:40:09 Caught an exception instantiating a backend: Unable to launch gmysql connection: Unable to connect to database: Access denied for user 'hubert'@'localhost' to database 'pdns-non-existant'
-Dec 30 13:40:09 Cleaning up
-Dec 30 13:40:10 Done launching threads, ready to distribute questions
-```
-
-This is as to be expected - we did not yet add anything to MySQL for PowerDNS to read from. At this point you may also see other errors which indicate that PowerDNS either could not find your MySQL server or was unable to connect to it. Fix these before proceeding.
-
-General MySQL knowledge is assumed in this chapter, please do not interpret these commands as DBA advice!
-
-## Example: configuring MySQL
-Connect to MySQL as a user with sufficient privileges and issue the following commands:
-
-```
-!!include=../modules/gmysqlbackend/schema.mysql.sql
-```
-
-Now we have a database and an empty table. PowerDNS should now be able to launch in monitor mode and display no errors:
-
-```
-# /usr/sbin/pdns_server --daemon=no --guardian=no --loglevel=9
-(...)
-15:31:30 PowerDNS 1.99.0 (Mar 12 2002, 15:00:28) starting up
-15:31:30 About to create 3 backend threads
-15:39:55 [gMySQLbackend] MySQL connection succeeded
-15:39:55 [gMySQLbackend] MySQL connection succeeded
-15:39:55 [gMySQLbackend] MySQL connection succeeded
-```
-
-In a different shell, a sample query sent to the server should now return quickly without data:
-
-```
-$ dig +short www.example.com @127.0.0.1
-$
-```
-
-**Warning**: When debugging DNS problems, don't use `host`. Please use `dig` or `drill`.
-
-And indeed, the output in the first terminal now shows:
-
-```
-Mar 01 16:04:42 Remote 127.0.0.1 wants 'www.example.com|A', do = 0, bufsize = 1680: packetcache MISS
-```
-
-Now we need to add some records to our database (in a separate shell):
-
-```
-# mysql pdnstest
-mysql> INSERT INTO domains (name, type) values ('example.com', 'NATIVE');
-INSERT INTO records (domain_id, name, content, type,ttl,prio)
-VALUES (1,'example.com','localhost admin.example.com 1 10380 3600 604800 3600','SOA',86400,NULL);
-INSERT INTO records (domain_id, name, content, type,ttl,prio)
-VALUES (1,'example.com','dns-us1.powerdns.net','NS',86400,NULL);
-INSERT INTO records (domain_id, name, content, type,ttl,prio)
-VALUES (1,'example.com','dns-eu1.powerdns.net','NS',86400,NULL);
-INSERT INTO records (domain_id, name, content, type,ttl,prio)
-VALUES (1,'www.example.com','192.0.2.10','A',120,NULL);
-INSERT INTO records (domain_id, name, content, type,ttl,prio)
-VALUES (1,'mail.example.com','192.0.2.12','A',120,NULL);
-INSERT INTO records (domain_id, name, content, type,ttl,prio)
-VALUES (1,'localhost.example.com','127.0.0.1','A',120,NULL);
-INSERT INTO records (domain_id, name, content, type,ttl,prio)
-VALUES (1,'example.com','mail.example.com','MX',120,25);
-```
-
-**Warning**: Host names and the MNAME of a [SOA](../types.md#soa) records are NEVER terminated with a '.' in PowerDNS storage! If a trailing '.' is present it will inevitably cause problems, problems that may be hard to debug.
-
-If we now requery our database, `www.example.com` should be present:
-
-```
-$ dig +short www.example.com @127.0.0.1
-192.0.2.10
-
-$ dig +short example.com MX @127.0.0.1
-25 mail.example.com
-```
-
-To confirm what happened, check the statistics:
-
-```
-$ /usr/sbin/pdns_control SHOW \*
-corrupt-packets=0,latency=0,packetcache-hit=2,packetcache-miss=5,packetcache-size=0,
-qsize-a=0,qsize-q=0,servfail-packets=0,tcp-answers=0,tcp-queries=0,
-timedout-packets=0,udp-answers=7,udp-queries=7,
-%
-```
-
-The actual numbers will vary somewhat. Now hit CTRL+C in the shell where PowerDNS runs, start PowerDNS as a regular daemon, and check launch status:
-
-On SysV systems:
-
-```
-# /etc/init.d/pdns start
-pdns: started
-# /etc/init.d/pdns status
-pdns: 8239: Child running
-# /etc/init.d/pdns dump
-pdns: corrupt-packets=0,latency=0,packetcache-hit=0,packetcache-miss=0,
-packetcache-size=0,qsize-a=0,qsize-q=0,servfail-packets=0,tcp-answers=0,
-tcp-queries=0,timedout-packets=0,udp-answers=0,udp-queries=0,
-```
-
-On systemd systems:
-
-```
-# systemctl start pdns.service
-# systemctl status pdns.service
-* pdns.service - PowerDNS Authoritative Server
- Loaded: loaded (/lib/systemd/system/pdns.service; enabled)
- Active: active (running) since Tue 2017-01-17 15:59:28 UTC; 1 months 12 days ago
- Docs: man:pdns_server(1)
- man:pdns_control(1)
- https://doc.powerdns.com
- Main PID: 24636 (pdns_server)
- CGroup: /system.slice/pdns.service
- `-24636 /usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --write-pid=no
-
-(...)
-# /usr/sbin/pdns_control SHOW \*
-corrupt-packets=0,latency=0,packetcache-hit=2,packetcache-miss=5,packetcache-size=0,
-qsize-a=0,qsize-q=0,servfail-packets=0,tcp-answers=0,tcp-queries=0,
-timedout-packets=0,udp-answers=7,udp-queries=7,
-```
-
-You now have a working database driven nameserver! To convert other zones already present, use the [`zone2sql`](migration.md#zone2sql) tool.
-
-## Common problems
-Most problems involve PowerDNS not being able to connect to the database.
-
-### Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)
-Your MySQL installation is probably defaulting to another location for its socket. Can be resolved by figuring out this location (often `/var/run/mysqld.sock`), and specifying it in the configuration file with the [`gmysql-socket`](backend-generic-mysql.md#gmysql-socket) parameter.
-
-Another solution is to not connect to the socket, but to 127.0.0.1, which can be achieved by specifying [`gmysql-host=127.0.0.1`](backend-generic-mysql.md#gmysql-host).
-
-### Host 'x.y.z.w' is not allowed to connect to this MySQL server
-These errors are generic MySQL errors. Solve them by trying to connect to your MySQL database with the MySQL console utility `mysql` with the parameters specified to PowerDNS. Consult the MySQL documentation.
-
-## Typical Errors after Installing
-At this point some things may have gone wrong. Typical errors include:
-
-### binding to UDP socket: Address already in use
-This means that another nameserver is listening on port 53 already. You can resolve this problem by determining if it is safe to shutdown the nameserver already present, and doing so. If uncertain, it is also possible to run PowerDNS on another port. To do so, add [`local-port=5300`](settings.md#local-port) to `pdns.conf`, and try again. This however implies that you can only test your nameserver as clients expect the nameserver to live on port 53.
-
-### binding to UDP socket: Permission denied
-You must be superuser in order to be able to bind to port 53. If this is not a possibility, it is also possible to run PowerDNS on another port. To do so, add [`local-port=5300`](settings.md#local-port) to `pdns.conf`, and try again. This however implies that you can only test your nameserver as clients expect the nameserver to live on port 53.
-
-### Unable to launch, no backends configured for querying
-PowerDNS did not find the `launch=bind` instruction in pdns.conf.
-
-### Multiple IP addresses on your server, PowerDNS sending out answers on the wrong one, Massive amounts of 'recvfrom gave error, ignoring: Connection refused'
-If you have multiple IP addresses on the internet on one machine, UNIX often sends out answers over another interface than which the packet came in on. In such cases, use [`local-address`](settings.md#local-address) to bind to specific IP addresses, which can be comma separated. The second error comes from remotes disregarding answers to questions it didn't ask to that IP address and sending back ICMP errors.
-
-# Using ALIAS records
-The ALIAS record provides a way to have CNAME-like behaviour on the zone apex.
-
-In order to correctly serve ALIAS records in PowerDNS Authoritative Server 4.1.0 or higher, set the [`resolver`](settings.md#resolver) setting to an existing resolver and enable [`expand-alias`](settings.md#expand-alias):
-
-```
-resolver=[::1]:5300
-expand-alias=yes
-```
-
-**note**: If `resolver` is unset, ALIAS expension is disabled!
-
-**note**: In PowerDNS Authoritative Server 4.0.x, the setting [`recursor`](settings.md#recursor) is used instead, and you should omit the [`expand-alias`](settings.md#expand-alias) setting. Note that setting [`recursor`](settings.md#recursor) will allow recursive queries to all clients by default, which you likely do not want for security reasons, so you should restrict this:
-
-```
-recursor=[::1]:5300
-allow-recursion=::1, 127.0.0.1
-```
-
-Then add the ALIAS record to your zone apex. e.g.:
-
-```
-$ORIGIN example.net
-$TTL 1800
-
-@ IN SOA ns1.example.net. hostmaster.example.net. 2015121101 1H 15 1W 2H
-
-@ IN NS ns1.example.net.
-
-@ IN ALIAS mywebapp.paas-provider.net.
-```
-
-When the authoritative server receives a query for the A-record for `example.net`,
-it will resolve the A record for `mywebapp.paas-provider.net` and serve an answer
-for `example.net` with that A record.
-
-When a zone containing ALIAS records is transferred over AXFR, the
-[`outgoing-axfr-expand-alias`](settings.md#outgoing-axfr-expand-alias) setting
-controls the behaviour of ALIAS records. When set to 'no' (the default), ALIAS
-records are sent as-is (RRType 65401 and a DNSName in the RDATA) in the AXFR.
-When set to 'yes', PowerDNS will lookup the A and AAAA records of the name in the
-ALIAS-record and send the results in the AXFR.
-
-Set `outgoing-axfr-expand-alias` to 'yes' if your slaves don't understand ALIAS
-or should not look up the addresses themselves. Note that slaves will not
-automatically follow changes in those A/AAAA records unless you AXFR regularly.
-
-**note:** The `expand-alias` setting does not exist in PowerDNS Authoritative Server 4.0.x.
-Hence, ALIAS records are always expanded on a direct A or AAAA query.
-
-## ALIAS and DNSSEC
-Starting with the PowerDNS Authoritative Server 4.0.0, DNSSEC 'washing' of ALIAS
-records is supported on AXFR (**not** on live-signing). Set `outgoing-axfr-expand-alias`
-to 'yes' and enable DNSSEC for the zone on the master. PowerDNS will sign the
-A/AAAA records during the AXFR.
-
-# KSK Rollover
-Before attempting a KSK rollover, please read [RFC 6581 "DNSSEC Operational
-Practices, Version 2", section 4](https://tools.ietf.org/html/rfc6781#section-4)
-carefully to understand the terminology, actions and timelines (TTL and RRSIG
-expiry) involved in rolling a KSK.
-
-This How To describes the "Double-Signature Key Signing Key Rollover" from the
-above mentioned RFC.
-
-To start the rollover, add an **active** new KSK to the zone (example.net in this
-case):
-
-```
-pdnsutil add-zone-key example.net ksk active
-```
-
-Note that a key with same algorithm as the KSK to be replaced should be created,
-as this is not an algorithm roll over.
-
-If this zone is of the type 'MASTER', increase the SOA serial. The rollover is
-now in the "New KSK" stage. Retrieve the DS record(s) for the new KSK:
-
-```
-pdnsutil show-zone example.net
-```
-
-And communicate this securely to your registrar/parent zone. Now wait until the
-new DS is published in the parent zone and at least the TTL for the DS records
-has passed. The rollover is now in the "DS Change" state and can continue to the
-"DNSKEY Removal" stage by actually deleting the old KSK.
-
-**Note**: The key-id for the old KSK is shown in the output of `pdnsutil show-zone
-example.net`.
-
-```
-pdnsutil remove-zone-key example.net KEY-ID
-```
-
-The rollover is now complete.
-
-# ZSK Rollover
-This how to describes the way to roll a ZSK that is not a secure entrypoint (a
-ZSK that is not tied to a DS record in the parent zone) using the ["RFC 6781
-Pre-Publish Zone Signing Key Rollover"](https://tools.ietf.org/html/rfc6781#section-4.1.1.1)
-method. The documentation linked above also lists the minimum time between
-stages. **PLEASE READ THAT DOCUMENT CAREFULLY**
-
-First, create a new inactive ZSK for the zone (if one already exists, you can
-skip this step), we add an ECDSA 256 bit key (algorithm 13) here:
-
-```
-pdnsutil add-zone-key example.net zsk inactive ecdsa256
-
-```
-
-You are now almost at the "new DNSKEY"-stage of the rollover, if the zone is of
-type 'MASTER' you'll need to update the SOA serial in the database and wait for
-the slaves to pickup the zone change.
-
-To change the RRSIGs on your records, the new key must be made active. Note: you
-can get the key-ids with `pdnsutil show-zone example.net`:
-
-```
-pdnsutil activate-zone-key example.net new-key-id
-pdnsutil deactivate-zone-key example.net previous-key-id
-```
-
-Again, if this is a 'MASTER'-zone, update the SOA serial. You are now at the "new
-RRSIGs" stage of the roll over.
-
-The last step is to remove the old key from the completely:
-
-```
-pdnsutil remove-zone-key example.net previous-key-id
-```
-
-Don't forget to update the SOA serial for 'MASTER' zones. The rollover is now at
-the "DNSKEY removal" stage and complete.
-
-# CDS & CDNSKEY Key Rollover
-If the upstream registry supports [RFC 7344](https://tools.ietf.org/html/rfc7344)
-key rollovers you can use several [`pdnsutil`](dnssec.md#pdnsutil) commands to do
-this rollover. This HowTo follows the rollover example from the RFCs [Appendix B](https://tools.ietf.org/html/rfc7344#appendix-B).
-
-We assume the zone name is example.com and is already DNSSEC signed.
-
-Start by adding a new KSK to the zone: `pdnsutil add-zone-key example.com ksk 2048 inactive`.
-The "inactive" means that the key is not used to sign any ZSK records. This limits
-the size of `ANY` and DNSKEY responses.
-
-Publish the CDS records: `pdnsutil set-publish-cds example.com`, these records
-will tell the parent zone to update its DS records. Now wait for the DS records
-to be updated in the parent zone.
-
-Once the DS records are updated, do the actual key-rollover: `pdnsutil activate-zone-key example.com new-key-id`
-and `pdnsutil deactivate-zone-key example.com old-key-id`. You can get the `new-key-id`
-and `old-key-id` by listing them through `pdnsutil show-zone example.com`.
-
-After the rollover, wait *at least* until the TTL on the DNSKEY records have
-expired so validating resolvers won't mark the zone as BOGUS. When the wait is
-over, delete the old key from the zone: `pdnsutil remove-zone-key example.com old-key-id`.
-This updates the CDS records to reflect only the new key.
-
-Wait for the parent to pick up on the CDS change. Once the upstream DS records
-show only the DS records for the new KSK, you may disable sending out the CDS
-responses: `pdnsutil unset-publish-cds example.com`.
-
-Done!
-
-# Adding new DNS record types
-Here are the full descriptions on how we added the TLSA record type to all
-PowerDNS products, with links to the actual source code.
-
-First, define the TLSARecordContent class in [dnsrecords.hh](https://github.com/PowerDNS/pdns/blob/5a3409cbb4314b84f1171a69c7337386568fa886/pdns/dnsrecords.hh#L396):
-
-```
-class TLSARecordContent : public DNSRecordContent
-{
-public:
- includeboilerplate(TLSA)
-
-private:
- uint8_t d_certusage, d_selector, d_matchtype;
- string d_cert;
-};
-```
-
-The `includeboilerplate(TLSA)` macro generates the four methods that do everything
-PowerDNS would ever want to do with a record:
-
-- read TLSA records from zonefile format
-- write out a TLSA record in zonefile format
-- read a TLSA record from a packet
-- write a TLSA record to a packet
-
-The [actual parsing code](https://github.com/PowerDNS/pdns/blob/5a3409cbb4314b84f1171a69c7337386568fa886/pdns/dnsrecords.cc#L304):
-
-```
-boilerplate_conv(TLSA, 52,
- conv.xfr8BitInt(d_certusage);
- conv.xfr8BitInt(d_selector);
- conv.xfr8BitInt(d_matchtype);
- conv.xfrHexBlob(d_cert, true);
- )
-```
-
-This code defines the TLSA rrtype number as 52. Secondly, it says there are 3
-eight bit fields for Certificate Usage, Selector and Match type. Next, it defines
-that the rest of the record is the actual certificate (hash).
-['conv'](https://github.com/PowerDNS/pdns/blob/5a3409cbb4314b84f1171a69c7337386568fa886/pdns/dnsparser.hh#L68)
-methods are supplied for all DNS data types in use.
-
-Now add `TLSARecordContent::report()` to [`reportOtherTypes()`](https://github.com/PowerDNS/pdns/blob/5a3409cbb4314b84f1171a69c7337386568fa886/pdns/dnsrecords.cc#L594).
-
-And that's it. For completeness, add TLSA and 52 to the QType enum in [`qtype.hh`](https://github.com/PowerDNS/pdns/blob/5a3409cbb4314b84f1171a69c7337386568fa886/pdns/qtype.hh#L116),
-which makes it easier to refer to the TLSA record in code if so required.
+++ /dev/null
-# PowerDNS Authoritative Nameserver
-The PowerDNS Authoritative Server is a versatile nameserver which supports a large number of backends. These backends can either be plain zone files or be more dynamic in nature.
-
-Examples of backends include relational databases, other DNS data formats and coprocesses.
-
-# Backends
-PowerDNS has the concepts of 'backends'. A backend is a datastore that the server will consult that contains DNS records (and some meta-data).
-The backends range from database backends (Mysql, PostgreSQL, Oracle) and Bind-zonefiles to co-processes and JSON API's.
-
-Multiple backends can be enabled in the configuration by using the [`launch`](settings.md#launch) option. Each backend can be configured separately.
-
-## Backend Capabilities
-The following table describes the capabilities of the backends.
-
-| Name | Status | Native | Master | Slave | Superslave | [Autoserial](backend-generic-sql.md#autoserial) | DNSSEC | [Disabled Data](backend-generic-sql.md#disabled-data) | Comments | Launch Name |
-|:---|:---|:---|:---|:---|:---|:---|:---|:---|:---|:---|
-| [BIND](backend-bind.md) | Supported | Yes | Yes | Yes | Experimental | No | Yes | No | No\* | `bind` |
-| [Generic MySQL](backend-generic-mysql.md) | Supported | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | `gmysql` |
-| [Generic ODBC](backend-generic-odbc.md) | Supported | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes| `godbc` |
-| [Generic Oracle](backend-generic-oracle.md) | Supported | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | `goracle` |
-| [Generic PostgreSQL](backend-generic-postgresql.md) | Supported | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | `gpgsql` |
-| [Generic SQLite 3](backend-generic-sqlite.md) 3 | Supported | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | `gsqlite3` |
-| [GeoIP](backend-geoip.md) | Supported | Yes | No | No | No | No | Yes | No | No | `geoip` |
-| [LDAP](backend-ldap.md) | Supported | Yes | No | No | No | No | No | No | No | `ldap` |
-| [MyDNS](backend-mydns.md) | Supported | Yes | No | No | No | No | No | No | No | `mydns` |
-| [OpenDBX](backend-opendbx.md) | Supported | Yes | Yes | Yes | Yes | No | No | No | No | `opendbx` |
-| [Oracle](backend-oracle.md) | Supported | Yes | Yes | Yes | Yes | Yes | Yes | No | No | `oracle` |
-| [Pipe](backend-pipe.md) | Supported | Yes | No | No | No | No | Partial (no delegation, no key storage) | No | No | `pipe` |
-| [Random](backend-random.md) | Supported | Yes | No | No | No | No | Yes (no key storage) | No | No | `random` |
-| [Remote](backend-remote.md) | Supported | Yes | Yes\* | Yes\* | Yes\* | Yes\* | Yes\* | No | No | `remote` |
-| [TinyDNS](backend-tinydns.md) | Experimental | Yes | Yes | No | No | No | No | No | No | `tinydns` |
-
-\*: Please read the backend-specific documentation.
-
-### Native, Master, Slave, Superslave
-Which [Mode of Operation](modes-of-operation.md) (DNS data replication) is supported.
-
-### Autoserial
-Can the backend [automatically](backend-generic-sql.md#autoserial) generate a SOA serial
-
-### DNSSEC
-Is serving DNSSEC signed data supported?
-
-### Disabled Data
-Can a record be [marked 'disabled'](backend-generic-sql.md#disabled-data) and not be served but still be in the datastore?
-
-### Comments
-Are comments on records supported?
+++ /dev/null
-# Installing PowerDNS
-Installation of the PowerDNS Authoritative server on UNIX systems can be done in several ways:
-
- * Binary packages provided by your distribution
- * Binary packages provided by PowerDNS on [repo.powerdns.com](https://repo.powerdns.com)
- * Compiling from source
-
-## Binary Packages
-### Debian-based Systems
-PowerDNS Authoritative Server is available through the [apt](https://packages.debian.org/pdns-server) system.
-
-```
-# apt-get install pdns-server
-```
-
-Debian splits the backends into [several different packages](https://packages.debian.org/pdns-backend), install the required backend as follows:
-
-```
-# apt-get install pdns-backend-$backend
-```
-
-### Redhat-based Systems
-On RedHat based system there are 2 options to install PowerDNS, from
-[EPEL](https://fedoraproject.org/wiki/EPEL), the [repository from Kees
-Monshouwer](https://www.monshouwer.eu/download/3rd_party/pdns/) or from
-[the PowerDNS repositories](https://repo.powerdns.com):
-
-Add either to your list of repositories and install PowerDNS by issuing:
-
-```
-# yum install pdns
-```
-
-The different backends can be installed using
-
-```
-# yum install pdns-backend-$backend
-```
-
-### FreeBSD
-PowerDNS Authoritative Server is available through the [ports](http://www.freshports.org/dns/powerdns/) system:
-
-For the package:
-
-```
-# pkg install dns/powerdns
-```
-
-To have your system build the port:
-```
-cd /usr/ports/dns/powerdns/ && make install clean
-```
-
-### Mac OS X
-PowerDNS Authoritative Server is available through Homebrew:
-
-```
-$ brew install pdns
-```
-
-## From source
-See the [Compiling PowerDNS](../appendix/compiling-powerdns.md) chapter
-
-# After installation
-Once installed, [set your first steps](howtos.md#basic-setup-configuring-database-connectivity)
-using MySQL or start [migrating](migration.md) your data.
+++ /dev/null
-# Migrating to PowerDNS
-Before migrating to PowerDNS a few things should be considered.
-
-PowerDNS does not operate as a ['slave'](modes-of-operation.md#slave-operation)
-or ['master'](modes-of-operation.md#master-operation) server with all backends.
-The [Generic SQL](backend-generic-sql.md), [BIND](backend-bind.md) backends have
-the ability to act as master or slave. See the [table of backends](index.md#backend-capabilities)
-which other backends support these modes.
-
-# Using AXFR to a Slave-Capable Backend
-The easiest way to migrate all your zones from your old infrastructure to PowerDNS
-is to add all your domains as a slave domain with your current master as the
-master, wait for the zones to be transferred and change the zones to master.
-Make sure [`slave`](settings.md#slave) is set to "yes" in your pdns.conf.
-
-## To A Generic SQL Backend
-**Note**: This assumes the schema provided with PowerDNS is in place
-
-In order to migrate to a Generic SQL backend, add all your domains to the 'domains'
-table with the IP of your current master. On your current master, make sure that
-this master allows AXFRs to this new slave.
-
-```
-INSERT INTO domains (name,type,master) VALUES ('example.net', 'SLAVE', '198.51.100.101');
-```
-
-Then start PowerDNS and wait for all the zones to be transferred. If this server
-is the new [master](modes-of-operation.md#master-operation), change the type of
-domain in the database:
-
-```
-UPDATE domains set type='MASTER' where type='SLAVE';
-```
-
-And set [`master`](settings.md#master) to "yes" in your pdns.conf and restart
-PowerDNS.
-
-Or, if you want to use [native](modes-of-operation.md#native-operation):
-
-```
-UPDATE domains set type='NATIVE' where type='SLAVE';
-```
-
-## To the BIND backend
-Create a named.conf with all the domains as slave domains, e.g.:
-
-```
-zone "example.net" in {
- type slave;
- file "/var/lib/powerdns/zones/example.net.zone";
- masters {
- 198.51.100.101;
- };
-};
-```
-
-Make sure the directory is writable for the `pdns_server` process and that [`bind-config`](backend-bind.md#bind-config)
-parameter references this file. Now start PowerDNS and wait untill all zones are
-transferred. Now you can change the zone type to master:
-
-```
-zone "example.net" in {
- type master;
- file "/var/lib/powerdns/zones/example.net.zone";
-};
-```
-
-Don't forget to enable [`master`](settings.md#master) in your pdns.conf and restart,
-or if this setting was already set, use `pdns_control rediscover` to load these
-zones as master zones.
-
-# From zonefiles to PowerDNS
-## Using the BIND backend
-To use the bind backend, set `launch=bind` and `bind-config=/path/to/named.conf`
-in your `pdns.conf`. Note that PowerDNS will not honor any options from named.conf,
-it will only use the `zone` statements. See the [Bind backend](backend-bind.md)
-documentation for more information.
-
-## To a Generic SQL backend
-There are several methods to migrate to a [Generic SQL](backend-generic-sql.md)
-backend.
-
-### Using `zone2sql`
-To migrate, the `zone2sql` tool is provided. This tool parses a BIND `named.conf`
-file and zone files and outputs SQL on standard out, which can then be fed to your
-database. It understands the Bind master file extension `$GENERATE` and will also
-honour `$ORIGIN` and `$TTL`.
-
-For backends supporting slave operation, there is also an option to keep slave
-zones as slaves, and not convert them to native operation.
-
-`zone2sql` can generate SQL for nearly all the Generic SQL backends. See [its
-manpage](../manpages/zone2sql.1.md) for more information.
-
-An example call to `zone2sql` could be:
-
-```
-zone2sql --named-conf=/path/to/named.conf --gmysql | mysql -u pdns -p pdns-db
-```
-
-This will generate the SQL statements for the [Generic MySQL](backend-generic-mysql.md)
-and pipe them into the pdns-db database in MySQL.
-
-### Using `pdnsutil load-zone`
-The [`pdnsutil`](../manpages/pdnsutil.1.md) tool has a `load-zone` command that ingests a zone file and imports it into the first backend that is capable of hosting it.
-
-To import, configure the backend and run `pdnsutil load-zone example.com /tmp/example.com.com.zone` to import the `example.com` domain from the `/tmp/example.com.zone` file.
-The zone is imported atomically (i.e. it is fully imported, or not) and any existing records for that zone are overwritten.
-
-# Migrating Data from one Backend to Another Backend
-NB! This is experimental feature.
-
-Syntax: `pdnsutil b2b-migrate old new`
-
-This tool lets you migrate data from one backend to another, it moves all data,
-including zones, metadata and crypto keys (if present). Some example use cases
-are moving from Bind style zonefiles to SQL based, or other way around, or moving
-from MyDNS to gMySQL.
-
-## Prerequisites
-
- - Target backend must support same features as source from set of domains, zones, metadata, DNSSEC and TSIG. See [Backend Capabilities](index.md)
- - There must be no data in the target backend, otherwise the migration will fail. This is checked.
-
-You can perform live upgrade with this tool, provided you follow the procedure.
-
-## Moving from source to target.
-
-- Take backups of everything.
-- Configure both backends to pdns.conf, if you have source configured, you can just add target backend. **DO NOT RESTART AUTH SERVER BEFORE YOU HAVE FINISHED**
-- Then run `pdnsutil b2b-migrate old new`, the old and new being configuration prefixes in pdns.conf. If something goes wrong, make sure you properly clear **ALL** data from target backend before retrying.
-- Remove (or comment out) old backend from pdns.conf, and run `pdnsutil rectify-all-zones` and `pdnsutil check-all-zones` to make sure everything is OK.
-- If everything is OK, then go ahead to restart your PowerDNS service. Check logs to make sure everything went ok.
+++ /dev/null
-PowerDNS offers full master and slave semantics for replicating domain information.
-Furthermore, PowerDNS can benefit from native database replication.
-
-# Native replication
-Native replication is the default, unless other operation is specifically
-configured. Native replication basically means that PowerDNS will not send out DNS
-update notifications, nor will react to them. PowerDNS assumes that the backend is
-taking care of replication unaided.
-
-MySQL replication has proven to be very robust and well suited, even over
-transatlantic connections between badly peering ISPs. Other PowerDNS users employ
-Oracle replication which also works very well.
-
-To use native replication, configure your backend storage to do the replication
-and do not configure PowerDNS to do so.
-
-# Master operation
-When operating as a master, PowerDNS sends out notifications of changes to slaves,
-which react to these notifications by querying PowerDNS to see if the zone changed,
-and transferring its contents if it has. Notifications are a way to promptly
-propagate zone changes to slaves, as described in [RFC 1996](http://tools.ietf.org/html/rfc1996).
-Since version 4.0.0, the NOTIFY messages have a TSIG record added (transaction
-signature) if zone has been configured to use TSIG and feature has been enabled.
-
-**Warning**: Master support is OFF by default, turn it on by adding
-[`master`](settings.md#master) to the configuration.
-
-**Warning**: If you have DNSSEC-signed zones and non-PowerDNS slaves, please
-check your [`SOA-EDIT`](domainmetadata.md#SOA-EDIT) settings.
-
-**Warning**: Notifications are only sent for domains with type MASTER in your backend.
-
-Left open by RFC 1996 is who is to be notified - which is harder to figure out
-than it sounds. All slaves for this domain must receive a notification but the
-nameserver only knows the names of the slaves - not the IP addresses, which is
-where the problem lies. The nameserver itself might be authoritative for the name
-of its secondary, but not have the data available.
-
-To resolve this issue, PowerDNS tries multiple tactics to figure out the IP
-addresses of the slaves, and notifies everybody. In contrived configurations this
-may lead to duplicate notifications being sent out, which shouldn't hurt.
-
-Some backends may be able to detect zone changes, others may chose to let the
-operator indicate which zones have changed and which haven't. Consult the
-documentation for your backend to see how it processes changes in zones.
-
-To help deal with slaves that may have missed notifications, or have failed to
-respond to them, several override commands are available via the
-[`pdns_control`](../authoritative/running.md#pdnscontrol) tool:
-
-* `pdns_control notify <domain>`
-This instructs PowerDNS to notify all IP addresses it considers to be slaves of this domain.
-
-* `pdns_control notify-host <domain> <ip-address>`
-This is truly an override and sends a notification to an arbitrary IP address.
-Can be used in [`also-notify`](settings.md#also-notify) situations or when PowerDNS
-has trouble figuring out who to notify - which may happen in contrived configurations.
-
-# Slave operation
-On launch, PowerDNS requests from all backends a list of domains which have not been
-checked recently for changes. This should happen every '**refresh**' seconds, as
-specified in the SOA record. All domains that are unfresh are then checked for
-changes over at their master. If the [SOA](../types.md#soa) serial number there
-is higher, the domain is retrieved and inserted into the database. In any case,
-after the check the domain is declared 'fresh', and will only be checked again
-after '**refresh**' seconds have passed.
-
-When the freshness of a domain cannot be checked, e.g. because the master is offline, PowerDNS will retry the domain after [`slave-cycle-interval`](settings.md#slave-cycle-interval) seconds.
-Every time the domain fails it's freshness check, PowerDNS will hold back on checking the domain for `amount of failures * slave-cycle-interval` seconds, with a maximum of [`soa-retry-default`](settings.md#soa-retry-default) seconds between checks.
-With default settings, this means that PowerDNS will back off for 1, then 2, then 3 etc. minutes, to a maximum of 60 minutes between checks.
-
-**Warning**: Slave support is OFF by default, turn it on by adding [`slave`](settings.md#slave) to the configuration.
-**Note**: When running PowerDNS via the provided systemd service file, [`ProtectSystem`](http://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=) is set to `full`, this means PowerDNS is unable to write to e.g. `/etc` and `/home`, possibly being unable to write AXFR's zones.
-
-PowerDNS also reacts to notifies by immediately checking if the zone has updated
-and if so, retransfering it.
-
-All backends which implement this feature must make sure that they can handle
-transactions so as to not leave the zone in a half updated state. MySQL configured
-with either BerkeleyDB or InnoDB meets this requirement, as do PostgreSQL and
-Oracle. The Bindbackend implements transaction semantics by renaming files if and
-only if they have been retrieved completely and parsed correctly.
-
-Slave operation can also be programmed using several [`pdns_control`](running.md#pdnscontrol)
-commands. The `retrieve` command is especially useful as it triggers an immediate
-retrieval of the zone from the configured master.
-
-PowerDNS supports multiple masters. For the BIND backend, the native BIND
-configuration language suffices to specify multiple masters, for SQL based backends,
-list all master servers separated by commas in the 'master' field of the domains table.
-
-Since version 4.0.0, PowerDNS requires that masters sign their
-notifications. During transition and interoperation with other nameservers,
-you can use options **allow-unsigned-notify** to permit unsigned
-notifications. For 4.0.0 this is turned on by default, but it might be
-turned off permanently in future releases.
-
-# Master/Slave Setup Requirements
-Generally to enable a Master/Slave setup you have to take care of following properties.
-* The [master](settings.md#master)/[slave](settings.md#slave) state has to be enabled in the respective `/etc/powerdns/pdns.conf` config files.
-* The nameservers have to be set up correctly as NS domain records i.e. defining a NS and A record for each slave.
-* Master/Slave state has to be configured on a per domain basis in the `<+pdns_database_name+>.domains` table. Namely the `type` column has to be either `MASTER` or `SLAVE` respectively and the slave needs a comma separated list of master node IP addresses in the `master` column in the `pdns_db.domains` table. [more to this topic](backend-generic-sql)
-
-## IXFR: incremental zone transfers
-If the 'IXFR' zone metadata item is set to 1 for a zone, PowerDNS will attempt to retrieve
-zone updates via IXFR.
-
-As of 4.0.0, if a slave zone changes from non-DNSSEC to DNSSEC, an IXFR
-update will not set the PRESIGNED flag. In addition, a change in NSEC3 mode
-will also not be picked up.
-
-In such cases, make sure to delete the zone contents to force a fresh retrieval.
-
-Finally, IXFR updates that "plug" Empty Non Terminals do not yet remove ENT
-records. A 'pdnsutil rectify-zone' may be required.
-
-PowerDNS itself is currently only able to retrieve updates via IXFR. It can not serve IXFR updates.
-
-## Supermaster: automatic provisioning of slaves
-PowerDNS can recognize so called 'supermasters'. A supermaster is a host which is
-master for domains and for which we are to be a slave. When a master (re)loads a
-domain, it sends out a notification to its slaves. Normally, such a notification
-is only accepted if PowerDNS already knows that it is a slave for a domain.
-
-However, a notification from a supermaster carries more persuasion. When PowerDNS
-determines that a notification comes from a supermaster and it is bonafide, it
-can provision the domain automatically, and configure itself as a slave for that zone.
-
-Before a supermaster notification succeeds, the following conditions must be met:
-- The supermaster must carry a SOA record for the notified domain
-- The supermaster IP must be present in the 'supermaster' table
-- The set of NS records for the domain, as retrieved by the slave from the supermaster, must include the name that goes with the IP address in the supermaster table
-- If your master sends signed NOTIFY it will mark that TSIG key as the TSIG key used for retrieval as well
-- If you turn off **allow-unsigned-supermaster*, then your supermaster(s) are required to sign their notifications.
-
-**Warning**: If you use another PowerDNS server as master and have DNSSEC enabled
-on that server please don't forget to rectify the domains after every change. If
-you don't do this there is no SOA record available and one requirement will fail.
-
-So, to benefit from this feature, a backend needs to know about the IP address
-of the supermaster, and how PowerDNS will be listed in the set of NS records
-remotely, and the 'account' name of your supermaster. There is no need to fill
-the account name out but it does help keep track of where a domain comes from.
-
-**Note**: Removal of zones provisioned using the supermaster must be done on the
-slaves themselves. As there is no way to signal this removal from the master to
-the slave.
-
-## Modifying a slave zone using a script
-The PowerDNS Authoritative Server can invoke a Lua script on an incoming AXFR
-zone transfer. The user-defined function `axfrfilter` within your script is
-invoked for each resource record read during the transfer, and the outcome of
-the function defines what PowerDNS does with the records.
-
-What you can accomplish using a Lua script:
-- Ensure consistent values on SOA
-- Change incoming SOA serial number to a YYYYMMDDnn format
-- Ensure consistent NS RRset
-- Timestamp the zone transfer with a TXT record
-
-To enable a Lua script for a particular slave zone, determine the `domain_id`
-for the zone from the `domains` table, and add a row to the `domainmetadata`
-table for the domain. Supposing the domain we want has an `id` of 3, the
-following SQL statement will enable the Lua script `my.lua` for that domain:
-
-```
-INSERT INTO domainmetadata (domain_id, kind, content) VALUES (3, "LUA-AXFR-SCRIPT", "/lua/my.lua");
-```
-
-**Warning**: The Lua script must both exist and be syntactically correct; if not,
-the zone transfer is not performed.
-
-Your Lua functions have access to the query codes through a pre-defined Lua table
-called `pdns`. For example if you want to check for a CNAME record you can either
-compare `qtype` to the numeric constant 5 or the value `pdns.CNAME` -- they are equivalent.
-
-If your function decides to handle a resource record it must return a result code
-of 0 together with a Lua table containing one or more replacement records to be
-stored in the back-end database (if the table is empty, no record is added).
-If you want your record(s) to be appended after the matching record, return 1 and table of record(s).
-If, on the other hand, your function decides not to modify a record, it must
-return -1 and an empty table indicating that PowerDNS should handle the
-incoming record as normal.
-
-Consider the following simple example:
-
-```
- function axfrfilter(remoteip, zone, record)
-
- -- Replace each HINFO records with this TXT
- if record:qtype() == pdns.HINFO then
- resp = {}
- resp[1] = {
- qname = record:qname:toString(),
- qtype = pdns.TXT,
- ttl = 99,
- content = "Hello Ahu!"
- }
- return 0, resp
- end
-
- -- Grab each _tstamp TXT record and add a time stamp
- if record:qtype() == pdns.TXT and string.starts(record:qname:toString(), "_tstamp.") then
- resp = {}
- resp[1] = {
- qname = record:qname():toString(),
- qtype = record:qtype(),
- ttl = record:ttl(),
- content = os.date("Ver %Y%m%d-%H:%M")
- }
- return 0, resp
- end
-
- -- Append A records with this TXT
- if record:qtype() == pdns.A then
- resp = {}
- resp[1] = {
- qname = record:qname:toString(),
- qtype = pdns.TXT,
- ttl = 99,
- content = "Hello Ahu, again!"
- }
- return 1, resp
- end
-
- resp = {}
- return -1, resp
- end
-
- function string.starts(s, start)
- return s.sub(s, 1, s.len(start)) == start
- end
-```
-
-Upon an incoming AXFR, PowerDNS calls our `axfrfilter` function for each record.
-All HINFO records are replaced by a TXT record with a TTL of 99 seconds and the
-specified string. TXT Records with names starting with `_tstamp.` get their value
-(rdata) set to the current time stamp.
-A records are appended with a TXT record.
-All other records are unhandled.
+++ /dev/null
-# Performance and Tuning
-In general, best performance is achieved on recent Linux 3.x kernels and using MySQL, although many of the largest PowerDNS installations are based on PostgreSQL. FreeBSD also performs very well.
-
-Database servers can require configuration to achieve decent performance. It is especially worth noting that several vendors ship PostgreSQL with a slow default configuration.
-
-**Warning**: When deploying (large scale) IPv6, please be aware some Linux distributions leave IPv6 routing cache tables at very small default values. Please check and if necessary raise `sysctl net.ipv6.route.max_size`.
-
-# Performance related settings
-When PowerDNS starts up it creates a number of threads to listen for packets. This is configurable with the [`receiver-threads`](settings.md#receiver-threads) setting which defines how many sockets will be opened by the powerdns process. In versions of linux before kernel 3.9 having too many receiver threads set up resulted in decreased performance due to socket contention between multiple CPUs - the typical sweet spot was 3 or 4. For optimal performance on kernel 3.9 and following with [`reuseport`](settings.md#reuseport) enabled you'll typically want a receiver thread for each core on your box if backend latency/performance is not an issue and you want top performance.
-
-Different backends will have different characteristics - some will want to have more parallel instances than others. In general, if your backend is latency bound, like most relational databases are, it pays to open more backends.
-
-This is done with the [`distributor-threads`](settings.md#distributor-threads) setting which says how many distributors will be opened for each receiver thread. Of special importance is the choice between 1 or more backends. In case of only 1 thread, PowerDNS reverts to unthreaded operation which may be a lot faster, depending on your operating system and architecture.
-
-Other very important settings are [`cache-ttl`](settings.md#cache-ttl). PowerDNS caches entire packets it sends out so as to save the time to query backends to assemble all data. The default setting of 20 seconds may be low for high traffic sites, a value of 60 seconds rarely leads to problems. Please be aware that if any TTL in the answer is shorter than this setting, the packet cache will respect the answer's shortest TTL.
-
-Some PowerDNS operators set cache-ttl to many hours or even days, and use [`pdns_control`](running.md#pdns_control)` purge` to selectively or globally notify PowerDNS of changes made in the backend. Also look at the [Query Cache](#query-cache) described in this chapter. It may materially improve your performance.
-
-To determine if PowerDNS is unable to keep up with packets, determine the value of the [`qsize-q`](../common/logging.md#counters) variable. This represents the number of packets waiting for database attention. During normal operations the queue should be small.
-
-Logging truly kills performance as answering a question from the cache is an order of magnitude less work than logging a line about it. Busy sites will prefer to turn [`log-dns-details`](settings.md#log-dns-details) off.
-
-# Packet Cache
-PowerDNS by default uses the 'Packet Cache' to recognise identical questions and supply them with identical answers, without any further processing. The default time to live is 20 seconds and can be changed by setting `cache-ttl`. It has been observed that the utility of the packet cache increases with the load on your nameserver.
-
-Not all backends may benefit from the packet cache. If your backend is memory based and does not lead to context switches, the packet cache may actually hurt performance.
-
-The maximum size of the packet cache is controlled by the `max-packet-cache-entries` entries since 4.1. Before that both the query cache and the packet cache used the `max-cache-entries` setting.
-
-# Query Cache
-Besides entire packets, PowerDNS can also cache individual backend queries. Each DNS query leads to a number of backend queries, the most obvious additional backend query is the check for a possible CNAME. So, when a query comes in for the 'A' record for 'www.powerdns.com', PowerDNS must first check for a CNAME for 'www.powerdns.com'.
-
-The Query Cache caches these backend queries, many of which are quite repetitive. The maximum number of entries in the cache is controlled by the `max-cache-entries` setting. Before 4.1 this setting also controls the maximum number of entries in the packet cache.
-
-Most gain is made from caching negative entries, ie, queries that have no answer. As these take little memory to store and are typically not a real problem in terms of speed-of-propagation, the default TTL for negative queries is a rather high 60 seconds.
-
-This only is a problem when first doing a query for a record, adding it, and immediately doing a query for that record again. It may then take up to 60 seconds to appear. Changes to existing records however do not fall under the negative query ttl ([`negquery-cache-ttl`](settings.md#negquery-cache-ttl)), but under the generic [`query-cache-ttl`](settings.md#query-cache-ttl) which defaults to 20 seconds.
-
-The default values should work fine for many sites. When tuning, keep in mind that the Query Cache mostly saves database access but that the Packet Cache also saves a lot of CPU because 0 internal processing is done when answering a question from the Packet Cache.
-
-# Performance Monitoring
-## Counters & variables
-A number of counters and variables are set during PowerDNS Authoritative Server operation.
-
-### Counters
-All counters that show the "number of X" count since the last startup of the
-daemon.
-
-* `corrupt-packets`: Number of corrupt packets received
-* `deferred-cache-inserts`: Number of cache inserts that were deferred because of maintenance
-* `deferred-cache-lookup`: Number of cache lookups that were deferred because of maintenance
-* `deferred-packetcache-inserts`: Number of packet cache inserts that were deferred because of maintenance
-* `deferred-packetcache-lookup`: Number of packet cache lookups that were deferred because of maintenance
-* `dnsupdate-answers`: Number of DNS update packets successfully answered
-* `dnsupdate-changes`: Total number of changes to records from DNS update
-* `dnsupdate-queries`: Number of DNS update packets received
-* `dnsupdate-refused`: Number of DNS update packets that were refused
-* `incoming-notifications`: Number of NOTIFY packets that were received
-* `key-cache-size`: Number of entries in the key cache
-* `latency`: Average number of microseconds a packet spends within PowerDNS
-* `meta-cache-size`: Number of entries in the metadata cache
-* `overload-drops`: Number of questions dropped because backends overloaded
-* `packetcache-hit`: Number of packets which were answered out of the cache
-* `packetcache-miss`: Number of times a packet could not be answered out of the cache
-* `packetcache-size`: Amount of packets in the packetcache
-* `qsize-q`: Number of packets waiting for database attention
-* `query-cache-hit`: Number of hits on the [query cache](performance.md#query-cache)
-* `query-cache-miss`: Number of misses on the [query cache](performance.md#query-cache)
-* `query-cache-size`: Number of entries in the query cache
-* `rd-queries`: Number of packets sent by clients requesting recursion (regardless of if we'll be providing them with recursion). Since 3.4.0.
-* `recursing-answers`: Number of packets we supplied an answer to after recursive processing
-* `recursing-questions`: Number of packets we performed recursive processing for
-* `recursion-unanswered`: Number of packets we sent to our recursor, but did not get a timely answer for. Since 3.4.0.
-* `security-status`: Security status based on [security polling](../common/security.md#implementation)
-* `servfail-packets`: Amount of packets that could not be answered due to database problems
-* `signature-cache-size`: Number of entries in the signature cache
-* `signatures`: Number of DNSSEC signatures created
-* `sys-msec`: Number of CPU milliseconds sent in system time
-* `tcp-answers-bytes`: Total number of answer bytes sent over TCP (since 4.0.0)
-* `tcp-answers`: Number of answers sent out over TCP
-* `tcp-queries`: Number of questions received over TCP
-* `tcp4-answers-bytes`: Total number of answer bytes sent over TCPv4 (since 4.0.0)
-* `tcp4-answers`: Number of answers sent out over TCPv4
-* `tcp4-queries`: Number of questions received over TCPv4
-* `tcp6-answers-bytes`: Total number of answer bytes sent over TCPv6 (since 4.0.0)
-* `tcp6-answers`: Number of answers sent out over TCPv6
-* `tcp6-queries`: Number of questions received over TCPv6
-* `timedout-packets`: Amount of packets that were dropped because they had to wait too long internally
-* `udp-answers-bytes`: Total number of answer bytes sent over UDP
-* `udp-answers`: Number of answers sent out over UDP
-* `udp-do-queries`: Number of queries received with the DO (DNSSEC OK) bit set
-* `udp-in-errors`: Number of packets, received faster than the OS could process them
-* `udp-noport-errors`: Number of UDP packets where an ICMP response was received that the remote port was not listening
-* `udp-queries`: Number of questions received over UDP
-* `udp-recvbuf-errors`: Number of errors caused in the UDP receive buffer
-* `udp-sndbuf-errors`: Number of errors caused in the UDP send buffer
-* `udp4-answers-bytes`: Total number of answer bytes sent over UDPv4 (Since 4.0.0)
-* `udp4-answers`: Number of answers sent out over UDPv4
-* `udp4-queries`: Number of questions received over UDPv4
-* `udp6-answers-bytes`: Total number of answer bytes sent over UDPv6 (Since 4.0.0)
-* `udp6-answers`: Number of answers sent out over UDPv6
-* `udp6-queries`: Number of questions received over UDPv6
-* `uptime`: Uptime in seconds of the daemon
-* `user-msec`: Number of milliseconds spend in CPU 'user' time
-
-### Ring buffers
-Besides counters, PowerDNS also maintains the ringbuffers. A ringbuffer records events, each new event gets a place in the buffer until it is full. When full, earlier entries get overwritten, hence the name 'ring'.
-
-By counting the entries in the buffer, statistics can be generated. These statistics can currently only be viewed using the webserver and are in fact not even collected without the webserver running.
-
-The following ringbuffers are available:
-
-* **logmessages**: All messages logged
-* **noerror-queries**: Queries for existing records but for a type we don't have.
-Queries for, say, the AAAA record of a domain, when only an A is available. Queries are listed in the following format: name/type. So an AAAA query for pdns.powerdns.com looks like pdns.powerdns.com/AAAA.
-* **nxdomain-queries**: Queries for non-existing records within existing domains.
-If PowerDNS knows it is authoritative over a domain, and it sees a question for a record in that domain that does not exist, it is able to send out an authoritative 'no such domain' message. Indicates that hosts are trying to connect to services really not in your zone.
-* **udp-queries**: All UDP queries seen.
-* **remotes**: Remote server IP addresses.
-Number of hosts querying PowerDNS. Be aware that UDP is anonymous - person A can send queries that appear to be coming from person B.
-* **remote-corrupts**: Remotes sending corrupt packets.
-Hosts sending PowerDNS broken packets, possibly meant to disrupt service. Be aware that UDP is anonymous - person A can send queries that appear to be coming from person B.
-* **remote-unauth**: Remotes querying domains for which we are not authoritative.
-It may happen that there are misconfigured hosts on the internet which are configured to think that a PowerDNS installation is in fact a resolving nameserver. These hosts will not get useful answers from PowerDNS. This buffer lists hosts sending queries for domains which PowerDNS does not know about.
-* **servfail-queries**: Queries that could not be answered due to backend errors.
-For one reason or another, a backend may be unable to extract answers for a certain domain from its storage. This may be due to a corrupt database or to inconsistent data. When this happens, PowerDNS sends out a 'servfail' packet indicating that it was unable to answer the question. This buffer shows which queries have been causing servfails.
-* **unauth-queries**: Queries for domains that we are not authoritative for.
-If a domain is delegated to a PowerDNS instance, but the backend is not made aware of this fact, questions come in for which no answer is available, nor is the authority. Use this ringbuffer to spot such queries.
+++ /dev/null
-**Warning**: Recursion was removed from the Authoritative Server in version 4.1.0
-
-# Recursion with the Authoritative Server
-From 2.9.5 onwards, PowerDNS offers both authoritative nameserving capabilities
-and a [recursive nameserver](../recursor/index.md) component. These two halves
-are normally separate but many users insist on combining both recursion and
-authoritative service on one IP address. This can be likened to running Apache
-and Squid both on port 80.
-
-However, many sites want to do this anyhow and some with good reason. For
-example, a setup like this allows the creation of fake domains which only exist
-for local users. Such domains often don't end on ".com" or ".org" but on
-".intern" or ".name-of-isp".
-
-PowerDNS can cooperate with either its own recursor or any other you have
-available to deliver recursive service on its port.
-
-By specifying the [`recursor`](settings.md#recursor) option in the configuration
-file, questions requiring recursive treatment will be handed over to the IP
-address specified. An example configuration might be `recursor=203.0.113.7`,
-which designates 203.0.113.7 as the nameserver to handle recursive queries.
-
-**Warning**: Using `recursor` is NOT RECOMMENDED as it comes with many
-potentially nasty surprises. For more info, you can read
-[Dan Bernstein's article](http://cr.yp.to/djbdns/separation.html) on this topic.
-
-Take care not to point [`recursor`](settings.md#recursor) to the PowerDNS
-Authoritative Server itself, which leads to a very tight packet loop!
-
-By specifying [`allow-recursion`](settings.md#allow-recursion), recursion can be
-restricted to netmasks specified. The default is to allow recursion from
-everywhere. Example: `allow-recursion=203.0.113.0/24, 198.51.100.0/26, 192.0.2.4`, `::1`.
-
-## Details
-Questions carry a number of flags. One of these is called 'Recursion Desired'.
-If PowerDNS is configured to allow recursion, AND such a flag is seen, AND the
-IP address of the client is allowed to recurse via PowerDNS, then the packet may
-be handed to the recursing backend.
-
-If a Recursion Desired packet arrives and PowerDNS is configured to allow
-recursion, but not to the IP address of the client, resolution will proceed as
-if the RD flag were unset and the answer will indicate that recursion was not
-available.
-
-It is also possible to use a resolver living on a different port. To do so,
-specify a recursor like this: `recursor=192.0.2.1:5300`.
-
-**Reminder:** [according to RFC3986](https://tools.ietf.org/html/rfc3986#section-3.2.2) for IPv6, the notation is to
-encode the IPv6 IP number in square brackets like this: `recursor=[::1]:5300`, as
-they explain in section 3.2.2: Host:
-
-> A host identified by an Internet Protocol literal address, version 6 [RFC3513] or
-later, is distinguished by enclosing the IP literal within square brackets ("[" and "]").
-This is the only place where square bracket characters are allowed in the URI syntax.
-In anticipation of future, as-yet-undefined IP literal address formats, an
-implementation may use an optional version flag to indicate such a format explicitly
-rather than rely on heuristic determination.
-
-So, be careful! The authoritative `pdns` service won't communicate with `pdns-recursor`
-if you write wrongly the IPv6 IP number in the `recursor` line of `pdns.conf`. Therefore,
-~~`recursor=::1:5300`~~ won't work because of the missing required square brackets ("[" and "]")
-enclosing the IP literal. Please respect IPv6 notation.
-
-If the backend does not answer a question within a large amount of time, this is
-logged as 'Recursive query for remote 198.51.100.15 with internal id 0 was not
-answered by backend within timeout, reusing id'. This may happen when using
-'BIND' as a recursor as it is prone to drop queries which it can't answer
-immediately.
-
-To make sure that the local authoritative database overrides recursive
-information, PowerDNS first tries to answer a question from its own database.
-If that succeeds, the answer packet is sent back immediately without involving
-the recursor in any way. This means that for questions for which there is no
-answer, PowerDNS will consult the recursor for an recursive query, even if
-PowerDNS is authoritative for a domain! This will only cause problems if you
-'fake' domains which don't really exist. This also means that if you delegate a
-subzone to another set or authoritative servers, when a request comes in for
-that sub-zone, PowerDNS will respond with a delegation response (as that is the
-answer from the authoritative perspective) and will *not* involve the recursor.
-
-If you want to create such fake domains or override existing domains, please set
-the `allow-recursion-override` feature (available from 2.9.14 until 2.9.22.6).
-
-Some packets, like those asking for MX records which are needed for SMTP
-transport of email, can be subject to 'additional processing'. This means that a
-recursing nameserver is obliged to try to add A records (IP addresses) for any
-of the mail servers mentioned in the packet, should it have these addresses
-available.
-
-If PowerDNS encounters records needing such processing and finds that it does
-not have the data in its authoritative database, it will send an opportunistic
-quick query to the recursing component to see if it perhaps has such data. This
-question is worded such that the recursing nameserver should return immediately
-such as not to block the authoritative nameserver.
-
-This marks a change from pre-2.9.5 behaviour where a packet was handed wholesale
-to the recursor in case it needed additional processing which could not proceed
-from the authoritative database.
+++ /dev/null
-# Running and Operating PowerDNS
-PowerDNS is normally controlled via a SysV-style init.d script, often located in
-`/etc/init.d` or `/etc/rc.d/init.d`. For Linux distributions with systemd, a
-service file is provided (either in the package or in the contrib directory of
-the tarball).
-
-Furthermore, PowerDNS can be run on the foreground for testing or in other init-
-systems that supervise processes.
-
-## Guardian
-When the init-system of the Operating System does not properly supervises processes,
-like SysV init, it is recommended to run PowerDNS with the [`guardian`](settings.md#guardian)
-option set to 'yes'.
-
-When launched with `guardian=yes`, `pdns_server` wraps itself inside a 'guardian'.
-This guardian monitors the performance of the inner `pdns_server` instance which
-shows up in the process list of your OS as `pdns_server-instance`. It is also
-this guardian that [`pdns_control`](#pdns_control) talks to. A **STOP** is
-interpreted by the guardian, which causes the guardian to sever the connection
-to the inner process and terminate it, after which it terminates itself. Requests
-that require data from the actual nameserver are passed to the inner process as well.
-
-## Logging to syslog on systemd-based operating systems
-By default, logging to syslog is disabled in the the systemd unit file to prevent the service logging twice, as the systemd journal picks up the output from the process itself.
-
-Removing the `--disable-syslog` option from the `ExecStart` line using `systemctl edit --full pdns` enables logging to syslog.
-
-# Controlling A Running PowerDNS Server
-As a DNS server is critical infrastructure, downtimes should be avoided as much
-as possible. Even though PowerDNS (re)starts very fast, it offers a way to
-control it while running.
-
-## Control Socket
-The controlsocket is the means to contact a running PowerDNS process. Over this
-socket, instructions can be sent using the `pdns_control` program. The control
-socket is called `pdns.controlsocket` and is created inside the [`socket-dir`](settings.md#socket-dir).
-
-## `pdns_control`
-To communicate with PowerDNS Authoritative Server over the controlsocket, the
-`pdns_control` command is used. The syntax is simple: `pdns_control command arguments`.
-Currently this is most useful for telling backends to rediscover domains or to
-force the transmission of notifications. See [Master Operation](../authoritative/modes-of-operation.md#master-operation).
-
-For all supported `pdns_control` commands and options, see [the manpage](../manpages/pdns_control.1)
-and the output of `pdns_control --help` on your system.
-
-# The SysV init
-This script supplied with the PowerDNS source accepts the following commands:
-
-* `monitor`: Monitor is a special way to view the daemon. It executes PowerDNS in the foreground with a lot of logging turned on, which helps in determining startup problems. Besides running in the foreground, the raw PowerDNS control socket is made available. All external communication with the daemon is normally sent over this socket. While useful, the control console is not an officially supported feature. Commands which work are: `QUIT`, `SHOW *`, `SHOW varname`, `RPING`.
-* `start`: Start PowerDNS in the background. Launches the daemon but makes no special effort to determine success, as making database connections may take a while. Use `status` to query success. You can safely run `start` many times, it will not start additional PowerDNS instances.
-* `restart`: Restarts PowerDNS if it was running, starts it otherwise.
-* `status`: Query PowerDNS for status. This can be used to figure out if a launch was successful. The status found is prefixed by the PID of the main PowerDNS process.
-* `stop`: Requests that PowerDNS stop. Again, does not confirm success. Success can be ascertained with the `status` command.
-* `dump`: Dumps a lot of statistics of a running PowerDNS daemon. It is also possible to single out specific variable by using the `show` command.
-* `show variable`: Show a single statistic, as present in the output of the `dump`.
-* `mrtg`: Dump statistics in mrtg format. See the performance [monitoring](../common/logging.md#performance-monitoring) documentation.
-
-**Note**: Packages provided by Operating System vendors might support different
-or less commands.
-
-# Running in the foreground
-One can run PowerDNS in the foreground by invoking the `pdns_server` executable.
-Without any options, it will load the `pdns.conf` and run. To make sure PowerDNS
-starts in the foreground, add the `--daemon=no` option.
-
-All [settings](settings.md) can be added on the commandline. e.g. to test a new
-database config, you could start PowerDNS like this:
-
-```
-pdns_server --no-config --daemon=no --local-port=5300 --launch=gmysql --gmysql-user=my_user --gmysql-password=mypassword
-```
-
-This starts PowerDNS without loading on-disk config, in the foreground, on all
-network interfaces on port 5300 and starting the [gmysql](backend-generic-mysql.md)
-backend.
-
-## Commandline Parameters
-There are several important command-line switches for `pdns_server`. All [settings](settings.md)
-can also be added as a commandline option (e.g. `pdns_server --daemon=no`) and
-will overwrite any options set in pdns.conf.
-
-### `--help`
-Outputs all known parameters, including those of launched backends, see below.
-
-To run on the command line, use the `pdns_server` binary. For example, to see
-options for the gpgsql backend, use the following:
-
-```
- $ /usr/sbin/pdns_server --launch=gpgsql --help=gpgsql
-```
-
-### `--list-modules`
-Will list all available modules, both compiled in and in dynamically loadable modules.
-
-### `--config`
-This will dump the config to standard out. Should you combine this with e.g. a
-[`launch`](settings.md#launch) statement (`pdns_server --launch=gpgsql --config`),
-all settings related to that backend (and their defaults) are included in the dump.
-
-# Virtual Hosting
-It may be advantageous to run multiple separate PowerDNS installations on a
-single host, for example to make sure that different customers cannot affect
-each others zones. PowerDNS fully supports running multiple instances on one host.
-
-To generate additional PowerDNS instances, create a `pdns-NAME.conf` in your
-configuration directory (usually `/etc/powerdns`), where `NAME` is the name of
-your virtual configuration.
-
-Following one of the following instructions, PowerDNS will read its configuration
-from the `pdns-NAME.conf` instead of `pdns.conf`.
-
-## Starting virtual instances with Sysv init-scripts
-Symlink the init.d script `pdns` to `pdns-NAME`, where `NAME` is the name of your
-virtual configuration. **Note**: `NAME` must not contain a '-' as this will
-confuse the script.
-
-Internally, the init script calls the binary with the
-[`config-name`](settings.md#config-name) option set to `name`, setting in motion
-the loading of separate configuration files.
-
-When you launch a virtual instance of PowerDNS, the pid-file is saved inside
-[`socket-dir`](settings.md#socket-dir) as `pdns-name.pid`.
-
-**Warning**: Be aware however that the init.d `force-stop` will kill all
-PowerDNS instances!
-
-## Starting virtual instances with systemd
-With systemd it is as simple as calling the correct service instance. Assuming your
-instance is called `myinstance` and `pdns-myinstance.conf` exists in the configuration
-directory, the following command will start the service:
-```
-systemctl start pdns@myinstance.service
-```
-
-Similarly you can enable it at boot:
-```
-systemctl enable pdns@myinstance.service
-```
-
-# Internals
-## How PowerDNS translates DNS queries into backend queries
-A DNS query is not a straightforward lookup. Many DNS queries need to check the
-backend for additional data, for example to determine if an unfound record should
-lead to an NXDOMAIN ('we know about this domain, but that record does not exist')
-or an unauthoritative response.
-
-Simplified, without CNAME processing, wildcards, referrals and DNSSEC, the
-algorithm is like this:
-
-When a query for a `qname`/`qtype` tuple comes in, PowerDNS queries backends to
-find the closest matching SOA, thus figuring out what backend owns this zone.
-When the right backend has been found, PowerDNS issues a `qname`/`ANY` query to
-the backend. If the response is empty, NXDOMAIN is concluded. If the response is
-not empty, any contents matching the original qtype are added to the list of
-records to return, and NOERROR is set.
-
-Each of these records is now investigated to see if it needs 'additional processing'.
-This holds for example for MX records which may point to hosts for which the PowerDNS
-backends also contain data. This involves further lookups for A or AAAA records.
-
-After all additional processing has been performed, PowerDNS sieves out all
-double records which may well have appeared. The resulting set of records is
-added to the answer packet, and sent out.
-
-A zone transfer works by looking up the `domain_id` of the SOA record of the
-name and then listing all records of that `domain_id`. This is why all records
-in a domain need to have the same domain\_id.
-
-If no SOA was found, a REFUSED is returned.
+++ /dev/null
-# All Authoritative Server settings
-All PowerDNS Authoritative Server settings are listed here, excluding those that
-originate from backends, which are documented in the relevant chapters. These
-settings can be set inside `pdns.conf` or on the commandline when invoking the
-`pdns` binary.
-
-You can use `+=` syntax to set some variables incrementally, but this requires
-you to have at least one non-incremental setting for the variable to act as base
-setting. This is mostly useful for [`include-dir`](#include-dir) directive.
-
-For boolean settings, specifying the name of the setting without a value means
-`yes`.
-
-## `8bit-dns`
-* Allow 8 bit dns queries
-* Default: no
-* Available since: 4.0.0
-
-Allow 8 bit DNS queries.
-
-## `allow-axfr-ips`
-* IP ranges, separated by commas
-* Default: 127.0.0.0/8,::1
-
-If set, only these IP addresses or netmasks will be able to perform AXFR.
-
-## `allow-dnsupdate-from`
-* IP ranges, separated by commas
-
-Allow DNS updates from these IP ranges.
-
-## `allow-notify-from`
-* IP ranges, separated by commas
-* Default: 0.0.0.0/0,::/0
-* Available since: 3.5.0
-
-Allow AXFR NOTIFY from these IP ranges.
-Setting this to an empty string will drop all incoming notifies.
-
-## `allow-unsigned-notify`
-* Boolean
-* Default: yes
-* Available since: 4.0
-
-Turning this off requires all notifications that are received to be signed by valid TSIG signature for the zone.
-
-## `allow-unsigned-supermaster`
-* Boolean
-* Default: yes
-* Available since: 4.0
-
-Turning this off requires all supermaster notifications to be signed by valid TSIG signature. It will accept any existing key on slave.
-
-## `allow-recursion`
-* IP ranges, separated by commas
-* Default: 0.0.0.0/0
-* Removed in: 4.1.0
-
-By specifying `allow-recursion`, recursion can be restricted to netmasks
-specified. The default is to allow recursion from everywhere. Example:
-`allow-recursion=198.51.100.0/24, 10.0.0.0/8, 192.0.2.4`.
-
-## `also-notify`
-* IP addresses, separated by commas
-
-When notifying a domain, also notify these nameservers. Example:
-`also-notify=192.0.2.1, 203.0.113.167`. The IP addresses listed in `also-notify`
-always receive a notification. Even if they do not match the list in
-[`only-notify`](#also-notify).
-
-## `any-to-tcp`
-* Boolean
-* Default: yes (no, in <= 4.0.1)
-* Available since: 3.3
-
-Answer questions for the ANY on UDP with a truncated packet that refers the
-remote server to TCP. Useful for mitigating reflection attacks.
-
-## `api`
-* Boolean
-* Default: no
-* Available since: 4.0
-
-Enable/disable the [REST API](../httpapi/README.md).
-
-## `api-key`
-* String
-* Available since: 4.0
-
-Static pre-shared authentication key for access to the REST API.
-
-## `api-readonly`
-* Boolean
-* Default: no
-* Available since: 4.0
-
-Disallow data modification through the REST API when set.
-
-## `axfr-lower-serial`
-* Boolean
-* Default: no
-* Available since: 4.0.4
-
-Also AXFR a zone from a master with a lower serial.
-
-## `cache-ttl`
-* Integer
-* Default: 20
-
-Seconds to store packets in the PacketCache. See
-["Packet Cache"](performance.md#packet-cache).
-
-## `carbon-ourname`
-
-* String
-* Default: the hostname of the server
-* Available since: 3.3.1
-
-If sending carbon updates, if set, this will override our hostname. Be careful not to include any dots in this setting, unless you know what you are doing. See
-["PowerDNS Metrics"](../common/logging.md#sending-to-carbongraphitemetronome).
-
-## `carbon-server`
-* IP Address
-* Available since: 3.3.1
-
-Send all available metrics to this server via the carbon protocol, which is used
-by graphite and metronome. It has to be an address (no hostnames).
-You may specify an alternate port by appending :port,
-ex: 127.0.0.1:2004. See
-["PowerDNS Metrics"](../common/logging.md#sending-to-carbongraphitemetronome).
-
-## `carbon-interval`
-* Integer
-* Default: 30
-* Available since: 3.3.1
-
-If sending carbon updates, this is the interval between them in seconds. See
-["PowerDNS Metrics"](../common/logging.md#sending-to-carbongraphitemetronome).
-
-## `chroot`
-* Path
-
-If set, chroot to this directory for more security. See
-["Security settings & considerations"](../common/security.md).
-
-Make sure that `/dev/log` is available from within the chroot. Logging will
-silently fail over time otherwise (on logrotate).
-
-When setting `chroot`, all other paths in the config (except for
-[`config-dir`](#config-dir) and [`module-dir`](#module-dir)) set in the configuration
-are relative to the new root.
-
-When running on a system where systemd manages services, `chroot` does not work out of the box, as PowerDNS cannot use the `NOTIFY_SOCKET`.
-Either don't `chroot` on these systems or set the 'Type' of the this service to 'simple' instead of 'notify' (refer to the systemd documentation on how to modify unit-files)
-
-## `config-dir`
-* Path
-
-Location of configuration directory (`pdns.conf`). Usually `/etc/powerdns`, but
-this depends on `SYSCONFDIR` during compile-time.
-
-## `config-name`
-* String
-
-Name of this virtual configuration - will rename the binary image. See
-["Virtual hosting"](running.md#virtual-hosting).
-
-## `control-console`
-Debugging switch - don't use.
-
-## `daemon`
-* Boolean
-* Default: no
-
-Operate as a daemon.
-
-## `default-ksk-algorithms`
-* String
-* Default: ecdsa256
-
-The algorithm that should be used for the KSK when running
-[`pdnsutil secure-zone`](../manpages/pdnsutil.1.md).
-Must be one of:
-* rsamd5
-* dh
-* dsa
-* ecc
-* rsasha1
-* rsasha256
-* rsasha512
-* ecc-gost
-* ecdsa256 (ECDSA P-256 with SHA256)
-* ecdsa384 (ECDSA P-384 with SHA384)
-* ed25519
-
-## `default-ksk-size`
-* Integer
-* Default: whichever is default for `default-ksk-algorithms`
-
-The default keysize for the KSK generated with
-[`pdnsutil secure-zone`](../manpages/pdnsutil.1.md).
-
-## `default-soa-name`
-* String
-* Default: a.misconfigured.powerdns.server
-
-Name to insert in the SOA record if none set in the backend.
-
-## `default-soa-edit`
-* String
-* Default: empty
-* Available since: 3.4.7
-
-Use this soa-edit value for all zones if no [`SOA-EDIT`](domainmetadata.md#SOA-EDIT) metadata value is set.
-
-## `default-soa-edit-signed`
-* String
-* Default: empty
-* Available since: 3.4.7
-
-Use this soa-edit value for all signed zones if no [`SOA-EDIT`](domainmetadata.md#SOA-EDIT) metadata value is set. Overrides [`default-soa-edit`](#default-soa-edit)
-
-## `default-soa-mail`
-* String
-
-Mail address to insert in the SOA record if none set in the backend.
-
-## `default-ttl`
-* Integer
-* Default: 3600
-
-TTL to use when none is provided.
-
-## `default-zsk-algorithms`
-* String
-* Default: (empty)
-
-The algorithm that should be used for the ZSK when running
-[`pdnsutil secure-zone`](../manpages/pdnsutil.1.md).
-Must be one of:
-* rsamd5
-* dh
-* dsa
-* ecc
-* rsasha1
-* rsasha256
-* rsasha512
-* ecc-gost
-* ecdsa256 (ECDSA P-256 with SHA256)
-* ecdsa384 (ECDSA P-384 with SHA384)
-* ed25519
-
-## `default-zsk-size`
-* Integer
-* Default: whichever is default for `default-zsk-algorithms`
-
-The default keysize for the ZSK generated with
-[`pdnsutil secure-zone`](../manpages/pdnsutil.1.md).
-
-## `direct-dnskey`
-* Boolean
-* Default: no
-
-Read additional ZSKs from the records table/your BIND zonefile. If not set,
-DNSKEY records in the zonefiles are ignored.
-
-## `disable-axfr`
-* Boolean
-* Default: no
-
-Do not allow zone transfers.
-
-## `disable-axfr-rectify`
-* Boolean
-* Default: no
-
-Disable the rectify step during an outgoing AXFR. Only required for regression
-testing.
-
-## `disable-syslog`
-* Boolean
-* Default: no
-
-Do not log to syslog, only to stdout. Use this setting when running inside a
-supervisor that handles logging (like systemd). **Note**: do not use this setting
-in combination with [`daemon`](#daemon) as all logging will disappear.
-
-## `disable-tcp`
-* Boolean
-* Default: no
-
-Do not listen to TCP queries. Breaks RFC compliance.
-
-## `distributor-threads`
-* Integer
-* Default: 3
-
-Number of Distributor (backend) threads to start per receiver thread. See
-["Authoritative Server Performance"](performance.md).
-
-## `dname-processing`
-* Boolean
-* Default: no
-
-Synthesise CNAME records from DNAME records as required. This approximately
-doubles query load. **Do not combine with DNSSEC!**
-
-## `dnssec-key-cache-ttl`
-* Integer
-* Default: 30
-
-Seconds to cache DNSSEC keys from the database. A value of 0 disables caching.
-
-## `dnsupdate`
-* Boolean
-* Default: no
-
-Enable/Disable DNS update (RFC2136) support.
-
-## `do-ipv6-additional-processing`
-* Boolean
-* Default: yes
-
-Perform AAAA additional processing. This sends AAAA records in the ADDITIONAL
-section when sending a referral.
-
-## `domain-metadata-cache-ttl`
-* Integer
-* Default: 60
-
-Seconds to cache domain metadata from the database. A value of 0 disables caching.
-
-## `edns-subnet-processing`
-* Boolean
-* Default: no
-
-Enables EDNS subnet processing, for backends that support it.
-
-## `entropy-source`
-* Path
-* Default: /dev/urandom
-
-Entropy source file to use.
-
-## `expand-alias`
-* Boolean
-* Default: no
-* Since: 4.1.0
-
-If this is enabled, ALIAS records are expanded (synthesised to their A/AAAA).
-
-If this is disabled (the default), ALIAS records will not expanded and the server will will return NODATA for A/AAAA queries for such names.
-
-**note**: [`resolver`](#resolver) must also be set for ALIAS expansion to work!
-
-**note**: In PowerDNS Authoritative Server 4.0.x, this setting did not exist and ALIAS was always expanded.
-
-## `forward-dnsupdate`
-* Boolean
-* Default: no
-
-Forward DNS updates sent to a slave to the master.
-
-## `forward-notify`
-* IP addresses, separated by commas
-
-IP addresses to forward received notifications to regardless of master or slave settings.
-
-Note: The intended use is in anycast environments where it might be necessary for a
-proxy server to perform the AXFR. The usual checks are performed before any received
-notification is forwarded.
-
-## `guardian`
-* Boolean
-* Default: no
-
-Run within a guardian process. See ["Guardian"](running.md#guardian).
-
-## `include-dir`
-* Path
-
-Directory to scan for additional config files. All files that end with .conf are
-loaded in order using `POSIX` as locale.
-
-## `launch`
-* Backend names, separated by commas
-
-Which backends to launch and order to query them in. Launches backends. In its
-most simple form, supply all backends that need to be launched. e.g.
-
-```
-launch=bind,gmysql,remote
-```
-
-If you find that you need to query a backend multiple times with different configuration,
-you can specify a name for later instantiations. e.g.:
-
-```
-launch=gmysql,gmysql:server2
-```
-
-In this case, there are 2 instances of the gmysql backend, one by the normal name
-and the second one is called 'server2'. The backend configuration item names
-change: e.g. `gmysql-host` is available to configure the `host` setting of the
-first or main instance, and `gmysql-server2-host` for the second one.
-
-## `load-modules`
-* Paths, separated by commas
-
-If backends are available in nonstandard directories, specify their location here.
-Multiple files can be loaded if separated by commas. Only available in non-static
-distributions.
-
-## `local-address`
-* IPv4 Addresses, separated by commas or whitespace
-* Default: 0.0.0.0
-
-Local IP address to which we bind. It is highly advised to bind to specific
-interfaces and not use the default 'bind to any'. This causes big problems if
-you have multiple IP addresses. Unix does not provide a way of figuring out what
-IP address a packet was sent to when binding to any.
-
-## `non-local-bind`
-* Boolean
-* Default: no
-
-Bind to addresses even if one or more of the [`local-address`'s](#local-address)
-do not exist on this server. Setting this option will enable the needed socket
-options to allow binding to non-local addresses.
-This feature is intended to facilitate ip-failover setups, but it may also
-mask configuration issues and for this reason it is disabled by default.
-
-## `lua-axfr-script`
-
-* String
-* Default: empty
-* Available since: 4.0.4
-
-Script to be used to edit incoming AXFRs, see [Modifying a slave zone using a script](modes-of-operation.md#modifying-a-slave-zone-using-a-script).
-
-## `local-address-nonexist-fail`
-* Boolean
-* Default: no
-
-Fail to start if one or more of the [`local-address`'s](#local-address) do not
-exist on this server.
-
-## `local-ipv6`
-* IPv6 Addresses, separated by commas or whitespace
-* Default: ::
-
-Local IPv6 address to which we bind. It is highly advised to bind to specific
-interfaces and not use the default 'bind to any'. This causes big problems if
-you have multiple IP addresses.
-
-## `local-ipv6-nonexist-fail`
-* Boolean
-* Default: no
-
-Fail to start if one or more of the [`local-ipv6`](#local-ipv6) addresses do not
-exist on this server.
-
-## `local-port`
-* Integer
-* Default: 53
-
-The port on which we listen. Only one port possible.
-
-## `log-dns-details`
-* Boolean
-* Default: no
-
-If set to 'no', informative-only DNS details will not even be sent to syslog,
-improving performance. Available from 2.5 and onwards.
-
-## `logging-facility`
-If set to a digit, logging is performed under this LOCAL facility. See
-["Operational logging using syslog"](../common/logging.md#logging).
-Available from 1.99.9 and onwards. Do not pass names like 'local0'!
-
-## `loglevel`
-* Integer
-* Default: 4
-
-Amount of logging. Higher is more. Do not set below 3
-
-## `log-dns-queries`
-* Boolean
-* Default: no
-
-Tell PowerDNS to log all incoming DNS queries. This will lead to a lot of
-logging! Only enable for debugging! Set [`loglevel`](#loglevel) to at least 5
-to see the logs.
-
-## `lua-prequery-script`
-* Path
-
-Lua script to run before answering a query. This is a feature used internally
-for regression testing. The API of this functionality is not guaranteed to be
-stable, and is in fact likely to change.
-
-## `master`
-* Boolean
-* Default: no
-
-Turn on master support. See ["Modes of operation"](modes-of-operation.md#master-operation).
-
-## `max-cache-entries`
-* Integer
-* Default: 1000000
-
-Maximum number of entries in the query cache. 1 million (the default) will generally suffice
-for most installations. Starting with 4.1, the packet and query caches are distinct so you might
-also want to see `max-packet-cache-entries`.
-
-## `max-ent-entries`
-* Integer
-* Default: 100000
-
-Maximum number of empty non-terminals to add to a zone. This is a protection
-measure to avoid database explosion due to long names.
-
-## `max-nsec3-iterations`
-* Integer
-* Default: 500
-
-Limit the number of NSEC3 hash iterations
-
-## `max-packet-cache-entries`
-* Integer
-* Default: 1000000
-
-Maximum number of entries in the packet cache. 1 million (the default) will generally suffice
-for most installations. This setting has been introduced in 4.1, previous used the `max-cache-entries`
-setting for both the packet and query caches.
-
-## `max-queue-length`
-* Integer
-* Default: 5000
-
-If this many packets are waiting for database attention, consider the situation
-hopeless and respawn.
-
-## `max-signature-cache-entries`
-* Integer
-* Default: 2^64 (on 64-bit systems)
-
-Maximum number of signatures cache entries
-
-## `max-tcp-connection-duration`
-* Integer
-* Default: 0
-
-Maximum time in seconds that a TCP DNS connection is allowed to stay open.
-0 means unlimited.
-Note that exchanges related to an AXFR or IXFR are not affected by this setting.
-
-## `max-tcp-connections`
-* Integer
-* Default: 20
-
-Allow this many incoming TCP DNS connections simultaneously.
-
-## `max-tcp-connections-per-client`
-* Integer
-* Default: 0
-
-Maximum number of simultaneous TCP connections per client. 0 means unlimited.
-
-## `max-tcp-transactions-per-conn`
-* Integer
-* Default: 0
-
-Allow this many DNS queries in a single TCP transaction. 0 means unlimited.
-Note that exchanges related to an AXFR or IXFR are not affected by this setting.
-
-## `module-dir`
-* Path
-
-Directory for modules. Default depends on `PKGLIBDIR` during compile-time.
-
-## `negquery-cache-ttl`
-* Integer
-* Default: 60
-
-Seconds to store queries with no answer in the Query Cache. See
-["Query Cache"](performance.md#query-cache).
-
-## `no-config`
-* Boolean
-* Default: no
-
-Do not attempt to read the configuration file.
-
-## `no-shuffle`
-* Boolean
-* Default: no
-
-Do not attempt to shuffle query results, used for regression testing.
-
-## `overload-queue-length`
-* Integer
-* Default: 0 (disabled)
-
-If this many packets are waiting for database attention, answer any new
-questions strictly from the packet cache.
-
-## `reuseport`
-* Boolean
-* Default: No
-
-On Linux 3.9 and some BSD kernels the `SO_REUSEPORT` option allows each
-receiver-thread to open a new socket on the same port which allows for much
-higher performance on multi-core boxes. Setting this option will enable use of
-`SO_REUSEPORT` when available and seamlessly fall back to a single socket when
-it is not available. A side-effect is that you can start multiple servers on the
-same IP/port combination which may or may not be a good idea. You could use this
-to enable transparent restarts, but it may also mask configuration issues and
-for this reason it is disabled by default.
-
-## `security-poll-suffix`
-* String
-* Default: secpoll.powerdns.com.
-* Available since: 3.4.1
-
-Domain name from which to query security update notifications. Setting this to
-an empty string disables secpoll.
-
-## `server-id`
-* String
-* Default: The hostname of the server
-
-This is the server ID that will be returned on an EDNS NSID query.
-
-## `only-notify`
-* IP Ranges, separated by commas or whitespace
-* Default: 0.0.0.0/0, ::/0
-
-For type=MASTER zones (or SLAVE zones with slave-renotify enabled) PowerDNS
-automatically sends NOTIFYs to the name servers specified in the NS records.
-By specifying networks/mask as whitelist, the targets can be limited. The default
-is to notify the world. To completely disable these NOTIFYs set `only-notify` to an
-empty value. Independent of this setting, the IP addresses or netmasks configured
-with [`also-notify`](#also-notify) and `ALSO-NOTIFY` domain metadata always receive
-AXFR NOTIFYs.
-
-Note: Even if NOTIFYs are limited by a netmask, PowerDNS first has to resolve all the
-hostnames to check their IP addresses against the specified whitelist. The resolving
-may take considerable time, especially if those hostnames are slow to resolve. If you
-do not need to NOTIFY the slaves defined in the NS records (e.g. you are using another
-method to distribute the zone data to the slaves), then set `only-notify` to an empty
-value and specify the notification targets explicitly using [`also-notify`](#also-notify)
-and/or `ALSO-NOTIFY` domain metadata to avoid this potential bottleneck.
-
-## `out-of-zone-additional-processing`
-* Boolean
-* Default: yes
-
-Do out of zone additional processing. This means that if a malicious user adds a
-'.com' zone to your server, it is not used for other domains and will not
-contaminate answers. Do not enable this setting if you run a public DNS service
-with untrusted users.
-
-The docs had previously indicated that the default was "no", but the default has
-been "yes" since 2005.
-
-## `outgoing-axfr-expand-alias`
-* Boolean
-* Default: no
-
-If this is enabled, ALIAS records are expanded (synthesised to their A/AAAA)
-during outgoing AXFR. This means slaves will not automatically follow changes
-in those A/AAAA records unless you AXFR regularly!
-
-If this is disabled (the default), ALIAS records are sent verbatim during
-outgoing AXFR. Note that if your slaves do not support ALIAS, they will return
-NODATA for A/AAAA queries for such names.
-
-## `prevent-self-notification`
-* Boolean
-* Default: yes
-* Available since: 3.3
-
-PowerDNS Authoritative Server attempts to not send out notifications to itself
-in master mode. In very complicated situations we could guess wrong and not
-notify a server that should be notified. In that case, set
-prevent-self-notification to "no".
-
-## `query-cache-ttl`
-* Integer
-* Default: 20
-
-Seconds to store queries with an answer in the Query Cache. See
-["Query Cache"](performance.md#query-cache).
-
-## `query-local-address`
-* IPv4 Address
-* Default: 0.0.0.0
-
-The IP address to use as a source address for sending queries. Useful if you
-have multiple IPs and PowerDNS is not bound to the IP address your operating
-system uses by default for outgoing packets.
-
-## `query-local-address6`
-* IPv6 Address
-* Default: ::
-
-Source IP address for sending IPv6 queries.
-
-## `query-logging`
-* Boolean
-* Default: no
-
-Boolean, hints to a backend that it should log a textual representation of
-queries it performs. Can be set at runtime.
-
-## `queue-limit`
-* Integer
-* Default: 1500
-
-Maximum number of milliseconds to queue a query. See
-["Authoritative Server Performance"](performance.md).
-
-## `receiver-threads`
-* Integer
-* Default: 1
-
-Number of receiver (listening) threads to start. See
-["Authoritative Server Performance"](performance.md) for tuning details.
-
-## `recursive-cache-ttl`
-* Integer
-* Default: 10
-* Removed in: 4.1.0
-
-Seconds to store recursive packets in the PacketCache. See
-["Packet Cache"](performance.md#packet-cache).
-
-## `recursor`
-* IP Address
-* Removed in: 4.1.0
-
-If set, recursive queries will be handed to the recursor specified here. See
-["Recursion"](recursion.md).
-
-## `resolver`
-* IP Addresses with optional port, separated by commas
-* Added in: 4.1.0
-
-Use these resolver addresses for ALIAS and the internal stub resolver.
-If this is not set, `/etc/resolv.conf` is parsed for upstream resolvers.
-
-## `retrieval-threads`
-* Integer
-* Default: 2
-
-Number of AXFR slave threads to start.
-
-## `setgid`
-* String
-
-If set, change group id to this gid for more security. See
-["Security settings & considerations"](../common/security.md).
-
-## `setuid`
-* String
-
-If set, change user id to this uid for more security. See
-["Security settings & considerations](../common/security.md).
-
-## `slave`
-* Boolean
-* Default: no
-
-Turn on slave support. See ["Modes of operation"](modes-of-operation.md#slave-operation).
-
-## `slave-cycle-interval`
-* Integer
-* 60
-
-On a master, this is the amounts of seconds between the master checking the SOA
-serials in its database to determine to send out NOTIFYs to the slaves. On slaves,
-this is the number of seconds between the slave checking for updates to zones.
-
-## `slave-renotify`
-* Boolean
-* Default: no
-
-This setting will make PowerDNS renotify the slaves after an AXFR is *received*
-from a master. This is useful when using when running a signing-slave.
-
-## `signing-threads`
-* Integer
-* Default: 3
-
-Tell PowerDNS how many threads to use for signing. It might help improve signing
-speed by changing this number.
-
-## `soa-expire-default`
-* Integer
-* Default: 604800
-
-Default [SOA](../types.md#soa) expire.
-
-## `soa-minimum-ttl`
-* Integer
-* Default: 3600
-
-Default [SOA](../types.md#soa) minimum ttl.
-
-## `soa-refresh-default`
-* Integer
-* Default: 10800
-
-Default [SOA](../types.md#soa) refresh.
-
-## `soa-retry-default`
-* Integer
-* Default: 3600
-
-Default [SOA](../types.md#soa) retry.
-
-## `socket-dir`
-* Path
-
-Where the controlsocket will live. The default depends on `LOCALSTATEDIR` during
-compile-time (usually `/var/run` or `/run`). See
-["Controlsocket"](running.md#controlsocket).
-
-This path will also contain the pidfile for this instance of PowerDNS called
-`pdns.pid` by default. See [`config-name`](#config-name) and
-[Virtual Hosting](running.md#virtual-hosting) how this can differ.
-
-## `tcp-control-address`
-* IP Address
-
-Address to bind to for TCP control.
-
-## `tcp-control-port`
-* Integer
-* Default: 53000
-
-Port to bind to for TCP control.
-
-## `tcp-control-range`
-* IP Ranges, separated by commas or whitespace
-
-Limit TCP control to a specific client range.
-
-## `tcp-control-secret`
-* String
-
-Password for TCP control.
-
-## `tcp-fast-open`
-* Integer
-* Default: 0 (Disabled)
-* Available since: 4.1
-
-Enable TCP Fast Open support, if available, on the listening sockets. The numerical
-value supplied is used as the queue size, 0 meaning disabled.
-
-## `tcp-idle-timeout`
-* Integer
-* Default: 5
-
-Maximum time in seconds that a TCP DNS connection is allowed to stay open
-while being idle, meaning without PowerDNS receiving or sending even a single byte.
-
-## `traceback-handler`
-* Boolean
-* Default: yes
-
-Enable the Linux-only traceback handler.
-
-## `trusted-notification-proxy`
-* String
-
-IP address of incoming notification proxy
-
-## `udp-truncation-threshold`
-* Integer
-* Default: 1680
-
-EDNS0 allows for large UDP response datagrams, which can potentially raise
-performance. Large responses however also have downsides in terms of reflection
-attacks. Up till PowerDNS Authoritative Server 3.3, the truncation limit was set
-at 1680 bytes, regardless of EDNS0 buffer size indications from the client.
-Beyond 3.3, this setting makes our truncation limit configurable. Maximum value
-is 65535, but values above 4096 should probably not be attempted.
-
-## `version-string`
-* Any of: `anonymous`, `powerdns`, `full`, String
-* Default: full
-
-When queried for its version over DNS
-(`dig chaos txt version.bind @pdns.ip.address`), PowerDNS normally responds
-truthfully. With this setting you can overrule what will be returned. Set the
-`version-string` to `full` to get the default behaviour, to `powerdns` to just
-make it state `served by PowerDNS - http://www.powerdns.com`. The `anonymous`
-setting will return a ServFail, much like Microsoft nameservers do. You can set
-this response to a custom value as well.
-
-## `webserver`
-* Boolean
-* Default: no
-
-Start a webserver for monitoring. See
-["Performance Monitoring"](../common/logging.md#performance-monitoring).
-Before 4.1.0, it was necessary to enable the webserver to use the REST API,
-this is no longer the case.
-
-## `webserver-address`
-* IP Address
-* Default: 127.0.0.1
-
-IP Address for webserver/API to listen on. See
-["Performance Monitoring"](../common/logging.md#performance-monitoring).
-
-## `webserver-allow-from`
-* IP ranges, separated by commas or whitespace
-* Default: 0.0.0.0/0,::/0
-
-Webserver/API access is only allowed from these subnets.
-
-## `webserver-password`
-* String
-
-The plaintext password required for accessing the webserver. See
-["Performance Monitoring"](../common/logging.md#performance-monitoring).
-
-## `webserver-port`
-* Integer
-* Default: 8001
-
-The port where webserver/API will listen on. See ["Performance Monitoring"](../common/logging.md#performance-monitoring).
-
-## `webserver-print-arguments`
-* Boolean
-* Default: no
-
-If the webserver should print arguments. See ["Performance Monitoring"](../common/logging.md#performance-monitoring).
-
-## `write-pid`
-* Boolean
-* Default: yes
-
-If a PID file should be written. Available since 4.0.
-
-## `xfr-max-received-mbytes`
-* Integer
-* Default: 100
-
-Specifies the maximum number of received megabytes allowed on an incoming AXFR/IXFR update, to prevent
-resource exhaustion. A value of 0 means no restriction.
+++ /dev/null
-# TSIG: shared secret authorization and authentication
-TSIG, as defined in [RFC 2845](http://tools.ietf.org/html/rfc2845), is a method
-for signing DNS messages using shared secrets. Each TSIG shared secret has a name,
-and PowerDNS can be told to allow zone transfer of a domain if the request is
-signed with an authorized name.
-
-In PowerDNS, TSIG shared secrets are stored by the various backends. In case of
-the [`Generic SQL backends`](backend-generic-sql.md), they can be found in the
-'tsigkeys' table. The name can be chosen freely, but the algorithm name will
-typically be 'hmac-md5'. Other supported algorithms are 'hmac-sha1', 'hmac-shaX'
-where X is 224, 256, 384 or 512. The content is a Base64-encoded secret.
-
-**Note**: Most backends require DNSSEC support enabled to support TSIG. For the
-Generic SQL Backend make sure to use the DNSSEC enabled schema and to turn on
-the relevant '-dnssec' flag (for example, `gmysql-dnssec`)!
-
-## Provisioning outbound AXFR access
-To actually provision a named secret permission to AXFR a zone, set a metadata
-item in the 'domainmetadata' table called `TSIG-ALLOW-AXFR` with the key name in
-the content field. For example:
-
-```
-insert into tsigkeys (name, algorithm, secret) values ('test', 'hmac-md5', 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=');
-select id from domains where name='powerdnssec.org';
-5
-insert into domainmetadata (domain_id, kind, content) values (5, 'TSIG-ALLOW-AXFR', 'test');
-
-$ dig -t axfr powerdnssec.org @127.0.0.1 -y 'test:kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys='
-```
-
-Another of importing and activating TSIG keys into the database is using [`pdnsutil`](../manpages/pdnsutil.1.md):
-
-```
-pdnsutil import-tsig-key test hmac-md5 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys='
-pdnsutil activate-tsig-key powerdnssec.org test master
-```
-
-To ease interoperability, the equivalent configuration above in BIND would look like this:
-
-```
-key test. {
- algorithm hmac-md5;
- secret "kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=";
-};
-
-zone "powerdnssec.org" {
- type master;
- file "powerdnssec.org";
- allow-transfer { key test.; };
-};
-```
-
-A packet authorized and authenticated by a TSIG signature will gain access to a
-zone even if the remote IP address is not otherwise allowed to AXFR a zone.
-
-## Provisioning signed notification and AXFR requests
-To configure PowerDNS to send out TSIG signed AXFR requests for a zone to its
-master(s), set the `AXFR-MASTER-TSIG` metadata item for the relevant domain to
-the key that must be used.
-
-The actual TSIG key must also be provisioned, as outlined in the previous section.
-
-For the Generic SQL backends, configuring the use of TSIG for AXFR requests could
-be achieved as follows:
-
-```
-insert into tsigkeys (name, algorithm, secret) values ('test', 'hmac-md5', 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=');
-select id from domains where name='powerdnssec.org';
-5
-insert into domainmetadata (domain_id, kind, content) values (5, 'AXFR-MASTER-TSIG', 'test');
-```
-
-This can also be done using [`pdnsutil`](../manpages/pdnsutil.1.md):
-
-```
-pdnsutil import-tsig-key test hmac-md5 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys='
-pdnsutil activate-tsig-key powerdnssec.org test slave
-```
-
-This setup corresponds to the `TSIG-ALLOW-AXFR` access rule defined in the previous section.
-
-In the interest of interoperability, the configuration above is (not quite)
-similar to the following BIND statements:
-
-```
-key test. {
- algorithm hmac-md5;
- secret "kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=";
-};
-
-server 127.0.0.1 {
- keys { test.; };
-};
-
-zone "powerdnssec.org" {
- type slave;
- masters { 127.0.0.1; };
- file "powerdnssec.org";
-};
-```
-
-Except that in this case, TSIG will be used for all communications with the master,
-not just those about AXFR requests.
-
-# GSS-TSIG support
-GSS-TSIG allows authentication and authorization of DNS updates or AXFR using
-Kerberos with TSIG signatures.
-
-**Note**: this feature is experimental and subject to change on future releases.
-
-## Prerequisites
-
-- Working Kerberos environment. Please refer to your Kerberos vendor documentation on how to setup it.
-- Principal (such as `DNS/<your.dns.server.name>@REALM`) in either per-user keytab or system keytab.
-
-In particular, if something does not work, read logs and ensure that your kerberos
-environment is ok before filing an issue. Most common problems are time
-synchronization or changes done to the principal.
-
-## Setting up
-To allow AXFR / DNS update to work, you need to configure `GSS-ACCEPTOR-PRINCIPAL`
-in [`domain metadata`](domainmetadata.md). This will define the principal that is
-used to accept any GSS context requests. This *must* match to your keytab. Next
-you need to define one or more `GSS-ALLOW-AXFR-PRINCIPAL` entries for AXFR, or
-`TSIG-ALLOW-DNSUPDATE` entries for DNS update. These must be set to the exact
-initiator principal names you intend to use. No wildcards accepted.
+++ /dev/null
-Before proceeding, it is advised to check the release notes for your PowerDNS version, as specified in the name of the distribution file.
-
-Please upgrade to the PowerDNS Authoritative Server 4.0.0 from 3.4.2+. See the [3.X](https://doc.powerdns.com/3/authoritative/upgrading/) upgrade notes if your version is older than 3.4.2.
-
-# 4.0.X to 4.1.0
-
-## Changed options
-
- * `experimental-lua-policy-script` option and the feature itself have been completely dropped. We invite you to use (PowerDNS dnsdist)[http://dnsdist.org] instead.
-
-### Changed defaults
-
-## Other changes
-
-The `--with-pgsql`, `--with-pgsql-libs`, `--with-pgsql-includes` and `--with-pgsql-config` `configure` options have been deprecated.
-`configure` now attempts to find the Postgresql client libraries via `pkg-config`, falling back to detecting `pg_config`.
-Use `--with-pg-config` to specify a path to a non-default `pg_config` if you have Postgresql installed in a non-default location.
-
-# 4.0.X to 4.0.2
-
-## Changed options
-
-### Changed defaults
-
- * [`any-to-tcp`](settings.md#any-to-tcp) changed from `no` to `yes`
-
-# 3.4.X to 4.0.0
-
-## Database changes
-No changes have been made to the database schema.
-However, several superfluous queries have been dropped from the SQL backend.
-Furthermore, the generic SQL backends switched to prepared statements.
-If you use a non-standard SQL schema, please review the new defaults.
-
- - `insert-ent-query`, `insert-empty-non-terminal-query`, `insert-ent-order-query` have been replaced by one query named `insert-empty-non-terminal-order-query`
- - `insert-record-order-query` has been dropped, `insert-record-query` now sets the ordername (or NULL)
- - `insert-slave-query` has been dropped, `insert-zone-query` now sets the type of zone
-
-## Changed options
-Several options have been removed or renamed, for the full overview of all options, see [settings](settings.md).
-
-### Renamed options
-The following options have been renamed:
-
- * `experimental-json-interface` ==> [`api`](settings.md#api)
- * `experimental-api-readonly` ==> [`api-readonly`](settings.md#api-readonly)
- * `experimental-api-key` ==> [`api-key`](settings.md#api-key)
- * `experimental-dname-processing` ==> [`dname-processing`](settings.md#dname-processing)
- * `experimental-dnsupdate` ==> [`dnsupdate`](settings.md#dnsupdate)
- * `allow-dns-update-from` ==> [`allow-dnsupdate-from`](settings.md#allow-dnsupdate-from)
- * `forward-dnsupdates` ==> [`forward-dnsupdate`](settings.md#forward-dnsupdate)
-
-### Changed defaults
-
- * [`default-ksk-algorithms`](settings.md#default-ksk-algorithms) changed from rsasha256 to ecdsa256
- * [`default-zsk-algorithms`](settings.md#default-zsk-algorithms) changed from rsasha256 to empty
-
-### Removed options
-The following options are removed:
-
- * `pipebackend-abi-version`, it now a setting per-pipe backend.
- * `strict-rfc-axfrs`
- * `send-root-referral`
-
-## API
-The API path has changed to `/api/v1`.
-
-Incompatible change: `SOA-EDIT-API` now follows `SOA-EDIT-DNSUPDATE` instead of `SOA-EDIT` (incl. the fact that it now has a default value of `DEFAULT`).
-You must update your existing `SOA-EDIT-API` metadata (set `SOA-EDIT` to your previous `SOA-EDIT-API` value, and `SOA-EDIT-API` to `SOA-EDIT` to keep the old behaviour).
-
-## Resource Record Changes
-Since PowerDNS 4.0.0 the CAA resource record (type 257) is supported. Before PowerDNS 4.0.0 type 257 was used for a proprietary MBOXFW resource record, which
-was removed from PowerDNS 4.0. Hence, if you used CAA records with 3.4.x (stored in the DB with wrong type=MBOXFW but worked fine) and upgrade to 4.0,
-PowerDNS will fail to parse this records and will throw an exception on all queries for a label with MBOXFW records. Thus, make sure to clean up the
-records in the DB.
+++ /dev/null
-**Note**: Beyond PowerDNS 2.9.20, the Authoritative Server and Recursor are released separately.
-
-<!--
-# PowerDNS Authoritative Server 4.1.0
-Unreleased
-
-Note: this released includes a change in the BIND zonefile parser which
-affects TTLs for records that did not have an explicit TTL. With this
-change, we are compliant with RFC2308, but your existing zone files may now
-be interpreted differently.
-
-Specifically, where we previously used the SOA minimum field for the default
-TTL if none was set explictly, or no $TTL was set, we now use the TTL from
-the previous line.
-
-- [#5094](https://github.com/PowerDNS/pdns/pull/5094): make our zone parser adhere to RFC2308 wrt implicit TTLs and add test
--->
-
-# PowerDNS Recursor 4.0.6
-Released 6th of July 2017
-
-This release features a fix for the ed25519 verifier. This verifier hashed the message before verifying, resulting in unverifiable signatures. Also on the Elliptic Curve front, support was added for ED448 (DNSSEC algorithm 16) by using libdecaf.
-
-Besides that, this release features massive improvements to our edns-client-subnet handling, and some IXFR fixes. Note that this release changes `use-incoming-edns-subnet` to disabled by default.
-
-## Bug fixes
-
-- commit c24288b87: Use the incoming ECS for cache lookup if `use-incoming-edns-subnet` is set
-- commit b91dc6e92: when making a netmask from a comboaddress, we neglected to zero the port. This could lead to a proliferation of netmasks.
-- commit 261591b6f: Don't take the initial ECS source for a scope one if EDNS is off
-- commit 66f894b7a: also set d_requestor without Lua: the ECS logic needs it
-- commit c2086f265: Fix IXFR skipping the additions part of the last sequence
-- commit a5c9534d0: Treat requestor's payload size lower than 512 as equal to 512
-- commit 61b1ea2f4: make URI integers 16 bits, fixes [ticket #5443](https://github.com/PowerDNS/pdns/issues/5443)
-- commit 27f9da3c2: unbreak quoting; fixes [ticket #5401](https://github.com/PowerDNS/pdns/issues/5401)
-
-## Improvements
-
-- commit 2325010e6: with this, EDNS Client Subnet becomes compatible with the packet cache, using the existing variable answer facility.
-- commit 2ec8d8148: Remove just enough entries from the cache, not one more than asked
-- commit 71df15677: Move expired cache entries to the front so they are expunged
-- commit d84834c4c: changed IPv6 addr of b.root-servers.net (Arsen Stasic)
-- commit bcce047bc: e.root-servers.net has IPv6 now (phonedph1)
-- commit cef8ec7c2: hello decaf signers (ED25519 and ED448) Testing algorithm 15: 'Decaf ED25519' ->'Decaf ED25519' -> 'Decaf ED25519' Signature & verify ok, signature 68usec, verify 93usec Testing algorithm 16: 'Decaf ED448' ->'Decaf ED448' -> 'Decaf ED448' Signature & verify ok, signature 163usec, verify 252usec (Kees Monshouwer)
-- commit 68490a4b5: don't use the libdecaf ed25519 signer when libsodium is enabled (Kees Monshouwer)
-- commit 5a88a8ed5: do not hash the message in the ed25519 signer (Kees Monshouwer)
-- commit 0e7893bf4: Disable use-incoming-edns-subnet by default
-
-# PowerDNS Authoritative Server 4.0.4
-Released 23rd of June 2017
-
-This release features a fix for the ed25519 signer. This signer hashed the message before signing, resulting in unverifiable signatures. Also on the Elliptic Curve front, support was added for ED448 (DNSSEC algorithm 16) by using libdecaf.
-
-## Bug fixes
-- [#5423](https://github.com/PowerDNS/pdns/pull/5423): Do not hash the message in the ed25519 signer (Kees Monshouwer)
-- [#5445](https://github.com/PowerDNS/pdns/pull/5445): Make URI integers 16 bits, fixes [#5443](https://github.com/PowerDNS/pdns/issues/5443)
-- [#5346](https://github.com/PowerDNS/pdns/pull/5346): configure.ac: Corrects syntax error in test statement on existance of libcrypto_ecdsa (shinsterneck)
-- [#5440](https://github.com/PowerDNS/pdns/pull/5440): configure.ac: Fix quoting issue fixes [#5401](https://github.com/PowerDNS/pdns/issues/5401)
-- [#4824](https://github.com/PowerDNS/pdns/pull/4824): configure.ac: Check in the detected OpenSSL/libcrypto for ECDSA
-- [#5016](https://github.com/PowerDNS/pdns/pull/5016): configure.ac: Check if we can link against libatomic if needed
-- [#5341](https://github.com/PowerDNS/pdns/pull/5341): Fix typo in ldapbackend.cc from issue [#5091](https://github.com/PowerDNS/pdns/issues/5091) (shantikulkarni)
-- [#5289](https://github.com/PowerDNS/pdns/pull/5289): Sort NSEC record case insensitive (Kees Monshouwer)
-- [#5378](https://github.com/PowerDNS/pdns/pull/5378): Make sure NSEC ordernames are always lower case
-- [#4781](https://github.com/PowerDNS/pdns/pull/4781): API: correctly take TTL from first record even if we are at the last comment (Christian Hofstaedtler)
-- [#4901](https://github.com/PowerDNS/pdns/pull/4901): Fix AtomicCounter unit tests on 32-bit
-- [#4911](https://github.com/PowerDNS/pdns/pull/4911): Fix negative port detection for IPv6 addresses on 32-bit
-- [#4508](https://github.com/PowerDNS/pdns/pull/4508): Remove support for 'right' timezones, as this code turned out to be broken
-- [#4961](https://github.com/PowerDNS/pdns/pull/4961): Lowercase the TSIG algorithm name in hash computation
-- [#5048](https://github.com/PowerDNS/pdns/pull/5048): Handle exceptions raised by `closesocket()`
-- [#5297](https://github.com/PowerDNS/pdns/pull/5297): Don't leak on signing errors during outgoing AXFR; signpipe stumbles over interrupted rrsets; fix memory leak in gmysql backend
-- [#5450](https://github.com/PowerDNS/pdns/pull/5450): TinyCDB backend: Don't leak a CDB object in case of bogus data
-
-## Improvements
-- [#5071](https://github.com/PowerDNS/pdns/pull/5071): ODBC backend: Allow query logging
-- [#5441](https://github.com/PowerDNS/pdns/pull/5441): Add ED25519 (algo 15) and ED448 (algo 16) support with libdecaf signer (Kees Monshouwer)
-- [#5325](https://github.com/PowerDNS/pdns/pull/5325): YaHTTP: Sync with upstream changes
-- [#5298](https://github.com/PowerDNS/pdns/pull/5298): Send a notification to all slave servers after every dnsupdate (Kees Monshouwer)
-- [#5317](https://github.com/PowerDNS/pdns/pull/5317): Add option to set a global `lua-axfr-script` value (Kees Monshouwer)
-- [#5130](https://github.com/PowerDNS/pdns/pull/5130): dnsreplay: Add `--source-ip` and `--source-port` options
-- [#5085](https://github.com/PowerDNS/pdns/pull/5085): calidns: Use the correct socket family (IPv4 / IPv6)
-- [#5170](https://github.com/PowerDNS/pdns/pull/5170): Add an option to allow AXFR of zones with a different (higher/lower) serial (Kees Monshouwer)
-- [#4622](https://github.com/PowerDNS/pdns/pull/4622): API: Make trailing dot handling consistent with pdnsutil (Tuxis Internet Engineering)
-- [#4762](https://github.com/PowerDNS/pdns/pull/4762): SuffixMatchNode: Fix insertion issue for an existing node
-- [#4861](https://github.com/PowerDNS/pdns/pull/4861): Do not resolve the NS-records for NOTIFY targets if the "only-notify" whitelist is empty, as a target will never match an empty whitelist.
-- [#5378](https://github.com/PowerDNS/pdns/pull/5378): Improve the AXFR DNSSEC freshness check; Ignore NSEC3PARAM metadata in an unsigned zone
-- [#5297](https://github.com/PowerDNS/pdns/pull/5297): Create additional `reuseport` sockets before dropping privileges; remove transaction in pgpsql backend
-
-# PowerDNS Recursor 4.0.5
-Released 13th of June 2017
-
-This release adds ed25519 (algorithm 15) support for DNSSEC and adds the 2017 DNSSEC root key. If you do DNSSEC validation, this upgrade is **mandatory** to continue validating after October 2017.
-
-## Bug fixes
-
-- [commit af76224](https://github.com/PowerDNS/pdns/commit/af76224): Correctly lowercase the TSIG algorithm name in hash computation, fixes [#4942](https://github.com/PowerDNS/pdns/issues/4942)
-- [commit 86c4ed0](https://github.com/PowerDNS/pdns/commit/86c4ed0): Clear the RPZ NS IP table when clearing the policy, this prevents false positives
-- [commit 5e660e9](https://github.com/PowerDNS/pdns/commit/5e660e9): Fix cache-only queries against a forward-zone, fixes [#5211](https://github.com/PowerDNS/pdns/issues/5211)
-- [commit 2875033](https://github.com/PowerDNS/pdns/commit/2875033): Only delegate if NSes are below apex in auth-zones, fixes [#4771](https://github.com/PowerDNS/pdns/issues/4771)
-- [commit e7c183d](https://github.com/PowerDNS/pdns/commit/e7c183d): Remove hardcoding of port 53 for TCP/IP forwarded zones in recursor, fixes [#4799](https://github.com/PowerDNS/pdns/issues/4799)
-- [commit 5bec36e](https://github.com/PowerDNS/pdns/commit/5bec36e): Make sure `labelsToAdd` is not empty in `getZoneCuts()`
-- [commit 0f59e05](https://github.com/PowerDNS/pdns/commit/0f59e05): Wait until after daemonizing to start the outgoing protobuf thread, prevents hangs when the protobuf server is not available
-- [commit 233e144](https://github.com/PowerDNS/pdns/commit/233e144): Ensure (re)priming the root never fails
-- [commit 3642cb3](https://github.com/PowerDNS/pdns/commit/3642cb3): Don't age the root, fixes a regression from 3.x
-- [commit 83f9226](https://github.com/PowerDNS/pdns/commit/83f9226): Fix exception when sending a protobuf message for an empty question
-- [commit ffdd813](https://github.com/PowerDNS/pdns/commit/ffdd813): LuaWrapper: Allow embedded NULs in strings received from Lua
-- [commit c5ffd90](https://github.com/PowerDNS/pdns/commit/c5ffd90): Fix coredumps on illumos/SmartOS, fixes [#4579](https://github.com/PowerDNS/pdns/issues/4579) (Roman Dayneko)
-- [commit 651c0e9](https://github.com/PowerDNS/pdns/commit/651c0e9): StateHolder: Allocate (and copy if needed) before taking the lock
-- [commit 547d68f](https://github.com/PowerDNS/pdns/commit/547d68f): SuffixMatchNode: Fix insertion issue for an existing node
-- [commit 3ada4e2](https://github.com/PowerDNS/pdns/commit/3ada4e2): Fix negative port detection for IPv6 addresses on 32-bit systems
-
-## Additions and Enhancements
-
-- [commit 7705e1c](https://github.com/PowerDNS/pdns/commit/7705e1c): Add support for RPZ wildcarded target names. Fixes [#5237](https://github.com/PowerDNS/pdns/issues/5237)
-- [#5165](https://github.com/PowerDNS/pdns/pull/5165): Speed up RPZ zone loading and add a `zoneSizeHint` parameter to `rpzFile` and `rpzMaster` for faster reloads
-- [#4794](https://github.com/PowerDNS/pdns/issues/4794): Make the RPZ summary consistent (Fixes [#4342](https://github.com/PowerDNS/pdns/issues/4342)) and log additions/removals at debug level, not info
-- [commit 1909556](https://github.com/PowerDNS/pdns/commit/1909556): Add the 2017 root key
-- [commit abfe671](https://github.com/PowerDNS/pdns/commit/abfe671) and [commit 7abbb2c](https://github.com/PowerDNS/pdns/commit/7abbb2c): Update Ed25519 [algorithm number and mnemonic](http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml) and hook up to the Recursor (Kees Monshouwer)
-- [#5355](https://github.com/PowerDNS/pdns/pull/5355): Add `use-incoming-edns-subnet` option to process and pass along ECS and fix some ECS bugs in the process
-- [commit dff1a11](https://github.com/PowerDNS/pdns/commit/dff1a11): Refuse to start with chroot set in a systemd env (Fixes [#4848](https://github.com/PowerDNS/pdns/issues/4848))
-- [commit 5a38a56](https://github.com/PowerDNS/pdns/commit/5a38a56): Handle exceptions raised by `closesocket()` to prevent process termination
-- [#4619](https://github.com/PowerDNS/pdns/issues/4619): Document missing `top-pub-queries` and `top-pub-servfail-queries` commands for `rec_control` (phonedph1)
-- [commit 502a850](https://github.com/PowerDNS/pdns/commit/502a850): IPv6 address for g.root-servers.net added (Kevin Otte)
-- [commit 7a2a645](https://github.com/PowerDNS/pdns/commit/7a2a645): Log outgoing queries / incoming responses via protobuf
-
-# PowerDNS Authoritative Server 4.0.3
-Released January 17th 2017
-
-This release fixes an issue when using multiple backends, where one of the backends is the BIND backend.
-This regression was introduced in 4.0.2.
-
-## Bug fix
-
-- [#4905](https://github.com/PowerDNS/pdns/pull/4905): Revert "auth: In `Bind2Backend::lookup()`, use the `zoneId` when we have it"
-
-# PowerDNS Recursor 4.0.4
-Released January 13th 2017
-
-The 4.0.4 version of the PowerDNS Recursor fixes PowerDNS Security Advisories [2016-02](security/powerdns-advisory-2016-02.md) and [2016-04](security/powerdns-advisory-2016-04.md).
-
-## Bug fixes
-
-- [commit 658d9e4](https://github.com/PowerDNS/pdns/commit/658d9e4): Check TSIG signature on IXFR (Security Advisory [2016-04](security/powerdns-advisory-2016-04.md))
-- [commit 91acd82](https://github.com/PowerDNS/pdns/commit/91acd82): Don't parse spurious RRs in queries when we don't need them (Security Advisory [2016-02](security/powerdns-advisory-2016-02.md))
-- [commit 400e28d](https://github.com/PowerDNS/pdns/commit/400e28d): Fix incorrect length check in `DNSName` when extracting qtype or qclass
-- [commit 2168188](https://github.com/PowerDNS/pdns/commit/2168188): rec: Wait until after daemonizing to start the RPZ and protobuf threads
-- [commit 3beb3b2](https://github.com/PowerDNS/pdns/commit/3beb3b2): On (re-)priming, fetch the root NS records
-- [commit cfeb109](https://github.com/PowerDNS/pdns/commit/cfeb109): rec: Fix src/dest inversion in the protobuf message for TCP queries
-- [commit 46a6666](https://github.com/PowerDNS/pdns/commit/46a6666): NSEC3 optout and Bogus insecure forward fixes
-- [commit bb437d4](https://github.com/PowerDNS/pdns/commit/bb437d4): On RPZ customPolicy, follow the resulting CNAME
-- [commit 6b5a8f3](https://github.com/PowerDNS/pdns/commit/6b5a8f3): DNSSEC: don't go bogus on zero configured DSs
-- [commit 1fa6e1b](https://github.com/PowerDNS/pdns/commit/1fa6e1b): Don't crash on an empty query ring
-- [commit bfb7e5d](https://github.com/PowerDNS/pdns/commit/bfb7e5d): Set the result to NoError before calling `preresolve`
-
-## Additions and Enhancements
-
-- [commit 7c3398a](https://github.com/PowerDNS/pdns/commit/7c3398a): Add `max-recursion-depth` to limit the number of internal recursion
-- [commit 3d59c6f](https://github.com/PowerDNS/pdns/commit/3d59c6f): Fix building with ECDSA support disabled in libcrypto
-- [commit 0170a3b](https://github.com/PowerDNS/pdns/commit/0170a3b): Add requestorId and some comments to the protobuf definition file
-- [commit d8cd67b](https://github.com/PowerDNS/pdns/commit/d8cd67b): Make the negcache forwarded zones aware
-- [commit 46ccbd6](https://github.com/PowerDNS/pdns/commit/46ccbd6): Cache records for zones that were delegated to from a forwarded zone
-- [commit 5aa64e6](https://github.com/PowerDNS/pdns/commit/5aa64e6), [commit 5f4242e](https://github.com/PowerDNS/pdns/commit/5f4242e) and [commit 0f707cd](https://github.com/PowerDNS/pdns/commit/0f707cd): DNSSEC: Implement keysearch based on zone-cuts
-- [commit ddf6fa5](https://github.com/PowerDNS/pdns/commit/ddf6fa5): rec: Add support for boost::context >= 1.61
-- [commit bb6bd6e](https://github.com/PowerDNS/pdns/commit/bb6bd6e): Add `getRecursorThreadId()` to Lua, identifying the current thread
-- [commit d8baf17](https://github.com/PowerDNS/pdns/commit/d8baf17): Handle CNAMEs at the apex of secure zones to other secure zones
-
-# PowerDNS Authoritative Server 4.0.2
-Released January 13th 2017
-
-This release fixes PowerDNS Security Advisories [2016-02](security/powerdns-advisory-2016-02.md), [2016-03](security/powerdns-advisory-2016-03.md), [2016-04](security/powerdns-advisory-2016-04.md) and [2016-05](security/powerdns-advisory-2016-05.md) and includes a fix for a memory leak in the Postgresql backend.
-
-## Bug fixes
-
-- [commit f61af48](https://github.com/PowerDNS/pdns/commit/f61af48): Don't parse spurious RRs in queries when we don't need them (Security Advisory [2016-02](security/powerdns-advisory-2016-02.md))
-- [commit 592006d](https://github.com/PowerDNS/pdns/commit/592006d): Don't exit if the webserver can't accept a connection (Security Advisory [2016-03](security/powerdns-advisory-2016-03.md))
-- [commit e85acc6](https://github.com/PowerDNS/pdns/commit/e85acc6): Check TSIG signature on IXFR (Security Advisory [2016-04](security/powerdns-advisory-2016-04.md))
-- [commit 3b1e4a2](https://github.com/PowerDNS/pdns/commit/3b1e4a2): Correctly check unknown record content size (Security Advisory [2016-05](security/powerdns-advisory-2016-05.md))
-- [commit 9ecbf02](https://github.com/PowerDNS/pdns/commit/9ecbf02): ODBC backend: actually prepare statements
-- [commit a4d607b](https://github.com/PowerDNS/pdns/commit/a4d607b): Fix incorrect length check in `DNSName` when extracting qtype or qclass
-- [commit c816fe3](https://github.com/PowerDNS/pdns/commit/c816fe3): Fix a possible memory leak in the webserver
-- [#4287](https://github.com/PowerDNS/pdns/pull/4287): Better handling of invalid serial
-- [#4306](https://github.com/PowerDNS/pdns/pull/4306): Limit size of mysql cell to 128 kilobytes
-- [#4314](https://github.com/PowerDNS/pdns/pull/4314): Overload fix: make overload-queue-length work as intended again, add test for it.
-- [#4317](https://github.com/PowerDNS/pdns/pull/4317): Improve root-zone performance
-- [#4319](https://github.com/PowerDNS/pdns/pull/4319): pipe: SERVFAIL when needed
-- [#4360](https://github.com/PowerDNS/pdns/pull/4360): Make sure mariadb (mysql on centos/rhel) is started before pdns (42wim)
-- [#4387](https://github.com/PowerDNS/pdns/pull/4387): ComboAddress: don't allow invalid ports
-- [#4459](https://github.com/PowerDNS/pdns/pull/4459): Plug memory leak in postgresql backend (Christian Hofstaedtler)
-- [#4544](https://github.com/PowerDNS/pdns/pull/4544): Fix a stack-based off-by-one write in the HTTP remote backend
-- [#4755](https://github.com/PowerDNS/pdns/pull/4755): calidns: Don't crash if we don't have enough 'unknown' queries remaining
-
-## Additions and Enhancements
-
-- [commit 1238e06](https://github.com/PowerDNS/pdns/commit/1238e06): disable negative getSOA caching if the negcache_ttl is 0 (Kees Monshouwer)
-- [commit 3a0bded](https://github.com/PowerDNS/pdns/commit/3a0bded), [commit 8c879d4](https://github.com/PowerDNS/pdns/commit/8c879d4), [commit 8c03126](https://github.com/PowerDNS/pdns/commit/8c03126), [commit 5656e12](https://github.com/PowerDNS/pdns/commit/5656e12) and [commit c1d283d](https://github.com/PowerDNS/pdns/commit/c1d283d): Improve PacketCache cleaning (Kees Monshouwer)
-- [#4261](https://github.com/PowerDNS/pdns/pull/4261): Strip trailing dot in PTR content (Kees Monshouwer)
-- [#4269](https://github.com/PowerDNS/pdns/pull/4269): contrib: simple bash completion for pdnsutil (j0ju)
-- [#4272](https://github.com/PowerDNS/pdns/pull/4272): Bind backend: update status message on reload, keep the existing zone on failure
-- [#4274](https://github.com/PowerDNS/pdns/pull/4274): report DHCID type (Kees Monshouwer)
-- [#4310](https://github.com/PowerDNS/pdns/pull/4310): Fix build with LibreSSL, for which OPENSSL_VERSION_NUMBER is irrelevant
-- [#4323](https://github.com/PowerDNS/pdns/pull/4323): Speedup DNSName creation
-- [#4335](https://github.com/PowerDNS/pdns/pull/4335): fix TSIG for single thread distributor (Kees Monshouwer)
-- [#4346](https://github.com/PowerDNS/pdns/pull/4346): change default for any-to-tcp to yes (Kees Monshouwer)
-- [#4356](https://github.com/PowerDNS/pdns/pull/4356): Don't look up the packet cache for TSIG-enabled queries
-- [#4403](https://github.com/PowerDNS/pdns/pull/4403): (auth) Fix build with OpenSSL 1.1.0 final (Christian Hofstaedtler)
-- [#4442](https://github.com/PowerDNS/pdns/pull/4442): geoipbackend: Fix minor naming issue (Aki Tuomi)
-- [#4454](https://github.com/PowerDNS/pdns/pull/4454): pdnsutil: create-slave-zone accept multiple masters (Hannu Ylitalo)
-- [#4541](https://github.com/PowerDNS/pdns/pull/4541): Backport of #4542: API: search should not return ENTs (Christian Hofstaedtler)
-- [#4754](https://github.com/PowerDNS/pdns/pull/4754): In `Bind2Backend::lookup()`, use the `zoneId` when we have it
-
-# PowerDNS Recursor 4.0.3
-Released September 6th 2016
-
-The 4.0.3 version of the PowerDNS Recursor features many improvements to the Policy Engine (RPZ) and the Lua bindings to it. We would like to thank Wim ([42wim](https://github.com/42wim)) for testing and reporting on the RPZ module.
-
-## Bug fixes
-
-- [#4350](https://github.com/PowerDNS/pdns/pull/4350): Call `gettag()` for TCP queries
-- [#4376](https://github.com/PowerDNS/pdns/pull/4376): Fix the use of an uninitialized filtering policy
-- [#4381](https://github.com/PowerDNS/pdns/pull/4381): Parse query-local-address before lua-config-file
-- [#4383](https://github.com/PowerDNS/pdns/pull/4383): Fix accessing an empty policyCustom, policyName from Lua
-- [#4387](https://github.com/PowerDNS/pdns/pull/4387): ComboAddress: don't allow invalid ports
-- [#4388](https://github.com/PowerDNS/pdns/pull/4388): Fix RPZ default policy not being applied over IXFR
-- [#4391](https://github.com/PowerDNS/pdns/pull/4391): DNSSEC: Actually follow RFC 7646 §2.1
-- [#4396](https://github.com/PowerDNS/pdns/pull/4396): Add boost context ldflags so freebsd builds can find the libs
-- [#4402](https://github.com/PowerDNS/pdns/pull/4402): Ignore NS records in a RPZ zone received over IXFR
-- [#4403](https://github.com/PowerDNS/pdns/pull/4403): Fix build with OpenSSL 1.1.0 final
-- [#4404](https://github.com/PowerDNS/pdns/pull/4404): Don't validate when a Lua hook took the query
-- [#4425](https://github.com/PowerDNS/pdns/pull/4425): Fix a protobuf regression (requestor/responder mix-up)
-
-## Additions and Enhancements
-
-- [#4394](https://github.com/PowerDNS/pdns/pull/4394): Support Boost 1.61+ fcontext
-- [#4402](https://github.com/PowerDNS/pdns/pull/4402): Add Lua binding for DNSRecord::d_place
-
-# PowerDNS Recursor 4.0.2
-Released August 26th 2016
-
-This release fixes a regression in 4.x where CNAME records for DNSSEC signed domains were not sorted before the final answers, leading to some clients (notably some versions of Chrome) not being able to extract the required answer from the packet. This happened exclusively for DNSSEC signed domains, but the problem happens even for clients not requesting DNSSEC validation.
-
-Further fixes and changes can be found below:
-
-## Bug fixes
-
- - [#4264](https://github.com/PowerDNS/pdns/pull/4264): Set `dq.rcode` before calling postresolve
- - [#4294](https://github.com/PowerDNS/pdns/pull/4294): Honor PIE flags.
- - [#4310](https://github.com/PowerDNS/pdns/pull/4310): Fix build with LibreSSL, for which OPENSSL_VERSION_NUMBER is irrelevant
- - [#4340](https://github.com/PowerDNS/pdns/pull/4340): Don't shuffle CNAME records.
- - [#4354](https://github.com/PowerDNS/pdns/pull/4354): Fix delegation-only
-
-## Additions and enhancements
-
- - [#4288](https://github.com/PowerDNS/pdns/pull/4288): Respect the timeout when connecting to a protobuf server
- - [#4300](https://github.com/PowerDNS/pdns/pull/4300): allow newDN to take a DNSName in; document missing methods
- - [#4301](https://github.com/PowerDNS/pdns/pull/4301): expose SMN toString to lua
- - [#4318](https://github.com/PowerDNS/pdns/pull/4318): Anonymize the protobuf ECS value as well
- - [#4324](https://github.com/PowerDNS/pdns/pull/4324): Allow Lua access to the result of the Policy Engine decision, skip RPZ, finish RPZ implementation
- - [#4349](https://github.com/PowerDNS/pdns/pull/4349): Remove unused `DNSPacket::d_qlen`
- - [#4351](https://github.com/PowerDNS/pdns/pull/4351): RPZ: Use query-local-address(6) by default
- - [#4357](https://github.com/PowerDNS/pdns/pull/4357): Move the root DNSSEC data to a header file
-
-# PowerDNS Recursor 4.0.1
-Released July 29th 2016
-
-This release has several improvements with regards to DNSSEC validation and it improves interoperability with DNSSEC clients that expect an AD-bit on validated data when they query with only the DO-bit set.
-
-## Bug fixes
-
- - [#4119](https://github.com/PowerDNS/pdns/pull/4119) Improve DNSSEC record skipping for non dnssec queries (Kees Monshouwer)
- - [#4162](https://github.com/PowerDNS/pdns/pull/4162) Don't validate zones from the local auth store, go one level down while validating when there is a CNAME
- - [#4187](https://github.com/PowerDNS/pdns/pull/4187):
- * Don't go bogus on islands of security
- * Check all possible chains for Insecures
- * Don't go Bogus on a CNAME at the apex
- - [#4215](https://github.com/PowerDNS/pdns/pull/4215) RPZ: default policy should also override local data RRs
- - [#4243](https://github.com/PowerDNS/pdns/pull/4243) Fix a crash when the next name in a chained query is empty and `rec_control current-queries` is invoked
-
-## Improvements
-
- - [#4056](https://github.com/PowerDNS/pdns/pull/4056) OpenSSL 1.1.0 support (Christian Hofstaedtler)
- - [#4133](https://github.com/PowerDNS/pdns/pull/4133) Add limits to the size of received {A,I}XFR (CVE-2016-6172)
- - [#4140](https://github.com/PowerDNS/pdns/pull/4140) Fix warnings with gcc on musl-libc (James Taylor)
- - [#4160](https://github.com/PowerDNS/pdns/pull/4160) Also validate on +DO
- - [#4164](https://github.com/PowerDNS/pdns/pull/4164) Fail to start when the lua-dns-script does not exist
- - [#4168](https://github.com/PowerDNS/pdns/pull/4168) Add more Netmask methods for Lua (Aki Tuomi)
- - [#4210](https://github.com/PowerDNS/pdns/pull/4210) Validate DNSSEC for security polling
- - [#4217](https://github.com/PowerDNS/pdns/pull/4217) Turn on root-nx-trust by default and log-common-errors=off
- - [#4207](https://github.com/PowerDNS/pdns/pull/4207) Allow for multiple trust anchors per zone
- - [#4242](https://github.com/PowerDNS/pdns/pull/4242) Fix compilation warning when building without Protobuf
-
-# PowerDNS Authoritative Server 4.0.1
-Released July 29th 2016
-
-This release fixes two small issues and adds a setting to limit AXFR and IXFR sizes, in response to [CVE-2016-6172](http://www.openwall.com/lists/oss-security/2016/07/06/4).
-
-## Bug fixes
-
- - [#4126](https://github.com/PowerDNS/pdns/pull/4126) Wait for the connection to the carbon server to be established
- - [#4206](https://github.com/PowerDNS/pdns/pull/4206) Don't try to deallocate empty PG statements
- - [#4245](https://github.com/PowerDNS/pdns/pull/4245) Send the correct response when queried for an NSEC directly (Kees Monshouwer)
- - [#4252](https://github.com/PowerDNS/pdns/pull/4252) Don't include bind files if length <= 2 or > sizeof(filename)
- - [#4255](https://github.com/PowerDNS/pdns/pull/4255) Catch runtime_error when parsing a broken MNAME
-
-## Improvements
-
- - [#4044](https://github.com/PowerDNS/pdns/pull/4044) Make DNSPacket return a ComboAddress for local and remote (Aki Tuomi)
- - [#4056](https://github.com/PowerDNS/pdns/pull/4056) OpenSSL 1.1.0 support (Christian Hofstaedtler)
- - [#4169](https://github.com/PowerDNS/pdns/pull/4169) Fix typos in a logmessage and exception (Christian Hofstaedtler)
- - [#4183](https://github.com/PowerDNS/pdns/pull/4183) pdnsutil: Remove checking of ctime and always diff the changes (Hannu Ylitalo)
- - [#4192](https://github.com/PowerDNS/pdns/pull/4192) dnsreplay: Only add Client Subnet stamp when asked
- - [#4250](https://github.com/PowerDNS/pdns/pull/4250) Use toLogString() for ringAccount (Kees Monshouwer)
-
-## Additions
-
- - [#4133](https://github.com/PowerDNS/pdns/pull/4133) Add limits to the size of received {A,I}XFR (CVE-2016-6172)
- - [#4142](https://github.com/PowerDNS/pdns/pull/4142) Add used filedescriptor statistic (Kees Monshouwer)
-
-# PowerDNS Recursor 4.0.0
-Released July 11th 2016
-
-PowerDNS Recursor 4.0.0 is part of [the great 4.x "Spring Cleaning"](http://blog.powerdns.com/2015/11/28/powerdns-spring-cleaning/) of PowerDNS which lasted through the end of 2015.
-
-As part of the general cleanup, we did the following:
-
-- Moved to C++ 2011, a cleaner more powerful version of C++ that has allowed us to [improve the quality of implementation](http://bert-hubert.blogspot.nl/2015/01/on-c2011-quality-of-implementation.html) in many places.
-- Implemented dedicated infrastructure for dealing with DNS names that is fully "DNS Native" and needs less escaping and unescaping
-- Switched to binary storage of DNS records in all places
-- Moved ACLs to a dedicated Netmask Tree
-- Implemented a version of [RCU](https://en.wikipedia.org/wiki/Read-copy-update) for configuration changes
-- Instrumented our use of the memory allocator, reduced number of malloc calls substantially.
-- The Lua hook infrastructure was redone using LuaWrapper; old scripts will no longer work, but new scripts are easier to write under the new interface.
-
-In addition to this cleanup, which has many internal benefits and solves longstanding issues with escaped domain names, 4.0.0 brings the following major new features:
-
-- RPZ aka Response Policy Zone support
-- IXFR slaving in the PowerDNS Recursor for RPZ
-- DNSSEC processing in Recursor (Authoritative has had this for years)
-- DNSSEC validation (without NSEC(3) proof validation)
-- EDNS Client Subnet support in PowerDNS Recursor (Authoritative has had this for years)
-- Lua asynchronous queries for per-IP/per-domain status
-- Caches that can now be wiped per whole zone instead of per name
-- Statistics on authoritative server response times (split for IPv4 and IPv6)
-- APIs are no longer marked as 'experimental' and had one final URL change
-- New metric: tcp-answer-bytes to measure DNS TCP/IP bandwidth, and many other new metrics
-
-Please be aware that beyond the items listed here, there have been heaps of tiny changes. As always, please carefully test a new release before deploying it.
-
-This release features the following fixes compared to rc1:
-
- - [#3989](https://github.com/PowerDNS/pdns/pull/3989) Fix usage of std::distance() in DNSName::isPartOf() (signed/unsigned comparisons)
- - [#4017](https://github.com/PowerDNS/pdns/pull/4017) Fix building without Lua. Add `isTcp` to `dq`.
- - [#4023](https://github.com/PowerDNS/pdns/pull/4023) Actually log on dnssec=log-fail
- - [#4028](https://github.com/PowerDNS/pdns/pull/4028) DNSSEC fixes (NSEC casing, send DO-bit over TCP, DNSSEC trace additions)
- - [#4052](https://github.com/PowerDNS/pdns/pull/4052) Don't fail configure on missing fcontext.hpp
- - [#4096](https://github.com/PowerDNS/pdns/pull/4096) Don't call `commit()` if we skipped all the records
-
-It has the following improvements:
-
- - [#3400](https://github.com/PowerDNS/pdns/pull/3400) Enable building on OpenIndiana
- - [#4016](https://github.com/PowerDNS/pdns/pull/4016) Log protobuf messages for cache hits. Add policy tags in gettag()
- - [#4040](https://github.com/PowerDNS/pdns/pull/4040) Allow DNSSEC validation when chrooted
- - [#4094](https://github.com/PowerDNS/pdns/pull/4094) Sort included html files for improved reproducibility (Christian Hofstaedtler)
-
-And these additions:
-
- - [#3981](https://github.com/PowerDNS/pdns/pull/3981) Import JavaScript sources for libs shipped with Recursor (Christian Hofstaedtler)
- - [#4012](https://github.com/PowerDNS/pdns/pull/4012) add tags support to ProtobufLogger.py
- - [#4032](https://github.com/PowerDNS/pdns/pull/4032) Set the existing policy tags in `dq` for `{pre,post}resolve`
- - [#4077](https://github.com/PowerDNS/pdns/pull/4077) Add DNSSEC validation statistics
- - [#4090](https://github.com/PowerDNS/pdns/pull/4090) Allow reloading the lua-config-file at runtime
- - [#4097](https://github.com/PowerDNS/pdns/pull/4097) Allow logging DNSSEC bogus in any mode
- - [#4125](https://github.com/PowerDNS/pdns/pull/4125) Add protobuf fields for the query's time in the response
-
-## PowerDNS Recursor 4.0.0-rc1
-Released June 9th 2016
-
-This first (and hopefully last) Release Candidate contains the finishing touches
-to the experimental DNSSEC support by adding (Negative) Trust Anchor support and
-fixing a possible issue with DNSSEC and forwarded domains:
-
-- [#3910](https://github.com/PowerDNS/pdns/pull/3910) Add (Negative) Trust Anchor management
-- [#3926](https://github.com/PowerDNS/pdns/pull/3926) Set +CD on forwarded recursive queries
-
-Other changes:
-
-- [#3941](https://github.com/PowerDNS/pdns/pull/3941) Ensure delegations from local auth zones are followed
-- [#3924](https://github.com/PowerDNS/pdns/pull/3924) Add a virtual hosting unit-file
-- [#3929](https://github.com/PowerDNS/pdns/pull/3929) Set the FDs in the unit file to a sane value
-
-Bug fixes:
-
-- [#3961](https://github.com/PowerDNS/pdns/pull/3961) Fix building on EL6 i386
-- [#3957](https://github.com/PowerDNS/pdns/pull/3957) Add error reporting when parsing forward-zones(-recurse) (Aki Tuomi)
-
-## PowerDNS Recursor 4.0.0-beta1
-Released May 27th 2016
-
-This release fixes a bug in the DNSSEC implementation where a name would we validated as bogus when talking to non-compliant authoritative servers:
-
-- [#3875](https://github.com/PowerDNS/pdns/pull/3875) Disable DNSSEC for domain where the auth responds with FORMERR or NOTIMP
-
-## Improvements
-
-- [#3866](https://github.com/PowerDNS/pdns/pull/3866) Increase max FDs in systemd unit file
-- [#3905](https://github.com/PowerDNS/pdns/pull/3905) Add a dnssec=process-no-validate option and make it default
-
-## Bug fixes
-
-- [#3881](https://github.com/PowerDNS/pdns/pull/3881) Fix the `noEdnsOutQueries` counter
-- [#3892](https://github.com/PowerDNS/pdns/pull/3892) support `clock_gettime` for platforms that require -lrt
-
-## PowerDNS Recursor 4.0.0-alpha3
-Released May 10th 2016
-
-This release features several leaps in the correctness and stability of the DNSSEC implementation.
-
-Notable changes are:
-
-- [#3752](https://github.com/PowerDNS/pdns/pull/3752) Correct handling of query flags in conformance with [RFC 6840](https://tools.ietf.org/html/rfc6840)
-
-## Bug fixes
-
-- [#3804](https://github.com/PowerDNS/pdns/pull/3804) Fix a memory leak in DNSSEC validation
-- [#3785](https://github.com/PowerDNS/pdns/pull/3785) and [#3390](https://github.com/PowerDNS/pdns/pull/3390) Correctly validate insecure delegations
-- [#3606](https://github.com/PowerDNS/pdns/pull/3606) Various DNSSEC fixes, disabling DNSSEC on forward-zones
-- [#3681](https://github.com/PowerDNS/pdns/pull/3681) Catch exception with a malformed DNSName in `rec_control wipe-cache`
-- [#3779](https://github.com/PowerDNS/pdns/pull/3779), [#3768](https://github.com/PowerDNS/pdns/pull/3768), [#3766](https://github.com/PowerDNS/pdns/pull/3766), [#3783](https://github.com/PowerDNS/pdns/pull/3783) and [#3789](https://github.com/PowerDNS/pdns/pull/3789) DNSName and other hardening improvements
-
-## Improvements
-
-- [#3801](https://github.com/PowerDNS/pdns/pull/3801) Add missing Lua rcodes bindings
-- [#3587](https://github.com/PowerDNS/pdns/pull/3587) Update L-Root addresses
-
-## PowerDNS Recursor 4.0.0-alpha2
-Released March 9th 2016
-
-Note that the DNSSEC implementation has several bugs in this release, it is advised to set `dnssec=off` in your recursor.conf.
-
-This release features many low-level performance fixes. Other notable changes since 4.0.0-alpha1 are:
-
-- [#3259](https://github.com/PowerDNS/pdns/pull/3259), [#3280](https://github.com/PowerDNS/pdns/pull/3280) The PowerDNS Recursor now properly uses GNU autoconf and autotools for building and installing
-- OpenSSL crypto primitives are now used for DNSSEC validation
-- [#3313](https://github.com/PowerDNS/pdns/pull/3313) Implement the logic we need to generate EDNS MAC fields in dnsdist & read them in recursor ([blogpost](http://blog.powerdns.com/2016/01/27/per-device-dns-settings-selective-parental-control/)
-- [#3350](https://github.com/PowerDNS/pdns/pull/3350) Add lowercase-outgoing feature to Recursor
-- [#3410](https://github.com/PowerDNS/pdns/pull/3410) Recuweb is now built-in to the daemon
-- [#3230](https://github.com/PowerDNS/pdns/pull/3230) API: drop JSONP, add web security headers (Christian Hofstaedtler)
-- [#3485](https://github.com/PowerDNS/pdns/pull/3485) Allow multiple carbon-servers
-- [#3427](https://github.com/PowerDNS/pdns/pull/3427), [#3479](https://github.com/PowerDNS/pdns/pull/3479), [#3472](https://github.com/PowerDNS/pdns/pull/3472) MTasker modernization (Andrew Nelless)
-
-### Bug fixes
-
-- [#3444](https://github.com/PowerDNS/pdns/pull/3444), [#3442](https://github.com/PowerDNS/pdns/pull/3442) RPZ IXFR fixes
-- [#3448](https://github.com/PowerDNS/pdns/pull/3448) Remove edns-subnet-whitelist whitelist pointing to powerdns.com (Christian Hofstaedtler)
-- [#3293](https://github.com/PowerDNS/pdns/pull/3293) make asynchronous UDP Lua queries work again in 4.x
-- [#3365](https://github.com/PowerDNS/pdns/pull/3365) Apply rcode set in UDPQueryResponse callback (Jan Broers)
-- [#3244](https://github.com/PowerDNS/pdns/pull/3244) Fix the forward zones in the recursor
-- [#3135](https://github.com/PowerDNS/pdns/pull/3135) Use 56 bits instead of 64 in EDNS Client Subnet option (Winfried Angele)
-- [#3527](https://github.com/PowerDNS/pdns/pull/3527) Make the recursor counters atomic
-
-### Improvements
-
-- [#3435](https://github.com/PowerDNS/pdns/pull/3435) Add `toStringNoDot` and `chopOff` functions to Lua
-- [#3437](https://github.com/PowerDNS/pdns/pull/3437) Add `pdns.now` timeval struct to recursor Lua
-- [#3352](https://github.com/PowerDNS/pdns/pull/3352) Cache improvements
-- [#3502](https://github.com/PowerDNS/pdns/pull/3502) Make second argument to pdnslog optional (Thiago Farina)
-- [#3520](https://github.com/PowerDNS/pdns/pull/3520) Reduce log level of periodic statistics to notice (Jan Broers)
-
-## PowerDNS Recursor 4.0.0-alpha1
-Released December 24th 2015
-
-# PowerDNS Authoritative Server 4.0.0
-Released July 11th 2016
-
-PowerDNS Authoritative Server 4.0.0 is part of [the great 4.x "Spring Cleaning"](http://blog.powerdns.com/2015/11/28/powerdns-spring-cleaning/)
-of PowerDNS which lasted through the end of 2015.
-
-As part of the general cleanup and improvements, we did the following:
-
-- Moved to C++ 2011, a cleaner more powerful version of C++ that has allowed us to [improve the quality of implementation](http://bert-hubert.blogspot.nl/2015/01/on-c2011-quality-of-implementation.html) in many places.
-- Implemented dedicated infrastructure for dealing with DNS names that is fully "DNS Native" and needs less escaping and unescaping.
-- All backends derived from the Generic SQL backend use [prepared statements](authoritative/backend-generic-sql.md).
-- Both the server and `pdns_control` do the right thing when `chroot`'ed.
-
-In addition to this cleanup, 4.0.0 brings the following new features:
-
-- A revived ODBC backend ([godbc](authoritative/backend-generic-odbc.md)).
-- A revived LDAP backend ([ldap](authoritative/backend-ldap.md)).
-- Support for [CDS/CDNSKEY](authoritative/howtos.md#cds-cdnskey-key-rollover) and [RFC 7344](https://tools.ietf.org/html/rfc7344) key-rollovers.
-- Support for the [ALIAS](authoritative/howtos.md#using-alias-records) record.
-- The webserver and API are no longer marked experimental.
- - The API-path has moved to `/api/v1`
-- DNSUpdate is no longer experimental.
-- Default ECDSA (algorithms 13 and 14) support without external dependencies.
-- Experimental support for ed25519 DNSSEC signatures (when compiled with libsodium support).
-- IXFR consumption support.
-- Many new `pdnsutil` commands
- - `help` command now produces the help
- - Warns if the configuration file cannot be read
- - Does not check disabled records with `check-zone` unless verbose mode is enabled
- - `create-zone` command creates a new zone
- - `add-record` command to add records
- - `delete-rrset` and `replace-rrset` commands to delete and add rrsets
- - `edit-zone` command that spawns `$EDITOR` with the zone contents in zonefile format regardless of the backend used ([blogpost](http://blog.powerdns.com/2016/02/02/powerdns-authoritative-the-new-old-way-to-manage-domains/)
-
-The following backend have been dropped in 4.0.0:
-
-- LMDB.
-- Geo (use the improved [GeoIP](authoritative/backend-geoip.md) instead).
-
-Important changes:
-
-- `pdnssec` has been renamed to `pdnsutil`
-- PowerDNS Authoritative Server now listens by default on all IPv6 addresses.
-- The default for `pdnsutil secure-zone` has been changed from 1 2048 bit RSA KSK and 1 1024 bit RSA ZSK to a single 256 bit ECDSA (algorithm 13, ECDSAP256SHA256) key.
-- Several superfluous queries have been dropped from the SQL backend, if you use a non-standard SQL schema, please review the new defaults
- - `insert-ent-query`, `insert-empty-non-terminal-query`, `insert-ent-order-query` have been replaced by one query named `insert-empty-non-terminal-order-query`
- - `insert-record-order-query` has been dropped, `insert-record-query` now sets the ordername (or NULL)
- - `insert-slave-query` has been dropped, `insert-zone-query` now sets the type of zone
-- Crypto++ and mbedTLS support is dropped, these are replaced by OpenSSL
-- The INCEPTION, INCEPTION-WEEK and EPOCH SOA-EDIT metadata values are marked as deprecated and will be removed in 4.1
-
-The final release has the following bug fixes compared to rc2:
-
- - [#4071](https://github.com/PowerDNS/pdns/pull/4071) Abort on backend failures at startup and retry while running (Kees Monshouwer)
- - [#4099](https://github.com/PowerDNS/pdns/pull/4099) Don't leak TCP connection descriptor if `pthread_create()` failed
- - [#4137](https://github.com/PowerDNS/pdns/pull/4137) gsqlite3: Check whether foreign keys should be turned on (Aki Tuomi)
-
-And the following improvements:
-
- - [#3051](https://github.com/PowerDNS/pdns/pull/3051) Better error message for unfound new slave domains
- - [#4123](https://github.com/PowerDNS/pdns/pull/4123) check-zone: warn on mismatch between algo and NSEC mode
-
-## PowerDNS Authoritative Server 4.0.0-rc2
-Released June 29th 2016
-
-**note**: rc1 was tagged in git but never officially released.
-Kees Monshouwer discovered an issue in the gmysql backend that would terminate the daemon on a connection error, this fixed in rc2.
-
-This Release Candidate adds IXFR consumption and fixes some issues with prepared statements:
-
- - [#3937](https://github.com/PowerDNS/pdns/pull/3937) GSQL: use lazy prepared statements (Aki Tuomi)
- - [#3949](https://github.com/PowerDNS/pdns/pull/3949) Implement IXFR-based slaving for Authoritative, fix duplicate AXFRs
- - [#4066](https://github.com/PowerDNS/pdns/pull/4066) Don't die on a mysql timeout (Kees Monshouwer)
-
-Other improvements:
-
- - [#4061](https://github.com/PowerDNS/pdns/pull/4061) Various fixes, a MySQL-query fix that improves performance and one that allows shorter best matches in getAuth()
- - [#3962](https://github.com/PowerDNS/pdns/pull/3962) Fix OpenBSD support
- - [#3972](https://github.com/PowerDNS/pdns/pull/3972) API: change PATCH/PUT on zones to return 204 No Content instead of full zone (Christian Hofstaedtler)
- - [#3917](https://github.com/PowerDNS/pdns/pull/3917) Remotebackend: Add getAllDomains call (Aki Tuomi)
-
-Bug fixes and changes:
-
- - [#3998](https://github.com/PowerDNS/pdns/pull/3998) remove gsql::isOurDomain for now (Kees Monshouwer)
- - [#3989](https://github.com/PowerDNS/pdns/pull/3989) Fix usage of std::distance() in DNSName::isPartOf()
- - [#4001](https://github.com/PowerDNS/pdns/pull/4001) re enable validDNSName() check (Kees Monshouwer)
- - [#3930](https://github.com/PowerDNS/pdns/pull/3930) Have pdns_control bind-add-zone check for zonefile
- - [#3400](https://github.com/PowerDNS/pdns/pull/3400) Fix building on OpenIndiana
- - [#3961](https://github.com/PowerDNS/pdns/pull/3961) Allow building on CentOS 6 i386
- - [#3940](https://github.com/PowerDNS/pdns/pull/3940) auth: Don't build dnsbulktest and dnstcpbench if boost is too old, fixes building on CentOS 6
- - [#3931](https://github.com/PowerDNS/pdns/pull/3931) Rename `notify` to `pdns_notify` (Christian Hofstaedtler)
-
-## PowerDNS Authoritative Server 4.0.0-beta1
-Released May 27th 2016
-
-This release features several small fixes and deprecations.
-
-## Improvements and Additions
-
-- [#3851](https://github.com/PowerDNS/pdns/pull/3851) Disable algorithm 13 and 14 if OpenSSL does not support ecdsa or the required curves (Kees Monshouwer)
-- [#3857](https://github.com/PowerDNS/pdns/pull/3857) Add simple stubquery tool for testing the stubresolver
-- [#3859](https://github.com/PowerDNS/pdns/pull/3859) build scripts: Stop patching config-dir in pdns.conf (Christian Hofstaedtler)
-- [#3872](https://github.com/PowerDNS/pdns/pull/3872) Add support for multiple carbon servers
-- [#3901](https://github.com/PowerDNS/pdns/pull/3901) Add support for virtual hosting with systemd
-
-## Bug fixes
-
-- [#3856](https://github.com/PowerDNS/pdns/pull/3856) Deal with unset name in nproxy replies
-
-## PowerDNS Authoritative Server 4.0.0-alpha3
-Released May 11th 2016
-
-Notable changes since 4.0.0-alpha2
-
-- [#3415](https://github.com/PowerDNS/pdns/pull/3415) pdnsutil: add clear-zone command
-- [#3586](https://github.com/PowerDNS/pdns/pull/3586) Remove send-root-referral option
-- [#3578](https://github.com/PowerDNS/pdns/pull/3578) Add disable-syslog option
-- [#3733](https://github.com/PowerDNS/pdns/pull/3733) ALIAS improvements: DNSSEC and optional on-AXFR expansion of records
-- [#3764](https://github.com/PowerDNS/pdns/pull/3764) Notify support for systemd
-- [#3807](https://github.com/PowerDNS/pdns/pull/3807) Add TTL settings for DNSSECKeeper's caches
-
-### Bug fixes
-
-- [#3553](https://github.com/PowerDNS/pdns/pull/3553) pdnsutil: properly show key sizes for presigned zones in show-zone
-- [#3507](https://github.com/PowerDNS/pdns/pull/3507) webserver: mask out the api-key setting (Christian Hofstaedtler)
-- [#3580](https://github.com/PowerDNS/pdns/pull/3580) bindbackend: set domain in list() (Kees Monshouwer)
-- [#3595](https://github.com/PowerDNS/pdns/pull/3595) pdnsutil: add NS record without trailing dot with create-zone
-- [#3653](https://github.com/PowerDNS/pdns/pull/3653) Allow tabs as whitespace in zonefiles
-- [#3666](https://github.com/PowerDNS/pdns/pull/3666) Restore recycle backend behaviour (Kees Monshouwer)
-- [#3612](https://github.com/PowerDNS/pdns/pull/3612) Prevent segfault in PostgreSQL backend
-- [#3779](https://github.com/PowerDNS/pdns/pull/3779), [#3768](https://github.com/PowerDNS/pdns/pull/3768), [#3766](https://github.com/PowerDNS/pdns/pull/3766), [#3783](https://github.com/PowerDNS/pdns/pull/3783) and [#3789](https://github.com/PowerDNS/pdns/pull/3789) DNSName and other hardening improvements
-- [#3784](https://github.com/PowerDNS/pdns/pull/3784) fix SOA caching with multiple backends (Kees Monshouwer)
-- [#3827](https://github.com/PowerDNS/pdns/pull/3827) Force NSEC3PARAM algorithm to 1, fixes validation issues when set to not 1
-
-### Improvements
-
-- [#3637](https://github.com/PowerDNS/pdns/pull/3637), [#3678](https://github.com/PowerDNS/pdns/pull/3678), [#3740](https://github.com/PowerDNS/pdns/pull/3740) Correct root-zone slaving and serving (Kees Monshouwer and others)
-- [#3495](https://github.com/PowerDNS/pdns/pull/3495) API: Add discovery endpoint (Christian Hofstaedtler)
-- [#3389](https://github.com/PowerDNS/pdns/pull/3389) pdnsutil: support chroot
-- [#3596](https://github.com/PowerDNS/pdns/pull/3596) Remove botan-based ecdsa and rsa signers (Kees Monshouwer)
-- [#3478](https://github.com/PowerDNS/pdns/pull/3478), [#3603](https://github.com/PowerDNS/pdns/pull/3603), [#3628](https://github.com/PowerDNS/pdns/pull/3628) Various build system improvements (Ruben Kerkhof)
-- [#3621](https://github.com/PowerDNS/pdns/pull/3621) Always lowercase when inserting into the database
-- [#3651](https://github.com/PowerDNS/pdns/pull/3651) Rename PUBLISH\_\* to PUBLISH-\* domainmetadata
-- [#3656](https://github.com/PowerDNS/pdns/pull/3656) API: clean up cryptokeys resource (Christian Hofstaedtler)
-- [#3632](https://github.com/PowerDNS/pdns/pull/3632) pdnsutil: Fix exit statuses to constants and return 0 when success (saltsa)
-- [#3655](https://github.com/PowerDNS/pdns/pull/3655) API: Fix set-ptr to honor SOA-EDIT-API (Christian Hofstaedtler)
-- [#3720](https://github.com/PowerDNS/pdns/pull/3720) Many fixes for dnswasher (Robert Edmonds)
-- [#3707](https://github.com/PowerDNS/pdns/pull/3707), [#3788](https://github.com/PowerDNS/pdns/pull/3788) Make MySQL timeout configurable (Kees Monshouwer and Brynjar Eide)
-- [#3806](https://github.com/PowerDNS/pdns/pull/3806) Move key validity check out of `fromISCMap()`, improves DNSSEC performance
-- [#3820](https://github.com/PowerDNS/pdns/pull/3820) pdnsutil load-zone: ignore double SOA
-
-## PowerDNS Authoritative Server 4.0.0-alpha2
-Released February 25th 2016
-
-Notable changes since 4.0.0-alpha1
-
-- [#3037](https://github.com/PowerDNS/pdns/pull/3037) Remove superfluous gsql queries and stop relying on schema defaults
-- [#3176](https://github.com/PowerDNS/pdns/pull/3176), [#3139](https://github.com/PowerDNS/pdns/pull/3139) OpenSSL support (Christian Hofstaedtler and Kees Monshouwer)
-- [#3128](https://github.com/PowerDNS/pdns/pull/3128) ECDSA support to DNSSEC infra via OpenSSL (Kees Monshouwer)
-- [#3281](https://github.com/PowerDNS/pdns/pull/3281), [#3283](https://github.com/PowerDNS/pdns/pull/3283), [#3363](https://github.com/PowerDNS/pdns/pull/3363) Remove Crypto++ and mbedTLS support
-- [#3298](https://github.com/PowerDNS/pdns/pull/3298) Implement pdnsutil create-zone zone nsname, add-record, delete-rrset, replace-rrset
-- [#3407](https://github.com/PowerDNS/pdns/pull/3407) API: Permit wildcard manipulation (Aki Tuomi)
-- [#3230](https://github.com/PowerDNS/pdns/pull/3230) API: drop JSONP, add web security headers (Christian Hofstaedtler)
-- [#3428](https://github.com/PowerDNS/pdns/pull/3428) API: Fix zone/records design mistake (Christian Hofstaedtler)
- - **Note**: this is a breaking change from alpha1, please review the [API documentation](httpapi/api_spec.md)
-
-### Bug fixes
-
-- [#3124](https://github.com/PowerDNS/pdns/pull/3124) Fix several bugs with introduced with the change to a single signing key (e.g. the SEP bit is set on these single keys)
-- [#3151](https://github.com/PowerDNS/pdns/pull/3151) Catch DNSName build errors in dynhandler (Christian Hofstaedtler)
-- [#3264](https://github.com/PowerDNS/pdns/pull/3264) GeoIP backend: Use correct id numbers for domains (Aki Tuomi)
-- [#3271](https://github.com/PowerDNS/pdns/pull/3271) ZoneParser: Throw PDNSException on too many SOA data elements
-- [#3302](https://github.com/PowerDNS/pdns/pull/3302) Fix bindbackend's feedRecord to handle being slave for the root
-- [#3399](https://github.com/PowerDNS/pdns/pull/3399) Report OpenSSL RSA keysize in bits (Kees Monshouwer)
-
-### Improvements
-
-- [#3119](https://github.com/PowerDNS/pdns/pull/3119) Show DNSSEC keys for slaved zone (Aki Tuomi)
-- [#3255](https://github.com/PowerDNS/pdns/pull/3255) Don't log authentication errors before sending HTTP basic auth challenge (Jan Broer)
-- [#3338](https://github.com/PowerDNS/pdns/pull/3338) Add weight feature to GeoIP backend (Aki Tuomi)
-- [#3364](https://github.com/PowerDNS/pdns/pull/3364) Shrink PacketID by 10% by eliminating padding. (Andrew Nelless)
-- [#3443](https://github.com/PowerDNS/pdns/pull/3443) Many speedup and correctness fixes
-
-## PowerDNS Authoritative Server 4.0.0-alpha1
-Released December 24th 2015
-
-
-# PowerDNS Authoritative Server 3.4.9
-Released 17th of May 2016
-
-This is a minor bugfix and performance release. Two contributions by Kees Monshouwer make 3.4.9 fully compatible with the new single key ECDSA default that is coming in version 4.0.0.
-
-Changes since 3.4.8:
-
-- [commit 4627ea0](https://github.com/PowerDNS/pdns/commit/4627ea0), [commit 8350828](https://github.com/PowerDNS/pdns/commit/8350828): use OpenSSL for ECDSA signing where available (Kees Monshouwer)
-- [commit 558ff84](https://github.com/PowerDNS/pdns/commit/558ff84): allow common signing key (Kees Monshouwer)
-- [commit 280d665](https://github.com/PowerDNS/pdns/commit/280d665): Add a disable-syslog setting
-- [commit 58d6ab6](https://github.com/PowerDNS/pdns/commit/58d6ab6): fix SOA caching with multiple backends (Kees Monshouwer)
-- [commit e9e413f](https://github.com/PowerDNS/pdns/commit/e9e413f), [commit 6af4652](https://github.com/PowerDNS/pdns/commit/6af4652): whitespace-related zone parsing fixes [ticket #3568](https://github.com/PowerDNS/pdns/issues/3568)
-- [commit 7473a5e](https://github.com/PowerDNS/pdns/commit/7473a5e): bindbackend: fix, set domain in list() (Kees Monshouwer)
-
-# PowerDNS Authoritative Server 3.4.8
-Released 3rd of February 2016
-
-This is a small bugfix release. Additionally, the deb/RPM packages on downloads.powerdns.com (those with -static in the name) for 3.4.8 have been built against Botan 1.10.11 instead of Botan 1.10.3 like previous packages. Please see [the Botan Security page](http://botan.randombit.net/security.html) for more information on the fixes in Botan 1.10.11. As a PowerDNS user, these issues only affect you if you ran our -static packages *and* allowed your users to upload private keys to your configuration.
-
-Changes since 3.4.7:
-
-- [commit edfa60a](https://github.com/PowerDNS/pdns/commit/edfa60a): Use AC_SEARCH_LIBS (Ruben Kerkhof)
-- [commit 7b7a3af](https://github.com/PowerDNS/pdns/commit/7b7a3af): Check for inet_aton in libresolv (Ruben Kerkhof)
-- [commit 9322aee](https://github.com/PowerDNS/pdns/commit/9322aee): Remove hardcoded -lresolv, -lnsl and -lsocket (Ruben Kerkhof)
-- [commit 23d26d8](https://github.com/PowerDNS/pdns/commit/23d26d8): pdnssec: don't check disabled records (Pieter Lexis)
-- [commit ce92ff1](https://github.com/PowerDNS/pdns/commit/ce92ff1): pdnssec: check all records (including disabled ones) only in verbose mode (Kees Monshouwer)
-- [commit f745312](https://github.com/PowerDNS/pdns/commit/f745312): trailing dot in DNAME content (Kees Monshouwer)
-- [commit ed02761](https://github.com/PowerDNS/pdns/commit/ed02761): Fix luabackend compilation on FreeBSD i386 (RvdE)
-- [commit 07ea6ac](https://github.com/PowerDNS/pdns/commit/07ea6ac): silence g++ 6.0 warnings and error (Kees Monshouwer)
-- [commit c6077b1](https://github.com/PowerDNS/pdns/commit/c6077b1): add gcc 5.3 and 6.0 support to boost.m4 (Kees Monshouwer)
-
-# PowerDNS Authoritative Server 3.4.7
-Released 3rd of November 2015
-
-This is a security release fixing [Security Advisory
-2015-03](security/powerdns-advisory-2015-03.md)
-
-Bug fixes:
-
-- [commit b0c04ba](https://github.com/PowerDNS/pdns/commit/b0c04ba): Ignore invalid/empty TKEY and TSIG records (Christian Hofstaedtler)
-- [commit 8044a5d](https://github.com/PowerDNS/pdns/commit/8044a5d): Don't reply to truncated queries (Christian Hofstaedtler)
-- [commit 6a65ae9](https://github.com/PowerDNS/pdns/commit/6a65ae9): don't log out-of-zone ents during AXFR in (Kees Monshouwer)
-- [commit 416d252](https://github.com/PowerDNS/pdns/commit/416d252): Prevent XSS by escaping user input. Thanks to Pierre Jaury and Damien Cauquil at Sysdream for pointing this out.
-- [commit df76bda](https://github.com/PowerDNS/pdns/commit/df76bda): Handle NULL and boolean properly in gPGSql (Aki Tuomi)
-- commits [b998fc0](https://github.com/PowerDNS/pdns/commit/b998fc0),
- [88516fd](https://github.com/PowerDNS/pdns/commit/88516fd),
- [ef80925](https://github.com/PowerDNS/pdns/commit/ef80925),
- [4549a72](https://github.com/PowerDNS/pdns/commit/4549a72): Improve negative caching (Kees Monshouwer)
-- [commit be27a9c](https://github.com/PowerDNS/pdns/commit/be27a9c): Do not divide timeout twice (Aki Tuomi)
-- commits [ca1d29c](https://github.com/PowerDNS/pdns/commit/ca1d29c),
- [df2d20a](https://github.com/PowerDNS/pdns/commit/df2d20a),
- [2358eea](https://github.com/PowerDNS/pdns/commit/2358eea): Correctly sort records with a priority.
-
-
-Improvements:
-
-- commits [791bc37](https://github.com/PowerDNS/pdns/commit/791bc37),
- [e3301ca](https://github.com/PowerDNS/pdns/commit/e3301ca),
- [9862779](https://github.com/PowerDNS/pdns/commit/9862779),
- [b59a7e3](https://github.com/PowerDNS/pdns/commit/b59a7e3),
- [4ca7a06](https://github.com/PowerDNS/pdns/commit/4ca7a06),
- [7736530](https://github.com/PowerDNS/pdns/commit/7736530),
- [69ea1a6](https://github.com/PowerDNS/pdns/commit/69ea1a6): Direct query answers and correct zone-rectification in the GeoIP backend (Aki Tuomi)
-- commits [83e0e53](https://github.com/PowerDNS/pdns/commit/83e0e53),
- [0ff3037](https://github.com/PowerDNS/pdns/commit/0ff3037),
- [9910908](https://github.com/PowerDNS/pdns/commit/9910908) Use token names to identify PKCS#11 keys (Aki Tuomi)
-- [commit a3801b2](https://github.com/PowerDNS/pdns/commit/a3801b2): Fix typo in an error message (Arjen Zonneveld)
-- [commit d33ba8e](https://github.com/PowerDNS/pdns/commit/d33ba8e): limit NSEC3 iterations in bindbackend (Kees Monshouwer)
-- [commit 0acca87](https://github.com/PowerDNS/pdns/commit/0acca87): Initialize minbody (Aki Tuomi)
-
-
-New features:
-
-- commits [4d51e96](https://github.com/PowerDNS/pdns/commit/4d51e96),
- [6873a07](https://github.com/PowerDNS/pdns/commit/6873a07),
- [b972356](https://github.com/PowerDNS/pdns/commit/b972356),
- [46294b5](https://github.com/PowerDNS/pdns/commit/46294b5),
- [6277b14](https://github.com/PowerDNS/pdns/commit/6277b14): OPENPGPKEY record-type (James Cloos and Kees Monshouwer)
-- [commit ec0ded7](https://github.com/PowerDNS/pdns/commit/ec0ded7): add global soa-edit settings (Kees Monshouwer)
-
-# PowerDNS Authoritative Server 3.4.6
-Released 28th of August 2015
-
-This is a security release fixing [Security Advisory
-2015-02](security/powerdns-advisory-2015-02.md)
-
-Bug fixes:
-
-- commits [c849701](https://github.com/PowerDNS/pdns/commit/c849701) and
-[8c91e2c](https://github.com/PowerDNS/pdns/commit/8c91e2c): Avoid
-superfluous backend recycling
-- commits [463fcff](https://github.com/PowerDNS/pdns/commit/463fcff),
-[0fc08e8](https://github.com/PowerDNS/pdns/commit/0fc08e8),
-[0fbe69c](https://github.com/PowerDNS/pdns/commit/0fbe69c),
-[1a6af1c](https://github.com/PowerDNS/pdns/commit/1a6af1c) and
-[07f69d3](https://github.com/PowerDNS/pdns/commit/07f69d3): Removal of
-dnsdist from the authoritative server distribution (Kees Monshouwer among others).
-- commits [5cfea4c](https://github.com/PowerDNS/pdns/commit/5cfea4c) and
-[ef011d9](https://github.com/PowerDNS/pdns/commit/ef011d9): Add EDNS
-unknown version handling and tests EDNS unknown version handling (Aki Tuomi)
-
-Improvements:
-
-- commits [88dd8a7](https://github.com/PowerDNS/pdns/commit/88dd8a7) and
-[dc6c63d](https://github.com/PowerDNS/pdns/commit/dc6c63d): Update
-YaHTTP to v0.1.7 (Aki Tuomi)
-- [commit 0a344bc](https://github.com/PowerDNS/pdns/commit/0a344bc): Make
-trailing/leading spaces stand out in `pdnssec check_zone`
-- commits [2e982ad](https://github.com/PowerDNS/pdns/commit/2e982ad) and
-[09bec1f](https://github.com/PowerDNS/pdns/commit/09bec1f): GCC 5.2 support
-and sync boost.m4 macro with upstream (Kees Monshouwer among others)
-- [commit 1ad4e44](https://github.com/PowerDNS/pdns/commit/1ad4e44): Log
-answer packets only if log-dns-details is enabled (Kees Monshouwer)
-
-# PowerDNS Recursor 3.6.4
-Released 9th of June 2015
-
-This is a security release fixing [Security Advisory
-2015-01](security/powerdns-advisory-2015-01.md)
-
-Bug fixes:
-
-- [commit bccd068](https://github.com/PowerDNS/pdns/commit/bccd068): Limit the
-maximum length of a qname
-
-# PowerDNS Recursor 3.7.3
-Released 9th of June 2015
-
-Bug fixes:
-
-- [commit 92f7b2b](https://github.com/PowerDNS/pdns/commit/92f7b2b): Limit the
-maximum length of a qname
-
-This is a security release fixing [Security Advisory
-2015-01](security/powerdns-advisory-2015-01.md)
-
-Improvements:
-
-- [commit 46366a5](https://github.com/PowerDNS/pdns/commit/46366a5),
-[commit f318a7d](https://github.com/PowerDNS/pdns/commit/f318a7d): pdnssec:
-check for glue and delegations in parent zones (Kees Monshouwer)
-
-# PowerDNS Authoritative Server 3.3.3
-Released 9th of June 2015
-
-This is a security release fixing [Security Advisory
-2015-01](security/powerdns-advisory-2015-01.md)
-
-Bug fixes:
-
-- [commit a0a1482](https://github.com/PowerDNS/pdns/commit/a0a1482): Limit the
-maximum length of a qname
-
-# PowerDNS Authoritative Server 3.4.5
-Released 9th of June 2015
-
-This is a security release fixing [Security Advisory
-2015-01](security/powerdns-advisory-2015-01.md)
-
-Bug fixes:
-
-- [commit ffaae2b](https://github.com/PowerDNS/pdns/commit/ffaae2b): be
-careful reading empty lines in our config parser and prevent integer overflow.
-- [commit 8e30209](https://github.com/PowerDNS/pdns/commit/8e30209): prevent
-crash after --list-modules (Ruben Kerkhof)
-- [commit 6cf71cf](https://github.com/PowerDNS/pdns/commit/6cf71cf): Limit the
-maximum length of a qname
-
-Improvements:
-
-- [commit 28ba3fc](https://github.com/PowerDNS/pdns/commit/28ba3fc),
-[commit 61b316f](https://github.com/PowerDNS/pdns/commit/61b316f): Support
-/etc/default for our debian/ubuntu packages (Aki Tuomi)
-- [commit d80e2b6](https://github.com/PowerDNS/pdns/commit/d80e2b6): Detect
-GCC 5.1 for boost (Ruben Kerkhof)
-- [commit 68b4834](https://github.com/PowerDNS/pdns/commit/68b4834),
-[commit 3b14545](https://github.com/PowerDNS/pdns/commit/3b14545),
-[commit 2356d5c](https://github.com/PowerDNS/pdns/commit/2356d5c),
-[commit 432808b](https://github.com/PowerDNS/pdns/commit/432808b):
-Various PKCS#11 fixes and improvements (Aki Tuomi)
-- [commit bf357ff](https://github.com/PowerDNS/pdns/commit/bf357ff),
-[commit 2433d2e](https://github.com/PowerDNS/pdns/commit/2433d2e),
-[commit 8fabf4d](https://github.com/PowerDNS/pdns/commit/8fabf4d): Fix
-Coverity issues (Aki Tuomi)
-- [commit 5d02d01](https://github.com/PowerDNS/pdns/commit/5d02d01)
-[commit 7798aa3](https://github.com/PowerDNS/pdns/commit/7798aa3),
-[commit 9f6e411](https://github.com/PowerDNS/pdns/commit/9f6e411),
-[commit e25a09c](https://github.com/PowerDNS/pdns/commit/e25a09c): Fix
-building on OpenBSD (Florian Obser and Ruben Kerkhof)
-- [commit 5c8bba2](https://github.com/PowerDNS/pdns/commit/5c8bba2): Look for
-mbedtls before polarssl (Ruben Kerkhof)
-- [commit 5abd150](https://github.com/PowerDNS/pdns/commit/5abd150): Let
-pkg-config determine botan dependency libs (Ruben Kerkhof)
-- [commit ba4d623](https://github.com/PowerDNS/pdns/commit/ba4d623): kill some
-further mallocs and add note to remind us not to add them back
-- [commit 50346d8](https://github.com/PowerDNS/pdns/commit/50346d8): Move
-remotebackend-unix test socket to testsdir (Aki Tuomi)
-- [commit 32e9512](https://github.com/PowerDNS/pdns/commit/32e9512): Defer
-launch of coprocess until first question (Aki Tuomi)
-- [commit d9b3ecb](https://github.com/PowerDNS/pdns/commit/d9b3ecb),
-[commit 561373e](https://github.com/PowerDNS/pdns/commit/561373e): pdnssec:
-check for glue and delegations in parent zones (Kees Monshouwer)
-
-# PowerDNS Authoritative Server 3.3.2
-
-Released 1st of May, 2015
-
-Among other bug fixes and improvements (as listed below), this release
-incorporates a fix for CVE-2015-1868, as detailed in [PowerDNS Security
-Advisory 2015-01](security/powerdns-advisory-2015-01.md)
-
-If you are running DNSSEC with version 3.3.1 or below, and you cannot
-currently upgrade to 3.4.4, please consider upgrading to 3.3.2; it has a lot
-of improvements and bug fixes and tremendously increases compliance.
-
-We want to explicitly thank Kees Monshouwer for digging up all the DNSSEC
-improvements and porting them back to this release.
-
-When upgrading, please run "pdnssec rectify-all-zones" and trigger an AXFR for
-all DNSSEC zones to make sure you benefit from all the compliance improvements
-present in this version.
-
-Security fixes:
-
-- [commit 9df4944](https://github.com/PowerDNS/pdns/commit/9df4944): import CVE-2015-1868 patch (Peter van Dijk)
-- [commit dbedfc5](https://github.com/PowerDNS/pdns/commit/dbedfc5): kill some further mallocs and add note to remind us not to add them back (bert hubert)
-
-Improvements:
-
-- [commit d0af589](https://github.com/PowerDNS/pdns/commit/d0af589)
-, [commit c45b6db](https://github.com/PowerDNS/pdns/commit/c45b6db)
-, [commit 88c1f21](https://github.com/PowerDNS/pdns/commit/88c1f21)
-, [commit 2a4c620](https://github.com/PowerDNS/pdns/commit/2a4c620)
-, [commit 4a4597e](https://github.com/PowerDNS/pdns/commit/4a4597e)
-, [commit 9fa7373](https://github.com/PowerDNS/pdns/commit/9fa7373)
-, [commit 8115a83](https://github.com/PowerDNS/pdns/commit/8115a83):
-implement security polling for auth
-- [commit 5bbd868](https://github.com/PowerDNS/pdns/commit/5bbd868): import suck() from master (Kees Monshouwer)
-- [commit 194f4d2](https://github.com/PowerDNS/pdns/commit/194f4d2): respond REFUSED instead of NOERROR for "unknown zone" situations (Peter van Dijk)
-- [commit 55b0653](https://github.com/PowerDNS/pdns/commit/55b0653): set AA on CNAME into referral, fixes [ticket #589](https://github.com/PowerDNS/pdns/issues/589) (Peter van Dijk)
-- [commit 71232aa](https://github.com/PowerDNS/pdns/commit/71232aa): update l.root ip (Kees Monshouwer)
-
-Bug fixes:
-
-- [commit 88c52fe](https://github.com/PowerDNS/pdns/commit/88c52fe): make makeRelative() case insensitive (Kees Monshouwer)
-
-DNSSEC improvements:
-
-- [commit b3dec9c](https://github.com/PowerDNS/pdns/commit/b3dec9c): change default for add-superfluous-nsec3-for-old-bind config option (Kees Monshouwer)
-- [commit 017a78b](https://github.com/PowerDNS/pdns/commit/017a78b): limit the number of NSEC3 iterations RFC5155 10.3 (Kees Monshouwer)
-- [commit d768d7f](https://github.com/PowerDNS/pdns/commit/d768d7f): NSEC3 and related RRSIGS are not part of the dnstree (Kees Monshouwer)
-- [commit 3a36a1c](https://github.com/PowerDNS/pdns/commit/3a36a1c): import bindbackend rectify code from master (Kees Monshouwer)
-- [commit 1ee7e22](https://github.com/PowerDNS/pdns/commit/1ee7e22): limit mode 0 closest provable encloser to optout (Kees Monshouwer)
-- [commit bbc0bc5](https://github.com/PowerDNS/pdns/commit/bbc0bc5): fix for errata 3441 of RFC5155 (Kees Monshouwer)
-- [commit e8bfa7b](https://github.com/PowerDNS/pdns/commit/e8bfa7b): allow covering NSEC3 record in NODATA response (Kees Monshouwer)
-- [commit f0b3b24](https://github.com/PowerDNS/pdns/commit/f0b3b24): return NOTIMP for direct RRSIG request (Kees Monshouwer)
-- [commit c79addc](https://github.com/PowerDNS/pdns/commit/c79addc): import pdnssec checkZone() from master (Kees Monshouwer)
-- [commit 2f1fec7](https://github.com/PowerDNS/pdns/commit/2f1fec7): import pdnssec rectifyZone() from master (Kees Monshouwer)
-
-# PowerDNS Recursor 3.7.2
-
-Released 23rd of April, 2015
-
-Among other bug fixes and improvements (as listed below), this release incorporates a fix for
-CVE-2015-1868, as detailed in [PowerDNS Security Advisory 2015-01](security/powerdns-advisory-2015-01.md)
-
-Bug fixes:
-
-- [commit adb10be](https://github.com/PowerDNS/pdns/commit/adb10be) [commit 3ec3e0f](https://github.com/PowerDNS/pdns/commit/3ec3e0f) [commit dc02ebf](https://github.com/PowerDNS/pdns/commit/dc02ebf) Fix handling of forward references in label compressed packets; fixes CVE-2015-1868
-- [commit a7be3f1](https://github.com/PowerDNS/pdns/commit/a7be3f1): make sure
-we never call sendmsg with msg_control!=NULL && msg_controllen>0. Fixes
-[ticket #2227](https://github.com/PowerDNS/pdns/issues/2227)
-- [commit 9d835ed](https://github.com/PowerDNS/pdns/commit/9d835ed): Improve
-robustness of root-nx-trust.
