From mje@posix.co.za Thu Nov 9 23:59:59 2023 Return-Path: X-Original-To: v6ops@ietfa.amsl.com Delivered-To: v6ops@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27D85C17C8A8 for ; Thu, 9 Nov 2023 23:59:59 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.198 X-Spam-Level: X-Spam-Status: No, score=-2.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.091, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=posix.co.za Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kLdaMwTiMHKL for ; Thu, 9 Nov 2023 23:59:53 -0800 (PST) Received: from relay.vweb.co.za (relay.vweb.co.za [IPv6:2001:42a0::73]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10016C17C534 for ; Thu, 9 Nov 2023 23:59:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=posix.co.za ; s=2311; h=Content-Type:In-Reply-To:MIME-Version:Date:Message-ID:From: References:To:Subject:Reply-To:Sender:Cc:Content-Transfer-Encoding:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe :List-Post:List-Owner:List-Archive; bh=Q9ZeJ/q4QH/ZzGxK6KLWBEFG4da+JLrLzQnW/+Eh3Tk=; b=n9hLGW8Zc21DSb+2QMM9P7YB3S fj0OPPhVTzwcxRzBeTJpUGgK7bfalP07Ap4GBojSGTNLzEiABUfWXjoU7U6h58/EYxIfud+SIYvry n3GsqZWoV4RBzQRFCYR3SQUx78380UqynQFMW1YdGwBinFJKnPU9nMapdcZ86x7mPbik=; Received: from [165.255.87.210] (port=52422 helo=[160.124.48.9]) by relay.vweb.co.za with esmtpsa (TLS1.3) tls TLS_AES_128_GCM_SHA256 (Exim 4.96.2) (envelope-from ) id 1r1MQc-001QTG-1V for v6ops@ietf.org; Fri, 10 Nov 2023 09:59:46 +0200 Reply-To: mje@posix.co.za To: v6ops@ietf.org References: <2147103.zmpluvigLD@asclepius.adm.tul.cz> From: Mark Elkins Organization: Posix Systems Message-ID: Date: Fri, 10 Nov 2023 09:59:15 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0 MIME-Version: 1.0 In-Reply-To: <2147103.zmpluvigLD@asclepius.adm.tul.cz> Content-Type: multipart/alternative; boundary="------------368AB5462CB93339D0B2984E" Content-Language: en-GB Archived-At: Subject: Re: [v6ops] New draft at dnsop a bis for DNS IPv6 Transport Operational Guidelines X-BeenThere: v6ops@ietf.org X-Mailman-Version: 2.1.39 Precedence: list List-Id: v6ops discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Nov 2023 07:59:59 -0000 This is a multi-part message in MIME format. --------------368AB5462CB93339D0B2984E Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Interesting. I administer the EDU.ZA zone. I'm using Algo 13 and some EDU.ZA Nameservers have IPv6 addresses. Looking at Geoff's paper - he gives one particular example.... dig +dnssec DNSKEY org That currently gives me 923 bytes in reply. Checking EDU.ZA - I get either 427 or 399 bytes - depending on whom I ask (with @+ipv6_address) (Warm fuzzy feeling) Some years ago, EDU.ZA with Algo 8 was being used as part of a DDOS Amplification attack - so I moved to Algo 13 On 2023/11/10 01:15, Martin Huněk wrote: > Hi, > > The presented data are somehow disturbing. Could it dependent on the DNSSEC algo used by the authoritative server? We can see the shift from algo 8 to algo 13 which produces smaller replies ... > > However, without the IPv6 address on at least one authoritative server, the domain would not be reachable/visible for the IPv6-only network. What is better? > > Regards, > Martin > > Dne čtvrtek 9. listopadu 2023 20:11:31 CET, Nick Buraglio napsal(a): >> On Thu, Nov 9, 2023 at 10:50 AM Geoff Huston wrote: >> >>> The issue of the way that IPv6 handles fragmentation, the use of DNS over >>> UDP and the use of DNSSEC which creates large responses conspire together >>> to make the recommendation in this draft, namely that "Every >>> authoritative DNS zone SHOULD be served by at least one IPv6-reachable >>> authoritative name server” questionable. >>> >>> In fact I would say that such a SHOULD is operationally highly unwise. In >>> a 2020 measurement study (https://www.potaroo.net/ispcol/2020-07/dns6.html) >>> we had the following result: >>> >>> "In a measurement performed at the end of April 2020 we performed this >>> experiment some 27M times and observed that in 11M cases the client’s DNS >>> systems did not receive a response. That's a failure rate of 41%. … . How >>> well does IPv6 support large DNS responses? Not well at all, with a failure >>> rate of 41% of user experiments.” >>> >> Ooof. That's a harsh number. I am glad you have these measurements and that >> they're freely available. >> >> >>> So trying to shift the DNS to use an IPv6 substrate is at best