Upgrading server dependancies (#6984)

417 files changed, 87553 insertions, 4200 deletions

diff --git a/vendor/github.com/NYTimes/gziphandler/gzip.go b/vendor/github.com/NYTimes/gziphandler/gzip.go
index cccf79de7..ea6dba1e7 100644
--- a/vendor/github.com/NYTimes/gziphandler/gzip.go
+++ b/vendor/github.com/NYTimes/gziphandler/gzip.go
@@ -97,6 +97,7 @@ func (w *GzipResponseWriter) Write(b []byte) (int, error) {
 	}
 
 	// Save the write into a buffer for later use in GZIP responseWriter (if content is long enough) or at close with regular responseWriter.
+	// On the first write, w.buf changes from nil to a valid slice
 	w.buf = append(w.buf, b...)
 
 	// If the global writes are bigger than the minSize, compression is enable.
@@ -122,7 +123,9 @@ func (w *GzipResponseWriter) startGzip() error {
 	w.Header().Del(contentLength)
 
 	// Write the header to gzip response.
-	w.writeHeader()
+	if w.code != 0 {
+		w.ResponseWriter.WriteHeader(w.code)
+	}
 
 	// Initialize the GZIP response.
 	w.init()
@@ -146,14 +149,6 @@ func (w *GzipResponseWriter) WriteHeader(code int) {
 	w.code = code
 }
 
-// writeHeader uses the saved code to send it to the ResponseWriter.
-func (w *GzipResponseWriter) writeHeader() {
-	if w.code == 0 {
-		w.code = http.StatusOK
-	}
-	w.ResponseWriter.WriteHeader(w.code)
-}
-
 // init graps a new gzip writer from the gzipWriterPool and writes the correct
 // content encoding header.
 func (w *GzipResponseWriter) init() {
@@ -166,19 +161,18 @@ func (w *GzipResponseWriter) init() {
 
 // Close will close the gzip.Writer and will put it back in the gzipWriterPool.
 func (w *GzipResponseWriter) Close() error {
-	// Buffer not nil means the regular response must be returned.
-	if w.buf != nil {
-		w.writeHeader()
-		// Make the write into the regular response.
-		_, writeErr := w.ResponseWriter.Write(w.buf)
-		// Returns the error if any at write.
-		if writeErr != nil {
-			return fmt.Errorf("gziphandler: write to regular responseWriter at close gets error: %q", writeErr.Error())
-		}
-	}
-
-	// If the GZIP responseWriter is not set no needs to close it.
 	if w.gw == nil {
+		// Gzip not trigged yet, write out regular response.
+		if w.code != 0 {
+			w.ResponseWriter.WriteHeader(w.code)
+		}
+		if w.buf != nil {
+			_, writeErr := w.ResponseWriter.Write(w.buf)
+			// Returns the error if any at write.
+			if writeErr != nil {
+				return fmt.Errorf("gziphandler: write to regular responseWriter at close gets error: %q", writeErr.Error())
+			}
+		}
 		return nil
 	}
 
@@ -253,8 +247,6 @@ func NewGzipLevelAndMinSize(level, minSize int) (func(http.Handler) http.Handler
 					ResponseWriter: w,
 					index:          index,
 					minSize:        minSize,
-
-					buf: []byte{},
 				}
 				defer gw.Close()
 
diff --git a/vendor/github.com/NYTimes/gziphandler/gzip_test.go b/vendor/github.com/NYTimes/gziphandler/gzip_test.go
index b9e687c8e..0f6488cae 100644
--- a/vendor/github.com/NYTimes/gziphandler/gzip_test.go
+++ b/vendor/github.com/NYTimes/gziphandler/gzip_test.go
@@ -295,6 +295,30 @@ func TestStatusCodes(t *testing.T) {
 	}
 }
 
+func TestDontWriteWhenNotWrittenTo(t *testing.T) {
+	// When using gzip as middleware without ANY writes in the handler,
+	// ensure the gzip middleware doesn't touch the actual ResponseWriter
+	// either.
+
+	handler0 := GzipHandler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	}))
+
+	handler1 := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		handler0.ServeHTTP(w, r)
+		w.WriteHeader(404) // this only works if gzip didn't do a WriteHeader(200)
+	})
+
+	r := httptest.NewRequest("GET", "/", nil)
+	r.Header.Set("Accept-Encoding", "gzip")
+	w := httptest.NewRecorder()
+	handler1.ServeHTTP(w, r)
+
+	result := w.Result()
+	if result.StatusCode != 404 {
+		t.Errorf("StatusCode should have been 404 but was %d", result.StatusCode)
+	}
+}
+
 // --------------------------------------------------------------------
 
 func BenchmarkGzipHandler_S2k(b *testing.B)   { benchmark(b, false, 2048) }
diff --git a/vendor/github.com/disintegration/imaging/transform.go b/vendor/github.com/disintegration/imaging/transform.go
index a11601bba..30410c278 100644
--- a/vendor/github.com/disintegration/imaging/transform.go
+++ b/vendor/github.com/disintegration/imaging/transform.go
@@ -2,23 +2,25 @@ package imaging
 
 import (
 	"image"
+	"image/color"
+	"math"
 )
 
-// Rotate90 rotates the image 90 degrees counterclockwise and returns the transformed image.
-func Rotate90(img image.Image) *image.NRGBA {
+// FlipH flips the image horizontally (from left to right) and returns the transformed image.
+func FlipH(img image.Image) *image.NRGBA {
 	src := toNRGBA(img)
 	srcW := src.Bounds().Max.X
 	srcH := src.Bounds().Max.Y
-	dstW := srcH
-	dstH := srcW
+	dstW := srcW
+	dstH := srcH
 	dst := image.NewNRGBA(image.Rect(0, 0, dstW, dstH))
 
 	parallel(dstH, func(partStart, partEnd int) {
 
 		for dstY := partStart; dstY < partEnd; dstY++ {
 			for dstX := 0; dstX < dstW; dstX++ {
-				srcX := dstH - dstY - 1
-				srcY := dstX
+				srcX := dstW - dstX - 1
+				srcY := dstY
 
 				srcOff := srcY*src.Stride + srcX*4
 				dstOff := dstY*dst.Stride + dstX*4
@@ -32,8 +34,8 @@ func Rotate90(img image.Image) *image.NRGBA {
 	return dst
 }
 
-// Rotate180 rotates the image 180 degrees counterclockwise and returns the transformed image.
-func Rotate180(img image.Image) *image.NRGBA {
+// FlipV flips the image vertically (from top to bottom) and returns the transformed image.
+func FlipV(img image.Image) *image.NRGBA {
 	src := toNRGBA(img)
 	srcW := src.Bounds().Max.X
 	srcH := src.Bounds().Max.Y
@@ -45,7 +47,7 @@ func Rotate180(img image.Image) *image.NRGBA {
 
 		for dstY := partStart; dstY < partEnd; dstY++ {
 			for dstX := 0; dstX < dstW; dstX++ {
-				srcX := dstW - dstX - 1
+				srcX := dstX
 				srcY := dstH - dstY - 1
 
 				srcOff := srcY*src.Stride + srcX*4
@@ -60,8 +62,8 @@ func Rotate180(img image.Image) *image.NRGBA {
 	return dst
 }
 
-// Rotate270 rotates the image 270 degrees counterclockwise and returns the transformed image.
-func Rotate270(img image.Image) *image.NRGBA {
+// Transpose flips the image horizontally and rotates 90 degrees counter-clockwise.
+func Transpose(img image.Image) *image.NRGBA {
 	src := toNRGBA(img)
 	srcW := src.Bounds().Max.X
 	srcH := src.Bounds().Max.Y
@@ -74,7 +76,7 @@ func Rotate270(img image.Image) *image.NRGBA {
 		for dstY := partStart; dstY < partEnd; dstY++ {
 			for dstX := 0; dstX < dstW; dstX++ {
 				srcX := dstY
-				srcY := dstW - dstX - 1
+				srcY := dstX
 
 				srcOff := srcY*src.Stride + srcX*4
 				dstOff := dstY*dst.Stride + dstX*4
@@ -88,21 +90,21 @@ func Rotate270(img image.Image) *image.NRGBA {
 	return dst
 }
 
-// FlipH flips the image horizontally (from left to right) and returns the transformed image.
-func FlipH(img image.Image) *image.NRGBA {
+// Transverse flips the image vertically and rotates 90 degrees counter-clockwise.
+func Transverse(img image.Image) *image.NRGBA {
 	src := toNRGBA(img)
 	srcW := src.Bounds().Max.X
 	srcH := src.Bounds().Max.Y
-	dstW := srcW
-	dstH := srcH
+	dstW := srcH
+	dstH := srcW
 	dst := image.NewNRGBA(image.Rect(0, 0, dstW, dstH))
 
 	parallel(dstH, func(partStart, partEnd int) {
 
 		for dstY := partStart; dstY < partEnd; dstY++ {
 			for dstX := 0; dstX < dstW; dstX++ {
-				srcX := dstW - dstX - 1
-				srcY := dstY
+				srcX := dstH - dstY - 1
+				srcY := dstW - dstX - 1
 
 				srcOff := srcY*src.Stride + srcX*4
 				dstOff := dstY*dst.Stride + dstX*4
@@ -116,21 +118,21 @@ func FlipH(img image.Image) *image.NRGBA {
 	return dst
 }
 
-// FlipV flips the image vertically (from top to bottom) and returns the transformed image.
-func FlipV(img image.Image) *image.NRGBA {
+// Rotate90 rotates the image 90 degrees counterclockwise and returns the transformed image.
+func Rotate90(img image.Image) *image.NRGBA {
 	src := toNRGBA(img)
 	srcW := src.Bounds().Max.X
 	srcH := src.Bounds().Max.Y
-	dstW := srcW
-	dstH := srcH
+	dstW := srcH
+	dstH := srcW
 	dst := image.NewNRGBA(image.Rect(0, 0, dstW, dstH))
 
 	parallel(dstH, func(partStart, partEnd int) {
 
 		for dstY := partStart; dstY < partEnd; dstY++ {
 			for dstX := 0; dstX < dstW; dstX++ {
-				srcX := dstX
-				srcY := dstH - dstY - 1
+				srcX := dstH - dstY - 1
+				srcY := dstX
 
 				srcOff := srcY*src.Stride + srcX*4
 				dstOff := dstY*dst.Stride + dstX*4
@@ -144,21 +146,21 @@ func FlipV(img image.Image) *image.NRGBA {
 	return dst
 }
 
-// Transpose flips the image horizontally and rotates 90 degrees counter-clockwise.
-func Transpose(img image.Image) *image.NRGBA {
+// Rotate180 rotates the image 180 degrees counterclockwise and returns the transformed image.
+func Rotate180(img image.Image) *image.NRGBA {
 	src := toNRGBA(img)
 	srcW := src.Bounds().Max.X
 	srcH := src.Bounds().Max.Y
-	dstW := srcH
-	dstH := srcW
+	dstW := srcW
+	dstH := srcH
 	dst := image.NewNRGBA(image.Rect(0, 0, dstW, dstH))
 
 	parallel(dstH, func(partStart, partEnd int) {
 
 		for dstY := partStart; dstY < partEnd; dstY++ {
 			for dstX := 0; dstX < dstW; dstX++ {
-				srcX := dstY
-				srcY := dstX
+				srcX := dstW - dstX - 1
+				srcY := dstH - dstY - 1
 
 				srcOff := srcY*src.Stride + srcX*4
 				dstOff := dstY*dst.Stride + dstX*4
@@ -172,8 +174,8 @@ func Transpose(img image.Image) *image.NRGBA {
 	return dst
 }
 
-// Transverse flips the image vertically and rotates 90 degrees counter-clockwise.
-func Transverse(img image.Image) *image.NRGBA {
+// Rotate270 rotates the image 270 degrees counterclockwise and returns the transformed image.
+func Rotate270(img image.Image) *image.NRGBA {
 	src := toNRGBA(img)
 	srcW := src.Bounds().Max.X
 	srcH := src.Bounds().Max.Y
@@ -185,7 +187,7 @@ func Transverse(img image.Image) *image.NRGBA {
 
 		for dstY := partStart; dstY < partEnd; dstY++ {
 			for dstX := 0; dstX < dstW; dstX++ {
-				srcX := dstH - dstY - 1
+				srcX := dstY
 				srcY := dstW - dstX - 1
 
 				srcOff := srcY*src.Stride + srcX*4
@@ -199,3 +201,131 @@ func Transverse(img image.Image) *image.NRGBA {
 
 	return dst
 }
+
+// Rotate rotates an image by the given angle counter-clockwise .
+// The angle parameter is the rotation angle in degrees.
+// The bgColor parameter specifies the color of the uncovered zone after the rotation.
+func Rotate(img image.Image, angle float64, bgColor color.Color) *image.NRGBA {
+	src := toNRGBA(img)
+	srcW := src.Bounds().Max.X
+	srcH := src.Bounds().Max.Y
+	dstW, dstH := rotatedSize(srcW, srcH, angle)
+	dst := image.NewNRGBA(image.Rect(0, 0, dstW, dstH))
+
+	if dstW <= 0 || dstH <= 0 {
+		return dst
+	}
+
+	srcXOff := float64(srcW)/2 - 0.5
+	srcYOff := float64(srcH)/2 - 0.5
+	dstXOff := float64(dstW)/2 - 0.5
+	dstYOff := float64(dstH)/2 - 0.5
+
+	bgColorNRGBA := color.NRGBAModel.Convert(bgColor).(color.NRGBA)
+	sin, cos := math.Sincos(math.Pi * float64(angle) / 180)
+
+	parallel(dstH, func(partStart, partEnd int) {
+		for dstY := partStart; dstY < partEnd; dstY++ {
+			for dstX := 0; dstX < dstW; dstX++ {
+				xf, yf := rotatePoint(float64(dstX)-dstXOff, float64(dstY)-dstYOff, sin, cos)
+				xf, yf = xf+srcXOff, yf+srcYOff
+				interpolatePoint(dst, dstX, dstY, src, xf, yf, bgColorNRGBA)
+			}
+		}
+	})
+
+	return dst
+}
+
+func rotatePoint(x, y, sin, cos float64) (float64, float64) {
+	return x*cos - y*sin, x*sin + y*cos
+}
+
+func rotatedSize(w, h int, angle float64) (int, int) {
+	if w <= 0 || h <= 0 {
+		return 0, 0
+	}
+
+	sin, cos := math.Sincos(math.Pi * float64(angle) / 180)
+	x1, y1 := rotatePoint(float64(w-1), 0, sin, cos)
+	x2, y2 := rotatePoint(float64(w-1), float64(h-1), sin, cos)
+	x3, y3 := rotatePoint(0, float64(h-1), sin, cos)
+
+	minx := math.Min(x1, math.Min(x2, math.Min(x3, 0)))
+	maxx := math.Max(x1, math.Max(x2, math.Max(x3, 0)))
+	miny := math.Min(y1, math.Min(y2, math.Min(y3, 0)))
+	maxy := math.Max(y1, math.Max(y2, math.Max(y3, 0)))
+
+	neww := maxx - minx + 1
+	if neww-math.Floor(neww) > 0.1 {
+		neww++
+	}
+	newh := maxy - miny + 1
+	if newh-math.Floor(newh) > 0.1 {
+		newh++
+	}
+
+	return int(neww), int(newh)
+}
+
+func interpolatePoint(dst *image.NRGBA, dstX, dstY int, src *image.NRGBA, xf, yf float64, bgColor color.NRGBA) {
+	dstIndex := dstY*dst.Stride + dstX*4
+
+	x0 := int(math.Floor(xf))
+	y0 := int(math.Floor(yf))
+	bounds := src.Bounds()
+	if !image.Pt(x0, y0).In(image.Rect(bounds.Min.X-1, bounds.Min.Y-1, bounds.Max.X, bounds.Max.Y)) {
+		dst.Pix[dstIndex+0] = bgColor.R
+		dst.Pix[dstIndex+1] = bgColor.G
+		dst.Pix[dstIndex+2] = bgColor.B
+		dst.Pix[dstIndex+3] = bgColor.A
+		return
+	}
+
+	xq := xf - float64(x0)
+	yq := yf - float64(y0)
+
+	var pxs [4]color.NRGBA
+	var cfs [4]float64
+
+	for i := 0; i < 2; i++ {
+		for j := 0; j < 2; j++ {
+			k := i*2 + j
+			pt := image.Pt(x0+j, y0+i)
+			if pt.In(bounds) {
+				l := pt.Y*src.Stride + pt.X*4
+				pxs[k].R = src.Pix[l+0]
+				pxs[k].G = src.Pix[l+1]
+				pxs[k].B = src.Pix[l+2]
+				pxs[k].A = src.Pix[l+3]
+			} else {
+				pxs[k] = bgColor
+			}
+		}
+	}
+
+	cfs[0] = (1 - xq) * (1 - yq)
+	cfs[1] = xq * (1 - yq)
+	cfs[2] = (1 - xq) * yq
+	cfs[3] = xq * yq
+
+	var r, g, b, a float64
+	for i := range pxs {
+		wa := float64(pxs[i].A) * cfs[i]
+		r += float64(pxs[i].R) * wa
+		g += float64(pxs[i].G) * wa
+		b += float64(pxs[i].B) * wa
+		a += wa
+	}
+
+	if a != 0 {
+		r /= a
+		g /= a
+		b /= a
+	}
+
+	dst.Pix[dstIndex+0] = clamp(r)
+	dst.Pix[dstIndex+1] = clamp(g)
+	dst.Pix[dstIndex+2] = clamp(b)
+	dst.Pix[dstIndex+3] = clamp(a)
+}
diff --git a/vendor/github.com/disintegration/imaging/transform_test.go b/vendor/github.com/disintegration/imaging/transform_test.go
index 6e64082f4..3772225a3 100644
--- a/vendor/github.com/disintegration/imaging/transform_test.go
+++ b/vendor/github.com/disintegration/imaging/transform_test.go
@@ -2,17 +2,18 @@ package imaging
 
 import (
 	"image"
+	"image/color"
 	"testing"
 )
 
-func TestRotate90(t *testing.T) {
+func TestFlipH(t *testing.T) {
 	td := []struct {
 		desc string
 		src  image.Image
 		want *image.NRGBA
 	}{
 		{
-			"Rotate90 2x3",
+			"FlipH 2x3",
 			&image.NRGBA{
 				Rect:   image.Rect(-1, -1, 1, 2),
 				Stride: 2 * 4,
@@ -23,17 +24,18 @@ func TestRotate90(t *testing.T) {
 				},
 			},
 			&image.NRGBA{
-				Rect:   image.Rect(0, 0, 3, 2),
-				Stride: 3 * 4,
+				Rect:   image.Rect(0, 0, 2, 3),
+				Stride: 2 * 4,
 				Pix: []uint8{
-					0xcc, 0xdd, 0xee, 0xff, 0x00, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff,
-					0x00, 0x11, 0x22, 0x33, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00,
+					0xcc, 0xdd, 0xee, 0xff, 0x00, 0x11, 0x22, 0x33,
+					0x00, 0xff, 0x00, 0x00, 0xff, 0x00, 0x00, 0x00,
+					0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0xff, 0x00,
 				},
 			},
 		},
 	}
 	for _, d := range td {
-		got := Rotate90(d.src)
+		got := FlipH(d.src)
 		want := d.want
 		if !compareNRGBA(got, want, 0) {
 			t.Errorf("test [%s] failed: %#v", d.desc, got)
@@ -41,14 +43,14 @@ func TestRotate90(t *testing.T) {
 	}
 }
 
-func TestRotate180(t *testing.T) {
+func TestFlipV(t *testing.T) {
 	td := []struct {
 		desc string
 		src  image.Image
 		want *image.NRGBA
 	}{
 		{
-			"Rotate180 2x3",
+			"FlipV 2x3",
 			&image.NRGBA{
 				Rect:   image.Rect(-1, -1, 1, 2),
 				Stride: 2 * 4,
@@ -62,15 +64,15 @@ func TestRotate180(t *testing.T) {
 				Rect:   image.Rect(0, 0, 2, 3),
 				Stride: 2 * 4,
 				Pix: []uint8{
-					0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0xff, 0x00,
-					0x00, 0xff, 0x00, 0x00, 0xff, 0x00, 0x00, 0x00,
-					0xcc, 0xdd, 0xee, 0xff, 0x00, 0x11, 0x22, 0x33,
+					0x00, 0x00, 0xff, 0x00, 0x00, 0x00, 0x00, 0xff,
+					0xff, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00,
+					0x00, 0x11, 0x22, 0x33, 0xcc, 0xdd, 0xee, 0xff,
 				},
 			},
 		},
 	}
 	for _, d := range td {
-		got := Rotate180(d.src)
+		got := FlipV(d.src)
 		want := d.want
 		if !compareNRGBA(got, want, 0) {
 			t.Errorf("test [%s] failed: %#v", d.desc, got)
@@ -78,14 +80,14 @@ func TestRotate180(t *testing.T) {
 	}
 }
 
-func TestRotate270(t *testing.T) {
+func TestTranspose(t *testing.T) {
 	td := []struct {
 		desc string
 		src  image.Image
 		want *image.NRGBA
 	}{
 		{
-			"Rotate270 2x3",
+			"Transpose 2x3",
 			&image.NRGBA{
 				Rect:   image.Rect(-1, -1, 1, 2),
 				Stride: 2 * 4,
@@ -99,14 +101,14 @@ func TestRotate270(t *testing.T) {
 				Rect:   image.Rect(0, 0, 3, 2),
 				Stride: 3 * 4,
 				Pix: []uint8{
-					0x00, 0x00, 0xff, 0x00, 0xff, 0x00, 0x00, 0x00, 0x00, 0x11, 0x22, 0x33,
-					0x00, 0x00, 0x00, 0xff, 0x00, 0xff, 0x00, 0x00, 0xcc, 0xdd, 0xee, 0xff,
+					0x00, 0x11, 0x22, 0x33, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00,
+					0xcc, 0xdd, 0xee, 0xff, 0x00, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff,
 				},
 			},
 		},
 	}
 	for _, d := range td {
-		got := Rotate270(d.src)
+		got := Transpose(d.src)
 		want := d.want
 		if !compareNRGBA(got, want, 0) {
 			t.Errorf("test [%s] failed: %#v", d.desc, got)
@@ -114,14 +116,14 @@ func TestRotate270(t *testing.T) {
 	}
 }
 
-func TestFlipV(t *testing.T) {
+func TestTransverse(t *testing.T) {
 	td := []struct {
 		desc string
 		src  image.Image
 		want *image.NRGBA
 	}{
 		{
-			"FlipV 2x3",
+			"Transverse 2x3",
 			&image.NRGBA{
 				Rect:   image.Rect(-1, -1, 1, 2),
 				Stride: 2 * 4,
@@ -132,18 +134,17 @@ func TestFlipV(t *testing.T) {
 				},
 			},
 			&image.NRGBA{
-				Rect:   image.Rect(0, 0, 2, 3),
-				Stride: 2 * 4,
+				Rect:   image.Rect(0, 0, 3, 2),
+				Stride: 3 * 4,
 				Pix: []uint8{
-					0x00, 0x00, 0xff, 0x00, 0x00, 0x00, 0x00, 0xff,
-					0xff, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00,
-					0x00, 0x11, 0x22, 0x33, 0xcc, 0xdd, 0xee, 0xff,
+					0x00, 0x00, 0x00, 0xff, 0x00, 0xff, 0x00, 0x00, 0xcc, 0xdd, 0xee, 0xff,
+					0x00, 0x00, 0xff, 0x00, 0xff, 0x00, 0x00, 0x00, 0x00, 0x11, 0x22, 0x33,
 				},
 			},
 		},
 	}
 	for _, d := range td {
-		got := FlipV(d.src)
+		got := Transverse(d.src)
 		want := d.want
 		if !compareNRGBA(got, want, 0) {
 			t.Errorf("test [%s] failed: %#v", d.desc, got)
@@ -151,14 +152,14 @@ func TestFlipV(t *testing.T) {
 	}
 }
 
-func TestFlipH(t *testing.T) {
+func TestRotate90(t *testing.T) {
 	td := []struct {
 		desc string
 		src  image.Image
 		want *image.NRGBA
 	}{
 		{
-			"FlipH 2x3",
+			"Rotate90 2x3",
 			&image.NRGBA{
 				Rect:   image.Rect(-1, -1, 1, 2),
 				Stride: 2 * 4,
@@ -169,18 +170,17 @@ func TestFlipH(t *testing.T) {
 				},
 			},
 			&image.NRGBA{
-				Rect:   image.Rect(0, 0, 2, 3),
-				Stride: 2 * 4,
+				Rect:   image.Rect(0, 0, 3, 2),
+				Stride: 3 * 4,
 				Pix: []uint8{
-					0xcc, 0xdd, 0xee, 0xff, 0x00, 0x11, 0x22, 0x33,
-					0x00, 0xff, 0x00, 0x00, 0xff, 0x00, 0x00, 0x00,
-					0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0xff, 0x00,
+					0xcc, 0xdd, 0xee, 0xff, 0x00, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff,
+					0x00, 0x11, 0x22, 0x33, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00,
 				},
 			},
 		},
 	}
 	for _, d := range td {
-		got := FlipH(d.src)
+		got := Rotate90(d.src)
 		want := d.want
 		if !compareNRGBA(got, want, 0) {
 			t.Errorf("test [%s] failed: %#v", d.desc, got)
@@ -188,14 +188,14 @@ func TestFlipH(t *testing.T) {
 	}
 }
 
-func TestTranspose(t *testing.T) {
+func TestRotate180(t *testing.T) {
 	td := []struct {
 		desc string
 		src  image.Image
 		want *image.NRGBA
 	}{
 		{
-			"Transpose 2x3",
+			"Rotate180 2x3",
 			&image.NRGBA{
 				Rect:   image.Rect(-1, -1, 1, 2),
 				Stride: 2 * 4,
@@ -206,17 +206,18 @@ func TestTranspose(t *testing.T) {
 				},
 			},
 			&image.NRGBA{
-				Rect:   image.Rect(0, 0, 3, 2),
-				Stride: 3 * 4,
+				Rect:   image.Rect(0, 0, 2, 3),
+				Stride: 2 * 4,
 				Pix: []uint8{
-					0x00, 0x11, 0x22, 0x33, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00,
-					0xcc, 0xdd, 0xee, 0xff, 0x00, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff,
+					0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0xff, 0x00,
+					0x00, 0xff, 0x00, 0x00, 0xff, 0x00, 0x00, 0x00,
+					0xcc, 0xdd, 0xee, 0xff, 0x00, 0x11, 0x22, 0x33,
 				},
 			},
 		},
 	}
 	for _, d := range td {
-		got := Transpose(d.src)
+		got := Rotate180(d.src)
 		want := d.want
 		if !compareNRGBA(got, want, 0) {
 			t.Errorf("test [%s] failed: %#v", d.desc, got)
@@ -224,14 +225,14 @@ func TestTranspose(t *testing.T) {
 	}
 }
 
-func TestTransverse(t *testing.T) {
+func TestRotate270(t *testing.T) {
 	td := []struct {
 		desc string
 		src  image.Image
 		want *image.NRGBA
 	}{
 		{
-			"Transverse 2x3",
+			"Rotate270 2x3",
 			&image.NRGBA{
 				Rect:   image.Rect(-1, -1, 1, 2),
 				Stride: 2 * 4,
@@ -245,17 +246,172 @@ func TestTransverse(t *testing.T) {
 				Rect:   image.Rect(0, 0, 3, 2),
 				Stride: 3 * 4,
 				Pix: []uint8{
-					0x00, 0x00, 0x00, 0xff, 0x00, 0xff, 0x00, 0x00, 0xcc, 0xdd, 0xee, 0xff,
 					0x00, 0x00, 0xff, 0x00, 0xff, 0x00, 0x00, 0x00, 0x00, 0x11, 0x22, 0x33,
+					0x00, 0x00, 0x00, 0xff, 0x00, 0xff, 0x00, 0x00, 0xcc, 0xdd, 0xee, 0xff,
 				},
 			},
 		},
 	}
 	for _, d := range td {
-		got := Transverse(d.src)
+		got := Rotate270(d.src)
 		want := d.want
 		if !compareNRGBA(got, want, 0) {
 			t.Errorf("test [%s] failed: %#v", d.desc, got)
 		}
 	}
 }
+
+func TestRotate(t *testing.T) {
+	testCases := []struct {
+		desc  string
+		src   image.Image
+		angle float64
+		bg    color.Color
+		want  *image.NRGBA
+	}{
+		{
+			"Rotate 0",
+			&image.NRGBA{
+				Rect:   image.Rect(-1, -1, 3, 3),
+				Stride: 4 * 4,
+				Pix: []uint8{
+					0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff,
+					0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff,
+					0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff,
+					0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+				},
+			},
+			0,
+			color.Black,
+			&image.NRGBA{
+				Rect:   image.Rect(0, 0, 4, 4),
+				Stride: 4 * 4,
+				Pix: []uint8{
+					0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff,
+					0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff,
+					0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff,
+					0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+				},
+			},
+		},
+		{
+			"Rotate 90",
+			&image.NRGBA{
+				Rect:   image.Rect(-1, -1, 3, 3),
+				Stride: 4 * 4,
+				Pix: []uint8{
+					0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff,
+					0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff,
+					0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff,
+					0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+				},
+			},
+			90,
+			color.Black,
+			&image.NRGBA{
+				Rect:   image.Rect(0, 0, 4, 4),
+				Stride: 4 * 4,
+				Pix: []uint8{
+					0xff, 0x00, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+					0xff, 0x00, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+					0xff, 0x00, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+					0xff, 0x00, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+				},
+			},
+		},
+		{
+			"Rotate 180",
+			&image.NRGBA{
+				Rect:   image.Rect(-1, -1, 3, 3),
+				Stride: 4 * 4,
+				Pix: []uint8{
+					0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff,
+					0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff,
+					0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff,
+					0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+				},
+			},
+			180,
+			color.Black,
+			&image.NRGBA{
+				Rect:   image.Rect(0, 0, 4, 4),
+				Stride: 4 * 4,
+				Pix: []uint8{
+					0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+					0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff,
+					0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff,
+					0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff,
+				},
+			},
+		},
+		{
+			"Rotate 45",
+			&image.NRGBA{
+				Rect:   image.Rect(-1, -1, 3, 3),
+				Stride: 4 * 4,
+				Pix: []uint8{
+					0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff,
+					0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff, 0x00, 0xff,
+					0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff,
+					0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+				},
+			},
+			45,
+			color.Black,
+			&image.NRGBA{
+				Rect:   image.Rect(0, 0, 6, 6),
+				Stride: 6 * 4,
+				Pix: []uint8{
+					0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x00, 0xff, 0x61, 0x00, 0x00, 0xff, 0x58, 0x08, 0x00, 0xff, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x00, 0xff,
+					0x00, 0x00, 0x00, 0xff, 0x61, 0x00, 0x00, 0xff, 0xe9, 0x16, 0x00, 0xff, 0x35, 0xca, 0x00, 0xff, 0x00, 0x30, 0x30, 0xff, 0x00, 0x00, 0x00, 0xff,
+					0x61, 0x00, 0x00, 0xff, 0xe9, 0x16, 0x00, 0xff, 0x35, 0xca, 0x00, 0xff, 0x00, 0x80, 0x80, 0xff, 0x35, 0x35, 0xff, 0xff, 0x58, 0x58, 0x61, 0xff,
+					0x58, 0x08, 0x00, 0xff, 0x35, 0xca, 0x00, 0xff, 0x00, 0x80, 0x80, 0xff, 0x35, 0x35, 0xff, 0xff, 0xe9, 0xe9, 0xff, 0xff, 0x61, 0x61, 0x61, 0xff,
+					0x00, 0x00, 0x00, 0xff, 0x00, 0x30, 0x30, 0xff, 0x35, 0x35, 0xff, 0xff, 0xe9, 0xe9, 0xff, 0xff, 0x61, 0x61, 0x61, 0xff, 0x00, 0x00, 0x00, 0xff,
+					0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x00, 0xff, 0x58, 0x58, 0x61, 0xff, 0x61, 0x61, 0x61, 0xff, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x00, 0xff,
+				},
+			},
+		},
+		{
+			"Rotate 0x0",
+			&image.NRGBA{
+				Rect:   image.Rect(0, 0, 0, 0),
+				Stride: 0,
+				Pix:    []uint8{},
+			},
+			123,
+			color.Black,
+			&image.NRGBA{
+				Rect:   image.Rect(0, 0, 0, 0),
+				Stride: 0,
+				Pix:    []uint8{},
+			},
+		},
+		{
+			"Rotate -90",
+			&image.NRGBA{
+				Rect:   image.Rect(-1, -1, 0, 1),
+				Stride: 1 * 4,
+				Pix: []uint8{
+					0xff, 0x00, 0x00, 0xff,
+					0x00, 0xff, 0x00, 0xff,
+				},
+			},
+			-90,
+			color.Black,
+			&image.NRGBA{
+				Rect:   image.Rect(0, 0, 2, 1),
+				Stride: 2 * 4,
+				Pix: []uint8{
+					0x00, 0xff, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff,
+				},
+			},
+		},
+	}
+	for _, test := range testCases {
+		got := Rotate(test.src, test.angle, test.bg)
+		want := test.want
+		if !compareNRGBA(got, want, 0) {
+			t.Errorf("test [%s] failed: %#v", test.desc, got)
+		}
+	}
+}
diff --git a/vendor/github.com/go-ini/ini/.gitignore b/vendor/github.com/go-ini/ini/.gitignore
new file mode 100644
index 000000000..c5203bf6e
--- /dev/null
+++ b/vendor/github.com/go-ini/ini/.gitignore
@@ -0,0 +1,5 @@
+testdata/conf_out.ini
+ini.sublime-project
+ini.sublime-workspace
+testdata/conf_reflect.ini
+.idea
diff --git a/vendor/github.com/go-ini/ini/.travis.yml b/vendor/github.com/go-ini/ini/.travis.yml
new file mode 100644
index 000000000..9a41f64df
--- /dev/null
+++ b/vendor/github.com/go-ini/ini/.travis.yml
@@ -0,0 +1,14 @@
+sudo: false
+language: go
+go:
+  - 1.4
+  - 1.5
+  - 1.6
+  - 1.7
+  - 1.8
+  - master
+
+script: 
+  - go get golang.org/x/tools/cmd/cover
+  - go get github.com/smartystreets/goconvey
+  - go test -v -cover -race
diff --git a/vendor/github.com/go-ini/ini/LICENSE b/vendor/github.com/go-ini/ini/LICENSE
new file mode 100644
index 000000000..37ec93a14
--- /dev/null
+++ b/vendor/github.com/go-ini/ini/LICENSE
@@ -0,0 +1,191 @@
+Apache License
+Version 2.0, January 2004
+http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+"License" shall mean the terms and conditions for use, reproduction, and
+distribution as defined by Sections 1 through 9 of this document.
+
+"Licensor" shall mean the copyright owner or entity authorized by the copyright
+owner that is granting the License.
+
+"Legal Entity" shall mean the union of the acting entity and all other entities
+that control, are controlled by, or are under common control with that entity.
+For the purposes of this definition, "control" means (i) the power, direct or
+indirect, to cause the direction or management of such entity, whether by
+contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the
+outstanding shares, or (iii) beneficial ownership of such entity.
+
+"You" (or "Your") shall mean an individual or Legal Entity exercising
+permissions granted by this License.
+
+"Source" form shall mean the preferred form for making modifications, including
+but not limited to software source code, documentation source, and configuration
+files.
+
+"Object" form shall mean any form resulting from mechanical transformation or
+translation of a Source form, including but not limited to compiled object code,
+generated documentation, and conversions to other media types.
+
+"Work" shall mean the work of authorship, whether in Source or Object form, made
+available under the License, as indicated by a copyright notice that is included
+in or attached to the work (an example is provided in the Appendix below).
+
+"Derivative Works" shall mean any work, whether in Source or Object form, that
+is based on (or derived from) the Work and for which the editorial revisions,
+annotations, elaborations, or other modifications represent, as a whole, an
+original work of authorship. For the purposes of this License, Derivative Works
+shall not include works that remain separable from, or merely link (or bind by
+name) to the interfaces of, the Work and Derivative Works thereof.
+
+"Contribution" shall mean any work of authorship, including the original version
+of the Work and any modifications or additions to that Work or Derivative Works
+thereof, that is intentionally submitted to Licensor for inclusion in the Work
+by the copyright owner or by an individual or Legal Entity authorized to submit
+on behalf of the copyright owner. For the purposes of this definition,
+"submitted" means any form of electronic, verbal, or written communication sent
+to the Licensor or its representatives, including but not limited to
+communication on electronic mailing lists, source code control systems, and
+issue tracking systems that are managed by, or on behalf of, the Licensor for
+the purpose of discussing and improving the Work, but excluding communication
+that is conspicuously marked or otherwise designated in writing by the copyright
+owner as "Not a Contribution."
+
+"Contributor" shall mean Licensor and any individual or Legal Entity on behalf
+of whom a Contribution has been received by Licensor and subsequently
+incorporated within the Work.
+
+2. Grant of Copyright License.
+
+Subject to the terms and conditions of this License, each Contributor hereby
+grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,
+irrevocable copyright license to reproduce, prepare Derivative Works of,
+publicly display, publicly perform, sublicense, and distribute the Work and such
+Derivative Works in Source or Object form.
+
+3. Grant of Patent License.
+
+Subject to the terms and conditions of this License, each Contributor hereby
+grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,
+irrevocable (except as stated in this section) patent license to make, have
+made, use, offer to sell, sell, import, and otherwise transfer the Work, where
+such license applies only to those patent claims licensable by such Contributor
+that are necessarily infringed by their Contribution(s) alone or by combination
+of their Contribution(s) with the Work to which such Contribution(s) was
+submitted. If You institute patent litigation against any entity (including a
+cross-claim or counterclaim in a lawsuit) alleging that the Work or a
+Contribution incorporated within the Work constitutes direct or contributory
+patent infringement, then any patent licenses granted to You under this License
+for that Work shall terminate as of the date such litigation is filed.
+
+4. Redistribution.
+
+You may reproduce and distribute copies of the Work or Derivative Works thereof
+in any medium, with or without modifications, and in Source or Object form,
+provided that You meet the following conditions:
+
+You must give any other recipients of the Work or Derivative Works a copy of
+this License; and
+You must cause any modified files to carry prominent notices stating that You
+changed the files; and
+You must retain, in the Source form of any Derivative Works that You distribute,
+all copyright, patent, trademark, and attribution notices from the Source form
+of the Work, excluding those notices that do not pertain to any part of the
+Derivative Works; and
+If the Work includes a "NOTICE" text file as part of its distribution, then any
+Derivative Works that You distribute must include a readable copy of the
+attribution notices contained within such NOTICE file, excluding those notices
+that do not pertain to any part of the Derivative Works, in at least one of the
+following places: within a NOTICE text file distributed as part of the
+Derivative Works; within the Source form or documentation, if provided along
+with the Derivative Works; or, within a display generated by the Derivative
+Works, if and wherever such third-party notices normally appear. The contents of
+the NOTICE file are for informational purposes only and do not modify the
+License. You may add Your own attribution notices within Derivative Works that
+You distribute, alongside or as an addendum to the NOTICE text from the Work,
+provided that such additional attribution notices cannot be construed as
+modifying the License.
+You may add Your own copyright statement to Your modifications and may provide
+additional or different license terms and conditions for use, reproduction, or
+distribution of Your modifications, or for any such Derivative Works as a whole,
+provided Your use, reproduction, and distribution of the Work otherwise complies
+with the conditions stated in this License.
+
+5. Submission of Contributions.
+
+Unless You explicitly state otherwise, any Contribution intentionally submitted
+for inclusion in the Work by You to the Licensor shall be under the terms and
+conditions of this License, without any additional terms or conditions.
+Notwithstanding the above, nothing herein shall supersede or modify the terms of
+any separate license agreement you may have executed with Licensor regarding
+such Contributions.
+
+6. Trademarks.
+
+This License does not grant permission to use the trade names, trademarks,
+service marks, or product names of the Licensor, except as required for
+reasonable and customary use in describing the origin of the Work and
+reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty.
+
+Unless required by applicable law or agreed to in writing, Licensor provides the
+Work (and each Contributor provides its Contributions) on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied,
+including, without limitation, any warranties or conditions of TITLE,
+NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are
+solely responsible for determining the appropriateness of using or
+redistributing the Work and assume any risks associated with Your exercise of
+permissions under this License.
+
+8. Limitation of Liability.
+
+In no event and under no legal theory, whether in tort (including negligence),
+contract, or otherwise, unless required by applicable law (such as deliberate
+and grossly negligent acts) or agreed to in writing, shall any Contributor be
+liable to You for damages, including any direct, indirect, special, incidental,
+or consequential damages of any character arising as a result of this License or
+out of the use or inability to use the Work (including but not limited to
+damages for loss of goodwill, work stoppage, computer failure or malfunction, or
+any and all other commercial damages or losses), even if such Contributor has
+been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability.
+
+While redistributing the Work or Derivative Works thereof, You may choose to
+offer, and charge a fee for, acceptance of support, warranty, indemnity, or
+other liability obligations and/or rights consistent with this License. However,
+in accepting such obligations, You may act only on Your own behalf and on Your
+sole responsibility, not on behalf of any other Contributor, and only if You
+agree to indemnify, defend, and hold each Contributor harmless for any liability
+incurred by, or claims asserted against, such Contributor by reason of your
+accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS
+
+APPENDIX: How to apply the Apache License to your work
+
+To apply the Apache License to your work, attach the following boilerplate
+notice, with the fields enclosed by brackets "[]" replaced with your own
+identifying information. (Don't include the brackets!) The text should be
+enclosed in the appropriate comment syntax for the file format. We also
+recommend that a file or class name and description of purpose be included on
+the same "printed page" as the copyright notice for easier identification within
+third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/github.com/go-ini/ini/Makefile b/vendor/github.com/go-ini/ini/Makefile
new file mode 100644
index 000000000..ac034e525
--- /dev/null
+++ b/vendor/github.com/go-ini/ini/Makefile
@@ -0,0 +1,12 @@
+.PHONY: build test bench vet
+
+build: vet bench
+
+test:
+	go test -v -cover -race
+
+bench:
+	go test -v -cover -race -test.bench=. -test.benchmem
+
+vet:
+	go vet
diff --git a/vendor/github.com/go-ini/ini/README.md b/vendor/github.com/go-ini/ini/README.md
new file mode 100644
index 000000000..e67d51f32
--- /dev/null
+++ b/vendor/github.com/go-ini/ini/README.md
@@ -0,0 +1,746 @@
+INI [![Build Status](https://travis-ci.org/go-ini/ini.svg?branch=master)](https://travis-ci.org/go-ini/ini) [![Sourcegraph](https://sourcegraph.com/github.com/go-ini/ini/-/badge.svg)](https://sourcegraph.com/github.com/go-ini/ini?badge)
+===
+
+![](https://avatars0.githubusercontent.com/u/10216035?v=3&s=200)
+
+Package ini provides INI file read and write functionality in Go.
+
+[简体中文](README_ZH.md)
+
+## Feature
+
+- Load multiple data sources(`[]byte`, file and `io.ReadCloser`) with overwrites.
+- Read with recursion values.
+- Read with parent-child sections.
+- Read with auto-increment key names.
+- Read with multiple-line values.
+- Read with tons of helper methods.
+- Read and convert values to Go types.
+- Read and **WRITE** comments of sections and keys.
+- Manipulate sections, keys and comments with ease.
+- Keep sections and keys in order as you parse and save.
+
+## Installation
+
+To use a tagged revision:
+
+	go get gopkg.in/ini.v1
+
+To use with latest changes:
+
+	go get github.com/go-ini/ini
+
+Please add `-u` flag to update in the future.
+
+### Testing
+
+If you want to test on your machine, please apply `-t` flag:
+
+	go get -t gopkg.in/ini.v1
+
+Please add `-u` flag to update in the future.
+
+## Getting Started
+
+### Loading from data sources
+
+A **Data Source** is either raw data in type `[]byte`, a file name with type `string` or `io.ReadCloser`. You can load **as many data sources as you want**. Passing other types will simply return an error.
+
+```go
+cfg, err := ini.Load([]byte("raw data"), "filename", ioutil.NopCloser(bytes.NewReader([]byte("some other data"))))
+```
+
+Or start with an empty object:
+
+```go
+cfg := ini.Empty()
+```
+
+When you cannot decide how many data sources to load at the beginning, you will still be able to **Append()** them later.
+
+```go
+err := cfg.Append("other file", []byte("other raw data"))
+```
+
+If you have a list of files with possibilities that some of them may not available at the time, and you don't know exactly which ones, you can use `LooseLoad` to ignore nonexistent files without returning error.
+
+```go
+cfg, err := ini.LooseLoad("filename", "filename_404")
+```
+
+The cool thing is, whenever the file is available to load while you're calling `Reload` method, it will be counted as usual.
+
+#### Ignore cases of key name
+
+When you do not care about cases of section and key names, you can use `InsensitiveLoad` to force all names to be lowercased while parsing.
+
+```go
+cfg, err := ini.InsensitiveLoad("filename")
+//...
+
+// sec1 and sec2 are the exactly same section object
+sec1, err := cfg.GetSection("Section")
+sec2, err := cfg.GetSection("SecTIOn")
+
+// key1 and key2 are the exactly same key object
+key1, err := sec1.GetKey("Key")
+key2, err := sec2.GetKey("KeY")
+```
+
+#### MySQL-like boolean key 
+
+MySQL's configuration allows a key without value as follows:
+
+```ini
+[mysqld]
+...
+skip-host-cache
+skip-name-resolve
+```
+
+By default, this is considered as missing value. But if you know you're going to deal with those cases, you can assign advanced load options:
+
+```go
+cfg, err := LoadSources(LoadOptions{AllowBooleanKeys: true}, "my.cnf"))
+```
+
+The value of those keys are always `true`, and when you save to a file, it will keep in the same foramt as you read.
+
+To generate such keys in your program, you could use `NewBooleanKey`:
+
+```go
+key, err := sec.NewBooleanKey("skip-host-cache")
+```
+
+#### Comment
+
+Take care that following format will be treated as comment:
+
+1. Line begins with `#` or `;`
+2. Words after `#` or `;`
+3. Words after section name (i.e words after `[some section name]`)
+
+If you want to save a value with `#` or `;`, please quote them with ``` ` ``` or ``` """ ```.
+
+Alternatively, you can use following `LoadOptions` to completely ignore inline comments:
+
+```go
+cfg, err := LoadSources(LoadOptions{IgnoreInlineComment: true}, "app.ini"))
+```
+
+### Working with sections
+
+To get a section, you would need to:
+
+```go
+section, err := cfg.GetSection("section name")
+```
+
+For a shortcut for default section, just give an empty string as name:
+
+```go
+section, err := cfg.GetSection("")
+```
+
+When you're pretty sure the section exists, following code could make your life easier:
+
+```go
+section := cfg.Section("section name")
+```
+
+What happens when the section somehow does not exist? Don't panic, it automatically creates and returns a new section to you.
+
+To create a new section:
+
+```go
+err := cfg.NewSection("new section")
+```
+
+To get a list of sections or section names:
+
+```go
+sections := cfg.Sections()
+names := cfg.SectionStrings()
+```
+
+### Working with keys
+
+To get a key under a section:
+
+```go
+key, err := cfg.Section("").GetKey("key name")
+```
+
+Same rule applies to key operations:
+
+```go
+key := cfg.Section("").Key("key name")
+```
+
+To check if a key exists:
+
+```go
+yes := cfg.Section("").HasKey("key name")
+```
+
+To create a new key:
+
+```go
+err := cfg.Section("").NewKey("name", "value")
+```
+
+To get a list of keys or key names:
+
+```go
+keys := cfg.Section("").Keys()
+names := cfg.Section("").KeyStrings()
+```
+
+To get a clone hash of keys and corresponding values:
+
+```go
+hash := cfg.Section("").KeysHash()
+```
+
+### Working with values
+
+To get a string value:
+
+```go
+val := cfg.Section("").Key("key name").String()
+```
+
+To validate key value on the fly:
+
+```go
+val := cfg.Section("").Key("key name").Validate(func(in string) string {
+	if len(in) == 0 {
+		return "default"
+	}
+	return in
+})
+```
+
+If you do not want any auto-transformation (such as recursive read) for the values, you can get raw value directly (this way you get much better performance):
+
+```go
+val := cfg.Section("").Key("key name").Value()
+```
+
+To check if raw value exists:
+
+```go
+yes := cfg.Section("").HasValue("test value")
+```
+
+To get value with types:
+
+```go
+// For boolean values:
+// true when value is: 1, t, T, TRUE, true, True, YES, yes, Yes, y, ON, on, On
+// false when value is: 0, f, F, FALSE, false, False, NO, no, No, n, OFF, off, Off
+v, err = cfg.Section("").Key("BOOL").Bool()
+v, err = cfg.Section("").Key("FLOAT64").Float64()
+v, err = cfg.Section("").Key("INT").Int()
+v, err = cfg.Section("").Key("INT64").Int64()
+v, err = cfg.Section("").Key("UINT").Uint()
+v, err = cfg.Section("").Key("UINT64").Uint64()
+v, err = cfg.Section("").Key("TIME").TimeFormat(time.RFC3339)
+v, err = cfg.Section("").Key("TIME").Time() // RFC3339
+
+v = cfg.Section("").Key("BOOL").MustBool()
+v = cfg.Section("").Key("FLOAT64").MustFloat64()
+v = cfg.Section("").Key("INT").MustInt()
+v = cfg.Section("").Key("INT64").MustInt64()
+v = cfg.Section("").Key("UINT").MustUint()
+v = cfg.Section("").Key("UINT64").MustUint64()
+v = cfg.Section("").Key("TIME").MustTimeFormat(time.RFC3339)
+v = cfg.Section("").Key("TIME").MustTime() // RFC3339
+
+// Methods start with Must also accept one argument for default value
+// when key not found or fail to parse value to given type.
+// Except method MustString, which you have to pass a default value.
+
+v = cfg.Section("").Key("String").MustString("default")
+v = cfg.Section("").Key("BOOL").MustBool(true)
+v = cfg.Section("").Key("FLOAT64").MustFloat64(1.25)
+v = cfg.Section("").Key("INT").MustInt(10)
+v = cfg.Section("").Key("INT64").MustInt64(99)
+v = cfg.Section("").Key("UINT").MustUint(3)
+v = cfg.Section("").Key("UINT64").MustUint64(6)
+v = cfg.Section("").Key("TIME").MustTimeFormat(time.RFC3339, time.Now())
+v = cfg.Section("").Key("TIME").MustTime(time.Now()) // RFC3339
+```
+
+What if my value is three-line long?
+
+```ini
+[advance]
+ADDRESS = """404 road,
+NotFound, State, 5000
+Earth"""
+```
+
+Not a problem!
+
+```go
+cfg.Section("advance").Key("ADDRESS").String()
+
+/* --- start ---
+404 road,
+NotFound, State, 5000
+Earth
+------  end  --- */
+```
+
+That's cool, how about continuation lines?
+
+```ini
+[advance]
+two_lines = how about \
+	continuation lines?
+lots_of_lines = 1 \
+	2 \
+	3 \
+	4
+```
+
+Piece of cake!
+
+```go
+cfg.Section("advance").Key("two_lines").String() // how about continuation lines?
+cfg.Section("advance").Key("lots_of_lines").String() // 1 2 3 4
+```
+
+Well, I hate continuation lines, how do I disable that?
+
+```go
+cfg, err := ini.LoadSources(ini.LoadOptions{
+	IgnoreContinuation: true,
+}, "filename")
+```
+
+Holy crap! 
+
+Note that single quotes around values will be stripped:
+
+```ini
+foo = "some value" // foo: some value
+bar = 'some value' // bar: some value
+```
+
+That's all? Hmm, no.
+
+#### Helper methods of working with values
+
+To get value with given candidates:
+
+```go
+v = cfg.Section("").Key("STRING").In("default", []string{"str", "arr", "types"})
+v = cfg.Section("").Key("FLOAT64").InFloat64(1.1, []float64{1.25, 2.5, 3.75})
+v = cfg.Section("").Key("INT").InInt(5, []int{10, 20, 30})
+v = cfg.Section("").Key("INT64").InInt64(10, []int64{10, 20, 30})
+v = cfg.Section("").Key("UINT").InUint(4, []int{3, 6, 9})
+v = cfg.Section("").Key("UINT64").InUint64(8, []int64{3, 6, 9})
+v = cfg.Section("").Key("TIME").InTimeFormat(time.RFC3339, time.Now(), []time.Time{time1, time2, time3})
+v = cfg.Section("").Key("TIME").InTime(time.Now(), []time.Time{time1, time2, time3}) // RFC3339
+```
+
+Default value will be presented if value of key is not in candidates you given, and default value does not need be one of candidates.
+
+To validate value in a given range:
+
+```go
+vals = cfg.Section("").Key("FLOAT64").RangeFloat64(0.0, 1.1, 2.2)
+vals = cfg.Section("").Key("INT").RangeInt(0, 10, 20)
+vals = cfg.Section("").Key("INT64").RangeInt64(0, 10, 20)
+vals = cfg.Section("").Key("UINT").RangeUint(0, 3, 9)
+vals = cfg.Section("").Key("UINT64").RangeUint64(0, 3, 9)
+vals = cfg.Section("").Key("TIME").RangeTimeFormat(time.RFC3339, time.Now(), minTime, maxTime)
+vals = cfg.Section("").Key("TIME").RangeTime(time.Now(), minTime, maxTime) // RFC3339
+```
+
+##### Auto-split values into a slice
+
+To use zero value of type for invalid inputs:
+
+```go
+// Input: 1.1, 2.2, 3.3, 4.4 -> [1.1 2.2 3.3 4.4]
+// Input: how, 2.2, are, you -> [0.0 2.2 0.0 0.0]
+vals = cfg.Section("").Key("STRINGS").Strings(",")
+vals = cfg.Section("").Key("FLOAT64S").Float64s(",")
+vals = cfg.Section("").Key("INTS").Ints(",")
+vals = cfg.Section("").Key("INT64S").Int64s(",")
+vals = cfg.Section("").Key("UINTS").Uints(",")
+vals = cfg.Section("").Key("UINT64S").Uint64s(",")
+vals = cfg.Section("").Key("TIMES").Times(",")
+```
+
+To exclude invalid values out of result slice:
+
+```go
+// Input: 1.1, 2.2, 3.3, 4.4 -> [1.1 2.2 3.3 4.4]
+// Input: how, 2.2, are, you -> [2.2]
+vals = cfg.Section("").Key("FLOAT64S").ValidFloat64s(",")
+vals = cfg.Section("").Key("INTS").ValidInts(",")
+vals = cfg.Section("").Key("INT64S").ValidInt64s(",")
+vals = cfg.Section("").Key("UINTS").ValidUints(",")
+vals = cfg.Section("").Key("UINT64S").ValidUint64s(",")
+vals = cfg.Section("").Key("TIMES").ValidTimes(",")
+```
+
+Or to return nothing but error when have invalid inputs:
+
+```go
+// Input: 1.1, 2.2, 3.3, 4.4 -> [1.1 2.2 3.3 4.4]
+// Input: how, 2.2, are, you -> error
+vals = cfg.Section("").Key("FLOAT64S").StrictFloat64s(",")
+vals = cfg.Section("").Key("INTS").StrictInts(",")
+vals = cfg.Section("").Key("INT64S").StrictInt64s(",")
+vals = cfg.Section("").Key("UINTS").StrictUints(",")
+vals = cfg.Section("").Key("UINT64S").StrictUint64s(",")
+vals = cfg.Section("").Key("TIMES").StrictTimes(",")
+```
+
+### Save your configuration
+
+Finally, it's time to save your configuration to somewhere.
+
+A typical way to save configuration is writing it to a file:
+
+```go
+// ...
+err = cfg.SaveTo("my.ini")
+err = cfg.SaveToIndent("my.ini", "\t")
+```
+
+Another way to save is writing to a `io.Writer` interface:
+
+```go
+// ...
+cfg.WriteTo(writer)
+cfg.WriteToIndent(writer, "\t")
+```
+
+By default, spaces are used to align "=" sign between key and values, to disable that:
+
+```go
+ini.PrettyFormat = false
+``` 
+
+## Advanced Usage
+
+### Recursive Values
+
+For all value of keys, there is a special syntax `%(<name>)s`, where `<name>` is the key name in same section or default section, and `%(<name>)s` will be replaced by corresponding value(empty string if key not found). You can use this syntax at most 99 level of recursions.
+
+```ini
+NAME = ini
+
+[author]
+NAME = Unknwon
+GITHUB = https://github.com/%(NAME)s
+
+[package]
+FULL_NAME = github.com/go-ini/%(NAME)s
+```
+
+```go
+cfg.Section("author").Key("GITHUB").String()		// https://github.com/Unknwon
+cfg.Section("package").Key("FULL_NAME").String()	// github.com/go-ini/ini
+```
+
+### Parent-child Sections
+
+You can use `.` in section name to indicate parent-child relationship between two or more sections. If the key not found in the child section, library will try again on its parent section until there is no parent section.
+
+```ini
+NAME = ini
+VERSION = v1
+IMPORT_PATH = gopkg.in/%(NAME)s.%(VERSION)s
+
+[package]
+CLONE_URL = https://%(IMPORT_PATH)s
+
+[package.sub]
+```
+
+```go
+cfg.Section("package.sub").Key("CLONE_URL").String()	// https://gopkg.in/ini.v1
+```
+
+#### Retrieve parent keys available to a child section
+
+```go
+cfg.Section("package.sub").ParentKeys() // ["CLONE_URL"]
+```
+
+### Unparseable Sections
+
+Sometimes, you have sections that do not contain key-value pairs but raw content, to handle such case, you can use `LoadOptions.UnparsableSections`:
+
+```go
+cfg, err := LoadSources(LoadOptions{UnparseableSections: []string{"COMMENTS"}}, `[COMMENTS]
+<1><L.Slide#2> This slide has the fuel listed in the wrong units <e.1>`))
+
+body := cfg.Section("COMMENTS").Body()
+
+/* --- start ---
+<1><L.Slide#2> This slide has the fuel listed in the wrong units <e.1>
+------  end  --- */
+```
+
+### Auto-increment Key Names
+
+If key name is `-` in data source, then it would be seen as special syntax for auto-increment key name start from 1, and every section is independent on counter.
+
+```ini
+[features]
+-: Support read/write comments of keys and sections
+-: Support auto-increment of key names
+-: Support load multiple files to overwrite key values
+```
+
+```go
+cfg.Section("features").KeyStrings()	// []{"#1", "#2", "#3"}
+```
+
+### Map To Struct
+
+Want more objective way to play with INI? Cool.
+
+```ini
+Name = Unknwon
+age = 21
+Male = true
+Born = 1993-01-01T20:17:05Z
+
+[Note]
+Content = Hi is a good man!
+Cities = HangZhou, Boston
+```
+
+```go
+type Note struct {
+	Content string
+	Cities  []string
+}
+
+type Person struct {
+	Name string
+	Age  int `ini:"age"`
+	Male bool
+	Born time.Time
+	Note
+	Created time.Time `ini:"-"`
+}
+
+func main() {
+	cfg, err := ini.Load("path/to/ini")
+	// ...
+	p := new(Person)
+	err = cfg.MapTo(p)
+	// ...
+
+	// Things can be simpler.
+	err = ini.MapTo(p, "path/to/ini")
+	// ...
+
+	// Just map a section? Fine.
+	n := new(Note)
+	err = cfg.Section("Note").MapTo(n)
+	// ...
+}
+```
+
+Can I have default value for field? Absolutely.
+
+Assign it before you map to struct. It will keep the value as it is if the key is not presented or got wrong type.
+
+```go
+// ...
+p := &Person{
+	Name: "Joe",
+}
+// ...
+```
+
+It's really cool, but what's the point if you can't give me my file back from struct?
+
+### Reflect From Struct
+
+Why not?
+
+```go
+type Embeded struct {
+	Dates  []time.Time `delim:"|"`
+	Places []string    `ini:"places,omitempty"`
+	None   []int       `ini:",omitempty"`
+}
+
+type Author struct {
+	Name      string `ini:"NAME"`
+	Male      bool
+	Age       int
+	GPA       float64
+	NeverMind string `ini:"-"`
+	*Embeded
+}
+
+func main() {
+	a := &Author{"Unknwon", true, 21, 2.8, "",
+		&Embeded{
+			[]time.Time{time.Now(), time.Now()},
+			[]string{"HangZhou", "Boston"},
+			[]int{},
+		}}
+	cfg := ini.Empty()
+	err = ini.ReflectFrom(cfg, a)
+	// ...
+}
+```
+
+So, what do I get?
+
+```ini
+NAME = Unknwon
+Male = true
+Age = 21
+GPA = 2.8
+
+[Embeded]
+Dates = 2015-08-07T22:14:22+08:00|2015-08-07T22:14:22+08:00
+places = HangZhou,Boston
+```
+
+#### Name Mapper
+
+To save your time and make your code cleaner, this library supports [`NameMapper`](https://gowalker.org/gopkg.in/ini.v1#NameMapper) between struct field and actual section and key name.
+
+There are 2 built-in name mappers:
+
+- `AllCapsUnderscore`: it converts to format `ALL_CAPS_UNDERSCORE` then match section or key.
+- `TitleUnderscore`: it converts to format `title_underscore` then match section or key.
+
+To use them:
+
+```go
+type Info struct {
+	PackageName string
+}
+
+func main() {
+	err = ini.MapToWithMapper(&Info{}, ini.TitleUnderscore, []byte("package_name=ini"))
+	// ...
+
+	cfg, err := ini.Load([]byte("PACKAGE_NAME=ini"))
+	// ...
+	info := new(Info)
+	cfg.NameMapper = ini.AllCapsUnderscore
+	err = cfg.MapTo(info)
+	// ...
+}
+```
+
+Same rules of name mapper apply to `ini.ReflectFromWithMapper` function.
+
+#### Value Mapper
+
+To expand values (e.g. from environment variables), you can use the `ValueMapper` to transform values:
+
+```go
+type Env struct {
+	Foo string `ini:"foo"`
+}
+
+func main() {
+	cfg, err := ini.Load([]byte("[env]\nfoo = ${MY_VAR}\n")
+	cfg.ValueMapper = os.ExpandEnv
+	// ...
+	env := &Env{}
+	err = cfg.Section("env").MapTo(env)
+}
+```
+
+This would set the value of `env.Foo` to the value of the environment variable `MY_VAR`.
+
+#### Other Notes On Map/Reflect
+
+Any embedded struct is treated as a section by default, and there is no automatic parent-child relations in map/reflect feature:
+
+```go
+type Child struct {
+	Age string
+}
+
+type Parent struct {
+	Name string
+	Child
+}
+
+type Config struct {
+	City string
+	Parent
+}
+```
+
+Example configuration:
+
+```ini
+City = Boston
+
+[Parent]
+Name = Unknwon
+
+[Child]
+Age = 21
+```
+
+What if, yes, I'm paranoid, I want embedded struct to be in the same section. Well, all roads lead to Rome.
+
+```go
+type Child struct {
+	Age string
+}
+
+type Parent struct {
+	Name string
+	Child `ini:"Parent"`
+}
+
+type Config struct {
+	City string
+	Parent
+}
+```
+
+Example configuration:
+
+```ini
+City = Boston
+
+[Parent]
+Name = Unknwon
+Age = 21
+```
+
+## Getting Help
+
+- [API Documentation](https://gowalker.org/gopkg.in/ini.v1)
+- [File An Issue](https://github.com/go-ini/ini/issues/new)
+
+## FAQs
+
+### What does `BlockMode` field do?
+
+By default, library lets you read and write values so we need a locker to make sure your data is safe. But in cases that you are very sure about only reading data through the library, you can set `cfg.BlockMode = false` to speed up read operations about **50-70%** faster.
+
+### Why another INI library?
+
+Many people are using my another INI library [goconfig](https://github.com/Unknwon/goconfig), so the reason for this one is I would like to make more Go style code. Also when you set `cfg.BlockMode = false`, this one is about **10-30%** faster.
+
+To make those changes I have to confirm API broken, so it's safer to keep it in another place and start using `gopkg.in` to version my package at this time.(PS: shorter import path)
+
+## License
+
+This project is under Apache v2 License. See the [LICENSE](LICENSE) file for the full license text.
diff --git a/vendor/github.com/go-ini/ini/README_ZH.md b/vendor/github.com/go-ini/ini/README_ZH.md
new file mode 100644
index 000000000..0cf419449
--- /dev/null
+++ b/vendor/github.com/go-ini/ini/README_ZH.md
@@ -0,0 +1,733 @@
+本包提供了 Go 语言中读写 INI 文件的功能。
+
+## 功能特性
+
+- 支持覆盖加载多个数据源（`[]byte`、文件和 `io.ReadCloser`）
+- 支持递归读取键值
+- 支持读取父子分区
+- 支持读取自增键名
+- 支持读取多行的键值
+- 支持大量辅助方法
+- 支持在读取时直接转换为 Go 语言类型
+- 支持读取和 **写入** 分区和键的注释
+- 轻松操作分区、键值和注释
+- 在保存文件时分区和键值会保持原有的顺序
+
+## 下载安装
+
+使用一个特定版本：
+
+    go get gopkg.in/ini.v1
+
+使用最新版：
+
+	go get github.com/go-ini/ini
+
+如需更新请添加 `-u` 选项。
+
+### 测试安装
+
+如果您想要在自己的机器上运行测试，请使用 `-t` 标记：
+
+	go get -t gopkg.in/ini.v1
+
+如需更新请添加 `-u` 选项。
+
+## 开始使用
+
+### 从数据源加载
+
+一个 **数据源** 可以是 `[]byte` 类型的原始数据，`string` 类型的文件路径或 `io.ReadCloser`。您可以加载 **任意多个** 数据源。如果您传递其它类型的数据源，则会直接返回错误。
+
+```go
+cfg, err := ini.Load([]byte("raw data"), "filename", ioutil.NopCloser(bytes.NewReader([]byte("some other data"))))
+```
+
+或者从一个空白的文件开始：
+
+```go
+cfg := ini.Empty()
+```
+
+当您在一开始无法决定需要加载哪些数据源时，仍可以使用 **Append()** 在需要的时候加载它们。
+
+```go
+err := cfg.Append("other file", []byte("other raw data"))
+```
+
+当您想要加载一系列文件，但是不能够确定其中哪些文件是不存在的，可以通过调用函数 `LooseLoad` 来忽略它们（`Load` 会因为文件不存在而返回错误）：
+
+```go
+cfg, err := ini.LooseLoad("filename", "filename_404")
+```
+
+更牛逼的是，当那些之前不存在的文件在重新调用 `Reload` 方法的时候突然出现了，那么它们会被正常加载。
+
+#### 忽略键名的大小写
+
+有时候分区和键的名称大小写混合非常烦人，这个时候就可以通过 `InsensitiveLoad` 将所有分区和键名在读取里强制转换为小写：
+
+```go
+cfg, err := ini.InsensitiveLoad("filename")
+//...
+
+// sec1 和 sec2 指向同一个分区对象
+sec1, err := cfg.GetSection("Section")
+sec2, err := cfg.GetSection("SecTIOn")
+
+// key1 和 key2 指向同一个键对象
+key1, err := sec1.GetKey("Key")
+key2, err := sec2.GetKey("KeY")
+```
+
+#### 类似 MySQL 配置中的布尔值键
+
+MySQL 的配置文件中会出现没有具体值的布尔类型的键：
+
+```ini
+[mysqld]
+...
+skip-host-cache
+skip-name-resolve
+```
+
+默认情况下这被认为是缺失值而无法完成解析，但可以通过高级的加载选项对它们进行处理：
+
+```go
+cfg, err := LoadSources(LoadOptions{AllowBooleanKeys: true}, "my.cnf"))
+```
+
+这些键的值永远为 `true`，且在保存到文件时也只会输出键名。
+
+如果您想要通过程序来生成此类键，则可以使用 `NewBooleanKey`：
+
+```go
+key, err := sec.NewBooleanKey("skip-host-cache")
+```
+
+#### 关于注释
+
+下述几种情况的内容将被视为注释：
+
+1. 所有以 `#` 或 `;` 开头的行
+2. 所有在 `#` 或 `;` 之后的内容
+3. 分区标签后的文字 (即 `[分区名]` 之后的内容)
+
+如果你希望使用包含 `#` 或 `;` 的值，请使用 ``` ` ``` 或 ``` """ ``` 进行包覆。
+
+除此之外，您还可以通过 `LoadOptions` 完全忽略行内注释：
+
+```go
+cfg, err := LoadSources(LoadOptions{IgnoreInlineComment: true}, "app.ini"))
+```
+
+### 操作分区（Section）
+
+获取指定分区：
+
+```go
+section, err := cfg.GetSection("section name")
+```
+
+如果您想要获取默认分区，则可以用空字符串代替分区名：
+
+```go
+section, err := cfg.GetSection("")
+```
+
+当您非常确定某个分区是存在的，可以使用以下简便方法：
+
+```go
+section := cfg.Section("section name")
+```
+
+如果不小心判断错了，要获取的分区其实是不存在的，那会发生什么呢？没事的，它会自动创建并返回一个对应的分区对象给您。
+
+创建一个分区：
+
+```go
+err := cfg.NewSection("new section")
+```
+
+获取所有分区对象或名称：
+
+```go
+sections := cfg.Sections()
+names := cfg.SectionStrings()
+```
+
+### 操作键（Key）
+
+获取某个分区下的键：
+
+```go
+key, err := cfg.Section("").GetKey("key name")
+```
+
+和分区一样，您也可以直接获取键而忽略错误处理：
+
+```go
+key := cfg.Section("").Key("key name")
+```
+
+判断某个键是否存在：
+
+```go
+yes := cfg.Section("").HasKey("key name")
+```
+
+创建一个新的键：
+
+```go
+err := cfg.Section("").NewKey("name", "value")
+```
+
+获取分区下的所有键或键名：
+
+```go
+keys := cfg.Section("").Keys()
+names := cfg.Section("").KeyStrings()
+```
+
+获取分区下的所有键值对的克隆：
+
+```go
+hash := cfg.Section("").KeysHash()
+```
+
+### 操作键值（Value）
+
+获取一个类型为字符串（string）的值：
+
+```go
+val := cfg.Section("").Key("key name").String()
+```
+
+获取值的同时通过自定义函数进行处理验证：
+
+```go
+val := cfg.Section("").Key("key name").Validate(func(in string) string {
+	if len(in) == 0 {
+		return "default"
+	}
+	return in
+})
+```
+
+如果您不需要任何对值的自动转变功能（例如递归读取），可以直接获取原值（这种方式性能最佳）：
+
+```go
+val := cfg.Section("").Key("key name").Value()
+```
+
+判断某个原值是否存在：
+
+```go
+yes := cfg.Section("").HasValue("test value")
+```
+
+获取其它类型的值：
+
+```go
+// 布尔值的规则：
+// true 当值为：1, t, T, TRUE, true, True, YES, yes, Yes, y, ON, on, On
+// false 当值为：0, f, F, FALSE, false, False, NO, no, No, n, OFF, off, Off
+v, err = cfg.Section("").Key("BOOL").Bool()
+v, err = cfg.Section("").Key("FLOAT64").Float64()
+v, err = cfg.Section("").Key("INT").Int()
+v, err = cfg.Section("").Key("INT64").Int64()
+v, err = cfg.Section("").Key("UINT").Uint()
+v, err = cfg.Section("").Key("UINT64").Uint64()
+v, err = cfg.Section("").Key("TIME").TimeFormat(time.RFC3339)
+v, err = cfg.Section("").Key("TIME").Time() // RFC3339
+
+v = cfg.Section("").Key("BOOL").MustBool()
+v = cfg.Section("").Key("FLOAT64").MustFloat64()
+v = cfg.Section("").Key("INT").MustInt()
+v = cfg.Section("").Key("INT64").MustInt64()
+v = cfg.Section("").Key("UINT").MustUint()
+v = cfg.Section("").Key("UINT64").MustUint64()
+v = cfg.Section("").Key("TIME").MustTimeFormat(time.RFC3339)
+v = cfg.Section("").Key("TIME").MustTime() // RFC3339
+
+// 由 Must 开头的方法名允许接收一个相同类型的参数来作为默认值，
+// 当键不存在或者转换失败时，则会直接返回该默认值。
+// 但是，MustString 方法必须传递一个默认值。
+
+v = cfg.Seciont("").Key("String").MustString("default")
+v = cfg.Section("").Key("BOOL").MustBool(true)
+v = cfg.Section("").Key("FLOAT64").MustFloat64(1.25)
+v = cfg.Section("").Key("INT").MustInt(10)
+v = cfg.Section("").Key("INT64").MustInt64(99)
+v = cfg.Section("").Key("UINT").MustUint(3)
+v = cfg.Section("").Key("UINT64").MustUint64(6)
+v = cfg.Section("").Key("TIME").MustTimeFormat(time.RFC3339, time.Now())
+v = cfg.Section("").Key("TIME").MustTime(time.Now()) // RFC3339
+```
+
+如果我的值有好多行怎么办？
+
+```ini
+[advance]
+ADDRESS = """404 road,
+NotFound, State, 5000
+Earth"""
+```
+
+嗯哼？小 case！
+
+```go
+cfg.Section("advance").Key("ADDRESS").String()
+
+/* --- start ---
+404 road,
+NotFound, State, 5000
+Earth
+------  end  --- */
+```
+
+赞爆了！那要是我属于一行的内容写不下想要写到第二行怎么办？
+
+```ini
+[advance]
+two_lines = how about \
+	continuation lines?
+lots_of_lines = 1 \
+	2 \
+	3 \
+	4
+```
+
+简直是小菜一碟！
+
+```go
+cfg.Section("advance").Key("two_lines").String() // how about continuation lines?
+cfg.Section("advance").Key("lots_of_lines").String() // 1 2 3 4
+```
+
+可是我有时候觉得两行连在一起特别没劲，怎么才能不自动连接两行呢？
+
+```go
+cfg, err := ini.LoadSources(ini.LoadOptions{
+	IgnoreContinuation: true,
+}, "filename")
+```
+
+哇靠给力啊！
+
+需要注意的是，值两侧的单引号会被自动剔除：
+
+```ini
+foo = "some value" // foo: some value
+bar = 'some value' // bar: some value
+```
+
+这就是全部了？哈哈，当然不是。
+
+#### 操作键值的辅助方法
+
+获取键值时设定候选值：
+
+```go
+v = cfg.Section("").Key("STRING").In("default", []string{"str", "arr", "types"})
+v = cfg.Section("").Key("FLOAT64").InFloat64(1.1, []float64{1.25, 2.5, 3.75})
+v = cfg.Section("").Key("INT").InInt(5, []int{10, 20, 30})
+v = cfg.Section("").Key("INT64").InInt64(10, []int64{10, 20, 30})
+v = cfg.Section("").Key("UINT").InUint(4, []int{3, 6, 9})
+v = cfg.Section("").Key("UINT64").InUint64(8, []int64{3, 6, 9})
+v = cfg.Section("").Key("TIME").InTimeFormat(time.RFC3339, time.Now(), []time.Time{time1, time2, time3})
+v = cfg.Section("").Key("TIME").InTime(time.Now(), []time.Time{time1, time2, time3}) // RFC3339
+```
+
+如果获取到的值不是候选值的任意一个，则会返回默认值，而默认值不需要是候选值中的一员。
+
+验证获取的值是否在指定范围内：
+
+```go
+vals = cfg.Section("").Key("FLOAT64").RangeFloat64(0.0, 1.1, 2.2)
+vals = cfg.Section("").Key("INT").RangeInt(0, 10, 20)
+vals = cfg.Section("").Key("INT64").RangeInt64(0, 10, 20)
+vals = cfg.Section("").Key("UINT").RangeUint(0, 3, 9)
+vals = cfg.Section("").Key("UINT64").RangeUint64(0, 3, 9)
+vals = cfg.Section("").Key("TIME").RangeTimeFormat(time.RFC3339, time.Now(), minTime, maxTime)
+vals = cfg.Section("").Key("TIME").RangeTime(time.Now(), minTime, maxTime) // RFC3339
+```
+
+##### 自动分割键值到切片（slice）
+
+当存在无效输入时，使用零值代替：
+
+```go
+// Input: 1.1, 2.2, 3.3, 4.4 -> [1.1 2.2 3.3 4.4]
+// Input: how, 2.2, are, you -> [0.0 2.2 0.0 0.0]
+vals = cfg.Section("").Key("STRINGS").Strings(",")
+vals = cfg.Section("").Key("FLOAT64S").Float64s(",")
+vals = cfg.Section("").Key("INTS").Ints(",")
+vals = cfg.Section("").Key("INT64S").Int64s(",")
+vals = cfg.Section("").Key("UINTS").Uints(",")
+vals = cfg.Section("").Key("UINT64S").Uint64s(",")
+vals = cfg.Section("").Key("TIMES").Times(",")
+```
+
+从结果切片中剔除无效输入：
+
+```go
+// Input: 1.1, 2.2, 3.3, 4.4 -> [1.1 2.2 3.3 4.4]
+// Input: how, 2.2, are, you -> [2.2]
+vals = cfg.Section("").Key("FLOAT64S").ValidFloat64s(",")
+vals = cfg.Section("").Key("INTS").ValidInts(",")
+vals = cfg.Section("").Key("INT64S").ValidInt64s(",")
+vals = cfg.Section("").Key("UINTS").ValidUints(",")
+vals = cfg.Section("").Key("UINT64S").ValidUint64s(",")
+vals = cfg.Section("").Key("TIMES").ValidTimes(",")
+```
+
+当存在无效输入时，直接返回错误：
+
+```go
+// Input: 1.1, 2.2, 3.3, 4.4 -> [1.1 2.2 3.3 4.4]
+// Input: how, 2.2, are, you -> error
+vals = cfg.Section("").Key("FLOAT64S").StrictFloat64s(",")
+vals = cfg.Section("").Key("INTS").StrictInts(",")
+vals = cfg.Section("").Key("INT64S").StrictInt64s(",")
+vals = cfg.Section("").Key("UINTS").StrictUints(",")
+vals = cfg.Section("").Key("UINT64S").StrictUint64s(",")
+vals = cfg.Section("").Key("TIMES").StrictTimes(",")
+```
+
+### 保存配置
+
+终于到了这个时刻，是时候保存一下配置了。
+
+比较原始的做法是输出配置到某个文件：
+
+```go
+// ...
+err = cfg.SaveTo("my.ini")
+err = cfg.SaveToIndent("my.ini", "\t")
+```
+
+另一个比较高级的做法是写入到任何实现 `io.Writer` 接口的对象中：
+
+```go
+// ...
+cfg.WriteTo(writer)
+cfg.WriteToIndent(writer, "\t")
+```
+
+默认情况下，空格将被用于对齐键值之间的等号以美化输出结果，以下代码可以禁用该功能：
+
+```go
+ini.PrettyFormat = false
+``` 
+
+## 高级用法
+
+### 递归读取键值
+
+在获取所有键值的过程中，特殊语法 `%(<name>)s` 会被应用，其中 `<name>` 可以是相同分区或者默认分区下的键名。字符串 `%(<name>)s` 会被相应的键值所替代，如果指定的键不存在，则会用空字符串替代。您可以最多使用 99 层的递归嵌套。
+
+```ini
+NAME = ini
+
+[author]
+NAME = Unknwon
+GITHUB = https://github.com/%(NAME)s
+
+[package]
+FULL_NAME = github.com/go-ini/%(NAME)s
+```
+
+```go
+cfg.Section("author").Key("GITHUB").String()		// https://github.com/Unknwon
+cfg.Section("package").Key("FULL_NAME").String()	// github.com/go-ini/ini
+```
+
+### 读取父子分区
+
+您可以在分区名称中使用 `.` 来表示两个或多个分区之间的父子关系。如果某个键在子分区中不存在，则会去它的父分区中再次寻找，直到没有父分区为止。
+
+```ini
+NAME = ini
+VERSION = v1
+IMPORT_PATH = gopkg.in/%(NAME)s.%(VERSION)s
+
+[package]
+CLONE_URL = https://%(IMPORT_PATH)s
+
+[package.sub]
+```
+
+```go
+cfg.Section("package.sub").Key("CLONE_URL").String()	// https://gopkg.in/ini.v1
+```
+
+#### 获取上级父分区下的所有键名
+
+```go
+cfg.Section("package.sub").ParentKeys() // ["CLONE_URL"]
+```
+
+### 无法解析的分区
+
+如果遇到一些比较特殊的分区，它们不包含常见的键值对，而是没有固定格式的纯文本，则可以使用 `LoadOptions.UnparsableSections` 进行处理：
+
+```go
+cfg, err := LoadSources(LoadOptions{UnparseableSections: []string{"COMMENTS"}}, `[COMMENTS]
+<1><L.Slide#2> This slide has the fuel listed in the wrong units <e.1>`))
+
+body := cfg.Section("COMMENTS").Body()
+
+/* --- start ---
+<1><L.Slide#2> This slide has the fuel listed in the wrong units <e.1>
+------  end  --- */
+```
+
+### 读取自增键名
+
+如果数据源中的键名为 `-`，则认为该键使用了自增键名的特殊语法。计数器从 1 开始，并且分区之间是相互独立的。
+
+```ini
+[features]
+-: Support read/write comments of keys and sections
+-: Support auto-increment of key names
+-: Support load multiple files to overwrite key values
+```
+
+```go
+cfg.Section("features").KeyStrings()	// []{"#1", "#2", "#3"}
+```
+
+### 映射到结构
+
+想要使用更加面向对象的方式玩转 INI 吗？好主意。
+
+```ini
+Name = Unknwon
+age = 21
+Male = true
+Born = 1993-01-01T20:17:05Z
+
+[Note]
+Content = Hi is a good man!
+Cities = HangZhou, Boston
+```
+
+```go
+type Note struct {
+	Content string
+	Cities  []string
+}
+
+type Person struct {
+	Name string
+	Age  int `ini:"age"`
+	Male bool
+	Born time.Time
+	Note
+	Created time.Time `ini:"-"`
+}
+
+func main() {
+	cfg, err := ini.Load("path/to/ini")
+	// ...
+	p := new(Person)
+	err = cfg.MapTo(p)
+	// ...
+
+	// 一切竟可以如此的简单。
+	err = ini.MapTo(p, "path/to/ini")
+	// ...
+
+	// 嗯哼？只需要映射一个分区吗？
+	n := new(Note)
+	err = cfg.Section("Note").MapTo(n)
+	// ...
+}
+```
+
+结构的字段怎么设置默认值呢？很简单，只要在映射之前对指定字段进行赋值就可以了。如果键未找到或者类型错误，该值不会发生改变。
+
+```go
+// ...
+p := &Person{
+	Name: "Joe",
+}
+// ...
+```
+
+这样玩 INI 真的好酷啊！然而，如果不能还给我原来的配置文件，有什么卵用？
+
+### 从结构反射
+
+可是，我有说不能吗？
+
+```go
+type Embeded struct {
+	Dates  []time.Time `delim:"|"`
+	Places []string    `ini:"places,omitempty"`
+	None   []int       `ini:",omitempty"`
+}
+
+type Author struct {
+	Name      string `ini:"NAME"`
+	Male      bool
+	Age       int
+	GPA       float64
+	NeverMind string `ini:"-"`
+	*Embeded
+}
+
+func main() {
+	a := &Author{"Unknwon", true, 21, 2.8, "",
+		&Embeded{
+			[]time.Time{time.Now(), time.Now()},
+			[]string{"HangZhou", "Boston"},
+			[]int{},
+		}}
+	cfg := ini.Empty()
+	err = ini.ReflectFrom(cfg, a)
+	// ...
+}
+```
+
+瞧瞧，奇迹发生了。
+
+```ini
+NAME = Unknwon
+Male = true
+Age = 21
+GPA = 2.8
+
+[Embeded]
+Dates = 2015-08-07T22:14:22+08:00|2015-08-07T22:14:22+08:00
+places = HangZhou,Boston
+```
+
+#### 名称映射器（Name Mapper）
+
+为了节省您的时间并简化代码，本库支持类型为 [`NameMapper`](https://gowalker.org/gopkg.in/ini.v1#NameMapper) 的名称映射器，该映射器负责结构字段名与分区名和键名之间的映射。
+
+目前有 2 款内置的映射器：
+
+- `AllCapsUnderscore`：该映射器将字段名转换至格式 `ALL_CAPS_UNDERSCORE` 后再去匹配分区名和键名。
+- `TitleUnderscore`：该映射器将字段名转换至格式 `title_underscore` 后再去匹配分区名和键名。
+
+使用方法：
+
+```go
+type Info struct{
+	PackageName string
+}
+
+func main() {
+	err = ini.MapToWithMapper(&Info{}, ini.TitleUnderscore, []byte("package_name=ini"))
+	// ...
+
+	cfg, err := ini.Load([]byte("PACKAGE_NAME=ini"))
+	// ...
+	info := new(Info)
+	cfg.NameMapper = ini.AllCapsUnderscore
+	err = cfg.MapTo(info)
+	// ...
+}
+```
+
+使用函数 `ini.ReflectFromWithMapper` 时也可应用相同的规则。
+
+#### 值映射器（Value Mapper）
+
+值映射器允许使用一个自定义函数自动展开值的具体内容，例如：运行时获取环境变量：
+
+```go
+type Env struct {
+	Foo string `ini:"foo"`
+}
+
+func main() {
+	cfg, err := ini.Load([]byte("[env]\nfoo = ${MY_VAR}\n")
+	cfg.ValueMapper = os.ExpandEnv
+	// ...
+	env := &Env{}
+	err = cfg.Section("env").MapTo(env)
+}
+```
+
+本例中，`env.Foo` 将会是运行时所获取到环境变量 `MY_VAR` 的值。
+
+#### 映射/反射的其它说明
+
+任何嵌入的结构都会被默认认作一个不同的分区，并且不会自动产生所谓的父子分区关联：
+
+```go
+type Child struct {
+	Age string
+}
+
+type Parent struct {
+	Name string
+	Child
+}
+
+type Config struct {
+	City string
+	Parent
+}
+```
+
+示例配置文件：
+
+```ini
+City = Boston
+
+[Parent]
+Name = Unknwon
+
+[Child]
+Age = 21
+```
+
+很好，但是，我就是要嵌入结构也在同一个分区。好吧，你爹是李刚！
+
+```go
+type Child struct {
+	Age string
+}
+
+type Parent struct {
+	Name string
+	Child `ini:"Parent"`
+}
+
+type Config struct {
+	City string
+	Parent
+}
+```
+
+示例配置文件：
+
+```ini
+City = Boston
+
+[Parent]
+Name = Unknwon
+Age = 21
+```
+
+## 获取帮助
+
+- [API 文档](https://gowalker.org/gopkg.in/ini.v1)
+- [创建工单](https://github.com/go-ini/ini/issues/new)
+
+## 常见问题
+
+### 字段 `BlockMode` 是什么？
+
+默认情况下，本库会在您进行读写操作时采用锁机制来确保数据时间。但在某些情况下，您非常确定只进行读操作。此时，您可以通过设置 `cfg.BlockMode = false` 来将读操作提升大约 **50-70%** 的性能。
+
+### 为什么要写另一个 INI 解析库？
+
+许多人都在使用我的 [goconfig](https://github.com/Unknwon/goconfig) 来完成对 INI 文件的操作，但我希望使用更加 Go 风格的代码。并且当您设置 `cfg.BlockMode = false` 时，会有大约 **10-30%** 的性能提升。
+
+为了做出这些改变，我必须对 API 进行破坏，所以新开一个仓库是最安全的做法。除此之外，本库直接使用 `gopkg.in` 来进行版本化发布。（其实真相是导入路径更短了）
diff --git a/vendor/github.com/go-ini/ini/error.go b/vendor/github.com/go-ini/ini/error.go
new file mode 100644
index 000000000..80afe7431
--- /dev/null
+++ b/vendor/github.com/go-ini/ini/error.go
@@ -0,0 +1,32 @@
+// Copyright 2016 Unknwon
+//
+// Licensed under the Apache License, Version 2.0 (the "License"): you may
+// not use this file except in compliance with the License. You may obtain
+// a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+// License for the specific language governing permissions and limitations
+// under the License.
+
+package ini
+
+import (
+	"fmt"
+)
+
+type ErrDelimiterNotFound struct {
+	Line string
+}
+
+func IsErrDelimiterNotFound(err error) bool {
+	_, ok := err.(ErrDelimiterNotFound)
+	return ok
+}
+
+func (err ErrDelimiterNotFound) Error() string {
+	return fmt.Sprintf("key-value delimiter not found: %s", err.Line)
+}
diff --git a/vendor/github.com/go-ini/ini/ini.go b/vendor/github.com/go-ini/ini/ini.go
new file mode 100644
index 000000000..f8827ddd2
--- /dev/null
+++ b/vendor/github.com/go-ini/ini/ini.go
@@ -0,0 +1,561 @@
+// Copyright 2014 Unknwon
+//
+// Licensed under the Apache License, Version 2.0 (the "License"): you may
+// not use this file except in compliance with the License. You may obtain
+// a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+// License for the specific language governing permissions and limitations
+// under the License.
+
+// Package ini provides INI file read and write functionality in Go.
+package ini
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"regexp"
+	"runtime"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+)
+
+const (
+	// Name for default section. You can use this constant or the string literal.
+	// In most of cases, an empty string is all you need to access the section.
+	DEFAULT_SECTION = "DEFAULT"
+
+	// Maximum allowed depth when recursively substituing variable names.
+	_DEPTH_VALUES = 99
+	_VERSION      = "1.28.1"
+)
+
+// Version returns current package version literal.
+func Version() string {
+	return _VERSION
+}
+
+var (
+	// Delimiter to determine or compose a new line.
+	// This variable will be changed to "\r\n" automatically on Windows
+	// at package init time.
+	LineBreak = "\n"
+
+	// Variable regexp pattern: %(variable)s
+	varPattern = regexp.MustCompile(`%\(([^\)]+)\)s`)
+
+	// Indicate whether to align "=" sign with spaces to produce pretty output
+	// or reduce all possible spaces for compact format.
+	PrettyFormat = true
+
+	// Explicitly write DEFAULT section header
+	DefaultHeader = false
+
+	// Indicate whether to put a line between sections
+	PrettySection = true
+)
+
+func init() {
+	if runtime.GOOS == "windows" {
+		LineBreak = "\r\n"
+	}
+}
+
+func inSlice(str string, s []string) bool {
+	for _, v := range s {
+		if str == v {
+			return true
+		}
+	}
+	return false
+}
+
+// dataSource is an interface that returns object which can be read and closed.
+type dataSource interface {
+	ReadCloser() (io.ReadCloser, error)
+}
+
+// sourceFile represents an object that contains content on the local file system.
+type sourceFile struct {
+	name string
+}
+
+func (s sourceFile) ReadCloser() (_ io.ReadCloser, err error) {
+	return os.Open(s.name)
+}
+
+type bytesReadCloser struct {
+	reader io.Reader
+}
+
+func (rc *bytesReadCloser) Read(p []byte) (n int, err error) {
+	return rc.reader.Read(p)
+}
+
+func (rc *bytesReadCloser) Close() error {
+	return nil
+}
+
+// sourceData represents an object that contains content in memory.
+type sourceData struct {
+	data []byte
+}
+
+func (s *sourceData) ReadCloser() (io.ReadCloser, error) {
+	return ioutil.NopCloser(bytes.NewReader(s.data)), nil
+}
+
+// sourceReadCloser represents an input stream with Close method.
+type sourceReadCloser struct {
+	reader io.ReadCloser
+}
+
+func (s *sourceReadCloser) ReadCloser() (io.ReadCloser, error) {
+	return s.reader, nil
+}
+
+// File represents a combination of a or more INI file(s) in memory.
+type File struct {
+	// Should make things safe, but sometimes doesn't matter.
+	BlockMode bool
+	// Make sure data is safe in multiple goroutines.
+	lock sync.RWMutex
+
+	// Allow combination of multiple data sources.
+	dataSources []dataSource
+	// Actual data is stored here.
+	sections map[string]*Section
+
+	// To keep data in order.
+	sectionList []string
+
+	options LoadOptions
+
+	NameMapper
+	ValueMapper
+}
+
+// newFile initializes File object with given data sources.
+func newFile(dataSources []dataSource, opts LoadOptions) *File {
+	return &File{
+		BlockMode:   true,
+		dataSources: dataSources,
+		sections:    make(map[string]*Section),
+		sectionList: make([]string, 0, 10),
+		options:     opts,
+	}
+}
+
+func parseDataSource(source interface{}) (dataSource, error) {
+	switch s := source.(type) {
+	case string:
+		return sourceFile{s}, nil
+	case []byte:
+		return &sourceData{s}, nil
+	case io.ReadCloser:
+		return &sourceReadCloser{s}, nil
+	default:
+		return nil, fmt.Errorf("error parsing data source: unknown type '%s'", s)
+	}
+}
+
+type LoadOptions struct {
+	// Loose indicates whether the parser should ignore nonexistent files or return error.
+	Loose bool
+	// Insensitive indicates whether the parser forces all section and key names to lowercase.
+	Insensitive bool
+	// IgnoreContinuation indicates whether to ignore continuation lines while parsing.
+	IgnoreContinuation bool
+	// IgnoreInlineComment indicates whether to ignore comments at the end of value and treat it as part of value.
+	IgnoreInlineComment bool
+	// AllowBooleanKeys indicates whether to allow boolean type keys or treat as value is missing.
+	// This type of keys are mostly used in my.cnf.
+	AllowBooleanKeys bool
+	// AllowShadows indicates whether to keep track of keys with same name under same section.
+	AllowShadows bool
+	// Some INI formats allow group blocks that store a block of raw content that doesn't otherwise
+	// conform to key/value pairs. Specify the names of those blocks here.
+	UnparseableSections []string
+}
+
+func LoadSources(opts LoadOptions, source interface{}, others ...interface{}) (_ *File, err error) {
+	sources := make([]dataSource, len(others)+1)
+	sources[0], err = parseDataSource(source)
+	if err != nil {
+		return nil, err
+	}
+	for i := range others {
+		sources[i+1], err = parseDataSource(others[i])
+		if err != nil {
+			return nil, err
+		}
+	}
+	f := newFile(sources, opts)
+	if err = f.Reload(); err != nil {
+		return nil, err
+	}
+	return f, nil
+}
+
+// Load loads and parses from INI data sources.
+// Arguments can be mixed of file name with string type, or raw data in []byte.
+// It will return error if list contains nonexistent files.
+func Load(source interface{}, others ...interface{}) (*File, error) {
+	return LoadSources(LoadOptions{}, source, others...)
+}
+
+// LooseLoad has exactly same functionality as Load function
+// except it ignores nonexistent files instead of returning error.
+func LooseLoad(source interface{}, others ...interface{}) (*File, error) {
+	return LoadSources(LoadOptions{Loose: true}, source, others...)
+}
+
+// InsensitiveLoad has exactly same functionality as Load function
+// except it forces all section and key names to be lowercased.
+func InsensitiveLoad(source interface{}, others ...interface{}) (*File, error) {
+	return LoadSources(LoadOptions{Insensitive: true}, source, others...)
+}
+
+// InsensitiveLoad has exactly same functionality as Load function
+// except it allows have shadow keys.
+func ShadowLoad(source interface{}, others ...interface{}) (*File, error) {
+	return LoadSources(LoadOptions{AllowShadows: true}, source, others...)
+}
+
+// Empty returns an empty file object.
+func Empty() *File {
+	// Ignore error here, we sure our data is good.
+	f, _ := Load([]byte(""))
+	return f
+}
+
+// NewSection creates a new section.
+func (f *File) NewSection(name string) (*Section, error) {
+	if len(name) == 0 {
+		return nil, errors.New("error creating new section: empty section name")
+	} else if f.options.Insensitive && name != DEFAULT_SECTION {
+		name = strings.ToLower(name)
+	}
+
+	if f.BlockMode {
+		f.lock.Lock()
+		defer f.lock.Unlock()
+	}
+
+	if inSlice(name, f.sectionList) {
+		return f.sections[name], nil
+	}
+
+	f.sectionList = append(f.sectionList, name)
+	f.sections[name] = newSection(f, name)
+	return f.sections[name], nil
+}
+
+// NewRawSection creates a new section with an unparseable body.
+func (f *File) NewRawSection(name, body string) (*Section, error) {
+	section, err := f.NewSection(name)
+	if err != nil {
+		return nil, err
+	}
+
+	section.isRawSection = true
+	section.rawBody = body
+	return section, nil
+}
+
+// NewSections creates a list of sections.
+func (f *File) NewSections(names ...string) (err error) {
+	for _, name := range names {
+		if _, err = f.NewSection(name); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// GetSection returns section by given name.
+func (f *File) GetSection(name string) (*Section, error) {
+	if len(name) == 0 {
+		name = DEFAULT_SECTION
+	} else if f.options.Insensitive {
+		name = strings.ToLower(name)
+	}
+
+	if f.BlockMode {
+		f.lock.RLock()
+		defer f.lock.RUnlock()
+	}
+
+	sec := f.sections[name]
+	if sec == nil {
+		return nil, fmt.Errorf("section '%s' does not exist", name)
+	}
+	return sec, nil
+}
+
+// Section assumes named section exists and returns a zero-value when not.
+func (f *File) Section(name string) *Section {
+	sec, err := f.GetSection(name)
+	if err != nil {
+		// Note: It's OK here because the only possible error is empty section name,
+		// but if it's empty, this piece of code won't be executed.
+		sec, _ = f.NewSection(name)
+		return sec
+	}
+	return sec
+}
+
+// Section returns list of Section.
+func (f *File) Sections() []*Section {
+	sections := make([]*Section, len(f.sectionList))
+	for i := range f.sectionList {
+		sections[i] = f.Section(f.sectionList[i])
+	}
+	return sections
+}
+
+// ChildSections returns a list of child sections of given section name.
+func (f *File) ChildSections(name string) []*Section {
+	return f.Section(name).ChildSections()
+}
+
+// SectionStrings returns list of section names.
+func (f *File) SectionStrings() []string {
+	list := make([]string, len(f.sectionList))
+	copy(list, f.sectionList)
+	return list
+}
+
+// DeleteSection deletes a section.
+func (f *File) DeleteSection(name string) {
+	if f.BlockMode {
+		f.lock.Lock()
+		defer f.lock.Unlock()
+	}
+
+	if len(name) == 0 {
+		name = DEFAULT_SECTION
+	}
+
+	for i, s := range f.sectionList {
+		if s == name {
+			f.sectionList = append(f.sectionList[:i], f.sectionList[i+1:]...)
+			delete(f.sections, name)
+			return
+		}
+	}
+}
+
+func (f *File) reload(s dataSource) error {
+	r, err := s.ReadCloser()
+	if err != nil {
+		return err
+	}
+	defer r.Close()
+
+	return f.parse(r)
+}
+
+// Reload reloads and parses all data sources.
+func (f *File) Reload() (err error) {
+	for _, s := range f.dataSources {
+		if err = f.reload(s); err != nil {
+			// In loose mode, we create an empty default section for nonexistent files.
+			if os.IsNotExist(err) && f.options.Loose {
+				f.parse(bytes.NewBuffer(nil))
+				continue
+			}
+			return err
+		}
+	}
+	return nil
+}
+
+// Append appends one or more data sources and reloads automatically.
+func (f *File) Append(source interface{}, others ...interface{}) error {
+	ds, err := parseDataSource(source)
+	if err != nil {
+		return err
+	}
+	f.dataSources = append(f.dataSources, ds)
+	for _, s := range others {
+		ds, err = parseDataSource(s)
+		if err != nil {
+			return err
+		}
+		f.dataSources = append(f.dataSources, ds)
+	}
+	return f.Reload()
+}
+
+// WriteToIndent writes content into io.Writer with given indention.
+// If PrettyFormat has been set to be true,
+// it will align "=" sign with spaces under each section.
+func (f *File) WriteToIndent(w io.Writer, indent string) (n int64, err error) {
+	equalSign := "="
+	if PrettyFormat {
+		equalSign = " = "
+	}
+
+	// Use buffer to make sure target is safe until finish encoding.
+	buf := bytes.NewBuffer(nil)
+	for i, sname := range f.sectionList {
+		sec := f.Section(sname)
+		if len(sec.Comment) > 0 {
+			if sec.Comment[0] != '#' && sec.Comment[0] != ';' {
+				sec.Comment = "; " + sec.Comment
+			}
+			if _, err = buf.WriteString(sec.Comment + LineBreak); err != nil {
+				return 0, err
+			}
+		}
+
+		if i > 0 || DefaultHeader {
+			if _, err = buf.WriteString("[" + sname + "]" + LineBreak); err != nil {
+				return 0, err
+			}
+		} else {
+			// Write nothing if default section is empty
+			if len(sec.keyList) == 0 {
+				continue
+			}
+		}
+
+		if sec.isRawSection {
+			if _, err = buf.WriteString(sec.rawBody); err != nil {
+				return 0, err
+			}
+			continue
+		}
+
+		// Count and generate alignment length and buffer spaces using the
+		// longest key. Keys may be modifed if they contain certain characters so
+		// we need to take that into account in our calculation.
+		alignLength := 0
+		if PrettyFormat {
+			for _, kname := range sec.keyList {
+				keyLength := len(kname)
+				// First case will surround key by ` and second by """
+				if strings.ContainsAny(kname, "\"=:") {
+					keyLength += 2
+				} else if strings.Contains(kname, "`") {
+					keyLength += 6
+				}
+
+				if keyLength > alignLength {
+					alignLength = keyLength
+				}
+			}
+		}
+		alignSpaces := bytes.Repeat([]byte(" "), alignLength)
+
+	KEY_LIST:
+		for _, kname := range sec.keyList {
+			key := sec.Key(kname)
+			if len(key.Comment) > 0 {
+				if len(indent) > 0 && sname != DEFAULT_SECTION {
+					buf.WriteString(indent)
+				}
+				if key.Comment[0] != '#' && key.Comment[0] != ';' {
+					key.Comment = "; " + key.Comment
+				}
+				if _, err = buf.WriteString(key.Comment + LineBreak); err != nil {
+					return 0, err
+				}
+			}
+
+			if len(indent) > 0 && sname != DEFAULT_SECTION {
+				buf.WriteString(indent)
+			}
+
+			switch {
+			case key.isAutoIncrement:
+				kname = "-"
+			case strings.ContainsAny(kname, "\"=:"):
+				kname = "`" + kname + "`"
+			case strings.Contains(kname, "`"):
+				kname = `"""` + kname + `"""`
+			}
+
+			for _, val := range key.ValueWithShadows() {
+				if _, err = buf.WriteString(kname); err != nil {
+					return 0, err
+				}
+
+				if key.isBooleanType {
+					if kname != sec.keyList[len(sec.keyList)-1] {
+						buf.WriteString(LineBreak)
+					}
+					continue KEY_LIST
+				}
+
+				// Write out alignment spaces before "=" sign
+				if PrettyFormat {
+					buf.Write(alignSpaces[:alignLength-len(kname)])
+				}
+
+				// In case key value contains "\n", "`", "\"", "#" or ";"
+				if strings.ContainsAny(val, "\n`") {
+					val = `"""` + val + `"""`
+				} else if !f.options.IgnoreInlineComment && strings.ContainsAny(val, "#;") {
+					val = "`" + val + "`"
+				}
+				if _, err = buf.WriteString(equalSign + val + LineBreak); err != nil {
+					return 0, err
+				}
+			}
+		}
+
+		if PrettySection {
+			// Put a line between sections
+			if _, err = buf.WriteString(LineBreak); err != nil {
+				return 0, err
+			}
+		}
+	}
+
+	return buf.WriteTo(w)
+}
+
+// WriteTo writes file content into io.Writer.
+func (f *File) WriteTo(w io.Writer) (int64, error) {
+	return f.WriteToIndent(w, "")
+}
+
+// SaveToIndent writes content to file system with given value indention.
+func (f *File) SaveToIndent(filename, indent string) error {
+	// Note: Because we are truncating with os.Create,
+	// 	so it's safer to save to a temporary file location and rename afte done.
+	tmpPath := filename + "." + strconv.Itoa(time.Now().Nanosecond()) + ".tmp"
+	defer os.Remove(tmpPath)
+
+	fw, err := os.Create(tmpPath)
+	if err != nil {
+		return err
+	}
+
+	if _, err = f.WriteToIndent(fw, indent); err != nil {
+		fw.Close()
+		return err
+	}
+	fw.Close()
+
+	// Remove old file and rename the new one.
+	os.Remove(filename)
+	return os.Rename(tmpPath, filename)
+}
+
+// SaveTo writes content to file system.
+func (f *File) SaveTo(filename string) error {
+	return f.SaveToIndent(filename, "")
+}
diff --git a/vendor/github.com/go-ini/ini/ini_test.go b/vendor/github.com/go-ini/ini/ini_test.go
new file mode 100644
index 000000000..b3dd217c6
--- /dev/null
+++ b/vendor/github.com/go-ini/ini/ini_test.go
@@ -0,0 +1,491 @@
+// Copyright 2014 Unknwon
+//
+// Licensed under the Apache License, Version 2.0 (the "License"): you may
+// not use this file except in compliance with the License. You may obtain
+// a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+// License for the specific language governing permissions and limitations
+// under the License.
+
+package ini
+
+import (
+	"bytes"
+	"io/ioutil"
+	"strings"
+	"testing"
+	"time"
+
+	. "github.com/smartystreets/goconvey/convey"
+)
+
+func Test_Version(t *testing.T) {
+	Convey("Get version", t, func() {
+		So(Version(), ShouldEqual, _VERSION)
+	})
+}
+
+const _CONF_DATA = `
+; Package name
+NAME        = ini
+; Package version
+VERSION     = v1
+; Package import path
+IMPORT_PATH = gopkg.in/%(NAME)s.%(VERSION)s
+
+# Information about package author
+# Bio can be written in multiple lines.
+[author]
+NAME   = Unknwon  ; Succeeding comment
+E-MAIL = fake@localhost
+GITHUB = https://github.com/%(NAME)s
+BIO    = """Gopher.
+Coding addict.
+Good man.
+"""  # Succeeding comment
+
+[package]
+CLONE_URL = https://%(IMPORT_PATH)s
+
+[package.sub]
+UNUSED_KEY = should be deleted
+
+[features]
+-: Support read/write comments of keys and sections
+-: Support auto-increment of key names
+-: Support load multiple files to overwrite key values
+
+[types]
+STRING     = str
+BOOL       = true
+BOOL_FALSE = false
+FLOAT64    = 1.25
+INT        = 10
+TIME       = 2015-01-01T20:17:05Z
+DURATION   = 2h45m
+UINT       = 3
+
+[array]
+STRINGS  = en, zh, de
+FLOAT64S = 1.1, 2.2, 3.3
+INTS     = 1, 2, 3
+UINTS    = 1, 2, 3
+TIMES    = 2015-01-01T20:17:05Z,2015-01-01T20:17:05Z,2015-01-01T20:17:05Z
+
+[note]
+empty_lines = next line is empty\
+
+; Comment before the section
+[comments] ; This is a comment for the section too
+; Comment before key
+key  = "value"
+key2 = "value2" ; This is a comment for key2
+key3 = "one", "two", "three"
+
+[advance]
+value with quotes = "some value"
+value quote2 again = 'some value'
+includes comment sign = ` + "`" + "my#password" + "`" + `
+includes comment sign2 = ` + "`" + "my;password" + "`" + `
+true = 2+3=5
+"1+1=2" = true
+"""6+1=7""" = true
+"""` + "`" + `5+5` + "`" + `""" = 10
+` + "`" + `"6+6"` + "`" + ` = 12
+` + "`" + `7-2=4` + "`" + ` = false
+ADDRESS = ` + "`" + `404 road,
+NotFound, State, 50000` + "`" + `
+
+two_lines = how about \
+	continuation lines?
+lots_of_lines = 1 \
+	2 \
+	3 \
+	4 \
+`
+
+func Test_Load(t *testing.T) {
+	Convey("Load from data sources", t, func() {
+
+		Convey("Load with empty data", func() {
+			So(Empty(), ShouldNotBeNil)
+		})
+
+		Convey("Load with multiple data sources", func() {
+			cfg, err := Load([]byte(_CONF_DATA), "testdata/conf.ini", ioutil.NopCloser(bytes.NewReader([]byte(_CONF_DATA))))
+			So(err, ShouldBeNil)
+			So(cfg, ShouldNotBeNil)
+
+			f, err := Load([]byte(_CONF_DATA), "testdata/404.ini")
+			So(err, ShouldNotBeNil)
+			So(f, ShouldBeNil)
+		})
+
+		Convey("Load with io.ReadCloser", func() {
+			cfg, err := Load(ioutil.NopCloser(bytes.NewReader([]byte(_CONF_DATA))))
+			So(err, ShouldBeNil)
+			So(cfg, ShouldNotBeNil)
+
+			So(cfg.Section("").Key("NAME").String(), ShouldEqual, "ini")
+		})
+	})
+
+	Convey("Bad load process", t, func() {
+
+		Convey("Load from invalid data sources", func() {
+			_, err := Load(_CONF_DATA)
+			So(err, ShouldNotBeNil)
+
+			f, err := Load("testdata/404.ini")
+			So(err, ShouldNotBeNil)
+			So(f, ShouldBeNil)
+
+			_, err = Load(1)
+			So(err, ShouldNotBeNil)
+
+			_, err = Load([]byte(""), 1)
+			So(err, ShouldNotBeNil)
+		})
+
+		Convey("Load with bad section name", func() {
+			_, err := Load([]byte("[]"))
+			So(err, ShouldNotBeNil)
+
+			_, err = Load([]byte("["))
+			So(err, ShouldNotBeNil)
+		})
+
+		Convey("Load with bad keys", func() {
+			_, err := Load([]byte(`"""name`))
+			So(err, ShouldNotBeNil)
+
+			_, err = Load([]byte(`"""name"""`))
+			So(err, ShouldNotBeNil)
+
+			_, err = Load([]byte(`""=1`))
+			So(err, ShouldNotBeNil)
+
+			_, err = Load([]byte(`=`))
+			So(err, ShouldNotBeNil)
+
+			_, err = Load([]byte(`name`))
+			So(err, ShouldNotBeNil)
+		})
+
+		Convey("Load with bad values", func() {
+			_, err := Load([]byte(`name="""Unknwon`))
+			So(err, ShouldNotBeNil)
+		})
+	})
+
+	Convey("Get section and key insensitively", t, func() {
+		cfg, err := InsensitiveLoad([]byte(_CONF_DATA), "testdata/conf.ini")
+		So(err, ShouldBeNil)
+		So(cfg, ShouldNotBeNil)
+
+		sec, err := cfg.GetSection("Author")
+		So(err, ShouldBeNil)
+		So(sec, ShouldNotBeNil)
+
+		key, err := sec.GetKey("E-mail")
+		So(err, ShouldBeNil)
+		So(key, ShouldNotBeNil)
+	})
+
+	Convey("Load with ignoring continuation lines", t, func() {
+		cfg, err := LoadSources(LoadOptions{IgnoreContinuation: true}, []byte(`key1=a\b\
+key2=c\d\`))
+		So(err, ShouldBeNil)
+		So(cfg, ShouldNotBeNil)
+
+		So(cfg.Section("").Key("key1").String(), ShouldEqual, `a\b\`)
+		So(cfg.Section("").Key("key2").String(), ShouldEqual, `c\d\`)
+	})
+
+	Convey("Load with ignoring inline comments", t, func() {
+		cfg, err := LoadSources(LoadOptions{IgnoreInlineComment: true}, []byte(`key1=value ;comment
+key2=value #comment2`))
+		So(err, ShouldBeNil)
+		So(cfg, ShouldNotBeNil)
+
+		So(cfg.Section("").Key("key1").String(), ShouldEqual, `value ;comment`)
+		So(cfg.Section("").Key("key2").String(), ShouldEqual, `value #comment2`)
+
+		var buf bytes.Buffer
+		cfg.WriteTo(&buf)
+		So(buf.String(), ShouldEqual, `key1 = value ;comment
+key2 = value #comment2
+
+`)
+	})
+
+	Convey("Load with boolean type keys", t, func() {
+		cfg, err := LoadSources(LoadOptions{AllowBooleanKeys: true}, []byte(`key1=hello
+key2
+#key3
+key4
+key5`))
+		So(err, ShouldBeNil)
+		So(cfg, ShouldNotBeNil)
+
+		So(strings.Join(cfg.Section("").KeyStrings(), ","), ShouldEqual, "key1,key2,key4,key5")
+		So(cfg.Section("").Key("key2").MustBool(false), ShouldBeTrue)
+
+		var buf bytes.Buffer
+		cfg.WriteTo(&buf)
+		// there is always a trailing \n at the end of the section
+		So(buf.String(), ShouldEqual, `key1 = hello
+key2
+#key3
+key4
+key5
+`)
+	})
+}
+
+func Test_File_ChildSections(t *testing.T) {
+	Convey("Find child sections by parent name", t, func() {
+		cfg, err := Load([]byte(`
+[node]
+
+[node.biz1]
+
+[node.biz2]
+
+[node.biz3]
+
+[node.bizN]
+`))
+		So(err, ShouldBeNil)
+		So(cfg, ShouldNotBeNil)
+
+		children := cfg.ChildSections("node")
+		names := make([]string, len(children))
+		for i := range children {
+			names[i] = children[i].name
+		}
+		So(strings.Join(names, ","), ShouldEqual, "node.biz1,node.biz2,node.biz3,node.bizN")
+	})
+}
+
+func Test_LooseLoad(t *testing.T) {
+	Convey("Loose load from data sources", t, func() {
+		Convey("Loose load mixed with nonexistent file", func() {
+			cfg, err := LooseLoad("testdata/404.ini")
+			So(err, ShouldBeNil)
+			So(cfg, ShouldNotBeNil)
+			var fake struct {
+				Name string `ini:"name"`
+			}
+			So(cfg.MapTo(&fake), ShouldBeNil)
+
+			cfg, err = LooseLoad([]byte("name=Unknwon"), "testdata/404.ini")
+			So(err, ShouldBeNil)
+			So(cfg.Section("").Key("name").String(), ShouldEqual, "Unknwon")
+			So(cfg.MapTo(&fake), ShouldBeNil)
+			So(fake.Name, ShouldEqual, "Unknwon")
+		})
+	})
+
+}
+
+func Test_File_Append(t *testing.T) {
+	Convey("Append data sources", t, func() {
+		cfg, err := Load([]byte(""))
+		So(err, ShouldBeNil)
+		So(cfg, ShouldNotBeNil)
+
+		So(cfg.Append([]byte(""), []byte("")), ShouldBeNil)
+
+		Convey("Append bad data sources", func() {
+			So(cfg.Append(1), ShouldNotBeNil)
+			So(cfg.Append([]byte(""), 1), ShouldNotBeNil)
+		})
+	})
+}
+
+func Test_File_WriteTo(t *testing.T) {
+	Convey("Write to somewhere", t, func() {
+		var buf bytes.Buffer
+		cfg := Empty()
+		cfg.WriteTo(&buf)
+	})
+}
+
+func Test_File_SaveTo_WriteTo(t *testing.T) {
+	Convey("Save file", t, func() {
+		cfg, err := Load([]byte(_CONF_DATA), "testdata/conf.ini")
+		So(err, ShouldBeNil)
+		So(cfg, ShouldNotBeNil)
+
+		cfg.Section("").Key("NAME").Comment = "Package name"
+		cfg.Section("author").Comment = `Information about package author
+# Bio can be written in multiple lines.`
+		cfg.Section("advanced").Key("val w/ pound").SetValue("my#password")
+		cfg.Section("advanced").Key("longest key has a colon : yes/no").SetValue("yes")
+		So(cfg.SaveTo("testdata/conf_out.ini"), ShouldBeNil)
+
+		cfg.Section("author").Key("NAME").Comment = "This is author name"
+
+		So(cfg.SaveToIndent("testdata/conf_out.ini", "\t"), ShouldBeNil)
+
+		var buf bytes.Buffer
+		_, err = cfg.WriteToIndent(&buf, "\t")
+		So(err, ShouldBeNil)
+		So(buf.String(), ShouldEqual, `; Package name
+NAME        = ini
+; Package version
+VERSION     = v1
+; Package import path
+IMPORT_PATH = gopkg.in/%(NAME)s.%(VERSION)s
+
+; Information about package author
+# Bio can be written in multiple lines.
+[author]
+	; This is author name
+	NAME   = Unknwon
+	E-MAIL = u@gogs.io
+	GITHUB = https://github.com/%(NAME)s
+	# Succeeding comment
+	BIO    = """Gopher.
+Coding addict.
+Good man.
+"""
+
+[package]
+	CLONE_URL = https://%(IMPORT_PATH)s
+
+[package.sub]
+	UNUSED_KEY = should be deleted
+
+[features]
+	-  = Support read/write comments of keys and sections
+	-  = Support auto-increment of key names
+	-  = Support load multiple files to overwrite key values
+
+[types]
+	STRING     = str
+	BOOL       = true
+	BOOL_FALSE = false
+	FLOAT64    = 1.25
+	INT        = 10
+	TIME       = 2015-01-01T20:17:05Z
+	DURATION   = 2h45m
+	UINT       = 3
+
+[array]
+	STRINGS  = en, zh, de
+	FLOAT64S = 1.1, 2.2, 3.3
+	INTS     = 1, 2, 3
+	UINTS    = 1, 2, 3
+	TIMES    = 2015-01-01T20:17:05Z,2015-01-01T20:17:05Z,2015-01-01T20:17:05Z
+
+[note]
+	empty_lines = next line is empty
+
+; Comment before the section
+; This is a comment for the section too
+[comments]
+	; Comment before key
+	key  = value
+	; This is a comment for key2
+	key2 = value2
+	key3 = "one", "two", "three"
+
+[advance]
+	value with quotes      = some value
+	value quote2 again     = some value
+	includes comment sign  = `+"`"+"my#password"+"`"+`
+	includes comment sign2 = `+"`"+"my;password"+"`"+`
+	true                   = 2+3=5
+	`+"`"+`1+1=2`+"`"+`                = true
+	`+"`"+`6+1=7`+"`"+`                = true
+	"""`+"`"+`5+5`+"`"+`"""            = 10
+	`+"`"+`"6+6"`+"`"+`                = 12
+	`+"`"+`7-2=4`+"`"+`                = false
+	ADDRESS                = """404 road,
+NotFound, State, 50000"""
+	two_lines              = how about continuation lines?
+	lots_of_lines          = 1 2 3 4 
+
+[advanced]
+	val w/ pound                       = `+"`"+`my#password`+"`"+`
+	`+"`"+`longest key has a colon : yes/no`+"`"+` = yes
+
+`)
+	})
+}
+
+func Test_File_WriteTo_SectionRaw(t *testing.T) {
+	Convey("Write a INI with a raw section", t, func() {
+		var buf bytes.Buffer
+		cfg, err := LoadSources(
+			LoadOptions{
+				UnparseableSections: []string{"CORE_LESSON", "COMMENTS"},
+			},
+			"testdata/aicc.ini")
+		So(err, ShouldBeNil)
+		So(cfg, ShouldNotBeNil)
+		cfg.WriteToIndent(&buf, "\t")
+		So(buf.String(), ShouldEqual, `[Core]
+	Lesson_Location = 87
+	Lesson_Status   = C
+	Score           = 3
+	Time            = 00:02:30
+
+[CORE_LESSON]
+my lesson state data – 1111111111111111111000000000000000001110000
+111111111111111111100000000000111000000000 – end my lesson state data
+[COMMENTS]
+<1><L.Slide#2> This slide has the fuel listed in the wrong units <e.1>
+`)
+	})
+}
+
+// Helpers for slice tests.
+func float64sEqual(values []float64, expected ...float64) {
+	So(values, ShouldHaveLength, len(expected))
+	for i, v := range expected {
+		So(values[i], ShouldEqual, v)
+	}
+}
+
+func intsEqual(values []int, expected ...int) {
+	So(values, ShouldHaveLength, len(expected))
+	for i, v := range expected {
+		So(values[i], ShouldEqual, v)
+	}
+}
+
+func int64sEqual(values []int64, expected ...int64) {
+	So(values, ShouldHaveLength, len(expected))
+	for i, v := range expected {
+		So(values[i], ShouldEqual, v)
+	}
+}
+
+func uintsEqual(values []uint, expected ...uint) {
+	So(values, ShouldHaveLength, len(expected))
+	for i, v := range expected {
+		So(values[i], ShouldEqual, v)
+	}
+}
+
+func uint64sEqual(values []uint64, expected ...uint64) {
+	So(values, ShouldHaveLength, len(expected))
+	for i, v := range expected {
+		So(values[i], ShouldEqual, v)
+	}
+}
+
+func timesEqual(values []time.Time, expected ...time.Time) {
+	So(values, ShouldHaveLength, len(expected))
+	for i, v := range expected {
+		So(values[i].String(), ShouldEqual, v.String())
+	}
+}
diff --git a/vendor/github.com/go-ini/ini/key.go b/vendor/github.com/go-ini/ini/key.go
new file mode 100644
index 000000000..838356af0
--- /dev/null
+++ b/vendor/github.com/go-ini/ini/key.go
@@ -0,0 +1,699 @@
+// Copyright 2014 Unknwon
+//
+// Licensed under the Apache License, Version 2.0 (the "License"): you may
+// not use this file except in compliance with the License. You may obtain
+// a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+// License for the specific language governing permissions and limitations
+// under the License.
+
+package ini
+
+import (
+	"errors"
+	"fmt"
+	"strconv"
+	"strings"
+	"time"
+)
+
+// Key represents a key under a section.
+type Key struct {
+	s               *Section
+	name            string
+	value           string
+	isAutoIncrement bool
+	isBooleanType   bool
+
+	isShadow bool
+	shadows  []*Key
+
+	Comment string
+}
+
+// newKey simply return a key object with given values.
+func newKey(s *Section, name, val string) *Key {
+	return &Key{
+		s:     s,
+		name:  name,
+		value: val,
+	}
+}
+
+func (k *Key) addShadow(val string) error {
+	if k.isShadow {
+		return errors.New("cannot add shadow to another shadow key")
+	} else if k.isAutoIncrement || k.isBooleanType {
+		return errors.New("cannot add shadow to auto-increment or boolean key")
+	}
+
+	shadow := newKey(k.s, k.name, val)
+	shadow.isShadow = true
+	k.shadows = append(k.shadows, shadow)
+	return nil
+}
+
+// AddShadow adds a new shadow key to itself.
+func (k *Key) AddShadow(val string) error {
+	if !k.s.f.options.AllowShadows {
+		return errors.New("shadow key is not allowed")
+	}
+	return k.addShadow(val)
+}
+
+// ValueMapper represents a mapping function for values, e.g. os.ExpandEnv
+type ValueMapper func(string) string
+
+// Name returns name of key.
+func (k *Key) Name() string {
+	return k.name
+}
+
+// Value returns raw value of key for performance purpose.
+func (k *Key) Value() string {
+	return k.value
+}
+
+// ValueWithShadows returns raw values of key and its shadows if any.
+func (k *Key) ValueWithShadows() []string {
+	if len(k.shadows) == 0 {
+		return []string{k.value}
+	}
+	vals := make([]string, len(k.shadows)+1)
+	vals[0] = k.value
+	for i := range k.shadows {
+		vals[i+1] = k.shadows[i].value
+	}
+	return vals
+}
+
+// transformValue takes a raw value and transforms to its final string.
+func (k *Key) transformValue(val string) string {
+	if k.s.f.ValueMapper != nil {
+		val = k.s.f.ValueMapper(val)
+	}
+
+	// Fail-fast if no indicate char found for recursive value
+	if !strings.Contains(val, "%") {
+		return val
+	}
+	for i := 0; i < _DEPTH_VALUES; i++ {
+		vr := varPattern.FindString(val)
+		if len(vr) == 0 {
+			break
+		}
+
+		// Take off leading '%(' and trailing ')s'.
+		noption := strings.TrimLeft(vr, "%(")
+		noption = strings.TrimRight(noption, ")s")
+
+		// Search in the same section.
+		nk, err := k.s.GetKey(noption)
+		if err != nil {
+			// Search again in default section.
+			nk, _ = k.s.f.Section("").GetKey(noption)
+		}
+
+		// Substitute by new value and take off leading '%(' and trailing ')s'.
+		val = strings.Replace(val, vr, nk.value, -1)
+	}
+	return val
+}
+
+// String returns string representation of value.
+func (k *Key) String() string {
+	return k.transformValue(k.value)
+}
+
+// Validate accepts a validate function which can
+// return modifed result as key value.
+func (k *Key) Validate(fn func(string) string) string {
+	return fn(k.String())
+}
+
+// parseBool returns the boolean value represented by the string.
+//
+// It accepts 1, t, T, TRUE, true, True, YES, yes, Yes, y, ON, on, On,
+// 0, f, F, FALSE, false, False, NO, no, No, n, OFF, off, Off.
+// Any other value returns an error.
+func parseBool(str string) (value bool, err error) {
+	switch str {
+	case "1", "t", "T", "true", "TRUE", "True", "YES", "yes", "Yes", "y", "ON", "on", "On":
+		return true, nil
+	case "0", "f", "F", "false", "FALSE", "False", "NO", "no", "No", "n", "OFF", "off", "Off":
+		return false, nil
+	}
+	return false, fmt.Errorf("parsing \"%s\": invalid syntax", str)
+}
+
+// Bool returns bool type value.
+func (k *Key) Bool() (bool, error) {
+	return parseBool(k.String())
+}
+
+// Float64 returns float64 type value.
+func (k *Key) Float64() (float64, error) {
+	return strconv.ParseFloat(k.String(), 64)
+}
+
+// Int returns int type value.
+func (k *Key) Int() (int, error) {
+	return strconv.Atoi(k.String())
+}
+
+// Int64 returns int64 type value.
+func (k *Key) Int64() (int64, error) {
+	return strconv.ParseInt(k.String(), 10, 64)
+}
+
+// Uint returns uint type valued.
+func (k *Key) Uint() (uint, error) {
+	u, e := strconv.ParseUint(k.String(), 10, 64)
+	return uint(u), e
+}
+
+// Uint64 returns uint64 type value.
+func (k *Key) Uint64() (uint64, error) {
+	return strconv.ParseUint(k.String(), 10, 64)
+}
+
+// Duration returns time.Duration type value.
+func (k *Key) Duration() (time.Duration, error) {
+	return time.ParseDuration(k.String())
+}
+
+// TimeFormat parses with given format and returns time.Time type value.
+func (k *Key) TimeFormat(format string) (time.Time, error) {
+	return time.Parse(format, k.String())
+}
+
+// Time parses with RFC3339 format and returns time.Time type value.
+func (k *Key) Time() (time.Time, error) {
+	return k.TimeFormat(time.RFC3339)
+}
+
+// MustString returns default value if key value is empty.
+func (k *Key) MustString(defaultVal string) string {
+	val := k.String()
+	if len(val) == 0 {
+		k.value = defaultVal
+		return defaultVal
+	}
+	return val
+}
+
+// MustBool always returns value without error,
+// it returns false if error occurs.
+func (k *Key) MustBool(defaultVal ...bool) bool {
+	val, err := k.Bool()
+	if len(defaultVal) > 0 && err != nil {
+		k.value = strconv.FormatBool(defaultVal[0])
+		return defaultVal[0]
+	}
+	return val
+}
+
+// MustFloat64 always returns value without error,
+// it returns 0.0 if error occurs.
+func (k *Key) MustFloat64(defaultVal ...float64) float64 {
+	val, err := k.Float64()
+	if len(defaultVal) > 0 && err != nil {
+		k.value = strconv.FormatFloat(defaultVal[0], 'f', -1, 64)
+		return defaultVal[0]
+	}
+	return val
+}
+
+// MustInt always returns value without error,
+// it returns 0 if error occurs.
+func (k *Key) MustInt(defaultVal ...int) int {
+	val, err := k.Int()
+	if len(defaultVal) > 0 && err != nil {
+		k.value = strconv.FormatInt(int64(defaultVal[0]), 10)
+		return defaultVal[0]
+	}
+	return val
+}
+
+// MustInt64 always returns value without error,
+// it returns 0 if error occurs.
+func (k *Key) MustInt64(defaultVal ...int64) int64 {
+	val, err := k.Int64()
+	if len(defaultVal) > 0 && err != nil {
+		k.value = strconv.FormatInt(defaultVal[0], 10)
+		return defaultVal[0]
+	}
+	return val
+}
+
+// MustUint always returns value without error,
+// it returns 0 if error occurs.
+func (k *Key) MustUint(defaultVal ...uint) uint {
+	val, err := k.Uint()
+	if len(defaultVal) > 0 && err != nil {
+		k.value = strconv.FormatUint(uint64(defaultVal[0]), 10)
+		return defaultVal[0]
+	}
+	return val
+}
+
+// MustUint64 always returns value without error,
+// it returns 0 if error occurs.
+func (k *Key) MustUint64(defaultVal ...uint64) uint64 {
+	val, err := k.Uint64()
+	if len(defaultVal) > 0 && err != nil {
+		k.value = strconv.FormatUint(defaultVal[0], 10)
+		return defaultVal[0]
+	}
+	return val
+}
+
+// MustDuration always returns value without error,
+// it returns zero value if error occurs.
+func (k *Key) MustDuration(defaultVal ...time.Duration) time.Duration {
+	val, err := k.Duration()
+	if len(defaultVal) > 0 && err != nil {
+		k.value = defaultVal[0].String()
+		return defaultVal[0]
+	}
+	return val
+}
+
+// MustTimeFormat always parses with given format and returns value without error,
+// it returns zero value if error occurs.
+func (k *Key) MustTimeFormat(format string, defaultVal ...time.Time) time.Time {
+	val, err := k.TimeFormat(format)
+	if len(defaultVal) > 0 && err != nil {
+		k.value = defaultVal[0].Format(format)
+		return defaultVal[0]
+	}
+	return val
+}
+
+// MustTime always parses with RFC3339 format and returns value without error,
+// it returns zero value if error occurs.
+func (k *Key) MustTime(defaultVal ...time.Time) time.Time {
+	return k.MustTimeFormat(time.RFC3339, defaultVal...)
+}
+
+// In always returns value without error,
+// it returns default value if error occurs or doesn't fit into candidates.
+func (k *Key) In(defaultVal string, candidates []string) string {
+	val := k.String()
+	for _, cand := range candidates {
+		if val == cand {
+			return val
+		}
+	}
+	return defaultVal
+}
+
+// InFloat64 always returns value without error,
+// it returns default value if error occurs or doesn't fit into candidates.
+func (k *Key) InFloat64(defaultVal float64, candidates []float64) float64 {
+	val := k.MustFloat64()
+	for _, cand := range candidates {
+		if val == cand {
+			return val
+		}
+	}
+	return defaultVal
+}
+
+// InInt always returns value without error,
+// it returns default value if error occurs or doesn't fit into candidates.
+func (k *Key) InInt(defaultVal int, candidates []int) int {
+	val := k.MustInt()
+	for _, cand := range candidates {
+		if val == cand {
+			return val
+		}
+	}
+	return defaultVal
+}
+
+// InInt64 always returns value without error,
+// it returns default value if error occurs or doesn't fit into candidates.
+func (k *Key) InInt64(defaultVal int64, candidates []int64) int64 {
+	val := k.MustInt64()
+	for _, cand := range candidates {
+		if val == cand {
+			return val
+		}
+	}
+	return defaultVal
+}
+
+// InUint always returns value without error,
+// it returns default value if error occurs or doesn't fit into candidates.
+func (k *Key) InUint(defaultVal uint, candidates []uint) uint {
+	val := k.MustUint()
+	for _, cand := range candidates {
+		if val == cand {
+			return val
+		}
+	}
+	return defaultVal
+}
+
+// InUint64 always returns value without error,
+// it returns default value if error occurs or doesn't fit into candidates.
+func (k *Key) InUint64(defaultVal uint64, candidates []uint64) uint64 {
+	val := k.MustUint64()
+	for _, cand := range candidates {
+		if val == cand {
+			return val
+		}
+	}
+	return defaultVal
+}
+
+// InTimeFormat always parses with given format and returns value without error,
+// it returns default value if error occurs or doesn't fit into candidates.
+func (k *Key) InTimeFormat(format string, defaultVal time.Time, candidates []time.Time) time.Time {
+	val := k.MustTimeFormat(format)
+	for _, cand := range candidates {
+		if val == cand {
+			return val
+		}
+	}
+	return defaultVal
+}
+
+// InTime always parses with RFC3339 format and returns value without error,
+// it returns default value if error occurs or doesn't fit into candidates.
+func (k *Key) InTime(defaultVal time.Time, candidates []time.Time) time.Time {
+	return k.InTimeFormat(time.RFC3339, defaultVal, candidates)
+}
+
+// RangeFloat64 checks if value is in given range inclusively,
+// and returns default value if it's not.
+func (k *Key) RangeFloat64(defaultVal, min, max float64) float64 {
+	val := k.MustFloat64()
+	if val < min || val > max {
+		return defaultVal
+	}
+	return val
+}
+
+// RangeInt checks if value is in given range inclusively,
+// and returns default value if it's not.
+func (k *Key) RangeInt(defaultVal, min, max int) int {
+	val := k.MustInt()
+	if val < min || val > max {
+		return defaultVal
+	}
+	return val
+}
+
+// RangeInt64 checks if value is in given range inclusively,
+// and returns default value if it's not.
+func (k *Key) RangeInt64(defaultVal, min, max int64) int64 {
+	val := k.MustInt64()
+	if val < min || val > max {
+		return defaultVal
+	}
+	return val
+}
+
+// RangeTimeFormat checks if value with given format is in given range inclusively,
+// and returns default value if it's not.
+func (k *Key) RangeTimeFormat(format string, defaultVal, min, max time.Time) time.Time {
+	val := k.MustTimeFormat(format)
+	if val.Unix() < min.Unix() || val.Unix() > max.Unix() {
+		return defaultVal
+	}
+	return val
+}
+
+// RangeTime checks if value with RFC3339 format is in given range inclusively,
+// and returns default value if it's not.
+func (k *Key) RangeTime(defaultVal, min, max time.Time) time.Time {
+	return k.RangeTimeFormat(time.RFC3339, defaultVal, min, max)
+}
+
+// Strings returns list of string divided by given delimiter.
+func (k *Key) Strings(delim string) []string {
+	str := k.String()
+	if len(str) == 0 {
+		return []string{}
+	}
+
+	vals := strings.Split(str, delim)
+	for i := range vals {
+		// vals[i] = k.transformValue(strings.TrimSpace(vals[i]))
+		vals[i] = strings.TrimSpace(vals[i])
+	}
+	return vals
+}
+
+// StringsWithShadows returns list of string divided by given delimiter.
+// Shadows will also be appended if any.
+func (k *Key) StringsWithShadows(delim string) []string {
+	vals := k.ValueWithShadows()
+	results := make([]string, 0, len(vals)*2)
+	for i := range vals {
+		if len(vals) == 0 {
+			continue
+		}
+
+		results = append(results, strings.Split(vals[i], delim)...)
+	}
+
+	for i := range results {
+		results[i] = k.transformValue(strings.TrimSpace(results[i]))
+	}
+	return results
+}
+
+// Float64s returns list of float64 divided by given delimiter. Any invalid input will be treated as zero value.
+func (k *Key) Float64s(delim string) []float64 {
+	vals, _ := k.parseFloat64s(k.Strings(delim), true, false)
+	return vals
+}
+
+// Ints returns list of int divided by given delimiter. Any invalid input will be treated as zero value.
+func (k *Key) Ints(delim string) []int {
+	vals, _ := k.parseInts(k.Strings(delim), true, false)
+	return vals
+}
+
+// Int64s returns list of int64 divided by given delimiter. Any invalid input will be treated as zero value.
+func (k *Key) Int64s(delim string) []int64 {
+	vals, _ := k.parseInt64s(k.Strings(delim), true, false)
+	return vals
+}
+
+// Uints returns list of uint divided by given delimiter. Any invalid input will be treated as zero value.
+func (k *Key) Uints(delim string) []uint {
+	vals, _ := k.parseUints(k.Strings(delim), true, false)
+	return vals
+}
+
+// Uint64s returns list of uint64 divided by given delimiter. Any invalid input will be treated as zero value.
+func (k *Key) Uint64s(delim string) []uint64 {
+	vals, _ := k.parseUint64s(k.Strings(delim), true, false)
+	return vals
+}
+
+// TimesFormat parses with given format and returns list of time.Time divided by given delimiter.
+// Any invalid input will be treated as zero value (0001-01-01 00:00:00 +0000 UTC).
+func (k *Key) TimesFormat(format, delim string) []time.Time {
+	vals, _ := k.parseTimesFormat(format, k.Strings(delim), true, false)
+	return vals
+}
+
+// Times parses with RFC3339 format and returns list of time.Time divided by given delimiter.
+// Any invalid input will be treated as zero value (0001-01-01 00:00:00 +0000 UTC).
+func (k *Key) Times(delim string) []time.Time {
+	return k.TimesFormat(time.RFC3339, delim)
+}
+
+// ValidFloat64s returns list of float64 divided by given delimiter. If some value is not float, then
+// it will not be included to result list.
+func (k *Key) ValidFloat64s(delim string) []float64 {
+	vals, _ := k.parseFloat64s(k.Strings(delim), false, false)
+	return vals
+}
+
+// ValidInts returns list of int divided by given delimiter. If some value is not integer, then it will
+// not be included to result list.
+func (k *Key) ValidInts(delim string) []int {
+	vals, _ := k.parseInts(k.Strings(delim), false, false)
+	return vals
+}
+
+// ValidInt64s returns list of int64 divided by given delimiter. If some value is not 64-bit integer,
+// then it will not be included to result list.
+func (k *Key) ValidInt64s(delim string) []int64 {
+	vals, _ := k.parseInt64s(k.Strings(delim), false, false)
+	return vals
+}
+
+// ValidUints returns list of uint divided by given delimiter. If some value is not unsigned integer,
+// then it will not be included to result list.
+func (k *Key) ValidUints(delim string) []uint {
+	vals, _ := k.parseUints(k.Strings(delim), false, false)
+	return vals
+}
+
+// ValidUint64s returns list of uint64 divided by given delimiter. If some value is not 64-bit unsigned
+// integer, then it will not be included to result list.
+func (k *Key) ValidUint64s(delim string) []uint64 {
+	vals, _ := k.parseUint64s(k.Strings(delim), false, false)
+	return vals
+}
+
+// ValidTimesFormat parses with given format and returns list of time.Time divided by given delimiter.
+func (k *Key) ValidTimesFormat(format, delim string) []time.Time {
+	vals, _ := k.parseTimesFormat(format, k.Strings(delim), false, false)
+	return vals
+}
+
+// ValidTimes parses with RFC3339 format and returns list of time.Time divided by given delimiter.
+func (k *Key) ValidTimes(delim string) []time.Time {
+	return k.ValidTimesFormat(time.RFC3339, delim)
+}
+
+// StrictFloat64s returns list of float64 divided by given delimiter or error on first invalid input.
+func (k *Key) StrictFloat64s(delim string) ([]float64, error) {
+	return k.parseFloat64s(k.Strings(delim), false, true)
+}
+
+// StrictInts returns list of int divided by given delimiter or error on first invalid input.
+func (k *Key) StrictInts(delim string) ([]int, error) {
+	return k.parseInts(k.Strings(delim), false, true)
+}
+
+// StrictInt64s returns list of int64 divided by given delimiter or error on first invalid input.
+func (k *Key) StrictInt64s(delim string) ([]int64, error) {
+	return k.parseInt64s(k.Strings(delim), false, true)
+}
+
+// StrictUints returns list of uint divided by given delimiter or error on first invalid input.
+func (k *Key) StrictUints(delim string) ([]uint, error) {
+	return k.parseUints(k.Strings(delim), false, true)
+}
+
+// StrictUint64s returns list of uint64 divided by given delimiter or error on first invalid input.
+func (k *Key) StrictUint64s(delim string) ([]uint64, error) {
+	return k.parseUint64s(k.Strings(delim), false, true)
+}
+
+// StrictTimesFormat parses with given format and returns list of time.Time divided by given delimiter
+// or error on first invalid input.
+func (k *Key) StrictTimesFormat(format, delim string) ([]time.Time, error) {
+	return k.parseTimesFormat(format, k.Strings(delim), false, true)
+}
+
+// StrictTimes parses with RFC3339 format and returns list of time.Time divided by given delimiter
+// or error on first invalid input.
+func (k *Key) StrictTimes(delim string) ([]time.Time, error) {
+	return k.StrictTimesFormat(time.RFC3339, delim)
+}
+
+// parseFloat64s transforms strings to float64s.
+func (k *Key) parseFloat64s(strs []string, addInvalid, returnOnInvalid bool) ([]float64, error) {
+	vals := make([]float64, 0, len(strs))
+	for _, str := range strs {
+		val, err := strconv.ParseFloat(str, 64)
+		if err != nil && returnOnInvalid {
+			return nil, err
+		}
+		if err == nil || addInvalid {
+			vals = append(vals, val)
+		}
+	}
+	return vals, nil
+}
+
+// parseInts transforms strings to ints.
+func (k *Key) parseInts(strs []string, addInvalid, returnOnInvalid bool) ([]int, error) {
+	vals := make([]int, 0, len(strs))
+	for _, str := range strs {
+		val, err := strconv.Atoi(str)
+		if err != nil && returnOnInvalid {
+			return nil, err
+		}
+		if err == nil || addInvalid {
+			vals = append(vals, val)
+		}
+	}
+	return vals, nil
+}
+
+// parseInt64s transforms strings to int64s.
+func (k *Key) parseInt64s(strs []string, addInvalid, returnOnInvalid bool) ([]int64, error) {
+	vals := make([]int64, 0, len(strs))
+	for _, str := range strs {
+		val, err := strconv.ParseInt(str, 10, 64)
+		if err != nil && returnOnInvalid {
+			return nil, err
+		}
+		if err == nil || addInvalid {
+			vals = append(vals, val)
+		}
+	}
+	return vals, nil
+}
+
+// parseUints transforms strings to uints.
+func (k *Key) parseUints(strs []string, addInvalid, returnOnInvalid bool) ([]uint, error) {
+	vals := make([]uint, 0, len(strs))
+	for _, str := range strs {
+		val, err := strconv.ParseUint(str, 10, 0)
+		if err != nil && returnOnInvalid {
+			return nil, err
+		}
+		if err == nil || addInvalid {
+			vals = append(vals, uint(val))
+		}
+	}
+	return vals, nil
+}
+
+// parseUint64s transforms strings to uint64s.
+func (k *Key) parseUint64s(strs []string, addInvalid, returnOnInvalid bool) ([]uint64, error) {
+	vals := make([]uint64, 0, len(strs))
+	for _, str := range strs {
+		val, err := strconv.ParseUint(str, 10, 64)
+		if err != nil && returnOnInvalid {
+			return nil, err
+		}
+		if err == nil || addInvalid {
+			vals = append(vals, val)
+		}
+	}
+	return vals, nil
+}
+
+// parseTimesFormat transforms strings to times in given format.
+func (k *Key) parseTimesFormat(format string, strs []string, addInvalid, returnOnInvalid bool) ([]time.Time, error) {
+	vals := make([]time.Time, 0, len(strs))
+	for _, str := range strs {
+		val, err := time.Parse(format, str)
+		if err != nil && returnOnInvalid {
+			return nil, err
+		}
+		if err == nil || addInvalid {
+			vals = append(vals, val)
+		}
+	}
+	return vals, nil
+}
+
+// SetValue changes key value.
+func (k *Key) SetValue(v string) {
+	if k.s.f.BlockMode {
+		k.s.f.lock.Lock()
+		defer k.s.f.lock.Unlock()
+	}
+
+	k.value = v
+	k.s.keysHash[k.name] = v
+}
diff --git a/vendor/github.com/go-ini/ini/key_test.go b/vendor/github.com/go-ini/ini/key_test.go
new file mode 100644
index 000000000..1281d5bf0
--- /dev/null
+++ b/vendor/github.com/go-ini/ini/key_test.go
@@ -0,0 +1,573 @@
+// Copyright 2014 Unknwon
+//
+// Licensed under the Apache License, Version 2.0 (the "License"): you may
+// not use this file except in compliance with the License. You may obtain
+// a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+// License for the specific language governing permissions and limitations
+// under the License.
+
+package ini
+
+import (
+	"bytes"
+	"fmt"
+	"strings"
+	"testing"
+	"time"
+
+	. "github.com/smartystreets/goconvey/convey"
+)
+
+func Test_Key(t *testing.T) {
+	Convey("Test getting and setting values", t, func() {
+		cfg, err := Load([]byte(_CONF_DATA), "testdata/conf.ini")
+		So(err, ShouldBeNil)
+		So(cfg, ShouldNotBeNil)
+
+		Convey("Get values in default section", func() {
+			sec := cfg.Section("")
+			So(sec, ShouldNotBeNil)
+			So(sec.Key("NAME").Value(), ShouldEqual, "ini")
+			So(sec.Key("NAME").String(), ShouldEqual, "ini")
+			So(sec.Key("NAME").Validate(func(in string) string {
+				return in
+			}), ShouldEqual, "ini")
+			So(sec.Key("NAME").Comment, ShouldEqual, "; Package name")
+			So(sec.Key("IMPORT_PATH").String(), ShouldEqual, "gopkg.in/ini.v1")
+		})
+
+		Convey("Get values in non-default section", func() {
+			sec := cfg.Section("author")
+			So(sec, ShouldNotBeNil)
+			So(sec.Key("NAME").String(), ShouldEqual, "Unknwon")
+			So(sec.Key("GITHUB").String(), ShouldEqual, "https://github.com/Unknwon")
+
+			sec = cfg.Section("package")
+			So(sec, ShouldNotBeNil)
+			So(sec.Key("CLONE_URL").String(), ShouldEqual, "https://gopkg.in/ini.v1")
+		})
+
+		Convey("Get auto-increment key names", func() {
+			keys := cfg.Section("features").Keys()
+			for i, k := range keys {
+				So(k.Name(), ShouldEqual, fmt.Sprintf("#%d", i+1))
+			}
+		})
+
+		Convey("Get parent-keys that are available to the child section", func() {
+			parentKeys := cfg.Section("package.sub").ParentKeys()
+			for _, k := range parentKeys {
+				So(k.Name(), ShouldEqual, "CLONE_URL")
+			}
+		})
+
+		Convey("Get overwrite value", func() {
+			So(cfg.Section("author").Key("E-MAIL").String(), ShouldEqual, "u@gogs.io")
+		})
+
+		Convey("Get sections", func() {
+			sections := cfg.Sections()
+			for i, name := range []string{DEFAULT_SECTION, "author", "package", "package.sub", "features", "types", "array", "note", "comments", "advance"} {
+				So(sections[i].Name(), ShouldEqual, name)
+			}
+		})
+
+		Convey("Get parent section value", func() {
+			So(cfg.Section("package.sub").Key("CLONE_URL").String(), ShouldEqual, "https://gopkg.in/ini.v1")
+			So(cfg.Section("package.fake.sub").Key("CLONE_URL").String(), ShouldEqual, "https://gopkg.in/ini.v1")
+		})
+
+		Convey("Get multiple line value", func() {
+			So(cfg.Section("author").Key("BIO").String(), ShouldEqual, "Gopher.\nCoding addict.\nGood man.\n")
+		})
+
+		Convey("Get values with type", func() {
+			sec := cfg.Section("types")
+			v1, err := sec.Key("BOOL").Bool()
+			So(err, ShouldBeNil)
+			So(v1, ShouldBeTrue)
+
+			v1, err = sec.Key("BOOL_FALSE").Bool()
+			So(err, ShouldBeNil)
+			So(v1, ShouldBeFalse)
+
+			v2, err := sec.Key("FLOAT64").Float64()
+			So(err, ShouldBeNil)
+			So(v2, ShouldEqual, 1.25)
+
+			v3, err := sec.Key("INT").Int()
+			So(err, ShouldBeNil)
+			So(v3, ShouldEqual, 10)
+
+			v4, err := sec.Key("INT").Int64()
+			So(err, ShouldBeNil)
+			So(v4, ShouldEqual, 10)
+
+			v5, err := sec.Key("UINT").Uint()
+			So(err, ShouldBeNil)
+			So(v5, ShouldEqual, 3)
+
+			v6, err := sec.Key("UINT").Uint64()
+			So(err, ShouldBeNil)
+			So(v6, ShouldEqual, 3)
+
+			t, err := time.Parse(time.RFC3339, "2015-01-01T20:17:05Z")
+			So(err, ShouldBeNil)
+			v7, err := sec.Key("TIME").Time()
+			So(err, ShouldBeNil)
+			So(v7.String(), ShouldEqual, t.String())
+
+			Convey("Must get values with type", func() {
+				So(sec.Key("STRING").MustString("404"), ShouldEqual, "str")
+				So(sec.Key("BOOL").MustBool(), ShouldBeTrue)
+				So(sec.Key("FLOAT64").MustFloat64(), ShouldEqual, 1.25)
+				So(sec.Key("INT").MustInt(), ShouldEqual, 10)
+				So(sec.Key("INT").MustInt64(), ShouldEqual, 10)
+				So(sec.Key("UINT").MustUint(), ShouldEqual, 3)
+				So(sec.Key("UINT").MustUint64(), ShouldEqual, 3)
+				So(sec.Key("TIME").MustTime().String(), ShouldEqual, t.String())
+
+				dur, err := time.ParseDuration("2h45m")
+				So(err, ShouldBeNil)
+				So(sec.Key("DURATION").MustDuration().Seconds(), ShouldEqual, dur.Seconds())
+
+				Convey("Must get values with default value", func() {
+					So(sec.Key("STRING_404").MustString("404"), ShouldEqual, "404")
+					So(sec.Key("BOOL_404").MustBool(true), ShouldBeTrue)
+					So(sec.Key("FLOAT64_404").MustFloat64(2.5), ShouldEqual, 2.5)
+					So(sec.Key("INT_404").MustInt(15), ShouldEqual, 15)
+					So(sec.Key("INT64_404").MustInt64(15), ShouldEqual, 15)
+					So(sec.Key("UINT_404").MustUint(6), ShouldEqual, 6)
+					So(sec.Key("UINT64_404").MustUint64(6), ShouldEqual, 6)
+
+					t, err := time.Parse(time.RFC3339, "2014-01-01T20:17:05Z")
+					So(err, ShouldBeNil)
+					So(sec.Key("TIME_404").MustTime(t).String(), ShouldEqual, t.String())
+
+					So(sec.Key("DURATION_404").MustDuration(dur).Seconds(), ShouldEqual, dur.Seconds())
+
+					Convey("Must should set default as key value", func() {
+						So(sec.Key("STRING_404").String(), ShouldEqual, "404")
+						So(sec.Key("BOOL_404").String(), ShouldEqual, "true")
+						So(sec.Key("FLOAT64_404").String(), ShouldEqual, "2.5")
+						So(sec.Key("INT_404").String(), ShouldEqual, "15")
+						So(sec.Key("INT64_404").String(), ShouldEqual, "15")
+						So(sec.Key("UINT_404").String(), ShouldEqual, "6")
+						So(sec.Key("UINT64_404").String(), ShouldEqual, "6")
+						So(sec.Key("TIME_404").String(), ShouldEqual, "2014-01-01T20:17:05Z")
+						So(sec.Key("DURATION_404").String(), ShouldEqual, "2h45m0s")
+					})
+				})
+			})
+		})
+
+		Convey("Get value with candidates", func() {
+			sec := cfg.Section("types")
+			So(sec.Key("STRING").In("", []string{"str", "arr", "types"}), ShouldEqual, "str")
+			So(sec.Key("FLOAT64").InFloat64(0, []float64{1.25, 2.5, 3.75}), ShouldEqual, 1.25)
+			So(sec.Key("INT").InInt(0, []int{10, 20, 30}), ShouldEqual, 10)
+			So(sec.Key("INT").InInt64(0, []int64{10, 20, 30}), ShouldEqual, 10)
+			So(sec.Key("UINT").InUint(0, []uint{3, 6, 9}), ShouldEqual, 3)
+			So(sec.Key("UINT").InUint64(0, []uint64{3, 6, 9}), ShouldEqual, 3)
+
+			zt, err := time.Parse(time.RFC3339, "0001-01-01T01:00:00Z")
+			So(err, ShouldBeNil)
+			t, err := time.Parse(time.RFC3339, "2015-01-01T20:17:05Z")
+			So(err, ShouldBeNil)
+			So(sec.Key("TIME").InTime(zt, []time.Time{t, time.Now(), time.Now().Add(1 * time.Second)}).String(), ShouldEqual, t.String())
+
+			Convey("Get value with candidates and default value", func() {
+				So(sec.Key("STRING_404").In("str", []string{"str", "arr", "types"}), ShouldEqual, "str")
+				So(sec.Key("FLOAT64_404").InFloat64(1.25, []float64{1.25, 2.5, 3.75}), ShouldEqual, 1.25)
+				So(sec.Key("INT_404").InInt(10, []int{10, 20, 30}), ShouldEqual, 10)
+				So(sec.Key("INT64_404").InInt64(10, []int64{10, 20, 30}), ShouldEqual, 10)
+				So(sec.Key("UINT_404").InUint(3, []uint{3, 6, 9}), ShouldEqual, 3)
+				So(sec.Key("UINT_404").InUint64(3, []uint64{3, 6, 9}), ShouldEqual, 3)
+				So(sec.Key("TIME_404").InTime(t, []time.Time{time.Now(), time.Now(), time.Now().Add(1 * time.Second)}).String(), ShouldEqual, t.String())
+			})
+		})
+
+		Convey("Get values in range", func() {
+			sec := cfg.Section("types")
+			So(sec.Key("FLOAT64").RangeFloat64(0, 1, 2), ShouldEqual, 1.25)
+			So(sec.Key("INT").RangeInt(0, 10, 20), ShouldEqual, 10)
+			So(sec.Key("INT").RangeInt64(0, 10, 20), ShouldEqual, 10)
+
+			minT, err := time.Parse(time.RFC3339, "0001-01-01T01:00:00Z")
+			So(err, ShouldBeNil)
+			midT, err := time.Parse(time.RFC3339, "2013-01-01T01:00:00Z")
+			So(err, ShouldBeNil)
+			maxT, err := time.Parse(time.RFC3339, "9999-01-01T01:00:00Z")
+			So(err, ShouldBeNil)
+			t, err := time.Parse(time.RFC3339, "2015-01-01T20:17:05Z")
+			So(err, ShouldBeNil)
+			So(sec.Key("TIME").RangeTime(t, minT, maxT).String(), ShouldEqual, t.String())
+
+			Convey("Get value in range with default value", func() {
+				So(sec.Key("FLOAT64").RangeFloat64(5, 0, 1), ShouldEqual, 5)
+				So(sec.Key("INT").RangeInt(7, 0, 5), ShouldEqual, 7)
+				So(sec.Key("INT").RangeInt64(7, 0, 5), ShouldEqual, 7)
+				So(sec.Key("TIME").RangeTime(t, minT, midT).String(), ShouldEqual, t.String())
+			})
+		})
+
+		Convey("Get values into slice", func() {
+			sec := cfg.Section("array")
+			So(strings.Join(sec.Key("STRINGS").Strings(","), ","), ShouldEqual, "en,zh,de")
+			So(len(sec.Key("STRINGS_404").Strings(",")), ShouldEqual, 0)
+
+			vals1 := sec.Key("FLOAT64S").Float64s(",")
+			float64sEqual(vals1, 1.1, 2.2, 3.3)
+
+			vals2 := sec.Key("INTS").Ints(",")
+			intsEqual(vals2, 1, 2, 3)
+
+			vals3 := sec.Key("INTS").Int64s(",")
+			int64sEqual(vals3, 1, 2, 3)
+
+			vals4 := sec.Key("UINTS").Uints(",")
+			uintsEqual(vals4, 1, 2, 3)
+
+			vals5 := sec.Key("UINTS").Uint64s(",")
+			uint64sEqual(vals5, 1, 2, 3)
+
+			t, err := time.Parse(time.RFC3339, "2015-01-01T20:17:05Z")
+			So(err, ShouldBeNil)
+			vals6 := sec.Key("TIMES").Times(",")
+			timesEqual(vals6, t, t, t)
+		})
+
+		Convey("Get valid values into slice", func() {
+			sec := cfg.Section("array")
+			vals1 := sec.Key("FLOAT64S").ValidFloat64s(",")
+			float64sEqual(vals1, 1.1, 2.2, 3.3)
+
+			vals2 := sec.Key("INTS").ValidInts(",")
+			intsEqual(vals2, 1, 2, 3)
+
+			vals3 := sec.Key("INTS").ValidInt64s(",")
+			int64sEqual(vals3, 1, 2, 3)
+
+			vals4 := sec.Key("UINTS").ValidUints(",")
+			uintsEqual(vals4, 1, 2, 3)
+
+			vals5 := sec.Key("UINTS").ValidUint64s(",")
+			uint64sEqual(vals5, 1, 2, 3)
+
+			t, err := time.Parse(time.RFC3339, "2015-01-01T20:17:05Z")
+			So(err, ShouldBeNil)
+			vals6 := sec.Key("TIMES").ValidTimes(",")
+			timesEqual(vals6, t, t, t)
+		})
+
+		Convey("Get values one type into slice of another type", func() {
+			sec := cfg.Section("array")
+			vals1 := sec.Key("STRINGS").ValidFloat64s(",")
+			So(vals1, ShouldBeEmpty)
+
+			vals2 := sec.Key("STRINGS").ValidInts(",")
+			So(vals2, ShouldBeEmpty)
+
+			vals3 := sec.Key("STRINGS").ValidInt64s(",")
+			So(vals3, ShouldBeEmpty)
+
+			vals4 := sec.Key("STRINGS").ValidUints(",")
+			So(vals4, ShouldBeEmpty)
+
+			vals5 := sec.Key("STRINGS").ValidUint64s(",")
+			So(vals5, ShouldBeEmpty)
+
+			vals6 := sec.Key("STRINGS").ValidTimes(",")
+			So(vals6, ShouldBeEmpty)
+		})
+
+		Convey("Get valid values into slice without errors", func() {
+			sec := cfg.Section("array")
+			vals1, err := sec.Key("FLOAT64S").StrictFloat64s(",")
+			So(err, ShouldBeNil)
+			float64sEqual(vals1, 1.1, 2.2, 3.3)
+
+			vals2, err := sec.Key("INTS").StrictInts(",")
+			So(err, ShouldBeNil)
+			intsEqual(vals2, 1, 2, 3)
+
+			vals3, err := sec.Key("INTS").StrictInt64s(",")
+			So(err, ShouldBeNil)
+			int64sEqual(vals3, 1, 2, 3)
+
+			vals4, err := sec.Key("UINTS").StrictUints(",")
+			So(err, ShouldBeNil)
+			uintsEqual(vals4, 1, 2, 3)
+
+			vals5, err := sec.Key("UINTS").StrictUint64s(",")
+			So(err, ShouldBeNil)
+			uint64sEqual(vals5, 1, 2, 3)
+
+			t, err := time.Parse(time.RFC3339, "2015-01-01T20:17:05Z")
+			So(err, ShouldBeNil)
+			vals6, err := sec.Key("TIMES").StrictTimes(",")
+			So(err, ShouldBeNil)
+			timesEqual(vals6, t, t, t)
+		})
+
+		Convey("Get invalid values into slice", func() {
+			sec := cfg.Section("array")
+			vals1, err := sec.Key("STRINGS").StrictFloat64s(",")
+			So(vals1, ShouldBeEmpty)
+			So(err, ShouldNotBeNil)
+
+			vals2, err := sec.Key("STRINGS").StrictInts(",")
+			So(vals2, ShouldBeEmpty)
+			So(err, ShouldNotBeNil)
+
+			vals3, err := sec.Key("STRINGS").StrictInt64s(",")
+			So(vals3, ShouldBeEmpty)
+			So(err, ShouldNotBeNil)
+
+			vals4, err := sec.Key("STRINGS").StrictUints(",")
+			So(vals4, ShouldBeEmpty)
+			So(err, ShouldNotBeNil)
+
+			vals5, err := sec.Key("STRINGS").StrictUint64s(",")
+			So(vals5, ShouldBeEmpty)
+			So(err, ShouldNotBeNil)
+
+			vals6, err := sec.Key("STRINGS").StrictTimes(",")
+			So(vals6, ShouldBeEmpty)
+			So(err, ShouldNotBeNil)
+		})
+
+		Convey("Get key hash", func() {
+			cfg.Section("").KeysHash()
+		})
+
+		Convey("Set key value", func() {
+			k := cfg.Section("author").Key("NAME")
+			k.SetValue("无闻")
+			So(k.String(), ShouldEqual, "无闻")
+		})
+
+		Convey("Get key strings", func() {
+			So(strings.Join(cfg.Section("types").KeyStrings(), ","), ShouldEqual, "STRING,BOOL,BOOL_FALSE,FLOAT64,INT,TIME,DURATION,UINT")
+		})
+
+		Convey("Delete a key", func() {
+			cfg.Section("package.sub").DeleteKey("UNUSED_KEY")
+			_, err := cfg.Section("package.sub").GetKey("UNUSED_KEY")
+			So(err, ShouldNotBeNil)
+		})
+
+		Convey("Has Key (backwards compatible)", func() {
+			sec := cfg.Section("package.sub")
+			haskey1 := sec.Haskey("UNUSED_KEY")
+			haskey2 := sec.Haskey("CLONE_URL")
+			haskey3 := sec.Haskey("CLONE_URL_NO")
+			So(haskey1, ShouldBeTrue)
+			So(haskey2, ShouldBeTrue)
+			So(haskey3, ShouldBeFalse)
+		})
+
+		Convey("Has Key", func() {
+			sec := cfg.Section("package.sub")
+			haskey1 := sec.HasKey("UNUSED_KEY")
+			haskey2 := sec.HasKey("CLONE_URL")
+			haskey3 := sec.HasKey("CLONE_URL_NO")
+			So(haskey1, ShouldBeTrue)
+			So(haskey2, ShouldBeTrue)
+			So(haskey3, ShouldBeFalse)
+		})
+
+		Convey("Has Value", func() {
+			sec := cfg.Section("author")
+			hasvalue1 := sec.HasValue("Unknwon")
+			hasvalue2 := sec.HasValue("doc")
+			So(hasvalue1, ShouldBeTrue)
+			So(hasvalue2, ShouldBeFalse)
+		})
+	})
+
+	Convey("Test getting and setting bad values", t, func() {
+		cfg, err := Load([]byte(_CONF_DATA), "testdata/conf.ini")
+		So(err, ShouldBeNil)
+		So(cfg, ShouldNotBeNil)
+
+		Convey("Create new key with empty name", func() {
+			k, err := cfg.Section("").NewKey("", "")
+			So(err, ShouldNotBeNil)
+			So(k, ShouldBeNil)
+		})
+
+		Convey("Create new section with empty name", func() {
+			s, err := cfg.NewSection("")
+			So(err, ShouldNotBeNil)
+			So(s, ShouldBeNil)
+		})
+
+		Convey("Create new sections with empty name", func() {
+			So(cfg.NewSections(""), ShouldNotBeNil)
+		})
+
+		Convey("Get section that not exists", func() {
+			s, err := cfg.GetSection("404")
+			So(err, ShouldNotBeNil)
+			So(s, ShouldBeNil)
+
+			s = cfg.Section("404")
+			So(s, ShouldNotBeNil)
+		})
+	})
+
+	Convey("Test key hash clone", t, func() {
+		cfg, err := Load([]byte(strings.Replace("network=tcp,addr=127.0.0.1:6379,db=4,pool_size=100,idle_timeout=180", ",", "\n", -1)))
+		So(err, ShouldBeNil)
+		for _, v := range cfg.Section("").KeysHash() {
+			So(len(v), ShouldBeGreaterThan, 0)
+		}
+	})
+
+	Convey("Key has empty value", t, func() {
+		_conf := `key1=
+key2= ; comment`
+		cfg, err := Load([]byte(_conf))
+		So(err, ShouldBeNil)
+		So(cfg.Section("").Key("key1").Value(), ShouldBeEmpty)
+	})
+}
+
+const _CONF_GIT_CONFIG = `
+[remote "origin"]
+        url = https://github.com/Antergone/test1.git
+        url = https://github.com/Antergone/test2.git
+`
+
+func Test_Key_Shadows(t *testing.T) {
+	Convey("Shadows keys", t, func() {
+		Convey("Disable shadows", func() {
+			cfg, err := Load([]byte(_CONF_GIT_CONFIG))
+			So(err, ShouldBeNil)
+			So(cfg.Section(`remote "origin"`).Key("url").String(), ShouldEqual, "https://github.com/Antergone/test2.git")
+		})
+
+		Convey("Enable shadows", func() {
+			cfg, err := ShadowLoad([]byte(_CONF_GIT_CONFIG))
+			So(err, ShouldBeNil)
+			So(cfg.Section(`remote "origin"`).Key("url").String(), ShouldEqual, "https://github.com/Antergone/test1.git")
+			So(strings.Join(cfg.Section(`remote "origin"`).Key("url").ValueWithShadows(), " "), ShouldEqual,
+				"https://github.com/Antergone/test1.git https://github.com/Antergone/test2.git")
+
+			Convey("Save with shadows", func() {
+				var buf bytes.Buffer
+				_, err := cfg.WriteTo(&buf)
+				So(err, ShouldBeNil)
+				So(buf.String(), ShouldEqual, `[remote "origin"]
+url = https://github.com/Antergone/test1.git
+url = https://github.com/Antergone/test2.git
+
+`)
+			})
+		})
+	})
+}
+
+func newTestFile(block bool) *File {
+	c, _ := Load([]byte(_CONF_DATA))
+	c.BlockMode = block
+	return c
+}
+
+func Benchmark_Key_Value(b *testing.B) {
+	c := newTestFile(true)
+	for i := 0; i < b.N; i++ {
+		c.Section("").Key("NAME").Value()
+	}
+}
+
+func Benchmark_Key_Value_NonBlock(b *testing.B) {
+	c := newTestFile(false)
+	for i := 0; i < b.N; i++ {
+		c.Section("").Key("NAME").Value()
+	}
+}
+
+func Benchmark_Key_Value_ViaSection(b *testing.B) {
+	c := newTestFile(true)
+	sec := c.Section("")
+	for i := 0; i < b.N; i++ {
+		sec.Key("NAME").Value()
+	}
+}
+
+func Benchmark_Key_Value_ViaSection_NonBlock(b *testing.B) {
+	c := newTestFile(false)
+	sec := c.Section("")
+	for i := 0; i < b.N; i++ {
+		sec.Key("NAME").Value()
+	}
+}
+
+func Benchmark_Key_Value_Direct(b *testing.B) {
+	c := newTestFile(true)
+	key := c.Section("").Key("NAME")
+	for i := 0; i < b.N; i++ {
+		key.Value()
+	}
+}
+
+func Benchmark_Key_Value_Direct_NonBlock(b *testing.B) {
+	c := newTestFile(false)
+	key := c.Section("").Key("NAME")
+	for i := 0; i < b.N; i++ {
+		key.Value()
+	}
+}
+
+func Benchmark_Key_String(b *testing.B) {
+	c := newTestFile(true)
+	for i := 0; i < b.N; i++ {
+		_ = c.Section("").Key("NAME").String()
+	}
+}
+
+func Benchmark_Key_String_NonBlock(b *testing.B) {
+	c := newTestFile(false)
+	for i := 0; i < b.N; i++ {
+		_ = c.Section("").Key("NAME").String()
+	}
+}
+
+func Benchmark_Key_String_ViaSection(b *testing.B) {
+	c := newTestFile(true)
+	sec := c.Section("")
+	for i := 0; i < b.N; i++ {
+		_ = sec.Key("NAME").String()
+	}
+}
+
+func Benchmark_Key_String_ViaSection_NonBlock(b *testing.B) {
+	c := newTestFile(false)
+	sec := c.Section("")
+	for i := 0; i < b.N; i++ {
+		_ = sec.Key("NAME").String()
+	}
+}
+
+func Benchmark_Key_SetValue(b *testing.B) {
+	c := newTestFile(true)
+	for i := 0; i < b.N; i++ {
+		c.Section("").Key("NAME").SetValue("10")
+	}
+}
+
+func Benchmark_Key_SetValue_VisSection(b *testing.B) {
+	c := newTestFile(true)
+	sec := c.Section("")
+	for i := 0; i < b.N; i++ {
+		sec.Key("NAME").SetValue("10")
+	}
+}
diff --git a/vendor/github.com/go-ini/ini/parser.go b/vendor/github.com/go-ini/ini/parser.go
new file mode 100644
index 000000000..69d547627
--- /dev/null
+++ b/vendor/github.com/go-ini/ini/parser.go
@@ -0,0 +1,361 @@
+// Copyright 2015 Unknwon
+//
+// Licensed under the Apache License, Version 2.0 (the "License"): you may
+// not use this file except in compliance with the License. You may obtain
+// a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+// License for the specific language governing permissions and limitations
+// under the License.
+
+package ini
+
+import (
+	"bufio"
+	"bytes"
+	"fmt"
+	"io"
+	"strconv"
+	"strings"
+	"unicode"
+)
+
+type tokenType int
+
+const (
+	_TOKEN_INVALID tokenType = iota
+	_TOKEN_COMMENT
+	_TOKEN_SECTION
+	_TOKEN_KEY
+)
+
+type parser struct {
+	buf     *bufio.Reader
+	isEOF   bool
+	count   int
+	comment *bytes.Buffer
+}
+
+func newParser(r io.Reader) *parser {
+	return &parser{
+		buf:     bufio.NewReader(r),
+		count:   1,
+		comment: &bytes.Buffer{},
+	}
+}
+
+// BOM handles header of UTF-8, UTF-16 LE and UTF-16 BE's BOM format.
+// http://en.wikipedia.org/wiki/Byte_order_mark#Representations_of_byte_order_marks_by_encoding
+func (p *parser) BOM() error {
+	mask, err := p.buf.Peek(2)
+	if err != nil && err != io.EOF {
+		return err
+	} else if len(mask) < 2 {
+		return nil
+	}
+
+	switch {
+	case mask[0] == 254 && mask[1] == 255:
+		fallthrough
+	case mask[0] == 255 && mask[1] == 254:
+		p.buf.Read(mask)
+	case mask[0] == 239 && mask[1] == 187:
+		mask, err := p.buf.Peek(3)
+		if err != nil && err != io.EOF {
+			return err
+		} else if len(mask) < 3 {
+			return nil
+		}
+		if mask[2] == 191 {
+			p.buf.Read(mask)
+		}
+	}
+	return nil
+}
+
+func (p *parser) readUntil(delim byte) ([]byte, error) {
+	data, err := p.buf.ReadBytes(delim)
+	if err != nil {
+		if err == io.EOF {
+			p.isEOF = true
+		} else {
+			return nil, err
+		}
+	}
+	return data, nil
+}
+
+func cleanComment(in []byte) ([]byte, bool) {
+	i := bytes.IndexAny(in, "#;")
+	if i == -1 {
+		return nil, false
+	}
+	return in[i:], true
+}
+
+func readKeyName(in []byte) (string, int, error) {
+	line := string(in)
+
+	// Check if key name surrounded by quotes.
+	var keyQuote string
+	if line[0] == '"' {
+		if len(line) > 6 && string(line[0:3]) == `"""` {
+			keyQuote = `"""`
+		} else {
+			keyQuote = `"`
+		}
+	} else if line[0] == '`' {
+		keyQuote = "`"
+	}
+
+	// Get out key name
+	endIdx := -1
+	if len(keyQuote) > 0 {
+		startIdx := len(keyQuote)
+		// FIXME: fail case -> """"""name"""=value
+		pos := strings.Index(line[startIdx:], keyQuote)
+		if pos == -1 {
+			return "", -1, fmt.Errorf("missing closing key quote: %s", line)
+		}
+		pos += startIdx
+
+		// Find key-value delimiter
+		i := strings.IndexAny(line[pos+startIdx:], "=:")
+		if i < 0 {
+			return "", -1, ErrDelimiterNotFound{line}
+		}
+		endIdx = pos + i
+		return strings.TrimSpace(line[startIdx:pos]), endIdx + startIdx + 1, nil
+	}
+
+	endIdx = strings.IndexAny(line, "=:")
+	if endIdx < 0 {
+		return "", -1, ErrDelimiterNotFound{line}
+	}
+	return strings.TrimSpace(line[0:endIdx]), endIdx + 1, nil
+}
+
+func (p *parser) readMultilines(line, val, valQuote string) (string, error) {
+	for {
+		data, err := p.readUntil('\n')
+		if err != nil {
+			return "", err
+		}
+		next := string(data)
+
+		pos := strings.LastIndex(next, valQuote)
+		if pos > -1 {
+			val += next[:pos]
+
+			comment, has := cleanComment([]byte(next[pos:]))
+			if has {
+				p.comment.Write(bytes.TrimSpace(comment))
+			}
+			break
+		}
+		val += next
+		if p.isEOF {
+			return "", fmt.Errorf("missing closing key quote from '%s' to '%s'", line, next)
+		}
+	}
+	return val, nil
+}
+
+func (p *parser) readContinuationLines(val string) (string, error) {
+	for {
+		data, err := p.readUntil('\n')
+		if err != nil {
+			return "", err
+		}
+		next := strings.TrimSpace(string(data))
+
+		if len(next) == 0 {
+			break
+		}
+		val += next
+		if val[len(val)-1] != '\\' {
+			break
+		}
+		val = val[:len(val)-1]
+	}
+	return val, nil
+}
+
+// hasSurroundedQuote check if and only if the first and last characters
+// are quotes \" or \'.
+// It returns false if any other parts also contain same kind of quotes.
+func hasSurroundedQuote(in string, quote byte) bool {
+	return len(in) >= 2 && in[0] == quote && in[len(in)-1] == quote &&
+		strings.IndexByte(in[1:], quote) == len(in)-2
+}
+
+func (p *parser) readValue(in []byte, ignoreContinuation, ignoreInlineComment bool) (string, error) {
+	line := strings.TrimLeftFunc(string(in), unicode.IsSpace)
+	if len(line) == 0 {
+		return "", nil
+	}
+
+	var valQuote string
+	if len(line) > 3 && string(line[0:3]) == `"""` {
+		valQuote = `"""`
+	} else if line[0] == '`' {
+		valQuote = "`"
+	}
+
+	if len(valQuote) > 0 {
+		startIdx := len(valQuote)
+		pos := strings.LastIndex(line[startIdx:], valQuote)
+		// Check for multi-line value
+		if pos == -1 {
+			return p.readMultilines(line, line[startIdx:], valQuote)
+		}
+
+		return line[startIdx : pos+startIdx], nil
+	}
+
+	// Won't be able to reach here if value only contains whitespace
+	line = strings.TrimSpace(line)
+
+	// Check continuation lines when desired
+	if !ignoreContinuation && line[len(line)-1] == '\\' {
+		return p.readContinuationLines(line[:len(line)-1])
+	}
+
+	// Check if ignore inline comment
+	if !ignoreInlineComment {
+		i := strings.IndexAny(line, "#;")
+		if i > -1 {
+			p.comment.WriteString(line[i:])
+			line = strings.TrimSpace(line[:i])
+		}
+	}
+
+	// Trim single quotes
+	if hasSurroundedQuote(line, '\'') ||
+		hasSurroundedQuote(line, '"') {
+		line = line[1 : len(line)-1]
+	}
+	return line, nil
+}
+
+// parse parses data through an io.Reader.
+func (f *File) parse(reader io.Reader) (err error) {
+	p := newParser(reader)
+	if err = p.BOM(); err != nil {
+		return fmt.Errorf("BOM: %v", err)
+	}
+
+	// Ignore error because default section name is never empty string.
+	section, _ := f.NewSection(DEFAULT_SECTION)
+
+	var line []byte
+	var inUnparseableSection bool
+	for !p.isEOF {
+		line, err = p.readUntil('\n')
+		if err != nil {
+			return err
+		}
+
+		line = bytes.TrimLeftFunc(line, unicode.IsSpace)
+		if len(line) == 0 {
+			continue
+		}
+
+		// Comments
+		if line[0] == '#' || line[0] == ';' {
+			// Note: we do not care ending line break,
+			// it is needed for adding second line,
+			// so just clean it once at the end when set to value.
+			p.comment.Write(line)
+			continue
+		}
+
+		// Section
+		if line[0] == '[' {
+			// Read to the next ']' (TODO: support quoted strings)
+			// TODO(unknwon): use LastIndexByte when stop supporting Go1.4
+			closeIdx := bytes.LastIndex(line, []byte("]"))
+			if closeIdx == -1 {
+				return fmt.Errorf("unclosed section: %s", line)
+			}
+
+			name := string(line[1:closeIdx])
+			section, err = f.NewSection(name)
+			if err != nil {
+				return err
+			}
+
+			comment, has := cleanComment(line[closeIdx+1:])
+			if has {
+				p.comment.Write(comment)
+			}
+
+			section.Comment = strings.TrimSpace(p.comment.String())
+
+			// Reset aotu-counter and comments
+			p.comment.Reset()
+			p.count = 1
+
+			inUnparseableSection = false
+			for i := range f.options.UnparseableSections {
+				if f.options.UnparseableSections[i] == name ||
+					(f.options.Insensitive && strings.ToLower(f.options.UnparseableSections[i]) == strings.ToLower(name)) {
+					inUnparseableSection = true
+					continue
+				}
+			}
+			continue
+		}
+
+		if inUnparseableSection {
+			section.isRawSection = true
+			section.rawBody += string(line)
+			continue
+		}
+
+		kname, offset, err := readKeyName(line)
+		if err != nil {
+			// Treat as boolean key when desired, and whole line is key name.
+			if IsErrDelimiterNotFound(err) && f.options.AllowBooleanKeys {
+				kname, err := p.readValue(line, f.options.IgnoreContinuation, f.options.IgnoreInlineComment)
+				if err != nil {
+					return err
+				}
+				key, err := section.NewBooleanKey(kname)
+				if err != nil {
+					return err
+				}
+				key.Comment = strings.TrimSpace(p.comment.String())
+				p.comment.Reset()
+				continue
+			}
+			return err
+		}
+
+		// Auto increment.
+		isAutoIncr := false
+		if kname == "-" {
+			isAutoIncr = true
+			kname = "#" + strconv.Itoa(p.count)
+			p.count++
+		}
+
+		value, err := p.readValue(line[offset:], f.options.IgnoreContinuation, f.options.IgnoreInlineComment)
+		if err != nil {
+			return err
+		}
+
+		key, err := section.NewKey(kname, value)
+		if err != nil {
+			return err
+		}
+		key.isAutoIncrement = isAutoIncr
+		key.Comment = strings.TrimSpace(p.comment.String())
+		p.comment.Reset()
+	}
+	return nil
+}
diff --git a/vendor/github.com/go-ini/ini/parser_test.go b/vendor/github.com/go-ini/ini/parser_test.go
new file mode 100644
index 000000000..05258195b
--- /dev/null
+++ b/vendor/github.com/go-ini/ini/parser_test.go
@@ -0,0 +1,42 @@
+// Copyright 2016 Unknwon
+//
+// Licensed under the Apache License, Version 2.0 (the "License"): you may
+// not use this file except in compliance with the License. You may obtain
+// a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+// License for the specific language governing permissions and limitations
+// under the License.
+
+package ini
+
+import (
+	"testing"
+
+	. "github.com/smartystreets/goconvey/convey"
+)
+
+func Test_BOM(t *testing.T) {
+	Convey("Test handling BOM", t, func() {
+		Convey("UTF-8-BOM", func() {
+			cfg, err := Load("testdata/UTF-8-BOM.ini")
+			So(err, ShouldBeNil)
+			So(cfg, ShouldNotBeNil)
+
+			So(cfg.Section("author").Key("E-MAIL").String(), ShouldEqual, "u@gogs.io")
+		})
+
+		Convey("UTF-16-LE-BOM", func() {
+			cfg, err := Load("testdata/UTF-16-LE-BOM.ini")
+			So(err, ShouldBeNil)
+			So(cfg, ShouldNotBeNil)
+		})
+
+		Convey("UTF-16-BE-BOM", func() {
+		})
+	})
+}
diff --git a/vendor/github.com/go-ini/ini/section.go b/vendor/github.com/go-ini/ini/section.go
new file mode 100644
index 000000000..94f7375ed
--- /dev/null
+++ b/vendor/github.com/go-ini/ini/section.go
@@ -0,0 +1,248 @@
+// Copyright 2014 Unknwon
+//
+// Licensed under the Apache License, Version 2.0 (the "License"): you may
+// not use this file except in compliance with the License. You may obtain
+// a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+// License for the specific language governing permissions and limitations
+// under the License.
+
+package ini
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+)
+
+// Section represents a config section.
+type Section struct {
+	f        *File
+	Comment  string
+	name     string
+	keys     map[string]*Key
+	keyList  []string
+	keysHash map[string]string
+
+	isRawSection bool
+	rawBody      string
+}
+
+func newSection(f *File, name string) *Section {
+	return &Section{
+		f:        f,
+		name:     name,
+		keys:     make(map[string]*Key),
+		keyList:  make([]string, 0, 10),
+		keysHash: make(map[string]string),
+	}
+}
+
+// Name returns name of Section.
+func (s *Section) Name() string {
+	return s.name
+}
+
+// Body returns rawBody of Section if the section was marked as unparseable.
+// It still follows the other rules of the INI format surrounding leading/trailing whitespace.
+func (s *Section) Body() string {
+	return strings.TrimSpace(s.rawBody)
+}
+
+// NewKey creates a new key to given section.
+func (s *Section) NewKey(name, val string) (*Key, error) {
+	if len(name) == 0 {
+		return nil, errors.New("error creating new key: empty key name")
+	} else if s.f.options.Insensitive {
+		name = strings.ToLower(name)
+	}
+
+	if s.f.BlockMode {
+		s.f.lock.Lock()
+		defer s.f.lock.Unlock()
+	}
+
+	if inSlice(name, s.keyList) {
+		if s.f.options.AllowShadows {
+			if err := s.keys[name].addShadow(val); err != nil {
+				return nil, err
+			}
+		} else {
+			s.keys[name].value = val
+		}
+		return s.keys[name], nil
+	}
+
+	s.keyList = append(s.keyList, name)
+	s.keys[name] = newKey(s, name, val)
+	s.keysHash[name] = val
+	return s.keys[name], nil
+}
+
+// NewBooleanKey creates a new boolean type key to given section.
+func (s *Section) NewBooleanKey(name string) (*Key, error) {
+	key, err := s.NewKey(name, "true")
+	if err != nil {
+		return nil, err
+	}
+
+	key.isBooleanType = true
+	return key, nil
+}
+
+// GetKey returns key in section by given name.
+func (s *Section) GetKey(name string) (*Key, error) {
+	// FIXME: change to section level lock?
+	if s.f.BlockMode {
+		s.f.lock.RLock()
+	}
+	if s.f.options.Insensitive {
+		name = strings.ToLower(name)
+	}
+	key := s.keys[name]
+	if s.f.BlockMode {
+		s.f.lock.RUnlock()
+	}
+
+	if key == nil {
+		// Check if it is a child-section.
+		sname := s.name
+		for {
+			if i := strings.LastIndex(sname, "."); i > -1 {
+				sname = sname[:i]
+				sec, err := s.f.GetSection(sname)
+				if err != nil {
+					continue
+				}
+				return sec.GetKey(name)
+			} else {
+				break
+			}
+		}
+		return nil, fmt.Errorf("error when getting key of section '%s': key '%s' not exists", s.name, name)
+	}
+	return key, nil
+}
+
+// HasKey returns true if section contains a key with given name.
+func (s *Section) HasKey(name string) bool {
+	key, _ := s.GetKey(name)
+	return key != nil
+}
+
+// Haskey is a backwards-compatible name for HasKey.
+func (s *Section) Haskey(name string) bool {
+	return s.HasKey(name)
+}
+
+// HasValue returns true if section contains given raw value.
+func (s *Section) HasValue(value string) bool {
+	if s.f.BlockMode {
+		s.f.lock.RLock()
+		defer s.f.lock.RUnlock()
+	}
+
+	for _, k := range s.keys {
+		if value == k.value {
+			return true
+		}
+	}
+	return false
+}
+
+// Key assumes named Key exists in section and returns a zero-value when not.
+func (s *Section) Key(name string) *Key {
+	key, err := s.GetKey(name)
+	if err != nil {
+		// It's OK here because the only possible error is empty key name,
+		// but if it's empty, this piece of code won't be executed.
+		key, _ = s.NewKey(name, "")
+		return key
+	}
+	return key
+}
+
+// Keys returns list of keys of section.
+func (s *Section) Keys() []*Key {
+	keys := make([]*Key, len(s.keyList))
+	for i := range s.keyList {
+		keys[i] = s.Key(s.keyList[i])
+	}
+	return keys
+}
+
+// ParentKeys returns list of keys of parent section.
+func (s *Section) ParentKeys() []*Key {
+	var parentKeys []*Key
+	sname := s.name
+	for {
+		if i := strings.LastIndex(sname, "."); i > -1 {
+			sname = sname[:i]
+			sec, err := s.f.GetSection(sname)
+			if err != nil {
+				continue
+			}
+			parentKeys = append(parentKeys, sec.Keys()...)
+		} else {
+			break
+		}
+
+	}
+	return parentKeys
+}
+
+// KeyStrings returns list of key names of section.
+func (s *Section) KeyStrings() []string {
+	list := make([]string, len(s.keyList))
+	copy(list, s.keyList)
+	return list
+}
+
+// KeysHash returns keys hash consisting of names and values.
+func (s *Section) KeysHash() map[string]string {
+	if s.f.BlockMode {
+		s.f.lock.RLock()
+		defer s.f.lock.RUnlock()
+	}
+
+	hash := map[string]string{}
+	for key, value := range s.keysHash {
+		hash[key] = value
+	}
+	return hash
+}
+
+// DeleteKey deletes a key from section.
+func (s *Section) DeleteKey(name string) {
+	if s.f.BlockMode {
+		s.f.lock.Lock()
+		defer s.f.lock.Unlock()
+	}
+
+	for i, k := range s.keyList {
+		if k == name {
+			s.keyList = append(s.keyList[:i], s.keyList[i+1:]...)
+			delete(s.keys, name)
+			return
+		}
+	}
+}
+
+// ChildSections returns a list of child sections of current section.
+// For example, "[parent.child1]" and "[parent.child12]" are child sections
+// of section "[parent]".
+func (s *Section) ChildSections() []*Section {
+	prefix := s.name + "."
+	children := make([]*Section, 0, 3)
+	for _, name := range s.f.sectionList {
+		if strings.HasPrefix(name, prefix) {
+			children = append(children, s.f.sections[name])
+		}
+	}
+	return children
+}
diff --git a/vendor/github.com/go-ini/ini/section_test.go b/vendor/github.com/go-ini/ini/section_test.go
new file mode 100644
index 000000000..80282c197
--- /dev/null
+++ b/vendor/github.com/go-ini/ini/section_test.go
@@ -0,0 +1,75 @@
+// Copyright 2014 Unknwon
+//
+// Licensed under the Apache License, Version 2.0 (the "License"): you may
+// not use this file except in compliance with the License. You may obtain
+// a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+// License for the specific language governing permissions and limitations
+// under the License.
+
+package ini
+
+import (
+	"strings"
+	"testing"
+
+	. "github.com/smartystreets/goconvey/convey"
+)
+
+func Test_Section(t *testing.T) {
+	Convey("Test CRD sections", t, func() {
+		cfg, err := Load([]byte(_CONF_DATA), "testdata/conf.ini")
+		So(err, ShouldBeNil)
+		So(cfg, ShouldNotBeNil)
+
+		Convey("Get section strings", func() {
+			So(strings.Join(cfg.SectionStrings(), ","), ShouldEqual, "DEFAULT,author,package,package.sub,features,types,array,note,comments,advance")
+		})
+
+		Convey("Delete a section", func() {
+			cfg.DeleteSection("")
+			So(cfg.SectionStrings()[0], ShouldNotEqual, DEFAULT_SECTION)
+		})
+
+		Convey("Create new sections", func() {
+			cfg.NewSections("test", "test2")
+			_, err := cfg.GetSection("test")
+			So(err, ShouldBeNil)
+			_, err = cfg.GetSection("test2")
+			So(err, ShouldBeNil)
+		})
+	})
+}
+
+func Test_SectionRaw(t *testing.T) {
+	Convey("Test section raw string", t, func() {
+		cfg, err := LoadSources(
+			LoadOptions{
+				Insensitive: true,
+				UnparseableSections: []string{"core_lesson", "comments"},
+			},
+			"testdata/aicc.ini")
+		So(err, ShouldBeNil)
+		So(cfg, ShouldNotBeNil)
+
+		Convey("Get section strings", func() {
+			So(strings.Join(cfg.SectionStrings(), ","), ShouldEqual, "DEFAULT,core,core_lesson,comments")
+		})
+
+		Convey("Validate non-raw section", func() {
+			val, err := cfg.Section("core").GetKey("lesson_status")
+			So(err, ShouldBeNil)
+			So(val.String(), ShouldEqual, "C")
+		})
+
+		Convey("Validate raw section", func() {
+			So(cfg.Section("core_lesson").Body(), ShouldEqual, `my lesson state data – 1111111111111111111000000000000000001110000
+111111111111111111100000000000111000000000 – end my lesson state data`)
+		})
+	})
+}
\ No newline at end of file
diff --git a/vendor/github.com/go-ini/ini/struct.go b/vendor/github.com/go-ini/ini/struct.go
new file mode 100644
index 000000000..eeb8dabaa
--- /dev/null
+++ b/vendor/github.com/go-ini/ini/struct.go
@@ -0,0 +1,500 @@
+// Copyright 2014 Unknwon
+//
+// Licensed under the Apache License, Version 2.0 (the "License"): you may
+// not use this file except in compliance with the License. You may obtain
+// a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+// License for the specific language governing permissions and limitations
+// under the License.
+
+package ini
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"reflect"
+	"strings"
+	"time"
+	"unicode"
+)
+
+// NameMapper represents a ini tag name mapper.
+type NameMapper func(string) string
+
+// Built-in name getters.
+var (
+	// AllCapsUnderscore converts to format ALL_CAPS_UNDERSCORE.
+	AllCapsUnderscore NameMapper = func(raw string) string {
+		newstr := make([]rune, 0, len(raw))
+		for i, chr := range raw {
+			if isUpper := 'A' <= chr && chr <= 'Z'; isUpper {
+				if i > 0 {
+					newstr = append(newstr, '_')
+				}
+			}
+			newstr = append(newstr, unicode.ToUpper(chr))
+		}
+		return string(newstr)
+	}
+	// TitleUnderscore converts to format title_underscore.
+	TitleUnderscore NameMapper = func(raw string) string {
+		newstr := make([]rune, 0, len(raw))
+		for i, chr := range raw {
+			if isUpper := 'A' <= chr && chr <= 'Z'; isUpper {
+				if i > 0 {
+					newstr = append(newstr, '_')
+				}
+				chr -= ('A' - 'a')
+			}
+			newstr = append(newstr, chr)
+		}
+		return string(newstr)
+	}
+)
+
+func (s *Section) parseFieldName(raw, actual string) string {
+	if len(actual) > 0 {
+		return actual
+	}
+	if s.f.NameMapper != nil {
+		return s.f.NameMapper(raw)
+	}
+	return raw
+}
+
+func parseDelim(actual string) string {
+	if len(actual) > 0 {
+		return actual
+	}
+	return ","
+}
+
+var reflectTime = reflect.TypeOf(time.Now()).Kind()
+
+// setSliceWithProperType sets proper values to slice based on its type.
+func setSliceWithProperType(key *Key, field reflect.Value, delim string, allowShadow, isStrict bool) error {
+	var strs []string
+	if allowShadow {
+		strs = key.StringsWithShadows(delim)
+	} else {
+		strs = key.Strings(delim)
+	}
+
+	numVals := len(strs)
+	if numVals == 0 {
+		return nil
+	}
+
+	var vals interface{}
+	var err error
+
+	sliceOf := field.Type().Elem().Kind()
+	switch sliceOf {
+	case reflect.String:
+		vals = strs
+	case reflect.Int:
+		vals, err = key.parseInts(strs, true, false)
+	case reflect.Int64:
+		vals, err = key.parseInt64s(strs, true, false)
+	case reflect.Uint:
+		vals, err = key.parseUints(strs, true, false)
+	case reflect.Uint64:
+		vals, err = key.parseUint64s(strs, true, false)
+	case reflect.Float64:
+		vals, err = key.parseFloat64s(strs, true, false)
+	case reflectTime:
+		vals, err = key.parseTimesFormat(time.RFC3339, strs, true, false)
+	default:
+		return fmt.Errorf("unsupported type '[]%s'", sliceOf)
+	}
+	if isStrict {
+		return err
+	}
+
+	slice := reflect.MakeSlice(field.Type(), numVals, numVals)
+	for i := 0; i < numVals; i++ {
+		switch sliceOf {
+		case reflect.String:
+			slice.Index(i).Set(reflect.ValueOf(vals.([]string)[i]))
+		case reflect.Int:
+			slice.Index(i).Set(reflect.ValueOf(vals.([]int)[i]))
+		case reflect.Int64:
+			slice.Index(i).Set(reflect.ValueOf(vals.([]int64)[i]))
+		case reflect.Uint:
+			slice.Index(i).Set(reflect.ValueOf(vals.([]uint)[i]))
+		case reflect.Uint64:
+			slice.Index(i).Set(reflect.ValueOf(vals.([]uint64)[i]))
+		case reflect.Float64:
+			slice.Index(i).Set(reflect.ValueOf(vals.([]float64)[i]))
+		case reflectTime:
+			slice.Index(i).Set(reflect.ValueOf(vals.([]time.Time)[i]))
+		}
+	}
+	field.Set(slice)
+	return nil
+}
+
+func wrapStrictError(err error, isStrict bool) error {
+	if isStrict {
+		return err
+	}
+	return nil
+}
+
+// setWithProperType sets proper value to field based on its type,
+// but it does not return error for failing parsing,
+// because we want to use default value that is already assigned to strcut.
+func setWithProperType(t reflect.Type, key *Key, field reflect.Value, delim string, allowShadow, isStrict bool) error {
+	switch t.Kind() {
+	case reflect.String:
+		if len(key.String()) == 0 {
+			return nil
+		}
+		field.SetString(key.String())
+	case reflect.Bool:
+		boolVal, err := key.Bool()
+		if err != nil {
+			return wrapStrictError(err, isStrict)
+		}
+		field.SetBool(boolVal)
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		durationVal, err := key.Duration()
+		// Skip zero value
+		if err == nil && int(durationVal) > 0 {
+			field.Set(reflect.ValueOf(durationVal))
+			return nil
+		}
+
+		intVal, err := key.Int64()
+		if err != nil {
+			return wrapStrictError(err, isStrict)
+		}
+		field.SetInt(intVal)
+	//	byte is an alias for uint8, so supporting uint8 breaks support for byte
+	case reflect.Uint, reflect.Uint16, reflect.Uint32, reflect.Uint64:
+		durationVal, err := key.Duration()
+		// Skip zero value
+		if err == nil && int(durationVal) > 0 {
+			field.Set(reflect.ValueOf(durationVal))
+			return nil
+		}
+
+		uintVal, err := key.Uint64()
+		if err != nil {
+			return wrapStrictError(err, isStrict)
+		}
+		field.SetUint(uintVal)
+
+	case reflect.Float32, reflect.Float64:
+		floatVal, err := key.Float64()
+		if err != nil {
+			return wrapStrictError(err, isStrict)
+		}
+		field.SetFloat(floatVal)
+	case reflectTime:
+		timeVal, err := key.Time()
+		if err != nil {
+			return wrapStrictError(err, isStrict)
+		}
+		field.Set(reflect.ValueOf(timeVal))
+	case reflect.Slice:
+		return setSliceWithProperType(key, field, delim, allowShadow, isStrict)
+	default:
+		return fmt.Errorf("unsupported type '%s'", t)
+	}
+	return nil
+}
+
+func parseTagOptions(tag string) (rawName string, omitEmpty bool, allowShadow bool) {
+	opts := strings.SplitN(tag, ",", 3)
+	rawName = opts[0]
+	if len(opts) > 1 {
+		omitEmpty = opts[1] == "omitempty"
+	}
+	if len(opts) > 2 {
+		allowShadow = opts[2] == "allowshadow"
+	}
+	return rawName, omitEmpty, allowShadow
+}
+
+func (s *Section) mapTo(val reflect.Value, isStrict bool) error {
+	if val.Kind() == reflect.Ptr {
+		val = val.Elem()
+	}
+	typ := val.Type()
+
+	for i := 0; i < typ.NumField(); i++ {
+		field := val.Field(i)
+		tpField := typ.Field(i)
+
+		tag := tpField.Tag.Get("ini")
+		if tag == "-" {
+			continue
+		}
+
+		rawName, _, allowShadow := parseTagOptions(tag)
+		fieldName := s.parseFieldName(tpField.Name, rawName)
+		if len(fieldName) == 0 || !field.CanSet() {
+			continue
+		}
+
+		isAnonymous := tpField.Type.Kind() == reflect.Ptr && tpField.Anonymous
+		isStruct := tpField.Type.Kind() == reflect.Struct
+		if isAnonymous {
+			field.Set(reflect.New(tpField.Type.Elem()))
+		}
+
+		if isAnonymous || isStruct {
+			if sec, err := s.f.GetSection(fieldName); err == nil {
+				if err = sec.mapTo(field, isStrict); err != nil {
+					return fmt.Errorf("error mapping field(%s): %v", fieldName, err)
+				}
+				continue
+			}
+		}
+
+		if key, err := s.GetKey(fieldName); err == nil {
+			delim := parseDelim(tpField.Tag.Get("delim"))
+			if err = setWithProperType(tpField.Type, key, field, delim, allowShadow, isStrict); err != nil {
+				return fmt.Errorf("error mapping field(%s): %v", fieldName, err)
+			}
+		}
+	}
+	return nil
+}
+
+// MapTo maps section to given struct.
+func (s *Section) MapTo(v interface{}) error {
+	typ := reflect.TypeOf(v)
+	val := reflect.ValueOf(v)
+	if typ.Kind() == reflect.Ptr {
+		typ = typ.Elem()
+		val = val.Elem()
+	} else {
+		return errors.New("cannot map to non-pointer struct")
+	}
+
+	return s.mapTo(val, false)
+}
+
+// MapTo maps section to given struct in strict mode,
+// which returns all possible error including value parsing error.
+func (s *Section) StrictMapTo(v interface{}) error {
+	typ := reflect.TypeOf(v)
+	val := reflect.ValueOf(v)
+	if typ.Kind() == reflect.Ptr {
+		typ = typ.Elem()
+		val = val.Elem()
+	} else {
+		return errors.New("cannot map to non-pointer struct")
+	}
+
+	return s.mapTo(val, true)
+}
+
+// MapTo maps file to given struct.
+func (f *File) MapTo(v interface{}) error {
+	return f.Section("").MapTo(v)
+}
+
+// MapTo maps file to given struct in strict mode,
+// which returns all possible error including value parsing error.
+func (f *File) StrictMapTo(v interface{}) error {
+	return f.Section("").StrictMapTo(v)
+}
+
+// MapTo maps data sources to given struct with name mapper.
+func MapToWithMapper(v interface{}, mapper NameMapper, source interface{}, others ...interface{}) error {
+	cfg, err := Load(source, others...)
+	if err != nil {
+		return err
+	}
+	cfg.NameMapper = mapper
+	return cfg.MapTo(v)
+}
+
+// StrictMapToWithMapper maps data sources to given struct with name mapper in strict mode,
+// which returns all possible error including value parsing error.
+func StrictMapToWithMapper(v interface{}, mapper NameMapper, source interface{}, others ...interface{}) error {
+	cfg, err := Load(source, others...)
+	if err != nil {
+		return err
+	}
+	cfg.NameMapper = mapper
+	return cfg.StrictMapTo(v)
+}
+
+// MapTo maps data sources to given struct.
+func MapTo(v, source interface{}, others ...interface{}) error {
+	return MapToWithMapper(v, nil, source, others...)
+}
+
+// StrictMapTo maps data sources to given struct in strict mode,
+// which returns all possible error including value parsing error.
+func StrictMapTo(v, source interface{}, others ...interface{}) error {
+	return StrictMapToWithMapper(v, nil, source, others...)
+}
+
+// reflectSliceWithProperType does the opposite thing as setSliceWithProperType.
+func reflectSliceWithProperType(key *Key, field reflect.Value, delim string) error {
+	slice := field.Slice(0, field.Len())
+	if field.Len() == 0 {
+		return nil
+	}
+
+	var buf bytes.Buffer
+	sliceOf := field.Type().Elem().Kind()
+	for i := 0; i < field.Len(); i++ {
+		switch sliceOf {
+		case reflect.String:
+			buf.WriteString(slice.Index(i).String())
+		case reflect.Int, reflect.Int64:
+			buf.WriteString(fmt.Sprint(slice.Index(i).Int()))
+		case reflect.Uint, reflect.Uint64:
+			buf.WriteString(fmt.Sprint(slice.Index(i).Uint()))
+		case reflect.Float64:
+			buf.WriteString(fmt.Sprint(slice.Index(i).Float()))
+		case reflectTime:
+			buf.WriteString(slice.Index(i).Interface().(time.Time).Format(time.RFC3339))
+		default:
+			return fmt.Errorf("unsupported type '[]%s'", sliceOf)
+		}
+		buf.WriteString(delim)
+	}
+	key.SetValue(buf.String()[:buf.Len()-1])
+	return nil
+}
+
+// reflectWithProperType does the opposite thing as setWithProperType.
+func reflectWithProperType(t reflect.Type, key *Key, field reflect.Value, delim string) error {
+	switch t.Kind() {
+	case reflect.String:
+		key.SetValue(field.String())
+	case reflect.Bool:
+		key.SetValue(fmt.Sprint(field.Bool()))
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		key.SetValue(fmt.Sprint(field.Int()))
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
+		key.SetValue(fmt.Sprint(field.Uint()))
+	case reflect.Float32, reflect.Float64:
+		key.SetValue(fmt.Sprint(field.Float()))
+	case reflectTime:
+		key.SetValue(fmt.Sprint(field.Interface().(time.Time).Format(time.RFC3339)))
+	case reflect.Slice:
+		return reflectSliceWithProperType(key, field, delim)
+	default:
+		return fmt.Errorf("unsupported type '%s'", t)
+	}
+	return nil
+}
+
+// CR: copied from encoding/json/encode.go with modifications of time.Time support.
+// TODO: add more test coverage.
+func isEmptyValue(v reflect.Value) bool {
+	switch v.Kind() {
+	case reflect.Array, reflect.Map, reflect.Slice, reflect.String:
+		return v.Len() == 0
+	case reflect.Bool:
+		return !v.Bool()
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		return v.Int() == 0
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
+		return v.Uint() == 0
+	case reflect.Float32, reflect.Float64:
+		return v.Float() == 0
+	case reflect.Interface, reflect.Ptr:
+		return v.IsNil()
+	case reflectTime:
+		t, ok := v.Interface().(time.Time)
+		return ok && t.IsZero()
+	}
+	return false
+}
+
+func (s *Section) reflectFrom(val reflect.Value) error {
+	if val.Kind() == reflect.Ptr {
+		val = val.Elem()
+	}
+	typ := val.Type()
+
+	for i := 0; i < typ.NumField(); i++ {
+		field := val.Field(i)
+		tpField := typ.Field(i)
+
+		tag := tpField.Tag.Get("ini")
+		if tag == "-" {
+			continue
+		}
+
+		opts := strings.SplitN(tag, ",", 2)
+		if len(opts) == 2 && opts[1] == "omitempty" && isEmptyValue(field) {
+			continue
+		}
+
+		fieldName := s.parseFieldName(tpField.Name, opts[0])
+		if len(fieldName) == 0 || !field.CanSet() {
+			continue
+		}
+
+		if (tpField.Type.Kind() == reflect.Ptr && tpField.Anonymous) ||
+			(tpField.Type.Kind() == reflect.Struct && tpField.Type.Name() != "Time") {
+			// Note: The only error here is section doesn't exist.
+			sec, err := s.f.GetSection(fieldName)
+			if err != nil {
+				// Note: fieldName can never be empty here, ignore error.
+				sec, _ = s.f.NewSection(fieldName)
+			}
+			if err = sec.reflectFrom(field); err != nil {
+				return fmt.Errorf("error reflecting field (%s): %v", fieldName, err)
+			}
+			continue
+		}
+
+		// Note: Same reason as secion.
+		key, err := s.GetKey(fieldName)
+		if err != nil {
+			key, _ = s.NewKey(fieldName, "")
+		}
+		if err = reflectWithProperType(tpField.Type, key, field, parseDelim(tpField.Tag.Get("delim"))); err != nil {
+			return fmt.Errorf("error reflecting field (%s): %v", fieldName, err)
+		}
+
+	}
+	return nil
+}
+
+// ReflectFrom reflects secion from given struct.
+func (s *Section) ReflectFrom(v interface{}) error {
+	typ := reflect.TypeOf(v)
+	val := reflect.ValueOf(v)
+	if typ.Kind() == reflect.Ptr {
+		typ = typ.Elem()
+		val = val.Elem()
+	} else {
+		return errors.New("cannot reflect from non-pointer struct")
+	}
+
+	return s.reflectFrom(val)
+}
+
+// ReflectFrom reflects file from given struct.
+func (f *File) ReflectFrom(v interface{}) error {
+	return f.Section("").ReflectFrom(v)
+}
+
+// ReflectFrom reflects data sources from given struct with name mapper.
+func ReflectFromWithMapper(cfg *File, v interface{}, mapper NameMapper) error {
+	cfg.NameMapper = mapper
+	return cfg.ReflectFrom(v)
+}
+
+// ReflectFrom reflects data sources from given struct.
+func ReflectFrom(cfg *File, v interface{}) error {
+	return ReflectFromWithMapper(cfg, v, nil)
+}
diff --git a/vendor/github.com/go-ini/ini/struct_test.go b/vendor/github.com/go-ini/ini/struct_test.go
new file mode 100644
index 000000000..b8ba25293
--- /dev/null
+++ b/vendor/github.com/go-ini/ini/struct_test.go
@@ -0,0 +1,352 @@
+// Copyright 2014 Unknwon
+//
+// Licensed under the Apache License, Version 2.0 (the "License"): you may
+// not use this file except in compliance with the License. You may obtain
+// a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+// License for the specific language governing permissions and limitations
+// under the License.
+
+package ini
+
+import (
+	"bytes"
+	"fmt"
+	"strings"
+	"testing"
+	"time"
+
+	. "github.com/smartystreets/goconvey/convey"
+)
+
+type testNested struct {
+	Cities      []string `delim:"|"`
+	Visits      []time.Time
+	Years       []int
+	Numbers     []int64
+	Ages        []uint
+	Populations []uint64
+	Coordinates []float64
+	Note        string
+	Unused      int `ini:"-"`
+}
+
+type testEmbeded struct {
+	GPA float64
+}
+
+type testStruct struct {
+	Name         string `ini:"NAME"`
+	Age          int
+	Male         bool
+	Money        float64
+	Born         time.Time
+	Time         time.Duration `ini:"Duration"`
+	Others       testNested
+	*testEmbeded `ini:"grade"`
+	Unused       int `ini:"-"`
+	Unsigned     uint
+	Omitted      bool     `ini:"omitthis,omitempty"`
+	Shadows      []string `ini:",,allowshadow"`
+	ShadowInts   []int    `ini:"Shadows,,allowshadow"`
+}
+
+const _CONF_DATA_STRUCT = `
+NAME = Unknwon
+Age = 21
+Male = true
+Money = 1.25
+Born = 1993-10-07T20:17:05Z
+Duration = 2h45m
+Unsigned = 3
+omitthis = true
+Shadows = 1, 2
+Shadows = 3, 4
+
+[Others]
+Cities = HangZhou|Boston
+Visits = 1993-10-07T20:17:05Z, 1993-10-07T20:17:05Z
+Years = 1993,1994
+Numbers = 10010,10086
+Ages = 18,19
+Populations = 12345678,98765432
+Coordinates = 192.168,10.11
+Note = Hello world!
+
+[grade]
+GPA = 2.8
+
+[foo.bar]
+Here = there
+When = then
+`
+
+type unsupport struct {
+	Byte byte
+}
+
+type unsupport2 struct {
+	Others struct {
+		Cities byte
+	}
+}
+
+type unsupport3 struct {
+	Cities byte
+}
+
+type unsupport4 struct {
+	*unsupport3 `ini:"Others"`
+}
+
+type defaultValue struct {
+	Name   string
+	Age    int
+	Male   bool
+	Money  float64
+	Born   time.Time
+	Cities []string
+}
+
+type fooBar struct {
+	Here, When string
+}
+
+const _INVALID_DATA_CONF_STRUCT = `
+Name = 
+Age = age
+Male = 123
+Money = money
+Born = nil
+Cities = 
+`
+
+func Test_Struct(t *testing.T) {
+	Convey("Map to struct", t, func() {
+		Convey("Map file to struct", func() {
+			ts := new(testStruct)
+			So(MapTo(ts, []byte(_CONF_DATA_STRUCT)), ShouldBeNil)
+
+			So(ts.Name, ShouldEqual, "Unknwon")
+			So(ts.Age, ShouldEqual, 21)
+			So(ts.Male, ShouldBeTrue)
+			So(ts.Money, ShouldEqual, 1.25)
+			So(ts.Unsigned, ShouldEqual, 3)
+
+			t, err := time.Parse(time.RFC3339, "1993-10-07T20:17:05Z")
+			So(err, ShouldBeNil)
+			So(ts.Born.String(), ShouldEqual, t.String())
+
+			dur, err := time.ParseDuration("2h45m")
+			So(err, ShouldBeNil)
+			So(ts.Time.Seconds(), ShouldEqual, dur.Seconds())
+
+			So(strings.Join(ts.Others.Cities, ","), ShouldEqual, "HangZhou,Boston")
+			So(ts.Others.Visits[0].String(), ShouldEqual, t.String())
+			So(fmt.Sprint(ts.Others.Years), ShouldEqual, "[1993 1994]")
+			So(fmt.Sprint(ts.Others.Numbers), ShouldEqual, "[10010 10086]")
+			So(fmt.Sprint(ts.Others.Ages), ShouldEqual, "[18 19]")
+			So(fmt.Sprint(ts.Others.Populations), ShouldEqual, "[12345678 98765432]")
+			So(fmt.Sprint(ts.Others.Coordinates), ShouldEqual, "[192.168 10.11]")
+			So(ts.Others.Note, ShouldEqual, "Hello world!")
+			So(ts.testEmbeded.GPA, ShouldEqual, 2.8)
+		})
+
+		Convey("Map section to struct", func() {
+			foobar := new(fooBar)
+			f, err := Load([]byte(_CONF_DATA_STRUCT))
+			So(err, ShouldBeNil)
+
+			So(f.Section("foo.bar").MapTo(foobar), ShouldBeNil)
+			So(foobar.Here, ShouldEqual, "there")
+			So(foobar.When, ShouldEqual, "then")
+		})
+
+		Convey("Map to non-pointer struct", func() {
+			cfg, err := Load([]byte(_CONF_DATA_STRUCT))
+			So(err, ShouldBeNil)
+			So(cfg, ShouldNotBeNil)
+
+			So(cfg.MapTo(testStruct{}), ShouldNotBeNil)
+		})
+
+		Convey("Map to unsupported type", func() {
+			cfg, err := Load([]byte(_CONF_DATA_STRUCT))
+			So(err, ShouldBeNil)
+			So(cfg, ShouldNotBeNil)
+
+			cfg.NameMapper = func(raw string) string {
+				if raw == "Byte" {
+					return "NAME"
+				}
+				return raw
+			}
+			So(cfg.MapTo(&unsupport{}), ShouldNotBeNil)
+			So(cfg.MapTo(&unsupport2{}), ShouldNotBeNil)
+			So(cfg.MapTo(&unsupport4{}), ShouldNotBeNil)
+		})
+
+		Convey("Map to omitempty field", func() {
+			ts := new(testStruct)
+			So(MapTo(ts, []byte(_CONF_DATA_STRUCT)), ShouldBeNil)
+
+			So(ts.Omitted, ShouldEqual, true)
+		})
+
+		Convey("Map with shadows", func() {
+			cfg, err := LoadSources(LoadOptions{AllowShadows: true}, []byte(_CONF_DATA_STRUCT))
+			So(err, ShouldBeNil)
+			ts := new(testStruct)
+			So(cfg.MapTo(ts), ShouldBeNil)
+
+			So(strings.Join(ts.Shadows, " "), ShouldEqual, "1 2 3 4")
+			So(fmt.Sprintf("%v", ts.ShadowInts), ShouldEqual, "[1 2 3 4]")
+		})
+
+		Convey("Map from invalid data source", func() {
+			So(MapTo(&testStruct{}, "hi"), ShouldNotBeNil)
+		})
+
+		Convey("Map to wrong types and gain default values", func() {
+			cfg, err := Load([]byte(_INVALID_DATA_CONF_STRUCT))
+			So(err, ShouldBeNil)
+
+			t, err := time.Parse(time.RFC3339, "1993-10-07T20:17:05Z")
+			So(err, ShouldBeNil)
+			dv := &defaultValue{"Joe", 10, true, 1.25, t, []string{"HangZhou", "Boston"}}
+			So(cfg.MapTo(dv), ShouldBeNil)
+			So(dv.Name, ShouldEqual, "Joe")
+			So(dv.Age, ShouldEqual, 10)
+			So(dv.Male, ShouldBeTrue)
+			So(dv.Money, ShouldEqual, 1.25)
+			So(dv.Born.String(), ShouldEqual, t.String())
+			So(strings.Join(dv.Cities, ","), ShouldEqual, "HangZhou,Boston")
+		})
+	})
+
+	Convey("Map to struct in strict mode", t, func() {
+		cfg, err := Load([]byte(`
+name=bruce
+age=a30`))
+		So(err, ShouldBeNil)
+
+		type Strict struct {
+			Name string `ini:"name"`
+			Age  int    `ini:"age"`
+		}
+		s := new(Strict)
+
+		So(cfg.Section("").StrictMapTo(s), ShouldNotBeNil)
+	})
+
+	Convey("Reflect from struct", t, func() {
+		type Embeded struct {
+			Dates       []time.Time `delim:"|"`
+			Places      []string
+			Years       []int
+			Numbers     []int64
+			Ages        []uint
+			Populations []uint64
+			Coordinates []float64
+			None        []int
+		}
+		type Author struct {
+			Name      string `ini:"NAME"`
+			Male      bool
+			Age       int
+			Height    uint
+			GPA       float64
+			Date      time.Time
+			NeverMind string `ini:"-"`
+			*Embeded  `ini:"infos"`
+		}
+
+		t, err := time.Parse(time.RFC3339, "1993-10-07T20:17:05Z")
+		So(err, ShouldBeNil)
+		a := &Author{"Unknwon", true, 21, 100, 2.8, t, "",
+			&Embeded{
+				[]time.Time{t, t},
+				[]string{"HangZhou", "Boston"},
+				[]int{1993, 1994},
+				[]int64{10010, 10086},
+				[]uint{18, 19},
+				[]uint64{12345678, 98765432},
+				[]float64{192.168, 10.11},
+				[]int{},
+			}}
+		cfg := Empty()
+		So(ReflectFrom(cfg, a), ShouldBeNil)
+
+		var buf bytes.Buffer
+		_, err = cfg.WriteTo(&buf)
+		So(err, ShouldBeNil)
+		So(buf.String(), ShouldEqual, `NAME   = Unknwon
+Male   = true
+Age    = 21
+Height = 100
+GPA    = 2.8
+Date   = 1993-10-07T20:17:05Z
+
+[infos]
+Dates       = 1993-10-07T20:17:05Z|1993-10-07T20:17:05Z
+Places      = HangZhou,Boston
+Years       = 1993,1994
+Numbers     = 10010,10086
+Ages        = 18,19
+Populations = 12345678,98765432
+Coordinates = 192.168,10.11
+None        = 
+
+`)
+
+		Convey("Reflect from non-point struct", func() {
+			So(ReflectFrom(cfg, Author{}), ShouldNotBeNil)
+		})
+
+		Convey("Reflect from struct with omitempty", func() {
+			cfg := Empty()
+			type SpecialStruct struct {
+				FirstName  string    `ini:"first_name"`
+				LastName   string    `ini:"last_name"`
+				JustOmitMe string    `ini:"omitempty"`
+				LastLogin  time.Time `ini:"last_login,omitempty"`
+				LastLogin2 time.Time `ini:",omitempty"`
+				NotEmpty   int       `ini:"omitempty"`
+			}
+
+			So(ReflectFrom(cfg, &SpecialStruct{FirstName: "John", LastName: "Doe", NotEmpty: 9}), ShouldBeNil)
+
+			var buf bytes.Buffer
+			_, err = cfg.WriteTo(&buf)
+			So(buf.String(), ShouldEqual, `first_name = John
+last_name  = Doe
+omitempty  = 9
+
+`)
+		})
+	})
+}
+
+type testMapper struct {
+	PackageName string
+}
+
+func Test_NameGetter(t *testing.T) {
+	Convey("Test name mappers", t, func() {
+		So(MapToWithMapper(&testMapper{}, TitleUnderscore, []byte("packag_name=ini")), ShouldBeNil)
+
+		cfg, err := Load([]byte("PACKAGE_NAME=ini"))
+		So(err, ShouldBeNil)
+		So(cfg, ShouldNotBeNil)
+
+		cfg.NameMapper = AllCapsUnderscore
+		tg := new(testMapper)
+		So(cfg.MapTo(tg), ShouldBeNil)
+		So(tg.PackageName, ShouldEqual, "ini")
+	})
+}
diff --git a/vendor/github.com/go-ini/ini/testdata/UTF-16-BE-BOM.ini b/vendor/github.com/go-ini/ini/testdata/UTF-16-BE-BOM.ini
new file mode 100644
index 000000000..c8bf82c8f
--- /dev/null
+++ b/vendor/github.com/go-ini/ini/testdata/UTF-16-BE-BOM.ini
diff --git a/vendor/github.com/go-ini/ini/testdata/UTF-16-LE-BOM.ini b/vendor/github.com/go-ini/ini/testdata/UTF-16-LE-BOM.ini
new file mode 100644
index 000000000..27f62186e
--- /dev/null
+++ b/vendor/github.com/go-ini/ini/testdata/UTF-16-LE-BOM.ini
diff --git a/vendor/github.com/go-ini/ini/testdata/UTF-8-BOM.ini b/vendor/github.com/go-ini/ini/testdata/UTF-8-BOM.ini
new file mode 100644
index 000000000..2ed0ac1d3
--- /dev/null
+++ b/vendor/github.com/go-ini/ini/testdata/UTF-8-BOM.ini
@@ -0,0 +1,2 @@
+[author]
+E-MAIL = u@gogs.io
\ No newline at end of file
diff --git a/vendor/github.com/go-ini/ini/testdata/aicc.ini b/vendor/github.com/go-ini/ini/testdata/aicc.ini
new file mode 100644
index 000000000..59a61970d
--- /dev/null
+++ b/vendor/github.com/go-ini/ini/testdata/aicc.ini
@@ -0,0 +1,11 @@
+[Core]
+  Lesson_Location = 87
+Lesson_Status = C
+    Score = 3
+Time = 00:02:30
+
+[CORE_LESSON]
+my lesson state data – 1111111111111111111000000000000000001110000
+111111111111111111100000000000111000000000 – end my lesson state data
+[COMMENTS]
+<1><L.Slide#2> This slide has the fuel listed in the wrong units <e.1>
diff --git a/vendor/github.com/go-ini/ini/testdata/conf.ini b/vendor/github.com/go-ini/ini/testdata/conf.ini
new file mode 100644
index 000000000..f8e7ec89f
--- /dev/null
+++ b/vendor/github.com/go-ini/ini/testdata/conf.ini
@@ -0,0 +1,2 @@
+[author]
+E-MAIL = u@gogs.io
\ No newline at end of file
diff --git a/vendor/github.com/golang/protobuf/.travis.yml b/vendor/github.com/golang/protobuf/.travis.yml
new file mode 100644
index 000000000..24e22f85a
--- /dev/null
+++ b/vendor/github.com/golang/protobuf/.travis.yml
@@ -0,0 +1,17 @@
+sudo: false
+language: go
+go:
+- 1.6.x
+- 1.7.x
+- 1.8.x
+
+install:
+  - go get -v -d -t github.com/golang/protobuf/...
+  - curl -L https://github.com/google/protobuf/releases/download/v3.3.0/protoc-3.3.0-linux-x86_64.zip -o /tmp/protoc.zip
+  - unzip /tmp/protoc.zip -d $HOME/protoc
+
+env:
+  - PATH=$HOME/protoc/bin:$PATH
+
+script:
+  - make all test
diff --git a/vendor/github.com/golang/protobuf/README.md b/vendor/github.com/golang/protobuf/README.md
index e560b7321..795f53f6f 100644
--- a/vendor/github.com/golang/protobuf/README.md
+++ b/vendor/github.com/golang/protobuf/README.md
@@ -1,5 +1,7 @@
 # Go support for Protocol Buffers
 