-
-Improvements:
-
-- [commit 99c595b](https://github.com/PowerDNS/pdns/commit/99c595b): Silence
-warnings that always occur on FreeBSD (Ruben Kerkhof)
-
-# PowerDNS Recursor 3.6.3
-
-Released 23rd of April, 2015
-
-The only difference between Recursor 3.6.2 and 3.6.3 is a fix for CVE-2015-1868, as detailed in [PowerDNS Security Advisory 2015-01](security/powerdns-advisory-2015-01.md)
-
-# PowerDNS Authoritative Server 3.4.4
-
-Released 23rd of April, 2015
-
-**Warning**: Version 3.4.4 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. Additionally, if you are coming from any 3.x version (including 3.3.1), there is a mandatory SQL schema upgrade. Please refer to the [Upgrade documentation](authoritative/upgrading.md) for important information on correct and stable operation, as well as notes on performance and memory use.
-
-Among other bug fixes and improvements (as listed below), this release incorporates a fix for
-CVE-2015-1868, as detailed in [PowerDNS Security Advisory 2015-01](security/powerdns-advisory-2015-01.md)
-
-Bug fixes:
-
-- [commit ac3ae09](https://github.com/PowerDNS/pdns/commit/ac3ae09): fix rectify-(all)-zones for mixed case domain names
-- [commit 2dea55e](https://github.com/PowerDNS/pdns/commit/2dea55e), [commit 032d565](https://github.com/PowerDNS/pdns/commit/032d565), [commit 55f2dbf](https://github.com/PowerDNS/pdns/commit/55f2dbf): fix CVE-2015-1868
-- [commit 21cdbe5](https://github.com/PowerDNS/pdns/commit/21cdbe5): Blocking
-IO in busy-wait for remote backend (Wieger Opmeer)
-- [commit cc7b2ac](https://github.com/PowerDNS/pdns/commit/cc7b2ac): fix
-double dot for root MX/SRV in bind slave zone files (Kees Monshouwer)
-- [commit c40307b](https://github.com/PowerDNS/pdns/commit/c40307b): Properly
-lock lmdb database, fixes [ticket #1954](https://github.com/PowerDNS/pdns/issues/1954)
-(Aki Tuomi)
-- [commit 662e76d](https://github.com/PowerDNS/pdns/commit/662e76d): Fix
-segfault in zone2lmdb (Ruben Kerkhof)
-
-New Features:
-
-- [commit 5ae212e](https://github.com/PowerDNS/pdns/commit/5ae212e): pdnssec: warn for insecure wildcards in opt-out zones
-- commits [cd3f21c](https://github.com/PowerDNS/pdns/commit/cd3f21c),
-[8b582f6](https://github.com/PowerDNS/pdns/commit/8b582f6),
-[0b7e766](https://github.com/PowerDNS/pdns/commit/0b7e766),
-[f743af9](https://github.com/PowerDNS/pdns/commit/f743af9),
-[dcde3c8](https://github.com/PowerDNS/pdns/commit/dcde3c8) and
-[f12fcf7](https://github.com/PowerDNS/pdns/commit/f12fcf7):
-TKEY record type (Aki Tuomi)
-- commits [0fda1d9](https://github.com/PowerDNS/pdns/commit/0fda1d9),
-[3dd139d](https://github.com/PowerDNS/pdns/commit/3dd139d),
-[ba146ce](https://github.com/PowerDNS/pdns/commit/ba146ce),
-[25109e2](https://github.com/PowerDNS/pdns/commit/25109e2),
-[c011a01](https://github.com/PowerDNS/pdns/commit/c011a01),
-[0600350](https://github.com/PowerDNS/pdns/commit/0600350),
-[fc96b5e](https://github.com/PowerDNS/pdns/commit/fc96b5e),
-[4414468](https://github.com/PowerDNS/pdns/commit/4414468),
-[c163d41](https://github.com/PowerDNS/pdns/commit/c163d41),
-[f52c7f6](https://github.com/PowerDNS/pdns/commit/f52c7f6),
-[8d56a31](https://github.com/PowerDNS/pdns/commit/8d56a31),
-[7821417](https://github.com/PowerDNS/pdns/commit/7821417),
-[ea62bd9](https://github.com/PowerDNS/pdns/commit/ea62bd9),
-[c5ababd](https://github.com/PowerDNS/pdns/commit/c5ababd),
-[91c8351](https://github.com/PowerDNS/pdns/commit/91c8351) and
-[073ac49](https://github.com/PowerDNS/pdns/commit/073ac49): Many
-PKCS#11 improvements (Aki Tuomi)
-- commits [6f0d4f1](https://github.com/PowerDNS/pdns/commit/6f0d4f1) and
-[5eb33cb](https://github.com/PowerDNS/pdns/commit/5eb33cb): Introduce
-xfrBlobNoSpaces and use them for TSIG (Aki Tuomi)
-
-Improvements:
-
-- [commit e4f48ab](https://github.com/PowerDNS/pdns/commit/e4f48ab): allow "pdnssec set-nsec3 ZONE" for insecure zones; this saves on one rectify when securing a NSEC3 zone
-- commits [cce95b9](https://github.com/PowerDNS/pdns/commit/cce95b9),
-[e2e9243](https://github.com/PowerDNS/pdns/commit/e2e9243) and
-[e82da97](https://github.com/PowerDNS/pdns/commit/e82da97): Improvements
-to the config-file parsing (Aki Tuomi)
-- [commit 2180e21](https://github.com/PowerDNS/pdns/commit/2180e21):
-postgresql check should not touch LDFLAGS (Ruben Kerkhof)
-- [commit 0481021](https://github.com/PowerDNS/pdns/commit/0481021): Log error
-when remote cannot do AXFR (Aki Tuomi)
-- [commit 1ecc3a5](https://github.com/PowerDNS/pdns/commit/1ecc3a5): Speed
-improvements when AXFR is disabled (Christian Hofstaedtler)
-- commits [1f7334e](https://github.com/PowerDNS/pdns/commit/1f7334e) and
-[b17799a](https://github.com/PowerDNS/pdns/commit/b17799a): NSEC3 and
-related RRSIGS are not part of the dnstree (Kees Monshouwer)
-- commits [dd943dd](https://github.com/PowerDNS/pdns/commit/dd943dd) and
-[58c4834](https://github.com/PowerDNS/pdns/commit/58c4834): Change
-ifdef to check for `__GLIBC__` instead of `__linux__` to prevent errors with other
-libc's (James Taylor)
-- [commit c929d50](https://github.com/PowerDNS/pdns/commit/c929d50): Try to
-raise open files before dropping privileges (Aki Tuomi)
-- [commit 69fd3dc](https://github.com/PowerDNS/pdns/commit/69fd3dc): Add
-newline to carbon error message on auth (Aki Tuomi)
-- [commit 3064f80](https://github.com/PowerDNS/pdns/commit/3064f80): Make sure
-we send servfail on error (Aki Tuomi)
-- [commit b004529](https://github.com/PowerDNS/pdns/commit/b004529): Ship
-lmdb-example.pl in tarball (Ruben Kerkhof)
-- [commit 9e6b24f](https://github.com/PowerDNS/pdns/commit/9e6b24f): Allocate
-TCP buffer dynamically, decreasing stack usage
-- [commit 267fdde](https://github.com/PowerDNS/pdns/commit/267fdde): throw if getSOA gets non-SOA record
-
-# PowerDNS Authoritative Server 3.4.3
-
-**Warning**: Version 3.4.3 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. Additionally, if you are coming from any 3.x version (including 3.3.1), there is a mandatory SQL schema upgrade. Please refer to the [Upgrade documentation](authoritative/upgrading.md) for important information on correct and stable operation, as well as notes on performance and memory use.
-
-Released March 2nd, 2015
-
-Find the downloads [on our download page](https://www.powerdns.com/downloads.html).
-
-Bug fixes:
-
-- [commit ceb49ce](https://github.com/PowerDNS/pdns/commit/ceb49ce):
-pdns_control: exit 1 on unknown command (Ruben Kerkhof)
-- [commit 1406891](https://github.com/PowerDNS/pdns/commit/1406891): evaluate
-KSK ZSK pairs per algorithm (Kees Monshouwer)
-- [commit 3ca050f](https://github.com/PowerDNS/pdns/commit/3ca050f): always
-set di.notified_serial in getAllDomains (Kees Monshouwer)
-- [commit d9d09e1](https://github.com/PowerDNS/pdns/commit/d9d09e1):
-pdns_control: don't open socket in /tmp (Ruben Kerkhof)
-
-New features:
-
-- [commit 2f67952](https://github.com/PowerDNS/pdns/commit/2f67952): Limit who
-can send us AXFR notify queries (Ruben Kerkhof)
-
-Improvements:
-
-- [commit d7bec64](https://github.com/PowerDNS/pdns/commit/d7bec64): respond
-REFUSED instead of NOERROR for "unknown zone" situations
-- [commit ebeb9d7](https://github.com/PowerDNS/pdns/commit/ebeb9d7): Check for
-Lua 5.3 (Ruben Kerkhof)
-- [commit d09931d](https://github.com/PowerDNS/pdns/commit/d09931d): Check
-compiler for relro support instead of linker (Ruben Kerkhof)
-- [commit c4b0d0c](https://github.com/PowerDNS/pdns/commit/c4b0d0c): Replace
-PacketHandler with UeberBackend where possible (Christian Hofstaedtler)
-- [commit 5a85152](https://github.com/PowerDNS/pdns/commit/5a85152):
-PacketHandler: Share UeberBackend with DNSSECKeeper (Christian Hofstaedtler)
-- [commit 97bd444](https://github.com/PowerDNS/pdns/commit/97bd444): fix
-building with GCC 5
-
-Experimental API changes (Christian Hofstaedtler):
-
-- [commit ca44706](https://github.com/PowerDNS/pdns/commit/ca44706): API: move
-shared DomainInfo reader into it's own function
-- [commit 102602f](https://github.com/PowerDNS/pdns/commit/102602f): API:
-allow writing to domains.account field
-- [commit d82f632](https://github.com/PowerDNS/pdns/commit/d82f632): API: read
-and expose domain account field
-- [commit 2b06977](https://github.com/PowerDNS/pdns/commit/2b06977): API: be
-more strict when parsing record contents
-- [commit 2f72b7c](https://github.com/PowerDNS/pdns/commit/2f72b7c): API:
-Reject unknown types (TYPE0)
-- [commit d82f632](https://github.com/PowerDNS/pdns/commit/d82f632): API: read
-and expose domain account field
-
-# PowerDNS Authoritative Server 3.4.2
-
-**Warning**: Version 3.4.2 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. Additionally, if you are coming from any 3.x version (including 3.3.1), there is a mandatory SQL schema upgrade. Please refer to the [Upgrade documentation](authoritative/upgrading.md) for important information on correct and stable operation, as well as notes on performance and memory use.
-
-Released February 3rd, 2015
-
-Find the downloads [on our download page](https://www.powerdns.com/downloads.html).
-
-This is a performance and bugfix update to 3.4.1 and any earlier version. For high traffic setups, including
-those using DNSSEC, upgrading to 3.4.2 may show tremendous performance increases.
-
-A list of changes since 3.4.1 follows.
-
-Improvements:
-
-- [commit 73004f1](https://github.com/PowerDNS/pdns/commit/73004f1): implement CORS for the HTTP API
-- [commit 4d9c289](https://github.com/PowerDNS/pdns/commit/4d9c289): qtype is now case insensitive in API and database
-- [commit 13af5d8](https://github.com/PowerDNS/pdns/commit/13af5d8), [commit 223373a](https://github.com/PowerDNS/pdns/commit/223373a), [commit 1d5a68d](https://github.com/PowerDNS/pdns/commit/1d5a68d), [commit 705a73f](https://github.com/PowerDNS/pdns/commit/705a73f), [commit b418d52](https://github.com/PowerDNS/pdns/commit/b418d52): Allow (optional) PIE hardening
-- [commit 2f86f20](https://github.com/PowerDNS/pdns/commit/2f86f20): json-api: remove priority from json
-- [commit cefcf9f](https://github.com/PowerDNS/pdns/commit/cefcf9f): backport remotebackend fixes
-- [commit 920f987](https://github.com/PowerDNS/pdns/commit/920f987), [commit dd8853c](https://github.com/PowerDNS/pdns/commit/dd8853c): Support Lua 5.3
-- [commit 003aae5](https://github.com/PowerDNS/pdns/commit/003aae5): support single-type ZSK signing
-- [commit 1c57e1d](https://github.com/PowerDNS/pdns/commit/1c57e1d): Potential fix for [ticket #1907](https://github.com/PowerDNS/pdns/issues/1907), we now try to trigger libgcc_s.so.1 to load before we chroot. I can't reproduce the bug on my local system, but this "should" help. Seriously.
-- [commit 031ab21](https://github.com/PowerDNS/pdns/commit/031ab21): update polarssl to 1.3.9
-
-Bug fixes:
-
-- [commit 60b2b7c](https://github.com/PowerDNS/pdns/commit/60b2b7c), [commit d962fbc](https://github.com/PowerDNS/pdns/commit/d962fbc): refuse overly long labels in names
-- [commit a64fd6a](https://github.com/PowerDNS/pdns/commit/a64fd6a): auth: limit long version strings to 63 characters and catch exceptions in secpoll
-- [commit fa52e02](https://github.com/PowerDNS/pdns/commit/fa52e02): pdnssec: fix ttl check for RRSIG records
-- [commit 0678b25](https://github.com/PowerDNS/pdns/commit/0678b25): fix up latency reporting for sub-millisecond latencies (would clip to 0)
-- [commit d45c1f1](https://github.com/PowerDNS/pdns/commit/d45c1f1): make sure we don't throw an exception on "pdns_control show" of an unknown variable
-- [commit 63c8088](https://github.com/PowerDNS/pdns/commit/63c8088): fix startup race condition with carbon thread already trying to broadcast uninitialized data
-- [commit 796321c](https://github.com/PowerDNS/pdns/commit/796321c): make qsize-q more robust
-- [commit 407867c](https://github.com/PowerDNS/pdns/commit/407867c): mind04 discovered we count corrupt packets and EAGAIN situations as validly received packets, skewing the udp questions/answers graphs on auth.
-- [commit f06d069](https://github.com/PowerDNS/pdns/commit/f06d069): make latency & qsize reporting 'live'. Plus fix that we only reported the qsize of the first distributor.
-- [commit 2f3498e](https://github.com/PowerDNS/pdns/commit/2f3498e): fix up statbag for carbon protocol and function pointers
-- [commit 0f2f999](https://github.com/PowerDNS/pdns/commit/0f2f999): get priority from table in Lua axfrfilter; fixes [ticket #1857](https://github.com/PowerDNS/pdns/issues/1857)
-- [commit 96963e2](https://github.com/PowerDNS/pdns/commit/96963e2), [commit bbcbbbe](https://github.com/PowerDNS/pdns/commit/bbcbbbe), [commit d5c9c07](https://github.com/PowerDNS/pdns/commit/d5c9c07): various backends: fix records pointing at root
-- [commit e94c2c4](https://github.com/PowerDNS/pdns/commit/e94c2c4): remove additional layer of trailing . stripping, which broke MX records to the root in the BIND backend. Should close [ticket #1243](https://github.com/PowerDNS/pdns/issues/1243).
-- [commit 8f35ba2](https://github.com/PowerDNS/pdns/commit/8f35ba2): api: use uncached results for getKeys()
-- [commit c574336](https://github.com/PowerDNS/pdns/commit/c574336): read ALLOW-AXFR-FROM from the backend with the metadata
-
-Minor changes:
-
-- [commit 1e39b4c](https://github.com/PowerDNS/pdns/commit/1e39b4c): move manpages to section 1
-- [commit b3992d9](https://github.com/PowerDNS/pdns/commit/b3992d9): secpoll: Replace ~ with _
-- [commit 9799ef5](https://github.com/PowerDNS/pdns/commit/9799ef5): only zones with an active ksk are secure
-- [commit d02744f](https://github.com/PowerDNS/pdns/commit/d02744f): api: show keys for zones without active ksk
-
-New features:
-
-- [commit 1b97ba0](https://github.com/PowerDNS/pdns/commit/1b97ba0): add signatures metric to auth, so we can plot signatures/second
-- [commit 92cef2d](https://github.com/PowerDNS/pdns/commit/92cef2d): pdns_control: make it possible to notify all zones at once
-- [commit f648752](https://github.com/PowerDNS/pdns/commit/f648752): JSON API: provide flush-cache, notify, axfr-retrieve
-- [commit 02653a7](https://github.com/PowerDNS/pdns/commit/02653a7): add 'bench-db' to do very simple database backend performance benchmark
-- [commit a83257a](https://github.com/PowerDNS/pdns/commit/a83257a): enable callback based metrics to statbas, and add 5 such metrics: uptime, sys-msec, user-msec, key-cache-size, meta-cache-size, signature-cache-size
-
-Performance improvements:
-
-- [commit a37fe8c](https://github.com/PowerDNS/pdns/commit/a37fe8c): better key for packetcache
-- [commit e5217bb](https://github.com/PowerDNS/pdns/commit/e5217bb): don't do time(0) under signature cache lock
-- [commit d061045](https://github.com/PowerDNS/pdns/commit/d061045), [commit 135db51](https://github.com/PowerDNS/pdns/commit/135db51), [commit 7d0f392](https://github.com/PowerDNS/pdns/commit/7d0f392): shard the packet cache, closing [ticket #1910](https://github.com/PowerDNS/pdns/issues/1910).
-- [commit d71a712](https://github.com/PowerDNS/pdns/commit/d71a712): with thanks to Jack Lloyd, this works around the default Botan allocator slowing down for us during production use.
-
-
-# PowerDNS Recursor 3.7.0
-
-Unreleased, please see the 3.7.1 changelog below.
-
-# PowerDNS Recursor 3.7.1
-
-Released February 12th, 2015.
-
-This version contains a mix of speedups and improvements, the combined effect of which is vastly
-improved resilience against traffic spikes and malicious query overloads.
-
-Of further note is the massive community contribution, mostly over
-Christmas. Especially Ruben Kerkhof, Pieter Lexis, Kees Monshouwer and Aki
-Tuomi delivered a lot of love. Thanks!
-
-Minor changes:
-
-- Removal of dead code here and there 04dc6d618734fc630122de4c56dff641ebaf0988
-- Per-qtype response counters are now 64 bit 297bb6acf7902068693a4aae1443c424d0e8dd52 on 64 bit systems
-- Add IPv6 addresses for b and c.root-servers.net hints efc2595423c9a1be6f2d8f4da25445198ceb8b57
-- Add IP address to logging about terminated queries 37aa9904d1cc967ba4b5d5e17dbe41485f8cdece
-- Improve qtype name logging fab3ed3453e15ae88e29a0e4071b214eb19caad9 (Aki Tuomi)
-- Redefine 'BAD_NETS' for dont-query based on newer IANA guidance 12cd44ee0fcde5893f85dccc499bfc35152c5fff (lochiiconnectivity)
-- Add documentation links to systemd unit eb154adfdffa5c78624e2ea98e938d7b5787119e (Ruben Kerkhof)
-
-Improvements:
-
-- Upgrade embedded PolarSSL to 1.3.9: d330a2ea1a93d7675ef680311f8aa0306aeefcf1
-- yahttp upgrade c290975778942ed1082ca66918695a5bd2d6bac4 c65a57e888ee48eaa948e590c90c51420bffa847 (Aki Tuomi)
-- Replace . in hostnames by - for Carbon so as not to confuse Metronome 46541751ed1c3bc051d78217543d5fc76733e212
-- Manpages got a lot of love and are now built from Markdown (Pieter Lexis)
-- Move to PolarSSL base64 488360551009784ab35c43ee4580e773a2a8a227 (Kees Monshouwer)
-- The quiet=no query logging is now more informative 461df9d20c560d240285f772c09b3beb89d46daa
-- We can finally bind to 0.0.0.0 and :: and guarantee answers from the correct source b71b60ee73ef3c86f80a2179981eda2e61c4363f
-- We use per-packet timestamps to drop ancient traffic in case of overload b71b60ee73ef3c86f80a2179981eda2e61c4363f, non-Linux portability in d63f0d83631c41eff203d30b0b7c475a88f1db59
-- Builtin webserver can be queried with the API key in the URL again c89f8cd022c4a9409b95d22ffa3b03e4e98dc400
-- Ringbuffers are now available via API c89f8cd022c4a9409b95d22ffa3b03e4e98dc400
-- Lua 5.3 compatibility 59c6fc3e3931ca87d484337daee512e716bc4cf4 (Kees Monshouwer)
-- No longer leave a stale UNIX domain socket around from rec_control if the recursor was down 524e4f4d81f4ed9eb218715cbc8a59f0b9868234,
- ticket #2061
-- Running with 'quiet=no' would strangely actually prevent debug messages from being logged f48d7b657ec32517f8bfcada3bfe6353ca313314
-- Webserver now implements CORS for the API ea89a97e864c43c1cb03f2959ad04c4ebe7580ad, fixing ticket #1984
-- Houskeeping thread would sometimes run multiple times simultaneously, which worked, but was odd cc59bce675e62e2b9657b42614ce8be3312cae82
-
-New features:
-
-- New `root-nx-trust` flag makes PowerDNS generalize NXDOMAIN responses from the root-servers 01402d56846a3a61811ebd4e6bc97e53f908e568
-- `getregisteredname()` for Lua, which turns 'www.bbc.co.uk' into 'bbc.co.uk' 8cd4851beb78bc6ab320926fb5cb6a09282016b1
-- Lua preoutquery filter 3457a2a0ec41d3b3aff7640f30008788e1228a6e
-- Lua IP-based filter (ipfilter) before parsing packets 4ea949413c495254acb0bd19335142761c1efc0c
-- `iputils` class for Lua, to quickly process IP addresses and netmasks in their native format
-- `getregisteredname` function for Lua, to find the registered domain for a given name
-- Various new ringbuffers: top-servfail-remotes, top-largeanswer-remotes, top-servfail-queries
-
-Speedups:
-
-- Remove unneeded malloc traffic 93d4a89096e64d53740790f58fadec56f6a0af14 8682c32bc45b6ffa7c0f6da778e1b223ae7f03ce a903b39cfe7364c56324038264d3db50b8cece87
-- Our nameserver-loop detection carried around a lot of baggage for complex domain names, plus did not differentiate IPv4 and IPv6 well enough 891fbf888ccac074e3edc38864641ca774f2f03c
-- Prioritize new queries over nameserver responses, improving latency under query bursts bf3b0cec366c090af000b066267b6f6bbb3a512a
-- Remove escaping in case there was nothing to escape 83b746fd1d94c8742d8bd87a44beb44c154230c7
-- Our logging infrastructure had a lot of locking d1449e4d073595e1e1581804f121fc90e37158bf
-- Reduce logging level of certain common messages, which locked up synchronously logging systems 854d44e31c76aa650520e6d462dd3a02b5936f7a
-- Add limit on total wall-clock time spent on a query 9de3e0340fa066d4c59449e1643a1de8c343f8f2
-- Packet cache is now case-insensitive, which increases hitrate 90974597aadaf1096e3fd0dc450be7422ea591a5
-
-Security relevant:
-
-- Check for PIE, RELRO and stack protector during configure 8d0354b189c12e1e14f5309d3b49935c17f9eeb0 (Aki Tuomi)
-- Testing for support of PIE etc was improved in b2053c28ccb9609e2ce7bcb6beda83f98a062aa3 and beyond, fixes #2125 (Ruben Kerkhof)
-- Max query-per-query limit (max-qperq) is now configurable 173d790ead08f67733010ca4c6fc404a040fe699
-
-Bugs fixed:
-
-- IPv6 outgoing queries had a disproportionate effect on our query load. Fixed in 76f190f2a0877cd79ede2994124c1a58dc69ae49 and beyond.
-- rec_control gave incorrect output on a timeout 12997e9d800734da51b808767e1e2477244c30eb
-- When using the webserver AND having an error in the Lua script, recursor could crash during startup 62f0ae62984adadab687c23fe1b287c1f219b2cb
-- Hugely long version strings would trip up security polling 18b7333828a1275ae5f5574a9c8330290d8557ff (Kees Monshouwer)
-- The 'remotes' ringbuffer was sized incorrectly f8f243b01215d6adcb59389f09ef494f1309041f
-- Cache sizes had an off-by-one scaling problem, with the wrong number of entries allocated per thread f8f243b01215d6adcb59389f09ef494f1309041f
-- Our automatic file descriptor limit raising was attempted *after* setuid, which made it a lot less effective. Found and fixed by Aki Tuomi
- a6414fdce9b0ec32c340d1f2eea2254f3fedc1c1
-- Timestamps used for dropping packets were occasionally wrong 183eb8774e4bc2569f06d5894fec65740f4b70b6 and 4c4765c104bacc146533217bcc843efb244a8086
- (RC2) with thanks to Winfried for debugging.
-- In RC1, our new DoS protection measures would crash the Recursor if too many root servers were unreachable.
- 6a6fb05ad81c519b4002ed1db00f3ed9b7bce6b4. Debugging and testing by Fusl.
-
-
-Various other documentation changes by Christian Hofstaedtler and Ruben
-Kerkhof. Lots of improvements all over the place by Kees Monshouwer.
-
-# PowerDNS Recursor 3.6.2
-
-**Note**: Version 3.6.2 is a bugfix update to 3.6.1. Released on the 30th of October 2014.
-
-[Official download page](https://www.powerdns.com/downloads.html)
-
-A list of changes since 3.6.1 follows.
-
-- [commit ab14b4f](https://github.com/PowerDNS/pdns/commit/ab14b4f): expedite servfail generation for ezdns-like failures (fully abort query resolving if we hit more than 50 outqueries). This also prevents the issue documented in [PowerDNS Security Advisory 2014-02](security/powerdns-advisory-2014-02/) (CVE-2014-8601)
-- [commit 42025be](https://github.com/PowerDNS/pdns/commit/42025be): PowerDNS now polls the security status of a release at startup and periodically. More detail on this feature, and how to turn it off, can be found in [Security polling](common/security.md#security-polling).
-- [commit 5027429](https://github.com/PowerDNS/pdns/commit/5027429): We did not transmit the right 'local' socket address to Lua for TCP/IP queries in the recursor. In addition, we would attempt to lookup a filedescriptor that wasn't there in an unlocked map which could conceivably lead to crashes. Closes [ticket 1828](https://github.com/PowerDNS/pdns/issues/1828), thanks Winfried for reporting
-- [commit 752756c](https://github.com/PowerDNS/pdns/commit/752756c): Sync embedded yahttp copy. API: Replace HTTP Basic auth with static key in custom header
-- [commit 6fdd40d](https://github.com/PowerDNS/pdns/commit/6fdd40d): add missing `#include <pthread.h>` to rec-channel.hh (this fixes building on OS X).
-
-# PowerDNS Authoritative Server 3.4.1
-
-**Warning**: Version 3.4.1 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. Additionally, if you are coming from any 3.x version (including 3.3.1), there is a mandatory SQL schema upgrade. Please refer to the [Upgrade documentation](authoritative/upgrading.md) for important information on correct and stable operation, as well as notes on performance and memory use.
-
-Released October 30th, 2014
-
-Find the downloads [on our download page](https://www.powerdns.com/downloads.html).
-
-This is a bugfix update to 3.4.0 and any earlier version.
-
-A list of changes since 3.4.0 follows.
-
-- [commit dcd6524](https://github.com/PowerDNS/pdns/commit/dcd6524), [commit a8750a5](https://github.com/PowerDNS/pdns/commit/a8750a5), [commit 7dc86bf](https://github.com/PowerDNS/pdns/commit/7dc86bf), [commit 2fda71f](https://github.com/PowerDNS/pdns/commit/2fda71f): PowerDNS now polls the security status of a release at startup and periodically. More detail on this feature, and how to turn it off, can be found in [Security polling](common/security.md#security-polling).
-- [commit 5fe6dc0](https://github.com/PowerDNS/pdns/commit/5fe6dc0): API: Replace HTTP Basic auth with static key in custom header (X-API-Key)
-- [commit 4a95ab4](https://github.com/PowerDNS/pdns/commit/4a95ab4): Use transaction for pdnssec increase-serial
-- [commit 6e82a23](https://github.com/PowerDNS/pdns/commit/6e82a23): Don't empty ordername during pdnssec increase-serial
-- [commit 535f4e3](https://github.com/PowerDNS/pdns/commit/535f4e3): honor SOA-EDIT while considering "empty IXFR" fallback, fixes [ticket 1835](https://github.com/PowerDNS/pdns/issues/1835). This fixes slaving of signed zones to IXFR-aware slaves like NSD or BIND.
-
-# PowerDNS Authoritative Server 3.4.0
-Released September 30th, 2014
-
-This is a performance, feature, bugfix and conformity update to 3.3.1 and any earlier version. It contains a huge amount of work by various contributors, to whom we are very grateful.
-
-**Warning**: Version 3.4.0 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. Additionally, if you are coming from any 3.x version (including 3.3.1), there is a mandatory SQL schema upgrade. Please refer to the [Upgrade documentation](authoritative/upgrading.md) for important information on correct and stable operation, as well as notes on performance and memory use.
-
-## Downloads
-Find the downloads [on our download page](https://www.powerdns.com/downloads.html).
-
-A list of changes since 3.3.1 follows.
-
-Changes between RC2 and 3.4.0:
-
-- [commit ad189c9](https://github.com/PowerDNS/pdns/commit/ad189c9), [commit 445d93c](https://github.com/PowerDNS/pdns/commit/445d93c): also distribute the dnsdist manual page
-- [commit b5a276d](https://github.com/PowerDNS/pdns/commit/b5a276d), [commit 0b346e9](https://github.com/PowerDNS/pdns/commit/0b346e9), [commit 74caf87](https://github.com/PowerDNS/pdns/commit/74caf87), [commit 642fd2e](https://github.com/PowerDNS/pdns/commit/642fd2e): Make sure all backends actually work as dynamic modules
-- [commit 14b11c4](https://github.com/PowerDNS/pdns/commit/14b11c4): raise log level on dlerror(), fixes [ticket 1734](https://github.com/PowerDNS/pdns/issues/1734), thanks @James-TR
-- [commit 016d810](https://github.com/PowerDNS/pdns/commit/016d810): improve postgresql detection during ./configure
-- [commit dce1e90](https://github.com/PowerDNS/pdns/commit/dce1e90): DNAME: don't sign the synthesised CNAME
-- [commit 25e7af3](https://github.com/PowerDNS/pdns/commit/25e7af3): send empty SERVFAIL after a backend throws a DBException, instead of including useless content
-
-Changes between RC1 and RC2:
-
-- [commit bb6e54f](https://github.com/PowerDNS/pdns/commit/bb6e54f): document udp6-queries, udp4-queries, add rd-queries, recursion-unanswered metrics & document. Closes [ticket 1400](https://github.com/PowerDNS/pdns/issues/1400).
-- [commit 4a23af7](https://github.com/PowerDNS/pdns/commit/4a23af7): init script: support DAEMON\_ARGS; [commit 7e5b3a0](https://github.com/PowerDNS/pdns/commit/7e5b3a0): init script: ensure socket dir exists
-- [commit dd930ed](https://github.com/PowerDNS/pdns/commit/dd930ed): don't import supermaster ips from other accounts
-- [commit ed3afdf](https://github.com/PowerDNS/pdns/commit/ed3afdf): fall back to central bind if reuseport bind fails; improves [ticket 1715](https://github.com/PowerDNS/pdns/issues/1715)
-- [commit 709ca59](https://github.com/PowerDNS/pdns/commit/709ca59): GeoIP backend implementation. This is a new backend, still experimental!
-- [commit bf5a484](https://github.com/PowerDNS/pdns/commit/bf5a484): support EVERY future version of OS X, fixes [ticket 1702](https://github.com/PowerDNS/pdns/issues/1702)
-- [commit 4dbaec6](https://github.com/PowerDNS/pdns/commit/4dbaec6): Check for \_\_FreeBSD\_kernel\_\_ as per https://lists.debian.org/debian-bsd/2006/03/msg00127.html, fixes [ticket 1684](https://github.com/PowerDNS/pdns/issues/1684); [commit 74f389d](https://github.com/PowerDNS/pdns/commit/74f389d): \_\_FreeBSD\_kernel\_\_ is defined but empty on systems with FreeBSD kernels, breaking compile. Thanks pawal
-- [commit 2e6bbd8](https://github.com/PowerDNS/pdns/commit/2e6bbd8): Catch PDNSException in Signingpiper::helperWorker to avoid abort
-- [commit 0ffd51d](https://github.com/PowerDNS/pdns/commit/0ffd51d): improve error reporting on malformed labels
-- [commit c48dec7](https://github.com/PowerDNS/pdns/commit/c48dec7): Fix forwarded TSIG message issue
-- [commit dad70f2](https://github.com/PowerDNS/pdns/commit/dad70f2): skip TCP\_DEFER\_ACCEPT on platforms that do not have it (like FreeBSD); fixes [ticket 1658](https://github.com/PowerDNS/pdns/issues/1658)
-- [commit c7287b6](https://github.com/PowerDNS/pdns/commit/c7287b6): should fix [ticket 1662](https://github.com/PowerDNS/pdns/issues/1662), reloading while checking for domains that need to be notified in BIND, causing lock
-- [commit 3e67ea8](https://github.com/PowerDNS/pdns/commit/3e67ea8): allow OPT pseudo record type in IXFR query
-- [commit a1caa8b](https://github.com/PowerDNS/pdns/commit/a1caa8b): webserver: htmlescape VERSION and config name
-- [commit df9d980](https://github.com/PowerDNS/pdns/commit/df9d980): Remove "log-failed-updates" leftover
-- [commit a1fe72a](https://github.com/PowerDNS/pdns/commit/a1fe72a): Remove unused "soa-serial-offset" option
-
-Changes between 3.3.1 and 3.4.0-RC1 follow.
-
-## DNSSEC changes
-- [commit bba8413](https://github.com/PowerDNS/pdns/commit/bba8413): add option (max-signature-cache-entries) to limit the maximum number of cached signatures.
-- [commit 28b66a9](https://github.com/PowerDNS/pdns/commit/28b66a9): limit the number of NSEC3 iterations (see RFC5155 10.3), with the max-nsec3-iterations option.
-- [commit b50efd6](https://github.com/PowerDNS/pdns/commit/b50efd6): drop the 'superfluous NSEC3' option that old BIND validators need.
-- The bindbackend 'hybrid' mode was reintroduced by Kees Monshouwer. Enable it with bind-hybrid.
-- Aki Tuomi contributed experimental PKCS\#11 support for DNSSEC key management with a (Soft)HSM.
-- Direct RRSIG queries now return NOTIMP.
-- [commit fa37777](https://github.com/PowerDNS/pdns/commit/fa37777): add secure-all-zones command to pdnssec
-- Unrectified zones can now get rectified 'on the fly' during outgoing AXFR. This makes it possible to run a hidden signing master without rectification.
-- [commit 82fb538](https://github.com/PowerDNS/pdns/commit/82fb538): AXFR in: don't accept zones with a mixture of Opt-Out NSEC3 RRs and non-Opt-Out NSEC3 RRs
-- Various minor bugfixes, mostly from the unstoppable Kees Monshouwer.
-- [commit 0c4c552](https://github.com/PowerDNS/pdns/commit/0c4c552): set non-zero exit status in pdnssec if an exception was thrown, for easier automatic usage.
-- [commit b8bd119](https://github.com/PowerDNS/pdns/commit/b8bd119): pdnssec -v show-zone: Print all keys instead of just entry point keys.
-- [commit 52e0d78](https://github.com/PowerDNS/pdns/commit/52e0d78): answer direct NSEC queries without DO bit
-- [commit ca2eb01](https://github.com/PowerDNS/pdns/commit/ca2eb01): output ZSK DNSKEY records if experimental-direct-dnskey support is enabled
-- [commit 83609e2](https://github.com/PowerDNS/pdns/commit/83609e2): SOA-EDIT: fix INCEPTION-INCREMENT handling
-- [commit ac4a2f1](https://github.com/PowerDNS/pdns/commit/ac4a2f1): AXFR-out can handle secure and insecure NSEC3 optout delegations
-- [commit ff47302](https://github.com/PowerDNS/pdns/commit/ff47302): AXFR-in can handle secure and insecure NSEC3 optout delegations
-
-## New features
-- DNAME support. Enable with experimental-dname-processing.
-- PowerDNS can now send stats directly to Carbon servers. Enable with carbon-server, tweak with carbon-ourname and carbon-interval.
-- [commit 767da1a](https://github.com/PowerDNS/pdns/commit/767da1a): Add list-zone capability to pdns\_control
-- [commit 51f6bca](https://github.com/PowerDNS/pdns/commit/51f6bca): Add delete-zone to pdnssec.
-- The gsql backends now support record comments, and disabling records.
-- The new reuseport config option allows setting SO\_REUSEPORT, which allows for some performance improvements.
-- local-address-nonexist-fail and local-ipv6-nonexist-fail allow pdns to start up even if some addresses fail to bind.
-- 'AXFR-SOURCE' in domainmetadata sets the source address for an AXFR retrieval.
-- [commit 451ba51](https://github.com/PowerDNS/pdns/commit/451ba51): Implement pdnssec get-meta/set-meta
-- Experimental RFC2136/DNS UPDATE support from Ruben d'Arco, with extensive testing by Kees Monshouwer.
-- pdns\_control bind-add-zone
-- New option bind-ignore-broken-records ignores out-of-zone records while loading zone files.
-- pdnssec now has commands for TSIG key management.
-- We now support other algorithms than MD5 for TSIG.
-- [commit ba7244a](https://github.com/PowerDNS/pdns/commit/ba7244a): implement pdns\_control qtypes
-- Support for += syntax for options
-
-## Bugfixes
-- We verify the algorithm used for TSIG queries, and use the right algorithm in signing if there is possible confusion. Plus a few minor TSIG-related fixes.
-- [commit ff99a74](https://github.com/PowerDNS/pdns/commit/ff99a74): making *-threads settings empty now yields a default of one instead of zero.
-- [commit 9215e60](https://github.com/PowerDNS/pdns/commit/9215e60): we had a deadly embrace in getUpdatedMasters in bindbackend reimplementation, thanks to Winfried for detailed debugging!
-- [commit 9245fd9](https://github.com/PowerDNS/pdns/commit/9245fd9): don't addSuckRequest after supermaster zone creation to avoid one cause of simultaneous AXFR for the same zone
-- [commit 719f902](https://github.com/PowerDNS/pdns/commit/719f902): fix dual-stack superslave when multiple namservers share a ip
-- [commit 33966bf](https://github.com/PowerDNS/pdns/commit/33966bf): avoid address truncation in doNotifications
-- [commit eac85b1](https://github.com/PowerDNS/pdns/commit/eac85b1): prevent duplicate slave notifications caused by different ipv6 address formatting
-- [commit 3c8a711](https://github.com/PowerDNS/pdns/commit/3c8a711): make notification queue ipv6 compatible
-- [commit 0c13e45](https://github.com/PowerDNS/pdns/commit/0c13e45): make isMaster ip check more tolerant for different ipv6 notations
-- Various fixes for possible issues reported by Coverity Scan ([commit f17c93b](https://github.com/PowerDNS/pdns/commit/f17c93b), )
-- [commit 9083987](https://github.com/PowerDNS/pdns/commit/9083987): don't rely on included polarssl header files when using system polarssl. Spotted by Oden Eriksson of Mandriva, thanks!
-- Various users reported pdns\_control hangs, especially when using the guardian. We are confident that all causes of these hangs are now gone.
-- Decreasing the webserver ringbuffer size could cause crashes.
-- [commit 4c89cce](https://github.com/PowerDNS/pdns/commit/4c89cce): nproxy: Add missing chdir("/") after chroot()
-- [commit 016a0ab](https://github.com/PowerDNS/pdns/commit/016a0ab): actually notice timeout during AXFR retrieve, thanks hkraal
-
-## REST API changes
-- The REST API was much improved and is nearing stability, thanks to Christian Hofstaedtler and others.
-- Mark Schouten at Tuxis contributed a zone importer.
-
-## Other changes
-- Our tarballs and packages now include *.sql schema files for the SQL backends.
-- The webserver (including API) now has an ACL (webserver-allow-from).
-- Webserver (including API) is now powered by YaHTTP.
-- Various autotools usage improvements from Ruben Kerkhof.
-- The dist tarball is now bzip2-compressed instead of gzip.
-- Various remotebackend updates, including replacing curl with (included) yahttp.
-- Dynamic module loading is now allowed on Mac OS X.
-- The AXFR ACL (allow-axfr-ips) now defaults to 127.0.0.0/8,::1 instead of the whole world.
-- [commit ba91c2f](https://github.com/PowerDNS/pdns/commit/ba91c2f): remove unused gpgsql-socket option and document postgres socket usage
-- Improved support for Lua 5.2.
-- The edns-subnet option code is now fixed at 8, and the edns-subnet-option-numbers option has been removed.
-- geobackend now has very limited edns-subnet support - it will use the 'real' remote if available.
-- pipebackend ABI v4 adds the zone name to the AXFR command.
-- We now [avoid getaddrinfo()](http://blog.powerdns.com/2014/05/21/a-surprising-discovery-on-converting-ipv6-addresses-we-no-longer-prefer-getaddrinfo/) as much as possible.
-- The packet cache now handles (forwarded) recursive answers better, including TTL aging and respecting allow-recursion.
-- [commit ff5ba4f](https://github.com/PowerDNS/pdns/commit/ff5ba4f): pdns\_server --help no longer exits with 1.
-- Mark Zealey contributed an experimental LMDB backend. Kees Monshouwer added experimental DNSSEC support to it. Thanks, both!
-- [commit 81859ba](https://github.com/PowerDNS/pdns/commit/81859ba): No longer attempt to answer questions coming in from port 0, reply would not reach them anyhow. Thanks to Niels Bakker and sid3windr for insight & debugging. Closes [ticket 844](https://github.com/PowerDNS/pdns/issues/844).
-- RCodes are now reported in text in various places, thanks Aki.
-- Kees Monshouwer set up automatic testing for the oracle and goracle backends, and fixed various issues in them.
-- Leftovers of previous support for Windows have been removed, thanks to Kees Monshouwer, Aki Tuomi.
-- Bundled PolarSSL has been upgraded to 1.3.2
-- PolarSSL replaced previously bundled implementations of AES ([commit e22d9b4](https://github.com/PowerDNS/pdns/commit/e22d9b4)) and SHA ([commit 9101035](https://github.com/PowerDNS/pdns/commit/9101035))
-- bindbackend is now a module
-- [commit 14a2e52](https://github.com/PowerDNS/pdns/commit/14a2e52): Use the inet data type for supermasters.ip on postgresql.
-- We now send an empty SERVFAIL when a CNAME chain is too long, instead of including the partial chain.
-- [commit 3613a51](https://github.com/PowerDNS/pdns/commit/3613a51): Show built-in features in --version output
-- [commit 4bd7d35](https://github.com/PowerDNS/pdns/commit/4bd7d35): make domainmetadata queries case insensitive
-- [commit 088c334](https://github.com/PowerDNS/pdns/commit/088c334): output warning message when no to be notified NS's are found
-- [commit 5631b44](https://github.com/PowerDNS/pdns/commit/5631b44): gpsqlbackend: use empty defaults for dbname and user; libpq will use the current user name for both by default
-- [commit d87ded3](https://github.com/PowerDNS/pdns/commit/d87ded3): implement udp-truncation-threshold to override the previous 1680 byte maximum response datagram size - no matter what EDNS0 said. Plus document it.
-- Implement udp-truncation-threshold to override the previous 1680 byte maximum response datagram size - no matter what EDNS0 said.
-- Removed settings related to fancy records, as we haven't supported those since version 3.0
-- Based on earlier work by Mark Zealey, Kees Monshouwer increased our packet cache performance between 200% and 500% depending on the situation, by simplifying some code in [commit 801812e](https://github.com/PowerDNS/pdns/commit/801812e) and [commit 8403ade](https://github.com/PowerDNS/pdns/commit/8403ade).
-
-# PowerDNS Recursor 3.6.1
-**Warning**: Version 3.6.1 is a mandatory security upgrade to 3.6.0! Released on the 10th of September 2014.
-
-PowerDNS Recursor 3.6.0 could crash with a specific sequence of packets. For more details, see [the advisory](security/powerdns-advisory-2014-01.md). PowerDNS Recursor 3.6.1 was very well tested, and is in full production already, so it should be a safe upgrade.
-
-## Downloads
-- [Official download page](https://www.powerdns.com/downloads.html)
-
-In addition to various fixes related to this potential crash, 3.6.1 fixes a few minor issues and adds a debugging feature:
-
-- We could not encode IPv6 AAAA records that mapped to IPv4 addresses in some cases (:ffff.1.2.3.4). Fixed in [commit c90fcbd](https://github.com/PowerDNS/pdns/commit/c90fcbd) , closing [ticket 1663](https://github.com/PowerDNS/pdns/issues/1663).
-- Improve systemd startup timing with respect to network availability ([commit cf86c6a](https://github.com/PowerDNS/pdns/commit/cf86c6a)), thanks to Morten Stevens.
-- Realtime telemetry can now be enabled at runtime, for example with 'rec\_control carbon-server 82.94.213.34 ourname1234'. This ties in to our existing carbon-server and carbon-ourname settings, but now at runtime. This specific invocation will make your stats appear automatically on our [public telemetry server](http://xs.powerdns.com/metronome/?server=pdns.xs.recursor&beginTime=-3600).
-
-# PowerDNS Recursor version 3.6.0
-This is a performance, feature and bugfix update to 3.5/3.5.3. It contains important fixes for slightly broken domain names, which your users expect to work anyhow. It also brings robust resilience against certain classes of attacks.
-
-## Downloads
-- [Official download page](https://www.powerdns.com/downloads.html)
-- [native RHEL5/6 packages from Kees Monshouwer](https://www.monshouwer.eu/download/3rd_party/pdns-recursor/)
-
-## Changes between RC1 and release
-- [commit 30b13ef](https://github.com/PowerDNS/pdns/commit/30b13ef): do not apply some of our filters to root and gtlds, plus remove some useless {}
-- [commit cc81d90](https://github.com/PowerDNS/pdns/commit/cc81d90): fix yahttp copy in dist-recursor for BSD cp
-- [commit b798618](https://github.com/PowerDNS/pdns/commit/b798618): define \_\_APPLE\_USE\_RFC\_3542 during recursor build on Darwin, fixes [ticket 1449](https://github.com/PowerDNS/pdns/issues/1449)
-- [commit 1d7f863](https://github.com/PowerDNS/pdns/commit/1d7f863): Merge pull request [ticket 1443](https://github.com/PowerDNS/pdns/issues/1443) from zeha/recursor-nostrip
-- [commit 5cdeede](https://github.com/PowerDNS/pdns/commit/5cdeede): remove (non-working) [aaaa-]additional-processing flags from the recursor. Closes [ticket 1448](https://github.com/PowerDNS/pdns/issues/1448)
-- [commit 984d747](https://github.com/PowerDNS/pdns/commit/984d747): Support building recursor on kFreeBSD and Hurd
-- [commit 79240f1](https://github.com/PowerDNS/pdns/commit/79240f1): Allow not stripping of binaries in recursor's make install
-- [commit e9c2ad3](https://github.com/PowerDNS/pdns/commit/e9c2ad3): document pdns.DROP for recursor, add policy-drops metric for it
-
-## New features
-- [commit aadceba](https://github.com/PowerDNS/pdns/commit/aadceba): Implement minimum-ttl-override config setting, plus runtime configurability via 'rec\_control set-minimum-ttl'.
-- Lots of work on the JSON API, which is exposed via Aki Tuomi's 'yahttp'. Massive thanks to Christian Hofstaedtler for delivering this exciting new functionality. Documentation & demo forthcoming, but code to use it is available [on GitHub](https://github.com/powerdns/pdnscontrol).
-- Lua modules can now use 'pdnslog(INFO..'), as described in [ticket 1074](https://github.com/PowerDNS/pdns/issues/1074), implemented in [commit 674a305](https://github.com/PowerDNS/pdns/commit/674a305)
-- Adopt any-to-tcp feature to the recursor. Based on a patch by Winfried Angele. Closes [ticket 836](https://github.com/PowerDNS/pdns/issues/836), [commit 56b4d21](https://github.com/PowerDNS/pdns/commit/56b4d21) and [commit e661a20](https://github.com/PowerDNS/pdns/commit/e661a20).
-- [commit 2c78bd5](https://github.com/PowerDNS/pdns/commit/2c78bd5): implement built-in statistics dumper using the 'carbon' protocol, which is also understood by metronome (our mini-graphite). Use 'carbon-server', 'carbon-ourname' and 'carbon-interval' settings.
-- New setting 'udp-truncation-threshold' to configure from how many bytes we should truncate. [commit a09a8ce](https://github.com/PowerDNS/pdns/commit/a09a8ce).
-- Proper support for CHaos class for CHAOS TXT queries. [commit c86e1f2](https://github.com/PowerDNS/pdns/commit/c86e1f2), addition for lua in [commit f94c53d](https://github.com/PowerDNS/pdns/commit/f94c53d), some warnings in [commit 438db54](https://github.com/PowerDNS/pdns/commit/438db54) however.
-- Added support for Lua scripts to drop queries w/o further processing. [commit 0478c54](https://github.com/PowerDNS/pdns/commit/0478c54).
-- Kevin Holly added qtype statistics to recursor and rec\_control (get-qtypelist) ([commit 79332bf](https://github.com/PowerDNS/pdns/commit/79332bf))
-- Add support for include-files in configuration, also reload ACLs and zones defined in them ([commit 829849d](https://github.com/PowerDNS/pdns/commit/829849d), [commit 242b90e](https://github.com/PowerDNS/pdns/commit/242b90e), [commit 302df81](https://github.com/PowerDNS/pdns/commit/302df81)).
-- Paulo Anes contributed server-down-max-fails which helps combat Recursive DNS based amplification attacks. Described in [this post](http://blog.powerdns.com/2014/04/03/further-dos-guidance-packages-and-patches-available/). Also comes with new metric 'failed-host-entries' in [commit 406f46f](https://github.com/PowerDNS/pdns/commit/406f46f).
-- [commit 21e7976](https://github.com/PowerDNS/pdns/commit/21e7976): Implement "followCNAMERecords" feature in the Lua hooks.
-
-## Improvements
-- [commit 06ea901](https://github.com/PowerDNS/pdns/commit/06ea901): make pdns-distributes-queries use a hash so related queries get sent to the same thread. Original idea by Winfried Angele. Astoundingly effective, approximately halves CPU usage!
-- [commit b13e737](https://github.com/PowerDNS/pdns/commit/b13e737): --help now writes to stdout instead of stderr. Thanks Winfried Angele.
-- To aid in limiting DoS attacks, when truncating a response, we actually truncate all the way so only the question remains. Suggested in [ticket 1092](https://github.com/PowerDNS/pdns/issues/1092), code in [commit add935a](https://github.com/PowerDNS/pdns/commit/add935a).
-- No longer experimental, the switch 'pdns-distributes-queries' can improve multi-threaded performance on Linux (various cleanup commits).
-- Update to embedded PolarSSL, plus remove previous AES implementation and shift to PolarSSL ([commit e22d9b4](https://github.com/PowerDNS/pdns/commit/e22d9b4), [commit 990ad9a](https://github.com/PowerDNS/pdns/commit/990ad9a))
-- [commit 92c0733](https://github.com/PowerDNS/pdns/commit/92c0733) moves various Lua magic constants into an enum namespace.
-- set group and supplementary groups before chroot ([commit 6ee50ce](https://github.com/PowerDNS/pdns/commit/6ee50ce), [ticket 1198](https://github.com/PowerDNS/pdns/issues/1198)).
-- [commit 4e9a20e](https://github.com/PowerDNS/pdns/commit/4e9a20e): raise our socket buffer setting so it no longer generates a warning about lowering it.
-- [commit 4e9a20e](https://github.com/PowerDNS/pdns/commit/4e9a20e): warn about Linux suboptimal IPv6 settings if we detect them.
-- SIGUSR2 turns on a 'trace' of all DNS traffic, a second SIGUSR2 now turns it off again. [commit 4f217ce](https://github.com/PowerDNS/pdns/commit/4f217ce).
-- Various fixes for Lua 5.2.
-- [commit 81859ba](https://github.com/PowerDNS/pdns/commit/81859ba): No longer attempt to answer questions coming in from port 0, reply would not reach them anyhow. Thanks to Niels Bakker and 'sid3windr' for insight & debugging. Closes [ticket 844](https://github.com/PowerDNS/pdns/issues/844).
-- [commit b1a2d6c](https://github.com/PowerDNS/pdns/commit/b1a2d6c): now, I'm not one to get OCD over things, but that log message about stats based on 1801 seconds got to me. 1800 now.
-
-## Fixes
-- 0c9de4fc: stay away from getaddrinfo unless we really can't help it for ascii ipv6 conversions to binary
-- [commit 08f3f63](https://github.com/PowerDNS/pdns/commit/08f3f63): fix average latency calculation, closing [ticket 424](https://github.com/PowerDNS/pdns/issues/424).
-- [commit 75ba907](https://github.com/PowerDNS/pdns/commit/75ba907): Some of our counters were still 32 bits, now 64.
-- [commit 2f22827](https://github.com/PowerDNS/pdns/commit/2f22827): Fix statistics and stability when running with pdns-distributes-queries.
-- [commit 6196f90](https://github.com/PowerDNS/pdns/commit/6196f90): avoid merging old and new additional data, fixes an issue caused by weird (but probably legal) Akamai behaviour
-- [commit 3a8a4d6](https://github.com/PowerDNS/pdns/commit/3a8a4d6): make sure we don't exceed the number of available filedescriptors for mthreads. Raises performance in case of DoS. See [this post](http://blog.powerdns.com/2014/02/06/related-to-recent-dos-attacks-recursor-configuration-file-guidance/) for further details.
-- [commit 7313fe6](https://github.com/PowerDNS/pdns/commit/7313fe6): implement indexed packet cache wiping for recursor, orders of magnitude faster. Important when reloading all zones, which causes massive cache cleaning.
-- rec\_control get-all would include 'cache-bytes' and 'packetcache-bytes', which were expensive operations, too expensive for frequent polling. Removed in [commit 8e42d27](https://github.com/PowerDNS/pdns/commit/8e42d27).
-- All old workarounds for supporting Windows of the XP era have been removed.
-- Fix issues on S390X based systems which have unsigned characters ([commit 916a0fd](https://github.com/PowerDNS/pdns/commit/916a0fd))
-
-# PowerDNS Authoritative Server version 3.3.1
-Released December 17th, 2013
-
-This is a bugfix update to 3.3.
-
-## Downloads
-- [Official download page](http://www.powerdns.com/content/downloads.html)
-- [native RHEL5/6 packages from Kees Monshouwer](http://www.monshouwer.eu/download/3rd_party/pdns-server/)
-
-## Changes since 3.3
-- direct-dnskey is no longer experimental, thanks Kees Monshouwer & co for extensive testing ([commit e4b36a4](https://github.com/PowerDNS/pdns/commit/e4b36a4)).
-- Handle signals during poll ([commit 5dde2c6](https://github.com/PowerDNS/pdns/commit/5dde2c6)).
-- [commit 7538e56](https://github.com/PowerDNS/pdns/commit/7538e56): Fix zone2{sql,json} exit codes
-- [commit 7593c40](https://github.com/PowerDNS/pdns/commit/7593c40): geobackend: fix possible nullptr deref
-- [commit 3506cc6](https://github.com/PowerDNS/pdns/commit/3506cc6): gpsqlbackend: don't append empty dbname=/user= values to connect string
-- gpgsql queries were simplified through the use of casting ([commit 9a6e39c](https://github.com/PowerDNS/pdns/commit/9a6e39c)).
-- [commit a7aa9be](https://github.com/PowerDNS/pdns/commit/a7aa9be): Replace hardcoded make with variable
-- [commit e4fe901](https://github.com/PowerDNS/pdns/commit/e4fe901): make sure to run PKG\_PROG\_PKG\_CONFIG before the first PKG\_* usage
-- [commit 29bf169](https://github.com/PowerDNS/pdns/commit/29bf169): fix hmac-md5 TSIG key lookup
-- [commit c4e348b](https://github.com/PowerDNS/pdns/commit/c4e348b): fix 64+ character TSIG keys
-- [commit 00a7b25](https://github.com/PowerDNS/pdns/commit/00a7b25): Fix comparison between signed and unsigned by using uint32\_t for inception on INCEPTION-EPOCH
-- [commit d3f6432](https://github.com/PowerDNS/pdns/commit/d3f6432): fix building on os x 10.9, thanks Martijn Bakker.
-- We now allow building against Lua 5.2 ([commit bef3000](https://github.com/PowerDNS/pdns/commit/bef3000), [commit 2bdd03b](https://github.com/PowerDNS/pdns/commit/2bdd03b), [commit 88d9e99](https://github.com/PowerDNS/pdns/commit/88d9e99)).
-- [commit fa1f845](https://github.com/PowerDNS/pdns/commit/fa1f845): autodetect MySQL 5.5+ connection charset
-- When misconfigured using 'right' timezones, a bug in (g)libc gmtime breaks our signatures. Fixed in [commit e4faf74](https://github.com/PowerDNS/pdns/commit/e4faf74) by Kees Monshouwer by implementing our own gmtime\_r.
-- When sending SERVFAIL due to a CNAME loop, don't uselessly include the CNAMEs ([commit dfd1b82](https://github.com/PowerDNS/pdns/commit/dfd1b82)).
-- Build fixes for platforms with 'weird' types (like s390/s390x): [commit c669f7c](https://github.com/PowerDNS/pdns/commit/c669f7c) ([details](http://blog.powerdns.com/2013/10/28/on-ragel-and-char-types/)), [commit 07b904e](https://github.com/PowerDNS/pdns/commit/07b904e) and [commit 2400764](https://github.com/PowerDNS/pdns/commit/2400764).
-- Support for += syntax for options, [commit 98dd325](https://github.com/PowerDNS/pdns/commit/98dd325) and others.
-- [commit f8f29f4](https://github.com/PowerDNS/pdns/commit/f8f29f4): nproxy: Add missing chdir("/") after chroot()
-- [commit 2e6e9ad](https://github.com/PowerDNS/pdns/commit/2e6e9ad): fix for "missing" libmysqlclient on RHEL/CentOS based systems
-- pdnssec check-zone improvements in [commit 5205892](https://github.com/PowerDNS/pdns/commit/5205892), [commit edb255f](https://github.com/PowerDNS/pdns/commit/edb255f), [commit 0dde9d0](https://github.com/PowerDNS/pdns/commit/0dde9d0), [commit 07ee700](https://github.com/PowerDNS/pdns/commit/07ee700), [commit 79a3091](https://github.com/PowerDNS/pdns/commit/79a3091), [commit 08f3452](https://github.com/PowerDNS/pdns/commit/08f3452), [commit bcf9daf](https://github.com/PowerDNS/pdns/commit/bcf9daf), [commit c9a3dd7](https://github.com/PowerDNS/pdns/commit/c9a3dd7), [commit 6ebfd08](https://github.com/PowerDNS/pdns/commit/6ebfd08), [commit fd53bd0](https://github.com/PowerDNS/pdns/commit/fd53bd0), [commit 7eaa83a](https://github.com/PowerDNS/pdns/commit/7eaa83a), [commit e319467](https://github.com/PowerDNS/pdns/commit/e319467), ,
-- NSEC/NSEC3 fixes in [commit 3191709](https://github.com/PowerDNS/pdns/commit/3191709), [commit f75293f](https://github.com/PowerDNS/pdns/commit/f75293f), [commit cd30e94](https://github.com/PowerDNS/pdns/commit/cd30e94), [commit 74baf86](https://github.com/PowerDNS/pdns/commit/74baf86), [commit 1fa8b2b](https://github.com/PowerDNS/pdns/commit/1fa8b2b)
-- The webserver could crash when the ring buffers were resized, fixed in [commit 3dfb45f](https://github.com/PowerDNS/pdns/commit/3dfb45f).
-- [commit 213ec4a](https://github.com/PowerDNS/pdns/commit/213ec4a): add constraints for name to pg schema
-- [commit f104427](https://github.com/PowerDNS/pdns/commit/f104427): make domainmetadata queries case insensitive
-- [commit 78fc378](https://github.com/PowerDNS/pdns/commit/78fc378): no label compression for name in TSIG records
-- [commit 15d6ffb](https://github.com/PowerDNS/pdns/commit/15d6ffb): pdnssec now outputs ZSK DNSKEY records if experimental-direct-dnskey support is enabled (renamed to direct-dnskey before release!)
-- [commit ad67d0e](https://github.com/PowerDNS/pdns/commit/ad67d0e): drop cryptopp from static build as libcryptopp.a is broken on Debian 7, which is what we build on
-- [commit 7632dd8](https://github.com/PowerDNS/pdns/commit/7632dd8): support polarssl 1.3 externally.
-- Remotebackend was fully updated in various commits.
-- [commit 82def39](https://github.com/PowerDNS/pdns/commit/82def39): SOA-EDIT: fix INCEPTION-INCREMENT handling
-- [commit a3a546c](https://github.com/PowerDNS/pdns/commit/a3a546c): add innodb-read-committed option to gmysql settings.
-- [commit 9c56e16](https://github.com/PowerDNS/pdns/commit/9c56e16): actually notice timeout during AXFR retrieve, thanks hkraal
-
-# PowerDNS Recursor version 3.5.3
-Released September 17th, 2013
-
-This is a bugfix and performance update to 3.5.2. It brings serious performance improvements for dual stack users.
-
-## Downloads
-- [Official download page](https://www.powerdns.com/downloads.html)
-- [native RHEL5/6 packages from Kees Monshouwer](http://www.monshouwer.eu/download/3rd_party/pdns-recursor/)
-
-## Changes since 3.5.2
-- 3.5 replaced our ANY query with A+AAAA for users with IPv6 enabled. Extensive measurements by Darren Gamble showed that this change had a non-trivial performance impact. We now do the ANY query like before, but fall back to the individual A+AAAA queries when necessary. Change in [commit 1147a8b](https://github.com/PowerDNS/pdns/commit/1147a8b).
-- The IPv6 address for d.root-servers.net was added in [commit 66cf384](https://github.com/PowerDNS/pdns/commit/66cf384), thanks Ralf van der Enden.
-- We now drop packets with a non-zero opcode (i.e. special packets like DNS UPDATE) earlier on. If the experimental pdns-distributes-queries flag is enabled, this fix avoids a crash. Normal setups were never susceptible to this crash. Code in [commit 35bc40d](https://github.com/PowerDNS/pdns/commit/35bc40d), closes [ticket 945](https://github.com/PowerDNS/pdns/issues/945).
-- TXT handling was somewhat improved in [commit 4b57460](https://github.com/PowerDNS/pdns/commit/4b57460), closing [ticket 795](https://github.com/PowerDNS/pdns/issues/795).
-
-# PowerDNS Recursor version 3.5.2
-Released June 7th, 2013
-
-This is a stability and bugfix update to 3.5.1. It contains important fixes that improve operation for certain domains.
-
-## Downloads
-- [Official download page](https://www.powerdns.com/downloads.html)
-- [native RHEL5/6 packages from Kees Monshouwer](http://www.monshouwer.eu/download/3rd_party/pdns-recursor/)
-
-## Changes since 3.5.1
-- Responses without the QR bit set now get matched up to an outstanding query, so that resolution can be aborted early instead of waiting for a timeout. Code in [commit ee90f02](https://github.com/PowerDNS/pdns/commit/ee90f02).
-- The depth limiter changes in 3.5.1 broke some legal domains with lots of indirection. Improved in [commit d393c2d](https://github.com/PowerDNS/pdns/commit/d393c2d).
-- Slightly improved logging to aid debugging. Code in [commit 437824d](https://github.com/PowerDNS/pdns/commit/437824d) and [commit 182005e](https://github.com/PowerDNS/pdns/commit/182005e).
-
-# PowerDNS Authoritative Server version 3.3
-Released on July 5th 2013
-
-This a stability, bugfix and conformity update to 3.2. It improves interoperability with various validators, either through bugfixes or by catering to their needs beyond the specifications.
-
-**Warning**: Version 3.3 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. There are also some important changes if you are coming from 3.0, 3.1 or 3.2. Please refer to the [Upgrade documentation](authoritative/upgrading.md) for important information on correct and stable operation, as well as notes on performance and memory use.
-
-## Downloads
-- [Official download page](http://www.powerdns.com/content/downloads.html)
-- [native RHEL5/6 packages from Kees Monshouwer](http://www.monshouwer.eu/download/3rd_party/pdns-server/)
-
-## Changes between RC2 and final
-- pdnssec rectify-zone now refuses to operate on presigned zones, as rectification already happens during incoming transfer. Patch by Kees Monshouwer in [commit 9bd211e](https://github.com/PowerDNS/pdns/commit/9bd211e).
-- We now handle zones with a mix of NSEC3 opt-out and non-opt-out ranges correctly during inbound and outbound AXFR. Many thanks to Kees Monshouwer. Code in [commit 5aa7003](https://github.com/PowerDNS/pdns/commit/5aa7003) and [commit d3e7b17](https://github.com/PowerDNS/pdns/commit/d3e7b17).
-- More remotebackend fixes ([commit 32d4f44](https://github.com/PowerDNS/pdns/commit/32d4f44), [commit 44c2ee8](https://github.com/PowerDNS/pdns/commit/44c2ee8), [commit 1fcc7b7](https://github.com/PowerDNS/pdns/commit/1fcc7b7), [commit 0b1a3b2](https://github.com/PowerDNS/pdns/commit/0b1a3b2), [commit 9a319b1](https://github.com/PowerDNS/pdns/commit/9a319b1)), thanks Aki Tuomi.
-- Some compiler warnings were squashed ([commit ed554db](https://github.com/PowerDNS/pdns/commit/ed554db)), thanks Morten Stevens.
-- Fix broken memory access in LOC parser ([commit 4eec51b](https://github.com/PowerDNS/pdns/commit/4eec51b), [commit bea513c](https://github.com/PowerDNS/pdns/commit/bea513c)), thanks Aki Tuomi.
-- DNSSEC: DS queries at the apex of a zone for which we are not hosting the parent, would wrongly get an 'unauth NOERROR'. Fixed by Kees Monshouwer in [commit 34479a6](https://github.com/PowerDNS/pdns/commit/34479a6).
-
-## Changes between RC1 and RC2
-- Added dnstcpbench tool, by popular demand.
-- We always shipped a static tools RPM; we now have a similar Debian package. All packages have been cleaned up a bit, and the binary collections are now consistent between RPM and Deb. New: pass --enable-tools to configure to have the tools included in 'make all' and 'make install'.
-- [commit 4d2e3f5](https://github.com/PowerDNS/pdns/commit/4d2e3f5): add selinux policy files
-- We would sometimes send a single NULL byte, or nothing at all, instead of an OPT record. Fixed in [commit bf7f822](https://github.com/PowerDNS/pdns/commit/bf7f822), [commit 063076b](https://github.com/PowerDNS/pdns/commit/063076b), [commit 90d361d](https://github.com/PowerDNS/pdns/commit/90d361d).
-- [commit 2ee9ba2](https://github.com/PowerDNS/pdns/commit/2ee9ba2): expand any-to-tcp to direct RRSIG queries
-- [commit 5fff084](https://github.com/PowerDNS/pdns/commit/5fff084), [commit e38ef51](https://github.com/PowerDNS/pdns/commit/e38ef51): drop no-op flag strict-rfc-axfrs, thanks Jelte Jansen.
-- [commit f3d8902](https://github.com/PowerDNS/pdns/commit/f3d8902), [commit 7c0b859](https://github.com/PowerDNS/pdns/commit/7c0b859), [commit 5eea730](https://github.com/PowerDNS/pdns/commit/5eea730): Implement MINFO qtype for better interaction when slaving zones from NSD (that contain MINFO). Thanks to Jelte Jansen.
-- [commit 8655a42](https://github.com/PowerDNS/pdns/commit/8655a42), [commit bf79c6a](https://github.com/PowerDNS/pdns/commit/bf79c6a), [commit 38c941b](https://github.com/PowerDNS/pdns/commit/38c941b): SRV record can have a '.' as final field, from which we would dutifully strip the trailing ., leaving void, confusing everything. We now remove the trailing . in the right place, and not if we are trying to server '.'. Again thanks to Jelte & SIDN for catching this.
-- [commit 70d5a66](https://github.com/PowerDNS/pdns/commit/70d5a66): improve error message in ill formed unknown record type, thanks Jelte Jansen for reporting.
-- [commit 3640473](https://github.com/PowerDNS/pdns/commit/3640473): Built in webserver can now listen on IPv6, fixes [ticket 843](https://github.com/PowerDNS/pdns/issues/843). Also silences some useless messages about timeouts.
-- [commit 7db735c](https://github.com/PowerDNS/pdns/commit/7db735c), [commit d72166c](https://github.com/PowerDNS/pdns/commit/d72166c): CHANGES BEHAVIOUR: before we launch, check if we can connect to the controlsocket we are about to obliterate. If it works, abort. Fixes [ticket 841](https://github.com/PowerDNS/pdns/issues/841) and changes standing behaviour. There might be circumstances where PowerDNS now refuses to start, where it previously would. However, starting and making our previous instance mute wasn't good.
-- [commit 9130f9e](https://github.com/PowerDNS/pdns/commit/9130f9e): correctly refuse out-of-zone data in bindbackend, closes [ticket 845](https://github.com/PowerDNS/pdns/issues/845)
-- [commit 3363ef7](https://github.com/PowerDNS/pdns/commit/3363ef7): initialise server-id after all parsing is done, instead of half way through. Fixes situations where server-id was emptied explicitly. Reported by Wouter de Jong
-- [commit cd4f253](https://github.com/PowerDNS/pdns/commit/cd4f253): bump boost requirement, thanks Wouter de Jong
-- [commit 58cad74](https://github.com/PowerDNS/pdns/commit/58cad74): Update pdns auth init script so it works on wheezy
-- [commit 8714c9c](https://github.com/PowerDNS/pdns/commit/8714c9c): clang fixes by Aki Tuomi, thanks!
-- [commit 146601d](https://github.com/PowerDNS/pdns/commit/146601d): stretch supermasters.ip for IPv6, thanks Dennis Krul
-- [commit 1a5c5f9](https://github.com/PowerDNS/pdns/commit/1a5c5f9): various remotebackend improvements by Aki Tuomi
-- [commit 6ab1a11](https://github.com/PowerDNS/pdns/commit/6ab1a11): make sure systemd starts PowerDNS after relevant databases have been started, thanks Morten Stevens.
-- [commit 606018f](https://github.com/PowerDNS/pdns/commit/606018f), [commit ee5e175](https://github.com/PowerDNS/pdns/commit/ee5e175), [commit c76f6f4](https://github.com/PowerDNS/pdns/commit/c76f6f4): check scopeMask of answer packet, not of query packet!
-- [commit 2b18bcf](https://github.com/PowerDNS/pdns/commit/2b18bcf): Added warning if trailing dot is used, thanks Aki Tuomi.
-- [commit 16cf913](https://github.com/PowerDNS/pdns/commit/16cf913): make superfluous 'bind' NSEC3 record optional
-
-## New features and important changes since 3.2 (these changes are in RC1 and up)
-- [commit 04576ee](https://github.com/PowerDNS/pdns/commit/04576ee), [commit b0e15c8](https://github.com/PowerDNS/pdns/commit/b0e15c8): Implement pdnssec increase-serial, thanks Ruben d'Arco.
-- [commit cee857b](https://github.com/PowerDNS/pdns/commit/cee857b): PowerDNS now sets additional groups while dropping privileges.
-- [commit 7796a3b](https://github.com/PowerDNS/pdns/commit/7796a3b): Merge support for include-dir directive, thanks Aki Tuomi!
-- [commit d725755](https://github.com/PowerDNS/pdns/commit/d725755): make pdns-static Conflict with pdns-server, closes [ticket 640](https://github.com/PowerDNS/pdns/issues/640)
-- [commit c0d5504](https://github.com/PowerDNS/pdns/commit/c0d5504): pdnssec now emits 'INSERT INTO domain ..' queries when running without named.conf, thanks Ruben d'Arco.
-- [commit a1d6b0c](https://github.com/PowerDNS/pdns/commit/a1d6b0c): Older versions of the BIND 9 validating recursor need a superfluous NSEC3 record on positive wildcard responses. We now send this extra NSEC3. Closes [ticket 814](https://github.com/PowerDNS/pdns/issues/814).
-- [commit 07bf35d](https://github.com/PowerDNS/pdns/commit/07bf35d): catch a lot more errors in pdnssec and report them. Fixes [ticket 588](https://github.com/PowerDNS/pdns/issues/588).
-- [commit 032e390](https://github.com/PowerDNS/pdns/commit/032e390): make pdnssec exit with 1 on some error conditions, closes [ticket 677](https://github.com/PowerDNS/pdns/issues/677)
-- [commit 4af49b8](https://github.com/PowerDNS/pdns/commit/4af49b8), [commit 4cec6ac](https://github.com/PowerDNS/pdns/commit/4cec6ac): add ability to create an 'active' or inactive key using add-zone-key and import-zone-key, plus silenced some debugging. Fixes [ticket 707](https://github.com/PowerDNS/pdns/issues/707).
-- [commit fae4167](https://github.com/PowerDNS/pdns/commit/fae4167): Compiling against Lua 5.2 (--with-lua=lua5.2) now disables some code used for regression testing, instead of breaking during compile. This means that Lua 5.2 can be used in production.
-- [commit abc8f3f](https://github.com/PowerDNS/pdns/commit/abc8f3f), [357f6a7](https://github.com/PowerDNS/pdns/commit/357f6a7): Implement the new any-to-tcp option that, when set, always replies with a truncated response (TC=1) to ANY queries, forcing them to use TCP.
-- [commit 496073b](https://github.com/PowerDNS/pdns/commit/496073b): Since 3.0, pdnssec secure-zone has always generated 3 keys: one KSK and two ZSK, with one ZSK active. For most, if not almost all, users, this inactive ZSK is never used. We now no longer generate this useless ZSK. The resulting smaller DNSKEY RRset improves interoperability with certain validators. Closes [ticket 824](https://github.com/PowerDNS/pdns/issues/824).
-- [commit df55450](https://github.com/PowerDNS/pdns/commit/df55450): Non-DNSSEC ANY queries no longer get sent DNSSEC records. This improves interoperability with some old resolvers. Patch by Kees Monshouwer.
-- [commit 04b4bf6](https://github.com/PowerDNS/pdns/commit/04b4bf6): Merge support for not using opt-out with NSEC3. Many thanks to Kees Monshouwer.
-- [commit 8db49a6](https://github.com/PowerDNS/pdns/commit/8db49a6): We now try not to NOTIFY ourselves. In convoluted cases involving REUSE\_PORT and binding to 0.0.0.0 and ::, it might be possible that we guess wrong, in which case you can set prevent-self-notification to off.
-
-## Important bug fixes
-- [commit 63e365d](https://github.com/PowerDNS/pdns/commit/63e365d): don't mess up encoding when copying qname from question to answer in packetcache. Based on reports&debugging by Jimmy Bergman (sigint), Daniel Norman (Loopia) and the fine people at ISC. This avoids most issues related to BIND 9 erroneously blacklisting PowerDNS for lack of EDNS support.
-- [commit 3526186](https://github.com/PowerDNS/pdns/commit/3526186): fix backslash handling in TXT parser, includes test. Thanks Jan-Piet Mens.
-- [commit 830281f](https://github.com/PowerDNS/pdns/commit/830281f), [aef7330](https://github.com/PowerDNS/pdns/commit/aef7330): Accept chars \>127 ('high ASCII') in TXT records, closing [ticket 541](https://github.com/PowerDNS/pdns/issues/541) and [723](https://github.com/PowerDNS/pdns/issues/723).
-- [commit feef1ec](https://github.com/PowerDNS/pdns/commit/feef1ec): fix missing NSEC3 for secure delegation, thanks Kees Monshouwer, closes [ticket 682](https://github.com/PowerDNS/pdns/issues/682)
-- [commit b61e407](https://github.com/PowerDNS/pdns/commit/b61e407): around Thursday midnight, during signature rollovers, we would update the SOA serial too early. Fixed by reverting [commit d90efbf](https://github.com/PowerDNS/pdns/commit/d90efbf), adding 7 days margin to inception. Fix by Kees Monshouwer.
-- [commit ff64750](https://github.com/PowerDNS/pdns/commit/ff64750): make sure mixed-case queries get a correct apex NSEC3 type bitmap
-- [commit 4b153d8](https://github.com/PowerDNS/pdns/commit/4b153d8): always lowercase next name in NSEC to avoid interop troubles with validators, thanks Marco Davids&Matthijs Mekking.
-
-## Other changes
-- [commit 49977c6](https://github.com/PowerDNS/pdns/commit/49977c6): fix bug in boost.m4 where it insists on setting -L, causing useless RPATH in our binaries. Closes [ticket 728](https://github.com/PowerDNS/pdns/issues/728)
-- [commit 62ac758](https://github.com/PowerDNS/pdns/commit/62ac758): use PolarSSL for MD5 hashing instead of shipping our own copy of md5 hashing code, thanks Aki Tuomi.
-- [commit 775acd9](https://github.com/PowerDNS/pdns/commit/775acd9): give a better error on trying to add nsec3 parameters to a weird zone like "1 0 1 ab" (which indicates that you forgot to specify a zone name on the command line). Fixes [ticket 800](https://github.com/PowerDNS/pdns/issues/800).
-- [commit 315dd2e](https://github.com/PowerDNS/pdns/commit/315dd2e): Simplify socket listening code, and make sure we always set the nonblocking flag correctly. Patch by Mark Zealey, closes [ticket 664](https://github.com/PowerDNS/pdns/issues/664).
-- [commit b35da1b](https://github.com/PowerDNS/pdns/commit/b35da1b): if\_ether.h is in netinet/ not net/ on OpenBSD, thanks Florian Obser.
-- [commit 71301b6](https://github.com/PowerDNS/pdns/commit/71301b6): Replicate gsql backend feature of having separate -auth queries for DNSSEC into oraclebackend. Also lets you disable dnssec if you are not ready for it. Closes [ticket 527](https://github.com/PowerDNS/pdns/issues/527), patch by Aki Tuomi.
-- [commit 2125dac](https://github.com/PowerDNS/pdns/commit/2125dac): drop unused ignore-rd-bit flag
-- [commit 8c1a6d6](https://github.com/PowerDNS/pdns/commit/8c1a6d6): NSECx optimizations, thanks Kees Monshouwer.
-- [commit 664716a](https://github.com/PowerDNS/pdns/commit/664716a): drop unused variables in lua backend ( [ticket 653](https://github.com/PowerDNS/pdns/issues/653))
-- [commit d8ec70f](https://github.com/PowerDNS/pdns/commit/d8ec70f): fix db2 backend includes ( [ticket 653](https://github.com/PowerDNS/pdns/issues/653))
-- [commit 6477102](https://github.com/PowerDNS/pdns/commit/6477102): add goracle schema, thanks Aki Tuomi.
-- [commit 9118638](https://github.com/PowerDNS/pdns/commit/9118638): make goraclebackend "at least work", closes [ticket 729](https://github.com/PowerDNS/pdns/issues/729), thanks Aki Tuomi.
-- [commit e0ad7bb](https://github.com/PowerDNS/pdns/commit/e0ad7bb): add DS digest type 4 to show-zone output; add algorithm names. Based on a patch by Aki Tuomi, closes [ticket 744](https://github.com/PowerDNS/pdns/issues/744)
-- [commit 61a7fac](https://github.com/PowerDNS/pdns/commit/61a7fac): enable AM\_SILENT\_RULES, closing [ticket 647](https://github.com/PowerDNS/pdns/issues/647)
-- [commit 837f4b4](https://github.com/PowerDNS/pdns/commit/837f4b4): do a better job at escaping TXT, fixes [ticket 795](https://github.com/PowerDNS/pdns/issues/795)
-- [commit 6ca3fa7](https://github.com/PowerDNS/pdns/commit/6ca3fa7): add SOA-EDIT INCEPTION-INCREMENT mode, thanks stbuehler
-- [commit 6159c49](https://github.com/PowerDNS/pdns/commit/6159c49): Add connection info to sql-connect message
-- [commit 9f62e34](https://github.com/PowerDNS/pdns/commit/9f62e34), [commit 0fc965f](https://github.com/PowerDNS/pdns/commit/0fc965f), [commit 2035112](https://github.com/PowerDNS/pdns/commit/2035112): Added EUI48 and EUI64 record types
-- [commit f9cf6d9](https://github.com/PowerDNS/pdns/commit/f9cf6d9): cut the number of database queries in half for AXFR-in, thanks Kees Monshouwer.
-- [commit c87f987](https://github.com/PowerDNS/pdns/commit/c87f987): add default for SOA contact e-mail
-- [commit bb4a573](https://github.com/PowerDNS/pdns/commit/bb4a573): move random backend to modules, thanks Kees Monshouwer.
-- [commit 1071abd](https://github.com/PowerDNS/pdns/commit/1071abd): restyle builtin webserver page, thanks Christian Hofstaedtler.
-- [commit cd5e158](https://github.com/PowerDNS/pdns/commit/cd5e158): correct bogus use of poll(2) related constants, improving non-Linux portability. Thanks Wouter de Jong.
-- [commit 27ff60a](https://github.com/PowerDNS/pdns/commit/27ff60a): make sure our NSEC(3)s for names with spaces in them are correct. Reported by Jimmy Bergman. Includes test.
-- [commit 116e28a](https://github.com/PowerDNS/pdns/commit/116e28a): reduce log level of successful gpgsql/gsqlite3 connection to Info
-- [commit b23b90a](https://github.com/PowerDNS/pdns/commit/b23b90a): Metadata update is now in the same transaction as the AXFR. This improves slaving speed tremendously, especially for SQLite users. Patch by Kees Monshouwer.
-- [commit 4620e8a](https://github.com/PowerDNS/pdns/commit/4620e8a): Added zone2json, thanks Aki Tuomi.
-- [commit f0fa8b6](https://github.com/PowerDNS/pdns/commit/f0fa8b6): Fix remotebackend setdomainmetadata return value handling. Fix by Aki Tuomi, closes [ticket 740](https://github.com/PowerDNS/pdns/issues/740).
-- [commit 80e82d6](https://github.com/PowerDNS/pdns/commit/80e82d6): log control listener abort even more explicitly.
-- [commit 7c0cb15](https://github.com/PowerDNS/pdns/commit/7c0cb15), [a718d74](https://github.com/PowerDNS/pdns/commit/a718d74): support automake 1.12
-- [commit 3fe22eb](https://github.com/PowerDNS/pdns/commit/3fe22eb), [6707cb1](https://github.com/PowerDNS/pdns/commit/6707cb1): update autoconf/automake preamble to non-deprecated variant, thanks Morten Stevens
-- [commit 6c4e531](https://github.com/PowerDNS/pdns/commit/6c4e531): disarm dead code that causes gcc crashes on ARM, thanks Morten Stevens.
-- [commit 36855b5](https://github.com/PowerDNS/pdns/commit/36855b5): if we failed to make a new UDP socket, we'd report a confusing error about it.
-- [commit 1b8e5e6](https://github.com/PowerDNS/pdns/commit/1b8e5e6): autoconf support for oracle, thanks Aki Tuomi. Closes [ticket 726](https://github.com/PowerDNS/pdns/issues/726).
-- [commit 8ac0c06](https://github.com/PowerDNS/pdns/commit/8ac0c06): allow setting of some oracle env vars. Patch by Aki Tuomi, closes [ticket 725](https://github.com/PowerDNS/pdns/issues/725).
-- [commit 45e845b](https://github.com/PowerDNS/pdns/commit/45e845b): add example.rb sample script for remotebackend, thanks Aki Tuomi.
-- [commit 950bddd](https://github.com/PowerDNS/pdns/commit/950bddd): add pdnssec generate-zone-key command, thanks Aki. Closes [ticket 711](https://github.com/PowerDNS/pdns/issues/711).
-- [commit 2c03cde](https://github.com/PowerDNS/pdns/commit/2c03cde): Replace select with waitForData in remotebackend. Patch by Aki Tuomi, closes [ticket 715](https://github.com/PowerDNS/pdns/issues/715).
-- [commit 450292c](https://github.com/PowerDNS/pdns/commit/450292c): accept ANY responses during recursive forwarding, thanks Jan-Piet Mens.
-- [commit d9dd76b](https://github.com/PowerDNS/pdns/commit/d9dd76b): actually clean up unix domain sockets too after use.
-- [commit 36758d2](https://github.com/PowerDNS/pdns/commit/36758d2): merge [ticket 476](https://github.com/PowerDNS/pdns/issues/476) by Aki Tuomi, providing default-ksk/zsk-algorithms/size configuration parameters for pdnssec.
-- [commit 2f2b014](https://github.com/PowerDNS/pdns/commit/2f2b014): apply variant of code in [ticket 714](https://github.com/PowerDNS/pdns/issues/714) so we can lauch pipe backend scripts with parameters, plus add experimental code that if pipe-command is a unix domain socket, we use that.
-- [commit 9566683](https://github.com/PowerDNS/pdns/commit/9566683): merge patch from ticket 712 addressing memory leak in remotebackend, thanks Aki.
-- [commit fb6ed6f](https://github.com/PowerDNS/pdns/commit/fb6ed6f): explicitly set domain id during bindbackend superslave domain create, thanks Kees Monshouwer&Aki Tuomi.
-- [commit 69bae20](https://github.com/PowerDNS/pdns/commit/69bae20): use private temp dir when running under systemd, thanks Morten Stevens&Ruben Kerkhof.
-- [commit b26a48a](https://github.com/PowerDNS/pdns/commit/b26a48a): fix rapidjson usage in remotebackend, patch by Aki Tuomi. Closes [ticket 697](https://github.com/PowerDNS/pdns/issues/697).
-- [commit da8e6ae](https://github.com/PowerDNS/pdns/commit/da8e6ae): also answer questions with : in them.
-- [commit ef1c4bf](https://github.com/PowerDNS/pdns/commit/ef1c4bf): also spot trailing dots on CNAME content, thanks Jan-Piet Mens and Ruben d'Arco.
-- [commit fb31631](https://github.com/PowerDNS/pdns/commit/fb31631): only setCloseOnExec on valid sockets
-
-# PowerDNS Recursor version 3.5.1
-Released May 3rd, 2013
-
-This is a stability and bugfix update to 3.5. It contains important fixes that improve operation for certain domains.
-
-## Downloads
-- [Official download page](https://www.powerdns.com/downloads.html)
-- [native RHEL5/6 packages from Kees Monshouwer](http://www.monshouwer.eu/download/3rd_party/pdns-recursor/)
-
-## Changes since 3.5
-
-- We now abort earlier while following endless glue or CNAME chains. Fix in [commit 02d1742](https://github.com/PowerDNS/pdns/commit/02d1742).
-- Some unused code would crash certain gcc versions on ARM. Reported by Morten Stevens, fixed in [commit 5b188e8](https://github.com/PowerDNS/pdns/commit/5b188e8).
-- The 3.5 fix for [ticket 731](https://github.com/PowerDNS/pdns/issues/731) was too strict, causing trouble with at least one domain. Reported by Aki Tuomi, check slightly relaxed in [commit 4134690](https://github.com/PowerDNS/pdns/commit/4134690).
-- Automake/autoconf now use non-deprecated syntax. Reported by Morten Stevens, change in [commit ca17ef2](https://github.com/PowerDNS/pdns/commit/ca17ef2).
-
-# PowerDNS Recursor version 3.5
-Released April 15th, 2013
-
-This is a stability, security and bugfix update to 3.3/3.3.1. It contains important fixes for slightly broken domain names, which your users expect to work anyhow.
-**Note**: Because a semi-sanctioned 3.4-pre was distributed for a long time, and people have come to call that 3.4, we are skipping an actual 3.4 release to avoid confusion.
-
-## Downloads
-- [Official download page](https://www.powerdns.com/downloads.html)
-- [native RHEL5/6 packages from Kees Monshouwer](http://www.monshouwer.eu/download/3rd_party/pdns-recursor/)
-
-## Changes between RC5 and the final 3.5 release
-- Winfried Angele reported that restarting a very busy recursor could lead to crashes. Fixed in r3153, closing [ticket 735](https://github.com/PowerDNS/pdns/issues/735).
-
-## Changes between RC4 and RC5
-- Bernd-René Predota of Liberty Global reported that Recursor 3.3 would treat empty non-AA NOERROR responses as authoritative NXDATA responses. This bug turned out to be in 3.5-RC4 too. Fixed in [commit 3146](http://wiki.powerdns.com/projects/trac/changeset/3146), related to [ticket 731](https://github.com/PowerDNS/pdns/issues/731).
-
-## Changes between RC3 (unreleased) and RC4
-- Winfried Angele spotted, even before release, that [commit 3132](http://wiki.powerdns.com/projects/trac/changeset/3132) in RC3 broke outgoing IPv6 queries. We are grateful for his attention to detail! Fixed in [commit 3141](http://wiki.powerdns.com/projects/trac/changeset/3141).
-Changes between RC2 and RC3 (unreleased)
-- Use private temp dir when running under systemd, thanks Morten Stevens and Ruben Kerkhof. Change in [commit 3105](http://wiki.powerdns.com/projects/trac/changeset/3105).
-- NSD mistakenly compresses labels for RP and other types, violating a MUST in RFC 3597. Recursor does not decompress these labels, violating a SHOULD in RFC3597. We now decompress these labels, and reportedly NSD will stop compressing them. Reported by Jan-Piet Mens, fixed in [commit 3109](http://wiki.powerdns.com/projects/trac/changeset/3109).
-- When forwarding to another recursor, we would handle responses to ANY queries incorrectly. Spotted by Jan-Piet Mens, fixed in [commit 3116](http://wiki.powerdns.com/projects/trac/changeset/3116), closes [ticket 704](https://github.com/PowerDNS/pdns/issues/704).
-- Our local-nets definition (used as a default for some settings) now includes the networks from RFC 3927 and RFC 6598. Reported by Maik Zumstrull, fixed in [commit 3122](http://wiki.powerdns.com/projects/trac/changeset/3122).
-- The RC1 change to stop using ANY queries to get A+AAAA for name servers in one go had a 5% performance impact. This impact is corrected in [commit 3132](http://wiki.powerdns.com/projects/trac/changeset/3132). Thanks to Winfried Angele for measuring and reporting this. Closes [ticket 710](https://github.com/PowerDNS/pdns/issues/710).
-- New command 'rec\_control dump-nsspeeds' will dump our NS speeds (latency) cache. Code in [commit 3131](http://wiki.powerdns.com/projects/trac/changeset/3131).
-
-## Changes between RC1 and RC2
-- While Recursor 3.3 was not vulnerable to the specific attack noted in 'Ghost Domain Names: Revoked Yet Still Resolvable' (more information at [A New DNS Exploitation Technique: Ghost Domain Names](http://resources.infosecinstitute.com/ghost-domain-names/)), further investigation showed that a variant of the attack could work. This was fixed in [commit 3085](http://wiki.powerdns.com/projects/trac/changeset/3085). This should also close the slightly bogus [CVE-2012-1193](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1193). Closes [ticket 668](https://github.com/PowerDNS/pdns/issues/668).
-- The auth-can-lower-ttl flag was removed, as it did not have any effect in most situations, and thus did not operate as advertised. We now always comply with the related parts of RFC 2181. Change in [commit 3092](http://wiki.powerdns.com/projects/trac/changeset/3092), closing [ticket 88](https://github.com/PowerDNS/pdns/issues/88).
-
-## New features
-- The local zone server now understands wildcards, code in [commit 2062](http://wiki.powerdns.com/projects/trac/changeset/2062).
-- The Lua postresolve and nodata hooks, that had been distributed as a '3.3-hooks' snapshot earlier, have been merged. Code in [commit 2309](http://wiki.powerdns.com/projects/trac/changeset/2309).
-- A new feature, rec\_control trace-regex allows the tracing of lookups for specific names. Code in [commit 3044](http://wiki.powerdns.com/projects/trac/changeset/3044), [commit 3073](http://wiki.powerdns.com/projects/trac/changeset/3073).
-- A new setting, export-etc-hosts-search-suffix, adds a configurable suffix to names imported from /etc/hosts. Code in [commit 2544](http://wiki.powerdns.com/projects/trac/changeset/2544), [commit 2545](http://wiki.powerdns.com/projects/trac/changeset/2545).
-
-## Improvements
-- We now throttle queries that don't work less aggressively, code in [commit 1766](http://wiki.powerdns.com/projects/trac/changeset/1766).
-- Various improvements in tolerance against broken auths, code in [commit 1996](http://wiki.powerdns.com/projects/trac/changeset/1996), [commit 2188](http://wiki.powerdns.com/projects/trac/changeset/2188), [commit 3074](http://wiki.powerdns.com/projects/trac/changeset/3074) (thanks Winfried).
-- Additional processing is now optional, and disabled by default. Presumably this yields a performance improvement. Change in [commit 2542](http://wiki.powerdns.com/projects/trac/changeset/2542).
-- rec\_control reload-lua-script now reports errors. Code in [commit 2627](http://wiki.powerdns.com/projects/trac/changeset/2627), closing [ticket 278](https://github.com/PowerDNS/pdns/issues/278).
-- rec\_control help now lists commands. Code in [commit 2628](http://wiki.powerdns.com/projects/trac/changeset/2628).
-- rec\_control wipe-cache now also wipes the recursor's packet cache. Code in [commit 2880](http://wiki.powerdns.com/projects/trac/changeset/2880) from [ticket 333](https://github.com/PowerDNS/pdns/issues/333).
-- Morten Stevens contributed a systemd file. Import in [commit 2966](http://wiki.powerdns.com/projects/trac/changeset/2966), now part of the recursor tarball.
-- [commit 2990](http://wiki.powerdns.com/projects/trac/changeset/2990) updates the address of D.root-servers.net.
-- Winfried Angele implemented and documented the ipv6-questions metric. Merge in [commit 3034](http://wiki.powerdns.com/projects/trac/changeset/3034), closing [ticket 619](https://github.com/PowerDNS/pdns/issues/619).
-- We no longer use ANY to get A+AAAA for nameservers, because some auth operators have decided to break ANY lookups. As a bonus, we now track v4 and v6 latency separately. Change in [commit 3064](http://wiki.powerdns.com/projects/trac/changeset/3064).
-
-## Bugs fixed
-- Some unaligned memory access was corrected, code in [commit 2060](http://wiki.powerdns.com/projects/trac/changeset/2060), [commit 2122](http://wiki.powerdns.com/projects/trac/changeset/2122), [commit 2123](http://wiki.powerdns.com/projects/trac/changeset/2123), which would cause problems on UltraSPARC.
-- Garbage encountered during reload-acls could cause crashes. Fixed in [commit 2323](http://wiki.powerdns.com/projects/trac/changeset/2323), closing [ticket 330](https://github.com/PowerDNS/pdns/issues/330).
-- The recursor would lose its root hints in a very rare situation. Corrected in [commit 2380](http://wiki.powerdns.com/projects/trac/changeset/2380).
-- We did not always drop supplemental groups while dropping privileges. Reported by David Black of Atlassian, fixed in [commit 2524](http://wiki.powerdns.com/projects/trac/changeset/2524).
-- Cache aging would sometimes get confused when we had a mix of expired and non-expired records in cache. Spotted and fixed by Winfried Angele in [commit 3068](http://wiki.powerdns.com/projects/trac/changeset/3068), closing [ticket 438](https://github.com/PowerDNS/pdns/issues/438).
-- rec\_control reload-acl no longer ignores arguments. Fix in [commit 3037](http://wiki.powerdns.com/projects/trac/changeset/3037), closing [ticket 490](https://github.com/PowerDNS/pdns/issues/490).
-- Since we re-parse our commandline in rec\_control we've been doubling the commands on the commandline, causing weird output. Reported by Winfried Angele. Fixed in [commit 2992](http://wiki.powerdns.com/projects/trac/changeset/2992), closing [ticket 618](https://github.com/PowerDNS/pdns/issues/618). This issue was not present in any officially released versions.
-- [commit 2879](http://wiki.powerdns.com/projects/trac/changeset/2879) drops some spurious stderr logging from Lua scripts, and makes sure 'place' is always valid.
-- We would sometimes refuse to resolve domains with just one nameserver living at the apex. Fixed in [commit 2817](http://wiki.powerdns.com/projects/trac/changeset/2817).
-- We would sometimes stick RRs in the wrong parts of response packets. Fixed in [commit 2625](http://wiki.powerdns.com/projects/trac/changeset/2625).
-- The ACL parser was too liberal, sometimes causing recursors to be very open. Fixed in [commit 2629](http://wiki.powerdns.com/projects/trac/changeset/2629), closing [ticket 331](https://github.com/PowerDNS/pdns/issues/331).
-- rec\_control now honours socket-dir from recursor.conf. Fixed in [commit 2630](http://wiki.powerdns.com/projects/trac/changeset/2630).
-- When traversing CNAME chains, sometimes we would end up with multiple SOAs in the result. Fixed in [commit 2633](http://wiki.powerdns.com/projects/trac/changeset/2633).
-
-# PowerDNS Authoritative Server 3.2
-Released January 17th, 2013
-
-This is a stability and conformity update to 3.1. It mostly makes our DNSSEC implementation more robust, and improves interoperability with various validators. 3.2 has received very extensive testing on a lot of edge cases, verifying output both against common validators and compared against other authoritative servers.
-
-**Warning**: Version 3.2 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. There are also some important changes if you are coming from 3.0 or 3.1. Please refer to the [Upgrade documentation](authoritative/upgrading.md) for important information on correct and stable operation, as well as notes on performance and memory use.
-
-## Downloads
-- [Official download page](http://www.powerdns.com/content/downloads.html)
-- [native RHEL5/6 packages from Kees Monshouwer](http://www.monshouwer.eu/download/3rd_party/pdns-server/)
-- [additional third-party builds](http://wiki.powerdns.com/trac#GettingPowerDNSpackages)
-
-In addition to all the changes below, we now auto-build semi-static packages. Relevant changes to make that possible are in [commit 2849](http://wiki.powerdns.com/projects/trac/changeset/2849), [commit 2853](http://wiki.powerdns.com/projects/trac/changeset/2853), 2858, [commit 2859](http://wiki.powerdns.com/projects/trac/changeset/2859), [commit 2860](http://wiki.powerdns.com/projects/trac/changeset/2860).
-
-## Changes between 3.2-RC4 and the final 3.2 release
-- Aki Tuomi contributed a bunch of fixes to our crypto drivers. Code in [commit 3036](http://wiki.powerdns.com/projects/trac/changeset/3036) and [commit 3055](http://wiki.powerdns.com/projects/trac/changeset/3055)/[commit 3057](http://wiki.powerdns.com/projects/trac/changeset/3057).
-- The ksk|zsk argument for pdnssec import-zone-key was required while it should be optional. Fixed in [commit 3051](http://wiki.powerdns.com/projects/trac/changeset/3051).
-
-## Changes between 3.2-RC3 and 3.2-RC4
-- The experimental undocumented bindbackend superslave mode would break the first added domain until a restart. Fixed by Kees Monshouwer in [commit 3013](http://wiki.powerdns.com/projects/trac/changeset/3013).
-- Sander Hoentjen reported an issue with our choice of ports for outgoing TCP connections. Investigating it turned up that we were randomizing TCP connections on purpose while leaving UDP port choice to the kernel, which should be the other way around. Fixed in [commit 3014](http://wiki.powerdns.com/projects/trac/changeset/3014), closing [ticket 643](https://github.com/PowerDNS/pdns/issues/643) and [ticket 644](https://github.com/PowerDNS/pdns/issues/644).
-- Aki Tuomi contributed some autoconf code to use mysql\_config if it is available. Code in [commit 3015](http://wiki.powerdns.com/projects/trac/changeset/3015) and [commit 3019](http://wiki.powerdns.com/projects/trac/changeset/3019), closing [ticket 458](https://github.com/PowerDNS/pdns/issues/458).
-- The MongoDB backend was removed at the author's request, as it does not work with any current libmongo versions. Change in [commit 3017](http://wiki.powerdns.com/projects/trac/changeset/3017).
-- Mark Zealey discovered we were retrieving the ascii powerdns version string for each packet, not just for version string queries. Fixed in [commit 3018](http://wiki.powerdns.com/projects/trac/changeset/3018), closing [ticket 651](https://github.com/PowerDNS/pdns/issues/651).
-- Our new json code would not compile on solaris 9 and 10 due to lack of strcasestr. Juraj Lutter contributed a portable version in [commit 3020](http://wiki.powerdns.com/projects/trac/changeset/3020).
-- Mark Zealey noted that RRs with low TTLs could lower our query-cache-ttl persistently. Fixed in [commit 3023](http://wiki.powerdns.com/projects/trac/changeset/3023), closing [ticket 662](https://github.com/PowerDNS/pdns/issues/662).
-- pdnssec now honours module-dir, patch by Fredrik Danerklint in [commit 3026](http://wiki.powerdns.com/projects/trac/changeset/3026).
-
-## Changes between 3.2-RC2 and 3.2-RC3
-- Michael Scheffler noticed that the lazy-recursion setting had no effect at all. Setting removed in [commit 3003](http://wiki.powerdns.com/projects/trac/changeset/3003).
-- Mark Zealey found that an earlier performance improvement could cause crashes under high load, with lots of IPs configured in local-address and receiver-threads higher than 1. Fixed in [commit 3005](http://wiki.powerdns.com/projects/trac/changeset/3005).
-
-## Changes between 3.2-RC1 and 3.2-RC2
-- The udp-queries metric would only count on the first thread launched, instead of on all threads. Additionally, it was initialised at MAXINT at startup, instead of at 0. Both issues fixed by Kees Monshouwer in [commit 2999](http://wiki.powerdns.com/projects/trac/changeset/2999), closing [ticket 491](https://github.com/PowerDNS/pdns/issues/491) and [ticket 582](https://github.com/PowerDNS/pdns/issues/582).
-- Aki Tuomi contributed zone2json, a great way for programmers to benefit from our zone file parser. Code in [commit 2997](http://wiki.powerdns.com/projects/trac/changeset/2997), closes [ticket 509](https://github.com/PowerDNS/pdns/issues/509).
-- Our DNS TXT parser is not 8-bit safe, but our DNS TXT writer assumes the reader is! Reported by Jan-Piet Mens in [ticket 541](https://github.com/PowerDNS/pdns/issues/541), [commit 2993](http://wiki.powerdns.com/projects/trac/changeset/2993) fixes our writer but not yet our parser.
-- Ruben d'Arco did some improvements to the MyDNS backend, and provided a full test suite for it, that we now run after every commit. Code in [commit 2988](http://wiki.powerdns.com/projects/trac/changeset/2988).
-- Some exceptions from backends would lose their meaning while bubbling up. Fixed by Aki Tuomi in [commit 2985](http://wiki.powerdns.com/projects/trac/changeset/2985), closing [ticket 639](https://github.com/PowerDNS/pdns/issues/639).
-- The packet-cache honours max reply length while matching cached packets against queries, but not EDNS status. This would mean that EDNS-enabled replies with a 512 reply len could be returned on non-EDNS queries. Spotted while investigating a report from Winfried Angele, patched by Ruben d'Arco in [commit 2982](http://wiki.powerdns.com/projects/trac/changeset/2982), closing [ticket 630](https://github.com/PowerDNS/pdns/issues/630).
-- Errors involving creating, deletion or changing permissions on the control socket were unclear. Ruben d'Arco improved this in [commit 2981](http://wiki.powerdns.com/projects/trac/changeset/2981).
-- pipe-timeout was always documented to be in milliseconds, but it turns out it was in seconds! [commit 2971](http://wiki.powerdns.com/projects/trac/changeset/2971) changes them to actually be in ms, and 'increases' the default from 1000 seconds to 2000 milliseconds.
-- Some exceptions would get dropped during inbound AXFR, yielding a log file that says 'transaction started' and nothing after that, making AXFR fail silently. [commit 2976](http://wiki.powerdns.com/projects/trac/changeset/2976) and [commit 2977](http://wiki.powerdns.com/projects/trac/changeset/2977) improve this somewhat.
-- We now error out on empty labels inside of names (www..example.com) instead of generating bogus reply packets. Code in [commit 2972](http://wiki.powerdns.com/projects/trac/changeset/2972), reported by several users.
-- Doing chmod before chown, instead of the other way around, apparently avoids requiring a whole SELinux capability. Reported by Sander Hoentjen, fixed in [commit 2965](http://wiki.powerdns.com/projects/trac/changeset/2965).
-- Christian Hofstaedtler fixed a bug in our Debian init.d script. Code in [commit 2963](http://wiki.powerdns.com/projects/trac/changeset/2963).
-- Superslave errors ('Unable to find backend willing to host ..') now include the NSset found at the master, to aid debugging. Code in [commit 2887](http://wiki.powerdns.com/projects/trac/changeset/2887).
-- [commit 2874](http://wiki.powerdns.com/projects/trac/changeset/2874) in RC1 broke compilation without SQLite3 and made query logging unreliable. Fixed in [commit 2888](http://wiki.powerdns.com/projects/trac/changeset/2888), [commit 2889](http://wiki.powerdns.com/projects/trac/changeset/2889).
-- The dnsreplay tool now processes single packet pcaps. Fix in [commit 2895](http://wiki.powerdns.com/projects/trac/changeset/2895).
-- PowerDNS always derives NSEC/NSEC3 from the actual zone content. To accommodate this, zone2sql now drops NSEC/NSEC3 records, as those should never be in a PowerDNS backend directly ([commit 2915](http://wiki.powerdns.com/projects/trac/changeset/2915)), bindbackend ignores NSEC/NSEC3 while reading zonefiles ([commit 2917](http://wiki.powerdns.com/projects/trac/changeset/2917)) and pdnssec reports NSEC/NSEC3 in the database as an error condition ([commit 2918](http://wiki.powerdns.com/projects/trac/changeset/2918)).
-- The bindbackend now ignores NSEC/NSEC3 records while reading zonefiles. Change in [commit 2917](http://wiki.powerdns.com/projects/trac/changeset/2917).
-- An EXPERIMENTAL feature ('direct-dnskey') for reading ZSKs from the records table/your BIND zonefile was added in [commit 2920](http://wiki.powerdns.com/projects/trac/changeset/2920), [commit 2921](http://wiki.powerdns.com/projects/trac/changeset/2921), [commit 2922](http://wiki.powerdns.com/projects/trac/changeset/2922).
-- While fully optional, PowerDNS supports direct RRSIG queries. Kees Monshouwer improved on our behaviour for those queries in [commit 2927](http://wiki.powerdns.com/projects/trac/changeset/2927).
-- IPv6 glue situations require AAAA records for the receiving end of a delegation in the ADDITIONAL section of a referral. This was supported ('do-ipv6-additional-processing') but not enabled by default. [commit 2929](http://wiki.powerdns.com/projects/trac/changeset/2929) enables it by default.
-- pdnssec check-zone now warns for CNAME-and-other data at names in your zones. Code by Ruben d'Arco in [commit 2930](http://wiki.powerdns.com/projects/trac/changeset/2930).
-- Positive ANY-responses would include a spurious NSEC3. Corrected in [commit 2932](http://wiki.powerdns.com/projects/trac/changeset/2932) and [commit 2933](http://wiki.powerdns.com/projects/trac/changeset/2933), cleaned up by Kees Monshouwer in [commit 2935](http://wiki.powerdns.com/projects/trac/changeset/2935).
-- The ldapbackend now allows overriding the base dn for AXFR subtree search. Fixed in [commit 2934](http://wiki.powerdns.com/projects/trac/changeset/2934), closing [ticket 536](https://github.com/PowerDNS/pdns/issues/536).
-
-Changes below are in 3.2-RC1 and up.
-
-## DNSSEC changes in 3.2
-- Kees Monshouwer did a tremendous amount of work to improve and perfect our DNSSEC implementation, mostly in the NSEC3 area. Code in [commit 2687](http://wiki.powerdns.com/projects/trac/changeset/2687), [commit 2689](http://wiki.powerdns.com/projects/trac/changeset/2689), [commit 2691](http://wiki.powerdns.com/projects/trac/changeset/2691), fixing [ticket 486](https://github.com/PowerDNS/pdns/issues/486), [ticket 537](https://github.com/PowerDNS/pdns/issues/537), [ticket 540](https://github.com/PowerDNS/pdns/issues/540). He also implemented support for Empty Non-Terminals, code in [commit 2721](http://wiki.powerdns.com/projects/trac/changeset/2721), [commit 2732](http://wiki.powerdns.com/projects/trac/changeset/2732), [commit 2745](http://wiki.powerdns.com/projects/trac/changeset/2745), fixing [ticket 127](https://github.com/PowerDNS/pdns/issues/127) and [ticket 558](https://github.com/PowerDNS/pdns/issues/558).
-- Presigned wildcard operation was improved with the help of many parties (see commit message for [commit 2676](http://wiki.powerdns.com/projects/trac/changeset/2676)). Presigned operation was also changed to be more consistent with master/live-signing operation. Code and a full test suite in [commit 2709](http://wiki.powerdns.com/projects/trac/changeset/2709), which also improves TTL behaviour for various situations. Fixes [ticket 460](https://github.com/PowerDNS/pdns/issues/460), [ticket 533](https://github.com/PowerDNS/pdns/issues/533), [ticket 559](https://github.com/PowerDNS/pdns/issues/559).
-- Depending on database & locale settings, names starting with underscore would sometimes cause broken records. [commit 2710](http://wiki.powerdns.com/projects/trac/changeset/2710) contains schema and code changes for the gpgsql and gmysql backends to sort this (no pun intended) definitively, closing [ticket 550](https://github.com/PowerDNS/pdns/issues/550). In addition, a pdnssec test-schema command was added (experimental and incomplete). It can be used to verify underscore sorting and a few other parameters of the database. Code in [commit 2714](http://wiki.powerdns.com/projects/trac/changeset/2714).
-- We now always include an EDNS section in responses to queries that also had an EDNS section. This was thought to improve BIND interoperability, but this turned out to be false. In any case, this change improves standards compliance. Spotted by Mats Dufberg, code in [commit 2649](http://wiki.powerdns.com/projects/trac/changeset/2649).
-- It turns out we were storing Botan keys the wrong way. Botan did not care but Polar did, causing interoperability problems. Fixed in [commit 2720](http://wiki.powerdns.com/projects/trac/changeset/2720), with the kind help of Paul Bakker of PolarSSL. Fixes [ticket 492](https://github.com/PowerDNS/pdns/issues/492) as reported by Florian Obser via Debian.
-- pdnssec add-zone-key now defaults to RSASHA256, like secure-zone already did. Code in [commit 2692](http://wiki.powerdns.com/projects/trac/changeset/2692).
-- pdns\_control purge now also purges DNSSEC-related caches (keys and metadata). Code in [commit 2694](http://wiki.powerdns.com/projects/trac/changeset/2694), by Ruben d'Arco. Fixes [ticket 530](https://github.com/PowerDNS/pdns/issues/530).
-- The signer thread would die in specific situations, leaving you with a non-working but very busy system. Fixed in [commit 2668](http://wiki.powerdns.com/projects/trac/changeset/2668), [commit 2670](http://wiki.powerdns.com/projects/trac/changeset/2670), closing [ticket 517](https://github.com/PowerDNS/pdns/issues/517).
-- pdnssec secure-zone now warns when you just signed a slave zone. Suggested by Mark Scholten, code in [commit 2795](http://wiki.powerdns.com/projects/trac/changeset/2795), closes [ticket 592](https://github.com/PowerDNS/pdns/issues/592).
-- pdnssec check-zone now warns about out-of-zone data. Patch by Kees Monshouwer in [commit 2826](http://wiki.powerdns.com/projects/trac/changeset/2826), closing [ticket 604](https://github.com/PowerDNS/pdns/issues/604).
-- pdnssec now honours --no-config. Patch by Kees Monshouwer in [commit 2810](http://wiki.powerdns.com/projects/trac/changeset/2810).
-- Various fixes for bindbackend presigned operation, mostly by Kees Monshouwer. Code in [commit 2815](http://wiki.powerdns.com/projects/trac/changeset/2815), closing [ticket 600](https://github.com/PowerDNS/pdns/issues/600).
-- Bindbackend could get confused about domain metadata, sometimes even causing hangs. Fixes by Kees Monshouwer in [commit 2819](http://wiki.powerdns.com/projects/trac/changeset/2819) and [commit 2834](http://wiki.powerdns.com/projects/trac/changeset/2834), closing [ticket 600](https://github.com/PowerDNS/pdns/issues/600) and [ticket 603](https://github.com/PowerDNS/pdns/issues/603).
-- SQL queries in gsql backends that reference the domain\_id column have been made explicit about from what table they want this column. This makes it easier to operate custom schemas without changing the queries. Fix by Nicky Gerritsen in [commit 2821](http://wiki.powerdns.com/projects/trac/changeset/2821).
-- In various situations involving CNAMEs and wildcards, and for ANY queries involving CNAMEs, we would sometimes return bogus results. Fixed in [commit 2825](http://wiki.powerdns.com/projects/trac/changeset/2825) by Kees Monshouwer.
-- rectify-zone accidentally set auth=1 on NS records of secure delegations. Reported by George Notaras, fixed by Kees Monshouwer in [commit 2831](http://wiki.powerdns.com/projects/trac/changeset/2831), closing [ticket 605](https://github.com/PowerDNS/pdns/issues/605).
-- The DNSSEC signature cache now actually gets cleaned up, avoiding lasting spikes in memory usage every thursday. Code in [commit 2836](http://wiki.powerdns.com/projects/trac/changeset/2836) and [commit 2843](http://wiki.powerdns.com/projects/trac/changeset/2843), closing [ticket 594](https://github.com/PowerDNS/pdns/issues/594).
-- Signatures used to roll at midnight on thursday. We now roll them one hour after midnight, with inception still set to midnight, to allow for some variations in clock quality on resolvers. Code in [commit 2857](http://wiki.powerdns.com/projects/trac/changeset/2857).
-- Duplicate records (same name/type/content/priority) would sometimes get broken RRSIGs during outgoing AXFR. Fixed in [commit 2856](http://wiki.powerdns.com/projects/trac/changeset/2856).
-- A root zone (name="") with DNSSEC would cause crashes in some situations. Reported by Luuk Hendriks. Fixed in [commit 2867](http://wiki.powerdns.com/projects/trac/changeset/2867), [commit 2868](http://wiki.powerdns.com/projects/trac/changeset/2868), closing [ticket 614](https://github.com/PowerDNS/pdns/issues/614).
-- Direct RRSIG queries for zones with auto-completed SOA records would cause trouble. Reported by Kees Monshouwer and fixed by him in [commit 2869](http://wiki.powerdns.com/projects/trac/changeset/2869).
-- When a name is matched only by a wildcard, but the type in the query is not present, we would be lacking one NSEC(3) record to prove the existence of the wildcard. Fixed by Kees Monshouwer in [commit 2872](http://wiki.powerdns.com/projects/trac/changeset/2872) and [commit 2873](http://wiki.powerdns.com/projects/trac/changeset/2873).
-- Luuk Hendriks spotted that our PolarSSL RSA key generation code was using inferior entropy. This can be important on virtual machines with badly implemented clocks. Fixed in [commit 2876](http://wiki.powerdns.com/projects/trac/changeset/2876), closing [ticket 615](https://github.com/PowerDNS/pdns/issues/615).
-
-## Non-DNSSEC improvements/changes
-- Bindbackend would sometimes crash on startup, due to a sync\_with\_stdio call. This call has been moved to pdns\_server proper to occur before any threads are spawned, avoiding race conditions in this call. Note that this crash has only been observed twice in thousands of regression test runs and has never been reported in the real world. Change in [commit 2882](http://wiki.powerdns.com/projects/trac/changeset/2882).
-- Leen Besselink submitted query logging support for the SQLite3 parts in the bindbackend. Code in [commit 2874](http://wiki.powerdns.com/projects/trac/changeset/2874).
-- Multi-backend operation would sometimes cause garbage domain IDs to be passed to backends. Reported by Kees Monshouwer and fixed by him in [commit 2871](http://wiki.powerdns.com/projects/trac/changeset/2871).
-- Bindbackend would sometimes crash during reloads/rediscovers. The changes in [commit 2837](http://wiki.powerdns.com/projects/trac/changeset/2837) get rid of the crash, at the cost of returning SERVFAIL during reloads. Closes [ticket 564](https://github.com/PowerDNS/pdns/issues/564).
-- Our label decompression code was naive, causing troubles for slaving of very specifically formatted zones. Fix in [ticket 2822](https://github.com/PowerDNS/pdns/issues/2822), closes [ticket 599](https://github.com/PowerDNS/pdns/issues/599).
-- Bindbackend slaves would choke on unknown RR types and do silly things with RP and SRV records. Fixed in [commit 2811](http://wiki.powerdns.com/projects/trac/changeset/2811) and [commit 2812](http://wiki.powerdns.com/projects/trac/changeset/2812).
-- The luabackend can now compile against Lua 5.2. Patch by Fredrik Danerklint in [commit 2794](http://wiki.powerdns.com/projects/trac/changeset/2794), additional luabackend compile fixes in [commit 2854](http://wiki.powerdns.com/projects/trac/changeset/2854).
-- A new backend, the 'Remote backend' [Remote Backend](authoritative/backend-remote.md "Remote Backend") was submitted by Aki Tuomi. It aims to replace the pipebackend with a better protocol and support for more connection methods, including HTTP. Code in [commit 2755](http://wiki.powerdns.com/projects/trac/changeset/2755), [commit 2756](http://wiki.powerdns.com/projects/trac/changeset/2756), [commit 2757](http://wiki.powerdns.com/projects/trac/changeset/2757), [commit 2758](http://wiki.powerdns.com/projects/trac/changeset/2758), [commit 2759](http://wiki.powerdns.com/projects/trac/changeset/2759), [commit 2824](http://wiki.powerdns.com/projects/trac/changeset/2824), closing [ticket 529](https://github.com/PowerDNS/pdns/issues/529), [ticket 597](https://github.com/PowerDNS/pdns/issues/597).
-- The gsqlite (SQLite 2) backend was removed. We were not aware of any users and it was not actually working anyway. Changes in commits [2773](http://wiki.powerdns.com/projects/trac/changeset/2773)-[2777](http://wiki.powerdns.com/projects/trac/changeset/2777), closing [ticket 565](https://github.com/PowerDNS/pdns/issues/565).
-- Various tinydnsbackend improvements: ignore-bogus-records option; TAI offset updated; strip dots on names where suitable; various internal improvements. Code in [commit 2762](http://wiki.powerdns.com/projects/trac/changeset/2762).
-- gpgsql no longer logs the database password in connection errors. Code in [commit 2609](http://wiki.powerdns.com/projects/trac/changeset/2609), [commit 2612](http://wiki.powerdns.com/projects/trac/changeset/2612), closing [ticket 459](https://github.com/PowerDNS/pdns/issues/459).
-- You can now finally specify 0.0.0.0 or :: as local-address/local-ipv6 without getting replies from the wrong address. This much-requested feature is implemented in [commit 2763](http://wiki.powerdns.com/projects/trac/changeset/2763), [commit 2766](http://wiki.powerdns.com/projects/trac/changeset/2766), [commit 2779](http://wiki.powerdns.com/projects/trac/changeset/2779) and [commit 2781](http://wiki.powerdns.com/projects/trac/changeset/2781). Tested on Linux, FreeBSD and Mac OS X.
-- 3.2 can be reliably built with or without Lua. This and many other configure/compile-related fixes in [commit 2610](http://wiki.powerdns.com/projects/trac/changeset/2610), [commit 2611](http://wiki.powerdns.com/projects/trac/changeset/2611) / [ticket 461](https://github.com/PowerDNS/pdns/issues/461), [commit 2666](http://wiki.powerdns.com/projects/trac/changeset/2666), [commit 2671](http://wiki.powerdns.com/projects/trac/changeset/2671), [commit 2672](http://wiki.powerdns.com/projects/trac/changeset/2672) / [ticket 522](https://github.com/PowerDNS/pdns/issues/522), [commit 2673](http://wiki.powerdns.com/projects/trac/changeset/2673) / [ticket 522](https://github.com/PowerDNS/pdns/issues/522), [commit 2696](http://wiki.powerdns.com/projects/trac/changeset/2696) / [ticket 555](https://github.com/PowerDNS/pdns/issues/555), [commit 2697](http://wiki.powerdns.com/projects/trac/changeset/2697) / [ticket 457](https://github.com/PowerDNS/pdns/issues/457), [commit 2698](http://wiki.powerdns.com/projects/trac/changeset/2698), [commit 2708](http://wiki.powerdns.com/projects/trac/changeset/2708), [commit 2742](http://wiki.powerdns.com/projects/trac/changeset/2742) / [ticket 462](https://github.com/PowerDNS/pdns/issues/462)), [commit 2752](http://wiki.powerdns.com/projects/trac/changeset/2752) / [ticket 437](https://github.com/PowerDNS/pdns/issues/437), [commit 2764](http://wiki.powerdns.com/projects/trac/changeset/2764), [commit 2809](http://wiki.powerdns.com/projects/trac/changeset/2809), [commit 2844](http://wiki.powerdns.com/projects/trac/changeset/2844), [commit 2845](http://wiki.powerdns.com/projects/trac/changeset/2845), [commit 2846](http://wiki.powerdns.com/projects/trac/changeset/2846), [commit 2881](http://wiki.powerdns.com/projects/trac/changeset/2881).
-- Juraj Lutter contributed AXFR-SOURCE per zone metadata settings. Code in [commit 2616](http://wiki.powerdns.com/projects/trac/changeset/2616).
-- Initscripts now have exit codes, submitted by Sander Hoentjen. Code in [commit 2728](http://wiki.powerdns.com/projects/trac/changeset/2728). Guardian now returns 0 instead of 1 when receiving SIGTERM, requested by Morten Stevens of Fedora. Code in [commit 2717](http://wiki.powerdns.com/projects/trac/changeset/2717).
-- Mark Zealey submitted various performance improvement patches and suggestions. Accepted as [commit 2729](http://wiki.powerdns.com/projects/trac/changeset/2729) / [ticket 579](https://github.com/PowerDNS/pdns/issues/579), [commit 2730](http://wiki.powerdns.com/projects/trac/changeset/2730) / [ticket 584](https://github.com/PowerDNS/pdns/issues/584)), [commit 2731](http://wiki.powerdns.com/projects/trac/changeset/2731) / [ticket 583](https://github.com/PowerDNS/pdns/issues/583)), [commit 2768](http://wiki.powerdns.com/projects/trac/changeset/2768) / [ticket 578](https://github.com/PowerDNS/pdns/issues/578)). Please see commit messages for more details.
-- pdnssec check-all-zones now reuses database connections, avoiding a socket exhaustion issue in some situations. Code in [commit 2749](http://wiki.powerdns.com/projects/trac/changeset/2749), closes [ticket 519](https://github.com/PowerDNS/pdns/issues/519).
-- Ruben d'Arco submitted various improvements regarding trailing dots. Additional lookups now try harder, pdnssec errors about trailing dots in names, pdnssec warns about trailing dots in names inside content fields, AXFR now strips the dot from SRV hostnames. Code in [commit 2748](http://wiki.powerdns.com/projects/trac/changeset/2748), fixes [ticket 289](https://github.com/PowerDNS/pdns/issues/289).
-- Pre-3.0, backends would get cycled if they threw the right error. 3.2 reinstates this behaviour, as it is more robust. Change in [commit 2734](http://wiki.powerdns.com/projects/trac/changeset/2734) (reverting [commit 2100](http://wiki.powerdns.com/projects/trac/changeset/2100)), fixes [ticket 386](https://github.com/PowerDNS/pdns/issues/386).
-- PowerDNS auth does not use the select() kernel/library call anymore. This means fd-numbers over 1023 (and, in general, more than 1024 sockets, including more than 1024 listening sockets) should now work reliably. Code in [commit 2739](http://wiki.powerdns.com/projects/trac/changeset/2739), [commit 2740](http://wiki.powerdns.com/projects/trac/changeset/2740), fixes [ticket 408](https://github.com/PowerDNS/pdns/issues/408).
-- gmysql users can now specify the 'group' we connect as, using the gmysql-group setting. Submitted by Kees Monshouwer, code in [commit 2770](http://wiki.powerdns.com/projects/trac/changeset/2770), [commit 2771](http://wiki.powerdns.com/projects/trac/changeset/2771), [commit 2778](http://wiki.powerdns.com/projects/trac/changeset/2778), [commit 2780](http://wiki.powerdns.com/projects/trac/changeset/2780), closing [ticket 463](https://github.com/PowerDNS/pdns/issues/463).
-- The Linux-only traceback handler is now optional (use traceback-handler=off to disable it). Suggested by Marc Haber. Change in [commit 2798](http://wiki.powerdns.com/projects/trac/changeset/2798), closes [ticket 497](https://github.com/PowerDNS/pdns/issues/497).
-- We now use IPV6\_V6ONLY to bind IPv6 sockets. This ensures consistent behaviour between different operating systems. Change in [commit 2799](http://wiki.powerdns.com/projects/trac/changeset/2799).
-- MySQL connections are now logged at a higher loglevel, reducing log clutter. Change in [commit 2800](http://wiki.powerdns.com/projects/trac/changeset/2800).
-- We now ship a systemd unit file in contrib/. Added in [commit 2847](http://wiki.powerdns.com/projects/trac/changeset/2847) and [commit 2848](http://wiki.powerdns.com/projects/trac/changeset/2848), submitted by Morten Stevens.
-
-## Assorted bugfixes
-- If a slave domain is removed while a transfer for it is queued, we no longer try the transfer. This also avoids a rare crash in similar circumstances. Code in [commit 2802](http://wiki.powerdns.com/projects/trac/changeset/2802), closes [ticket 596](https://github.com/PowerDNS/pdns/issues/596).
-- When using pdnssec with gsql backends, sometimes an SSqlException would pop up without any useful information. This no longer happens and errors are now in general more meaningful. Fix in [commit 2803](http://wiki.powerdns.com/projects/trac/changeset/2803).
-- zone2sql now uses correct string syntax for PostgreSQL. This is needed for importing with the changed default settings in PostgreSQL 9.2 and up. Code in [commit 2797](http://wiki.powerdns.com/projects/trac/changeset/2797), closes [ticket 471](https://github.com/PowerDNS/pdns/issues/471).
-- We no longer send v6 notifications if v6 is not available. Same for IPv4. Code in [commit 2772](http://wiki.powerdns.com/projects/trac/changeset/2772), fixes [ticket 515](https://github.com/PowerDNS/pdns/issues/515).
-- We would sometimes serve stale data after an incoming AXFR. Reported by Martin Draschl, fixed by Ruben d'Arco in [commit 2699](http://wiki.powerdns.com/projects/trac/changeset/2699), closing [ticket 525](https://github.com/PowerDNS/pdns/issues/525).
-- Duplicate incoming NOTIFYs could cause PowerDNS to try to insert the same domain name into a database twice. Fixed in [commit 2703](http://wiki.powerdns.com/projects/trac/changeset/2703), closing [ticket 453](https://github.com/PowerDNS/pdns/issues/453).
-- pdnssec show-zone now works on a zone that has any number of keys, instead of requiring active keys. Reported by Jeroen Tushuizen of myH2Oservers, code in [commit 2769](http://wiki.powerdns.com/projects/trac/changeset/2769), closes [ticket 586](https://github.com/PowerDNS/pdns/issues/586).
-- pdns-control notify-host now accepts v6 literals. Reported by Christof Meerwald, fixed in [commit 2704](http://wiki.powerdns.com/projects/trac/changeset/2704).
-- The tinydnsbackend no longer chokes on questions longer than 64 bytes. Code in [commit 2622](http://wiki.powerdns.com/projects/trac/changeset/2622).
-- *-all-domains commands in pdnssec now work with Postgres (gpgsql) too. Code in [commit 2645](http://wiki.powerdns.com/projects/trac/changeset/2645), closing [ticket 472](https://github.com/PowerDNS/pdns/issues/472).
-- We would sometimes leave the opcode of an outgoing packet uninitialized. Fixed in [commit 2680](http://wiki.powerdns.com/projects/trac/changeset/2680), closing [ticket 532](https://github.com/PowerDNS/pdns/issues/532).
-- nproxy can now listen on a configurable port. Code in [commit 2684](http://wiki.powerdns.com/projects/trac/changeset/2684), fixes [ticket 534](https://github.com/PowerDNS/pdns/issues/534).
-- Improve mydnsbackend for SOA queries. Code in [commit 2751](http://wiki.powerdns.com/projects/trac/changeset/2751), fixes [ticket 439](https://github.com/PowerDNS/pdns/issues/439), by Ruben d'Arco.
-- Various non-functional fixes that make Valgrind happy (note that Valgrind was right to complain in all of these situations), in [commit 2715](http://wiki.powerdns.com/projects/trac/changeset/2715), [commit 2716](http://wiki.powerdns.com/projects/trac/changeset/2716), [commit 2718](http://wiki.powerdns.com/projects/trac/changeset/2718).
-
-# PowerDNS Authoritative Server 3.1
-Released on the 4th of May 2012
-RC3 released on the 30th of April 2012
-RC2 released on the 14th of April 2012
-RC1 released on the 23th of March 2012
-
-**Warning**: Version 3.1 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. There are also some important changes if you are coming from 3.0. Please refer to the [Upgrade documentation](authoritative/upgrading.md) for important information on correct and stable operation, as well as notes on performance and memory use.
-
-Version 3.1 of the PowerDNS Authoritative Server represents the 'coming of age' of our DNSSEC implementation. In addition, 3.1 solves a lot of '.0' issues typically associated with a major new release.
-
-As usual, we are very grateful for the involvement of the PowerDNS community. The uptake of 3.0 was rapid, and many users were very helpful in shaking out the bugs, and willing to test the fixes we provided or, in many cases, provided the fixes themselves.
-
-Of specific note is the giant PowerDNS DNSSEC deployment in Sweden by Atomia and Binero. PowerDNS 3.0 now powers over 150000 DNSSEC domains in Sweden, around 95% of all DNSSEC domains, in a country were most internet service providers actually validate all .SE domains.
-
-Finally, this release has benefited a lot from Peter van Dijk joining us, as he has merged a tremendous amount of patches, cleaned up years of accumulated dust in the code, and massively improved our regression testing into a full blown continuous integration setup with full DNSSEC tests!
-
-Additionally, we would like to thank Ruben d'Arco, Jose Arthur Benetasso Villanova, Marc Haber, Jimmy Bergman, Aki Tuomi and everyone else who helped us out!
-
-## Downloads
-- [Official download page](http://www.powerdns.com/content/downloads.html)
-- [CentOS/RHEL 5/6 RPMs](http://www.monshouwer.eu/download/3rd_party/pdns-server/) kindly provided by Kees Monshouwer.
-- [Additional packages](http://wiki.powerdns.com/trac#GettingPowerDNSpackages) kindly provided by various other people.
-
-## Changes between RC3 and final
-- pdnssec now honours the default-soa-name setting. Reported by Kees Monshouwer, fixed in [commit 2600](http://wiki.powerdns.com/projects/trac/changeset/2600).
-
-## Changes between RC2 and RC3
-- The hidden test-algorithms command for pdnssec now has a little brother 'test-algorithm X'. Code in [commit 2596](http://wiki.powerdns.com/projects/trac/changeset/2596), by Aki Tuomi.
-- PolarSSL upgraded to 1.1.2 due to weak RSA key generation ([commit 2586](http://wiki.powerdns.com/projects/trac/changeset/2586)). If you created RSA keys with RC1 or RC2 using PolarSSL, please replace them! This upgrade introduced a slowdown; speedup patch in [commit 2593](http://wiki.powerdns.com/projects/trac/changeset/2593).
-- It turns out we were using libmysqlclient in a thread-unsafe manner. This issue was reported and painstakingly debugged by Marc Haber. Presumably fixed in [commit 2591](http://wiki.powerdns.com/projects/trac/changeset/2591).
-- Updated a bunch of internal counters to be threadsafe. Code in [commit 2579](http://wiki.powerdns.com/projects/trac/changeset/2579).
-- NSEC(3) bitmaps can now cover RRtypes above 255. Reported by Michael Braunoeder, patch by Aki Tuomi in [commit 2590](http://wiki.powerdns.com/projects/trac/changeset/2590).
-- pdnssec check-zone now reports MBOXFW and URL records (as those are unsupported since 3.0). Reported by Gerwin Krist of Digitalus, patch by Ruben d'Arco. Closes [ticket 446](https://github.com/PowerDNS/pdns/issues/446).
-- The odbcbackend was removed. It only runs on Windows and Windows is unsupported since 3.0. Removal in [commit 2576](http://wiki.powerdns.com/projects/trac/changeset/2576).
-- We used to send the chunk length and the actual chunk in two separate writes (often resulting in two separate TCP packets) during outbound AXFR. This confused MSDNS. We now combine those writes. Code in [commit 2575](http://wiki.powerdns.com/projects/trac/changeset/2575).
-- The bindbackend can now run without SQLite3, as previously intended. Fix in [commit 2574](http://wiki.powerdns.com/projects/trac/changeset/2574).
-- Some high-concurrency master setups would crash under load. Fixed in [commit 2571](http://wiki.powerdns.com/projects/trac/changeset/2571).
-
-# Changes between RC1 and RC2
-- We imported the TinyDNS backend by Ruben d'Arco. Code mostly in [commit 2559](http://wiki.powerdns.com/projects/trac/changeset/2559). See [TinyDNS Backend](authoritative/backend-tinydns.md "TinyDNS Backend").
-- Overriding C(XX)FLAGS is easier now. Problem pointed out by Jose Arthur Benetasso Villanova and others, fix suggested by Sten Spans. Patch in [commit 2533](http://wiki.powerdns.com/projects/trac/changeset/2533).
-- TSIG fixes: skip embedded spaces in keys ([commit 2536](http://wiki.powerdns.com/projects/trac/changeset/2536)), compute signatures correctly (by Ruben d'Arco in [commit 2547](http://wiki.powerdns.com/projects/trac/changeset/2547)),
-- nproxy, dnsscan and dnsdemog did not compile at all. Fixes in [commit 2538](http://wiki.powerdns.com/projects/trac/changeset/2538), [commit 2554](http://wiki.powerdns.com/projects/trac/changeset/2554).
-- We now allow unescaped tabs in TXT records. Fix in [commit 2539](http://wiki.powerdns.com/projects/trac/changeset/2539).
-- SOA records no longer disappear during incoming transfers. Fix by Ruben d'Arco in [commit 2540](http://wiki.powerdns.com/projects/trac/changeset/2540).
-- PowerDNS compiles on OS X (and other platforms that support our auth server but not the recursor) again, fix in [commit 2566](http://wiki.powerdns.com/projects/trac/changeset/2566).
-- Cleanups related to warnings from gcc and valgrind in [commit 2561](http://wiki.powerdns.com/projects/trac/changeset/2561), [commit 2562](http://wiki.powerdns.com/projects/trac/changeset/2562), [commit 2565](http://wiki.powerdns.com/projects/trac/changeset/2565).
-- Solaris compatibility fixes by Ruben d'Arco, Juraj Lutter and others in [commit 2548](http://wiki.powerdns.com/projects/trac/changeset/2548), [commit 2552](http://wiki.powerdns.com/projects/trac/changeset/2552), [commit 2553](http://wiki.powerdns.com/projects/trac/changeset/2553), [commit 2560](http://wiki.powerdns.com/projects/trac/changeset/2560). Fixes for *BSD in [commit 2546](http://wiki.powerdns.com/projects/trac/changeset/2546).
-- pdns\_control help would report 'version' twice, reported by Gerwin, fix in [commit 2549](http://wiki.powerdns.com/projects/trac/changeset/2549).
-
-## DNSSEC related fixes
-- When slaving zones, PowerDNS now automatically detects that a zone is presigned. Code in [commit 2502](http://wiki.powerdns.com/projects/trac/changeset/2502), closing [ticket 369](https://github.com/PowerDNS/pdns/issues/369), [ticket 392](https://github.com/PowerDNS/pdns/issues/392).
-- The bindbackend can now manage its own SQLite3 database to store key data, removing the need to run it with a gsql backend. Code in [commit 2448](http://wiki.powerdns.com/projects/trac/changeset/2448), [commit 2449](http://wiki.powerdns.com/projects/trac/changeset/2449), [commit 2450](http://wiki.powerdns.com/projects/trac/changeset/2450), [commit 2451](http://wiki.powerdns.com/projects/trac/changeset/2451), [commit 2452](http://wiki.powerdns.com/projects/trac/changeset/2452), [commit 2453](http://wiki.powerdns.com/projects/trac/changeset/2453), [commit 2455](http://wiki.powerdns.com/projects/trac/changeset/2455), [commit 2482](http://wiki.powerdns.com/projects/trac/changeset/2482), [commit 2496](http://wiki.powerdns.com/projects/trac/changeset/2496), [commit 2499](http://wiki.powerdns.com/projects/trac/changeset/2499).
-- NSEC/NSEC3 logic for picking 'boundary' names was tricky, and got it wrong in some cases. Fixes in [commit 2289](http://wiki.powerdns.com/projects/trac/changeset/2289), [commit 2429](http://wiki.powerdns.com/projects/trac/changeset/2429), [commit 2435](http://wiki.powerdns.com/projects/trac/changeset/2435) and [commit 2473](http://wiki.powerdns.com/projects/trac/changeset/2473).
-- The subtle differences between 'what records get NSEC', 'what records get NSEC3' and 'what records should get signed' did not translate well to the SQL auth column. We now use 'ordername IS NULL' to map the whole spectrum. Code in [commit 2477](http://wiki.powerdns.com/projects/trac/changeset/2477), [commit 2480](http://wiki.powerdns.com/projects/trac/changeset/2480), [commit 2492](http://wiki.powerdns.com/projects/trac/changeset/2492).
-- Pre-signed AXFR output, although correct, was different from our query responses. Rectified in [commit 2477](http://wiki.powerdns.com/projects/trac/changeset/2477).
-- Spotted & fixed by Jimmy Bergman of Atomia, CNAMEs and RRSIGs could have bad interactions. Fix in [commit 2314](http://wiki.powerdns.com/projects/trac/changeset/2314), further refined in [commit 2318](http://wiki.powerdns.com/projects/trac/changeset/2318). Closes [ticket 411](https://github.com/PowerDNS/pdns/issues/411).
-- Spotted & fixed by Jimmy Bergman of Atomia, we now allow direct RRSIG queries even when do=0.
-- Spotted by Mark Scholten and Marco Davids, we would sometimes generate duplicate (and wrong) RRSIGs when signing an ANY answer because of record jumbling. Fix in [commit 2381](http://wiki.powerdns.com/projects/trac/changeset/2381).
-- Several fixes to handling of DS queries, in [commit 2420](http://wiki.powerdns.com/projects/trac/changeset/2420), [commit 2510](http://wiki.powerdns.com/projects/trac/changeset/2510), [commit 2512](http://wiki.powerdns.com/projects/trac/changeset/2512).
-- We now lowercase the signer name in an RRSIG. This is not mandated by DNSSEC specification but it improves compatibility with some validators. Fix in [commit 2426](http://wiki.powerdns.com/projects/trac/changeset/2426).
-
-## Bug fixes
-- Winfried Angele discovered we would open an additional backend connection per zone in the BIND backend. This only impacted users with multiple simultaneous backends. Fix in [commit 2253](http://wiki.powerdns.com/projects/trac/changeset/2253), closing [ticket 383](https://github.com/PowerDNS/pdns/issues/383).
-- All versions of max-cache-entries setting had confusing behaviour when set to 0. Now clarified to mean that 0 truly means 0, and not 'infinite'. Change in [commit 2328](http://wiki.powerdns.com/projects/trac/changeset/2328).
-- Wildcards in the presence of delegations were broken. Reported by a cast of thousands. Fix & regression test in [commit 2368](http://wiki.powerdns.com/projects/trac/changeset/2368). Closes [ticket 389](https://github.com/PowerDNS/pdns/issues/389).
-- Internal caches used an order of magnitude more memory than expected and some were not purged properly, which hindered real life deployments. Spotted by Winfried Angele and others. Fixed in [commit 2287](http://wiki.powerdns.com/projects/trac/changeset/2287) and [commit 2328](http://wiki.powerdns.com/projects/trac/changeset/2328).
-- Christof Meerwald discovered our .tar file missed a file of the Lua backend. Change in [commit 2257](http://wiki.powerdns.com/projects/trac/changeset/2257).
-- Paul Xek found out that the edns-subnet support did not work for subnets tinier than a /25 or /121. Fix in [commit 2258](http://wiki.powerdns.com/projects/trac/changeset/2258).
-- edns-subnet aware PIPE scripts received bogus remote information on AXFR requests. Fixed in [commit 2284](http://wiki.powerdns.com/projects/trac/changeset/2284).
-- Fix compilation against older versions of MySQL that do not have MYSQL\_OPT\_RECONNECT. [commit 2264](http://wiki.powerdns.com/projects/trac/changeset/2264), closing [ticket 378](https://github.com/PowerDNS/pdns/issues/378).
-- D. Stussy of Snarked.net discovered that PowerDNS could not parse a DNS packet with a trailing blob of unknown length. Fixed in [commit 2267](http://wiki.powerdns.com/projects/trac/changeset/2267).
-- 'pdnssec' did not work for records with NULL ttls. Fixed in [commit 2266](http://wiki.powerdns.com/projects/trac/changeset/2266), closing [ticket 432](https://github.com/PowerDNS/pdns/issues/432).
-- Pipe backend had issues parsing IPv6 records in ABI version 3. Fixed in [commit 2260](http://wiki.powerdns.com/projects/trac/changeset/2260).
-- We truncated the altitude in LOC records! I hope no one got lost. Fix in [commit 2268](http://wiki.powerdns.com/projects/trac/changeset/2268).
-- Xander Soldaat discovered that even if the web server was not configured, we'd still listen on the port. Fix in [commit 2269](http://wiki.powerdns.com/projects/trac/changeset/2269), closes [ticket 402](https://github.com/PowerDNS/pdns/issues/402).
-- The PIPE backend issues frequent fork()s, leading to potential fd leaks if these are not marked as 'close on exec'. Solved in [commit 2273](http://wiki.powerdns.com/projects/trac/changeset/2273), closing [ticket 194](https://github.com/PowerDNS/pdns/issues/194).
-- Robert van der Meulen found that we messed up the interaction between wildcards and CNAMEs. Fixed in [commit 2276](http://wiki.powerdns.com/projects/trac/changeset/2276), which also adds a regression test to prevent this issue from recurring.
-- Fred Wittekind discovered that our notification proxy 'nproxy' no longer built from source. Fixed in [commit 2278](http://wiki.powerdns.com/projects/trac/changeset/2278).
-- Grant Keller found that we were inconsistent with spaces in labels, thus breaking DNS-SD. Fix in [commit 2305](http://wiki.powerdns.com/projects/trac/changeset/2305).
-- Winfried Angele fixed our autoconf script for Lua detection in [commit 2308](http://wiki.powerdns.com/projects/trac/changeset/2308).
-- BIND backend would leak an fd when including a configuration file from named.conf. Spotted by Hannu Ylitalo of Nebula Oy in [commit 2359](http://wiki.powerdns.com/projects/trac/changeset/2359).
-- GSQLite3 backend could crash on a network error at the wrong moment, leading to a restart by the guardian. Fix in [commit 2336](http://wiki.powerdns.com/projects/trac/changeset/2336).
-- './configure --enable-verbose-logging' was broken, fixed in [commit 2312](http://wiki.powerdns.com/projects/trac/changeset/2312).
-- PowerDNS would serve up old SOA data immediately after sending out a notification. Complicated bug documented perfectly in [ticket 427](https://github.com/PowerDNS/pdns/issues/427), which also came with not one but with two different patches to fix the problem. Thanks to Keith Buck. Code in [commit 2408](http://wiki.powerdns.com/projects/trac/changeset/2408).
-- Flag '--start-id' in zone2sql was not functional. Removed for now in [commit 2387](http://wiki.powerdns.com/projects/trac/changeset/2387), closing [ticket 332](https://github.com/PowerDNS/pdns/issues/332).
-- Our distribution tarball did not have the SQL schemas. Fixed in [commit 2459](http://wiki.powerdns.com/projects/trac/changeset/2459) and [commit 2460](http://wiki.powerdns.com/projects/trac/changeset/2460).
-- "Empty" MX records would confuse one of our parsers. Fixed in [commit 2468](http://wiki.powerdns.com/projects/trac/changeset/2468), closing Debian bug 533023.
-- The pdns.conf 'wildcards'-setting did not do anything in 3.0, so it was removed. Change in [commit 2508](http://wiki.powerdns.com/projects/trac/changeset/2508), [commit 2509](http://wiki.powerdns.com/projects/trac/changeset/2509).
-- Additional processing based on records loaded by the BIND backend might fail because of a trailing dot mismatch. Fix in [commit 2398](http://wiki.powerdns.com/projects/trac/changeset/2398).
-
-## New features
-- Per-zone AXFR ACLs, based on the allow-axfr-ips zone metadata item. Code in [commit 2274](http://wiki.powerdns.com/projects/trac/changeset/2274). Also, remove some remains of our previous approach to supporting this in [commit 2326](http://wiki.powerdns.com/projects/trac/changeset/2326).
-- New SOA Serial Tweak mode INCEPTION-EPOCH for when operating as a 'signing slave', contributed by Jimmy Bergman. Code and documentation in [commit 2320](http://wiki.powerdns.com/projects/trac/changeset/2320).
-- Newlines in the 'content' field of backends are now allowed, restoring some DKIM setups to working condition. Update in [commit 2394](http://wiki.powerdns.com/projects/trac/changeset/2394), closing [ticket 395](https://github.com/PowerDNS/pdns/issues/395).
-
-## Improvements
-- Depending on the encoding used, MySQL could take issue with our 'tsigkeys' table which contained very large rows. Trimmed in [commit 2400](http://wiki.powerdns.com/projects/trac/changeset/2400), closing [ticket 410](https://github.com/PowerDNS/pdns/issues/410).
-- Various build/configure-related fixes in [commit 2319](http://wiki.powerdns.com/projects/trac/changeset/2319), [commit 2373](http://wiki.powerdns.com/projects/trac/changeset/2373), [commit 2386](http://wiki.powerdns.com/projects/trac/changeset/2386), closing [ticket 380](https://github.com/PowerDNS/pdns/issues/380), [ticket 405](https://github.com/PowerDNS/pdns/issues/405), [ticket 420](https://github.com/PowerDNS/pdns/issues/420).
-- We now show the SOA serial after zone transfers. Code in [commit 2385](http://wiki.powerdns.com/projects/trac/changeset/2385), closing [ticket 416](https://github.com/PowerDNS/pdns/issues/416).
-- Ruben d'Arco submitted a full rework of our slave-side AXFR TSIG handling, closing [ticket 393](https://github.com/PowerDNS/pdns/issues/393) and [ticket 400](https://github.com/PowerDNS/pdns/issues/400) in the process. Code in [commit 2506](http://wiki.powerdns.com/projects/trac/changeset/2506). Additional improvement in [commit 2513](http://wiki.powerdns.com/projects/trac/changeset/2513).
-- The records.name-column in the gpgsql schema is now constrained to lowercase, as PowerDNS would be unable to find other entries anyway. Fix in [commit 2503](http://wiki.powerdns.com/projects/trac/changeset/2503), closing [ticket 426](https://github.com/PowerDNS/pdns/issues/426).
-- The gsql-backends can now handle huge records, thanks to a patch by Ruben d'Arco. Code in [commit 2476](http://wiki.powerdns.com/projects/trac/changeset/2476), closing [ticket 407](https://github.com/PowerDNS/pdns/issues/407). Additional changes in [commit 2292](http://wiki.powerdns.com/projects/trac/changeset/2292), [commit 2487](http://wiki.powerdns.com/projects/trac/changeset/2487), [commit 2489](http://wiki.powerdns.com/projects/trac/changeset/2489). Closes [ticket 218](https://github.com/PowerDNS/pdns/issues/218), [ticket 316](https://github.com/PowerDNS/pdns/issues/316).
-- Some of PowerDNS' internal classes would work with uninitialized data when repurposed outside of the PowerDNS core logic. Fix in [commit 2469](http://wiki.powerdns.com/projects/trac/changeset/2469),
-- pdnssec now has 'check-all-zones' and 'rectify-all-zones' commands. Submitted by Ruben d'Arco, code in [commit 2467](http://wiki.powerdns.com/projects/trac/changeset/2467).
-- 'restart' in our init.d-script would not start pdns if it was down before. Fixed in [commit 2462](http://wiki.powerdns.com/projects/trac/changeset/2462).
-- 'pdnssec rectify-zone' now honours --verbose and is rather quiet without it. Code in [commit 2443](http://wiki.powerdns.com/projects/trac/changeset/2443).
-- Improved error messages for systems without IPv6. Changes in [commit 2425](http://wiki.powerdns.com/projects/trac/changeset/2425).
-- The packet- and querycache now honour TTLs from backend data. Code in [commit 2414](http://wiki.powerdns.com/projects/trac/changeset/2414).
-- 'pdns\_control help' now shows useful usage information. Code in [commit 2410](http://wiki.powerdns.com/projects/trac/changeset/2410) and [commit 2465](http://wiki.powerdns.com/projects/trac/changeset/2465).
-- Jasper Spaans improved our init.d script for compliance with Debian Squeeze. Patch in [commit 2251](http://wiki.powerdns.com/projects/trac/changeset/2251). Further improvement with 'set -e' to initscript contributed by Marc Haber in [commit 2301](http://wiki.powerdns.com/projects/trac/changeset/2301).
-- Klaus Darilion discovered our configuration file template and --help output explained the various cache TTLs wrongly, and he also added documentation for some missing parameters. [commit 2271](http://wiki.powerdns.com/projects/trac/changeset/2271) and [commit 2272](http://wiki.powerdns.com/projects/trac/changeset/2272).
-- Add support for building against Botan 1.10 (stable) and drop support for 1.9 (development). Changes in [commit 2334](http://wiki.powerdns.com/projects/trac/changeset/2334). This fixes several bugs when building against 1.9.
-- Upgrade internal PolarSSL library to their version 1.1.1. Change in [commit 2389](http://wiki.powerdns.com/projects/trac/changeset/2389) and beyond.
-- Compilation of several backends failed for Boost in non-standard locations. Fixes in [commit 2316](http://wiki.powerdns.com/projects/trac/changeset/2316)..
-- We now do additional processing for SRV records too. Code in [commit 2388](http://wiki.powerdns.com/projects/trac/changeset/2388), closing [ticket 423](https://github.com/PowerDNS/pdns/issues/423) (which also contained the patch). Regression test updates that flow from this in [commit 2390](http://wiki.powerdns.com/projects/trac/changeset/2390).
-- Fix compilation on OSX. [commit 2316](http://wiki.powerdns.com/projects/trac/changeset/2316).
-- Fix pdnssec crash when asked to do DNSSEC without a DNSSEC capable backend. Code in [commit 2369](http://wiki.powerdns.com/projects/trac/changeset/2369).
-- If PowerDNS was not configured to operate as a DNS master, it would still accept 'pdns\_control notify' commands, but then not do it. Spotted by David Gavarret, patch by Jose Arthur Benetasso Villanova in [commit 2379](http://wiki.powerdns.com/projects/trac/changeset/2379).
-- In various places we would only accept UPPERCASE DNS typenames. Fixed in [commit 2370](http://wiki.powerdns.com/projects/trac/changeset/2370), closing [ticket 390](https://github.com/PowerDNS/pdns/issues/390).
-- We would not always drop supplemental groups correctly. Reported by David Black of Atlassian.
-- Our regression tests have been strengthened a lot, and now cover way more features. Commits in [2280](http://wiki.powerdns.com/projects/trac/changeset/2280), [2281](http://wiki.powerdns.com/projects/trac/changeset/2281), [2282](http://wiki.powerdns.com/projects/trac/changeset/2282), [2317](http://wiki.powerdns.com/projects/trac/changeset/2317), [2348](http://wiki.powerdns.com/projects/trac/changeset/2348), [2349](http://wiki.powerdns.com/projects/trac/changeset/2349), [2350](http://wiki.powerdns.com/projects/trac/changeset/2350), [2351](http://wiki.powerdns.com/projects/trac/changeset/2351) and beyond.
-- Update to support the latest draft of DANE/TLSA. Spotted by James Cloos ([commit 2338](http://wiki.powerdns.com/projects/trac/changeset/2338)). Further improvements by Pieter Lexis in [commit 2347](http://wiki.powerdns.com/projects/trac/changeset/2347), [commit 2358](http://wiki.powerdns.com/projects/trac/changeset/2358).
-- Compilation on OpenBSD was eased by patches from Brad Smith, which can be found in [commit 2288](http://wiki.powerdns.com/projects/trac/changeset/2288) and [commit 2291](http://wiki.powerdns.com/projects/trac/changeset/2291), closing [ticket 95](https://github.com/PowerDNS/pdns/issues/95).
-- 'make check' failed on the internal PolarSSL. Spotted by Daniel Briley, fix in [commit 2283](http://wiki.powerdns.com/projects/trac/changeset/2283).
-- The default SQL schemas were expanded to contain far longer content fields. [commit 2292](http://wiki.powerdns.com/projects/trac/changeset/2292), [commit 2293](http://wiki.powerdns.com/projects/trac/changeset/2293).
-- Documentation typos, Jake Spencer ([commit 2304](http://wiki.powerdns.com/projects/trac/changeset/2304)), Jose Arthur Benetasso Villanova ([commit 2337](http://wiki.powerdns.com/projects/trac/changeset/2337)). Code typos in [commit 2324](http://wiki.powerdns.com/projects/trac/changeset/2324) (closes [ticket 296](https://github.com/PowerDNS/pdns/issues/296)).
-- Manpage updates from Debian, provided by Matthijs Möhlmann. Content in [commit 2306](http://wiki.powerdns.com/projects/trac/changeset/2306).
-- pdnssec rectify-zone can now accept multiple zones at the same time. Code in [commit 2383](http://wiki.powerdns.com/projects/trac/changeset/2383).
-- As suggested in [ticket 416](https://github.com/PowerDNS/pdns/issues/416), we now log the SOA serial number after committing an AXFRed zone to the backend. Code in [commit 2385](http://wiki.powerdns.com/projects/trac/changeset/2385).
-- Pick up location of sqlite3 libraries using pkg-config. Implemented using a variation of the patch found in the, now closed, [ticket 380](https://github.com/PowerDNS/pdns/issues/380). Code in [commit 2386](http://wiki.powerdns.com/projects/trac/changeset/2386).
-- Documented 'pdnssec --verbose' flag is now accepted. Code in [commit 2384](http://wiki.powerdns.com/projects/trac/changeset/2384), closing [ticket 404](https://github.com/PowerDNS/pdns/issues/404).
-- 'pdnssec --help' now lists all supported signing algorithms. Suggested by Jose Arthur Benetasso Villanova.
-- PIPE backend example script with edns-subnet support was improved to actually use edns-subnet field. Plus update PIPE backend documentation. Code in [commit 2285](http://wiki.powerdns.com/projects/trac/changeset/2285), more documentation regarding MX and SRV in [commit 2313](http://wiki.powerdns.com/projects/trac/changeset/2313).
-- edns-subnet fields now also output in logfile when available ([commit 2321](http://wiki.powerdns.com/projects/trac/changeset/2321)).
-- When running with virtualized configuration files, we now allow dashes in the configuration name. Suggested by Marc Haber, code in [commit 2295](http://wiki.powerdns.com/projects/trac/changeset/2295). Further fixes by Brielle Bruns in [commit 2327](http://wiki.powerdns.com/projects/trac/changeset/2327).
-- Compilation fixes for GNU/Hurd in [commit 2307](http://wiki.powerdns.com/projects/trac/changeset/2307) via Matthijs Möhlmann.
-- Marc Haber improved our Debian packaging scripts for smoother upgrades. Code in [commit 2315](http://wiki.powerdns.com/projects/trac/changeset/2315).
-- When failing to bind to an IP address, report to which one it failed. [commit 2325](http://wiki.powerdns.com/projects/trac/changeset/2325).
-- Supermaster checks were performed synchronously, leading to the possibilities of slowdowns. Fixed in [commit 2402](http://wiki.powerdns.com/projects/trac/changeset/2402).
-
-## Other changes
-- Removed the deprecated non-generic mysqlbackend, in [commit 2488](http://wiki.powerdns.com/projects/trac/changeset/2488), [commit 2514](http://wiki.powerdns.com/projects/trac/changeset/2514), [commit 2515](http://wiki.powerdns.com/projects/trac/changeset/2515).
-- Removed the deprecated 'pdnsbackend', in [commit 2490](http://wiki.powerdns.com/projects/trac/changeset/2490), [commit 2516](http://wiki.powerdns.com/projects/trac/changeset/2516).
-- Removed GRANT statements from the gpgsql schema, as we can't assume they will work for everyone. Change in [commit 2493](http://wiki.powerdns.com/projects/trac/changeset/2493).
-Tickets closed but not associated with a commit
-- [ticket 125](https://github.com/PowerDNS/pdns/issues/125): "PowerDNS offers wild card info. when it is not queried for."
-- [ticket 219](https://github.com/PowerDNS/pdns/issues/219): "Accept NOTIFY from masters on non-standard port"
-- [ticket 247](https://github.com/PowerDNS/pdns/issues/247): "pdns caching weirdness with recursion-desired flag"
-- [ticket 253](https://github.com/PowerDNS/pdns/issues/253): "bind backend crashes on long comment line in included file"
-- [ticket 271](https://github.com/PowerDNS/pdns/issues/271): "PowerDNS Server responding with out-of-zone authority section in case there is a cname"
-- [ticket 304](https://github.com/PowerDNS/pdns/issues/304): "also-notify option for pdns, also gives also-notify for bindbackend."
-- [ticket 311](https://github.com/PowerDNS/pdns/issues/311): "PowerDNSSEC responding with SERVFAIL upon IN A query for a CNAME"
-- [ticket 325](https://github.com/PowerDNS/pdns/issues/325): "CNAME working strange!"
-- [ticket 376](https://github.com/PowerDNS/pdns/issues/376): "Unable to create long TXT records"
-- [ticket 412](https://github.com/PowerDNS/pdns/issues/412): "--without-lua doesn't disable lua"
-- [ticket 415](https://github.com/PowerDNS/pdns/issues/415): "Signing thread died during AXFR of signed domain"
-- [ticket 422](https://github.com/PowerDNS/pdns/issues/422): "ecdsa256 keys bug"
-
-# Authoritative Server version 2.9.22.6
-**Warning**: The 2.9.22.x series of releases is end-of-life and unsupported. It contains many issues and potential security problems. We urge you to upgrade to a recent version of PowerDNS!
-
-The improvements to the master/slave engine in 2.9.22.5 contained one serious bug that can cause crashes on busy setups. 2.9.22.6 fixes this crash.
-
-# Authoritative Server version 2.9.22.5
-**Warning**: The 2.9.22.x series of releases is end-of-life and unsupported. It contains many issues and potential security problems. We urge you to upgrade to a recent version of PowerDNS!
-
-2.9.22.5 is an interim release for those not yet ready to make the jump to 3.0, but do need a more recent version of the Authoritative Server. It also contains the patch from [PowerDNS Security Advisory 2012-01](security/powerdns-advisory-2012-01.md "PowerDNS Security Advisory 2012-01: PowerDNS Authoritative Server can be caused to generate a traffic loop").
-
-- Improved performance of master/slave engine, especially when hosting tens or hundreds of thousands of slave zones. Code in commits [1657](http://wiki.powerdns.com/projects/trac/changeset/1657), [1658](http://wiki.powerdns.com/projects/trac/changeset/1658), [1661](http://wiki.powerdns.com/projects/trac/changeset/1661) (which also brings multi-master support), [1662](http://wiki.powerdns.com/projects/trac/changeset/1662) (non-standard ports for masters), [1664](http://wiki.powerdns.com/projects/trac/changeset/1664), [1665](http://wiki.powerdns.com/projects/trac/changeset/1665), [1666](http://wiki.powerdns.com/projects/trac/changeset/1666), [1667](http://wiki.powerdns.com/projects/trac/changeset/1667), [1672](http://wiki.powerdns.com/projects/trac/changeset/1672), [1673](http://wiki.powerdns.com/projects/trac/changeset/1673), [2063](http://wiki.powerdns.com/projects/trac/changeset/2063)).
-- Compilation fixes for more modern compilers ([commit 1660](http://wiki.powerdns.com/projects/trac/changeset/1660), [commit 1694](http://wiki.powerdns.com/projects/trac/changeset/1694))
-- Don't crash on communication error with pdns\_control ([commit 2015](http://wiki.powerdns.com/projects/trac/changeset/2015)).
-- Packet cache fixes for UltraSPARC ([commit 1663](http://wiki.powerdns.com/projects/trac/changeset/1663))
-- Fix crashes in the BIND backend ([commit 1693](http://wiki.powerdns.com/projects/trac/changeset/1693), [commit 1692](http://wiki.powerdns.com/projects/trac/changeset/1692))
-
-# PowerDNS Authoritative Server 3.0.1
-**Warning**: The DNSSEC implementation of PowerDNS Authoritative Server 3.0 and 3.0.1 contains many issues regarding CNAMES, wildcards and (in)secure delegations. If you use any of these, and you use DNSSEC you MUST upgrade to 3.1 or beyond!
-
-3.0.1 consists of 3.0, plus the patch from [PowerDNS Security Advisory 2012-01](security/powerdns-advisory-2012-01.md "PowerDNS Security Advisory 2012-01: PowerDNS Authoritative Server can be caused to generate a traffic loop")
-
-# PowerDNS Authoritative Server 3.0
-Released on the 22nd of July 2011
-RC1 released on the 4th of April 2011
-RC2 released on the 19th of April 2011
-RC3 released on the 19th of July 2011
-
-**Warning**: Version 3.0 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. Please refer to the [Upgrade documentation](authoritative/upgrading.md) for important information on correct and stable operation, as well as notes on performance and memory use.
-
-**Warning**: The DNSSEC implementation of PowerDNS Authoritative Server 3.0 and 3.0.1 contains many issues regarding CNAMES, wildcards and (in)secure delegations. If you use any of these, and you use DNSSEC you MUST upgrade to 3.1 or beyond!
-
-Version 3.0 of the PowerDNS Authoritative Server brings a number of important features, as well as over two years of accumulated bug fixing.
-
-The largest news in 3.0 is of course the advent of DNSSEC. Not only does PowerDNS now (finally) support DNSSEC, we think that our support of this important protocol is among the easiest to use available. In addition, all important algorithms are supported.
-
-Complete detail can be found in [Serving authoritative DNSSEC data](authoritative/dnssec.md "Serving authoritative DNSSEC data"). The goal of 'PowerDNSSEC' is to allow existing PowerDNS installations to start serving DNSSEC with as little hassle as possible, while maintaining performance and achieving high levels of security.
-
-Tutorials and examples of how to use DNSSEC in PowerDNS can be found linked from [http://powerdnssec.org](http://powerdnssec.org).
-
-PowerDNS Authoritative Server 3.0 development has been made possible by the financial and moral support of
-
-- [AFNIC, the French registry](http://www.afnic.fr/)
-- [IPCom's RcodeZero Anycast DNS](http://www.ipcom.at/en/dns/rcodezero_anycast/), a subsidiary of NIC.AT, the Austrian registry
-- [SIDN, the Dutch registry](http://www.sidn.nl/)
-- .. (awaiting details) ..
-
-This release has received exceptional levels of community support, and we'd like to thank the following people in addition to those mentioned explicitly below: Peter Koch (DENIC), Olaf Kolkman (NLNetLabs), Wouter Wijngaards (NLNetLabs), Marco Davids (SIDN), Markus Travaille (SIDN), Leen Besselink, Antoin Verschuren (SIDN), Olafur Guðmundsson (IETF), Dan Kaminsky (Recursion Ventures), Roy Arends (Nominet), Miek Gieben (SIDN), Stephane Bortzmeyer (AFNIC), Michael Braunoeder (nic.at), Peter van Dijk, Maik Zumstrull, Jose Arthur Benetasso Villanova (Locaweb), Stefan Schmidt, Roland van Rijswijk (Surfnet), Paul Bakker (Brainspark/Fox-IT), Mathew Hennessy, Johannes Kuehrer (Austrian World4You GmbH), Marc van de Geijn (bHosted.nl), Stefan Arentz and Martin van Hensbergen (Fox-IT), Christof Meerwald, Detlef Peeters, Jack Lloyd, Frank Altpeter, Fredrik Danerklint, Vasiliy G Tolstov, Brielle Bruns, Evan Hunt, Ralf van der Enden, Marc Laros, Serge Belyshev, Christian Hofstaedtler, Charlie Smurthwaite, Nikolaos Milas, ..
-
-## Known issues as of RC3
-- Not all new features are fully documented yet
-
-## Changes between RC3 and final
-- Slight tweak to the pipebackend to ease DNSSEC operations ([commit 2239](http://wiki.powerdns.com/projects/trac/changeset/2239), [commit 2247](http://wiki.powerdns.com/projects/trac/changeset/2247)). Also fix pipebackend support in pdnssec tool ([commit 2244](http://wiki.powerdns.com/projects/trac/changeset/2244)).
-- Upgrade the experimental native Lua backend to the latest version from Fredrik Danerklint ([commit 2240](http://wiki.powerdns.com/projects/trac/changeset/2240)) and include this backend in the .deb packages ([commit 2242](http://wiki.powerdns.com/projects/trac/changeset/2242))
-- Remove IPv6 dependency, it was only possible to run master/slave operations on a server with at least one IPv6 address. Some very old virtualized setups turned out to have no IPv6 at all. Fix in [commit 2246](http://wiki.powerdns.com/projects/trac/changeset/2246).
-
-## Changes between RC2 and RC3
-- PowerDNS Authoritative Server could not be configured to use an IPv6 based resolving backend. Solved in [commit 2191](http://wiki.powerdns.com/projects/trac/changeset/2191).
-- LDAP backend reconfigured the timezone (TZ) setting of the daemon, leading to confusing logfile entries. Fixed by Christian Hofstaedtler in [commit 2913](http://wiki.powerdns.com/projects/trac/changeset/2913), closing [ticket 313](https://github.com/PowerDNS/pdns/issues/313).
-- Non-DNSSEC capable backends could crash on DNSSEC queries. Fixed in [commit 2194](http://wiki.powerdns.com/projects/trac/changeset/2194) and [commit 2196](http://wiki.powerdns.com/projects/trac/changeset/2196) (thanks to Charlie Smurthwaite) closing [ticket 360](https://github.com/PowerDNS/pdns/issues/360).
-- Errors looking up a UID or GID were reported confusingly ('Success'), fixed in [commit 2195](http://wiki.powerdns.com/projects/trac/changeset/2195), closing [ticket 359](https://github.com/PowerDNS/pdns/issues/359).
-- Fix compilation against older MySQL, client libraries ([commit 2198](http://wiki.powerdns.com/projects/trac/changeset/2198), [commit 2199](http://wiki.powerdns.com/projects/trac/changeset/2199), [commit 2204](http://wiki.powerdns.com/projects/trac/changeset/2204)), especially for older RHEL/CentOS. Also addresses the failure to look in lib64 directory for PostgreSQL.
-- Sqlite3 needs write access not just to its database file, but also to the directory it is in. If this wasn't the case, no useful error message was provided. Improvement in [commit 2202](http://wiki.powerdns.com/projects/trac/changeset/2202).
-- Update of MongoDB backend ([commit 2203](http://wiki.powerdns.com/projects/trac/changeset/2203), [commit 2212](http://wiki.powerdns.com/projects/trac/changeset/2212)).
-- 'pdnssec hash-zone-record' emitted an inverted warning about narrow NSEC3 hashes. Spotted by Jan-Piet Mens, fix in [commit 2205](http://wiki.powerdns.com/projects/trac/changeset/2205).
-- PowerDNS can fill out default fields for SOA records, but neglected to do so if the SOA record was matched by an incoming ANY question. Spotted by Marc Laros & others. Fixes [ticket 357](https://github.com/PowerDNS/pdns/issues/357), code in [commit 2206](http://wiki.powerdns.com/projects/trac/changeset/2206).
-- PowerDNS would mistreat binary data in TXT records. Fix in [commit 2207](http://wiki.powerdns.com/projects/trac/changeset/2207). Again spotted by Jan-Piet Mens. Closes [ticket 356](https://github.com/PowerDNS/pdns/issues/356).
-- Add experimental Lua backend by our star contributor Fredrik Danerklint. [commit 2208](http://wiki.powerdns.com/projects/trac/changeset/2208).
-- Christoph Meerwald discovered our RRSIG freshness checking checked more than the intended RRSIG (on the SOA record). Fix in [commit 2209](http://wiki.powerdns.com/projects/trac/changeset/2209).
-- Christoph Meerwald discovered we got confused by TSIG signed EDNS-adorned queries, since we expected the EDNS OPT pseudorecord to be the very last record. Fix in [commit 2214](http://wiki.powerdns.com/projects/trac/changeset/2214).
-- Christoph Meerwald discovered that when using SOA outgoing editing we would sign and THEN edit. This was not productive. Fixed in [commit 2215](http://wiki.powerdns.com/projects/trac/changeset/2215).
-- Add missing-but-documented pdnssec command 'disable-dnssec'. Spotted by Craig Whitmore. Plus fixed misleading --help output. Code in [commit 2216](http://wiki.powerdns.com/projects/trac/changeset/2216).
-- By popular demand, a tweak which makes an overloaded database no longer restart PowerDNS but to drop queries until the database is available again. Code in [commit 2217](http://wiki.powerdns.com/projects/trac/changeset/2217), lightly tested. Enable by setting 'overload-queue-length=100' (for example).
-- By suggestion of Miek Gieben of SIDN, add SOA-EDIT mode 'EPOCH' which sets the SOA serial number to the 'UNIX time'. Implemented in [commit 2218](http://wiki.powerdns.com/projects/trac/changeset/2218).
-- Added some US export control & ECCN to documentation, needed because of DNSSEC content. Update in [commit 2219](http://wiki.powerdns.com/projects/trac/changeset/2219).
-- Fix up various spelling mistakes and badly formatted messages ([commit 2220](http://wiki.powerdns.com/projects/trac/changeset/2220) and [commit 2221](http://wiki.powerdns.com/projects/trac/changeset/2221)) by Maik Zumstrull and 'anonymous'.
-- After a lot of thought, we now handle CNAMEs to names outside our knowledge ('bailiwick') exactly as in BIND 9.8.0, even though our way was standards compliant too. It confused things. Update in [commit 2222](http://wiki.powerdns.com/projects/trac/changeset/2222) and [commit 2224](http://wiki.powerdns.com/projects/trac/changeset/2224).
-- Tweak sqlite3 library location detection for newer Ubuntu versions. Change in [commit 2223](http://wiki.powerdns.com/projects/trac/changeset/2223).
-- DNSSEC SQL schema improvements allowing for the use of constraints and foreign keys in [commit 2225](http://wiki.powerdns.com/projects/trac/changeset/2225), by Gerald Gruenberg, closing [ticket 371](https://github.com/PowerDNS/pdns/issues/371).
-- Add support for EDNS option 'edns-subnet', based on draft-vandergaast-edns-client-subnet ([commit 2226](http://wiki.powerdns.com/projects/trac/changeset/2226), [commit 2228](http://wiki.powerdns.com/projects/trac/changeset/2228), [commit 2229](http://wiki.powerdns.com/projects/trac/changeset/2229), [commit 2230](http://wiki.powerdns.com/projects/trac/changeset/2230), [commit 2231](http://wiki.powerdns.com/projects/trac/changeset/2231), [commit 2233](http://wiki.powerdns.com/projects/trac/changeset/2233)).
-- Zone2sql sent out the wrong 'COMMIT' statement in sqlite mode. In addition, in this mode, zone2sql would not emit statements to update the domains table unless the 'slave' setting was chosen. Code in [commit 2167](http://wiki.powerdns.com/projects/trac/changeset/2167).
-- We dropped the Authoritative Answer flag on an out-of-bailiwick CNAME referral, which was unnecessary. Code in [commit 2170](http://wiki.powerdns.com/projects/trac/changeset/2170).
-- Kees Monshouwer discovered that we failed to detect the location of PostgreSQL on RHEL/CentOS. Fix in [commit 2144](http://wiki.powerdns.com/projects/trac/changeset/2144). In addition, [commit 2162](http://wiki.powerdns.com/projects/trac/changeset/2162) eases detection of MySQL on RHEL/CentOS 64 bits systems.
-- Marc Laros re-reported an old bug in the internally used 'pdns' backend where details of the SOA record were not filled out correctly. Resolved in [commit 2145](http://wiki.powerdns.com/projects/trac/changeset/2145).
-- Jan-Piet Mens found that our TSIG signed SOA zone freshness check was signed incorrectly. Fixed in [commit 2147](http://wiki.powerdns.com/projects/trac/changeset/2147). Improved error messages that helped debug this issue in [commit 2148](http://wiki.powerdns.com/projects/trac/changeset/2148), [commit 2149](http://wiki.powerdns.com/projects/trac/changeset/2149).
-- Jan-Piet Mens helped debug an issue where some servers were "almost always" unable to transfer a TSIG signed zone correctly. Turns out that the TSIG signing code used an internal timestamp and not the remote timestamp. Because of good NTP synchronization this quite often was not a problem. Fix in [commit 2159](http://wiki.powerdns.com/projects/trac/changeset/2159).
-- Thor Spruyt of Telenet discovered that the PowerDNS code would try to emit DNS answers over TCP of over 65535 bytes long, which failed. We now truncate such answers properly. Code in [commit 2150](http://wiki.powerdns.com/projects/trac/changeset/2150).
-- The Slave engine now reuses an existing database connection, removing the need to create a new database connection every minute (and worse, log about it). Code in [commit 2153](http://wiki.powerdns.com/projects/trac/changeset/2153).
-- Fix a potential Year 2106 bug in the TSIG signing code. Because we care ([commit 2156](http://wiki.powerdns.com/projects/trac/changeset/2156)).
-- Added experimental support for the 'DANE' TLSA record which is used to authenticate SSL certificates via DNSSEC. [commit 2161](http://wiki.powerdns.com/projects/trac/changeset/2161).
-- Added experimental support for the MongoDB 'NoSQL' backend, contributed by Fredrik Danerklint in [commit 2162](http://wiki.powerdns.com/projects/trac/changeset/2162).
-
-## Other major new features
-- TSIG for authorizing and authenticating AXFR requests & incoming zone transfers (Code in [2024](http://wiki.powerdns.com/projects/trac/changeset/2024), [2025](http://wiki.powerdns.com/projects/trac/changeset/2025), [2033](http://wiki.powerdns.com/projects/trac/changeset/2033), [2034](http://wiki.powerdns.com/projects/trac/changeset/2034)). This allows for retrieving TSIG protected content, as well as serving it.
-- Per zone also-notify.
-- MyDNS compatible backend, allowing for 'instantaneous' migration from this authoritative nameserver. Code in [commit 1418](http://wiki.powerdns.com/projects/trac/changeset/1418), contributed by Jonathan Oddy.
-- PowerDNS can now slave zones over IPv6 and notify IPv6 remotes of updates. Already. Code in [commit 2009](http://wiki.powerdns.com/projects/trac/changeset/2009) and beyond.
-- Lua based incoming zone editing, allowing masters or signing slaves to add information to the zone they will (re-)serve. Implemented in [commit 2065](http://wiki.powerdns.com/projects/trac/changeset/2065). To enable, use LUA-AXFR-SCRIPT zone metadata setting.