foolhardy >>> at this point in time. I wish that folk would actually conduct careful >>> measurements, look at behaviours and understand how the protocols interact >>> with the network before proposing broad mandates that every server SHOULD >>> use IPv6. We just look silly and irresponsible when we propose such actions >>> when the measured reality says something completely different. >>> >> Based on your measurements, which are really comprehensive and quite fun to >> read, BTW, it looks like the percentage has jumped by about 10 points since >> then (great to see!). How hard is it to run that experiment again? I >> hadn't considered DNSSEC and fragmentation in my thoughts, but it doesn't >> feel like a totally unsolvable problem. Although admittedly my DNS running >> days are a few years behind me. >> Definitely out of scope for this particular draft, but >> >> *If the response is larger than this size, the DNS response packet is >> truncated such that it is no larger than 512 octets, and the truncation bit >> is set in the response to flag the fact that the response has been >> truncated. A DNS resolver should treat this truncation bit as a signal to >> re-query the server using TCP, so that the larger response can be handled >> by TCP.* >> >> Seems like a not-really-implemented solution, since a requery over TCP >> would solve that problem, yeah? Or would that introduce enough latency to >> appear "slow"? Thinking back to my recursive DNS logs from a while ago, I >> do seem to remember seeing some large packet errors. These caching >> recursive resolvers are upstreamed to only IPv6 systems, and definitely >> have DNSSEC enabled. I'll dig and see if I can find the logs. >> >> If this is potentially detrimental, the real question is how do we get from >> here to there? >> >> >>> On 9 Nov 2023, at 3:04 pm, Nick Buraglio >>> wrote: >>> >>> Thanks for writing this, I found it to be well written and clear. I agree >>> and support this, "promoting" IPv6 to the same level as legacy IP is >>> probably a bit overdue in some guidance documents, and this is an important >>> one to address. >>> One off-the-cuff thought, take it or leave it: >>> It is briefly mentioned it in the draft, but I would emphasize the >>> transition technologies and the part they play in masking problems. This is >>> becoming more and more exposed as we start stripping away IPv4 and exposing >>> where those tools are hiding gaps in plain sight. This is not likely to >>> change, especially as we get further down the transition path, but the more >>> of those gaps we can fill with simple things like dual stacking a resolver >>> the less technical debt we have to dig out of later. And, as we all >>> probably know, when DNS is broken or slow, it looks like the network is >>> broken or slow, which often leads to things like "IPv6 is breaking the >>> network, turn it off" and we definitely do not want that. >>> >>> Thanks, >>> >>> nb >>> >>> >>> >>> >>> On Thu, Nov 9, 2023 at 7:28 AM Momoka Yamamoto >>> wrote: >>> >>>> Hi, >>>> >>>> I've submitted a draft to the dnsop wg >>>> DNS IPv6 Transport Operational Guidelines >>>> draft-momoka-dnsop-3901bis >>>> https://datatracker.ietf.org/doc/draft-momoka-dnsop-3901bis/ >>>> >>>> It has been 20 years since this RFC was published and I think it is time >>>> for an update to have IPv6 to a SHOULD for DNS servers. >>>> >>>> I will be presenting this draft tomorrow morning at dnsop wg so I would >>>> be very grateful if you could give me feedback on this draft. >>>> >>>> Best, >>>> >>>> Momoka >>>> _______________________________________________ >>>> v6ops mailing list >>>> v6ops@ietf.org >>>> https://www.ietf.org/mailman/listinfo/v6ops >>>> >>> _______________________________________________ >>> v6ops mailing list >>> v6ops@ietf.org >>> https://www.ietf.org/mailman/listinfo/v6ops >>> >>> >>> > > _______________________________________________ > v6ops mailing list > v6ops@ietf.org > https://www.ietf.org/mailman/listinfo/v6ops -- Mark James ELKINS  -  Posix Systems - (South) Africa mje@posix.co.za       Tel: +27.826010496 For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za Posix SystemsVCARD for MJ Elkins --------------368AB5462CB93339D0B2984E Content-Type: multipart/related; boundary="------------6FB1DC3978D8EF45DFD4CDC6" --------------6FB1DC3978D8EF45DFD4CDC6 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 8bit