+[![Build Status](https://travis-ci.org/golang/protobuf.svg?branch=master)](https://travis-ci.org/golang/protobuf)
+
 Google's data interchange format.
 Copyright 2010 The Go Authors.
 https://github.com/golang/protobuf
diff --git a/vendor/github.com/golang/protobuf/jsonpb/jsonpb.go b/vendor/github.com/golang/protobuf/jsonpb/jsonpb.go
index c7a45d6f0..412ba1ce4 100644
--- a/vendor/github.com/golang/protobuf/jsonpb/jsonpb.go
+++ b/vendor/github.com/golang/protobuf/jsonpb/jsonpb.go
@@ -753,7 +753,7 @@ func (u *Unmarshaler) unmarshalValue(target reflect.Value, inputValue json.RawMe
 			if err != nil {
 				return fmt.Errorf("bad Timestamp: %v", err)
 			}
-			target.Field(0).SetInt(int64(t.Unix()))
+			target.Field(0).SetInt(t.Unix())
 			target.Field(1).SetInt(int64(t.Nanosecond()))
 			return nil
 		case "Struct":
diff --git a/vendor/github.com/golang/protobuf/proto/encode.go b/vendor/github.com/golang/protobuf/proto/encode.go
index 2b30f8462..8b84d1b22 100644
--- a/vendor/github.com/golang/protobuf/proto/encode.go
+++ b/vendor/github.com/golang/protobuf/proto/encode.go
@@ -174,11 +174,11 @@ func sizeFixed32(x uint64) int {
 // This is the format used for the sint64 protocol buffer type.
 func (p *Buffer) EncodeZigzag64(x uint64) error {
 	// use signed number to get arithmetic right shift.
-	return p.EncodeVarint(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+	return p.EncodeVarint((x << 1) ^ uint64((int64(x) >> 63)))
 }
 
 func sizeZigzag64(x uint64) int {
-	return sizeVarint(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+	return sizeVarint((x << 1) ^ uint64((int64(x) >> 63)))
 }
 
 // EncodeZigzag32 writes a zigzag-encoded 32-bit integer
diff --git a/vendor/github.com/golang/protobuf/proto/text_parser.go b/vendor/github.com/golang/protobuf/proto/text_parser.go
index 61f83c1e1..5e14513f2 100644
--- a/vendor/github.com/golang/protobuf/proto/text_parser.go
+++ b/vendor/github.com/golang/protobuf/proto/text_parser.go
@@ -865,7 +865,7 @@ func (p *textParser) readAny(v reflect.Value, props *Properties) error {
 		return p.readStruct(fv, terminator)
 	case reflect.Uint32:
 		if x, err := strconv.ParseUint(tok.value, 0, 32); err == nil {
-			fv.SetUint(uint64(x))
+			fv.SetUint(x)
 			return nil
 		}
 	case reflect.Uint64:
diff --git a/vendor/github.com/gorilla/websocket/.travis.yml b/vendor/github.com/gorilla/websocket/.travis.yml
index 4ea1e7a1f..3d8d29cf3 100644
--- a/vendor/github.com/gorilla/websocket/.travis.yml
+++ b/vendor/github.com/gorilla/websocket/.travis.yml
@@ -7,6 +7,7 @@ matrix:
     - go: 1.5
     - go: 1.6
     - go: 1.7
+    - go: 1.8
     - go: tip
   allow_failures:
     - go: tip
diff --git a/vendor/github.com/gorilla/websocket/client.go b/vendor/github.com/gorilla/websocket/client.go
index 78d932877..43a87c753 100644
--- a/vendor/github.com/gorilla/websocket/client.go
+++ b/vendor/github.com/gorilla/websocket/client.go
@@ -66,8 +66,9 @@ type Dialer struct {
 	// HandshakeTimeout specifies the duration for the handshake to complete.
 	HandshakeTimeout time.Duration
 
-	// Input and output buffer sizes. If the buffer size is zero, then a
-	// default value of 4096 is used.
+	// ReadBufferSize and WriteBufferSize specify I/O buffer sizes. If a buffer
+	// size is zero, then a useful default size is used. The I/O buffer sizes
+	// do not limit the size of the messages that can be sent or received.
 	ReadBufferSize, WriteBufferSize int
 
 	// Subprotocols specifies the client's requested subprotocols.
@@ -368,7 +369,7 @@ func (d *Dialer) Dial(urlStr string, requestHeader http.Header) (*Conn, *http.Re
 		return nil, resp, ErrBadHandshake
 	}
 
-	for _, ext := range parseExtensions(req.Header) {
+	for _, ext := range parseExtensions(resp.Header) {
 		if ext[""] != "permessage-deflate" {
 			continue
 		}
@@ -389,32 +390,3 @@ func (d *Dialer) Dial(urlStr string, requestHeader http.Header) (*Conn, *http.Re
 	netConn = nil // to avoid close in defer.
 	return conn, resp, nil
 }
-
-// cloneTLSConfig clones all public fields except the fields
-// SessionTicketsDisabled and SessionTicketKey. This avoids copying the
-// sync.Mutex in the sync.Once and makes it safe to call cloneTLSConfig on a
-// config in active use.
-func cloneTLSConfig(cfg *tls.Config) *tls.Config {
-	if cfg == nil {
-		return &tls.Config{}
-	}
-	return &tls.Config{
-		Rand:                     cfg.Rand,
-		Time:                     cfg.Time,
-		Certificates:             cfg.Certificates,
-		NameToCertificate:        cfg.NameToCertificate,
-		GetCertificate:           cfg.GetCertificate,
-		RootCAs:                  cfg.RootCAs,
-		NextProtos:               cfg.NextProtos,
-		ServerName:               cfg.ServerName,
-		ClientAuth:               cfg.ClientAuth,
-		ClientCAs:                cfg.ClientCAs,
-		InsecureSkipVerify:       cfg.InsecureSkipVerify,
-		CipherSuites:             cfg.CipherSuites,
-		PreferServerCipherSuites: cfg.PreferServerCipherSuites,
-		ClientSessionCache:       cfg.ClientSessionCache,
-		MinVersion:               cfg.MinVersion,
-		MaxVersion:               cfg.MaxVersion,
-		CurvePreferences:         cfg.CurvePreferences,
-	}
-}
diff --git a/vendor/github.com/gorilla/websocket/client_clone.go b/vendor/github.com/gorilla/websocket/client_clone.go
new file mode 100644
index 000000000..4f0d94372
--- /dev/null
+++ b/vendor/github.com/gorilla/websocket/client_clone.go
@@ -0,0 +1,16 @@
+// Copyright 2013 The Gorilla WebSocket Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build go1.8
+
+package websocket
+
+import "crypto/tls"
+
+func cloneTLSConfig(cfg *tls.Config) *tls.Config {
+	if cfg == nil {
+		return &tls.Config{}
+	}
+	return cfg.Clone()
+}
diff --git a/vendor/github.com/gorilla/websocket/client_clone_legacy.go b/vendor/github.com/gorilla/websocket/client_clone_legacy.go
new file mode 100644
index 000000000..babb007fb
--- /dev/null
+++ b/vendor/github.com/gorilla/websocket/client_clone_legacy.go
@@ -0,0 +1,38 @@
+// Copyright 2013 The Gorilla WebSocket Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build !go1.8
+
+package websocket
+
+import "crypto/tls"
+
+// cloneTLSConfig clones all public fields except the fields
+// SessionTicketsDisabled and SessionTicketKey. This avoids copying the
+// sync.Mutex in the sync.Once and makes it safe to call cloneTLSConfig on a
+// config in active use.
+func cloneTLSConfig(cfg *tls.Config) *tls.Config {
+	if cfg == nil {
+		return &tls.Config{}
+	}
+	return &tls.Config{
+		Rand:                     cfg.Rand,
+		Time:                     cfg.Time,
+		Certificates:             cfg.Certificates,
+		NameToCertificate:        cfg.NameToCertificate,
+		GetCertificate:           cfg.GetCertificate,
+		RootCAs:                  cfg.RootCAs,
+		NextProtos:               cfg.NextProtos,
+		ServerName:               cfg.ServerName,
+		ClientAuth:               cfg.ClientAuth,
+		ClientCAs:                cfg.ClientCAs,
+		InsecureSkipVerify:       cfg.InsecureSkipVerify,
+		CipherSuites:             cfg.CipherSuites,
+		PreferServerCipherSuites: cfg.PreferServerCipherSuites,
+		ClientSessionCache:       cfg.ClientSessionCache,
+		MinVersion:               cfg.MinVersion,
+		MaxVersion:               cfg.MaxVersion,
+		CurvePreferences:         cfg.CurvePreferences,
+	}
+}
diff --git a/vendor/github.com/gorilla/websocket/compression.go b/vendor/github.com/gorilla/websocket/compression.go
index 72c166b2a..813ffb1e8 100644
--- a/vendor/github.com/gorilla/websocket/compression.go
+++ b/vendor/github.com/gorilla/websocket/compression.go
@@ -12,31 +12,45 @@ import (
 	"sync"
 )
 
+const (
+	minCompressionLevel     = -2 // flate.HuffmanOnly not defined in Go < 1.6
+	maxCompressionLevel     = flate.BestCompression
+	defaultCompressionLevel = 1
+)
+
 var (
-	flateWriterPool = sync.Pool{}
+	flateWriterPools [maxCompressionLevel - minCompressionLevel + 1]sync.Pool
+	flateReaderPool  = sync.Pool{New: func() interface{} {
+		return flate.NewReader(nil)
+	}}
 )
 
-func decompressNoContextTakeover(r io.Reader) io.Reader {
+func decompressNoContextTakeover(r io.Reader) io.ReadCloser {
 	const tail =
 	// Add four bytes as specified in RFC
 	"\x00\x00\xff\xff" +
 		// Add final block to squelch unexpected EOF error from flate reader.
 		"\x01\x00\x00\xff\xff"
-	return flate.NewReader(io.MultiReader(r, strings.NewReader(tail)))
+
+	fr, _ := flateReaderPool.Get().(io.ReadCloser)
+	fr.(flate.Resetter).Reset(io.MultiReader(r, strings.NewReader(tail)), nil)
+	return &flateReadWrapper{fr}
 }
 
-func compressNoContextTakeover(w io.WriteCloser) (io.WriteCloser, error) {
+func isValidCompressionLevel(level int) bool {
+	return minCompressionLevel <= level && level <= maxCompressionLevel
+}
+
+func compressNoContextTakeover(w io.WriteCloser, level int) io.WriteCloser {
+	p := &flateWriterPools[level-minCompressionLevel]
 	tw := &truncWriter{w: w}
-	i := flateWriterPool.Get()
-	var fw *flate.Writer
-	var err error
-	if i == nil {
-		fw, err = flate.NewWriter(tw, 3)
+	fw, _ := p.Get().(*flate.Writer)
+	if fw == nil {
+		fw, _ = flate.NewWriter(tw, level)
 	} else {
-		fw = i.(*flate.Writer)
 		fw.Reset(tw)
 	}
-	return &flateWrapper{fw: fw, tw: tw}, err
+	return &flateWriteWrapper{fw: fw, tw: tw, p: p}
 }
 
 // truncWriter is an io.Writer that writes all but the last four bytes of the
@@ -75,24 +89,25 @@ func (w *truncWriter) Write(p []byte) (int, error) {
 	return n + nn, err
 }
 
-type flateWrapper struct {
+type flateWriteWrapper struct {
 	fw *flate.Writer
 	tw *truncWriter
+	p  *sync.Pool
 }
 
-func (w *flateWrapper) Write(p []byte) (int, error) {
+func (w *flateWriteWrapper) Write(p []byte) (int, error) {
 	if w.fw == nil {
 		return 0, errWriteClosed
 	}
 	return w.fw.Write(p)
 }
 
-func (w *flateWrapper) Close() error {
+func (w *flateWriteWrapper) Close() error {
 	if w.fw == nil {
 		return errWriteClosed
 	}
 	err1 := w.fw.Flush()
-	flateWriterPool.Put(w.fw)
+	w.p.Put(w.fw)
 	w.fw = nil
 	if w.tw.p != [4]byte{0, 0, 0xff, 0xff} {
 		return errors.New("websocket: internal error, unexpected bytes at end of flate stream")
@@ -103,3 +118,31 @@ func (w *flateWrapper) Close() error {
 	}
 	return err2
 }
+
+type flateReadWrapper struct {
+	fr io.ReadCloser
+}
+
+func (r *flateReadWrapper) Read(p []byte) (int, error) {
+	if r.fr == nil {
+		return 0, io.ErrClosedPipe
+	}
+	n, err := r.fr.Read(p)
+	if err == io.EOF {
+		// Preemptively place the reader back in the pool. This helps with
+		// scenarios where the application does not call NextReader() soon after
+		// this final read.
+		r.Close()
+	}
+	return n, err
+}
+
+func (r *flateReadWrapper) Close() error {
+	if r.fr == nil {
+		return io.ErrClosedPipe
+	}
+	err := r.fr.Close()
+	flateReaderPool.Put(r.fr)
+	r.fr = nil
+	return err
+}
diff --git a/vendor/github.com/gorilla/websocket/compression_test.go b/vendor/github.com/gorilla/websocket/compression_test.go
index cad70fb51..659cf4215 100644
--- a/vendor/github.com/gorilla/websocket/compression_test.go
+++ b/vendor/github.com/gorilla/websocket/compression_test.go
@@ -2,7 +2,9 @@ package websocket
 
 import (
 	"bytes"
+	"fmt"
 	"io"
+	"io/ioutil"
 	"testing"
 )
 
@@ -29,3 +31,50 @@ func TestTruncWriter(t *testing.T) {
 		}
 	}
 }
+
+func textMessages(num int) [][]byte {
+	messages := make([][]byte, num)
+	for i := 0; i < num; i++ {
+		msg := fmt.Sprintf("planet: %d, country: %d, city: %d, street: %d", i, i, i, i)
+		messages[i] = []byte(msg)
+	}
+	return messages
+}
+
+func BenchmarkWriteNoCompression(b *testing.B) {
+	w := ioutil.Discard
+	c := newConn(fakeNetConn{Reader: nil, Writer: w}, false, 1024, 1024)
+	messages := textMessages(100)
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		c.WriteMessage(TextMessage, messages[i%len(messages)])
+	}
+	b.ReportAllocs()
+}
+
+func BenchmarkWriteWithCompression(b *testing.B) {
+	w := ioutil.Discard
+	c := newConn(fakeNetConn{Reader: nil, Writer: w}, false, 1024, 1024)
+	messages := textMessages(100)
+	c.enableWriteCompression = true
+	c.newCompressionWriter = compressNoContextTakeover
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		c.WriteMessage(TextMessage, messages[i%len(messages)])
+	}
+	b.ReportAllocs()
+}
+
+func TestValidCompressionLevel(t *testing.T) {
+	c := newConn(fakeNetConn{}, false, 1024, 1024)
+	for _, level := range []int{minCompressionLevel - 1, maxCompressionLevel + 1} {
+		if err := c.SetCompressionLevel(level); err == nil {
+			t.Errorf("no error for level %d", level)
+		}
+	}
+	for _, level := range []int{minCompressionLevel, maxCompressionLevel} {
+		if err := c.SetCompressionLevel(level); err != nil {
+			t.Errorf("error for level %d", level)
+		}
+	}
+}
diff --git a/vendor/github.com/gorilla/websocket/conn.go b/vendor/github.com/gorilla/websocket/conn.go
index ce7f0a615..97e1dbacb 100644
--- a/vendor/github.com/gorilla/websocket/conn.go
+++ b/vendor/github.com/gorilla/websocket/conn.go
@@ -10,6 +10,7 @@ import (
 	"errors"
 	"io"
 	"io/ioutil"
+	"math/rand"
 	"net"
 	"strconv"
 	"sync"
@@ -180,6 +181,11 @@ var (
 	errInvalidControlFrame = errors.New("websocket: invalid control frame")
 )
 
+func newMaskKey() [4]byte {
+	n := rand.Uint32()
+	return [4]byte{byte(n), byte(n >> 8), byte(n >> 16), byte(n >> 24)}
+}
+
 func hideTempErr(err error) error {
 	if e, ok := err.(net.Error); ok && e.Temporary() {
 		err = &netError{msg: e.Error(), timeout: e.Timeout()}
@@ -235,9 +241,11 @@ type Conn struct {
 	writeErr   error
 
 	enableWriteCompression bool
-	newCompressionWriter   func(io.WriteCloser) (io.WriteCloser, error)
+	compressionLevel       int
+	newCompressionWriter   func(io.WriteCloser, int) io.WriteCloser
 
 	// Read fields
+	reader        io.ReadCloser // the current reader returned to the application
 	readErr       error
 	br            *bufio.Reader
 	readRemaining int64 // bytes remaining in current frame.
@@ -253,31 +261,76 @@ type Conn struct {
 	messageReader *messageReader // the current low-level reader
 
 	readDecompress         bool // whether last read frame had RSV1 set
-	newDecompressionReader func(io.Reader) io.Reader
+	newDecompressionReader func(io.Reader) io.ReadCloser
 }
 
 func newConn(conn net.Conn, isServer bool, readBufferSize, writeBufferSize int) *Conn {
+	return newConnBRW(conn, isServer, readBufferSize, writeBufferSize, nil)
+}
+
+type writeHook struct {
+	p []byte
+}
+
+func (wh *writeHook) Write(p []byte) (int, error) {
+	wh.p = p
+	return len(p), nil
+}
+
+func newConnBRW(conn net.Conn, isServer bool, readBufferSize, writeBufferSize int, brw *bufio.ReadWriter) *Conn {
 	mu := make(chan bool, 1)
 	mu <- true
 
-	if readBufferSize == 0 {
-		readBufferSize = defaultReadBufferSize
+	var br *bufio.Reader
+	if readBufferSize == 0 && brw != nil && brw.Reader != nil {
+		// Reuse the supplied bufio.Reader if the buffer has a useful size.
+		// This code assumes that peek on a reader returns
+		// bufio.Reader.buf[:0].
+		brw.Reader.Reset(conn)
+		if p, err := brw.Reader.Peek(0); err == nil && cap(p) >= 256 {
+			br = brw.Reader
+		}
 	}
-	if readBufferSize < maxControlFramePayloadSize {
-		readBufferSize = maxControlFramePayloadSize
+	if br == nil {
+		if readBufferSize == 0 {
+			readBufferSize = defaultReadBufferSize
+		}
+		if readBufferSize < maxControlFramePayloadSize {
+			readBufferSize = maxControlFramePayloadSize
+		}
+		br = bufio.NewReaderSize(conn, readBufferSize)
+	}
+
+	var writeBuf []byte
+	if writeBufferSize == 0 && brw != nil && brw.Writer != nil {
+		// Use the bufio.Writer's buffer if the buffer has a useful size. This
+		// code assumes that bufio.Writer.buf[:1] is passed to the
+		// bufio.Writer's underlying writer.
+		var wh writeHook
+		brw.Writer.Reset(&wh)
+		brw.Writer.WriteByte(0)
+		brw.Flush()
+		if cap(wh.p) >= maxFrameHeaderSize+256 {
+			writeBuf = wh.p[:cap(wh.p)]
+		}
 	}
-	if writeBufferSize == 0 {
-		writeBufferSize = defaultWriteBufferSize
+
+	if writeBuf == nil {
+		if writeBufferSize == 0 {
+			writeBufferSize = defaultWriteBufferSize
+		}
+		writeBuf = make([]byte, writeBufferSize+maxFrameHeaderSize)
 	}
 
 	c := &Conn{
 		isServer:               isServer,
-		br:                     bufio.NewReaderSize(conn, readBufferSize),
+		br:                     br,
 		conn:                   conn,
 		mu:                     mu,
 		readFinal:              true,
-		writeBuf:               make([]byte, writeBufferSize+maxFrameHeaderSize),
+		writeBuf:               writeBuf,
 		enableWriteCompression: true,
+		compressionLevel:       defaultCompressionLevel,
 	}
 	c.SetCloseHandler(nil)
 	c.SetPingHandler(nil)
@@ -443,11 +496,7 @@ func (c *Conn) NextWriter(messageType int) (io.WriteCloser, error) {
 	}
 	c.writer = mw
 	if c.newCompressionWriter != nil && c.enableWriteCompression && isData(messageType) {
-		w, err := c.newCompressionWriter(c.writer)
-		if err != nil {
-			c.writer = nil
-			return nil, err
-		}
+		w := c.newCompressionWriter(c.writer, c.compressionLevel)
 		mw.compress = true
 		c.writer = w
 	}
@@ -654,12 +703,33 @@ func (w *messageWriter) Close() error {
 	return nil
 }
 
+// WritePreparedMessage writes prepared message into connection.
+func (c *Conn) WritePreparedMessage(pm *PreparedMessage) error {
+	frameType, frameData, err := pm.frame(prepareKey{
+		isServer:         c.isServer,
+		compress:         c.newCompressionWriter != nil && c.enableWriteCompression && isData(pm.messageType),
+		compressionLevel: c.compressionLevel,
+	})
+	if err != nil {
+		return err
+	}
+	if c.isWriting {
+		panic("concurrent write to websocket connection")
+	}
+	c.isWriting = true
+	err = c.write(frameType, c.writeDeadline, frameData, nil)
+	if !c.isWriting {
+		panic("concurrent write to websocket connection")
+	}
+	c.isWriting = false
+	return err
+}
+
 // WriteMessage is a helper method for getting a writer using NextWriter,
 // writing the message and closing the writer.
 func (c *Conn) WriteMessage(messageType int, data []byte) error {
 
 	if c.isServer && (c.newCompressionWriter == nil || !c.enableWriteCompression) {
-
 		// Fast path with no allocations and single frame.
 
 		if err := c.prepWrite(messageType); err != nil {
@@ -855,6 +925,11 @@ func (c *Conn) handleProtocolError(message string) error {
 // permanent. Once this method returns a non-nil error, all subsequent calls to
 // this method return the same error.
 func (c *Conn) NextReader() (messageType int, r io.Reader, err error) {
+	// Close previous reader, only relevant for decompression.
+	if c.reader != nil {
+		c.reader.Close()
+		c.reader = nil
+	}
 
 	c.messageReader = nil
 	c.readLength = 0
@@ -867,11 +942,11 @@ func (c *Conn) NextReader() (messageType int, r io.Reader, err error) {
 		}
 		if frameType == TextMessage || frameType == BinaryMessage {
 			c.messageReader = &messageReader{c}
-			var r io.Reader = c.messageReader
+			c.reader = c.messageReader
 			if c.readDecompress {
-				r = c.newDecompressionReader(r)
+				c.reader = c.newDecompressionReader(c.reader)
 			}
-			return frameType, r, nil
+			return frameType, c.reader, nil
 		}
 	}
 
@@ -933,6 +1008,10 @@ func (r *messageReader) Read(b []byte) (int, error) {
 	return 0, err
 }
 
+func (r *messageReader) Close() error {
+	return nil
+}
+
 // ReadMessage is a helper method for getting a reader using NextReader and
 // reading from that reader to a buffer.
 func (c *Conn) ReadMessage() (messageType int, p []byte, err error) {
@@ -969,6 +1048,15 @@ func (c *Conn) CloseHandler() func(code int, text string) error {
 // The code argument to h is the received close code or CloseNoStatusReceived
 // if the close message is empty. The default close handler sends a close frame
 // back to the peer.
+//
+// The application must read the connection to process close messages as
+// described in the section on Control Frames above.
+//
+// The connection read methods return a CloseError when a close frame is
+// received. Most applications should handle close messages as part of their
+// normal error handling. Applications should only set a close handler when the
+// application must perform some action before sending a close frame back to
+// the peer.
 func (c *Conn) SetCloseHandler(h func(code int, text string) error) {
 	if h == nil {
 		h = func(code int, text string) error {
@@ -991,6 +1079,9 @@ func (c *Conn) PingHandler() func(appData string) error {
 // SetPingHandler sets the handler for ping messages received from the peer.
 // The appData argument to h is the PING frame application data. The default
 // ping handler sends a pong to the peer.
+//
+// The application must read the connection to process ping messages as
+// described in the section on Control Frames above.
 func (c *Conn) SetPingHandler(h func(appData string) error) {
 	if h == nil {
 		h = func(message string) error {
@@ -1014,6 +1105,9 @@ func (c *Conn) PongHandler() func(appData string) error {
 // SetPongHandler sets the handler for pong messages received from the peer.
 // The appData argument to h is the PONG frame application data. The default
 // pong handler does nothing.
+//
+// The application must read the connection to process ping messages as
+// described in the section on Control Frames above.
 func (c *Conn) SetPongHandler(h func(appData string) error) {
 	if h == nil {
 		h = func(string) error { return nil }
@@ -1034,6 +1128,18 @@ func (c *Conn) EnableWriteCompression(enable bool) {
 	c.enableWriteCompression = enable
 }
 
+// SetCompressionLevel sets the flate compression level for subsequent text and
+// binary messages. This function is a noop if compression was not negotiated
+// with the peer. See the compress/flate package for a description of
+// compression levels.
+func (c *Conn) SetCompressionLevel(level int) error {
+	if !isValidCompressionLevel(level) {
+		return errors.New("websocket: invalid compression level")
+	}
+	c.compressionLevel = level
+	return nil
+}
+
 // FormatCloseMessage formats closeCode and text as a WebSocket close message.
 func FormatCloseMessage(closeCode int, text string) []byte {
 	buf := make([]byte, 2+len(text))
diff --git a/vendor/github.com/gorilla/websocket/conn_broadcast_test.go b/vendor/github.com/gorilla/websocket/conn_broadcast_test.go
new file mode 100644
index 000000000..45038e488
--- /dev/null
+++ b/vendor/github.com/gorilla/websocket/conn_broadcast_test.go
@@ -0,0 +1,134 @@
+// Copyright 2017 The Gorilla WebSocket Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build go1.7
+
+package websocket
+
+import (
+	"io"
+	"io/ioutil"
+	"sync/atomic"
+	"testing"
+)
+
+// broadcastBench allows to run broadcast benchmarks.
+// In every broadcast benchmark we create many connections, then send the same
+// message into every connection and wait for all writes complete. This emulates
+// an application where many connections listen to the same data - i.e. PUB/SUB
+// scenarios with many subscribers in one channel.
+type broadcastBench struct {
+	w           io.Writer
+	message     *broadcastMessage
+	closeCh     chan struct{}
+	doneCh      chan struct{}
+	count       int32
+	conns       []*broadcastConn
+	compression bool
+	usePrepared bool
+}
+
+type broadcastMessage struct {
+	payload  []byte
+	prepared *PreparedMessage
+}
+
+type broadcastConn struct {
+	conn  *Conn
+	msgCh chan *broadcastMessage
+}
+
+func newBroadcastConn(c *Conn) *broadcastConn {
+	return &broadcastConn{
+		conn:  c,
+		msgCh: make(chan *broadcastMessage, 1),
+	}
+}
+
+func newBroadcastBench(usePrepared, compression bool) *broadcastBench {
+	bench := &broadcastBench{
+		w:           ioutil.Discard,
+		doneCh:      make(chan struct{}),
+		closeCh:     make(chan struct{}),
+		usePrepared: usePrepared,
+		compression: compression,
+	}
+	msg := &broadcastMessage{
+		payload: textMessages(1)[0],
+	}
+	if usePrepared {
+		pm, _ := NewPreparedMessage(TextMessage, msg.payload)
+		msg.prepared = pm
+	}
+	bench.message = msg
+	bench.makeConns(10000)
+	return bench
+}
+
+func (b *broadcastBench) makeConns(numConns int) {
+	conns := make([]*broadcastConn, numConns)
+
+	for i := 0; i < numConns; i++ {
+		c := newConn(fakeNetConn{Reader: nil, Writer: b.w}, true, 1024, 1024)
+		if b.compression {
+			c.enableWriteCompression = true
+			c.newCompressionWriter = compressNoContextTakeover
+		}
+		conns[i] = newBroadcastConn(c)
+		go func(c *broadcastConn) {
+			for {
+				select {
+				case msg := <-c.msgCh:
+					if b.usePrepared {
+						c.conn.WritePreparedMessage(msg.prepared)
+					} else {
+						c.conn.WriteMessage(TextMessage, msg.payload)
+					}
+					val := atomic.AddInt32(&b.count, 1)
+					if val%int32(numConns) == 0 {
+						b.doneCh <- struct{}{}
+					}
+				case <-b.closeCh:
+					return
+				}
+			}
+		}(conns[i])
+	}
+	b.conns = conns
+}
+
+func (b *broadcastBench) close() {
+	close(b.closeCh)
+}
+
+func (b *broadcastBench) runOnce() {
+	for _, c := range b.conns {
+		c.msgCh <- b.message
+	}
+	<-b.doneCh
+}
+
+func BenchmarkBroadcast(b *testing.B) {
+	benchmarks := []struct {
+		name        string
+		usePrepared bool
+		compression bool
+	}{
+		{"NoCompression", false, false},
+		{"WithCompression", false, true},
+		{"NoCompressionPrepared", true, false},
+		{"WithCompressionPrepared", true, true},
+	}
+	for _, bm := range benchmarks {
+		b.Run(bm.name, func(b *testing.B) {
+			bench := newBroadcastBench(bm.usePrepared, bm.compression)
+			defer bench.close()
+			b.ResetTimer()
+			for i := 0; i < b.N; i++ {
+				bench.runOnce()
+			}
+			b.ReportAllocs()
+		})
+	}
+}
diff --git a/vendor/github.com/gorilla/websocket/conn_test.go b/vendor/github.com/gorilla/websocket/conn_test.go
index 7431383b1..06e9bc3f5 100644
--- a/vendor/github.com/gorilla/websocket/conn_test.go
+++ b/vendor/github.com/gorilla/websocket/conn_test.go
@@ -463,3 +463,35 @@ func TestFailedConnectionReadPanic(t *testing.T) {
 	}
 	t.Fatal("should not get here")
 }
+
+func TestBufioReuse(t *testing.T) {
+	brw := bufio.NewReadWriter(bufio.NewReader(nil), bufio.NewWriter(nil))
+	c := newConnBRW(nil, false, 0, 0, brw)
+
+	if c.br != brw.Reader {
+		t.Error("connection did not reuse bufio.Reader")
+	}
+
+	var wh writeHook
+	brw.Writer.Reset(&wh)
+	brw.WriteByte(0)
+	brw.Flush()
+	if &c.writeBuf[0] != &wh.p[0] {
+		t.Error("connection did not reuse bufio.Writer")
+	}
+
+	brw = bufio.NewReadWriter(bufio.NewReaderSize(nil, 0), bufio.NewWriterSize(nil, 0))
+	c = newConnBRW(nil, false, 0, 0, brw)
+
+	if c.br == brw.Reader {
+		t.Error("connection used bufio.Reader with small size")
+	}
+
+	brw.Writer.Reset(&wh)
+	brw.WriteByte(0)
+	brw.Flush()
+	if &c.writeBuf[0] != &wh.p[0] {
+		t.Error("connection used bufio.Writer with small size")
+	}
+
+}
diff --git a/vendor/github.com/gorilla/websocket/doc.go b/vendor/github.com/gorilla/websocket/doc.go
index 610acf712..e291a952c 100644
--- a/vendor/github.com/gorilla/websocket/doc.go
+++ b/vendor/github.com/gorilla/websocket/doc.go
@@ -118,9 +118,10 @@
 //
 // Applications are responsible for ensuring that no more than one goroutine
 // calls the write methods (NextWriter, SetWriteDeadline, WriteMessage,
-// WriteJSON) concurrently and that no more than one goroutine calls the read
-// methods (NextReader, SetReadDeadline, ReadMessage, ReadJSON, SetPongHandler,
-// SetPingHandler) concurrently.
+// WriteJSON, EnableWriteCompression, SetCompressionLevel) concurrently and
+// that no more than one goroutine calls the read methods (NextReader,
+// SetReadDeadline, ReadMessage, ReadJSON, SetPongHandler, SetPingHandler)
+// concurrently.
 //
 // The Close and WriteControl methods can be called concurrently with all other
 // methods.
@@ -150,19 +151,25 @@
 // application's responsibility to check the Origin header before calling
 // Upgrade.
 //
-// Compression [Experimental]
+// Compression EXPERIMENTAL
 //
 // Per message compression extensions (RFC 7692) are experimentally supported
 // by this package in a limited capacity. Setting the EnableCompression option
 // to true in Dialer or Upgrader will attempt to negotiate per message deflate
-// support. If compression was successfully negotiated with the connection's
-// peer, any message received in compressed form will be automatically
-// decompressed. All Read methods will return uncompressed bytes.
+// support.
+//
+//  var upgrader = websocket.Upgrader{
+//      EnableCompression: true,
+//  }
+//
+// If compression was successfully negotiated with the connection's peer, any
+// message received in compressed form will be automatically decompressed.
+// All Read methods will return uncompressed bytes.
 //
 // Per message compression of messages written to a connection can be enabled
 // or disabled by calling the corresponding Conn method:
 //
-// conn.EnableWriteCompression(true)
+//  conn.EnableWriteCompression(false)
 //
 // Currently this package does not support compression with "context takeover".
 // This means that messages must be compressed and decompressed in isolation,
diff --git a/vendor/github.com/gorilla/websocket/examples/autobahn/fuzzingclient.json b/vendor/github.com/gorilla/websocket/examples/autobahn/fuzzingclient.json
index 27d5a5b14..aa3a0bc0a 100644
--- a/vendor/github.com/gorilla/websocket/examples/autobahn/fuzzingclient.json
+++ b/vendor/github.com/gorilla/websocket/examples/autobahn/fuzzingclient.json
@@ -4,6 +4,7 @@
    "outdir": "./reports/clients",
    "servers": [
         {"agent": "ReadAllWriteMessage", "url": "ws://localhost:9000/m", "options": {"version": 18}},
+        {"agent": "ReadAllWritePreparedMessage", "url": "ws://localhost:9000/p", "options": {"version": 18}},
         {"agent": "ReadAllWrite", "url": "ws://localhost:9000/r", "options": {"version": 18}},
         {"agent": "CopyFull", "url": "ws://localhost:9000/f", "options": {"version": 18}},
         {"agent": "CopyWriterOnly", "url": "ws://localhost:9000/c", "options": {"version": 18}}
diff --git a/vendor/github.com/gorilla/websocket/examples/autobahn/server.go b/vendor/github.com/gorilla/websocket/examples/autobahn/server.go
index e98563be9..3db880f90 100644
--- a/vendor/github.com/gorilla/websocket/examples/autobahn/server.go
+++ b/vendor/github.com/gorilla/websocket/examples/autobahn/server.go
@@ -85,7 +85,7 @@ func echoCopyFull(w http.ResponseWriter, r *http.Request) {
 
 // echoReadAll echoes messages from the client by reading the entire message
 // with ioutil.ReadAll.
-func echoReadAll(w http.ResponseWriter, r *http.Request, writeMessage bool) {
+func echoReadAll(w http.ResponseWriter, r *http.Request, writeMessage, writePrepared bool) {
 	conn, err := upgrader.Upgrade(w, r, nil)
 	if err != nil {
 		log.Println("Upgrade:", err)
@@ -109,9 +109,21 @@ func echoReadAll(w http.ResponseWriter, r *http.Request, writeMessage bool) {
 			}
 		}
 		if writeMessage {
-			err = conn.WriteMessage(mt, b)
-			if err != nil {
-				log.Println("WriteMessage:", err)
+			if !writePrepared {
+				err = conn.WriteMessage(mt, b)
+				if err != nil {
+					log.Println("WriteMessage:", err)
+				}
+			} else {
+				pm, err := websocket.NewPreparedMessage(mt, b)
+				if err != nil {
+					log.Println("NewPreparedMessage:", err)
+					return
+				}
+				err = conn.WritePreparedMessage(pm)
+				if err != nil {
+					log.Println("WritePreparedMessage:", err)
+				}
 			}
 		} else {
 			w, err := conn.NextWriter(mt)
@@ -132,11 +144,15 @@ func echoReadAll(w http.ResponseWriter, r *http.Request, writeMessage bool) {
 }
 
 func echoReadAllWriter(w http.ResponseWriter, r *http.Request) {
-	echoReadAll(w, r, false)
+	echoReadAll(w, r, false, false)
 }
 
 func echoReadAllWriteMessage(w http.ResponseWriter, r *http.Request) {
-	echoReadAll(w, r, true)
+	echoReadAll(w, r, true, false)
+}
+
+func echoReadAllWritePreparedMessage(w http.ResponseWriter, r *http.Request) {
+	echoReadAll(w, r, true, true)
 }
 
 func serveHome(w http.ResponseWriter, r *http.Request) {
@@ -161,6 +177,7 @@ func main() {
 	http.HandleFunc("/f", echoCopyFull)
 	http.HandleFunc("/r", echoReadAllWriter)
 	http.HandleFunc("/m", echoReadAllWriteMessage)
+	http.HandleFunc("/p", echoReadAllWritePreparedMessage)
 	err := http.ListenAndServe(*addr, nil)
 	if err != nil {
 		log.Fatal("ListenAndServe: ", err)
diff --git a/vendor/github.com/gorilla/websocket/examples/chat/client.go b/vendor/github.com/gorilla/websocket/examples/chat/client.go
index 26468477c..ecfd9a7aa 100644
--- a/vendor/github.com/gorilla/websocket/examples/chat/client.go
+++ b/vendor/github.com/gorilla/websocket/examples/chat/client.go
@@ -129,6 +129,9 @@ func serveWs(hub *Hub, w http.ResponseWriter, r *http.Request) {
 	}
 	client := &Client{hub: hub, conn: conn, send: make(chan []byte, 256)}
 	client.hub.register <- client
+
+	// Allow collection of memory referenced by the caller by doing all work in
+	// new goroutines.
 	go client.writePump()
-	client.readPump()
+	go client.readPump()
 }
diff --git a/vendor/github.com/gorilla/websocket/examples/chat/home.html b/vendor/github.com/gorilla/websocket/examples/chat/home.html
index 7262918ec..a39a0c276 100644
--- a/vendor/github.com/gorilla/websocket/examples/chat/home.html
+++ b/vendor/github.com/gorilla/websocket/examples/chat/home.html
@@ -9,7 +9,7 @@ window.onload = function () {
     var log = document.getElementById("log");
 
     function appendLog(item) {
-        var doScroll = log.scrollTop === log.scrollHeight - log.clientHeight;
+        var doScroll = log.scrollTop > log.scrollHeight - log.clientHeight - 1;
         log.appendChild(item);
         if (doScroll) {
             log.scrollTop = log.scrollHeight - log.clientHeight;
@@ -29,7 +29,7 @@ window.onload = function () {
     };
 
     if (window["WebSocket"]) {
-        conn = new WebSocket("ws://{{$}}/ws");
+        conn = new WebSocket("ws://" + document.location.host + "/ws");
         conn.onclose = function (evt) {
             var item = document.createElement("div");
             item.innerHTML = "<b>Connection closed.</b>";
diff --git a/vendor/github.com/gorilla/websocket/examples/chat/main.go b/vendor/github.com/gorilla/websocket/examples/chat/main.go
index a865ffec5..74615d59c 100644
--- a/vendor/github.com/gorilla/websocket/examples/chat/main.go
+++ b/vendor/github.com/gorilla/websocket/examples/chat/main.go
@@ -8,11 +8,9 @@ import (
 	"flag"
 	"log"
 	"net/http"
-	"text/template"
 )
 
 var addr = flag.String("addr", ":8080", "http service address")
-var homeTemplate = template.Must(template.ParseFiles("home.html"))
 
 func serveHome(w http.ResponseWriter, r *http.Request) {
 	log.Println(r.URL)
@@ -24,8 +22,7 @@ func serveHome(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "Method not allowed", 405)
 		return
 	}
-	w.Header().Set("Content-Type", "text/html; charset=utf-8")
-	homeTemplate.Execute(w, r.Host)
+	http.ServeFile(w, r, "home.html")
 }
 
 func main() {
diff --git a/vendor/github.com/gorilla/websocket/examples/command/README.md b/vendor/github.com/gorilla/websocket/examples/command/README.md
index c30d3979a..ed6f78684 100644
--- a/vendor/github.com/gorilla/websocket/examples/command/README.md
+++ b/vendor/github.com/gorilla/websocket/examples/command/README.md
@@ -2,7 +2,7 @@
 
 This example connects a websocket connection to stdin and stdout of a command.
 Received messages are written to stdin followed by a `\n`. Each line read from
-from standard out is sent as a message to the client.
+standard out is sent as a message to the client.
 
     $ go get github.com/gorilla/websocket
     $ cd `go list -f '{{.Dir}}' github.com/gorilla/websocket/examples/command`
diff --git a/vendor/github.com/gorilla/websocket/examples/command/home.html b/vendor/github.com/gorilla/websocket/examples/command/home.html
index 72fd02b2a..19c46128a 100644
--- a/vendor/github.com/gorilla/websocket/examples/command/home.html
+++ b/vendor/github.com/gorilla/websocket/examples/command/home.html
@@ -2,47 +2,53 @@
 <html lang="en">
 <head>
 <title>Command Example</title>
-<script src="//ajax.googleapis.com/ajax/libs/jquery/2.0.3/jquery.min.js"></script>
 <script type="text/javascript">
-    $(function() {
-
+window.onload = function () {
     var conn;
-    var msg = $("#msg");
-    var log = $("#log");
+    var msg = document.getElementById("msg");
+    var log = document.getElementById("log");
 
-    function appendLog(msg) {
-        var d = log[0]
-        var doScroll = d.scrollTop == d.scrollHeight - d.clientHeight;
-        msg.appendTo(log)
+    function appendLog(item) {
+        var doScroll = log.scrollTop > log.scrollHeight - log.clientHeight - 1;
+        log.appendChild(item);
         if (doScroll) {
-            d.scrollTop = d.scrollHeight - d.clientHeight;
+            log.scrollTop = log.scrollHeight - log.clientHeight;
         }
     }
 
-    $("#form").submit(function() {
+    document.getElementById("form").onsubmit = function () {
         if (!conn) {
             return false;
         }
-        if (!msg.val()) {
+        if (!msg.value) {
             return false;
         }
-        conn.send(msg.val());
-        msg.val("");
-        return false
-    });
+        conn.send(msg.value);
+        msg.value = "";
+        return false;
+    };
 
     if (window["WebSocket"]) {
-        conn = new WebSocket("ws://{{$}}/ws");
-        conn.onclose = function(evt) {
-            appendLog($("<div><b>Connection closed.</b></div>"))
-        }
-        conn.onmessage = function(evt) {
-            appendLog($("<pre/>").text(evt.data))
-        }
+        conn = new WebSocket("ws://" + document.location.host + "/ws");
+        conn.onclose = function (evt) {
+            var item = document.createElement("div");
+            item.innerHTML = "<b>Connection closed.</b>";
+            appendLog(item);
+        };
+        conn.onmessage = function (evt) {
+            var messages = evt.data.split('\n');
+            for (var i = 0; i < messages.length; i++) {
+                var item = document.createElement("div");
+                item.innerText = messages[i];
+                appendLog(item);
+            }
+        };
     } else {
-        appendLog($("<div><b>Your browser does not support WebSockets.</b></div>"))
+        var item = document.createElement("div");
+        item.innerHTML = "<b>Your browser does not support WebSockets.</b>";
+        appendLog(item);
     }
-    });
+};
 </script>
 <style type="text/css">
 html {
diff --git a/vendor/github.com/gorilla/websocket/examples/command/main.go b/vendor/github.com/gorilla/websocket/examples/command/main.go
index 438fb8328..239c5c85c 100644
--- a/vendor/github.com/gorilla/websocket/examples/command/main.go
+++ b/vendor/github.com/gorilla/websocket/examples/command/main.go
@@ -12,16 +12,14 @@ import (
 	"net/http"
 	"os"
 	"os/exec"
-	"text/template"
 	"time"
 
 	"github.com/gorilla/websocket"
 )
 
 var (
-	addr      = flag.String("addr", "127.0.0.1:8080", "http service address")
-	cmdPath   string
-	homeTempl = template.Must(template.ParseFiles("home.html"))
+	addr    = flag.String("addr", "127.0.0.1:8080", "http service address")
+	cmdPath string
 )
 
 const (
@@ -176,8 +174,7 @@ func serveHome(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "Method not allowed", 405)
 		return
 	}
-	w.Header().Set("Content-Type", "text/html; charset=utf-8")
-	homeTempl.Execute(w, r.Host)
+	http.ServeFile(w, r, "home.html")
 }
 
 func main() {
diff --git a/vendor/github.com/gorilla/websocket/examples/filewatch/main.go b/vendor/github.com/gorilla/websocket/examples/filewatch/main.go
index 2ac2b324f..f5f9da5c3 100644
--- a/vendor/github.com/gorilla/websocket/examples/filewatch/main.go
+++ b/vendor/github.com/gorilla/websocket/examples/filewatch/main.go
@@ -6,12 +6,12 @@ package main
 
 import (
 	"flag"
+	"html/template"
 	"io/ioutil"
 	"log"
 	"net/http"
 	"os"
 	"strconv"
-	"text/template"
 	"time"
 
 	"github.com/gorilla/websocket"
diff --git a/vendor/github.com/gorilla/websocket/mask.go b/vendor/github.com/gorilla/websocket/mask.go
index 6758a2cb7..6a88bbc74 100644
--- a/vendor/github.com/gorilla/websocket/mask.go
+++ b/vendor/github.com/gorilla/websocket/mask.go
@@ -2,20 +2,14 @@
 // this source code is governed by a BSD-style license that can be found in the
 // LICENSE file.
 
+// +build !appengine
+
 package websocket
 
-import (
-	"math/rand"
-	"unsafe"
-)
+import "unsafe"
 
 const wordSize = int(unsafe.Sizeof(uintptr(0)))
 
-func newMaskKey() [4]byte {
-	n := rand.Uint32()
-	return [4]byte{byte(n), byte(n >> 8), byte(n >> 16), byte(n >> 24)}
-}
-
 func maskBytes(key [4]byte, pos int, b []byte) int {
 
 	// Mask one byte at a time for small buffers.
diff --git a/vendor/github.com/gorilla/websocket/mask_safe.go b/vendor/github.com/gorilla/websocket/mask_safe.go
new file mode 100644
index 000000000..2aac060e5
--- /dev/null
+++ b/vendor/github.com/gorilla/websocket/mask_safe.go
@@ -0,0 +1,15 @@
+// Copyright 2016 The Gorilla WebSocket Authors. All rights reserved.  Use of
+// this source code is governed by a BSD-style license that can be found in the
+// LICENSE file.
+
+// +build appengine
+
+package websocket
+
+func maskBytes(key [4]byte, pos int, b []byte) int {
+	for i := range b {
+		b[i] ^= key[pos&3]
+		pos++
+	}
+	return pos & 3
+}
diff --git a/vendor/github.com/gorilla/websocket/mask_test.go b/vendor/github.com/gorilla/websocket/mask_test.go
index de0602993..298a1e509 100644
--- a/vendor/github.com/gorilla/websocket/mask_test.go
+++ b/vendor/github.com/gorilla/websocket/mask_test.go
@@ -3,7 +3,7 @@
 // LICENSE file.
 
 // Require 1.7 for sub-bencmarks
-// +build go1.7
+// +build go1.7,!appengine
 
 package websocket
 
diff --git a/vendor/github.com/gorilla/websocket/prepared.go b/vendor/github.com/gorilla/websocket/prepared.go
new file mode 100644
index 000000000..1efffbd1e
--- /dev/null
+++ b/vendor/github.com/gorilla/websocket/prepared.go
@@ -0,0 +1,103 @@
+// Copyright 2017 The Gorilla WebSocket Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package websocket
+
+import (
+	"bytes"
+	"net"
+	"sync"
+	"time"
+)
+
+// PreparedMessage caches on the wire representations of a message payload.
+// Use PreparedMessage to efficiently send a message payload to multiple
+// connections. PreparedMessage is especially useful when compression is used
+// because the CPU and memory expensive compression operation can be executed
+// once for a given set of compression options.
+type PreparedMessage struct {
+	messageType int
+	data        []byte
+	err         error
+	mu          sync.Mutex
+	frames      map[prepareKey]*preparedFrame
+}
+
+// prepareKey defines a unique set of options to cache prepared frames in PreparedMessage.
+type prepareKey struct {
+	isServer         bool
+	compress         bool
+	compressionLevel int
+}
+
+// preparedFrame contains data in wire representation.
+type preparedFrame struct {
+	once sync.Once
+	data []byte
+}
+
+// NewPreparedMessage returns an initialized PreparedMessage. You can then send
+// it to connection using WritePreparedMessage method. Valid wire
+// representation will be calculated lazily only once for a set of current
+// connection options.
+func NewPreparedMessage(messageType int, data []byte) (*PreparedMessage, error) {
+	pm := &PreparedMessage{
+		messageType: messageType,
+		frames:      make(map[prepareKey]*preparedFrame),
+		data:        data,
+	}
+
+	// Prepare a plain server frame.
+	_, frameData, err := pm.frame(prepareKey{isServer: true, compress: false})
+	if err != nil {
+		return nil, err
+	}
+
+	// To protect against caller modifying the data argument, remember the data
+	// copied to the plain server frame.
+	pm.data = frameData[len(frameData)-len(data):]
+	return pm, nil
+}
+
+func (pm *PreparedMessage) frame(key prepareKey) (int, []byte, error) {
+	pm.mu.Lock()
+	frame, ok := pm.frames[key]
+	if !ok {
+		frame = &preparedFrame{}
+		pm.frames[key] = frame
+	}
+	pm.mu.Unlock()
+
+	var err error
+	frame.once.Do(func() {
+		// Prepare a frame using a 'fake' connection.
+		// TODO: Refactor code in conn.go to allow more direct construction of
+		// the frame.
+		mu := make(chan bool, 1)
+		mu <- true
+		var nc prepareConn
+		c := &Conn{
+			conn:                   &nc,
+			mu:                     mu,
+			isServer:               key.isServer,
+			compressionLevel:       key.compressionLevel,
+			enableWriteCompression: true,
+			writeBuf:               make([]byte, defaultWriteBufferSize+maxFrameHeaderSize),
+		}
+		if key.compress {
+			c.newCompressionWriter = compressNoContextTakeover
+		}
+		err = c.WriteMessage(pm.messageType, pm.data)
+		frame.data = nc.buf.Bytes()
+	})
+	return pm.messageType, frame.data, err
+}
+
+type prepareConn struct {
+	buf bytes.Buffer
+	net.Conn
+}
+
+func (pc *prepareConn) Write(p []byte) (int, error)        { return pc.buf.Write(p) }
+func (pc *prepareConn) SetWriteDeadline(t time.Time) error { return nil }
diff --git a/vendor/github.com/gorilla/websocket/prepared_test.go b/vendor/github.com/gorilla/websocket/prepared_test.go
new file mode 100644
index 000000000..cf98c6c10
--- /dev/null
+++ b/vendor/github.com/gorilla/websocket/prepared_test.go
@@ -0,0 +1,74 @@
+// Copyright 2017 The Gorilla WebSocket Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package websocket
+
+import (
+	"bytes"
+	"compress/flate"
+	"math/rand"
+	"testing"
+)
+
+var preparedMessageTests = []struct {
+	messageType            int
+	isServer               bool
+	enableWriteCompression bool
+	compressionLevel       int
+}{
+	// Server
+	{TextMessage, true, false, flate.BestSpeed},
+	{TextMessage, true, true, flate.BestSpeed},
+	{TextMessage, true, true, flate.BestCompression},
+	{PingMessage, true, false, flate.BestSpeed},
+	{PingMessage, true, true, flate.BestSpeed},
+
+	// Client
+	{TextMessage, false, false, flate.BestSpeed},
+	{TextMessage, false, true, flate.BestSpeed},
+	{TextMessage, false, true, flate.BestCompression},
+	{PingMessage, false, false, flate.BestSpeed},
+	{PingMessage, false, true, flate.BestSpeed},
+}
+
+func TestPreparedMessage(t *testing.T) {
+	for _, tt := range preparedMessageTests {
+		var data = []byte("this is a test")
+		var buf bytes.Buffer
+		c := newConn(fakeNetConn{Reader: nil, Writer: &buf}, tt.isServer, 1024, 1024)
+		if tt.enableWriteCompression {
+			c.newCompressionWriter = compressNoContextTakeover
+		}
+		c.SetCompressionLevel(tt.compressionLevel)
+
+		// Seed random number generator for consistent frame mask.
+		rand.Seed(1234)
+
+		if err := c.WriteMessage(tt.messageType, data); err != nil {
+			t.Fatal(err)
+		}
+		want := buf.String()
+
+		pm, err := NewPreparedMessage(tt.messageType, data)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		// Scribble on data to ensure that NewPreparedMessage takes a snapshot.
+		copy(data, "hello world")
+
+		// Seed random number generator for consistent frame mask.
+		rand.Seed(1234)
+
+		buf.Reset()
+		if err := c.WritePreparedMessage(pm); err != nil {
+			t.Fatal(err)
+		}
+		got := buf.String()
+
+		if got != want {
+			t.Errorf("write message != prepared message for %+v", tt)
+		}
+	}
+}
diff --git a/vendor/github.com/gorilla/websocket/server.go b/vendor/github.com/gorilla/websocket/server.go
index aaedebdbe..3495e0f1a 100644
--- a/vendor/github.com/gorilla/websocket/server.go
+++ b/vendor/github.com/gorilla/websocket/server.go
@@ -28,8 +28,9 @@ type Upgrader struct {
 	HandshakeTimeout time.Duration
 
 	// ReadBufferSize and WriteBufferSize specify I/O buffer sizes. If a buffer
-	// size is zero, then a default value of 4096 is used. The I/O buffer sizes
-	// do not limit the size of the messages that can be sent or received.
+	// size is zero, then buffers allocated by the HTTP server are used. The
+	// I/O buffer sizes do not limit the size of the messages that can be sent
+	// or received.
 	ReadBufferSize, WriteBufferSize int
 
 	// Subprotocols specifies the server's supported protocols in order of
@@ -104,23 +105,23 @@ func (u *Upgrader) selectSubprotocol(r *http.Request, responseHeader http.Header
 // response.
 func (u *Upgrader) Upgrade(w http.ResponseWriter, r *http.Request, responseHeader http.Header) (*Conn, error) {
 	if r.Method != "GET" {
-		return u.returnError(w, r, http.StatusMethodNotAllowed, "websocket: method not GET")
+		return u.returnError(w, r, http.StatusMethodNotAllowed, "websocket: not a websocket handshake: request method is not GET")
 	}
 
 	if _, ok := responseHeader["Sec-Websocket-Extensions"]; ok {
-		return u.returnError(w, r, http.StatusInternalServerError, "websocket: application specific Sec-Websocket-Extensions headers are unsupported")
-	}
-
-	if !tokenListContainsValue(r.Header, "Sec-Websocket-Version", "13") {
-		return u.returnError(w, r, http.StatusBadRequest, "websocket: version != 13")
+		return u.returnError(w, r, http.StatusInternalServerError, "websocket: application specific 'Sec-Websocket-Extensions' headers are unsupported")
 	}
 
 	if !tokenListContainsValue(r.Header, "Connection", "upgrade") {
-		return u.returnError(w, r, http.StatusBadRequest, "websocket: could not find connection header with token 'upgrade'")
+		return u.returnError(w, r, http.StatusBadRequest, "websocket: not a websocket handshake: 'upgrade' token not found in 'Connection' header")
 	}
 
 	if !tokenListContainsValue(r.Header, "Upgrade", "websocket") {
-		return u.returnError(w, r, http.StatusBadRequest, "websocket: could not find upgrade header with token 'websocket'")
+		return u.returnError(w, r, http.StatusBadRequest, "websocket: not a websocket handshake: 'websocket' token not found in 'Upgrade' header")
+	}
+
+	if !tokenListContainsValue(r.Header, "Sec-Websocket-Version", "13") {
+		return u.returnError(w, r, http.StatusBadRequest, "websocket: unsupported version: 13 not found in 'Sec-Websocket-Version' header")
 	}
 
 	checkOrigin := u.CheckOrigin
@@ -128,12 +129,12 @@ func (u *Upgrader) Upgrade(w http.ResponseWriter, r *http.Request, responseHeade
 		checkOrigin = checkSameOrigin
 	}
 	if !checkOrigin(r) {
-		return u.returnError(w, r, http.StatusForbidden, "websocket: origin not allowed")
+		return u.returnError(w, r, http.StatusForbidden, "websocket: 'Origin' header value not allowed")
 	}
 
 	challengeKey := r.Header.Get("Sec-Websocket-Key")
 	if challengeKey == "" {
-		return u.returnError(w, r, http.StatusBadRequest, "websocket: key missing or blank")
+		return u.returnError(w, r, http.StatusBadRequest, "websocket: not a websocket handshake: `Sec-Websocket-Key' header is missing or blank")
 	}
 
 	subprotocol := u.selectSubprotocol(r, responseHeader)
@@ -152,7 +153,6 @@ func (u *Upgrader) Upgrade(w http.ResponseWriter, r *http.Request, responseHeade
 
 	var (
 		netConn net.Conn
-		br      *bufio.Reader
 		err     error
 	)
 
@@ -160,19 +160,18 @@ func (u *Upgrader) Upgrade(w http.ResponseWriter, r *http.Request, responseHeade
 	if !ok {
 		return u.returnError(w, r, http.StatusInternalServerError, "websocket: response does not implement http.Hijacker")
 	}
-	var rw *bufio.ReadWriter
-	netConn, rw, err = h.Hijack()
+	var brw *bufio.ReadWriter
+	netConn, brw, err = h.Hijack()
 	if err != nil {
 		return u.returnError(w, r, http.StatusInternalServerError, err.Error())
 	}
-	br = rw.Reader
 
-	if br.Buffered() > 0 {
+	if brw.Reader.Buffered() > 0 {
 		netConn.Close()
 		return nil, errors.New("websocket: client sent data before handshake is complete")
 	}
 
-	c := newConn(netConn, true, u.ReadBufferSize, u.WriteBufferSize)
+	c := newConnBRW(netConn, true, u.ReadBufferSize, u.WriteBufferSize, brw)
 	c.subprotocol = subprotocol
 
 	if compress {
diff --git a/vendor/github.com/hashicorp/go-multierror/multierror.go b/vendor/github.com/hashicorp/go-multierror/multierror.go
index 2ea082732..89b1422d1 100644
--- a/vendor/github.com/hashicorp/go-multierror/multierror.go
+++ b/vendor/github.com/hashicorp/go-multierror/multierror.go
@@ -40,11 +40,11 @@ func (e *Error) GoString() string {
 }
 
 // WrappedErrors returns the list of errors that this Error is wrapping.
-// It is an implementatin of the errwrap.Wrapper interface so that
+// It is an implementation of the errwrap.Wrapper interface so that
 // multierror.Error can be used with that library.
 //
 // This method is not safe to be called concurrently and is no different
-// than accessing the Errors field directly. It is implementd only to
+// than accessing the Errors field directly. It is implemented only to
 // satisfy the errwrap.Wrapper interface.
 func (e *Error) WrappedErrors() []error {
 	return e.Errors
diff --git a/vendor/github.com/hashicorp/go-sockaddr/route_info_linux.go b/vendor/github.com/hashicorp/go-sockaddr/route_info_linux.go
index b33e4c0d0..c2ec91eaf 100644
--- a/vendor/github.com/hashicorp/go-sockaddr/route_info_linux.go
+++ b/vendor/github.com/hashicorp/go-sockaddr/route_info_linux.go
@@ -5,10 +5,6 @@ import (
 	"os/exec"
 )
 
-var cmds map[string][]string = map[string][]string{
-	"ip": {"/sbin/ip", "route"},
-}
-
 type routeInfo struct {
 	cmds map[string][]string
 }
@@ -16,15 +12,22 @@ type routeInfo struct {
 // NewRouteInfo returns a Linux-specific implementation of the RouteInfo
 // interface.
 func NewRouteInfo() (routeInfo, error) {
+	// CoreOS Container Linux moved ip to /usr/bin/ip, so look it up on
+	// $PATH and fallback to /sbin/ip on error.
+	path, _ := exec.LookPath("ip")
+	if path == "" {
+		path = "/sbin/ip"
+	}
+
 	return routeInfo{
-		cmds: cmds,
+		cmds: map[string][]string{"ip": {path, "route"}},
 	}, nil
 }
 
 // GetDefaultInterfaceName returns the interface name attached to the default
 // route on the default interface.
 func (ri routeInfo) GetDefaultInterfaceName() (string, error) {
-	out, err := exec.Command(cmds["ip"][0], cmds["ip"][1:]...).Output()
+	out, err := exec.Command(ri.cmds["ip"][0], ri.cmds["ip"][1:]...).Output()
 	if err != nil {
 		return "", err
 	}
diff --git a/vendor/github.com/hashicorp/go-sockaddr/sockaddr.go b/vendor/github.com/hashicorp/go-sockaddr/sockaddr.go
index 51389ebe9..826c91c2e 100644
--- a/vendor/github.com/hashicorp/go-sockaddr/sockaddr.go
+++ b/vendor/github.com/hashicorp/go-sockaddr/sockaddr.go
@@ -1,6 +1,7 @@
 package sockaddr
 
 import (
+	"encoding/json"
 	"fmt"
 	"strings"
 )
@@ -176,3 +177,30 @@ func sockAddrInit() {
 func SockAddrAttrs() []AttrName {
 	return sockAddrAttrs
 }
+
+// Although this is pretty trivial to do in a program, having the logic here is
+// useful all around. Note that this marshals into a *string* -- the underlying
+// string representation of the sockaddr. If you then unmarshal into this type
+// in Go, all will work as expected, but externally you can take what comes out
+// and use the string value directly.
+type SockAddrMarshaler struct {
+	SockAddr
+}
+
+func (s *SockAddrMarshaler) MarshalJSON() ([]byte, error) {
+	return json.Marshal(s.SockAddr.String())
+}
+
+func (s *SockAddrMarshaler) UnmarshalJSON(in []byte) error {
+	var str string
+	err := json.Unmarshal(in, &str)
+	if err != nil {
+		return err
+	}
+	sa, err := NewSockAddr(str)
+	if err != nil {
+		return err
+	}
+	s.SockAddr = sa
+	return nil
+}
diff --git a/vendor/github.com/hashicorp/go-sockaddr/sockaddr_test.go b/vendor/github.com/hashicorp/go-sockaddr/sockaddr_test.go
index babaf2a8c..2471beb24 100644
--- a/vendor/github.com/hashicorp/go-sockaddr/sockaddr_test.go
+++ b/vendor/github.com/hashicorp/go-sockaddr/sockaddr_test.go
@@ -1,6 +1,7 @@
 package sockaddr_test
 
 import (
+	"encoding/json"
 	"fmt"
 	"testing"
 
@@ -371,3 +372,69 @@ func TestToFoo(t *testing.T) {
 	}
 
 }
+
+func TestSockAddrMarshaler(t *testing.T) {
+	addr := "192.168.10.24/24"
+	sa, err := sockaddr.NewSockAddr(addr)
+	if err != nil {
+		t.Fatal(err)
+	}
+	sam := &sockaddr.SockAddrMarshaler{
+		SockAddr: sa,
+	}
+	marshaled, err := json.Marshal(sam)
+	if err != nil {
+		t.Fatal(err)
+	}
+	sam2 := &sockaddr.SockAddrMarshaler{}
+	err = json.Unmarshal(marshaled, sam2)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if sam.SockAddr.String() != sam2.SockAddr.String() {
+		t.Fatalf("mismatch after marshaling: %s vs %s", sam.SockAddr.String(), sam2.SockAddr.String())
+	}
+	if sam2.SockAddr.String() != addr {
+		t.Fatalf("mismatch after marshaling: %s vs %s", addr, sam2.SockAddr.String())
+	}
+}
+
+func TestSockAddrMultiMarshaler(t *testing.T) {
+	addr := "192.168.10.24/24"
+	type d struct {
+		Addr  *sockaddr.SockAddrMarshaler
+		Addrs []*sockaddr.SockAddrMarshaler
+	}
+	sa, err := sockaddr.NewSockAddr(addr)
+	if err != nil {
+		t.Fatal(err)
+	}
+	myD := &d{
+		Addr: &sockaddr.SockAddrMarshaler{SockAddr: sa},
+		Addrs: []*sockaddr.SockAddrMarshaler{
+			&sockaddr.SockAddrMarshaler{SockAddr: sa},
+			&sockaddr.SockAddrMarshaler{SockAddr: sa},
+			&sockaddr.SockAddrMarshaler{SockAddr: sa},
+		},
+	}
+	marshaled, err := json.Marshal(myD)
+	if err != nil {
+		t.Fatal(err)
+	}
+	var myD2 d
+	err = json.Unmarshal(marshaled, &myD2)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if myD.Addr.String() != myD2.Addr.String() {
+		t.Fatalf("mismatch after marshaling: %s vs %s", myD.Addr.String(), myD2.Addr.String())
+	}
+	if len(myD.Addrs) != len(myD2.Addrs) {
+		t.Fatalf("mismatch after marshaling: %d vs %d", len(myD.Addrs), len(myD2.Addrs))
+	}
+	for i, v := range myD.Addrs {
+		if v.String() != myD2.Addrs[i].String() {
+			t.Fatalf("mismatch after marshaling: %s vs %s", v.String(), myD2.Addrs[i].String())
+		}
+	}
+}
diff --git a/vendor/github.com/hashicorp/memberlist/Makefile b/vendor/github.com/hashicorp/memberlist/Makefile
index 56ef6c28c..891e8364a 100644
--- a/vendor/github.com/hashicorp/memberlist/Makefile
+++ b/vendor/github.com/hashicorp/memberlist/Makefile
@@ -1,3 +1,4 @@
+DEPS = $(go list -f '{{range .Imports}}{{.}} {{end}}' ./...)
 test: subnet
 	go test ./...
 
@@ -11,4 +12,8 @@ cov:
 	gocov test github.com/hashicorp/memberlist | gocov-html > /tmp/coverage.html
 	open /tmp/coverage.html
 
