Private/AzStackHci.DNS.Helpers.ps1
|
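# ////////////////////////////////////////////////////////////////////////////
# Check DNS for a domain name, and return the IP address if found
Function Get-DnsRecord {
    <#
    .SYNOPSIS
        Resolves the Type A record for a name and reports whether the answer is an RFC1918 private address.
    .DESCRIPTION
        Calls Resolve-DnsName (-Type A -DnsOnly) up to $script:DNS_MAX_RETRIES times, sleeping with
        exponential backoff plus jitter after each attempt that throws. When an address is returned and
        -SkipRfc1918Check is not set, the first address is tested with Test-IPv4IsRfc1918 and the result is
        classified against $script:PrivateLinkCriticalEndpoints and $script:PrivateLinkProxyBypassEndpoints.
        Side effects: appends $url to $script:PrivateLinkCriticalArray, $script:PrivateLinkProxyBypassArray
        and $script:PrivateLinkDetectedArray, sets $script:PrivateLinkDetected, and sleeps 10 seconds when a
        critical Arc endpoint resolves to a private address.
    .PARAMETER url
        The DNS name to resolve (1 to 255 characters).
    .PARAMETER SkipRfc1918Check
        When present, the RFC1918 private-address test is skipped.
    .OUTPUTS
        PSObject with DNSExists ([bool]) and IPAddress. IPAddress holds the first address returned, or one of
        the sentinel strings "No Type A record found in DNS" / "DNS name does not exist".
    #>
    param (
        [Parameter(Mandatory=$true)]
        [ValidateLength(1, 255)]
        [string]$url,

        [Parameter(Mandatory=$false)]
        [switch]$SkipRfc1918Check
    )

    begin {
        # Write-Debug "Get-DnsRecord: Beginning DNS lookup process"
        # Initialize variables
        [bool]$dnsExists = $False
    }

    process {
        Write-Debug "Checking to see if $($url) returns an IP address from DNS"
        # Remove variables
        Remove-Variable ipAddress -ErrorAction SilentlyContinue

        # Call Resolve-DnsName with exponential backoff: retry up to $script:DNS_MAX_RETRIES times
        # with increasing delays (base * 1, base * 2, base * 4, ... plus jitter) to avoid flooding
        # DNS on flaky networks.
        For ($i=1; $i -le $script:DNS_MAX_RETRIES; $i++) {
            # Remove variables
            Remove-Variable DNSCheckError -ErrorAction SilentlyContinue
            # Initialize variables
            $DNSCheck = @()

            # Check if the domain name exists in DNS
            if(-not($dnsExists)){
                # Report the configured retry limit rather than a hard-coded "3".
                Write-Debug "DNS attempt $i of $($script:DNS_MAX_RETRIES): Checking DNS server for endpoint '$url'"
                try {
                    # Check if the domain name exists in DNS using Resolve-DnsName.
                    # //// Use "5>$null" to suppress internal tracing messages such as "DEBUG: 72136".
                    $DNSCheck = Resolve-DnsName -Name $url -Type A -DnsOnly -ErrorAction Stop -ErrorVariable DNSCheckError 5>$null

                # /////////////////////
                # Error handling logic
                # /////////////////////
                } catch [System.Management.Automation.CommandNotFoundException] {
                    # Catch if Resolve-DnsName is not found, not expected
                    throw "Resolve-DnsName cmdlet is not available. This module requires Windows 8/Server 2012 or later."
                } catch {
                    # Catch DNS Errors
                    # Check if the error message contains 'DNS name does not exist'
                    if($_.Exception.Message.ToString().Contains('DNS name does not exist')) {
                        Write-Debug "DNS Error for '$url' Exception: $($_.Exception.Message)"
                    } else {
                        # All other DNS errors
                        if($i -eq $script:DNS_MAX_RETRIES){
                            Write-HostAzS "Error: DNS lookup failed for '$url' - Exception Message: $($_.Exception.Message)" -ForegroundColor Red
                        }
                    }

                    # Exponential backoff before next retry: delay = base * 2^(attempt-1) + random jitter
                    if ($i -lt $script:DNS_MAX_RETRIES) {
                        $backoffDelay = $script:DNS_RETRY_BASE_DELAY_SEC * [math]::Pow(2, ($i - 1))
                        $jitter = Get-Random -Minimum 0.0 -Maximum 0.5
                        $totalDelay = [math]::Round($backoffDelay + $jitter, 1)
                        Write-HostAzS "DNS lookup failed for '$url' (attempt $i of $($script:DNS_MAX_RETRIES)), retrying in $($totalDelay)s..." -ForegroundColor Yellow
                        Start-Sleep -Milliseconds (($backoffDelay + $jitter) * 1000)
                    } else {
                        Write-HostAzS "DNS lookup failed for '$url' (attempt $i of $($script:DNS_MAX_RETRIES)), no more retries." -ForegroundColor Red
                    }
                } Finally {
                    # If no DNS errors, set the ipAddress variable to IP address returned from DNS
                    if(-not($DNSCheckError)) {
                        # Keep only the records that actually carry an address. A successful response can
                        # contain records without one (for example a lone SOA or CNAME when the name has no
                        # Type A record); counting those as a hit would report DNSExists = $True with an
                        # empty IPAddress.
                        $resolvedAddresses = @($DNSCheck | Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })

                        if($resolvedAddresses.Count -gt 1){
                            # Use first IP address returned from DNS
                            # NOTE(review): only this first address is returned and later tested against
                            # RFC1918; any further addresses in the answer are not inspected.
                            $ipAddress = $resolvedAddresses[0]
                            Write-Debug "Multiple IP addresses returned from DNS for $url, using first IP from list of addresses: $($DNSCheck.IPAddress)"
                            $dnsExists = $True
                        } elseif($resolvedAddresses.Count -eq 1){
                            # Only one IP address returned from DNS
                            $ipAddress = $resolvedAddresses[0]
                            Write-Debug "Single IP address returned from DNS for $url, $ipAddress"
                            $dnsExists = $True
                        } else {
                            # No IP address returned from DNS, but the lookup itself did not fail
                            $ipAddress = "No Type A record found in DNS"
                            $dnsExists = $False
                        }
                    } else {
                        # DNS Error variable exists: every lookup error is reported with this sentinel,
                        # which the RFC1918 test below recognises and skips.
                        $ipAddress = "DNS name does not exist"
                        $dnsExists = $False
                    }
                } # End of Finally block
            } else {
                # DNS already exists, skip further checks, but will be on second loop
                Write-Debug "IP address found from DNS on attempt $($i -1), skipping further name resolution attempts"
                Break
            }
        } # End of For loop over the retry attempts

        if($dnsExists){
            Write-Verbose "DNS lookup successful for $url, returned IP Address: $ipAddress"
        } else {
            Write-HostAzS "DNS lookup failed for $url" -ForegroundColor Red
            Write-Verbose "DNS lookup failed after $($script:DNS_MAX_RETRIES) attempt(s) for $url - $ipAddress"
        }

        # Test if the IP address is RFC1918 private address
        if(-not($SkipRfc1918Check.IsPresent)){
            # Only test if the SkipRfc1918Check switch is not present
            if($ipAddress -and (-not($ipAddress -in @("No Type A record found in DNS","DNS name does not exist","")))){
                # Check if the IP address is in valid IPv4 format
                if(($IpAddress -match '^(\d{1,3}\.){3}\d{1,3}$')) {
                    # Only test if the IP address is valid
                    Write-Verbose "Testing if returned IP Address '$ipAddress' is an RFC1918 private address"
                    # Check if the IP address is an RFC1918 private address
                    if(Test-IPv4IsRfc1918 -IpAddress $ipAddress){
                        # IP Address is an RFC1918 private address
                        Remove-Variable testUrl -ErrorAction SilentlyContinue
                        # Ensure URL is lowercase for comparison
                        $testUrl = $url.ToLower()

                        # Tier 1: Check if URL matches critical Arc service Private Link endpoints (NOT SUPPORTED)
                        Remove-Variable isUrlArcServicePrivateLink -ErrorAction SilentlyContinue
                        $isUrlArcServicePrivateLink = $script:PrivateLinkCriticalEndpoints | Where-Object { $testUrl -like $_ }

                        # Tier 2: Check if URL matches PaaS services that support Private Link (proxy bypass needed)
                        Remove-Variable isUrlPaaSPrivateLink -ErrorAction SilentlyContinue
                        $isUrlPaaSPrivateLink = $script:PrivateLinkProxyBypassEndpoints | Where-Object { $testUrl -like $_ }

                        if($isUrlArcServicePrivateLink){
                            # Tier 1 — RED: Arc Private Link Scopes NOT supported for Azure Local
                            Write-Debug "URL '$url' matches critical Arc service Private Link endpoint pattern for: '$isUrlArcServicePrivateLink'"
                            Write-HostAzS "CRITICAL: RFC1918 address detected for Arc endpoint '$url'!" -ForegroundColor Red
                            Write-HostAzS "`tArc Private Link Scopes are NOT supported for Azure Local." -ForegroundColor Red
                            Write-HostAzS "`tThis endpoint must resolve to a public IP address. IP returned from DNS: '$ipAddress'" -ForegroundColor Red
                            Write-HostAzS "`tCheck for CNAME Alias in your DNS zones configuration." -ForegroundColor Red
                            Write-HostAzS "`tReference: https://learn.microsoft.com/en-us/azure/azure-local/concepts/firewall-requirements" -ForegroundColor Red
                            Write-HostAzS "Sleeping for 10 seconds..." -ForegroundColor Red
                            Start-Sleep -Seconds 10
                            $script:PrivateLinkCriticalArray += $url
                        } elseif($isUrlPaaSPrivateLink){
                            # Tier 2 — YELLOW: PaaS Private Link supported, but proxy bypass required
                            Write-Debug "URL '$url' matches PaaS Private Link endpoint pattern for: '$isUrlPaaSPrivateLink'"
                            Write-HostAzS "WARNING: RFC1918 address detected for '$url' - Private endpoint in use." -ForegroundColor Yellow
                            Write-HostAzS "`tIP Address returned from DNS: '$ipAddress'" -ForegroundColor Yellow
                            if($script:Proxy.Enabled){
                                Write-HostAzS "`tProxy detected - ensure this FQDN is on the proxy bypass/exception list." -ForegroundColor Yellow
                                Write-HostAzS "`tTraffic to Private Link endpoints must route via ExpressRoute or VPN, not through the proxy." -ForegroundColor Yellow
                            } else {
                                Write-HostAzS "`tEnsure routing is configured to send traffic via ExpressRoute or Site-to-Site VPN." -ForegroundColor Yellow
                            }
                            $script:PrivateLinkProxyBypassArray += $url
                        } else {
                            # Tier 3 — YELLOW: Other RFC1918 address, informational
                            Write-HostAzS "INFO: RFC1918 private address detected for '$url'. IP returned from DNS: '$ipAddress'" -ForegroundColor Yellow
                            Write-HostAzS "`tCheck for CNAME Alias of endpoint in your DNS zones configuration." -ForegroundColor Yellow
                        }

                        # Recorded for every tier, so the detected list is a superset of the two tier lists
                        $script:PrivateLinkDetected = $true
                        $script:PrivateLinkDetectedArray += $url
                    } else {
                        # Do nothing
                        Write-Verbose "Returned IP Address is NOT an RFC1918 private address."
                    }
                } else {
                    Write-Verbose "Returned IP Address '$ipAddress' is not in valid IPv4 format, skipping RFC1918 private address test"
                }
            } else {
                Write-Debug "Not testing if returned IP Address '$ipAddress' is an RFC1918 private address, as it is not a valid IP address"
            }
        } else {
            Write-Debug "SkipRfc1918Check switch present, skipping RFC1918 private address test"
        }
    } # End of process block

    end {
        # Write-Debug "Get-DnsRecord: DNS lookup process completed"
        # Return True/False and IP Address output as a PSObject.
        $DNSReturnVariable = New-Object PsObject -Property @{
            # True/False
            DNSExists = $dnsExists
            # IP Address, or one of the sentinel strings set in the process block
            IPAddress = $ipAddress
        }
        return $DNSReturnVariable
    } # End of end block
} # End of Get-DnsRecord function

# ////////////////////////////////////////////////////////////////////////////
# Function to test if an IP address is in the RFC 1918 private IP range.
# Returns $true if the IP address is in the private range, otherwise returns $false.
Function Test-IPv4IsRfc1918 {
    <#
    .SYNOPSIS
        Returns $true when an IPv4 address lies in 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16.
    .DESCRIPTION
        Only the three RFC 1918 blocks are tested. Other non-public ranges (for example loopback
        127.0.0.0/8, link-local 169.254.0.0/16 or shared address space 100.64.0.0/10) return $false,
        so a $false result does not by itself mean the address is publicly routable.
    .PARAMETER IpAddress
        The address to test. Input that does not render as dotted-quad IPv4 writes an error and
        returns $false.
    .OUTPUTS
        [bool]
    #>
    param (
        [Parameter(Mandatory = $true)]
        [ValidateNotNull()]
        [ipaddress]$IpAddress
    )

    begin {
        # Write-Debug "Test-IPv4IsRfc1918: Beginning RFC1918 private IP address check for '$IpAddress'"
    }

    process {
        $IpAddressString = $IpAddress.ToString()

        # Validate that the address renders as dotted-quad IPv4 (an IPv6 address fails here)
        if (-not ($IpAddressString -match '^(\d{1,3}\.){3}\d{1,3}$')) {
            Write-Error "Invalid IPv4 address format."
            Return $false
        }

        $octets = $IpAddressString.Split('.')
        if ($octets.Count -ne 4) {
            Return $false
        }

        # Convert octets to integers; only the first two are needed for the three range tests
        $o1 = [int]$octets[0]
        $o2 = [int]$octets[1]

        # 10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
        if ($o1 -eq 10) {
            Return $true
        }

        # 172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
        if ($o1 -eq 172 -and $o2 -ge 16 -and $o2 -le 31) {
            Return $true
        }

        # 192.168.0.0/16 (192.168.0.0 - 192.168.255.255)
        if ($o1 -eq 192 -and $o2 -eq 168) {
            Return $true
        }

        # Not in RFC 1918 private IP range
        Return $false
    } # End of process block

    end {
        # Write-Debug "Test-IPv4IsRfc1918: RFC1918 private IP address check completed"
    }
} # End Function Test-IPv4IsRfc1918

# NOTE(review): the Authenticode signature below was computed over the original script text.
# After any edit to this file it no longer validates, so the file must be re-signed before it
# will load under an execution policy that requires a valid signature.
# SIG # Begin signature block
# MIInSAYJKoZIhvcNAQcCoIInOTCCJzUCAQExDzANBglghkgBZQMEAgEFADB5Bgor
# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCD0tVRAY/f03WRf
# +ETjqdoeQqqaDJTf4J3Z++QWJS/zW6CCDLowggX1MIID3aADAgECAhMzAAACHU0Z
# yE7XD1dIAAAAAAIdMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNVBAYTAlVTMR4wHAYD
# VQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBD
#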
b2RlIFNpZ25pbmcgUENBIDIwMjQwHhcNMjYwNDE2MTg1OTQzWhcNMjcwNDE1MTg1 # OTQzWjB0MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE # BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYD # VQQDExVNaWNyb3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IB # DwAwggEKAoIBAQDQvewXxx9gZZFC6Ys1WBay8BJ8kGA4JQnH5CMafqOASlTpK9H8 # o5ZXTXt0caVQTNMUPt445wXYD+dFtaKWTwDn1I52oUSrC9vJin1Gsqt+zyKJL5Dg # 3eQXbQNR61DmMy20GLTIO3SFed9Rfi/ophgCLGFLDR3r0KvHjwMb/jYWS0celV/4 # Lz27LfAekm8v9E5IXaeiXbAUYZKK090n4CVl3JBtbN+9DtI9SNu/yjvozW52/u7R # X/Ttpa/KDlpuokZ+Zcbvmtd9ur9gFLvZzh41o9MsE/clQtdaFWGvuo6Jua/ntpgk # ey3E5/vBFe+MJPG6phdnuo6r57ZudCudiI1bAgMBAAGjggGbMIIBlzAOBgNVHQ8B # Af8EBAMCB4AwHwYDVR0lBBgwFgYKKwYBBAGCN0wIAQYIKwYBBQUHAwMwHQYDVR0O # BBYEFH6QuMwqcPG0hQlQ6c5jCtTTLrVeMEUGA1UdEQQ+MDykOjA4MR4wHAYDVQQL # ExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xFjAUBgNVBAUTDTIzMDAxMis1MDc1NTkw # HwYDVR0jBBgwFoAUf1k/VCHarU/vBeXmo9ctBpQSCDEwYAYDVR0fBFkwVzBVoFOg # UYZPaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jcmwvTWljcm9zb2Z0 # JTIwQ29kZSUyMFNpZ25pbmclMjBQQ0ElMjAyMDI0LmNybDBtBggrBgEFBQcBAQRh # MF8wXQYIKwYBBQUHMAKGUWh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMv # Y2VydHMvTWljcm9zb2Z0JTIwQ29kZSUyMFNpZ25pbmclMjBQQ0ElMjAyMDI0LmNy # dDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQBKTbYOjzwTG/DXGaz9 # s6+fQeaTtDcFmMY+5UyVFCyj7Pv+5i37qfX8lSL/tBIfYQfWsMuBQlfZurJD6r4H # VJ2CeH+1fgiq8dcHdVKoZ3Sa2qXoX3cq9iS8cVb06B7+5/XJ7I0OxHH9fDsvJ3T3 # w5V/ZtAIFmLrl+P0CtG+92uzRsn0nTbdFjOkLMLWPLAU3THohKRlSEMgFJpPkm5n # 5UAZ35xX6FWCrDLsSKb555bTifwa8mJBwdlof0bmfYidH+dxZ1FdDxvLnNl9zeKs # A4kejaaIqqIPguhwAti5Ql7BlTNoJNwxCvBmqW2MQLnCkYN/VVUsR3V2x/rcTNzo # Bf/Z/SpROvdaA2ZOOd1uioXJt3tdLQ7vHpqpib0KfWr/FWXW10q38VxfCnRQBqzb # SuztR7nEMuzX7Ck+B/XaPDXd1qh72+QYyB0Z2VzWmO9zsnb9Uq/dwu8LGeQqnyu6 # 7SDGACvnXii2fb9+US492VTnXSnFKyqwgzUyFMtZK1/sHYTv6bG4TtQUygQxTN+Z # V+aJIlKO2MqZ7bKrAnOzS9m6NgoTdWOq11bTOZwKlIEV/EhV9SWkDmdpR/hPPT2v # 6TEj4F8PT/zHjRezIU5c/DGlt/VhY/pK0XkJtEyMmmS1BMtjU/rqBZVMIm3dnxQs # 
/TBByr+Cf8Z1r7aifQVQ+WSqzjCCBr0wggSloAMCAQICEzMAAAA5O7Y3Gb8GHWcA # AAAAADkwDQYJKoZIhvcNAQEMBQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpX # YXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQg # Q29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBSb290IENlcnRpZmljYXRl # IEF1dGhvcml0eSAyMDExMB4XDTI0MDgwODIwNTQxOFoXDTM2MDMyMjIyMTMwNFow # VzELMAkGA1UEBhMCVVMxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEo # MCYGA1UEAxMfTWljcm9zb2Z0IENvZGUgU2lnbmluZyBQQ0EgMjAyNDCCAiIwDQYJ # KoZIhvcNAQEBBQADggIPADCCAgoCggIBANgBnB7jOMeqlRYHNa265v4IY9fH8TKh # emHfPINe1gpLaV3dhg324WwH06LcHbpnsBukCDNitryo0dtS/EW6I/yEL/bLSY8h # KpbfQuWusBPr9qazYcDxCW/qnjb5JsI1s8bNOg3bVATvQVL4tcf03aTycsz8QeCd # M0l/yHRObJ9QqazM1r6VPEOJ7LL+uEEb73w6QCuhs89a1uv1zerOYMnsneRRwCbp # yW11IcggU0cRKDDq1pjVJzIbIF6+oiXXbReOsgeI8zu1FyQfK0fVkaya8SmVHQ/t # Of23mZ4W9k0Ri22QW9p3UgSC5OUDktKxxcCmGL6tXLfOGSWHIIV4YrTJTT6PNty5 # REojHJuZHArkF9VnHTERWoTjAzfI3kP+5b4alUdhgAZ7ttOu1bVnXfHaqPYl2rPs # 20ji03LOVWsh/radgE17es5hL+t6lV0eVHrVhsssROWJuz2MXMCt7iw7lFPG9LXK # Gjsmonn2gotGdHIuEg5JnJMJVmixd5LRlkmgYRZKzhxSCwyoGIq0PhaA7Y+VPct5 # pCHkijcIIDm0nlkK+0KyepolcqGm0T/GYQRMhHJlGOOmVQop36wUVUYklUy++vDW # eEgEo4s7hxN6mIbf2MSIQ/iIfMZgJxC69oukMUXCrOC3SkE/xIkgpfl22MM1itkZ # 35nNXkMolU1lAgMBAAGjggFOMIIBSjAOBgNVHQ8BAf8EBAMCAYYwEAYJKwYBBAGC # NxUBBAMCAQAwHQYDVR0OBBYEFH9ZP1Qh2q1P7wXl5qPXLQaUEggxMBkGCSsGAQQB # gjcUAgQMHgoAUwB1AGIAQwBBMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU # ci06AjGQQ7kUBU7h6qfHMdEjiTQwWgYDVR0fBFMwUTBPoE2gS4ZJaHR0cDovL2Ny # bC5taWNyb3NvZnQuY29tL3BraS9jcmwvcHJvZHVjdHMvTWljUm9vQ2VyQXV0MjAx # MV8yMDExXzAzXzIyLmNybDBeBggrBgEFBQcBAQRSMFAwTgYIKwYBBQUHMAKGQmh0 # dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kvY2VydHMvTWljUm9vQ2VyQXV0MjAx # MV8yMDExXzAzXzIyLmNydDANBgkqhkiG9w0BAQwFAAOCAgEAFJQfOChP7onn6fLI # MKrSlN1WYKwDFgAddymOUO3FrM8d7B/W/iQ6DxXsDn7D5W4wMwYeLystcEqfkjz4 # NURRgazyMu5yRzQh4LqjA4tStTcJh1opExo7nn5PuPBYnbu0+THSuVHTe0VTTPVh # ily/piFrDo3axQ9P4C+Ol5yet+2gTfekICS5xS+cYfSIvgn0JksVBVMYVI5QFu/q # 
hnLhsEFEUzG8fvv0hjgkO+lkpV9ty6GkN4vdnd7ya6Q6aR9y34aiM1qmxaxBi6OU # nyNl6fkuun/diTFnYDLTppOkr/mg5WSfCiDVMNCxtj4wPKC5OmHm1DQIt/MNokbb # H3UGsFP1QbzsLocuSqLCvH09Io3fDPTmscR9Y75G4qX7RTX8AdBPo0I6OEojf39z # uFZt0qOHm65YWQE69cZM2ueE1MB05dNNgHK9gTE7zKvK/fg8B2qjW88MT/WF5V5u # vZGtqa9FSL2RazArA+rDPuf6JGYz4HpgMZHB4S6szWSKYBv0VisCzfxgeU+dquXW # 9bd0auYlOB58DPcOYKdc3Se94g+xL4pcEhbB54JOgAkwYTu/9dLeH2pDqeJZAABV # DWRQCaXfO5LgyKwKCLYXpigrZYCjUSBcr+Ve8PFWMhVTQl0v4q8J/AUmQN5W4n10 # 1cY2L4A7GTQG1h32HHAvfQESWP0xghnkMIIZ4AIBATBuMFcxCzAJBgNVBAYTAlVT # MR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jv # c29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMjQCEzMAAAIdTRnITtcPV0gAAAAAAh0w # DQYJYIZIAWUDBAIBBQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYK # KwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEIJs9pq34 # RWUkjdK0gBxye4R2NddEnSi3TLj7IAYqjfBHMEIGCisGAQQBgjcCAQwxNDAyoBSA # EgBNAGkAYwByAG8AcwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20w # DQYJKoZIhvcNAQEBBQAEggEApOYm7d/ZAs5mEgQKdYAksyOOI3MRh+eWGd7Z48MS # bn27nW4sAWJSp1SFoTj2n0rNQazCuVRGaHCPonFSdN2kqnggDHE/75oLRpySWo95 # VaLSYumsWG1FEJulKTGqKGvH3q9syS5bFxrQXoTj+YGW7T22YjGgtz+7oju/UZvj # dmdtTnMww0p7UczsZ6rTXB5xfQuGwuANrbz0p+Uh4udPkVZKSwFN0HuFmf3GtDMp # SJAgM9cSmBfE1SKufYY+uiuDeD+MBRR5l9h58uG9tddNIiFURO6rnFIBtHAAp0fL # MJoHIPVE1ZrZgoc90OL3gDhA7NFQP7qtkFVTbis/LuysRqGCF5YwgheSBgorBgEE # AYI3AwMBMYIXgjCCF34GCSqGSIb3DQEHAqCCF28wghdrAgEDMQ8wDQYJYIZIAWUD # BAIBBQAwggFRBgsqhkiG9w0BCRABBKCCAUAEggE8MIIBOAIBAQYKKwYBBAGEWQoD # ATAxMA0GCWCGSAFlAwQCAQUABCDS18WtXu4tuo+f4sdzzLlVifScCwqYRqlIKbfm # R/IVGgIGaeeMXoQWGBIyMDI2MDQyODIxNTI1Mi41NlowBIACAfSggdGkgc4wgcsx # CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt # b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJTAjBgNVBAsTHE1p # Y3Jvc29mdCBBbWVyaWNhIE9wZXJhdGlvbnMxJzAlBgNVBAsTHm5TaGllbGQgVFNT # IEVTTjpEQzAwLTA1RTAtRDk0NzElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3Rh # bXAgU2VydmljZaCCEe0wggcgMIIFCKADAgECAhMzAAACJDuEIbAsrGQiAAEAAAIk # 
MA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5n # dG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9y # YXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwMB4X # DTI2MDIxOTE5Mzk1OVoXDTI3MDUxNzE5Mzk1OVowgcsxCzAJBgNVBAYTAlVTMRMw # EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN # aWNyb3NvZnQgQ29ycG9yYXRpb24xJTAjBgNVBAsTHE1pY3Jvc29mdCBBbWVyaWNh # IE9wZXJhdGlvbnMxJzAlBgNVBAsTHm5TaGllbGQgVFNTIEVTTjpEQzAwLTA1RTAt # RDk0NzElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2VydmljZTCCAiIw # DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKPpbdRpDZmviE29LLuPtQw8VXKz # toTEYH4kXDKTPNeDeNrJib2A4tcnu02FTZ6aGstAI5lyAu/PoWSqaCHNDHOaSAq0 # tiIpoTOGiA79x7SVOF0s11W0zBA5iCj5e1cBlxWIFfgtweTfxG6xmIXvDFJrm38v # GJzTj5n+GXLWAlCkh4UOqnhr0+4u3yux8fTm9b2lT26uIZ0PF8lef+Vzj0LFteoD # cRfXsvbhtzq36YW48MAkoqlqLddeoXacmWlM992sDb2xZNI0qKD0K0ELm3NCPR+V # uxr/jCo7275GS7CllvdvuqdbkV0WsNHW9CZd+OXJQ/1k7fzzf03BK6Ie2+wUI2RM # 0hfw4vldWrWewrK7/8Z4hn1i7Gx8sF52obTbg8MRHKsCzSm99RY4tqlVBqMc+gKe # 41Iq9sSHuzkhDRiC6kaOL4fusgPHb+YgQj7pDxbAG2TdjHKGOPQZfD3T2LQSRORX # LL7XIAOPBILxvDaozj4xziHLK2VnNJzQg9QGrVgadjAKMjBrn+UxbSkWf8ekl0Hp # d4y5O1hM6lo+ijrgWNCvItdaN3ii+nDmU7Dtf6/cT2TA31UEL7AkRIEQILWBkwJL # lNpXB8TXDimdddvWpP1uOBGw+Dh2SWu5RN2if/dI23RrRDk1zZSX6syVDFeg/2Kx # fAw2co7kkmSpENFVAgMBAAGjggFJMIIBRTAdBgNVHQ4EFgQUcx+RfW7/MksIx7SC # piK3HW0Ad6gwHwYDVR0jBBgwFoAUn6cVXQBeYl2D9OXSZacbUzUZ6XIwXwYDVR0f # BFgwVjBUoFKgUIZOaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jcmwv # TWljcm9zb2Z0JTIwVGltZS1TdGFtcCUyMFBDQSUyMDIwMTAoMSkuY3JsMGwGCCsG # AQUFBwEBBGAwXjBcBggrBgEFBQcwAoZQaHR0cDovL3d3dy5taWNyb3NvZnQuY29t # L3BraW9wcy9jZXJ0cy9NaWNyb3NvZnQlMjBUaW1lLVN0YW1wJTIwUENBJTIwMjAx # MCgxKS5jcnQwDAYDVR0TAQH/BAIwADAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDAO # BgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggIBAD7AdJuaEikzwJFVni2T # rbiFD4t1lcTiqh5C6LvsJ41reOrUU7OLsxEqSSjp2IQMdc81a8BqDFqy0J7A/Obl # MI2HWzioIeHhHYb+vjzBT8ylzrz9YOYnLkIhCf8XCmzWxs1QS7sHODTTipQshUn3 # 
reOj9qbjHAqDCH69JUvv92Gx9Pt2+GlF11tgtBMdmDC40HpCFwQSyCiAtXA1GPft # URZkOLCgx3HILthitC7owJW2LMec62RJfsWoiiLqOVx+p+jrX24Mf2vyTaoA4cJ4 # QCopcrKYhcMxwYaUR0MVtiINmA8IEzQgeAB6KVRKifTvCMe7R7SywGa0Fp89vgZ3 # 7kW5GdYbdcZ73U0KksqqYVr/gaRXP04zNlSDyhzPEL/glPcd/jkkS2zNOhfA2yRX # ck0Jy7Ygi2vpIkeaLcQNUAMNFI2F3MVGliamUYSU+XkZGg+0mIMS9Ehu/kwUojDb # H2Cd6F/ki8GMLhmQGD7gZOmoYTeaafMXech6Q6Rfi6DT/SY3YJJquG5KL02Ycg6l # Q3Z5AdS2BNv/4aaruCS0IzAir8k4JgiJNiqm/WhuMAYp1Yw8KuVLI0CzSNljOSFr # nfnXnw0zH7AEa+x8WhWwIwbk5ynq9boJfK5ZFtRWoxTU6tBsd93LMmluEkLU9sBk # jIkJs35UGANMDNMpjzDghJLBMIIHcTCCBVmgAwIBAgITMwAAABXF52ueAptJmQAA # AAAAFTANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldh # c2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBD # b3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUg # QXV0aG9yaXR5IDIwMTAwHhcNMjEwOTMwMTgyMjI1WhcNMzAwOTMwMTgzMjI1WjB8 # MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVk # bW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1N # aWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDCCAiIwDQYJKoZIhvcNAQEBBQAD # ggIPADCCAgoCggIBAOThpkzntHIhC3miy9ckeb0O1YLT/e6cBwfSqWxOdcjKNVf2 # AX9sSuDivbk+F2Az/1xPx2b3lVNxWuJ+Slr+uDZnhUYjDLWNE893MsAQGOhgfWpS # g0S3po5GawcU88V29YZQ3MFEyHFcUTE3oAo4bo3t1w/YJlN8OWECesSq/XJprx2r # rPY2vjUmZNqYO7oaezOtgFt+jBAcnVL+tuhiJdxqD89d9P6OU8/W7IVWTe/dvI2k # 45GPsjksUZzpcGkNyjYtcI4xyDUoveO0hyTD4MmPfrVUj9z6BVWYbWg7mka97aSu # eik3rMvrg0XnRm7KMtXAhjBcTyziYrLNueKNiOSWrAFKu75xqRdbZ2De+JKRHh09 # /SDPc31BmkZ1zcRfNN0Sidb9pSB9fvzZnkXftnIv231fgLrbqn427DZM9ituqBJR # 6L8FA6PRc6ZNN3SUHDSCD/AQ8rdHGO2n6Jl8P0zbr17C89XYcz1DTsEzOUyOArxC # aC4Q6oRRRuLRvWoYWmEBc8pnol7XKHYC4jMYctenIPDC+hIK12NvDMk2ZItboKaD # IV1fMHSRlJTYuVD5C4lh8zYGNRiER9vcG9H9stQcxWv2XFJRXRLbJbqvUAV6bMUR # HXLvjflSxIUXk8A8FdsaN8cIFRg/eKtFtvUeh17aj54WcmnGrnu3tz5q4i6tAgMB # AAGjggHdMIIB2TASBgkrBgEEAYI3FQEEBQIDAQABMCMGCSsGAQQBgjcVAgQWBBQq # p1L+ZMSavoKRPEY1Kc8Q/y8E7jAdBgNVHQ4EFgQUn6cVXQBeYl2D9OXSZacbUzUZ # 
6XIwXAYDVR0gBFUwUzBRBgwrBgEEAYI3TIN9AQEwQTA/BggrBgEFBQcCARYzaHR0 # cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9Eb2NzL1JlcG9zaXRvcnkuaHRt # MBMGA1UdJQQMMAoGCCsGAQUFBwMIMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBB # MAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNX2VsuP # 6KJcYmjRPZSQW9fOmhjEMFYGA1UdHwRPME0wS6BJoEeGRWh0dHA6Ly9jcmwubWlj # cm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dF8yMDEwLTA2 # LTIzLmNybDBaBggrBgEFBQcBAQROMEwwSgYIKwYBBQUHMAKGPmh0dHA6Ly93d3cu # bWljcm9zb2Z0LmNvbS9wa2kvY2VydHMvTWljUm9vQ2VyQXV0XzIwMTAtMDYtMjMu # Y3J0MA0GCSqGSIb3DQEBCwUAA4ICAQCdVX38Kq3hLB9nATEkW+Geckv8qW/qXBS2 # Pk5HZHixBpOXPTEztTnXwnE2P9pkbHzQdTltuw8x5MKP+2zRoZQYIu7pZmc6U03d # mLq2HnjYNi6cqYJWAAOwBb6J6Gngugnue99qb74py27YP0h1AdkY3m2CDPVtI1Tk # eFN1JFe53Z/zjj3G82jfZfakVqr3lbYoVSfQJL1AoL8ZthISEV09J+BAljis9/kp # icO8F7BUhUKz/AyeixmJ5/ALaoHCgRlCGVJ1ijbCHcNhcy4sa3tuPywJeBTpkbKp # W99Jo3QMvOyRgNI95ko+ZjtPu4b6MhrZlvSP9pEB9s7GdP32THJvEKt1MMU0sHrY # UP4KWN1APMdUbZ1jdEgssU5HLcEUBHG/ZPkkvnNtyo4JvbMBV0lUZNlz138eW0QB # jloZkWsNn6Qo3GcZKCS6OEuabvshVGtqRRFHqfG3rsjoiV5PndLQTHa1V1QJsWkB # RH58oWFsc/4Ku+xBZj1p/cvBQUl+fpO+y/g75LcVv7TOPqUxUYS8vwLBgqJ7Fx0V # iY1w/ue10CgaiQuPNtq6TPmb/wrpNPgkNWcr4A245oyZ1uEi6vAnQj0llOZ0dFtq # 0Z4+7X6gMTN9vMvpe784cETRkPHIqzqKOghif9lwY1NNje6CbaUFEMFxBmoQtB1V # M1izoXBm8qGCA1AwggI4AgEBMIH5oYHRpIHOMIHLMQswCQYDVQQGEwJVUzETMBEG # A1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWlj # cm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQLExxNaWNyb3NvZnQgQW1lcmljYSBP # cGVyYXRpb25zMScwJQYDVQQLEx5uU2hpZWxkIFRTUyBFU046REMwMC0wNUUwLUQ5 # NDcxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2WiIwoBATAH # BgUrDgMCGgMVAKYI8duax4BJ97/9sa1f15Ab7T7joIGDMIGApH4wfDELMAkGA1UE # BhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAc # BgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0 # IFRpbWUtU3RhbXAgUENBIDIwMTAwDQYJKoZIhvcNAQELBQACBQDtm0Q8MCIYDzIw # MjYwNDI4MTQzNTQwWhgPMjAyNjA0MjkxNDM1NDBaMHcwPQYKKwYBBAGEWQoEATEv # 
MC0wCgIFAO2bRDwCAQAwCgIBAAICBgECAf8wBwIBAAICEicwCgIFAO2clbwCAQAw # NgYKKwYBBAGEWQoEAjEoMCYwDAYKKwYBBAGEWQoDAqAKMAgCAQACAwehIKEKMAgC # AQACAwGGoDANBgkqhkiG9w0BAQsFAAOCAQEAX0z1xT+eXy5kdaxUsHmnXRyJj7ZX # phafGWlMbMbiIczXJBp19k7CKLvRmoPUYG+j+nV9tHquCqf1G88e2V6z4Nnpbskv # c3AEQ0i2hRaOqiyeoOcwHyEb6jU40do+xdUrJU/GWQNWYd08+On6IGxVI1qaD4my # 4ytmww60h21yymZCgmCCRDdxRPoU2+uoopXWC4i90NAcC+8LHnupAM+TrrkQcLa4 # x13wvajTG69ll1DH2ileLytiCXsGftu2dHrM3MPxWMiQLdOrbmr2ybb3WHO9r4I9 # BkgRLtm+evDQua5/f8NLN+IhTuvyf/MxPB+ZvEYRUF1o1i7yUSfVfq7XiTGCBA0w # ggQJAgEBMIGTMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAw # DgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24x # JjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAACJDuE # IbAsrGQiAAEAAAIkMA0GCWCGSAFlAwQCAQUAoIIBSjAaBgkqhkiG9w0BCQMxDQYL # KoZIhvcNAQkQAQQwLwYJKoZIhvcNAQkEMSIEIBpOYiu56gsIH/2Nv9ZqwMlayRrk # MNcXQf+CCaz0exZVMIH6BgsqhkiG9w0BCRACLzGB6jCB5zCB5DCBvQQgSCE9N2qb # 91HJnQFzNdx2WhUSogJ1yalU1sf0IRXNZI4wgZgwgYCkfjB8MQswCQYDVQQGEwJV # UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE # ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGlt # ZS1TdGFtcCBQQ0EgMjAxMAITMwAAAiQ7hCGwLKxkIgABAAACJDAiBCB3H0Ouj1Nt # /mZFfttHjTw8/Ql5hmeW050BE/7haI6R1DANBgkqhkiG9w0BAQsFAASCAgCUvl8B # JQpIZDJYmxeRIHPmDlIzkXJYfUWuH9YGYbUP8Xl9HNEBMcU3VWUl/0L9FKBOlOIL # 8LTSvmFE8oVCbHClgHsAOPqhZ/8/tuDU/6pwg7kiV2KTQDgtQAIPmqSPQcCUS2// # 0IgboyUShwLoaDuE7yW2diJvcQyPKS9aQ/7TazTPgBakzE4efgPcR7ZIbyZQCOIx # ShFN4R5h1ZPEz0+w7PudOEvi0LgCSoS9+cDXv3DeGTLq0bQLlQ5HpTlR1JAM+bRf # rME9yI8eA5CaGCyHLfkpzj8cAJqurzV1To4+4JmshMZQAtVa/Ep6lvNbryxVPzWb # CgTijZFV+E5vQHgdOYHyDd/92UvKD3e1e4tVvO/cewsYVon1oT99TgNDRP2EK/H5 # TMX/BPNsldJWxKQzebVTmoMQYK9moA4amAZ7f53gnadSxd+X6ZMhijtN5iDNUlBA # vvs3K/tJ669+VQS88FLr/o6YEJZzXR61Gp2G3hJWJoxsTz0AMywry1IhiuLd2XfR # IhF7UeQci3DPT2wFaUfl4Ca1fLuOWuYZLmb12yg+XVxiKb8NMnqSTiLD3rViSc+p # X/smbD2tnmKdjjiLUhS3R4uoqsIFlvbEFxp2ax68zl3ym7u/hwVGhylxJOJ+eblE # DNrjMwjzxKBLaix1eWGb5Uvtn9ZuD+n2f3JHGg== # SIG # End 
signature block |