Interesting. I administer the EDU.ZA zone. I'm using Algo 13 and some EDU.ZA Nameservers have IPv6 addresses.
Looking at Geoff's paper - he gives one particular example....    dig +dnssec DNSKEY org
That currently gives me 923 bytes in reply.

Checking EDU.ZA - I get either 427 or 399 bytes - depending on whom I ask (with @+ipv6_address)

(Warm fuzzy feeling)

Some years ago, EDU.ZA with Algo 8 was being used as part of a DDOS Amplification attack - so I moved to Algo 13

On 2023/11/10 01:15, Martin Huněk wrote:
Hi,

The presented data are somehow disturbing. Could it dependent on the DNSSEC algo used by the authoritative server? We can see the shift from algo 8 to algo 13 which produces smaller replies ...

However, without the IPv6 address on at least one authoritative server, the domain would not be reachable/visible for the IPv6-only network. What is better?

Regards,
Martin

Dne čtvrtek 9. listopadu 2023 20:11:31 CET, Nick Buraglio napsal(a):

On Thu, Nov 9, 2023 at 10:50 AM Geoff Huston <gih@apnic.net> wrote:


The issue of the way that IPv6 handles fragmentation, the use of DNS over
UDP and the use of DNSSEC which creates large responses conspire together
to make the recommendation in this draft, namely that "Every
authoritative DNS zone SHOULD be served by at least one IPv6-reachable
authoritative name server” questionable.