+deps:
+	go get -d -v ./...
+	echo $(DEPS) | xargs -n1 go get -d
+
 .PNONY: test cov integ
diff --git a/vendor/github.com/hashicorp/memberlist/README.md b/vendor/github.com/hashicorp/memberlist/README.md
index fc605a59b..0adc075e8 100644
--- a/vendor/github.com/hashicorp/memberlist/README.md
+++ b/vendor/github.com/hashicorp/memberlist/README.md
@@ -23,6 +23,8 @@ Please check your installation with:
 go version
 ```
 
+Run `make deps` to fetch dependencies before building
+
 ## Usage
 
 Memberlist is surprisingly simple to use. An example is shown below:
@@ -63,82 +65,11 @@ For complete documentation, see the associated [Godoc](http://godoc.org/github.c
 
 ## Protocol
 
-memberlist is based on ["SWIM: Scalable Weakly-consistent Infection-style Process Group Membership Protocol"](http://www.cs.cornell.edu/~asdas/research/dsn02-swim.pdf),
-with a few minor adaptations, mostly to increase propagation speed and
+memberlist is based on ["SWIM: Scalable Weakly-consistent Infection-style Process Group Membership Protocol"](http://www.cs.cornell.edu/~asdas/research/dsn02-swim.pdf). However, we extend the protocol in a number of ways:
+
+* Several extensions are made to increase propagation speed and
 convergence rate.
+* Another set of extensions, that we call Lifeguard, are made to make memberlist more robust in the presence of slow message processing (due to factors such as CPU starvation, and network delay or loss).
 
-A high level overview of the memberlist protocol (based on SWIM) is
-described below, but for details please read the full
-[SWIM paper](http://www.cs.cornell.edu/~asdas/research/dsn02-swim.pdf)
-followed by the memberlist source. We welcome any questions related
+For details on all of these extensions, please read our paper "[Lifeguard : SWIM-ing with Situational Awareness](https://arxiv.org/abs/1707.00788)", along with the memberlist source.  We welcome any questions related
 to the protocol on our issue tracker.
-
-### Protocol Description
-
-memberlist begins by joining an existing cluster or starting a new
-cluster. If starting a new cluster, additional nodes are expected to join
-it. New nodes in an existing cluster must be given the address of at
-least one existing member in order to join the cluster. The new member
-does a full state sync with the existing member over TCP and begins gossiping its
-existence to the cluster.
-
-Gossip is done over UDP with a configurable but fixed fanout and interval.
-This ensures that network usage is constant with regards to number of nodes, as opposed to
-exponential growth that can occur with traditional heartbeat mechanisms.
-Complete state exchanges with a random node are done periodically over
-TCP, but much less often than gossip messages. This increases the likelihood
-that the membership list converges properly since the full state is exchanged
-and merged. The interval between full state exchanges is configurable or can
-be disabled entirely.
-
-Failure detection is done by periodic random probing using a configurable interval.
-If the node fails to ack within a reasonable time (typically some multiple
-of RTT), then an indirect probe as well as a direct TCP probe are attempted. An
-indirect probe asks a configurable number of random nodes to probe the same node,
-in case there are network issues causing our own node to fail the probe. The direct
-TCP probe is used to help identify the common situation where networking is
-misconfigured to allow TCP but not UDP. Without the TCP probe, a UDP-isolated node
-would think all other nodes were suspect and could cause churn in the cluster when
-it attempts a TCP-based state exchange with another node. It is not desirable to
-operate with only TCP connectivity because convergence will be much slower, but it
-is enabled so that memberlist can detect this situation and alert operators.
-
-If both our probe, the indirect probes, and the direct TCP probe fail within a
-configurable time, then the node is marked "suspicious" and this knowledge is
-gossiped to the cluster. A suspicious node is still considered a member of
-cluster. If the suspect member of the cluster does not dispute the suspicion
-within a configurable period of time, the node is finally considered dead,
-and this state is then gossiped to the cluster.
-
-This is a brief and incomplete description of the protocol. For a better idea,
-please read the
-[SWIM paper](http://www.cs.cornell.edu/~asdas/research/dsn02-swim.pdf)
-in its entirety, along with the memberlist source code.
-
-### Changes from SWIM
-
-As mentioned earlier, the memberlist protocol is based on SWIM but includes
-minor changes, mostly to increase propagation speed and convergence rates.
-
-The changes from SWIM are noted here:
-
-* memberlist does a full state sync over TCP periodically. SWIM only propagates
-  changes over gossip. While both eventually reach convergence, the full state
-  sync increases the likelihood that nodes are fully converged more quickly,
-  at the expense of more bandwidth usage. This feature can be totally disabled
-  if you wish.
-
-* memberlist has a dedicated gossip layer separate from the failure detection
-  protocol. SWIM only piggybacks gossip messages on top of probe/ack messages.
-  memberlist also piggybacks gossip messages on top of probe/ack messages, but
-  also will periodically send out dedicated gossip messages on their own. This
-  feature lets you have a higher gossip rate (for example once per 200ms)
-  and a slower failure detection rate (such as once per second), resulting
-  in overall faster convergence rates and data propagation speeds. This feature
-  can be totally disabed as well, if you wish.
-
-* memberlist stores around the state of dead nodes for a set amount of time,
-  so that when full syncs are requested, the requester also receives information
-  about dead nodes. Because SWIM doesn't do full syncs, SWIM deletes dead node
-  state immediately upon learning that the node is dead. This change again helps
-  the cluster converge more quickly.
diff --git a/vendor/github.com/hashicorp/memberlist/config.go b/vendor/github.com/hashicorp/memberlist/config.go
index 5cad4ed54..c85b1657a 100644
--- a/vendor/github.com/hashicorp/memberlist/config.go
+++ b/vendor/github.com/hashicorp/memberlist/config.go
@@ -235,7 +235,7 @@ func DefaultLANConfig() *Config {
 		TCPTimeout:              10 * time.Second,       // Timeout after 10 seconds
 		IndirectChecks:          3,                      // Use 3 nodes for the indirect ping
 		RetransmitMult:          4,                      // Retransmit a message 4 * log(N+1) nodes
-		SuspicionMult:           5,                      // Suspect a node for 5 * log(N+1) * Interval
+		SuspicionMult:           4,                      // Suspect a node for 4 * log(N+1) * Interval
 		SuspicionMaxTimeoutMult: 6,                      // For 10k nodes this will give a max timeout of 120 seconds
 		PushPullInterval:        30 * time.Second,       // Low frequency
 		ProbeTimeout:            500 * time.Millisecond, // Reasonable RTT time for LAN
diff --git a/vendor/github.com/hashicorp/memberlist/memberlist.go b/vendor/github.com/hashicorp/memberlist/memberlist.go
index e4b0d7347..9ea195cfc 100644
--- a/vendor/github.com/hashicorp/memberlist/memberlist.go
+++ b/vendor/github.com/hashicorp/memberlist/memberlist.go
@@ -113,14 +113,43 @@ func newMemberlist(conf *Config) (*Memberlist, error) {
 			BindPort:  conf.BindPort,
 			Logger:    logger,
 		}
-		nt, err := NewNetTransport(nc)
+
+		// See comment below for details about the retry in here.
+		makeNetRetry := func(limit int) (*NetTransport, error) {
+			for try := 0; try < limit; try++ {
+				nt, err := NewNetTransport(nc)
+				if err == nil {
+					return nt, nil
+				}
+
+				if strings.Contains(err.Error(), "address already in use") {
+					logger.Printf("[DEBUG] Got bind error: %v", err)
+					continue
+				}
+			}
+
+			return nil, fmt.Errorf("ran out of tries to obtain an address")
+		}
+
+		// The dynamic bind port operation is inherently racy because
+		// even though we are using the kernel to find a port for us, we
+		// are attempting to bind multiple protocols (and potentially
+		// multiple addresses) with the same port number. We build in a
+		// few retries here since this often gets transient errors in
+		// busy unit tests.
+		limit := 1
+		if conf.BindPort == 0 {
+			limit = 10
+		}
+
+		nt, err := makeNetRetry(limit)
 		if err != nil {
 			return nil, fmt.Errorf("Could not set up network transport: %v", err)
 		}
-
 		if conf.BindPort == 0 {
 			port := nt.GetAutoBindPort()
 			conf.BindPort = port
+			conf.AdvertisePort = port
 			logger.Printf("[DEBUG] Using dynamic bind port %d", port)
 		}
 		transport = nt
diff --git a/vendor/github.com/hashicorp/memberlist/net.go b/vendor/github.com/hashicorp/memberlist/net.go
index 65a60159d..58e1fce20 100644
--- a/vendor/github.com/hashicorp/memberlist/net.go
+++ b/vendor/github.com/hashicorp/memberlist/net.go
@@ -55,6 +55,7 @@ const (
 	encryptMsg
 	nackRespMsg
 	hasCrcMsg
+	errMsg
 )
 
 // compressionType is used to specify the compression algorithm
@@ -105,6 +106,11 @@ type nackResp struct {
 	SeqNo uint32
 }
 
+// err response is sent to relay the error from the remote end
+type errResp struct {
+	Error string
+}
+
 // suspect is broadcast when we suspect a node is dead
 type suspect struct {
 	Incarnation uint32
@@ -209,6 +215,19 @@ func (m *Memberlist) handleConn(conn net.Conn) {
 	if err != nil {
 		if err != io.EOF {
 			m.logger.Printf("[ERR] memberlist: failed to receive: %s %s", err, LogConn(conn))
+
+			resp := errResp{err.Error()}
+			out, err := encode(errMsg, &resp)
+			if err != nil {
+				m.logger.Printf("[ERR] memberlist: Failed to encode error response: %s", err)
+				return
+			}
+
+			err = m.rawSendMsgStream(conn, out.Bytes())
+			if err != nil {
+				m.logger.Printf("[ERR] memberlist: Failed to send error: %s %s", err, LogConn(conn))
+				return
+			}
 		}
 		return
 	}
@@ -726,6 +745,14 @@ func (m *Memberlist) sendAndReceiveState(addr string, join bool) ([]pushNodeStat
 		return nil, nil, err
 	}
 
+	if msgType == errMsg {
+		var resp errResp
+		if err := dec.Decode(&resp); err != nil {
+			return nil, nil, err
+		}
+		return nil, nil, fmt.Errorf("remote error: %v", resp.Error)
+	}
+
 	// Quit if not push/pull
 	if msgType != pushPullMsg {
 		err := fmt.Errorf("received invalid msgType (%d), expected pushPullMsg (%d) %s", msgType, pushPullMsg, LogConn(conn))
diff --git a/vendor/github.com/hashicorp/memberlist/net_test.go b/vendor/github.com/hashicorp/memberlist/net_test.go
index 80d3ebb36..860535855 100644
--- a/vendor/github.com/hashicorp/memberlist/net_test.go
+++ b/vendor/github.com/hashicorp/memberlist/net_test.go
@@ -785,3 +785,30 @@ func TestIngestPacket_CRC(t *testing.T) {
 		t.Fatalf("bad: %s", logs.String())
 	}
 }
+
+func TestGossip_MismatchedKeys(t *testing.T) {
+	c1 := testConfig()
+	c2 := testConfig()
+
+	// Create two agents with different gossip keys
+	c1.SecretKey = []byte("4W6DGn2VQVqDEceOdmuRTQ==")
+	c2.SecretKey = []byte("XhX/w702/JKKK7/7OtM9Ww==")
+
+	m1, err := Create(c1)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	defer m1.Shutdown()
+
+	m2, err := Create(c2)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	defer m2.Shutdown()
+
+	// Make sure we get this error on the joining side
+	_, err = m2.Join([]string{c1.BindAddr})
+	if err == nil || !strings.Contains(err.Error(), "No installed keys could decrypt the message") {
+		t.Fatalf("bad: %s", err)
+	}
+}
diff --git a/vendor/github.com/lib/pq/conn.go b/vendor/github.com/lib/pq/conn.go
index 3b322bc06..3747ffcaf 100644
--- a/vendor/github.com/lib/pq/conn.go
+++ b/vendor/github.com/lib/pq/conn.go
@@ -1339,7 +1339,12 @@ func (rs *rows) Close() error {
 		switch err {
 		case nil:
 		case io.EOF:
-			return nil
+			// rs.Next can return io.EOF on both 'Z' (ready for query) and 'T' (row
+			// description, used with HasNextResultSet). We need to fetch messages until
+			// we hit a 'Z', which is done by waiting for done to be set.
+			if rs.done {
+				return nil
+			}
 		default:
 			return err
 		}
diff --git a/vendor/github.com/lib/pq/conn_test.go b/vendor/github.com/lib/pq/conn_test.go
index 8c6187fc6..dfc827201 100644
--- a/vendor/github.com/lib/pq/conn_test.go
+++ b/vendor/github.com/lib/pq/conn_test.go
@@ -1583,3 +1583,32 @@ func TestRowsResultTag(t *testing.T) {
 		}
 	}
 }
+
+// TestQuickClose tests that closing a query early allows a subsequent query to work.
+func TestQuickClose(t *testing.T) {
+	db := openTestConn(t)
+	defer db.Close()
+
+	tx, err := db.Begin()
+	if err != nil {
+		t.Fatal(err)
+	}
+	rows, err := tx.Query("SELECT 1; SELECT 2;")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := rows.Close(); err != nil {
+		t.Fatal(err)
+	}
+
+	var id int
+	if err := tx.QueryRow("SELECT 3").Scan(&id); err != nil {
+		t.Fatal(err)
+	}
+	if id != 3 {
+		t.Fatalf("unexpected %d", id)
+	}
+	if err := tx.Commit(); err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/vendor/github.com/magiconair/properties/CHANGELOG.md b/vendor/github.com/magiconair/properties/CHANGELOG.md
index 1d86d0c18..4905fec99 100644
--- a/vendor/github.com/magiconair/properties/CHANGELOG.md
+++ b/vendor/github.com/magiconair/properties/CHANGELOG.md
@@ -1,6 +1,6 @@
 ## Changelog
 
-### Unreleased
+### [1.7.3](https://github.com/magiconair/properties/tags/v1.7.3) - 10 Jul 2017
 
  * [Issue #17](https://github.com/magiconair/properties/issues/17): Add [SetValue()](http://godoc.org/github.com/magiconair/properties#Properties.SetValue) method to set values generically
  * [Issue #22](https://github.com/magiconair/properties/issues/22): Add [LoadMap()](http://godoc.org/github.com/magiconair/properties#LoadMap) function to load properties from a string map
diff --git a/vendor/github.com/magiconair/properties/README.md b/vendor/github.com/magiconair/properties/README.md
index 71b6a5359..eb3b8c435 100644
--- a/vendor/github.com/magiconair/properties/README.md
+++ b/vendor/github.com/magiconair/properties/README.md
@@ -1,7 +1,7 @@
 Overview [![Build Status](https://travis-ci.org/magiconair/properties.svg?branch=master)](https://travis-ci.org/magiconair/properties)
 ========
 
-#### Current version: 1.7.2
+#### Current version: 1.7.3
 
 properties is a Go library for reading and writing properties files.
 
diff --git a/vendor/github.com/miekg/dns/client.go b/vendor/github.com/miekg/dns/client.go
index 301dab9c1..1c14a19d8 100644
--- a/vendor/github.com/miekg/dns/client.go
+++ b/vendor/github.com/miekg/dns/client.go
@@ -4,6 +4,7 @@ package dns
 
 import (
 	"bytes"
+	"context"
 	"crypto/tls"
 	"encoding/binary"
 	"io"
@@ -70,6 +71,43 @@ func Exchange(m *Msg, a string) (r *Msg, err error) {
 	return r, err
 }
 
+// ExchangeContext performs a synchronous UDP query, like Exchange. It
+// additionally obeys deadlines from the passed Context.
+func ExchangeContext(ctx context.Context, m *Msg, a string) (r *Msg, err error) {
+	// Combine context deadline with built-in timeout. Context chooses whichever
+	// is sooner.
+	timeoutCtx, cancel := context.WithTimeout(ctx, dnsTimeout)
+	defer cancel()
+	deadline, _ := timeoutCtx.Deadline()
+
+	co := new(Conn)
+	dialer := net.Dialer{}
+	co.Conn, err = dialer.DialContext(timeoutCtx, "udp", a)
+	if err != nil {
+		return nil, err
+	}
+
+	defer co.Conn.Close()
+
+	opt := m.IsEdns0()
+	// If EDNS0 is used use that for size.
+	if opt != nil && opt.UDPSize() >= MinMsgSize {
+		co.UDPSize = opt.UDPSize()
+	}
+
+	co.SetWriteDeadline(deadline)
+	if err = co.WriteMsg(m); err != nil {
+		return nil, err
+	}
+
+	co.SetReadDeadline(deadline)
+	r, err = co.ReadMsg()
+	if err == nil && r.Id != m.Id {
+		err = ErrId
+	}
+	return r, err
+}
+
 // ExchangeConn performs a synchronous query. It sends the message m via the connection
 // c and waits for a reply. The connection c is not closed by ExchangeConn.
 // This function is going away, but can easily be mimicked:
@@ -106,8 +144,18 @@ func ExchangeConn(c net.Conn, m *Msg) (r *Msg, err error) {
 // buffer, see SetEdns0. Messages without an OPT RR will fallback to the historic limit
 // of 512 bytes.
 func (c *Client) Exchange(m *Msg, a string) (r *Msg, rtt time.Duration, err error) {
+	return c.ExchangeContext(context.Background(), m, a)
+}
+
+// ExchangeContext acts like Exchange, but honors the deadline on the provided
+// context, if present. If there is both a context deadline and a configured
+// timeout on the client, the earliest of the two takes effect.
+func (c *Client) ExchangeContext(ctx context.Context, m *Msg, a string) (
+	r *Msg,
+	rtt time.Duration,
+	err error) {
 	if !c.SingleInflight {
-		return c.exchange(m, a)
+		return c.exchange(ctx, m, a)
 	}
 	// This adds a bunch of garbage, TODO(miek).
 	t := "nop"
@@ -119,7 +167,7 @@ func (c *Client) Exchange(m *Msg, a string) (r *Msg, rtt time.Duration, err erro
 		cl = cl1
 	}
 	r, rtt, err, shared := c.group.Do(m.Question[0].Name+t+cl, func() (*Msg, time.Duration, error) {
-		return c.exchange(m, a)
+		return c.exchange(ctx, m, a)
 	})
 	if r != nil && shared {
 		r = r.Copy()
@@ -154,7 +202,7 @@ func (c *Client) writeTimeout() time.Duration {
 	return dnsTimeout
 }
 
-func (c *Client) exchange(m *Msg, a string) (r *Msg, rtt time.Duration, err error) {
+func (c *Client) exchange(ctx context.Context, m *Msg, a string) (r *Msg, rtt time.Duration, err error) {
 	var co *Conn
 	network := "udp"
 	tls := false
@@ -180,10 +228,13 @@ func (c *Client) exchange(m *Msg, a string) (r *Msg, rtt time.Duration, err erro
 		deadline = time.Now().Add(c.Timeout)
 	}
 
+	dialDeadline := deadlineOrTimeoutOrCtx(ctx, deadline, c.dialTimeout())
+	dialTimeout := dialDeadline.Sub(time.Now())
+
 	if tls {
-		co, err = DialTimeoutWithTLS(network, a, c.TLSConfig, c.dialTimeout())
+		co, err = DialTimeoutWithTLS(network, a, c.TLSConfig, dialTimeout)
 	} else {
-		co, err = DialTimeout(network, a, c.dialTimeout())
+		co, err = DialTimeout(network, a, dialTimeout)
 	}
 
 	if err != nil {
@@ -202,12 +253,12 @@ func (c *Client) exchange(m *Msg, a string) (r *Msg, rtt time.Duration, err erro
 	}
 
 	co.TsigSecret = c.TsigSecret
-	co.SetWriteDeadline(deadlineOrTimeout(deadline, c.writeTimeout()))
+	co.SetWriteDeadline(deadlineOrTimeoutOrCtx(ctx, deadline, c.writeTimeout()))
 	if err = co.WriteMsg(m); err != nil {
 		return nil, 0, err
 	}
 
-	co.SetReadDeadline(deadlineOrTimeout(deadline, c.readTimeout()))
+	co.SetReadDeadline(deadlineOrTimeoutOrCtx(ctx, deadline, c.readTimeout()))
 	r, err = co.ReadMsg()
 	if err == nil && r.Id != m.Id {
 		err = ErrId
@@ -459,9 +510,22 @@ func DialTimeoutWithTLS(network, address string, tlsConfig *tls.Config, timeout
 	return conn, nil
 }
 
+// deadlineOrTimeout chooses between the provided deadline and timeout
+// by always preferring the deadline so long as it's non-zero (regardless
+// of which is bigger), and returns the equivalent deadline value.
 func deadlineOrTimeout(deadline time.Time, timeout time.Duration) time.Time {
 	if deadline.IsZero() {
 		return time.Now().Add(timeout)
 	}
 	return deadline
 }
+
+// deadlineOrTimeoutOrCtx returns the earliest of: a context deadline, or the
+// output of deadlineOrtimeout.
+func deadlineOrTimeoutOrCtx(ctx context.Context, deadline time.Time, timeout time.Duration) time.Time {
+	result := deadlineOrTimeout(deadline, timeout)
+	if ctxDeadline, ok := ctx.Deadline(); ok && ctxDeadline.Before(result) {
+		result = ctxDeadline
+	}
+	return result
+}
diff --git a/vendor/github.com/miekg/dns/client_test.go b/vendor/github.com/miekg/dns/client_test.go
index dee585f36..73083dbaf 100644
--- a/vendor/github.com/miekg/dns/client_test.go
+++ b/vendor/github.com/miekg/dns/client_test.go
@@ -1,6 +1,7 @@
 package dns
 
 import (
+	"context"
 	"crypto/tls"
 	"fmt"
 	"net"
@@ -249,6 +250,9 @@ func TestClientConn(t *testing.T) {
 		t.Errorf("failed to exchange: %v", err)
 	}
 	r, err := cn.ReadMsg()
+	if err != nil {
+		t.Errorf("failed to get a valid answer: %v", err)
+	}
 	if r == nil || r.Rcode != RcodeSuccess {
 		t.Errorf("failed to get an valid answer\n%v", r)
 	}
@@ -262,6 +266,9 @@ func TestClientConn(t *testing.T) {
 	if buf == nil {
 		t.Errorf("failed to get an valid answer\n%v", r)
 	}
+	if err != nil {
+		t.Errorf("failed to get a valid answer: %v", err)
+	}
 	if int(h.Bits&0xF) != RcodeSuccess {
 		t.Errorf("failed to get an valid answer in ReadMsgHeader\n%v", r)
 	}
@@ -423,7 +430,7 @@ func TestTimeout(t *testing.T) {
 
 	// Use a channel + timeout to ensure we don't get stuck if the
 	// Client Timeout is not working properly
-	done := make(chan struct{})
+	done := make(chan struct{}, 2)
 
 	timeout := time.Millisecond
 	allowable := timeout + (10 * time.Millisecond)
@@ -435,14 +442,28 @@ func TestTimeout(t *testing.T) {
 		c := &Client{Timeout: timeout}
 		_, _, err := c.Exchange(m, addrstr)
 		if err == nil {
-			t.Error("no timeout using Client")
+			t.Error("no timeout using Client.Exchange")
+		}
+		done <- struct{}{}
+	}()
+
+	go func() {
+		ctx, cancel := context.WithTimeout(context.Background(), timeout)
+		defer cancel()
+		c := &Client{}
+		_, _, err := c.ExchangeContext(ctx, m, addrstr)
+		if err == nil {
+			t.Error("no timeout using Client.ExchangeContext")
 		}
 		done <- struct{}{}
 	}()
 
-	select {
-	case <-done:
-	case <-time.After(abortAfter):
+	// Wait for both the Exchange and ExchangeContext tests to be done.
+	for i := 0; i < 2; i++ {
+		select {
+		case <-done:
+		case <-time.After(abortAfter):
+		}
 	}
 
 	length := time.Since(start)
diff --git a/vendor/github.com/miekg/dns/dns_test.go b/vendor/github.com/miekg/dns/dns_test.go
index dbfe25328..5568c316c 100644
--- a/vendor/github.com/miekg/dns/dns_test.go
+++ b/vendor/github.com/miekg/dns/dns_test.go
@@ -154,6 +154,9 @@ func TestPack(t *testing.T) {
 	}
 	x.Answer = make([]RR, 1)
 	x.Answer[0], err = NewRR(rr[0])
+	if err != nil {
+		t.Fatal(err)
+	}
 	if _, err := x.Pack(); err == nil {
 		t.Error("packing should fail")
 	}
diff --git a/vendor/github.com/miekg/dns/msg_helpers.go b/vendor/github.com/miekg/dns/msg_helpers.go
index 615274ab0..8d415c92a 100644
--- a/vendor/github.com/miekg/dns/msg_helpers.go
+++ b/vendor/github.com/miekg/dns/msg_helpers.go
@@ -96,7 +96,7 @@ func unpackHeader(msg []byte, off int) (rr RR_Header, off1 int, truncmsg []byte,
 		return hdr, len(msg), msg, err
 	}
 	msg, err = truncateMsgFromRdlength(msg, off, hdr.Rdlength)
-	return hdr, off, msg, nil
+	return hdr, off, msg, err
 }
 
 // pack packs an RR header, returning the offset to the end of the header.
diff --git a/vendor/github.com/minio/go-homedir/LICENSE b/vendor/github.com/minio/go-homedir/LICENSE
new file mode 100644
index 000000000..f9c841a51
--- /dev/null
+++ b/vendor/github.com/minio/go-homedir/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2013 Mitchell Hashimoto
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/vendor/github.com/minio/go-homedir/README.md b/vendor/github.com/minio/go-homedir/README.md
new file mode 100644
index 000000000..085f57775
--- /dev/null
+++ b/vendor/github.com/minio/go-homedir/README.md
@@ -0,0 +1,16 @@
+# go-homedir
+
+This is a Go library for detecting the user's home directory without
+the use of cgo, so the library can be used in cross-compilation environments.
+
+Usage is incredibly simple, just call `homedir.Dir()` to get the home directory
+for a user, and `homedir.Expand()` to expand the `~` in a path to the home
+directory.
+
+**Why not just use `os/user`?** The built-in `os/user` package is not
+available on certain architectures such as i386 or PNaCl. Additionally
+it has a cgo dependency on Darwin systems. This means that any Go code
+that uses that package cannot cross compile. But 99% of the time the
+use for `os/user` is just to retrieve the home directory, which we can
+do for the current user without cgo. This library does that, enabling
+cross-compilation. 
diff --git a/vendor/github.com/minio/go-homedir/dir_posix.go b/vendor/github.com/minio/go-homedir/dir_posix.go
new file mode 100644
index 000000000..4615fe063
--- /dev/null
+++ b/vendor/github.com/minio/go-homedir/dir_posix.go
@@ -0,0 +1,64 @@
+// +build !windows
+
+// Copyright 2016 (C) Mitchell Hashimoto
+// Distributed under the MIT License.
+
+package homedir
+
+import (
+	"bytes"
+	"errors"
+	"os"
+	"os/exec"
+	"os/user"
+	"strconv"
+	"strings"
+)
+
+// dir returns the homedir of current user for all POSIX compatible
+// operating systems.
+func dir() (string, error) {
+	// First prefer the HOME environmental variable
+	if home := os.Getenv("HOME"); home != "" {
+		return home, nil
+	}
+
+	// user.Current is not implemented for i386 and PNaCL like environments.
+	if currUser, err := user.Current(); err == nil {
+		return currUser.HomeDir, nil
+	}
+
+	// If that fails, try getent
+	var stdout bytes.Buffer
+	cmd := exec.Command("getent", "passwd", strconv.Itoa(os.Getuid()))
+	cmd.Stdout = &stdout
+	if err := cmd.Run(); err != nil {
+		// If "getent" is missing, ignore it
+		if err != exec.ErrNotFound {
+			return "", err
+		}
+	} else {
+		if passwd := strings.TrimSpace(stdout.String()); passwd != "" {
+			// username:password:uid:gid:gecos:home:shell
+			passwdParts := strings.SplitN(passwd, ":", 7)
+			if len(passwdParts) > 5 {
+				return passwdParts[5], nil
+			}
+		}
+	}
+
+	// If all else fails, try the shell
+	stdout.Reset()
+	cmd = exec.Command("sh", "-c", "cd && pwd")
+	cmd.Stdout = &stdout
+	if err := cmd.Run(); err != nil {
+		return "", err
+	}
+
+	result := strings.TrimSpace(stdout.String())
+	if result == "" {
+		return "", errors.New("blank output when reading home directory")
+	}
+
+	return result, nil
+}
diff --git a/vendor/github.com/minio/go-homedir/dir_windows.go b/vendor/github.com/minio/go-homedir/dir_windows.go
new file mode 100644
index 000000000..85e5218c7
--- /dev/null
+++ b/vendor/github.com/minio/go-homedir/dir_windows.go
@@ -0,0 +1,28 @@
+// Copyright 2016 (C) Mitchell Hashimoto
+// Distributed under the MIT License.
+
+package homedir
+
+import (
+	"errors"
+	"os"
+)
+
+// dir returns the homedir of current user for MS Windows OS.
+func dir() (string, error) {
+	// First prefer the HOME environmental variable
+	if home := os.Getenv("HOME"); home != "" {
+		return home, nil
+	}
+	drive := os.Getenv("HOMEDRIVE")
+	path := os.Getenv("HOMEPATH")
+	home := drive + path
+	if drive == "" || path == "" {
+		home = os.Getenv("USERPROFILE")
+	}
+	if home == "" {
+		return "", errors.New("HOMEDRIVE, HOMEPATH, and USERPROFILE are blank")
+	}
+
+	return home, nil
+}
diff --git a/vendor/github.com/minio/go-homedir/homedir.go b/vendor/github.com/minio/go-homedir/homedir.go
new file mode 100644
index 000000000..092373801
--- /dev/null
+++ b/vendor/github.com/minio/go-homedir/homedir.go
@@ -0,0 +1,68 @@
+// Copyright 2016 (C) Mitchell Hashimoto
+// Distributed under the MIT License.
+
+// Package homedir implements a portable function to determine current user's homedir.
+package homedir
+
+import (
+	"errors"
+	"path/filepath"
+	"sync"
+)
+
+// DisableCache will disable caching of the home directory. Caching is enabled
+// by default.
+var DisableCache bool
+
+var homedirCache string
+var cacheLock sync.Mutex
+
+// Dir returns the home directory for the executing user.
+//
+// This uses an OS-specific method for discovering the home directory.
+// An error is returned if a home directory cannot be detected.
+func Dir() (string, error) {
+	cacheLock.Lock()
+	defer cacheLock.Unlock()
+
+	// Return cached homedir if available.
+	if !DisableCache {
+		if homedirCache != "" {
+			return homedirCache, nil
+		}
+	}
+
+	// Determine OS speific current homedir.
+	result, err := dir()
+	if err != nil {
+		return "", err
+	}
+
+	// Cache for future lookups.
+	homedirCache = result
+	return result, nil
+}
+
+// Expand expands the path to include the home directory if the path
+// is prefixed with `~`. If it isn't prefixed with `~`, the path is
+// returned as-is.
+func Expand(path string) (string, error) {
+	if len(path) == 0 {
+		return path, nil
+	}
+
+	if path[0] != '~' {
+		return path, nil
+	}
+
+	if len(path) > 1 && path[1] != '/' && path[1] != '\\' {
+		return "", errors.New("cannot expand user-specific home dir")
+	}
+
+	dir, err := Dir()
+	if err != nil {
+		return "", err
+	}
+
+	return filepath.Join(dir, path[1:]), nil
+}
diff --git a/vendor/github.com/minio/go-homedir/homedir_test.go b/vendor/github.com/minio/go-homedir/homedir_test.go
new file mode 100644
index 000000000..a45121ff1
--- /dev/null
+++ b/vendor/github.com/minio/go-homedir/homedir_test.go
@@ -0,0 +1,114 @@
+package homedir
+
+import (
+	"os"
+	"os/user"
+	"path/filepath"
+	"testing"
+)
+
+func patchEnv(key, value string) func() {
+	bck := os.Getenv(key)
+	deferFunc := func() {
+		os.Setenv(key, bck)
+	}
+
+	os.Setenv(key, value)
+	return deferFunc
+}
+
+func BenchmarkDir(b *testing.B) {
+	// We do this for any "warmups"
+	for i := 0; i < 10; i++ {
+		Dir()
+	}
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		Dir()
+	}
+}
+
+func TestDir(t *testing.T) {
+	// NOTE: This test is not portable. If user.Current() worked
+	// everywhere, we wouldn't need our package in the first place.
+	u, err := user.Current()
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	dir, err := Dir()
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	if u.HomeDir != dir {
+		t.Fatalf("%#v != %#v", u.HomeDir, dir)
+	}
+}
+
+func TestExpand(t *testing.T) {
+	u, err := user.Current()
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	cases := []struct {
+		Input  string
+		Output string
+		Err    bool
+	}{
+		{
+			"/foo",
+			"/foo",
+			false,
+		},
+
+		{
+			"~/foo",
+			filepath.Join(u.HomeDir, "foo"),
+			false,
+		},
+
+		{
+			"",
+			"",
+			false,
+		},
+
+		{
+			"~",
+			u.HomeDir,
+			false,
+		},
+
+		{
+			"~foo/foo",
+			"",
+			true,
+		},
+	}
+
+	for _, tc := range cases {
+		actual, err := Expand(tc.Input)
+		if (err != nil) != tc.Err {
+			t.Fatalf("Input: %#v\n\nErr: %s", tc.Input, err)
+		}
+
+		if actual != tc.Output {
+			t.Fatalf("Input: %#v\n\nOutput: %#v", tc.Input, actual)
+		}
+	}
+
+	DisableCache = true
+	defer func() { DisableCache = false }()
+	defer patchEnv("HOME", "/custom/path/")()
+	expected := filepath.Join("/", "custom", "path", "foo/bar")
+	actual, err := Expand("~/foo/bar")
+
+	if err != nil {
+		t.Errorf("No error is expected, got: %v", err)
+	} else if actual != expected {
+		t.Errorf("Expected: %v; actual: %v", expected, actual)
+	}
+}
diff --git a/vendor/github.com/minio/minio-go/api-compose-object.go b/vendor/github.com/minio/minio-go/api-compose-object.go
new file mode 100644
index 000000000..6baf09e84
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/api-compose-object.go
@@ -0,0 +1,532 @@
+/*
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage (C) 2017 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package minio
+
+import (
+	"encoding/base64"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/minio/minio-go/pkg/s3utils"
+)
+
+// SSEInfo - represents Server-Side-Encryption parameters specified by
+// a user.
+type SSEInfo struct {
+	key  []byte
+	algo string
+}
+
+// NewSSEInfo - specifies (binary or un-encoded) encryption key and
+// algorithm name. If algo is empty, it defaults to "AES256". Ref:
+// https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html
+func NewSSEInfo(key []byte, algo string) SSEInfo {
+	if algo == "" {
+		algo = "AES256"
+	}
+	return SSEInfo{key, algo}
+}
+
+// internal method that computes SSE-C headers
+func (s *SSEInfo) getSSEHeaders(isCopySource bool) map[string]string {
+	if s == nil {
+		return nil
+	}
+
+	cs := ""
+	if isCopySource {
+		cs = "copy-source-"
+	}
+	return map[string]string{
+		"x-amz-" + cs + "server-side-encryption-customer-algorithm": s.algo,
+		"x-amz-" + cs + "server-side-encryption-customer-key":       base64.StdEncoding.EncodeToString(s.key),
+		"x-amz-" + cs + "server-side-encryption-customer-key-MD5":   base64.StdEncoding.EncodeToString(sumMD5(s.key)),
+	}
+}
+
+// GetSSEHeaders - computes and returns headers for SSE-C as key-value
+// pairs. They can be set as metadata in PutObject* requests (for
+// encryption) or be set as request headers in `Core.GetObject` (for
+// decryption).
+func (s *SSEInfo) GetSSEHeaders() map[string]string {
+	return s.getSSEHeaders(false)
+}
+
+// DestinationInfo - type with information about the object to be
+// created via server-side copy requests, using the Compose API.
+type DestinationInfo struct {
+	bucket, object string
+
+	// key for encrypting destination
+	encryption *SSEInfo
+
+	// if no user-metadata is provided, it is copied from source
+	// (when there is only once source object in the compose
+	// request)
+	userMetadata map[string]string
+}
+
+// NewDestinationInfo - creates a compose-object/copy-source
+// destination info object.
+//
+// `encSSEC` is the key info for server-side-encryption with customer
+// provided key. If it is nil, no encryption is performed.
+//
+// `userMeta` is the user-metadata key-value pairs to be set on the
+// destination. The keys are automatically prefixed with `x-amz-meta-`
+// if needed. If nil is passed, and if only a single source (of any
+// size) is provided in the ComposeObject call, then metadata from the
+// source is copied to the destination.
+func NewDestinationInfo(bucket, object string, encryptSSEC *SSEInfo,
+	userMeta map[string]string) (d DestinationInfo, err error) {
+
+	// Input validation.
+	if err = s3utils.CheckValidBucketName(bucket); err != nil {
+		return d, err
+	}
+	if err = s3utils.CheckValidObjectName(object); err != nil {
+		return d, err
+	}
+
+	// Process custom-metadata to remove a `x-amz-meta-` prefix if
+	// present and validate that keys are distinct (after this
+	// prefix removal).
+	m := make(map[string]string)
+	for k, v := range userMeta {
+		if strings.HasPrefix(strings.ToLower(k), "x-amz-meta-") {
+			k = k[len("x-amz-meta-"):]
+		}
+		if _, ok := m[k]; ok {
+			return d, fmt.Errorf("Cannot add both %s and x-amz-meta-%s keys as custom metadata", k, k)
+		}
+		m[k] = v
+	}
+
+	return DestinationInfo{
+		bucket:       bucket,
+		object:       object,
+		encryption:   encryptSSEC,
+		userMetadata: m,
+	}, nil
+}
+
+// getUserMetaHeadersMap - construct appropriate key-value pairs to send
+// as headers from metadata map to pass into copy-object request. For
+// single part copy-object (i.e. non-multipart object), enable the
+// withCopyDirectiveHeader to set the `x-amz-metadata-directive` to
+// `REPLACE`, so that metadata headers from the source are not copied
+// over.
+func (d *DestinationInfo) getUserMetaHeadersMap(withCopyDirectiveHeader bool) map[string]string {
+	if len(d.userMetadata) == 0 {
+		return nil
+	}
+	r := make(map[string]string)
+	if withCopyDirectiveHeader {
+		r["x-amz-metadata-directive"] = "REPLACE"
+	}
+	for k, v := range d.userMetadata {
+		r["x-amz-meta-"+k] = v
+	}
+	return r
+}
+
+// SourceInfo - represents a source object to be copied, using
+// server-side copying APIs.
+type SourceInfo struct {
+	bucket, object string
+
+	start, end int64
+
+	decryptKey *SSEInfo
+	// Headers to send with the upload-part-copy request involving
+	// this source object.
+	Headers http.Header
+}
+
+// NewSourceInfo - create a compose-object/copy-object source info
+// object.
+//
+// `decryptSSEC` is the decryption key using server-side-encryption
+// with customer provided key. It may be nil if the source is not
+// encrypted.
+func NewSourceInfo(bucket, object string, decryptSSEC *SSEInfo) SourceInfo {
+	r := SourceInfo{
+		bucket:     bucket,
+		object:     object,
+		start:      -1, // range is unspecified by default
+		decryptKey: decryptSSEC,
+		Headers:    make(http.Header),
+	}
+
+	// Set the source header
+	r.Headers.Set("x-amz-copy-source", s3utils.EncodePath(bucket+"/"+object))
+
+	// Assemble decryption headers for upload-part-copy request
+	for k, v := range decryptSSEC.getSSEHeaders(true) {
+		r.Headers.Set(k, v)
+	}
+
+	return r
+}
+
+// SetRange - Set the start and end offset of the source object to be
+// copied. If this method is not called, the whole source object is
+// copied.
+func (s *SourceInfo) SetRange(start, end int64) error {
+	if start > end || start < 0 {
+		return ErrInvalidArgument("start must be non-negative, and start must be at most end.")
+	}
+	// Note that 0 <= start <= end
+	s.start, s.end = start, end
+	return nil
+}
+
+// SetMatchETagCond - Set ETag match condition. The object is copied
+// only if the etag of the source matches the value given here.
+func (s *SourceInfo) SetMatchETagCond(etag string) error {
+	if etag == "" {
+		return ErrInvalidArgument("ETag cannot be empty.")
+	}
+	s.Headers.Set("x-amz-copy-source-if-match", etag)
+	return nil
+}
+
+// SetMatchETagExceptCond - Set the ETag match exception
+// condition. The object is copied only if the etag of the source is
+// not the value given here.
+func (s *SourceInfo) SetMatchETagExceptCond(etag string) error {
+	if etag == "" {
+		return ErrInvalidArgument("ETag cannot be empty.")
+	}
+	s.Headers.Set("x-amz-copy-source-if-none-match", etag)
+	return nil
+}
+
+// SetModifiedSinceCond - Set the modified since condition.
+func (s *SourceInfo) SetModifiedSinceCond(modTime time.Time) error {
+	if modTime.IsZero() {
+		return ErrInvalidArgument("Input time cannot be 0.")
+	}
+	s.Headers.Set("x-amz-copy-source-if-modified-since", modTime.Format(http.TimeFormat))
+	return nil
+}
+
+// SetUnmodifiedSinceCond - Set the unmodified since condition.
+func (s *SourceInfo) SetUnmodifiedSinceCond(modTime time.Time) error {
+	if modTime.IsZero() {
+		return ErrInvalidArgument("Input time cannot be 0.")
+	}
+	s.Headers.Set("x-amz-copy-source-if-unmodified-since", modTime.Format(http.TimeFormat))
+	return nil
+}
+
+// Helper to fetch size and etag of an object using a StatObject call.
+func (s *SourceInfo) getProps(c Client) (size int64, etag string, userMeta map[string]string, err error) {
+	// Get object info - need size and etag here. Also, decryption
+	// headers are added to the stat request if given.
+	var objInfo ObjectInfo
+	rh := NewGetReqHeaders()
+	for k, v := range s.decryptKey.getSSEHeaders(false) {
+		rh.Set(k, v)
+	}
+	objInfo, err = c.statObject(s.bucket, s.object, rh)
+	if err != nil {
+		err = fmt.Errorf("Could not stat object - %s/%s: %v", s.bucket, s.object, err)
+	} else {
+		size = objInfo.Size
+		etag = objInfo.ETag
+		userMeta = make(map[string]string)
+		for k, v := range objInfo.Metadata {
+			if strings.HasPrefix(k, "x-amz-meta-") {
+				if len(v) > 0 {
+					userMeta[k] = v[0]
+				}
+			}
+		}
+	}
+	return
+}
+
+// uploadPartCopy - helper function to create a part in a multipart
+// upload via an upload-part-copy request
+// https://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPartCopy.html
+func (c Client) uploadPartCopy(bucket, object, uploadID string, partNumber int,
+	headers http.Header) (p CompletePart, err error) {
+
+	// Build query parameters
+	urlValues := make(url.Values)
+	urlValues.Set("partNumber", strconv.Itoa(partNumber))
+	urlValues.Set("uploadId", uploadID)
+
+	// Send upload-part-copy request
+	resp, err := c.executeMethod("PUT", requestMetadata{
+		bucketName:   bucket,
+		objectName:   object,
+		customHeader: headers,
+		queryValues:  urlValues,
+	})
+	defer closeResponse(resp)
+	if err != nil {
+		return p, err
+	}
+
+	// Check if we got an error response.
+	if resp.StatusCode != http.StatusOK {
+		return p, httpRespToErrorResponse(resp, bucket, object)
+	}
+
+	// Decode copy-part response on success.
+	cpObjRes := copyObjectResult{}
+	err = xmlDecoder(resp.Body, &cpObjRes)
+	if err != nil {
+		return p, err
+	}
+	p.PartNumber, p.ETag = partNumber, cpObjRes.ETag
+	return p, nil
+}
+
+// ComposeObject - creates an object using server-side copying of
+// existing objects. It takes a list of source objects (with optional
+// offsets) and concatenates them into a new object using only
+// server-side copying operations.
+func (c Client) ComposeObject(dst DestinationInfo, srcs []SourceInfo) error {
+	if len(srcs) < 1 || len(srcs) > maxPartsCount {
+		return ErrInvalidArgument("There must be as least one and upto 10000 source objects.")
+	}
+
+	srcSizes := make([]int64, len(srcs))
+	var totalSize, size, totalParts int64
+	var srcUserMeta map[string]string
+	var etag string
+	var err error
+	for i, src := range srcs {
+		size, etag, srcUserMeta, err = src.getProps(c)
+		if err != nil {
+			return fmt.Errorf("Could not get source props for %s/%s: %v", src.bucket, src.object, err)
+		}
+
+		// Error out if client side encryption is used in this source object when
+		// more than one source objects are given.
+		if len(srcs) > 1 && src.Headers.Get("x-amz-meta-x-amz-key") != "" {
+			return ErrInvalidArgument(
+				fmt.Sprintf("Client side encryption is used in source object %s/%s", src.bucket, src.object))
+		}
+
+		// Since we did a HEAD to get size, we use the ETag
+		// value to make sure the object has not changed by
+		// the time we perform the copy. This is done, only if
+		// the user has not set their own ETag match
+		// condition.
+		if src.Headers.Get("x-amz-copy-source-if-match") == "" {
+			src.SetMatchETagCond(etag)
+		}
+
+		// Check if a segment is specified, and if so, is the
+		// segment within object bounds?
+		if src.start != -1 {
+			// Since range is specified,
+			//    0 <= src.start <= src.end
+			// so only invalid case to check is:
+			if src.end >= size {
+				return ErrInvalidArgument(
+					fmt.Sprintf("SourceInfo %d has invalid segment-to-copy [%d, %d] (size is %d)",
+						i, src.start, src.end, size))
+			}
+			size = src.end - src.start + 1
+		}
+
+		// Only the last source may be less than `absMinPartSize`
+		if size < absMinPartSize && i < len(srcs)-1 {
+			return ErrInvalidArgument(
+				fmt.Sprintf("SourceInfo %d is too small (%d) and it is not the last part", i, size))
+		}
+
+		// Is data to copy too large?
+		totalSize += size
+		if totalSize > maxMultipartPutObjectSize {
+			return ErrInvalidArgument(fmt.Sprintf("Cannot compose an object of size %d (> 5TiB)", totalSize))
+		}
+
+		// record source size
+		srcSizes[i] = size
+
+		// calculate parts needed for current source
+		totalParts += partsRequired(size)
+		// Do we need more parts than we are allowed?
+		if totalParts > maxPartsCount {
+			return ErrInvalidArgument(fmt.Sprintf(
+				"Your proposed compose object requires more than %d parts", maxPartsCount))
+		}
+	}
+
+	// Single source object case (i.e. when only one source is
+	// involved, it is being copied wholly and at most 5GiB in
+	// size).
+	if totalParts == 1 && srcs[0].start == -1 && totalSize <= maxPartSize {
+		h := srcs[0].Headers
+		// Add destination encryption headers
+		for k, v := range dst.encryption.getSSEHeaders(false) {
+			h.Set(k, v)
+		}
+
+		// If no user metadata is specified (and so, the
+		// for-loop below is not entered), metadata from the
+		// source is copied to the destination (due to
+		// single-part copy-object PUT request behaviour).
+		for k, v := range dst.getUserMetaHeadersMap(true) {
+			h.Set(k, v)
+		}
+
+		// Send copy request
+		resp, err := c.executeMethod("PUT", requestMetadata{
+			bucketName:   dst.bucket,
+			objectName:   dst.object,
+			customHeader: h,
+		})
+		defer closeResponse(resp)
+		if err != nil {
+			return err
+		}
+		// Check if we got an error response.
+		if resp.StatusCode != http.StatusOK {
+			return httpRespToErrorResponse(resp, dst.bucket, dst.object)
+		}
+
+		// Return nil on success.
+		return nil
+	}
+
+	// Now, handle multipart-copy cases.
+
+	// 1. Initiate a new multipart upload.
+
+	// Set user-metadata on the destination object. If no
+	// user-metadata is specified, and there is only one source,
+	// (only) then metadata from source is copied.
+	userMeta := dst.getUserMetaHeadersMap(false)
+	metaMap := userMeta
+	if len(userMeta) == 0 && len(srcs) == 1 {
+		metaMap = srcUserMeta
+	}
+	metaHeaders := make(map[string][]string)
+	for k, v := range metaMap {
+		metaHeaders[k] = append(metaHeaders[k], v)
+	}
+	uploadID, err := c.newUploadID(dst.bucket, dst.object, metaHeaders)
+	if err != nil {
+		return fmt.Errorf("Error creating new upload: %v", err)
+	}
+
+	// 2. Perform copy part uploads
+	objParts := []CompletePart{}
+	partIndex := 1
+	for i, src := range srcs {
+		h := src.Headers
+		// Add destination encryption headers
+		for k, v := range dst.encryption.getSSEHeaders(false) {
+			h.Set(k, v)
+		}
+
+		// calculate start/end indices of parts after
+		// splitting.
+		startIdx, endIdx := calculateEvenSplits(srcSizes[i], src)
+		for j, start := range startIdx {
+			end := endIdx[j]
+
+			// Add (or reset) source range header for
+			// upload part copy request.
+			h.Set("x-amz-copy-source-range",
+				fmt.Sprintf("bytes=%d-%d", start, end))
+
+			// make upload-part-copy request
+			complPart, err := c.uploadPartCopy(dst.bucket,
+				dst.object, uploadID, partIndex, h)
+			if err != nil {
+				return fmt.Errorf("Error in upload-part-copy - %v", err)
+			}
+			objParts = append(objParts, complPart)
+			partIndex++
+		}
+	}
+
+	// 3. Make final complete-multipart request.
+	_, err = c.completeMultipartUpload(dst.bucket, dst.object, uploadID,
+		completeMultipartUpload{Parts: objParts})
+	if err != nil {
+		err = fmt.Errorf("Error in complete-multipart request - %v", err)
+	}
+	return err
+}
+
+// partsRequired is ceiling(size / copyPartSize)
+func partsRequired(size int64) int64 {
+	r := size / copyPartSize
+	if size%copyPartSize > 0 {
+		r++
+	}
+	return r
+}
+
+// calculateEvenSplits - computes splits for a source and returns
+// start and end index slices. Splits happen evenly to be sure that no
+// part is less than 5MiB, as that could fail the multipart request if
+// it is not the last part.
+func calculateEvenSplits(size int64, src SourceInfo) (startIndex, endIndex []int64) {
+	if size == 0 {
+		return
+	}
+
+	reqParts := partsRequired(size)
+	startIndex = make([]int64, reqParts)
+	endIndex = make([]int64, reqParts)
+	// Compute number of required parts `k`, as:
+	//
+	// k = ceiling(size / copyPartSize)
+	//
+	// Now, distribute the `size` bytes in the source into
+	// k parts as evenly as possible:
+	//
+	// r parts sized (q+1) bytes, and
+	// (k - r) parts sized q bytes, where
+	//
+	// size = q * k + r (by simple division of size by k,
+	// so that 0 <= r < k)
+	//
+	start := src.start
+	if start == -1 {
+		start = 0
+	}
+	quot, rem := size/reqParts, size%reqParts
+	nextStart := start
+	for j := int64(0); j < reqParts; j++ {
+		curPartSize := quot
+		if j < rem {
+			curPartSize++
+		}
+
+		cStart := nextStart
+		cEnd := cStart + curPartSize - 1
+		nextStart = cEnd + 1
+
+		startIndex[j], endIndex[j] = cStart, cEnd
+	}
+	return
+}
diff --git a/vendor/github.com/minio/minio-go/api-compose-object_test.go b/vendor/github.com/minio/minio-go/api-compose-object_test.go
new file mode 100644
index 000000000..5339d2027
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/api-compose-object_test.go
@@ -0,0 +1,88 @@
+/*
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage (C) 2017 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package minio
+
+import (
+	"reflect"
+	"testing"
+)
+
+const (
+	gb1    = 1024 * 1024 * 1024
+	gb5    = 5 * gb1
+	gb5p1  = gb5 + 1
+	gb10p1 = 2*gb5 + 1
+	gb10p2 = 2*gb5 + 2
+)
+
+func TestPartsRequired(t *testing.T) {
+	testCases := []struct {
+		size, ref int64
+	}{
+		{0, 0},
+		{1, 1},
+		{gb5, 1},
+		{2 * gb5, 2},
+		{gb10p1, 3},
+		{gb10p2, 3},
+	}
+
+	for i, testCase := range testCases {
+		res := partsRequired(testCase.size)
+		if res != testCase.ref {
+			t.Errorf("Test %d - output did not match with reference results", i+1)
+		}
+	}
+}
+
+func TestCalculateEvenSplits(t *testing.T) {
+
+	testCases := []struct {
+		// input size and source object
+		size int64
+		src  SourceInfo
+
+		// output part-indexes
+		starts, ends []int64
+	}{
+		{0, SourceInfo{start: -1}, nil, nil},
+		{1, SourceInfo{start: -1}, []int64{0}, []int64{0}},
+		{1, SourceInfo{start: 0}, []int64{0}, []int64{0}},
+
+		{gb1, SourceInfo{start: -1}, []int64{0}, []int64{gb1 - 1}},
+		{gb5, SourceInfo{start: -1}, []int64{0}, []int64{gb5 - 1}},
+
+		// 2 part splits
+		{gb5p1, SourceInfo{start: -1}, []int64{0, gb5/2 + 1}, []int64{gb5 / 2, gb5}},
+		{gb5p1, SourceInfo{start: -1}, []int64{0, gb5/2 + 1}, []int64{gb5 / 2, gb5}},
+
+		// 3 part splits
+		{gb10p1, SourceInfo{start: -1},
+			[]int64{0, gb10p1/3 + 1, 2*gb10p1/3 + 1},
+			[]int64{gb10p1 / 3, 2 * gb10p1 / 3, gb10p1 - 1}},
+
+		{gb10p2, SourceInfo{start: -1},
+			[]int64{0, gb10p2 / 3, 2 * gb10p2 / 3},
+			[]int64{gb10p2/3 - 1, 2*gb10p2/3 - 1, gb10p2 - 1}},
+	}
+
+	for i, testCase := range testCases {
+		resStart, resEnd := calculateEvenSplits(testCase.size, testCase.src)
+		if !reflect.DeepEqual(testCase.starts, resStart) || !reflect.DeepEqual(testCase.ends, resEnd) {
+			t.Errorf("Test %d - output did not match with reference results", i+1)
+		}
+	}
+}
diff --git a/vendor/github.com/minio/minio-go/api-error-response.go b/vendor/github.com/minio/minio-go/api-error-response.go
index ff8b8b109..e0019a334 100644
--- a/vendor/github.com/minio/minio-go/api-error-response.go
+++ b/vendor/github.com/minio/minio-go/api-error-response.go
@@ -161,6 +161,9 @@ func httpRespToErrorResponse(resp *http.Response, bucketName, objectName string)
 	if errResp.Region == "" {
 		errResp.Region = resp.Header.Get("x-amz-bucket-region")
 	}
+	if errResp.Code == "InvalidRegion" && errResp.Region != "" {
+		errResp.Message = fmt.Sprintf("Region does not match, expecting region '%s'.", errResp.Region)
+	}
 
 	// Save headers returned in the API XML error
 	errResp.Headers = resp.Header
diff --git a/vendor/github.com/minio/minio-go/api-get-object-file.go b/vendor/github.com/minio/minio-go/api-get-object-file.go
index 477a0969f..c4193e934 100644
--- a/vendor/github.com/minio/minio-go/api-get-object-file.go
+++ b/vendor/github.com/minio/minio-go/api-get-object-file.go
@@ -20,15 +20,17 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+
+	"github.com/minio/minio-go/pkg/s3utils"
 )
 
 // FGetObject - download contents of an object to a local file.
 func (c Client) FGetObject(bucketName, objectName, filePath string) error {
 	// Input validation.
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 		return err
 	}
-	if err := isValidObjectName(objectName); err != nil {
+	if err := s3utils.CheckValidObjectName(objectName); err != nil {
 		return err
 	}
 
diff --git a/vendor/github.com/minio/minio-go/api-get-object.go b/vendor/github.com/minio/minio-go/api-get-object.go
index 2abd4608e..1078d2f98 100644
--- a/vendor/github.com/minio/minio-go/api-get-object.go
+++ b/vendor/github.com/minio/minio-go/api-get-object.go
@@ -26,11 +26,12 @@ import (
 	"time"
 
 	"github.com/minio/minio-go/pkg/encrypt"
+	"github.com/minio/minio-go/pkg/s3utils"
 )
 
-// GetEncryptedObject deciphers and streams data stored in the server after applying a specifed encryption materiels
-func (c Client) GetEncryptedObject(bucketName, objectName string, encryptMaterials encrypt.Materials) (io.Reader, error) {
-
+// GetEncryptedObject deciphers and streams data stored in the server after applying a specified encryption materials,
+// returned stream should be closed by the caller.
+func (c Client) GetEncryptedObject(bucketName, objectName string, encryptMaterials encrypt.Materials) (io.ReadCloser, error) {
 	if encryptMaterials == nil {
 		return nil, ErrInvalidArgument("Unable to recognize empty encryption properties")
 	}
@@ -57,10 +58,10 @@ func (c Client) GetEncryptedObject(bucketName, objectName string, encryptMateria
 // GetObject - returns an seekable, readable object.
 func (c Client) GetObject(bucketName, objectName string) (*Object, error) {
 	// Input validation.
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 		return nil, err
 	}
-	if err := isValidObjectName(objectName); err != nil {
+	if err := s3utils.CheckValidObjectName(objectName); err != nil {
 		return nil, err
 	}
 
@@ -328,14 +329,14 @@ func (o *Object) setOffset(bytesRead int64) error {
 	// Update the currentOffset.
 	o.currOffset += bytesRead
 
-	if o.currOffset >= o.objectInfo.Size {
+	if o.objectInfo.Size > -1 && o.currOffset >= o.objectInfo.Size {
 		return io.EOF
 	}
 	return nil
 }
 
 // Read reads up to len(b) bytes into b. It returns the number of
-// bytes read (0 <= n <= len(p)) and any error encountered. Returns
+// bytes read (0 <= n <= len(b)) and any error encountered. Returns
 // io.EOF upon end of file.
 func (o *Object) Read(b []byte) (n int, err error) {
 	if o == nil {
@@ -442,7 +443,7 @@ func (o *Object) ReadAt(b []byte, offset int64) (n int, err error) {
 	if o.objectInfoSet {
 		// If offset is negative than we return io.EOF.
 		// If offset is greater than or equal to object size we return io.EOF.
-		if offset >= o.objectInfo.Size || offset < 0 {
+		if (o.objectInfo.Size > -1 && offset >= o.objectInfo.Size) || offset < 0 {
 			return 0, io.EOF
 		}
 	}
@@ -542,16 +543,20 @@ func (o *Object) Seek(offset int64, whence int) (n int64, err error) {
 	default:
 		return 0, ErrInvalidArgument(fmt.Sprintf("Invalid whence %d", whence))
 	case 0:
-		if offset > o.objectInfo.Size {
+		if o.objectInfo.Size > -1 && offset > o.objectInfo.Size {
 			return 0, io.EOF
 		}
 		o.currOffset = offset
 	case 1:
-		if o.currOffset+offset > o.objectInfo.Size {
+		if o.objectInfo.Size > -1 && o.currOffset+offset > o.objectInfo.Size {
 			return 0, io.EOF
 		}
 		o.currOffset += offset
 	case 2:
+		// If we don't know the object size return an error for io.SeekEnd
+		if o.objectInfo.Size < 0 {
+			return 0, ErrInvalidArgument("Whence END is not supported when the object size is unknown")
+		}
 		// Seeking to positive offset is valid for whence '2', but
 		// since we are backing a Reader we have reached 'EOF' if
 		// offset is positive.
@@ -623,10 +628,10 @@ func newObject(reqCh chan<- getRequest, resCh <-chan getResponse, doneCh chan<-
 // go to http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.35.
 func (c Client) getObject(bucketName, objectName string, reqHeaders RequestHeaders) (io.ReadCloser, ObjectInfo, error) {
 	// Validate input arguments.
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 		return nil, ObjectInfo{}, err
 	}
-	if err := isValidObjectName(objectName); err != nil {
+	if err := s3utils.CheckValidObjectName(objectName); err != nil {
 		return nil, ObjectInfo{}, err
 	}
 
diff --git a/vendor/github.com/minio/minio-go/api-get-policy.go b/vendor/github.com/minio/minio-go/api-get-policy.go
index 7491df330..10ccdc66b 100644
--- a/vendor/github.com/minio/minio-go/api-get-policy.go
+++ b/vendor/github.com/minio/minio-go/api-get-policy.go
@@ -23,15 +23,16 @@ import (
 	"net/url"
 
 	"github.com/minio/minio-go/pkg/policy"
+	"github.com/minio/minio-go/pkg/s3utils"
 )
 
 // GetBucketPolicy - get bucket policy at a given path.
 func (c Client) GetBucketPolicy(bucketName, objectPrefix string) (bucketPolicy policy.BucketPolicy, err error) {
 	// Input validation.
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 		return policy.BucketPolicyNone, err
 	}
-	if err := isValidObjectPrefix(objectPrefix); err != nil {
+	if err := s3utils.CheckValidObjectNamePrefix(objectPrefix); err != nil {
 		return policy.BucketPolicyNone, err
 	}
 	policyInfo, err := c.getBucketPolicy(bucketName)
@@ -48,10 +49,10 @@ func (c Client) GetBucketPolicy(bucketName, objectPrefix string) (bucketPolicy p
 // ListBucketPolicies - list all policies for a given prefix and all its children.
 func (c Client) ListBucketPolicies(bucketName, objectPrefix string) (bucketPolicies map[string]policy.BucketPolicy, err error) {
 	// Input validation.
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 		return map[string]policy.BucketPolicy{}, err
 	}
-	if err := isValidObjectPrefix(objectPrefix); err != nil {
+	if err := s3utils.CheckValidObjectNamePrefix(objectPrefix); err != nil {
 		return map[string]policy.BucketPolicy{}, err
 	}
 	policyInfo, err := c.getBucketPolicy(bucketName)
diff --git a/vendor/github.com/minio/minio-go/api-list.go b/vendor/github.com/minio/minio-go/api-list.go
index 6a228179e..6de1fe9b3 100644
--- a/vendor/github.com/minio/minio-go/api-list.go
+++ b/vendor/github.com/minio/minio-go/api-list.go
@@ -17,10 +17,13 @@
 package minio
 
 import (
+	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
 	"strings"
+
+	"github.com/minio/minio-go/pkg/s3utils"
 )
 
 // ListBuckets list all buckets owned by this authenticated user.
@@ -69,7 +72,7 @@ func (c Client) ListBuckets() ([]BucketInfo, error) {
 //   // Create a done channel.
 //   doneCh := make(chan struct{})
 //   defer close(doneCh)
-//   // Recurively list all objects in 'mytestbucket'
+//   // Recursively list all objects in 'mytestbucket'
 //   recursive := true
 //   for message := range api.ListObjectsV2("mytestbucket", "starthere", recursive, doneCh) {
 //       fmt.Println(message)
@@ -84,18 +87,21 @@ func (c Client) ListObjectsV2(bucketName, objectPrefix string, recursive bool, d
 		// If recursive we do not delimit.
 		delimiter = ""
 	}
+
 	// Return object owner information by default
 	fetchOwner := true
+
 	// Validate bucket name.
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 		defer close(objectStatCh)
 		objectStatCh <- ObjectInfo{
 			Err: err,
 		}
 		return objectStatCh
 	}
+
 	// Validate incoming object prefix.
-	if err := isValidObjectPrefix(objectPrefix); err != nil {
+	if err := s3utils.CheckValidObjectNamePrefix(objectPrefix); err != nil {
 		defer close(objectStatCh)
 		objectStatCh <- ObjectInfo{
 			Err: err,
@@ -120,7 +126,6 @@ func (c Client) ListObjectsV2(bucketName, objectPrefix string, recursive bool, d
 
 			// If contents are available loop through and send over channel.
 			for _, object := range result.Contents {
-				// Save the marker.
 				select {
 				// Send object content.
 				case objectStatCh <- object:
@@ -133,12 +138,12 @@ func (c Client) ListObjectsV2(bucketName, objectPrefix string, recursive bool, d
 			// Send all common prefixes if any.
 			// NOTE: prefixes are only present if the request is delimited.
 			for _, obj := range result.CommonPrefixes {
-				object := ObjectInfo{}
-				object.Key = obj.Prefix
-				object.Size = 0
 				select {
 				// Send object prefixes.
-				case objectStatCh <- object:
+				case objectStatCh <- ObjectInfo{
+					Key:  obj.Prefix,
+					Size: 0,
+				}:
 				// If receives done from the caller, return here.
 				case <-doneCh:
 					return
@@ -170,11 +175,11 @@ func (c Client) ListObjectsV2(bucketName, objectPrefix string, recursive bool, d
 // ?max-keys - Sets the maximum number of keys returned in the response body.
 func (c Client) listObjectsV2Query(bucketName, objectPrefix, continuationToken string, fetchOwner bool, delimiter string, maxkeys int) (ListBucketV2Result, error) {
 	// Validate bucket name.
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 		return ListBucketV2Result{}, err
 	}
 	// Validate object prefix.
-	if err := isValidObjectPrefix(objectPrefix); err != nil {
+	if err := s3utils.CheckValidObjectNamePrefix(objectPrefix); err != nil {
 		return ListBucketV2Result{}, err
 	}
 	// Get resources properly escaped and lined up before
@@ -227,10 +232,17 @@ func (c Client) listObjectsV2Query(bucketName, objectPrefix, continuationToken s
 
 	// Decode listBuckets XML.
 	listBucketResult := ListBucketV2Result{}
-	err = xmlDecoder(resp.Body, &listBucketResult)
-	if err != nil {
+	if err = xmlDecoder(resp.Body, &listBucketResult); err != nil {
 		return listBucketResult, err
 	}
+
+	// This is an additional verification check to make
+	// sure proper responses are received.
+	if listBucketResult.IsTruncated && listBucketResult.NextContinuationToken == "" {
+		return listBucketResult, errors.New("Truncated response should have continuation token set")
+	}
+
+	// Success.
 	return listBucketResult, nil
 }
 
@@ -266,7 +278,7 @@ func (c Client) ListObjects(bucketName, objectPrefix string, recursive bool, don
 		delimiter = ""
 	}
 	// Validate bucket name.
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 		defer close(objectStatCh)
 		objectStatCh <- ObjectInfo{
 			Err: err,
@@ -274,7 +286,7 @@ func (c Client) ListObjects(bucketName, objectPrefix string, recursive bool, don
 		return objectStatCh
 	}
 	// Validate incoming object prefix.
-	if err := isValidObjectPrefix(objectPrefix); err != nil {
+	if err := s3utils.CheckValidObjectNamePrefix(objectPrefix); err != nil {
 		defer close(objectStatCh)
 		objectStatCh <- ObjectInfo{
 			Err: err,
@@ -350,11 +362,11 @@ func (c Client) ListObjects(bucketName, objectPrefix string, recursive bool, don
 // ?max-keys - Sets the maximum number of keys returned in the response body.
 func (c Client) listObjectsQuery(bucketName, objectPrefix, objectMarker, delimiter string, maxkeys int) (ListBucketResult, error) {
 	// Validate bucket name.
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 		return ListBucketResult{}, err
 	}
 	// Validate object prefix.
-	if err := isValidObjectPrefix(objectPrefix); err != nil {
+	if err := s3utils.CheckValidObjectNamePrefix(objectPrefix); err != nil {
 		return ListBucketResult{}, err
 	}
 	// Get resources properly escaped and lined up before
@@ -442,7 +454,7 @@ func (c Client) listIncompleteUploads(bucketName, objectPrefix string, recursive
 		delimiter = ""
 	}
 	// Validate bucket name.
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 		defer close(objectMultipartStatCh)
 		objectMultipartStatCh <- ObjectMultipartInfo{
 			Err: err,
@@ -450,7 +462,7 @@ func (c Client) listIncompleteUploads(bucketName, objectPrefix string, recursive
 		return objectMultipartStatCh
 	}
 	// Validate incoming object prefix.
-	if err := isValidObjectPrefix(objectPrefix); err != nil {
+	if err := s3utils.CheckValidObjectNamePrefix(objectPrefix); err != nil {
 		defer close(objectMultipartStatCh)
 		objectMultipartStatCh <- ObjectMultipartInfo{
 			Err: err,
diff --git a/vendor/github.com/minio/minio-go/api-notification.go b/vendor/github.com/minio/minio-go/api-notification.go
index cbea1c6da..25a283af5 100644
--- a/vendor/github.com/minio/minio-go/api-notification.go
+++ b/vendor/github.com/minio/minio-go/api-notification.go
@@ -30,7 +30,7 @@ import (
 // GetBucketNotification - get bucket notification at a given path.
 func (c Client) GetBucketNotification(bucketName string) (bucketNotification BucketNotification, err error) {
 	// Input validation.
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 		return BucketNotification{}, err
 	}
 	notification, err := c.getBucketNotification(bucketName)
@@ -140,7 +140,7 @@ func (c Client) ListenBucketNotification(bucketName, prefix, suffix string, even
 		defer close(notificationInfoCh)
 
 		// Validate the bucket name.
-		if err := isValidBucketName(bucketName); err != nil {
+		if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 			notificationInfoCh <- NotificationInfo{
 				Err: err,
 			}
@@ -155,7 +155,7 @@ func (c Client) ListenBucketNotification(bucketName, prefix, suffix string, even
 			return
 		}
 
-		// Continously run and listen on bucket notification.
+		// Continuously run and listen on bucket notification.
 		// Create a done channel to control 'ListObjects' go routine.
 		retryDoneCh := make(chan struct{}, 1)
 
diff --git a/vendor/github.com/minio/minio-go/api-presigned.go b/vendor/github.com/minio/minio-go/api-presigned.go
index f9d05ab9b..8cfcb55fb 100644
--- a/vendor/github.com/minio/minio-go/api-presigned.go
+++ b/vendor/github.com/minio/minio-go/api-presigned.go
@@ -42,10 +42,10 @@ func (c Client) presignURL(method string, bucketName string, objectName string,
 	if method == "" {
 		return nil, ErrInvalidArgument("method cannot be empty.")
 	}
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 		return nil, err
 	}
-	if err := isValidObjectName(objectName); err != nil {
+	if err := s3utils.CheckValidObjectName(objectName); err != nil {
 		return nil, err
 	}
 	if err := isValidExpiry(expires); err != nil {
@@ -122,21 +122,38 @@ func (c Client) PresignedPostPolicy(p *PostPolicy) (u *url.URL, formData map[str
 		return nil, nil, err
 	}
 
+	// Get credentials from the configured credentials provider.
+	credValues, err := c.credsProvider.Get()
+	if err != nil {
+		return nil, nil, err
+	}
+
+	var (
+		signerType      = credValues.SignerType
+		sessionToken    = credValues.SessionToken
+		accessKeyID     = credValues.AccessKeyID
+		secretAccessKey = credValues.SecretAccessKey
+	)
+
+	if signerType.IsAnonymous() {
+		return nil, nil, ErrInvalidArgument("Presigned operations are not supported for anonymous credentials")
+	}
+
 	// Keep time.
 	t := time.Now().UTC()
 	// For signature version '2' handle here.
-	if c.signature.isV2() {
+	if signerType.IsV2() {
 		policyBase64 := p.base64()
 		p.formData["policy"] = policyBase64
 		// For Google endpoint set this value to be 'GoogleAccessId'.
 		if s3utils.IsGoogleEndpoint(c.endpointURL) {
-			p.formData["GoogleAccessId"] = c.accessKeyID
+			p.formData["GoogleAccessId"] = accessKeyID
 		} else {
 			// For all other endpoints set this value to be 'AWSAccessKeyId'.
-			p.formData["AWSAccessKeyId"] = c.accessKeyID
+			p.formData["AWSAccessKeyId"] = accessKeyID
 		}
 		// Sign the policy.
-		p.formData["signature"] = s3signer.PostPresignSignatureV2(policyBase64, c.secretAccessKey)
+		p.formData["signature"] = s3signer.PostPresignSignatureV2(policyBase64, secretAccessKey)
 		return u, p.formData, nil
 	}
 
@@ -159,7 +176,7 @@ func (c Client) PresignedPostPolicy(p *PostPolicy) (u *url.URL, formData map[str
 	}
 
 	// Add a credential policy.
-	credential := s3signer.GetCredential(c.accessKeyID, location, t)
+	credential := s3signer.GetCredential(accessKeyID, location, t)
 	if err = p.addNewPolicy(policyCondition{
 		matchType: "eq",
 		condition: "$x-amz-credential",
@@ -168,13 +185,27 @@ func (c Client) PresignedPostPolicy(p *PostPolicy) (u *url.URL, formData map[str
 		return nil, nil, err
 	}
 
+	if sessionToken != "" {
+		if err = p.addNewPolicy(policyCondition{
+			matchType: "eq",
+			condition: "$x-amz-security-token",
+			value:     sessionToken,
+		}); err != nil {
+			return nil, nil, err
+		}
+	}
+
 	// Get base64 encoded policy.
 	policyBase64 := p.base64()
+
 	// Fill in the form data.
 	p.formData["policy"] = policyBase64
 	p.formData["x-amz-algorithm"] = signV4Algorithm
 	p.formData["x-amz-credential"] = credential
 	p.formData["x-amz-date"] = t.Format(iso8601DateFormat)
-	p.formData["x-amz-signature"] = s3signer.PostPresignSignatureV4(policyBase64, t, c.secretAccessKey, location)
+	if sessionToken != "" {
+		p.formData["x-amz-security-token"] = sessionToken
+	}
+	p.formData["x-amz-signature"] = s3signer.PostPresignSignatureV4(policyBase64, t, secretAccessKey, location)
 	return u, p.formData, nil
 }
diff --git a/vendor/github.com/minio/minio-go/api-put-bucket.go b/vendor/github.com/minio/minio-go/api-put-bucket.go
index 001da6de3..fd37dc192 100644
--- a/vendor/github.com/minio/minio-go/api-put-bucket.go
+++ b/vendor/github.com/minio/minio-go/api-put-bucket.go
@@ -1,5 +1,6 @@
 /*
- * Minio Go Library for Amazon S3 Compatible Cloud Storage (C) 2015, 2016 Minio, Inc.
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage
+ * (C) 2015, 2016, 2017 Minio, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,18 +19,14 @@ package minio
 
 import (
 	"bytes"
-	"encoding/base64"
-	"encoding/hex"
 	"encoding/json"
 	"encoding/xml"
 	"fmt"
-	"io/ioutil"
 	"net/http"
 	"net/url"
-	"path"
 
 	"github.com/minio/minio-go/pkg/policy"
-	"github.com/minio/minio-go/pkg/s3signer"
+	"github.com/minio/minio-go/pkg/s3utils"
 )
 
 /// Bucket operations
@@ -50,95 +47,23 @@ func (c Client) MakeBucket(bucketName string, location string) (err error) {
 	}()
 
 	// Validate the input arguments.
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketNameStrict(bucketName); err != nil {
 		return err
 	}
 
 	// If location is empty, treat is a default region 'us-east-1'.
 	if location == "" {
 		location = "us-east-1"
-	}
-
-	// Try creating bucket with the provided region, in case of
-	// invalid region error let's guess the appropriate region
-	// from S3 API headers
-
-	// Create a done channel to control 'newRetryTimer' go routine.
-	doneCh := make(chan struct{}, 1)
-
-	// Indicate to our routine to exit cleanly upon return.
-	defer close(doneCh)
-
-	// Blank indentifier is kept here on purpose since 'range' without
-	// blank identifiers is only supported since go1.4
-	// https://golang.org/doc/go1.4#forrange.
-	for _ = range c.newRetryTimer(MaxRetry, DefaultRetryUnit, DefaultRetryCap, MaxJitter, doneCh) {
-		// Initialize the makeBucket request.
-		req, err := c.makeBucketRequest(bucketName, location)
-		if err != nil {
-			return err
-		}
-
-		// Execute make bucket request.
-		resp, err := c.do(req)
-		defer closeResponse(resp)
-		if err != nil {
-			return err
+		// For custom region clients, default
+		// to custom region instead not 'us-east-1'.
+		if c.region != "" {
+			location = c.region
 		}
-
-		if resp.StatusCode != http.StatusOK {
-			err := httpRespToErrorResponse(resp, bucketName, "")
-			errResp := ToErrorResponse(err)
-			if errResp.Code == "InvalidRegion" && errResp.Region != "" {
-				// Fetch bucket region found in headers
-				// of S3 error response, attempt bucket
-				// create again.
-				location = errResp.Region
-				continue
-			}
-			// Nothing to retry, fail.
-			return err
-		}
-
-		// Control reaches here when bucket create was successful,
-		// break out.
-		break
-	}
-
-	// Success.
-	return nil
-}
-
-// Low level wrapper API For makeBucketRequest.
-func (c Client) makeBucketRequest(bucketName string, location string) (*http.Request, error) {
-	// Validate input arguments.
-	if err := isValidBucketName(bucketName); err != nil {
-		return nil, err
 	}
-
-	// In case of Amazon S3.  The make bucket issued on
-	// already existing bucket would fail with
-	// 'AuthorizationMalformed' error if virtual style is
-	// used. So we default to 'path style' as that is the
-	// preferred method here. The final location of the
-	// 'bucket' is provided through XML LocationConstraint
-	// data with the request.
-	targetURL := c.endpointURL
-	targetURL.Path = path.Join(bucketName, "") + "/"
-
-	// get a new HTTP request for the method.
-	req, err := http.NewRequest("PUT", targetURL.String(), nil)
-	if err != nil {
-		return nil, err
-	}
-
-	// set UserAgent for the request.
-	c.setUserAgent(req)
-
-	// set sha256 sum for signature calculation only with
-	// signature version '4'.
-	if c.signature.isV4() {
-		req.Header.Set("X-Amz-Content-Sha256", hex.EncodeToString(sum256([]byte{})))
+	// PUT bucket request metadata.
+	reqMetadata := requestMetadata{
+		bucketName:     bucketName,
+		bucketLocation: location,
 	}
 
 	// If location is not 'us-east-1' create bucket location config.
@@ -148,30 +73,29 @@ func (c Client) makeBucketRequest(bucketName string, location string) (*http.Req
 		var createBucketConfigBytes []byte
 		createBucketConfigBytes, err = xml.Marshal(createBucketConfig)
 		if err != nil {
-			return nil, err
-		}
-		createBucketConfigBuffer := bytes.NewBuffer(createBucketConfigBytes)
-		req.Body = ioutil.NopCloser(createBucketConfigBuffer)
-		req.ContentLength = int64(len(createBucketConfigBytes))
-		// Set content-md5.
-		req.Header.Set("Content-Md5", base64.StdEncoding.EncodeToString(sumMD5(createBucketConfigBytes)))
-		if c.signature.isV4() {
-			// Set sha256.
-			req.Header.Set("X-Amz-Content-Sha256", hex.EncodeToString(sum256(createBucketConfigBytes)))
+			return err
 		}
+		reqMetadata.contentMD5Bytes = sumMD5(createBucketConfigBytes)
+		reqMetadata.contentSHA256Bytes = sum256(createBucketConfigBytes)
+		reqMetadata.contentBody = bytes.NewReader(createBucketConfigBytes)
+		reqMetadata.contentLength = int64(len(createBucketConfigBytes))
 	}
 
-	// Sign the request.
-	if c.signature.isV4() {
-		// Signature calculated for MakeBucket request should be for 'us-east-1',
-		// regardless of the bucket's location constraint.
-		req = s3signer.SignV4(*req, c.accessKeyID, c.secretAccessKey, "us-east-1")
-	} else if c.signature.isV2() {
-		req = s3signer.SignV2(*req, c.accessKeyID, c.secretAccessKey)
+	// Execute PUT to create a new bucket.
+	resp, err := c.executeMethod("PUT", reqMetadata)
+	defer closeResponse(resp)
+	if err != nil {
+		return err
+	}
+
+	if resp != nil {
+		if resp.StatusCode != http.StatusOK {
+			return httpRespToErrorResponse(resp, bucketName, "")
+		}
 	}
 
-	// Return signed request.
-	return req, nil
+	// Success.
+	return nil
 }
 
 // SetBucketPolicy set the access permissions on an existing bucket.
@@ -184,10 +108,10 @@ func (c Client) makeBucketRequest(bucketName string, location string) (*http.Req
 //  writeonly - anonymous put/delete access to a given object prefix.
 func (c Client) SetBucketPolicy(bucketName string, objectPrefix string, bucketPolicy policy.BucketPolicy) error {
 	// Input validation.
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 		return err
 	}
-	if err := isValidObjectPrefix(objectPrefix); err != nil {
+	if err := s3utils.CheckValidObjectNamePrefix(objectPrefix); err != nil {
 		return err
 	}
 
@@ -216,7 +140,7 @@ func (c Client) SetBucketPolicy(bucketName string, objectPrefix string, bucketPo
 // Saves a new bucket policy.
 func (c Client) putBucketPolicy(bucketName string, policyInfo policy.BucketAccessPolicy) error {
 	// Input validation.
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 		return err
 	}
 
@@ -262,7 +186,7 @@ func (c Client) putBucketPolicy(bucketName string, policyInfo policy.BucketAcces
 // Removes all policies on a bucket.
 func (c Client) removeBucketPolicy(bucketName string) error {
 	// Input validation.
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 		return err
 	}
 	// Get resources properly escaped and lined up before
@@ -286,7 +210,7 @@ func (c Client) removeBucketPolicy(bucketName string) error {
 // SetBucketNotification saves a new bucket notification.
 func (c Client) SetBucketNotification(bucketName string, bucketNotification BucketNotification) error {
 	// Input validation.
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 		return err
 	}
 
diff --git a/vendor/github.com/minio/minio-go/api-put-bucket_test.go b/vendor/github.com/minio/minio-go/api-put-bucket_test.go
deleted file mode 100644
index ec33c8492..000000000
--- a/vendor/github.com/minio/minio-go/api-put-bucket_test.go
+++ /dev/null
@@ -1,273 +0,0 @@
-/*
- * Minio Go Library for Amazon S3 Compatible Cloud Storage (C) 2015, 2016 Minio, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package minio
-
-import (
-	"bytes"
-	"encoding/base64"
-	"encoding/hex"
-	"encoding/xml"
-	"io"
-	"io/ioutil"
-	"net/http"
-	"path"
-	"testing"
-
-	"github.com/minio/minio-go/pkg/s3signer"
-)
-
-// Tests validate http request formulated for creation of bucket.
-func TestMakeBucketRequest(t *testing.T) {
-	// Generates expected http request for bucket creation.
-	// Used for asserting with the actual request generated.
-	createExpectedRequest := func(c *Client, bucketName string, location string, req *http.Request) (*http.Request, error) {
-		targetURL := c.endpointURL
-		targetURL.Path = path.Join(bucketName, "") + "/"
-
-		// get a new HTTP request for the method.
-		var err error
-		req, err = http.NewRequest("PUT", targetURL.String(), nil)
-		if err != nil {
-			return nil, err
-		}
-
-		// set UserAgent for the request.
-		c.setUserAgent(req)
-
-		// set sha256 sum for signature calculation only with signature version '4'.
-		if c.signature.isV4() {
-			req.Header.Set("X-Amz-Content-Sha256", hex.EncodeToString(sum256([]byte{})))
-		}
-
-		// If location is not 'us-east-1' create bucket location config.
-		if location != "us-east-1" && location != "" {
-			createBucketConfig := createBucketConfiguration{}
-			createBucketConfig.Location = location
-			var createBucketConfigBytes []byte
-			createBucketConfigBytes, err = xml.Marshal(createBucketConfig)
-			if err != nil {
-				return nil, err
-			}
-			createBucketConfigBuffer := bytes.NewBuffer(createBucketConfigBytes)
-			req.Body = ioutil.NopCloser(createBucketConfigBuffer)
-			req.ContentLength = int64(len(createBucketConfigBytes))
-			// Set content-md5.
-			req.Header.Set("Content-Md5", base64.StdEncoding.EncodeToString(sumMD5(createBucketConfigBytes)))
-			if c.signature.isV4() {
-				// Set sha256.
-				req.Header.Set("X-Amz-Content-Sha256", hex.EncodeToString(sum256(createBucketConfigBytes)))
-			}
-		}
-
-		// Sign the request.
-		if c.signature.isV4() {
-			// Signature calculated for MakeBucket request should be for 'us-east-1',
-			// regardless of the bucket's location constraint.
-			req = s3signer.SignV4(*req, c.accessKeyID, c.secretAccessKey, "us-east-1")
-		} else if c.signature.isV2() {
-			req = s3signer.SignV2(*req, c.accessKeyID, c.secretAccessKey)
-		}
-
-		// Return signed request.
-		return req, nil
-	}
-
-	// Get Request body.
-	getReqBody := func(reqBody io.ReadCloser) (string, error) {
-		contents, err := ioutil.ReadAll(reqBody)
-		if err != nil {
-			return "", err
-		}
-		return string(contents), nil
-	}
-
-	// Info for 'Client' creation.
-	// Will be used as arguments for 'NewClient'.
-	type infoForClient struct {
-		endPoint       string
-		accessKey      string
-		secretKey      string
-		enableInsecure bool
-	}
-	// dataset for 'NewClient' call.
-	info := []infoForClient{
-		// endpoint localhost.
-		// both access-key and secret-key are empty.
-		{"localhost:9000", "", "", false},
-		// both access-key are secret-key exists.
-		{"localhost:9000", "my-access-key", "my-secret-key", false},
-		// one of acess-key and secret-key are empty.
-		{"localhost:9000", "", "my-secret-key", false},
-
-		// endpoint amazon s3.
-		{"s3.amazonaws.com", "", "", false},
-		{"s3.amazonaws.com", "my-access-key", "my-secret-key", false},
-		{"s3.amazonaws.com", "my-acess-key", "", false},
-
-		// endpoint google cloud storage.
-		{"storage.googleapis.com", "", "", false},
-		{"storage.googleapis.com", "my-access-key", "my-secret-key", false},
-		{"storage.googleapis.com", "", "my-secret-key", false},
-
-		// endpoint custom domain running Minio server.
-		{"play.minio.io", "", "", false},
-		{"play.minio.io", "my-access-key", "my-secret-key", false},
-		{"play.minio.io", "my-acess-key", "", false},
-	}
-
-	testCases := []struct {
-		bucketName string
-		location   string
-		// data for new client creation.
-		info infoForClient
-		// error in the output.
-		err error
-		// flag indicating whether tests should pass.
-		shouldPass bool
-	}{
-		// Test cases with Invalid bucket name.
-		{".mybucket", "", infoForClient{}, ErrInvalidBucketName("Bucket name cannot start or end with a '.' dot."), false},
-		{"mybucket.", "", infoForClient{}, ErrInvalidBucketName("Bucket name cannot start or end with a '.' dot."), false},
-		{"mybucket-", "", infoForClient{}, ErrInvalidBucketName("Bucket name contains invalid characters."), false},
-		{"my", "", infoForClient{}, ErrInvalidBucketName("Bucket name cannot be smaller than 3 characters."), false},
-		{"", "", infoForClient{}, ErrInvalidBucketName("Bucket name cannot be empty."), false},
-		{"my..bucket", "", infoForClient{}, ErrInvalidBucketName("Bucket name cannot have successive periods."), false},
-
-		// Test case with all valid values for S3 bucket location.
-		// Client is constructed using the info struct.
-		// case with empty location.
-		{"my-bucket", "", info[0], nil, true},
-		// case with location set to standard 'us-east-1'.
-		{"my-bucket", "us-east-1", info[0], nil, true},
-		// case with location set to a value different from 'us-east-1'.
-		{"my-bucket", "eu-central-1", info[0], nil, true},
-
-		{"my-bucket", "", info[1], nil, true},
-		{"my-bucket", "us-east-1", info[1], nil, true},
-		{"my-bucket", "eu-central-1", info[1], nil, true},
-
-		{"my-bucket", "", info[2], nil, true},
-		{"my-bucket", "us-east-1", info[2], nil, true},
-		{"my-bucket", "eu-central-1", info[2], nil, true},
-
-		{"my-bucket", "", info[3], nil, true},
-		{"my-bucket", "us-east-1", info[3], nil, true},
-		{"my-bucket", "eu-central-1", info[3], nil, true},
-
-		{"my-bucket", "", info[4], nil, true},
-		{"my-bucket", "us-east-1", info[4], nil, true},
-		{"my-bucket", "eu-central-1", info[4], nil, true},
-
-		{"my-bucket", "", info[5], nil, true},
-		{"my-bucket", "us-east-1", info[5], nil, true},
-		{"my-bucket", "eu-central-1", info[5], nil, true},
-
-		{"my-bucket", "", info[6], nil, true},
-		{"my-bucket", "us-east-1", info[6], nil, true},
-		{"my-bucket", "eu-central-1", info[6], nil, true},
-
-		{"my-bucket", "", info[7], nil, true},
-		{"my-bucket", "us-east-1", info[7], nil, true},
-		{"my-bucket", "eu-central-1", info[7], nil, true},
-
-		{"my-bucket", "", info[8], nil, true},
-		{"my-bucket", "us-east-1", info[8], nil, true},
-		{"my-bucket", "eu-central-1", info[8], nil, true},
-
-		{"my-bucket", "", info[9], nil, true},
-		{"my-bucket", "us-east-1", info[9], nil, true},
-		{"my-bucket", "eu-central-1", info[9], nil, true},
-
-		{"my-bucket", "", info[10], nil, true},
-		{"my-bucket", "us-east-1", info[10], nil, true},
-		{"my-bucket", "eu-central-1", info[10], nil, true},
-
-		{"my-bucket", "", info[11], nil, true},
-		{"my-bucket", "us-east-1", info[11], nil, true},
-		{"my-bucket", "eu-central-1", info[11], nil, true},
-	}
-
-	for i, testCase := range testCases {
-		// cannot create a newclient with empty endPoint value.
-		// validates and creates a new client only if the endPoint value is not empty.
-		client := &Client{}
-		var err error
-		if testCase.info.endPoint != "" {
-
-			client, err = New(testCase.info.endPoint, testCase.info.accessKey, testCase.info.secretKey, testCase.info.enableInsecure)
-			if err != nil {
-				t.Fatalf("Test %d: Failed to create new Client: %s", i+1, err.Error())
-			}
-		}
-
-		actualReq, err := client.makeBucketRequest(testCase.bucketName, testCase.location)
-		if err != nil && testCase.shouldPass {
-			t.Errorf("Test %d: Expected to pass, but failed with: <ERROR> %s", i+1, err.Error())
-		}
-		if err == nil && !testCase.shouldPass {
-			t.Errorf("Test %d: Expected to fail with <ERROR> \"%s\", but passed instead", i+1, testCase.err.Error())
-		}
-		// Failed as expected, but does it fail for the expected reason.
-		if err != nil && !testCase.shouldPass {
-			if err.Error() != testCase.err.Error() {
-				t.Errorf("Test %d: Expected to fail with error \"%s\", but instead failed with error \"%s\" instead", i+1, testCase.err.Error(), err.Error())
-			}
-		}
-
-		// Test passes as expected, but the output values are verified for correctness here.
-		if err == nil && testCase.shouldPass {
-			expectedReq := &http.Request{}
-			expectedReq, err = createExpectedRequest(client, testCase.bucketName, testCase.location, expectedReq)
-			if err != nil {
-				t.Fatalf("Test %d: Expected request Creation failed", i+1)
-			}
-			if expectedReq.Method != actualReq.Method {
-				t.Errorf("Test %d: The expected Request method doesn't match with the actual one", i+1)
-			}
-			if expectedReq.URL.String() != actualReq.URL.String() {
-				t.Errorf("Test %d: Expected the request URL to be '%s', but instead found '%s'", i+1, expectedReq.URL.String(), actualReq.URL.String())
-			}
-			if expectedReq.ContentLength != actualReq.ContentLength {
-				t.Errorf("Test %d: Expected the request body Content-Length to be '%d', but found '%d' instead", i+1, expectedReq.ContentLength, actualReq.ContentLength)
-			}
-
-			if expectedReq.Header.Get("X-Amz-Content-Sha256") != actualReq.Header.Get("X-Amz-Content-Sha256") {
-				t.Errorf("Test %d: 'X-Amz-Content-Sha256' header of the expected request doesn't match with that of the actual request", i+1)
-			}
-			if expectedReq.Header.Get("User-Agent") != actualReq.Header.Get("User-Agent") {
-				t.Errorf("Test %d: Expected 'User-Agent' header to be \"%s\",but found \"%s\" instead", i+1, expectedReq.Header.Get("User-Agent"), actualReq.Header.Get("User-Agent"))
-			}
-
-			if testCase.location != "us-east-1" && testCase.location != "" {
-				expectedContent, err := getReqBody(expectedReq.Body)
-				if err != nil {
-					t.Fatalf("Test %d: Coudln't parse request body", i+1)
-				}
-				actualContent, err := getReqBody(actualReq.Body)
-				if err != nil {
-					t.Fatalf("Test %d: Coudln't parse request body", i+1)
-				}
-				if expectedContent != actualContent {
-					t.Errorf("Test %d: Expected request body doesn't match actual content body", i+1)
-				}
-				if expectedReq.Header.Get("Content-Md5") != actualReq.Header.Get("Content-Md5") {
-					t.Errorf("Test %d: Request body Md5 differs from the expected result", i+1)
-				}
-			}
-		}
-	}
-}
diff --git a/vendor/github.com/minio/minio-go/api-put-object-common.go b/vendor/github.com/minio/minio-go/api-put-object-common.go
index 68a459f4a..833f1fe8f 100644
--- a/vendor/github.com/minio/minio-go/api-put-object-common.go
+++ b/vendor/github.com/minio/minio-go/api-put-object-common.go
@@ -17,12 +17,12 @@
 package minio
 
 import (
-	"fmt"
 	"hash"
 	"io"
-	"io/ioutil"
 	"math"
 	"os"
+
+	"github.com/minio/minio-go/pkg/s3utils"
 )
 
 // Verify if reader is *os.File
@@ -43,23 +43,6 @@ func isReadAt(reader io.Reader) (ok bool) {
 	return
 }
 
-// shouldUploadPart - verify if part should be uploaded.
-func shouldUploadPart(objPart ObjectPart, uploadReq uploadPartReq) bool {
-	// If part not found should upload the part.
-	if uploadReq.Part == nil {
-		return true
-	}
-	// if size mismatches should upload the part.
-	if objPart.Size != uploadReq.Part.Size {
-		return true
-	}
-	// if md5sum mismatches should upload the part.
-	if objPart.ETag != uploadReq.Part.ETag {
-		return true
-	}
-	return false
-}
-
 // optimalPartInfo - calculate the optimal part info for a given
 // object size.
 //
@@ -93,55 +76,6 @@ func optimalPartInfo(objectSize int64) (totalPartsCount int, partSize int64, las
 	return totalPartsCount, partSize, lastPartSize, nil
 }
 
-// hashCopyBuffer is identical to hashCopyN except that it doesn't take
-// any size argument but takes a buffer argument and reader should be
-// of io.ReaderAt interface.
-//
-// Stages reads from offsets into the buffer, if buffer is nil it is
-// initialized to optimalBufferSize.
-func hashCopyBuffer(hashAlgorithms map[string]hash.Hash, hashSums map[string][]byte, writer io.Writer, reader io.ReaderAt, buf []byte) (size int64, err error) {
-	hashWriter := writer
-	for _, v := range hashAlgorithms {
-		hashWriter = io.MultiWriter(hashWriter, v)
-	}
-
-	// Buffer is nil, initialize.
-	if buf == nil {
-		buf = make([]byte, optimalReadBufferSize)
-	}
-
-	// Offset to start reading from.
-	var readAtOffset int64
-
-	// Following block reads data at an offset from the input
-	// reader and copies data to into local temporary file.
-	for {
-		readAtSize, rerr := reader.ReadAt(buf, readAtOffset)
-		if rerr != nil {
-			if rerr != io.EOF {
-				return 0, rerr
-			}
-		}
-		writeSize, werr := hashWriter.Write(buf[:readAtSize])
-		if werr != nil {
-			return 0, werr
-		}
-		if readAtSize != writeSize {
-			return 0, fmt.Errorf("Read size was not completely written to writer. wanted %d, got %d - %s", readAtSize, writeSize, reportIssue)
-		}
-		readAtOffset += int64(writeSize)
-		size += int64(writeSize)
-		if rerr == io.EOF {
-			break
-		}
-	}
-
-	for k, v := range hashAlgorithms {
-		hashSums[k] = v.Sum(nil)
-	}
-	return size, err
-}
-
 // hashCopyN - Calculates chosen hashes up to partSize amount of bytes.
 func hashCopyN(hashAlgorithms map[string]hash.Hash, hashSums map[string][]byte, writer io.Writer, reader io.Reader, partSize int64) (size int64, err error) {
 	hashWriter := writer
@@ -168,10 +102,10 @@ func hashCopyN(hashAlgorithms map[string]hash.Hash, hashSums map[string][]byte,
 // or initiate a new request to fetch a new upload id.
 func (c Client) newUploadID(bucketName, objectName string, metaData map[string][]string) (uploadID string, err error) {
 	// Input validation.
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 		return "", err
 	}
-	if err := isValidObjectName(objectName); err != nil {
+	if err := s3utils.CheckValidObjectName(objectName); err != nil {
 		return "", err
 	}
 
@@ -182,70 +116,3 @@ func (c Client) newUploadID(bucketName, objectName string, metaData map[string][
 	}
 	return initMultipartUploadResult.UploadID, nil
 }
-
-// getMpartUploadSession returns the upload id and the uploaded parts to continue a previous upload session
-// or initiate a new multipart session if no current one found
-func (c Client) getMpartUploadSession(bucketName, objectName string, metaData map[string][]string) (string, map[int]ObjectPart, error) {
-	// A map of all uploaded parts.
-	var partsInfo map[int]ObjectPart
-	var err error
-
-	uploadID, err := c.findUploadID(bucketName, objectName)
-	if err != nil {
-		return "", nil, err
-	}
-
-	if uploadID == "" {
-		// Initiates a new multipart request
-		uploadID, err = c.newUploadID(bucketName, objectName, metaData)
-		if err != nil {
-			return "", nil, err
-		}
-	} else {
-		// Fetch previously upload parts and maximum part size.
-		partsInfo, err = c.listObjectParts(bucketName, objectName, uploadID)
-		if err != nil {
-			// When the server returns NoSuchUpload even if its previouls acknowleged the existance of the upload id,
-			// initiate a new multipart upload
-			if respErr, ok := err.(ErrorResponse); ok && respErr.Code == "NoSuchUpload" {
-				uploadID, err = c.newUploadID(bucketName, objectName, metaData)
-				if err != nil {
-					return "", nil, err
-				}
-			} else {
-				return "", nil, err
-			}
-		}
-	}
-
-	// Allocate partsInfo if not done yet
-	if partsInfo == nil {
-		partsInfo = make(map[int]ObjectPart)
-	}
-
-	return uploadID, partsInfo, nil
-}
-
-// computeHash - Calculates hashes for an input read Seeker.
-func computeHash(hashAlgorithms map[string]hash.Hash, hashSums map[string][]byte, reader io.ReadSeeker) (size int64, err error) {
-	hashWriter := ioutil.Discard
-	for _, v := range hashAlgorithms {
-		hashWriter = io.MultiWriter(hashWriter, v)
-	}
-
-	// If no buffer is provided, no need to allocate just use io.Copy.
-	size, err = io.Copy(hashWriter, reader)
-	if err != nil {
-		return 0, err
-	}
-
-	// Seek back reader to the beginning location.
-	if _, err := reader.Seek(0, 0); err != nil {
-		return 0, err
-	}
-
-	for k, v := range hashAlgorithms {
-		hashSums[k] = v.Sum(nil)
-	}
-	return size, nil
-}
diff --git a/vendor/github.com/minio/minio-go/api-put-object-copy.go b/vendor/github.com/minio/minio-go/api-put-object-copy.go
index 56978d427..32fa873d8 100644
--- a/vendor/github.com/minio/minio-go/api-put-object-copy.go
+++ b/vendor/github.com/minio/minio-go/api-put-object-copy.go
@@ -16,57 +16,7 @@
 
 package minio
 
-import (
-	"net/http"
-
-	"github.com/minio/minio-go/pkg/s3utils"
-)
-
-// CopyObject - copy a source object into a new object with the provided name in the provided bucket
-func (c Client) CopyObject(bucketName string, objectName string, objectSource string, cpCond CopyConditions) error {
-	// Input validation.
-	if err := isValidBucketName(bucketName); err != nil {
-		return err
-	}
-	if err := isValidObjectName(objectName); err != nil {
-		return err
-	}
-	if objectSource == "" {
-		return ErrInvalidArgument("Object source cannot be empty.")
-	}
-
-	// customHeaders apply headers.
-	customHeaders := make(http.Header)
-	for _, cond := range cpCond.conditions {
-		customHeaders.Set(cond.key, cond.value)
-	}
-
-	// Set copy source.
-	customHeaders.Set("x-amz-copy-source", s3utils.EncodePath(objectSource))
-
-	// Execute PUT on objectName.
-	resp, err := c.executeMethod("PUT", requestMetadata{
-		bucketName:   bucketName,
-		objectName:   objectName,
-		customHeader: customHeaders,
-	})
-	defer closeResponse(resp)
-	if err != nil {
-		return err
-	}
-	if resp != nil {
-		if resp.StatusCode != http.StatusOK {
-			return httpRespToErrorResponse(resp, bucketName, objectName)
-		}
-	}
-
-	// Decode copy response on success.
-	cpObjRes := copyObjectResult{}
-	err = xmlDecoder(resp.Body, &cpObjRes)
-	if err != nil {
-		return err
-	}
-
-	// Return nil on success.
-	return nil
+// CopyObject - copy a source object into a new object
+func (c Client) CopyObject(dst DestinationInfo, src SourceInfo) error {
+	return c.ComposeObject(dst, []SourceInfo{src})
 }
diff --git a/vendor/github.com/minio/minio-go/api-put-object-encrypted.go b/vendor/github.com/minio/minio-go/api-put-object-encrypted.go
new file mode 100644
index 000000000..141b3e91c
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/api-put-object-encrypted.go
@@ -0,0 +1,46 @@
+/*
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage (C) 2015 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package minio
+
+import (
+	"io"
+
+	"github.com/minio/minio-go/pkg/encrypt"
+)
+
+// PutEncryptedObject - Encrypt and store object.
+func (c Client) PutEncryptedObject(bucketName, objectName string, reader io.Reader, encryptMaterials encrypt.Materials, metadata map[string][]string, progress io.Reader) (n int64, err error) {
+
+	if encryptMaterials == nil {
+		return 0, ErrInvalidArgument("Unable to recognize empty encryption properties")
+	}
+
+	if err := encryptMaterials.SetupEncryptMode(reader); err != nil {
+		return 0, err
+	}
+
+	if metadata == nil {
+		metadata = make(map[string][]string)
+	}
+
+	// Set the necessary encryption headers, for future decryption.
+	metadata[amzHeaderIV] = []string{encryptMaterials.GetIV()}
+	metadata[amzHeaderKey] = []string{encryptMaterials.GetKey()}
+	metadata[amzHeaderMatDesc] = []string{encryptMaterials.GetDesc()}
+
+	return c.putObjectMultipart(bucketName, objectName, encryptMaterials, -1, metadata, progress)
+}
diff --git a/vendor/github.com/minio/minio-go/api-put-object-file.go b/vendor/github.com/minio/minio-go/api-put-object-file.go
index 09fec769d..81cdf5c2c 100644
--- a/vendor/github.com/minio/minio-go/api-put-object-file.go
+++ b/vendor/github.com/minio/minio-go/api-put-object-file.go
@@ -17,17 +17,9 @@
 package minio
 
 import (
-	"crypto/md5"
-	"crypto/sha256"
-	"encoding/hex"
-	"fmt"
-	"hash"
-	"io"
-	"io/ioutil"
 	"mime"
 	"os"
 	"path/filepath"
-	"sort"
 
 	"github.com/minio/minio-go/pkg/s3utils"
 )
@@ -35,10 +27,10 @@ import (
 // FPutObject - Create an object in a bucket, with contents from file at filePath.
 func (c Client) FPutObject(bucketName, objectName, filePath, contentType string) (n int64, err error) {
 	// Input validation.
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 		return 0, err
 	}
-	if err := isValidObjectName(objectName); err != nil {
+	if err := s3utils.CheckValidObjectName(objectName); err != nil {
 		return 0, err
 	}
 
@@ -59,11 +51,6 @@ func (c Client) FPutObject(bucketName, objectName, filePath, contentType string)
 	// Save the file size.
 	fileSize := fileStat.Size()
 
-	// Check for largest object size allowed.
-	if fileSize > int64(maxMultipartPutObjectSize) {
-		return 0, ErrEntityTooLarge(fileSize, maxMultipartPutObjectSize, bucketName, objectName)
-	}
-
 	objMetadata := make(map[string][]string)
 
 	// Set contentType based on filepath extension if not given or default
@@ -75,220 +62,5 @@ func (c Client) FPutObject(bucketName, objectName, filePath, contentType string)
 	}
 
 	objMetadata["Content-Type"] = []string{contentType}
-
-	// NOTE: Google Cloud Storage multipart Put is not compatible with Amazon S3 APIs.
-	// Current implementation will only upload a maximum of 5GiB to Google Cloud Storage servers.
-	if s3utils.IsGoogleEndpoint(c.endpointURL) {
-		if fileSize > int64(maxSinglePutObjectSize) {
-			return 0, ErrorResponse{
-				Code:       "NotImplemented",
-				Message:    fmt.Sprintf("Invalid Content-Length %d for file uploads to Google Cloud Storage.", fileSize),
-				Key:        objectName,
-				BucketName: bucketName,
-			}
-		}
-		// Do not compute MD5 for Google Cloud Storage. Uploads up to 5GiB in size.
-		return c.putObjectNoChecksum(bucketName, objectName, fileReader, fileSize, objMetadata, nil)
-	}
-
-	// Small object upload is initiated for uploads for input data size smaller than 5MiB.
-	if fileSize < minPartSize && fileSize >= 0 {
-		return c.putObjectSingle(bucketName, objectName, fileReader, fileSize, objMetadata, nil)
-	}
-
-	// Upload all large objects as multipart.
-	n, err = c.putObjectMultipartFromFile(bucketName, objectName, fileReader, fileSize, objMetadata, nil)
-	if err != nil {
-		errResp := ToErrorResponse(err)
-		// Verify if multipart functionality is not available, if not
-		// fall back to single PutObject operation.
-		if errResp.Code == "NotImplemented" {
-			// If size of file is greater than '5GiB' fail.
-			if fileSize > maxSinglePutObjectSize {
-				return 0, ErrEntityTooLarge(fileSize, maxSinglePutObjectSize, bucketName, objectName)
-			}
-			// Fall back to uploading as single PutObject operation.
-			return c.putObjectSingle(bucketName, objectName, fileReader, fileSize, objMetadata, nil)
-		}
-		return n, err
-	}
-	return n, nil
-}
-
-// putObjectMultipartFromFile - Creates object from contents of *os.File
-//
-// NOTE: This function is meant to be used for readers with local
-// file as in *os.File. This function resumes by skipping all the
-// necessary parts which were already uploaded by verifying them
-// against MD5SUM of each individual parts. This function also
-// effectively utilizes file system capabilities of reading from
-// specific sections and not having to create temporary files.
-func (c Client) putObjectMultipartFromFile(bucketName, objectName string, fileReader io.ReaderAt, fileSize int64, metaData map[string][]string, progress io.Reader) (int64, error) {
-	// Input validation.
-	if err := isValidBucketName(bucketName); err != nil {
-		return 0, err
-	}
-	if err := isValidObjectName(objectName); err != nil {
-		return 0, err
-	}
-
-	// Get the upload id of a previously partially uploaded object or initiate a new multipart upload
-	uploadID, partsInfo, err := c.getMpartUploadSession(bucketName, objectName, metaData)
-	if err != nil {
-		return 0, err
-	}
-
-	// Total data read and written to server. should be equal to 'size' at the end of the call.
-	var totalUploadedSize int64
-
-	// Complete multipart upload.
-	var complMultipartUpload completeMultipartUpload
-
-	// Calculate the optimal parts info for a given size.
-	totalPartsCount, partSize, lastPartSize, err := optimalPartInfo(fileSize)
-	if err != nil {
-		return 0, err
-	}
-
-	// Create a channel to communicate a part was uploaded.
-	// Buffer this to 10000, the maximum number of parts allowed by S3.
-	uploadedPartsCh := make(chan uploadedPartRes, 10000)
-
-	// Create a channel to communicate which part to upload.
-	// Buffer this to 10000, the maximum number of parts allowed by S3.
-	uploadPartsCh := make(chan uploadPartReq, 10000)
-
-	// Just for readability.
-	lastPartNumber := totalPartsCount
-
-	// Send each part through the partUploadCh to be uploaded.
-	for p := 1; p <= totalPartsCount; p++ {
-		part, ok := partsInfo[p]
-		if ok {
-			uploadPartsCh <- uploadPartReq{PartNum: p, Part: &part}
-		} else {
-			uploadPartsCh <- uploadPartReq{PartNum: p, Part: nil}
-		}
-	}
-	close(uploadPartsCh)
-
-	// Use three 'workers' to upload parts in parallel.
-	for w := 1; w <= totalWorkers; w++ {
-		go func() {
-			// Deal with each part as it comes through the channel.
-			for uploadReq := range uploadPartsCh {
-				// Add hash algorithms that need to be calculated by computeHash()
-				// In case of a non-v4 signature or https connection, sha256 is not needed.
-				hashAlgos := make(map[string]hash.Hash)
-				hashSums := make(map[string][]byte)
-				hashAlgos["md5"] = md5.New()
-				if c.signature.isV4() && !c.secure {
-					hashAlgos["sha256"] = sha256.New()
-				}
-
-				// If partNumber was not uploaded we calculate the missing
-				// part offset and size. For all other part numbers we
-				// calculate offset based on multiples of partSize.
-				readOffset := int64(uploadReq.PartNum-1) * partSize
-				missingPartSize := partSize
-
-				// As a special case if partNumber is lastPartNumber, we
-				// calculate the offset based on the last part size.
-				if uploadReq.PartNum == lastPartNumber {
-					readOffset = (fileSize - lastPartSize)
-					missingPartSize = lastPartSize
-				}
-
-				// Get a section reader on a particular offset.
-				sectionReader := io.NewSectionReader(fileReader, readOffset, missingPartSize)
-				var prtSize int64
-				var err error
-
-				prtSize, err = computeHash(hashAlgos, hashSums, sectionReader)
-				if err != nil {
-					uploadedPartsCh <- uploadedPartRes{
-						Error: err,
-					}
-					// Exit the goroutine.
-					return
-				}
-
-				// Create the part to be uploaded.
-				verifyObjPart := ObjectPart{
-					ETag:       hex.EncodeToString(hashSums["md5"]),
-					PartNumber: uploadReq.PartNum,
-					Size:       partSize,
-				}
-
-				// If this is the last part do not give it the full part size.
-				if uploadReq.PartNum == lastPartNumber {
-					verifyObjPart.Size = lastPartSize
-				}
-
-				// Verify if part should be uploaded.
-				if shouldUploadPart(verifyObjPart, uploadReq) {
-					// Proceed to upload the part.
-					var objPart ObjectPart
-					objPart, err = c.uploadPart(bucketName, objectName, uploadID, sectionReader, uploadReq.PartNum, hashSums["md5"], hashSums["sha256"], prtSize)
-					if err != nil {
-						uploadedPartsCh <- uploadedPartRes{
-							Error: err,
-						}
-						// Exit the goroutine.
-						return
-					}
-					// Save successfully uploaded part metadata.
-					uploadReq.Part = &objPart
-				}
-				// Return through the channel the part size.
-				uploadedPartsCh <- uploadedPartRes{
-					Size:    verifyObjPart.Size,
-					PartNum: uploadReq.PartNum,
-					Part:    uploadReq.Part,
-					Error:   nil,
-				}
-			}
-		}()
-	}
-
-	// Retrieve each uploaded part once it is done.
-	for u := 1; u <= totalPartsCount; u++ {
-		uploadRes := <-uploadedPartsCh
-		if uploadRes.Error != nil {
-			return totalUploadedSize, uploadRes.Error
-		}
-		// Retrieve each uploaded part and store it to be completed.
-		part := uploadRes.Part
-		if part == nil {
-			return totalUploadedSize, ErrInvalidArgument(fmt.Sprintf("Missing part number %d", uploadRes.PartNum))
-		}
-		// Update the total uploaded size.
-		totalUploadedSize += uploadRes.Size
-		// Update the progress bar if there is one.
-		if progress != nil {
-			if _, err = io.CopyN(ioutil.Discard, progress, uploadRes.Size); err != nil {
-				return totalUploadedSize, err
-			}
-		}
-		// Store the part to be completed.
-		complMultipartUpload.Parts = append(complMultipartUpload.Parts, CompletePart{
-			ETag:       part.ETag,
-			PartNumber: part.PartNumber,
-		})
-	}
-
-	// Verify if we uploaded all data.
-	if totalUploadedSize != fileSize {
-		return totalUploadedSize, ErrUnexpectedEOF(totalUploadedSize, fileSize, bucketName, objectName)
-	}
-
-	// Sort all completed parts.
-	sort.Sort(completedParts(complMultipartUpload.Parts))
-	_, err = c.completeMultipartUpload(bucketName, objectName, uploadID, complMultipartUpload)
-	if err != nil {
-		return totalUploadedSize, err
-	}
-
-	// Return final size.
-	return totalUploadedSize, nil
+	return c.putObjectCommon(bucketName, objectName, fileReader, fileSize, objMetadata, nil)
 }
diff --git a/vendor/github.com/minio/minio-go/api-put-object-multipart.go b/vendor/github.com/minio/minio-go/api-put-object-multipart.go
index 3a299f65b..1938378f8 100644
--- a/vendor/github.com/minio/minio-go/api-put-object-multipart.go
+++ b/vendor/github.com/minio/minio-go/api-put-object-multipart.go
@@ -18,204 +18,87 @@ package minio
 
 import (
 	"bytes"
-	"crypto/md5"
-	"crypto/sha256"
-	"encoding/hex"
 	"encoding/xml"
 	"fmt"
-	"hash"
 	"io"
 	"io/ioutil"
 	"net/http"
 	"net/url"
-	"os"
 	"sort"
 	"strconv"
 	"strings"
-)
-
-// Comprehensive put object operation involving multipart resumable uploads.
-//
-// Following code handles these types of readers.
-//
-//  - *os.File
-//  - *minio.Object
-//  - Any reader which has a method 'ReadAt()'
-//
-// If we exhaust all the known types, code proceeds to use stream as
-// is where each part is re-downloaded, checksummed and verified
-// before upload.
-func (c Client) putObjectMultipart(bucketName, objectName string, reader io.Reader, size int64, metaData map[string][]string, progress io.Reader) (n int64, err error) {
-	if size > 0 && size > minPartSize {
-		// Verify if reader is *os.File, then use file system functionalities.
-		if isFile(reader) {
-			return c.putObjectMultipartFromFile(bucketName, objectName, reader.(*os.File), size, metaData, progress)
-		}
-		// Verify if reader is *minio.Object or io.ReaderAt.
-		// NOTE: Verification of object is kept for a specific purpose
-		// while it is going to be duck typed similar to io.ReaderAt.
-		// It is to indicate that *minio.Object implements io.ReaderAt.
-		// and such a functionality is used in the subsequent code
-		// path.
-		if isObject(reader) || isReadAt(reader) {
-			return c.putObjectMultipartFromReadAt(bucketName, objectName, reader.(io.ReaderAt), size, metaData, progress)
-		}
-	}
-	// For any other data size and reader type we do generic multipart
-	// approach by staging data in temporary files and uploading them.
-	return c.putObjectMultipartStream(bucketName, objectName, reader, size, metaData, progress)
-}
-
-// putObjectMultipartStreamNoChecksum - upload a large object using
-// multipart upload and streaming signature for signing payload.
-// N B We don't resume an incomplete multipart upload, we overwrite
-// existing parts of an incomplete upload.
-func (c Client) putObjectMultipartStreamNoChecksum(bucketName, objectName string,
-	reader io.Reader, size int64, metadata map[string][]string, progress io.Reader) (int64, error) {
 
-	// Input validation.
-	if err := isValidBucketName(bucketName); err != nil {
-		return 0, err
-	}
-	if err := isValidObjectName(objectName); err != nil {
-		return 0, err
-	}
-
-	// Get the upload id of a previously partially uploaded object or initiate a new multipart upload
-	uploadID, err := c.findUploadID(bucketName, objectName)
-	if err != nil {
-		return 0, err
-	}
-	if uploadID == "" {
-		// Initiates a new multipart request
-		uploadID, err = c.newUploadID(bucketName, objectName, metadata)
-		if err != nil {
-			return 0, err
-		}
-	}
+	"github.com/minio/minio-go/pkg/s3utils"
+)
 
-	// Calculate the optimal parts info for a given size.
-	totalPartsCount, partSize, lastPartSize, err := optimalPartInfo(size)
+func (c Client) putObjectMultipart(bucketName, objectName string, reader io.Reader, size int64,
+	metadata map[string][]string, progress io.Reader) (n int64, err error) {
+	n, err = c.putObjectMultipartNoStream(bucketName, objectName, reader, size, metadata, progress)
 	if err != nil {
-		return 0, err
-	}
-
-	// Total data read and written to server. should be equal to 'size' at the end of the call.
-	var totalUploadedSize int64
-
-	// Initialize parts uploaded map.
-	partsInfo := make(map[int]ObjectPart)
-
-	// Part number always starts with '1'.
-	var partNumber int
-	for partNumber = 1; partNumber <= totalPartsCount; partNumber++ {
-		// Update progress reader appropriately to the latest offset
-		// as we read from the source.
-		hookReader := newHook(reader, progress)
-
-		// Proceed to upload the part.
-		if partNumber == totalPartsCount {
-			partSize = lastPartSize
-		}
-
-		var objPart ObjectPart
-		objPart, err = c.uploadPart(bucketName, objectName, uploadID,
-			io.LimitReader(hookReader, partSize), partNumber, nil, nil, partSize)
-		// For unknown size, Read EOF we break away.
-		// We do not have to upload till totalPartsCount.
-		if err == io.EOF && size < 0 {
-			break
-		}
-
-		if err != nil {
-			return totalUploadedSize, err
-		}
-
-		// Save successfully uploaded part metadata.
-		partsInfo[partNumber] = objPart
-
-		// Save successfully uploaded size.
-		totalUploadedSize += partSize
-	}
-
-	// Verify if we uploaded all the data.
-	if size > 0 {
-		if totalUploadedSize != size {
-			return totalUploadedSize, ErrUnexpectedEOF(totalUploadedSize, size, bucketName, objectName)
-		}
-	}
-
-	// Complete multipart upload.
-	var complMultipartUpload completeMultipartUpload
-
-	// Loop over total uploaded parts to save them in
-	// Parts array before completing the multipart request.
-	for i := 1; i < partNumber; i++ {
-		part, ok := partsInfo[i]
-		if !ok {
-			return 0, ErrInvalidArgument(fmt.Sprintf("Missing part number %d", i))
+		errResp := ToErrorResponse(err)
+		// Verify if multipart functionality is not available, if not
+		// fall back to single PutObject operation.
+		if errResp.Code == "AccessDenied" && strings.Contains(errResp.Message, "Access Denied") {
+			// Verify if size of reader is greater than '5GiB'.
+			if size > maxSinglePutObjectSize {
+				return 0, ErrEntityTooLarge(size, maxSinglePutObjectSize, bucketName, objectName)
+			}
+			// Fall back to uploading as single PutObject operation.
+			return c.putObjectNoChecksum(bucketName, objectName, reader, size, metadata, progress)
 		}
-		complMultipartUpload.Parts = append(complMultipartUpload.Parts, CompletePart{
-			ETag:       part.ETag,
-			PartNumber: part.PartNumber,
-		})
-	}
-
-	// Sort all completed parts.
-	sort.Sort(completedParts(complMultipartUpload.Parts))
-	_, err = c.completeMultipartUpload(bucketName, objectName, uploadID, complMultipartUpload)
-	if err != nil {
-		return totalUploadedSize, err
 	}
-
-	// Return final size.
-	return totalUploadedSize, nil
+	return n, err
 }
 
-// putObjectStream uploads files bigger than 64MiB, and also supports
-// special case where size is unknown i.e '-1'.
-func (c Client) putObjectMultipartStream(bucketName, objectName string, reader io.Reader, size int64, metaData map[string][]string, progress io.Reader) (n int64, err error) {
+func (c Client) putObjectMultipartNoStream(bucketName, objectName string, reader io.Reader, size int64,
+	metadata map[string][]string, progress io.Reader) (n int64, err error) {
 	// Input validation.
-	if err := isValidBucketName(bucketName); err != nil {
+	if err = s3utils.CheckValidBucketName(bucketName); err != nil {
 		return 0, err
 	}
-	if err := isValidObjectName(objectName); err != nil {
+	if err = s3utils.CheckValidObjectName(objectName); err != nil {
 		return 0, err
 	}
 
-	// Total data read and written to server. should be equal to 'size' at the end of the call.
+	// Total data read and written to server. should be equal to
+	// 'size' at the end of the call.
 	var totalUploadedSize int64
 
 	// Complete multipart upload.
 	var complMultipartUpload completeMultipartUpload
 
-	// Get the upload id of a previously partially uploaded object or initiate a new multipart upload
-	uploadID, partsInfo, err := c.getMpartUploadSession(bucketName, objectName, metaData)
+	// Calculate the optimal parts info for a given size.
+	totalPartsCount, partSize, _, err := optimalPartInfo(size)
 	if err != nil {
 		return 0, err
 	}
 
-	// Calculate the optimal parts info for a given size.
-	totalPartsCount, partSize, _, err := optimalPartInfo(size)
+	// Initiate a new multipart upload.
+	uploadID, err := c.newUploadID(bucketName, objectName, metadata)
 	if err != nil {
 		return 0, err
 	}
 
+	defer func() {
+		if err != nil {
+			c.abortMultipartUpload(bucketName, objectName, uploadID)
+		}
+	}()
+
 	// Part number always starts with '1'.
 	partNumber := 1
 
 	// Initialize a temporary buffer.
 	tmpBuffer := new(bytes.Buffer)
 
+	// Initialize parts uploaded map.
+	partsInfo := make(map[int]ObjectPart)
+
 	for partNumber <= totalPartsCount {
-		// Choose hash algorithms to be calculated by hashCopyN, avoid sha256
-		// with non-v4 signature request or HTTPS connection
-		hashSums := make(map[string][]byte)
-		hashAlgos := make(map[string]hash.Hash)
-		hashAlgos["md5"] = md5.New()
-		if c.signature.isV4() && !c.secure {
-			hashAlgos["sha256"] = sha256.New()
-		}
+		// Choose hash algorithms to be calculated by hashCopyN,
+		// avoid sha256 with non-v4 signature request or
+		// HTTPS connection.
+		hashAlgos, hashSums := c.hashMaterials()
 
 		// Calculates hash sums while copying partSize bytes into tmpBuffer.
 		prtSize, rErr := hashCopyN(hashAlgos, hashSums, tmpBuffer, reader, partSize)
@@ -228,33 +111,19 @@ func (c Client) putObjectMultipartStream(bucketName, objectName string, reader i
 		// as we read from the source.
 		reader = newHook(tmpBuffer, progress)
 
-		part, ok := partsInfo[partNumber]
-
-		// Verify if part should be uploaded.
-		if !ok || shouldUploadPart(ObjectPart{
-			ETag:       hex.EncodeToString(hashSums["md5"]),
-			PartNumber: partNumber,
-			Size:       prtSize,
-		}, uploadPartReq{PartNum: partNumber, Part: &part}) {
-			// Proceed to upload the part.
-			var objPart ObjectPart
-			objPart, err = c.uploadPart(bucketName, objectName, uploadID, reader, partNumber, hashSums["md5"], hashSums["sha256"], prtSize)
-			if err != nil {
-				// Reset the temporary buffer upon any error.
-				tmpBuffer.Reset()
-				return totalUploadedSize, err
-			}
-			// Save successfully uploaded part metadata.
-			partsInfo[partNumber] = objPart
-		} else {
-			// Update the progress reader for the skipped part.
-			if progress != nil {
-				if _, err = io.CopyN(ioutil.Discard, progress, prtSize); err != nil {
-					return totalUploadedSize, err
-				}
-			}
+		// Proceed to upload the part.
+		var objPart ObjectPart
+		objPart, err = c.uploadPart(bucketName, objectName, uploadID, reader, partNumber,
+			hashSums["md5"], hashSums["sha256"], prtSize, metadata)
+		if err != nil {
+			// Reset the temporary buffer upon any error.
+			tmpBuffer.Reset()
+			return totalUploadedSize, err
 		}
 
+		// Save successfully uploaded part metadata.
+		partsInfo[partNumber] = objPart
+
 		// Reset the temporary buffer.
 		tmpBuffer.Reset()
 
@@ -293,8 +162,7 @@ func (c Client) putObjectMultipartStream(bucketName, objectName string, reader i
 
 	// Sort all completed parts.
 	sort.Sort(completedParts(complMultipartUpload.Parts))
-	_, err = c.completeMultipartUpload(bucketName, objectName, uploadID, complMultipartUpload)
-	if err != nil {
+	if _, err = c.completeMultipartUpload(bucketName, objectName, uploadID, complMultipartUpload); err != nil {
 		return totalUploadedSize, err
 	}
 
@@ -303,12 +171,12 @@ func (c Client) putObjectMultipartStream(bucketName, objectName string, reader i
 }
 
 // initiateMultipartUpload - Initiates a multipart upload and returns an upload ID.
-func (c Client) initiateMultipartUpload(bucketName, objectName string, metaData map[string][]string) (initiateMultipartUploadResult, error) {
+func (c Client) initiateMultipartUpload(bucketName, objectName string, metadata map[string][]string) (initiateMultipartUploadResult, error) {
 	// Input validation.
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 		return initiateMultipartUploadResult{}, err
 	}
-	if err := isValidObjectName(objectName); err != nil {
+	if err := s3utils.CheckValidObjectName(objectName); err != nil {
 		return initiateMultipartUploadResult{}, err
 	}
 
@@ -318,14 +186,14 @@ func (c Client) initiateMultipartUpload(bucketName, objectName string, metaData
 
 	// Set ContentType header.
 	customHeader := make(http.Header)
-	for k, v := range metaData {
+	for k, v := range metadata {
 		if len(v) > 0 {
 			customHeader.Set(k, v[0])
 		}
 	}
 
 	// Set a default content-type header if the latter is not provided
-	if v, ok := metaData["Content-Type"]; !ok || len(v) == 0 {
+	if v, ok := metadata["Content-Type"]; !ok || len(v) == 0 {
 		customHeader.Set("Content-Type", "application/octet-stream")
 	}
 
@@ -356,13 +224,16 @@ func (c Client) initiateMultipartUpload(bucketName, objectName string, metaData
 	return initiateMultipartUploadResult, nil
 }
 
+const serverEncryptionKeyPrefix = "x-amz-server-side-encryption"
+
 // uploadPart - Uploads a part in a multipart upload.
-func (c Client) uploadPart(bucketName, objectName, uploadID string, reader io.Reader, partNumber int, md5Sum, sha256Sum []byte, size int64) (ObjectPart, error) {
+func (c Client) uploadPart(bucketName, objectName, uploadID string, reader io.Reader,
+	partNumber int, md5Sum, sha256Sum []byte, size int64, metadata map[string][]string) (ObjectPart, error) {
 	// Input validation.
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 		return ObjectPart{}, err
 	}
-	if err := isValidObjectName(objectName); err != nil {
+	if err := s3utils.CheckValidObjectName(objectName); err != nil {
 		return ObjectPart{}, err
 	}
 	if size > maxPartSize {
@@ -385,10 +256,21 @@ func (c Client) uploadPart(bucketName, objectName, uploadID string, reader io.Re
 	// Set upload id.
 	urlValues.Set("uploadId", uploadID)
 
+	// Set encryption headers, if any.
+	customHeader := make(http.Header)
+	for k, v := range metadata {
+		if len(v) > 0 {
+			if strings.HasPrefix(strings.ToLower(k), serverEncryptionKeyPrefix) {
+				customHeader.Set(k, v[0])
+			}
+		}
+	}
+
 	reqMetadata := requestMetadata{
 		bucketName:         bucketName,
 		objectName:         objectName,
 		queryValues:        urlValues,
+		customHeader:       customHeader,
 		contentBody:        reader,
 		contentLength:      size,
 		contentMD5Bytes:    md5Sum,
@@ -417,12 +299,13 @@ func (c Client) uploadPart(bucketName, objectName, uploadID string, reader io.Re
 }
 
 // completeMultipartUpload - Completes a multipart upload by assembling previously uploaded parts.
-func (c Client) completeMultipartUpload(bucketName, objectName, uploadID string, complete completeMultipartUpload) (completeMultipartUploadResult, error) {
+func (c Client) completeMultipartUpload(bucketName, objectName, uploadID string,
+	complete completeMultipartUpload) (completeMultipartUploadResult, error) {
 	// Input validation.
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 		return completeMultipartUploadResult{}, err
 	}
-	if err := isValidObjectName(objectName); err != nil {
+	if err := s3utils.CheckValidObjectName(objectName); err != nil {
 		return completeMultipartUploadResult{}, err
 	}
 
diff --git a/vendor/github.com/minio/minio-go/api-put-object-progress.go b/vendor/github.com/minio/minio-go/api-put-object-progress.go
deleted file mode 100644
index f3844127e..000000000
--- a/vendor/github.com/minio/minio-go/api-put-object-progress.go
+++ /dev/null
@@ -1,201 +0,0 @@
-/*
- * Minio Go Library for Amazon S3 Compatible Cloud Storage (C) 2015 Minio, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package minio
-
-import (
-	"io"
-	"strings"
-
-	"github.com/minio/minio-go/pkg/encrypt"
-	"github.com/minio/minio-go/pkg/s3utils"
-)
-
-// PutObjectWithProgress - with progress.
-func (c Client) PutObjectWithProgress(bucketName, objectName string, reader io.Reader, contentType string, progress io.Reader) (n int64, err error) {
-	metaData := make(map[string][]string)
-	metaData["Content-Type"] = []string{contentType}
-	return c.PutObjectWithMetadata(bucketName, objectName, reader, metaData, progress)
-}
-
-// PutEncryptedObject - Encrypt and store object.
-func (c Client) PutEncryptedObject(bucketName, objectName string, reader io.Reader, encryptMaterials encrypt.Materials, metaData map[string][]string, progress io.Reader) (n int64, err error) {
-
-	if encryptMaterials == nil {
-		return 0, ErrInvalidArgument("Unable to recognize empty encryption properties")
-	}
-
-	if err := encryptMaterials.SetupEncryptMode(reader); err != nil {
-		return 0, err
-	}
-
-	if metaData == nil {
-		metaData = make(map[string][]string)
-	}
-
-	// Set the necessary encryption headers, for future decryption.
-	metaData[amzHeaderIV] = []string{encryptMaterials.GetIV()}
-	metaData[amzHeaderKey] = []string{encryptMaterials.GetKey()}
-	metaData[amzHeaderMatDesc] = []string{encryptMaterials.GetDesc()}
-
-	return c.PutObjectWithMetadata(bucketName, objectName, encryptMaterials, metaData, progress)
-}
-
-// PutObjectWithMetadata - with metadata.
-func (c Client) PutObjectWithMetadata(bucketName, objectName string, reader io.Reader, metaData map[string][]string, progress io.Reader) (n int64, err error) {
-	// Input validation.
-	if err := isValidBucketName(bucketName); err != nil {
-		return 0, err
-	}
-	if err := isValidObjectName(objectName); err != nil {
-		return 0, err
-	}
-	if reader == nil {
-		return 0, ErrInvalidArgument("Input reader is invalid, cannot be nil.")
-	}
-
-	// Size of the object.
-	var size int64
-
-	// Get reader size.
-	size, err = getReaderSize(reader)
-	if err != nil {
-		return 0, err
-	}
-
-	// Check for largest object size allowed.
-	if size > int64(maxMultipartPutObjectSize) {
-		return 0, ErrEntityTooLarge(size, maxMultipartPutObjectSize, bucketName, objectName)
-	}
-
-	// NOTE: Google Cloud Storage does not implement Amazon S3 Compatible multipart PUT.
-	// So we fall back to single PUT operation with the maximum limit of 5GiB.
-	if s3utils.IsGoogleEndpoint(c.endpointURL) {
-		if size <= -1 {
-			return 0, ErrorResponse{
-				Code:       "NotImplemented",
-				Message:    "Content-Length cannot be negative for file uploads to Google Cloud Storage.",
-				Key:        objectName,
-				BucketName: bucketName,
-			}
-		}
-		if size > maxSinglePutObjectSize {
-			return 0, ErrEntityTooLarge(size, maxSinglePutObjectSize, bucketName, objectName)
-		}
-		// Do not compute MD5 for Google Cloud Storage. Uploads up to 5GiB in size.
-		return c.putObjectNoChecksum(bucketName, objectName, reader, size, metaData, progress)
-	}
-
-	// putSmall object.
-	if size < minPartSize && size >= 0 {
-		return c.putObjectSingle(bucketName, objectName, reader, size, metaData, progress)
-	}
-	// For all sizes greater than 5MiB do multipart.
-	n, err = c.putObjectMultipart(bucketName, objectName, reader, size, metaData, progress)
-	if err != nil {
-		errResp := ToErrorResponse(err)
-		// Verify if multipart functionality is not available, if not
-		// fall back to single PutObject operation.
-		if errResp.Code == "AccessDenied" && strings.Contains(errResp.Message, "Access Denied") {
-			// Verify if size of reader is greater than '5GiB'.
-			if size > maxSinglePutObjectSize {
-				return 0, ErrEntityTooLarge(size, maxSinglePutObjectSize, bucketName, objectName)
-			}
-			// Fall back to uploading as single PutObject operation.
-			return c.putObjectSingle(bucketName, objectName, reader, size, metaData, progress)
-		}
-		return n, err
-	}
-	return n, nil
-}
-
-// PutObjectStreaming using AWS streaming signature V4
-func (c Client) PutObjectStreaming(bucketName, objectName string, reader io.Reader) (n int64, err error) {
-	return c.PutObjectStreamingWithProgress(bucketName, objectName, reader, nil, nil)
-}
-
-// PutObjectStreamingWithMetadata using AWS streaming signature V4
-func (c Client) PutObjectStreamingWithMetadata(bucketName, objectName string, reader io.Reader, metadata map[string][]string) (n int64, err error) {
-	return c.PutObjectStreamingWithProgress(bucketName, objectName, reader, metadata, nil)
-}
-
-// PutObjectStreamingWithProgress using AWS streaming signature V4
-func (c Client) PutObjectStreamingWithProgress(bucketName, objectName string, reader io.Reader, metadata map[string][]string, progress io.Reader) (n int64, err error) {
-	// NOTE: Streaming signature is not supported by GCS.
-	if s3utils.IsGoogleEndpoint(c.endpointURL) {
-		return 0, ErrorResponse{
-			Code:       "NotImplemented",
-			Message:    "AWS streaming signature v4 is not supported with Google Cloud Storage",
-			Key:        objectName,
-			BucketName: bucketName,
-		}
-	}
-	// This method should return error with signature v2 minioClient.
-	if c.signature.isV2() {
-		return 0, ErrorResponse{
-			Code:       "NotImplemented",
-			Message:    "AWS streaming signature v4 is not supported with minio client initialized for AWS signature v2",
-			Key:        objectName,
-			BucketName: bucketName,
-		}
-	}
-
-	// Size of the object.
-	var size int64
-
-	// Get reader size.
-	size, err = getReaderSize(reader)
-	if err != nil {
-		return 0, err
-	}
-
-	// Check for largest object size allowed.
-	if size > int64(maxMultipartPutObjectSize) {
-		return 0, ErrEntityTooLarge(size, maxMultipartPutObjectSize, bucketName, objectName)
-	}
-
-	// If size cannot be found on a stream, it is not possible
-	// to upload using streaming signature, fall back to multipart.
-	if size < 0 {
-		return c.putObjectMultipartStream(bucketName, objectName, reader, size, metadata, progress)
-	}
-
-	// Set signature type to streaming signature v4.
-	c.signature = SignatureV4Streaming
-
-	if size < minPartSize && size >= 0 {
-		return c.putObjectNoChecksum(bucketName, objectName, reader, size, metadata, progress)
-	}
-
-	// For all sizes greater than 64MiB do multipart.
-	n, err = c.putObjectMultipartStreamNoChecksum(bucketName, objectName, reader, size, metadata, progress)
-	if err != nil {
-		errResp := ToErrorResponse(err)
-		// Verify if multipart functionality is not available, if not
-		// fall back to single PutObject operation.
-		if errResp.Code == "AccessDenied" && strings.Contains(errResp.Message, "Access Denied") {
-			// Verify if size of reader is greater than '5GiB'.
-			if size > maxSinglePutObjectSize {
-				return 0, ErrEntityTooLarge(size, maxSinglePutObjectSize, bucketName, objectName)
-			}
-			// Fall back to uploading as single PutObject operation.
-			return c.putObjectNoChecksum(bucketName, objectName, reader, size, metadata, progress)
-		}
-		return n, err
-	}
-
-	return n, nil
-}
diff --git a/vendor/github.com/minio/minio-go/api-put-object-readat.go b/vendor/github.com/minio/minio-go/api-put-object-readat.go
deleted file mode 100644
index ebf422638..000000000
--- a/vendor/github.com/minio/minio-go/api-put-object-readat.go
+++ /dev/null
@@ -1,247 +0,0 @@
-/*
- * Minio Go Library for Amazon S3 Compatible Cloud Storage (C) 2015, 2016 Minio, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package minio
-
-import (
-	"bytes"
-	"crypto/md5"
-	"crypto/sha256"
-	"fmt"
-	"hash"
-	"io"
-	"io/ioutil"
-	"sort"
-)
-
-// uploadedPartRes - the response received from a part upload.
-type uploadedPartRes struct {
-	Error   error // Any error encountered while uploading the part.
-	PartNum int   // Number of the part uploaded.
-	Size    int64 // Size of the part uploaded.
-	Part    *ObjectPart
-}
-
-type uploadPartReq struct {
-	PartNum int         // Number of the part uploaded.
-	Part    *ObjectPart // Size of the part uploaded.
-}
-
-// shouldUploadPartReadAt - verify if part should be uploaded.
-func shouldUploadPartReadAt(objPart ObjectPart, uploadReq uploadPartReq) bool {
-	// If part not found part should be uploaded.
-	if uploadReq.Part == nil {
-		return true
-	}
-	// if size mismatches part should be uploaded.
-	if uploadReq.Part.Size != objPart.Size {
-		return true
-	}
-	return false
-}
-
-// putObjectMultipartFromReadAt - Uploads files bigger than 5MiB. Supports reader
-// of type which implements io.ReaderAt interface (ReadAt method).
-//
-// NOTE: This function is meant to be used for all readers which
-// implement io.ReaderAt which allows us for resuming multipart
-// uploads but reading at an offset, which would avoid re-read the
-// data which was already uploaded. Internally this function uses
-// temporary files for staging all the data, these temporary files are
-// cleaned automatically when the caller i.e http client closes the
-// stream after uploading all the contents successfully.
-func (c Client) putObjectMultipartFromReadAt(bucketName, objectName string, reader io.ReaderAt, size int64, metaData map[string][]string, progress io.Reader) (n int64, err error) {
-	// Input validation.
-	if err := isValidBucketName(bucketName); err != nil {
-		return 0, err
-	}
-	if err := isValidObjectName(objectName); err != nil {
-		return 0, err
-	}
-
-	// Get the upload id of a previously partially uploaded object or initiate a new multipart upload
-	uploadID, partsInfo, err := c.getMpartUploadSession(bucketName, objectName, metaData)
-	if err != nil {
-		return 0, err
-	}
-
-	// Total data read and written to server. should be equal to 'size' at the end of the call.
-	var totalUploadedSize int64
-
-	// Complete multipart upload.
-	var complMultipartUpload completeMultipartUpload
-
-	// Calculate the optimal parts info for a given size.
-	totalPartsCount, partSize, lastPartSize, err := optimalPartInfo(size)
-	if err != nil {
-		return 0, err
-	}
-
-	// Used for readability, lastPartNumber is always totalPartsCount.
-	lastPartNumber := totalPartsCount
-
-	// Declare a channel that sends the next part number to be uploaded.
-	// Buffered to 10000 because thats the maximum number of parts allowed
-	// by S3.
-	uploadPartsCh := make(chan uploadPartReq, 10000)
-
-	// Declare a channel that sends back the response of a part upload.
-	// Buffered to 10000 because thats the maximum number of parts allowed
-	// by S3.
-	uploadedPartsCh := make(chan uploadedPartRes, 10000)
-
-	// Send each part number to the channel to be processed.
-	for p := 1; p <= totalPartsCount; p++ {
-		part, ok := partsInfo[p]
-		if ok {
-			uploadPartsCh <- uploadPartReq{PartNum: p, Part: &part}
-		} else {
-			uploadPartsCh <- uploadPartReq{PartNum: p, Part: nil}
-		}
-	}
-	close(uploadPartsCh)
-
-	// Receive each part number from the channel allowing three parallel uploads.
-	for w := 1; w <= totalWorkers; w++ {
-		go func() {
-			// Read defaults to reading at 5MiB buffer.
-			readAtBuffer := make([]byte, optimalReadBufferSize)
-
-			// Each worker will draw from the part channel and upload in parallel.
-			for uploadReq := range uploadPartsCh {
-				// Declare a  new tmpBuffer.
-				tmpBuffer := new(bytes.Buffer)
-
-				// If partNumber was not uploaded we calculate the missing
-				// part offset and size. For all other part numbers we
-				// calculate offset based on multiples of partSize.
-				readOffset := int64(uploadReq.PartNum-1) * partSize
-				missingPartSize := partSize
-
-				// As a special case if partNumber is lastPartNumber, we
-				// calculate the offset based on the last part size.
-				if uploadReq.PartNum == lastPartNumber {
-					readOffset = (size - lastPartSize)
-					missingPartSize = lastPartSize
-				}
-
-				// Get a section reader on a particular offset.
-				sectionReader := io.NewSectionReader(reader, readOffset, missingPartSize)
-
-				// Choose the needed hash algorithms to be calculated by hashCopyBuffer.
-				// Sha256 is avoided in non-v4 signature requests or HTTPS connections
-				hashSums := make(map[string][]byte)
-				hashAlgos := make(map[string]hash.Hash)
-				hashAlgos["md5"] = md5.New()
-				if c.signature.isV4() && !c.secure {
-					hashAlgos["sha256"] = sha256.New()
-				}
-
-				var prtSize int64
-				var err error
-				prtSize, err = hashCopyBuffer(hashAlgos, hashSums, tmpBuffer, sectionReader, readAtBuffer)
-				if err != nil {
-					// Send the error back through the channel.
-					uploadedPartsCh <- uploadedPartRes{
-						Size:  0,
-						Error: err,
-					}
-					// Exit the goroutine.
-					return
-				}
-
-				// Verify object if its uploaded.
-				verifyObjPart := ObjectPart{
-					PartNumber: uploadReq.PartNum,
-					Size:       partSize,
-				}
-				// Special case if we see a last part number, save last part
-				// size as the proper part size.
-				if uploadReq.PartNum == lastPartNumber {
-					verifyObjPart.Size = lastPartSize
-				}
-
-				// Only upload the necessary parts. Otherwise return size through channel
-				// to update any progress bar.
-				if shouldUploadPartReadAt(verifyObjPart, uploadReq) {
-					// Proceed to upload the part.
-					var objPart ObjectPart
-					objPart, err = c.uploadPart(bucketName, objectName, uploadID, tmpBuffer, uploadReq.PartNum, hashSums["md5"], hashSums["sha256"], prtSize)
-					if err != nil {
-						uploadedPartsCh <- uploadedPartRes{
-							Size:  0,
-							Error: err,
-						}
-						// Exit the goroutine.
-						return
-					}
-					// Save successfully uploaded part metadata.
-					uploadReq.Part = &objPart
-				}
-				// Send successful part info through the channel.
-				uploadedPartsCh <- uploadedPartRes{
-					Size:    verifyObjPart.Size,
-					PartNum: uploadReq.PartNum,
-					Part:    uploadReq.Part,
-					Error:   nil,
-				}
-			}
-		}()
-	}
-
-	// Gather the responses as they occur and update any
-	// progress bar.
-	for u := 1; u <= totalPartsCount; u++ {
-		uploadRes := <-uploadedPartsCh
-		if uploadRes.Error != nil {
-			return totalUploadedSize, uploadRes.Error
-		}
-		// Retrieve each uploaded part and store it to be completed.
-		// part, ok := partsInfo[uploadRes.PartNum]
-		part := uploadRes.Part
-		if part == nil {
-			return 0, ErrInvalidArgument(fmt.Sprintf("Missing part number %d", uploadRes.PartNum))
-		}
-		// Update the totalUploadedSize.
-		totalUploadedSize += uploadRes.Size
-		// Update the progress bar if there is one.
-		if progress != nil {
-			if _, err = io.CopyN(ioutil.Discard, progress, uploadRes.Size); err != nil {
-				return totalUploadedSize, err
-			}
-		}
-		// Store the parts to be completed in order.
-		complMultipartUpload.Parts = append(complMultipartUpload.Parts, CompletePart{
-			ETag:       part.ETag,
-			PartNumber: part.PartNumber,
-		})
-	}
-
-	// Verify if we uploaded all the data.
-	if totalUploadedSize != size {
-		return totalUploadedSize, ErrUnexpectedEOF(totalUploadedSize, size, bucketName, objectName)
-	}
-
-	// Sort all completed parts.
-	sort.Sort(completedParts(complMultipartUpload.Parts))
-	_, err = c.completeMultipartUpload(bucketName, objectName, uploadID, complMultipartUpload)
-	if err != nil {
-		return totalUploadedSize, err
-	}
-
-	// Return final size.
-	return totalUploadedSize, nil
-}
diff --git a/vendor/github.com/minio/minio-go/api-put-object-streaming.go b/vendor/github.com/minio/minio-go/api-put-object-streaming.go
new file mode 100644
index 000000000..0d4639e83
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/api-put-object-streaming.go
@@ -0,0 +1,436 @@
+/*
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage (C) 2017 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package minio
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+	"sort"
+	"strings"
+
+	"github.com/minio/minio-go/pkg/s3utils"
+)
+
+// PutObjectStreaming using AWS streaming signature V4
+func (c Client) PutObjectStreaming(bucketName, objectName string, reader io.Reader) (n int64, err error) {
+	return c.PutObjectWithProgress(bucketName, objectName, reader, nil, nil)
+}
+
+// putObjectMultipartStream - upload a large object using
+// multipart upload and streaming signature for signing payload.
+// Comprehensive put object operation involving multipart uploads.
+//
+// Following code handles these types of readers.
+//
+//  - *os.File
+//  - *minio.Object
+//  - Any reader which has a method 'ReadAt()'
+//
+func (c Client) putObjectMultipartStream(bucketName, objectName string,
+	reader io.Reader, size int64, metadata map[string][]string, progress io.Reader) (n int64, err error) {
+
+	// Verify if reader is *minio.Object, *os.File or io.ReaderAt.
+	// NOTE: Verification of object is kept for a specific purpose
+	// while it is going to be duck typed similar to io.ReaderAt.
+	// It is to indicate that *minio.Object implements io.ReaderAt.
+	// and such a functionality is used in the subsequent code path.
+	if isFile(reader) || !isObject(reader) && isReadAt(reader) {
+		n, err = c.putObjectMultipartStreamFromReadAt(bucketName, objectName, reader.(io.ReaderAt), size, metadata, progress)
+	} else {
+		n, err = c.putObjectMultipartStreamNoChecksum(bucketName, objectName, reader, size, metadata, progress)
+	}
+	if err != nil {
+		errResp := ToErrorResponse(err)
+		// Verify if multipart functionality is not available, if not
+		// fall back to single PutObject operation.
+		if errResp.Code == "AccessDenied" && strings.Contains(errResp.Message, "Access Denied") {
+			// Verify if size of reader is greater than '5GiB'.
+			if size > maxSinglePutObjectSize {
+				return 0, ErrEntityTooLarge(size, maxSinglePutObjectSize, bucketName, objectName)
+			}
+			// Fall back to uploading as single PutObject operation.
+			return c.putObjectNoChecksum(bucketName, objectName, reader, size, metadata, progress)
+		}
+	}
+	return n, err
+}
+
+// uploadedPartRes - the response received from a part upload.
+type uploadedPartRes struct {
+	Error   error // Any error encountered while uploading the part.
+	PartNum int   // Number of the part uploaded.
+	Size    int64 // Size of the part uploaded.
+	Part    *ObjectPart
+}
+
+type uploadPartReq struct {
+	PartNum int         // Number of the part uploaded.
+	Part    *ObjectPart // Size of the part uploaded.
+}
+
+// putObjectMultipartFromReadAt - Uploads files bigger than 64MiB.
+// Supports all readers which implements io.ReaderAt interface
+// (ReadAt method).
+//
+// NOTE: This function is meant to be used for all readers which
+// implement io.ReaderAt which allows us for resuming multipart
+// uploads but reading at an offset, which would avoid re-read the
+// data which was already uploaded. Internally this function uses
+// temporary files for staging all the data, these temporary files are
+// cleaned automatically when the caller i.e http client closes the
+// stream after uploading all the contents successfully.
+func (c Client) putObjectMultipartStreamFromReadAt(bucketName, objectName string,
+	reader io.ReaderAt, size int64, metadata map[string][]string, progress io.Reader) (n int64, err error) {
+	// Input validation.
+	if err = s3utils.CheckValidBucketName(bucketName); err != nil {
+		return 0, err
+	}
+	if err = s3utils.CheckValidObjectName(objectName); err != nil {
+		return 0, err
+	}
+
+	// Calculate the optimal parts info for a given size.
+	totalPartsCount, partSize, lastPartSize, err := optimalPartInfo(size)
+	if err != nil {
+		return 0, err
+	}
+
+	// Initiate a new multipart upload.
+	uploadID, err := c.newUploadID(bucketName, objectName, metadata)
+	if err != nil {
+		return 0, err
+	}
+
+	// Aborts the multipart upload in progress, if the
+	// function returns any error, since we do not resume
+	// we should purge the parts which have been uploaded
+	// to relinquish storage space.
+	defer func() {
+		if err != nil {
+			c.abortMultipartUpload(bucketName, objectName, uploadID)
+		}
+	}()
+
+	// Total data read and written to server. should be equal to 'size' at the end of the call.
+	var totalUploadedSize int64
+
+	// Complete multipart upload.
+	var complMultipartUpload completeMultipartUpload
+
+	// Declare a channel that sends the next part number to be uploaded.
+	// Buffered to 10000 because thats the maximum number of parts allowed
+	// by S3.
+	uploadPartsCh := make(chan uploadPartReq, 10000)
+
+	// Declare a channel that sends back the response of a part upload.
+	// Buffered to 10000 because thats the maximum number of parts allowed
+	// by S3.
+	uploadedPartsCh := make(chan uploadedPartRes, 10000)
+
+	// Used for readability, lastPartNumber is always totalPartsCount.
+	lastPartNumber := totalPartsCount
+
+	// Send each part number to the channel to be processed.
+	for p := 1; p <= totalPartsCount; p++ {
+		uploadPartsCh <- uploadPartReq{PartNum: p, Part: nil}
+	}
+	close(uploadPartsCh)
+
+	// Receive each part number from the channel allowing three parallel uploads.
+	for w := 1; w <= totalWorkers; w++ {
+		go func() {
+			// Each worker will draw from the part channel and upload in parallel.
+			for uploadReq := range uploadPartsCh {
+
+				// If partNumber was not uploaded we calculate the missing
+				// part offset and size. For all other part numbers we
+				// calculate offset based on multiples of partSize.
+				readOffset := int64(uploadReq.PartNum-1) * partSize
+
+				// As a special case if partNumber is lastPartNumber, we
+				// calculate the offset based on the last part size.
+				if uploadReq.PartNum == lastPartNumber {
+					readOffset = (size - lastPartSize)
+					partSize = lastPartSize
+				}
+
+				// Get a section reader on a particular offset.
+				sectionReader := newHook(io.NewSectionReader(reader, readOffset, partSize), progress)
+
+				// Proceed to upload the part.
+				var objPart ObjectPart
+				objPart, err = c.uploadPart(bucketName, objectName, uploadID,
+					sectionReader, uploadReq.PartNum,
+					nil, nil, partSize, metadata)
+				if err != nil {
+					uploadedPartsCh <- uploadedPartRes{
+						Size:  0,
+						Error: err,
+					}
+					// Exit the goroutine.
+					return
+				}
+
+				// Save successfully uploaded part metadata.
+				uploadReq.Part = &objPart
+
+				// Send successful part info through the channel.
+				uploadedPartsCh <- uploadedPartRes{
+					Size:    objPart.Size,
+					PartNum: uploadReq.PartNum,
+					Part:    uploadReq.Part,
+					Error:   nil,
+				}
+			}
+		}()
+	}
+
+	// Gather the responses as they occur and update any
+	// progress bar.
+	for u := 1; u <= totalPartsCount; u++ {
+		uploadRes := <-uploadedPartsCh
+		if uploadRes.Error != nil {
+			return totalUploadedSize, uploadRes.Error
+		}
+		// Retrieve each uploaded part and store it to be completed.
+		// part, ok := partsInfo[uploadRes.PartNum]
+		part := uploadRes.Part
+		if part == nil {
+			return 0, ErrInvalidArgument(fmt.Sprintf("Missing part number %d", uploadRes.PartNum))
+		}
+		// Update the totalUploadedSize.
+		totalUploadedSize += uploadRes.Size
+		// Store the parts to be completed in order.
+		complMultipartUpload.Parts = append(complMultipartUpload.Parts, CompletePart{
+			ETag:       part.ETag,
+			PartNumber: part.PartNumber,
+		})
+	}
+
+	// Verify if we uploaded all the data.
+	if totalUploadedSize != size {
+		return totalUploadedSize, ErrUnexpectedEOF(totalUploadedSize, size, bucketName, objectName)
+	}
+
+	// Sort all completed parts.
+	sort.Sort(completedParts(complMultipartUpload.Parts))
+	_, err = c.completeMultipartUpload(bucketName, objectName, uploadID, complMultipartUpload)
+	if err != nil {
+		return totalUploadedSize, err
+	}
+
+	// Return final size.
+	return totalUploadedSize, nil
+}
+
+func (c Client) putObjectMultipartStreamNoChecksum(bucketName, objectName string,
+	reader io.Reader, size int64, metadata map[string][]string, progress io.Reader) (n int64, err error) {
+	// Input validation.
+	if err = s3utils.CheckValidBucketName(bucketName); err != nil {
+		return 0, err
+	}
+	if err = s3utils.CheckValidObjectName(objectName); err != nil {
+		return 0, err
+	}
+
+	// Calculate the optimal parts info for a given size.
+	totalPartsCount, partSize, lastPartSize, err := optimalPartInfo(size)
+	if err != nil {
+		return 0, err
+	}
+
+	// Initiates a new multipart request
+	uploadID, err := c.newUploadID(bucketName, objectName, metadata)
+	if err != nil {
+		return 0, err
+	}
+
+	// Aborts the multipart upload if the function returns
+	// any error, since we do not resume we should purge
+	// the parts which have been uploaded to relinquish
+	// storage space.
+	defer func() {
+		if err != nil {
+			c.abortMultipartUpload(bucketName, objectName, uploadID)
+		}
+	}()
+
+	// Total data read and written to server. should be equal to 'size' at the end of the call.
+	var totalUploadedSize int64
+
+	// Initialize parts uploaded map.
+	partsInfo := make(map[int]ObjectPart)
+
+	// Part number always starts with '1'.
+	var partNumber int
+	for partNumber = 1; partNumber <= totalPartsCount; partNumber++ {
+		// Update progress reader appropriately to the latest offset
+		// as we read from the source.
+		hookReader := newHook(reader, progress)
+
+		// Proceed to upload the part.
+		if partNumber == totalPartsCount {
+			partSize = lastPartSize
+		}
+
+		var objPart ObjectPart
+		objPart, err = c.uploadPart(bucketName, objectName, uploadID,
+			io.LimitReader(hookReader, partSize),
+			partNumber, nil, nil, partSize, metadata)
+		if err != nil {
+			return totalUploadedSize, err
+		}
+
+		// Save successfully uploaded part metadata.
+		partsInfo[partNumber] = objPart
+
+		// Save successfully uploaded size.
+		totalUploadedSize += partSize
+	}
+
+	// Verify if we uploaded all the data.
+	if size > 0 {
+		if totalUploadedSize != size {
+			return totalUploadedSize, ErrUnexpectedEOF(totalUploadedSize, size, bucketName, objectName)
+		}
+	}
+
+	// Complete multipart upload.
+	var complMultipartUpload completeMultipartUpload
+
+	// Loop over total uploaded parts to save them in
+	// Parts array before completing the multipart request.
+	for i := 1; i < partNumber; i++ {
+		part, ok := partsInfo[i]
+		if !ok {
+			return 0, ErrInvalidArgument(fmt.Sprintf("Missing part number %d", i))
+		}
+		complMultipartUpload.Parts = append(complMultipartUpload.Parts, CompletePart{
+			ETag:       part.ETag,
+			PartNumber: part.PartNumber,
+		})
+	}
+
+	// Sort all completed parts.
+	sort.Sort(completedParts(complMultipartUpload.Parts))
+	_, err = c.completeMultipartUpload(bucketName, objectName, uploadID, complMultipartUpload)
+	if err != nil {
+		return totalUploadedSize, err
+	}
+
+	// Return final size.
+	return totalUploadedSize, nil
+}
+
+// putObjectNoChecksum special function used Google Cloud Storage. This special function
+// is used for Google Cloud Storage since Google's multipart API is not S3 compatible.
+func (c Client) putObjectNoChecksum(bucketName, objectName string, reader io.Reader, size int64, metaData map[string][]string, progress io.Reader) (n int64, err error) {
+	// Input validation.
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
+		return 0, err
+	}
+	if err := s3utils.CheckValidObjectName(objectName); err != nil {
+		return 0, err
+	}
+
+	// Size -1 is only supported on Google Cloud Storage, we error
+	// out in all other situations.
+	if size < 0 && !s3utils.IsGoogleEndpoint(c.endpointURL) {
+		return 0, ErrEntityTooSmall(size, bucketName, objectName)
+	}
+	if size > 0 {
+		if isReadAt(reader) && !isObject(reader) {
+			reader = io.NewSectionReader(reader.(io.ReaderAt), 0, size)
+		}
+	}
+
+	// Update progress reader appropriately to the latest offset as we
+	// read from the source.
+	readSeeker := newHook(reader, progress)
+
+	// This function does not calculate sha256 and md5sum for payload.
+	// Execute put object.
+	st, err := c.putObjectDo(bucketName, objectName, readSeeker, nil, nil, size, metaData)
+	if err != nil {
+		return 0, err
+	}
+	if st.Size != size {
+		return 0, ErrUnexpectedEOF(st.Size, size, bucketName, objectName)
+	}
+	return size, nil
+}
+
+// putObjectDo - executes the put object http operation.
+// NOTE: You must have WRITE permissions on a bucket to add an object to it.
+func (c Client) putObjectDo(bucketName, objectName string, reader io.Reader, md5Sum []byte, sha256Sum []byte, size int64, metaData map[string][]string) (ObjectInfo, error) {
+	// Input validation.
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
+		return ObjectInfo{}, err
+	}
+	if err := s3utils.CheckValidObjectName(objectName); err != nil {
+		return ObjectInfo{}, err
+	}
+
+	// Set headers.
+	customHeader := make(http.Header)
+
+	// Set metadata to headers
+	for k, v := range metaData {
+		if len(v) > 0 {
+			customHeader.Set(k, v[0])
+		}
+	}
+
+	// If Content-Type is not provided, set the default application/octet-stream one
+	if v, ok := metaData["Content-Type"]; !ok || len(v) == 0 {
+		customHeader.Set("Content-Type", "application/octet-stream")
+	}
+
+	// Populate request metadata.
+	reqMetadata := requestMetadata{
+		bucketName:         bucketName,
+		objectName:         objectName,
+		customHeader:       customHeader,
+		contentBody:        reader,
+		contentLength:      size,
+		contentMD5Bytes:    md5Sum,
+		contentSHA256Bytes: sha256Sum,
+	}
+
+	// Execute PUT an objectName.
+	resp, err := c.executeMethod("PUT", reqMetadata)
+	defer closeResponse(resp)
+	if err != nil {
+		return ObjectInfo{}, err
+	}
+	if resp != nil {
+		if resp.StatusCode != http.StatusOK {
+			return ObjectInfo{}, httpRespToErrorResponse(resp, bucketName, objectName)
+		}
+	}
+
+	var objInfo ObjectInfo
+	// Trim off the odd double quotes from ETag in the beginning and end.
+	objInfo.ETag = strings.TrimPrefix(resp.Header.Get("ETag"), "\"")
+	objInfo.ETag = strings.TrimSuffix(objInfo.ETag, "\"")
+	// A success here means data was written to server successfully.
+	objInfo.Size = size
+
+	// Return here.
+	return objInfo, nil
+}
diff --git a/vendor/github.com/minio/minio-go/api-put-object.go b/vendor/github.com/minio/minio-go/api-put-object.go
index e218075df..2ea498789 100644
--- a/vendor/github.com/minio/minio-go/api-put-object.go
+++ b/vendor/github.com/minio/minio-go/api-put-object.go
@@ -17,17 +17,14 @@
 package minio
 
 import (
-	"bytes"
-	"crypto/md5"
-	"crypto/sha256"
-	"hash"
 	"io"
-	"io/ioutil"
-	"net/http"
 	"os"
 	"reflect"
 	"runtime"
 	"strings"
+
+	"github.com/minio/minio-go/pkg/credentials"
+	"github.com/minio/minio-go/pkg/s3utils"
 )
 
 // toInt - converts go value to its integer representation based
@@ -109,14 +106,24 @@ func getReaderSize(reader io.Reader) (size int64, err error) {
 			case "|0", "|1":
 				return
 			}
-			size = st.Size()
+			var pos int64
+			pos, err = v.Seek(0, 1) // SeekCurrent.
+			if err != nil {
+				return -1, err
+			}
+			size = st.Size() - pos
 		case *Object:
 			var st ObjectInfo
 			st, err = v.Stat()
 			if err != nil {
 				return
 			}
-			size = st.Size
+			var pos int64
+			pos, err = v.Seek(0, 1) // SeekCurrent.
+			if err != nil {
+				return -1, err
+			}
+			size = st.Size - pos
 		}
 	}
 	// Returns the size here.
@@ -135,184 +142,77 @@ func (a completedParts) Less(i, j int) bool { return a[i].PartNumber < a[j].Part
 //
 // You must have WRITE permissions on a bucket to create an object.
 //
-//  - For size smaller than 5MiB PutObject automatically does a single atomic Put operation.
-//  - For size larger than 5MiB PutObject automatically does a resumable multipart Put operation.
-//  - For size input as -1 PutObject does a multipart Put operation until input stream reaches EOF.
-//    Maximum object size that can be uploaded through this operation will be 5TiB.
-//
-// NOTE: Google Cloud Storage does not implement Amazon S3 Compatible multipart PUT.
-// So we fall back to single PUT operation with the maximum limit of 5GiB.
-//
+//  - For size smaller than 64MiB PutObject automatically does a
+//    single atomic Put operation.
+//  - For size larger than 64MiB PutObject automatically does a
+//    multipart Put operation.
+//  - For size input as -1 PutObject does a multipart Put operation
+//    until input stream reaches EOF. Maximum object size that can
+//    be uploaded through this operation will be 5TiB.
 func (c Client) PutObject(bucketName, objectName string, reader io.Reader, contentType string) (n int64, err error) {
-	return c.PutObjectWithProgress(bucketName, objectName, reader, contentType, nil)
+	return c.PutObjectWithMetadata(bucketName, objectName, reader, map[string][]string{
+		"Content-Type": []string{contentType},
+	}, nil)
 }
 
-// putObjectNoChecksum special function used Google Cloud Storage. This special function
-// is used for Google Cloud Storage since Google's multipart API is not S3 compatible.
-func (c Client) putObjectNoChecksum(bucketName, objectName string, reader io.Reader, size int64, metaData map[string][]string, progress io.Reader) (n int64, err error) {
-	// Input validation.
-	if err := isValidBucketName(bucketName); err != nil {
-		return 0, err
-	}
-	if err := isValidObjectName(objectName); err != nil {
-		return 0, err
-	}
-	if size > maxSinglePutObjectSize {
-		return 0, ErrEntityTooLarge(size, maxSinglePutObjectSize, bucketName, objectName)
-	}
-
-	// Update progress reader appropriately to the latest offset as we
-	// read from the source.
-	readSeeker := newHook(reader, progress)
-
-	// This function does not calculate sha256 and md5sum for payload.
-	// Execute put object.
-	st, err := c.putObjectDo(bucketName, objectName, readSeeker, nil, nil, size, metaData)
-	if err != nil {
-		return 0, err
-	}
-	if st.Size != size {
-		return 0, ErrUnexpectedEOF(st.Size, size, bucketName, objectName)
-	}
-	return size, nil
+// PutObjectWithSize - is a helper PutObject similar in behavior to PutObject()
+// but takes the size argument explicitly, this function avoids doing reflection
+// internally to figure out the size of input stream. Also if the input size is
+// lesser than 0 this function returns an error.
+func (c Client) PutObjectWithSize(bucketName, objectName string, reader io.Reader, readerSize int64, metadata map[string][]string, progress io.Reader) (n int64, err error) {
+	return c.putObjectCommon(bucketName, objectName, reader, readerSize, metadata, progress)
 }
 
-// putObjectSingle is a special function for uploading single put object request.
-// This special function is used as a fallback when multipart upload fails.
-func (c Client) putObjectSingle(bucketName, objectName string, reader io.Reader, size int64, metaData map[string][]string, progress io.Reader) (n int64, err error) {
-	// Input validation.
-	if err := isValidBucketName(bucketName); err != nil {
-		return 0, err
-	}
-	if err := isValidObjectName(objectName); err != nil {
-		return 0, err
-	}
-	if size > maxSinglePutObjectSize {
-		return 0, ErrEntityTooLarge(size, maxSinglePutObjectSize, bucketName, objectName)
-	}
-	// If size is a stream, upload up to 5GiB.
-	if size <= -1 {
-		size = maxSinglePutObjectSize
-	}
+// PutObjectWithMetadata using AWS streaming signature V4
+func (c Client) PutObjectWithMetadata(bucketName, objectName string, reader io.Reader, metadata map[string][]string, progress io.Reader) (n int64, err error) {
+	return c.PutObjectWithProgress(bucketName, objectName, reader, metadata, progress)
+}
 
-	// Add the appropriate hash algorithms that need to be calculated by hashCopyN
-	// In case of non-v4 signature request or HTTPS connection, sha256 is not needed.
-	hashAlgos := make(map[string]hash.Hash)
-	hashSums := make(map[string][]byte)
-	hashAlgos["md5"] = md5.New()
-	if c.signature.isV4() && !c.secure {
-		hashAlgos["sha256"] = sha256.New()
-	}
+// PutObjectWithProgress using AWS streaming signature V4
+func (c Client) PutObjectWithProgress(bucketName, objectName string, reader io.Reader, metadata map[string][]string, progress io.Reader) (n int64, err error) {
+	// Size of the object.
+	var size int64
 
-	if size <= minPartSize {
-		// Initialize a new temporary buffer.
-		tmpBuffer := new(bytes.Buffer)
-		size, err = hashCopyN(hashAlgos, hashSums, tmpBuffer, reader, size)
-		reader = bytes.NewReader(tmpBuffer.Bytes())
-		tmpBuffer.Reset()
-	} else {
-		// Initialize a new temporary file.
-		var tmpFile *tempFile
-		tmpFile, err = newTempFile("single$-putobject-single")
-		if err != nil {
-			return 0, err
-		}
-		defer tmpFile.Close()
-		size, err = hashCopyN(hashAlgos, hashSums, tmpFile, reader, size)
-		if err != nil {
-			return 0, err
-		}
-		// Seek back to beginning of the temporary file.
-		if _, err = tmpFile.Seek(0, 0); err != nil {
-			return 0, err
-		}
-		reader = tmpFile
-	}
-	// Return error if its not io.EOF.
-	if err != nil && err != io.EOF {
-		return 0, err
-	}
-	// Execute put object.
-	st, err := c.putObjectDo(bucketName, objectName, reader, hashSums["md5"], hashSums["sha256"], size, metaData)
+	// Get reader size.
+	size, err = getReaderSize(reader)
 	if err != nil {
 		return 0, err
 	}
-	if st.Size != size {
-		return 0, ErrUnexpectedEOF(st.Size, size, bucketName, objectName)
-	}
-	// Progress the reader to the size if putObjectDo is successful.
-	if progress != nil {
-		if _, err = io.CopyN(ioutil.Discard, progress, size); err != nil {
-			return size, err
-		}
-	}
-	return size, nil
+	return c.putObjectCommon(bucketName, objectName, reader, size, metadata, progress)
 }
 
-// putObjectDo - executes the put object http operation.
-// NOTE: You must have WRITE permissions on a bucket to add an object to it.
-func (c Client) putObjectDo(bucketName, objectName string, reader io.Reader, md5Sum []byte, sha256Sum []byte, size int64, metaData map[string][]string) (ObjectInfo, error) {
-	// Input validation.
-	if err := isValidBucketName(bucketName); err != nil {
-		return ObjectInfo{}, err
-	}
-	if err := isValidObjectName(objectName); err != nil {
-		return ObjectInfo{}, err
-	}
-
-	if size <= -1 {
-		return ObjectInfo{}, ErrEntityTooSmall(size, bucketName, objectName)
+func (c Client) putObjectCommon(bucketName, objectName string, reader io.Reader, size int64, metadata map[string][]string, progress io.Reader) (n int64, err error) {
+	// Check for largest object size allowed.
+	if size > int64(maxMultipartPutObjectSize) {
+		return 0, ErrEntityTooLarge(size, maxMultipartPutObjectSize, bucketName, objectName)
 	}
 
-	if size > maxSinglePutObjectSize {
-		return ObjectInfo{}, ErrEntityTooLarge(size, maxSinglePutObjectSize, bucketName, objectName)
+	// NOTE: Streaming signature is not supported by GCS.
+	if s3utils.IsGoogleEndpoint(c.endpointURL) {
+		// Do not compute MD5 for Google Cloud Storage.
+		return c.putObjectNoChecksum(bucketName, objectName, reader, size, metadata, progress)
 	}
 
-	// Set headers.
-	customHeader := make(http.Header)
-
-	// Set metadata to headers
-	for k, v := range metaData {
-		if len(v) > 0 {
-			customHeader.Set(k, v[0])
+	if c.overrideSignerType.IsV2() {
+		if size > 0 && size < minPartSize {
+			return c.putObjectNoChecksum(bucketName, objectName, reader, size, metadata, progress)
 		}
+		return c.putObjectMultipart(bucketName, objectName, reader, size, metadata, progress)
 	}
 
-	// If Content-Type is not provided, set the default application/octet-stream one
-	if v, ok := metaData["Content-Type"]; !ok || len(v) == 0 {
-		customHeader.Set("Content-Type", "application/octet-stream")
+	// If size cannot be found on a stream, it is not possible
+	// to upload using streaming signature, fall back to multipart.
+	if size < 0 {
+		return c.putObjectMultipart(bucketName, objectName, reader, size, metadata, progress)
 	}
 
-	// Populate request metadata.
-	reqMetadata := requestMetadata{
-		bucketName:         bucketName,
-		objectName:         objectName,
-		customHeader:       customHeader,
-		contentBody:        reader,
-		contentLength:      size,
-		contentMD5Bytes:    md5Sum,
-		contentSHA256Bytes: sha256Sum,
-	}
+	// Set streaming signature.
+	c.overrideSignerType = credentials.SignatureV4Streaming
 
-	// Execute PUT an objectName.
-	resp, err := c.executeMethod("PUT", reqMetadata)
-	defer closeResponse(resp)
-	if err != nil {
-		return ObjectInfo{}, err
+	if size < minPartSize {
+		return c.putObjectNoChecksum(bucketName, objectName, reader, size, metadata, progress)
 	}
-	if resp != nil {
-		if resp.StatusCode != http.StatusOK {
-			return ObjectInfo{}, httpRespToErrorResponse(resp, bucketName, objectName)
-		}
-	}
-
-	var objInfo ObjectInfo
-	// Trim off the odd double quotes from ETag in the beginning and end.
-	objInfo.ETag = strings.TrimPrefix(resp.Header.Get("ETag"), "\"")
-	objInfo.ETag = strings.TrimSuffix(objInfo.ETag, "\"")
-	// A success here means data was written to server successfully.
-	objInfo.Size = size
 
-	// Return here.
-	return objInfo, nil
+	// For all sizes greater than 64MiB do multipart.
+	return c.putObjectMultipartStream(bucketName, objectName, reader, size, metadata, progress)
 }
diff --git a/vendor/github.com/minio/minio-go/api-remove.go b/vendor/github.com/minio/minio-go/api-remove.go
index 73790f002..3574cbc1a 100644
--- a/vendor/github.com/minio/minio-go/api-remove.go
+++ b/vendor/github.com/minio/minio-go/api-remove.go
@@ -22,6 +22,8 @@ import (
 	"io"
 	"net/http"
 	"net/url"
+
+	"github.com/minio/minio-go/pkg/s3utils"
 )
 
 // RemoveBucket deletes the bucket name.
@@ -30,7 +32,7 @@ import (
 //  in the bucket must be deleted before successfully attempting this request.
 func (c Client) RemoveBucket(bucketName string) error {
 	// Input validation.
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 		return err
 	}
 	// Execute DELETE on bucket.
@@ -57,10 +59,10 @@ func (c Client) RemoveBucket(bucketName string) error {
 // RemoveObject remove an object from a bucket.
 func (c Client) RemoveObject(bucketName, objectName string) error {
 	// Input validation.
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 		return err
 	}
-	if err := isValidObjectName(objectName); err != nil {
+	if err := s3utils.CheckValidObjectName(objectName); err != nil {
 		return err
 	}
 	// Execute DELETE on objectName.
@@ -132,7 +134,7 @@ func (c Client) RemoveObjects(bucketName string, objectsCh <-chan string) <-chan
 	errorCh := make(chan RemoveObjectError, 1)
 
 	// Validate if bucket name is valid.
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 		defer close(errorCh)
 		errorCh <- RemoveObjectError{
 			Err: err,
@@ -174,7 +176,7 @@ func (c Client) RemoveObjects(bucketName string, objectsCh <-chan string) <-chan
 				}
 			}
 			if count == 0 {
-				// Multi Objects Delete API doesn't accept empty object list, quit immediatly
+				// Multi Objects Delete API doesn't accept empty object list, quit immediately
 				break
 			}
 			if count < maxEntries {
@@ -212,10 +214,10 @@ func (c Client) RemoveObjects(bucketName string, objectsCh <-chan string) <-chan
 // RemoveIncompleteUpload aborts an partially uploaded object.
 func (c Client) RemoveIncompleteUpload(bucketName, objectName string) error {
 	// Input validation.
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 		return err
 	}
-	if err := isValidObjectName(objectName); err != nil {
+	if err := s3utils.CheckValidObjectName(objectName); err != nil {
 		return err
 	}
 	// Find multipart upload id of the object to be aborted.
@@ -237,10 +239,10 @@ func (c Client) RemoveIncompleteUpload(bucketName, objectName string) error {
 // uploadID, all previously uploaded parts are deleted.
 func (c Client) abortMultipartUpload(bucketName, objectName, uploadID string) error {
 	// Input validation.
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 		return err
 	}
-	if err := isValidObjectName(objectName); err != nil {
+	if err := s3utils.CheckValidObjectName(objectName); err != nil {
 		return err
 	}
 
diff --git a/vendor/github.com/minio/minio-go/api-s3-datatypes.go b/vendor/github.com/minio/minio-go/api-s3-datatypes.go
index ec63d6b94..4b297407b 100644
--- a/vendor/github.com/minio/minio-go/api-s3-datatypes.go
+++ b/vendor/github.com/minio/minio-go/api-s3-datatypes.go
@@ -36,8 +36,8 @@ type owner struct {
 	ID          string
 }
 
-// commonPrefix container for prefix response.
-type commonPrefix struct {
+// CommonPrefix container for prefix response.
+type CommonPrefix struct {
 	Prefix string
 }
 
@@ -45,7 +45,7 @@ type commonPrefix struct {
 type ListBucketV2Result struct {
 	// A response can contain CommonPrefixes only if you have
 	// specified a delimiter.
-	CommonPrefixes []commonPrefix
+	CommonPrefixes []CommonPrefix
 	// Metadata about each object returned.
 	Contents  []ObjectInfo
 	Delimiter string
@@ -74,7 +74,7 @@ type ListBucketV2Result struct {
 type ListBucketResult struct {
 	// A response can contain CommonPrefixes only if you have
 	// specified a delimiter.
-	CommonPrefixes []commonPrefix
+	CommonPrefixes []CommonPrefix
 	// Metadata about each object returned.
 	Contents  []ObjectInfo
 	Delimiter string
@@ -116,7 +116,7 @@ type ListMultipartUploadsResult struct {
 	Prefix             string
 	Delimiter          string
 	// A response can contain CommonPrefixes only if you specify a delimiter.
-	CommonPrefixes []commonPrefix
+	CommonPrefixes []CommonPrefix
 }
 
 // initiator container for who initiated multipart upload.
diff --git a/vendor/github.com/minio/minio-go/api-stat.go b/vendor/github.com/minio/minio-go/api-stat.go
index 5b3dfe1b4..4b530327b 100644
--- a/vendor/github.com/minio/minio-go/api-stat.go
+++ b/vendor/github.com/minio/minio-go/api-stat.go
@@ -28,7 +28,7 @@ import (
 // BucketExists verify if bucket exists and you have permission to access it.
 func (c Client) BucketExists(bucketName string) (bool, error) {
 	// Input validation.
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 		return false, err
 	}
 
@@ -55,11 +55,13 @@ func (c Client) BucketExists(bucketName string) (bool, error) {
 // List of header keys to be filtered, usually
 // from all S3 API http responses.
 var defaultFilterKeys = []string{
+	"Connection",
 	"Transfer-Encoding",
 	"Accept-Ranges",
 	"Date",
 	"Server",
 	"Vary",
+	"x-amz-bucket-region",
 	"x-amz-request-id",
 	"x-amz-id-2",
 	// Add new headers to be ignored.
@@ -80,10 +82,10 @@ func extractObjMetadata(header http.Header) http.Header {
 // StatObject verifies if object exists and you have permission to access.
 func (c Client) StatObject(bucketName, objectName string) (ObjectInfo, error) {
 	// Input validation.
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 		return ObjectInfo{}, err
 	}
-	if err := isValidObjectName(objectName); err != nil {
+	if err := s3utils.CheckValidObjectName(objectName); err != nil {
 		return ObjectInfo{}, err
 	}
 	reqHeaders := NewHeadReqHeaders()
@@ -93,10 +95,10 @@ func (c Client) StatObject(bucketName, objectName string) (ObjectInfo, error) {
 // Lower level API for statObject supporting pre-conditions and range headers.
 func (c Client) statObject(bucketName, objectName string, reqHeaders RequestHeaders) (ObjectInfo, error) {
 	// Input validation.
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 		return ObjectInfo{}, err
 	}
-	if err := isValidObjectName(objectName); err != nil {
+	if err := s3utils.CheckValidObjectName(objectName); err != nil {
 		return ObjectInfo{}, err
 	}
 
@@ -126,12 +128,13 @@ func (c Client) statObject(bucketName, objectName string, reqHeaders RequestHead
 	md5sum := strings.TrimPrefix(resp.Header.Get("ETag"), "\"")
 	md5sum = strings.TrimSuffix(md5sum, "\"")
 
-	// Content-Length is not valid for Google Cloud Storage, do not verify.
+	// Parse content length is exists
 	var size int64 = -1
-	if !s3utils.IsGoogleEndpoint(c.endpointURL) {
-		// Parse content length.
-		size, err = strconv.ParseInt(resp.Header.Get("Content-Length"), 10, 64)
+	contentLengthStr := resp.Header.Get("Content-Length")
+	if contentLengthStr != "" {
+		size, err = strconv.ParseInt(contentLengthStr, 10, 64)
 		if err != nil {
+			// Content-Length is not valid
 			return ObjectInfo{}, ErrorResponse{
 				Code:       "InternalError",
 				Message:    "Content-Length is invalid. " + reportIssue,
diff --git a/vendor/github.com/minio/minio-go/api.go b/vendor/github.com/minio/minio-go/api.go
index a563a18d4..6fe508aa1 100644
--- a/vendor/github.com/minio/minio-go/api.go
+++ b/vendor/github.com/minio/minio-go/api.go
@@ -1,5 +1,6 @@
 /*
- * Minio Go Library for Amazon S3 Compatible Cloud Storage (C) 2015, 2016 Minio, Inc.
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage
+ * (C) 2015, 2016, 2017 Minio, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,23 +19,27 @@ package minio
 
 import (
 	"bytes"
+	"crypto/md5"
+	"crypto/sha256"
 	"encoding/base64"
 	"encoding/hex"
 	"errors"
 	"fmt"
+	"hash"
 	"io"
 	"io/ioutil"
 	"math/rand"
+	"net"
 	"net/http"
 	"net/http/httputil"
 	"net/url"
 	"os"
-	"regexp"
 	"runtime"
 	"strings"
 	"sync"
 	"time"
 
+	"github.com/minio/minio-go/pkg/credentials"
 	"github.com/minio/minio-go/pkg/s3signer"
 	"github.com/minio/minio-go/pkg/s3utils"
 )
@@ -46,14 +51,11 @@ type Client struct {
 	// Parsed endpoint url provided by the user.
 	endpointURL url.URL
 
-	// AccessKeyID required for authorized requests.
-	accessKeyID string
-	// SecretAccessKey required for authorized requests.
-	secretAccessKey string
-	// Choose a signature type if necessary.
-	signature SignatureType
-	// Set to 'true' if Client has no access and secret keys.
-	anonymous bool
+	// Holds various credential providers.
+	credsProvider *credentials.Credentials
+
+	// Custom signerType value overrides all credentials.
+	overrideSignerType credentials.SignatureType
 
 	// User supplied.
 	appInfo struct {
@@ -85,7 +87,7 @@ type Client struct {
 // Global constants.
 const (
 	libraryName    = "minio-go"
-	libraryVersion = "2.1.0"
+	libraryVersion = "3.0.0"
 )
 
 // User Agent should always following the below style.
@@ -100,58 +102,58 @@ const (
 // NewV2 - instantiate minio client with Amazon S3 signature version
 // '2' compatibility.
 func NewV2(endpoint string, accessKeyID, secretAccessKey string, secure bool) (*Client, error) {
-	clnt, err := privateNew(endpoint, accessKeyID, secretAccessKey, secure)
+	creds := credentials.NewStaticV2(accessKeyID, secretAccessKey, "")
+	clnt, err := privateNew(endpoint, creds, secure, "")
 	if err != nil {
 		return nil, err
 	}
-
-	// Set to use signature version '2'.
-	clnt.signature = SignatureV2
+	clnt.overrideSignerType = credentials.SignatureV2
 	return clnt, nil
 }
 
 // NewV4 - instantiate minio client with Amazon S3 signature version
 // '4' compatibility.
 func NewV4(endpoint string, accessKeyID, secretAccessKey string, secure bool) (*Client, error) {
-	clnt, err := privateNew(endpoint, accessKeyID, secretAccessKey, secure)
+	creds := credentials.NewStaticV4(accessKeyID, secretAccessKey, "")
+	clnt, err := privateNew(endpoint, creds, secure, "")
 	if err != nil {
 		return nil, err
 	}
-
-	// Set to use signature version '4'.
-	clnt.signature = SignatureV4
+	clnt.overrideSignerType = credentials.SignatureV4
 	return clnt, nil
 }
 
-// New - instantiate minio client Client, adds automatic verification of signature.
+// New - instantiate minio client, adds automatic verification of signature.
 func New(endpoint, accessKeyID, secretAccessKey string, secure bool) (*Client, error) {
-	return NewWithRegion(endpoint, accessKeyID, secretAccessKey, secure, "")
-}
-
-// NewWithRegion - instantiate minio client, with region configured. Unlike New(),
-// NewWithRegion avoids bucket-location lookup operations and it is slightly faster.
-// Use this function when if your application deals with single region.
-func NewWithRegion(endpoint, accessKeyID, secretAccessKey string, secure bool, region string) (*Client, error) {
-	clnt, err := privateNew(endpoint, accessKeyID, secretAccessKey, secure)
+	creds := credentials.NewStaticV4(accessKeyID, secretAccessKey, "")
+	clnt, err := privateNew(endpoint, creds, secure, "")
 	if err != nil {
 		return nil, err
 	}
-
 	// Google cloud storage should be set to signature V2, force it if not.
 	if s3utils.IsGoogleEndpoint(clnt.endpointURL) {
-		clnt.signature = SignatureV2
+		clnt.overrideSignerType = credentials.SignatureV2
 	}
-
-	// If Amazon S3 set to signature v2.n
+	// If Amazon S3 set to signature v4.
 	if s3utils.IsAmazonEndpoint(clnt.endpointURL) {
-		clnt.signature = SignatureV4
+		clnt.overrideSignerType = credentials.SignatureV4
 	}
+	return clnt, nil
+}
 
-	// Sets custom region, if region is empty bucket location cache is used automatically.
-	clnt.region = region
+// NewWithCredentials - instantiate minio client with credentials provider
+// for retrieving credentials from various credentials provider such as
+// IAM, File, Env etc.
+func NewWithCredentials(endpoint string, creds *credentials.Credentials, secure bool, region string) (*Client, error) {
+	return privateNew(endpoint, creds, secure, region)
+}
 
-	// Success..
-	return clnt, nil
+// NewWithRegion - instantiate minio client, with region configured. Unlike New(),
+// NewWithRegion avoids bucket-location lookup operations and it is slightly faster.
+// Use this function when if your application deals with single region.
+func NewWithRegion(endpoint, accessKeyID, secretAccessKey string, secure bool, region string) (*Client, error) {
+	creds := credentials.NewStaticV4(accessKeyID, secretAccessKey, "")
+	return privateNew(endpoint, creds, secure, region)
 }
 
 // lockedRandSource provides protected rand source, implements rand.Source interface.
@@ -188,7 +190,7 @@ func redirectHeaders(req *http.Request, via []*http.Request) error {
 	return nil
 }
 
-func privateNew(endpoint, accessKeyID, secretAccessKey string, secure bool) (*Client, error) {
+func privateNew(endpoint string, creds *credentials.Credentials, secure bool, region string) (*Client, error) {
 	// construct endpoint.
 	endpointURL, err := getEndpointURL(endpoint, secure)
 	if err != nil {
@@ -197,8 +199,9 @@ func privateNew(endpoint, accessKeyID, secretAccessKey string, secure bool) (*Cl
 
 	// instantiate new Client.
 	clnt := new(Client)
-	clnt.accessKeyID = accessKeyID
-	clnt.secretAccessKey = secretAccessKey
+
+	// Save the credentials.
+	clnt.credsProvider = creds
 
 	// Remember whether we are using https or not
 	clnt.secure = secure
@@ -212,7 +215,10 @@ func privateNew(endpoint, accessKeyID, secretAccessKey string, secure bool) (*Cl
 		CheckRedirect: redirectHeaders,
 	}
 
-	// Instantiae bucket location cache.
+	// Sets custom region, if region is empty bucket location cache is used automatically.
+	clnt.region = region
+
+	// Instantiate bucket location cache.
 	clnt.bucketLocCache = newBucketLocationCache()
 
 	// Introduce a new locked random seed.
@@ -286,6 +292,29 @@ func (c *Client) SetS3TransferAccelerate(accelerateEndpoint string) {
 	}
 }
 
+// Hash materials provides relevant initialized hash algo writers
+// based on the expected signature type.
+//
+//  - For signature v4 request if the connection is insecure compute only sha256.
+//  - For signature v4 request if the connection is secure compute only md5.
+//  - For anonymous request compute md5.
+func (c *Client) hashMaterials() (hashAlgos map[string]hash.Hash, hashSums map[string][]byte) {
+	hashSums = make(map[string][]byte)
+	hashAlgos = make(map[string]hash.Hash)
+	if c.overrideSignerType.IsV4() {
+		if c.secure {
+			hashAlgos["md5"] = md5.New()
+		} else {
+			hashAlgos["sha256"] = sha256.New()
+		}
+	} else {
+		if c.overrideSignerType.IsAnonymous() {
+			hashAlgos["md5"] = md5.New()
+		}
+	}
+	return hashAlgos, hashSums
+}
+
 // requestMetadata - is container for all the values to make a request.
 type requestMetadata struct {
 	// If set newRequest presigns the URL.
@@ -306,40 +335,6 @@ type requestMetadata struct {
 	contentMD5Bytes    []byte
 }
 
-// regCred matches credential string in HTTP header
-var regCred = regexp.MustCompile("Credential=([A-Z0-9]+)/")
-
-// regCred matches signature string in HTTP header
-var regSign = regexp.MustCompile("Signature=([[0-9a-f]+)")
-
-// Filter out signature value from Authorization header.
-func (c Client) filterSignature(req *http.Request) {
-	if _, ok := req.Header["Authorization"]; !ok {
-		return
-	}
-	// Handle if Signature V2.
-	if c.signature.isV2() {
-		// Set a temporary redacted auth
-		req.Header.Set("Authorization", "AWS **REDACTED**:**REDACTED**")
-		return
-	}
-
-	/// Signature V4 authorization header.
-
-	// Save the original auth.
-	origAuth := req.Header.Get("Authorization")
-	// Strip out accessKeyID from:
-	// Credential=<access-key-id>/<date>/<aws-region>/<aws-service>/aws4_request
-	newAuth := regCred.ReplaceAllString(origAuth, "Credential=**REDACTED**/")
-
-	// Strip out 256-bit signature from: Signature=<256-bit signature>
-	newAuth = regSign.ReplaceAllString(newAuth, "Signature=**REDACTED**")
-
-	// Set a temporary redacted auth
-	req.Header.Set("Authorization", newAuth)
-	return
-}
-
 // dumpHTTP - dump HTTP request and response.
 func (c Client) dumpHTTP(req *http.Request, resp *http.Response) error {
 	// Starts http dump.
@@ -349,7 +344,10 @@ func (c Client) dumpHTTP(req *http.Request, resp *http.Response) error {
 	}
 
 	// Filter out Signature field from Authorization header.
-	c.filterSignature(req)
+	origAuth := req.Header.Get("Authorization")
+	if origAuth != "" {
+		req.Header.Set("Authorization", redactSignature(origAuth))
+	}
 
 	// Only display request header.
 	reqTrace, err := httputil.DumpRequestOut(req, false)
@@ -478,6 +476,13 @@ func (c Client) executeMethod(method string, metadata requestMetadata) (res *htt
 		case os.Stdin, os.Stdout, os.Stderr:
 			isRetryable = false
 		}
+		// Figure out if the body can be closed - if yes
+		// we will definitely close it upon the function
+		// return.
+		bodyCloser, ok := metadata.contentBody.(io.Closer)
+		if ok {
+			defer bodyCloser.Close()
+		}
 	}
 
 	// Create a done channel to control 'newRetryTimer' go routine.
@@ -553,9 +558,14 @@ func (c Client) executeMethod(method string, metadata requestMetadata) (res *htt
 		// Bucket region if set in error response and the error
 		// code dictates invalid region, we can retry the request
 		// with the new region.
-		if errResponse.Code == "InvalidRegion" && errResponse.Region != "" {
-			c.bucketLocCache.Set(metadata.bucketName, errResponse.Region)
-			continue // Retry.
+		//
+		// Additionally we should only retry if bucketLocation and custom
+		// region is empty.
+		if metadata.bucketLocation == "" && c.region == "" {
+			if res.StatusCode == http.StatusBadRequest && errResponse.Region != "" {
+				c.bucketLocCache.Set(metadata.bucketName, errResponse.Region)
+				continue // Retry.
+			}
 		}
 
 		// Verify if error response code is retryable.
@@ -581,53 +591,72 @@ func (c Client) newRequest(method string, metadata requestMetadata) (req *http.R
 		method = "POST"
 	}
 
-	// Default all requests to "us-east-1" or "cn-north-1" (china region)
-	location := "us-east-1"
-	if s3utils.IsAmazonChinaEndpoint(c.endpointURL) {
-		// For china specifically we need to set everything to
-		// cn-north-1 for now, there is no easier way until AWS S3
-		// provides a cleaner compatible API across "us-east-1" and
-		// China region.
-		location = "cn-north-1"
-	}
-
-	// Gather location only if bucketName is present.
-	if metadata.bucketName != "" {
-		location, err = c.getBucketLocation(metadata.bucketName)
-		if err != nil {
-			return nil, err
+	location := metadata.bucketLocation
+	if location == "" {
+		if metadata.bucketName != "" {
+			// Gather location only if bucketName is present.
+			location, err = c.getBucketLocation(metadata.bucketName)
+			if err != nil {
+				if ToErrorResponse(err).Code != "AccessDenied" {
+					return nil, err
+				}
+			}
+			// Upon AccessDenied error on fetching bucket location, default
+			// to possible locations based on endpoint URL. This can usually
+			// happen when GetBucketLocation() is disabled using IAM policies.
+		}
+		if location == "" {
+			location = getDefaultLocation(c.endpointURL, c.region)
 		}
 	}
 
-	// Save location.
-	metadata.bucketLocation = location
-
 	// Construct a new target URL.
-	targetURL, err := c.makeTargetURL(metadata.bucketName, metadata.objectName, metadata.bucketLocation, metadata.queryValues)
+	targetURL, err := c.makeTargetURL(metadata.bucketName, metadata.objectName, location, metadata.queryValues)
 	if err != nil {
 		return nil, err
 	}
 
 	// Initialize a new HTTP request for the method.
-	req, err = http.NewRequest(method, targetURL.String(), metadata.contentBody)
+	req, err = http.NewRequest(method, targetURL.String(), nil)
 	if err != nil {
 		return nil, err
 	}
 
-	// Anonymous request.
-	anonymous := c.accessKeyID == "" || c.secretAccessKey == ""
+	// Get credentials from the configured credentials provider.
+	value, err := c.credsProvider.Get()
+	if err != nil {
+		return nil, err
+	}
+
+	var (
+		signerType      = value.SignerType
+		accessKeyID     = value.AccessKeyID
+		secretAccessKey = value.SecretAccessKey
+		sessionToken    = value.SessionToken
+	)
+
+	// Custom signer set then override the behavior.
+	if c.overrideSignerType != credentials.SignatureDefault {
+		signerType = c.overrideSignerType
+	}
+
+	// If signerType returned by credentials helper is anonymous,
+	// then do not sign regardless of signerType override.
+	if value.SignerType == credentials.SignatureAnonymous {
+		signerType = credentials.SignatureAnonymous
+	}
 
 	// Generate presign url if needed, return right here.
 	if metadata.expires != 0 && metadata.presignURL {
-		if anonymous {
-			return nil, ErrInvalidArgument("Requests cannot be presigned with anonymous credentials.")
+		if signerType.IsAnonymous() {
+			return nil, ErrInvalidArgument("Presigned URLs cannot be generated with anonymous credentials.")
 		}
-		if c.signature.isV2() {
+		if signerType.IsV2() {
 			// Presign URL with signature v2.
-			req = s3signer.PreSignV2(*req, c.accessKeyID, c.secretAccessKey, metadata.expires)
-		} else if c.signature.isV4() {
+			req = s3signer.PreSignV2(*req, accessKeyID, secretAccessKey, metadata.expires)
+		} else if signerType.IsV4() {
 			// Presign URL with signature v4.
-			req = s3signer.PreSignV4(*req, c.accessKeyID, c.secretAccessKey, location, metadata.expires)
+			req = s3signer.PreSignV4(*req, accessKeyID, secretAccessKey, sessionToken, location, metadata.expires)
 		}
 		return req, nil
 	}
@@ -640,9 +669,21 @@ func (c Client) newRequest(method string, metadata requestMetadata) (req *http.R
 		req.Header.Set(k, v[0])
 	}
 
-	// set incoming content-length.
-	if metadata.contentLength > 0 {
-		req.ContentLength = metadata.contentLength
+	// Go net/http notoriously closes the request body.
+	// - The request Body, if non-nil, will be closed by the underlying Transport, even on errors.
+	// This can cause underlying *os.File seekers to fail, avoid that
+	// by making sure to wrap the closer as a nop.
+	if metadata.contentLength == 0 {
+		req.Body = nil
+	} else {
+		req.Body = ioutil.NopCloser(metadata.contentBody)
+	}
+
+	// Set incoming content-length.
+	req.ContentLength = metadata.contentLength
+	if req.ContentLength <= -1 {
+		// For unknown content length, we upload using transfer-encoding: chunked.
+		req.TransferEncoding = []string{"chunked"}
 	}
 
 	// set md5Sum for content protection.
@@ -650,17 +691,18 @@ func (c Client) newRequest(method string, metadata requestMetadata) (req *http.R
 		req.Header.Set("Content-Md5", base64.StdEncoding.EncodeToString(metadata.contentMD5Bytes))
 	}
 
-	if anonymous {
+	// For anonymous requests just return.
+	if signerType.IsAnonymous() {
 		return req, nil
-	} // Sign the request for all authenticated requests.
+	}
 
 	switch {
-	case c.signature.isV2():
+	case signerType.IsV2():
 		// Add signature version '2' authorization header.
-		req = s3signer.SignV2(*req, c.accessKeyID, c.secretAccessKey)
-	case c.signature.isStreamingV4() && method == "PUT":
-		req = s3signer.StreamingSignV4(req, c.accessKeyID,
-			c.secretAccessKey, location, metadata.contentLength, time.Now().UTC())
+		req = s3signer.SignV2(*req, accessKeyID, secretAccessKey)
+	case signerType.IsStreamingV4() && method == "PUT":
+		req = s3signer.StreamingSignV4(req, accessKeyID,
+			secretAccessKey, sessionToken, location, metadata.contentLength, time.Now().UTC())
 	default:
 		// Set sha256 sum for signature calculation only with signature version '4'.
 		shaHeader := unsignedPayload
@@ -670,7 +712,7 @@ func (c Client) newRequest(method string, metadata requestMetadata) (req *http.R
 		req.Header.Set("X-Amz-Content-Sha256", shaHeader)
 
 		// Add signature version '4' authorization header.
-		req = s3signer.SignV4(*req, c.accessKeyID, c.secretAccessKey, location)
+		req = s3signer.SignV4(*req, accessKeyID, secretAccessKey, sessionToken, location)
 	}
 
 	// Return request.
@@ -701,14 +743,26 @@ func (c Client) makeTargetURL(bucketName, objectName, bucketLocation string, que
 			// http://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html
 			host = c.s3AccelerateEndpoint
 		} else {
-			// Fetch new host based on the bucket location.
-			host = getS3Endpoint(bucketLocation)
+			// Do not change the host if the endpoint URL is a FIPS S3 endpoint.
+			if !s3utils.IsAmazonFIPSGovCloudEndpoint(c.endpointURL) {
+				// Fetch new host based on the bucket location.
+				host = getS3Endpoint(bucketLocation)
+			}
 		}
 	}
 
 	// Save scheme.
 	scheme := c.endpointURL.Scheme
 
+	// Strip port 80 and 443 so we won't send these ports in Host header.
+	// The reason is that browsers and curl automatically remove :80 and :443
+	// with the generated presigned urls, then a signature mismatch error.
+	if h, p, err := net.SplitHostPort(host); err == nil {
+		if scheme == "http" && p == "80" || scheme == "https" && p == "443" {
+			host = h
+		}
+	}
+
 	urlStr := scheme + "://" + host + "/"
 	// Make URL only if bucketName is available, otherwise use the
 	// endpoint URL.
@@ -732,13 +786,16 @@ func (c Client) makeTargetURL(bucketName, objectName, bucketLocation string, que
 			}
 		}
 	}
+
 	// If there are any query values, add them to the end.
 	if len(queryValues) > 0 {
 		urlStr = urlStr + "?" + s3utils.QueryEncode(queryValues)
 	}
+
 	u, err := url.Parse(urlStr)
 	if err != nil {
 		return nil, err
 	}
+
 	return u, nil
 }
diff --git a/vendor/github.com/minio/minio-go/api_functional_v2_test.go b/vendor/github.com/minio/minio-go/api_functional_v2_test.go
index 7e5933778..e81596ecf 100644
--- a/vendor/github.com/minio/minio-go/api_functional_v2_test.go
+++ b/vendor/github.com/minio/minio-go/api_functional_v2_test.go
@@ -21,10 +21,13 @@ import (
 	"errors"
 	"io"
 	"io/ioutil"
+	"log"
 	"math/rand"
 	"net/http"
 	"net/url"
 	"os"
+	"reflect"
+	"strings"
 	"testing"
 	"time"
 
@@ -36,7 +39,7 @@ func TestMakeBucketErrorV2(t *testing.T) {
 	if testing.Short() {
 		t.Skip("skipping functional tests for short runs")
 	}
-	if os.Getenv("S3_ADDRESS") != "s3.amazonaws.com" {
+	if os.Getenv(serverEndpoint) != "s3.amazonaws.com" {
 		t.Skip("skipping region functional tests for non s3 runs")
 	}
 
@@ -45,10 +48,10 @@ func TestMakeBucketErrorV2(t *testing.T) {
 
 	// Instantiate new minio client object.
 	c, err := NewV2(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
 	)
 	if err != nil {
 		t.Fatal("Error:", err)
@@ -91,10 +94,10 @@ func TestGetObjectClosedTwiceV2(t *testing.T) {
 
 	// Instantiate new minio client object.
 	c, err := NewV2(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
 	)
 	if err != nil {
 		t.Fatal("Error:", err)
@@ -171,10 +174,10 @@ func TestRemovePartiallyUploadedV2(t *testing.T) {
 
 	// Instantiate new minio client object.
 	c, err := NewV2(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
 	)
 	if err != nil {
 		t.Fatal("Error:", err)
@@ -229,119 +232,6 @@ func TestRemovePartiallyUploadedV2(t *testing.T) {
 	}
 }
 
-// Tests resumable put object cloud to cloud.
-func TestResumablePutObjectV2(t *testing.T) {
-	// By passing 'go test -short' skips these tests.
-	if testing.Short() {
-		t.Skip("skipping functional tests for the short runs")
-	}
-
-	// Seed random based on current time.
-	rand.Seed(time.Now().Unix())
-
-	// Instantiate new minio client object.
-	c, err := NewV2(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
-	)
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-
-	// Set user agent.
-	c.SetAppInfo("Minio-go-FunctionalTest", "0.1.0")
-
-	// Enable tracing, write to stdout.
-	// c.TraceOn(os.Stderr)
-
-	// Generate a new random bucket name.
-	bucketName := randString(60, rand.NewSource(time.Now().UnixNano()), "minio-go-test")
-
-	// Make a new bucket.
-	err = c.MakeBucket(bucketName, "us-east-1")
-	if err != nil {
-		t.Fatal("Error:", err, bucketName)
-	}
-
-	// Create a temporary file.
-	file, err := ioutil.TempFile(os.TempDir(), "resumable")
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-
-	r := bytes.NewReader(bytes.Repeat([]byte("b"), 11*1024*1024))
-	// Copy 11MiB worth of random data.
-	n, err := io.CopyN(file, r, 11*1024*1024)
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-	if n != int64(11*1024*1024) {
-		t.Fatalf("Error: number of bytes does not match, want %v, got %v\n", 11*1024*1024, n)
-	}
-
-	// Close the file pro-actively for windows.
-	if err = file.Close(); err != nil {
-		t.Fatal("Error:", err)
-	}
-
-	// New object name.
-	objectName := bucketName + "-resumable"
-
-	// Upload the file.
-	n, err = c.FPutObject(bucketName, objectName, file.Name(), "application/octet-stream")
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-	if n != int64(11*1024*1024) {
-		t.Fatalf("Error: number of bytes does not match, want %v, got %v\n", 11*1024*1024, n)
-	}
-
-	// Get the uploaded object.
-	reader, err := c.GetObject(bucketName, objectName)
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-
-	// Upload now cloud to cloud.
-	n, err = c.PutObject(bucketName, objectName+"-put", reader, "application/octest-stream")
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-
-	// Get object info.
-	objInfo, err := reader.Stat()
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-	if n != objInfo.Size {
-		t.Fatalf("Error: number of bytes does not match, want %v, got %v\n", objInfo.Size, n)
-	}
-
-	// Remove all temp files, objects and bucket.
-	err = c.RemoveObject(bucketName, objectName)
-	if err != nil {
-		t.Fatal("Error: ", err)
-	}
-
-	err = c.RemoveObject(bucketName, objectName+"-put")
-	if err != nil {
-		t.Fatal("Error: ", err)
-	}
-
-	err = c.RemoveBucket(bucketName)
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-
-	err = os.Remove(file.Name())
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-
-}
-
 // Tests FPutObject hidden contentType setting
 func TestFPutObjectV2(t *testing.T) {
 	if testing.Short() {
@@ -353,10 +243,10 @@ func TestFPutObjectV2(t *testing.T) {
 
 	// Instantiate new minio client object.
 	c, err := NewV2(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
 	)
 	if err != nil {
 		t.Fatal("Error:", err)
@@ -491,90 +381,12 @@ func TestFPutObjectV2(t *testing.T) {
 
 }
 
-// Tests resumable file based put object multipart upload.
-func TestResumableFPutObjectV2(t *testing.T) {
-	if testing.Short() {
-		t.Skip("skipping functional tests for the short runs")
-	}
-
-	// Seed random based on current time.
-	rand.Seed(time.Now().Unix())
-
-	// Instantiate new minio client object.
-	c, err := NewV2(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
-	)
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-
-	// Set user agent.
-	c.SetAppInfo("Minio-go-FunctionalTest", "0.1.0")
-
-	// Enable tracing, write to stdout.
-	// c.TraceOn(os.Stderr)
-
-	// Generate a new random bucket name.
-	bucketName := randString(60, rand.NewSource(time.Now().UnixNano()), "minio-go-test")
-
-	// make a new bucket.
-	err = c.MakeBucket(bucketName, "us-east-1")
-	if err != nil {
-		t.Fatal("Error:", err, bucketName)
-	}
-
-	file, err := ioutil.TempFile(os.TempDir(), "resumable")
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-
-	r := bytes.NewReader(bytes.Repeat([]byte("b"), 11*1024*1024))
-	n, err := io.CopyN(file, r, 11*1024*1024)
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-	if n != int64(11*1024*1024) {
-		t.Fatalf("Error: number of bytes does not match, want %v, got %v\n", 11*1024*1024, n)
-	}
-
-	objectName := bucketName + "-resumable"
-
-	n, err = c.FPutObject(bucketName, objectName, file.Name(), "application/octet-stream")
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-	if n != int64(11*1024*1024) {
-		t.Fatalf("Error: number of bytes does not match, want %v, got %v\n", 11*1024*1024, n)
-	}
-
-	// Close the file pro-actively for windows.
-	file.Close()
-
-	err = c.RemoveObject(bucketName, objectName)
-	if err != nil {
-		t.Fatal("Error: ", err)
-	}
-
-	err = c.RemoveBucket(bucketName)
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-
-	err = os.Remove(file.Name())
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-}
-
 // Tests various bucket supported formats.
 func TestMakeBucketRegionsV2(t *testing.T) {
 	if testing.Short() {
 		t.Skip("skipping functional tests for short runs")
 	}
-	if os.Getenv("S3_ADDRESS") != "s3.amazonaws.com" {
+	if os.Getenv(serverEndpoint) != "s3.amazonaws.com" {
 		t.Skip("skipping region functional tests for non s3 runs")
 	}
 
@@ -583,10 +395,10 @@ func TestMakeBucketRegionsV2(t *testing.T) {
 
 	// Instantiate new minio client object.
 	c, err := NewV2(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
 	)
 	if err != nil {
 		t.Fatal("Error:", err)
@@ -634,10 +446,10 @@ func TestGetObjectReadSeekFunctionalV2(t *testing.T) {
 
 	// Instantiate new minio client object.
 	c, err := NewV2(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
 	)
 	if err != nil {
 		t.Fatal("Error:", err)
@@ -767,10 +579,10 @@ func TestGetObjectReadAtFunctionalV2(t *testing.T) {
 
 	// Instantiate new minio client object.
 	c, err := NewV2(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
 	)
 	if err != nil {
 		t.Fatal("Error:", err)
@@ -903,10 +715,10 @@ func TestCopyObjectV2(t *testing.T) {
 
 	// Instantiate new minio client object
 	c, err := NewV2(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
 	)
 	if err != nil {
 		t.Fatal("Error:", err)
@@ -948,18 +760,19 @@ func TestCopyObjectV2(t *testing.T) {
 			len(buf), n)
 	}
 
-	// Set copy conditions.
-	copyConds := CopyConditions{}
-	err = copyConds.SetModified(time.Date(2014, time.April, 0, 0, 0, 0, 0, time.UTC))
+	dst, err := NewDestinationInfo(bucketName+"-copy", objectName+"-copy", nil, nil)
 	if err != nil {
-		t.Fatal("Error:", err)
+		t.Fatal(err)
 	}
 
-	// Copy source.
-	copySource := bucketName + "/" + objectName
+	src := NewSourceInfo(bucketName, objectName, nil)
+	err = src.SetModifiedSinceCond(time.Date(2014, time.April, 0, 0, 0, 0, 0, time.UTC))
+	if err != nil {
+		t.Fatal("Error:", err)
+	}
 
 	// Perform the Copy
-	err = c.CopyObject(bucketName+"-copy", objectName+"-copy", copySource, copyConds)
+	err = c.CopyObject(dst, src)
 	if err != nil {
 		t.Fatal("Error:", err, bucketName+"-copy", objectName+"-copy")
 	}
@@ -1020,10 +833,10 @@ func TestFunctionalV2(t *testing.T) {
 	rand.Seed(time.Now().Unix())
 
 	c, err := NewV2(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
 	)
 	if err != nil {
 		t.Fatal("Error:", err)
@@ -1297,3 +1110,361 @@ func TestFunctionalV2(t *testing.T) {
 		t.Fatal("Error: ", err)
 	}
 }
+
+func testComposeObjectErrorCases(c *Client, t *testing.T) {
+	// Generate a new random bucket name.
+	bucketName := randString(60, rand.NewSource(time.Now().UnixNano()), "minio-go-test")
+
+	// Make a new bucket in 'us-east-1' (source bucket).
+	err := c.MakeBucket(bucketName, "us-east-1")
+	if err != nil {
+		t.Fatal("Error:", err, bucketName)
+	}
+
+	// Test that more than 10K source objects cannot be
+	// concatenated.
+	srcArr := [10001]SourceInfo{}
+	srcSlice := srcArr[:]
+	dst, err := NewDestinationInfo(bucketName, "object", nil, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err := c.ComposeObject(dst, srcSlice); err == nil {
+		t.Fatal("Error was expected.")
+	} else if err.Error() != "There must be as least one and upto 10000 source objects." {
+		t.Fatal("Got unexpected error: ", err)
+	}
+
+	// Create a source with invalid offset spec and check that
+	// error is returned:
+	// 1. Create the source object.
+	const badSrcSize = 5 * 1024 * 1024
+	buf := bytes.Repeat([]byte("1"), badSrcSize)
+	_, err = c.PutObject(bucketName, "badObject", bytes.NewReader(buf), "")
+	if err != nil {
+		t.Fatal("Error:", err)
+	}
+	// 2. Set invalid range spec on the object (going beyond
+	// object size)
+	badSrc := NewSourceInfo(bucketName, "badObject", nil)
+	err = badSrc.SetRange(1, badSrcSize)
+	if err != nil {
+		t.Fatal("Error:", err)
+	}
+	// 3. ComposeObject call should fail.
+	if err := c.ComposeObject(dst, []SourceInfo{badSrc}); err == nil {
+		t.Fatal("Error was expected.")
+	} else if !strings.Contains(err.Error(), "has invalid segment-to-copy") {
+		t.Fatal("Got unexpected error: ", err)
+	}
+}
+
+// Test expected error cases
+func TestComposeObjectErrorCasesV2(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping functional tests for the short runs")
+	}
+
+	// Instantiate new minio client object
+	c, err := NewV2(
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
+	)
+	if err != nil {
+		t.Fatal("Error:", err)
+	}
+
+	testComposeObjectErrorCases(c, t)
+}
+
+func testComposeMultipleSources(c *Client, t *testing.T) {
+	// Generate a new random bucket name.
+	bucketName := randString(60, rand.NewSource(time.Now().UnixNano()), "minio-go-test")
+	// Make a new bucket in 'us-east-1' (source bucket).
+	err := c.MakeBucket(bucketName, "us-east-1")
+	if err != nil {
+		t.Fatal("Error:", err, bucketName)
+	}
+
+	// Upload a small source object
+	const srcSize = 1024 * 1024 * 5
+	buf := bytes.Repeat([]byte("1"), srcSize)
+	_, err = c.PutObject(bucketName, "srcObject", bytes.NewReader(buf), "binary/octet-stream")
+	if err != nil {
+		t.Fatal("Error:", err)
+	}
+
+	// We will append 10 copies of the object.
+	srcs := []SourceInfo{}
+	for i := 0; i < 10; i++ {
+		srcs = append(srcs, NewSourceInfo(bucketName, "srcObject", nil))
+	}
+	// make the last part very small
+	err = srcs[9].SetRange(0, 0)
+	if err != nil {
+		t.Fatal("unexpected error:", err)
+	}
+
+	dst, err := NewDestinationInfo(bucketName, "dstObject", nil, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = c.ComposeObject(dst, srcs)
+	if err != nil {
+		t.Fatal("Error:", err)
+	}
+
+	objProps, err := c.StatObject(bucketName, "dstObject")
+	if err != nil {
+		t.Fatal("Error:", err)
+	}
+
+	if objProps.Size != 9*srcSize+1 {
+		t.Fatal("Size mismatched! Expected:", 10000*srcSize, "but got:", objProps.Size)
+	}
+}
+
+// Test concatenating multiple objects objects
+func TestCompose10KSourcesV2(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping functional tests for the short runs")
+	}
+
+	// Instantiate new minio client object
+	c, err := NewV2(
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
+	)
+	if err != nil {
+		t.Fatal("Error:", err)
+	}
+
+	testComposeMultipleSources(c, t)
+}
+
+func testEncryptedCopyObject(c *Client, t *testing.T) {
+	// Generate a new random bucket name.
+	bucketName := randString(60, rand.NewSource(time.Now().UnixNano()), "minio-go-test")
+	// Make a new bucket in 'us-east-1' (source bucket).
+	err := c.MakeBucket(bucketName, "us-east-1")
+	if err != nil {
+		t.Fatal("Error:", err, bucketName)
+	}
+
+	key1 := NewSSEInfo([]byte("32byteslongsecretkeymustbegiven1"), "AES256")
+	key2 := NewSSEInfo([]byte("32byteslongsecretkeymustbegiven2"), "AES256")
+
+	// 1. create an sse-c encrypted object to copy by uploading
+	const srcSize = 1024 * 1024
+	buf := bytes.Repeat([]byte("abcde"), srcSize) // gives a buffer of 5MiB
+	metadata := make(map[string][]string)
+	for k, v := range key1.GetSSEHeaders() {
+		metadata[k] = append(metadata[k], v)
+	}
+	_, err = c.PutObjectWithSize(bucketName, "srcObject", bytes.NewReader(buf), int64(len(buf)), metadata, nil)
+	if err != nil {
+		t.Fatal("PutObjectWithSize Error:", err)
+	}
+
+	// 2. copy object and change encryption key
+	src := NewSourceInfo(bucketName, "srcObject", &key1)
+	dst, err := NewDestinationInfo(bucketName, "dstObject", &key2, nil)
+	if err != nil {
+		t.Fatal("Error:", err)
+	}
+
+	err = c.CopyObject(dst, src)
+	if err != nil {
+		t.Fatal("CopyObject Error:", err)
+	}
+
+	// 3. get copied object and check if content is equal
+	reqH := NewGetReqHeaders()
+	for k, v := range key2.GetSSEHeaders() {
+		reqH.Set(k, v)
+	}
+	coreClient := Core{c}
+	reader, _, err := coreClient.GetObject(bucketName, "dstObject", reqH)
+	if err != nil {
+		t.Fatal("GetObject Error:", err)
+	}
+	defer reader.Close()
+
+	decBytes, err := ioutil.ReadAll(reader)
+	if err != nil {
+		log.Fatalln(err)
+	}
+	if !bytes.Equal(decBytes, buf) {
+		log.Fatal("downloaded object mismatched for encrypted object")
+	}
+}
+
+// Test encrypted copy object
+func TestEncryptedCopyObjectV2(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping functional tests for the short runs")
+	}
+
+	// Instantiate new minio client object
+	c, err := NewV2(
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
+	)
+	if err != nil {
+		t.Fatal("Error:", err)
+	}
+
+	testEncryptedCopyObject(c, t)
+}
+
+func testUserMetadataCopying(c *Client, t *testing.T) {
+	// Generate a new random bucket name.
+	bucketName := randString(60, rand.NewSource(time.Now().UnixNano()), "minio-go-test")
+	// Make a new bucket in 'us-east-1' (source bucket).
+	err := c.MakeBucket(bucketName, "us-east-1")
+	if err != nil {
+		t.Fatal("Error:", err, bucketName)
+	}
+
+	fetchMeta := func(object string) (h http.Header) {
+		objInfo, err := c.StatObject(bucketName, object)
+		if err != nil {
+			t.Fatal("Metadata fetch error:", err)
+		}
+		h = make(http.Header)
+		for k, vs := range objInfo.Metadata {
+			if strings.HasPrefix(strings.ToLower(k), "x-amz-meta-") {
+				for _, v := range vs {
+					h.Add(k, v)
+				}
+			}
+		}
+		return h
+	}
+
+	// 1. create a client encrypted object to copy by uploading
+	const srcSize = 1024 * 1024
+	buf := bytes.Repeat([]byte("abcde"), srcSize) // gives a buffer of 5MiB
+	metadata := make(http.Header)
+	metadata.Set("x-amz-meta-myheader", "myvalue")
+	_, err = c.PutObjectWithMetadata(bucketName, "srcObject",
+		bytes.NewReader(buf), metadata, nil)
+	if err != nil {
+		t.Fatal("Put Error:", err)
+	}
+	if !reflect.DeepEqual(metadata, fetchMeta("srcObject")) {
+		t.Fatal("Unequal metadata")
+	}
+
+	// 2. create source
+	src := NewSourceInfo(bucketName, "srcObject", nil)
+	// 2.1 create destination with metadata set
+	dst1, err := NewDestinationInfo(bucketName, "dstObject-1", nil, map[string]string{"notmyheader": "notmyvalue"})
+	if err != nil {
+		t.Fatal("Error:", err)
+	}
+
+	// 3. Check that copying to an object with metadata set resets
+	// the headers on the copy.
+	err = c.CopyObject(dst1, src)
+	if err != nil {
+		t.Fatal("Error:", err)
+	}
+
+	expectedHeaders := make(http.Header)
+	expectedHeaders.Set("x-amz-meta-notmyheader", "notmyvalue")
+	if !reflect.DeepEqual(expectedHeaders, fetchMeta("dstObject-1")) {
+		t.Fatal("Unequal metadata")
+	}
+
+	// 4. create destination with no metadata set and same source
+	dst2, err := NewDestinationInfo(bucketName, "dstObject-2", nil, nil)
+	if err != nil {
+		t.Fatal("Error:", err)
+
+	}
+	src = NewSourceInfo(bucketName, "srcObject", nil)
+
+	// 5. Check that copying to an object with no metadata set,
+	// copies metadata.
+	err = c.CopyObject(dst2, src)
+	if err != nil {
+		t.Fatal("Error:", err)
+	}
+
+	expectedHeaders = metadata
+	if !reflect.DeepEqual(expectedHeaders, fetchMeta("dstObject-2")) {
+		t.Fatal("Unequal metadata")
+	}
+
+	// 6. Compose a pair of sources.
+	srcs := []SourceInfo{
+		NewSourceInfo(bucketName, "srcObject", nil),
+		NewSourceInfo(bucketName, "srcObject", nil),
+	}
+	dst3, err := NewDestinationInfo(bucketName, "dstObject-3", nil, nil)
+	if err != nil {
+		t.Fatal("Error:", err)
+
+	}
+
+	err = c.ComposeObject(dst3, srcs)
+	if err != nil {
+		t.Fatal("Error:", err)
+	}
+
+	// Check that no headers are copied in this case
+	if !reflect.DeepEqual(make(http.Header), fetchMeta("dstObject-3")) {
+		t.Fatal("Unequal metadata")
+	}
+
+	// 7. Compose a pair of sources with dest user metadata set.
+	srcs = []SourceInfo{
+		NewSourceInfo(bucketName, "srcObject", nil),
+		NewSourceInfo(bucketName, "srcObject", nil),
+	}
+	dst4, err := NewDestinationInfo(bucketName, "dstObject-4", nil, map[string]string{"notmyheader": "notmyvalue"})
+	if err != nil {
+		t.Fatal("Error:", err)
+
+	}
+
+	err = c.ComposeObject(dst4, srcs)
+	if err != nil {
+		t.Fatal("Error:", err)
+	}
+
+	// Check that no headers are copied in this case
+	expectedHeaders = make(http.Header)
+	expectedHeaders.Set("x-amz-meta-notmyheader", "notmyvalue")
+	if !reflect.DeepEqual(expectedHeaders, fetchMeta("dstObject-4")) {
+		t.Fatal("Unequal metadata")
+	}
+}
+
+func TestUserMetadataCopyingV2(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping functional tests for the short runs")
+	}
+
+	// Instantiate new minio client object
+	c, err := NewV2(
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
+	)
+	if err != nil {
+		t.Fatal("Error:", err)
+	}
+
+	// c.TraceOn(os.Stderr)
+	testUserMetadataCopying(c, t)
+}
diff --git a/vendor/github.com/minio/minio-go/api_functional_v4_test.go b/vendor/github.com/minio/minio-go/api_functional_v4_test.go
index b5e6d128a..e9593ddaf 100644
--- a/vendor/github.com/minio/minio-go/api_functional_v4_test.go
+++ b/vendor/github.com/minio/minio-go/api_functional_v4_test.go
@@ -18,7 +18,6 @@ package minio
 
 import (
 	"bytes"
-	crand "crypto/rand"
 	"encoding/hex"
 	"errors"
 	"fmt"
@@ -67,7 +66,7 @@ func TestMakeBucketError(t *testing.T) {
 	if testing.Short() {
 		t.Skip("skipping functional tests for short runs")
 	}
-	if os.Getenv("S3_ADDRESS") != "s3.amazonaws.com" {
+	if os.Getenv(serverEndpoint) != "s3.amazonaws.com" {
 		t.Skip("skipping region functional tests for non s3 runs")
 	}
 
@@ -76,10 +75,10 @@ func TestMakeBucketError(t *testing.T) {
 
 	// Instantiate new minio client object.
 	c, err := New(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
 	)
 	if err != nil {
 		t.Fatal("Error:", err)
@@ -109,6 +108,20 @@ func TestMakeBucketError(t *testing.T) {
 	if err = c.RemoveBucket(bucketName); err != nil {
 		t.Fatal("Error:", err, bucketName)
 	}
+	if err = c.MakeBucket(bucketName+"..-1", "eu-central-1"); err == nil {
+		t.Fatal("Error:", err, bucketName+"..-1")
+	}
+	// Verify valid error response.
+	if err != nil && err.Error() != "Bucket name contains invalid characters" {
+		t.Fatal("Error: Invalid error returned by server", err)
+	}
+	if err = c.MakeBucket(bucketName+"AAA-1", "eu-central-1"); err == nil {
+		t.Fatal("Error:", err, bucketName+"..-1")
+	}
+	// Verify valid error response.
+	if err != nil && err.Error() != "Bucket name contains invalid characters" {
+		t.Fatal("Error: Invalid error returned by server", err)
+	}
 }
 
 // Tests various bucket supported formats.
@@ -116,7 +129,7 @@ func TestMakeBucketRegions(t *testing.T) {
 	if testing.Short() {
 		t.Skip("skipping functional tests for short runs")
 	}
-	if os.Getenv("S3_ADDRESS") != "s3.amazonaws.com" {
+	if os.Getenv(serverEndpoint) != "s3.amazonaws.com" {
 		t.Skip("skipping region functional tests for non s3 runs")
 	}
 
@@ -125,10 +138,10 @@ func TestMakeBucketRegions(t *testing.T) {
 
 	// Instantiate new minio client object.
 	c, err := New(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
 	)
 	if err != nil {
 		t.Fatal("Error:", err)
@@ -176,10 +189,10 @@ func TestPutObjectReadAt(t *testing.T) {
 
 	// Instantiate new minio client object.
 	c, err := New(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
 	)
 	if err != nil {
 		t.Fatal("Error:", err)
@@ -201,14 +214,10 @@ func TestPutObjectReadAt(t *testing.T) {
 	}
 
 	// Generate data using 4 parts so that all 3 'workers' are utilized and a part is leftover.
-	buf := make([]byte, minPartSize*4)
-	// Use crand.Reader for multipart tests to ensure part order at the end.
-	size, err := io.ReadFull(crand.Reader, buf)
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-	if size != minPartSize*4 {
-		t.Fatalf("Error: number of bytes does not match, want %v, got %v\n", minPartSize*4, size)
+	// Use different data for each part for multipart tests to ensure part order at the end.
+	var buf []byte
+	for i := 0; i < 4; i++ {
+		buf = append(buf, bytes.Repeat([]byte(string('a'+i)), minPartSize)...)
 	}
 
 	// Save the data
@@ -270,10 +279,10 @@ func TestPutObjectWithMetadata(t *testing.T) {
 
 	// Instantiate new minio client object.
 	c, err := New(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
 	)
 	if err != nil {
 		t.Fatal("Error:", err)
@@ -295,14 +304,10 @@ func TestPutObjectWithMetadata(t *testing.T) {
 	}
 
 	// Generate data using 2 parts
-	buf := make([]byte, minPartSize*2)
-	// Use crand.Reader for multipart tests to ensure part order at the end.
-	size, err := io.ReadFull(crand.Reader, buf)
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-	if size != minPartSize*2 {
-		t.Fatalf("Error: number of bytes does not match, want %v, got %v\n", minPartSize*2, size)
+	// Use different data in each part for multipart tests to ensure part order at the end.
+	var buf []byte
+	for i := 0; i < 2; i++ {
+		buf = append(buf, bytes.Repeat([]byte(string('a'+i)), minPartSize)...)
 	}
 
 	// Save the data
@@ -311,7 +316,9 @@ func TestPutObjectWithMetadata(t *testing.T) {
 	// Object custom metadata
 	customContentType := "custom/contenttype"
 
-	n, err := c.PutObjectWithMetadata(bucketName, objectName, bytes.NewReader(buf), map[string][]string{"Content-Type": {customContentType}}, nil)
+	n, err := c.PutObjectWithMetadata(bucketName, objectName, bytes.NewReader(buf), map[string][]string{
+		"Content-Type": {customContentType},
+	}, nil)
 	if err != nil {
 		t.Fatal("Error:", err, bucketName, objectName)
 	}
@@ -366,10 +373,10 @@ func TestPutObjectStreaming(t *testing.T) {
 
 	// Instantiate new minio client object.
 	c, err := NewV4(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
 	)
 	if err != nil {
 		t.Fatal("Error:", err)
@@ -419,8 +426,8 @@ func TestPutObjectStreaming(t *testing.T) {
 	}
 }
 
-// Test listing partially uploaded objects.
-func TestListPartiallyUploaded(t *testing.T) {
+// Test listing no partially uploaded objects upon putObject error.
+func TestListNoPartiallyUploadedObjects(t *testing.T) {
 	if testing.Short() {
 		t.Skip("skipping function tests for short runs")
 	}
@@ -430,10 +437,10 @@ func TestListPartiallyUploaded(t *testing.T) {
 
 	// Instantiate new minio client object.
 	c, err := New(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
 	)
 	if err != nil {
 		t.Fatal("Error:", err)
@@ -475,18 +482,25 @@ func TestListPartiallyUploaded(t *testing.T) {
 	if err == nil {
 		t.Fatal("Error: PutObject should fail.")
 	}
-	if err.Error() != "proactively closed to be verified later" {
+	if !strings.Contains(err.Error(), "proactively closed to be verified later") {
 		t.Fatal("Error:", err)
 	}
 
 	doneCh := make(chan struct{})
 	defer close(doneCh)
+
 	isRecursive := true
 	multiPartObjectCh := c.ListIncompleteUploads(bucketName, objectName, isRecursive, doneCh)
+
+	var activeUploads bool
 	for multiPartObject := range multiPartObjectCh {
 		if multiPartObject.Err != nil {
 			t.Fatalf("Error: Error when listing incomplete upload")
 		}
+		activeUploads = true
+	}
+	if activeUploads {
+		t.Errorf("There should be no active uploads in progress upon error for %s/%s", bucketName, objectName)
 	}
 
 	err = c.RemoveBucket(bucketName)
@@ -506,10 +520,10 @@ func TestGetOjectSeekEnd(t *testing.T) {
 
 	// Instantiate new minio client object.
 	c, err := New(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
 	)
 	if err != nil {
 		t.Fatal("Error:", err)
@@ -601,10 +615,10 @@ func TestGetObjectClosedTwice(t *testing.T) {
 
 	// Instantiate new minio client object.
 	c, err := New(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
 	)
 	if err != nil {
 		t.Fatal("Error:", err)
@@ -681,10 +695,10 @@ func TestRemoveMultipleObjects(t *testing.T) {
 
 	// Instantiate new minio client object.
 	c, err := New(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
 	)
 
 	if err != nil {
@@ -745,282 +759,6 @@ func TestRemoveMultipleObjects(t *testing.T) {
 	}
 }
 
-// Tests removing partially uploaded objects.
-func TestRemovePartiallyUploaded(t *testing.T) {
-	if testing.Short() {
-		t.Skip("skipping function tests for short runs")
-	}
-
-	// Seed random based on current time.
-	rand.Seed(time.Now().Unix())
-
-	// Instantiate new minio client object.
-	c, err := New(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
-	)
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-
-	// Set user agent.
-	c.SetAppInfo("Minio-go-FunctionalTest", "0.1.0")
-
-	// Enable tracing, write to stdout.
-	// c.TraceOn(os.Stderr)
-
-	// Generate a new random bucket name.
-	bucketName := randString(60, rand.NewSource(time.Now().UnixNano()), "minio-go-test")
-
-	// Make a new bucket.
-	err = c.MakeBucket(bucketName, "us-east-1")
-	if err != nil {
-		t.Fatal("Error:", err, bucketName)
-	}
-
-	r := bytes.NewReader(bytes.Repeat([]byte("a"), 128*1024))
-
-	reader, writer := io.Pipe()
-	go func() {
-		i := 0
-		for i < 25 {
-			_, cerr := io.CopyN(writer, r, 128*1024)
-			if cerr != nil {
-				t.Fatal("Error:", cerr, bucketName)
-			}
-			i++
-			r.Seek(0, 0)
-		}
-		writer.CloseWithError(errors.New("proactively closed to be verified later"))
-	}()
-
-	objectName := bucketName + "-resumable"
-	_, err = c.PutObject(bucketName, objectName, reader, "application/octet-stream")
-	if err == nil {
-		t.Fatal("Error: PutObject should fail.")
-	}
-	if err.Error() != "proactively closed to be verified later" {
-		t.Fatal("Error:", err)
-	}
-	err = c.RemoveIncompleteUpload(bucketName, objectName)
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-	err = c.RemoveBucket(bucketName)
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-}
-
-// Tests resumable put object cloud to cloud.
-func TestResumablePutObject(t *testing.T) {
-	// By passing 'go test -short' skips these tests.
-	if testing.Short() {
-		t.Skip("skipping functional tests for the short runs")
-	}
-
-	// Seed random based on current time.
-	rand.Seed(time.Now().Unix())
-
-	// Instantiate new minio client object.
-	c, err := New(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
-	)
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-
-	// Set user agent.
-	c.SetAppInfo("Minio-go-FunctionalTest", "0.1.0")
-
-	// Enable tracing, write to stdout.
-	// c.TraceOn(os.Stderr)
-
-	// Generate a new random bucket name.
-	bucketName := randString(60, rand.NewSource(time.Now().UnixNano()), "minio-go-test")
-
-	// Make a new bucket.
-	err = c.MakeBucket(bucketName, "us-east-1")
-	if err != nil {
-		t.Fatal("Error:", err, bucketName)
-	}
-
-	// Create a temporary file.
-	file, err := ioutil.TempFile(os.TempDir(), "resumable")
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-	r := bytes.NewReader(bytes.Repeat([]byte("b"), minPartSize*2))
-	// Copy 11MiB worth of random data.
-	n, err := io.CopyN(file, r, minPartSize*2)
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-	if n != int64(minPartSize*2) {
-		t.Fatalf("Error: number of bytes does not match, want %v, got %v\n", minPartSize*2, n)
-	}
-
-	// Close the file pro-actively for windows.
-	if err = file.Close(); err != nil {
-		t.Fatal("Error:", err)
-	}
-
-	// New object name.
-	objectName := bucketName + "-resumable"
-	objectContentType := "application/custom-octet-stream"
-
-	// Upload the file.
-	n, err = c.FPutObject(bucketName, objectName, file.Name(), objectContentType)
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-	if n != int64(minPartSize*2) {
-		t.Fatalf("Error: number of bytes does not match, want %v, got %v\n", minPartSize*2, n)
-	}
-
-	// Get the uploaded object.
-	reader, err := c.GetObject(bucketName, objectName)
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-
-	// Get object info.
-	objInfo, err := reader.Stat()
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-
-	if objInfo.ContentType != objectContentType {
-		t.Fatalf("Error: Content types don't match, want %v, got %v\n", objectContentType, objInfo.ContentType)
-	}
-
-	// Upload now cloud to cloud.
-	n, err = c.PutObject(bucketName, objectName+"-put", reader, objectContentType)
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-
-	if n != objInfo.Size {
-		t.Fatalf("Error: number of bytes does not match, want %v, got %v\n", objInfo.Size, n)
-	}
-
-	// Remove all temp files, objects and bucket.
-	err = c.RemoveObject(bucketName, objectName)
-	if err != nil {
-		t.Fatal("Error: ", err)
-	}
-
-	err = c.RemoveObject(bucketName, objectName+"-put")
-	if err != nil {
-		t.Fatal("Error: ", err)
-	}
-
-	err = c.RemoveBucket(bucketName)
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-
-	err = os.Remove(file.Name())
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-}
-
-// Tests resumable file based put object multipart upload.
-func TestResumableFPutObject(t *testing.T) {
-	if testing.Short() {
-		t.Skip("skipping functional tests for the short runs")
-	}
-
-	// Seed random based on current time.
-	rand.Seed(time.Now().Unix())
-
-	// Instantiate new minio client object.
-	c, err := New(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
-	)
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-
-	// Set user agent.
-	c.SetAppInfo("Minio-go-FunctionalTest", "0.1.0")
-
-	// Enable tracing, write to stdout.
-	// c.TraceOn(os.Stderr)
-
-	// Generate a new random bucket name.
-	bucketName := randString(60, rand.NewSource(time.Now().UnixNano()), "minio-go-test")
-
-	// Make a new bucket.
-	err = c.MakeBucket(bucketName, "us-east-1")
-	if err != nil {
-		t.Fatal("Error:", err, bucketName)
-	}
-
-	file, err := ioutil.TempFile(os.TempDir(), "resumable")
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-
-	// Upload 4 parts to use all 3 multipart 'workers' and have an extra part.
-	buffer := make([]byte, minPartSize*4)
-	// Use crand.Reader for multipart tests to ensure parts are uploaded in correct order.
-	size, err := io.ReadFull(crand.Reader, buffer)
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-	if size != minPartSize*4 {
-		t.Fatalf("Error: number of bytes does not match, want %v, got %v\n", minPartSize*4, size)
-	}
-	size, err = file.Write(buffer)
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-	if size != minPartSize*4 {
-		t.Fatalf("Error: number of bytes does not match, want %v, got %v\n", minPartSize*4, size)
-	}
-
-	// Close the file pro-actively for windows.
-	err = file.Close()
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-
-	objectName := bucketName + "-resumable"
-
-	n, err := c.FPutObject(bucketName, objectName, file.Name(), "application/octet-stream")
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-	if n != int64(minPartSize*4) {
-		t.Fatalf("Error: number of bytes does not match, want %v, got %v\n", minPartSize*4, n)
-	}
-
-	err = c.RemoveObject(bucketName, objectName)
-	if err != nil {
-		t.Fatal("Error: ", err)
-	}
-
-	err = c.RemoveBucket(bucketName)
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-
-	err = os.Remove(file.Name())
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-}
-
 // Tests FPutObject of a big file to trigger multipart
 func TestFPutObjectMultipart(t *testing.T) {
 	if testing.Short() {
@@ -1032,10 +770,10 @@ func TestFPutObjectMultipart(t *testing.T) {
 
 	// Instantiate new minio client object.
 	c, err := New(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
 	)
 	if err != nil {
 		t.Fatal("Error:", err)
@@ -1063,16 +801,12 @@ func TestFPutObjectMultipart(t *testing.T) {
 	}
 
 	// Upload 4 parts to utilize all 3 'workers' in multipart and still have a part to upload.
-	buffer := make([]byte, minPartSize*4)
-
-	size, err := io.ReadFull(crand.Reader, buffer)
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-	if size != minPartSize*4 {
-		t.Fatalf("Error: number of bytes does not match, want %v, got %v\n", minPartSize*4, size)
+	var buffer []byte
+	for i := 0; i < 4; i++ {
+		buffer = append(buffer, bytes.Repeat([]byte(string('a'+i)), minPartSize)...)
 	}
-	size, err = file.Write(buffer)
+
+	size, err := file.Write(buffer)
 	if err != nil {
 		t.Fatal("Error:", err)
 	}
@@ -1137,10 +871,10 @@ func TestFPutObject(t *testing.T) {
 
 	// Instantiate new minio client object.
 	c, err := New(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
 	)
 	if err != nil {
 		t.Fatal("Error:", err)
@@ -1168,18 +902,14 @@ func TestFPutObject(t *testing.T) {
 	}
 
 	// Upload 4 parts worth of data to use all 3 of multiparts 'workers' and have an extra part.
-	buffer := make([]byte, minPartSize*4)
-	// Use random data for multipart tests to check parts are uploaded in correct order.
-	size, err := io.ReadFull(crand.Reader, buffer)
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-	if size != minPartSize*4 {
-		t.Fatalf("Error: number of bytes does not match, want %v, got %v\n", minPartSize*4, size)
+	// Use different data in part for multipart tests to check parts are uploaded in correct order.
+	var buffer []byte
+	for i := 0; i < 4; i++ {
+		buffer = append(buffer, bytes.Repeat([]byte(string('a'+i)), minPartSize)...)
 	}
 
 	// Write the data to the file.
-	size, err = file.Write(buffer)
+	size, err := file.Write(buffer)
 	if err != nil {
 		t.Fatal("Error:", err)
 	}
@@ -1297,10 +1027,10 @@ func TestGetObjectReadSeekFunctional(t *testing.T) {
 
 	// Instantiate new minio client object.
 	c, err := New(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
 	)
 	if err != nil {
 		t.Fatal("Error:", err)
@@ -1451,10 +1181,10 @@ func TestGetObjectReadAtFunctional(t *testing.T) {
 
 	// Instantiate new minio client object.
 	c, err := New(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
 	)
 	if err != nil {
 		t.Fatal("Error:", err)
@@ -1600,10 +1330,10 @@ func TestPresignedPostPolicy(t *testing.T) {
 
 	// Instantiate new minio client object
 	c, err := NewV4(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
 	)
 	if err != nil {
 		t.Fatal("Error:", err)
@@ -1695,10 +1425,10 @@ func TestCopyObject(t *testing.T) {
 
 	// Instantiate new minio client object
 	c, err := NewV4(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
 	)
 	if err != nil {
 		t.Fatal("Error:", err)
@@ -1750,41 +1480,45 @@ func TestCopyObject(t *testing.T) {
 		t.Fatal("Error:", err)
 	}
 
+	// Copy Source
+	src := NewSourceInfo(bucketName, objectName, nil)
+
 	// Set copy conditions.
-	copyConds := CopyConditions{}
 
-	// Start by setting wrong conditions
-	err = copyConds.SetModified(time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC))
+	// All invalid conditions first.
+	err = src.SetModifiedSinceCond(time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC))
 	if err == nil {
 		t.Fatal("Error:", err)
 	}
-	err = copyConds.SetUnmodified(time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC))
+	err = src.SetUnmodifiedSinceCond(time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC))
 	if err == nil {
 		t.Fatal("Error:", err)
 	}
-	err = copyConds.SetMatchETag("")
+	err = src.SetMatchETagCond("")
 	if err == nil {
 		t.Fatal("Error:", err)
 	}
-	err = copyConds.SetMatchETagExcept("")
+	err = src.SetMatchETagExceptCond("")
 	if err == nil {
 		t.Fatal("Error:", err)
 	}
 
-	err = copyConds.SetModified(time.Date(2014, time.April, 0, 0, 0, 0, 0, time.UTC))
+	err = src.SetModifiedSinceCond(time.Date(2014, time.April, 0, 0, 0, 0, 0, time.UTC))
 	if err != nil {
 		t.Fatal("Error:", err)
 	}
-	err = copyConds.SetMatchETag(objInfo.ETag)
+	err = src.SetMatchETagCond(objInfo.ETag)
 	if err != nil {
 		t.Fatal("Error:", err)
 	}
 
-	// Copy source.
-	copySource := bucketName + "/" + objectName
+	dst, err := NewDestinationInfo(bucketName+"-copy", objectName+"-copy", nil, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
 
 	// Perform the Copy
-	err = c.CopyObject(bucketName+"-copy", objectName+"-copy", copySource, copyConds)
+	err = c.CopyObject(dst, src)
 	if err != nil {
 		t.Fatal("Error:", err, bucketName+"-copy", objectName+"-copy")
 	}
@@ -1814,18 +1548,18 @@ func TestCopyObject(t *testing.T) {
 	}
 
 	// CopyObject again but with wrong conditions
-	copyConds = CopyConditions{}
-	err = copyConds.SetUnmodified(time.Date(2014, time.April, 0, 0, 0, 0, 0, time.UTC))
+	src = NewSourceInfo(bucketName, objectName, nil)
+	err = src.SetUnmodifiedSinceCond(time.Date(2014, time.April, 0, 0, 0, 0, 0, time.UTC))
 	if err != nil {
 		t.Fatal("Error:", err)
 	}
-	err = copyConds.SetMatchETagExcept(objInfo.ETag)
+	err = src.SetMatchETagExceptCond(objInfo.ETag)
 	if err != nil {
 		t.Fatal("Error:", err)
 	}
 
 	// Perform the Copy which should fail
-	err = c.CopyObject(bucketName+"-copy", objectName+"-copy", copySource, copyConds)
+	err = c.CopyObject(dst, src)
 	if err == nil {
 		t.Fatal("Error:", err, bucketName+"-copy", objectName+"-copy should fail")
 	}
@@ -1863,10 +1597,10 @@ func TestEncryptionPutGet(t *testing.T) {
 
 	// Instantiate new minio client object.
 	c, err := New(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
 	)
 	if err != nil {
 		t.Fatal("Error:", err)
@@ -1983,6 +1717,7 @@ func TestEncryptionPutGet(t *testing.T) {
 		if err != nil {
 			t.Fatalf("Test %d, error: %v %v %v", i+1, err, bucketName, objectName)
 		}
+		defer r.Close()
 
 		// Compare the sent object with the received one
 		recvBuffer := bytes.NewBuffer([]byte{})
@@ -2029,10 +1764,10 @@ func TestBucketNotification(t *testing.T) {
 	rand.Seed(time.Now().Unix())
 
 	c, err := New(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
 	)
 	if err != nil {
 		t.Fatal("Error:", err)
@@ -2105,10 +1840,10 @@ func TestFunctional(t *testing.T) {
 	rand.Seed(time.Now().Unix())
 
 	c, err := New(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
 	)
 	if err != nil {
 		t.Fatal("Error:", err)
@@ -2433,10 +2168,10 @@ func TestGetObjectObjectModified(t *testing.T) {
 
 	// Instantiate new minio client object.
 	c, err := NewV4(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
 	)
 	if err != nil {
 		t.Fatal("Error:", err)
@@ -2498,3 +2233,178 @@ func TestGetObjectObjectModified(t *testing.T) {
 		t.Errorf("Expected ReadAt to fail with error %s but received %s", s3ErrorResponseMap["PreconditionFailed"], err.Error())
 	}
 }
+
+// Test validates putObject to upload a file seeked at a given offset.
+func TestPutObjectUploadSeekedObject(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping functional tests for the short runs")
+	}
+
+	// Instantiate new minio client object.
+	c, err := NewV4(
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
+	)
+	if err != nil {
+		t.Fatal("Error:", err)
+	}
+
+	// Enable tracing, write to stderr.
+	// c.TraceOn(os.Stderr)
+
+	// Set user agent.
+	c.SetAppInfo("Minio-go-FunctionalTest", "0.1.0")
+
+	// Make a new bucket.
+	bucketName := randString(60, rand.NewSource(time.Now().UnixNano()), "minio-go-test")
+	err = c.MakeBucket(bucketName, "us-east-1")
+	if err != nil {
+		t.Fatal("Error:", err, bucketName)
+	}
+	defer c.RemoveBucket(bucketName)
+
+	tempfile, err := ioutil.TempFile("", "minio-go-upload-test-")
+	if err != nil {
+		t.Fatal("Error:", err)
+	}
+
+	var length = 120000
+	data := bytes.Repeat([]byte("1"), length)
+
+	if _, err = tempfile.Write(data); err != nil {
+		t.Fatal("Error:", err)
+	}
+
+	objectName := fmt.Sprintf("test-file-%v", rand.Uint32())
+
+	offset := length / 2
+	if _, err := tempfile.Seek(int64(offset), 0); err != nil {
+		t.Fatal("Error:", err)
+	}
+
+	n, err := c.PutObject(bucketName, objectName, tempfile, "binary/octet-stream")
+	if err != nil {
+		t.Fatal("Error:", err)
+	}
+	if n != int64(length-offset) {
+		t.Fatalf("Invalid length returned, want %v, got %v", int64(length-offset), n)
+	}
+	tempfile.Close()
+	if err = os.Remove(tempfile.Name()); err != nil {
+		t.Fatal("Error:", err)
+	}
+
+	length = int(n)
+
+	obj, err := c.GetObject(bucketName, objectName)
+	if err != nil {
+		t.Fatal("Error:", err)
+	}
+
+	n, err = obj.Seek(int64(offset), 0)
+	if err != nil {
+		t.Fatal("Error:", err)
+	}
+	if n != int64(offset) {
+		t.Fatalf("Invalid offset returned, want %v, got %v", int64(offset), n)
+	}
+
+	n, err = c.PutObject(bucketName, objectName+"getobject", obj, "binary/octet-stream")
+	if err != nil {
+		t.Fatal("Error:", err)
+	}
+	if n != int64(length-offset) {
+		t.Fatalf("Invalid length returned, want %v, got %v", int64(length-offset), n)
+	}
+
+	if err = c.RemoveObject(bucketName, objectName); err != nil {
+		t.Fatal("Error:", err)
+	}
+
+	if err = c.RemoveObject(bucketName, objectName+"getobject"); err != nil {
+		t.Fatal("Error:", err)
+	}
+}
+
+// Test expected error cases
+func TestComposeObjectErrorCases(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping functional tests for the short runs")
+	}
+
+	// Instantiate new minio client object
+	c, err := NewV4(
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
+	)
+	if err != nil {
+		t.Fatal("Error:", err)
+	}
+
+	testComposeObjectErrorCases(c, t)
+}
+
+// Test concatenating 10K objects
+func TestCompose10KSources(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping functional tests for the short runs")
+	}
+
+	// Instantiate new minio client object
+	c, err := NewV4(
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
+	)
+	if err != nil {
+		t.Fatal("Error:", err)
+	}
+
+	testComposeMultipleSources(c, t)
+}
+
+// Test encrypted copy object
+func TestEncryptedCopyObject(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping functional tests for the short runs")
+	}
+
+	// Instantiate new minio client object
+	c, err := NewV4(
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
+	)
+	if err != nil {
+		t.Fatal("Error:", err)
+	}
+
+	// c.TraceOn(os.Stderr)
+	testEncryptedCopyObject(c, t)
+}
+
+func TestUserMetadataCopying(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping functional tests for the short runs")
+	}
+
+	// Instantiate new minio client object
+	c, err := NewV4(
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
+	)
+	if err != nil {
+		t.Fatal("Error:", err)
+	}
+
+	// c.TraceOn(os.Stderr)
+	testUserMetadataCopying(c, t)
+}
diff --git a/vendor/github.com/minio/minio-go/api_unit_test.go b/vendor/github.com/minio/minio-go/api_unit_test.go
index c1db0df5d..2a9db3cb6 100644
--- a/vendor/github.com/minio/minio-go/api_unit_test.go
+++ b/vendor/github.com/minio/minio-go/api_unit_test.go
@@ -1,5 +1,6 @@
 /*
- * Minio Go Library for Amazon S3 Compatible Cloud Storage (C) 2015 Minio, Inc.
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage
+ * (C) 2015, 2016, 2017 Minio, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -21,10 +22,12 @@ import (
 	"io"
 	"io/ioutil"
 	"net/http"
+	"net/url"
 	"os"
 	"strings"
 	"testing"
 
+	"github.com/minio/minio-go/pkg/credentials"
 	"github.com/minio/minio-go/pkg/policy"
 )
 
@@ -179,27 +182,6 @@ func TestValidBucketLocation(t *testing.T) {
 	}
 }
 
-// Tests temp file.
-func TestTempFile(t *testing.T) {
-	tmpFile, err := newTempFile("testing")
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-	fileName := tmpFile.Name()
-	// Closing temporary file purges the file.
-	err = tmpFile.Close()
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-	st, err := os.Stat(fileName)
-	if err != nil && !os.IsNotExist(err) {
-		t.Fatal("Error:", err)
-	}
-	if err == nil && st != nil {
-		t.Fatal("Error: file should be deleted and should not exist.")
-	}
-}
-
 // Tests error response structure.
 func TestErrorResponse(t *testing.T) {
 	var err error
@@ -228,18 +210,18 @@ func TestErrorResponse(t *testing.T) {
 // Tests signature type.
 func TestSignatureType(t *testing.T) {
 	clnt := Client{}
-	if !clnt.signature.isV4() {
+	if !clnt.overrideSignerType.IsV4() {
 		t.Fatal("Error")
 	}
-	clnt.signature = SignatureV2
-	if !clnt.signature.isV2() {
+	clnt.overrideSignerType = credentials.SignatureV2
+	if !clnt.overrideSignerType.IsV2() {
 		t.Fatal("Error")
 	}
-	if clnt.signature.isV4() {
+	if clnt.overrideSignerType.IsV4() {
 		t.Fatal("Error")
 	}
-	clnt.signature = SignatureV4
-	if !clnt.signature.isV4() {
+	clnt.overrideSignerType = credentials.SignatureV4
+	if !clnt.overrideSignerType.IsV4() {
 		t.Fatal("Error")
 	}
 }
@@ -300,3 +282,56 @@ func TestPartSize(t *testing.T) {
 		t.Fatalf("Error: expecting last part size of 241172480: got %v instead", lastPartSize)
 	}
 }
+
+// TestMakeTargetURL - testing makeTargetURL()
+func TestMakeTargetURL(t *testing.T) {
+	testCases := []struct {
+		addr           string
+		secure         bool
+		bucketName     string
+		objectName     string
+		bucketLocation string
+		queryValues    map[string][]string
+		expectedURL    url.URL
+		expectedErr    error
+	}{
+		// Test 1
+		{"localhost:9000", false, "", "", "", nil, url.URL{Host: "localhost:9000", Scheme: "http", Path: "/"}, nil},
+		// Test 2
+		{"localhost", true, "", "", "", nil, url.URL{Host: "localhost", Scheme: "https", Path: "/"}, nil},
+		// Test 3
+		{"localhost:9000", true, "mybucket", "", "", nil, url.URL{Host: "localhost:9000", Scheme: "https", Path: "/mybucket/"}, nil},
+		// Test 4, testing against google storage API
+		{"storage.googleapis.com", true, "mybucket", "", "", nil, url.URL{Host: "mybucket.storage.googleapis.com", Scheme: "https", Path: "/"}, nil},
+		// Test 5, testing against AWS S3 API
+		{"s3.amazonaws.com", true, "mybucket", "myobject", "", nil, url.URL{Host: "mybucket.s3.amazonaws.com", Scheme: "https", Path: "/myobject"}, nil},
+		// Test 6
+		{"localhost:9000", false, "mybucket", "myobject", "", nil, url.URL{Host: "localhost:9000", Scheme: "http", Path: "/mybucket/myobject"}, nil},
+		// Test 7, testing with query
+		{"localhost:9000", false, "mybucket", "myobject", "", map[string][]string{"param": []string{"val"}}, url.URL{Host: "localhost:9000", Scheme: "http", Path: "/mybucket/myobject", RawQuery: "param=val"}, nil},
+		// Test 8, testing with port 80
+		{"localhost:80", false, "mybucket", "myobject", "", nil, url.URL{Host: "localhost", Scheme: "http", Path: "/mybucket/myobject"}, nil},
+		// Test 9, testing with port 443
+		{"localhost:443", true, "mybucket", "myobject", "", nil, url.URL{Host: "localhost", Scheme: "https", Path: "/mybucket/myobject"}, nil},
+	}
+
+	for i, testCase := range testCases {
+		// Initialize a Minio client
+		c, _ := New(testCase.addr, "foo", "bar", testCase.secure)
+		u, err := c.makeTargetURL(testCase.bucketName, testCase.objectName, testCase.bucketLocation, testCase.queryValues)
+		// Check the returned error
+		if testCase.expectedErr == nil && err != nil {
+			t.Fatalf("Test %d: Should succeed but failed with err = %v", i+1, err)
+		}
+		if testCase.expectedErr != nil && err == nil {
+			t.Fatalf("Test %d: Should fail but succeeded", i+1)
+		}
+		if err == nil {
+			// Check if the returned url is equal to what we expect
+			if u.String() != testCase.expectedURL.String() {
+				t.Fatalf("Test %d: Mismatched target url: expected = `%v`, found = `%v`",
+					i+1, testCase.expectedURL.String(), u.String())
+			}
+		}
+	}
+}
diff --git a/vendor/github.com/minio/minio-go/appveyor.yml b/vendor/github.com/minio/minio-go/appveyor.yml
index be746a7bf..4f5c1b390 100644
--- a/vendor/github.com/minio/minio-go/appveyor.yml
+++ b/vendor/github.com/minio/minio-go/appveyor.yml
@@ -17,6 +17,8 @@ install:
   - go version
   - go env
   - go get -u github.com/golang/lint/golint
+  - go get -u github.com/go-ini/ini
+  - go get -u github.com/minio/go-homedir
   - go get -u github.com/remyoudompheng/go-misc/deadcode
   - go get -u github.com/gordonklaus/ineffassign
 
diff --git a/vendor/github.com/minio/minio-go/bucket-cache.go b/vendor/github.com/minio/minio-go/bucket-cache.go
index 28799c69d..6d2a40f78 100644
--- a/vendor/github.com/minio/minio-go/bucket-cache.go
+++ b/vendor/github.com/minio/minio-go/bucket-cache.go
@@ -1,5 +1,6 @@
 /*
- * Minio Go Library for Amazon S3 Compatible Cloud Storage (C) 2015 Minio, Inc.
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage
+ * (C) 2015, 2016, 2017 Minio, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,6 +24,7 @@ import (
 	"path"
 	"sync"
 
+	"github.com/minio/minio-go/pkg/credentials"
 	"github.com/minio/minio-go/pkg/s3signer"
 	"github.com/minio/minio-go/pkg/s3utils"
 )
@@ -71,7 +73,7 @@ func (r *bucketLocationCache) Delete(bucketName string) {
 // GetBucketLocation - get location for the bucket name from location cache, if not
 // fetch freshly by making a new request.
 func (c Client) GetBucketLocation(bucketName string) (string, error) {
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 		return "", err
 	}
 	return c.getBucketLocation(bucketName)
@@ -80,21 +82,27 @@ func (c Client) GetBucketLocation(bucketName string) (string, error) {
 // getBucketLocation - Get location for the bucketName from location map cache, if not
 // fetch freshly by making a new request.
 func (c Client) getBucketLocation(bucketName string) (string, error) {
-	if err := isValidBucketName(bucketName); err != nil {
+	if err := s3utils.CheckValidBucketName(bucketName); err != nil {
 		return "", err
 	}
 
+	// Region set then no need to fetch bucket location.
+	if c.region != "" {
+		return c.region, nil
+	}
+
 	if s3utils.IsAmazonChinaEndpoint(c.endpointURL) {
 		// For china specifically we need to set everything to
 		// cn-north-1 for now, there is no easier way until AWS S3
 		// provides a cleaner compatible API across "us-east-1" and
 		// China region.
 		return "cn-north-1", nil
-	}
-
-	// Region set then no need to fetch bucket location.
-	if c.region != "" {
-		return c.region, nil
+	} else if s3utils.IsAmazonGovCloudEndpoint(c.endpointURL) {
+		// For us-gov specifically we need to set everything to
+		// us-gov-west-1 for now, there is no easier way until AWS S3
+		// provides a cleaner compatible API across "us-east-1" and
+		// Gov cloud region.
+		return "us-gov-west-1", nil
 	}
 
 	if location, ok := c.bucketLocCache.Get(bucketName); ok {
@@ -181,8 +189,33 @@ func (c Client) getBucketLocationRequest(bucketName string) (*http.Request, erro
 	// Set UserAgent for the request.
 	c.setUserAgent(req)
 
+	// Get credentials from the configured credentials provider.
+	value, err := c.credsProvider.Get()
+	if err != nil {
+		return nil, err
+	}
+
+	var (
+		signerType      = value.SignerType
+		accessKeyID     = value.AccessKeyID
+		secretAccessKey = value.SecretAccessKey
+		sessionToken    = value.SessionToken
+	)
+
+	// Custom signer set then override the behavior.
+	if c.overrideSignerType != credentials.SignatureDefault {
+		signerType = c.overrideSignerType
+	}
+
+	// If signerType returned by credentials helper is anonymous,
+	// then do not sign regardless of signerType override.
+	if value.SignerType == credentials.SignatureAnonymous {
+		signerType = credentials.SignatureAnonymous
+	}
+
 	// Set sha256 sum for signature calculation only with signature version '4'.
-	if c.signature.isV4() {
+	switch {
+	case signerType.IsV4():
 		var contentSha256 string
 		if c.secure {
 			contentSha256 = unsignedPayload
@@ -190,13 +223,10 @@ func (c Client) getBucketLocationRequest(bucketName string) (*http.Request, erro
 			contentSha256 = hex.EncodeToString(sum256([]byte{}))
 		}
 		req.Header.Set("X-Amz-Content-Sha256", contentSha256)
+		req = s3signer.SignV4(*req, accessKeyID, secretAccessKey, sessionToken, "us-east-1")
+	case signerType.IsV2():
+		req = s3signer.SignV2(*req, accessKeyID, secretAccessKey)
 	}
 
-	// Sign the request.
-	if c.signature.isV4() {
-		req = s3signer.SignV4(*req, c.accessKeyID, c.secretAccessKey, "us-east-1")
-	} else if c.signature.isV2() {
-		req = s3signer.SignV2(*req, c.accessKeyID, c.secretAccessKey)
-	}
 	return req, nil
 }
diff --git a/vendor/github.com/minio/minio-go/bucket-cache_test.go b/vendor/github.com/minio/minio-go/bucket-cache_test.go
index 0c068c966..6ae4e7be4 100644
--- a/vendor/github.com/minio/minio-go/bucket-cache_test.go
+++ b/vendor/github.com/minio/minio-go/bucket-cache_test.go
@@ -1,5 +1,6 @@
 /*
- * Minio Go Library for Amazon S3 Compatible Cloud Storage (C) 2016, 2016 Minio, Inc.
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage
+ * (C) 2015, 2016, 2017 Minio, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -27,6 +28,7 @@ import (
 	"reflect"
 	"testing"
 
+	"github.com/minio/minio-go/pkg/credentials"
 	"github.com/minio/minio-go/pkg/s3signer"
 )
 
@@ -86,17 +88,46 @@ func TestGetBucketLocationRequest(t *testing.T) {
 		// Set UserAgent for the request.
 		c.setUserAgent(req)
 
-		// Set sha256 sum for signature calculation only with signature version '4'.
-		if c.signature.isV4() {
-			req.Header.Set("X-Amz-Content-Sha256", hex.EncodeToString(sum256([]byte{})))
+		// Get credentials from the configured credentials provider.
+		value, err := c.credsProvider.Get()
+		if err != nil {
+			return nil, err
+		}
+
+		var (
+			signerType      = value.SignerType
+			accessKeyID     = value.AccessKeyID
+			secretAccessKey = value.SecretAccessKey
+			sessionToken    = value.SessionToken
+		)
+
+		// Custom signer set then override the behavior.
+		if c.overrideSignerType != credentials.SignatureDefault {
+			signerType = c.overrideSignerType
 		}
 
-		// Sign the request.
-		if c.signature.isV4() {
-			req = s3signer.SignV4(*req, c.accessKeyID, c.secretAccessKey, "us-east-1")
-		} else if c.signature.isV2() {
-			req = s3signer.SignV2(*req, c.accessKeyID, c.secretAccessKey)
+		// If signerType returned by credentials helper is anonymous,
+		// then do not sign regardless of signerType override.
+		if value.SignerType == credentials.SignatureAnonymous {
+			signerType = credentials.SignatureAnonymous
 		}
+
+		// Set sha256 sum for signature calculation only
+		// with signature version '4'.
+		switch {
+		case signerType.IsV4():
+			var contentSha256 string
+			if c.secure {
+				contentSha256 = unsignedPayload
+			} else {
+				contentSha256 = hex.EncodeToString(sum256([]byte{}))
+			}
+			req.Header.Set("X-Amz-Content-Sha256", contentSha256)
+			req = s3signer.SignV4(*req, accessKeyID, secretAccessKey, sessionToken, "us-east-1")
+		case signerType.IsV2():
+			req = s3signer.SignV2(*req, accessKeyID, secretAccessKey)
+		}
+
 		return req, nil
 
 	}
diff --git a/vendor/github.com/minio/minio-go/constants.go b/vendor/github.com/minio/minio-go/constants.go
index 6055bfdad..9771d2f92 100644
--- a/vendor/github.com/minio/minio-go/constants.go
+++ b/vendor/github.com/minio/minio-go/constants.go
@@ -18,10 +18,18 @@ package minio
 
 /// Multipart upload defaults.
 
-// miniPartSize - minimum part size 64MiB per object after which
+// absMinPartSize - absolute minimum part size (5 MiB) below which
+// a part in a multipart upload may not be uploaded.
+const absMinPartSize = 1024 * 1024 * 5
+
+// minPartSize - minimum part size 64MiB per object after which
 // putObject behaves internally as multipart.
 const minPartSize = 1024 * 1024 * 64
 
+// copyPartSize - default (and maximum) part size to copy in a
+// copy-object request (5GiB)
+const copyPartSize = 1024 * 1024 * 1024 * 5
+
 // maxPartsCount - maximum number of parts for a single multipart session.
 const maxPartsCount = 10000
 
@@ -37,10 +45,6 @@ const maxSinglePutObjectSize = 1024 * 1024 * 1024 * 5
 // Multipart operation.
 const maxMultipartPutObjectSize = 1024 * 1024 * 1024 * 1024 * 5
 
-// optimalReadBufferSize - optimal buffer 5MiB used for reading
-// through Read operation.
-const optimalReadBufferSize = 1024 * 1024 * 5
-
 // unsignedPayload - value to be set to X-Amz-Content-Sha256 header when
 // we don't want to sign the request payload
 const unsignedPayload = "UNSIGNED-PAYLOAD"
diff --git a/vendor/github.com/minio/minio-go/copy-conditions.go b/vendor/github.com/minio/minio-go/copy-conditions.go
deleted file mode 100644
index 65018aa09..000000000
--- a/vendor/github.com/minio/minio-go/copy-conditions.go
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
- * Minio Go Library for Amazon S3 Compatible Cloud Storage (C) 2016 Minio, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package minio
-
-import (
-	"net/http"
-	"time"
-)
-
-// copyCondition explanation:
-// http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectCOPY.html
-//
-// Example:
-//
-//   copyCondition {
-//       key: "x-amz-copy-if-modified-since",
-//       value: "Tue, 15 Nov 1994 12:45:26 GMT",
-//   }
-//
-type copyCondition struct {
-	key   string
-	value string
-}
-
-// CopyConditions - copy conditions.
-type CopyConditions struct {
-	conditions []copyCondition
-}
-
-// NewCopyConditions - Instantiate new list of conditions.  This
-// function is left behind for backward compatibility. The idiomatic
-// way to set an empty set of copy conditions is,
-//    ``copyConditions := CopyConditions{}``.
-//
-func NewCopyConditions() CopyConditions {
-	return CopyConditions{}
-}
-
-// SetMatchETag - set match etag.
-func (c *CopyConditions) SetMatchETag(etag string) error {
-	if etag == "" {
-		return ErrInvalidArgument("ETag cannot be empty.")
-	}
-	c.conditions = append(c.conditions, copyCondition{
-		key:   "x-amz-copy-source-if-match",
-		value: etag,
-	})
-	return nil
-}
-
-// SetMatchETagExcept - set match etag except.
-func (c *CopyConditions) SetMatchETagExcept(etag string) error {
-	if etag == "" {
-		return ErrInvalidArgument("ETag cannot be empty.")
-	}
-	c.conditions = append(c.conditions, copyCondition{
-		key:   "x-amz-copy-source-if-none-match",
-		value: etag,
-	})
-	return nil
-}
-
-// SetUnmodified - set unmodified time since.
-func (c *CopyConditions) SetUnmodified(modTime time.Time) error {
-	if modTime.IsZero() {
-		return ErrInvalidArgument("Modified since cannot be empty.")
-	}
-	c.conditions = append(c.conditions, copyCondition{
-		key:   "x-amz-copy-source-if-unmodified-since",
-		value: modTime.Format(http.TimeFormat),
-	})
-	return nil
-}
-
-// SetModified - set modified time since.
-func (c *CopyConditions) SetModified(modTime time.Time) error {
-	if modTime.IsZero() {
-		return ErrInvalidArgument("Modified since cannot be empty.")
-	}
-	c.conditions = append(c.conditions, copyCondition{
-		key:   "x-amz-copy-source-if-modified-since",
-		value: modTime.Format(http.TimeFormat),
-	})
-	return nil
-}
diff --git a/vendor/github.com/minio/minio-go/core.go b/vendor/github.com/minio/minio-go/core.go
index be9388cec..4b1054a69 100644
--- a/vendor/github.com/minio/minio-go/core.go
+++ b/vendor/github.com/minio/minio-go/core.go
@@ -70,7 +70,13 @@ func (c Core) ListMultipartUploads(bucket, prefix, keyMarker, uploadIDMarker, de
 
 // PutObjectPart - Upload an object part.
 func (c Core) PutObjectPart(bucket, object, uploadID string, partID int, size int64, data io.Reader, md5Sum, sha256Sum []byte) (ObjectPart, error) {
-	return c.uploadPart(bucket, object, uploadID, data, partID, md5Sum, sha256Sum, size)
+	return c.PutObjectPartWithMetadata(bucket, object, uploadID, partID, size, data, md5Sum, sha256Sum, nil)
+}
+
+// PutObjectPartWithMetadata - upload an object part with additional request metadata.
+func (c Core) PutObjectPartWithMetadata(bucket, object, uploadID string, partID int,
+	size int64, data io.Reader, md5Sum, sha256Sum []byte, metadata map[string][]string) (ObjectPart, error) {
+	return c.uploadPart(bucket, object, uploadID, data, partID, md5Sum, sha256Sum, size, metadata)
 }
 
 // ListObjectParts - List uploaded parts of an incomplete upload.x
@@ -80,7 +86,9 @@ func (c Core) ListObjectParts(bucket, object, uploadID string, partNumberMarker
 
 // CompleteMultipartUpload - Concatenate uploaded parts and commit to an object.
 func (c Core) CompleteMultipartUpload(bucket, object, uploadID string, parts []CompletePart) error {
-	_, err := c.completeMultipartUpload(bucket, object, uploadID, completeMultipartUpload{Parts: parts})
+	_, err := c.completeMultipartUpload(bucket, object, uploadID, completeMultipartUpload{
+		Parts: parts,
+	})
 	return err
 }
 
diff --git a/vendor/github.com/minio/minio-go/core_test.go b/vendor/github.com/minio/minio-go/core_test.go
index c7c73d4c7..81e1cd5bf 100644
--- a/vendor/github.com/minio/minio-go/core_test.go
+++ b/vendor/github.com/minio/minio-go/core_test.go
@@ -19,7 +19,6 @@ package minio
 import (
 	"bytes"
 	"crypto/md5"
-	crand "crypto/rand"
 
 	"io"
 	"math/rand"
@@ -29,6 +28,13 @@ import (
 	"time"
 )
 
+const (
+	serverEndpoint = "SERVER_ENDPOINT"
+	accessKey      = "ACCESS_KEY"
+	secretKey      = "SECRET_KEY"
+	enableSecurity = "ENABLE_HTTPS"
+)
+
 // Tests for Core GetObject() function.
 func TestGetObjectCore(t *testing.T) {
 	if testing.Short() {
@@ -40,10 +46,10 @@ func TestGetObjectCore(t *testing.T) {
 
 	// Instantiate new minio core client object.
 	c, err := NewCore(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
 	)
 	if err != nil {
 		t.Fatal("Error:", err)
@@ -214,10 +220,10 @@ func TestGetBucketPolicy(t *testing.T) {
 
 	// Instantiate new minio client object.
 	c, err := NewCore(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
 	)
 	if err != nil {
 		t.Fatal("Error:", err)
@@ -277,10 +283,10 @@ func TestCorePutObject(t *testing.T) {
 
 	// Instantiate new minio client object.
 	c, err := NewCore(
-		os.Getenv("S3_ADDRESS"),
-		os.Getenv("ACCESS_KEY"),
-		os.Getenv("SECRET_KEY"),
-		mustParseBool(os.Getenv("S3_SECURE")),
+		os.Getenv(serverEndpoint),
+		os.Getenv(accessKey),
+		os.Getenv(secretKey),
+		mustParseBool(os.Getenv(enableSecurity)),
 	)
 	if err != nil {
 		t.Fatal("Error:", err)
@@ -301,15 +307,7 @@ func TestCorePutObject(t *testing.T) {
 		t.Fatal("Error:", err, bucketName)
 	}
 
-	buf := make([]byte, minPartSize)
-
-	size, err := io.ReadFull(crand.Reader, buf)
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-	if size != minPartSize {
-		t.Fatalf("Error: number of bytes does not match, want %v, got %v\n", minPartSize, size)
-	}
+	buf := bytes.Repeat([]byte("a"), minPartSize)
 
 	// Save the data
 	objectName := randString(60, rand.NewSource(time.Now().UnixNano()), "")
diff --git a/vendor/github.com/minio/minio-go/docs/API.md b/vendor/github.com/minio/minio-go/docs/API.md
index 06735427e..e0d0a11e6 100644
--- a/vendor/github.com/minio/minio-go/docs/API.md
+++ b/vendor/github.com/minio/minio-go/docs/API.md
@@ -50,17 +50,21 @@ func main() {
 }
 ```
 