-- Native Oracle backend with full DNSSEC support. Contributed by Maik Zumstrull, then at the Steinbuch Centre for Computing at the Karlsruhe Institute of Technology.
-- "Also-notify" support, implemented by Aki Tuomi in [commit 1400](http://wiki.powerdns.com/projects/trac/changeset/1400). Support for Generic SQL backends and for the BIND backend. Further code in [commit 1360](http://wiki.powerdns.com/projects/trac/changeset/1360).
-- Support for binding to thousands of IP addresses, code in [commit 1443](http://wiki.powerdns.com/projects/trac/changeset/1443).
-- Generic MySQL backend now supports stored procedures. Implemented in [commit 2084](http://wiki.powerdns.com/projects/trac/changeset/2084), closing [ticket 231](https://github.com/PowerDNS/pdns/issues/231).
-- Generic ODBC backend compiles again, and is reported to work for some users that need it. Code contributed in [ticket 309](https://github.com/PowerDNS/pdns/issues/309), author unknown.
-- Massively parallel slaving infrastructure, able to check the freshness of thousands of remote zones per second, plus perform many incoming zone transfers simultaneously. Sponsored by Tyler Hall, code in [1449](http://wiki.powerdns.com/projects/trac/changeset/1449), [1500](http://wiki.powerdns.com/projects/trac/changeset/1500), [1859](http://wiki.powerdns.com/projects/trac/changeset/1859)
-- Core DNS logic replaced completely to deal with the brave new world of DNSSEC.
-
-## Bugs fixed
-- sqlite2 and sqlite3 backends used MySQL-style escaping, leading to SQL errors in some cases. Discovered by Sten Spans. Fixed in [commit 1342](http://wiki.powerdns.com/projects/trac/changeset/1342).
-- Internal webserver no longer prints '1e2%'. Bug rediscovered by Jeff Sipek. Fixed in [commit 1342](http://wiki.powerdns.com/projects/trac/changeset/1342).
-- PowerDNS would refuse to serve domain names with spaces in them, or otherwise non-printable characters. Addressed in [commit 2081](http://wiki.powerdns.com/projects/trac/changeset/2081).
-- PowerDNS can now serve escaped labels, as described by RFC 4343. Data should be present in backends in that escaped form. Code in [commit 2089](http://wiki.powerdns.com/projects/trac/changeset/2089).
-- In some cases, we would include duplicate CNAMEs. In addition, we would hand out a full root-referral when not configured to in some cases (ticket [223](https://github.com/PowerDNS/pdns/issues/223)). Discovered by Andreas Jakum, fixed in [commit 1344](http://wiki.powerdns.com/projects/trac/changeset/1344).
-- Shane Kerr discovered we would corrupt DNS transaction IDs from the packet cache on big endian systems. Fix in [commit 1346](http://wiki.powerdns.com/projects/trac/changeset/1346), closing [ticket 222](https://github.com/PowerDNS/pdns/issues/222).
-- PowerDNS did not use RFC 1982 serial arithmetic, leading to a SOA serial number of 1 to be regarded as older than 4400000000, when in fact it is 'newer'. Issue (re-)discovered by Jan-Piet Mens.
-- BIND backend got confused of a zone's file name changed after a configuration reload. Fix in [commit 1347](http://wiki.powerdns.com/projects/trac/changeset/1347), closing [ticket 228](https://github.com/PowerDNS/pdns/issues/228).
-- When restarted by the Guardian, PowerDNS will perform a full multi-threaded cache cleanup, which took a long time and could crash. Fix in [commit 1364](http://wiki.powerdns.com/projects/trac/changeset/1364).
-- Under artificial circumstances, PowerDNS would never clean its packet cache. Found by Marcus Goller, fix in [commit 1399](http://wiki.powerdns.com/projects/trac/changeset/1399) and [commit 1408](http://wiki.powerdns.com/projects/trac/changeset/1408). This update also retunes the cleanup frequency.
-- Packetcache would cache things it should not have been caching. Fixes in commits [1407](http://wiki.powerdns.com/projects/trac/changeset/1407), [1488](http://wiki.powerdns.com/projects/trac/changeset/1488), [1869](http://wiki.powerdns.com/projects/trac/changeset/1869), [1880](http://wiki.powerdns.com/projects/trac/changeset/1880)
-- When processing incoming notifications, the BIND backend was case-sensitive, and would disregard notifications in the wrong case. Discovered by 'Dolphin', fix in [commit 1420](http://wiki.powerdns.com/projects/trac/changeset/1420).
-- The init.d script did not mention the 'reload' command. Code in [commit 1463](http://wiki.powerdns.com/projects/trac/changeset/1463), closes [ticket 233](https://github.com/PowerDNS/pdns/issues/233).
-- Generic SQL Backends would sometimes emit obscure error messages. Fix in [commit 2049](http://wiki.powerdns.com/projects/trac/changeset/2049).
-- PowerDNS would be confused by embedded NULs in domain names, and would also mess up the escaping of some characters. Fix in [commit 1468](http://wiki.powerdns.com/projects/trac/changeset/1468), [commit 1469](http://wiki.powerdns.com/projects/trac/changeset/1469), [commit 1478](http://wiki.powerdns.com/projects/trac/changeset/1478), [commit 1480](http://wiki.powerdns.com/projects/trac/changeset/1480),
-- SOA queries for the name of a delegation point were not referred. Fix in [commit 1466](http://wiki.powerdns.com/projects/trac/changeset/1466), closing [ticket 224](https://github.com/PowerDNS/pdns/issues/224). In addition, queries for AAAA for a CNAMEd record pointing to a name with no AAAA would deliver a direct SOA, without the CNAME in between. Fix in [commit 1542](http://wiki.powerdns.com/projects/trac/changeset/1542), [commit 1607](http://wiki.powerdns.com/projects/trac/changeset/1607). Also, wildcard CNAMEs pointing to a record without the type requested suffered from the same issue, fix in [commit 1543](http://wiki.powerdns.com/projects/trac/changeset/1543).
-- On processing an incoming AXFR, once an MX or SRV record had been seen, all future fields got a 'priority' entry as well. This had no operational impact, but looked messy. Fixed in [commit 1437](http://wiki.powerdns.com/projects/trac/changeset/1437).
-- Aki Tuomi discovered that the BIND zone file parser would misrepresent 'something IN MX 15 @'. Fix in [commit 1621](http://wiki.powerdns.com/projects/trac/changeset/1621).
-- Marco Davids discovered the BIND zone file parser would trip over really long lines. Fix in [commit 1624](http://wiki.powerdns.com/projects/trac/changeset/1624), [commit 1625](http://wiki.powerdns.com/projects/trac/changeset/1625).
-- Thomas Mieslinger discovered that our webserver would only be started after dropping privileges, which could cause problems. Fix in [commit 1629](http://wiki.powerdns.com/projects/trac/changeset/1629).
-- Zone2sql did quite often not do exactly what was required, which users fixed by editing the SQL output. Revamped in [commit 2032](http://wiki.powerdns.com/projects/trac/changeset/2032).
-- An Ubuntu user discovered in Launchpad bug 600479 that restarting database threads cost a lot of memory. Normally this is rare, except in case of problems. Addressed in [commit 1676](http://wiki.powerdns.com/projects/trac/changeset/1676).
-- BIND backend could crash under (very) high load with very large numbers of zones (hundreds of thousands). Fixed in [commit 1690](http://wiki.powerdns.com/projects/trac/changeset/1690).
-- Miek Gieben and Marco Davids spotted that PowerDNS would answer the version.bind query in the IN class too. Bug reported via twitter! Fix in [commit 1709](http://wiki.powerdns.com/projects/trac/changeset/1709).
-- Marcus Lauer and the OpenDNSSEC project discovered that outgoing notifications did not carry the 'aa' flag. Fixed in [commit 1746](http://wiki.powerdns.com/projects/trac/changeset/1746).
-- Debugging PowerDNS, or backgrounding it, could cause crashes. Fixed by Anders Kaseorg in [commit 1747](http://wiki.powerdns.com/projects/trac/changeset/1747).
-- Fixed a bug that could cause crashes on launching thousands of backend connections. Never observed to occur, but who knows. Fix in [commit 1792](http://wiki.powerdns.com/projects/trac/changeset/1792).
-- Under some circumstances, large answers could be truncated in mid-record. While technically legal, this upset a number of resolver implementations (including the PowerDNS Recursor!). Fixed in [commit 1830](http://wiki.powerdns.com/projects/trac/changeset/1830), re-closes [ticket 200](https://github.com/PowerDNS/pdns/issues/200).
-- Jan Piet Mens and Florian Weimer discovered we had problems dealing with escaped labels and escaped TXT fields. Fixed in [commit 2000](http://wiki.powerdns.com/projects/trac/changeset/2000).
-- After 2.2 billion queries, statistics would wrap oddly. Fix in [commit 2019](http://wiki.powerdns.com/projects/trac/changeset/2019), closing [ticket 327](https://github.com/PowerDNS/pdns/issues/327).
-
-## Improvements
-- Long TXT records are now split into 255-byte components automatically. Implemented in [commit 1340](http://wiki.powerdns.com/projects/trac/changeset/1340), reported by Darren Gamble in [ticket 188](https://github.com/PowerDNS/pdns/issues/188).
-- When receiving large numbers of notifications, PowerDNS would check these synchronously, leading to a slowdown for other services. Fixed in [commit 2058](http://wiki.powerdns.com/projects/trac/changeset/2058), problem diagnosed by Richard Poole of Heart Internet.
-- Fixed compilation on newer compilers and newer versions of Boost. Changes in [1345](http://wiki.powerdns.com/projects/trac/changeset/1345) (closes [ticket 227](https://github.com/PowerDNS/pdns/issues/227)), [1391](http://wiki.powerdns.com/projects/trac/changeset/1391), [1394](http://wiki.powerdns.com/projects/trac/changeset/1394), [1425](http://wiki.powerdns.com/projects/trac/changeset/1425), [1427](http://wiki.powerdns.com/projects/trac/changeset/1427), [1428](http://wiki.powerdns.com/projects/trac/changeset/1428), [1429](http://wiki.powerdns.com/projects/trac/changeset/1429), [1440](http://wiki.powerdns.com/projects/trac/changeset/1440), [1653](http://wiki.powerdns.com/projects/trac/changeset/1653), thanks to Ruben Kerkhof and others.
-- Moved Generic PostgreSQL backend over to the newer E'' style escapes. [commit 2094](http://wiki.powerdns.com/projects/trac/changeset/2094).
-- Compilation fixes for Mac OS X 10.5.7 in [commit 1389](http://wiki.powerdns.com/projects/trac/changeset/1389), thanks to Tobias Markmann.
-- We can now bind to scoped IPv6 addresses, lack spotted by Darren Gamble. Part of the fix is in [commit 2018](http://wiki.powerdns.com/projects/trac/changeset/2018).
-- Built-in query cache can now also cache queries which lead to multiple answers. Code in [commit 2069](http://wiki.powerdns.com/projects/trac/changeset/2069).
-- Prodded on by Jan Piet Mens, we now support 'unknown types' (which look like TYPE65534).
-- Add 'slave-renotify' to retransmit notifies for slaved zones, which is helpful when acting as a 'signing slave' for a hidden master. Code in [commit 1950](http://wiki.powerdns.com/projects/trac/changeset/1950).
-- No longer let zone2sql and zone2ldap import BIND 'hint' zones. [commit 1998](http://wiki.powerdns.com/projects/trac/changeset/1998).
-- Allow for timestamps to explicitly be specified in (s)econds. Code in [commit 1398](http://wiki.powerdns.com/projects/trac/changeset/1398), closing [ticket 250](https://github.com/PowerDNS/pdns/issues/250).
-- Zones with URL and MBOXFW records can be transferred over AXFR, code in [commit 1464](http://wiki.powerdns.com/projects/trac/changeset/1464).
-- Maik Zumstrull cleaned up the BIND Backend makefile, plus taught our init.d script to read /etc/default/pdns. Code in [commit 1601](http://wiki.powerdns.com/projects/trac/changeset/1601), [commit 1602](http://wiki.powerdns.com/projects/trac/changeset/1602).
-- Generic SQL backends now support multiple masters in the domains table. Code in [commit 1857](http://wiki.powerdns.com/projects/trac/changeset/1857). Additionally, masters can also have :port numbers. Code in [commit 1858](http://wiki.powerdns.com/projects/trac/changeset/1858).
-
-# Recursor version 3.3.1
-**Warning**:Unreleased
-
-Version 3.3.1 contains a small number of important fixes, adds some memory usage statistics, but no new features.
-
-- Discovered by John J and Robin J, the PowerDNS Recursor did not process packets that were truncated in mid-record, and also did not act on the 'truncated' (TC) flag in that case. This broke a very small number of domains, most of them served by very old versions of the PowerDNS Authoritative Server. Fix in [commit 1740](http://wiki.powerdns.com/projects/trac/changeset/1740).
-- PowerDNS emitted a harmless, but irritating, error message on receiving certain very short packets. Discovered by Winfried A and John J, fix in [commit 1729](http://wiki.powerdns.com/projects/trac/changeset/1729).
-- PowerDNS could crash on startup if configured to provide service on malformed IPv6 addresses on FreeBSD, or in case when the FreeBSD kernel was compiled without any form of IPv6 support. Debugged by Bryan Seitz, fix in [commit 1727](http://wiki.powerdns.com/projects/trac/changeset/1727).
-- Add max-mthread-stack metric to debug rare crashes. Could be used to save memory on constrained systems. Implemented in [commit 1745](http://wiki.powerdns.com/projects/trac/changeset/1745).
-- Add cache-bytes and packetcache-bytes metrics to measure our 'pre-malloc' memory utilization. Implemented in [commit 1750](http://wiki.powerdns.com/projects/trac/changeset/1750).
-
-# Recursor version 3.3
-Released on the 22nd of September 2010.
-
-**Warning**: Version 3.3 fixes a number of small but persistent issues, rounds off our IPv6 %link-level support and adds an important feature for many users of the Lua scripts.
-
-In addition, scalability on Solaris 10 is improved.
-
-## Bug fixes
-- 'dist-recursor' script was not compatible with pure POSIX /bin/sh, discovered by Simon Kirby. Fix in [commit 1545](http://wiki.powerdns.com/projects/trac/changeset/1545).
-- Simon Bedford, Brad Dameron and Laurient Papier discovered relatively high TCP/IP loads could cause TCP/IP service to shut down over time. Addressed in commits [1546](http://wiki.powerdns.com/projects/trac/changeset/1546), [1640](http://wiki.powerdns.com/projects/trac/changeset/1640), [1652](http://wiki.powerdns.com/projects/trac/changeset/1652), [1685](http://wiki.powerdns.com/projects/trac/changeset/1685), [1698](http://wiki.powerdns.com/projects/trac/changeset/1698). Additional information provided by Zwane Mwaikambo, Nicholas Miell and Jeff Roberson. Testing by Christian Hofstaedtler and Michael Renner.
-- The PowerDNS Recursor could not read the 'root zone' (this is something else than the root hints) because of an unquoted TXT record. This has now been addressed, allowing operators to hardcode the root zone. This can improve security if the root zone used is kept up to date. Change in [commit 1547](http://wiki.powerdns.com/projects/trac/changeset/1547).
-- A return of an old bug, when a domain gets new nameservers, but the old nameservers continue to contain a copy of the domain, PowerDNS could get 'stuck' with the old servers. Fixed in [commit 1548](http://wiki.powerdns.com/projects/trac/changeset/1548).
-- Discovered & reported by Alexander Gall of SWITCH, the Recursor used to try to resolve 'AXFR' records over UDP. Fix in [commit 1619](http://wiki.powerdns.com/projects/trac/changeset/1619).
-- The Recursor embedded authoritative server messed up parsing a record like '@ IN MX 15 @'. Spotted by Aki Tuomi, fix in [commit 1621](http://wiki.powerdns.com/projects/trac/changeset/1621).
-- The Recursor embedded authoritative server messed up parsing really really long lines. Spotted by Marco Davids, fix in [commit 1624](http://wiki.powerdns.com/projects/trac/changeset/1624), [commit 1625](http://wiki.powerdns.com/projects/trac/changeset/1625).
-- Packet cache was not DNS class correct. Spotted by "Robin", fix in [commit 1688](http://wiki.powerdns.com/projects/trac/changeset/1688).
-- The packet cache would cache some NXDOMAINs for too long. Solving this bug exposed an underlying oddity where the initial NXDOMAIN response had an overly long (untruncated) TTL, whereas all the next ones would be ok. Solved in [commit 1679](http://wiki.powerdns.com/projects/trac/changeset/1679), closing [ticket 281](https://github.com/PowerDNS/pdns/issues/281). Especially important for RBL operators. Fixed after some nagging by Alex Broens (thanks).
-
-## Improvements
-- The priming of the root now uses more IPv6 addresses. Change in [commit 1550](http://wiki.powerdns.com/projects/trac/changeset/1550), closes [ticket 287](https://github.com/PowerDNS/pdns/issues/287). Also, the IPv6 address of I.ROOT-SERVERS.NET was added in [commit 1650](http://wiki.powerdns.com/projects/trac/changeset/1650).
-- The `rec_control dump-cache` command now also dumps the 'negative query' cache. Code in [commit 1713](http://wiki.powerdns.com/projects/trac/changeset/1713).
-- PowerDNS Recursor can now bind to fe80 IPv6 space with '%eth0' link selection. Suggested by Darren Gamble, implemented with help from Niels Bakker. Change in [commit 1620](http://wiki.powerdns.com/projects/trac/changeset/1620).
-- Solaris on x86 has a long standing bug in port\_getn(), which we now work around. Spotted by 'Dirk' and 'AS'. Solution suggested by the Apache runtime library, update in [commit 1622](http://wiki.powerdns.com/projects/trac/changeset/1622).
-- New runtime statistic: 'tcp-clients' which lists the number of currently active TCP/IP clients. Code in [commit 1623](http://wiki.powerdns.com/projects/trac/changeset/1623).
-- Deal better with UltraDNS style CNAME redirects containing SOA records. Spotted by Andy Fletcher from UKDedicated in [ticket 303](https://github.com/PowerDNS/pdns/issues/303), fix in [commit 1628](http://wiki.powerdns.com/projects/trac/changeset/1628).
-- The packet cache, which has 'ready to use' packets containing answers, now artificially ages the ready to use packets. Code in [commit 1630](http://wiki.powerdns.com/projects/trac/changeset/1630).
-- Lua scripts can now indicate that certain queries will have 'variable' answers, which means that the packet cache will not touch these answers. This is great for overriding some domains for some users, but not all of them. Use setvariable() in Lua to indicate such domains. Code in [commit 1636](http://wiki.powerdns.com/projects/trac/changeset/1636).
-- Add query statistic called 'dont-outqueries', plus add IPv6 address :: and IPv4 address 0.0.0.0 to the default "dont-query" set, preventing the Recursor from talking to itself. Code in [commit 1637](http://wiki.powerdns.com/projects/trac/changeset/1637).
-- Work around a gcc 4.1 bug, still in wide use on common platforms. Code in [commit 1653](http://wiki.powerdns.com/projects/trac/changeset/1653).
-- Add 'ARCHFLAGS' to PowerDNS Recursor Makefile, easing 64 bit compilation on mainly 32 bit platforms (and vice versa).
-- Under rare circumstances, querying the Recursor for statistics under very high load could lead to a crash (although this has never been observed). Bad code removed & good code unified in [commit 1675](http://wiki.powerdns.com/projects/trac/changeset/1675).
-- Spotted by Jeff Sipek, the rec\_control manpage did not list the new get-all command. [commit 1677](http://wiki.powerdns.com/projects/trac/changeset/1677).
-- On some platforms, it may be better to have PowerDNS itself distribute queries over threads (instead of leaving it up to the kernel). This experimental feature can be enabled with the 'pdns-distributes-queries' setting. Code in [commit 1678](http://wiki.powerdns.com/projects/trac/changeset/1678) and beyond. Speeds up Solaris measurably.
-- Cache cleaning code was cleaned up, unified and expanded to cover the 'negative cache', which used to be cleaned rather bluntly. Code in [commit 1702](http://wiki.powerdns.com/projects/trac/changeset/1702), further tweaks in [commit 1712](http://wiki.powerdns.com/projects/trac/changeset/1712), spotted by Darren Gamble, Imre Gergely and Christian Kovacic.
-
-## Changes between RC1, RC2 and RC3.
-- RC2: Fixed linking on RHEL5/CentOS5, which both ship with a gcc compiler that claims to support atomic operations, but doesn't. Code in [commit 1714](http://wiki.powerdns.com/projects/trac/changeset/1714). Spotted by 'Bas' and Imre Gergely.
-- RC2: Negative query cache was configured to grow too large, and was not cleaned efficiently. Code in [commit 1712](http://wiki.powerdns.com/projects/trac/changeset/1712), spotted by Imre Gergely.
-- RC3: Root failed to be renewed automatically, relied on fallback to make this happen. Code in [commit 1716](http://wiki.powerdns.com/projects/trac/changeset/1716), spotted by Detlef Peeters.
-
-# Recursor version 3.2
-Released on the 7th of March 2010.
-
-**Warning**: Lua scripts from version 3.1.7.* are fully compatible with version 3.2. However, scripts written for development snapshot releases, are NOT. Please see [Scripting](recursor/scripting.md "Scripting") for details!
-
-The 3.2 release is the first major release of the PowerDNS Recursor in a long time. Partly this is because 3.1.7.* functioned very well, and delivered satisfying performance, partly this is because in order to really move forward, some heavy lifting had to be done.
-
-As always, we are grateful for the large PowerDNS community that is actively involved in improving the quality of our software, be it by submitting patches, by testing development versions of our software or helping debug interesting issues. We specifically want to thank Stefan Schmidt and Florian Weimer, who both over the years have helped tremendously in keeping PowerDNS fast, stable and secure.
-
-This version of the PowerDNS Recursor contains a rather novel form of lock-free multithreading, a situation that comes close to the old '--fork' trick, but allows the Recursor to fully utilize multiple CPUs, while delivering unified statistics and operational control.
-
-In effect, this delivers the best of both worlds: near linear scaling, with almost no administrative overhead.
-
-Compared to 'regular multithreading', whereby threads cooperate more closely, more memory is used, since each thread maintains its own DNS cache. However, given the economics, and the relatively limited total amount of memory needed for high performance, this price is well worth it.
-
-In practical numbers, over 40,000 queries/second sustained performance has now been measured by a third party, with a 100.0% packet response rate. This means that the needs of around 400,000 residential connections can now be met by a single commodity server.
-
-In addition to the above, the PowerDNS Recursor is now providing resolver service for many more Internet users than ever before. This has brought with it 24/7 Service Level Agreements, and 24/7 operational monitoring by networking personnel at some of the largest telecommunications companies in the world.
-
-In order to facilitate such operation, more statistics are now provided that allow the visual verification of proper PowerDNS Recursor operation. As an example of this there are now graphs that plot how many queries were dropped by the operating system because of a CPU overload, plus statistics that can be monitored to determine if the PowerDNS deployment is under a spoofing attack.
-All in all, this is a large and important PowerDNS Release, paving the way for further innovation.
-
-**Note**: This release removes support for the 'fork' multi-processor option. In addition, the default is now to spawn two threads. This has been done in such a way that total memory usage will remain identical, so each thread will use half of the allocated maximum number of cache entries.
-
-## Changes between RC2 and -release
-- 'Make install' when an existing configuration file contained a 'fork' statement has been fixed. Spotted by Darren Gamble, code in [commit 1534](http://wiki.powerdns.com/projects/trac/changeset/1534).
-- Reloading a non-existent allow-from-file caused the control thread to stop working. Spotted by Imre Gergely, code in [commit 1532](http://wiki.powerdns.com/projects/trac/changeset/1532).
-- Parser got confused by reading en empty line in auth-forward-zones. Spotted by Imre Gergely, code in [commit 1533](http://wiki.powerdns.com/projects/trac/changeset/1533).
-- David Gavarret discovered undocumented and not-working settings to set the owner, group and access modes of the control socket. Code by Aki Tuomi and documentation in [commit 1535](http://wiki.powerdns.com/projects/trac/changeset/1535). Fixup in [commit 1536](http://wiki.powerdns.com/projects/trac/changeset/1536) for FreeBSD as found by Ralf van der Enden.
-- Tiny improvement possibly solving an issue on Solaris 10's completion port event multiplexer ([commit 1537](http://wiki.powerdns.com/projects/trac/changeset/1537)).
-
-## Changes between RC1 and RC2
-- Compilation on Solaris 10 has been fixed (various patchlevels had different issues), code in [commit 1522](http://wiki.powerdns.com/projects/trac/changeset/1522).
-- Compatibility with CentOS4/RHEL4 has been restored, the gcc and glibc versions shipped with this distribution contain a Thread Local Storage bug which we now work around. Thanks to Darren Gamble and Imre Gergely for debugging this issue, code in [commit 1527](http://wiki.powerdns.com/projects/trac/changeset/1527).
-- A failed setuid operation, because of misconfiguration, would result in a crash instead of an error message. Fixed in [commit 1523](http://wiki.powerdns.com/projects/trac/changeset/1523).
-- Imre Gergely discovered that PowerDNS was doing spurious root repriming when invalidating nssets. Fixed in [commit 1531](http://wiki.powerdns.com/projects/trac/changeset/1531).
-- Imre Gergely discovered our rrd graphs had not been changed for the new multithreaded world, and did not allow scaling beyond 200% cpu use. In addition, CPU usage graphs did not add up correctly. Implemented in [commit 1524](http://wiki.powerdns.com/projects/trac/changeset/1524).
-- Andreas Jakum discovered the description of 'max-packetcache-entries' and 'forward-zones-recurse' was wrong in the output of '--help' and '--config'. In addition, some stray backup files made it into the RC1 release. Addressed in [commit 1529](http://wiki.powerdns.com/projects/trac/changeset/1529).
-Full release notes follow, including some overlap with the incremental release notes above. Improvements
-- Multithreading, allowing near linear scaling to multiple CPUs or cores. Configured using 'threads=' (many commits). This also deprecates the '--fork' option.
-- Added ability to read a configuration item of a running PowerDNS Recursor using 'rec\_control get-parameter' ([commit 1243](http://wiki.powerdns.com/projects/trac/changeset/1243)), suggested by Wouter de Jong.
-- Added ability to read all statistics in one go of a running PowerDNS Recursor using 'rec\_control get-all' ([commit 1496](http://wiki.powerdns.com/projects/trac/changeset/1496)), suggested by Michael Renner.
-- Speedups in packet generation (Commits [1258](http://wiki.powerdns.com/projects/trac/changeset/1258), [1259](http://wiki.powerdns.com/projects/trac/changeset/1259), [1262](http://wiki.powerdns.com/projects/trac/changeset/1262))
-- TCP deferred accept() filter is turned on again for slight DoS protection. Code in [commit 1414](http://wiki.powerdns.com/projects/trac/changeset/1414).
-- PowerDNS Recursor can now do TCP/IP queries to remote IPv6 addresses ([commit 1412](http://wiki.powerdns.com/projects/trac/changeset/1412)).
-- Solaris 9 '/dev/poll' support added, Solaris 8 now deprecated. Changes in [commit 1421](http://wiki.powerdns.com/projects/trac/changeset/1421), [commit 1422](http://wiki.powerdns.com/projects/trac/changeset/1422), [commit 1424](http://wiki.powerdns.com/projects/trac/changeset/1424), [commit 1413](http://wiki.powerdns.com/projects/trac/changeset/1413).
-- Lua functions can now also see the address \_to\_ which a question was sent, using getlocaladdress(). Implemented in [commit 1309](http://wiki.powerdns.com/projects/trac/changeset/1309) and [commit 1315](http://wiki.powerdns.com/projects/trac/changeset/1315).
-- Maximum cache sizes now default to a sensible value. Suggested by Roel van der Made, implemented in [commit 1354](http://wiki.powerdns.com/projects/trac/changeset/1354).
-- Domains can now be forwarded to IPv6 addresses too, using either ::1 syntax or [::1]:25. Thanks to Wijnand Modderman for discovering this issue, fixed in [commit 1349](http://wiki.powerdns.com/projects/trac/changeset/1349).
-- Lua scripts can now load libraries at runtime, for example to calculate md5 hashes. Code by Winfried Angele in [commit 1405](http://wiki.powerdns.com/projects/trac/changeset/1405).
-- Periodic statistics output now includes average queries per second, as well as packet cache numbers ([commit 1493](http://wiki.powerdns.com/projects/trac/changeset/1493)).
-- New metrics are available for graphing, plus added to the default graphs ([commit 1495](http://wiki.powerdns.com/projects/trac/changeset/1495), [commit 1498](http://wiki.powerdns.com/projects/trac/changeset/1498), [commit 1503](http://wiki.powerdns.com/projects/trac/changeset/1503))
-- Fix errors/crashes on more recent versions of Solaris 10, where the ports functions could return ENOENT under some circumstances. Reported and debugged by Jan Gyselinck, fixed in [commit 1372](http://wiki.powerdns.com/projects/trac/changeset/1372).
-
-## New features
-- Add pdnslog() function for Lua scripts, so errors or other messages can be logged properly.
-- New settings to set the owner, group and access modes of the control socket (socket-owner, socket-group, socket-mode). Code by Aki Tuomi and documentation in [commit 1535](http://wiki.powerdns.com/projects/trac/changeset/1535). Fixup in [commit 1536](http://wiki.powerdns.com/projects/trac/changeset/1536) for FreeBSD as found by Ralf van der Enden.
-- rec\_control now accepts a --timeout parameter, which can be useful when reloading huge Lua scripts. Implemented in [commit 1366](http://wiki.powerdns.com/projects/trac/changeset/1366).
-- Domains can now be forwarded with the 'recursion-desired' bit on or off, using either **forward-zones-recurse** or by prefixing the name of a zone with a '+' in **forward-zones-file**. Feature suggested by Darren Gamble, implemented in [commit 1451](http://wiki.powerdns.com/projects/trac/changeset/1451).
-- Access control lists can now be reloaded at runtime (implemented in [commit 1457](http://wiki.powerdns.com/projects/trac/changeset/1457)).
-- PowerDNS Recursor can now use a pool of query-local-addresses to further increase resilience against spoofing. Suggested by Ad Spelt, implemented in [commit 1426](http://wiki.powerdns.com/projects/trac/changeset/1426).
-- PowerDNS Recursor now also has a packet cache, greatly speeding up operations. Implemented in [commit 1426](http://wiki.powerdns.com/projects/trac/changeset/1426), [commit 1433](http://wiki.powerdns.com/projects/trac/changeset/1433) and further.
-- Cache can be limited in how long it maximally stores records, for BIND compatibility (TTL limiting), by setting **max-cache-ttl**.Idea by Winfried Angele, implemented in [commit 1438](http://wiki.powerdns.com/projects/trac/changeset/1438).
-- Cache cleaning turned out to be scanning more of the cache than necessary for cache maintenance. In addition, far more frequent but smaller cache cleanups improve responsiveness. Thanks to Winfried Angele for discovering this issue. (commits [1501](http://wiki.powerdns.com/projects/trac/changeset/1501), [1507](http://wiki.powerdns.com/projects/trac/changeset/1507))
-- Performance graphs enhanced with separate CPU load and cache effectiveness plots, plus display of various overload situations (commits [1503](http://wiki.powerdns.com/projects/trac/changeset/1503))
-
-## Compiler/Operating system/Library updates
-- PowerDNS Recursor can now compile against newer versions of Boost (verified up to and including 1.42.0). Reported & fixed by Darix in [commit 1274](http://wiki.powerdns.com/projects/trac/changeset/1274). Further fixes in [commit 1275](http://wiki.powerdns.com/projects/trac/changeset/1275), [commit 1276](http://wiki.powerdns.com/projects/trac/changeset/1276), [commit 1277](http://wiki.powerdns.com/projects/trac/changeset/1277), [commit 1283](http://wiki.powerdns.com/projects/trac/changeset/1283).
-- Fix compatibility with newer versions of GCC (closes ticket [ticket 227](https://github.com/PowerDNS/pdns/issues/227), spotted by Ruben Kerkhof, code in [commit 1345](http://wiki.powerdns.com/projects/trac/changeset/1345), more fixes in commit [1394](http://wiki.powerdns.com/projects/trac/changeset/1394), [1416](http://wiki.powerdns.com/projects/trac/changeset/1416), [1440](http://wiki.powerdns.com/projects/trac/changeset/1440)).
-- Rrdtool update graph is now compatible with FreeBSD out of the box. Thanks to Bryan Seitz ([commit 1517](http://wiki.powerdns.com/projects/trac/changeset/1517)).
-- Fix up Makefile for older versions of Make ([commit 1229](http://wiki.powerdns.com/projects/trac/changeset/1229)).
-- Solaris compilation improvements (out of the box, no handwork needed).
-- Solaris 9 MTasker compilation fixes, as suggested by John Levon. Changes in [commit 1431](http://wiki.powerdns.com/projects/trac/changeset/1431).
-
-## Bug fixes
-- Under rare circumstances, the recursor could crash on 64 bit Linux systems running glibc 2.7, as found in Debian Lenny. These circumstances became a lot less rare for the 3.2 release. Discovered by Andreas Jakum and debugged by \#powerdns, fix in [commit 1519](http://wiki.powerdns.com/projects/trac/changeset/1519).
-- Imre Gergely discovered that PowerDNS was doing spurious root repriming when invalidating nssets. Fixed in [commit 1531](http://wiki.powerdns.com/projects/trac/changeset/1531).
-- Configuration parser is now resistant against trailing tabs and other whitespace ([commit 1242](http://wiki.powerdns.com/projects/trac/changeset/1242))
-- Fix typo in a Lua error message. Close [ticket 210](https://github.com/PowerDNS/pdns/issues/210), as reported by Stefan Schmidt ([commit 1319](http://wiki.powerdns.com/projects/trac/changeset/1319)).
-- Profiled-build instructions were broken, discovered & fixes suggested by Stefan Schmidt. [ticket 239](https://github.com/PowerDNS/pdns/issues/239), fix in [commit 1462](http://wiki.powerdns.com/projects/trac/changeset/1462).
-- Fix up duplicate SOA from a remote authoritative server from showing up in our output ([commit 1475](http://wiki.powerdns.com/projects/trac/changeset/1475)).
-- All security fixes from 3.1.7.2 are included.
-- Under highly exceptional circumstances on FreeBSD the PowerDNS Recursor could crash because of a TCP/IP error. Reported and fixed by Andrei Poelov in [ticket 192](https://github.com/PowerDNS/pdns/issues/192), fixed in [commit 1280](http://wiki.powerdns.com/projects/trac/changeset/1280).
-- PowerDNS Recursor can be a root-server again. Error spotted by the ever vigilant Darren Gamble (ticket [229](https://github.com/PowerDNS/pdns/issues/229)), fix in [commit 1458](http://wiki.powerdns.com/projects/trac/changeset/1458).
-- Rare TCP/IP errors no longer lead to PowerDNS Recursor logging errors or becoming confused. Debugged by Josh Berry of Plusnet PLC. Code in [commit 1457](http://wiki.powerdns.com/projects/trac/changeset/1457).
-- Do not hammer parent servers in case child zones are misconfigured, requery at most once every 10 seconds. Reported & investigated by Stefan Schmidt and Andreas Jakum, fixed in [commit 1265](http://wiki.powerdns.com/projects/trac/changeset/1265).
-- Properly process answers from remote authoritative servers that send error answers without including the original question ([commit 1329](http://wiki.powerdns.com/projects/trac/changeset/1329), [commit 1327](http://wiki.powerdns.com/projects/trac/changeset/1327)).
-- No longer spontaneously turn on 'export-etc-hosts' after reloading zones. Discovered by Paul Cairney, reported in [ticket 225](https://github.com/PowerDNS/pdns/issues/225), addressed in [commit 1348](http://wiki.powerdns.com/projects/trac/changeset/1348).
-- Very abrupt server failure of large numbers of high-volume authoritative servers could trigger an out of memory situation. Addressed in [commit 1505](http://wiki.powerdns.com/projects/trac/changeset/1505).
-- Make timeouts for queries to remote authoritative servers configurable with millisecond granularity. In addition, the old code turned out to consider the timeout expired when the integral number of seconds since 1970 increased by 1 - which *on average* is after 500ms. This might have caused spurious timeouts! New default timeout is 1500ms. See **network-timeout** setting for more details. Code in [commit 1402](http://wiki.powerdns.com/projects/trac/changeset/1402).
-
-# Recursor version 3.1.7.2
-Released on the 6th of January 2010.
-
-This release consist of a number of vital security updates. These updates address issues that can in all likelihood lead to a full system compromise. In addition, it is possible for third parties to pollute your cache with dangerous data, exposing your users to possible harm.
-
-This version has been well tested, and at the time of this release is already powering millions of internet connections, and should therefore be a risk-free upgrade from 3.1.7.1 or any earlier version of the PowerDNS Recursor.
-
-All known versions of the PowerDNS Recursor are impacted to a greater or lesser extent, so an immediate update is advised.
-
-These vulnerabilities were discovered by a third party that can't yet be named, but who we thank for their contribution to a more secure PowerDNS Recursor.
-
-For more information, see [PowerDNS Security Advisory 2010-01](security/powerdns-advisory-2010-01.md "PowerDNS Security Advisory 2010-01: PowerDNS Recursor up to and including 3.1.7.1 can be brought down and probably exploited") and [PowerDNS Security Advisory 2010-02](security/powerdns-advisory-2010-02.md "PowerDNS Security Advisory 2010-02: PowerDNS Recursor up to and including 3.1.7.1 can be spoofed into accepting bogus data").
-
-# Recursor version 3.1.7.1
-Released on the 2nd of August 2009.
-
-This release consists entirely of fixes for tiny bugs that have been reported over the past year. In addition, compatibility has been restored with the latest versions of the gcc compiler and the 'boost' libraries.
-
-No features have been added, but some debugging code that very slightly impacted performance (and polluted the console when operating in the foreground) has been removed.
-
-FreeBSD users may want to upgrade because of a very remote chance of 3.1.7 and previous crashing once every few years. For other operators not currently experiencing problems, there is no reason to upgrade.
-
-- Improved error messages when parsing zones for authoritative serving ([commit 1235](http://wiki.powerdns.com/projects/trac/changeset/1235)).
-- Better resilience against whitespace in configuration (changesets [1237](http://wiki.powerdns.com/projects/trac/changeset/1237), [1240](http://wiki.powerdns.com/projects/trac/changeset/1240), [1242](http://wiki.powerdns.com/projects/trac/changeset/1242))
-- Slight performance increase ([commit 1378](http://wiki.powerdns.com/projects/trac/changeset/1378))
-- Fix rare case where timeouts were not being reported to the right query-thread ([commit 1260](http://wiki.powerdns.com/projects/trac/changeset/1260))
-- Fix compilation against newer versions of the Boost C++ libraries ([commit 1381](http://wiki.powerdns.com/projects/trac/changeset/1381))
-- Close very rare issue with TCP/IP close reporting ECONNRESET on FreeBSD. Reported by Andrei Poelov in [ticket 192](https://github.com/PowerDNS/pdns/issues/192).
-- Silence debugging output ([commit 1286](http://wiki.powerdns.com/projects/trac/changeset/1286)).
-- Fix compilation against newer versions of gcc ([commit 1384](http://wiki.powerdns.com/projects/trac/changeset/1384))
-- No longer set export-etc-hosts to 'on' on reload-zones. Discovered by Paul Cairney, closes [ticket 225](https://github.com/PowerDNS/pdns/issues/225).
-- Sane default for the maximum cache size in the Recursor, suggested by Roel van der Made ([commit 1354](http://wiki.powerdns.com/projects/trac/changeset/1354)).
-- No longer exit because of the changed behaviour of the Solaris 'completion ports' in more recent versions of Solaris. Fix in [commit 1372](http://wiki.powerdns.com/projects/trac/changeset/1372), reported by Jan Gyselinck.
-
-# Authoritative Server version 2.9.22
-**Warning**: The 2.9.22.x series of releases is end-of-life and unsupported. It contains many issues and potential security problems. We urge you to upgrade to a recent version of PowerDNS!
-
-Released on the 27th of January 2009.
-
-This is a huge release, spanning almost 20 months of development. Besides fixing a lot of bugs, of note is the addition of the so called 'Notification Proxy', which allows PowerDNS to function as a master server behind a firewall, plus the huge performance improvement of the internal caches.
-
-This work has been made possible by UPC Broadband and Directi, respectively.
-
-Finally, the release candidates of this version have been tested & improved by Jorn Ekkelenkamp, Ton van Rosmalen, Jeff Sipek, Tyler Hall, Christof Meerwald and Stefan Schmidt.
-
-## Fixed between rc1 and rc2, but not an issue in 2.9.21.
-- **pdns\_control ccounts** again outputs proper cache statistics. Implemented in [commit 1304](http://wiki.powerdns.com/projects/trac/changeset/1304).
-- Negative query caching was reinstated, leading to 6 times fewer backend queries than rc1 on the Express.powerdns.com servers.
-- Packetcache no longer needlessly parses outgoing packets before sending them.
-- Fancy records work again. This work has been sponsored by ISP Services. Implemented in [commit 1302](http://wiki.powerdns.com/projects/trac/changeset/1302) and [commit 1299](http://wiki.powerdns.com/projects/trac/changeset/1299).
-
-## New features
-- **pdns\_control** can now also work over TCP/IP. Sponsored by Directi. Commits [1246](http://wiki.powerdns.com/projects/trac/changeset/1246), [1251](http://wiki.powerdns.com/projects/trac/changeset/1251), [1254](http://wiki.powerdns.com/projects/trac/changeset/1254), [1255](http://wiki.powerdns.com/projects/trac/changeset/1255).
-- Implemented a notification proxy, see ["Notification proxy (nproxy)"](tools/analysis.md#nproxy"). This work was sponsored by UPC Broadband. Implemented in commits [1075](http://wiki.powerdns.com/projects/trac/changeset/1075), [1077](http://wiki.powerdns.com/projects/trac/changeset/1077), [1082](http://wiki.powerdns.com/projects/trac/changeset/1082), [1083](http://wiki.powerdns.com/projects/trac/changeset/1083), [1085](http://wiki.powerdns.com/projects/trac/changeset/1085) and [1086](http://wiki.powerdns.com/projects/trac/changeset/1086).
-- IXFR queries are now supported in the sense that we treat them as AXFR queries, silencing warnings in other nameservers. Suggested in [ticket 131](https://github.com/PowerDNS/pdns/issues/131).
-- The PIPE backend has been extended by David Apgar to allow the reporting of errors using the 'FAIL' command, plus support for responses with whitespace. Implemented in [commit 1114](http://wiki.powerdns.com/projects/trac/changeset/1114).
-- PowerDNS Authoritative server now parses incoming EDNS options, like maximum allowed packet size. Implemented in [commit 1123](http://wiki.powerdns.com/projects/trac/changeset/1123) and [commit 1281](http://wiki.powerdns.com/projects/trac/changeset/1281).
-- Added support for DHCID, IPSECKEY and KX records, thanks Norbert Sendetzky for the hint. Implemented in [commit 1144](http://wiki.powerdns.com/projects/trac/changeset/1144).
-- Norbert Sendetzky has has added support for all record types supported by PowerDNS to the LDAPBackend. Furthermore, the detection of OpenLDAP in autoconf has been improved. Finally, debian has supplied some fixes to PowerLDAP. Implemented in [commit 1152](http://wiki.powerdns.com/projects/trac/changeset/1152) and [commit 1153](http://wiki.powerdns.com/projects/trac/changeset/1153).
-- Implemented EDNS NSID option for retrieving the nameserver ID out of band. Defaults to hostname, can be specified using the **server-id** setting. Code in [commit 1232](http://wiki.powerdns.com/projects/trac/changeset/1232).
-- Implemented experimental EDNS PING for enhanced forgery resilience. Code in [commit 1232](http://wiki.powerdns.com/projects/trac/changeset/1232).
-
-## Performance
-- Improve packet generation performance, in some cases by 25%. Code in [1258](http://wiki.powerdns.com/projects/trac/changeset/1258), [1259](http://wiki.powerdns.com/projects/trac/changeset/1259).
-- Improved access list checking performance. [commit 1261](http://wiki.powerdns.com/projects/trac/changeset/1261).
-- PowerDNS Authoritative caches were completely redone, and are now based on the same cache that is in the resolver. This work has been sponsored by Directi. In large benchmarks, PowerDNS performance has improved by an order of magnitude or more. This new version allows for near-instantaneous cache purging, plus very rapid purging based on suffix. Purge commands can also be batched. This work is partially based on an innovative reverse-string comparison function authored by Aki Tuomi.
-- Installations which run with very high cache hitrates can now benefit from multiple CPUs by setting **receiver-threads** to the number of desired CPUs to utilize in cache operations. Implemented in [commit 1316](http://wiki.powerdns.com/projects/trac/changeset/1316).
-- BIND backend speedups in [commit 1108](http://wiki.powerdns.com/projects/trac/changeset/1108), measured at around a 20% improvement, possibly more on very large setups.
-
-## Bugs fixed
-- Tyler Hall discovered the PowerDNS configuration file parser had problems with trailing tabs. This turned out to be a wider problem in PowerDNS. Buggy code replaced by a library call in [commit 1237](http://wiki.powerdns.com/projects/trac/changeset/1237) and [commit 1240](http://wiki.powerdns.com/projects/trac/changeset/1240).
-- David Apgar of Yahoo discovered that our 'guardian' method of restarting PowerDNS in case of problems was not fool proof, and submitted a fix. A variation of this fix can be found in [commit 1323](http://wiki.powerdns.com/projects/trac/changeset/1323). Also reported by Directi.
-- Connection reset by peer events in the TCP nameserver no longer lead to the cycling of database connections. Code in [commit 1241](http://wiki.powerdns.com/projects/trac/changeset/1241).
-- FreeBSD compilation with Generic PostgreSQL backend was fixed. Reported by Wouter de Jong of WideXS, fixed in [commit 1305](http://wiki.powerdns.com/projects/trac/changeset/1305), closes [ticket 95](https://github.com/PowerDNS/pdns/issues/95).
-- Webserver no longer prints '1e2%'. Finally closes [ticket 26](https://github.com/PowerDNS/pdns/issues/26). Much friendly nagging for over 3 years by Jeff Sipek, code in [commit 1303](http://wiki.powerdns.com/projects/trac/changeset/1303).
-- PowerDNS used to ignore certain queries it could not answer. These queries are no longer ignored, but get a SERVFAIL response. Implemented in [commit 1239](http://wiki.powerdns.com/projects/trac/changeset/1239).
-- Fix subtle CNAME and wildcard interactions reported by 'zzyzz', implemented in [commit 1147](http://wiki.powerdns.com/projects/trac/changeset/1147).
-- The generic backends did not honour the **default-ttl** setting. Spotted and implemented by Matti Hiljanen.
-- Matti Hiljanen discovered that the OpenDBX backend did not fill out the SOA ttl value properly. Matti also improved the SQL statements for better compatibility. Implemented in [commit 1181](http://wiki.powerdns.com/projects/trac/changeset/1181).
-- Treat invalid WWW requests better. Spotted by Maikel Verheijen, implemented in [commit 1092](http://wiki.powerdns.com/projects/trac/changeset/1092).
-- Documentation errors and typos, spotted by Marco Davids ([commit 1097](http://wiki.powerdns.com/projects/trac/changeset/1097)) and Rejo Zengers ([commit 1119](http://wiki.powerdns.com/projects/trac/changeset/1119))
-- Properly fill out the 'recursion available'-flag. Spotted by Augie Schwer in [ticket 167](https://github.com/PowerDNS/pdns/issues/167).
-- Several memory leaks on bad data in the database or other errors have been fixed. Addressed in [1078](http://wiki.powerdns.com/projects/trac/changeset/1078) and [1079](http://wiki.powerdns.com/projects/trac/changeset/1079).
-- In contravention to the documentation, the domain type as specified in the database ('MASTER', 'SLAVE' or 'NATIVE') was interpreted case sensitively. [1084](http://wiki.powerdns.com/projects/trac/changeset/1084).
-- BIND backend could crash on processing information about slave zones to be checked. Spotted by Stefan Schmidt, fixed in [1089](http://wiki.powerdns.com/projects/trac/changeset/1089).
-- Jelte Jansen of Stichting NLNetLabs discovered PowerDNS in BIND mode couldn't operate as a root-server! Fixed in [1057](http://wiki.powerdns.com/projects/trac/changeset/1057).
-- 'DPS' discovered there was a rare opportunity for PowerDNS to lock up waiting for new data. Addressed in [1076](http://wiki.powerdns.com/projects/trac/changeset/1076).
-- Make singlethreaded mode more resilient against errors. [commit 1272](http://wiki.powerdns.com/projects/trac/changeset/1272).
-- DNSSEC records were part of 2.9.21, but were not actually hooked up. Please note that while PowerDNS can serve most DNSSEC records, it does not do DNSSEC processing. Implemented in [1046](http://wiki.powerdns.com/projects/trac/changeset/1046).
-- Shawn Starr migrated all his domains to PowerDNS in one evening, from an installation that had been used since BIND4. In doing so, he found 3 bugs in as many hours. An **IN** statement in the BIND `named.conf` with a zone with a trailing dot was misparsed, fixed in [commit 1233](http://wiki.powerdns.com/projects/trac/changeset/1233). Secondly, the zone file parser tripped over a line consisting of nothing but comments in the wrong place. Finally '$ORIGIN .' was misparsed. Last two issues fixed in [commit 1234](http://wiki.powerdns.com/projects/trac/changeset/1234).
-- Our statistics counters did not wrap correctly after the 2.15 billion mark. Spotted by Stefan Schmidt, reported in [ticket 179](https://github.com/PowerDNS/pdns/issues/179), fixed in [commit 1284](http://wiki.powerdns.com/projects/trac/changeset/1284).
-- Bindbackend could sometimes generate very strange error messages while processing a malformed zone file. Sometimes such error messages could cause a crash (reported on HP-UX). Addressed by [commit 1279](http://wiki.powerdns.com/projects/trac/changeset/1279). This could not be triggered remotely. Closes ticket [ticket 203](https://github.com/PowerDNS/pdns/issues/203).
-- Pipe backend did not clean up killed coprocesses. Found and fixed by Daniel Drown
-- Installations with tens of thousands of slave domains would never complete the cycle to check the freshness of all zones as each incoming notification disrupted this cycle. Addressed in cooperation with Tyler Hall of EditDNS.
-
-## Improvements
-- Zone parser improvements mean $TTL and $INCLUDES now work a lot better. Implemented in [1056](http://wiki.powerdns.com/projects/trac/changeset/1056), [1062](http://wiki.powerdns.com/projects/trac/changeset/1062).
-- No longer report temporary recvfrom errors, which used to spam the log on many systems. Addressed in [commit 1320](http://wiki.powerdns.com/projects/trac/changeset/1320).
-- Direct queries for 'fancy records' would lead to errors, such queries now fail early. Spotted by Jorn Ekkelenkamp, implemented in [1051](http://wiki.powerdns.com/projects/trac/changeset/1051).
-- Fix typo in geobackend, closing [ticket 157](https://github.com/PowerDNS/pdns/issues/157), implemented in [1090](http://wiki.powerdns.com/projects/trac/changeset/1090).
-- Initial work on TSIG support - not done yet. Spurred on by Marco Davids.
-- Embarrassingly, the 'master' configuration setting was not documented in the list of all settings!
-- Norbert has updated OpenDBX so that SQLite reads and writes no longer deadlock, plus compilation fixes on Solaris, plus the addition of autoserials to backends that support triggers. Implemented in [commit 1154](http://wiki.powerdns.com/projects/trac/changeset/1154).
-- Random generator is now based on AES, improving the security of certain proxy operations. This is the same random generator that is in the recursor. Implemented in [commit 1256](http://wiki.powerdns.com/projects/trac/changeset/1256).
-- Documentation for 'supermaster' mode was improved due to popular demand.
-- When binding to a UDP port failed, supply a more precise error message ([commit 1245](http://wiki.powerdns.com/projects/trac/changeset/1245))
-- The zone parser error messages were vastly improved, partially inspired by Shawn's cowboy migration. Code in [commit 1235](http://wiki.powerdns.com/projects/trac/changeset/1235).
-- Labels are compressed more efficiently (case-insensitively), leading to smaller packets. Implemented in [commit 1156](http://wiki.powerdns.com/projects/trac/changeset/1156).
-- Fix handling of TCP timeouts to not cause a reload of the backends. Implemented in [commit 1092](http://wiki.powerdns.com/projects/trac/changeset/1092).
-- TCP Receiver no longer spams the log with common network errors. Implemented in [commit 1306](http://wiki.powerdns.com/projects/trac/changeset/1306).
-- Move from select() to poll()-based multiplexing, allowing PowerDNS to listen on more than 1024 sockets simultaneously. One big PowerDNS user needs this. Implemented in [1072](http://wiki.powerdns.com/projects/trac/changeset/1072).
-- Zone2sql now reads source files in performance enhancing inode order. Additionally, zone2sql no longer dies on a missing zone file if **--on-error-resume-next** was specified. Finally, statistics of zone2sql conversion have been improved. Implemented in [1055](http://wiki.powerdns.com/projects/trac/changeset/1055).
-- Address issues found by more recent g++ versions. Spotted and/or fixed by Jorn Ekkelenkamp ([commit 1051](http://wiki.powerdns.com/projects/trac/changeset/1051)), Marcus Rueckert ([commit 1094](http://wiki.powerdns.com/projects/trac/changeset/1094)), Norbert Sendetzky ([commit 1107](http://wiki.powerdns.com/projects/trac/changeset/1107)), Serge Belyshev ([commit 1171](http://wiki.powerdns.com/projects/trac/changeset/1171)).
-- The Intel C Compiler implements certain things differently, causing the master/slave communicator to malfunction. Spotted by Marcus Rueckert, implemented in [1052](http://wiki.powerdns.com/projects/trac/changeset/1052), plus fallout in [1105](http://wiki.powerdns.com/projects/trac/changeset/1105).
-- PowerDNS can now be compiled with Boost 1.37.0.
-- Andre Lorbach of Adiscon discovered the Microsoft Windows 2003 nameserver adds out of zone data to zone transfers, which we need to ignore, instead of rejecting the entire zone. Implemented in [1048](http://wiki.powerdns.com/projects/trac/changeset/1048).
-- PowerDNS now skips remote master servers which consistently generate timeout messages, improving the master checking cycle time tremendously. Developed in cooperation with Tyler Hall. Implemented in [commit 1278](http://wiki.powerdns.com/projects/trac/changeset/1278).
-- When binding to a UDP port failed, supply a more precise error message ([commit 1245](http://wiki.powerdns.com/projects/trac/changeset/1245))
-- **dnsreplay** now waits for the final answers to arrive, making it possible to process even small pcap files and get meaningful statistics. [commit 1268](http://wiki.powerdns.com/projects/trac/changeset/1268).
-- **dnsreplay** has a more sane default timeout now, which can be configured too. Suggested by Augie Schwer in [ticket 163](https://github.com/PowerDNS/pdns/issues/163), implemented in [commit 1287](http://wiki.powerdns.com/projects/trac/changeset/1287).
-
-# Authoritative Server version 2.9.21.2
-Released on the 18th of November 2008.
-
-This release consists of a single patch to PowerDNS Authoritative Server version 2.9.21.1. In some configurations, notably with configuration option 'distributor-threads=1', the PowerDNS Authoritative Server crashes easily in some error conditions.
-
-All users are urged to upgrade. Even though PowerDNS restarts itself on encountering such error conditions, and even though most PowerDNS configurations do not run in single threaded mode, an upgrade is recommended.
-
-More detail can be found in [PowerDNS Security Advisory 2008-02](security/powerdns-advisory-2008-03.md "PowerDNS Security Advisory 2008-02: Some PowerDNS Configurations can be forced to restart remotely").
-
-# Authoritative Server version 2.9.21.1
-Released on the 6th of August 2008.
-
-This release consists of a single patch to PowerDNS Authoritative Server version 2.9.21. Brian J. Dowling of Simplicity Communications has discovered a security implication of the previous PowerDNS behaviour to drop queries it considers malformed. We are grateful that Brian notified us quickly about this problem.
-
-This issue has been assigned CVE-2008-3337. The single patch is in [commit 1239](http://wiki.powerdns.com/projects/trac/changeset/1239). More detail can be found in [PowerDNS Security Advisory 2008-02](security/powerdns-advisory-2008-02.md "PowerDNS Security Advisory 2008-02: By not responding to certain queries, domains become easier to spoof").
-
-The implication is that while the PowerDNS Authoritative server itself does not face a security risk because of dropping these malformed queries, other resolving nameservers run a higher risk of accepting spoofed answers for domains being hosted by PowerDNS Authoritative Servers before 2.9.21.1.
-
-While the dropping of queries does not aid sophisticated spoofing attempts, it does facilitate simpler attacks.
-
-It may be good to know that several large sites already run with this patch applied, as it has been in the public code base for some weeks already.
-
-# Recursor version 3.1.7
-Released the 25th of June 2008.
-
-This version contains powerful scripting abilities, allowing operators to modify DNS responses in many interesting ways. Among other things, these abilities can be used to filter out malware domains, to perform load balancing, to comply with legal and other requirements and finally, to implement 'NXDOMAIN' redirection.
-
-It is hoped that the addition of Lua scripting will enable responsible DNS modification for those that need it.
-
-For more details about the Lua scripting, which can be modified, loaded and unloaded at runtime, see [Scripting](recursor/scripting.md "Scripting"). Many thanks are due to the \#lua irc channel, for excellent near-realtime Lua support. In addition, a number of PowerDNS users have been enthusiastically testing prereleases of the scripting support, and have found and solved many issues.
-
-In addition, 3.1.7 fixes a number of bugs
-
-- In 3.1.5 and 3.1.6, an authoritative server could continue to renew its authority, even though a domain had been delegated to other servers in the meantime.
-
- In the rare cases where this happened, and the old servers were not shut down, the observed effect is that users were fed outdated data. Bug spotted and analysed by Darren Gamble, fix in [commit 1182](http://wiki.powerdns.com/projects/trac/changeset/1182) and [commit 1183](http://wiki.powerdns.com/projects/trac/changeset/1183).
-
-- Thanks to long time PowerDNS contributor Stefan Arentz, for the first time, Mac OS X 10.5 users can compile and run the PowerDNS Recursor! Patch in [commit 1185](http://wiki.powerdns.com/projects/trac/changeset/1185).
-- Sten Spans spotted that for outgoing TCP/IP queries, the **query-local-address** setting was not honored. Fixed in [commit 1190](http://wiki.powerdns.com/projects/trac/changeset/1190).
-- **rec\_control wipe-cache** now also wipes domains from the negative cache, hurrying up the expiry of negatively cached records. Suggested by Simon Kirby, implemented in [commit 1204](http://wiki.powerdns.com/projects/trac/changeset/1204).
-- When a forwarder server is configured for a domain, using the **forward-zones** setting, this server IP address was filtered using the **dont-query** setting, which is generally not what is desired: the server to which queries are forwarded will often live in private IP space, and the operator should be trusted to know what he is doing. Reported and argued by Simon Kirby, fix in [commit 1211](http://wiki.powerdns.com/projects/trac/changeset/1211).
-- Marcus Rueckert of OpenSUSE reported that very recent gcc versions emitted a (correct) warning on an overly complicated line in syncres.cc, fixed in [commit 1189](http://wiki.powerdns.com/projects/trac/changeset/1189).
-- Stefan Schmidt discovered that the netmask matching code, used by the new Lua scripts, but also by all other parts of PowerDNS, had problems with explicit '/32' matches. Fixed in [commit 1205](http://wiki.powerdns.com/projects/trac/changeset/1205).
-
-# Recursor version 3.1.6
-Released on the 1st of May 2008.
-
-This version fixes two important problems, each on its own important enough to justify a quick upgrade.
-
-- Version 3.1.5 had problems resolving several slightly misconfigured domains, including for a time 'juniper.net'. Nameserver timeouts were not being processed correctly, leading PowerDNS to not update the internal clock, which in turn meant that any queries immediately following an error would time out as well. Because of retries, this would usually not be a problem except on very busy servers, for domains with different nameservers at different levels of the DNS-hierarchy, like 'juniper.net'.
-
- This issue was fixed rapidly because of the help of [XS4ALL](http://www.xs4all.nl) (Eric Veldhuyzen, Kai Storbeck), Brad Dameron and Kees Monshouwer. Fix in [commit 1178](http://wiki.powerdns.com/projects/trac/changeset/1178).
-
-- The new high-quality random generator was not used for all random numbers, especially in source port selection. This means that 3.1.5 is still a lot more secure than 3.1.4 was, and its algorithms more secure than most other nameservers, but it also means 3.1.5 is not as secure as it could be. A quick upgrade is recommended. Discovered by Thomas Biege of Novell (SUSE), fixed in [commit 1179](http://wiki.powerdns.com/projects/trac/changeset/1179).
-
-# Recursor version 3.1.5
-Released on the 31st of March 2008.
-
-Much like 3.1.4, this release does not add a lot of major features. Instead, performance has been improved significantly (estimated at around 20%), and many rare and not so rare issues were addressed. Multi-part TXT records now work as expected - the only significant functional bug found in 15 months. One of the oldest feature requests was fulfilled: version 3.1.5 can finally forward queries for designated domains to multiple servers, on differing port numbers if needed. Previously only one forwarder address was supported. This lack held back a number of migrations to PowerDNS.
-
-We would like to thank Amit Klein of Trusteer for bringing a serious vulnerability to our attention which would enable a smart attacker to 'spoof' previous versions of the PowerDNS Recursor into accepting possibly malicious data.
-
-Details can be found on [this Trusteer page](http://www.trusteer.com/docs/powerdnsrecursor.html).
-
-It is recommended that all users of the PowerDNS Recursor upgrade to 3.1.5 as soon as practicable, while we simultaneously note that busy servers are less susceptible to the attack, but not immune.
-
-The PowerDNS Security Advisory can be found in [PowerDNS Security Advisory 2008-01](security/powerdns-advisory-2008-01.md "PowerDNS Security Advisory 2008-01: System random generator can be predicted, leading to the potential to 'spoof' PowerDNS Recursor").
-
-This version can properly benefit from all IPv4 and IPv6 addresses in use at the root-servers as of early February 2008. In order to implement this, changes were made to how the Recursor deals internally with A and AAAA queries for nameservers, see below for more details.
-
-Additionally, newer releases of the G++ compiler required some fixes (see [ticket 173](https://github.com/PowerDNS/pdns/issues/173)).
-
-This release was made possible by the help of Wichert Akkerman, Winfried Angele, Arnoud Bakker (Fox-IT), Niels Bakker (no relation!), Leo Baltus (Nederlandse Publieke Omroep), Marco Davids (SIDN), David Gavarret (Neuf Cegetel), Peter Gervai, Marcus Goller (UPC), Matti Hiljanen (Saunalahti/Elisa), Ruben Kerkhof, Alex Kiernan, Amit Klein (Trusteer), Kenneth Marshall (Rice University), Thomas Rietz, Marcus Rueckert (OpenSUSE), Augie Schwer (Sonix), Sten Spans (Bit), Stefan Schmidt (Freenet), Kai Storbeck (xs4all), Alex Trull, Andrew Turnbull (No Wires) and Aaron Thompson, and many more who filed bugs anonymously, or who we forgot to mention.
-
-## Security related issues
-- Amit Klein has informed us that System random generator output can be predicted based on its past behaviour, allowing a smart attacker to 'spoof' our nameserver. Full details in [PowerDNS Security Advisory 2008-01](security/powerdns-advisory-2008-01.md "PowerDNS Security Advisory 2008-01: System random generator can be predicted, leading to the potential to 'spoof' PowerDNS Recursor").
-- The Recursor will by default no longer query private-space nameservers. This closes a slight security risk and simultaneously improves performance and stability. For more information, see **dont-query** in [pdns\_recursor settings](recursor/settings.md#dont-query "pdns_recursor settings"). Implemented in [commit 923](http://wiki.powerdns.com/projects/trac/changeset/923).
-- Applied fix for [ticket 110](https://github.com/PowerDNS/pdns/issues/110) ('PowerDNS should change directory to '/' in chroot), implemented in [commit 944](http://wiki.powerdns.com/projects/trac/changeset/944).
-
-## Performance
-- The DNS packet writing and parsing infrastructure performance was improved in several ways, see commits [925](http://wiki.powerdns.com/projects/trac/changeset/925), [926](http://wiki.powerdns.com/projects/trac/changeset/926), [928](http://wiki.powerdns.com/projects/trac/changeset/928), [931](http://wiki.powerdns.com/projects/trac/changeset/931), [1021](http://wiki.powerdns.com/projects/trac/changeset/1021), [1050](http://wiki.powerdns.com/projects/trac/changeset/1050).
-- Remove multithreading overhead from the Recursor ([commit 999](http://wiki.powerdns.com/projects/trac/changeset/999)).
-
-## Bug fixes
-- Built-in authoritative server now properly derives the TTL from the SOA record if not specified. Implemented in [commit 1165](http://wiki.powerdns.com/projects/trac/changeset/1165). Additionally, even when TTL was specified for the built-in authoritative server, it was ignored. Reported by Stefan Schmidt, closing [ticket 147](https://github.com/PowerDNS/pdns/issues/147).
-- Empty TXT record components can now be served. Implemented in [commit 1166](http://wiki.powerdns.com/projects/trac/changeset/1166), closing [ticket 178](https://github.com/PowerDNS/pdns/issues/178). Spotted by Matti Hiljanen.
-- The Recursor would not properly override old data with new, sometimes serving old and new data concurrently. Fixed in [commit 1137](http://wiki.powerdns.com/projects/trac/changeset/1137).
-- SOA records with embedded carriage-return characters are now parsed correctly. Implemented in [commit 1167](http://wiki.powerdns.com/projects/trac/changeset/1167), closing [ticket 162](https://github.com/PowerDNS/pdns/issues/162).
-- Some routing conditions could cause UDP connected sockets to generate an error which PowerDNS did not deal with properly, leading to a leaked file descriptor. As these run out over time, the recursor could crash. This would also happen for IPv6 queries on a host with no IPv6 connectivity. Thanks to Kai of xs4all and Wichert Akkerman for reporting this issue. Fix in [commit 1133](http://wiki.powerdns.com/projects/trac/changeset/1133).
-- Empty unknown record types can now be stored without generating a scary error ([commit 1129](http://wiki.powerdns.com/projects/trac/changeset/1129))
-- Applied fix for [ticket 111](https://github.com/PowerDNS/pdns/issues/111), [ticket 112](https://github.com/PowerDNS/pdns/issues/112) and [ticket 153](https://github.com/PowerDNS/pdns/issues/153) - large (multipart) TXT records are now retrieved and served properly. Fix in [commit 996](http://wiki.powerdns.com/projects/trac/changeset/996).
-- Solaris compilation instructions in Recursor documentation were wrong, leading to an instant crash on startup. Luckily nobody reads the documentation, except for Marcus Goller who found the error. Fixed in [commit 1124](http://wiki.powerdns.com/projects/trac/changeset/1124).
-- On Solaris, finally fix the issue where queries get distributed strangely over CPUs, or not get distributed at all. Much debugging and analysing performed by Alex Kiernan, who also supplied fixes. Implemented in [commit 1091](http://wiki.powerdns.com/projects/trac/changeset/1091), [commit 1093](http://wiki.powerdns.com/projects/trac/changeset/1093).
-- Various fixes for modern G++ versions, most spotted by Marcus Rueckert (commits [964](http://wiki.powerdns.com/projects/trac/changeset/964), [965](http://wiki.powerdns.com/projects/trac/changeset/965), [1028](http://wiki.powerdns.com/projects/trac/changeset/1028), [1052](http://wiki.powerdns.com/projects/trac/changeset/1052)), and Ruben Kerkhof ([commit 1136](http://wiki.powerdns.com/projects/trac/changeset/1136), closing [ticket 175](https://github.com/PowerDNS/pdns/issues/175)).
-- Recursor would not properly clean up pidfile and control socket, closing [ticket 120](https://github.com/PowerDNS/pdns/issues/120), code in [commit 988](http://wiki.powerdns.com/projects/trac/changeset/988), [commit 1098](http://wiki.powerdns.com/projects/trac/changeset/1098) (part of fix by Matti Hiljanen, spotted by Leo Baltus)
-- Recursor can now serve multi-line records from its limited authoritative server ([commit 1014](http://wiki.powerdns.com/projects/trac/changeset/1014)).
-- When parsing zones, the 'm' time specification stands for minutes, not months! Closing Debian bug 406462 ([commit 1026](http://wiki.powerdns.com/projects/trac/changeset/1026))
-- Authoritative zone parser did not support '@' in the content of records. Spotted by Marco Davids, fixed in [commit 1030](http://wiki.powerdns.com/projects/trac/changeset/1030).
-- Authoritative zone parser could be confused by trailing TABs on record lines ([commit 1062](http://wiki.powerdns.com/projects/trac/changeset/1062)).
-- EINTR error code could block entire server if received at the wrong time. Spotted by Arnoud Bakker, fix in [commit 1059](http://wiki.powerdns.com/projects/trac/changeset/1059).
-- Fix crash on NetBSD on Alpha CPUs, might improve startup behaviour on empty caches on other architectures as well ([commit 1061](http://wiki.powerdns.com/projects/trac/changeset/1061)).
-- Outbound TCP queries were being performed sub-optimally because of an interaction with the 'MPlexer'. Fixes in [commit 1115](http://wiki.powerdns.com/projects/trac/changeset/1115), [commit 1116](http://wiki.powerdns.com/projects/trac/changeset/1116).
-
-## New features
-- Implemented **rec\_control** command **get uptime**, as suggested by Niels Bakker ([commit 935](http://wiki.powerdns.com/projects/trac/changeset/935)). Added to default rrdtool scripts in [commit 940](http://wiki.powerdns.com/projects/trac/changeset/940).
-- The Recursor Authoritative component, meant for having the Recursor serve some zones authoritatively, now supports $INCLUDE and $GENERATE. Implemented in [commit 951](http://wiki.powerdns.com/projects/trac/changeset/951) and [commit 952](http://wiki.powerdns.com/projects/trac/changeset/952), [commit 967](http://wiki.powerdns.com/projects/trac/changeset/967) (discovered by Thomas Rietz),
-- Implemented **forward-zones-file** option in order to support larger amounts of zones which should be forwarded to another nameserver ([commit 963](http://wiki.powerdns.com/projects/trac/changeset/963)).
-- Both **forward-zones** and **forward-zones-file** can now specify multiple forwarders per domain, implemented in [commit 1168](http://wiki.powerdns.com/projects/trac/changeset/1168), closing [ticket 81](https://github.com/PowerDNS/pdns/issues/81). Additionally, both these settings can also specify non-standard port numbers, as suggested in ticket [ticket 122](https://github.com/PowerDNS/pdns/issues/122). Patch authored by Aaron Thompson, with additional work by Augie Schwer.
-- Sten Spans contributed **allow-from-file**, implemented in [commit 1150](http://wiki.powerdns.com/projects/trac/changeset/1150). This feature allows the Recursor to read access rules from a (large) file.
-
-## General improvements
-- Ruben Kerkhof fixed up weird permission bits as well as our SGML documentation code in [commit 936](http://wiki.powerdns.com/projects/trac/changeset/936) and [commit 937](http://wiki.powerdns.com/projects/trac/changeset/937).
-- Full IPv6 parity. If configured to use IPv6 for outgoing queries (using **query-local-address6=::0** for example), IPv6 and IPv4 addresses are finally treated 100% identically, instead of 'mostly'. This feature is implemented using 'ANY' queries to find A and AAAA addresses in one query, which is a new approach. Treat with caution.
-- Now perform EDNS0 root refreshing queries, so as to benefit from all returned addresses. Relevant since early February 2008 when the root-servers started to respond with IPv6 addresses, which made the default non-EDNS0 maximum packet length reply no longer contain all records. Implemented in [commit 1130](http://wiki.powerdns.com/projects/trac/changeset/1130). Thanks to dns-operations AT mail.oarc.isc.org for quick suggestions on how to deal with this change.
-- **rec\_control** now has a timeout in case the Recursor does not respond. Implemented in [commit 945](http://wiki.powerdns.com/projects/trac/changeset/945).
-- (Error) messages are now logged with saner priorities ([commit 955](http://wiki.powerdns.com/projects/trac/changeset/955)).
-- Outbound query IP interface stemmed from 1997 (!) and was in dire need of a cleanup ([commit 1117](http://wiki.powerdns.com/projects/trac/changeset/1117)).
-- L.ROOT-SERVERS.NET moved ([commit 1118](http://wiki.powerdns.com/projects/trac/changeset/1118)).
-
-# PowerDNS Authoritative Server version 2.9.21
-Released the 21st of April 2007.
-
-This is the first release the PowerDNS Authoritative Server since the Recursor was split off to a separate product, and also marks the transfer of the new technology developed specifically for the recursor, back to the authoritative server.
-
-This move has reduced the amount of code of the Authoritative server by over 2000 lines, while improving the quality of the program enormously.
-
-However, since so much has been changed, care should be taken when deploying 2.9.21.
-
-To signify the magnitude of the underlying improvements, the next release of the PowerDNS Authoritative Server will be called 3.0.
-
-This release would not have been possible without large amounts of help and support from the PowerDNS Community. We specifically want to thank Massimo Bandinelli of Italy's [Register.it](http://register.it), [Dave Aaldering of Aaldering ICT](http://aaldering-ict.nl), [True BV](http://true.nl), [XS4ALL](http://www.xs4all.nl), Daniel Bilik of [Neosystem](http://www.neosystem.cz), [EasyDNS](http://www.easydns.com), [Heinrich Ruthensteiner](http://www.siemens.com) of Siemens, [Augie Schwer](http://schwer.us), [Mark Bergsma](http://www.wikipedia.org), [Marco Davids](http://www.forfun.net), [Marcus Rueckert of OpenSUSE](http://www.opensuse.org), Andre Muraro of [Locaweb](http://www.locaweb.com.br), Antony Lesuisse, [Norbert Sendetzky](http://www.linuxnetworks.de), [Marco Chiavacci](http://www.aruba.it), Christoph Haas, Ralf van der Enden and Ruben Kerkhof.
-
-## Security issues
-- The previous packet parsing and generating code contained no known bugs, but was however very lengthy and overly complex, and might have had security problems. The new code is 'inherently safe' because it relies on bounds-checking C++ constructs. Therefore, a move to 2.9.21 is highly recommended.
-- Pre-2.9.21, communication between master and server nameservers was not checked as rigidly as possible, possibly allowing third parties to disrupt but not modify such communications.
-
-**Warning**: The 'bind1' legacy version of our BIND backend has been dropped! There should be no need to rely on this old version anymore, as the main BIND backend has been very well tested recently.
-
-## Bugs
-- Multi-part TXT records weren't supported. This has been fixed, and regression tests have been added. Code in commits [1016](http://wiki.powerdns.com/projects/trac/changeset/1016), [996](http://wiki.powerdns.com/projects/trac/changeset/996), [994](http://wiki.powerdns.com/projects/trac/changeset/994).
-- Email addresses with embedded dots in SOA records were not parsed correctly, nor were other embedded dots. Noted by 'Bastiaan', fixed in [commit 1026](http://wiki.powerdns.com/projects/trac/changeset/1026).
-- BIND backend treated the 'm' TTL modifier as 'months' and not 'minutes'. Closes Debian bug 406462. Addressed in [commit 1026](http://wiki.powerdns.com/projects/trac/changeset/1026).
-- Our snapshots were built against a static version of PostgreSQL that was incompatible with many Linux distributions, leading to instant crashes on startup. Fixed in [1022](http://wiki.powerdns.com/projects/trac/changeset/1022) and [1023](http://wiki.powerdns.com/projects/trac/changeset/1023).
-- CNAME referrals to child zones gave improper responses. Noted by Augie Schwer in [ticket 123](https://github.com/PowerDNS/pdns/issues/123), fixed in [commit 992](http://wiki.powerdns.com/projects/trac/changeset/992).
-- When passing a port number with the **recursor** setting, this would sometimes generate errors during additional processing. Switched off overly helpful additional processing for recursive queries to remove this problem. Implemented in [commit 1031](http://wiki.powerdns.com/projects/trac/changeset/1031), spotted by Ralf van der Enden.
-- NS to a nameserver with the name of the zone itself generated problems. Spotted by Augie Schwer, fixed in [commit 947](http://wiki.powerdns.com/projects/trac/changeset/947).
-- Multi-line records in the BIND backend were not always parsed correctly. Fixed in [commit 1014](http://wiki.powerdns.com/projects/trac/changeset/1014).
-- The LOC-record had problems operating outside of the eastern hemisphere of the northern part of the world! Fixed in [commit 1011](http://wiki.powerdns.com/projects/trac/changeset/1011).
-- Backends were compiled without multithreading preprocessor flags. As far as we can determine, this would only cause problems for the BIND backend, but we cannot rule out this caused instability in other backends. Fixed in [commit 1001](http://wiki.powerdns.com/projects/trac/changeset/1001).
-- The BIND backend was highly unstable under reloads, and leaked memory and file descriptors. Thanks to Mark Bergsma and Massimo Bandinelli for respectively pointing this out to us and testing large amounts of patches to fix the problem. The fixes have resulted in better performance, less code, and a remarkable simplification of this backend. Commits [1039](http://wiki.powerdns.com/projects/trac/changeset/1039), [1034](http://wiki.powerdns.com/projects/trac/changeset/1034), [1035](http://wiki.powerdns.com/projects/trac/changeset/1035), [1006](http://wiki.powerdns.com/projects/trac/changeset/1006), [999](http://wiki.powerdns.com/projects/trac/changeset/999), [905](http://wiki.powerdns.com/projects/trac/changeset/905) and previous.
-- BIND backend gave convincing NXDOMAINs on unloaded zones in some cases. Spotted and fixed by Daniel Bilik in [commit 984](http://wiki.powerdns.com/projects/trac/changeset/984).
-- SOA records in zone transfers sometimes contained the wrong SOA TTL. Spotted by Christian Kuehn, fixed in [commit 902](http://wiki.powerdns.com/projects/trac/changeset/902).
-- PowerDNS could get confused by very high SOA serial numbers. Spotted and fixed by Dan Bilik, fixed in [commit 626](http://wiki.powerdns.com/projects/trac/changeset/626).
-- Some versions of FreeBSD perform very strict checks on socket address sizes passed to 'connect', which could lead to problems retrieving zones over AXFR. Fixed in [commit 891](http://wiki.powerdns.com/projects/trac/changeset/891).
-- Some versions of FreeBSD perform very strict checks on IPv6 socket addresses, leading to problems. Discovered by Sten Spans, fixed in [commit 885](http://wiki.powerdns.com/projects/trac/changeset/885) and [commit 886](http://wiki.powerdns.com/projects/trac/changeset/886).
-- IXFR requests were not logged properly. Noted by Ralf van der Enden, fixed in [commit 990](http://wiki.powerdns.com/projects/trac/changeset/990).
-- Some NAPTR records needed an additional space character to encode correctly. Spotted by Heinrich Ruthensteiner, fixed in [commit 1029](http://wiki.powerdns.com/projects/trac/changeset/1029).
-- Many bugs in the TCP nameserver, leading to a PowerDNS process that did not respond to TCP queries over time. Many fixes provided by Dan Bilik, other problems were fixed by rewriting our TCP handling code. Commits [982](http://wiki.powerdns.com/projects/trac/changeset/982) and [980](http://wiki.powerdns.com/projects/trac/changeset/980), [950](http://wiki.powerdns.com/projects/trac/changeset/950), [924](http://wiki.powerdns.com/projects/trac/changeset/924), [889](http://wiki.powerdns.com/projects/trac/changeset/889), [874](http://wiki.powerdns.com/projects/trac/changeset/874), [869](http://wiki.powerdns.com/projects/trac/changeset/869), [685](http://wiki.powerdns.com/projects/trac/changeset/685), [684](http://wiki.powerdns.com/projects/trac/changeset/684).
-- Fix crashes on the ARM processor due to alignment errors. Thanks to Sjoerd Simons. Closes Debian bug 397031.
-- Missing data in generic SQL backends would sometimes lead to faked SOA serial data. Spotted by Leander Lakkas from True. Fix in [commit 866](http://wiki.powerdns.com/projects/trac/changeset/866).
-- When receiving two quick notifications in succession, the packet cache would sometimes "process" the second one, leading PowerDNS to ignore it. Spotted by Dan Bilik, fixed in [commit 686](http://wiki.powerdns.com/projects/trac/changeset/686).
-- Geobackend (by Mark Bergsma) did not properly override the getSOA method, breaking non-overlay operation of this fine backend. The geobackend now also skips '.hidden' configuration files, and now properly disregards empty configuration files. Additionally, the overlapping abilities were improved. Details available in [commit 876](http://wiki.powerdns.com/projects/trac/changeset/876), by Mark.
-
-## Features
-- Thanks to [EasyDNS](http://www.easydns.com), PowerDNS now supports multiple masters per domain. For configuration details, see [Slave operation](authoritative/modes-of-operation.md#slave-operation "Slave operation"). Implemented in [commit 1018](http://wiki.powerdns.com/projects/trac/changeset/1018), [commit 1017](http://wiki.powerdns.com/projects/trac/changeset/1017).
-- Thanks to [EasyDNS](http://www.easydns.com), PowerDNS now supports the KEY record type, as well the SPF record. In [commit 976](http://wiki.powerdns.com/projects/trac/changeset/976).
-- Added support for CERT, SSHFP, DNSKEY, DS, NSEC, RRSIG record types, as part of the move to the new DNS parsing/generating code.
-- Support for the AFSDB record type, as requested by 'Bastian'. Implemented in [commit 978](http://wiki.powerdns.com/projects/trac/changeset/978), closing [ticket 129](https://github.com/PowerDNS/pdns/issues/129).
-- Support for the MR record type. Implemented in [commit 941](http://wiki.powerdns.com/projects/trac/changeset/941) and [commit 1019](http://wiki.powerdns.com/projects/trac/changeset/1019).
-- Gsqlite3 backend was added by Antony Lesuisse in [commit 942](http://wiki.powerdns.com/projects/trac/changeset/942);
-- Added the ability to send out light-weight root-referrals that save bandwidth yet still placate mediocre resolver implementations. Implemented in [commit 912](http://wiki.powerdns.com/projects/trac/changeset/912), enable with 'root-referral=lean'.
-
-## Improvements
-- Miscellaneous OpenDBX and LDAP backend improvements by Norbert Sendetzky. Applied in [commit 977](http://wiki.powerdns.com/projects/trac/changeset/977) and [commit 1040](http://wiki.powerdns.com/projects/trac/changeset/1040).
-- SGML source of the documentation was cleaned up by Ruben Kerkhof in [commit 936](http://wiki.powerdns.com/projects/trac/changeset/936).
-- Speedups in core DNS label processing code. Implemented in [commit 928](http://wiki.powerdns.com/projects/trac/changeset/928), [commit 654](http://wiki.powerdns.com/projects/trac/changeset/654), [commit 1020](http://wiki.powerdns.com/projects/trac/changeset/1020).
-- When communicating with master servers and encountering errors, more useful details are logged. Reported by Stefan Arentz in [ticket 137](https://github.com/PowerDNS/pdns/issues/137), closed by [commit 1015](http://wiki.powerdns.com/projects/trac/changeset/1015).
-- Database errors are now logged with more details. Addressed in [commit 1004](http://wiki.powerdns.com/projects/trac/changeset/1004).
-- pdns\_control problems are now logged more verbosely. Change in [commit 910](http://wiki.powerdns.com/projects/trac/changeset/910).
-- Erroneous address configuration was logged unclearly. Spotted by River Tarnell, fixed in [commit 888](http://wiki.powerdns.com/projects/trac/changeset/888).
-- Example configuration shipped with PowerDNS was very old. Noted by Leen Besselink, fixed in [commit 946](http://wiki.powerdns.com/projects/trac/changeset/946).
-- PowerDNS neglected to chdir to the root when chrooted. This closes [ticket 110](https://github.com/PowerDNS/pdns/issues/110), fixed in [commit 944](http://wiki.powerdns.com/projects/trac/changeset/944).
-- Microsoft resolver had problems with responses we generated for CNAMEs pointing out of our bailiwick. Fixed in [commit 983](http://wiki.powerdns.com/projects/trac/changeset/983) and expedited by Locaweb.com.br.
-- Built-in webserver logs errors more verbosely. Closes [ticket 82](https://github.com/PowerDNS/pdns/issues/82), fixed in [commit 991](http://wiki.powerdns.com/projects/trac/changeset/991).
-- Queries containing '@' no longer flood the logs. Addressed in [commit 1014](http://wiki.powerdns.com/projects/trac/changeset/1014).
-- The build process now looks for PostgreSQL in more places. Implemented in [commit 998](http://wiki.powerdns.com/projects/trac/changeset/998), closes [ticket 90](https://github.com/PowerDNS/pdns/issues/90).
-- Speedups in the BIND backend now mean large installations enjoy startup times up to 30 times faster than with the original BIND nameserver. Many thanks to Massimo Bandinelli.
-- BIND backend now offers full support for query logging, implemented in [commit 1026](http://wiki.powerdns.com/projects/trac/changeset/1026), [commit 1029](http://wiki.powerdns.com/projects/trac/changeset/1029).
-- BIND backend named.conf parsing is now fully case-insensitive for domain names. This closes Debian bug 406461, fixed in [commit 1027](http://wiki.powerdns.com/projects/trac/changeset/1027).
-- IPv6 and IPv4 address parsing routines have been replaced, which should result in prettier output in some cases. [commit 962](http://wiki.powerdns.com/projects/trac/changeset/962), [commit 1012](http://wiki.powerdns.com/projects/trac/changeset/1012) and others.
-- 5 new regression tests have been added to insure old bugs do not return.
-- Fix small issues with very modern compilers and BOOST snapshots. Noted by Marcus Rueckert, addressed in [commit 954](http://wiki.powerdns.com/projects/trac/changeset/954), [commit 964](http://wiki.powerdns.com/projects/trac/changeset/964) [commit 965](http://wiki.powerdns.com/projects/trac/changeset/965), [commit 1003](http://wiki.powerdns.com/projects/trac/changeset/1003).
-
-# Recursor version 3.1.4
-Released the 13th of November 2006.
-
-This release contains almost no new features, but consists mostly of minor and major bug fixes. It also addresses two major security issues, which makes this release a highly recommended upgrade.
-
-## Security issues
-- Large TCP questions followed by garbage could cause the recursor to crash. This critical security issue has been assigned CVE-2006-4251, and is fixed in [commit 915](http://wiki.powerdns.com/projects/trac/changeset/915). More information can be found in [Section 5, “PowerDNS Security Advisory 2006-01: Malformed TCP queries can lead to a buffer overflow which might be exploitable”](security/powerdns-advisory-2006-01.md "5. PowerDNS Security Advisory 2006-01: Malformed TCP queries can lead to a buffer overflow which might be exploitable").
-- CNAME loops with zero second TTLs could cause crashes in some conditions. These loops could be constructed by malicious parties, making this issue a potential denial of service attack. This security issue has been assigned CVE-2006-4252 and is fixed by [commit 919](http://wiki.powerdns.com/projects/trac/changeset/919). More information can be found in [Section 6, “PowerDNS Security Advisory 2006-02: Zero second CNAME TTLs can make PowerDNS exhaust allocated stack space, and crash”](security/powerdns-advisory-2006-02.md "PowerDNS Security Advisory 2006-02: Zero second CNAME TTLs can make PowerDNS exhaust allocated stack space, and crash"). Many thanks to David Gavarret for helping pin down this problem.
-
-## Bugs
-- On certain error conditions, PowerDNS would neglect to close a socket, which might therefore eventually run out. Spotted by Stefan Schmidt, fixed in commits [892](http://wiki.powerdns.com/projects/trac/changeset/892), [897](http://wiki.powerdns.com/projects/trac/changeset/897), [899](http://wiki.powerdns.com/projects/trac/changeset/899).
-- Some nameservers (including PowerDNS in rare circumstances) emit a SOA record in the authority section. The recursor mistakenly interpreted this as an authoritative "NXRRSET". Spotted by Bryan Seitz, fixed in [commit 893](http://wiki.powerdns.com/projects/trac/changeset/893).
-- In some circumstances, PowerDNS could end up with a useless (not working, or no longer working) set of nameserver records for a domain. This release contains logic to invalidate such broken NSSETs, without overloading authoritative servers. This problem had previously been spotted by Bryan Seitz, 'Cerb' and Darren Gamble. Invalidations of NSSETs can be plotted using the "nsset-invalidations" metric, available through **rec\_control get**. Implemented in [commit 896](http://wiki.powerdns.com/projects/trac/changeset/896) and [commit 901](http://wiki.powerdns.com/projects/trac/changeset/901).
-- PowerDNS could crash while dumping the cache using **rec\_control dump-cache**. Reported by Wouter of WideXS and Stefan Schmidt and many others, fixed in [commit 900](http://wiki.powerdns.com/projects/trac/changeset/900).
-- Under rare circumstances (depleted TCP buffers), PowerDNS might send out incomplete questions to remote servers. Additionally, on big-endian systems (non-Intel and non-AMD generally), sending out large TCP answers questions would not work at all, and possibly crash. Brought to our attention by David Gavarret, fixed in [commit 903](http://wiki.powerdns.com/projects/trac/changeset/903).
-- The recursor contained the potential for a dead-lock processing an invalid domain name. It is not known how this might be triggered, but it has been observed by 'Cerb' on \#powerdns. Several dead-locks where PowerDNS consumed all CPU, but did not answer questions, have been reported in the past few months. These might be fixed by [commit 904](http://wiki.powerdns.com/projects/trac/changeset/904).
-- IPv6 'allow-from' matching had problems with the least significant bits, sometimes allowing disallowed addresses, but mostly disallowing allowed addresses. Spotted by Wouter from WideXS, fixed in [commit 916](http://wiki.powerdns.com/projects/trac/changeset/916).
-
-## Improvements
-- PowerDNS has support to drop answers from so called 'delegation only' zones. A statistic ("dlg-only-drops") is now available to plot how often this happens. Implemented in [commit 890](http://wiki.powerdns.com/projects/trac/changeset/890).
-- Hint-file parameter was mistakenly named "hints-file" in the documentation. Spotted by my Marco Davids, fixed in [commit 898](http://wiki.powerdns.com/projects/trac/changeset/898).
-- **rec\_control quit** should be near instantaneous now, as it no longer meticulously cleans up memory before exiting. Problem spotted by Darren Gamble, fixed in [commit 914](http://wiki.powerdns.com/projects/trac/changeset/914), closing [ticket 84](https://github.com/PowerDNS/pdns/issues/84).
-- init.d script no longer refers to the Recursor as the Authoritative Server. Spotted by Wouter of WideXS, fixed in [commit 913](http://wiki.powerdns.com/projects/trac/changeset/913).
-- A potentially serious warning for users of the GNU C Library version 2.5 was fixed. Spotted by Marcus Rueckert, fixed in [commit 920](http://wiki.powerdns.com/projects/trac/changeset/920).
-
-# Recursor version 3.1.3
-Released the 12th of September 2006.
-
-Compared to 3.1.2, this release again consists of a number of mostly minor bug fixes, and some slight improvements.
-
-Many thanks are again due to Darren Gamble who together with his team has discovered many misconfigured domains that do work with some other name servers. DNS has long been tolerant of misconfigurations, PowerDNS intends to uphold that tradition. Almost all of the domains found by Darren now work as well in PowerDNS as in other name server implementations.
-
-Thanks to some recent migrations, this release, or something very close to it, is powering over 40 million internet connections that we know of. We appreciate hearing about successful as well as unsuccessful migrations, please feel free to notify pdns.bd@powerdns.com of your experiences, good or bad.
-
-## Bug-fixes
-- The MThread default stack size was too small, which led to problems, mostly on 64-bit platforms. This stack size is now configurable using the **stack-size** setting should our estimate be off. Discovered by Darren Gamble, Sten Spans and a number of others. Fixed in [commit 868](http://wiki.powerdns.com/projects/trac/changeset/868).
-- Plug a small memory leak discovered by Kai and Darren Gamble, fixed in [commit 870](http://wiki.powerdns.com/projects/trac/changeset/870).
-- Switch from the excellent nedmalloc to dlmalloc, based on advice by the nedmalloc author. Nedmalloc is optimised for multithreaded operation, whereas the PowerDNS recursor is single threaded. The version of nedmalloc shipped contained a number of possible bugs, which are probably resolved by moving to dlmalloc. Some reported crashes on hitting 2G of allocated memory on 64 bit systems might be solved by this switch, which should also increase performance. See [commit 873](http://wiki.powerdns.com/projects/trac/changeset/873) for details.
-
-## Improvements
-- The cache is now explicitly aware of the difference between authoritative and unauthoritative data, allowing it to deal with some domains that have different data in the parent zone than in the authoritative zone. Patch in [commit 867](http://wiki.powerdns.com/projects/trac/changeset/867).
-- No longer try to parse DNS updates as if they were queries. Discovered and fixed by Jan Gyselinck, fix in [commit 871](http://wiki.powerdns.com/projects/trac/changeset/871).
-- Rebalance logging priorities for less log cluttering and add IP address to a remote server error message. Noticed and fixed by Jan Gyselinck ([commit 877](http://wiki.powerdns.com/projects/trac/changeset/877)).
-- Add **logging-facility** setting, allowing syslog to send PowerDNS logging to a separate file. Added in [commit 871](http://wiki.powerdns.com/projects/trac/changeset/871).
-
-# Recursor version 3.1.2
-Released Monday 26th of June 2006.
-
-Compared to 3.1.1, this release consists almost exclusively of bug-fixes and speedups. A quick update is recommended, as some of the bugs impact operators of authoritative zones on the internet. This version has been tested by some of the largest internet providers on the planet, and is expected to perform well for everybody.
-
-Many thanks are due to Darren Gamble, Stefan Schmidt and Bryan Seitz who all provided excellent feedback based on their large-scale tests of the recursor.
-
-## Bug-fixes
-- Internal authoritative server did not differentiate between 'NXDOMAIN' and 'NXRRSET', in other words, it would answer 'no such host' when an AAAA query came in for a domain that did exist, but did not have an AAAA record. This only affects users with **auth-zones** configured. Discovered by Bryan Seitz, fixed in [commit 848](http://wiki.powerdns.com/projects/trac/changeset/848).
-- ANY queries for hosts where nothing was present in the cache would not work. This did not cause real problems as ANY queries are not reliable (by design) for anything other than debugging, but did slow down the nameserver and cause unnecessary load on remote nameservers. Fixed in [commit 854](http://wiki.powerdns.com/projects/trac/changeset/854).
-- When exceeding the configured maximum amount of TCP sessions, TCP support would break and the nameserver would waste CPU trying to accept TCP connections on UDP ports. Noted by Bryan Seitz, fixed in [commit 849](http://wiki.powerdns.com/projects/trac/changeset/849).
-- DNS queries come in two flavours: recursion desired and non-recursion desired. The latter is not very useful for a recursor, but is sometimes (erroneously) used by monitoring software or load balancers to detect nameserver availability. A non-rd query would not only not recurse, but also not query authoritative zones, which is confusing. Fixed in [commit 847](http://wiki.powerdns.com/projects/trac/changeset/847).
-- Non-standard DNS TCP queries, that did occur however, could drive the recursor to 100% CPU usage for extended periods of time. This did not disrupt service immediately, but does waste a lot of CPU, possibly exhausting resources. Discovered by Bryan Seitz, fixed in [commit 858](http://wiki.powerdns.com/projects/trac/changeset/858), which is post-3.1.2-rc1.
-- The PowerDNS recursor did not honour the rare but standardised 'ANY' query class (normally 'ANY' refers to the query type, not class), upsetting the Wildfire Jabber server. Discovered and debugged by Daniel Nauck, fixed in [commit 859](http://wiki.powerdns.com/projects/trac/changeset/859), which is post-3.1.2-rc1.
-- Everybody's favorite, when starting up under high load, a bogus line of statistics was sometimes logged. Fixed in [commit 851](http://wiki.powerdns.com/projects/trac/changeset/851).
-- Remove some spurious debugging output on dropping a packet by an unauthorized host. Discovered by Kai. Fixed in [commit 854](http://wiki.powerdns.com/projects/trac/changeset/854).
-
-## Improvements
-- Misconfigured domains, with a broken nameserver in the parent zone, should now work better. Changes motivated and suggested by Darren Gamble. This makes PowerDNS more compliant with RFC 2181 by making it prefer authoritative data over non-authoritative data. Implemented in [commit 856](http://wiki.powerdns.com/projects/trac/changeset/856).
-- PowerDNS can now listen on multiple ports, using the **local-address** setting. Added in [commit 845](http://wiki.powerdns.com/projects/trac/changeset/845).
-- A number of speedups which should have a noticeable impact, implemented in commits [850](http://wiki.powerdns.com/projects/trac/changeset/850), [852](http://wiki.powerdns.com/projects/trac/changeset/852), [853](http://wiki.powerdns.com/projects/trac/changeset/853), [855](http://wiki.powerdns.com/projects/trac/changeset/855)
-- The recursor now works around an issue with the Linux kernel 2.6.8, as shipped by Debian. Fixed by Christof Meerwald in [commit 860](http://wiki.powerdns.com/projects/trac/changeset/860), which is post 3.1.2-rc1.
-
-# Recursor version 3.1.1
-Released on the 23rd of May 2006.
-
-**Warning**: 3.1.1 is identical to 3.1 except for a bug in the packet chaining code which would mainly manifest itself for IPv6 enabled Konqueror users with very fast connections to their PowerDNS installation. However, all 3.1 users are urged to upgrade to 3.1.1. Many thanks to Alessandro Bono for his quick aid in solving this problem.
-
- Many thanks are due to the operators of some of the largest internet access providers in the world, each having many millions of customers, who have tested the various 3.1 pre-releases for suitability. They have uncovered and helped fix bugs that could impact us all, but are only (quickly) noticeable with such vast amounts of DNS traffic.
-
-After version 3.0.1 has proved to hold up very well under tremendous loads, 3.1 adds important new features
-
-- Ability to serve authoritative data from 'BIND' style zone files (using **auth-zones** statement).
-- Ability to forward domains so configured to external servers (using **forward-zones**).
-- Possibility of 'serving' the contents of `/etc/hosts` over DNS, which is very well suited to simple domestic router/DNS setups. Enabled using **export-etc-hosts**.
-- As recommended by recent standards documents, the PowerDNS recursor is now authoritative for RFC-1918 private IP space zones by default (suggested by Paul Vixie).
-- Full outgoing IPv6 support (off by default) with IPv6 servers getting equal treatment with IPv4, nameserver addresses are chosen based on average response speed, irrespective of protocol.
-- Initial Windows support, including running as a service ('NET START "POWERDNS RECURSOR"'). **rec\_channel** is still missing, the rest should work. Performance appears to be below that of the UNIX versions, this situation is expected to improve.
-
-## Bug fixes
-- No longer send out SRV and MX record priorities as zero on big-endian platforms (UltraSPARC). Discovered by Eric Sproul, fixed in [commit 773](http://wiki.powerdns.com/projects/trac/changeset/773).
-- SRV records need additional processing, especially in an Active Directory setting. Reported by Kenneth Marshall, fixed in [commit 774](http://wiki.powerdns.com/projects/trac/changeset/774).
-- The root-records were not being refreshed, which could lead to problems under inconceivable conditions. Fixed in [commit 780](http://wiki.powerdns.com/projects/trac/changeset/780).
-- Fix resolving domain names for nameservers with multiple IP addresses, with one of these addresses being lame. Other nameserver implementations were also unable to resolve these domains, so not a big bug. Fixed in [commit 780](http://wiki.powerdns.com/projects/trac/changeset/780).
-- For a period of 5 minutes after expiring a negative cache entry, the domain would not be re-cached negatively, leading to a lot of duplicate outgoing queries for this short period. This fix has raised the average cache hit rate of the recursor by a few percent. Fixed in [commit 783](http://wiki.powerdns.com/projects/trac/changeset/783).
-- Query throttling was not aggressive enough and not all sorts of queries were throttled. Implemented in [commit 786](http://wiki.powerdns.com/projects/trac/changeset/786).
-- Fix possible crash during startup when parsing empty configuration lines ([commit 807](http://wiki.powerdns.com/projects/trac/changeset/807)).
-- Fix possible crash when the first query after wiping a cache entry was for the just deleted entry. Rare in production servers. Fixed in [commit 820](http://wiki.powerdns.com/projects/trac/changeset/820).
-- Recursor would send out differing TTLs when receiving a misconfigured, standards violating, RRSET with different TTLs. Implement fix as mandated by RFC 2181, paragraph 5.2. Reported by Stephen Harker ([commit 819](http://wiki.powerdns.com/projects/trac/changeset/819)).
-- The **top-remotes** would list remotes more than once, once per source port. Discovered by Jorn Ekkelenkamp, fixed in [commit 827](http://wiki.powerdns.com/projects/trac/changeset/827), which is post 3.1-pre1.
-- Default **allow-from** allowed queries from fe80::/16, corrected to fe80::/10. Spotted by Niels Bakker, fixed in [commit 829](http://wiki.powerdns.com/projects/trac/changeset/829), which is post 3.1-pre1.
-- While PowerDNS blocks failing queries quickly, multiple packets could briefly be in flight for the same domain and nameserver. This situation is now explicitly detected and queries are chained to identical queries already in flight. Fixed in [commit 833](http://wiki.powerdns.com/projects/trac/changeset/833) and [commit 834](http://wiki.powerdns.com/projects/trac/changeset/834), post 3.1-pre1.
-
-## Improvements
-- ANY queries are now implemented as in other nameserver implementations, leading to a decrease in outgoing queries. The RFCs are not very clear on desired behaviour, what is implemented now saves bandwidth and CPU and brings us in line with existing practice. Previously ANY queries were not cached by the PowerDNS recursor. Implemented in [commit 784](http://wiki.powerdns.com/projects/trac/changeset/784).
-- **rec\_control** was very sparse in its error reporting, and user unfriendly as well. Reported by Erik Bos, fixed in [commit 818](http://wiki.powerdns.com/projects/trac/changeset/818) and [commit 820](http://wiki.powerdns.com/projects/trac/changeset/820).
-- IPv6 addresses were printed in a non-standard way, fixed in [commit 788](http://wiki.powerdns.com/projects/trac/changeset/788).
-- TTLs of records are now capped at two weeks, [commit 820](http://wiki.powerdns.com/projects/trac/changeset/820).
-- **allow-from** IPv4 netmasks now automatically work for IP4-to-IPv6 mapper IPv4 addresses, which appear when running on the wildcard **::** IPv6 address. Lack of feature noted by Marcus 'darix' Rueckert. Fixed in [commit 826](http://wiki.powerdns.com/projects/trac/changeset/826), which is post 3.1-pre1.
-- Errors before daemonizing are now also sent to syslog. Suggested by Marcus 'darix' Rueckert. Fixed in [commit 825](http://wiki.powerdns.com/projects/trac/changeset/825), which is post 3.1-pre1.
-- When launching without any form of configured network connectivity, all root-servers would be cached as 'down' for some time. Detect this special case and treat it as a resource-constraint, which is not accounted against specific nameservers. Spotted by Seth Arnold, fixed in [commit 835](http://wiki.powerdns.com/projects/trac/changeset/835), which is post 3.1-pre1.
-- The recursor now does not allow authoritative servers to keep supplying its own NS records into perpetuity, which causes problems when a domain is redelegated but the old authoritative servers are not updated to this effect. Noticed and explained at length by Darren Gamble of Shaw Communications, addressed by [commit 837](http://wiki.powerdns.com/projects/trac/changeset/837), which is post 3.1-pre2.
-- Some operators may want to follow RFC 2181 paragraph 5.2 and 5.4. This harms performance and does not solve any real problem, but does make PowerDNS more compliant. If you want this, enable **auth-can-lower-ttl**. Implemented in [commit 838](http://wiki.powerdns.com/projects/trac/changeset/838), which is post 3.1-pre2.
-
-# Recursor version 3.0.1
-Released 25th of April 2006, [download](http://www.powerdns.com/en/downloads.aspx).
-
-This release consists of nothing but tiny fixes to 3.0, including one with security implications. An upgrade is highly recommended.
-
-- Compilation used both `cc` and `gcc`, leading to the possibility of compiling with different compiler versions ([commit 766](http://wiki.powerdns.com/projects/trac/changeset/766)).
-- **rec\_control** would leave files named `lsockXXXXXX` around in the configured socket-dir. Operators may wish to remove these files from their socket-dir (often `/var/run`), quite a few might have accumulated already ([commit 767](http://wiki.powerdns.com/projects/trac/changeset/767)).
-- Certain malformed packets could crash the recursor. As far as we can determine these packets could only lead to a crash, but as always, there are no guarantees. A quick upgrade is highly recommended (commits [760](http://wiki.powerdns.com/projects/trac/changeset/760), [761](http://wiki.powerdns.com/projects/trac/changeset/761)). Reported by David Gavarret.
-- Recursor would not distinguish between NXDOMAIN and NXRRSET ([commit 756](http://wiki.powerdns.com/projects/trac/changeset/756)). Reported and debugged by Jorn Ekkelenkamp.
-- Some error messages and trace logging statements were improved (commits [756](http://wiki.powerdns.com/projects/trac/changeset/756), [758](http://wiki.powerdns.com/projects/trac/changeset/758), [759](http://wiki.powerdns.com/projects/trac/changeset/759)).
-- stderr was closed during daemonizing, but not dupped to /dev/null, leading to slight chance of odd behaviour on reporting errors ([commit 757](http://wiki.powerdns.com/projects/trac/changeset/757))
-
-## Operating system specific fixes
-- The stock Debian sarge Linux kernel, 2.6.8, claims to support epoll but fails at runtime. The epoll self-testing code has been improved, and PowerDNS will fall back to a select based multiplexer if needed ([commit 758](http://wiki.powerdns.com/projects/trac/changeset/758)) Reported by Michiel van Es.
-- Solaris 8 compilation and runtime issues were addressed. See the README for details ([commit 765](http://wiki.powerdns.com/projects/trac/changeset/765)). Reported by Juergen Georgi and Kenneth Marshall.
-- Solaris 10 x86\_64 compilation issues were addressed ([commit 755](http://wiki.powerdns.com/projects/trac/changeset/755)). Reported and debugged by Eric Sproul.
-
-# Recursor version 3.0
-Released 20th of April 2006, [download](http://www.powerdns.com/en/downloads.aspx).
-
-This is the first separate release of the PowerDNS Recursor. There are many reasons for this, one of the most important ones is that previously we could only do a release when both the recursor and the authoritative nameserver were fully tested and in good shape. The split allows us to release new versions when each part is ready.
-
-Now for the real news. This version of the PowerDNS recursor powers the network access of over two million internet connections. Two large access providers have been running pre-releases of 3.0 for the past few weeks and results are good. Furthermore, the various pre-releases have been tested nearly non-stop with DNS traffic replayed at 3000 queries/second.
-
-As expected, the 2 million households shook out some very rare bugs. But even a rare bug happens once in a while when there are this many users.
-
-We consider this version of the PowerDNS recursor to be the most advanced resolver publicly available. Given current levels of spam, phishing and other forms of internet crime we think no recursor should offer less than the best in spoofing protection. We urge all operators of resolvers without proper spoofing countermeasures to consider PowerDNS, as it is a Better Internet Nameserver Daemon.
-
-A good article on DNS spoofing can be found [here](http://www.securesphere.net/download/papers/dnsspoof.htm). Some more information, based on a previous version of PowerDNS, can be found on the [PowerDNS development blog](http://blog.netherlabs.nl/articles/2006/04/14/holy-cow-1-3-million-additional-ip-addresses-served-by-powerdns).
-
-**Warning**: Because of recent DNS based denial of service attacks, running an open recursor has become a security risk. Therefore, unless configured otherwise this version of PowerDNS will only listen on localhost, which means it does not resolve for hosts on your network. To fix, configure the **local-address** setting with all addresses you want to listen on. Additionally, by default service is restricted to RFC 1918 private IP addresses. Use **allow-from** to selectively open up the recursor for your own network. See [pdns\_recursor settings](recursor/settings.md#allow-from "pdns_recursor settings") for details.
-
-## Important new features of the PowerDNS recursor 3.0
-- Best spoofing protection and detection we know of. Not only is spoofing made harder by using a new network address for each query, PowerDNS detects when an attempt is made to spoof it, and temporarily ignores the data. For details, see [Anti-spoofing](recursor/security.md "Anti-spoofing").
-- First nameserver to benefit from epoll/kqueue/Solaris completion ports event reporting framework, for stellar performance.
-- Best statistics of any recursing nameserver we know of, see [Statistics](recursor/stats.md "Statistics").
-- Last-recently-used based cache cleanup algorithm, keeping the 'best' records in memory
-- First class Solaris support, built on a 'try and buy' Sun CoolThreads T 2000.
-- Full IPv6 support, implemented natively.
-- Access filtering, both for IPv4 and IPv6.
-- Experimental SMP support for nearly double performance. See [PowerDNS Recursor performance](recursor/performance.md "PowerDNS Recursor performance").
-
-Many people helped package and test this release. Jorn Ekkelenkamp of ISP-Services helped find the '8000 SOAs' bug and spotted many other oddities and [XS4ALL](http://www.xs4all.nl) internet funded a lot of the recent development. Joaquín M López Muñoz of the boost::multi\_index\_container was again of great help.
-
-# Version 2.9.20
-Released the 15th of March 2006
-
-Besides adding OpenDBX, this release is mostly about fixing problems and speeding up the recursor. This release has been made possible by [XS4ALL](http://www.xs4all.nl) and [True](http://true.nl). Thanks!
-
-Furthermore, we are very grateful for the help of Andrew Pinski, who hacks on gcc, and of Joaquín M López Muñoz, the author of [boost::multi\_index\_container](http://www.boost.org/libs/multi_index/doc/index.html). Without their near-realtime help this release would've been delayed a lot. Thanks!
-
-## Bugs fixed in the recursor
-- Possible stability issues in the recursor on encountering errors ([commit 532](http://wiki.powerdns.com/projects/trac/changeset/532), [commit 533](http://wiki.powerdns.com/projects/trac/changeset/533))
-- Memory leaks in recursor fixed ([commit 534](http://wiki.powerdns.com/projects/trac/changeset/534), [commit 572](http://wiki.powerdns.com/projects/trac/changeset/572)). In a test 800 million real life DNS packets have been sent to the recursor, representing several days of traffic from a major ISP, memory use was high (500MB), but stable.
-- Prune all data in PowerDNS - previously per-nameserver and per-query performance statistics were kept around forever ([commit 535](http://wiki.powerdns.com/projects/trac/changeset/535))
-- IPv6 additional processing was broken. Reported by Lionel Elie Mamane, who also provided a fix. The problem was fixed differently in the end. [commit 562](http://wiki.powerdns.com/projects/trac/changeset/562).
-- pdns\_recursor did not shuffle answers since 2.9.19, leading to problems sending mail to the Hotmail servers. Reported in [ticket 54](https://github.com/PowerDNS/pdns/issues/54), fixed in [commit 567](http://wiki.powerdns.com/projects/trac/changeset/567).
-- If a single nameserver had multiple IP addresses listed, PowerDNS would only use one of them. Noted by Mark Martin, fixed in [commit 570](http://wiki.powerdns.com/projects/trac/changeset/570), who depends on a domain with 4 nameserver IP addresses of which 2 are broken.
-
-## Improvements to the recursor
-- Commits [535](http://wiki.powerdns.com/projects/trac/changeset/535), [540](http://wiki.powerdns.com/projects/trac/changeset/540), [541](http://wiki.powerdns.com/projects/trac/changeset/541), [542](http://wiki.powerdns.com/projects/trac/changeset/542), [543](http://wiki.powerdns.com/projects/trac/changeset/543), [544](http://wiki.powerdns.com/projects/trac/changeset/544), [545](http://wiki.powerdns.com/projects/trac/changeset/545), [547](http://wiki.powerdns.com/projects/trac/changeset/547) and [548](http://wiki.powerdns.com/projects/trac/changeset/548), [574](http://wiki.powerdns.com/projects/trac/changeset/574) all speed up the recursor by a large factor, without altering the DNS algorithm.
-- Move recursor to the incredible boost::multi\_index\_container ([commit 580](http://wiki.powerdns.com/projects/trac/changeset/580)). This brings a huge improvement in cache pruning times.
-- [commit 549](http://wiki.powerdns.com/projects/trac/changeset/549) and [commit 550](http://wiki.powerdns.com/projects/trac/changeset/550) work around gcc bug [24704](http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24704) if requested, which speeds up the recursor a lot, but involves a dirty hack. Enable with **./configure --enable-gcc-skip-locking**. No guarantees!
-
-## Bugs fixed in the authoritative nameserver
-- PowerDNS would no longer allow a '/' in domain names, fixed by [commit 537](http://wiki.powerdns.com/projects/trac/changeset/537), reported in [ticket 48](https://github.com/PowerDNS/pdns/issues/48).
-- Parameters to **pdns\_control notify-host** were not checked, leading to possible crashes. Reported in [ticket 24](https://github.com/PowerDNS/pdns/issues/24), fixed in [commit 565](http://wiki.powerdns.com/projects/trac/changeset/565).
-- On some compilers, processing of NAPTR records could cause the server to crash. Reported by Bernd Froemel in [ticket 29](https://github.com/PowerDNS/pdns/issues/29), fixed in [commit 538](http://wiki.powerdns.com/projects/trac/changeset/538).
-- Backend errors could make the whole nameserver exit under some circumstances, notably using the LDAP backend. Fixed in [commit 583](http://wiki.powerdns.com/projects/trac/changeset/583), reported in [ticket 62](https://github.com/PowerDNS/pdns/issues/62).
-- Referrals were subtly broken by recent CNAME/Wildcard improvements, fixed in [commit 539](http://wiki.powerdns.com/projects/trac/changeset/539). Fix and other improvements sponsored by [True](http://true.nl).
-- PowerDNS would try to insert records it has no knowledge about in slave zones, which did not work. Reported in [ticket 60](https://github.com/PowerDNS/pdns/issues/60), fixed in [commit 566](http://wiki.powerdns.com/projects/trac/changeset/566). A superior fix would be to implement the relevant unknown record standard.
-
-## Improvements to the authoritative nameserver
-- Pipebackend did not properly propagate the ABI version to its children, fixed in [commit 546](http://wiki.powerdns.com/projects/trac/changeset/546), reported by kickdaddy@gmail.com in [ticket 45](https://github.com/PowerDNS/pdns/issues/45).
-- [OpenDBX](http://www.linuxnetworks.de/pdnsodbx/index.html) backend added ([commit 559](http://wiki.powerdns.com/projects/trac/changeset/559), [commit 560](http://wiki.powerdns.com/projects/trac/changeset/560), [commit 561](http://wiki.powerdns.com/projects/trac/changeset/561)) by Norbert Sendetzky. From the website: “ The OpenDBX backend enables it to fetch DNS information from every DBMS supported by the OpenDBX library and combines the power of one of the best DNS server implementations with the flexibility of the OpenDBX library. ” OpenDBX adds some other features like database failover. Thanks Norbert!
-- LDAP fixes as reported in [ticket 37](https://github.com/PowerDNS/pdns/issues/37), fixed in [commit 558](http://wiki.powerdns.com/projects/trac/changeset/558), which make **pdns\_control notify** work.
-- Arjo Hooimeijer added support for soa-refresh-default, soa-retry-default, soa-expire-default, which were previously hardcoded. [commit 563](http://wiki.powerdns.com/projects/trac/changeset/563) and fallout in [commit 573](http://wiki.powerdns.com/projects/trac/changeset/573) (thanks to Wolfram Schlich).
-
-## Miscellaneous
-- Fixes for g++ 4.1. Compiling with 4.1 realizes notable speedups. [commit 568](http://wiki.powerdns.com/projects/trac/changeset/568), [commit 569](http://wiki.powerdns.com/projects/trac/changeset/569).
-- PowerDNS now reports if it is running in 32 or 64 bit mode, useful for bi-arch users that need to know if they are benefitting from [AMD's great processor](http://www.amd.com). [commit 571](http://wiki.powerdns.com/projects/trac/changeset/571).
-- **dnsscope** compiles again, [commit 551](http://wiki.powerdns.com/projects/trac/changeset/551), [commit 564](http://wiki.powerdns.com/projects/trac/changeset/564) (FreeBSD 64-bit time\_t).
-- **dnsreplay\_mindex** compiles again, fixed by [commit 572](http://wiki.powerdns.com/projects/trac/changeset/572). Its performance, and the performance of the recursor was improved by [commit 559](http://wiki.powerdns.com/projects/trac/changeset/559).
-- Build scripts were added, mostly for internal use but we know some PowerDNS users build their own packages too. [commit 553](http://wiki.powerdns.com/projects/trac/changeset/553), [commit 554](http://wiki.powerdns.com/projects/trac/changeset/554), [commit 555](http://wiki.powerdns.com/projects/trac/changeset/555), [commit 556](http://wiki.powerdns.com/projects/trac/changeset/556), [commit 557](http://wiki.powerdns.com/projects/trac/changeset/557).
-- `bootstrap` script was not included in release. Thanks to Stefan Arentz for noticing. Fixed in [commit 574](http://wiki.powerdns.com/projects/trac/changeset/574).
-
-# Version 2.9.19
-Released 29th of October 2005.
-
-As with other recent releases, the usage of PowerDNS appears to have skyrocketed. Informal, though strict, measurements show that PowerDNS now powers around 50% of all German domains, and somewhere in the order of 10-15% of the rest of the world. Furthermore, DNS is set to take a central role in connecting Voice over IP providers, with PowerDNS offering a very good feature set for these ENUM deployments. PowerDNS is already powering the E164.info ENUM zone and also acts as the backend for a major VoIP provisioning platform.
-
-Included in this release is the now complete packet parsing/generating, record parsing/generating infrastructure. Furthermore, this framework is used by the recursor, hopefully making it very fast, memory efficient and robust. Many records are now processed using a single line of code. This has made the recursor a lot stricter in packet parsing, you will see some error messages which did not appear before. Rest assured however that these only happen for queries which have no valid answer in any case.
-
-Furthermore, support for DNSSEC records is available in the new infrastructure, although is should be emphasised that there is more to DNSSEC than parsing records. There is no real support for DNSSEC (yet).
-
-Additionally, the BIND Backend has been replaced by what was up to now known as the 'Bind2Backend'. Initial benchmarking appears to show that this backend is faster, uses less memory and has shorter startup times. The code is also shorter.
-
-This release fixes a number of embarrassing bugs and is a recommended upgrade.
-
-Thanks are due to [XS4ALL](http://www.xs4all.nl) who are supporting continuing development of PowerDNS, the fruits of which can be found in this release already. Furthermore, a remarkable number of people have helped report bugs, validate solutions or have submitted entire patches. Many thanks!
-
-## Improvements
-- dnsreplay now has a help message and has received further massive updates, making the code substantially faster. It turns out that dnsreplay is often 'heavier' than the PowerDNS process being benchmarked.
-- PowerDNS recursor no longer prints out its queries by default as most recursor deployments have too much traffic for this to be useful.
-- PowerDNS recursor is now able to read its root-hints from disk, which is useful to operate with alternate roots, like the [Open Root Server Network](http://www.orsn.org). See [PowerDNS Recursor](recursor/index.md).
-- PowerDNS can now send out old-fashioned root-referrals when queried for domains for which it is not authoritative. Wastes some bandwidth but may solve incoming query floods if domains are delegated to you for which you are not authoritative, but which are queried by broken recursors.
-- PowerDNS now prints out a warning when running with legacy LinuxThreads implementation instead of the high performance NPTL library. [commit 455](http://wiki.powerdns.com/projects/trac/changeset/455).
-- A lot of superfluous calls to gettimeofday() have been removed, making PowerDNS and especially the recursor faster. Suggested by Kai.
-- SPF records are now supported natively. [commit 472](http://wiki.powerdns.com/projects/trac/changeset/472), closing [ticket 22](https://github.com/PowerDNS/pdns/issues/22).
-- Improved IPv6 'bound to' messages. Thanks to Niels Bakker, Wichert Akkerman and Gerty de Wolf for suggestions.
-- Separate graphs can now be made of IPv6 queries and answers. [commit 485](http://wiki.powerdns.com/projects/trac/changeset/485).
-- Out of zone additional processing is now on by default to better comply with standards. [commit 487](http://wiki.powerdns.com/projects/trac/changeset/487).
-- Regression tests have been expanded to deal with more record types (SRV, NAPTR, TXT, duplicate SRV).
-- Improved query-logging in Bindbackend, which can be used for debugging purposes.
-- Dropped libpcap dependency, making compilation easier
-- pdns\_control now has a help message.
-- Add RRSIG, DNSKEY, DS and NSEC records for DNSSEC-bis to new parser infrastructure.
-- Recursor now honours EDNS0 allowing it to send out larger answers.
-
-## Bugs fixed
-- Domain name validation has been made a lot stricter - it turns out PostgreSQL was interpreting some (corrupt) domain names as unicode. Tested and suggested by Register.com ([commit 451](http://wiki.powerdns.com/projects/trac/changeset/451)).
-- LDAP backend did not compile (commits [452](http://wiki.powerdns.com/projects/trac/changeset/452), [453](http://wiki.powerdns.com/projects/trac/changeset/453)) due to partially applied patch (Norbert Sendetzky)
-- Incoming zone transfers work reliably again. Fixed in [commit 460](http://wiki.powerdns.com/projects/trac/changeset/460) and beyond. And [commit 523](http://wiki.powerdns.com/projects/trac/changeset/523) - closing Debian bug 330184.
-- Recent g++ versions exposed a mistake in the PowerDNS recursor cache pruning code, causing random crashes. Fixed in [commit 465](http://wiki.powerdns.com/projects/trac/changeset/465). Reported by several Red Hat users.
-- PowerDNS recursor, and MTasker in general, did not work on Solaris. Patch by Juergen Ilse, [commit 471](http://wiki.powerdns.com/projects/trac/changeset/471). Also moved most of PowerDNS over to uint32\_t style typedefs, which eases compilation problems on Solaris, [commit 477](http://wiki.powerdns.com/projects/trac/changeset/477).
-- Bindbackend2 did not properly search its include path for $INCLUDE statements. Noted by Mark Bergsma, [commit 474](http://wiki.powerdns.com/projects/trac/changeset/474).
-- Bindbackend did not notice changed zones, this problem has been fixed by the move to Bind2.
-- Pipebackend did not clean up, leading to an additional pipe backend per AXFR or pdns\_control reload. Discovered by Marc Jauvin, fixed by [commit 525](http://wiki.powerdns.com/projects/trac/changeset/525).
-- Bindbackend (both old and current versions) did not honour 'include' statements in `named.conf` on **pdns\_control rediscover**. Noted by Marc Jauvin, fixed by [commit 526](http://wiki.powerdns.com/projects/trac/changeset/526).
-- Zone transfers were sometimes shuffled, which wastes useless time, [commit 478](http://wiki.powerdns.com/projects/trac/changeset/478).
-- CNAMEs and Wildcards now work as in Bind, fixing many complaints, [commit 487](http://wiki.powerdns.com/projects/trac/changeset/487).
-- NAPTR records were compressed, which would work, but was in violation of the RFC, commit 493.
-- NAPTR records were not always parsed correctly from BIND zone files, fixed, commit 494.
-- Geobackend needed additional include statement to compile on more recent Linux distributions, commit 496.
-
-# Version 2.9.18
-Released on the 16th of July 2005.
-
-The '8 million domains' release, which also marks the battle readiness of the PowerDNS Recursor. The latest improvements have been made possible by financial support and contributions by [Register.com](http://register.com) and [XS4ALL](http://www.xs4all.nl/). Thanks!
-
-This release brings a number of new features (vastly improved recursor, Generic Oracle Support, DNS analysis and replay tools, and more) but also has a new build dependency, the [Boost library](http://www.boost.org) (version 1.31 or higher).
-
-Currently several big ISPs are evaluating the PowerDNS recursor for their resolving needs, some of them have switched already. In the course of testing, over 350 million actual queries have been recorded and replayed, the answers turn out to be satisfactorily.
-
-This testing has verified that the pdns recursor, as shipped in this release, can stand up to heavy duty ISP loads (over 20000 queries/second) and in fact does so better than major other nameservers, giving more complete answers and being faster to boot.
-
-We invite ISPs who note recursor problems to record their problematic traffic and replay it using the tools described in [Tools to analyse DNS traffic](tools/analysis.md "Tools to analyse DNS traffic") to discover if PowerDNS does a better job, and to let us know the results.
-
-Additionally, the bind2backend is almost ready to replace the stock bind backend. If you run with Bind zones, you are cordially invited to substitute 'launch=bind2' for 'launch=bind'. This will happen automatically in 2.9.19!
-
-In other news, the entire Wikipedia constellation now runs on PowerDNS using the Geo Backend! Thanks to Mark Bergsma for keeping us updated.
-
-There are two bugs with security implications, which only apply to installations running with the LDAP backend, or installations providing recursion to a limited range of IP addresses. If any of these apply to you, an upgrade is highly advised
-
-- The LDAP backend did not properly escape all queries, allowing it to fail and not answer questions. We have not investigated further risks involved, but we advise LDAP users to update as quickly as possible (Norbert Sendetzky, Jan de Groot)
-- Questions from clients denied recursion could blank out answers to clients who are allowed recursion services, temporarily. Reported by Wilco Baan. This would've made it possible for outsiders to blank out a domain temporarily to your users. Luckily PowerDNS would send out SERVFAIL or Refused, and not a denial of a domain's existence.
-
-## General bugs fixed
-
-- TCP authoritative server would not relaunch a backend after failure (reported by Norbert Sendetzky)
-- Fix backend restarting logic (reported, and fix suggested by Norbert Sendetzky)
-- Launching identical backends multiple times, with different settings, did not work. Reported by Mario Manno.
-- Master/slave queries did not honour the **query-local-address** setting. Spotted by David Levy of Register.com. The fix also randomises the local port used, slightly improving security.
-
-## Compilation fixes
-- Fix compile on Solaris, they define 'PC' for some reason. Reported by Eric Yiu.
-- PowerDNS recursor would not compile on FreeBSD due to Linux specific defines, as reported in cvstrac ticket 26 (Ralf van der Enden)
-- Several 64 bits issues have been fixed, especially in the Logging subsystem.
-- SSQLite would fail to compile on recent Debian systems (Matthijs Möhlmann)
-- Generic MySQL would not compile on 64-bit platforms.
-
-## Improvements
-- PowerDNS now reports stray command line arguments, like when running '--local-port 5300' instead of '--local-port=5300'. Reported by Christian Welzel.
-- We now warn against erroneous logging-facility specification, ie specifying an unknown facility.
-- **--version** now outputs gcc version used, so we can tell people 2.95 is no longer supported.
-- Extended regression tests, moved them to the new 'sdig' tool (see below).
-- Bind2backend is now blazingly fast, and highly memory efficient to boot. As a special bonus it can read gzipped zones directly. The '.NET' zone is hosted using 401MB of memory, the same size as the zone on disk.
-- The Pipe Backend has been improved such that it can send out different answers based on the IP address the question was received ON. See [PipeBackend protocol](authoritative/backend-pipe.md#pipebackend-protocol) for how this changed the Pipe Backend protocol. Note that you need to set **pipebackend-abi-version** to benefit from this change, existing clients are not affected. Change and documentation contributed by Marc Jauvin of Register4Less.
-- LDAP backend has been updated (Norbert Sendetzky).
-
-## Recursor improvements and fixes.
-See [Recursion](authoritative/recursion.md "Recursion") for details. The changes below mean that all of the caveats listed for the recursor have now been addressed.
-
-- After half an hour of uptime, the entire cache would be pruned for each packet, which is a tad slow. It now appears the pdns recursor is among the fastest around.
-- Under high loads, or when unlucky, some query mthreads would get 'stuck', and show up in the statistics as eternally running queries.
-- Lots of redundant gettimeofday() and time() calls were removed, which has resulted in a measurable speedup.
-- pdns\_recursor can now listen on several addresses simultaneously.
-- Now supports setuid and setgid operation to allow running as a less privileged user (Bram Vandoren).
-- Return code of pdns\_recursor binary did not make sense (Matthijs Möhlmann and Thomas Hood)
-- Timeouts and errors are now split out in statistics.
-- Many people reported broken statistics, it turned out that no statistics were being reported if there had been no questions to base them on. We now log a message to that effect.
-- Add **query-local-address** support, which allows the recursor to send questions from a specific IP address. Useful for anycast setups.
-- Add outgoing TCP query support and proper truncated answer support. Needed for Worldnic Denial of Service protection, which sends out truncated packets to force clients to connect over TCP, which prevents spoofing.
-- Properly truncate our own answers.
-- Improve our TCP answers by using writev, which is slightly friendlier to the network.
-- On FreeBSD, TCP errors could cause the recursor to exit suddenly due to a SIGPIPE signal.
-- Maximum number of simultaneous client TCP connections can now be limited with the **max-tcp-clients** setting.
-- Add aggressive timeouts for TCP clients to make sure resources are not wasted. Defaults to two seconds, can be configured with the **client-tcp-timeout** setting.
-
-## Backend fixes
-- SQLite backend would not slave properly (Darron Broad)
-- Generic MySQL would not compile on 64-bit platforms.
-
-## New technology
-- Added the new DNS parser logic, called MOADNSParser. Completely modular, every memory access checked.
-- 'sdig', a simple dig work-alike with 'canonical' output, which is used for the regression tests. Based on the new DNS parser logic.
-- **dnswasher**, **dnsreplay** and **dnsscope**, all DNS analysis tools. See [Tools to analyse DNS traffic](tools/analysis.md "Tools to analyse DNS traffic") for more details.
-- Generic Oracle Backend, sponsored by Register.COM. See [Oracle specifics](authoritative/backend-generic-oracle.md "Oracle specifics").
-
-# Version 2.9.17
-
-See [the new timeline](http://wiki.powerdns.com/trac/timeline) for progress reports.
-
-The 'million domains' release - PowerDNS has now firmly established itself as a major player with the unofficial count (ie, guesswork) now at over two million PowerDNS domains! Also, the GeoBackend has been tested by a big website and may soon see wider deployment. Thanks to Mark Bergsma for spreading the word!
-
-It is also a release with lots of changes and fixes. Take care when deploying!
-
-## Security issues
-- PowerDNS could be temporarily DoSed using a random stream of bytes. Reported cause of this has been fixed.
-
-## Enhancements
-- Reported version can be changed, or removed - see the "version-string" setting.
-- Duplicate MX records are now no longer considered duplicate if their priorities differ. Some people need this feature for spam filtering.
-
-## Bug fixes
-- NAPTR records can now be slaved, patch by Lorens Kockum.
-- GMySQL now works on Solaris
-- PowerDNS could be confused by questions with a %-sign in them - fixing cvstrac ticket \#16 (reported by dilinger at voxel.net)
-- An authentication bug in the webserver was possibly fixed, please report if you were suffering from this. Being unable to authenticate to the webserver was what you would've noticed.
-- Fix for cvstrac ticket \#2, PowerDNS could lose sync when sending out a very large number of notifications. Excellent bug report by Martin Hoffman, who also improved our original bugfix.
-- Fix the oldest PowerDNS bug in existence - under some circumstances, PowerDNS would log to syslog one character at a time. This was cvstrac ticket \#4
-- HINFO records can now be slaved, fixing cvstrac ticket \#8.
-- pdns\_recursor could block under some circumstances, especially in case of corrupt UDP packets. Reported by Wichert Akkerman. Fix by Christopher Meer. This was cvstrac ticket \#13.
-- Large SOA serial numbers would sometimes be logged as a signed integer, leading to negative numbers in the log.
-- PowerDNS now fully supports 32 bit SOA serial numbers (thanks to Mark Bergsma), closing cvstrac ticket \#5.
-- pdns\_recursor --local-address help text was wrong.
-- Very devious bug - PowerDNS did not clear its cache before sending out update notifications, leading slaves to conclude there was no update to AXFR. Excellent debugging by mkuchar at wproduction.cz.
-- Probably fixed cvstrac ticket \#26, which caused pdns\_recursor to fail on recent FreeBSD 5.3 systems. Please check, I have no such system to test on.
-- Geobackend did not get built for Debian.
-
-# Version 2.9.16
-The 'it must still be Friday somewhere' release. Massive number of fixes, portability improvements and the new Geobackend by Mark Bergsma & friends.
-
-## New
-- The Geobackend which makes it possible to send different answers to different IP ranges. Initial documentation can be found in pdns/modules/geobackend/README.
-- qgen query generation tool. Nearly completely undocumented and hard to build too, it requires Boost. But very spiffy. Use **cd pdns; make qgen** to build it.
-
-## Bugfixes
-- The most reported bug ever was fixed. Zone2sql required the inclusion of unistd.h, except on Debian unstable.
-- PowerDNS tried to listen on its control "pipe" which does not work. Probably harmless, but might have caused some oddities.
-- The Packet Cache did not always set its TTL immediately, causing some packets to be inserted, even when running with the cache disabled (Mark Bergsma).
-- Valgrind found some uninitialized reads, causing bogus values in the priority field when it was not needed.
-- Valgrind found a bug in MTasker where we used delete instead of delete[].
-- SOA serials and other parameters are unsigned. This means that very large SOA serial numbers would be messed up (Michel Stol, Stefano Straus)
-- PowerDNS left its controlsocket around after exit and reported confusing errors if a socket was already in use.
-- The recursor proxy did not work on big endian systems like SPARC and some MIPS processors (Remco Post)
-- We no longer dump core on processing LOC records on UltraSPARC (Andrew Mulholland supplied a testing machine)
-
-## Improvements
-- MySQL can now connect to a specified port again (Chris Anderton).
-- When running chroot()ed and with master or slave support active, PowerDNS needs to resolve domain names to find slaves. This in turn may require access to certain libraries. Previously, these needed to be available in the chroot directory but by forcing an initial lookup, these libraries are now loaded before the chrooting.
-- pdns\_recursor was very slow after having done a larger number of queries because of the checks to see if a query should be throttled. This is now done using a set which is a lot faster than the previous full sequential scan.
-- The throttling code may not have throttled as much as was configured.
-- Yet another big LDAP update. The LDAP backend now load balances connections over several hosts (Norbert Sendetzky)
-- Updated b.root-servers.net address in the recursor
-
-# Version 2.9.15
-This release fixes up some of the shortcomings in 2.9.14, and adds some new features too.
-
-## Bugfixes
-- **allow-recursion-override** was on by default, it was meant to be off.
-- Logging was still off in daemon mode, fixed.
-- debian/rules forgot to build an sqlite package
-- Recursor accidentally linked in MySQL - this was the result of an experiment with a persistent recursor cache.
-- The PowerDNS recursor had stability problems. It now sorts nameservers (roughly) by responsiveness. The 'roughly' part upset the sorting algorithm used, the speeds being sorted on changed during sorting.
-- The recursor now outputs the nameserver average response times in trace mode
-- LDAP compiles again.
-
-## Improvements
-- zone2sql can now accept `-` as a file name which causes it to read stdin. This allows the following to work: **dig axfr example.org | zone2sql --gmysql --zone=- | mysql pdns**, which is a nice way to import a zone.
-- zone2sql now ignores duplicate SOA records which are identical - which also makes the above possible.
-- Remove libpqpp dependencies - since we now use the native C API for PostgreSQL
-
-# Version 2.9.14
-
-Big release with the fix for the all important 2^30 seconds problem and a lot of other news.
-- errno problems would cause compilation problems when using LDAP (Norbert Sendetzky)
-- The Generic SQL backend could cause crashes on PostgreSQL when using pdns\_control notify (Georg Bauer)
-- Debian compatible init.d script (Wichert Akkerman)
-- If using the master or slave features, pdns had the notion of eternity ending in 2038, except that due to a thinko, eternity ended out to be the 10th of January 2004. This caused a loop to timeout immediately. Many thanks to Jasper Spaans for spotting the bug within five minutes.
-- Parts of the SOA field were not canonicalized.
-- The loglevel could in fact cause nothing to be logged (Norbert Sendetzky)
-
-## Improvements
-- The recursor now chooses the fastest nameserver, which causes a big speedup!
-- LDAP now has different lookup models
-- Cleanups, better load distribution, better exception handling, zone2ldap improvements
-- The recursor was somewhat chatty about TCP connections
-- PostgreSQL now only depends on the C API and not on the deprecated C++ one
-- PowerDNS can now fully overrule external zones when doing recursion. See [Recursion](authoritative/recursion.md "Recursion").
-
-# Version 2.9.13
-
-Big news! Windows is back! Our great friend Michel Stol found the time to update the PowerDNS code so it works again under windows.
-
-Furthermore, big thanks go out to Dell who quickly repaired my trusty [laptop](http://ds9a.nl/dell-d800).
-
-His changes
-- Generic SQLite support added
-- Removed the ODBC backend, replaced it by the Generic ODBC Backend, which has all the cool configurability of the Generic MySQL and PostgreSQL backends.
-- The PowerDNS Recursor now runs as a Service. It defaults to running on port 5300, PowerDNS itself is configured to expect the Recursor on port 5300 now.
-- The PowerDNS Service is now known as 'PowerDNS' to Windows.
-- The Installer was redone, this time with [NSIS2](http://nsis.sf.net).
-- General updates and fixes.
-
-## Other news
-**Note**: There appears to be a problem with PowerDNS on Red Hat 7.3 with GCC 2.96 and self-compiled binaries. The symptoms are that PowerDNS works on the foreground but fails as a daemon. We're working on it.
-
-If you do note problems, let the list know, if you don't, please do so as well. Tell us if you use the RPM or compiled yourself.
-
-It is known that not compiling in MySQL support helps solve the problem, but then you don't have MySQL.
-
-There have been a number of reports on MySQL connections being dropped on FreeBSD 4.x, which sometimes causes PowerDNS to give up and reload itself. To combat this, MySQL error messages have been improved in some places in hopes of figuring out what is up. The initial indication is that MySQL itself sometimes terminates the connection and, amazingly, that switching to a Unix domain socket instead of TCP solves the problem.
-
-## Bug fixes
-- **allow-axfr-ips** did not work for individual IP addresses (bug & fix by Norbert Sendetzky)
-
-## Improvements
-- Opteron support! Thanks to Jeff Davey for providing a shell on an Opteron. The fixes should also help PowerDNS on other platforms with a 64 bit userspace.
-
- Btw, the PowerDNS team has a strong desire for an Opteron :-)
-
-- pdns\_recursor jumbles answers now. This means that you can do poor man's round robin by supplying multiple A, MX or AAAA records for a service, and get a random one on top each time. Interestingly, this feature appeared out of nowhere, this change was made to the authoritative code but due to the wonders of code-reuse had an effect on pdns\_recursor too.
-- Big LDAP cleanup. Support for TLS was added. Zone2LDAP also gained the ability to generate ldif files containing a tree or a list of entries. (Norbert Sendetzky)
-- Zone2sql is now somewhat clearer when reporting malformed line errors - it did not always include the name of the file causing a problem, especially for big installations. Problem noted by Thom May.
-- pdns\_recursor now survives the expiration of all its root records, most often caused by prolonged disconnection from the net.
-
-# Version 2.9.12
-
-Release rich in features. Work on Verisign oddities, addition of SQLite backend, pdns\_recursor maturity.
-
-## New features
-- --version command (requested by Mike Benoit)
-- delegation-only, a Verisign special.
-- Generic [SQLite](http://www.sqlite.org) support, by Michel 'Who da man?' Stol. See [Generic SQLite backend](authoritative/backend-generic-sqlite.md).
-- init.d script for pdns\_recursor
-- Recursor now actually purges its cache, saving memory.
-- Slave configuration now no longer falls over when presented with a NULL master
-- Bindbackend2 now has supermaster support (Mark Bergsma, untested)
-- Answers are now shuffled! It turns out a few recursors don't do shuffling (pdns\_recursor, djbdns), so we do it now. Requested by Jorn Ekkelenkamp of ISP-Services. This means that if you have multiple IP addresses for one host, they will be returned in differing order every once in a while.
-
-## Bugs
-- 0.0.0.0/0 didn't use to work (Norbert Sendetzky)
-- pdns\_recursor would try to resolve IP address which to bind to, potentially causing chicken/egg problem
-- gpgsql no longer reports as gmysql (Sherwin Daganoto)
-- SRV would not be parsed right from disk (Christof Meerwald)
-- An AXFR from a zone hosted on the LDAP backend no longer transmits all the reverse entries too (Norbert Sendetzky)
-- PostgreSQL backend now does error checking. It would be a bit too trusting before.
-
-## Improvements, cleanups
-- PowerDNS now reports the numerical IP addresses it binds to instead of the, possibly, alphanumeric names the operator passed.
-- Removed only-soa hackery (noticed by Norbert Sendetzky)
-- Debian packaging fixes (Wichert Akkerman)
-- Some parameter descriptions were improved.
-- Cleanups by Norbert: getAuth moved to chopOff, arguments::contains massive cleanup, more.
-
-# Version 2.9.11
-Yet another iteration, hopefully this will be the last silly release.
-
-**Warning**: There has been a change in behaviour whereby **disable-axfr** does what it means now! From now on, setting **allow-axfr-ips** automatically disables AXFR from unmentioned subnets.
-
-This release enables AXFR again, **disable-axfr** did the opposite of what it claimed. Furthermore, the pdns\_recursor now cleans its cache, which should save some memory in the long run. Norbert contributed some small LDAP work which should come in useful in the future.
-
-# Version 2.9.10
-Small bugfixes, LDAP update. Released 3rd of July 2003. Apologies for the long delay, real life keeps interfering.
-
-**Warning**: Do not use or try to use 2.9.9, it was a botched release!
-
-**Warning**: There has been a change in behaviour whereby **disable-axfr** does what it means now! From now on, setting **allow-axfr-ips** automatically disables AXFR from unmentioned subnets.
-
-- 2.9.8 was prone to crash on adding additional records. Thanks to excellent debugging by PowerDNS users worldwide, the bug was found quickly and is in fact present in all earlier PowerDNS releases, but for some reason doesn't cause crashes there.
-- Notifications now jump in front of the queue of domains that need to be checked for changes, giving much greater perceived performance. This is needed if you have tens of thousands of slave domains and your master server is on a high latency link. Thanks to Mark Jeftovic of EasyDNS for suggesting this change and testing it on their platform.
-- Dean Mills reported that PowerDNS does confusing logging about changing GIDs and UIDs, fixed. Cosmetic only.
-- pdns\_recursor may have logged empty lines for some users, fixed. Solution suggested by Norbert Sendetzky.
-- LDAP: DNS TTLs were random values (Norbert Sendetzky, Stefan Pfetzing). New **ldap-default-ttl** option.
-- LDAP: Now works with OpenLDAP 2.1 (Norbert Sendetzky)
-- LDAP: error handling for invalid MX records implemented (Norbert Sendetzky)
-- LDAP: better exception handling (Norbert Sendetzky)
-- LDAP: code cleanup of lookup() (Norbert Sendetzky)
-- LDAP: added support for scoped searches (Norbert Sendetzky)
-
-# Version 2.9.8
-Queen's day release! 30th of April 2003.
-
-Added support for AIX, fixed negative SOA caching. Some other cleanups. Not a major release but enough reasons to upgrade.
-
-## Bugs fixed
-- Recursor had problems expiring negatively cached entries, which wasted memory and also led to the continued non-existence of hosts that since had come into existence.
-- The Generic SQL backends did not lowercase the names of records, which led to new records not being found by case sensitive databases (notably PostgreSQL). Found by Volker Goetz.
-- NS queries for zones for which we did not carry authority, but only had delegation information, had their NS records in the wrong section. Minor detail, but a standards violation nonetheless. Spotted by Stephane Bortzmeyer.
-
-## Improvements
-- Removed crypt.h dependency from powerldap.hh, which was a problem on some platforms (Richard Arends)
-- PowerDNS can't parse so called binary labels which we now detect and ignore, after printing a warning.
-- Specifying allow-axfr-ips now automatically disables AXFR for all non-mentioned addresses.
-- A Solaris ready init.d script is now part of the tar.gz (contributed, but I lost by whom).
-- Added some fixes to PowerDNS can work on AIX (spotted by Markus Heimhilcher).
-- Norbert Sendetzky contributed `zone2ldap`.
-- Everybody's favorite compiler warning from `zone2sql.cc` was removed!
-- Recursor now listens on TCP!
-
-# Version 2.9.7
-Released on 2003-03-20.
-
-This is a sweeping release in the sense of cleanup. There are some new features but mostly a lot of cleanup going on. Hiding inside is the `bind2backend`, the next generation of the bind backend. A work in progress. Those of you with overlapping zones, as mentioned in the changelog of 2.9.6, are invited to check it out by replacing **launch=bind** by **launch=bind2** and renaming all **bind-** parameters to **bind2-**. Be aware that if you run with many small zones, this backend is faster, but if you run with a few large ones, it is slower. This will improve.
-
-## Features
-- Mark Bergsma contributed **query-local-address** which allows the operator to select which source address to use. This is useful on servers with multiple source addresses and the operating system selecting an unintended one, leading to remotes denying access.
-- PowerDNS can now perform AAAA additional processing optionally, turned on by setting **do-ipv6-additional-processing**. Thanks to Stephane Bortzmeyer for pointing out the need.
-- Bind2backend, which is almost in compliance with the new IETF AXFR-clarify (some would say 'redefinition') draft.
- This backend is not ready for primetime but you may want to try it if you currently have overlapping zones and note problems. An overlapping zone would be having "ipv6.powerdns.com" and "powerdns.com" zones on one server.
-
-## Improvements
-- Zone2sql would happily try to read from a directory and not give a useful error about this.
-- PowerDNS now reports the case where it can't figure out any IP address of slave nameservers for a zone
-- Removed **receiver-threads** setting which was experimental and in fact only made things worse.
-- LDAP backend updates from its author Norbert Sendetzky. Reverse lookups should work now too.
-- An error message about unparseable packets did not include the originating IP address (fixed by Mark Bergsma)
-- PowerDNS can now be started via path resolution while running with a guardian. Suggested by Maurice Nonnekes.
-- `pdns_recursor` moved to `sbin` (reported by Norbert Sendetzky)
-- Retuned some logger errorlevels, a lot of master/slave chatter was logged as 'Error'. Reported by Willem de Groot.
-
-## Bugs fixed
-- `zone2sql` did not remove trailing dots in SOA records.
-- ldapbackend did not include `utility.hh` which caused compilation problems on Solaris (reported by Remco Post)
-- `pdns_control` could leave behind remnants in case PowerDNS was not running (reported by dG)
-- Incoming AXFR did not work on Solaris and other big-endian systems (Willem de Groot helped debugging this long standing problem).
-- Recursor could crash on convoluted CNAME loops. Thanks to Dan Faerch for delivering core dumps.
-- Silly 'wuh' debugging output in zone2sql and bindbackend removed (spotted by Ivo van der Wijk).
-- Recursor neglected to differentiate between negative cache of NXDOMAIN and NOERROR, leading to problems with IPv6 enabled Windows clients. Thanks to Stuart Walsh for reporting this and testing the fix.
-- PowerDNS set the 'aa' bit on serving NS records in a zone for which it was authoritative. Most implementations drop the 'aa' bit in this case and Stephane Bortzmeyer informed us of this. PowerDNS now also drops the 'aa' bit in this case.
-- The webserver tended to fail after prolonged operation on FreeBSD, this was due to an uninitialised timeout, other platforms were lucky. Thanks to G.P. de Boer for helping debug this.
-- getAnswers() in dnspacket.cc could be forced to read bytes beyond the end of the packet, leading to crashes in the PowerDNS recursor. This is an ongoing project that needs more work. Reported by Dan Faerch, with a core dump proving the problem.
-
-# Version 2.9.6
-Two new backends - Generic ODBC (windows only) and LDAP. Furthermore, a few important bugs have been fixed which may have hampered sites seeing a lot of outgoing zone transfers. Additionally, the pdns recursor now has 'query throttling' which is pretty cool. In short this makes sure that PowerDNS does not send out heaps of queries if a nameserver is unable to provide an answer. Many operators of authoritative setups are all too aware of recursing nameservers that hammer them for zones they don't have, PowerDNS won't do that anymore now, no matter what clients request of it.
-
-**Warning**: There is an unresolved issue with the BIND backend and 'overlapping' slave zones. So if you have 'example.com' and also have a separate slave zone called 'external.example.com', things may go wrong badly. Thanks to Christian Laursen for working with us a lot in finding this issue. We hope to resolve it soon.
-
-- BIND Backend now honours notifies, code to support this was accidentally left out. Thanks to Christian Laursen for noticing this.
-- Massive speedup for those of you using the slightly deprecated MBOXFW records. Thanks to Jorn of [ISP Services](http://www.ISP-Services.nl) for helping and testing this improvement.
-- $GENERATE had an off-by-one bug where it would omit the last record to be generated (Christian Laursen)
-- Simultaneous AXFRs may have been problematic on some backends. Thanks to Jorn of ISP-Services again for helping us resolve this issue.
-- Added LDAP backend by Norbert Sendetzky, see [LDAP Backend](authoritative/backend-ldap.md).
-- Added Generic ODBC backend for Windows by Michel Stol.
-- Simplified 'out of zone data' detection in incoming AXFR support, hopefully removing a case sensitivity bug there. Thanks again to Christian Laursen for reporting this issue.
-- $include in-zonefile was broken under some circumstances, losing the last character of a file name. Thanks to Joris Vandalon for noticing this.
-- The zone parser was more case-sensitive than BIND, refusing to accept 'in' as well as 'IN'. Thanks to Joris Vandalon for noticing this.
-
-# Version 2.9.5
-Released on 2002-02-03.
-
-This version is almost entirely about recursion with major changes to both the pdns recursor, which is renamed to '`pdns_recursor`' and to the main PowerDNS binary to make it interact better with the recursing component.
-
-Sadly, due to [technical reasons](http://sources.redhat.com/ml/libc-alpha/2003-01/msg00245.html), compiling the pdns recursor and pdns authoritative nameserver into one binary is not immediately possible. During the release of 2.9.4 we stated that the recursing nameserver would be integrated in the next release - this won't happen now.
-
-However, this turns out to not be that bad at all. The recursor can now be restarted without having to restart the rest of the nameserver, for example. Cooperation between the both halves of PowerDNS is also almost seamless. As a result, 'non-lazy recursion' has been dropped. See [Recursion](authoritative/recursion.md "Recursion") for more details.
-
-Furthermore, the recursor only works on Linux, Windows and Solaris (not entirely). FreeBSD does not support the required functions. If you know any important FreeBSD people, plea with them to support set/get/swapcontext! Alternatively, FreeBSD coders could read the solution presented here [in figure 5](http://www.eng.uwaterloo.ca/~ejones/software/threading.html).
-
-The 'Contributor of the Month' award goes to Mark Bergsma who has responded to our plea for help with the label compressor and contributed a wonderfully simple and right fix that allows PowerDNS to compress just as well as other nameservers out there. An honorary mention goes to Ueli Heuer who, despite having no C++ experience, submitted an excellent SRV record implementation.
-
-Excellent work was also performed by Michel Stol, the Windows guy, in fixing all our non-portable stuff again. Christof Meerwald has also done wonderful work in porting MTasker to Windows, which was then used by Michel to get the recursor functioning on Windows.
-
-## Other changes
-- dnspacket.cc was cleaned up by factoring out common operations
-- Heaps of work on the recursing nameserver. Has now achieved *days* of uptime!
-- Recursor renamed from syncres to `pdns_recursor`
-- PowerDNS can now serve records it does not know about. To benefit from this slightly undocumented feature, add 1024 to the numerical type of a record and include the record in binary form in your database. Used internally by the recursing nameserver but you can use it too.
-- PowerDNS now knows about SIG and KEY records *names*. It does not support them yet but can at least report so now.
-- HINFO records can now be transferred from a master to PowerDNS (thanks to Ueli Heuer for noticing it didn't work).
-- Yet more UltraSPARC alignment issues fixed (Chris Andrews).
-- Dropped non-lazy recursion, nobody was using it. Lazy recursion became even more lazy after Dan Bernstein pointed out that additional processing is not vital, so PowerDNS does its best to do additional processing on recursive queries, but does not scream murder if it does not succeed. Due to caching, the next identical query will be successfully additionally processed.
-- Label compression was improved so we can now fit all . records in 436 bytes, this used to be 460! (Code & formal proof of correctness by Mark Bergsma).
-- SRV support (incoming and outgoing), submitted by Ueli Heuer.
-- Generic backends do not support SOA serial autocalculation, it appears. Could lead to random SOA serials in case of a serial of 0 in the database. Fixed so that 0 stays zero in that case. Don't set the SOA serial to 0 when using Generic MySQL or Generic PostgreSQL!
-- J root-server address was updated to its new location.
-- SIGUSR1 now forces the recursor to print out statistics to the log.
-- Meaning of recursor logging was changed a bit - a cache hit is now a question that was answered with 0 outgoing packets needed. Used to be a weighted average of internal cache hits.
-- MySQL compilation did not include -lz which causes problems on some platforms. Thanks to James H. Cloos Jr for reporting this.
-- After a suggestion by Daniel Meyer and Florus Both, the built in webserver now reports the configuration name when multiple PowerDNS instances are active.
-- Brad Knowles noticed that zone2sql had problems with the root.zone, fixed. This also closes some other zone2sql annoyances with converting single zones.
-
-# Version 2.9.4
-Yet another grand release. Big news is the addition of a recursing nameserver which has sprung into existence over the past week. It is in use on several computers already but it is not ready for prime time. Complete integration with PowerDNS is expected around 2.9.5, for now the recursor is a separate program.
-
-In preliminary tests, the recursor appears to be four times faster than BIND 9 on a naive benchmark starting from a cold cache. BIND 9 managed to get through to some slower nameservers however, which were given up on by PowerDNS. We will continue to tune the recursor. See [PowerDNS Recursor](recursor/index.md) for further details.
-
-The BIND Backend has also been tested (see the **bind-domain-status** item below) rather heavily by several parties. After some discussion online, one of the BIND authors ventured that the newsgroup comp.protocols.dns.bind may now in fact be an appropriate venue for discussing PowerDNS. Since this discussion, traffic to the PowerDNS pages has increased sixfold and shows no signs of slowing down.
-
-From this, it is apparent that far more people are interested in PowerDNS than yet know about it. So spread the word!
-
-In other news, we now have a security page at [Security](security/index.md). Furthermore, Maurice Nonnekes contributed an OpenBSD port! See [his page](http://www.codeninja.nl/openbsd/powerdns/) for more details!
-
-## New features and improvements
-- All SQL queries in the generic backends are now available for configuration. (Martin Klebermass, Bert Hubert). See [Generic SQL backends](authoritative/backend-generic-sql.md).
-- A recursing nameserver! See [PowerDNS Recursor](recursor/index.md).
-- An incoming AXFR now only starts a backend zone replacement transaction after the first record arrived successfully, thus making sure no work is done when a remote nameserver is unable/unwilling to AXFR a zone to us.
-- Zone parser error messages were improved slightly (thanks to Stef van Dessel for spotting this shortcoming)
-- XS4ALL's Erik Bos checked how PowerDNS reacted to a BIND installation with almost 60.000 domains, some of which with \>100.000 records, and he discovered the pdns\_control **bind-domain-status** command became very slow with larger numbers of domains. Fixed, 60.000 domains are now listed in under one second.
-- If a remote nameserver disconnects during an incoming AXFR, the update is now rolled back, unless the AXFR was properly terminated.
-- The migration chapter mentioned the use of deprecated backends.
-
-## A tremendous number of bugs were discovered and fixed
-- Zone parser would only accept $include and not $INCLUDE
-- Zone parser had problems with $lines with comments on the end
-- Wildcard ANY queries were broken (thanks Colemarcus for spotting this)
-- A connection failure with the Generic backends would lead to a powerdns reload (cast of many)
-- Generic backends had some semantic problems with slave support. Symptoms were oft-repeated notifications and transfers (thanks to Mark Bergsma for helping resolve this).
-- Solaris version compiles again. Thanks to Mohamed Lrhazi for reporting that it didn't.
-- Some UltraSPARC alignment fixes. Thanks to Mohamed Lrhazi for being helpful in spotting these. One problem is still outstanding, Mohamed sent a core dump that tells us where the problem is. Expect the fix to be in 2.9.5. Volunteers can grep the source for 'UltraSPARC' to find where the problem is.
-- Our support of IPv6 on FreeBSD had phase of moon dependent bugs, fixed by Peter van Dijk.
-- Some crashes of and by pdns\_control were fixed, thanks to Mark Bergsma for helping resolve these.
-- Outgoing AXFR in pdns installations with multiple loaded backends was broken (thanks to Stuart Walsh for reporting this).
-- A failed BIND Backend incoming AXFR would block the zone until it succeeded again.
-- Generic PostgreSQL backend wouldn't compile with newer libpq++, fixed by Julien Lemoine/SpeedBlue.
-- Potential bug (not observed) when listening on multiple interfaces fixed.
-- Some typos in manpages fixed (reported by Marco Davids).
-
-# Version 2.9.3a
-
-**Note**: 2.9.3a is identical to 2.9.3 except that zone2sql does work
-
-Broad range of huge improvements. We now have an all-static .rpm and .deb for Linux users and a link to an OpenBSD port. Major news is that work on the Bind backend has progressed to the point that we've just retired our last Bind server and replaced it with PowerDNS in Bind mode! This server is operating a number of master and slave setups so it should stress the Bind backend somewhat.
-
-This version is rapidly approaching the point where it is a better-Bind-than-Bind and nearly a drop-in replacement for authoritative setups. PowerDNS is now equipped with a powerful master/slave apparatus that offers a lot of insight and control to the user, even when operating from Bind zone files and a Bind configuration. Observe.
-
-After the SOA of example.org was raised
-
-```
-pdns[17495]: All slave domains are fresh
-pdns[17495]: 1 domain for which we are master needs notifications
-pdns[17495]: Queued notification of domain 'example.org' to 195.193.163.3
-pdns[17495]: Queued notification of domain 'example.org' to 213.156.2.1
-pdns[17520]: AXFR of domain 'example.org' initiated by 195.193.163.3
-pdns[17520]: AXFR of domain 'example.org' to 195.193.163.3 finished
-pdns[17521]: AXFR of domain 'example.org' initiated by 213.156.2.1
-pdns[17521]: AXFR of domain 'example.org' to 213.156.2.1 finished
-pdns[17495]: Removed from notification list: 'example.org' to 195.193.163.3 (was acknowledged)
-pdns[17495]: Removed from notification list: 'example.org' to 213.156.2.1 (was acknowledged)
-pdns[17495]: No master domains need notifications
-```
-
-If however our slaves would ignore us, as some are prone to do, we can send some additional notifications
-
-```
-$ sudo pdns_control notify example.org
-Added to queue
-pdns[17492]: Notification request for domain 'example.org' received
-pdns[17492]: Queued notification of domain 'example.org' to 195.193.163.3
-pdns[17492]: Queued notification of domain 'example.org' to 213.156.2.1
-pdns[17495]: Removed from notification list: 'example.org' to 195.193.163.3 (was acknowledged)
-pdns[17495]: Removed from notification list: 'example.org' to 213.156.2.1 (was acknowledged)
-```
-
-Conversely, if PowerDNS needs to be reminded to retrieve a zone from a master, a command is provided
-
-```
-$ sudo pdns_control retrieve forfun.net
-Added retrieval request for 'forfun.net' from master 212.187.98.67
-pdns[17495]: AXFR started for 'forfun.net', transaction started
-pdns[17495]: Zone 'forfun.net' (/var/cache/bind/forfun.net) reloaded
-pdns[17495]: AXFR done for 'forfun.net', zone committed
-```
-
-Also, you can force PowerDNS to reload a zone from disk immediately with **pdns\_control bind-reload-now**. All this happens 'live', per your instructions. Without instructions, the right things also happen, but the operator is in charge.
-
-For more about all this coolness, see [“pdns\_control”](authoritative/running.md#pdnscontrol "pdns_control") and [“pdns\_control commands”](authoritative/backend-bind.md#bind-control-commands "pdns_control commands").
-
-**Warning**: Again some changes in compilation instructions. The hybrid pgmysql backend has been split up into 'gmysql' and 'gpgsql', sharing a common base within the PowerDNS server itself. This means that you can no longer compile **--with-modules="pgmysql" --enable-mysql --enable-pgsql** but that you should now use: **--with-modules="gmysql gpgsql"**. The old launch-names remain available.
-
-If you launch the Generic PostgreSQL backend as gpgsql2, all parameters will have gpgsql2 as a prefix, for example **gpgsql2-dbname**. If launched as gpgsql, the regular names are in effect.
-
-**Warning**: The pdns\_control protocol was changed which means that older pdns\_controls cannot talk to 2.9.3. The other way around is broken too. This may lead to problems with automatic upgrade scripts, so pay attention if your daemon is truly restarted.
-
-Also make sure no old pdns\_control command is around to confuse things.
-
-## Improvements
-- Bind backend can now deal with missing files and try to find them later.
-- Bind backend is now explicitly master capable and triggers the sending of notifications.
-- General robustness improvements in Bind backend - many errors are now non-fatal.
-- Accessibility, Serviceability. New **pdns\_server** commands like **bind-list-rejects** (lists zones that could not be loaded, and the reason why), **bind-reload-now** (reload a zone from disk NOW), **rediscover** (reread named.conf NOW). More is coming up.
-- Added support for retrieving RP (Responsible Person) records from remote masters. Serving them was already possible.
-- Added support for LOC records, which encode the geographical location of a host, both serving and retrieving (thanks to Marco Davids using them on our last Bind server, forcing us to implement this silly record).
-- Configuration file parser now strips leading spaces too, allowing "chroot= /tmp" to work, as well as "chroot=/tmp" (Thanks to Hub Dohmen for reporting this for months on end).
-- Added **bind-domain-status** command that shows the status of all domains (when/if they were parsed, any errors encountered while parsing them).
-- Added **bind-reload-now** command that tries to reload a zone from disk NOW, and reports back errors to the operator immediately.
-- Added **retrieve** command that queues a request to retrieve a zone from its master.
-- Zones retrieved from masters are now stored way smaller on disk because the domain is stripped from records, which is derived from the configuration file. Retrieved zones are now prefixed with some information on where they came from.
-
-## Changes
-- gpgsql and gmysql backends split out of the hybrid pgmysqlbackend. This again changed compilation instructions!
-- **pdns\_control** now uses the rarely seen SOCK\_STREAM Unix Domain socket variety so it can transport large amounts of text, which is needed for the **bind-domain-status** command, for which see [Pdns\_control commands](authoritative/backend-bind.md#bind-control-commands "Pdns_control commands"). This breaks compatibility with older pdns\_control and pdns\_server binaries!
-- Bind backend now ignores 'hint' and 'forward' and other unsupported zone types.
-- AXFRs are now logged more heavily by default. An AXFR is a heavy operation anyhow, some more logging does not further increase the load materially. Does help in clearing up what slaves are doing.
-- A lot of master/slave chatter has been silenced, making output more relevant. No more repetitive 'No master domains need notifications' etc, only changes are reported now.
-
-## Bugfixes
-- Windows version did not compile without minor changes.
-- Confusing error reporting on Windows 98 (which does not support PowerDNS) fixed
-- Potential crashes with shortened packets addressed. An upgrade is advised!
-- **notify** (which was already there, just badly documented) no longer prints out debugging garbage.
-- pgmysql backend had problems launching when not compiled in but available as a module. Workaround for 2.9.2 is 'load-modules=pgmysql', but even then gpgsql would not work! gmysql would then, however. These modules are now split out, removing such issues.
-
-# Version 2.9.2
-Bugfixes galore. Solaris porting created some issues on all platforms. Great news is that PowerDNS is now in Debian 'sid' (unstable). The 2.9.1 packages in there currently aren't very good but the 2.9.2 ones will be. Many thanks to Wichert Akkerman, our 'downstream' for making this possible.
-
-**Warning**: The Generic MySQL backend, part of the Generic MySQL & PostgreSQL backend, is now the DEFAULT! The previous default, the 'mysql' backend (note the lack of 'g') is now DEPRECATED. This was the source of much confusion. The 'mysql' backend does not support MASTER or SLAVE operation. The Generic backends do.
-
-To get back the mysql backend, add --with-modules="mysql" or --with-dynmodules="mysql" if you prefer to load your modules at runtime.
-
-## Bugs fixed
-- Silly debugging output removed from the webserver (found by Paul Wouters)
-- SEVERE: due to Solaris portability fixes, qtypes\<127 were broken. These include NAPTR, ANY and AXFR. The upshot is that powerdns wasn't performing outgoing AXFRs nor ANY queries. These were the 'question for type -1' warnings in the log
-- incoming AXFR could theoretically miss some trailing records (not observed, but could happen)
-- incoming AXFR did not support TXT records (spotted by Paul Wouters)
-- with some remotes, an incoming AXFR would not terminate until a timeout occurred (observed by Paul Wouters)
-- Documentation bug, pgmysql != mypgsql
-
-## Documentation
-- Documented the 'random backend', see [Random Backend](authoritative/backend-random.md "Random Backend").
-- Wichert Akkerman contributed three manpages.
-- Building PowerDNS on Unix is now documented somewhat more, see [Compiling PowerDNS on Unix](appendix/compiling-powerdns.md#on-unix "Compiling PowerDNS on Unix").
-
-## Features
-- pdns init.d script is now +x by default
-- OpenBSD is on its way of becoming a supported platform! As of 2.9.2, PowerDNS compiles on OpenBSD but swiftly crashes. Help is welcome.
-- ODBC backend (for Windows only) was missing from the distribution, now added.
-- xdb backend added - see [XDB Backend](authoritative/backend-deprecated.md#xdb-backend). Designed for use by root-server operators.
-- Dynamic modules are back which is good news for distributors who want to make a pdns packages that does not depend one every database under the sun.
-
-# Version 2.9.1
-Thanks to the great enthusiasm from around the world, powerdns is now available for Solaris and FreeBSD users again! Furthermore, the Windows build is back. We are very grateful for the help of
-
-- Michel Stol
-- Wichert Akkerman
-- Edvard Tuinder
-- Koos van den Hout
-- Niels Bakker
-- Erik Bos
-- Alex Bleker
-- Steven Stillaway
-- Roel van der Made
-- Steven Van Steen
-
-We are happy to have been able to work with the open source community to improve PowerDNS!
-
-## Changes
-- The monitor command **set** no longer allows the changing of non-existent variables.
-- IBM Universal Database DB2 backend now included in source distribution (untested!)
-- Oracle backend now included in source distribution (slightly tested!)
-- configure script now searches for postgresql and mysql includes
-- Bind parser now no longer dies on records with a ' in them (Erik Bos)
-- The pipebackend was accidentally left out of 2.9
-- FreeBSD fixes (with help from Erik Bos, Alex Bleeker, Niels Bakker)
-- Heap of Solaris work (with help from Edvard Tuinder, Stefan Van Steen, Koos van den Hout, Roel van der Made and especially Mark Bakker). Now compiles in 2.7 and 2.8, haven't tried 2.9. May be a bit dysfunctional on 2.7 though - it won't do IPv6 and it won't serve AAAA. Patches welcome!
-- Windows 32 build is back! Michel Stol updated his earlier work to the current version.
-- S/Linux (Linux on Sparc) build works now (with help from Steven Stillaway).
-- Silly debugging message ('sd.ttl from cache') removed
-- .deb files are back, hopefully in 'sid' soon! (Wichert Akkerman)
-- Removal of bzero and other less portable constructs. Discovered that recent Linux glibc's need -D\_GNU\_SOURCE (Wichert Akkerman).
-
-# Version 2.9
-Open source release. Do not deploy unless you know what you are doing. Stability is expected to return with 2.9.1, as are the binary builds.
-
-- License changed to the GNU General Public License version 2.
-- Cleanups by Erik Bos @ xs4all.
-- Build improvements by Wichert Akkerman
-- Lots of work on the build system, entirely revamped. By PowerDNS.
-
-# Version 2.8
-From this release onwards, we'll concentrate on stabilising for the 3.0 release. So if you have any must-have features, let us know soonest. The 2.8 release fixes a bunch of small stability issues and add two new features. In the spirit of the move to stability, this release has already been running 24 hours on our servers before release.
-
-- pipe backend gains the ability to restricts its invocation to a limited number of requests. This allows a very busy nameserver to still serve packets from a slow perl backend.
-- pipe backend now honors query-logging, which also documents which queries were blocked by the regex.
-- pipe backend now has its own backend chapter.
-- An incoming AXFR timeout at the wrong moment had the ability to crash the binary, forcing a reload. Thanks to our bug spotting champions Mike Benoit and Simon Kirby of NetNation for reporting this.
-
-# Version 2.7 and 2.7.1
-This version fixes some very long standing issues and adds a few new features. If you are still running 2.6, upgrade yesterday. If you were running 2.6.1, an upgrade is still strongly advised.
-
-## Features
-- The controlsocket is now readable and writable by the 'setgid' user. This allows for non-root access to PowerDNS which is nice for mrtg or cricket graphs.
-- MySQL backend (the non-generic one) gains the ability to read from a different table using the **mysql-table** setting.
-- pipe backend now has a configurable timeout using the **pipe-timeout** setting. Thanks to Steve Bromwich for pointing out the need for this.
-- Experimental backtraces. If PowerDNS crashes, it will log a lot of numbers and sometimes more to the syslog. If you see these, please report them to us. Only available under Linux.
-
-## Bugs
-- 2.7 briefly broke the mysql backend, so don't use it if you use that. 2.7.1 fixes this.
-- SOA records could sometimes have the wrong TTL. Thanks to Jonas Daugaard for reporting this.
-- An ANY query might lead to duplicate SOA records being returned under exceptional circumstances. Thanks to Jonas Daugaard for reporting this.
-- Underlying the above bug, packet compression could sometimes suddenly be turned off, leading to overly large responses and non-removal of duplicate records.
-- The **allow-axfr-ips** setting did not accept IP ranges (192.0.2.0/24) which the documentation claimed it did (thanks to Florus Both of Ascio technologies for being sufficiently persistent in reporting this).
-- Killed backends were not being respawned, leading to suboptimal behaviour on intermittent database errors. Thanks to Steve Bromwich for reporting this.
-- Corrupt packets during an incoming AXFR when acting as a slave would cause a PowerDNS reload instead of just failing that AXFR. Thanks to Mike Benoit and Simon Kirby of NetNation for reporting this.
-- Label compression in incoming AXFR had problems with large offsets, causing the above mentioned errors. Thanks to Mike Benoit and Simon Kirby of NetNation for reporting this.
-
-# Version 2.6.1
-
-Quick fix release for a big cache problem.
-
-# Version 2.6
-Performance release. A lot of work has been done to raise PowerDNS performance to staggering levels in order to take part in benchmarketing efforts. Together with our as yet unnamed partner, PowerDNS has been benchmarked at 60.000 mostly cached queries/second on off the shelf PC hardware. Uncached performance was 17.000 uncached DNS queries/second on the .ORG domain.
-
-Performance has been increased by both making PowerDNS itself quicker but also by lowering the number of backend queries typically needed. Operators will typically see PowerDNS taking less CPU and the backend seeing less load.
-
-Furthermore, some real bugs were fixed. A couple of undocumented performance switches may appear in --help output but you are advised to stay away from these.
-
-Developers: this version needs the pdns-2.5.1 development kit, available on <http://downloads.powerdns.com/releases/dev>. See also [Backend writers' guide](appendix/backend-writers-guide.md "Backend writers' guide").
-
-## Performance
-- A big error in latency calculations - cached packets were weighed 50 times less, leading to inflated latency reporting. Latency calculations are now correct and way lower - often in the microseconds range.
-- It is now possible to run with 0 second cache TTLs. This used to cause very frequent cache cleanups, leading to performance degradation.
-- Many tiny performance improvements, removing duplicate cache key calculations, etc. The cache itself has also been reworked to be more efficient.
-- First 'CNAME' backend query replaced by an 'ANY' query, which most of the time returns the actual record, preventing the need for a separate CNAME lookup, halving query load.
-- Much of the same for same-level-NS records on queries needing delegation.
-
-## Bugs fixed
-- Incidentally, the cache count would show 'unknown' packets, which was harmless but confusing. Thanks to Mike and Simon of NetNation for reporting this.
-- SOA hostmaster with a . in the local-part would be cached wrongly, leading to a stray backslash in case of multiple successively SOA queries. Thanks to Ascio Technologies for spotting this bug.
-- zone2sql did not parse Verisign zone files correctly as these contained a $TTL statement in mid-record.
-- Sometimes packets would not be accounted, leading to 'udp-queries' and 'udp-answers' divergence.
-
-## Features
-- 'cricket' command added to init.d scripts that provides unadorned output for parsing by 'Cricket'.
-
-# Version 2.5.1
-[Brown paper bag](http://www.tuxedo.org/~esr/jargon/html/entry/brown-paper-bag-bug.html) release fixing a huge memory leak in the new Query Cache.
-
-Developers: this version needs the new pdns-2.5.1 development kit, available on <http://downloads.powerdns.com/releases/dev>. See also [Backend writers' guide](appendix/backend-writers-guide.md "Backend writers' guide").
-
-And some small changes
-
-- Added support for RFC 2308 compliant negative-answer caching. This allows remotes to cache the fact that a domain does not exist and will not exist for a while. Thanks to Chris Thompson for [pointing out how tiny our minds are](http://ops.ietf.org/lists/namedroppers/namedroppers.2002/msg01697.html). This feature may cause a noticeable reduction in query load.
-- Small speedup to non-packet-cached queries, incidentally fixing the huge memory leak.
-- **pdns\_control ccounts** command outputs statistics on what is in the cache, which is useful to help optimize your caching strategy.
-
-# Version 2.5
-An important release which has seen quite a lot of trial and error testing. As a result, PowerDNS can now run with a huge cache and concurrent invalidations. This is useful when running of a slower database or under high traffic load with a fast database.
-
-Furthermore, the gpgsql2 backend has been validated for use and will soon supplant the gpgsql backend entirely. This also bodes well for the gmysql backend which is the same code.
-
-Also, a large amount of issues biting large scale slave operators were addressed. Most of these issues would only show up after prolonged uptime.
-
-## New features
-- Query cache. The old Packet Cache only cached entire questions and their answers. This is very CPU efficient but does not lead to maximum hitrate. Two packets both needing to resolve smtp.you.com internally would not benefit from any caching. Furthermore, many different DNS queries lead to the same backend queries, like 'SOA for .COM?'.
-
- PowerDNS now also caches backend queries, but only those having no answer (the majority) and those having one answer (almost the rest).
-
- In tests, these additional caches appear to halve the database backend load numerically and perhaps even more in terms of CPU load. Often, queries with no answer are more expensive than those having one.
-
- The default **ttl**s for the query-cache and negquery-cache are set to safe values (20 and 60 seconds respectively), you should be seeing an improvement in behaviour without sacrificing a lot in terms of quick updates.
-
- The webserver also displays the efficiency of the new Query Cache.
-
- The old Packet Cache is still there (and useful) but see [Authoritative Server Performance](authoritative/performance.md) for more details.
-
-- There is now the ability to shut off some logging at a very early stage. High performance sites doing thousands of queries/second may in fact spend most of their CPU time on attempting to write out logging, even though it is ignored by syslog. The new flag **log-dns-details**, on by default, allows the operator to kill most informative-only logging before it takes any cpu.
-- Flags which can be switched 'on' and 'off' can now also be set to 'off' instead of only to 'no' to turn them off.
-
-## Enhancements
-- Packet Cache is now case insensitive, leading to a higher hitrate because identical queries only differing in case now both match. Care is taken to restore the proper case in the answer sent out.
-- Packet Cache stores packets more efficiently now, savings are estimated at 50%.
-- The Packet Cache is now asynchronous which means that PowerDNS continues to answer questions while the cache is busy being purged or queried. Incidentally this will mean a cache miss where previously the question would wait until the cache became available again.
-
- The upshot of this is that operators can call **pdns\_control purge** as often as desired without fearing performance loss. Especially the full, non-specific, purge was sped up tremendously.
-
- This optimization is of little merit for small sites but is very important when running with a large packetcache, such as when using recursion under high load.
-
-- AXFR log messages now all contain the word 'AXFR' to ease grepping.