In fact I would say that such a SHOULD is operationally highly unwise. In
a 2020 measurement study (https://www.potaroo.net/ispcol/2020-07/dns6.html)
we had the following result:

"In a measurement performed at the end of April 2020 we performed this
experiment some 27M times and observed that in 11M cases the client’s DNS
systems did not receive a response. That's a failure rate of 41%. … . How
well does IPv6 support large DNS responses? Not well at all, with a failure
rate of 41% of user experiments.”


Ooof. That's a harsh number. I am glad you have these measurements and that
they're freely available.



So trying to shift the DNS to use an IPv6 substrate is at best foolhardy
at this point in time. I wish that folk would actually conduct careful
measurements, look at behaviours and understand how the protocols interact
with the network before proposing broad mandates that every server SHOULD
use IPv6. We just look silly and irresponsible when we propose such actions
when the measured reality says something completely different.


Based on your measurements, which are really comprehensive and quite fun to
read, BTW, it looks like the percentage has jumped by about 10 points since
then (great to see!). How hard is it to run that experiment again?  I
hadn't considered DNSSEC and fragmentation in my thoughts, but it doesn't
feel like a totally unsolvable problem.  Although admittedly my DNS running
days are a few years behind me.
Definitely out of scope for this particular draft, but

*If the response is larger than this size, the DNS response packet is
truncated such that it is no larger than 512 octets, and the truncation bit
is set in the response to flag the fact that the response has been
truncated. A DNS resolver should treat this truncation bit as a signal to
re-query the server using TCP, so that the larger response can be handled
by TCP.*

Seems like a not-really-implemented solution, since a requery over TCP
would solve that problem, yeah? Or would that introduce enough latency to
appear "slow"? Thinking back to my recursive DNS logs from a while ago, I
do seem to remember seeing some large packet errors. These caching
recursive resolvers are upstreamed to only IPv6 systems, and definitely
have DNSSEC enabled. I'll dig and see if I can find the logs.

If this is potentially detrimental, the real question is how do we get from
here to there?



On 9 Nov 2023, at 3:04 pm, Nick Buraglio <buraglio@forwardingplane.net>
wrote:

Thanks for writing this, I found it to be well written and clear. I agree
and support this, "promoting" IPv6 to the same level as legacy IP is
probably a bit overdue in some guidance documents, and this is an important
one to address.
One off-the-cuff thought, take it or leave it:
It is briefly mentioned it in the draft, but I would emphasize the
transition technologies and the part they play in masking problems. This is
becoming more and more exposed as we start stripping away IPv4 and exposing
where those tools are hiding gaps in plain sight. This is not likely to
change, especially as we get further down the transition path, but the more
of those gaps we can fill with simple things like dual stacking a resolver
the less technical debt we have to dig out of later. And, as we all
probably know, when DNS is broken or slow, it looks like the network is
broken or slow, which often leads to things like "IPv6 is breaking the
network, turn it off" and we definitely do not want that.

Thanks,

nb




On Thu, Nov 9, 2023 at 7:28 AM Momoka Yamamoto <momoka.my6@gmail.com>
wrote:


Hi,

I've submitted a draft to the dnsop wg
DNS IPv6 Transport Operational Guidelines
draft-momoka-dnsop-3901bis
https://datatracker.ietf.org/doc/draft-momoka-dnsop-3901bis/

It has been 20 years since this RFC was published and I think it is time
for an update to have IPv6 to a SHOULD for DNS servers.

I will be presenting this draft tomorrow morning at dnsop wg so I would
be very grateful if you could give me feedback on this draft.

Best,

Momoka
_______________________________________________
v6ops mailing list
v6ops@ietf.org
https://www.ietf.org/mailman/listinfo/v6ops


_______________________________________________
v6ops mailing list
v6ops@ietf.org
https://www.ietf.org/mailman/listinfo/v6ops





      

      

      

      

      
_______________________________________________
v6ops mailing list
v6ops@ietf.org
https://www.ietf.org/mailman/listinfo/v6ops


    

    
-- 

      
      
      
Mark James ELKINS  -  Posix Systems - (South) Africa

        mje@posix.co.za       Tel: +27.826010496

        For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za

        

        Posix
          SystemsVCARD for
          MJ Elkins

      

    

  


--------------6FB1DC3978D8EF45DFD4CDC6
Content-Type: image/jpeg;
 name="abessive_logo.jpg"
Content-Transfer-Encoding: base64
Content-ID: 
Content-Disposition: inline;
 filename="abessive_logo.jpg"