-| Bucket operations  |Object operations | Encrypted Object operations  | Presigned operations  | Bucket Policy/Notification Operations | Client custom settings |
-|:---|:---|:---|:---|:---|:---|
-|[`MakeBucket`](#MakeBucket)   |[`GetObject`](#GetObject) | [`NewSymmetricKey`](#NewSymmetricKey) | [`PresignedGetObject`](#PresignedGetObject)  |[`SetBucketPolicy`](#SetBucketPolicy)   | [`SetAppInfo`](#SetAppInfo) |
-|[`ListBuckets`](#ListBuckets)   |[`PutObject`](#PutObject) | [`NewAsymmetricKey`](#NewAsymmetricKey) |[`PresignedPutObject`](#PresignedPutObject)   | [`GetBucketPolicy`](#GetBucketPolicy)  | [`SetCustomTransport`](#SetCustomTransport) |
-|[`BucketExists`](#BucketExists)   |[`CopyObject`](#CopyObject) |  [`GetEncryptedObject`](#GetEncryptedObject)  |[`PresignedPostPolicy`](#PresignedPostPolicy)   |  [`ListBucketPolicies`](#ListBucketPolicies)  | [`TraceOn`](#TraceOn) |
-| [`RemoveBucket`](#RemoveBucket)  |[`StatObject`](#StatObject) | [`PutObjectStreaming`](#PutObjectStreaming) |   |  [`SetBucketNotification`](#SetBucketNotification)  | [`TraceOff`](#TraceOff) |
-|[`ListObjects`](#ListObjects)  |[`RemoveObject`](#RemoveObject) | [`PutEncryptedObject`](#PutEncryptedObject) |   |  [`GetBucketNotification`](#GetBucketNotification)  | [`SetS3TransferAccelerate`](#SetS3TransferAccelerate) |
-|[`ListObjectsV2`](#ListObjectsV2) | [`RemoveObjects`](#RemoveObjects) |  |   | [`RemoveAllBucketNotification`](#RemoveAllBucketNotification)  |
-|[`ListIncompleteUploads`](#ListIncompleteUploads) | [`RemoveIncompleteUpload`](#RemoveIncompleteUpload) |  |  |  [`ListenBucketNotification`](#ListenBucketNotification)  |
-|   | [`FPutObject`](#FPutObject)  | |   |   |
-|   | [`FGetObject`](#FGetObject)  | |   |   |
+| Bucket operations                                 | Object operations                                   | Encrypted Object operations                 | Presigned operations                          | Bucket Policy/Notification Operations                         | Client custom settings                                |
+| :---                                              | :---                                                | :---                                        | :---                                          | :---                                                          | :---                                                  |
+| [`MakeBucket`](#MakeBucket)                       | [`GetObject`](#GetObject)                           | [`NewSymmetricKey`](#NewSymmetricKey)       | [`PresignedGetObject`](#PresignedGetObject)   | [`SetBucketPolicy`](#SetBucketPolicy)                         | [`SetAppInfo`](#SetAppInfo)                           |
+| [`ListBuckets`](#ListBuckets)                     | [`PutObject`](#PutObject)                           | [`NewAsymmetricKey`](#NewAsymmetricKey)     | [`PresignedPutObject`](#PresignedPutObject)   | [`GetBucketPolicy`](#GetBucketPolicy)                         | [`SetCustomTransport`](#SetCustomTransport)           |
+| [`BucketExists`](#BucketExists)                   | [`CopyObject`](#CopyObject)                         | [`GetEncryptedObject`](#GetEncryptedObject) | [`PresignedPostPolicy`](#PresignedPostPolicy) | [`ListBucketPolicies`](#ListBucketPolicies)                   | [`TraceOn`](#TraceOn)                                 |
+| [`RemoveBucket`](#RemoveBucket)                   | [`StatObject`](#StatObject)                         | [`PutObjectStreaming`](#PutObjectStreaming) |                                               | [`SetBucketNotification`](#SetBucketNotification)             | [`TraceOff`](#TraceOff)                               |
+| [`ListObjects`](#ListObjects)                     | [`RemoveObject`](#RemoveObject)                     | [`PutEncryptedObject`](#PutEncryptedObject) |                                               | [`GetBucketNotification`](#GetBucketNotification)             | [`SetS3TransferAccelerate`](#SetS3TransferAccelerate) |
+| [`ListObjectsV2`](#ListObjectsV2)                 | [`RemoveObjects`](#RemoveObjects)                   | [`NewSSEInfo`](#NewSSEInfo)                 |                                               | [`RemoveAllBucketNotification`](#RemoveAllBucketNotification) |                                                       |
+| [`ListIncompleteUploads`](#ListIncompleteUploads) | [`RemoveIncompleteUpload`](#RemoveIncompleteUpload) |                                             |                                               | [`ListenBucketNotification`](#ListenBucketNotification)       |                                                       |
+|                                                   | [`FPutObject`](#FPutObject)                         |                                             |                                               |                                                               |                                                       |
+|                                                   | [`FGetObject`](#FGetObject)                         |                                             |                                               |                                                               |                                                       |
+|                                                   | [`ComposeObject`](#ComposeObject)                   |                                             |                                               |                                                               |                                                       |
+|                                                   | [`NewSourceInfo`](#NewSourceInfo)                   |                                             |                                               |                                                               |                                                       |
+|                                                   | [`NewDestinationInfo`](#NewDestinationInfo)         |                                             |                                               |                                                               |                                                       |
+
 
 ## 1. Constructor
 <a name="Minio"></a>
@@ -438,9 +442,6 @@ if err != nil {
 
 Uploads objects that are less than 64MiB in a single PUT operation. For objects that are greater than 64MiB in size, PutObject seamlessly uploads the object as parts of 64MiB or more depending on the actual file size. The max upload size for an object is 5TB.
 
-In the event that PutObject fails to upload an object, the user may attempt to re-upload the same object. If the same object is being uploaded, PutObject API examines the previous partial attempt to upload this object and resumes automatically from where it left off.
-
-
 __Parameters__
 
 
@@ -505,9 +506,11 @@ if err != nil {
 
 
 <a name="CopyObject"></a>
-### CopyObject(bucketName, objectName, objectSource string, conditions CopyConditions) error
+### CopyObject(dst DestinationInfo, src SourceInfo) error
 
-Copy a source object into a new object with the provided name in the provided bucket.
+Create or replace an object through server-side copying of an existing object. It supports conditional copying, copying a part of an object and server-side encryption of destination and decryption of source. See the `SourceInfo` and `DestinationInfo` types for further details.
+
+To copy multiple source objects into a single destination object see the `ComposeObject` API.
 
 
 __Parameters__
@@ -515,50 +518,161 @@ __Parameters__
 
 |Param   |Type   |Description   |
 |:---|:---| :---|
-|`bucketName`  | _string_  |Name of the bucket |
-|`objectName` | _string_  |Name of the object   |
-|`objectSource` | _string_  |Name of the source object  |
-|`conditions` | _CopyConditions_  |Collection of supported CopyObject conditions. [`x-amz-copy-source`, `x-amz-copy-source-if-match`, `x-amz-copy-source-if-none-match`, `x-amz-copy-source-if-unmodified-since`, `x-amz-copy-source-if-modified-since`]|
+|`dst`  | _DestinationInfo_  |Argument describing the destination object |
+|`src` | _SourceInfo_  |Argument describing the source object |
 
 
 __Example__
 
 
 ```go
-// Use-case-1
-// To copy an existing object to a new object with _no_ copy conditions.
-copyConds := minio.CopyConditions{}
-err := minioClient.CopyObject("mybucket", "myobject", "my-sourcebucketname/my-sourceobjectname", copyConds)
+// Use-case 1: Simple copy object with no conditions, etc
+// Source object
+src := minio.NewSourceInfo("my-sourcebucketname", "my-sourceobjectname", nil)
+
+// Destination object
+dst := minio.NewDestinationInfo("my-bucketname", "my-objectname", nil, nil)
+
+/ Copy object call
+err = s3Client.CopyObject(dst, src)
 if err != nil {
     fmt.Println(err)
     return
 }
 
-// Use-case-2
-// To copy an existing object to a new object with the following copy conditions
+// Use-case 2: Copy object with copy-conditions, and copying only part of the source object.
 // 1. that matches a given ETag
 // 2. and modified after 1st April 2014
 // 3. but unmodified since 23rd April 2014
+// 4. copy only first 1MiB of object.
+
+// Source object
+src := minio.NewSourceInfo("my-sourcebucketname", "my-sourceobjectname", nil)
 
-// Initialize empty copy conditions.
-var copyConds = minio.CopyConditions{}
+// Set matching ETag condition, copy object which matches the following ETag.
+src.SetMatchETagCond("31624deb84149d2f8ef9c385918b653a")
 
-// copy object that matches the given ETag.
-copyConds.SetMatchETag("31624deb84149d2f8ef9c385918b653a")
+// Set modified condition, copy object modified since 2014 April 1.
+src.SetModifiedSinceCond(time.Date(2014, time.April, 1, 0, 0, 0, 0, time.UTC))
 
-// and modified after 1st April 2014
-copyConds.SetModified(time.Date(2014, time.April, 1, 0, 0, 0, 0, time.UTC))
+// Set unmodified condition, copy object unmodified since 2014 April 23.
+src.SetUnmodifiedSinceCond(time.Date(2014, time.April, 23, 0, 0, 0, 0, time.UTC))
 
-// but unmodified since 23rd April 2014
-copyConds.SetUnmodified(time.Date(2014, time.April, 23, 0, 0, 0, 0, time.UTC))
+// Set copy-range of only first 1MiB of file.
+src.SetRange(0, 1024*1024-1)
 
-err := minioClient.CopyObject("mybucket", "myobject", "my-sourcebucketname/my-sourceobjectname", copyConds)
+// Destination object
+dst := minio.NewDestinationInfo("my-bucketname", "my-objectname", nil, nil)
+
+/ Copy object call
+err = s3Client.CopyObject(dst, src)
 if err != nil {
     fmt.Println(err)
     return
 }
 ```
 
+<a name="ComposeObject"></a>
+### ComposeObject(dst DestinationInfo, srcs []SourceInfo) error
+
+Create an object by concatenating a list of source objects using
+server-side copying.
+
+__Parameters__
+
+
+|Param   |Type   |Description   |
+|:---|:---|:---|
+|`dst`  | _minio.DestinationInfo_  |Struct with info about the object to be created. |
+|`srcs` | _[]minio.SourceInfo_  |Slice of struct with info about source objects to be concatenated in order. |
+
+
+__Example__
+
+
+```go
+// Prepare source decryption key (here we assume same key to
+// decrypt all source objects.)
+decKey := minio.NewSSEInfo([]byte{1, 2, 3}, "")
+
+// Source objects to concatenate. We also specify decryption
+// key for each
+src1 := minio.NewSourceInfo("bucket1", "object1", decKey)
+src1.SetMatchETag("31624deb84149d2f8ef9c385918b653a")
+
+src2 := minio.NewSourceInfo("bucket2", "object2", decKey)
+src2.SetMatchETag("f8ef9c385918b653a31624deb84149d2")
+
+src3 := minio.NewSourceInfo("bucket3", "object3", decKey)
+src3.SetMatchETag("5918b653a31624deb84149d2f8ef9c38")
+
+// Create slice of sources.
+srcs := []minio.SourceInfo{src1, src2, src3}
+
+// Prepare destination encryption key
+encKey := minio.NewSSEInfo([]byte{8, 9, 0}, "")
+
+// Create destination info
+dst := minio.NewDestinationInfo("bucket", "object", encKey, nil)
+err = s3Client.ComposeObject(dst, srcs)
+if err != nil {
+	log.Println(err)
+	return
+}
+
+log.Println("Composed object successfully.")
+```
+
+<a name="NewSourceInfo"></a>
+### NewSourceInfo(bucket, object string, decryptSSEC *SSEInfo) SourceInfo
+
+Construct a `SourceInfo` object that can be used as the source for server-side copying operations like `CopyObject` and `ComposeObject`. This object can be used to set copy-conditions on the source.
+
+__Parameters__
+
+| Param         | Type             | Description                                                      |
+| :---          | :---             | :---                                                             |
+| `bucket`      | _string_         | Name of the source bucket                                        |
+| `object`      | _string_         | Name of the source object                                        |
+| `decryptSSEC` | _*minio.SSEInfo_ | Decryption info for the source object (`nil` without encryption) |
+
+__Example__
+
+``` go
+// No decryption parameter.
+src := NewSourceInfo("bucket", "object", nil)
+
+// With decryption parameter.
+decKey := NewSSEKey([]byte{1,2,3}, "")
+src := NewSourceInfo("bucket", "object", decKey)
+```
+
+<a name="NewDestinationInfo"></a>
+### NewDestinationInfo(bucket, object string, encryptSSEC *SSEInfo, userMeta map[string]string) DestinationInfo
+
+Construct a `DestinationInfo` object that can be used as the destination object for server-side copying operations like `CopyObject` and `ComposeObject`.
+
+__Parameters__
+
+| Param         | Type                | Description                                                                                                    |
+| :---          | :---                | :---                                                                                                           |
+| `bucket`      | _string_            | Name of the destination bucket                                                                                 |
+| `object`      | _string_            | Name of the destination object                                                                                 |
+| `encryptSSEC` | _*minio.SSEInfo_    | Encryption info for the source object (`nil` without encryption)                                               |
+| `userMeta`    | _map[string]string_ | User metadata to be set on the destination. If nil, with only one source, user-metadata is copied from source. |
+
+__Example__
+
+``` go
+// No encryption parameter.
+src := NewDestinationInfo("bucket", "object", nil, nil)
+
+// With encryption parameter.
+encKey := NewSSEKey([]byte{1,2,3}, "")
+src := NewDecryptionInfo("bucket", "object", encKey, nil)
+```
+
+
 <a name="FPutObject"></a>
 ### FPutObject(bucketName, objectName, filePath, contentType string) (length int64, err error)
 
@@ -566,8 +680,6 @@ Uploads contents from a file to objectName.
 
 FPutObject uploads objects that are less than 64MiB in a single PUT operation. For objects that are greater than the 64MiB in size, FPutObject seamlessly uploads the object in chunks of 64MiB or more depending on the actual file size. The max upload size for an object is 5TB.
 
-In the event that FPutObject fails to upload an object, the user may attempt to re-upload the same object. If the same object is being uploaded, FPutObject API examines the previous partial attempt to upload this object and resumes automatically from where it left off.
-
 
 __Parameters__
 
@@ -771,7 +883,7 @@ if err != nil {
 ```
 
 <a name="GetEncryptedObject"></a>
-### GetEncryptedObject(bucketName, objectName string, encryptMaterials minio.EncryptionMaterials) (io.Reader, error)
+### GetEncryptedObject(bucketName, objectName string, encryptMaterials minio.EncryptionMaterials) (io.ReadCloser, error)
 
 Returns the decrypted stream of the object data based of the given encryption materiels. Most of the common errors occur when reading the stream.
 
@@ -788,7 +900,7 @@ __Return Value__
 
 |Param   |Type   |Description   |
 |:---|:---| :---|
-|`stream`  | _io.Reader_ | Returns the deciphered object reader. |
+|`stream`  | _io.ReadCloser_ | Returns the deciphered object reader, caller should close after reading. |
 |`err`  | _error | Returns errors. |
 
 
@@ -810,11 +922,14 @@ if err != nil {
     fmt.Println(err)
     return
 }
+defer object.Close()
+
 localFile, err := os.Create("/tmp/local-file.jpg")
 if err != nil {
     fmt.Println(err)
     return
 }
+
 if _, err = io.Copy(localFile, object); err != nil {
     fmt.Println(err)
     return
@@ -883,6 +998,26 @@ if err != nil {
 }
 ```
 
+<a name="NewSSEInfo"></a>
+
+### NewSSEInfo(key []byte, algo string) SSEInfo
+
+Create a key object for use as encryption or decryption parameter in operations involving server-side-encryption with customer provided key (SSE-C).
+
+__Parameters__
+
+| Param  | Type     | Description                                                                                          |
+| :---   | :---     | :---                                                                                                 |
+| `key`  | _[]byte_ | Byte-slice of the raw, un-encoded binary key                                                         |
+| `algo` | _string_ | Algorithm to use in encryption or decryption with the given key. Can be empty (defaults to `AES256`) |
+
+__Example__
+
+``` go
+// Key for use in encryption/decryption
+keyInfo := NewSSEInfo([]byte{1,2,3}, "")
+```
+
 ## 5. Presigned operations
 
 <a name="PresignedGetObject"></a>
@@ -1240,7 +1375,7 @@ __Return Values__
 
 |Param   |Type   |Description   |
 |:---|:---| :---|
-|`chan NotificationInfo` | _chan_ | Read channel for all notificatons on bucket |
+|`chan NotificationInfo` | _chan_ | Read channel for all notifications on bucket |
 |`NotificationInfo` | _object_ | Notification object represents events info |
 |`notificationInfo.Records` | _[]NotificationEvent_ | Collection of notification events |
 |`notificationInfo.Err` | _error_ | Carries any error occurred during the operation |
diff --git a/vendor/github.com/minio/minio-go/examples/s3/composeobject.go b/vendor/github.com/minio/minio-go/examples/s3/composeobject.go
new file mode 100644
index 000000000..555d98bc3
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/examples/s3/composeobject.go
@@ -0,0 +1,74 @@
+// +build ignore
+
+/*
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage (C) 2016 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package main
+
+import (
+	"log"
+
+	minio "github.com/minio/minio-go"
+)
+
+func main() {
+	// Note: YOUR-ACCESSKEYID, YOUR-SECRETACCESSKEY, my-testfile, my-bucketname and
+	// my-objectname are dummy values, please replace them with original values.
+
+	// Requests are always secure (HTTPS) by default. Set secure=false to enable insecure (HTTP) access.
+	// This boolean value is the last argument for New().
+
+	// New returns an Amazon S3 compatible client object. API compatibility (v2 or v4) is automatically
+	// determined based on the Endpoint value.
+	s3Client, err := minio.New("s3.amazonaws.com", "YOUR-ACCESSKEYID", "YOUR-SECRETACCESSKEY", true)
+	if err != nil {
+		log.Fatalln(err)
+	}
+
+	// Enable trace.
+	// s3Client.TraceOn(os.Stderr)
+
+	// Prepare source decryption key (here we assume same key to
+	// decrypt all source objects.)
+	decKey := minio.NewSSEInfo([]byte{1, 2, 3}, "")
+
+	// Source objects to concatenate. We also specify decryption
+	// key for each
+	src1 := minio.NewSourceInfo("bucket1", "object1", decKey)
+	src1.SetMatchETag("31624deb84149d2f8ef9c385918b653a")
+
+	src2 := minio.NewSourceInfo("bucket2", "object2", decKey)
+	src2.SetMatchETag("f8ef9c385918b653a31624deb84149d2")
+
+	src3 := minio.NewSourceInfo("bucket3", "object3", decKey)
+	src3.SetMatchETag("5918b653a31624deb84149d2f8ef9c38")
+
+	// Create slice of sources.
+	srcs := []minio.SourceInfo{src1, src2, src3}
+
+	// Prepare destination encryption key
+	encKey := minio.NewSSEInfo([]byte{8, 9, 0}, "")
+
+	// Create destination info
+	dst := minio.NewDestinationInfo("bucket", "object", encKey)
+	err = s3Client.ComposeObject(dst, srcs)
+	if err != nil {
+		log.Println(err)
+		return
+	}
+
+	log.Println("Composed object successfully.")
+}
diff --git a/vendor/github.com/minio/minio-go/examples/s3/copyobject.go b/vendor/github.com/minio/minio-go/examples/s3/copyobject.go
index a9ec78fee..0de865555 100644
--- a/vendor/github.com/minio/minio-go/examples/s3/copyobject.go
+++ b/vendor/github.com/minio/minio-go/examples/s3/copyobject.go
@@ -42,24 +42,28 @@ func main() {
 	// Enable trace.
 	// s3Client.TraceOn(os.Stderr)
 
+	// Source object
+	src := minio.NewSourceInfo("my-sourcebucketname", "my-sourceobjectname", nil)
+
 	// All following conditions are allowed and can be combined together.
 
-	// Set copy conditions.
-	var copyConds = minio.CopyConditions{}
 	// Set modified condition, copy object modified since 2014 April.
-	copyConds.SetModified(time.Date(2014, time.April, 0, 0, 0, 0, 0, time.UTC))
+	src.SetModifiedSinceCond(time.Date(2014, time.April, 0, 0, 0, 0, 0, time.UTC))
 
 	// Set unmodified condition, copy object unmodified since 2014 April.
-	// copyConds.SetUnmodified(time.Date(2014, time.April, 0, 0, 0, 0, 0, time.UTC))
+	// src.SetUnmodifiedSinceCond(time.Date(2014, time.April, 0, 0, 0, 0, 0, time.UTC))
 
 	// Set matching ETag condition, copy object which matches the following ETag.
-	// copyConds.SetMatchETag("31624deb84149d2f8ef9c385918b653a")
+	// src.SetMatchETagCond("31624deb84149d2f8ef9c385918b653a")
 
 	// Set matching ETag except condition, copy object which does not match the following ETag.
-	// copyConds.SetMatchETagExcept("31624deb84149d2f8ef9c385918b653a")
+	// src.SetMatchETagExceptCond("31624deb84149d2f8ef9c385918b653a")
+
+	// Destination object
+	dst := minio.NewDestinationInfo("my-bucketname", "my-objectname", nil)
 
 	// Initiate copy object.
-	err = s3Client.CopyObject("my-bucketname", "my-objectname", "/my-sourcebucketname/my-sourceobjectname", copyConds)
+	err = s3Client.CopyObject(dst, src)
 	if err != nil {
 		log.Fatalln(err)
 	}
diff --git a/vendor/github.com/minio/minio-go/examples/s3/get-encrypted-object.go b/vendor/github.com/minio/minio-go/examples/s3/get-encrypted-object.go
index e997140be..8f51f26ae 100644
--- a/vendor/github.com/minio/minio-go/examples/s3/get-encrypted-object.go
+++ b/vendor/github.com/minio/minio-go/examples/s3/get-encrypted-object.go
@@ -24,6 +24,7 @@ import (
 	"os"
 
 	"github.com/minio/minio-go"
+	"github.com/minio/minio-go/pkg/encrypt"
 )
 
 func main() {
@@ -59,10 +60,10 @@ func main() {
 	////
 
 	// Build a symmetric key
-	symmetricKey := minio.NewSymmetricKey([]byte("my-secret-key-00"))
+	symmetricKey := encrypt.NewSymmetricKey([]byte("my-secret-key-00"))
 
 	// Build encryption materials which will encrypt uploaded data
-	cbcMaterials, err := minio.NewCBCSecureMaterials(symmetricKey)
+	cbcMaterials, err := encrypt.NewCBCSecureMaterials(symmetricKey)
 	if err != nil {
 		log.Fatalln(err)
 	}
@@ -72,6 +73,7 @@ func main() {
 	if err != nil {
 		log.Fatalln(err)
 	}
+	defer reader.Close()
 
 	// Local file which holds plain data
 	localFile, err := os.Create("my-testfile")
diff --git a/vendor/github.com/minio/minio-go/examples/s3/put-encrypted-object.go b/vendor/github.com/minio/minio-go/examples/s3/put-encrypted-object.go
index f03f82147..b8f7e12f2 100644
--- a/vendor/github.com/minio/minio-go/examples/s3/put-encrypted-object.go
+++ b/vendor/github.com/minio/minio-go/examples/s3/put-encrypted-object.go
@@ -23,6 +23,7 @@ import (
 	"os"
 
 	"github.com/minio/minio-go"
+	"github.com/minio/minio-go/pkg/encrypt"
 )
 
 func main() {
@@ -65,10 +66,10 @@ func main() {
 	////
 
 	// Build a symmetric key
-	symmetricKey := minio.NewSymmetricKey([]byte("my-secret-key-00"))
+	symmetricKey := encrypt.NewSymmetricKey([]byte("my-secret-key-00"))
 
 	// Build encryption materials which will encrypt uploaded data
-	cbcMaterials, err := minio.NewCBCSecureMaterials(symmetricKey)
+	cbcMaterials, err := encrypt.NewCBCSecureMaterials(symmetricKey)
 	if err != nil {
 		log.Fatalln(err)
 	}
diff --git a/vendor/github.com/minio/minio-go/examples/s3/putobject-getobject-sse.go b/vendor/github.com/minio/minio-go/examples/s3/putobject-getobject-sse.go
new file mode 100644
index 000000000..92e6a4840
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/examples/s3/putobject-getobject-sse.go
@@ -0,0 +1,87 @@
+// +build ignore
+
+/*
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage (C) 2017 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package main
+
+import (
+	"bytes"
+	"crypto/md5"
+	"encoding/base64"
+	"io/ioutil"
+	"log"
+	"net/http"
+
+	minio "github.com/minio/minio-go"
+)
+
+func main() {
+	// Note: YOUR-ACCESSKEYID, YOUR-SECRETACCESSKEY, my-testfile, my-bucketname and
+	// my-objectname are dummy values, please replace them with original values.
+
+	// New returns an Amazon S3 compatible client object. API compatibility (v2 or v4) is automatically
+	// determined based on the Endpoint value.
+	minioClient, err := minio.New("s3.amazonaws.com", "YOUR-ACCESSKEYID", "YOUR-SECRETACCESSKEY", true)
+	if err != nil {
+		log.Fatalln(err)
+	}
+
+	content := bytes.NewReader([]byte("Hello again"))
+	key := []byte("32byteslongsecretkeymustprovided")
+	h := md5.New()
+	h.Write(key)
+	encryptionKey := base64.StdEncoding.EncodeToString(key)
+	encryptionKeyMD5 := base64.StdEncoding.EncodeToString(h.Sum(nil))
+
+	// Amazon S3 does not store the encryption key you provide.
+	// Instead S3 stores a randomly salted HMAC value of the
+	// encryption key in order to validate future requests.
+	// The salted HMAC value cannot be used to derive the value
+	// of the encryption key or to decrypt the contents of the
+	// encrypted object. That means, if you lose the encryption
+	// key, you lose the object.
+	var metadata = map[string][]string{
+		"x-amz-server-side-encryption-customer-algorithm": []string{"AES256"},
+		"x-amz-server-side-encryption-customer-key":       []string{encryptionKey},
+		"x-amz-server-side-encryption-customer-key-MD5":   []string{encryptionKeyMD5},
+	}
+
+	// minioClient.TraceOn(os.Stderr) // Enable to debug.
+	_, err = minioClient.PutObjectWithMetadata("mybucket", "my-encrypted-object.txt", content, metadata, nil)
+	if err != nil {
+		log.Fatalln(err)
+	}
+
+	var reqHeaders = minio.RequestHeaders{Header: http.Header{}}
+	for k, v := range metadata {
+		reqHeaders.Set(k, v[0])
+	}
+	coreClient := minio.Core{minioClient}
+	reader, _, err := coreClient.GetObject("mybucket", "my-encrypted-object.txt", reqHeaders)
+	if err != nil {
+		log.Fatalln(err)
+	}
+	defer reader.Close()
+
+	decBytes, err := ioutil.ReadAll(reader)
+	if err != nil {
+		log.Fatalln(err)
+	}
+	if !bytes.Equal(decBytes, []byte("Hello again")) {
+		log.Fatalln("Expected \"Hello, world\", got %s", string(decBytes))
+	}
+}
diff --git a/vendor/github.com/minio/minio-go/examples/s3/putobject-progress.go b/vendor/github.com/minio/minio-go/examples/s3/putobject-progress.go
index f668adf70..1179fd787 100644
--- a/vendor/github.com/minio/minio-go/examples/s3/putobject-progress.go
+++ b/vendor/github.com/minio/minio-go/examples/s3/putobject-progress.go
@@ -50,9 +50,8 @@ func main() {
 		log.Fatalln(err)
 	}
 
-	// progress reader is notified as PutObject makes progress with
-	// the read. For partial resume put object, progress reader is
-	// appropriately advanced.
+	// Progress reader is notified as PutObject makes progress with
+	// the Reads inside.
 	progress := pb.New64(objectInfo.Size)
 	progress.Start()
 
diff --git a/vendor/github.com/minio/minio-go/pkg/credentials/chain.go b/vendor/github.com/minio/minio-go/pkg/credentials/chain.go
new file mode 100644
index 000000000..6b0e57440
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/pkg/credentials/chain.go
@@ -0,0 +1,89 @@
+/*
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage
+ * (C) 2017 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package credentials
+
+import "fmt"
+
+// A Chain will search for a provider which returns credentials
+// and cache that provider until Retrieve is called again.
+//
+// The Chain provides a way of chaining multiple providers together
+// which will pick the first available using priority order of the
+// Providers in the list.
+//
+// If none of the Providers retrieve valid credentials Value, ChainProvider's
+// Retrieve() will return the error, collecting all errors from all providers.
+//
+// If a Provider is found which returns valid credentials Value ChainProvider
+// will cache that Provider for all calls to IsExpired(), until Retrieve is
+// called again.
+//
+//     creds := credentials.NewChainCredentials(
+//         []credentials.Provider{
+//             &credentials.EnvAWSS3{},
+//             &credentials.EnvMinio{},
+//         })
+//
+//     // Usage of ChainCredentials.
+//     mc, err := minio.NewWithCredentials(endpoint, creds, secure, "us-east-1")
+//     if err != nil {
+//          log.Fatalln(err)
+//     }
+//
+type Chain struct {
+	Providers []Provider
+	curr      Provider
+}
+
+// NewChainCredentials returns a pointer to a new Credentials object
+// wrapping a chain of providers.
+func NewChainCredentials(providers []Provider) *Credentials {
+	return New(&Chain{
+		Providers: append([]Provider{}, providers...),
+	})
+}
+
+// Retrieve returns the credentials value or error if no provider returned
+// without error.
+//
+// If a provider is found it will be cached and any calls to IsExpired()
+// will return the expired state of the cached provider.
+func (c *Chain) Retrieve() (Value, error) {
+	var errs []error
+	for _, p := range c.Providers {
+		creds, err := p.Retrieve()
+		if err != nil {
+			errs = append(errs, err)
+			continue
+		} // Success.
+		c.curr = p
+		return creds, nil
+	}
+	c.curr = nil
+	return Value{}, fmt.Errorf("No valid providers found %v", errs)
+}
+
+// IsExpired will returned the expired state of the currently cached provider
+// if there is one.  If there is no current provider, true will be returned.
+func (c *Chain) IsExpired() bool {
+	if c.curr != nil {
+		return c.curr.IsExpired()
+	}
+
+	return true
+}
diff --git a/vendor/github.com/minio/minio-go/pkg/credentials/chain_test.go b/vendor/github.com/minio/minio-go/pkg/credentials/chain_test.go
new file mode 100644
index 000000000..cb5a6dda5
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/pkg/credentials/chain_test.go
@@ -0,0 +1,137 @@
+/*
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage
+ * (C) 2017 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package credentials
+
+import (
+	"errors"
+	"testing"
+)
+
+type testCredProvider struct {
+	creds   Value
+	expired bool
+	err     error
+}
+
+func (s *testCredProvider) Retrieve() (Value, error) {
+	s.expired = false
+	return s.creds, s.err
+}
+func (s *testCredProvider) IsExpired() bool {
+	return s.expired
+}
+
+func TestChainGet(t *testing.T) {
+	p := &Chain{
+		Providers: []Provider{
+			&credProvider{err: errors.New("FirstError")},
+			&credProvider{err: errors.New("SecondError")},
+			&testCredProvider{
+				creds: Value{
+					AccessKeyID:     "AKIF",
+					SecretAccessKey: "NOSECRET",
+					SessionToken:    "",
+				},
+			},
+			&credProvider{
+				creds: Value{
+					AccessKeyID:     "AKID",
+					SecretAccessKey: "SECRET",
+					SessionToken:    "",
+				},
+			},
+		},
+	}
+
+	creds, err := p.Retrieve()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Also check credentials
+	if creds.AccessKeyID != "AKIF" {
+		t.Fatalf("Expected 'AKIF', got %s", creds.AccessKeyID)
+	}
+	if creds.SecretAccessKey != "NOSECRET" {
+		t.Fatalf("Expected 'NOSECRET', got %s", creds.SecretAccessKey)
+	}
+	if creds.SessionToken != "" {
+		t.Fatalf("Expected empty token, got %s", creds.SessionToken)
+	}
+}
+
+func TestChainIsExpired(t *testing.T) {
+	credProvider := &credProvider{expired: true}
+	p := &Chain{
+		Providers: []Provider{
+			credProvider,
+		},
+	}
+
+	if !p.IsExpired() {
+		t.Fatal("Expected expired to be true before any Retrieve")
+	}
+
+	_, err := p.Retrieve()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if p.IsExpired() {
+		t.Fatal("Expected to be not expired after Retrieve")
+	}
+}
+
+func TestChainWithNoProvider(t *testing.T) {
+	p := &Chain{
+		Providers: []Provider{},
+	}
+	if !p.IsExpired() {
+		t.Fatal("Expected to be expired with no providers")
+	}
+	_, err := p.Retrieve()
+	if err != nil {
+		if err.Error() != "No valid providers found []" {
+			t.Error(err)
+		}
+	}
+}
+
+func TestChainProviderWithNoValidProvider(t *testing.T) {
+	errs := []error{
+		errors.New("FirstError"),
+		errors.New("SecondError"),
+	}
+	p := &Chain{
+		Providers: []Provider{
+			&credProvider{err: errs[0]},
+			&credProvider{err: errs[1]},
+		},
+	}
+
+	if !p.IsExpired() {
+		t.Fatal("Expected to be expired with no providers")
+	}
+
+	_, err := p.Retrieve()
+	if err != nil {
+		if err.Error() != "No valid providers found [FirstError SecondError]" {
+			t.Error(err)
+		}
+	}
+}
diff --git a/vendor/github.com/minio/minio-go/pkg/credentials/config.json.sample b/vendor/github.com/minio/minio-go/pkg/credentials/config.json.sample
new file mode 100644
index 000000000..130746f4b
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/pkg/credentials/config.json.sample
@@ -0,0 +1,17 @@
+{
+	"version": "8",
+	"hosts": {
+		"play": {
+			"url": "https://play.minio.io:9000",
+			"accessKey": "Q3AM3UQ867SPQQA43P2F",
+			"secretKey": "zuf+tfteSlswRu7BJ86wekitnifILbZam1KYY3TG",
+			"api": "S3v2"
+		},
+		"s3": {
+			"url": "https://s3.amazonaws.com",
+			"accessKey": "accessKey",
+			"secretKey": "secret",
+			"api": "S3v4"
+		}
+	}
+}
\ No newline at end of file
diff --git a/vendor/github.com/minio/minio-go/pkg/credentials/credentials.go b/vendor/github.com/minio/minio-go/pkg/credentials/credentials.go
new file mode 100644
index 000000000..cc3000532
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/pkg/credentials/credentials.go
@@ -0,0 +1,175 @@
+/*
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage
+ * (C) 2017 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package credentials
+
+import (
+	"sync"
+	"time"
+)
+
+// A Value is the AWS credentials value for individual credential fields.
+type Value struct {
+	// AWS Access key ID
+	AccessKeyID string
+
+	// AWS Secret Access Key
+	SecretAccessKey string
+
+	// AWS Session Token
+	SessionToken string
+
+	// Signature Type.
+	SignerType SignatureType
+}
+
+// A Provider is the interface for any component which will provide credentials
+// Value. A provider is required to manage its own Expired state, and what to
+// be expired means.
+type Provider interface {
+	// Retrieve returns nil if it successfully retrieved the value.
+	// Error is returned if the value were not obtainable, or empty.
+	Retrieve() (Value, error)
+
+	// IsExpired returns if the credentials are no longer valid, and need
+	// to be retrieved.
+	IsExpired() bool
+}
+
+// A Expiry provides shared expiration logic to be used by credentials
+// providers to implement expiry functionality.
+//
+// The best method to use this struct is as an anonymous field within the
+// provider's struct.
+//
+// Example:
+//     type IAMCredentialProvider struct {
+//         Expiry
+//         ...
+//     }
+type Expiry struct {
+	// The date/time when to expire on
+	expiration time.Time
+
+	// If set will be used by IsExpired to determine the current time.
+	// Defaults to time.Now if CurrentTime is not set.
+	CurrentTime func() time.Time
+}
+
+// SetExpiration sets the expiration IsExpired will check when called.
+//
+// If window is greater than 0 the expiration time will be reduced by the
+// window value.
+//
+// Using a window is helpful to trigger credentials to expire sooner than
+// the expiration time given to ensure no requests are made with expired
+// tokens.
+func (e *Expiry) SetExpiration(expiration time.Time, window time.Duration) {
+	e.expiration = expiration
+	if window > 0 {
+		e.expiration = e.expiration.Add(-window)
+	}
+}
+
+// IsExpired returns if the credentials are expired.
+func (e *Expiry) IsExpired() bool {
+	if e.CurrentTime == nil {
+		e.CurrentTime = time.Now
+	}
+	return e.expiration.Before(e.CurrentTime())
+}
+
+// Credentials - A container for synchronous safe retrieval of credentials Value.
+// Credentials will cache the credentials value until they expire. Once the value
+// expires the next Get will attempt to retrieve valid credentials.
+//
+// Credentials is safe to use across multiple goroutines and will manage the
+// synchronous state so the Providers do not need to implement their own
+// synchronization.
+//
+// The first Credentials.Get() will always call Provider.Retrieve() to get the
+// first instance of the credentials Value. All calls to Get() after that
+// will return the cached credentials Value until IsExpired() returns true.
+type Credentials struct {
+	sync.Mutex
+
+	creds        Value
+	forceRefresh bool
+	provider     Provider
+}
+
+// New returns a pointer to a new Credentials with the provider set.
+func New(provider Provider) *Credentials {
+	return &Credentials{
+		provider:     provider,
+		forceRefresh: true,
+	}
+}
+
+// Get returns the credentials value, or error if the credentials Value failed
+// to be retrieved.
+//
+// Will return the cached credentials Value if it has not expired. If the
+// credentials Value has expired the Provider's Retrieve() will be called
+// to refresh the credentials.
+//
+// If Credentials.Expire() was called the credentials Value will be force
+// expired, and the next call to Get() will cause them to be refreshed.
+func (c *Credentials) Get() (Value, error) {
+	c.Lock()
+	defer c.Unlock()
+
+	if c.isExpired() {
+		creds, err := c.provider.Retrieve()
+		if err != nil {
+			return Value{}, err
+		}
+		c.creds = creds
+		c.forceRefresh = false
+	}
+
+	return c.creds, nil
+}
+
+// Expire expires the credentials and forces them to be retrieved on the
+// next call to Get().
+//
+// This will override the Provider's expired state, and force Credentials
+// to call the Provider's Retrieve().
+func (c *Credentials) Expire() {
+	c.Lock()
+	defer c.Unlock()
+
+	c.forceRefresh = true
+}
+
+// IsExpired returns if the credentials are no longer valid, and need
+// to be refreshed.
+//
+// If the Credentials were forced to be expired with Expire() this will
+// reflect that override.
+func (c *Credentials) IsExpired() bool {
+	c.Lock()
+	defer c.Unlock()
+
+	return c.isExpired()
+}
+
+// isExpired helper method wrapping the definition of expired credentials.
+func (c *Credentials) isExpired() bool {
+	return c.forceRefresh || c.provider.IsExpired()
+}
diff --git a/vendor/github.com/minio/minio-go/pkg/credentials/credentials.sample b/vendor/github.com/minio/minio-go/pkg/credentials/credentials.sample
new file mode 100644
index 000000000..7fc91d9d2
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/pkg/credentials/credentials.sample
@@ -0,0 +1,12 @@
+[default]
+aws_access_key_id = accessKey
+aws_secret_access_key = secret
+aws_session_token = token
+
+[no_token]
+aws_access_key_id = accessKey
+aws_secret_access_key = secret
+
+[with_colon]
+aws_access_key_id: accessKey
+aws_secret_access_key: secret
diff --git a/vendor/github.com/minio/minio-go/pkg/credentials/credentials_test.go b/vendor/github.com/minio/minio-go/pkg/credentials/credentials_test.go
new file mode 100644
index 000000000..cbfb673b7
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/pkg/credentials/credentials_test.go
@@ -0,0 +1,73 @@
+/*
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage
+ * (C) 2017 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package credentials
+
+import (
+	"errors"
+	"testing"
+)
+
+type credProvider struct {
+	creds   Value
+	expired bool
+	err     error
+}
+
+func (s *credProvider) Retrieve() (Value, error) {
+	s.expired = false
+	return s.creds, s.err
+}
+func (s *credProvider) IsExpired() bool {
+	return s.expired
+}
+
+func TestCredentialsGet(t *testing.T) {
+	c := New(&credProvider{
+		creds: Value{
+			AccessKeyID:     "UXHW",
+			SecretAccessKey: "MYSECRET",
+			SessionToken:    "",
+		},
+		expired: true,
+	})
+
+	creds, err := c.Get()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if "UXHW" != creds.AccessKeyID {
+		t.Errorf("Expected \"UXHW\", got %s", creds.AccessKeyID)
+	}
+	if "MYSECRET" != creds.SecretAccessKey {
+		t.Errorf("Expected \"MYSECRET\", got %s", creds.SecretAccessKey)
+	}
+	if creds.SessionToken != "" {
+		t.Errorf("Expected session token to be empty, got %s", creds.SessionToken)
+	}
+}
+
+func TestCredentialsGetWithError(t *testing.T) {
+	c := New(&credProvider{err: errors.New("Custom error")})
+
+	_, err := c.Get()
+	if err != nil {
+		if err.Error() != "Custom error" {
+			t.Errorf("Expected \"Custom error\", got %s", err.Error())
+		}
+	}
+}
diff --git a/vendor/github.com/minio/minio-go/pkg/credentials/doc.go b/vendor/github.com/minio/minio-go/pkg/credentials/doc.go
new file mode 100644
index 000000000..fa1908aeb
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/pkg/credentials/doc.go
@@ -0,0 +1,45 @@
+// Package credentials provides credential retrieval and management
+// for S3 compatible object storage.
+//
+// By default the Credentials.Get() will cache the successful result of a
+// Provider's Retrieve() until Provider.IsExpired() returns true. At which
+// point Credentials will call Provider's Retrieve() to get new credential Value.
+//
+// The Provider is responsible for determining when credentials have expired.
+// It is also important to note that Credentials will always call Retrieve the
+// first time Credentials.Get() is called.
+//
+// Example of using the environment variable credentials.
+//
+//     creds := NewFromEnv()
+//     // Retrieve the credentials value
+//     credValue, err := creds.Get()
+//     if err != nil {
+//         // handle error
+//     }
+//
+// Example of forcing credentials to expire and be refreshed on the next Get().
+// This may be helpful to proactively expire credentials and refresh them sooner
+// than they would naturally expire on their own.
+//
+//     creds := NewFromIAM("")
+//     creds.Expire()
+//     credsValue, err := creds.Get()
+//     // New credentials will be retrieved instead of from cache.
+//
+//
+// Custom Provider
+//
+// Each Provider built into this package also provides a helper method to generate
+// a Credentials pointer setup with the provider. To use a custom Provider just
+// create a type which satisfies the Provider interface and pass it to the
+// NewCredentials method.
+//
+//     type MyProvider struct{}
+//     func (m *MyProvider) Retrieve() (Value, error) {...}
+//     func (m *MyProvider) IsExpired() bool {...}
+//
+//     creds := NewCredentials(&MyProvider{})
+//     credValue, err := creds.Get()
+//
+package credentials
diff --git a/vendor/github.com/minio/minio-go/pkg/credentials/env_aws.go b/vendor/github.com/minio/minio-go/pkg/credentials/env_aws.go
new file mode 100644
index 000000000..11934433c
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/pkg/credentials/env_aws.go
@@ -0,0 +1,71 @@
+/*
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage
+ * (C) 2017 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package credentials
+
+import "os"
+
+// A EnvAWS retrieves credentials from the environment variables of the
+// running process. EnvAWSironment credentials never expire.
+//
+// EnvAWSironment variables used:
+//
+// * Access Key ID:     AWS_ACCESS_KEY_ID or AWS_ACCESS_KEY.
+// * Secret Access Key: AWS_SECRET_ACCESS_KEY or AWS_SECRET_KEY.
+// * Secret Token:      AWS_SESSION_TOKEN.
+type EnvAWS struct {
+	retrieved bool
+}
+
+// NewEnvAWS returns a pointer to a new Credentials object
+// wrapping the environment variable provider.
+func NewEnvAWS() *Credentials {
+	return New(&EnvAWS{})
+}
+
+// Retrieve retrieves the keys from the environment.
+func (e *EnvAWS) Retrieve() (Value, error) {
+	e.retrieved = false
+
+	id := os.Getenv("AWS_ACCESS_KEY_ID")
+	if id == "" {
+		id = os.Getenv("AWS_ACCESS_KEY")
+	}
+
+	secret := os.Getenv("AWS_SECRET_ACCESS_KEY")
+	if secret == "" {
+		secret = os.Getenv("AWS_SECRET_KEY")
+	}
+
+	signerType := SignatureV4
+	if id == "" || secret == "" {
+		signerType = SignatureAnonymous
+	}
+
+	e.retrieved = true
+	return Value{
+		AccessKeyID:     id,
+		SecretAccessKey: secret,
+		SessionToken:    os.Getenv("AWS_SESSION_TOKEN"),
+		SignerType:      signerType,
+	}, nil
+}
+
+// IsExpired returns if the credentials have been retrieved.
+func (e *EnvAWS) IsExpired() bool {
+	return !e.retrieved
+}
diff --git a/vendor/github.com/minio/minio-go/pkg/credentials/env_minio.go b/vendor/github.com/minio/minio-go/pkg/credentials/env_minio.go
new file mode 100644
index 000000000..791087ef5
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/pkg/credentials/env_minio.go
@@ -0,0 +1,62 @@
+/*
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage
+ * (C) 2017 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package credentials
+
+import "os"
+
+// A EnvMinio retrieves credentials from the environment variables of the
+// running process. EnvMinioironment credentials never expire.
+//
+// EnvMinioironment variables used:
+//
+// * Access Key ID:     MINIO_ACCESS_KEY.
+// * Secret Access Key: MINIO_SECRET_KEY.
+type EnvMinio struct {
+	retrieved bool
+}
+
+// NewEnvMinio returns a pointer to a new Credentials object
+// wrapping the environment variable provider.
+func NewEnvMinio() *Credentials {
+	return New(&EnvMinio{})
+}
+
+// Retrieve retrieves the keys from the environment.
+func (e *EnvMinio) Retrieve() (Value, error) {
+	e.retrieved = false
+
+	id := os.Getenv("MINIO_ACCESS_KEY")
+	secret := os.Getenv("MINIO_SECRET_KEY")
+
+	signerType := SignatureV4
+	if id == "" || secret == "" {
+		signerType = SignatureAnonymous
+	}
+
+	e.retrieved = true
+	return Value{
+		AccessKeyID:     id,
+		SecretAccessKey: secret,
+		SignerType:      signerType,
+	}, nil
+}
+
+// IsExpired returns if the credentials have been retrieved.
+func (e *EnvMinio) IsExpired() bool {
+	return !e.retrieved
+}
diff --git a/vendor/github.com/minio/minio-go/pkg/credentials/env_test.go b/vendor/github.com/minio/minio-go/pkg/credentials/env_test.go
new file mode 100644
index 000000000..2f72bea40
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/pkg/credentials/env_test.go
@@ -0,0 +1,105 @@
+/*
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage
+ * (C) 2017 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package credentials
+
+import (
+	"os"
+	"reflect"
+	"testing"
+)
+
+func TestEnvAWSRetrieve(t *testing.T) {
+	os.Clearenv()
+	os.Setenv("AWS_ACCESS_KEY_ID", "access")
+	os.Setenv("AWS_SECRET_ACCESS_KEY", "secret")
+	os.Setenv("AWS_SESSION_TOKEN", "token")
+
+	e := EnvAWS{}
+	if !e.IsExpired() {
+		t.Error("Expect creds to be expired before retrieve.")
+	}
+
+	creds, err := e.Retrieve()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	expectedCreds := Value{
+		AccessKeyID:     "access",
+		SecretAccessKey: "secret",
+		SessionToken:    "token",
+		SignerType:      SignatureV4,
+	}
+	if !reflect.DeepEqual(creds, expectedCreds) {
+		t.Errorf("Expected %v, got %v", expectedCreds, creds)
+	}
+
+	if e.IsExpired() {
+		t.Error("Expect creds to not be expired after retrieve.")
+	}
+
+	os.Clearenv()
+	os.Setenv("AWS_ACCESS_KEY", "access")
+	os.Setenv("AWS_SECRET_KEY", "secret")
+
+	expectedCreds = Value{
+		AccessKeyID:     "access",
+		SecretAccessKey: "secret",
+		SignerType:      SignatureV4,
+	}
+
+	creds, err = e.Retrieve()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if !reflect.DeepEqual(creds, expectedCreds) {
+		t.Errorf("Expected %v, got %v", expectedCreds, creds)
+	}
+
+}
+
+func TestEnvMinioRetrieve(t *testing.T) {
+	os.Clearenv()
+
+	os.Setenv("MINIO_ACCESS_KEY", "access")
+	os.Setenv("MINIO_SECRET_KEY", "secret")
+
+	e := EnvMinio{}
+	if !e.IsExpired() {
+		t.Error("Expect creds to be expired before retrieve.")
+	}
+
+	creds, err := e.Retrieve()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	expectedCreds := Value{
+		AccessKeyID:     "access",
+		SecretAccessKey: "secret",
+		SignerType:      SignatureV4,
+	}
+	if !reflect.DeepEqual(creds, expectedCreds) {
+		t.Errorf("Expected %v, got %v", expectedCreds, creds)
+	}
+
+	if e.IsExpired() {
+		t.Error("Expect creds to not be expired after retrieve.")
+	}
+}
diff --git a/vendor/github.com/minio/minio-go/pkg/credentials/file_aws_credentials.go b/vendor/github.com/minio/minio-go/pkg/credentials/file_aws_credentials.go
new file mode 100644
index 000000000..1be621385
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/pkg/credentials/file_aws_credentials.go
@@ -0,0 +1,120 @@
+/*
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage
+ * (C) 2017 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package credentials
+
+import (
+	"os"
+	"path/filepath"
+
+	"github.com/go-ini/ini"
+	homedir "github.com/minio/go-homedir"
+)
+
+// A FileAWSCredentials retrieves credentials from the current user's home
+// directory, and keeps track if those credentials are expired.
+//
+// Profile ini file example: $HOME/.aws/credentials
+type FileAWSCredentials struct {
+	// Path to the shared credentials file.
+	//
+	// If empty will look for "AWS_SHARED_CREDENTIALS_FILE" env variable. If the
+	// env value is empty will default to current user's home directory.
+	// Linux/OSX: "$HOME/.aws/credentials"
+	// Windows:   "%USERPROFILE%\.aws\credentials"
+	filename string
+
+	// AWS Profile to extract credentials from the shared credentials file. If empty
+	// will default to environment variable "AWS_PROFILE" or "default" if
+	// environment variable is also not set.
+	profile string
+
+	// retrieved states if the credentials have been successfully retrieved.
+	retrieved bool
+}
+
+// NewFileAWSCredentials returns a pointer to a new Credentials object
+// wrapping the Profile file provider.
+func NewFileAWSCredentials(filename string, profile string) *Credentials {
+	return New(&FileAWSCredentials{
+		filename: filename,
+		profile:  profile,
+	})
+}
+
+// Retrieve reads and extracts the shared credentials from the current
+// users home directory.
+func (p *FileAWSCredentials) Retrieve() (Value, error) {
+	if p.filename == "" {
+		p.filename = os.Getenv("AWS_SHARED_CREDENTIALS_FILE")
+		if p.filename == "" {
+			homeDir, err := homedir.Dir()
+			if err != nil {
+				return Value{}, err
+			}
+			p.filename = filepath.Join(homeDir, ".aws", "credentials")
+		}
+	}
+	if p.profile == "" {
+		p.profile = os.Getenv("AWS_PROFILE")
+		if p.profile == "" {
+			p.profile = "default"
+		}
+	}
+
+	p.retrieved = false
+
+	iniProfile, err := loadProfile(p.filename, p.profile)
+	if err != nil {
+		return Value{}, err
+	}
+
+	// Default to empty string if not found.
+	id := iniProfile.Key("aws_access_key_id")
+	// Default to empty string if not found.
+	secret := iniProfile.Key("aws_secret_access_key")
+	// Default to empty string if not found.
+	token := iniProfile.Key("aws_session_token")
+
+	p.retrieved = true
+	return Value{
+		AccessKeyID:     id.String(),
+		SecretAccessKey: secret.String(),
+		SessionToken:    token.String(),
+		SignerType:      SignatureV4,
+	}, nil
+}
+
+// IsExpired returns if the shared credentials have expired.
+func (p *FileAWSCredentials) IsExpired() bool {
+	return !p.retrieved
+}
+
+// loadProfiles loads from the file pointed to by shared credentials filename for profile.
+// The credentials retrieved from the profile will be returned or error. Error will be
+// returned if it fails to read from the file, or the data is invalid.
+func loadProfile(filename, profile string) (*ini.Section, error) {
+	config, err := ini.Load(filename)
+	if err != nil {
+		return nil, err
+	}
+	iniProfile, err := config.GetSection(profile)
+	if err != nil {
+		return nil, err
+	}
+	return iniProfile, nil
+}
diff --git a/vendor/github.com/minio/minio-go/pkg/credentials/file_minio_client.go b/vendor/github.com/minio/minio-go/pkg/credentials/file_minio_client.go
new file mode 100644
index 000000000..9e26dd302
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/pkg/credentials/file_minio_client.go
@@ -0,0 +1,129 @@
+/*
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage
+ * (C) 2017 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package credentials
+
+import (
+	"encoding/json"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"runtime"
+
+	homedir "github.com/minio/go-homedir"
+)
+
+// A FileMinioClient retrieves credentials from the current user's home
+// directory, and keeps track if those credentials are expired.
+//
+// Configuration file example: $HOME/.mc/config.json
+type FileMinioClient struct {
+	// Path to the shared credentials file.
+	//
+	// If empty will look for "MINIO_SHARED_CREDENTIALS_FILE" env variable. If the
+	// env value is empty will default to current user's home directory.
+	// Linux/OSX: "$HOME/.mc/config.json"
+	// Windows:   "%USERALIAS%\mc\config.json"
+	filename string
+
+	// Minio Alias to extract credentials from the shared credentials file. If empty
+	// will default to environment variable "MINIO_ALIAS" or "default" if
+	// environment variable is also not set.
+	alias string
+
+	// retrieved states if the credentials have been successfully retrieved.
+	retrieved bool
+}
+
+// NewFileMinioClient returns a pointer to a new Credentials object
+// wrapping the Alias file provider.
+func NewFileMinioClient(filename string, alias string) *Credentials {
+	return New(&FileMinioClient{
+		filename: filename,
+		alias:    alias,
+	})
+}
+
+// Retrieve reads and extracts the shared credentials from the current
+// users home directory.
+func (p *FileMinioClient) Retrieve() (Value, error) {
+	if p.filename == "" {
+		homeDir, err := homedir.Dir()
+		if err != nil {
+			return Value{}, err
+		}
+		p.filename = filepath.Join(homeDir, ".mc", "config.json")
+		if runtime.GOOS == "windows" {
+			p.filename = filepath.Join(homeDir, "mc", "config.json")
+		}
+	}
+
+	if p.alias == "" {
+		p.alias = os.Getenv("MINIO_ALIAS")
+		if p.alias == "" {
+			p.alias = "s3"
+		}
+	}
+
+	p.retrieved = false
+
+	hostCfg, err := loadAlias(p.filename, p.alias)
+	if err != nil {
+		return Value{}, err
+	}
+
+	p.retrieved = true
+	return Value{
+		AccessKeyID:     hostCfg.AccessKey,
+		SecretAccessKey: hostCfg.SecretKey,
+		SignerType:      parseSignatureType(hostCfg.API),
+	}, nil
+}
+
+// IsExpired returns if the shared credentials have expired.
+func (p *FileMinioClient) IsExpired() bool {
+	return !p.retrieved
+}
+
+// hostConfig configuration of a host.
+type hostConfig struct {
+	URL       string `json:"url"`
+	AccessKey string `json:"accessKey"`
+	SecretKey string `json:"secretKey"`
+	API       string `json:"api"`
+}
+
+// config config version.
+type config struct {
+	Version string                `json:"version"`
+	Hosts   map[string]hostConfig `json:"hosts"`
+}
+
+// loadAliass loads from the file pointed to by shared credentials filename for alias.
+// The credentials retrieved from the alias will be returned or error. Error will be
+// returned if it fails to read from the file.
+func loadAlias(filename, alias string) (hostConfig, error) {
+	cfg := &config{}
+	configBytes, err := ioutil.ReadFile(filename)
+	if err != nil {
+		return hostConfig{}, err
+	}
+	if err = json.Unmarshal(configBytes, cfg); err != nil {
+		return hostConfig{}, err
+	}
+	return cfg.Hosts[alias], nil
+}
diff --git a/vendor/github.com/minio/minio-go/pkg/credentials/file_test.go b/vendor/github.com/minio/minio-go/pkg/credentials/file_test.go
new file mode 100644
index 000000000..c62c53365
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/pkg/credentials/file_test.go
@@ -0,0 +1,189 @@
+/*
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage
+ * (C) 2017 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package credentials
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestFileAWS(t *testing.T) {
+	os.Clearenv()
+
+	creds := NewFileAWSCredentials("credentials.sample", "")
+	credValues, err := creds.Get()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if credValues.AccessKeyID != "accessKey" {
+		t.Errorf("Expected 'accessKey', got %s'", credValues.AccessKeyID)
+	}
+	if credValues.SecretAccessKey != "secret" {
+		t.Errorf("Expected 'secret', got %s'", credValues.SecretAccessKey)
+	}
+	if credValues.SessionToken != "token" {
+		t.Errorf("Expected 'token', got %s'", credValues.SessionToken)
+	}
+
+	os.Setenv("AWS_SHARED_CREDENTIALS_FILE", "credentials.sample")
+	creds = NewFileAWSCredentials("", "")
+	credValues, err = creds.Get()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if credValues.AccessKeyID != "accessKey" {
+		t.Errorf("Expected 'accessKey', got %s'", credValues.AccessKeyID)
+	}
+	if credValues.SecretAccessKey != "secret" {
+		t.Errorf("Expected 'secret', got %s'", credValues.SecretAccessKey)
+	}
+	if credValues.SessionToken != "token" {
+		t.Errorf("Expected 'token', got %s'", credValues.SessionToken)
+	}
+
+	wd, err := os.Getwd()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	os.Setenv("AWS_SHARED_CREDENTIALS_FILE", filepath.Join(wd, "credentials.sample"))
+	creds = NewFileAWSCredentials("", "")
+	credValues, err = creds.Get()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if credValues.AccessKeyID != "accessKey" {
+		t.Errorf("Expected 'accessKey', got %s'", credValues.AccessKeyID)
+	}
+	if credValues.SecretAccessKey != "secret" {
+		t.Errorf("Expected 'secret', got %s'", credValues.SecretAccessKey)
+	}
+	if credValues.SessionToken != "token" {
+		t.Errorf("Expected 'token', got %s'", credValues.SessionToken)
+	}
+
+	os.Clearenv()
+	os.Setenv("AWS_PROFILE", "no_token")
+
+	creds = NewFileAWSCredentials("credentials.sample", "")
+	credValues, err = creds.Get()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if credValues.AccessKeyID != "accessKey" {
+		t.Errorf("Expected 'accessKey', got %s'", credValues.AccessKeyID)
+	}
+	if credValues.SecretAccessKey != "secret" {
+		t.Errorf("Expected 'secret', got %s'", credValues.SecretAccessKey)
+	}
+
+	os.Clearenv()
+
+	creds = NewFileAWSCredentials("credentials.sample", "no_token")
+	credValues, err = creds.Get()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if credValues.AccessKeyID != "accessKey" {
+		t.Errorf("Expected 'accessKey', got %s'", credValues.AccessKeyID)
+	}
+	if credValues.SecretAccessKey != "secret" {
+		t.Errorf("Expected 'secret', got %s'", credValues.SecretAccessKey)
+	}
+
+	creds = NewFileAWSCredentials("credentials-non-existent.sample", "no_token")
+	_, err = creds.Get()
+	if !os.IsNotExist(err) {
+		t.Errorf("Expected open non-existent.json: no such file or directory, got %s", err)
+	}
+	if !creds.IsExpired() {
+		t.Error("Should be expired if not loaded")
+	}
+}
+
+func TestFileMinioClient(t *testing.T) {
+	os.Clearenv()
+
+	creds := NewFileMinioClient("config.json.sample", "")
+	credValues, err := creds.Get()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if credValues.AccessKeyID != "accessKey" {
+		t.Errorf("Expected 'accessKey', got %s'", credValues.AccessKeyID)
+	}
+	if credValues.SecretAccessKey != "secret" {
+		t.Errorf("Expected 'secret', got %s'", credValues.SecretAccessKey)
+	}
+	if credValues.SignerType != SignatureV4 {
+		t.Errorf("Expected 'S3v4', got %s'", credValues.SignerType)
+	}
+
+	os.Clearenv()
+	os.Setenv("MINIO_ALIAS", "play")
+
+	creds = NewFileMinioClient("config.json.sample", "")
+	credValues, err = creds.Get()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if credValues.AccessKeyID != "Q3AM3UQ867SPQQA43P2F" {
+		t.Errorf("Expected 'Q3AM3UQ867SPQQA43P2F', got %s'", credValues.AccessKeyID)
+	}
+	if credValues.SecretAccessKey != "zuf+tfteSlswRu7BJ86wekitnifILbZam1KYY3TG" {
+		t.Errorf("Expected 'zuf+tfteSlswRu7BJ86wekitnifILbZam1KYY3TG', got %s'", credValues.SecretAccessKey)
+	}
+	if credValues.SignerType != SignatureV2 {
+		t.Errorf("Expected 'S3v2', got %s'", credValues.SignerType)
+	}
+
+	os.Clearenv()
+
+	creds = NewFileMinioClient("config.json.sample", "play")
+	credValues, err = creds.Get()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if credValues.AccessKeyID != "Q3AM3UQ867SPQQA43P2F" {
+		t.Errorf("Expected 'Q3AM3UQ867SPQQA43P2F', got %s'", credValues.AccessKeyID)
+	}
+	if credValues.SecretAccessKey != "zuf+tfteSlswRu7BJ86wekitnifILbZam1KYY3TG" {
+		t.Errorf("Expected 'zuf+tfteSlswRu7BJ86wekitnifILbZam1KYY3TG', got %s'", credValues.SecretAccessKey)
+	}
+	if credValues.SignerType != SignatureV2 {
+		t.Errorf("Expected 'S3v2', got %s'", credValues.SignerType)
+	}
+
+	creds = NewFileMinioClient("non-existent.json", "play")
+	_, err = creds.Get()
+	if !os.IsNotExist(err) {
+		t.Errorf("Expected open non-existent.json: no such file or directory, got %s", err)
+	}
+	if !creds.IsExpired() {
+		t.Error("Should be expired if not loaded")
+	}
+}
diff --git a/vendor/github.com/minio/minio-go/pkg/credentials/iam_aws.go b/vendor/github.com/minio/minio-go/pkg/credentials/iam_aws.go
new file mode 100644
index 000000000..b862cf538
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/pkg/credentials/iam_aws.go
@@ -0,0 +1,227 @@
+/*
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage
+ * (C) 2017 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package credentials
+
+import (
+	"bufio"
+	"encoding/json"
+	"errors"
+	"net/http"
+	"net/url"
+	"path"
+	"time"
+)
+
+// DefaultExpiryWindow - Default expiry window.
+// ExpiryWindow will allow the credentials to trigger refreshing
+// prior to the credentials actually expiring. This is beneficial
+// so race conditions with expiring credentials do not cause
+// request to fail unexpectedly due to ExpiredTokenException exceptions.
+const DefaultExpiryWindow = time.Second * 10 // 10 secs
+
+// A IAM retrieves credentials from the EC2 service, and keeps track if
+// those credentials are expired.
+type IAM struct {
+	Expiry
+
+	// Required http Client to use when connecting to IAM metadata service.
+	Client *http.Client
+
+	// Custom endpoint to fetch IAM role credentials.
+	endpoint string
+}
+
+// redirectHeaders copies all headers when following a redirect URL.
+// This won't be needed anymore from go 1.8 (https://github.com/golang/go/issues/4800)
+func redirectHeaders(req *http.Request, via []*http.Request) error {
+	if len(via) == 0 {
+		return nil
+	}
+	for key, val := range via[0].Header {
+		req.Header[key] = val
+	}
+	return nil
+}
+
+// IAM Roles for Amazon EC2
+// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
+const (
+	defaultIAMRoleEndpoint      = "http://169.254.169.254"
+	defaultIAMSecurityCredsPath = "/latest/meta-data/iam/security-credentials"
+)
+
+// NewIAM returns a pointer to a new Credentials object wrapping
+// the IAM. Takes a ConfigProvider to create a EC2Metadata client.
+// The ConfigProvider is satisfied by the session.Session type.
+func NewIAM(endpoint string) *Credentials {
+	if endpoint == "" {
+		endpoint = defaultIAMRoleEndpoint
+	}
+	p := &IAM{
+		Client: &http.Client{
+			Transport:     http.DefaultTransport,
+			CheckRedirect: redirectHeaders,
+		},
+		endpoint: endpoint,
+	}
+	return New(p)
+}
+
+// Retrieve retrieves credentials from the EC2 service.
+// Error will be returned if the request fails, or unable to extract
+// the desired
+func (m *IAM) Retrieve() (Value, error) {
+	roleCreds, err := getCredentials(m.Client, m.endpoint)
+	if err != nil {
+		return Value{}, err
+	}
+
+	// Expiry window is set to 10secs.
+	m.SetExpiration(roleCreds.Expiration, DefaultExpiryWindow)
+
+	return Value{
+		AccessKeyID:     roleCreds.AccessKeyID,
+		SecretAccessKey: roleCreds.SecretAccessKey,
+		SessionToken:    roleCreds.Token,
+		SignerType:      SignatureV4,
+	}, nil
+}
+
+// A ec2RoleCredRespBody provides the shape for unmarshaling credential
+// request responses.
+type ec2RoleCredRespBody struct {
+	// Success State
+	Expiration      time.Time
+	AccessKeyID     string
+	SecretAccessKey string
+	Token           string
+
+	// Error state
+	Code    string
+	Message string
+
+	// Unused params.
+	LastUpdated time.Time
+	Type        string
+}
+
+// Get the final IAM role URL where the request will
+// be sent to fetch the rolling access credentials.
+// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
+func getIAMRoleURL(endpoint string) (*url.URL, error) {
+	if endpoint == "" {
+		endpoint = defaultIAMRoleEndpoint
+	}
+	u, err := url.Parse(endpoint)
+	if err != nil {
+		return nil, err
+	}
+	u.Path = defaultIAMSecurityCredsPath
+	return u, nil
+}
+
+// listRoleNames lists of credential role names associated
+// with the current EC2 service. If there are no credentials,
+// or there is an error making or receiving the request.
+// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
+func listRoleNames(client *http.Client, u *url.URL) ([]string, error) {
+	req, err := http.NewRequest("GET", u.String(), nil)
+	if err != nil {
+		return nil, err
+	}
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return nil, errors.New(resp.Status)
+	}
+
+	credsList := []string{}
+	s := bufio.NewScanner(resp.Body)
+	for s.Scan() {
+		credsList = append(credsList, s.Text())
+	}
+
+	if err := s.Err(); err != nil {
+		return nil, err
+	}
+
+	return credsList, nil
+}
+
+// getCredentials - obtains the credentials from the IAM role name associated with
+// the current EC2 service.
+//
+// If the credentials cannot be found, or there is an error
+// reading the response an error will be returned.
+func getCredentials(client *http.Client, endpoint string) (ec2RoleCredRespBody, error) {
+	// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
+	u, err := getIAMRoleURL(endpoint)
+	if err != nil {
+		return ec2RoleCredRespBody{}, err
+	}
+
+	// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
+	roleNames, err := listRoleNames(client, u)
+	if err != nil {
+		return ec2RoleCredRespBody{}, err
+	}
+
+	if len(roleNames) == 0 {
+		return ec2RoleCredRespBody{}, errors.New("No IAM roles attached to this EC2 service")
+	}
+
+	// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
+	// - An instance profile can contain only one IAM role. This limit cannot be increased.
+	roleName := roleNames[0]
+
+	// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
+	// The following command retrieves the security credentials for an
+	// IAM role named `s3access`.
+	//
+	//    $ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
+	//
+	u.Path = path.Join(u.Path, roleName)
+	req, err := http.NewRequest("GET", u.String(), nil)
+	if err != nil {
+		return ec2RoleCredRespBody{}, err
+	}
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return ec2RoleCredRespBody{}, err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return ec2RoleCredRespBody{}, errors.New(resp.Status)
+	}
+
+	respCreds := ec2RoleCredRespBody{}
+	if err := json.NewDecoder(resp.Body).Decode(&respCreds); err != nil {
+		return ec2RoleCredRespBody{}, err
+	}
+
+	if respCreds.Code != "Success" {
+		// If an error code was returned something failed requesting the role.
+		return ec2RoleCredRespBody{}, errors.New(respCreds.Message)
+	}
+
+	return respCreds, nil
+}
diff --git a/vendor/github.com/minio/minio-go/pkg/credentials/iam_aws_test.go b/vendor/github.com/minio/minio-go/pkg/credentials/iam_aws_test.go
new file mode 100644
index 000000000..3e5ad3ec0
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/pkg/credentials/iam_aws_test.go
@@ -0,0 +1,180 @@
+package credentials
+
+import (
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+)
+
+const credsRespTmpl = `{
+  "Code": "Success",
+  "Type": "AWS-HMAC",
+  "AccessKeyId" : "accessKey",
+  "SecretAccessKey" : "secret",
+  "Token" : "token",
+  "Expiration" : "%s",
+  "LastUpdated" : "2009-11-23T0:00:00Z"
+}`
+
+const credsFailRespTmpl = `{
+  "Code": "ErrorCode",
+  "Message": "ErrorMsg",
+  "LastUpdated": "2009-11-23T0:00:00Z"
+}`
+
+func initTestFailServer() *httptest.Server {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		http.Error(w, "Not allowed", http.StatusBadRequest)
+	}))
+	return server
+}
+
+func initTestServerNoRoles() *httptest.Server {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Write([]byte(""))
+	}))
+	return server
+}
+
+func initTestServer(expireOn string, failAssume bool) *httptest.Server {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path == "/latest/meta-data/iam/security-credentials" {
+			fmt.Fprintln(w, "RoleName")
+		} else if r.URL.Path == "/latest/meta-data/iam/security-credentials/RoleName" {
+			if failAssume {
+				fmt.Fprintf(w, credsFailRespTmpl)
+			} else {
+				fmt.Fprintf(w, credsRespTmpl, expireOn)
+			}
+		} else {
+			http.Error(w, "bad request", http.StatusBadRequest)
+		}
+	}))
+
+	return server
+}
+
+func TestIAMMalformedEndpoint(t *testing.T) {
+	creds := NewIAM("%%%%")
+	_, err := creds.Get()
+	if err == nil {
+		t.Fatal("Unexpected should fail here")
+	}
+	if err.Error() != `parse %%%%: invalid URL escape "%%%"` {
+		t.Fatalf("Expected parse %%%%%%%%: invalid URL escape \"%%%%%%\", got %s", err)
+	}
+}
+
+func TestIAMFailServer(t *testing.T) {
+	server := initTestFailServer()
+	defer server.Close()
+
+	creds := NewIAM(server.URL)
+
+	_, err := creds.Get()
+	if err == nil {
+		t.Fatal("Unexpected should fail here")
+	}
+	if err.Error() != "400 Bad Request" {
+		t.Fatalf("Expected '400 Bad Request', got %s", err)
+	}
+}
+
+func TestIAMNoRoles(t *testing.T) {
+	server := initTestServerNoRoles()
+	defer server.Close()
+
+	creds := NewIAM(server.URL)
+	_, err := creds.Get()
+	if err == nil {
+		t.Fatal("Unexpected should fail here")
+	}
+	if err.Error() != "No IAM roles attached to this EC2 service" {
+		t.Fatalf("Expected 'No IAM roles attached to this EC2 service', got %s", err)
+	}
+}
+
+func TestIAM(t *testing.T) {
+	server := initTestServer("2014-12-16T01:51:37Z", false)
+	defer server.Close()
+
+	p := &IAM{
+		Client:   http.DefaultClient,
+		endpoint: server.URL,
+	}
+
+	creds, err := p.Retrieve()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if "accessKey" != creds.AccessKeyID {
+		t.Errorf("Expected \"accessKey\", got %s", creds.AccessKeyID)
+	}
+
+	if "secret" != creds.SecretAccessKey {
+		t.Errorf("Expected \"secret\", got %s", creds.SecretAccessKey)
+	}
+
+	if "token" != creds.SessionToken {
+		t.Errorf("Expected \"token\", got %s", creds.SessionToken)
+	}
+
+	if !p.IsExpired() {
+		t.Error("Expected creds to be expired.")
+	}
+}
+
+func TestIAMFailAssume(t *testing.T) {
+	server := initTestServer("2014-12-16T01:51:37Z", true)
+	defer server.Close()
+
+	p := &IAM{
+		Client:   http.DefaultClient,
+		endpoint: server.URL,
+	}
+
+	_, err := p.Retrieve()
+	if err == nil {
+		t.Fatal("Unexpected success, should fail")
+	}
+	if err.Error() != "ErrorMsg" {
+		t.Errorf("Expected \"ErrorMsg\", got %s", err)
+	}
+}
+
+func TestIAMIsExpired(t *testing.T) {
+	server := initTestServer("2014-12-16T01:51:37Z", false)
+	defer server.Close()
+
+	p := &IAM{
+		Client:   http.DefaultClient,
+		endpoint: server.URL,
+	}
+	p.CurrentTime = func() time.Time {
+		return time.Date(2014, 12, 15, 21, 26, 0, 0, time.UTC)
+	}
+
+	if !p.IsExpired() {
+		t.Error("Expected creds to be expired before retrieve.")
+	}
+
+	_, err := p.Retrieve()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if p.IsExpired() {
+		t.Error("Expected creds to not be expired after retrieve.")
+	}
+
+	p.CurrentTime = func() time.Time {
+		return time.Date(3014, 12, 15, 21, 26, 0, 0, time.UTC)
+	}
+
+	if !p.IsExpired() {
+		t.Error("Expected creds to be expired when curren time has changed")
+	}
+}
diff --git a/vendor/github.com/minio/minio-go/pkg/credentials/signature-type.go b/vendor/github.com/minio/minio-go/pkg/credentials/signature-type.go
new file mode 100644
index 000000000..c64ad6c23
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/pkg/credentials/signature-type.go
@@ -0,0 +1,76 @@
+/*
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage (C) 2017 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package credentials
+
+import "strings"
+
+// SignatureType is type of Authorization requested for a given HTTP request.
+type SignatureType int
+
+// Different types of supported signatures - default is SignatureV4 or SignatureDefault.
+const (
+	// SignatureDefault is always set to v4.
+	SignatureDefault SignatureType = iota
+	SignatureV4
+	SignatureV2
+	SignatureV4Streaming
+	SignatureAnonymous // Anonymous signature signifies, no signature.
+)
+
+// IsV2 - is signature SignatureV2?
+func (s SignatureType) IsV2() bool {
+	return s == SignatureV2
+}
+
+// IsV4 - is signature SignatureV4?
+func (s SignatureType) IsV4() bool {
+	return s == SignatureV4 || s == SignatureDefault
+}
+
+// IsStreamingV4 - is signature SignatureV4Streaming?
+func (s SignatureType) IsStreamingV4() bool {
+	return s == SignatureV4Streaming
+}
+
+// IsAnonymous - is signature empty?
+func (s SignatureType) IsAnonymous() bool {
+	return s == SignatureAnonymous
+}
+
+// Stringer humanized version of signature type,
+// strings returned here are case insensitive.
+func (s SignatureType) String() string {
+	if s.IsV2() {
+		return "S3v2"
+	} else if s.IsV4() {
+		return "S3v4"
+	} else if s.IsStreamingV4() {
+		return "S3v4Streaming"
+	}
+	return "Anonymous"
+}
+
+func parseSignatureType(str string) SignatureType {
+	if strings.EqualFold(str, "S3v4") {
+		return SignatureV4
+	} else if strings.EqualFold(str, "S3v2") {
+		return SignatureV2
+	} else if strings.EqualFold(str, "S3v4Streaming") {
+		return SignatureV4Streaming
+	}
+	return SignatureAnonymous
+}
diff --git a/vendor/github.com/minio/minio-go/pkg/credentials/static.go b/vendor/github.com/minio/minio-go/pkg/credentials/static.go
new file mode 100644
index 000000000..25aff5696
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/pkg/credentials/static.go
@@ -0,0 +1,67 @@
+/*
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage
+ * (C) 2017 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package credentials
+
+// A Static is a set of credentials which are set programmatically,
+// and will never expire.
+type Static struct {
+	Value
+}
+
+// NewStaticV2 returns a pointer to a new Credentials object
+// wrapping a static credentials value provider, signature is
+// set to v2. If access and secret are not specified then
+// regardless of signature type set it Value will return
+// as anonymous.
+func NewStaticV2(id, secret, token string) *Credentials {
+	return NewStatic(id, secret, token, SignatureV2)
+}
+
+// NewStaticV4 is similar to NewStaticV2 with similar considerations.
+func NewStaticV4(id, secret, token string) *Credentials {
+	return NewStatic(id, secret, token, SignatureV4)
+}
+
+// NewStatic returns a pointer to a new Credentials object
+// wrapping a static credentials value provider.
+func NewStatic(id, secret, token string, signerType SignatureType) *Credentials {
+	return New(&Static{
+		Value: Value{
+			AccessKeyID:     id,
+			SecretAccessKey: secret,
+			SessionToken:    token,
+			SignerType:      signerType,
+		},
+	})
+}
+
+// Retrieve returns the static credentials.
+func (s *Static) Retrieve() (Value, error) {
+	if s.AccessKeyID == "" || s.SecretAccessKey == "" {
+		// Anonymous is not an error
+		return Value{SignerType: SignatureAnonymous}, nil
+	}
+	return s.Value, nil
+}
+
+// IsExpired returns if the credentials are expired.
+//
+// For Static, the credentials never expired.
+func (s *Static) IsExpired() bool {
+	return false
+}
diff --git a/vendor/github.com/minio/minio-go/pkg/credentials/static_test.go b/vendor/github.com/minio/minio-go/pkg/credentials/static_test.go
new file mode 100644
index 000000000..491b1554b
--- /dev/null
+++ b/vendor/github.com/minio/minio-go/pkg/credentials/static_test.go
@@ -0,0 +1,68 @@
+/*
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage
+ * (C) 2017 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package credentials
+
+import "testing"
+
+func TestStaticGet(t *testing.T) {
+	creds := NewStatic("UXHW", "SECRET", "", SignatureV4)
+	credValues, err := creds.Get()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if "UXHW" != credValues.AccessKeyID {
+		t.Errorf("Expected access key ID to match \"UXHW\", got %s", credValues.AccessKeyID)
+	}
+	if "SECRET" != credValues.SecretAccessKey {
+		t.Errorf("Expected secret access key to match \"SECRET\", got %s", credValues.SecretAccessKey)
+	}
+
+	if credValues.SessionToken != "" {
+		t.Error("Expected session token to match")
+	}
+
+	if credValues.SignerType != SignatureV4 {
+		t.Errorf("Expected 'S3v4', got %s", credValues.SignerType)
+	}
+
+	if creds.IsExpired() {
+		t.Error("Static credentials should never expire")
+	}
+
+	creds = NewStatic("", "", "", SignatureDefault)
+	credValues, err = creds.Get()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if "" != credValues.AccessKeyID {
+		t.Errorf("Expected access key ID to match empty string, got %s", credValues.AccessKeyID)
+	}
+	if "" != credValues.SecretAccessKey {
+		t.Errorf("Expected secret access key to match empty string, got %s", credValues.SecretAccessKey)
+	}
+
+	if !credValues.SignerType.IsAnonymous() {
+		t.Errorf("Expected 'Anonymous', got %s", credValues.SignerType)
+	}
+
+	if creds.IsExpired() {
+		t.Error("Static credentials should never expire")
+	}
+}
diff --git a/vendor/github.com/minio/minio-go/pkg/encrypt/cbc.go b/vendor/github.com/minio/minio-go/pkg/encrypt/cbc.go
index 7670e68f4..be45e52f4 100644
--- a/vendor/github.com/minio/minio-go/pkg/encrypt/cbc.go
+++ b/vendor/github.com/minio/minio-go/pkg/encrypt/cbc.go
@@ -89,6 +89,15 @@ func NewCBCSecureMaterials(key Key) (*CBCSecureMaterials, error) {
 