-- Linux static version now compiled with gcc 3.2 which is known to output better and faster code than the previously used 3.0.4.
-
-## Bugs fixed
-- Packetcache would sometimes send packets back with slightly modified flags if these differed from the flags of the cached copy.
-- Resolver code did bad things with file descriptors leading to fd exhaustion after prolonged uptimes and many slave SOA currency checks.
-- Resolver code failed to properly log some errors, leading to operator uncertainty regarding to AXFR problems with remote masters.
-- After prolonged uptime, slave code would try to use privileged ports for originating queries, leading to bad replication efficiency.
-- Masters sending back answers in differing case from questions would lead to bogus 'Master tried to sneak in out-of-zone data' errors and failing AXFRs.
-
-# Version 2.4
-
-Developers: this version is compatible with the pdns-2.1 development kit, available on <http://downloads.powerdns.com/releases/dev>. See also [*Backend writers' guide*](appendix/backend-writers-guide.md "Backend writers' guide").
-
-This version fixes some stability issues with malformed or malcrafted packets. An upgrade is advised. Furthermore, there are interesting new features.
-
-## New features
-- Recursive queries are now also cached, but in a separate namespace so non-recursive queries don't get recursed answers and vice versa. This should mean way lower database load for sites running with the current default lazy-recursion. Up to now, each and every recursive query would lead to a large amount of SQL queries.
-
- To prevent the packetcache from becoming huge, a separate **recursive-cache-ttl** can be specified.
-
-- The ability to change parameters at runtime was added. Currently, only the new **query-logging** flag can be changed.
-- Added **query-logging** flag which hints a backend that it should output a textual representation of queries it receives. Currently only gmysql and gpgsql2 honor this flag.
-- Gmysql backend can now also talk to PostgreSQL, leading to less code. Currently, the old postgresql driver ('gpgsql') is still the default, the new driver is available as 'gpgsql2' and has the benefit that it does query logging. In the future, gpgsql2 will become the default gpgsql driver.
-- DNS recursing proxy is now more verbose in logging odd events which may be caused by buggy recursing backends.
-- Webserver now displays peak queries/second 1 minute average.
-
-## Bugs fixed
-- Failure to connect to database in master/slave communicator thread could lead to an unclean reload, fixed.
-
-Documentation: added details for **strict-rfc-axfrs**. This feature can be used if very old clients need to be able to do zone transfers with PowerDNS. Very slow.
-
-# Version 2.3
-
-Developers: this version is compatible with the pdns-2.1 development kit, available on <http://downloads.powerdns.com/releases/dev>. See also [Backend writers' guide](appendix/backend-writers-guide.md "Backend writers' guide")
-
-This release adds the Generic MySQL backend which allows full master/slave semantics with MySQL and InnoDB tables (or other tables that support transactions). See [Generic MySQL backend](authoritative/backend-generic-mysql.md "Generic MySQL backend").
-
-## Other new features
-- Improved error messages in master/slave communicator will help down track problems.
-- **slave-cycle-interval** setting added. Very large sites with thousands of slave domains may need to raise this value above the default of 60. Every cycle, domains in indeterminate state are checked for their condition. Depending on the health of the masters, this may entail many SOA queries or attempted AXFRs.
-
-## Bugs fixed
-- 'pdns\_control purge **`domain`**' and 'pdns\_control purge **`domain$`**' were broken in version 2.2 and did not in fact purge the cache. There is a slight risk that domain-specific purge commands could force a reload in previous version. Thanks to Mike Benoit of NetNation for discovering this.
-- Master/slave communicator thread got confused in case of delayed answers from slow masters. While not causing harm, this caused inefficient behaviour when testing large amounts of slave domains because additional 'cycles' had to pass before all domains would have their status ascertained.
-- Backends implementing special SOA semantics (currently only the undocumented 'pdns express backend', or homegrown backends) would under some circumstances not answer the SOA record in case of an ANY query. This should put an end to the last DENIC problems. Thanks to DENIC for helping us find the problem.
-
-# Version 2.2
-Developers: this version is compatible with the pdns-2.1 development kit, available on <http://downloads.powerdns.com/releases/dev>. See also [Backend writers' guide](appendix/backend-writers-guide.md "Backend writers' guide")
-
-Again a big release. PowerDNS is seeing some larger deployments in more demanding environments and these are helping shake out remaining issues, especially with recursing backends.
-
-The big news is that wildcard CNAMEs are now supported, an oft requested feature and nearly the only part in which PowerDNS differed from BIND in authoritative capabilities.
-
-If you were seeing signal 6 errors in PowerDNS causing reloads and intermittent service disruptions, please upgrade to this version.
-
-For operators of PowerDNS Express trying to host .DE domains, the very special **soa-serial-offset** feature has been added to placate the new DENIC requirement that the SOA serial be at least six digits. PowerDNS Express uses the SOA serial as an actual serial and not to insert dates and hence often has single digit soa serial numbers, causing big problems with .DE redelegations.
-
-## Bugs fixed
-
-- Malformed or shortened TCP recursion queries would cause a signal 6 and a reload. Same for EOF from the TCP recursing backend. Thanks to Simon Kirby and Mike Benoit of NetNation for helping debug this.
-- Timeouts on the TCP recursing backend were far too long, leading to possible exhaustion of TCP resolving threads.
-- **pdns\_control purge domain** accidentally cleaned all packets with that name as a prefix. Thanks to Simon Kirby for spotting this.
-- Improved exception error logging - in some circumstances PowerDNS would not properly log the cause of an exception, which hampered problem resolution.
-
-## New features
-- Wildcard CNAMEs now work as expected!
-- **pdns\_control purge** can now also purge based on suffix, allowing operators to purge an entire domain from the packet cache instead of only specific records. See also [pdns\_control](authoritative/running.md#pdnscontrol "pdns_control") Thanks to Mike Benoit for this suggestion.
-- **soa-serial-offset** for installations with small SOA serial numbers wishing to register .DE domains with DENIC which demands six-figure SOA serial numbers. See also [Chapter 21, *Index of all Authoritative Server settings*](authoritative/settings.md "Index of all Authoritative Server settings").
-
-# Version 2.1
-This is a somewhat bigger release due to pressing demands from customers. An upgrade is advised for installations using Recursion. If you are using recursion, it is vital that you are aware of changes in semantics. Basically, local data will now override data in your recursing backend under most circumstances. Old behaviour can be restored by turning **lazy-recursion** off.
-
-Developers: this version has a new pdns-2.1 development kit, available on <http://downloads.powerdns.com/releases/dev>. See also [Backend writers' guide](appendix/backend-writers-guide.md).
-
-**Warning**: Most users will run a static version of PowerDNS which has no dependencies on external libraries. However, some may need to run the dynamic version. This warning applies to these users.
-
-To run the dynamic version of PowerDNS, which is needed for backend drivers which are only available in source form, gcc 3.0 is required. RedHat 7.2 comes with gcc 3.0 as an optional component, RedHat 7.3 does not. However, the RedHat 7.2 Update gcc rpms install just fine on RedHat 7.3. For Debian, we suggest running 'woody' and installing the g++-3.0 package. We expect to release a FreeBSD dynamic version shortly.
-
-## Bugs fixed
-- RPM releases sometimes overwrote previous configuration files. Thanks to Jorn Ekkelenkamp of Hubris/ISP Services for reporting this.
-- TCP recursion sent out overly large responses due to a byte order mistake, confusing some clients. Thanks to the capable engineers of NetNation for bringing this to our attention.
-- TCP recursion in combination with a recursing backend on a non-standard port did not work, leading to a non-functioning TCP listener. Thanks to the capable engineers of NetNation for bringing this to our attention.
-
-## Unexpected behaviour
-- Wildcard URL records where not implemented because they are a performance penalty. To turn these on, enable **wildcard-url** in the configuration.
-- Unlike other nameservers, local data did not override the internet for recursing queries. This has mostly been brought into conformance with user expectations. If a recursive question can be answered entirely from local data, it is. To restore old behaviour, disable **lazy-recursion**. Also see [Recursion](authoritative/recursion.md "Recursion").
-
-## Features
-- Oracle support has been tuned, leading to the first public release of the Oracle backend. Zone2sql now outputs better SQL and the backend is now fully documented. Furthermore, the queries are compatible with the PowerDNS XML-RPC product, allowing PowerDNS express to run off Oracle. See [Oracle backend](authoritative/backend-oracle.md "Oracle backend").
-- Zone2sql now accepts --transactions to wrap zones in a transaction for PostgreSQL and Oracle output. This is a major speedup and also makes for better isolation of inserts. See [Zone2sql](authoritative/migration.md#zone2sql "Zone2sql").
-- **pdns\_control** now has the ability to purge the PowerDNS cache or parts of it. This enables operators to raise the TTL of the Packet Cache to huge values and only to invalidate the cache when changes are made. See also [Authoritative Server Performance](authoritative/performance.md "Authoritative Server Performance") and [pdns\_control](authoritative/running.md#pdnscontrol "pdns_control").
-
-# Version 2.0.1
-Maintenance release, fixing three small issues.
-
-Developers: this version is compatible with 1.99.11 backends.
-
-- PowerDNS ignored the **logging-facility** setting unless it was specified on the command line. Thanks to Karl Obermayer from WebMachine Technologies for noticing this.
-- Zone2sql neglected to preserve 'slaveness' of domains when converting to the slave capable PostgreSQL backend. Thanks to Mike Benoit of NetNation for reporting this. Zone2sql now has a **--slave** option.
-- SOA Hostmaster addresses with dots in them before the @-sign were mis-encoded on the wire.
-
-# Version 2.0
-Two bugfixes, one stability/security related. No new features.
-
-Developers: this version is compatible with 1.99.11 backends.
-
-Bugfixes
-- zone2sql refused to work under some circumstances, taking 100% cpu and not functioning. Thanks to Andrew Clark and Mike Benoit for reporting this.
-- Fixed a stability issue where malformed packets could force PowerDNS to reload. Present in all earlier 2.0 versions.
-
-# Version 2.0 Release Candidate 2
-Mostly bugfixes, no really new features.
-
-Developers: this version is compatible with 1.99.11 backends.
-
-## Bugs fixed
-- chroot() works again - 2.0rc1 silently refused to chroot. Thanks to Hub Dohmen for noticing this.
-- setuid() and setgid() security features were silently not being performed in 2.0rc1. Thanks to Hub Dohmen for noticing this.
-- MX preferences over 255 now work as intended. Thanks to Jeff Crowe for noticing this.
-- IPv6 clients can now also benefit from the recursing backend feature. Thanks to Andy Furnell for proving beyond any doubt that this did not work.
-- Extremely bogus code removed from DNS notification reception code - please test! Thanks to Jakub Jermar for working with us in figuring out just how broken this was.
-- AXFR code improved to handle more of the myriad different zone transfer dialects available. Specifically, interoperability with Bind 4 was improved, as well as Bind 8 in 'strict rfc conformance' mode. Thanks again for Jakub Jermar for running many tests for us. If your transfers failed with 'Unknown type 14!!' or words to that effect, this was it.
-
-## Features
-- Win32 version now has a zone2sql tool.
-- Win32 version now has support for specifying how urgent messages should be before they go to the NT event log.
-
-## Remaining issues
-- One persistent report of the default 'chroot=./' configuration not working.
-- One report of disable-axfr and allow-axfr-ips not working as intended.
-- Support for relative paths in zones and in Bind configuration is not bug-for-bug compatible with bind yet.
-
-# Version 2.0 Release Candidate 1
-The MacOS X release! A very experimental OS X 10.2 build has been added. Furthermore, the Windows version is now in line with Unix with respect to capabilities. The ODBC backend now has the code to function as both a master and a slave.
-
-Developers: this version is compatible with 1.99.11 backends.
-
-- Implemented native packet response parsing code, allowing Windows to perform AXFR and NS and SOA queries.
-- This is the first version for which we have added support for Darwin 6.0, which is part of the forthcoming Mac OS X 10.2. Please note that although this version is marked RC1, that we have not done extensive testing yet. Consider this a technology preview.
- - The Darwin version has been developed on Mac OS X 10.2 (6C35). Other versions may or may not work.
- - Currently only the random, bind, mysql and pdns backends are included.
- - The menu based installer script does not work, you will have to edit pathconfig by hand as outlined in chapter 2.
- - On Mac OS X Client, PowerDNS will fail to start because a system service is already bound to port 53.
-
- This version is distributed as a compressed tar file. You should follow the generic UNIX installation instructions.
-
-## Bugs fixed
-- Zone2sql PostgreSQL mode neglected to lowercase $ORIGIN. Thanks to Maikel Verheijen of Ladot for spotting this.
-- Zone2sql PostgreSQL mode neglected to remove a trailing dot from $ORIGIN if present. Thanks to Thanks to Maikel Verheijen of Ladot for spotting this.
-- Zone file parser was not compatible with bind when $INCLUDING non-absolute file names. Thanks to Jeff Miller for working out how this should work.
-- Bind configuration parser was not compatible with bind when including non-absolute file names. Thanks to Jeff Miller for working out how this should work.
-- Documentation incorrectly listed the Bind backend as 'slave capable'. This is not yet true, now labeled 'experimental'.
-
-Windows changes. We are indebted to Dimitry Andric who educated us in the ways of distributing Windows software.
-
-- `pdns.conf` is now read if available.
-- Console version responds to ^c now.
-- Default pdns.conf added to distribution
-- Uninstaller missed several files, leaving remnants behind
-- DLLs are now installed locally, with the pdns executable.
-- pdns\_control is now also available on Windows
-- ODBC backend can now act as master and slave. Experimental.
-- The example zone missed indexes and had other faults.
-- A runtime DLL that is present on most windows systems (but not all!) was missing.
-
-# Version 1.99.12 Prerelease
-The Windows release! See [Installing on Microsoft Windows](authoritative/installation.md). Beware, windows support is still very fresh and untested. Feedback is very welcome.
-
-Developers: this version is compatible with 1.99.11 backends.
-
-- Windows 2000 code base merge completed. This resulted in quite some changes on the Unix end of things, so this may impact reliability.
-- ODBC backend added for Windows. See [ODBC backend](authoritative/backend-deprecated.md#odbc-backend).
-- IBM DB2 Universal Database backend available for Linux. See [DB2 backend](authoritative/backend-deprecated.md#db2-backend "DB2 backend").
-- Zone2sql now understands $INCLUDE. Thanks to Amaze Internet for nagging about this
-- The SOA Minimum TTL now has a configurable default (**soa-minimum-ttl**)value to placate the DENIC requirements.
-- Added a limit on the simultaneous numbers of TCP connections to accept (**max-tcp-connections**). Defaults to 10.
-
-## Bugs fixed
-- When operating in virtual hosting mode (See [Virtual hosting](authoritative/running.md#virtual-hosting "Virtual hosting")), the additional init.d scripts would not function correctly and interface with other pdns instances.
-- PowerDNS neglected to conserve case on answers. So a query for WwW.PoWeRdNs.CoM would get an answer listing the address of www.powerdns.com. While this did not confuse resolvers, it is better to conserve case. This has semantic consequences for all backends, which the documentation now spells out.
-- PostgreSQL backend was case sensitive and returned only answers in case an exact match was found. The Generic PostgreSQL backend is now officially all lower case and zone2sql in PostgreSQL mode enforces this. Documentation has been been updated to reflect the case change. Thanks to Maikel Verheijen of Ladot for spotting this!
-- Documentation bug - postgresql create/index statements created a duplicate index. If you've previously copy pasted the commands and not noticed the error, execute **CREATE INDEX rec\_name\_index ON records(name)** to remedy. Thanks to Jeff Miller for reporting this. This also lead to depressingly slow 'ANY' lookups for those of you doing benchmarks.
-
-## Features
-- pdns\_control (see [pdns\_control](authoritative/running.md#pdnscontrol "pdns_control")) now opens the local end of its socket in `/tmp` instead of next to the remote socket (by default `/var/run`). This eases the way for allowing non-root access to pdns\_control. When running chrooted (see [Chapter 7, *Security settings & considerations*](common/security.md "Security settings & considerations")), the local socket again moves back to `/var/run`.
-- pdns\_control now has a 'version' command. See [Section 1.1, “pdns\_control”](authoritative/running.md#pdnscontrol "1.1. pdns_control").
-
-# Version 1.99.11 Prerelease
-This release is important because it is the first release which is accompanied by an Open Source Backend Development Kit, allowing external developers to write backends for PowerDNS. Furthermore, a few bugs have been fixed
-
-- Lines with only whitespace in zone files confused PowerDNS (thanks Henk Wevers)
-- PowerDNS did not properly parse TTLs with symbolic suffixes in zone files, ie 2H instead of 7200 (thanks Henk Wevers)
-
-# Version 1.99.10 Prerelease
-**IMPORTANT**: there has been a tiny license change involving free public webbased dns hosting, check out the changes before deploying!
-
-PowerDNS is now feature complete, or very nearly so. Besides adding features, a lot of 'fleshing out' work is done now. There is an important performance bug fix which may have lead to disappointing benchmarks - so if you saw any of that, please try either this version or 1.99.8 which also does not have the bug.
-
-This version has been very stable for us on multiple hosts, as was 1.99.9.
-
-PostgreSQL users should be aware that while 1.99.10 works with the schema as presented in earlier versions, advanced features such as master or slave support will not work unless you create the new 'domains' table as well.
-
-## Bugs fixed
-- Wildcard AAAA queries sometimes received an NXDOMAIN error where they should have gotten an empty NO ERROR. Thanks to Jeroen Massar for spotting this on the .TK TLD!
-- Do not disable the packetcache for 'recursion desired' packets unless a recursor was configured. Thanks to Greg Schueler for noticing this.
-- A failing backend would not be reinstated. Thanks to 'Webspider' for discovering this problem with PostgreSQL connections that die after prolonged inactivity.
-- Fixed loads of IPv6 transport problems. Thanks to Marco Davids and others for testing. Considered ready for production now.
-- **Zone2sql** printed a debugging statement on range $GENERATE commands. Thanks to Rene van Valkenburg for spotting this.
-
-## Features
-- PowerDNS can now act as a master, sending out notifications in case of changes and allowing slaves to AXFR. Big rewording of replication support, domains are now either 'native', 'master' or 'slave'. See [Master/Slave operation & replication](authoritative/modes-of-operation.md "Master/Slave operation & replication") for lots of details.
-- **Zone2sql** in PostgreSQL mode now populates the 'domains' table for easy master, slave or native replication support.
-- Ability to run on IPv6 transport only
-- Logging can now happen under a 'facility' so all PowerDNS messages appear in their own file. See [Operational logging using syslog](common/logging.md "Operational logging using syslog").
-- Different OS releases of PowerDNS now get different install path defaults. Thanks to Mark Lastdrager for nagging about this and to Nero Imhard and Frederique Rijsdijk for suggesting saner defaults.
-- Infrastructure for 'also-notify' statements added.
-
-# Version 1.99.9 Early Access Prerelease
-This is again a feature and an infrastructure release. We are nearly feature complete and will soon start work on the backends to make sure that they are all master, slave and 'superslave' capable.
-
-## Bugs fixed
-- PowerDNS sometimes sent out duplicate replies for packets passed to the recursing backend. Mostly a problem on SMP systems. Thanks to Mike Benoit for noticing this.
-- Out-of-bailiwick CNAMEs (ie, a CNAME to a domain not in PowerDNS) caused a 'ServFail' packet in 1.99.8, indicating failure, leading to hosts not resolving. Thanks to Martin Gillstrom for noticing this.
-- Zone2sql balked at zones edited under operating systems terminating files with ^Z (Windows). Thanks Brian Willcott for reporting this.
-- PostgreSQL backend logged the password used to connect. Now only does so in case of failure to connect. Thanks to 'Webspider' for noticing this.
-- Debian unstable distribution wrongly depended on home compiled PostgreSQL libraries. Thanks to Konrad Wojas for noticing this.
-
-## Features
-- When operating as a slave, AAAA records are now supported in the zone. They were already supported in master zones.
-- IPv6 transport support - PowerDNS can now listen on an IPv6 socket using the **local-ipv6** setting.
-- Very silly randombackend added which appears in the documentation as a sample backend. See [Backend writers' guide](appendix/backend-writers-guide.md).
-- When transferring a slave zone from a master, out of zone data is now rejected. Malicious operators might try to insert bad records otherwise.
-- 'Supermaster' support for automatic provisioning from masters. See [Supermaster automatic provisioning of slaves](authoritative/modes-of-operation.md#supermaster "Supermaster automatic provisioning of slaves").
-- Recursing backend can now live on a non-standard (!=53) port. See [Recursion](authoritative/recursion.md "Recursion").
-- Slave zone retrieval is now queued instead of immediate, which scales better and is more resilient to temporary failures.
-- **max-queue-length** parameter. If this many packets are queued for database attention, consider the situation hopeless and respawn.
-
-## Internal
-- SOA records are now 'special' and each backend can optionally generate them in special ways. PostgreSQL backend does so when operating as a slave.
-- Writing backends is now a lot easier. See [Backend writers' guide](appendix/backend-writers-guide.md "Backend writers' guide").
-- Added Bindbackend to internal regression tests, confirming that it is compliant.
-
-# Version 1.99.8 Early Access Prerelease
-A lot of infrastructure work gearing up to 2.0. Some stability bugs fixed and a lot of new features.
-
-## Bugs fixed
-- Bindbackend was overly complex and crashed on some systems on startup. Simplified launch code.
-- SOA fields were not always properly filled in, causing default values to go out on the wire
-- Obscure bug triggered by malicious packets (we know who you are) in SOA finding code fixed.
-- Magic serial number calculation contained a double free leading to instability.
-- Standards violation, questions for domains for which PowerDNS was unauthoritative now get a SERVFAIL answer. Thanks to the IETF Namedroppers list for helping out with this.
-- Slowly launching backends were being relaunched at a great rate when queries were coming in while launching backends.
-- MySQL-on-unix-domain-socket on SMP systems was overwhelmed by the quick connection rate on launch, inserted a small 50ms delay.
-- Some SMP problems appear to be compiler related. Shifted to GCC 3.0.4 for Linux.
-- Ran ispell on documentation.
-
-## Feature enhancements
-- Recursing backend. See [Recursion](authoritative/recursion.md "Recursion"). Allows recursive and authoritative DNS on the same IP address.
-- [NAPTR support](types.md#naptr), which is especially useful for the ENUM/E.164 community.
-- Zone transfers can now be allowed per [netmask instead of only per IP address](authoritative/settings.md#allow-axfr-ips).
-- Preliminary support for slave operation included. Only for the adventurous right now! See [Slave operation](authoritative/modes-of-operation.md "Slave operation")
-- All record types now documented, see [Supported record types and their storage](types.md "Supported record types and their storage").
-
-## Known bugs
-- Wildcard CNAMEs do not work as they do with bind.
-- Recursion sometimes sends out duplicate packets (fixed in 1.99.9 snapshots)
-- Some stability issues which are caught by the guardian
-
-## Missing features
-Features present in this document, but disabled or withheld from the current release
-- gmysqlbackend, oraclebackend
-
-# Version 1.99.7 Early Access Prerelease
-Named.conf parsing got a lot of work and many more bind configurations can now be parsed. Furthermore, error reporting was improved. Stability is looking good.
-
-## Bugs fixed
-- Bind parser got confused by file names with underscores and colons.
-- Bind parser got confused by spaces in quoted names
-- FreeBSD version now stops and starts when instructed to do so.
-- Wildcards were off by default, which violates standards. Now on by default.
-- --oracle was broken in zone2sql
-
-## Feature enhancements
-- Line number counting goes on as it should when including files in named.conf
-- Added --no-config to enable users to start the pdns daemon without parsing the configuration file.
-- zone2sql now has --bare for unformatted output which can be used to generate insert statements for different database layouts
-- zone2sql now has --gpgsql, which is an alias for --mysql, to output in a format useful for the default Generic PostgreSQL backend
-- zone2sql is now documented.
-
-## Known bugs
-Wildcard CNAMEs do not work as they do with bind.
-
-## Missing features
-Features present in this document, but disabled or withheld from the current release
-- gmysqlbackend, oraclebackend
-
-Some of these features will be present in newer releases.
-
-# Version 1.99.6 Early Access Prerelease
-
-This version is now running on dns-eu1.powerdns.net and working very well for us. But please remain cautious before deploying!
-
-## Bugs fixed
-- Webserver neglected to show log messages
-- TCP question/answer miscounted multiple questions over one socket. Fixed misnaming of counter
-- Packetcache now detects clock skew and times out entries
-- named.conf parser now reports errors with line number and offending token
-- File names in named.conf can now contain:
-
-## Feature enhancements
-- The webserver now by default does not print out configuration statements, which might contain database backends. Use **webserver-print-arguments** to restore the old behaviour.
-- Generic PostgreSQL backend is now included. Still rather beta.
-
-## Known bugs
-- FreeBSD version does not stop when requested to do so.
-- Wildcard CNAMEs do not work as they do with bind.
-
-## Missing features
-Features present in this document, but disabled or withheld from the current release
-- gmysqlbackend, oraclebackend
-
-Some of these features will be present in newer releases.
-
-# Version 1.99.5 Early Access Prerelease
-The main focus of this release is stability and TCP improvements. This is the first release PowerDNS-the-company actually considers for running on its production servers!
-
-## Major bugs fixed
-- Zone2sql received a floating point division by zero error on named.confs with less than 100 domains.
-- Huffman encoder failed without specific error on illegal characters in a domain
-- Fixed huge memory leaks in TCP code.
-- Removed further file descriptor leaks in guardian respawning code
-- Pipebackend was too chatty.
-- pdns\_server neglected to close fds 0, 1 & 2 when daemonizing
-
-## Feature enhancements
-- bindbackend can be instructed not to check the ctime of a zone by specifying **bind-check-interval=0**, which is also the new default.
-- **pdns\_server --list-modules** lists all available modules.
-
-## Performance enhancements
-- TCP code now only creates a new database connection for AXFR.
-- TCP connections timeout rather quickly now, leading to less load on the server.
-
-## Known bugs
-- FreeBSD version does not stop when requested to do so.
-- Wildcard CNAMEs do not work as they do with bind.
-
-## Missing features
-Features present in this document, but disabled or withheld from the current release
-- gmysqlbackend, oraclebackend, gpgsqlbackend
-
-Some of these features will be present in newer releases.
-
-# Version 1.99.4 Early Access Prerelease
-A lot of new named.confs can now be parsed, zone2sql & bindbackend have gained features and stability.
-
-## Major bugs fixed
-- Label compression was not always enabled, leading to large reply packets sometimes.
-- Database errors on TCP server lead to a nameserver reload by the guardian.
-- MySQL backend neglected to close its connection properly.
-- BindParser miss parsed some IP addresses and netmasks.
-- Truncated answers were also truncated on the packetcache, leading to truncated TCP answers.
-
-## Feature enhancements
-- Zone2sql and the bindbackend now understand the Bind $GENERATE{} syntax.
-- Zone2sql can optionally gloss over non-existing zones with **--on-error-resume-next**.
-- Zone2sql and the bindbackend now properly expand @ also on the right hand side of records.
-- Zone2sql now sets a default TTL.
-- DNS UPDATEs and NOTIFYs are now logged properly and sent the right responses.
-
-## Performance enhancements
-- 'Fancy records' are no longer queried for on ANY queries - this is a big speedup.
-
-## Known bugs
-- FreeBSD version does not stop when requested to do so.
-- Zone2sql refuses named.confs with less than 100 domains.
-- Wildcard CNAMEs do not work as they do with bind.
-
-## Missing features
-Features present in this document, but disabled or withheld from the current release
-- gmysqlbackend, oraclebackend, gpgsqlbackend
-
-Some of these features will be present in newer releases.
-
-# Version 1.99.3 Early Access Prerelease
-The big news in this release is the BindBackend which is now capable of parsing many more named.conf Bind configurations. Furthermore, PowerDNS has successfully parsed very large named.confs with large numbers of small domains, as well as small numbers of large domains (TLD).
-
-Zone transfers are now also much improved.
-
-Major bugs fixed
-- zone2sql leaked file descriptors on each domain, used wrong Bison recursion leading to parser stack overflows. This limited the amount of domains that could be parsed to 1024.
-- zone2sql can now read all known zone files, with the exception of those containing $GENERATE
-- Guardian relaunching a child lost two file descriptors
-- Don't die on a connection reset by peer during zone transfer.
-- Webserver does not crash anymore on ringbuffer resize
-
-## Feature enhancements
-- AXFR can now be disabled, and re-enabled per IP address
-- --help accepts a parameter, will then show only help items with that prefix.
-- zone2sql now accepts a --zone-name parameter
-- BindBackend maturing - 9500 zones parsed in 3.5 seconds. No longer case sensitive.
-
-## Performance enhancements
-- Implemented RFC-breaking AXFR format (which is the industry standard). Zone transfers now zoom along at wire speed (many megabits/s).
-
-## Known bugs
-- FreeBSD version does not stop when requested to do so.
-- BindBackend cannot parse zones with $GENERATE statements.
-
-## Missing features
-Features present in this document, but disabled or withheld from the current release
-
-- gmysqlbackend, oraclebackend, gpgsqlbackend
-
-Some of these features will be present in newer releases.
-
-# Version 1.99.2 Early Access Prerelease
-
-## Major bugs fixed
-- Database backend reload does not hang the daemon anymore
-- Buffer overrun in local socket address initialisation may have caused binding problems
-- setuid changed the uid to the gid of the selected user
-- zone2sql doesn't crash (dump core) on invocation anymore. Fixed lots of small issues.
-- Don't parse configuration file when creating configuration file. This was a problem with reinstalling.
-
-## Performance improvements
-- removed a lot of unnecessary gettimeofday calls
-- removed needless select(2) call in case of listening on only one address
-- removed 3 useless syscalls in the fast path
-
-Having said that, more work may need to be done. Testing on a 486 saw packet rates in a simple setup (question/wait/answer/question..) improve from 200 queries/second to over 400.
-
-## Usability improvements
-- Fixed error checking in init.d script (**show**, **mrtg**)
-- Added 'uptime' to the mrtg output
-- removed further GNUisms from installer and init.d scripts for use on FreeBSD
-- Debian package and apt repository, thanks to Wichert Akkerman.
-- FreeBSD /usr/ports, thanks to Peter van Dijk (in progress).
-
-Stability may be an issue as well as performance. This version has a tendency to log a bit too much which slows the nameserver down a lot.
-
-## Known bugs
-- Decreasing a ringbuffer on the website is a sure way to crash the daemon. Zone2sql, while improved, still has problems with a zone in the following format
-
-```
-name IN A 192.0.2.4
- IN A 192.0.2.5
-```
-
-To fix, add 'name' to the second line.
-
-Zone2sql does not close file descriptors.
-
-FreeBSD version does not stop when requested via the init.d script.
-
-## Missing features
-Features present in this document, but disabled or withheld from the current release
-- gmysqlbackend, oraclebackend, gpgsqlbackend
-- fully functioning bindbackend - will try to parse named.conf, but probably fail
-
-Some of these features will be present in newer releases.
-
-# Version 1.99.1 Early Access Prerelease
-This is the first public release of what is going to become PowerDNS 2.0. As such, it is not of production quality. Even PowerDNS-the-company does not run this yet.
-
-Stability may be an issue as well as performance. This version has a tendency to log a bit too much which slows the nameserver down a lot.
-
-## Known bugs
-Decreasing a ringbuffer on the website is a sure way to crash the daemon. Zone2sql is very buggy.
-
-## Missing features
-Features present in this document, but disabled or withheld from the current release:
-
-- gmysqlbackend, oraclebackend, gpgsqlbackend
-- fully functioning bindbackend - will not parse configuration files
-
-Some of these features will be present in newer releases.
+++ /dev/null
-In a production environment, you will want to be able to monitor PowerDNS performance. Furthermore, PowerDNS can perform a configurable amount of operational logging. This chapter also explains how to configure syslog for best results.
-
-# Logging
-This chapter assumes familiarity with syslog, the unix logging device. PowerDNS logs messages with different levels. The more urgent the message, the lower the 'priority'. By default, PowerDNS will only log messages with an urgency of 3 or lower, but this can be changed using the [loglevel](../authoritative/settings.md#loglevel) setting in the configuration file. Setting it to 0 will eliminate all logging, 9 will log everything.
-
-By default, logging is performed under the 'DAEMON' facility which is shared with lots of other programs. If you regard nameserving as important, you may want to have it under a dedicated facility so PowerDNS can log to its own files, and not clutter generic files.
-
-For this purpose, syslog knows about 'local' facilities, numbered from LOCAL0 to LOCAL7. To move PowerDNS logging to LOCAL0, add [`logging-facility`](../authoritative/settings.md#logging-facility)`=0` to your configuration.
-
-Furthermore, you may want to have separate files for the differing priorities - preventing lower priority messages from obscuring important ones.
-
-A sample syslog.conf might be:
-
-```
-local0.info -/var/log/pdns.info
-local0.warn -/var/log/pdns.warn
-local0.err /var/log/pdns.err
-```
-
-Where local0.err would store the really important messages. For performance and disk space reasons, it is advised to audit your `syslog.conf` for statements also logging PowerDNS activities. Many `syslog.conf`s have a '\*.\*' statement to /var/log/syslog, which you may want to remove.
-
-For performance reasons, be especially certain that no large amounts of synchronous logging take place. Under Linux, this is indicated by file names not starting with a '-' - indicating a synchronous log, which hurts performance.
-
-Be aware that syslog by default logs messages at the configured priority and higher! To log only info messages, use `local0.=info`
-
-# Performance Monitoring
-Both PowerDNS daemons generate ample metrics which can be used to monitor performance. These metrics can be polled using the rec\_control and pdns\_control commands, and they are also available via the http-based API. Finally, they can be pushed to a Carbon/Graphite server, either native carbon, or our own Metronome implementation.
-
-## Webserver
-To launch the internal webserver, add a [`webserver`](../authoritative/settings.md#webserver) statement to the `pdns.conf`. This will instruct the PowerDNS daemon to start a webserver on localhost at port 8081, without password protection. Only local users (on the same host) will be able to access the webserver by default, but we still strongly advise the use of a password protection. The webserver lists a lot of information about the PowerDNS process, including frequent queries, frequently failing queries, lists of remote hosts sending queries, hosts sending corrupt queries etc. The webserver does not allow remote management of the daemon. The following webserver related configuration items are available:
-
-* `webserver`: If set to anything but 'no', a webserver is launched.
-* `webserver-address`: Address to bind the webserver to. Defaults to 127.0.0.1, which implies that only the local computer is able to connect to the nameserver! To allow remote hosts to connect, change to 0.0.0.0 or the physical IP address of your nameserver.
-* `webserver-password`: If set, viewers will have to enter this plaintext password in order to gain access to the statistics.
-* `webserver-port`: Port to bind the webserver to.
-* `webserver-print-arguments`: Whether or not the webserver should print the server arguments.
-
-## Via init.d commands
-As mentioned before, the init.d commands **dump**, **show** and **mrtg** fetch data from a running PowerDNS process. Especially **mrtg** is powerful - it outputs data in a format that is ready for processing by the MRTG graphing tool.
-
-MRTG can make insightful graphics on the performance of your nameserver, enabling the operator to easily spot trends. MRTG can be found on the [MRTG website](http://oss.oetiker.ch/mrtg/).
-
-A sample mrtg.conf:
-
-```
-Interval: 5
-WorkDir: /var/www/mrtg
-WriteExpires: yes
-Options[_]: growright,nopercent
-XSize[_]: 600
-
-#---------------------------------------------------------------
-
-Target[udp-queries]: `/etc/init.d/pdns mrtg udp-queries udp-answers`
-Options[udp-queries]: growright,nopercent,perminute
-MaxBytes[udp-queries]: 600000
-AbsMax[udp-queries]: 600000
-Title[udp-queries]: Queries per minute
-PageTop[udp-queries]: <H2>Queries per minute</H2>
-WithPeak[udp-queries]: ymwd
-YLegend[udp-queries]: queries/minute
-ShortLegend[udp-queries]: q/m
-LegendI[udp-queries]: udp-questions
-LegendO[udp-queries]: udp-answers
-
-
-Target[perc-failed]: `/etc/init.d/pdns mrtg udp-queries udp-answers`
-Options[perc-failed]: growright,dorelpercent,perminute
-MaxBytes[perc-failed]: 600000
-AbsMax[perc-failed]: 600000
-Title[perc-failed]: Queries per minute, with percentage success
-PageTop[perc-failed]: <H2>Queries per minute, with percentage success</H2>
-WithPeak[perc-failed]: ymwd
-YLegend[perc-failed]: queries/minute
-ShortLegend[perc-failed]: q/m
-LegendI[perc-failed]: udp-questions
-LegendO[perc-failed]: udp-answers
-
-
-Target[packetcache-rate]: `/etc/init.d/pdns mrtg packetcache-hit udp-queries`
-Options[packetcache-rate]: growright,dorelpercent,perminute
-Title[packetcache-rate]: packetcache hitrate
-MaxBytes[packetcache-rate]: 600000
-AbsMax[packetcache-rate]: 600000
-PageTop[packetcache-rate]: <H2>packetcache hitrate</H2>
-WithPeak[packetcache-rate]: ymwd
-YLegend[packetcache-rate]: queries/minute
-ShortLegend[packetcache-rate]: q/m
-LegendO[packetcache-rate]: total
-LegendI[packetcache-rate]: hit
-
-Target[packetcache-missrate]: `/etc/init.d/pdns mrtg packetcache-miss udp-queries`
-Options[packetcache-missrate]: growright,dorelpercent,perminute
-Title[packetcache-missrate]: packetcache MISSrate
-MaxBytes[packetcache-missrate]: 600000
-AbsMax[packetcache-missrate]: 600000
-PageTop[packetcache-missrate]: <H2>packetcache MISSrate</H2>
-WithPeak[packetcache-missrate]: ymwd
-YLegend[packetcache-missrate]: queries/minute
-ShortLegend[packetcache-missrate]: q/m
-LegendO[packetcache-missrate]: total
-LegendI[packetcache-missrate]: MISS
-
-Target[latency]: `/etc/init.d/pdns mrtg latency`
-Options[latency]: growright,nopercent,gauge
-MaxBytes[latency]: 600000
-AbsMax[latency]: 600000
-Title[latency]: Query/answer latency
-PageTop[latency]: <H2>Query/answer latency</H2>
-WithPeak[latency]: ymwd
-YLegend[latency]: usec
-ShortLegend[latency]: usec
-LegendO[latency]: latency
-LegendI[latency]: latency
-
-Target[recursing]: `/etc/init.d/pdns mrtg recursing-questions recursing-answers`
-Options[recursing]: growright,nopercent,gauge
-MaxBytes[recursing]: 600000
-AbsMax[recursing]: 600000
-Title[recursing]: Recursive questions/answers
-PageTop[recursing]: <H2>Recursing questions/answers</H2>
-WithPeak[recursing]: ymwd
-YLegend[recursing]: queries/minute
-ShortLegend[recursing]: q/m
-LegendO[recursing]: recursing-questions
-LegendI[recursing]: recursing-answers
-```
-
-## Sending to Carbon/Graphite/Metronome
-For carbon/graphite/metronome, we use the following namespace. Everything starts with 'pdns.', which is then followed by the local hostname. Thirdly, we add either 'auth' or 'recursor' to signify the daemon generating the metrics. This is then rounded off with the actual name of the metric. As an example: 'pdns.ns1.recursor.questions'.
-
-**Warning**: If your hostname includes dots, beyond 3.6.2 they will be
-replaced by underscores so as not to confuse the namespace. In 3.6.2 and earlier,
-any dots will remain unchanged. See below for how to override the hostname.
-
-Care has been taken to make the sending of statistics as unobtrusive as possible, the daemons will not be hindered by an unreachable carbon server, timeouts or connection refused situations.
-
-To benefit from our carbon/graphite support, either install Graphite, or use our own lightweight statistics daemon, Metronome, currently available on [GitHub](https://github.com/ahupowerdns/metronome/).
-
-Secondly, set [`carbon-server`](../authoritative/settings.md#carbon-server),
-possibly [`carbon-interval`](../authoritative/settings.md#carbon-interval)
-and possibly [`carbon-ourname`](../authoritative/settings.md#carbon-ourname)
-in the configuration.
-
-**Warning**: If you include dots in `carbon-ourname`, they will not be replaced by underscores,
-since PowerDNS assumes you know what you are doing if you override your hostname.
-
-## SNMP
-
-Starting with 4.1.0, the recursor can export statistics over `SNMP` and send traps from `Lua`, provided support is enabled and [`snmp-agent`](../recursor/settings.md#snmp-agent) is set.
-
+++ /dev/null
-# Security Settings
-PowerDNS has several options to easily allow it to run more securely. Most notable are the [`chroot`](../authoritative/settings.md#chroot), [`setuid`](../authoritative/settings.md#setuid) and [`setgid`](../authoritative/settings.md#setgid) options which can be specified.
-
-For additional information on PowerDNS security, PowerDNS security incidents and PowerDNS security policy, see [our security policy](../security/index.md).
-
-## Running as a less privileged identity
-
-By specifying [`setuid`](../authoritative/settings.md#setuid) and [`setgid`](../authoritative/settings.md#setgid), PowerDNS changes to this identity shortly after binding to the privileged DNS ports. These options are highly recommended. It is suggested that a separate identity is created for PowerDNS as the user 'nobody' is in fact quite powerful on most systems.
-
-Both these parameters can be specified either numerically or as real names. You should set these parameters immediately if they are not set!
-
-## Jailing the process in a chroot
-
-The [`chroot`](../authoritative/settings.md#chroot) option secures PowerDNS to its own directory so that even if it should become compromised and under control of external influences, it will have a hard time affecting the rest of the system.
-
-Even though this will hamper hackers a lot, chroot jails have been known to be broken.
-
-**Warning**: When chrooting PowerDNS, take care that backends will be able to get to their files. Many databases need access to a UNIX domain socket which should live within the chroot. It is often possible to hardlink such a socket into the chroot dir.
-
-When running with master or slave support, be aware that many operating systems need access to specific libraries (often `/lib/libnss*`) in order to support resolution of domain names! You can also hardlink these.
-
-In addition, make sure that `/dev/log` is available from within the chroot. Logging will silently fail over time otherwise (on logrotate).
-
-The default PowerDNS configuration is best chrooted to `./`, which boils down to the configured location of the controlsocket.
-
-This is achieved by adding the following to pdns.conf: `chroot=./`, and restarting PowerDNS.
-
-# Security Considerations
-In general, make sure that the PowerDNS process is unable to execute commands on your backend database. Most database backends will only need SELECT privilege. Take care to not connect to your database as the 'root' or 'sa' user, and configure the chosen user to have very slight privileges.
-
-Databases empathically do not need to run on the same machine that runs PowerDNS! In fact, in benchmarks it has been discovered that having a separate database machine actually improves performance.
-
-Separation will enhance your database security highly. Recommended.
-
-# Security Polling
-As of Authoritative Server 3.4.1 and Recursor 3.6.2, PowerDNS products can poll the security status of their respective versions. This polling, naturally, happens over DNS. If the result is that a given version has a security problem, the software will report this at level 'Error' during startup, and repeatedly during operations.
-
-By default, security polling happens on the domain 'secpoll.powerdns.com', but this can be changed with the security-poll-suffix. If this setting is made empty, no polling will take place. Organizations wanting to host their own security zones can do so by changing this setting to a domain name under their control.
-
-To make this easier, the zone used to host secpoll.powerdns.com is available [here](https://github.com/PowerDNS/pdns/blob/master/docs/secpoll.zone).
-
-To enable distributors of PowerDNS to signal that they have backported versions, the PACKAGEVERSION compilation-time macro can be used to set a distributor suffix.
-
-## Details
-PowerDNS software sadly sometimes has critical security bugs. Even though we send out notifications of these via all channels available, we find that not everybody actually find out about our security releases.
-
-To solve this, PowerDNS software will start polling for security notifications, and log these periodically. Secondly, the security status of the software will be reported using the built-in metrics. This allows operators to poll for the PowerDNS security status and alert on it.
-
-In the implementation of this idea, we have taken the unique role of operating system distributors into account. Specifically, we can deal with backported security fixes.
-
-Finally, this feature can be disabled, or operators can have the automated queries point at their own status service.
-
-### Implementation
-PowerDNS software periodically tries to resolve 'auth-x.y.z.security-status.secpoll.powerdns.com|TXT' or 'recursor-x.y.z.security-status.secpoll.powerdns.com'.
-
-The data returned is in one of the following forms:
-
-* NXDOMAIN or resolution failure -> 0
-* "1 Ok" -> 1
-* "2 Upgrade recommended for security reasons, see http://powerdns.com/..." -> 2
-* "3 Upgrade mandatory for security reasons, see http://powerdns.com/..." -> 3
-
-In cases 2 or 3, periodic logging commences. The metric security-status is set to 2 or 3 respectively. If at a later date, resolution fails, the security-status is not reset to 1. It could be lowered however if we discover the security status is less urgent than we thought.
-
-If resolution fails, and the previous security-status was 1, the new security-status becomes 0 ('no data'). If the security-status was higher than 1, it will remain that way, and not get set to 0.
-
-In this way, security-status of 0 really means 'no data', and can not mask a known problem.
-
-### Distributions
-Distributions frequently backport security fixes to the PowerDNS versions they ship. This might lead to a version number that is known to us to be insecure to be secure in reality.
-
-To solve this issue, PowerDNS can be compiled with a distribution setting which will move the security polls from: 'auth-x.y.z.security-status.secpoll.powerdns.com' to 'auth-x.y.z-n.debian.security-status.secpoll.powerdns.com
-
-Note two things, one, there is a separate namespace for debian, and secondly, we use the package version of this release. This allows us to know that 3.6.0-1 (say) is insecure, but that 3.6.0-2 is not.
-
-### Configuration Details
-The configuration setting 'security-poll-suffix' is by default set to 'secpoll.powerdns.com'. If empty, nothing is polled. This can be moved to 'secpoll.yourorganization.com'.
-
-If compiled with PACKAGEVERSION=3.1.6-abcde.debian, queries will be sent to "auth-3.1.6-abcde.debian.security-status.security-poll-suffix".
-
-### Delegation
-If a distribution wants to host its own file with version information, we can delegate dist.security-status.secpoll.powerdns.com to their nameservers directly.
+++ /dev/null
-# Getting support, free and paid FAQ
-PowerDNS is an open source program so you may get help from the PowerDNS users'
-community or from its authors. You may also help others (please do).
-
-The PowerDNS company provides free support on the public mailing lists, and can
-help or support you in private as well. For first class and rapid support,
-please contact <a href="mailto:powerdns.support@powerdns.com">powerdns.support@powerdns.com</a>
-, or see [www.powerdns.com](http://www.powerdns.com).
-
-More information about the PowerDNS community, and its mailing lists, can be
-found on [its Wiki](http://wiki.powerdns.com). On the wiki, you will also find
-information on how to file bugs.
-
-Below, please find a list of common questions asked on our public mailing lists.
-
-## Help!
-Please try harder :-) Specifically, before people will be able to help you,
-they need to know a lot about your system. If you list more details, chances are
-you'll get better answers.
-
-## I have a question, what details should I supply?
-Start out with stating what you think should be happening. Quite often, wrong
-expectations are the actual problem. Furthermore, which database backend you
-use, your operating system, which version of PowerDNS you use and where you got
-it from (RPM, .DEB, tar.bz2). If you compiled it yourself, what were the
-./configure parameters.
-
-If at **all** possible, supply the actual name of your domain and the IP address
-of your server(s).
-
-## Where should I send my question?
-To a mailing list. Please email the authors directly only if you previously
-entered a support contract with them, or are considering doing so. For mailing
-list details, see [the mailing lists page](http://mailman.powerdns.com/mailman/listinfo/).
-
-Questions about using PowerDNS should be sent to the pdns-users list, questions
-about compiler errors or feature requests to pdns-dev.
-
-Before posting, read all FAQs.
-
-## My information is confidential, must I send it to the mailing list?
-If you desire privacy, please consider entering a support relationship with us,
-in which case we invite you to contact <a href="mailto:powerdns.support.sales@netherlabs.eu">powerdns.support.sales@netherlabs.eu</a>.
+++ /dev/null
-# End of life statements
-The currently supported release train of PowerDNS, for both the Authoritative Server and the Recursor is 4.x.
-
-PowerDNS Authoritative Server 3.4 is considered legacy and will only receive critical bug fixes and security fixes.
-
-PowerDNS Authoritative Server 3.3 will only receive security fixes.
-
-PowerDNS Recursor 3.7 is considered legacy and will only receive critical bug fixes and security fixes.
-
-PowerDNS Recursor 3.6 will only receive security fixes.
-
-PowerDNS Authoritative Server and Recursor 2.x are end of life.
-
-## PowerDNS Authoritative Server 2.x
-21st of May 2015 (updated January 2017)
-
-PowerDNS Authoritative Server 2.9.22 was released in January 2009.
-Because of its immense and durable popularity, some patch releases have been provided, the last one of which (2.9.22.6) was made available in January 2012.
-
-The 2.9.22.x series contains a number of probable and actual violations of the DNS standards.
-In addition, some behaviours of 2.9.22.x are standards conforming but cause interoperability problems today.
-Finally, 2.9.22.4 and earlier are impacted by [PowerDNS Security Advisory 2012-01](https://doc.powerdns.com/md/security/powerdns-advisory-2012-01/), which means PowerDNS can be used in a Denial of Service attack.
-
-Although we have long been telling users that we can no longer support the use of 2.x, and urging upgrading, with this statement we formally declare 2.x end of life.
-
-This means that any 2.x issues will not be addressed.
-This has been the case for a long time, but with this statement we make it formal.
-
-To upgrade to 3.x, please consult the [instructions on how to upgrade the database](https://doc.powerdns.com/3/authoritative/upgrading/#29x-to-30).
-To upgrade from 3.x to 4.x, [follow these instructions](authoritative/upgrading.md).
-If you need help with upgrading, we provide [migration services](https://www.powerdns.com/support-services-consulting.html) to our supported users.
-If you are currently running 2.9.22 and need help to tide you over, we can also provide that as part of a [support agreement](https://www.powerdns.com/support-services-consulting.html).
-
-But we urge everyone to move on to PowerDNS Authoritative Server 4.0 or later - it is a faster, more standards conforming and more powerful nameserver!
+++ /dev/null
-PowerDNS API
-============
-
-PowerDNS features a built-in API. For the Authoritative Server, starting with
-version 3.4, for the Recursor starting with version 3.6.
-
-In 3.x, all of the API was considered experimental and authentication
-initially used the standard webserver password. On 4.x, a static API key
-is used (see below).
-
-Try it
-------
-
-Install PowerDNS Authoritative with one of the gsql backends (i.e. MySQL,
-PostgreSQL or SQLite3).
-
-Then configure as follows:
-
- api=yes
- api-key=changeme
- # Needed before 4.1.0
- webserver=yes
-
-
-After restarting `pdns_server`, the following examples should start working:
-
- # List zones
- curl -H 'X-API-Key: changeme' http://127.0.0.1:8081/api/v1/servers/localhost/zones | jq .
-
- # Create new zone "example.org" with nameservers ns1.example.org, ns2.example.org
- curl -X POST --data '{"name":"example.org.", "kind": "Native", "masters": [], "nameservers": ["ns1.example.org.", "ns2.example.org."]}' -v -H 'X-API-Key: changeme' http://127.0.0.1:8081/api/v1/servers/localhost/zones | jq .
-
- # Show the new zone
- curl -H 'X-API-Key: changeme' http://127.0.0.1:8081/api/v1/servers/localhost/zones/example.org. | jq .
-
- # Add a new record to the new zone (would replace any existing test.example.org/A records)
- curl -X PATCH --data '{"rrsets": [ {"name": "test.example.org.", "type": "A", "ttl": 86400, "changetype": "REPLACE", "records": [ {"content": "192.0.5.4", "disabled": false } ] } ] }' -H 'X-API-Key: changeme' http://127.0.0.1:8081/api/v1/servers/localhost/zones/example.org. | jq .
-
- # Combined replacement of multiple RRsets
- curl -X PATCH --data '{"rrsets": [
- {"name": "test1.example.org.",
- "type": "A",
- "ttl": 86400,
- "changetype": "REPLACE",
- "records": [ {"content": "192.0.2.5", "disabled": false} ]
- },
- {"name": "test2.example.org.",
- "type": "AAAA",
- "ttl": 86400,
- "changetype": "REPLACE",
- "records": [ {"content": "2001:db8::6", "disabled": false} ]
- }
- ] }' -H 'X-API-Key: changeme' http://127.0.0.1:8081/api/v1/servers/localhost/zones/example.org. | jq .
-
-`jq` is a highly recommended tool for pretty-printing JSON. If you don't have
-`jq`, try `json_pp` or `python -mjson.tool` instead.
-
-When running multiple instances you might want to specify on which address the web server should run:
-
- # IP Address of web server to listen on
- webserver-address=127.0.0.1
- # Port of web server to listen on
- webserver-port=8081
- # Web server access is only allowed from these subnets
- webserver-allow-from=0.0.0.0/0,::/0
-
-Try it (Recursor edition)
--------------------------
-
-Install PowerDNS Recursor, configured as follows:
-
- webserver=yes
- api-key=changeme
- auth-zones=
- forward-zones=
- forward-zones-recurse=
-
-
-After restarting `pdns_recursor`, the following examples should start working:
-
- curl -v -H 'X-API-Key: changeme' http://127.0.0.1:8082/api/v1/servers/localhost | jq .
- curl -v -H 'X-API-Key: changeme' http://127.0.0.1:8082/api/v1/servers/localhost/zones | jq .
-
-
-API Specification
------------------
-
-The complete API docs are available in [`api_spec.md`](http://doc.powerdns.com/md/httpapi/api_spec/).
-
-
-Additional help
----------------
-
-For additional help, come to the `#powerdns` IRC channel on `irc.oftc.net`.
-
-
-Examples (Authoritative Server)
-===============================
-
-Show zone information and records
----------------------------------
-
- curl -H 'X-API-Key: changeme' \
- http://127.0.0.1:8081/api/v1/servers/localhost/zones/example.org. | jq .
-
-Response:
-
- {
- "id": "example.org.",
- "url": "api/v1/servers/localhost/zones/example.org.",
- "name": "example.org.",
- "kind": "Master",
- "dnssec": false,
- "account": "",
- "masters": [],
- "serial": 2015120401,
- "notified_serial": 0,
- "last_check": 0,
- "soa_edit_api": "",
- "soa_edit": "",
- "rrsets": [
- {
- "comments": [],
- "name": "example.org.",
- "records": [
- {
- "content": "ns2.example.org.",
- "disabled": false
- },
- {
- "content": "ns1.example.org.",
- "disabled": false
- }
- ],
- "ttl": 86400,
- "type": "NS"
- },
- {
- "comments": [],
- "name": "example.org.",
- "type": "SOA",
- "ttl": 86400,
- "records": [
- {
- "disabled": false,
- "content": "ns1.example.org. hostmaster.example.org. 2015120401 10800 15 604800 10800"
- }
- ]
- },
- {
- "comments": [],
- "name": "ns1.example.org.",
- "type": "A",
- "ttl": 86400,
- "records": [
- {
- "content": "192.168.0.1",
- "disabled": false
- }
- ]
- },
- {
- "comments": [],
- "name": "www.example.org.",
- "type": "A",
- "ttl": 86400,
- "records": [
- {
- "disabled": false,
- "content": "192.168.0.2"
- }
- }
- }
- ]
- }
-
-
-Replace ns1.example.org
------------------------
-
-Based on the example.org zone above, replace the ns1.example.org A record with
-192.0.2.5:
-
- curl -X PATCH --data '{"rrsets": [{
- "name": "ns1.example.org.",
- "type": "A",
- "changetype": "REPLACE",
- "records": [ {
- "content": "192.0.2.5",
- "disabled": false,
- "name": "ns1.example.org.",
- "ttl": 86400,
- "type": "A"
- }]
- }]}' -H 'X-API-Key: changeme' \
- http://127.0.0.1:8081/api/v1/servers/localhost/zones/example.org. | jq .
-
-Response:
-
- {
- "id": "example.org.",
- ...
- "records": [
- {
- "name": "ns1.example.org.",
- "type": "A",
- "ttl": 86400,
- "disabled": false,
- "content": "192.0.2.5"
- },
- ...
- ],
- ...
- }
+++ /dev/null
-API Spec
-========
-
-This API runs over HTTP, preferably HTTPS.
-
-Design Goals
-------------
-
-* Discovery endpoint
-* Unified API Scheme for Daemons & Console.
- Think of the Console Server as a proxy for all your PowerDNS deployments.
-* Have API documentation (this!) for other consumers
-
-Data format
------------
-
-Input data format: JSON.
-
-Output data formats: JSON.
-
-The `Accept:` header determines the output format. An unknown value or
-`*/*` will cause a `400 Bad Request`.
-
-All text is UTF-8 and HTTP headers will reflect this.
-
-Data types:
-
- * empty fields: `null` but present
- * Regex: implementation defined
- * Dates: ISO 8601
-
-
-REST
-----
-
-* GET: List/Retrieve. Success reply: `200 OK`
-* POST: Create. Success reply: `201 Created`, with new object as body.
-* PUT: Update. Success reply: `200 OK`, with modified object as body. For some operations, `204 No Content` is returned instead (and the modified object is not given in the body).
-* DELETE: Delete. Success reply: `200 OK`, no body.
-
-not-so-REST
------------
-
-For interactions that do not directly map onto CRUD, we use these:
-
-* GET: Query. Success reply: `200 OK`
-* PUT: Action/Execute. Success reply: `200 OK`
-
-Action/Execute methods return a JSON body of this format:
-
- {
- "message": "result message"
- }
-
-
-Authentication
---------------
-
-The PowerDNS daemons accept a static API Key, configured with the
-[`api-key`]('../authoritative/settings.md#api-key')
-option, which has to be sent in the `X-API-Key` header.
-
-Note: Authoritative Server 3.4.0 and Recursor 3.6.0 and 3.6.1 use HTTP
-Basic Authentication instead.
-
-
-Errors
-------
-
-Response code `4xx` or `5xx`, depending on the situation. Never return `2xx`
-for an error!
-
-* Invalid JSON body from client: `400 Bad Request`
-* JSON body from client not a hash: `400 Bad Request`
-* Input validation failed: `422 Unprocessable Entity`
-
-Error responses have a JSON body of this format:
-
- {
- "error": "short error message",
- "errors": [
- { ... },
- ]
- }
-
-Where `errors` is optional, and the contents are error-specific.
-
-
-Common Error Causes
--------------------
-
-##### 400 Bad Request
-
-1. The client body was not a JSON document, or it could not be parsed, or the root element of the JSON document was not a hash.
-2. The client did not send an `Accept:` header, or it was set to `*/*`.
-3. For requests that operate on a zone, the `zone_id` URL part was invalid. To get a valid `zone_id`, list the zones with the `/api/v1/servers/:server_id/zones` endpoint.
-
-
-URL: /api
----------
-
-Version discovery endpoint.
-
-Allowed methods: `GET`
-
- [
- {
- "url": "/api/v1",
- "version": 1
- }
- ]
-
-
-URL: /api/v1
-------------
-
-Allowed methods: `GET`
-
- {
- "server_url": "/api/v1/servers{/server}",
- "api_features": []
- }
-
-**TODO**:
-
-* Not yet implemented.
-* `api_features`
- * `servers_modifiable`
- * `oauth`
-
-
-General Collections Interface
-=============================
-
-Collections generally support `GET` and `POST` with these meanings:
-
-GET
----
-
-Retrieve a list of all entries.
-
-The special `type` and `url` fields are included in the response objects:
-
- * `type`: name of the resource type
- * `url`: url to the object
-
-
-Response format:
-
- [
- obj1
- [, further objs]
- ]
-
-Example:
-
- [
- {
- "type": "AType",
- "id": "anid",
- "url": "/atype/anid",
- "a_field": "a_value"
- },
- {
- "type": "AType",
- "id": "anotherid",
- "url": "/atype/anotherid",
- "a_field": "another_value"
- }
- ]
-
-
-POST
-----
-
-Create a new entry. The client has to supply the entry in the request body,
-in JSON format. `application/x-www-form-urlencoded` data MUST NOT be sent.
-
-Clients SHOULD not send the 'url' field.
-
-Client body:
-
- obj1
-
-Example:
-
- {
- "type": "AType",
- "id": "anewid",
- "a_field": "anew_value"
- }
-
-
-
-
-Servers
-=======
-
-**TODO**: further routes
-
-
-server_resource
----------------
-
-Example with server `"localhost"`, which is the only server returned by
-pdns\_server or pdns\_recursor.
-
-pdnsmgrd and pdnscontrol MUST NOT return “localhost”, but SHOULD return
-other servers.
-
- {
- "type": "Server",
- "id": "localhost",
- "url": "/api/v1/servers/localhost",
- "daemon_type": "recursor",
- "version": "VERSION",
- "config_url": "/api/v1/servers/localhost/config{/config_setting}",
- "zones_url": "/api/v1/servers/localhost/zones{/zone}",
- }
-
-Note: On a pdns\_server or pdns\_recursor, the servers collection is read-only,
-and the only allowed returned server is read-only as well.
-On a pdnscontrol server, the servers collection is read-write, and the
-returned server resources are read-write as well. Write permissions may
-depend on the credentials you have supplied.
-
-* daemon_type
- May be one of `authoritative`, `recursor`.
-
-
-URL: /api/v1/servers
---------------------
-
-Collection access.
-
-Allowed REST methods:
-
-* pdns\_server: `GET`
-* pdns\_recursor: `GET`
-* pdnsmgrd: `GET`
-* pdnscontrol: `GET`, `PUT`, `POST`, `DELETE`
-
-
-URL: /api/v1/servers/:server\_id
---------------------------------
-
-Returns a single server_resource.
-
-
-
-Config
-======
-
-
-config\_setting\_resource
--------------------------
-
- {
- "type": "ConfigSetting",
- "name": "config_setting_name",
- "value": "config_setting_value"
- }
-
-
-URL: /api/v1/servers/:server\_id/config
----------------------------------------
-
-Collection access.
-
-Allowed REST methods: `GET`, `POST`
-
-#### POST
-
-Creates a new config setting. This is useful for creating configuration for new backends.
-
-**TODO**: Not yet implemented.
-
-
-URL: /api/v1/servers/:server\_id/config/:config\_setting\_name
---------------------------------------------------------------
-
-Allowed REST methods: `GET`, `PUT`
-
-**NOTE**: only the Recursors `allow_from` configuration setting can be retrieved or modified.
-
-
-Zones
-=====
-
-Authoritative DNS Zones.
-
-A Resource Record Set (below as "RRset") are all records for a given name and type.
-
-Comments are per-RRset.
-
-
-zone_collection
----------------
-
- {
- "id": "<id>",
- "name": "<string>",
- "type": "Zone",
- "url": "/api/v1/servers/:server_id/zones/:id",
- "kind": "<kind>",
- "serial": <int>,
- "notified_serial": <int>,
- "masters": ["<ip>", ...],
- "dnssec": <bool>,
- "nsec3param": "<nsec3param record>",
- "nsec3narrow": <bool>,
- "presigned": <bool>,
- "soa_edit": "<string>",
- "soa_edit_api": "<string>",
- "account": "<string>",
- "nameservers": ["<string>", ...],
- "servers": ["<string>", ...],
- "recursion_desired": <bool>,
- "rrsets": [<RRset>, ...],
- }
-
-
-Where `RRset` is defined as:
-
- {
- "name": "<string>",
- "type": "<type>",
- "ttl": <int>,
- "records": [<Record>, ...],
- "comments": [<Comment>, ...]
- }
-
-
-Where `Record` is defined as:
-
- {
- "content": "<string>",
- "disabled": <bool>
- }
-
-
-Where `Comment` is defined as:
-
- {
- "content": "<string>",
- "account": "<string>",
- "modified_at": <int>
- }
-
-
-##### Parameters:
-
-* `id`
- Opaque zone id (string), assigned by the Server. Do not interpret.
- Guaranteed to be safe for embedding in URLs.
-
-* `name`
- Zone name, always including the trailing dot. Example: `example.org.`
- Note: Before 4.0.0, zone names were taken/given without the trailing dot.
-
-* `kind`
- Authoritative: `<kind>`: `Native`, `Master` or `Slave`
- Recursor: `<kind>`: `Native`, or `Forwarded`
-
-* `dnssec`
- inferred from `presigned` being `true` XOR presence of at
- least one cryptokey with `active` being `true`.
-
- Switching `dnssec` to `true` (from `false`) sets up DNSSEC signing
- based on the other flags, this includes running the equivalent of
- `secure-zone` and `rectify-zone`. This also applies to newly created
- zones.
- If `presigned` is `true`, no DNSSEC changes will be made to the zone
- or cryptokeys.
- **Note**: Authoritative only.
-
- **TODO**: `dnssec`, `nsec3narrow`, `nsec3param`, `presigned` are not yet implemented.
-
-* `soa_edit` MAY be set to change the `SOA-EDIT` zone setting. See
- [the `SOA-EDIT` documentation](../authoritative/domainmetadata.md#soa-edit)
- for more information.
- **Note**: Authoritative only.
-
-* `soa_edit_api` MAY be set. If it is set, on changes to the contents of
- a zone made through the API, the SOA record will be edited according to
- the SOA-EDIT-API rules. (Which are the same as the SOA-EDIT-DNSUPDATE rules.)
- If not set during zone creation, a SOA-EDIT-API metadata record is created
- and set to `DEFAULT`. (If this record is removed from the backend, the
- default behaviour is to not do any SOA editing based on this setting. This
- is different from setting `DEFAULT`.)
- **Note**: Authoritative only.
-
-* `account` MAY be set. Its value is defined by local policy.
- **Note**: Authoritative only.
-
-* `notified_serial`, `serial` MUST NOT be sent in client bodies.
- **Note**: Authoritative only.
-
-* `nameservers` MAY be sent in client bodies during creation, and MUST
- NOT be sent by the server. Simple list of strings of nameserver names,
- including the trailing dot. Note: Before 4.0.0, names were taken without
- the trailing dot.
- **Note**: Authoritative only. Not required for slave zones.
-
-* `servers`: list of forwarded-to servers, including port.
- **Note**: Recursor only.
-
-* `recursion_desired`: for `Forwarded` zones, if the RD bit should
- be set.
- **Note**: Authoritative only.
-
-* `rrsets`: list of DNS records and comments in the zone.
- **Note**: Modifications are supported on Authoritative only.
-
-Please see the description for `PATCH` for details on the fields in
-`RRset`, `Record` and `Comment`.
-
-##### Notes:
-
-Turning on DNSSEC with custom keys: just create the zone with `dnssec`
-set to `false`, and add keys using the cryptokeys REST interface. Have
-at least one of them `active` set to `true`. **TODO**: not yet
-implemented.
-
-Changes made through the Zones API will always yield valid zone data,
-and the zone will be properly "rectified" (**TODO**: not yet
-implemented). If changes are made through other means (e.g. direct
-database access), this is not guaranteed to be true and clients SHOULD
-trigger rectify.
-
-Backends might implement additional features (by coincidence or not).
-These things are not supported through the API.
-
-When creating a slave zone, it is recommended to not set any of
-`nameservers`, `records`.
-
-
-URL: /api/v1/servers/:server\_id/zones
---------------------------------------
-
-Allowed REST methods: `GET`, `POST`
-
-#### POST
-Creates a new domain.
-
-* `dnssec`, `nsec3narrow`, `presigned`, `nsec3param`, `active-keys` are OPTIONAL.
-* `dnssec`, `nsec3narrow`, `presigned` default to `false`.
-* The server MUST create a SOA record. The created SOA record SHOULD have
-serial set to the value given as `serial` (or 0 if missing), use the
-nameserver name, email, TTL values as specified in the PowerDNS configuration
-(`default-soa-name`, `default-soa-mail`, etc).
-These default values can be overridden by supplying a custom SOA record in
-the records list.
-If `soa_edit_api` is set, the SOA record is edited according to the SOA-EDIT-API
-rules before storing it. (Also applies to custom SOA records.)
-
-**TODO**: `dnssec`, `nsec3narrow`, `nsec3param`, `presigned` are not yet implemented.
-
-URL: /api/v1/servers/:server\_id/zones/:zone\_id
-------------------------------------------------
-
-Allowed methods: `GET`, `PUT`, `DELETE`, `PATCH`.
-
-#### GET
-Returns zone information.
-
-#### DELETE
-Deletes this zone, all attached metadata and rrsets.
-
-#### PATCH
-
-Modifies present RRsets and comments.
-Returns `204 No Content` on success.
-
-**Note**: Authoritative only.
-
-Client body for PATCH:
-
- { "rrsets":
- [
- {
- "name": <string>,
- "type": <string>,
- "ttl": <int>,
- "changetype": <changetype>,
- "records":
- [
- {
- "content": <string>,
- "disabled": <bool>,
- "set-ptr": <bool>
- }, ...
- ],
- "comments":
- [
- {
- "account": <string>,
- "content": <string>,
- "modified_at": <int>
- }, ...
- ]
- },
- { ... }
- ]
- }
-
-
-* `name`
- Full name of the RRset to modify. (Example: `foo.example.org.`)
-
-* `type`
- Type of the RRset to modify. (Example: `AAAA`)
-
-* `ttl`
- DNS TTL to apply to records replaced, in seconds. MUST NOT be included when `changetype` is set to `DELETE`.
-
-* `changetype`
- Must be `REPLACE` or `DELETE`.
- With `DELETE`, all existing RRs matching `name` and `type` will be deleted, including all comments.
- With `REPLACE`: when `records` is present, all existing RRs matching `name` and `type` will be deleted, and then new records given in `records` will be created.
- If no records are left, any existing comments will be deleted as well.
- When `comments` is present, all existing comments for the RRs matching `name` and `type` will be deleted, and then new comments given in `comments` will be created.
-
-* `records`
- List of new records (replacing the old ones). Must be empty when `changetype` is set to `DELETE`.
- An empty list results in deletion of all records (and comments).
- A record consists of these fields:
- * `content`: the record content. Must confirm to the DNS content rules for the specified `type`. (PowerDNS hint: includes the backend's `priority` field.)
- * `disabled`: if this record will be hidden from DNS. (true: hidden, false: visible (the default)).
- * `set-ptr`: If set to true, the server will find the matching reverse zone and create a `PTR` there. Existing `PTR` records are replaced. If no matching reverse Zone, an error is thrown. Only valid in client bodies, only valid for `A` and `AAAA` types. Not returned by the server. Only valid for the Authoritative server.
-
-* `comments`
- List of new comments (replacing the old ones). Must be empty when `changetype` is set to `DELETE`.
- An empty list results in deletion of all comments.
- `modified_at` is optional and defaults to the current server time.
- `account` is a field with user-defined meaning.
-
-#### PUT
-
-Modifies basic zone data (metadata).
-
-Allowed fields in client body: all except `id` and `url`.
-Returns `204 No Content` on success.
-
-Changing `name` renames the zone, as expected.
-
-
-URL: /api/v1/servers/:server\_id/zones/:zone\_id/notify
--------------------------------------------------------
-
-Allowed methods: `PUT`
-
-Send a DNS NOTIFY to all slaves.
-
-Fails when zone kind is not `Master` or `Slave`, or `master` and `slave` are
-disabled in pdns configuration. Only works for `Slave` if renotify is on.
-
-Not supported for recursors.
-
-Clients MUST NOT send a body.
-
-
-URL: /api/v1/servers/:server\_id/zones/:zone\_id/axfr-retrieve
---------------------------------------------------------------
-
-Allowed methods: `PUT`
-
-Retrieves the zone from the master.
-
-Fails when zone kind is not `Slave`, or `slave` is disabled in PowerDNS.
-configuration.
-
-Not supported for recursors.
-
-**Note**: Added in 3.4.2
-
-
-URL: /api/v1/servers/:server\_id/zones/:zone\_id/export
--------------------------------------------------------
-
-Allowed methods: `GET`
-
-Returns the zone in AXFR format.
-
-Not supported for recursors.
-
-
-URL: /api/v1/servers/:server\_id/zones/:zone\_id/check
-------------------------------------------------------
-
-Allowed methods: `GET`
-
-Verify zone contents/configuration.
-
-Return format:
-
- {
- "zone": "<zone_name>",
- "errors": ["error message1", ...],
- "warnings": ["warning message1", ...]
- }
-
-**TODO**: Not yet implemented.
-
-Zone Metadata
-=============
-
-**Note:** Available since PowerDNS Authoritative Server 4.1.0.
-
-zone\_metadata\_resource
-------------------------
-
- {
- "type": "Metadata",
- "kind": <metadata_kind>,
- "metadata": [
- "value1",
- ...
- ]
- }
-
-##### Parameters:
-
-`kind`: valid values for `<metadata_kind>` are specified in
-[the `domainmetadata` documentation](../authoritative/domainmetadata.md).
-
-`metadata`: an array with all values for this metadata kind.
-
-Clients MUST NOT modify `NSEC3PARAM`, `NSEC3NARROW`, `PRESIGNED` and
-`LUA-AXFR-SCRIPT` through this interface. The server rejects updates to
-these metadata. Modifications to custom metadata kinds starting with `X-` is allowed as well.
-
-
-URL: /api/v1/servers/:server\_id/zones/:zone\_name/metadata
------------------------------------------------------------
-
-Collection access.
-
-Allowed methods: `GET`, `POST`
-
-#### GET
-
-Returns all metadata entries for the zone.
-
-
-#### POST
-
-Creates a set of metadata entries of given kind for the zone.
-
-* existing metadata entries for the zone with the same kind are not overwritten.
-
-
-URL: /api/v1/servers/:server\_id/zones/:zone\_name/metadata/:metadata\_kind
----------------------------------------------------------------------------
-
-Allowed methods: `GET`, `PUT`, `DELETE`
-
-#### GET
-
-Returns all metadata entries of a given kind for the zone.
-
-
-#### DELETE
-
-Deletes all metadata entries of a given kind for the zone.
-
-
-#### PUT
-
-Modifies the metadata entries of a given kind for the zone.
-
-This returns `200 OK` on success.
-
-
-Cryptokeys
-==========
-
-cryptokey\_resource
--------------------
-
- {
- "type": "Cryptokey",
- "id": <int>,
- "active": <bool>,
- "keytype": <keytype>,
- "dnskey": <string>,
- "privatekey": <string>,
- "ds": [ <ds>,
- <ds>,
- .... ]
- }
-
-
-##### Parameters:
-
-`id`: read-only.
-
-`keytype`: `<keytype>` is one of the following: `ksk`, `zsk`, `csk`.
-
-`dnskey`: the DNSKEY for this key
-
-`ds`: an array with all DSes for this key
-
-`privatekey`: private key data (in ISC format).
-
-
-URL: /api/v1/servers/:server\_id/zones/:zone\_name/cryptokeys
--------------------------------------------------------------
-
-Allowed methods: `GET`, `POST`
-
-#### GET
-
-Returns all public data about cryptokeys, but not `privatekey`.
-
-#### POST
-
-This method adds a new key to a zone. The key can either be generated or imported by supplying the content parameter.
-
-##### Parameters:
-
-* `content` : "\<key\>" `<string>` (The format used is compatible with BIND and NSD/LDNS)
-* `keytype` : "ksk|zsk" `<string>`
-* `active`: "true|false" `<value>` (If not set the key will not be active by default)
-
-If `content` == `null`, the server generates a new key. In this case, the
-following additional fields MAY be supplied:
-
-* `bits`: number of bits `<int>`
-* `algo`: `<algo>` (Default: 13/ECDSA)
-
-Where `<algo>` is one of the supported key algorithms in lowercase OR the
-numeric id, see [`the list`](../authoritative/dnssec.md#supported-algorithms).
-
-##### Response:
-* `422 Unprocessable Entity`:
- * keytype is not ksk|zsk:
- * `{"error" : "Invalid keytype 'keytype'"}`
- * The "algo" is not supported:
- * `{"error" : "Unknown algorithm: 'algo'"}`
- * Algo <= 10 and the `bits` parameter is not set:
- * `{"error" : "Creating an algorithm 'algo' key requires the size (in bits) to be passed."}`
- * The provided bit size is not supported by the selected algorithm:
- * `{"error" : "The algorithm does not support the given bit size."}`
- * The `bits` parameter is not a positive integer value:
- * `{"error" : "'bits' must be a positive integer value"}`
- * If the server can not guess the key size:
- * `{"error" : "Can not guess key size for algorithm"}`
- * The key-creation failed:
- * `{"error" : "Adding key failed, perhaps DNSSEC not enabled in configuration?"}`
- * The key in `content` has the wrong format:
- * `{"error" : "Key could not be parsed. Make sure your key format is correct."}`
-* `201 Created`:
- * Everything was fine:
- * Returns all public data about the new cryptokey. Look at cryptokey\_resource.
-
-URL: /api/v1/servers/:server\_id/zones/:zone\_name/cryptokeys/:cryptokey\_id
-----------------------------------------------------------------------------
-
-Allowed methods: `GET`, `PUT`, `DELETE`
-
-#### GET
-
-Returns all public data about cryptokeys, including `privatekey`.
-
-#### PUT
-
-This method de/activates a key from `zone_name` specified by `cryptokey_id`.
-
-##### Parameters:
-
-* `active`: "true|false" `<value>`
-
-##### Responses:
-* `204 No Content`: The key with `cryptokey_id` is de/activated.
-* `422 Unprocessable Entity`:
- The backend returns false on de/activation. An error occurred.
- `{"error": "Could not de/activate Key: :cryptokey_id in Zone: :zone_name"}`
-
-#### DELETE
-
-This method deletes a key from `zone_name` specified by `cryptokey_id`.
-
-##### Responses:
-
-* `200 OK`: The Key is gone.
-* `422 Unprocessable Entity`:
- The backend failed to remove the key.
- `{"error": Could not DELETE :cryptokey_id"}`
-
-Data searching
-==============
-
-URL: /api/v1/servers/localhost/search-data?q=:search\_term&max=:max\_results
----------------------------------------------------------------------------
-
-**Note**: Authoritative only.
-
-Allowed methods: `GET`
-
-#### GET
-
-Search the data inside PowerDNS for :search\_term and return at most
-:max\_results. This includes zones, records and comments.
-The `*` character can be used in :search\_term as a wildcard character and the `?` character can be used as a wildcard for a single character.
-
-Response body is an array of one or more of the following objects:
-
-For a zone:
-
- {
- "name": "<zonename>",
- "object_type": "zone",
- "zone_id": "<zoneid>"
- }
-
-For a record:
-
- {
- "content": "<content>",
- "disabled": <bool>,
- "name": "<name>",
- "object_type": "record",
- "ttl": <ttl>,
- "type": "<type>",
- "zone": "<zonename>,
- "zone_id": "<zoneid>"
- }
-
-For a comment:
-
- {
- "object_type": "comment",
- "name": "<name>",
- "content": "<content>"
- "zone": "<zonename>,
- "zone_id": "<zoneid>"
- }
-
-Cache Access
-============
-
-**TODO**: Not yet implemented: Peek at the cache, clear the cache, possibly read cache?
-
-URL: /api/v1/servers/:server\_id/cache/flush?domain=:domain
---------------------------------------------
-
-Allowed methods: `PUT` (Execute)
-
-#### PUT (Execute)
-
-Flush the cache for a given domain name `:domain`. Response body:
-
- {
- "count": 10,
- "result": "Flushed cache."
- }
-
-Implementation detail: On Authoritative servers, this clears the packet cache.
-On Recursors, this clears the positive, negative and packet cache.
-
-
-Logging & Statistics
-====================
-
-URL: /api/v1/servers/:server\_id/search-log?q=:search\_term
------------------------------------------------------------
-
-Allowed methods: `GET` (Query)
-
-#### GET (Query)
-
-Query the log, filtered by `:search_term` (query parameter). Response body:
-
- [
- "<log_line>",
- ...
- ]
-
-URL: /api/v1/servers/:server\_id/statistics
--------------------------------------------
-
-Allowed methods: `GET` (Query)
-
-#### GET (Query)
-
-Query PowerDNS internal statistics. Response body:
-
- [
- {
- "type": "StatisticItem",
- "name": "<name>",
- "value": "<value>"
- },
- ...
- ]
-
-The statistic entries are dependent on the daemon type.
-Values are returned as strings.
-
-
-URL: /api/v1/servers/:server\_id/trace
---------------------------------------
-
-**TODO**: Not yet implemented.
-
-#### PUT (Configure)
-
-Configure query tracing.
-
-Client body:
-
- {
- "domains": "<regex_string>"
- }
-
-Set `domains` to `null` to turn off tracing.
-
-#### GET (Query)
-
-Retrieve query tracing log and current config. Response body:
-
- {
- "domains": "<Regex>",
- log: [
- "<log_line>",
- ...
- ]
- }
-
-
-URL: /api/v1/servers/:server\_id/failures
------------------------------------------
-
-**TODO**: Not yet implemented.
-
-#### PUT
-
-Configure query failure logging.
-
-Client body:
-
- {
- "top-domains": <int>,
- "domains": "<Regex>",
- }
-
-##### Parameters:
-
-`top-domains` are the number of top resolved domains that are
-automatically monitored for failures.
-
-`domains` is a Regex of domains that are additionally monitored for
-resolve failures.
-
-
-#### GET
-
-Retrieve query failure logging and current config.
-
-Response body:
-
- {
- "top-domains": <int>,
- "domains": "<Regex>",
- "log": [
- {
- "first_occurred": <timestamp>,
- "domain": "<full domain>",
- "qtype": "<qtype>",
- "failure": <failure_code>,
- "failed_parent": "<full parent domain>",
- "details": "<log message>",
- "queried_servers": [
- {
- "name": <name>,
- "address": <address>
- }, ...
- ]
- },
- ...
- ]
- }
-
-##### Parameters:
-
-`failed_parent` is generally OPTIONAL.
-
-Where `<failure_code>` is one of these:
-
- + `dnssec-validation-failed`
-
- DNSSEC Validation failed for this domain.
-
- + `dnssec-parent-validation-failed`
-
- DNSSEC Validation failed for one of the parent domains. Response
- MUST contain failed\_parent.
-
- + `nxdomain`
-
- This domain was not present on the authoritative nameservers.
-
- + `nodata`
- + `all-servers-unreachable`
-
- All auth nameservers that have been tried did not respond.
-
- + `parent-unresolvable`
-
- Response MUST contain `failed_parent`.
-
- + `refused`
-
- All auth nameservers that have been tried responded with REFUSED.
-
- + `servfail`
-
- All auth nameservers that have been tried responded with SERVFAIL.
-
- + **TODO**: further failures
-
-Data Overrides
-==============
-
-**TODO**: Not yet implemented.
-
-override\_type
---------------
-
-`created` is filled by the Server.
-
-
- {
- "type": "Override",
- "id": <int>,
- "override": "ignore-dnssec",
- "domain": "nl",
- "until": <timestamp>,
- "created": <timestamp>
- }
-
-
- {
- "type": "Override",
- "id": <int>,
- "override": "replace",
- "domain": "www.cnn.com.",
- "rrtype": "AAAA",
- "values": ["203.0.113.4", "203.0.113..2"],
- "until": <timestamp>,
- "created": <timestamp>
- }
-
-**TODO**: what about validation here?
-
- {
- "type": "Override",
- "id": <int>,
- "override": "purge",
- "domain": "example.net.",
- "created": <timestamp>
- }
-
-Clears recursively all cached data ("plain" DNS + DNSSEC)
-
-**TODO**: should this be stored? (for history)
-
-URL: /api/v1/servers/:server\_id/overrides
-------------------------------------------
-
-**TODO**: Not yet implemented.
-
-Collection access.
-
-Allowed Methods: `GET`, `POST`
-
-URL: /api/v1/servers/:server\_id/overrides/:override\_id
---------------------------------------------------------
-
-**TODO**: Not yet implemented.
-
-Allowed methods: `GET`, `PUT`, `DELETE`
+++ /dev/null
-
-Features that should be doable using the API
-============================================
-
-New Console Features
---------------------
-
-* RBAC
-* User Management
-* Audit Trail, light Edition
-* Cache Viewing
-* Versioning / Rollback
- * for Zone data?
-* pcap capture triggering (-> pdnsmgr)
-* Zone (de)provisioning
- * with DNSSEC
-* Improved Graphite
-
-DNSSEC Console for Recursor
----------------------------
-
-* recent failures (not just DNSSEC)
-* trigger live logging (e.g. for “*.nl”)
-* DNSSEC partial blanking (“don’t check *.gov”)
-* DNSSEC temporary blanking (“not for next 24h”)
-
-Meta Features enabled by pdnsmgrd
----------------------------------
-
-* start
-* stop
-* upgrade
-* restart
- * TODO: can/should we do this inproc?
-* *pcap*
- * TODO: How will this work?
- * Should this happen in-daemon?
-
+++ /dev/null
-Everything open for discussion.
-
-TODO:
-
- * Everything marked as **TODO**
- * Finish data management (tsigkeys, …)
- * Incorporate applicable ideas from http://mailman.powerdns.com/pipermail/pdns-users/2013-February/009613.html
-
-Big Picture
-===========
-
-* HTTP with SSL in-process in Auth & Recursor
-* JSON API
- * make it really great for us and other consumers
- * “unified” API across Daemons and Console
-* pdnsmgrd
- * cease to do SSL proxying
- * become completely optional component
- * only for “meta” features
-* Console
- * get rid of all the API hacks
- * new features as detailed below
-* CLI tool
- * should talk to daemons and Console (if there)
-* “Pure” OOTB install
- * miniature single page js app for users not installing pdnscontrol
-
-“Secondary” goals
-=================
-
-* keep everything lean
-* minimal intrusions into existing code
+++ /dev/null
-> It is a book about a Spanish guy called Manual. You should read it.
->
-> -- Dilbert
-
-# PowerDNS Nameserver
-There are two PowerDNS nameserver products: the [Authoritative Server](authoritative/index.md) and the [Recursor](recursor/index.md). While most other nameservers fully combine these functions, PowerDNS offers them separately, but can mix both authoritative and recursive usage seamlessly.
-The Authoritative Server will answer questions about domains it knows about, but will not go out on the net to resolve queries about other domains. However, it can use a recursing backend to provide that functionality. Depending on your needs, this backend can either be the PowerDNS recursor or an external one.
-When the Authoritative Server answers a question, it comes out of the database, and can be trusted as being authoritative. There is no way to pollute the cache or to confuse the daemon.
-
-The Recursor, conversely, by default has no knowledge of domains itself, but will always consult other authoritative servers to answer questions given to it.
-
-PowerDNS has been designed to serve both the needs of small installations by
-being easy to setup, as well as for serving very large query volumes on
-large numbers of domains. Additionally, through use of clever programming
-techniques, PowerDNS offers very high domain resolution performance.
-
-Another prime goal is security. By the use of language features, the PowerDNS
-source code is reasonably small which makes auditing easy. In the same way,
-library features have been used to mitigate the risks of buffer overflows.
-
-Finally, PowerDNS is able to give a lot of statistics on its operation which
-is both helpful in determining the scalability of an installation as well as
-for spotting problems.
-
-# Getting help
-There are several ways of getting help:
-
-* [The pretty .com website](https://www.powerdns.com) for commercial support
-* This documentation => [Getting support](common/support.md)
-* [The mailing lists](https://www.powerdns.com/mailing-lists.html)
-* \#powerdns on [irc.oftc.net](irc://irc.oftc.net/#powerdns)
-
-# About this document
-If you are reading this document from disk, you may want to check <http://doc.powerdns.com> for updates.
-
-To add to the PowerDNS documentation, or to fix mistakes, head to [Documentation details](appendix/documentation.md).
+++ /dev/null
-#!/usr/bin/env python
-
-"""
-Pandoc filter to process code blocks with class "include" and
-replace their content with the included file
-"""
-
-from pandocfilters import toJSONFilter, CodeBlock
-
-
-def code_include(key, value, format, meta):
- if key == 'CodeBlock':
- [[ident, classes, namevals], code] = value
- if code.startswith('!!include='):
- source_file = code.split('=')[1]
- with open(source_file, 'rb') as content_file:
- content = content_file.read()
- content.decode('utf-8')
- return CodeBlock([ident, classes, namevals], content)
-
-if __name__ == "__main__":
- toJSONFilter(code_include)
+++ /dev/null
-# DNS64 support in the PowerDNS Recursor
-DNS64, described in [RFC 6147](https://tools.ietf.org/html/rfc6147) is a technology
-to allow IPv6-only clients to receive special IPv6 addresses that are proxied to
-IPv4 addresses. This proxy service is then called NAT64.
-
-So, as an example, let's say an IPv6 only client would want to connect to
-`www.example.com`, it would request the AAAA records for that name. However, if
-`example.com` does not actually have an IPv6 address, what we do is 'fake up' an
-IPv6 address. We do this by retrieving the A records for `www.example.com`, and
-translating them to AAAA records. Elsewhere, a NAT64 device listens on these IPv6
-addresses, and extracts the IPv4 address from each packet, and proxies it on.
-
-For maximum flexibility, DNS64 support is included in the [Lua scripting engine](scripting.md).
-This allows for example to hand out custom IPv6 gateway ranges depending on the
-location of the requestor, enabling the use of NAT64 services close to the user.
-
-
-Apart from faking AAAA records, it is also possible to also generate the
-associated PTR records. This makes sure that reverse lookup of DNS64-generated
-IPv6 addresses generate the right name. The procedure is similar, a request for
-an IPv6 PTR is converted into one for the corresponding IPv4 address.
-
-To setup DNS64, with both forward and reverse records, create the following Lua
-script and save it to a file called `dns64.lua`
-
-```
-!!include=../pdns/recursordist/contrib/dns64.lua
-```
-
-Where fe80::21b::77ff:0:0 is your "Pref64" translation prefix and the "ip6.arpa"
-string is the reversed form of this Pref64 address. Now ensure your script gets
-loaded by specifying it with [`lua-dns-script=dns64.lua`](#settings.md#lua-dns-script).
-
-To enhance DNS64, see the [Lua scripting](scripting.md) documentation.
+++ /dev/null
-# DNSSEC in the PowerDNS Recursor
-As of 4.0.0, the PowerDNS Recursor has support for DNSSEC processing and
-experimental support for DNSSEC validation.
-
-# DNSSEC settings
-The PowerDNS Recursor has 5 different levels of DNSSEC processing, which can be
-set with the [`dnssec`](settings.md#dnssec) setting in the `recursor.conf`. In
-order from least to most processing, these are:
-
-## `off`
-In this mode, **no** DNSSEC processing takes place. The PowerDNS Recursor will
-not set the DNSSEC OK (DO) bit in the outgoing queries and will ignore the DO and
-AD bits in queries. In this mode, the behaviour is equal to the PowerDNS Recursor
-3.X.
-
-## `process-no-validate`
-The default mode. In this mode the Recursor acts as a "security aware, non-validating"
-nameserver, meaning it will set the DO-bit on outgoing queries and will provide
-DNSSEC related RRsets (NSEC, RRSIG) to clients that ask for them (by means of a
-DO-bit in the query), except for zones provided through the `auth-zones` setting.
-It will not do any validation in this mode, not even when requested by the client.
-
-## `process`
-When `dnssec` is set to `process` the behaviour is similar to [`process-no-validate`](#process-no-validate).
-However, the recursor will try to validate the data if at least one of the DO or AD bits is set in the query; in that case, it will set the AD-bit in the response when the data is validated successfully, or send SERVFAIL when the validation comes up bogus.
-
-**Note:** in 4.0.0, only the AD-bit was considered when determining whether to validate.
-This lead to interoperability issues with older client software.
-From 4.0.1-onward, the DO-bit is also taken into account when determining whether to validate.
-
-## `log-fail`
-In this mode, the recursor will attempt to validate all data it retrieves from
-authoritative servers, regardless of the client's DNSSEC desires, and will log the
-validation result. This mode can be used to determine the extra load and amount
-of possibly bogus answers before turning on full-blown validation. Responses to
-client queries are the same as with `process`.
-
-## `validate`
-The highest mode of DNSSEC processing. In this mode, all queries will be be validated
-and will be answered with a SERVFAIL in case of bogus data, regardless of the
-client's request.
-
-## What, when?
-The descriptions above are a bit terse, here's a table describing different scenarios
-with regards to the `dnssec` mode.
-
-| | `off` | `process-no-validate` | `process` | `log-fail` | `validate` |
-|:------------|:-------|:-------------|:-------------|:-------------|:-------------|
-|Perform validation| No | No | Only on +AD or +DO from client | Always (logs result) | Always |
-|SERVFAIL on bogus| No | No | Only on +AD or +DO from client | Only on +AD or +DO from client | Always |
-|AD in response on authenticated data| Never | Never | Only on +AD or +DO from client | Only on +AD or +DO from client | Only on +AD or +DO from client |
-|RRSIGs/NSECs in answer on +DO from client| No | Yes | Yes | Yes | Yes |
-
-**Note**: the `dig` tool sets the AD-bit in the query. This might lead to unexpected
-query results when testing. Set `+noad` on the `dig` commandline when this is the
-case.
-
-# Trust Anchor Management
-In the PowerDNS Recursor, both positive and negative trust anchors can be configured
-during startup (from a persistent configuration file) and at runtime (which is
-volatile).
-However, all trust anchors are configurable.
-
-## Trust Anchors
-The PowerDNS Recursor ships with the DNSSEC Root key built-in. **Note**: is has
-no support yet for [RFC 5011](https://tools.ietf.org/html/rfc5011) key rollover
-and does not persist a changed root trust anchor to disk.
-
-Configuring DNSSEC key material must be done in the [`lua-config-file`](settings.md#lua-config-file),
-using `addDS`. This function takes 2 arguments, the node in the DNS-tree and the
-data of the corresponding DS record. To e.g. add a trust anchor for the root and
-powerdns.com, use the following config in the Lua file:
-
-```lua
-addDS('.', "63149 13 1 a59da3f5c1b97fcd5fa2b3b2b0ac91d38a60d33a") -- This is not an ICANN root
-addDS('powerdns.com', "44030 8 2 D4C3D5552B8679FAEEBC317E5F048B614B2E5F607DC57F1553182D49 AB2179F7")
-```
-
-Now (re)start the recursor to load these trust anchors.
-
-### Runtime Configuration of Trust Anchors
-To change or add trust anchors at runtime, use the [`rec_control`](running.md)
-tool. These runtime settings are not saved to disk. To make them permanent, they
-should be added to the `lua-config-file` as described above.
-
-Adding a trust anchor is done with the `add-ta` command:
-
-```
-$ rec_control add-ta domain.example 63149 13 1 a59da3f5c1b97fcd5fa2b3b2b0ac91d38a60d33a
-Added Trust Anchor for domain.example. with data 63149 13 1 a59da3f5c1b97fcd5fa2b3b2b0ac91d38a60d33a
-```
-
-To view the currently configured trust anchors, run `get-tas`:
-
-```
-$ rec_control get-tas
-Configured Trust Anchors:
-. 63149 13 1 a59da3f5c1b97fcd5fa2b3b2b0ac91d38a60d33a
-net. 2574 13 1 a5c5acb889a7ba9b5aa5bef2b0ac9fe1565ddaab
-```
-
-To remove a trust anchor, run `clear-ta`:
-
-```
-$ rec_control clear-ta domain.example
-Removed Trust Anchor for subdomain.example
-```
-
-**Note**: The root trust anchor cannot be removed in this manner.
-
-## Negative Trust Anchors
-Negative trust anchors (defined in [RFC 7646](https://tools.ietf.org/html/rfc7646)
-can be used to temporarily disable DNSSEC validation for a part of the DNS-tree.
-This can be done when e.g. a TLD or high-traffic zone goes bogus. Note that it is
-good practice to verify that this is indeed the case and not because of malicious
-actions.
-
-To configure a negative trust anchor, use the `addNTA()` function in the
-[`lua-config-file`](settings.md#lua-config-file) and restart the recursor. This
-function requires the name of the zone and an optional reason:
-
-```lua
-addNTA('example.', "Someone messed up the delegation")
-addNTA('powerdns.com') -- No reason given
-```
-
-### Runtime Configuration of Negative Trust Anchors
-The [`rec_control`](running.md) command can be used to manage the negative trust
-anchors of a running instance. These runtime settings are lost when restarting
-the recursor, more permanent NTAs should be added to the `lua-config-file` with
-`addNTA()`.
-
-Adding a negative trust anchor is done with the `add-nta` command (that optionally
-accepts a reason):
-
-```
-$ rec_control add-nta domain.example botched keyroll
-Added Negative Trust Anchor for domain.example. with reason 'botched keyroll'
-```
-
-To view the currently configured negative trust anchors, run `get-ntas`:
-
-```
-$ rec_control get-ntas
-Configured Negative Trust Anchors:
-subdomain.example. Operator failed key-roll
-otherdomain.example. DS in parent, no DNSKEY in zone
-```
-
-To remove negative trust anchor(s), run `clear-nta`:
-
-```
-$ rec_control clear-nta subdomain.example
-Removed Negative Trust Anchors for subdomain.example
-```
-
-`clear-nta` accepts multiple domain-names and accepts '*' (beware the shell quoting)
-to remove all negative trust anchors.
+++ /dev/null
-# PowerDNS Recursor
-The PowerDNS recursor is part of the source tarball of the main PowerDNS distribution, but it is released separately. It is known to power the resolving needs of over 150 million internet connections.
-
-The documentation is only for the 4.0 series, users of older versions are urged to upgrade!
-
-**Note**: [Improved documentation](/recursor) for the master version, the upcoming 4.1 release and the 4.0 is available.
-
-## Notable features:
-- Uses [MTasker](http://ds9a.nl/mtasker)
-- Can handle tens of thousands of concurrent questions. A quad Xeon 3GHz has been measured functioning very well at 400000 real life replayed packets per second.
-- Powered by a highly modern DNS packet parser that should be resistant against many forms of buffer overflows.
-- Best spoofing protection that we know about, involving both source port randomisation and spoofing detection.
-- Uses 'connected' UDP sockets which allow the recursor to react quickly to unreachable hosts or hosts for which the server is running, but the nameserver is down. This makes the recursor faster to respond in case of misconfigured domains, which are sadly very frequent.
-- Special support for FreeBSD, Linux and Solaris stateful multiplexing (kqueue, epoll, completion ports, /dev/poll).
-- Very fast, and contains innovative query-throttling code to save time talking to obsolete or broken nameservers.
-- Code is written linearly, sequentially, which means that there are no problems with 'query restart' or anything.
-- Relies heavily on Standard C++ Library infrastructure, which makes for little code.
-- Is very verbose in showing how recursion actually works, when enabled to do so with --verbose.
-- The algorithm is simple and quite nifty.
-
-The PowerDNS recursor is controlled and queried using the `rec_control` tool.
-
-## Configuration
-At startup, the recursing nameserver reads the file `recursor.conf` from the configuration directory, often `/etc/powerdns` or `/usr/local/etc`. Each setting can appear on the command line, prefixed by '--', or in the configuration file. The command line overrides the configuration file.
-
-A switch can be set to on simply by passing it, like '--daemon', and turned off explicitly by '--daemon=off' or '--daemon=no'.
-
-All settings can be found [here](settings.md)
-
-# `pdns_recursor` command line
-All configuration settings from the previous section can also be passed on the command line, and will override the configuration file. In addition, the following options make sense on the command line:
-
-* --config: Emit a default configuration file.
-* --help: Output all configuration settings and command line flags.
+++ /dev/null
-# Design and Engineering of the PowerDNS Recursor
-**Warning**: This section is aimed at programmers wanting to contribute to the recursor, or to help fix bugs. It is not required reading for a PowerDNS operator, although it might prove interesting.
-
-The PowerDNS Recursor consists of very little code, the core DNS logic is less than a thousand lines.
-
-This smallness is achieved through the use of some fine infrastructure: MTasker, MOADNSParser, MPlexer and the C++ Standard Library/Boost. This page will explain the conceptual relation between these components, and the route of a packet through the program.
-
-# The PowerDNS Recursor
-
-The Recursor started out as a tiny project, mostly a technology demonstration. These days it consists of the core plus 9000 lines of features. This combined with a need for very high performance has made the recursor code less accessible than it was. The page you are reading hopes to rectify this situation.
-
-# Synchronous code using MTasker
-
-The original name of the program was **syncres**, which is still reflected in the file name `syncres.cc`, and the class SyncRes. This means that PowerDNS is written naively, with one thread of execution per query, synchronously waiting for packets, Normally this would lead to very bad performance (unless running on a computer with very fast threading, like possibly the Sun CoolThreads family), so PowerDNS employs [MTasker](http://ds9a.nl/mtasker) for very fast userspace threading.
-
-MTasker, which was developed separately from PowerDNS, does not provide a full multithreading system but restricts itself to those features a nameserver needs. It offers cooperative multitasking, which means there is no forced preemption of threads. This in turn means that no two **MThreads** ever really run at the same time.
-
-This is both good and bad, but mostly good. It means PowerDNS does not have to think about locking. No two threads will ever be talking to the DNS cache at the same time, for example.
-
-It also means that the recursor could block if any operation takes too long.
-
-The core interaction with MTasker are the waitEvent() and sendEvent() functions. These pass around PacketID objects. Everything PowerDNS needs to wait for is described by a PacketID event, so the name is a bit misleading. Waiting for a TCP socket to have data available is also passed via a PacketID, for example.
-
-The version of MTasker in PowerDNS is newer than that described at the MTasker site, with a vital difference being that the waitEvent() structure passes along a copy of the exact PacketID sendEvent() transmitted. Furthermore, threads can trawl through the list of events being waited for and modify the respective PacketIDs. This is used for example with **near miss** packets: packets that appear to answer questions we asked, but differ in the DNS id. On seeing such a packet, the recursor trawls through all PacketIDs and if it finds any nearmisses, it updates the PacketID::nearMisses counter. The actual PacketID thus lives inside MTasker while any thread is waiting for it.
-
-# MPlexer
-
-The Recursor uses a separate socket per outgoing query. This has the important benefit of making spoofing 64000 times harder, and additionally means that ICMP errors are reported back to the program. In measurements this appears to happen to one in ten queries, which would otherwise take a two-second timeout before PowerDNS moves on to another nameserver.
-
-However, this means that the program routinely needs to wait on hundreds or even thousands of sockets. Different operating systems offer various ways to monitor the state of sockets or more generally, file descriptors. To abstract out the differing strategies (`select`, `epoll`, `kqueue`, `completion ports`), PowerDNS contains **MPlexer** classes, all of which descend from the FDMultiplexer class.
-
-This class is very simple and offers only five important methods: addReadFD(), addWriteFD(), removeReadFD(), removeWriteFD() and run.
-
-The arguments to the **add** functions consist of an fd, a callback, and a boost::any variable that is passed as a reference to the callback.
-
-This might remind you of the MTasker above, and it is indeed the same trick: state is stored within the MPlexer. As long as a file descriptor remains within either the Read or Write active list, its state will remain stored.
-
-On arrival of a packet (or more generally, when an FD becomes readable or writable, which for example might mean a new TCP connection), the callback is called with the aforementioned reference to its parameter.
-
-The callback is free to call removeReadFD() or removeWriteFD() to remove itself from the active list.
-
-PowerDNS defines such callbacks as newUDPQuestion(), newTCPConnection(), handleRunningTCPConnection().
-
-Finally, the run() method needs to be called whenever the program is ready for new data. This happens in the main loop in pdns\_recursor.cc. This loop is what MTasker refers to as **the kernel**. In this loop, any packets or other MPlexer events get translated either into new MThreads within MTasker, or into calls to sendEvent(), which in turn wakes up other MThreads.
-
-# MOADNSParser
-
-Yes, this does stand for **the Mother of All DNS Parsers**. And even that name does not do it justice! The MOADNSParser is the third attempt I've made at writing DNS packet parser and after two miserable failures, I think I've finally gotten it right.
-
-Writing and parsing DNS packets, and the DNS records it contains, consists of four things:
-
-1. Parsing a DNS record (from packet) into memory
-2. Generating a DNS record from memory (to packet)
-3. Writing out memory to user-readable zone format
-4. Reading said zone format into memory
-
-This gets tedious very quickly, as one needs to implement all four operations for each new record type, and there are dozens of them.
-
-While writing the MOADNSParser, it was discovered there is a remarkable symmetry between these four transitions. DNS Records are nearly always laid out in the same order in memory as in their zone format representation. And reading is nothing but inverse writing.
-
-So, the MOADNSParser is built around the notion of a **Conversion**, and we write all Conversion types once. So we have a Conversion from IP address in memory to an IP address in a DNS packet, and vice versa. And we have a Conversion from an IP address in zone format to memory, and vice versa.
-
-This in turn means that the entire implementation of the ARecordContent is as follows (wait for it!)
-
-```
-conv.xfrIP(d_ip);
-```
-
-Through the use of the magic called `c++ Templates`, this one line does everything needed to perform the four operations mentioned above.
-
-At one point, I got really obsessed with PowerDNS memory use. So, how do we store DNS data in the PowerDNS recursor? I mentioned **memory** above a lot - this means we could just store the DNSRecordContent objects. However, this would be wasteful.
-
-For example, storing the following:
-
-```
-www.example.org 3600 IN CNAME outpost.example.org.
-```
-
-Would duplicate a lot of data. So, what is actually stored is a partial DNS packet. To store the CNAMEDNSRecordContent that corresponds to the above, we generate a DNS packet that has **www.example.org IN CNAME** as its question. Then we add **3600 IN CNAME outpost.example.org**. as its answer. Then we chop off the question part, and store the rest in the **www.example.org IN CNAME** key in our cache.
-
-When we need to retrieve **www.example.org IN CNAME**, the inverse happens. We find the proper partial packet, prefix it with a question for **www.example.org IN CNAME**, and expand the resulting packet into the answer **3600 IN CNAME outpost.example.org.**.
-
-Why do we go through all these motions? Because of DNS compression, which allows us to omit the whole **.example.org.** part, saving us 9 bytes. This is amplified when storing multiple MX records which all look more or less alike. This optimization is not performed yet though.
-
-Even without compression, it makes sense as all records are automatically stored very compactly.
-
-The PowerDNS recursor only parses a number of **well known record types** and passes all other information across verbatim - it doesn't have to know about the content it is serving.
-
-# The C++ Standard Library / Boost
-C++ is a powerful language. Perhaps a bit too powerful at times, you can turn a program into a real freakshow if you so desire.
-
-PowerDNS generally tries not to go overboard in this respect, but we do build upon a very advanced part of the [Boost](http://www.boost.org) C++ library: [boost::multi index container](http://boost.org/libs/multi_index/doc/index.html).
-
-This container provides the equivalent of SQL indexes on multiple keys. It also implements compound keys, which PowerDNS uses as well.
-
-The main DNS cache is implemented as a multi index container object, with a compound key on the name and type of a record. Furthermore, the cache is sequenced, each time a record is accessed it is moved to the end of the list. When cleanup is performed, we start at the beginning. New records also get inserted at the end. For DNS correctness, the sort order of the cache is case insensitive.
-
-The multi index container appears in other parts of PowerDNS, and MTasker as well.
-
-# Actual DNS Algorithm
-The DNS RFCs do define the DNS algorithm, but you can't actually implement it exactly that way, it was written in 1987.
-
-Also, like what happened to HTML, it is expected that even non-standards conforming domains work, and a sizable fraction of them is misconfigured these days.
-
-Everything begins with SyncRes::beginResolve(), which knows nothing about sockets, and needs to be passed a domain name, dns type and dns class which we are interested in. It returns a vector of DNSResourceRecord objects, ready for writing either into an answer packet, or for internal use.
-
-After checking if the query is for any of the hardcoded domains (localhost, version.bind, id.server), the query is passed to SyncRes::doResolve, together with two vital parameters: the `depth` and `beenthere` set. As the word **recursor** implies, we will need to recurse for answers. The **depth** parameter documents how deep we've recursed already.
-
-The `beenthere` set prevents loops. At each step, when a nameserver is queried, it is added to the `beenthere` set. No nameserver in the set will ever be queried again for the same question in the recursion process - we know for a fact it won't help us further. This prevents the process from getting stuck in loops.
-
-SyncRes::doResolve first checks if there is a CNAME in cache, using SyncRes::doCNAMECacheCheck, for the domain name and type queried and if so, changes the query (which is passed by reference) to the domain the CNAME points to. This is the cause of many DNS problems, a CNAME record really means **start over with this query**.
-
-This is followed by a call do SyncRes::doCacheCheck, which consults the cache for a straight answer to the question (as possibly rerouted by a CNAME). This function also consults the so called negative cache, but we won't go into that just yet.
-
-If this function finds the correct answer, and the answer hasn't expired yet, it gets returned and we are (almost) done. This happens in 80 to 90% of all queries. Which is good, as what follows is a lot of work.
-
-To recap:
-
-1. beginResolve() - entry point, does checks for hardcoded domains
-2. doResolve() - start of recursion process, gets passed `depth` of 0 and empty `beenthere` set
-3. doCNAMECacheCheck() - check if there is a CNAME in cache which would reroute the query
-4. doCacheCheck() - see if cache contains straight answer to possibly rerouted query.
-
-If the data we were queried for was in the cache, we are almost done. One final step, which might as well be optional as nobody benefits from it, is SyncRes::addCruft. This function does additional processing, which means that if the query was for the MX record of a domain, we also add the IP address of the mail exchanger.
-
-## The non-cached case
-This is where things get interesting, because we start out with a nearly empty cache and have to go out to the net to get answers to fill it.
-
-The way DNS works, if you don't know the answer to a question, you find somebody who does. Initially you have no other place to go than the root servers. This is embodied in the SyncRes::getBestNSNamesFromCache method, which gets passed the domain we are interested in, as well as the `depth` and `beenthere` parameters mentioned earlier.
-
-From now on, assume our query will be for **`www.powerdns.com.`**. SyncRes::getBestNSNamesFromCache will first check if there are NS records in cache for `www.powerdns.com.`, but there won't be. It then checks `powerdns.com. NS`, and while these records do exist on the internet, the recursor doesn't know about them yet. So, we go on to check the cache for `com. NS`, for which the same holds. Finally we end up checking for `. NS`, and these we do know about: they are the root servers and were loaded into PowerDNS on startup.
-
-So, SyncRes::getBestNSNamesFromCache fills out a set with the **names** of nameservers it knows about for the **`.`** zone.
-
-This set, together with the original query **`www.powerdns.com`** gets passed to SyncRes::doResolveAt. This function can't yet go to work immediately though, it only knows the names of nameservers it can try. This is like asking for directions and instead of hearing **take the third right** you are told **go to 123 Fifth Avenue, and take a right** - the answer doesn't help you further unless you know where 123 Fifth Avenue is.
-
-SyncRes::doResolveAt first shuffles the nameservers both randomly and on performance order. If it knows a nameserver was fast in the past, it will get queried first. More about this later.
-
-Ok, here is the part where things get a bit scary. How does SyncRes::doResolveAt find the IP address of a nameserver? Well, by calling SyncRes::getAs (**get A records**), which in turn calls.. SyncRes::doResolve. Hang on! That's where we came from! Massive potential for loops here. Well, it turns out that for any domain which can be resolved, this loop terminates. We do pass the `beenthere` set again, which makes sure we don't keep on asking the same questions to the same nameservers.
-
-Ok, SyncRes::getAs will give us the IP addresses of the chosen root-server, because these IP addresses were loaded on startup. We then ask these IP addresses (nameservers can have several) for its best answer for **`www.powerdns.com.`**. This is done using the LWRes class and specifically LWRes::asyncresolve, which gets passed domain name, type and IP address. This function interacts with MTasker and MPlexer above in ways which needn't concern us now. When it returns, the LWRes object contains the best answers the queried server had for our domain, which in this case means it tells us about the nameservers of `com.`, and their IP addresses.
-
-All the relevant answers it gives are stored in the cache (or actually, merged), after which SyncRes::doResolveAt (which we are still in) evaluates what to do now.
-
-There are 6 options:
-
-1. The final answer is in, we are done, return to SyncRes::doResolve and SyncRes::beginResolve
-2. The nameserver we queried tells us the domain we asked for authoritatively does not exist. In case of the root-servers, this happens when we query for *`www.powerdns.kom.`* for example, there is no *`kom.`*. Return to SyncRes::beginResolve, we are done.
-3. A lesser form - it tells us it is authoritative for the query we asked about, but there is no record matching our type. This happens when querying for the IPv6 address of a host which only has an IPv4 address. Return to SyncRes::beginResolve, we are done.
-4. The nameserver passed us a CNAME to another domain, and we need to reroute. Go to SyncRes::doResolve for the new domain.
-5. The nameserver did not know about the domain, but does know who does, a *referral*. Stay within doResolveAt and loop to these new nameservers.
-6. The nameserver replied saying *no idea*. This is called a *lame delegation*. Stay within SyncRes::doResolveAt and try the other nameservers we have for this domain.
-
-When not redirected using a CNAME, this function will loop until it has exhausted all nameservers and all their IP addresses. DNS is surprisingly resilient that there is often only a single non-broken nameserver left to answer queries, and we need to be prepared for that.
-
-This is the whole DNS algorithm in PowerDNS, all in less than 700 lines of code. It contains a lot of tricky bits though, related to the cache.
-
-# Some of the things we glossed over
-Whenever a packet is sent to a remote nameserver, the response time is stored in the SyncRes::s\_nsSpeeds map, using an exponentially weighted moving average. This EWMA averages out different response times, and also makes them decrease over time. This means that a nameserver that hasn't been queried recently gradually becomes **faster** in the eyes of PowerDNS, giving it a chance again.
-
-A timeout is accounted as a 1s response time, which should take that server out of the running for a while.
-
-Furthermore, queries are throttled. This means that each query to a nameserver that has failed is accounted in the `s_throttle` object. Before performing a new query, the query and the nameserver are looked up via shouldThrottle. If so, the query is assumed to have failed without even being performed. This saves a lot of network traffic and makes PowerDNS quick to respond to lame servers.
-
-It also offers a modicum of protection against birthday attack powered spoofing attempts, as PowerDNS will not inundate a broken server with queries.
-
-The negative query cache we mentioned earlier caches the cases 2 and 3 in the enumeration above. This data needs to be stored separately, as it represents **non-data**. Each negcache query entry is the name of the SOA record that was presented with the evidence of non-existence. This SOA record is then retrieved from the regular cache, but with the TTL that originally came with the NXDOMAIN (case 2) or NXRRSET (case 3).
-
-# The Recursor Cache
-As mentioned before, the cache stores partial packets. It also stores not the **Time To Live** of records, but in fact the **Time To Die**. If the cache contains data, but it is expired, that data should not be deemed present. This bit of PowerDNS has proven tricky, leading to deadlocks in the past.
-
-There are some other very tricky things to deal with. For example, through a process called **more details**, a domain might have more nameservers than listed in its parent zone. So, there might only be two nameservers for `powerdns.com.` in the **`com.`** zone, but the **`powerdns.com`** zone might list more.
-
-This means that the cache should not, when talking to the **`com.`** servers later on, overwrite these four nameservers with only the two copies the **`com.`** servers pass us.
-
-However, in other cases (like for example for SOA and CNAME records), new data should overwrite old data.
-
-Note that PowerDNS deviates from RFC 2181 (section 5.4.1) in this respect.
-
-# Some small things
-The server-side part of PowerDNS (`pdns_recursor.cc`), which listens to queries by end-users, is fully IPv6 capable using the ComboAddress class. This class is in fact a union of a `struct sockaddr_in` and a `struct sockaddr_in6`. As long as the `sin_family` (or `sin6_family`) and `sin_port` members are in the same place, this works just fine, allowing us to pass a ComboAddress*, cast to a `sockaddr*` to the socket functions. For convenience, the ComboAddress also offers a length() method which can be used to indicate the length - either sizeof(sockaddr\_in) or sizeof(sockaddr\_in6).
-
-Access to the recursor is governed through the NetmaskGroup class, which internally contains Netmask, which in turn contain a ComboAddress.
+++ /dev/null
-# PowerDNS Recursor performance
-To get the best out of the PowerDNS recursor, which is important if you are doing thousands of queries per second, please consider the following.
-
-- A busy server may need hundreds of file descriptors on startup, and deals with spikes better if it has that many available later on. Linux by default restricts processes to 1024 file descriptors, which should suffice most of the time, but Solaris has a default limit of 256. This can be raised using the `ulimit` command or via the `LimitNOFILE` unit directive when `systemd` is used. FreeBSD has a default limit that is high enough for even very heavy duty use.
-- Limit the size of the caches to a sensible value. Cache hit rate does not improve meaningfully beyond 4 million `max-cache-entries` per thread, reducing the memory footprint reduces CPU cache misses. See below for more information about the various caches.
-- When deploying (large scale) IPv6, please be aware some Linux distributions leave IPv6 routing cache tables at very small default values. Please check and if necessary raise `sysctl net.ipv6.route.max\_size`.
-- For 3.2 and higher, set `threads` to your number of CPU cores (but values above 8 rarely improve performance). For older versions <3.2: If you need it, try `--fork`, this will fork the daemon into two halves, allowing it to benefit from a second CPU. This feature almost doubles performance, but is a bit of a hack.
-
- When running with several threads, you can either ask PowerDNS to start a special thread to dispatch the incoming queries to the workers by setting `pdns-distributes-queries` to true, or let the worker threads handle the incoming queries themselves. The dispatched thread enabled by `pdns-distributes-queries` tries to send the same queries to the same thread to maximize the cache-hit ratio, but it might become a bottleneck if the incoming queries rate is too high to be handled by a single thread.
- If `pdns-distributes-queries` is set to false and either `SO\_REUSEPORT` support is not available or the `reuseport` directive is set to false, all worker threads share the same listening sockets. This prevents a single thread from having to handle every incoming queries, but can lead to thundering herd issues where all threads are awoken at once when a query arrives. If `SO\_REUSEPORT` support is available and `reuseport` is set to true, separate listening sockets are opened for each worker thread and the query distributions is handled by the kernel, avoiding any thundering herd issue as well as preventing the distributor thread from becoming the bottleneck.
-
- From 4.1 onwards, the `cpu-map` parameter can be used to pin worker threads to specific CPUs, in order to keep caches as warm as possible and optimize memory access on NUMA systems.
-
-- For best PowerDNS Recursor performance, use a recent version of your operating system, since this generally offers the best event multiplexer implementation available (`kqueue`, `epoll`, `ports` or `/dev/poll`).
-- Compile using `g++ 4.1` or later. This compiler really does a good job on PowerDNS, much better than 3.4 or 4.0.
-- On AMD/Intel hardware, wherever possible, run a 64-bit binary. This delivers a nearly twofold performance increase. On UltraSPARC, there is no need to run with 64 bits.
-
-- Consider performing a 'profiled build' by building with `gprof` support enabled, running the recursor a bit then feed that info into the next build. This is good for a 20% performance boost in some cases.
-- When running with >3000 queries per second, and running Linux versions prior to 2.6.17 on some motherboards, your computer may spend an inordinate amount of time working around an ACPI bug for each call to gettimeofday. This is solved by rebooting with `clock=tsc` or upgrading to a 2.6.17 kernel.
-
- The above is relevant if dmesg shows **Using pmtmr for high-res timesource**
-
-- A Recursor under high load puts a severe stress on any stateful (connection tracking) firewall, so much so that the firewall may fail.
-
- Specifically, many Linux distributions run with a connection tracking firewall configured. For high load operation (thousands of queries/second), It is advised to either turn off iptables completely, or use the `NOTRACK` feature to make sure DNS traffic bypasses the connection tracking.
-
- Sample Linux command lines would be:
-
-```
-## IPv4
-iptables -t raw -I OUTPUT -p udp --dport 53 -j CT --notrack
-iptables -t raw -I OUTPUT -p udp --sport 53 -j CT --notrack
-iptables -t raw -I PREROUTING -p udp --dport 53 -j CT --notrack
-iptables -t raw -I PREROUTING -p udp --sport 53 -j CT --notrack
-iptables -I INPUT -p udp --dport 53 -j ACCEPT
-iptables -I INPUT -p udp --sport 53 -j ACCEPT
-iptables -I OUTPUT -p udp --dport 53 -j ACCEPT
-iptables -I OUTPUT -p udp --sport 53 -j ACCEPT
-
-## IPv6
-ip6tables -t raw -I OUTPUT -p udp --dport 53 -j CT --notrack
-ip6tables -t raw -I OUTPUT -p udp --sport 53 -j CT --notrack
-ip6tables -t raw -I PREROUTING -p udp --sport 53 -j CT --notrack
-ip6tables -t raw -I PREROUTING -p udp --dport 53 -j CT --notrack
-ip6tables -I INPUT -p udp --dport 53 -j ACCEPT
-ip6tables -I INPUT -p udp --sport 53 -j ACCEPT
-ip6tables -I OUTPUT -p udp --dport 53 -j ACCEPT
-ip6tables -I OUTPUT -p udp --sport 53 -j ACCEPT
-```
-
-
-When using FirewallD (Centos 7+ / RedHat 7+ / Fedora 21+) connection tracking can be disabled via direct rules.
-The settings can be made permanent by using the `--permanent` flag.
-```
-## IPv4
-firewall-cmd --direct --add-rule ipv4 raw OUTPUT 0 -p udp --dport 53 -j CT --notrack
-firewall-cmd --direct --add-rule ipv4 raw OUTPUT 0 -p udp --sport 53 -j CT --notrack
-firewall-cmd --direct --add-rule ipv4 raw PREROUTING 0 -p udp --dport 53 -j CT --notrack
-firewall-cmd --direct --add-rule ipv4 raw PREROUTING 0 -p udp --sport 53 -j CT --notrack
-firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p udp --dport 53 -j ACCEPT
-firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p udp --sport 53 -j ACCEPT
-firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -p udp --dport 53 -j ACCEPT
-firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -p udp --sport 53 -j ACCEPT
-
-## IPv6
-firewall-cmd --direct --add-rule ipv6 raw OUTPUT 0 -p udp --dport 53 -j CT --notrack
-firewall-cmd --direct --add-rule ipv6 raw OUTPUT 0 -p udp --sport 53 -j CT --notrack
-firewall-cmd --direct --add-rule ipv6 raw PREROUTING 0 -p udp --dport 53 -j CT --notrack
-firewall-cmd --direct --add-rule ipv6 raw PREROUTING 0 -p udp --sport 53 -j CT --notrack
-firewall-cmd --direct --add-rule ipv6 filter INPUT 0 -p udp --dport 53 -j ACCEPT
-firewall-cmd --direct --add-rule ipv6 filter INPUT 0 -p udp --sport 53 -j ACCEPT
-firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -p udp --dport 53 -j ACCEPT
-firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -p udp --sport 53 -j ACCEPT
-```
-
-
-Following the instructions above, you should be able to attain very high query rates.
-
-## Recursor Caches
-The PowerDNS Recursor contains a number of caches, or information stores:
-
-### Nameserver speeds cache
-The "NSSpeeds" cache contains the average latency to all remote authoritative servers.
-
-### Negative cache
-The "Negcache" contains all domains known not to exist, or record types not to exist for a domain.
-
-### Recursor Cache
-The Recursor Cache contains all DNS knowledge gathered over time.
-
-### Packet Cache
-The Packet Cache contains previous answers sent to clients. If a question comes in that matches a previous answer, this is sent back directly.
-
-The Packet Cache is consulted first, immediately after receiving a packet. This means that a high hitrate for the Packet Cache automatically lowers the cache hitrate of subsequent caches. This explains why releases 3.2 and beyond see dramatically lower DNS cache hitrates, since this is the first version with a Packet Cache.
+++ /dev/null
-# Controlling and querying the recursor
-To control and query the PowerDNS recursor, the tool `rec_control` is provided. This program talks to the recursor over the 'controlsocket', often stored in `/var/run`.
-
-As a sample command, try:
-
-```
-# rec_control ping
-pong
-```
-
-When not running as root, `--socket-dir=/tmp` might be appropriate.
-
-## `rec_control` commands
-dump-cache filename
-Dumps the entire cache to the filename mentioned. This file should not exist already, PowerDNS will refuse to overwrite it. While dumping, the recursor will not answer questions.
-
-### `current-queries`
-Show currently outstanding queries.
-
-### `dump-cache <filename>`
-Dump cache contents to the named file `filename`. Note that the file MUST NOT exist beforehand. \\
-Typical PowerDNS Recursors run multiple threads, therefore you'll see duplicate, different entries for the same domains. The negative cache is also dumped to the same file. The per-thread positive and negative cache dumps are separated with an appropriate comment.
-
-### `dump-edns[status] <filename>`
-Dump EDNS Status for remotes to the named file `filename`. Note that the file MUST NOT exist beforehand.
-
-### `dump-nsspeeds <filename>`
-Dump remote nameserver speed statistics to the named file `filename`. Note that the file MUST NOT exist beforehand. Again, statistics are kept per thread, and the dumps end up in the same file.
-
-### `get statistic`
-Retrieve a statistic. For items that can be queried, see below.
-
-### `get-all`
-Retrieve all statistics in one go. Available since version 3.2.
-
-### `get-parameter parameter1 [parameter2 ..]`
-Retrieve a configuration parameter. All parameters from the configuration and command line can be queried. Available since version 3.2.
-
-### `help`
-List all commands understood by your running `pdns_recursor` process.
-
-### `ping`
-Check if server is alive.
-
-### `quit`
-Request shutdown of the recursor.
-
-### `quit-nicely`
-Request a nice shutdown of the recursor.
-
-### `reload-acls`
-Reload access control lists.
-
-### `reload-lua-script [filename]`
-(Re-)Load Lua script. Note that loading a script fully replaces the one currently
-loaded.
-
-### `reload-lua-config [filename]`
-(Re-)Load the Lua configuration file.
-Note that *FILENAME* will be fully executed, any settings changed at runtime that are not modified in this file, will still be active.
-Also note that the process will block (not answering queries) when reloading, this might take a long time when an RPZ has to be transferred.
-
-### `reload-zones`
-Reload data about all authoritative and forward zones. The configuration file is also scanned to see if the **auth-domain**, **forward-domain** and **export-etc-hosts** statements have changed, and if so, these changes are incorporated.
-
-### `set-minimum-ttl value`
-Available since 3.6, this setting artificially raises all TTLs to be at least this long. While this is a gross hack, and violates RFCs, under conditions of DoS, it may enable you to continue serving your customers. Corresponds to the configuration file setting 'minimum-ttl-override'.
-
-### `set-carbon-server server ourname`
-Set a Carbon server for telemetry purposes. The parameter `server` corresponds to the configuration setting **carbon-server**, and `ourname` corresponds to **carbon-ourname**.
-
-### `top-remotes`
-Shows the top-20 most active remote hosts. Statistics are over the last **stats-ringbuffer-entries** queries.
-
-### `trace-regex regex`
-Available since 3.5.
-
-Queries matching this regular expression will generate voluminous tracing output. Be aware that matches from the packet cache will still not generate tracing. To unset the regex, pass `trace-regex` without a new regex.
-
-The regular expression is matched against domain queries terminated with a `.`. So, for example the regex `powerdns\.com$` will not match a query for `www.powerdns.com`, since the attempted match will be with `www.powerdns.com.`.
-
-In addition, since this is a regular expression, to exclusively match queries for `www.powerdns.com`, one should escape the dots: `^www\.powerdns\.com\.$`.
-
-Multiple matches can be chained with the | operator. For example, to match all queries for Dutch (.nl) and German (.de) domain names, use: `\.nl\.$|\.de\.$`.
-
-### `unload-lua-script`
-Unload Lua script, if one is loaded.
-
-### `version`
-Available after 3.6.1, report currently running version.
-
-### `wipe-cache domain1. [domain2. ..]`
-Wipe entries from the cache. This is useful if, for example, an important server has a new IP address, but the TTL has not yet expired. Multiple domain names can be passed. For versions before 3.1, you must terminate a domain with a `.`! So to wipe powerdns.org, issue `rec_control wipe-cache powerdns.org.`. For later versions, the dot is optional.
-
-To wipe all subdomain entries, append a $ at the end for example `powerdns.com$` would wipe that domain as well as `doc.powerdns.com` etc.
-
-Note that deletion is exact, wiping `com.` will leave `www.powerdns.com.` untouched!
-
-**Warning**: As of 3.1.7, this command also wipes the negative query cache for the specified domain.
-**Warning**: Don't just wipe "www.somedomain.com", its NS records or CNAME target may still be undesired, so wipe "somedomain.com" as well.
-
-The command `get` can query a large number of statistics, which are detailed in [Performance Monitoring](stats.md).
-
-More details on what "throttled" queries and the like are can be found below in [Security Settings](security.md).
+++ /dev/null
-# Scripting The Recursor
-In the PowerDNS recursor, it is possible to modify resolving behaviour using
-simple scripts written in the [Lua](http://www.lua.org) programming language.
-This page documents the Recursor 4.0.0 and beyond version of the scripting API.
-
-**Note**: This describes the Lua scripts as supported by 4.x. They are very
-different than the ones from 3.x, but tend to be faster and more correct.
-
-These scripts can be used to quickly override dangerous domains, fix things
-that are wrong, for load balancing or for legal or commercial purposes. The
-scripts can also protect you or your users from malicious traffic.
-
-Lua is extremely fast and lightweight, easily supporting hundreds of thousands
-of queries per second. The Lua language is explained very well in the excellent
-book [Programming in Lua](http://www.amazon.com/exec/obidos/ASIN/859037985X/lua-pilindex-20).
-If you already have programming experience,
-[Learn Lua in 15 Minutes](http://tylerneylon.com/a/learn-lua/) is a great primer.
-
-For extra performance, a Just In Time compiled version of Lua called
-[LuaJIT](http://luajit.org/) is supported.
-
-Queries can be intercepted in many places:
-
-* before any packet parsing begins (`ipfilter`)
-* before any filtering policy have been applied (`prerpz`)
-* before the resolving logic starts to work (`preresolve`)
-* after the resolving process failed to find a correct answer for a domain (`nodata`, `nxdomain`)
-* after the whole process is done and an answer is ready for the client (`postresolve`)
-* before an outgoing query is made to an authoritative server (`preoutquery`)
-
-## Configuring Lua scripts
-In order to load scripts, the PowerDNS Recursor must have Lua support built
-in. The packages distributed from the PowerDNS website have this language
-enabled, other distributions may differ. By default, the Recursor's configure
-script will attempt to detect if Lua is available.
-
-**note**: Only one script can be loaded at the same time. If you load a different
-script, the current one will be replaced (safely)!
-
-If Lua support is available, a script can be configured either via the
-configuration file, or at runtime via the `rec_control` tool. Scripts can
-be reloaded or unloaded at runtime with no interruption in operations. If a
-new script contains syntax errors, the old script remains in force.
-
-On the command line, or in the configuration file, the setting
-[`lua-dns-script`](settings.md#lua-dns-script) can be used to supply a full path
-to the Lua script.
-
-At runtime, `rec_control reload-lua-script` can be used to either reload the
-script from its current location, or, when passed a new file name, load one
-from a new location. A failure to parse the new script will leave the old
-script in working order.
-
-**Note**: It is also possible to precompile scripts using `luac`, and have
-PowerDNS load the result. This means that switching scripts is faster, and
-also that you'll be informed about syntax errors at compile time.
-
-Finally, `rec_control unload-lua-script` can be used to remove the currently
-installed script, and revert to unmodified behaviour.
-
-# Writing Lua PowerDNS Recursor scripts
-To get a quick start, we have supplied a sample script that showcases all functionality described below. Please
-find it [here](https://github.com/PowerDNS/pdns/blob/master/pdns/powerdns-example-script.lua).
-
-Addresses and DNS Names are not passed as strings but as native objects. This
-allows for easy checking against [netmasks](#netmask-groups) and [domain sets]().
-It also means that to print such names, the `:toString` method must be used
-(or even `:toStringWithPort` for addresses).
-
-Comparing IP addresses and DNSNames is not done with '==' but with the `:equal` method.
-
-Once a script is loaded, PowerDNS looks for several functions, as detailed below.
-All of these functions are optional.
-
-## The DNSQuestion (`dq`) object
-Apart from the `ipfilter`-function, all functions work on a `dq` (DNSQuestion)
-object. This object contains details about the current state of the question.
-This state can be modified from the various hooks. If a function returns 'true',
-it will indicate that it handled a query. If it returns false, the Recursor will
-continue processing unchanged (with one minor exception).
-
-The DNSQuestion object contains at least the following fields:
-
-* qname - DNS native version of the name this query is for
-* qtype - type this query is for, can be compared against pdns.A, pdns.AAAA etc
-* rcode - current DNS Result Code, which can be overridden, including to several magical values
-* isTcp - whether the query have been received over TCP or UDP
-* remoteaddr - address of the requestor
-* localaddr - address this query was received on
-* variable - a boolean which, if set, indicates the recursor should not packet cache this answer. Honored even when returning 'false'! Important when providing answers that vary over time or based on sender details.
-* followupFunction - a string that signals the nameserver to take one of the following additional actions:
- * followCNAMERecords: When adding a CNAME to the answer, this tells the recursor to follow that CNAME. See [CNAME chain resolution](#cname-chain-resolution)
- * getFakeAAAARecords: Get a fake AAAA record, see [DNS64](#dns64)
- * getFakePTRRecords: Get a fake PTR record, see [DNS64](#dns64)
- * udpQueryResponse: Do a UDP query and call a handler, see [`udpQueryResponse`](#udpqueryresponse)
-* appliedPolicy - The decision that was made by the policy engine, see [Modifying policy decisions](#modifying-policy-decisions). It has the following fields:
- * policyName: The name of the policy (used in e.g. protobuf logging)
- * policyAction: The action taken by the engine
- * policyCustom: The CNAME content for the `pdns.policyactions.Custom` response, a string
- * policyTTL: The TTL in seconds for the `pdns.policyactions.Custom` response
-* wantsRPZ - A boolean that indicates the use of the Policy Engine, can be set to `false` in `prerpz` to disable RPZ for this query
-* data - a Lua object reference that is persistent throughout the lifetime of the `dq` object for a single query. It can be used to store custom data. Most scripts initialise this to an empty table early on so they can store multiple items.
-* requestorId - a string that will be used to set the `requestorId` field in protobuf messages (introduced in 4.1).
-
-It also supports the following methods:
-
-* `addAnswer(type, content, [ttl, name])`: add an answer to the record of `type` with `content`. Optionally supply TTL and the name of
- the answer too, which defaults to the name of the question
-* `addPolicyTag(tag)`: add a policy tag.
-* `discardPolicy(policyname)`: skip the filtering policy (for example RPZ) named `policyname` for this query. This is mostly useful in the `prerpz` hook.
-* `getDH()` - Returns the DNS Header of the query or nil.
-* `getPolicyTags()`: get the current policy tags as a table of strings.
-* `getRecords()`: get a table of DNS Records in this DNS Question (or answer by now)
-* `setPolicyTags(tags)`: update the policy tags, taking a table of strings.
-* `setRecords(records)`: after your edits, update the answers of this question
-* `getEDNSFlag(name)`: returns true if the EDNS flag with `name` is set in the query
-* `getEDNSFlags()`: returns a list of strings with all the EDNS flag mnemonics in the query
-* `getEDNSOption(num)`: get the EDNS Option with number `num`
-* `getEDNSOptions()`: get a map of all EDNS Options
-* `getEDNSSubnet()`: returns the netmask specified in the EDNSSubnet option, or empty if there was none
-* `addPolicyTag(tag)`: Add policyTag `tag` to the list of policyTags
-* `getPolicyTags()`: Get a list the policyTags for this message
-* `setPolicyTags(tags)`: Set the policyTags for this message to `tags` (a list)
-
-A DNS header as returned by `getDH()` offers the following methods:
-* `getRD()`, `getAA()`, `getAD()`, `getCD()`, `getTC()`: query these bits from the DNS Header
-* `getRCODE()`: get the RCODE of the query
-* `getOPCODE()`: get the OPCODE of the query
-* `getID()`: get the ID of the query
-
-## `function ipfilter ( remoteip, localip, dh )`
-This hook gets queried immediately after consulting the packet cache, but before
-parsing the DNS packet. If this hook returns something else than false, the packet is dropped.
-However, because this check is after the packet cache, the IP address might still receive answers
-that require no packet parsing.
-
-With this hook, undesired traffic can be dropped rapidly before using precious CPU cycles
-for parsing.
-
-`remoteip` is the IP(v6) address of the requestor, `localip` is the address on which the query arrived.
-`dh` is the DNS Header of the query, and it offers the same functions as the `dq.getDH()` object described above.
-
-As an example, to filter all queries coming from 1.2.3.0/24, or with the AD bit set:
-
-```
-badips = newNMG()
-badips:addMask("1.2.3.0/24")
-
-function ipfilter(rem, loc, dh)
- return badips:match(rem) or dh:getAD()
-end
-```
-
-This hook does not get the full DNSQuestion object, since filling out the fields
-would require packet parsing, which is what we are trying to prevent with `ipfilter`.
-
-### `function gettag(remote, ednssubnet, local, qname, qtype, ednsoptions, tcp)`
-The `gettag` function is invoked when the Recursor attempts to discover in which
-packetcache an answer is available.
-
-This function must return an integer, which is the tag number of the packetcache.
-In addition to this integer, this function can return a table of policy tags.
-The resulting tag number can be accessed via `dq.tag` in the `preresolve` hook,
-and the policy tags via `dq:getPolicyTags()` in every hook.
-Starting with 4.1.0, it can also return a table whose keys and values are strings
-to fill the upcoming `DNSQuestion`'s `data` table, as well as a `requestorId`
-value to fill the upcoming `DNSQuestion`'s `requestorId` field.
-
-The tagged packetcache can e.g. be used to answer queries from cache that have
-e.g. been filtered for certain IPs (this logic should be implemented in the
-`gettag` function). This ensure that queries are answered quickly compared to
-setting dq.variable to `true`. In the latter case, repeated queries will pass
-through the entire Lua script.
-
-`ednsoptions` is a table whose keys are EDNS option codes and values are
-`EDNSOptionView` objects, with the EDNS option content size in the `size` member
-and the content accessible as a NULL-safe string object via `getContent()`.
-This table is empty unless the `gettag-needs-edns-options` parameter is set.
-
-The `tcp` value (added in 4.1) is a boolean indicating whether the query was
-received over `UDP` (false) or `TCP` (true).
-
-### `function prerpz(dq)`
-
-This hook is called before any filtering policy have been applied, making it
-possible to completely disable filtering by setting `wantsRPZ` to false.
-Using the `discardPolicy()` function, it is also possible to selectively disable
-one or more filtering policy, for example RPZ zones, based on the content of the
-`dq` object.
-
-As an example, to disable the `malware` policy for `example.com` queries:
-
-```
-function prerpz(dq)
- -- disable the RPZ policy named 'malware' for example.com
- if dq.qname:equal('example.com') then
- dq:discardPolicy('malware')
- end
- return false
-end
-```
-
-### `function preresolve(dq)`
-is called before any DNS resolution is attempted, and if this function
-indicates it, it can supply a direct answer to the DNS query, overriding the
-internet. This is useful to combat botnets, or to disable domains
-unacceptable to an organization for whatever reason.
-
-The rcode can be set to pdns.DROP to drop the query. Other statuses are normal DNS
-return codes, like no error, NXDOMAIN etc.
-
-### `function postresolve(dq)`
-is called right before returning a response to a client (and, unless
-`variable` is set, to the packet cache too). It allows inspection
-and modification of almost any detail in the return packet.
-
-### `function nxdomain(dq)`
-is called after the DNS resolution process has run its course, but ended in
-an 'NXDOMAIN' situation, indicating that the domain or the specific record
-does not exist. Works entirely like postresolve, but saves a trip through Lua for
-answers which are not NXDOMAIN.
-
-### `function nodata(dq)`
-is just like `nxdomain`, except it gets called when a domain exists, but the
-requested type does not. This is where one would implement DNS64.
-
-### `function preoutquery(dq)`
-This hook is not called in response to a client packet, but fires when the Recursor
-wants to talk to an authoritative server. When this hook sets the special result code -3,
-the whole DNS client query causing this outquery gets dropped.
-
-However, this function can also return records like the preresolve query above.
-
-## Semantics
-The functions must return `true` if they have taken over the query and wish that
-the nameserver should not proceed with its regular query-processing. When a
-function returns `false`, the nameserver will process the query normally until
-a new function is called.
-
-If a function has taken over a request, it should set an rcode (usually 0),
-and specify a table with records to be put in the answer section of a
-packet. An interesting rcode is NXDOMAIN (3, or `pdns.NXDOMAIN`), which
-specifies the non-existence of a domain.
-
-The `ipfilter` and `preoutquery` hooks are different, in that `ipfilter` can
-only return a true of false value, and that `preoutquery` can also set rcode -3
-to signify that the whole query should be terminated.
-
-A minimal sample script:
-
-```
-function nxdomain(dq)
- print("Intercepting NXDOMAIN for: ",dq.qname:toString())
- if dq.qtype == pdns.A
- then
- dq.rcode=0 -- make it a normal answer
- dq:addAnswer(pdns.A, "192.168.1.1")
- return true
- end
- return false
-end
-```
-
-**Warning**: Please do NOT use the above sample script in production!
-Responsible NXDomain redirection requires more attention to detail.
-
-Useful 'rcodes' include 0 for "no error", `pdns.NXDOMAIN` for
-"NXDOMAIN", `pdns.DROP` to drop the question from further processing (since
-3.6, and such a drop is accounted in the 'policy-drops' metric).
-
-## Helpful functions
-
-### Netmask Groups
-IP addresses are passed to Lua in native format. They can be matched against netmasks objects like this:
-```
-nmg = newNMG()
-nmg:addMask("127.0.0.0/8")
-nmg:addMasks({"213.244.168.0/24", "130.161.0.0/16"})
-nmg:addMasks(dofile("bad.ips")) -- contains return {"ip1","ip2"..}
-
-if nmg:match(dq.remoteaddr) then
- print("Intercepting query from ", dq.remoteaddr)
-end
-```
-
-Prefixing a mask with `!` excludes that mask from matching.
-
-### IP Addresses
-We move IP addresses around in native format, called ComboAddress within PowerDNS.
-ComboAddresses can be IPv4 or IPv6, and unless you want to know, you don't need
-to. You can make a ComboAddress with: `newCA("::1")`, and you can compare
-it against a NetmaskGroup as described above.
-
-To compare the address (so not the port) of two ComboAddresses, use `:equal`.
-
-To convert an address to human-friendly representation, use `:toString()` or
-`:toStringWithPort()`. To get only the port number, use `:getPort()`.
-
-Other functions that can be called on a ComboAddress are:
-
- * `isIPv4` - true if the address is an IPv4 address
- * `isIPv6` - true if the address is an IPv6 address
- * `getRaw` - returns the bytestring representing the address
- * `isMappedIPv4` - true if the address is an IPv4 address mapped into an IPv6 one
- * `mapToIPv4` - if the address is an IPv4 mapped into an IPv6 one, return the corresponding IPv4
- * `truncate(bits)` - truncate to the supplied number of bits
-
-### Netmask
-IP addresses can be matched against a Netmask object, which can be created with
-`newNetmask("192.0.2.1/24")` and supports the following methods:
-
- * `empty` - true if the netmask doesn't contain a valid address
- * `getBits` - the number of bits in the address
- * `getNetwork` - return a ComboAddress representing the network (no mask applied)
- * `getMaskedNetwork` - return a ComboAddress representing the network (truncating according to the mask)
- * `isIpv4` - true if the address is an IPv4 address
- * `isIpv6` - true if the address is an IPv6 address
- * `match(str)` - true if the address passed in str matches
- * `toString` - human-friendly representation
-
-### DNSName
-DNSNames are passed to various functions, and they sport the following methods:
-
-* `:equal`: use this to compare two DNSNames in DNS native fashion. So 'PoWeRdNs.COM' matches 'powerdns.com'
-* `:isPartOf`: returns true if a is a part of b. So: `newDN("www.powerdns.com"):isPartOf(newDN("CoM."))` returns true
-* `:toString` and `:toStringNoDot`: return a string representation of the name, with or without trailing dot.
-* `:chopOff`: removes the leftmost label from the name, returns true if this succeeded.
-* `:countLabels`: returns the number of labels
-* `:wirelength`: returns the length on the wire
-
-You can compare DNSNames using `:equal` or the `==` operator.
-
-To make your own DNSName, use `newDN("domain.name")`. To copy an existing DNSName (please remember to do this before using `chopOff`), use `newDN(mydn)`.
-
-### DNS Suffix Match groups
-The `newDS` function creates a "Suffix Match group" that allows fast checking if
-a DNSName is part of a group. Add domains to this group with the `:add(domain)`
-function of the object: `myDS:add("example.net")`, or with a list:
-`myDS:add({"example.net", "example.com"}).
-
-To check e.g. the dq.qname against this list, use `:check(dq.qname)`. This will
-be `true` if dq.qname is part of any of the Suffix Match group domains.
-
-This could e.g. be used to answer questions for known malware domains.
-
-To see the set of suffixes matched by a Suffix Match Group, use `:toString()`.
-
-### DNS Record
-
-DNS record objects are returned by `dq:getRecords()`, and have the following members:
-
-* `name`: the name of the record as a DNSName
-* `place`: the place where the record is located, 1 for the answer section, 2 for the authority and 3 for the additional one
-* `ttl`: the TTL of the record
-* `type`: the type of the record, for example pdns.A
-
-and the following methods:
-
-* `changeContent(newcontent)`: replace the record content with the string representation passed as `newcontent`. The type and class cannot be changed.
-* `getCA()`: if the record type is A or AAAA, a ComboAddress representing the content is returned, nil otherwise.
-* `getContent()`: return a string representation of the record content
-
-### Metrics
-You can custom metrics which will be shown in the output of 'rec_control get-all'
-and sent to the metrics server over the Carbon protocol, and also appear in the
-JSON HTTP API.
-
-Create a custom metric with: `myMetric= getMetric("name")`. This metric sports
-the following metrics:
-
-* `:inc()`: increase metric by 1
-* `:incBy(amount)`: increase metric by amount
-* `:set(to)`: set metric to value to
-* `:get()`: get value of metric
-
-Metrics are shared across all of PowerDNS and are fully atomic and high
-performance. The myMetric object is effectively a pointer to an atomic value.
-
-Note that metrics live in the same namespace as 'system' metrics. So if you
-generate one that overlaps with a PowerDNS stock metric, you will get double
-output and weird results.
-
-### Statistics
-
-Since 4.1.0, statistics can be retrieved from Lua using the `getStat("name")` call. For example,
-to retrieve the number of cache misses:
-
-```
-cacheMisses = getStat("cache-misses")
-```
-
-Please be aware that retrieving statistics is a relatively costly operation, and as such
-should for example not be done for every query.
-
-### Logging
-To log messages with the main PowerDNS Recursor process, use `pdnslog(message)`.
-pdnslog can also write out to a syslog loglevel if specified.
-Use `pdnslog(message, pdns.loglevels.LEVEL)` with the correct pdns.loglevels
-entry. Entries are listed in the following table:
-
-* All - `pdns.loglevels.All`
-* Alert - `pdns.loglevels.Alert`
-* Critical - `pdns.loglevels.Critical`
-* Error - `pdns.loglevels.Error`
-* Warning - `pdns.loglevels.Warning`
-* Notice - `pdns.loglevels.Notice`
-* Info - `pdns.loglevels.Info`
-* Debug - `pdns.loglevels.Debug`
-* None - `pdns.loglevels.None`
-
-`pdnslog(message)` will write out to Info by default.
-
-`getregisteredname('www.powerdns.com')` returns `powerdns.com.`, based on Mozilla's
-Public Suffix List. In general it will tell you the 'registered domain' for a given
-name.
-
-`getRecursorThreadId()` returns an unsigned integer identifying the thread
-handling the current request.
-
-## DNS64
-The `getFakeAAAARecords` and `getFakePTRRecords` followupFunctions can be used
-to implement DNS64. See [DNS64 support in the PowerDNS Recursor](dns64.md) for
-more information.
-
-To get fake AAAA records for DNS64 usage, set dq.followupFunction to `getFakeAAAARecords`,
-dq.followupPrefix to e.g. "64:ff9b::" and dq.followupName to the name you want to
-synthesize an IPv6 address for.
-
-For fake reverse (PTR) records, set dq.followupFunction to `getFakePTRRecords`
-and set dq.followupName to the name to look up and dq.followupPrefix to the
-same prefix as used with `getFakeAAAARecords`.
-
-## CNAME chain resolution
-It may be useful to return a CNAME record for Lua, and then have the
-PowerDNS Recursor continue resolving that CNAME. This can be achieved by
-setting dq.followupFunction to `followCNAMERecords` and dq.followupDomain to
-"www.powerdns.com". PowerDNS will do the rest.
-
-## `udpQueryResponse`
-The `udpQueryResponse` dq.followupFunction allows you to query a simple key-value
-store over UDP asynchronously.
-
-Several dq variables can be set:
-
-* `udpQueryDest`: destination IP address to send the UDP packet to
-* `udpQuery`: The content of the UDP payload
-* `udpCallback`: The name of the callback function that is called when an answer is received
-
-The callback function must accept the `dq` object and can find the response to
-the UDP query in `dq.udpAnswer`.
-
-In this callback function, `dq.followupFunction` can be set again to any of the
-available functions for further processing.
-
-This example script queries a simple key/value store over UDP to decide on whether
-or not to filter a query:
-
-```
-!!include=../pdns/recursordist/contrib/kv-example-script.lua
-```
-
-## Example Script
-
-```
-!!include=../pdns/recursordist/contrib/powerdns-example-script.lua
-```
-
-### Dropping all traffic from botnet-infected users
-Frequently, DoS attacks are performed where specific IP addresses are attacked,
-often by queries coming in from open resolvers. These queries then lead to a lot of
-queries to 'authoritative servers' which actually often aren't nameservers at all, but
-just targets of attack.
-
-The following script will add a requestor's IP address to a blocking set if they've
-sent a query that caused PowerDNS to attempt to talk to a certain subnet.
-
-This specific script is, as of January 2015, useful to prevent traffic to ezdns.it related
-traffic from creating CPU load. This script requires PowerDNS Recursor 4.x or later.
-
-```
-lethalgroup=newNMG()
-lethalgroup:addMask("192.121.121.0/24") -- touch these nameservers and you die
-
-function preoutquery(dq)
- print("pdns wants to ask "..dq.remoteaddr:toString().." about "..dq.qname:toString().." "..dq.qtype.." on behalf of requestor "..dq.localaddr:toString())
- if(lethalgroup:match(dq.remoteaddr))
- then
- print("We matched the group "..lethalgroup:tostring().."!", "killing query dead & adding requestor "..dq.localaddr:toString().." to block list")
- dq.rcode = -3 -- "kill"
- return true
- end
- return false
-end
-```
-
-## Modifying Policy Decisions
-The PowerDNS Recursor has a [policy engine based on Response Policy Zones (RPZ)](settings.md#response-policy-zone-rpz).
-Starting with version 4.0.1 of the recursor, it is possible to alter this decision inside the Lua hooks.
-If the decision is modified in a Lua hook, `false` should be returned, as the query is not actually handled by Lua so the decision is picked up by the Recursor.
-The result of the policy decision is checked after `preresolve` and `postresolve`.
-
-For example, if a decision is set to `pdns.policykinds.NODATA` by the policy engine and is unchanged in `preresolve`, the query is replied to with a NODATA response immediately after `preresolve`.
-
-### Example script
-```
--- Dont ever block my own domain and IPs
-myDomain = newDN("example.com")
-
-myNetblock = newNMG()
-myNetblock:addMasks("192.0.2.0/24")
-
-function preresolve(dq)
- if dq.qname:isPartOf(myDomain) and dq.appliedPolicy.policyKind != pdns.policykinds.NoAction then
- pdnslog("Not blocking our own domain!")
- dq.appliedPolicy.policyKind = pdns.policykinds.NoAction
- end
-end
-
-function postresolve(dq)
- if dq.appliedPolicy.policyKind != pdns.policykinds.NoAction then
- local records = dq:getRecords()
- for k,v in pairs(records) do
- if v.type == pdns.A then
- local blockedIP = newCA(v:getContent())
- if myNetblock:match(blockedIP) then
- pdnslog("Not blocking our IP space")
- dq.appliedPolicy.policyKind = pdns.policykinds.NoAction
- end
- end
- end
- end
-end
-```
-
-The decision is contained in the `dq` object under `dq.appliedPolicy` and features 4 fields:
-
-### `dq.appliedPolicy.policyName`
-A string with the name of the policy (set by `polName=` in the `rpzFile` and `rpzMaster` configuration items).
-It is advised to overwrite this when modifying the `policyKind`
-
-### `dq.appliedPolicy.policyKind`
-The kind of policy response, there are several policy kinds:
-
- * `pdns.policykinds.Custom` will return a NoError, CNAME answer with the value specified in `dq.appliedPolicy.policyCustom`
- * `pdns.policykinds.Drop` will simply cause the query to be dropped
- * `pdns.policykinds.NoAction` will continue normal processing of the query
- * `pdns.policykinds.NODATA` will return a NoError response with no value in the answer section
- * `pdns.policykinds.NXDOMAIN` will return a response with a NXDomain rcode
- * `pdns.policykinds.Truncate` will return a NoError, no answer, truncated response over UDP. Normal processing will continue over TCP
-
-### `dq.appliedPolicy.policyCustom` and `dq.appliedPolicy.policyTTL`
-These fields are only used when `dq.appliedPolicy.policyKind` is set to `pdns.policykinds.Custom`.
-`dq.appliedPolicy.policyCustom` contains the name for the CNAME target as a string.
-And `dq.appliedPolicy.policyTTL` is the TTL field (in seconds) for the CNAME response.
-
-## SNMP Traps
-PowerDNS Recursor, when compiled with SNMP support, has the ability to act as a
-SNMP agent to provide SNMP statistics and to be able to send traps from Lua.
-
-For example, to send a custom SNMP trap containing the qname from the `preresolve` hook:
-
-```
-function preresolve(dq)
- sendCustomSNMPTrap('Trap from preresolve, qname is '..dq.qname:toString())
- return false
-end
-```
+++ /dev/null
-# Security Measures in the Recursor
-
-## Anti-spoofing
-The PowerDNS recursor 3.0 uses a fresh UDP source port for each outgoing query, making spoofing around 64000 times harder. This raises the bar from 'easily doable given some time' to 'very hard'. Under some circumstances, 'some time' has been measured at 2 seconds. This technique was first used by `dnscache` by Dan J. Bernstein.
-
-In addition, PowerDNS detects when it is being sent too many unexpected answers, and mistrusts a proper answer if found within a clutch of unexpected ones.
-
-This behaviour can be tuned using the **spoof-nearmiss-max**.
-
-## Throttling
-PowerDNS implements a very simple but effective nameserver. Care has been taken not to overload remote servers in case of overly active clients.
-
-This is implemented using the 'throttle'. This accounts all recent traffic and prevents queries that have been sent out recently from going out again.
-
-There are three levels of throttling.
-
-- If a remote server indicates that it is lame for a zone, the exact question won't be repeated in the next 60 seconds.
-- After 4 ServFail responses in 60 seconds, the query gets throttled too.
-- 5 timeouts in 20 seconds also lead to query suppression.
+++ /dev/null
-# All PowerDNS Recursor Settings
-Each setting can appear on the command line, prefixed by '--', or in the configuration file. The command line overrides the configuration file.
-
-**Note**: Settings marked as 'Boolean' can either be set to an empty value, which
-means on, or to 'no' or 'off' which means off. Anything else means on.
-
-So, as an example:
-
- * 'serve-rfc1918' on its own means: do serve those zones.
- * 'serve-rfc1918=off' or 'serve-rfc1918=no' means: do not serve those zones.
- * Anything else means: do serve those zones.
-
-## `aaaa-additional-processing`
-* Boolean
-* Default: No
-* Available until: 3.6.0
-
-If turned on, the recursor will attempt to add AAAA IPv6 records to questions
-for MX records and NS records. Can be quite slow as absence of these records in
-earlier answers does not guarantee their non-existence. Can double the amount of
-queries needed.
-
-## `allow-from`
-* IP ranges, separated by commas
-* Default: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
-
-Netmasks (both IPv4 and IPv6) that are allowed to use the server. The default
-allows access only from RFC 1918 private IP addresses. Due to the aggressive
-nature of the internet these days, it is highly recommended to not open up the
-recursor for the entire internet. Questions from IP addresses not listed here
-are ignored and do not get an answer.
-
-## `allow-from-file`
-* Path
-* Available since: 3.1.5
-
-Like [`allow-from`](#allow-from), except reading from file. Overrides the
-[`allow-from`](#allow-from) setting. To use this feature, supply one netmask per
-line, with optional comments preceded by a \#. Available since version 3.1.5.
-
-## `any-to-tcp`
-* Boolean
-* Default: no
-* Available since: 3.6.0
-
-Answer questions for the ANY type on UDP with a truncated packet that refers the
-remote server to TCP. Useful for mitigating ANY reflection attacks.
-
-## `api-config-dir`
-* Path
-* Default: unset
-* Available since: 4.0
-
-Directory where the REST API stores its configuration and zones.
-
-## `api-key`
-* String
-* Default: unset
-* Available since: 4.0
-
-Static pre-shared authentication key for access to the REST API.
-
-## `api-readonly`
-* Boolean
-* Default: no
-* Available since: 4.0.0
-
-Disallow data modification through the REST API when set.
-
-## `api-logfile`
-* Path
-* Default: unset
-* Available since: 4.0.0
-
-Location of the server logfile (used by the REST API).
-
-## `auth-can-lower-ttl`
-* Boolean
-* Default: no
-* Available until: 3.5
-
-Authoritative zones can transmit a TTL value that is lower than that specified
-in the parent zone. This is called a 'delegation inconsistency'. To follow
-RFC 2181 paragraphs 5.2 and 5.4 to the letter, enable this feature. This will
-mean a slight deterioration of performance, and it will not solve any problems,
-but does make the recursor more standards compliant. Not recommended unless you
-have to tick an 'RFC 2181 compliant' box.
-
-## `auth-zones`
-* Comma separated list of 'zonename=filename' pairs
-* Available since: 3.1
-
-Zones read from these files (in BIND format) are served authoritatively. DNSSEC is not supported. Example:
-`auth-zones=example.org=/var/zones/example.org, powerdns.com=/var/zones/powerdns.com`.
-
-## `statistics-interval`
-* Integer
-* Default: 1800
-* Available since: 4.1.0
-
-Interval between logging statistical summary on recursor performance.
-Use 0 to disable.
-
-## `carbon-interval`
-* Integer
-* Default: 30
-* Available since: 3.6.0
-
-If sending carbon updates, this is the interval between them in seconds. See
-["PowerDNS Metrics"](../common/logging.md#sending-to-carbongraphitemetronome).
-
-## `carbon-ourname`
-* String
-* Available since: 3.6.0
-
-If sending carbon updates, if set, this will override our hostname. Be
-careful not to include any dots in this setting, unless you know what you
-are doing. See ["PowerDNS Metrics"](../common/logging.md#sending-to-carbongraphitemetronome).
-
-## `carbon-server`
-* IP address
-* Available since: 3.6.0
-
-If set to an IP or IPv6 address, will send all available metrics to this server
-via the carbon protocol, which is used by graphite and metronome. You may specify
-an alternate port by appending :port, ex: 127.0.0.1:2004. See
-["PowerDNS Metrics"](../common/logging.md#sending-to-carbongraphitemetronome).
-
-## `chroot`
-* Path to a Directory
-
-If set, chroot to this directory for more security. See [Security](../common/security.md).
-
-Make sure that `/dev/log` is available from within the chroot. Logging will
-silently fail over time otherwise (on logrotate).
-
-When using `chroot`, all other paths (except for [`config-dir`](#config-dir) set
-in the configuration are relative to the new root.
-
-When using `chroot` and the API ([`webserver`](#webserver)), [`api-readonly`](#api-readonly)
-must be set and [`api-config-dir`](#api-config-dir) unset.
-
-When running on a system where systemd manages services, `chroot` does not work out of the box, as PowerDNS cannot use the `NOTIFY_SOCKET`.
-Either do not `chroot` on these systems or set the 'Type' of this service to 'simple' instead of 'notify' (refer to the systemd documentation on how to modify unit-files)
-
-## `client-tcp-timeout`
-* Integer
-* Default: 2
-
-Time to wait for data from TCP clients.
-
-## `config-dir`
-* Path
-
-Location of configuration directory (`recursor.conf`). Usually `/etc/powerdns`, but
-this depends on `SYSCONFDIR` during compile-time.
-
-## `config-name`
-* String
-* Default: unset
-* Available since: 3.6.0
-
-When running multiple recursors on the same server, read settings from
-"recursor-name.conf", this will also rename the binary image.
-
-## `cpu-map`
-* String
-* Default: unset
-* Available since: 4.1.0
-
-Set CPU affinity for worker threads, asking the scheduler to run those threads on a single CPU, or a set of CPUs.
-This parameter accepts a space separated list of thread-id=cpu-id, or thread-id=cpu-id-1,cpu-id-2,...,cpu-id-N.
-For example, to make the worker thread 0 run on CPU id 0 and the worker thread 1 on CPUs 1 and 2:
-
-`cpu-map=0=0 1=1,2`
-
-The number of worker threads is determined by the ['threads'](#threads) setting.
-If [`pdns-distributes-queries`'](#pdns-distributes-queries) is set, an additional thread is started, assigned the id 0,
-and is the only one listening on client sockets and accepting queries, distributing them to the other worker threads afterwards.
-
-This parameter is only available on OS that provides the `pthread_setaffinity_np()` function.
-
-## `daemon`
-* Boolean
-* Default: no (since 4.0.0, 'yes' before 4.0.0)
-
-Operate in the background.
-
-## `delegation-only`
-* Domains, comma separated
-
-Which domains we only accept delegations from (a Verisign special).
-
-## `disable-packetcache`
-* Boolean
-* Default: no
-* Available since: 3.2
-
-Turn off the packet cache. Useful when running with Lua scripts that can not be
-cached.
-
-## `disable-syslog`
-* Boolean
-* Default: no
-* Available since: 4.0.0
-
-Do not log to syslog, only to stdout. Use this setting when running inside a
-supervisor that handles logging (like systemd). **Note**: do not use this setting
-in combination with [`daemon`](#daemon) as all logging will disappear.
-
-## `dnssec`
-* One of `off`, `process-no-validate`, `process`, `log-fail`, `validate`, String
-* Default: `process-no-validate` (**note**: was `process` until 4.0.0-alpha2)
-* Available since: 4.0.0
-
-Set the mode for DNSSEC processing:
-
-### `off`
-No DNSSEC processing whatsoever. Ignore DO-bits in queries, don't request any
-DNSSEC information from authoritative servers. This behaviour is similar to
-PowerDNS Recursor pre-4.0.
-
-### `process-no-validate`
-Respond with DNSSEC records to clients that ask for it, set the DO bit on all
-outgoing queries. Don't do any validation.
-
-### `process`
-Respond with DNSSEC records to clients that ask for it, set the DO bit on all
-outgoing queries. Do validation for clients that request it (by means of the AD-
-bit or DO-bit in the query).
-
-### `log-fail`
-Similar behaviour to `process`, but validate RRSIGs on responses and log bogus
-responses.
-
-#### `validate`
-Full blown DNSSEC validation. Send SERVFAIL to clients on bogus responses.
-
-## `dnssec-log-bogus`
-* Boolean
-* Default: no
-* Available since: 4.0.0
-
-Log every DNSSEC validation failure.
-**Note**: This is not logged per-query but every time records are validated as Bogus.
-
-## `dont-query`
-* Netmasks, comma separated
-* Default: 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16,
- 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10, 0.0.0.0/8, 192.0.0.0/24,
- 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 240.0.0.0/4, ::/96,
- ::ffff:0:0/96, 100::/64, 2001:db8::/32
-* Available since: 3.1.5
-
-The DNS is a public database, but sometimes contains delegations to private IP
-addresses, like for example 127.0.0.1. This can have odd effects, depending on
-your network, and may even be a security risk. Therefore, since version 3.1.5,
-the PowerDNS recursor by default does not query private space IP addresses.
-This setting can be used to expand or reduce the limitations.
-
-Queries to addresses for zones as configured in any of the settings
-[`forward-zones`](#forward-zones), [`forward-zones-file`](#forward-zones-file)
-or [`forward-zones-recurse`](#forward-zones-recurse) are performed regardless
-of these limitations.
-
-## `ecs-ipv4-bits`
-* Integer
-* Default: 24
-* Available since: 4.1.0
-
-Number of bits of client IPv4 address to pass when sending EDNS Client Subnet address information.
-
-## `ecs-ipv6-bits`
-* Integer
-* Default: 56
-* Available since: 4.1.0
-
-Number of bits of client IPv6 address to pass when sending EDNS Client Subnet address information.
-
-## `edns-outgoing-bufsize`
-* Integer
-* Default: 1680
-* Available since: 4.0.0
-
-This is the value set for the EDNS0 buffer size in outgoing packets.
-Lower this if you experience timeouts.
-
-## `edns-subnet-whitelist`
-* Comma separated list of domain names and netmasks
-* Default: (none)
-* Available since: 4.0.0
-
-List of netmasks and domains that [EDNS Client Subnet](https://tools.ietf.org/html/rfc7871) should be enabled for in outgoing queries.
-For example, an EDNS Client Subnet option containing the address of the initial requestor will be added to an outgoing query sent to server 192.0.2.1 for domain X if 192.0.2.1 matches one of the supplied netmasks, or if X matches one of the supplied domains.
-The initial requestor address will be truncated to 24 bits for IPv4 and to 56 bits for IPv6, as recommended in the privacy section of RFC 7871.
-By default, this option is empty, meaning no EDNS Client Subnet information is sent.
-
-## `entropy-source`
-* Path
-* Default: /dev/urandom
-* Available since: 3.1.5
-
-PowerDNS can read entropy from a (hardware) source. This is used for generating
-random numbers which are very hard to predict. Generally on UNIX platforms,
-this source will be `/dev/urandom`, which will always supply random numbers,
-even if entropy is lacking. Change to `/dev/random` if PowerDNS should block
-waiting for enough entropy to arrive.
-
-## `etc-hosts-file`
-* Path
-* Default: /etc/hosts
-* Available since: 3.2
-
-The path to the /etc/hosts file, or equivalent. This file can be used to serve
-data authoritatively using [`export-etc-hosts`](#export-etc-hosts).
-
-## `export-etc-hosts`
-* Boolean
-* Default: no
-* Available since: 3.1
-
-If set, this flag will export the host names and IP addresses mentioned in
-`/etc/hosts`.
-
-## `export-etc-hosts-search-suffix`
-* String
-* Available since: 3.4
-
-If set, all hostnames in the [`export-etc-hosts`](#export-etc-hosts) file are
-loaded in canonical form, based on this suffix, unless the name contains a '.',
-in which case the name is unchanged. So an entry called 'pc' with
-`export-etc-hosts-search-suffix='home.com'` will lead to the generation of
-'pc.home.com' within the recursor. An entry called 'server1.home' will be stored
-as 'server1.home', regardless of this setting.
-
-## `fork`
-* Boolean
-* Default: no
-* Available until: 3.2
-
-If running on an SMP system with enough memory, this feature forks PowerDNS so
-it benefits from two processors. Experimental. Renames controlsockets, so care
-is needed to connect to the right one using `rec_control`, using `socket-pid`.
-Available in versions of the Recursor before 3.2, replaced by the
-['threads'](#threads) setting.
-
-## `forward-zones`
-* 'zonename=IP' pairs, comma separated
-* Available since: 3.1
-
-Queries for zones listed here will be forwarded to the IP address listed. i.e.
-`forward-zones=example.org=203.0.113.210, powerdns.com=2001:DB8::BEEF:5`.
-
-Since version 3.1.5, multiple IP addresses can be specified. Additionally, port
-numbers other than 53 can be configured. Sample syntax:
-`forward-zones=example.org=203.0.113.210:5300;127.0.0.1, powerdns.com=127.0.0.1;198.51.100.10:530;[2001:DB8::1:3]:5300`,
-or on the command line:
-`--forward-zones="example.org=203.0.113.210:5300;127.0.0.1, powerdns.com=127.0.0.1;9.8.7.6:530;[2001:DB8::1:3]:5300"`.
-
-Forwarded queries have the 'recursion desired' bit set to 0, meaning that this
-setting is intended to forward queries to authoritative servers.
-
-**IMPORTANT**: When using DNSSEC validation (which is default), forwards to non-delegated (e.g. internal) zones that have a DNSSEC signed parent zone will validate as Bogus.
-To prevent this, add a Negative Trust Anchor (NTA) for this zone in the [`lua-config-file`](#lua-config-file) with `addNTA("your.zone", "A comment")`.
-If this forwarded zone is signed, instead of adding NTA, add the DS record to the [`lua-config-file`](#lua-config-file).
-See the [recursor DNSSEC](dnssec.md) documentation for more information.
-
-## `forward-zones-file`
-* Path
-* Available since: 3.1.5
-
-Same as [`forward-zones`](#forward-zones), parsed from a file. Only 1 zone is
-allowed per line, specified as follows: `example.org=203.0.113.210, 192.0.2.4:5300`.
-
-Since version 3.2, zones prefixed with a '+' are forwarded with the
-recursion-desired bit set to one, for which see ['forward-zones-recurse'](#forward-zones-recurse).
-Default behaviour without '+' is as with [`forward-zones`](#forward-zones).
-
-Comments are allowed since version 4.0.0. Everything behind '#' is ignored.
-
-The DNSSEC notes from [`forward-zones`](#forward-zones) apply here as well.
-
-## `forward-zones-recurse`
-* 'zonename=IP' pairs, comma separated
-* Available since: 3.2
-
-Like regular [`forward-zones`](#forward-zones), but forwarded queries have the
-'recursion desired' bit set to 1, meaning that this setting is intended to
-forward queries to other recursive servers.
-
-The DNSSEC notes from [`forward-zones`](#forward-zones) apply here as well.
-
-## `gettag-needs-edns-options`
-* Boolean
-* Default: no
-* Available since: 4.1.0
-
-If set, EDNS options in incoming queries are extracted and passed to the `gettag()`
-hook in the `ednsoptions` table.
-
-## `hint-file`
-* Path
-
-If set, the root-hints are read from this file. If unset, default root hints are
-used.
-
-## `include-dir`
-* Path
-
-Directory to scan for additional config files. All files that end with .conf are
-loaded in order using `POSIX` as locale.
-
-## `latency-statistic-size`
-* Integer
-* Default: 10000
-* Available since 3.6
-
-Indication of how many queries will be averaged to get the average latency
-reported by the 'qa-latency' metric.
-
-## `local-address`
-* IP addresses, comma separated
-* Default: 127.0.0.1
-
-Local IPv4 or IPv6 addresses to bind to. Addresses can also contain port numbers,
-for IPv4 specify like this: `192.0.2.4:5300`, for IPv6: `[::1]:5300`.
-Port specifications are available since version 3.1.2.
-
-**Warning**: When binding to wildcard addresses, UNIX semantics mean that
-answers may not be sent from the address a query was received on. It is highly
-recommended to bind to explicit addresses.
-
-## `local-port`
-* Integer
-* Default: 53
-
-Local port to bind to.
-
-## `non-local-bind`
-* Boolean
-* Default: no
-* Available since: 4.0.0
-
-Bind to addresses even if one or more of the [`local-address`'s](#local-address)
-do not exist on this server. Setting this option will enable the needed socket
-options to allow binding to non-local addresses.
-This feature is intended to facilitate ip-failover setups, but it may also
-mask configuration issues and for this reason it is disabled by default.
-
-## `loglevel`
-* Integer between 0 and 9
-* Default: 6
-* Available since: 3.6
-
-Amount of logging. Higher is more, more logging may destroy performance.
-It is recommended not to set this below 3.
-
-## `log-common-errors`
-* Boolean
-* Default: no
-
-Some DNS errors occur rather frequently and are no cause for alarm.
-
-## `logging-facility`
-* Integer
-* Available since: 3.1.3
-
-If set to a digit, logging is performed under this LOCAL facility. See
-[Logging](../common/logging.md#logging). Do not pass names like 'local0'!
-
-## `lowercase-outgoing`
-* Boolean
-* Default: no
-* Available since: 4.0.0
-
-Set to true to lowercase the outgoing queries. When set to 'no' (the default) a
-query from a client using mixed case in the DNS labels (such as a user entering
-mixed-case names or [draft-vixie-dnsext-dns0x20-00](http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00)),
-PowerDNS preserves the case of the query. Broken authoritative servers might give
-a wrong or broken answer on this encoding. Setting `lowercase-outgoing` to 'yes'
-makes the PowerDNS Recursor lowercase all the labels in the query to the authoritative
-servers, but still return the proper case to the client requesting.
-
-## `lua-config-file`
-* Filename
-* Available since: 4.0.0
-
-If set, and Lua support is compiled in, this will load an additional configuration file
-for newer features and more complicated setups.
-
-### `addSortList`
-Sortlist is a complicated feature which allows for the ordering of A and
-AAAA records in answers to be modified, optionally dependently on who is
-asking. Since clients frequently connect to the 'first' IP address they see,
-this can effectively allow you to make sure that user from, say 10.0.0.0/8
-also preferably connect to servers in 10.0.0.0/8.
-
-The syntax consists of a netmask for which this ordering instruction
-applies, followed by a set of netmask (groups) which describe the desired
-ordering. So an ordering instruction of "1.0.0.0/8", "2.0.0.0/8" will put
-anything within 1/8 first, and anything in 2/8 second. Other IP addresses
-would follow behind the addresses sorted earlier.
-
-If netmasks are grouped, this means these get equal ordering.
-
-`addSortList()` is intended to exactly mirror the semantics of the BIND
-sortlist option, but the syntax is slightly different.
-
-As an example, the following BIND sortlist:
-
-```
-{ 17.50.0.0/16; {17.238.240.0/24; 17.138.149.200;
-{17.218.242.254; 17.218.252.254;}; 17.38.42.80;
-17.208.240.100; }; };
-```
-
-Gets transformed into:
-
-```
-addSortList("17.50.0.0/16", {"17.238.240.0/24", "17.138.149.200",
-{"17.218.242.254", "17.218.252.254"}, "17.38.42.80",
-"17.208.240.100" })
-```
-
-In other words: each IP address is put within quotes, and are separated by
-commas instead of semicolons. For the rest everything is identical.
-
-### Response Policy Zone (RPZ)
-Response Policy Zone is an open standard developed by Paul Vixie (ISC and
-Farsight) and Vernon Schryver (Rhyolite), to modify DNS responses based on a
-policy loaded via a zonefile.
-
-Frequently, Response Policy Zones get to be very large and change quickly,
-so it is customary to update them over IXFR.
-It allows the use of third-party feeds, and near real-time policy updates.
-
-An RPZ can be loaded from file or slaved from a master. To load from file, use for example:
-
-```
-rpzFile("dblfilename", {defpol=Policy.Custom, defcontent="badserver.example.com"})
-```
-
-To slave from a master and start IXFR to get updates, use for example:
-
-```
-rpzMaster("192.0.2.4", "policy.rpz", {defpol=Policy.Drop})
-```
-
-In this example, 'policy.rpz' denotes the name of the zone to query for.
-
-Settings for `rpzFile` and `rpzMaster` can contain:
-
-* defpol = Default policy: Policy.Custom, Policy.Drop, Policy.NXDOMAIN, Policy.NODATA, Policy.Truncate, Policy.NoAction
-* defcontent = CNAME field to return in case of defpol=Policy.Custom
-* defttl = the TTL of the CNAME field to be synthesized for the default policy. The default is to use the zone's TTL
-* maxTTL = the maximum TTL value of the synthesized records, overriding a higher value from `defttl` or the zone. Default is unlimited
-* policyName = the name logged as 'appliedPolicy' in protobuf messages when this policy is applied
-* zoneSizeHint = an indication of the number of expected entries in the zone, speeding up the loading of huge zones by reserving space in advance
-
-In addition to those, `rpzMaster` accepts:
-
-* tsigname = the name of the TSIG key to authenticate to the server (also set tsigalgo, tsigsecret)
-* tsigalgo = the name of the TSIG algorithm (like 'hmac-md5') used
-* tsigsecret = base64 encoded TSIG secret
-* refresh = an integer describing the interval between checks for updates. By default, the RPZ zone's default is used
-* maxReceivedMBytes = the maximum size in megabytes of an AXFR/IXFR update, to prevent resource exhaustion.
-The default value of 0 means no restriction.
-* localAddress = The source IP address to use when transferring the RPZ. When unset, [`query-local-address(6)`](#query-local-address) is used.