/9j/4AAQSkZJRgABAQEAWQBUAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRof
Hh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwh
MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAAR
CAClAPoDASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAA
AgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkK
FhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWG
h4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl
5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREA
AgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYk
NOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOE
hYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk
5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwD3+iiigAooooAKKKKACiiigAooooAKKKhk
ureL/WTRr9WAoAmoqi2sWCf8vAJ/2QTTf7Ytz9yOd/8AdjNAGhRWf/ao7WV4f+2X/wBek/tU
/wDPhef9+/8A69AGjRWd/ayj71pdr9YqX+2rMffMif70ZoA0KKppqli/S5T/AIEcfzqykscg
yjqw/wBk5oAfRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFVbq/gtcK7ZkPRFG
WP4UAWqimuYbdd00qoPc1SzqN50xaRH15c/4VLDpdtE29lMsnd5TuNAEf9qGbi0tpZ/9rG1f
zNGzVJ/vSw26+iLuP61oDA4FI8iRqWdgqjqSaTaSuwKH9kpJzcXNxN7M+B+VTR6ZZRfdtoz/
ALwz/OpBeWx6XEX/AH2KmVlYZVgQe4NRCrCfwyT+Y2mtxqxRp9xFX6DFPoorQQUUUUAFGKKK
AIntoJPvwxt9VBqs+kWTnIh2H1QkVeooAzv7Oni/497+ZfaT5xR5up2/34YrhR3jbafyNaNF
AFCPVrcvsmDwP6Srj9avKyuoZWBB6EGmyRRyrtkRXX0YZqi2lLGxezme3b0Byp/A0AaNFZv2
65tOL2DKf89ouR+I7VehnjnQPE6uvqDQBJRRRQAUUUUAFFFFABRRRQAUySRIYy8jBVHUmmXV
1FaQmSU8dAB1J9BVKK0lvnE98MKOUg7D3PqaAD7RdaicWuYLf/nsw+Zv90VatbGC1yUXLnq7
csfxqyAAMDpRQAU2SRYo2dyAqjJNONYWr3ZmQLEwMQbDEetcGY46ODoOo9X0Xf8A4Hc0pU3U
lYjudZnkciHEadjjJqrFI8ouDI7MTEeSc9warVPa8vIPWJv5V+d/XsRiq69tNu/Tprpsep7O
MI+6iCrum3MlvKxDHygpZl9f88VSqdPks5W7uwQfTqf6Vz4KpOlWVSDty3f3f57FVEnGz6nU
xSpNGsiMCpHBpLidbeF5X6KPzrlIppoT+6kZSf7p61YvbmZ1SCSQsU5f/e/+tX1seKFLDyly
Wml8r/1qcTwlpJX0NL+3oP8AnlJ+n+NXLS/hvAfLJDDqrda5Wrli32eZblztjBx7t9K4sBxF
i514qrZx66Wsu9/I0qYWCj7u51FFIrB1DKQQRkEUtfdJ31R5wUUUUwCiiigAooooACM9aoTa
aA5ms3NvN/s/db6ir9FAFCDUGWUW94nkzHof4X+hq/UU9vFcxGOVAyn17VQWWbS3EdwxktSc
JKeqexoA1KKQEMAQcg9CKWgAooooAKjnnS3haWQ4VRk1JWY4/tHUdh5trY/MOzP/APWoAW0t
3uphfXQwf+WUZ6IPX61pUUUAFFFFAEVydtrKfRD/ACrlrd1DGOQ4jk4J9PQ11NyhltpI16sp
A/KuQIKkgjBHBFfGcUznTrUppaWf/BX3Hfg0nGSHOjRyMjDDA4NS2n/HyB6qw/Q0P+/txJ/y
0jwre69j/T8qLP8A4/IR6sBXzNOChiYOOzaa9L/0jqbvBkFTz/JDBH/s7z9T/wDWAqJELyKg
6scCpZsz3jLGM5bav0HArOnFqnK27sv1/RfeU3qgtwI1a4P8PCD1b/63X8qgJycnrU1w6lhG
hzHGMA+p7miOJVQSzfd/hXu//wBaqnDmapQ2ju+l+r/Rf5sSdvefUI4lCebNnZ2Xu5/w96ZL
K0rbmwMcADoB6CiSRpX3N9AB0A9BSRxvK21FLH2qJS5v3VJafi/66IaVtZGto9/tItpTwfuE
/wAq3K5PZDBy7ea/91DwPqf8PzqdNYu0bO5SvZSOn9a+qyzPY4SiqGLd7bW1aXn/AFfyOOrh
3OXNA6TNLXNvey6hdW6EBQHHC10gr6PAZlTxzm6S92Nlfv8AI5alJ07X3CiiivRMgooooAKK
KKACmuiyIUdQykYIPenUUAZcTNpdwtvISbWQ4ic/wH+6a1KiubdLqB4pB8rD8veq2mzuyvbT
n9/AdpP94djQBeooooAr31x9lspZu6jj69qbp9v9ls0jP3yNzn1Y9ag1T95JZ2/Z5gT7gc1o
0AFFFFABRRRQAVz+s2flTfaEHyP972NdBTJI0ljKOoZW4INefmeAjjsO6T0e6fZmtKo6cuY5