 }
 
+// Close implements closes the internal stream.
+func (s *CBCSecureMaterials) Close() error {
+	closer, ok := s.stream.(io.Closer)
+	if ok {
+		return closer.Close()
+	}
+	return nil
+}
+
 // SetupEncryptMode - tells CBC that we are going to encrypt data
 func (s *CBCSecureMaterials) SetupEncryptMode(stream io.Reader) error {
 	// Set mode to encrypt
diff --git a/vendor/github.com/minio/minio-go/pkg/encrypt/interface.go b/vendor/github.com/minio/minio-go/pkg/encrypt/interface.go
index 2fd75033f..8b8554336 100644
--- a/vendor/github.com/minio/minio-go/pkg/encrypt/interface.go
+++ b/vendor/github.com/minio/minio-go/pkg/encrypt/interface.go
@@ -25,6 +25,9 @@ import "io"
 // Materials - provides generic interface to encrypt any stream of data.
 type Materials interface {
 
+	// Closes the wrapped stream properly, initiated by the caller.
+	Close() error
+
 	// Returns encrypted/decrypted data, io.Reader compatible.
 	Read(b []byte) (int, error)
 
diff --git a/vendor/github.com/minio/minio-go/pkg/s3signer/request-signature-streaming.go b/vendor/github.com/minio/minio-go/pkg/s3signer/request-signature-streaming.go
index 755fd1ac5..22059bb1d 100644
--- a/vendor/github.com/minio/minio-go/pkg/s3signer/request-signature-streaming.go
+++ b/vendor/github.com/minio/minio-go/pkg/s3signer/request-signature-streaming.go
@@ -21,6 +21,7 @@ import (
 	"encoding/hex"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"net/http"
 	"strconv"
 	"strings"
@@ -92,9 +93,12 @@ func buildChunkStringToSign(t time.Time, region, previousSig string, chunkData [
 
 // prepareStreamingRequest - prepares a request with appropriate
 // headers before computing the seed signature.
-func prepareStreamingRequest(req *http.Request, dataLen int64, timestamp time.Time) {
+func prepareStreamingRequest(req *http.Request, sessionToken string, dataLen int64, timestamp time.Time) {
 	// Set x-amz-content-sha256 header.
 	req.Header.Set("X-Amz-Content-Sha256", streamingSignAlgorithm)
+	if sessionToken != "" {
+		req.Header.Set("X-Amz-Security-Token", sessionToken)
+	}
 	req.Header.Set("Content-Encoding", streamingEncoding)
 	req.Header.Set("X-Amz-Date", timestamp.Format(iso8601DateFormat))
 
@@ -138,6 +142,7 @@ func (s *StreamingReader) setSeedSignature(req *http.Request) {
 type StreamingReader struct {
 	accessKeyID     string
 	secretAccessKey string
+	sessionToken    string
 	region          string
 	prevSignature   string
 	seedSignature   string
@@ -195,16 +200,21 @@ func (s *StreamingReader) setStreamingAuthHeader(req *http.Request) {
 
 // StreamingSignV4 - provides chunked upload signatureV4 support by
 // implementing io.Reader.
-func StreamingSignV4(req *http.Request, accessKeyID, secretAccessKey,
+func StreamingSignV4(req *http.Request, accessKeyID, secretAccessKey, sessionToken,
 	region string, dataLen int64, reqTime time.Time) *http.Request {
 
 	// Set headers needed for streaming signature.
-	prepareStreamingRequest(req, dataLen, reqTime)
+	prepareStreamingRequest(req, sessionToken, dataLen, reqTime)
+
+	if req.Body == nil {
+		req.Body = ioutil.NopCloser(bytes.NewReader([]byte("")))
+	}
 
 	stReader := &StreamingReader{
 		baseReadCloser:  req.Body,
 		accessKeyID:     accessKeyID,
 		secretAccessKey: secretAccessKey,
+		sessionToken:    sessionToken,
 		region:          region,
 		reqTime:         reqTime,
 		chunkBuf:        make([]byte, payloadChunkSize),
@@ -244,7 +254,18 @@ func (s *StreamingReader) Read(buf []byte) (int, error) {
 		s.chunkBufLen = 0
 		for {
 			n1, err := s.baseReadCloser.Read(s.chunkBuf[s.chunkBufLen:])
-			if err == nil || err == io.ErrUnexpectedEOF {
+			// Usually we validate `err` first, but in this case
+			// we are validating n > 0 for the following reasons.
+			//
+			// 1. n > 0, err is one of io.EOF, nil (near end of stream)
+			// A Reader returning a non-zero number of bytes at the end
+			// of the input stream may return either err == EOF or err == nil
+			//
+			// 2. n == 0, err is io.EOF (actual end of stream)
+			//
+			// Callers should always process the n > 0 bytes returned
+			// before considering the error err.
+			if n1 > 0 {
 				s.chunkBufLen += n1
 				s.bytesRead += int64(n1)
 
@@ -255,25 +276,26 @@ func (s *StreamingReader) Read(buf []byte) (int, error) {
 					s.signChunk(s.chunkBufLen)
 					break
 				}
+			}
+			if err != nil {
+				if err == io.EOF {
+					// No more data left in baseReader - last chunk.
+					// Done reading the last chunk from baseReader.
+					s.done = true
+
+					// bytes read from baseReader different than
+					// content length provided.
+					if s.bytesRead != s.contentLen {
+						return 0, io.ErrUnexpectedEOF
+					}
 
-			} else if err == io.EOF {
-				// No more data left in baseReader - last chunk.
-				// Done reading the last chunk from baseReader.
-				s.done = true
-
-				// bytes read from baseReader different than
-				// content length provided.
-				if s.bytesRead != s.contentLen {
-					return 0, io.ErrUnexpectedEOF
+					// Sign the chunk and write it to s.buf.
+					s.signChunk(0)
+					break
 				}
-
-				// Sign the chunk and write it to s.buf.
-				s.signChunk(0)
-				break
-
-			} else {
 				return 0, err
 			}
+
 		}
 	}
 	return s.buf.Read(buf)
diff --git a/vendor/github.com/minio/minio-go/pkg/s3signer/request-signature-streaming_test.go b/vendor/github.com/minio/minio-go/pkg/s3signer/request-signature-streaming_test.go
index 084a0dbab..1f49f2234 100644
--- a/vendor/github.com/minio/minio-go/pkg/s3signer/request-signature-streaming_test.go
+++ b/vendor/github.com/minio/minio-go/pkg/s3signer/request-signature-streaming_test.go
@@ -39,7 +39,7 @@ func TestGetSeedSignature(t *testing.T) {
 		t.Fatalf("Failed to parse time - %v", err)
 	}
 
-	req = StreamingSignV4(req, accessKeyID, secretAccessKeyID, "us-east-1", int64(dataLen), reqTime)
+	req = StreamingSignV4(req, accessKeyID, secretAccessKeyID, "", "us-east-1", int64(dataLen), reqTime)
 	actualSeedSignature := req.Body.(*StreamingReader).seedSignature
 
 	expectedSeedSignature := "007480502de61457e955731b0f5d191f7e6f54a8a0f6cc7974a5ebd887965686"
@@ -72,7 +72,7 @@ func TestSetStreamingAuthorization(t *testing.T) {
 
 	dataLen := int64(65 * 1024)
 	reqTime, _ := time.Parse(iso8601DateFormat, "20130524T000000Z")
-	req = StreamingSignV4(req, accessKeyID, secretAccessKeyID, location, dataLen, reqTime)
+	req = StreamingSignV4(req, accessKeyID, secretAccessKeyID, "", location, dataLen, reqTime)
 
 	expectedAuthorization := "AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request,SignedHeaders=content-encoding;host;x-amz-content-sha256;x-amz-date;x-amz-decoded-content-length;x-amz-storage-class,Signature=007480502de61457e955731b0f5d191f7e6f54a8a0f6cc7974a5ebd887965686"
 
@@ -96,7 +96,7 @@ func TestStreamingReader(t *testing.T) {
 
 	baseReader := ioutil.NopCloser(bytes.NewReader(bytes.Repeat([]byte("a"), 65*1024)))
 	req.Body = baseReader
-	req = StreamingSignV4(req, accessKeyID, secretAccessKeyID, location, dataLen, reqTime)
+	req = StreamingSignV4(req, accessKeyID, secretAccessKeyID, "", location, dataLen, reqTime)
 
 	b, err := ioutil.ReadAll(req.Body)
 	if err != nil {
diff --git a/vendor/github.com/minio/minio-go/pkg/s3signer/request-signature-v4.go b/vendor/github.com/minio/minio-go/pkg/s3signer/request-signature-v4.go
index 245fb08c3..0d75dc162 100644
--- a/vendor/github.com/minio/minio-go/pkg/s3signer/request-signature-v4.go
+++ b/vendor/github.com/minio/minio-go/pkg/s3signer/request-signature-v4.go
@@ -206,7 +206,7 @@ func getStringToSignV4(t time.Time, location, canonicalRequest string) string {
 
 // PreSignV4 presign the request, in accordance with
 // http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html.
-func PreSignV4(req http.Request, accessKeyID, secretAccessKey, location string, expires int64) *http.Request {
+func PreSignV4(req http.Request, accessKeyID, secretAccessKey, sessionToken, location string, expires int64) *http.Request {
 	// Presign is not needed for anonymous credentials.
 	if accessKeyID == "" || secretAccessKey == "" {
 		return &req
@@ -228,6 +228,10 @@ func PreSignV4(req http.Request, accessKeyID, secretAccessKey, location string,
 	query.Set("X-Amz-Expires", strconv.FormatInt(expires, 10))
 	query.Set("X-Amz-SignedHeaders", signedHeaders)
 	query.Set("X-Amz-Credential", credential)
+	// Set session token if available.
+	if sessionToken != "" {
+		query.Set("X-Amz-Security-Token", sessionToken)
+	}
 	req.URL.RawQuery = query.Encode()
 
 	// Get canonical request.
@@ -260,7 +264,7 @@ func PostPresignSignatureV4(policyBase64 string, t time.Time, secretAccessKey, l
 
 // SignV4 sign the request before Do(), in accordance with
 // http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html.
-func SignV4(req http.Request, accessKeyID, secretAccessKey, location string) *http.Request {
+func SignV4(req http.Request, accessKeyID, secretAccessKey, sessionToken, location string) *http.Request {
 	// Signature calculation is not needed for anonymous credentials.
 	if accessKeyID == "" || secretAccessKey == "" {
 		return &req
@@ -272,6 +276,11 @@ func SignV4(req http.Request, accessKeyID, secretAccessKey, location string) *ht
 	// Set x-amz-date.
 	req.Header.Set("X-Amz-Date", t.Format(iso8601DateFormat))
 
+	// Set session token if available.
+	if sessionToken != "" {
+		req.Header.Set("X-Amz-Security-Token", sessionToken)
+	}
+
 	// Get canonical request.
 	canonicalRequest := getCanonicalRequest(req, v4IgnoredHeaders)
 
diff --git a/vendor/github.com/minio/minio-go/pkg/s3signer/request-signature_test.go b/vendor/github.com/minio/minio-go/pkg/s3signer/request-signature_test.go
index 6f5ba1895..85ff063df 100644
--- a/vendor/github.com/minio/minio-go/pkg/s3signer/request-signature_test.go
+++ b/vendor/github.com/minio/minio-go/pkg/s3signer/request-signature_test.go
@@ -28,12 +28,12 @@ func TestSignatureCalculation(t *testing.T) {
 	if err != nil {
 		t.Fatal("Error:", err)
 	}
-	req = SignV4(*req, "", "", "us-east-1")
+	req = SignV4(*req, "", "", "", "us-east-1")
 	if req.Header.Get("Authorization") != "" {
 		t.Fatal("Error: anonymous credentials should not have Authorization header.")
 	}
 
-	req = PreSignV4(*req, "", "", "us-east-1", 0)
+	req = PreSignV4(*req, "", "", "", "us-east-1", 0)
 	if strings.Contains(req.URL.RawQuery, "X-Amz-Signature") {
 		t.Fatal("Error: anonymous credentials should not have Signature query resource.")
 	}
@@ -48,12 +48,12 @@ func TestSignatureCalculation(t *testing.T) {
 		t.Fatal("Error: anonymous credentials should not have Signature query resource.")
 	}
 
-	req = SignV4(*req, "ACCESS-KEY", "SECRET-KEY", "us-east-1")
+	req = SignV4(*req, "ACCESS-KEY", "SECRET-KEY", "", "us-east-1")
 	if req.Header.Get("Authorization") == "" {
 		t.Fatal("Error: normal credentials should have Authorization header.")
 	}
 
-	req = PreSignV4(*req, "ACCESS-KEY", "SECRET-KEY", "us-east-1", 0)
+	req = PreSignV4(*req, "ACCESS-KEY", "SECRET-KEY", "", "us-east-1", 0)
 	if !strings.Contains(req.URL.RawQuery, "X-Amz-Signature") {
 		t.Fatal("Error: normal credentials should have Signature query resource.")
 	}
diff --git a/vendor/github.com/minio/minio-go/pkg/s3utils/utils.go b/vendor/github.com/minio/minio-go/pkg/s3utils/utils.go
index a3b6ed845..9d6ac4d81 100644
--- a/vendor/github.com/minio/minio-go/pkg/s3utils/utils.go
+++ b/vendor/github.com/minio/minio-go/pkg/s3utils/utils.go
@@ -19,6 +19,7 @@ package s3utils
 import (
 	"bytes"
 	"encoding/hex"
+	"errors"
 	"net"
 	"net/url"
 	"regexp"
@@ -84,10 +85,29 @@ func IsAmazonEndpoint(endpointURL url.URL) bool {
 	if IsAmazonChinaEndpoint(endpointURL) {
 		return true
 	}
-
+	if IsAmazonGovCloudEndpoint(endpointURL) {
+		return true
+	}
 	return endpointURL.Host == "s3.amazonaws.com"
 }
 
+// IsAmazonGovCloudEndpoint - Match if it is exactly Amazon S3 GovCloud endpoint.
+func IsAmazonGovCloudEndpoint(endpointURL url.URL) bool {
+	if endpointURL == sentinelURL {
+		return false
+	}
+	return (endpointURL.Host == "s3-us-gov-west-1.amazonaws.com" ||
+		IsAmazonFIPSGovCloudEndpoint(endpointURL))
+}
+
+// IsAmazonFIPSGovCloudEndpoint - Match if it is exactly Amazon S3 FIPS GovCloud endpoint.
+func IsAmazonFIPSGovCloudEndpoint(endpointURL url.URL) bool {
+	if endpointURL == sentinelURL {
+		return false
+	}
+	return endpointURL.Host == "s3-fips-us-gov-west-1.amazonaws.com"
+}
+
 // IsAmazonChinaEndpoint - Match if it is exactly Amazon S3 China endpoint.
 // Customers who wish to use the new Beijing Region are required
 // to sign up for a separate set of account credentials unique to
@@ -181,3 +201,74 @@ func EncodePath(pathName string) string {
 	}
 	return encodedPathname
 }
+
+// We support '.' with bucket names but we fallback to using path
+// style requests instead for such buckets.
+var (
+	validBucketName       = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9\.\-]{1,61}[A-Za-z0-9]$`)
+	validBucketNameStrict = regexp.MustCompile(`^[a-z0-9][a-z0-9\.\-]{1,61}[a-z0-9]$`)
+	ipAddress             = regexp.MustCompile(`^(\d+\.){3}\d+$`)
+)
+
+// Common checker for both stricter and basic validation.
+func checkBucketNameCommon(bucketName string, strict bool) (err error) {
+	if strings.TrimSpace(bucketName) == "" {
+		return errors.New("Bucket name cannot be empty")
+	}
+	if len(bucketName) < 3 {
+		return errors.New("Bucket name cannot be smaller than 3 characters")
+	}
+	if len(bucketName) > 63 {
+		return errors.New("Bucket name cannot be greater than 63 characters")
+	}
+	if ipAddress.MatchString(bucketName) {
+		return errors.New("Bucket name cannot be an ip address")
+	}
+	if strings.Contains(bucketName, "..") {
+		return errors.New("Bucket name contains invalid characters")
+	}
+	if strict {
+		if !validBucketNameStrict.MatchString(bucketName) {
+			err = errors.New("Bucket name contains invalid characters")
+		}
+		return err
+	}
+	if !validBucketName.MatchString(bucketName) {
+		err = errors.New("Bucket name contains invalid characters")
+	}
+	return err
+}
+
+// CheckValidBucketName - checks if we have a valid input bucket name.
+// This is a non stricter version.
+// - http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingBucket.html
+func CheckValidBucketName(bucketName string) (err error) {
+	return checkBucketNameCommon(bucketName, false)
+}
+
+// CheckValidBucketNameStrict - checks if we have a valid input bucket name.
+// This is a stricter version.
+func CheckValidBucketNameStrict(bucketName string) (err error) {
+	return checkBucketNameCommon(bucketName, true)
+}
+
+// CheckValidObjectNamePrefix - checks if we have a valid input object name prefix.
+//   - http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html
+func CheckValidObjectNamePrefix(objectName string) error {
+	if len(objectName) > 1024 {
+		return errors.New("Object name cannot be greater than 1024 characters")
+	}
+	if !utf8.ValidString(objectName) {
+		return errors.New("Object name with non UTF-8 strings are not supported")
+	}
+	return nil
+}
+
+// CheckValidObjectName - checks if we have a valid input object name.
+//   - http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html
+func CheckValidObjectName(objectName string) error {
+	if strings.TrimSpace(objectName) == "" {
+		return errors.New("Object name cannot be empty")
+	}
+	return CheckValidObjectNamePrefix(objectName)
+}
diff --git a/vendor/github.com/minio/minio-go/pkg/s3utils/utils_test.go b/vendor/github.com/minio/minio-go/pkg/s3utils/utils_test.go
index f790861cd..6be701d18 100644
--- a/vendor/github.com/minio/minio-go/pkg/s3utils/utils_test.go
+++ b/vendor/github.com/minio/minio-go/pkg/s3utils/utils_test.go
@@ -17,6 +17,7 @@
 package s3utils
 
 import (
+	"errors"
 	"net/url"
 	"testing"
 )
@@ -282,3 +283,87 @@ func TestEncodePath(t *testing.T) {
 		}
 	}
 }
+
+// Tests validate the bucket name validator.
+func TestIsValidBucketName(t *testing.T) {
+	testCases := []struct {
+		// Input.
+		bucketName string
+		// Expected result.
+		err error
+		// Flag to indicate whether test should Pass.
+		shouldPass bool
+	}{
+		{".mybucket", errors.New("Bucket name contains invalid characters"), false},
+		{"$mybucket", errors.New("Bucket name contains invalid characters"), false},
+		{"mybucket-", errors.New("Bucket name contains invalid characters"), false},
+		{"my", errors.New("Bucket name cannot be smaller than 3 characters"), false},
+		{"", errors.New("Bucket name cannot be empty"), false},
+		{"my..bucket", errors.New("Bucket name contains invalid characters"), false},
+		{"192.168.1.168", errors.New("Bucket name cannot be an ip address"), false},
+		{"my.bucket.com", nil, true},
+		{"my-bucket", nil, true},
+		{"123my-bucket", nil, true},
+		{"Mybucket", nil, true},
+	}
+
+	for i, testCase := range testCases {
+		err := CheckValidBucketName(testCase.bucketName)
+		if err != nil && testCase.shouldPass {
+			t.Errorf("Test %d: Expected to pass, but failed with: <ERROR> %s", i+1, err.Error())
+		}
+		if err == nil && !testCase.shouldPass {
+			t.Errorf("Test %d: Expected to fail with <ERROR> \"%s\", but passed instead", i+1, testCase.err.Error())
+		}
+		// Failed as expected, but does it fail for the expected reason.
+		if err != nil && !testCase.shouldPass {
+			if err.Error() != testCase.err.Error() {
+				t.Errorf("Test %d: Expected to fail with error \"%s\", but instead failed with error \"%s\" instead", i+1, testCase.err.Error(), err.Error())
+			}
+		}
+
+	}
+
+}
+
+// Tests validate the bucket name validator stricter.
+func TestIsValidBucketNameStrict(t *testing.T) {
+	testCases := []struct {
+		// Input.
+		bucketName string
+		// Expected result.
+		err error
+		// Flag to indicate whether test should Pass.
+		shouldPass bool
+	}{
+		{".mybucket", errors.New("Bucket name contains invalid characters"), false},
+		{"$mybucket", errors.New("Bucket name contains invalid characters"), false},
+		{"mybucket-", errors.New("Bucket name contains invalid characters"), false},
+		{"my", errors.New("Bucket name cannot be smaller than 3 characters"), false},
+		{"", errors.New("Bucket name cannot be empty"), false},
+		{"my..bucket", errors.New("Bucket name contains invalid characters"), false},
+		{"192.168.1.168", errors.New("Bucket name cannot be an ip address"), false},
+		{"Mybucket", errors.New("Bucket name contains invalid characters"), false},
+		{"my.bucket.com", nil, true},
+		{"my-bucket", nil, true},
+		{"123my-bucket", nil, true},
+	}
+
+	for i, testCase := range testCases {
+		err := CheckValidBucketNameStrict(testCase.bucketName)
+		if err != nil && testCase.shouldPass {
+			t.Errorf("Test %d: Expected to pass, but failed with: <ERROR> %s", i+1, err.Error())
+		}
+		if err == nil && !testCase.shouldPass {
+			t.Errorf("Test %d: Expected to fail with <ERROR> \"%s\", but passed instead", i+1, testCase.err.Error())
+		}
+		// Failed as expected, but does it fail for the expected reason.
+		if err != nil && !testCase.shouldPass {
+			if err.Error() != testCase.err.Error() {
+				t.Errorf("Test %d: Expected to fail with error \"%s\", but instead failed with error \"%s\" instead", i+1, testCase.err.Error(), err.Error())
+			}
+		}
+
+	}
+
+}
diff --git a/vendor/github.com/minio/minio-go/request-headers.go b/vendor/github.com/minio/minio-go/request-headers.go
index fa23b2fe3..76c87202d 100644
--- a/vendor/github.com/minio/minio-go/request-headers.go
+++ b/vendor/github.com/minio/minio-go/request-headers.go
@@ -48,7 +48,7 @@ func (c RequestHeaders) SetMatchETag(etag string) error {
 	if etag == "" {
 		return ErrInvalidArgument("ETag cannot be empty.")
 	}
-	c.Set("If-Match", etag)
+	c.Set("If-Match", "\""+etag+"\"")
 	return nil
 }
 
@@ -57,7 +57,7 @@ func (c RequestHeaders) SetMatchETagExcept(etag string) error {
 	if etag == "" {
 		return ErrInvalidArgument("ETag cannot be empty.")
 	}
-	c.Set("If-None-Match", etag)
+	c.Set("If-None-Match", "\""+etag+"\"")
 	return nil
 }
 
diff --git a/vendor/github.com/minio/minio-go/s3-endpoints.go b/vendor/github.com/minio/minio-go/s3-endpoints.go
index d7fa5e038..c02f3f1fa 100644
--- a/vendor/github.com/minio/minio-go/s3-endpoints.go
+++ b/vendor/github.com/minio/minio-go/s3-endpoints.go
@@ -33,6 +33,7 @@ var awsS3EndpointMap = map[string]string{
 	"ap-northeast-1": "s3-ap-northeast-1.amazonaws.com",
 	"ap-northeast-2": "s3-ap-northeast-2.amazonaws.com",
 	"sa-east-1":      "s3-sa-east-1.amazonaws.com",
+	"us-gov-west-1":  "s3-us-gov-west-1.amazonaws.com",
 	"cn-north-1":     "s3.cn-north-1.amazonaws.com.cn",
 }
 
diff --git a/vendor/github.com/minio/minio-go/s3-error.go b/vendor/github.com/minio/minio-go/s3-error.go
index 11b40a0f8..c5aff9bbc 100644
--- a/vendor/github.com/minio/minio-go/s3-error.go
+++ b/vendor/github.com/minio/minio-go/s3-error.go
@@ -25,7 +25,7 @@ var s3ErrorResponseMap = map[string]string{
 	"EntityTooLarge":                    "Your proposed upload exceeds the maximum allowed object size.",
 	"IncompleteBody":                    "You did not provide the number of bytes specified by the Content-Length HTTP header.",
 	"InternalError":                     "We encountered an internal error, please try again.",
-	"InvalidAccessKeyID":                "The access key ID you provided does not exist in our records.",
+	"InvalidAccessKeyId":                "The access key ID you provided does not exist in our records.",
 	"InvalidBucketName":                 "The specified bucket is not valid.",
 	"InvalidDigest":                     "The Content-Md5 you specified is not valid.",
 	"InvalidRange":                      "The requested range is not satisfiable",
diff --git a/vendor/github.com/minio/minio-go/signature-type.go b/vendor/github.com/minio/minio-go/signature-type.go
deleted file mode 100644
index f9a57c3f1..000000000
--- a/vendor/github.com/minio/minio-go/signature-type.go
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Minio Go Library for Amazon S3 Compatible Cloud Storage (C) 2015 Minio, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package minio
-
-// SignatureType is type of Authorization requested for a given HTTP request.
-type SignatureType int
-
-// Different types of supported signatures - default is Latest i.e SignatureV4.
-const (
-	Latest SignatureType = iota
-	SignatureV4
-	SignatureV2
-	SignatureV4Streaming
-)
-
-var emptySHA256 = sum256(nil)
-
-// isV2 - is signature SignatureV2?
-func (s SignatureType) isV2() bool {
-	return s == SignatureV2
-}
-
-// isV4 - is signature SignatureV4?
-func (s SignatureType) isV4() bool {
-	return s == SignatureV4 || s == Latest
-}
-
-// isStreamingV4 - is signature SignatureV4Streaming?
-func (s SignatureType) isStreamingV4() bool {
-	return s == SignatureV4Streaming
-}
diff --git a/vendor/github.com/minio/minio-go/tempfile.go b/vendor/github.com/minio/minio-go/tempfile.go
deleted file mode 100644
index 65c7b0da1..000000000
--- a/vendor/github.com/minio/minio-go/tempfile.go
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * Minio Go Library for Amazon S3 Compatible Cloud Storage (C) 2015 Minio, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package minio
-
-import (
-	"io/ioutil"
-	"os"
-	"sync"
-)
-
-// tempFile - temporary file container.
-type tempFile struct {
-	*os.File
-	mutex *sync.Mutex
-}
-
-// newTempFile returns a new temporary file, once closed it automatically deletes itself.
-func newTempFile(prefix string) (*tempFile, error) {
-	// use platform specific temp directory.
-	file, err := ioutil.TempFile(os.TempDir(), prefix)
-	if err != nil {
-		return nil, err
-	}
-	return &tempFile{
-		File:  file,
-		mutex: &sync.Mutex{},
-	}, nil
-}
-
-// Close - closer wrapper to close and remove temporary file.
-func (t *tempFile) Close() error {
-	t.mutex.Lock()
-	defer t.mutex.Unlock()
-	if t.File != nil {
-		// Close the file.
-		if err := t.File.Close(); err != nil {
-			return err
-		}
-		// Remove file.
-		if err := os.Remove(t.File.Name()); err != nil {
-			return err
-		}
-		t.File = nil
-	}
-	return nil
-}
diff --git a/vendor/github.com/minio/minio-go/utils.go b/vendor/github.com/minio/minio-go/utils.go
index 93cd1712f..6f54639e0 100644
--- a/vendor/github.com/minio/minio-go/utils.go
+++ b/vendor/github.com/minio/minio-go/utils.go
@@ -28,7 +28,6 @@ import (
 	"regexp"
 	"strings"
 	"time"
-	"unicode/utf8"
 
 	"github.com/minio/minio-go/pkg/s3utils"
 )
@@ -110,6 +109,8 @@ func closeResponse(resp *http.Response) {
 	}
 }
 
+var emptySHA256 = sum256(nil)
+
 // Sentinel URL is the default url value which is invalid.
 var sentinelURL = url.URL{}
 
@@ -121,7 +122,7 @@ func isValidEndpointURL(endpointURL url.URL) error {
 	if endpointURL.Path != "/" && endpointURL.Path != "" {
 		return ErrInvalidArgument("Endpoint url cannot have fully qualified paths.")
 	}
-	if strings.Contains(endpointURL.Host, ".amazonaws.com") {
+	if strings.Contains(endpointURL.Host, ".s3.amazonaws.com") {
 		if !s3utils.IsAmazonEndpoint(endpointURL) {
 			return ErrInvalidArgument("Amazon S3 endpoint should be 's3.amazonaws.com'.")
 		}
@@ -146,63 +147,6 @@ func isValidExpiry(expires time.Duration) error {
 	return nil
 }
 
-// We support '.' with bucket names but we fallback to using path
-// style requests instead for such buckets.
-var validBucketName = regexp.MustCompile(`^[a-z0-9][a-z0-9\.\-]{1,61}[a-z0-9]$`)
-
-// Invalid bucket name with double dot.
-var invalidDotBucketName = regexp.MustCompile(`\.\.`)
-
-// isValidBucketName - verify bucket name in accordance with
-//  - http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingBucket.html
-func isValidBucketName(bucketName string) error {
-	if strings.TrimSpace(bucketName) == "" {
-		return ErrInvalidBucketName("Bucket name cannot be empty.")
-	}
-	if len(bucketName) < 3 {
-		return ErrInvalidBucketName("Bucket name cannot be smaller than 3 characters.")
-	}
-	if len(bucketName) > 63 {
-		return ErrInvalidBucketName("Bucket name cannot be greater than 63 characters.")
-	}
-	if bucketName[0] == '.' || bucketName[len(bucketName)-1] == '.' {
-		return ErrInvalidBucketName("Bucket name cannot start or end with a '.' dot.")
-	}
-	if invalidDotBucketName.MatchString(bucketName) {
-		return ErrInvalidBucketName("Bucket name cannot have successive periods.")
-	}
-	if !validBucketName.MatchString(bucketName) {
-		return ErrInvalidBucketName("Bucket name contains invalid characters.")
-	}
-	return nil
-}
-
-// isValidObjectName - verify object name in accordance with
-//   - http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html
-func isValidObjectName(objectName string) error {
-	if strings.TrimSpace(objectName) == "" {
-		return ErrInvalidObjectName("Object name cannot be empty.")
-	}
-	if len(objectName) > 1024 {
-		return ErrInvalidObjectName("Object name cannot be greater than 1024 characters.")
-	}
-	if !utf8.ValidString(objectName) {
-		return ErrInvalidBucketName("Object name with non UTF-8 strings are not supported.")
-	}
-	return nil
-}
-
-// isValidObjectPrefix - verify if object prefix is valid.
-func isValidObjectPrefix(objectPrefix string) error {
-	if len(objectPrefix) > 1024 {
-		return ErrInvalidObjectPrefix("Object prefix cannot be greater than 1024 characters.")
-	}
-	if !utf8.ValidString(objectPrefix) {
-		return ErrInvalidObjectPrefix("Object prefix with non UTF-8 strings are not supported.")
-	}
-	return nil
-}
-
 // make a copy of http.Header
 func cloneHeader(h http.Header) http.Header {
 	h2 := make(http.Header, len(h))
@@ -225,3 +169,46 @@ func filterHeader(header http.Header, filterKeys []string) (filteredHeader http.
 	}
 	return filteredHeader
 }
+
+// regCred matches credential string in HTTP header
+var regCred = regexp.MustCompile("Credential=([A-Z0-9]+)/")
+
+// regCred matches signature string in HTTP header
+var regSign = regexp.MustCompile("Signature=([[0-9a-f]+)")
+
+// Redact out signature value from authorization string.
+func redactSignature(origAuth string) string {
+	if !strings.HasPrefix(origAuth, signV4Algorithm) {
+		// Set a temporary redacted auth
+		return "AWS **REDACTED**:**REDACTED**"
+	}
+
+	/// Signature V4 authorization header.
+
+	// Strip out accessKeyID from:
+	// Credential=<access-key-id>/<date>/<aws-region>/<aws-service>/aws4_request
+	newAuth := regCred.ReplaceAllString(origAuth, "Credential=**REDACTED**/")
+
+	// Strip out 256-bit signature from: Signature=<256-bit signature>
+	return regSign.ReplaceAllString(newAuth, "Signature=**REDACTED**")
+}
+
+// Get default location returns the location based on the input
+// URL `u`, if region override is provided then all location
+// defaults to regionOverride.
+//
+// If no other cases match then the location is set to `us-east-1`
+// as a last resort.
+func getDefaultLocation(u url.URL, regionOverride string) (location string) {
+	if regionOverride != "" {
+		return regionOverride
+	}
+	if s3utils.IsAmazonChinaEndpoint(u) {
+		return "cn-north-1"
+	}
+	if s3utils.IsAmazonGovCloudEndpoint(u) {
+		return "us-gov-west-1"
+	}
+	// Default to location to 'us-east-1'.
+	return "us-east-1"
+}
diff --git a/vendor/github.com/minio/minio-go/utils_test.go b/vendor/github.com/minio/minio-go/utils_test.go
index 4e015c855..ba297112e 100644
--- a/vendor/github.com/minio/minio-go/utils_test.go
+++ b/vendor/github.com/minio/minio-go/utils_test.go
@@ -21,8 +21,35 @@ import (
 	"net/url"
 	"testing"
 	"time"
+
+	"github.com/minio/minio-go/pkg/s3utils"
 )
 
+// Tests signature redacting function used
+// in filtering on-wire Authorization header.
+func TestRedactSignature(t *testing.T) {
+	testCases := []struct {
+		authValue                 string
+		expectedRedactedAuthValue string
+	}{
+		{
+			authValue:                 "AWS 1231313:888x000231==",
+			expectedRedactedAuthValue: "AWS **REDACTED**:**REDACTED**",
+		},
+		{
+			authValue:                 "AWS4-HMAC-SHA256 Credential=12312313/20170613/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=02131231312313213",
+			expectedRedactedAuthValue: "AWS4-HMAC-SHA256 Credential=**REDACTED**/20170613/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**",
+		},
+	}
+
+	for i, testCase := range testCases {
+		redactedAuthValue := redactSignature(testCase.authValue)
+		if redactedAuthValue != testCase.expectedRedactedAuthValue {
+			t.Errorf("Test %d: Expected %s, got %s", i+1, testCase.expectedRedactedAuthValue, redactedAuthValue)
+		}
+	}
+}
+
 // Tests filter header function by filtering out
 // some custom header keys.
 func TestFilterHeader(t *testing.T) {
@@ -57,9 +84,9 @@ func TestGetEndpointURL(t *testing.T) {
 		{"s3.cn-north-1.amazonaws.com.cn", false, "http://s3.cn-north-1.amazonaws.com.cn", nil, true},
 		{"192.168.1.1:9000", false, "http://192.168.1.1:9000", nil, true},
 		{"192.168.1.1:9000", true, "https://192.168.1.1:9000", nil, true},
+		{"s3.amazonaws.com:443", true, "https://s3.amazonaws.com:443", nil, true},
 		{"13333.123123.-", true, "", ErrInvalidArgument(fmt.Sprintf("Endpoint: %s does not follow ip address or domain name standards.", "13333.123123.-")), false},
 		{"13333.123123.-", true, "", ErrInvalidArgument(fmt.Sprintf("Endpoint: %s does not follow ip address or domain name standards.", "13333.123123.-")), false},
-		{"s3.amazonaws.com:443", true, "", ErrInvalidArgument("Amazon S3 endpoint should be 's3.amazonaws.com'."), false},
 		{"storage.googleapis.com:4000", true, "", ErrInvalidArgument("Google Cloud Storage endpoint should be 'storage.googleapis.com'."), false},
 		{"s3.aamzza.-", true, "", ErrInvalidArgument(fmt.Sprintf("Endpoint: %s does not follow ip address or domain name standards.", "s3.aamzza.-")), false},
 		{"", true, "", ErrInvalidArgument("Endpoint:  does not follow ip address or domain name standards."), false},
@@ -99,14 +126,17 @@ func TestIsValidEndpointURL(t *testing.T) {
 	}{
 		{"", ErrInvalidArgument("Endpoint url cannot be empty."), false},
 		{"/", nil, true},
-		{"https://s3.am1;4205;0cazonaws.com", nil, true},
+		{"https://s3.amazonaws.com", nil, true},
 		{"https://s3.cn-north-1.amazonaws.com.cn", nil, true},
+		{"https://s3-us-gov-west-1.amazonaws.com", nil, true},
+		{"https://s3-fips-us-gov-west-1.amazonaws.com", nil, true},
 		{"https://s3.amazonaws.com/", nil, true},
 		{"https://storage.googleapis.com/", nil, true},
+		{"https://z3.amazonaws.com", nil, true},
+		{"https://mybalancer.us-east-1.elb.amazonaws.com", nil, true},
 		{"192.168.1.1", ErrInvalidArgument("Endpoint url cannot have fully qualified paths."), false},
 		{"https://amazon.googleapis.com/", ErrInvalidArgument("Google Cloud Storage endpoint should be 'storage.googleapis.com'."), false},
 		{"https://storage.googleapis.com/bucket/", ErrInvalidArgument("Endpoint url cannot have fully qualified paths."), false},
-		{"https://z3.amazonaws.com", ErrInvalidArgument("Amazon S3 endpoint should be 's3.amazonaws.com'."), false},
 		{"https://s3.amazonaws.com/bucket/object", ErrInvalidArgument("Endpoint url cannot have fully qualified paths."), false},
 	}
 
@@ -138,6 +168,52 @@ func TestIsValidEndpointURL(t *testing.T) {
 	}
 }
 
+func TestDefaultBucketLocation(t *testing.T) {
+	testCases := []struct {
+		endpointURL      url.URL
+		regionOverride   string
+		expectedLocation string
+	}{
+		// Region override is set URL is ignored. - Test 1.
+		{
+			endpointURL:      url.URL{Host: "s3-fips-us-gov-west-1.amazonaws.com"},
+			regionOverride:   "us-west-1",
+			expectedLocation: "us-west-1",
+		},
+		// No region override, url based preferenced is honored - Test 2.
+		{
+			endpointURL:      url.URL{Host: "s3-fips-us-gov-west-1.amazonaws.com"},
+			regionOverride:   "",
+			expectedLocation: "us-gov-west-1",
+		},
+		// Region override is honored - Test 3.
+		{
+			endpointURL:      url.URL{Host: "s3.amazonaws.com"},
+			regionOverride:   "us-west-1",
+			expectedLocation: "us-west-1",
+		},
+		// China region should be honored, region override not provided. - Test 4.
+		{
+			endpointURL:      url.URL{Host: "s3.cn-north-1.amazonaws.com.cn"},
+			regionOverride:   "",
+			expectedLocation: "cn-north-1",
+		},
+		// No region provided, no standard region strings provided as well. - Test 5.
+		{
+			endpointURL:      url.URL{Host: "s3.amazonaws.com"},
+			regionOverride:   "",
+			expectedLocation: "us-east-1",
+		},
+	}
+
+	for i, testCase := range testCases {
+		retLocation := getDefaultLocation(testCase.endpointURL, testCase.regionOverride)
+		if testCase.expectedLocation != retLocation {
+			t.Errorf("Test %d: Expected location %s, got %s", i+1, testCase.expectedLocation, retLocation)
+		}
+	}
+}
+
 // Tests validate the expiry time validator.
 func TestIsValidExpiry(t *testing.T) {
 	testCases := []struct {
@@ -184,19 +260,19 @@ func TestIsValidBucketName(t *testing.T) {
 		// Flag to indicate whether test should Pass.
 		shouldPass bool
 	}{
-		{".mybucket", ErrInvalidBucketName("Bucket name cannot start or end with a '.' dot."), false},
-		{"mybucket.", ErrInvalidBucketName("Bucket name cannot start or end with a '.' dot."), false},
-		{"mybucket-", ErrInvalidBucketName("Bucket name contains invalid characters."), false},
-		{"my", ErrInvalidBucketName("Bucket name cannot be smaller than 3 characters."), false},
-		{"", ErrInvalidBucketName("Bucket name cannot be empty."), false},
-		{"my..bucket", ErrInvalidBucketName("Bucket name cannot have successive periods."), false},
+		{".mybucket", ErrInvalidBucketName("Bucket name contains invalid characters"), false},
+		{"mybucket.", ErrInvalidBucketName("Bucket name contains invalid characters"), false},
+		{"mybucket-", ErrInvalidBucketName("Bucket name contains invalid characters"), false},
+		{"my", ErrInvalidBucketName("Bucket name cannot be smaller than 3 characters"), false},
+		{"", ErrInvalidBucketName("Bucket name cannot be empty"), false},
+		{"my..bucket", ErrInvalidBucketName("Bucket name contains invalid characters"), false},
 		{"my.bucket.com", nil, true},
 		{"my-bucket", nil, true},
 		{"123my-bucket", nil, true},
 	}
 
 	for i, testCase := range testCases {
-		err := isValidBucketName(testCase.bucketName)
+		err := s3utils.CheckValidBucketName(testCase.bucketName)
 		if err != nil && testCase.shouldPass {
 			t.Errorf("Test %d: Expected to pass, but failed with: <ERROR> %s", i+1, err.Error())
 		}
diff --git a/vendor/github.com/pborman/uuid/.travis.yml b/vendor/github.com/pborman/uuid/.travis.yml
index a6a98db8a..d8156a60b 100644
--- a/vendor/github.com/pborman/uuid/.travis.yml
+++ b/vendor/github.com/pborman/uuid/.travis.yml
@@ -3,7 +3,6 @@ language: go
 go:
   - 1.4.3
   - 1.5.3
-  - release
   - tip
 
 script:
diff --git a/vendor/github.com/pborman/uuid/CONTRIBUTING.md b/vendor/github.com/pborman/uuid/CONTRIBUTING.md
new file mode 100644
index 000000000..04fdf09f1
--- /dev/null
+++ b/vendor/github.com/pborman/uuid/CONTRIBUTING.md
@@ -0,0 +1,10 @@
+# How to contribute
+
+We definitely welcome patches and contribution to this project!
+
+### Legal requirements
+
+In order to protect both you and ourselves, you will need to sign the
+[Contributor License Agreement](https://cla.developers.google.com/clas).
+
+You may have already signed it for other Google projects.
diff --git a/vendor/github.com/pborman/uuid/README.md b/vendor/github.com/pborman/uuid/README.md
index f023d47ca..b0396b274 100644
--- a/vendor/github.com/pborman/uuid/README.md
+++ b/vendor/github.com/pborman/uuid/README.md
@@ -1,7 +1,7 @@
 This project was automatically exported from code.google.com/p/go-uuid
 
 # uuid ![build status](https://travis-ci.org/pborman/uuid.svg?branch=master)
-The uuid package generates and inspects UUIDs based on [RFC 412](http://tools.ietf.org/html/rfc4122) and DCE 1.1: Authentication and Security Services. 
+The uuid package generates and inspects UUIDs based on [RFC 4122](http://tools.ietf.org/html/rfc4122) and DCE 1.1: Authentication and Security Services. 
 
 ###### Install
 `go get github.com/pborman/uuid`
diff --git a/vendor/github.com/pborman/uuid/dce.go b/vendor/github.com/pborman/uuid/dce.go
index 50a0f2d09..50a0f2d09 100755..100644
--- a/vendor/github.com/pborman/uuid/dce.go
+++ b/vendor/github.com/pborman/uuid/dce.go
diff --git a/vendor/github.com/pborman/uuid/doc.go b/vendor/github.com/pborman/uuid/doc.go
index d8bd013e6..d8bd013e6 100755..100644
--- a/vendor/github.com/pborman/uuid/doc.go
+++ b/vendor/github.com/pborman/uuid/doc.go
diff --git a/vendor/github.com/pborman/uuid/json.go b/vendor/github.com/pborman/uuid/json.go
deleted file mode 100644
index 9dda1dfba..000000000
--- a/vendor/github.com/pborman/uuid/json.go
+++ /dev/null
@@ -1,34 +0,0 @@
-// Copyright 2014 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package uuid
-
-import "errors"
-
-func (u UUID) MarshalJSON() ([]byte, error) {
-	if len(u) != 16 {
-		return []byte(`""`), nil
-	}
-	var js [38]byte
-	js[0] = '"'
-	encodeHex(js[1:], u)
-	js[37] = '"'
-	return js[:], nil
-}
-
-func (u *UUID) UnmarshalJSON(data []byte) error {
-	if string(data) == `""` {
-		return nil
-	}
-	if data[0] != '"' {
-		return errors.New("invalid UUID format")
-	}
-	data = data[1 : len(data)-1]
-	uu := Parse(string(data))
-	if uu == nil {
-		return errors.New("invalid UUID format")
-	}
-	*u = uu
-	return nil
-}
diff --git a/vendor/github.com/pborman/uuid/json_test.go b/vendor/github.com/pborman/uuid/json_test.go
deleted file mode 100644
index 2866b8dc8..000000000
--- a/vendor/github.com/pborman/uuid/json_test.go
+++ /dev/null
@@ -1,61 +0,0 @@
-// Copyright 2014 Google Inc.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package uuid
-
-import (
-	"encoding/json"
-	"reflect"
-	"testing"
-)
-
-var testUUID = Parse("f47ac10b-58cc-0372-8567-0e02b2c3d479")
-
-func TestJSON(t *testing.T) {
-	type S struct {
-		ID1 UUID
-		ID2 UUID
-	}
-	s1 := S{ID1: testUUID}
-	data, err := json.Marshal(&s1)
-	if err != nil {
-		t.Fatal(err)
-	}
-	var s2 S
-	if err := json.Unmarshal(data, &s2); err != nil {
-		t.Fatal(err)
-	}
-	if !reflect.DeepEqual(&s1, &s2) {
-		t.Errorf("got %#v, want %#v", s2, s1)
-	}
-}
-
-func BenchmarkUUID_MarshalJSON(b *testing.B) {
-	x := &struct {
-		UUID UUID `json:"uuid"`
-	}{}
-	x.UUID = Parse("f47ac10b-58cc-0372-8567-0e02b2c3d479")
-	if x.UUID == nil {
-		b.Fatal("invalid uuid")
-	}
-	for i := 0; i < b.N; i++ {
-		js, err := json.Marshal(x)
-		if err != nil {
-			b.Fatalf("marshal json: %#v (%v)", js, err)
-		}
-	}
-}
-
-func BenchmarkUUID_UnmarshalJSON(b *testing.B) {
-	js := []byte(`{"uuid":"f47ac10b-58cc-0372-8567-0e02b2c3d479"}`)
-	var x *struct {
-		UUID UUID `json:"uuid"`
-	}
-	for i := 0; i < b.N; i++ {
-		err := json.Unmarshal(js, &x)
-		if err != nil {
-			b.Fatalf("marshal json: %#v (%v)", js, err)
-		}
-	}
-}
diff --git a/vendor/github.com/pborman/uuid/marshal.go b/vendor/github.com/pborman/uuid/marshal.go
new file mode 100644
index 000000000..6621dd54b
--- /dev/null
+++ b/vendor/github.com/pborman/uuid/marshal.go
@@ -0,0 +1,83 @@
+// Copyright 2016 Google Inc.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package uuid
+
+import (
+	"errors"
+	"fmt"
+)
+
+// MarshalText implements encoding.TextMarshaler.
+func (u UUID) MarshalText() ([]byte, error) {
+	if len(u) != 16 {
+		return nil, nil
+	}
+	var js [36]byte
+	encodeHex(js[:], u)
+	return js[:], nil
+}
+
+// UnmarshalText implements encoding.TextUnmarshaler.
+func (u *UUID) UnmarshalText(data []byte) error {
+	if len(data) == 0 {
+		return nil
+	}
+	id := Parse(string(data))
+	if id == nil {
+		return errors.New("invalid UUID")
+	}
+	*u = id
+	return nil
+}
+
+// MarshalBinary implements encoding.BinaryMarshaler.
+func (u UUID) MarshalBinary() ([]byte, error) {
+	return u[:], nil
+}
+
+// UnmarshalBinary implements encoding.BinaryUnmarshaler.
+func (u *UUID) UnmarshalBinary(data []byte) error {
+	if len(data) == 0 {
+		return nil
+	}
+	if len(data) != 16 {
+		return fmt.Errorf("invalid UUID (got %d bytes)", len(data))
+	}
+	var id [16]byte
+	copy(id[:], data)
+	*u = id[:]
+	return nil
+}
+
+// MarshalText implements encoding.TextMarshaler.
+func (u Array) MarshalText() ([]byte, error) {
+	var js [36]byte
+	encodeHex(js[:], u[:])
+	return js[:], nil
+}
+
+// UnmarshalText implements encoding.TextUnmarshaler.
+func (u *Array) UnmarshalText(data []byte) error {
+	id := Parse(string(data))
+	if id == nil {
+		return errors.New("invalid UUID")
+	}
+	*u = id.Array()
+	return nil
+}
+
+// MarshalBinary implements encoding.BinaryMarshaler.
+func (u Array) MarshalBinary() ([]byte, error) {
+	return u[:], nil
+}
+
+// UnmarshalBinary implements encoding.BinaryUnmarshaler.
+func (u *Array) UnmarshalBinary(data []byte) error {
+	if len(data) != 16 {
+		return fmt.Errorf("invalid UUID (got %d bytes)", len(data))
+	}
+	copy(u[:], data)
+	return nil
+}
diff --git a/vendor/github.com/pborman/uuid/marshal_test.go b/vendor/github.com/pborman/uuid/marshal_test.go
new file mode 100644
index 000000000..4e85b6bab
--- /dev/null
+++ b/vendor/github.com/pborman/uuid/marshal_test.go
@@ -0,0 +1,124 @@
+// Copyright 2014 Google Inc.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package uuid
+
+import (
+	"bytes"
+	"encoding/json"
+	"reflect"
+	"testing"
+)
+
+var testUUID = Parse("f47ac10b-58cc-0372-8567-0e02b2c3d479")
+var testArray = testUUID.Array()
+
+func TestJSON(t *testing.T) {
+	type S struct {
+		ID1 UUID
+		ID2 UUID
+	}
+	s1 := S{ID1: testUUID}
+	data, err := json.Marshal(&s1)
+	if err != nil {
+		t.Fatal(err)
+	}
+	var s2 S
+	if err := json.Unmarshal(data, &s2); err != nil {
+		t.Fatal(err)
+	}
+	if !reflect.DeepEqual(&s1, &s2) {
+		t.Errorf("got %#v, want %#v", s2, s1)
+	}
+}
+
+func TestJSONArray(t *testing.T) {
+	type S struct {
+		ID1 Array
+		ID2 Array
+	}
+	s1 := S{ID1: testArray}
+	data, err := json.Marshal(&s1)
+	if err != nil {
+		t.Fatal(err)
+	}
+	var s2 S
+	if err := json.Unmarshal(data, &s2); err != nil {
+		t.Fatal(err)
+	}
+	if !reflect.DeepEqual(&s1, &s2) {
+		t.Errorf("got %#v, want %#v", s2, s1)
+	}
+}
+
+func TestMarshal(t *testing.T) {
+	data, err := testUUID.MarshalBinary()
+	if err != nil {
+		t.Fatalf("MarhsalBinary returned unexpected error %v", err)
+	}
+	if !bytes.Equal(data, testUUID) {
+		t.Fatalf("MarhsalBinary returns %x, want %x", data, testUUID)
+	}
+	var u UUID
+	u.UnmarshalBinary(data)
+	if !Equal(data, u) {
+		t.Fatalf("UnmarhsalBinary returns %v, want %v", u, testUUID)
+	}
+}
+
+func TestMarshalArray(t *testing.T) {
+	data, err := testArray.MarshalBinary()
+	if err != nil {
+		t.Fatalf("MarhsalBinary returned unexpected error %v", err)
+	}
+	if !bytes.Equal(data, testUUID) {
+		t.Fatalf("MarhsalBinary returns %x, want %x", data, testUUID)
+	}
+	var a Array
+	a.UnmarshalBinary(data)
+	if a != testArray {
+		t.Fatalf("UnmarhsalBinary returns %v, want %v", a, testArray)
+	}
+}
+
+func TestMarshalTextArray(t *testing.T) {
+	data, err := testArray.MarshalText()
+	if err != nil {
+		t.Fatalf("MarhsalText returned unexpected error %v", err)
+	}
+	var a Array
+	a.UnmarshalText(data)
+	if a != testArray {
+		t.Fatalf("UnmarhsalText returns %v, want %v", a, testArray)
+	}
+}
+
+func BenchmarkUUID_MarshalJSON(b *testing.B) {
+	x := &struct {
+		UUID UUID `json:"uuid"`
+	}{}
+	x.UUID = Parse("f47ac10b-58cc-0372-8567-0e02b2c3d479")
+	if x.UUID == nil {
+		b.Fatal("invalid uuid")
+	}
+	for i := 0; i < b.N; i++ {
+		js, err := json.Marshal(x)
+		if err != nil {
+			b.Fatalf("marshal json: %#v (%v)", js, err)
+		}
+	}
+}
+
+func BenchmarkUUID_UnmarshalJSON(b *testing.B) {
+	js := []byte(`{"uuid":"f47ac10b-58cc-0372-8567-0e02b2c3d479"}`)
+	var x *struct {
+		UUID UUID `json:"uuid"`
+	}
+	for i := 0; i < b.N; i++ {
+		err := json.Unmarshal(js, &x)
+		if err != nil {
+			b.Fatalf("marshal json: %#v (%v)", js, err)
+		}
+	}
+}
diff --git a/vendor/github.com/pborman/uuid/node.go b/vendor/github.com/pborman/uuid/node.go
index 42d60da8f..42d60da8f 100755..100644
--- a/vendor/github.com/pborman/uuid/node.go
+++ b/vendor/github.com/pborman/uuid/node.go
diff --git a/vendor/github.com/pborman/uuid/sql.go b/vendor/github.com/pborman/uuid/sql.go
index c84f900d5..d015bfd13 100644
--- a/vendor/github.com/pborman/uuid/sql.go
+++ b/vendor/github.com/pborman/uuid/sql.go
@@ -5,6 +5,7 @@
 package uuid
 
 import (
+	"database/sql/driver"
 	"errors"
 	"fmt"
 )
@@ -56,3 +57,10 @@ func (uuid *UUID) Scan(src interface{}) error {
 
 	return nil
 }
+
+// Value implements sql.Valuer so that UUIDs can be written to databases
+// transparently. Currently, UUIDs map to strings. Please consult
+// database-specific driver documentation for matching types.
+func (uuid UUID) Value() (driver.Value, error) {
+	return uuid.String(), nil
+}
diff --git a/vendor/github.com/pborman/uuid/sql_test.go b/vendor/github.com/pborman/uuid/sql_test.go
index 4d26392af..103095156 100644
--- a/vendor/github.com/pborman/uuid/sql_test.go
+++ b/vendor/github.com/pborman/uuid/sql_test.go
@@ -85,3 +85,12 @@ func TestScan(t *testing.T) {
 		t.Error("UUID was not nil after scanning empty string")
 	}
 }
+
+func TestValue(t *testing.T) {
+	stringTest := "f47ac10b-58cc-0372-8567-0e02b2c3d479"
+	uuid := Parse(stringTest)
+	val, _ := uuid.Value()
+	if val != stringTest {
+		t.Error("Value() did not return expected string")
+	}
+}
diff --git a/vendor/github.com/pborman/uuid/time.go b/vendor/github.com/pborman/uuid/time.go
index eedf24219..eedf24219 100755..100644
--- a/vendor/github.com/pborman/uuid/time.go
+++ b/vendor/github.com/pborman/uuid/time.go
diff --git a/vendor/github.com/pborman/uuid/uuid.go b/vendor/github.com/pborman/uuid/uuid.go
index c4482cd87..7c643cf0a 100644
--- a/vendor/github.com/pborman/uuid/uuid.go
+++ b/vendor/github.com/pborman/uuid/uuid.go
@@ -13,6 +13,20 @@ import (
 	"strings"
 )
 
+// Array is a pass-by-value UUID that can be used as an effecient key in a map.
+type Array [16]byte
+
+// UUID converts uuid into a slice.
+func (uuid Array) UUID() UUID {
+	return uuid[:]
+}
+
+// String returns the string representation of uuid,
+// xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
+func (uuid Array) String() string {
+	return uuid.UUID().String()
+}
+
 // A UUID is a 128 bit (16 byte) Universal Unique IDentifier as defined in RFC
 // 4122.
 type UUID []byte
@@ -76,6 +90,17 @@ func Equal(uuid1, uuid2 UUID) bool {
 	return bytes.Equal(uuid1, uuid2)
 }
 
+// Array returns an array representation of uuid that can be used as a map key.
+// Array panics if uuid is not valid.
+func (uuid UUID) Array() Array {
+	if len(uuid) != 16 {
+		panic("invalid uuid")
+	}
+	var a Array
+	copy(a[:], uuid)
+	return a
+}
+
 // String returns the string form of uuid, xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
 // , or "" if uuid is invalid.
 func (uuid UUID) String() string {
@@ -161,7 +186,7 @@ func (v Variant) String() string {
 	return fmt.Sprintf("BadVariant%d", int(v))
 }
 
-// SetRand sets the random number generator to r, which implents io.Reader.
+// SetRand sets the random number generator to r, which implements io.Reader.
 // If r.Read returns an error when the package requests random data then
 // a panic will be issued.
 //
diff --git a/vendor/github.com/pborman/uuid/uuid_test.go b/vendor/github.com/pborman/uuid/uuid_test.go
index 3835cc808..038723966 100644
--- a/vendor/github.com/pborman/uuid/uuid_test.go
+++ b/vendor/github.com/pborman/uuid/uuid_test.go
@@ -300,7 +300,7 @@ func TestNode(t *testing.T) {
 		t.Error("nodeid is all zeros")
 	}
 
-	id := []byte{1,2,3,4,5,6,7,8}
+	id := []byte{1, 2, 3, 4, 5, 6, 7, 8}
 	SetNodeID(id)
 	ni = NodeID()
 	if !bytes.Equal(ni, id[:6]) {
@@ -421,13 +421,47 @@ func TestBadRand(t *testing.T) {
 	uuid1 := New()
 	uuid2 := New()
 	if uuid1 != uuid2 {
-		t.Errorf("execpted duplicates, got %q and %q", uuid1, uuid2)
+		t.Errorf("expected duplicates, got %q and %q", uuid1, uuid2)
 	}
 	SetRand(nil)
 	uuid1 = New()
 	uuid2 = New()
 	if uuid1 == uuid2 {
-		t.Errorf("unexecpted duplicates, got %q", uuid1)
+		t.Errorf("unexpected duplicates, got %q", uuid1)
+	}
+}
+
+func TestUUID_Array(t *testing.T) {
+	expect := Array{
+		0xf4, 0x7a, 0xc1, 0x0b,
+		0x58, 0xcc,
+		0x03, 0x72,
+		0x85, 0x67,
+		0x0e, 0x02, 0xb2, 0xc3, 0xd4, 0x79,
+	}
+	uuid := Parse("f47ac10b-58cc-0372-8567-0e02b2c3d479")
+	if uuid == nil {
+		t.Fatal("invalid uuid")
+	}
+	if uuid.Array() != expect {
+		t.Fatal("invalid array")
+	}
+}
+
+func TestArray_UUID(t *testing.T) {
+	array := Array{
+		0xf4, 0x7a, 0xc1, 0x0b,
+		0x58, 0xcc,
+		0x03, 0x72,
+		0x85, 0x67,
+		0x0e, 0x02, 0xb2, 0xc3, 0xd4, 0x79,
+	}
+	expect := Parse("f47ac10b-58cc-0372-8567-0e02b2c3d479")
+	if expect == nil {
+		t.Fatal("invalid uuid")
+	}
+	if !bytes.Equal(array.UUID(), expect) {
+		t.Fatal("invalid uuid")
 	}
 }
 
@@ -469,3 +503,41 @@ func BenchmarkUUID_URN(b *testing.B) {
 		}
 	}
 }
+
+func BenchmarkUUID_Array(b *testing.B) {
+	expect := Array{
+		0xf4, 0x7a, 0xc1, 0x0b,
+		0x58, 0xcc,
+		0x03, 0x72,
+		0x85, 0x67,
+		0x0e, 0x02, 0xb2, 0xc3, 0xd4, 0x79,
+	}
+	uuid := Parse("f47ac10b-58cc-0372-8567-0e02b2c3d479")
+	if uuid == nil {
+		b.Fatal("invalid uuid")
+	}
+	for i := 0; i < b.N; i++ {
+		if uuid.Array() != expect {
+			b.Fatal("invalid array")
+		}
+	}
+}
+
+func BenchmarkArray_UUID(b *testing.B) {
+	array := Array{
+		0xf4, 0x7a, 0xc1, 0x0b,
+		0x58, 0xcc,
+		0x03, 0x72,
+		0x85, 0x67,
+		0x0e, 0x02, 0xb2, 0xc3, 0xd4, 0x79,
+	}
+	expect := Parse("f47ac10b-58cc-0372-8567-0e02b2c3d479")
+	if expect == nil {
+		b.Fatal("invalid uuid")
+	}
+	for i := 0; i < b.N; i++ {
+		if !bytes.Equal(array.UUID(), expect) {
+			b.Fatal("invalid uuid")
+		}
+	}
+}
diff --git a/vendor/github.com/pelletier/go-buffruneio/.gitignore b/vendor/github.com/pelletier/go-buffruneio/.gitignore
deleted file mode 100644
index c56069fe2..000000000
--- a/vendor/github.com/pelletier/go-buffruneio/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-*.test
\ No newline at end of file
diff --git a/vendor/github.com/pelletier/go-buffruneio/.travis.yml b/vendor/github.com/pelletier/go-buffruneio/.travis.yml
deleted file mode 100644
index 9720442cd..000000000
--- a/vendor/github.com/pelletier/go-buffruneio/.travis.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-language: go
-sudo: false
-go:
-    - 1.3.3
-    - 1.4.3
-    - 1.5.3
-    - tip
diff --git a/vendor/github.com/pelletier/go-buffruneio/README.md b/vendor/github.com/pelletier/go-buffruneio/README.md
deleted file mode 100644
index ff608b3ab..000000000
--- a/vendor/github.com/pelletier/go-buffruneio/README.md
+++ /dev/null
@@ -1,62 +0,0 @@
-# buffruneio
-
-[![Tests Status](https://travis-ci.org/pelletier/go-buffruneio.svg?branch=master)](https://travis-ci.org/pelletier/go-buffruneio)
-[![GoDoc](https://godoc.org/github.com/pelletier/go-buffruneio?status.svg)](https://godoc.org/github.com/pelletier/go-buffruneio)
-
-Buffruneio is a wrapper around bufio to provide buffered runes access with
-unlimited unreads.
-
-```go
-import "github.com/pelletier/go-buffruneio"
-```
-
-## Examples
-
-```go
-import (
-    "fmt"
-    "github.com/pelletier/go-buffruneio"
-    "strings"
-)
-
-reader := buffruneio.NewReader(strings.NewReader("abcd"))
-fmt.Println(reader.ReadRune()) // 'a'
-fmt.Println(reader.ReadRune()) // 'b'
-fmt.Println(reader.ReadRune()) // 'c'
-reader.UnreadRune()
-reader.UnreadRune()
-fmt.Println(reader.ReadRune()) // 'b'
-fmt.Println(reader.ReadRune()) // 'c'
-```
-
-## Documentation
-
-The documentation and additional examples are available at
-[godoc.org](http://godoc.org/github.com/pelletier/go-buffruneio).
-
-## Contribute
-
-Feel free to report bugs and patches using GitHub's pull requests system on
-[pelletier/go-toml](https://github.com/pelletier/go-buffruneio). Any feedback is
-much appreciated!
-
-## LICENSE
-
-Copyright (c) 2016 Thomas Pelletier
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of
-this software and associated documentation files (the "Software"), to deal in
-the Software without restriction, including without limitation the rights to
-use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-the Software, and to permit persons to whom the Software is furnished to do so,
-subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/vendor/github.com/pelletier/go-buffruneio/buffruneio.go b/vendor/github.com/pelletier/go-buffruneio/buffruneio.go
deleted file mode 100644
index 4e6d6ea61..000000000
--- a/vendor/github.com/pelletier/go-buffruneio/buffruneio.go
+++ /dev/null
@@ -1,117 +0,0 @@
-// Package buffruneio is a wrapper around bufio to provide buffered runes access with unlimited unreads.
-package buffruneio
-
-import (
-	"bufio"
-	"container/list"
-	"errors"
-	"io"
-)
-
-// Rune to indicate end of file.
-const (
-	EOF = -(iota + 1)
-)
-
-// ErrNoRuneToUnread is returned by UnreadRune() when the read index is already at the beginning of the buffer.
-var ErrNoRuneToUnread = errors.New("no rune to unwind")
-
-// Reader implements runes buffering for an io.Reader object.
-type Reader struct {
-	buffer  *list.List
-	current *list.Element
-	input   *bufio.Reader
-}
-
-// NewReader returns a new Reader.
-func NewReader(rd io.Reader) *Reader {
-	return &Reader{
-		buffer: list.New(),
-		input:  bufio.NewReader(rd),
-	}
-}
-
-type runeWithSize struct {
-	r    rune
-	size int
-}
-
-func (rd *Reader) feedBuffer() error {
-	r, size, err := rd.input.ReadRune()
-
-	if err != nil {
-		if err != io.EOF {
-			return err
-		}
-		r = EOF
-	}
-
-	newRuneWithSize := runeWithSize{r, size}
-
-	rd.buffer.PushBack(newRuneWithSize)
-	if rd.current == nil {
-		rd.current = rd.buffer.Back()
-	}
-	return nil
-}
-
-// ReadRune reads the next rune from buffer, or from the underlying reader if needed.
-func (rd *Reader) ReadRune() (rune, int, error) {
-	if rd.current == rd.buffer.Back() || rd.current == nil {
-		err := rd.feedBuffer()
-		if err != nil {
-			return EOF, 0, err
-		}
-	}
-
-	runeWithSize := rd.current.Value.(runeWithSize)
-	rd.current = rd.current.Next()
-	return runeWithSize.r, runeWithSize.size, nil
-}
-
-// UnreadRune pushes back the previously read rune in the buffer, extending it if needed.
-func (rd *Reader) UnreadRune() error {
-	if rd.current == rd.buffer.Front() {
-		return ErrNoRuneToUnread
-	}
-	if rd.current == nil {
-		rd.current = rd.buffer.Back()
-	} else {
-		rd.current = rd.current.Prev()
-	}
-	return nil
-}
-
-// Forget removes runes stored before the current stream position index.
-func (rd *Reader) Forget() {
-	if rd.current == nil {
-		rd.current = rd.buffer.Back()
-	}
-	for ; rd.current != rd.buffer.Front(); rd.buffer.Remove(rd.current.Prev()) {
-	}
-}
-
-// PeekRune returns at most the next n runes, reading from the uderlying source if
-// needed. Does not move the current index. It includes EOF if reached.
-func (rd *Reader) PeekRunes(n int) []rune {
-	res := make([]rune, 0, n)
-	cursor := rd.current
-	for i := 0; i < n; i++ {
-		if cursor == nil {
-			err := rd.feedBuffer()
-			if err != nil {
-				return res
-			}
-			cursor = rd.buffer.Back()
-		}
-		if cursor != nil {
-			r := cursor.Value.(runeWithSize).r
-			res = append(res, r)
-			if r == EOF {
-				return res
-			}
-			cursor = cursor.Next()
-		}
-	}
-	return res
-}
diff --git a/vendor/github.com/pelletier/go-buffruneio/buffruneio_test.go b/vendor/github.com/pelletier/go-buffruneio/buffruneio_test.go
deleted file mode 100644
index 67b0cba9b..000000000
--- a/vendor/github.com/pelletier/go-buffruneio/buffruneio_test.go
+++ /dev/null
@@ -1,145 +0,0 @@
-package buffruneio
-
-import (
-	"runtime/debug"
-	"strings"
-	"testing"
-)
-
-func assertNoError(t *testing.T, err error) {
-	if err != nil {
-		t.Log("unexpected error", err)
-		debug.PrintStack()
-		t.FailNow()
-	}
-}
-
-func assumeRunesArray(t *testing.T, expected []rune, got []rune) {
-	if len(expected) != len(got) {
-		t.Fatal("expected", len(expected), "runes, but got", len(got))
-	}
-	for i := 0; i < len(got); i++ {
-		if expected[i] != got[i] {
-			t.Fatal("expected rune", expected[i], "at index", i, "but got", got[i])
-		}
-	}
-}
-
-func assumeRune(t *testing.T, rd *Reader, r rune) {
-	gotRune, size, err := rd.ReadRune()
-	assertNoError(t, err)
-	if gotRune != r {
-		t.Fatal("got", string(gotRune),
-			"(", []byte(string(gotRune)), ")",
-			"expected", string(r),
-			"(", []byte(string(r)), ")")
-		t.Fatal("got size", size,
-			"expected", len([]byte(string(r))))
-	}
-}
-
-func TestReadString(t *testing.T) {
-	s := "hello"
-	rd := NewReader(strings.NewReader(s))
-
-	assumeRune(t, rd, 'h')
-	assumeRune(t, rd, 'e')
-	assumeRune(t, rd, 'l')
-	assumeRune(t, rd, 'l')
-	assumeRune(t, rd, 'o')
-	assumeRune(t, rd, EOF)
-}
-
-func TestMultipleEOF(t *testing.T) {
-	s := ""
-	rd := NewReader(strings.NewReader(s))
-
-	assumeRune(t, rd, EOF)
-	assumeRune(t, rd, EOF)
-}
-
-func TestUnread(t *testing.T) {
-	s := "ab"
-	rd := NewReader(strings.NewReader(s))
-
-	assumeRune(t, rd, 'a')
-	assumeRune(t, rd, 'b')
-	assertNoError(t, rd.UnreadRune())
-	assumeRune(t, rd, 'b')
-	assumeRune(t, rd, EOF)
-}
-
-func TestUnreadEOF(t *testing.T) {
-	s := ""
-	rd := NewReader(strings.NewReader(s))
-
-	_ = rd.UnreadRune()
-	assumeRune(t, rd, EOF)
-	assumeRune(t, rd, EOF)
-	assertNoError(t, rd.UnreadRune())
-	assumeRune(t, rd, EOF)
-}
-
-func TestForget(t *testing.T) {
-	s := "hello"
-	rd := NewReader(strings.NewReader(s))
-
-	assumeRune(t, rd, 'h')
-	assumeRune(t, rd, 'e')
-	assumeRune(t, rd, 'l')
-	assumeRune(t, rd, 'l')
-	rd.Forget()
-	if rd.UnreadRune() != ErrNoRuneToUnread {
-		t.Fatal("no rune should be available")
-	}
-}
-
-func TestForgetEmpty(t *testing.T) {
-	s := ""
-	rd := NewReader(strings.NewReader(s))
-
-	rd.Forget()
-	assumeRune(t, rd, EOF)
-	rd.Forget()
-}
-
-func TestPeekEmpty(t *testing.T) {
-	s := ""
-	rd := NewReader(strings.NewReader(s))
-
-	runes := rd.PeekRunes(1)
-	if len(runes) != 1 {
-		t.Fatal("incorrect number of runes", len(runes))
-	}
-	if runes[0] != EOF {
-		t.Fatal("incorrect rune", runes[0])
-	}
-}
-
-func TestPeek(t *testing.T) {
-	s := "a"
-	rd := NewReader(strings.NewReader(s))
-
-	runes := rd.PeekRunes(1)
-	assumeRunesArray(t, []rune{'a'}, runes)
-
-	runes = rd.PeekRunes(1)
-	assumeRunesArray(t, []rune{'a'}, runes)
-
-	assumeRune(t, rd, 'a')
-	runes = rd.PeekRunes(1)
-	assumeRunesArray(t, []rune{EOF}, runes)
-
-	assumeRune(t, rd, EOF)
-}
-
-func TestPeekLarge(t *testing.T) {
-	s := "abcdefg"
-	rd := NewReader(strings.NewReader(s))
-
-	runes := rd.PeekRunes(100)
-	if len(runes) != len(s)+1 {
-		t.Fatal("incorrect number of runes", len(runes))
-	}
-	assumeRunesArray(t, []rune{'a', 'b', 'c', 'd', 'e', 'f', 'g', EOF}, runes)
-}
diff --git a/vendor/github.com/pelletier/go-toml/benchmark.json b/vendor/github.com/pelletier/go-toml/benchmark.json
new file mode 100644
index 000000000..86f99c6a8
--- /dev/null
+++ b/vendor/github.com/pelletier/go-toml/benchmark.json
@@ -0,0 +1,164 @@
+{
+    "array": {
+        "key1": [
+            1,
+            2,
+            3
+        ],
+        "key2": [
+            "red",
+            "yellow",
+            "green"
+        ],
+        "key3": [
+            [
+                1,
+                2
+            ],
+            [
+                3,
+                4,
+                5
+            ]
+        ],
+        "key4": [
+            [
+                1,
+                2
+            ],
+            [
+                "a",
+                "b",
+                "c"
+            ]
+        ],
+        "key5": [
+            1,
+            2,
+            3
+        ],
+        "key6": [
+            1,
+            2
+        ]
+    },
+    "boolean": {
+        "False": false,
+        "True": true
+    },
+    "datetime": {
+        "key1": "1979-05-27T07:32:00Z",
+        "key2": "1979-05-27T00:32:00-07:00",
+        "key3": "1979-05-27T00:32:00.999999-07:00"
+    },
+    "float": {
+        "both": {
+            "key": 6.626e-34
+        },
+        "exponent": {
+            "key1": 5e+22,
+            "key2": 1000000,
+            "key3": -0.02
+        },
+        "fractional": {
+            "key1": 1,
+            "key2": 3.1415,
+            "key3": -0.01
+        },
+        "underscores": {
+            "key1": 9224617.445991227,
+            "key2": 1e+100
+        }
+    },
+    "fruit": [{
+            "name": "apple",
+            "physical": {
+                "color": "red",
+                "shape": "round"
+            },
+            "variety": [{
+                    "name": "red delicious"
+                },
+                {
+                    "name": "granny smith"
+                }
+            ]
+        },
+        {
+            "name": "banana",
+            "variety": [{
+                "name": "plantain"
+            }]
+        }
+    ],
+    "integer": {
+        "key1": 99,
+        "key2": 42,
+        "key3": 0,
+        "key4": -17,
+        "underscores": {
+            "key1": 1000,
+            "key2": 5349221,
+            "key3": 12345
+        }
+    },
+    "products": [{
+            "name": "Hammer",
+            "sku": 738594937
+        },
+        {},
+        {
+            "color": "gray",
+            "name": "Nail",
+            "sku": 284758393
+        }
+    ],
+    "string": {
+        "basic": {
+            "basic": "I'm a string. \"You can quote me\". Name\tJosé\nLocation\tSF."
+        },
+        "literal": {
+            "multiline": {
+                "lines": "The first newline is\ntrimmed in raw strings.\n   All other whitespace\n   is preserved.\n",
+                "regex2": "I [dw]on't need \\d{2} apples"
+            },
+            "quoted": "Tom \"Dubs\" Preston-Werner",
+            "regex": "\u003c\\i\\c*\\s*\u003e",
+            "winpath": "C:\\Users\\nodejs\\templates",
+            "winpath2": "\\\\ServerX\\admin$\\system32\\"
+        },
+        "multiline": {
+            "continued": {
+                "key1": "The quick brown fox jumps over the lazy dog.",
+                "key2": "The quick brown fox jumps over the lazy dog.",
+                "key3": "The quick brown fox jumps over the lazy dog."
+            },
+            "key1": "One\nTwo",
+            "key2": "One\nTwo",
+            "key3": "One\nTwo"
+        }
+    },
+    "table": {
+        "inline": {
+            "name": {
+                "first": "Tom",
+                "last": "Preston-Werner"
+            },
+            "point": {
+                "x": 1,
+                "y": 2
+            }
+        },
+        "key": "value",
+        "subtable": {
+            "key": "another value"
+        }
+    },
+    "x": {
+        "y": {
+            "z": {
+                "w": {}
+            }
+        }
+    }
+}
diff --git a/vendor/github.com/pelletier/go-toml/benchmark.sh b/vendor/github.com/pelletier/go-toml/benchmark.sh
index cf1dabb4a..8b8bb528e 100755
--- a/vendor/github.com/pelletier/go-toml/benchmark.sh
+++ b/vendor/github.com/pelletier/go-toml/benchmark.sh
@@ -13,7 +13,7 @@ fi
 
 tempdir=`mktemp -d /tmp/go-toml-benchmark-XXXXXX`
 ref_tempdir="${tempdir}/ref"
-ref_benchmark="${ref_tempdir}/benchmark-${reference_ref}.txt"
+ref_benchmark="${ref_tempdir}/benchmark-`echo -n ${reference_ref}|tr -s '/' '-'`.txt"
 local_benchmark="`pwd`/benchmark-local.txt"
 
 echo "=== ${reference_ref} (${ref_tempdir})"
@@ -25,7 +25,7 @@ popd >/dev/null
 
 echo ""
 echo "=== local"
-go test -bench=. -benchmem | tee ${local_benchmark}
+go test -bench=. -benchmem  | tee ${local_benchmark}
 
 echo ""
 echo "=== diff"
diff --git a/vendor/github.com/pelletier/go-toml/benchmark.toml b/vendor/github.com/pelletier/go-toml/benchmark.toml
new file mode 100644
index 000000000..dfd77e096
--- /dev/null
+++ b/vendor/github.com/pelletier/go-toml/benchmark.toml
@@ -0,0 +1,244 @@
+################################################################################
+## Comment
+
+# Speak your mind with the hash symbol. They go from the symbol to the end of
+# the line.
+
+
+################################################################################
+## Table
+
+# Tables (also known as hash tables or dictionaries) are collections of
+# key/value pairs. They appear in square brackets on a line by themselves.
+
+[table]
+
+key = "value" # Yeah, you can do this.
+
+# Nested tables are denoted by table names with dots in them. Name your tables
+# whatever crap you please, just don't use #, ., [ or ].
+
+[table.subtable]
+
+key = "another value"
+
+# You don't need to specify all the super-tables if you don't want to. TOML
+# knows how to do it for you.
+
+# [x] you
+# [x.y] don't
+# [x.y.z] need these
+[x.y.z.w] # for this to work
+
+
+################################################################################
+## Inline Table
+
+# Inline tables provide a more compact syntax for expressing tables. They are
+# especially useful for grouped data that can otherwise quickly become verbose.
+# Inline tables are enclosed in curly braces `{` and `}`. No newlines are
+# allowed between the curly braces unless they are valid within a value.
+
+[table.inline]
+
+name = { first = "Tom", last = "Preston-Werner" }
+point = { x = 1, y = 2 }
+
+
+################################################################################
+## String
+
+# There are four ways to express strings: basic, multi-line basic, literal, and
+# multi-line literal. All strings must contain only valid UTF-8 characters.
+
+[string.basic]
+
+basic = "I'm a string. \"You can quote me\". Name\tJos\u00E9\nLocation\tSF."
+
+[string.multiline]
+
+# The following strings are byte-for-byte equivalent:
+key1 = "One\nTwo"
+key2 = """One\nTwo"""
+key3 = """
+One
+Two"""
+
+[string.multiline.continued]
+
+# The following strings are byte-for-byte equivalent:
+key1 = "The quick brown fox jumps over the lazy dog."
+
+key2 = """
+The quick brown \
+
+
+  fox jumps over \
+    the lazy dog."""
+
+key3 = """\
+       The quick brown \
+       fox jumps over \
+       the lazy dog.\
+       """
+
+[string.literal]
+
+# What you see is what you get.
+winpath  = 'C:\Users\nodejs\templates'
+winpath2 = '\\ServerX\admin$\system32\'
+quoted   = 'Tom "Dubs" Preston-Werner'
+regex    = '<\i\c*\s*>'
+
+
+[string.literal.multiline]
+
+regex2 = '''I [dw]on't need \d{2} apples'''
+lines  = '''
+The first newline is
+trimmed in raw strings.
+   All other whitespace
+   is preserved.
+'''
+
+
+################################################################################
+## Integer
+
+# Integers are whole numbers. Positive numbers may be prefixed with a plus sign.
+# Negative numbers are prefixed with a minus sign.
+
+[integer]
+
+key1 = +99
+key2 = 42
+key3 = 0
+key4 = -17
+
+[integer.underscores]
+
+# For large numbers, you may use underscores to enhance readability. Each
+# underscore must be surrounded by at least one digit.
+key1 = 1_000
+key2 = 5_349_221
+key3 = 1_2_3_4_5     # valid but inadvisable
+
+
+################################################################################
+## Float
+
+# A float consists of an integer part (which may be prefixed with a plus or
+# minus sign) followed by a fractional part and/or an exponent part.
+
+[float.fractional]
+
+key1 = +1.0
+key2 = 3.1415
+key3 = -0.01
+
+[float.exponent]
+
+key1 = 5e+22
+key2 = 1e6
+key3 = -2E-2
+
+[float.both]
+
+key = 6.626e-34
+
+[float.underscores]
+
+key1 = 9_224_617.445_991_228_313
+key2 = 1e1_00
+
+
+################################################################################
+## Boolean
+
+# Booleans are just the tokens you're used to. Always lowercase.
+
+[boolean]
+
+True = true
+False = false
+
+
+################################################################################
+## Datetime
+
+# Datetimes are RFC 3339 dates.
+
+[datetime]
+
+key1 = 1979-05-27T07:32:00Z
+key2 = 1979-05-27T00:32:00-07:00
+key3 = 1979-05-27T00:32:00.999999-07:00
+
+
+################################################################################
+## Array
+
+# Arrays are square brackets with other primitives inside. Whitespace is
+# ignored. Elements are separated by commas. Data types may not be mixed.
+
+[array]
+
+key1 = [ 1, 2, 3 ]
+key2 = [ "red", "yellow", "green" ]
+key3 = [ [ 1, 2 ], [3, 4, 5] ]
+#key4 = [ [ 1, 2 ], ["a", "b", "c"] ] # this is ok
+
+# Arrays can also be multiline. So in addition to ignoring whitespace, arrays
+# also ignore newlines between the brackets.  Terminating commas are ok before
+# the closing bracket.
+
+key5 = [
+  1, 2, 3
+]
+key6 = [
+  1,
+  2, # this is ok
+]
+
+
+################################################################################
+## Array of Tables
+
+# These can be expressed by using a table name in double brackets. Each table
+# with the same double bracketed name will be an element in the array. The
+# tables are inserted in the order encountered.
+
+[[products]]
+
+name = "Hammer"
+sku = 738594937
+
+[[products]]
+
+[[products]]
+
+name = "Nail"
+sku = 284758393
+color = "gray"
+
+
+# You can create nested arrays of tables as well.
+
+[[fruit]]
+  name = "apple"
+
+  [fruit.physical]
+    color = "red"
+    shape = "round"
+
+  [[fruit.variety]]
+    name = "red delicious"
+
+  [[fruit.variety]]
+    name = "granny smith"
+
+[[fruit]]
+  name = "banana"
+
+  [[fruit.variety]]
+    name = "plantain"
diff --git a/vendor/github.com/pelletier/go-toml/benchmark.yml b/vendor/github.com/pelletier/go-toml/benchmark.yml
new file mode 100644
index 000000000..0bd19f08a
--- /dev/null
+++ b/vendor/github.com/pelletier/go-toml/benchmark.yml
@@ -0,0 +1,121 @@
+---
+array:
+  key1:
+  - 1
+  - 2
+  - 3
+  key2:
+  - red
+  - yellow
+  - green
+  key3:
+  - - 1
+    - 2
+  - - 3
+    - 4
+    - 5
+  key4:
+  - - 1
+    - 2
+  - - a
+    - b
+    - c
+  key5:
+  - 1
+  - 2
+  - 3
+  key6:
+  - 1
+  - 2
+boolean:
+  'False': false
+  'True': true
+datetime:
+  key1: '1979-05-27T07:32:00Z'
+  key2: '1979-05-27T00:32:00-07:00'
+  key3: '1979-05-27T00:32:00.999999-07:00'
+float:
+  both:
+    key: 6.626e-34
+  exponent:
+    key1: 5.0e+22
+    key2: 1000000
+    key3: -0.02
+  fractional:
+    key1: 1
+    key2: 3.1415
+    key3: -0.01
+  underscores:
+    key1: 9224617.445991227
+    key2: 1.0e+100
+fruit:
+- name: apple
+  physical:
+    color: red
+    shape: round
+  variety:
+  - name: red delicious
+  - name: granny smith
+- name: banana
+  variety:
+  - name: plantain
+integer:
+  key1: 99
+  key2: 42
+  key3: 0
+  key4: -17
+  underscores:
+    key1: 1000
+    key2: 5349221
+    key3: 12345
+products:
+- name: Hammer
+  sku: 738594937
+- {}
+- color: gray
+  name: Nail
+  sku: 284758393
+string:
+  basic:
+    basic: "I'm a string. \"You can quote me\". Name\tJosé\nLocation\tSF."
+  literal:
+    multiline:
+      lines: |
+        The first newline is
+        trimmed in raw strings.
+           All other whitespace
+           is preserved.
+      regex2: I [dw]on't need \d{2} apples
+    quoted: Tom "Dubs" Preston-Werner
+    regex: "<\\i\\c*\\s*>"
+    winpath: C:\Users\nodejs\templates
+    winpath2: "\\\\ServerX\\admin$\\system32\\"
+  multiline:
+    continued:
+      key1: The quick brown fox jumps over the lazy dog.
+      key2: The quick brown fox jumps over the lazy dog.
+      key3: The quick brown fox jumps over the lazy dog.
+    key1: |-
+      One
+      Two
+    key2: |-
+      One
+      Two
+    key3: |-
+      One
+      Two
+table:
+  inline:
+    name:
+      first: Tom
+      last: Preston-Werner
+    point:
+      x: 1
+      y: 2
+  key: value
+  subtable:
+    key: another value
+x:
+  y:
+    z:
+      w: {}
diff --git a/vendor/github.com/pelletier/go-toml/benchmark_test.go b/vendor/github.com/pelletier/go-toml/benchmark_test.go
new file mode 100644
index 000000000..e1f209dfa
--- /dev/null
+++ b/vendor/github.com/pelletier/go-toml/benchmark_test.go
@@ -0,0 +1,192 @@
+package toml
+
+import (
+	"bytes"
+	"encoding/json"
+	"io/ioutil"
+	"testing"
+	"time"
+
+	burntsushi "github.com/BurntSushi/toml"
+	yaml "gopkg.in/yaml.v2"
+)
+
+type benchmarkDoc struct {
+	Table struct {
+		Key      string
+		Subtable struct {
+			Key string
+		}
+		Inline struct {
+			Name struct {
+				First string
+				Last  string
+			}
+			Point struct {
+				X int64
+				U int64
+			}
+		}
+	}
+	String struct {
+		Basic struct {
+			Basic string
+		}
+		Multiline struct {
+			Key1      string
+			Key2      string
+			Key3      string
+			Continued struct {
+				Key1 string
+				Key2 string
+				Key3 string
+			}
+		}
+		Literal struct {
+			Winpath   string
+			Winpath2  string
+			Quoted    string
+			Regex     string
+			Multiline struct {
+				Regex2 string
+				Lines  string
+			}
+		}
+	}
+	Integer struct {
+		Key1        int64
+		Key2        int64
+		Key3        int64
+		Key4        int64
+		Underscores struct {
+			Key1 int64
+			Key2 int64
+			Key3 int64
+		}
+	}
+	Float struct {
+		Fractional struct {
+			Key1 float64
+			Key2 float64
+			Key3 float64
+		}
+		Exponent struct {
+			Key1 float64
+			Key2 float64
+			Key3 float64
+		}
+		Both struct {
+			Key float64
+		}
+		Underscores struct {
+			Key1 float64
+			Key2 float64
+		}
+	}
+	Boolean struct {
+		True  bool
+		False bool
+	}
+	Datetime struct {
+		Key1 time.Time
+		Key2 time.Time
+		Key3 time.Time
+	}
+	Array struct {
+		Key1 []int64
+		Key2 []string
+		Key3 [][]int64
+		// TODO: Key4 not supported by go-toml's Unmarshal
+		Key5 []int64
+		Key6 []int64
+	}
+	Products []struct {
+		Name  string
+		Sku   int64
+		Color string
+	}
+	Fruit []struct {
+		Name     string
+		Physical struct {
+			Color   string
+			Shape   string
+			Variety []struct {
+				Name string
+			}
+		}
+	}
+}
+
+func BenchmarkParseToml(b *testing.B) {
+	fileBytes, err := ioutil.ReadFile("benchmark.toml")
+	if err != nil {
+		b.Fatal(err)
+	}
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		_, err := LoadReader(bytes.NewReader(fileBytes))
+		if err != nil {
+			b.Fatal(err)
+		}
+	}
+}
+
+func BenchmarkUnmarshalToml(b *testing.B) {
+	bytes, err := ioutil.ReadFile("benchmark.toml")
+	if err != nil {
+		b.Fatal(err)
+	}
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		target := benchmarkDoc{}
+		err := Unmarshal(bytes, &target)
+		if err != nil {
+			b.Fatal(err)
+		}
+	}
+}
+
+func BenchmarkUnmarshalBurntSushiToml(b *testing.B) {
+	bytes, err := ioutil.ReadFile("benchmark.toml")
+	if err != nil {
+		b.Fatal(err)
+	}
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		target := benchmarkDoc{}
+		err := burntsushi.Unmarshal(bytes, &target)
+		if err != nil {
+			b.Fatal(err)
+		}
+	}
+}
+
+func BenchmarkUnmarshalJson(b *testing.B) {
+	bytes, err := ioutil.ReadFile("benchmark.json")
+	if err != nil {
+		b.Fatal(err)
+	}
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		target := benchmarkDoc{}
+		err := json.Unmarshal(bytes, &target)
+		if err != nil {
+			b.Fatal(err)
+		}
+	}
+}
+
+func BenchmarkUnmarshalYaml(b *testing.B) {
+	bytes, err := ioutil.ReadFile("benchmark.yml")
+	if err != nil {
+		b.Fatal(err)
+	}
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		target := benchmarkDoc{}
+		err := yaml.Unmarshal(bytes, &target)
+		if err != nil {
+			b.Fatal(err)
+		}
+	}
+}
diff --git a/vendor/github.com/pelletier/go-toml/lexer.go b/vendor/github.com/pelletier/go-toml/lexer.go
index db3ab4e54..1b6647d66 100644
--- a/vendor/github.com/pelletier/go-toml/lexer.go
+++ b/vendor/github.com/pelletier/go-toml/lexer.go
@@ -9,12 +9,9 @@ import (
 	"bytes"
 	"errors"
 	"fmt"
-	"io"
 	"regexp"
 	"strconv"
 	"strings"
-
-	"github.com/pelletier/go-buffruneio"
 )
 
 var dateRegexp *regexp.Regexp
@@ -24,29 +21,29 @@ type tomlLexStateFn func() tomlLexStateFn
 
 // Define lexer
 type tomlLexer struct {
-	input         *buffruneio.Reader // Textual source
-	buffer        bytes.Buffer       // Runes composing the current token
-	tokens        chan token
-	depth         int
-	line          int
-	col           int
-	endbufferLine int
-	endbufferCol  int
+	inputIdx          int
+	input             []rune // Textual source
+	currentTokenStart int
+	currentTokenStop  int
+	tokens            []token
+	depth             int
+	line              int
+	col               int
+	endbufferLine     int
+	endbufferCol      int
 }
 
 // Basic read operations on input
 
 func (l *tomlLexer) read() rune {
-	r, _, err := l.input.ReadRune()
-	if err != nil {
-		panic(err)
-	}
+	r := l.peek()
 	if r == '\n' {
 		l.endbufferLine++
 		l.endbufferCol = 1
 	} else {
 		l.endbufferCol++
 	}
+	l.inputIdx++
 	return r
 }
 
@@ -54,13 +51,13 @@ func (l *tomlLexer) next() rune {
 	r := l.read()
 
 	if r != eof {
-		l.buffer.WriteRune(r)
+		l.currentTokenStop++
 	}
 	return r
 }
 
 func (l *tomlLexer) ignore() {
-	l.buffer.Reset()
+	l.currentTokenStart = l.currentTokenStop
 	l.line = l.endbufferLine
 	l.col = l.endbufferCol
 }
@@ -77,49 +74,46 @@ func (l *tomlLexer) fastForward(n int) {
 }
 
 func (l *tomlLexer) emitWithValue(t tokenType, value string) {
-	l.tokens <- token{
+	l.tokens = append(l.tokens, token{
 		Position: Position{l.line, l.col},
 		typ:      t,
 		val:      value,
-	}
+	})
 	l.ignore()
 }
 
 func (l *tomlLexer) emit(t tokenType) {
-	l.emitWithValue(t, l.buffer.String())
+	l.emitWithValue(t, string(l.input[l.currentTokenStart:l.currentTokenStop]))
 }
 
 func (l *tomlLexer) peek() rune {
-	r, _, err := l.input.ReadRune()
-	if err != nil {
-		panic(err)
+	if l.inputIdx >= len(l.input) {
+		return eof
 	}
-	l.input.UnreadRune()
-	return r
+	return l.input[l.inputIdx]
 }
 
-func (l *tomlLexer) follow(next string) bool {
-	for _, expectedRune := range next {
-		r, _, err := l.input.ReadRune()
-		defer l.input.UnreadRune()
-		if err != nil {
-			panic(err)
-		}
-		if expectedRune != r {
-			return false
-		}
+func (l *tomlLexer) peekString(size int) string {
+	maxIdx := len(l.input)
+	upperIdx := l.inputIdx + size // FIXME: potential overflow
+	if upperIdx > maxIdx {
+		upperIdx = maxIdx
 	}
-	return true
+	return string(l.input[l.inputIdx:upperIdx])
+}
+
+func (l *tomlLexer) follow(next string) bool {
+	return next == l.peekString(len(next))
 }
 
 // Error management
 
 func (l *tomlLexer) errorf(format string, args ...interface{}) tomlLexStateFn {
-	l.tokens <- token{
+	l.tokens = append(l.tokens, token{
 		Position: Position{l.line, l.col},
 		typ:      tokenError,
 		val:      fmt.Sprintf(format, args...),
-	}
+	})
 	return nil
 }
 
@@ -220,7 +214,7 @@ func (l *tomlLexer) lexRvalue() tomlLexStateFn {
 			break
 		}
 
-		possibleDate := string(l.input.PeekRunes(35))
+		possibleDate := l.peekString(35)
 		dateMatch := dateRegexp.FindString(possibleDate)
 		if dateMatch != "" {
 			l.fastForward(len(dateMatch))
@@ -537,7 +531,7 @@ func (l *tomlLexer) lexInsideTableArrayKey() tomlLexStateFn {
 	for r := l.peek(); r != eof; r = l.peek() {
 		switch r {
 		case ']':
-			if l.buffer.Len() > 0 {
+			if l.currentTokenStop > l.currentTokenStart {
 				l.emit(tokenKeyGroupArray)
 			}
 			l.next()
@@ -560,7 +554,7 @@ func (l *tomlLexer) lexInsideTableKey() tomlLexStateFn {
 	for r := l.peek(); r != eof; r = l.peek() {
 		switch r {
 		case ']':
-			if l.buffer.Len() > 0 {
+			if l.currentTokenStop > l.currentTokenStart {
 				l.emit(tokenKeyGroup)
 			}
 			l.next()
@@ -635,7 +629,6 @@ func (l *tomlLexer) run() {
 	for state := l.lexVoid; state != nil; {
 		state = state()
 	}
-	close(l.tokens)
 }
 
 func init() {
@@ -643,16 +636,16 @@ func init() {
 }
 
 // Entry point
-func lexToml(input io.Reader) chan token {
-	bufferedInput := buffruneio.NewReader(input)
+func lexToml(inputBytes []byte) []token {
+	runes := bytes.Runes(inputBytes)
 	l := &tomlLexer{
-		input:         bufferedInput,
-		tokens:        make(chan token),
+		input:         runes,
+		tokens:        make([]token, 0, 256),
 		line:          1,
 		col:           1,
 		endbufferLine: 1,
 		endbufferCol:  1,
 	}
-	go l.run()
+	l.run()
 	return l.tokens
 }
diff --git a/vendor/github.com/pelletier/go-toml/lexer_test.go b/vendor/github.com/pelletier/go-toml/lexer_test.go
index dce7a630a..313b83c5d 100644
--- a/vendor/github.com/pelletier/go-toml/lexer_test.go
+++ b/vendor/github.com/pelletier/go-toml/lexer_test.go
@@ -1,38 +1,14 @@
 package toml
 
 import (
-	"os"
-	"strings"
+	"reflect"
 	"testing"
 )
 
 func testFlow(t *testing.T, input string, expectedFlow []token) {
-	ch := lexToml(strings.NewReader(input))
-	for _, expected := range expectedFlow {
-		token := <-ch
-		if token != expected {
-			t.Log("While testing: ", input)
-			t.Log("compared (got)", token, "to (expected)", expected)
-			t.Log("\tvalue:", token.val, "<->", expected.val)
-			t.Log("\tvalue as bytes:", []byte(token.val), "<->", []byte(expected.val))
-			t.Log("\ttype:", token.typ.String(), "<->", expected.typ.String())
-			t.Log("\tline:", token.Line, "<->", expected.Line)
-			t.Log("\tcolumn:", token.Col, "<->", expected.Col)
-			t.Log("compared", token, "to", expected)
-			t.FailNow()
-		}
-	}
-
-	tok, ok := <-ch
-	if ok {
-		t.Log("channel is not closed!")
-		t.Log(len(ch)+1, "tokens remaining:")
-
-		t.Log("token ->", tok)
-		for token := range ch {
-			t.Log("token ->", token)
-		}
-		t.FailNow()
+	tokens := lexToml([]byte(input))
+	if !reflect.DeepEqual(tokens, expectedFlow) {
+		t.Fatal("Different flows. Expected\n", expectedFlow, "\nGot:\n", tokens)
 	}
 }
 
@@ -767,13 +743,8 @@ pluralizeListTitles = false
 	url = "https://github.com/spf13/hugo/releases"
 	weight = -200
 `
-	rd := strings.NewReader(sample)
-
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
-		rd.Seek(0, os.SEEK_SET)
-		ch := lexToml(rd)
-		for _ = range ch {
-		}
+		lexToml([]byte(sample))
 	}
 }
diff --git a/vendor/github.com/pelletier/go-toml/marshal.go b/vendor/github.com/pelletier/go-toml/marshal.go
index 9bf6fb988..1a3176f97 100644
--- a/vendor/github.com/pelletier/go-toml/marshal.go
+++ b/vendor/github.com/pelletier/go-toml/marshal.go
@@ -268,15 +268,20 @@ func valueFromTree(mtype reflect.Type, tval *Tree) (reflect.Value, error) {
 			mtypef := mtype.Field(i)
 			opts := tomlOptions(mtypef)
 			if opts.include {
-				key := opts.name
-				exists := tval.Has(key)
-				if exists {
+				baseKey := opts.name
+				keysToTry := []string{baseKey, strings.ToLower(baseKey), strings.ToTitle(baseKey)}
+				for _, key := range keysToTry {
+					exists := tval.Has(key)
+					if !exists {
+						continue
+					}
 					val := tval.Get(key)
 					mvalf, err := valueFromToml(mtypef.Type, val)
 					if err != nil {
 						return mval, formatError(err, tval.GetPosition(key))
 					}
 					mval.Field(i).Set(mvalf)
+					break
 				}
 			}
 		}
diff --git a/vendor/github.com/pelletier/go-toml/parser.go b/vendor/github.com/pelletier/go-toml/parser.go
index 64eb0e587..8ee49cb56 100644
--- a/vendor/github.com/pelletier/go-toml/parser.go
+++ b/vendor/github.com/pelletier/go-toml/parser.go
@@ -13,9 +13,9 @@ import (
 )
 
 type tomlParser struct {
-	flow          chan token
+	flowIdx       int
+	flow          []token
 	tree          *Tree
-	tokensBuffer  []token
 	currentTable  []string
 	seenTableKeys []string
 }
@@ -34,16 +34,10 @@ func (p *tomlParser) run() {
 }
 
 func (p *tomlParser) peek() *token {
-	if len(p.tokensBuffer) != 0 {
-		return &(p.tokensBuffer[0])
-	}
-
-	tok, ok := <-p.flow
-	if !ok {
+	if p.flowIdx >= len(p.flow) {
 		return nil
 	}
-	p.tokensBuffer = append(p.tokensBuffer, tok)
-	return &tok
+	return &p.flow[p.flowIdx]
 }
 
 func (p *tomlParser) assume(typ tokenType) {
@@ -57,16 +51,12 @@ func (p *tomlParser) assume(typ tokenType) {
 }
 
 func (p *tomlParser) getToken() *token {
-	if len(p.tokensBuffer) != 0 {
-		tok := p.tokensBuffer[0]
-		p.tokensBuffer = p.tokensBuffer[1:]
-		return &tok
-	}
-	tok, ok := <-p.flow
-	if !ok {
+	tok := p.peek()
+	if tok == nil {
 		return nil
 	}
-	return &tok
+	p.flowIdx++
+	return tok
 }
 
 func (p *tomlParser) parseStart() tomlParserStateFn {
@@ -374,13 +364,13 @@ func (p *tomlParser) parseArray() interface{} {
 	return array
 }
 
-func parseToml(flow chan token) *Tree {
+func parseToml(flow []token) *Tree {
 	result := newTree()
 	result.position = Position{1, 1}
 	parser := &tomlParser{
+		flowIdx:       0,
 		flow:          flow,
 		tree:          result,
-		tokensBuffer:  make([]token, 0),
 		currentTable:  make([]string, 0),
 		seenTableKeys: make([]string, 0),
 	}
diff --git a/vendor/github.com/pelletier/go-toml/test.sh b/vendor/github.com/pelletier/go-toml/test.sh
index d2d2aed16..91a889670 100755
--- a/vendor/github.com/pelletier/go-toml/test.sh
+++ b/vendor/github.com/pelletier/go-toml/test.sh
@@ -27,6 +27,8 @@ go vet ./...
 
 go get github.com/pelletier/go-buffruneio
 go get github.com/davecgh/go-spew/spew
+go get gopkg.in/yaml.v2
+go get github.com/BurntSushi/toml
 
 # get code for BurntSushi TOML validation
 # pinning all to 'HEAD' for version 0.3.x work (TODO: pin to commit hash when tests stabilize)
diff --git a/vendor/github.com/pelletier/go-toml/toml.go b/vendor/github.com/pelletier/go-toml/toml.go
index 2d2f64049..64f19ed30 100644
--- a/vendor/github.com/pelletier/go-toml/toml.go
+++ b/vendor/github.com/pelletier/go-toml/toml.go
@@ -4,6 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"os"
 	"runtime"
 	"strings"
@@ -251,8 +252,8 @@ func (t *Tree) createSubTree(keys []string, pos Position) error {
 	return nil
 }
 
-// LoadReader creates a Tree from any io.Reader.
-func LoadReader(reader io.Reader) (tree *Tree, err error) {
+// LoadBytes creates a Tree from a []byte.
+func LoadBytes(b []byte) (tree *Tree, err error) {
 	defer func() {
 		if r := recover(); r != nil {
 			if _, ok := r.(runtime.Error); ok {
@@ -261,13 +262,23 @@ func LoadReader(reader io.Reader) (tree *Tree, err error) {
 			err = errors.New(r.(string))
 		}
 	}()
-	tree = parseToml(lexToml(reader))
+	tree = parseToml(lexToml(b))
+	return
+}
+
+// LoadReader creates a Tree from any io.Reader.
+func LoadReader(reader io.Reader) (tree *Tree, err error) {
+	inputBytes, err := ioutil.ReadAll(reader)
+	if err != nil {
+		return
+	}
+	tree, err = LoadBytes(inputBytes)
 	return
 }
 
 // Load creates a Tree from a string.
 func Load(content string) (tree *Tree, err error) {
-	return LoadReader(strings.NewReader(content))
+	return LoadBytes([]byte(content))
 }
 
 // LoadFile creates a Tree from a file.
diff --git a/vendor/github.com/pelletier/go-toml/tomltree_write.go b/vendor/github.com/pelletier/go-toml/tomltree_write.go
index cd03f9dba..ca763ed58 100644
--- a/vendor/github.com/pelletier/go-toml/tomltree_write.go
+++ b/vendor/github.com/pelletier/go-toml/tomltree_write.go
@@ -118,8 +118,7 @@ func (t *Tree) writeTo(w io.Writer, indent, keyspace string, bytesCount int64) (
 			return bytesCount, err
 		}
 
-		kvRepr := indent + k + " = " + repr + "\n"
-		writtenBytesCount, err := w.Write([]byte(kvRepr))
+		writtenBytesCount, err := writeStrings(w, indent, k, " = ", repr, "\n")
 		bytesCount += int64(writtenBytesCount)
 		if err != nil {
 			return bytesCount, err
@@ -137,8 +136,7 @@ func (t *Tree) writeTo(w io.Writer, indent, keyspace string, bytesCount int64) (
 		switch node := v.(type) {
 		// node has to be of those two types given how keys are sorted above
 		case *Tree:
-			tableName := "\n" + indent + "[" + combinedKey + "]\n"
-			writtenBytesCount, err := w.Write([]byte(tableName))
+			writtenBytesCount, err := writeStrings(w, "\n", indent, "[", combinedKey, "]\n")
 			bytesCount += int64(writtenBytesCount)
 			if err != nil {
 				return bytesCount, err
@@ -149,8 +147,7 @@ func (t *Tree) writeTo(w io.Writer, indent, keyspace string, bytesCount int64) (
 			}
 		case []*Tree:
 			for _, subTree := range node {
-				tableArrayName := "\n" + indent + "[[" + combinedKey + "]]\n"
-				writtenBytesCount, err := w.Write([]byte(tableArrayName))
+				writtenBytesCount, err := writeStrings(w, "\n", indent, "[[", combinedKey, "]]\n")
 				bytesCount += int64(writtenBytesCount)
 				if err != nil {
 					return bytesCount, err
@@ -167,6 +164,18 @@ func (t *Tree) writeTo(w io.Writer, indent, keyspace string, bytesCount int64) (
 	return bytesCount, nil
 }
 
+func writeStrings(w io.Writer, s ...string) (int, error) {
+	var n int
+	for i := range s {
+		b, err := io.WriteString(w, s[i])
+		n += b
+		if err != nil {
+			return n, err
+		}
+	}
+	return n, nil
+}
+
 // WriteTo encode the Tree as Toml and writes it to the writer w.
 // Returns the number of bytes written in case of success, or an error if anything happened.
 func (t *Tree) WriteTo(w io.Writer) (int64, error) {
diff --git a/vendor/github.com/pelletier/go-toml/tomltree_write_test.go b/vendor/github.com/pelletier/go-toml/tomltree_write_test.go
index 0edf1be46..c2a1ce3b7 100644
--- a/vendor/github.com/pelletier/go-toml/tomltree_write_test.go
+++ b/vendor/github.com/pelletier/go-toml/tomltree_write_test.go
@@ -16,26 +16,26 @@ type failingWriter struct {
 	buffer  bytes.Buffer
 }
 
-func (f failingWriter) Write(p []byte) (n int, err error) {
+func (f *failingWriter) Write(p []byte) (n int, err error) {
 	count := len(p)
-	toWrite := f.failAt - count + f.written
+	toWrite := f.failAt - (count + f.written)
 	if toWrite < 0 {
 		toWrite = 0
 	}
 	if toWrite > count {
 		f.written += count
-		f.buffer.WriteString(string(p))
+		f.buffer.Write(p)
 		return count, nil
 	}
 
-	f.buffer.WriteString(string(p[:toWrite]))
+	f.buffer.Write(p[:toWrite])
 	f.written = f.failAt
-	return f.written, fmt.Errorf("failingWriter failed after writting %d bytes", f.written)
+	return toWrite, fmt.Errorf("failingWriter failed after writting %d bytes", f.written)
 }
 
 func assertErrorString(t *testing.T, expected string, err error) {
 	expectedErr := errors.New(expected)
-	if err.Error() != expectedErr.Error() {
+	if err == nil || err.Error() != expectedErr.Error() {
 		t.Errorf("expecting error %s, but got %s instead", expected, err)
 	}
 }
@@ -175,7 +175,7 @@ func TestTreeWriteToInvalidTreeTomlValueArray(t *testing.T) {
 func TestTreeWriteToFailingWriterInSimpleValue(t *testing.T) {
 	toml, _ := Load(`a = 2`)
 	writer := failingWriter{failAt: 0, written: 0}
-	_, err := toml.WriteTo(writer)
+	_, err := toml.WriteTo(&writer)
 	assertErrorString(t, "failingWriter failed after writting 0 bytes", err)
 }
 
@@ -184,11 +184,11 @@ func TestTreeWriteToFailingWriterInTable(t *testing.T) {
 [b]
 a = 2`)
 	writer := failingWriter{failAt: 2, written: 0}
-	_, err := toml.WriteTo(writer)
+	_, err := toml.WriteTo(&writer)
 	assertErrorString(t, "failingWriter failed after writting 2 bytes", err)
 
 	writer = failingWriter{failAt: 13, written: 0}
-	_, err = toml.WriteTo(writer)
+	_, err = toml.WriteTo(&writer)
 	assertErrorString(t, "failingWriter failed after writting 13 bytes", err)
 }
 
@@ -197,11 +197,11 @@ func TestTreeWriteToFailingWriterInArray(t *testing.T) {
 [[b]]
 a = 2`)
 	writer := failingWriter{failAt: 2, written: 0}
-	_, err := toml.WriteTo(writer)
+	_, err := toml.WriteTo(&writer)
 	assertErrorString(t, "failingWriter failed after writting 2 bytes", err)
 
 	writer = failingWriter{failAt: 15, written: 0}
-	_, err = toml.WriteTo(writer)
+	_, err = toml.WriteTo(&writer)
 	assertErrorString(t, "failingWriter failed after writting 15 bytes", err)
 }
 
diff --git a/vendor/github.com/prometheus/common/config/config.go b/vendor/github.com/prometheus/common/config/config.go
index 33eb922ce..9195c34bf 100644
--- a/vendor/github.com/prometheus/common/config/config.go
+++ b/vendor/github.com/prometheus/common/config/config.go
@@ -28,3 +28,20 @@ func checkOverflow(m map[string]interface{}, ctx string) error {
 	}
 	return nil
 }
+
+// Secret special type for storing secrets.
+type Secret string
+
+// MarshalYAML implements the yaml.Marshaler interface for Secrets.
+func (s Secret) MarshalYAML() (interface{}, error) {
+	if s != "" {
+		return "<secret>", nil
+	}
+	return nil, nil
+}
+
+//UnmarshalYAML implements the yaml.Unmarshaler interface for Secrets.
+func (s *Secret) UnmarshalYAML(unmarshal func(interface{}) error) error {
+	type plain Secret
+	return unmarshal((*plain)(s))
+}
diff --git a/vendor/github.com/prometheus/common/config/http_config.go b/vendor/github.com/prometheus/common/config/http_config.go
new file mode 100644
index 000000000..ff5837fa5
--- /dev/null
+++ b/vendor/github.com/prometheus/common/config/http_config.go
@@ -0,0 +1,279 @@
+// Copyright 2016 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package config
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"strings"
+
+	yaml "gopkg.in/yaml.v2"
+)
+
+// BasicAuth contains basic HTTP authentication credentials.
+type BasicAuth struct {
+	Username string `yaml:"username"`
+	Password Secret `yaml:"password"`
+
+	// Catches all undefined fields and must be empty after parsing.
+	XXX map[string]interface{} `yaml:",inline"`
+}
+
+// URL is a custom URL type that allows validation at configuration load time.
+type URL struct {
+	*url.URL
+}
+
+// UnmarshalYAML implements the yaml.Unmarshaler interface for URLs.
+func (u *URL) UnmarshalYAML(unmarshal func(interface{}) error) error {
+	var s string
+	if err := unmarshal(&s); err != nil {
+		return err
+	}
+
+	urlp, err := url.Parse(s)
+	if err != nil {
+		return err
+	}
+	u.URL = urlp
+	return nil
+}
+
+// MarshalYAML implements the yaml.Marshaler interface for URLs.
+func (u URL) MarshalYAML() (interface{}, error) {
+	if u.URL != nil {
+		return u.String(), nil
+	}
+	return nil, nil
+}
+
+// HTTPClientConfig configures an HTTP client.
+type HTTPClientConfig struct {
+	// The HTTP basic authentication credentials for the targets.
+	BasicAuth *BasicAuth `yaml:"basic_auth,omitempty"`
+	// The bearer token for the targets.
+	BearerToken Secret `yaml:"bearer_token,omitempty"`
+	// The bearer token file for the targets.
+	BearerTokenFile string `yaml:"bearer_token_file,omitempty"`
+	// HTTP proxy server to use to connect to the targets.
+	ProxyURL URL `yaml:"proxy_url,omitempty"`
+	// TLSConfig to use to connect to the targets.
+	TLSConfig TLSConfig `yaml:"tls_config,omitempty"`
+
+	// Catches all undefined fields and must be empty after parsing.
+	XXX map[string]interface{} `yaml:",inline"`
+}
+
+func (c *HTTPClientConfig) validate() error {
+	if len(c.BearerToken) > 0 && len(c.BearerTokenFile) > 0 {
+		return fmt.Errorf("at most one of bearer_token & bearer_token_file must be configured")
+	}
+	if c.BasicAuth != nil && (len(c.BearerToken) > 0 || len(c.BearerTokenFile) > 0) {
+		return fmt.Errorf("at most one of basic_auth, bearer_token & bearer_token_file must be configured")
+	}
+	return nil
+}
+
+// UnmarshalYAML implements the yaml.Unmarshaler interface
+func (c *HTTPClientConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {
+	type plain HTTPClientConfig
+	err := unmarshal((*plain)(c))
+	if err != nil {
+		return err
+	}
+	err = c.validate()
+	if err != nil {
+		return c.validate()
+	}
+	return checkOverflow(c.XXX, "http_client_config")
+}
+
+// UnmarshalYAML implements the yaml.Unmarshaler interface.
+func (a *BasicAuth) UnmarshalYAML(unmarshal func(interface{}) error) error {
+	type plain BasicAuth
+	err := unmarshal((*plain)(a))
+	if err != nil {
+		return err
+	}
+	return checkOverflow(a.XXX, "basic_auth")
+}
+
+// NewHTTPClientFromConfig returns a new HTTP client configured for the
+// given config.HTTPClientConfig.
+func NewHTTPClientFromConfig(cfg *HTTPClientConfig) (*http.Client, error) {
+	tlsConfig, err := NewTLSConfig(&cfg.TLSConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	// It's the caller's job to handle timeouts
+	var rt http.RoundTripper = &http.Transport{
+		Proxy:             http.ProxyURL(cfg.ProxyURL.URL),
+		DisableKeepAlives: true,
+		TLSClientConfig:   tlsConfig,
+	}
+
+	// If a bearer token is provided, create a round tripper that will set the
+	// Authorization header correctly on each request.
+	bearerToken := cfg.BearerToken
+	if len(bearerToken) == 0 && len(cfg.BearerTokenFile) > 0 {
+		b, err := ioutil.ReadFile(cfg.BearerTokenFile)
+		if err != nil {
+			return nil, fmt.Errorf("unable to read bearer token file %s: %s", cfg.BearerTokenFile, err)
+		}
+		bearerToken = Secret(strings.TrimSpace(string(b)))
+	}
+
+	if len(bearerToken) > 0 {
+		rt = NewBearerAuthRoundTripper(bearerToken, rt)
+	}
+
+	if cfg.BasicAuth != nil {
+		rt = NewBasicAuthRoundTripper(cfg.BasicAuth.Username, Secret(cfg.BasicAuth.Password), rt)
+	}
+
+	// Return a new client with the configured round tripper.
+	return &http.Client{Transport: rt}, nil
+}
+
+type bearerAuthRoundTripper struct {
+	bearerToken Secret
+	rt          http.RoundTripper
+}
+
+type basicAuthRoundTripper struct {
+	username string
+	password Secret
+	rt       http.RoundTripper
+}
+
+// NewBasicAuthRoundTripper will apply a BASIC auth authorization header to a request unless it has
+// already been set.
+func NewBasicAuthRoundTripper(username string, password Secret, rt http.RoundTripper) http.RoundTripper {
+	return &basicAuthRoundTripper{username, password, rt}
+}
+
+func (rt *bearerAuthRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	if len(req.Header.Get("Authorization")) == 0 {
+		req = cloneRequest(req)
+		req.Header.Set("Authorization", "Bearer "+string(rt.bearerToken))
+	}
+
+	return rt.rt.RoundTrip(req)
+}
+
+// NewBearerAuthRoundTripper adds the provided bearer token to a request unless the authorization
+// header has already been set.
+func NewBearerAuthRoundTripper(bearer Secret, rt http.RoundTripper) http.RoundTripper {
+	return &bearerAuthRoundTripper{bearer, rt}
+}
+
+func (rt *basicAuthRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	if len(req.Header.Get("Authorization")) != 0 {
+		return rt.RoundTrip(req)
+	}
+	req = cloneRequest(req)
+	req.SetBasicAuth(rt.username, string(rt.password))
+	return rt.rt.RoundTrip(req)
+}
+
+// cloneRequest returns a clone of the provided *http.Request.
+// The clone is a shallow copy of the struct and its Header map.
+func cloneRequest(r *http.Request) *http.Request {
+	// Shallow copy of the struct.
+	r2 := new(http.Request)
+	*r2 = *r
+	// Deep copy of the Header.
+	r2.Header = make(http.Header)
+	for k, s := range r.Header {
+		r2.Header[k] = s
+	}
+	return r2
+}
+
+// NewTLSConfig creates a new tls.Config from the given config.TLSConfig.
+func NewTLSConfig(cfg *TLSConfig) (*tls.Config, error) {
+	tlsConfig := &tls.Config{InsecureSkipVerify: cfg.InsecureSkipVerify}
+
+	// If a CA cert is provided then let's read it in so we can validate the
+	// scrape target's certificate properly.
+	if len(cfg.CAFile) > 0 {
+		caCertPool := x509.NewCertPool()
+		// Load CA cert.
+		caCert, err := ioutil.ReadFile(cfg.CAFile)
+		if err != nil {
+			return nil, fmt.Errorf("unable to use specified CA cert %s: %s", cfg.CAFile, err)
+		}
+		caCertPool.AppendCertsFromPEM(caCert)
+		tlsConfig.RootCAs = caCertPool
+	}
+
+	if len(cfg.ServerName) > 0 {
+		tlsConfig.ServerName = cfg.ServerName
+	}
+
+	// If a client cert & key is provided then configure TLS config accordingly.
+	if len(cfg.CertFile) > 0 && len(cfg.KeyFile) == 0 {
+		return nil, fmt.Errorf("client cert file %q specified without client key file", cfg.CertFile)
+	} else if len(cfg.KeyFile) > 0 && len(cfg.CertFile) == 0 {
+		return nil, fmt.Errorf("client key file %q specified without client cert file", cfg.KeyFile)
+	} else if len(cfg.CertFile) > 0 && len(cfg.KeyFile) > 0 {
+		cert, err := tls.LoadX509KeyPair(cfg.CertFile, cfg.KeyFile)
+		if err != nil {
+			return nil, fmt.Errorf("unable to use specified client cert (%s) & key (%s): %s", cfg.CertFile, cfg.KeyFile, err)
+		}
+		tlsConfig.Certificates = []tls.Certificate{cert}
+	}
+	tlsConfig.BuildNameToCertificate()
+
+	return tlsConfig, nil
+}
+
+// TLSConfig configures the options for TLS connections.
+type TLSConfig struct {
+	// The CA cert to use for the targets.
+	CAFile string `yaml:"ca_file,omitempty"`
+	// The client cert file for the targets.
+	CertFile string `yaml:"cert_file,omitempty"`
+	// The client key file for the targets.
+	KeyFile string `yaml:"key_file,omitempty"`
+	// Used to verify the hostname for the targets.
+	ServerName string `yaml:"server_name,omitempty"`
+	// Disable target certificate validation.
+	InsecureSkipVerify bool `yaml:"insecure_skip_verify"`
+
+	// Catches all undefined fields and must be empty after parsing.
+	XXX map[string]interface{} `yaml:",inline"`
+}
+
+// UnmarshalYAML implements the yaml.Unmarshaler interface.
+func (c *TLSConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {
+	type plain TLSConfig
+	if err := unmarshal((*plain)(c)); err != nil {
+		return err
+	}
+	return checkOverflow(c.XXX, "TLS config")
+}
+
+func (c HTTPClientConfig) String() string {
+	b, err := yaml.Marshal(c)
+	if err != nil {
+		return fmt.Sprintf("<error creating http client config string: %s>", err)
+	}
+	return string(b)
+}
diff --git a/vendor/github.com/prometheus/common/config/http_config_test.go b/vendor/github.com/prometheus/common/config/http_config_test.go
new file mode 100644
index 000000000..1e2490bbb
--- /dev/null
+++ b/vendor/github.com/prometheus/common/config/http_config_test.go
@@ -0,0 +1,157 @@
+// Copyright 2015 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package config
+
+import (
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"strings"
+	"testing"
+
+	yaml "gopkg.in/yaml.v2"
+)
+
+var invalidHTTPClientConfigs = []struct {
+	httpClientConfigFile string
+	errMsg               string
+}{
+	{
+		httpClientConfigFile: "testdata/http.conf.bearer-token-and-file-set.bad.yml",
+		errMsg:               "at most one of bearer_token & bearer_token_file must be configured",
+	},
+	{
+		httpClientConfigFile: "testdata/http.conf.empty.bad.yml",
+		errMsg:               "at most one of basic_auth, bearer_token & bearer_token_file must be configured",
+	},
+}
+
+func TestAuthRoundTrippers(t *testing.T) {
+
+	cfg, _, err := LoadHTTPConfigFile("testdata/http.conf.good.yml")
+	if err != nil {
+		t.Errorf("Error loading HTTP client config: %v", err)
+	}
+
+	tlsConfig, err := NewTLSConfig(&cfg.TLSConfig)
+	if err != nil {
+		t.Errorf("Error creating new TLS config: %v", err)
+	}
+
+	rt := &http.Transport{
+		Proxy:             http.ProxyURL(cfg.ProxyURL.URL),
+		DisableKeepAlives: true,
+		TLSClientConfig:   tlsConfig,
+	}
+	req := new(http.Request)
+
+	bearerAuthRoundTripper := NewBearerAuthRoundTripper("mysecret", rt)
+	bearerAuthRoundTripper.RoundTrip(req)
+
+	basicAuthRoundTripper := NewBasicAuthRoundTripper("username", "password", rt)
+	basicAuthRoundTripper.RoundTrip(req)
+}
+
+func TestHideHTTPClientConfigSecrets(t *testing.T) {
+	c, _, err := LoadHTTPConfigFile("testdata/http.conf.good.yml")
+	if err != nil {
+		t.Errorf("Error parsing %s: %s", "testdata/http.conf.good.yml", err)
+	}
+
+	// String method must not reveal authentication credentials.
+	s := c.String()
+	if strings.Contains(s, "mysecret") {
+		t.Fatal("http client config's String method reveals authentication credentials.")
+	}
+}
+
+func mustParseURL(u string) *URL {
+	parsed, err := url.Parse(u)
+	if err != nil {
+		panic(err)
+	}
+	return &URL{URL: parsed}
+}
+
+func TestNewClientFromConfig(t *testing.T) {
+	cfg, _, err := LoadHTTPConfigFile("testdata/http.conf.good.yml")
+	if err != nil {
+		t.Errorf("Error loading HTTP client config: %v", err)
+	}
+	_, err = NewHTTPClientFromConfig(cfg)
+	if err != nil {
+		t.Errorf("Error creating new client from config: %v", err)
+	}
+}
+
+func TestNewClientFromInvalidConfig(t *testing.T) {
+	cfg, _, err := LoadHTTPConfigFile("testdata/http.conf.invalid-bearer-token-file.bad.yml")
+	if err != nil {
+		t.Errorf("Error loading HTTP client config: %v", err)
+	}
+	_, err = NewHTTPClientFromConfig(cfg)
+	if err == nil {
+		t.Error("Expected error creating new client from invalid config but got none")
+	}
+	if !strings.Contains(err.Error(), "unable to read bearer token file file: open file: no such file or directory") {
+		t.Errorf("Expected error with config but got: %s", err.Error())
+	}
+}
+
+func TestValidateHTTPConfig(t *testing.T) {
+	cfg, _, err := LoadHTTPConfigFile("testdata/http.conf.good.yml")
+	if err != nil {
+		t.Errorf("Error loading HTTP client config: %v", err)
+	}
+	err = cfg.validate()
+	if err != nil {
+		t.Fatalf("Error validating %s: %s", "testdata/http.conf.good.yml", err)
+	}
+}
+
+func TestInvalidHTTPConfigs(t *testing.T) {
+	for _, ee := range invalidHTTPClientConfigs {
+		_, _, err := LoadHTTPConfigFile(ee.httpClientConfigFile)
+		if err == nil {
+			t.Error("Expected error with config but got none")
+			continue
+		}
+		if !strings.Contains(err.Error(), ee.errMsg) {
+			t.Errorf("Expected error for invalid HTTP client configuration to contain %q but got: %s", ee.errMsg, err)
+		}
+	}
+}
+
+// LoadHTTPConfig parses the YAML input s into a HTTPClientConfig.
+func LoadHTTPConfig(s string) (*HTTPClientConfig, error) {
+	cfg := &HTTPClientConfig{}
+	err := yaml.Unmarshal([]byte(s), cfg)
+	if err != nil {
+		return nil, err
+	}
+	return cfg, nil
+}
+
+// LoadHTTPConfigFile parses the given YAML file into a HTTPClientConfig.
+func LoadHTTPConfigFile(filename string) (*HTTPClientConfig, []byte, error) {
+	content, err := ioutil.ReadFile(filename)
+	if err != nil {
+		return nil, nil, err
+	}
+	cfg, err := LoadHTTPConfig(string(content))
+	if err != nil {
+		return nil, nil, err
+	}
+	return cfg, content, nil
+}
diff --git a/vendor/github.com/prometheus/common/config/testdata/http.conf.bearer-token-and-file-set.bad.yml b/vendor/github.com/prometheus/common/config/testdata/http.conf.bearer-token-and-file-set.bad.yml
new file mode 100644
index 000000000..c613bacb0
--- /dev/null
+++ b/vendor/github.com/prometheus/common/config/testdata/http.conf.bearer-token-and-file-set.bad.yml
@@ -0,0 +1,5 @@
+basic_auth:
+  username: username
+  password: "mysecret"
+bearer_token: mysecret
+bearer_token_file: file
diff --git a/vendor/github.com/prometheus/common/config/testdata/http.conf.empty.bad.yml b/vendor/github.com/prometheus/common/config/testdata/http.conf.empty.bad.yml
new file mode 100644
index 000000000..ea2811f7c
--- /dev/null
+++ b/vendor/github.com/prometheus/common/config/testdata/http.conf.empty.bad.yml
@@ -0,0 +1,4 @@
+basic_auth:
+  username: username
+  password: mysecret
+bearer_token_file: file
diff --git a/vendor/github.com/prometheus/common/config/testdata/http.conf.good.yml b/vendor/github.com/prometheus/common/config/testdata/http.conf.good.yml
new file mode 100644
index 000000000..46ca63908
--- /dev/null
+++ b/vendor/github.com/prometheus/common/config/testdata/http.conf.good.yml
@@ -0,0 +1,4 @@
+basic_auth:
+  username: username
+  password: "mysecret"
+proxy_url: "http://remote.host"
diff --git a/vendor/github.com/prometheus/common/config/testdata/http.conf.invalid-bearer-token-file.bad.yml b/vendor/github.com/prometheus/common/config/testdata/http.conf.invalid-bearer-token-file.bad.yml
new file mode 100644
index 000000000..4b1349bf4
--- /dev/null
+++ b/vendor/github.com/prometheus/common/config/testdata/http.conf.invalid-bearer-token-file.bad.yml
@@ -0,0 +1 @@
+bearer_token_file: file
diff --git a/vendor/github.com/prometheus/common/config/tls_config.go b/vendor/github.com/prometheus/common/config/tls_config.go
deleted file mode 100644
index 7c7e7cb02..000000000
--- a/vendor/github.com/prometheus/common/config/tls_config.go
+++ /dev/null
@@ -1,79 +0,0 @@
-// Copyright 2016 The Prometheus Authors
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package config
-
-import (
-	"crypto/tls"
-	"crypto/x509"
-	"fmt"
-	"io/ioutil"
-)
-
-// TLSConfig configures the options for TLS connections.
-type TLSConfig struct {
-	// The CA cert to use for the targets.
-	CAFile string `yaml:"ca_file,omitempty"`
-	// The client cert file for the targets.
-	CertFile string `yaml:"cert_file,omitempty"`
-	// The client key file for the targets.
-	KeyFile string `yaml:"key_file,omitempty"`
-	// Disable target certificate validation.
-	InsecureSkipVerify bool `yaml:"insecure_skip_verify"`
-
-	// Catches all undefined fields and must be empty after parsing.
-	XXX map[string]interface{} `yaml:",inline"`
-}
-
-// UnmarshalYAML implements the yaml.Unmarshaler interface.
-func (c *TLSConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {
-	type plain TLSConfig
-	if err := unmarshal((*plain)(c)); err != nil {
-		return err
-	}
-	return checkOverflow(c.XXX, "TLS config")
-}
-
-// GenerateConfig produces a tls.Config based on TLS connection options.
-// It loads certificate files from disk if they are defined.
-func (c *TLSConfig) GenerateConfig() (*tls.Config, error) {
-	tlsConfig := &tls.Config{InsecureSkipVerify: c.InsecureSkipVerify}
-
-	// If a CA cert is provided then let's read it in so we can validate the
-	// scrape target's certificate properly.
-	if len(c.CAFile) > 0 {
-		caCertPool := x509.NewCertPool()
-		// Load CA cert.
-		caCert, err := ioutil.ReadFile(c.CAFile)
-		if err != nil {
-			return nil, fmt.Errorf("unable to use specified CA cert %s: %s", c.CAFile, err)
-		}
-		caCertPool.AppendCertsFromPEM(caCert)
-		tlsConfig.RootCAs = caCertPool
-	}
-
-	if len(c.CertFile) > 0 && len(c.KeyFile) == 0 {
-		return nil, fmt.Errorf("client cert file %q specified without client key file", c.CertFile)
-	} else if len(c.KeyFile) > 0 && len(c.CertFile) == 0 {
-		return nil, fmt.Errorf("client key file %q specified without client cert file", c.KeyFile)
-	} else if len(c.CertFile) > 0 && len(c.KeyFile) > 0 {
-		cert, err := tls.LoadX509KeyPair(c.CertFile, c.KeyFile)
-		if err != nil {
-			return nil, fmt.Errorf("unable to use specified client cert (%s) & key (%s): %s", c.CertFile, c.KeyFile, err)
-		}
-		tlsConfig.Certificates = []tls.Certificate{cert}
-	}
-	tlsConfig.BuildNameToCertificate()
-
-	return tlsConfig, nil
-}
diff --git a/vendor/github.com/prometheus/common/config/tls_config_test.go b/vendor/github.com/prometheus/common/config/tls_config_test.go
index 444303532..e2bd68edb 100644
--- a/vendor/github.com/prometheus/common/config/tls_config_test.go
+++ b/vendor/github.com/prometheus/common/config/tls_config_test.go
@@ -33,7 +33,7 @@ func LoadTLSConfig(filename string) (*tls.Config, error) {
 	if err = yaml.Unmarshal(content, cfg); err != nil {
 		return nil, err
 	}
-	return cfg.GenerateConfig()
+	return NewTLSConfig(cfg)
 }
 
 var expectedTLSConfigs = []struct {
@@ -57,7 +57,7 @@ func TestValidTLSConfig(t *testing.T) {
 			t.Errorf("Error parsing %s: %s", cfg.filename, err)
 		}
 		if !reflect.DeepEqual(*got, *cfg.config) {
-			t.Fatalf("%s: unexpected config result: \n\n%s\n expected\n\n%s", cfg.filename, got, cfg.config)
+			t.Fatalf("%v: unexpected config result: \n\n%v\n expected\n\n%v", cfg.filename, got, cfg.config)
 		}
 	}
 }
diff --git a/vendor/github.com/prometheus/common/expfmt/text_parse.go b/vendor/github.com/prometheus/common/expfmt/text_parse.go
index ef9a15077..54bcfde29 100644
--- a/vendor/github.com/prometheus/common/expfmt/text_parse.go
+++ b/vendor/github.com/prometheus/common/expfmt/text_parse.go
@@ -315,6 +315,10 @@ func (p *TextParser) startLabelValue() stateFn {
 	if p.readTokenAsLabelValue(); p.err != nil {
 		return nil
 	}
+	if !model.LabelValue(p.currentToken.String()).IsValid() {
+		p.parseError(fmt.Sprintf("invalid label value %q", p.currentToken.String()))
+		return nil
+	}
 	p.currentLabelPair.Value = proto.String(p.currentToken.String())
 	// Special treatment of summaries:
 	// - Quantile labels are special, will result in dto.Quantile later.
diff --git a/vendor/github.com/prometheus/common/expfmt/text_parse_test.go b/vendor/github.com/prometheus/common/expfmt/text_parse_test.go
index 7e7388ce9..76c951185 100644
--- a/vendor/github.com/prometheus/common/expfmt/text_parse_test.go
+++ b/vendor/github.com/prometheus/common/expfmt/text_parse_test.go
@@ -559,6 +559,11 @@ metric_bucket{le="bla"} 3.14
 `,
 			err: "text format parsing error in line 3: expected float as value for 'le' label",
 		},
+		// 19: Invalid UTF-8 in label value.
+		{
+			in:  "metric{l=\"\xbd\"} 3.14\n",
+			err: "text format parsing error in line 1: invalid label value \"\\xbd\"",
+		},
 	}
 
 	for i, scenario := range scenarios {
diff --git a/vendor/github.com/prometheus/procfs/Makefile b/vendor/github.com/prometheus/procfs/Makefile
index bfa2124eb..dd48afdcd 100644
--- a/vendor/github.com/prometheus/procfs/Makefile
+++ b/vendor/github.com/prometheus/procfs/Makefile
@@ -11,8 +11,8 @@ lint:
 test: sysfs/fixtures/.unpacked
 	go test -v ./...
 
-sysfs/fixtures/.unpacked: sysfs/fixtures.tar.gz
-	cd sysfs && tar xzf fixtures.tar.gz
+sysfs/fixtures/.unpacked: sysfs/fixtures.ttar
+	./ttar -C sysfs -x -f sysfs/fixtures.ttar
 	touch $@
 
 .PHONY: fmt lint test ci
diff --git a/vendor/github.com/prometheus/procfs/sysfs/fixtures.tar.gz b/vendor/github.com/prometheus/procfs/sysfs/fixtures.tar.gz
deleted file mode 100644
index 88035b7ce..000000000
--- a/vendor/github.com/prometheus/procfs/sysfs/fixtures.tar.gz
+++ /dev/null
diff --git a/vendor/github.com/prometheus/procfs/sysfs/fixtures.ttar b/vendor/github.com/prometheus/procfs/sysfs/fixtures.ttar
new file mode 100644
index 000000000..0045e7d56
--- /dev/null
+++ b/vendor/github.com/prometheus/procfs/sysfs/fixtures.ttar
@@ -0,0 +1,721 @@
+Directory: fixtures
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/devices
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/devices/pci0000:00
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/devices/pci0000:00/0000:00:0d.0
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/devices/pci0000:00/0000:00:0d.0/ata4
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/dirty_data
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_day
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_day/bypassed
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_day/cache_bypass_hits
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_day/cache_bypass_misses
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_day/cache_hit_ratio
+Lines: 1
+100
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_day/cache_hits
+Lines: 1
+289
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_day/cache_miss_collisions
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_day/cache_misses
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_day/cache_readaheads
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_five_minute
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_five_minute/bypassed
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_five_minute/cache_bypass_hits
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_five_minute/cache_bypass_misses
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_five_minute/cache_hit_ratio
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_five_minute/cache_hits
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_five_minute/cache_miss_collisions
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_five_minute/cache_misses
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_five_minute/cache_readaheads
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_hour
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_hour/bypassed
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_hour/cache_bypass_hits
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_hour/cache_bypass_misses
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_hour/cache_hit_ratio
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_hour/cache_hits
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_hour/cache_miss_collisions
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_hour/cache_misses
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_hour/cache_readaheads
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_total
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_total/bypassed
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_total/cache_bypass_hits
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_total/cache_bypass_misses
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_total/cache_hit_ratio
+Lines: 1
+100
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_total/cache_hits
+Lines: 1
+546
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_total/cache_miss_collisions
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_total/cache_misses
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata4/host3/target3:0:0/3:0:0:0/block/sdb/bcache/stats_total/cache_readaheads
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/devices/pci0000:00/0000:00:0d.0/ata5
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/devices/pci0000:00/0000:00:0d.0/ata5/host4
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/devices/pci0000:00/0000:00:0d.0/ata5/host4/target4:0:0
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/devices/pci0000:00/0000:00:0d.0/ata5/host4/target4:0:0/4:0:0:0
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/devices/pci0000:00/0000:00:0d.0/ata5/host4/target4:0:0/4:0:0:0/block
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/devices/pci0000:00/0000:00:0d.0/ata5/host4/target4:0:0/4:0:0:0/block/sdc
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/devices/pci0000:00/0000:00:0d.0/ata5/host4/target4:0:0/4:0:0:0/block/sdc/bcache
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata5/host4/target4:0:0/4:0:0:0/block/sdc/bcache/io_errors
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata5/host4/target4:0:0/4:0:0:0/block/sdc/bcache/metadata_written
+Lines: 1
+512
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata5/host4/target4:0:0/4:0:0:0/block/sdc/bcache/priority_stats
+Lines: 5
+Unused:		99%
+Metadata:	0%
+Average:	10473
+Sectors per Q:	64
+Quantiles:	[0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 20946 20946 20946 20946 20946 20946 20946 20946 20946 20946 20946 20946 20946 20946 20946 20946]
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/devices/pci0000:00/0000:00:0d.0/ata5/host4/target4:0:0/4:0:0:0/block/sdc/bcache/written
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/fs
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/fs/bcache
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/average_key_size
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0
+Mode: 777
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/dirty_data
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_day
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_day/bypassed
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_day/cache_bypass_hits
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_day/cache_bypass_misses
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_day/cache_hit_ratio
+Lines: 1
+100
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_day/cache_hits
+Lines: 1
+289
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_day/cache_miss_collisions
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_day/cache_misses
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_day/cache_readaheads
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_five_minute
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_five_minute/bypassed
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_five_minute/cache_bypass_hits
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_five_minute/cache_bypass_misses
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_five_minute/cache_hit_ratio
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_five_minute/cache_hits
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_five_minute/cache_miss_collisions
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_five_minute/cache_misses
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_five_minute/cache_readaheads
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_hour
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_hour/bypassed
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_hour/cache_bypass_hits
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_hour/cache_bypass_misses
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_hour/cache_hit_ratio
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_hour/cache_hits
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_hour/cache_miss_collisions
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_hour/cache_misses
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_hour/cache_readaheads
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_total
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_total/bypassed
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_total/cache_bypass_hits
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_total/cache_bypass_misses
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_total/cache_hit_ratio
+Lines: 1
+100
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_total/cache_hits
+Lines: 1
+546
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_total/cache_miss_collisions
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_total/cache_misses
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/bdev0/stats_total/cache_readaheads
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/btree_cache_size
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/cache0
+Mode: 777
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/cache0/io_errors
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/cache0/metadata_written
+Lines: 1
+512
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/cache0/priority_stats
+Lines: 5
+Unused:		99%
+Metadata:	0%
+Average:	10473
+Sectors per Q:	64
+Quantiles:	[0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 20946 20946 20946 20946 20946 20946 20946 20946 20946 20946 20946 20946 20946 20946 20946 20946]
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/cache0/written
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/cache_available_percent
+Lines: 1
+100
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/congested
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/internal
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/internal/active_journal_entries
+Lines: 1
+1
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/internal/btree_nodes
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/internal/btree_read_average_duration_us
+Lines: 1
+1305
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/internal/cache_read_races
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/root_usage_percent
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_day
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_day/bypassed
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_day/cache_bypass_hits
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_day/cache_bypass_misses
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_day/cache_hit_ratio
+Lines: 1
+100
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_day/cache_hits
+Lines: 1
+289
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_day/cache_miss_collisions
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_day/cache_misses
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_day/cache_readaheads
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_five_minute
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_five_minute/bypassed
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_five_minute/cache_bypass_hits
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_five_minute/cache_bypass_misses
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_five_minute/cache_hit_ratio
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_five_minute/cache_hits
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_five_minute/cache_miss_collisions
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_five_minute/cache_misses
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_five_minute/cache_readaheads
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_hour
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_hour/bypassed
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_hour/cache_bypass_hits
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_hour/cache_bypass_misses
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_hour/cache_hit_ratio
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_hour/cache_hits
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_hour/cache_miss_collisions
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_hour/cache_misses
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_hour/cache_readaheads
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_total
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_total/bypassed
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_total/cache_bypass_hits
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_total/cache_bypass_misses
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_total/cache_hit_ratio
+Lines: 1
+100
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_total/cache_hits
+Lines: 1
+546
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_total/cache_miss_collisions
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_total/cache_misses
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/stats_total/cache_readaheads
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/bcache/deaddd54-c735-46d5-868e-f331c5fd7c74/tree_depth
+Lines: 1
+0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/fs/xfs
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/fs/xfs/sda1
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/fs/xfs/sda1/stats
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/xfs/sda1/stats/stats
+Lines: 1
+extent_alloc 1 0 0 0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/fs/xfs/sdb1
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Directory: fixtures/fs/xfs/sdb1/stats
+Mode: 755
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Path: fixtures/fs/xfs/sdb1/stats/stats
+Lines: 1
+extent_alloc 2 0 0 0
+Mode: 644
+# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
diff --git a/vendor/github.com/prometheus/procfs/ttar b/vendor/github.com/prometheus/procfs/ttar
new file mode 100755
index 000000000..8227a4a37
--- /dev/null
+++ b/vendor/github.com/prometheus/procfs/ttar
@@ -0,0 +1,264 @@
+#!/usr/bin/env bash
+# Purpose: plain text tar format
+# Limitations: - only suitable for text files, directories, and symlinks
+#              - stores only filename, content, and mode
+#              - not designed for untrusted input
+
+# Note: must work with bash version 3.2 (macOS)
+
+set -o errexit -o nounset
+
+# Sanitize environment (for instance, standard sorting of glob matches)
+export LC_ALL=C
+
+path=""
+CMD=""
+
+function usage {
+    bname=$(basename "$0")
+    cat << USAGE
+Usage:   $bname [-C <DIR>] -c -f <ARCHIVE> <FILE...> (create archive)
+         $bname            -t -f <ARCHIVE>           (list archive contents)
+         $bname [-C <DIR>] -x -f <ARCHIVE>           (extract archive)
+
+Options:
+         -C <DIR>                                    (change directory)
+
+Example: Change to sysfs directory, create ttar file from fixtures directory
+         $bname -C sysfs -c -f sysfs/fixtures.ttar fixtures/
+USAGE
+exit "$1"
+}
+
+function vecho {
+    if [ "${VERBOSE:-}" == "yes" ]; then
+        echo >&7 "$@"
+    fi
+}
+
+function set_cmd {
+    if [ -n "$CMD" ]; then
+        echo "ERROR: more than one command given"
+        echo
+        usage 2
+    fi
+    CMD=$1
+}
+
+while getopts :cf:htxvC: opt; do
+    case $opt in
+        c)
+            set_cmd "create"
+            ;;
+        f)
+            ARCHIVE=$OPTARG
+            ;;
+        h)
+            usage 0
+            ;;
+        t)
+            set_cmd "list"
+            ;;
+        x)
+            set_cmd "extract"
+            ;;
+        v)
+            VERBOSE=yes
+            exec 7>&1
+            ;;
+        C)
+            CDIR=$OPTARG
+            ;;
+        *)
+            echo >&2 "ERROR: invalid option -$OPTARG"
+            echo
+            usage 1
+            ;;
+    esac
+done
+
+# Remove processed options from arguments
+shift $(( OPTIND - 1 ));
+
+if [ "${CMD:-}" == "" ]; then
+    echo >&2 "ERROR: no command given"
+    echo
+    usage 1
+elif [ "${ARCHIVE:-}" == "" ]; then
+    echo >&2 "ERROR: no archive name given"
+    echo
+    usage 1
+fi
+
+function list {
+    local path=""
+    local size=0
+    local line_no=0
+    local ttar_file=$1
+    if [ -n "${2:-}" ]; then
+        echo >&2 "ERROR: too many arguments."
+        echo
+        usage 1
+    fi
+    if [ ! -e "$ttar_file" ]; then
+        echo >&2 "ERROR: file not found ($ttar_file)"
+        echo
+        usage 1
+    fi
+    while read -r line; do
+        line_no=$(( line_no + 1 ))
+        if [ $size -gt 0 ]; then
+            size=$(( size - 1 ))
+            continue
+        fi
+        if [[ $line =~ ^Path:\ (.*)$ ]]; then
+            path=${BASH_REMATCH[1]}
+        elif [[ $line =~ ^Lines:\ (.*)$ ]]; then
+            size=${BASH_REMATCH[1]}
+            echo "$path"
+        elif [[ $line =~ ^Directory:\ (.*)$ ]]; then
+            path=${BASH_REMATCH[1]}
+            echo "$path/"
+        elif [[ $line =~ ^SymlinkTo:\ (.*)$ ]]; then
+            echo  "$path -> ${BASH_REMATCH[1]}"
+        fi
+    done < "$ttar_file"
+}
+
+function extract {
+    local path=""
+    local size=0
+    local line_no=0
+    local ttar_file=$1
+    if [ -n "${2:-}" ]; then
+        echo >&2 "ERROR: too many arguments."
+        echo
+        usage 1
+    fi
+    if [ ! -e "$ttar_file" ]; then
+        echo >&2 "ERROR: file not found ($ttar_file)"
+        echo
+        usage 1
+    fi
+    while IFS= read -r line; do
+        line_no=$(( line_no + 1 ))
+        if [ "$size" -gt 0 ]; then
+            echo "$line" >> "$path"
+            size=$(( size - 1 ))
+            continue
+        fi
+        if [[ $line =~ ^Path:\ (.*)$ ]]; then
+            path=${BASH_REMATCH[1]}
+            if [ -e "$path" ] || [ -L "$path" ]; then
+                rm "$path"
+            fi
+        elif [[ $line =~ ^Lines:\ (.*)$ ]]; then
+            size=${BASH_REMATCH[1]}
+            # Create file even if it is zero-length.
+            touch "$path"
+            vecho "    $path"
+        elif [[ $line =~ ^Mode:\ (.*)$ ]]; then
+            mode=${BASH_REMATCH[1]}
+            chmod "$mode" "$path"
+            vecho "$mode"
+        elif [[ $line =~ ^Directory:\ (.*)$ ]]; then
+            path=${BASH_REMATCH[1]}
+            mkdir -p "$path"
+            vecho "    $path/"
+        elif [[ $line =~ ^SymlinkTo:\ (.*)$ ]]; then
+            ln -s "${BASH_REMATCH[1]}" "$path"
+            vecho "    $path -> ${BASH_REMATCH[1]}"
+        elif [[ $line =~ ^# ]]; then
+            # Ignore comments between files
+            continue
+        else
+            echo >&2 "ERROR: Unknown keyword on line $line_no: $line"
+            exit 1
+        fi
+    done < "$ttar_file"
+}
+
+function div {
+    echo "# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -" \
+         "- - - - - -"
+}
+
+function get_mode {
+    local mfile=$1
+    if [ -z "${STAT_OPTION:-}" ]; then
+        if stat -c '%a' "$mfile" >/dev/null 2>&1; then
+            STAT_OPTION='-c'
+            STAT_FORMAT='%a'
+        else
+            STAT_OPTION='-f'
+            STAT_FORMAT='%A'
+        fi
+    fi
+    stat "${STAT_OPTION}" "${STAT_FORMAT}" "$mfile"
+}
+
+function _create {
+    shopt -s nullglob
+    local mode
+    while (( "$#" )); do
+        file=$1
+        if [ -L "$file" ]; then
+            echo "Path: $file"
+            symlinkTo=$(readlink "$file")
+            echo "SymlinkTo: $symlinkTo"
+            vecho "    $file -> $symlinkTo"
+            div
+        elif [ -d "$file" ]; then
+            # Strip trailing slash (if there is one)
+            file=${file%/}
+            echo "Directory: $file"
+            mode=$(get_mode "$file")
+            echo "Mode: $mode"
+            vecho "$mode $file/"
+            div
+            # Find all files and dirs, including hidden/dot files
+            for x in "$file/"{*,.[^.]*}; do
+                _create "$x"
+            done
+        elif [ -f "$file" ]; then
+            echo "Path: $file"
+            lines=$(wc -l "$file"|awk '{print $1}')
+            echo "Lines: $lines"
+            cat "$file"
+            mode=$(get_mode "$file")
+            echo "Mode: $mode"
+            vecho "$mode $file"
+            div
+        else
+            echo >&2 "ERROR: file not found ($file in $(pwd))"
+            exit 2
+        fi
+        shift
+    done
+}
+
+function create {
+    ttar_file=$1
+    shift
+    if [ -z "${1:-}" ]; then
+        echo >&2 "ERROR: missing arguments."
+        echo
+        usage 1
+    fi
+    if [ -e "$ttar_file" ]; then
+        rm "$ttar_file"
+    fi
+    exec > "$ttar_file"
+    _create "$@"
+}
+
+if [ -n "${CDIR:-}" ]; then
+    if [[ "$ARCHIVE" != /* ]]; then
+        # Relative path: preserve the archive's location before changing
+        # directory
+        ARCHIVE="$(pwd)/$ARCHIVE"
+    fi
+    cd "$CDIR"
+fi
+
+"$CMD" "$ARCHIVE" "$@"
diff --git a/vendor/github.com/rsc/letsencrypt/lets.go b/vendor/github.com/rsc/letsencrypt/lets.go
index f112af31c..485abfa1c 100644
--- a/vendor/github.com/rsc/letsencrypt/lets.go
+++ b/vendor/github.com/rsc/letsencrypt/lets.go
@@ -671,7 +671,7 @@ func (m *Manager) verify(host string) (cert *tls.Certificate, refreshTime time.T
 	}
 	c.SetChallengeProvider(acme.TLSSNI01, tlsProvider{m})
 	c.ExcludeChallenges([]acme.Challenge{acme.HTTP01})
-	acmeCert, errmap := c.ObtainCertificate([]string{host}, true, nil)
+	acmeCert, errmap := c.ObtainCertificate([]string{host}, true, nil, false)
 	if len(errmap) > 0 {
 		if debug {
 			log.Printf("ObtainCertificate %v => %v", host, errmap)
@@ -728,7 +728,7 @@ type tlsProvider struct {
 }
 
 func (p tlsProvider) Present(domain, token, keyAuth string) error {
-	cert, dom, err := acme.TLSSNI01ChallengeCertDomain(keyAuth)
+	cert, dom, err := acme.TLSSNI01ChallengeCert(keyAuth)
 	if err != nil {
 		return err
 	}
@@ -741,7 +741,7 @@ func (p tlsProvider) Present(domain, token, keyAuth string) error {
 }
 