-
-If no settings are included, the RPZ is taken literally with no overrides applied.
-
-The policy action are:
-
-* Policy.Custom will return a NoError, CNAME answer with the value specified with `defcontent`, when looking up the result of this CNAME, RPZ is not taken into account
-* Policy.Drop will simply cause the query to be dropped
-* Policy.NoAction will continue normal processing of the query
-* Policy.NODATA will return a NoError response with no value in the answer section
-* Policy.NXDOMAIN will return a response with a NXDomain rcode
-* Policy.Truncate will return a NoError, no answer, truncated response over UDP. Normal processing will continue over TCP
-
-### Protocol Buffers (protobuf)
-PowerDNS Recursor has the ability to emit a stream of protocol buffers messages over TCP,
-containing information about queries, answers and policy decisions.
-
-Messages contain the IP address of the client initiating the query,
-the one on which the message was received, whether it was received over UDP or TCP,
-a timestamp and the qname, qtype and qclass of the question.
-In addition, messages related to responses contain the name, type, class
-and rdata of A, AAAA and CNAME records present in the response, as well as the response
-code.
-
-Finally, if a RPZ or custom Lua policy has been applied, response messages
-also contain the applied policy name and some tags. This is particularly useful
-to detect and act on infected hosts.
-
-Protobuf export to a server is enabled using the `protobufServer()` directive:
-
-```
-protobufServer("192.0.2.1:4242" [[[[[[[, timeout], maxQueuedEntries], reconnectWaitTime], maskV4], maskV6], asyncConnect], taggedOnly])
-```
-
-The optional parameters are:
-
-* timeout = time in seconds to wait when sending a message, default to 2
-* maxQueuedEntries = how many entries will be kept in memory if the server becomes unreachable, default to 100
-* reconnectWaitTime = how long to wait, in seconds, between two reconnection attempts, default to 1
-* maskV4 = network mask to apply to the client IPv4 addresses, for anonymization purpose. The default of 32 means no anonymization
-* maskV6 = same as maskV4, but for IPv6. Default to 128
-* taggedOnly = only entries with a policy or a policy tag set will be sent
-* asyncConnect = if set to false (default) the first connection to the server during startup will block up to `timeout` seconds,
-otherwise the connection is done in a separate thread.
-
-While `protobufServer()` only exports the queries sent to the recursor from clients, with the corresponding responses,
-`outgoingProtobufServer()` can be used to export outgoing queries sent by the recursor to authoritative servers,
-along with the corresponding responses.
-
-```
-outgoingProtobufServer("192.0.2.1:4242" [[[[, timeout], maxQueuedEntries], reconnectWaitTime], asyncConnect])
-```
-
-The optional parameters for `outgoingProtobufServer()` are:
-
-* timeout = time in seconds to wait when sending a message, default to 2
-* maxQueuedEntries = how many entries will be kept in memory if the server becomes unreachable, default to 100
-* reconnectWaitTime = how long to wait, in seconds, between two reconnection attempts, default to 1
-* asyncConnect = if set to false (default) the first connection to the server during startup will block up to `timeout` seconds,
-otherwise the connection is done in a separate thread.
-
-The protocol buffers message types can be found in the [`dnsmessage.proto`](https://github.com/PowerDNS/pdns/blob/master/pdns/dnsmessage.proto) file.
-
-## `lua-dns-script`
-* Path
-* Default: unset
-* Available since: 3.1.7
-
-Path to a lua file to manipulate the recursor's answers. See [Scripting the
-recursor](scripting.md).
-
-## `max-cache-entries`
-* Integer
-* Default: 1000000
-
-Maximum number of DNS cache entries. 1 million per thread will generally suffice
-for most installations.
-
-## `max-cache-ttl`
-* Integer
-* Default: 86400
-* Available since: 3.2
-
-Maximum number of seconds to cache an item in the DNS cache, no matter what the
-original TTL specified.
-Since PowerDNS Recursor 4.1.0, the minimum value of this setting is 15.
-i.e. setting this to lower than 15 will make this value 15.
-
-## `max-mthreads`
-* Integer
-* Default: 2048
-
-Maximum number of simultaneous MTasker threads.
-
-## `max-packetcache-entries`
-* Integer
-* Default: 500000
-* Available since: 3.2
-
-Maximum number of Packet Cache entries. 1 million per thread will generally
-suffice for most installations.
-
-## `max-qperq`
-* Integer
-* Default: 50
-
-The maximum number of outgoing queries that will be sent out during the resolution
-of a single client query. This is used to limit endlessly chasing CNAME redirections.
-
-## `max-negative-ttl`
-* Integer
-* Default: 3600
-
-A query for which there is authoritatively no answer is cached to quickly deny a
-record's existence later on, without putting a heavy load on the remote server.
-In practice, caches can become saturated with hundreds of thousands of hosts
-which are tried only once. This setting, which defaults to 3600 seconds, puts a
-maximum on the amount of time negative entries are cached.
-
-## `max-recursion-depth`
-* Integer
-* Default: 40 (since 4.1.0), unlimited (before 4.1.0)
-* Available since: 4.0.4
-
-Total maximum number of internal recursion calls the server may use to answer
-a single query. 0 means unlimited. The value of `stack-size` should be increased
-together with this one to prevent the stack from overflowing.
-
-## `max-tcp-clients`
-* Integer
-* Default: 128
-
-Maximum number of simultaneous incoming TCP connections allowed.
-
-## `max-tcp-per-client`
-* Integer
-* Default: 0 (unlimited)
-
-Maximum number of simultaneous incoming TCP connections allowed per client
-(remote IP address).
-
-## `max-tcp-queries-per-connection`
-* Integer
-* Default: 0 (unlimited)
-* Available since: 4.1.0
-
-Maximum number of DNS queries in a TCP connection.
-
-## `max-total-msec`
-* Integer
-* Default: 7000
-* Available since: 3.7.1
-
-Total maximum number of milliseconds of wallclock time the server may use to answer
-a single query.
-
-## `minimum-ttl-override`
-* Integer
-* Default: 0 (disabled)
-* Available since: 3.6.0
-
-This setting artificially raises all TTLs to be at least this long. While this
-is a gross hack, and violates RFCs, under conditions of DoS, it may enable you
-to continue serving your customers. Can be set at runtime using
-`rec_control set-minimum-ttl 3600`.
-
-## `network-timeout`
-* Integer
-* Default: 1500
-* Available since: 3.2
-
-Number of milliseconds to wait for a remote authoritative server to respond.
-
-## `nsec3-max-iterations`
-* Integer
-* Default: 2500
-* Available since: 4.1
-
-Maximum number of iterations allowed for an NSEC3 record. If an answer containing an NSEC3 record
-with more iterations is received, its DNSSEC validation status is treated as Insecure.
-
-## `packetcache-ttl`
-* Integer
-* Default: 3600
-* Available since: 3.2
-
-Maximum number of seconds to cache an item in the packet cache, no matter what
-the original TTL specified.
-
-## `packetcache-servfail-ttl`
-* Integer
-* Default: 60
-* Available since: 3.2
-
-Maximum number of seconds to cache a 'server failure' answer in the packet cache.
-From 4.0.0 onward, this settings maximum is capped to [`packetcache-ttl`](#packetcache-ttl).
-i.e. setting `packetcache-ttl=15` and keeping `packetcache-servfail-ttl` at the
-default will lower `packetcache-servfail-ttl` to `15`.
-
-## `pdns-distributes-queries`
-* Boolean
-* Default: yes (since 3.7.0), no (before 3.7.0)
-* Available since: 3.3
-
-If set, PowerDNS will have only 1 thread listening on client sockets, and
-distribute work by itself over threads. Improves performance on Linux. Do not
-use on Recursor versions before 3.6 as the feature was experimental back then,
-and not that stable.
-
-## `query-local-address`
-* IPv4 Address, comma separated
-* Default: 0.0.0.0
-
-Send out local queries from this address, or addresses, by adding multiple
-addresses, increased spoofing resilience is achieved.
-
-## `query-local-address6`
-* IPv6 addresses, comma separated
-* Default: unset
-* Available since: 3.1
-
-Send out local IPv6 queries from this address or addresses. Disabled by default,
-which also disables outgoing IPv6 support.
-
-## `quiet`
-* Boolean
-* Default: yes
-
-Don't log queries.
-
-## `reuseport`
-* Boolean
-* Default: no
-
-If `SO_REUSEPORT` support is available, allows multiple processes to open a
-listening socket on the same port. Since 4.1.0, when `pdns-distributes-queries` is set to
-false and `reuseport` is enabled, every thread will open a separate listening socket to let
-the kernel distribute the incoming queries, avoiding any thundering herd issue as well as
-the distributor thread being a bottleneck, thus leading to much higher performance on multi-core boxes.
-
-## `root-nx-trust`
-* Boolean
-* Default: no (<= 4.0.0), yes
-* Available since: 3.7.1
-
-If set, an NXDOMAIN from the root-servers will serve as a blanket NXDOMAIN for the entire TLD
-the query belonged to. The effect of this is far fewer queries to the root-servers.
-
-## `security-poll-suffix`
-* String
-* Default: secpoll.powerdns.com.
-
-Domain name from which to query security update notifications. Setting this to
-an empty string disables secpoll.
-
-## `serve-rfc1918`
-* Boolean
-* Default: yes
-* Available since: 3.6.2
-
-This makes the server authoritatively aware of: `10.in-addr.arpa`,
-`168.192.in-addr.arpa`, `16-31.172.in-addr.arpa`, which saves load on the AS112
-servers. Individual parts of these zones can still be loaded or forwarded.
-
-## `server-down-max-fails`
-* Integer
-* Default: 64
-* Available since: 3.6.0
-
-If a server has not responded in any way this many times in a row, no longer
-send it any queries for [`server-down-throttle-time`](#server-down-throttle-time)
-seconds. Afterwards, we will try a new packet, and if that also gets no response
-at all, we again throttle for [`server-down-throttle-time-seconds`](#server-down-throttle-time).
-Even a single response packet will drop the block.
-
-## `server-down-throttle-time`
-* Integer
-* Default: 60
-* Available since: 3.6.0
-
-Throttle a server that has failed to respond [`server-down-max-fails`](#server-down-max-fails)
-times for this many seconds.
-
-## `server-id`
-* String
-* Default: The hostname of the server
-
-The PowerDNS recursor by replies to a query for 'id.server' with its hostname,
-useful for in clusters. Use this setting to override the answer it gives.
-
-Query example (where 192.0.2.14 is your server):
-```
-dig @192.0.2.14 CHAOS TXT id.server.
-```
-
-## `setgid`, `setuid`
-* String
-* Default: unset
-
-PowerDNS can change its user and group id after binding to its socket. Can be
-used for better [security](security.md).
-
-## `single-socket`
-* Boolean
-* Default: no
-
-Use only a single socket for outgoing queries.
-
-## `snmp-agent`
-* Boolean
-* Default: no
-
-If set to true and PowerDNS has been compiled with SNMP support, it will register
-as an SNMP agent to provide statistics and be able to send traps.
-
-## `snmp-master-socket`
-* String
-* Default: empty
-
-If not empty and `snmp-agent` is set to true, indicates how PowerDNS should contact
-the SNMP master to register as an SNMP agent.
-
-## `socket-dir`
-* Path
-
-Where to store the control socket and pidfile. The default depends on
-`LOCALSTATEDIR` during compile-time (usually `/var/run` or `/run`).
-
-When using [`chroot`](#chroot) the default becomes to `/`.
-
-## `socket-owner`, `socket-group`, `socket-mode`
-* Available since: 3.2
-
-Owner, group and mode of the controlsocket. Owner and group can be specified by
-name, mode is in octal.
-
-## `spoof-nearmiss-max`
-* Integer
-* Default: 20
-
-If set to non-zero, PowerDNS will assume it is being spoofed after seeing this
-many answers with the wrong id.
-
-## `stack-size`
-* Integer
-* Default: 200000
-* Available since: 3.1.3
-
-Size of the stack per thread.
-
-## `stats-ringbuffer-entries`
-* Integer
-* Default: 10000
-* Available since: 3.7.1
-
-Number of entries in the remotes ringbuffer, which keeps statistics on who is
-querying your server. Can be read out using `rec_control top-remotes`.
-
-## `tcp-fast-open`
-* Integer
-* Default: 0 (Disabled)
-* Available since: 4.1
-
-Enable TCP Fast Open support, if available, on the listening sockets. The numerical
-value supplied is used as the queue size, 0 meaning disabled.
-
-## `threads`
-* Integer
-* Default: 2
-* Available since: 3.2
-
-Spawn this number of threads on startup.
-
-## `trace`
-* Boolean
-* Default: no
-
-If turned on, output impressive heaps of logging. May destroy performance under
-load.
-
-## `udp-truncation-threshold`
-* Integer
-* Default: 1680
-* Available since: 3.6.0
-
-EDNS0 allows for large UDP response datagrams, which can potentially raise
-performance. Large responses however also have downsides in terms of reflection
-attacks. This setting limits the accepted size. Maximum value is 65535, but
-values above 4096 should probably not be attempted.
-
-## `use-incoming-edns-subnet`
-* Boolean
-* Default: no
-
-Whether to process and pass along a received EDNS Client Subnet to authoritative
-servers. The ECS information will only be sent for netmasks and domains listed
-in `edns-subnet-whitelist`, and will be truncated if the received scope exceeds
-`ecs-ipv4-bits` for IPv4 or `ecs-ipv6-bits` for IPv6.
-
-## `version`
-* Available since: 3.1.5
-
-Print version of this binary. Useful for checking which version of the PowerDNS
-recursor is installed on a system. Available since version 3.1.5.
-
-## `version-string`
-* String
-* Default: PowerDNS Recursor version number
-
-By default, PowerDNS replies to the 'version.bind' query with its version number.
-Security conscious users may wish to override the reply PowerDNS issues.
-
-## `webserver`
-* Boolean
-* Default: no
-* Available since: 4.0.0
-
-Start the webserver (for REST API).
-
-## `webserver-address`
-* IP Addresses, separated by spaces
-* Default: 127.0.0.1
-* Available since: 4.0.0
-
-IP address for the webserver to listen on.
-
-## `webserver-allow-from`
-* IP addresses, comma separated
-* Default: 0.0.0.0, ::/0
-* Available since: 3.7.1
-
-These subnets are allowed to access the webserver.
-
-## `webserver-password`
-* String
-* Default: unset
-* Available since: 4.0.0
-
-Password required to access the webserver.
-
-## `webserver-port`
-* Integer
-* Default: 8082
-* Available since: 4.0.0
-
-TCP port where the webserver should listen on.
-
-## `write-pid`
-* Boolean
-* Default: yes
-* Available since: 4.0.0
-
-If a PID file should be written. Available since 4.0.
+++ /dev/null
-# Recursor Statistics
-The `rec_control get` command can be used to query the following statistics, either single keys or multiple statistics at once:
-
-* `all-outqueries`: counts the number of outgoing UDP queries since starting
-* `answers-slow`: counts the number of queries answered after 1 second
-* `answers0-1`: counts the number of queries answered within 1 millisecond
-* `answers1-10`: counts the number of queries answered within 10 milliseconds
-* `answers10-100`: counts the number of queries answered within 100 milliseconds
-* `answers100-1000`: counts the number of queries answered within 1 second
-* `auth4-answers-slow`: counts the number of queries answered by auth4s after 1 second (4.0)
-* `auth4-answers0-1`: counts the number of queries answered by auth4s within 1 millisecond (4.0)
-* `auth4-answers1-10`: counts the number of queries answered by auth4s within 10 milliseconds (4.0)
-* `auth4-answers10-100`: counts the number of queries answered by auth4s within 100 milliseconds (4.0)
-* `auth4-answers100-1000`: counts the number of queries answered by auth4s within 1 second (4.0)
-* `auth6-answers-slow`: counts the number of queries answered by auth6s after 1 second (4.0)
-* `auth6-answers0-1`: counts the number of queries answered by auth6s within 1 millisecond (4.0)
-* `auth6-answers1-10`: counts the number of queries answered by auth6s within 10 milliseconds (4.0)
-* `auth6-answers10-100`: counts the number of queries answered by auth6s within 100 milliseconds (4.0)
-* `auth6-answers100-1000`: counts the number of queries answered by auth6s within 1 second (4.0)
-* `cache-bytes`: size of the cache in bytes (since 3.3.1)
-* `cache-entries`: shows the number of entries in the cache
-* `cache-hits`: counts the number of cache hits since starting, this does **not** include hits that got answered from the packet-cache
-* `cache-misses`: counts the number of cache misses since starting
-* `case-mismatches`: counts the number of mismatches in character case since starting
-* `chain-resends`: number of queries chained to existing outstanding query
-* `client-parse-errors`: counts number of client packets that could not be parsed
-* `concurrent-queries`: shows the number of MThreads currently running
-* `dlg-only-drops`: number of records dropped because of delegation only setting
-* `dnssec-queries`: number of queries received with the DO bit set
-* `dnssec-result-bogus`: number of DNSSEC validations that had the Bogus state
-* `dnssec-result-indeterminate`: number of DNSSEC validations that had the Indeterminate state
-* `dnssec-result-insecure`: number of DNSSEC validations that had the Insecure state
-* `dnssec-result-nta`: number of DNSSEC validations that had the NTA (negative trust anchor) state
-* `dnssec-result-secure`: number of DNSSEC validations that had the Secure state
-* `dnssec-validations`: number of DNSSEC validations performed
-* `dont-outqueries`: number of outgoing queries dropped because of 'dont-query' setting (since 3.3)
-* `edns-ping-matches`: number of servers that sent a valid EDNS PING response
-* `edns-ping-mismatches`: number of servers that sent an invalid EDNS PING response
-* `failed-host-entries`: number of servers that failed to resolve
-* `ignored-packets`: counts the number of non-query packets received on server sockets that should only get query packets
-* `ipv6-outqueries`: number of outgoing queries over IPv6
-* `ipv6-questions`: counts all end-user initiated queries with the RD bit set, received over IPv6 UDP
-* `malloc-bytes`: returns the number of bytes allocated by the process (broken, always returns 0)
-* `max-mthread-stack`: maximum amount of thread stack ever used
-* `negcache-entries`: shows the number of entries in the negative answer cache
-* `no-packet-error`: number of erroneous received packets
-* `noedns-outqueries`: number of queries sent out without EDNS
-* `noerror-answers`: counts the number of times it answered NOERROR since starting
-* `noping-outqueries`: number of queries sent out without ENDS PING
-* `nsset-invalidations`: number of times an nsset was dropped because it no longer worked
-* `nsspeeds-entries`: shows the number of entries in the NS speeds map
-* `nxdomain-answers`: counts the number of times it answered NXDOMAIN since starting
-* `outgoing-timeouts`: counts the number of timeouts on outgoing UDP queries since starting
-* `outgoing4-timeouts`: counts the number of timeouts on outgoing UDP IPv4 queries since starting (since 4.0)
-* `outgoing6-timeouts`: counts the number of timeouts on outgoing UDP IPv6 queries since starting (since 4.0)
-* `over-capacity-drops`: questions dropped because over maximum concurrent query limit (since 3.2)
-* `packetcache-bytes`: size of the packet cache in bytes (since 3.3.1)
-* `packetcache-entries`: size of packet cache (since 3.2)
-* `packetcache-hits`: packet cache hits (since 3.2)
-* `packetcache-misses`: packet cache misses (since 3.2)
-* `policy-drops`: packets dropped because of (Lua) policy decision
-* `policy-result-noaction`: packets that were not actioned upon by the RPZ/filter engine
-* `policy-result-drop`: packets that were dropped by the RPZ/filter engine
-* `policy-result-nxdomain`: packets that were replied to with NXDOMAIN by the RPZ/filter engine
-* `policy-result-nodata`: packets that were replied to with no data by the RPZ/filter engine
-* `policy-result-truncate`: packets that were forced to TCP by the RPZ/filter engine
-* `policy-result-custom`: packets that were sent a custom answer by the RPZ/filter engine
-* `qa-latency`: shows the current latency average, in microseconds, exponentially weighted over past 'latency-statistic-size' packets
-* `questions`: counts all end-user initiated queries with the RD bit set
-* `resource-limits`: counts number of queries that could not be performed because of resource limits
-* `security-status`: security status based on [security polling](../common/security.md#implementation)
-* `server-parse-errors`: counts number of server replied packets that could not be parsed
-* `servfail-answers`: counts the number of times it answered SERVFAIL since starting
-* `spoof-prevents`: number of times PowerDNS considered itself spoofed, and dropped the data
-* `sys-msec`: number of CPU milliseconds spent in 'system' mode
-* `tcp-client-overflow`: number of times an IP address was denied TCP access because it already had too many connections
-* `tcp-clients`: counts the number of currently active TCP/IP clients
-* `tcp-outqueries`: counts the number of outgoing TCP queries since starting
-* `tcp-questions`: counts all incoming TCP queries (since starting)
-* `throttle-entries`: shows the number of entries in the throttle map
-* `throttled-out`: counts the number of throttled outgoing UDP queries since starting
-* `throttled-outqueries`: idem to throttled-out
-* `too-old-drops`: questions dropped that were too old
-* `unauthorized-tcp`: number of TCP questions denied because of allow-from restrictions
-* `unauthorized-udp`: number of UDP questions denied because of allow-from restrictions
-* `unexpected-packets`: number of answers from remote servers that were unexpected (might point to spoofing)
-* `unreachables`: number of times nameservers were unreachable since starting
-* `uptime`: number of seconds process has been running (since 3.1.5)
-* `user-msec`: number of CPU milliseconds spent in 'user' mode
-
-In the `pdns/tools/rrd/` subdirectory a number of rrdtool scripts is provided to
-make nice graphs of all these numbers. Use `rec_control get-all` to get all
-statistics in one go.
-
-It should be noted that answers0-1 + answers1-10 + answers10-100 + answers100-1000 +
-answers-slow + packetcache-hits + over-capacity-drops + policy-drops = questions.
-
-Also note that unauthorized-tcp and unauthorized-udp packets do not end up in
-the 'questions' count.
-
-Every half hour or so, the recursor outputs a line with statistics. More
-infrastructure is planned so as to allow for Cricket or MRTG graphs. To force
-the output of statistics, send the process a SIGUSR1. A line of statistics looks
-like this:
-
-```
-Feb 10 14:16:03 stats: 125784 questions, 13971 cache entries, 309 negative entries, 84% cache hits, outpacket/query ratio 37%, 12% throttled
-```
-
-This means that there are 13791 different names cached, which each may have
-multiple records attached to them. There are 309 items in the negative cache,
-items of which it is known that don't exist and won't do so for the near future.
-84% of incoming questions could be answered without any additional queries going
-out to the net.
-
-The outpacket/query ratio means that on average, 0.37 packets were needed to
-answer a question. Initially this ratio may be well over 100% as additional
-queries may be needed to actually recurse the DNS and figure out the addresses
-of nameservers.
-
-Finally, 12% of queries were not performed because identical queries had gone out
-previously, saving load on servers worldwide.
+++ /dev/null
-Before upgrading, it is advised to read the [changelog](../changelog.md).
-When upgrading several versions, please read **all** notes applying to the upgrade.
-
-# 4.0.x to 4.1.0
-
-[`setting-max-recursion-depth`](settings.md#setting-max-recursion-depth) defaulted to 4 but
-was always overridden to 6 during the startup. The issue has been fixed and the default value
-set to 6 to keep the behavior consistent.
-
-# 4.0.5 to 4.0.6
-
-One default was changed:
-
- - [`use-incoming-edns-subnet`](settings.md#use-incoming-edns-subnet) defaults to off, was on before
-
-# 4.0.3 to 4.0.4
-One setting has been added to limit the risk of overflowing the stack:
-
- - [`max-recursion-depth`](settings.md#max-recursion-depth) defaults to 40 and was unlimited before
-
-# 4.0.0 to 4.0.1
-Two settings have changed defaults, these new defaults decrease CPU usage:
-
- - [`root-nx-trust`](settings.md#root-nx-trust) changed from `no` to `yes`
- - [`log-common-errors`](settings.md#log-common-errors) changed from `yes` to `no`
+++ /dev/null
-# Security Policy
-
-If you have a security problem to report, please email us at both <a href="mailto:security@netherlabs.nl">security@netherlabs.nl</a> and <a href="mailto:ahu@ds9a.nl">ahu@ds9a.nl</a>. Please do not mail security issues to public lists, nor file a ticket, unless we do not get back to you in a timely manner. We fully credit reporters of security issues, and respond quickly, but please allow us a reasonable timeframe to coordinate a response.
-
-We remind PowerDNS users that under the terms of the GNU General Public License, PowerDNS comes with ABSOLUTELY NO WARRANTY. This license is included in this documentation.
-
-As of the 9th of September 2016, no actual security problems with PowerDNS Authoritative Server 3.4.10, Recursor 3.6.3, Recursor 3.7.2, or later are known about. This page will be updated with all bugs which are deemed to be security problems, or could conceivably lead to those. Any such notifications will also be sent to all PowerDNS mailing lists.
-
-Version 3.4.9 and earlier of the PowerDNS Authoritative Server can be made to cause unexpected backend load, see [PowerDNS Security Advisory 2016-01](powerdns-advisory-2016-01.md) for more information.
-
-PowerDNS Authoritative Server 3.4.0 through 3.4.5 can have their threads crashed with a malformed packet, see [PowerDNS Security Advisory 2015-02](powerdns-advisory-2015-02.md) for more information.
-
-All recent Recursor versions up to and including 3.6.2 and 3.7.1, and all recent Authoritative servers up to and including version 3.4.3, can in specific situations be crashed with a malformed packet. For more detail, see [PowerDNS Security Advisory 2015-01](powerdns-advisory-2015-01.md)
-
-All Recursor versions up to and including 3.6.1 can be made to provide degraded service. For more detail, see [PowerDNS Security Advisory 2014-02](powerdns-advisory-2014-02.md)
-
-Version 3.6.0 of the Recursor (but not 3.5.x) can be crashed remotely with a specific packet sequence. For more detail, see [PowerDNS Security Advisory 2014-01](powerdns-advisory-2014-01.md)
-
-Versions 2.9.22 and lower and 3.0 of the PowerDNS Authoritative Server were vulnerable to a temporary denial of service attack. For more detail, see [PowerDNS Security Advisory 2012-01](powerdns-advisory-2012-01.md).
-
-Version 3.1.7.1 and earlier of the PowerDNS Recursor were vulnerable to a probably exploitable buffer overflow and a spoofing attack. For more detail, see [PowerDNS Security Advisory 2010-01](powerdns-advisory-2010-01.md "PowerDNS Security Advisory 2010-01: PowerDNS Recursor up to and including 3.1.7.1 can be brought down and probably exploited") and [PowerDNS Security Advisory 2010-02](powerdns-advisory-2010-02.md "PowerDNS Recursor up to and including 3.1.7.1 can be spoofed into accepting bogus data").
-
-Version 3.1.4 and earlier of the PowerDNS recursor were vulnerable to a spoofing attack. For more detail, see [PowerDNS Security Advisory 2008-01](powerdns-advisory-2008-01.md "System random generator can be predicted, leading to the potential to 'spoof' PowerDNS Recursor").
-
-Version 3.1.3 and earlier of the PowerDNS recursor contain two security issues, both of which can lead to a denial of service, both of which can be triggered by remote users. One of the issues might be exploited and ead to a system compromise. For more detail, see [PowerDNS Security Advisory 2006-01](powerdns-advisory-2006-01.md "Malformed TCP queries can lead to a buffer overflow which might be exploitable") and [PowerDNS Security Advisory 2006-02](powerdns-advisory-2006-02.md "Zero second CNAME TTLs can make PowerDNS exhaust allocated stack space, and crash").
-
-Version 3.0 of the PowerDNS recursor contains a denial of service bug which can be exploited remotely. This bug, which we believe to only lead to a crash, has been fixed in 3.0.1. There are no guarantees however, so an upgrade from 3.0 is highly recommended.
-
-All versions of PowerDNS before 2.9.21.1 do not respond to certain queries. This in itself is not a problem, but since the discovery by Dan Kaminsky of a new spoofing technique, this silence for queries PowerDNS considers invalid, within a valid domain, allows attackers more chances to feed *other* resolvers bad data.
-
-All versions of PowerDNS before 2.9.18 contain the following two bugs, which only apply to installations running with the LDAP backend, or installations providing recursion to a limited range of IP addresses. If any of these apply to you, an upgrade is highly advised:
-
- * The LDAP backend did not properly escape all queries, allowing it to fail and not answer questions. We have not investigated further risks involved, but we advise LDAP users to update as quickly as possible (Norbert Sendetzky, Jan de Groot)
-
- * Questions from clients denied recursion could blank out answers to clients who are allowed recursion services, temporarily. Reported by Wilco Baan. This would've made it possible for outsiders to blank out a domain temporarily to your users. Luckily PowerDNS would send out SERVFAIL or Refused, and not a denial of a domain's existence.
-
-All versions of PowerDNS before 2.9.17 are known to suffer from remote denial of service problems which can disrupt operation. Please upgrade to 2.9.17 as this page will only contain detailed security information from 2.9.17 onwards.
+++ /dev/null
-## PowerDNS Security Advisory 2006-01: Malformed TCP queries can lead to a buffer overflow which might be exploitable
-
-
- * CVE: CVE-2006-4251
- * Date: 13th of November 2006
- * Affects: PowerDNS Recursor versions 3.1.3 and earlier, on all operating systems.
- * Not affected: No versions of the PowerDNS Authoritative Server ('pdns\_server') are affected.
- * Severity: Critical
- * Impact: Potential remote system compromise.
- * Exploit: As far as we know, no exploit is available as of 11th of November 2006.
- * Solution: Upgrade to PowerDNS Recursor 3.1.4, or apply the patches referred below and recompile
- * Workaround: Disable TCP access to the Recursor. This will have slight operational impact, but it is likely that this will not lead to meaningful degradation of service. Disabling access is best performed at packet level, either by configuring a firewall, or instructing the host operating system to drop TCP connections to port 53. Additionally, exposure can be limited by configuring the `allow-from` setting so only trusted users can query your nameserver.
-
-PowerDNS Recursor 3.1.3 and previous miscalculate the length of incoming TCP DNS queries, and will attempt to read up to 4 gigabytes of query into a 65535 byte buffer.
-
-We have not verified if this problem might actually lead to a system compromise, but are acting on the assumption that it might.
-
-For distributors, a minimal patch is available on [the PowerDNS wiki](http://wiki.powerdns.com/cgi-bin/trac.fcgi/changeset/915). Additionally, those shipping very old versions of the PowerDNS Recursor might benefit from this [patch](http://ds9a.nl/tmp/cve-2006-4251.patch).
-
-The impact of these and other security problems can be lessened by considering the advice in FIXME: security-settings.
+++ /dev/null
-## PowerDNS Security Advisory 2006-02: Zero second CNAME TTLs can make PowerDNS exhaust allocated stack space, and crash
-
- * CVE: CVE-2006-4252
- * Date: 13th of November 2006
- * Affects: PowerDNS Recursor versions 3.1.3 and earlier, on all operating systems.
- * Not affected: No versions of the PowerDNS Authoritative Server ('pdns\_server') are affected.
- * Severity: Moderate
- * Impact: Denial of service
- * Exploit: This problem can be triggered by sending queries for specifically configured domains
- * Solution: Upgrade to PowerDNS Recursor 3.1.4, or apply [commit 919](http://wiki.powerdns.com/projects/trac/changeset/919).
- * Workaround: None known. Exposure can be limited by configuring the **allow-from** setting so only trusted users can query your nameserver.
-
-PowerDNS would recurse endlessly on encountering a CNAME loop consisting entirely of zero second CNAME records, eventually exceeding resources and crashing.
+++ /dev/null
-## PowerDNS Security Advisory 2008-01: System random generator can be predicted, leading to the potential to 'spoof' PowerDNS Recursor
-
- * CVE: Not yet assigned
- * Date: 31st of March 2008
- * Affects: PowerDNS Recursor versions 3.1.4 and earlier, on most operating systems
- * Not affected: No versions of the PowerDNS Authoritative Server ('pdns\_server') are affected.
- * Severity:Moderate
- * Impact: Data manipulation; client redirection
- * Exploit: This problem can be triggered by sending queries for specifically configured domains, sending spoofed answer packets immediately afterwards.
- * Solution: Upgrade to PowerDNS Recursor 3.1.5, or apply changesets [1159](http://wiki.powerdns.com/projects/trac/changeset/1159), [1160](http://wiki.powerdns.com/projects/trac/changeset/1160) and [1164](http://wiki.powerdns.com/projects/trac/changeset/1164).
- * Workaround: None known. Exposure can be limited by configuring the **allow-from** setting so only trusted users can query your nameserver.
-
-We would like to thank Amit Klein of Trusteer for bringing a serious vulnerability to our attention which would enable a smart attacker to 'spoof' previous versions of the PowerDNS Recursor into accepting possibly malicious data.
-
-Details can be found on [this Trusteer page](http://www.trusteer.com/docs/powerdnsrecursor.html).
-
-This security problem was announced in [this email message](http://mailman.powerdns.com/pipermail/pdns-users/2008-March/005279.html).
-
-It is recommended that all users of the PowerDNS Recursor upgrade to 3.1.5 as soon as practicable, while we simultaneously note that busy servers are less susceptible to the attack, but not immune.
-
-The vulnerability is present on all operating systems where the behaviour of the libc random() function can be predicted based on its past output. This includes at least all known versions of Linux, as well as Microsoft Windows, and probably FreeBSD and Solaris.
-
-The magnitude of this vulnerability depends on internal details of the system random() generator. For Linux, the mathematics of the random generator are complex, but well understood and Amit Klein has written and published a proof of concept that can successfully predict its output after uninterrupted observation of 40-50 DNS queries.
-
-Because the observation needs to be uninterrupted, busy PowerDNS Recursor instances are harder to subvert - other data is highly likely to be interleaved with traffic generated by an attacker.
-
-Nevertheless, operators are urged to update at their earliest convenience.
+++ /dev/null
-## PowerDNS Security Advisory 2008-02: By not responding to certain queries, domains become easier to spoof
-
- * CVE: CVE-2008-3337
- * Date: 6th of August 2008
- * Affects: PowerDNS Authoritative Server 2.9.21 and earlier
- * Not affected: No versions of the PowerDNS Recursor ('pdns\_recursor') are affected.
- * Severity: Moderate
- * Impact: Data manipulation; client redirection
- * Exploit: Domains with servers that drop certain queries can be spoofed using simpler measures than would usually be required
- * Solution: Upgrade to PowerDNS Authoritative Server 2.9.21.1, or apply [commit 1239](http://wiki.powerdns.com/projects/trac/changeset/1239).
- * Workaround: None known.
-
-Brian J. Dowling of Simplicity Communications has discovered a security implication of the previous PowerDNS behaviour to drop queries it considers malformed. We are grateful that Brian notified us quickly about this problem.
-
-The implication is that while the PowerDNS Authoritative server itself does not face a security risk because of dropping these malformed queries, other resolving nameservers run a higher risk of accepting spoofed answers for domains being hosted by PowerDNS Authoritative Servers before 2.9.21.1.
-
-While the dropping of queries does not aid sophisticated spoofing attempts, it does facilitate simpler attacks.
+++ /dev/null
-## PowerDNS Security Advisory 2008-03: Some PowerDNS Configurations can be forced to restart remotely
-
- * CVE: Not yet assigned
- * Date: 18th of November 2008
- * Affects: PowerDNS Authoritative Server 2.9.21.1 and earlier
- * Not affected: No versions of the PowerDNS Recursor (`pdns_recursor`) are affected. Versions not running in single threaded mode (`distributor-threads=1`) are probably not affected.
- * Severity: Moderate
- * Impact: Denial of Service
- * Exploit: Send PowerDNS an CH HINFO query.
- * Solution: Upgrade to PowerDNS Authoritative Server 2.9.21.2, or wait for 2.9.22.
- * Workaround: Remove `distributor-threads=1` if this is set.
-
-Daniel Drown discovered that his PowerDNS 2.9.21.1 installation crashed on receiving a HINFO CH query. In his enthusiasm, he shared his discovery with the world, forcing a rapid over the weekend release cycle.
-
-While we thank Daniel for his discovery, please study our security policy as outlined in ["Security"](#security) before making vulnerabilities public.
-
-It is believed that this issue only impacts PowerDNS Authoritative Servers operating with `distributor-threads=1`, but even on other configurations a database reconnect occurs on receiving a CH HINFO query.
+++ /dev/null
-## PowerDNS Security Advisory 2010-01: PowerDNS Recursor up to and including 3.1.7.1 can be brought down and probably exploited
-
- * CVE: CVE-2009-4009
- * Date: 6th of January 2010
- * Affects: PowerDNS Recursor 3.1.7.1 and earlier
- * Not affected: No versions of the PowerDNS Authoritative ('pdns\_server') are affected.
- * Severity: Critical
- * Impact: Denial of Service, possible full system compromise
- * Exploit: Withheld
- * Solution: Upgrade to PowerDNS Recursor 3.1.7.2 or higher
- * Workaround: None. The risk of exploitation or denial of service can be decreased slightly by using the `allow-from` setting to only provide service to known users. The risk of a full system compromise can be reduced by running with a suitable reduced privilege user and group settings, and possibly chroot environment.
-
-Using specially crafted packets, it is possible to force a buffer overflow in the PowerDNS Recursor, leading to a crash.
-
-This vulnerability was discovered by a third party that (for now) prefers not to be named. PowerDNS is very grateful however for their help in improving PowerDNS security.
+++ /dev/null
-## PowerDNS Security Advisory 2010-02: PowerDNS Recursor up to and including 3.1.7.1 can be spoofed into accepting bogus data
-
- * CVE: CVE-2009-4010
- * Date: 6th of January 2010
- * Affects: PowerDNS Recursor 3.1.7.1 and earlier
- * Not affected: No versions of the PowerDNS Authoritative ('pdns\_server') are affected.
- * Severity: High
- * Impact: Using smart techniques, it is possible to fool the PowerDNS Recursor into accepting unauthorized data
- * Exploit: Withheld
- * Solution: Upgrade to PowerDNS Recursor 3.1.7.2 or higher
- * Workaround: None.
-
-Using specially crafted zones, it is possible to fool the PowerDNS Recursor into accepting bogus data. This data might be harmful to your users. An attacker would be able to divert data from, say, bigbank.com to an IP address of his choosing.
-
-This vulnerability was discovered by a third party that (for now) prefers not to be named. PowerDNS is very grateful however for their help in improving PowerDNS security.
+++ /dev/null
-## PowerDNS Security Advisory 2012-01: PowerDNS Authoritative Server can be caused to generate a traffic loop
-
-
- * CVE: CVE-2012-0206
- * Date: 10th of January 2012
- * Credit: Ray Morris of [BetterCGI.com](http://BetterCGI.com/).
- * Affects: Most PowerDNS Authoritative Server versions < 3.0.1 (with the exception of 2.9.22.5 and 2.9.22.6)
- * Not affected: No versions of the PowerDNS Recursor ('pdns\_recursor') are affected.
- * Severity: High
- * Impact: Using well crafted UDP packets, one or more PowerDNS servers could be made to enter a tight packet loop, causing temporary denial of service
- * Exploit: Proof of concept
- * Risk of system compromise: No
- * Solution: Upgrade to PowerDNS Authoritative Server 2.9.22.5 or 3.0.1
- * Workaround: Several, the easiest is setting: `cache-ttl=0`, which does have a performance impact. Please see below.
-
-Affected versions of the PowerDNS Authoritative Server can be made to respond to DNS responses, thus enabling an attacker to setup a packet loop between two PowerDNS servers, perpetually answering each other's answers. In some scenarios, a server could also be made to talk to itself, achieving the same effect.
-
-If enough bouncing traffic is generated, this will overwhelm the server or network and disrupt service.
-
-As a workaround, if upgrading to a non-affected version is not possible, several options are available. The issue is caused by the packet-cache, which can be disabled by setting 'cache-ttl=0', although this does incur a performance penalty. This can be partially addressed by raising the query-cache-ttl to a (far) higher value.
-
-Alternatively, on Linux systems with a working iptables setup, 'responses' sent to the PowerDNS Authoritative Server 'question' address can be blocked by issuing:
-
-```
- iptables -I INPUT -p udp --dst $AUTHIP --dport 53 \! -f -m u32 --u32 "0>>22&0x3C@8>>15&0x01=1" -j DROP
-
-```
-
-If this command is used on a router or firewall, substitute FORWARD for INPUT.
-
-To solve this issue, we recommend upgrading to the latest packages available for your system. Tarballs and new static builds (32/64bit, RPM/DEB) of 2.9.22.5 and 3.0.1 have been uploaded to [our download site](http://www.powerdns.com/content/downloads.html). Kees Monshouwer has provided updated CentOS/RHEL packages in [his repository](http://www.monshouwer.eu/download/3th_party/). Debian, Fedora and SuSE should have packages available shortly after this announcement.
-
-For those running custom PowerDNS versions, just applying this patch may be easier:
-
-```
---- pdns/common_startup.cc (revision 2326)
-+++ pdns/common_startup.cc (working copy)
-@@ -253,7 +253,9 @@
- numreceived4++;
- else
- numreceived6++;
--
-+ if(P->d.qr)
-+ continue;
-+
- S.ringAccount("queries", P->qdomain+"/"+P->qtype.getName());
- S.ringAccount("remotes",P->getRemote());
- if(logDNSQueries) {
-```
-
-It should apply cleanly to 3.0 and with little trouble to several older releases, including 2.9.22 and 2.9.21.
-
-This bug resurfaced because over time, the check for 'not responding to responses' moved to the wrong place, allowing certain responses to be processed anyhow.
-
-We would like to thank Ray Morris of [BetterCGI.com](http://BetterCGI.com/) for bringing this issue to our attention and Aki Tuomi for helping us reproduce the problem.
+++ /dev/null
-## PowerDNS Security Advisory 2014-01: PowerDNS Recursor 3.6.0 can be crashed remotely
-
-* CVE: CVE-2014-3614
-* Date: 10th of September 2014
-* Credit: Dedicated PowerDNS users willing to study a crash that happens once every few months (thanks)
-* Affects: Only PowerDNS Recursor version 3.6.0.
-* Not affected: No other versions of PowerDNS Recursor, no versions of PowerDNS Authoritative Server
-* Severity: High
-* Impact: Crash
-* Exploit: The sequence of packets required is known
-* Risk of system compromise: No
-* Solution: Upgrade to PowerDNS Recursor 3.6.1
-* Workaround: Restrict service using [`allow-from`](../recursor/settings.md#allow-from), install script that restarts PowerDNS
-
-Recently, we've discovered that PowerDNS Recursor 3.6.0 (but NOT earlier) can crash when exposed to a specific sequence of malformed packets. This sequence happened spontaneously with one of our largest deployments, and the packets did not appear to have a malicious origin.
-
-Yet, this crash can be triggered remotely, leading to a denial of service attack. There appears to be no way to use this crash for system compromise or stack overflow.
-
-Upgrading to 3.6.1 solves the issue.
-
-In addition, if you want to apply a minimal fix to your own tree, it can be found [here](https://xs.powerdns.com/tmp/minipatch-3.6.1)
-
-As for workarounds, only clients in allow-from are able to trigger the crash, so this should be limited to your userbase. Secondly, [this](https://github.com/PowerDNS/pdns/blob/master/contrib/upstart-recursor.conf) and [this](https://github.com/PowerDNS/pdns/blob/master/contrib/systemd-pdns-recursor.service) can be used to enable Upstart and Systemd to restart the PowerDNS Recursor automatically.
+++ /dev/null
-## PowerDNS Security Advisory 2014-02: PowerDNS Recursor 3.6.1 and earlier can be made to provide bad service
-
-* CVE: CVE-2014-8601
-* Date: 8th of December 2014
-* Credit: Florian Maury ([ANSSI](http://www.ssi.gouv.fr/en/))
-* Affects: PowerDNS Recursor versions 3.6.1 and earlier
-* Not affected: PowerDNS Recursor 3.6.2; no versions of PowerDNS Authoritative Server
-* Severity: High
-* Impact: Degraded service
-* Exploit: This problem can be triggered by sending queries for specifically configured domains
-* Risk of system compromise: No
-* Solution: Upgrade to PowerDNS Recursor 3.6.2
-* Workaround: None known. Exposure can be limited by configuring the **allow-from** setting so only trusted users can query your nameserver.
-
-Recently we released PowerDNS Recursor 3.6.2 with a new feature that
-strictly limits the amount of work we'll perform to resolve a single query.
-This feature was inspired by performance degradations noted when resolving
-domains hosted by 'ezdns.it', which can require thousands of queries to
-resolve.
-
-During the 3.6.2 release process, we were contacted by a government security
-agency with news that they had found that all major caching nameservers,
-including PowerDNS, could be negatively impacted by specially configured,
-hard to resolve domain names. With their permission, we continued the 3.6.2
-release process with the fix for the issue already in there.
-
-We recommend that all users upgrade to 3.6.2 if at all possible. Alternatively,
-if you want to apply a minimal fix to your own tree, it can be found
-[here](https://downloads.powerdns.com/patches/2014-02/), including patches for older versions.
-
-As for workarounds, only clients in allow-from are able to trigger the
-degraded service, so this should be limited to your userbase.
+++ /dev/null
-## PowerDNS Security Advisory 2015-01: Label decompression bug can cause crashes or CPU spikes
-
-* CVE: CVE-2015-1868 (original), CVE-2015-5470 (update)
-* Date: 23rd of April 2015, updated 7th of July 2015
-* Credit: Aki Tuomi, Toshifumi Sakaguchi
-* Affects: PowerDNS Recursor versions 3.5 and up; Authoritative Server 3.2 and up
-* Not affected: Recursor 3.6.4; Recursor 3.7.3; Auth 3.3.3; Auth 3.4.5
-* Severity: High
-* Impact: Degraded service
-* Exploit: This problem can be triggered by sending queries for specifically configured domains, or by sending specially crafted query packets
-* Risk of system compromise: No
-* Solution: Upgrade to any of the non-affected versions
-* Workaround: Run your Recursor under a supervisor. Exposure can be limited by
- configuring the [`allow-from`](../recursor/settings.md#allow-from) setting so
- only trusted users can query your nameserver. There is no workaround for the
- Authoritative server.
-
-A bug was discovered in our label decompression code, making it possible for
-names to refer to themselves, thus causing a loop during decompression. On
-some platforms, this bug can be abused to cause crashes. On all platforms,
-this bug can be abused to cause service-affecting CPU spikes.
-
-We recommend that all users upgrade to a corrected version if at all possible.
-Alternatively, if you want to apply a minimal fix to your own tree, please
-[find patches here](https://downloads.powerdns.com/patches/2015-01/).
-
-As for workarounds, for the Recursor: only clients in allow-from are able to
-trigger the degraded service, so this should be limited to your userbase;
-further, we recommend running your critical services under supervision such
-as systemd, supervisord, daemontools, etc.
-
-There is no workaround for the Authoritative Server.
-
-We want to thank Aki Tuomi for noticing this in production, and then digging
-until he got to the absolute bottom of what at the time appeared to be a
-random and spurious failure.
-
-We want to thank Toshifumi Sakaguchi for further investigation into the issue
-after the initial announcement, and for demonstrating to us quite clearly the
-CPU spike issues.
-
-Update 7th of July 2015: Toshifumi Sakaguchi discovered that the original fix
-was insufficient in some cases. Updated versions of the Authoritative Server and
-Recursor [were released](../changelog.md#powerdns-recursor-364) on the 9th of June.
-Minimal patches are [available](http://downloads.powerdns.com/patches/2015-01/).
-The insufficient fix was assigned CVE-2015-5470.
+++ /dev/null
-## PowerDNS Security Advisory 2015-02: Packet parsing bug can cause thread or process abortion
-
-* CVE: CVE-2015-5230
-* Date: 2nd of September 2015
-* Credit: Pyry Hakulinen and Ashish Shukla at Automattic
-* Affects: PowerDNS Authoritative Server 3.4.0 through 3.4.5
-* Not affected: PowerDNS Authoritative Server 3.4.6
-* Severity: High
-* Impact: Degraded service or Denial of service
-* Exploit: This problem can be triggered by sending specially crafted query packets
-* Risk of system compromise: No
-* Solution: Upgrade to a non-affected version
-* Workaround: Run the Authoritative Server inside a supervisor when
- `distributor-threads` is set to `1` to prevent Denial of Service.
- No workaround for the degraded service exists
-
-A bug was found in our DNS packet parsing/generation code, which, when exploited,
-can cause individual threads (disabling service) or whole processes (allowing a
-supervisor to restart them) to crash with just one or a few query packets.
-
-PowerDNS Authoritative Server 3.4.0-3.4.5 are affected. No other versions are
-affected. The PowerDNS Recursor is not affected.
-
-[PowerDNS Authoritative Server 3.4.6](../changelog.md#powerdns-authoritative-server-346)
-contains a fix to this issue. A minimal patch is [available here](https://downloads.powerdns.com/patches/2015-02/).
-
-This issue is entirely unrelated to [Security Advisory 2015-01](powerdns-advisory-2015-01.md)/CVE-2015-1868.
-
-We'd like to thank Pyry Hakulinen and Ashish Shukla at Automattic for finding and
-subsequently reporting this bug.
+++ /dev/null
-## PowerDNS Security Advisory 2015-03: Packet parsing bug can lead to crashes
-
-* CVE: CVE-2015-5311
-* Date: November 9th 2015
-* Credit: Christian Hofstaedtler of Deduktiva GmbH
-* Affects: PowerDNS Authoritative Server 3.4.4 through 3.4.6
-* Not affected: PowerDNS Authoritative Server 3.3.x and 3.4.7 and up
-* Severity: High
-* Impact: Degraded service or Denial of service
-* Exploit: This problem can be triggered by sending specially crafted query packets
-* Risk of system compromise: No
-* Solution: Upgrade to a non-affected version
-* Workaround: run the process inside the guardian or inside a supervisor
-
-A bug was found using `afl-fuzz` in our packet parsing code. This bug, when
-exploited, causes an assertion error and consequent termination of the the
-`pdns_server` process, causing a Denial of Service.
-
-When the PowerDNS Authoritative Server is run inside the guardian (`--guardian`),
-or inside a supervisor like supervisord or systemd, it will be automatically
-restarted, limiting the impact to a somewhat degraded service.
-
-PowerDNS Authoritative Server 3.4.4 - 3.4.6 are affected. No other versions are
-affected. The PowerDNS Recursor is not affected.
-
-[PowerDNS Authoritative Server 3.4.7](../changelog.md#powerdns-authoritative-server-347)
-contains a fix to this issue. A minimal patch is [available here](https://downloads.powerdns.com/patches/2015-03/).
-
-This issue is unrelated to the issues in our previous two Security Announcements
-([2015-01](powerdns-advisory-2015-01.md) and [2015-02](powerdns-advisory-2015-02.md)).
-
-We'd like to thank Christian Hofstaedtler of Deduktiva GmbH for finding and reporting this issue.
+++ /dev/null
-## PowerDNS Security Advisory 2016-01: Crafted queries can cause unexpected backend load
-
-* CVE: CVE-2016-5426, CVE-2016-5427
-* Date: 9th of September 2016
-* Credit: Florian Heinz and Martin Kluge
-* Affects: PowerDNS Authoritative Server up to and including 3.4.9
-* Not affected: PowerDNS Authoritative Server 3.4.10, 4.x
-* Severity: Medium
-* Impact: Degraded service or Denial of service
-* Exploit: This problem can be triggered by sending specially crafted query packets
-* Risk of system compromise: No
-* Solution: Upgrade to a non-affected version
-* Workaround: Run dnsdist with the rules provided below in front of potentially affected servers, or dimension the backend capacity so that it can handle the increased load.
-
-Two issues have been found in PowerDNS Authoritative Server allowing a remote, unauthenticated attacker to cause an abnormal load on the PowerDNS backend by sending crafted DNS queries, which might result in a partial denial of service if the backend becomes overloaded. SQL backends for example are particularly vulnerable to this kind of unexpected load if they have not been dimensioned for it.
-The first issue is based on the fact that PowerDNS Authoritative Server accepts queries with a qname's length larger than 255 bytes. This issue has been assigned CVE-2016-5426.
-The second issue is based on the fact that PowerDNS Authoritative Server does not properly handle dot inside labels. This issue has been assigned CVE-2016-5427.
-Both issues have been addressed by this [commit](https://github.com/PowerDNS/pdns/commit/881b5b03a590198d03008e4200dd00cc537712f3).
-
-PowerDNS Authoritative Server up to and including 3.4.9 is affected. No other versions are affected. The PowerDNS Recursor is not affected.
-
-dnsdist can be used to block crafted queries, using QNameWireLengthRule() to block queries with a qname larger than 255 bytes and QNameLabelsCountRule() to block queries with a very large amount of labels. Please note that restricting the number of labels in a query might lead to unexpected issues, especially with DNSSEC-enabled domains.
-
-We'd like to thank Florian Heinz and Martin Kluge for finding and subsequently reporting this issue.
+++ /dev/null
-# PowerDNS Security Advisory 2016-02: Crafted queries can cause abnormal CPU usage
-
- * CVE: CVE-2016-7068
- * Date: December 15th 2016
- * Credit: Florian Heinz and Martin Kluge
- * Affects: PowerDNS Authoritative Server up to and including 3.4.10, 4.0.1, PowerDNS Recursor up to and including 3.7.3, 4.0.3
- * Not affected: PowerDNS Authoritative Server 3.4.11, 4.0.2 and PowerDNS Recursor 3.7.4, 4.0.4
- * Severity: Medium
- * Impact: Degraded service or Denial of service
- * Exploit: This issue can be triggered by sending specially crafted query packets
- * Risk of system compromise: No
- * Solution: Upgrade to a non-affected version
- * Workaround: Run dnsdist with the rules provided below in front of potentially affected servers.
-
-An issue has been found in PowerDNS allowing a remote, unauthenticated attacker to cause an abnormal CPU usage load on the PowerDNS server by sending crafted DNS queries, which might result in a partial denial of service if the system becomes overloaded. This issue is based on the fact that the PowerDNS server parses all records present in a query regardless of whether they are needed or even legitimate. A specially crafted query containing a large number of records can be used to take advantage of that behaviour. This issue has been assigned CVE-2016-7068.
-
-PowerDNS Authoritative Server up to and including 3.4.10 and 4.0.1 are affected. PowerDNS Recursor up to and including 3.7.3 and 4.0.3 are affected.
-
-dnsdist can be used to block crafted queries, using `RecordsCountRule()` and `RecordsTypeCountRule()` to block queries with crafted records.
-
-For those unable to upgrade to a new version, a minimal patch is [available](https://downloads.powerdns.com/patches/2016-02)
-
-We would like to thank Florian Heinz and Martin Kluge for finding and subsequently reporting this issue.
+++ /dev/null
-# PowerDNS Security Advisory 2016-03: Denial of service via the web server
-
- * CVE: CVE-2016-7072
- * Date: December 15th 2016
- * Credit: Mongo
- * Affects: PowerDNS Authoritative Server up to and including 3.4.10, 4.0.1
- * Not affected: PowerDNS Authoritative Server 3.4.11, 4.0.2
- * Severity: Medium
- * Impact: Degraded service or Denial of service
- * Exploit: This issue can be triggered by opening a large number of simultaneous connections to the web server
- * Risk of system compromise: No
- * Solution: Upgrade to a non-affected version
- * Workaround: Disable the web server, or restrict access to it via a firewall.
-
-An issue has been found in PowerDNS Authoritative Server allowing a remote, unauthenticated attacker to cause a denial of service by opening a large number of TCP connections to the web server. If the web server runs out of file descriptors, it triggers an exception and terminates the whole PowerDNS process.
-While it's more complicated for an unauthorized attacker to make the web server run out of file descriptors since its connection will be closed just after being accepted, it might still be possible.
-This issue has been assigned CVE-2016-7072.
-
-PowerDNS Authoritative Server up to and including 3.4.10 and 4.0.1 are affected. The PowerDNS Recursor is not affected.
-
-For those unable to upgrade to a new version, a minimal patch is [available](https://downloads.powerdns.com/patches/2016-03)
-
-We would like to thank Mongo for finding and subsequently reporting this issue.
+++ /dev/null
-# PowerDNS Security Advisory 2016-04: Insufficient validation of TSIG signatures
-
- * CVE: CVE-2016-7073 CVE-2016-7074
- * Date: December 15th 2016
- * Credit: Mongo
- * Affects: PowerDNS Authoritative Server up to and including 3.4.10, 4.0.1, PowerDNS Recursor from 4.0.0 and up to and including 4.0.3
- * Not affected: PowerDNS Authoritative Server 3.4.11, 4.0.2, PowerDNS Recursor < 4.0.0, 4.0.4
- * Severity: Medium
- * Impact: Zone content alteration
- * Exploit: This problem can be triggered by an attacker in position of man-in-the-middle
- * Risk of system compromise: No
- * Solution: Upgrade to a non-affected version
-
-Two issues have been found in PowerDNS Authoritative Server allowing an attacker in position of man-in-the-middle to alter the content of an AXFR because of insufficient validation of TSIG signatures.
-The first issue is a missing check of the TSIG time and fudge values in `AXFRRetriever`, leading to a possible replay attack. This issue has been assigned CVE-2016-7073.
-The second issue is a missing check that the TSIG record is the last one, leading to the possibility of parsing records that are not covered by the TSIG signature. This issue has been assigned CVE-2016-7074.
-
-PowerDNS Authoritative Server up to and including 3.4.10 and 4.0.1 are affected. PowerDNS Recursor from 4.0.0 up to and including 4.0.3 are affected.
-
-For those unable to upgrade to a new version, a minimal patch is [available](https://downloads.powerdns.com/patches/2016-04)
-
-We would like to thank Mongo for finding and subsequently reporting this issue.
+++ /dev/null
-# PowerDNS Security Advisory 2016-05: Crafted zone record can cause a denial of service
-
- * CVE: CVE-2016-2120
- * Date: December 15th 2016
- * Credit: Mathieu Lafon
- * Affects: PowerDNS Authoritative Server up to and including 3.4.10, 4.0.1
- * Not affected: PowerDNS Authoritative Server 3.4.11, 4.0.2
- * Severity: Medium
- * Impact: Denial of service
- * Exploit: This issue can be triggered by inserting a specially crafted record in a zone
- * Risk of system compromise: No
- * Solution: Upgrade to a non-affected version
-
-An issue has been found in PowerDNS Authoritative Server allowing an authorized user to crash the server by inserting a specially crafted record in a zone under their control then sending a DNS query for that record.
-The issue is due to an integer overflow when checking if the content of the record matches the expected size, allowing an attacker to cause a read past the buffer boundary. This issue has been assigned CVE-2016-2120.
-
-PowerDNS Authoritative Server up to and including 3.4.10 and 4.0.1 are affected. The PowerDNS Recursor is not affected.
-
-For those unable to upgrade to a new version, a minimal patch is [available](https://downloads.powerdns.com/patches/2016-05)
-
-We would like to thank Mathieu Lafon for finding and subsequently reporting this issue.
+++ /dev/null
-<!DOCTYPE html>
-<html lang="en">
- <head>
- <meta charset="utf-8">
- <meta http-equiv="X-UA-Compatible" content="IE=edge">
- <meta name="viewport" content="width=device-width, initial-scale=1.0">
- {% if page_description %}<meta name="description" content="{{ page_description }}">{% endif %}
- {% if site_author %}<meta name="author" content="{{ site_author }}">{% endif %}
- {% if canonical_url %}<link rel="canonical" href="{{ canonical_url }}">{% endif %}
- {% if favicon %}<link rel="shortcut icon" href="{{ favicon }}">
- {% else %}<link rel="shortcut icon" href="{{ base_url }}/img/favicon.ico">{% endif %}
-
- <title>{{ page_title }}</title>
-
- <link href="{{ base_url }}/css/bootstrap-custom.min.css" rel="stylesheet">
- <link href="{{ base_url }}/css/font-awesome-4.0.3.css" rel="stylesheet">
- <link href="{{ base_url }}/css/prettify-1.0.css" rel="stylesheet">
- <link href="{{ base_url }}/css/base.css" rel="stylesheet">
-
- <!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
- <!--[if lt IE 9]>
- <script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
- <script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script>
- <![endif]-->
-
- {% if theme_center_lead %}
- <style>
- div.col-md-9 h1:first-of-type {
- text-align: center;
- font-size: 60px;
- font-weight: 300;
- }
-
- div.col-md-9 p:first-of-type {
- text-align: center;
- }
- </style>
- {% endif %}
- </head>
-
- <body>
-
- {% include "nav.html" %}
-
- <div class="container">
- <div class="col-md-3">{% include "toc.html" %}</div>
- <div class="col-md-9" role="main">{% include "content.html" %}</div>
- </div>
- {% include "footer.html" %}
- {% if include_search %}{% include "search.html" %}{% endif %}
-
- <script src="https://code.jquery.com/jquery-1.10.2.min.js"></script>
- <script src="{{ base_url }}/js/bootstrap-3.0.3.min.js"></script>
- <script src="{{ base_url }}/js/prettify-1.0.min.js"></script>
- <script src="{{ base_url }}/js/base.js"></script>
- </body>
-</html>
+++ /dev/null
-{% if source %}
-<div class="source-links">
-{% for filename in source %}
- <span class="label label-primary">{{ filename }}</span>
-{% endfor %}
-</div>
-{% endif %}
-
-<div class="alert alert-danger">This document is about PowerDNS 4.0. For other versions, please see the <a href="/">documentation index</a>.</div><br>
-
-{{ content }}
+++ /dev/null
-body {
- padding-top: 70px;
- font-size: 13px;
- padding-bottom: 30px;
-}
-
-h1 {
- font-size: 26px;
-}
-
-h2 {
- font-size: 18px;
-}
-
-h3 {
- font-size: 15px;
-}
-
-h4 {
- font-size: 13px;
-}
-
-.dropdown-menu {
- font-size: 13px;
-}
-
-ul.nav li.main {
- font-weight: bold;
-}
-
-div.col-md-3 {
- padding-left: 0;
-}
-
-div.source-links {
- float: right;
-}
-
-/*
- * Side navigation
- *
- * Scrollspy and affixed enhanced navigation to highlight sections and secondary
- * sections of docs content.
- */
-
-/* By default it's not affixed in mobile views, so undo that */
-.bs-sidebar.affix {
- height: 100%;
- overflow: auto;
- position: static;
-}
-
-.bs-sidebar.well {
- padding: 0;
-}
-
-/* First level of nav */
-.bs-sidenav {
- margin-top: 30px;
- margin-bottom: 30px;
- padding-top: 10px;
- padding-bottom: 10px;
- border-radius: 5px;
-}
-
-/* All levels of nav */
-.bs-sidebar .nav > li > a {
- display: block;
- padding: 2px 10px 2px;
-}
-.bs-sidebar .nav > li > a:hover,
-.bs-sidebar .nav > li > a:focus {
- text-decoration: none;
- border-right: 1px solid;
-}
-.bs-sidebar .nav > .active > a,
-.bs-sidebar .nav > .active:hover > a,
-.bs-sidebar .nav > .active:focus > a {
- font-weight: bold;
- background-color: transparent;
- border-right: 1px solid;
-}
-
-/* Nav: second level (shown on .active) */
-.bs-sidebar .nav .nav {
- display: none; /* Hide by default, but at >768px, show it */
- margin-bottom: 8px;
-}
-.bs-sidebar .nav .nav > li > a {
- padding-top: 3px;
- padding-bottom: 3px;
- padding-left: 30px;
- font-size: 90%;
-}
-
-.navbar-nav > li > a {
- padding: 15px 7px;
-}
-
-/* Show and affix the side nav when space allows it */
-@media (min-width: 1200px) {
- .bs-sidebar .nav > .active > ul {
- display: block;
- }
- /* Widen the fixed sidebar */
- .bs-sidebar.affix,
- .bs-sidebar.affix-bottom {
- width: 213px;
- }
- .bs-sidebar.affix {
- position: fixed; /* Undo the static from mobile first approach */
- top: 60px;
- height: 90%;
- }
- .bs-sidebar.affix-bottom {
- position: absolute; /* Undo the static from mobile first approach */
- }
- .bs-sidebar.affix-bottom .bs-sidenav,
- .bs-sidebar.affix .bs-sidenav {
- margin-top: 0;
- margin-bottom: 0;
- }
-}
-@media (min-width: 1200px) {
- /* Widen the fixed sidebar again */
- .bs-sidebar.affix-bottom,
- .bs-sidebar.affix {
- width: 263px;
- }
-}
-
-/* Footer */
-.footer {
- position: fixed;
- bottom: 0px;
- width: 100%;
- height: 30px;
- background-color: #222;
-}
-
-.footer-bar > li > a {
- padding-top: 5px;
- padding-bottom: 5px;
-}
+++ /dev/null
-@import url("//fonts.googleapis.com/css?family=Open+Sans:400italic,700italic,400,700");/*! normalize.css v2.1.3 | MIT License | git.io/normalize */article,aside,details,figcaption,figure,footer,header,hgroup,main,nav,section,summary{display:block}audio,canvas,video{display:inline-block}audio:not([controls]){display:none;height:0}[hidden],template{display:none}html{font-family:sans-serif;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}body{margin:0}a{background:transparent}a:focus{outline:thin dotted}a:active,a:hover{outline:0}h1{margin:.67em 0;font-size:2em}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:bold}dfn{font-style:italic}hr{height:0;-moz-box-sizing:content-box;box-sizing:content-box}mark{color:#000;background:#ff0}code,kbd,pre,samp{font-family:monospace,serif;font-size:1em}pre{white-space:pre-wrap}q{quotes:"\201C" "\201D" "\2018" "\2019"}small{font-size:80%}sub,sup{position:relative;font-size:75%;line-height:0;vertical-align:baseline}sup{top:-0.5em}sub{bottom:-0.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:0}fieldset{padding:.35em .625em .75em;margin:0 2px;border:1px solid #c0c0c0}legend{padding:0;border:0}button,input,select,textarea{margin:0;font-family:inherit;font-size:100%}button,input{line-height:normal}button,select{text-transform:none}button,html input[type="button"],input[type="reset"],input[type="submit"]{cursor:pointer;-webkit-appearance:button}button[disabled],html input[disabled]{cursor:default}input[type="checkbox"],input[type="radio"]{padding:0;box-sizing:border-box}input[type="search"]{-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-appearance:textfield}input[type="search"]::-webkit-search-cancel-button,input[type="search"]::-webkit-search-decoration{-webkit-appearance:none}button::-moz-focus-inner,input::-moz-focus-inner{padding:0;border:0}textarea{overflow:auto;vertical-align:top}table{border-collapse:collapse;border-spacing:0}@media print{*{color:#000!important;text-shadow:none!important;background:transparent!important;box-shadow:none!important}a,a:visited{text-decoration:underline}a[href]:after{content:" (" attr(href) ")"}abbr[title]:after{content:" (" attr(title) ")"}a[href^="javascript:"]:after,a[href^="#"]:after{content:""}pre,blockquote{border:1px solid #999;page-break-inside:avoid}thead{display:table-header-group}tr,img{page-break-inside:avoid}img{max-width:100%!important}@page{margin:2cm .5cm}p,h2,h3{orphans:3;widows:3}h2,h3{page-break-after:avoid}select{background:#fff!important}.navbar{display:none}.table td,.table th{background-color:#fff!important}.btn>.caret,.dropup>.btn>.caret{border-top-color:#000!important}.label{border:1px solid #000}.table{border-collapse:collapse!important}.table-bordered th,.table-bordered td{border:1px solid #ddd!important}}*,*:before,*:after{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}html{font-size:62.5%;-webkit-tap-highlight-color:rgba(0,0,0,0)}body{font-family:"Open Sans",Calibri,Candara,Arial,sans-serif;font-size:15px;line-height:1.428571429;color:#333;background-color:#fff}input,button,select,textarea{font-family:inherit;font-size:inherit;line-height:inherit}a{color:#007fff;text-decoration:none}a:hover,a:focus{color:#0059b3;text-decoration:underline}a:focus{outline:thin dotted;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}img{vertical-align:middle}.img-responsive{display:block;height:auto;max-width:100%}.img-rounded{border-radius:0}.img-thumbnail{display:inline-block;height:auto;max-width:100%;padding:4px;line-height:1.428571429;background-color:#fff;border:1px solid #ddd;border-radius:0;-webkit-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.img-circle{border-radius:50%}hr{margin-top:21px;margin-bottom:21px;border:0;border-top:1px solid #e6e6e6}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0,0,0,0);border:0}h1,h2,h3,h4,h5,h6,.h1,.h2,.h3,.h4,.h5,.h6{font-family:"Open Sans",Calibri,Candara,Arial,sans-serif;font-weight:300;line-height:1.1;color:inherit}h1 small,h2 small,h3 small,h4 small,h5 small,h6 small,.h1 small,.h2 small,.h3 small,.h4 small,.h5 small,.h6 small,h1 .small,h2 .small,h3 .small,h4 .small,h5 .small,h6 .small,.h1 .small,.h2 .small,.h3 .small,.h4 .small,.h5 .small,.h6 .small{font-weight:normal;line-height:1;color:#999}h1,h2,h3{margin-top:21px;margin-bottom:10.5px}h1 small,h2 small,h3 small,h1 .small,h2 .small,h3 .small{font-size:65%}h4,h5,h6{margin-top:10.5px;margin-bottom:10.5px}h4 small,h5 small,h6 small,h4 .small,h5 .small,h6 .small{font-size:75%}h1,.h1{font-size:39px}h2,.h2{font-size:32px}h3,.h3{font-size:26px}h4,.h4{font-size:19px}h5,.h5{font-size:15px}h6,.h6{font-size:13px}p{margin:0 0 10.5px}.lead{margin-bottom:21px;font-size:17px;font-weight:200;line-height:1.4}@media(min-width:768px){.lead{font-size:22.5px}}small,.small{font-size:85%}cite{font-style:normal}.text-muted{color:#999}.text-primary{color:#007fff}.text-primary:hover{color:#06c}.text-warning{color:#fff}.text-warning:hover{color:#e6e6e6}.text-danger{color:#fff}.text-danger:hover{color:#e6e6e6}.text-success{color:#fff}.text-success:hover{color:#e6e6e6}.text-info{color:#fff}.text-info:hover{color:#e6e6e6}.text-left{text-align:left}.text-right{text-align:right}.text-center{text-align:center}.page-header{padding-bottom:9.5px;margin:42px 0 21px;border-bottom:1px solid #e6e6e6}ul,ol{margin-top:0;margin-bottom:10.5px}ul ul,ol ul,ul ol,ol ol{margin-bottom:0}.list-unstyled{padding-left:0;list-style:none}.list-inline{padding-left:0;list-style:none}.list-inline>li{display:inline-block;padding-right:5px;padding-left:5px}.list-inline>li:first-child{padding-left:0}dl{margin-top:0;margin-bottom:21px}dt,dd{line-height:1.428571429}dt{font-weight:bold}dd{margin-left:0}@media(min-width:768px){.dl-horizontal dt{float:left;width:160px;overflow:hidden;clear:left;text-align:right;text-overflow:ellipsis;white-space:nowrap}.dl-horizontal dd{margin-left:180px}.dl-horizontal dd:before,.dl-horizontal dd:after{display:table;content:" "}.dl-horizontal dd:after{clear:both}.dl-horizontal dd:before,.dl-horizontal dd:after{display:table;content:" "}.dl-horizontal dd:after{clear:both}.dl-horizontal dd:before,.dl-horizontal dd:after{display:table;content:" "}.dl-horizontal dd:after{clear:both}.dl-horizontal dd:before,.dl-horizontal dd:after{display:table;content:" "}.dl-horizontal dd:after{clear:both}.dl-horizontal dd:before,.dl-horizontal dd:after{display:table;content:" "}.dl-horizontal dd:after{clear:both}}abbr[title],abbr[data-original-title]{cursor:help;border-bottom:1px dotted #999}.initialism{font-size:90%;text-transform:uppercase}blockquote{padding:10.5px 21px;margin:0 0 21px;border-left:5px solid #e6e6e6}blockquote p{font-size:18.75px;font-weight:300;line-height:1.25}blockquote p:last-child{margin-bottom:0}blockquote small,blockquote .small{display:block;line-height:1.428571429;color:#999}blockquote small:before,blockquote .small:before{content:'\2014 \00A0'}blockquote.pull-right{padding-right:15px;padding-left:0;border-right:5px solid #e6e6e6;border-left:0}blockquote.pull-right p,blockquote.pull-right small,blockquote.pull-right .small{text-align:right}blockquote.pull-right small:before,blockquote.pull-right .small:before{content:''}blockquote.pull-right small:after,blockquote.pull-right .small:after{content:'\00A0 \2014'}blockquote:before,blockquote:after{content:""}address{margin-bottom:21px;font-style:normal;line-height:1.428571429}code,kbd,pre,samp{font-family:Menlo,Monaco,Consolas,"Courier New",monospace}code{padding:2px 4px;font-size:90%;color:#c7254e;white-space:nowrap;background-color:#f9f2f4;border-radius:0}pre{display:block;padding:10px;margin:0 0 10.5px;font-size:14px;line-height:1.428571429;color:#333;word-break:break-all;word-wrap:break-word;background-color:#f5f5f5;border:1px solid #ccc;border-radius:0}pre code{padding:0;font-size:inherit;color:inherit;white-space:pre-wrap;background-color:transparent;border-radius:0}.pre-scrollable{max-height:340px;overflow-y:scroll}.container{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}.container:before,.container:after{display:table;content:" "}.container:after{clear:both}.container:before,.container:after{display:table;content:" "}.container:after{clear:both}.container:before,.container:after{display:table;content:" "}.container:after{clear:both}.container:before,.container:after{display:table;content:" "}.container:after{clear:both}.container:before,.container:after{display:table;content:" "}.container:after{clear:both}@media(min-width:768px){.container{width:750px}}@media(min-width:992px){.container{width:1050px}}@media(min-width:1200px){.container{width:1170px}}.row{margin-right:-15px;margin-left:-15px}.row:before,.row:after{display:table;content:" "}.row:after{clear:both}.row:before,.row:after{display:table;content:" "}.row:after{clear:both}.row:before,.row:after{display:table;content:" "}.row:after{clear:both}.row:before,.row:after{display:table;content:" "}.row:after{clear:both}.row:before,.row:after{display:table;content:" "}.row:after{clear:both}.col-xs-1,.col-sm-1,.col-md-1,.col-lg-1,.col-xs-2,.col-sm-2,.col-md-2,.col-lg-2,.col-xs-3,.col-sm-3,.col-md-3,.col-lg-3,.col-xs-4,.col-sm-4,.col-md-4,.col-lg-4,.col-xs-5,.col-sm-5,.col-md-5,.col-lg-5,.col-xs-6,.col-sm-6,.col-md-6,.col-lg-6,.col-xs-7,.col-sm-7,.col-md-7,.col-lg-7,.col-xs-8,.col-sm-8,.col-md-8,.col-lg-8,.col-xs-9,.col-sm-9,.col-md-9,.col-lg-9,.col-xs-10,.col-sm-10,.col-md-10,.col-lg-10,.col-xs-11,.col-sm-11,.col-md-11,.col-lg-11,.col-xs-12,.col-sm-12,.col-md-12,.col-lg-12{position:relative;min-height:1px;padding-right:15px;padding-left:15px}.col-xs-1,.col-xs-2,.col-xs-3,.col-xs-4,.col-xs-5,.col-xs-6,.col-xs-7,.col-xs-8,.col-xs-9,.col-xs-10,.col-xs-11,.col-xs-12{float:left}.col-xs-12{width:100%}.col-xs-11{width:91.66666666666666%}.col-xs-10{width:83.33333333333334%}.col-xs-9{width:75%}.col-xs-8{width:66.66666666666666%}.col-xs-7{width:58.333333333333336%}.col-xs-6{width:50%}.col-xs-5{width:41.66666666666667%}.col-xs-4{width:33.33333333333333%}.col-xs-3{width:25%}.col-xs-2{width:16.666666666666664%}.col-xs-1{width:8.333333333333332%}.col-xs-pull-12{right:100%}.col-xs-pull-11{right:91.66666666666666%}.col-xs-pull-10{right:83.33333333333334%}.col-xs-pull-9{right:75%}.col-xs-pull-8{right:66.66666666666666%}.col-xs-pull-7{right:58.333333333333336%}.col-xs-pull-6{right:50%}.col-xs-pull-5{right:41.66666666666667%}.col-xs-pull-4{right:33.33333333333333%}.col-xs-pull-3{right:25%}.col-xs-pull-2{right:16.666666666666664%}.col-xs-pull-1{right:8.333333333333332%}.col-xs-pull-0{right:0}.col-xs-push-12{left:100%}.col-xs-push-11{left:91.66666666666666%}.col-xs-push-10{left:83.33333333333334%}.col-xs-push-9{left:75%}.col-xs-push-8{left:66.66666666666666%}.col-xs-push-7{left:58.333333333333336%}.col-xs-push-6{left:50%}.col-xs-push-5{left:41.66666666666667%}.col-xs-push-4{left:33.33333333333333%}.col-xs-push-3{left:25%}.col-xs-push-2{left:16.666666666666664%}.col-xs-push-1{left:8.333333333333332%}.col-xs-push-0{left:0}.col-xs-offset-12{margin-left:100%}.col-xs-offset-11{margin-left:91.66666666666666%}.col-xs-offset-10{margin-left:83.33333333333334%}.col-xs-offset-9{margin-left:75%}.col-xs-offset-8{margin-left:66.66666666666666%}.col-xs-offset-7{margin-left:58.333333333333336%}.col-xs-offset-6{margin-left:50%}.col-xs-offset-5{margin-left:41.66666666666667%}.col-xs-offset-4{margin-left:33.33333333333333%}.col-xs-offset-3{margin-left:25%}.col-xs-offset-2{margin-left:16.666666666666664%}.col-xs-offset-1{margin-left:8.333333333333332%}.col-xs-offset-0{margin-left:0}@media(min-width:768px){.col-sm-1,.col-sm-2,.col-sm-3,.col-sm-4,.col-sm-5,.col-sm-6,.col-sm-7,.col-sm-8,.col-sm-9,.col-sm-10,.col-sm-11,.col-sm-12{float:left}.col-sm-12{width:100%}.col-sm-11{width:91.66666666666666%}.col-sm-10{width:83.33333333333334%}.col-sm-9{width:75%}.col-sm-8{width:66.66666666666666%}.col-sm-7{width:58.333333333333336%}.col-sm-6{width:50%}.col-sm-5{width:41.66666666666667%}.col-sm-4{width:33.33333333333333%}.col-sm-3{width:25%}.col-sm-2{width:16.666666666666664%}.col-sm-1{width:8.333333333333332%}.col-sm-pull-12{right:100%}.col-sm-pull-11{right:91.66666666666666%}.col-sm-pull-10{right:83.33333333333334%}.col-sm-pull-9{right:75%}.col-sm-pull-8{right:66.66666666666666%}.col-sm-pull-7{right:58.333333333333336%}.col-sm-pull-6{right:50%}.col-sm-pull-5{right:41.66666666666667%}.col-sm-pull-4{right:33.33333333333333%}.col-sm-pull-3{right:25%}.col-sm-pull-2{right:16.666666666666664%}.col-sm-pull-1{right:8.333333333333332%}.col-sm-pull-0{right:0}.col-sm-push-12{left:100%}.col-sm-push-11{left:91.66666666666666%}.col-sm-push-10{left:83.33333333333334%}.col-sm-push-9{left:75%}.col-sm-push-8{left:66.66666666666666%}.col-sm-push-7{left:58.333333333333336%}.col-sm-push-6{left:50%}.col-sm-push-5{left:41.66666666666667%}.col-sm-push-4{left:33.33333333333333%}.col-sm-push-3{left:25%}.col-sm-push-2{left:16.666666666666664%}.col-sm-push-1{left:8.333333333333332%}.col-sm-push-0{left:0}.col-sm-offset-12{margin-left:100%}.col-sm-offset-11{margin-left:91.66666666666666%}.col-sm-offset-10{margin-left:83.33333333333334%}.col-sm-offset-9{margin-left:75%}.col-sm-offset-8{margin-left:66.66666666666666%}.col-sm-offset-7{margin-left:58.333333333333336%}.col-sm-offset-6{margin-left:50%}.col-sm-offset-5{margin-left:41.66666666666667%}.col-sm-offset-4{margin-left:33.33333333333333%}.col-sm-offset-3{margin-left:25%}.col-sm-offset-2{margin-left:16.666666666666664%}.col-sm-offset-1{margin-left:8.333333333333332%}.col-sm-offset-0{margin-left:0}}@media(min-width:992px){.col-md-1,.col-md-2,.col-md-3,.col-md-4,.col-md-5,.col-md-6,.col-md-7,.col-md-8,.col-md-9,.col-md-10,.col-md-11,.col-md-12{float:left}.col-md-12{width:100%}.col-md-11{width:91.66666666666666%}.col-md-10{width:83.33333333333334%}.col-md-9{width:75%}.col-md-8{width:66.66666666666666%}.col-md-7{width:58.333333333333336%}.col-md-6{width:50%}.col-md-5{width:41.66666666666667%}.col-md-4{width:33.33333333333333%}.col-md-3{width:25%}.col-md-2{width:16.666666666666664%}.col-md-1{width:8.333333333333332%}.col-md-pull-12{right:100%}.col-md-pull-11{right:91.66666666666666%}.col-md-pull-10{right:83.33333333333334%}.col-md-pull-9{right:75%}.col-md-pull-8{right:66.66666666666666%}.col-md-pull-7{right:58.333333333333336%}.col-md-pull-6{right:50%}.col-md-pull-5{right:41.66666666666667%}.col-md-pull-4{right:33.33333333333333%}.col-md-pull-3{right:25%}.col-md-pull-2{right:16.666666666666664%}.col-md-pull-1{right:8.333333333333332%}.col-md-pull-0{right:0}.col-md-push-12{left:100%}.col-md-push-11{left:91.66666666666666%}.col-md-push-10{left:83.33333333333334%}.col-md-push-9{left:75%}.col-md-push-8{left:66.66666666666666%}.col-md-push-7{left:58.333333333333336%}.col-md-push-6{left:50%}.col-md-push-5{left:41.66666666666667%}.col-md-push-4{left:33.33333333333333%}.col-md-push-3{left:25%}.col-md-push-2{left:16.666666666666664%}.col-md-push-1{left:8.333333333333332%}.col-md-push-0{left:0}.col-md-offset-12{margin-left:100%}.col-md-offset-11{margin-left:91.66666666666666%}.col-md-offset-10{margin-left:83.33333333333334%}.col-md-offset-9{margin-left:75%}.col-md-offset-8{margin-left:66.66666666666666%}.col-md-offset-7{margin-left:58.333333333333336%}.col-md-offset-6{margin-left:50%}.col-md-offset-5{margin-left:41.66666666666667%}.col-md-offset-4{margin-left:33.33333333333333%}.col-md-offset-3{margin-left:25%}.col-md-offset-2{margin-left:16.666666666666664%}.col-md-offset-1{margin-left:8.333333333333332%}.col-md-offset-0{margin-left:0}}@media(min-width:1200px){.col-lg-1,.col-lg-2,.col-lg-3,.col-lg-4,.col-lg-5,.col-lg-6,.col-lg-7,.col-lg-8,.col-lg-9,.col-lg-10,.col-lg-11,.col-lg-12{float:left}.col-lg-12{width:100%}.col-lg-11{width:91.66666666666666%}.col-lg-10{width:83.33333333333334%}.col-lg-9{width:75%}.col-lg-8{width:66.66666666666666%}.col-lg-7{width:58.333333333333336%}.col-lg-6{width:50%}.col-lg-5{width:41.66666666666667%}.col-lg-4{width:33.33333333333333%}.col-lg-3{width:25%}.col-lg-2{width:16.666666666666664%}.col-lg-1{width:8.333333333333332%}.col-lg-pull-12{right:100%}.col-lg-pull-11{right:91.66666666666666%}.col-lg-pull-10{right:83.33333333333334%}.col-lg-pull-9{right:75%}.col-lg-pull-8{right:66.66666666666666%}.col-lg-pull-7{right:58.333333333333336%}.col-lg-pull-6{right:50%}.col-lg-pull-5{right:41.66666666666667%}.col-lg-pull-4{right:33.33333333333333%}.col-lg-pull-3{right:25%}.col-lg-pull-2{right:16.666666666666664%}.col-lg-pull-1{right:8.333333333333332%}.col-lg-pull-0{right:0}.col-lg-push-12{left:100%}.col-lg-push-11{left:91.66666666666666%}.col-lg-push-10{left:83.33333333333334%}.col-lg-push-9{left:75%}.col-lg-push-8{left:66.66666666666666%}.col-lg-push-7{left:58.333333333333336%}.col-lg-push-6{left:50%}.col-lg-push-5{left:41.66666666666667%}.col-lg-push-4{left:33.33333333333333%}.col-lg-push-3{left:25%}.col-lg-push-2{left:16.666666666666664%}.col-lg-push-1{left:8.333333333333332%}.col-lg-push-0{left:0}.col-lg-offset-12{margin-left:100%}.col-lg-offset-11{margin-left:91.66666666666666%}.col-lg-offset-10{margin-left:83.33333333333334%}.col-lg-offset-9{margin-left:75%}.col-lg-offset-8{margin-left:66.66666666666666%}.col-lg-offset-7{margin-left:58.333333333333336%}.col-lg-offset-6{margin-left:50%}.col-lg-offset-5{margin-left:41.66666666666667%}.col-lg-offset-4{margin-left:33.33333333333333%}.col-lg-offset-3{margin-left:25%}.col-lg-offset-2{margin-left:16.666666666666664%}.col-lg-offset-1{margin-left:8.333333333333332%}.col-lg-offset-0{margin-left:0}}table{max-width:100%;background-color:transparent}th{text-align:left}.table{width:100%;margin-bottom:21px}.table>thead>tr>th,.table>tbody>tr>th,.table>tfoot>tr>th,.table>thead>tr>td,.table>tbody>tr>td,.table>tfoot>tr>td{padding:8px;line-height:1.428571429;vertical-align:top;border-top:1px solid #ddd}.table>thead>tr>th{vertical-align:bottom;border-bottom:2px solid #ddd}.table>caption+thead>tr:first-child>th,.table>colgroup+thead>tr:first-child>th,.table>thead:first-child>tr:first-child>th,.table>caption+thead>tr:first-child>td,.table>colgroup+thead>tr:first-child>td,.table>thead:first-child>tr:first-child>td{border-top:0}.table>tbody+tbody{border-top:2px solid #ddd}.table .table{background-color:#fff}.table-condensed>thead>tr>th,.table-condensed>tbody>tr>th,.table-condensed>tfoot>tr>th,.table-condensed>thead>tr>td,.table-condensed>tbody>tr>td,.table-condensed>tfoot>tr>td{padding:5px}.table-bordered{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>tbody>tr>th,.table-bordered>tfoot>tr>th,.table-bordered>thead>tr>td,.table-bordered>tbody>tr>td,.table-bordered>tfoot>tr>td{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>thead>tr>td{border-bottom-width:2px}.table-striped>tbody>tr:nth-child(odd)>td,.table-striped>tbody>tr:nth-child(odd)>th{background-color:#f9f9f9}.table-hover>tbody>tr:hover>td,.table-hover>tbody>tr:hover>th{background-color:#f5f5f5}table col[class*="col-"]{position:static;display:table-column;float:none}table td[class*="col-"],table th[class*="col-"]{display:table-cell;float:none}.table>thead>tr>.active,.table>tbody>tr>.active,.table>tfoot>tr>.active,.table>thead>.active>td,.table>tbody>.active>td,.table>tfoot>.active>td,.table>thead>.active>th,.table>tbody>.active>th,.table>tfoot>.active>th{background-color:#f5f5f5}.table-hover>tbody>tr>.active:hover,.table-hover>tbody>.active:hover>td,.table-hover>tbody>.active:hover>th{background-color:#e8e8e8}.table>thead>tr>.success,.table>tbody>tr>.success,.table>tfoot>tr>.success,.table>thead>.success>td,.table>tbody>.success>td,.table>tfoot>.success>td,.table>thead>.success>th,.table>tbody>.success>th,.table>tfoot>.success>th{background-color:#3fb618}.table-hover>tbody>tr>.success:hover,.table-hover>tbody>.success:hover>td,.table-hover>tbody>.success:hover>th{background-color:#379f15}.table>thead>tr>.danger,.table>tbody>tr>.danger,.table>tfoot>tr>.danger,.table>thead>.danger>td,.table>tbody>.danger>td,.table>tfoot>.danger>td,.table>thead>.danger>th,.table>tbody>.danger>th,.table>tfoot>.danger>th{background-color:#ff0039}.table-hover>tbody>tr>.danger:hover,.table-hover>tbody>.danger:hover>td,.table-hover>tbody>.danger:hover>th{background-color:#e60033}.table>thead>tr>.warning,.table>tbody>tr>.warning,.table>tfoot>tr>.warning,.table>thead>.warning>td,.table>tbody>.warning>td,.table>tfoot>.warning>td,.table>thead>.warning>th,.table>tbody>.warning>th,.table>tfoot>.warning>th{background-color:#ff7518}.table-hover>tbody>tr>.warning:hover,.table-hover>tbody>.warning:hover>td,.table-hover>tbody>.warning:hover>th{background-color:#fe6600}@media(max-width:767px){.table-responsive{width:100%;margin-bottom:15.75px;overflow-x:scroll;overflow-y:hidden;border:1px solid #ddd;-ms-overflow-style:-ms-autohiding-scrollbar;-webkit-overflow-scrolling:touch}.table-responsive>.table{margin-bottom:0}.table-responsive>.table>thead>tr>th,.table-responsive>.table>tbody>tr>th,.table-responsive>.table>tfoot>tr>th,.table-responsive>.table>thead>tr>td,.table-responsive>.table>tbody>tr>td,.table-responsive>.table>tfoot>tr>td{white-space:nowrap}.table-responsive>.table-bordered{border:0}.table-responsive>.table-bordered>thead>tr>th:first-child,.table-responsive>.table-bordered>tbody>tr>th:first-child,.table-responsive>.table-bordered>tfoot>tr>th:first-child,.table-responsive>.table-bordered>thead>tr>td:first-child,.table-responsive>.table-bordered>tbody>tr>td:first-child,.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.table-responsive>.table-bordered>thead>tr>th:last-child,.table-responsive>.table-bordered>tbody>tr>th:last-child,.table-responsive>.table-bordered>tfoot>tr>th:last-child,.table-responsive>.table-bordered>thead>tr>td:last-child,.table-responsive>.table-bordered>tbody>tr>td:last-child,.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.table-responsive>.table-bordered>tbody>tr:last-child>th,.table-responsive>.table-bordered>tfoot>tr:last-child>th,.table-responsive>.table-bordered>tbody>tr:last-child>td,.table-responsive>.table-bordered>tfoot>tr:last-child>td{border-bottom:0}}fieldset{padding:0;margin:0;border:0}legend{display:block;width:100%;padding:0;margin-bottom:21px;font-size:22.5px;line-height:inherit;color:#333;border:0;border-bottom:1px solid #e5e5e5}label{display:inline-block;margin-bottom:5px;font-weight:bold}input[type="search"]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}input[type="radio"],input[type="checkbox"]{margin:4px 0 0;margin-top:1px \9;line-height:normal}input[type="file"]{display:block}select[multiple],select[size]{height:auto}select optgroup{font-family:inherit;font-size:inherit;font-style:inherit}input[type="file"]:focus,input[type="radio"]:focus,input[type="checkbox"]:focus{outline:thin dotted;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}input[type="number"]::-webkit-outer-spin-button,input[type="number"]::-webkit-inner-spin-button{height:auto}output{display:block;padding-top:11px;font-size:15px;line-height:1.428571429;color:#333;vertical-align:middle}.form-control{display:block;width:100%;height:43px;padding:10px 18px;font-size:15px;line-height:1.428571429;color:#333;vertical-align:middle;background-color:#fff;background-image:none;border:1px solid #ccc;border-radius:0;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);-webkit-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s}.form-control:focus{border-color:#66afe9;outline:0;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 8px rgba(102,175,233,0.6);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 8px rgba(102,175,233,0.6)}.form-control:-moz-placeholder{color:#999}.form-control::-moz-placeholder{color:#999;opacity:1}.form-control:-ms-input-placeholder{color:#999}.form-control::-webkit-input-placeholder{color:#999}.form-control[disabled],.form-control[readonly],fieldset[disabled] .form-control{cursor:not-allowed;background-color:#e6e6e6}textarea.form-control{height:auto}.form-group{margin-bottom:15px}.radio,.checkbox{display:block;min-height:21px;padding-left:20px;margin-top:10px;margin-bottom:10px;vertical-align:middle}.radio label,.checkbox label{display:inline;margin-bottom:0;font-weight:normal;cursor:pointer}.radio input[type="radio"],.radio-inline input[type="radio"],.checkbox input[type="checkbox"],.checkbox-inline input[type="checkbox"]{float:left;margin-left:-20px}.radio+.radio,.checkbox+.checkbox{margin-top:-5px}.radio-inline,.checkbox-inline{display:inline-block;padding-left:20px;margin-bottom:0;font-weight:normal;vertical-align:middle;cursor:pointer}.radio-inline+.radio-inline,.checkbox-inline+.checkbox-inline{margin-top:0;margin-left:10px}input[type="radio"][disabled],input[type="checkbox"][disabled],.radio[disabled],.radio-inline[disabled],.checkbox[disabled],.checkbox-inline[disabled],fieldset[disabled] input[type="radio"],fieldset[disabled] input[type="checkbox"],fieldset[disabled] .radio,fieldset[disabled] .radio-inline,fieldset[disabled] .checkbox,fieldset[disabled] .checkbox-inline{cursor:not-allowed}.input-sm{height:31px;padding:5px 10px;font-size:13px;line-height:1.5;border-radius:0}select.input-sm{height:31px;line-height:31px}textarea.input-sm{height:auto}.input-lg{height:64px;padding:18px 30px;font-size:19px;line-height:1.33;border-radius:0}select.input-lg{height:64px;line-height:64px}textarea.input-lg{height:auto}.has-warning .help-block,.has-warning .control-label,.has-warning .radio,.has-warning .checkbox,.has-warning .radio-inline,.has-warning .checkbox-inline{color:#fff}.has-warning .form-control{border-color:#fff;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075)}.has-warning .form-control:focus{border-color:#e6e6e6;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #fff;box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #fff}.has-warning .input-group-addon{color:#fff;background-color:#ff7518;border-color:#fff}.has-error .help-block,.has-error .control-label,.has-error .radio,.has-error .checkbox,.has-error .radio-inline,.has-error .checkbox-inline{color:#fff}.has-error .form-control{border-color:#fff;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075)}.has-error .form-control:focus{border-color:#e6e6e6;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #fff;box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #fff}.has-error .input-group-addon{color:#fff;background-color:#ff0039;border-color:#fff}.has-success .help-block,.has-success .control-label,.has-success .radio,.has-success .checkbox,.has-success .radio-inline,.has-success .checkbox-inline{color:#fff}.has-success .form-control{border-color:#fff;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075)}.has-success .form-control:focus{border-color:#e6e6e6;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #fff;box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #fff}.has-success .input-group-addon{color:#fff;background-color:#3fb618;border-color:#fff}.form-control-static{margin-bottom:0}.help-block{display:block;margin-top:5px;margin-bottom:10px;color:#737373}@media(min-width:768px){.form-inline .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.form-inline .form-control{display:inline-block}.form-inline select.form-control{width:auto}.form-inline .radio,.form-inline .checkbox{display:inline-block;padding-left:0;margin-top:0;margin-bottom:0}.form-inline .radio input[type="radio"],.form-inline .checkbox input[type="checkbox"]{float:none;margin-left:0}}.form-horizontal .control-label,.form-horizontal .radio,.form-horizontal .checkbox,.form-horizontal .radio-inline,.form-horizontal .checkbox-inline{padding-top:11px;margin-top:0;margin-bottom:0}.form-horizontal .radio,.form-horizontal .checkbox{min-height:32px}.form-horizontal .form-group{margin-right:-15px;margin-left:-15px}.form-horizontal .form-group:before,.form-horizontal .form-group:after{display:table;content:" "}.form-horizontal .form-group:after{clear:both}.form-horizontal .form-group:before,.form-horizontal .form-group:after{display:table;content:" "}.form-horizontal .form-group:after{clear:both}.form-horizontal .form-group:before,.form-horizontal .form-group:after{display:table;content:" "}.form-horizontal .form-group:after{clear:both}.form-horizontal .form-group:before,.form-horizontal .form-group:after{display:table;content:" "}.form-horizontal .form-group:after{clear:both}.form-horizontal .form-group:before,.form-horizontal .form-group:after{display:table;content:" "}.form-horizontal .form-group:after{clear:both}.form-horizontal .form-control-static{padding-top:11px}@media(min-width:768px){.form-horizontal .control-label{text-align:right}}.btn{display:inline-block;padding:10px 18px;margin-bottom:0;font-size:15px;font-weight:normal;line-height:1.428571429;text-align:center;white-space:nowrap;vertical-align:middle;cursor:pointer;background-image:none;border:1px solid transparent;border-radius:0;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;-o-user-select:none;user-select:none}.btn:focus{outline:thin dotted;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}.btn:hover,.btn:focus{color:#fff;text-decoration:none}.btn:active,.btn.active{background-image:none;outline:0;-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,0.125);box-shadow:inset 0 3px 5px rgba(0,0,0,0.125)}.btn.disabled,.btn[disabled],fieldset[disabled] .btn{pointer-events:none;cursor:not-allowed;opacity:.65;filter:alpha(opacity=65);-webkit-box-shadow:none;box-shadow:none}.btn-default{color:#fff;background-color:#222;border-color:#222}.btn-default:hover,.btn-default:focus,.btn-default:active,.btn-default.active,.open .dropdown-toggle.btn-default{color:#fff;background-color:#0e0e0e;border-color:#040404}.btn-default:active,.btn-default.active,.open .dropdown-toggle.btn-default{background-image:none}.btn-default.disabled,.btn-default[disabled],fieldset[disabled] .btn-default,.btn-default.disabled:hover,.btn-default[disabled]:hover,fieldset[disabled] .btn-default:hover,.btn-default.disabled:focus,.btn-default[disabled]:focus,fieldset[disabled] .btn-default:focus,.btn-default.disabled:active,.btn-default[disabled]:active,fieldset[disabled] .btn-default:active,.btn-default.disabled.active,.btn-default[disabled].active,fieldset[disabled] .btn-default.active{background-color:#222;border-color:#222}.btn-default .badge{color:#222;background-color:#fff}.btn-primary{color:#fff;background-color:#007fff;border-color:#007fff}.btn-primary:hover,.btn-primary:focus,.btn-primary:active,.btn-primary.active,.open .dropdown-toggle.btn-primary{color:#fff;background-color:#006bd6;border-color:#0061c2}.btn-primary:active,.btn-primary.active,.open .dropdown-toggle.btn-primary{background-image:none}.btn-primary.disabled,.btn-primary[disabled],fieldset[disabled] .btn-primary,.btn-primary.disabled:hover,.btn-primary[disabled]:hover,fieldset[disabled] .btn-primary:hover,.btn-primary.disabled:focus,.btn-primary[disabled]:focus,fieldset[disabled] .btn-primary:focus,.btn-primary.disabled:active,.btn-primary[disabled]:active,fieldset[disabled] .btn-primary:active,.btn-primary.disabled.active,.btn-primary[disabled].active,fieldset[disabled] .btn-primary.active{background-color:#007fff;border-color:#007fff}.btn-primary .badge{color:#007fff;background-color:#fff}.btn-warning{color:#fff;background-color:#ff7518;border-color:#ff7518}.btn-warning:hover,.btn-warning:focus,.btn-warning:active,.btn-warning.active,.open .dropdown-toggle.btn-warning{color:#fff;background-color:#ee6000;border-color:#da5800}.btn-warning:active,.btn-warning.active,.open .dropdown-toggle.btn-warning{background-image:none}.btn-warning.disabled,.btn-warning[disabled],fieldset[disabled] .btn-warning,.btn-warning.disabled:hover,.btn-warning[disabled]:hover,fieldset[disabled] .btn-warning:hover,.btn-warning.disabled:focus,.btn-warning[disabled]:focus,fieldset[disabled] .btn-warning:focus,.btn-warning.disabled:active,.btn-warning[disabled]:active,fieldset[disabled] .btn-warning:active,.btn-warning.disabled.active,.btn-warning[disabled].active,fieldset[disabled] .btn-warning.active{background-color:#ff7518;border-color:#ff7518}.btn-warning .badge{color:#ff7518;background-color:#fff}.btn-danger{color:#fff;background-color:#ff0039;border-color:#ff0039}.btn-danger:hover,.btn-danger:focus,.btn-danger:active,.btn-danger.active,.open .dropdown-toggle.btn-danger{color:#fff;background-color:#d60030;border-color:#c2002b}.btn-danger:active,.btn-danger.active,.open .dropdown-toggle.btn-danger{background-image:none}.btn-danger.disabled,.btn-danger[disabled],fieldset[disabled] .btn-danger,.btn-danger.disabled:hover,.btn-danger[disabled]:hover,fieldset[disabled] .btn-danger:hover,.btn-danger.disabled:focus,.btn-danger[disabled]:focus,fieldset[disabled] .btn-danger:focus,.btn-danger.disabled:active,.btn-danger[disabled]:active,fieldset[disabled] .btn-danger:active,.btn-danger.disabled.active,.btn-danger[disabled].active,fieldset[disabled] .btn-danger.active{background-color:#ff0039;border-color:#ff0039}.btn-danger .badge{color:#ff0039;background-color:#fff}.btn-success{color:#fff;background-color:#3fb618;border-color:#3fb618}.btn-success:hover,.btn-success:focus,.btn-success:active,.btn-success.active,.open .dropdown-toggle.btn-success{color:#fff;background-color:#339213;border-color:#2c8011}.btn-success:active,.btn-success.active,.open .dropdown-toggle.btn-success{background-image:none}.btn-success.disabled,.btn-success[disabled],fieldset[disabled] .btn-success,.btn-success.disabled:hover,.btn-success[disabled]:hover,fieldset[disabled] .btn-success:hover,.btn-success.disabled:focus,.btn-success[disabled]:focus,fieldset[disabled] .btn-success:focus,.btn-success.disabled:active,.btn-success[disabled]:active,fieldset[disabled] .btn-success:active,.btn-success.disabled.active,.btn-success[disabled].active,fieldset[disabled] .btn-success.active{background-color:#3fb618;border-color:#3fb618}.btn-success .badge{color:#3fb618;background-color:#fff}.btn-info{color:#fff;background-color:#9954bb;border-color:#9954bb}.btn-info:hover,.btn-info:focus,.btn-info:active,.btn-info.active,.open .dropdown-toggle.btn-info{color:#fff;background-color:#8441a5;border-color:#783c96}.btn-info:active,.btn-info.active,.open .dropdown-toggle.btn-info{background-image:none}.btn-info.disabled,.btn-info[disabled],fieldset[disabled] .btn-info,.btn-info.disabled:hover,.btn-info[disabled]:hover,fieldset[disabled] .btn-info:hover,.btn-info.disabled:focus,.btn-info[disabled]:focus,fieldset[disabled] .btn-info:focus,.btn-info.disabled:active,.btn-info[disabled]:active,fieldset[disabled] .btn-info:active,.btn-info.disabled.active,.btn-info[disabled].active,fieldset[disabled] .btn-info.active{background-color:#9954bb;border-color:#9954bb}.btn-info .badge{color:#9954bb;background-color:#fff}.btn-link{font-weight:normal;color:#007fff;cursor:pointer;border-radius:0}.btn-link,.btn-link:active,.btn-link[disabled],fieldset[disabled] .btn-link{background-color:transparent;-webkit-box-shadow:none;box-shadow:none}.btn-link,.btn-link:hover,.btn-link:focus,.btn-link:active{border-color:transparent}.btn-link:hover,.btn-link:focus{color:#0059b3;text-decoration:underline;background-color:transparent}.btn-link[disabled]:hover,fieldset[disabled] .btn-link:hover,.btn-link[disabled]:focus,fieldset[disabled] .btn-link:focus{color:#999;text-decoration:none}.btn-lg{padding:18px 30px;font-size:19px;line-height:1.33;border-radius:0}.btn-sm{padding:5px 10px;font-size:13px;line-height:1.5;border-radius:0}.btn-xs{padding:1px 5px;font-size:13px;line-height:1.5;border-radius:0}.btn-block{display:block;width:100%;padding-right:0;padding-left:0}.btn-block+.btn-block{margin-top:5px}input[type="submit"].btn-block,input[type="reset"].btn-block,input[type="button"].btn-block{width:100%}.fade{opacity:0;-webkit-transition:opacity .15s linear;transition:opacity .15s linear}.fade.in{opacity:1}.collapse{display:none}.collapse.in{display:block}.collapsing{position:relative;height:0;overflow:hidden;-webkit-transition:height .35s ease;transition:height .35s ease}@font-face{font-family:'Glyphicons Halflings';src:url('../fonts/glyphicons-halflings-regular.eot');src:url('../fonts/glyphicons-halflings-regular.eot?#iefix') format('embedded-opentype'),url('../fonts/glyphicons-halflings-regular.woff') format('woff'),url('../fonts/glyphicons-halflings-regular.ttf') format('truetype'),url('../fonts/glyphicons-halflings-regular.svg#glyphicons-halflingsregular') format('svg')}.glyphicon{position:relative;top:1px;display:inline-block;font-family:'Glyphicons Halflings';-webkit-font-smoothing:antialiased;font-style:normal;font-weight:normal;line-height:1;-moz-osx-font-smoothing:grayscale}.glyphicon:empty{width:1em}.glyphicon-asterisk:before{content:"\2a"}.glyphicon-plus:before{content:"\2b"}.glyphicon-euro:before{content:"\20ac"}.glyphicon-minus:before{content:"\2212"}.glyphicon-cloud:before{content:"\2601"}.glyphicon-envelope:before{content:"\2709"}.glyphicon-pencil:before{content:"\270f"}.glyphicon-glass:before{content:"\e001"}.glyphicon-music:before{content:"\e002"}.glyphicon-search:before{content:"\e003"}.glyphicon-heart:before{content:"\e005"}.glyphicon-star:before{content:"\e006"}.glyphicon-star-empty:before{content:"\e007"}.glyphicon-user:before{content:"\e008"}.glyphicon-film:before{content:"\e009"}.glyphicon-th-large:before{content:"\e010"}.glyphicon-th:before{content:"\e011"}.glyphicon-th-list:before{content:"\e012"}.glyphicon-ok:before{content:"\e013"}.glyphicon-remove:before{content:"\e014"}.glyphicon-zoom-in:before{content:"\e015"}.glyphicon-zoom-out:before{content:"\e016"}.glyphicon-off:before{content:"\e017"}.glyphicon-signal:before{content:"\e018"}.glyphicon-cog:before{content:"\e019"}.glyphicon-trash:before{content:"\e020"}.glyphicon-home:before{content:"\e021"}.glyphicon-file:before{content:"\e022"}.glyphicon-time:before{content:"\e023"}.glyphicon-road:before{content:"\e024"}.glyphicon-download-alt:before{content:"\e025"}.glyphicon-download:before{content:"\e026"}.glyphicon-upload:before{content:"\e027"}.glyphicon-inbox:before{content:"\e028"}.glyphicon-play-circle:before{content:"\e029"}.glyphicon-repeat:before{content:"\e030"}.glyphicon-refresh:before{content:"\e031"}.glyphicon-list-alt:before{content:"\e032"}.glyphicon-lock:before{content:"\e033"}.glyphicon-flag:before{content:"\e034"}.glyphicon-headphones:before{content:"\e035"}.glyphicon-volume-off:before{content:"\e036"}.glyphicon-volume-down:before{content:"\e037"}.glyphicon-volume-up:before{content:"\e038"}.glyphicon-qrcode:before{content:"\e039"}.glyphicon-barcode:before{content:"\e040"}.glyphicon-tag:before{content:"\e041"}.glyphicon-tags:before{content:"\e042"}.glyphicon-book:before{content:"\e043"}.glyphicon-bookmark:before{content:"\e044"}.glyphicon-print:before{content:"\e045"}.glyphicon-camera:before{content:"\e046"}.glyphicon-font:before{content:"\e047"}.glyphicon-bold:before{content:"\e048"}.glyphicon-italic:before{content:"\e049"}.glyphicon-text-height:before{content:"\e050"}.glyphicon-text-width:before{content:"\e051"}.glyphicon-align-left:before{content:"\e052"}.glyphicon-align-center:before{content:"\e053"}.glyphicon-align-right:before{content:"\e054"}.glyphicon-align-justify:before{content:"\e055"}.glyphicon-list:before{content:"\e056"}.glyphicon-indent-left:before{content:"\e057"}.glyphicon-indent-right:before{content:"\e058"}.glyphicon-facetime-video:before{content:"\e059"}.glyphicon-picture:before{content:"\e060"}.glyphicon-map-marker:before{content:"\e062"}.glyphicon-adjust:before{content:"\e063"}.glyphicon-tint:before{content:"\e064"}.glyphicon-edit:before{content:"\e065"}.glyphicon-share:before{content:"\e066"}.glyphicon-check:before{content:"\e067"}.glyphicon-move:before{content:"\e068"}.glyphicon-step-backward:before{content:"\e069"}.glyphicon-fast-backward:before{content:"\e070"}.glyphicon-backward:before{content:"\e071"}.glyphicon-play:before{content:"\e072"}.glyphicon-pause:before{content:"\e073"}.glyphicon-stop:before{content:"\e074"}.glyphicon-forward:before{content:"\e075"}.glyphicon-fast-forward:before{content:"\e076"}.glyphicon-step-forward:before{content:"\e077"}.glyphicon-eject:before{content:"\e078"}.glyphicon-chevron-left:before{content:"\e079"}.glyphicon-chevron-right:before{content:"\e080"}.glyphicon-plus-sign:before{content:"\e081"}.glyphicon-minus-sign:before{content:"\e082"}.glyphicon-remove-sign:before{content:"\e083"}.glyphicon-ok-sign:before{content:"\e084"}.glyphicon-question-sign:before{content:"\e085"}.glyphicon-info-sign:before{content:"\e086"}.glyphicon-screenshot:before{content:"\e087"}.glyphicon-remove-circle:before{content:"\e088"}.glyphicon-ok-circle:before{content:"\e089"}.glyphicon-ban-circle:before{content:"\e090"}.glyphicon-arrow-left:before{content:"\e091"}.glyphicon-arrow-right:before{content:"\e092"}.glyphicon-arrow-up:before{content:"\e093"}.glyphicon-arrow-down:before{content:"\e094"}.glyphicon-share-alt:before{content:"\e095"}.glyphicon-resize-full:before{content:"\e096"}.glyphicon-resize-small:before{content:"\e097"}.glyphicon-exclamation-sign:before{content:"\e101"}.glyphicon-gift:before{content:"\e102"}.glyphicon-leaf:before{content:"\e103"}.glyphicon-fire:before{content:"\e104"}.glyphicon-eye-open:before{content:"\e105"}.glyphicon-eye-close:before{content:"\e106"}.glyphicon-warning-sign:before{content:"\e107"}.glyphicon-plane:before{content:"\e108"}.glyphicon-calendar:before{content:"\e109"}.glyphicon-random:before{content:"\e110"}.glyphicon-comment:before{content:"\e111"}.glyphicon-magnet:before{content:"\e112"}.glyphicon-chevron-up:before{content:"\e113"}.glyphicon-chevron-down:before{content:"\e114"}.glyphicon-retweet:before{content:"\e115"}.glyphicon-shopping-cart:before{content:"\e116"}.glyphicon-folder-close:before{content:"\e117"}.glyphicon-folder-open:before{content:"\e118"}.glyphicon-resize-vertical:before{content:"\e119"}.glyphicon-resize-horizontal:before{content:"\e120"}.glyphicon-hdd:before{content:"\e121"}.glyphicon-bullhorn:before{content:"\e122"}.glyphicon-bell:before{content:"\e123"}.glyphicon-certificate:before{content:"\e124"}.glyphicon-thumbs-up:before{content:"\e125"}.glyphicon-thumbs-down:before{content:"\e126"}.glyphicon-hand-right:before{content:"\e127"}.glyphicon-hand-left:before{content:"\e128"}.glyphicon-hand-up:before{content:"\e129"}.glyphicon-hand-down:before{content:"\e130"}.glyphicon-circle-arrow-right:before{content:"\e131"}.glyphicon-circle-arrow-left:before{content:"\e132"}.glyphicon-circle-arrow-up:before{content:"\e133"}.glyphicon-circle-arrow-down:before{content:"\e134"}.glyphicon-globe:before{content:"\e135"}.glyphicon-wrench:before{content:"\e136"}.glyphicon-tasks:before{content:"\e137"}.glyphicon-filter:before{content:"\e138"}.glyphicon-briefcase:before{content:"\e139"}.glyphicon-fullscreen:before{content:"\e140"}.glyphicon-dashboard:before{content:"\e141"}.glyphicon-paperclip:before{content:"\e142"}.glyphicon-heart-empty:before{content:"\e143"}.glyphicon-link:before{content:"\e144"}.glyphicon-phone:before{content:"\e145"}.glyphicon-pushpin:before{content:"\e146"}.glyphicon-usd:before{content:"\e148"}.glyphicon-gbp:before{content:"\e149"}.glyphicon-sort:before{content:"\e150"}.glyphicon-sort-by-alphabet:before{content:"\e151"}.glyphicon-sort-by-alphabet-alt:before{content:"\e152"}.glyphicon-sort-by-order:before{content:"\e153"}.glyphicon-sort-by-order-alt:before{content:"\e154"}.glyphicon-sort-by-attributes:before{content:"\e155"}.glyphicon-sort-by-attributes-alt:before{content:"\e156"}.glyphicon-unchecked:before{content:"\e157"}.glyphicon-expand:before{content:"\e158"}.glyphicon-collapse-down:before{content:"\e159"}.glyphicon-collapse-up:before{content:"\e160"}.glyphicon-log-in:before{content:"\e161"}.glyphicon-flash:before{content:"\e162"}.glyphicon-log-out:before{content:"\e163"}.glyphicon-new-window:before{content:"\e164"}.glyphicon-record:before{content:"\e165"}.glyphicon-save:before{content:"\e166"}.glyphicon-open:before{content:"\e167"}.glyphicon-saved:before{content:"\e168"}.glyphicon-import:before{content:"\e169"}.glyphicon-export:before{content:"\e170"}.glyphicon-send:before{content:"\e171"}.glyphicon-floppy-disk:before{content:"\e172"}.glyphicon-floppy-saved:before{content:"\e173"}.glyphicon-floppy-remove:before{content:"\e174"}.glyphicon-floppy-save:before{content:"\e175"}.glyphicon-floppy-open:before{content:"\e176"}.glyphicon-credit-card:before{content:"\e177"}.glyphicon-transfer:before{content:"\e178"}.glyphicon-cutlery:before{content:"\e179"}.glyphicon-header:before{content:"\e180"}.glyphicon-compressed:before{content:"\e181"}.glyphicon-earphone:before{content:"\e182"}.glyphicon-phone-alt:before{content:"\e183"}.glyphicon-tower:before{content:"\e184"}.glyphicon-stats:before{content:"\e185"}.glyphicon-sd-video:before{content:"\e186"}.glyphicon-hd-video:before{content:"\e187"}.glyphicon-subtitles:before{content:"\e188"}.glyphicon-sound-stereo:before{content:"\e189"}.glyphicon-sound-dolby:before{content:"\e190"}.glyphicon-sound-5-1:before{content:"\e191"}.glyphicon-sound-6-1:before{content:"\e192"}.glyphicon-sound-7-1:before{content:"\e193"}.glyphicon-copyright-mark:before{content:"\e194"}.glyphicon-registration-mark:before{content:"\e195"}.glyphicon-cloud-download:before{content:"\e197"}.glyphicon-cloud-upload:before{content:"\e198"}.glyphicon-tree-conifer:before{content:"\e199"}.glyphicon-tree-deciduous:before{content:"\e200"}.caret{display:inline-block;width:0;height:0;margin-left:2px;vertical-align:middle;border-top:4px solid;border-right:4px solid transparent;border-left:4px solid transparent}.dropdown{position:relative}.dropdown-toggle:focus{outline:0}.dropdown-menu{position:absolute;top:100%;left:0;z-index:1000;display:none;float:left;min-width:160px;padding:5px 0;margin:2px 0 0;font-size:15px;list-style:none;background-color:#fff;border:1px solid #ccc;border:1px solid rgba(0,0,0,0.15);border-radius:0;-webkit-box-shadow:0 6px 12px rgba(0,0,0,0.175);box-shadow:0 6px 12px rgba(0,0,0,0.175);background-clip:padding-box}.dropdown-menu.pull-right{right:0;left:auto}.dropdown-menu .divider{height:1px;margin:9.5px 0;overflow:hidden;background-color:#e5e5e5}.dropdown-menu>li>a{display:block;padding:3px 20px;clear:both;font-weight:normal;line-height:1.428571429;color:#333;white-space:nowrap}.dropdown-menu>li>a:hover,.dropdown-menu>li>a:focus{color:#fff;text-decoration:none;background-color:#007fff}.dropdown-menu>.active>a,.dropdown-menu>.active>a:hover,.dropdown-menu>.active>a:focus{color:#fff;text-decoration:none;background-color:#007fff;outline:0}.dropdown-menu>.disabled>a,.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{color:#999}.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{text-decoration:none;cursor:not-allowed;background-color:transparent;background-image:none;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.open>.dropdown-menu{display:block}.open>a{outline:0}.dropdown-header{display:block;padding:3px 20px;font-size:13px;line-height:1.428571429;color:#999}.dropdown-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:990}.pull-right>.dropdown-menu{right:0;left:auto}.dropup .caret,.navbar-fixed-bottom .dropdown .caret{border-top:0;border-bottom:4px solid;content:""}.dropup .dropdown-menu,.navbar-fixed-bottom .dropdown .dropdown-menu{top:auto;bottom:100%;margin-bottom:1px}@media(min-width:768px){.navbar-right .dropdown-menu{right:0;left:auto}}.btn-group,.btn-group-vertical{position:relative;display:inline-block;vertical-align:middle}.btn-group>.btn,.btn-group-vertical>.btn{position:relative;float:left}.btn-group>.btn:hover,.btn-group-vertical>.btn:hover,.btn-group>.btn:focus,.btn-group-vertical>.btn:focus,.btn-group>.btn:active,.btn-group-vertical>.btn:active,.btn-group>.btn.active,.btn-group-vertical>.btn.active{z-index:2}.btn-group>.btn:focus,.btn-group-vertical>.btn:focus{outline:0}.btn-group .btn+.btn,.btn-group .btn+.btn-group,.btn-group .btn-group+.btn,.btn-group .btn-group+.btn-group{margin-left:-1px}.btn-toolbar:before,.btn-toolbar:after{display:table;content:" "}.btn-toolbar:after{clear:both}.btn-toolbar:before,.btn-toolbar:after{display:table;content:" "}.btn-toolbar:after{clear:both}.btn-toolbar:before,.btn-toolbar:after{display:table;content:" "}.btn-toolbar:after{clear:both}.btn-toolbar:before,.btn-toolbar:after{display:table;content:" "}.btn-toolbar:after{clear:both}.btn-toolbar:before,.btn-toolbar:after{display:table;content:" "}.btn-toolbar:after{clear:both}.btn-toolbar .btn-group{float:left}.btn-toolbar>.btn+.btn,.btn-toolbar>.btn-group+.btn,.btn-toolbar>.btn+.btn-group,.btn-toolbar>.btn-group+.btn-group{margin-left:5px}.btn-group>.btn:not(:first-child):not(:last-child):not(.dropdown-toggle){border-radius:0}.btn-group>.btn:first-child{margin-left:0}.btn-group>.btn:first-child:not(:last-child):not(.dropdown-toggle){border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn:last-child:not(:first-child),.btn-group>.dropdown-toggle:not(:first-child){border-bottom-left-radius:0;border-top-left-radius:0}.btn-group>.btn-group{float:left}.btn-group>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group>.btn-group:first-child>.btn:last-child,.btn-group>.btn-group:first-child>.dropdown-toggle{border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn-group:last-child>.btn:first-child{border-bottom-left-radius:0;border-top-left-radius:0}.btn-group .dropdown-toggle:active,.btn-group.open .dropdown-toggle{outline:0}.btn-group-xs>.btn{padding:1px 5px;font-size:13px;line-height:1.5;border-radius:0}.btn-group-sm>.btn{padding:5px 10px;font-size:13px;line-height:1.5;border-radius:0}.btn-group-lg>.btn{padding:18px 30px;font-size:19px;line-height:1.33;border-radius:0}.btn-group>.btn+.dropdown-toggle{padding-right:8px;padding-left:8px}.btn-group>.btn-lg+.dropdown-toggle{padding-right:12px;padding-left:12px}.btn-group.open .dropdown-toggle{-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,0.125);box-shadow:inset 0 3px 5px rgba(0,0,0,0.125)}.btn-group.open .dropdown-toggle.btn-link{-webkit-box-shadow:none;box-shadow:none}.btn .caret{margin-left:0}.btn-lg .caret{border-width:5px 5px 0;border-bottom-width:0}.dropup .btn-lg .caret{border-width:0 5px 5px}.btn-group-vertical>.btn,.btn-group-vertical>.btn-group,.btn-group-vertical>.btn-group>.btn{display:block;float:none;width:100%;max-width:100%}.btn-group-vertical>.btn-group:before,.btn-group-vertical>.btn-group:after{display:table;content:" "}.btn-group-vertical>.btn-group:after{clear:both}.btn-group-vertical>.btn-group:before,.btn-group-vertical>.btn-group:after{display:table;content:" "}.btn-group-vertical>.btn-group:after{clear:both}.btn-group-vertical>.btn-group:before,.btn-group-vertical>.btn-group:after{display:table;content:" "}.btn-group-vertical>.btn-group:after{clear:both}.btn-group-vertical>.btn-group:before,.btn-group-vertical>.btn-group:after{display:table;content:" "}.btn-group-vertical>.btn-group:after{clear:both}.btn-group-vertical>.btn-group:before,.btn-group-vertical>.btn-group:after{display:table;content:" "}.btn-group-vertical>.btn-group:after{clear:both}.btn-group-vertical>.btn-group>.btn{float:none}.btn-group-vertical>.btn+.btn,.btn-group-vertical>.btn+.btn-group,.btn-group-vertical>.btn-group+.btn,.btn-group-vertical>.btn-group+.btn-group{margin-top:-1px;margin-left:0}.btn-group-vertical>.btn:not(:first-child):not(:last-child){border-radius:0}.btn-group-vertical>.btn:first-child:not(:last-child){border-top-right-radius:0;border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn:last-child:not(:first-child){border-top-right-radius:0;border-bottom-left-radius:0;border-top-left-radius:0}.btn-group-vertical>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group-vertical>.btn-group:first-child>.btn:last-child,.btn-group-vertical>.btn-group:first-child>.dropdown-toggle{border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn-group:last-child>.btn:first-child{border-top-right-radius:0;border-top-left-radius:0}.btn-group-justified{display:table;width:100%;border-collapse:separate;table-layout:fixed}.btn-group-justified>.btn,.btn-group-justified>.btn-group{display:table-cell;float:none;width:1%}.btn-group-justified>.btn-group .btn{width:100%}[data-toggle="buttons"]>.btn>input[type="radio"],[data-toggle="buttons"]>.btn>input[type="checkbox"]{display:none}.input-group{position:relative;display:table;border-collapse:separate}.input-group[class*="col-"]{float:none;padding-right:0;padding-left:0}.input-group .form-control{width:100%;margin-bottom:0}.input-group-lg>.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.btn{height:64px;padding:18px 30px;font-size:19px;line-height:1.33;border-radius:0}select.input-group-lg>.form-control,select.input-group-lg>.input-group-addon,select.input-group-lg>.input-group-btn>.btn{height:64px;line-height:64px}textarea.input-group-lg>.form-control,textarea.input-group-lg>.input-group-addon,textarea.input-group-lg>.input-group-btn>.btn{height:auto}.input-group-sm>.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.btn{height:31px;padding:5px 10px;font-size:13px;line-height:1.5;border-radius:0}select.input-group-sm>.form-control,select.input-group-sm>.input-group-addon,select.input-group-sm>.input-group-btn>.btn{height:31px;line-height:31px}textarea.input-group-sm>.form-control,textarea.input-group-sm>.input-group-addon,textarea.input-group-sm>.input-group-btn>.btn{height:auto}.input-group-addon,.input-group-btn,.input-group .form-control{display:table-cell}.input-group-addon:not(:first-child):not(:last-child),.input-group-btn:not(:first-child):not(:last-child),.input-group .form-control:not(:first-child):not(:last-child){border-radius:0}.input-group-addon,.input-group-btn{width:1%;white-space:nowrap;vertical-align:middle}.input-group-addon{padding:10px 18px;font-size:15px;font-weight:normal;line-height:1;color:#333;text-align:center;background-color:#e6e6e6;border:1px solid #ccc;border-radius:0}.input-group-addon.input-sm{padding:5px 10px;font-size:13px;border-radius:0}.input-group-addon.input-lg{padding:18px 30px;font-size:19px;border-radius:0}.input-group-addon input[type="radio"],.input-group-addon input[type="checkbox"]{margin-top:0}.input-group .form-control:first-child,.input-group-addon:first-child,.input-group-btn:first-child>.btn,.input-group-btn:first-child>.dropdown-toggle,.input-group-btn:last-child>.btn:not(:last-child):not(.dropdown-toggle){border-top-right-radius:0;border-bottom-right-radius:0}.input-group-addon:first-child{border-right:0}.input-group .form-control:last-child,.input-group-addon:last-child,.input-group-btn:last-child>.btn,.input-group-btn:last-child>.dropdown-toggle,.input-group-btn:first-child>.btn:not(:first-child){border-bottom-left-radius:0;border-top-left-radius:0}.input-group-addon:last-child{border-left:0}.input-group-btn{position:relative;white-space:nowrap}.input-group-btn:first-child>.btn{margin-right:-1px}.input-group-btn:last-child>.btn{margin-left:-1px}.input-group-btn>.btn{position:relative}.input-group-btn>.btn+.btn{margin-left:-4px}.input-group-btn>.btn:hover,.input-group-btn>.btn:active{z-index:2}.nav{padding-left:0;margin-bottom:0;list-style:none}.nav:before,.nav:after{display:table;content:" "}.nav:after{clear:both}.nav:before,.nav:after{display:table;content:" "}.nav:after{clear:both}.nav:before,.nav:after{display:table;content:" "}.nav:after{clear:both}.nav:before,.nav:after{display:table;content:" "}.nav:after{clear:both}.nav:before,.nav:after{display:table;content:" "}.nav:after{clear:both}.nav>li{position:relative;display:block}.nav>li>a{position:relative;display:block;padding:10px 15px}.nav>li>a:hover,.nav>li>a:focus{text-decoration:none;background-color:#e6e6e6}.nav>li.disabled>a{color:#999}.nav>li.disabled>a:hover,.nav>li.disabled>a:focus{color:#999;text-decoration:none;cursor:not-allowed;background-color:transparent}.nav .open>a,.nav .open>a:hover,.nav .open>a:focus{background-color:#e6e6e6;border-color:#007fff}.nav .nav-divider{height:1px;margin:9.5px 0;overflow:hidden;background-color:#e5e5e5}.nav>li>a>img{max-width:none}.nav-tabs{border-bottom:1px solid #ddd}.nav-tabs>li{float:left;margin-bottom:-1px}.nav-tabs>li>a{margin-right:2px;line-height:1.428571429;border:1px solid transparent;border-radius:0}.nav-tabs>li>a:hover{border-color:#e6e6e6 #e6e6e6 #ddd}.nav-tabs>li.active>a,.nav-tabs>li.active>a:hover,.nav-tabs>li.active>a:focus{color:#555;cursor:default;background-color:#fff;border:1px solid #ddd;border-bottom-color:transparent}.nav-tabs.nav-justified{width:100%;border-bottom:0}.nav-tabs.nav-justified>li{float:none}.nav-tabs.nav-justified>li>a{margin-bottom:5px;text-align:center}.nav-tabs.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media(min-width:768px){.nav-tabs.nav-justified>li{display:table-cell;width:1%}.nav-tabs.nav-justified>li>a{margin-bottom:0}}.nav-tabs.nav-justified>li>a{margin-right:0;border-radius:0}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border:1px solid #ddd}@media(min-width:768px){.nav-tabs.nav-justified>li>a{border-bottom:1px solid #ddd;border-radius:0}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border-bottom-color:#fff}}.nav-pills>li{float:left}.nav-pills>li>a{border-radius:0}.nav-pills>li+li{margin-left:2px}.nav-pills>li.active>a,.nav-pills>li.active>a:hover,.nav-pills>li.active>a:focus{color:#fff;background-color:#007fff}.nav-stacked>li{float:none}.nav-stacked>li+li{margin-top:2px;margin-left:0}.nav-justified{width:100%}.nav-justified>li{float:none}.nav-justified>li>a{margin-bottom:5px;text-align:center}.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media(min-width:768px){.nav-justified>li{display:table-cell;width:1%}.nav-justified>li>a{margin-bottom:0}}.nav-tabs-justified{border-bottom:0}.nav-tabs-justified>li>a{margin-right:0;border-radius:0}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border:1px solid #ddd}@media(min-width:768px){.nav-tabs-justified>li>a{border-bottom:1px solid #ddd;border-radius:0}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border-bottom-color:#fff}}.tab-content>.tab-pane{display:none}.tab-content>.active{display:block}.nav-tabs .dropdown-menu{margin-top:-1px;border-top-right-radius:0;border-top-left-radius:0}.navbar{position:relative;min-height:50px;margin-bottom:21px;border:1px solid transparent}.navbar:before,.navbar:after{display:table;content:" "}.navbar:after{clear:both}.navbar:before,.navbar:after{display:table;content:" "}.navbar:after{clear:both}.navbar:before,.navbar:after{display:table;content:" "}.navbar:after{clear:both}.navbar:before,.navbar:after{display:table;content:" "}.navbar:after{clear:both}.navbar:before,.navbar:after{display:table;content:" "}.navbar:after{clear:both}@media(min-width:768px){.navbar{border-radius:0}}.navbar-header:before,.navbar-header:after{display:table;content:" "}.navbar-header:after{clear:both}.navbar-header:before,.navbar-header:after{display:table;content:" "}.navbar-header:after{clear:both}.navbar-header:before,.navbar-header:after{display:table;content:" "}.navbar-header:after{clear:both}.navbar-header:before,.navbar-header:after{display:table;content:" "}.navbar-header:after{clear:both}.navbar-header:before,.navbar-header:after{display:table;content:" "}.navbar-header:after{clear:both}@media(min-width:768px){.navbar-header{float:left}}.navbar-collapse{max-height:340px;padding-right:15px;padding-left:15px;overflow-x:visible;border-top:1px solid transparent;box-shadow:inset 0 1px 0 rgba(255,255,255,0.1);-webkit-overflow-scrolling:touch}.navbar-collapse:before,.navbar-collapse:after{display:table;content:" "}.navbar-collapse:after{clear:both}.navbar-collapse:before,.navbar-collapse:after{display:table;content:" "}.navbar-collapse:after{clear:both}.navbar-collapse:before,.navbar-collapse:after{display:table;content:" "}.navbar-collapse:after{clear:both}.navbar-collapse:before,.navbar-collapse:after{display:table;content:" "}.navbar-collapse:after{clear:both}.navbar-collapse:before,.navbar-collapse:after{display:table;content:" "}.navbar-collapse:after{clear:both}.navbar-collapse.in{overflow-y:auto}@media(min-width:768px){.navbar-collapse{width:auto;border-top:0;box-shadow:none}.navbar-collapse.collapse{display:block!important;height:auto!important;padding-bottom:0;overflow:visible!important}.navbar-collapse.in{overflow-y:visible}.navbar-fixed-top .navbar-collapse,.navbar-static-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{padding-right:0;padding-left:0}}.container>.navbar-header,.container>.navbar-collapse{margin-right:-15px;margin-left:-15px}@media(min-width:768px){.container>.navbar-header,.container>.navbar-collapse{margin-right:0;margin-left:0}}.navbar-static-top{z-index:1000;border-width:0 0 1px}@media(min-width:768px){.navbar-static-top{border-radius:0}}.navbar-fixed-top,.navbar-fixed-bottom{position:fixed;right:0;left:0;z-index:1030}@media(min-width:768px){.navbar-fixed-top,.navbar-fixed-bottom{border-radius:0}}.navbar-fixed-top{top:0;border-width:0 0 1px}.navbar-fixed-bottom{bottom:0;margin-bottom:0;border-width:1px 0 0}.navbar-brand{float:left;padding:14.5px 15px;font-size:19px;line-height:21px}.navbar-brand:hover,.navbar-brand:focus{text-decoration:none}@media(min-width:768px){.navbar>.container .navbar-brand{margin-left:-15px}}.navbar-toggle{position:relative;float:right;padding:9px 10px;margin-top:8px;margin-right:15px;margin-bottom:8px;background-color:transparent;background-image:none;border:1px solid transparent;border-radius:0}.navbar-toggle .icon-bar{display:block;width:22px;height:2px;border-radius:1px}.navbar-toggle .icon-bar+.icon-bar{margin-top:4px}@media(min-width:768px){.navbar-toggle{display:none}}.navbar-nav{margin:7.25px -15px}.navbar-nav>li>a{padding-top:10px;padding-bottom:10px;line-height:21px}@media(max-width:767px){.navbar-nav .open .dropdown-menu{position:static;float:none;width:auto;margin-top:0;background-color:transparent;border:0;box-shadow:none}.navbar-nav .open .dropdown-menu>li>a,.navbar-nav .open .dropdown-menu .dropdown-header{padding:5px 15px 5px 25px}.navbar-nav .open .dropdown-menu>li>a{line-height:21px}.navbar-nav .open .dropdown-menu>li>a:hover,.navbar-nav .open .dropdown-menu>li>a:focus{background-image:none}}@media(min-width:768px){.navbar-nav{float:left;margin:0}.navbar-nav>li{float:left}.navbar-nav>li>a{padding-top:14.5px;padding-bottom:14.5px}.navbar-nav.navbar-right:last-child{margin-right:-15px}}@media(min-width:768px){.navbar-left{float:left!important}.navbar-right{float:right!important}}.navbar-form{padding:10px 15px;margin-top:3.5px;margin-right:-15px;margin-bottom:3.5px;margin-left:-15px;border-top:1px solid transparent;border-bottom:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,0.1),0 1px 0 rgba(255,255,255,0.1);box-shadow:inset 0 1px 0 rgba(255,255,255,0.1),0 1px 0 rgba(255,255,255,0.1)}@media(min-width:768px){.navbar-form .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.navbar-form .form-control{display:inline-block}.navbar-form select.form-control{width:auto}.navbar-form .radio,.navbar-form .checkbox{display:inline-block;padding-left:0;margin-top:0;margin-bottom:0}.navbar-form .radio input[type="radio"],.navbar-form .checkbox input[type="checkbox"]{float:none;margin-left:0}}@media(max-width:767px){.navbar-form .form-group{margin-bottom:5px}}@media(min-width:768px){.navbar-form{width:auto;padding-top:0;padding-bottom:0;margin-right:0;margin-left:0;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-form.navbar-right:last-child{margin-right:-15px}}.navbar-nav>li>.dropdown-menu{margin-top:0;border-top-right-radius:0;border-top-left-radius:0}.navbar-fixed-bottom .navbar-nav>li>.dropdown-menu{border-bottom-right-radius:0;border-bottom-left-radius:0}.navbar-nav.pull-right>li>.dropdown-menu,.navbar-nav>li>.dropdown-menu.pull-right{right:0;left:auto}.navbar-btn{margin-top:3.5px;margin-bottom:3.5px}.navbar-btn.btn-sm{margin-top:9.5px;margin-bottom:9.5px}.navbar-btn.btn-xs{margin-top:14px;margin-bottom:14px}.navbar-text{margin-top:14.5px;margin-bottom:14.5px}@media(min-width:768px){.navbar-text{float:left;margin-right:15px;margin-left:15px}.navbar-text.navbar-right:last-child{margin-right:0}}.navbar-default{background-color:#222;border-color:#121212}.navbar-default .navbar-brand{color:#fff}.navbar-default .navbar-brand:hover,.navbar-default .navbar-brand:focus{color:#fff;background-color:none}.navbar-default .navbar-text{color:#fff}.navbar-default .navbar-nav>li>a{color:#fff}.navbar-default .navbar-nav>li>a:hover,.navbar-default .navbar-nav>li>a:focus{color:#fff;background-color:#090909}.navbar-default .navbar-nav>.active>a,.navbar-default .navbar-nav>.active>a:hover,.navbar-default .navbar-nav>.active>a:focus{color:#fff;background-color:#090909}.navbar-default .navbar-nav>.disabled>a,.navbar-default .navbar-nav>.disabled>a:hover,.navbar-default .navbar-nav>.disabled>a:focus{color:#ccc;background-color:transparent}.navbar-default .navbar-toggle{border-color:transparent}.navbar-default .navbar-toggle:hover,.navbar-default .navbar-toggle:focus{background-color:#090909}.navbar-default .navbar-toggle .icon-bar{background-color:#fff}.navbar-default .navbar-collapse,.navbar-default .navbar-form{border-color:#121212}.navbar-default .navbar-nav>.open>a,.navbar-default .navbar-nav>.open>a:hover,.navbar-default .navbar-nav>.open>a:focus{color:#fff;background-color:#090909}@media(max-width:767px){.navbar-default .navbar-nav .open .dropdown-menu>li>a{color:#fff}.navbar-default .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>li>a:focus{color:#fff;background-color:#090909}.navbar-default .navbar-nav .open .dropdown-menu>.active>a,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:focus{color:#fff;background-color:#090909}.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#ccc;background-color:transparent}}.navbar-default .navbar-link{color:#fff}.navbar-default .navbar-link:hover{color:#fff}.navbar-inverse{background-color:#007fff;border-color:#06c}.navbar-inverse .navbar-brand{color:#fff}.navbar-inverse .navbar-brand:hover,.navbar-inverse .navbar-brand:focus{color:#fff;background-color:none}.navbar-inverse .navbar-text{color:#fff}.navbar-inverse .navbar-nav>li>a{color:#fff}.navbar-inverse .navbar-nav>li>a:hover,.navbar-inverse .navbar-nav>li>a:focus{color:#fff;background-color:#06c}.navbar-inverse .navbar-nav>.active>a,.navbar-inverse .navbar-nav>.active>a:hover,.navbar-inverse .navbar-nav>.active>a:focus{color:#fff;background-color:#06c}.navbar-inverse .navbar-nav>.disabled>a,.navbar-inverse .navbar-nav>.disabled>a:hover,.navbar-inverse .navbar-nav>.disabled>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-toggle{border-color:transparent}.navbar-inverse .navbar-toggle:hover,.navbar-inverse .navbar-toggle:focus{background-color:#06c}.navbar-inverse .navbar-toggle .icon-bar{background-color:#fff}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#006ddb}.navbar-inverse .navbar-nav>.open>a,.navbar-inverse .navbar-nav>.open>a:hover,.navbar-inverse .navbar-nav>.open>a:focus{color:#fff;background-color:#06c}@media(max-width:767px){.navbar-inverse .navbar-nav .open .dropdown-menu>.dropdown-header{border-color:#06c}.navbar-inverse .navbar-nav .open .dropdown-menu .divider{background-color:#06c}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a{color:#fff}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:focus{color:#fff;background-color:#06c}.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:focus{color:#fff;background-color:#06c}.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#fff;background-color:transparent}}.navbar-inverse .navbar-link{color:#fff}.navbar-inverse .navbar-link:hover{color:#fff}.breadcrumb{padding:8px 15px;margin-bottom:21px;list-style:none;background-color:#f5f5f5;border-radius:0}.breadcrumb>li{display:inline-block}.breadcrumb>li+li:before{padding:0 5px;color:#ccc;content:"/\00a0"}.breadcrumb>.active{color:#999}.pagination{display:inline-block;padding-left:0;margin:21px 0;border-radius:0}.pagination>li{display:inline}.pagination>li>a,.pagination>li>span{position:relative;float:left;padding:10px 18px;margin-left:-1px;line-height:1.428571429;text-decoration:none;background-color:#fff;border:1px solid #ddd}.pagination>li:first-child>a,.pagination>li:first-child>span{margin-left:0;border-bottom-left-radius:0;border-top-left-radius:0}.pagination>li:last-child>a,.pagination>li:last-child>span{border-top-right-radius:0;border-bottom-right-radius:0}.pagination>li>a:hover,.pagination>li>span:hover,.pagination>li>a:focus,.pagination>li>span:focus{background-color:#e6e6e6}.pagination>.active>a,.pagination>.active>span,.pagination>.active>a:hover,.pagination>.active>span:hover,.pagination>.active>a:focus,.pagination>.active>span:focus{z-index:2;color:#999;cursor:default;background-color:#f5f5f5;border-color:#f5f5f5}.pagination>.disabled>span,.pagination>.disabled>span:hover,.pagination>.disabled>span:focus,.pagination>.disabled>a,.pagination>.disabled>a:hover,.pagination>.disabled>a:focus{color:#999;cursor:not-allowed;background-color:#fff;border-color:#ddd}.pagination-lg>li>a,.pagination-lg>li>span{padding:18px 30px;font-size:19px}.pagination-lg>li:first-child>a,.pagination-lg>li:first-child>span{border-bottom-left-radius:0;border-top-left-radius:0}.pagination-lg>li:last-child>a,.pagination-lg>li:last-child>span{border-top-right-radius:0;border-bottom-right-radius:0}.pagination-sm>li>a,.pagination-sm>li>span{padding:5px 10px;font-size:13px}.pagination-sm>li:first-child>a,.pagination-sm>li:first-child>span{border-bottom-left-radius:0;border-top-left-radius:0}.pagination-sm>li:last-child>a,.pagination-sm>li:last-child>span{border-top-right-radius:0;border-bottom-right-radius:0}.pager{padding-left:0;margin:21px 0;text-align:center;list-style:none}.pager:before,.pager:after{display:table;content:" "}.pager:after{clear:both}.pager:before,.pager:after{display:table;content:" "}.pager:after{clear:both}.pager:before,.pager:after{display:table;content:" "}.pager:after{clear:both}.pager:before,.pager:after{display:table;content:" "}.pager:after{clear:both}.pager:before,.pager:after{display:table;content:" "}.pager:after{clear:both}.pager li{display:inline}.pager li>a,.pager li>span{display:inline-block;padding:5px 14px;background-color:#fff;border:1px solid #ddd;border-radius:0}.pager li>a:hover,.pager li>a:focus{text-decoration:none;background-color:#e6e6e6}.pager .next>a,.pager .next>span{float:right}.pager .previous>a,.pager .previous>span{float:left}.pager .disabled>a,.pager .disabled>a:hover,.pager .disabled>a:focus,.pager .disabled>span{color:#999;cursor:not-allowed;background-color:#fff}.label{display:inline;padding:.2em .6em .3em;font-size:75%;font-weight:bold;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;border-radius:.25em}.label[href]:hover,.label[href]:focus{color:#fff;text-decoration:none;cursor:pointer}.label:empty{display:none}.btn .label{position:relative;top:-1px}.label-default{background-color:#222}.label-default[href]:hover,.label-default[href]:focus{background-color:#090909}.label-primary{background-color:#007fff}.label-primary[href]:hover,.label-primary[href]:focus{background-color:#06c}.label-success{background-color:#3fb618}.label-success[href]:hover,.label-success[href]:focus{background-color:#2f8912}.label-info{background-color:#9954bb}.label-info[href]:hover,.label-info[href]:focus{background-color:#7e3f9d}.label-warning{background-color:#ff7518}.label-warning[href]:hover,.label-warning[href]:focus{background-color:#e45c00}.label-danger{background-color:#ff0039}.label-danger[href]:hover,.label-danger[href]:focus{background-color:#cc002e}.badge{display:inline-block;min-width:10px;padding:3px 7px;font-size:13px;font-weight:bold;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;background-color:#999;border-radius:10px}.badge:empty{display:none}.btn .badge{position:relative;top:-1px}a.badge:hover,a.badge:focus{color:#fff;text-decoration:none;cursor:pointer}a.list-group-item.active>.badge,.nav-pills>.active>a>.badge{color:#007fff;background-color:#fff}.nav-pills>li>a>.badge{margin-left:3px}.jumbotron{padding:30px;margin-bottom:30px;font-size:23px;font-weight:200;line-height:2.1428571435;color:inherit;background-color:#e6e6e6}.jumbotron h1,.jumbotron .h1{line-height:1;color:inherit}.jumbotron p{line-height:1.4}.container .jumbotron{border-radius:0}.jumbotron .container{max-width:100%}@media screen and (min-width:768px){.jumbotron{padding-top:48px;padding-bottom:48px}.container .jumbotron{padding-right:60px;padding-left:60px}.jumbotron h1,.jumbotron .h1{font-size:67.5px}}.thumbnail{display:block;padding:4px;margin-bottom:21px;line-height:1.428571429;background-color:#fff;border:1px solid #ddd;border-radius:0;-webkit-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.thumbnail>img,.thumbnail a>img{display:block;height:auto;max-width:100%;margin-right:auto;margin-left:auto}a.thumbnail:hover,a.thumbnail:focus,a.thumbnail.active{border-color:#007fff}.thumbnail .caption{padding:9px;color:#333}.alert{padding:15px;margin-bottom:21px;border:1px solid transparent;border-radius:0}.alert h4{margin-top:0;color:inherit}.alert .alert-link{font-weight:bold}.alert>p,.alert>ul{margin-bottom:0}.alert>p+p{margin-top:5px}.alert-dismissable{padding-right:35px}.alert-dismissable .close{position:relative;top:-2px;right:-21px;color:inherit}.alert-success{color:#fff;background-color:#3fb618;border-color:#4e9f15}.alert-success hr{border-top-color:#438912}.alert-success .alert-link{color:#e6e6e6}.alert-info{color:#fff;background-color:#9954bb;border-color:#7643a8}.alert-info hr{border-top-color:#693c96}.alert-info .alert-link{color:#e6e6e6}.alert-warning{color:#fff;background-color:#ff7518;border-color:#ff4309}.alert-warning hr{border-top-color:#ee3800}.alert-warning .alert-link{color:#e6e6e6}.alert-danger{color:#fff;background-color:#ff0039;border-color:#f0005e}.alert-danger hr{border-top-color:#d60054}.alert-danger .alert-link{color:#e6e6e6}@-webkit-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}.progress{height:21px;margin-bottom:21px;overflow:hidden;background-color:#ccc;border-radius:0;-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,0.1);box-shadow:inset 0 1px 2px rgba(0,0,0,0.1)}.progress-bar{float:left;width:0;height:100%;font-size:13px;line-height:21px;color:#fff;text-align:center;background-color:#007fff;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,0.15);box-shadow:inset 0 -1px 0 rgba(0,0,0,0.15);-webkit-transition:width .6s ease;transition:width .6s ease}.progress-striped .progress-bar{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent);background-size:40px 40px}.progress.active .progress-bar{-webkit-animation:progress-bar-stripes 2s linear infinite;animation:progress-bar-stripes 2s linear infinite}.progress-bar-success{background-color:#3fb618}.progress-striped .progress-bar-success{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent)}.progress-bar-info{background-color:#9954bb}.progress-striped .progress-bar-info{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent)}.progress-bar-warning{background-color:#ff7518}.progress-striped .progress-bar-warning{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent)}.progress-bar-danger{background-color:#ff0039}.progress-striped .progress-bar-danger{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent)}.media,.media-body{overflow:hidden;zoom:1}.media,.media .media{margin-top:15px}.media:first-child{margin-top:0}.media-object{display:block}.media-heading{margin:0 0 5px}.media>.pull-left{margin-right:10px}.media>.pull-right{margin-left:10px}.media-list{padding-left:0;list-style:none}.list-group{padding-left:0;margin-bottom:20px}.list-group-item{position:relative;display:block;padding:10px 15px;margin-bottom:-1px;background-color:#fff;border:1px solid #ddd}.list-group-item:first-child{border-top-right-radius:0;border-top-left-radius:0}.list-group-item:last-child{margin-bottom:0;border-bottom-right-radius:0;border-bottom-left-radius:0}.list-group-item>.badge{float:right}.list-group-item>.badge+.badge{margin-right:5px}a.list-group-item{color:#555}a.list-group-item .list-group-item-heading{color:#333}a.list-group-item:hover,a.list-group-item:focus{text-decoration:none;background-color:#f5f5f5}a.list-group-item.active,a.list-group-item.active:hover,a.list-group-item.active:focus{z-index:2;color:#fff;background-color:#007fff;border-color:#007fff}a.list-group-item.active .list-group-item-heading,a.list-group-item.active:hover .list-group-item-heading,a.list-group-item.active:focus .list-group-item-heading{color:inherit}a.list-group-item.active .list-group-item-text,a.list-group-item.active:hover .list-group-item-text,a.list-group-item.active:focus .list-group-item-text{color:#cce5ff}.list-group-item-heading{margin-top:0;margin-bottom:5px}.list-group-item-text{margin-bottom:0;line-height:1.3}.panel{margin-bottom:21px;background-color:#fff;border:1px solid transparent;border-radius:0;-webkit-box-shadow:0 1px 1px rgba(0,0,0,0.05);box-shadow:0 1px 1px rgba(0,0,0,0.05)}.panel-body{padding:15px}.panel-body:before,.panel-body:after{display:table;content:" "}.panel-body:after{clear:both}.panel-body:before,.panel-body:after{display:table;content:" "}.panel-body:after{clear:both}.panel-body:before,.panel-body:after{display:table;content:" "}.panel-body:after{clear:both}.panel-body:before,.panel-body:after{display:table;content:" "}.panel-body:after{clear:both}.panel-body:before,.panel-body:after{display:table;content:" "}.panel-body:after{clear:both}.panel>.list-group{margin-bottom:0}.panel>.list-group .list-group-item{border-width:1px 0}.panel>.list-group .list-group-item:first-child{border-top-right-radius:0;border-top-left-radius:0}.panel>.list-group .list-group-item:last-child{border-bottom:0}.panel-heading+.list-group .list-group-item:first-child{border-top-width:0}.panel>.table,.panel>.table-responsive>.table{margin-bottom:0}.panel>.panel-body+.table,.panel>.panel-body+.table-responsive{border-top:1px solid #ddd}.panel>.table>tbody:first-child th,.panel>.table>tbody:first-child td{border-top:0}.panel>.table-bordered,.panel>.table-responsive>.table-bordered{border:0}.panel>.table-bordered>thead>tr>th:first-child,.panel>.table-responsive>.table-bordered>thead>tr>th:first-child,.panel>.table-bordered>tbody>tr>th:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:first-child,.panel>.table-bordered>tfoot>tr>th:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:first-child,.panel>.table-bordered>thead>tr>td:first-child,.panel>.table-responsive>.table-bordered>thead>tr>td:first-child,.panel>.table-bordered>tbody>tr>td:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:first-child,.panel>.table-bordered>tfoot>tr>td:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.panel>.table-bordered>thead>tr>th:last-child,.panel>.table-responsive>.table-bordered>thead>tr>th:last-child,.panel>.table-bordered>tbody>tr>th:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:last-child,.panel>.table-bordered>tfoot>tr>th:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:last-child,.panel>.table-bordered>thead>tr>td:last-child,.panel>.table-responsive>.table-bordered>thead>tr>td:last-child,.panel>.table-bordered>tbody>tr>td:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:last-child,.panel>.table-bordered>tfoot>tr>td:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.panel>.table-bordered>thead>tr:last-child>th,.panel>.table-responsive>.table-bordered>thead>tr:last-child>th,.panel>.table-bordered>tbody>tr:last-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>th,.panel>.table-bordered>tfoot>tr:last-child>th,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>th,.panel>.table-bordered>thead>tr:last-child>td,.panel>.table-responsive>.table-bordered>thead>tr:last-child>td,.panel>.table-bordered>tbody>tr:last-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>td,.panel>.table-bordered>tfoot>tr:last-child>td,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>td{border-bottom:0}.panel>.table-responsive{margin-bottom:0;border:0}.panel-heading{padding:10px 15px;border-bottom:1px solid transparent;border-top-right-radius:-1;border-top-left-radius:-1}.panel-heading>.dropdown .dropdown-toggle{color:inherit}.panel-title{margin-top:0;margin-bottom:0;font-size:17px;color:inherit}.panel-title>a{color:inherit}.panel-footer{padding:10px 15px;background-color:#f5f5f5;border-top:1px solid #ddd;border-bottom-right-radius:-1;border-bottom-left-radius:-1}.panel-group .panel{margin-bottom:0;overflow:hidden;border-radius:0}.panel-group .panel+.panel{margin-top:5px}.panel-group .panel-heading{border-bottom:0}.panel-group .panel-heading+.panel-collapse .panel-body{border-top:1px solid #ddd}.panel-group .panel-footer{border-top:0}.panel-group .panel-footer+.panel-collapse .panel-body{border-bottom:1px solid #ddd}.panel-default{border-color:#ddd}.panel-default>.panel-heading{color:#333;background-color:#f5f5f5;border-color:#ddd}.panel-default>.panel-heading+.panel-collapse .panel-body{border-top-color:#ddd}.panel-default>.panel-footer+.panel-collapse .panel-body{border-bottom-color:#ddd}.panel-primary{border-color:#007fff}.panel-primary>.panel-heading{color:#fff;background-color:#007fff;border-color:#007fff}.panel-primary>.panel-heading+.panel-collapse .panel-body{border-top-color:#007fff}.panel-primary>.panel-footer+.panel-collapse .panel-body{border-bottom-color:#007fff}.panel-success{border-color:#4e9f15}.panel-success>.panel-heading{color:#fff;background-color:#3fb618;border-color:#4e9f15}.panel-success>.panel-heading+.panel-collapse .panel-body{border-top-color:#4e9f15}.panel-success>.panel-footer+.panel-collapse .panel-body{border-bottom-color:#4e9f15}.panel-warning{border-color:#ff4309}.panel-warning>.panel-heading{color:#fff;background-color:#ff7518;border-color:#ff4309}.panel-warning>.panel-heading+.panel-collapse .panel-body{border-top-color:#ff4309}.panel-warning>.panel-footer+.panel-collapse .panel-body{border-bottom-color:#ff4309}.panel-danger{border-color:#f0005e}.panel-danger>.panel-heading{color:#fff;background-color:#ff0039;border-color:#f0005e}.panel-danger>.panel-heading+.panel-collapse .panel-body{border-top-color:#f0005e}.panel-danger>.panel-footer+.panel-collapse .panel-body{border-bottom-color:#f0005e}.panel-info{border-color:#7643a8}.panel-info>.panel-heading{color:#fff;background-color:#9954bb;border-color:#7643a8}.panel-info>.panel-heading+.panel-collapse .panel-body{border-top-color:#7643a8}.panel-info>.panel-footer+.panel-collapse .panel-body{border-bottom-color:#7643a8}.well{min-height:20px;padding:19px;margin-bottom:20px;background-color:#f5f5f5;border:1px solid #e3e3e3;border-radius:0;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.05);box-shadow:inset 0 1px 1px rgba(0,0,0,0.05)}.well blockquote{border-color:#ddd;border-color:rgba(0,0,0,0.15)}.well-lg{padding:24px;border-radius:0}.well-sm{padding:9px;border-radius:0}.close{float:right;font-size:22.5px;font-weight:bold;line-height:1;color:#000;text-shadow:0 1px 0 #fff;opacity:.2;filter:alpha(opacity=20)}.close:hover,.close:focus{color:#000;text-decoration:none;cursor:pointer;opacity:.5;filter:alpha(opacity=50)}button.close{padding:0;cursor:pointer;background:transparent;border:0;-webkit-appearance:none}.modal-open{overflow:hidden}.modal{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1040;display:none;overflow:auto;overflow-y:scroll}.modal.fade .modal-dialog{-webkit-transform:translate(0,-25%);-ms-transform:translate(0,-25%);transform:translate(0,-25%);-webkit-transition:-webkit-transform .3s ease-out;-moz-transition:-moz-transform .3s ease-out;-o-transition:-o-transform .3s ease-out;transition:transform .3s ease-out}.modal.in .modal-dialog{-webkit-transform:translate(0,0);-ms-transform:translate(0,0);transform:translate(0,0)}.modal-dialog{position:relative;z-index:1050;width:auto;margin:10px}.modal-content{position:relative;background-color:#fff;border:1px solid #999;border:1px solid rgba(0,0,0,0.2);border-radius:0;outline:0;-webkit-box-shadow:0 3px 9px rgba(0,0,0,0.5);box-shadow:0 3px 9px rgba(0,0,0,0.5);background-clip:padding-box}.modal-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1030;background-color:#000}.modal-backdrop.fade{opacity:0;filter:alpha(opacity=0)}.modal-backdrop.in{opacity:.5;filter:alpha(opacity=50)}.modal-header{min-height:16.428571429px;padding:15px;border-bottom:1px solid #e5e5e5}.modal-header .close{margin-top:-2px}.modal-title{margin:0;line-height:1.428571429}.modal-body{position:relative;padding:20px}.modal-footer{padding:19px 20px 20px;margin-top:15px;text-align:right;border-top:1px solid #e5e5e5}.modal-footer:before,.modal-footer:after{display:table;content:" "}.modal-footer:after{clear:both}.modal-footer:before,.modal-footer:after{display:table;content:" "}.modal-footer:after{clear:both}.modal-footer:before,.modal-footer:after{display:table;content:" "}.modal-footer:after{clear:both}.modal-footer:before,.modal-footer:after{display:table;content:" "}.modal-footer:after{clear:both}.modal-footer:before,.modal-footer:after{display:table;content:" "}.modal-footer:after{clear:both}.modal-footer .btn+.btn{margin-bottom:0;margin-left:5px}.modal-footer .btn-group .btn+.btn{margin-left:-1px}.modal-footer .btn-block+.btn-block{margin-left:0}@media screen and (min-width:768px){.modal-dialog{width:600px;margin:30px auto}.modal-content{-webkit-box-shadow:0 5px 15px rgba(0,0,0,0.5);box-shadow:0 5px 15px rgba(0,0,0,0.5)}}.tooltip{position:absolute;z-index:1030;display:block;font-size:13px;line-height:1.4;opacity:0;filter:alpha(opacity=0);visibility:visible}.tooltip.in{opacity:.9;filter:alpha(opacity=90)}.tooltip.top{padding:5px 0;margin-top:-3px}.tooltip.right{padding:0 5px;margin-left:3px}.tooltip.bottom{padding:5px 0;margin-top:3px}.tooltip.left{padding:0 5px;margin-left:-3px}.tooltip-inner{max-width:200px;padding:3px 8px;color:#fff;text-align:center;text-decoration:none;background-color:rgba(0,0,0,0.9);border-radius:0}.tooltip-arrow{position:absolute;width:0;height:0;border-color:transparent;border-style:solid}.tooltip.top .tooltip-arrow{bottom:0;left:50%;margin-left:-5px;border-top-color:rgba(0,0,0,0.9);border-width:5px 5px 0}.tooltip.top-left .tooltip-arrow{bottom:0;left:5px;border-top-color:rgba(0,0,0,0.9);border-width:5px 5px 0}.tooltip.top-right .tooltip-arrow{right:5px;bottom:0;border-top-color:rgba(0,0,0,0.9);border-width:5px 5px 0}.tooltip.right .tooltip-arrow{top:50%;left:0;margin-top:-5px;border-right-color:rgba(0,0,0,0.9);border-width:5px 5px 5px 0}.tooltip.left .tooltip-arrow{top:50%;right:0;margin-top:-5px;border-left-color:rgba(0,0,0,0.9);border-width:5px 0 5px 5px}.tooltip.bottom .tooltip-arrow{top:0;left:50%;margin-left:-5px;border-bottom-color:rgba(0,0,0,0.9);border-width:0 5px 5px}.tooltip.bottom-left .tooltip-arrow{top:0;left:5px;border-bottom-color:rgba(0,0,0,0.9);border-width:0 5px 5px}.tooltip.bottom-right .tooltip-arrow{top:0;right:5px;border-bottom-color:rgba(0,0,0,0.9);border-width:0 5px 5px}.popover{position:absolute;top:0;left:0;z-index:1010;display:none;max-width:276px;padding:1px;text-align:left;white-space:normal;background-color:#fff;border:1px solid #ccc;border:1px solid rgba(0,0,0,0.2);border-radius:0;-webkit-box-shadow:0 5px 10px rgba(0,0,0,0.2);box-shadow:0 5px 10px rgba(0,0,0,0.2);background-clip:padding-box}.popover.top{margin-top:-10px}.popover.right{margin-left:10px}.popover.bottom{margin-top:10px}.popover.left{margin-left:-10px}.popover-title{padding:8px 14px;margin:0;font-size:15px;font-weight:normal;line-height:18px;background-color:#f7f7f7;border-bottom:1px solid #ebebeb;border-radius:5px 5px 0 0}.popover-content{padding:9px 14px}.popover .arrow,.popover .arrow:after{position:absolute;display:block;width:0;height:0;border-color:transparent;border-style:solid}.popover .arrow{border-width:11px}.popover .arrow:after{border-width:10px;content:""}.popover.top .arrow{bottom:-11px;left:50%;margin-left:-11px;border-top-color:#999;border-top-color:rgba(0,0,0,0.25);border-bottom-width:0}.popover.top .arrow:after{bottom:1px;margin-left:-10px;border-top-color:#fff;border-bottom-width:0;content:" "}.popover.right .arrow{top:50%;left:-11px;margin-top:-11px;border-right-color:#999;border-right-color:rgba(0,0,0,0.25);border-left-width:0}.popover.right .arrow:after{bottom:-10px;left:1px;border-right-color:#fff;border-left-width:0;content:" "}.popover.bottom .arrow{top:-11px;left:50%;margin-left:-11px;border-bottom-color:#999;border-bottom-color:rgba(0,0,0,0.25);border-top-width:0}.popover.bottom .arrow:after{top:1px;margin-left:-10px;border-bottom-color:#fff;border-top-width:0;content:" "}.popover.left .arrow{top:50%;right:-11px;margin-top:-11px;border-left-color:#999;border-left-color:rgba(0,0,0,0.25);border-right-width:0}.popover.left .arrow:after{right:1px;bottom:-10px;border-left-color:#fff;border-right-width:0;content:" "}.carousel{position:relative}.carousel-inner{position:relative;width:100%;overflow:hidden}.carousel-inner>.item{position:relative;display:none;-webkit-transition:.6s ease-in-out left;transition:.6s ease-in-out left}.carousel-inner>.item>img,.carousel-inner>.item>a>img{display:block;height:auto;max-width:100%;line-height:1}.carousel-inner>.active,.carousel-inner>.next,.carousel-inner>.prev{display:block}.carousel-inner>.active{left:0}.carousel-inner>.next,.carousel-inner>.prev{position:absolute;top:0;width:100%}.carousel-inner>.next{left:100%}.carousel-inner>.prev{left:-100%}.carousel-inner>.next.left,.carousel-inner>.prev.right{left:0}.carousel-inner>.active.left{left:-100%}.carousel-inner>.active.right{left:100%}.carousel-control{position:absolute;top:0;bottom:0;left:0;width:15%;font-size:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,0.6);opacity:.5;filter:alpha(opacity=50)}.carousel-control.left{background-image:-webkit-linear-gradient(left,color-stop(rgba(0,0,0,0.5) 0),color-stop(rgba(0,0,0,0.0001) 100%));background-image:linear-gradient(to right,rgba(0,0,0,0.5) 0,rgba(0,0,0,0.0001) 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#80000000',endColorstr='#00000000',GradientType=1)}.carousel-control.right{right:0;left:auto;background-image:-webkit-linear-gradient(left,color-stop(rgba(0,0,0,0.0001) 0),color-stop(rgba(0,0,0,0.5) 100%));background-image:linear-gradient(to right,rgba(0,0,0,0.0001) 0,rgba(0,0,0,0.5) 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#00000000',endColorstr='#80000000',GradientType=1)}.carousel-control:hover,.carousel-control:focus{color:#fff;text-decoration:none;outline:0;opacity:.9;filter:alpha(opacity=90)}.carousel-control .icon-prev,.carousel-control .icon-next,.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right{position:absolute;top:50%;z-index:5;display:inline-block}.carousel-control .icon-prev,.carousel-control .glyphicon-chevron-left{left:50%}.carousel-control .icon-next,.carousel-control .glyphicon-chevron-right{right:50%}.carousel-control .icon-prev,.carousel-control .icon-next{width:20px;height:20px;margin-top:-10px;margin-left:-10px;font-family:serif}.carousel-control .icon-prev:before{content:'\2039'}.carousel-control .icon-next:before{content:'\203a'}.carousel-indicators{position:absolute;bottom:10px;left:50%;z-index:15;width:60%;padding-left:0;margin-left:-30%;text-align:center;list-style:none}.carousel-indicators li{display:inline-block;width:10px;height:10px;margin:1px;text-indent:-999px;cursor:pointer;background-color:#000 \9;background-color:rgba(0,0,0,0);border:1px solid #fff;border-radius:10px}.carousel-indicators .active{width:12px;height:12px;margin:0;background-color:#fff}.carousel-caption{position:absolute;right:15%;bottom:20px;left:15%;z-index:10;padding-top:20px;padding-bottom:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,0.6)}.carousel-caption .btn{text-shadow:none}@media screen and (min-width:768px){.carousel-control .glyphicons-chevron-left,.carousel-control .glyphicons-chevron-right,.carousel-control .icon-prev,.carousel-control .icon-next{width:30px;height:30px;margin-top:-15px;margin-left:-15px;font-size:30px}.carousel-caption{right:20%;left:20%;padding-bottom:30px}.carousel-indicators{bottom:20px}}.clearfix:before,.clearfix:after{display:table;content:" "}.clearfix:after{clear:both}.clearfix:before,.clearfix:after{display:table;content:" "}.clearfix:after{clear:both}.center-block{display:block;margin-right:auto;margin-left:auto}.pull-right{float:right!important}.pull-left{float:left!important}.hide{display:none!important}.show{display:block!important}.invisible{visibility:hidden}.text-hide{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.hidden{display:none!important;visibility:hidden!important}.affix{position:fixed}@-ms-viewport{width:device-width}.visible-xs,tr.visible-xs,th.visible-xs,td.visible-xs{display:none!important}@media(max-width:767px){.visible-xs{display:block!important}table.visible-xs{display:table}tr.visible-xs{display:table-row!important}th.visible-xs,td.visible-xs{display:table-cell!important}}@media(min-width:768px) and (max-width:991px){.visible-xs.visible-sm{display:block!important}table.visible-xs.visible-sm{display:table}tr.visible-xs.visible-sm{display:table-row!important}th.visible-xs.visible-sm,td.visible-xs.visible-sm{display:table-cell!important}}@media(min-width:992px) and (max-width:1199px){.visible-xs.visible-md{display:block!important}table.visible-xs.visible-md{display:table}tr.visible-xs.visible-md{display:table-row!important}th.visible-xs.visible-md,td.visible-xs.visible-md{display:table-cell!important}}@media(min-width:1200px){.visible-xs.visible-lg{display:block!important}table.visible-xs.visible-lg{display:table}tr.visible-xs.visible-lg{display:table-row!important}th.visible-xs.visible-lg,td.visible-xs.visible-lg{display:table-cell!important}}.visible-sm,tr.visible-sm,th.visible-sm,td.visible-sm{display:none!important}@media(max-width:767px){.visible-sm.visible-xs{display:block!important}table.visible-sm.visible-xs{display:table}tr.visible-sm.visible-xs{display:table-row!important}th.visible-sm.visible-xs,td.visible-sm.visible-xs{display:table-cell!important}}@media(min-width:768px) and (max-width:991px){.visible-sm{display:block!important}table.visible-sm{display:table}tr.visible-sm{display:table-row!important}th.visible-sm,td.visible-sm{display:table-cell!important}}@media(min-width:992px) and (max-width:1199px){.visible-sm.visible-md{display:block!important}table.visible-sm.visible-md{display:table}tr.visible-sm.visible-md{display:table-row!important}th.visible-sm.visible-md,td.visible-sm.visible-md{display:table-cell!important}}@media(min-width:1200px){.visible-sm.visible-lg{display:block!important}table.visible-sm.visible-lg{display:table}tr.visible-sm.visible-lg{display:table-row!important}th.visible-sm.visible-lg,td.visible-sm.visible-lg{display:table-cell!important}}.visible-md,tr.visible-md,th.visible-md,td.visible-md{display:none!important}@media(max-width:767px){.visible-md.visible-xs{display:block!important}table.visible-md.visible-xs{display:table}tr.visible-md.visible-xs{display:table-row!important}th.visible-md.visible-xs,td.visible-md.visible-xs{display:table-cell!important}}@media(min-width:768px) and (max-width:991px){.visible-md.visible-sm{display:block!important}table.visible-md.visible-sm{display:table}tr.visible-md.visible-sm{display:table-row!important}th.visible-md.visible-sm,td.visible-md.visible-sm{display:table-cell!important}}@media(min-width:992px) and (max-width:1199px){.visible-md{display:block!important}table.visible-md{display:table}tr.visible-md{display:table-row!important}th.visible-md,td.visible-md{display:table-cell!important}}@media(min-width:1200px){.visible-md.visible-lg{display:block!important}table.visible-md.visible-lg{display:table}tr.visible-md.visible-lg{display:table-row!important}th.visible-md.visible-lg,td.visible-md.visible-lg{display:table-cell!important}}.visible-lg,tr.visible-lg,th.visible-lg,td.visible-lg{display:none!important}@media(max-width:767px){.visible-lg.visible-xs{display:block!important}table.visible-lg.visible-xs{display:table}tr.visible-lg.visible-xs{display:table-row!important}th.visible-lg.visible-xs,td.visible-lg.visible-xs{display:table-cell!important}}@media(min-width:768px) and (max-width:991px){.visible-lg.visible-sm{display:block!important}table.visible-lg.visible-sm{display:table}tr.visible-lg.visible-sm{display:table-row!important}th.visible-lg.visible-sm,td.visible-lg.visible-sm{display:table-cell!important}}@media(min-width:992px) and (max-width:1199px){.visible-lg.visible-md{display:block!important}table.visible-lg.visible-md{display:table}tr.visible-lg.visible-md{display:table-row!important}th.visible-lg.visible-md,td.visible-lg.visible-md{display:table-cell!important}}@media(min-width:1200px){.visible-lg{display:block!important}table.visible-lg{display:table}tr.visible-lg{display:table-row!important}th.visible-lg,td.visible-lg{display:table-cell!important}}.hidden-xs{display:block!important}table.hidden-xs{display:table}tr.hidden-xs{display:table-row!important}th.hidden-xs,td.hidden-xs{display:table-cell!important}@media(max-width:767px){.hidden-xs,tr.hidden-xs,th.hidden-xs,td.hidden-xs{display:none!important}}@media(min-width:768px) and (max-width:991px){.hidden-xs.hidden-sm,tr.hidden-xs.hidden-sm,th.hidden-xs.hidden-sm,td.hidden-xs.hidden-sm{display:none!important}}@media(min-width:992px) and (max-width:1199px){.hidden-xs.hidden-md,tr.hidden-xs.hidden-md,th.hidden-xs.hidden-md,td.hidden-xs.hidden-md{display:none!important}}@media(min-width:1200px){.hidden-xs.hidden-lg,tr.hidden-xs.hidden-lg,th.hidden-xs.hidden-lg,td.hidden-xs.hidden-lg{display:none!important}}.hidden-sm{display:block!important}table.hidden-sm{display:table}tr.hidden-sm{display:table-row!important}th.hidden-sm,td.hidden-sm{display:table-cell!important}@media(max-width:767px){.hidden-sm.hidden-xs,tr.hidden-sm.hidden-xs,th.hidden-sm.hidden-xs,td.hidden-sm.hidden-xs{display:none!important}}@media(min-width:768px) and (max-width:991px){.hidden-sm,tr.hidden-sm,th.hidden-sm,td.hidden-sm{display:none!important}}@media(min-width:992px) and (max-width:1199px){.hidden-sm.hidden-md,tr.hidden-sm.hidden-md,th.hidden-sm.hidden-md,td.hidden-sm.hidden-md{display:none!important}}@media(min-width:1200px){.hidden-sm.hidden-lg,tr.hidden-sm.hidden-lg,th.hidden-sm.hidden-lg,td.hidden-sm.hidden-lg{display:none!important}}.hidden-md{display:block!important}table.hidden-md{display:table}tr.hidden-md{display:table-row!important}th.hidden-md,td.hidden-md{display:table-cell!important}@media(max-width:767px){.hidden-md.hidden-xs,tr.hidden-md.hidden-xs,th.hidden-md.hidden-xs,td.hidden-md.hidden-xs{display:none!important}}@media(min-width:768px) and (max-width:991px){.hidden-md.hidden-sm,tr.hidden-md.hidden-sm,th.hidden-md.hidden-sm,td.hidden-md.hidden-sm{display:none!important}}@media(min-width:992px) and (max-width:1199px){.hidden-md,tr.hidden-md,th.hidden-md,td.hidden-md{display:none!important}}@media(min-width:1200px){.hidden-md.hidden-lg,tr.hidden-md.hidden-lg,th.hidden-md.hidden-lg,td.hidden-md.hidden-lg{display:none!important}}.hidden-lg{display:block!important}table.hidden-lg{display:table}tr.hidden-lg{display:table-row!important}th.hidden-lg,td.hidden-lg{display:table-cell!important}@media(max-width:767px){.hidden-lg.hidden-xs,tr.hidden-lg.hidden-xs,th.hidden-lg.hidden-xs,td.hidden-lg.hidden-xs{display:none!important}}@media(min-width:768px) and (max-width:991px){.hidden-lg.hidden-sm,tr.hidden-lg.hidden-sm,th.hidden-lg.hidden-sm,td.hidden-lg.hidden-sm{display:none!important}}@media(min-width:992px) and (max-width:1199px){.hidden-lg.hidden-md,tr.hidden-lg.hidden-md,th.hidden-lg.hidden-md,td.hidden-lg.hidden-md{display:none!important}}@media(min-width:1200px){.hidden-lg,tr.hidden-lg,th.hidden-lg,td.hidden-lg{display:none!important}}.visible-print,tr.visible-print,th.visible-print,td.visible-print{display:none!important}@media print{.visible-print{display:block!important}table.visible-print{display:table}tr.visible-print{display:table-row!important}th.visible-print,td.visible-print{display:table-cell!important}.hidden-print,tr.hidden-print,th.hidden-print,td.hidden-print{display:none!important}}.btn{border:0}.text-primary,.text-primary:hover{color:#007fff}.text-success,.text-success:hover{color:#3fb618}.text-danger,.text-danger:hover{color:#ff0039}.text-warning,.text-warning:hover{color:#ff7518}.text-info,.text-info:hover{color:#9954bb}.table tr.success,.table tr.warning,.table tr.danger{color:#fff}.has-warning .help-block,.has-warning .control-label{color:#ff7518}.has-warning .form-control,.has-warning .form-control:focus{border:1px solid #ff7518}.has-error .help-block,.has-error .control-label{color:#ff0039}.has-error .form-control,.has-error .form-control:focus{border:1px solid #ff0039}.has-success .help-block,.has-success .control-label{color:#3fb618}.has-success .form-control,.has-success .form-control:focus{border:1px solid #3fb618}.nav-pills>li>a{border-radius:0}.dropdown-menu>li>a:hover,.dropdown-menu>li>a:focus{background-image:none}.pagination .active>a,.pagination .active>a:hover{border-color:#ddd}.alert{border:0}.alert .alert-link{color:#fff;text-decoration:underline}.label{border-radius:0}.close{opacity:1}.progress{height:8px;-webkit-box-shadow:none;box-shadow:none}.panel-heading,.panel-footer{border-top-right-radius:0;border-top-left-radius:0}.clearfix:before,.clearfix:after{display:table;content:" "}.clearfix:after{clear:both}.clearfix:before,.clearfix:after{display:table;content:" "}.clearfix:after{clear:both}.center-block{display:block;margin-right:auto;margin-left:auto}.pull-right{float:right!important}.pull-left{float:left!important}.hide{display:none!important}.show{display:block!important}.invisible{visibility:hidden}.text-hide{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.hidden{display:none!important;visibility:hidden!important}.affix{position:fixed}
+++ /dev/null
-/*!