GGTypA2Mr0Yeo7ipVTyL6LByu9WU+ozVu70eWIloAZE9O4/xotrC5ngUNHsKNlGfjjuK+Ehl
2LhU9hODunddvPXz/P1PQdWDXMmVYRsupH/55Bm/HoP1xTY/3MBl/jfKp7Duf6fnWpJpU2Jy
GX964P0XOf8ACqLJukDtGxH3Yoe5A9fb+daVsDWw9lKNnrb5u1/kkrdbtWFGpGWxDHGqIJZh
kH7qf3v/AK1MPm3MvALMegA6CpZAocvcybn/ALiHp9T0FRvcMy7FAjj/ALq9/r6159SMILkk
7Lt1fr0Xp07bs1V3qh3lww/61t7f3EPH4n/CmyTu67BhI/7i8D/69IlvNIMrGxHrjj86f9nC
/wCsniT2B3H9Km1ZxtCPLF/K/q3/AMN5B7t9XdkFFT/6Kn/PWQ/go/rV7S447mdv3Eaogycj
cSfxqsNgHXqxoqau/n+Wn4hOpyx5rC6NZM0ouXGFX7vufWt6kVQoAAwB2FLX6Tl2AhgaCow1
7vuzyqtR1JczCiiiu4zCiiigAooooAKKKKACs29H2W/trwfdY+VJ9D0NaVU9Uj83TJx3C7h+
HNAFyioraTzrWKT+8gP6VLQBnXn/ACFtP9Mv/KtGs7VP3clncdo5gD7A8Vo0AFFFFABRRRQA
UUUUAea6x8XF0bVrmwuNBuA0MjIGaXbvAJAYAr0OM1SHxvs++iT/APf8f4Vy3xg/5Hpv+vaP
+tdXD8FNNkhRzq918yg8RrXreywsacZVFv6nl+0xMqko03t6Gjovxf0XUr5bW7t5bAPwssjB
kz6Ejp9en0rq9VVUcP5xSOQc7FyWP1rxfx98PofCFjaXlteyXEc0hicSKAQcZGMfQ12/gLWb
mb4ZS3E0krtp8jopU5YooDY/AEj8BXkZ5gaVbAyqUfu1/wA0/Lc6sFiaka3s625o6lq+l6Na
NdXZIQdPMblj6ADkn8a4qT4uKrEW+kbVzwRIAf8A0E/zrlri51jx/wCIQC7EDO0McpBH/n8z
XWyeFfCehWcI1ZgzvkebLI67z3wFPFeEsBluVKNLGKVStLXlgrNL/t1pv5t+SN3icTim5UWo
wXV9fvIofinBcXCC8sZkQnmQS79vvjArtra6gvLZLi3lWWGQZV1PBrirnwXoOtaUZ9CcRyAk
JIHZkYjsc5/SsDwxruq+Etd/sydD5UkoSWBwDtJ4DLn/ACR+FctfJ8tzSlOeX80KkL80Jbv7
3+vrYunjMThpJYi0oy2a2/BHrDMqKWZgqgZJJwAKwm+Kmh6KskNvDPfTFuWjwqf99Hr+ArI+
J+r3UemWlijBY7lmMhVACQuMDIHTn9K1vhn4H0W48Owaxf20V7cXJYqso3JGAxGNvQnjOTXT
wxkuHpUVmVWTle6itvJt6vswx2LqzqvDU9Lbsr/8Lxi/6AD/APgUP/iK9B1rxANH8Ky62bbz
RHEknk79udxAxnHv6Vy3jzwDZ3uhMdB0S3XURIu3yAsXy9+4FdzaW+NMt4J4wSsSqytgjIAr
6qq6DUZU111VzkpKveUZv0djy4fHGLvoD/hdD/4iu8TxMsngo+IxakKLVrnyC/PAJxux7ele
J2iJ/wALgCbRs/thhtxxjzDX0SqKq7QoC+gFaYunSp8vLHfXf8CMLOrU5uaW2mx5dpvxlTUN
UtLIaGY/tEyRb/tWdu5gM42+9ep14f8AFvw82l65Br9mCkd0wDlONky9D7ZAz9Qa7qz8e27/
AA5PiGUqbiKPy5I/WccAficH6GivQhKEKlFaPT5jo1pRnKFV6r8jI1z4vLo2t3mmnRTKbaUx
+Z9p27sd8beK7nw5rI8QaBaaoIPIFwpby927bgkdcD0rxr4Y6HN4k8WTa1f5litX852b+OZj
kfly34D1r3gAAYFTi4UqbVOC1W7HhZ1al5yenRC0UUVxHYFQ3f8Ax5z5/wCebfyqaqeqyeVp
k57ldo/HigBdM/5Blvn+4Kt1FbR+TaxR/wB1AP0qWgCvfW/2qzlh7sOPr2pun3P2qzRz98fK
49COtWqzHP8AZ2o+Z0trg4b0V/X8aANOiiigAooooAKKKKAPn/4v/wDI9N/17R/1r3T7Xb2O
krdXUqQwRwhnkc4CjFeF/F//AJHpv+vaP+tQnVPFPxKubXSECLBCBuWJSsSgcb3OTk/5Ar2J
0Pa0abbsktTyYV/ZVqiSu29C54h1bUPif4ph03SImFjCT5e/gAfxSP6e3+Jr0mfw/beG/h/N
pdqSyrE2+Qjl2IOWP+fStPwr4UsPCmmC1tF3ytgzTsPmkb+g9BVjxHJs0mRcZDhlZfUbTXjZ
tiY/VpQjpBf1c78LQalzz1k/6sePfCmYxyaqu1GBERIZc/3q6Lxn4dk8SwWiWjxW7QuxcyMS
CCB04z2rkvhjcRR6jewPIqySxqUUnlsE5x+ddF428R33h+OyNkIiZi+7zFz0xjHPvXzmaPG/
6y8mEtzuzjzLT4Ndfv2NcL7H+zb1fh629TZ8LeHbjRNFWya4guHEjPmIkdfYgGuD8YKw+I1n
GylSGgBBGP4q7TwpqtxrOgxXl0EErMynYMDg4rh9euo7r4m2jRyLKI7iBCc5GQRkVOSe0lm+
JlXVqijPma2v1t/w48byrCUlD4W1budr4q8OP4k0xbe3x9sjbfDk4DHuv4/0FcZ4Q8aaj4Fv
5dOv7aVrPf8AvrZxteJu7Ln+XQ17JphjmvkPkhWUFsqePyNS+IfCWj+JrcpqFqplAwk6fLIn
0b+h4r0OEq/JgZUqr5oczt5ff5izHDuVZVKekrfeWtF13TfEFkLvTbpJ4/4gOGQ+jDqDWlXz
vqmna18MPFEU9rcFon+aKXGFmTurD+Y+hFe7aDrEOvaHaapbjCXCbtpOdp6EfgQRX0GIw6pp