 func (p tlsProvider) CleanUp(domain, token, keyAuth string) error {
-	_, dom, err := acme.TLSSNI01ChallengeCertDomain(keyAuth)
+	_, dom, err := acme.TLSSNI01ChallengeCert(keyAuth)
 	if err != nil {
 		return err
 	}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/.gitignore b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/.gitignore
new file mode 100644
index 000000000..776cd950c
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/.gitignore
@@ -0,0 +1,4 @@
+*.6
+tags
+test.out
+a.out
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/.travis.yml b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/.travis.yml
new file mode 100644
index 000000000..bb8b8d40b
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/.travis.yml
@@ -0,0 +1,14 @@
+language: go
+sudo: false
+go:
+  - 1.7.x
+  - 1.8.x
+  - tip
+
+before_install:
+  # don't use the miekg/dns when testing forks
+  - mkdir -p $GOPATH/src/github.com/miekg
+  - ln -s $TRAVIS_BUILD_DIR $GOPATH/src/github.com/miekg/ || true
+
+script:
+  - go test -race -v -bench=.
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/AUTHORS b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/AUTHORS
new file mode 100644
index 000000000..196568352
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/AUTHORS
@@ -0,0 +1 @@
+Miek Gieben <miek@miek.nl>
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/CONTRIBUTORS b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/CONTRIBUTORS
new file mode 100644
index 000000000..f77e8a895
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/CONTRIBUTORS
@@ -0,0 +1,9 @@
+Alex A. Skinner
+Andrew Tunnell-Jones
+Ask Bjørn Hansen
+Dave Cheney
+Dusty Wilson
+Marek Majkowski
+Peter van Dijk
+Omri Bahumi
+Alex Sergeyev
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/COPYRIGHT b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/COPYRIGHT
new file mode 100644
index 000000000..35702b10e
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/COPYRIGHT
@@ -0,0 +1,9 @@
+Copyright 2009 The Go Authors. All rights reserved. Use of this source code
+is governed by a BSD-style license that can be found in the LICENSE file.
+Extensions of the original work are copyright (c) 2011 Miek Gieben
+
+Copyright 2011 Miek Gieben. All rights reserved. Use of this source code is
+governed by a BSD-style license that can be found in the LICENSE file.
+
+Copyright 2014 CloudFlare. All rights reserved. Use of this source code is
+governed by a BSD-style license that can be found in the LICENSE file.
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/LICENSE b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/LICENSE
new file mode 100644
index 000000000..5763fa7fe
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/LICENSE
@@ -0,0 +1,32 @@
+Extensions of the original work are copyright (c) 2011 Miek Gieben
+
+As this is fork of the official Go code the same license applies:
+
+Copyright (c) 2009 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/README.md b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/README.md
new file mode 100644
index 000000000..32a49cbf5
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/README.md
@@ -0,0 +1,162 @@
+[![Build Status](https://travis-ci.org/miekg/dns.svg?branch=master)](https://travis-ci.org/miekg/dns)
+[![](https://godoc.org/github.com/miekg/dns?status.svg)](https://godoc.org/github.com/miekg/dns)
+
+# Alternative (more granular) approach to a DNS library
+
+> Less is more.
+
+Complete and usable DNS library. All widely used Resource Records are
+supported, including the DNSSEC types. It follows a lean and mean philosophy.
+If there is stuff you should know as a DNS programmer there isn't a convenience
+function for it. Server side and client side programming is supported, i.e. you
+can build servers and resolvers with it.
+
+We try to keep the "master" branch as sane as possible and at the bleeding edge
+of standards, avoiding breaking changes wherever reasonable. We support the last
+two versions of Go, currently: 1.7 and 1.8.
+
+# Goals
+
+* KISS;
+* Fast;
+* Small API. If it's easy to code in Go, don't make a function for it.
+
+# Users
+
+A not-so-up-to-date-list-that-may-be-actually-current:
+
+* https://github.com/coredns/coredns
+* https://cloudflare.com
+* https://github.com/abh/geodns
+* http://www.statdns.com/
+* http://www.dnsinspect.com/
+* https://github.com/chuangbo/jianbing-dictionary-dns
+* http://www.dns-lg.com/
+* https://github.com/fcambus/rrda
+* https://github.com/kenshinx/godns
+* https://github.com/skynetservices/skydns
+* https://github.com/hashicorp/consul
+* https://github.com/DevelopersPL/godnsagent
+* https://github.com/duedil-ltd/discodns
+* https://github.com/StalkR/dns-reverse-proxy
+* https://github.com/tianon/rawdns
+* https://mesosphere.github.io/mesos-dns/
+* https://pulse.turbobytes.com/
+* https://play.google.com/store/apps/details?id=com.turbobytes.dig
+* https://github.com/fcambus/statzone
+* https://github.com/benschw/dns-clb-go
+* https://github.com/corny/dnscheck for http://public-dns.info/
+* https://namesmith.io
+* https://github.com/miekg/unbound
+* https://github.com/miekg/exdns
+* https://dnslookup.org
+* https://github.com/looterz/grimd
+* https://github.com/phamhongviet/serf-dns
+* https://github.com/mehrdadrad/mylg
+* https://github.com/bamarni/dockness
+* https://github.com/fffaraz/microdns
+* http://quilt.io
+* https://github.com/ipdcode/hades (JD.COM)
+* https://github.com/StackExchange/dnscontrol/
+* https://www.dnsperf.com/
+* https://dnssectest.net/
+
+Send pull request if you want to be listed here.
+
+# Features
+
+* UDP/TCP queries, IPv4 and IPv6;
+* RFC 1035 zone file parsing ($INCLUDE, $ORIGIN, $TTL and $GENERATE (for all record types) are supported;
+* Fast:
+    * Reply speed around ~ 80K qps (faster hardware results in more qps);
+    * Parsing RRs ~ 100K RR/s, that's 5M records in about 50 seconds;
+* Server side programming (mimicking the net/http package);
+* Client side programming;
+* DNSSEC: signing, validating and key generation for DSA, RSA and ECDSA;
+* EDNS0, NSID, Cookies;
+* AXFR/IXFR;
+* TSIG, SIG(0);
+* DNS over TLS: optional encrypted connection between client and server;
+* DNS name compression;
+* Depends only on the standard library.
+
+Have fun!
+
+Miek Gieben  -  2010-2012  -  <miek@miek.nl>
+
+# Building
+
+Building is done with the `go` tool. If you have setup your GOPATH
+correctly, the following should work:
+
+    go get github.com/miekg/dns
+    go build github.com/miekg/dns
+
+## Examples
+
+A short "how to use the API" is at the beginning of doc.go (this also will show
+when you call `godoc github.com/miekg/dns`).
+
+Example programs can be found in the `github.com/miekg/exdns` repository.
+
+## Supported RFCs
+
+*all of them*
+
+* 103{4,5} - DNS standard
+* 1348 - NSAP record (removed the record)
+* 1982 - Serial Arithmetic
+* 1876 - LOC record
+* 1995 - IXFR
+* 1996 - DNS notify
+* 2136 - DNS Update (dynamic updates)
+* 2181 - RRset definition - there is no RRset type though, just []RR
+* 2537 - RSAMD5 DNS keys
+* 2065 - DNSSEC (updated in later RFCs)
+* 2671 - EDNS record
+* 2782 - SRV record
+* 2845 - TSIG record
+* 2915 - NAPTR record
+* 2929 - DNS IANA Considerations
+* 3110 - RSASHA1 DNS keys
+* 3225 - DO bit (DNSSEC OK)
+* 340{1,2,3} - NAPTR record
+* 3445 - Limiting the scope of (DNS)KEY
+* 3597 - Unknown RRs
+* 403{3,4,5} - DNSSEC + validation functions
+* 4255 - SSHFP record
+* 4343 - Case insensitivity
+* 4408 - SPF record
+* 4509 - SHA256 Hash in DS
+* 4592 - Wildcards in the DNS
+* 4635 - HMAC SHA TSIG
+* 4701 - DHCID
+* 4892 - id.server
+* 5001 - NSID
+* 5155 - NSEC3 record
+* 5205 - HIP record
+* 5702 - SHA2 in the DNS
+* 5936 - AXFR
+* 5966 - TCP implementation recommendations
+* 6605 - ECDSA
+* 6725 - IANA Registry Update
+* 6742 - ILNP DNS
+* 6840 - Clarifications and Implementation Notes for DNS Security
+* 6844 - CAA record
+* 6891 - EDNS0 update
+* 6895 - DNS IANA considerations
+* 6975 - Algorithm Understanding in DNSSEC
+* 7043 - EUI48/EUI64 records
+* 7314 - DNS (EDNS) EXPIRE Option
+* 7828 - edns-tcp-keepalive EDNS0 Option
+* 7553 - URI record
+* 7858 - DNS over TLS: Initiation and Performance Considerations (draft)
+* 7873 - Domain Name System (DNS) Cookies (draft-ietf-dnsop-cookies)
+* xxxx - EDNS0 DNS Update Lease (draft)
+
+## Loosely based upon
+
+* `ldns`
+* `NSD`
+* `Net::DNS`
+* `GRONG`
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/client.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/client.go
new file mode 100644
index 000000000..301dab9c1
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/client.go
@@ -0,0 +1,467 @@
+package dns
+
+// A client implementation.
+
+import (
+	"bytes"
+	"crypto/tls"
+	"encoding/binary"
+	"io"
+	"net"
+	"time"
+)
+
+const dnsTimeout time.Duration = 2 * time.Second
+const tcpIdleTimeout time.Duration = 8 * time.Second
+
+// A Conn represents a connection to a DNS server.
+type Conn struct {
+	net.Conn                         // a net.Conn holding the connection
+	UDPSize        uint16            // minimum receive buffer for UDP messages
+	TsigSecret     map[string]string // secret(s) for Tsig map[<zonename>]<base64 secret>, zonename must be fully qualified
+	rtt            time.Duration
+	t              time.Time
+	tsigRequestMAC string
+}
+
+// A Client defines parameters for a DNS client.
+type Client struct {
+	Net            string            // if "tcp" or "tcp-tls" (DNS over TLS) a TCP query will be initiated, otherwise an UDP one (default is "" for UDP)
+	UDPSize        uint16            // minimum receive buffer for UDP messages
+	TLSConfig      *tls.Config       // TLS connection configuration
+	Timeout        time.Duration     // a cumulative timeout for dial, write and read, defaults to 0 (disabled) - overrides DialTimeout, ReadTimeout and WriteTimeout when non-zero
+	DialTimeout    time.Duration     // net.DialTimeout, defaults to 2 seconds - overridden by Timeout when that value is non-zero
+	ReadTimeout    time.Duration     // net.Conn.SetReadTimeout value for connections, defaults to 2 seconds - overridden by Timeout when that value is non-zero
+	WriteTimeout   time.Duration     // net.Conn.SetWriteTimeout value for connections, defaults to 2 seconds - overridden by Timeout when that value is non-zero
+	TsigSecret     map[string]string // secret(s) for Tsig map[<zonename>]<base64 secret>, zonename must be fully qualified
+	SingleInflight bool              // if true suppress multiple outstanding queries for the same Qname, Qtype and Qclass
+	group          singleflight
+}
+
+// Exchange performs a synchronous UDP query. It sends the message m to the address
+// contained in a and waits for a reply. Exchange does not retry a failed query, nor
+// will it fall back to TCP in case of truncation.
+// See client.Exchange for more information on setting larger buffer sizes.
+func Exchange(m *Msg, a string) (r *Msg, err error) {
+	var co *Conn
+	co, err = DialTimeout("udp", a, dnsTimeout)
+	if err != nil {
+		return nil, err
+	}
+
+	defer co.Close()
+
+	opt := m.IsEdns0()
+	// If EDNS0 is used use that for size.
+	if opt != nil && opt.UDPSize() >= MinMsgSize {
+		co.UDPSize = opt.UDPSize()
+	}
+
+	co.SetWriteDeadline(time.Now().Add(dnsTimeout))
+	if err = co.WriteMsg(m); err != nil {
+		return nil, err
+	}
+
+	co.SetReadDeadline(time.Now().Add(dnsTimeout))
+	r, err = co.ReadMsg()
+	if err == nil && r.Id != m.Id {
+		err = ErrId
+	}
+	return r, err
+}
+
+// ExchangeConn performs a synchronous query. It sends the message m via the connection
+// c and waits for a reply. The connection c is not closed by ExchangeConn.
+// This function is going away, but can easily be mimicked:
+//
+//	co := &dns.Conn{Conn: c} // c is your net.Conn
+//	co.WriteMsg(m)
+//	in, _  := co.ReadMsg()
+//	co.Close()
+//
+func ExchangeConn(c net.Conn, m *Msg) (r *Msg, err error) {
+	println("dns: this function is deprecated")
+	co := new(Conn)
+	co.Conn = c
+	if err = co.WriteMsg(m); err != nil {
+		return nil, err
+	}
+	r, err = co.ReadMsg()
+	if err == nil && r.Id != m.Id {
+		err = ErrId
+	}
+	return r, err
+}
+
+// Exchange performs a synchronous query. It sends the message m to the address
+// contained in a and waits for a reply. Basic use pattern with a *dns.Client:
+//
+//	c := new(dns.Client)
+//	in, rtt, err := c.Exchange(message, "127.0.0.1:53")
+//
+// Exchange does not retry a failed query, nor will it fall back to TCP in
+// case of truncation.
+// It is up to the caller to create a message that allows for larger responses to be
+// returned. Specifically this means adding an EDNS0 OPT RR that will advertise a larger
+// buffer, see SetEdns0. Messages without an OPT RR will fallback to the historic limit
+// of 512 bytes.
+func (c *Client) Exchange(m *Msg, a string) (r *Msg, rtt time.Duration, err error) {
+	if !c.SingleInflight {
+		return c.exchange(m, a)
+	}
+	// This adds a bunch of garbage, TODO(miek).
+	t := "nop"
+	if t1, ok := TypeToString[m.Question[0].Qtype]; ok {
+		t = t1
+	}
+	cl := "nop"
+	if cl1, ok := ClassToString[m.Question[0].Qclass]; ok {
+		cl = cl1
+	}
+	r, rtt, err, shared := c.group.Do(m.Question[0].Name+t+cl, func() (*Msg, time.Duration, error) {
+		return c.exchange(m, a)
+	})
+	if r != nil && shared {
+		r = r.Copy()
+	}
+	if err != nil {
+		return r, rtt, err
+	}
+	return r, rtt, nil
+}
+
+func (c *Client) dialTimeout() time.Duration {
+	if c.Timeout != 0 {
+		return c.Timeout
+	}
+	if c.DialTimeout != 0 {
+		return c.DialTimeout
+	}
+	return dnsTimeout
+}
+
+func (c *Client) readTimeout() time.Duration {
+	if c.ReadTimeout != 0 {
+		return c.ReadTimeout
+	}
+	return dnsTimeout
+}
+
+func (c *Client) writeTimeout() time.Duration {
+	if c.WriteTimeout != 0 {
+		return c.WriteTimeout
+	}
+	return dnsTimeout
+}
+
+func (c *Client) exchange(m *Msg, a string) (r *Msg, rtt time.Duration, err error) {
+	var co *Conn
+	network := "udp"
+	tls := false
+
+	switch c.Net {
+	case "tcp-tls":
+		network = "tcp"
+		tls = true
+	case "tcp4-tls":
+		network = "tcp4"
+		tls = true
+	case "tcp6-tls":
+		network = "tcp6"
+		tls = true
+	default:
+		if c.Net != "" {
+			network = c.Net
+		}
+	}
+
+	var deadline time.Time
+	if c.Timeout != 0 {
+		deadline = time.Now().Add(c.Timeout)
+	}
+
+	if tls {
+		co, err = DialTimeoutWithTLS(network, a, c.TLSConfig, c.dialTimeout())
+	} else {
+		co, err = DialTimeout(network, a, c.dialTimeout())
+	}
+
+	if err != nil {
+		return nil, 0, err
+	}
+	defer co.Close()
+
+	opt := m.IsEdns0()
+	// If EDNS0 is used use that for size.
+	if opt != nil && opt.UDPSize() >= MinMsgSize {
+		co.UDPSize = opt.UDPSize()
+	}
+	// Otherwise use the client's configured UDP size.
+	if opt == nil && c.UDPSize >= MinMsgSize {
+		co.UDPSize = c.UDPSize
+	}
+
+	co.TsigSecret = c.TsigSecret
+	co.SetWriteDeadline(deadlineOrTimeout(deadline, c.writeTimeout()))
+	if err = co.WriteMsg(m); err != nil {
+		return nil, 0, err
+	}
+
+	co.SetReadDeadline(deadlineOrTimeout(deadline, c.readTimeout()))
+	r, err = co.ReadMsg()
+	if err == nil && r.Id != m.Id {
+		err = ErrId
+	}
+	return r, co.rtt, err
+}
+
+// ReadMsg reads a message from the connection co.
+// If the received message contains a TSIG record the transaction
+// signature is verified.
+func (co *Conn) ReadMsg() (*Msg, error) {
+	p, err := co.ReadMsgHeader(nil)
+	if err != nil {
+		return nil, err
+	}
+
+	m := new(Msg)
+	if err := m.Unpack(p); err != nil {
+		// If ErrTruncated was returned, we still want to allow the user to use
+		// the message, but naively they can just check err if they don't want
+		// to use a truncated message
+		if err == ErrTruncated {
+			return m, err
+		}
+		return nil, err
+	}
+	if t := m.IsTsig(); t != nil {
+		if _, ok := co.TsigSecret[t.Hdr.Name]; !ok {
+			return m, ErrSecret
+		}
+		// Need to work on the original message p, as that was used to calculate the tsig.
+		err = TsigVerify(p, co.TsigSecret[t.Hdr.Name], co.tsigRequestMAC, false)
+	}
+	return m, err
+}
+
+// ReadMsgHeader reads a DNS message, parses and populates hdr (when hdr is not nil).
+// Returns message as a byte slice to be parsed with Msg.Unpack later on.
+// Note that error handling on the message body is not possible as only the header is parsed.
+func (co *Conn) ReadMsgHeader(hdr *Header) ([]byte, error) {
+	var (
+		p   []byte
+		n   int
+		err error
+	)
+
+	switch t := co.Conn.(type) {
+	case *net.TCPConn, *tls.Conn:
+		r := t.(io.Reader)
+
+		// First two bytes specify the length of the entire message.
+		l, err := tcpMsgLen(r)
+		if err != nil {
+			return nil, err
+		}
+		p = make([]byte, l)
+		n, err = tcpRead(r, p)
+		co.rtt = time.Since(co.t)
+	default:
+		if co.UDPSize > MinMsgSize {
+			p = make([]byte, co.UDPSize)
+		} else {
+			p = make([]byte, MinMsgSize)
+		}
+		n, err = co.Read(p)
+		co.rtt = time.Since(co.t)
+	}
+
+	if err != nil {
+		return nil, err
+	} else if n < headerSize {
+		return nil, ErrShortRead
+	}
+
+	p = p[:n]
+	if hdr != nil {
+		dh, _, err := unpackMsgHdr(p, 0)
+		if err != nil {
+			return nil, err
+		}
+		*hdr = dh
+	}
+	return p, err
+}
+
+// tcpMsgLen is a helper func to read first two bytes of stream as uint16 packet length.
+func tcpMsgLen(t io.Reader) (int, error) {
+	p := []byte{0, 0}
+	n, err := t.Read(p)
+	if err != nil {
+		return 0, err
+	}
+
+	// As seen with my local router/switch, retursn 1 byte on the above read,
+	// resulting a a ShortRead. Just write it out (instead of loop) and read the
+	// other byte.
+	if n == 1 {
+		n1, err := t.Read(p[1:])
+		if err != nil {
+			return 0, err
+		}
+		n += n1
+	}
+
+	if n != 2 {
+		return 0, ErrShortRead
+	}
+	l := binary.BigEndian.Uint16(p)
+	if l == 0 {
+		return 0, ErrShortRead
+	}
+	return int(l), nil
+}
+
+// tcpRead calls TCPConn.Read enough times to fill allocated buffer.
+func tcpRead(t io.Reader, p []byte) (int, error) {
+	n, err := t.Read(p)
+	if err != nil {
+		return n, err
+	}
+	for n < len(p) {
+		j, err := t.Read(p[n:])
+		if err != nil {
+			return n, err
+		}
+		n += j
+	}
+	return n, err
+}
+
+// Read implements the net.Conn read method.
+func (co *Conn) Read(p []byte) (n int, err error) {
+	if co.Conn == nil {
+		return 0, ErrConnEmpty
+	}
+	if len(p) < 2 {
+		return 0, io.ErrShortBuffer
+	}
+	switch t := co.Conn.(type) {
+	case *net.TCPConn, *tls.Conn:
+		r := t.(io.Reader)
+
+		l, err := tcpMsgLen(r)
+		if err != nil {
+			return 0, err
+		}
+		if l > len(p) {
+			return int(l), io.ErrShortBuffer
+		}
+		return tcpRead(r, p[:l])
+	}
+	// UDP connection
+	n, err = co.Conn.Read(p)
+	if err != nil {
+		return n, err
+	}
+	return n, err
+}
+
+// WriteMsg sends a message through the connection co.
+// If the message m contains a TSIG record the transaction
+// signature is calculated.
+func (co *Conn) WriteMsg(m *Msg) (err error) {
+	var out []byte
+	if t := m.IsTsig(); t != nil {
+		mac := ""
+		if _, ok := co.TsigSecret[t.Hdr.Name]; !ok {
+			return ErrSecret
+		}
+		out, mac, err = TsigGenerate(m, co.TsigSecret[t.Hdr.Name], co.tsigRequestMAC, false)
+		// Set for the next read, although only used in zone transfers
+		co.tsigRequestMAC = mac
+	} else {
+		out, err = m.Pack()
+	}
+	if err != nil {
+		return err
+	}
+	co.t = time.Now()
+	if _, err = co.Write(out); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Write implements the net.Conn Write method.
+func (co *Conn) Write(p []byte) (n int, err error) {
+	switch t := co.Conn.(type) {
+	case *net.TCPConn, *tls.Conn:
+		w := t.(io.Writer)
+
+		lp := len(p)
+		if lp < 2 {
+			return 0, io.ErrShortBuffer
+		}
+		if lp > MaxMsgSize {
+			return 0, &Error{err: "message too large"}
+		}
+		l := make([]byte, 2, lp+2)
+		binary.BigEndian.PutUint16(l, uint16(lp))
+		p = append(l, p...)
+		n, err := io.Copy(w, bytes.NewReader(p))
+		return int(n), err
+	}
+	n, err = co.Conn.Write(p)
+	return n, err
+}
+
+// Dial connects to the address on the named network.
+func Dial(network, address string) (conn *Conn, err error) {
+	conn = new(Conn)
+	conn.Conn, err = net.Dial(network, address)
+	if err != nil {
+		return nil, err
+	}
+	return conn, nil
+}
+
+// DialTimeout acts like Dial but takes a timeout.
+func DialTimeout(network, address string, timeout time.Duration) (conn *Conn, err error) {
+	conn = new(Conn)
+	conn.Conn, err = net.DialTimeout(network, address, timeout)
+	if err != nil {
+		return nil, err
+	}
+	return conn, nil
+}
+
+// DialWithTLS connects to the address on the named network with TLS.
+func DialWithTLS(network, address string, tlsConfig *tls.Config) (conn *Conn, err error) {
+	conn = new(Conn)
+	conn.Conn, err = tls.Dial(network, address, tlsConfig)
+	if err != nil {
+		return nil, err
+	}
+	return conn, nil
+}
+
+// DialTimeoutWithTLS acts like DialWithTLS but takes a timeout.
+func DialTimeoutWithTLS(network, address string, tlsConfig *tls.Config, timeout time.Duration) (conn *Conn, err error) {
+	var dialer net.Dialer
+	dialer.Timeout = timeout
+
+	conn = new(Conn)
+	conn.Conn, err = tls.DialWithDialer(&dialer, network, address, tlsConfig)
+	if err != nil {
+		return nil, err
+	}
+	return conn, nil
+}
+
+func deadlineOrTimeout(deadline time.Time, timeout time.Duration) time.Time {
+	if deadline.IsZero() {
+		return time.Now().Add(timeout)
+	}
+	return deadline
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/client_test.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/client_test.go
new file mode 100644
index 000000000..dee585f36
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/client_test.go
@@ -0,0 +1,511 @@
+package dns
+
+import (
+	"crypto/tls"
+	"fmt"
+	"net"
+	"strconv"
+	"sync"
+	"testing"
+	"time"
+)
+
+func TestClientSync(t *testing.T) {
+	HandleFunc("miek.nl.", HelloServer)
+	defer HandleRemove("miek.nl.")
+
+	s, addrstr, err := RunLocalUDPServer("127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("unable to run test server: %v", err)
+	}
+	defer s.Shutdown()
+
+	m := new(Msg)
+	m.SetQuestion("miek.nl.", TypeSOA)
+
+	c := new(Client)
+	r, _, err := c.Exchange(m, addrstr)
+	if err != nil {
+		t.Errorf("failed to exchange: %v", err)
+	}
+	if r != nil && r.Rcode != RcodeSuccess {
+		t.Errorf("failed to get an valid answer\n%v", r)
+	}
+	// And now with plain Exchange().
+	r, err = Exchange(m, addrstr)
+	if err != nil {
+		t.Errorf("failed to exchange: %v", err)
+	}
+	if r == nil || r.Rcode != RcodeSuccess {
+		t.Errorf("failed to get an valid answer\n%v", r)
+	}
+}
+
+func TestClientTLSSync(t *testing.T) {
+	HandleFunc("miek.nl.", HelloServer)
+	defer HandleRemove("miek.nl.")
+
+	cert, err := tls.X509KeyPair(CertPEMBlock, KeyPEMBlock)
+	if err != nil {
+		t.Fatalf("unable to build certificate: %v", err)
+	}
+
+	config := tls.Config{
+		Certificates: []tls.Certificate{cert},
+	}
+
+	s, addrstr, err := RunLocalTLSServer("127.0.0.1:0", &config)
+	if err != nil {
+		t.Fatalf("unable to run test server: %v", err)
+	}
+	defer s.Shutdown()
+
+	m := new(Msg)
+	m.SetQuestion("miek.nl.", TypeSOA)
+
+	c := new(Client)
+	c.Net = "tcp-tls"
+	c.TLSConfig = &tls.Config{
+		InsecureSkipVerify: true,
+	}
+
+	r, _, err := c.Exchange(m, addrstr)
+	if err != nil {
+		t.Errorf("failed to exchange: %v", err)
+	}
+	if r != nil && r.Rcode != RcodeSuccess {
+		t.Errorf("failed to get an valid answer\n%v", r)
+	}
+}
+
+func TestClientSyncBadID(t *testing.T) {
+	HandleFunc("miek.nl.", HelloServerBadID)
+	defer HandleRemove("miek.nl.")
+
+	s, addrstr, err := RunLocalUDPServer("127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("unable to run test server: %v", err)
+	}
+	defer s.Shutdown()
+
+	m := new(Msg)
+	m.SetQuestion("miek.nl.", TypeSOA)
+
+	c := new(Client)
+	if _, _, err := c.Exchange(m, addrstr); err != ErrId {
+		t.Errorf("did not find a bad Id")
+	}
+	// And now with plain Exchange().
+	if _, err := Exchange(m, addrstr); err != ErrId {
+		t.Errorf("did not find a bad Id")
+	}
+}
+
+func TestClientEDNS0(t *testing.T) {
+	HandleFunc("miek.nl.", HelloServer)
+	defer HandleRemove("miek.nl.")
+
+	s, addrstr, err := RunLocalUDPServer("127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("unable to run test server: %v", err)
+	}
+	defer s.Shutdown()
+
+	m := new(Msg)
+	m.SetQuestion("miek.nl.", TypeDNSKEY)
+
+	m.SetEdns0(2048, true)
+
+	c := new(Client)
+	r, _, err := c.Exchange(m, addrstr)
+	if err != nil {
+		t.Errorf("failed to exchange: %v", err)
+	}
+
+	if r != nil && r.Rcode != RcodeSuccess {
+		t.Errorf("failed to get an valid answer\n%v", r)
+	}
+}
+
+// Validates the transmission and parsing of local EDNS0 options.
+func TestClientEDNS0Local(t *testing.T) {
+	optStr1 := "1979:0x0707"
+	optStr2 := strconv.Itoa(EDNS0LOCALSTART) + ":0x0601"
+
+	handler := func(w ResponseWriter, req *Msg) {
+		m := new(Msg)
+		m.SetReply(req)
+
+		m.Extra = make([]RR, 1, 2)
+		m.Extra[0] = &TXT{Hdr: RR_Header{Name: m.Question[0].Name, Rrtype: TypeTXT, Class: ClassINET, Ttl: 0}, Txt: []string{"Hello local edns"}}
+
+		// If the local options are what we expect, then reflect them back.
+		ec1 := req.Extra[0].(*OPT).Option[0].(*EDNS0_LOCAL).String()
+		ec2 := req.Extra[0].(*OPT).Option[1].(*EDNS0_LOCAL).String()
+		if ec1 == optStr1 && ec2 == optStr2 {
+			m.Extra = append(m.Extra, req.Extra[0])
+		}
+
+		w.WriteMsg(m)
+	}
+
+	HandleFunc("miek.nl.", handler)
+	defer HandleRemove("miek.nl.")
+
+	s, addrstr, err := RunLocalUDPServer("127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("unable to run test server: %s", err)
+	}
+	defer s.Shutdown()
+
+	m := new(Msg)
+	m.SetQuestion("miek.nl.", TypeTXT)
+
+	// Add two local edns options to the query.
+	ec1 := &EDNS0_LOCAL{Code: 1979, Data: []byte{7, 7}}
+	ec2 := &EDNS0_LOCAL{Code: EDNS0LOCALSTART, Data: []byte{6, 1}}
+	o := &OPT{Hdr: RR_Header{Name: ".", Rrtype: TypeOPT}, Option: []EDNS0{ec1, ec2}}
+	m.Extra = append(m.Extra, o)
+
+	c := new(Client)
+	r, _, err := c.Exchange(m, addrstr)
+	if err != nil {
+		t.Errorf("failed to exchange: %s", err)
+	}
+
+	if r != nil && r.Rcode != RcodeSuccess {
+		t.Error("failed to get a valid answer")
+		t.Logf("%v\n", r)
+	}
+
+	txt := r.Extra[0].(*TXT).Txt[0]
+	if txt != "Hello local edns" {
+		t.Error("Unexpected result for miek.nl", txt, "!= Hello local edns")
+	}
+
+	// Validate the local options in the reply.
+	got := r.Extra[1].(*OPT).Option[0].(*EDNS0_LOCAL).String()
+	if got != optStr1 {
+		t.Errorf("failed to get local edns0 answer; got %s, expected %s", got, optStr1)
+		t.Logf("%v\n", r)
+	}
+
+	got = r.Extra[1].(*OPT).Option[1].(*EDNS0_LOCAL).String()
+	if got != optStr2 {
+		t.Errorf("failed to get local edns0 answer; got %s, expected %s", got, optStr2)
+		t.Logf("%v\n", r)
+	}
+}
+
+// ExampleTsigSecret_updateLeaseTSIG shows how to update a lease signed with TSIG
+func ExampleTsigSecret_updateLeaseTSIG() {
+	m := new(Msg)
+	m.SetUpdate("t.local.ip6.io.")
+	rr, _ := NewRR("t.local.ip6.io. 30 A 127.0.0.1")
+	rrs := make([]RR, 1)
+	rrs[0] = rr
+	m.Insert(rrs)
+
+	leaseRr := new(OPT)
+	leaseRr.Hdr.Name = "."
+	leaseRr.Hdr.Rrtype = TypeOPT
+	e := new(EDNS0_UL)
+	e.Code = EDNS0UL
+	e.Lease = 120
+	leaseRr.Option = append(leaseRr.Option, e)
+	m.Extra = append(m.Extra, leaseRr)
+
+	c := new(Client)
+	m.SetTsig("polvi.", HmacMD5, 300, time.Now().Unix())
+	c.TsigSecret = map[string]string{"polvi.": "pRZgBrBvI4NAHZYhxmhs/Q=="}
+
+	_, _, err := c.Exchange(m, "127.0.0.1:53")
+	if err != nil {
+		panic(err)
+	}
+}
+
+func TestClientConn(t *testing.T) {
+	HandleFunc("miek.nl.", HelloServer)
+	defer HandleRemove("miek.nl.")
+
+	// This uses TCP just to make it slightly different than TestClientSync
+	s, addrstr, err := RunLocalTCPServer("127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("unable to run test server: %v", err)
+	}
+	defer s.Shutdown()
+
+	m := new(Msg)
+	m.SetQuestion("miek.nl.", TypeSOA)
+
+	cn, err := Dial("tcp", addrstr)
+	if err != nil {
+		t.Errorf("failed to dial %s: %v", addrstr, err)
+	}
+
+	err = cn.WriteMsg(m)
+	if err != nil {
+		t.Errorf("failed to exchange: %v", err)
+	}
+	r, err := cn.ReadMsg()
+	if r == nil || r.Rcode != RcodeSuccess {
+		t.Errorf("failed to get an valid answer\n%v", r)
+	}
+
+	err = cn.WriteMsg(m)
+	if err != nil {
+		t.Errorf("failed to exchange: %v", err)
+	}
+	h := new(Header)
+	buf, err := cn.ReadMsgHeader(h)
+	if buf == nil {
+		t.Errorf("failed to get an valid answer\n%v", r)
+	}
+	if int(h.Bits&0xF) != RcodeSuccess {
+		t.Errorf("failed to get an valid answer in ReadMsgHeader\n%v", r)
+	}
+	if h.Ancount != 0 || h.Qdcount != 1 || h.Nscount != 0 || h.Arcount != 1 {
+		t.Errorf("expected to have question and additional in response; got something else: %+v", h)
+	}
+	if err = r.Unpack(buf); err != nil {
+		t.Errorf("unable to unpack message fully: %v", err)
+	}
+}
+
+func TestTruncatedMsg(t *testing.T) {
+	m := new(Msg)
+	m.SetQuestion("miek.nl.", TypeSRV)
+	cnt := 10
+	for i := 0; i < cnt; i++ {
+		r := &SRV{
+			Hdr:    RR_Header{Name: m.Question[0].Name, Rrtype: TypeSRV, Class: ClassINET, Ttl: 0},
+			Port:   uint16(i + 8000),
+			Target: "target.miek.nl.",
+		}
+		m.Answer = append(m.Answer, r)
+
+		re := &A{
+			Hdr: RR_Header{Name: m.Question[0].Name, Rrtype: TypeA, Class: ClassINET, Ttl: 0},
+			A:   net.ParseIP(fmt.Sprintf("127.0.0.%d", i)).To4(),
+		}
+		m.Extra = append(m.Extra, re)
+	}
+	buf, err := m.Pack()
+	if err != nil {
+		t.Errorf("failed to pack: %v", err)
+	}
+
+	r := new(Msg)
+	if err = r.Unpack(buf); err != nil {
+		t.Errorf("unable to unpack message: %v", err)
+	}
+	if len(r.Answer) != cnt {
+		t.Errorf("answer count after regular unpack doesn't match: %d", len(r.Answer))
+	}
+	if len(r.Extra) != cnt {
+		t.Errorf("extra count after regular unpack doesn't match: %d", len(r.Extra))
+	}
+
+	m.Truncated = true
+	buf, err = m.Pack()
+	if err != nil {
+		t.Errorf("failed to pack truncated: %v", err)
+	}
+
+	r = new(Msg)
+	if err = r.Unpack(buf); err != nil && err != ErrTruncated {
+		t.Errorf("unable to unpack truncated message: %v", err)
+	}
+	if !r.Truncated {
+		t.Errorf("truncated message wasn't unpacked as truncated")
+	}
+	if len(r.Answer) != cnt {
+		t.Errorf("answer count after truncated unpack doesn't match: %d", len(r.Answer))
+	}
+	if len(r.Extra) != cnt {
+		t.Errorf("extra count after truncated unpack doesn't match: %d", len(r.Extra))
+	}
+
+	// Now we want to remove almost all of the extra records
+	// We're going to loop over the extra to get the count of the size of all
+	// of them
+	off := 0
+	buf1 := make([]byte, m.Len())
+	for i := 0; i < len(m.Extra); i++ {
+		off, err = PackRR(m.Extra[i], buf1, off, nil, m.Compress)
+		if err != nil {
+			t.Errorf("failed to pack extra: %v", err)
+		}
+	}
+
+	// Remove all of the extra bytes but 10 bytes from the end of buf
+	off -= 10
+	buf1 = buf[:len(buf)-off]
+
+	r = new(Msg)
+	if err = r.Unpack(buf1); err != nil && err != ErrTruncated {
+		t.Errorf("unable to unpack cutoff message: %v", err)
+	}
+	if !r.Truncated {
+		t.Error("truncated cutoff message wasn't unpacked as truncated")
+	}
+	if len(r.Answer) != cnt {
+		t.Errorf("answer count after cutoff unpack doesn't match: %d", len(r.Answer))
+	}
+	if len(r.Extra) != 0 {
+		t.Errorf("extra count after cutoff unpack is not zero: %d", len(r.Extra))
+	}
+
+	// Now we want to remove almost all of the answer records too
+	buf1 = make([]byte, m.Len())
+	as := 0
+	for i := 0; i < len(m.Extra); i++ {
+		off1 := off
+		off, err = PackRR(m.Extra[i], buf1, off, nil, m.Compress)
+		as = off - off1
+		if err != nil {
+			t.Errorf("failed to pack extra: %v", err)
+		}
+	}
+
+	// Keep exactly one answer left
+	// This should still cause Answer to be nil
+	off -= as
+	buf1 = buf[:len(buf)-off]
+
+	r = new(Msg)
+	if err = r.Unpack(buf1); err != nil && err != ErrTruncated {
+		t.Errorf("unable to unpack cutoff message: %v", err)
+	}
+	if !r.Truncated {
+		t.Error("truncated cutoff message wasn't unpacked as truncated")
+	}
+	if len(r.Answer) != 0 {
+		t.Errorf("answer count after second cutoff unpack is not zero: %d", len(r.Answer))
+	}
+
+	// Now leave only 1 byte of the question
+	// Since the header is always 12 bytes, we just need to keep 13
+	buf1 = buf[:13]
+
+	r = new(Msg)
+	err = r.Unpack(buf1)
+	if err == nil || err == ErrTruncated {
+		t.Errorf("error should not be ErrTruncated from question cutoff unpack: %v", err)
+	}
+
+	// Finally, if we only have the header, we should still return an error
+	buf1 = buf[:12]
+
+	r = new(Msg)
+	if err = r.Unpack(buf1); err == nil || err != ErrTruncated {
+		t.Errorf("error not ErrTruncated from header-only unpack: %v", err)
+	}
+}
+
+func TestTimeout(t *testing.T) {
+	// Set up a dummy UDP server that won't respond
+	addr, err := net.ResolveUDPAddr("udp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("unable to resolve local udp address: %v", err)
+	}
+	conn, err := net.ListenUDP("udp", addr)
+	if err != nil {
+		t.Fatalf("unable to run test server: %v", err)
+	}
+	defer conn.Close()
+	addrstr := conn.LocalAddr().String()
+
+	// Message to send
+	m := new(Msg)
+	m.SetQuestion("miek.nl.", TypeTXT)
+
+	// Use a channel + timeout to ensure we don't get stuck if the
+	// Client Timeout is not working properly
+	done := make(chan struct{})
+
+	timeout := time.Millisecond
+	allowable := timeout + (10 * time.Millisecond)
+	abortAfter := timeout + (100 * time.Millisecond)
+
+	start := time.Now()
+
+	go func() {
+		c := &Client{Timeout: timeout}
+		_, _, err := c.Exchange(m, addrstr)
+		if err == nil {
+			t.Error("no timeout using Client")
+		}
+		done <- struct{}{}
+	}()
+
+	select {
+	case <-done:
+	case <-time.After(abortAfter):
+	}
+
+	length := time.Since(start)
+
+	if length > allowable {
+		t.Errorf("exchange took longer (%v) than specified Timeout (%v)", length, timeout)
+	}
+}
+
+// Check that responses from deduplicated requests aren't shared between callers
+func TestConcurrentExchanges(t *testing.T) {
+	cases := make([]*Msg, 2)
+	cases[0] = new(Msg)
+	cases[1] = new(Msg)
+	cases[1].Truncated = true
+	for _, m := range cases {
+		block := make(chan struct{})
+		waiting := make(chan struct{})
+
+		handler := func(w ResponseWriter, req *Msg) {
+			r := m.Copy()
+			r.SetReply(req)
+
+			waiting <- struct{}{}
+			<-block
+			w.WriteMsg(r)
+		}
+
+		HandleFunc("miek.nl.", handler)
+		defer HandleRemove("miek.nl.")
+
+		s, addrstr, err := RunLocalUDPServer("127.0.0.1:0")
+		if err != nil {
+			t.Fatalf("unable to run test server: %s", err)
+		}
+		defer s.Shutdown()
+
+		m := new(Msg)
+		m.SetQuestion("miek.nl.", TypeSRV)
+		c := &Client{
+			SingleInflight: true,
+		}
+		r := make([]*Msg, 2)
+
+		var wg sync.WaitGroup
+		wg.Add(len(r))
+		for i := 0; i < len(r); i++ {
+			go func(i int) {
+				r[i], _, _ = c.Exchange(m.Copy(), addrstr)
+				wg.Done()
+			}(i)
+		}
+		select {
+		case <-waiting:
+		case <-time.After(time.Second):
+			t.FailNow()
+		}
+		close(block)
+		wg.Wait()
+
+		if r[0] == r[1] {
+			t.Log("Got same response object, expected non-shared responses")
+			t.Fail()
+		}
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/clientconfig.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/clientconfig.go
new file mode 100644
index 000000000..0a1f5a92c
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/clientconfig.go
@@ -0,0 +1,131 @@
+package dns
+
+import (
+	"bufio"
+	"os"
+	"strconv"
+	"strings"
+)
+
+// ClientConfig wraps the contents of the /etc/resolv.conf file.
+type ClientConfig struct {
+	Servers  []string // servers to use
+	Search   []string // suffixes to append to local name
+	Port     string   // what port to use
+	Ndots    int      // number of dots in name to trigger absolute lookup
+	Timeout  int      // seconds before giving up on packet
+	Attempts int      // lost packets before giving up on server, not used in the package dns
+}
+
+// ClientConfigFromFile parses a resolv.conf(5) like file and returns
+// a *ClientConfig.
+func ClientConfigFromFile(resolvconf string) (*ClientConfig, error) {
+	file, err := os.Open(resolvconf)
+	if err != nil {
+		return nil, err
+	}
+	defer file.Close()
+	c := new(ClientConfig)
+	scanner := bufio.NewScanner(file)
+	c.Servers = make([]string, 0)
+	c.Search = make([]string, 0)
+	c.Port = "53"
+	c.Ndots = 1
+	c.Timeout = 5
+	c.Attempts = 2
+
+	for scanner.Scan() {
+		if err := scanner.Err(); err != nil {
+			return nil, err
+		}
+		line := scanner.Text()
+		f := strings.Fields(line)
+		if len(f) < 1 {
+			continue
+		}
+		switch f[0] {
+		case "nameserver": // add one name server
+			if len(f) > 1 {
+				// One more check: make sure server name is
+				// just an IP address.  Otherwise we need DNS
+				// to look it up.
+				name := f[1]
+				c.Servers = append(c.Servers, name)
+			}
+
+		case "domain": // set search path to just this domain
+			if len(f) > 1 {
+				c.Search = make([]string, 1)
+				c.Search[0] = f[1]
+			} else {
+				c.Search = make([]string, 0)
+			}
+
+		case "search": // set search path to given servers
+			c.Search = make([]string, len(f)-1)
+			for i := 0; i < len(c.Search); i++ {
+				c.Search[i] = f[i+1]
+			}
+
+		case "options": // magic options
+			for i := 1; i < len(f); i++ {
+				s := f[i]
+				switch {
+				case len(s) >= 6 && s[:6] == "ndots:":
+					n, _ := strconv.Atoi(s[6:])
+					if n < 1 {
+						n = 1
+					}
+					c.Ndots = n
+				case len(s) >= 8 && s[:8] == "timeout:":
+					n, _ := strconv.Atoi(s[8:])
+					if n < 1 {
+						n = 1
+					}
+					c.Timeout = n
+				case len(s) >= 8 && s[:9] == "attempts:":
+					n, _ := strconv.Atoi(s[9:])
+					if n < 1 {
+						n = 1
+					}
+					c.Attempts = n
+				case s == "rotate":
+					/* not imp */
+				}
+			}
+		}
+	}
+	return c, nil
+}
+
+// NameList returns all of the names that should be queried based on the
+// config. It is based off of go's net/dns name building, but it does not
+// check the length of the resulting names.
+func (c *ClientConfig) NameList(name string) []string {
+	// if this domain is already fully qualified, no append needed.
+	if IsFqdn(name) {
+		return []string{name}
+	}
+
+	// Check to see if the name has more labels than Ndots. Do this before making
+	// the domain fully qualified.
+	hasNdots := CountLabel(name) > c.Ndots
+	// Make the domain fully qualified.
+	name = Fqdn(name)
+
+	// Make a list of names based off search.
+	names := []string{}
+
+	// If name has enough dots, try that first.
+	if hasNdots {
+		names = append(names, name)
+	}
+	for _, s := range c.Search {
+		names = append(names, Fqdn(name+s))
+	}
+	// If we didn't have enough dots, try after suffixes.
+	if !hasNdots {
+		names = append(names, name)
+	}
+	return names
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/clientconfig_test.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/clientconfig_test.go
new file mode 100644
index 000000000..7755a8a6f
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/clientconfig_test.go
@@ -0,0 +1,87 @@
+package dns
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+const normal string = `
+# Comment
+domain somedomain.com
+nameserver 10.28.10.2
+nameserver 11.28.10.1
+`
+
+const missingNewline string = `
+domain somedomain.com
+nameserver 10.28.10.2
+nameserver 11.28.10.1` // <- NOTE: NO newline.
+
+func testConfig(t *testing.T, data string) {
+	tempDir, err := ioutil.TempDir("", "")
+	if err != nil {
+		t.Fatalf("tempDir: %v", err)
+	}
+	defer os.RemoveAll(tempDir)
+
+	path := filepath.Join(tempDir, "resolv.conf")
+	if err := ioutil.WriteFile(path, []byte(data), 0644); err != nil {
+		t.Fatalf("writeFile: %v", err)
+	}
+	cc, err := ClientConfigFromFile(path)
+	if err != nil {
+		t.Errorf("error parsing resolv.conf: %v", err)
+	}
+	if l := len(cc.Servers); l != 2 {
+		t.Errorf("incorrect number of nameservers detected: %d", l)
+	}
+	if l := len(cc.Search); l != 1 {
+		t.Errorf("domain directive not parsed correctly: %v", cc.Search)
+	} else {
+		if cc.Search[0] != "somedomain.com" {
+			t.Errorf("domain is unexpected: %v", cc.Search[0])
+		}
+	}
+}
+
+func TestNameserver(t *testing.T)          { testConfig(t, normal) }
+func TestMissingFinalNewLine(t *testing.T) { testConfig(t, missingNewline) }
+
+func TestNameList(t *testing.T) {
+	cfg := ClientConfig{
+		Ndots: 1,
+	}
+	// fqdn should be only result returned
+	names := cfg.NameList("miek.nl.")
+	if len(names) != 1 {
+		t.Errorf("NameList returned != 1 names: %v", names)
+	} else if names[0] != "miek.nl." {
+		t.Errorf("NameList didn't return sent fqdn domain: %v", names[0])
+	}
+
+	cfg.Search = []string{
+		"test",
+	}
+	// Sent domain has NDots and search
+	names = cfg.NameList("miek.nl")
+	if len(names) != 2 {
+		t.Errorf("NameList returned != 2 names: %v", names)
+	} else if names[0] != "miek.nl." {
+		t.Errorf("NameList didn't return sent domain first: %v", names[0])
+	} else if names[1] != "miek.nl.test." {
+		t.Errorf("NameList didn't return search last: %v", names[1])
+	}
+
+	cfg.Ndots = 2
+	// Sent domain has less than NDots and search
+	names = cfg.NameList("miek.nl")
+	if len(names) != 2 {
+		t.Errorf("NameList returned != 2 names: %v", names)
+	} else if names[0] != "miek.nl.test." {
+		t.Errorf("NameList didn't return search first: %v", names[0])
+	} else if names[1] != "miek.nl." {
+		t.Errorf("NameList didn't return sent domain last: %v", names[1])
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/compress_generate.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/compress_generate.go
new file mode 100644
index 000000000..1a301e9f3
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/compress_generate.go
@@ -0,0 +1,184 @@
+//+build ignore
+
+// compression_generate.go is meant to run with go generate. It will use
+// go/{importer,types} to track down all the RR struct types. Then for each type
+// it will look to see if there are (compressible) names, if so it will add that
+// type to compressionLenHelperType and comressionLenSearchType which "fake" the
+// compression so that Len() is fast.
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"go/format"
+	"go/importer"
+	"go/types"
+	"log"
+	"os"
+)
+
+var packageHdr = `
+// *** DO NOT MODIFY ***
+// AUTOGENERATED BY go generate from compress_generate.go
+
+package dns
+
+`
+
+// getTypeStruct will take a type and the package scope, and return the
+// (innermost) struct if the type is considered a RR type (currently defined as
+// those structs beginning with a RR_Header, could be redefined as implementing
+// the RR interface). The bool return value indicates if embedded structs were
+// resolved.
+func getTypeStruct(t types.Type, scope *types.Scope) (*types.Struct, bool) {
+	st, ok := t.Underlying().(*types.Struct)
+	if !ok {
+		return nil, false
+	}
+	if st.Field(0).Type() == scope.Lookup("RR_Header").Type() {
+		return st, false
+	}
+	if st.Field(0).Anonymous() {
+		st, _ := getTypeStruct(st.Field(0).Type(), scope)
+		return st, true
+	}
+	return nil, false
+}
+
+func main() {
+	// Import and type-check the package
+	pkg, err := importer.Default().Import("github.com/miekg/dns")
+	fatalIfErr(err)
+	scope := pkg.Scope()
+
+	domainTypes := map[string]bool{}  // Types that have a domain name in them (either comressible or not).
+	cdomainTypes := map[string]bool{} // Types that have a compressible domain name in them (subset of domainType)
+	for _, name := range scope.Names() {
+		o := scope.Lookup(name)
+		if o == nil || !o.Exported() {
+			continue
+		}
+		st, _ := getTypeStruct(o.Type(), scope)
+		if st == nil {
+			continue
+		}
+		if name == "PrivateRR" {
+			continue
+		}
+
+		if scope.Lookup("Type"+o.Name()) == nil && o.Name() != "RFC3597" {
+			log.Fatalf("Constant Type%s does not exist.", o.Name())
+		}
+
+		for i := 1; i < st.NumFields(); i++ {
+			if _, ok := st.Field(i).Type().(*types.Slice); ok {
+				if st.Tag(i) == `dns:"domain-name"` {
+					domainTypes[o.Name()] = true
+				}
+				if st.Tag(i) == `dns:"cdomain-name"` {
+					cdomainTypes[o.Name()] = true
+					domainTypes[o.Name()] = true
+				}
+				continue
+			}
+
+			switch {
+			case st.Tag(i) == `dns:"domain-name"`:
+				domainTypes[o.Name()] = true
+			case st.Tag(i) == `dns:"cdomain-name"`:
+				cdomainTypes[o.Name()] = true
+				domainTypes[o.Name()] = true
+			}
+		}
+	}
+
+	b := &bytes.Buffer{}
+	b.WriteString(packageHdr)
+
+	// compressionLenHelperType - all types that have domain-name/cdomain-name can be used for compressing names
+
+	fmt.Fprint(b, "func compressionLenHelperType(c map[string]int, r RR) {\n")
+	fmt.Fprint(b, "switch x := r.(type) {\n")
+	for name, _ := range domainTypes {
+		o := scope.Lookup(name)
+		st, _ := getTypeStruct(o.Type(), scope)
+
+		fmt.Fprintf(b, "case *%s:\n", name)
+		for i := 1; i < st.NumFields(); i++ {
+			out := func(s string) { fmt.Fprintf(b, "compressionLenHelper(c, x.%s)\n", st.Field(i).Name()) }
+
+			if _, ok := st.Field(i).Type().(*types.Slice); ok {
+				switch st.Tag(i) {
+				case `dns:"domain-name"`:
+					fallthrough
+				case `dns:"cdomain-name"`:
+					// For HIP we need to slice over the elements in this slice.
+					fmt.Fprintf(b, `for i := range x.%s {
+						compressionLenHelper(c, x.%s[i])
+					}
+`, st.Field(i).Name(), st.Field(i).Name())
+				}
+				continue
+			}
+
+			switch {
+			case st.Tag(i) == `dns:"cdomain-name"`:
+				fallthrough
+			case st.Tag(i) == `dns:"domain-name"`:
+				out(st.Field(i).Name())
+			}
+		}
+	}
+	fmt.Fprintln(b, "}\n}\n\n")
+
+	// compressionLenSearchType - search cdomain-tags types for compressible names.
+
+	fmt.Fprint(b, "func compressionLenSearchType(c map[string]int, r RR) (int, bool) {\n")
+	fmt.Fprint(b, "switch x := r.(type) {\n")
+	for name, _ := range cdomainTypes {
+		o := scope.Lookup(name)
+		st, _ := getTypeStruct(o.Type(), scope)
+
+		fmt.Fprintf(b, "case *%s:\n", name)
+		j := 1
+		for i := 1; i < st.NumFields(); i++ {
+			out := func(s string, j int) {
+				fmt.Fprintf(b, "k%d, ok%d := compressionLenSearch(c, x.%s)\n", j, j, st.Field(i).Name())
+			}
+
+			// There are no slice types with names that can be compressed.
+
+			switch {
+			case st.Tag(i) == `dns:"cdomain-name"`:
+				out(st.Field(i).Name(), j)
+				j++
+			}
+		}
+		k := "k1"
+		ok := "ok1"
+		for i := 2; i < j; i++ {
+			k += fmt.Sprintf(" + k%d", i)
+			ok += fmt.Sprintf(" && ok%d", i)
+		}
+		fmt.Fprintf(b, "return %s, %s\n", k, ok)
+	}
+	fmt.Fprintln(b, "}\nreturn 0, false\n}\n\n")
+
+	// gofmt
+	res, err := format.Source(b.Bytes())
+	if err != nil {
+		b.WriteTo(os.Stderr)
+		log.Fatal(err)
+	}
+
+	f, err := os.Create("zcompress.go")
+	fatalIfErr(err)
+	defer f.Close()
+	f.Write(res)
+}
+
+func fatalIfErr(err error) {
+	if err != nil {
+		log.Fatal(err)
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/dane.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/dane.go
new file mode 100644
index 000000000..8c4a14ef1
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/dane.go
@@ -0,0 +1,43 @@
+package dns
+
+import (
+	"crypto/sha256"
+	"crypto/sha512"
+	"crypto/x509"
+	"encoding/hex"
+	"errors"
+)
+
+// CertificateToDANE converts a certificate to a hex string as used in the TLSA or SMIMEA records.
+func CertificateToDANE(selector, matchingType uint8, cert *x509.Certificate) (string, error) {
+	switch matchingType {
+	case 0:
+		switch selector {
+		case 0:
+			return hex.EncodeToString(cert.Raw), nil
+		case 1:
+			return hex.EncodeToString(cert.RawSubjectPublicKeyInfo), nil
+		}
+	case 1:
+		h := sha256.New()
+		switch selector {
+		case 0:
+			h.Write(cert.Raw)
+			return hex.EncodeToString(h.Sum(nil)), nil
+		case 1:
+			h.Write(cert.RawSubjectPublicKeyInfo)
+			return hex.EncodeToString(h.Sum(nil)), nil
+		}
+	case 2:
+		h := sha512.New()
+		switch selector {
+		case 0:
+			h.Write(cert.Raw)
+			return hex.EncodeToString(h.Sum(nil)), nil
+		case 1:
+			h.Write(cert.RawSubjectPublicKeyInfo)
+			return hex.EncodeToString(h.Sum(nil)), nil
+		}
+	}
+	return "", errors.New("dns: bad MatchingType or Selector")
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/defaults.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/defaults.go
new file mode 100644
index 000000000..c34890eec
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/defaults.go
@@ -0,0 +1,285 @@
+package dns
+
+import (
+	"errors"
+	"net"
+	"strconv"
+)
+
+const hexDigit = "0123456789abcdef"
+
+// Everything is assumed in ClassINET.
+
+// SetReply creates a reply message from a request message.
+func (dns *Msg) SetReply(request *Msg) *Msg {
+	dns.Id = request.Id
+	dns.Response = true
+	dns.Opcode = request.Opcode
+	if dns.Opcode == OpcodeQuery {
+		dns.RecursionDesired = request.RecursionDesired // Copy rd bit
+		dns.CheckingDisabled = request.CheckingDisabled // Copy cd bit
+	}
+	dns.Rcode = RcodeSuccess
+	if len(request.Question) > 0 {
+		dns.Question = make([]Question, 1)
+		dns.Question[0] = request.Question[0]
+	}
+	return dns
+}
+
+// SetQuestion creates a question message, it sets the Question
+// section, generates an Id and sets the RecursionDesired (RD)
+// bit to true.
+func (dns *Msg) SetQuestion(z string, t uint16) *Msg {
+	dns.Id = Id()
+	dns.RecursionDesired = true
+	dns.Question = make([]Question, 1)
+	dns.Question[0] = Question{z, t, ClassINET}
+	return dns
+}
+
+// SetNotify creates a notify message, it sets the Question
+// section, generates an Id and sets the Authoritative (AA)
+// bit to true.
+func (dns *Msg) SetNotify(z string) *Msg {
+	dns.Opcode = OpcodeNotify
+	dns.Authoritative = true
+	dns.Id = Id()
+	dns.Question = make([]Question, 1)
+	dns.Question[0] = Question{z, TypeSOA, ClassINET}
+	return dns
+}
+
+// SetRcode creates an error message suitable for the request.
+func (dns *Msg) SetRcode(request *Msg, rcode int) *Msg {
+	dns.SetReply(request)
+	dns.Rcode = rcode
+	return dns
+}
+
+// SetRcodeFormatError creates a message with FormError set.
+func (dns *Msg) SetRcodeFormatError(request *Msg) *Msg {
+	dns.Rcode = RcodeFormatError
+	dns.Opcode = OpcodeQuery
+	dns.Response = true
+	dns.Authoritative = false
+	dns.Id = request.Id
+	return dns
+}
+
+// SetUpdate makes the message a dynamic update message. It
+// sets the ZONE section to: z, TypeSOA, ClassINET.
+func (dns *Msg) SetUpdate(z string) *Msg {
+	dns.Id = Id()
+	dns.Response = false
+	dns.Opcode = OpcodeUpdate
+	dns.Compress = false // BIND9 cannot handle compression
+	dns.Question = make([]Question, 1)
+	dns.Question[0] = Question{z, TypeSOA, ClassINET}
+	return dns
+}
+
+// SetIxfr creates message for requesting an IXFR.
+func (dns *Msg) SetIxfr(z string, serial uint32, ns, mbox string) *Msg {
+	dns.Id = Id()
+	dns.Question = make([]Question, 1)
+	dns.Ns = make([]RR, 1)
+	s := new(SOA)
+	s.Hdr = RR_Header{z, TypeSOA, ClassINET, defaultTtl, 0}
+	s.Serial = serial
+	s.Ns = ns
+	s.Mbox = mbox
+	dns.Question[0] = Question{z, TypeIXFR, ClassINET}
+	dns.Ns[0] = s
+	return dns
+}
+
+// SetAxfr creates message for requesting an AXFR.
+func (dns *Msg) SetAxfr(z string) *Msg {
+	dns.Id = Id()
+	dns.Question = make([]Question, 1)
+	dns.Question[0] = Question{z, TypeAXFR, ClassINET}
+	return dns
+}
+
+// SetTsig appends a TSIG RR to the message.
+// This is only a skeleton TSIG RR that is added as the last RR in the
+// additional section. The Tsig is calculated when the message is being send.
+func (dns *Msg) SetTsig(z, algo string, fudge uint16, timesigned int64) *Msg {
+	t := new(TSIG)
+	t.Hdr = RR_Header{z, TypeTSIG, ClassANY, 0, 0}
+	t.Algorithm = algo
+	t.Fudge = fudge
+	t.TimeSigned = uint64(timesigned)
+	t.OrigId = dns.Id
+	dns.Extra = append(dns.Extra, t)
+	return dns
+}
+
+// SetEdns0 appends a EDNS0 OPT RR to the message.
+// TSIG should always the last RR in a message.
+func (dns *Msg) SetEdns0(udpsize uint16, do bool) *Msg {
+	e := new(OPT)
+	e.Hdr.Name = "."
+	e.Hdr.Rrtype = TypeOPT
+	e.SetUDPSize(udpsize)
+	if do {
+		e.SetDo()
+	}
+	dns.Extra = append(dns.Extra, e)
+	return dns
+}
+
+// IsTsig checks if the message has a TSIG record as the last record
+// in the additional section. It returns the TSIG record found or nil.
+func (dns *Msg) IsTsig() *TSIG {
+	if len(dns.Extra) > 0 {
+		if dns.Extra[len(dns.Extra)-1].Header().Rrtype == TypeTSIG {
+			return dns.Extra[len(dns.Extra)-1].(*TSIG)
+		}
+	}
+	return nil
+}
+
+// IsEdns0 checks if the message has a EDNS0 (OPT) record, any EDNS0
+// record in the additional section will do. It returns the OPT record
+// found or nil.
+func (dns *Msg) IsEdns0() *OPT {
+	// EDNS0 is at the end of the additional section, start there.
+	// We might want to change this to *only* look at the last two
+	// records. So we see TSIG and/or OPT - this a slightly bigger
+	// change though.
+	for i := len(dns.Extra) - 1; i >= 0; i-- {
+		if dns.Extra[i].Header().Rrtype == TypeOPT {
+			return dns.Extra[i].(*OPT)
+		}
+	}
+	return nil
+}
+
+// IsDomainName checks if s is a valid domain name, it returns the number of
+// labels and true, when a domain name is valid.  Note that non fully qualified
+// domain name is considered valid, in this case the last label is counted in
+// the number of labels.  When false is returned the number of labels is not
+// defined.  Also note that this function is extremely liberal; almost any
+// string is a valid domain name as the DNS is 8 bit protocol. It checks if each
+// label fits in 63 characters, but there is no length check for the entire
+// string s. I.e.  a domain name longer than 255 characters is considered valid.
+func IsDomainName(s string) (labels int, ok bool) {
+	_, labels, err := packDomainName(s, nil, 0, nil, false)
+	return labels, err == nil
+}
+
+// IsSubDomain checks if child is indeed a child of the parent. If child and parent
+// are the same domain true is returned as well.
+func IsSubDomain(parent, child string) bool {
+	// Entire child is contained in parent
+	return CompareDomainName(parent, child) == CountLabel(parent)
+}
+
+// IsMsg sanity checks buf and returns an error if it isn't a valid DNS packet.
+// The checking is performed on the binary payload.
+func IsMsg(buf []byte) error {
+	// Header
+	if len(buf) < 12 {
+		return errors.New("dns: bad message header")
+	}
+	// Header: Opcode
+	// TODO(miek): more checks here, e.g. check all header bits.
+	return nil
+}
+
+// IsFqdn checks if a domain name is fully qualified.
+func IsFqdn(s string) bool {
+	l := len(s)
+	if l == 0 {
+		return false
+	}
+	return s[l-1] == '.'
+}
+
+// IsRRset checks if a set of RRs is a valid RRset as defined by RFC 2181.
+// This means the RRs need to have the same type, name, and class. Returns true
+// if the RR set is valid, otherwise false.
+func IsRRset(rrset []RR) bool {
+	if len(rrset) == 0 {
+		return false
+	}
+	if len(rrset) == 1 {
+		return true
+	}
+	rrHeader := rrset[0].Header()
+	rrType := rrHeader.Rrtype
+	rrClass := rrHeader.Class
+	rrName := rrHeader.Name
+
+	for _, rr := range rrset[1:] {
+		curRRHeader := rr.Header()
+		if curRRHeader.Rrtype != rrType || curRRHeader.Class != rrClass || curRRHeader.Name != rrName {
+			// Mismatch between the records, so this is not a valid rrset for
+			//signing/verifying
+			return false
+		}
+	}
+
+	return true
+}
+
+// Fqdn return the fully qualified domain name from s.
+// If s is already fully qualified, it behaves as the identity function.
+func Fqdn(s string) string {
+	if IsFqdn(s) {
+		return s
+	}
+	return s + "."
+}
+
+// Copied from the official Go code.
+
+// ReverseAddr returns the in-addr.arpa. or ip6.arpa. hostname of the IP
+// address suitable for reverse DNS (PTR) record lookups or an error if it fails
+// to parse the IP address.
+func ReverseAddr(addr string) (arpa string, err error) {
+	ip := net.ParseIP(addr)
+	if ip == nil {
+		return "", &Error{err: "unrecognized address: " + addr}
+	}
+	if ip.To4() != nil {
+		return strconv.Itoa(int(ip[15])) + "." + strconv.Itoa(int(ip[14])) + "." + strconv.Itoa(int(ip[13])) + "." +
+			strconv.Itoa(int(ip[12])) + ".in-addr.arpa.", nil
+	}
+	// Must be IPv6
+	buf := make([]byte, 0, len(ip)*4+len("ip6.arpa."))
+	// Add it, in reverse, to the buffer
+	for i := len(ip) - 1; i >= 0; i-- {
+		v := ip[i]
+		buf = append(buf, hexDigit[v&0xF])
+		buf = append(buf, '.')
+		buf = append(buf, hexDigit[v>>4])
+		buf = append(buf, '.')
+	}
+	// Append "ip6.arpa." and return (buf already has the final .)
+	buf = append(buf, "ip6.arpa."...)
+	return string(buf), nil
+}
+
+// String returns the string representation for the type t.
+func (t Type) String() string {
+	if t1, ok := TypeToString[uint16(t)]; ok {
+		return t1
+	}
+	return "TYPE" + strconv.Itoa(int(t))
+}
+
+// String returns the string representation for the class c.
+func (c Class) String() string {
+	if c1, ok := ClassToString[uint16(c)]; ok {
+		return c1
+	}
+	return "CLASS" + strconv.Itoa(int(c))
+}
+
+// String returns the string representation for the name n.
+func (n Name) String() string {
+	return sprintName(string(n))
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/dns.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/dns.go
new file mode 100644
index 000000000..b3292287c
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/dns.go
@@ -0,0 +1,104 @@
+package dns
+
+import "strconv"
+
+const (
+	year68     = 1 << 31 // For RFC1982 (Serial Arithmetic) calculations in 32 bits.
+	defaultTtl = 3600    // Default internal TTL.
+
+	DefaultMsgSize = 4096  // DefaultMsgSize is the standard default for messages larger than 512 bytes.
+	MinMsgSize     = 512   // MinMsgSize is the minimal size of a DNS packet.
+	MaxMsgSize     = 65535 // MaxMsgSize is the largest possible DNS packet.
+)
+
+// Error represents a DNS error.
+type Error struct{ err string }
+
+func (e *Error) Error() string {
+	if e == nil {
+		return "dns: <nil>"
+	}
+	return "dns: " + e.err
+}
+
+// An RR represents a resource record.
+type RR interface {
+	// Header returns the header of an resource record. The header contains
+	// everything up to the rdata.
+	Header() *RR_Header
+	// String returns the text representation of the resource record.
+	String() string
+
+	// copy returns a copy of the RR
+	copy() RR
+	// len returns the length (in octets) of the uncompressed RR in wire format.
+	len() int
+	// pack packs an RR into wire format.
+	pack([]byte, int, map[string]int, bool) (int, error)
+}
+
+// RR_Header is the header all DNS resource records share.
+type RR_Header struct {
+	Name     string `dns:"cdomain-name"`
+	Rrtype   uint16
+	Class    uint16
+	Ttl      uint32
+	Rdlength uint16 // Length of data after header.
+}
+
+// Header returns itself. This is here to make RR_Header implements the RR interface.
+func (h *RR_Header) Header() *RR_Header { return h }
+
+// Just to implement the RR interface.
+func (h *RR_Header) copy() RR { return nil }
+
+func (h *RR_Header) copyHeader() *RR_Header {
+	r := new(RR_Header)
+	r.Name = h.Name
+	r.Rrtype = h.Rrtype
+	r.Class = h.Class
+	r.Ttl = h.Ttl
+	r.Rdlength = h.Rdlength
+	return r
+}
+
+func (h *RR_Header) String() string {
+	var s string
+
+	if h.Rrtype == TypeOPT {
+		s = ";"
+		// and maybe other things
+	}
+
+	s += sprintName(h.Name) + "\t"
+	s += strconv.FormatInt(int64(h.Ttl), 10) + "\t"
+	s += Class(h.Class).String() + "\t"
+	s += Type(h.Rrtype).String() + "\t"
+	return s
+}
+
+func (h *RR_Header) len() int {
+	l := len(h.Name) + 1
+	l += 10 // rrtype(2) + class(2) + ttl(4) + rdlength(2)
+	return l
+}
+
+// ToRFC3597 converts a known RR to the unknown RR representation from RFC 3597.
+func (rr *RFC3597) ToRFC3597(r RR) error {
+	buf := make([]byte, r.len()*2)
+	off, err := PackRR(r, buf, 0, nil, false)
+	if err != nil {
+		return err
+	}
+	buf = buf[:off]
+	if int(r.Header().Rdlength) > off {
+		return ErrBuf
+	}
+
+	rfc3597, _, err := unpackRFC3597(*r.Header(), buf, off-int(r.Header().Rdlength))
+	if err != nil {
+		return err
+	}
+	*rr = *rfc3597.(*RFC3597)
+	return nil
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/dns_bench_test.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/dns_bench_test.go
new file mode 100644
index 000000000..bccc3d540
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/dns_bench_test.go
@@ -0,0 +1,211 @@
+package dns
+
+import (
+	"net"
+	"testing"
+)
+
+func BenchmarkMsgLength(b *testing.B) {
+	b.StopTimer()
+	makeMsg := func(question string, ans, ns, e []RR) *Msg {
+		msg := new(Msg)
+		msg.SetQuestion(Fqdn(question), TypeANY)
+		msg.Answer = append(msg.Answer, ans...)
+		msg.Ns = append(msg.Ns, ns...)
+		msg.Extra = append(msg.Extra, e...)
+		msg.Compress = true
+		return msg
+	}
+	name1 := "12345678901234567890123456789012345.12345678.123."
+	rrMx, _ := NewRR(name1 + " 3600 IN MX 10 " + name1)
+	msg := makeMsg(name1, []RR{rrMx, rrMx}, nil, nil)
+	b.StartTimer()
+	for i := 0; i < b.N; i++ {
+		msg.Len()
+	}
+}
+
+func BenchmarkMsgLengthPack(b *testing.B) {
+	makeMsg := func(question string, ans, ns, e []RR) *Msg {
+		msg := new(Msg)
+		msg.SetQuestion(Fqdn(question), TypeANY)
+		msg.Answer = append(msg.Answer, ans...)
+		msg.Ns = append(msg.Ns, ns...)
+		msg.Extra = append(msg.Extra, e...)
+		msg.Compress = true
+		return msg
+	}
+	name1 := "12345678901234567890123456789012345.12345678.123."
+	rrMx, _ := NewRR(name1 + " 3600 IN MX 10 " + name1)
+	msg := makeMsg(name1, []RR{rrMx, rrMx}, nil, nil)
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		_, _ = msg.Pack()
+	}
+}
+
+func BenchmarkPackDomainName(b *testing.B) {
+	name1 := "12345678901234567890123456789012345.12345678.123."
+	buf := make([]byte, len(name1)+1)
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		_, _ = PackDomainName(name1, buf, 0, nil, false)
+	}
+}
+
+func BenchmarkUnpackDomainName(b *testing.B) {
+	name1 := "12345678901234567890123456789012345.12345678.123."
+	buf := make([]byte, len(name1)+1)
+	_, _ = PackDomainName(name1, buf, 0, nil, false)
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		_, _, _ = UnpackDomainName(buf, 0)
+	}
+}
+
+func BenchmarkUnpackDomainNameUnprintable(b *testing.B) {
+	name1 := "\x02\x02\x02\x025\x02\x02\x02\x02.12345678.123."
+	buf := make([]byte, len(name1)+1)
+	_, _ = PackDomainName(name1, buf, 0, nil, false)
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		_, _, _ = UnpackDomainName(buf, 0)
+	}
+}
+
+func BenchmarkCopy(b *testing.B) {
+	b.ReportAllocs()
+	m := new(Msg)
+	m.SetQuestion("miek.nl.", TypeA)
+	rr, _ := NewRR("miek.nl. 2311 IN A 127.0.0.1")
+	m.Answer = []RR{rr}
+	rr, _ = NewRR("miek.nl. 2311 IN NS 127.0.0.1")
+	m.Ns = []RR{rr}
+	rr, _ = NewRR("miek.nl. 2311 IN A 127.0.0.1")
+	m.Extra = []RR{rr}
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		m.Copy()
+	}
+}
+
+func BenchmarkPackA(b *testing.B) {
+	a := &A{Hdr: RR_Header{Name: ".", Rrtype: TypeA, Class: ClassANY}, A: net.IPv4(127, 0, 0, 1)}
+
+	buf := make([]byte, a.len())
+	b.ReportAllocs()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		_, _ = PackRR(a, buf, 0, nil, false)
+	}
+}
+
+func BenchmarkUnpackA(b *testing.B) {
+	a := &A{Hdr: RR_Header{Name: ".", Rrtype: TypeA, Class: ClassANY}, A: net.IPv4(127, 0, 0, 1)}
+
+	buf := make([]byte, a.len())
+	PackRR(a, buf, 0, nil, false)
+	a = nil
+	b.ReportAllocs()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		_, _, _ = UnpackRR(buf, 0)
+	}
+}
+
+func BenchmarkPackMX(b *testing.B) {
+	m := &MX{Hdr: RR_Header{Name: ".", Rrtype: TypeA, Class: ClassANY}, Mx: "mx.miek.nl."}
+
+	buf := make([]byte, m.len())
+	b.ReportAllocs()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		_, _ = PackRR(m, buf, 0, nil, false)
+	}
+}
+
+func BenchmarkUnpackMX(b *testing.B) {
+	m := &MX{Hdr: RR_Header{Name: ".", Rrtype: TypeA, Class: ClassANY}, Mx: "mx.miek.nl."}
+
+	buf := make([]byte, m.len())
+	PackRR(m, buf, 0, nil, false)
+	m = nil
+	b.ReportAllocs()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		_, _, _ = UnpackRR(buf, 0)
+	}
+}
+
+func BenchmarkPackAAAAA(b *testing.B) {
+	aaaa, _ := NewRR(". IN A ::1")
+
+	buf := make([]byte, aaaa.len())
+	b.ReportAllocs()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		_, _ = PackRR(aaaa, buf, 0, nil, false)
+	}
+}
+
+func BenchmarkUnpackAAAA(b *testing.B) {
+	aaaa, _ := NewRR(". IN A ::1")
+
+	buf := make([]byte, aaaa.len())
+	PackRR(aaaa, buf, 0, nil, false)
+	aaaa = nil
+	b.ReportAllocs()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		_, _, _ = UnpackRR(buf, 0)
+	}
+}
+
+func BenchmarkPackMsg(b *testing.B) {
+	makeMsg := func(question string, ans, ns, e []RR) *Msg {
+		msg := new(Msg)
+		msg.SetQuestion(Fqdn(question), TypeANY)
+		msg.Answer = append(msg.Answer, ans...)
+		msg.Ns = append(msg.Ns, ns...)
+		msg.Extra = append(msg.Extra, e...)
+		msg.Compress = true
+		return msg
+	}
+	name1 := "12345678901234567890123456789012345.12345678.123."
+	rrMx, _ := NewRR(name1 + " 3600 IN MX 10 " + name1)
+	msg := makeMsg(name1, []RR{rrMx, rrMx}, nil, nil)
+	buf := make([]byte, 512)
+	b.ReportAllocs()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		_, _ = msg.PackBuffer(buf)
+	}
+}
+
+func BenchmarkUnpackMsg(b *testing.B) {
+	makeMsg := func(question string, ans, ns, e []RR) *Msg {
+		msg := new(Msg)
+		msg.SetQuestion(Fqdn(question), TypeANY)
+		msg.Answer = append(msg.Answer, ans...)
+		msg.Ns = append(msg.Ns, ns...)
+		msg.Extra = append(msg.Extra, e...)
+		msg.Compress = true
+		return msg
+	}
+	name1 := "12345678901234567890123456789012345.12345678.123."
+	rrMx, _ := NewRR(name1 + " 3600 IN MX 10 " + name1)
+	msg := makeMsg(name1, []RR{rrMx, rrMx}, nil, nil)
+	msgBuf, _ := msg.Pack()
+	b.ReportAllocs()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		_ = msg.Unpack(msgBuf)
+	}
+}
+
+func BenchmarkIdGeneration(b *testing.B) {
+	for i := 0; i < b.N; i++ {
+		_ = id()
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/dns_test.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/dns_test.go
new file mode 100644
index 000000000..dbfe25328
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/dns_test.go
@@ -0,0 +1,450 @@
+package dns
+
+import (
+	"encoding/hex"
+	"net"
+	"testing"
+)
+
+func TestPackUnpack(t *testing.T) {
+	out := new(Msg)
+	out.Answer = make([]RR, 1)
+	key := new(DNSKEY)
+	key = &DNSKEY{Flags: 257, Protocol: 3, Algorithm: RSASHA1}
+	key.Hdr = RR_Header{Name: "miek.nl.", Rrtype: TypeDNSKEY, Class: ClassINET, Ttl: 3600}
+	key.PublicKey = "AwEAAaHIwpx3w4VHKi6i1LHnTaWeHCL154Jug0Rtc9ji5qwPXpBo6A5sRv7cSsPQKPIwxLpyCrbJ4mr2L0EPOdvP6z6YfljK2ZmTbogU9aSU2fiq/4wjxbdkLyoDVgtO+JsxNN4bjr4WcWhsmk1Hg93FV9ZpkWb0Tbad8DFqNDzr//kZ"
+
+	out.Answer[0] = key
+	msg, err := out.Pack()
+	if err != nil {
+		t.Error("failed to pack msg with DNSKEY")
+	}
+	in := new(Msg)
+	if in.Unpack(msg) != nil {
+		t.Error("failed to unpack msg with DNSKEY")
+	}
+
+	sig := new(RRSIG)
+	sig = &RRSIG{TypeCovered: TypeDNSKEY, Algorithm: RSASHA1, Labels: 2,
+		OrigTtl: 3600, Expiration: 4000, Inception: 4000, KeyTag: 34641, SignerName: "miek.nl.",
+		Signature: "AwEAAaHIwpx3w4VHKi6i1LHnTaWeHCL154Jug0Rtc9ji5qwPXpBo6A5sRv7cSsPQKPIwxLpyCrbJ4mr2L0EPOdvP6z6YfljK2ZmTbogU9aSU2fiq/4wjxbdkLyoDVgtO+JsxNN4bjr4WcWhsmk1Hg93FV9ZpkWb0Tbad8DFqNDzr//kZ"}
+	sig.Hdr = RR_Header{Name: "miek.nl.", Rrtype: TypeRRSIG, Class: ClassINET, Ttl: 3600}
+
+	out.Answer[0] = sig
+	msg, err = out.Pack()
+	if err != nil {
+		t.Error("failed to pack msg with RRSIG")
+	}
+
+	if in.Unpack(msg) != nil {
+		t.Error("failed to unpack msg with RRSIG")
+	}
+}
+
+func TestPackUnpack2(t *testing.T) {
+	m := new(Msg)
+	m.Extra = make([]RR, 1)
+	m.Answer = make([]RR, 1)
+	dom := "miek.nl."
+	rr := new(A)
+	rr.Hdr = RR_Header{Name: dom, Rrtype: TypeA, Class: ClassINET, Ttl: 0}
+	rr.A = net.IPv4(127, 0, 0, 1)
+
+	x := new(TXT)
+	x.Hdr = RR_Header{Name: dom, Rrtype: TypeTXT, Class: ClassINET, Ttl: 0}
+	x.Txt = []string{"heelalaollo"}
+
+	m.Extra[0] = x
+	m.Answer[0] = rr
+	_, err := m.Pack()
+	if err != nil {
+		t.Error("Packing failed: ", err)
+		return
+	}
+}
+
+func TestPackUnpack3(t *testing.T) {
+	m := new(Msg)
+	m.Extra = make([]RR, 2)
+	m.Answer = make([]RR, 1)
+	dom := "miek.nl."
+	rr := new(A)
+	rr.Hdr = RR_Header{Name: dom, Rrtype: TypeA, Class: ClassINET, Ttl: 0}
+	rr.A = net.IPv4(127, 0, 0, 1)
+
+	x1 := new(TXT)
+	x1.Hdr = RR_Header{Name: dom, Rrtype: TypeTXT, Class: ClassINET, Ttl: 0}
+	x1.Txt = []string{}
+
+	x2 := new(TXT)
+	x2.Hdr = RR_Header{Name: dom, Rrtype: TypeTXT, Class: ClassINET, Ttl: 0}
+	x2.Txt = []string{"heelalaollo"}
+
+	m.Extra[0] = x1
+	m.Extra[1] = x2
+	m.Answer[0] = rr
+	b, err := m.Pack()
+	if err != nil {
+		t.Error("packing failed: ", err)
+		return
+	}
+
+	var unpackMsg Msg
+	err = unpackMsg.Unpack(b)
+	if err != nil {
+		t.Error("unpacking failed")
+		return
+	}
+}
+
+func TestBailiwick(t *testing.T) {
+	yes := map[string]string{
+		"miek1.nl": "miek1.nl",
+		"miek.nl":  "ns.miek.nl",
+		".":        "miek.nl",
+	}
+	for parent, child := range yes {
+		if !IsSubDomain(parent, child) {
+			t.Errorf("%s should be child of %s", child, parent)
+			t.Errorf("comparelabels %d", CompareDomainName(parent, child))
+			t.Errorf("lenlabels %d %d", CountLabel(parent), CountLabel(child))
+		}
+	}
+	no := map[string]string{
+		"www.miek.nl":  "ns.miek.nl",
+		"m\\.iek.nl":   "ns.miek.nl",
+		"w\\.iek.nl":   "w.iek.nl",
+		"p\\\\.iek.nl": "ns.p.iek.nl", // p\\.iek.nl , literal \ in domain name
+		"miek.nl":      ".",
+	}
+	for parent, child := range no {
+		if IsSubDomain(parent, child) {
+			t.Errorf("%s should not be child of %s", child, parent)
+			t.Errorf("comparelabels %d", CompareDomainName(parent, child))
+			t.Errorf("lenlabels %d %d", CountLabel(parent), CountLabel(child))
+		}
+	}
+}
+
+func TestPack(t *testing.T) {
+	rr := []string{"US.    86400	IN	NSEC	0-.us. NS SOA RRSIG NSEC DNSKEY TYPE65534"}
+	m := new(Msg)
+	var err error
+	m.Answer = make([]RR, 1)
+	for _, r := range rr {
+		m.Answer[0], err = NewRR(r)
+		if err != nil {
+			t.Errorf("failed to create RR: %v", err)
+			continue
+		}
+		if _, err := m.Pack(); err != nil {
+			t.Errorf("packing failed: %v", err)
+		}
+	}
+	x := new(Msg)
+	ns, _ := NewRR("pool.ntp.org.   390 IN  NS  a.ntpns.org")
+	ns.(*NS).Ns = "a.ntpns.org"
+	x.Ns = append(m.Ns, ns)
+	x.Ns = append(m.Ns, ns)
+	x.Ns = append(m.Ns, ns)
+	// This crashes due to the fact the a.ntpns.org isn't a FQDN
+	// How to recover() from a remove panic()?
+	if _, err := x.Pack(); err == nil {
+		t.Error("packing should fail")
+	}
+	x.Answer = make([]RR, 1)
+	x.Answer[0], err = NewRR(rr[0])
+	if _, err := x.Pack(); err == nil {
+		t.Error("packing should fail")
+	}
+	x.Question = make([]Question, 1)
+	x.Question[0] = Question{";sd#edddds鍛↙赏‘℅∥↙xzztsestxssweewwsssstx@s@Z嵌e@cn.pool.ntp.org.", TypeA, ClassINET}
+	if _, err := x.Pack(); err == nil {
+		t.Error("packing should fail")
+	}
+}
+
+func TestPackNAPTR(t *testing.T) {
+	for _, n := range []string{
+		`apple.com. IN NAPTR   100 50 "se" "SIP+D2U" "" _sip._udp.apple.com.`,
+		`apple.com. IN NAPTR   90 50 "se" "SIP+D2T" "" _sip._tcp.apple.com.`,
+		`apple.com. IN NAPTR   50 50 "se" "SIPS+D2T" "" _sips._tcp.apple.com.`,
+	} {
+		rr, _ := NewRR(n)
+		msg := make([]byte, rr.len())
+		if off, err := PackRR(rr, msg, 0, nil, false); err != nil {
+			t.Errorf("packing failed: %v", err)
+			t.Errorf("length %d, need more than %d", rr.len(), off)
+		} else {
+			t.Logf("buf size needed: %d", off)
+		}
+	}
+}
+
+func TestCompressLength(t *testing.T) {
+	m := new(Msg)
+	m.SetQuestion("miek.nl", TypeMX)
+	ul := m.Len()
+	m.Compress = true
+	if ul != m.Len() {
+		t.Fatalf("should be equal")
+	}
+}
+
+// Does the predicted length match final packed length?
+func TestMsgCompressLength(t *testing.T) {
+	makeMsg := func(question string, ans, ns, e []RR) *Msg {
+		msg := new(Msg)
+		msg.SetQuestion(Fqdn(question), TypeANY)
+		msg.Answer = append(msg.Answer, ans...)
+		msg.Ns = append(msg.Ns, ns...)
+		msg.Extra = append(msg.Extra, e...)
+		msg.Compress = true
+		return msg
+	}
+
+	name1 := "12345678901234567890123456789012345.12345678.123."
+	rrA, _ := NewRR(name1 + " 3600 IN A 192.0.2.1")
+	rrMx, _ := NewRR(name1 + " 3600 IN MX 10 " + name1)
+	tests := []*Msg{
+		makeMsg(name1, []RR{rrA}, nil, nil),
+		makeMsg(name1, []RR{rrMx, rrMx}, nil, nil)}
+
+	for _, msg := range tests {
+		predicted := msg.Len()
+		buf, err := msg.Pack()
+		if err != nil {
+			t.Error(err)
+		}
+		if predicted < len(buf) {
+			t.Errorf("predicted compressed length is wrong: predicted %s (len=%d) %d, actual %d",
+				msg.Question[0].Name, len(msg.Answer), predicted, len(buf))
+		}
+	}
+}
+
+func TestMsgLength(t *testing.T) {
+	makeMsg := func(question string, ans, ns, e []RR) *Msg {
+		msg := new(Msg)
+		msg.SetQuestion(Fqdn(question), TypeANY)
+		msg.Answer = append(msg.Answer, ans...)
+		msg.Ns = append(msg.Ns, ns...)
+		msg.Extra = append(msg.Extra, e...)
+		return msg
+	}
+
+	name1 := "12345678901234567890123456789012345.12345678.123."
+	rrA, _ := NewRR(name1 + " 3600 IN A 192.0.2.1")
+	rrMx, _ := NewRR(name1 + " 3600 IN MX 10 " + name1)
+	tests := []*Msg{
+		makeMsg(name1, []RR{rrA}, nil, nil),
+		makeMsg(name1, []RR{rrMx, rrMx}, nil, nil)}
+
+	for _, msg := range tests {
+		predicted := msg.Len()
+		buf, err := msg.Pack()
+		if err != nil {
+			t.Error(err)
+		}
+		if predicted < len(buf) {
+			t.Errorf("predicted length is wrong: predicted %s (len=%d), actual %d",
+				msg.Question[0].Name, predicted, len(buf))
+		}
+	}
+}
+
+func TestMsgLength2(t *testing.T) {
+	// Serialized replies
+	var testMessages = []string{
+		// google.com. IN A?
+		"064e81800001000b0004000506676f6f676c6503636f6d0000010001c00c00010001000000050004adc22986c00c00010001000000050004adc22987c00c00010001000000050004adc22988c00c00010001000000050004adc22989c00c00010001000000050004adc2298ec00c00010001000000050004adc22980c00c00010001000000050004adc22981c00c00010001000000050004adc22982c00c00010001000000050004adc22983c00c00010001000000050004adc22984c00c00010001000000050004adc22985c00c00020001000000050006036e7331c00cc00c00020001000000050006036e7332c00cc00c00020001000000050006036e7333c00cc00c00020001000000050006036e7334c00cc0d800010001000000050004d8ef200ac0ea00010001000000050004d8ef220ac0fc00010001000000050004d8ef240ac10e00010001000000050004d8ef260a0000290500000000050000",
+		// amazon.com. IN A? (reply has no EDNS0 record)
+		// TODO(miek): this one is off-by-one, need to find out why
+		//"6de1818000010004000a000806616d617a6f6e03636f6d0000010001c00c000100010000000500044815c2d4c00c000100010000000500044815d7e8c00c00010001000000050004b02062a6c00c00010001000000050004cdfbf236c00c000200010000000500140570646e733408756c747261646e73036f726700c00c000200010000000500150570646e733508756c747261646e7304696e666f00c00c000200010000000500160570646e733608756c747261646e7302636f02756b00c00c00020001000000050014036e7331037033310664796e656374036e657400c00c00020001000000050006036e7332c0cfc00c00020001000000050006036e7333c0cfc00c00020001000000050006036e7334c0cfc00c000200010000000500110570646e733108756c747261646e73c0dac00c000200010000000500080570646e7332c127c00c000200010000000500080570646e7333c06ec0cb00010001000000050004d04e461fc0eb00010001000000050004cc0dfa1fc0fd00010001000000050004d04e471fc10f00010001000000050004cc0dfb1fc12100010001000000050004cc4a6c01c121001c000100000005001020010502f3ff00000000000000000001c13e00010001000000050004cc4a6d01c13e001c0001000000050010261000a1101400000000000000000001",
+		// yahoo.com. IN A?
+		"fc2d81800001000300070008057961686f6f03636f6d0000010001c00c00010001000000050004628afd6dc00c00010001000000050004628bb718c00c00010001000000050004cebe242dc00c00020001000000050006036e7336c00cc00c00020001000000050006036e7338c00cc00c00020001000000050006036e7331c00cc00c00020001000000050006036e7332c00cc00c00020001000000050006036e7333c00cc00c00020001000000050006036e7334c00cc00c00020001000000050006036e7335c00cc07b0001000100000005000444b48310c08d00010001000000050004448eff10c09f00010001000000050004cb54dd35c0b100010001000000050004628a0b9dc0c30001000100000005000477a0f77cc05700010001000000050004ca2bdfaac06900010001000000050004caa568160000290500000000050000",
+		// microsoft.com. IN A?
+		"f4368180000100020005000b096d6963726f736f667403636f6d0000010001c00c0001000100000005000440040b25c00c0001000100000005000441373ac9c00c0002000100000005000e036e7331046d736674036e657400c00c00020001000000050006036e7332c04fc00c00020001000000050006036e7333c04fc00c00020001000000050006036e7334c04fc00c00020001000000050006036e7335c04fc04b000100010000000500044137253ec04b001c00010000000500102a010111200500000000000000010001c0650001000100000005000440043badc065001c00010000000500102a010111200600060000000000010001c07700010001000000050004d5c7b435c077001c00010000000500102a010111202000000000000000010001c08900010001000000050004cf2e4bfec089001c00010000000500102404f800200300000000000000010001c09b000100010000000500044137e28cc09b001c00010000000500102a010111200f000100000000000100010000290500000000050000",
+		// google.com. IN MX?
+		"724b8180000100050004000b06676f6f676c6503636f6d00000f0001c00c000f000100000005000c000a056173706d78016cc00cc00c000f0001000000050009001404616c7431c02ac00c000f0001000000050009001e04616c7432c02ac00c000f0001000000050009002804616c7433c02ac00c000f0001000000050009003204616c7434c02ac00c00020001000000050006036e7332c00cc00c00020001000000050006036e7333c00cc00c00020001000000050006036e7334c00cc00c00020001000000050006036e7331c00cc02a00010001000000050004adc2421bc02a001c00010000000500102a00145040080c01000000000000001bc04200010001000000050004adc2461bc05700010001000000050004adc2451bc06c000100010000000500044a7d8f1bc081000100010000000500044a7d191bc0ca00010001000000050004d8ef200ac09400010001000000050004d8ef220ac0a600010001000000050004d8ef240ac0b800010001000000050004d8ef260a0000290500000000050000",
+		// reddit.com. IN A?
+		"12b98180000100080000000c0672656464697403636f6d0000020001c00c0002000100000005000f046175733204616b616d036e657400c00c000200010000000500070475736534c02dc00c000200010000000500070475737733c02dc00c000200010000000500070475737735c02dc00c00020001000000050008056173696131c02dc00c00020001000000050008056173696139c02dc00c00020001000000050008056e73312d31c02dc00c0002000100000005000a076e73312d313935c02dc02800010001000000050004c30a242ec04300010001000000050004451f1d39c05600010001000000050004451f3bc7c0690001000100000005000460073240c07c000100010000000500046007fb81c090000100010000000500047c283484c090001c00010000000500102a0226f0006700000000000000000064c0a400010001000000050004c16c5b01c0a4001c000100000005001026001401000200000000000000000001c0b800010001000000050004c16c5bc3c0b8001c0001000000050010260014010002000000000000000000c30000290500000000050000",
+	}
+
+	for i, hexData := range testMessages {
+		// we won't fail the decoding of the hex
+		input, _ := hex.DecodeString(hexData)
+
+		m := new(Msg)
+		m.Unpack(input)
+		m.Compress = true
+		lenComp := m.Len()
+		b, _ := m.Pack()
+		pacComp := len(b)
+		m.Compress = false
+		lenUnComp := m.Len()
+		b, _ = m.Pack()
+		pacUnComp := len(b)
+		if pacComp+1 != lenComp {
+			t.Errorf("msg.Len(compressed)=%d actual=%d for test %d", lenComp, pacComp, i)
+		}
+		if pacUnComp+1 != lenUnComp {
+			t.Errorf("msg.Len(uncompressed)=%d actual=%d for test %d", lenUnComp, pacUnComp, i)
+		}
+	}
+}
+
+func TestMsgLengthCompressionMalformed(t *testing.T) {
+	// SOA with empty hostmaster, which is illegal
+	soa := &SOA{Hdr: RR_Header{Name: ".", Rrtype: TypeSOA, Class: ClassINET, Ttl: 12345},
+		Ns:      ".",
+		Mbox:    "",
+		Serial:  0,
+		Refresh: 28800,
+		Retry:   7200,
+		Expire:  604800,
+		Minttl:  60}
+	m := new(Msg)
+	m.Compress = true
+	m.Ns = []RR{soa}
+	m.Len() // Should not crash.
+}
+
+func TestMsgCompressLength2(t *testing.T) {
+	msg := new(Msg)
+	msg.Compress = true
+	msg.SetQuestion(Fqdn("bliep."), TypeANY)
+	msg.Answer = append(msg.Answer, &SRV{Hdr: RR_Header{Name: "blaat.", Rrtype: 0x21, Class: 0x1, Ttl: 0x3c}, Port: 0x4c57, Target: "foo.bar."})
+	msg.Extra = append(msg.Extra, &A{Hdr: RR_Header{Name: "foo.bar.", Rrtype: 0x1, Class: 0x1, Ttl: 0x3c}, A: net.IP{0xac, 0x11, 0x0, 0x3}})
+	predicted := msg.Len()
+	buf, err := msg.Pack()
+	if err != nil {
+		t.Error(err)
+	}
+	if predicted != len(buf) {
+		t.Errorf("predicted compressed length is wrong: predicted %s (len=%d) %d, actual %d",
+			msg.Question[0].Name, len(msg.Answer), predicted, len(buf))
+	}
+}
+
+func TestToRFC3597(t *testing.T) {
+	a, _ := NewRR("miek.nl. IN A 10.0.1.1")
+	x := new(RFC3597)
+	x.ToRFC3597(a)
+	if x.String() != `miek.nl.	3600	CLASS1	TYPE1	\# 4 0a000101` {
+		t.Errorf("string mismatch, got: %s", x)
+	}
+
+	b, _ := NewRR("miek.nl. IN MX 10 mx.miek.nl.")
+	x.ToRFC3597(b)
+	if x.String() != `miek.nl.	3600	CLASS1	TYPE15	\# 14 000a026d78046d69656b026e6c00` {
+		t.Errorf("string mismatch, got: %s", x)
+	}
+}
+
+func TestNoRdataPack(t *testing.T) {
+	data := make([]byte, 1024)
+	for typ, fn := range TypeToRR {
+		r := fn()
+		*r.Header() = RR_Header{Name: "miek.nl.", Rrtype: typ, Class: ClassINET, Ttl: 16}
+		_, err := PackRR(r, data, 0, nil, false)
+		if err != nil {
+			t.Errorf("failed to pack RR with zero rdata: %s: %v", TypeToString[typ], err)
+		}
+	}
+}
+
+func TestNoRdataUnpack(t *testing.T) {
+	data := make([]byte, 1024)
+	for typ, fn := range TypeToRR {
+		if typ == TypeSOA || typ == TypeTSIG {
+			// SOA, TSIG will not be seen (like this) in dyn. updates?
+			continue
+		}
+		r := fn()
+		*r.Header() = RR_Header{Name: "miek.nl.", Rrtype: typ, Class: ClassINET, Ttl: 16}
+		off, err := PackRR(r, data, 0, nil, false)
+		if err != nil {
+			// Should always works, TestNoDataPack should have caught this
+			t.Errorf("failed to pack RR: %v", err)
+			continue
+		}
+		rr, _, err := UnpackRR(data[:off], 0)
+		if err != nil {
+			t.Errorf("failed to unpack RR with zero rdata: %s: %v", TypeToString[typ], err)
+		}
+		t.Log(rr)
+	}
+}
+
+func TestRdataOverflow(t *testing.T) {
+	rr := new(RFC3597)
+	rr.Hdr.Name = "."
+	rr.Hdr.Class = ClassINET
+	rr.Hdr.Rrtype = 65280
+	rr.Rdata = hex.EncodeToString(make([]byte, 0xFFFF))
+	buf := make([]byte, 0xFFFF*2)
+	if _, err := PackRR(rr, buf, 0, nil, false); err != nil {
+		t.Fatalf("maximum size rrdata pack failed: %v", err)
+	}
+	rr.Rdata += "00"
+	if _, err := PackRR(rr, buf, 0, nil, false); err != ErrRdata {
+		t.Fatalf("oversize rrdata pack didn't return ErrRdata - instead: %v", err)
+	}
+}
+
+func TestCopy(t *testing.T) {
+	rr, _ := NewRR("miek.nl. 2311 IN A 127.0.0.1") // Weird TTL to avoid catching TTL
+	rr1 := Copy(rr)
+	if rr.String() != rr1.String() {
+		t.Fatalf("Copy() failed %s != %s", rr.String(), rr1.String())
+	}
+}
+
+func TestMsgCopy(t *testing.T) {
+	m := new(Msg)
+	m.SetQuestion("miek.nl.", TypeA)
+	rr, _ := NewRR("miek.nl. 2311 IN A 127.0.0.1")
+	m.Answer = []RR{rr}
+	rr, _ = NewRR("miek.nl. 2311 IN NS 127.0.0.1")
+	m.Ns = []RR{rr}
+
+	m1 := m.Copy()
+	if m.String() != m1.String() {
+		t.Fatalf("Msg.Copy() failed %s != %s", m.String(), m1.String())
+	}
+
+	m1.Answer[0], _ = NewRR("somethingelse.nl. 2311 IN A 127.0.0.1")
+	if m.String() == m1.String() {
+		t.Fatalf("Msg.Copy() failed; change to copy changed template %s", m.String())
+	}
+
+	rr, _ = NewRR("miek.nl. 2311 IN A 127.0.0.2")
+	m1.Answer = append(m1.Answer, rr)
+	if m1.Ns[0].String() == m1.Answer[1].String() {
+		t.Fatalf("Msg.Copy() failed; append changed underlying array %s", m1.Ns[0].String())
+	}
+}
+
+func TestMsgPackBuffer(t *testing.T) {
+	var testMessages = []string{
+		// news.ycombinator.com.in.escapemg.com.	IN	A, response
+		"586285830001000000010000046e6577730b79636f6d62696e61746f7203636f6d02696e086573636170656d6703636f6d0000010001c0210006000100000e10002c036e7332c02103646e730b67726f6f7665736861726bc02d77ed50e600002a3000000e1000093a8000000e10",
+
+		// news.ycombinator.com.in.escapemg.com.	IN	A, question
+		"586201000001000000000000046e6577730b79636f6d62696e61746f7203636f6d02696e086573636170656d6703636f6d0000010001",
+
+		"398781020001000000000000046e6577730b79636f6d62696e61746f7203636f6d0000010001",
+	}
+
+	for i, hexData := range testMessages {
+		// we won't fail the decoding of the hex
+		input, _ := hex.DecodeString(hexData)
+		m := new(Msg)
+		if err := m.Unpack(input); err != nil {
+			t.Errorf("packet %d failed to unpack", i)
+			continue
+		}
+		t.Logf("packet %d %s", i, m.String())
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/dnssec.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/dnssec.go
new file mode 100644
index 000000000..3bd55388d
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/dnssec.go
@@ -0,0 +1,720 @@
+package dns
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/dsa"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	_ "crypto/md5"
+	"crypto/rand"
+	"crypto/rsa"
+	_ "crypto/sha1"
+	_ "crypto/sha256"
+	_ "crypto/sha512"
+	"encoding/asn1"
+	"encoding/binary"
+	"encoding/hex"
+	"math/big"
+	"sort"
+	"strings"
+	"time"
+)
+
+// DNSSEC encryption algorithm codes.
+const (
+	_ uint8 = iota
+	RSAMD5
+	DH
+	DSA
+	_ // Skip 4, RFC 6725, section 2.1
+	RSASHA1
+	DSANSEC3SHA1
+	RSASHA1NSEC3SHA1
+	RSASHA256
+	_ // Skip 9, RFC 6725, section 2.1
+	RSASHA512
+	_ // Skip 11, RFC 6725, section 2.1
+	ECCGOST
+	ECDSAP256SHA256
+	ECDSAP384SHA384
+	INDIRECT   uint8 = 252
+	PRIVATEDNS uint8 = 253 // Private (experimental keys)
+	PRIVATEOID uint8 = 254
+)
+
+// AlgorithmToString is a map of algorithm IDs to algorithm names.
+var AlgorithmToString = map[uint8]string{
+	RSAMD5:           "RSAMD5",
+	DH:               "DH",
+	DSA:              "DSA",
+	RSASHA1:          "RSASHA1",
+	DSANSEC3SHA1:     "DSA-NSEC3-SHA1",
+	RSASHA1NSEC3SHA1: "RSASHA1-NSEC3-SHA1",
+	RSASHA256:        "RSASHA256",
+	RSASHA512:        "RSASHA512",
+	ECCGOST:          "ECC-GOST",
+	ECDSAP256SHA256:  "ECDSAP256SHA256",
+	ECDSAP384SHA384:  "ECDSAP384SHA384",
+	INDIRECT:         "INDIRECT",
+	PRIVATEDNS:       "PRIVATEDNS",
+	PRIVATEOID:       "PRIVATEOID",
+}
+
+// StringToAlgorithm is the reverse of AlgorithmToString.
+var StringToAlgorithm = reverseInt8(AlgorithmToString)
+
+// AlgorithmToHash is a map of algorithm crypto hash IDs to crypto.Hash's.
+var AlgorithmToHash = map[uint8]crypto.Hash{
+	RSAMD5:           crypto.MD5, // Deprecated in RFC 6725
+	RSASHA1:          crypto.SHA1,
+	RSASHA1NSEC3SHA1: crypto.SHA1,
+	RSASHA256:        crypto.SHA256,
+	ECDSAP256SHA256:  crypto.SHA256,
+	ECDSAP384SHA384:  crypto.SHA384,
+	RSASHA512:        crypto.SHA512,
+}
+
+// DNSSEC hashing algorithm codes.
+const (
+	_      uint8 = iota
+	SHA1         // RFC 4034
+	SHA256       // RFC 4509
+	GOST94       // RFC 5933
+	SHA384       // Experimental
+	SHA512       // Experimental
+)
+
+// HashToString is a map of hash IDs to names.
+var HashToString = map[uint8]string{
+	SHA1:   "SHA1",
+	SHA256: "SHA256",
+	GOST94: "GOST94",
+	SHA384: "SHA384",
+	SHA512: "SHA512",
+}
+
+// StringToHash is a map of names to hash IDs.
+var StringToHash = reverseInt8(HashToString)
+
+// DNSKEY flag values.
+const (
+	SEP    = 1
+	REVOKE = 1 << 7
+	ZONE   = 1 << 8
+)
+
+// The RRSIG needs to be converted to wireformat with some of the rdata (the signature) missing.
+type rrsigWireFmt struct {
+	TypeCovered uint16
+	Algorithm   uint8
+	Labels      uint8
+	OrigTtl     uint32
+	Expiration  uint32
+	Inception   uint32
+	KeyTag      uint16
+	SignerName  string `dns:"domain-name"`
+	/* No Signature */
+}
+
+// Used for converting DNSKEY's rdata to wirefmt.
+type dnskeyWireFmt struct {
+	Flags     uint16
+	Protocol  uint8
+	Algorithm uint8
+	PublicKey string `dns:"base64"`
+	/* Nothing is left out */
+}
+
+func divRoundUp(a, b int) int {
+	return (a + b - 1) / b
+}
+
+// KeyTag calculates the keytag (or key-id) of the DNSKEY.
+func (k *DNSKEY) KeyTag() uint16 {
+	if k == nil {
+		return 0
+	}
+	var keytag int
+	switch k.Algorithm {
+	case RSAMD5:
+		// Look at the bottom two bytes of the modules, which the last
+		// item in the pubkey. We could do this faster by looking directly
+		// at the base64 values. But I'm lazy.
+		modulus, _ := fromBase64([]byte(k.PublicKey))
+		if len(modulus) > 1 {
+			x := binary.BigEndian.Uint16(modulus[len(modulus)-2:])
+			keytag = int(x)
+		}
+	default:
+		keywire := new(dnskeyWireFmt)
+		keywire.Flags = k.Flags
+		keywire.Protocol = k.Protocol
+		keywire.Algorithm = k.Algorithm
+		keywire.PublicKey = k.PublicKey
+		wire := make([]byte, DefaultMsgSize)
+		n, err := packKeyWire(keywire, wire)
+		if err != nil {
+			return 0
+		}
+		wire = wire[:n]
+		for i, v := range wire {
+			if i&1 != 0 {
+				keytag += int(v) // must be larger than uint32
+			} else {
+				keytag += int(v) << 8
+			}
+		}
+		keytag += (keytag >> 16) & 0xFFFF
+		keytag &= 0xFFFF
+	}
+	return uint16(keytag)
+}
+
+// ToDS converts a DNSKEY record to a DS record.
+func (k *DNSKEY) ToDS(h uint8) *DS {
+	if k == nil {
+		return nil
+	}
+	ds := new(DS)
+	ds.Hdr.Name = k.Hdr.Name
+	ds.Hdr.Class = k.Hdr.Class
+	ds.Hdr.Rrtype = TypeDS
+	ds.Hdr.Ttl = k.Hdr.Ttl
+	ds.Algorithm = k.Algorithm
+	ds.DigestType = h
+	ds.KeyTag = k.KeyTag()
+
+	keywire := new(dnskeyWireFmt)
+	keywire.Flags = k.Flags
+	keywire.Protocol = k.Protocol
+	keywire.Algorithm = k.Algorithm
+	keywire.PublicKey = k.PublicKey
+	wire := make([]byte, DefaultMsgSize)
+	n, err := packKeyWire(keywire, wire)
+	if err != nil {
+		return nil
+	}
+	wire = wire[:n]
+
+	owner := make([]byte, 255)
+	off, err1 := PackDomainName(strings.ToLower(k.Hdr.Name), owner, 0, nil, false)
+	if err1 != nil {
+		return nil
+	}
+	owner = owner[:off]
+	// RFC4034:
+	// digest = digest_algorithm( DNSKEY owner name | DNSKEY RDATA);
+	// "|" denotes concatenation
+	// DNSKEY RDATA = Flags | Protocol | Algorithm | Public Key.
+
+	var hash crypto.Hash
+	switch h {
+	case SHA1:
+		hash = crypto.SHA1
+	case SHA256:
+		hash = crypto.SHA256
+	case SHA384:
+		hash = crypto.SHA384
+	case SHA512:
+		hash = crypto.SHA512
+	default:
+		return nil
+	}
+
+	s := hash.New()
+	s.Write(owner)
+	s.Write(wire)
+	ds.Digest = hex.EncodeToString(s.Sum(nil))
+	return ds
+}
+
+// ToCDNSKEY converts a DNSKEY record to a CDNSKEY record.
+func (k *DNSKEY) ToCDNSKEY() *CDNSKEY {
+	c := &CDNSKEY{DNSKEY: *k}
+	c.Hdr = *k.Hdr.copyHeader()
+	c.Hdr.Rrtype = TypeCDNSKEY
+	return c
+}
+
+// ToCDS converts a DS record to a CDS record.
+func (d *DS) ToCDS() *CDS {
+	c := &CDS{DS: *d}
+	c.Hdr = *d.Hdr.copyHeader()
+	c.Hdr.Rrtype = TypeCDS
+	return c
+}
+
+// Sign signs an RRSet. The signature needs to be filled in with the values:
+// Inception, Expiration, KeyTag, SignerName and Algorithm.  The rest is copied
+// from the RRset. Sign returns a non-nill error when the signing went OK.
+// There is no check if RRSet is a proper (RFC 2181) RRSet.  If OrigTTL is non
+// zero, it is used as-is, otherwise the TTL of the RRset is used as the
+// OrigTTL.
+func (rr *RRSIG) Sign(k crypto.Signer, rrset []RR) error {
+	if k == nil {
+		return ErrPrivKey
+	}
+	// s.Inception and s.Expiration may be 0 (rollover etc.), the rest must be set
+	if rr.KeyTag == 0 || len(rr.SignerName) == 0 || rr.Algorithm == 0 {
+		return ErrKey
+	}
+
+	rr.Hdr.Rrtype = TypeRRSIG
+	rr.Hdr.Name = rrset[0].Header().Name
+	rr.Hdr.Class = rrset[0].Header().Class
+	if rr.OrigTtl == 0 { // If set don't override
+		rr.OrigTtl = rrset[0].Header().Ttl
+	}
+	rr.TypeCovered = rrset[0].Header().Rrtype
+	rr.Labels = uint8(CountLabel(rrset[0].Header().Name))
+
+	if strings.HasPrefix(rrset[0].Header().Name, "*") {
+		rr.Labels-- // wildcard, remove from label count
+	}
+
+	sigwire := new(rrsigWireFmt)
+	sigwire.TypeCovered = rr.TypeCovered
+	sigwire.Algorithm = rr.Algorithm
+	sigwire.Labels = rr.Labels
+	sigwire.OrigTtl = rr.OrigTtl
+	sigwire.Expiration = rr.Expiration
+	sigwire.Inception = rr.Inception
+	sigwire.KeyTag = rr.KeyTag
+	// For signing, lowercase this name
+	sigwire.SignerName = strings.ToLower(rr.SignerName)
+
+	// Create the desired binary blob
+	signdata := make([]byte, DefaultMsgSize)
+	n, err := packSigWire(sigwire, signdata)
+	if err != nil {
+		return err
+	}
+	signdata = signdata[:n]
+	wire, err := rawSignatureData(rrset, rr)
+	if err != nil {
+		return err
+	}
+
+	hash, ok := AlgorithmToHash[rr.Algorithm]
+	if !ok {
+		return ErrAlg
+	}
+
+	h := hash.New()
+	h.Write(signdata)
+	h.Write(wire)
+
+	signature, err := sign(k, h.Sum(nil), hash, rr.Algorithm)
+	if err != nil {
+		return err
+	}
+
+	rr.Signature = toBase64(signature)
+
+	return nil
+}
+
+func sign(k crypto.Signer, hashed []byte, hash crypto.Hash, alg uint8) ([]byte, error) {
+	signature, err := k.Sign(rand.Reader, hashed, hash)
+	if err != nil {
+		return nil, err
+	}
+
+	switch alg {
+	case RSASHA1, RSASHA1NSEC3SHA1, RSASHA256, RSASHA512:
+		return signature, nil
+
+	case ECDSAP256SHA256, ECDSAP384SHA384:
+		ecdsaSignature := &struct {
+			R, S *big.Int
+		}{}
+		if _, err := asn1.Unmarshal(signature, ecdsaSignature); err != nil {
+			return nil, err
+		}
+
+		var intlen int
+		switch alg {
+		case ECDSAP256SHA256:
+			intlen = 32
+		case ECDSAP384SHA384:
+			intlen = 48
+		}
+
+		signature := intToBytes(ecdsaSignature.R, intlen)
+		signature = append(signature, intToBytes(ecdsaSignature.S, intlen)...)
+		return signature, nil
+
+	// There is no defined interface for what a DSA backed crypto.Signer returns
+	case DSA, DSANSEC3SHA1:
+		// 	t := divRoundUp(divRoundUp(p.PublicKey.Y.BitLen(), 8)-64, 8)
+		// 	signature := []byte{byte(t)}
+		// 	signature = append(signature, intToBytes(r1, 20)...)
+		// 	signature = append(signature, intToBytes(s1, 20)...)
+		// 	rr.Signature = signature
+	}
+
+	return nil, ErrAlg
+}
+
+// Verify validates an RRSet with the signature and key. This is only the
+// cryptographic test, the signature validity period must be checked separately.
+// This function copies the rdata of some RRs (to lowercase domain names) for the validation to work.
+func (rr *RRSIG) Verify(k *DNSKEY, rrset []RR) error {
+	// First the easy checks
+	if !IsRRset(rrset) {
+		return ErrRRset
+	}
+	if rr.KeyTag != k.KeyTag() {
+		return ErrKey
+	}
+	if rr.Hdr.Class != k.Hdr.Class {
+		return ErrKey
+	}
+	if rr.Algorithm != k.Algorithm {
+		return ErrKey
+	}
+	if strings.ToLower(rr.SignerName) != strings.ToLower(k.Hdr.Name) {
+		return ErrKey
+	}
+	if k.Protocol != 3 {
+		return ErrKey
+	}
+
+	// IsRRset checked that we have at least one RR and that the RRs in
+	// the set have consistent type, class, and name. Also check that type and
+	// class matches the RRSIG record.
+	if rrset[0].Header().Class != rr.Hdr.Class {
+		return ErrRRset
+	}
+	if rrset[0].Header().Rrtype != rr.TypeCovered {
+		return ErrRRset
+	}
+
+	// RFC 4035 5.3.2.  Reconstructing the Signed Data
+	// Copy the sig, except the rrsig data
+	sigwire := new(rrsigWireFmt)
+	sigwire.TypeCovered = rr.TypeCovered
+	sigwire.Algorithm = rr.Algorithm
+	sigwire.Labels = rr.Labels
+	sigwire.OrigTtl = rr.OrigTtl
+	sigwire.Expiration = rr.Expiration
+	sigwire.Inception = rr.Inception
+	sigwire.KeyTag = rr.KeyTag
+	sigwire.SignerName = strings.ToLower(rr.SignerName)
+	// Create the desired binary blob
+	signeddata := make([]byte, DefaultMsgSize)
+	n, err := packSigWire(sigwire, signeddata)
+	if err != nil {
+		return err
+	}
+	signeddata = signeddata[:n]
+	wire, err := rawSignatureData(rrset, rr)
+	if err != nil {
+		return err
+	}
+
+	sigbuf := rr.sigBuf()           // Get the binary signature data
+	if rr.Algorithm == PRIVATEDNS { // PRIVATEOID
+		// TODO(miek)
+		// remove the domain name and assume its ours?
+	}
+
+	hash, ok := AlgorithmToHash[rr.Algorithm]
+	if !ok {
+		return ErrAlg
+	}
+
+	switch rr.Algorithm {
+	case RSASHA1, RSASHA1NSEC3SHA1, RSASHA256, RSASHA512, RSAMD5:
+		// TODO(mg): this can be done quicker, ie. cache the pubkey data somewhere??
+		pubkey := k.publicKeyRSA() // Get the key
+		if pubkey == nil {
+			return ErrKey
+		}
+
+		h := hash.New()
+		h.Write(signeddata)
+		h.Write(wire)
+		return rsa.VerifyPKCS1v15(pubkey, hash, h.Sum(nil), sigbuf)
+
+	case ECDSAP256SHA256, ECDSAP384SHA384:
+		pubkey := k.publicKeyECDSA()
+		if pubkey == nil {
+			return ErrKey
+		}
+
+		// Split sigbuf into the r and s coordinates
+		r := new(big.Int).SetBytes(sigbuf[:len(sigbuf)/2])
+		s := new(big.Int).SetBytes(sigbuf[len(sigbuf)/2:])
+
+		h := hash.New()
+		h.Write(signeddata)
+		h.Write(wire)
+		if ecdsa.Verify(pubkey, h.Sum(nil), r, s) {
+			return nil
+		}
+		return ErrSig
+
+	default:
+		return ErrAlg
+	}
+}
+
+// ValidityPeriod uses RFC1982 serial arithmetic to calculate
+// if a signature period is valid. If t is the zero time, the
+// current time is taken other t is. Returns true if the signature
+// is valid at the given time, otherwise returns false.
+func (rr *RRSIG) ValidityPeriod(t time.Time) bool {
+	var utc int64
+	if t.IsZero() {
+		utc = time.Now().UTC().Unix()
+	} else {
+		utc = t.UTC().Unix()
+	}
+	modi := (int64(rr.Inception) - utc) / year68
+	mode := (int64(rr.Expiration) - utc) / year68
+	ti := int64(rr.Inception) + (modi * year68)
+	te := int64(rr.Expiration) + (mode * year68)
+	return ti <= utc && utc <= te
+}
+
+// Return the signatures base64 encodedig sigdata as a byte slice.
+func (rr *RRSIG) sigBuf() []byte {
+	sigbuf, err := fromBase64([]byte(rr.Signature))
+	if err != nil {
+		return nil
+	}
+	return sigbuf
+}
+
+// publicKeyRSA returns the RSA public key from a DNSKEY record.
+func (k *DNSKEY) publicKeyRSA() *rsa.PublicKey {
+	keybuf, err := fromBase64([]byte(k.PublicKey))
+	if err != nil {
+		return nil
+	}
+
+	// RFC 2537/3110, section 2. RSA Public KEY Resource Records
+	// Length is in the 0th byte, unless its zero, then it
+	// it in bytes 1 and 2 and its a 16 bit number
+	explen := uint16(keybuf[0])
+	keyoff := 1
+	if explen == 0 {
+		explen = uint16(keybuf[1])<<8 | uint16(keybuf[2])
+		keyoff = 3
+	}
+	pubkey := new(rsa.PublicKey)
+
+	pubkey.N = big.NewInt(0)
+	shift := uint64((explen - 1) * 8)
+	expo := uint64(0)
+	for i := int(explen - 1); i > 0; i-- {
+		expo += uint64(keybuf[keyoff+i]) << shift
+		shift -= 8
+	}
+	// Remainder
+	expo += uint64(keybuf[keyoff])
+	if expo > (2<<31)+1 {
+		// Larger expo than supported.
+		// println("dns: F5 primes (or larger) are not supported")
+		return nil
+	}
+	pubkey.E = int(expo)
+
+	pubkey.N.SetBytes(keybuf[keyoff+int(explen):])
+	return pubkey
+}
+
+// publicKeyECDSA returns the Curve public key from the DNSKEY record.
+func (k *DNSKEY) publicKeyECDSA() *ecdsa.PublicKey {
+	keybuf, err := fromBase64([]byte(k.PublicKey))
+	if err != nil {
+		return nil
+	}
+	pubkey := new(ecdsa.PublicKey)
+	switch k.Algorithm {
+	case ECDSAP256SHA256:
+		pubkey.Curve = elliptic.P256()
+		if len(keybuf) != 64 {
+			// wrongly encoded key
+			return nil
+		}
+	case ECDSAP384SHA384:
+		pubkey.Curve = elliptic.P384()
+		if len(keybuf) != 96 {
+			// Wrongly encoded key
+			return nil
+		}
+	}
+	pubkey.X = big.NewInt(0)
+	pubkey.X.SetBytes(keybuf[:len(keybuf)/2])
+	pubkey.Y = big.NewInt(0)
+	pubkey.Y.SetBytes(keybuf[len(keybuf)/2:])
+	return pubkey
+}
+
+func (k *DNSKEY) publicKeyDSA() *dsa.PublicKey {
+	keybuf, err := fromBase64([]byte(k.PublicKey))
+	if err != nil {
+		return nil
+	}
+	if len(keybuf) < 22 {
+		return nil
+	}
+	t, keybuf := int(keybuf[0]), keybuf[1:]
+	size := 64 + t*8
+	q, keybuf := keybuf[:20], keybuf[20:]
+	if len(keybuf) != 3*size {
+		return nil
+	}
+	p, keybuf := keybuf[:size], keybuf[size:]
+	g, y := keybuf[:size], keybuf[size:]
+	pubkey := new(dsa.PublicKey)
+	pubkey.Parameters.Q = big.NewInt(0).SetBytes(q)
+	pubkey.Parameters.P = big.NewInt(0).SetBytes(p)
+	pubkey.Parameters.G = big.NewInt(0).SetBytes(g)
+	pubkey.Y = big.NewInt(0).SetBytes(y)
+	return pubkey
+}
+
+type wireSlice [][]byte
+
+func (p wireSlice) Len() int      { return len(p) }
+func (p wireSlice) Swap(i, j int) { p[i], p[j] = p[j], p[i] }
+func (p wireSlice) Less(i, j int) bool {
+	_, ioff, _ := UnpackDomainName(p[i], 0)
+	_, joff, _ := UnpackDomainName(p[j], 0)
+	return bytes.Compare(p[i][ioff+10:], p[j][joff+10:]) < 0
+}
+
+// Return the raw signature data.
+func rawSignatureData(rrset []RR, s *RRSIG) (buf []byte, err error) {
+	wires := make(wireSlice, len(rrset))
+	for i, r := range rrset {
+		r1 := r.copy()
+		r1.Header().Ttl = s.OrigTtl
+		labels := SplitDomainName(r1.Header().Name)
+		// 6.2. Canonical RR Form. (4) - wildcards
+		if len(labels) > int(s.Labels) {
+			// Wildcard
+			r1.Header().Name = "*." + strings.Join(labels[len(labels)-int(s.Labels):], ".") + "."
+		}
+		// RFC 4034: 6.2.  Canonical RR Form. (2) - domain name to lowercase
+		r1.Header().Name = strings.ToLower(r1.Header().Name)
+		// 6.2. Canonical RR Form. (3) - domain rdata to lowercase.
+		//   NS, MD, MF, CNAME, SOA, MB, MG, MR, PTR,
+		//   HINFO, MINFO, MX, RP, AFSDB, RT, SIG, PX, NXT, NAPTR, KX,
+		//   SRV, DNAME, A6
+		//
+		// RFC 6840 - Clarifications and Implementation Notes for DNS Security (DNSSEC):
+		//	Section 6.2 of [RFC4034] also erroneously lists HINFO as a record
+		//	that needs conversion to lowercase, and twice at that.  Since HINFO
+		//	records contain no domain names, they are not subject to case
+		//	conversion.
+		switch x := r1.(type) {
+		case *NS:
+			x.Ns = strings.ToLower(x.Ns)
+		case *CNAME:
+			x.Target = strings.ToLower(x.Target)
+		case *SOA:
+			x.Ns = strings.ToLower(x.Ns)
+			x.Mbox = strings.ToLower(x.Mbox)
+		case *MB:
+			x.Mb = strings.ToLower(x.Mb)
+		case *MG:
+			x.Mg = strings.ToLower(x.Mg)
+		case *MR:
+			x.Mr = strings.ToLower(x.Mr)
+		case *PTR:
+			x.Ptr = strings.ToLower(x.Ptr)
+		case *MINFO:
+			x.Rmail = strings.ToLower(x.Rmail)
+			x.Email = strings.ToLower(x.Email)
+		case *MX:
+			x.Mx = strings.ToLower(x.Mx)
+		case *NAPTR:
+			x.Replacement = strings.ToLower(x.Replacement)
+		case *KX:
+			x.Exchanger = strings.ToLower(x.Exchanger)
+		case *SRV:
+			x.Target = strings.ToLower(x.Target)
+		case *DNAME:
+			x.Target = strings.ToLower(x.Target)
+		}
+		// 6.2. Canonical RR Form. (5) - origTTL
+		wire := make([]byte, r1.len()+1) // +1 to be safe(r)
+		off, err1 := PackRR(r1, wire, 0, nil, false)
+		if err1 != nil {
+			return nil, err1
+		}
+		wire = wire[:off]
+		wires[i] = wire
+	}
+	sort.Sort(wires)
+	for i, wire := range wires {
+		if i > 0 && bytes.Equal(wire, wires[i-1]) {
+			continue
+		}
+		buf = append(buf, wire...)
+	}
+	return buf, nil
+}
+
+func packSigWire(sw *rrsigWireFmt, msg []byte) (int, error) {
+	// copied from zmsg.go RRSIG packing
+	off, err := packUint16(sw.TypeCovered, msg, 0)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(sw.Algorithm, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(sw.Labels, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint32(sw.OrigTtl, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint32(sw.Expiration, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint32(sw.Inception, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(sw.KeyTag, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = PackDomainName(sw.SignerName, msg, off, nil, false)
+	if err != nil {
+		return off, err
+	}
+	return off, nil
+}
+
+func packKeyWire(dw *dnskeyWireFmt, msg []byte) (int, error) {
+	// copied from zmsg.go DNSKEY packing
+	off, err := packUint16(dw.Flags, msg, 0)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(dw.Protocol, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(dw.Algorithm, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packStringBase64(dw.PublicKey, msg, off)
+	if err != nil {
+		return off, err
+	}
+	return off, nil
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/dnssec_keygen.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/dnssec_keygen.go
new file mode 100644
index 000000000..5e4b7741a
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/dnssec_keygen.go
@@ -0,0 +1,156 @@
+package dns
+
+import (
+	"crypto"
+	"crypto/dsa"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/rsa"
+	"math/big"
+)
+
+// Generate generates a DNSKEY of the given bit size.
+// The public part is put inside the DNSKEY record.
+// The Algorithm in the key must be set as this will define
+// what kind of DNSKEY will be generated.
+// The ECDSA algorithms imply a fixed keysize, in that case
+// bits should be set to the size of the algorithm.
+func (k *DNSKEY) Generate(bits int) (crypto.PrivateKey, error) {
+	switch k.Algorithm {
+	case DSA, DSANSEC3SHA1:
+		if bits != 1024 {
+			return nil, ErrKeySize
+		}
+	case RSAMD5, RSASHA1, RSASHA256, RSASHA1NSEC3SHA1:
+		if bits < 512 || bits > 4096 {
+			return nil, ErrKeySize
+		}
+	case RSASHA512:
+		if bits < 1024 || bits > 4096 {
+			return nil, ErrKeySize
+		}
+	case ECDSAP256SHA256:
+		if bits != 256 {
+			return nil, ErrKeySize
+		}
+	case ECDSAP384SHA384:
+		if bits != 384 {
+			return nil, ErrKeySize
+		}
+	}
+
+	switch k.Algorithm {
+	case DSA, DSANSEC3SHA1:
+		params := new(dsa.Parameters)
+		if err := dsa.GenerateParameters(params, rand.Reader, dsa.L1024N160); err != nil {
+			return nil, err
+		}
+		priv := new(dsa.PrivateKey)
+		priv.PublicKey.Parameters = *params
+		err := dsa.GenerateKey(priv, rand.Reader)
+		if err != nil {
+			return nil, err
+		}
+		k.setPublicKeyDSA(params.Q, params.P, params.G, priv.PublicKey.Y)
+		return priv, nil
+	case RSAMD5, RSASHA1, RSASHA256, RSASHA512, RSASHA1NSEC3SHA1:
+		priv, err := rsa.GenerateKey(rand.Reader, bits)
+		if err != nil {
+			return nil, err
+		}
+		k.setPublicKeyRSA(priv.PublicKey.E, priv.PublicKey.N)
+		return priv, nil
+	case ECDSAP256SHA256, ECDSAP384SHA384:
+		var c elliptic.Curve
+		switch k.Algorithm {
+		case ECDSAP256SHA256:
+			c = elliptic.P256()
+		case ECDSAP384SHA384:
+			c = elliptic.P384()
+		}
+		priv, err := ecdsa.GenerateKey(c, rand.Reader)
+		if err != nil {
+			return nil, err
+		}
+		k.setPublicKeyECDSA(priv.PublicKey.X, priv.PublicKey.Y)
+		return priv, nil
+	default:
+		return nil, ErrAlg
+	}
+}
+
+// Set the public key (the value E and N)
+func (k *DNSKEY) setPublicKeyRSA(_E int, _N *big.Int) bool {
+	if _E == 0 || _N == nil {
+		return false
+	}
+	buf := exponentToBuf(_E)
+	buf = append(buf, _N.Bytes()...)
+	k.PublicKey = toBase64(buf)
+	return true
+}
+
+// Set the public key for Elliptic Curves
+func (k *DNSKEY) setPublicKeyECDSA(_X, _Y *big.Int) bool {
+	if _X == nil || _Y == nil {
+		return false
+	}
+	var intlen int
+	switch k.Algorithm {
+	case ECDSAP256SHA256:
+		intlen = 32
+	case ECDSAP384SHA384:
+		intlen = 48
+	}
+	k.PublicKey = toBase64(curveToBuf(_X, _Y, intlen))
+	return true
+}
+
+// Set the public key for DSA
+func (k *DNSKEY) setPublicKeyDSA(_Q, _P, _G, _Y *big.Int) bool {
+	if _Q == nil || _P == nil || _G == nil || _Y == nil {
+		return false
+	}
+	buf := dsaToBuf(_Q, _P, _G, _Y)
+	k.PublicKey = toBase64(buf)
+	return true
+}
+
+// Set the public key (the values E and N) for RSA
+// RFC 3110: Section 2. RSA Public KEY Resource Records
+func exponentToBuf(_E int) []byte {
+	var buf []byte
+	i := big.NewInt(int64(_E)).Bytes()
+	if len(i) < 256 {
+		buf = make([]byte, 1, 1+len(i))
+		buf[0] = uint8(len(i))
+	} else {
+		buf = make([]byte, 3, 3+len(i))
+		buf[0] = 0
+		buf[1] = uint8(len(i) >> 8)
+		buf[2] = uint8(len(i))
+	}
+	buf = append(buf, i...)
+	return buf
+}
+
+// Set the public key for X and Y for Curve. The two
+// values are just concatenated.
+func curveToBuf(_X, _Y *big.Int, intlen int) []byte {
+	buf := intToBytes(_X, intlen)
+	buf = append(buf, intToBytes(_Y, intlen)...)
+	return buf
+}
+
+// Set the public key for X and Y for Curve. The two
+// values are just concatenated.
+func dsaToBuf(_Q, _P, _G, _Y *big.Int) []byte {
+	t := divRoundUp(divRoundUp(_G.BitLen(), 8)-64, 8)
+	buf := []byte{byte(t)}
+	buf = append(buf, intToBytes(_Q, 20)...)
+	buf = append(buf, intToBytes(_P, 64+t*8)...)
+	buf = append(buf, intToBytes(_G, 64+t*8)...)
+	buf = append(buf, intToBytes(_Y, 64+t*8)...)
+	return buf
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/dnssec_keyscan.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/dnssec_keyscan.go
new file mode 100644
index 000000000..4f8d830b8
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/dnssec_keyscan.go
@@ -0,0 +1,249 @@
+package dns
+
+import (
+	"crypto"
+	"crypto/dsa"
+	"crypto/ecdsa"
+	"crypto/rsa"
+	"io"
+	"math/big"
+	"strconv"
+	"strings"
+)
+
+// NewPrivateKey returns a PrivateKey by parsing the string s.
+// s should be in the same form of the BIND private key files.
+func (k *DNSKEY) NewPrivateKey(s string) (crypto.PrivateKey, error) {
+	if s == "" || s[len(s)-1] != '\n' { // We need a closing newline
+		return k.ReadPrivateKey(strings.NewReader(s+"\n"), "")
+	}
+	return k.ReadPrivateKey(strings.NewReader(s), "")
+}
+
+// ReadPrivateKey reads a private key from the io.Reader q. The string file is
+// only used in error reporting.
+// The public key must be known, because some cryptographic algorithms embed
+// the public inside the privatekey.
+func (k *DNSKEY) ReadPrivateKey(q io.Reader, file string) (crypto.PrivateKey, error) {
+	m, err := parseKey(q, file)
+	if m == nil {
+		return nil, err
+	}
+	if _, ok := m["private-key-format"]; !ok {
+		return nil, ErrPrivKey
+	}
+	if m["private-key-format"] != "v1.2" && m["private-key-format"] != "v1.3" {
+		return nil, ErrPrivKey
+	}
+	// TODO(mg): check if the pubkey matches the private key
+	algo, err := strconv.ParseUint(strings.SplitN(m["algorithm"], " ", 2)[0], 10, 8)
+	if err != nil {
+		return nil, ErrPrivKey
+	}
+	switch uint8(algo) {
+	case DSA:
+		priv, err := readPrivateKeyDSA(m)
+		if err != nil {
+			return nil, err
+		}
+		pub := k.publicKeyDSA()
+		if pub == nil {
+			return nil, ErrKey
+		}
+		priv.PublicKey = *pub
+		return priv, nil
+	case RSAMD5:
+		fallthrough
+	case RSASHA1:
+		fallthrough
+	case RSASHA1NSEC3SHA1:
+		fallthrough
+	case RSASHA256:
+		fallthrough
+	case RSASHA512:
+		priv, err := readPrivateKeyRSA(m)
+		if err != nil {
+			return nil, err
+		}
+		pub := k.publicKeyRSA()
+		if pub == nil {
+			return nil, ErrKey
+		}
+		priv.PublicKey = *pub
+		return priv, nil
+	case ECCGOST:
+		return nil, ErrPrivKey
+	case ECDSAP256SHA256:
+		fallthrough
+	case ECDSAP384SHA384:
+		priv, err := readPrivateKeyECDSA(m)
+		if err != nil {
+			return nil, err
+		}
+		pub := k.publicKeyECDSA()
+		if pub == nil {
+			return nil, ErrKey
+		}
+		priv.PublicKey = *pub
+		return priv, nil
+	default:
+		return nil, ErrPrivKey
+	}
+}
+
+// Read a private key (file) string and create a public key. Return the private key.
+func readPrivateKeyRSA(m map[string]string) (*rsa.PrivateKey, error) {
+	p := new(rsa.PrivateKey)
+	p.Primes = []*big.Int{nil, nil}
+	for k, v := range m {
+		switch k {
+		case "modulus", "publicexponent", "privateexponent", "prime1", "prime2":
+			v1, err := fromBase64([]byte(v))
+			if err != nil {
+				return nil, err
+			}
+			switch k {
+			case "modulus":
+				p.PublicKey.N = big.NewInt(0)
+				p.PublicKey.N.SetBytes(v1)
+			case "publicexponent":
+				i := big.NewInt(0)
+				i.SetBytes(v1)
+				p.PublicKey.E = int(i.Int64()) // int64 should be large enough
+			case "privateexponent":
+				p.D = big.NewInt(0)
+				p.D.SetBytes(v1)
+			case "prime1":
+				p.Primes[0] = big.NewInt(0)
+				p.Primes[0].SetBytes(v1)
+			case "prime2":
+				p.Primes[1] = big.NewInt(0)
+				p.Primes[1].SetBytes(v1)
+			}
+		case "exponent1", "exponent2", "coefficient":
+			// not used in Go (yet)
+		case "created", "publish", "activate":
+			// not used in Go (yet)
+		}
+	}
+	return p, nil
+}
+
+func readPrivateKeyDSA(m map[string]string) (*dsa.PrivateKey, error) {
+	p := new(dsa.PrivateKey)
+	p.X = big.NewInt(0)
+	for k, v := range m {
+		switch k {
+		case "private_value(x)":
+			v1, err := fromBase64([]byte(v))
+			if err != nil {
+				return nil, err
+			}
+			p.X.SetBytes(v1)
+		case "created", "publish", "activate":
+			/* not used in Go (yet) */
+		}
+	}
+	return p, nil
+}
+
+func readPrivateKeyECDSA(m map[string]string) (*ecdsa.PrivateKey, error) {
+	p := new(ecdsa.PrivateKey)
+	p.D = big.NewInt(0)
+	// TODO: validate that the required flags are present
+	for k, v := range m {
+		switch k {
+		case "privatekey":
+			v1, err := fromBase64([]byte(v))
+			if err != nil {
+				return nil, err
+			}
+			p.D.SetBytes(v1)
+		case "created", "publish", "activate":
+			/* not used in Go (yet) */
+		}
+	}
+	return p, nil
+}
+
+// parseKey reads a private key from r. It returns a map[string]string,
+// with the key-value pairs, or an error when the file is not correct.
+func parseKey(r io.Reader, file string) (map[string]string, error) {
+	s := scanInit(r)
+	m := make(map[string]string)
+	c := make(chan lex)
+	k := ""
+	// Start the lexer
+	go klexer(s, c)
+	for l := range c {
+		// It should alternate
+		switch l.value {
+		case zKey:
+			k = l.token
+		case zValue:
+			if k == "" {
+				return nil, &ParseError{file, "no private key seen", l}
+			}
+			//println("Setting", strings.ToLower(k), "to", l.token, "b")
+			m[strings.ToLower(k)] = l.token
+			k = ""
+		}
+	}
+	return m, nil
+}
+
+// klexer scans the sourcefile and returns tokens on the channel c.
+func klexer(s *scan, c chan lex) {
+	var l lex
+	str := "" // Hold the current read text
+	commt := false
+	key := true
+	x, err := s.tokenText()
+	defer close(c)
+	for err == nil {
+		l.column = s.position.Column
+		l.line = s.position.Line
+		switch x {
+		case ':':
+			if commt {
+				break
+			}
+			l.token = str
+			if key {
+				l.value = zKey
+				c <- l
+				// Next token is a space, eat it
+				s.tokenText()
+				key = false
+				str = ""
+			} else {
+				l.value = zValue
+			}
+		case ';':
+			commt = true
+		case '\n':
+			if commt {
+				// Reset a comment
+				commt = false
+			}
+			l.value = zValue
+			l.token = str
+			c <- l
+			str = ""
+			commt = false
+			key = true
+		default:
+			if commt {
+				break
+			}
+			str += string(x)
+		}
+		x, err = s.tokenText()
+	}
+	if len(str) > 0 {
+		// Send remainder
+		l.token = str
+		l.value = zValue
+		c <- l
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/dnssec_privkey.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/dnssec_privkey.go
new file mode 100644
index 000000000..56f3ea934
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/dnssec_privkey.go
@@ -0,0 +1,85 @@
+package dns
+
+import (
+	"crypto"
+	"crypto/dsa"
+	"crypto/ecdsa"
+	"crypto/rsa"
+	"math/big"
+	"strconv"
+)
+
+const format = "Private-key-format: v1.3\n"
+
+// PrivateKeyString converts a PrivateKey to a string. This string has the same
+// format as the private-key-file of BIND9 (Private-key-format: v1.3).
+// It needs some info from the key (the algorithm), so its a method of the DNSKEY
+// It supports rsa.PrivateKey, ecdsa.PrivateKey and dsa.PrivateKey
+func (r *DNSKEY) PrivateKeyString(p crypto.PrivateKey) string {
+	algorithm := strconv.Itoa(int(r.Algorithm))
+	algorithm += " (" + AlgorithmToString[r.Algorithm] + ")"
+
+	switch p := p.(type) {
+	case *rsa.PrivateKey:
+		modulus := toBase64(p.PublicKey.N.Bytes())
+		e := big.NewInt(int64(p.PublicKey.E))
+		publicExponent := toBase64(e.Bytes())
+		privateExponent := toBase64(p.D.Bytes())
+		prime1 := toBase64(p.Primes[0].Bytes())
+		prime2 := toBase64(p.Primes[1].Bytes())
+		// Calculate Exponent1/2 and Coefficient as per: http://en.wikipedia.org/wiki/RSA#Using_the_Chinese_remainder_algorithm
+		// and from: http://code.google.com/p/go/issues/detail?id=987
+		one := big.NewInt(1)
+		p1 := big.NewInt(0).Sub(p.Primes[0], one)
+		q1 := big.NewInt(0).Sub(p.Primes[1], one)
+		exp1 := big.NewInt(0).Mod(p.D, p1)
+		exp2 := big.NewInt(0).Mod(p.D, q1)
+		coeff := big.NewInt(0).ModInverse(p.Primes[1], p.Primes[0])
+
+		exponent1 := toBase64(exp1.Bytes())
+		exponent2 := toBase64(exp2.Bytes())
+		coefficient := toBase64(coeff.Bytes())
+
+		return format +
+			"Algorithm: " + algorithm + "\n" +
+			"Modulus: " + modulus + "\n" +
+			"PublicExponent: " + publicExponent + "\n" +
+			"PrivateExponent: " + privateExponent + "\n" +
+			"Prime1: " + prime1 + "\n" +
+			"Prime2: " + prime2 + "\n" +
+			"Exponent1: " + exponent1 + "\n" +
+			"Exponent2: " + exponent2 + "\n" +
+			"Coefficient: " + coefficient + "\n"
+
+	case *ecdsa.PrivateKey:
+		var intlen int
+		switch r.Algorithm {
+		case ECDSAP256SHA256:
+			intlen = 32
+		case ECDSAP384SHA384:
+			intlen = 48
+		}
+		private := toBase64(intToBytes(p.D, intlen))
+		return format +
+			"Algorithm: " + algorithm + "\n" +
+			"PrivateKey: " + private + "\n"
+
+	case *dsa.PrivateKey:
+		T := divRoundUp(divRoundUp(p.PublicKey.Parameters.G.BitLen(), 8)-64, 8)
+		prime := toBase64(intToBytes(p.PublicKey.Parameters.P, 64+T*8))
+		subprime := toBase64(intToBytes(p.PublicKey.Parameters.Q, 20))
+		base := toBase64(intToBytes(p.PublicKey.Parameters.G, 64+T*8))
+		priv := toBase64(intToBytes(p.X, 20))
+		pub := toBase64(intToBytes(p.PublicKey.Y, 64+T*8))
+		return format +
+			"Algorithm: " + algorithm + "\n" +
+			"Prime(p): " + prime + "\n" +
+			"Subprime(q): " + subprime + "\n" +
+			"Base(g): " + base + "\n" +
+			"Private_value(x): " + priv + "\n" +
+			"Public_value(y): " + pub + "\n"
+
+	default:
+		return ""
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/dnssec_test.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/dnssec_test.go
new file mode 100644
index 000000000..ca085ed3b
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/dnssec_test.go
@@ -0,0 +1,733 @@
+package dns
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/rsa"
+	"reflect"
+	"strings"
+	"testing"
+	"time"
+)
+
+func getKey() *DNSKEY {
+	key := new(DNSKEY)
+	key.Hdr.Name = "miek.nl."
+	key.Hdr.Class = ClassINET
+	key.Hdr.Ttl = 14400
+	key.Flags = 256
+	key.Protocol = 3
+	key.Algorithm = RSASHA256
+	key.PublicKey = "AwEAAcNEU67LJI5GEgF9QLNqLO1SMq1EdoQ6E9f85ha0k0ewQGCblyW2836GiVsm6k8Kr5ECIoMJ6fZWf3CQSQ9ycWfTyOHfmI3eQ/1Covhb2y4bAmL/07PhrL7ozWBW3wBfM335Ft9xjtXHPy7ztCbV9qZ4TVDTW/Iyg0PiwgoXVesz"
+	return key
+}
+
+func getSoa() *SOA {
+	soa := new(SOA)
+	soa.Hdr = RR_Header{"miek.nl.", TypeSOA, ClassINET, 14400, 0}
+	soa.Ns = "open.nlnetlabs.nl."
+	soa.Mbox = "miekg.atoom.net."
+	soa.Serial = 1293945905
+	soa.Refresh = 14400
+	soa.Retry = 3600
+	soa.Expire = 604800
+	soa.Minttl = 86400
+	return soa
+}
+
+func TestGenerateEC(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping test in short mode.")
+	}
+	key := new(DNSKEY)
+	key.Hdr.Rrtype = TypeDNSKEY
+	key.Hdr.Name = "miek.nl."
+	key.Hdr.Class = ClassINET
+	key.Hdr.Ttl = 14400
+	key.Flags = 256
+	key.Protocol = 3
+	key.Algorithm = ECDSAP256SHA256
+	privkey, _ := key.Generate(256)
+	t.Log(key.String())
+	t.Log(key.PrivateKeyString(privkey))
+}
+
+func TestGenerateDSA(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping test in short mode.")
+	}
+	key := new(DNSKEY)
+	key.Hdr.Rrtype = TypeDNSKEY
+	key.Hdr.Name = "miek.nl."
+	key.Hdr.Class = ClassINET
+	key.Hdr.Ttl = 14400
+	key.Flags = 256
+	key.Protocol = 3
+	key.Algorithm = DSA
+	privkey, _ := key.Generate(1024)
+	t.Log(key.String())
+	t.Log(key.PrivateKeyString(privkey))
+}
+
+func TestGenerateRSA(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping test in short mode.")
+	}
+	key := new(DNSKEY)
+	key.Hdr.Rrtype = TypeDNSKEY
+	key.Hdr.Name = "miek.nl."
+	key.Hdr.Class = ClassINET
+	key.Hdr.Ttl = 14400
+	key.Flags = 256
+	key.Protocol = 3
+	key.Algorithm = RSASHA256
+	privkey, _ := key.Generate(1024)
+	t.Log(key.String())
+	t.Log(key.PrivateKeyString(privkey))
+}
+
+func TestSecure(t *testing.T) {
+	soa := getSoa()
+
+	sig := new(RRSIG)
+	sig.Hdr = RR_Header{"miek.nl.", TypeRRSIG, ClassINET, 14400, 0}
+	sig.TypeCovered = TypeSOA
+	sig.Algorithm = RSASHA256
+	sig.Labels = 2
+	sig.Expiration = 1296534305 // date -u '+%s' -d"2011-02-01 04:25:05"
+	sig.Inception = 1293942305  // date -u '+%s' -d"2011-01-02 04:25:05"
+	sig.OrigTtl = 14400
+	sig.KeyTag = 12051
+	sig.SignerName = "miek.nl."
+	sig.Signature = "oMCbslaAVIp/8kVtLSms3tDABpcPRUgHLrOR48OOplkYo+8TeEGWwkSwaz/MRo2fB4FxW0qj/hTlIjUGuACSd+b1wKdH5GvzRJc2pFmxtCbm55ygAh4EUL0F6U5cKtGJGSXxxg6UFCQ0doJCmiGFa78LolaUOXImJrk6AFrGa0M="
+
+	key := new(DNSKEY)
+	key.Hdr.Name = "miek.nl."
+	key.Hdr.Class = ClassINET
+	key.Hdr.Ttl = 14400
+	key.Flags = 256
+	key.Protocol = 3
+	key.Algorithm = RSASHA256
+	key.PublicKey = "AwEAAcNEU67LJI5GEgF9QLNqLO1SMq1EdoQ6E9f85ha0k0ewQGCblyW2836GiVsm6k8Kr5ECIoMJ6fZWf3CQSQ9ycWfTyOHfmI3eQ/1Covhb2y4bAmL/07PhrL7ozWBW3wBfM335Ft9xjtXHPy7ztCbV9qZ4TVDTW/Iyg0PiwgoXVesz"
+
+	// It should validate. Period is checked separately, so this will keep on working
+	if sig.Verify(key, []RR{soa}) != nil {
+		t.Error("failure to validate")
+	}
+}
+
+func TestSignature(t *testing.T) {
+	sig := new(RRSIG)
+	sig.Hdr.Name = "miek.nl."
+	sig.Hdr.Class = ClassINET
+	sig.Hdr.Ttl = 3600
+	sig.TypeCovered = TypeDNSKEY
+	sig.Algorithm = RSASHA1
+	sig.Labels = 2
+	sig.OrigTtl = 4000
+	sig.Expiration = 1000 //Thu Jan  1 02:06:40 CET 1970
+	sig.Inception = 800   //Thu Jan  1 01:13:20 CET 1970
+	sig.KeyTag = 34641
+	sig.SignerName = "miek.nl."
+	sig.Signature = "AwEAAaHIwpx3w4VHKi6i1LHnTaWeHCL154Jug0Rtc9ji5qwPXpBo6A5sRv7cSsPQKPIwxLpyCrbJ4mr2L0EPOdvP6z6YfljK2ZmTbogU9aSU2fiq/4wjxbdkLyoDVgtO+JsxNN4bjr4WcWhsmk1Hg93FV9ZpkWb0Tbad8DFqNDzr//kZ"
+
+	// Should not be valid
+	if sig.ValidityPeriod(time.Now()) {
+		t.Error("should not be valid")
+	}
+
+	sig.Inception = 315565800   //Tue Jan  1 10:10:00 CET 1980
+	sig.Expiration = 4102477800 //Fri Jan  1 10:10:00 CET 2100
+	if !sig.ValidityPeriod(time.Now()) {
+		t.Error("should be valid")
+	}
+}
+
+func TestSignVerify(t *testing.T) {
+	// The record we want to sign
+	soa := new(SOA)
+	soa.Hdr = RR_Header{"miek.nl.", TypeSOA, ClassINET, 14400, 0}
+	soa.Ns = "open.nlnetlabs.nl."
+	soa.Mbox = "miekg.atoom.net."
+	soa.Serial = 1293945905
+	soa.Refresh = 14400
+	soa.Retry = 3600
+	soa.Expire = 604800
+	soa.Minttl = 86400
+
+	soa1 := new(SOA)
+	soa1.Hdr = RR_Header{"*.miek.nl.", TypeSOA, ClassINET, 14400, 0}
+	soa1.Ns = "open.nlnetlabs.nl."
+	soa1.Mbox = "miekg.atoom.net."
+	soa1.Serial = 1293945905
+	soa1.Refresh = 14400
+	soa1.Retry = 3600
+	soa1.Expire = 604800
+	soa1.Minttl = 86400
+
+	srv := new(SRV)
+	srv.Hdr = RR_Header{"srv.miek.nl.", TypeSRV, ClassINET, 14400, 0}
+	srv.Port = 1000
+	srv.Weight = 800
+	srv.Target = "web1.miek.nl."
+
+	hinfo := &HINFO{
+		Hdr: RR_Header{
+			Name:   "miek.nl.",
+			Rrtype: TypeHINFO,
+			Class:  ClassINET,
+			Ttl:    3789,
+		},
+		Cpu: "X",
+		Os:  "Y",
+	}
+
+	// With this key
+	key := new(DNSKEY)
+	key.Hdr.Rrtype = TypeDNSKEY
+	key.Hdr.Name = "miek.nl."
+	key.Hdr.Class = ClassINET
+	key.Hdr.Ttl = 14400
+	key.Flags = 256
+	key.Protocol = 3
+	key.Algorithm = RSASHA256
+	privkey, _ := key.Generate(512)
+
+	// Fill in the values of the Sig, before signing
+	sig := new(RRSIG)
+	sig.Hdr = RR_Header{"miek.nl.", TypeRRSIG, ClassINET, 14400, 0}
+	sig.TypeCovered = soa.Hdr.Rrtype
+	sig.Labels = uint8(CountLabel(soa.Hdr.Name)) // works for all 3
+	sig.OrigTtl = soa.Hdr.Ttl
+	sig.Expiration = 1296534305 // date -u '+%s' -d"2011-02-01 04:25:05"
+	sig.Inception = 1293942305  // date -u '+%s' -d"2011-01-02 04:25:05"
+	sig.KeyTag = key.KeyTag()   // Get the keyfrom the Key
+	sig.SignerName = key.Hdr.Name
+	sig.Algorithm = RSASHA256
+
+	for _, r := range []RR{soa, soa1, srv, hinfo} {
+		if err := sig.Sign(privkey.(*rsa.PrivateKey), []RR{r}); err != nil {
+			t.Error("failure to sign the record:", err)
+			continue
+		}
+		if err := sig.Verify(key, []RR{r}); err != nil {
+			t.Error("failure to validate")
+			continue
+		}
+		t.Logf("validated: %s", r.Header().Name)
+	}
+}
+
+func Test65534(t *testing.T) {
+	t6 := new(RFC3597)
+	t6.Hdr = RR_Header{"miek.nl.", 65534, ClassINET, 14400, 0}
+	t6.Rdata = "505D870001"
+	key := new(DNSKEY)
+	key.Hdr.Name = "miek.nl."
+	key.Hdr.Rrtype = TypeDNSKEY
+	key.Hdr.Class = ClassINET
+	key.Hdr.Ttl = 14400
+	key.Flags = 256
+	key.Protocol = 3
+	key.Algorithm = RSASHA256
+	privkey, _ := key.Generate(1024)
+
+	sig := new(RRSIG)
+	sig.Hdr = RR_Header{"miek.nl.", TypeRRSIG, ClassINET, 14400, 0}
+	sig.TypeCovered = t6.Hdr.Rrtype
+	sig.Labels = uint8(CountLabel(t6.Hdr.Name))
+	sig.OrigTtl = t6.Hdr.Ttl
+	sig.Expiration = 1296534305 // date -u '+%s' -d"2011-02-01 04:25:05"
+	sig.Inception = 1293942305  // date -u '+%s' -d"2011-01-02 04:25:05"
+	sig.KeyTag = key.KeyTag()
+	sig.SignerName = key.Hdr.Name
+	sig.Algorithm = RSASHA256
+	if err := sig.Sign(privkey.(*rsa.PrivateKey), []RR{t6}); err != nil {
+		t.Error(err)
+		t.Error("failure to sign the TYPE65534 record")
+	}
+	if err := sig.Verify(key, []RR{t6}); err != nil {
+		t.Error(err)
+		t.Error("failure to validate")
+	} else {
+		t.Logf("validated: %s", t6.Header().Name)
+	}
+}
+
+func TestDnskey(t *testing.T) {
+	pubkey, err := ReadRR(strings.NewReader(`
+miek.nl.	IN	DNSKEY	256 3 10 AwEAAZuMCu2FdugHkTrXYgl5qixvcDw1aDDlvL46/xJKbHBAHY16fNUb2b65cwko2Js/aJxUYJbZk5dwCDZxYfrfbZVtDPQuc3o8QaChVxC7/JYz2AHc9qHvqQ1j4VrH71RWINlQo6VYjzN/BGpMhOZoZOEwzp1HfsOE3lNYcoWU1smL ;{id = 5240 (zsk), size = 1024b}
+`), "Kmiek.nl.+010+05240.key")
+	if err != nil {
+		t.Fatal(err)
+	}
+	privStr := `Private-key-format: v1.3
+Algorithm: 10 (RSASHA512)
+Modulus: m4wK7YV26AeROtdiCXmqLG9wPDVoMOW8vjr/EkpscEAdjXp81RvZvrlzCSjYmz9onFRgltmTl3AINnFh+t9tlW0M9C5zejxBoKFXELv8ljPYAdz2oe+pDWPhWsfvVFYg2VCjpViPM38EakyE5mhk4TDOnUd+w4TeU1hyhZTWyYs=
+PublicExponent: AQAB
+PrivateExponent: UfCoIQ/Z38l8vB6SSqOI/feGjHEl/fxIPX4euKf0D/32k30fHbSaNFrFOuIFmWMB3LimWVEs6u3dpbB9CQeCVg7hwU5puG7OtuiZJgDAhNeOnxvo5btp4XzPZrJSxR4WNQnwIiYWbl0aFlL1VGgHC/3By89ENZyWaZcMLW4KGWE=
+Prime1: yxwC6ogAu8aVcDx2wg1V0b5M5P6jP8qkRFVMxWNTw60Vkn+ECvw6YAZZBHZPaMyRYZLzPgUlyYRd0cjupy4+fQ==
+Prime2: xA1bF8M0RTIQ6+A11AoVG6GIR/aPGg5sogRkIZ7ID/sF6g9HMVU/CM2TqVEBJLRPp73cv6ZeC3bcqOCqZhz+pw==
+Exponent1: xzkblyZ96bGYxTVZm2/vHMOXswod4KWIyMoOepK6B/ZPcZoIT6omLCgtypWtwHLfqyCz3MK51Nc0G2EGzg8rFQ==
+Exponent2: Pu5+mCEb7T5F+kFNZhQadHUklt0JUHbi3hsEvVoHpEGSw3BGDQrtIflDde0/rbWHgDPM4WQY+hscd8UuTXrvLw==
+Coefficient: UuRoNqe7YHnKmQzE6iDWKTMIWTuoqqrFAmXPmKQnC+Y+BQzOVEHUo9bXdDnoI9hzXP1gf8zENMYwYLeWpuYlFQ==
+`
+	privkey, err := pubkey.(*DNSKEY).ReadPrivateKey(strings.NewReader(privStr),
+		"Kmiek.nl.+010+05240.private")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if pubkey.(*DNSKEY).PublicKey != "AwEAAZuMCu2FdugHkTrXYgl5qixvcDw1aDDlvL46/xJKbHBAHY16fNUb2b65cwko2Js/aJxUYJbZk5dwCDZxYfrfbZVtDPQuc3o8QaChVxC7/JYz2AHc9qHvqQ1j4VrH71RWINlQo6VYjzN/BGpMhOZoZOEwzp1HfsOE3lNYcoWU1smL" {
+		t.Error("pubkey is not what we've read")
+	}
+	if pubkey.(*DNSKEY).PrivateKeyString(privkey) != privStr {
+		t.Error("privkey is not what we've read")
+		t.Errorf("%v", pubkey.(*DNSKEY).PrivateKeyString(privkey))
+	}
+}
+
+func TestTag(t *testing.T) {
+	key := new(DNSKEY)
+	key.Hdr.Name = "miek.nl."
+	key.Hdr.Rrtype = TypeDNSKEY
+	key.Hdr.Class = ClassINET
+	key.Hdr.Ttl = 3600
+	key.Flags = 256
+	key.Protocol = 3
+	key.Algorithm = RSASHA256
+	key.PublicKey = "AwEAAcNEU67LJI5GEgF9QLNqLO1SMq1EdoQ6E9f85ha0k0ewQGCblyW2836GiVsm6k8Kr5ECIoMJ6fZWf3CQSQ9ycWfTyOHfmI3eQ/1Covhb2y4bAmL/07PhrL7ozWBW3wBfM335Ft9xjtXHPy7ztCbV9qZ4TVDTW/Iyg0PiwgoXVesz"
+
+	tag := key.KeyTag()
+	if tag != 12051 {
+		t.Errorf("wrong key tag: %d for key %v", tag, key)
+	}
+}
+
+func TestKeyRSA(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping test in short mode.")
+	}
+	key := new(DNSKEY)
+	key.Hdr.Name = "miek.nl."
+	key.Hdr.Rrtype = TypeDNSKEY
+	key.Hdr.Class = ClassINET
+	key.Hdr.Ttl = 3600
+	key.Flags = 256
+	key.Protocol = 3
+	key.Algorithm = RSASHA256
+	priv, _ := key.Generate(2048)
+
+	soa := new(SOA)
+	soa.Hdr = RR_Header{"miek.nl.", TypeSOA, ClassINET, 14400, 0}
+	soa.Ns = "open.nlnetlabs.nl."
+	soa.Mbox = "miekg.atoom.net."
+	soa.Serial = 1293945905
+	soa.Refresh = 14400
+	soa.Retry = 3600
+	soa.Expire = 604800
+	soa.Minttl = 86400
+
+	sig := new(RRSIG)
+	sig.Hdr = RR_Header{"miek.nl.", TypeRRSIG, ClassINET, 14400, 0}
+	sig.TypeCovered = TypeSOA
+	sig.Algorithm = RSASHA256
+	sig.Labels = 2
+	sig.Expiration = 1296534305 // date -u '+%s' -d"2011-02-01 04:25:05"
+	sig.Inception = 1293942305  // date -u '+%s' -d"2011-01-02 04:25:05"
+	sig.OrigTtl = soa.Hdr.Ttl
+	sig.KeyTag = key.KeyTag()
+	sig.SignerName = key.Hdr.Name
+
+	if err := sig.Sign(priv.(*rsa.PrivateKey), []RR{soa}); err != nil {
+		t.Error("failed to sign")
+		return
+	}
+	if err := sig.Verify(key, []RR{soa}); err != nil {
+		t.Error("failed to verify")
+	}
+}
+
+func TestKeyToDS(t *testing.T) {
+	key := new(DNSKEY)
+	key.Hdr.Name = "miek.nl."
+	key.Hdr.Rrtype = TypeDNSKEY
+	key.Hdr.Class = ClassINET
+	key.Hdr.Ttl = 3600
+	key.Flags = 256
+	key.Protocol = 3
+	key.Algorithm = RSASHA256
+	key.PublicKey = "AwEAAcNEU67LJI5GEgF9QLNqLO1SMq1EdoQ6E9f85ha0k0ewQGCblyW2836GiVsm6k8Kr5ECIoMJ6fZWf3CQSQ9ycWfTyOHfmI3eQ/1Covhb2y4bAmL/07PhrL7ozWBW3wBfM335Ft9xjtXHPy7ztCbV9qZ4TVDTW/Iyg0PiwgoXVesz"
+
+	ds := key.ToDS(SHA1)
+	if strings.ToUpper(ds.Digest) != "B5121BDB5B8D86D0CC5FFAFBAAABE26C3E20BAC1" {
+		t.Errorf("wrong DS digest for SHA1\n%v", ds)
+	}
+}
+
+func TestSignRSA(t *testing.T) {
+	pub := "miek.nl. IN DNSKEY 256 3 5 AwEAAb+8lGNCxJgLS8rYVer6EnHVuIkQDghdjdtewDzU3G5R7PbMbKVRvH2Ma7pQyYceoaqWZQirSj72euPWfPxQnMy9ucCylA+FuH9cSjIcPf4PqJfdupHk9X6EBYjxrCLY4p1/yBwgyBIRJtZtAqM3ceAH2WovEJD6rTtOuHo5AluJ"
+
+	priv := `Private-key-format: v1.3
+Algorithm: 5 (RSASHA1)
+Modulus: v7yUY0LEmAtLythV6voScdW4iRAOCF2N217APNTcblHs9sxspVG8fYxrulDJhx6hqpZlCKtKPvZ649Z8/FCczL25wLKUD4W4f1xKMhw9/g+ol926keT1foQFiPGsItjinX/IHCDIEhEm1m0Cozdx4AfZai8QkPqtO064ejkCW4k=
+PublicExponent: AQAB
+PrivateExponent: YPwEmwjk5HuiROKU4xzHQ6l1hG8Iiha4cKRG3P5W2b66/EN/GUh07ZSf0UiYB67o257jUDVEgwCuPJz776zfApcCB4oGV+YDyEu7Hp/rL8KcSN0la0k2r9scKwxTp4BTJT23zyBFXsV/1wRDK1A5NxsHPDMYi2SoK63Enm/1ptk=
+Prime1: /wjOG+fD0ybNoSRn7nQ79udGeR1b0YhUA5mNjDx/x2fxtIXzygYk0Rhx9QFfDy6LOBvz92gbNQlzCLz3DJt5hw==
+Prime2: wHZsJ8OGhkp5p3mrJFZXMDc2mbYusDVTA+t+iRPdS797Tj0pjvU2HN4vTnTj8KBQp6hmnY7dLp9Y1qserySGbw==
+Exponent1: N0A7FsSRIg+IAN8YPQqlawoTtG1t1OkJ+nWrurPootScApX6iMvn8fyvw3p2k51rv84efnzpWAYiC8SUaQDNxQ==
+Exponent2: SvuYRaGyvo0zemE3oS+WRm2scxR8eiA8WJGeOc+obwOKCcBgeZblXzfdHGcEC1KaOcetOwNW/vwMA46lpLzJNw==
+Coefficient: 8+7ZN/JgByqv0NfULiFKTjtyegUcijRuyij7yNxYbCBneDvZGxJwKNi4YYXWx743pcAj4Oi4Oh86gcmxLs+hGw==
+Created: 20110302104537
+Publish: 20110302104537
+Activate: 20110302104537`
+
+	xk, _ := NewRR(pub)
+	k := xk.(*DNSKEY)
+	p, err := k.NewPrivateKey(priv)
+	if err != nil {
+		t.Error(err)
+	}
+	switch priv := p.(type) {
+	case *rsa.PrivateKey:
+		if 65537 != priv.PublicKey.E {
+			t.Error("exponenent should be 65537")
+		}
+	default:
+		t.Errorf("we should have read an RSA key: %v", priv)
+	}
+	if k.KeyTag() != 37350 {
+		t.Errorf("keytag should be 37350, got %d %v", k.KeyTag(), k)
+	}
+
+	soa := new(SOA)
+	soa.Hdr = RR_Header{"miek.nl.", TypeSOA, ClassINET, 14400, 0}
+	soa.Ns = "open.nlnetlabs.nl."
+	soa.Mbox = "miekg.atoom.net."
+	soa.Serial = 1293945905
+	soa.Refresh = 14400
+	soa.Retry = 3600
+	soa.Expire = 604800
+	soa.Minttl = 86400
+
+	sig := new(RRSIG)