- * Font Awesome 4.0.3 by @davegandy - http://fontawesome.io - @fontawesome
- * License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License)
- */
-/* FONT PATH
- * -------------------------- */
-@font-face {
- font-family: 'FontAwesome';
- src: url('../fonts/fontawesome-webfont.eot?v=4.0.3');
- src: url('../fonts/fontawesome-webfont.eot?#iefix&v=4.0.3') format('embedded-opentype'), url('../fonts/fontawesome-webfont.woff?v=4.0.3') format('woff'), url('../fonts/fontawesome-webfont.ttf?v=4.0.3') format('truetype'), url('../fonts/fontawesome-webfont.svg?v=4.0.3#fontawesomeregular') format('svg');
- font-weight: normal;
- font-style: normal;
-}
-.fa {
- display: inline-block;
- font-family: FontAwesome;
- font-style: normal;
- font-weight: normal;
- line-height: 1;
- -webkit-font-smoothing: antialiased;
- -moz-osx-font-smoothing: grayscale;
-}
-/* makes the font 33% larger relative to the icon container */
-.fa-lg {
- font-size: 1.3333333333333333em;
- line-height: 0.75em;
- vertical-align: -15%;
-}
-.fa-2x {
- font-size: 2em;
-}
-.fa-3x {
- font-size: 3em;
-}
-.fa-4x {
- font-size: 4em;
-}
-.fa-5x {
- font-size: 5em;
-}
-.fa-fw {
- width: 1.2857142857142858em;
- text-align: center;
-}
-.fa-ul {
- padding-left: 0;
- margin-left: 2.142857142857143em;
- list-style-type: none;
-}
-.fa-ul > li {
- position: relative;
-}
-.fa-li {
- position: absolute;
- left: -2.142857142857143em;
- width: 2.142857142857143em;
- top: 0.14285714285714285em;
- text-align: center;
-}
-.fa-li.fa-lg {
- left: -1.8571428571428572em;
-}
-.fa-border {
- padding: .2em .25em .15em;
- border: solid 0.08em #eeeeee;
- border-radius: .1em;
-}
-.pull-right {
- float: right;
-}
-.pull-left {
- float: left;
-}
-.fa.pull-left {
- margin-right: .3em;
-}
-.fa.pull-right {
- margin-left: .3em;
-}
-.fa-spin {
- -webkit-animation: spin 2s infinite linear;
- -moz-animation: spin 2s infinite linear;
- -o-animation: spin 2s infinite linear;
- animation: spin 2s infinite linear;
-}
-@-moz-keyframes spin {
- 0% {
- -moz-transform: rotate(0deg);
- }
- 100% {
- -moz-transform: rotate(359deg);
- }
-}
-@-webkit-keyframes spin {
- 0% {
- -webkit-transform: rotate(0deg);
- }
- 100% {
- -webkit-transform: rotate(359deg);
- }
-}
-@-o-keyframes spin {
- 0% {
- -o-transform: rotate(0deg);
- }
- 100% {
- -o-transform: rotate(359deg);
- }
-}
-@-ms-keyframes spin {
- 0% {
- -ms-transform: rotate(0deg);
- }
- 100% {
- -ms-transform: rotate(359deg);
- }
-}
-@keyframes spin {
- 0% {
- transform: rotate(0deg);
- }
- 100% {
- transform: rotate(359deg);
- }
-}
-.fa-rotate-90 {
- filter: progid:DXImageTransform.Microsoft.BasicImage(rotation=1);
- -webkit-transform: rotate(90deg);
- -moz-transform: rotate(90deg);
- -ms-transform: rotate(90deg);
- -o-transform: rotate(90deg);
- transform: rotate(90deg);
-}
-.fa-rotate-180 {
- filter: progid:DXImageTransform.Microsoft.BasicImage(rotation=2);
- -webkit-transform: rotate(180deg);
- -moz-transform: rotate(180deg);
- -ms-transform: rotate(180deg);
- -o-transform: rotate(180deg);
- transform: rotate(180deg);
-}
-.fa-rotate-270 {
- filter: progid:DXImageTransform.Microsoft.BasicImage(rotation=3);
- -webkit-transform: rotate(270deg);
- -moz-transform: rotate(270deg);
- -ms-transform: rotate(270deg);
- -o-transform: rotate(270deg);
- transform: rotate(270deg);
-}
-.fa-flip-horizontal {
- filter: progid:DXImageTransform.Microsoft.BasicImage(rotation=0, mirror=1);
- -webkit-transform: scale(-1, 1);
- -moz-transform: scale(-1, 1);
- -ms-transform: scale(-1, 1);
- -o-transform: scale(-1, 1);
- transform: scale(-1, 1);
-}
-.fa-flip-vertical {
- filter: progid:DXImageTransform.Microsoft.BasicImage(rotation=2, mirror=1);
- -webkit-transform: scale(1, -1);
- -moz-transform: scale(1, -1);
- -ms-transform: scale(1, -1);
- -o-transform: scale(1, -1);
- transform: scale(1, -1);
-}
-.fa-stack {
- position: relative;
- display: inline-block;
- width: 2em;
- height: 2em;
- line-height: 2em;
- vertical-align: middle;
-}
-.fa-stack-1x,
-.fa-stack-2x {
- position: absolute;
- left: 0;
- width: 100%;
- text-align: center;
-}
-.fa-stack-1x {
- line-height: inherit;
-}
-.fa-stack-2x {
- font-size: 2em;
-}
-.fa-inverse {
- color: #ffffff;
-}
-/* Font Awesome uses the Unicode Private Use Area (PUA) to ensure screen
- readers do not read off random characters that represent icons */
-.fa-glass:before {
- content: "\f000";
-}
-.fa-music:before {
- content: "\f001";
-}
-.fa-search:before {
- content: "\f002";
-}
-.fa-envelope-o:before {
- content: "\f003";
-}
-.fa-heart:before {
- content: "\f004";
-}
-.fa-star:before {
- content: "\f005";
-}
-.fa-star-o:before {
- content: "\f006";
-}
-.fa-user:before {
- content: "\f007";
-}
-.fa-film:before {
- content: "\f008";
-}
-.fa-th-large:before {
- content: "\f009";
-}
-.fa-th:before {
- content: "\f00a";
-}
-.fa-th-list:before {
- content: "\f00b";
-}
-.fa-check:before {
- content: "\f00c";
-}
-.fa-times:before {
- content: "\f00d";
-}
-.fa-search-plus:before {
- content: "\f00e";
-}
-.fa-search-minus:before {
- content: "\f010";
-}
-.fa-power-off:before {
- content: "\f011";
-}
-.fa-signal:before {
- content: "\f012";
-}
-.fa-gear:before,
-.fa-cog:before {
- content: "\f013";
-}
-.fa-trash-o:before {
- content: "\f014";
-}
-.fa-home:before {
- content: "\f015";
-}
-.fa-file-o:before {
- content: "\f016";
-}
-.fa-clock-o:before {
- content: "\f017";
-}
-.fa-road:before {
- content: "\f018";
-}
-.fa-download:before {
- content: "\f019";
-}
-.fa-arrow-circle-o-down:before {
- content: "\f01a";
-}
-.fa-arrow-circle-o-up:before {
- content: "\f01b";
-}
-.fa-inbox:before {
- content: "\f01c";
-}
-.fa-play-circle-o:before {
- content: "\f01d";
-}
-.fa-rotate-right:before,
-.fa-repeat:before {
- content: "\f01e";
-}
-.fa-refresh:before {
- content: "\f021";
-}
-.fa-list-alt:before {
- content: "\f022";
-}
-.fa-lock:before {
- content: "\f023";
-}
-.fa-flag:before {
- content: "\f024";
-}
-.fa-headphones:before {
- content: "\f025";
-}
-.fa-volume-off:before {
- content: "\f026";
-}
-.fa-volume-down:before {
- content: "\f027";
-}
-.fa-volume-up:before {
- content: "\f028";
-}
-.fa-qrcode:before {
- content: "\f029";
-}
-.fa-barcode:before {
- content: "\f02a";
-}
-.fa-tag:before {
- content: "\f02b";
-}
-.fa-tags:before {
- content: "\f02c";
-}
-.fa-book:before {
- content: "\f02d";
-}
-.fa-bookmark:before {
- content: "\f02e";
-}
-.fa-print:before {
- content: "\f02f";
-}
-.fa-camera:before {
- content: "\f030";
-}
-.fa-font:before {
- content: "\f031";
-}
-.fa-bold:before {
- content: "\f032";
-}
-.fa-italic:before {
- content: "\f033";
-}
-.fa-text-height:before {
- content: "\f034";
-}
-.fa-text-width:before {
- content: "\f035";
-}
-.fa-align-left:before {
- content: "\f036";
-}
-.fa-align-center:before {
- content: "\f037";
-}
-.fa-align-right:before {
- content: "\f038";
-}
-.fa-align-justify:before {
- content: "\f039";
-}
-.fa-list:before {
- content: "\f03a";
-}
-.fa-dedent:before,
-.fa-outdent:before {
- content: "\f03b";
-}
-.fa-indent:before {
- content: "\f03c";
-}
-.fa-video-camera:before {
- content: "\f03d";
-}
-.fa-picture-o:before {
- content: "\f03e";
-}
-.fa-pencil:before {
- content: "\f040";
-}
-.fa-map-marker:before {
- content: "\f041";
-}
-.fa-adjust:before {
- content: "\f042";
-}
-.fa-tint:before {
- content: "\f043";
-}
-.fa-edit:before,
-.fa-pencil-square-o:before {
- content: "\f044";
-}
-.fa-share-square-o:before {
- content: "\f045";
-}
-.fa-check-square-o:before {
- content: "\f046";
-}
-.fa-arrows:before {
- content: "\f047";
-}
-.fa-step-backward:before {
- content: "\f048";
-}
-.fa-fast-backward:before {
- content: "\f049";
-}
-.fa-backward:before {
- content: "\f04a";
-}
-.fa-play:before {
- content: "\f04b";
-}
-.fa-pause:before {
- content: "\f04c";
-}
-.fa-stop:before {
- content: "\f04d";
-}
-.fa-forward:before {
- content: "\f04e";
-}
-.fa-fast-forward:before {
- content: "\f050";
-}
-.fa-step-forward:before {
- content: "\f051";
-}
-.fa-eject:before {
- content: "\f052";
-}
-.fa-chevron-left:before {
- content: "\f053";
-}
-.fa-chevron-right:before {
- content: "\f054";
-}
-.fa-plus-circle:before {
- content: "\f055";
-}
-.fa-minus-circle:before {
- content: "\f056";
-}
-.fa-times-circle:before {
- content: "\f057";
-}
-.fa-check-circle:before {
- content: "\f058";
-}
-.fa-question-circle:before {
- content: "\f059";
-}
-.fa-info-circle:before {
- content: "\f05a";
-}
-.fa-crosshairs:before {
- content: "\f05b";
-}
-.fa-times-circle-o:before {
- content: "\f05c";
-}
-.fa-check-circle-o:before {
- content: "\f05d";
-}
-.fa-ban:before {
- content: "\f05e";
-}
-.fa-arrow-left:before {
- content: "\f060";
-}
-.fa-arrow-right:before {
- content: "\f061";
-}
-.fa-arrow-up:before {
- content: "\f062";
-}
-.fa-arrow-down:before {
- content: "\f063";
-}
-.fa-mail-forward:before,
-.fa-share:before {
- content: "\f064";
-}
-.fa-expand:before {
- content: "\f065";
-}
-.fa-compress:before {
- content: "\f066";
-}
-.fa-plus:before {
- content: "\f067";
-}
-.fa-minus:before {
- content: "\f068";
-}
-.fa-asterisk:before {
- content: "\f069";
-}
-.fa-exclamation-circle:before {
- content: "\f06a";
-}
-.fa-gift:before {
- content: "\f06b";
-}
-.fa-leaf:before {
- content: "\f06c";
-}
-.fa-fire:before {
- content: "\f06d";
-}
-.fa-eye:before {
- content: "\f06e";
-}
-.fa-eye-slash:before {
- content: "\f070";
-}
-.fa-warning:before,
-.fa-exclamation-triangle:before {
- content: "\f071";
-}
-.fa-plane:before {
- content: "\f072";
-}
-.fa-calendar:before {
- content: "\f073";
-}
-.fa-random:before {
- content: "\f074";
-}
-.fa-comment:before {
- content: "\f075";
-}
-.fa-magnet:before {
- content: "\f076";
-}
-.fa-chevron-up:before {
- content: "\f077";
-}
-.fa-chevron-down:before {
- content: "\f078";
-}
-.fa-retweet:before {
- content: "\f079";
-}
-.fa-shopping-cart:before {
- content: "\f07a";
-}
-.fa-folder:before {
- content: "\f07b";
-}
-.fa-folder-open:before {
- content: "\f07c";
-}
-.fa-arrows-v:before {
- content: "\f07d";
-}
-.fa-arrows-h:before {
- content: "\f07e";
-}
-.fa-bar-chart-o:before {
- content: "\f080";
-}
-.fa-twitter-square:before {
- content: "\f081";
-}
-.fa-facebook-square:before {
- content: "\f082";
-}
-.fa-camera-retro:before {
- content: "\f083";
-}
-.fa-key:before {
- content: "\f084";
-}
-.fa-gears:before,
-.fa-cogs:before {
- content: "\f085";
-}
-.fa-comments:before {
- content: "\f086";
-}
-.fa-thumbs-o-up:before {
- content: "\f087";
-}
-.fa-thumbs-o-down:before {
- content: "\f088";
-}
-.fa-star-half:before {
- content: "\f089";
-}
-.fa-heart-o:before {
- content: "\f08a";
-}
-.fa-sign-out:before {
- content: "\f08b";
-}
-.fa-linkedin-square:before {
- content: "\f08c";
-}
-.fa-thumb-tack:before {
- content: "\f08d";
-}
-.fa-external-link:before {
- content: "\f08e";
-}
-.fa-sign-in:before {
- content: "\f090";
-}
-.fa-trophy:before {
- content: "\f091";
-}
-.fa-github-square:before {
- content: "\f092";
-}
-.fa-upload:before {
- content: "\f093";
-}
-.fa-lemon-o:before {
- content: "\f094";
-}
-.fa-phone:before {
- content: "\f095";
-}
-.fa-square-o:before {
- content: "\f096";
-}
-.fa-bookmark-o:before {
- content: "\f097";
-}
-.fa-phone-square:before {
- content: "\f098";
-}
-.fa-twitter:before {
- content: "\f099";
-}
-.fa-facebook:before {
- content: "\f09a";
-}
-.fa-github:before {
- content: "\f09b";
-}
-.fa-unlock:before {
- content: "\f09c";
-}
-.fa-credit-card:before {
- content: "\f09d";
-}
-.fa-rss:before {
- content: "\f09e";
-}
-.fa-hdd-o:before {
- content: "\f0a0";
-}
-.fa-bullhorn:before {
- content: "\f0a1";
-}
-.fa-bell:before {
- content: "\f0f3";
-}
-.fa-certificate:before {
- content: "\f0a3";
-}
-.fa-hand-o-right:before {
- content: "\f0a4";
-}
-.fa-hand-o-left:before {
- content: "\f0a5";
-}
-.fa-hand-o-up:before {
- content: "\f0a6";
-}
-.fa-hand-o-down:before {
- content: "\f0a7";
-}
-.fa-arrow-circle-left:before {
- content: "\f0a8";
-}
-.fa-arrow-circle-right:before {
- content: "\f0a9";
-}
-.fa-arrow-circle-up:before {
- content: "\f0aa";
-}
-.fa-arrow-circle-down:before {
- content: "\f0ab";
-}
-.fa-globe:before {
- content: "\f0ac";
-}
-.fa-wrench:before {
- content: "\f0ad";
-}
-.fa-tasks:before {
- content: "\f0ae";
-}
-.fa-filter:before {
- content: "\f0b0";
-}
-.fa-briefcase:before {
- content: "\f0b1";
-}
-.fa-arrows-alt:before {
- content: "\f0b2";
-}
-.fa-group:before,
-.fa-users:before {
- content: "\f0c0";
-}
-.fa-chain:before,
-.fa-link:before {
- content: "\f0c1";
-}
-.fa-cloud:before {
- content: "\f0c2";
-}
-.fa-flask:before {
- content: "\f0c3";
-}
-.fa-cut:before,
-.fa-scissors:before {
- content: "\f0c4";
-}
-.fa-copy:before,
-.fa-files-o:before {
- content: "\f0c5";
-}
-.fa-paperclip:before {
- content: "\f0c6";
-}
-.fa-save:before,
-.fa-floppy-o:before {
- content: "\f0c7";
-}
-.fa-square:before {
- content: "\f0c8";
-}
-.fa-bars:before {
- content: "\f0c9";
-}
-.fa-list-ul:before {
- content: "\f0ca";
-}
-.fa-list-ol:before {
- content: "\f0cb";
-}
-.fa-strikethrough:before {
- content: "\f0cc";
-}
-.fa-underline:before {
- content: "\f0cd";
-}
-.fa-table:before {
- content: "\f0ce";
-}
-.fa-magic:before {
- content: "\f0d0";
-}
-.fa-truck:before {
- content: "\f0d1";
-}
-.fa-pinterest:before {
- content: "\f0d2";
-}
-.fa-pinterest-square:before {
- content: "\f0d3";
-}
-.fa-google-plus-square:before {
- content: "\f0d4";
-}
-.fa-google-plus:before {
- content: "\f0d5";
-}
-.fa-money:before {
- content: "\f0d6";
-}
-.fa-caret-down:before {
- content: "\f0d7";
-}
-.fa-caret-up:before {
- content: "\f0d8";
-}
-.fa-caret-left:before {
- content: "\f0d9";
-}
-.fa-caret-right:before {
- content: "\f0da";
-}
-.fa-columns:before {
- content: "\f0db";
-}
-.fa-unsorted:before,
-.fa-sort:before {
- content: "\f0dc";
-}
-.fa-sort-down:before,
-.fa-sort-asc:before {
- content: "\f0dd";
-}
-.fa-sort-up:before,
-.fa-sort-desc:before {
- content: "\f0de";
-}
-.fa-envelope:before {
- content: "\f0e0";
-}
-.fa-linkedin:before {
- content: "\f0e1";
-}
-.fa-rotate-left:before,
-.fa-undo:before {
- content: "\f0e2";
-}
-.fa-legal:before,
-.fa-gavel:before {
- content: "\f0e3";
-}
-.fa-dashboard:before,
-.fa-tachometer:before {
- content: "\f0e4";
-}
-.fa-comment-o:before {
- content: "\f0e5";
-}
-.fa-comments-o:before {
- content: "\f0e6";
-}
-.fa-flash:before,
-.fa-bolt:before {
- content: "\f0e7";
-}
-.fa-sitemap:before {
- content: "\f0e8";
-}
-.fa-umbrella:before {
- content: "\f0e9";
-}
-.fa-paste:before,
-.fa-clipboard:before {
- content: "\f0ea";
-}
-.fa-lightbulb-o:before {
- content: "\f0eb";
-}
-.fa-exchange:before {
- content: "\f0ec";
-}
-.fa-cloud-download:before {
- content: "\f0ed";
-}
-.fa-cloud-upload:before {
- content: "\f0ee";
-}
-.fa-user-md:before {
- content: "\f0f0";
-}
-.fa-stethoscope:before {
- content: "\f0f1";
-}
-.fa-suitcase:before {
- content: "\f0f2";
-}
-.fa-bell-o:before {
- content: "\f0a2";
-}
-.fa-coffee:before {
- content: "\f0f4";
-}
-.fa-cutlery:before {
- content: "\f0f5";
-}
-.fa-file-text-o:before {
- content: "\f0f6";
-}
-.fa-building-o:before {
- content: "\f0f7";
-}
-.fa-hospital-o:before {
- content: "\f0f8";
-}
-.fa-ambulance:before {
- content: "\f0f9";
-}
-.fa-medkit:before {
- content: "\f0fa";
-}
-.fa-fighter-jet:before {
- content: "\f0fb";
-}
-.fa-beer:before {
- content: "\f0fc";
-}
-.fa-h-square:before {
- content: "\f0fd";
-}
-.fa-plus-square:before {
- content: "\f0fe";
-}
-.fa-angle-double-left:before {
- content: "\f100";
-}
-.fa-angle-double-right:before {
- content: "\f101";
-}
-.fa-angle-double-up:before {
- content: "\f102";
-}
-.fa-angle-double-down:before {
- content: "\f103";
-}
-.fa-angle-left:before {
- content: "\f104";
-}
-.fa-angle-right:before {
- content: "\f105";
-}
-.fa-angle-up:before {
- content: "\f106";
-}
-.fa-angle-down:before {
- content: "\f107";
-}
-.fa-desktop:before {
- content: "\f108";
-}
-.fa-laptop:before {
- content: "\f109";
-}
-.fa-tablet:before {
- content: "\f10a";
-}
-.fa-mobile-phone:before,
-.fa-mobile:before {
- content: "\f10b";
-}
-.fa-circle-o:before {
- content: "\f10c";
-}
-.fa-quote-left:before {
- content: "\f10d";
-}
-.fa-quote-right:before {
- content: "\f10e";
-}
-.fa-spinner:before {
- content: "\f110";
-}
-.fa-circle:before {
- content: "\f111";
-}
-.fa-mail-reply:before,
-.fa-reply:before {
- content: "\f112";
-}
-.fa-github-alt:before {
- content: "\f113";
-}
-.fa-folder-o:before {
- content: "\f114";
-}
-.fa-folder-open-o:before {
- content: "\f115";
-}
-.fa-smile-o:before {
- content: "\f118";
-}
-.fa-frown-o:before {
- content: "\f119";
-}
-.fa-meh-o:before {
- content: "\f11a";
-}
-.fa-gamepad:before {
- content: "\f11b";
-}
-.fa-keyboard-o:before {
- content: "\f11c";
-}
-.fa-flag-o:before {
- content: "\f11d";
-}
-.fa-flag-checkered:before {
- content: "\f11e";
-}
-.fa-terminal:before {
- content: "\f120";
-}
-.fa-code:before {
- content: "\f121";
-}
-.fa-reply-all:before {
- content: "\f122";
-}
-.fa-mail-reply-all:before {
- content: "\f122";
-}
-.fa-star-half-empty:before,
-.fa-star-half-full:before,
-.fa-star-half-o:before {
- content: "\f123";
-}
-.fa-location-arrow:before {
- content: "\f124";
-}
-.fa-crop:before {
- content: "\f125";
-}
-.fa-code-fork:before {
- content: "\f126";
-}
-.fa-unlink:before,
-.fa-chain-broken:before {
- content: "\f127";
-}
-.fa-question:before {
- content: "\f128";
-}
-.fa-info:before {
- content: "\f129";
-}
-.fa-exclamation:before {
- content: "\f12a";
-}
-.fa-superscript:before {
- content: "\f12b";
-}
-.fa-subscript:before {
- content: "\f12c";
-}
-.fa-eraser:before {
- content: "\f12d";
-}
-.fa-puzzle-piece:before {
- content: "\f12e";
-}
-.fa-microphone:before {
- content: "\f130";
-}
-.fa-microphone-slash:before {
- content: "\f131";
-}
-.fa-shield:before {
- content: "\f132";
-}
-.fa-calendar-o:before {
- content: "\f133";
-}
-.fa-fire-extinguisher:before {
- content: "\f134";
-}
-.fa-rocket:before {
- content: "\f135";
-}
-.fa-maxcdn:before {
- content: "\f136";
-}
-.fa-chevron-circle-left:before {
- content: "\f137";
-}
-.fa-chevron-circle-right:before {
- content: "\f138";
-}
-.fa-chevron-circle-up:before {
- content: "\f139";
-}
-.fa-chevron-circle-down:before {
- content: "\f13a";
-}
-.fa-html5:before {
- content: "\f13b";
-}
-.fa-css3:before {
- content: "\f13c";
-}
-.fa-anchor:before {
- content: "\f13d";
-}
-.fa-unlock-alt:before {
- content: "\f13e";
-}
-.fa-bullseye:before {
- content: "\f140";
-}
-.fa-ellipsis-h:before {
- content: "\f141";
-}
-.fa-ellipsis-v:before {
- content: "\f142";
-}
-.fa-rss-square:before {
- content: "\f143";
-}
-.fa-play-circle:before {
- content: "\f144";
-}
-.fa-ticket:before {
- content: "\f145";
-}
-.fa-minus-square:before {
- content: "\f146";
-}
-.fa-minus-square-o:before {
- content: "\f147";
-}
-.fa-level-up:before {
- content: "\f148";
-}
-.fa-level-down:before {
- content: "\f149";
-}
-.fa-check-square:before {
- content: "\f14a";
-}
-.fa-pencil-square:before {
- content: "\f14b";
-}
-.fa-external-link-square:before {
- content: "\f14c";
-}
-.fa-share-square:before {
- content: "\f14d";
-}
-.fa-compass:before {
- content: "\f14e";
-}
-.fa-toggle-down:before,
-.fa-caret-square-o-down:before {
- content: "\f150";
-}
-.fa-toggle-up:before,
-.fa-caret-square-o-up:before {
- content: "\f151";
-}
-.fa-toggle-right:before,
-.fa-caret-square-o-right:before {
- content: "\f152";
-}
-.fa-euro:before,
-.fa-eur:before {
- content: "\f153";
-}
-.fa-gbp:before {
- content: "\f154";
-}
-.fa-dollar:before,
-.fa-usd:before {
- content: "\f155";
-}
-.fa-rupee:before,
-.fa-inr:before {
- content: "\f156";
-}
-.fa-cny:before,
-.fa-rmb:before,
-.fa-yen:before,
-.fa-jpy:before {
- content: "\f157";
-}
-.fa-ruble:before,
-.fa-rouble:before,
-.fa-rub:before {
- content: "\f158";
-}
-.fa-won:before,
-.fa-krw:before {
- content: "\f159";
-}
-.fa-bitcoin:before,
-.fa-btc:before {
- content: "\f15a";
-}
-.fa-file:before {
- content: "\f15b";
-}
-.fa-file-text:before {
- content: "\f15c";
-}
-.fa-sort-alpha-asc:before {
- content: "\f15d";
-}
-.fa-sort-alpha-desc:before {
- content: "\f15e";
-}
-.fa-sort-amount-asc:before {
- content: "\f160";
-}
-.fa-sort-amount-desc:before {
- content: "\f161";
-}
-.fa-sort-numeric-asc:before {
- content: "\f162";
-}
-.fa-sort-numeric-desc:before {
- content: "\f163";
-}
-.fa-thumbs-up:before {
- content: "\f164";
-}
-.fa-thumbs-down:before {
- content: "\f165";
-}
-.fa-youtube-square:before {
- content: "\f166";
-}
-.fa-youtube:before {
- content: "\f167";
-}
-.fa-xing:before {
- content: "\f168";
-}
-.fa-xing-square:before {
- content: "\f169";
-}
-.fa-youtube-play:before {
- content: "\f16a";
-}
-.fa-dropbox:before {
- content: "\f16b";
-}
-.fa-stack-overflow:before {
- content: "\f16c";
-}
-.fa-instagram:before {
- content: "\f16d";
-}
-.fa-flickr:before {
- content: "\f16e";
-}
-.fa-adn:before {
- content: "\f170";
-}
-.fa-bitbucket:before {
- content: "\f171";
-}
-.fa-bitbucket-square:before {
- content: "\f172";
-}
-.fa-tumblr:before {
- content: "\f173";
-}
-.fa-tumblr-square:before {
- content: "\f174";
-}
-.fa-long-arrow-down:before {
- content: "\f175";
-}
-.fa-long-arrow-up:before {
- content: "\f176";
-}
-.fa-long-arrow-left:before {
- content: "\f177";
-}
-.fa-long-arrow-right:before {
- content: "\f178";
-}
-.fa-apple:before {
- content: "\f179";
-}
-.fa-windows:before {
- content: "\f17a";
-}
-.fa-android:before {
- content: "\f17b";
-}
-.fa-linux:before {
- content: "\f17c";
-}
-.fa-dribbble:before {
- content: "\f17d";
-}
-.fa-skype:before {
- content: "\f17e";
-}
-.fa-foursquare:before {
- content: "\f180";
-}
-.fa-trello:before {
- content: "\f181";
-}
-.fa-female:before {
- content: "\f182";
-}
-.fa-male:before {
- content: "\f183";
-}
-.fa-gittip:before {
- content: "\f184";
-}
-.fa-sun-o:before {
- content: "\f185";
-}
-.fa-moon-o:before {
- content: "\f186";
-}
-.fa-archive:before {
- content: "\f187";
-}
-.fa-bug:before {
- content: "\f188";
-}
-.fa-vk:before {
- content: "\f189";
-}
-.fa-weibo:before {
- content: "\f18a";
-}
-.fa-renren:before {
- content: "\f18b";
-}
-.fa-pagelines:before {
- content: "\f18c";
-}
-.fa-stack-exchange:before {
- content: "\f18d";
-}
-.fa-arrow-circle-o-right:before {
- content: "\f18e";
-}
-.fa-arrow-circle-o-left:before {
- content: "\f190";
-}
-.fa-toggle-left:before,
-.fa-caret-square-o-left:before {
- content: "\f191";
-}
-.fa-dot-circle-o:before {
- content: "\f192";
-}
-.fa-wheelchair:before {
- content: "\f193";
-}
-.fa-vimeo-square:before {
- content: "\f194";
-}
-.fa-turkish-lira:before,
-.fa-try:before {
- content: "\f195";
-}
-.fa-plus-square-o:before {
- content: "\f196";
-}
+++ /dev/null
-.com { color: #93a1a1; }
-.lit { color: #195f91; }
-.pun, .opn, .clo { color: #93a1a1; }
-.fun { color: #dc322f; }
-.str, .atv { color: #D14; }
-.kwd, .prettyprint .tag { color: #1e347b; }
-.typ, .atn, .dec, .var { color: teal; }
-.pln { color: #48484c; }
-
-.prettyprint {
- padding: 8px;
-}
-.prettyprint.linenums {
- -webkit-box-shadow: inset 40px 0 0 #fbfbfc, inset 41px 0 0 #ececf0;
- -moz-box-shadow: inset 40px 0 0 #fbfbfc, inset 41px 0 0 #ececf0;
- box-shadow: inset 40px 0 0 #fbfbfc, inset 41px 0 0 #ececf0;
-}
-
-/* Specify class=linenums on a pre to get line numbering */
-ol.linenums {
- margin: 0 0 0 33px; /* IE indents via margin-left */
-}
-ol.linenums li {
- padding-left: 12px;
- color: #bebec5;
- line-height: 20px;
- text-shadow: 0 1px 0 #fff;
-}
+++ /dev/null
-<?xml version="1.0" standalone="no"?>
-<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd" >
-<svg xmlns="http://www.w3.org/2000/svg">
-<metadata></metadata>
-<defs>
-<font id="fontawesomeregular" horiz-adv-x="1536" >
-<font-face units-per-em="1792" ascent="1536" descent="-256" />
-<missing-glyph horiz-adv-x="448" />
-<glyph unicode=" " horiz-adv-x="448" />
-<glyph unicode="	" horiz-adv-x="448" />
-<glyph unicode=" " horiz-adv-x="448" />
-<glyph unicode="¨" horiz-adv-x="1792" />
-<glyph unicode="©" horiz-adv-x="1792" />
-<glyph unicode="®" horiz-adv-x="1792" />
-<glyph unicode="´" horiz-adv-x="1792" />
-<glyph unicode="Æ" horiz-adv-x="1792" />
-<glyph unicode=" " horiz-adv-x="768" />
-<glyph unicode=" " />
-<glyph unicode=" " horiz-adv-x="768" />
-<glyph unicode=" " />
-<glyph unicode=" " horiz-adv-x="512" />
-<glyph unicode=" " horiz-adv-x="384" />
-<glyph unicode=" " horiz-adv-x="256" />
-<glyph unicode=" " horiz-adv-x="256" />
-<glyph unicode=" " horiz-adv-x="192" />
-<glyph unicode=" " horiz-adv-x="307" />
-<glyph unicode=" " horiz-adv-x="85" />
-<glyph unicode=" " horiz-adv-x="307" />
-<glyph unicode=" " horiz-adv-x="384" />
-<glyph unicode="™" horiz-adv-x="1792" />
-<glyph unicode="∞" horiz-adv-x="1792" />
-<glyph unicode="≠" horiz-adv-x="1792" />
-<glyph unicode="" horiz-adv-x="500" d="M0 0z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1699 1350q0 -35 -43 -78l-632 -632v-768h320q26 0 45 -19t19 -45t-19 -45t-45 -19h-896q-26 0 -45 19t-19 45t19 45t45 19h320v768l-632 632q-43 43 -43 78q0 23 18 36.5t38 17.5t43 4h1408q23 0 43 -4t38 -17.5t18 -36.5z" />
-<glyph unicode="" d="M1536 1312v-1120q0 -50 -34 -89t-86 -60.5t-103.5 -32t-96.5 -10.5t-96.5 10.5t-103.5 32t-86 60.5t-34 89t34 89t86 60.5t103.5 32t96.5 10.5q105 0 192 -39v537l-768 -237v-709q0 -50 -34 -89t-86 -60.5t-103.5 -32t-96.5 -10.5t-96.5 10.5t-103.5 32t-86 60.5t-34 89 t34 89t86 60.5t103.5 32t96.5 10.5q105 0 192 -39v967q0 31 19 56.5t49 35.5l832 256q12 4 28 4q40 0 68 -28t28 -68z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1152 704q0 185 -131.5 316.5t-316.5 131.5t-316.5 -131.5t-131.5 -316.5t131.5 -316.5t316.5 -131.5t316.5 131.5t131.5 316.5zM1664 -128q0 -52 -38 -90t-90 -38q-54 0 -90 38l-343 342q-179 -124 -399 -124q-143 0 -273.5 55.5t-225 150t-150 225t-55.5 273.5 t55.5 273.5t150 225t225 150t273.5 55.5t273.5 -55.5t225 -150t150 -225t55.5 -273.5q0 -220 -124 -399l343 -343q37 -37 37 -90z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1664 32v768q-32 -36 -69 -66q-268 -206 -426 -338q-51 -43 -83 -67t-86.5 -48.5t-102.5 -24.5h-1h-1q-48 0 -102.5 24.5t-86.5 48.5t-83 67q-158 132 -426 338q-37 30 -69 66v-768q0 -13 9.5 -22.5t22.5 -9.5h1472q13 0 22.5 9.5t9.5 22.5zM1664 1083v11v13.5t-0.5 13 t-3 12.5t-5.5 9t-9 7.5t-14 2.5h-1472q-13 0 -22.5 -9.5t-9.5 -22.5q0 -168 147 -284q193 -152 401 -317q6 -5 35 -29.5t46 -37.5t44.5 -31.5t50.5 -27.5t43 -9h1h1q20 0 43 9t50.5 27.5t44.5 31.5t46 37.5t35 29.5q208 165 401 317q54 43 100.5 115.5t46.5 131.5z M1792 1120v-1088q0 -66 -47 -113t-113 -47h-1472q-66 0 -113 47t-47 113v1088q0 66 47 113t113 47h1472q66 0 113 -47t47 -113z" />
-<glyph unicode="" horiz-adv-x="1792" d="M896 -128q-26 0 -44 18l-624 602q-10 8 -27.5 26t-55.5 65.5t-68 97.5t-53.5 121t-23.5 138q0 220 127 344t351 124q62 0 126.5 -21.5t120 -58t95.5 -68.5t76 -68q36 36 76 68t95.5 68.5t120 58t126.5 21.5q224 0 351 -124t127 -344q0 -221 -229 -450l-623 -600 q-18 -18 -44 -18z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1664 889q0 -22 -26 -48l-363 -354l86 -500q1 -7 1 -20q0 -21 -10.5 -35.5t-30.5 -14.5q-19 0 -40 12l-449 236l-449 -236q-22 -12 -40 -12q-21 0 -31.5 14.5t-10.5 35.5q0 6 2 20l86 500l-364 354q-25 27 -25 48q0 37 56 46l502 73l225 455q19 41 49 41t49 -41l225 -455 l502 -73q56 -9 56 -46z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1137 532l306 297l-422 62l-189 382l-189 -382l-422 -62l306 -297l-73 -421l378 199l377 -199zM1664 889q0 -22 -26 -48l-363 -354l86 -500q1 -7 1 -20q0 -50 -41 -50q-19 0 -40 12l-449 236l-449 -236q-22 -12 -40 -12q-21 0 -31.5 14.5t-10.5 35.5q0 6 2 20l86 500 l-364 354q-25 27 -25 48q0 37 56 46l502 73l225 455q19 41 49 41t49 -41l225 -455l502 -73q56 -9 56 -46z" />
-<glyph unicode="" horiz-adv-x="1408" d="M1408 131q0 -120 -73 -189.5t-194 -69.5h-874q-121 0 -194 69.5t-73 189.5q0 53 3.5 103.5t14 109t26.5 108.5t43 97.5t62 81t85.5 53.5t111.5 20q9 0 42 -21.5t74.5 -48t108 -48t133.5 -21.5t133.5 21.5t108 48t74.5 48t42 21.5q61 0 111.5 -20t85.5 -53.5t62 -81 t43 -97.5t26.5 -108.5t14 -109t3.5 -103.5zM1088 1024q0 -159 -112.5 -271.5t-271.5 -112.5t-271.5 112.5t-112.5 271.5t112.5 271.5t271.5 112.5t271.5 -112.5t112.5 -271.5z" />
-<glyph unicode="" horiz-adv-x="1920" d="M384 -64v128q0 26 -19 45t-45 19h-128q-26 0 -45 -19t-19 -45v-128q0 -26 19 -45t45 -19h128q26 0 45 19t19 45zM384 320v128q0 26 -19 45t-45 19h-128q-26 0 -45 -19t-19 -45v-128q0 -26 19 -45t45 -19h128q26 0 45 19t19 45zM384 704v128q0 26 -19 45t-45 19h-128 q-26 0 -45 -19t-19 -45v-128q0 -26 19 -45t45 -19h128q26 0 45 19t19 45zM1408 -64v512q0 26 -19 45t-45 19h-768q-26 0 -45 -19t-19 -45v-512q0 -26 19 -45t45 -19h768q26 0 45 19t19 45zM384 1088v128q0 26 -19 45t-45 19h-128q-26 0 -45 -19t-19 -45v-128q0 -26 19 -45 t45 -19h128q26 0 45 19t19 45zM1792 -64v128q0 26 -19 45t-45 19h-128q-26 0 -45 -19t-19 -45v-128q0 -26 19 -45t45 -19h128q26 0 45 19t19 45zM1408 704v512q0 26 -19 45t-45 19h-768q-26 0 -45 -19t-19 -45v-512q0 -26 19 -45t45 -19h768q26 0 45 19t19 45zM1792 320v128 q0 26 -19 45t-45 19h-128q-26 0 -45 -19t-19 -45v-128q0 -26 19 -45t45 -19h128q26 0 45 19t19 45zM1792 704v128q0 26 -19 45t-45 19h-128q-26 0 -45 -19t-19 -45v-128q0 -26 19 -45t45 -19h128q26 0 45 19t19 45zM1792 1088v128q0 26 -19 45t-45 19h-128q-26 0 -45 -19 t-19 -45v-128q0 -26 19 -45t45 -19h128q26 0 45 19t19 45zM1920 1248v-1344q0 -66 -47 -113t-113 -47h-1600q-66 0 -113 47t-47 113v1344q0 66 47 113t113 47h1600q66 0 113 -47t47 -113z" />
-<glyph unicode="" horiz-adv-x="1664" d="M768 512v-384q0 -52 -38 -90t-90 -38h-512q-52 0 -90 38t-38 90v384q0 52 38 90t90 38h512q52 0 90 -38t38 -90zM768 1280v-384q0 -52 -38 -90t-90 -38h-512q-52 0 -90 38t-38 90v384q0 52 38 90t90 38h512q52 0 90 -38t38 -90zM1664 512v-384q0 -52 -38 -90t-90 -38 h-512q-52 0 -90 38t-38 90v384q0 52 38 90t90 38h512q52 0 90 -38t38 -90zM1664 1280v-384q0 -52 -38 -90t-90 -38h-512q-52 0 -90 38t-38 90v384q0 52 38 90t90 38h512q52 0 90 -38t38 -90z" />
-<glyph unicode="" horiz-adv-x="1792" d="M512 288v-192q0 -40 -28 -68t-68 -28h-320q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h320q40 0 68 -28t28 -68zM512 800v-192q0 -40 -28 -68t-68 -28h-320q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h320q40 0 68 -28t28 -68zM1152 288v-192q0 -40 -28 -68t-68 -28h-320 q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h320q40 0 68 -28t28 -68zM512 1312v-192q0 -40 -28 -68t-68 -28h-320q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h320q40 0 68 -28t28 -68zM1152 800v-192q0 -40 -28 -68t-68 -28h-320q-40 0 -68 28t-28 68v192q0 40 28 68t68 28 h320q40 0 68 -28t28 -68zM1792 288v-192q0 -40 -28 -68t-68 -28h-320q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h320q40 0 68 -28t28 -68zM1152 1312v-192q0 -40 -28 -68t-68 -28h-320q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h320q40 0 68 -28t28 -68zM1792 800v-192 q0 -40 -28 -68t-68 -28h-320q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h320q40 0 68 -28t28 -68zM1792 1312v-192q0 -40 -28 -68t-68 -28h-320q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h320q40 0 68 -28t28 -68z" />
-<glyph unicode="" horiz-adv-x="1792" d="M512 288v-192q0 -40 -28 -68t-68 -28h-320q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h320q40 0 68 -28t28 -68zM512 800v-192q0 -40 -28 -68t-68 -28h-320q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h320q40 0 68 -28t28 -68zM1792 288v-192q0 -40 -28 -68t-68 -28h-960 q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h960q40 0 68 -28t28 -68zM512 1312v-192q0 -40 -28 -68t-68 -28h-320q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h320q40 0 68 -28t28 -68zM1792 800v-192q0 -40 -28 -68t-68 -28h-960q-40 0 -68 28t-28 68v192q0 40 28 68t68 28 h960q40 0 68 -28t28 -68zM1792 1312v-192q0 -40 -28 -68t-68 -28h-960q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h960q40 0 68 -28t28 -68z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1671 970q0 -40 -28 -68l-724 -724l-136 -136q-28 -28 -68 -28t-68 28l-136 136l-362 362q-28 28 -28 68t28 68l136 136q28 28 68 28t68 -28l294 -295l656 657q28 28 68 28t68 -28l136 -136q28 -28 28 -68z" />
-<glyph unicode="" horiz-adv-x="1408" d="M1298 214q0 -40 -28 -68l-136 -136q-28 -28 -68 -28t-68 28l-294 294l-294 -294q-28 -28 -68 -28t-68 28l-136 136q-28 28 -28 68t28 68l294 294l-294 294q-28 28 -28 68t28 68l136 136q28 28 68 28t68 -28l294 -294l294 294q28 28 68 28t68 -28l136 -136q28 -28 28 -68 t-28 -68l-294 -294l294 -294q28 -28 28 -68z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1024 736v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-224v-224q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v224h-224q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h224v224q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5v-224h224 q13 0 22.5 -9.5t9.5 -22.5zM1152 704q0 185 -131.5 316.5t-316.5 131.5t-316.5 -131.5t-131.5 -316.5t131.5 -316.5t316.5 -131.5t316.5 131.5t131.5 316.5zM1664 -128q0 -53 -37.5 -90.5t-90.5 -37.5q-54 0 -90 38l-343 342q-179 -124 -399 -124q-143 0 -273.5 55.5 t-225 150t-150 225t-55.5 273.5t55.5 273.5t150 225t225 150t273.5 55.5t273.5 -55.5t225 -150t150 -225t55.5 -273.5q0 -220 -124 -399l343 -343q37 -37 37 -90z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1024 736v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-576q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h576q13 0 22.5 -9.5t9.5 -22.5zM1152 704q0 185 -131.5 316.5t-316.5 131.5t-316.5 -131.5t-131.5 -316.5t131.5 -316.5t316.5 -131.5t316.5 131.5t131.5 316.5z M1664 -128q0 -53 -37.5 -90.5t-90.5 -37.5q-54 0 -90 38l-343 342q-179 -124 -399 -124q-143 0 -273.5 55.5t-225 150t-150 225t-55.5 273.5t55.5 273.5t150 225t225 150t273.5 55.5t273.5 -55.5t225 -150t150 -225t55.5 -273.5q0 -220 -124 -399l343 -343q37 -37 37 -90z " />
-<glyph unicode="" d="M1536 640q0 -156 -61 -298t-164 -245t-245 -164t-298 -61t-298 61t-245 164t-164 245t-61 298q0 182 80.5 343t226.5 270q43 32 95.5 25t83.5 -50q32 -42 24.5 -94.5t-49.5 -84.5q-98 -74 -151.5 -181t-53.5 -228q0 -104 40.5 -198.5t109.5 -163.5t163.5 -109.5 t198.5 -40.5t198.5 40.5t163.5 109.5t109.5 163.5t40.5 198.5q0 121 -53.5 228t-151.5 181q-42 32 -49.5 84.5t24.5 94.5q31 43 84 50t95 -25q146 -109 226.5 -270t80.5 -343zM896 1408v-640q0 -52 -38 -90t-90 -38t-90 38t-38 90v640q0 52 38 90t90 38t90 -38t38 -90z" />
-<glyph unicode="" horiz-adv-x="1792" d="M256 96v-192q0 -14 -9 -23t-23 -9h-192q-14 0 -23 9t-9 23v192q0 14 9 23t23 9h192q14 0 23 -9t9 -23zM640 224v-320q0 -14 -9 -23t-23 -9h-192q-14 0 -23 9t-9 23v320q0 14 9 23t23 9h192q14 0 23 -9t9 -23zM1024 480v-576q0 -14 -9 -23t-23 -9h-192q-14 0 -23 9t-9 23 v576q0 14 9 23t23 9h192q14 0 23 -9t9 -23zM1408 864v-960q0 -14 -9 -23t-23 -9h-192q-14 0 -23 9t-9 23v960q0 14 9 23t23 9h192q14 0 23 -9t9 -23zM1792 1376v-1472q0 -14 -9 -23t-23 -9h-192q-14 0 -23 9t-9 23v1472q0 14 9 23t23 9h192q14 0 23 -9t9 -23z" />
-<glyph unicode="" d="M1024 640q0 106 -75 181t-181 75t-181 -75t-75 -181t75 -181t181 -75t181 75t75 181zM1536 749v-222q0 -12 -8 -23t-20 -13l-185 -28q-19 -54 -39 -91q35 -50 107 -138q10 -12 10 -25t-9 -23q-27 -37 -99 -108t-94 -71q-12 0 -26 9l-138 108q-44 -23 -91 -38 q-16 -136 -29 -186q-7 -28 -36 -28h-222q-14 0 -24.5 8.5t-11.5 21.5l-28 184q-49 16 -90 37l-141 -107q-10 -9 -25 -9q-14 0 -25 11q-126 114 -165 168q-7 10 -7 23q0 12 8 23q15 21 51 66.5t54 70.5q-27 50 -41 99l-183 27q-13 2 -21 12.5t-8 23.5v222q0 12 8 23t19 13 l186 28q14 46 39 92q-40 57 -107 138q-10 12 -10 24q0 10 9 23q26 36 98.5 107.5t94.5 71.5q13 0 26 -10l138 -107q44 23 91 38q16 136 29 186q7 28 36 28h222q14 0 24.5 -8.5t11.5 -21.5l28 -184q49 -16 90 -37l142 107q9 9 24 9q13 0 25 -10q129 -119 165 -170q7 -8 7 -22 q0 -12 -8 -23q-15 -21 -51 -66.5t-54 -70.5q26 -50 41 -98l183 -28q13 -2 21 -12.5t8 -23.5z" />
-<glyph unicode="" horiz-adv-x="1408" d="M512 800v-576q0 -14 -9 -23t-23 -9h-64q-14 0 -23 9t-9 23v576q0 14 9 23t23 9h64q14 0 23 -9t9 -23zM768 800v-576q0 -14 -9 -23t-23 -9h-64q-14 0 -23 9t-9 23v576q0 14 9 23t23 9h64q14 0 23 -9t9 -23zM1024 800v-576q0 -14 -9 -23t-23 -9h-64q-14 0 -23 9t-9 23v576 q0 14 9 23t23 9h64q14 0 23 -9t9 -23zM1152 76v948h-896v-948q0 -22 7 -40.5t14.5 -27t10.5 -8.5h832q3 0 10.5 8.5t14.5 27t7 40.5zM480 1152h448l-48 117q-7 9 -17 11h-317q-10 -2 -17 -11zM1408 1120v-64q0 -14 -9 -23t-23 -9h-96v-948q0 -83 -47 -143.5t-113 -60.5h-832 q-66 0 -113 58.5t-47 141.5v952h-96q-14 0 -23 9t-9 23v64q0 14 9 23t23 9h309l70 167q15 37 54 63t79 26h320q40 0 79 -26t54 -63l70 -167h309q14 0 23 -9t9 -23z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1408 544v-480q0 -26 -19 -45t-45 -19h-384v384h-256v-384h-384q-26 0 -45 19t-19 45v480q0 1 0.5 3t0.5 3l575 474l575 -474q1 -2 1 -6zM1631 613l-62 -74q-8 -9 -21 -11h-3q-13 0 -21 7l-692 577l-692 -577q-12 -8 -24 -7q-13 2 -21 11l-62 74q-8 10 -7 23.5t11 21.5 l719 599q32 26 76 26t76 -26l244 -204v195q0 14 9 23t23 9h192q14 0 23 -9t9 -23v-408l219 -182q10 -8 11 -21.5t-7 -23.5z" />
-<glyph unicode="" horiz-adv-x="1280" d="M128 0h1024v768h-416q-40 0 -68 28t-28 68v416h-512v-1280zM768 896h376q-10 29 -22 41l-313 313q-12 12 -41 22v-376zM1280 864v-896q0 -40 -28 -68t-68 -28h-1088q-40 0 -68 28t-28 68v1344q0 40 28 68t68 28h640q40 0 88 -20t76 -48l312 -312q28 -28 48 -76t20 -88z " />
-<glyph unicode="" d="M896 992v-448q0 -14 -9 -23t-23 -9h-320q-14 0 -23 9t-9 23v64q0 14 9 23t23 9h224v352q0 14 9 23t23 9h64q14 0 23 -9t9 -23zM1312 640q0 148 -73 273t-198 198t-273 73t-273 -73t-198 -198t-73 -273t73 -273t198 -198t273 -73t273 73t198 198t73 273zM1536 640 q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" horiz-adv-x="1920" d="M1111 540v4l-24 320q-1 13 -11 22.5t-23 9.5h-186q-13 0 -23 -9.5t-11 -22.5l-24 -320v-4q-1 -12 8 -20t21 -8h244q12 0 21 8t8 20zM1870 73q0 -73 -46 -73h-704q13 0 22 9.5t8 22.5l-20 256q-1 13 -11 22.5t-23 9.5h-272q-13 0 -23 -9.5t-11 -22.5l-20 -256 q-1 -13 8 -22.5t22 -9.5h-704q-46 0 -46 73q0 54 26 116l417 1044q8 19 26 33t38 14h339q-13 0 -23 -9.5t-11 -22.5l-15 -192q-1 -14 8 -23t22 -9h166q13 0 22 9t8 23l-15 192q-1 13 -11 22.5t-23 9.5h339q20 0 38 -14t26 -33l417 -1044q26 -62 26 -116z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1280 192q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45t45 -19t45 19t19 45zM1536 192q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45t45 -19t45 19t19 45zM1664 416v-320q0 -40 -28 -68t-68 -28h-1472q-40 0 -68 28t-28 68v320q0 40 28 68t68 28h465l135 -136 q58 -56 136 -56t136 56l136 136h464q40 0 68 -28t28 -68zM1339 985q17 -41 -14 -70l-448 -448q-18 -19 -45 -19t-45 19l-448 448q-31 29 -14 70q17 39 59 39h256v448q0 26 19 45t45 19h256q26 0 45 -19t19 -45v-448h256q42 0 59 -39z" />
-<glyph unicode="" d="M1120 608q0 -12 -10 -24l-319 -319q-11 -9 -23 -9t-23 9l-320 320q-15 16 -7 35q8 20 30 20h192v352q0 14 9 23t23 9h192q14 0 23 -9t9 -23v-352h192q14 0 23 -9t9 -23zM768 1184q-148 0 -273 -73t-198 -198t-73 -273t73 -273t198 -198t273 -73t273 73t198 198t73 273 t-73 273t-198 198t-273 73zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" d="M1118 660q-8 -20 -30 -20h-192v-352q0 -14 -9 -23t-23 -9h-192q-14 0 -23 9t-9 23v352h-192q-14 0 -23 9t-9 23q0 12 10 24l319 319q11 9 23 9t23 -9l320 -320q15 -16 7 -35zM768 1184q-148 0 -273 -73t-198 -198t-73 -273t73 -273t198 -198t273 -73t273 73t198 198 t73 273t-73 273t-198 198t-273 73zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" d="M1023 576h316q-1 3 -2.5 8t-2.5 8l-212 496h-708l-212 -496q-1 -2 -2.5 -8t-2.5 -8h316l95 -192h320zM1536 546v-482q0 -26 -19 -45t-45 -19h-1408q-26 0 -45 19t-19 45v482q0 62 25 123l238 552q10 25 36.5 42t52.5 17h832q26 0 52.5 -17t36.5 -42l238 -552 q25 -61 25 -123z" />
-<glyph unicode="" d="M1184 640q0 -37 -32 -55l-544 -320q-15 -9 -32 -9q-16 0 -32 8q-32 19 -32 56v640q0 37 32 56q33 18 64 -1l544 -320q32 -18 32 -55zM1312 640q0 148 -73 273t-198 198t-273 73t-273 -73t-198 -198t-73 -273t73 -273t198 -198t273 -73t273 73t198 198t73 273zM1536 640 q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" d="M1536 1280v-448q0 -26 -19 -45t-45 -19h-448q-42 0 -59 40q-17 39 14 69l138 138q-148 137 -349 137q-104 0 -198.5 -40.5t-163.5 -109.5t-109.5 -163.5t-40.5 -198.5t40.5 -198.5t109.5 -163.5t163.5 -109.5t198.5 -40.5q119 0 225 52t179 147q7 10 23 12q14 0 25 -9 l137 -138q9 -8 9.5 -20.5t-7.5 -22.5q-109 -132 -264 -204.5t-327 -72.5q-156 0 -298 61t-245 164t-164 245t-61 298t61 298t164 245t245 164t298 61q147 0 284.5 -55.5t244.5 -156.5l130 129q29 31 70 14q39 -17 39 -59z" />
-<glyph unicode="" d="M1511 480q0 -5 -1 -7q-64 -268 -268 -434.5t-478 -166.5q-146 0 -282.5 55t-243.5 157l-129 -129q-19 -19 -45 -19t-45 19t-19 45v448q0 26 19 45t45 19h448q26 0 45 -19t19 -45t-19 -45l-137 -137q71 -66 161 -102t187 -36q134 0 250 65t186 179q11 17 53 117 q8 23 30 23h192q13 0 22.5 -9.5t9.5 -22.5zM1536 1280v-448q0 -26 -19 -45t-45 -19h-448q-26 0 -45 19t-19 45t19 45l138 138q-148 137 -349 137q-134 0 -250 -65t-186 -179q-11 -17 -53 -117q-8 -23 -30 -23h-199q-13 0 -22.5 9.5t-9.5 22.5v7q65 268 270 434.5t480 166.5 q146 0 284 -55.5t245 -156.5l130 129q19 19 45 19t45 -19t19 -45z" />
-<glyph unicode="" horiz-adv-x="1792" d="M384 352v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM384 608v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5z M384 864v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM1536 352v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-960q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h960q13 0 22.5 -9.5t9.5 -22.5z M1536 608v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-960q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h960q13 0 22.5 -9.5t9.5 -22.5zM1536 864v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-960q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h960q13 0 22.5 -9.5 t9.5 -22.5zM1664 160v832q0 13 -9.5 22.5t-22.5 9.5h-1472q-13 0 -22.5 -9.5t-9.5 -22.5v-832q0 -13 9.5 -22.5t22.5 -9.5h1472q13 0 22.5 9.5t9.5 22.5zM1792 1248v-1088q0 -66 -47 -113t-113 -47h-1472q-66 0 -113 47t-47 113v1088q0 66 47 113t113 47h1472q66 0 113 -47 t47 -113z" />
-<glyph unicode="" horiz-adv-x="1152" d="M320 768h512v192q0 106 -75 181t-181 75t-181 -75t-75 -181v-192zM1152 672v-576q0 -40 -28 -68t-68 -28h-960q-40 0 -68 28t-28 68v576q0 40 28 68t68 28h32v192q0 184 132 316t316 132t316 -132t132 -316v-192h32q40 0 68 -28t28 -68z" />
-<glyph unicode="" horiz-adv-x="1792" d="M320 1280q0 -72 -64 -110v-1266q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v1266q-64 38 -64 110q0 53 37.5 90.5t90.5 37.5t90.5 -37.5t37.5 -90.5zM1792 1216v-763q0 -25 -12.5 -38.5t-39.5 -27.5q-215 -116 -369 -116q-61 0 -123.5 22t-108.5 48 t-115.5 48t-142.5 22q-192 0 -464 -146q-17 -9 -33 -9q-26 0 -45 19t-19 45v742q0 32 31 55q21 14 79 43q236 120 421 120q107 0 200 -29t219 -88q38 -19 88 -19q54 0 117.5 21t110 47t88 47t54.5 21q26 0 45 -19t19 -45z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1664 650q0 -166 -60 -314l-20 -49l-185 -33q-22 -83 -90.5 -136.5t-156.5 -53.5v-32q0 -14 -9 -23t-23 -9h-64q-14 0 -23 9t-9 23v576q0 14 9 23t23 9h64q14 0 23 -9t9 -23v-32q71 0 130 -35.5t93 -95.5l68 12q29 95 29 193q0 148 -88 279t-236.5 209t-315.5 78 t-315.5 -78t-236.5 -209t-88 -279q0 -98 29 -193l68 -12q34 60 93 95.5t130 35.5v32q0 14 9 23t23 9h64q14 0 23 -9t9 -23v-576q0 -14 -9 -23t-23 -9h-64q-14 0 -23 9t-9 23v32q-88 0 -156.5 53.5t-90.5 136.5l-185 33l-20 49q-60 148 -60 314q0 151 67 291t179 242.5 t266 163.5t320 61t320 -61t266 -163.5t179 -242.5t67 -291z" />
-<glyph unicode="" horiz-adv-x="768" d="M768 1184v-1088q0 -26 -19 -45t-45 -19t-45 19l-333 333h-262q-26 0 -45 19t-19 45v384q0 26 19 45t45 19h262l333 333q19 19 45 19t45 -19t19 -45z" />
-<glyph unicode="" horiz-adv-x="1152" d="M768 1184v-1088q0 -26 -19 -45t-45 -19t-45 19l-333 333h-262q-26 0 -45 19t-19 45v384q0 26 19 45t45 19h262l333 333q19 19 45 19t45 -19t19 -45zM1152 640q0 -76 -42.5 -141.5t-112.5 -93.5q-10 -5 -25 -5q-26 0 -45 18.5t-19 45.5q0 21 12 35.5t29 25t34 23t29 35.5 t12 57t-12 57t-29 35.5t-34 23t-29 25t-12 35.5q0 27 19 45.5t45 18.5q15 0 25 -5q70 -27 112.5 -93t42.5 -142z" />
-<glyph unicode="" horiz-adv-x="1664" d="M768 1184v-1088q0 -26 -19 -45t-45 -19t-45 19l-333 333h-262q-26 0 -45 19t-19 45v384q0 26 19 45t45 19h262l333 333q19 19 45 19t45 -19t19 -45zM1152 640q0 -76 -42.5 -141.5t-112.5 -93.5q-10 -5 -25 -5q-26 0 -45 18.5t-19 45.5q0 21 12 35.5t29 25t34 23t29 35.5 t12 57t-12 57t-29 35.5t-34 23t-29 25t-12 35.5q0 27 19 45.5t45 18.5q15 0 25 -5q70 -27 112.5 -93t42.5 -142zM1408 640q0 -153 -85 -282.5t-225 -188.5q-13 -5 -25 -5q-27 0 -46 19t-19 45q0 39 39 59q56 29 76 44q74 54 115.5 135.5t41.5 173.5t-41.5 173.5 t-115.5 135.5q-20 15 -76 44q-39 20 -39 59q0 26 19 45t45 19q13 0 26 -5q140 -59 225 -188.5t85 -282.5zM1664 640q0 -230 -127 -422.5t-338 -283.5q-13 -5 -26 -5q-26 0 -45 19t-19 45q0 36 39 59q7 4 22.5 10.5t22.5 10.5q46 25 82 51q123 91 192 227t69 289t-69 289 t-192 227q-36 26 -82 51q-7 4 -22.5 10.5t-22.5 10.5q-39 23 -39 59q0 26 19 45t45 19q13 0 26 -5q211 -91 338 -283.5t127 -422.5z" />
-<glyph unicode="" horiz-adv-x="1408" d="M384 384v-128h-128v128h128zM384 1152v-128h-128v128h128zM1152 1152v-128h-128v128h128zM128 129h384v383h-384v-383zM128 896h384v384h-384v-384zM896 896h384v384h-384v-384zM640 640v-640h-640v640h640zM1152 128v-128h-128v128h128zM1408 128v-128h-128v128h128z M1408 640v-384h-384v128h-128v-384h-128v640h384v-128h128v128h128zM640 1408v-640h-640v640h640zM1408 1408v-640h-640v640h640z" />
-<glyph unicode="" horiz-adv-x="1792" d="M63 0h-63v1408h63v-1408zM126 1h-32v1407h32v-1407zM220 1h-31v1407h31v-1407zM377 1h-31v1407h31v-1407zM534 1h-62v1407h62v-1407zM660 1h-31v1407h31v-1407zM723 1h-31v1407h31v-1407zM786 1h-31v1407h31v-1407zM943 1h-63v1407h63v-1407zM1100 1h-63v1407h63v-1407z M1226 1h-63v1407h63v-1407zM1352 1h-63v1407h63v-1407zM1446 1h-63v1407h63v-1407zM1635 1h-94v1407h94v-1407zM1698 1h-32v1407h32v-1407zM1792 0h-63v1408h63v-1408z" />
-<glyph unicode="" d="M448 1088q0 53 -37.5 90.5t-90.5 37.5t-90.5 -37.5t-37.5 -90.5t37.5 -90.5t90.5 -37.5t90.5 37.5t37.5 90.5zM1515 512q0 -53 -37 -90l-491 -492q-39 -37 -91 -37q-53 0 -90 37l-715 716q-38 37 -64.5 101t-26.5 117v416q0 52 38 90t90 38h416q53 0 117 -26.5t102 -64.5 l715 -714q37 -39 37 -91z" />
-<glyph unicode="" horiz-adv-x="1920" d="M448 1088q0 53 -37.5 90.5t-90.5 37.5t-90.5 -37.5t-37.5 -90.5t37.5 -90.5t90.5 -37.5t90.5 37.5t37.5 90.5zM1515 512q0 -53 -37 -90l-491 -492q-39 -37 -91 -37q-53 0 -90 37l-715 716q-38 37 -64.5 101t-26.5 117v416q0 52 38 90t90 38h416q53 0 117 -26.5t102 -64.5 l715 -714q37 -39 37 -91zM1899 512q0 -53 -37 -90l-491 -492q-39 -37 -91 -37q-36 0 -59 14t-53 45l470 470q37 37 37 90q0 52 -37 91l-715 714q-38 38 -102 64.5t-117 26.5h224q53 0 117 -26.5t102 -64.5l715 -714q37 -39 37 -91z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1639 1058q40 -57 18 -129l-275 -906q-19 -64 -76.5 -107.5t-122.5 -43.5h-923q-77 0 -148.5 53.5t-99.5 131.5q-24 67 -2 127q0 4 3 27t4 37q1 8 -3 21.5t-3 19.5q2 11 8 21t16.5 23.5t16.5 23.5q23 38 45 91.5t30 91.5q3 10 0.5 30t-0.5 28q3 11 17 28t17 23 q21 36 42 92t25 90q1 9 -2.5 32t0.5 28q4 13 22 30.5t22 22.5q19 26 42.5 84.5t27.5 96.5q1 8 -3 25.5t-2 26.5q2 8 9 18t18 23t17 21q8 12 16.5 30.5t15 35t16 36t19.5 32t26.5 23.5t36 11.5t47.5 -5.5l-1 -3q38 9 51 9h761q74 0 114 -56t18 -130l-274 -906 q-36 -119 -71.5 -153.5t-128.5 -34.5h-869q-27 0 -38 -15q-11 -16 -1 -43q24 -70 144 -70h923q29 0 56 15.5t35 41.5l300 987q7 22 5 57q38 -15 59 -43zM575 1056q-4 -13 2 -22.5t20 -9.5h608q13 0 25.5 9.5t16.5 22.5l21 64q4 13 -2 22.5t-20 9.5h-608q-13 0 -25.5 -9.5 t-16.5 -22.5zM492 800q-4 -13 2 -22.5t20 -9.5h608q13 0 25.5 9.5t16.5 22.5l21 64q4 13 -2 22.5t-20 9.5h-608q-13 0 -25.5 -9.5t-16.5 -22.5z" />
-<glyph unicode="" horiz-adv-x="1280" d="M1164 1408q23 0 44 -9q33 -13 52.5 -41t19.5 -62v-1289q0 -34 -19.5 -62t-52.5 -41q-19 -8 -44 -8q-48 0 -83 32l-441 424l-441 -424q-36 -33 -83 -33q-23 0 -44 9q-33 13 -52.5 41t-19.5 62v1289q0 34 19.5 62t52.5 41q21 9 44 9h1048z" />
-<glyph unicode="" horiz-adv-x="1664" d="M384 0h896v256h-896v-256zM384 640h896v384h-160q-40 0 -68 28t-28 68v160h-640v-640zM1536 576q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45t45 -19t45 19t19 45zM1664 576v-416q0 -13 -9.5 -22.5t-22.5 -9.5h-224v-160q0 -40 -28 -68t-68 -28h-960q-40 0 -68 28t-28 68 v160h-224q-13 0 -22.5 9.5t-9.5 22.5v416q0 79 56.5 135.5t135.5 56.5h64v544q0 40 28 68t68 28h672q40 0 88 -20t76 -48l152 -152q28 -28 48 -76t20 -88v-256h64q79 0 135.5 -56.5t56.5 -135.5z" />
-<glyph unicode="" horiz-adv-x="1920" d="M960 864q119 0 203.5 -84.5t84.5 -203.5t-84.5 -203.5t-203.5 -84.5t-203.5 84.5t-84.5 203.5t84.5 203.5t203.5 84.5zM1664 1280q106 0 181 -75t75 -181v-896q0 -106 -75 -181t-181 -75h-1408q-106 0 -181 75t-75 181v896q0 106 75 181t181 75h224l51 136 q19 49 69.5 84.5t103.5 35.5h512q53 0 103.5 -35.5t69.5 -84.5l51 -136h224zM960 128q185 0 316.5 131.5t131.5 316.5t-131.5 316.5t-316.5 131.5t-316.5 -131.5t-131.5 -316.5t131.5 -316.5t316.5 -131.5z" />
-<glyph unicode="" horiz-adv-x="1664" d="M725 977l-170 -450q73 -1 153.5 -2t119 -1.5t52.5 -0.5l29 2q-32 95 -92 241q-53 132 -92 211zM21 -128h-21l2 79q22 7 80 18q89 16 110 31q20 16 48 68l237 616l280 724h75h53l11 -21l205 -480q103 -242 124 -297q39 -102 96 -235q26 -58 65 -164q24 -67 65 -149 q22 -49 35 -57q22 -19 69 -23q47 -6 103 -27q6 -39 6 -57q0 -14 -1 -26q-80 0 -192 8q-93 8 -189 8q-79 0 -135 -2l-200 -11l-58 -2q0 45 4 78l131 28q56 13 68 23q12 12 12 27t-6 32l-47 114l-92 228l-450 2q-29 -65 -104 -274q-23 -64 -23 -84q0 -31 17 -43 q26 -21 103 -32q3 0 13.5 -2t30 -5t40.5 -6q1 -28 1 -58q0 -17 -2 -27q-66 0 -349 20l-48 -8q-81 -14 -167 -14z" />
-<glyph unicode="" horiz-adv-x="1408" d="M555 15q76 -32 140 -32q131 0 216 41t122 113q38 70 38 181q0 114 -41 180q-58 94 -141 126q-80 32 -247 32q-74 0 -101 -10v-144l-1 -173l3 -270q0 -15 12 -44zM541 761q43 -7 109 -7q175 0 264 65t89 224q0 112 -85 187q-84 75 -255 75q-52 0 -130 -13q0 -44 2 -77 q7 -122 6 -279l-1 -98q0 -43 1 -77zM0 -128l2 94q45 9 68 12q77 12 123 31q17 27 21 51q9 66 9 194l-2 497q-5 256 -9 404q-1 87 -11 109q-1 4 -12 12q-18 12 -69 15q-30 2 -114 13l-4 83l260 6l380 13l45 1q5 0 14 0.5t14 0.5q1 0 21.5 -0.5t40.5 -0.5h74q88 0 191 -27 q43 -13 96 -39q57 -29 102 -76q44 -47 65 -104t21 -122q0 -70 -32 -128t-95 -105q-26 -20 -150 -77q177 -41 267 -146q92 -106 92 -236q0 -76 -29 -161q-21 -62 -71 -117q-66 -72 -140 -108q-73 -36 -203 -60q-82 -15 -198 -11l-197 4q-84 2 -298 -11q-33 -3 -272 -11z" />
-<glyph unicode="" horiz-adv-x="1024" d="M0 -126l17 85q4 1 77 20q76 19 116 39q29 37 41 101l27 139l56 268l12 64q8 44 17 84.5t16 67t12.5 46.5t9 30.5t3.5 11.5l29 157l16 63l22 135l8 50v38q-41 22 -144 28q-28 2 -38 4l19 103l317 -14q39 -2 73 -2q66 0 214 9q33 2 68 4.5t36 2.5q-2 -19 -6 -38 q-7 -29 -13 -51q-55 -19 -109 -31q-64 -16 -101 -31q-12 -31 -24 -88q-9 -44 -13 -82q-44 -199 -66 -306l-61 -311l-38 -158l-43 -235l-12 -45q-2 -7 1 -27q64 -15 119 -21q36 -5 66 -10q-1 -29 -7 -58q-7 -31 -9 -41q-18 0 -23 -1q-24 -2 -42 -2q-9 0 -28 3q-19 4 -145 17 l-198 2q-41 1 -174 -11q-74 -7 -98 -9z" />
-<glyph unicode="" horiz-adv-x="1792" d="M81 1407l54 -27q20 -5 211 -5h130l19 3l115 1l215 -1h293l34 -2q14 -1 28 7t21 16l7 8l42 1q15 0 28 -1v-104.5t1 -131.5l1 -100l-1 -58q0 -32 -4 -51q-39 -15 -68 -18q-25 43 -54 128q-8 24 -15.5 62.5t-11.5 65.5t-6 29q-13 15 -27 19q-7 2 -42.5 2t-103.5 -1t-111 -1 q-34 0 -67 -5q-10 -97 -8 -136l1 -152v-332l3 -359l-1 -147q-1 -46 11 -85q49 -25 89 -32q2 0 18 -5t44 -13t43 -12q30 -8 50 -18q5 -45 5 -50q0 -10 -3 -29q-14 -1 -34 -1q-110 0 -187 10q-72 8 -238 8q-88 0 -233 -14q-48 -4 -70 -4q-2 22 -2 26l-1 26v9q21 33 79 49 q139 38 159 50q9 21 12 56q8 192 6 433l-5 428q-1 62 -0.5 118.5t0.5 102.5t-2 57t-6 15q-6 5 -14 6q-38 6 -148 6q-43 0 -100 -13.5t-73 -24.5q-13 -9 -22 -33t-22 -75t-24 -84q-6 -19 -19.5 -32t-20.5 -13q-44 27 -56 44v297v86zM1744 128q33 0 42 -18.5t-11 -44.5 l-126 -162q-20 -26 -49 -26t-49 26l-126 162q-20 26 -11 44.5t42 18.5h80v1024h-80q-33 0 -42 18.5t11 44.5l126 162q20 26 49 26t49 -26l126 -162q20 -26 11 -44.5t-42 -18.5h-80v-1024h80z" />
-<glyph unicode="" d="M81 1407l54 -27q20 -5 211 -5h130l19 3l115 1l446 -1h318l34 -2q14 -1 28 7t21 16l7 8l42 1q15 0 28 -1v-104.5t1 -131.5l1 -100l-1 -58q0 -32 -4 -51q-39 -15 -68 -18q-25 43 -54 128q-8 24 -15.5 62.5t-11.5 65.5t-6 29q-13 15 -27 19q-7 2 -58.5 2t-138.5 -1t-128 -1 q-94 0 -127 -5q-10 -97 -8 -136l1 -152v52l3 -359l-1 -147q-1 -46 11 -85q49 -25 89 -32q2 0 18 -5t44 -13t43 -12q30 -8 50 -18q5 -45 5 -50q0 -10 -3 -29q-14 -1 -34 -1q-110 0 -187 10q-72 8 -238 8q-82 0 -233 -13q-45 -5 -70 -5q-2 22 -2 26l-1 26v9q21 33 79 49 q139 38 159 50q9 21 12 56q6 137 6 433l-5 44q0 265 -2 278q-2 11 -6 15q-6 5 -14 6q-38 6 -148 6q-50 0 -168.5 -14t-132.5 -24q-13 -9 -22 -33t-22 -75t-24 -84q-6 -19 -19.5 -32t-20.5 -13q-44 27 -56 44v297v86zM1505 113q26 -20 26 -49t-26 -49l-162 -126 q-26 -20 -44.5 -11t-18.5 42v80h-1024v-80q0 -33 -18.5 -42t-44.5 11l-162 126q-26 20 -26 49t26 49l162 126q26 20 44.5 11t18.5 -42v-80h1024v80q0 33 18.5 42t44.5 -11z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1792 192v-128q0 -26 -19 -45t-45 -19h-1664q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1664q26 0 45 -19t19 -45zM1408 576v-128q0 -26 -19 -45t-45 -19h-1280q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1280q26 0 45 -19t19 -45zM1664 960v-128q0 -26 -19 -45 t-45 -19h-1536q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1536q26 0 45 -19t19 -45zM1280 1344v-128q0 -26 -19 -45t-45 -19h-1152q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1152q26 0 45 -19t19 -45z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1792 192v-128q0 -26 -19 -45t-45 -19h-1664q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1664q26 0 45 -19t19 -45zM1408 576v-128q0 -26 -19 -45t-45 -19h-896q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h896q26 0 45 -19t19 -45zM1664 960v-128q0 -26 -19 -45t-45 -19 h-1408q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1408q26 0 45 -19t19 -45zM1280 1344v-128q0 -26 -19 -45t-45 -19h-640q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h640q26 0 45 -19t19 -45z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1792 192v-128q0 -26 -19 -45t-45 -19h-1664q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1664q26 0 45 -19t19 -45zM1792 576v-128q0 -26 -19 -45t-45 -19h-1280q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1280q26 0 45 -19t19 -45zM1792 960v-128q0 -26 -19 -45 t-45 -19h-1536q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1536q26 0 45 -19t19 -45zM1792 1344v-128q0 -26 -19 -45t-45 -19h-1152q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1152q26 0 45 -19t19 -45z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1792 192v-128q0 -26 -19 -45t-45 -19h-1664q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1664q26 0 45 -19t19 -45zM1792 576v-128q0 -26 -19 -45t-45 -19h-1664q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1664q26 0 45 -19t19 -45zM1792 960v-128q0 -26 -19 -45 t-45 -19h-1664q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1664q26 0 45 -19t19 -45zM1792 1344v-128q0 -26 -19 -45t-45 -19h-1664q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1664q26 0 45 -19t19 -45z" />
-<glyph unicode="" horiz-adv-x="1792" d="M256 224v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-192q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h192q13 0 22.5 -9.5t9.5 -22.5zM256 608v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-192q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h192q13 0 22.5 -9.5 t9.5 -22.5zM256 992v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-192q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h192q13 0 22.5 -9.5t9.5 -22.5zM1792 224v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1344q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h1344 q13 0 22.5 -9.5t9.5 -22.5zM256 1376v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-192q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h192q13 0 22.5 -9.5t9.5 -22.5zM1792 608v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1344q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5 t22.5 9.5h1344q13 0 22.5 -9.5t9.5 -22.5zM1792 992v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1344q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h1344q13 0 22.5 -9.5t9.5 -22.5zM1792 1376v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1344q-13 0 -22.5 9.5t-9.5 22.5v192 q0 13 9.5 22.5t22.5 9.5h1344q13 0 22.5 -9.5t9.5 -22.5z" />
-<glyph unicode="" horiz-adv-x="1792" d="M384 992v-576q0 -13 -9.5 -22.5t-22.5 -9.5q-14 0 -23 9l-288 288q-9 9 -9 23t9 23l288 288q9 9 23 9q13 0 22.5 -9.5t9.5 -22.5zM1792 224v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1728q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h1728q13 0 22.5 -9.5 t9.5 -22.5zM1792 608v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1088q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h1088q13 0 22.5 -9.5t9.5 -22.5zM1792 992v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1088q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h1088 q13 0 22.5 -9.5t9.5 -22.5zM1792 1376v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1728q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h1728q13 0 22.5 -9.5t9.5 -22.5z" />
-<glyph unicode="" horiz-adv-x="1792" d="M352 704q0 -14 -9 -23l-288 -288q-9 -9 -23 -9q-13 0 -22.5 9.5t-9.5 22.5v576q0 13 9.5 22.5t22.5 9.5q14 0 23 -9l288 -288q9 -9 9 -23zM1792 224v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1728q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h1728q13 0 22.5 -9.5 t9.5 -22.5zM1792 608v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1088q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h1088q13 0 22.5 -9.5t9.5 -22.5zM1792 992v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1088q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h1088 q13 0 22.5 -9.5t9.5 -22.5zM1792 1376v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1728q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h1728q13 0 22.5 -9.5t9.5 -22.5z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1792 1184v-1088q0 -42 -39 -59q-13 -5 -25 -5q-27 0 -45 19l-403 403v-166q0 -119 -84.5 -203.5t-203.5 -84.5h-704q-119 0 -203.5 84.5t-84.5 203.5v704q0 119 84.5 203.5t203.5 84.5h704q119 0 203.5 -84.5t84.5 -203.5v-165l403 402q18 19 45 19q12 0 25 -5 q39 -17 39 -59z" />
-<glyph unicode="" horiz-adv-x="1920" d="M640 960q0 -80 -56 -136t-136 -56t-136 56t-56 136t56 136t136 56t136 -56t56 -136zM1664 576v-448h-1408v192l320 320l160 -160l512 512zM1760 1280h-1600q-13 0 -22.5 -9.5t-9.5 -22.5v-1216q0 -13 9.5 -22.5t22.5 -9.5h1600q13 0 22.5 9.5t9.5 22.5v1216 q0 13 -9.5 22.5t-22.5 9.5zM1920 1248v-1216q0 -66 -47 -113t-113 -47h-1600q-66 0 -113 47t-47 113v1216q0 66 47 113t113 47h1600q66 0 113 -47t47 -113z" />
-<glyph unicode="" d="M363 0l91 91l-235 235l-91 -91v-107h128v-128h107zM886 928q0 22 -22 22q-10 0 -17 -7l-542 -542q-7 -7 -7 -17q0 -22 22 -22q10 0 17 7l542 542q7 7 7 17zM832 1120l416 -416l-832 -832h-416v416zM1515 1024q0 -53 -37 -90l-166 -166l-416 416l166 165q36 38 90 38 q53 0 91 -38l235 -234q37 -39 37 -91z" />
-<glyph unicode="" horiz-adv-x="1024" d="M768 896q0 106 -75 181t-181 75t-181 -75t-75 -181t75 -181t181 -75t181 75t75 181zM1024 896q0 -109 -33 -179l-364 -774q-16 -33 -47.5 -52t-67.5 -19t-67.5 19t-46.5 52l-365 774q-33 70 -33 179q0 212 150 362t362 150t362 -150t150 -362z" />
-<glyph unicode="" d="M768 96v1088q-148 0 -273 -73t-198 -198t-73 -273t73 -273t198 -198t273 -73zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" horiz-adv-x="1024" d="M512 384q0 36 -20 69q-1 1 -15.5 22.5t-25.5 38t-25 44t-21 50.5q-4 16 -21 16t-21 -16q-7 -23 -21 -50.5t-25 -44t-25.5 -38t-15.5 -22.5q-20 -33 -20 -69q0 -53 37.5 -90.5t90.5 -37.5t90.5 37.5t37.5 90.5zM1024 512q0 -212 -150 -362t-362 -150t-362 150t-150 362 q0 145 81 275q6 9 62.5 90.5t101 151t99.5 178t83 201.5q9 30 34 47t51 17t51.5 -17t33.5 -47q28 -93 83 -201.5t99.5 -178t101 -151t62.5 -90.5q81 -127 81 -275z" />
-<glyph unicode="" horiz-adv-x="1792" d="M888 352l116 116l-152 152l-116 -116v-56h96v-96h56zM1328 1072q-16 16 -33 -1l-350 -350q-17 -17 -1 -33t33 1l350 350q17 17 1 33zM1408 478v-190q0 -119 -84.5 -203.5t-203.5 -84.5h-832q-119 0 -203.5 84.5t-84.5 203.5v832q0 119 84.5 203.5t203.5 84.5h832 q63 0 117 -25q15 -7 18 -23q3 -17 -9 -29l-49 -49q-14 -14 -32 -8q-23 6 -45 6h-832q-66 0 -113 -47t-47 -113v-832q0 -66 47 -113t113 -47h832q66 0 113 47t47 113v126q0 13 9 22l64 64q15 15 35 7t20 -29zM1312 1216l288 -288l-672 -672h-288v288zM1756 1084l-92 -92 l-288 288l92 92q28 28 68 28t68 -28l152 -152q28 -28 28 -68t-28 -68z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1408 547v-259q0 -119 -84.5 -203.5t-203.5 -84.5h-832q-119 0 -203.5 84.5t-84.5 203.5v832q0 119 84.5 203.5t203.5 84.5h255v0q13 0 22.5 -9.5t9.5 -22.5q0 -27 -26 -32q-77 -26 -133 -60q-10 -4 -16 -4h-112q-66 0 -113 -47t-47 -113v-832q0 -66 47 -113t113 -47h832 q66 0 113 47t47 113v214q0 19 18 29q28 13 54 37q16 16 35 8q21 -9 21 -29zM1645 1043l-384 -384q-18 -19 -45 -19q-12 0 -25 5q-39 17 -39 59v192h-160q-323 0 -438 -131q-119 -137 -74 -473q3 -23 -20 -34q-8 -2 -12 -2q-16 0 -26 13q-10 14 -21 31t-39.5 68.5t-49.5 99.5 t-38.5 114t-17.5 122q0 49 3.5 91t14 90t28 88t47 81.5t68.5 74t94.5 61.5t124.5 48.5t159.5 30.5t196.5 11h160v192q0 42 39 59q13 5 25 5q26 0 45 -19l384 -384q19 -19 19 -45t-19 -45z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1408 606v-318q0 -119 -84.5 -203.5t-203.5 -84.5h-832q-119 0 -203.5 84.5t-84.5 203.5v832q0 119 84.5 203.5t203.5 84.5h832q63 0 117 -25q15 -7 18 -23q3 -17 -9 -29l-49 -49q-10 -10 -23 -10q-3 0 -9 2q-23 6 -45 6h-832q-66 0 -113 -47t-47 -113v-832 q0 -66 47 -113t113 -47h832q66 0 113 47t47 113v254q0 13 9 22l64 64q10 10 23 10q6 0 12 -3q20 -8 20 -29zM1639 1095l-814 -814q-24 -24 -57 -24t-57 24l-430 430q-24 24 -24 57t24 57l110 110q24 24 57 24t57 -24l263 -263l647 647q24 24 57 24t57 -24l110 -110 q24 -24 24 -57t-24 -57z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1792 640q0 -26 -19 -45l-256 -256q-19 -19 -45 -19t-45 19t-19 45v128h-384v-384h128q26 0 45 -19t19 -45t-19 -45l-256 -256q-19 -19 -45 -19t-45 19l-256 256q-19 19 -19 45t19 45t45 19h128v384h-384v-128q0 -26 -19 -45t-45 -19t-45 19l-256 256q-19 19 -19 45 t19 45l256 256q19 19 45 19t45 -19t19 -45v-128h384v384h-128q-26 0 -45 19t-19 45t19 45l256 256q19 19 45 19t45 -19l256 -256q19 -19 19 -45t-19 -45t-45 -19h-128v-384h384v128q0 26 19 45t45 19t45 -19l256 -256q19 -19 19 -45z" />
-<glyph unicode="" horiz-adv-x="1024" d="M979 1395q19 19 32 13t13 -32v-1472q0 -26 -13 -32t-32 13l-710 710q-9 9 -13 19v-678q0 -26 -19 -45t-45 -19h-128q-26 0 -45 19t-19 45v1408q0 26 19 45t45 19h128q26 0 45 -19t19 -45v-678q4 11 13 19z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1747 1395q19 19 32 13t13 -32v-1472q0 -26 -13 -32t-32 13l-710 710q-9 9 -13 19v-710q0 -26 -13 -32t-32 13l-710 710q-9 9 -13 19v-678q0 -26 -19 -45t-45 -19h-128q-26 0 -45 19t-19 45v1408q0 26 19 45t45 19h128q26 0 45 -19t19 -45v-678q4 11 13 19l710 710 q19 19 32 13t13 -32v-710q4 11 13 19z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1619 1395q19 19 32 13t13 -32v-1472q0 -26 -13 -32t-32 13l-710 710q-8 9 -13 19v-710q0 -26 -13 -32t-32 13l-710 710q-19 19 -19 45t19 45l710 710q19 19 32 13t13 -32v-710q5 11 13 19z" />
-<glyph unicode="" horiz-adv-x="1408" d="M1384 609l-1328 -738q-23 -13 -39.5 -3t-16.5 36v1472q0 26 16.5 36t39.5 -3l1328 -738q23 -13 23 -31t-23 -31z" />
-<glyph unicode="" d="M1536 1344v-1408q0 -26 -19 -45t-45 -19h-512q-26 0 -45 19t-19 45v1408q0 26 19 45t45 19h512q26 0 45 -19t19 -45zM640 1344v-1408q0 -26 -19 -45t-45 -19h-512q-26 0 -45 19t-19 45v1408q0 26 19 45t45 19h512q26 0 45 -19t19 -45z" />
-<glyph unicode="" d="M1536 1344v-1408q0 -26 -19 -45t-45 -19h-1408q-26 0 -45 19t-19 45v1408q0 26 19 45t45 19h1408q26 0 45 -19t19 -45z" />
-<glyph unicode="" horiz-adv-x="1664" d="M45 -115q-19 -19 -32 -13t-13 32v1472q0 26 13 32t32 -13l710 -710q8 -8 13 -19v710q0 26 13 32t32 -13l710 -710q19 -19 19 -45t-19 -45l-710 -710q-19 -19 -32 -13t-13 32v710q-5 -10 -13 -19z" />
-<glyph unicode="" horiz-adv-x="1792" d="M45 -115q-19 -19 -32 -13t-13 32v1472q0 26 13 32t32 -13l710 -710q8 -8 13 -19v710q0 26 13 32t32 -13l710 -710q8 -8 13 -19v678q0 26 19 45t45 19h128q26 0 45 -19t19 -45v-1408q0 -26 -19 -45t-45 -19h-128q-26 0 -45 19t-19 45v678q-5 -10 -13 -19l-710 -710 q-19 -19 -32 -13t-13 32v710q-5 -10 -13 -19z" />
-<glyph unicode="" horiz-adv-x="1024" d="M45 -115q-19 -19 -32 -13t-13 32v1472q0 26 13 32t32 -13l710 -710q8 -8 13 -19v678q0 26 19 45t45 19h128q26 0 45 -19t19 -45v-1408q0 -26 -19 -45t-45 -19h-128q-26 0 -45 19t-19 45v678q-5 -10 -13 -19z" />
-<glyph unicode="" horiz-adv-x="1538" d="M14 557l710 710q19 19 45 19t45 -19l710 -710q19 -19 13 -32t-32 -13h-1472q-26 0 -32 13t13 32zM1473 0h-1408q-26 0 -45 19t-19 45v256q0 26 19 45t45 19h1408q26 0 45 -19t19 -45v-256q0 -26 -19 -45t-45 -19z" />
-<glyph unicode="" horiz-adv-x="1152" d="M742 -37l-652 651q-37 37 -37 90.5t37 90.5l652 651q37 37 90.5 37t90.5 -37l75 -75q37 -37 37 -90.5t-37 -90.5l-486 -486l486 -485q37 -38 37 -91t-37 -90l-75 -75q-37 -37 -90.5 -37t-90.5 37z" />
-<glyph unicode="" horiz-adv-x="1152" d="M1099 704q0 -52 -37 -91l-652 -651q-37 -37 -90 -37t-90 37l-76 75q-37 39 -37 91q0 53 37 90l486 486l-486 485q-37 39 -37 91q0 53 37 90l76 75q36 38 90 38t90 -38l652 -651q37 -37 37 -90z" />
-<glyph unicode="" d="M1216 576v128q0 26 -19 45t-45 19h-256v256q0 26 -19 45t-45 19h-128q-26 0 -45 -19t-19 -45v-256h-256q-26 0 -45 -19t-19 -45v-128q0 -26 19 -45t45 -19h256v-256q0 -26 19 -45t45 -19h128q26 0 45 19t19 45v256h256q26 0 45 19t19 45zM1536 640q0 -209 -103 -385.5 t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" d="M1216 576v128q0 26 -19 45t-45 19h-768q-26 0 -45 -19t-19 -45v-128q0 -26 19 -45t45 -19h768q26 0 45 19t19 45zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5 t103 -385.5z" />
-<glyph unicode="" d="M1149 414q0 26 -19 45l-181 181l181 181q19 19 19 45q0 27 -19 46l-90 90q-19 19 -46 19q-26 0 -45 -19l-181 -181l-181 181q-19 19 -45 19q-27 0 -46 -19l-90 -90q-19 -19 -19 -46q0 -26 19 -45l181 -181l-181 -181q-19 -19 -19 -45q0 -27 19 -46l90 -90q19 -19 46 -19 q26 0 45 19l181 181l181 -181q19 -19 45 -19q27 0 46 19l90 90q19 19 19 46zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" d="M1284 802q0 28 -18 46l-91 90q-19 19 -45 19t-45 -19l-408 -407l-226 226q-19 19 -45 19t-45 -19l-91 -90q-18 -18 -18 -46q0 -27 18 -45l362 -362q19 -19 45 -19q27 0 46 19l543 543q18 18 18 45zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103 t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" d="M896 160v192q0 14 -9 23t-23 9h-192q-14 0 -23 -9t-9 -23v-192q0 -14 9 -23t23 -9h192q14 0 23 9t9 23zM1152 832q0 88 -55.5 163t-138.5 116t-170 41q-243 0 -371 -213q-15 -24 8 -42l132 -100q7 -6 19 -6q16 0 25 12q53 68 86 92q34 24 86 24q48 0 85.5 -26t37.5 -59 q0 -38 -20 -61t-68 -45q-63 -28 -115.5 -86.5t-52.5 -125.5v-36q0 -14 9 -23t23 -9h192q14 0 23 9t9 23q0 19 21.5 49.5t54.5 49.5q32 18 49 28.5t46 35t44.5 48t28 60.5t12.5 81zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5 t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" d="M1024 160v160q0 14 -9 23t-23 9h-96v512q0 14 -9 23t-23 9h-320q-14 0 -23 -9t-9 -23v-160q0 -14 9 -23t23 -9h96v-320h-96q-14 0 -23 -9t-9 -23v-160q0 -14 9 -23t23 -9h448q14 0 23 9t9 23zM896 1056v160q0 14 -9 23t-23 9h-192q-14 0 -23 -9t-9 -23v-160q0 -14 9 -23 t23 -9h192q14 0 23 9t9 23zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" d="M1197 512h-109q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h109q-32 108 -112.5 188.5t-188.5 112.5v-109q0 -26 -19 -45t-45 -19h-128q-26 0 -45 19t-19 45v109q-108 -32 -188.5 -112.5t-112.5 -188.5h109q26 0 45 -19t19 -45v-128q0 -26 -19 -45t-45 -19h-109 q32 -108 112.5 -188.5t188.5 -112.5v109q0 26 19 45t45 19h128q26 0 45 -19t19 -45v-109q108 32 188.5 112.5t112.5 188.5zM1536 704v-128q0 -26 -19 -45t-45 -19h-143q-37 -161 -154.5 -278.5t-278.5 -154.5v-143q0 -26 -19 -45t-45 -19h-128q-26 0 -45 19t-19 45v143 q-161 37 -278.5 154.5t-154.5 278.5h-143q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h143q37 161 154.5 278.5t278.5 154.5v143q0 26 19 45t45 19h128q26 0 45 -19t19 -45v-143q161 -37 278.5 -154.5t154.5 -278.5h143q26 0 45 -19t19 -45z" />
-<glyph unicode="" d="M1097 457l-146 -146q-10 -10 -23 -10t-23 10l-137 137l-137 -137q-10 -10 -23 -10t-23 10l-146 146q-10 10 -10 23t10 23l137 137l-137 137q-10 10 -10 23t10 23l146 146q10 10 23 10t23 -10l137 -137l137 137q10 10 23 10t23 -10l146 -146q10 -10 10 -23t-10 -23 l-137 -137l137 -137q10 -10 10 -23t-10 -23zM1312 640q0 148 -73 273t-198 198t-273 73t-273 -73t-198 -198t-73 -273t73 -273t198 -198t273 -73t273 73t198 198t73 273zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5 t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" d="M1171 723l-422 -422q-19 -19 -45 -19t-45 19l-294 294q-19 19 -19 45t19 45l102 102q19 19 45 19t45 -19l147 -147l275 275q19 19 45 19t45 -19l102 -102q19 -19 19 -45t-19 -45zM1312 640q0 148 -73 273t-198 198t-273 73t-273 -73t-198 -198t-73 -273t73 -273t198 -198 t273 -73t273 73t198 198t73 273zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" d="M1312 643q0 161 -87 295l-754 -753q137 -89 297 -89q111 0 211.5 43.5t173.5 116.5t116 174.5t43 212.5zM313 344l755 754q-135 91 -300 91q-148 0 -273 -73t-198 -199t-73 -274q0 -162 89 -299zM1536 643q0 -157 -61 -300t-163.5 -246t-245 -164t-298.5 -61t-298.5 61 t-245 164t-163.5 246t-61 300t61 299.5t163.5 245.5t245 164t298.5 61t298.5 -61t245 -164t163.5 -245.5t61 -299.5z" />
-<glyph unicode="" d="M1536 640v-128q0 -53 -32.5 -90.5t-84.5 -37.5h-704l293 -294q38 -36 38 -90t-38 -90l-75 -76q-37 -37 -90 -37q-52 0 -91 37l-651 652q-37 37 -37 90q0 52 37 91l651 650q38 38 91 38q52 0 90 -38l75 -74q38 -38 38 -91t-38 -91l-293 -293h704q52 0 84.5 -37.5 t32.5 -90.5z" />
-<glyph unicode="" d="M1472 576q0 -54 -37 -91l-651 -651q-39 -37 -91 -37q-51 0 -90 37l-75 75q-38 38 -38 91t38 91l293 293h-704q-52 0 -84.5 37.5t-32.5 90.5v128q0 53 32.5 90.5t84.5 37.5h704l-293 294q-38 36 -38 90t38 90l75 75q38 38 90 38q53 0 91 -38l651 -651q37 -35 37 -90z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1611 565q0 -51 -37 -90l-75 -75q-38 -38 -91 -38q-54 0 -90 38l-294 293v-704q0 -52 -37.5 -84.5t-90.5 -32.5h-128q-53 0 -90.5 32.5t-37.5 84.5v704l-294 -293q-36 -38 -90 -38t-90 38l-75 75q-38 38 -38 90q0 53 38 91l651 651q35 37 90 37q54 0 91 -37l651 -651 q37 -39 37 -91z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1611 704q0 -53 -37 -90l-651 -652q-39 -37 -91 -37q-53 0 -90 37l-651 652q-38 36 -38 90q0 53 38 91l74 75q39 37 91 37q53 0 90 -37l294 -294v704q0 52 38 90t90 38h128q52 0 90 -38t38 -90v-704l294 294q37 37 90 37q52 0 91 -37l75 -75q37 -39 37 -91z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1792 896q0 -26 -19 -45l-512 -512q-19 -19 -45 -19t-45 19t-19 45v256h-224q-98 0 -175.5 -6t-154 -21.5t-133 -42.5t-105.5 -69.5t-80 -101t-48.5 -138.5t-17.5 -181q0 -55 5 -123q0 -6 2.5 -23.5t2.5 -26.5q0 -15 -8.5 -25t-23.5 -10q-16 0 -28 17q-7 9 -13 22 t-13.5 30t-10.5 24q-127 285 -127 451q0 199 53 333q162 403 875 403h224v256q0 26 19 45t45 19t45 -19l512 -512q19 -19 19 -45z" />
-<glyph unicode="" d="M755 480q0 -13 -10 -23l-332 -332l144 -144q19 -19 19 -45t-19 -45t-45 -19h-448q-26 0 -45 19t-19 45v448q0 26 19 45t45 19t45 -19l144 -144l332 332q10 10 23 10t23 -10l114 -114q10 -10 10 -23zM1536 1344v-448q0 -26 -19 -45t-45 -19t-45 19l-144 144l-332 -332 q-10 -10 -23 -10t-23 10l-114 114q-10 10 -10 23t10 23l332 332l-144 144q-19 19 -19 45t19 45t45 19h448q26 0 45 -19t19 -45z" />
-<glyph unicode="" d="M768 576v-448q0 -26 -19 -45t-45 -19t-45 19l-144 144l-332 -332q-10 -10 -23 -10t-23 10l-114 114q-10 10 -10 23t10 23l332 332l-144 144q-19 19 -19 45t19 45t45 19h448q26 0 45 -19t19 -45zM1523 1248q0 -13 -10 -23l-332 -332l144 -144q19 -19 19 -45t-19 -45 t-45 -19h-448q-26 0 -45 19t-19 45v448q0 26 19 45t45 19t45 -19l144 -144l332 332q10 10 23 10t23 -10l114 -114q10 -10 10 -23z" />
-<glyph unicode="" horiz-adv-x="1408" d="M1408 800v-192q0 -40 -28 -68t-68 -28h-416v-416q0 -40 -28 -68t-68 -28h-192q-40 0 -68 28t-28 68v416h-416q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h416v416q0 40 28 68t68 28h192q40 0 68 -28t28 -68v-416h416q40 0 68 -28t28 -68z" />
-<glyph unicode="" horiz-adv-x="1408" d="M1408 800v-192q0 -40 -28 -68t-68 -28h-1216q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h1216q40 0 68 -28t28 -68z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1482 486q46 -26 59.5 -77.5t-12.5 -97.5l-64 -110q-26 -46 -77.5 -59.5t-97.5 12.5l-266 153v-307q0 -52 -38 -90t-90 -38h-128q-52 0 -90 38t-38 90v307l-266 -153q-46 -26 -97.5 -12.5t-77.5 59.5l-64 110q-26 46 -12.5 97.5t59.5 77.5l266 154l-266 154 q-46 26 -59.5 77.5t12.5 97.5l64 110q26 46 77.5 59.5t97.5 -12.5l266 -153v307q0 52 38 90t90 38h128q52 0 90 -38t38 -90v-307l266 153q46 26 97.5 12.5t77.5 -59.5l64 -110q26 -46 12.5 -97.5t-59.5 -77.5l-266 -154z" />
-<glyph unicode="" d="M768 1408q209 0 385.5 -103t279.5 -279.5t103 -385.5t-103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103zM896 161v190q0 14 -9 23.5t-22 9.5h-192q-13 0 -23 -10t-10 -23v-190q0 -13 10 -23t23 -10h192 q13 0 22 9.5t9 23.5zM894 505l18 621q0 12 -10 18q-10 8 -24 8h-220q-14 0 -24 -8q-10 -6 -10 -18l17 -621q0 -10 10 -17.5t24 -7.5h185q14 0 23.5 7.5t10.5 17.5z" />
-<glyph unicode="" d="M928 180v56v468v192h-320v-192v-468v-56q0 -25 18 -38.5t46 -13.5h192q28 0 46 13.5t18 38.5zM472 1024h195l-126 161q-26 31 -69 31q-40 0 -68 -28t-28 -68t28 -68t68 -28zM1160 1120q0 40 -28 68t-68 28q-43 0 -69 -31l-125 -161h194q40 0 68 28t28 68zM1536 864v-320 q0 -14 -9 -23t-23 -9h-96v-416q0 -40 -28 -68t-68 -28h-1088q-40 0 -68 28t-28 68v416h-96q-14 0 -23 9t-9 23v320q0 14 9 23t23 9h440q-93 0 -158.5 65.5t-65.5 158.5t65.5 158.5t158.5 65.5q107 0 168 -77l128 -165l128 165q61 77 168 77q93 0 158.5 -65.5t65.5 -158.5 t-65.5 -158.5t-158.5 -65.5h440q14 0 23 -9t9 -23z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1280 832q0 26 -19 45t-45 19q-172 0 -318 -49.5t-259.5 -134t-235.5 -219.5q-19 -21 -19 -45q0 -26 19 -45t45 -19q24 0 45 19q27 24 74 71t67 66q137 124 268.5 176t313.5 52q26 0 45 19t19 45zM1792 1030q0 -95 -20 -193q-46 -224 -184.5 -383t-357.5 -268 q-214 -108 -438 -108q-148 0 -286 47q-15 5 -88 42t-96 37q-16 0 -39.5 -32t-45 -70t-52.5 -70t-60 -32q-30 0 -51 11t-31 24t-27 42q-2 4 -6 11t-5.5 10t-3 9.5t-1.5 13.5q0 35 31 73.5t68 65.5t68 56t31 48q0 4 -14 38t-16 44q-9 51 -9 104q0 115 43.5 220t119 184.5 t170.5 139t204 95.5q55 18 145 25.5t179.5 9t178.5 6t163.5 24t113.5 56.5l29.5 29.5t29.5 28t27 20t36.5 16t43.5 4.5q39 0 70.5 -46t47.5 -112t24 -124t8 -96z" />
-<glyph unicode="" horiz-adv-x="1408" d="M1408 -160v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-1344q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h1344q13 0 22.5 -9.5t9.5 -22.5zM1152 896q0 -78 -24.5 -144t-64 -112.5t-87.5 -88t-96 -77.5t-87.5 -72t-64 -81.5t-24.5 -96.5q0 -96 67 -224l-4 1l1 -1 q-90 41 -160 83t-138.5 100t-113.5 122.5t-72.5 150.5t-27.5 184q0 78 24.5 144t64 112.5t87.5 88t96 77.5t87.5 72t64 81.5t24.5 96.5q0 94 -66 224l3 -1l-1 1q90 -41 160 -83t138.5 -100t113.5 -122.5t72.5 -150.5t27.5 -184z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1664 576q-152 236 -381 353q61 -104 61 -225q0 -185 -131.5 -316.5t-316.5 -131.5t-316.5 131.5t-131.5 316.5q0 121 61 225q-229 -117 -381 -353q133 -205 333.5 -326.5t434.5 -121.5t434.5 121.5t333.5 326.5zM944 960q0 20 -14 34t-34 14q-125 0 -214.5 -89.5 t-89.5 -214.5q0 -20 14 -34t34 -14t34 14t14 34q0 86 61 147t147 61q20 0 34 14t14 34zM1792 576q0 -34 -20 -69q-140 -230 -376.5 -368.5t-499.5 -138.5t-499.5 139t-376.5 368q-20 35 -20 69t20 69q140 229 376.5 368t499.5 139t499.5 -139t376.5 -368q20 -35 20 -69z" />
-<glyph unicode="" horiz-adv-x="1792" d="M555 201l78 141q-87 63 -136 159t-49 203q0 121 61 225q-229 -117 -381 -353q167 -258 427 -375zM944 960q0 20 -14 34t-34 14q-125 0 -214.5 -89.5t-89.5 -214.5q0 -20 14 -34t34 -14t34 14t14 34q0 86 61 147t147 61q20 0 34 14t14 34zM1307 1151q0 -7 -1 -9 q-105 -188 -315 -566t-316 -567l-49 -89q-10 -16 -28 -16q-12 0 -134 70q-16 10 -16 28q0 12 44 87q-143 65 -263.5 173t-208.5 245q-20 31 -20 69t20 69q153 235 380 371t496 136q89 0 180 -17l54 97q10 16 28 16q5 0 18 -6t31 -15.5t33 -18.5t31.5 -18.5t19.5 -11.5 q16 -10 16 -27zM1344 704q0 -139 -79 -253.5t-209 -164.5l280 502q8 -45 8 -84zM1792 576q0 -35 -20 -69q-39 -64 -109 -145q-150 -172 -347.5 -267t-419.5 -95l74 132q212 18 392.5 137t301.5 307q-115 179 -282 294l63 112q95 -64 182.5 -153t144.5 -184q20 -34 20 -69z " />
-<glyph unicode="" horiz-adv-x="1792" d="M1024 161v190q0 14 -9.5 23.5t-22.5 9.5h-192q-13 0 -22.5 -9.5t-9.5 -23.5v-190q0 -14 9.5 -23.5t22.5 -9.5h192q13 0 22.5 9.5t9.5 23.5zM1022 535l18 459q0 12 -10 19q-13 11 -24 11h-220q-11 0 -24 -11q-10 -7 -10 -21l17 -457q0 -10 10 -16.5t24 -6.5h185 q14 0 23.5 6.5t10.5 16.5zM1008 1469l768 -1408q35 -63 -2 -126q-17 -29 -46.5 -46t-63.5 -17h-1536q-34 0 -63.5 17t-46.5 46q-37 63 -2 126l768 1408q17 31 47 49t65 18t65 -18t47 -49z" />
-<glyph unicode="" horiz-adv-x="1408" d="M1376 1376q44 -52 12 -148t-108 -172l-161 -161l160 -696q5 -19 -12 -33l-128 -96q-7 -6 -19 -6q-4 0 -7 1q-15 3 -21 16l-279 508l-259 -259l53 -194q5 -17 -8 -31l-96 -96q-9 -9 -23 -9h-2q-15 2 -24 13l-189 252l-252 189q-11 7 -13 23q-1 13 9 25l96 97q9 9 23 9 q6 0 8 -1l194 -53l259 259l-508 279q-14 8 -17 24q-2 16 9 27l128 128q14 13 30 8l665 -159l160 160q76 76 172 108t148 -12z" />
-<glyph unicode="" horiz-adv-x="1664" d="M128 -128h288v288h-288v-288zM480 -128h320v288h-320v-288zM128 224h288v320h-288v-320zM480 224h320v320h-320v-320zM128 608h288v288h-288v-288zM864 -128h320v288h-320v-288zM480 608h320v288h-320v-288zM1248 -128h288v288h-288v-288zM864 224h320v320h-320v-320z M512 1088v288q0 13 -9.5 22.5t-22.5 9.5h-64q-13 0 -22.5 -9.5t-9.5 -22.5v-288q0 -13 9.5 -22.5t22.5 -9.5h64q13 0 22.5 9.5t9.5 22.5zM1248 224h288v320h-288v-320zM864 608h320v288h-320v-288zM1248 608h288v288h-288v-288zM1280 1088v288q0 13 -9.5 22.5t-22.5 9.5h-64 q-13 0 -22.5 -9.5t-9.5 -22.5v-288q0 -13 9.5 -22.5t22.5 -9.5h64q13 0 22.5 9.5t9.5 22.5zM1664 1152v-1280q0 -52 -38 -90t-90 -38h-1408q-52 0 -90 38t-38 90v1280q0 52 38 90t90 38h128v96q0 66 47 113t113 47h64q66 0 113 -47t47 -113v-96h384v96q0 66 47 113t113 47 h64q66 0 113 -47t47 -113v-96h128q52 0 90 -38t38 -90z" />
-<glyph unicode="" horiz-adv-x="1792" d="M666 1055q-60 -92 -137 -273q-22 45 -37 72.5t-40.5 63.5t-51 56.5t-63 35t-81.5 14.5h-224q-14 0 -23 9t-9 23v192q0 14 9 23t23 9h224q250 0 410 -225zM1792 256q0 -14 -9 -23l-320 -320q-9 -9 -23 -9q-13 0 -22.5 9.5t-9.5 22.5v192q-32 0 -85 -0.5t-81 -1t-73 1 t-71 5t-64 10.5t-63 18.5t-58 28.5t-59 40t-55 53.5t-56 69.5q59 93 136 273q22 -45 37 -72.5t40.5 -63.5t51 -56.5t63 -35t81.5 -14.5h256v192q0 14 9 23t23 9q12 0 24 -10l319 -319q9 -9 9 -23zM1792 1152q0 -14 -9 -23l-320 -320q-9 -9 -23 -9q-13 0 -22.5 9.5t-9.5 22.5 v192h-256q-48 0 -87 -15t-69 -45t-51 -61.5t-45 -77.5q-32 -62 -78 -171q-29 -66 -49.5 -111t-54 -105t-64 -100t-74 -83t-90 -68.5t-106.5 -42t-128 -16.5h-224q-14 0 -23 9t-9 23v192q0 14 9 23t23 9h224q48 0 87 15t69 45t51 61.5t45 77.5q32 62 78 171q29 66 49.5 111 t54 105t64 100t74 83t90 68.5t106.5 42t128 16.5h256v192q0 14 9 23t23 9q12 0 24 -10l319 -319q9 -9 9 -23z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1792 640q0 -174 -120 -321.5t-326 -233t-450 -85.5q-70 0 -145 8q-198 -175 -460 -242q-49 -14 -114 -22q-17 -2 -30.5 9t-17.5 29v1q-3 4 -0.5 12t2 10t4.5 9.5l6 9t7 8.5t8 9q7 8 31 34.5t34.5 38t31 39.5t32.5 51t27 59t26 76q-157 89 -247.5 220t-90.5 281 q0 130 71 248.5t191 204.5t286 136.5t348 50.5q244 0 450 -85.5t326 -233t120 -321.5z" />
-<glyph unicode="" d="M1536 704v-128q0 -201 -98.5 -362t-274 -251.5t-395.5 -90.5t-395.5 90.5t-274 251.5t-98.5 362v128q0 26 19 45t45 19h384q26 0 45 -19t19 -45v-128q0 -52 23.5 -90t53.5 -57t71 -30t64 -13t44 -2t44 2t64 13t71 30t53.5 57t23.5 90v128q0 26 19 45t45 19h384 q26 0 45 -19t19 -45zM512 1344v-384q0 -26 -19 -45t-45 -19h-384q-26 0 -45 19t-19 45v384q0 26 19 45t45 19h384q26 0 45 -19t19 -45zM1536 1344v-384q0 -26 -19 -45t-45 -19h-384q-26 0 -45 19t-19 45v384q0 26 19 45t45 19h384q26 0 45 -19t19 -45z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1611 320q0 -53 -37 -90l-75 -75q-38 -38 -91 -38q-54 0 -90 38l-486 485l-486 -485q-36 -38 -90 -38t-90 38l-75 75q-38 36 -38 90q0 53 38 91l651 651q37 37 90 37q52 0 91 -37l650 -651q38 -38 38 -91z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1611 832q0 -53 -37 -90l-651 -651q-38 -38 -91 -38q-54 0 -90 38l-651 651q-38 36 -38 90q0 53 38 91l74 75q39 37 91 37q53 0 90 -37l486 -486l486 486q37 37 90 37q52 0 91 -37l75 -75q37 -39 37 -91z" />
-<glyph unicode="" horiz-adv-x="1920" d="M1280 32q0 -13 -9.5 -22.5t-22.5 -9.5h-960q-8 0 -13.5 2t-9 7t-5.5 8t-3 11.5t-1 11.5v13v11v160v416h-192q-26 0 -45 19t-19 45q0 24 15 41l320 384q19 22 49 22t49 -22l320 -384q15 -17 15 -41q0 -26 -19 -45t-45 -19h-192v-384h576q16 0 25 -11l160 -192q7 -11 7 -21 zM1920 448q0 -24 -15 -41l-320 -384q-20 -23 -49 -23t-49 23l-320 384q-15 17 -15 41q0 26 19 45t45 19h192v384h-576q-16 0 -25 12l-160 192q-7 9 -7 20q0 13 9.5 22.5t22.5 9.5h960q8 0 13.5 -2t9 -7t5.5 -8t3 -11.5t1 -11.5v-13v-11v-160v-416h192q26 0 45 -19t19 -45z " />
-<glyph unicode="" horiz-adv-x="1664" d="M640 0q0 -53 -37.5 -90.5t-90.5 -37.5t-90.5 37.5t-37.5 90.5t37.5 90.5t90.5 37.5t90.5 -37.5t37.5 -90.5zM1536 0q0 -53 -37.5 -90.5t-90.5 -37.5t-90.5 37.5t-37.5 90.5t37.5 90.5t90.5 37.5t90.5 -37.5t37.5 -90.5zM1664 1088v-512q0 -24 -16 -42.5t-41 -21.5 l-1044 -122q1 -7 4.5 -21.5t6 -26.5t2.5 -22q0 -16 -24 -64h920q26 0 45 -19t19 -45t-19 -45t-45 -19h-1024q-26 0 -45 19t-19 45q0 14 11 39.5t29.5 59.5t20.5 38l-177 823h-204q-26 0 -45 19t-19 45t19 45t45 19h256q16 0 28.5 -6.5t20 -15.5t13 -24.5t7.5 -26.5 t5.5 -29.5t4.5 -25.5h1201q26 0 45 -19t19 -45z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1664 928v-704q0 -92 -66 -158t-158 -66h-1216q-92 0 -158 66t-66 158v960q0 92 66 158t158 66h320q92 0 158 -66t66 -158v-32h672q92 0 158 -66t66 -158z" />
-<glyph unicode="" horiz-adv-x="1920" d="M1879 584q0 -31 -31 -66l-336 -396q-43 -51 -120.5 -86.5t-143.5 -35.5h-1088q-34 0 -60.5 13t-26.5 43q0 31 31 66l336 396q43 51 120.5 86.5t143.5 35.5h1088q34 0 60.5 -13t26.5 -43zM1536 928v-160h-832q-94 0 -197 -47.5t-164 -119.5l-337 -396l-5 -6q0 4 -0.5 12.5 t-0.5 12.5v960q0 92 66 158t158 66h320q92 0 158 -66t66 -158v-32h544q92 0 158 -66t66 -158z" />
-<glyph unicode="" horiz-adv-x="768" d="M704 1216q0 -26 -19 -45t-45 -19h-128v-1024h128q26 0 45 -19t19 -45t-19 -45l-256 -256q-19 -19 -45 -19t-45 19l-256 256q-19 19 -19 45t19 45t45 19h128v1024h-128q-26 0 -45 19t-19 45t19 45l256 256q19 19 45 19t45 -19l256 -256q19 -19 19 -45z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1792 640q0 -26 -19 -45l-256 -256q-19 -19 -45 -19t-45 19t-19 45v128h-1024v-128q0 -26 -19 -45t-45 -19t-45 19l-256 256q-19 19 -19 45t19 45l256 256q19 19 45 19t45 -19t19 -45v-128h1024v128q0 26 19 45t45 19t45 -19l256 -256q19 -19 19 -45z" />
-<glyph unicode="" horiz-adv-x="1920" d="M512 512v-384h-256v384h256zM896 1024v-896h-256v896h256zM1280 768v-640h-256v640h256zM1664 1152v-1024h-256v1024h256zM1792 32v1216q0 13 -9.5 22.5t-22.5 9.5h-1600q-13 0 -22.5 -9.5t-9.5 -22.5v-1216q0 -13 9.5 -22.5t22.5 -9.5h1600q13 0 22.5 9.5t9.5 22.5z M1920 1248v-1216q0 -66 -47 -113t-113 -47h-1600q-66 0 -113 47t-47 113v1216q0 66 47 113t113 47h1600q66 0 113 -47t47 -113z" />
-<glyph unicode="" d="M1280 926q-56 -25 -121 -34q68 40 93 117q-65 -38 -134 -51q-61 66 -153 66q-87 0 -148.5 -61.5t-61.5 -148.5q0 -29 5 -48q-129 7 -242 65t-192 155q-29 -50 -29 -106q0 -114 91 -175q-47 1 -100 26v-2q0 -75 50 -133.5t123 -72.5q-29 -8 -51 -8q-13 0 -39 4 q21 -63 74.5 -104t121.5 -42q-116 -90 -261 -90q-26 0 -50 3q148 -94 322 -94q112 0 210 35.5t168 95t120.5 137t75 162t24.5 168.5q0 18 -1 27q63 45 105 109zM1536 1120v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5 t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="" d="M1307 618l23 219h-198v109q0 49 15.5 68.5t71.5 19.5h110v219h-175q-152 0 -218 -72t-66 -213v-131h-131v-219h131v-635h262v635h175zM1536 1120v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960 q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="" horiz-adv-x="1792" d="M928 704q0 14 -9 23t-23 9q-66 0 -113 -47t-47 -113q0 -14 9 -23t23 -9t23 9t9 23q0 40 28 68t68 28q14 0 23 9t9 23zM1152 574q0 -106 -75 -181t-181 -75t-181 75t-75 181t75 181t181 75t181 -75t75 -181zM128 0h1536v128h-1536v-128zM1280 574q0 159 -112.5 271.5 t-271.5 112.5t-271.5 -112.5t-112.5 -271.5t112.5 -271.5t271.5 -112.5t271.5 112.5t112.5 271.5zM256 1216h384v128h-384v-128zM128 1024h1536v118v138h-828l-64 -128h-644v-128zM1792 1280v-1280q0 -53 -37.5 -90.5t-90.5 -37.5h-1536q-53 0 -90.5 37.5t-37.5 90.5v1280 q0 53 37.5 90.5t90.5 37.5h1536q53 0 90.5 -37.5t37.5 -90.5z" />
-<glyph unicode="" horiz-adv-x="1792" d="M832 1024q0 80 -56 136t-136 56t-136 -56t-56 -136q0 -42 19 -83q-41 19 -83 19q-80 0 -136 -56t-56 -136t56 -136t136 -56t136 56t56 136q0 42 -19 83q41 -19 83 -19q80 0 136 56t56 136zM1683 320q0 -17 -49 -66t-66 -49q-9 0 -28.5 16t-36.5 33t-38.5 40t-24.5 26 l-96 -96l220 -220q28 -28 28 -68q0 -42 -39 -81t-81 -39q-40 0 -68 28l-671 671q-176 -131 -365 -131q-163 0 -265.5 102.5t-102.5 265.5q0 160 95 313t248 248t313 95q163 0 265.5 -102.5t102.5 -265.5q0 -189 -131 -365l355 -355l96 96q-3 3 -26 24.5t-40 38.5t-33 36.5 t-16 28.5q0 17 49 66t66 49q13 0 23 -10q6 -6 46 -44.5t82 -79.5t86.5 -86t73 -78t28.5 -41z" />
-<glyph unicode="" horiz-adv-x="1920" d="M896 640q0 106 -75 181t-181 75t-181 -75t-75 -181t75 -181t181 -75t181 75t75 181zM1664 128q0 52 -38 90t-90 38t-90 -38t-38 -90q0 -53 37.5 -90.5t90.5 -37.5t90.5 37.5t37.5 90.5zM1664 1152q0 52 -38 90t-90 38t-90 -38t-38 -90q0 -53 37.5 -90.5t90.5 -37.5 t90.5 37.5t37.5 90.5zM1280 731v-185q0 -10 -7 -19.5t-16 -10.5l-155 -24q-11 -35 -32 -76q34 -48 90 -115q7 -10 7 -20q0 -12 -7 -19q-23 -30 -82.5 -89.5t-78.5 -59.5q-11 0 -21 7l-115 90q-37 -19 -77 -31q-11 -108 -23 -155q-7 -24 -30 -24h-186q-11 0 -20 7.5t-10 17.5 l-23 153q-34 10 -75 31l-118 -89q-7 -7 -20 -7q-11 0 -21 8q-144 133 -144 160q0 9 7 19q10 14 41 53t47 61q-23 44 -35 82l-152 24q-10 1 -17 9.5t-7 19.5v185q0 10 7 19.5t16 10.5l155 24q11 35 32 76q-34 48 -90 115q-7 11 -7 20q0 12 7 20q22 30 82 89t79 59q11 0 21 -7 l115 -90q34 18 77 32q11 108 23 154q7 24 30 24h186q11 0 20 -7.5t10 -17.5l23 -153q34 -10 75 -31l118 89q8 7 20 7q11 0 21 -8q144 -133 144 -160q0 -9 -7 -19q-12 -16 -42 -54t-45 -60q23 -48 34 -82l152 -23q10 -2 17 -10.5t7 -19.5zM1920 198v-140q0 -16 -149 -31 q-12 -27 -30 -52q51 -113 51 -138q0 -4 -4 -7q-122 -71 -124 -71q-8 0 -46 47t-52 68q-20 -2 -30 -2t-30 2q-14 -21 -52 -68t-46 -47q-2 0 -124 71q-4 3 -4 7q0 25 51 138q-18 25 -30 52q-149 15 -149 31v140q0 16 149 31q13 29 30 52q-51 113 -51 138q0 4 4 7q4 2 35 20 t59 34t30 16q8 0 46 -46.5t52 -67.5q20 2 30 2t30 -2q51 71 92 112l6 2q4 0 124 -70q4 -3 4 -7q0 -25 -51 -138q17 -23 30 -52q149 -15 149 -31zM1920 1222v-140q0 -16 -149 -31q-12 -27 -30 -52q51 -113 51 -138q0 -4 -4 -7q-122 -71 -124 -71q-8 0 -46 47t-52 68 q-20 -2 -30 -2t-30 2q-14 -21 -52 -68t-46 -47q-2 0 -124 71q-4 3 -4 7q0 25 51 138q-18 25 -30 52q-149 15 -149 31v140q0 16 149 31q13 29 30 52q-51 113 -51 138q0 4 4 7q4 2 35 20t59 34t30 16q8 0 46 -46.5t52 -67.5q20 2 30 2t30 -2q51 71 92 112l6 2q4 0 124 -70 q4 -3 4 -7q0 -25 -51 -138q17 -23 30 -52q149 -15 149 -31z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1408 768q0 -139 -94 -257t-256.5 -186.5t-353.5 -68.5q-86 0 -176 16q-124 -88 -278 -128q-36 -9 -86 -16h-3q-11 0 -20.5 8t-11.5 21q-1 3 -1 6.5t0.5 6.5t2 6l2.5 5t3.5 5.5t4 5t4.5 5t4 4.5q5 6 23 25t26 29.5t22.5 29t25 38.5t20.5 44q-124 72 -195 177t-71 224 q0 139 94 257t256.5 186.5t353.5 68.5t353.5 -68.5t256.5 -186.5t94 -257zM1792 512q0 -120 -71 -224.5t-195 -176.5q10 -24 20.5 -44t25 -38.5t22.5 -29t26 -29.5t23 -25q1 -1 4 -4.5t4.5 -5t4 -5t3.5 -5.5l2.5 -5t2 -6t0.5 -6.5t-1 -6.5q-3 -14 -13 -22t-22 -7 q-50 7 -86 16q-154 40 -278 128q-90 -16 -176 -16q-271 0 -472 132q58 -4 88 -4q161 0 309 45t264 129q125 92 192 212t67 254q0 77 -23 152q129 -71 204 -178t75 -230z" />
-<glyph unicode="" d="M256 192q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45t45 -19t45 19t19 45zM1408 768q0 51 -39 89.5t-89 38.5h-352q0 58 48 159.5t48 160.5q0 98 -32 145t-128 47q-26 -26 -38 -85t-30.5 -125.5t-59.5 -109.5q-22 -23 -77 -91q-4 -5 -23 -30t-31.5 -41t-34.5 -42.5 t-40 -44t-38.5 -35.5t-40 -27t-35.5 -9h-32v-640h32q13 0 31.5 -3t33 -6.5t38 -11t35 -11.5t35.5 -12.5t29 -10.5q211 -73 342 -73h121q192 0 192 167q0 26 -5 56q30 16 47.5 52.5t17.5 73.5t-18 69q53 50 53 119q0 25 -10 55.5t-25 47.5q32 1 53.5 47t21.5 81zM1536 769 q0 -89 -49 -163q9 -33 9 -69q0 -77 -38 -144q3 -21 3 -43q0 -101 -60 -178q1 -139 -85 -219.5t-227 -80.5h-36h-93q-96 0 -189.5 22.5t-216.5 65.5q-116 40 -138 40h-288q-53 0 -90.5 37.5t-37.5 90.5v640q0 53 37.5 90.5t90.5 37.5h274q36 24 137 155q58 75 107 128 q24 25 35.5 85.5t30.5 126.5t62 108q39 37 90 37q84 0 151 -32.5t102 -101.5t35 -186q0 -93 -48 -192h176q104 0 180 -76t76 -179z" />
-<glyph unicode="" d="M256 1088q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45t45 -19t45 19t19 45zM1408 512q0 35 -21.5 81t-53.5 47q15 17 25 47.5t10 55.5q0 69 -53 119q18 32 18 69t-17.5 73.5t-47.5 52.5q5 30 5 56q0 85 -49 126t-136 41h-128q-131 0 -342 -73q-5 -2 -29 -10.5 t-35.5 -12.5t-35 -11.5t-38 -11t-33 -6.5t-31.5 -3h-32v-640h32q16 0 35.5 -9t40 -27t38.5 -35.5t40 -44t34.5 -42.5t31.5 -41t23 -30q55 -68 77 -91q41 -43 59.5 -109.5t30.5 -125.5t38 -85q96 0 128 47t32 145q0 59 -48 160.5t-48 159.5h352q50 0 89 38.5t39 89.5z M1536 511q0 -103 -76 -179t-180 -76h-176q48 -99 48 -192q0 -118 -35 -186q-35 -69 -102 -101.5t-151 -32.5q-51 0 -90 37q-34 33 -54 82t-25.5 90.5t-17.5 84.5t-31 64q-48 50 -107 127q-101 131 -137 155h-274q-53 0 -90.5 37.5t-37.5 90.5v640q0 53 37.5 90.5t90.5 37.5 h288q22 0 138 40q128 44 223 66t200 22h112q140 0 226.5 -79t85.5 -216v-5q60 -77 60 -178q0 -22 -3 -43q38 -67 38 -144q0 -36 -9 -69q49 -74 49 -163z" />
-<glyph unicode="" horiz-adv-x="896" d="M832 1504v-1339l-449 -236q-22 -12 -40 -12q-21 0 -31.5 14.5t-10.5 35.5q0 6 2 20l86 500l-364 354q-25 27 -25 48q0 37 56 46l502 73l225 455q19 41 49 41z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1664 940q0 81 -21.5 143t-55 98.5t-81.5 59.5t-94 31t-98 8t-112 -25.5t-110.5 -64t-86.5 -72t-60 -61.5q-18 -22 -49 -22t-49 22q-24 28 -60 61.5t-86.5 72t-110.5 64t-112 25.5t-98 -8t-94 -31t-81.5 -59.5t-55 -98.5t-21.5 -143q0 -168 187 -355l581 -560l580 559 q188 188 188 356zM1792 940q0 -221 -229 -450l-623 -600q-18 -18 -44 -18t-44 18l-624 602q-10 8 -27.5 26t-55.5 65.5t-68 97.5t-53.5 121t-23.5 138q0 220 127 344t351 124q62 0 126.5 -21.5t120 -58t95.5 -68.5t76 -68q36 36 76 68t95.5 68.5t120 58t126.5 21.5 q224 0 351 -124t127 -344z" />
-<glyph unicode="" horiz-adv-x="1664" d="M640 96q0 -4 1 -20t0.5 -26.5t-3 -23.5t-10 -19.5t-20.5 -6.5h-320q-119 0 -203.5 84.5t-84.5 203.5v704q0 119 84.5 203.5t203.5 84.5h320q13 0 22.5 -9.5t9.5 -22.5q0 -4 1 -20t0.5 -26.5t-3 -23.5t-10 -19.5t-20.5 -6.5h-320q-66 0 -113 -47t-47 -113v-704 q0 -66 47 -113t113 -47h288h11h13t11.5 -1t11.5 -3t8 -5.5t7 -9t2 -13.5zM1568 640q0 -26 -19 -45l-544 -544q-19 -19 -45 -19t-45 19t-19 45v288h-448q-26 0 -45 19t-19 45v384q0 26 19 45t45 19h448v288q0 26 19 45t45 19t45 -19l544 -544q19 -19 19 -45z" />
-<glyph unicode="" d="M237 122h231v694h-231v-694zM483 1030q-1 52 -36 86t-93 34t-94.5 -34t-36.5 -86q0 -51 35.5 -85.5t92.5 -34.5h1q59 0 95 34.5t36 85.5zM1068 122h231v398q0 154 -73 233t-193 79q-136 0 -209 -117h2v101h-231q3 -66 0 -694h231v388q0 38 7 56q15 35 45 59.5t74 24.5 q116 0 116 -157v-371zM1536 1120v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="" horiz-adv-x="1152" d="M480 672v448q0 14 -9 23t-23 9t-23 -9t-9 -23v-448q0 -14 9 -23t23 -9t23 9t9 23zM1152 320q0 -26 -19 -45t-45 -19h-429l-51 -483q-2 -12 -10.5 -20.5t-20.5 -8.5h-1q-27 0 -32 27l-76 485h-404q-26 0 -45 19t-19 45q0 123 78.5 221.5t177.5 98.5v512q-52 0 -90 38 t-38 90t38 90t90 38h640q52 0 90 -38t38 -90t-38 -90t-90 -38v-512q99 0 177.5 -98.5t78.5 -221.5z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1408 608v-320q0 -119 -84.5 -203.5t-203.5 -84.5h-832q-119 0 -203.5 84.5t-84.5 203.5v832q0 119 84.5 203.5t203.5 84.5h704q14 0 23 -9t9 -23v-64q0 -14 -9 -23t-23 -9h-704q-66 0 -113 -47t-47 -113v-832q0 -66 47 -113t113 -47h832q66 0 113 47t47 113v320 q0 14 9 23t23 9h64q14 0 23 -9t9 -23zM1792 1472v-512q0 -26 -19 -45t-45 -19t-45 19l-176 176l-652 -652q-10 -10 -23 -10t-23 10l-114 114q-10 10 -10 23t10 23l652 652l-176 176q-19 19 -19 45t19 45t45 19h512q26 0 45 -19t19 -45z" />
-<glyph unicode="" d="M1184 640q0 -26 -19 -45l-544 -544q-19 -19 -45 -19t-45 19t-19 45v288h-448q-26 0 -45 19t-19 45v384q0 26 19 45t45 19h448v288q0 26 19 45t45 19t45 -19l544 -544q19 -19 19 -45zM1536 992v-704q0 -119 -84.5 -203.5t-203.5 -84.5h-320q-13 0 -22.5 9.5t-9.5 22.5 q0 4 -1 20t-0.5 26.5t3 23.5t10 19.5t20.5 6.5h320q66 0 113 47t47 113v704q0 66 -47 113t-113 47h-288h-11h-13t-11.5 1t-11.5 3t-8 5.5t-7 9t-2 13.5q0 4 -1 20t-0.5 26.5t3 23.5t10 19.5t20.5 6.5h320q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="" horiz-adv-x="1664" d="M458 653q-74 162 -74 371h-256v-96q0 -78 94.5 -162t235.5 -113zM1536 928v96h-256q0 -209 -74 -371q141 29 235.5 113t94.5 162zM1664 1056v-128q0 -71 -41.5 -143t-112 -130t-173 -97.5t-215.5 -44.5q-42 -54 -95 -95q-38 -34 -52.5 -72.5t-14.5 -89.5q0 -54 30.5 -91 t97.5 -37q75 0 133.5 -45.5t58.5 -114.5v-64q0 -14 -9 -23t-23 -9h-832q-14 0 -23 9t-9 23v64q0 69 58.5 114.5t133.5 45.5q67 0 97.5 37t30.5 91q0 51 -14.5 89.5t-52.5 72.5q-53 41 -95 95q-113 5 -215.5 44.5t-173 97.5t-112 130t-41.5 143v128q0 40 28 68t68 28h288v96 q0 66 47 113t113 47h576q66 0 113 -47t47 -113v-96h288q40 0 68 -28t28 -68z" />
-<glyph unicode="" d="M394 184q-8 -9 -20 3q-13 11 -4 19q8 9 20 -3q12 -11 4 -19zM352 245q9 -12 0 -19q-8 -6 -17 7t0 18q9 7 17 -6zM291 305q-5 -7 -13 -2q-10 5 -7 12q3 5 13 2q10 -5 7 -12zM322 271q-6 -7 -16 3q-9 11 -2 16q6 6 16 -3q9 -11 2 -16zM451 159q-4 -12 -19 -6q-17 4 -13 15 t19 7q16 -5 13 -16zM514 154q0 -11 -16 -11q-17 -2 -17 11q0 11 16 11q17 2 17 -11zM572 164q2 -10 -14 -14t-18 8t14 15q16 2 18 -9zM1536 1120v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-224q-16 0 -24.5 1t-19.5 5t-16 14.5t-5 27.5v239q0 97 -52 142q57 6 102.5 18t94 39 t81 66.5t53 105t20.5 150.5q0 121 -79 206q37 91 -8 204q-28 9 -81 -11t-92 -44l-38 -24q-93 26 -192 26t-192 -26q-16 11 -42.5 27t-83.5 38.5t-86 13.5q-44 -113 -7 -204q-79 -85 -79 -206q0 -85 20.5 -150t52.5 -105t80.5 -67t94 -39t102.5 -18q-40 -36 -49 -103 q-21 -10 -45 -15t-57 -5t-65.5 21.5t-55.5 62.5q-19 32 -48.5 52t-49.5 24l-20 3q-21 0 -29 -4.5t-5 -11.5t9 -14t13 -12l7 -5q22 -10 43.5 -38t31.5 -51l10 -23q13 -38 44 -61.5t67 -30t69.5 -7t55.5 3.5l23 4q0 -38 0.5 -103t0.5 -68q0 -22 -11 -33.5t-22 -13t-33 -1.5 h-224q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1280 64q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45t45 -19t45 19t19 45zM1536 64q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45t45 -19t45 19t19 45zM1664 288v-320q0 -40 -28 -68t-68 -28h-1472q-40 0 -68 28t-28 68v320q0 40 28 68t68 28h427q21 -56 70.5 -92 t110.5 -36h256q61 0 110.5 36t70.5 92h427q40 0 68 -28t28 -68zM1339 936q-17 -40 -59 -40h-256v-448q0 -26 -19 -45t-45 -19h-256q-26 0 -45 19t-19 45v448h-256q-42 0 -59 40q-17 39 14 69l448 448q18 19 45 19t45 -19l448 -448q31 -30 14 -69z" />
-<glyph unicode="" d="M1407 710q0 44 -7 113.5t-18 96.5q-12 30 -17 44t-9 36.5t-4 48.5q0 23 5 68.5t5 67.5q0 37 -10 55q-4 1 -13 1q-19 0 -58 -4.5t-59 -4.5q-60 0 -176 24t-175 24q-43 0 -94.5 -11.5t-85 -23.5t-89.5 -34q-137 -54 -202 -103q-96 -73 -159.5 -189.5t-88 -236t-24.5 -248.5 q0 -40 12.5 -120t12.5 -121q0 -23 -11 -66.5t-11 -65.5t12 -36.5t34 -14.5q24 0 72.5 11t73.5 11q57 0 169.5 -15.5t169.5 -15.5q181 0 284 36q129 45 235.5 152.5t166 245.5t59.5 275zM1535 712q0 -165 -70 -327.5t-196 -288t-281 -180.5q-124 -44 -326 -44 q-57 0 -170 14.5t-169 14.5q-24 0 -72.5 -14.5t-73.5 -14.5q-73 0 -123.5 55.5t-50.5 128.5q0 24 11 68t11 67q0 40 -12.5 120.5t-12.5 121.5q0 111 18 217.5t54.5 209.5t100.5 194t150 156q78 59 232 120q194 78 316 78q60 0 175.5 -24t173.5 -24q19 0 57 5t58 5 q81 0 118 -50.5t37 -134.5q0 -23 -5 -68t-5 -68q0 -10 1 -18.5t3 -17t4 -13.5t6.5 -16t6.5 -17q16 -40 25 -118.5t9 -136.5z" />
-<glyph unicode="" horiz-adv-x="1408" d="M1408 296q0 -27 -10 -70.5t-21 -68.5q-21 -50 -122 -106q-94 -51 -186 -51q-27 0 -52.5 3.5t-57.5 12.5t-47.5 14.5t-55.5 20.5t-49 18q-98 35 -175 83q-128 79 -264.5 215.5t-215.5 264.5q-48 77 -83 175q-3 9 -18 49t-20.5 55.5t-14.5 47.5t-12.5 57.5t-3.5 52.5 q0 92 51 186q56 101 106 122q25 11 68.5 21t70.5 10q14 0 21 -3q18 -6 53 -76q11 -19 30 -54t35 -63.5t31 -53.5q3 -4 17.5 -25t21.5 -35.5t7 -28.5q0 -20 -28.5 -50t-62 -55t-62 -53t-28.5 -46q0 -9 5 -22.5t8.5 -20.5t14 -24t11.5 -19q76 -137 174 -235t235 -174 q2 -1 19 -11.5t24 -14t20.5 -8.5t22.5 -5q18 0 46 28.5t53 62t55 62t50 28.5q14 0 28.5 -7t35.5 -21.5t25 -17.5q25 -15 53.5 -31t63.5 -35t54 -30q70 -35 76 -53q3 -7 3 -21z" />
-<glyph unicode="" horiz-adv-x="1408" d="M1120 1280h-832q-66 0 -113 -47t-47 -113v-832q0 -66 47 -113t113 -47h832q66 0 113 47t47 113v832q0 66 -47 113t-113 47zM1408 1120v-832q0 -119 -84.5 -203.5t-203.5 -84.5h-832q-119 0 -203.5 84.5t-84.5 203.5v832q0 119 84.5 203.5t203.5 84.5h832 q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="" horiz-adv-x="1280" d="M1152 1280h-1024v-1242l423 406l89 85l89 -85l423 -406v1242zM1164 1408q23 0 44 -9q33 -13 52.5 -41t19.5 -62v-1289q0 -34 -19.5 -62t-52.5 -41q-19 -8 -44 -8q-48 0 -83 32l-441 424l-441 -424q-36 -33 -83 -33q-23 0 -44 9q-33 13 -52.5 41t-19.5 62v1289 q0 34 19.5 62t52.5 41q21 9 44 9h1048z" />
-<glyph unicode="" d="M1280 343q0 11 -2 16q-3 8 -38.5 29.5t-88.5 49.5l-53 29q-5 3 -19 13t-25 15t-21 5q-18 0 -47 -32.5t-57 -65.5t-44 -33q-7 0 -16.5 3.5t-15.5 6.5t-17 9.5t-14 8.5q-99 55 -170.5 126.5t-126.5 170.5q-2 3 -8.5 14t-9.5 17t-6.5 15.5t-3.5 16.5q0 13 20.5 33.5t45 38.5 t45 39.5t20.5 36.5q0 10 -5 21t-15 25t-13 19q-3 6 -15 28.5t-25 45.5t-26.5 47.5t-25 40.5t-16.5 18t-16 2q-48 0 -101 -22q-46 -21 -80 -94.5t-34 -130.5q0 -16 2.5 -34t5 -30.5t9 -33t10 -29.5t12.5 -33t11 -30q60 -164 216.5 -320.5t320.5 -216.5q6 -2 30 -11t33 -12.5 t29.5 -10t33 -9t30.5 -5t34 -2.5q57 0 130.5 34t94.5 80q22 53 22 101zM1536 1120v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1620 1128q-67 -98 -162 -167q1 -14 1 -42q0 -130 -38 -259.5t-115.5 -248.5t-184.5 -210.5t-258 -146t-323 -54.5q-271 0 -496 145q35 -4 78 -4q225 0 401 138q-105 2 -188 64.5t-114 159.5q33 -5 61 -5q43 0 85 11q-112 23 -185.5 111.5t-73.5 205.5v4q68 -38 146 -41 q-66 44 -105 115t-39 154q0 88 44 163q121 -149 294.5 -238.5t371.5 -99.5q-8 38 -8 74q0 134 94.5 228.5t228.5 94.5q140 0 236 -102q109 21 205 78q-37 -115 -142 -178q93 10 186 50z" />
-<glyph unicode="" horiz-adv-x="768" d="M511 980h257l-30 -284h-227v-824h-341v824h-170v284h170v171q0 182 86 275.5t283 93.5h227v-284h-142q-39 0 -62.5 -6.5t-34 -23.5t-13.5 -34.5t-3 -49.5v-142z" />
-<glyph unicode="" d="M1536 640q0 -251 -146.5 -451.5t-378.5 -277.5q-27 -5 -39.5 7t-12.5 30v211q0 97 -52 142q57 6 102.5 18t94 39t81 66.5t53 105t20.5 150.5q0 121 -79 206q37 91 -8 204q-28 9 -81 -11t-92 -44l-38 -24q-93 26 -192 26t-192 -26q-16 11 -42.5 27t-83.5 38.5t-86 13.5 q-44 -113 -7 -204q-79 -85 -79 -206q0 -85 20.5 -150t52.5 -105t80.5 -67t94 -39t102.5 -18q-40 -36 -49 -103q-21 -10 -45 -15t-57 -5t-65.5 21.5t-55.5 62.5q-19 32 -48.5 52t-49.5 24l-20 3q-21 0 -29 -4.5t-5 -11.5t9 -14t13 -12l7 -5q22 -10 43.5 -38t31.5 -51l10 -23 q13 -38 44 -61.5t67 -30t69.5 -7t55.5 3.5l23 4q0 -38 0.5 -89t0.5 -54q0 -18 -13 -30t-40 -7q-232 77 -378.5 277.5t-146.5 451.5q0 209 103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1664 960v-256q0 -26 -19 -45t-45 -19h-64q-26 0 -45 19t-19 45v256q0 106 -75 181t-181 75t-181 -75t-75 -181v-192h96q40 0 68 -28t28 -68v-576q0 -40 -28 -68t-68 -28h-960q-40 0 -68 28t-28 68v576q0 40 28 68t68 28h672v192q0 185 131.5 316.5t316.5 131.5 t316.5 -131.5t131.5 -316.5z" />
-<glyph unicode="" horiz-adv-x="1920" d="M1760 1408q66 0 113 -47t47 -113v-1216q0 -66 -47 -113t-113 -47h-1600q-66 0 -113 47t-47 113v1216q0 66 47 113t113 47h1600zM160 1280q-13 0 -22.5 -9.5t-9.5 -22.5v-224h1664v224q0 13 -9.5 22.5t-22.5 9.5h-1600zM1760 0q13 0 22.5 9.5t9.5 22.5v608h-1664v-608 q0 -13 9.5 -22.5t22.5 -9.5h1600zM256 128v128h256v-128h-256zM640 128v128h384v-128h-384z" />
-<glyph unicode="" horiz-adv-x="1408" d="M384 192q0 -80 -56 -136t-136 -56t-136 56t-56 136t56 136t136 56t136 -56t56 -136zM896 69q2 -28 -17 -48q-18 -21 -47 -21h-135q-25 0 -43 16.5t-20 41.5q-22 229 -184.5 391.5t-391.5 184.5q-25 2 -41.5 20t-16.5 43v135q0 29 21 47q17 17 43 17h5q160 -13 306 -80.5 t259 -181.5q114 -113 181.5 -259t80.5 -306zM1408 67q2 -27 -18 -47q-18 -20 -46 -20h-143q-26 0 -44.5 17.5t-19.5 42.5q-12 215 -101 408.5t-231.5 336t-336 231.5t-408.5 102q-25 1 -42.5 19.5t-17.5 43.5v143q0 28 20 46q18 18 44 18h3q262 -13 501.5 -120t425.5 -294 q187 -186 294 -425.5t120 -501.5z" />
-<glyph unicode="" d="M1040 320q0 -33 -23.5 -56.5t-56.5 -23.5t-56.5 23.5t-23.5 56.5t23.5 56.5t56.5 23.5t56.5 -23.5t23.5 -56.5zM1296 320q0 -33 -23.5 -56.5t-56.5 -23.5t-56.5 23.5t-23.5 56.5t23.5 56.5t56.5 23.5t56.5 -23.5t23.5 -56.5zM1408 160v320q0 13 -9.5 22.5t-22.5 9.5 h-1216q-13 0 -22.5 -9.5t-9.5 -22.5v-320q0 -13 9.5 -22.5t22.5 -9.5h1216q13 0 22.5 9.5t9.5 22.5zM178 640h1180l-157 482q-4 13 -16 21.5t-26 8.5h-782q-14 0 -26 -8.5t-16 -21.5zM1536 480v-320q0 -66 -47 -113t-113 -47h-1216q-66 0 -113 47t-47 113v320q0 25 16 75 l197 606q17 53 63 86t101 33h782q55 0 101 -33t63 -86l197 -606q16 -50 16 -75z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1664 896q53 0 90.5 -37.5t37.5 -90.5t-37.5 -90.5t-90.5 -37.5v-384q0 -52 -38 -90t-90 -38q-417 347 -812 380q-58 -19 -91 -66t-31 -100.5t40 -92.5q-20 -33 -23 -65.5t6 -58t33.5 -55t48 -50t61.5 -50.5q-29 -58 -111.5 -83t-168.5 -11.5t-132 55.5q-7 23 -29.5 87.5 t-32 94.5t-23 89t-15 101t3.5 98.5t22 110.5h-122q-66 0 -113 47t-47 113v192q0 66 47 113t113 47h480q435 0 896 384q52 0 90 -38t38 -90v-384zM1536 292v954q-394 -302 -768 -343v-270q377 -42 768 -341z" />
-<glyph unicode="" horiz-adv-x="1664" d="M848 -160q0 16 -16 16q-59 0 -101.5 42.5t-42.5 101.5q0 16 -16 16t-16 -16q0 -73 51.5 -124.5t124.5 -51.5q16 0 16 16zM183 128h1298q-164 181 -246.5 411.5t-82.5 484.5q0 256 -320 256t-320 -256q0 -254 -82.5 -484.5t-246.5 -411.5zM1664 128q0 -52 -38 -90t-90 -38 h-448q0 -106 -75 -181t-181 -75t-181 75t-75 181h-448q-52 0 -90 38t-38 90q190 161 287 397.5t97 498.5q0 165 96 262t264 117q-8 18 -8 37q0 40 28 68t68 28t68 -28t28 -68q0 -19 -8 -37q168 -20 264 -117t96 -262q0 -262 97 -498.5t287 -397.5z" />
-<glyph unicode="" d="M1376 640l138 -135q30 -28 20 -70q-12 -41 -52 -51l-188 -48l53 -186q12 -41 -19 -70q-29 -31 -70 -19l-186 53l-48 -188q-10 -40 -51 -52q-12 -2 -19 -2q-31 0 -51 22l-135 138l-135 -138q-28 -30 -70 -20q-41 11 -51 52l-48 188l-186 -53q-41 -12 -70 19q-31 29 -19 70 l53 186l-188 48q-40 10 -52 51q-10 42 20 70l138 135l-138 135q-30 28 -20 70q12 41 52 51l188 48l-53 186q-12 41 19 70q29 31 70 19l186 -53l48 188q10 41 51 51q41 12 70 -19l135 -139l135 139q29 30 70 19q41 -10 51 -51l48 -188l186 53q41 12 70 -19q31 -29 19 -70 l-53 -186l188 -48q40 -10 52 -51q10 -42 -20 -70z" />
-<glyph unicode="" horiz-adv-x="1792" d="M256 192q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45t45 -19t45 19t19 45zM1664 768q0 51 -39 89.5t-89 38.5h-576q0 20 15 48.5t33 55t33 68t15 84.5q0 67 -44.5 97.5t-115.5 30.5q-24 0 -90 -139q-24 -44 -37 -65q-40 -64 -112 -145q-71 -81 -101 -106 q-69 -57 -140 -57h-32v-640h32q72 0 167 -32t193.5 -64t179.5 -32q189 0 189 167q0 26 -5 56q30 16 47.5 52.5t17.5 73.5t-18 69q53 50 53 119q0 25 -10 55.5t-25 47.5h331q52 0 90 38t38 90zM1792 769q0 -105 -75.5 -181t-180.5 -76h-169q-4 -62 -37 -119q3 -21 3 -43 q0 -101 -60 -178q1 -139 -85 -219.5t-227 -80.5q-133 0 -322 69q-164 59 -223 59h-288q-53 0 -90.5 37.5t-37.5 90.5v640q0 53 37.5 90.5t90.5 37.5h288q10 0 21.5 4.5t23.5 14t22.5 18t24 22.5t20.5 21.5t19 21.5t14 17q65 74 100 129q13 21 33 62t37 72t40.5 63t55 49.5 t69.5 17.5q125 0 206.5 -67t81.5 -189q0 -68 -22 -128h374q104 0 180 -76t76 -179z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1376 128h32v640h-32q-35 0 -67.5 12t-62.5 37t-50 46t-49 54q-2 3 -3.5 4.5t-4 4.5t-4.5 5q-72 81 -112 145q-14 22 -38 68q-1 3 -10.5 22.5t-18.5 36t-20 35.5t-21.5 30.5t-18.5 11.5q-71 0 -115.5 -30.5t-44.5 -97.5q0 -43 15 -84.5t33 -68t33 -55t15 -48.5h-576 q-50 0 -89 -38.5t-39 -89.5q0 -52 38 -90t90 -38h331q-15 -17 -25 -47.5t-10 -55.5q0 -69 53 -119q-18 -32 -18 -69t17.5 -73.5t47.5 -52.5q-4 -24 -4 -56q0 -85 48.5 -126t135.5 -41q84 0 183 32t194 64t167 32zM1664 192q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45 t45 -19t45 19t19 45zM1792 768v-640q0 -53 -37.5 -90.5t-90.5 -37.5h-288q-59 0 -223 -59q-190 -69 -317 -69q-142 0 -230 77.5t-87 217.5l1 5q-61 76 -61 178q0 22 3 43q-33 57 -37 119h-169q-105 0 -180.5 76t-75.5 181q0 103 76 179t180 76h374q-22 60 -22 128 q0 122 81.5 189t206.5 67q38 0 69.5 -17.5t55 -49.5t40.5 -63t37 -72t33 -62q35 -55 100 -129q2 -3 14 -17t19 -21.5t20.5 -21.5t24 -22.5t22.5 -18t23.5 -14t21.5 -4.5h288q53 0 90.5 -37.5t37.5 -90.5z" />
-<glyph unicode="" d="M1280 -64q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45t45 -19t45 19t19 45zM1408 700q0 189 -167 189q-26 0 -56 -5q-16 30 -52.5 47.5t-73.5 17.5t-69 -18q-50 53 -119 53q-25 0 -55.5 -10t-47.5 -25v331q0 52 -38 90t-90 38q-51 0 -89.5 -39t-38.5 -89v-576 q-20 0 -48.5 15t-55 33t-68 33t-84.5 15q-67 0 -97.5 -44.5t-30.5 -115.5q0 -24 139 -90q44 -24 65 -37q64 -40 145 -112q81 -71 106 -101q57 -69 57 -140v-32h640v32q0 72 32 167t64 193.5t32 179.5zM1536 705q0 -133 -69 -322q-59 -164 -59 -223v-288q0 -53 -37.5 -90.5 t-90.5 -37.5h-640q-53 0 -90.5 37.5t-37.5 90.5v288q0 10 -4.5 21.5t-14 23.5t-18 22.5t-22.5 24t-21.5 20.5t-21.5 19t-17 14q-74 65 -129 100q-21 13 -62 33t-72 37t-63 40.5t-49.5 55t-17.5 69.5q0 125 67 206.5t189 81.5q68 0 128 -22v374q0 104 76 180t179 76 q105 0 181 -75.5t76 -180.5v-169q62 -4 119 -37q21 3 43 3q101 0 178 -60q139 1 219.5 -85t80.5 -227z" />
-<glyph unicode="" d="M1408 576q0 84 -32 183t-64 194t-32 167v32h-640v-32q0 -35 -12 -67.5t-37 -62.5t-46 -50t-54 -49q-9 -8 -14 -12q-81 -72 -145 -112q-22 -14 -68 -38q-3 -1 -22.5 -10.5t-36 -18.5t-35.5 -20t-30.5 -21.5t-11.5 -18.5q0 -71 30.5 -115.5t97.5 -44.5q43 0 84.5 15t68 33 t55 33t48.5 15v-576q0 -50 38.5 -89t89.5 -39q52 0 90 38t38 90v331q46 -35 103 -35q69 0 119 53q32 -18 69 -18t73.5 17.5t52.5 47.5q24 -4 56 -4q85 0 126 48.5t41 135.5zM1280 1344q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45t45 -19t45 19t19 45zM1536 580 q0 -142 -77.5 -230t-217.5 -87l-5 1q-76 -61 -178 -61q-22 0 -43 3q-54 -30 -119 -37v-169q0 -105 -76 -180.5t-181 -75.5q-103 0 -179 76t-76 180v374q-54 -22 -128 -22q-121 0 -188.5 81.5t-67.5 206.5q0 38 17.5 69.5t49.5 55t63 40.5t72 37t62 33q55 35 129 100 q3 2 17 14t21.5 19t21.5 20.5t22.5 24t18 22.5t14 23.5t4.5 21.5v288q0 53 37.5 90.5t90.5 37.5h640q53 0 90.5 -37.5t37.5 -90.5v-288q0 -59 59 -223q69 -190 69 -317z" />
-<glyph unicode="" d="M1280 576v128q0 26 -19 45t-45 19h-502l189 189q19 19 19 45t-19 45l-91 91q-18 18 -45 18t-45 -18l-362 -362l-91 -91q-18 -18 -18 -45t18 -45l91 -91l362 -362q18 -18 45 -18t45 18l91 91q18 18 18 45t-18 45l-189 189h502q26 0 45 19t19 45zM1536 640 q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" d="M1285 640q0 27 -18 45l-91 91l-362 362q-18 18 -45 18t-45 -18l-91 -91q-18 -18 -18 -45t18 -45l189 -189h-502q-26 0 -45 -19t-19 -45v-128q0 -26 19 -45t45 -19h502l-189 -189q-19 -19 -19 -45t19 -45l91 -91q18 -18 45 -18t45 18l362 362l91 91q18 18 18 45zM1536 640 q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" d="M1284 641q0 27 -18 45l-362 362l-91 91q-18 18 -45 18t-45 -18l-91 -91l-362 -362q-18 -18 -18 -45t18 -45l91 -91q18 -18 45 -18t45 18l189 189v-502q0 -26 19 -45t45 -19h128q26 0 45 19t19 45v502l189 -189q19 -19 45 -19t45 19l91 91q18 18 18 45zM1536 640 q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" d="M1284 639q0 27 -18 45l-91 91q-18 18 -45 18t-45 -18l-189 -189v502q0 26 -19 45t-45 19h-128q-26 0 -45 -19t-19 -45v-502l-189 189q-19 19 -45 19t-45 -19l-91 -91q-18 -18 -18 -45t18 -45l362 -362l91 -91q18 -18 45 -18t45 18l91 91l362 362q18 18 18 45zM1536 640 q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" d="M768 1408q209 0 385.5 -103t279.5 -279.5t103 -385.5t-103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103zM1042 887q-2 -1 -9.5 -9.5t-13.5 -9.5q2 0 4.5 5t5 11t3.5 7q6 7 22 15q14 6 52 12q34 8 51 -11 q-2 2 9.5 13t14.5 12q3 2 15 4.5t15 7.5l2 22q-12 -1 -17.5 7t-6.5 21q0 -2 -6 -8q0 7 -4.5 8t-11.5 -1t-9 -1q-10 3 -15 7.5t-8 16.5t-4 15q-2 5 -9.5 10.5t-9.5 10.5q-1 2 -2.5 5.5t-3 6.5t-4 5.5t-5.5 2.5t-7 -5t-7.5 -10t-4.5 -5q-3 2 -6 1.5t-4.5 -1t-4.5 -3t-5 -3.5 q-3 -2 -8.5 -3t-8.5 -2q15 5 -1 11q-10 4 -16 3q9 4 7.5 12t-8.5 14h5q-1 4 -8.5 8.5t-17.5 8.5t-13 6q-8 5 -34 9.5t-33 0.5q-5 -6 -4.5 -10.5t4 -14t3.5 -12.5q1 -6 -5.5 -13t-6.5 -12q0 -7 14 -15.5t10 -21.5q-3 -8 -16 -16t-16 -12q-5 -8 -1.5 -18.5t10.5 -16.5 q2 -2 1.5 -4t-3.5 -4.5t-5.5 -4t-6.5 -3.5l-3 -2q-11 -5 -20.5 6t-13.5 26q-7 25 -16 30q-23 8 -29 -1q-5 13 -41 26q-25 9 -58 4q6 1 0 15q-7 15 -19 12q3 6 4 17.5t1 13.5q3 13 12 23q1 1 7 8.5t9.5 13.5t0.5 6q35 -4 50 11q5 5 11.5 17t10.5 17q9 6 14 5.5t14.5 -5.5 t14.5 -5q14 -1 15.5 11t-7.5 20q12 -1 3 17q-5 7 -8 9q-12 4 -27 -5q-8 -4 2 -8q-1 1 -9.5 -10.5t-16.5 -17.5t-16 5q-1 1 -5.5 13.5t-9.5 13.5q-8 0 -16 -15q3 8 -11 15t-24 8q19 12 -8 27q-7 4 -20.5 5t-19.5 -4q-5 -7 -5.5 -11.5t5 -8t10.5 -5.5t11.5 -4t8.5 -3 q14 -10 8 -14q-2 -1 -8.5 -3.5t-11.5 -4.5t-6 -4q-3 -4 0 -14t-2 -14q-5 5 -9 17.5t-7 16.5q7 -9 -25 -6l-10 1q-4 0 -16 -2t-20.5 -1t-13.5 8q-4 8 0 20q1 4 4 2q-4 3 -11 9.5t-10 8.5q-46 -15 -94 -41q6 -1 12 1q5 2 13 6.5t10 5.5q34 14 42 7l5 5q14 -16 20 -25 q-7 4 -30 1q-20 -6 -22 -12q7 -12 5 -18q-4 3 -11.5 10t-14.5 11t-15 5q-16 0 -22 -1q-146 -80 -235 -222q7 -7 12 -8q4 -1 5 -9t2.5 -11t11.5 3q9 -8 3 -19q1 1 44 -27q19 -17 21 -21q3 -11 -10 -18q-1 2 -9 9t-9 4q-3 -5 0.5 -18.5t10.5 -12.5q-7 0 -9.5 -16t-2.5 -35.5 t-1 -23.5l2 -1q-3 -12 5.5 -34.5t21.5 -19.5q-13 -3 20 -43q6 -8 8 -9q3 -2 12 -7.5t15 -10t10 -10.5q4 -5 10 -22.5t14 -23.5q-2 -6 9.5 -20t10.5 -23q-1 0 -2.5 -1t-2.5 -1q3 -7 15.5 -14t15.5 -13q1 -3 2 -10t3 -11t8 -2q2 20 -24 62q-15 25 -17 29q-3 5 -5.5 15.5 t-4.5 14.5q2 0 6 -1.5t8.5 -3.5t7.5 -4t2 -3q-3 -7 2 -17.5t12 -18.5t17 -19t12 -13q6 -6 14 -19.5t0 -13.5q9 0 20 -10t17 -20q5 -8 8 -26t5 -24q2 -7 8.5 -13.5t12.5 -9.5l16 -8t13 -7q5 -2 18.5 -10.5t21.5 -11.5q10 -4 16 -4t14.5 2.5t13.5 3.5q15 2 29 -15t21 -21 q36 -19 55 -11q-2 -1 0.5 -7.5t8 -15.5t9 -14.5t5.5 -8.5q5 -6 18 -15t18 -15q6 4 7 9q-3 -8 7 -20t18 -10q14 3 14 32q-31 -15 -49 18q0 1 -2.5 5.5t-4 8.5t-2.5 8.5t0 7.5t5 3q9 0 10 3.5t-2 12.5t-4 13q-1 8 -11 20t-12 15q-5 -9 -16 -8t-16 9q0 -1 -1.5 -5.5t-1.5 -6.5 q-13 0 -15 1q1 3 2.5 17.5t3.5 22.5q1 4 5.5 12t7.5 14.5t4 12.5t-4.5 9.5t-17.5 2.5q-19 -1 -26 -20q-1 -3 -3 -10.5t-5 -11.5t-9 -7q-7 -3 -24 -2t-24 5q-13 8 -22.5 29t-9.5 37q0 10 2.5 26.5t3 25t-5.5 24.5q3 2 9 9.5t10 10.5q2 1 4.5 1.5t4.5 0t4 1.5t3 6q-1 1 -4 3 q-3 3 -4 3q7 -3 28.5 1.5t27.5 -1.5q15 -11 22 2q0 1 -2.5 9.5t-0.5 13.5q5 -27 29 -9q3 -3 15.5 -5t17.5 -5q3 -2 7 -5.5t5.5 -4.5t5 0.5t8.5 6.5q10 -14 12 -24q11 -40 19 -44q7 -3 11 -2t4.5 9.5t0 14t-1.5 12.5l-1 8v18l-1 8q-15 3 -18.5 12t1.5 18.5t15 18.5q1 1 8 3.5 t15.5 6.5t12.5 8q21 19 15 35q7 0 11 9q-1 0 -5 3t-7.5 5t-4.5 2q9 5 2 16q5 3 7.5 11t7.5 10q9 -12 21 -2q7 8 1 16q5 7 20.5 10.5t18.5 9.5q7 -2 8 2t1 12t3 12q4 5 15 9t13 5l17 11q3 4 0 4q18 -2 31 11q10 11 -6 20q3 6 -3 9.5t-15 5.5q3 1 11.5 0.5t10.5 1.5 q15 10 -7 16q-17 5 -43 -12zM879 10q206 36 351 189q-3 3 -12.5 4.5t-12.5 3.5q-18 7 -24 8q1 7 -2.5 13t-8 9t-12.5 8t-11 7q-2 2 -7 6t-7 5.5t-7.5 4.5t-8.5 2t-10 -1l-3 -1q-3 -1 -5.5 -2.5t-5.5 -3t-4 -3t0 -2.5q-21 17 -36 22q-5 1 -11 5.5t-10.5 7t-10 1.5t-11.5 -7 q-5 -5 -6 -15t-2 -13q-7 5 0 17.5t2 18.5q-3 6 -10.5 4.5t-12 -4.5t-11.5 -8.5t-9 -6.5t-8.5 -5.5t-8.5 -7.5q-3 -4 -6 -12t-5 -11q-2 4 -11.5 6.5t-9.5 5.5q2 -10 4 -35t5 -38q7 -31 -12 -48q-27 -25 -29 -40q-4 -22 12 -26q0 -7 -8 -20.5t-7 -21.5q0 -6 2 -16z" />
