From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] DNS: Fall back to permissive mode if recursor mode is unavailable
Date: Sun, 02 Apr 2017 19:03:47 +0100
Message-ID: <1491156227.12811.1.camel@ipfire.org>
In-Reply-To: <1491151036.13033.2.camel@hughes.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1813372497157858072=="

--===============1813372497157858072==
Content-Type: text/plain; charset="utf-8"

Hi,

this does help, yes.

You are falling back to recursor mode which is not really what should happen.
That means the test does not indicate correctly what I hoped it would do.

Are those name servers your ISP is forcing you to use publicly available? If so
I could test on my own.

Best,
-Michael

On Sun, 2017-04-02 at 11:37 -0500, Paul Simmons wrote:
> On Fri, 2017-03-31 at 17:53 +0100, Michael Tremer wrote:
> > No, I don't think that any of the changes after that commit would
> > have helped.
> >
> > What I need to have is a test that allows me to identify if these
> > name servers are able to pass on the public key of the root zone.
> >
> > If so, then DNSSEC would work fine in recursor mode.
> >
> > If not, unbound should now disable DNSSEC validation.
> >
> > What is the output of "/etc/init.d/unbound restart" on that system?
> >
> > -Michael
> >
> > On Thu, 2017-03-30 at 13:21 -0500, Paul Simmons wrote:
> > > On Thu, 2017-03-30 at 17:51 +0100, Michael Tremer wrote:
> > > >
> > > > Hey Paul,
> > > >
> > > > I really don't want you to switch away from IPFire since there
> > > > is no need to. We will get this fixed.
> > > >
> > > > And although this is a corner case I am willing to work on
> > > > this. However I cannot test.
> > > >
> > > > So just to get me up to date again: Did you apply the changes
> > > > from Core Update 110? Did that work or not?
> > > >
> > > > -Michael
> > > >
> > > > On Sat, 2017-03-25 at 10:20 -0500, Paul Simmons wrote:
> > > > >
> > > > > On Wed, 2017-03-08 at 10:19 -0600, Paul Simmons wrote:
> > > > > >
> > > > > > On Wed, 2017-03-08 at 12:09 +0000, Michael Tremer wrote:
> > > > > > >
> > > > > > >
> > > > > > > Hmm...
> > > > > > >
> > > > > > > That's interesting that only AAAA records fail. No idea
> > > > > > > why the system is resolving those any ways, but hey...
> > > > > > >
> > > > > > > So when you do
> > > > > > >
> > > > > > >   dig @198.41.0.4 a.root-servers.net AAAA +dnssec
> > > > > > >
> > > > > > > does that work?
> > > > > > >
> > > > > > > What does
> > > > > > >
> > > > > > >   dig @8.8.8.8 +sigchase +dnssec www.ipfire.org
> > > > > > >
> > > > > > > do?
> > > > > > >
> > > > > > > -Michael
> > > > > > >
> > > > > > > ---->% massive snippage here %<----
> > > > > >
> > > > > > Sorry for the delay. I have to chase everyone off the
> > > > > > network and reboot with another disk (development image)
> > > > > > to test, then have to reboot with Core105 and DNSSEC
> > > > > > disabled to resume email :).
> > > > > >
> > > > > > Here are the results:
> > > > > >
> > > > > > # dig @198.41.0.4 a.root-servers.net AAAA +dnssec
> > > > > >
> > > > > > ; <<>> DiG 9.11.0-P3 <<>> @198.41.0.4 a.root-servers.net AAAA +dnssec
> > > > > > ; (1 server found)
> > > > > > ;; global options: +cmd
> > > > > > ;; Got answer:
> > > > > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65258
> > > > > > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> > > > > > ;; WARNING: Message has 23 extra bytes at end
> > > > > >
> > > > > > ;; QUESTION SECTION:
> > > > > > ;a.root-servers.net. IN AAAA
> > > > > >
> > > > > > ;; Query time: 1 msec
> > > > > > ;; SERVER: 198.41.0.4#53(198.41.0.4)
> > > > > > ;; WHEN: Wed Mar 08 09:56:11 CST 2017
> > > > > > ;; MSG SIZE  rcvd: 59
> > > > > >
> > > > > > # dig @8.8.8.8 +sigchase +dnssec www.ipfire.org
> > > > > > ;; Warning: Message parser reports malformed message packet.
> > > > > > ;; NO ANSWERS: no more
> > > > > > We want to prove the non-existence of a type of rdata 1 or of the zone:
> > > > > > ;; nothing in authority section : impossible to validate the non-existence : FAILED
> > > > > >
> > > > > > ;; Impossible to verify the Non-existence, the NSEC RRset can't be validated: FAILED
> > > > > >
> > > > > > Thank you,
> > > > > > Paul
> > > > >
> > > > > Additional information:
> > > > >
> > > > > On Core105, I have an override in /etc/sysconfig/dnsmasq:
> > > > > ENABLE_DNSSEC=0
> > > > >
> > > > > If I remove this, DNS resolution outside of my private
> > > > > network fails.
> > > > >
> > > > > I've had a long conversation with HughesNet Community Support
> > > > > (such as it is), to no avail.
> > > > >
> > > > > Hughes has no plans to support DNSSEC in the near future, and
> > > > > there's no way to prevent the modem (HN9000) from caching /
> > > > > spoofing / mangling DNS traffic.
> > > > >
> > > > > There are no other providers available - no DSL, no cable, no
> > > > > fiber, no wireless, no cellular, no anything. If I had the
> > > > > funds, I'd create my own NLOS WISP and make a tidy profit out
> > > > > here "in the sticks". Goodness knows, I'd like a reprieve
> > > > > from high cost, data caps, high latency, rain fade, and
> > > > > miserable throughput.
> > > > >
> > > > > Please, is there any way to fall back to insecure DNS with
> > > > > IPFire's unbound configuration? I realize my situation is a
> > > > > "corner case", but I like IPFire, have a lot of time and
> > > > > effort invested, and am loath to switch to a different
> > > > > firewall.
> > > > >
> > > > > Best regards,
> > > > > Paul
> > >
> > > Hey Michael.  Sorry to be a pain.  Thank you for your help.
> > >
> > > I tested with commit c016773b9816ad9be4ffc8643c30457e87c094e3 and
> > > had no luck.
> > >
> > > I tried using both the ISP provided DNS and known "good"
> > > validating servers.
> > >
> > > Shall I rebuild the test image with a later commit?
> > >
> > > Paul
>
> Finally got a test window... made the best of it.
>
> ----------------------------------------------------------
> Output from unbound restart:
>
> # /etc/init.d/unbound restart
> Stopping Unbound DNS Proxy...                                          [  OK  ]
> Starting Unbound DNS Proxy...                                          [  OK  ]
> Ignoring broken upstream name server(s): 67.142.173.10 67.142.173.11   [ WARN ]
> Falling back to recursor mode                                          [ WARN ]
> ----------------------------------------------------------
> A couple of simple resolution tests:
>
> # nslookup www.google.com
> Server:         127.0.0.1
> Address:        127.0.0.1#53
>
> ** server can't find www.google.com: SERVFAIL
>
> # host www.google.com
> Host www.google.com not found: 2(SERVFAIL)
> ----------------------------------------------------------
> Export of unbound log (reverse chronological):
>
> IPFire diagnostics
> Section: unbound
> Date: April 02, 2017
>
> 10:48:30 unbound: [3763:1]  info: validation failure self-repair.mozilla.org. AAAA IN
> 10:47:31 unbound: [3763:0]  info: validation failure ns2.cctld.co. AAAA IN
> 10:47:28 unbound: [3763:1]  info: validation failure c.ns.nic.cz. AAAA IN
> 10:47:28 unbound: [3763:1]  info: validation failure a.ns.nic.cz. AAAA IN
> 10:47:28 unbound: [3763:1]  info: validation failure b.ns.nic.cz. AAAA IN
> 10:47:28 unbound: [3763:1]  info: validation failure d.ns.nic.cz. AAAA IN
> 10:47:24 unbound: [3763:0]  info: validation failure ns4.cctld.co. AAAA IN
> 10:47:24 unbound: [3763:0]  info: validation failure ns3.cctld.co. AAAA IN
> 10:47:24 unbound: [3763:0]  info: validation failure ns5.cctld.co. AAAA IN
> 10:47:24 unbound: [3763:0]  info: validation failure ns1.cctld.co. AAAA IN
> 10:47:24 unbound: [3763:0]  info: validation failure ns6.cctld.co. AAAA IN
> 10:47:03 unbound: [3763:0]  info: validation failure ns02.fedoraproject.org. AAAA IN
> 10:47:01 unbound: [3763:0]  info: validation failure ns05.fedoraproject.org. AAAA IN
> 10:46:51 unbound: [3763:1]  info: validation failure ns3.cloudflare.com. AAAA IN
> 10:46:51 unbound: [3763:1]  info: validation failure ns6.cloudflare.com. AAAA IN
> 10:46:50 unbound: [3763:1]  info: validation failure ns7.cloudflare.com. AAAA IN
> 10:46:49 unbound: [3763:0]  info: validation failure fedoraproject.org. AAAA IN
> 10:46:38 unbound: [3763:1]  info: validation failure ns5.cloudflare.com. AAAA IN
> 10:46:38 unbound: [3763:1]  info: validation failure ns4.cloudflare.com. AAAA IN
> 10:44:08 unbound: [3763:0]  info: validation failure www.facebook.com.localdomain. AAAA IN
> 10:43:28 unbound: [3763:0]  info: start of service (unbound 1.6.1).
> 10:43:28 unbound: [3763:0]  notice: init module 1: iterator
> 10:43:28 unbound: [3763:0]  notice: init module 0: validator
> 10:43:26 unbound: [1407:0]  info:   32.000000   64.000000 4
> 10:43:26 unbound: [1407:0]  info:   16.000000   32.000000 5
> 10:43:26 unbound: [1407:0]  info:    8.000000   16.000000 4
> 10:43:26 unbound: [1407:0]  info:    4.000000    8.000000 2
> 10:43:26 unbound: [1407:0]  info:    2.000000    4.000000 3
> 10:43:26 unbound: [1407:0]  info:    0.524288    1.000000 4
> 10:43:26 unbound: [1407:0]  info:    0.262144    0.524288 1
> 10:43:26 unbound: [1407:0]  info:    0.131072    0.262144 1
> 10:43:26 unbound: [1407:0]  info:    0.004096    0.008192 2
> 10:43:26 unbound: [1407:0]  info:    0.000000    0.000001 8
> 10:43:26 unbound: [1407:0]  info: lower(secs) upper(secs) recursions
> 10:43:26 unbound: [1407:0]  info: [25%]=0.00512 median[50%]=2.66667 [75%]=17.6
> 10:43:26 unbound: [1407:0]  info: histogram of recursion processing times
> 10:43:26 unbound: [1407:0]  info: average recursion processing time 10.613770 sec
> 10:43:26 unbound: [1407:0]  info: server stats for thread 1: requestlist max 40 avg 6.79412 exceeded 0 jostled 0
> 10:43:26 unbound: [1407:0]  info: server stats for thread 1: 76 queries, 42 answers from cache, 34 recursions, 0 prefetch, 0 rejected by ip ratelimiting
> 10:43:26 unbound: [1407:0]  info:   32.000000   64.000000 4
> 10:43:26 unbound: [1407:0]  info:   16.000000   32.000000 9
> 10:43:26 unbound: [1407:0]  info:    8.000000   16.000000 6
> 10:43:26 unbound: [1407:0]  info:    4.000000    8.000000 6
> 10:43:26 unbound: [1407:0]  info:    2.000000    4.000000 5
> 10:43:26 unbound: [1407:0]  info:    1.000000    2.000000 3
> 10:43:26 unbound: [1407:0]  info:    0.524288    1.000000 5
> 10:43:26 unbound: [1407:0]  info:    0.262144    0.524288 1
> 10:43:26 unbound: [1407:0]  info:    0.131072    0.262144 6
> 10:43:26 unbound: [1407:0]  info:    0.016384    0.032768 1
> 10:43:26 unbound: [1407:0]  info:    0.000000    0.000001 9
> 10:43:26 unbound: [1407:0]  info: lower(secs) upper(secs) recursions
> 10:43:26 unbound: [1407:0]  info: [25%]=0.212992 median[50%]=3 [75%]=15
> 10:43:26 unbound: [1407:0]  info: histogram of recursion processing times
> 10:43:26 unbound: [1407:0]  info: average recursion processing time 8.866802 sec
> 10:43:26 unbound: [1407:0]  info: server stats for thread 0: requestlist max 63 avg 17.7679 exceeded 0 jostled 0
> 10:43:26 unbound: [1407:0]  info: server stats for thread 0: 83 queries, 28 answers from cache, 55 recursions, 1 prefetch, 0 rejected by ip ratelimiting
> 10:43:26 unbound: [1407:0]  info: service stopped (unbound 1.6.1).
> 10:42:07 unbound: [1407:0]  info: validation failure sfba.sns-pb.isc.org. AAAA IN
> 10:42:03 unbound: [1407:0]  info: validation failure adns3.upenn.edu. AAAA IN
> 10:42:02 unbound: [1407:0]  info: validation failure ord.sns-pb.isc.org. AAAA IN
> 10:42:01 unbound: [1407:0]  info: validation failure ams.sns-pb.isc.org. AAAA IN
> 10:41:57 unbound: [1407:0]  info: validation failure adns2.upenn.edu. AAAA IN
> 10:41:51 unbound: [1407:0]  info: validation failure adns1.upenn.edu. AAAA IN
> 10:41:42 unbound: [1407:0]  info: validation failure ns05.fedoraproject.org. AAAA IN
> 10:41:42 unbound: [1407:0]  info: validation failure ns02.fedoraproject.org. AAAA IN
> 10:41:41 unbound: [1407:1]  info: validation failure ns05.fedoraproject.org. AAAA IN
> 10:41:41 unbound: [1407:1]  info: validation failure ns02.fedoraproject.org. AAAA IN
> 10:41:31 unbound: [1407:0]  info: validation failure fedoraproject.org. AAAA IN
> 10:41:23 unbound: [1407:1]  info: validation failure fedoraproject.org. AAAA IN
> 10:41:19 unbound: [1407:0]  info: validation failure ns3.pch.net. AAAA IN
> 10:41:19 unbound: [1407:0]  info: validation failure anyns.pch.net. AAAA IN
> 10:41:18 unbound: [1407:0]  info: validation failure ns2.pch.net. AAAA IN
> 10:41:04 unbound: [1407:0]  info: validation failure ns5.cloudflare.net. AAAA IN
> 10:41:04 unbound: [1407:0]  info: validation failure ns4.cloudflare.net. AAAA IN
> 10:41:03 unbound: [1407:0]  info: validation failure ns2.cloudflare.net. AAAA IN
> 10:41:03 unbound: [1407:0]  info: validation failure ns3.cloudflare.net. AAAA IN
> 10:41:02 unbound: [1407:0]  info: validation failure ns1.cloudflare.net. AAAA IN
> 10:40:55 unbound: [1407:1]  info: validation failure fireinfo.ipfire.org. AAAA IN
> 10:40:54 unbound: [1407:1]  info: validation failure ns2.lightningwirelabs.com. AAAA IN
> 10:40:54 unbound: [1407:1]  info: validation failure ns1.lightningwirelabs.com. AAAA IN
> 10:40:54 unbound: [1407:1]  info: validation failure ns3.lightningwirelabs.com. AAAA IN
> 10:40:27 unbound: [1407:0]  info: validation failure fireinfo.ipfire.org.localdomain. AAAA IN
> 10:39:36 unbound: [1407:0]  info: start of service (unbound 1.6.1).
> 10:39:36 unbound: [1407:0]  notice: init module 1: iterator
> 10:39:36 unbound: [1407:0]  notice: init module 0: validator
> ----------------------------------------------------------
>
>
> Hope this helps.  Used ISP (HughesNet) DNS servers as provided through
> DHCP on RED.  Ping of 8.8.4.4 was good during the test window.
>
> Best,
> Paul

--===============1813372497157858072==--
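
The fallback order this thread is debugging (upstream forwarders, then recursor mode, then permissive mode), written out as an added example; it is not IPFire's initscript and not code from either poster. The function names, the mode names and the two root DNSKEY replies are constructed assumptions, while the mangled reply is the dig header quoted in the thread.

```shell
# Added illustration; classify_reply, choose_mode and the mode names are
# hypothetical and are not taken from IPFire's unbound initscript.

# Classify the text of a dig reply read on stdin:
#   mangled   - rewritten in transit (trailing bytes or parser errors)
#   dnssec-ok - a DNSKEY record arrives together with its RRSIG
#   no-dnssec - well formed, but the signature data was stripped
classify_reply() {
    reply=$(cat)
    # Resource records are the lines that do not start with ';'.
    records=$(printf '%s\n' "$reply" | grep -v '^;' || true)
    if printf '%s\n' "$reply" | grep -Eq 'extra bytes at end|malformed'; then
        echo mangled
    elif printf '%s\n' "$records" | grep -Eq 'IN[[:space:]]+DNSKEY[[:space:]]' &&
         printf '%s\n' "$records" | grep -Eq 'IN[[:space:]]+RRSIG[[:space:]]+DNSKEY'; then
        echo dnssec-ok
    else
        echo no-dnssec
    fi
}

# $1 = result for the upstream forwarders, $2 = result for a root server.
choose_mode() {
    if [ "$1" = dnssec-ok ]; then
        echo forwarder      # validate through the ISP's name servers
    elif [ "$2" = dnssec-ok ]; then
        echo recursor       # bypass them and validate from the roots
    else
        echo permissive     # no path delivers signatures: do not enforce
    fi
}

# Reply to the root-server query quoted in the thread (header lines only).
sample_mangled() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65258
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: Message has 23 extra bytes at end
;a.root-servers.net. IN AAAA
EOF
}

# Constructed root DNSKEY replies; key and signature data are placeholders.
sample_healthy() { cat <<'EOF'
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
. 172800 IN DNSKEY 257 3 8 PLACEHOLDERKEY
. 172800 IN RRSIG DNSKEY 8 0 172800 PLACEHOLDERSIG
EOF
}
sample_stripped() { sample_healthy | grep -v RRSIG; }

# The reported situation: forwarder and root-server replies both arrive mangled.
up=$(sample_mangled | classify_reply)
root=$(sample_mangled | classify_reply)
echo "mode: $(choose_mode "$up" "$root")"
```

In unbound, `val-permissive-mode: yes` is one setting with the permissive effect: answers that fail validation are still returned to clients instead of SERVFAIL, so resolution works on a link like this one at the cost of DNSSEC's protection against forged answers.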