Tg7xZhh67qNwmrSR4Raf8lkH/YZb/wBGmvomvna0/wCSyD/sMt/6NNfRNbY/eHoY4HafqZPi
XQ4fEXh+70yXAMqfu2P8DjlT+dfMsq39u8ujv5oIuMPb/wDTUZXp68kV9LeK9ei8N+HLrUnw
XRdsKH+KQ8KP6/QGvml4dQuIZtZZZWj+0bXuP+mrZbr68E10ZZzcsr7fqYZjy8ytv+h9I+Df
DyeGvDVrYYHn48ydh/FIev5cD6Ct+uc8EeI18TeGLa8ZgblB5VwB2cdT+Iwfxro68urzc759
z0qXLyLl2CiiiszQKzb0/ar+3tByqnzZPoOgq7c3CWtu80h+VR+ftVbTYHVHuZx+/nO5v9kd
hQBeooooAKjnhS4haKQZVhg1JRQBm2k72kwsrpsn/ljIejj0+taVQ3NrFdwmOUZHYjqD6iqU
d1LYOIL47ozwk/Y+zehoA06KQEEAg5BpaACiig0AfP8A8X/+R6b/AK9o/wCtezeGNE0/QtDt
7ewgEasiu7dWdiOrHvXJaz8JoNb1e51C41u73zSM4UoGCAkkKMnoM1ueGPBsvhy+kuH1y+v0
aLyhFOxKryDkcn0x+Nd9arTnQjCMtvXU4aNKcK0puO51dUtUtftVmygZZfmA9fartFeViKEa
9KVKezVj0IycWmj598W+E5tIuf7Y0cMkKtvdI+sJ9R/s/wAvpV7TvGeiarZRx+I4IftEPAZ4
PMVvcYBwfWvSdRgWG9ljAG0nIHsa4fVvhpp1/K15Y3D2YY/vIVQMqt6jkYB9K+dw2ZYXFQeE
zeTU6V+Wcb81lo1om/w29LhVwtWlL2uESalvF7GHr/jS0isRpnhpBFG+d0scezbnsowOT61f
8GeDDZmPU9Tj/wBI+9DC3/LP/aPv/L69NLQfAtho12LuSVrudf8AVl1AVD6getdrY2L3kndY
x95v8K58XmlL2f8AZuTJtT+Kb+KXz7d3p/ndDCTc/rGLtdbLojmbvxg/hrxfp1pceRHp11Fu
mmkRiyjLDjB6ZA7GvRrfULO7txcW11BNCRnzI5Ay/mK47xf8N4vFeoW1yNRa0EEAhCCHfnBJ
zncPWueHwQjAIGvyc/8ATqP/AIuvsMvwWGw2Dp0ea0ktdN31OKrVxDqyko3T21Mv4ueKNP1e
4tNLsJEuPsrM8syHKhiMbQe/v+Feh/DjTbjSvA1jBdKyTPulKN1UMxIH5Y/Os3w58KdH0O7S
7uZX1C4Q5j81QqKfXbzk/U11mu6ZJq+jXNhDeSWckwAE8f3kwQeMEemOveu6tWpuEaNPZdTK
jSqKcq0930PCLT/ksg/7DLf+jTX0QWAGSQB615T/AMKWP2j7R/wkk/n7t/mfZ/m3eud+c13E
nhtpvBbeHpb53ZrfyWumXLH3Iz/Wni6lKo48sttNhYWFSmpc0d9dzyr4ra++t+I4dCsSZYrV
gpVOfMmbjH4cD6k16LZ+B7WL4fnw3KF3yRbpJAP+Wx53fgcfgK53Sfg7HpesWWoDW2kNrOk2
z7NjdtYHGd3HSvUO1KvXioQp0XovzHQoycpTqrV/keCfDnWZvCnjOXSNQPlRXL/Z5lY8JKDh
T+eR+Ne9qwYZUgj1Feb+IPhNFr2u3eqNrDwG4fd5Ytw23gDruHpXZeGNDHhvw9a6StwZxBv/
AHhXbu3MW6ZPrSxc6VW1SL97qh4WFSneElp0Zr02R1iQu7BVUZJNMuLmK1iMkrhVH61QWGbU
3EtypjtQcpCere7f4VxHYEKtqdwtzIpFrGcxIf4j/eNalIAFAAGAKWgAooooAKKKKACmyRpK
hSRQynqCKdRQBmG2utPO60Jmg7wseV/3TVm1v4LrKqxWQdY34YfhVqq1zYW93zImHHR14Yfj
QBZorN26jZ/dIu4h2PDj8e9SQ6rbSNskJhk7pKNpoAvUUgIIyDkUtABRRRQBg61bOJhcAZQj
B9jWdbuyy4Clw3yso7iuuIyMUyOGOMkpGik9cDGa+ZxfDvtsX9Ypz5bu70v/AFc64YrlhytX
Ma20VmkLTNiMHgDqw/pW3HGkSBEUKo6AU6ivXwWW4fBJqjHV9ephUqyqfEFFFFd5mFFFFABR
RRQAUUySWOFd0jqi+rHFUW1TzSUsoHuG/vYwo/E0AaJIAyaz5dTDOYbNPPl7kfdX6mm/YLi7
Ob6f5P8AnjFwv4nvV+KGOBAkSKijsBQBTg08mUXF4/nTdh/Cn0FX6KKACiiigAooooAKKKKA
CiiigAooooAKjmt4Z12yxq4/2hmpKKAM46UIjm0uJYD/AHQdy/kaN2qQfeSG5X/ZO1v8K0aK
AM7+1hH/AMfFrcRe5TI/OpY9VsZOlyg/3vl/nVyopLaCX/WQxv8A7yg0AOSaKT7kiN9GBp9U
n0ixfrbqPoSP5VH/AGNaj7jTJ/uyGgDRorP/ALJQdLu7H0lpP7JH/P7ef9/aANGgkDqazv7I
jP3rm6b6y0o0Wyz86O/+85oAtPd28f3541+riqz6xZKcLKXb0RSakTTLKP7ttH+Iz/OrKRpG
MIiqPYYoAof2jcS/8e9hKfeT5BR5Opz/AOsuI4FPaJcn8zWjRQBQj0m2Vt8u+d/70rbv0q8q
hQAoAA6AUtFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAF
FFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAf/9k=
--------------6FB1DC3978D8EF45DFD4CDC6
Content-Type: image/png;
 name="QR-MJElkins.png"
Content-Transfer-Encoding: base64
Content-ID: 
Content-Disposition: inline;
 filename="QR-MJElkins.png"