+	sig.Hdr = RR_Header{"miek.nl.", TypeRRSIG, ClassINET, 14400, 0}
+	sig.Expiration = 1296534305 // date -u '+%s' -d"2011-02-01 04:25:05"
+	sig.Inception = 1293942305  // date -u '+%s' -d"2011-01-02 04:25:05"
+	sig.KeyTag = k.KeyTag()
+	sig.SignerName = k.Hdr.Name
+	sig.Algorithm = k.Algorithm
+
+	sig.Sign(p.(*rsa.PrivateKey), []RR{soa})
+	if sig.Signature != "D5zsobpQcmMmYsUMLxCVEtgAdCvTu8V/IEeP4EyLBjqPJmjt96bwM9kqihsccofA5LIJ7DN91qkCORjWSTwNhzCv7bMyr2o5vBZElrlpnRzlvsFIoAZCD9xg6ZY7ZyzUJmU6IcTwG4v3xEYajcpbJJiyaw/RqR90MuRdKPiBzSo=" {
+		t.Errorf("signature is not correct: %v", sig)
+	}
+}
+
+func TestSignVerifyECDSA(t *testing.T) {
+	pub := `example.net. 3600 IN DNSKEY 257 3 14 (
+	xKYaNhWdGOfJ+nPrL8/arkwf2EY3MDJ+SErKivBVSum1
+	w/egsXvSADtNJhyem5RCOpgQ6K8X1DRSEkrbYQ+OB+v8
+	/uX45NBwY8rp65F6Glur8I/mlVNgF6W/qTI37m40 )`
+	priv := `Private-key-format: v1.2
+Algorithm: 14 (ECDSAP384SHA384)
+PrivateKey: WURgWHCcYIYUPWgeLmiPY2DJJk02vgrmTfitxgqcL4vwW7BOrbawVmVe0d9V94SR`
+
+	eckey, err := NewRR(pub)
+	if err != nil {
+		t.Fatal(err)
+	}
+	privkey, err := eckey.(*DNSKEY).NewPrivateKey(priv)
+	if err != nil {
+		t.Fatal(err)
+	}
+	// TODO: Create separate test for this
+	ds := eckey.(*DNSKEY).ToDS(SHA384)
+	if ds.KeyTag != 10771 {
+		t.Fatal("wrong keytag on DS")
+	}
+	if ds.Digest != "72d7b62976ce06438e9c0bf319013cf801f09ecc84b8d7e9495f27e305c6a9b0563a9b5f4d288405c3008a946df983d6" {
+		t.Fatal("wrong DS Digest")
+	}
+	a, _ := NewRR("www.example.net. 3600 IN A 192.0.2.1")
+	sig := new(RRSIG)
+	sig.Hdr = RR_Header{"example.net.", TypeRRSIG, ClassINET, 14400, 0}
+	sig.Expiration, _ = StringToTime("20100909102025")
+	sig.Inception, _ = StringToTime("20100812102025")
+	sig.KeyTag = eckey.(*DNSKEY).KeyTag()
+	sig.SignerName = eckey.(*DNSKEY).Hdr.Name
+	sig.Algorithm = eckey.(*DNSKEY).Algorithm
+
+	if sig.Sign(privkey.(*ecdsa.PrivateKey), []RR{a}) != nil {
+		t.Fatal("failure to sign the record")
+	}
+
+	if err := sig.Verify(eckey.(*DNSKEY), []RR{a}); err != nil {
+		t.Fatalf("failure to validate:\n%s\n%s\n%s\n\n%s\n\n%v",
+			eckey.(*DNSKEY).String(),
+			a.String(),
+			sig.String(),
+			eckey.(*DNSKEY).PrivateKeyString(privkey),
+			err,
+		)
+	}
+}
+
+func TestSignVerifyECDSA2(t *testing.T) {
+	srv1, err := NewRR("srv.miek.nl. IN SRV 1000 800 0 web1.miek.nl.")
+	if err != nil {
+		t.Fatal(err)
+	}
+	srv := srv1.(*SRV)
+
+	// With this key
+	key := new(DNSKEY)
+	key.Hdr.Rrtype = TypeDNSKEY
+	key.Hdr.Name = "miek.nl."
+	key.Hdr.Class = ClassINET
+	key.Hdr.Ttl = 14400
+	key.Flags = 256
+	key.Protocol = 3
+	key.Algorithm = ECDSAP256SHA256
+	privkey, err := key.Generate(256)
+	if err != nil {
+		t.Fatal("failure to generate key")
+	}
+
+	// Fill in the values of the Sig, before signing
+	sig := new(RRSIG)
+	sig.Hdr = RR_Header{"miek.nl.", TypeRRSIG, ClassINET, 14400, 0}
+	sig.TypeCovered = srv.Hdr.Rrtype
+	sig.Labels = uint8(CountLabel(srv.Hdr.Name)) // works for all 3
+	sig.OrigTtl = srv.Hdr.Ttl
+	sig.Expiration = 1296534305 // date -u '+%s' -d"2011-02-01 04:25:05"
+	sig.Inception = 1293942305  // date -u '+%s' -d"2011-01-02 04:25:05"
+	sig.KeyTag = key.KeyTag()   // Get the keyfrom the Key
+	sig.SignerName = key.Hdr.Name
+	sig.Algorithm = ECDSAP256SHA256
+
+	if sig.Sign(privkey.(*ecdsa.PrivateKey), []RR{srv}) != nil {
+		t.Fatal("failure to sign the record")
+	}
+
+	err = sig.Verify(key, []RR{srv})
+	if err != nil {
+		t.Logf("failure to validate:\n%s\n%s\n%s\n\n%s\n\n%v",
+			key.String(),
+			srv.String(),
+			sig.String(),
+			key.PrivateKeyString(privkey),
+			err,
+		)
+	}
+}
+
+// Here the test vectors from the relevant RFCs are checked.
+// rfc6605 6.1
+func TestRFC6605P256(t *testing.T) {
+	exDNSKEY := `example.net. 3600 IN DNSKEY 257 3 13 (
+                 GojIhhXUN/u4v54ZQqGSnyhWJwaubCvTmeexv7bR6edb
+                 krSqQpF64cYbcB7wNcP+e+MAnLr+Wi9xMWyQLc8NAA== )`
+	exPriv := `Private-key-format: v1.2
+Algorithm: 13 (ECDSAP256SHA256)
+PrivateKey: GU6SnQ/Ou+xC5RumuIUIuJZteXT2z0O/ok1s38Et6mQ=`
+	rrDNSKEY, err := NewRR(exDNSKEY)
+	if err != nil {
+		t.Fatal(err)
+	}
+	priv, err := rrDNSKEY.(*DNSKEY).NewPrivateKey(exPriv)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	exDS := `example.net. 3600 IN DS 55648 13 2 (
+             b4c8c1fe2e7477127b27115656ad6256f424625bf5c1
+             e2770ce6d6e37df61d17 )`
+	rrDS, err := NewRR(exDS)
+	if err != nil {
+		t.Fatal(err)
+	}
+	ourDS := rrDNSKEY.(*DNSKEY).ToDS(SHA256)
+	if !reflect.DeepEqual(ourDS, rrDS.(*DS)) {
+		t.Errorf("DS record differs:\n%v\n%v", ourDS, rrDS.(*DS))
+	}
+
+	exA := `www.example.net. 3600 IN A 192.0.2.1`
+	exRRSIG := `www.example.net. 3600 IN RRSIG A 13 3 3600 (
+                20100909100439 20100812100439 55648 example.net.
+                qx6wLYqmh+l9oCKTN6qIc+bw6ya+KJ8oMz0YP107epXA
+                yGmt+3SNruPFKG7tZoLBLlUzGGus7ZwmwWep666VCw== )`
+	rrA, err := NewRR(exA)
+	if err != nil {
+		t.Fatal(err)
+	}
+	rrRRSIG, err := NewRR(exRRSIG)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err = rrRRSIG.(*RRSIG).Verify(rrDNSKEY.(*DNSKEY), []RR{rrA}); err != nil {
+		t.Errorf("failure to validate the spec RRSIG: %v", err)
+	}
+
+	ourRRSIG := &RRSIG{
+		Hdr: RR_Header{
+			Ttl: rrA.Header().Ttl,
+		},
+		KeyTag:     rrDNSKEY.(*DNSKEY).KeyTag(),
+		SignerName: rrDNSKEY.(*DNSKEY).Hdr.Name,
+		Algorithm:  rrDNSKEY.(*DNSKEY).Algorithm,
+	}
+	ourRRSIG.Expiration, _ = StringToTime("20100909100439")
+	ourRRSIG.Inception, _ = StringToTime("20100812100439")
+	err = ourRRSIG.Sign(priv.(*ecdsa.PrivateKey), []RR{rrA})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err = ourRRSIG.Verify(rrDNSKEY.(*DNSKEY), []RR{rrA}); err != nil {
+		t.Errorf("failure to validate our RRSIG: %v", err)
+	}
+
+	// Signatures are randomized
+	rrRRSIG.(*RRSIG).Signature = ""
+	ourRRSIG.Signature = ""
+	if !reflect.DeepEqual(ourRRSIG, rrRRSIG.(*RRSIG)) {
+		t.Fatalf("RRSIG record differs:\n%v\n%v", ourRRSIG, rrRRSIG.(*RRSIG))
+	}
+}
+
+// rfc6605 6.2
+func TestRFC6605P384(t *testing.T) {
+	exDNSKEY := `example.net. 3600 IN DNSKEY 257 3 14 (
+                 xKYaNhWdGOfJ+nPrL8/arkwf2EY3MDJ+SErKivBVSum1
+                 w/egsXvSADtNJhyem5RCOpgQ6K8X1DRSEkrbYQ+OB+v8
+                 /uX45NBwY8rp65F6Glur8I/mlVNgF6W/qTI37m40 )`
+	exPriv := `Private-key-format: v1.2
+Algorithm: 14 (ECDSAP384SHA384)
+PrivateKey: WURgWHCcYIYUPWgeLmiPY2DJJk02vgrmTfitxgqcL4vwW7BOrbawVmVe0d9V94SR`
+	rrDNSKEY, err := NewRR(exDNSKEY)
+	if err != nil {
+		t.Fatal(err)
+	}
+	priv, err := rrDNSKEY.(*DNSKEY).NewPrivateKey(exPriv)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	exDS := `example.net. 3600 IN DS 10771 14 4 (
+           72d7b62976ce06438e9c0bf319013cf801f09ecc84b8
+           d7e9495f27e305c6a9b0563a9b5f4d288405c3008a94
+           6df983d6 )`
+	rrDS, err := NewRR(exDS)
+	if err != nil {
+		t.Fatal(err)
+	}
+	ourDS := rrDNSKEY.(*DNSKEY).ToDS(SHA384)
+	if !reflect.DeepEqual(ourDS, rrDS.(*DS)) {
+		t.Fatalf("DS record differs:\n%v\n%v", ourDS, rrDS.(*DS))
+	}
+
+	exA := `www.example.net. 3600 IN A 192.0.2.1`
+	exRRSIG := `www.example.net. 3600 IN RRSIG A 14 3 3600 (
+           20100909102025 20100812102025 10771 example.net.
+           /L5hDKIvGDyI1fcARX3z65qrmPsVz73QD1Mr5CEqOiLP
+           95hxQouuroGCeZOvzFaxsT8Glr74hbavRKayJNuydCuz
+           WTSSPdz7wnqXL5bdcJzusdnI0RSMROxxwGipWcJm )`
+	rrA, err := NewRR(exA)
+	if err != nil {
+		t.Fatal(err)
+	}
+	rrRRSIG, err := NewRR(exRRSIG)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err = rrRRSIG.(*RRSIG).Verify(rrDNSKEY.(*DNSKEY), []RR{rrA}); err != nil {
+		t.Errorf("failure to validate the spec RRSIG: %v", err)
+	}
+
+	ourRRSIG := &RRSIG{
+		Hdr: RR_Header{
+			Ttl: rrA.Header().Ttl,
+		},
+		KeyTag:     rrDNSKEY.(*DNSKEY).KeyTag(),
+		SignerName: rrDNSKEY.(*DNSKEY).Hdr.Name,
+		Algorithm:  rrDNSKEY.(*DNSKEY).Algorithm,
+	}
+	ourRRSIG.Expiration, _ = StringToTime("20100909102025")
+	ourRRSIG.Inception, _ = StringToTime("20100812102025")
+	err = ourRRSIG.Sign(priv.(*ecdsa.PrivateKey), []RR{rrA})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err = ourRRSIG.Verify(rrDNSKEY.(*DNSKEY), []RR{rrA}); err != nil {
+		t.Errorf("failure to validate our RRSIG: %v", err)
+	}
+
+	// Signatures are randomized
+	rrRRSIG.(*RRSIG).Signature = ""
+	ourRRSIG.Signature = ""
+	if !reflect.DeepEqual(ourRRSIG, rrRRSIG.(*RRSIG)) {
+		t.Fatalf("RRSIG record differs:\n%v\n%v", ourRRSIG, rrRRSIG.(*RRSIG))
+	}
+}
+
+func TestInvalidRRSet(t *testing.T) {
+	goodRecords := make([]RR, 2)
+	goodRecords[0] = &TXT{Hdr: RR_Header{Name: "name.cloudflare.com.", Rrtype: TypeTXT, Class: ClassINET, Ttl: 0}, Txt: []string{"Hello world"}}
+	goodRecords[1] = &TXT{Hdr: RR_Header{Name: "name.cloudflare.com.", Rrtype: TypeTXT, Class: ClassINET, Ttl: 0}, Txt: []string{"_o/"}}
+
+	// Generate key
+	keyname := "cloudflare.com."
+	key := &DNSKEY{
+		Hdr:       RR_Header{Name: keyname, Rrtype: TypeDNSKEY, Class: ClassINET, Ttl: 0},
+		Algorithm: ECDSAP256SHA256,
+		Flags:     ZONE,
+		Protocol:  3,
+	}
+	privatekey, err := key.Generate(256)
+	if err != nil {
+		t.Fatal(err.Error())
+	}
+
+	// Need to fill in: Inception, Expiration, KeyTag, SignerName and Algorithm
+	curTime := time.Now()
+	signature := &RRSIG{
+		Inception:  uint32(curTime.Unix()),
+		Expiration: uint32(curTime.Add(time.Hour).Unix()),
+		KeyTag:     key.KeyTag(),
+		SignerName: keyname,
+		Algorithm:  ECDSAP256SHA256,
+	}
+
+	// Inconsistent name between records
+	badRecords := make([]RR, 2)
+	badRecords[0] = &TXT{Hdr: RR_Header{Name: "name.cloudflare.com.", Rrtype: TypeTXT, Class: ClassINET, Ttl: 0}, Txt: []string{"Hello world"}}
+	badRecords[1] = &TXT{Hdr: RR_Header{Name: "nama.cloudflare.com.", Rrtype: TypeTXT, Class: ClassINET, Ttl: 0}, Txt: []string{"_o/"}}
+
+	if IsRRset(badRecords) {
+		t.Fatal("Record set with inconsistent names considered valid")
+	}
+
+	badRecords[0] = &TXT{Hdr: RR_Header{Name: "name.cloudflare.com.", Rrtype: TypeTXT, Class: ClassINET, Ttl: 0}, Txt: []string{"Hello world"}}
+	badRecords[1] = &A{Hdr: RR_Header{Name: "name.cloudflare.com.", Rrtype: TypeA, Class: ClassINET, Ttl: 0}}
+
+	if IsRRset(badRecords) {
+		t.Fatal("Record set with inconsistent record types considered valid")
+	}
+
+	badRecords[0] = &TXT{Hdr: RR_Header{Name: "name.cloudflare.com.", Rrtype: TypeTXT, Class: ClassINET, Ttl: 0}, Txt: []string{"Hello world"}}
+	badRecords[1] = &TXT{Hdr: RR_Header{Name: "name.cloudflare.com.", Rrtype: TypeTXT, Class: ClassCHAOS, Ttl: 0}, Txt: []string{"_o/"}}
+
+	if IsRRset(badRecords) {
+		t.Fatal("Record set with inconsistent record class considered valid")
+	}
+
+	// Sign the good record set and then make sure verification fails on the bad record set
+	if err := signature.Sign(privatekey.(crypto.Signer), goodRecords); err != nil {
+		t.Fatal("Signing good records failed")
+	}
+
+	if err := signature.Verify(key, badRecords); err != ErrRRset {
+		t.Fatal("Verification did not return ErrRRset with inconsistent records")
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/doc.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/doc.go
new file mode 100644
index 000000000..e38753d7d
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/doc.go
@@ -0,0 +1,251 @@
+/*
+Package dns implements a full featured interface to the Domain Name System.
+Server- and client-side programming is supported.
+The package allows complete control over what is send out to the DNS. The package
+API follows the less-is-more principle, by presenting a small, clean interface.
+
+The package dns supports (asynchronous) querying/replying, incoming/outgoing zone transfers,
+TSIG, EDNS0, dynamic updates, notifies and DNSSEC validation/signing.
+Note that domain names MUST be fully qualified, before sending them, unqualified
+names in a message will result in a packing failure.
+
+Resource records are native types. They are not stored in wire format.
+Basic usage pattern for creating a new resource record:
+
+     r := new(dns.MX)
+     r.Hdr = dns.RR_Header{Name: "miek.nl.", Rrtype: dns.TypeMX,
+	Class: dns.ClassINET, Ttl: 3600}
+     r.Preference = 10
+     r.Mx = "mx.miek.nl."
+
+Or directly from a string:
+
+     mx, err := dns.NewRR("miek.nl. 3600 IN MX 10 mx.miek.nl.")
+
+Or when the default TTL (3600) and class (IN) suit you:
+
+     mx, err := dns.NewRR("miek.nl. MX 10 mx.miek.nl.")
+
+Or even:
+
+     mx, err := dns.NewRR("$ORIGIN nl.\nmiek 1H IN MX 10 mx.miek")
+
+In the DNS messages are exchanged, these messages contain resource
+records (sets).  Use pattern for creating a message:
+
+     m := new(dns.Msg)
+     m.SetQuestion("miek.nl.", dns.TypeMX)
+
+Or when not certain if the domain name is fully qualified:
+
+	m.SetQuestion(dns.Fqdn("miek.nl"), dns.TypeMX)
+
+The message m is now a message with the question section set to ask
+the MX records for the miek.nl. zone.
+
+The following is slightly more verbose, but more flexible:
+
+     m1 := new(dns.Msg)
+     m1.Id = dns.Id()
+     m1.RecursionDesired = true
+     m1.Question = make([]dns.Question, 1)
+     m1.Question[0] = dns.Question{"miek.nl.", dns.TypeMX, dns.ClassINET}
+
+After creating a message it can be send.
+Basic use pattern for synchronous querying the DNS at a
+server configured on 127.0.0.1 and port 53:
+
+     c := new(dns.Client)
+     in, rtt, err := c.Exchange(m1, "127.0.0.1:53")
+
+Suppressing multiple outstanding queries (with the same question, type and
+class) is as easy as setting:
+
+	c.SingleInflight = true
+
+If these "advanced" features are not needed, a simple UDP query can be send,
+with:
+
+	in, err := dns.Exchange(m1, "127.0.0.1:53")
+
+When this functions returns you will get dns message. A dns message consists
+out of four sections.
+The question section: in.Question, the answer section: in.Answer,
+the authority section: in.Ns and the additional section: in.Extra.
+
+Each of these sections (except the Question section) contain a []RR. Basic
+use pattern for accessing the rdata of a TXT RR as the first RR in
+the Answer section:
+
+	if t, ok := in.Answer[0].(*dns.TXT); ok {
+		// do something with t.Txt
+	}
+
+Domain Name and TXT Character String Representations
+
+Both domain names and TXT character strings are converted to presentation
+form both when unpacked and when converted to strings.
+
+For TXT character strings, tabs, carriage returns and line feeds will be
+converted to \t, \r and \n respectively. Back slashes and quotations marks
+will be escaped. Bytes below 32 and above 127 will be converted to \DDD
+form.
+
+For domain names, in addition to the above rules brackets, periods,
+spaces, semicolons and the at symbol are escaped.
+
+DNSSEC
+
+DNSSEC (DNS Security Extension) adds a layer of security to the DNS. It
+uses public key cryptography to sign resource records. The
+public keys are stored in DNSKEY records and the signatures in RRSIG records.
+
+Requesting DNSSEC information for a zone is done by adding the DO (DNSSEC OK) bit
+to a request.
+
+     m := new(dns.Msg)
+     m.SetEdns0(4096, true)
+
+Signature generation, signature verification and key generation are all supported.
+
+DYNAMIC UPDATES
+
+Dynamic updates reuses the DNS message format, but renames three of
+the sections. Question is Zone, Answer is Prerequisite, Authority is
+Update, only the Additional is not renamed. See RFC 2136 for the gory details.
+
+You can set a rather complex set of rules for the existence of absence of
+certain resource records or names in a zone to specify if resource records
+should be added or removed. The table from RFC 2136 supplemented with the Go
+DNS function shows which functions exist to specify the prerequisites.
+
+ 3.2.4 - Table Of Metavalues Used In Prerequisite Section
+
+  CLASS    TYPE     RDATA    Meaning                    Function
+  --------------------------------------------------------------
+  ANY      ANY      empty    Name is in use             dns.NameUsed
+  ANY      rrset    empty    RRset exists (value indep) dns.RRsetUsed
+  NONE     ANY      empty    Name is not in use         dns.NameNotUsed
+  NONE     rrset    empty    RRset does not exist       dns.RRsetNotUsed
+  zone     rrset    rr       RRset exists (value dep)   dns.Used
+
+The prerequisite section can also be left empty.
+If you have decided on the prerequisites you can tell what RRs should
+be added or deleted. The next table shows the options you have and
+what functions to call.
+
+ 3.4.2.6 - Table Of Metavalues Used In Update Section
+
+  CLASS    TYPE     RDATA    Meaning                     Function
+  ---------------------------------------------------------------
+  ANY      ANY      empty    Delete all RRsets from name dns.RemoveName
+  ANY      rrset    empty    Delete an RRset             dns.RemoveRRset
+  NONE     rrset    rr       Delete an RR from RRset     dns.Remove
+  zone     rrset    rr       Add to an RRset             dns.Insert
+
+TRANSACTION SIGNATURE
+
+An TSIG or transaction signature adds a HMAC TSIG record to each message sent.
+The supported algorithms include: HmacMD5, HmacSHA1, HmacSHA256 and HmacSHA512.
+
+Basic use pattern when querying with a TSIG name "axfr." (note that these key names
+must be fully qualified - as they are domain names) and the base64 secret
+"so6ZGir4GPAqINNh9U5c3A==":
+
+	c := new(dns.Client)
+	c.TsigSecret = map[string]string{"axfr.": "so6ZGir4GPAqINNh9U5c3A=="}
+	m := new(dns.Msg)
+	m.SetQuestion("miek.nl.", dns.TypeMX)
+	m.SetTsig("axfr.", dns.HmacMD5, 300, time.Now().Unix())
+	...
+	// When sending the TSIG RR is calculated and filled in before sending
+
+When requesting an zone transfer (almost all TSIG usage is when requesting zone transfers), with
+TSIG, this is the basic use pattern. In this example we request an AXFR for
+miek.nl. with TSIG key named "axfr." and secret "so6ZGir4GPAqINNh9U5c3A=="
+and using the server 176.58.119.54:
+
+	t := new(dns.Transfer)
+	m := new(dns.Msg)
+	t.TsigSecret = map[string]string{"axfr.": "so6ZGir4GPAqINNh9U5c3A=="}
+	m.SetAxfr("miek.nl.")
+	m.SetTsig("axfr.", dns.HmacMD5, 300, time.Now().Unix())
+	c, err := t.In(m, "176.58.119.54:53")
+	for r := range c { ... }
+
+You can now read the records from the transfer as they come in. Each envelope is checked with TSIG.
+If something is not correct an error is returned.
+
+Basic use pattern validating and replying to a message that has TSIG set.
+
+	server := &dns.Server{Addr: ":53", Net: "udp"}
+	server.TsigSecret = map[string]string{"axfr.": "so6ZGir4GPAqINNh9U5c3A=="}
+	go server.ListenAndServe()
+	dns.HandleFunc(".", handleRequest)
+
+	func handleRequest(w dns.ResponseWriter, r *dns.Msg) {
+		m := new(dns.Msg)
+		m.SetReply(r)
+		if r.IsTsig() != nil {
+			if w.TsigStatus() == nil {
+				// *Msg r has an TSIG record and it was validated
+				m.SetTsig("axfr.", dns.HmacMD5, 300, time.Now().Unix())
+			} else {
+				// *Msg r has an TSIG records and it was not valided
+			}
+		}
+		w.WriteMsg(m)
+	}
+
+PRIVATE RRS
+
+RFC 6895 sets aside a range of type codes for private use. This range
+is 65,280 - 65,534 (0xFF00 - 0xFFFE). When experimenting with new Resource Records these
+can be used, before requesting an official type code from IANA.
+
+see http://miek.nl/2014/September/21/idn-and-private-rr-in-go-dns/ for more
+information.
+
+EDNS0
+
+EDNS0 is an extension mechanism for the DNS defined in RFC 2671 and updated
+by RFC 6891. It defines an new RR type, the OPT RR, which is then completely
+abused.
+Basic use pattern for creating an (empty) OPT RR:
+
+	o := new(dns.OPT)
+	o.Hdr.Name = "." // MUST be the root zone, per definition.
+	o.Hdr.Rrtype = dns.TypeOPT
+
+The rdata of an OPT RR consists out of a slice of EDNS0 (RFC 6891)
+interfaces. Currently only a few have been standardized: EDNS0_NSID
+(RFC 5001) and EDNS0_SUBNET (draft-vandergaast-edns-client-subnet-02). Note
+that these options may be combined in an OPT RR.
+Basic use pattern for a server to check if (and which) options are set:
+
+	// o is a dns.OPT
+	for _, s := range o.Option {
+		switch e := s.(type) {
+		case *dns.EDNS0_NSID:
+			// do stuff with e.Nsid
+		case *dns.EDNS0_SUBNET:
+			// access e.Family, e.Address, etc.
+		}
+	}
+
+SIG(0)
+
+From RFC 2931:
+
+    SIG(0) provides protection for DNS transactions and requests ....
+    ... protection for glue records, DNS requests, protection for message headers
+    on requests and responses, and protection of the overall integrity of a response.
+
+It works like TSIG, except that SIG(0) uses public key cryptography, instead of the shared
+secret approach in TSIG.
+Supported algorithms: DSA, ECDSAP256SHA256, ECDSAP384SHA384, RSASHA1, RSASHA256 and
+RSASHA512.
+
+Signing subsequent messages in multi-message sessions is not implemented.
+*/
+package dns
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/dyn_test.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/dyn_test.go
new file mode 100644
index 000000000..09986a5e4
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/dyn_test.go
@@ -0,0 +1,3 @@
+package dns
+
+// Find better solution
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/edns.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/edns.go
new file mode 100644
index 000000000..dbff3714c
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/edns.go
@@ -0,0 +1,597 @@
+package dns
+
+import (
+	"encoding/binary"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"net"
+	"strconv"
+)
+
+// EDNS0 Option codes.
+const (
+	EDNS0LLQ          = 0x1     // long lived queries: http://tools.ietf.org/html/draft-sekar-dns-llq-01
+	EDNS0UL           = 0x2     // update lease draft: http://files.dns-sd.org/draft-sekar-dns-ul.txt
+	EDNS0NSID         = 0x3     // nsid (RFC5001)
+	EDNS0DAU          = 0x5     // DNSSEC Algorithm Understood
+	EDNS0DHU          = 0x6     // DS Hash Understood
+	EDNS0N3U          = 0x7     // NSEC3 Hash Understood
+	EDNS0SUBNET       = 0x8     // client-subnet (RFC6891)
+	EDNS0EXPIRE       = 0x9     // EDNS0 expire
+	EDNS0COOKIE       = 0xa     // EDNS0 Cookie
+	EDNS0TCPKEEPALIVE = 0xb     // EDNS0 tcp keep alive (RFC7828)
+	EDNS0SUBNETDRAFT  = 0x50fa  // Don't use! Use EDNS0SUBNET
+	EDNS0LOCALSTART   = 0xFDE9  // Beginning of range reserved for local/experimental use (RFC6891)
+	EDNS0LOCALEND     = 0xFFFE  // End of range reserved for local/experimental use (RFC6891)
+	_DO               = 1 << 15 // dnssec ok
+)
+
+// OPT is the EDNS0 RR appended to messages to convey extra (meta) information.
+// See RFC 6891.
+type OPT struct {
+	Hdr    RR_Header
+	Option []EDNS0 `dns:"opt"`
+}
+
+func (rr *OPT) String() string {
+	s := "\n;; OPT PSEUDOSECTION:\n; EDNS: version " + strconv.Itoa(int(rr.Version())) + "; "
+	if rr.Do() {
+		s += "flags: do; "
+	} else {
+		s += "flags: ; "
+	}
+	s += "udp: " + strconv.Itoa(int(rr.UDPSize()))
+
+	for _, o := range rr.Option {
+		switch o.(type) {
+		case *EDNS0_NSID:
+			s += "\n; NSID: " + o.String()
+			h, e := o.pack()
+			var r string
+			if e == nil {
+				for _, c := range h {
+					r += "(" + string(c) + ")"
+				}
+				s += "  " + r
+			}
+		case *EDNS0_SUBNET:
+			s += "\n; SUBNET: " + o.String()
+			if o.(*EDNS0_SUBNET).DraftOption {
+				s += " (draft)"
+			}
+		case *EDNS0_COOKIE:
+			s += "\n; COOKIE: " + o.String()
+		case *EDNS0_UL:
+			s += "\n; UPDATE LEASE: " + o.String()
+		case *EDNS0_LLQ:
+			s += "\n; LONG LIVED QUERIES: " + o.String()
+		case *EDNS0_DAU:
+			s += "\n; DNSSEC ALGORITHM UNDERSTOOD: " + o.String()
+		case *EDNS0_DHU:
+			s += "\n; DS HASH UNDERSTOOD: " + o.String()
+		case *EDNS0_N3U:
+			s += "\n; NSEC3 HASH UNDERSTOOD: " + o.String()
+		case *EDNS0_LOCAL:
+			s += "\n; LOCAL OPT: " + o.String()
+		}
+	}
+	return s
+}
+
+func (rr *OPT) len() int {
+	l := rr.Hdr.len()
+	for i := 0; i < len(rr.Option); i++ {
+		l += 4 // Account for 2-byte option code and 2-byte option length.
+		lo, _ := rr.Option[i].pack()
+		l += len(lo)
+	}
+	return l
+}
+
+// return the old value -> delete SetVersion?
+
+// Version returns the EDNS version used. Only zero is defined.
+func (rr *OPT) Version() uint8 {
+	return uint8((rr.Hdr.Ttl & 0x00FF0000) >> 16)
+}
+
+// SetVersion sets the version of EDNS. This is usually zero.
+func (rr *OPT) SetVersion(v uint8) {
+	rr.Hdr.Ttl = rr.Hdr.Ttl&0xFF00FFFF | (uint32(v) << 16)
+}
+
+// ExtendedRcode returns the EDNS extended RCODE field (the upper 8 bits of the TTL).
+func (rr *OPT) ExtendedRcode() int {
+	return int((rr.Hdr.Ttl&0xFF000000)>>24) + 15
+}
+
+// SetExtendedRcode sets the EDNS extended RCODE field.
+func (rr *OPT) SetExtendedRcode(v uint8) {
+	if v < RcodeBadVers { // Smaller than 16.. Use the 4 bits you have!
+		return
+	}
+	rr.Hdr.Ttl = rr.Hdr.Ttl&0x00FFFFFF | (uint32(v-15) << 24)
+}
+
+// UDPSize returns the UDP buffer size.
+func (rr *OPT) UDPSize() uint16 {
+	return rr.Hdr.Class
+}
+
+// SetUDPSize sets the UDP buffer size.
+func (rr *OPT) SetUDPSize(size uint16) {
+	rr.Hdr.Class = size
+}
+
+// Do returns the value of the DO (DNSSEC OK) bit.
+func (rr *OPT) Do() bool {
+	return rr.Hdr.Ttl&_DO == _DO
+}
+
+// SetDo sets the DO (DNSSEC OK) bit.
+// If we pass an argument, set the DO bit to that value.
+// It is possible to pass 2 or more arguments. Any arguments after the 1st is silently ignored.
+func (rr *OPT) SetDo(do ...bool) {
+	if len(do) == 1 {
+		if do[0] {
+			rr.Hdr.Ttl |= _DO
+		} else {
+			rr.Hdr.Ttl &^= _DO
+		}
+	} else {
+		rr.Hdr.Ttl |= _DO
+	}
+}
+
+// EDNS0 defines an EDNS0 Option. An OPT RR can have multiple options appended to it.
+type EDNS0 interface {
+	// Option returns the option code for the option.
+	Option() uint16
+	// pack returns the bytes of the option data.
+	pack() ([]byte, error)
+	// unpack sets the data as found in the buffer. Is also sets
+	// the length of the slice as the length of the option data.
+	unpack([]byte) error
+	// String returns the string representation of the option.
+	String() string
+}
+
+// EDNS0_NSID option is used to retrieve a nameserver
+// identifier. When sending a request Nsid must be set to the empty string
+// The identifier is an opaque string encoded as hex.
+// Basic use pattern for creating an nsid option:
+//
+//	o := new(dns.OPT)
+//	o.Hdr.Name = "."
+//	o.Hdr.Rrtype = dns.TypeOPT
+//	e := new(dns.EDNS0_NSID)
+//	e.Code = dns.EDNS0NSID
+//	e.Nsid = "AA"
+//	o.Option = append(o.Option, e)
+type EDNS0_NSID struct {
+	Code uint16 // Always EDNS0NSID
+	Nsid string // This string needs to be hex encoded
+}
+
+func (e *EDNS0_NSID) pack() ([]byte, error) {
+	h, err := hex.DecodeString(e.Nsid)
+	if err != nil {
+		return nil, err
+	}
+	return h, nil
+}
+
+func (e *EDNS0_NSID) Option() uint16        { return EDNS0NSID }
+func (e *EDNS0_NSID) unpack(b []byte) error { e.Nsid = hex.EncodeToString(b); return nil }
+func (e *EDNS0_NSID) String() string        { return string(e.Nsid) }
+
+// EDNS0_SUBNET is the subnet option that is used to give the remote nameserver
+// an idea of where the client lives. It can then give back a different
+// answer depending on the location or network topology.
+// Basic use pattern for creating an subnet option:
+//
+//	o := new(dns.OPT)
+//	o.Hdr.Name = "."
+//	o.Hdr.Rrtype = dns.TypeOPT
+//	e := new(dns.EDNS0_SUBNET)
+//	e.Code = dns.EDNS0SUBNET
+//	e.Family = 1	// 1 for IPv4 source address, 2 for IPv6
+//	e.SourceNetmask = 32	// 32 for IPV4, 128 for IPv6
+//	e.SourceScope = 0
+//	e.Address = net.ParseIP("127.0.0.1").To4()	// for IPv4
+//	// e.Address = net.ParseIP("2001:7b8:32a::2")	// for IPV6
+//	o.Option = append(o.Option, e)
+//
+// Note: the spec (draft-ietf-dnsop-edns-client-subnet-00) has some insane logic
+// for which netmask applies to the address. This code will parse all the
+// available bits when unpacking (up to optlen). When packing it will apply
+// SourceNetmask. If you need more advanced logic, patches welcome and good luck.
+type EDNS0_SUBNET struct {
+	Code          uint16 // Always EDNS0SUBNET
+	Family        uint16 // 1 for IP, 2 for IP6
+	SourceNetmask uint8
+	SourceScope   uint8
+	Address       net.IP
+	DraftOption   bool // Set to true if using the old (0x50fa) option code
+}
+
+func (e *EDNS0_SUBNET) Option() uint16 {
+	if e.DraftOption {
+		return EDNS0SUBNETDRAFT
+	}
+	return EDNS0SUBNET
+}
+
+func (e *EDNS0_SUBNET) pack() ([]byte, error) {
+	b := make([]byte, 4)
+	binary.BigEndian.PutUint16(b[0:], e.Family)
+	b[2] = e.SourceNetmask
+	b[3] = e.SourceScope
+	switch e.Family {
+	case 1:
+		if e.SourceNetmask > net.IPv4len*8 {
+			return nil, errors.New("dns: bad netmask")
+		}
+		if len(e.Address.To4()) != net.IPv4len {
+			return nil, errors.New("dns: bad address")
+		}
+		ip := e.Address.To4().Mask(net.CIDRMask(int(e.SourceNetmask), net.IPv4len*8))
+		needLength := (e.SourceNetmask + 8 - 1) / 8 // division rounding up
+		b = append(b, ip[:needLength]...)
+	case 2:
+		if e.SourceNetmask > net.IPv6len*8 {
+			return nil, errors.New("dns: bad netmask")
+		}
+		if len(e.Address) != net.IPv6len {
+			return nil, errors.New("dns: bad address")
+		}
+		ip := e.Address.Mask(net.CIDRMask(int(e.SourceNetmask), net.IPv6len*8))
+		needLength := (e.SourceNetmask + 8 - 1) / 8 // division rounding up
+		b = append(b, ip[:needLength]...)
+	default:
+		return nil, errors.New("dns: bad address family")
+	}
+	return b, nil
+}
+
+func (e *EDNS0_SUBNET) unpack(b []byte) error {
+	if len(b) < 4 {
+		return ErrBuf
+	}
+	e.Family = binary.BigEndian.Uint16(b)
+	e.SourceNetmask = b[2]
+	e.SourceScope = b[3]
+	switch e.Family {
+	case 1:
+		if e.SourceNetmask > net.IPv4len*8 || e.SourceScope > net.IPv4len*8 {
+			return errors.New("dns: bad netmask")
+		}
+		addr := make([]byte, net.IPv4len)
+		for i := 0; i < net.IPv4len && 4+i < len(b); i++ {
+			addr[i] = b[4+i]
+		}
+		e.Address = net.IPv4(addr[0], addr[1], addr[2], addr[3])
+	case 2:
+		if e.SourceNetmask > net.IPv6len*8 || e.SourceScope > net.IPv6len*8 {
+			return errors.New("dns: bad netmask")
+		}
+		addr := make([]byte, net.IPv6len)
+		for i := 0; i < net.IPv6len && 4+i < len(b); i++ {
+			addr[i] = b[4+i]
+		}
+		e.Address = net.IP{addr[0], addr[1], addr[2], addr[3], addr[4],
+			addr[5], addr[6], addr[7], addr[8], addr[9], addr[10],
+			addr[11], addr[12], addr[13], addr[14], addr[15]}
+	default:
+		return errors.New("dns: bad address family")
+	}
+	return nil
+}
+
+func (e *EDNS0_SUBNET) String() (s string) {
+	if e.Address == nil {
+		s = "<nil>"
+	} else if e.Address.To4() != nil {
+		s = e.Address.String()
+	} else {
+		s = "[" + e.Address.String() + "]"
+	}
+	s += "/" + strconv.Itoa(int(e.SourceNetmask)) + "/" + strconv.Itoa(int(e.SourceScope))
+	return
+}
+
+// The EDNS0_COOKIE option is used to add a DNS Cookie to a message.
+//
+//	o := new(dns.OPT)
+//	o.Hdr.Name = "."
+//	o.Hdr.Rrtype = dns.TypeOPT
+//	e := new(dns.EDNS0_COOKIE)
+//	e.Code = dns.EDNS0COOKIE
+//	e.Cookie = "24a5ac.."
+//	o.Option = append(o.Option, e)
+//
+// The Cookie field consists out of a client cookie (RFC 7873 Section 4), that is
+// always 8 bytes. It may then optionally be followed by the server cookie. The server
+// cookie is of variable length, 8 to a maximum of 32 bytes. In other words:
+//
+//	cCookie := o.Cookie[:16]
+//	sCookie := o.Cookie[16:]
+//
+// There is no guarantee that the Cookie string has a specific length.
+type EDNS0_COOKIE struct {
+	Code   uint16 // Always EDNS0COOKIE
+	Cookie string // Hex-encoded cookie data
+}
+
+func (e *EDNS0_COOKIE) pack() ([]byte, error) {
+	h, err := hex.DecodeString(e.Cookie)
+	if err != nil {
+		return nil, err
+	}
+	return h, nil
+}
+
+func (e *EDNS0_COOKIE) Option() uint16        { return EDNS0COOKIE }
+func (e *EDNS0_COOKIE) unpack(b []byte) error { e.Cookie = hex.EncodeToString(b); return nil }
+func (e *EDNS0_COOKIE) String() string        { return e.Cookie }
+
+// The EDNS0_UL (Update Lease) (draft RFC) option is used to tell the server to set
+// an expiration on an update RR. This is helpful for clients that cannot clean
+// up after themselves. This is a draft RFC and more information can be found at
+// http://files.dns-sd.org/draft-sekar-dns-ul.txt
+//
+//	o := new(dns.OPT)
+//	o.Hdr.Name = "."
+//	o.Hdr.Rrtype = dns.TypeOPT
+//	e := new(dns.EDNS0_UL)
+//	e.Code = dns.EDNS0UL
+//	e.Lease = 120 // in seconds
+//	o.Option = append(o.Option, e)
+type EDNS0_UL struct {
+	Code  uint16 // Always EDNS0UL
+	Lease uint32
+}
+
+func (e *EDNS0_UL) Option() uint16 { return EDNS0UL }
+func (e *EDNS0_UL) String() string { return strconv.FormatUint(uint64(e.Lease), 10) }
+
+// Copied: http://golang.org/src/pkg/net/dnsmsg.go
+func (e *EDNS0_UL) pack() ([]byte, error) {
+	b := make([]byte, 4)
+	binary.BigEndian.PutUint32(b, e.Lease)
+	return b, nil
+}
+
+func (e *EDNS0_UL) unpack(b []byte) error {
+	if len(b) < 4 {
+		return ErrBuf
+	}
+	e.Lease = binary.BigEndian.Uint32(b)
+	return nil
+}
+
+// EDNS0_LLQ stands for Long Lived Queries: http://tools.ietf.org/html/draft-sekar-dns-llq-01
+// Implemented for completeness, as the EDNS0 type code is assigned.
+type EDNS0_LLQ struct {
+	Code      uint16 // Always EDNS0LLQ
+	Version   uint16
+	Opcode    uint16
+	Error     uint16
+	Id        uint64
+	LeaseLife uint32
+}
+
+func (e *EDNS0_LLQ) Option() uint16 { return EDNS0LLQ }
+
+func (e *EDNS0_LLQ) pack() ([]byte, error) {
+	b := make([]byte, 18)
+	binary.BigEndian.PutUint16(b[0:], e.Version)
+	binary.BigEndian.PutUint16(b[2:], e.Opcode)
+	binary.BigEndian.PutUint16(b[4:], e.Error)
+	binary.BigEndian.PutUint64(b[6:], e.Id)
+	binary.BigEndian.PutUint32(b[14:], e.LeaseLife)
+	return b, nil
+}
+
+func (e *EDNS0_LLQ) unpack(b []byte) error {
+	if len(b) < 18 {
+		return ErrBuf
+	}
+	e.Version = binary.BigEndian.Uint16(b[0:])
+	e.Opcode = binary.BigEndian.Uint16(b[2:])
+	e.Error = binary.BigEndian.Uint16(b[4:])
+	e.Id = binary.BigEndian.Uint64(b[6:])
+	e.LeaseLife = binary.BigEndian.Uint32(b[14:])
+	return nil
+}
+
+func (e *EDNS0_LLQ) String() string {
+	s := strconv.FormatUint(uint64(e.Version), 10) + " " + strconv.FormatUint(uint64(e.Opcode), 10) +
+		" " + strconv.FormatUint(uint64(e.Error), 10) + " " + strconv.FormatUint(uint64(e.Id), 10) +
+		" " + strconv.FormatUint(uint64(e.LeaseLife), 10)
+	return s
+}
+
+type EDNS0_DAU struct {
+	Code    uint16 // Always EDNS0DAU
+	AlgCode []uint8
+}
+
+func (e *EDNS0_DAU) Option() uint16        { return EDNS0DAU }
+func (e *EDNS0_DAU) pack() ([]byte, error) { return e.AlgCode, nil }
+func (e *EDNS0_DAU) unpack(b []byte) error { e.AlgCode = b; return nil }
+
+func (e *EDNS0_DAU) String() string {
+	s := ""
+	for i := 0; i < len(e.AlgCode); i++ {
+		if a, ok := AlgorithmToString[e.AlgCode[i]]; ok {
+			s += " " + a
+		} else {
+			s += " " + strconv.Itoa(int(e.AlgCode[i]))
+		}
+	}
+	return s
+}
+
+type EDNS0_DHU struct {
+	Code    uint16 // Always EDNS0DHU
+	AlgCode []uint8
+}
+
+func (e *EDNS0_DHU) Option() uint16        { return EDNS0DHU }
+func (e *EDNS0_DHU) pack() ([]byte, error) { return e.AlgCode, nil }
+func (e *EDNS0_DHU) unpack(b []byte) error { e.AlgCode = b; return nil }
+
+func (e *EDNS0_DHU) String() string {
+	s := ""
+	for i := 0; i < len(e.AlgCode); i++ {
+		if a, ok := HashToString[e.AlgCode[i]]; ok {
+			s += " " + a
+		} else {
+			s += " " + strconv.Itoa(int(e.AlgCode[i]))
+		}
+	}
+	return s
+}
+
+type EDNS0_N3U struct {
+	Code    uint16 // Always EDNS0N3U
+	AlgCode []uint8
+}
+
+func (e *EDNS0_N3U) Option() uint16        { return EDNS0N3U }
+func (e *EDNS0_N3U) pack() ([]byte, error) { return e.AlgCode, nil }
+func (e *EDNS0_N3U) unpack(b []byte) error { e.AlgCode = b; return nil }
+
+func (e *EDNS0_N3U) String() string {
+	// Re-use the hash map
+	s := ""
+	for i := 0; i < len(e.AlgCode); i++ {
+		if a, ok := HashToString[e.AlgCode[i]]; ok {
+			s += " " + a
+		} else {
+			s += " " + strconv.Itoa(int(e.AlgCode[i]))
+		}
+	}
+	return s
+}
+
+type EDNS0_EXPIRE struct {
+	Code   uint16 // Always EDNS0EXPIRE
+	Expire uint32
+}
+
+func (e *EDNS0_EXPIRE) Option() uint16 { return EDNS0EXPIRE }
+func (e *EDNS0_EXPIRE) String() string { return strconv.FormatUint(uint64(e.Expire), 10) }
+
+func (e *EDNS0_EXPIRE) pack() ([]byte, error) {
+	b := make([]byte, 4)
+	b[0] = byte(e.Expire >> 24)
+	b[1] = byte(e.Expire >> 16)
+	b[2] = byte(e.Expire >> 8)
+	b[3] = byte(e.Expire)
+	return b, nil
+}
+
+func (e *EDNS0_EXPIRE) unpack(b []byte) error {
+	if len(b) < 4 {
+		return ErrBuf
+	}
+	e.Expire = binary.BigEndian.Uint32(b)
+	return nil
+}
+
+// The EDNS0_LOCAL option is used for local/experimental purposes. The option
+// code is recommended to be within the range [EDNS0LOCALSTART, EDNS0LOCALEND]
+// (RFC6891), although any unassigned code can actually be used.  The content of
+// the option is made available in Data, unaltered.
+// Basic use pattern for creating a local option:
+//
+//	o := new(dns.OPT)
+//	o.Hdr.Name = "."
+//	o.Hdr.Rrtype = dns.TypeOPT
+//	e := new(dns.EDNS0_LOCAL)
+//	e.Code = dns.EDNS0LOCALSTART
+//	e.Data = []byte{72, 82, 74}
+//	o.Option = append(o.Option, e)
+type EDNS0_LOCAL struct {
+	Code uint16
+	Data []byte
+}
+
+func (e *EDNS0_LOCAL) Option() uint16 { return e.Code }
+func (e *EDNS0_LOCAL) String() string {
+	return strconv.FormatInt(int64(e.Code), 10) + ":0x" + hex.EncodeToString(e.Data)
+}
+
+func (e *EDNS0_LOCAL) pack() ([]byte, error) {
+	b := make([]byte, len(e.Data))
+	copied := copy(b, e.Data)
+	if copied != len(e.Data) {
+		return nil, ErrBuf
+	}
+	return b, nil
+}
+
+func (e *EDNS0_LOCAL) unpack(b []byte) error {
+	e.Data = make([]byte, len(b))
+	copied := copy(e.Data, b)
+	if copied != len(b) {
+		return ErrBuf
+	}
+	return nil
+}
+
+// EDNS0_TCP_KEEPALIVE is an EDNS0 option that instructs the server to keep
+// the TCP connection alive. See RFC 7828.
+type EDNS0_TCP_KEEPALIVE struct {
+	Code    uint16 // Always EDNSTCPKEEPALIVE
+	Length  uint16 // the value 0 if the TIMEOUT is omitted, the value 2 if it is present;
+	Timeout uint16 // an idle timeout value for the TCP connection, specified in units of 100 milliseconds, encoded in network byte order.
+}
+
+func (e *EDNS0_TCP_KEEPALIVE) Option() uint16 { return EDNS0TCPKEEPALIVE }
+
+func (e *EDNS0_TCP_KEEPALIVE) pack() ([]byte, error) {
+	if e.Timeout != 0 && e.Length != 2 {
+		return nil, errors.New("dns: timeout specified but length is not 2")
+	}
+	if e.Timeout == 0 && e.Length != 0 {
+		return nil, errors.New("dns: timeout not specified but length is not 0")
+	}
+	b := make([]byte, 4+e.Length)
+	binary.BigEndian.PutUint16(b[0:], e.Code)
+	binary.BigEndian.PutUint16(b[2:], e.Length)
+	if e.Length == 2 {
+		binary.BigEndian.PutUint16(b[4:], e.Timeout)
+	}
+	return b, nil
+}
+
+func (e *EDNS0_TCP_KEEPALIVE) unpack(b []byte) error {
+	if len(b) < 4 {
+		return ErrBuf
+	}
+	e.Length = binary.BigEndian.Uint16(b[2:4])
+	if e.Length != 0 && e.Length != 2 {
+		return errors.New("dns: length mismatch, want 0/2 but got " + strconv.FormatUint(uint64(e.Length), 10))
+	}
+	if e.Length == 2 {
+		if len(b) < 6 {
+			return ErrBuf
+		}
+		e.Timeout = binary.BigEndian.Uint16(b[4:6])
+	}
+	return nil
+}
+
+func (e *EDNS0_TCP_KEEPALIVE) String() (s string) {
+	s = "use tcp keep-alive"
+	if e.Length == 0 {
+		s += ", timeout omitted"
+	} else {
+		s += fmt.Sprintf(", timeout %dms", e.Timeout*100)
+	}
+	return
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/edns_test.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/edns_test.go
new file mode 100644
index 000000000..c290b0c8a
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/edns_test.go
@@ -0,0 +1,68 @@
+package dns
+
+import "testing"
+
+func TestOPTTtl(t *testing.T) {
+	e := &OPT{}
+	e.Hdr.Name = "."
+	e.Hdr.Rrtype = TypeOPT
+
+	// verify the default setting of DO=0
+	if e.Do() {
+		t.Errorf("DO bit should be zero")
+	}
+
+	// There are 6 possible invocations of SetDo():
+	//
+	// 1. Starting with DO=0, using SetDo()
+	// 2. Starting with DO=0, using SetDo(true)
+	// 3. Starting with DO=0, using SetDo(false)
+	// 4. Starting with DO=1, using SetDo()
+	// 5. Starting with DO=1, using SetDo(true)
+	// 6. Starting with DO=1, using SetDo(false)
+
+	// verify that invoking SetDo() sets DO=1 (TEST #1)
+	e.SetDo()
+	if !e.Do() {
+		t.Errorf("DO bit should be non-zero")
+	}
+	// verify that using SetDo(true) works when DO=1 (TEST #5)
+	e.SetDo(true)
+	if !e.Do() {
+		t.Errorf("DO bit should still be non-zero")
+	}
+	// verify that we can use SetDo(false) to set DO=0 (TEST #6)
+	e.SetDo(false)
+	if e.Do() {
+		t.Errorf("DO bit should be zero")
+	}
+	// verify that if we call SetDo(false) when DO=0 that it is unchanged (TEST #3)
+	e.SetDo(false)
+	if e.Do() {
+		t.Errorf("DO bit should still be zero")
+	}
+	// verify that using SetDo(true) works for DO=0 (TEST #2)
+	e.SetDo(true)
+	if !e.Do() {
+		t.Errorf("DO bit should be non-zero")
+	}
+	// verify that using SetDo() works for DO=1 (TEST #4)
+	e.SetDo()
+	if !e.Do() {
+		t.Errorf("DO bit should be non-zero")
+	}
+
+	if e.Version() != 0 {
+		t.Errorf("version should be non-zero")
+	}
+
+	e.SetVersion(42)
+	if e.Version() != 42 {
+		t.Errorf("set 42, expected %d, got %d", 42, e.Version())
+	}
+
+	e.SetExtendedRcode(42)
+	if e.ExtendedRcode() != 42 {
+		t.Errorf("set 42, expected %d, got %d", 42-15, e.ExtendedRcode())
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/example_test.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/example_test.go
new file mode 100644
index 000000000..64c14962c
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/example_test.go
@@ -0,0 +1,146 @@
+package dns_test
+
+import (
+	"errors"
+	"fmt"
+	"log"
+	"net"
+
+	"github.com/miekg/dns"
+)
+
+// Retrieve the MX records for miek.nl.
+func ExampleMX() {
+	config, _ := dns.ClientConfigFromFile("/etc/resolv.conf")
+	c := new(dns.Client)
+	m := new(dns.Msg)
+	m.SetQuestion("miek.nl.", dns.TypeMX)
+	m.RecursionDesired = true
+	r, _, err := c.Exchange(m, config.Servers[0]+":"+config.Port)
+	if err != nil {
+		return
+	}
+	if r.Rcode != dns.RcodeSuccess {
+		return
+	}
+	for _, a := range r.Answer {
+		if mx, ok := a.(*dns.MX); ok {
+			fmt.Printf("%s\n", mx.String())
+		}
+	}
+}
+
+// Retrieve the DNSKEY records of a zone and convert them
+// to DS records for SHA1, SHA256 and SHA384.
+func ExampleDS() {
+	config, _ := dns.ClientConfigFromFile("/etc/resolv.conf")
+	c := new(dns.Client)
+	m := new(dns.Msg)
+	zone := "miek.nl"
+	m.SetQuestion(dns.Fqdn(zone), dns.TypeDNSKEY)
+	m.SetEdns0(4096, true)
+	r, _, err := c.Exchange(m, config.Servers[0]+":"+config.Port)
+	if err != nil {
+		return
+	}
+	if r.Rcode != dns.RcodeSuccess {
+		return
+	}
+	for _, k := range r.Answer {
+		if key, ok := k.(*dns.DNSKEY); ok {
+			for _, alg := range []uint8{dns.SHA1, dns.SHA256, dns.SHA384} {
+				fmt.Printf("%s; %d\n", key.ToDS(alg).String(), key.Flags)
+			}
+		}
+	}
+}
+
+const TypeAPAIR = 0x0F99
+
+type APAIR struct {
+	addr [2]net.IP
+}
+
+func NewAPAIR() dns.PrivateRdata { return new(APAIR) }
+
+func (rd *APAIR) String() string { return rd.addr[0].String() + " " + rd.addr[1].String() }
+func (rd *APAIR) Parse(txt []string) error {
+	if len(txt) != 2 {
+		return errors.New("two addresses required for APAIR")
+	}
+	for i, s := range txt {
+		ip := net.ParseIP(s)
+		if ip == nil {
+			return errors.New("invalid IP in APAIR text representation")
+		}
+		rd.addr[i] = ip
+	}
+	return nil
+}
+
+func (rd *APAIR) Pack(buf []byte) (int, error) {
+	b := append([]byte(rd.addr[0]), []byte(rd.addr[1])...)
+	n := copy(buf, b)
+	if n != len(b) {
+		return n, dns.ErrBuf
+	}
+	return n, nil
+}
+
+func (rd *APAIR) Unpack(buf []byte) (int, error) {
+	ln := net.IPv4len * 2
+	if len(buf) != ln {
+		return 0, errors.New("invalid length of APAIR rdata")
+	}
+	cp := make([]byte, ln)
+	copy(cp, buf) // clone bytes to use them in IPs
+
+	rd.addr[0] = net.IP(cp[:3])
+	rd.addr[1] = net.IP(cp[4:])
+
+	return len(buf), nil
+}
+
+func (rd *APAIR) Copy(dest dns.PrivateRdata) error {
+	cp := make([]byte, rd.Len())
+	_, err := rd.Pack(cp)
+	if err != nil {
+		return err
+	}
+
+	d := dest.(*APAIR)
+	d.addr[0] = net.IP(cp[:3])
+	d.addr[1] = net.IP(cp[4:])
+	return nil
+}
+
+func (rd *APAIR) Len() int {
+	return net.IPv4len * 2
+}
+
+func ExamplePrivateHandle() {
+	dns.PrivateHandle("APAIR", TypeAPAIR, NewAPAIR)
+	defer dns.PrivateHandleRemove(TypeAPAIR)
+
+	rr, err := dns.NewRR("miek.nl. APAIR (1.2.3.4    1.2.3.5)")
+	if err != nil {
+		log.Fatal("could not parse APAIR record: ", err)
+	}
+	fmt.Println(rr)
+	// Output: miek.nl.	3600	IN	APAIR	1.2.3.4 1.2.3.5
+
+	m := new(dns.Msg)
+	m.Id = 12345
+	m.SetQuestion("miek.nl.", TypeAPAIR)
+	m.Answer = append(m.Answer, rr)
+
+	fmt.Println(m)
+	// ;; opcode: QUERY, status: NOERROR, id: 12345
+	// ;; flags: rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
+	//
+	// ;; QUESTION SECTION:
+	// ;miek.nl.	IN	 APAIR
+	//
+	// ;; ANSWER SECTION:
+	// miek.nl.	3600	IN	APAIR	1.2.3.4 1.2.3.5
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/format.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/format.go
new file mode 100644
index 000000000..3f5303c20
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/format.go
@@ -0,0 +1,87 @@
+package dns
+
+import (
+	"net"
+	"reflect"
+	"strconv"
+)
+
+// NumField returns the number of rdata fields r has.
+func NumField(r RR) int {
+	return reflect.ValueOf(r).Elem().NumField() - 1 // Remove RR_Header
+}
+
+// Field returns the rdata field i as a string. Fields are indexed starting from 1.
+// RR types that holds slice data, for instance the NSEC type bitmap will return a single
+// string where the types are concatenated using a space.
+// Accessing non existing fields will cause a panic.
+func Field(r RR, i int) string {
+	if i == 0 {
+		return ""
+	}
+	d := reflect.ValueOf(r).Elem().Field(i)
+	switch k := d.Kind(); k {
+	case reflect.String:
+		return d.String()
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		return strconv.FormatInt(d.Int(), 10)
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
+		return strconv.FormatUint(d.Uint(), 10)
+	case reflect.Slice:
+		switch reflect.ValueOf(r).Elem().Type().Field(i).Tag {
+		case `dns:"a"`:
+			// TODO(miek): Hmm store this as 16 bytes
+			if d.Len() < net.IPv6len {
+				return net.IPv4(byte(d.Index(0).Uint()),
+					byte(d.Index(1).Uint()),
+					byte(d.Index(2).Uint()),
+					byte(d.Index(3).Uint())).String()
+			}
+			return net.IPv4(byte(d.Index(12).Uint()),
+				byte(d.Index(13).Uint()),
+				byte(d.Index(14).Uint()),
+				byte(d.Index(15).Uint())).String()
+		case `dns:"aaaa"`:
+			return net.IP{
+				byte(d.Index(0).Uint()),
+				byte(d.Index(1).Uint()),
+				byte(d.Index(2).Uint()),
+				byte(d.Index(3).Uint()),
+				byte(d.Index(4).Uint()),
+				byte(d.Index(5).Uint()),
+				byte(d.Index(6).Uint()),
+				byte(d.Index(7).Uint()),
+				byte(d.Index(8).Uint()),
+				byte(d.Index(9).Uint()),
+				byte(d.Index(10).Uint()),
+				byte(d.Index(11).Uint()),
+				byte(d.Index(12).Uint()),
+				byte(d.Index(13).Uint()),
+				byte(d.Index(14).Uint()),
+				byte(d.Index(15).Uint()),
+			}.String()
+		case `dns:"nsec"`:
+			if d.Len() == 0 {
+				return ""
+			}
+			s := Type(d.Index(0).Uint()).String()
+			for i := 1; i < d.Len(); i++ {
+				s += " " + Type(d.Index(i).Uint()).String()
+			}
+			return s
+		default:
+			// if it does not have a tag its a string slice
+			fallthrough
+		case `dns:"txt"`:
+			if d.Len() == 0 {
+				return ""
+			}
+			s := d.Index(0).String()
+			for i := 1; i < d.Len(); i++ {
+				s += " " + d.Index(i).String()
+			}
+			return s
+		}
+	}
+	return ""
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/fuzz_test.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/fuzz_test.go
new file mode 100644
index 000000000..255869730
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/fuzz_test.go
@@ -0,0 +1,25 @@
+package dns
+
+import "testing"
+
+func TestFuzzString(t *testing.T) {
+	testcases := []string{"", " MINFO ", "	RP ", "	NSEC 0 0", "	\" NSEC 0 0\"", "  \" MINFO \"",
+		";a ", ";a����������",
+		"	NSAP O ", "  NSAP N ",
+		" TYPE4 TYPE6a789a3bc0045c8a5fb42c7d1bd998f5444 IN 9579b47d46817afbd17273e6",
+		" TYPE45 3 3 4147994 TYPE\\(\\)\\)\\(\\)\\(\\(\\)\\(\\)\\)\\)\\(\\)\\(\\)\\(\\(\\R 948\"\")\\(\\)\\)\\)\\(\\ ",
+		"$GENERATE 0-3 ${441189,5039418474430,o}",
+		"$INCLUDE 00 TYPE00000000000n ",
+		"$INCLUDE PE4 TYPE061463623/727071511 \\(\\)\\$GENERATE 6-462/0",
+	}
+	for i, tc := range testcases {
+		rr, err := NewRR(tc)
+		if err == nil {
+			// rr can be nil because we can (for instance) just parse a comment
+			if rr == nil {
+				continue
+			}
+			t.Fatalf("parsed mailformed RR %d: %s", i, rr.String())
+		}
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/generate.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/generate.go
new file mode 100644
index 000000000..e4481a4b0
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/generate.go
@@ -0,0 +1,159 @@
+package dns
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"strconv"
+	"strings"
+)
+
+// Parse the $GENERATE statement as used in BIND9 zones.
+// See http://www.zytrax.com/books/dns/ch8/generate.html for instance.
+// We are called after '$GENERATE '. After which we expect:
+// * the range (12-24/2)
+// * lhs (ownername)
+// * [[ttl][class]]
+// * type
+// * rhs (rdata)
+// But we are lazy here, only the range is parsed *all* occurrences
+// of $ after that are interpreted.
+// Any error are returned as a string value, the empty string signals
+// "no error".
+func generate(l lex, c chan lex, t chan *Token, o string) string {
+	step := 1
+	if i := strings.IndexAny(l.token, "/"); i != -1 {
+		if i+1 == len(l.token) {
+			return "bad step in $GENERATE range"
+		}
+		if s, err := strconv.Atoi(l.token[i+1:]); err == nil {
+			if s < 0 {
+				return "bad step in $GENERATE range"
+			}
+			step = s
+		} else {
+			return "bad step in $GENERATE range"
+		}
+		l.token = l.token[:i]
+	}
+	sx := strings.SplitN(l.token, "-", 2)
+	if len(sx) != 2 {
+		return "bad start-stop in $GENERATE range"
+	}
+	start, err := strconv.Atoi(sx[0])
+	if err != nil {
+		return "bad start in $GENERATE range"
+	}
+	end, err := strconv.Atoi(sx[1])
+	if err != nil {
+		return "bad stop in $GENERATE range"
+	}
+	if end < 0 || start < 0 || end < start {
+		return "bad range in $GENERATE range"
+	}
+
+	<-c // _BLANK
+	// Create a complete new string, which we then parse again.
+	s := ""
+BuildRR:
+	l = <-c
+	if l.value != zNewline && l.value != zEOF {
+		s += l.token
+		goto BuildRR
+	}
+	for i := start; i <= end; i += step {
+		var (
+			escape bool
+			dom    bytes.Buffer
+			mod    string
+			err    error
+			offset int
+		)
+
+		for j := 0; j < len(s); j++ { // No 'range' because we need to jump around
+			switch s[j] {
+			case '\\':
+				if escape {
+					dom.WriteByte('\\')
+					escape = false
+					continue
+				}
+				escape = true
+			case '$':
+				mod = "%d"
+				offset = 0
+				if escape {
+					dom.WriteByte('$')
+					escape = false
+					continue
+				}
+				escape = false
+				if j+1 >= len(s) { // End of the string
+					dom.WriteString(fmt.Sprintf(mod, i+offset))
+					continue
+				} else {
+					if s[j+1] == '$' {
+						dom.WriteByte('$')
+						j++
+						continue
+					}
+				}
+				// Search for { and }
+				if s[j+1] == '{' { // Modifier block
+					sep := strings.Index(s[j+2:], "}")
+					if sep == -1 {
+						return "bad modifier in $GENERATE"
+					}
+					mod, offset, err = modToPrintf(s[j+2 : j+2+sep])
+					if err != nil {
+						return err.Error()
+					}
+					j += 2 + sep // Jump to it
+				}
+				dom.WriteString(fmt.Sprintf(mod, i+offset))
+			default:
+				if escape { // Pretty useless here
+					escape = false
+					continue
+				}
+				dom.WriteByte(s[j])
+			}
+		}
+		// Re-parse the RR and send it on the current channel t
+		rx, err := NewRR("$ORIGIN " + o + "\n" + dom.String())
+		if err != nil {
+			return err.Error()
+		}
+		t <- &Token{RR: rx}
+		// Its more efficient to first built the rrlist and then parse it in
+		// one go! But is this a problem?
+	}
+	return ""
+}
+
+// Convert a $GENERATE modifier 0,0,d to something Printf can deal with.
+func modToPrintf(s string) (string, int, error) {
+	xs := strings.SplitN(s, ",", 3)
+	if len(xs) != 3 {
+		return "", 0, errors.New("bad modifier in $GENERATE")
+	}
+	// xs[0] is offset, xs[1] is width, xs[2] is base
+	if xs[2] != "o" && xs[2] != "d" && xs[2] != "x" && xs[2] != "X" {
+		return "", 0, errors.New("bad base in $GENERATE")
+	}
+	offset, err := strconv.Atoi(xs[0])
+	if err != nil || offset > 255 {
+		return "", 0, errors.New("bad offset in $GENERATE")
+	}
+	width, err := strconv.Atoi(xs[1])
+	if err != nil || width > 255 {
+		return "", offset, errors.New("bad width in $GENERATE")
+	}
+	switch {
+	case width < 0:
+		return "", offset, errors.New("bad width in $GENERATE")
+	case width == 0:
+		return "%" + xs[1] + xs[2], offset, nil
+	}
+	return "%0" + xs[1] + xs[2], offset, nil
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/issue_test.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/issue_test.go
new file mode 100644
index 000000000..265ad56c0
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/issue_test.go
@@ -0,0 +1,68 @@
+package dns
+
+// Tests that solve that an specific issue.
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestTCPRtt(t *testing.T) {
+	m := new(Msg)
+	m.RecursionDesired = true
+	m.SetQuestion("example.org.", TypeA)
+
+	c := &Client{}
+	for _, proto := range []string{"udp", "tcp"} {
+		c.Net = proto
+		_, rtt, err := c.Exchange(m, "8.8.4.4:53")
+		if err != nil {
+			t.Fatal(err)
+		}
+		if rtt == 0 {
+			t.Fatalf("expecting non zero rtt %s, got zero", c.Net)
+		}
+	}
+}
+
+func TestNSEC3MissingSalt(t *testing.T) {
+	rr, err := NewRR("ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. NSEC3 1 1 12 aabbccdd K8UDEMVP1J2F7EG6JEBPS17VP3N8I58H")
+	if err != nil {
+		t.Fatalf("failed to parse example rr: %s", err)
+	}
+	m := new(Msg)
+	m.Answer = []RR{rr}
+	mb, err := m.Pack()
+	if err != nil {
+		t.Fatalf("expected to pack message. err: %s", err)
+	}
+	if err := m.Unpack(mb); err != nil {
+		t.Fatalf("expected to unpack message. missing salt? err: %s", err)
+	}
+	in := rr.(*NSEC3).Salt
+	out := m.Answer[0].(*NSEC3).Salt
+	if in != out {
+		t.Fatalf("expected salts to match. packed: `%s`. returned: `%s`", in, out)
+	}
+}
+
+func TestNSEC3MixedNextDomain(t *testing.T) {
+	rr, err := NewRR("ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. NSEC3 1 1 12 - k8udemvp1j2f7eg6jebps17vp3n8i58h")
+	if err != nil {
+		t.Fatalf("failed to parse example rr: %s", err)
+	}
+	m := new(Msg)
+	m.Answer = []RR{rr}
+	mb, err := m.Pack()
+	if err != nil {
+		t.Fatalf("expected to pack message. err: %s", err)
+	}
+	if err := m.Unpack(mb); err != nil {
+		t.Fatalf("expected to unpack message. err: %s", err)
+	}
+	in := strings.ToUpper(rr.(*NSEC3).NextDomain)
+	out := m.Answer[0].(*NSEC3).NextDomain
+	if in != out {
+		t.Fatalf("expected round trip to produce NextDomain `%s`, instead `%s`", in, out)
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/labels.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/labels.go
new file mode 100644
index 000000000..9538d9c3a
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/labels.go
@@ -0,0 +1,171 @@
+package dns
+
+import "strings"
+
+// Holds a bunch of helper functions for dealing with labels.
+
+// SplitDomainName splits a name string into it's labels.
+// www.miek.nl. returns []string{"www", "miek", "nl"}
+// .www.miek.nl. returns []string{"", "www", "miek", "nl"},
+// The root label (.) returns nil. Note that using
+// strings.Split(s) will work in most cases, but does not handle
+// escaped dots (\.) for instance.
+// s must be a syntactically valid domain name, see IsDomainName.
+func SplitDomainName(s string) (labels []string) {
+	if len(s) == 0 {
+		return nil
+	}
+	fqdnEnd := 0 // offset of the final '.' or the length of the name
+	idx := Split(s)
+	begin := 0
+	if s[len(s)-1] == '.' {
+		fqdnEnd = len(s) - 1
+	} else {
+		fqdnEnd = len(s)
+	}
+
+	switch len(idx) {
+	case 0:
+		return nil
+	case 1:
+		// no-op
+	default:
+		end := 0
+		for i := 1; i < len(idx); i++ {
+			end = idx[i]
+			labels = append(labels, s[begin:end-1])
+			begin = end
+		}
+	}
+
+	labels = append(labels, s[begin:fqdnEnd])
+	return labels
+}
+
+// CompareDomainName compares the names s1 and s2 and
+// returns how many labels they have in common starting from the *right*.
+// The comparison stops at the first inequality. The names are not downcased
+// before the comparison.
+//
+// www.miek.nl. and miek.nl. have two labels in common: miek and nl
+// www.miek.nl. and www.bla.nl. have one label in common: nl
+//
+// s1 and s2 must be syntactically valid domain names.
+func CompareDomainName(s1, s2 string) (n int) {
+	s1, s2 = strings.ToLower(s1), strings.ToLower(s2)
+	s1 = Fqdn(s1)
+	s2 = Fqdn(s2)
+	l1 := Split(s1)
+	l2 := Split(s2)
+
+	// the first check: root label
+	if l1 == nil || l2 == nil {
+		return
+	}
+
+	j1 := len(l1) - 1 // end
+	i1 := len(l1) - 2 // start
+	j2 := len(l2) - 1
+	i2 := len(l2) - 2
+	// the second check can be done here: last/only label
+	// before we fall through into the for-loop below
+	if s1[l1[j1]:] == s2[l2[j2]:] {
+		n++
+	} else {
+		return
+	}
+	for {
+		if i1 < 0 || i2 < 0 {
+			break
+		}
+		if s1[l1[i1]:l1[j1]] == s2[l2[i2]:l2[j2]] {
+			n++
+		} else {
+			break
+		}
+		j1--
+		i1--
+		j2--
+		i2--
+	}
+	return
+}
+
+// CountLabel counts the the number of labels in the string s.
+// s must be a syntactically valid domain name.
+func CountLabel(s string) (labels int) {
+	if s == "." {
+		return
+	}
+	off := 0
+	end := false
+	for {
+		off, end = NextLabel(s, off)
+		labels++
+		if end {
+			return
+		}
+	}
+}
+
+// Split splits a name s into its label indexes.
+// www.miek.nl. returns []int{0, 4, 9}, www.miek.nl also returns []int{0, 4, 9}.
+// The root name (.) returns nil. Also see SplitDomainName.
+// s must be a syntactically valid domain name.
+func Split(s string) []int {
+	if s == "." {
+		return nil
+	}
+	idx := make([]int, 1, 3)
+	off := 0
+	end := false
+
+	for {
+		off, end = NextLabel(s, off)
+		if end {
+			return idx
+		}
+		idx = append(idx, off)
+	}
+}
+
+// NextLabel returns the index of the start of the next label in the
+// string s starting at offset.
+// The bool end is true when the end of the string has been reached.
+// Also see PrevLabel.
+func NextLabel(s string, offset int) (i int, end bool) {
+	quote := false
+	for i = offset; i < len(s)-1; i++ {
+		switch s[i] {
+		case '\\':
+			quote = !quote
+		default:
+			quote = false
+		case '.':
+			if quote {
+				quote = !quote
+				continue
+			}
+			return i + 1, false
+		}
+	}
+	return i + 1, true
+}
+
+// PrevLabel returns the index of the label when starting from the right and
+// jumping n labels to the left.
+// The bool start is true when the start of the string has been overshot.
+// Also see NextLabel.
+func PrevLabel(s string, n int) (i int, start bool) {
+	if n == 0 {
+		return len(s), false
+	}
+	lab := Split(s)
+	if lab == nil {
+		return 0, true
+	}
+	if n > len(lab) {
+		return 0, true
+	}
+	return lab[len(lab)-n], false
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/labels_test.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/labels_test.go
new file mode 100644
index 000000000..9875d6cd9
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/labels_test.go
@@ -0,0 +1,203 @@
+package dns
+
+import "testing"
+
+func TestCompareDomainName(t *testing.T) {
+	s1 := "www.miek.nl."
+	s2 := "miek.nl."
+	s3 := "www.bla.nl."
+	s4 := "nl.www.bla."
+	s5 := "nl"
+	s6 := "miek.nl"
+
+	if CompareDomainName(s1, s2) != 2 {
+		t.Errorf("%s with %s should be %d", s1, s2, 2)
+	}
+	if CompareDomainName(s1, s3) != 1 {
+		t.Errorf("%s with %s should be %d", s1, s3, 1)
+	}
+	if CompareDomainName(s3, s4) != 0 {
+		t.Errorf("%s with %s should be %d", s3, s4, 0)
+	}
+	// Non qualified tests
+	if CompareDomainName(s1, s5) != 1 {
+		t.Errorf("%s with %s should be %d", s1, s5, 1)
+	}
+	if CompareDomainName(s1, s6) != 2 {
+		t.Errorf("%s with %s should be %d", s1, s5, 2)
+	}
+
+	if CompareDomainName(s1, ".") != 0 {
+		t.Errorf("%s with %s should be %d", s1, s5, 0)
+	}
+	if CompareDomainName(".", ".") != 0 {
+		t.Errorf("%s with %s should be %d", ".", ".", 0)
+	}
+	if CompareDomainName("test.com.", "TEST.COM.") != 2 {
+		t.Errorf("test.com. and TEST.COM. should be an exact match")
+	}
+}
+
+func TestSplit(t *testing.T) {
+	splitter := map[string]int{
+		"www.miek.nl.":   3,
+		"www.miek.nl":    3,
+		"www..miek.nl":   4,
+		`www\.miek.nl.`:  2,
+		`www\\.miek.nl.`: 3,
+		".":              0,
+		"nl.":            1,
+		"nl":             1,
+		"com.":           1,
+		".com.":          2,
+	}
+	for s, i := range splitter {
+		if x := len(Split(s)); x != i {
+			t.Errorf("labels should be %d, got %d: %s %v", i, x, s, Split(s))
+		} else {
+			t.Logf("%s %v", s, Split(s))
+		}
+	}
+}
+
+func TestSplit2(t *testing.T) {
+	splitter := map[string][]int{
+		"www.miek.nl.": {0, 4, 9},
+		"www.miek.nl":  {0, 4, 9},
+		"nl":           {0},
+	}
+	for s, i := range splitter {
+		x := Split(s)
+		switch len(i) {
+		case 1:
+			if x[0] != i[0] {
+				t.Errorf("labels should be %v, got %v: %s", i, x, s)
+			}
+		default:
+			if x[0] != i[0] || x[1] != i[1] || x[2] != i[2] {
+				t.Errorf("labels should be %v, got %v: %s", i, x, s)
+			}
+		}
+	}
+}
+
+func TestPrevLabel(t *testing.T) {
+	type prev struct {
+		string
+		int
+	}
+	prever := map[prev]int{
+		prev{"www.miek.nl.", 0}: 12,
+		prev{"www.miek.nl.", 1}: 9,
+		prev{"www.miek.nl.", 2}: 4,
+
+		prev{"www.miek.nl", 0}: 11,
+		prev{"www.miek.nl", 1}: 9,
+		prev{"www.miek.nl", 2}: 4,
+
+		prev{"www.miek.nl.", 5}: 0,
+		prev{"www.miek.nl", 5}:  0,
+
+		prev{"www.miek.nl.", 3}: 0,
+		prev{"www.miek.nl", 3}:  0,
+	}
+	for s, i := range prever {
+		x, ok := PrevLabel(s.string, s.int)
+		if i != x {
+			t.Errorf("label should be %d, got %d, %t: preving %d, %s", i, x, ok, s.int, s.string)
+		}
+	}
+}
+
+func TestCountLabel(t *testing.T) {
+	splitter := map[string]int{
+		"www.miek.nl.": 3,
+		"www.miek.nl":  3,
+		"nl":           1,
+		".":            0,
+	}
+	for s, i := range splitter {
+		x := CountLabel(s)
+		if x != i {
+			t.Errorf("CountLabel should have %d, got %d", i, x)
+		}
+	}
+}
+
+func TestSplitDomainName(t *testing.T) {
+	labels := map[string][]string{
+		"miek.nl":       {"miek", "nl"},
+		".":             nil,
+		"www.miek.nl.":  {"www", "miek", "nl"},
+		"www.miek.nl":   {"www", "miek", "nl"},
+		"www..miek.nl":  {"www", "", "miek", "nl"},
+		`www\.miek.nl`:  {`www\.miek`, "nl"},
+		`www\\.miek.nl`: {`www\\`, "miek", "nl"},
+		".www.miek.nl.": {"", "www", "miek", "nl"},
+	}
+domainLoop:
+	for domain, splits := range labels {
+		parts := SplitDomainName(domain)
+		if len(parts) != len(splits) {
+			t.Errorf("SplitDomainName returned %v for %s, expected %v", parts, domain, splits)
+			continue domainLoop
+		}
+		for i := range parts {
+			if parts[i] != splits[i] {
+				t.Errorf("SplitDomainName returned %v for %s, expected %v", parts, domain, splits)
+				continue domainLoop
+			}
+		}
+	}
+}
+
+func TestIsDomainName(t *testing.T) {
+	type ret struct {
+		ok  bool
+		lab int
+	}
+	names := map[string]*ret{
+		"..":               {false, 1},
+		"@.":               {true, 1},
+		"www.example.com":  {true, 3},
+		"www.e%ample.com":  {true, 3},
+		"www.example.com.": {true, 3},
+		"mi\\k.nl.":        {true, 2},
+		"mi\\k.nl":         {true, 2},
+	}
+	for d, ok := range names {
+		l, k := IsDomainName(d)
+		if ok.ok != k || ok.lab != l {
+			t.Errorf(" got %v %d for %s ", k, l, d)
+			t.Errorf("have %v %d for %s ", ok.ok, ok.lab, d)
+		}
+	}
+}
+
+func BenchmarkSplitLabels(b *testing.B) {
+	for i := 0; i < b.N; i++ {
+		Split("www.example.com")
+	}
+}
+
+func BenchmarkLenLabels(b *testing.B) {
+	for i := 0; i < b.N; i++ {
+		CountLabel("www.example.com")
+	}
+}
+
+func BenchmarkCompareLabels(b *testing.B) {
+	b.ReportAllocs()
+	for i := 0; i < b.N; i++ {
+		CompareDomainName("www.example.com", "aa.example.com")
+	}
+}
+
+func BenchmarkIsSubDomain(b *testing.B) {
+	b.ReportAllocs()
+	for i := 0; i < b.N; i++ {
+		IsSubDomain("www.example.com", "aa.example.com")
+		IsSubDomain("example.com", "aa.example.com")
+		IsSubDomain("miek.nl", "aa.example.com")
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/msg.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/msg.go
new file mode 100644
index 000000000..605fe6c5c
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/msg.go
@@ -0,0 +1,1159 @@
+// DNS packet assembly, see RFC 1035. Converting from - Unpack() -
+// and to - Pack() - wire format.
+// All the packers and unpackers take a (msg []byte, off int)
+// and return (off1 int, ok bool).  If they return ok==false, they
+// also return off1==len(msg), so that the next unpacker will
+// also fail.  This lets us avoid checks of ok until the end of a
+// packing sequence.
+
+package dns
+
+//go:generate go run msg_generate.go
+//go:generate go run compress_generate.go
+
+import (
+	crand "crypto/rand"
+	"encoding/binary"
+	"fmt"
+	"math/big"
+	"math/rand"
+	"strconv"
+	"sync"
+)
+
+const (
+	maxCompressionOffset    = 2 << 13 // We have 14 bits for the compression pointer
+	maxDomainNameWireOctets = 255     // See RFC 1035 section 2.3.4
+)
+
+var (
+	ErrAlg           error = &Error{err: "bad algorithm"}                  // ErrAlg indicates an error with the (DNSSEC) algorithm.
+	ErrAuth          error = &Error{err: "bad authentication"}             // ErrAuth indicates an error in the TSIG authentication.
+	ErrBuf           error = &Error{err: "buffer size too small"}          // ErrBuf indicates that the buffer used is too small for the message.
+	ErrConnEmpty     error = &Error{err: "conn has no connection"}         // ErrConnEmpty indicates a connection is being used before it is initialized.
+	ErrExtendedRcode error = &Error{err: "bad extended rcode"}             // ErrExtendedRcode ...
+	ErrFqdn          error = &Error{err: "domain must be fully qualified"} // ErrFqdn indicates that a domain name does not have a closing dot.
+	ErrId            error = &Error{err: "id mismatch"}                    // ErrId indicates there is a mismatch with the message's ID.
+	ErrKeyAlg        error = &Error{err: "bad key algorithm"}              // ErrKeyAlg indicates that the algorithm in the key is not valid.
+	ErrKey           error = &Error{err: "bad key"}
+	ErrKeySize       error = &Error{err: "bad key size"}
+	ErrLongDomain    error = &Error{err: fmt.Sprintf("domain name exceeded %d wire-format octets", maxDomainNameWireOctets)}
+	ErrNoSig         error = &Error{err: "no signature found"}
+	ErrPrivKey       error = &Error{err: "bad private key"}
+	ErrRcode         error = &Error{err: "bad rcode"}
+	ErrRdata         error = &Error{err: "bad rdata"}
+	ErrRRset         error = &Error{err: "bad rrset"}
+	ErrSecret        error = &Error{err: "no secrets defined"}
+	ErrShortRead     error = &Error{err: "short read"}
+	ErrSig           error = &Error{err: "bad signature"}                      // ErrSig indicates that a signature can not be cryptographically validated.
+	ErrSoa           error = &Error{err: "no SOA"}                             // ErrSOA indicates that no SOA RR was seen when doing zone transfers.
+	ErrTime          error = &Error{err: "bad time"}                           // ErrTime indicates a timing error in TSIG authentication.
+	ErrTruncated     error = &Error{err: "failed to unpack truncated message"} // ErrTruncated indicates that we failed to unpack a truncated message. We unpacked as much as we had so Msg can still be used, if desired.
+)
+
+// Id by default, returns a 16 bits random number to be used as a
+// message id. The random provided should be good enough. This being a
+// variable the function can be reassigned to a custom function.
+// For instance, to make it return a static value:
+//
+//	dns.Id = func() uint16 { return 3 }
+var Id func() uint16 = id
+
+var (
+	idLock sync.Mutex
+	idRand *rand.Rand
+)
+
+// id returns a 16 bits random number to be used as a
+// message id. The random provided should be good enough.
+func id() uint16 {
+	idLock.Lock()
+
+	if idRand == nil {
+		// This (partially) works around
+		// https://github.com/golang/go/issues/11833 by only
+		// seeding idRand upon the first call to id.
+
+		var seed int64
+		var buf [8]byte
+
+		if _, err := crand.Read(buf[:]); err == nil {
+			seed = int64(binary.LittleEndian.Uint64(buf[:]))
+		} else {
+			seed = rand.Int63()
+		}
+
+		idRand = rand.New(rand.NewSource(seed))
+	}
+
+	// The call to idRand.Uint32 must be within the
+	// mutex lock because *rand.Rand is not safe for
+	// concurrent use.
+	//
+	// There is no added performance overhead to calling
+	// idRand.Uint32 inside a mutex lock over just
+	// calling rand.Uint32 as the global math/rand rng
+	// is internally protected by a sync.Mutex.
+	id := uint16(idRand.Uint32())
+
+	idLock.Unlock()
+	return id
+}
+
+// MsgHdr is a a manually-unpacked version of (id, bits).
+type MsgHdr struct {
+	Id                 uint16
+	Response           bool
+	Opcode             int
+	Authoritative      bool
+	Truncated          bool
+	RecursionDesired   bool
+	RecursionAvailable bool
+	Zero               bool
+	AuthenticatedData  bool
+	CheckingDisabled   bool
+	Rcode              int
+}
+
+// Msg contains the layout of a DNS message.
+type Msg struct {
+	MsgHdr
+	Compress bool       `json:"-"` // If true, the message will be compressed when converted to wire format.
+	Question []Question // Holds the RR(s) of the question section.
+	Answer   []RR       // Holds the RR(s) of the answer section.
+	Ns       []RR       // Holds the RR(s) of the authority section.
+	Extra    []RR       // Holds the RR(s) of the additional section.
+}
+
+// ClassToString is a maps Classes to strings for each CLASS wire type.
+var ClassToString = map[uint16]string{
+	ClassINET:   "IN",
+	ClassCSNET:  "CS",
+	ClassCHAOS:  "CH",
+	ClassHESIOD: "HS",
+	ClassNONE:   "NONE",
+	ClassANY:    "ANY",
+}
+
+// OpcodeToString maps Opcodes to strings.
+var OpcodeToString = map[int]string{
+	OpcodeQuery:  "QUERY",
+	OpcodeIQuery: "IQUERY",
+	OpcodeStatus: "STATUS",
+	OpcodeNotify: "NOTIFY",
+	OpcodeUpdate: "UPDATE",
+}
+
+// RcodeToString maps Rcodes to strings.
+var RcodeToString = map[int]string{
+	RcodeSuccess:        "NOERROR",
+	RcodeFormatError:    "FORMERR",
+	RcodeServerFailure:  "SERVFAIL",
+	RcodeNameError:      "NXDOMAIN",
+	RcodeNotImplemented: "NOTIMPL",
+	RcodeRefused:        "REFUSED",
+	RcodeYXDomain:       "YXDOMAIN", // See RFC 2136
+	RcodeYXRrset:        "YXRRSET",
+	RcodeNXRrset:        "NXRRSET",
+	RcodeNotAuth:        "NOTAUTH",
+	RcodeNotZone:        "NOTZONE",
+	RcodeBadSig:         "BADSIG", // Also known as RcodeBadVers, see RFC 6891
+	//	RcodeBadVers:        "BADVERS",
+	RcodeBadKey:    "BADKEY",
+	RcodeBadTime:   "BADTIME",
+	RcodeBadMode:   "BADMODE",
+	RcodeBadName:   "BADNAME",
+	RcodeBadAlg:    "BADALG",
+	RcodeBadTrunc:  "BADTRUNC",
+	RcodeBadCookie: "BADCOOKIE",
+}
+
+// Domain names are a sequence of counted strings
+// split at the dots. They end with a zero-length string.
+
+// PackDomainName packs a domain name s into msg[off:].
+// If compression is wanted compress must be true and the compression
+// map needs to hold a mapping between domain names and offsets
+// pointing into msg.
+func PackDomainName(s string, msg []byte, off int, compression map[string]int, compress bool) (off1 int, err error) {
+	off1, _, err = packDomainName(s, msg, off, compression, compress)
+	return
+}
+
+func packDomainName(s string, msg []byte, off int, compression map[string]int, compress bool) (off1 int, labels int, err error) {
+	// special case if msg == nil
+	lenmsg := 256
+	if msg != nil {
+		lenmsg = len(msg)
+	}
+	ls := len(s)
+	if ls == 0 { // Ok, for instance when dealing with update RR without any rdata.
+		return off, 0, nil
+	}
+	// If not fully qualified, error out, but only if msg == nil #ugly
+	switch {
+	case msg == nil:
+		if s[ls-1] != '.' {
+			s += "."
+			ls++
+		}
+	case msg != nil:
+		if s[ls-1] != '.' {
+			return lenmsg, 0, ErrFqdn
+		}
+	}
+	// Each dot ends a segment of the name.
+	// We trade each dot byte for a length byte.
+	// Except for escaped dots (\.), which are normal dots.
+	// There is also a trailing zero.
+
+	// Compression
+	nameoffset := -1
+	pointer := -1
+	// Emit sequence of counted strings, chopping at dots.
+	begin := 0
+	bs := []byte(s)
+	roBs, bsFresh, escapedDot := s, true, false
+	for i := 0; i < ls; i++ {
+		if bs[i] == '\\' {
+			for j := i; j < ls-1; j++ {
+				bs[j] = bs[j+1]
+			}
+			ls--
+			if off+1 > lenmsg {
+				return lenmsg, labels, ErrBuf
+			}
+			// check for \DDD
+			if i+2 < ls && isDigit(bs[i]) && isDigit(bs[i+1]) && isDigit(bs[i+2]) {
+				bs[i] = dddToByte(bs[i:])
+				for j := i + 1; j < ls-2; j++ {
+					bs[j] = bs[j+2]
+				}
+				ls -= 2
+			}
+			escapedDot = bs[i] == '.'
+			bsFresh = false
+			continue
+		}
+
+		if bs[i] == '.' {
+			if i > 0 && bs[i-1] == '.' && !escapedDot {
+				// two dots back to back is not legal
+				return lenmsg, labels, ErrRdata
+			}
+			if i-begin >= 1<<6 { // top two bits of length must be clear
+				return lenmsg, labels, ErrRdata
+			}
+			// off can already (we're in a loop) be bigger than len(msg)
+			// this happens when a name isn't fully qualified
+			if off+1 > lenmsg {
+				return lenmsg, labels, ErrBuf
+			}
+			if msg != nil {
+				msg[off] = byte(i - begin)
+			}
+			offset := off
+			off++
+			for j := begin; j < i; j++ {
+				if off+1 > lenmsg {
+					return lenmsg, labels, ErrBuf
+				}
+				if msg != nil {
+					msg[off] = bs[j]
+				}
+				off++
+			}
+			if compress && !bsFresh {
+				roBs = string(bs)
+				bsFresh = true
+			}
+			// Don't try to compress '.'
+			// We should only compress when compress it true, but we should also still pick
+			// up names that can be used for *future* compression(s).
+			if compression != nil && roBs[begin:] != "." {
+				if p, ok := compression[roBs[begin:]]; !ok {
+					// Only offsets smaller than this can be used.
+					if offset < maxCompressionOffset {
+						compression[roBs[begin:]] = offset
+					}
+				} else {
+					// The first hit is the longest matching dname
+					// keep the pointer offset we get back and store
+					// the offset of the current name, because that's
+					// where we need to insert the pointer later
+
+					// If compress is true, we're allowed to compress this dname
+					if pointer == -1 && compress {
+						pointer = p         // Where to point to
+						nameoffset = offset // Where to point from
+						break
+					}
+				}
+			}
+			labels++
+			begin = i + 1
+		}
+		escapedDot = false
+	}
+	// Root label is special
+	if len(bs) == 1 && bs[0] == '.' {
+		return off, labels, nil
+	}
+	// If we did compression and we find something add the pointer here
+	if pointer != -1 {
+		// We have two bytes (14 bits) to put the pointer in
+		// if msg == nil, we will never do compression
+		binary.BigEndian.PutUint16(msg[nameoffset:], uint16(pointer^0xC000))
+		off = nameoffset + 1
+		goto End
+	}
+	if msg != nil && off < len(msg) {
+		msg[off] = 0
+	}
+End:
+	off++
+	return off, labels, nil
+}
+
+// Unpack a domain name.
+// In addition to the simple sequences of counted strings above,
+// domain names are allowed to refer to strings elsewhere in the
+// packet, to avoid repeating common suffixes when returning
+// many entries in a single domain.  The pointers are marked
+// by a length byte with the top two bits set.  Ignoring those
+// two bits, that byte and the next give a 14 bit offset from msg[0]
+// where we should pick up the trail.
+// Note that if we jump elsewhere in the packet,
+// we return off1 == the offset after the first pointer we found,
+// which is where the next record will start.
+// In theory, the pointers are only allowed to jump backward.
+// We let them jump anywhere and stop jumping after a while.
+
+// UnpackDomainName unpacks a domain name into a string.
+func UnpackDomainName(msg []byte, off int) (string, int, error) {
+	s := make([]byte, 0, 64)
+	off1 := 0
+	lenmsg := len(msg)
+	maxLen := maxDomainNameWireOctets
+	ptr := 0 // number of pointers followed
+Loop:
+	for {
+		if off >= lenmsg {
+			return "", lenmsg, ErrBuf
+		}
+		c := int(msg[off])
+		off++
+		switch c & 0xC0 {
+		case 0x00:
+			if c == 0x00 {
+				// end of name
+				break Loop
+			}
+			// literal string
+			if off+c > lenmsg {
+				return "", lenmsg, ErrBuf
+			}
+			for j := off; j < off+c; j++ {
+				switch b := msg[j]; b {
+				case '.', '(', ')', ';', ' ', '@':
+					fallthrough
+				case '"', '\\':
+					s = append(s, '\\', b)
+					// presentation-format \X escapes add an extra byte
+					maxLen += 1
+				default:
+					if b < 32 || b >= 127 { // unprintable, use \DDD
+						var buf [3]byte
+						bufs := strconv.AppendInt(buf[:0], int64(b), 10)
+						s = append(s, '\\')
+						for i := 0; i < 3-len(bufs); i++ {
+							s = append(s, '0')
+						}
+						for _, r := range bufs {
+							s = append(s, r)
+						}
+						// presentation-format \DDD escapes add 3 extra bytes
+						maxLen += 3
+					} else {
+						s = append(s, b)
+					}
+				}
+			}
+			s = append(s, '.')
+			off += c
+		case 0xC0:
+			// pointer to somewhere else in msg.
+			// remember location after first ptr,
+			// since that's how many bytes we consumed.
+			// also, don't follow too many pointers --
+			// maybe there's a loop.
+			if off >= lenmsg {
+				return "", lenmsg, ErrBuf
+			}
+			c1 := msg[off]
+			off++
+			if ptr == 0 {
+				off1 = off
+			}
+			if ptr++; ptr > 10 {
+				return "", lenmsg, &Error{err: "too many compression pointers"}
+			}
+			// pointer should guarantee that it advances and points forwards at least
+			// but the condition on previous three lines guarantees that it's
+			// at least loop-free
+			off = (c^0xC0)<<8 | int(c1)
+		default:
+			// 0x80 and 0x40 are reserved
+			return "", lenmsg, ErrRdata
+		}
+	}
+	if ptr == 0 {
+		off1 = off
+	}
+	if len(s) == 0 {
+		s = []byte(".")
+	} else if len(s) >= maxLen {
+		// error if the name is too long, but don't throw it away
+		return string(s), lenmsg, ErrLongDomain
+	}
+	return string(s), off1, nil
+}
+
+func packTxt(txt []string, msg []byte, offset int, tmp []byte) (int, error) {
+	if len(txt) == 0 {
+		if offset >= len(msg) {
+			return offset, ErrBuf
+		}
+		msg[offset] = 0
+		return offset, nil
+	}
+	var err error
+	for i := range txt {
+		if len(txt[i]) > len(tmp) {
+			return offset, ErrBuf
+		}
+		offset, err = packTxtString(txt[i], msg, offset, tmp)
+		if err != nil {
+			return offset, err
+		}
+	}
+	return offset, nil
+}
+
+func packTxtString(s string, msg []byte, offset int, tmp []byte) (int, error) {
+	lenByteOffset := offset
+	if offset >= len(msg) || len(s) > len(tmp) {
+		return offset, ErrBuf
+	}
+	offset++
+	bs := tmp[:len(s)]
+	copy(bs, s)
+	for i := 0; i < len(bs); i++ {
+		if len(msg) <= offset {
+			return offset, ErrBuf
+		}
+		if bs[i] == '\\' {
+			i++
+			if i == len(bs) {
+				break
+			}
+			// check for \DDD
+			if i+2 < len(bs) && isDigit(bs[i]) && isDigit(bs[i+1]) && isDigit(bs[i+2]) {
+				msg[offset] = dddToByte(bs[i:])
+				i += 2
+			} else {
+				msg[offset] = bs[i]
+			}
+		} else {
+			msg[offset] = bs[i]
+		}
+		offset++
+	}
+	l := offset - lenByteOffset - 1
+	if l > 255 {
+		return offset, &Error{err: "string exceeded 255 bytes in txt"}
+	}
+	msg[lenByteOffset] = byte(l)
+	return offset, nil
+}
+
+func packOctetString(s string, msg []byte, offset int, tmp []byte) (int, error) {
+	if offset >= len(msg) || len(s) > len(tmp) {
+		return offset, ErrBuf
+	}
+	bs := tmp[:len(s)]
+	copy(bs, s)
+	for i := 0; i < len(bs); i++ {
+		if len(msg) <= offset {
+			return offset, ErrBuf
+		}
+		if bs[i] == '\\' {
+			i++
+			if i == len(bs) {
+				break
+			}
+			// check for \DDD
+			if i+2 < len(bs) && isDigit(bs[i]) && isDigit(bs[i+1]) && isDigit(bs[i+2]) {
+				msg[offset] = dddToByte(bs[i:])
+				i += 2
+			} else {
+				msg[offset] = bs[i]
+			}
+		} else {
+			msg[offset] = bs[i]
+		}
+		offset++
+	}
+	return offset, nil
+}
+
+func unpackTxt(msg []byte, off0 int) (ss []string, off int, err error) {
+	off = off0
+	var s string
+	for off < len(msg) && err == nil {
+		s, off, err = unpackTxtString(msg, off)
+		if err == nil {
+			ss = append(ss, s)
+		}
+	}
+	return
+}
+
+func unpackTxtString(msg []byte, offset int) (string, int, error) {
+	if offset+1 > len(msg) {
+		return "", offset, &Error{err: "overflow unpacking txt"}
+	}
+	l := int(msg[offset])
+	if offset+l+1 > len(msg) {
+		return "", offset, &Error{err: "overflow unpacking txt"}
+	}
+	s := make([]byte, 0, l)
+	for _, b := range msg[offset+1 : offset+1+l] {
+		switch b {
+		case '"', '\\':
+			s = append(s, '\\', b)
+		default:
+			if b < 32 || b > 127 { // unprintable
+				var buf [3]byte
+				bufs := strconv.AppendInt(buf[:0], int64(b), 10)
+				s = append(s, '\\')
+				for i := 0; i < 3-len(bufs); i++ {
+					s = append(s, '0')
+				}
+				for _, r := range bufs {
+					s = append(s, r)
+				}
+			} else {
+				s = append(s, b)
+			}
+		}
+	}
+	offset += 1 + l
+	return string(s), offset, nil
+}
+
+// Helpers for dealing with escaped bytes
+func isDigit(b byte) bool { return b >= '0' && b <= '9' }
+
+func dddToByte(s []byte) byte {
+	return byte((s[0]-'0')*100 + (s[1]-'0')*10 + (s[2] - '0'))
+}
+
+// Helper function for packing and unpacking
+func intToBytes(i *big.Int, length int) []byte {
+	buf := i.Bytes()
+	if len(buf) < length {
+		b := make([]byte, length)
+		copy(b[length-len(buf):], buf)
+		return b
+	}
+	return buf
+}
+
+// PackRR packs a resource record rr into msg[off:].
+// See PackDomainName for documentation about the compression.
+func PackRR(rr RR, msg []byte, off int, compression map[string]int, compress bool) (off1 int, err error) {
+	if rr == nil {
+		return len(msg), &Error{err: "nil rr"}
+	}
+
+	off1, err = rr.pack(msg, off, compression, compress)
+	if err != nil {
+		return len(msg), err
+	}
+	// TODO(miek): Not sure if this is needed? If removed we can remove rawmsg.go as well.
+	if rawSetRdlength(msg, off, off1) {
+		return off1, nil
+	}
+	return off, ErrRdata
+}
+
+// UnpackRR unpacks msg[off:] into an RR.
+func UnpackRR(msg []byte, off int) (rr RR, off1 int, err error) {
+	h, off, msg, err := unpackHeader(msg, off)
+	if err != nil {
+		return nil, len(msg), err
+	}
+	end := off + int(h.Rdlength)
+
+	if fn, known := typeToUnpack[h.Rrtype]; !known {
+		rr, off, err = unpackRFC3597(h, msg, off)
+	} else {
+		rr, off, err = fn(h, msg, off)
+	}
+	if off != end {
+		return &h, end, &Error{err: "bad rdlength"}
+	}
+	return rr, off, err
+}
+
+// unpackRRslice unpacks msg[off:] into an []RR.
+// If we cannot unpack the whole array, then it will return nil
+func unpackRRslice(l int, msg []byte, off int) (dst1 []RR, off1 int, err error) {
+	var r RR
+	// Optimistically make dst be the length that was sent
+	dst := make([]RR, 0, l)
+	for i := 0; i < l; i++ {
+		off1 := off
+		r, off, err = UnpackRR(msg, off)
+		if err != nil {
+			off = len(msg)
+			break
+		}
+		// If offset does not increase anymore, l is a lie
+		if off1 == off {
+			l = i
+			break
+		}
+		dst = append(dst, r)
+	}
+	if err != nil && off == len(msg) {
+		dst = nil
+	}
+	return dst, off, err
+}
+
+// Convert a MsgHdr to a string, with dig-like headers:
+//
+//;; opcode: QUERY, status: NOERROR, id: 48404
+//
+//;; flags: qr aa rd ra;
+func (h *MsgHdr) String() string {
+	if h == nil {
+		return "<nil> MsgHdr"
+	}
+
+	s := ";; opcode: " + OpcodeToString[h.Opcode]
+	s += ", status: " + RcodeToString[h.Rcode]
+	s += ", id: " + strconv.Itoa(int(h.Id)) + "\n"
+
+	s += ";; flags:"
+	if h.Response {
+		s += " qr"
+	}
+	if h.Authoritative {
+		s += " aa"
+	}
+	if h.Truncated {
+		s += " tc"
+	}
+	if h.RecursionDesired {
+		s += " rd"
+	}
+	if h.RecursionAvailable {
+		s += " ra"
+	}
+	if h.Zero { // Hmm
+		s += " z"
+	}
+	if h.AuthenticatedData {
+		s += " ad"
+	}
+	if h.CheckingDisabled {
+		s += " cd"
+	}
+
+	s += ";"
+	return s
+}
+
+// Pack packs a Msg: it is converted to to wire format.
+// If the dns.Compress is true the message will be in compressed wire format.
+func (dns *Msg) Pack() (msg []byte, err error) {
+	return dns.PackBuffer(nil)
+}
+
+// PackBuffer packs a Msg, using the given buffer buf. If buf is too small
+// a new buffer is allocated.
+func (dns *Msg) PackBuffer(buf []byte) (msg []byte, err error) {
+	// We use a similar function in tsig.go's stripTsig.
+	var (
+		dh          Header
+		compression map[string]int
+	)
+
+	if dns.Compress {
+		compression = make(map[string]int) // Compression pointer mappings
+	}
+
+	if dns.Rcode < 0 || dns.Rcode > 0xFFF {
+		return nil, ErrRcode
+	}
+	if dns.Rcode > 0xF {
+		// Regular RCODE field is 4 bits
+		opt := dns.IsEdns0()
+		if opt == nil {
+			return nil, ErrExtendedRcode
+		}
+		opt.SetExtendedRcode(uint8(dns.Rcode >> 4))
+		dns.Rcode &= 0xF
+	}
+
+	// Convert convenient Msg into wire-like Header.
+	dh.Id = dns.Id
+	dh.Bits = uint16(dns.Opcode)<<11 | uint16(dns.Rcode)
+	if dns.Response {
+		dh.Bits |= _QR
+	}
+	if dns.Authoritative {
+		dh.Bits |= _AA
+	}
+	if dns.Truncated {
+		dh.Bits |= _TC
+	}
+	if dns.RecursionDesired {
+		dh.Bits |= _RD
+	}
+	if dns.RecursionAvailable {
+		dh.Bits |= _RA
+	}
+	if dns.Zero {
+		dh.Bits |= _Z
+	}
+	if dns.AuthenticatedData {
+		dh.Bits |= _AD
+	}
+	if dns.CheckingDisabled {
+		dh.Bits |= _CD
+	}
+
+	// Prepare variable sized arrays.
+	question := dns.Question
+	answer := dns.Answer
+	ns := dns.Ns
+	extra := dns.Extra
+
+	dh.Qdcount = uint16(len(question))
+	dh.Ancount = uint16(len(answer))
+	dh.Nscount = uint16(len(ns))
+	dh.Arcount = uint16(len(extra))
+
+	// We need the uncompressed length here, because we first pack it and then compress it.
+	msg = buf
+	uncompressedLen := compressedLen(dns, false)
+	if packLen := uncompressedLen + 1; len(msg) < packLen {
+		msg = make([]byte, packLen)
+	}
+
+	// Pack it in: header and then the pieces.
+	off := 0
+	off, err = dh.pack(msg, off, compression, dns.Compress)
+	if err != nil {
+		return nil, err
+	}
+	for i := 0; i < len(question); i++ {
+		off, err = question[i].pack(msg, off, compression, dns.Compress)
+		if err != nil {
+			return nil, err
+		}
+	}
+	for i := 0; i < len(answer); i++ {
+		off, err = PackRR(answer[i], msg, off, compression, dns.Compress)
+		if err != nil {
+			return nil, err
+		}
+	}
+	for i := 0; i < len(ns); i++ {
+		off, err = PackRR(ns[i], msg, off, compression, dns.Compress)
+		if err != nil {
+			return nil, err
+		}
+	}
+	for i := 0; i < len(extra); i++ {
+		off, err = PackRR(extra[i], msg, off, compression, dns.Compress)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return msg[:off], nil
+}
+
+// Unpack unpacks a binary message to a Msg structure.
+func (dns *Msg) Unpack(msg []byte) (err error) {
+	var (
+		dh  Header
+		off int
+	)
+	if dh, off, err = unpackMsgHdr(msg, off); err != nil {
+		return err
+	}
+
+	dns.Id = dh.Id
+	dns.Response = (dh.Bits & _QR) != 0
+	dns.Opcode = int(dh.Bits>>11) & 0xF
+	dns.Authoritative = (dh.Bits & _AA) != 0
+	dns.Truncated = (dh.Bits & _TC) != 0
+	dns.RecursionDesired = (dh.Bits & _RD) != 0
+	dns.RecursionAvailable = (dh.Bits & _RA) != 0
+	dns.Zero = (dh.Bits & _Z) != 0
+	dns.AuthenticatedData = (dh.Bits & _AD) != 0
+	dns.CheckingDisabled = (dh.Bits & _CD) != 0
+	dns.Rcode = int(dh.Bits & 0xF)
+
+	if off == len(msg) {
+		return ErrTruncated
+	}
+
+	// Optimistically use the count given to us in the header
+	dns.Question = make([]Question, 0, int(dh.Qdcount))
+
+	for i := 0; i < int(dh.Qdcount); i++ {
+		off1 := off
+		var q Question
+		q, off, err = unpackQuestion(msg, off)
+		if err != nil {
+			// Even if Truncated is set, we only will set ErrTruncated if we
+			// actually got the questions
+			return err
+		}
+		if off1 == off { // Offset does not increase anymore, dh.Qdcount is a lie!
+			dh.Qdcount = uint16(i)
+			break
+		}
+		dns.Question = append(dns.Question, q)
+	}
+
+	dns.Answer, off, err = unpackRRslice(int(dh.Ancount), msg, off)
+	// The header counts might have been wrong so we need to update it
+	dh.Ancount = uint16(len(dns.Answer))
+	if err == nil {
+		dns.Ns, off, err = unpackRRslice(int(dh.Nscount), msg, off)
+	}
+	// The header counts might have been wrong so we need to update it
+	dh.Nscount = uint16(len(dns.Ns))
+	if err == nil {
+		dns.Extra, off, err = unpackRRslice(int(dh.Arcount), msg, off)
+	}
+	// The header counts might have been wrong so we need to update it
+	dh.Arcount = uint16(len(dns.Extra))
+
+	if off != len(msg) {
+		// TODO(miek) make this an error?
+		// use PackOpt to let people tell how detailed the error reporting should be?
+		// println("dns: extra bytes in dns packet", off, "<", len(msg))
+	} else if dns.Truncated {
+		// Whether we ran into a an error or not, we want to return that it
+		// was truncated
+		err = ErrTruncated
+	}
+	return err
+}
+
+// Convert a complete message to a string with dig-like output.
+func (dns *Msg) String() string {
+	if dns == nil {
+		return "<nil> MsgHdr"
+	}
+	s := dns.MsgHdr.String() + " "
+	s += "QUERY: " + strconv.Itoa(len(dns.Question)) + ", "
+	s += "ANSWER: " + strconv.Itoa(len(dns.Answer)) + ", "
+	s += "AUTHORITY: " + strconv.Itoa(len(dns.Ns)) + ", "
+	s += "ADDITIONAL: " + strconv.Itoa(len(dns.Extra)) + "\n"
+	if len(dns.Question) > 0 {
+		s += "\n;; QUESTION SECTION:\n"
+		for i := 0; i < len(dns.Question); i++ {
+			s += dns.Question[i].String() + "\n"
+		}
+	}
+	if len(dns.Answer) > 0 {
+		s += "\n;; ANSWER SECTION:\n"
+		for i := 0; i < len(dns.Answer); i++ {
+			if dns.Answer[i] != nil {
+				s += dns.Answer[i].String() + "\n"
+			}
+		}
+	}
+	if len(dns.Ns) > 0 {
+		s += "\n;; AUTHORITY SECTION:\n"
+		for i := 0; i < len(dns.Ns); i++ {
+			if dns.Ns[i] != nil {
+				s += dns.Ns[i].String() + "\n"
+			}
+		}
+	}
+	if len(dns.Extra) > 0 {
+		s += "\n;; ADDITIONAL SECTION:\n"
+		for i := 0; i < len(dns.Extra); i++ {
+			if dns.Extra[i] != nil {
+				s += dns.Extra[i].String() + "\n"
+			}
+		}
+	}
+	return s
+}
+
+// Len returns the message length when in (un)compressed wire format.
+// If dns.Compress is true compression it is taken into account. Len()
+// is provided to be a faster way to get the size of the resulting packet,
+// than packing it, measuring the size and discarding the buffer.
+func (dns *Msg) Len() int { return compressedLen(dns, dns.Compress) }
+
+// compressedLen returns the message length when in compressed wire format
+// when compress is true, otherwise the uncompressed length is returned.
+func compressedLen(dns *Msg, compress bool) int {
+	// We always return one more than needed.
+	l := 12 // Message header is always 12 bytes
+	compression := map[string]int{}
+
+	for i := 0; i < len(dns.Question); i++ {
+		l += dns.Question[i].len()
+		if compress {
+			compressionLenHelper(compression, dns.Question[i].Name)
+		}
+	}
+	for i := 0; i < len(dns.Answer); i++ {
+		if dns.Answer[i] == nil {
+			continue
+		}
+		l += dns.Answer[i].len()
+		if compress {
+			k, ok := compressionLenSearch(compression, dns.Answer[i].Header().Name)
+			if ok {
+				l += 1 - k
+			}
+			compressionLenHelper(compression, dns.Answer[i].Header().Name)
+			k, ok = compressionLenSearchType(compression, dns.Answer[i])
+			if ok {
+				l += 1 - k
+			}
+			compressionLenHelperType(compression, dns.Answer[i])
+		}
+	}
+	for i := 0; i < len(dns.Ns); i++ {
+		if dns.Ns[i] == nil {
+			continue
+		}
+		l += dns.Ns[i].len()
+		if compress {
+			k, ok := compressionLenSearch(compression, dns.Ns[i].Header().Name)
+			if ok {
+				l += 1 - k
+			}
+			compressionLenHelper(compression, dns.Ns[i].Header().Name)
+			k, ok = compressionLenSearchType(compression, dns.Ns[i])
+			if ok {
+				l += 1 - k
+			}
+			compressionLenHelperType(compression, dns.Ns[i])
+		}
+	}
+	for i := 0; i < len(dns.Extra); i++ {
+		if dns.Extra[i] == nil {
+			continue
+		}
+		l += dns.Extra[i].len()
+		if compress {
+			k, ok := compressionLenSearch(compression, dns.Extra[i].Header().Name)
+			if ok {
+				l += 1 - k
+			}
+			compressionLenHelper(compression, dns.Extra[i].Header().Name)
+			k, ok = compressionLenSearchType(compression, dns.Extra[i])
+			if ok {
+				l += 1 - k
+			}
+			compressionLenHelperType(compression, dns.Extra[i])
+		}
+	}
+	return l
+}
+
+// Put the parts of the name in the compression map.
+func compressionLenHelper(c map[string]int, s string) {
+	pref := ""
+	lbs := Split(s)
+	for j := len(lbs) - 1; j >= 0; j-- {
+		pref = s[lbs[j]:]
+		if _, ok := c[pref]; !ok {
+			c[pref] = len(pref)
+		}
+	}
+}
+
+// Look for each part in the compression map and returns its length,
+// keep on searching so we get the longest match.
+func compressionLenSearch(c map[string]int, s string) (int, bool) {
+	off := 0
+	end := false
+	if s == "" { // don't bork on bogus data
+		return 0, false
+	}
+	for {
+		if _, ok := c[s[off:]]; ok {
+			return len(s[off:]), true
+		}
+		if end {
+			break
+		}
+		off, end = NextLabel(s, off)
+	}
+	return 0, false
+}
+
+// Copy returns a new RR which is a deep-copy of r.
+func Copy(r RR) RR { r1 := r.copy(); return r1 }
+
+// Len returns the length (in octets) of the uncompressed RR in wire format.
+func Len(r RR) int { return r.len() }
+
+// Copy returns a new *Msg which is a deep-copy of dns.
+func (dns *Msg) Copy() *Msg { return dns.CopyTo(new(Msg)) }
+
+// CopyTo copies the contents to the provided message using a deep-copy and returns the copy.
+func (dns *Msg) CopyTo(r1 *Msg) *Msg {
+	r1.MsgHdr = dns.MsgHdr
+	r1.Compress = dns.Compress
+
+	if len(dns.Question) > 0 {
+		r1.Question = make([]Question, len(dns.Question))
+		copy(r1.Question, dns.Question) // TODO(miek): Question is an immutable value, ok to do a shallow-copy
+	}
+
+	rrArr := make([]RR, len(dns.Answer)+len(dns.Ns)+len(dns.Extra))
+	var rri int
+
+	if len(dns.Answer) > 0 {
+		rrbegin := rri
+		for i := 0; i < len(dns.Answer); i++ {
+			rrArr[rri] = dns.Answer[i].copy()
+			rri++
+		}
+		r1.Answer = rrArr[rrbegin:rri:rri]
+	}
+
+	if len(dns.Ns) > 0 {
+		rrbegin := rri
+		for i := 0; i < len(dns.Ns); i++ {
+			rrArr[rri] = dns.Ns[i].copy()
+			rri++
+		}
+		r1.Ns = rrArr[rrbegin:rri:rri]
+	}
+
+	if len(dns.Extra) > 0 {
+		rrbegin := rri
+		for i := 0; i < len(dns.Extra); i++ {
+			rrArr[rri] = dns.Extra[i].copy()
+			rri++
+		}
+		r1.Extra = rrArr[rrbegin:rri:rri]
+	}
+
+	return r1
+}
+
+func (q *Question) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := PackDomainName(q.Name, msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(q.Qtype, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(q.Qclass, msg, off)
+	if err != nil {
+		return off, err
+	}
+	return off, nil
+}
+
+func unpackQuestion(msg []byte, off int) (Question, int, error) {
+	var (
+		q   Question
+		err error
+	)
+	q.Name, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return q, off, err
+	}
+	if off == len(msg) {
+		return q, off, nil
+	}
+	q.Qtype, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return q, off, err
+	}
+	if off == len(msg) {
+		return q, off, nil
+	}
+	q.Qclass, off, err = unpackUint16(msg, off)
+	if off == len(msg) {
+		return q, off, nil
+	}
+	return q, off, err
+}
+
+func (dh *Header) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := packUint16(dh.Id, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(dh.Bits, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(dh.Qdcount, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(dh.Ancount, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(dh.Nscount, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(dh.Arcount, msg, off)
+	return off, err
+}
+
+func unpackMsgHdr(msg []byte, off int) (Header, int, error) {
+	var (
+		dh  Header
+		err error
+	)
+	dh.Id, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return dh, off, err
+	}
+	dh.Bits, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return dh, off, err
+	}
+	dh.Qdcount, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return dh, off, err
+	}
+	dh.Ancount, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return dh, off, err
+	}
+	dh.Nscount, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return dh, off, err
+	}
+	dh.Arcount, off, err = unpackUint16(msg, off)
+	return dh, off, err
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/msg_generate.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/msg_generate.go
new file mode 100644
index 000000000..4d9f81d43
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/msg_generate.go
@@ -0,0 +1,349 @@
+//+build ignore
+
+// msg_generate.go is meant to run with go generate. It will use
+// go/{importer,types} to track down all the RR struct types. Then for each type
+// it will generate pack/unpack methods based on the struct tags. The generated source is
+// written to zmsg.go, and is meant to be checked into git.
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"go/format"
+	"go/importer"
+	"go/types"
+	"log"
+	"os"
+	"strings"
+)
+
+var packageHdr = `
+// *** DO NOT MODIFY ***
+// AUTOGENERATED BY go generate from msg_generate.go
+
+package dns
+
+`
+
+// getTypeStruct will take a type and the package scope, and return the
+// (innermost) struct if the type is considered a RR type (currently defined as
+// those structs beginning with a RR_Header, could be redefined as implementing
+// the RR interface). The bool return value indicates if embedded structs were
+// resolved.
+func getTypeStruct(t types.Type, scope *types.Scope) (*types.Struct, bool) {
+	st, ok := t.Underlying().(*types.Struct)
+	if !ok {
+		return nil, false
+	}
+	if st.Field(0).Type() == scope.Lookup("RR_Header").Type() {
+		return st, false
+	}
+	if st.Field(0).Anonymous() {
+		st, _ := getTypeStruct(st.Field(0).Type(), scope)
+		return st, true
+	}
+	return nil, false
+}
+
+func main() {
+	// Import and type-check the package
+	pkg, err := importer.Default().Import("github.com/miekg/dns")
+	fatalIfErr(err)
+	scope := pkg.Scope()
+
+	// Collect actual types (*X)
+	var namedTypes []string
+	for _, name := range scope.Names() {
+		o := scope.Lookup(name)
+		if o == nil || !o.Exported() {
+			continue
+		}
+		if st, _ := getTypeStruct(o.Type(), scope); st == nil {
+			continue
+		}
+		if name == "PrivateRR" {
+			continue
+		}
+
+		// Check if corresponding TypeX exists
+		if scope.Lookup("Type"+o.Name()) == nil && o.Name() != "RFC3597" {
+			log.Fatalf("Constant Type%s does not exist.", o.Name())
+		}
+
+		namedTypes = append(namedTypes, o.Name())
+	}
+
+	b := &bytes.Buffer{}
+	b.WriteString(packageHdr)
+
+	fmt.Fprint(b, "// pack*() functions\n\n")
+	for _, name := range namedTypes {
+		o := scope.Lookup(name)
+		st, _ := getTypeStruct(o.Type(), scope)
+
+		fmt.Fprintf(b, "func (rr *%s) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {\n", name)
+		fmt.Fprint(b, `off, err := rr.Hdr.pack(msg, off, compression, compress)
+if err != nil {
+	return off, err
+}
+headerEnd := off
+`)
+		for i := 1; i < st.NumFields(); i++ {
+			o := func(s string) {
+				fmt.Fprintf(b, s, st.Field(i).Name())
+				fmt.Fprint(b, `if err != nil {
+return off, err
+}
+`)
+			}
+
+			if _, ok := st.Field(i).Type().(*types.Slice); ok {
+				switch st.Tag(i) {
+				case `dns:"-"`: // ignored
+				case `dns:"txt"`:
+					o("off, err = packStringTxt(rr.%s, msg, off)\n")
+				case `dns:"opt"`:
+					o("off, err = packDataOpt(rr.%s, msg, off)\n")
+				case `dns:"nsec"`:
+					o("off, err = packDataNsec(rr.%s, msg, off)\n")
+				case `dns:"domain-name"`:
+					o("off, err = packDataDomainNames(rr.%s, msg, off, compression, compress)\n")
+				default:
+					log.Fatalln(name, st.Field(i).Name(), st.Tag(i))
+				}
+				continue
+			}
+
+			switch {
+			case st.Tag(i) == `dns:"-"`: // ignored
+			case st.Tag(i) == `dns:"cdomain-name"`:
+				o("off, err = PackDomainName(rr.%s, msg, off, compression, compress)\n")
+			case st.Tag(i) == `dns:"domain-name"`:
+				o("off, err = PackDomainName(rr.%s, msg, off, compression, false)\n")
+			case st.Tag(i) == `dns:"a"`:
+				o("off, err = packDataA(rr.%s, msg, off)\n")
+			case st.Tag(i) == `dns:"aaaa"`:
+				o("off, err = packDataAAAA(rr.%s, msg, off)\n")
+			case st.Tag(i) == `dns:"uint48"`:
+				o("off, err = packUint48(rr.%s, msg, off)\n")
+			case st.Tag(i) == `dns:"txt"`:
+				o("off, err = packString(rr.%s, msg, off)\n")
+
+			case strings.HasPrefix(st.Tag(i), `dns:"size-base32`): // size-base32 can be packed just like base32
+				fallthrough
+			case st.Tag(i) == `dns:"base32"`:
+				o("off, err = packStringBase32(rr.%s, msg, off)\n")
+
+			case strings.HasPrefix(st.Tag(i), `dns:"size-base64`): // size-base64 can be packed just like base64
+				fallthrough
+			case st.Tag(i) == `dns:"base64"`:
+				o("off, err = packStringBase64(rr.%s, msg, off)\n")
+
+			case strings.HasPrefix(st.Tag(i), `dns:"size-hex:SaltLength`):
+				// directly write instead of using o() so we get the error check in the correct place
+				field := st.Field(i).Name()
+				fmt.Fprintf(b, `// Only pack salt if value is not "-", i.e. empty
+if rr.%s != "-" {
+  off, err = packStringHex(rr.%s, msg, off)
+  if err != nil {
+    return off, err
+  }
+}
+`, field, field)
+				continue
+			case strings.HasPrefix(st.Tag(i), `dns:"size-hex`): // size-hex can be packed just like hex
+				fallthrough
+			case st.Tag(i) == `dns:"hex"`:
+				o("off, err = packStringHex(rr.%s, msg, off)\n")
+
+			case st.Tag(i) == `dns:"octet"`:
+				o("off, err = packStringOctet(rr.%s, msg, off)\n")
+			case st.Tag(i) == "":
+				switch st.Field(i).Type().(*types.Basic).Kind() {
+				case types.Uint8:
+					o("off, err = packUint8(rr.%s, msg, off)\n")
+				case types.Uint16:
+					o("off, err = packUint16(rr.%s, msg, off)\n")
+				case types.Uint32:
+					o("off, err = packUint32(rr.%s, msg, off)\n")
+				case types.Uint64:
+					o("off, err = packUint64(rr.%s, msg, off)\n")
+				case types.String:
+					o("off, err = packString(rr.%s, msg, off)\n")
+				default:
+					log.Fatalln(name, st.Field(i).Name())
+				}
+			default:
+				log.Fatalln(name, st.Field(i).Name(), st.Tag(i))
+			}
+		}
+		// We have packed everything, only now we know the rdlength of this RR
+		fmt.Fprintln(b, "rr.Header().Rdlength = uint16(off-headerEnd)")
+		fmt.Fprintln(b, "return off, nil }\n")
+	}
+
+	fmt.Fprint(b, "// unpack*() functions\n\n")
+	for _, name := range namedTypes {
+		o := scope.Lookup(name)
+		st, _ := getTypeStruct(o.Type(), scope)
+
+		fmt.Fprintf(b, "func unpack%s(h RR_Header, msg []byte, off int) (RR, int, error) {\n", name)
+		fmt.Fprintf(b, "rr := new(%s)\n", name)
+		fmt.Fprint(b, "rr.Hdr = h\n")
+		fmt.Fprint(b, `if noRdata(h) {
+return rr, off, nil
+	}
+var err error
+rdStart := off
+_ = rdStart
+
+`)
+		for i := 1; i < st.NumFields(); i++ {
+			o := func(s string) {
+				fmt.Fprintf(b, s, st.Field(i).Name())
+				fmt.Fprint(b, `if err != nil {
+return rr, off, err
+}
+`)
+			}
+
+			// size-* are special, because they reference a struct member we should use for the length.
+			if strings.HasPrefix(st.Tag(i), `dns:"size-`) {
+				structMember := structMember(st.Tag(i))
+				structTag := structTag(st.Tag(i))
+				switch structTag {
+				case "hex":
+					fmt.Fprintf(b, "rr.%s, off, err = unpackStringHex(msg, off, off + int(rr.%s))\n", st.Field(i).Name(), structMember)
+				case "base32":
+					fmt.Fprintf(b, "rr.%s, off, err = unpackStringBase32(msg, off, off + int(rr.%s))\n", st.Field(i).Name(), structMember)
+				case "base64":
+					fmt.Fprintf(b, "rr.%s, off, err = unpackStringBase64(msg, off, off + int(rr.%s))\n", st.Field(i).Name(), structMember)
+				default:
+					log.Fatalln(name, st.Field(i).Name(), st.Tag(i))
+				}
+				fmt.Fprint(b, `if err != nil {
+return rr, off, err
+}
+`)
+				continue
+			}
+
+			if _, ok := st.Field(i).Type().(*types.Slice); ok {
+				switch st.Tag(i) {
+				case `dns:"-"`: // ignored
+				case `dns:"txt"`:
+					o("rr.%s, off, err = unpackStringTxt(msg, off)\n")
+				case `dns:"opt"`:
+					o("rr.%s, off, err = unpackDataOpt(msg, off)\n")
+				case `dns:"nsec"`:
+					o("rr.%s, off, err = unpackDataNsec(msg, off)\n")
+				case `dns:"domain-name"`:
+					o("rr.%s, off, err = unpackDataDomainNames(msg, off, rdStart + int(rr.Hdr.Rdlength))\n")
+				default:
+					log.Fatalln(name, st.Field(i).Name(), st.Tag(i))
+				}
+				continue
+			}
+
+			switch st.Tag(i) {
+			case `dns:"-"`: // ignored
+			case `dns:"cdomain-name"`:
+				fallthrough
+			case `dns:"domain-name"`:
+				o("rr.%s, off, err = UnpackDomainName(msg, off)\n")
+			case `dns:"a"`:
+				o("rr.%s, off, err = unpackDataA(msg, off)\n")
+			case `dns:"aaaa"`:
+				o("rr.%s, off, err = unpackDataAAAA(msg, off)\n")
+			case `dns:"uint48"`:
+				o("rr.%s, off, err = unpackUint48(msg, off)\n")
+			case `dns:"txt"`:
+				o("rr.%s, off, err = unpackString(msg, off)\n")
+			case `dns:"base32"`:
+				o("rr.%s, off, err = unpackStringBase32(msg, off, rdStart + int(rr.Hdr.Rdlength))\n")
+			case `dns:"base64"`:
+				o("rr.%s, off, err = unpackStringBase64(msg, off, rdStart + int(rr.Hdr.Rdlength))\n")
+			case `dns:"hex"`:
+				o("rr.%s, off, err = unpackStringHex(msg, off, rdStart + int(rr.Hdr.Rdlength))\n")
+			case `dns:"octet"`:
+				o("rr.%s, off, err = unpackStringOctet(msg, off)\n")
+			case "":
+				switch st.Field(i).Type().(*types.Basic).Kind() {
+				case types.Uint8:
+					o("rr.%s, off, err = unpackUint8(msg, off)\n")
+				case types.Uint16:
+					o("rr.%s, off, err = unpackUint16(msg, off)\n")
+				case types.Uint32:
+					o("rr.%s, off, err = unpackUint32(msg, off)\n")
+				case types.Uint64:
+					o("rr.%s, off, err = unpackUint64(msg, off)\n")
+				case types.String:
+					o("rr.%s, off, err = unpackString(msg, off)\n")
+				default:
+					log.Fatalln(name, st.Field(i).Name())
+				}
+			default:
+				log.Fatalln(name, st.Field(i).Name(), st.Tag(i))
+			}
+			// If we've hit len(msg) we return without error.
+			if i < st.NumFields()-1 {
+				fmt.Fprintf(b, `if off == len(msg) {
+return rr, off, nil
+	}
+`)
+			}
+		}
+		fmt.Fprintf(b, "return rr, off, err }\n\n")
+	}
+	// Generate typeToUnpack map
+	fmt.Fprintln(b, "var typeToUnpack = map[uint16]func(RR_Header, []byte, int) (RR, int, error){")
+	for _, name := range namedTypes {
+		if name == "RFC3597" {
+			continue
+		}
+		fmt.Fprintf(b, "Type%s: unpack%s,\n", name, name)
+	}
+	fmt.Fprintln(b, "}\n")
+
+	// gofmt
+	res, err := format.Source(b.Bytes())
+	if err != nil {
+		b.WriteTo(os.Stderr)
+		log.Fatal(err)
+	}
+
+	// write result
+	f, err := os.Create("zmsg.go")
+	fatalIfErr(err)
+	defer f.Close()
+	f.Write(res)
+}
+
+// structMember will take a tag like dns:"size-base32:SaltLength" and return the last part of this string.
+func structMember(s string) string {
+	fields := strings.Split(s, ":")
+	if len(fields) == 0 {
+		return ""
+	}
+	f := fields[len(fields)-1]
+	// f should have a closing "
+	if len(f) > 1 {
+		return f[:len(f)-1]
+	}
+	return f
+}
+
+// structTag will take a tag like dns:"size-base32:SaltLength" and return base32.
+func structTag(s string) string {
+	fields := strings.Split(s, ":")
+	if len(fields) < 2 {
+		return ""
+	}
+	return fields[1][len("\"size-"):]
+}
+
+func fatalIfErr(err error) {
+	if err != nil {
+		log.Fatal(err)
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/msg_helpers.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/msg_helpers.go
new file mode 100644
index 000000000..615274ab0
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/msg_helpers.go
@@ -0,0 +1,633 @@
+package dns
+
+import (
+	"encoding/base32"
+	"encoding/base64"
+	"encoding/binary"
+	"encoding/hex"
+	"net"
+	"strconv"
+)
+
+// helper functions called from the generated zmsg.go
+
+// These function are named after the tag to help pack/unpack, if there is no tag it is the name
+// of the type they pack/unpack (string, int, etc). We prefix all with unpackData or packData, so packDataA or
+// packDataDomainName.
+
+func unpackDataA(msg []byte, off int) (net.IP, int, error) {
+	if off+net.IPv4len > len(msg) {
+		return nil, len(msg), &Error{err: "overflow unpacking a"}
+	}
+	a := append(make(net.IP, 0, net.IPv4len), msg[off:off+net.IPv4len]...)
+	off += net.IPv4len
+	return a, off, nil
+}
+
+func packDataA(a net.IP, msg []byte, off int) (int, error) {
+	// It must be a slice of 4, even if it is 16, we encode only the first 4
+	if off+net.IPv4len > len(msg) {
+		return len(msg), &Error{err: "overflow packing a"}
+	}
+	switch len(a) {
+	case net.IPv4len, net.IPv6len:
+		copy(msg[off:], a.To4())
+		off += net.IPv4len
+	case 0:
+		// Allowed, for dynamic updates.
+	default:
+		return len(msg), &Error{err: "overflow packing a"}
+	}
+	return off, nil
+}
+
+func unpackDataAAAA(msg []byte, off int) (net.IP, int, error) {
+	if off+net.IPv6len > len(msg) {
+		return nil, len(msg), &Error{err: "overflow unpacking aaaa"}
+	}
+	aaaa := append(make(net.IP, 0, net.IPv6len), msg[off:off+net.IPv6len]...)
+	off += net.IPv6len
+	return aaaa, off, nil
+}
+
+func packDataAAAA(aaaa net.IP, msg []byte, off int) (int, error) {
+	if off+net.IPv6len > len(msg) {
+		return len(msg), &Error{err: "overflow packing aaaa"}
+	}
+
+	switch len(aaaa) {
+	case net.IPv6len:
+		copy(msg[off:], aaaa)
+		off += net.IPv6len
+	case 0:
+		// Allowed, dynamic updates.
+	default:
+		return len(msg), &Error{err: "overflow packing aaaa"}
+	}
+	return off, nil
+}
+
+// unpackHeader unpacks an RR header, returning the offset to the end of the header and a
+// re-sliced msg according to the expected length of the RR.
+func unpackHeader(msg []byte, off int) (rr RR_Header, off1 int, truncmsg []byte, err error) {
+	hdr := RR_Header{}
+	if off == len(msg) {
+		return hdr, off, msg, nil
+	}
+
+	hdr.Name, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return hdr, len(msg), msg, err
+	}
+	hdr.Rrtype, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return hdr, len(msg), msg, err
+	}
+	hdr.Class, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return hdr, len(msg), msg, err
+	}
+	hdr.Ttl, off, err = unpackUint32(msg, off)
+	if err != nil {
+		return hdr, len(msg), msg, err
+	}
+	hdr.Rdlength, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return hdr, len(msg), msg, err
+	}
+	msg, err = truncateMsgFromRdlength(msg, off, hdr.Rdlength)
+	return hdr, off, msg, nil
+}
+
+// pack packs an RR header, returning the offset to the end of the header.
+// See PackDomainName for documentation about the compression.
+func (hdr RR_Header) pack(msg []byte, off int, compression map[string]int, compress bool) (off1 int, err error) {
+	if off == len(msg) {
+		return off, nil
+	}
+
+	off, err = PackDomainName(hdr.Name, msg, off, compression, compress)
+	if err != nil {
+		return len(msg), err
+	}
+	off, err = packUint16(hdr.Rrtype, msg, off)
+	if err != nil {
+		return len(msg), err
+	}
+	off, err = packUint16(hdr.Class, msg, off)
+	if err != nil {
+		return len(msg), err
+	}
+	off, err = packUint32(hdr.Ttl, msg, off)
+	if err != nil {
+		return len(msg), err
+	}
+	off, err = packUint16(hdr.Rdlength, msg, off)
+	if err != nil {
+		return len(msg), err
+	}
+	return off, nil
+}
+
+// helper helper functions.
+
+// truncateMsgFromRdLength truncates msg to match the expected length of the RR.
+// Returns an error if msg is smaller than the expected size.
+func truncateMsgFromRdlength(msg []byte, off int, rdlength uint16) (truncmsg []byte, err error) {
+	lenrd := off + int(rdlength)
+	if lenrd > len(msg) {
+		return msg, &Error{err: "overflowing header size"}
+	}
+	return msg[:lenrd], nil
+}
+
+func fromBase32(s []byte) (buf []byte, err error) {
+	for i, b := range s {
+		if b >= 'a' && b <= 'z' {
+			s[i] = b - 32
+		}
+	}
+	buflen := base32.HexEncoding.DecodedLen(len(s))
+	buf = make([]byte, buflen)
+	n, err := base32.HexEncoding.Decode(buf, s)
+	buf = buf[:n]
+	return
+}
+
+func toBase32(b []byte) string { return base32.HexEncoding.EncodeToString(b) }
+
+func fromBase64(s []byte) (buf []byte, err error) {
+	buflen := base64.StdEncoding.DecodedLen(len(s))
+	buf = make([]byte, buflen)
+	n, err := base64.StdEncoding.Decode(buf, s)
+	buf = buf[:n]
+	return
+}
+
+func toBase64(b []byte) string { return base64.StdEncoding.EncodeToString(b) }
+
+// dynamicUpdate returns true if the Rdlength is zero.
+func noRdata(h RR_Header) bool { return h.Rdlength == 0 }
+
+func unpackUint8(msg []byte, off int) (i uint8, off1 int, err error) {
+	if off+1 > len(msg) {
+		return 0, len(msg), &Error{err: "overflow unpacking uint8"}
+	}
+	return uint8(msg[off]), off + 1, nil
+}
+
+func packUint8(i uint8, msg []byte, off int) (off1 int, err error) {
+	if off+1 > len(msg) {
+		return len(msg), &Error{err: "overflow packing uint8"}
+	}
+	msg[off] = byte(i)
+	return off + 1, nil
+}
+
+func unpackUint16(msg []byte, off int) (i uint16, off1 int, err error) {
+	if off+2 > len(msg) {
+		return 0, len(msg), &Error{err: "overflow unpacking uint16"}
+	}
+	return binary.BigEndian.Uint16(msg[off:]), off + 2, nil
+}
+
+func packUint16(i uint16, msg []byte, off int) (off1 int, err error) {
+	if off+2 > len(msg) {
+		return len(msg), &Error{err: "overflow packing uint16"}
+	}
+	binary.BigEndian.PutUint16(msg[off:], i)
+	return off + 2, nil
+}
+
+func unpackUint32(msg []byte, off int) (i uint32, off1 int, err error) {
+	if off+4 > len(msg) {
+		return 0, len(msg), &Error{err: "overflow unpacking uint32"}
+	}
+	return binary.BigEndian.Uint32(msg[off:]), off + 4, nil
+}
+
+func packUint32(i uint32, msg []byte, off int) (off1 int, err error) {
+	if off+4 > len(msg) {
+		return len(msg), &Error{err: "overflow packing uint32"}
+	}
+	binary.BigEndian.PutUint32(msg[off:], i)
+	return off + 4, nil
+}
+
+func unpackUint48(msg []byte, off int) (i uint64, off1 int, err error) {
+	if off+6 > len(msg) {
+		return 0, len(msg), &Error{err: "overflow unpacking uint64 as uint48"}
+	}
+	// Used in TSIG where the last 48 bits are occupied, so for now, assume a uint48 (6 bytes)
+	i = (uint64(uint64(msg[off])<<40 | uint64(msg[off+1])<<32 | uint64(msg[off+2])<<24 | uint64(msg[off+3])<<16 |
+		uint64(msg[off+4])<<8 | uint64(msg[off+5])))
+	off += 6
+	return i, off, nil
+}
+
+func packUint48(i uint64, msg []byte, off int) (off1 int, err error) {
+	if off+6 > len(msg) {
+		return len(msg), &Error{err: "overflow packing uint64 as uint48"}
+	}
+	msg[off] = byte(i >> 40)
+	msg[off+1] = byte(i >> 32)
+	msg[off+2] = byte(i >> 24)
+	msg[off+3] = byte(i >> 16)
+	msg[off+4] = byte(i >> 8)
+	msg[off+5] = byte(i)
+	off += 6
+	return off, nil
+}
+
+func unpackUint64(msg []byte, off int) (i uint64, off1 int, err error) {
+	if off+8 > len(msg) {
+		return 0, len(msg), &Error{err: "overflow unpacking uint64"}
+	}
+	return binary.BigEndian.Uint64(msg[off:]), off + 8, nil
+}
+
+func packUint64(i uint64, msg []byte, off int) (off1 int, err error) {
+	if off+8 > len(msg) {
+		return len(msg), &Error{err: "overflow packing uint64"}
+	}
+	binary.BigEndian.PutUint64(msg[off:], i)
+	off += 8
+	return off, nil
+}
+
+func unpackString(msg []byte, off int) (string, int, error) {
+	if off+1 > len(msg) {
+		return "", off, &Error{err: "overflow unpacking txt"}
+	}
+	l := int(msg[off])
+	if off+l+1 > len(msg) {
+		return "", off, &Error{err: "overflow unpacking txt"}
+	}
+	s := make([]byte, 0, l)
+	for _, b := range msg[off+1 : off+1+l] {
+		switch b {
+		case '"', '\\':
+			s = append(s, '\\', b)
+		default:
+			if b < 32 || b > 127 { // unprintable
+				var buf [3]byte
+				bufs := strconv.AppendInt(buf[:0], int64(b), 10)
+				s = append(s, '\\')
+				for i := 0; i < 3-len(bufs); i++ {
+					s = append(s, '0')
+				}
+				for _, r := range bufs {
+					s = append(s, r)
+				}
+			} else {
+				s = append(s, b)
+			}
+		}
+	}
+	off += 1 + l
+	return string(s), off, nil
+}
+
+func packString(s string, msg []byte, off int) (int, error) {
+	txtTmp := make([]byte, 256*4+1)
+	off, err := packTxtString(s, msg, off, txtTmp)
+	if err != nil {
+		return len(msg), err
+	}
+	return off, nil
+}
+
+func unpackStringBase32(msg []byte, off, end int) (string, int, error) {
+	if end > len(msg) {
+		return "", len(msg), &Error{err: "overflow unpacking base32"}
+	}
+	s := toBase32(msg[off:end])
+	return s, end, nil
+}
+
+func packStringBase32(s string, msg []byte, off int) (int, error) {
+	b32, err := fromBase32([]byte(s))
+	if err != nil {
+		return len(msg), err
+	}
+	if off+len(b32) > len(msg) {
+		return len(msg), &Error{err: "overflow packing base32"}
+	}
+	copy(msg[off:off+len(b32)], b32)
+	off += len(b32)
+	return off, nil
+}
+
+func unpackStringBase64(msg []byte, off, end int) (string, int, error) {
+	// Rest of the RR is base64 encoded value, so we don't need an explicit length
+	// to be set. Thus far all RR's that have base64 encoded fields have those as their
+	// last one. What we do need is the end of the RR!
+	if end > len(msg) {
+		return "", len(msg), &Error{err: "overflow unpacking base64"}
+	}
+	s := toBase64(msg[off:end])
+	return s, end, nil
+}
+
+func packStringBase64(s string, msg []byte, off int) (int, error) {
+	b64, err := fromBase64([]byte(s))
+	if err != nil {
+		return len(msg), err
+	}
+	if off+len(b64) > len(msg) {
+		return len(msg), &Error{err: "overflow packing base64"}
+	}
+	copy(msg[off:off+len(b64)], b64)
+	off += len(b64)
+	return off, nil
+}
+
+func unpackStringHex(msg []byte, off, end int) (string, int, error) {
+	// Rest of the RR is hex encoded value, so we don't need an explicit length
+	// to be set. NSEC and TSIG have hex fields with a length field.
+	// What we do need is the end of the RR!
+	if end > len(msg) {
+		return "", len(msg), &Error{err: "overflow unpacking hex"}
+	}
+
+	s := hex.EncodeToString(msg[off:end])
+	return s, end, nil
+}
+
+func packStringHex(s string, msg []byte, off int) (int, error) {
+	h, err := hex.DecodeString(s)
+	if err != nil {
+		return len(msg), err
+	}
+	if off+(len(h)) > len(msg) {
+		return len(msg), &Error{err: "overflow packing hex"}
+	}
+	copy(msg[off:off+len(h)], h)
+	off += len(h)
+	return off, nil
+}
+
+func unpackStringTxt(msg []byte, off int) ([]string, int, error) {
+	txt, off, err := unpackTxt(msg, off)
+	if err != nil {
+		return nil, len(msg), err
+	}
+	return txt, off, nil
+}
+
+func packStringTxt(s []string, msg []byte, off int) (int, error) {
+	txtTmp := make([]byte, 256*4+1) // If the whole string consists out of \DDD we need this many.
+	off, err := packTxt(s, msg, off, txtTmp)
+	if err != nil {
+		return len(msg), err
+	}
+	return off, nil
+}
+
+func unpackDataOpt(msg []byte, off int) ([]EDNS0, int, error) {
+	var edns []EDNS0
+Option:
+	code := uint16(0)
+	if off+4 > len(msg) {
+		return nil, len(msg), &Error{err: "overflow unpacking opt"}
+	}
+	code = binary.BigEndian.Uint16(msg[off:])
+	off += 2
+	optlen := binary.BigEndian.Uint16(msg[off:])
+	off += 2
+	if off+int(optlen) > len(msg) {
+		return nil, len(msg), &Error{err: "overflow unpacking opt"}
+	}
+	switch code {
+	case EDNS0NSID:
+		e := new(EDNS0_NSID)
+		if err := e.unpack(msg[off : off+int(optlen)]); err != nil {
+			return nil, len(msg), err
+		}
+		edns = append(edns, e)
+		off += int(optlen)
+	case EDNS0SUBNET, EDNS0SUBNETDRAFT:
+		e := new(EDNS0_SUBNET)
+		if err := e.unpack(msg[off : off+int(optlen)]); err != nil {
+			return nil, len(msg), err
+		}
+		edns = append(edns, e)
+		off += int(optlen)
+		if code == EDNS0SUBNETDRAFT {
+			e.DraftOption = true
+		}
+	case EDNS0COOKIE:
+		e := new(EDNS0_COOKIE)
+		if err := e.unpack(msg[off : off+int(optlen)]); err != nil {
+			return nil, len(msg), err
+		}
+		edns = append(edns, e)
+		off += int(optlen)
+	case EDNS0UL:
+		e := new(EDNS0_UL)
+		if err := e.unpack(msg[off : off+int(optlen)]); err != nil {
+			return nil, len(msg), err
+		}
+		edns = append(edns, e)
+		off += int(optlen)
+	case EDNS0LLQ:
+		e := new(EDNS0_LLQ)
+		if err := e.unpack(msg[off : off+int(optlen)]); err != nil {
+			return nil, len(msg), err
+		}
+		edns = append(edns, e)
+		off += int(optlen)
+	case EDNS0DAU:
+		e := new(EDNS0_DAU)
+		if err := e.unpack(msg[off : off+int(optlen)]); err != nil {
+			return nil, len(msg), err
+		}
+		edns = append(edns, e)
+		off += int(optlen)
+	case EDNS0DHU:
+		e := new(EDNS0_DHU)
+		if err := e.unpack(msg[off : off+int(optlen)]); err != nil {
+			return nil, len(msg), err
+		}
+		edns = append(edns, e)
+		off += int(optlen)
+	case EDNS0N3U:
+		e := new(EDNS0_N3U)
+		if err := e.unpack(msg[off : off+int(optlen)]); err != nil {
+			return nil, len(msg), err
+		}
+		edns = append(edns, e)
+		off += int(optlen)
+	default:
+		e := new(EDNS0_LOCAL)
+		e.Code = code
+		if err := e.unpack(msg[off : off+int(optlen)]); err != nil {
+			return nil, len(msg), err
+		}
+		edns = append(edns, e)
+		off += int(optlen)
+	}
+
+	if off < len(msg) {
+		goto Option
+	}
+
+	return edns, off, nil
+}
+
+func packDataOpt(options []EDNS0, msg []byte, off int) (int, error) {
+	for _, el := range options {
+		b, err := el.pack()
+		if err != nil || off+3 > len(msg) {
+			return len(msg), &Error{err: "overflow packing opt"}
+		}
+		binary.BigEndian.PutUint16(msg[off:], el.Option())      // Option code
+		binary.BigEndian.PutUint16(msg[off+2:], uint16(len(b))) // Length
+		off += 4
+		if off+len(b) > len(msg) {
+			copy(msg[off:], b)
+			off = len(msg)
+			continue
+		}
+		// Actual data
+		copy(msg[off:off+len(b)], b)
+		off += len(b)
+	}
+	return off, nil
+}
+
+func unpackStringOctet(msg []byte, off int) (string, int, error) {
+	s := string(msg[off:])
+	return s, len(msg), nil
+}
+
+func packStringOctet(s string, msg []byte, off int) (int, error) {
+	txtTmp := make([]byte, 256*4+1)
+	off, err := packOctetString(s, msg, off, txtTmp)
+	if err != nil {
+		return len(msg), err
+	}
+	return off, nil
+}
+
+func unpackDataNsec(msg []byte, off int) ([]uint16, int, error) {
+	var nsec []uint16
+	length, window, lastwindow := 0, 0, -1
+	for off < len(msg) {
+		if off+2 > len(msg) {
+			return nsec, len(msg), &Error{err: "overflow unpacking nsecx"}
+		}
+		window = int(msg[off])
+		length = int(msg[off+1])
+		off += 2
+		if window <= lastwindow {
+			// RFC 4034: Blocks are present in the NSEC RR RDATA in
+			// increasing numerical order.
+			return nsec, len(msg), &Error{err: "out of order NSEC block"}
+		}
+		if length == 0 {
+			// RFC 4034: Blocks with no types present MUST NOT be included.
+			return nsec, len(msg), &Error{err: "empty NSEC block"}
+		}
+		if length > 32 {
+			return nsec, len(msg), &Error{err: "NSEC block too long"}
+		}
+		if off+length > len(msg) {
+			return nsec, len(msg), &Error{err: "overflowing NSEC block"}
+		}
+
+		// Walk the bytes in the window and extract the type bits
+		for j := 0; j < length; j++ {
+			b := msg[off+j]
+			// Check the bits one by one, and set the type
+			if b&0x80 == 0x80 {
+				nsec = append(nsec, uint16(window*256+j*8+0))
+			}
+			if b&0x40 == 0x40 {
+				nsec = append(nsec, uint16(window*256+j*8+1))
+			}
+			if b&0x20 == 0x20 {
+				nsec = append(nsec, uint16(window*256+j*8+2))
+			}
+			if b&0x10 == 0x10 {
+				nsec = append(nsec, uint16(window*256+j*8+3))
+			}
+			if b&0x8 == 0x8 {
+				nsec = append(nsec, uint16(window*256+j*8+4))
+			}
+			if b&0x4 == 0x4 {
+				nsec = append(nsec, uint16(window*256+j*8+5))
+			}
+			if b&0x2 == 0x2 {
+				nsec = append(nsec, uint16(window*256+j*8+6))
+			}
+			if b&0x1 == 0x1 {
+				nsec = append(nsec, uint16(window*256+j*8+7))
+			}
+		}
+		off += length
+		lastwindow = window
+	}
+	return nsec, off, nil
+}
+
+func packDataNsec(bitmap []uint16, msg []byte, off int) (int, error) {
+	if len(bitmap) == 0 {
+		return off, nil
+	}
+	var lastwindow, lastlength uint16
+	for j := 0; j < len(bitmap); j++ {
+		t := bitmap[j]
+		window := t / 256
+		length := (t-window*256)/8 + 1
+		if window > lastwindow && lastlength != 0 { // New window, jump to the new offset
+			off += int(lastlength) + 2
+			lastlength = 0
+		}
+		if window < lastwindow || length < lastlength {
+			return len(msg), &Error{err: "nsec bits out of order"}
+		}
+		if off+2+int(length) > len(msg) {
+			return len(msg), &Error{err: "overflow packing nsec"}
+		}
+		// Setting the window #
+		msg[off] = byte(window)
+		// Setting the octets length
+		msg[off+1] = byte(length)
+		// Setting the bit value for the type in the right octet
+		msg[off+1+int(length)] |= byte(1 << (7 - (t % 8)))
+		lastwindow, lastlength = window, length
+	}
+	off += int(lastlength) + 2
+	return off, nil
+}
+
+func unpackDataDomainNames(msg []byte, off, end int) ([]string, int, error) {
+	var (
+		servers []string
+		s       string
+		err     error
+	)
+	if end > len(msg) {
+		return nil, len(msg), &Error{err: "overflow unpacking domain names"}
+	}
+	for off < end {
+		s, off, err = UnpackDomainName(msg, off)
+		if err != nil {
+			return servers, len(msg), err
+		}
+		servers = append(servers, s)
+	}
+	return servers, off, nil
+}
+
+func packDataDomainNames(names []string, msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	var err error
+	for j := 0; j < len(names); j++ {
+		off, err = PackDomainName(names[j], msg, off, compression, false && compress)
+		if err != nil {
+			return len(msg), err
+		}
+	}
+	return off, nil
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/msg_test.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/msg_test.go
new file mode 100644
index 000000000..2dbef6260
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/msg_test.go
@@ -0,0 +1,124 @@
+package dns
+
+import (
+	"fmt"
+	"regexp"
+	"strconv"
+	"strings"
+	"testing"
+)
+
+const (
+	maxPrintableLabel = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789x"
+	tooLongLabel      = maxPrintableLabel + "x"
+)
+
+var (
+	longDomain = maxPrintableLabel[:53] + strings.TrimSuffix(
+		strings.Join([]string{".", ".", ".", ".", "."}, maxPrintableLabel[:49]), ".")
+	reChar              = regexp.MustCompile(`.`)
+	i                   = -1
+	maxUnprintableLabel = reChar.ReplaceAllStringFunc(maxPrintableLabel, func(ch string) string {
+		if i++; i >= 32 {
+			i = 0
+		}
+		return fmt.Sprintf("\\%03d", i)
+	})
+)
+
+func TestUnpackDomainName(t *testing.T) {
+	var cases = []struct {
+		label          string
+		input          string
+		expectedOutput string
+		expectedError  string
+	}{
+		{"empty domain",
+			"\x00",
+			".",
+			""},
+		{"long label",
+			string(63) + maxPrintableLabel + "\x00",
+			maxPrintableLabel + ".",
+			""},
+		{"unprintable label",
+			string(63) + regexp.MustCompile(`\\[0-9]+`).ReplaceAllStringFunc(maxUnprintableLabel,
+				func(escape string) string {
+					n, _ := strconv.ParseInt(escape[1:], 10, 8)
+					return string(n)
+				}) + "\x00",
+			maxUnprintableLabel + ".",
+			""},
+		{"long domain",
+			string(53) + strings.Replace(longDomain, ".", string(49), -1) + "\x00",
+			longDomain + ".",
+			""},
+		{"compression pointer",
+			// an unrealistic but functional test referencing an offset _inside_ a label
+			"\x03foo" + "\x05\x03com\x00" + "\x07example" + "\xC0\x05",
+			"foo.\\003com\\000.example.com.",
+			""},
+
+		{"too long domain",
+			string(54) + "x" + strings.Replace(longDomain, ".", string(49), -1) + "\x00",
+			"x" + longDomain + ".",
+			ErrLongDomain.Error()},
+		{"too long by pointer",
+			// a matryoshka doll name to get over 255 octets after expansion via internal pointers
+			string([]byte{
+				// 11 length values, first to last
+				40, 37, 34, 31, 28, 25, 22, 19, 16, 13, 0,
+				// 12 filler values
+				120, 120, 120, 120, 120, 120, 120, 120, 120, 120, 120, 120,
+				// 10 pointers, last to first
+				192, 10, 192, 9, 192, 8, 192, 7, 192, 6, 192, 5, 192, 4, 192, 3, 192, 2, 192, 1,
+			}),
+			"",
+			ErrLongDomain.Error()},
+		{"long by pointer",
+			// a matryoshka doll name _not_ exceeding 255 octets after expansion
+			string([]byte{
+				// 11 length values, first to last
+				37, 34, 31, 28, 25, 22, 19, 16, 13, 10, 0,
+				// 9 filler values
+				120, 120, 120, 120, 120, 120, 120, 120, 120,
+				// 10 pointers, last to first
+				192, 10, 192, 9, 192, 8, 192, 7, 192, 6, 192, 5, 192, 4, 192, 3, 192, 2, 192, 1,
+			}),
+			"" +
+				(`\"\031\028\025\022\019\016\013\010\000xxxxxxxxx` +
+					`\192\010\192\009\192\008\192\007\192\006\192\005\192\004\192\003\192\002.`) +
+				(`\031\028\025\022\019\016\013\010\000xxxxxxxxx` +
+					`\192\010\192\009\192\008\192\007\192\006\192\005\192\004\192\003.`) +
+				(`\028\025\022\019\016\013\010\000xxxxxxxxx` +
+					`\192\010\192\009\192\008\192\007\192\006\192\005\192\004.`) +
+				(`\025\022\019\016\013\010\000xxxxxxxxx` +
+					`\192\010\192\009\192\008\192\007\192\006\192\005.`) +
+				`\022\019\016\013\010\000xxxxxxxxx\192\010\192\009\192\008\192\007\192\006.` +
+				`\019\016\013\010\000xxxxxxxxx\192\010\192\009\192\008\192\007.` +
+				`\016\013\010\000xxxxxxxxx\192\010\192\009\192\008.` +
+				`\013\010\000xxxxxxxxx\192\010\192\009.` +
+				`\010\000xxxxxxxxx\192\010.` +
+				`\000xxxxxxxxx.`,
+			""},
+		{"truncated name", "\x07example\x03", "", "dns: buffer size too small"},
+		{"non-absolute name", "\x07example\x03com", "", "dns: buffer size too small"},
+		{"compression pointer cycle",
+			"\x03foo" + "\x03bar" + "\x07example" + "\xC0\x04",
+			"",
+			"dns: too many compression pointers"},
+		{"reserved compression pointer 0b10", "\x07example\x80", "", "dns: bad rdata"},
+		{"reserved compression pointer 0b01", "\x07example\x40", "", "dns: bad rdata"},
+	}
+	for _, test := range cases {
+		output, idx, err := UnpackDomainName([]byte(test.input), 0)
+		if test.expectedOutput != "" && output != test.expectedOutput {
+			t.Errorf("%s: expected %s, got %s", test.label, test.expectedOutput, output)
+		}
+		if test.expectedError == "" && err != nil {
+			t.Errorf("%s: expected no error, got %d %v", test.label, idx, err)
+		} else if test.expectedError != "" && (err == nil || err.Error() != test.expectedError) {
+			t.Errorf("%s: expected error %s, got %d %v", test.label, test.expectedError, idx, err)
+		}
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/nsecx.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/nsecx.go
new file mode 100644
index 000000000..9b908c447
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/nsecx.go
@@ -0,0 +1,106 @@
+package dns
+
+import (
+	"crypto/sha1"
+	"hash"
+	"strings"
+)
+
+type saltWireFmt struct {
+	Salt string `dns:"size-hex"`
+}
+