-<glyph unicode="" horiz-adv-x="1664" d="M384 64q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45t45 -19t45 19t19 45zM1028 484l-682 -682q-37 -37 -90 -37q-52 0 -91 37l-106 108q-38 36 -38 90q0 53 38 91l681 681q39 -98 114.5 -173.5t173.5 -114.5zM1662 919q0 -39 -23 -106q-47 -134 -164.5 -217.5 t-258.5 -83.5q-185 0 -316.5 131.5t-131.5 316.5t131.5 316.5t316.5 131.5q58 0 121.5 -16.5t107.5 -46.5q16 -11 16 -28t-16 -28l-293 -169v-224l193 -107q5 3 79 48.5t135.5 81t70.5 35.5q15 0 23.5 -10t8.5 -25z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1024 128h640v128h-640v-128zM640 640h1024v128h-1024v-128zM1280 1152h384v128h-384v-128zM1792 320v-256q0 -26 -19 -45t-45 -19h-1664q-26 0 -45 19t-19 45v256q0 26 19 45t45 19h1664q26 0 45 -19t19 -45zM1792 832v-256q0 -26 -19 -45t-45 -19h-1664q-26 0 -45 19 t-19 45v256q0 26 19 45t45 19h1664q26 0 45 -19t19 -45zM1792 1344v-256q0 -26 -19 -45t-45 -19h-1664q-26 0 -45 19t-19 45v256q0 26 19 45t45 19h1664q26 0 45 -19t19 -45z" />
-<glyph unicode="" horiz-adv-x="1408" d="M1403 1241q17 -41 -14 -70l-493 -493v-742q0 -42 -39 -59q-13 -5 -25 -5q-27 0 -45 19l-256 256q-19 19 -19 45v486l-493 493q-31 29 -14 70q17 39 59 39h1280q42 0 59 -39z" />
-<glyph unicode="" horiz-adv-x="1792" d="M640 1280h512v128h-512v-128zM1792 640v-480q0 -66 -47 -113t-113 -47h-1472q-66 0 -113 47t-47 113v480h672v-160q0 -26 19 -45t45 -19h320q26 0 45 19t19 45v160h672zM1024 640v-128h-256v128h256zM1792 1120v-384h-1792v384q0 66 47 113t113 47h352v160q0 40 28 68 t68 28h576q40 0 68 -28t28 -68v-160h352q66 0 113 -47t47 -113z" />
-<glyph unicode="" d="M1283 995l-355 -355l355 -355l144 144q29 31 70 14q39 -17 39 -59v-448q0 -26 -19 -45t-45 -19h-448q-42 0 -59 40q-17 39 14 69l144 144l-355 355l-355 -355l144 -144q31 -30 14 -69q-17 -40 -59 -40h-448q-26 0 -45 19t-19 45v448q0 42 40 59q39 17 69 -14l144 -144 l355 355l-355 355l-144 -144q-19 -19 -45 -19q-12 0 -24 5q-40 17 -40 59v448q0 26 19 45t45 19h448q42 0 59 -40q17 -39 -14 -69l-144 -144l355 -355l355 355l-144 144q-31 30 -14 69q17 40 59 40h448q26 0 45 -19t19 -45v-448q0 -42 -39 -59q-13 -5 -25 -5q-26 0 -45 19z " />
-<glyph unicode="" horiz-adv-x="1920" d="M593 640q-162 -5 -265 -128h-134q-82 0 -138 40.5t-56 118.5q0 353 124 353q6 0 43.5 -21t97.5 -42.5t119 -21.5q67 0 133 23q-5 -37 -5 -66q0 -139 81 -256zM1664 3q0 -120 -73 -189.5t-194 -69.5h-874q-121 0 -194 69.5t-73 189.5q0 53 3.5 103.5t14 109t26.5 108.5 t43 97.5t62 81t85.5 53.5t111.5 20q10 0 43 -21.5t73 -48t107 -48t135 -21.5t135 21.5t107 48t73 48t43 21.5q61 0 111.5 -20t85.5 -53.5t62 -81t43 -97.5t26.5 -108.5t14 -109t3.5 -103.5zM640 1280q0 -106 -75 -181t-181 -75t-181 75t-75 181t75 181t181 75t181 -75 t75 -181zM1344 896q0 -159 -112.5 -271.5t-271.5 -112.5t-271.5 112.5t-112.5 271.5t112.5 271.5t271.5 112.5t271.5 -112.5t112.5 -271.5zM1920 671q0 -78 -56 -118.5t-138 -40.5h-134q-103 123 -265 128q81 117 81 256q0 29 -5 66q66 -23 133 -23q59 0 119 21.5t97.5 42.5 t43.5 21q124 0 124 -353zM1792 1280q0 -106 -75 -181t-181 -75t-181 75t-75 181t75 181t181 75t181 -75t75 -181z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1456 320q0 40 -28 68l-208 208q-28 28 -68 28q-42 0 -72 -32q3 -3 19 -18.5t21.5 -21.5t15 -19t13 -25.5t3.5 -27.5q0 -40 -28 -68t-68 -28q-15 0 -27.5 3.5t-25.5 13t-19 15t-21.5 21.5t-18.5 19q-33 -31 -33 -73q0 -40 28 -68l206 -207q27 -27 68 -27q40 0 68 26 l147 146q28 28 28 67zM753 1025q0 40 -28 68l-206 207q-28 28 -68 28q-39 0 -68 -27l-147 -146q-28 -28 -28 -67q0 -40 28 -68l208 -208q27 -27 68 -27q42 0 72 31q-3 3 -19 18.5t-21.5 21.5t-15 19t-13 25.5t-3.5 27.5q0 40 28 68t68 28q15 0 27.5 -3.5t25.5 -13t19 -15 t21.5 -21.5t18.5 -19q33 31 33 73zM1648 320q0 -120 -85 -203l-147 -146q-83 -83 -203 -83q-121 0 -204 85l-206 207q-83 83 -83 203q0 123 88 209l-88 88q-86 -88 -208 -88q-120 0 -204 84l-208 208q-84 84 -84 204t85 203l147 146q83 83 203 83q121 0 204 -85l206 -207 q83 -83 83 -203q0 -123 -88 -209l88 -88q86 88 208 88q120 0 204 -84l208 -208q84 -84 84 -204z" />
-<glyph unicode="" horiz-adv-x="1920" d="M1920 384q0 -159 -112.5 -271.5t-271.5 -112.5h-1088q-185 0 -316.5 131.5t-131.5 316.5q0 132 71 241.5t187 163.5q-2 28 -2 43q0 212 150 362t362 150q158 0 286.5 -88t187.5 -230q70 62 166 62q106 0 181 -75t75 -181q0 -75 -41 -138q129 -30 213 -134.5t84 -239.5z " />
-<glyph unicode="" horiz-adv-x="1664" d="M1527 88q56 -89 21.5 -152.5t-140.5 -63.5h-1152q-106 0 -140.5 63.5t21.5 152.5l503 793v399h-64q-26 0 -45 19t-19 45t19 45t45 19h512q26 0 45 -19t19 -45t-19 -45t-45 -19h-64v-399zM748 813l-272 -429h712l-272 429l-20 31v37v399h-128v-399v-37z" />
-<glyph unicode="" horiz-adv-x="1792" d="M960 640q26 0 45 -19t19 -45t-19 -45t-45 -19t-45 19t-19 45t19 45t45 19zM1260 576l507 -398q28 -20 25 -56q-5 -35 -35 -51l-128 -64q-13 -7 -29 -7q-17 0 -31 8l-690 387l-110 -66q-8 -4 -12 -5q14 -49 10 -97q-7 -77 -56 -147.5t-132 -123.5q-132 -84 -277 -84 q-136 0 -222 78q-90 84 -79 207q7 76 56 147t131 124q132 84 278 84q83 0 151 -31q9 13 22 22l122 73l-122 73q-13 9 -22 22q-68 -31 -151 -31q-146 0 -278 84q-82 53 -131 124t-56 147q-5 59 15.5 113t63.5 93q85 79 222 79q145 0 277 -84q83 -52 132 -123t56 -148 q4 -48 -10 -97q4 -1 12 -5l110 -66l690 387q14 8 31 8q16 0 29 -7l128 -64q30 -16 35 -51q3 -36 -25 -56zM579 836q46 42 21 108t-106 117q-92 59 -192 59q-74 0 -113 -36q-46 -42 -21 -108t106 -117q92 -59 192 -59q74 0 113 36zM494 91q81 51 106 117t-21 108 q-39 36 -113 36q-100 0 -192 -59q-81 -51 -106 -117t21 -108q39 -36 113 -36q100 0 192 59zM672 704l96 -58v11q0 36 33 56l14 8l-79 47l-26 -26q-3 -3 -10 -11t-12 -12q-2 -2 -4 -3.5t-3 -2.5zM896 480l96 -32l736 576l-128 64l-768 -431v-113l-160 -96l9 -8q2 -2 7 -6 q4 -4 11 -12t11 -12l26 -26zM1600 64l128 64l-520 408l-177 -138q-2 -3 -13 -7z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1696 1152q40 0 68 -28t28 -68v-1216q0 -40 -28 -68t-68 -28h-960q-40 0 -68 28t-28 68v288h-544q-40 0 -68 28t-28 68v672q0 40 20 88t48 76l408 408q28 28 76 48t88 20h416q40 0 68 -28t28 -68v-328q68 40 128 40h416zM1152 939l-299 -299h299v299zM512 1323l-299 -299 h299v299zM708 676l316 316v416h-384v-416q0 -40 -28 -68t-68 -28h-416v-640h512v256q0 40 20 88t48 76zM1664 -128v1152h-384v-416q0 -40 -28 -68t-68 -28h-416v-640h896z" />
-<glyph unicode="" horiz-adv-x="1408" d="M1404 151q0 -117 -79 -196t-196 -79q-135 0 -235 100l-777 776q-113 115 -113 271q0 159 110 270t269 111q158 0 273 -113l605 -606q10 -10 10 -22q0 -16 -30.5 -46.5t-46.5 -30.5q-13 0 -23 10l-606 607q-79 77 -181 77q-106 0 -179 -75t-73 -181q0 -105 76 -181 l776 -777q63 -63 145 -63q64 0 106 42t42 106q0 82 -63 145l-581 581q-26 24 -60 24q-29 0 -48 -19t-19 -48q0 -32 25 -59l410 -410q10 -10 10 -22q0 -16 -31 -47t-47 -31q-12 0 -22 10l-410 410q-63 61 -63 149q0 82 57 139t139 57q88 0 149 -63l581 -581q100 -98 100 -235 z" />
-<glyph unicode="" d="M384 0h768v384h-768v-384zM1280 0h128v896q0 14 -10 38.5t-20 34.5l-281 281q-10 10 -34 20t-39 10v-416q0 -40 -28 -68t-68 -28h-576q-40 0 -68 28t-28 68v416h-128v-1280h128v416q0 40 28 68t68 28h832q40 0 68 -28t28 -68v-416zM896 928v320q0 13 -9.5 22.5t-22.5 9.5 h-192q-13 0 -22.5 -9.5t-9.5 -22.5v-320q0 -13 9.5 -22.5t22.5 -9.5h192q13 0 22.5 9.5t9.5 22.5zM1536 896v-928q0 -40 -28 -68t-68 -28h-1344q-40 0 -68 28t-28 68v1344q0 40 28 68t68 28h928q40 0 88 -20t76 -48l280 -280q28 -28 48 -76t20 -88z" />
-<glyph unicode="" d="M1536 1120v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="" d="M1536 192v-128q0 -26 -19 -45t-45 -19h-1408q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1408q26 0 45 -19t19 -45zM1536 704v-128q0 -26 -19 -45t-45 -19h-1408q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1408q26 0 45 -19t19 -45zM1536 1216v-128q0 -26 -19 -45 t-45 -19h-1408q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1408q26 0 45 -19t19 -45z" />
-<glyph unicode="" horiz-adv-x="1792" d="M384 128q0 -80 -56 -136t-136 -56t-136 56t-56 136t56 136t136 56t136 -56t56 -136zM384 640q0 -80 -56 -136t-136 -56t-136 56t-56 136t56 136t136 56t136 -56t56 -136zM1792 224v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1216q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5 t22.5 9.5h1216q13 0 22.5 -9.5t9.5 -22.5zM384 1152q0 -80 -56 -136t-136 -56t-136 56t-56 136t56 136t136 56t136 -56t56 -136zM1792 736v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1216q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h1216q13 0 22.5 -9.5t9.5 -22.5z M1792 1248v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1216q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h1216q13 0 22.5 -9.5t9.5 -22.5z" />
-<glyph unicode="" horiz-adv-x="1792" d="M381 -84q0 -80 -54.5 -126t-135.5 -46q-106 0 -172 66l57 88q49 -45 106 -45q29 0 50.5 14.5t21.5 42.5q0 64 -105 56l-26 56q8 10 32.5 43.5t42.5 54t37 38.5v1q-16 0 -48.5 -1t-48.5 -1v-53h-106v152h333v-88l-95 -115q51 -12 81 -49t30 -88zM383 543v-159h-362 q-6 36 -6 54q0 51 23.5 93t56.5 68t66 47.5t56.5 43.5t23.5 45q0 25 -14.5 38.5t-39.5 13.5q-46 0 -81 -58l-85 59q24 51 71.5 79.5t105.5 28.5q73 0 123 -41.5t50 -112.5q0 -50 -34 -91.5t-75 -64.5t-75.5 -50.5t-35.5 -52.5h127v60h105zM1792 224v-192q0 -13 -9.5 -22.5 t-22.5 -9.5h-1216q-13 0 -22.5 9.5t-9.5 22.5v192q0 14 9 23t23 9h1216q13 0 22.5 -9.5t9.5 -22.5zM384 1123v-99h-335v99h107q0 41 0.5 122t0.5 121v12h-2q-8 -17 -50 -54l-71 76l136 127h106v-404h108zM1792 736v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1216q-13 0 -22.5 9.5 t-9.5 22.5v192q0 14 9 23t23 9h1216q13 0 22.5 -9.5t9.5 -22.5zM1792 1248v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1216q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h1216q13 0 22.5 -9.5t9.5 -22.5z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1760 640q14 0 23 -9t9 -23v-64q0 -14 -9 -23t-23 -9h-1728q-14 0 -23 9t-9 23v64q0 14 9 23t23 9h1728zM483 704q-28 35 -51 80q-48 97 -48 188q0 181 134 309q133 127 393 127q50 0 167 -19q66 -12 177 -48q10 -38 21 -118q14 -123 14 -183q0 -18 -5 -45l-12 -3l-84 6 l-14 2q-50 149 -103 205q-88 91 -210 91q-114 0 -182 -59q-67 -58 -67 -146q0 -73 66 -140t279 -129q69 -20 173 -66q58 -28 95 -52h-743zM990 448h411q7 -39 7 -92q0 -111 -41 -212q-23 -55 -71 -104q-37 -35 -109 -81q-80 -48 -153 -66q-80 -21 -203 -21q-114 0 -195 23 l-140 40q-57 16 -72 28q-8 8 -8 22v13q0 108 -2 156q-1 30 0 68l2 37v44l102 2q15 -34 30 -71t22.5 -56t12.5 -27q35 -57 80 -94q43 -36 105 -57q59 -22 132 -22q64 0 139 27q77 26 122 86q47 61 47 129q0 84 -81 157q-34 29 -137 71z" />
-<glyph unicode="" d="M48 1313q-37 2 -45 4l-3 88q13 1 40 1q60 0 112 -4q132 -7 166 -7q86 0 168 3q116 4 146 5q56 0 86 2l-1 -14l2 -64v-9q-60 -9 -124 -9q-60 0 -79 -25q-13 -14 -13 -132q0 -13 0.5 -32.5t0.5 -25.5l1 -229l14 -280q6 -124 51 -202q35 -59 96 -92q88 -47 177 -47 q104 0 191 28q56 18 99 51q48 36 65 64q36 56 53 114q21 73 21 229q0 79 -3.5 128t-11 122.5t-13.5 159.5l-4 59q-5 67 -24 88q-34 35 -77 34l-100 -2l-14 3l2 86h84l205 -10q76 -3 196 10l18 -2q6 -38 6 -51q0 -7 -4 -31q-45 -12 -84 -13q-73 -11 -79 -17q-15 -15 -15 -41 q0 -7 1.5 -27t1.5 -31q8 -19 22 -396q6 -195 -15 -304q-15 -76 -41 -122q-38 -65 -112 -123q-75 -57 -182 -89q-109 -33 -255 -33q-167 0 -284 46q-119 47 -179 122q-61 76 -83 195q-16 80 -16 237v333q0 188 -17 213q-25 36 -147 39zM1536 -96v64q0 14 -9 23t-23 9h-1472 q-14 0 -23 -9t-9 -23v-64q0 -14 9 -23t23 -9h1472q14 0 23 9t9 23z" />
-<glyph unicode="" horiz-adv-x="1664" d="M512 160v192q0 14 -9 23t-23 9h-320q-14 0 -23 -9t-9 -23v-192q0 -14 9 -23t23 -9h320q14 0 23 9t9 23zM512 544v192q0 14 -9 23t-23 9h-320q-14 0 -23 -9t-9 -23v-192q0 -14 9 -23t23 -9h320q14 0 23 9t9 23zM1024 160v192q0 14 -9 23t-23 9h-320q-14 0 -23 -9t-9 -23 v-192q0 -14 9 -23t23 -9h320q14 0 23 9t9 23zM512 928v192q0 14 -9 23t-23 9h-320q-14 0 -23 -9t-9 -23v-192q0 -14 9 -23t23 -9h320q14 0 23 9t9 23zM1024 544v192q0 14 -9 23t-23 9h-320q-14 0 -23 -9t-9 -23v-192q0 -14 9 -23t23 -9h320q14 0 23 9t9 23zM1536 160v192 q0 14 -9 23t-23 9h-320q-14 0 -23 -9t-9 -23v-192q0 -14 9 -23t23 -9h320q14 0 23 9t9 23zM1024 928v192q0 14 -9 23t-23 9h-320q-14 0 -23 -9t-9 -23v-192q0 -14 9 -23t23 -9h320q14 0 23 9t9 23zM1536 544v192q0 14 -9 23t-23 9h-320q-14 0 -23 -9t-9 -23v-192 q0 -14 9 -23t23 -9h320q14 0 23 9t9 23zM1536 928v192q0 14 -9 23t-23 9h-320q-14 0 -23 -9t-9 -23v-192q0 -14 9 -23t23 -9h320q14 0 23 9t9 23zM1664 1248v-1088q0 -66 -47 -113t-113 -47h-1344q-66 0 -113 47t-47 113v1088q0 66 47 113t113 47h1344q66 0 113 -47t47 -113 z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1190 955l293 293l-107 107l-293 -293zM1637 1248q0 -27 -18 -45l-1286 -1286q-18 -18 -45 -18t-45 18l-198 198q-18 18 -18 45t18 45l1286 1286q18 18 45 18t45 -18l198 -198q18 -18 18 -45zM286 1438l98 -30l-98 -30l-30 -98l-30 98l-98 30l98 30l30 98zM636 1276 l196 -60l-196 -60l-60 -196l-60 196l-196 60l196 60l60 196zM1566 798l98 -30l-98 -30l-30 -98l-30 98l-98 30l98 30l30 98zM926 1438l98 -30l-98 -30l-30 -98l-30 98l-98 30l98 30l30 98z" />
-<glyph unicode="" horiz-adv-x="1792" d="M640 128q0 52 -38 90t-90 38t-90 -38t-38 -90t38 -90t90 -38t90 38t38 90zM256 640h384v256h-158q-13 0 -22 -9l-195 -195q-9 -9 -9 -22v-30zM1536 128q0 52 -38 90t-90 38t-90 -38t-38 -90t38 -90t90 -38t90 38t38 90zM1792 1216v-1024q0 -15 -4 -26.5t-13.5 -18.5 t-16.5 -11.5t-23.5 -6t-22.5 -2t-25.5 0t-22.5 0.5q0 -106 -75 -181t-181 -75t-181 75t-75 181h-384q0 -106 -75 -181t-181 -75t-181 75t-75 181h-64q-3 0 -22.5 -0.5t-25.5 0t-22.5 2t-23.5 6t-16.5 11.5t-13.5 18.5t-4 26.5q0 26 19 45t45 19v320q0 8 -0.5 35t0 38 t2.5 34.5t6.5 37t14 30.5t22.5 30l198 198q19 19 50.5 32t58.5 13h160v192q0 26 19 45t45 19h1024q26 0 45 -19t19 -45z" />
-<glyph unicode="" d="M1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103q-111 0 -218 32q59 93 78 164q9 34 54 211q20 -39 73 -67.5t114 -28.5q121 0 216 68.5t147 188.5t52 270q0 114 -59.5 214t-172.5 163t-255 63q-105 0 -196 -29t-154.5 -77t-109 -110.5t-67 -129.5t-21.5 -134 q0 -104 40 -183t117 -111q30 -12 38 20q2 7 8 31t8 30q6 23 -11 43q-51 61 -51 151q0 151 104.5 259.5t273.5 108.5q151 0 235.5 -82t84.5 -213q0 -170 -68.5 -289t-175.5 -119q-61 0 -98 43.5t-23 104.5q8 35 26.5 93.5t30 103t11.5 75.5q0 50 -27 83t-77 33 q-62 0 -105 -57t-43 -142q0 -73 25 -122l-99 -418q-17 -70 -13 -177q-206 91 -333 281t-127 423q0 209 103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" d="M1248 1408q119 0 203.5 -84.5t84.5 -203.5v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-725q85 122 108 210q9 34 53 209q21 -39 73.5 -67t112.5 -28q181 0 295.5 147.5t114.5 373.5q0 84 -35 162.5t-96.5 139t-152.5 97t-197 36.5q-104 0 -194.5 -28.5t-153 -76.5 t-107.5 -109.5t-66.5 -128t-21.5 -132.5q0 -102 39.5 -180t116.5 -110q13 -5 23.5 0t14.5 19q10 44 15 61q6 23 -11 42q-50 62 -50 150q0 150 103.5 256.5t270.5 106.5q149 0 232.5 -81t83.5 -210q0 -168 -67.5 -286t-173.5 -118q-60 0 -97 43.5t-23 103.5q8 34 26.5 92.5 t29.5 102t11 74.5q0 49 -26.5 81.5t-75.5 32.5q-61 0 -103.5 -56.5t-42.5 -139.5q0 -72 24 -121l-98 -414q-24 -100 -7 -254h-183q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960z" />
-<glyph unicode="" d="M678 -57q0 -38 -10 -71h-380q-95 0 -171.5 56.5t-103.5 147.5q24 45 69 77.5t100 49.5t107 24t107 7q32 0 49 -2q6 -4 30.5 -21t33 -23t31 -23t32 -25.5t27.5 -25.5t26.5 -29.5t21 -30.5t17.5 -34.5t9.5 -36t4.5 -40.5zM385 294q-234 -7 -385 -85v433q103 -118 273 -118 q32 0 70 5q-21 -61 -21 -86q0 -67 63 -149zM558 805q0 -100 -43.5 -160.5t-140.5 -60.5q-51 0 -97 26t-78 67.5t-56 93.5t-35.5 104t-11.5 99q0 96 51.5 165t144.5 69q66 0 119 -41t84 -104t47 -130t16 -128zM1536 896v-736q0 -119 -84.5 -203.5t-203.5 -84.5h-468 q39 73 39 157q0 66 -22 122.5t-55.5 93t-72 71t-72 59.5t-55.5 54.5t-22 59.5q0 36 23 68t56 61.5t65.5 64.5t55.5 93t23 131t-26.5 145.5t-75.5 118.5q-6 6 -14 11t-12.5 7.5t-10 9.5t-10.5 17h135l135 64h-437q-138 0 -244.5 -38.5t-182.5 -133.5q0 126 81 213t207 87h960 q119 0 203.5 -84.5t84.5 -203.5v-96h-256v256h-128v-256h-256v-128h256v-256h128v256h256z" />
-<glyph unicode="" horiz-adv-x="1664" d="M876 71q0 21 -4.5 40.5t-9.5 36t-17.5 34.5t-21 30.5t-26.5 29.5t-27.5 25.5t-32 25.5t-31 23t-33 23t-30.5 21q-17 2 -50 2q-54 0 -106 -7t-108 -25t-98 -46t-69 -75t-27 -107q0 -68 35.5 -121.5t93 -84t120.5 -45.5t127 -15q59 0 112.5 12.5t100.5 39t74.5 73.5 t27.5 110zM756 933q0 60 -16.5 127.5t-47 130.5t-84 104t-119.5 41q-93 0 -144 -69t-51 -165q0 -47 11.5 -99t35.5 -104t56 -93.5t78 -67.5t97 -26q97 0 140.5 60.5t43.5 160.5zM625 1408h437l-135 -79h-135q71 -45 110 -126t39 -169q0 -74 -23 -131.5t-56 -92.5t-66 -64.5 t-56 -61t-23 -67.5q0 -26 16.5 -51t43 -48t58.5 -48t64 -55.5t58.5 -66t43 -85t16.5 -106.5q0 -160 -140 -282q-152 -131 -420 -131q-59 0 -119.5 10t-122 33.5t-108.5 58t-77 89t-30 121.5q0 61 37 135q32 64 96 110.5t145 71t155 36t150 13.5q-64 83 -64 149q0 12 2 23.5 t5 19.5t8 21.5t7 21.5q-40 -5 -70 -5q-149 0 -255.5 98t-106.5 246q0 140 95 250.5t234 141.5q94 20 187 20zM1664 1152v-128h-256v-256h-128v256h-256v128h256v256h128v-256h256z" />
-<glyph unicode="" horiz-adv-x="1920" d="M768 384h384v96h-128v448h-114l-148 -137l77 -80q42 37 55 57h2v-288h-128v-96zM1280 640q0 -70 -21 -142t-59.5 -134t-101.5 -101t-138 -39t-138 39t-101.5 101t-59.5 134t-21 142t21 142t59.5 134t101.5 101t138 39t138 -39t101.5 -101t59.5 -134t21 -142zM1792 384 v512q-106 0 -181 75t-75 181h-1152q0 -106 -75 -181t-181 -75v-512q106 0 181 -75t75 -181h1152q0 106 75 181t181 75zM1920 1216v-1152q0 -26 -19 -45t-45 -19h-1792q-26 0 -45 19t-19 45v1152q0 26 19 45t45 19h1792q26 0 45 -19t19 -45z" />
-<glyph unicode="" horiz-adv-x="1024" d="M1024 832q0 -26 -19 -45l-448 -448q-19 -19 -45 -19t-45 19l-448 448q-19 19 -19 45t19 45t45 19h896q26 0 45 -19t19 -45z" />
-<glyph unicode="" horiz-adv-x="1024" d="M1024 320q0 -26 -19 -45t-45 -19h-896q-26 0 -45 19t-19 45t19 45l448 448q19 19 45 19t45 -19l448 -448q19 -19 19 -45z" />
-<glyph unicode="" horiz-adv-x="640" d="M640 1088v-896q0 -26 -19 -45t-45 -19t-45 19l-448 448q-19 19 -19 45t19 45l448 448q19 19 45 19t45 -19t19 -45z" />
-<glyph unicode="" horiz-adv-x="640" d="M576 640q0 -26 -19 -45l-448 -448q-19 -19 -45 -19t-45 19t-19 45v896q0 26 19 45t45 19t45 -19l448 -448q19 -19 19 -45z" />
-<glyph unicode="" horiz-adv-x="1664" d="M160 0h608v1152h-640v-1120q0 -13 9.5 -22.5t22.5 -9.5zM1536 32v1120h-640v-1152h608q13 0 22.5 9.5t9.5 22.5zM1664 1248v-1216q0 -66 -47 -113t-113 -47h-1344q-66 0 -113 47t-47 113v1216q0 66 47 113t113 47h1344q66 0 113 -47t47 -113z" />
-<glyph unicode="" horiz-adv-x="1024" d="M1024 448q0 -26 -19 -45l-448 -448q-19 -19 -45 -19t-45 19l-448 448q-19 19 -19 45t19 45t45 19h896q26 0 45 -19t19 -45zM1024 832q0 -26 -19 -45t-45 -19h-896q-26 0 -45 19t-19 45t19 45l448 448q19 19 45 19t45 -19l448 -448q19 -19 19 -45z" />
-<glyph unicode="" horiz-adv-x="1024" d="M1024 448q0 -26 -19 -45l-448 -448q-19 -19 -45 -19t-45 19l-448 448q-19 19 -19 45t19 45t45 19h896q26 0 45 -19t19 -45z" />
-<glyph unicode="" horiz-adv-x="1024" d="M1024 832q0 -26 -19 -45t-45 -19h-896q-26 0 -45 19t-19 45t19 45l448 448q19 19 45 19t45 -19l448 -448q19 -19 19 -45z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1792 826v-794q0 -66 -47 -113t-113 -47h-1472q-66 0 -113 47t-47 113v794q44 -49 101 -87q362 -246 497 -345q57 -42 92.5 -65.5t94.5 -48t110 -24.5h1h1q51 0 110 24.5t94.5 48t92.5 65.5q170 123 498 345q57 39 100 87zM1792 1120q0 -79 -49 -151t-122 -123 q-376 -261 -468 -325q-10 -7 -42.5 -30.5t-54 -38t-52 -32.5t-57.5 -27t-50 -9h-1h-1q-23 0 -50 9t-57.5 27t-52 32.5t-54 38t-42.5 30.5q-91 64 -262 182.5t-205 142.5q-62 42 -117 115.5t-55 136.5q0 78 41.5 130t118.5 52h1472q65 0 112.5 -47t47.5 -113z" />
-<glyph unicode="" d="M349 911v-991h-330v991h330zM370 1217q1 -73 -50.5 -122t-135.5 -49h-2q-82 0 -132 49t-50 122q0 74 51.5 122.5t134.5 48.5t133 -48.5t51 -122.5zM1536 488v-568h-329v530q0 105 -40.5 164.5t-126.5 59.5q-63 0 -105.5 -34.5t-63.5 -85.5q-11 -30 -11 -81v-553h-329 q2 399 2 647t-1 296l-1 48h329v-144h-2q20 32 41 56t56.5 52t87 43.5t114.5 15.5q171 0 275 -113.5t104 -332.5z" />
-<glyph unicode="" d="M1536 640q0 -156 -61 -298t-164 -245t-245 -164t-298 -61q-172 0 -327 72.5t-264 204.5q-7 10 -6.5 22.5t8.5 20.5l137 138q10 9 25 9q16 -2 23 -12q73 -95 179 -147t225 -52q104 0 198.5 40.5t163.5 109.5t109.5 163.5t40.5 198.5t-40.5 198.5t-109.5 163.5 t-163.5 109.5t-198.5 40.5q-98 0 -188 -35.5t-160 -101.5l137 -138q31 -30 14 -69q-17 -40 -59 -40h-448q-26 0 -45 19t-19 45v448q0 42 40 59q39 17 69 -14l130 -129q107 101 244.5 156.5t284.5 55.5q156 0 298 -61t245 -164t164 -245t61 -298z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1771 0q0 -53 -37 -90l-107 -108q-39 -37 -91 -37q-53 0 -90 37l-363 364q-38 36 -38 90q0 53 43 96l-256 256l-126 -126q-14 -14 -34 -14t-34 14q2 -2 12.5 -12t12.5 -13t10 -11.5t10 -13.5t6 -13.5t5.5 -16.5t1.5 -18q0 -38 -28 -68q-3 -3 -16.5 -18t-19 -20.5 t-18.5 -16.5t-22 -15.5t-22 -9t-26 -4.5q-40 0 -68 28l-408 408q-28 28 -28 68q0 13 4.5 26t9 22t15.5 22t16.5 18.5t20.5 19t18 16.5q30 28 68 28q10 0 18 -1.5t16.5 -5.5t13.5 -6t13.5 -10t11.5 -10t13 -12.5t12 -12.5q-14 14 -14 34t14 34l348 348q14 14 34 14t34 -14 q-2 2 -12.5 12t-12.5 13t-10 11.5t-10 13.5t-6 13.5t-5.5 16.5t-1.5 18q0 38 28 68q3 3 16.5 18t19 20.5t18.5 16.5t22 15.5t22 9t26 4.5q40 0 68 -28l408 -408q28 -28 28 -68q0 -13 -4.5 -26t-9 -22t-15.5 -22t-16.5 -18.5t-20.5 -19t-18 -16.5q-30 -28 -68 -28 q-10 0 -18 1.5t-16.5 5.5t-13.5 6t-13.5 10t-11.5 10t-13 12.5t-12 12.5q14 -14 14 -34t-14 -34l-126 -126l256 -256q43 43 96 43q52 0 91 -37l363 -363q37 -39 37 -91z" />
-<glyph unicode="" horiz-adv-x="1792" d="M384 384q0 53 -37.5 90.5t-90.5 37.5t-90.5 -37.5t-37.5 -90.5t37.5 -90.5t90.5 -37.5t90.5 37.5t37.5 90.5zM576 832q0 53 -37.5 90.5t-90.5 37.5t-90.5 -37.5t-37.5 -90.5t37.5 -90.5t90.5 -37.5t90.5 37.5t37.5 90.5zM1004 351l101 382q6 26 -7.5 48.5t-38.5 29.5 t-48 -6.5t-30 -39.5l-101 -382q-60 -5 -107 -43.5t-63 -98.5q-20 -77 20 -146t117 -89t146 20t89 117q16 60 -6 117t-72 91zM1664 384q0 53 -37.5 90.5t-90.5 37.5t-90.5 -37.5t-37.5 -90.5t37.5 -90.5t90.5 -37.5t90.5 37.5t37.5 90.5zM1024 1024q0 53 -37.5 90.5 t-90.5 37.5t-90.5 -37.5t-37.5 -90.5t37.5 -90.5t90.5 -37.5t90.5 37.5t37.5 90.5zM1472 832q0 53 -37.5 90.5t-90.5 37.5t-90.5 -37.5t-37.5 -90.5t37.5 -90.5t90.5 -37.5t90.5 37.5t37.5 90.5zM1792 384q0 -261 -141 -483q-19 -29 -54 -29h-1402q-35 0 -54 29 q-141 221 -141 483q0 182 71 348t191 286t286 191t348 71t348 -71t286 -191t191 -286t71 -348z" />
-<glyph unicode="" horiz-adv-x="1792" d="M896 1152q-204 0 -381.5 -69.5t-282 -187.5t-104.5 -255q0 -112 71.5 -213.5t201.5 -175.5l87 -50l-27 -96q-24 -91 -70 -172q152 63 275 171l43 38l57 -6q69 -8 130 -8q204 0 381.5 69.5t282 187.5t104.5 255t-104.5 255t-282 187.5t-381.5 69.5zM1792 640 q0 -174 -120 -321.5t-326 -233t-450 -85.5q-70 0 -145 8q-198 -175 -460 -242q-49 -14 -114 -22h-5q-15 0 -27 10.5t-16 27.5v1q-3 4 -0.5 12t2 10t4.5 9.5l6 9t7 8.5t8 9q7 8 31 34.5t34.5 38t31 39.5t32.5 51t27 59t26 76q-157 89 -247.5 220t-90.5 281q0 174 120 321.5 t326 233t450 85.5t450 -85.5t326 -233t120 -321.5z" />
-<glyph unicode="" horiz-adv-x="1792" d="M704 1152q-153 0 -286 -52t-211.5 -141t-78.5 -191q0 -82 53 -158t149 -132l97 -56l-35 -84q34 20 62 39l44 31l53 -10q78 -14 153 -14q153 0 286 52t211.5 141t78.5 191t-78.5 191t-211.5 141t-286 52zM704 1280q191 0 353.5 -68.5t256.5 -186.5t94 -257t-94 -257 t-256.5 -186.5t-353.5 -68.5q-86 0 -176 16q-124 -88 -278 -128q-36 -9 -86 -16h-3q-11 0 -20.5 8t-11.5 21q-1 3 -1 6.5t0.5 6.5t2 6l2.5 5t3.5 5.5t4 5t4.5 5t4 4.5q5 6 23 25t26 29.5t22.5 29t25 38.5t20.5 44q-124 72 -195 177t-71 224q0 139 94 257t256.5 186.5 t353.5 68.5zM1526 111q10 -24 20.5 -44t25 -38.5t22.5 -29t26 -29.5t23 -25q1 -1 4 -4.5t4.5 -5t4 -5t3.5 -5.5l2.5 -5t2 -6t0.5 -6.5t-1 -6.5q-3 -14 -13 -22t-22 -7q-50 7 -86 16q-154 40 -278 128q-90 -16 -176 -16q-271 0 -472 132q58 -4 88 -4q161 0 309 45t264 129 q125 92 192 212t67 254q0 77 -23 152q129 -71 204 -178t75 -230q0 -120 -71 -224.5t-195 -176.5z" />
-<glyph unicode="" horiz-adv-x="896" d="M885 970q18 -20 7 -44l-540 -1157q-13 -25 -42 -25q-4 0 -14 2q-17 5 -25.5 19t-4.5 30l197 808l-406 -101q-4 -1 -12 -1q-18 0 -31 11q-18 15 -13 39l201 825q4 14 16 23t28 9h328q19 0 32 -12.5t13 -29.5q0 -8 -5 -18l-171 -463l396 98q8 2 12 2q19 0 34 -15z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1792 288v-320q0 -40 -28 -68t-68 -28h-320q-40 0 -68 28t-28 68v320q0 40 28 68t68 28h96v192h-512v-192h96q40 0 68 -28t28 -68v-320q0 -40 -28 -68t-68 -28h-320q-40 0 -68 28t-28 68v320q0 40 28 68t68 28h96v192h-512v-192h96q40 0 68 -28t28 -68v-320 q0 -40 -28 -68t-68 -28h-320q-40 0 -68 28t-28 68v320q0 40 28 68t68 28h96v192q0 52 38 90t90 38h512v192h-96q-40 0 -68 28t-28 68v320q0 40 28 68t68 28h320q40 0 68 -28t28 -68v-320q0 -40 -28 -68t-68 -28h-96v-192h512q52 0 90 -38t38 -90v-192h96q40 0 68 -28t28 -68 z" />
-<glyph unicode="" horiz-adv-x="1664" d="M896 708v-580q0 -104 -76 -180t-180 -76t-180 76t-76 180q0 26 19 45t45 19t45 -19t19 -45q0 -50 39 -89t89 -39t89 39t39 89v580q33 11 64 11t64 -11zM1664 681q0 -13 -9.5 -22.5t-22.5 -9.5q-11 0 -23 10q-49 46 -93 69t-102 23q-68 0 -128 -37t-103 -97 q-7 -10 -17.5 -28t-14.5 -24q-11 -17 -28 -17q-18 0 -29 17q-4 6 -14.5 24t-17.5 28q-43 60 -102.5 97t-127.5 37t-127.5 -37t-102.5 -97q-7 -10 -17.5 -28t-14.5 -24q-11 -17 -29 -17q-17 0 -28 17q-4 6 -14.5 24t-17.5 28q-43 60 -103 97t-128 37q-58 0 -102 -23t-93 -69 q-12 -10 -23 -10q-13 0 -22.5 9.5t-9.5 22.5q0 5 1 7q45 183 172.5 319.5t298 204.5t360.5 68q140 0 274.5 -40t246.5 -113.5t194.5 -187t115.5 -251.5q1 -2 1 -7zM896 1408v-98q-42 2 -64 2t-64 -2v98q0 26 19 45t45 19t45 -19t19 -45z" />
-<glyph unicode="" horiz-adv-x="1792" d="M768 -128h896v640h-416q-40 0 -68 28t-28 68v416h-384v-1152zM1024 1312v64q0 13 -9.5 22.5t-22.5 9.5h-704q-13 0 -22.5 -9.5t-9.5 -22.5v-64q0 -13 9.5 -22.5t22.5 -9.5h704q13 0 22.5 9.5t9.5 22.5zM1280 640h299l-299 299v-299zM1792 512v-672q0 -40 -28 -68t-68 -28 h-960q-40 0 -68 28t-28 68v160h-544q-40 0 -68 28t-28 68v1344q0 40 28 68t68 28h1088q40 0 68 -28t28 -68v-328q21 -13 36 -28l408 -408q28 -28 48 -76t20 -88z" />
-<glyph unicode="" horiz-adv-x="1024" d="M736 960q0 -13 -9.5 -22.5t-22.5 -9.5t-22.5 9.5t-9.5 22.5q0 46 -54 71t-106 25q-13 0 -22.5 9.5t-9.5 22.5t9.5 22.5t22.5 9.5q50 0 99.5 -16t87 -54t37.5 -90zM896 960q0 72 -34.5 134t-90 101.5t-123 62t-136.5 22.5t-136.5 -22.5t-123 -62t-90 -101.5t-34.5 -134 q0 -101 68 -180q10 -11 30.5 -33t30.5 -33q128 -153 141 -298h228q13 145 141 298q10 11 30.5 33t30.5 33q68 79 68 180zM1024 960q0 -155 -103 -268q-45 -49 -74.5 -87t-59.5 -95.5t-34 -107.5q47 -28 47 -82q0 -37 -25 -64q25 -27 25 -64q0 -52 -45 -81q13 -23 13 -47 q0 -46 -31.5 -71t-77.5 -25q-20 -44 -60 -70t-87 -26t-87 26t-60 70q-46 0 -77.5 25t-31.5 71q0 24 13 47q-45 29 -45 81q0 37 25 64q-25 27 -25 64q0 54 47 82q-4 50 -34 107.5t-59.5 95.5t-74.5 87q-103 113 -103 268q0 99 44.5 184.5t117 142t164 89t186.5 32.5 t186.5 -32.5t164 -89t117 -142t44.5 -184.5z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1792 352v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1376v-192q0 -13 -9.5 -22.5t-22.5 -9.5q-12 0 -24 10l-319 320q-9 9 -9 22q0 14 9 23l320 320q9 9 23 9q13 0 22.5 -9.5t9.5 -22.5v-192h1376q13 0 22.5 -9.5t9.5 -22.5zM1792 896q0 -14 -9 -23l-320 -320q-9 -9 -23 -9 q-13 0 -22.5 9.5t-9.5 22.5v192h-1376q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h1376v192q0 14 9 23t23 9q12 0 24 -10l319 -319q9 -9 9 -23z" />
-<glyph unicode="" horiz-adv-x="1920" d="M1280 608q0 14 -9 23t-23 9h-224v352q0 13 -9.5 22.5t-22.5 9.5h-192q-13 0 -22.5 -9.5t-9.5 -22.5v-352h-224q-13 0 -22.5 -9.5t-9.5 -22.5q0 -14 9 -23l352 -352q9 -9 23 -9t23 9l351 351q10 12 10 24zM1920 384q0 -159 -112.5 -271.5t-271.5 -112.5h-1088 q-185 0 -316.5 131.5t-131.5 316.5q0 130 70 240t188 165q-2 30 -2 43q0 212 150 362t362 150q156 0 285.5 -87t188.5 -231q71 62 166 62q106 0 181 -75t75 -181q0 -76 -41 -138q130 -31 213.5 -135.5t83.5 -238.5z" />
-<glyph unicode="" horiz-adv-x="1920" d="M1280 672q0 14 -9 23l-352 352q-9 9 -23 9t-23 -9l-351 -351q-10 -12 -10 -24q0 -14 9 -23t23 -9h224v-352q0 -13 9.5 -22.5t22.5 -9.5h192q13 0 22.5 9.5t9.5 22.5v352h224q13 0 22.5 9.5t9.5 22.5zM1920 384q0 -159 -112.5 -271.5t-271.5 -112.5h-1088 q-185 0 -316.5 131.5t-131.5 316.5q0 130 70 240t188 165q-2 30 -2 43q0 212 150 362t362 150q156 0 285.5 -87t188.5 -231q71 62 166 62q106 0 181 -75t75 -181q0 -76 -41 -138q130 -31 213.5 -135.5t83.5 -238.5z" />
-<glyph unicode="" horiz-adv-x="1408" d="M384 192q0 -26 -19 -45t-45 -19t-45 19t-19 45t19 45t45 19t45 -19t19 -45zM1408 131q0 -121 -73 -190t-194 -69h-874q-121 0 -194 69t-73 190q0 68 5.5 131t24 138t47.5 132.5t81 103t120 60.5q-22 -52 -22 -120v-203q-58 -20 -93 -70t-35 -111q0 -80 56 -136t136 -56 t136 56t56 136q0 61 -35.5 111t-92.5 70v203q0 62 25 93q132 -104 295 -104t295 104q25 -31 25 -93v-64q-106 0 -181 -75t-75 -181v-89q-32 -29 -32 -71q0 -40 28 -68t68 -28t68 28t28 68q0 42 -32 71v89q0 52 38 90t90 38t90 -38t38 -90v-89q-32 -29 -32 -71q0 -40 28 -68 t68 -28t68 28t28 68q0 42 -32 71v89q0 68 -34.5 127.5t-93.5 93.5q0 10 0.5 42.5t0 48t-2.5 41.5t-7 47t-13 40q68 -15 120 -60.5t81 -103t47.5 -132.5t24 -138t5.5 -131zM1088 1024q0 -159 -112.5 -271.5t-271.5 -112.5t-271.5 112.5t-112.5 271.5t112.5 271.5t271.5 112.5 t271.5 -112.5t112.5 -271.5z" />
-<glyph unicode="" horiz-adv-x="1408" d="M1280 832q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45t45 -19t45 19t19 45zM1408 832q0 -62 -35.5 -111t-92.5 -70v-395q0 -159 -131.5 -271.5t-316.5 -112.5t-316.5 112.5t-131.5 271.5v132q-164 20 -274 128t-110 252v512q0 26 19 45t45 19q6 0 16 -2q17 30 47 48 t65 18q53 0 90.5 -37.5t37.5 -90.5t-37.5 -90.5t-90.5 -37.5q-33 0 -64 18v-402q0 -106 94 -181t226 -75t226 75t94 181v402q-31 -18 -64 -18q-53 0 -90.5 37.5t-37.5 90.5t37.5 90.5t90.5 37.5q35 0 65 -18t47 -48q10 2 16 2q26 0 45 -19t19 -45v-512q0 -144 -110 -252 t-274 -128v-132q0 -106 94 -181t226 -75t226 75t94 181v395q-57 21 -92.5 70t-35.5 111q0 80 56 136t136 56t136 -56t56 -136z" />
-<glyph unicode="" horiz-adv-x="1792" d="M640 1152h512v128h-512v-128zM288 1152v-1280h-64q-92 0 -158 66t-66 158v832q0 92 66 158t158 66h64zM1408 1152v-1280h-1024v1280h128v160q0 40 28 68t68 28h576q40 0 68 -28t28 -68v-160h128zM1792 928v-832q0 -92 -66 -158t-158 -66h-64v1280h64q92 0 158 -66 t66 -158z" />
-<glyph unicode="" horiz-adv-x="1664" d="M848 -160q0 16 -16 16q-59 0 -101.5 42.5t-42.5 101.5q0 16 -16 16t-16 -16q0 -73 51.5 -124.5t124.5 -51.5q16 0 16 16zM1664 128q0 -52 -38 -90t-90 -38h-448q0 -106 -75 -181t-181 -75t-181 75t-75 181h-448q-52 0 -90 38t-38 90q190 161 287 397.5t97 498.5 q0 165 96 262t264 117q-8 18 -8 37q0 40 28 68t68 28t68 -28t28 -68q0 -19 -8 -37q168 -20 264 -117t96 -262q0 -262 97 -498.5t287 -397.5z" />
-<glyph unicode="" horiz-adv-x="1920" d="M1664 896q0 80 -56 136t-136 56h-64v-384h64q80 0 136 56t56 136zM0 128h1792q0 -106 -75 -181t-181 -75h-1280q-106 0 -181 75t-75 181zM1856 896q0 -159 -112.5 -271.5t-271.5 -112.5h-64v-32q0 -92 -66 -158t-158 -66h-704q-92 0 -158 66t-66 158v736q0 26 19 45 t45 19h1152q159 0 271.5 -112.5t112.5 -271.5z" />
-<glyph unicode="" horiz-adv-x="1408" d="M640 1472v-640q0 -61 -35.5 -111t-92.5 -70v-779q0 -52 -38 -90t-90 -38h-128q-52 0 -90 38t-38 90v779q-57 20 -92.5 70t-35.5 111v640q0 26 19 45t45 19t45 -19t19 -45v-416q0 -26 19 -45t45 -19t45 19t19 45v416q0 26 19 45t45 19t45 -19t19 -45v-416q0 -26 19 -45 t45 -19t45 19t19 45v416q0 26 19 45t45 19t45 -19t19 -45zM1408 1472v-1600q0 -52 -38 -90t-90 -38h-128q-52 0 -90 38t-38 90v512h-224q-13 0 -22.5 9.5t-9.5 22.5v800q0 132 94 226t226 94h256q26 0 45 -19t19 -45z" />
-<glyph unicode="" horiz-adv-x="1280" d="M1024 352v-64q0 -14 -9 -23t-23 -9h-704q-14 0 -23 9t-9 23v64q0 14 9 23t23 9h704q14 0 23 -9t9 -23zM1024 608v-64q0 -14 -9 -23t-23 -9h-704q-14 0 -23 9t-9 23v64q0 14 9 23t23 9h704q14 0 23 -9t9 -23zM128 0h1024v768h-416q-40 0 -68 28t-28 68v416h-512v-1280z M768 896h376q-10 29 -22 41l-313 313q-12 12 -41 22v-376zM1280 864v-896q0 -40 -28 -68t-68 -28h-1088q-40 0 -68 28t-28 68v1344q0 40 28 68t68 28h640q40 0 88 -20t76 -48l312 -312q28 -28 48 -76t20 -88z" />
-<glyph unicode="" horiz-adv-x="1408" d="M384 224v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM384 480v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5z M640 480v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM384 736v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5z M1152 224v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM896 480v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5z M640 736v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM384 992v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5z M1152 480v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM896 736v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5z M640 992v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM384 1248v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5z M1152 736v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM896 992v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5z M640 1248v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM1152 992v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5z M896 1248v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM1152 1248v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5z M896 -128h384v1536h-1152v-1536h384v224q0 13 9.5 22.5t22.5 9.5h320q13 0 22.5 -9.5t9.5 -22.5v-224zM1408 1472v-1664q0 -26 -19 -45t-45 -19h-1280q-26 0 -45 19t-19 45v1664q0 26 19 45t45 19h1280q26 0 45 -19t19 -45z" />
-<glyph unicode="" horiz-adv-x="1408" d="M384 224v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM384 480v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5z M640 480v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM384 736v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5z M1152 224v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM896 480v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5z M640 736v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM1152 480v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5z M896 736v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM1152 736v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5z M896 -128h384v1152h-256v-32q0 -40 -28 -68t-68 -28h-448q-40 0 -68 28t-28 68v32h-256v-1152h384v224q0 13 9.5 22.5t22.5 9.5h320q13 0 22.5 -9.5t9.5 -22.5v-224zM896 1056v320q0 13 -9.5 22.5t-22.5 9.5h-64q-13 0 -22.5 -9.5t-9.5 -22.5v-96h-128v96q0 13 -9.5 22.5 t-22.5 9.5h-64q-13 0 -22.5 -9.5t-9.5 -22.5v-320q0 -13 9.5 -22.5t22.5 -9.5h64q13 0 22.5 9.5t9.5 22.5v96h128v-96q0 -13 9.5 -22.5t22.5 -9.5h64q13 0 22.5 9.5t9.5 22.5zM1408 1088v-1280q0 -26 -19 -45t-45 -19h-1280q-26 0 -45 19t-19 45v1280q0 26 19 45t45 19h320 v288q0 40 28 68t68 28h448q40 0 68 -28t28 -68v-288h320q26 0 45 -19t19 -45z" />
-<glyph unicode="" horiz-adv-x="1920" d="M640 128q0 53 -37.5 90.5t-90.5 37.5t-90.5 -37.5t-37.5 -90.5t37.5 -90.5t90.5 -37.5t90.5 37.5t37.5 90.5zM256 640h384v256h-158q-14 -2 -22 -9l-195 -195q-7 -12 -9 -22v-30zM1536 128q0 53 -37.5 90.5t-90.5 37.5t-90.5 -37.5t-37.5 -90.5t37.5 -90.5t90.5 -37.5 t90.5 37.5t37.5 90.5zM1664 800v192q0 14 -9 23t-23 9h-224v224q0 14 -9 23t-23 9h-192q-14 0 -23 -9t-9 -23v-224h-224q-14 0 -23 -9t-9 -23v-192q0 -14 9 -23t23 -9h224v-224q0 -14 9 -23t23 -9h192q14 0 23 9t9 23v224h224q14 0 23 9t9 23zM1920 1344v-1152 q0 -26 -19 -45t-45 -19h-192q0 -106 -75 -181t-181 -75t-181 75t-75 181h-384q0 -106 -75 -181t-181 -75t-181 75t-75 181h-128q-26 0 -45 19t-19 45t19 45t45 19v416q0 26 13 58t32 51l198 198q19 19 51 32t58 13h160v320q0 26 19 45t45 19h1152q26 0 45 -19t19 -45z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1280 416v192q0 14 -9 23t-23 9h-224v224q0 14 -9 23t-23 9h-192q-14 0 -23 -9t-9 -23v-224h-224q-14 0 -23 -9t-9 -23v-192q0 -14 9 -23t23 -9h224v-224q0 -14 9 -23t23 -9h192q14 0 23 9t9 23v224h224q14 0 23 9t9 23zM640 1152h512v128h-512v-128zM256 1152v-1280h-32 q-92 0 -158 66t-66 158v832q0 92 66 158t158 66h32zM1440 1152v-1280h-1088v1280h160v160q0 40 28 68t68 28h576q40 0 68 -28t28 -68v-160h160zM1792 928v-832q0 -92 -66 -158t-158 -66h-32v1280h32q92 0 158 -66t66 -158z" />
-<glyph unicode="" horiz-adv-x="1920" d="M1920 576q-1 -32 -288 -96l-352 -32l-224 -64h-64l-293 -352h69q26 0 45 -4.5t19 -11.5t-19 -11.5t-45 -4.5h-96h-160h-64v32h64v416h-160l-192 -224h-96l-32 32v192h32v32h128v8l-192 24v128l192 24v8h-128v32h-32v192l32 32h96l192 -224h160v416h-64v32h64h160h96 q26 0 45 -4.5t19 -11.5t-19 -11.5t-45 -4.5h-69l293 -352h64l224 -64l352 -32q261 -58 287 -93z" />
-<glyph unicode="" horiz-adv-x="1664" d="M640 640v384h-256v-256q0 -53 37.5 -90.5t90.5 -37.5h128zM1664 192v-192h-1152v192l128 192h-128q-159 0 -271.5 112.5t-112.5 271.5v320l-64 64l32 128h480l32 128h960l32 -192l-64 -32v-800z" />
-<glyph unicode="" d="M1280 192v896q0 26 -19 45t-45 19h-128q-26 0 -45 -19t-19 -45v-320h-512v320q0 26 -19 45t-45 19h-128q-26 0 -45 -19t-19 -45v-896q0 -26 19 -45t45 -19h128q26 0 45 19t19 45v320h512v-320q0 -26 19 -45t45 -19h128q26 0 45 19t19 45zM1536 1120v-960 q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="" d="M1280 576v128q0 26 -19 45t-45 19h-320v320q0 26 -19 45t-45 19h-128q-26 0 -45 -19t-19 -45v-320h-320q-26 0 -45 -19t-19 -45v-128q0 -26 19 -45t45 -19h320v-320q0 -26 19 -45t45 -19h128q26 0 45 19t19 45v320h320q26 0 45 19t19 45zM1536 1120v-960 q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="" horiz-adv-x="1024" d="M627 160q0 -13 -10 -23l-50 -50q-10 -10 -23 -10t-23 10l-466 466q-10 10 -10 23t10 23l466 466q10 10 23 10t23 -10l50 -50q10 -10 10 -23t-10 -23l-393 -393l393 -393q10 -10 10 -23zM1011 160q0 -13 -10 -23l-50 -50q-10 -10 -23 -10t-23 10l-466 466q-10 10 -10 23 t10 23l466 466q10 10 23 10t23 -10l50 -50q10 -10 10 -23t-10 -23l-393 -393l393 -393q10 -10 10 -23z" />
-<glyph unicode="" horiz-adv-x="1024" d="M595 576q0 -13 -10 -23l-466 -466q-10 -10 -23 -10t-23 10l-50 50q-10 10 -10 23t10 23l393 393l-393 393q-10 10 -10 23t10 23l50 50q10 10 23 10t23 -10l466 -466q10 -10 10 -23zM979 576q0 -13 -10 -23l-466 -466q-10 -10 -23 -10t-23 10l-50 50q-10 10 -10 23t10 23 l393 393l-393 393q-10 10 -10 23t10 23l50 50q10 10 23 10t23 -10l466 -466q10 -10 10 -23z" />
-<glyph unicode="" horiz-adv-x="1152" d="M1075 224q0 -13 -10 -23l-50 -50q-10 -10 -23 -10t-23 10l-393 393l-393 -393q-10 -10 -23 -10t-23 10l-50 50q-10 10 -10 23t10 23l466 466q10 10 23 10t23 -10l466 -466q10 -10 10 -23zM1075 608q0 -13 -10 -23l-50 -50q-10 -10 -23 -10t-23 10l-393 393l-393 -393 q-10 -10 -23 -10t-23 10l-50 50q-10 10 -10 23t10 23l466 466q10 10 23 10t23 -10l466 -466q10 -10 10 -23z" />
-<glyph unicode="" horiz-adv-x="1152" d="M1075 672q0 -13 -10 -23l-466 -466q-10 -10 -23 -10t-23 10l-466 466q-10 10 -10 23t10 23l50 50q10 10 23 10t23 -10l393 -393l393 393q10 10 23 10t23 -10l50 -50q10 -10 10 -23zM1075 1056q0 -13 -10 -23l-466 -466q-10 -10 -23 -10t-23 10l-466 466q-10 10 -10 23 t10 23l50 50q10 10 23 10t23 -10l393 -393l393 393q10 10 23 10t23 -10l50 -50q10 -10 10 -23z" />
-<glyph unicode="" horiz-adv-x="640" d="M627 992q0 -13 -10 -23l-393 -393l393 -393q10 -10 10 -23t-10 -23l-50 -50q-10 -10 -23 -10t-23 10l-466 466q-10 10 -10 23t10 23l466 466q10 10 23 10t23 -10l50 -50q10 -10 10 -23z" />
-<glyph unicode="" horiz-adv-x="640" d="M595 576q0 -13 -10 -23l-466 -466q-10 -10 -23 -10t-23 10l-50 50q-10 10 -10 23t10 23l393 393l-393 393q-10 10 -10 23t10 23l50 50q10 10 23 10t23 -10l466 -466q10 -10 10 -23z" />
-<glyph unicode="" horiz-adv-x="1152" d="M1075 352q0 -13 -10 -23l-50 -50q-10 -10 -23 -10t-23 10l-393 393l-393 -393q-10 -10 -23 -10t-23 10l-50 50q-10 10 -10 23t10 23l466 466q10 10 23 10t23 -10l466 -466q10 -10 10 -23z" />
-<glyph unicode="" horiz-adv-x="1152" d="M1075 800q0 -13 -10 -23l-466 -466q-10 -10 -23 -10t-23 10l-466 466q-10 10 -10 23t10 23l50 50q10 10 23 10t23 -10l393 -393l393 393q10 10 23 10t23 -10l50 -50q10 -10 10 -23z" />
-<glyph unicode="" horiz-adv-x="1920" d="M1792 544v832q0 13 -9.5 22.5t-22.5 9.5h-1600q-13 0 -22.5 -9.5t-9.5 -22.5v-832q0 -13 9.5 -22.5t22.5 -9.5h1600q13 0 22.5 9.5t9.5 22.5zM1920 1376v-1088q0 -66 -47 -113t-113 -47h-544q0 -37 16 -77.5t32 -71t16 -43.5q0 -26 -19 -45t-45 -19h-512q-26 0 -45 19 t-19 45q0 14 16 44t32 70t16 78h-544q-66 0 -113 47t-47 113v1088q0 66 47 113t113 47h1600q66 0 113 -47t47 -113z" />
-<glyph unicode="" horiz-adv-x="1920" d="M416 256q-66 0 -113 47t-47 113v704q0 66 47 113t113 47h1088q66 0 113 -47t47 -113v-704q0 -66 -47 -113t-113 -47h-1088zM384 1120v-704q0 -13 9.5 -22.5t22.5 -9.5h1088q13 0 22.5 9.5t9.5 22.5v704q0 13 -9.5 22.5t-22.5 9.5h-1088q-13 0 -22.5 -9.5t-9.5 -22.5z M1760 192h160v-96q0 -40 -47 -68t-113 -28h-1600q-66 0 -113 28t-47 68v96h160h1600zM1040 96q16 0 16 16t-16 16h-160q-16 0 -16 -16t16 -16h160z" />
-<glyph unicode="" horiz-adv-x="1152" d="M640 128q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45t45 -19t45 19t19 45zM1024 288v960q0 13 -9.5 22.5t-22.5 9.5h-832q-13 0 -22.5 -9.5t-9.5 -22.5v-960q0 -13 9.5 -22.5t22.5 -9.5h832q13 0 22.5 9.5t9.5 22.5zM1152 1248v-1088q0 -66 -47 -113t-113 -47h-832 q-66 0 -113 47t-47 113v1088q0 66 47 113t113 47h832q66 0 113 -47t47 -113z" />
-<glyph unicode="" horiz-adv-x="768" d="M464 128q0 33 -23.5 56.5t-56.5 23.5t-56.5 -23.5t-23.5 -56.5t23.5 -56.5t56.5 -23.5t56.5 23.5t23.5 56.5zM672 288v704q0 13 -9.5 22.5t-22.5 9.5h-512q-13 0 -22.5 -9.5t-9.5 -22.5v-704q0 -13 9.5 -22.5t22.5 -9.5h512q13 0 22.5 9.5t9.5 22.5zM480 1136 q0 16 -16 16h-160q-16 0 -16 -16t16 -16h160q16 0 16 16zM768 1152v-1024q0 -52 -38 -90t-90 -38h-512q-52 0 -90 38t-38 90v1024q0 52 38 90t90 38h512q52 0 90 -38t38 -90z" />
-<glyph unicode="" d="M768 1184q-148 0 -273 -73t-198 -198t-73 -273t73 -273t198 -198t273 -73t273 73t198 198t73 273t-73 273t-198 198t-273 73zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103 t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" horiz-adv-x="1664" d="M768 576v-384q0 -80 -56 -136t-136 -56h-384q-80 0 -136 56t-56 136v704q0 104 40.5 198.5t109.5 163.5t163.5 109.5t198.5 40.5h64q26 0 45 -19t19 -45v-128q0 -26 -19 -45t-45 -19h-64q-106 0 -181 -75t-75 -181v-32q0 -40 28 -68t68 -28h224q80 0 136 -56t56 -136z M1664 576v-384q0 -80 -56 -136t-136 -56h-384q-80 0 -136 56t-56 136v704q0 104 40.5 198.5t109.5 163.5t163.5 109.5t198.5 40.5h64q26 0 45 -19t19 -45v-128q0 -26 -19 -45t-45 -19h-64q-106 0 -181 -75t-75 -181v-32q0 -40 28 -68t68 -28h224q80 0 136 -56t56 -136z" />
-<glyph unicode="" horiz-adv-x="1664" d="M768 1216v-704q0 -104 -40.5 -198.5t-109.5 -163.5t-163.5 -109.5t-198.5 -40.5h-64q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h64q106 0 181 75t75 181v32q0 40 -28 68t-68 28h-224q-80 0 -136 56t-56 136v384q0 80 56 136t136 56h384q80 0 136 -56t56 -136zM1664 1216 v-704q0 -104 -40.5 -198.5t-109.5 -163.5t-163.5 -109.5t-198.5 -40.5h-64q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h64q106 0 181 75t75 181v32q0 40 -28 68t-68 28h-224q-80 0 -136 56t-56 136v384q0 80 56 136t136 56h384q80 0 136 -56t56 -136z" />
-<glyph unicode="" horiz-adv-x="1568" d="M496 192q0 -60 -42.5 -102t-101.5 -42q-60 0 -102 42t-42 102t42 102t102 42q59 0 101.5 -42t42.5 -102zM928 0q0 -53 -37.5 -90.5t-90.5 -37.5t-90.5 37.5t-37.5 90.5t37.5 90.5t90.5 37.5t90.5 -37.5t37.5 -90.5zM320 640q0 -66 -47 -113t-113 -47t-113 47t-47 113 t47 113t113 47t113 -47t47 -113zM1360 192q0 -46 -33 -79t-79 -33t-79 33t-33 79t33 79t79 33t79 -33t33 -79zM528 1088q0 -73 -51.5 -124.5t-124.5 -51.5t-124.5 51.5t-51.5 124.5t51.5 124.5t124.5 51.5t124.5 -51.5t51.5 -124.5zM992 1280q0 -80 -56 -136t-136 -56 t-136 56t-56 136t56 136t136 56t136 -56t56 -136zM1536 640q0 -40 -28 -68t-68 -28t-68 28t-28 68t28 68t68 28t68 -28t28 -68zM1328 1088q0 -33 -23.5 -56.5t-56.5 -23.5t-56.5 23.5t-23.5 56.5t23.5 56.5t56.5 23.5t56.5 -23.5t23.5 -56.5z" />
-<glyph unicode="" d="M1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1792 416q0 -166 -127 -451q-3 -7 -10.5 -24t-13.5 -30t-13 -22q-12 -17 -28 -17q-15 0 -23.5 10t-8.5 25q0 9 2.5 26.5t2.5 23.5q5 68 5 123q0 101 -17.5 181t-48.5 138.5t-80 101t-105.5 69.5t-133 42.5t-154 21.5t-175.5 6h-224v-256q0 -26 -19 -45t-45 -19t-45 19 l-512 512q-19 19 -19 45t19 45l512 512q19 19 45 19t45 -19t19 -45v-256h224q713 0 875 -403q53 -134 53 -333z" />
-<glyph unicode="" horiz-adv-x="1664" d="M640 320q0 -40 -12.5 -82t-43 -76t-72.5 -34t-72.5 34t-43 76t-12.5 82t12.5 82t43 76t72.5 34t72.5 -34t43 -76t12.5 -82zM1280 320q0 -40 -12.5 -82t-43 -76t-72.5 -34t-72.5 34t-43 76t-12.5 82t12.5 82t43 76t72.5 34t72.5 -34t43 -76t12.5 -82zM1440 320 q0 120 -69 204t-187 84q-41 0 -195 -21q-71 -11 -157 -11t-157 11q-152 21 -195 21q-118 0 -187 -84t-69 -204q0 -88 32 -153.5t81 -103t122 -60t140 -29.5t149 -7h168q82 0 149 7t140 29.5t122 60t81 103t32 153.5zM1664 496q0 -207 -61 -331q-38 -77 -105.5 -133t-141 -86 t-170 -47.5t-171.5 -22t-167 -4.5q-78 0 -142 3t-147.5 12.5t-152.5 30t-137 51.5t-121 81t-86 115q-62 123 -62 331q0 237 136 396q-27 82 -27 170q0 116 51 218q108 0 190 -39.5t189 -123.5q147 35 309 35q148 0 280 -32q105 82 187 121t189 39q51 -102 51 -218 q0 -87 -27 -168q136 -160 136 -398z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1536 224v704q0 40 -28 68t-68 28h-704q-40 0 -68 28t-28 68v64q0 40 -28 68t-68 28h-320q-40 0 -68 -28t-28 -68v-960q0 -40 28 -68t68 -28h1216q40 0 68 28t28 68zM1664 928v-704q0 -92 -66 -158t-158 -66h-1216q-92 0 -158 66t-66 158v960q0 92 66 158t158 66h320 q92 0 158 -66t66 -158v-32h672q92 0 158 -66t66 -158z" />
-<glyph unicode="" horiz-adv-x="1920" d="M1781 605q0 35 -53 35h-1088q-40 0 -85.5 -21.5t-71.5 -52.5l-294 -363q-18 -24 -18 -40q0 -35 53 -35h1088q40 0 86 22t71 53l294 363q18 22 18 39zM640 768h768v160q0 40 -28 68t-68 28h-576q-40 0 -68 28t-28 68v64q0 40 -28 68t-68 28h-320q-40 0 -68 -28t-28 -68 v-853l256 315q44 53 116 87.5t140 34.5zM1909 605q0 -62 -46 -120l-295 -363q-43 -53 -116 -87.5t-140 -34.5h-1088q-92 0 -158 66t-66 158v960q0 92 66 158t158 66h320q92 0 158 -66t66 -158v-32h544q92 0 158 -66t66 -158v-160h192q54 0 99 -24.5t67 -70.5q15 -32 15 -68z " />
-<glyph unicode="" horiz-adv-x="1792" />
-<glyph unicode="" horiz-adv-x="1792" />
-<glyph unicode="" d="M1134 461q-37 -121 -138 -195t-228 -74t-228 74t-138 195q-8 25 4 48.5t38 31.5q25 8 48.5 -4t31.5 -38q25 -80 92.5 -129.5t151.5 -49.5t151.5 49.5t92.5 129.5q8 26 32 38t49 4t37 -31.5t4 -48.5zM640 896q0 -53 -37.5 -90.5t-90.5 -37.5t-90.5 37.5t-37.5 90.5 t37.5 90.5t90.5 37.5t90.5 -37.5t37.5 -90.5zM1152 896q0 -53 -37.5 -90.5t-90.5 -37.5t-90.5 37.5t-37.5 90.5t37.5 90.5t90.5 37.5t90.5 -37.5t37.5 -90.5zM1408 640q0 130 -51 248.5t-136.5 204t-204 136.5t-248.5 51t-248.5 -51t-204 -136.5t-136.5 -204t-51 -248.5 t51 -248.5t136.5 -204t204 -136.5t248.5 -51t248.5 51t204 136.5t136.5 204t51 248.5zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" d="M1134 307q8 -25 -4 -48.5t-37 -31.5t-49 4t-32 38q-25 80 -92.5 129.5t-151.5 49.5t-151.5 -49.5t-92.5 -129.5q-8 -26 -31.5 -38t-48.5 -4q-26 8 -38 31.5t-4 48.5q37 121 138 195t228 74t228 -74t138 -195zM640 896q0 -53 -37.5 -90.5t-90.5 -37.5t-90.5 37.5 t-37.5 90.5t37.5 90.5t90.5 37.5t90.5 -37.5t37.5 -90.5zM1152 896q0 -53 -37.5 -90.5t-90.5 -37.5t-90.5 37.5t-37.5 90.5t37.5 90.5t90.5 37.5t90.5 -37.5t37.5 -90.5zM1408 640q0 130 -51 248.5t-136.5 204t-204 136.5t-248.5 51t-248.5 -51t-204 -136.5t-136.5 -204 t-51 -248.5t51 -248.5t136.5 -204t204 -136.5t248.5 -51t248.5 51t204 136.5t136.5 204t51 248.5zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" d="M1152 448q0 -26 -19 -45t-45 -19h-640q-26 0 -45 19t-19 45t19 45t45 19h640q26 0 45 -19t19 -45zM640 896q0 -53 -37.5 -90.5t-90.5 -37.5t-90.5 37.5t-37.5 90.5t37.5 90.5t90.5 37.5t90.5 -37.5t37.5 -90.5zM1152 896q0 -53 -37.5 -90.5t-90.5 -37.5t-90.5 37.5 t-37.5 90.5t37.5 90.5t90.5 37.5t90.5 -37.5t37.5 -90.5zM1408 640q0 130 -51 248.5t-136.5 204t-204 136.5t-248.5 51t-248.5 -51t-204 -136.5t-136.5 -204t-51 -248.5t51 -248.5t136.5 -204t204 -136.5t248.5 -51t248.5 51t204 136.5t136.5 204t51 248.5zM1536 640 q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" horiz-adv-x="1920" d="M832 448v128q0 14 -9 23t-23 9h-192v192q0 14 -9 23t-23 9h-128q-14 0 -23 -9t-9 -23v-192h-192q-14 0 -23 -9t-9 -23v-128q0 -14 9 -23t23 -9h192v-192q0 -14 9 -23t23 -9h128q14 0 23 9t9 23v192h192q14 0 23 9t9 23zM1408 384q0 53 -37.5 90.5t-90.5 37.5t-90.5 -37.5 t-37.5 -90.5t37.5 -90.5t90.5 -37.5t90.5 37.5t37.5 90.5zM1664 640q0 53 -37.5 90.5t-90.5 37.5t-90.5 -37.5t-37.5 -90.5t37.5 -90.5t90.5 -37.5t90.5 37.5t37.5 90.5zM1920 512q0 -212 -150 -362t-362 -150q-192 0 -338 128h-220q-146 -128 -338 -128q-212 0 -362 150 t-150 362t150 362t362 150h896q212 0 362 -150t150 -362z" />
-<glyph unicode="" horiz-adv-x="1920" d="M384 368v-96q0 -16 -16 -16h-96q-16 0 -16 16v96q0 16 16 16h96q16 0 16 -16zM512 624v-96q0 -16 -16 -16h-224q-16 0 -16 16v96q0 16 16 16h224q16 0 16 -16zM384 880v-96q0 -16 -16 -16h-96q-16 0 -16 16v96q0 16 16 16h96q16 0 16 -16zM1408 368v-96q0 -16 -16 -16 h-864q-16 0 -16 16v96q0 16 16 16h864q16 0 16 -16zM768 624v-96q0 -16 -16 -16h-96q-16 0 -16 16v96q0 16 16 16h96q16 0 16 -16zM640 880v-96q0 -16 -16 -16h-96q-16 0 -16 16v96q0 16 16 16h96q16 0 16 -16zM1024 624v-96q0 -16 -16 -16h-96q-16 0 -16 16v96q0 16 16 16 h96q16 0 16 -16zM896 880v-96q0 -16 -16 -16h-96q-16 0 -16 16v96q0 16 16 16h96q16 0 16 -16zM1280 624v-96q0 -16 -16 -16h-96q-16 0 -16 16v96q0 16 16 16h96q16 0 16 -16zM1664 368v-96q0 -16 -16 -16h-96q-16 0 -16 16v96q0 16 16 16h96q16 0 16 -16zM1152 880v-96 q0 -16 -16 -16h-96q-16 0 -16 16v96q0 16 16 16h96q16 0 16 -16zM1408 880v-96q0 -16 -16 -16h-96q-16 0 -16 16v96q0 16 16 16h96q16 0 16 -16zM1664 880v-352q0 -16 -16 -16h-224q-16 0 -16 16v96q0 16 16 16h112v240q0 16 16 16h96q16 0 16 -16zM1792 128v896h-1664v-896 h1664zM1920 1024v-896q0 -53 -37.5 -90.5t-90.5 -37.5h-1664q-53 0 -90.5 37.5t-37.5 90.5v896q0 53 37.5 90.5t90.5 37.5h1664q53 0 90.5 -37.5t37.5 -90.5z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1664 491v616q-169 -91 -306 -91q-82 0 -145 32q-100 49 -184 76.5t-178 27.5q-173 0 -403 -127v-599q245 113 433 113q55 0 103.5 -7.5t98 -26t77 -31t82.5 -39.5l28 -14q44 -22 101 -22q120 0 293 92zM320 1280q0 -35 -17.5 -64t-46.5 -46v-1266q0 -14 -9 -23t-23 -9 h-64q-14 0 -23 9t-9 23v1266q-29 17 -46.5 46t-17.5 64q0 53 37.5 90.5t90.5 37.5t90.5 -37.5t37.5 -90.5zM1792 1216v-763q0 -39 -35 -57q-10 -5 -17 -9q-218 -116 -369 -116q-88 0 -158 35l-28 14q-64 33 -99 48t-91 29t-114 14q-102 0 -235.5 -44t-228.5 -102 q-15 -9 -33 -9q-16 0 -32 8q-32 19 -32 56v742q0 35 31 55q35 21 78.5 42.5t114 52t152.5 49.5t155 19q112 0 209 -31t209 -86q38 -19 89 -19q122 0 310 112q22 12 31 17q31 16 62 -2q31 -20 31 -55z" />
-<glyph unicode="" horiz-adv-x="1792" d="M832 536v192q-181 -16 -384 -117v-185q205 96 384 110zM832 954v197q-172 -8 -384 -126v-189q215 111 384 118zM1664 491v184q-235 -116 -384 -71v224q-20 6 -39 15q-5 3 -33 17t-34.5 17t-31.5 15t-34.5 15.5t-32.5 13t-36 12.5t-35 8.5t-39.5 7.5t-39.5 4t-44 2 q-23 0 -49 -3v-222h19q102 0 192.5 -29t197.5 -82q19 -9 39 -15v-188q42 -17 91 -17q120 0 293 92zM1664 918v189q-169 -91 -306 -91q-45 0 -78 8v-196q148 -42 384 90zM320 1280q0 -35 -17.5 -64t-46.5 -46v-1266q0 -14 -9 -23t-23 -9h-64q-14 0 -23 9t-9 23v1266 q-29 17 -46.5 46t-17.5 64q0 53 37.5 90.5t90.5 37.5t90.5 -37.5t37.5 -90.5zM1792 1216v-763q0 -39 -35 -57q-10 -5 -17 -9q-218 -116 -369 -116q-88 0 -158 35l-28 14q-64 33 -99 48t-91 29t-114 14q-102 0 -235.5 -44t-228.5 -102q-15 -9 -33 -9q-16 0 -32 8 q-32 19 -32 56v742q0 35 31 55q35 21 78.5 42.5t114 52t152.5 49.5t155 19q112 0 209 -31t209 -86q38 -19 89 -19q122 0 310 112q22 12 31 17q31 16 62 -2q31 -20 31 -55z" />
-<glyph unicode="" horiz-adv-x="1664" d="M585 553l-466 -466q-10 -10 -23 -10t-23 10l-50 50q-10 10 -10 23t10 23l393 393l-393 393q-10 10 -10 23t10 23l50 50q10 10 23 10t23 -10l466 -466q10 -10 10 -23t-10 -23zM1664 96v-64q0 -14 -9 -23t-23 -9h-960q-14 0 -23 9t-9 23v64q0 14 9 23t23 9h960q14 0 23 -9 t9 -23z" />
-<glyph unicode="" horiz-adv-x="1920" d="M617 137l-50 -50q-10 -10 -23 -10t-23 10l-466 466q-10 10 -10 23t10 23l466 466q10 10 23 10t23 -10l50 -50q10 -10 10 -23t-10 -23l-393 -393l393 -393q10 -10 10 -23t-10 -23zM1208 1204l-373 -1291q-4 -13 -15.5 -19.5t-23.5 -2.5l-62 17q-13 4 -19.5 15.5t-2.5 24.5 l373 1291q4 13 15.5 19.5t23.5 2.5l62 -17q13 -4 19.5 -15.5t2.5 -24.5zM1865 553l-466 -466q-10 -10 -23 -10t-23 10l-50 50q-10 10 -10 23t10 23l393 393l-393 393q-10 10 -10 23t10 23l50 50q10 10 23 10t23 -10l466 -466q10 -10 10 -23t-10 -23z" />
-<glyph unicode="" horiz-adv-x="1792" d="M640 454v-70q0 -42 -39 -59q-13 -5 -25 -5q-27 0 -45 19l-512 512q-19 19 -19 45t19 45l512 512q29 31 70 14q39 -17 39 -59v-69l-397 -398q-19 -19 -19 -45t19 -45zM1792 416q0 -58 -17 -133.5t-38.5 -138t-48 -125t-40.5 -90.5l-20 -40q-8 -17 -28 -17q-6 0 -9 1 q-25 8 -23 34q43 400 -106 565q-64 71 -170.5 110.5t-267.5 52.5v-251q0 -42 -39 -59q-13 -5 -25 -5q-27 0 -45 19l-512 512q-19 19 -19 45t19 45l512 512q29 31 70 14q39 -17 39 -59v-262q411 -28 599 -221q169 -173 169 -509z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1186 579l257 250l-356 52l-66 10l-30 60l-159 322v-963l59 -31l318 -168l-60 355l-12 66zM1638 841l-363 -354l86 -500q5 -33 -6 -51.5t-34 -18.5q-17 0 -40 12l-449 236l-449 -236q-23 -12 -40 -12q-23 0 -34 18.5t-6 51.5l86 500l-364 354q-32 32 -23 59.5t54 34.5 l502 73l225 455q20 41 49 41q28 0 49 -41l225 -455l502 -73q45 -7 54 -34.5t-24 -59.5z" />
-<glyph unicode="" horiz-adv-x="1408" d="M1401 1187l-640 -1280q-17 -35 -57 -35q-5 0 -15 2q-22 5 -35.5 22.5t-13.5 39.5v576h-576q-22 0 -39.5 13.5t-22.5 35.5t4 42t29 30l1280 640q13 7 29 7q27 0 45 -19q15 -14 18.5 -34.5t-6.5 -39.5z" />
-<glyph unicode="" horiz-adv-x="1664" d="M557 256h595v595zM512 301l595 595h-595v-595zM1664 224v-192q0 -14 -9 -23t-23 -9h-224v-224q0 -14 -9 -23t-23 -9h-192q-14 0 -23 9t-9 23v224h-864q-14 0 -23 9t-9 23v864h-224q-14 0 -23 9t-9 23v192q0 14 9 23t23 9h224v224q0 14 9 23t23 9h192q14 0 23 -9t9 -23 v-224h851l246 247q10 9 23 9t23 -9q9 -10 9 -23t-9 -23l-247 -246v-851h224q14 0 23 -9t9 -23z" />
-<glyph unicode="" horiz-adv-x="1024" d="M288 64q0 40 -28 68t-68 28t-68 -28t-28 -68t28 -68t68 -28t68 28t28 68zM288 1216q0 40 -28 68t-68 28t-68 -28t-28 -68t28 -68t68 -28t68 28t28 68zM928 1088q0 40 -28 68t-68 28t-68 -28t-28 -68t28 -68t68 -28t68 28t28 68zM1024 1088q0 -52 -26 -96.5t-70 -69.5 q-2 -287 -226 -414q-68 -38 -203 -81q-128 -40 -169.5 -71t-41.5 -100v-26q44 -25 70 -69.5t26 -96.5q0 -80 -56 -136t-136 -56t-136 56t-56 136q0 52 26 96.5t70 69.5v820q-44 25 -70 69.5t-26 96.5q0 80 56 136t136 56t136 -56t56 -136q0 -52 -26 -96.5t-70 -69.5v-497 q54 26 154 57q55 17 87.5 29.5t70.5 31t59 39.5t40.5 51t28 69.5t8.5 91.5q-44 25 -70 69.5t-26 96.5q0 80 56 136t136 56t136 -56t56 -136z" />
-<glyph unicode="" horiz-adv-x="1664" d="M439 265l-256 -256q-10 -9 -23 -9q-12 0 -23 9q-9 10 -9 23t9 23l256 256q10 9 23 9t23 -9q9 -10 9 -23t-9 -23zM608 224v-320q0 -14 -9 -23t-23 -9t-23 9t-9 23v320q0 14 9 23t23 9t23 -9t9 -23zM384 448q0 -14 -9 -23t-23 -9h-320q-14 0 -23 9t-9 23t9 23t23 9h320 q14 0 23 -9t9 -23zM1648 320q0 -120 -85 -203l-147 -146q-83 -83 -203 -83q-121 0 -204 85l-334 335q-21 21 -42 56l239 18l273 -274q27 -27 68 -27.5t68 26.5l147 146q28 28 28 67q0 40 -28 68l-274 275l18 239q35 -21 56 -42l336 -336q84 -86 84 -204zM1031 1044l-239 -18 l-273 274q-28 28 -68 28q-39 0 -68 -27l-147 -146q-28 -28 -28 -67q0 -40 28 -68l274 -274l-18 -240q-35 21 -56 42l-336 336q-84 86 -84 204q0 120 85 203l147 146q83 83 203 83q121 0 204 -85l334 -335q21 -21 42 -56zM1664 960q0 -14 -9 -23t-23 -9h-320q-14 0 -23 9 t-9 23t9 23t23 9h320q14 0 23 -9t9 -23zM1120 1504v-320q0 -14 -9 -23t-23 -9t-23 9t-9 23v320q0 14 9 23t23 9t23 -9t9 -23zM1527 1353l-256 -256q-11 -9 -23 -9t-23 9q-9 10 -9 23t9 23l256 256q10 9 23 9t23 -9q9 -10 9 -23t-9 -23z" />
-<glyph unicode="" horiz-adv-x="1024" d="M704 280v-240q0 -16 -12 -28t-28 -12h-240q-16 0 -28 12t-12 28v240q0 16 12 28t28 12h240q16 0 28 -12t12 -28zM1020 880q0 -54 -15.5 -101t-35 -76.5t-55 -59.5t-57.5 -43.5t-61 -35.5q-41 -23 -68.5 -65t-27.5 -67q0 -17 -12 -32.5t-28 -15.5h-240q-15 0 -25.5 18.5 t-10.5 37.5v45q0 83 65 156.5t143 108.5q59 27 84 56t25 76q0 42 -46.5 74t-107.5 32q-65 0 -108 -29q-35 -25 -107 -115q-13 -16 -31 -16q-12 0 -25 8l-164 125q-13 10 -15.5 25t5.5 28q160 266 464 266q80 0 161 -31t146 -83t106 -127.5t41 -158.5z" />
-<glyph unicode="" horiz-adv-x="640" d="M640 192v-128q0 -26 -19 -45t-45 -19h-512q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h64v384h-64q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h384q26 0 45 -19t19 -45v-576h64q26 0 45 -19t19 -45zM512 1344v-192q0 -26 -19 -45t-45 -19h-256q-26 0 -45 19t-19 45v192 q0 26 19 45t45 19h256q26 0 45 -19t19 -45z" />
-<glyph unicode="" horiz-adv-x="640" d="M512 288v-224q0 -26 -19 -45t-45 -19h-256q-26 0 -45 19t-19 45v224q0 26 19 45t45 19h256q26 0 45 -19t19 -45zM542 1344l-28 -768q-1 -26 -20.5 -45t-45.5 -19h-256q-26 0 -45.5 19t-20.5 45l-28 768q-1 26 17.5 45t44.5 19h320q26 0 44.5 -19t17.5 -45z" />
-<glyph unicode="" d="M897 167v-167h-248l-159 252l-24 42q-8 9 -11 21h-3l-9 -21q-10 -20 -25 -44l-155 -250h-258v167h128l197 291l-185 272h-137v168h276l139 -228q2 -4 23 -42q8 -9 11 -21h3q3 9 11 21l25 42l140 228h257v-168h-125l-184 -267l204 -296h109zM1534 846v-206h-514l-3 27 q-4 28 -4 46q0 64 26 117t65 86.5t84 65t84 54.5t65 54t26 64q0 38 -29.5 62.5t-70.5 24.5q-51 0 -97 -39q-14 -11 -36 -38l-105 92q26 37 63 66q83 65 188 65q110 0 178 -59.5t68 -158.5q0 -56 -24.5 -103t-62 -76.5t-81.5 -58.5t-82 -50.5t-65.5 -51.5t-30.5 -63h232v80 h126z" />
-<glyph unicode="" d="M897 167v-167h-248l-159 252l-24 42q-8 9 -11 21h-3l-9 -21q-10 -20 -25 -44l-155 -250h-258v167h128l197 291l-185 272h-137v168h276l139 -228q2 -4 23 -42q8 -9 11 -21h3q3 9 11 21l25 42l140 228h257v-168h-125l-184 -267l204 -296h109zM1536 -50v-206h-514l-4 27 q-3 45 -3 46q0 64 26 117t65 86.5t84 65t84 54.5t65 54t26 64q0 38 -29.5 62.5t-70.5 24.5q-51 0 -97 -39q-14 -11 -36 -38l-105 92q26 37 63 66q80 65 188 65q110 0 178 -59.5t68 -158.5q0 -66 -34.5 -118.5t-84 -86t-99.5 -62.5t-87 -63t-41 -73h232v80h126z" />
-<glyph unicode="" horiz-adv-x="1920" d="M896 128l336 384h-768l-336 -384h768zM1909 1205q15 -34 9.5 -71.5t-30.5 -65.5l-896 -1024q-38 -44 -96 -44h-768q-38 0 -69.5 20.5t-47.5 54.5q-15 34 -9.5 71.5t30.5 65.5l896 1024q38 44 96 44h768q38 0 69.5 -20.5t47.5 -54.5z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1664 438q0 -81 -44.5 -135t-123.5 -54q-41 0 -77.5 17.5t-59 38t-56.5 38t-71 17.5q-110 0 -110 -124q0 -39 16 -115t15 -115v-5q-22 0 -33 -1q-34 -3 -97.5 -11.5t-115.5 -13.5t-98 -5q-61 0 -103 26.5t-42 83.5q0 37 17.5 71t38 56.5t38 59t17.5 77.5q0 79 -54 123.5 t-135 44.5q-84 0 -143 -45.5t-59 -127.5q0 -43 15 -83t33.5 -64.5t33.5 -53t15 -50.5q0 -45 -46 -89q-37 -35 -117 -35q-95 0 -245 24q-9 2 -27.5 4t-27.5 4l-13 2q-1 0 -3 1q-2 0 -2 1v1024q2 -1 17.5 -3.5t34 -5t21.5 -3.5q150 -24 245 -24q80 0 117 35q46 44 46 89 q0 22 -15 50.5t-33.5 53t-33.5 64.5t-15 83q0 82 59 127.5t144 45.5q80 0 134 -44.5t54 -123.5q0 -41 -17.5 -77.5t-38 -59t-38 -56.5t-17.5 -71q0 -57 42 -83.5t103 -26.5q64 0 180 15t163 17v-2q-1 -2 -3.5 -17.5t-5 -34t-3.5 -21.5q-24 -150 -24 -245q0 -80 35 -117 q44 -46 89 -46q22 0 50.5 15t53 33.5t64.5 33.5t83 15q82 0 127.5 -59t45.5 -143z" />
-<glyph unicode="" horiz-adv-x="1152" d="M1152 832v-128q0 -221 -147.5 -384.5t-364.5 -187.5v-132h256q26 0 45 -19t19 -45t-19 -45t-45 -19h-640q-26 0 -45 19t-19 45t19 45t45 19h256v132q-217 24 -364.5 187.5t-147.5 384.5v128q0 26 19 45t45 19t45 -19t19 -45v-128q0 -185 131.5 -316.5t316.5 -131.5 t316.5 131.5t131.5 316.5v128q0 26 19 45t45 19t45 -19t19 -45zM896 1216v-512q0 -132 -94 -226t-226 -94t-226 94t-94 226v512q0 132 94 226t226 94t226 -94t94 -226z" />
-<glyph unicode="" horiz-adv-x="1408" d="M271 591l-101 -101q-42 103 -42 214v128q0 26 19 45t45 19t45 -19t19 -45v-128q0 -53 15 -113zM1385 1193l-361 -361v-128q0 -132 -94 -226t-226 -94q-55 0 -109 19l-96 -96q97 -51 205 -51q185 0 316.5 131.5t131.5 316.5v128q0 26 19 45t45 19t45 -19t19 -45v-128 q0 -221 -147.5 -384.5t-364.5 -187.5v-132h256q26 0 45 -19t19 -45t-19 -45t-45 -19h-640q-26 0 -45 19t-19 45t19 45t45 19h256v132q-125 13 -235 81l-254 -254q-10 -10 -23 -10t-23 10l-82 82q-10 10 -10 23t10 23l1234 1234q10 10 23 10t23 -10l82 -82q10 -10 10 -23 t-10 -23zM1005 1325l-621 -621v512q0 132 94 226t226 94q102 0 184.5 -59t116.5 -152z" />
-<glyph unicode="" horiz-adv-x="1280" d="M1088 576v640h-448v-1137q119 63 213 137q235 184 235 360zM1280 1344v-768q0 -86 -33.5 -170.5t-83 -150t-118 -127.5t-126.5 -103t-121 -77.5t-89.5 -49.5t-42.5 -20q-12 -6 -26 -6t-26 6q-16 7 -42.5 20t-89.5 49.5t-121 77.5t-126.5 103t-118 127.5t-83 150 t-33.5 170.5v768q0 26 19 45t45 19h1152q26 0 45 -19t19 -45z" />
-<glyph unicode="" horiz-adv-x="1664" d="M128 -128h1408v1024h-1408v-1024zM512 1088v288q0 14 -9 23t-23 9h-64q-14 0 -23 -9t-9 -23v-288q0 -14 9 -23t23 -9h64q14 0 23 9t9 23zM1280 1088v288q0 14 -9 23t-23 9h-64q-14 0 -23 -9t-9 -23v-288q0 -14 9 -23t23 -9h64q14 0 23 9t9 23zM1664 1152v-1280 q0 -52 -38 -90t-90 -38h-1408q-52 0 -90 38t-38 90v1280q0 52 38 90t90 38h128v96q0 66 47 113t113 47h64q66 0 113 -47t47 -113v-96h384v96q0 66 47 113t113 47h64q66 0 113 -47t47 -113v-96h128q52 0 90 -38t38 -90z" />
-<glyph unicode="" horiz-adv-x="1408" d="M512 1344q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45t45 -19t45 19t19 45zM1408 1376v-320q0 -16 -12 -25q-8 -7 -20 -7q-4 0 -7 1l-448 96q-11 2 -18 11t-7 20h-256v-102q111 -23 183.5 -111t72.5 -203v-800q0 -26 -19 -45t-45 -19h-512q-26 0 -45 19t-19 45v800 q0 106 62.5 190.5t161.5 114.5v111h-32q-59 0 -115 -23.5t-91.5 -53t-66 -66.5t-40.5 -53.5t-14 -24.5q-17 -35 -57 -35q-16 0 -29 7q-23 12 -31.5 37t3.5 49q5 10 14.5 26t37.5 53.5t60.5 70t85 67t108.5 52.5q-25 42 -25 86q0 66 47 113t113 47t113 -47t47 -113 q0 -33 -14 -64h302q0 11 7 20t18 11l448 96q3 1 7 1q12 0 20 -7q12 -9 12 -25z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1440 1088q0 40 -28 68t-68 28t-68 -28t-28 -68t28 -68t68 -28t68 28t28 68zM1664 1376q0 -249 -75.5 -430.5t-253.5 -360.5q-81 -80 -195 -176l-20 -379q-2 -16 -16 -26l-384 -224q-7 -4 -16 -4q-12 0 -23 9l-64 64q-13 14 -8 32l85 276l-281 281l-276 -85q-3 -1 -9 -1 q-14 0 -23 9l-64 64q-17 19 -5 39l224 384q10 14 26 16l379 20q96 114 176 195q188 187 358 258t431 71q14 0 24 -9.5t10 -22.5z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1745 763l-164 -763h-334l178 832q13 56 -15 88q-27 33 -83 33h-169l-204 -953h-334l204 953h-286l-204 -953h-334l204 953l-153 327h1276q101 0 189.5 -40.5t147.5 -113.5q60 -73 81 -168.5t0 -194.5z" />
-<glyph unicode="" d="M909 141l102 102q19 19 19 45t-19 45l-307 307l307 307q19 19 19 45t-19 45l-102 102q-19 19 -45 19t-45 -19l-454 -454q-19 -19 -19 -45t19 -45l454 -454q19 -19 45 -19t45 19zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5 t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" d="M717 141l454 454q19 19 19 45t-19 45l-454 454q-19 19 -45 19t-45 -19l-102 -102q-19 -19 -19 -45t19 -45l307 -307l-307 -307q-19 -19 -19 -45t19 -45l102 -102q19 -19 45 -19t45 19zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5 t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" d="M1165 397l102 102q19 19 19 45t-19 45l-454 454q-19 19 -45 19t-45 -19l-454 -454q-19 -19 -19 -45t19 -45l102 -102q19 -19 45 -19t45 19l307 307l307 -307q19 -19 45 -19t45 19zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5 t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" d="M813 237l454 454q19 19 19 45t-19 45l-102 102q-19 19 -45 19t-45 -19l-307 -307l-307 307q-19 19 -45 19t-45 -19l-102 -102q-19 -19 -19 -45t19 -45l454 -454q19 -19 45 -19t45 19zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5 t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" horiz-adv-x="1408" d="M1130 939l16 175h-884l47 -534h612l-22 -228l-197 -53l-196 53l-13 140h-175l22 -278l362 -100h4v1l359 99l50 544h-644l-15 181h674zM0 1408h1408l-128 -1438l-578 -162l-574 162z" />
-<glyph unicode="" horiz-adv-x="1792" d="M275 1408h1505l-266 -1333l-804 -267l-698 267l71 356h297l-29 -147l422 -161l486 161l68 339h-1208l58 297h1209l38 191h-1208z" />
-<glyph unicode="" horiz-adv-x="1792" d="M960 1280q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45t45 -19t45 19t19 45zM1792 352v-352q0 -22 -20 -30q-8 -2 -12 -2q-13 0 -23 9l-93 93q-119 -143 -318.5 -226.5t-429.5 -83.5t-429.5 83.5t-318.5 226.5l-93 -93q-9 -9 -23 -9q-4 0 -12 2q-20 8 -20 30v352 q0 14 9 23t23 9h352q22 0 30 -20q8 -19 -7 -35l-100 -100q67 -91 189.5 -153.5t271.5 -82.5v647h-192q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h192v163q-58 34 -93 92.5t-35 128.5q0 106 75 181t181 75t181 -75t75 -181q0 -70 -35 -128.5t-93 -92.5v-163h192q26 0 45 -19 t19 -45v-128q0 -26 -19 -45t-45 -19h-192v-647q149 20 271.5 82.5t189.5 153.5l-100 100q-15 16 -7 35q8 20 30 20h352q14 0 23 -9t9 -23z" />
-<glyph unicode="" horiz-adv-x="1152" d="M1056 768q40 0 68 -28t28 -68v-576q0 -40 -28 -68t-68 -28h-960q-40 0 -68 28t-28 68v576q0 40 28 68t68 28h32v320q0 185 131.5 316.5t316.5 131.5t316.5 -131.5t131.5 -316.5q0 -26 -19 -45t-45 -19h-64q-26 0 -45 19t-19 45q0 106 -75 181t-181 75t-181 -75t-75 -181 v-320h736z" />
-<glyph unicode="" d="M1024 640q0 -106 -75 -181t-181 -75t-181 75t-75 181t75 181t181 75t181 -75t75 -181zM1152 640q0 159 -112.5 271.5t-271.5 112.5t-271.5 -112.5t-112.5 -271.5t112.5 -271.5t271.5 -112.5t271.5 112.5t112.5 271.5zM1280 640q0 -212 -150 -362t-362 -150t-362 150 t-150 362t150 362t362 150t362 -150t150 -362zM1408 640q0 130 -51 248.5t-136.5 204t-204 136.5t-248.5 51t-248.5 -51t-204 -136.5t-136.5 -204t-51 -248.5t51 -248.5t136.5 -204t204 -136.5t248.5 -51t248.5 51t204 136.5t136.5 204t51 248.5zM1536 640 q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" horiz-adv-x="1408" d="M384 800v-192q0 -40 -28 -68t-68 -28h-192q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h192q40 0 68 -28t28 -68zM896 800v-192q0 -40 -28 -68t-68 -28h-192q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h192q40 0 68 -28t28 -68zM1408 800v-192q0 -40 -28 -68t-68 -28h-192 q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h192q40 0 68 -28t28 -68z" />
-<glyph unicode="" horiz-adv-x="384" d="M384 288v-192q0 -40 -28 -68t-68 -28h-192q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h192q40 0 68 -28t28 -68zM384 800v-192q0 -40 -28 -68t-68 -28h-192q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h192q40 0 68 -28t28 -68zM384 1312v-192q0 -40 -28 -68t-68 -28h-192 q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h192q40 0 68 -28t28 -68z" />
-<glyph unicode="" d="M512 256q0 53 -37.5 90.5t-90.5 37.5t-90.5 -37.5t-37.5 -90.5t37.5 -90.5t90.5 -37.5t90.5 37.5t37.5 90.5zM863 162q-13 232 -177 396t-396 177q-14 1 -24 -9t-10 -23v-128q0 -13 8.5 -22t21.5 -10q154 -11 264 -121t121 -264q1 -13 10 -21.5t22 -8.5h128q13 0 23 10 t9 24zM1247 161q-5 154 -56 297.5t-139.5 260t-205 205t-260 139.5t-297.5 56q-14 1 -23 -9q-10 -10 -10 -23v-128q0 -13 9 -22t22 -10q204 -7 378 -111.5t278.5 -278.5t111.5 -378q1 -13 10 -22t22 -9h128q13 0 23 10q11 9 9 23zM1536 1120v-960q0 -119 -84.5 -203.5 t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="" d="M768 1408q209 0 385.5 -103t279.5 -279.5t103 -385.5t-103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103zM1152 585q32 18 32 55t-32 55l-544 320q-31 19 -64 1q-32 -19 -32 -56v-640q0 -37 32 -56 q16 -8 32 -8q17 0 32 9z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1024 1084l316 -316l-572 -572l-316 316zM813 105l618 618q19 19 19 45t-19 45l-362 362q-18 18 -45 18t-45 -18l-618 -618q-19 -19 -19 -45t19 -45l362 -362q18 -18 45 -18t45 18zM1702 742l-907 -908q-37 -37 -90.5 -37t-90.5 37l-126 126q56 56 56 136t-56 136 t-136 56t-136 -56l-125 126q-37 37 -37 90.5t37 90.5l907 906q37 37 90.5 37t90.5 -37l125 -125q-56 -56 -56 -136t56 -136t136 -56t136 56l126 -125q37 -37 37 -90.5t-37 -90.5z" />
-<glyph unicode="" d="M1280 576v128q0 26 -19 45t-45 19h-896q-26 0 -45 -19t-19 -45v-128q0 -26 19 -45t45 -19h896q26 0 45 19t19 45zM1536 1120v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5 t84.5 -203.5z" />
-<glyph unicode="" horiz-adv-x="1408" d="M1152 736v-64q0 -14 -9 -23t-23 -9h-832q-14 0 -23 9t-9 23v64q0 14 9 23t23 9h832q14 0 23 -9t9 -23zM1280 288v832q0 66 -47 113t-113 47h-832q-66 0 -113 -47t-47 -113v-832q0 -66 47 -113t113 -47h832q66 0 113 47t47 113zM1408 1120v-832q0 -119 -84.5 -203.5 t-203.5 -84.5h-832q-119 0 -203.5 84.5t-84.5 203.5v832q0 119 84.5 203.5t203.5 84.5h832q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="" horiz-adv-x="1024" d="M1018 933q-18 -37 -58 -37h-192v-864q0 -14 -9 -23t-23 -9h-704q-21 0 -29 18q-8 20 4 35l160 192q9 11 25 11h320v640h-192q-40 0 -58 37q-17 37 9 68l320 384q18 22 49 22t49 -22l320 -384q27 -32 9 -68z" />
-<glyph unicode="" horiz-adv-x="1024" d="M32 1280h704q13 0 22.5 -9.5t9.5 -23.5v-863h192q40 0 58 -37t-9 -69l-320 -384q-18 -22 -49 -22t-49 22l-320 384q-26 31 -9 69q18 37 58 37h192v640h-320q-14 0 -25 11l-160 192q-13 14 -4 34q9 19 29 19z" />
-<glyph unicode="" d="M685 237l614 614q19 19 19 45t-19 45l-102 102q-19 19 -45 19t-45 -19l-467 -467l-211 211q-19 19 -45 19t-45 -19l-102 -102q-19 -19 -19 -45t19 -45l358 -358q19 -19 45 -19t45 19zM1536 1120v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5 t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="" d="M404 428l152 -152l-52 -52h-56v96h-96v56zM818 818q14 -13 -3 -30l-291 -291q-17 -17 -30 -3q-14 13 3 30l291 291q17 17 30 3zM544 128l544 544l-288 288l-544 -544v-288h288zM1152 736l92 92q28 28 28 68t-28 68l-152 152q-28 28 -68 28t-68 -28l-92 -92zM1536 1120 v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="" d="M1280 608v480q0 26 -19 45t-45 19h-480q-42 0 -59 -39q-17 -41 14 -70l144 -144l-534 -534q-19 -19 -19 -45t19 -45l102 -102q19 -19 45 -19t45 19l534 534l144 -144q18 -19 45 -19q12 0 25 5q39 17 39 59zM1536 1120v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960 q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="" d="M1005 435l352 352q19 19 19 45t-19 45l-352 352q-30 31 -69 14q-40 -17 -40 -59v-160q-119 0 -216 -19.5t-162.5 -51t-114 -79t-76.5 -95.5t-44.5 -109t-21.5 -111.5t-5 -110.5q0 -181 167 -404q10 -12 25 -12q7 0 13 3q22 9 19 33q-44 354 62 473q46 52 130 75.5 t224 23.5v-160q0 -42 40 -59q12 -5 24 -5q26 0 45 19zM1536 1120v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="" d="M640 448l256 128l-256 128v-256zM1024 1039v-542l-512 -256v542zM1312 640q0 148 -73 273t-198 198t-273 73t-273 -73t-198 -198t-73 -273t73 -273t198 -198t273 -73t273 73t198 198t73 273zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103 t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" d="M1145 861q18 -35 -5 -66l-320 -448q-19 -27 -52 -27t-52 27l-320 448q-23 31 -5 66q17 35 57 35h640q40 0 57 -35zM1280 160v960q0 13 -9.5 22.5t-22.5 9.5h-960q-13 0 -22.5 -9.5t-9.5 -22.5v-960q0 -13 9.5 -22.5t22.5 -9.5h960q13 0 22.5 9.5t9.5 22.5zM1536 1120 v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="" d="M1145 419q-17 -35 -57 -35h-640q-40 0 -57 35q-18 35 5 66l320 448q19 27 52 27t52 -27l320 -448q23 -31 5 -66zM1280 160v960q0 13 -9.5 22.5t-22.5 9.5h-960q-13 0 -22.5 -9.5t-9.5 -22.5v-960q0 -13 9.5 -22.5t22.5 -9.5h960q13 0 22.5 9.5t9.5 22.5zM1536 1120v-960 q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="" d="M1088 640q0 -33 -27 -52l-448 -320q-31 -23 -66 -5q-35 17 -35 57v640q0 40 35 57q35 18 66 -5l448 -320q27 -19 27 -52zM1280 160v960q0 14 -9 23t-23 9h-960q-14 0 -23 -9t-9 -23v-960q0 -14 9 -23t23 -9h960q14 0 23 9t9 23zM1536 1120v-960q0 -119 -84.5 -203.5 t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="" horiz-adv-x="1024" d="M976 229l35 -159q3 -12 -3 -22.5t-17 -14.5l-5 -1q-4 -2 -10.5 -3.5t-16 -4.5t-21.5 -5.5t-25.5 -5t-30 -5t-33.5 -4.5t-36.5 -3t-38.5 -1q-234 0 -409 130.5t-238 351.5h-95q-13 0 -22.5 9.5t-9.5 22.5v113q0 13 9.5 22.5t22.5 9.5h66q-2 57 1 105h-67q-14 0 -23 9 t-9 23v114q0 14 9 23t23 9h98q67 210 243.5 338t400.5 128q102 0 194 -23q11 -3 20 -15q6 -11 3 -24l-43 -159q-3 -13 -14 -19.5t-24 -2.5l-4 1q-4 1 -11.5 2.5l-17.5 3.5t-22.5 3.5t-26 3t-29 2.5t-29.5 1q-126 0 -226 -64t-150 -176h468q16 0 25 -12q10 -12 7 -26 l-24 -114q-5 -26 -32 -26h-488q-3 -37 0 -105h459q15 0 25 -12q9 -12 6 -27l-24 -112q-2 -11 -11 -18.5t-20 -7.5h-387q48 -117 149.5 -185.5t228.5 -68.5q18 0 36 1.5t33.5 3.5t29.5 4.5t24.5 5t18.5 4.5l12 3l5 2q13 5 26 -2q12 -7 15 -21z" />
-<glyph unicode="" horiz-adv-x="1024" d="M1020 399v-367q0 -14 -9 -23t-23 -9h-956q-14 0 -23 9t-9 23v150q0 13 9.5 22.5t22.5 9.5h97v383h-95q-14 0 -23 9.5t-9 22.5v131q0 14 9 23t23 9h95v223q0 171 123.5 282t314.5 111q185 0 335 -125q9 -8 10 -20.5t-7 -22.5l-103 -127q-9 -11 -22 -12q-13 -2 -23 7 q-5 5 -26 19t-69 32t-93 18q-85 0 -137 -47t-52 -123v-215h305q13 0 22.5 -9t9.5 -23v-131q0 -13 -9.5 -22.5t-22.5 -9.5h-305v-379h414v181q0 13 9 22.5t23 9.5h162q14 0 23 -9.5t9 -22.5z" />
-<glyph unicode="" horiz-adv-x="1024" d="M978 351q0 -153 -99.5 -263.5t-258.5 -136.5v-175q0 -14 -9 -23t-23 -9h-135q-13 0 -22.5 9.5t-9.5 22.5v175q-66 9 -127.5 31t-101.5 44.5t-74 48t-46.5 37.5t-17.5 18q-17 21 -2 41l103 135q7 10 23 12q15 2 24 -9l2 -2q113 -99 243 -125q37 -8 74 -8q81 0 142.5 43 t61.5 122q0 28 -15 53t-33.5 42t-58.5 37.5t-66 32t-80 32.5q-39 16 -61.5 25t-61.5 26.5t-62.5 31t-56.5 35.5t-53.5 42.5t-43.5 49t-35.5 58t-21 66.5t-8.5 78q0 138 98 242t255 134v180q0 13 9.5 22.5t22.5 9.5h135q14 0 23 -9t9 -23v-176q57 -6 110.5 -23t87 -33.5 t63.5 -37.5t39 -29t15 -14q17 -18 5 -38l-81 -146q-8 -15 -23 -16q-14 -3 -27 7q-3 3 -14.5 12t-39 26.5t-58.5 32t-74.5 26t-85.5 11.5q-95 0 -155 -43t-60 -111q0 -26 8.5 -48t29.5 -41.5t39.5 -33t56 -31t60.5 -27t70 -27.5q53 -20 81 -31.5t76 -35t75.5 -42.5t62 -50 t53 -63.5t31.5 -76.5t13 -94z" />
-<glyph unicode="" horiz-adv-x="898" d="M898 1066v-102q0 -14 -9 -23t-23 -9h-168q-23 -144 -129 -234t-276 -110q167 -178 459 -536q14 -16 4 -34q-8 -18 -29 -18h-195q-16 0 -25 12q-306 367 -498 571q-9 9 -9 22v127q0 13 9.5 22.5t22.5 9.5h112q132 0 212.5 43t102.5 125h-427q-14 0 -23 9t-9 23v102 q0 14 9 23t23 9h413q-57 113 -268 113h-145q-13 0 -22.5 9.5t-9.5 22.5v133q0 14 9 23t23 9h832q14 0 23 -9t9 -23v-102q0 -14 -9 -23t-23 -9h-233q47 -61 64 -144h171q14 0 23 -9t9 -23z" />
-<glyph unicode="" horiz-adv-x="1027" d="M603 0h-172q-13 0 -22.5 9t-9.5 23v330h-288q-13 0 -22.5 9t-9.5 23v103q0 13 9.5 22.5t22.5 9.5h288v85h-288q-13 0 -22.5 9t-9.5 23v104q0 13 9.5 22.5t22.5 9.5h214l-321 578q-8 16 0 32q10 16 28 16h194q19 0 29 -18l215 -425q19 -38 56 -125q10 24 30.5 68t27.5 61 l191 420q8 19 29 19h191q17 0 27 -16q9 -14 1 -31l-313 -579h215q13 0 22.5 -9.5t9.5 -22.5v-104q0 -14 -9.5 -23t-22.5 -9h-290v-85h290q13 0 22.5 -9.5t9.5 -22.5v-103q0 -14 -9.5 -23t-22.5 -9h-290v-330q0 -13 -9.5 -22.5t-22.5 -9.5z" />
-<glyph unicode="" horiz-adv-x="1280" d="M1043 971q0 100 -65 162t-171 62h-320v-448h320q106 0 171 62t65 162zM1280 971q0 -193 -126.5 -315t-326.5 -122h-340v-118h505q14 0 23 -9t9 -23v-128q0 -14 -9 -23t-23 -9h-505v-192q0 -14 -9.5 -23t-22.5 -9h-167q-14 0 -23 9t-9 23v192h-224q-14 0 -23 9t-9 23v128 q0 14 9 23t23 9h224v118h-224q-14 0 -23 9t-9 23v149q0 13 9 22.5t23 9.5h224v629q0 14 9 23t23 9h539q200 0 326.5 -122t126.5 -315z" />
-<glyph unicode="" horiz-adv-x="1792" d="M514 341l81 299h-159l75 -300q1 -1 1 -3t1 -3q0 1 0.5 3.5t0.5 3.5zM630 768l35 128h-292l32 -128h225zM822 768h139l-35 128h-70zM1271 340l78 300h-162l81 -299q0 -1 0.5 -3.5t1.5 -3.5q0 1 0.5 3t0.5 3zM1382 768l33 128h-297l34 -128h230zM1792 736v-64q0 -14 -9 -23 t-23 -9h-213l-164 -616q-7 -24 -31 -24h-159q-24 0 -31 24l-166 616h-209l-167 -616q-7 -24 -31 -24h-159q-11 0 -19.5 7t-10.5 17l-160 616h-208q-14 0 -23 9t-9 23v64q0 14 9 23t23 9h175l-33 128h-142q-14 0 -23 9t-9 23v64q0 14 9 23t23 9h109l-89 344q-5 15 5 28 q10 12 26 12h137q26 0 31 -24l90 -360h359l97 360q7 24 31 24h126q24 0 31 -24l98 -360h365l93 360q5 24 31 24h137q16 0 26 -12q10 -13 5 -28l-91 -344h111q14 0 23 -9t9 -23v-64q0 -14 -9 -23t-23 -9h-145l-34 -128h179q14 0 23 -9t9 -23z" />
-<glyph unicode="" horiz-adv-x="1280" d="M1167 896q18 -182 -131 -258q117 -28 175 -103t45 -214q-7 -71 -32.5 -125t-64.5 -89t-97 -58.5t-121.5 -34.5t-145.5 -15v-255h-154v251q-80 0 -122 1v-252h-154v255q-18 0 -54 0.5t-55 0.5h-200l31 183h111q50 0 58 51v402h16q-6 1 -16 1v287q-13 68 -89 68h-111v164 l212 -1q64 0 97 1v252h154v-247q82 2 122 2v245h154v-252q79 -7 140 -22.5t113 -45t82.5 -78t36.5 -114.5zM952 351q0 36 -15 64t-37 46t-57.5 30.5t-65.5 18.5t-74 9t-69 3t-64.5 -1t-47.5 -1v-338q8 0 37 -0.5t48 -0.5t53 1.5t58.5 4t57 8.5t55.5 14t47.5 21t39.5 30 t24.5 40t9.5 51zM881 827q0 33 -12.5 58.5t-30.5 42t-48 28t-55 16.5t-61.5 8t-58 2.5t-54 -1t-39.5 -0.5v-307q5 0 34.5 -0.5t46.5 0t50 2t55 5.5t51.5 11t48.5 18.5t37 27t27 38.5t9 51z" />
-<glyph unicode="" horiz-adv-x="1280" d="M1280 768v-800q0 -40 -28 -68t-68 -28h-1088q-40 0 -68 28t-28 68v1344q0 40 28 68t68 28h544v-544q0 -40 28 -68t68 -28h544zM1277 896h-509v509q82 -15 132 -65l312 -312q50 -50 65 -132z" />
-<glyph unicode="" horiz-adv-x="1280" d="M1024 160v64q0 14 -9 23t-23 9h-704q-14 0 -23 -9t-9 -23v-64q0 -14 9 -23t23 -9h704q14 0 23 9t9 23zM1024 416v64q0 14 -9 23t-23 9h-704q-14 0 -23 -9t-9 -23v-64q0 -14 9 -23t23 -9h704q14 0 23 9t9 23zM1280 768v-800q0 -40 -28 -68t-68 -28h-1088q-40 0 -68 28 t-28 68v1344q0 40 28 68t68 28h544v-544q0 -40 28 -68t68 -28h544zM1277 896h-509v509q82 -15 132 -65l312 -312q50 -50 65 -132z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1191 1128h177l-72 218l-12 47q-2 16 -2 20h-4l-3 -20q0 -1 -3.5 -18t-7.5 -29zM736 96q0 -12 -10 -24l-319 -319q-10 -9 -23 -9q-12 0 -23 9l-320 320q-15 16 -7 35q8 20 30 20h192v1376q0 14 9 23t23 9h192q14 0 23 -9t9 -23v-1376h192q14 0 23 -9t9 -23zM1572 -23 v-233h-584v90l369 529q12 18 21 27l11 9v3q-2 0 -6.5 -0.5t-7.5 -0.5q-12 -3 -30 -3h-232v-115h-120v229h567v-89l-369 -530q-6 -8 -21 -26l-11 -11v-2l14 2q9 2 30 2h248v119h121zM1661 874v-106h-288v106h75l-47 144h-243l-47 -144h75v-106h-287v106h70l230 662h162 l230 -662h70z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1191 104h177l-72 218l-12 47q-2 16 -2 20h-4l-3 -20q0 -1 -3.5 -18t-7.5 -29zM736 96q0 -12 -10 -24l-319 -319q-10 -9 -23 -9q-12 0 -23 9l-320 320q-15 16 -7 35q8 20 30 20h192v1376q0 14 9 23t23 9h192q14 0 23 -9t9 -23v-1376h192q14 0 23 -9t9 -23zM1661 -150 v-106h-288v106h75l-47 144h-243l-47 -144h75v-106h-287v106h70l230 662h162l230 -662h70zM1572 1001v-233h-584v90l369 529q12 18 21 27l11 9v3q-2 0 -6.5 -0.5t-7.5 -0.5q-12 -3 -30 -3h-232v-115h-120v229h567v-89l-369 -530q-6 -8 -21 -26l-11 -10v-3l14 3q9 1 30 1h248 v119h121z" />
-<glyph unicode="" horiz-adv-x="1792" d="M736 96q0 -12 -10 -24l-319 -319q-10 -9 -23 -9q-12 0 -23 9l-320 320q-15 16 -7 35q8 20 30 20h192v1376q0 14 9 23t23 9h192q14 0 23 -9t9 -23v-1376h192q14 0 23 -9t9 -23zM1792 -32v-192q0 -14 -9 -23t-23 -9h-832q-14 0 -23 9t-9 23v192q0 14 9 23t23 9h832 q14 0 23 -9t9 -23zM1600 480v-192q0 -14 -9 -23t-23 -9h-640q-14 0 -23 9t-9 23v192q0 14 9 23t23 9h640q14 0 23 -9t9 -23zM1408 992v-192q0 -14 -9 -23t-23 -9h-448q-14 0 -23 9t-9 23v192q0 14 9 23t23 9h448q14 0 23 -9t9 -23zM1216 1504v-192q0 -14 -9 -23t-23 -9h-256 q-14 0 -23 9t-9 23v192q0 14 9 23t23 9h256q14 0 23 -9t9 -23z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1216 -32v-192q0 -14 -9 -23t-23 -9h-256q-14 0 -23 9t-9 23v192q0 14 9 23t23 9h256q14 0 23 -9t9 -23zM736 96q0 -12 -10 -24l-319 -319q-10 -9 -23 -9q-12 0 -23 9l-320 320q-15 16 -7 35q8 20 30 20h192v1376q0 14 9 23t23 9h192q14 0 23 -9t9 -23v-1376h192 q14 0 23 -9t9 -23zM1408 480v-192q0 -14 -9 -23t-23 -9h-448q-14 0 -23 9t-9 23v192q0 14 9 23t23 9h448q14 0 23 -9t9 -23zM1600 992v-192q0 -14 -9 -23t-23 -9h-640q-14 0 -23 9t-9 23v192q0 14 9 23t23 9h640q14 0 23 -9t9 -23zM1792 1504v-192q0 -14 -9 -23t-23 -9h-832 q-14 0 -23 9t-9 23v192q0 14 9 23t23 9h832q14 0 23 -9t9 -23z" />
-<glyph unicode="" d="M1346 223q0 63 -44 116t-103 53q-52 0 -83 -37t-31 -94t36.5 -95t104.5 -38q50 0 85 27t35 68zM736 96q0 -12 -10 -24l-319 -319q-10 -9 -23 -9q-12 0 -23 9l-320 320q-15 16 -7 35q8 20 30 20h192v1376q0 14 9 23t23 9h192q14 0 23 -9t9 -23v-1376h192q14 0 23 -9t9 -23 zM1486 165q0 -62 -13 -121.5t-41 -114t-68 -95.5t-98.5 -65.5t-127.5 -24.5q-62 0 -108 16q-24 8 -42 15l39 113q15 -7 31 -11q37 -13 75 -13q84 0 134.5 58.5t66.5 145.5h-2q-21 -23 -61.5 -37t-84.5 -14q-106 0 -173 71.5t-67 172.5q0 105 72 178t181 73q123 0 205 -94.5 t82 -252.5zM1456 882v-114h-469v114h167v432q0 7 0.5 19t0.5 17v16h-2l-7 -12q-8 -13 -26 -31l-62 -58l-82 86l192 185h123v-654h165z" />
-<glyph unicode="" d="M1346 1247q0 63 -44 116t-103 53q-52 0 -83 -37t-31 -94t36.5 -95t104.5 -38q50 0 85 27t35 68zM736 96q0 -12 -10 -24l-319 -319q-10 -9 -23 -9q-12 0 -23 9l-320 320q-15 16 -7 35q8 20 30 20h192v1376q0 14 9 23t23 9h192q14 0 23 -9t9 -23v-1376h192q14 0 23 -9 t9 -23zM1456 -142v-114h-469v114h167v432q0 7 0.5 19t0.5 17v16h-2l-7 -12q-8 -13 -26 -31l-62 -58l-82 86l192 185h123v-654h165zM1486 1189q0 -62 -13 -121.5t-41 -114t-68 -95.5t-98.5 -65.5t-127.5 -24.5q-62 0 -108 16q-24 8 -42 15l39 113q15 -7 31 -11q37 -13 75 -13 q84 0 134.5 58.5t66.5 145.5h-2q-21 -23 -61.5 -37t-84.5 -14q-106 0 -173 71.5t-67 172.5q0 105 72 178t181 73q123 0 205 -94.5t82 -252.5z" />
-<glyph unicode="" horiz-adv-x="1664" d="M256 192q0 26 -19 45t-45 19q-27 0 -45.5 -19t-18.5 -45q0 -27 18.5 -45.5t45.5 -18.5q26 0 45 18.5t19 45.5zM416 704v-640q0 -26 -19 -45t-45 -19h-288q-26 0 -45 19t-19 45v640q0 26 19 45t45 19h288q26 0 45 -19t19 -45zM1600 704q0 -86 -55 -149q15 -44 15 -76 q3 -76 -43 -137q17 -56 0 -117q-15 -57 -54 -94q9 -112 -49 -181q-64 -76 -197 -78h-36h-76h-17q-66 0 -144 15.5t-121.5 29t-120.5 39.5q-123 43 -158 44q-26 1 -45 19.5t-19 44.5v641q0 25 18 43.5t43 20.5q24 2 76 59t101 121q68 87 101 120q18 18 31 48t17.5 48.5 t13.5 60.5q7 39 12.5 61t19.5 52t34 50q19 19 45 19q46 0 82.5 -10.5t60 -26t40 -40.5t24 -45t12 -50t5 -45t0.5 -39q0 -38 -9.5 -76t-19 -60t-27.5 -56q-3 -6 -10 -18t-11 -22t-8 -24h277q78 0 135 -57t57 -135z" />
-<glyph unicode="" horiz-adv-x="1664" d="M256 960q0 -26 -19 -45t-45 -19q-27 0 -45.5 19t-18.5 45q0 27 18.5 45.5t45.5 18.5q26 0 45 -18.5t19 -45.5zM416 448v640q0 26 -19 45t-45 19h-288q-26 0 -45 -19t-19 -45v-640q0 -26 19 -45t45 -19h288q26 0 45 19t19 45zM1545 597q55 -61 55 -149q-1 -78 -57.5 -135 t-134.5 -57h-277q4 -14 8 -24t11 -22t10 -18q18 -37 27 -57t19 -58.5t10 -76.5q0 -24 -0.5 -39t-5 -45t-12 -50t-24 -45t-40 -40.5t-60 -26t-82.5 -10.5q-26 0 -45 19q-20 20 -34 50t-19.5 52t-12.5 61q-9 42 -13.5 60.5t-17.5 48.5t-31 48q-33 33 -101 120q-49 64 -101 121 t-76 59q-25 2 -43 20.5t-18 43.5v641q0 26 19 44.5t45 19.5q35 1 158 44q77 26 120.5 39.5t121.5 29t144 15.5h17h76h36q133 -2 197 -78q58 -69 49 -181q39 -37 54 -94q17 -61 0 -117q46 -61 43 -137q0 -32 -15 -76z" />
-<glyph unicode="" d="M919 233v157q0 50 -29 50q-17 0 -33 -16v-224q16 -16 33 -16q29 0 29 49zM1103 355h66v34q0 51 -33 51t-33 -51v-34zM532 621v-70h-80v-423h-74v423h-78v70h232zM733 495v-367h-67v40q-39 -45 -76 -45q-33 0 -42 28q-6 16 -6 54v290h66v-270q0 -24 1 -26q1 -15 15 -15 q20 0 42 31v280h67zM985 384v-146q0 -52 -7 -73q-12 -42 -53 -42q-35 0 -68 41v-36h-67v493h67v-161q32 40 68 40q41 0 53 -42q7 -21 7 -74zM1236 255v-9q0 -29 -2 -43q-3 -22 -15 -40q-27 -40 -80 -40q-52 0 -81 38q-21 27 -21 86v129q0 59 20 86q29 38 80 38t78 -38 q21 -28 21 -86v-76h-133v-65q0 -51 34 -51q24 0 30 26q0 1 0.5 7t0.5 16.5v21.5h68zM785 1079v-156q0 -51 -32 -51t-32 51v156q0 52 32 52t32 -52zM1318 366q0 177 -19 260q-10 44 -43 73.5t-76 34.5q-136 15 -412 15q-275 0 -411 -15q-44 -5 -76.5 -34.5t-42.5 -73.5 q-20 -87 -20 -260q0 -176 20 -260q10 -43 42.5 -73t75.5 -35q137 -15 412 -15t412 15q43 5 75.5 35t42.5 73q20 84 20 260zM563 1017l90 296h-75l-51 -195l-53 195h-78l24 -69t23 -69q35 -103 46 -158v-201h74v201zM852 936v130q0 58 -21 87q-29 38 -78 38q-51 0 -78 -38 q-21 -29 -21 -87v-130q0 -58 21 -87q27 -38 78 -38q49 0 78 38q21 27 21 87zM1033 816h67v370h-67v-283q-22 -31 -42 -31q-15 0 -16 16q-1 2 -1 26v272h-67v-293q0 -37 6 -55q11 -27 43 -27q36 0 77 45v-40zM1536 1120v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960 q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="" d="M971 292v-211q0 -67 -39 -67q-23 0 -45 22v301q22 22 45 22q39 0 39 -67zM1309 291v-46h-90v46q0 68 45 68t45 -68zM343 509h107v94h-312v-94h105v-569h100v569zM631 -60h89v494h-89v-378q-30 -42 -57 -42q-18 0 -21 21q-1 3 -1 35v364h-89v-391q0 -49 8 -73 q12 -37 58 -37q48 0 102 61v-54zM1060 88v197q0 73 -9 99q-17 56 -71 56q-50 0 -93 -54v217h-89v-663h89v48q45 -55 93 -55q54 0 71 55q9 27 9 100zM1398 98v13h-91q0 -51 -2 -61q-7 -36 -40 -36q-46 0 -46 69v87h179v103q0 79 -27 116q-39 51 -106 51q-68 0 -107 -51 q-28 -37 -28 -116v-173q0 -79 29 -116q39 -51 108 -51q72 0 108 53q18 27 21 54q2 9 2 58zM790 1011v210q0 69 -43 69t-43 -69v-210q0 -70 43 -70t43 70zM1509 260q0 -234 -26 -350q-14 -59 -58 -99t-102 -46q-184 -21 -555 -21t-555 21q-58 6 -102.5 46t-57.5 99 q-26 112 -26 350q0 234 26 350q14 59 58 99t103 47q183 20 554 20t555 -20q58 -7 102.5 -47t57.5 -99q26 -112 26 -350zM511 1536h102l-121 -399v-271h-100v271q-14 74 -61 212q-37 103 -65 187h106l71 -263zM881 1203v-175q0 -81 -28 -118q-37 -51 -106 -51q-67 0 -105 51 q-28 38 -28 118v175q0 80 28 117q38 51 105 51q69 0 106 -51q28 -37 28 -117zM1216 1365v-499h-91v55q-53 -62 -103 -62q-46 0 -59 37q-8 24 -8 75v394h91v-367q0 -33 1 -35q3 -22 21 -22q27 0 57 43v381h91z" />
-<glyph unicode="" horiz-adv-x="1408" d="M597 869q-10 -18 -257 -456q-27 -46 -65 -46h-239q-21 0 -31 17t0 36l253 448q1 0 0 1l-161 279q-12 22 -1 37q9 15 32 15h239q40 0 66 -45zM1403 1511q11 -16 0 -37l-528 -934v-1l336 -615q11 -20 1 -37q-10 -15 -32 -15h-239q-42 0 -66 45l-339 622q18 32 531 942 q25 45 64 45h241q22 0 31 -15z" />
-<glyph unicode="" d="M685 771q0 1 -126 222q-21 34 -52 34h-184q-18 0 -26 -11q-7 -12 1 -29l125 -216v-1l-196 -346q-9 -14 0 -28q8 -13 24 -13h185q31 0 50 36zM1309 1268q-7 12 -24 12h-187q-30 0 -49 -35l-411 -729q1 -2 262 -481q20 -35 52 -35h184q18 0 25 12q8 13 -1 28l-260 476v1 l409 723q8 16 0 28zM1536 1120v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1280 640q0 37 -30 54l-512 320q-31 20 -65 2q-33 -18 -33 -56v-640q0 -38 33 -56q16 -8 31 -8q20 0 34 10l512 320q30 17 30 54zM1792 640q0 -96 -1 -150t-8.5 -136.5t-22.5 -147.5q-16 -73 -69 -123t-124 -58q-222 -25 -671 -25t-671 25q-71 8 -124.5 58t-69.5 123 q-14 65 -21.5 147.5t-8.5 136.5t-1 150t1 150t8.5 136.5t22.5 147.5q16 73 69 123t124 58q222 25 671 25t671 -25q71 -8 124.5 -58t69.5 -123q14 -65 21.5 -147.5t8.5 -136.5t1 -150z" />
-<glyph unicode="" horiz-adv-x="1792" d="M402 829l494 -305l-342 -285l-490 319zM1388 274v-108l-490 -293v-1l-1 1l-1 -1v1l-489 293v108l147 -96l342 284v2l1 -1l1 1v-2l343 -284zM554 1418l342 -285l-494 -304l-338 270zM1390 829l338 -271l-489 -319l-343 285zM1239 1418l489 -319l-338 -270l-494 304z" />
-<glyph unicode="" horiz-adv-x="1408" d="M928 135v-151l-707 -1v151zM1169 481v-701l-1 -35v-1h-1132l-35 1h-1v736h121v-618h928v618h120zM241 393l704 -65l-13 -150l-705 65zM309 709l683 -183l-39 -146l-683 183zM472 1058l609 -360l-77 -130l-609 360zM832 1389l398 -585l-124 -85l-399 584zM1285 1536 l121 -697l-149 -26l-121 697z" />
-<glyph unicode="" d="M1362 110v648h-135q20 -63 20 -131q0 -126 -64 -232.5t-174 -168.5t-240 -62q-197 0 -337 135.5t-140 327.5q0 68 20 131h-141v-648q0 -26 17.5 -43.5t43.5 -17.5h1069q25 0 43 17.5t18 43.5zM1078 643q0 124 -90.5 211.5t-218.5 87.5q-127 0 -217.5 -87.5t-90.5 -211.5 t90.5 -211.5t217.5 -87.5q128 0 218.5 87.5t90.5 211.5zM1362 1003v165q0 28 -20 48.5t-49 20.5h-174q-29 0 -49 -20.5t-20 -48.5v-165q0 -29 20 -49t49 -20h174q29 0 49 20t20 49zM1536 1211v-1142q0 -81 -58 -139t-139 -58h-1142q-81 0 -139 58t-58 139v1142q0 81 58 139 t139 58h1142q81 0 139 -58t58 -139z" />
-<glyph unicode="" d="M1248 1408q119 0 203.5 -84.5t84.5 -203.5v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960zM698 640q0 88 -62 150t-150 62t-150 -62t-62 -150t62 -150t150 -62t150 62t62 150zM1262 640q0 88 -62 150 t-150 62t-150 -62t-62 -150t62 -150t150 -62t150 62t62 150z" />
-<glyph unicode="" d="M768 914l201 -306h-402zM1133 384h94l-459 691l-459 -691h94l104 160h522zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" horiz-adv-x="1408" d="M815 677q8 -63 -50.5 -101t-111.5 -6q-39 17 -53.5 58t-0.5 82t52 58q36 18 72.5 12t64 -35.5t27.5 -67.5zM926 698q-14 107 -113 164t-197 13q-63 -28 -100.5 -88.5t-34.5 -129.5q4 -91 77.5 -155t165.5 -56q91 8 152 84t50 168zM1165 1240q-20 27 -56 44.5t-58 22 t-71 12.5q-291 47 -566 -2q-43 -7 -66 -12t-55 -22t-50 -43q30 -28 76 -45.5t73.5 -22t87.5 -11.5q228 -29 448 -1q63 8 89.5 12t72.5 21.5t75 46.5zM1222 205q-8 -26 -15.5 -76.5t-14 -84t-28.5 -70t-58 -56.5q-86 -48 -189.5 -71.5t-202 -22t-201.5 18.5q-46 8 -81.5 18 t-76.5 27t-73 43.5t-52 61.5q-25 96 -57 292l6 16l18 9q223 -148 506.5 -148t507.5 148q21 -6 24 -23t-5 -45t-8 -37zM1403 1166q-26 -167 -111 -655q-5 -30 -27 -56t-43.5 -40t-54.5 -31q-252 -126 -610 -88q-248 27 -394 139q-15 12 -25.5 26.5t-17 35t-9 34t-6 39.5 t-5.5 35q-9 50 -26.5 150t-28 161.5t-23.5 147.5t-22 158q3 26 17.5 48.5t31.5 37.5t45 30t46 22.5t48 18.5q125 46 313 64q379 37 676 -50q155 -46 215 -122q16 -20 16.5 -51t-5.5 -54z" />
-<glyph unicode="" d="M848 666q0 43 -41 66t-77 1q-43 -20 -42.5 -72.5t43.5 -70.5q39 -23 81 4t36 72zM928 682q8 -66 -36 -121t-110 -61t-119 40t-56 113q-2 49 25.5 93t72.5 64q70 31 141.5 -10t81.5 -118zM1100 1073q-20 -21 -53.5 -34t-53 -16t-63.5 -8q-155 -20 -324 0q-44 6 -63 9.5 t-52.5 16t-54.5 32.5q13 19 36 31t40 15.5t47 8.5q198 35 408 1q33 -5 51 -8.5t43 -16t39 -31.5zM1142 327q0 7 5.5 26.5t3 32t-17.5 16.5q-161 -106 -365 -106t-366 106l-12 -6l-5 -12q26 -154 41 -210q47 -81 204 -108q249 -46 428 53q34 19 49 51.5t22.5 85.5t12.5 71z M1272 1020q9 53 -8 75q-43 55 -155 88q-216 63 -487 36q-132 -12 -226 -46q-38 -15 -59.5 -25t-47 -34t-29.5 -54q8 -68 19 -138t29 -171t24 -137q1 -5 5 -31t7 -36t12 -27t22 -28q105 -80 284 -100q259 -28 440 63q24 13 39.5 23t31 29t19.5 40q48 267 80 473zM1536 1120 v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="" horiz-adv-x="1024" d="M390 1408h219v-388h364v-241h-364v-394q0 -136 14 -172q13 -37 52 -60q50 -31 117 -31q117 0 232 76v-242q-102 -48 -178 -65q-77 -19 -173 -19q-105 0 -186 27q-78 25 -138 75q-58 51 -79 105q-22 54 -22 161v539h-170v217q91 30 155 84q64 55 103 132q39 78 54 196z " />
-<glyph unicode="" d="M1123 127v181q-88 -56 -174 -56q-51 0 -88 23q-29 17 -39 45q-11 30 -11 129v295h274v181h-274v291h-164q-11 -90 -40 -147t-78 -99q-48 -40 -116 -63v-163h127v-404q0 -78 17 -121q17 -42 59 -78q43 -37 104 -57q62 -20 140 -20q67 0 129 14q57 13 134 49zM1536 1120 v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="" horiz-adv-x="768" d="M765 237q8 -19 -5 -35l-350 -384q-10 -10 -23 -10q-14 0 -24 10l-355 384q-13 16 -5 35q9 19 29 19h224v1248q0 14 9 23t23 9h192q14 0 23 -9t9 -23v-1248h224q21 0 29 -19z" />
-<glyph unicode="" horiz-adv-x="768" d="M765 1043q-9 -19 -29 -19h-224v-1248q0 -14 -9 -23t-23 -9h-192q-14 0 -23 9t-9 23v1248h-224q-21 0 -29 19t5 35l350 384q10 10 23 10q14 0 24 -10l355 -384q13 -16 5 -35z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1792 736v-192q0 -14 -9 -23t-23 -9h-1248v-224q0 -21 -19 -29t-35 5l-384 350q-10 10 -10 23q0 14 10 24l384 354q16 14 35 6q19 -9 19 -29v-224h1248q14 0 23 -9t9 -23z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1728 643q0 -14 -10 -24l-384 -354q-16 -14 -35 -6q-19 9 -19 29v224h-1248q-14 0 -23 9t-9 23v192q0 14 9 23t23 9h1248v224q0 21 19 29t35 -5l384 -350q10 -10 10 -23z" />
-<glyph unicode="" horiz-adv-x="1408" d="M1393 321q-39 -125 -123 -250q-129 -196 -257 -196q-49 0 -140 32q-86 32 -151 32q-61 0 -142 -33q-81 -34 -132 -34q-152 0 -301 259q-147 261 -147 503q0 228 113 374q112 144 284 144q72 0 177 -30q104 -30 138 -30q45 0 143 34q102 34 173 34q119 0 213 -65 q52 -36 104 -100q-79 -67 -114 -118q-65 -94 -65 -207q0 -124 69 -223t158 -126zM1017 1494q0 -61 -29 -136q-30 -75 -93 -138q-54 -54 -108 -72q-37 -11 -104 -17q3 149 78 257q74 107 250 148q1 -3 2.5 -11t2.5 -11q0 -4 0.5 -10t0.5 -10z" />
-<glyph unicode="" horiz-adv-x="1664" d="M682 530v-651l-682 94v557h682zM682 1273v-659h-682v565zM1664 530v-786l-907 125v661h907zM1664 1408v-794h-907v669z" />
-<glyph unicode="" horiz-adv-x="1408" d="M493 1053q16 0 27.5 11.5t11.5 27.5t-11.5 27.5t-27.5 11.5t-27 -11.5t-11 -27.5t11 -27.5t27 -11.5zM915 1053q16 0 27 11.5t11 27.5t-11 27.5t-27 11.5t-27.5 -11.5t-11.5 -27.5t11.5 -27.5t27.5 -11.5zM103 869q42 0 72 -30t30 -72v-430q0 -43 -29.5 -73t-72.5 -30 t-73 30t-30 73v430q0 42 30 72t73 30zM1163 850v-666q0 -46 -32 -78t-77 -32h-75v-227q0 -43 -30 -73t-73 -30t-73 30t-30 73v227h-138v-227q0 -43 -30 -73t-73 -30q-42 0 -72 30t-30 73l-1 227h-74q-46 0 -78 32t-32 78v666h918zM931 1255q107 -55 171 -153.5t64 -215.5 h-925q0 117 64 215.5t172 153.5l-71 131q-7 13 5 20q13 6 20 -6l72 -132q95 42 201 42t201 -42l72 132q7 12 20 6q12 -7 5 -20zM1408 767v-430q0 -43 -30 -73t-73 -30q-42 0 -72 30t-30 73v430q0 43 30 72.5t72 29.5q43 0 73 -29.5t30 -72.5z" />
-<glyph unicode="" d="M663 1125q-11 -1 -15.5 -10.5t-8.5 -9.5q-5 -1 -5 5q0 12 19 15h10zM750 1111q-4 -1 -11.5 6.5t-17.5 4.5q24 11 32 -2q3 -6 -3 -9zM399 684q-4 1 -6 -3t-4.5 -12.5t-5.5 -13.5t-10 -13q-7 -10 -1 -12q4 -1 12.5 7t12.5 18q1 3 2 7t2 6t1.5 4.5t0.5 4v3t-1 2.5t-3 2z M1254 325q0 18 -55 42q4 15 7.5 27.5t5 26t3 21.5t0.5 22.5t-1 19.5t-3.5 22t-4 20.5t-5 25t-5.5 26.5q-10 48 -47 103t-72 75q24 -20 57 -83q87 -162 54 -278q-11 -40 -50 -42q-31 -4 -38.5 18.5t-8 83.5t-11.5 107q-9 39 -19.5 69t-19.5 45.5t-15.5 24.5t-13 15t-7.5 7 q-14 62 -31 103t-29.5 56t-23.5 33t-15 40q-4 21 6 53.5t4.5 49.5t-44.5 25q-15 3 -44.5 18t-35.5 16q-8 1 -11 26t8 51t36 27q37 3 51 -30t4 -58q-11 -19 -2 -26.5t30 -0.5q13 4 13 36v37q-5 30 -13.5 50t-21 30.5t-23.5 15t-27 7.5q-107 -8 -89 -134q0 -15 -1 -15 q-9 9 -29.5 10.5t-33 -0.5t-15.5 5q1 57 -16 90t-45 34q-27 1 -41.5 -27.5t-16.5 -59.5q-1 -15 3.5 -37t13 -37.5t15.5 -13.5q10 3 16 14q4 9 -7 8q-7 0 -15.5 14.5t-9.5 33.5q-1 22 9 37t34 14q17 0 27 -21t9.5 -39t-1.5 -22q-22 -15 -31 -29q-8 -12 -27.5 -23.5 t-20.5 -12.5q-13 -14 -15.5 -27t7.5 -18q14 -8 25 -19.5t16 -19t18.5 -13t35.5 -6.5q47 -2 102 15q2 1 23 7t34.5 10.5t29.5 13t21 17.5q9 14 20 8q5 -3 6.5 -8.5t-3 -12t-16.5 -9.5q-20 -6 -56.5 -21.5t-45.5 -19.5q-44 -19 -70 -23q-25 -5 -79 2q-10 2 -9 -2t17 -19 q25 -23 67 -22q17 1 36 7t36 14t33.5 17.5t30 17t24.5 12t17.5 2.5t8.5 -11q0 -2 -1 -4.5t-4 -5t-6 -4.5t-8.5 -5t-9 -4.5t-10 -5t-9.5 -4.5q-28 -14 -67.5 -44t-66.5 -43t-49 -1q-21 11 -63 73q-22 31 -25 22q-1 -3 -1 -10q0 -25 -15 -56.5t-29.5 -55.5t-21 -58t11.5 -63 q-23 -6 -62.5 -90t-47.5 -141q-2 -18 -1.5 -69t-5.5 -59q-8 -24 -29 -3q-32 31 -36 94q-2 28 4 56q4 19 -1 18l-4 -5q-36 -65 10 -166q5 -12 25 -28t24 -20q20 -23 104 -90.5t93 -76.5q16 -15 17.5 -38t-14 -43t-45.5 -23q8 -15 29 -44.5t28 -54t7 -70.5q46 24 7 92 q-4 8 -10.5 16t-9.5 12t-2 6q3 5 13 9.5t20 -2.5q46 -52 166 -36q133 15 177 87q23 38 34 30q12 -6 10 -52q-1 -25 -23 -92q-9 -23 -6 -37.5t24 -15.5q3 19 14.5 77t13.5 90q2 21 -6.5 73.5t-7.5 97t23 70.5q15 18 51 18q1 37 34.5 53t72.5 10.5t60 -22.5zM626 1152 q3 17 -2.5 30t-11.5 15q-9 2 -9 -7q2 -5 5 -6q10 0 7 -15q-3 -20 8 -20q3 0 3 3zM1045 955q-2 8 -6.5 11.5t-13 5t-14.5 5.5q-5 3 -9.5 8t-7 8t-5.5 6.5t-4 4t-4 -1.5q-14 -16 7 -43.5t39 -31.5q9 -1 14.5 8t3.5 20zM867 1168q0 11 -5 19.5t-11 12.5t-9 3q-14 -1 -7 -7l4 -2 q14 -4 18 -31q0 -3 8 2zM921 1401q0 2 -2.5 5t-9 7t-9.5 6q-15 15 -24 15q-9 -1 -11.5 -7.5t-1 -13t-0.5 -12.5q-1 -4 -6 -10.5t-6 -9t3 -8.5q4 -3 8 0t11 9t15 9q1 1 9 1t15 2t9 7zM1486 60q20 -12 31 -24.5t12 -24t-2.5 -22.5t-15.5 -22t-23.5 -19.5t-30 -18.5 t-31.5 -16.5t-32 -15.5t-27 -13q-38 -19 -85.5 -56t-75.5 -64q-17 -16 -68 -19.5t-89 14.5q-18 9 -29.5 23.5t-16.5 25.5t-22 19.5t-47 9.5q-44 1 -130 1q-19 0 -57 -1.5t-58 -2.5q-44 -1 -79.5 -15t-53.5 -30t-43.5 -28.5t-53.5 -11.5q-29 1 -111 31t-146 43q-19 4 -51 9.5 t-50 9t-39.5 9.5t-33.5 14.5t-17 19.5q-10 23 7 66.5t18 54.5q1 16 -4 40t-10 42.5t-4.5 36.5t10.5 27q14 12 57 14t60 12q30 18 42 35t12 51q21 -73 -32 -106q-32 -20 -83 -15q-34 3 -43 -10q-13 -15 5 -57q2 -6 8 -18t8.5 -18t4.5 -17t1 -22q0 -15 -17 -49t-14 -48 q3 -17 37 -26q20 -6 84.5 -18.5t99.5 -20.5q24 -6 74 -22t82.5 -23t55.5 -4q43 6 64.5 28t23 48t-7.5 58.5t-19 52t-20 36.5q-121 190 -169 242q-68 74 -113 40q-11 -9 -15 15q-3 16 -2 38q1 29 10 52t24 47t22 42q8 21 26.5 72t29.5 78t30 61t39 54q110 143 124 195 q-12 112 -16 310q-2 90 24 151.5t106 104.5q39 21 104 21q53 1 106 -13.5t89 -41.5q57 -42 91.5 -121.5t29.5 -147.5q-5 -95 30 -214q34 -113 133 -218q55 -59 99.5 -163t59.5 -191q8 -49 5 -84.5t-12 -55.5t-20 -22q-10 -2 -23.5 -19t-27 -35.5t-40.5 -33.5t-61 -14 q-18 1 -31.5 5t-22.5 13.5t-13.5 15.5t-11.5 20.5t-9 19.5q-22 37 -41 30t-28 -49t7 -97q20 -70 1 -195q-10 -65 18 -100.5t73 -33t85 35.5q59 49 89.5 66.5t103.5 42.5q53 18 77 36.5t18.5 34.5t-25 28.5t-51.5 23.5q-33 11 -49.5 48t-15 72.5t15.5 47.5q1 -31 8 -56.5 t14.5 -40.5t20.5 -28.5t21 -19t21.5 -13t16.5 -9.5z" />
-<glyph unicode="" d="M1024 36q-42 241 -140 498h-2l-2 -1q-16 -6 -43 -16.5t-101 -49t-137 -82t-131 -114.5t-103 -148l-15 11q184 -150 418 -150q132 0 256 52zM839 643q-21 49 -53 111q-311 -93 -673 -93q-1 -7 -1 -21q0 -124 44 -236.5t124 -201.5q50 89 123.5 166.5t142.5 124.5t130.5 81 t99.5 48l37 13q4 1 13 3.5t13 4.5zM732 855q-120 213 -244 378q-138 -65 -234 -186t-128 -272q302 0 606 80zM1416 536q-210 60 -409 29q87 -239 128 -469q111 75 185 189.5t96 250.5zM611 1277q-1 0 -2 -1q1 1 2 1zM1201 1132q-185 164 -433 164q-76 0 -155 -19 q131 -170 246 -382q69 26 130 60.5t96.5 61.5t65.5 57t37.5 40.5zM1424 647q-3 232 -149 410l-1 -1q-9 -12 -19 -24.5t-43.5 -44.5t-71 -60.5t-100 -65t-131.5 -64.5q25 -53 44 -95q2 -6 6.5 -17.5t7.5 -16.5q36 5 74.5 7t73.5 2t69 -1.5t64 -4t56.5 -5.5t48 -6.5t36.5 -6 t25 -4.5zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" d="M1173 473q0 50 -19.5 91.5t-48.5 68.5t-73 49t-82.5 34t-87.5 23l-104 24q-30 7 -44 10.5t-35 11.5t-30 16t-16.5 21t-7.5 30q0 77 144 77q43 0 77 -12t54 -28.5t38 -33.5t40 -29t48 -12q47 0 75.5 32t28.5 77q0 55 -56 99.5t-142 67.5t-182 23q-68 0 -132 -15.5 t-119.5 -47t-89 -87t-33.5 -128.5q0 -61 19 -106.5t56 -75.5t80 -48.5t103 -32.5l146 -36q90 -22 112 -36q32 -20 32 -60q0 -39 -40 -64.5t-105 -25.5q-51 0 -91.5 16t-65 38.5t-45.5 45t-46 38.5t-54 16q-50 0 -75.5 -30t-25.5 -75q0 -92 122 -157.5t291 -65.5 q73 0 140 18.5t122.5 53.5t88.5 93.5t33 131.5zM1536 256q0 -159 -112.5 -271.5t-271.5 -112.5q-130 0 -234 80q-77 -16 -150 -16q-143 0 -273.5 55.5t-225 150t-150 225t-55.5 273.5q0 73 16 150q-80 104 -80 234q0 159 112.5 271.5t271.5 112.5q130 0 234 -80 q77 16 150 16q143 0 273.5 -55.5t225 -150t150 -225t55.5 -273.5q0 -73 -16 -150q80 -104 80 -234z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1483 512l-587 -587q-52 -53 -127.5 -53t-128.5 53l-587 587q-53 53 -53 128t53 128l587 587q53 53 128 53t128 -53l265 -265l-398 -399l-188 188q-42 42 -99 42q-59 0 -100 -41l-120 -121q-42 -40 -42 -99q0 -58 42 -100l406 -408q30 -28 67 -37l6 -4h28q60 0 99 41 l619 619l2 -3q53 -53 53 -128t-53 -128zM1406 1138l120 -120q14 -15 14 -36t-14 -36l-730 -730q-17 -15 -37 -15v0q-4 0 -6 1q-18 2 -30 14l-407 408q-14 15 -14 36t14 35l121 120q13 15 35 15t36 -15l252 -252l574 575q15 15 36 15t36 -15z" />
-<glyph unicode="" d="M704 192v1024q0 14 -9 23t-23 9h-480q-14 0 -23 -9t-9 -23v-1024q0 -14 9 -23t23 -9h480q14 0 23 9t9 23zM1376 576v640q0 14 -9 23t-23 9h-480q-14 0 -23 -9t-9 -23v-640q0 -14 9 -23t23 -9h480q14 0 23 9t9 23zM1536 1344v-1408q0 -26 -19 -45t-45 -19h-1408 q-26 0 -45 19t-19 45v1408q0 26 19 45t45 19h1408q26 0 45 -19t19 -45z" />
-<glyph unicode="" horiz-adv-x="1280" d="M1280 480q0 -40 -28 -68t-68 -28q-51 0 -80 43l-227 341h-45v-132l247 -411q9 -15 9 -33q0 -26 -19 -45t-45 -19h-192v-272q0 -46 -33 -79t-79 -33h-160q-46 0 -79 33t-33 79v272h-192q-26 0 -45 19t-19 45q0 18 9 33l247 411v132h-45l-227 -341q-29 -43 -80 -43 q-40 0 -68 28t-28 68q0 29 16 53l256 384q73 107 176 107h384q103 0 176 -107l256 -384q16 -24 16 -53zM864 1280q0 -93 -65.5 -158.5t-158.5 -65.5t-158.5 65.5t-65.5 158.5t65.5 158.5t158.5 65.5t158.5 -65.5t65.5 -158.5z" />
-<glyph unicode="" horiz-adv-x="1024" d="M1024 832v-416q0 -40 -28 -68t-68 -28t-68 28t-28 68v352h-64v-912q0 -46 -33 -79t-79 -33t-79 33t-33 79v464h-64v-464q0 -46 -33 -79t-79 -33t-79 33t-33 79v912h-64v-352q0 -40 -28 -68t-68 -28t-68 28t-28 68v416q0 80 56 136t136 56h640q80 0 136 -56t56 -136z M736 1280q0 -93 -65.5 -158.5t-158.5 -65.5t-158.5 65.5t-65.5 158.5t65.5 158.5t158.5 65.5t158.5 -65.5t65.5 -158.5z" />
-<glyph unicode="" d="M773 234l350 473q16 22 24.5 59t-6 85t-61.5 79q-40 26 -83 25.5t-73.5 -17.5t-54.5 -45q-36 -40 -96 -40q-59 0 -95 40q-24 28 -54.5 45t-73.5 17.5t-84 -25.5q-46 -31 -60.5 -79t-6 -85t24.5 -59zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103 t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1472 640q0 117 -45.5 223.5t-123 184t-184 123t-223.5 45.5t-223.5 -45.5t-184 -123t-123 -184t-45.5 -223.5t45.5 -223.5t123 -184t184 -123t223.5 -45.5t223.5 45.5t184 123t123 184t45.5 223.5zM1748 363q-4 -15 -20 -20l-292 -96v-306q0 -16 -13 -26q-15 -10 -29 -4 l-292 94l-180 -248q-10 -13 -26 -13t-26 13l-180 248l-292 -94q-14 -6 -29 4q-13 10 -13 26v306l-292 96q-16 5 -20 20q-5 17 4 29l180 248l-180 248q-9 13 -4 29q4 15 20 20l292 96v306q0 16 13 26q15 10 29 4l292 -94l180 248q9 12 26 12t26 -12l180 -248l292 94 q14 6 29 -4q13 -10 13 -26v-306l292 -96q16 -5 20 -20q5 -16 -4 -29l-180 -248l180 -248q9 -12 4 -29z" />
-<glyph unicode="" d="M1262 233q-54 -9 -110 -9q-182 0 -337 90t-245 245t-90 337q0 192 104 357q-201 -60 -328.5 -229t-127.5 -384q0 -130 51 -248.5t136.5 -204t204 -136.5t248.5 -51q144 0 273.5 61.5t220.5 171.5zM1465 318q-94 -203 -283.5 -324.5t-413.5 -121.5q-156 0 -298 61 t-245 164t-164 245t-61 298q0 153 57.5 292.5t156 241.5t235.5 164.5t290 68.5q44 2 61 -39q18 -41 -15 -72q-86 -78 -131.5 -181.5t-45.5 -218.5q0 -148 73 -273t198 -198t273 -73q118 0 228 51q41 18 72 -13q14 -14 17.5 -34t-4.5 -38z" />
-<glyph unicode="" horiz-adv-x="1792" d="M1088 704q0 26 -19 45t-45 19h-256q-26 0 -45 -19t-19 -45t19 -45t45 -19h256q26 0 45 19t19 45zM1664 896v-960q0 -26 -19 -45t-45 -19h-1408q-26 0 -45 19t-19 45v960q0 26 19 45t45 19h1408q26 0 45 -19t19 -45zM1728 1344v-256q0 -26 -19 -45t-45 -19h-1536 q-26 0 -45 19t-19 45v256q0 26 19 45t45 19h1536q26 0 45 -19t19 -45z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1632 576q0 -26 -19 -45t-45 -19h-224q0 -171 -67 -290l208 -209q19 -19 19 -45t-19 -45q-18 -19 -45 -19t-45 19l-198 197q-5 -5 -15 -13t-42 -28.5t-65 -36.5t-82 -29t-97 -13v896h-128v-896q-51 0 -101.5 13.5t-87 33t-66 39t-43.5 32.5l-15 14l-183 -207 q-20 -21 -48 -21q-24 0 -43 16q-19 18 -20.5 44.5t15.5 46.5l202 227q-58 114 -58 274h-224q-26 0 -45 19t-19 45t19 45t45 19h224v294l-173 173q-19 19 -19 45t19 45t45 19t45 -19l173 -173h844l173 173q19 19 45 19t45 -19t19 -45t-19 -45l-173 -173v-294h224q26 0 45 -19 t19 -45zM1152 1152h-640q0 133 93.5 226.5t226.5 93.5t226.5 -93.5t93.5 -226.5z" />
-<glyph unicode="" horiz-adv-x="1920" d="M1917 1016q23 -64 -150 -294q-24 -32 -65 -85q-78 -100 -90 -131q-17 -41 14 -81q17 -21 81 -82h1l1 -1l1 -1l2 -2q141 -131 191 -221q3 -5 6.5 -12.5t7 -26.5t-0.5 -34t-25 -27.5t-59 -12.5l-256 -4q-24 -5 -56 5t-52 22l-20 12q-30 21 -70 64t-68.5 77.5t-61 58 t-56.5 15.5q-3 -1 -8 -3.5t-17 -14.5t-21.5 -29.5t-17 -52t-6.5 -77.5q0 -15 -3.5 -27.5t-7.5 -18.5l-4 -5q-18 -19 -53 -22h-115q-71 -4 -146 16.5t-131.5 53t-103 66t-70.5 57.5l-25 24q-10 10 -27.5 30t-71.5 91t-106 151t-122.5 211t-130.5 272q-6 16 -6 27t3 16l4 6 q15 19 57 19l274 2q12 -2 23 -6.5t16 -8.5l5 -3q16 -11 24 -32q20 -50 46 -103.5t41 -81.5l16 -29q29 -60 56 -104t48.5 -68.5t41.5 -38.5t34 -14t27 5q2 1 5 5t12 22t13.5 47t9.5 81t0 125q-2 40 -9 73t-14 46l-6 12q-25 34 -85 43q-13 2 5 24q17 19 38 30q53 26 239 24 q82 -1 135 -13q20 -5 33.5 -13.5t20.5 -24t10.5 -32t3.5 -45.5t-1 -55t-2.5 -70.5t-1.5 -82.5q0 -11 -1 -42t-0.5 -48t3.5 -40.5t11.5 -39t22.5 -24.5q8 -2 17 -4t26 11t38 34.5t52 67t68 107.5q60 104 107 225q4 10 10 17.5t11 10.5l4 3l5 2.5t13 3t20 0.5l288 2 q39 5 64 -2.5t31 -16.5z" />
-<glyph unicode="" horiz-adv-x="1792" d="M675 252q21 34 11 69t-45 50q-34 14 -73 1t-60 -46q-22 -34 -13 -68.5t43 -50.5t74.5 -2.5t62.5 47.5zM769 373q8 13 3.5 26.5t-17.5 18.5q-14 5 -28.5 -0.5t-21.5 -18.5q-17 -31 13 -45q14 -5 29 0.5t22 18.5zM943 266q-45 -102 -158 -150t-224 -12 q-107 34 -147.5 126.5t6.5 187.5q47 93 151.5 139t210.5 19q111 -29 158.5 -119.5t2.5 -190.5zM1255 426q-9 96 -89 170t-208.5 109t-274.5 21q-223 -23 -369.5 -141.5t-132.5 -264.5q9 -96 89 -170t208.5 -109t274.5 -21q223 23 369.5 141.5t132.5 264.5zM1563 422 q0 -68 -37 -139.5t-109 -137t-168.5 -117.5t-226 -83t-270.5 -31t-275 33.5t-240.5 93t-171.5 151t-65 199.5q0 115 69.5 245t197.5 258q169 169 341.5 236t246.5 -7q65 -64 20 -209q-4 -14 -1 -20t10 -7t14.5 0.5t13.5 3.5l6 2q139 59 246 59t153 -61q45 -63 0 -178 q-2 -13 -4.5 -20t4.5 -12.5t12 -7.5t17 -6q57 -18 103 -47t80 -81.5t34 -116.5zM1489 1046q42 -47 54.5 -108.5t-6.5 -117.5q-8 -23 -29.5 -34t-44.5 -4q-23 8 -34 29.5t-4 44.5q20 63 -24 111t-107 35q-24 -5 -45 8t-25 37q-5 24 8 44.5t37 25.5q60 13 119 -5.5t101 -65.5z M1670 1209q87 -96 112.5 -222.5t-13.5 -241.5q-9 -27 -34 -40t-52 -4t-40 34t-5 52q28 82 10 172t-80 158q-62 69 -148 95.5t-173 8.5q-28 -6 -52 9.5t-30 43.5t9.5 51.5t43.5 29.5q123 26 244 -11.5t208 -134.5z" />
-<glyph unicode="" d="M1133 -34q-171 -94 -368 -94q-196 0 -367 94q138 87 235.5 211t131.5 268q35 -144 132.5 -268t235.5 -211zM638 1394v-485q0 -252 -126.5 -459.5t-330.5 -306.5q-181 215 -181 495q0 187 83.5 349.5t229.5 269.5t325 137zM1536 638q0 -280 -181 -495 q-204 99 -330.5 306.5t-126.5 459.5v485q179 -30 325 -137t229.5 -269.5t83.5 -349.5z" />
-<glyph unicode="" horiz-adv-x="1408" d="M1402 433q-32 -80 -76 -138t-91 -88.5t-99 -46.5t-101.5 -14.5t-96.5 8.5t-86.5 22t-69.5 27.5t-46 22.5l-17 10q-113 -228 -289.5 -359.5t-384.5 -132.5q-19 0 -32 13t-13 32t13 31.5t32 12.5q173 1 322.5 107.5t251.5 294.5q-36 -14 -72 -23t-83 -13t-91 2.5t-93 28.5 t-92 59t-84.5 100t-74.5 146q114 47 214 57t167.5 -7.5t124.5 -56.5t88.5 -77t56.5 -82q53 131 79 291q-7 -1 -18 -2.5t-46.5 -2.5t-69.5 0.5t-81.5 10t-88.5 23t-84 42.5t-75 65t-54.5 94.5t-28.5 127.5q70 28 133.5 36.5t112.5 -1t92 -30t73.5 -50t56 -61t42 -63t27.5 -56 t16 -39.5l4 -16q12 122 12 195q-8 6 -21.5 16t-49 44.5t-63.5 71.5t-54 93t-33 112.5t12 127t70 138.5q73 -25 127.5 -61.5t84.5 -76.5t48 -85t20.5 -89t-0.5 -85.5t-13 -76.5t-19 -62t-17 -42l-7 -15q1 -5 1 -50.5t-1 -71.5q3 7 10 18.5t30.5 43t50.5 58t71 55.5t91.5 44.5 t112 14.5t132.5 -24q-2 -78 -21.5 -141.5t-50 -104.5t-69.5 -71.5t-81.5 -45.5t-84.5 -24t-80 -9.5t-67.5 1t-46.5 4.5l-17 3q-23 -147 -73 -283q6 7 18 18.5t49.5 41t77.5 52.5t99.5 42t117.5 20t129 -23.5t137 -77.5z" />
-<glyph unicode="" horiz-adv-x="1280" d="M1259 283v-66q0 -85 -57.5 -144.5t-138.5 -59.5h-57l-260 -269v269h-529q-81 0 -138.5 59.5t-57.5 144.5v66h1238zM1259 609v-255h-1238v255h1238zM1259 937v-255h-1238v255h1238zM1259 1077v-67h-1238v67q0 84 57.5 143.5t138.5 59.5h846q81 0 138.5 -59.5t57.5 -143.5z " />
-<glyph unicode="" d="M1152 640q0 -14 -9 -23l-320 -320q-9 -9 -23 -9q-13 0 -22.5 9.5t-9.5 22.5v192h-352q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h352v192q0 14 9 23t23 9q12 0 24 -10l319 -319q9 -9 9 -23zM1312 640q0 148 -73 273t-198 198t-273 73t-273 -73t-198 -198 t-73 -273t73 -273t198 -198t273 -73t273 73t198 198t73 273zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" d="M1152 736v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-352v-192q0 -14 -9 -23t-23 -9q-12 0 -24 10l-319 319q-9 9 -9 23t9 23l320 320q9 9 23 9q13 0 22.5 -9.5t9.5 -22.5v-192h352q13 0 22.5 -9.5t9.5 -22.5zM1312 640q0 148 -73 273t-198 198t-273 73t-273 -73t-198 -198 t-73 -273t73 -273t198 -198t273 -73t273 73t198 198t73 273zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" d="M1024 960v-640q0 -26 -19 -45t-45 -19q-20 0 -37 12l-448 320q-27 19 -27 52t27 52l448 320q17 12 37 12q26 0 45 -19t19 -45zM1280 160v960q0 13 -9.5 22.5t-22.5 9.5h-960q-13 0 -22.5 -9.5t-9.5 -22.5v-960q0 -13 9.5 -22.5t22.5 -9.5h960q13 0 22.5 9.5t9.5 22.5z M1536 1120v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="" d="M1024 640q0 -106 -75 -181t-181 -75t-181 75t-75 181t75 181t181 75t181 -75t75 -181zM768 1184q-148 0 -273 -73t-198 -198t-73 -273t73 -273t198 -198t273 -73t273 73t198 198t73 273t-73 273t-198 198t-273 73zM1536 640q0 -209 -103 -385.5t-279.5 -279.5 t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="" horiz-adv-x="1664" d="M1023 349l102 -204q-58 -179 -210 -290t-339 -111q-156 0 -288.5 77.5t-210 210t-77.5 288.5q0 181 104.5 330t274.5 211l17 -131q-122 -54 -195 -165.5t-73 -244.5q0 -185 131.5 -316.5t316.5 -131.5q126 0 232.5 65t165 175.5t49.5 236.5zM1571 249l58 -114l-256 -128 q-13 -7 -29 -7q-40 0 -57 35l-239 477h-472q-24 0 -42.5 16.5t-21.5 40.5l-96 779q-2 16 6 42q14 51 57 82.5t97 31.5q66 0 113 -47t47 -113q0 -69 -52 -117.5t-120 -41.5l37 -289h423v-128h-407l16 -128h455q40 0 57 -35l228 -455z" />
-<glyph unicode="" d="M1254 899q16 85 -21 132q-52 65 -187 45q-17 -3 -41 -12.5t-57.5 -30.5t-64.5 -48.5t-59.5 -70t-44.5 -91.5q80 7 113.5 -16t26.5 -99q-5 -52 -52 -143q-43 -78 -71 -99q-44 -32 -87 14q-23 24 -37.5 64.5t-19 73t-10 84t-8.5 71.5q-23 129 -34 164q-12 37 -35.5 69 t-50.5 40q-57 16 -127 -25q-54 -32 -136.5 -106t-122.5 -102v-7q16 -8 25.5 -26t21.5 -20q21 -3 54.5 8.5t58 10.5t41.5 -30q11 -18 18.5 -38.5t15 -48t12.5 -40.5q17 -46 53 -187q36 -146 57 -197q42 -99 103 -125q43 -12 85 -1.5t76 31.5q131 77 250 237 q104 139 172.5 292.5t82.5 226.5zM1536 1120v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="" horiz-adv-x="1152" d="M1152 704q0 -191 -94.5 -353t-256.5 -256.5t-353 -94.5h-160q-14 0 -23 9t-9 23v611l-215 -66q-3 -1 -9 -1q-10 0 -19 6q-13 10 -13 26v128q0 23 23 31l233 71v93l-215 -66q-3 -1 -9 -1q-10 0 -19 6q-13 10 -13 26v128q0 23 23 31l233 71v250q0 14 9 23t23 9h160 q14 0 23 -9t9 -23v-181l375 116q15 5 28 -5t13 -26v-128q0 -23 -23 -31l-393 -121v-93l375 116q15 5 28 -5t13 -26v-128q0 -23 -23 -31l-393 -121v-487q188 13 318 151t130 328q0 14 9 23t23 9h160q14 0 23 -9t9 -23z" />
-<glyph unicode="" horiz-adv-x="1408" d="M1152 736v-64q0 -14 -9 -23t-23 -9h-352v-352q0 -14 -9 -23t-23 -9h-64q-14 0 -23 9t-9 23v352h-352q-14 0 -23 9t-9 23v64q0 14 9 23t23 9h352v352q0 14 9 23t23 9h64q14 0 23 -9t9 -23v-352h352q14 0 23 -9t9 -23zM1280 288v832q0 66 -47 113t-113 47h-832 q-66 0 -113 -47t-47 -113v-832q0 -66 47 -113t113 -47h832q66 0 113 47t47 113zM1408 1120v-832q0 -119 -84.5 -203.5t-203.5 -84.5h-832q-119 0 -203.5 84.5t-84.5 203.5v832q0 119 84.5 203.5t203.5 84.5h832q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="" horiz-adv-x="1792" />
-<glyph unicode="" horiz-adv-x="1792" />
-<glyph unicode="" horiz-adv-x="1792" />
-<glyph unicode="" horiz-adv-x="1792" />
-<glyph unicode="" horiz-adv-x="1792" />
-<glyph unicode="" horiz-adv-x="1792" />
-<glyph unicode="" horiz-adv-x="1792" />
-<glyph unicode="" horiz-adv-x="1792" />
-<glyph unicode="" horiz-adv-x="1792" />
-</font>
-</defs></svg>
\ No newline at end of file
+++ /dev/null
-<div class="footer hidden-xs hidden-sm">
- <div class="container">
- <ul class="nav navbar-nav navbar-right footer-bar">
- {% if repo_url %}
- <li>
- <a href="{{ repo_url }}">
- {% if repo_name == 'GitHub' %}
- <i class="fa fa-github"></i>
- {% elif repo_name == 'Bitbucket' %}
- <i class="fa fa-bitbucket"></i>
- {% endif %}
- {{ repo_name }}
- </a>
- </li>
- {% endif %}
- <li {% if not previous_page %}class="disabled"{% endif %}>
- <a rel="next" {% if previous_page %}href="{{ previous_page.url }}"{% endif %}>
- <i class="fa fa-arrow-left"></i> Previous
- </a>
- </li>
- <li {% if not next_page %}class="disabled"{% endif %}>
- <a rel="prev" {% if next_page %}href="{{ next_page.url }}"{% endif %}>
- Next <i class="fa fa-arrow-right"></i>
- </a>
- </li>
- </ul>
- </div>
-</div>
+++ /dev/null
-
-/* Prettyify */
-$( document ).ready(function() {
- prettyPrint();
-});
-
-
-/* Scrollspy */
-var navHeight = $('.navbar').outerHeight(true) + 10
-
-$('body').scrollspy({
- target: '.bs-sidebar',
- offset: navHeight
-})
-
-
-/* Prevent disabled links from causing a page reload */
-$("li.disabled a").click(function() {
- event.preventDefault();
-});
-
-
-/* Adjust the scroll height of anchors to compensate for the fixed navbar */
-window.disableShift = false;
-var shiftWindow = function() {
- if (window.disableShift) {
- window.disableShift = false;
- } else {
- /* If we're at the bottom of the page, don't erroneously scroll up */
- var scrolledToBottomOfPage = (
- (window.innerHeight + window.scrollY) >= document.body.offsetHeight
- );
- if (!scrolledToBottomOfPage) {
- scrollBy(0, -60);
- };
- };
-};
-if (location.hash) {shiftWindow();}
-window.addEventListener("hashchange", shiftWindow);
-
-
-/* Deal with clicks on nav links that do not change the current anchor link. */
-$("ul.nav a" ).click(function() {
- var href = this.href;
- var suffix = location.hash;
- var matchesCurrentHash = (href.indexOf(suffix, href.length - suffix.length) !== -1);
- if (location.hash && matchesCurrentHash) {
- /* Force a single 'hashchange' event to occur after the click event */
- window.disableShift = true;
- location.hash='';
- };
-});
+++ /dev/null
-/*!
- * Bootstrap v3.0.3 (http://getbootstrap.com)
- * Copyright 2013 Twitter, Inc.