iVBORw0KGgoAAAANSUhEUgAAAMgAAADICAYAAACtWK6eAAAIOklEQVR4nO2ZS24lOQwEff9L
z2wMo9EzJYnK5KeeI4C3kipJUQoDjf76BwAe+epuAGAyCAKwAEEAFiAIwAIEAViAIAALEARg
AYIALEAQgAUIArAAQQAWIAjAAgQBWIAgAAsQBGABggAsQBCABTZBvr6+Sn9qP7v96vnc81LP
F+0ne737fRzPxRY0bAAIEgNBHuZiCxo2AASJgSAPc7EFDRsAgsRAkIe52IKSGjzNdz84tR/1
fNXz7BZMBUEQxAqCHObaghDEej4E8da/zrUFIYj1fAjirX+dawsa9oDV/qrr7/ar84vmu7+f
/j4ez2kLGj4ABInlu7+f/j4ez2kLGj4ABInlu7+f/j4ez2kLGj4ABInlu7+f/j4ez2kLah5A
9QPOzs8Wqru/7v5PQRDT9+58BEEQBEncjyAeEMT0vTsfQRCkdQBq/WzBp80j+w/YtPfxk2sL
etkAEKT3fNX1b0EQBGk5X3X9WxAEQVrOV13/ljJBsvOjA3XXd/fTvb97flPyEcRU391P9/7u
+U3JRxBTfXc/3fu75zclH0FM9d39dO/vnt+U/DRBsn+7+qzPXq9+H7cgCOst6wiCIKwv1hEE
QVhfrP86QaZRNcCnemo/2XnReVTPcwofezIE0fa7v38rH3syBNH2u79/Kx97MgTR9ru/fytj
/5Gu5u++d6+r+6NUz2vavKsERRDTuro/CoIgiJS/+969ru6PgiAIIuXvvnevq/ujIMjLBXHv
332v1s9+ANkP1l3fPc/q+btAEARBkNW5bEEIIuUjCIJI+3ffI4i3PoJ810kLLr4At6DdDyxK
db/u/qPnqQJBEARBVn2kBSMIggggCIKE+nHPB0EO+0gLDj7A6Hq0/rQH696ffZ4o085/fY60
YAQZ9UAQ5PIcacEIMuqBIMjlOdKCEWTUA0GQy3PYgpIfZPcAd/XV86o/dV7qPNzr7n6uc21B
CIIgxnV3P9e5tiAEQRDjuruf61xbEIIgiHHd3c91ri3p7+DkB6DW230frRftJ7t+tB/3fUT7
re7nuO+0YARBkEC/CIIgCIIgfwQjCIIE+v11gvynkPhg3AK5+68WNNqf+zy/BQQx9Y8gnwmC
mPpHkM8EQUz9I8hn0vYfhdUXoj7Q6geTPZ9pQk0VEEEu1xEEQWJBCGIFQWaAIJfrCIIgsaDi
B9P9ffaDqe6n+sF3z+8UBLn8vvuCEaQGBLn8vvuCEaQGBLn8vvuCEaSGMYJEB6IO1H0B0Xrq
eboezBPZ8+86P4IgiAUE2QUhCIIgyCIIQRAEQYRC4gGzH3B2nrrfXS87L/sPXBUIcgmCaP0i
yN+FEARBAvsRBEFC+xGkh7TK2QeuHvDbHpzan7v/aB6CJOe/7UFEz5fdn7v/aB6CJOe/7UFE
z5fdn7v/aB6CJOe/7UFEz5fdn7v/aN7HCZJ94erAqh/QLl89v/qbdr6pIMjhugqCrPdPBUEO
11UQZL1/KghyuK6CIOv9U0kTxP0Adt+r/aj9ZQus9qfWr853178FQS7PgyAIEgtCEAQx5rvr
34Igl+dBEATRgs0Hzn4Q6gW656FS/SDV+6mezykIgiAj7gdBNusIgiAIslhHEAT5aEG6H4D7
wtV+svtV/yBkUz3vrPMhCIKkgCB/ByEIggT6n57/U8cWhCAIEuh/ev5PHVvSrpB44dkPrGrg
p/OJ7ncLVD0v9/27QBAEucpDEHchBAnNJ7ofQXJAEAS5ykMQd6HkgVbnq/24H/Buf/X51fzs
+z0FQUz9IgiCaIUQBEEC+QiCIAjymwRxP4BofrVw1RfYnZd9n+76LhDkMh9BtP0IgiAIgiB/
BCEIggT2/zpBtoWKH5B6AeoFZwuW3W90XiruP3AuEOTyewRBECsIgiCZeQiSnI8gCPK/ubYk
kewLzL4A9wNzC5b1gE77zT5/FggypL9o/wiCIKH13X4EQZCrc6UlB0GQWP8I8jJBug+k1ndf
cHS/O0+t777PbGGyQJDD73f7o/1l56n1EeS7ri0IQUL9Zeep9RHku64tCEFC/WXnqfUR5Luu
LUhsuFuwXT/RfqfTPe+3zBdBDvuJ9jud7nm/Zb4IcthPtN/pdM/7LfNFkMN+ov1Op3veb5lv
mSDRC4kOxC1otH+1nvun1nfPZ9p9n4Igpv7Vet0PDEEe6tiCEESq1/3AEOShji0IQaR63Q8M
QR7q2ILMA1Tz3bj7jdZT91cL1P0HwAWCXJ4PQWL7EQRBrP0gCIIgSKCeuh9B7pj/P1qHVAuS
vd5dz93vjup6x32lJReDIN56CPJdNy25GATx1kOQ77ppycUgiLcegnzXtQUFB67+1PrZ593t
n5avUi10FQiSdN7d/mn5KgiyC0IQBEGQRRCCIAiCLIKSD9D9wKoF63oQXf1OPT+CHOYjCIJo
QQginWfqA6nqd+r5EeQwH0EQRAsKPrDsB+zer+IWcNqDjfbj7j/r/hAEQa7y1X4QZLOOILH1
aP8I4gFBEOQqX+0HQTbr2YJE16Pnq77gbKG7H6T7flwgyOX5EARBYkEIgiCF9bP7+cm1BSEI
ghTWz+7nJ9cWNFyQaD9qfjXZgmXf19T5I8jwCzoFQXJAkOEXdAqC5IAgwy/oFATJoUyQ7Pzu
gVf3pz5w9XzqHzyVKmEQBEGuzocg0SAEQRAEWQQhCIIgyCJIHKA68OwLdO/PPo/7wWafv1u4
x3PYghAktB9BEARBEARBfoIQJLQfQX6ZIACfCIIALEAQgAUIArAAQQAWIAjAAgQBWIAgAAsQ
BGABggAsQBCABQgCsABBABYgCMACBAFYgCAACxAEYAGCACz4F4El8eosyP1oAAAAAElFTkSu
QmCC
--------------6FB1DC3978D8EF45DFD4CDC6--

--------------368AB5462CB93339D0B2984E--