- * Licensed under http://www.apache.org/licenses/LICENSE-2.0
- */
-
-if("undefined"==typeof jQuery)throw new Error("Bootstrap requires jQuery");+function(a){"use strict";function b(){var a=document.createElement("bootstrap"),b={WebkitTransition:"webkitTransitionEnd",MozTransition:"transitionend",OTransition:"oTransitionEnd otransitionend",transition:"transitionend"};for(var c in b)if(void 0!==a.style[c])return{end:b[c]}}a.fn.emulateTransitionEnd=function(b){var c=!1,d=this;a(this).one(a.support.transition.end,function(){c=!0});var e=function(){c||a(d).trigger(a.support.transition.end)};return setTimeout(e,b),this},a(function(){a.support.transition=b()})}(jQuery),+function(a){"use strict";var b='[data-dismiss="alert"]',c=function(c){a(c).on("click",b,this.close)};c.prototype.close=function(b){function c(){f.trigger("closed.bs.alert").remove()}var d=a(this),e=d.attr("data-target");e||(e=d.attr("href"),e=e&&e.replace(/.*(?=#[^\s]*$)/,""));var f=a(e);b&&b.preventDefault(),f.length||(f=d.hasClass("alert")?d:d.parent()),f.trigger(b=a.Event("close.bs.alert")),b.isDefaultPrevented()||(f.removeClass("in"),a.support.transition&&f.hasClass("fade")?f.one(a.support.transition.end,c).emulateTransitionEnd(150):c())};var d=a.fn.alert;a.fn.alert=function(b){return this.each(function(){var d=a(this),e=d.data("bs.alert");e||d.data("bs.alert",e=new c(this)),"string"==typeof b&&e[b].call(d)})},a.fn.alert.Constructor=c,a.fn.alert.noConflict=function(){return a.fn.alert=d,this},a(document).on("click.bs.alert.data-api",b,c.prototype.close)}(jQuery),+function(a){"use strict";var b=function(c,d){this.$element=a(c),this.options=a.extend({},b.DEFAULTS,d)};b.DEFAULTS={loadingText:"loading..."},b.prototype.setState=function(a){var b="disabled",c=this.$element,d=c.is("input")?"val":"html",e=c.data();a+="Text",e.resetText||c.data("resetText",c[d]()),c[d](e[a]||this.options[a]),setTimeout(function(){"loadingText"==a?c.addClass(b).attr(b,b):c.removeClass(b).removeAttr(b)},0)},b.prototype.toggle=function(){var a=this.$element.closest('[data-toggle="buttons"]'),b=!0;if(a.length){var c=this.$element.find("input");"radio"===c.prop("type")&&(c.prop("checked")&&this.$element.hasClass("active")?b=!1:a.find(".active").removeClass("active")),b&&c.prop("checked",!this.$element.hasClass("active")).trigger("change")}b&&this.$element.toggleClass("active")};var c=a.fn.button;a.fn.button=function(c){return this.each(function(){var d=a(this),e=d.data("bs.button"),f="object"==typeof c&&c;e||d.data("bs.button",e=new b(this,f)),"toggle"==c?e.toggle():c&&e.setState(c)})},a.fn.button.Constructor=b,a.fn.button.noConflict=function(){return a.fn.button=c,this},a(document).on("click.bs.button.data-api","[data-toggle^=button]",function(b){var c=a(b.target);c.hasClass("btn")||(c=c.closest(".btn")),c.button("toggle"),b.preventDefault()})}(jQuery),+function(a){"use strict";var b=function(b,c){this.$element=a(b),this.$indicators=this.$element.find(".carousel-indicators"),this.options=c,this.paused=this.sliding=this.interval=this.$active=this.$items=null,"hover"==this.options.pause&&this.$element.on("mouseenter",a.proxy(this.pause,this)).on("mouseleave",a.proxy(this.cycle,this))};b.DEFAULTS={interval:5e3,pause:"hover",wrap:!0},b.prototype.cycle=function(b){return b||(this.paused=!1),this.interval&&clearInterval(this.interval),this.options.interval&&!this.paused&&(this.interval=setInterval(a.proxy(this.next,this),this.options.interval)),this},b.prototype.getActiveIndex=function(){return this.$active=this.$element.find(".item.active"),this.$items=this.$active.parent().children(),this.$items.index(this.$active)},b.prototype.to=function(b){var c=this,d=this.getActiveIndex();return b>this.$items.length-1||0>b?void 0:this.sliding?this.$element.one("slid.bs.carousel",function(){c.to(b)}):d==b?this.pause().cycle():this.slide(b>d?"next":"prev",a(this.$items[b]))},b.prototype.pause=function(b){return b||(this.paused=!0),this.$element.find(".next, .prev").length&&a.support.transition.end&&(this.$element.trigger(a.support.transition.end),this.cycle(!0)),this.interval=clearInterval(this.interval),this},b.prototype.next=function(){return this.sliding?void 0:this.slide("next")},b.prototype.prev=function(){return this.sliding?void 0:this.slide("prev")},b.prototype.slide=function(b,c){var d=this.$element.find(".item.active"),e=c||d[b](),f=this.interval,g="next"==b?"left":"right",h="next"==b?"first":"last",i=this;if(!e.length){if(!this.options.wrap)return;e=this.$element.find(".item")[h]()}this.sliding=!0,f&&this.pause();var j=a.Event("slide.bs.carousel",{relatedTarget:e[0],direction:g});if(!e.hasClass("active")){if(this.$indicators.length&&(this.$indicators.find(".active").removeClass("active"),this.$element.one("slid.bs.carousel",function(){var b=a(i.$indicators.children()[i.getActiveIndex()]);b&&b.addClass("active")})),a.support.transition&&this.$element.hasClass("slide")){if(this.$element.trigger(j),j.isDefaultPrevented())return;e.addClass(b),e[0].offsetWidth,d.addClass(g),e.addClass(g),d.one(a.support.transition.end,function(){e.removeClass([b,g].join(" ")).addClass("active"),d.removeClass(["active",g].join(" ")),i.sliding=!1,setTimeout(function(){i.$element.trigger("slid.bs.carousel")},0)}).emulateTransitionEnd(600)}else{if(this.$element.trigger(j),j.isDefaultPrevented())return;d.removeClass("active"),e.addClass("active"),this.sliding=!1,this.$element.trigger("slid.bs.carousel")}return f&&this.cycle(),this}};var c=a.fn.carousel;a.fn.carousel=function(c){return this.each(function(){var d=a(this),e=d.data("bs.carousel"),f=a.extend({},b.DEFAULTS,d.data(),"object"==typeof c&&c),g="string"==typeof c?c:f.slide;e||d.data("bs.carousel",e=new b(this,f)),"number"==typeof c?e.to(c):g?e[g]():f.interval&&e.pause().cycle()})},a.fn.carousel.Constructor=b,a.fn.carousel.noConflict=function(){return a.fn.carousel=c,this},a(document).on("click.bs.carousel.data-api","[data-slide], [data-slide-to]",function(b){var c,d=a(this),e=a(d.attr("data-target")||(c=d.attr("href"))&&c.replace(/.*(?=#[^\s]+$)/,"")),f=a.extend({},e.data(),d.data()),g=d.attr("data-slide-to");g&&(f.interval=!1),e.carousel(f),(g=d.attr("data-slide-to"))&&e.data("bs.carousel").to(g),b.preventDefault()}),a(window).on("load",function(){a('[data-ride="carousel"]').each(function(){var b=a(this);b.carousel(b.data())})})}(jQuery),+function(a){"use strict";var b=function(c,d){this.$element=a(c),this.options=a.extend({},b.DEFAULTS,d),this.transitioning=null,this.options.parent&&(this.$parent=a(this.options.parent)),this.options.toggle&&this.toggle()};b.DEFAULTS={toggle:!0},b.prototype.dimension=function(){var a=this.$element.hasClass("width");return a?"width":"height"},b.prototype.show=function(){if(!this.transitioning&&!this.$element.hasClass("in")){var b=a.Event("show.bs.collapse");if(this.$element.trigger(b),!b.isDefaultPrevented()){var c=this.$parent&&this.$parent.find("> .panel > .in");if(c&&c.length){var d=c.data("bs.collapse");if(d&&d.transitioning)return;c.collapse("hide"),d||c.data("bs.collapse",null)}var e=this.dimension();this.$element.removeClass("collapse").addClass("collapsing")[e](0),this.transitioning=1;var f=function(){this.$element.removeClass("collapsing").addClass("in")[e]("auto"),this.transitioning=0,this.$element.trigger("shown.bs.collapse")};if(!a.support.transition)return f.call(this);var g=a.camelCase(["scroll",e].join("-"));this.$element.one(a.support.transition.end,a.proxy(f,this)).emulateTransitionEnd(350)[e](this.$element[0][g])}}},b.prototype.hide=function(){if(!this.transitioning&&this.$element.hasClass("in")){var b=a.Event("hide.bs.collapse");if(this.$element.trigger(b),!b.isDefaultPrevented()){var c=this.dimension();this.$element[c](this.$element[c]())[0].offsetHeight,this.$element.addClass("collapsing").removeClass("collapse").removeClass("in"),this.transitioning=1;var d=function(){this.transitioning=0,this.$element.trigger("hidden.bs.collapse").removeClass("collapsing").addClass("collapse")};return a.support.transition?(this.$element[c](0).one(a.support.transition.end,a.proxy(d,this)).emulateTransitionEnd(350),void 0):d.call(this)}}},b.prototype.toggle=function(){this[this.$element.hasClass("in")?"hide":"show"]()};var c=a.fn.collapse;a.fn.collapse=function(c){return this.each(function(){var d=a(this),e=d.data("bs.collapse"),f=a.extend({},b.DEFAULTS,d.data(),"object"==typeof c&&c);e||d.data("bs.collapse",e=new b(this,f)),"string"==typeof c&&e[c]()})},a.fn.collapse.Constructor=b,a.fn.collapse.noConflict=function(){return a.fn.collapse=c,this},a(document).on("click.bs.collapse.data-api","[data-toggle=collapse]",function(b){var c,d=a(this),e=d.attr("data-target")||b.preventDefault()||(c=d.attr("href"))&&c.replace(/.*(?=#[^\s]+$)/,""),f=a(e),g=f.data("bs.collapse"),h=g?"toggle":d.data(),i=d.attr("data-parent"),j=i&&a(i);g&&g.transitioning||(j&&j.find('[data-toggle=collapse][data-parent="'+i+'"]').not(d).addClass("collapsed"),d[f.hasClass("in")?"addClass":"removeClass"]("collapsed")),f.collapse(h)})}(jQuery),+function(a){"use strict";function b(){a(d).remove(),a(e).each(function(b){var d=c(a(this));d.hasClass("open")&&(d.trigger(b=a.Event("hide.bs.dropdown")),b.isDefaultPrevented()||d.removeClass("open").trigger("hidden.bs.dropdown"))})}function c(b){var c=b.attr("data-target");c||(c=b.attr("href"),c=c&&/#/.test(c)&&c.replace(/.*(?=#[^\s]*$)/,""));var d=c&&a(c);return d&&d.length?d:b.parent()}var d=".dropdown-backdrop",e="[data-toggle=dropdown]",f=function(b){a(b).on("click.bs.dropdown",this.toggle)};f.prototype.toggle=function(d){var e=a(this);if(!e.is(".disabled, :disabled")){var f=c(e),g=f.hasClass("open");if(b(),!g){if("ontouchstart"in document.documentElement&&!f.closest(".navbar-nav").length&&a('<div class="dropdown-backdrop"/>').insertAfter(a(this)).on("click",b),f.trigger(d=a.Event("show.bs.dropdown")),d.isDefaultPrevented())return;f.toggleClass("open").trigger("shown.bs.dropdown"),e.focus()}return!1}},f.prototype.keydown=function(b){if(/(38|40|27)/.test(b.keyCode)){var d=a(this);if(b.preventDefault(),b.stopPropagation(),!d.is(".disabled, :disabled")){var f=c(d),g=f.hasClass("open");if(!g||g&&27==b.keyCode)return 27==b.which&&f.find(e).focus(),d.click();var h=a("[role=menu] li:not(.divider):visible a",f);if(h.length){var i=h.index(h.filter(":focus"));38==b.keyCode&&i>0&&i--,40==b.keyCode&&i<h.length-1&&i++,~i||(i=0),h.eq(i).focus()}}}};var g=a.fn.dropdown;a.fn.dropdown=function(b){return this.each(function(){var c=a(this),d=c.data("bs.dropdown");d||c.data("bs.dropdown",d=new f(this)),"string"==typeof b&&d[b].call(c)})},a.fn.dropdown.Constructor=f,a.fn.dropdown.noConflict=function(){return a.fn.dropdown=g,this},a(document).on("click.bs.dropdown.data-api",b).on("click.bs.dropdown.data-api",".dropdown form",function(a){a.stopPropagation()}).on("click.bs.dropdown.data-api",e,f.prototype.toggle).on("keydown.bs.dropdown.data-api",e+", [role=menu]",f.prototype.keydown)}(jQuery),+function(a){"use strict";var b=function(b,c){this.options=c,this.$element=a(b),this.$backdrop=this.isShown=null,this.options.remote&&this.$element.load(this.options.remote)};b.DEFAULTS={backdrop:!0,keyboard:!0,show:!0},b.prototype.toggle=function(a){return this[this.isShown?"hide":"show"](a)},b.prototype.show=function(b){var c=this,d=a.Event("show.bs.modal",{relatedTarget:b});this.$element.trigger(d),this.isShown||d.isDefaultPrevented()||(this.isShown=!0,this.escape(),this.$element.on("click.dismiss.modal",'[data-dismiss="modal"]',a.proxy(this.hide,this)),this.backdrop(function(){var d=a.support.transition&&c.$element.hasClass("fade");c.$element.parent().length||c.$element.appendTo(document.body),c.$element.show(),d&&c.$element[0].offsetWidth,c.$element.addClass("in").attr("aria-hidden",!1),c.enforceFocus();var e=a.Event("shown.bs.modal",{relatedTarget:b});d?c.$element.find(".modal-dialog").one(a.support.transition.end,function(){c.$element.focus().trigger(e)}).emulateTransitionEnd(300):c.$element.focus().trigger(e)}))},b.prototype.hide=function(b){b&&b.preventDefault(),b=a.Event("hide.bs.modal"),this.$element.trigger(b),this.isShown&&!b.isDefaultPrevented()&&(this.isShown=!1,this.escape(),a(document).off("focusin.bs.modal"),this.$element.removeClass("in").attr("aria-hidden",!0).off("click.dismiss.modal"),a.support.transition&&this.$element.hasClass("fade")?this.$element.one(a.support.transition.end,a.proxy(this.hideModal,this)).emulateTransitionEnd(300):this.hideModal())},b.prototype.enforceFocus=function(){a(document).off("focusin.bs.modal").on("focusin.bs.modal",a.proxy(function(a){this.$element[0]===a.target||this.$element.has(a.target).length||this.$element.focus()},this))},b.prototype.escape=function(){this.isShown&&this.options.keyboard?this.$element.on("keyup.dismiss.bs.modal",a.proxy(function(a){27==a.which&&this.hide()},this)):this.isShown||this.$element.off("keyup.dismiss.bs.modal")},b.prototype.hideModal=function(){var a=this;this.$element.hide(),this.backdrop(function(){a.removeBackdrop(),a.$element.trigger("hidden.bs.modal")})},b.prototype.removeBackdrop=function(){this.$backdrop&&this.$backdrop.remove(),this.$backdrop=null},b.prototype.backdrop=function(b){var c=this.$element.hasClass("fade")?"fade":"";if(this.isShown&&this.options.backdrop){var d=a.support.transition&&c;if(this.$backdrop=a('<div class="modal-backdrop '+c+'" />').appendTo(document.body),this.$element.on("click.dismiss.modal",a.proxy(function(a){a.target===a.currentTarget&&("static"==this.options.backdrop?this.$element[0].focus.call(this.$element[0]):this.hide.call(this))},this)),d&&this.$backdrop[0].offsetWidth,this.$backdrop.addClass("in"),!b)return;d?this.$backdrop.one(a.support.transition.end,b).emulateTransitionEnd(150):b()}else!this.isShown&&this.$backdrop?(this.$backdrop.removeClass("in"),a.support.transition&&this.$element.hasClass("fade")?this.$backdrop.one(a.support.transition.end,b).emulateTransitionEnd(150):b()):b&&b()};var c=a.fn.modal;a.fn.modal=function(c,d){return this.each(function(){var e=a(this),f=e.data("bs.modal"),g=a.extend({},b.DEFAULTS,e.data(),"object"==typeof c&&c);f||e.data("bs.modal",f=new b(this,g)),"string"==typeof c?f[c](d):g.show&&f.show(d)})},a.fn.modal.Constructor=b,a.fn.modal.noConflict=function(){return a.fn.modal=c,this},a(document).on("click.bs.modal.data-api",'[data-toggle="modal"]',function(b){var c=a(this),d=c.attr("href"),e=a(c.attr("data-target")||d&&d.replace(/.*(?=#[^\s]+$)/,"")),f=e.data("modal")?"toggle":a.extend({remote:!/#/.test(d)&&d},e.data(),c.data());b.preventDefault(),e.modal(f,this).one("hide",function(){c.is(":visible")&&c.focus()})}),a(document).on("show.bs.modal",".modal",function(){a(document.body).addClass("modal-open")}).on("hidden.bs.modal",".modal",function(){a(document.body).removeClass("modal-open")})}(jQuery),+function(a){"use strict";var b=function(a,b){this.type=this.options=this.enabled=this.timeout=this.hoverState=this.$element=null,this.init("tooltip",a,b)};b.DEFAULTS={animation:!0,placement:"top",selector:!1,template:'<div class="tooltip"><div class="tooltip-arrow"></div><div class="tooltip-inner"></div></div>',trigger:"hover focus",title:"",delay:0,html:!1,container:!1},b.prototype.init=function(b,c,d){this.enabled=!0,this.type=b,this.$element=a(c),this.options=this.getOptions(d);for(var e=this.options.trigger.split(" "),f=e.length;f--;){var g=e[f];if("click"==g)this.$element.on("click."+this.type,this.options.selector,a.proxy(this.toggle,this));else if("manual"!=g){var h="hover"==g?"mouseenter":"focus",i="hover"==g?"mouseleave":"blur";this.$element.on(h+"."+this.type,this.options.selector,a.proxy(this.enter,this)),this.$element.on(i+"."+this.type,this.options.selector,a.proxy(this.leave,this))}}this.options.selector?this._options=a.extend({},this.options,{trigger:"manual",selector:""}):this.fixTitle()},b.prototype.getDefaults=function(){return b.DEFAULTS},b.prototype.getOptions=function(b){return b=a.extend({},this.getDefaults(),this.$element.data(),b),b.delay&&"number"==typeof b.delay&&(b.delay={show:b.delay,hide:b.delay}),b},b.prototype.getDelegateOptions=function(){var b={},c=this.getDefaults();return this._options&&a.each(this._options,function(a,d){c[a]!=d&&(b[a]=d)}),b},b.prototype.enter=function(b){var c=b instanceof this.constructor?b:a(b.currentTarget)[this.type](this.getDelegateOptions()).data("bs."+this.type);return clearTimeout(c.timeout),c.hoverState="in",c.options.delay&&c.options.delay.show?(c.timeout=setTimeout(function(){"in"==c.hoverState&&c.show()},c.options.delay.show),void 0):c.show()},b.prototype.leave=function(b){var c=b instanceof this.constructor?b:a(b.currentTarget)[this.type](this.getDelegateOptions()).data("bs."+this.type);return clearTimeout(c.timeout),c.hoverState="out",c.options.delay&&c.options.delay.hide?(c.timeout=setTimeout(function(){"out"==c.hoverState&&c.hide()},c.options.delay.hide),void 0):c.hide()},b.prototype.show=function(){var b=a.Event("show.bs."+this.type);if(this.hasContent()&&this.enabled){if(this.$element.trigger(b),b.isDefaultPrevented())return;var c=this.tip();this.setContent(),this.options.animation&&c.addClass("fade");var d="function"==typeof this.options.placement?this.options.placement.call(this,c[0],this.$element[0]):this.options.placement,e=/\s?auto?\s?/i,f=e.test(d);f&&(d=d.replace(e,"")||"top"),c.detach().css({top:0,left:0,display:"block"}).addClass(d),this.options.container?c.appendTo(this.options.container):c.insertAfter(this.$element);var g=this.getPosition(),h=c[0].offsetWidth,i=c[0].offsetHeight;if(f){var j=this.$element.parent(),k=d,l=document.documentElement.scrollTop||document.body.scrollTop,m="body"==this.options.container?window.innerWidth:j.outerWidth(),n="body"==this.options.container?window.innerHeight:j.outerHeight(),o="body"==this.options.container?0:j.offset().left;d="bottom"==d&&g.top+g.height+i-l>n?"top":"top"==d&&g.top-l-i<0?"bottom":"right"==d&&g.right+h>m?"left":"left"==d&&g.left-h<o?"right":d,c.removeClass(k).addClass(d)}var p=this.getCalculatedOffset(d,g,h,i);this.applyPlacement(p,d),this.$element.trigger("shown.bs."+this.type)}},b.prototype.applyPlacement=function(a,b){var c,d=this.tip(),e=d[0].offsetWidth,f=d[0].offsetHeight,g=parseInt(d.css("margin-top"),10),h=parseInt(d.css("margin-left"),10);isNaN(g)&&(g=0),isNaN(h)&&(h=0),a.top=a.top+g,a.left=a.left+h,d.offset(a).addClass("in");var i=d[0].offsetWidth,j=d[0].offsetHeight;if("top"==b&&j!=f&&(c=!0,a.top=a.top+f-j),/bottom|top/.test(b)){var k=0;a.left<0&&(k=-2*a.left,a.left=0,d.offset(a),i=d[0].offsetWidth,j=d[0].offsetHeight),this.replaceArrow(k-e+i,i,"left")}else this.replaceArrow(j-f,j,"top");c&&d.offset(a)},b.prototype.replaceArrow=function(a,b,c){this.arrow().css(c,a?50*(1-a/b)+"%":"")},b.prototype.setContent=function(){var a=this.tip(),b=this.getTitle();a.find(".tooltip-inner")[this.options.html?"html":"text"](b),a.removeClass("fade in top bottom left right")},b.prototype.hide=function(){function b(){"in"!=c.hoverState&&d.detach()}var c=this,d=this.tip(),e=a.Event("hide.bs."+this.type);return this.$element.trigger(e),e.isDefaultPrevented()?void 0:(d.removeClass("in"),a.support.transition&&this.$tip.hasClass("fade")?d.one(a.support.transition.end,b).emulateTransitionEnd(150):b(),this.$element.trigger("hidden.bs."+this.type),this)},b.prototype.fixTitle=function(){var a=this.$element;(a.attr("title")||"string"!=typeof a.attr("data-original-title"))&&a.attr("data-original-title",a.attr("title")||"").attr("title","")},b.prototype.hasContent=function(){return this.getTitle()},b.prototype.getPosition=function(){var b=this.$element[0];return a.extend({},"function"==typeof b.getBoundingClientRect?b.getBoundingClientRect():{width:b.offsetWidth,height:b.offsetHeight},this.$element.offset())},b.prototype.getCalculatedOffset=function(a,b,c,d){return"bottom"==a?{top:b.top+b.height,left:b.left+b.width/2-c/2}:"top"==a?{top:b.top-d,left:b.left+b.width/2-c/2}:"left"==a?{top:b.top+b.height/2-d/2,left:b.left-c}:{top:b.top+b.height/2-d/2,left:b.left+b.width}},b.prototype.getTitle=function(){var a,b=this.$element,c=this.options;return a=b.attr("data-original-title")||("function"==typeof c.title?c.title.call(b[0]):c.title)},b.prototype.tip=function(){return this.$tip=this.$tip||a(this.options.template)},b.prototype.arrow=function(){return this.$arrow=this.$arrow||this.tip().find(".tooltip-arrow")},b.prototype.validate=function(){this.$element[0].parentNode||(this.hide(),this.$element=null,this.options=null)},b.prototype.enable=function(){this.enabled=!0},b.prototype.disable=function(){this.enabled=!1},b.prototype.toggleEnabled=function(){this.enabled=!this.enabled},b.prototype.toggle=function(b){var c=b?a(b.currentTarget)[this.type](this.getDelegateOptions()).data("bs."+this.type):this;c.tip().hasClass("in")?c.leave(c):c.enter(c)},b.prototype.destroy=function(){this.hide().$element.off("."+this.type).removeData("bs."+this.type)};var c=a.fn.tooltip;a.fn.tooltip=function(c){return this.each(function(){var d=a(this),e=d.data("bs.tooltip"),f="object"==typeof c&&c;e||d.data("bs.tooltip",e=new b(this,f)),"string"==typeof c&&e[c]()})},a.fn.tooltip.Constructor=b,a.fn.tooltip.noConflict=function(){return a.fn.tooltip=c,this}}(jQuery),+function(a){"use strict";var b=function(a,b){this.init("popover",a,b)};if(!a.fn.tooltip)throw new Error("Popover requires tooltip.js");b.DEFAULTS=a.extend({},a.fn.tooltip.Constructor.DEFAULTS,{placement:"right",trigger:"click",content:"",template:'<div class="popover"><div class="arrow"></div><h3 class="popover-title"></h3><div class="popover-content"></div></div>'}),b.prototype=a.extend({},a.fn.tooltip.Constructor.prototype),b.prototype.constructor=b,b.prototype.getDefaults=function(){return b.DEFAULTS},b.prototype.setContent=function(){var a=this.tip(),b=this.getTitle(),c=this.getContent();a.find(".popover-title")[this.options.html?"html":"text"](b),a.find(".popover-content")[this.options.html?"html":"text"](c),a.removeClass("fade top bottom left right in"),a.find(".popover-title").html()||a.find(".popover-title").hide()},b.prototype.hasContent=function(){return this.getTitle()||this.getContent()},b.prototype.getContent=function(){var a=this.$element,b=this.options;return a.attr("data-content")||("function"==typeof b.content?b.content.call(a[0]):b.content)},b.prototype.arrow=function(){return this.$arrow=this.$arrow||this.tip().find(".arrow")},b.prototype.tip=function(){return this.$tip||(this.$tip=a(this.options.template)),this.$tip};var c=a.fn.popover;a.fn.popover=function(c){return this.each(function(){var d=a(this),e=d.data("bs.popover"),f="object"==typeof c&&c;e||d.data("bs.popover",e=new b(this,f)),"string"==typeof c&&e[c]()})},a.fn.popover.Constructor=b,a.fn.popover.noConflict=function(){return a.fn.popover=c,this}}(jQuery),+function(a){"use strict";function b(c,d){var e,f=a.proxy(this.process,this);this.$element=a(c).is("body")?a(window):a(c),this.$body=a("body"),this.$scrollElement=this.$element.on("scroll.bs.scroll-spy.data-api",f),this.options=a.extend({},b.DEFAULTS,d),this.selector=(this.options.target||(e=a(c).attr("href"))&&e.replace(/.*(?=#[^\s]+$)/,"")||"")+" .nav li > a",this.offsets=a([]),this.targets=a([]),this.activeTarget=null,this.refresh(),this.process()}b.DEFAULTS={offset:10},b.prototype.refresh=function(){var b=this.$element[0]==window?"offset":"position";this.offsets=a([]),this.targets=a([]);var c=this;this.$body.find(this.selector).map(function(){var d=a(this),e=d.data("target")||d.attr("href"),f=/^#\w/.test(e)&&a(e);return f&&f.length&&[[f[b]().top+(!a.isWindow(c.$scrollElement.get(0))&&c.$scrollElement.scrollTop()),e]]||null}).sort(function(a,b){return a[0]-b[0]}).each(function(){c.offsets.push(this[0]),c.targets.push(this[1])})},b.prototype.process=function(){var a,b=this.$scrollElement.scrollTop()+this.options.offset,c=this.$scrollElement[0].scrollHeight||this.$body[0].scrollHeight,d=c-this.$scrollElement.height(),e=this.offsets,f=this.targets,g=this.activeTarget;if(b>=d)return g!=(a=f.last()[0])&&this.activate(a);for(a=e.length;a--;)g!=f[a]&&b>=e[a]&&(!e[a+1]||b<=e[a+1])&&this.activate(f[a])},b.prototype.activate=function(b){this.activeTarget=b,a(this.selector).parents(".active").removeClass("active");var c=this.selector+'[data-target="'+b+'"],'+this.selector+'[href="'+b+'"]',d=a(c).parents("li").addClass("active");d.parent(".dropdown-menu").length&&(d=d.closest("li.dropdown").addClass("active")),d.trigger("activate.bs.scrollspy")};var c=a.fn.scrollspy;a.fn.scrollspy=function(c){return this.each(function(){var d=a(this),e=d.data("bs.scrollspy"),f="object"==typeof c&&c;e||d.data("bs.scrollspy",e=new b(this,f)),"string"==typeof c&&e[c]()})},a.fn.scrollspy.Constructor=b,a.fn.scrollspy.noConflict=function(){return a.fn.scrollspy=c,this},a(window).on("load",function(){a('[data-spy="scroll"]').each(function(){var b=a(this);b.scrollspy(b.data())})})}(jQuery),+function(a){"use strict";var b=function(b){this.element=a(b)};b.prototype.show=function(){var b=this.element,c=b.closest("ul:not(.dropdown-menu)"),d=b.data("target");if(d||(d=b.attr("href"),d=d&&d.replace(/.*(?=#[^\s]*$)/,"")),!b.parent("li").hasClass("active")){var e=c.find(".active:last a")[0],f=a.Event("show.bs.tab",{relatedTarget:e});if(b.trigger(f),!f.isDefaultPrevented()){var g=a(d);this.activate(b.parent("li"),c),this.activate(g,g.parent(),function(){b.trigger({type:"shown.bs.tab",relatedTarget:e})})}}},b.prototype.activate=function(b,c,d){function e(){f.removeClass("active").find("> .dropdown-menu > .active").removeClass("active"),b.addClass("active"),g?(b[0].offsetWidth,b.addClass("in")):b.removeClass("fade"),b.parent(".dropdown-menu")&&b.closest("li.dropdown").addClass("active"),d&&d()}var f=c.find("> .active"),g=d&&a.support.transition&&f.hasClass("fade");g?f.one(a.support.transition.end,e).emulateTransitionEnd(150):e(),f.removeClass("in")};var c=a.fn.tab;a.fn.tab=function(c){return this.each(function(){var d=a(this),e=d.data("bs.tab");e||d.data("bs.tab",e=new b(this)),"string"==typeof c&&e[c]()})},a.fn.tab.Constructor=b,a.fn.tab.noConflict=function(){return a.fn.tab=c,this},a(document).on("click.bs.tab.data-api",'[data-toggle="tab"], [data-toggle="pill"]',function(b){b.preventDefault(),a(this).tab("show")})}(jQuery),+function(a){"use strict";var b=function(c,d){this.options=a.extend({},b.DEFAULTS,d),this.$window=a(window).on("scroll.bs.affix.data-api",a.proxy(this.checkPosition,this)).on("click.bs.affix.data-api",a.proxy(this.checkPositionWithEventLoop,this)),this.$element=a(c),this.affixed=this.unpin=null,this.checkPosition()};b.RESET="affix affix-top affix-bottom",b.DEFAULTS={offset:0},b.prototype.checkPositionWithEventLoop=function(){setTimeout(a.proxy(this.checkPosition,this),1)},b.prototype.checkPosition=function(){if(this.$element.is(":visible")){var c=a(document).height(),d=this.$window.scrollTop(),e=this.$element.offset(),f=this.options.offset,g=f.top,h=f.bottom;"object"!=typeof f&&(h=g=f),"function"==typeof g&&(g=f.top()),"function"==typeof h&&(h=f.bottom());var i=null!=this.unpin&&d+this.unpin<=e.top?!1:null!=h&&e.top+this.$element.height()>=c-h?"bottom":null!=g&&g>=d?"top":!1;this.affixed!==i&&(this.unpin&&this.$element.css("top",""),this.affixed=i,this.unpin="bottom"==i?e.top-d:null,this.$element.removeClass(b.RESET).addClass("affix"+(i?"-"+i:"")),"bottom"==i&&this.$element.offset({top:document.body.offsetHeight-h-this.$element.height()}))}};var c=a.fn.affix;a.fn.affix=function(c){return this.each(function(){var d=a(this),e=d.data("bs.affix"),f="object"==typeof c&&c;e||d.data("bs.affix",e=new b(this,f)),"string"==typeof c&&e[c]()})},a.fn.affix.Constructor=b,a.fn.affix.noConflict=function(){return a.fn.affix=c,this},a(window).on("load",function(){a('[data-spy="affix"]').each(function(){var b=a(this),c=b.data();c.offset=c.offset||{},c.offsetBottom&&(c.offset.bottom=c.offsetBottom),c.offsetTop&&(c.offset.top=c.offsetTop),b.affix(c)})})}(jQuery);
\ No newline at end of file
+++ /dev/null
-var q=null;window.PR_SHOULD_USE_CONTINUATION=!0;
-(function(){function L(a){function m(a){var f=a.charCodeAt(0);if(f!==92)return f;var b=a.charAt(1);return(f=r[b])?f:"0"<=b&&b<="7"?parseInt(a.substring(1),8):b==="u"||b==="x"?parseInt(a.substring(2),16):a.charCodeAt(1)}function e(a){if(a<32)return(a<16?"\\x0":"\\x")+a.toString(16);a=String.fromCharCode(a);if(a==="\\"||a==="-"||a==="["||a==="]")a="\\"+a;return a}function h(a){for(var f=a.substring(1,a.length-1).match(/\\u[\dA-Fa-f]{4}|\\x[\dA-Fa-f]{2}|\\[0-3][0-7]{0,2}|\\[0-7]{1,2}|\\[\S\s]|[^\\]/g),a=
-[],b=[],o=f[0]==="^",c=o?1:0,i=f.length;c<i;++c){var j=f[c];if(/\\[bdsw]/i.test(j))a.push(j);else{var j=m(j),d;c+2<i&&"-"===f[c+1]?(d=m(f[c+2]),c+=2):d=j;b.push([j,d]);d<65||j>122||(d<65||j>90||b.push([Math.max(65,j)|32,Math.min(d,90)|32]),d<97||j>122||b.push([Math.max(97,j)&-33,Math.min(d,122)&-33]))}}b.sort(function(a,f){return a[0]-f[0]||f[1]-a[1]});f=[];j=[NaN,NaN];for(c=0;c<b.length;++c)i=b[c],i[0]<=j[1]+1?j[1]=Math.max(j[1],i[1]):f.push(j=i);b=["["];o&&b.push("^");b.push.apply(b,a);for(c=0;c<
-f.length;++c)i=f[c],b.push(e(i[0])),i[1]>i[0]&&(i[1]+1>i[0]&&b.push("-"),b.push(e(i[1])));b.push("]");return b.join("")}function y(a){for(var f=a.source.match(/\[(?:[^\\\]]|\\[\S\s])*]|\\u[\dA-Fa-f]{4}|\\x[\dA-Fa-f]{2}|\\\d+|\\[^\dux]|\(\?[!:=]|[()^]|[^()[\\^]+/g),b=f.length,d=[],c=0,i=0;c<b;++c){var j=f[c];j==="("?++i:"\\"===j.charAt(0)&&(j=+j.substring(1))&&j<=i&&(d[j]=-1)}for(c=1;c<d.length;++c)-1===d[c]&&(d[c]=++t);for(i=c=0;c<b;++c)j=f[c],j==="("?(++i,d[i]===void 0&&(f[c]="(?:")):"\\"===j.charAt(0)&&
-(j=+j.substring(1))&&j<=i&&(f[c]="\\"+d[i]);for(i=c=0;c<b;++c)"^"===f[c]&&"^"!==f[c+1]&&(f[c]="");if(a.ignoreCase&&s)for(c=0;c<b;++c)j=f[c],a=j.charAt(0),j.length>=2&&a==="["?f[c]=h(j):a!=="\\"&&(f[c]=j.replace(/[A-Za-z]/g,function(a){a=a.charCodeAt(0);return"["+String.fromCharCode(a&-33,a|32)+"]"}));return f.join("")}for(var t=0,s=!1,l=!1,p=0,d=a.length;p<d;++p){var g=a[p];if(g.ignoreCase)l=!0;else if(/[a-z]/i.test(g.source.replace(/\\u[\da-f]{4}|\\x[\da-f]{2}|\\[^UXux]/gi,""))){s=!0;l=!1;break}}for(var r=
-{b:8,t:9,n:10,v:11,f:12,r:13},n=[],p=0,d=a.length;p<d;++p){g=a[p];if(g.global||g.multiline)throw Error(""+g);n.push("(?:"+y(g)+")")}return RegExp(n.join("|"),l?"gi":"g")}function M(a){function m(a){switch(a.nodeType){case 1:if(e.test(a.className))break;for(var g=a.firstChild;g;g=g.nextSibling)m(g);g=a.nodeName;if("BR"===g||"LI"===g)h[s]="\n",t[s<<1]=y++,t[s++<<1|1]=a;break;case 3:case 4:g=a.nodeValue,g.length&&(g=p?g.replace(/\r\n?/g,"\n"):g.replace(/[\t\n\r ]+/g," "),h[s]=g,t[s<<1]=y,y+=g.length,
-t[s++<<1|1]=a)}}var e=/(?:^|\s)nocode(?:\s|$)/,h=[],y=0,t=[],s=0,l;a.currentStyle?l=a.currentStyle.whiteSpace:window.getComputedStyle&&(l=document.defaultView.getComputedStyle(a,q).getPropertyValue("white-space"));var p=l&&"pre"===l.substring(0,3);m(a);return{a:h.join("").replace(/\n$/,""),c:t}}function B(a,m,e,h){m&&(a={a:m,d:a},e(a),h.push.apply(h,a.e))}function x(a,m){function e(a){for(var l=a.d,p=[l,"pln"],d=0,g=a.a.match(y)||[],r={},n=0,z=g.length;n<z;++n){var f=g[n],b=r[f],o=void 0,c;if(typeof b===
-"string")c=!1;else{var i=h[f.charAt(0)];if(i)o=f.match(i[1]),b=i[0];else{for(c=0;c<t;++c)if(i=m[c],o=f.match(i[1])){b=i[0];break}o||(b="pln")}if((c=b.length>=5&&"lang-"===b.substring(0,5))&&!(o&&typeof o[1]==="string"))c=!1,b="src";c||(r[f]=b)}i=d;d+=f.length;if(c){c=o[1];var j=f.indexOf(c),k=j+c.length;o[2]&&(k=f.length-o[2].length,j=k-c.length);b=b.substring(5);B(l+i,f.substring(0,j),e,p);B(l+i+j,c,C(b,c),p);B(l+i+k,f.substring(k),e,p)}else p.push(l+i,b)}a.e=p}var h={},y;(function(){for(var e=a.concat(m),
-l=[],p={},d=0,g=e.length;d<g;++d){var r=e[d],n=r[3];if(n)for(var k=n.length;--k>=0;)h[n.charAt(k)]=r;r=r[1];n=""+r;p.hasOwnProperty(n)||(l.push(r),p[n]=q)}l.push(/[\S\s]/);y=L(l)})();var t=m.length;return e}function u(a){var m=[],e=[];a.tripleQuotedStrings?m.push(["str",/^(?:'''(?:[^'\\]|\\[\S\s]|''?(?=[^']))*(?:'''|$)|"""(?:[^"\\]|\\[\S\s]|""?(?=[^"]))*(?:"""|$)|'(?:[^'\\]|\\[\S\s])*(?:'|$)|"(?:[^"\\]|\\[\S\s])*(?:"|$))/,q,"'\""]):a.multiLineStrings?m.push(["str",/^(?:'(?:[^'\\]|\\[\S\s])*(?:'|$)|"(?:[^"\\]|\\[\S\s])*(?:"|$)|`(?:[^\\`]|\\[\S\s])*(?:`|$))/,
-q,"'\"`"]):m.push(["str",/^(?:'(?:[^\n\r'\\]|\\.)*(?:'|$)|"(?:[^\n\r"\\]|\\.)*(?:"|$))/,q,"\"'"]);a.verbatimStrings&&e.push(["str",/^@"(?:[^"]|"")*(?:"|$)/,q]);var h=a.hashComments;h&&(a.cStyleComments?(h>1?m.push(["com",/^#(?:##(?:[^#]|#(?!##))*(?:###|$)|.*)/,q,"#"]):m.push(["com",/^#(?:(?:define|elif|else|endif|error|ifdef|include|ifndef|line|pragma|undef|warning)\b|[^\n\r]*)/,q,"#"]),e.push(["str",/^<(?:(?:(?:\.\.\/)*|\/?)(?:[\w-]+(?:\/[\w-]+)+)?[\w-]+\.h|[a-z]\w*)>/,q])):m.push(["com",/^#[^\n\r]*/,
-q,"#"]));a.cStyleComments&&(e.push(["com",/^\/\/[^\n\r]*/,q]),e.push(["com",/^\/\*[\S\s]*?(?:\*\/|$)/,q]));a.regexLiterals&&e.push(["lang-regex",/^(?:^^\.?|[!+-]|!=|!==|#|%|%=|&|&&|&&=|&=|\(|\*|\*=|\+=|,|-=|->|\/|\/=|:|::|;|<|<<|<<=|<=|=|==|===|>|>=|>>|>>=|>>>|>>>=|[?@[^]|\^=|\^\^|\^\^=|{|\||\|=|\|\||\|\|=|~|break|case|continue|delete|do|else|finally|instanceof|return|throw|try|typeof)\s*(\/(?=[^*/])(?:[^/[\\]|\\[\S\s]|\[(?:[^\\\]]|\\[\S\s])*(?:]|$))+\/)/]);(h=a.types)&&e.push(["typ",h]);a=(""+a.keywords).replace(/^ | $/g,
-"");a.length&&e.push(["kwd",RegExp("^(?:"+a.replace(/[\s,]+/g,"|")+")\\b"),q]);m.push(["pln",/^\s+/,q," \r\n\t\xa0"]);e.push(["lit",/^@[$_a-z][\w$@]*/i,q],["typ",/^(?:[@_]?[A-Z]+[a-z][\w$@]*|\w+_t\b)/,q],["pln",/^[$_a-z][\w$@]*/i,q],["lit",/^(?:0x[\da-f]+|(?:\d(?:_\d+)*\d*(?:\.\d*)?|\.\d\+)(?:e[+-]?\d+)?)[a-z]*/i,q,"0123456789"],["pln",/^\\[\S\s]?/,q],["pun",/^.[^\s\w"-$'./@\\`]*/,q]);return x(m,e)}function D(a,m){function e(a){switch(a.nodeType){case 1:if(k.test(a.className))break;if("BR"===a.nodeName)h(a),
-a.parentNode&&a.parentNode.removeChild(a);else for(a=a.firstChild;a;a=a.nextSibling)e(a);break;case 3:case 4:if(p){var b=a.nodeValue,d=b.match(t);if(d){var c=b.substring(0,d.index);a.nodeValue=c;(b=b.substring(d.index+d[0].length))&&a.parentNode.insertBefore(s.createTextNode(b),a.nextSibling);h(a);c||a.parentNode.removeChild(a)}}}}function h(a){function b(a,d){var e=d?a.cloneNode(!1):a,f=a.parentNode;if(f){var f=b(f,1),g=a.nextSibling;f.appendChild(e);for(var h=g;h;h=g)g=h.nextSibling,f.appendChild(h)}return e}
-for(;!a.nextSibling;)if(a=a.parentNode,!a)return;for(var a=b(a.nextSibling,0),e;(e=a.parentNode)&&e.nodeType===1;)a=e;d.push(a)}var k=/(?:^|\s)nocode(?:\s|$)/,t=/\r\n?|\n/,s=a.ownerDocument,l;a.currentStyle?l=a.currentStyle.whiteSpace:window.getComputedStyle&&(l=s.defaultView.getComputedStyle(a,q).getPropertyValue("white-space"));var p=l&&"pre"===l.substring(0,3);for(l=s.createElement("LI");a.firstChild;)l.appendChild(a.firstChild);for(var d=[l],g=0;g<d.length;++g)e(d[g]);m===(m|0)&&d[0].setAttribute("value",
-m);var r=s.createElement("OL");r.className="linenums";for(var n=Math.max(0,m-1|0)||0,g=0,z=d.length;g<z;++g)l=d[g],l.className="L"+(g+n)%10,l.firstChild||l.appendChild(s.createTextNode("\xa0")),r.appendChild(l);a.appendChild(r)}function k(a,m){for(var e=m.length;--e>=0;){var h=m[e];A.hasOwnProperty(h)?window.console&&console.warn("cannot override language handler %s",h):A[h]=a}}function C(a,m){if(!a||!A.hasOwnProperty(a))a=/^\s*</.test(m)?"default-markup":"default-code";return A[a]}function E(a){var m=
-a.g;try{var e=M(a.h),h=e.a;a.a=h;a.c=e.c;a.d=0;C(m,h)(a);var k=/\bMSIE\b/.test(navigator.userAgent),m=/\n/g,t=a.a,s=t.length,e=0,l=a.c,p=l.length,h=0,d=a.e,g=d.length,a=0;d[g]=s;var r,n;for(n=r=0;n<g;)d[n]!==d[n+2]?(d[r++]=d[n++],d[r++]=d[n++]):n+=2;g=r;for(n=r=0;n<g;){for(var z=d[n],f=d[n+1],b=n+2;b+2<=g&&d[b+1]===f;)b+=2;d[r++]=z;d[r++]=f;n=b}for(d.length=r;h<p;){var o=l[h+2]||s,c=d[a+2]||s,b=Math.min(o,c),i=l[h+1],j;if(i.nodeType!==1&&(j=t.substring(e,b))){k&&(j=j.replace(m,"\r"));i.nodeValue=
-j;var u=i.ownerDocument,v=u.createElement("SPAN");v.className=d[a+1];var x=i.parentNode;x.replaceChild(v,i);v.appendChild(i);e<o&&(l[h+1]=i=u.createTextNode(t.substring(b,o)),x.insertBefore(i,v.nextSibling))}e=b;e>=o&&(h+=2);e>=c&&(a+=2)}}catch(w){"console"in window&&console.log(w&&w.stack?w.stack:w)}}var v=["break,continue,do,else,for,if,return,while"],w=[[v,"auto,case,char,const,default,double,enum,extern,float,goto,int,long,register,short,signed,sizeof,static,struct,switch,typedef,union,unsigned,void,volatile"],
-"catch,class,delete,false,import,new,operator,private,protected,public,this,throw,true,try,typeof"],F=[w,"alignof,align_union,asm,axiom,bool,concept,concept_map,const_cast,constexpr,decltype,dynamic_cast,explicit,export,friend,inline,late_check,mutable,namespace,nullptr,reinterpret_cast,static_assert,static_cast,template,typeid,typename,using,virtual,where"],G=[w,"abstract,boolean,byte,extends,final,finally,implements,import,instanceof,null,native,package,strictfp,super,synchronized,throws,transient"],
-H=[G,"as,base,by,checked,decimal,delegate,descending,dynamic,event,fixed,foreach,from,group,implicit,in,interface,internal,into,is,lock,object,out,override,orderby,params,partial,readonly,ref,sbyte,sealed,stackalloc,string,select,uint,ulong,unchecked,unsafe,ushort,var"],w=[w,"debugger,eval,export,function,get,null,set,undefined,var,with,Infinity,NaN"],I=[v,"and,as,assert,class,def,del,elif,except,exec,finally,from,global,import,in,is,lambda,nonlocal,not,or,pass,print,raise,try,with,yield,False,True,None"],
-J=[v,"alias,and,begin,case,class,def,defined,elsif,end,ensure,false,in,module,next,nil,not,or,redo,rescue,retry,self,super,then,true,undef,unless,until,when,yield,BEGIN,END"],v=[v,"case,done,elif,esac,eval,fi,function,in,local,set,then,until"],K=/^(DIR|FILE|vector|(de|priority_)?queue|list|stack|(const_)?iterator|(multi)?(set|map)|bitset|u?(int|float)\d*)/,N=/\S/,O=u({keywords:[F,H,w,"caller,delete,die,do,dump,elsif,eval,exit,foreach,for,goto,if,import,last,local,my,next,no,our,print,package,redo,require,sub,undef,unless,until,use,wantarray,while,BEGIN,END"+
-I,J,v],hashComments:!0,cStyleComments:!0,multiLineStrings:!0,regexLiterals:!0}),A={};k(O,["default-code"]);k(x([],[["pln",/^[^<?]+/],["dec",/^<!\w[^>]*(?:>|$)/],["com",/^<\!--[\S\s]*?(?:--\>|$)/],["lang-",/^<\?([\S\s]+?)(?:\?>|$)/],["lang-",/^<%([\S\s]+?)(?:%>|$)/],["pun",/^(?:<[%?]|[%?]>)/],["lang-",/^<xmp\b[^>]*>([\S\s]+?)<\/xmp\b[^>]*>/i],["lang-js",/^<script\b[^>]*>([\S\s]*?)(<\/script\b[^>]*>)/i],["lang-css",/^<style\b[^>]*>([\S\s]*?)(<\/style\b[^>]*>)/i],["lang-in.tag",/^(<\/?[a-z][^<>]*>)/i]]),
-["default-markup","htm","html","mxml","xhtml","xml","xsl"]);k(x([["pln",/^\s+/,q," \t\r\n"],["atv",/^(?:"[^"]*"?|'[^']*'?)/,q,"\"'"]],[["tag",/^^<\/?[a-z](?:[\w-.:]*\w)?|\/?>$/i],["atn",/^(?!style[\s=]|on)[a-z](?:[\w:-]*\w)?/i],["lang-uq.val",/^=\s*([^\s"'>]*(?:[^\s"'/>]|\/(?=\s)))/],["pun",/^[/<->]+/],["lang-js",/^on\w+\s*=\s*"([^"]+)"/i],["lang-js",/^on\w+\s*=\s*'([^']+)'/i],["lang-js",/^on\w+\s*=\s*([^\s"'>]+)/i],["lang-css",/^style\s*=\s*"([^"]+)"/i],["lang-css",/^style\s*=\s*'([^']+)'/i],["lang-css",
-/^style\s*=\s*([^\s"'>]+)/i]]),["in.tag"]);k(x([],[["atv",/^[\S\s]+/]]),["uq.val"]);k(u({keywords:F,hashComments:!0,cStyleComments:!0,types:K}),["c","cc","cpp","cxx","cyc","m"]);k(u({keywords:"null,true,false"}),["json"]);k(u({keywords:H,hashComments:!0,cStyleComments:!0,verbatimStrings:!0,types:K}),["cs"]);k(u({keywords:G,cStyleComments:!0}),["java"]);k(u({keywords:v,hashComments:!0,multiLineStrings:!0}),["bsh","csh","sh"]);k(u({keywords:I,hashComments:!0,multiLineStrings:!0,tripleQuotedStrings:!0}),
-["cv","py"]);k(u({keywords:"caller,delete,die,do,dump,elsif,eval,exit,foreach,for,goto,if,import,last,local,my,next,no,our,print,package,redo,require,sub,undef,unless,until,use,wantarray,while,BEGIN,END",hashComments:!0,multiLineStrings:!0,regexLiterals:!0}),["perl","pl","pm"]);k(u({keywords:J,hashComments:!0,multiLineStrings:!0,regexLiterals:!0}),["rb"]);k(u({keywords:w,cStyleComments:!0,regexLiterals:!0}),["js"]);k(u({keywords:"all,and,by,catch,class,else,extends,false,finally,for,if,in,is,isnt,loop,new,no,not,null,of,off,on,or,return,super,then,true,try,unless,until,when,while,yes",
-hashComments:3,cStyleComments:!0,multilineStrings:!0,tripleQuotedStrings:!0,regexLiterals:!0}),["coffee"]);k(x([],[["str",/^[\S\s]+/]]),["regex"]);window.prettyPrintOne=function(a,m,e){var h=document.createElement("PRE");h.innerHTML=a;e&&D(h,e);E({g:m,i:e,h:h});return h.innerHTML};window.prettyPrint=function(a){function m(){for(var e=window.PR_SHOULD_USE_CONTINUATION?l.now()+250:Infinity;p<h.length&&l.now()<e;p++){var n=h[p],k=n.className;if(k.indexOf("prettyprint")>=0){var k=k.match(g),f,b;if(b=
-!k){b=n;for(var o=void 0,c=b.firstChild;c;c=c.nextSibling)var i=c.nodeType,o=i===1?o?b:c:i===3?N.test(c.nodeValue)?b:o:o;b=(f=o===b?void 0:o)&&"CODE"===f.tagName}b&&(k=f.className.match(g));k&&(k=k[1]);b=!1;for(o=n.parentNode;o;o=o.parentNode)if((o.tagName==="pre"||o.tagName==="code"||o.tagName==="xmp")&&o.className&&o.className.indexOf("prettyprint")>=0){b=!0;break}b||((b=(b=n.className.match(/\blinenums\b(?::(\d+))?/))?b[1]&&b[1].length?+b[1]:!0:!1)&&D(n,b),d={g:k,h:n,i:b},E(d))}}p<h.length?setTimeout(m,
-250):a&&a()}for(var e=[document.getElementsByTagName("pre"),document.getElementsByTagName("code"),document.getElementsByTagName("xmp")],h=[],k=0;k<e.length;++k)for(var t=0,s=e[k].length;t<s;++t)h.push(e[k][t]);var e=q,l=Date;l.now||(l={now:function(){return+new Date}});var p=0,d,g=/\blang(?:uage)?-([\w.]+)(?!\S)/;m()};window.PR={createSimpleLexer:x,registerLangHandler:k,sourceDecorator:u,PR_ATTRIB_NAME:"atn",PR_ATTRIB_VALUE:"atv",PR_COMMENT:"com",PR_DECLARATION:"dec",PR_KEYWORD:"kwd",PR_LITERAL:"lit",
-PR_NOCODE:"nocode",PR_PLAIN:"pln",PR_PUNCTUATION:"pun",PR_SOURCE:"src",PR_STRING:"str",PR_TAG:"tag",PR_TYPE:"typ"}})();
+++ /dev/null
-<div class="navbar navbar-default navbar-fixed-top" role="navigation">
- <div class="container">
-
- <!-- Collapsed navigation -->
- <div class="navbar-header">
- <!-- Expander button -->
- <button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
- <span class="sr-only">Toggle navigation</span>
- <span class="icon-bar"></span>
- <span class="icon-bar"></span>
- <span class="icon-bar"></span>
- </button>
-
- <!-- Main title -->
- <a class="navbar-brand" href="{{ homepage_url }}">{{ site_name }}</a>
- </div>
-
- <!-- Expanded navigation -->
- <div class="navbar-collapse collapse">
- <!-- Main navigation -->
- <ul class="nav navbar-nav">
- {% for nav_item in nav %}
- {% if nav_item.children %}
- <li class="dropdown{% if nav_item.active %} active{% endif %}">
- <a href="#" class="dropdown-toggle" data-toggle="dropdown">{{ nav_item.title }} <b class="caret"></b></a>
- <ul class="dropdown-menu">
- {% for nav_item in nav_item.children %}
- <li {% if nav_item.active %}class="active"{% endif %}>
- <a href="{{ nav_item.url }}">{{ nav_item.title }}</a>
- </li>
- {% endfor %}
- </ul>
- </li>
- {% else %}
- <li {% if nav_item.active %}class="active"{% endif %}>
- <a href="{{ nav_item.url }}">{{ nav_item.title }}</a>
- </li>
- {% endif %}
- {% endfor %}
- </ul>
-
- <!-- Search, Navigation and Repo links -->
- <ul class="nav navbar-nav navbar-right">
- {% if include_search %}
- <li>
- <a href="#searchModal" data-toggle="modal"><i class="fa fa-search"></i> Search</a>
- </li>
- {% endif %}
- </ul>
- </div>
- </div>
-</div>
+++ /dev/null
-<div class="bs-sidebar hidden-print affix well" role="complementary">
- <ul class="nav bs-sidenav">
- {% for toc_item in toc %}
- <li class="main {% if toc_item.active %}active{% endif %}"><a href="{{ toc_item.url }}">{{ toc_item.title }}</a></li>
- {% for toc_item in toc_item.children %}
- <li><a href="{{ toc_item.url }}">{{ toc_item.title }}</a></li>
- {% endfor %}
- {% endfor %}
- </ul>
-</div>
+++ /dev/null
-# Tools to analyse DNS traffic
-DNS is highly mission critical, it is therefore necessary to be able to
-study and compare DNS traffic. Since version 2.9.18, PowerDNS comes with
-various tools to aid in analysis.
-
-The following tools are available:
-
- * [dnsbulktest](../manpages/dnsbulktest.1.md) - A resolver stress-tester
- * [dnsgram](../manpages/dnsgram.1.md) - Show per 5-second statistics to study intermittent resolver issues
- * [dnsreplay](../manpages/dnsreplay.1.md) - Replay a pcap with DNS queries
- * [dnsscan](../manpages/dnsscan.1.md) - Prints the query-type amounts in a pcap
- * [dnsscope](../manpages/dnsscope.1.md) - Calculates statistics without replaying traffic
- * [dnstcpbench](../manpages/dnstcpbench.1.md) - Perform TCP benchmarking of DNS servers
- * [dnswasher](../manpages/dnswasher.1.md) - Clean a pcap of identifying IP information
- * [nsec3dig](../manpages/nsec3dig.1.md) - Calculate the correctness of NSEC3 proofs
- * [saxfr](../manpages/saxfr.1.md) - AXFR zones and show extra information
-
-# Downloading the tools
-The PowerDNS tools do not (yet) follow an independent release process.
-However, we keep them working, and they are shipped with PowerDNS
-Authoritative Server tarballs.
-
-In addition, our build infrastructure creates fresh Linux packages for every
-commit, and these can be found on:
-
- * <https://autotest.powerdns.com/job/auth-git-semistatic-deb-amd64/>
- * <https://autotest.powerdns.com/job/auth-git-semistatic-deb-i386/>
- * <https://autotest.powerdns.com/job/auth-git-semistatic-rpm-amd64/>
- * <https://autotest.powerdns.com/job/auth-git-semistatic-rpm-i386/>
+++ /dev/null
-# Supported Record Types
-This chapter lists all record types PowerDNS supports, and how they are stored in
-backends. The list is mostly alphabetical but some types are grouped.
-
-**Warning**: Host names and the MNAME of a SOA records are NEVER terminated with
-a '.' in PowerDNS storage! If a trailing '.' is present it will inevitably cause
-problems, problems that may be hard to debug. Use [`pdnsutil check-zone`](authoritative/dnssec.md#pdnsutil)
-to validate your zone data.
-
-**Note**: Whenever the storage format is mentioned, this relates only to the way
-the record should be stored in one of the [generic SQL](authoritative/backend-generic-sql.md)
-backends. The other backends should use their *native* format.
-
-The PowerDNS Recursor can serve and store all record types, regardless of whether
-these are explicitly supported.
-
-## A
-The A record contains an IP address. It is stored as a decimal dotted quad
-string, for example: '203.0.113.210'.
-
-## AAAA
-The AAAA record contains an IPv6 address. An example: '2001:DB8:2000:bf0::1'.
-
-## AFSDB
-A specialised record type for the 'Andrew Filesystem'. Stored as: '\#subtype hostname',
-where subtype is a number.
-
-## ALIAS
-Since 4.0.0, the ALIAS pseudo-record type is supported to provide CNAME-like
-mechanisms on a zone's apex. See the [howto](authoritative/howtos.md#using-alias-records)
-for information on how to configure PowerDNS to serve records synthesized from
-ALIAS records.
-
-## CAA
-Since 4.0.0. The "Certification Authority Authorization" record, specified in
-[RFC 6844](https://tools.ietf.org/html/rfc6844), is used to specify Certificate
-Authorities that may issue certificates for a domain.
-
-## CERT
-Specialised record type for storing certificates, defined in
-[RFC 2538](http://tools.ietf.org/html/rfc2538).
-
-## CDNSKEY
-Since 4.0.0. The CDNSKEY ([Child DNSKEY](https://tools.ietf.org/html/rfc7344#section-3.2))
-type is supported.
-
-## CDS
-Since 4.0.0. The CDS ([Child DS](https://tools.ietf.org/html/rfc7344#section-3.1))
-type is supported.
-
-## CNAME
-The CNAME record specifies the canonical name of a record. It is stored plainly.
-Like all other records, it is not terminated by a dot. A sample might be
-'webserver-01.yourcompany.com'.
-
-## DNSKEY
-The DNSKEY DNSSEC record type is fully supported, as described in [RFC 4034](https://tools.ietf.org/html/rfc4034).
-Enabling DNSSEC for domains can be done with [`pdnsutil`](authoritative/dnssec.md#pdnsutil "'pdnsutil' for PowerDNS command & control").
-
-## DNAME
-The DNAME record, as specified in [RFC 6672](http://tools.ietf.org/html/rfc6672)
-is supported. However, [`dname-processing`](authoritative/settings.md#dname-processing) has
-to be set to `yes` for PowerDNS to process these records.
-
-## DS
-The DS DNSSEC record type is fully supported, as described in [RFC 4034](https://tools.ietf.org/html/rfc4034).
-Enabling DNSSEC for domains can be done with [`pdnsutil`](authoritative/dnssec.md#pdnsutil "'pdnsutil' for PowerDNS command & control").
-
-## HINFO
-Hardware Info record, used to specify CPU and operating system. Stored with a
-single space separating these two, example: 'i386 Linux'.
-
-## KEY
-The KEY record is fully supported. For its syntax, see [RFC 2535](http://tools.ietf.org/html/rfc2535).
-
-## LOC
-The LOC record is fully supported. For its syntax, see [RFC 1876](http://tools.ietf.org/html/rfc1876).
-A sample content would be: `51 56 0.123 N 5 54 0.000 E 4.00m 1.00m 10000.00m 10.00m`
-
-## MX
-The MX record specifies a mail exchanger host for a domain. Each mail exchanger
-also has a priority or preference. For example `10 mx.example.net`. In the generic
-SQL backends, the `10` should go in the 'priority field'.
-
-## NAPTR
-Naming Authority Pointer, [RFC 2915](http://tools.ietf.org/html/rfc2915). Stored as follows:
-
-```
-'100 50 "s" "z3950+I2L+I2C" "" _z3950._tcp.gatech.edu'.
-```
-
-The fields are: order, preference, flags, service, regex, replacement.
-Note that the replacement is not enclosed in quotes, and should not be. The
-replacement may be omitted, in which case it is empty. See also [RFC 2916](http://tools.ietf.org/html/rfc2916)
-for how to use NAPTR for ENUM (E.164) purposes.
-
-## NS
-Nameserver record. Specifies nameservers for a domain. Stored plainly:
-`ns1.powerdns.com`, as always without a terminating dot.
-
-## NSEC, NSEC3, NSEC3PARAM
-The NSEC, NSEC3 and NSEC3PARAM DNSSEC record type are fully supported, as described
-in [RFC 4034](http://tools.ietf.org/html/rfc4034). To enable DNSSEC, use
-[`pdnsutil`](authoritative/dnssec.md#pdnsutil "'pdnsutil' for PowerDNS command & control").
-
-## OPENPGPKEY
-Since 3.4.7. The OPENPGPKEY records, specified in [RFC TBD](https://tools.ietf.org/html/draft-ietf-dane-openpgpkey-06),
-are used to bind OpenPGP certificates to email addresses.
-
-## PTR
-Reverse pointer, used to specify the host name belonging to an IP or IPv6 address.
-Name is stored plainly: `www.powerdns.com`. As always, no terminating dot.
-
-## RP
-Responsible Person record, as described in [RFC 1183](http://tools.ietf.org/html/rfc1183).
-Stored with a single space between the mailbox name and the more-information pointer.
-Example: `peter.powerdns.com peter.people.powerdns.com`, to indicate that
-`peter@powerdns.com` is responsible and that more information about peter is
-available by querying the TXT record of peter.people.powerdns.com.
-
-## RRSIG
-The RRSIG DNSSEC record type is fully supported, as described in [RFC 4034](http://tools.ietf.org/html/rfc4034).
-To enable DNSSEC processing, use [pdnsutil](authoritative/dnssec.md#pdnsutil).
-
-## SOA
-The Start of Authority record is one of the most complex available. It specifies
-a lot about a domain: the name of the master nameserver ('the primary'), the
-hostmaster and a set of numbers indicating how the data in this domain expires
-and how often it needs to be checked. Further more, it contains a serial number
-which should rise on each change of the domain.
-
-The stored format is:
-
-```
- primary hostmaster serial refresh retry expire default_ttl
-```
-
-Besides the primary and the hostmaster, all fields are numerical. PowerDNS has a set of default values:
-
- * primary: [`default-soa-name`](authoritative/settings.md#default-soa-name) configuration option
- * hostmaster: `hostmaster@domain-name`
- * serial: 0
- * refresh: 10800 (3 hours)
- * retry: 3600 (1 hour)
- * expire: 604800 (1 week)
- * default\_ttl: 3600 (1 hour)
-
-The fields have complicated and sometimes controversial meanings. The 'serial'
-field is special. If left at 0, the default, PowerDNS will perform an internal list
-of the domain to determine highest change\_date field of all records within the
-zone, and use that as the zone serial number. This means that the serial number
-is always raised when changes are made to the zone, as long as the change\_date
-field is being set. Make sure to check whether your backend of choice supports
-Autoserial.
-
-## SPF
-SPF records can be used to store Sender Policy Framework details
-([RFC 4408](http://tools.ietf.org/html/rfc4408)).
-
-## SSHFP
-The SSHFP record type, used for storing Secure Shell (SSH) fingerprints, is
-fully supported. A sample from [RFC 4255](http://tools.ietf.org/html/rfc4255) is:
-`2 1 123456789abcdef67890123456789abcdef67890`.
-
-## SRV
-SRV records can be used to encode the location and port of services on a domain
-name. When encoding, the priority field is used to encode the priority. For example,
-`_ldap._tcp.dc._msdcs.conaxis.ch SRV 0 100 389 mars.conaxis.ch` would be encoded
-with `0` in the priority field and `100 389 mars.conaxis.ch` in the content field.
-
-## TKEY, TSIG
-The TKEY ([RFC 2930](http://tools.ietf.org/html/rfc2930)) and TSIG records
-([RFC 2845](http://tools.ietf.org/html/rfc2845), used for key-exchange and
-authenticated AXFRs, are supported. See the
-[Modes of operation](authoritative/modes-of-operation.md#tsig-shared-secret-authorization-and-authentication)
-and [DNS update](authoritative/dnsupdate.md) documentation for more information.
-
-## TLSA
-Since 3.0. The TLSA records, specified in [RFC 6698](http://tools.ietf.org/html/rfc6698),
-are used to bind SSL/TLS certificate to named hosts and ports.
-
-## SMIMEA
-Since 4.1. The SMIMEA record type, specified in [RFC 8162](http://tools.ietf.org/html/rfc8162), is used to bind S/MIME certificates to domains.
-
-## TXT
-The TXT field can be used to attach textual data to a domain. Text is stored
-plainly, PowerDNS understands content not enclosed in quotes. However, all quotes
-characters (`"`) in the TXT content must be preceded with a backslash (`\`).:
-
-```
-"This \"is\" valid"
-```
-
-For a literal backslash in the TXT record, escape it:
-
-```
-"This is also \\ valid"
-```
-
-Unicode characters can be added in two ways, either by adding the character itself
-or the escaped variant to the content field. e.g. `"ç"` is equal to `"\195\167"`.
-
-When a TXT record is longer than 255 characters/bytes (excluding possible enclosing
-quotes), PowerDNS will cut up the content into 255 character/byte chunks for
-transmission to the client.
-
-## URI
-The URI record, specified in [RFC 7553](http://tools.ietf.org/html/rfc7553), is
-used to publish mappings from hostnames to URIs.
-
-## Other types
-The following, rarely used or obsolete record types, are also supported:
-
-* A6 ([RFC 2874](http://tools.ietf.org/html/rfc2874), obsolete)
-* DHCID ([RFC 4701](http://tools.ietf.org/html/rfc4701))
-* DLV ([RFC 4431](http://tools.ietf.org/html/rfc4431))
-* EUI48/EUI64 ([RFC 7043](http://tools.ietf.org/html/rfc7043))
-* IPSECKEY ([RFC 4025](http://tools.ietf.org/html/rfc4024))
-* KEY ([RFC 2535](http://tools.ietf.org/html/rfc2535), obsolete)
-* KX ([RFC 2230](http://tools.ietf.org/html/rfc2230))
-* MAILA ([RFC 1035](http://tools.ietf.org/html/rfc1035))
-* MAILB ([RFC 1035](http://tools.ietf.org/html/rfc1035))
-* MINFO ([RFC 1035](http://tools.ietf.org/html/rfc1035))
-* MR ([RFC 1035](http://tools.ietf.org/html/rfc1035))
-* RKEY ([draft-reid-dnsext-rkey-00.txt](https://tools.ietf.org/html/draft-reid-dnsext-rkey-00))
-* SIG ([RFC 2535](http://tools.ietf.org/html/rfc2535), obsolete)
-* WKS ([RFC 1035](http://tools.ietf.org/html/rfc1035))
--- /dev/null
+Migrating to PowerDNS
+=====================
+
+Before migrating to PowerDNS a few things should be considered.
+
+PowerDNS does not operate as a :ref:`slave-operation` or
+:ref:`master-operation` server with all backends. The :doc:`Generic SQL <backends/generic-sql>` and
+:doc:`BIND <backends/bind>` backends have the ability to act as master or
+slave. See the :doc:`table of backends <backends/index>`
+which other backends support these modes.
+
+Using AXFR to a Slave-Capable Backend
+-------------------------------------
+
+The easiest way to migrate all your zones from your old infrastructure
+to PowerDNS is to add all your domains as a slave domain with your
+current master as the master, wait for the zones to be transferred and
+change the zones to master. Make sure :ref:`setting-slave` is set to "yes"
+in your pdns.conf.
+
+To A Generic SQL Backend
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. note::
+ This assumes the schema provided with PowerDNS is in place
+
+In order to migrate to a Generic SQL backend, add all your domains to
+the 'domains' table with the IP of your current master. On your current
+master, make sure that this master allows AXFRs to this new slave.
+
+::
+
+ INSERT INTO domains (name,type,master) VALUES ('example.net', 'SLAVE', '198.51.100.101');
+
+Then start PowerDNS and wait for all the zones to be transferred. If
+this server is the new :ref:`master <master-operation>`, change the type of
+domain in the database:
+
+::
+
+ UPDATE domains set type='MASTER' where type='SLAVE';
+
+And set :ref:`setting-master` to "yes" in your pdns.conf
+and restart PowerDNS.
+
+Or, if you want to use :ref:`native <native-operation>`:
+
+::
+
+ UPDATE domains set type='NATIVE' where type='SLAVE';
+
+To the BIND backend
+~~~~~~~~~~~~~~~~~~~
+
+Create a named.conf with all the domains as slave domains, e.g.:
+
+::
+
+ zone "example.net" in {
+ type slave;
+ file "/var/lib/powerdns/zones/example.net.zone";
+ masters {
+ 198.51.100.101;
+ };
+ };
+
+Make sure the directory is writable for the ``pdns_server`` process and
+that :ref:`setting-bind-config` parameter
+references this file. Now start PowerDNS and wait untill all zones are
+transferred. Now you can change the zone type to master:
+
+::
+
+ zone "example.net" in {
+ type master;
+ file "/var/lib/powerdns/zones/example.net.zone";
+ };
+
+Don't forget to enable :ref:`setting-master` in your
+pdns.conf and restart, or if this setting was already set, use
+``pdns_control rediscover`` to load these zones as master zones.
+
+From zonefiles to PowerDNS
+--------------------------
+
+Using the BIND backend
+~~~~~~~~~~~~~~~~~~~~~~
+
+To use the bind backend, set ``launch=bind`` and
+``bind-config=/path/to/named.conf`` in your ``pdns.conf``. Note that
+PowerDNS will not honor any options from named.conf, it will only use
+the ``zone`` statements. See the :doc:`Bind backend <backends/bind>`
+documentation for more information.
+
+To a Generic SQL backend
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+There are several methods to migrate to a :doc:`Generic SQL <backends/generic-sql>` backend.
+
+.. _migration-zone2sql:
+
+Using ``zone2sql``
+^^^^^^^^^^^^^^^^^^
+
+To migrate, the ``zone2sql`` tool is provided. This tool parses a BIND
+``named.conf`` file and zone files and outputs SQL on standard out,
+which can then be fed to your database. It understands the Bind master
+file extension ``$GENERATE`` and will also honour ``$ORIGIN`` and
+``$TTL``.
+
+For backends supporting slave operation, there is also an option to keep
+slave zones as slaves, and not convert them to native operation.
+
+``zone2sql`` can generate SQL for nearly all the Generic SQL backends.
+See `its manpage <manpages/zone2sql.1>` for more information.
+
+An example call to ``zone2sql`` could be:
+
+::
+
+ zone2sql --named-conf=/path/to/named.conf --gmysql | mysql -u pdns -p pdns-db
+
+This will generate the SQL statements for the :doc:`Generic MySQL <backends/generic-mysql>` and pipe them into the pdns-db
+database in MySQL.
+
+Using ``pdnsutil load-zone``
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The :doc:`pdnsutil <manpages/pdnsutil.1>` tool has a
+``load-zone`` command that ingests a zone file and imports it into the
+first backend that is capable of hosting it.
+
+To import, configure the backend and run
+``pdnsutil load-zone example.com /tmp/example.com.com.zone`` to import
+the ``example.com`` domain from the ``/tmp/example.com.zone`` file. The
+zone is imported atomically (i.e. it is fully imported, or not) and any
+existing records for that zone are overwritten.
+
+Migrating Data from one Backend to Another Backend
+--------------------------------------------------
+
+.. note::
+ This is experimental feature.
+
+Syntax: ``pdnsutil b2b-migrate OLD NEW``
+
+This tool lets you migrate data from one backend to another, it moves
+all data, including zones, metadata and crypto keys (if present). Some
+example use cases are moving from Bind style zonefiles to SQL based, or
+other way around, or moving from MyDNS to gMySQL.
+
+Prerequisites
+~~~~~~~~~~~~~
+
+- Target backend must support same features as source from set of
+ domains, zones, metadata, DNSSEC and TSIG. See :doc:`Backend
+ Capabilities <backends/index>`
+- There must be no data in the target backend, otherwise the migration
+ will fail. This is checked.
+
+You can perform live upgrade with this tool, provided you follow the
+procedure.
+
+Moving from source to target
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- Take backups of everything.
+- Configure both backends to pdns.conf, if you have source configured,
+ you can just add target backend. **DO NOT RESTART AUTH SERVER BEFORE
+ YOU HAVE FINISHED**
+- Then run ``pdnsutil b2b-migrate old new``, the old and new being
+ configuration prefixes in pdns.conf. If something goes wrong, make
+ sure you properly clear **ALL** data from target backend before
+ retrying.
+- Remove (or comment out) old backend from pdns.conf, and run
+ ``pdnsutil rectify-all-zones`` and ``pdnsutil check-all-zones`` to
+ make sure everything is OK.
+- If everything is OK, then go ahead to restart your PowerDNS service.
+ Check logs to make sure everything went ok.
+++ /dev/null
-site_name: PowerDNS
-repo_url: https://github.com/PowerDNS/pdns
-docs_dir: doc-build
-site_dir: html
-theme_dir: markdown/theme
-pages:
- - PowerDNS Server:
- - Introduction: index.md
- - Changelogs: changelog.md
- - Supported DNS Record Types: types.md
- - Logging and Performance Monitoring: common/logging.md
- - Security settings & considerations: common/security.md
- - Getting support: common/support.md
- - HTTP API - Introduction: httpapi/README.md
-# - HTTP API - Discussion: httpapi/intro.md
- - HTTP API - API Specification: httpapi/api_spec.md
-# - HTTP API - Design and Features: httpapi/features.md
- - End of life statements: end-of-life.md
- - Authoritative:
- - Introduction: authoritative/index.md
- - Installing PowerDNS: authoritative/installation.md
- - Running PowerDNS: authoritative/running.md
- - Upgrade Notes: authoritative/upgrading.md
- - Native, Master and Slave Operation: authoritative/modes-of-operation.md
- - DNSSEC with PowerDNS: authoritative/dnssec.md
- - Domain Metadata: authoritative/domainmetadata.md
- - Dynamic DNS Update: authoritative/dnsupdate.md
- - Using TSIG for AXFR: authoritative/tsig.md
- - Various How To's: authoritative/howtos.md
- - Performance Tuning and Monitoring: authoritative/performance.md
- - Migrating to PowerDNS: authoritative/migration.md
- - Recursion with the Authoritative Server: authoritative/recursion.md
- - List of Settings: authoritative/settings.md
- - 'Manpage: zone2json.1': manpages/zone2json.1.md
- - 'Manpage: zone2ldap.1': manpages/zone2ldap.1.md
- - 'Manpage: zone2sql.1': manpages/zone2sql.1.md
- - 'Manpage: pdns_control.1': manpages/pdns_control.1.md
- - 'Manpage: pdnsutil.1': manpages/pdnsutil.1.md
- - 'Manpage: pdns_server.1': manpages/pdns_server.1.md
- - Authoritative Backends:
- - BIND: authoritative/backend-bind.md
- - Generic SQL Backends: authoritative/backend-generic-sql.md
- - Generic MySQL: authoritative/backend-generic-mysql.md
- - Generic ODBC: authoritative/backend-generic-odbc.md
- - Generic Oracle: authoritative/backend-generic-oracle.md
- - Generic PostgreSQL: authoritative/backend-generic-postgresql.md
- - Generic SQLite3: authoritative/backend-generic-sqlite.md
- - GeoIP: authoritative/backend-geoip.md
- - MyDNS: authoritative/backend-mydns.md
- - LDAP: authoritative/backend-ldap.md
- - Lua: authoritative/backend-lua.md
- - OpenDBX: authoritative/backend-opendbx.md
- - Oracle: authoritative/backend-oracle.md
- - Pipe: authoritative/backend-pipe.md
- - Random: authoritative/backend-random.md
- - Remote: authoritative/backend-remote.md
- - TinyDNS: authoritative/backend-tinydns.md
- - Deprecated Backends: authoritative/backend-deprecated.md
- - Recursor:
- - Introduction: recursor/index.md
- - Upgrade Notes: recursor/upgrading.md
- - Security of the Recursor: recursor/security.md
- - DNSSEC in the Recursor: recursor/dnssec.md
- - Recursor Statistics: recursor/stats.md
- - Controlling & Querying: recursor/running.md
- - 'Manpage: pdns_recursor.1': manpages/pdns_recursor.1.md
- - 'Manpage: rec_control.1': manpages/rec_control.1.md
- - Performance Tuning: recursor/performance.md
- - Scripting: recursor/scripting.md
- - DNS64 support: recursor/dns64.md
- - Internals: recursor/internals.md
- - List of Settings: recursor/settings.md
- - Security:
- - Security Policy: security/index.md
- - Advisory 2016-05: security/powerdns-advisory-2016-05.md
- - Advisory 2016-04: security/powerdns-advisory-2016-04.md
- - Advisory 2016-03: security/powerdns-advisory-2016-03.md
- - Advisory 2016-02: security/powerdns-advisory-2016-02.md
- - Advisory 2016-01: security/powerdns-advisory-2016-01.md
- - Advisory 2015-03: security/powerdns-advisory-2015-03.md
- - Advisory 2015-02: security/powerdns-advisory-2015-02.md
- - Advisory 2015-01: security/powerdns-advisory-2015-01.md
- - Advisory 2014-02: security/powerdns-advisory-2014-02.md
- - Advisory 2014-01: security/powerdns-advisory-2014-01.md
- - Advisory 2012-01: security/powerdns-advisory-2012-01.md
- - Advisory 2010-02: security/powerdns-advisory-2010-02.md
- - Advisory 2010-01: security/powerdns-advisory-2010-01.md
- - Advisory 2008-03: security/powerdns-advisory-2008-03.md
- - Advisory 2008-02: security/powerdns-advisory-2008-02.md
- - Advisory 2008-01: security/powerdns-advisory-2008-01.md
- - Advisory 2006-02: security/powerdns-advisory-2006-02.md
- - Advisory 2006-01: security/powerdns-advisory-2006-01.md
- - Tools and Appendices:
- - Backend Writer's Guide: appendix/backend-writers-guide.md
- - Cryptographic software and export control: appendix/crypto-notes-export.md
- - Documentation details: appendix/documentation.md
- - Compiling PowerDNS: appendix/compiling-powerdns.md
- - DNS Analysis Tools: tools/analysis.md
- - 'Manpage: calidns.1': manpages/calidns.1.md
- - 'Manpage: dnsbulktest.1': manpages/dnsbulktest.1.md
- - 'Manpage: dnsgram.1': manpages/dnsgram.1.md
- - 'Manpage: dnsreplay.1': manpages/dnsreplay.1.md
- - 'Manpage: dnsscan.1': manpages/dnsscan.1.md
- - 'Manpage: dnsscope.1': manpages/dnsscope.1.md
- - 'Manpage: dnstcpbench.1': manpages/dnstcpbench.1.md
- - 'Manpage: dnswasher.1': manpages/dnswasher.1.md
- - 'Manpage: ixplore.1': manpages/ixplore.1.md
- - 'Manpage: pdns_notify.1': manpages/pdns_notify.1.md
- - 'Manpage: nproxy.1': manpages/nproxy.1.md
- - 'Manpage: nsec3dig.1': manpages/nsec3dig.1.md
- - 'Manpage: saxfr.1': manpages/saxfr.1.md
- - 'Manpage: sdig.1': manpages/sdig.1.md
--- /dev/null
+DNS Modes of Operation
+======================
+
+PowerDNS offers full master and slave semantics for replicating domain
+information. Furthermore, PowerDNS can benefit from native database
+replication.
+
+.. _native-operation:
+
+Native replication
+------------------
+
+Native replication is the default, unless other operation is
+specifically configured. Native replication basically means that
+PowerDNS will not send out DNS update notifications, nor will react to
+them. PowerDNS assumes that the backend is taking care of replication
+unaided.
+
+MySQL replication has proven to be very robust and well suited, even
+over transatlantic connections between badly peering ISPs. Other
+PowerDNS users employ Oracle replication which also works very well.
+
+To use native replication, configure your backend storage to do the
+replication and do not configure PowerDNS to do so.
+
+.. _master-operation:
+
+Master operation
+----------------
+
+When operating as a master, PowerDNS sends out notifications of changes
+to slaves, which react to these notifications by querying PowerDNS to
+see if the zone changed, and transferring its contents if it has.
+Notifications are a way to promptly propagate zone changes to slaves, as
+described in :rfc:`1996`. Since
+version 4.0.0, the NOTIFY messages have a TSIG record added (transaction
+signature) if zone has been configured to use TSIG and feature has been
+enabled.
+
+.. warning::
+ Master support is OFF by default, turn it on by adding
+ :ref:`setting-master` to the configuration.
+
+.. warning::
+ If you have DNSSEC-signed zones and non-PowerDNS slaves,
+ please check your :ref:`metadata-soa-edit`
+ settings.
+
+.. warning::
+ Notifications are only sent for domains with type MASTER in
+ your backend.
+
+Left open by :rfc:`1996` is who is to be notified - which is harder to
+figure out than it sounds. All slaves for this domain must receive a
+notification but the nameserver only knows the names of the slaves - not
+the IP addresses, which is where the problem lies. The nameserver itself
+might be authoritative for the name of its secondary, but not have the
+data available.
+
+To resolve this issue, PowerDNS tries multiple tactics to figure out the
+IP addresses of the slaves, and notifies everybody. In contrived
+configurations this may lead to duplicate notifications being sent out,
+which shouldn't hurt.
+
+Some backends may be able to detect zone changes, others may chose to
+let the operator indicate which zones have changed and which haven't.
+Consult the documentation for your backend to see how it processes
+changes in zones.
+
+To help deal with slaves that may have missed notifications, or have
+failed to respond to them, several override commands are available via
+the :ref:`pdns_control <running-pdnscontrol>` tool:
+
+- ``pdns_control notify <domain>`` This instructs PowerDNS to notify
+ all IP addresses it considers to be slaves of this domain.
+
+- ``pdns_control notify-host <domain> <ip-address>`` This is truly an
+ override and sends a notification to an arbitrary IP address. Can be
+ used in :ref:`setting-also-notify` situations or
+ when PowerDNS has trouble figuring out who to notify - which may
+ happen in contrived configurations.
+
+.. _slave-operation:
+
+Slave operation
+---------------
+
+On launch, PowerDNS requests from all backends a list of domains which
+have not been checked recently for changes. This should happen every
+'**refresh**' seconds, as specified in the SOA record. All domains that
+are unfresh are then checked for changes over at their master. If the
+:ref:`types-SOA` serial number there is higher, the domain is
+retrieved and inserted into the database. In any case, after the check
+the domain is declared 'fresh', and will only be checked again after
+'**refresh**' seconds have passed.
+
+When the freshness of a domain cannot be checked, e.g. because the
+master is offline, PowerDNS will retry the domain after
+:ref:`setting-slave-cycle-interval` seconds.
+Every time the domain fails it's freshness check, PowerDNS will hold
+back on checking the domain for
+``amount of failures * slave-cycle-interval`` seconds, with a maximum of
+:ref:`setting-soa-retry-default` seconds
+between checks. With default settings, this means that PowerDNS will
+back off for 1, then 2, then 3 etc. minutes, to a maximum of 60 minutes
+between checks.
+
+.. warning::
+ Slave support is OFF by default, turn it on by adding
+ :ref:`setting-slave` to the configuration.
+
+.. note::
+ When running PowerDNS via the provided systemd service file,
+ `ProtectSystem <http://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=>`_
+ is set to ``full``, this means PowerDNS is unable to write to e.g.
+ ``/etc`` and ``/home``, possibly being unable to write AXFR's zones.
+
+PowerDNS also reacts to notifies by immediately checking if the zone has
+updated and if so, retransfering it.
+
+All backends which implement this feature must make sure that they can
+handle transactions so as to not leave the zone in a half updated state.
+MySQL configured with either BerkeleyDB or InnoDB meets this
+requirement, as do PostgreSQL and Oracle. The Bindbackend implements
+transaction semantics by renaming files if and only if they have been
+retrieved completely and parsed correctly.
+
+Slave operation can also be programmed using several
+:ref:`running-pdnscontrol` commands. The ``retrieve``
+command is especially useful as it triggers an immediate retrieval of
+the zone from the configured master.
+
+PowerDNS supports multiple masters. For the BIND backend, the native
+BIND configuration language suffices to specify multiple masters, for
+SQL based backends, list all master servers separated by commas in the
+'master' field of the domains table.
+
+Since version 4.0.0, PowerDNS requires that masters sign their
+notifications. During transition and interoperation with other
+nameservers, you can use options :ref:`setting-allow-unsigned-notify` to permit
+unsigned notifications. For 4.0.0 this is turned on by default, but it
+might be turned off permanently in future releases.
+
+Master/Slave Setup Requirements
+-------------------------------
+
+Generally to enable a Master/Slave setup you have to take care of
+following properties.
+
+* The :ref:`setting-master`/:ref:`setting-slave` state has to be enabled in the respective ``/etc/powerdns/pdns.conf`` config files.
+* The nameservers have to be set up correctly as NS domain records i.e. defining a NS and A record for each slave.
+* Master/Slave state has to be configured on a per domain basis in the ``domains`` table. Namely the ``type`` column has to be either ``MASTER`` or ``SLAVE`` respectively and the slave needs a comma separated list of master node IP addresses in the ``master`` column in the ``domains`` table. :doc:`more to this topic <backends/generic-sql>`.
+
+IXFR: incremental zone transfers
+--------------------------------
+
+If the 'IXFR' zone metadata item is set to 1 for a zone, PowerDNS will
+attempt to retrieve zone updates via IXFR.
+
+.. warning::
+ If a slave zone changes from non-DNSSEC to DNSSEC, an IXFR
+ update will not set the PRESIGNED flag. In addition, a change in NSEC3
+ mode will also not be picked up.
+
+In such cases, make sure to delete the zone contents to force a fresh
+retrieval.
+
+Finally, IXFR updates that "plug" Empty Non Terminals do not yet remove
+ENT records. A 'pdnsutil rectify-zone' may be required.
+
+PowerDNS itself is currently only able to retrieve updates via IXFR. It
+can not serve IXFR updates.
+
+.. _supermaster-operation:
+
+Supermaster: automatic provisioning of slaves
+---------------------------------------------
+
+PowerDNS can recognize so called 'supermasters'. A supermaster is a host
+which is master for domains and for which we are to be a slave. When a
+master (re)loads a domain, it sends out a notification to its slaves.
+Normally, such a notification is only accepted if PowerDNS already knows
+that it is a slave for a domain.
+
+However, a notification from a supermaster carries more persuasion. When
+PowerDNS determines that a notification comes from a supermaster and it
+is bonafide, it can provision the domain automatically, and configure
+itself as a slave for that zone.
+
+Before a supermaster notification succeeds, the following conditions
+must be met: - The supermaster must carry a SOA record for the notified
+domain - The supermaster IP must be present in the 'supermaster' table -
+The set of NS records for the domain, as retrieved by the slave from the
+supermaster, must include the name that goes with the IP address in the
+supermaster table - If your master sends signed NOTIFY it will mark that
+TSIG key as the TSIG key used for retrieval as well - If you turn off
+:ref:`setting-allow-unsigned-supermaster`, then your supermaster(s) are required
+to sign their notifications.
+
+.. warning::
+ If you use another PowerDNS server as master and have
+ DNSSEC enabled on that server please don't forget to rectify the domains
+ after every change. If you don't do this there is no SOA record
+ available and one requirement will fail.
+
+So, to benefit from this feature, a backend needs to know about the IP
+address of the supermaster, and how PowerDNS will be listed in the set
+of NS records remotely, and the 'account' name of your supermaster.
+There is no need to fill the account name out but it does help keep
+track of where a domain comes from.
+
+.. note::
+ Removal of zones provisioned using the supermaster must be
+ done on the slaves themselves. As there is no way to signal this removal
+ from the master to the slave.
+
+.. _modes-of-operation-axfrfilter:
+
+Modifying a slave zone using a script
+-------------------------------------
+
+The PowerDNS Authoritative Server can invoke a Lua script on an incoming
+AXFR zone transfer. The user-defined function ``axfrfilter`` within your
+script is invoked for each resource record read during the transfer, and
+the outcome of the function defines what PowerDNS does with the records.
+
+What you can accomplish using a Lua script: - Ensure consistent values
+on SOA - Change incoming SOA serial number to a YYYYMMDDnn format -
+Ensure consistent NS RRset - Timestamp the zone transfer with a TXT
+record
+
+To enable a Lua script for a particular slave zone, determine the
+``domain_id`` for the zone from the ``domains`` table, and add a row to
+the ``domainmetadata`` table for the domain. Supposing the domain we
+want has an ``id`` of 3, the following SQL statement will enable the Lua
+script ``my.lua`` for that domain:
+
+::
+
+ INSERT INTO domainmetadata (domain_id, kind, content) VALUES (3, "LUA-AXFR-SCRIPT", "/lua/my.lua");
+
+.. warning::
+ The Lua script must both exist and be syntactically
+ correct; if not, the zone transfer is not performed.
+
+Your Lua functions have access to the query codes through a pre-defined
+Lua table called ``pdns``. For example if you want to check for a CNAME
+record you can either compare ``qtype`` to the numeric constant 5 or the
+value ``pdns.CNAME`` -- they are equivalent.
+
+If your function decides to handle a resource record it must return a
+result code of 0 together with a Lua table containing one or more
+replacement records to be stored in the back-end database (if the table
+is empty, no record is added). If you want your record(s) to be appended
+after the matching record, return 1 and table of record(s). If, on the
+other hand, your function decides not to modify a record, it must return
+-1 and an empty table indicating that PowerDNS should handle the
+incoming record as normal.
+
+Consider the following simple example:
+
+::
+
+ function axfrfilter(remoteip, zone, record)
+
+ -- Replace each HINFO records with this TXT
+ if record:qtype() == pdns.HINFO then
+ resp = {}
+ resp[1] = {
+ qname = record:qname:toString(),
+ qtype = pdns.TXT,
+ ttl = 99,
+ content = "Hello Ahu!"
+ }
+ return 0, resp
+ end
+
+ -- Grab each _tstamp TXT record and add a time stamp
+ if record:qtype() == pdns.TXT and string.starts(record:qname:toString(), "_tstamp.") then
+ resp = {}
+ resp[1] = {
+ qname = record:qname():toString(),
+ qtype = record:qtype(),
+ ttl = record:ttl(),
+ content = os.date("Ver %Y%m%d-%H:%M")
+ }
+ return 0, resp
+ end
+
+ -- Append A records with this TXT
+ if record:qtype() == pdns.A then
+ resp = {}
+ resp[1] = {
+ qname = record:qname:toString(),
+ qtype = pdns.TXT,
+ ttl = 99,
+ content = "Hello Ahu, again!"
+ }
+ return 1, resp
+ end
+
+ resp = {}
+ return -1, resp
+ end
+
+ function string.starts(s, start)
+ return s.sub(s, 1, s.len(start)) == start
+ end
+
+Upon an incoming AXFR, PowerDNS calls our ``axfrfilter`` function for
+each record. All HINFO records are replaced by a TXT record with a TTL
+of 99 seconds and the specified string. TXT Records with names starting
+with ``_tstamp.`` get their value (rdata) set to the current time stamp.
+A records are appended with a TXT record. All other records are
+unhandled.
--- /dev/null
+Performance and Tuning
+======================
+
+In general, best performance is achieved on recent Linux 4.x kernels and
+using MySQL, although many of the largest PowerDNS installations are
+based on PostgreSQL. FreeBSD also performs very well.
+
+Database servers can require configuration to achieve decent
+performance. It is especially worth noting that several vendors ship
+PostgreSQL with a slow default configuration.
+
+.. warning::
+ When deploying (large scale) IPv6, please be aware some
+ Linux distributions leave IPv6 routing cache tables at very small
+ default values. Please check and if necessary raise
+ ``sysctl net.ipv6.route.max_size``.
+
+Performance related settings
+----------------------------
+
+When PowerDNS starts up it creates a number of threads to listen for
+packets. This is configurable with the
+:ref:`setting-receiver-threads` setting which
+defines how many sockets will be opened by the powerdns process. In
+versions of linux before kernel 3.9 having too many receiver threads set
+up resulted in decreased performance due to socket contention between
+multiple CPUs - the typical sweet spot was 3 or 4. For optimal
+performance on kernel 3.9 and following with
+:ref:`setting-reuseport` enabled you'll typically want
+a receiver thread for each core on your box if backend
+latency/performance is not an issue and you want top performance.
+
+Different backends will have different characteristics - some will want
+to have more parallel instances than others. In general, if your backend
+is latency bound, like most relational databases are, it pays to open
+more backends.
+
+This is done with the
+:ref:`setting-distributor-threads` setting
+which says how many distributors will be opened for each receiver
+thread. Of special importance is the choice between 1 or more backends.
+In case of only 1 thread, PowerDNS reverts to unthreaded operation which
+may be a lot faster, depending on your operating system and
+architecture.
+
+Other very important settings are
+:ref:`setting-cache-ttl`. PowerDNS caches entire
+packets it sends out so as to save the time to query backends to
+assemble all data. The default setting of 20 seconds may be low for high
+traffic sites, a value of 60 seconds rarely leads to problems. Please be
+aware that if any TTL in the answer is shorter than this setting, the
+packet cache will respect the answer's shortest TTL.
+
+Some PowerDNS operators set cache-ttl to many hours or even days, and
+use :ref:`pdns_control purge <running-pdnscontrol>` to
+selectively or globally notify PowerDNS of changes made in the backend.
+Also look at the :ref:`query-cache` described in this
+chapter. It may materially improve your performance.
+
+To determine if PowerDNS is unable to keep up with packets, determine
+the value of the :ref:`stat-qsize-q` variable. This represents the number of
+packets waiting for database attention. During normal operations the
+queue should be small.
+
+Logging truly kills performance as answering a question from the cache
+is an order of magnitude less work than logging a line about it. Busy
+sites will prefer to turn :ref:`setting-log-dns-details` off.
+
+.. _packet-cache:
+
+Packet Cache
+------------
+
+PowerDNS by default uses the 'Packet Cache' to recognise identical
+questions and supply them with identical answers, without any further
+processing. The default time to live is 20 seconds and can be changed by
+setting ``cache-ttl``. It has been observed that the utility of the
+packet cache increases with the load on your nameserver.
+
+Not all backends may benefit from the packet cache. If your backend is
+memory based and does not lead to context switches, the packet cache may
+actually hurt performance.
+
+.. versionchanged:: 4.1.0
+ The maximum size of the packet cache is controlled by the
+ :ref:`setting-max-packet-cache-entries` entries. Before that both the
+ query cache and the packet cache used the :ref:`setting-max-cache-entries` setting.
+
+.. _query-cache:
+
+Query Cache
+-----------
+
+Besides entire packets, PowerDNS can also cache individual backend
+queries. Each DNS query leads to a number of backend queries, the most
+obvious additional backend query is the check for a possible CNAME. So,
+when a query comes in for the 'A' record for 'www.powerdns.com',
+PowerDNS must first check for a CNAME for 'www.powerdns.com'.
+
+The Query Cache caches these backend queries, many of which are quite
+repetitive. The maximum number of entries in the cache is controlled by
+the ``max-cache-entries`` setting. Before 4.1 this setting also controls
+the maximum number of entries in the packet cache.
+
+Most gain is made from caching negative entries, ie, queries that have
+no answer. As these take little memory to store and are typically not a
+real problem in terms of speed-of-propagation, the default TTL for
+negative queries is a rather high 60 seconds.
+
+This only is a problem when first doing a query for a record, adding it,
+and immediately doing a query for that record again. It may then take up
+to 60 seconds to appear. Changes to existing records however do not fall
+under the negative query ttl
+(:ref:`setting-negquery-cache-ttl`), but under
+the generic :ref:`setting-query-cache-ttl` which
+defaults to 20 seconds.
+
+The default values should work fine for many sites. When tuning, keep in
+mind that the Query Cache mostly saves database access but that the
+Packet Cache also saves a lot of CPU because 0 internal processing is
+done when answering a question from the Packet Cache.
+
+Performance Monitoring
+----------------------
+
+A number of counters and variables are set during PowerDNS Authoritative
+Server operation.
+
+.. _counters:
+.. _metricnames:
+
+Counters
+~~~~~~~~
+
+All counters that show the "number of X" count since the last startup of the daemon.
+
+.. _stat-corrupt-packets:
+
+corrupt-packets
+^^^^^^^^^^^^^^^
+Number of corrupt packets received
+
+.. _stat-deferred-cache-inserts:
+
+deferred-cache-inserts
+^^^^^^^^^^^^^^^^^^^^^^
+Number of cache inserts that were deferred because of maintenance
+
+.. _stat-deferred-cache-lookup:
+
+deferred-cache-lookup
+^^^^^^^^^^^^^^^^^^^^^
+Number of cache lookups that were deferred
+ because of maintenance
+
+.. _stat-deferred-packetcache-inserts:
+
+deferred-packetcache-inserts
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Number of packet cache inserts that were deferred because of maintenance
+
+.. _stat-deferred-packetcache-lookup:
+
+deferred-packetcache-lookup
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Number of packet cache lookups that were deferred because of maintenance
+
+.. _stat-dnsupdate-answers:
+
+dnsupdate-answers
+^^^^^^^^^^^^^^^^^
+Number of DNS update packets successfully answered
+
+.. _stat-dnsupdate-changes:
+
+dnsupdate-changes
+^^^^^^^^^^^^^^^^^
+Total number of changes to records from DNS update
+
+.. _stat-dnsupdate-queries:
+
+dnsupdate-queries
+^^^^^^^^^^^^^^^^^
+Number of DNS update packets received
+
+.. _stat-dnsupdate-refused:
+
+dnsupdate-refused
+^^^^^^^^^^^^^^^^^
+Number of DNS update packets that were refused
+
+.. _stat-incoming-notifications:
+
+incoming-notifications
+^^^^^^^^^^^^^^^^^^^^^^
+Number of NOTIFY packets that were received
+
+.. _stat-key-cache-size:
+
+key-cache-size
+^^^^^^^^^^^^^^
+Number of entries in the key cache
+
+.. _stat-latency:
+
+latency
+^^^^^^^
+Average number of microseconds a packet spends within PowerDNS
+
+.. _stat-meta-cache-size:
+
+meta-cache-size
+^^^^^^^^^^^^^^^
+Number of entries in the metadata cache
+
+.. _stat-overload-drops:
+
+overload-drops
+^^^^^^^^^^^^^^
+Number of questions dropped because backends overloaded
+
+.. _stat-packetcache-hit:
+
+packetcache-hit
+^^^^^^^^^^^^^^^
+Number of packets which were answered out of the cache
+
+.. _stat-packetcache-miss:
+
+packetcache-miss
+^^^^^^^^^^^^^^^^
+Number of times a packet could not be answered out of the cache
+
+.. _stat-packetcache-size:
+
+packetcache-size
+^^^^^^^^^^^^^^^^
+Amount of packets in the packetcache
+
+.. _stat-qsize-q:
+
+qsize-q
+^^^^^^^
+Number of packets waiting for database attention
+
+.. _stat-query-cache-hit:
+
+query-cache-hit
+^^^^^^^^^^^^^^^
+Number of hits on the :ref:`query-cache`
+
+.. _stat-query-cache-miss:
+
+query-cache-miss
+^^^^^^^^^^^^^^^^
+Number of misses on the :ref:`query-cache`
+
+.. _stat-query-cache-size:
+
+query-cache-size
+^^^^^^^^^^^^^^^^
+Number of entries in the query cache
+
+.. _stat-rd-queries:
+
+rd-queries
+^^^^^^^^^^
+Number of packets sent by clients requesting recursion (regardless of if we'll be providing them with recursion).
+
+.. _stat-recursing-answers:
+
+recursing-answers
+^^^^^^^^^^^^^^^^^
+Number of packets we supplied an answer to after recursive processing
+
+.. _stat-recursing-questions:
+
+recursing-questions
+^^^^^^^^^^^^^^^^^^^
+Number of packets we performed recursive processing for.
+
+.. _stat-recursion-unanswered:
+
+recursion-unanswered
+^^^^^^^^^^^^^^^^^^^^
+Number of packets we sent to our recursor, but did not get a timely answer for.
+
+.. _stat-security-status:
+
+security-status
+^^^^^^^^^^^^^^^
+Security status based on :ref:`securitypolling`.
+
+.. _stat-servfail-packets:
+
+servfail-packets
+^^^^^^^^^^^^^^^^
+Amount of packets that could not be answered due to database problems
+
+.. _stat-signature-cache-size:
+
+signature-cache-size
+^^^^^^^^^^^^^^^^^^^^
+Number of entries in the signature cache
+
+.. _stat-signatures:
+
+signatures
+^^^^^^^^^^
+Number of DNSSEC signatures created
+
+.. _stat-sys-msec:
+
+sys-msec
+^^^^^^^^
+Number of CPU milliseconds sent in system time
+
+.. _stat-tcp-answers-bytes:
+
+tcp-answers-bytes
+^^^^^^^^^^^^^^^^^
+Total number of answer bytes sent over TCP
+
+.. _stat-tcp-answers:
+
+tcp-answers
+^^^^^^^^^^^
+Number of answers sent out over TCP
+
+.. _stat-tcp-queries:
+
+tcp-queries
+^^^^^^^^^^^
+Number of questions received over TCP
+
+.. _stat-tcp4-answers-bytes:
+
+tcp4-answers-bytes
+^^^^^^^^^^^^^^^^^^
+Total number of answer bytes sent over TCPv4
+
+.. _stat-tcp4-answers:
+
+tcp4-answers
+^^^^^^^^^^^^^^^^
+Number of answers sent out over TCPv4
+
+.. _stat-tcp4-queries:
+
+tcp4-queries
+^^^^^^^^^^^^
+Number of questions received over TCPv4
+
+.. _stat-tcp6-answers-bytes:
+
+tcp6-answers-bytes
+^^^^^^^^^^^^^^^^^^
+Total number of answer bytes sent over TCPv6
+
+.. _stat-tcp6-answers:
+
+tcp6-answers
+^^^^^^^^^^^^
+Number of answers sent out over TCPv6
+
+.. _stat-tcp6-queries:
+
+tcp6-queries
+^^^^^^^^^^^^
+Number of questions received over TCPv6
+
+.. _stat-timedout-packets:
+
+timedout-packets
+^^^^^^^^^^^^^^^^
+Amount of packets that were dropped because they had to wait too long internally
+
+.. _stat-udp-answers-bytes:
+
+udp-answers-bytes
+^^^^^^^^^^^^^^^^^
+Total number of answer bytes sent over UDP
+
+.. _stat-udp-answers:
+
+udp-answers
+^^^^^^^^^^^
+Number of answers sent out over UDP
+
+.. _stat-udp-do-queries:
+
+udp-do-queries
+^^^^^^^^^^^^^^
+Number of queries received with the DO (DNSSEC OK) bit set
+
+.. _stat-udp-in-errors:
+
+udp-in-errors
+^^^^^^^^^^^^^
+Number of packets, received faster than the OS could process them
+
+.. _stat-udp-noport-errors:
+
+udp-noport-errors
+^^^^^^^^^^^^^^^^^
+Number of UDP packets where an ICMP response was received that the remote port was not listening
+
+.. _stat-udp-queries:
+
+udp-queries
+^^^^^^^^^^^
+Number of questions received over UDP
+
+.. _stat-udp-recvbuf-errors:
+
+udp-recvbuf-errors
+^^^^^^^^^^^^^^^^^^
+Number of errors caused in the UDP receive
+ buffer
+
+.. _stat-udp-sndbuf-errors:
+
+udp-sndbuf-errors
+^^^^^^^^^^^^^^^^^
+Number of errors caused in the UDP send buffer
+
+.. _stat-udp4-answers-bytes:
+
+udp4-answers-bytes
+^^^^^^^^^^^^^^^^^^
+Total number of answer bytes sent over UDPv4
+
+.. _stat-udp4-answers:
+
+udp4-answers
+^^^^^^^^^^^^
+Number of answers sent out over UDPv4
+
+.. _stat-udp4-queries:
+
+udp4-queries
+^^^^^^^^^^^^
+Number of questions received over UDPv4
+
+.. _stat-udp6-answers-bytes:
+
+udp6-answers-bytes
+^^^^^^^^^^^^^^^^^^
+Total number of answer bytes sent over UDPv6
+
+.. _stat-udp6-answers:
+
+udp6-answers
+^^^^^^^^^^^^
+Number of answers sent out over UDPv6
+
+.. _stat-udp6-queries:
+
+udp6-queries
+^^^^^^^^^^^^
+Number of questions received over UDPv6
+
+.. _stat-uptime:
+
+uptime
+^^^^^^
+Uptime in seconds of the daemon
+
+.. _stat-user-msec:
+
+user-msec
+^^^^^^^^^
+Number of milliseconds spend in CPU 'user' time
+
+Ring buffers
+~~~~~~~~~~~~
+
+Besides counters, PowerDNS also maintains the ringbuffers. A ringbuffer
+records events, each new event gets a place in the buffer until it is
+full. When full, earlier entries get overwritten, hence the name 'ring'.
+
+By counting the entries in the buffer, statistics can be generated.
+These statistics can currently only be viewed using the webserver and
+are in fact not even collected without the webserver running.
+
+The following ringbuffers are available:
+
+- **logmessages**: All messages logged
+- **noerror-queries**: Queries for existing records but for a type we
+ don't have. Queries for, say, the AAAA record of a domain, when only
+ an A is available. Queries are listed in the following format:
+ name/type. So an AAAA query for pdns.powerdns.com looks like
+ pdns.powerdns.com/AAAA.
+- **nxdomain-queries**: Queries for non-existing records within
+ existing domains. If PowerDNS knows it is authoritative over a
+ domain, and it sees a question for a record in that domain that does
+ not exist, it is able to send out an authoritative 'no such domain'
+ message. Indicates that hosts are trying to connect to services
+ really not in your zone.
+- **udp-queries**: All UDP queries seen.
+- **remotes**: Remote server IP addresses. Number of hosts querying
+ PowerDNS. Be aware that UDP is anonymous - person A can send queries
+ that appear to be coming from person B.
+- **remote-corrupts**: Remotes sending corrupt packets. Hosts sending
+ PowerDNS broken packets, possibly meant to disrupt service. Be aware
+ that UDP is anonymous - person A can send queries that appear to be
+ coming from person B.
+- **remote-unauth**: Remotes querying domains for which we are not
+ authoritative. It may happen that there are misconfigured hosts on
+ the internet which are configured to think that a PowerDNS
+ installation is in fact a resolving nameserver. These hosts will not
+ get useful answers from PowerDNS. This buffer lists hosts sending
+ queries for domains which PowerDNS does not know about.
+- **servfail-queries**: Queries that could not be answered due to
+ backend errors. For one reason or another, a backend may be unable to
+ extract answers for a certain domain from its storage. This may be
+ due to a corrupt database or to inconsistent data. When this happens,
+ PowerDNS sends out a 'servfail' packet indicating that it was unable
+ to answer the question. This buffer shows which queries have been
+ causing servfails.
+- **unauth-queries**: Queries for domains that we are not authoritative
+ for. If a domain is delegated to a PowerDNS instance, but the backend
+ is not made aware of this fact, questions come in for which no answer
+ is available, nor is the authority. Use this ringbuffer to spot such
+ queries.
+
+.. _metricscarbon:
+
+Sending metrics to Graphite/Metronome over Carbon
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+For carbon/graphite/metronome, we use the following namespace.
+Everything starts with 'pdns.', which is then followed by the local hostname.
+Thirdly, we add 'auth' to signify the daemon generating the metrics.
+This is then rounded off with the actual name of the metric. As an example: 'pdns.ns1.auth.questions'.
+
+Care has been taken to make the sending of statistics as unobtrusive as possible, the daemons will not be hindered by an unreachable carbon server, timeouts or connection refused situations.
+
+To benefit from our carbon/graphite support, either install Graphite, or use our own lightweight statistics daemon, Metronome, currently available on `GitHub <https://github.com/ahupowerdns/metronome/>`_.
+
+To enable sending metrics, set :ref:`setting-carbon-server`, possibly :ref:`setting-carbon-interval` and possibly :ref:`setting-carbon-ourname` in the configuration.
+
+.. warning::
+
+ If your hostname includes dots, they will be replaced by underscores so as not to confuse the namespace.
+
+ If you include dots in :ref:`setting-carbon-ourname`, they will **not** be replaced by underscores.
+ As PowerDNS assumes you know what you are doing if you override your hostname.
+++ /dev/null
-#!/bin/sh -e
-
-set -x
-
-pre() {
- # Test if there are wrong PR links in the changelog
- CL_PR_LINKS="$(grep -E '\[#([0-9]+)\]\(.*[0-9]+\)' markdown/changelog.raw.md | grep -v -E '\[#([0-9]+)\]\(.*\1\)' || true)"
- if [ -n "${CL_PR_LINKS}" ]; then
- echo "Broken PR links in the changelog:" >&2
- echo "${CL_PR_LINKS}" >&2
- exit 1
- fi
- for file in `find doc-build -name '*.md' -type f -print`; do
- # Remove lines starting with '%' from manpages
- if echo "$file" | grep -q -e '\.1\.md$'; then
- cat $file | perl -n -e '!/^%/ && print;' > ${file}.tmp
- mv -f ${file}.tmp $file
- fi
-
- # Process include statements
- pandoc -f markdown_github+pipe_tables -t markdown_github+pipe_tables -F markdown/process-includes.py $file -o $file
-
- # Remove crap:
- # * Escaped symbols
- perl -i -p \
- -e 's/\\([\$\^><])/\1/g;' \
- $file
- done
- sed 's|\([0-9a-f]\{9\}\)\([0-9a-f]*\)|[\1](https://github.com/PowerDNS/pdns/commit/\1\2)|g' < markdown/changelog.raw.md > doc-build/changelog.md
-}
-
-post() {
- # Change the following:
- # Add class="table-bordered" to tables
- find html -type f -name '*.html' -exec perl -i -p \
- -e 's/\<table>/<table class="table-bordered">/;' \
- -e 's/\<title>None\<\/title>/<title>PowerDNS<\/title>/' \
- {} +
-
- # Remove files we don't need on the site
- rm -rf html/process-* \
- html/changelog.raw.md \
- html/theme
-}
-
-$1
--- /dev/null
+Sphinx>=1.5.0
+git+https://github.com/pieterlexis/sphinx-jsondomain@no-type-links
+git+https://github.com/pieterlexis/sphinx-changelog@render-tags
+sphinxcontrib-httpdomain
+sphinxcontrib-fulltoc
+guzzle_sphinx_theme
--- /dev/null
+Running and Operating
+=====================
+
+PowerDNS is normally controlled via a SysV-style init.d script, often
+located in ``/etc/init.d`` or ``/etc/rc.d/init.d``. For Linux
+distributions with systemd, a service file is provided (either in the
+package or in the contrib directory of the tarball).
+
+Furthermore, PowerDNS can be run on the foreground for testing or in
+other init- systems that supervise processes.
+
+.. _running-guardian:
+
+Guardian
+--------
+
+When the init-system of the Operating System does not properly
+supervises processes, like SysV init, it is recommended to run PowerDNS
+with the :ref:`setting-guardian` option set to 'yes'.
+
+When launched with ``guardian=yes``, ``pdns_server`` wraps itself inside
+a 'guardian'. This guardian monitors the performance of the inner
+``pdns_server`` instance which shows up in the process list of your OS
+as ``pdns_server-instance``. It is also this guardian that
+:ref:`running-pdnscontrol` talks to. A **STOP** is interpreted
+by the guardian, which causes the guardian to sever the connection to
+the inner process and terminate it, after which it terminates itself.
+Requests that require data from the actual nameserver are passed to the
+inner process as well.
+
+Logging to syslog on systemd-based operating systems
+----------------------------------------------------
+
+By default, logging to syslog is disabled in the the systemd unit file
+to prevent the service logging twice, as the systemd journal picks up
+the output from the process itself.
+
+Removing the ``--disable-syslog`` option from the ``ExecStart`` line
+using ``systemctl edit --full pdns`` enables logging to syslog.
+
+.. _logging-to-syslog:
+
+Logging to syslog
+-----------------
+This chapter assumes familiarity with syslog, the unix logging device.
+PowerDNS logs messages with different levels.
+The more urgent the message, the lower the 'priority'.
+
+By default, PowerDNS will only log messages with an urgency of 3 or lower, but this can be changed using the :ref:`setting-loglevel` setting in the configuration file.
+Setting it to 0 will eliminate all logging, 9 will log everything.
+
+By default, logging is performed under the 'DAEMON' facility which is shared with lots of other programs.
+If you regard nameserving as important, you may want to have it under a dedicated facility so PowerDNS can log to its own files, and not clutter generic files.
+
+For this purpose, syslog knows about 'local' facilities, numbered from LOCAL0 to LOCAL7.
+To move PowerDNS logging to LOCAL0, add :ref:`logging-facility=0 <setting-logging-facility>` to your configuration.
+
+Furthermore, you may want to have separate files for the differing priorities - preventing lower priority messages from obscuring important ones.
+A sample ``syslog.conf`` might be::
+
+ local0.info -/var/log/pdns.info
+ local0.warn -/var/log/pdns.warn
+ local0.err /var/log/pdns.err
+
+Where local0.err would store the really important messages.
+For performance and disk space reasons, it is advised to audit your ``syslog.conf`` for statements also logging PowerDNS activities.
+Many ``syslog.conf``\ s have a ``*.*`` statement to ``/var/log/syslog``, which you may want to remove.
+
+For performance reasons, be especially certain that no large amounts of synchronous logging take place.
+Under Linux, this is indicated by file names not starting with a ``-`` - indicating a synchronous log, which hurts performance.
+
+Be aware that syslog by default logs messages at the configured priority and higher!
+To log only info messages, use ``local0.=info``
+
+Controlling A Running PowerDNS Server
+-------------------------------------
+
+As a DNS server is critical infrastructure, downtimes should be avoided
+as much as possible. Even though PowerDNS (re)starts very fast, it
+offers a way to control it while running.
+
+.. _control-socket:
+
+Control Socket
+~~~~~~~~~~~~~~
+
+The controlsocket is the means to contact a running PowerDNS process.
+Over this socket, instructions can be sent using the ``pdns_control``
+program. The control socket is called ``pdns.controlsocket`` and is
+created inside the :ref:`setting-socket-dir`.
+
+.. _running-pdnscontrol:
+
+``pdns_control``
+~~~~~~~~~~~~~~~~
+
+To communicate with PowerDNS Authoritative Server over the
+controlsocket, the ``pdns_control`` command is used. The syntax is
+simple: ``pdns_control command arguments``. Currently this is most
+useful for telling backends to rediscover domains or to force the
+transmission of notifications. See :ref:`master-operation`.
+
+For all supported ``pdns_control`` commands and options, see :doc:`the
+manpage <../manpages/pdns_control.1>` and the output of
+``pdns_control --help`` on your system.
+
+The SysV init script
+--------------------
+
+This script supplied with the PowerDNS source accepts the following
+commands:
+
+- ``monitor``: Monitor is a special way to view the daemon. It executes
+ PowerDNS in the foreground with a lot of logging turned on, which
+ helps in determining startup problems. Besides running in the
+ foreground, the raw PowerDNS control socket is made available. All
+ external communication with the daemon is normally sent over this
+ socket. While useful, the control console is not an officially
+ supported feature. Commands which work are: ``QUIT``, ``SHOW *``,
+ ``SHOW varname``, ``RPING``.
+- ``start``: Start PowerDNS in the background. Launches the daemon but
+ makes no special effort to determine success, as making database
+ connections may take a while. Use ``status`` to query success. You
+ can safely run ``start`` many times, it will not start additional
+ PowerDNS instances.
+- ``restart``: Restarts PowerDNS if it was running, starts it
+ otherwise.
+- ``status``: Query PowerDNS for status. This can be used to figure out
+ if a launch was successful. The status found is prefixed by the PID
+ of the main PowerDNS process.
+- ``stop``: Requests that PowerDNS stop. Again, does not confirm
+ success. Success can be ascertained with the ``status`` command.
+- ``dump``: Dumps a lot of statistics of a running PowerDNS daemon. It
+ is also possible to single out specific variable by using the
+ ``show`` command.
+- ``show variable``: Show a single statistic, as present in the output
+ of the ``dump``.
+- ``mrtg``: Dump statistics in mrtg format. See the performance
+ :ref:`counters` documentation.
+
+ .. note::
+ Packages provided by Operating System vendors might support
+ different or less commands.
+
+Running in the foreground
+-------------------------
+
+One can run PowerDNS in the foreground by invoking the ``pdns_server``
+executable. Without any options, it will load the ``pdns.conf`` and run.
+To make sure PowerDNS starts in the foreground, add the ``--daemon=no``
+option.
+
+All :doc:`settings <settings>` can be added on the commandline. e.g. to
+test a new database config, you could start PowerDNS like this:
+
+.. code-block:: shell
+
+ pdns_server --no-config --daemon=no --local-port=5300 --launch=gmysql --gmysql-user=my_user --gmysql-password=mypassword
+
+This starts PowerDNS without loading on-disk config, in the foreground,
+on all network interfaces on port 5300 and starting the
+:doc:`gmysql <backends/generic-mysql>` backend.
-Older security advisories
-^^^^^^^^^^^^^^^^^^^^^^^^^
-Version 3.0 of the PowerDNS recursor contains a denial of service bug which can be exploited remotely.
-This bug, which we believe to only lead to a crash, has been fixed in 3.0.1.
-There are no guarantees however, so an upgrade from 3.0 is highly recommended.
+Security Advisories
+===================
+All security advisories for the PowerDNS Authoritative Server are listed here.
-All versions of PowerDNS before 2.9.21.1 do not respond to certain queries.
-This in itself is not a problem, but since the discovery by Dan Kaminsky of a new spoofing technique, this silence for queries PowerDNS considers invalid, within a valid domain, allows attackers more chances to feed *other* resolvers bad data.
+.. toctree::
+ :maxdepth: 1
+ :glob:
+ :reversed:
-All versions of PowerDNS before 2.9.18 contain the following two bugs, which only apply to installations running with the LDAP backend, or installations providing recursion to a limited range of IP addresses.
-If any of these apply to you, an upgrade is highly advised:
+ powerdns-advisory*
-- The LDAP backend did not properly escape all queries, allowing it to
- fail and not answer questions. We have not investigated further risks
- involved, but we advise LDAP users to update as quickly as possible
- (Norbert Sendetzky, Jan de Groot)
-
-- Questions from clients denied recursion could blank out answers to
- clients who are allowed recursion services, temporarily. Reported by
- Wilco Baan. This would've made it possible for outsiders to blank out
- a domain temporarily to your users. Luckily PowerDNS would send out
- SERVFAIL or Refused, and not a denial of a domain's existence.
-
-All versions of PowerDNS before 2.9.17 are known to suffer from remote denial of service problems which can disrupt operation.
-Please upgrade to 2.9.17 as this page will only contain detailed security information from 2.9.17 onwards.
+.. include:: older-than-3.0.rst
+++ /dev/null
-PowerDNS Security Advisory 2006-01: Malformed TCP queries can lead to a buffer overflow which might be exploitable
-------------------------------------------------------------------------------------------------------------------
-
-- CVE: CVE-2006-4251
-- Date: 13th of November 2006
-- Affects: PowerDNS Recursor versions 3.1.3 and earlier, on all
- operating systems.
-- Not affected: No versions of the PowerDNS Authoritative Server
- ('pdns\_server') are affected.
-- Severity: Critical
-- Impact: Potential remote system compromise.
-- Exploit: As far as we know, no exploit is available as of 11th of
- November 2006.
-- Solution: Upgrade to PowerDNS Recursor 3.1.4, or apply the patches
- referred below and recompile
-- Workaround: Disable TCP access to the Recursor. This will have slight
- operational impact, but it is likely that this will not lead to
- meaningful degradation of service. Disabling access is best performed
- at packet level, either by configuring a firewall, or instructing the
- host operating system to drop TCP connections to port 53.
- Additionally, exposure can be limited by configuring the
- ``allow-from`` setting so only trusted users can query your
- nameserver.
-
-PowerDNS Recursor 3.1.3 and previous miscalculate the length of incoming
-TCP DNS queries, and will attempt to read up to 4 gigabytes of query
-into a 65535 byte buffer.
-
-We have not verified if this problem might actually lead to a system
-compromise, but are acting on the assumption that it might.
-
-For distributors, a minimal patch is available on `the PowerDNS
-wiki <http://wiki.powerdns.com/cgi-bin/trac.fcgi/changeset/915>`__.
-Additionally, those shipping very old versions of the PowerDNS Recursor
-might benefit from this
-`patch <http://ds9a.nl/tmp/cve-2006-4251.patch>`__.
-
-The impact of these and other security problems can be lessened by
-considering the advice in FIXME: security-settings.
+++ /dev/null
-PowerDNS Security Advisory 2006-02: Zero second CNAME TTLs can make PowerDNS exhaust allocated stack space, and crash
----------------------------------------------------------------------------------------------------------------------
-
-- CVE: CVE-2006-4252
-- Date: 13th of November 2006
-- Affects: PowerDNS Recursor versions 3.1.3 and earlier, on all
- operating systems.
-- Not affected: No versions of the PowerDNS Authoritative Server
- ('pdns\_server') are affected.
-- Severity: Moderate
-- Impact: Denial of service
-- Exploit: This problem can be triggered by sending queries for
- specifically configured domains
-- Solution: Upgrade to PowerDNS Recursor 3.1.4, or apply `commit
- 919 <http://wiki.powerdns.com/projects/trac/changeset/919>`__.
-- Workaround: None known. Exposure can be limited by configuring the
- **allow-from** setting so only trusted users can query your
- nameserver.
-
-PowerDNS would recurse endlessly on encountering a CNAME loop consisting
-entirely of zero second CNAME records, eventually exceeding resources
-and crashing.
+++ /dev/null
-PowerDNS Security Advisory 2008-01: System random generator can be predicted, leading to the potential to 'spoof' PowerDNS Recursor
------------------------------------------------------------------------------------------------------------------------------------
-
-- CVE: Not yet assigned
-- Date: 31st of March 2008
-- Affects: PowerDNS Recursor versions 3.1.4 and earlier, on most
- operating systems
-- Not affected: No versions of the PowerDNS Authoritative Server
- ('pdns\_server') are affected.
-- Severity:Moderate
-- Impact: Data manipulation; client redirection
-- Exploit: This problem can be triggered by sending queries for
- specifically configured domains, sending spoofed answer packets
- immediately afterwards.
-- Solution: Upgrade to PowerDNS Recursor 3.1.5, or apply changesets
- `1159 <http://wiki.powerdns.com/projects/trac/changeset/1159>`__,
- `1160 <http://wiki.powerdns.com/projects/trac/changeset/1160>`__ and
- `1164 <http://wiki.powerdns.com/projects/trac/changeset/1164>`__.
-- Workaround: None known. Exposure can be limited by configuring the
- **allow-from** setting so only trusted users can query your
- nameserver.
-
-We would like to thank Amit Klein of Trusteer for bringing a serious
-vulnerability to our attention which would enable a smart attacker to
-'spoof' previous versions of the PowerDNS Recursor into accepting
-possibly malicious data.
-
-Details can be found on `this Trusteer
-page <http://www.trusteer.com/docs/powerdnsrecursor.html>`__.
-
-This security problem was announced in `this email
-message <http://mailman.powerdns.com/pipermail/pdns-users/2008-March/005279.html>`__.
-
-It is recommended that all users of the PowerDNS Recursor upgrade to
-3.1.5 as soon as practicable, while we simultaneously note that busy
-servers are less susceptible to the attack, but not immune.
-
-The vulnerability is present on all operating systems where the
-behaviour of the libc random() function can be predicted based on its
-past output. This includes at least all known versions of Linux, as well
-as Microsoft Windows, and probably FreeBSD and Solaris.
-
-The magnitude of this vulnerability depends on internal details of the
-system random() generator. For Linux, the mathematics of the random
-generator are complex, but well understood and Amit Klein has written
-and published a proof of concept that can successfully predict its
-output after uninterrupted observation of 40-50 DNS queries.
-
-Because the observation needs to be uninterrupted, busy PowerDNS
-Recursor instances are harder to subvert - other data is highly likely
-to be interleaved with traffic generated by an attacker.
-
-Nevertheless, operators are urged to update at their earliest
-convenience.
+++ /dev/null
-PowerDNS Security Advisory 2010-01: PowerDNS Recursor up to and including 3.1.7.1 can be brought down and probably exploited
-----------------------------------------------------------------------------------------------------------------------------
-
-- CVE: CVE-2009-4009
-- Date: 6th of January 2010
-- Affects: PowerDNS Recursor 3.1.7.1 and earlier
-- Not affected: No versions of the PowerDNS Authoritative
- ('pdns\_server') are affected.
-- Severity: Critical
-- Impact: Denial of Service, possible full system compromise
-- Exploit: Withheld
-- Solution: Upgrade to PowerDNS Recursor 3.1.7.2 or higher
-- Workaround: None. The risk of exploitation or denial of service can
- be decreased slightly by using the ``allow-from`` setting to only
- provide service to known users. The risk of a full system compromise
- can be reduced by running with a suitable reduced privilege user and
- group settings, and possibly chroot environment.
-
-Using specially crafted packets, it is possible to force a buffer
-overflow in the PowerDNS Recursor, leading to a crash.
-
-This vulnerability was discovered by a third party that (for now)
-prefers not to be named. PowerDNS is very grateful however for their
-help in improving PowerDNS security.
+++ /dev/null
-PowerDNS Security Advisory 2010-02: PowerDNS Recursor up to and including 3.1.7.1 can be spoofed into accepting bogus data
---------------------------------------------------------------------------------------------------------------------------
-
-- CVE: CVE-2009-4010
-- Date: 6th of January 2010
-- Affects: PowerDNS Recursor 3.1.7.1 and earlier
-- Not affected: No versions of the PowerDNS Authoritative
- ('pdns\_server') are affected.
-- Severity: High
-- Impact: Using smart techniques, it is possible to fool the PowerDNS
- Recursor into accepting unauthorized data
-- Exploit: Withheld
-- Solution: Upgrade to PowerDNS Recursor 3.1.7.2 or higher
-- Workaround: None.
-
-Using specially crafted zones, it is possible to fool the PowerDNS
-Recursor into accepting bogus data. This data might be harmful to your
-users. An attacker would be able to divert data from, say, bigbank.com
-to an IP address of his choosing.
-
-This vulnerability was discovered by a third party that (for now)
-prefers not to be named. PowerDNS is very grateful however for their
-help in improving PowerDNS security.
+++ /dev/null
- PowerDNS Security Advisory 2014-01: PowerDNS Recursor 3.6.0 can be crashed remotely
-------------------------------------------------------------------------------------
-
-- CVE: CVE-2014-3614
-- Date: 10th of September 2014
-- Credit: Dedicated PowerDNS users willing to study a crash that
- happens once every few months (thanks)
-- Affects: Only PowerDNS Recursor version 3.6.0.
-- Not affected: No other versions of PowerDNS Recursor, no versions of
- PowerDNS Authoritative Server
-- Severity: High
-- Impact: Crash
-- Exploit: The sequence of packets required is known
-- Risk of system compromise: No
-- Solution: Upgrade to PowerDNS Recursor 3.6.1
-- Workaround: Restrict service using
- ```allow-from`` <../recursor/settings.md#allow-from>`__, install
- script that restarts PowerDNS
-
-Recently, we've discovered that PowerDNS Recursor 3.6.0 (but NOT
-earlier) can crash when exposed to a specific sequence of malformed
-packets. This sequence happened spontaneously with one of our largest
-deployments, and the packets did not appear to have a malicious origin.
-
-Yet, this crash can be triggered remotely, leading to a denial of
-service attack. There appears to be no way to use this crash for system
-compromise or stack overflow.
-
-Upgrading to 3.6.1 solves the issue.
-
-In addition, if you want to apply a minimal fix to your own tree, it can
-be found `here <https://xs.powerdns.com/tmp/minipatch-3.6.1>`__
-
-As for workarounds, only clients in allow-from are able to trigger the
-crash, so this should be limited to your userbase. Secondly,
-`this <https://github.com/PowerDNS/pdns/blob/master/contrib/upstart-recursor.conf>`__
-and
-`this <https://github.com/PowerDNS/pdns/blob/master/contrib/systemd-pdns-recursor.service>`__
-can be used to enable Upstart and Systemd to restart the PowerDNS
-Recursor automatically.
+++ /dev/null
-PowerDNS Security Advisory 2014-02: PowerDNS Recursor 3.6.1 and earlier can be made to provide bad service
-----------------------------------------------------------------------------------------------------------
-
-- CVE: CVE-2014-8601
-- Date: 8th of December 2014
-- Credit: Florian Maury (`ANSSI <http://www.ssi.gouv.fr/en/>`__)
-- Affects: PowerDNS Recursor versions 3.6.1 and earlier
-- Not affected: PowerDNS Recursor 3.6.2; no versions of PowerDNS
- Authoritative Server
-- Severity: High
-- Impact: Degraded service
-- Exploit: This problem can be triggered by sending queries for
- specifically configured domains
-- Risk of system compromise: No
-- Solution: Upgrade to PowerDNS Recursor 3.6.2
-- Workaround: None known. Exposure can be limited by configuring the
- **allow-from** setting so only trusted users can query your
- nameserver.
-
-Recently we released PowerDNS Recursor 3.6.2 with a new feature that
-strictly limits the amount of work we'll perform to resolve a single
-query. This feature was inspired by performance degradations noted when
-resolving domains hosted by 'ezdns.it', which can require thousands of
-queries to resolve.
-
-During the 3.6.2 release process, we were contacted by a government
-security agency with news that they had found that all major caching
-nameservers, including PowerDNS, could be negatively impacted by
-specially configured, hard to resolve domain names. With their
-permission, we continued the 3.6.2 release process with the fix for the
-issue already in there.
-
-We recommend that all users upgrade to 3.6.2 if at all possible.
-Alternatively, if you want to apply a minimal fix to your own tree, it
-can be found `here <https://downloads.powerdns.com/patches/2014-02/>`__,
-including patches for older versions.
-
-As for workarounds, only clients in allow-from are able to trigger the
-degraded service, so this should be limited to your userbase.
-Security Settings
------------------
+Security of PowerDNS
+====================
PowerDNS has several options to easily allow it to run more securely.
Most notable are the :ref:`setting-chroot`, :ref:`setting-setuid` and :ref:`setting-setgid` options.
+For Security Advisories, see the :doc:`dedicated page <security-advisories/index>`.
+
+.. _securitypolicy:
+
+.. include:: common/security-policy.rst
+
For additional information on PowerDNS security, PowerDNS security incidents and PowerDNS security policy, see :ref:`securitypolicy`.
+Securing the Process
+--------------------
+
Running as a less privileged identity
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
By specifying :ref:`setting-setuid` and :ref:`setting-setgid`, PowerDNS changes to this identity shortly after binding to the privileged DNS ports.
Even though this will hamper hackers a lot, chroot jails have been known to be broken.
-**Warning**: When chrooting The PowerDNS, take care that backends will be able to get to their files. Many databases need access to a UNIX domain
-socket which should live within the chroot. It is often possible to
-hardlink such a socket into the chroot dir.
+.. warning::
+ When chrooting The PowerDNS, take care that backends will be able to get to their files. Many databases need access to a UNIX domain
+ socket which should live within the chroot. It is often possible to
+ hardlink such a socket into the chroot dir.
When running with master or slave support, be aware that many operating
systems need access to specific libraries (often ``/lib/libnss*``) in
Separation will enhance your database security highly. Recommended.
+.. _securitypolling:
+
+.. include:: common/secpoll.rst
--- /dev/null
+Authoritative Server Settings
+=============================
+
+All PowerDNS Authoritative Server settings are listed here, excluding
+those that originate from backends, which are documented in the relevant
+chapters. These settings can be set inside ``pdns.conf`` or on the
+commandline when invoking the ``pdns`` binary.
+
+You can use ``+=`` syntax to set some variables incrementally, but this
+requires you to have at least one non-incremental setting for the
+variable to act as base setting. This is mostly useful for
+:ref:`setting-include-dir` directive.
+
+For boolean settings, specifying the name of the setting without a value
+means ``yes``.
+
+.. _setting-8bit-dns:
+
+``8bit-dns``
+------------
+
+- Allow 8 bit dns queries
+- Default: no
+
+.. versionadded:: 4.0.0
+
+Allow 8 bit DNS queries.
+
+.. _setting-allow-axfr-ips:
+
+``allow-axfr-ips``
+------------------
+
+- IP ranges, separated by commas
+- Default: 127.0.0.0/8,::1
+
+If set, only these IP addresses or netmasks will be able to perform
+AXFR.
+
+.. _setting-allow-dnsupdate-from:
+
+``allow-dnsupdate-from``
+------------------------
+
+- IP ranges, separated by commas
+
+Allow DNS updates from these IP ranges.
+
+.. _setting-allow-notify-from:
+
+``allow-notify-from``
+---------------------
+
+- IP ranges, separated by commas
+- Default: 0.0.0.0/0,::/0
+
+Allow AXFR NOTIFY from these IP ranges. Setting this to an empty string
+will drop all incoming notifies.
+
+.. _setting-allow-unsigned-notify:
+
+``allow-unsigned-notify``
+-------------------------
+
+- Boolean
+- Default: yes
+
+.. versionadded:: 4.0.0
+
+Turning this off requires all notifications that are received to be
+signed by valid TSIG signature for the zone.
+
+.. _setting-allow-unsigned-supermaster:
+
+``allow-unsigned-supermaster``
+------------------------------
+
+- Boolean
+- Default: yes
+
+.. versionadded:: 4.0.0
+
+Turning this off requires all supermaster notifications to be signed by
+valid TSIG signature. It will accept any existing key on slave.
+
+.. _setting-allow-recursion:
+
+``allow-recursion``
+-------------------
+
+- IP ranges, separated by commas
+- Default: 0.0.0.0/0
+- Removed in: 4.1.0
+
+By specifying ``allow-recursion``, recursion can be restricted to
+netmasks specified. The default is to allow recursion from everywhere.
+Example: ``allow-recursion=198.51.100.0/24, 10.0.0.0/8, 192.0.2.4``.
+
+.. _setting-also-notify:
+
+``also-notify``
+---------------
+
+- IP addresses, separated by commas
+
+When notifying a domain, also notify these nameservers. Example:
+``also-notify=192.0.2.1, 203.0.113.167``. The IP addresses listed in
+``also-notify`` always receive a notification. Even if they do not match
+the list in :ref:`setting-only-notify`.
+
+.. _setting-any-to-tcp:
+
+``any-to-tcp``
+--------------
+
+- Boolean
+- Default: yes
+
+.. versionchanged:: 4.0.1, was 'no' before.
+
+Answer questions for the ANY on UDP with a truncated packet that refers
+the remote server to TCP. Useful for mitigating reflection attacks.
+
+.. _setting-api:
+
+``api``
+-------
+
+- Boolean
+- Default: no
+
+Enable/disable the :doc:`http-api/index`.
+
+.. _setting-api-key:
+
+``api-key``
+-----------
+
+- String
+
+.. versionadded:: 4.0.0
+
+Static pre-shared authentication key for access to the REST API.
+
+.. _setting-api-readonly:
+
+``api-readonly``
+----------------
+
+- Boolean
+- Default: no
+
+.. versionadded:: 4.0.0
+
+Disallow data modification through the REST API when set.
+
+.. _setting-axfr-lower-serial:
+
+``axfr-lower-serial``
+---------------------
+
+- Boolean
+- Default: no
+
+.. versionadded:: 4.0.4
+
+Also AXFR a zone from a master with a lower serial.
+
+.. _setting-cache-ttl:
+
+``cache-ttl``
+-------------
+
+- Integer
+- Default: 20
+
+Seconds to store packets in the :ref:`packet-cache`.
+
+.. _setting-carbon-ourname:
+
+``carbon-ourname``
+------------------
+
+- String
+- Default: the hostname of the server
+
+If sending carbon updates, if set, this will override our hostname. Be
+careful not to include any dots in this setting, unless you know what
+you are doing. See :ref:`metricscarbon`
+
+.. _setting-carbon-server:
+
+``carbon-server``
+-----------------
+
+- IP Address
+
+Send all available metrics to this server via the carbon protocol, which
+is used by graphite and metronome. It has to be an address (no
+hostnames). You may specify an alternate port by appending :port, ex:
+127.0.0.1:2004. See :ref:`metricscarbon`.
+
+.. _setting-carbon-interval:
+
+``carbon-interval``
+-------------------
+
+- Integer
+- Default: 30
+
+If sending carbon updates, this is the interval between them in seconds.
+See :ref:`metricscarbon`.
+
+.. _setting-chroot:
+
+``chroot``
+----------
+
+- Path
+
+If set, chroot to this directory for more security. See :doc:`security`.
+
+Make sure that ``/dev/log`` is available from within the chroot. Logging
+will silently fail over time otherwise (on logrotate).
+
+When setting ``chroot``, all other paths in the config (except for
+:ref:`setting-config-dir` and :ref:`setting-module-dir`)
+set in the configuration are relative to the new root.
+
+When running on a system where systemd manages services, ``chroot`` does
+not work out of the box, as PowerDNS cannot use the ``NOTIFY_SOCKET``.
+Either don't ``chroot`` on these systems or set the 'Type' of the this
+service to 'simple' instead of 'notify' (refer to the systemd
+documentation on how to modify unit-files)
+
+.. _setting-config-dir:
+
+``config-dir``
+--------------
+
+- Path
+
+Location of configuration directory (``pdns.conf``). Usually
+``/etc/powerdns``, but this depends on ``SYSCONFDIR`` during
+compile-time.
+
+.. _setting-config-name:
+
+``config-name``
+---------------
+
+- String
+
+Name of this virtual configuration - will rename the binary image. See
+:doc:`guides/virtual-instances`.
+
+.. _setting-control-console:
+
+``control-console``
+-------------------
+
+Debugging switch - don't use.
+
+.. _setting-daemon:
+
+``daemon``
+----------
+
+- Boolean
+- Default: no
+
+Operate as a daemon.
+
+.. _setting-default-ksk-algorithms:
+
+``default-ksk-algorithms``
+--------------------------
+
+- String
+- Default: ecdsa256
+
+The algorithm that should be used for the KSK when running
+:doc:`pdnsutil secure-zone <manpages/pdnsutil.1>`. Must be one
+of:
+
+* rsamd5
+* dh
+* dsa
+* ecc
+* rsasha1
+* rsasha256
+* rsasha512
+* ecc-gost
+* ecdsa256 (ECDSA P-256 with SHA256)
+* ecdsa384 (ECDSA P-384 with SHA384)
+* ed25519
+
+.. _setting-default-ksk-size:
+
+``default-ksk-size``
+--------------------
+
+- Integer
+- Default: whichever is default for ``default-ksk-algorithms``
+
+The default keysize for the KSK generated with :doc:`pdnsutil secure-zone <dnssec/pdnsutil>`.
+
+.. _setting-default-soa-name:
+
+``default-soa-name``
+--------------------
+
+- String
+- Default: a.misconfigured.powerdns.server
+
+Name to insert in the SOA record if none set in the backend.
+
+.. _setting-default-soa-edit:
+
+``default-soa-edit``
+--------------------
+
+- String
+- Default: empty
+
+Use this soa-edit value for all zones if no
+:ref:`metadata-soa-edit` metadata value is set.
+
+.. _setting-default-soa-edit-signed:
+
+``default-soa-edit-signed``
+---------------------------
+
+- String
+- Default: empty
+
+Use this soa-edit value for all signed zones if no
+:ref:`metadata-soa-edit` metadata value is set.
+Overrides :ref:`setting-default-soa-edit`
+
+.. _setting-default-soa-mail:
+
+``default-soa-mail``
+--------------------
+
+- String
+
+Mail address to insert in the SOA record if none set in the backend.
+
+.. _setting-default-ttl:
+
+``default-ttl``
+---------------
+
+- Integer
+- Default: 3600
+
+TTL to use when none is provided.
+
+.. _setting-default-zsk-algorithms:
+
+``default-zsk-algorithms``
+--------------------------
+
+- String
+- Default: (empty)
+
+The algorithm that should be used for the ZSK when running
+:doc:`pdnsutil secure-zone <manpages/pdnsutil.1>`. Must be one
+of:
+
+* rsamd5
+* dh
+* dsa
+* ecc
+* rsasha1
+* rsasha256
+* rsasha512
+* ecc-gost
+* ecdsa256 (ECDSA P-256 with SHA256)
+* ecdsa384 (ECDSA P-384 with SHA384)
+* ed25519
+
+.. _setting-default-zsk-size:
+
+``default-zsk-size``
+--------------------
+
+- Integer
+- Default: whichever is default for ``default-zsk-algorithms``
+
+The default keysize for the ZSK generated with :doc:`pdnsutil secure-zone <dnssec/pdnsutil>`.
+
+.. _setting-direct-dnskey:
+
+``direct-dnskey``
+-----------------
+
+- Boolean
+- Default: no
+
+Read additional ZSKs from the records table/your BIND zonefile. If not
+set, DNSKEY records in the zonefiles are ignored.
+
+.. _setting-disable-axfr:
+
+``disable-axfr``
+----------------
+
+- Boolean
+- Default: no
+
+Do not allow zone transfers.
+
+.. _setting-disable-axfr-rectify:
+
+``disable-axfr-rectify``
+------------------------
+
+- Boolean
+- Default: no
+
+Disable the rectify step during an outgoing AXFR. Only required for
+regression testing.
+
+.. _setting-disable-syslog:
+
+``disable-syslog``
+------------------
+
+- Boolean
+- Default: no
+
+Do not log to syslog, only to stdout. Use this setting when running
+inside a supervisor that handles logging (like systemd).
+
+..warning::
+ Do not use this setting in combination with :ref:`setting-daemon` as all
+ logging will disappear.
+
+.. _setting-disable-tcp:
+
+``disable-tcp``
+---------------
+
+- Boolean
+- Default: no
+
+Do not listen to TCP queries. Breaks RFC compliance.
+
+.. _setting-distributor-threads:
+
+``distributor-threads``
+-----------------------
+
+- Integer
+- Default: 3
+
+Number of Distributor (backend) threads to start per receiver thread.
+See :doc:`performance`.
+
+.. _setting-dname-processing:
+
+``dname-processing``
+--------------------
+
+- Boolean
+- Default: no
+
+Synthesise CNAME records from DNAME records as required. This
+approximately doubles query load. **Do not combine with DNSSEC!**
+
+.. _setting-dnssec-key-cache-ttl:
+
+``dnssec-key-cache-ttl``
+------------------------
+
+- Integer
+- Default: 30
+
+Seconds to cache DNSSEC keys from the database. A value of 0 disables
+caching.
+
+.. _setting-dnsupdate:
+
+``dnsupdate``
+-------------
+
+- Boolean
+- Default: no
+
+Enable/Disable DNS update (RFC2136) support. See :doc:`dnsupdate` for more.
+
+.. _setting-do-ipv6-additional-processing:
+
+``do-ipv6-additional-processing``
+---------------------------------
+
+- Boolean
+- Default: yes
+
+Perform AAAA additional processing. This sends AAAA records in the
+ADDITIONAL section when sending a referral.
+
+.. _setting-domain-metadata-cache-ttl:
+
+``domain-metadata-cache-ttl``
+-----------------------------
+
+- Integer
+- Default: 60
+
+Seconds to cache domain metadata from the database. A value of 0
+disables caching.
+
+.. _setting-edns-subnet-processing:
+
+``edns-subnet-processing``
+--------------------------
+
+- Boolean
+- Default: no
+
+Enables EDNS subnet processing, for backends that support it.
+
+.. _setting-entropy-source:
+
+``entropy-source``
+------------------
+
+- Path
+- Default: /dev/urandom
+
+Entropy source file to use.
+
+.. _setting-expand-alias:
+
+``expand-alias``
+----------------
+
+- Boolean
+- Default: no
+- Since: 4.1.0
+
+If this is enabled, ALIAS records are expanded (synthesised to their
+A/AAAA).
+
+If this is disabled (the default), ALIAS records will not expanded and
+the server will will return NODATA for A/AAAA queries for such names.
+
+**note**: :ref:`setting-resolver` must also be set for ALIAS
+expansion to work!
+
+**note**: In PowerDNS Authoritative Server 4.0.x, this setting did not
+exist and ALIAS was always expanded.
+
+.. _setting-forward-dnsupdate:
+
+``forward-dnsupdate``
+---------------------
+
+- Boolean
+- Default: no
+
+Forward DNS updates sent to a slave to the master.
+
+.. _setting-forward-notify:
+
+``forward-notify``
+------------------
+
+- IP addresses, separated by commas
+
+IP addresses to forward received notifications to regardless of master
+or slave settings.
+
+.. note::
+ The intended use is in anycast environments where it might be
+ necessary for a proxy server to perform the AXFR. The usual checks are
+ performed before any received notification is forwarded.
+
+.. _setting-guardian:
+
+``guardian``
+------------
+
+- Boolean
+- Default: no
+
+Run within a guardian process. See :ref:`running-guardian`.
+
+.. _setting-include-dir:
+
+``include-dir``
+---------------
+
+- Path
+
+Directory to scan for additional config files. All files that end with
+.conf are loaded in order using ``POSIX`` as locale.
+
+.. _setting-launch:
+
+``launch``
+----------
+
+- Backend names, separated by commas
+
+Which backends to launch and order to query them in. Launches backends.
+In its most simple form, supply all backends that need to be launched.
+e.g.
+
+::
+
+ launch=bind,gmysql,remote
+
+If you find that you need to query a backend multiple times with
+different configuration, you can specify a name for later
+instantiations. e.g.:
+
+::
+
+ launch=gmysql,gmysql:server2
+
+In this case, there are 2 instances of the gmysql backend, one by the
+normal name and the second one is called 'server2'. The backend
+configuration item names change: e.g. ``gmysql-host`` is available to
+configure the ``host`` setting of the first or main instance, and
+``gmysql-server2-host`` for the second one.
+
+.. _setting-load-modules:
+
+``load-modules``
+----------------
+
+- Paths, separated by commas
+
+If backends are available in nonstandard directories, specify their
+location here. Multiple files can be loaded if separated by commas. Only
+available in non-static distributions.
+
+.. _setting-local-address:
+
+``local-address``
+-----------------
+
+- IPv4 Addresses, separated by commas or whitespace
+- Default: 0.0.0.0
+
+Local IP address to which we bind. It is highly advised to bind to
+specific interfaces and not use the default 'bind to any'. This causes
+big problems if you have multiple IP addresses. Unix does not provide a
+way of figuring out what IP address a packet was sent to when binding to
+any.
+
+.. _setting-non-local-bind:
+
+``non-local-bind``
+------------------
+
+- Boolean
+- Default: no
+
+Bind to addresses even if one or more of the
+:ref:`setting-local-address`'s do not exist on this server.
+Setting this option will enable the needed socket options to allow
+binding to non-local addresses. This feature is intended to facilitate
+ip-failover setups, but it may also mask configuration issues and for
+this reason it is disabled by default.
+
+.. _setting-lua-axfr-script:
+
+``lua-axfr-script``
+-------------------
+
+- String
+- Default: empty
+
+.. versionadded:: 4.1.0
+
+Script to be used to edit incoming AXFRs, see :ref:_modes-of-operation-axfrfilter`
+
+.. _setting-local-address-nonexist-fail:
+
+``local-address-nonexist-fail``
+-------------------------------
+
+- Boolean
+- Default: no
+
+Fail to start if one or more of the
+:ref:`setting-local-address`'s do not exist on this server.
+
+.. _setting-local-ipv6:
+
+``local-ipv6``
+--------------
+
+- IPv6 Addresses, separated by commas or whitespace
+- Default: '::'
+
+Local IPv6 address to which we bind. It is highly advised to bind to
+specific interfaces and not use the default 'bind to any'. This causes
+big problems if you have multiple IP addresses.
+
+.. _setting-local-ipv6-nonexist-fail:
+
+``local-ipv6-nonexist-fail``
+----------------------------
+
+- Boolean
+- Default: no
+
+Fail to start if one or more of the :ref:`setting-local-ipv6`
+addresses do not exist on this server.
+
+.. _setting-local-port:
+
+``local-port``
+--------------
+
+- Integer
+- Default: 53
+
+The port on which we listen. Only one port possible.
+
+.. _setting-log-dns-details:
+
+``log-dns-details``
+-------------------
+
+- Boolean
+- Default: no
+
+If set to 'no', informative-only DNS details will not even be sent to
+syslog, improving performance.
+
+.. _setting-logging-facility:
+
+``logging-facility``
+--------------------
+
+If set to a digit, logging is performed under this LOCAL facility. See :ref:`logging-to-syslog`.
+Do not pass names like 'local0'!
+
+.. _setting-loglevel:
+
+``loglevel``
+------------
+
+- Integer
+- Default: 4
+
+Amount of logging. Higher is more. Do not set below 3
+
+.. _setting-log-dns-queries:
+
+``log-dns-queries``
+-------------------
+
+- Boolean
+- Default: no
+
+Tell PowerDNS to log all incoming DNS queries. This will lead to a lot
+of logging! Only enable for debugging! Set :ref:`setting-loglevel`
+to at least 5 to see the logs.
+
+.. _setting-lua-prequery-script:
+
+``lua-prequery-script``
+-----------------------
+
+- Path
+
+Lua script to run before answering a query. This is a feature used
+internally for regression testing. The API of this functionality is not
+guaranteed to be stable, and is in fact likely to change.
+
+.. _setting-master:
+
+``master``
+----------
+
+- Boolean
+- Default: no
+
+Turn on master support. See :ref:`master-operation`.
+
+.. _setting-max-cache-entries:
+
+``max-cache-entries``
+---------------------
+
+- Integer
+- Default: 1000000
+
+Maximum number of entries in the query cache. 1 million (the default)
+will generally suffice for most installations. Starting with 4.1, the
+packet and query caches are distinct so you might also want to see
+``max-packet-cache-entries``.
+
+.. _setting-max-ent-entries:
+
+``max-ent-entries``
+-------------------
+
+- Integer
+- Default: 100000
+
+Maximum number of empty non-terminals to add to a zone. This is a
+protection measure to avoid database explosion due to long names.
+
+.. _setting-max-nsec3-iterations:
+
+``max-nsec3-iterations``
+------------------------
+
+- Integer
+- Default: 500
+
+Limit the number of NSEC3 hash iterations
+
+.. _setting-max-packet-cache-entries:
+
+``max-packet-cache-entries``
+----------------------------
+
+- Integer
+- Default: 1000000
+
+Maximum number of entries in the packet cache. 1 million (the default)
+will generally suffice for most installations. This setting has been
+introduced in 4.1, previous used the ``max-cache-entries`` setting for
+both the packet and query caches.
+
+.. _setting-max-queue-length:
+
+``max-queue-length``
+--------------------
+
+- Integer
+- Default: 5000
+
+If this many packets are waiting for database attention, consider the
+situation hopeless and respawn.
+
+.. _setting-max-signature-cache-entries:
+
+``max-signature-cache-entries``
+-------------------------------
+
+- Integer
+- Default: 2^64 (on 64-bit systems)
+
+Maximum number of signatures cache entries
+
+.. _setting-max-tcp-connection-duration:
+
+``max-tcp-connection-duration``
+-------------------------------
+
+- Integer
+- Default: 0
+
+Maximum time in seconds that a TCP DNS connection is allowed to stay
+open. 0 means unlimited. Note that exchanges related to an AXFR or IXFR
+are not affected by this setting.
+
+.. _setting-max-tcp-connections:
+
+``max-tcp-connections``
+-----------------------
+
+- Integer
+- Default: 20
+
+Allow this many incoming TCP DNS connections simultaneously.
+
+.. _setting-max-tcp-connections-per-client:
+
+``max-tcp-connections-per-client``
+----------------------------------
+
+- Integer
+- Default: 0
+
+Maximum number of simultaneous TCP connections per client. 0 means
+unlimited.
+
+.. _setting-max-tcp-transactions-per-conn:
+
+``max-tcp-transactions-per-conn``
+---------------------------------
+
+- Integer
+- Default: 0
+
+Allow this many DNS queries in a single TCP transaction. 0 means
+unlimited. Note that exchanges related to an AXFR or IXFR are not
+affected by this setting.
+
+.. _setting-module-dir:
+
+``module-dir``
+--------------
+
+- Path
+
+Directory for modules. Default depends on ``PKGLIBDIR`` during
+compile-time.
+
+.. _setting-negquery-cache-ttl:
+
+``negquery-cache-ttl``
+----------------------
+
+- Integer
+- Default: 60
+
+Seconds to store queries with no answer in the Query Cache. See ref:`query-cache`.
+
+.. _setting-no-config:
+
+``no-config``
+-------------
+
+- Boolean
+- Default: no
+
+Do not attempt to read the configuration file.
+
+.. _setting-no-shuffle:
+
+``no-shuffle``
+--------------
+
+- Boolean
+- Default: no
+
+Do not attempt to shuffle query results, used for regression testing.
+
+.. _setting-overload-queue-length:
+
+``overload-queue-length``
+-------------------------
+
+- Integer
+- Default: 0 (disabled)
+
+If this many packets are waiting for database attention, answer any new
+questions strictly from the packet cache.
+
+.. _setting-reuseport:
+
+``reuseport``
+-------------
+
+- Boolean
+- Default: No
+
+On Linux 3.9 and some BSD kernels the ``SO_REUSEPORT`` option allows
+each receiver-thread to open a new socket on the same port which allows
+for much higher performance on multi-core boxes. Setting this option
+will enable use of ``SO_REUSEPORT`` when available and seamlessly fall
+back to a single socket when it is not available. A side-effect is that
+you can start multiple servers on the same IP/port combination which may
+or may not be a good idea. You could use this to enable transparent
+restarts, but it may also mask configuration issues and for this reason
+it is disabled by default.
+
+.. _setting-security-poll-suffix:
+
+``security-poll-suffix``
+------------------------
+
+- String
+- Default: secpoll.powerdns.com.
+
+Domain name from which to query security update notifications. Setting
+this to an empty string disables secpoll.
+
+.. _setting-server-id:
+
+``server-id``
+-------------
+
+- String
+- Default: The hostname of the server
+
+This is the server ID that will be returned on an EDNS NSID query.
+
+.. _setting-only-notify:
+
+``only-notify``
+---------------
+
+- IP Ranges, separated by commas or whitespace
+- Default: 0.0.0.0/0, ::/0
+
+For type=MASTER zones (or SLAVE zones with slave-renotify enabled)
+PowerDNS automatically sends NOTIFYs to the name servers specified in
+the NS records. By specifying networks/mask as whitelist, the targets
+can be limited. The default is to notify the world. To completely
+disable these NOTIFYs set ``only-notify`` to an empty value. Independent
+of this setting, the IP addresses or netmasks configured with
+:ref:`setting-also-notify` and ``ALSO-NOTIFY`` domain metadata
+always receive AXFR NOTIFYs.
+
+.. note::
+ Even if NOTIFYs are limited by a netmask, PowerDNS first has to
+ resolve all the hostnames to check their IP addresses against the
+ specified whitelist. The resolving may take considerable time,
+ especially if those hostnames are slow to resolve. If you do not need to
+ NOTIFY the slaves defined in the NS records (e.g. you are using another
+ method to distribute the zone data to the slaves), then set
+ :ref:`setting-only-notify` to an empty value and specify the notification targets
+ explicitly using :ref:`setting-also-notify` and/or
+ :ref:`metadata-also-notify` domain metadata to avoid this potential bottleneck.
+
+.. _setting-out-of-zone-additional-processing:
+
+``out-of-zone-additional-processing``
+-------------------------------------
+
+- Boolean
+- Default: yes
+
+Do out of zone additional processing. This means that if a malicious
+user adds a '.com' zone to your server, it is not used for other domains
+and will not contaminate answers. Do not enable this setting if you run
+a public DNS service with untrusted users.
+
+The docs had previously indicated that the default was "no", but the
+default has been "yes" since 2005.
+
+.. _setting-outgoing-axfr-expand-alias:
+
+``outgoing-axfr-expand-alias``
+------------------------------
+
+- Boolean
+- Default: no
+
+If this is enabled, ALIAS records are expanded (synthesised to their
+A/AAAA) during outgoing AXFR. This means slaves will not automatically
+follow changes in those A/AAAA records unless you AXFR regularly!
+
+If this is disabled (the default), ALIAS records are sent verbatim
+during outgoing AXFR. Note that if your slaves do not support ALIAS,
+they will return NODATA for A/AAAA queries for such names.
+
+.. _setting-prevent-self-notification:
+
+``prevent-self-notification``
+-----------------------------
+
+- Boolean
+- Default: yes
+
+PowerDNS Authoritative Server attempts to not send out notifications to
+itself in master mode. In very complicated situations we could guess
+wrong and not notify a server that should be notified. In that case, set
+prevent-self-notification to "no".
+
+.. _setting-query-cache-ttl:
+
+``query-cache-ttl``
+-------------------
+
+- Integer
+- Default: 20
+
+Seconds to store queries with an answer in the Query Cache. See :ref:`query-cache`.
+
+.. _setting-query-local-address:
+
+``query-local-address``
+-----------------------
+
+- IPv4 Address
+- Default: 0.0.0.0
+
+The IP address to use as a source address for sending queries. Useful if
+you have multiple IPs and PowerDNS is not bound to the IP address your
+operating system uses by default for outgoing packets.
+
+.. _setting-query-local-address6:
+
+``query-local-address6``
+------------------------
+
+- IPv6 Address
+- Default: '::'
+
+Source IP address for sending IPv6 queries.
+
+.. _setting-query-logging:
+
+``query-logging``
+-----------------
+
+- Boolean
+- Default: no
+
+Boolean, hints to a backend that it should log a textual representation
+of queries it performs. Can be set at runtime.
+
+.. _setting-queue-limit:
+
+``queue-limit``
+---------------
+
+- Integer
+- Default: 1500
+
+Maximum number of milliseconds to queue a query. See :doc:`performance`.
+
+.. _setting-receiver-threads:
+
+``receiver-threads``
+--------------------
+
+- Integer
+- Default: 1
+
+Number of receiver (listening) threads to start. See :doc:`performance`.
+
+.. _setting-recursive-cache-ttl:
+
+``recursive-cache-ttl``
+-----------------------
+
+- Integer
+- Default: 10
+- Removed in: 4.1.0
+
+Seconds to store recursive packets in the :ref:`packet-cache`.
+
+.. _setting-recursor:
+
+``recursor``
+------------
+
+- IP Address
+
+.. deprecated:: 4.1.0
+
+If set, recursive queries will be handed to the recursor specified here.
+
+.. _setting-resolver:
+
+``resolver``
+------------
+
+- IP Addresses with optional port, separated by commas
+- Added in: 4.1.0
+
+Use these resolver addresses for ALIAS and the internal stub resolver.
+If this is not set, ``/etc/resolv.conf`` is parsed for upstream
+resolvers.
+
+.. _setting-retrieval-threads:
+
+``retrieval-threads``
+---------------------
+
+- Integer
+- Default: 2
+
+Number of AXFR slave threads to start.
+
+.. _setting-setgid:
+
+``setgid``
+----------
+
+- String
+
+If set, change group id to this gid for more security. See :doc:`security`.
+
+.. _setting-setuid:
+
+``setuid``
+----------
+
+- String
+
+If set, change user id to this uid for more security. See :doc:`security`.
+
+.. _setting-slave:
+
+``slave``
+---------
+
+- Boolean
+- Default: no
+
+Turn on slave support. See :ref:`slave-operation`.
+
+.. _setting-slave-cycle-interval:
+
+``slave-cycle-interval``
+------------------------
+
+- Integer
+- 60
+
+On a master, this is the amounts of seconds between the master checking
+the SOA serials in its database to determine to send out NOTIFYs to the
+slaves. On slaves, this is the number of seconds between the slave
+checking for updates to zones.
+
+.. _setting-slave-renotify:
+
+``slave-renotify``
+------------------
+
+- Boolean
+- Default: no
+
+This setting will make PowerDNS renotify the slaves after an AXFR is
+*received* from a master. This is useful when using when running a
+signing-slave.
+
+.. _setting-signing-threads:
+
+``signing-threads``
+-------------------
+
+- Integer
+- Default: 3
+
+Tell PowerDNS how many threads to use for signing. It might help improve
+signing speed by changing this number.
+
+.. _setting-soa-expire-default:
+
+``soa-expire-default``
+----------------------
+
+- Integer
+- Default: 604800
+
+Default :ref:`types-soa` expire.
+
+.. _setting-soa-minimum-ttl:
+
+``soa-minimum-ttl``
+-------------------
+
+- Integer
+- Default: 3600
+
+Default :ref:`types-soa` minimum ttl.
+
+.. _setting-soa-refresh-default:
+
+``soa-refresh-default``
+-----------------------
+
+- Integer
+- Default: 10800
+
+Default :ref:`types-soa` refresh.
+
+.. _setting-soa-retry-default:
+
+``soa-retry-default``
+---------------------
+
+- Integer
+- Default: 3600
+
+Default :ref:`types-soa` retry.
+
+.. _setting-socket-dir:
+
+``socket-dir``
+--------------
+
+- Path
+
+Where the controlsocket will live. The default depends on
+``LOCALSTATEDIR`` during compile-time (usually ``/var/run`` or
+``/run``). See :ref:`control-socket`.
+
+This path will also contain the pidfile for this instance of PowerDNS
+called ``pdns.pid`` by default. See :ref:`setting-config-name`
+and :doc:`Virtual Hosting <guides/virtual-instances>` how this can differ.
+
+.. _setting-tcp-control-address:
+
+``tcp-control-address``
+-----------------------
+
+- IP Address
+
+Address to bind to for TCP control.
+
+.. _setting-tcp-control-port:
+
+``tcp-control-port``
+--------------------
+
+- Integer
+- Default: 53000
+
+Port to bind to for TCP control.
+
+.. _setting-tcp-control-range:
+
+``tcp-control-range``
+---------------------
+
+- IP Ranges, separated by commas or whitespace
+
+Limit TCP control to a specific client range.
+
+.. _setting-tcp-control-secret:
+
+``tcp-control-secret``
+----------------------
+
+- String
+
+Password for TCP control.
+
+.. _setting-tcp-fast-open:
+
+``tcp-fast-open``
+-----------------
+
+- Integer
+- Default: 0 (Disabled)
+
+.. versionadded:: 4.1.0
+
+Enable TCP Fast Open support, if available, on the listening sockets.
+The numerical value supplied is used as the queue size, 0 meaning
+disabled.
+
+.. _setting-tcp-idle-timeout:
+
+``tcp-idle-timeout``
+--------------------
+
+- Integer
+- Default: 5
+
+Maximum time in seconds that a TCP DNS connection is allowed to stay
+open while being idle, meaning without PowerDNS receiving or sending
+even a single byte.
+
+.. _setting-traceback-handler:
+
+``traceback-handler``
+---------------------
+
+- Boolean
+- Default: yes
+
+Enable the Linux-only traceback handler.
+
+.. _setting-trusted-notification-proxy:
+
+``trusted-notification-proxy``
+------------------------------
+
+- String
+
+IP address of incoming notification proxy
+
+.. _setting-udp-truncation-threshold:
+
+``udp-truncation-threshold``
+----------------------------
+
+- Integer
+- Default: 1680
+
+EDNS0 allows for large UDP response datagrams, which can potentially
+raise performance. Large responses however also have downsides in terms
+of reflection attacks. Up till PowerDNS Authoritative Server 3.3, the
+truncation limit was set at 1680 bytes, regardless of EDNS0 buffer size
+indications from the client. Beyond 3.3, this setting makes our
+truncation limit configurable. Maximum value is 65535, but values above
+4096 should probably not be attempted.
+
+.. _setting-version-string:
+
+``version-string``
+------------------
+
+- Any of: ``anonymous``, ``powerdns``, ``full``, String
+- Default: full
+
+When queried for its version over DNS
+(``dig chaos txt version.bind @pdns.ip.address``), PowerDNS normally
+responds truthfully. With this setting you can overrule what will be
+returned. Set the ``version-string`` to ``full`` to get the default
+behaviour, to ``powerdns`` to just make it state
+``served by PowerDNS - http://www.powerdns.com``. The ``anonymous``
+setting will return a ServFail, much like Microsoft nameservers do. You
+can set this response to a custom value as well.
+
+.. _setting-webserver:
+
+``webserver``
+-------------
+
+- Boolean
+- Default: no
+
+Start a webserver for monitoring. See :doc:`performance`".
+
+.. versionchanged:: 4.1.0
+ It was necessary to enable the webserver to use the REST API, this is no longer the case.
+
+.. _setting-webserver-address:
+
+``webserver-address``
+---------------------
+
+- IP Address
+- Default: 127.0.0.1
+
+IP Address for webserver/API to listen on.
+
+.. _setting-webserver-allow-from:
+
+``webserver-allow-from``
+------------------------
+
+- IP ranges, separated by commas or whitespace
+- Default: 0.0.0.0/0,::/0
+
+Webserver/API access is only allowed from these subnets.
+
+.. _setting-webserver-password:
+
+``webserver-password``
+----------------------
+
+- String
+
+The plaintext password required for accessing the webserver.
+
+.. _setting-webserver-port:
+
+``webserver-port``
+------------------
+
+- Integer
+- Default: 8001
+
+The port where webserver/API will listen on.
+
+.. _setting-webserver-print-arguments:
+
+``webserver-print-arguments``
+-----------------------------
+
+- Boolean
+- Default: no
+
+If the webserver should print arguments.
+
+.. _setting-write-pid:
+
+``write-pid``
+-------------
+
+- Boolean
+- Default: yes
+
+If a PID file should be written.
+
+.. _setting-xfr-max-received-mbytes:
+
+``xfr-max-received-mbytes``
+---------------------------
+
+- Integer
+- Default: 100
+
+Specifies the maximum number of received megabytes allowed on an
+incoming AXFR/IXFR update, to prevent resource exhaustion. A value of 0
+means no restriction.
--- /dev/null
+TSIG
+====
+
+TSIG, as defined in :rfc:`2845`,
+is a method for signing DNS messages using shared secrets. Each TSIG
+shared secret has a name, and PowerDNS can be told to allow zone
+transfer of a domain if the request is signed with an authorized name.
+
+In PowerDNS, TSIG shared secrets are stored by the various backends. In
+case of the :doc:`backends/generic-sql`, they
+can be found in the 'tsigkeys' table. The name can be chosen freely, but
+the algorithm name will typically be 'hmac-md5'. Other supported
+algorithms are 'hmac-sha1', 'hmac-shaX' where X is 224, 256, 384 or 512.
+The content is a Base64-encoded secret.
+
+.. note::
+ Most backends require DNSSEC support enabled to support TSIG.
+ For the Generic SQL Backend make sure to use the DNSSEC enabled schema
+ and to turn on the relevant '-dnssec' flag (for example,
+ ``gmysql-dnssec``)!
+
+Provisioning outbound AXFR access
+---------------------------------
+
+To actually provision a named secret permission to AXFR a zone, set a
+metadata item in the 'domainmetadata' table called ``TSIG-ALLOW-AXFR``
+with the key name in the content field. For example::
+
+ insert into tsigkeys (name, algorithm, secret) values ('test', 'hmac-md5', 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=');
+ select id from domains where name='powerdnssec.org';
+ 5
+ insert into domainmetadata (domain_id, kind, content) values (5, 'TSIG-ALLOW-AXFR', 'test');
+
+ $ dig -t axfr powerdnssec.org @127.0.0.1 -y 'test:kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys='
+
+Another of importing and activating TSIG keys into the database is using
+:doc:`pdnsutil <manpages/pdnsutil.1>`::
+
+ pdnsutil import-tsig-key test hmac-md5 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys='
+ pdnsutil activate-tsig-key powerdnssec.org test master
+
+To ease interoperability, the equivalent configuration above in BIND
+would look like this::
+
+ key test. {
+ algorithm hmac-md5;
+ secret "kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=";
+ };
+
+ zone "powerdnssec.org" {
+ type master;
+ file "powerdnssec.org";
+ allow-transfer { key test.; };
+ };
+
+A packet authorized and authenticated by a TSIG signature will gain
+access to a zone even if the remote IP address is not otherwise allowed
+to AXFR a zone.
+
+.. _tsig-provision-signed-notify-axfr:
+
+Provisioning signed notification and AXFR requests
+--------------------------------------------------
+
+To configure PowerDNS to send out TSIG signed AXFR requests for a zone
+to its master(s), set the ``AXFR-MASTER-TSIG`` metadata item for the
+relevant domain to the key that must be used.
+
+The actual TSIG key must also be provisioned, as outlined in the
+previous section.
+
+For the Generic SQL backends, configuring the use of TSIG for AXFR
+requests could be achieved as follows:
+
+::
+
+ insert into tsigkeys (name, algorithm, secret) values ('test', 'hmac-md5', 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=');
+ select id from domains where name='powerdnssec.org';
+ 5
+ insert into domainmetadata (domain_id, kind, content) values (5, 'AXFR-MASTER-TSIG', 'test');
+
+This can also be done using
+:doc:`/manpages/pdnsutil.1`:
+
+::
+
+ pdnsutil import-tsig-key test hmac-md5 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys='
+ pdnsutil activate-tsig-key powerdnssec.org test slave
+
+This setup corresponds to the ``TSIG-ALLOW-AXFR`` access rule defined in
+the previous section.
+
+In the interest of interoperability, the configuration above is (not
+quite) similar to the following BIND statements:
+
+::
+
+ key test. {
+ algorithm hmac-md5;
+ secret "kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=";
+ };
+
+ server 127.0.0.1 {
+ keys { test.; };
+ };
+
+ zone "powerdnssec.org" {
+ type slave;
+ masters { 127.0.0.1; };
+ file "powerdnssec.org";
+ };
+
+Except that in this case, TSIG will be used for all communications with
+the master, not just those about AXFR requests.
+
+.. _tsig-gss-tsig:
+
+GSS-TSIG support
+----------------
+
+GSS-TSIG allows authentication and authorization of DNS updates or AXFR
+using Kerberos with TSIG signatures.
+
+.. note::
+ This feature is experimental and subject to change in future releases.
+
+Prerequisites
+~~~~~~~~~~~~~
+
+- Working Kerberos environment. Please refer to your Kerberos vendor
+ documentation on how to setup it.
+- Principal (such as ``DNS/<your.dns.server.name>@REALM``) in either
+ per-user keytab or system keytab.
+
+In particular, if something does not work, read logs and ensure that
+your kerberos environment is ok before filing an issue. Most common
+problems are time synchronization or changes done to the principal.
+
+Setting up
+~~~~~~~~~~
+
+To allow AXFR / DNS update to work, you need to configure
+``GSS-ACCEPTOR-PRINCIPAL`` in
+:doc:`domainmetadata`. This will define the
+principal that is used to accept any GSS context requests. This *must*
+match to your keytab. Next you need to define one or more
+``GSS-ALLOW-AXFR-PRINCIPAL`` entries for AXFR, or
+``TSIG-ALLOW-DNSUPDATE`` entries for DNS update. These must be set to
+the exact initiator principal names you intend to use. No wildcards
+accepted.
--- /dev/null
+Upgrade Notes
+=============
+
+Before proceeding, it is advised to check the release notes for your
+PowerDNS version, as specified in the name of the distribution file.
+
+Please upgrade to the PowerDNS Authoritative Server 4.0.0 from 3.4.2+.
+See the `3.X <https://doc.powerdns.com/3/authoritative/upgrading/>`__
+upgrade notes if your version is older than 3.4.2.
+
+4.0.X to 4.1.0
+--------------
+
+ - Recursion has been removed, see the :doc:`dedicated migration guide <guides/recursion>`.
+ - ALIAS record expension is disabled by default, use :ref:`setting-expand-alias` to enable.
+
+Changed options
+^^^^^^^^^^^^^^^
+
+- ``experimental-lua-policy-script`` option and the feature itself have
+ been completely dropped. We invite you to use (PowerDNS
+ dnsdist)[http://dnsdist.org] instead.
+
+Changed defaults
+~~~~~~~~~~~~~~~~
+
+Other changes
+^^^^^^^^^^^^^
+
+The ``--with-pgsql``, ``--with-pgsql-libs``, ``--with-pgsql-includes``
+and ``--with-pgsql-config`` ``configure`` options have been deprecated.
+``configure`` now attempts to find the Postgresql client libraries via
+``pkg-config``, falling back to detecting ``pg_config``. Use
+``--with-pg-config`` to specify a path to a non-default ``pg_config`` if
+you have Postgresql installed in a non-default location.
+
+4.0.X to 4.0.2
+--------------
+
+Changed options
+^^^^^^^^^^^^^^^
+
+Changed defaults
+~~~~~~~~~~~~~~~~
+
+- :ref:`setting-any-to-tcp` changed from ``no`` to ``yes``
+
+3.4.X to 4.0.0
+--------------
+
+Database changes
+^^^^^^^^^^^^^^^^
+
+No changes have been made to the database schema. However, several
+superfluous queries have been dropped from the SQL backend. Furthermore,
+the generic SQL backends switched to prepared statements. If you use a
+non-standard SQL schema, please review the new defaults.
+
+- ``insert-ent-query``, ``insert-empty-non-terminal-query``,
+ ``insert-ent-order-query`` have been replaced by one query named
+ ``insert-empty-non-terminal-order-query``
+- ``insert-record-order-query`` has been dropped,
+ ``insert-record-query`` now sets the ordername (or NULL)
+- ``insert-slave-query`` has been dropped, ``insert-zone-query`` now
+ sets the type of zone
+
+Changed options
+^^^^^^^^^^^^^^^
+
+Several options have been removed or renamed, for the full overview of
+all options, see :doc:`settings`.
+
+Renamed options
+~~~~~~~~~~~~~~~
+
+The following options have been renamed:
+
+- ``experimental-json-interface`` ==> :ref:`setting-api`
+- ``experimental-api-readonly`` ==> :ref:`setting-api-readonly`
+- ``experimental-api-key`` ==> :ref:`setting-api-key`
+- ``experimental-dname-processing`` ==> :ref:`setting-dname-processing`
+- ``experimental-dnsupdate`` ==> :ref:`setting-dnsupdate`
+- ``allow-dns-update-from`` ==> :ref:`setting-allow-dnsupdate-from`
+- ``forward-dnsupdates`` ==> :ref:`setting-forward-dnsupdate`
+
+Changed defaults
+~~~~~~~~~~~~~~~~
+
+- :ref:`setting-default-ksk-algorithms`
+ changed from rsasha256 to ecdsa256
+- :ref:`setting-default-zsk-algorithms`
+ changed from rsasha256 to empty
+
+Removed options
+~~~~~~~~~~~~~~~
+
+The following options are removed:
+
+- ``pipebackend-abi-version``, it now a setting per-pipe backend.
+- ``strict-rfc-axfrs``
+- ``send-root-referral``
+
+API
+^^^
+
+The API path has changed to ``/api/v1``.
+
+Incompatible change: ``SOA-EDIT-API`` now follows ``SOA-EDIT-DNSUPDATE``
+instead of ``SOA-EDIT`` (incl. the fact that it now has a default value
+of ``DEFAULT``). You must update your existing ``SOA-EDIT-API`` metadata
+(set ``SOA-EDIT`` to your previous ``SOA-EDIT-API`` value, and
+``SOA-EDIT-API`` to ``SOA-EDIT`` to keep the old behaviour).
+
+Resource Record Changes
+^^^^^^^^^^^^^^^^^^^^^^^
+
+Since PowerDNS 4.0.0 the CAA resource record (type 257) is supported.
+Before PowerDNS 4.0.0 type 257 was used for a proprietary MBOXFW
+resource record, which was removed from PowerDNS 4.0. Hence, if you used
+CAA records with 3.4.x (stored in the DB with wrong type=MBOXFW but
+worked fine) and upgrade to 4.0, PowerDNS will fail to parse this
+records and will throw an exception on all queries for a label with
+MBOXFW records. Thus, make sure to clean up the records in the DB.
--- /dev/null
+AC_DEFUN([PDNS_CHECK_VIRTUALENV], [
+ AC_CHECK_PROG([VIRTUALENV], [virtualenv], [virtualenv], [no])
+
+ AS_IF([test "x$VIRTUALENV" = "xno"], [
+ AS_IF([test ! -f "$srcdir/pdns_server.1"],
+ [AC_MSG_WARN([virtualenv is missing, unable to build manpages.])]
+ )
+ ])
+ AM_CONDITIONAL([HAVE_VIRTUALENV], [test "x$VIRTUALENV" != "xno"])
+ AM_CONDITIONAL([HAVE_MANPAGES], [test -e "$srcdir/pdns_server.1"])
+])
+
exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store',
'http-api/override.rst',
'common/zonemetadata.rst',
+ 'common/endpoint-servers-config.rst',
'common/secpoll.rst']
# The name of the Pygments (syntax highlighting) style to use.
--- /dev/null
+Configuration endpoint
+======================
+
+.. include:: ../common/api/endpoint-servers-config.rst
+
+.. http:put:: /api/v1/servers/:server_id/config/:config_setting_name
+
+ Change a single setting
+
+ .. note::
+ Only :ref:`setting-allow-from` can be set.
+
+ :param server_id: The name of the server
+ :param config_setting_name: The name of the setting to change
+
+ **Example request**
+
+ .. sourcecode:: http
+
+ PUT /api/v1/servers/localhost/config/allow-from HTTP/1.1
+ Host: localhost:8082
+ User-Agent: curl/7.54.1
+ Accept: application/json
+ X-Api-Key: secret
+ Content-Type: application/json
+ Content-Length: 48
+
+ { "name": "allow-from", "value": ["127.0.0.0/8"] }
+
+ **Example response**
+
+ .. sourcecode:: http
+
+ HTTP/1.1 200 OK
+ Access-Control-Allow-Origin: *
+ Connection: close
+ Content-Length: 48
+ Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
+ Content-Type: application/json
+ Server: PowerDNS/0.0.g00799130f
+ X-Content-Type-Options: nosniff
+ X-Frame-Options: deny
+ X-Permitted-Cross-Domain-Policies: none
+ X-Xss-Protection: 1; mode=block
+
+ {"name": "allow-from", "value": ["127.0.0.0/8"]}
+
+
+
../common/api/endpoint-api
../common/api/endpoint-servers
- ../common/api/endpoint-servers-config
+ endpoint-servers-config
../common/api/endpoint-statistics.rst
endpoint-zones
endpoint-trace
+++ /dev/null
-../../../../docs/security-advisories/powerdns-advisory-2006-01.rst
\ No newline at end of file
--- /dev/null
+PowerDNS Security Advisory 2006-01: Malformed TCP queries can lead to a buffer overflow which might be exploitable
+------------------------------------------------------------------------------------------------------------------
+
+- CVE: CVE-2006-4251
+- Date: 13th of November 2006
+- Affects: PowerDNS Recursor versions 3.1.3 and earlier, on all
+ operating systems.
+- Not affected: No versions of the PowerDNS Authoritative Server
+ ('pdns\_server') are affected.
+- Severity: Critical
+- Impact: Potential remote system compromise.
+- Exploit: As far as we know, no exploit is available as of 11th of
+ November 2006.
+- Solution: Upgrade to PowerDNS Recursor 3.1.4, or apply the patches
+ referred below and recompile
+- Workaround: Disable TCP access to the Recursor. This will have slight
+ operational impact, but it is likely that this will not lead to
+ meaningful degradation of service. Disabling access is best performed
+ at packet level, either by configuring a firewall, or instructing the
+ host operating system to drop TCP connections to port 53.
+ Additionally, exposure can be limited by configuring the
+ ``allow-from`` setting so only trusted users can query your
+ nameserver.
+
+PowerDNS Recursor 3.1.3 and previous miscalculate the length of incoming
+TCP DNS queries, and will attempt to read up to 4 gigabytes of query
+into a 65535 byte buffer.
+
+We have not verified if this problem might actually lead to a system
+compromise, but are acting on the assumption that it might.
+
+For distributors, a minimal patch is available on `the PowerDNS
+wiki <http://wiki.powerdns.com/cgi-bin/trac.fcgi/changeset/915>`__.
+Additionally, those shipping very old versions of the PowerDNS Recursor
+might benefit from this
+`patch <http://ds9a.nl/tmp/cve-2006-4251.patch>`__.
+
+The impact of these and other security problems can be lessened by
+considering the advice in FIXME: security-settings.
+++ /dev/null
-../../../../docs/security-advisories/powerdns-advisory-2006-02.rst
\ No newline at end of file
--- /dev/null
+PowerDNS Security Advisory 2006-02: Zero second CNAME TTLs can make PowerDNS exhaust allocated stack space, and crash
+---------------------------------------------------------------------------------------------------------------------
+
+- CVE: CVE-2006-4252
+- Date: 13th of November 2006
+- Affects: PowerDNS Recursor versions 3.1.3 and earlier, on all
+ operating systems.
+- Not affected: No versions of the PowerDNS Authoritative Server
+ ('pdns\_server') are affected.
+- Severity: Moderate
+- Impact: Denial of service
+- Exploit: This problem can be triggered by sending queries for
+ specifically configured domains
+- Solution: Upgrade to PowerDNS Recursor 3.1.4, or apply `commit
+ 919 <http://wiki.powerdns.com/projects/trac/changeset/919>`__.
+- Workaround: None known. Exposure can be limited by configuring the
+ **allow-from** setting so only trusted users can query your
+ nameserver.
+
+PowerDNS would recurse endlessly on encountering a CNAME loop consisting
+entirely of zero second CNAME records, eventually exceeding resources
+and crashing.
+++ /dev/null
-../../../../docs/security-advisories/powerdns-advisory-2008-01.rst
\ No newline at end of file
--- /dev/null
+PowerDNS Security Advisory 2008-01: System random generator can be predicted, leading to the potential to 'spoof' PowerDNS Recursor
+-----------------------------------------------------------------------------------------------------------------------------------
+
+- CVE: Not yet assigned
+- Date: 31st of March 2008
+- Affects: PowerDNS Recursor versions 3.1.4 and earlier, on most
+ operating systems
+- Not affected: No versions of the PowerDNS Authoritative Server
+ ('pdns\_server') are affected.
+- Severity:Moderate
+- Impact: Data manipulation; client redirection
+- Exploit: This problem can be triggered by sending queries for
+ specifically configured domains, sending spoofed answer packets
+ immediately afterwards.
+- Solution: Upgrade to PowerDNS Recursor 3.1.5, or apply changesets
+ `1159 <http://wiki.powerdns.com/projects/trac/changeset/1159>`__,
+ `1160 <http://wiki.powerdns.com/projects/trac/changeset/1160>`__ and
+ `1164 <http://wiki.powerdns.com/projects/trac/changeset/1164>`__.
+- Workaround: None known. Exposure can be limited by configuring the
+ **allow-from** setting so only trusted users can query your
+ nameserver.
+
+We would like to thank Amit Klein of Trusteer for bringing a serious
+vulnerability to our attention which would enable a smart attacker to
+'spoof' previous versions of the PowerDNS Recursor into accepting
+possibly malicious data.
+
+Details can be found on `this Trusteer
+page <http://www.trusteer.com/docs/powerdnsrecursor.html>`__.
+
+This security problem was announced in `this email
+message <http://mailman.powerdns.com/pipermail/pdns-users/2008-March/005279.html>`__.
+
+It is recommended that all users of the PowerDNS Recursor upgrade to
+3.1.5 as soon as practicable, while we simultaneously note that busy
+servers are less susceptible to the attack, but not immune.
+
+The vulnerability is present on all operating systems where the
+behaviour of the libc random() function can be predicted based on its
+past output. This includes at least all known versions of Linux, as well
+as Microsoft Windows, and probably FreeBSD and Solaris.
+
+The magnitude of this vulnerability depends on internal details of the
+system random() generator. For Linux, the mathematics of the random
+generator are complex, but well understood and Amit Klein has written
+and published a proof of concept that can successfully predict its
+output after uninterrupted observation of 40-50 DNS queries.
+
+Because the observation needs to be uninterrupted, busy PowerDNS
+Recursor instances are harder to subvert - other data is highly likely
+to be interleaved with traffic generated by an attacker.
+
+Nevertheless, operators are urged to update at their earliest
+convenience.
+++ /dev/null
-../../../../docs/security-advisories/powerdns-advisory-2010-01.rst
\ No newline at end of file
--- /dev/null
+PowerDNS Security Advisory 2010-01: PowerDNS Recursor up to and including 3.1.7.1 can be brought down and probably exploited
+----------------------------------------------------------------------------------------------------------------------------
+
+- CVE: CVE-2009-4009
+- Date: 6th of January 2010
+- Affects: PowerDNS Recursor 3.1.7.1 and earlier
+- Not affected: No versions of the PowerDNS Authoritative
+ ('pdns\_server') are affected.
+- Severity: Critical
+- Impact: Denial of Service, possible full system compromise
+- Exploit: Withheld
+- Solution: Upgrade to PowerDNS Recursor 3.1.7.2 or higher
+- Workaround: None. The risk of exploitation or denial of service can
+ be decreased slightly by using the ``allow-from`` setting to only
+ provide service to known users. The risk of a full system compromise
+ can be reduced by running with a suitable reduced privilege user and
+ group settings, and possibly chroot environment.
+
+Using specially crafted packets, it is possible to force a buffer
+overflow in the PowerDNS Recursor, leading to a crash.
+
+This vulnerability was discovered by a third party that (for now)
+prefers not to be named. PowerDNS is very grateful however for their
+help in improving PowerDNS security.
+++ /dev/null
-../../../../docs/security-advisories/powerdns-advisory-2010-02.rst
\ No newline at end of file
--- /dev/null
+PowerDNS Security Advisory 2010-02: PowerDNS Recursor up to and including 3.1.7.1 can be spoofed into accepting bogus data
+--------------------------------------------------------------------------------------------------------------------------
+
+- CVE: CVE-2009-4010
+- Date: 6th of January 2010
+- Affects: PowerDNS Recursor 3.1.7.1 and earlier
+- Not affected: No versions of the PowerDNS Authoritative
+ ('pdns\_server') are affected.
+- Severity: High
+- Impact: Using smart techniques, it is possible to fool the PowerDNS
+ Recursor into accepting unauthorized data
+- Exploit: Withheld
+- Solution: Upgrade to PowerDNS Recursor 3.1.7.2 or higher
+- Workaround: None.
+
+Using specially crafted zones, it is possible to fool the PowerDNS
+Recursor into accepting bogus data. This data might be harmful to your
+users. An attacker would be able to divert data from, say, bigbank.com
+to an IP address of his choosing.
+
+This vulnerability was discovered by a third party that (for now)
+prefers not to be named. PowerDNS is very grateful however for their
+help in improving PowerDNS security.
+++ /dev/null
-../../../../docs/security-advisories/powerdns-advisory-2014-01.rst
\ No newline at end of file
--- /dev/null
+ PowerDNS Security Advisory 2014-01: PowerDNS Recursor 3.6.0 can be crashed remotely
+------------------------------------------------------------------------------------
+
+- CVE: CVE-2014-3614
+- Date: 10th of September 2014
+- Credit: Dedicated PowerDNS users willing to study a crash that
+ happens once every few months (thanks)
+- Affects: Only PowerDNS Recursor version 3.6.0.
+- Not affected: No other versions of PowerDNS Recursor, no versions of
+ PowerDNS Authoritative Server
+- Severity: High
+- Impact: Crash
+- Exploit: The sequence of packets required is known
+- Risk of system compromise: No
+- Solution: Upgrade to PowerDNS Recursor 3.6.1
+- Workaround: Restrict service using
+ ```allow-from`` <../recursor/settings.md#allow-from>`__, install
+ script that restarts PowerDNS
+
+Recently, we've discovered that PowerDNS Recursor 3.6.0 (but NOT
+earlier) can crash when exposed to a specific sequence of malformed
+packets. This sequence happened spontaneously with one of our largest
+deployments, and the packets did not appear to have a malicious origin.
+
+Yet, this crash can be triggered remotely, leading to a denial of
+service attack. There appears to be no way to use this crash for system
+compromise or stack overflow.
+
+Upgrading to 3.6.1 solves the issue.
+
+In addition, if you want to apply a minimal fix to your own tree, it can
+be found `here <https://xs.powerdns.com/tmp/minipatch-3.6.1>`__
+
+As for workarounds, only clients in allow-from are able to trigger the
+crash, so this should be limited to your userbase. Secondly,
+`this <https://github.com/PowerDNS/pdns/blob/master/contrib/upstart-recursor.conf>`__
+and
+`this <https://github.com/PowerDNS/pdns/blob/master/contrib/systemd-pdns-recursor.service>`__
+can be used to enable Upstart and Systemd to restart the PowerDNS
+Recursor automatically.
+++ /dev/null
-../../../../docs/security-advisories/powerdns-advisory-2014-02.rst
\ No newline at end of file
--- /dev/null
+PowerDNS Security Advisory 2014-02: PowerDNS Recursor 3.6.1 and earlier can be made to provide bad service
+----------------------------------------------------------------------------------------------------------
+
+- CVE: CVE-2014-8601
+- Date: 8th of December 2014
+- Credit: Florian Maury (`ANSSI <http://www.ssi.gouv.fr/en/>`__)
+- Affects: PowerDNS Recursor versions 3.6.1 and earlier
+- Not affected: PowerDNS Recursor 3.6.2; no versions of PowerDNS
+ Authoritative Server
+- Severity: High
+- Impact: Degraded service
+- Exploit: This problem can be triggered by sending queries for
+ specifically configured domains
+- Risk of system compromise: No
+- Solution: Upgrade to PowerDNS Recursor 3.6.2
+- Workaround: None known. Exposure can be limited by configuring the
+ **allow-from** setting so only trusted users can query your
+ nameserver.
+
+Recently we released PowerDNS Recursor 3.6.2 with a new feature that
+strictly limits the amount of work we'll perform to resolve a single
+query. This feature was inspired by performance degradations noted when
+resolving domains hosted by 'ezdns.it', which can require thousands of
+queries to resolve.
+
+During the 3.6.2 release process, we were contacted by a government
+security agency with news that they had found that all major caching
+nameservers, including PowerDNS, could be negatively impacted by
+specially configured, hard to resolve domain names. With their
+permission, we continued the 3.6.2 release process with the fix for the
+issue already in there.
+
+We recommend that all users upgrade to 3.6.2 if at all possible.
+Alternatively, if you want to apply a minimal fix to your own tree, it
+can be found `here <https://downloads.powerdns.com/patches/2014-02/>`__,
+including patches for older versions.
+
+As for workarounds, only clients in allow-from are able to trigger the
+degraded service, so this should be limited to your userbase.
missing_elements=""
for element in $elements; do
- grep -q -e "^$element" ../docs/manpages/rec_control.1.md || missing_elements="$element\n$missing_elements"
+ grep -q -e "^$element" ../pdns/recursordist/docs/manpages/rec_control.rst || missing_elements="$element\n$missing_elements"
done
if [ "x$missing_elements" != "x" ]; then
projects / pdns / commitdiff