+// HashName hashes a string (label) according to RFC 5155. It returns the hashed string in uppercase.
+func HashName(label string, ha uint8, iter uint16, salt string) string {
+	saltwire := new(saltWireFmt)
+	saltwire.Salt = salt
+	wire := make([]byte, DefaultMsgSize)
+	n, err := packSaltWire(saltwire, wire)
+	if err != nil {
+		return ""
+	}
+	wire = wire[:n]
+	name := make([]byte, 255)
+	off, err := PackDomainName(strings.ToLower(label), name, 0, nil, false)
+	if err != nil {
+		return ""
+	}
+	name = name[:off]
+	var s hash.Hash
+	switch ha {
+	case SHA1:
+		s = sha1.New()
+	default:
+		return ""
+	}
+
+	// k = 0
+	s.Write(name)
+	s.Write(wire)
+	nsec3 := s.Sum(nil)
+	// k > 0
+	for k := uint16(0); k < iter; k++ {
+		s.Reset()
+		s.Write(nsec3)
+		s.Write(wire)
+		nsec3 = s.Sum(nsec3[:0])
+	}
+	return toBase32(nsec3)
+}
+
+// Cover returns true if a name is covered by the NSEC3 record
+func (rr *NSEC3) Cover(name string) bool {
+	nameHash := HashName(name, rr.Hash, rr.Iterations, rr.Salt)
+	owner := strings.ToUpper(rr.Hdr.Name)
+	labelIndices := Split(owner)
+	if len(labelIndices) < 2 {
+		return false
+	}
+	ownerHash := owner[:labelIndices[1]-1]
+	ownerZone := owner[labelIndices[1]:]
+	if !IsSubDomain(ownerZone, strings.ToUpper(name)) { // name is outside owner zone
+		return false
+	}
+
+	nextHash := rr.NextDomain
+	if ownerHash == nextHash { // empty interval
+		return false
+	}
+	if ownerHash > nextHash { // end of zone
+		if nameHash > ownerHash { // covered since there is nothing after ownerHash
+			return true
+		}
+		return nameHash < nextHash // if nameHash is before beginning of zone it is covered
+	}
+	if nameHash < ownerHash { // nameHash is before ownerHash, not covered
+		return false
+	}
+	return nameHash < nextHash // if nameHash is before nextHash is it covered (between ownerHash and nextHash)
+}
+
+// Match returns true if a name matches the NSEC3 record
+func (rr *NSEC3) Match(name string) bool {
+	nameHash := HashName(name, rr.Hash, rr.Iterations, rr.Salt)
+	owner := strings.ToUpper(rr.Hdr.Name)
+	labelIndices := Split(owner)
+	if len(labelIndices) < 2 {
+		return false
+	}
+	ownerHash := owner[:labelIndices[1]-1]
+	ownerZone := owner[labelIndices[1]:]
+	if !IsSubDomain(ownerZone, strings.ToUpper(name)) { // name is outside owner zone
+		return false
+	}
+	if ownerHash == nameHash {
+		return true
+	}
+	return false
+}
+
+func packSaltWire(sw *saltWireFmt, msg []byte) (int, error) {
+	off, err := packStringHex(sw.Salt, msg, 0)
+	if err != nil {
+		return off, err
+	}
+	return off, nil
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/nsecx_test.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/nsecx_test.go
new file mode 100644
index 000000000..8d5f71797
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/nsecx_test.go
@@ -0,0 +1,133 @@
+package dns
+
+import "testing"
+
+func TestPackNsec3(t *testing.T) {
+	nsec3 := HashName("dnsex.nl.", SHA1, 0, "DEAD")
+	if nsec3 != "ROCCJAE8BJJU7HN6T7NG3TNM8ACRS87J" {
+		t.Error(nsec3)
+	}
+
+	nsec3 = HashName("a.b.c.example.org.", SHA1, 2, "DEAD")
+	if nsec3 != "6LQ07OAHBTOOEU2R9ANI2AT70K5O0RCG" {
+		t.Error(nsec3)
+	}
+}
+
+func TestNsec3(t *testing.T) {
+	nsec3, _ := NewRR("sk4e8fj94u78smusb40o1n0oltbblu2r.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 SK4F38CQ0ATIEI8MH3RGD0P5I4II6QAN NS SOA TXT RRSIG DNSKEY NSEC3PARAM")
+	if !nsec3.(*NSEC3).Match("nl.") { // name hash = sk4e8fj94u78smusb40o1n0oltbblu2r
+		t.Fatal("sk4e8fj94u78smusb40o1n0oltbblu2r.nl. should match sk4e8fj94u78smusb40o1n0oltbblu2r.nl.")
+	}
+	if !nsec3.(*NSEC3).Match("NL.") { // name hash = sk4e8fj94u78smusb40o1n0oltbblu2r
+		t.Fatal("sk4e8fj94u78smusb40o1n0oltbblu2r.NL. should match sk4e8fj94u78smusb40o1n0oltbblu2r.nl.")
+	}
+	if nsec3.(*NSEC3).Match("com.") { //
+		t.Fatal("com. is not in the zone nl.")
+	}
+	if nsec3.(*NSEC3).Match("test.nl.") { // name hash = gd0ptr5bnfpimpu2d3v6gd4n0bai7s0q
+		t.Fatal("gd0ptr5bnfpimpu2d3v6gd4n0bai7s0q.nl. should not match sk4e8fj94u78smusb40o1n0oltbblu2r.nl.")
+	}
+	nsec3, _ = NewRR("nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 SK4F38CQ0ATIEI8MH3RGD0P5I4II6QAN NS SOA TXT RRSIG DNSKEY NSEC3PARAM")
+	if nsec3.(*NSEC3).Match("nl.") {
+		t.Fatal("sk4e8fj94u78smusb40o1n0oltbblu2r.nl. should not match a record without a owner hash")
+	}
+
+	for _, tc := range []struct {
+		rr     *NSEC3
+		name   string
+		covers bool
+	}{
+		// positive tests
+		{ // name hash between owner hash and next hash
+			rr: &NSEC3{
+				Hdr:        RR_Header{Name: "2N1TB3VAIRUOBL6RKDVII42N9TFMIALP.com."},
+				Hash:       1,
+				Flags:      1,
+				Iterations: 5,
+				Salt:       "F10E9F7EA83FC8F3",
+				NextDomain: "PT3RON8N7PM3A0OE989IB84OOSADP7O8",
+			},
+			name:   "bsd.com.",
+			covers: true,
+		},
+		{ // end of zone, name hash is after owner hash
+			rr: &NSEC3{
+				Hdr:        RR_Header{Name: "3v62ulr0nre83v0rja2vjgtlif9v6rab.com."},
+				Hash:       1,
+				Flags:      1,
+				Iterations: 5,
+				Salt:       "F10E9F7EA83FC8F3",
+				NextDomain: "2N1TB3VAIRUOBL6RKDVII42N9TFMIALP",
+			},
+			name:   "csd.com.",
+			covers: true,
+		},
+		{ // end of zone, name hash is before beginning of zone
+			rr: &NSEC3{
+				Hdr:        RR_Header{Name: "PT3RON8N7PM3A0OE989IB84OOSADP7O8.com."},
+				Hash:       1,
+				Flags:      1,
+				Iterations: 5,
+				Salt:       "F10E9F7EA83FC8F3",
+				NextDomain: "3V62ULR0NRE83V0RJA2VJGTLIF9V6RAB",
+			},
+			name:   "asd.com.",
+			covers: true,
+		},
+		// negative tests
+		{ // too short owner name
+			rr: &NSEC3{
+				Hdr:        RR_Header{Name: "nl."},
+				Hash:       1,
+				Flags:      1,
+				Iterations: 5,
+				Salt:       "F10E9F7EA83FC8F3",
+				NextDomain: "39P99DCGG0MDLARTCRMCF6OFLLUL7PR6",
+			},
+			name:   "asd.com.",
+			covers: false,
+		},
+		{ // outside of zone
+			rr: &NSEC3{
+				Hdr:        RR_Header{Name: "39p91242oslggest5e6a7cci4iaeqvnk.nl."},
+				Hash:       1,
+				Flags:      1,
+				Iterations: 5,
+				Salt:       "F10E9F7EA83FC8F3",
+				NextDomain: "39P99DCGG0MDLARTCRMCF6OFLLUL7PR6",
+			},
+			name:   "asd.com.",
+			covers: false,
+		},
+		{ // empty interval
+			rr: &NSEC3{
+				Hdr:        RR_Header{Name: "2n1tb3vairuobl6rkdvii42n9tfmialp.com."},
+				Hash:       1,
+				Flags:      1,
+				Iterations: 5,
+				Salt:       "F10E9F7EA83FC8F3",
+				NextDomain: "2N1TB3VAIRUOBL6RKDVII42N9TFMIALP",
+			},
+			name:   "asd.com.",
+			covers: false,
+		},
+		{ // name hash is before owner hash, not covered
+			rr: &NSEC3{
+				Hdr:        RR_Header{Name: "3V62ULR0NRE83V0RJA2VJGTLIF9V6RAB.com."},
+				Hash:       1,
+				Flags:      1,
+				Iterations: 5,
+				Salt:       "F10E9F7EA83FC8F3",
+				NextDomain: "PT3RON8N7PM3A0OE989IB84OOSADP7O8",
+			},
+			name:   "asd.com.",
+			covers: false,
+		},
+	} {
+		covers := tc.rr.Cover(tc.name)
+		if tc.covers != covers {
+			t.Fatalf("Cover failed for %s: expected %t, got %t [record: %s]", tc.name, tc.covers, covers, tc.rr)
+		}
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/parse_test.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/parse_test.go
new file mode 100644
index 000000000..fc5bdaf5d
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/parse_test.go
@@ -0,0 +1,1540 @@
+package dns
+
+import (
+	"bytes"
+	"crypto/rsa"
+	"encoding/hex"
+	"fmt"
+	"math/rand"
+	"net"
+	"reflect"
+	"strconv"
+	"strings"
+	"testing"
+	"testing/quick"
+	"time"
+)
+
+func TestDotInName(t *testing.T) {
+	buf := make([]byte, 20)
+	PackDomainName("aa\\.bb.nl.", buf, 0, nil, false)
+	// index 3 must be a real dot
+	if buf[3] != '.' {
+		t.Error("dot should be a real dot")
+	}
+
+	if buf[6] != 2 {
+		t.Error("this must have the value 2")
+	}
+	dom, _, _ := UnpackDomainName(buf, 0)
+	// printing it should yield the backspace again
+	if dom != "aa\\.bb.nl." {
+		t.Error("dot should have been escaped: ", dom)
+	}
+}
+
+func TestDotLastInLabel(t *testing.T) {
+	sample := "aa\\..au."
+	buf := make([]byte, 20)
+	_, err := PackDomainName(sample, buf, 0, nil, false)
+	if err != nil {
+		t.Fatalf("unexpected error packing domain: %v", err)
+	}
+	dom, _, _ := UnpackDomainName(buf, 0)
+	if dom != sample {
+		t.Fatalf("unpacked domain `%s' doesn't match packed domain", dom)
+	}
+}
+
+func TestTooLongDomainName(t *testing.T) {
+	l := "aaabbbcccdddeeefffggghhhiiijjjkkklllmmmnnnooopppqqqrrrsssttt."
+	dom := l + l + l + l + l + l + l
+	_, err := NewRR(dom + " IN A 127.0.0.1")
+	if err == nil {
+		t.Error("should be too long")
+	} else {
+		t.Logf("error is %v", err)
+	}
+	_, err = NewRR("..com. IN A 127.0.0.1")
+	if err == nil {
+		t.Error("should fail")
+	} else {
+		t.Logf("error is %v", err)
+	}
+}
+
+func TestDomainName(t *testing.T) {
+	tests := []string{"r\\.gieben.miek.nl.", "www\\.www.miek.nl.",
+		"www.*.miek.nl.", "www.*.miek.nl.",
+	}
+	dbuff := make([]byte, 40)
+
+	for _, ts := range tests {
+		if _, err := PackDomainName(ts, dbuff, 0, nil, false); err != nil {
+			t.Error("not a valid domain name")
+			continue
+		}
+		n, _, err := UnpackDomainName(dbuff, 0)
+		if err != nil {
+			t.Error("failed to unpack packed domain name")
+			continue
+		}
+		if ts != n {
+			t.Errorf("must be equal: in: %s, out: %s", ts, n)
+		}
+	}
+}
+
+func TestDomainNameAndTXTEscapes(t *testing.T) {
+	tests := []byte{'.', '(', ')', ';', ' ', '@', '"', '\\', 9, 13, 10, 0, 255}
+	for _, b := range tests {
+		rrbytes := []byte{
+			1, b, 0, // owner
+			byte(TypeTXT >> 8), byte(TypeTXT),
+			byte(ClassINET >> 8), byte(ClassINET),
+			0, 0, 0, 1, // TTL
+			0, 2, 1, b, // Data
+		}
+		rr1, _, err := UnpackRR(rrbytes, 0)
+		if err != nil {
+			panic(err)
+		}
+		s := rr1.String()
+		rr2, err := NewRR(s)
+		if err != nil {
+			t.Errorf("Error parsing unpacked RR's string: %v", err)
+			t.Errorf(" Bytes: %v", rrbytes)
+			t.Errorf("String: %v", s)
+		}
+		repacked := make([]byte, len(rrbytes))
+		if _, err := PackRR(rr2, repacked, 0, nil, false); err != nil {
+			t.Errorf("error packing parsed RR: %v", err)
+			t.Errorf(" original Bytes: %v", rrbytes)
+			t.Errorf("unpacked Struct: %v", rr1)
+			t.Errorf("  parsed Struct: %v", rr2)
+		}
+		if !bytes.Equal(repacked, rrbytes) {
+			t.Error("packed bytes don't match original bytes")
+			t.Errorf(" original bytes: %v", rrbytes)
+			t.Errorf("   packed bytes: %v", repacked)
+			t.Errorf("unpacked struct: %v", rr1)
+			t.Errorf("  parsed struct: %v", rr2)
+		}
+	}
+}
+
+func TestTXTEscapeParsing(t *testing.T) {
+	test := [][]string{
+		{`";"`, `";"`},
+		{`\;`, `";"`},
+		{`"\t"`, `"t"`},
+		{`"\r"`, `"r"`},
+		{`"\ "`, `" "`},
+		{`"\;"`, `";"`},
+		{`"\;\""`, `";\""`},
+		{`"\(a\)"`, `"(a)"`},
+		{`"\(a)"`, `"(a)"`},
+		{`"(a\)"`, `"(a)"`},
+		{`"(a)"`, `"(a)"`},
+		{`"\048"`, `"0"`},
+		{`"\` + "\t" + `"`, `"\009"`},
+		{`"\` + "\n" + `"`, `"\010"`},
+		{`"\` + "\r" + `"`, `"\013"`},
+		{`"\` + "\x11" + `"`, `"\017"`},
+		{`"\'"`, `"'"`},
+	}
+	for _, s := range test {
+		rr, err := NewRR(fmt.Sprintf("example.com. IN TXT %v", s[0]))
+		if err != nil {
+			t.Errorf("could not parse %v TXT: %s", s[0], err)
+			continue
+		}
+
+		txt := sprintTxt(rr.(*TXT).Txt)
+		if txt != s[1] {
+			t.Errorf("mismatch after parsing `%v` TXT record: `%v` != `%v`", s[0], txt, s[1])
+		}
+	}
+}
+
+func GenerateDomain(r *rand.Rand, size int) []byte {
+	dnLen := size % 70 // artificially limit size so there's less to intrepret if a failure occurs
+	var dn []byte
+	done := false
+	for i := 0; i < dnLen && !done; {
+		max := dnLen - i
+		if max > 63 {
+			max = 63
+		}
+		lLen := max
+		if lLen != 0 {
+			lLen = int(r.Int31()) % max
+		}
+		done = lLen == 0
+		if done {
+			continue
+		}
+		l := make([]byte, lLen+1)
+		l[0] = byte(lLen)
+		for j := 0; j < lLen; j++ {
+			l[j+1] = byte(rand.Int31())
+		}
+		dn = append(dn, l...)
+		i += 1 + lLen
+	}
+	return append(dn, 0)
+}
+
+func TestDomainQuick(t *testing.T) {
+	r := rand.New(rand.NewSource(0))
+	f := func(l int) bool {
+		db := GenerateDomain(r, l)
+		ds, _, err := UnpackDomainName(db, 0)
+		if err != nil {
+			panic(err)
+		}
+		buf := make([]byte, 255)
+		off, err := PackDomainName(ds, buf, 0, nil, false)
+		if err != nil {
+			t.Errorf("error packing domain: %v", err)
+			t.Errorf(" bytes: %v", db)
+			t.Errorf("string: %v", ds)
+			return false
+		}
+		if !bytes.Equal(db, buf[:off]) {
+			t.Errorf("repacked domain doesn't match original:")
+			t.Errorf("src bytes: %v", db)
+			t.Errorf("   string: %v", ds)
+			t.Errorf("out bytes: %v", buf[:off])
+			return false
+		}
+		return true
+	}
+	if err := quick.Check(f, nil); err != nil {
+		t.Error(err)
+	}
+}
+
+func GenerateTXT(r *rand.Rand, size int) []byte {
+	rdLen := size % 300 // artificially limit size so there's less to intrepret if a failure occurs
+	var rd []byte
+	for i := 0; i < rdLen; {
+		max := rdLen - 1
+		if max > 255 {
+			max = 255
+		}
+		sLen := max
+		if max != 0 {
+			sLen = int(r.Int31()) % max
+		}
+		s := make([]byte, sLen+1)
+		s[0] = byte(sLen)
+		for j := 0; j < sLen; j++ {
+			s[j+1] = byte(rand.Int31())
+		}
+		rd = append(rd, s...)
+		i += 1 + sLen
+	}
+	return rd
+}
+
+// Ok, 2 things. 1) this test breaks with the new functionality of splitting up larger txt
+// chunks into 255 byte pieces. 2) I don't like the random nature of this thing, because I can't
+// place the quotes where they need to be.
+// So either add some code the places the quotes in just the right spots, make this non random
+// or do something else.
+// Disabled for now. (miek)
+func testTXTRRQuick(t *testing.T) {
+	s := rand.NewSource(0)
+	r := rand.New(s)
+	typeAndClass := []byte{
+		byte(TypeTXT >> 8), byte(TypeTXT),
+		byte(ClassINET >> 8), byte(ClassINET),
+		0, 0, 0, 1, // TTL
+	}
+	f := func(l int) bool {
+		owner := GenerateDomain(r, l)
+		rdata := GenerateTXT(r, l)
+		rrbytes := make([]byte, 0, len(owner)+2+2+4+2+len(rdata))
+		rrbytes = append(rrbytes, owner...)
+		rrbytes = append(rrbytes, typeAndClass...)
+		rrbytes = append(rrbytes, byte(len(rdata)>>8))
+		rrbytes = append(rrbytes, byte(len(rdata)))
+		rrbytes = append(rrbytes, rdata...)
+		rr, _, err := UnpackRR(rrbytes, 0)
+		if err != nil {
+			panic(err)
+		}
+		buf := make([]byte, len(rrbytes)*3)
+		off, err := PackRR(rr, buf, 0, nil, false)
+		if err != nil {
+			t.Errorf("pack Error: %v\nRR: %v", err, rr)
+			return false
+		}
+		buf = buf[:off]
+		if !bytes.Equal(buf, rrbytes) {
+			t.Errorf("packed bytes don't match original bytes")
+			t.Errorf("src bytes: %v", rrbytes)
+			t.Errorf("   struct: %v", rr)
+			t.Errorf("out bytes: %v", buf)
+			return false
+		}
+		if len(rdata) == 0 {
+			// string'ing won't produce any data to parse
+			return true
+		}
+		rrString := rr.String()
+		rr2, err := NewRR(rrString)
+		if err != nil {
+			t.Errorf("error parsing own output: %v", err)
+			t.Errorf("struct: %v", rr)
+			t.Errorf("string: %v", rrString)
+			return false
+		}
+		if rr2.String() != rrString {
+			t.Errorf("parsed rr.String() doesn't match original string")
+			t.Errorf("original: %v", rrString)
+			t.Errorf("  parsed: %v", rr2.String())
+			return false
+		}
+
+		buf = make([]byte, len(rrbytes)*3)
+		off, err = PackRR(rr2, buf, 0, nil, false)
+		if err != nil {
+			t.Errorf("error packing parsed rr: %v", err)
+			t.Errorf("unpacked Struct: %v", rr)
+			t.Errorf("         string: %v", rrString)
+			t.Errorf("  parsed Struct: %v", rr2)
+			return false
+		}
+		buf = buf[:off]
+		if !bytes.Equal(buf, rrbytes) {
+			t.Errorf("parsed packed bytes don't match original bytes")
+			t.Errorf("   source bytes: %v", rrbytes)
+			t.Errorf("unpacked struct: %v", rr)
+			t.Errorf("         string: %v", rrString)
+			t.Errorf("  parsed struct: %v", rr2)
+			t.Errorf(" repacked bytes: %v", buf)
+			return false
+		}
+		return true
+	}
+	c := &quick.Config{MaxCountScale: 10}
+	if err := quick.Check(f, c); err != nil {
+		t.Error(err)
+	}
+}
+
+func TestParseDirectiveMisc(t *testing.T) {
+	tests := map[string]string{
+		"$ORIGIN miek.nl.\na IN NS b": "a.miek.nl.\t3600\tIN\tNS\tb.miek.nl.",
+		"$TTL 2H\nmiek.nl. IN NS b.":  "miek.nl.\t7200\tIN\tNS\tb.",
+		"miek.nl. 1D IN NS b.":        "miek.nl.\t86400\tIN\tNS\tb.",
+		`name. IN SOA  a6.nstld.com. hostmaster.nic.name. (
+        203362132 ; serial
+        5m        ; refresh (5 minutes)
+        5m        ; retry (5 minutes)
+        2w        ; expire (2 weeks)
+        300       ; minimum (5 minutes)
+)`: "name.\t3600\tIN\tSOA\ta6.nstld.com. hostmaster.nic.name. 203362132 300 300 1209600 300",
+		". 3600000  IN  NS ONE.MY-ROOTS.NET.":        ".\t3600000\tIN\tNS\tONE.MY-ROOTS.NET.",
+		"ONE.MY-ROOTS.NET. 3600000 IN A 192.168.1.1": "ONE.MY-ROOTS.NET.\t3600000\tIN\tA\t192.168.1.1",
+	}
+	for i, o := range tests {
+		rr, err := NewRR(i)
+		if err != nil {
+			t.Error("failed to parse RR: ", err)
+			continue
+		}
+		if rr.String() != o {
+			t.Errorf("`%s' should be equal to\n`%s', but is     `%s'", i, o, rr.String())
+		} else {
+			t.Logf("RR is OK: `%s'", rr.String())
+		}
+	}
+}
+
+func TestNSEC(t *testing.T) {
+	nsectests := map[string]string{
+		"nl. IN NSEC3PARAM 1 0 5 30923C44C6CBBB8F":                                                                                                 "nl.\t3600\tIN\tNSEC3PARAM\t1 0 5 30923C44C6CBBB8F",
+		"p2209hipbpnm681knjnu0m1febshlv4e.nl. IN NSEC3 1 1 5 30923C44C6CBBB8F P90DG1KE8QEAN0B01613LHQDG0SOJ0TA NS SOA TXT RRSIG DNSKEY NSEC3PARAM": "p2209hipbpnm681knjnu0m1febshlv4e.nl.\t3600\tIN\tNSEC3\t1 1 5 30923C44C6CBBB8F P90DG1KE8QEAN0B01613LHQDG0SOJ0TA NS SOA TXT RRSIG DNSKEY NSEC3PARAM",
+		"localhost.dnssex.nl. IN NSEC www.dnssex.nl. A RRSIG NSEC":                                                                                 "localhost.dnssex.nl.\t3600\tIN\tNSEC\twww.dnssex.nl. A RRSIG NSEC",
+		"localhost.dnssex.nl. IN NSEC www.dnssex.nl. A RRSIG NSEC TYPE65534":                                                                       "localhost.dnssex.nl.\t3600\tIN\tNSEC\twww.dnssex.nl. A RRSIG NSEC TYPE65534",
+		"localhost.dnssex.nl. IN NSEC www.dnssex.nl. A RRSIG NSec Type65534":                                                                       "localhost.dnssex.nl.\t3600\tIN\tNSEC\twww.dnssex.nl. A RRSIG NSEC TYPE65534",
+		"44ohaq2njb0idnvolt9ggthvsk1e1uv8.skydns.test. NSEC3 1 0 0 - 44OHAQ2NJB0IDNVOLT9GGTHVSK1E1UVA":                                             "44ohaq2njb0idnvolt9ggthvsk1e1uv8.skydns.test.\t3600\tIN\tNSEC3\t1 0 0 - 44OHAQ2NJB0IDNVOLT9GGTHVSK1E1UVA",
+	}
+	for i, o := range nsectests {
+		rr, err := NewRR(i)
+		if err != nil {
+			t.Error("failed to parse RR: ", err)
+			continue
+		}
+		if rr.String() != o {
+			t.Errorf("`%s' should be equal to\n`%s', but is     `%s'", i, o, rr.String())
+		} else {
+			t.Logf("RR is OK: `%s'", rr.String())
+		}
+	}
+}
+
+func TestParseLOC(t *testing.T) {
+	lt := map[string]string{
+		"SW1A2AA.find.me.uk.	LOC	51 30 12.748 N 00 07 39.611 W 0.00m 0.00m 0.00m 0.00m": "SW1A2AA.find.me.uk.\t3600\tIN\tLOC\t51 30 12.748 N 00 07 39.611 W 0m 0.00m 0.00m 0.00m",
+		"SW1A2AA.find.me.uk.	LOC	51 0 0.0 N 00 07 39.611 W 0.00m 0.00m 0.00m 0.00m": "SW1A2AA.find.me.uk.\t3600\tIN\tLOC\t51 00 0.000 N 00 07 39.611 W 0m 0.00m 0.00m 0.00m",
+	}
+	for i, o := range lt {
+		rr, err := NewRR(i)
+		if err != nil {
+			t.Error("failed to parse RR: ", err)
+			continue
+		}
+		if rr.String() != o {
+			t.Errorf("`%s' should be equal to\n`%s', but is     `%s'", i, o, rr.String())
+		} else {
+			t.Logf("RR is OK: `%s'", rr.String())
+		}
+	}
+}
+
+func TestParseDS(t *testing.T) {
+	dt := map[string]string{
+		"example.net. 3600 IN DS 40692 12 3 22261A8B0E0D799183E35E24E2AD6BB58533CBA7E3B14D659E9CA09B 2071398F": "example.net.\t3600\tIN\tDS\t40692 12 3 22261A8B0E0D799183E35E24E2AD6BB58533CBA7E3B14D659E9CA09B2071398F",
+	}
+	for i, o := range dt {
+		rr, err := NewRR(i)
+		if err != nil {
+			t.Error("failed to parse RR: ", err)
+			continue
+		}
+		if rr.String() != o {
+			t.Errorf("`%s' should be equal to\n`%s', but is     `%s'", i, o, rr.String())
+		} else {
+			t.Logf("RR is OK: `%s'", rr.String())
+		}
+	}
+}
+
+func TestQuotes(t *testing.T) {
+	tests := map[string]string{
+		`t.example.com. IN TXT "a bc"`: "t.example.com.\t3600\tIN\tTXT\t\"a bc\"",
+		`t.example.com. IN TXT "a
+ bc"`: "t.example.com.\t3600\tIN\tTXT\t\"a\\010 bc\"",
+		`t.example.com. IN TXT ""`:                                                           "t.example.com.\t3600\tIN\tTXT\t\"\"",
+		`t.example.com. IN TXT "a"`:                                                          "t.example.com.\t3600\tIN\tTXT\t\"a\"",
+		`t.example.com. IN TXT "aa"`:                                                         "t.example.com.\t3600\tIN\tTXT\t\"aa\"",
+		`t.example.com. IN TXT "aaa" ;`:                                                      "t.example.com.\t3600\tIN\tTXT\t\"aaa\"",
+		`t.example.com. IN TXT "abc" "DEF"`:                                                  "t.example.com.\t3600\tIN\tTXT\t\"abc\" \"DEF\"",
+		`t.example.com. IN TXT "abc" ( "DEF" )`:                                              "t.example.com.\t3600\tIN\tTXT\t\"abc\" \"DEF\"",
+		`t.example.com. IN TXT aaa ;`:                                                        "t.example.com.\t3600\tIN\tTXT\t\"aaa\"",
+		`t.example.com. IN TXT aaa aaa;`:                                                     "t.example.com.\t3600\tIN\tTXT\t\"aaa\" \"aaa\"",
+		`t.example.com. IN TXT aaa aaa`:                                                      "t.example.com.\t3600\tIN\tTXT\t\"aaa\" \"aaa\"",
+		`t.example.com. IN TXT aaa`:                                                          "t.example.com.\t3600\tIN\tTXT\t\"aaa\"",
+		"cid.urn.arpa. NAPTR 100 50 \"s\" \"z3950+I2L+I2C\"    \"\" _z3950._tcp.gatech.edu.": "cid.urn.arpa.\t3600\tIN\tNAPTR\t100 50 \"s\" \"z3950+I2L+I2C\" \"\" _z3950._tcp.gatech.edu.",
+		"cid.urn.arpa. NAPTR 100 50 \"s\" \"rcds+I2C\"         \"\" _rcds._udp.gatech.edu.":  "cid.urn.arpa.\t3600\tIN\tNAPTR\t100 50 \"s\" \"rcds+I2C\" \"\" _rcds._udp.gatech.edu.",
+		"cid.urn.arpa. NAPTR 100 50 \"s\" \"http+I2L+I2C+I2R\" \"\" _http._tcp.gatech.edu.":  "cid.urn.arpa.\t3600\tIN\tNAPTR\t100 50 \"s\" \"http+I2L+I2C+I2R\" \"\" _http._tcp.gatech.edu.",
+		"cid.urn.arpa. NAPTR 100 10 \"\" \"\" \"/urn:cid:.+@([^\\.]+\\.)(.*)$/\\2/i\" .":     "cid.urn.arpa.\t3600\tIN\tNAPTR\t100 10 \"\" \"\" \"/urn:cid:.+@([^\\.]+\\.)(.*)$/\\2/i\" .",
+	}
+	for i, o := range tests {
+		rr, err := NewRR(i)
+		if err != nil {
+			t.Error("failed to parse RR: ", err)
+			continue
+		}
+		if rr.String() != o {
+			t.Errorf("`%s' should be equal to\n`%s', but is\n`%s'", i, o, rr.String())
+		} else {
+			t.Logf("RR is OK: `%s'", rr.String())
+		}
+	}
+}
+
+func TestParseClass(t *testing.T) {
+	tests := map[string]string{
+		"t.example.com. IN A 127.0.0.1": "t.example.com.	3600	IN	A	127.0.0.1",
+		"t.example.com. CS A 127.0.0.1": "t.example.com.	3600	CS	A	127.0.0.1",
+		"t.example.com. CH A 127.0.0.1": "t.example.com.	3600	CH	A	127.0.0.1",
+		// ClassANY can not occur in zone files
+		// "t.example.com. ANY A 127.0.0.1": "t.example.com.	3600	ANY	A	127.0.0.1",
+		"t.example.com. NONE A 127.0.0.1": "t.example.com.	3600	NONE	A	127.0.0.1",
+	}
+	for i, o := range tests {
+		rr, err := NewRR(i)
+		if err != nil {
+			t.Error("failed to parse RR: ", err)
+			continue
+		}
+		if rr.String() != o {
+			t.Errorf("`%s' should be equal to\n`%s', but is\n`%s'", i, o, rr.String())
+		} else {
+			t.Logf("RR is OK: `%s'", rr.String())
+		}
+	}
+}
+
+func TestBrace(t *testing.T) {
+	tests := map[string]string{
+		"(miek.nl.) 3600 IN A 127.0.1.1":                 "miek.nl.\t3600\tIN\tA\t127.0.1.1",
+		"miek.nl. (3600) IN MX (10) elektron.atoom.net.": "miek.nl.\t3600\tIN\tMX\t10 elektron.atoom.net.",
+		`miek.nl. IN (
+                        3600 A 127.0.0.1)`: "miek.nl.\t3600\tIN\tA\t127.0.0.1",
+		"(miek.nl.) (A) (127.0.2.1)":                          "miek.nl.\t3600\tIN\tA\t127.0.2.1",
+		"miek.nl A 127.0.3.1":                                 "miek.nl.\t3600\tIN\tA\t127.0.3.1",
+		"_ssh._tcp.local. 60 IN (PTR) stora._ssh._tcp.local.": "_ssh._tcp.local.\t60\tIN\tPTR\tstora._ssh._tcp.local.",
+		"miek.nl. NS ns.miek.nl":                              "miek.nl.\t3600\tIN\tNS\tns.miek.nl.",
+		`(miek.nl.) (
+                        (IN)
+                        (AAAA)
+                        (::1) )`: "miek.nl.\t3600\tIN\tAAAA\t::1",
+		`(miek.nl.) (
+                        (IN)
+                        (AAAA)
+                        (::1))`: "miek.nl.\t3600\tIN\tAAAA\t::1",
+		"miek.nl. IN AAAA ::2": "miek.nl.\t3600\tIN\tAAAA\t::2",
+		`((m)(i)ek.(n)l.) (SOA) (soa.) (soa.) (
+                                2009032802 ; serial
+                                21600      ; refresh (6 hours)
+                                7(2)00       ; retry (2 hours)
+                                604()800     ; expire (1 week)
+                                3600       ; minimum (1 hour)
+                        )`: "miek.nl.\t3600\tIN\tSOA\tsoa. soa. 2009032802 21600 7200 604800 3600",
+		"miek\\.nl. IN A 127.0.0.10": "miek\\.nl.\t3600\tIN\tA\t127.0.0.10",
+		"miek.nl. IN A 127.0.0.11":   "miek.nl.\t3600\tIN\tA\t127.0.0.11",
+		"miek.nl. A 127.0.0.12":      "miek.nl.\t3600\tIN\tA\t127.0.0.12",
+		`miek.nl.       86400 IN SOA elektron.atoom.net. miekg.atoom.net. (
+                                2009032802 ; serial
+                                21600      ; refresh (6 hours)
+                                7200       ; retry (2 hours)
+                                604800     ; expire (1 week)
+                                3600       ; minimum (1 hour)
+                        )`: "miek.nl.\t86400\tIN\tSOA\telektron.atoom.net. miekg.atoom.net. 2009032802 21600 7200 604800 3600",
+	}
+	for i, o := range tests {
+		rr, err := NewRR(i)
+		if err != nil {
+			t.Errorf("failed to parse RR: %v\n\t%s", err, i)
+			continue
+		}
+		if rr.String() != o {
+			t.Errorf("`%s' should be equal to\n`%s', but is     `%s'", i, o, rr.String())
+		} else {
+			t.Logf("RR is OK: `%s'", rr.String())
+		}
+	}
+}
+
+func TestParseFailure(t *testing.T) {
+	tests := []string{"miek.nl. IN A 327.0.0.1",
+		"miek.nl. IN AAAA ::x",
+		"miek.nl. IN MX a0 miek.nl.",
+		"miek.nl aap IN MX mx.miek.nl.",
+		"miek.nl 200 IN mxx 10 mx.miek.nl.",
+		"miek.nl. inn MX 10 mx.miek.nl.",
+		// "miek.nl. IN CNAME ", // actually valid nowadays, zero size rdata
+		"miek.nl. IN CNAME ..",
+		"miek.nl. PA MX 10 miek.nl.",
+		"miek.nl. ) IN MX 10 miek.nl.",
+	}
+
+	for _, s := range tests {
+		_, err := NewRR(s)
+		if err == nil {
+			t.Errorf("should have triggered an error: \"%s\"", s)
+		}
+	}
+}
+
+func TestZoneParsing(t *testing.T) {
+	// parse_test.db
+	db := `
+a.example.com.                IN A 127.0.0.1
+8db7._openpgpkey.example.com. IN OPENPGPKEY mQCNAzIG
+$ORIGIN a.example.com.
+test                          IN A 127.0.0.1
+                              IN SSHFP   1 2 (
+                                           BC6533CDC95A79078A39A56EA7635984ED655318ADA9
+                                           B6159E30723665DA95BB )
+$ORIGIN b.example.com.
+test                          IN CNAME test.a.example.com.
+`
+	start := time.Now().UnixNano()
+	to := ParseZone(strings.NewReader(db), "", "parse_test.db")
+	var i int
+	for x := range to {
+		i++
+		if x.Error != nil {
+			t.Error(x.Error)
+			continue
+		}
+		t.Log(x.RR)
+	}
+	delta := time.Now().UnixNano() - start
+	t.Logf("%d RRs parsed in %.2f s (%.2f RR/s)", i, float32(delta)/1e9, float32(i)/(float32(delta)/1e9))
+}
+
+func ExampleParseZone() {
+	zone := `$ORIGIN .
+$TTL 3600       ; 1 hour
+name                    IN SOA  a6.nstld.com. hostmaster.nic.name. (
+                                203362132  ; serial
+                                300        ; refresh (5 minutes)
+                                300        ; retry (5 minutes)
+                                1209600    ; expire (2 weeks)
+                                300        ; minimum (5 minutes)
+                                )
+$TTL 10800      ; 3 hours
+name.	10800	IN	NS	name.
+               IN       NS      g6.nstld.com.
+               7200     NS      h6.nstld.com.
+             3600 IN    NS      j6.nstld.com.
+             IN 3600    NS      k6.nstld.com.
+                        NS      l6.nstld.com.
+                        NS      a6.nstld.com.
+                        NS      c6.nstld.com.
+                        NS      d6.nstld.com.
+                        NS      f6.nstld.com.
+                        NS      m6.nstld.com.
+(
+			NS	m7.nstld.com.
+)
+$ORIGIN name.
+0-0onlus                NS      ns7.ehiweb.it.
+                        NS      ns8.ehiweb.it.
+0-g                     MX      10 mx01.nic
+                        MX      10 mx02.nic
+                        MX      10 mx03.nic
+                        MX      10 mx04.nic
+$ORIGIN 0-g.name
+moutamassey             NS      ns01.yahoodomains.jp.
+                        NS      ns02.yahoodomains.jp.
+`
+	to := ParseZone(strings.NewReader(zone), "", "testzone")
+	for x := range to {
+		fmt.Println(x.RR)
+	}
+	// Output:
+	// name.	3600	IN	SOA	a6.nstld.com. hostmaster.nic.name. 203362132 300 300 1209600 300
+	// name.	10800	IN	NS	name.
+	// name.	10800	IN	NS	g6.nstld.com.
+	// name.	7200	IN	NS	h6.nstld.com.
+	// name.	3600	IN	NS	j6.nstld.com.
+	// name.	3600	IN	NS	k6.nstld.com.
+	// name.	10800	IN	NS	l6.nstld.com.
+	// name.	10800	IN	NS	a6.nstld.com.
+	// name.	10800	IN	NS	c6.nstld.com.
+	// name.	10800	IN	NS	d6.nstld.com.
+	// name.	10800	IN	NS	f6.nstld.com.
+	// name.	10800	IN	NS	m6.nstld.com.
+	// name.	10800	IN	NS	m7.nstld.com.
+	// 0-0onlus.name.	10800	IN	NS	ns7.ehiweb.it.
+	// 0-0onlus.name.	10800	IN	NS	ns8.ehiweb.it.
+	// 0-g.name.	10800	IN	MX	10 mx01.nic.name.
+	// 0-g.name.	10800	IN	MX	10 mx02.nic.name.
+	// 0-g.name.	10800	IN	MX	10 mx03.nic.name.
+	// 0-g.name.	10800	IN	MX	10 mx04.nic.name.
+	// moutamassey.0-g.name.name.	10800	IN	NS	ns01.yahoodomains.jp.
+	// moutamassey.0-g.name.name.	10800	IN	NS	ns02.yahoodomains.jp.
+}
+
+func ExampleHIP() {
+	h := `www.example.com     IN  HIP ( 2 200100107B1A74DF365639CC39F1D578
+                AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p
+9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQ
+b1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D
+        rvs.example.com. )`
+	if hip, err := NewRR(h); err == nil {
+		fmt.Println(hip.String())
+	}
+	// Output:
+	// www.example.com.	3600	IN	HIP	2 200100107B1A74DF365639CC39F1D578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D rvs.example.com.
+}
+
+func TestHIP(t *testing.T) {
+	h := `www.example.com.      IN  HIP ( 2 200100107B1A74DF365639CC39F1D578
+                                AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p
+9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQ
+b1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D
+                                rvs1.example.com.
+                                rvs2.example.com. )`
+	rr, err := NewRR(h)
+	if err != nil {
+		t.Fatalf("failed to parse RR: %v", err)
+	}
+	t.Logf("RR: %s", rr)
+	msg := new(Msg)
+	msg.Answer = []RR{rr, rr}
+	bytes, err := msg.Pack()
+	if err != nil {
+		t.Fatalf("failed to pack msg: %v", err)
+	}
+	if err := msg.Unpack(bytes); err != nil {
+		t.Fatalf("failed to unpack msg: %v", err)
+	}
+	if len(msg.Answer) != 2 {
+		t.Fatalf("2 answers expected: %v", msg)
+	}
+	for i, rr := range msg.Answer {
+		rr := rr.(*HIP)
+		t.Logf("RR: %s", rr)
+		if l := len(rr.RendezvousServers); l != 2 {
+			t.Fatalf("2 servers expected, only %d in record %d:\n%v", l, i, msg)
+		}
+		for j, s := range []string{"rvs1.example.com.", "rvs2.example.com."} {
+			if rr.RendezvousServers[j] != s {
+				t.Fatalf("expected server %d of record %d to be %s:\n%v", j, i, s, msg)
+			}
+		}
+	}
+}
+
+func ExampleSOA() {
+	s := "example.com. 1000 SOA master.example.com. admin.example.com. 1 4294967294 4294967293 4294967295 100"
+	if soa, err := NewRR(s); err == nil {
+		fmt.Println(soa.String())
+	}
+	// Output:
+	// example.com.	1000	IN	SOA	master.example.com. admin.example.com. 1 4294967294 4294967293 4294967295 100
+}
+
+func TestLineNumberError(t *testing.T) {
+	s := "example.com. 1000 SOA master.example.com. admin.example.com. monkey 4294967294 4294967293 4294967295 100"
+	if _, err := NewRR(s); err != nil {
+		if err.Error() != "dns: bad SOA zone parameter: \"monkey\" at line: 1:68" {
+			t.Error("not expecting this error: ", err)
+		}
+	}
+}
+
+// Test with no known RR on the line
+func TestLineNumberError2(t *testing.T) {
+	tests := map[string]string{
+		"example.com. 1000 SO master.example.com. admin.example.com. 1 4294967294 4294967293 4294967295 100": "dns: expecting RR type or class, not this...: \"SO\" at line: 1:21",
+		"example.com 1000 IN TALINK a.example.com. b..example.com.":                                          "dns: bad TALINK NextName: \"b..example.com.\" at line: 1:57",
+		"example.com 1000 IN TALINK ( a.example.com. b..example.com. )":                                      "dns: bad TALINK NextName: \"b..example.com.\" at line: 1:60",
+		`example.com 1000 IN TALINK ( a.example.com.
+	bb..example.com. )`: "dns: bad TALINK NextName: \"bb..example.com.\" at line: 2:18",
+		// This is a bug, it should report an error on line 1, but the new is already processed.
+		`example.com 1000 IN TALINK ( a.example.com.  b...example.com.
+	)`: "dns: bad TALINK NextName: \"b...example.com.\" at line: 2:1"}
+
+	for in, errStr := range tests {
+		_, err := NewRR(in)
+		if err == nil {
+			t.Error("err is nil")
+		} else {
+			if err.Error() != errStr {
+				t.Errorf("%s: error should be %s is %v", in, errStr, err)
+			}
+		}
+	}
+}
+
+// Test if the calculations are correct
+func TestRfc1982(t *testing.T) {
+	// If the current time and the timestamp are more than 68 years apart
+	// it means the date has wrapped. 0 is 1970
+
+	// fall in the current 68 year span
+	strtests := []string{"20120525134203", "19700101000000", "20380119031408"}
+	for _, v := range strtests {
+		if x, _ := StringToTime(v); v != TimeToString(x) {
+			t.Errorf("1982 arithmetic string failure %s (%s:%d)", v, TimeToString(x), x)
+		}
+	}
+
+	inttests := map[uint32]string{0: "19700101000000",
+		1 << 31:   "20380119031408",
+		1<<32 - 1: "21060207062815",
+	}
+	for i, v := range inttests {
+		if TimeToString(i) != v {
+			t.Errorf("1982 arithmetic int failure %d:%s (%s)", i, v, TimeToString(i))
+		}
+	}
+
+	// Future tests, these dates get parsed to a date within the current 136 year span
+	future := map[string]string{"22680119031408": "20631123173144",
+		"19010101121212": "20370206184028",
+		"19210101121212": "20570206184028",
+		"19500101121212": "20860206184028",
+		"19700101000000": "19700101000000",
+		"19690101000000": "21050207062816",
+		"29210101121212": "21040522212236",
+	}
+	for from, to := range future {
+		x, _ := StringToTime(from)
+		y := TimeToString(x)
+		if y != to {
+			t.Errorf("1982 arithmetic future failure %s:%s (%s)", from, to, y)
+		}
+	}
+}
+
+func TestEmpty(t *testing.T) {
+	for range ParseZone(strings.NewReader(""), "", "") {
+		t.Errorf("should be empty")
+	}
+}
+
+func TestLowercaseTokens(t *testing.T) {
+	var testrecords = []string{
+		"example.org. 300 IN a 1.2.3.4",
+		"example.org. 300 in A 1.2.3.4",
+		"example.org. 300 in a 1.2.3.4",
+		"example.org. 300 a 1.2.3.4",
+		"example.org. 300 A 1.2.3.4",
+		"example.org. IN a 1.2.3.4",
+		"example.org. in A 1.2.3.4",
+		"example.org. in a 1.2.3.4",
+		"example.org. a 1.2.3.4",
+		"example.org. A 1.2.3.4",
+		"example.org. a 1.2.3.4",
+		"$ORIGIN example.org.\n a 1.2.3.4",
+		"$Origin example.org.\n a 1.2.3.4",
+		"$origin example.org.\n a 1.2.3.4",
+		"example.org. Class1 Type1 1.2.3.4",
+	}
+	for _, testrr := range testrecords {
+		_, err := NewRR(testrr)
+		if err != nil {
+			t.Errorf("failed to parse %#v, got %v", testrr, err)
+		}
+	}
+}
+
+func ExampleParseZone_generate() {
+	// From the manual: http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch06.html#id2566761
+	zone := "$GENERATE 1-2 0 NS SERVER$.EXAMPLE.\n$GENERATE 1-8 $ CNAME $.0"
+	to := ParseZone(strings.NewReader(zone), "0.0.192.IN-ADDR.ARPA.", "")
+	for x := range to {
+		if x.Error == nil {
+			fmt.Println(x.RR.String())
+		}
+	}
+	// Output:
+	// 0.0.0.192.IN-ADDR.ARPA.	3600	IN	NS	SERVER1.EXAMPLE.
+	// 0.0.0.192.IN-ADDR.ARPA.	3600	IN	NS	SERVER2.EXAMPLE.
+	// 1.0.0.192.IN-ADDR.ARPA.	3600	IN	CNAME	1.0.0.0.192.IN-ADDR.ARPA.
+	// 2.0.0.192.IN-ADDR.ARPA.	3600	IN	CNAME	2.0.0.0.192.IN-ADDR.ARPA.
+	// 3.0.0.192.IN-ADDR.ARPA.	3600	IN	CNAME	3.0.0.0.192.IN-ADDR.ARPA.
+	// 4.0.0.192.IN-ADDR.ARPA.	3600	IN	CNAME	4.0.0.0.192.IN-ADDR.ARPA.
+	// 5.0.0.192.IN-ADDR.ARPA.	3600	IN	CNAME	5.0.0.0.192.IN-ADDR.ARPA.
+	// 6.0.0.192.IN-ADDR.ARPA.	3600	IN	CNAME	6.0.0.0.192.IN-ADDR.ARPA.
+	// 7.0.0.192.IN-ADDR.ARPA.	3600	IN	CNAME	7.0.0.0.192.IN-ADDR.ARPA.
+	// 8.0.0.192.IN-ADDR.ARPA.	3600	IN	CNAME	8.0.0.0.192.IN-ADDR.ARPA.
+}
+
+func TestSRVPacking(t *testing.T) {
+	msg := Msg{}
+
+	things := []string{"1.2.3.4:8484",
+		"45.45.45.45:8484",
+		"84.84.84.84:8484",
+	}
+
+	for i, n := range things {
+		h, p, err := net.SplitHostPort(n)
+		if err != nil {
+			continue
+		}
+		port, _ := strconv.ParseUint(p, 10, 16)
+
+		rr := &SRV{
+			Hdr: RR_Header{Name: "somename.",
+				Rrtype: TypeSRV,
+				Class:  ClassINET,
+				Ttl:    5},
+			Priority: uint16(i),
+			Weight:   5,
+			Port:     uint16(port),
+			Target:   h + ".",
+		}
+
+		msg.Answer = append(msg.Answer, rr)
+	}
+
+	_, err := msg.Pack()
+	if err != nil {
+		t.Fatalf("couldn't pack %v: %v", msg, err)
+	}
+}
+
+func TestParseBackslash(t *testing.T) {
+	if r, err := NewRR("nul\\000gap.test.globnix.net. 600 IN	A 192.0.2.10"); err != nil {
+		t.Errorf("could not create RR with \\000 in it")
+	} else {
+		t.Logf("parsed %s", r.String())
+	}
+	if r, err := NewRR(`nul\000gap.test.globnix.net. 600 IN TXT "Hello\123"`); err != nil {
+		t.Errorf("could not create RR with \\000 in it")
+	} else {
+		t.Logf("parsed %s", r.String())
+	}
+	if r, err := NewRR(`m\ @\ iek.nl. IN 3600 A 127.0.0.1`); err != nil {
+		t.Errorf("could not create RR with \\ and \\@ in it")
+	} else {
+		t.Logf("parsed %s", r.String())
+	}
+}
+
+func TestILNP(t *testing.T) {
+	tests := []string{
+		"host1.example.com.\t3600\tIN\tNID\t10 0014:4fff:ff20:ee64",
+		"host1.example.com.\t3600\tIN\tNID\t20 0015:5fff:ff21:ee65",
+		"host2.example.com.\t3600\tIN\tNID\t10 0016:6fff:ff22:ee66",
+		"host1.example.com.\t3600\tIN\tL32\t10 10.1.2.0",
+		"host1.example.com.\t3600\tIN\tL32\t20 10.1.4.0",
+		"host2.example.com.\t3600\tIN\tL32\t10 10.1.8.0",
+		"host1.example.com.\t3600\tIN\tL64\t10 2001:0DB8:1140:1000",
+		"host1.example.com.\t3600\tIN\tL64\t20 2001:0DB8:2140:2000",
+		"host2.example.com.\t3600\tIN\tL64\t10 2001:0DB8:4140:4000",
+		"host1.example.com.\t3600\tIN\tLP\t10 l64-subnet1.example.com.",
+		"host1.example.com.\t3600\tIN\tLP\t10 l64-subnet2.example.com.",
+		"host1.example.com.\t3600\tIN\tLP\t20 l32-subnet1.example.com.",
+	}
+	for _, t1 := range tests {
+		r, err := NewRR(t1)
+		if err != nil {
+			t.Fatalf("an error occurred: %v", err)
+		} else {
+			if t1 != r.String() {
+				t.Fatalf("strings should be equal %s %s", t1, r.String())
+			}
+		}
+	}
+}
+
+func TestGposEidNimloc(t *testing.T) {
+	dt := map[string]string{
+		"444433332222111199990123000000ff. NSAP-PTR foo.bar.com.": "444433332222111199990123000000ff.\t3600\tIN\tNSAP-PTR\tfoo.bar.com.",
+		"lillee. IN  GPOS -32.6882 116.8652 10.0":                 "lillee.\t3600\tIN\tGPOS\t-32.6882 116.8652 10.0",
+		"hinault. IN GPOS -22.6882 116.8652 250.0":                "hinault.\t3600\tIN\tGPOS\t-22.6882 116.8652 250.0",
+		"VENERA.   IN NIMLOC  75234159EAC457800920":               "VENERA.\t3600\tIN\tNIMLOC\t75234159EAC457800920",
+		"VAXA.     IN EID     3141592653589793":                   "VAXA.\t3600\tIN\tEID\t3141592653589793",
+	}
+	for i, o := range dt {
+		rr, err := NewRR(i)
+		if err != nil {
+			t.Error("failed to parse RR: ", err)
+			continue
+		}
+		if rr.String() != o {
+			t.Errorf("`%s' should be equal to\n`%s', but is     `%s'", i, o, rr.String())
+		} else {
+			t.Logf("RR is OK: `%s'", rr.String())
+		}
+	}
+}
+
+func TestPX(t *testing.T) {
+	dt := map[string]string{
+		"*.net2.it. IN PX 10 net2.it. PRMD-net2.ADMD-p400.C-it.":      "*.net2.it.\t3600\tIN\tPX\t10 net2.it. PRMD-net2.ADMD-p400.C-it.",
+		"ab.net2.it. IN PX 10 ab.net2.it. O-ab.PRMD-net2.ADMDb.C-it.": "ab.net2.it.\t3600\tIN\tPX\t10 ab.net2.it. O-ab.PRMD-net2.ADMDb.C-it.",
+	}
+	for i, o := range dt {
+		rr, err := NewRR(i)
+		if err != nil {
+			t.Error("failed to parse RR: ", err)
+			continue
+		}
+		if rr.String() != o {
+			t.Errorf("`%s' should be equal to\n`%s', but is     `%s'", i, o, rr.String())
+		} else {
+			t.Logf("RR is OK: `%s'", rr.String())
+		}
+	}
+}
+
+func TestComment(t *testing.T) {
+	// Comments we must see
+	comments := map[string]bool{"; this is comment 1": true,
+		"; this is comment 4": true, "; this is comment 6": true,
+		"; this is comment 7": true, "; this is comment 8": true}
+	zone := `
+foo. IN A 10.0.0.1 ; this is comment 1
+foo. IN A (
+	10.0.0.2 ; this is comment2
+)
+; this is comment3
+foo. IN A 10.0.0.3
+foo. IN A ( 10.0.0.4 ); this is comment 4
+
+foo. IN A 10.0.0.5
+; this is comment5
+
+foo. IN A 10.0.0.6
+
+foo. IN DNSKEY 256 3 5 AwEAAb+8l ; this is comment 6
+foo. IN NSEC miek.nl. TXT RRSIG NSEC; this is comment 7
+foo. IN TXT "THIS IS TEXT MAN"; this is comment 8
+`
+	for x := range ParseZone(strings.NewReader(zone), ".", "") {
+		if x.Error == nil {
+			if x.Comment != "" {
+				if _, ok := comments[x.Comment]; !ok {
+					t.Errorf("wrong comment %s", x.Comment)
+				}
+			}
+		}
+	}
+}
+
+func TestEUIxx(t *testing.T) {
+	tests := map[string]string{
+		"host.example. IN EUI48 00-00-5e-90-01-2a":       "host.example.\t3600\tIN\tEUI48\t00-00-5e-90-01-2a",
+		"host.example. IN EUI64 00-00-5e-ef-00-00-00-2a": "host.example.\t3600\tIN\tEUI64\t00-00-5e-ef-00-00-00-2a",
+	}
+	for i, o := range tests {
+		r, err := NewRR(i)
+		if err != nil {
+			t.Errorf("failed to parse %s: %v", i, err)
+		}
+		if r.String() != o {
+			t.Errorf("want %s, got %s", o, r.String())
+		}
+	}
+}
+
+func TestUserRR(t *testing.T) {
+	tests := map[string]string{
+		"host.example. IN UID 1234":              "host.example.\t3600\tIN\tUID\t1234",
+		"host.example. IN GID 1234556":           "host.example.\t3600\tIN\tGID\t1234556",
+		"host.example. IN UINFO \"Miek Gieben\"": "host.example.\t3600\tIN\tUINFO\t\"Miek Gieben\"",
+	}
+	for i, o := range tests {
+		r, err := NewRR(i)
+		if err != nil {
+			t.Errorf("failed to parse %s: %v", i, err)
+		}
+		if r.String() != o {
+			t.Errorf("want %s, got %s", o, r.String())
+		}
+	}
+}
+
+func TestTXT(t *testing.T) {
+	// Test single entry TXT record
+	rr, err := NewRR(`_raop._tcp.local. 60 IN TXT "single value"`)
+	if err != nil {
+		t.Error("failed to parse single value TXT record", err)
+	} else if rr, ok := rr.(*TXT); !ok {
+		t.Error("wrong type, record should be of type TXT")
+	} else {
+		if len(rr.Txt) != 1 {
+			t.Error("bad size of TXT value:", len(rr.Txt))
+		} else if rr.Txt[0] != "single value" {
+			t.Error("bad single value")
+		}
+		if rr.String() != `_raop._tcp.local.	60	IN	TXT	"single value"` {
+			t.Error("bad representation of TXT record:", rr.String())
+		}
+		if rr.len() != 28+1+12 {
+			t.Error("bad size of serialized record:", rr.len())
+		}
+	}
+
+	// Test multi entries TXT record
+	rr, err = NewRR(`_raop._tcp.local. 60 IN TXT "a=1" "b=2" "c=3" "d=4"`)
+	if err != nil {
+		t.Error("failed to parse multi-values TXT record", err)
+	} else if rr, ok := rr.(*TXT); !ok {
+		t.Error("wrong type, record should be of type TXT")
+	} else {
+		if len(rr.Txt) != 4 {
+			t.Error("bad size of TXT multi-value:", len(rr.Txt))
+		} else if rr.Txt[0] != "a=1" || rr.Txt[1] != "b=2" || rr.Txt[2] != "c=3" || rr.Txt[3] != "d=4" {
+			t.Error("bad values in TXT records")
+		}
+		if rr.String() != `_raop._tcp.local.	60	IN	TXT	"a=1" "b=2" "c=3" "d=4"` {
+			t.Error("bad representation of TXT multi value record:", rr.String())
+		}
+		if rr.len() != 28+1+3+1+3+1+3+1+3 {
+			t.Error("bad size of serialized multi value record:", rr.len())
+		}
+	}
+
+	// Test empty-string in TXT record
+	rr, err = NewRR(`_raop._tcp.local. 60 IN TXT ""`)
+	if err != nil {
+		t.Error("failed to parse empty-string TXT record", err)
+	} else if rr, ok := rr.(*TXT); !ok {
+		t.Error("wrong type, record should be of type TXT")
+	} else {
+		if len(rr.Txt) != 1 {
+			t.Error("bad size of TXT empty-string value:", len(rr.Txt))
+		} else if rr.Txt[0] != "" {
+			t.Error("bad value for empty-string TXT record")
+		}
+		if rr.String() != `_raop._tcp.local.	60	IN	TXT	""` {
+			t.Error("bad representation of empty-string TXT record:", rr.String())
+		}
+		if rr.len() != 28+1 {
+			t.Error("bad size of serialized record:", rr.len())
+		}
+	}
+
+	// Test TXT record with chunk larger than 255 bytes, they should be split up, by the parser
+	s := ""
+	for i := 0; i < 255; i++ {
+		s += "a"
+	}
+	s += "b"
+	rr, err = NewRR(`test.local. 60 IN TXT "` + s + `"`)
+	if err != nil {
+		t.Error("failed to parse empty-string TXT record", err)
+	}
+	if rr.(*TXT).Txt[1] != "b" {
+		t.Errorf("Txt should have two chunk, last one my be 'b', but is %s", rr.(*TXT).Txt[1])
+	}
+	t.Log(rr.String())
+}
+
+func TestTypeXXXX(t *testing.T) {
+	_, err := NewRR("example.com IN TYPE1234 \\# 4 aabbccdd")
+	if err != nil {
+		t.Errorf("failed to parse TYPE1234 RR: %v", err)
+	}
+	_, err = NewRR("example.com IN TYPE655341 \\# 8 aabbccddaabbccdd")
+	if err == nil {
+		t.Errorf("this should not work, for TYPE655341")
+	}
+	_, err = NewRR("example.com IN TYPE1 \\# 4 0a000001")
+	if err == nil {
+		t.Errorf("this should not work")
+	}
+}
+
+func TestPTR(t *testing.T) {
+	_, err := NewRR("144.2.0.192.in-addr.arpa. 900 IN PTR ilouse03146p0\\(.example.com.")
+	if err != nil {
+		t.Error("failed to parse ", err)
+	}
+}
+
+func TestDigit(t *testing.T) {
+	tests := map[string]byte{
+		"miek\\000.nl. 100 IN TXT \"A\"": 0,
+		"miek\\001.nl. 100 IN TXT \"A\"": 1,
+		"miek\\254.nl. 100 IN TXT \"A\"": 254,
+		"miek\\255.nl. 100 IN TXT \"A\"": 255,
+		"miek\\256.nl. 100 IN TXT \"A\"": 0,
+		"miek\\257.nl. 100 IN TXT \"A\"": 1,
+		"miek\\004.nl. 100 IN TXT \"A\"": 4,
+	}
+	for s, i := range tests {
+		r, err := NewRR(s)
+		buf := make([]byte, 40)
+		if err != nil {
+			t.Fatalf("failed to parse %v", err)
+		}
+		PackRR(r, buf, 0, nil, false)
+		t.Log(buf)
+		if buf[5] != i {
+			t.Fatalf("5 pos must be %d, is %d", i, buf[5])
+		}
+		r1, _, _ := UnpackRR(buf, 0)
+		if r1.Header().Ttl != 100 {
+			t.Fatalf("TTL should %d, is %d", 100, r1.Header().Ttl)
+		}
+	}
+}
+
+func TestParseRRSIGTimestamp(t *testing.T) {
+	tests := map[string]bool{
+		`miek.nl.  IN RRSIG SOA 8 2 43200 20140210031301 20140111031301 12051 miek.nl. MVZUyrYwq0iZhMFDDnVXD2BvuNiUJjSYlJAgzyAE6CF875BMvvZa+Sb0 RlSCL7WODQSQHhCx/fegHhVVF+Iz8N8kOLrmXD1+jO3Bm6Prl5UhcsPx WTBsg/kmxbp8sR1kvH4oZJtVfakG3iDerrxNaf0sQwhZzyfJQAqpC7pcBoc=`: true,
+		`miek.nl.  IN RRSIG SOA 8 2 43200 315565800 4102477800 12051 miek.nl. MVZUyrYwq0iZhMFDDnVXD2BvuNiUJjSYlJAgzyAE6CF875BMvvZa+Sb0 RlSCL7WODQSQHhCx/fegHhVVF+Iz8N8kOLrmXD1+jO3Bm6Prl5UhcsPx WTBsg/kmxbp8sR1kvH4oZJtVfakG3iDerrxNaf0sQwhZzyfJQAqpC7pcBoc=`:          true,
+	}
+	for r := range tests {
+		_, err := NewRR(r)
+		if err != nil {
+			t.Error(err)
+		}
+	}
+}
+
+func TestTxtEqual(t *testing.T) {
+	rr1 := new(TXT)
+	rr1.Hdr = RR_Header{Name: ".", Rrtype: TypeTXT, Class: ClassINET, Ttl: 0}
+	rr1.Txt = []string{"a\"a", "\"", "b"}
+	rr2, _ := NewRR(rr1.String())
+	if rr1.String() != rr2.String() {
+		// This is not an error, but keep this test.
+		t.Errorf("these two TXT records should match:\n%s\n%s", rr1.String(), rr2.String())
+	}
+	t.Logf("%s\n%s", rr1.String(), rr2.String())
+}
+
+func TestTxtLong(t *testing.T) {
+	rr1 := new(TXT)
+	rr1.Hdr = RR_Header{Name: ".", Rrtype: TypeTXT, Class: ClassINET, Ttl: 0}
+	// Make a long txt record, this breaks when sending the packet,
+	// but not earlier.
+	rr1.Txt = []string{"start-"}
+	for i := 0; i < 200; i++ {
+		rr1.Txt[0] += "start-"
+	}
+	str := rr1.String()
+	if len(str) < len(rr1.Txt[0]) {
+		t.Error("string conversion should work")
+	}
+}
+
+// Basically, don't crash.
+func TestMalformedPackets(t *testing.T) {
+	var packets = []string{
+		"0021641c0000000100000000000078787878787878787878787303636f6d0000100001",
+	}
+
+	// com = 63 6f 6d
+	for _, packet := range packets {
+		data, _ := hex.DecodeString(packet)
+		//		for _, v := range data {
+		//			t.Log(v)
+		//		}
+		var msg Msg
+		msg.Unpack(data)
+		//		println(msg.String())
+	}
+}
+
+type algorithm struct {
+	name uint8
+	bits int
+}
+
+func TestNewPrivateKey(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping test in short mode.")
+	}
+	algorithms := []algorithm{
+		{ECDSAP256SHA256, 256},
+		{ECDSAP384SHA384, 384},
+		{RSASHA1, 1024},
+		{RSASHA256, 2048},
+		{DSA, 1024},
+	}
+
+	for _, algo := range algorithms {
+		key := new(DNSKEY)
+		key.Hdr.Rrtype = TypeDNSKEY
+		key.Hdr.Name = "miek.nl."
+		key.Hdr.Class = ClassINET
+		key.Hdr.Ttl = 14400
+		key.Flags = 256
+		key.Protocol = 3
+		key.Algorithm = algo.name
+		privkey, err := key.Generate(algo.bits)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		newPrivKey, err := key.NewPrivateKey(key.PrivateKeyString(privkey))
+		if err != nil {
+			t.Error(key.String())
+			t.Error(key.PrivateKeyString(privkey))
+			t.Fatal(err)
+		}
+
+		switch newPrivKey := newPrivKey.(type) {
+		case *rsa.PrivateKey:
+			newPrivKey.Precompute()
+		}
+
+		if !reflect.DeepEqual(privkey, newPrivKey) {
+			t.Errorf("[%v] Private keys differ:\n%#v\n%#v", AlgorithmToString[algo.name], privkey, newPrivKey)
+		}
+	}
+}
+
+// special input test
+func TestNewRRSpecial(t *testing.T) {
+	var (
+		rr     RR
+		err    error
+		expect string
+	)
+
+	rr, err = NewRR("; comment")
+	expect = ""
+	if err != nil {
+		t.Errorf("unexpected err: %v", err)
+	}
+	if rr != nil {
+		t.Errorf("unexpected result: [%s] != [%s]", rr, expect)
+	}
+
+	rr, err = NewRR("")
+	expect = ""
+	if err != nil {
+		t.Errorf("unexpected err: %v", err)
+	}
+	if rr != nil {
+		t.Errorf("unexpected result: [%s] != [%s]", rr, expect)
+	}
+
+	rr, err = NewRR("$ORIGIN foo.")
+	expect = ""
+	if err != nil {
+		t.Errorf("unexpected err: %v", err)
+	}
+	if rr != nil {
+		t.Errorf("unexpected result: [%s] != [%s]", rr, expect)
+	}
+
+	rr, err = NewRR(" ")
+	expect = ""
+	if err != nil {
+		t.Errorf("unexpected err: %v", err)
+	}
+	if rr != nil {
+		t.Errorf("unexpected result: [%s] != [%s]", rr, expect)
+	}
+
+	rr, err = NewRR("\n")
+	expect = ""
+	if err != nil {
+		t.Errorf("unexpected err: %v", err)
+	}
+	if rr != nil {
+		t.Errorf("unexpected result: [%s] != [%s]", rr, expect)
+	}
+
+	rr, err = NewRR("foo. A 1.1.1.1\nbar. A 2.2.2.2")
+	expect = "foo.\t3600\tIN\tA\t1.1.1.1"
+	if err != nil {
+		t.Errorf("unexpected err: %v", err)
+	}
+	if rr == nil || rr.String() != expect {
+		t.Errorf("unexpected result: [%s] != [%s]", rr, expect)
+	}
+}
+
+func TestPrintfVerbsRdata(t *testing.T) {
+	x, _ := NewRR("www.miek.nl. IN MX 20 mx.miek.nl.")
+	if Field(x, 1) != "20" {
+		t.Errorf("should be 20")
+	}
+	if Field(x, 2) != "mx.miek.nl." {
+		t.Errorf("should be mx.miek.nl.")
+	}
+
+	x, _ = NewRR("www.miek.nl. IN A 127.0.0.1")
+	if Field(x, 1) != "127.0.0.1" {
+		t.Errorf("should be 127.0.0.1")
+	}
+
+	x, _ = NewRR("www.miek.nl. IN AAAA ::1")
+	if Field(x, 1) != "::1" {
+		t.Errorf("should be ::1")
+	}
+
+	x, _ = NewRR("www.miek.nl. IN NSEC a.miek.nl. A NS SOA MX AAAA")
+	if Field(x, 1) != "a.miek.nl." {
+		t.Errorf("should be a.miek.nl.")
+	}
+	if Field(x, 2) != "A NS SOA MX AAAA" {
+		t.Errorf("should be A NS SOA MX AAAA")
+	}
+
+	x, _ = NewRR("www.miek.nl. IN TXT \"first\" \"second\"")
+	if Field(x, 1) != "first second" {
+		t.Errorf("should be first second")
+	}
+	if Field(x, 0) != "" {
+		t.Errorf("should be empty")
+	}
+}
+
+func TestParseTokenOverflow(t *testing.T) {
+	_, err := NewRR("_443._tcp.example.org. IN TLSA 0 0 0 308205e8308204d0a00302010202100411de8f53b462f6a5a861b712ec6b59300d06092a864886f70d01010b05003070310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312f302d06035504031326446967694365727420534841322048696768204173737572616e636520536572766572204341301e170d3134313130363030303030305a170d3135313131333132303030305a3081a5310b3009060355040613025553311330110603550408130a43616c69666f726e6961311430120603550407130b4c6f7320416e67656c6573313c303a060355040a1333496e7465726e657420436f72706f726174696f6e20666f722041737369676e6564204e616d657320616e64204e756d6265727331133011060355040b130a546563686e6f6c6f6779311830160603550403130f7777772e6578616d706c652e6f726730820122300d06092a864886f70d01010105000382010f003082010a02820101009e663f52a3d18cb67cdfed547408a4e47e4036538988da2798da3b6655f7240d693ed1cb3fe6d6ad3a9e657ff6efa86b83b0cad24e5d31ff2bf70ec3b78b213f1b4bf61bdc669cbbc07d67154128ca92a9b3cbb4213a836fb823ddd4d7cc04918314d25f06086fa9970ba17e357cca9b458c27eb71760ab95e3f9bc898ae89050ae4d09ba2f7e4259d9ff1e072a6971b18355a8b9e53670c3d5dbdbd283f93a764e71b3a4140ca0746090c08510e2e21078d7d07844bf9c03865b531a0bf2ee766bc401f6451c5a1e6f6fb5d5c1d6a97a0abe91ae8b02e89241e07353909ccd5b41c46de207c06801e08f20713603827f2ae3e68cf15ef881d7e0608f70742e30203010001a382024630820242301f0603551d230418301680145168ff90af0207753cccd9656462a212b859723b301d0603551d0e04160414b000a7f422e9b1ce216117c4c46e7164c8e60c553081810603551d11047a3078820f7777772e6578616d706c652e6f7267820b6578616d706c652e636f6d820b6578616d706c652e656475820b6578616d706c652e6e6574820b6578616d706c652e6f7267820f7777772e6578616d706c652e636f6d820f7777772e6578616d706c652e656475820f7777772e6578616d706c652e6e6574300e0603551d0f0101ff0404030205a0301d0603551d250416301406082b0601050507030106082b0601050507030230750603551d1f046e306c3034a032a030862e687474703a2f2f63726c332e64696769636572742e636f6d2f736861322d68612d7365727665722d67332e63726c3034a032a030862e687474703a2f2f63726c342e64696769636572742e636f6d2f736861322d68612d7365727665722d67332e63726c30420603551d20043b3039303706096086480186fd6c0101302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f43505330818306082b0601050507010104773075302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304d06082b060105050730028641687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727453484132486967684173737572616e636553657276657243412e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101005eac2124dedb3978a86ff3608406acb542d3cb54cb83facd63aec88144d6a1bf15dbf1f215c4a73e241e582365cba9ea50dd306541653b3513af1a0756c1b2720e8d112b34fb67181efad9c4609bdc670fb025fa6e6d42188161b026cf3089a08369c2f3609fc84bcc3479140c1922ede430ca8dbac2b2a3cdacb305ba15dc7361c4c3a5e6daa99cb446cb221b28078a7a944efba70d96f31ac143d959bccd2fd50e30c325ea2624fb6b6dbe9344dbcf133bfbd5b4e892d635dbf31596451672c6b65ba5ac9b3cddea92b35dab1065cae3c8cb6bb450a62ea2f72ea7c6bdc7b65fa09b012392543734083c7687d243f8d0375304d99ccd2e148966a8637a6797")
+	if err == nil {
+		t.Fatalf("token overflow should return an error")
+	}
+	t.Logf("err: %s\n", err)
+}
+
+func TestParseTLSA(t *testing.T) {
+	lt := []string{
+		"_443._tcp.example.org.\t3600\tIN\tTLSA\t1 1 1 c22be239f483c08957bc106219cc2d3ac1a308dfbbdd0a365f17b9351234cf00",
+		"_443._tcp.example.org.\t3600\tIN\tTLSA\t2 1 2 4e85f45179e9cd6e0e68e2eb5be2e85ec9b92d91c609caf3ef0315213e3f92ece92c38397a607214de95c7fadc0ad0f1c604a469a0387959745032c0d51492f3",
+		"_443._tcp.example.org.\t3600\tIN\tTLSA\t3 0 2 69ec8d2277360b215d0cd956b0e2747108dff34b27d461a41c800629e38ee6c2d1230cc9e8e36711330adc6766e6ff7c5fbb37f106f248337c1a20ad682888d2",
+	}
+	for _, o := range lt {
+		rr, err := NewRR(o)
+		if err != nil {
+			t.Error("failed to parse RR: ", err)
+			continue
+		}
+		if rr.String() != o {
+			t.Errorf("`%s' should be equal to\n`%s', but is     `%s'", o, o, rr.String())
+		} else {
+			t.Logf("RR is OK: `%s'", rr.String())
+		}
+	}
+}
+
+func TestParseSMIMEA(t *testing.T) {
+	lt := map[string]string{
+		"2e85e1db3e62be6ea._smimecert.example.com.\t3600\tIN\tSMIMEA\t1 1 2 bd80f334566928fc18f58df7e4928c1886f48f71ca3fd41cd9b1854aca7c2180aaacad2819612ed68e7bd3701cc39be7f2529b017c0bc6a53e8fb3f0c7d48070":   "2e85e1db3e62be6ea._smimecert.example.com.\t3600\tIN\tSMIMEA\t1 1 2 bd80f334566928fc18f58df7e4928c1886f48f71ca3fd41cd9b1854aca7c2180aaacad2819612ed68e7bd3701cc39be7f2529b017c0bc6a53e8fb3f0c7d48070",
+		"2e85e1db3e62be6ea._smimecert.example.com.\t3600\tIN\tSMIMEA\t0 0 1 cdcf0fc66b182928c5217ddd42c826983f5a4b94160ee6c1c9be62d38199f710":                                                                   "2e85e1db3e62be6ea._smimecert.example.com.\t3600\tIN\tSMIMEA\t0 0 1 cdcf0fc66b182928c5217ddd42c826983f5a4b94160ee6c1c9be62d38199f710",
+		"2e85e1db3e62be6ea._smimecert.example.com.\t3600\tIN\tSMIMEA\t3 0 2 499a1eda2af8828b552cdb9d80c3744a25872fddd73f3898d8e4afa3549595d2dd4340126e759566fe8c26b251fa0c887ba4869f011a65f7e79967c2eb729f5b":   "2e85e1db3e62be6ea._smimecert.example.com.\t3600\tIN\tSMIMEA\t3 0 2 499a1eda2af8828b552cdb9d80c3744a25872fddd73f3898d8e4afa3549595d2dd4340126e759566fe8c26b251fa0c887ba4869f011a65f7e79967c2eb729f5b",
+		"2e85e1db3e62be6eb._smimecert.example.com.\t3600\tIN\tSMIMEA\t3 0 2 499a1eda2af8828b552cdb9d80c3744a25872fddd73f3898d8e4afa3549595d2dd4340126e759566fe8 c26b251fa0c887ba4869f01 1a65f7e79967c2eb729f5b": "2e85e1db3e62be6eb._smimecert.example.com.\t3600\tIN\tSMIMEA\t3 0 2 499a1eda2af8828b552cdb9d80c3744a25872fddd73f3898d8e4afa3549595d2dd4340126e759566fe8c26b251fa0c887ba4869f011a65f7e79967c2eb729f5b",
+	}
+	for i, o := range lt {
+		rr, err := NewRR(i)
+		if err != nil {
+			t.Error("failed to parse RR: ", err)
+			continue
+		}
+		if rr.String() != o {
+			t.Errorf("`%s' should be equal to\n`%s', but is     `%s'", o, o, rr.String())
+		} else {
+			t.Logf("RR is OK: `%s'", rr.String())
+		}
+	}
+}
+
+func TestParseSSHFP(t *testing.T) {
+	lt := []string{
+		"test.example.org.\t300\tSSHFP\t1 2 (\n" +
+			"\t\t\t\t\tBC6533CDC95A79078A39A56EA7635984ED655318ADA9\n" +
+			"\t\t\t\t\tB6159E30723665DA95BB )",
+		"test.example.org.\t300\tSSHFP\t1 2 ( BC6533CDC  95A79078A39A56EA7635984ED655318AD  A9B6159E3072366 5DA95BB )",
+	}
+	result := "test.example.org.\t300\tIN\tSSHFP\t1 2 BC6533CDC95A79078A39A56EA7635984ED655318ADA9B6159E30723665DA95BB"
+	for _, o := range lt {
+		rr, err := NewRR(o)
+		if err != nil {
+			t.Error("failed to parse RR: ", err)
+			continue
+		}
+		if rr.String() != result {
+			t.Errorf("`%s' should be equal to\n\n`%s', but is     \n`%s'", o, result, rr.String())
+		} else {
+			t.Logf("RR is OK: `%s'", rr.String())
+		}
+	}
+}
+
+func TestParseHINFO(t *testing.T) {
+	dt := map[string]string{
+		"example.net. HINFO A B": "example.net.	3600	IN	HINFO	\"A\" \"B\"",
+		"example.net. HINFO \"A\" \"B\"": "example.net.	3600	IN	HINFO	\"A\" \"B\"",
+		"example.net. HINFO A B C D E F": "example.net.	3600	IN	HINFO	\"A\" \"B C D E F\"",
+		"example.net. HINFO AB": "example.net.	3600	IN	HINFO	\"AB\" \"\"",
+		// "example.net. HINFO PC-Intel-700mhz \"Redhat Linux 7.1\"": "example.net.	3600	IN	HINFO	\"PC-Intel-700mhz\" \"Redhat Linux 7.1\"",
+		// This one is recommended in Pro Bind book http://www.zytrax.com/books/dns/ch8/hinfo.html
+		// but effectively, even Bind would replace it to correctly formed text when you AXFR
+		// TODO: remove this set of comments or figure support for quoted/unquoted combinations in endingToTxtSlice function
+	}
+	for i, o := range dt {
+		rr, err := NewRR(i)
+		if err != nil {
+			t.Error("failed to parse RR: ", err)
+			continue
+		}
+		if rr.String() != o {
+			t.Errorf("`%s' should be equal to\n`%s', but is     `%s'", i, o, rr.String())
+		} else {
+			t.Logf("RR is OK: `%s'", rr.String())
+		}
+	}
+}
+
+func TestParseCAA(t *testing.T) {
+	lt := map[string]string{
+		"example.net.	CAA	0 issue \"symantec.com\"": "example.net.\t3600\tIN\tCAA\t0 issue \"symantec.com\"",
+		"example.net.	CAA	0 issuewild \"symantec.com; stuff\"": "example.net.\t3600\tIN\tCAA\t0 issuewild \"symantec.com; stuff\"",
+		"example.net.	CAA	128 tbs \"critical\"": "example.net.\t3600\tIN\tCAA\t128 tbs \"critical\"",
+		"example.net.	CAA	2 auth \"0>09\\006\\010+\\006\\001\\004\\001\\214y\\002\\003\\001\\006\\009`\\134H\\001e\\003\\004\\002\\001\\004 y\\209\\012\\221r\\220\\156Q\\218\\150\\150{\\166\\245:\\231\\182%\\157:\\133\\179}\\1923r\\238\\151\\255\\128q\\145\\002\\001\\000\"": "example.net.\t3600\tIN\tCAA\t2 auth \"0>09\\006\\010+\\006\\001\\004\\001\\214y\\002\\003\\001\\006\\009`\\134H\\001e\\003\\004\\002\\001\\004 y\\209\\012\\221r\\220\\156Q\\218\\150\\150{\\166\\245:\\231\\182%\\157:\\133\\179}\\1923r\\238\\151\\255\\128q\\145\\002\\001\\000\"",
+		"example.net.   TYPE257	0 issue \"symantec.com\"": "example.net.\t3600\tIN\tCAA\t0 issue \"symantec.com\"",
+	}
+	for i, o := range lt {
+		rr, err := NewRR(i)
+		if err != nil {
+			t.Error("failed to parse RR: ", err)
+			continue
+		}
+		if rr.String() != o {
+			t.Errorf("`%s' should be equal to\n`%s', but is     `%s'", i, o, rr.String())
+		} else {
+			t.Logf("RR is OK: `%s'", rr.String())
+		}
+	}
+}
+
+func TestPackCAA(t *testing.T) {
+	m := new(Msg)
+	record := new(CAA)
+	record.Hdr = RR_Header{Name: "example.com.", Rrtype: TypeCAA, Class: ClassINET, Ttl: 0}
+	record.Tag = "issue"
+	record.Value = "symantec.com"
+	record.Flag = 1
+
+	m.Answer = append(m.Answer, record)
+	bytes, err := m.Pack()
+	if err != nil {
+		t.Fatalf("failed to pack msg: %v", err)
+	}
+	if err := m.Unpack(bytes); err != nil {
+		t.Fatalf("failed to unpack msg: %v", err)
+	}
+	if len(m.Answer) != 1 {
+		t.Fatalf("incorrect number of answers unpacked")
+	}
+	rr := m.Answer[0].(*CAA)
+	if rr.Tag != "issue" {
+		t.Fatalf("invalid tag for unpacked answer")
+	} else if rr.Value != "symantec.com" {
+		t.Fatalf("invalid value for unpacked answer")
+	} else if rr.Flag != 1 {
+		t.Fatalf("invalid flag for unpacked answer")
+	}
+}
+
+func TestParseURI(t *testing.T) {
+	lt := map[string]string{
+		"_http._tcp. IN URI   10 1 \"http://www.example.com/path\"": "_http._tcp.\t3600\tIN\tURI\t10 1 \"http://www.example.com/path\"",
+		"_http._tcp. IN URI   10 1 \"\"":                            "_http._tcp.\t3600\tIN\tURI\t10 1 \"\"",
+	}
+	for i, o := range lt {
+		rr, err := NewRR(i)
+		if err != nil {
+			t.Error("failed to parse RR: ", err)
+			continue
+		}
+		if rr.String() != o {
+			t.Errorf("`%s' should be equal to\n`%s', but is     `%s'", i, o, rr.String())
+		} else {
+			t.Logf("RR is OK: `%s'", rr.String())
+		}
+	}
+}
+
+func TestParseAVC(t *testing.T) {
+	avcs := map[string]string{
+		`example.org. IN AVC "app-name:WOLFGANG|app-class:OAM|business=yes"`: `example.org.	3600	IN	AVC	"app-name:WOLFGANG|app-class:OAM|business=yes"`,
+	}
+	for avc, o := range avcs {
+		rr, err := NewRR(avc)
+		if err != nil {
+			t.Error("failed to parse RR: ", err)
+			continue
+		}
+		if rr.String() != o {
+			t.Errorf("`%s' should be equal to\n`%s', but is     `%s'", avc, o, rr.String())
+		} else {
+			t.Logf("RR is OK: `%s'", rr.String())
+		}
+	}
+}
+
+func TestUnbalancedParens(t *testing.T) {
+	sig := `example.com. 3600 IN RRSIG MX 15 2 3600 (
+              1440021600 1438207200 3613 example.com. (
+              oL9krJun7xfBOIWcGHi7mag5/hdZrKWw15jPGrHpjQeRAvTdszaPD+QLs3f
+              x8A4M3e23mRZ9VrbpMngwcrqNAg== )`
+	_, err := NewRR(sig)
+	if err == nil {
+		t.Fatalf("Failed to detect extra opening brace")
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/privaterr.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/privaterr.go
new file mode 100644
index 000000000..6b08e6e95
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/privaterr.go
@@ -0,0 +1,149 @@
+package dns
+
+import (
+	"fmt"
+	"strings"
+)
+
+// PrivateRdata is an interface used for implementing "Private Use" RR types, see
+// RFC 6895. This allows one to experiment with new RR types, without requesting an
+// official type code. Also see dns.PrivateHandle and dns.PrivateHandleRemove.
+type PrivateRdata interface {
+	// String returns the text presentaton of the Rdata of the Private RR.
+	String() string
+	// Parse parses the Rdata of the private RR.
+	Parse([]string) error
+	// Pack is used when packing a private RR into a buffer.
+	Pack([]byte) (int, error)
+	// Unpack is used when unpacking a private RR from a buffer.
+	// TODO(miek): diff. signature than Pack, see edns0.go for instance.
+	Unpack([]byte) (int, error)
+	// Copy copies the Rdata.
+	Copy(PrivateRdata) error
+	// Len returns the length in octets of the Rdata.
+	Len() int
+}
+
+// PrivateRR represents an RR that uses a PrivateRdata user-defined type.
+// It mocks normal RRs and implements dns.RR interface.
+type PrivateRR struct {
+	Hdr  RR_Header
+	Data PrivateRdata
+}
+
+func mkPrivateRR(rrtype uint16) *PrivateRR {
+	// Panics if RR is not an instance of PrivateRR.
+	rrfunc, ok := TypeToRR[rrtype]
+	if !ok {
+		panic(fmt.Sprintf("dns: invalid operation with Private RR type %d", rrtype))
+	}
+
+	anyrr := rrfunc()
+	switch rr := anyrr.(type) {
+	case *PrivateRR:
+		return rr
+	}
+	panic(fmt.Sprintf("dns: RR is not a PrivateRR, TypeToRR[%d] generator returned %T", rrtype, anyrr))
+}
+
+// Header return the RR header of r.
+func (r *PrivateRR) Header() *RR_Header { return &r.Hdr }
+
+func (r *PrivateRR) String() string { return r.Hdr.String() + r.Data.String() }
+
+// Private len and copy parts to satisfy RR interface.
+func (r *PrivateRR) len() int { return r.Hdr.len() + r.Data.Len() }
+func (r *PrivateRR) copy() RR {
+	// make new RR like this:
+	rr := mkPrivateRR(r.Hdr.Rrtype)
+	newh := r.Hdr.copyHeader()
+	rr.Hdr = *newh
+
+	err := r.Data.Copy(rr.Data)
+	if err != nil {
+		panic("dns: got value that could not be used to copy Private rdata")
+	}
+	return rr
+}
+func (r *PrivateRR) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := r.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	n, err := r.Data.Pack(msg[off:])
+	if err != nil {
+		return len(msg), err
+	}
+	off += n
+	r.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+// PrivateHandle registers a private resource record type. It requires
+// string and numeric representation of private RR type and generator function as argument.
+func PrivateHandle(rtypestr string, rtype uint16, generator func() PrivateRdata) {
+	rtypestr = strings.ToUpper(rtypestr)
+
+	TypeToRR[rtype] = func() RR { return &PrivateRR{RR_Header{}, generator()} }
+	TypeToString[rtype] = rtypestr
+	StringToType[rtypestr] = rtype
+
+	typeToUnpack[rtype] = func(h RR_Header, msg []byte, off int) (RR, int, error) {
+		if noRdata(h) {
+			return &h, off, nil
+		}
+		var err error
+
+		rr := mkPrivateRR(h.Rrtype)
+		rr.Hdr = h
+
+		off1, err := rr.Data.Unpack(msg[off:])
+		off += off1
+		if err != nil {
+			return rr, off, err
+		}
+		return rr, off, err
+	}
+
+	setPrivateRR := func(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+		rr := mkPrivateRR(h.Rrtype)
+		rr.Hdr = h
+
+		var l lex
+		text := make([]string, 0, 2) // could be 0..N elements, median is probably 1
+	Fetch:
+		for {
+			// TODO(miek): we could also be returning _QUOTE, this might or might not
+			// be an issue (basically parsing TXT becomes hard)
+			switch l = <-c; l.value {
+			case zNewline, zEOF:
+				break Fetch
+			case zString:
+				text = append(text, l.token)
+			}
+		}
+
+		err := rr.Data.Parse(text)
+		if err != nil {
+			return nil, &ParseError{f, err.Error(), l}, ""
+		}
+
+		return rr, nil, ""
+	}
+
+	typeToparserFunc[rtype] = parserFunc{setPrivateRR, true}
+}
+
+// PrivateHandleRemove removes defenitions required to support private RR type.
+func PrivateHandleRemove(rtype uint16) {
+	rtypestr, ok := TypeToString[rtype]
+	if ok {
+		delete(TypeToRR, rtype)
+		delete(TypeToString, rtype)
+		delete(typeToparserFunc, rtype)
+		delete(StringToType, rtypestr)
+		delete(typeToUnpack, rtype)
+	}
+	return
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/privaterr_test.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/privaterr_test.go
new file mode 100644
index 000000000..72ec8f5c0
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/privaterr_test.go
@@ -0,0 +1,171 @@
+package dns_test
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/miekg/dns"
+)
+
+const TypeISBN uint16 = 0xFF00
+
+// A crazy new RR type :)
+type ISBN struct {
+	x string // rdata with 10 or 13 numbers, dashes or spaces allowed
+}
+
+func NewISBN() dns.PrivateRdata { return &ISBN{""} }
+
+func (rd *ISBN) Len() int       { return len([]byte(rd.x)) }
+func (rd *ISBN) String() string { return rd.x }
+
+func (rd *ISBN) Parse(txt []string) error {
+	rd.x = strings.TrimSpace(strings.Join(txt, " "))
+	return nil
+}
+
+func (rd *ISBN) Pack(buf []byte) (int, error) {
+	b := []byte(rd.x)
+	n := copy(buf, b)
+	if n != len(b) {
+		return n, dns.ErrBuf
+	}
+	return n, nil
+}
+
+func (rd *ISBN) Unpack(buf []byte) (int, error) {
+	rd.x = string(buf)
+	return len(buf), nil
+}
+
+func (rd *ISBN) Copy(dest dns.PrivateRdata) error {
+	isbn, ok := dest.(*ISBN)
+	if !ok {
+		return dns.ErrRdata
+	}
+	isbn.x = rd.x
+	return nil
+}
+
+var testrecord = strings.Join([]string{"example.org.", "3600", "IN", "ISBN", "12-3 456789-0-123"}, "\t")
+
+func TestPrivateText(t *testing.T) {
+	dns.PrivateHandle("ISBN", TypeISBN, NewISBN)
+	defer dns.PrivateHandleRemove(TypeISBN)
+
+	rr, err := dns.NewRR(testrecord)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if rr.String() != testrecord {
+		t.Errorf("record string representation did not match original %#v != %#v", rr.String(), testrecord)
+	} else {
+		t.Log(rr.String())
+	}
+}
+
+func TestPrivateByteSlice(t *testing.T) {
+	dns.PrivateHandle("ISBN", TypeISBN, NewISBN)
+	defer dns.PrivateHandleRemove(TypeISBN)
+
+	rr, err := dns.NewRR(testrecord)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	buf := make([]byte, 100)
+	off, err := dns.PackRR(rr, buf, 0, nil, false)
+	if err != nil {
+		t.Errorf("got error packing ISBN: %v", err)
+	}
+
+	custrr := rr.(*dns.PrivateRR)
+	if ln := custrr.Data.Len() + len(custrr.Header().Name) + 11; ln != off {
+		t.Errorf("offset is not matching to length of Private RR: %d!=%d", off, ln)
+	}
+
+	rr1, off1, err := dns.UnpackRR(buf[:off], 0)
+	if err != nil {
+		t.Errorf("got error unpacking ISBN: %v", err)
+		return
+	}
+
+	if off1 != off {
+		t.Errorf("offset after unpacking differs: %d != %d", off1, off)
+	}
+
+	if rr1.String() != testrecord {
+		t.Errorf("record string representation did not match original %#v != %#v", rr1.String(), testrecord)
+	} else {
+		t.Log(rr1.String())
+	}
+}
+
+const TypeVERSION uint16 = 0xFF01
+
+type VERSION struct {
+	x string
+}
+
+func NewVersion() dns.PrivateRdata { return &VERSION{""} }
+
+func (rd *VERSION) String() string { return rd.x }
+func (rd *VERSION) Parse(txt []string) error {
+	rd.x = strings.TrimSpace(strings.Join(txt, " "))
+	return nil
+}
+
+func (rd *VERSION) Pack(buf []byte) (int, error) {
+	b := []byte(rd.x)
+	n := copy(buf, b)
+	if n != len(b) {
+		return n, dns.ErrBuf
+	}
+	return n, nil
+}
+
+func (rd *VERSION) Unpack(buf []byte) (int, error) {
+	rd.x = string(buf)
+	return len(buf), nil
+}
+
+func (rd *VERSION) Copy(dest dns.PrivateRdata) error {
+	isbn, ok := dest.(*VERSION)
+	if !ok {
+		return dns.ErrRdata
+	}
+	isbn.x = rd.x
+	return nil
+}
+
+func (rd *VERSION) Len() int {
+	return len([]byte(rd.x))
+}
+
+var smallzone = `$ORIGIN example.org.
+@ SOA	sns.dns.icann.org. noc.dns.icann.org. (
+		2014091518 7200 3600 1209600 3600
+)
+    A   1.2.3.4
+ok ISBN 1231-92110-12
+go VERSION (
+	1.3.1 ; comment
+)
+www ISBN 1231-92110-16
+*  CNAME @
+`
+
+func TestPrivateZoneParser(t *testing.T) {
+	dns.PrivateHandle("ISBN", TypeISBN, NewISBN)
+	dns.PrivateHandle("VERSION", TypeVERSION, NewVersion)
+	defer dns.PrivateHandleRemove(TypeISBN)
+	defer dns.PrivateHandleRemove(TypeVERSION)
+
+	r := strings.NewReader(smallzone)
+	for x := range dns.ParseZone(r, ".", "") {
+		if err := x.Error; err != nil {
+			t.Fatal(err)
+		}
+		t.Log(x.RR)
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/rawmsg.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/rawmsg.go
new file mode 100644
index 000000000..6e21fba7e
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/rawmsg.go
@@ -0,0 +1,49 @@
+package dns
+
+import "encoding/binary"
+
+// rawSetRdlength sets the rdlength in the header of
+// the RR. The offset 'off' must be positioned at the
+// start of the header of the RR, 'end' must be the
+// end of the RR.
+func rawSetRdlength(msg []byte, off, end int) bool {
+	l := len(msg)
+Loop:
+	for {
+		if off+1 > l {
+			return false
+		}
+		c := int(msg[off])
+		off++
+		switch c & 0xC0 {
+		case 0x00:
+			if c == 0x00 {
+				// End of the domainname
+				break Loop
+			}
+			if off+c > l {
+				return false
+			}
+			off += c
+
+		case 0xC0:
+			// pointer, next byte included, ends domainname
+			off++
+			break Loop
+		}
+	}
+	// The domainname has been seen, we at the start of the fixed part in the header.
+	// Type is 2 bytes, class is 2 bytes, ttl 4 and then 2 bytes for the length.
+	off += 2 + 2 + 4
+	if off+2 > l {
+		return false
+	}
+	//off+1 is the end of the header, 'end' is the end of the rr
+	//so 'end' - 'off+2' is the length of the rdata
+	rdatalen := end - (off + 2)
+	if rdatalen > 0xFFFF {
+		return false
+	}
+	binary.BigEndian.PutUint16(msg[off:], uint16(rdatalen))
+	return true
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/remote_test.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/remote_test.go
new file mode 100644
index 000000000..4cf701fe4
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/remote_test.go
@@ -0,0 +1,19 @@
+package dns
+
+import "testing"
+
+const LinodeAddr = "176.58.119.54:53"
+
+func TestClientRemote(t *testing.T) {
+	m := new(Msg)
+	m.SetQuestion("go.dns.miek.nl.", TypeTXT)
+
+	c := new(Client)
+	r, _, err := c.Exchange(m, LinodeAddr)
+	if err != nil {
+		t.Errorf("failed to exchange: %v", err)
+	}
+	if r != nil && r.Rcode != RcodeSuccess {
+		t.Errorf("failed to get an valid answer\n%v", r)
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/reverse.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/reverse.go
new file mode 100644
index 000000000..f6e7a47a6
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/reverse.go
@@ -0,0 +1,38 @@
+package dns
+
+// StringToType is the reverse of TypeToString, needed for string parsing.
+var StringToType = reverseInt16(TypeToString)
+
+// StringToClass is the reverse of ClassToString, needed for string parsing.
+var StringToClass = reverseInt16(ClassToString)
+
+// StringToOpcode is a map of opcodes to strings.
+var StringToOpcode = reverseInt(OpcodeToString)
+
+// StringToRcode is a map of rcodes to strings.
+var StringToRcode = reverseInt(RcodeToString)
+
+// Reverse a map
+func reverseInt8(m map[uint8]string) map[string]uint8 {
+	n := make(map[string]uint8, len(m))
+	for u, s := range m {
+		n[s] = u
+	}
+	return n
+}
+
+func reverseInt16(m map[uint16]string) map[string]uint16 {
+	n := make(map[string]uint16, len(m))
+	for u, s := range m {
+		n[s] = u
+	}
+	return n
+}
+
+func reverseInt(m map[int]string) map[string]int {
+	n := make(map[string]int, len(m))
+	for u, s := range m {
+		n[s] = u
+	}
+	return n
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/sanitize.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/sanitize.go
new file mode 100644
index 000000000..b489f3f05
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/sanitize.go
@@ -0,0 +1,84 @@
+package dns
+
+// Dedup removes identical RRs from rrs. It preserves the original ordering.
+// The lowest TTL of any duplicates is used in the remaining one. Dedup modifies
+// rrs.
+// m is used to store the RRs temporay. If it is nil a new map will be allocated.
+func Dedup(rrs []RR, m map[string]RR) []RR {
+	if m == nil {
+		m = make(map[string]RR)
+	}
+	// Save the keys, so we don't have to call normalizedString twice.
+	keys := make([]*string, 0, len(rrs))
+
+	for _, r := range rrs {
+		key := normalizedString(r)
+		keys = append(keys, &key)
+		if _, ok := m[key]; ok {
+			// Shortest TTL wins.
+			if m[key].Header().Ttl > r.Header().Ttl {
+				m[key].Header().Ttl = r.Header().Ttl
+			}
+			continue
+		}
+
+		m[key] = r
+	}
+	// If the length of the result map equals the amount of RRs we got,
+	// it means they were all different. We can then just return the original rrset.
+	if len(m) == len(rrs) {
+		return rrs
+	}
+
+	j := 0
+	for i, r := range rrs {
+		// If keys[i] lives in the map, we should copy and remove it.
+		if _, ok := m[*keys[i]]; ok {
+			delete(m, *keys[i])
+			rrs[j] = r
+			j++
+		}
+
+		if len(m) == 0 {
+			break
+		}
+	}
+
+	return rrs[:j]
+}
+
+// normalizedString returns a normalized string from r. The TTL
+// is removed and the domain name is lowercased. We go from this:
+// DomainName<TAB>TTL<TAB>CLASS<TAB>TYPE<TAB>RDATA to:
+// lowercasename<TAB>CLASS<TAB>TYPE...
+func normalizedString(r RR) string {
+	// A string Go DNS makes has: domainname<TAB>TTL<TAB>...
+	b := []byte(r.String())
+
+	// find the first non-escaped tab, then another, so we capture where the TTL lives.
+	esc := false
+	ttlStart, ttlEnd := 0, 0
+	for i := 0; i < len(b) && ttlEnd == 0; i++ {
+		switch {
+		case b[i] == '\\':
+			esc = !esc
+		case b[i] == '\t' && !esc:
+			if ttlStart == 0 {
+				ttlStart = i
+				continue
+			}
+			if ttlEnd == 0 {
+				ttlEnd = i
+			}
+		case b[i] >= 'A' && b[i] <= 'Z' && !esc:
+			b[i] += 32
+		default:
+			esc = false
+		}
+	}
+
+	// remove TTL.
+	copy(b[ttlStart:], b[ttlEnd:])
+	cut := ttlEnd - ttlStart
+	return string(b[:len(b)-cut])
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/sanitize_test.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/sanitize_test.go
new file mode 100644
index 000000000..2ba3fe9a3
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/sanitize_test.go
@@ -0,0 +1,84 @@
+package dns
+
+import "testing"
+
+func TestDedup(t *testing.T) {
+	// make it []string
+	testcases := map[[3]RR][]string{
+		[...]RR{
+			newRR(t, "mIek.nl. IN A 127.0.0.1"),
+			newRR(t, "mieK.nl. IN A 127.0.0.1"),
+			newRR(t, "miek.Nl. IN A 127.0.0.1"),
+		}: {"mIek.nl.\t3600\tIN\tA\t127.0.0.1"},
+		[...]RR{
+			newRR(t, "miEk.nl. 2000 IN A 127.0.0.1"),
+			newRR(t, "mieK.Nl. 1000 IN A 127.0.0.1"),
+			newRR(t, "Miek.nL. 500 IN A 127.0.0.1"),
+		}: {"miEk.nl.\t500\tIN\tA\t127.0.0.1"},
+		[...]RR{
+			newRR(t, "miek.nl. IN A 127.0.0.1"),
+			newRR(t, "miek.nl. CH A 127.0.0.1"),
+			newRR(t, "miek.nl. IN A 127.0.0.1"),
+		}: {"miek.nl.\t3600\tIN\tA\t127.0.0.1",
+			"miek.nl.\t3600\tCH\tA\t127.0.0.1",
+		},
+		[...]RR{
+			newRR(t, "miek.nl. CH A 127.0.0.1"),
+			newRR(t, "miek.nl. IN A 127.0.0.1"),
+			newRR(t, "miek.de. IN A 127.0.0.1"),
+		}: {"miek.nl.\t3600\tCH\tA\t127.0.0.1",
+			"miek.nl.\t3600\tIN\tA\t127.0.0.1",
+			"miek.de.\t3600\tIN\tA\t127.0.0.1",
+		},
+		[...]RR{
+			newRR(t, "miek.de. IN A 127.0.0.1"),
+			newRR(t, "miek.nl. 200 IN A 127.0.0.1"),
+			newRR(t, "miek.nl. 300 IN A 127.0.0.1"),
+		}: {"miek.de.\t3600\tIN\tA\t127.0.0.1",
+			"miek.nl.\t200\tIN\tA\t127.0.0.1",
+		},
+	}
+
+	for rr, expected := range testcases {
+		out := Dedup([]RR{rr[0], rr[1], rr[2]}, nil)
+		for i, o := range out {
+			if o.String() != expected[i] {
+				t.Fatalf("expected %v, got %v", expected[i], o.String())
+			}
+		}
+	}
+}
+
+func BenchmarkDedup(b *testing.B) {
+	rrs := []RR{
+		newRR(nil, "miEk.nl. 2000 IN A 127.0.0.1"),
+		newRR(nil, "mieK.Nl. 1000 IN A 127.0.0.1"),
+		newRR(nil, "Miek.nL. 500 IN A 127.0.0.1"),
+	}
+	m := make(map[string]RR)
+	for i := 0; i < b.N; i++ {
+		Dedup(rrs, m)
+	}
+}
+
+func TestNormalizedString(t *testing.T) {
+	tests := map[RR]string{
+		newRR(t, "mIEk.Nl. 3600 IN A 127.0.0.1"):     "miek.nl.\tIN\tA\t127.0.0.1",
+		newRR(t, "m\\ iek.nL. 3600 IN A 127.0.0.1"):  "m\\ iek.nl.\tIN\tA\t127.0.0.1",
+		newRR(t, "m\\\tIeK.nl. 3600 in A 127.0.0.1"): "m\\009iek.nl.\tIN\tA\t127.0.0.1",
+	}
+	for tc, expected := range tests {
+		n := normalizedString(tc)
+		if n != expected {
+			t.Errorf("expected %s, got %s", expected, n)
+		}
+	}
+}
+
+func newRR(t *testing.T, s string) RR {
+	r, err := NewRR(s)
+	if err != nil {
+		t.Logf("newRR: %v", err)
+	}
+	return r
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/scan.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/scan.go
new file mode 100644
index 000000000..8d4773c3e
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/scan.go
@@ -0,0 +1,987 @@
+package dns
+
+import (
+	"io"
+	"log"
+	"os"
+	"strconv"
+	"strings"
+)
+
+type debugging bool
+
+const debug debugging = false
+
+func (d debugging) Printf(format string, args ...interface{}) {
+	if d {
+		log.Printf(format, args...)
+	}
+}
+
+const maxTok = 2048 // Largest token we can return.
+const maxUint16 = 1<<16 - 1
+
+// Tokinize a RFC 1035 zone file. The tokenizer will normalize it:
+// * Add ownernames if they are left blank;
+// * Suppress sequences of spaces;
+// * Make each RR fit on one line (_NEWLINE is send as last)
+// * Handle comments: ;
+// * Handle braces - anywhere.
+const (
+	// Zonefile
+	zEOF = iota
+	zString
+	zBlank
+	zQuote
+	zNewline
+	zRrtpe
+	zOwner
+	zClass
+	zDirOrigin   // $ORIGIN
+	zDirTtl      // $TTL
+	zDirInclude  // $INCLUDE
+	zDirGenerate // $GENERATE
+
+	// Privatekey file
+	zValue
+	zKey
+
+	zExpectOwnerDir      // Ownername
+	zExpectOwnerBl       // Whitespace after the ownername
+	zExpectAny           // Expect rrtype, ttl or class
+	zExpectAnyNoClass    // Expect rrtype or ttl
+	zExpectAnyNoClassBl  // The whitespace after _EXPECT_ANY_NOCLASS
+	zExpectAnyNoTtl      // Expect rrtype or class
+	zExpectAnyNoTtlBl    // Whitespace after _EXPECT_ANY_NOTTL
+	zExpectRrtype        // Expect rrtype
+	zExpectRrtypeBl      // Whitespace BEFORE rrtype
+	zExpectRdata         // The first element of the rdata
+	zExpectDirTtlBl      // Space after directive $TTL
+	zExpectDirTtl        // Directive $TTL
+	zExpectDirOriginBl   // Space after directive $ORIGIN
+	zExpectDirOrigin     // Directive $ORIGIN
+	zExpectDirIncludeBl  // Space after directive $INCLUDE
+	zExpectDirInclude    // Directive $INCLUDE
+	zExpectDirGenerate   // Directive $GENERATE
+	zExpectDirGenerateBl // Space after directive $GENERATE
+)
+
+// ParseError is a parsing error. It contains the parse error and the location in the io.Reader
+// where the error occurred.
+type ParseError struct {
+	file string
+	err  string
+	lex  lex
+}
+
+func (e *ParseError) Error() (s string) {
+	if e.file != "" {
+		s = e.file + ": "
+	}
+	s += "dns: " + e.err + ": " + strconv.QuoteToASCII(e.lex.token) + " at line: " +
+		strconv.Itoa(e.lex.line) + ":" + strconv.Itoa(e.lex.column)
+	return
+}
+
+type lex struct {
+	token      string // text of the token
+	tokenUpper string // uppercase text of the token
+	length     int    // length of the token
+	err        bool   // when true, token text has lexer error
+	value      uint8  // value: zString, _BLANK, etc.
+	line       int    // line in the file
+	column     int    // column in the file
+	torc       uint16 // type or class as parsed in the lexer, we only need to look this up in the grammar
+	comment    string // any comment text seen
+}
+
+// Token holds the token that are returned when a zone file is parsed.
+type Token struct {
+	// The scanned resource record when error is not nil.
+	RR
+	// When an error occurred, this has the error specifics.
+	Error *ParseError
+	// A potential comment positioned after the RR and on the same line.
+	Comment string
+}
+
+// NewRR reads the RR contained in the string s. Only the first RR is
+// returned. If s contains no RR, return nil with no error. The class
+// defaults to IN and TTL defaults to 3600. The full zone file syntax
+// like $TTL, $ORIGIN, etc. is supported. All fields of the returned
+// RR are set, except RR.Header().Rdlength which is set to 0.
+func NewRR(s string) (RR, error) {
+	if len(s) > 0 && s[len(s)-1] != '\n' { // We need a closing newline
+		return ReadRR(strings.NewReader(s+"\n"), "")
+	}
+	return ReadRR(strings.NewReader(s), "")
+}
+
+// ReadRR reads the RR contained in q.
+// See NewRR for more documentation.
+func ReadRR(q io.Reader, filename string) (RR, error) {
+	r := <-parseZoneHelper(q, ".", filename, 1)
+	if r == nil {
+		return nil, nil
+	}
+
+	if r.Error != nil {
+		return nil, r.Error
+	}
+	return r.RR, nil
+}
+
+// ParseZone reads a RFC 1035 style zonefile from r. It returns *Tokens on the
+// returned channel, which consist out the parsed RR, a potential comment or an error.
+// If there is an error the RR is nil. The string file is only used
+// in error reporting. The string origin is used as the initial origin, as
+// if the file would start with: $ORIGIN origin .
+// The directives $INCLUDE, $ORIGIN, $TTL and $GENERATE are supported.
+// The channel t is closed by ParseZone when the end of r is reached.
+//
+// Basic usage pattern when reading from a string (z) containing the
+// zone data:
+//
+//	for x := range dns.ParseZone(strings.NewReader(z), "", "") {
+//		if x.Error != nil {
+//                  // log.Println(x.Error)
+//              } else {
+//                  // Do something with x.RR
+//              }
+//	}
+//
+// Comments specified after an RR (and on the same line!) are returned too:
+//
+//	foo. IN A 10.0.0.1 ; this is a comment
+//
+// The text "; this is comment" is returned in Token.Comment. Comments inside the
+// RR are discarded. Comments on a line by themselves are discarded too.
+func ParseZone(r io.Reader, origin, file string) chan *Token {
+	return parseZoneHelper(r, origin, file, 10000)
+}
+
+func parseZoneHelper(r io.Reader, origin, file string, chansize int) chan *Token {
+	t := make(chan *Token, chansize)
+	go parseZone(r, origin, file, t, 0)
+	return t
+}
+
+func parseZone(r io.Reader, origin, f string, t chan *Token, include int) {
+	defer func() {
+		if include == 0 {
+			close(t)
+		}
+	}()
+	s := scanInit(r)
+	c := make(chan lex)
+	// Start the lexer
+	go zlexer(s, c)
+	// 6 possible beginnings of a line, _ is a space
+	// 0. zRRTYPE                              -> all omitted until the rrtype
+	// 1. zOwner _ zRrtype                     -> class/ttl omitted
+	// 2. zOwner _ zString _ zRrtype           -> class omitted
+	// 3. zOwner _ zString _ zClass  _ zRrtype -> ttl/class
+	// 4. zOwner _ zClass  _ zRrtype           -> ttl omitted
+	// 5. zOwner _ zClass  _ zString _ zRrtype -> class/ttl (reversed)
+	// After detecting these, we know the zRrtype so we can jump to functions
+	// handling the rdata for each of these types.
+
+	if origin == "" {
+		origin = "."
+	}
+	origin = Fqdn(origin)
+	if _, ok := IsDomainName(origin); !ok {
+		t <- &Token{Error: &ParseError{f, "bad initial origin name", lex{}}}
+		return
+	}
+
+	st := zExpectOwnerDir // initial state
+	var h RR_Header
+	var defttl uint32 = defaultTtl
+	var prevName string
+	for l := range c {
+		// Lexer spotted an error already
+		if l.err == true {
+			t <- &Token{Error: &ParseError{f, l.token, l}}
+			return
+
+		}
+		switch st {
+		case zExpectOwnerDir:
+			// We can also expect a directive, like $TTL or $ORIGIN
+			h.Ttl = defttl
+			h.Class = ClassINET
+			switch l.value {
+			case zNewline:
+				st = zExpectOwnerDir
+			case zOwner:
+				h.Name = l.token
+				if l.token[0] == '@' {
+					h.Name = origin
+					prevName = h.Name
+					st = zExpectOwnerBl
+					break
+				}
+				if h.Name[l.length-1] != '.' {
+					h.Name = appendOrigin(h.Name, origin)
+				}
+				_, ok := IsDomainName(l.token)
+				if !ok {
+					t <- &Token{Error: &ParseError{f, "bad owner name", l}}
+					return
+				}
+				prevName = h.Name
+				st = zExpectOwnerBl
+			case zDirTtl:
+				st = zExpectDirTtlBl
+			case zDirOrigin:
+				st = zExpectDirOriginBl
+			case zDirInclude:
+				st = zExpectDirIncludeBl
+			case zDirGenerate:
+				st = zExpectDirGenerateBl
+			case zRrtpe:
+				h.Name = prevName
+				h.Rrtype = l.torc
+				st = zExpectRdata
+			case zClass:
+				h.Name = prevName
+				h.Class = l.torc
+				st = zExpectAnyNoClassBl
+			case zBlank:
+				// Discard, can happen when there is nothing on the
+				// line except the RR type
+			case zString:
+				ttl, ok := stringToTtl(l.token)
+				if !ok {
+					t <- &Token{Error: &ParseError{f, "not a TTL", l}}
+					return
+				}
+				h.Ttl = ttl
+				// Don't about the defttl, we should take the $TTL value
+				// defttl = ttl
+				st = zExpectAnyNoTtlBl
+
+			default:
+				t <- &Token{Error: &ParseError{f, "syntax error at beginning", l}}
+				return
+			}
+		case zExpectDirIncludeBl:
+			if l.value != zBlank {
+				t <- &Token{Error: &ParseError{f, "no blank after $INCLUDE-directive", l}}
+				return
+			}
+			st = zExpectDirInclude
+		case zExpectDirInclude:
+			if l.value != zString {
+				t <- &Token{Error: &ParseError{f, "expecting $INCLUDE value, not this...", l}}
+				return
+			}
+			neworigin := origin // There may be optionally a new origin set after the filename, if not use current one
+			l := <-c
+			switch l.value {
+			case zBlank:
+				l := <-c
+				if l.value == zString {
+					if _, ok := IsDomainName(l.token); !ok || l.length == 0 || l.err {
+						t <- &Token{Error: &ParseError{f, "bad origin name", l}}
+						return
+					}
+					// a new origin is specified.
+					if l.token[l.length-1] != '.' {
+						if origin != "." { // Prevent .. endings
+							neworigin = l.token + "." + origin
+						} else {
+							neworigin = l.token + origin
+						}
+					} else {
+						neworigin = l.token
+					}
+				}
+			case zNewline, zEOF:
+				// Ok
+			default:
+				t <- &Token{Error: &ParseError{f, "garbage after $INCLUDE", l}}
+				return
+			}
+			// Start with the new file
+			r1, e1 := os.Open(l.token)
+			if e1 != nil {
+				t <- &Token{Error: &ParseError{f, "failed to open `" + l.token + "'", l}}
+				return
+			}
+			if include+1 > 7 {
+				t <- &Token{Error: &ParseError{f, "too deeply nested $INCLUDE", l}}
+				return
+			}
+			parseZone(r1, l.token, neworigin, t, include+1)
+			st = zExpectOwnerDir
+		case zExpectDirTtlBl:
+			if l.value != zBlank {
+				t <- &Token{Error: &ParseError{f, "no blank after $TTL-directive", l}}
+				return
+			}
+			st = zExpectDirTtl
+		case zExpectDirTtl:
+			if l.value != zString {
+				t <- &Token{Error: &ParseError{f, "expecting $TTL value, not this...", l}}
+				return
+			}
+			if e, _ := slurpRemainder(c, f); e != nil {
+				t <- &Token{Error: e}
+				return
+			}
+			ttl, ok := stringToTtl(l.token)
+			if !ok {
+				t <- &Token{Error: &ParseError{f, "expecting $TTL value, not this...", l}}
+				return
+			}
+			defttl = ttl
+			st = zExpectOwnerDir
+		case zExpectDirOriginBl:
+			if l.value != zBlank {
+				t <- &Token{Error: &ParseError{f, "no blank after $ORIGIN-directive", l}}
+				return
+			}
+			st = zExpectDirOrigin
+		case zExpectDirOrigin:
+			if l.value != zString {
+				t <- &Token{Error: &ParseError{f, "expecting $ORIGIN value, not this...", l}}
+				return
+			}
+			if e, _ := slurpRemainder(c, f); e != nil {
+				t <- &Token{Error: e}
+			}
+			if _, ok := IsDomainName(l.token); !ok {
+				t <- &Token{Error: &ParseError{f, "bad origin name", l}}
+				return
+			}
+			if l.token[l.length-1] != '.' {
+				if origin != "." { // Prevent .. endings
+					origin = l.token + "." + origin
+				} else {
+					origin = l.token + origin
+				}
+			} else {
+				origin = l.token
+			}
+			st = zExpectOwnerDir
+		case zExpectDirGenerateBl:
+			if l.value != zBlank {
+				t <- &Token{Error: &ParseError{f, "no blank after $GENERATE-directive", l}}
+				return
+			}
+			st = zExpectDirGenerate
+		case zExpectDirGenerate:
+			if l.value != zString {
+				t <- &Token{Error: &ParseError{f, "expecting $GENERATE value, not this...", l}}
+				return
+			}
+			if errMsg := generate(l, c, t, origin); errMsg != "" {
+				t <- &Token{Error: &ParseError{f, errMsg, l}}
+				return
+			}
+			st = zExpectOwnerDir
+		case zExpectOwnerBl:
+			if l.value != zBlank {
+				t <- &Token{Error: &ParseError{f, "no blank after owner", l}}
+				return
+			}
+			st = zExpectAny
+		case zExpectAny:
+			switch l.value {
+			case zRrtpe:
+				h.Rrtype = l.torc
+				st = zExpectRdata
+			case zClass:
+				h.Class = l.torc
+				st = zExpectAnyNoClassBl
+			case zString:
+				ttl, ok := stringToTtl(l.token)
+				if !ok {
+					t <- &Token{Error: &ParseError{f, "not a TTL", l}}
+					return
+				}
+				h.Ttl = ttl
+				// defttl = ttl // don't set the defttl here
+				st = zExpectAnyNoTtlBl
+			default:
+				t <- &Token{Error: &ParseError{f, "expecting RR type, TTL or class, not this...", l}}
+				return
+			}
+		case zExpectAnyNoClassBl:
+			if l.value != zBlank {
+				t <- &Token{Error: &ParseError{f, "no blank before class", l}}
+				return
+			}
+			st = zExpectAnyNoClass
+		case zExpectAnyNoTtlBl:
+			if l.value != zBlank {
+				t <- &Token{Error: &ParseError{f, "no blank before TTL", l}}
+				return
+			}
+			st = zExpectAnyNoTtl
+		case zExpectAnyNoTtl:
+			switch l.value {
+			case zClass:
+				h.Class = l.torc
+				st = zExpectRrtypeBl
+			case zRrtpe:
+				h.Rrtype = l.torc
+				st = zExpectRdata
+			default:
+				t <- &Token{Error: &ParseError{f, "expecting RR type or class, not this...", l}}
+				return
+			}
+		case zExpectAnyNoClass:
+			switch l.value {
+			case zString:
+				ttl, ok := stringToTtl(l.token)
+				if !ok {
+					t <- &Token{Error: &ParseError{f, "not a TTL", l}}
+					return
+				}
+				h.Ttl = ttl
+				// defttl = ttl // don't set the def ttl anymore
+				st = zExpectRrtypeBl
+			case zRrtpe:
+				h.Rrtype = l.torc
+				st = zExpectRdata
+			default:
+				t <- &Token{Error: &ParseError{f, "expecting RR type or TTL, not this...", l}}
+				return
+			}
+		case zExpectRrtypeBl:
+			if l.value != zBlank {
+				t <- &Token{Error: &ParseError{f, "no blank before RR type", l}}
+				return
+			}
+			st = zExpectRrtype
+		case zExpectRrtype:
+			if l.value != zRrtpe {
+				t <- &Token{Error: &ParseError{f, "unknown RR type", l}}
+				return
+			}
+			h.Rrtype = l.torc
+			st = zExpectRdata
+		case zExpectRdata:
+			r, e, c1 := setRR(h, c, origin, f)
+			if e != nil {
+				// If e.lex is nil than we have encounter a unknown RR type
+				// in that case we substitute our current lex token
+				if e.lex.token == "" && e.lex.value == 0 {
+					e.lex = l // Uh, dirty
+				}
+				t <- &Token{Error: e}
+				return
+			}
+			t <- &Token{RR: r, Comment: c1}
+			st = zExpectOwnerDir
+		}
+	}
+	// If we get here, we and the h.Rrtype is still zero, we haven't parsed anything, this
+	// is not an error, because an empty zone file is still a zone file.
+}
+
+// zlexer scans the sourcefile and returns tokens on the channel c.
+func zlexer(s *scan, c chan lex) {
+	var l lex
+	str := make([]byte, maxTok) // Should be enough for any token
+	stri := 0                   // Offset in str (0 means empty)
+	com := make([]byte, maxTok) // Hold comment text
+	comi := 0
+	quote := false
+	escape := false
+	space := false
+	commt := false
+	rrtype := false
+	owner := true
+	brace := 0
+	x, err := s.tokenText()
+	defer close(c)
+	for err == nil {
+		l.column = s.position.Column
+		l.line = s.position.Line
+		if stri >= maxTok {
+			l.token = "token length insufficient for parsing"
+			l.err = true
+			debug.Printf("[%+v]", l.token)
+			c <- l
+			return
+		}
+		if comi >= maxTok {
+			l.token = "comment length insufficient for parsing"
+			l.err = true
+			debug.Printf("[%+v]", l.token)
+			c <- l
+			return
+		}
+
+		switch x {
+		case ' ', '\t':
+			if escape {
+				escape = false
+				str[stri] = x
+				stri++
+				break
+			}
+			if quote {
+				// Inside quotes this is legal
+				str[stri] = x
+				stri++
+				break
+			}
+			if commt {
+				com[comi] = x
+				comi++
+				break
+			}
+			if stri == 0 {
+				// Space directly in the beginning, handled in the grammar
+			} else if owner {
+				// If we have a string and its the first, make it an owner
+				l.value = zOwner
+				l.token = string(str[:stri])
+				l.tokenUpper = strings.ToUpper(l.token)
+				l.length = stri
+				// escape $... start with a \ not a $, so this will work
+				switch l.tokenUpper {
+				case "$TTL":
+					l.value = zDirTtl
+				case "$ORIGIN":
+					l.value = zDirOrigin
+				case "$INCLUDE":
+					l.value = zDirInclude
+				case "$GENERATE":
+					l.value = zDirGenerate
+				}
+				debug.Printf("[7 %+v]", l.token)
+				c <- l
+			} else {
+				l.value = zString
+				l.token = string(str[:stri])
+				l.tokenUpper = strings.ToUpper(l.token)
+				l.length = stri
+				if !rrtype {
+					if t, ok := StringToType[l.tokenUpper]; ok {
+						l.value = zRrtpe
+						l.torc = t
+						rrtype = true
+					} else {
+						if strings.HasPrefix(l.tokenUpper, "TYPE") {
+							t, ok := typeToInt(l.token)
+							if !ok {
+								l.token = "unknown RR type"
+								l.err = true
+								c <- l
+								return
+							}
+							l.value = zRrtpe
+							l.torc = t
+						}
+					}
+					if t, ok := StringToClass[l.tokenUpper]; ok {
+						l.value = zClass
+						l.torc = t
+					} else {
+						if strings.HasPrefix(l.tokenUpper, "CLASS") {
+							t, ok := classToInt(l.token)
+							if !ok {
+								l.token = "unknown class"
+								l.err = true
+								c <- l
+								return
+							}
+							l.value = zClass
+							l.torc = t
+						}
+					}
+				}
+				debug.Printf("[6 %+v]", l.token)
+				c <- l
+			}
+			stri = 0
+			// I reverse space stuff here
+			if !space && !commt {
+				l.value = zBlank
+				l.token = " "
+				l.length = 1
+				debug.Printf("[5 %+v]", l.token)
+				c <- l
+			}
+			owner = false
+			space = true
+		case ';':
+			if escape {
+				escape = false
+				str[stri] = x
+				stri++
+				break
+			}
+			if quote {
+				// Inside quotes this is legal
+				str[stri] = x
+				stri++
+				break
+			}
+			if stri > 0 {
+				l.value = zString
+				l.token = string(str[:stri])
+				l.tokenUpper = strings.ToUpper(l.token)
+				l.length = stri
+				debug.Printf("[4 %+v]", l.token)
+				c <- l
+				stri = 0
+			}
+			commt = true
+			com[comi] = ';'
+			comi++
+		case '\r':
+			escape = false
+			if quote {
+				str[stri] = x
+				stri++
+				break
+			}
+			// discard if outside of quotes
+		case '\n':
+			escape = false
+			// Escaped newline
+			if quote {
+				str[stri] = x
+				stri++
+				break
+			}
+			// inside quotes this is legal
+			if commt {
+				// Reset a comment
+				commt = false
+				rrtype = false
+				stri = 0
+				// If not in a brace this ends the comment AND the RR
+				if brace == 0 {
+					owner = true
+					owner = true
+					l.value = zNewline
+					l.token = "\n"
+					l.tokenUpper = l.token
+					l.length = 1
+					l.comment = string(com[:comi])
+					debug.Printf("[3 %+v %+v]", l.token, l.comment)
+					c <- l
+					l.comment = ""
+					comi = 0
+					break
+				}
+				com[comi] = ' ' // convert newline to space
+				comi++
+				break
+			}
+
+			if brace == 0 {
+				// If there is previous text, we should output it here
+				if stri != 0 {
+					l.value = zString
+					l.token = string(str[:stri])
+					l.tokenUpper = strings.ToUpper(l.token)
+
+					l.length = stri
+					if !rrtype {
+						if t, ok := StringToType[l.tokenUpper]; ok {
+							l.value = zRrtpe
+							l.torc = t
+							rrtype = true
+						}
+					}
+					debug.Printf("[2 %+v]", l.token)
+					c <- l
+				}
+				l.value = zNewline
+				l.token = "\n"
+				l.tokenUpper = l.token
+				l.length = 1
+				debug.Printf("[1 %+v]", l.token)
+				c <- l
+				stri = 0
+				commt = false
+				rrtype = false
+				owner = true
+				comi = 0
+			}
+		case '\\':
+			// comments do not get escaped chars, everything is copied
+			if commt {
+				com[comi] = x
+				comi++
+				break
+			}
+			// something already escaped must be in string
+			if escape {
+				str[stri] = x
+				stri++
+				escape = false
+				break
+			}
+			// something escaped outside of string gets added to string
+			str[stri] = x
+			stri++
+			escape = true
+		case '"':
+			if commt {
+				com[comi] = x
+				comi++
+				break
+			}
+			if escape {
+				str[stri] = x
+				stri++
+				escape = false
+				break
+			}
+			space = false
+			// send previous gathered text and the quote
+			if stri != 0 {
+				l.value = zString
+				l.token = string(str[:stri])
+				l.tokenUpper = strings.ToUpper(l.token)
+				l.length = stri
+
+				debug.Printf("[%+v]", l.token)
+				c <- l
+				stri = 0
+			}
+
+			// send quote itself as separate token
+			l.value = zQuote
+			l.token = "\""
+			l.tokenUpper = l.token
+			l.length = 1
+			c <- l
+			quote = !quote
+		case '(', ')':
+			if commt {
+				com[comi] = x
+				comi++
+				break
+			}
+			if escape {
+				str[stri] = x
+				stri++
+				escape = false
+				break
+			}
+			if quote {
+				str[stri] = x
+				stri++
+				break
+			}
+			switch x {
+			case ')':
+				brace--
+				if brace < 0 {
+					l.token = "extra closing brace"
+					l.tokenUpper = l.token
+					l.err = true
+					debug.Printf("[%+v]", l.token)
+					c <- l
+					return
+				}
+			case '(':
+				brace++
+			}
+		default:
+			escape = false
+			if commt {
+				com[comi] = x
+				comi++
+				break
+			}
+			str[stri] = x
+			stri++
+			space = false
+		}
+		x, err = s.tokenText()
+	}
+	if stri > 0 {
+		// Send remainder
+		l.token = string(str[:stri])
+		l.tokenUpper = strings.ToUpper(l.token)
+		l.length = stri
+		l.value = zString
+		debug.Printf("[%+v]", l.token)
+		c <- l
+	}
+	if brace != 0 {
+		l.token = "unbalanced brace"
+		l.tokenUpper = l.token
+		l.err = true
+		c <- l
+	}
+}
+
+// Extract the class number from CLASSxx
+func classToInt(token string) (uint16, bool) {
+	offset := 5
+	if len(token) < offset+1 {
+		return 0, false
+	}
+	class, err := strconv.ParseUint(token[offset:], 10, 16)
+	if err != nil {
+		return 0, false
+	}
+	return uint16(class), true
+}
+
+// Extract the rr number from TYPExxx
+func typeToInt(token string) (uint16, bool) {
+	offset := 4
+	if len(token) < offset+1 {
+		return 0, false
+	}
+	typ, err := strconv.ParseUint(token[offset:], 10, 16)
+	if err != nil {
+		return 0, false
+	}
+	return uint16(typ), true
+}
+
+// Parse things like 2w, 2m, etc, Return the time in seconds.
+func stringToTtl(token string) (uint32, bool) {
+	s := uint32(0)
+	i := uint32(0)
+	for _, c := range token {
+		switch c {
+		case 's', 'S':
+			s += i
+			i = 0
+		case 'm', 'M':
+			s += i * 60
+			i = 0
+		case 'h', 'H':
+			s += i * 60 * 60
+			i = 0
+		case 'd', 'D':
+			s += i * 60 * 60 * 24
+			i = 0
+		case 'w', 'W':
+			s += i * 60 * 60 * 24 * 7
+			i = 0
+		case '0', '1', '2', '3', '4', '5', '6', '7', '8', '9':
+			i *= 10
+			i += uint32(c) - '0'
+		default:
+			return 0, false
+		}
+	}
+	return s + i, true
+}
+
+// Parse LOC records' <digits>[.<digits>][mM] into a
+// mantissa exponent format. Token should contain the entire
+// string (i.e. no spaces allowed)
+func stringToCm(token string) (e, m uint8, ok bool) {
+	if token[len(token)-1] == 'M' || token[len(token)-1] == 'm' {
+		token = token[0 : len(token)-1]
+	}
+	s := strings.SplitN(token, ".", 2)
+	var meters, cmeters, val int
+	var err error
+	switch len(s) {
+	case 2:
+		if cmeters, err = strconv.Atoi(s[1]); err != nil {
+			return
+		}
+		fallthrough
+	case 1:
+		if meters, err = strconv.Atoi(s[0]); err != nil {
+			return
+		}
+	case 0:
+		// huh?
+		return 0, 0, false
+	}
+	ok = true
+	if meters > 0 {
+		e = 2
+		val = meters
+	} else {
+		e = 0
+		val = cmeters
+	}
+	for val > 10 {
+		e++
+		val /= 10
+	}
+	if e > 9 {
+		ok = false
+	}
+	m = uint8(val)
+	return
+}
+
+func appendOrigin(name, origin string) string {
+	if origin == "." {
+		return name + origin
+	}
+	return name + "." + origin
+}
+
+// LOC record helper function
+func locCheckNorth(token string, latitude uint32) (uint32, bool) {
+	switch token {
+	case "n", "N":
+		return LOC_EQUATOR + latitude, true
+	case "s", "S":
+		return LOC_EQUATOR - latitude, true
+	}
+	return latitude, false
+}
+
+// LOC record helper function
+func locCheckEast(token string, longitude uint32) (uint32, bool) {
+	switch token {
+	case "e", "E":
+		return LOC_EQUATOR + longitude, true
+	case "w", "W":
+		return LOC_EQUATOR - longitude, true
+	}
+	return longitude, false
+}
+
+// "Eat" the rest of the "line". Return potential comments
+func slurpRemainder(c chan lex, f string) (*ParseError, string) {
+	l := <-c
+	com := ""
+	switch l.value {
+	case zBlank:
+		l = <-c
+		com = l.comment
+		if l.value != zNewline && l.value != zEOF {
+			return &ParseError{f, "garbage after rdata", l}, ""
+		}
+	case zNewline:
+		com = l.comment
+	case zEOF:
+	default:
+		return &ParseError{f, "garbage after rdata", l}, ""
+	}
+	return nil, com
+}
+
+// Parse a 64 bit-like ipv6 address: "0014:4fff:ff20:ee64"
+// Used for NID and L64 record.
+func stringToNodeID(l lex) (uint64, *ParseError) {
+	if len(l.token) < 19 {
+		return 0, &ParseError{l.token, "bad NID/L64 NodeID/Locator64", l}
+	}
+	// There must be three colons at fixes postitions, if not its a parse error
+	if l.token[4] != ':' && l.token[9] != ':' && l.token[14] != ':' {
+		return 0, &ParseError{l.token, "bad NID/L64 NodeID/Locator64", l}
+	}
+	s := l.token[0:4] + l.token[5:9] + l.token[10:14] + l.token[15:19]
+	u, err := strconv.ParseUint(s, 16, 64)
+	if err != nil {
+		return 0, &ParseError{l.token, "bad NID/L64 NodeID/Locator64", l}
+	}
+	return u, nil
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/scan_rr.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/scan_rr.go
new file mode 100644
index 000000000..b8b18fd77
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/scan_rr.go
@@ -0,0 +1,2184 @@
+package dns
+
+import (
+	"encoding/base64"
+	"net"
+	"strconv"
+	"strings"
+)
+
+type parserFunc struct {
+	// Func defines the function that parses the tokens and returns the RR
+	// or an error. The last string contains any comments in the line as
+	// they returned by the lexer as well.
+	Func func(h RR_Header, c chan lex, origin string, file string) (RR, *ParseError, string)
+	// Signals if the RR ending is of variable length, like TXT or records
+	// that have Hexadecimal or Base64 as their last element in the Rdata. Records
+	// that have a fixed ending or for instance A, AAAA, SOA and etc.
+	Variable bool
+}
+
+// Parse the rdata of each rrtype.
+// All data from the channel c is either zString or zBlank.
+// After the rdata there may come a zBlank and then a zNewline
+// or immediately a zNewline. If this is not the case we flag
+// an *ParseError: garbage after rdata.
+func setRR(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	parserfunc, ok := typeToparserFunc[h.Rrtype]
+	if ok {
+		r, e, cm := parserfunc.Func(h, c, o, f)
+		if parserfunc.Variable {
+			return r, e, cm
+		}
+		if e != nil {
+			return nil, e, ""
+		}
+		e, cm = slurpRemainder(c, f)
+		if e != nil {
+			return nil, e, ""
+		}
+		return r, nil, cm
+	}
+	// RFC3957 RR (Unknown RR handling)
+	return setRFC3597(h, c, o, f)
+}
+
+// A remainder of the rdata with embedded spaces, return the parsed string (sans the spaces)
+// or an error
+func endingToString(c chan lex, errstr, f string) (string, *ParseError, string) {
+	s := ""
+	l := <-c // zString
+	for l.value != zNewline && l.value != zEOF {
+		if l.err {
+			return s, &ParseError{f, errstr, l}, ""
+		}
+		switch l.value {
+		case zString:
+			s += l.token
+		case zBlank: // Ok
+		default:
+			return "", &ParseError{f, errstr, l}, ""
+		}
+		l = <-c
+	}
+	return s, nil, l.comment
+}
+
+// A remainder of the rdata with embedded spaces, split on unquoted whitespace
+// and return the parsed string slice or an error
+func endingToTxtSlice(c chan lex, errstr, f string) ([]string, *ParseError, string) {
+	// Get the remaining data until we see a zNewline
+	l := <-c
+	if l.err {
+		return nil, &ParseError{f, errstr, l}, ""
+	}
+
+	// Build the slice
+	s := make([]string, 0)
+	quote := false
+	empty := false
+	for l.value != zNewline && l.value != zEOF {
+		if l.err {
+			return nil, &ParseError{f, errstr, l}, ""
+		}
+		switch l.value {
+		case zString:
+			empty = false
+			if len(l.token) > 255 {
+				// split up tokens that are larger than 255 into 255-chunks
+				sx := []string{}
+				p, i := 0, 255
+				for {
+					if i <= len(l.token) {
+						sx = append(sx, l.token[p:i])
+					} else {
+						sx = append(sx, l.token[p:])
+						break
+
+					}
+					p, i = p+255, i+255
+				}
+				s = append(s, sx...)
+				break
+			}
+
+			s = append(s, l.token)
+		case zBlank:
+			if quote {
+				// zBlank can only be seen in between txt parts.
+				return nil, &ParseError{f, errstr, l}, ""
+			}
+		case zQuote:
+			if empty && quote {
+				s = append(s, "")
+			}
+			quote = !quote
+			empty = true
+		default:
+			return nil, &ParseError{f, errstr, l}, ""
+		}
+		l = <-c
+	}
+	if quote {
+		return nil, &ParseError{f, errstr, l}, ""
+	}
+	return s, nil, l.comment
+}
+
+func setA(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(A)
+	rr.Hdr = h
+
+	l := <-c
+	if l.length == 0 { // Dynamic updates.
+		return rr, nil, ""
+	}
+	rr.A = net.ParseIP(l.token)
+	if rr.A == nil || l.err {
+		return nil, &ParseError{f, "bad A A", l}, ""
+	}
+	return rr, nil, ""
+}
+
+func setAAAA(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(AAAA)
+	rr.Hdr = h
+
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	rr.AAAA = net.ParseIP(l.token)
+	if rr.AAAA == nil || l.err {
+		return nil, &ParseError{f, "bad AAAA AAAA", l}, ""
+	}
+	return rr, nil, ""
+}
+
+func setNS(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(NS)
+	rr.Hdr = h
+
+	l := <-c
+	rr.Ns = l.token
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	if l.token == "@" {
+		rr.Ns = o
+		return rr, nil, ""
+	}
+	_, ok := IsDomainName(l.token)
+	if !ok || l.length == 0 || l.err {
+		return nil, &ParseError{f, "bad NS Ns", l}, ""
+	}
+	if rr.Ns[l.length-1] != '.' {
+		rr.Ns = appendOrigin(rr.Ns, o)
+	}
+	return rr, nil, ""
+}
+
+func setPTR(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(PTR)
+	rr.Hdr = h
+
+	l := <-c
+	rr.Ptr = l.token
+	if l.length == 0 { // dynamic update rr.
+		return rr, nil, ""
+	}
+	if l.token == "@" {
+		rr.Ptr = o
+		return rr, nil, ""
+	}
+	_, ok := IsDomainName(l.token)
+	if !ok || l.length == 0 || l.err {
+		return nil, &ParseError{f, "bad PTR Ptr", l}, ""
+	}
+	if rr.Ptr[l.length-1] != '.' {
+		rr.Ptr = appendOrigin(rr.Ptr, o)
+	}
+	return rr, nil, ""
+}
+
+func setNSAPPTR(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(NSAPPTR)
+	rr.Hdr = h
+
+	l := <-c
+	rr.Ptr = l.token
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	if l.token == "@" {
+		rr.Ptr = o
+		return rr, nil, ""
+	}
+	_, ok := IsDomainName(l.token)
+	if !ok || l.length == 0 || l.err {
+		return nil, &ParseError{f, "bad NSAP-PTR Ptr", l}, ""
+	}
+	if rr.Ptr[l.length-1] != '.' {
+		rr.Ptr = appendOrigin(rr.Ptr, o)
+	}
+	return rr, nil, ""
+}
+
+func setRP(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(RP)
+	rr.Hdr = h
+
+	l := <-c
+	rr.Mbox = l.token
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	if l.token == "@" {
+		rr.Mbox = o
+	} else {
+		_, ok := IsDomainName(l.token)
+		if !ok || l.length == 0 || l.err {
+			return nil, &ParseError{f, "bad RP Mbox", l}, ""
+		}
+		if rr.Mbox[l.length-1] != '.' {
+			rr.Mbox = appendOrigin(rr.Mbox, o)
+		}
+	}
+	<-c // zBlank
+	l = <-c
+	rr.Txt = l.token
+	if l.token == "@" {
+		rr.Txt = o
+		return rr, nil, ""
+	}
+	_, ok := IsDomainName(l.token)
+	if !ok || l.length == 0 || l.err {
+		return nil, &ParseError{f, "bad RP Txt", l}, ""
+	}
+	if rr.Txt[l.length-1] != '.' {
+		rr.Txt = appendOrigin(rr.Txt, o)
+	}
+	return rr, nil, ""
+}
+
+func setMR(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(MR)
+	rr.Hdr = h
+
+	l := <-c
+	rr.Mr = l.token
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	if l.token == "@" {
+		rr.Mr = o
+		return rr, nil, ""
+	}
+	_, ok := IsDomainName(l.token)
+	if !ok || l.length == 0 || l.err {
+		return nil, &ParseError{f, "bad MR Mr", l}, ""
+	}
+	if rr.Mr[l.length-1] != '.' {
+		rr.Mr = appendOrigin(rr.Mr, o)
+	}
+	return rr, nil, ""
+}
+
+func setMB(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(MB)
+	rr.Hdr = h
+
+	l := <-c
+	rr.Mb = l.token
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	if l.token == "@" {
+		rr.Mb = o
+		return rr, nil, ""
+	}
+	_, ok := IsDomainName(l.token)
+	if !ok || l.length == 0 || l.err {
+		return nil, &ParseError{f, "bad MB Mb", l}, ""
+	}
+	if rr.Mb[l.length-1] != '.' {
+		rr.Mb = appendOrigin(rr.Mb, o)
+	}
+	return rr, nil, ""
+}
+
+func setMG(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(MG)
+	rr.Hdr = h
+
+	l := <-c
+	rr.Mg = l.token
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	if l.token == "@" {
+		rr.Mg = o
+		return rr, nil, ""
+	}
+	_, ok := IsDomainName(l.token)
+	if !ok || l.length == 0 || l.err {
+		return nil, &ParseError{f, "bad MG Mg", l}, ""
+	}
+	if rr.Mg[l.length-1] != '.' {
+		rr.Mg = appendOrigin(rr.Mg, o)
+	}
+	return rr, nil, ""
+}
+
+func setHINFO(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(HINFO)
+	rr.Hdr = h
+
+	chunks, e, c1 := endingToTxtSlice(c, "bad HINFO Fields", f)
+	if e != nil {
+		return nil, e, c1
+	}
+
+	if ln := len(chunks); ln == 0 {
+		return rr, nil, ""
+	} else if ln == 1 {
+		// Can we split it?
+		if out := strings.Fields(chunks[0]); len(out) > 1 {
+			chunks = out
+		} else {
+			chunks = append(chunks, "")
+		}
+	}
+
+	rr.Cpu = chunks[0]
+	rr.Os = strings.Join(chunks[1:], " ")
+
+	return rr, nil, ""
+}
+
+func setMINFO(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(MINFO)
+	rr.Hdr = h
+
+	l := <-c
+	rr.Rmail = l.token
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	if l.token == "@" {
+		rr.Rmail = o
+	} else {
+		_, ok := IsDomainName(l.token)
+		if !ok || l.length == 0 || l.err {
+			return nil, &ParseError{f, "bad MINFO Rmail", l}, ""
+		}
+		if rr.Rmail[l.length-1] != '.' {
+			rr.Rmail = appendOrigin(rr.Rmail, o)
+		}
+	}
+	<-c // zBlank
+	l = <-c
+	rr.Email = l.token
+	if l.token == "@" {
+		rr.Email = o
+		return rr, nil, ""
+	}
+	_, ok := IsDomainName(l.token)
+	if !ok || l.length == 0 || l.err {
+		return nil, &ParseError{f, "bad MINFO Email", l}, ""
+	}
+	if rr.Email[l.length-1] != '.' {
+		rr.Email = appendOrigin(rr.Email, o)
+	}
+	return rr, nil, ""
+}
+
+func setMF(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(MF)
+	rr.Hdr = h
+
+	l := <-c
+	rr.Mf = l.token
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	if l.token == "@" {
+		rr.Mf = o
+		return rr, nil, ""
+	}
+	_, ok := IsDomainName(l.token)
+	if !ok || l.length == 0 || l.err {
+		return nil, &ParseError{f, "bad MF Mf", l}, ""
+	}
+	if rr.Mf[l.length-1] != '.' {
+		rr.Mf = appendOrigin(rr.Mf, o)
+	}
+	return rr, nil, ""
+}
+
+func setMD(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(MD)
+	rr.Hdr = h
+
+	l := <-c
+	rr.Md = l.token
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	if l.token == "@" {
+		rr.Md = o
+		return rr, nil, ""
+	}
+	_, ok := IsDomainName(l.token)
+	if !ok || l.length == 0 || l.err {
+		return nil, &ParseError{f, "bad MD Md", l}, ""
+	}
+	if rr.Md[l.length-1] != '.' {
+		rr.Md = appendOrigin(rr.Md, o)
+	}
+	return rr, nil, ""
+}
+
+func setMX(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(MX)
+	rr.Hdr = h
+
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	i, e := strconv.ParseUint(l.token, 10, 16)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad MX Pref", l}, ""
+	}
+	rr.Preference = uint16(i)
+	<-c     // zBlank
+	l = <-c // zString
+	rr.Mx = l.token
+	if l.token == "@" {
+		rr.Mx = o
+		return rr, nil, ""
+	}
+	_, ok := IsDomainName(l.token)
+	if !ok || l.length == 0 || l.err {
+		return nil, &ParseError{f, "bad MX Mx", l}, ""
+	}
+	if rr.Mx[l.length-1] != '.' {
+		rr.Mx = appendOrigin(rr.Mx, o)
+	}
+	return rr, nil, ""
+}
+
+func setRT(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(RT)
+	rr.Hdr = h
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	i, e := strconv.ParseUint(l.token, 10, 16)
+	if e != nil {
+		return nil, &ParseError{f, "bad RT Preference", l}, ""
+	}
+	rr.Preference = uint16(i)
+	<-c     // zBlank
+	l = <-c // zString
+	rr.Host = l.token
+	if l.token == "@" {
+		rr.Host = o
+		return rr, nil, ""
+	}
+	_, ok := IsDomainName(l.token)
+	if !ok || l.length == 0 || l.err {
+		return nil, &ParseError{f, "bad RT Host", l}, ""
+	}
+	if rr.Host[l.length-1] != '.' {
+		rr.Host = appendOrigin(rr.Host, o)
+	}
+	return rr, nil, ""
+}
+
+func setAFSDB(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(AFSDB)
+	rr.Hdr = h
+
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	i, e := strconv.ParseUint(l.token, 10, 16)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad AFSDB Subtype", l}, ""
+	}
+	rr.Subtype = uint16(i)
+	<-c     // zBlank
+	l = <-c // zString
+	rr.Hostname = l.token
+	if l.token == "@" {
+		rr.Hostname = o
+		return rr, nil, ""
+	}
+	_, ok := IsDomainName(l.token)
+	if !ok || l.length == 0 || l.err {
+		return nil, &ParseError{f, "bad AFSDB Hostname", l}, ""
+	}
+	if rr.Hostname[l.length-1] != '.' {
+		rr.Hostname = appendOrigin(rr.Hostname, o)
+	}
+	return rr, nil, ""
+}
+
+func setX25(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(X25)
+	rr.Hdr = h
+
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	if l.err {
+		return nil, &ParseError{f, "bad X25 PSDNAddress", l}, ""
+	}
+	rr.PSDNAddress = l.token
+	return rr, nil, ""
+}
+
+func setKX(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(KX)
+	rr.Hdr = h
+
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	i, e := strconv.ParseUint(l.token, 10, 16)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad KX Pref", l}, ""
+	}
+	rr.Preference = uint16(i)
+	<-c     // zBlank
+	l = <-c // zString
+	rr.Exchanger = l.token
+	if l.token == "@" {
+		rr.Exchanger = o
+		return rr, nil, ""
+	}
+	_, ok := IsDomainName(l.token)
+	if !ok || l.length == 0 || l.err {
+		return nil, &ParseError{f, "bad KX Exchanger", l}, ""
+	}
+	if rr.Exchanger[l.length-1] != '.' {
+		rr.Exchanger = appendOrigin(rr.Exchanger, o)
+	}
+	return rr, nil, ""
+}
+
+func setCNAME(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(CNAME)
+	rr.Hdr = h
+
+	l := <-c
+	rr.Target = l.token
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	if l.token == "@" {
+		rr.Target = o
+		return rr, nil, ""
+	}
+	_, ok := IsDomainName(l.token)
+	if !ok || l.length == 0 || l.err {
+		return nil, &ParseError{f, "bad CNAME Target", l}, ""
+	}
+	if rr.Target[l.length-1] != '.' {
+		rr.Target = appendOrigin(rr.Target, o)
+	}
+	return rr, nil, ""
+}
+
+func setDNAME(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(DNAME)
+	rr.Hdr = h
+
+	l := <-c
+	rr.Target = l.token
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	if l.token == "@" {
+		rr.Target = o
+		return rr, nil, ""
+	}
+	_, ok := IsDomainName(l.token)
+	if !ok || l.length == 0 || l.err {
+		return nil, &ParseError{f, "bad CNAME Target", l}, ""
+	}
+	if rr.Target[l.length-1] != '.' {
+		rr.Target = appendOrigin(rr.Target, o)
+	}
+	return rr, nil, ""
+}
+
+func setSOA(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(SOA)
+	rr.Hdr = h
+
+	l := <-c
+	rr.Ns = l.token
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	<-c // zBlank
+	if l.token == "@" {
+		rr.Ns = o
+	} else {
+		_, ok := IsDomainName(l.token)
+		if !ok || l.length == 0 || l.err {
+			return nil, &ParseError{f, "bad SOA Ns", l}, ""
+		}
+		if rr.Ns[l.length-1] != '.' {
+			rr.Ns = appendOrigin(rr.Ns, o)
+		}
+	}
+
+	l = <-c
+	rr.Mbox = l.token
+	if l.token == "@" {
+		rr.Mbox = o
+	} else {
+		_, ok := IsDomainName(l.token)
+		if !ok || l.length == 0 || l.err {
+			return nil, &ParseError{f, "bad SOA Mbox", l}, ""
+		}
+		if rr.Mbox[l.length-1] != '.' {
+			rr.Mbox = appendOrigin(rr.Mbox, o)
+		}
+	}
+	<-c // zBlank
+
+	var (
+		v  uint32
+		ok bool
+	)
+	for i := 0; i < 5; i++ {
+		l = <-c
+		if l.err {
+			return nil, &ParseError{f, "bad SOA zone parameter", l}, ""
+		}
+		if j, e := strconv.ParseUint(l.token, 10, 32); e != nil {
+			if i == 0 {
+				// Serial should be a number
+				return nil, &ParseError{f, "bad SOA zone parameter", l}, ""
+			}
+			if v, ok = stringToTtl(l.token); !ok {
+				return nil, &ParseError{f, "bad SOA zone parameter", l}, ""
+
+			}
+		} else {
+			v = uint32(j)
+		}
+		switch i {
+		case 0:
+			rr.Serial = v
+			<-c // zBlank
+		case 1:
+			rr.Refresh = v
+			<-c // zBlank
+		case 2:
+			rr.Retry = v
+			<-c // zBlank
+		case 3:
+			rr.Expire = v
+			<-c // zBlank
+		case 4:
+			rr.Minttl = v
+		}
+	}
+	return rr, nil, ""
+}
+
+func setSRV(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(SRV)
+	rr.Hdr = h
+
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	i, e := strconv.ParseUint(l.token, 10, 16)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad SRV Priority", l}, ""
+	}
+	rr.Priority = uint16(i)
+	<-c     // zBlank
+	l = <-c // zString
+	i, e = strconv.ParseUint(l.token, 10, 16)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad SRV Weight", l}, ""
+	}
+	rr.Weight = uint16(i)
+	<-c     // zBlank
+	l = <-c // zString
+	i, e = strconv.ParseUint(l.token, 10, 16)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad SRV Port", l}, ""
+	}
+	rr.Port = uint16(i)
+	<-c     // zBlank
+	l = <-c // zString
+	rr.Target = l.token
+	if l.token == "@" {
+		rr.Target = o
+		return rr, nil, ""
+	}
+	_, ok := IsDomainName(l.token)
+	if !ok || l.length == 0 || l.err {
+		return nil, &ParseError{f, "bad SRV Target", l}, ""
+	}
+	if rr.Target[l.length-1] != '.' {
+		rr.Target = appendOrigin(rr.Target, o)
+	}
+	return rr, nil, ""
+}
+
+func setNAPTR(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(NAPTR)
+	rr.Hdr = h
+
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	i, e := strconv.ParseUint(l.token, 10, 16)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad NAPTR Order", l}, ""
+	}
+	rr.Order = uint16(i)
+	<-c     // zBlank
+	l = <-c // zString
+	i, e = strconv.ParseUint(l.token, 10, 16)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad NAPTR Preference", l}, ""
+	}
+	rr.Preference = uint16(i)
+	// Flags
+	<-c     // zBlank
+	l = <-c // _QUOTE
+	if l.value != zQuote {
+		return nil, &ParseError{f, "bad NAPTR Flags", l}, ""
+	}
+	l = <-c // Either String or Quote
+	if l.value == zString {
+		rr.Flags = l.token
+		l = <-c // _QUOTE
+		if l.value != zQuote {
+			return nil, &ParseError{f, "bad NAPTR Flags", l}, ""
+		}
+	} else if l.value == zQuote {
+		rr.Flags = ""
+	} else {
+		return nil, &ParseError{f, "bad NAPTR Flags", l}, ""
+	}
+
+	// Service
+	<-c     // zBlank
+	l = <-c // _QUOTE
+	if l.value != zQuote {
+		return nil, &ParseError{f, "bad NAPTR Service", l}, ""
+	}
+	l = <-c // Either String or Quote
+	if l.value == zString {
+		rr.Service = l.token
+		l = <-c // _QUOTE
+		if l.value != zQuote {
+			return nil, &ParseError{f, "bad NAPTR Service", l}, ""
+		}
+	} else if l.value == zQuote {
+		rr.Service = ""
+	} else {
+		return nil, &ParseError{f, "bad NAPTR Service", l}, ""
+	}
+
+	// Regexp
+	<-c     // zBlank
+	l = <-c // _QUOTE
+	if l.value != zQuote {
+		return nil, &ParseError{f, "bad NAPTR Regexp", l}, ""
+	}
+	l = <-c // Either String or Quote
+	if l.value == zString {
+		rr.Regexp = l.token
+		l = <-c // _QUOTE
+		if l.value != zQuote {
+			return nil, &ParseError{f, "bad NAPTR Regexp", l}, ""
+		}
+	} else if l.value == zQuote {
+		rr.Regexp = ""
+	} else {
+		return nil, &ParseError{f, "bad NAPTR Regexp", l}, ""
+	}
+	// After quote no space??
+	<-c     // zBlank
+	l = <-c // zString
+	rr.Replacement = l.token
+	if l.token == "@" {
+		rr.Replacement = o
+		return rr, nil, ""
+	}
+	_, ok := IsDomainName(l.token)
+	if !ok || l.length == 0 || l.err {
+		return nil, &ParseError{f, "bad NAPTR Replacement", l}, ""
+	}
+	if rr.Replacement[l.length-1] != '.' {
+		rr.Replacement = appendOrigin(rr.Replacement, o)
+	}
+	return rr, nil, ""
+}
+
+func setTALINK(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(TALINK)
+	rr.Hdr = h
+
+	l := <-c
+	rr.PreviousName = l.token
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	if l.token == "@" {
+		rr.PreviousName = o
+	} else {
+		_, ok := IsDomainName(l.token)
+		if !ok || l.length == 0 || l.err {
+			return nil, &ParseError{f, "bad TALINK PreviousName", l}, ""
+		}
+		if rr.PreviousName[l.length-1] != '.' {
+			rr.PreviousName = appendOrigin(rr.PreviousName, o)
+		}
+	}
+	<-c // zBlank
+	l = <-c
+	rr.NextName = l.token
+	if l.token == "@" {
+		rr.NextName = o
+		return rr, nil, ""
+	}
+	_, ok := IsDomainName(l.token)
+	if !ok || l.length == 0 || l.err {
+		return nil, &ParseError{f, "bad TALINK NextName", l}, ""
+	}
+	if rr.NextName[l.length-1] != '.' {
+		rr.NextName = appendOrigin(rr.NextName, o)
+	}
+	return rr, nil, ""
+}
+
+func setLOC(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(LOC)
+	rr.Hdr = h
+	// Non zero defaults for LOC record, see RFC 1876, Section 3.
+	rr.HorizPre = 165 // 10000
+	rr.VertPre = 162  // 10
+	rr.Size = 18      // 1
+	ok := false
+	// North
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	i, e := strconv.ParseUint(l.token, 10, 32)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad LOC Latitude", l}, ""
+	}
+	rr.Latitude = 1000 * 60 * 60 * uint32(i)
+
+	<-c // zBlank
+	// Either number, 'N' or 'S'
+	l = <-c
+	if rr.Latitude, ok = locCheckNorth(l.token, rr.Latitude); ok {
+		goto East
+	}
+	i, e = strconv.ParseUint(l.token, 10, 32)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad LOC Latitude minutes", l}, ""
+	}
+	rr.Latitude += 1000 * 60 * uint32(i)
+
+	<-c // zBlank
+	l = <-c
+	if i, e := strconv.ParseFloat(l.token, 32); e != nil || l.err {
+		return nil, &ParseError{f, "bad LOC Latitude seconds", l}, ""
+	} else {
+		rr.Latitude += uint32(1000 * i)
+	}
+	<-c // zBlank
+	// Either number, 'N' or 'S'
+	l = <-c
+	if rr.Latitude, ok = locCheckNorth(l.token, rr.Latitude); ok {
+		goto East
+	}
+	// If still alive, flag an error
+	return nil, &ParseError{f, "bad LOC Latitude North/South", l}, ""
+
+East:
+	// East
+	<-c // zBlank
+	l = <-c
+	if i, e := strconv.ParseUint(l.token, 10, 32); e != nil || l.err {
+		return nil, &ParseError{f, "bad LOC Longitude", l}, ""
+	} else {
+		rr.Longitude = 1000 * 60 * 60 * uint32(i)
+	}
+	<-c // zBlank
+	// Either number, 'E' or 'W'
+	l = <-c
+	if rr.Longitude, ok = locCheckEast(l.token, rr.Longitude); ok {
+		goto Altitude
+	}
+	if i, e := strconv.ParseUint(l.token, 10, 32); e != nil || l.err {
+		return nil, &ParseError{f, "bad LOC Longitude minutes", l}, ""
+	} else {
+		rr.Longitude += 1000 * 60 * uint32(i)
+	}
+	<-c // zBlank
+	l = <-c
+	if i, e := strconv.ParseFloat(l.token, 32); e != nil || l.err {
+		return nil, &ParseError{f, "bad LOC Longitude seconds", l}, ""
+	} else {
+		rr.Longitude += uint32(1000 * i)
+	}
+	<-c // zBlank
+	// Either number, 'E' or 'W'
+	l = <-c
+	if rr.Longitude, ok = locCheckEast(l.token, rr.Longitude); ok {
+		goto Altitude
+	}
+	// If still alive, flag an error
+	return nil, &ParseError{f, "bad LOC Longitude East/West", l}, ""
+
+Altitude:
+	<-c // zBlank
+	l = <-c
+	if l.length == 0 || l.err {
+		return nil, &ParseError{f, "bad LOC Altitude", l}, ""
+	}
+	if l.token[len(l.token)-1] == 'M' || l.token[len(l.token)-1] == 'm' {
+		l.token = l.token[0 : len(l.token)-1]
+	}
+	if i, e := strconv.ParseFloat(l.token, 32); e != nil {
+		return nil, &ParseError{f, "bad LOC Altitude", l}, ""
+	} else {
+		rr.Altitude = uint32(i*100.0 + 10000000.0 + 0.5)
+	}
+
+	// And now optionally the other values
+	l = <-c
+	count := 0
+	for l.value != zNewline && l.value != zEOF {
+		switch l.value {
+		case zString:
+			switch count {
+			case 0: // Size
+				e, m, ok := stringToCm(l.token)
+				if !ok {
+					return nil, &ParseError{f, "bad LOC Size", l}, ""
+				}
+				rr.Size = (e & 0x0f) | (m << 4 & 0xf0)
+			case 1: // HorizPre
+				e, m, ok := stringToCm(l.token)
+				if !ok {
+					return nil, &ParseError{f, "bad LOC HorizPre", l}, ""
+				}
+				rr.HorizPre = (e & 0x0f) | (m << 4 & 0xf0)
+			case 2: // VertPre
+				e, m, ok := stringToCm(l.token)
+				if !ok {
+					return nil, &ParseError{f, "bad LOC VertPre", l}, ""
+				}
+				rr.VertPre = (e & 0x0f) | (m << 4 & 0xf0)
+			}
+			count++
+		case zBlank:
+			// Ok
+		default:
+			return nil, &ParseError{f, "bad LOC Size, HorizPre or VertPre", l}, ""
+		}
+		l = <-c
+	}
+	return rr, nil, ""
+}
+
+func setHIP(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(HIP)
+	rr.Hdr = h
+
+	// HitLength is not represented
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, l.comment
+	}
+	i, e := strconv.ParseUint(l.token, 10, 8)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad HIP PublicKeyAlgorithm", l}, ""
+	}
+	rr.PublicKeyAlgorithm = uint8(i)
+	<-c     // zBlank
+	l = <-c // zString
+	if l.length == 0 || l.err {
+		return nil, &ParseError{f, "bad HIP Hit", l}, ""
+	}
+	rr.Hit = l.token // This can not contain spaces, see RFC 5205 Section 6.
+	rr.HitLength = uint8(len(rr.Hit)) / 2
+
+	<-c     // zBlank
+	l = <-c // zString
+	if l.length == 0 || l.err {
+		return nil, &ParseError{f, "bad HIP PublicKey", l}, ""
+	}
+	rr.PublicKey = l.token // This cannot contain spaces
+	rr.PublicKeyLength = uint16(base64.StdEncoding.DecodedLen(len(rr.PublicKey)))
+
+	// RendezvousServers (if any)
+	l = <-c
+	var xs []string
+	for l.value != zNewline && l.value != zEOF {
+		switch l.value {
+		case zString:
+			if l.token == "@" {
+				xs = append(xs, o)
+				l = <-c
+				continue
+			}
+			_, ok := IsDomainName(l.token)
+			if !ok || l.length == 0 || l.err {
+				return nil, &ParseError{f, "bad HIP RendezvousServers", l}, ""
+			}
+			if l.token[l.length-1] != '.' {
+				l.token = appendOrigin(l.token, o)
+			}
+			xs = append(xs, l.token)
+		case zBlank:
+			// Ok
+		default:
+			return nil, &ParseError{f, "bad HIP RendezvousServers", l}, ""
+		}
+		l = <-c
+	}
+	rr.RendezvousServers = xs
+	return rr, nil, l.comment
+}
+
+func setCERT(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(CERT)
+	rr.Hdr = h
+
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, l.comment
+	}
+	if v, ok := StringToCertType[l.token]; ok {
+		rr.Type = v
+	} else if i, e := strconv.ParseUint(l.token, 10, 16); e != nil {
+		return nil, &ParseError{f, "bad CERT Type", l}, ""
+	} else {
+		rr.Type = uint16(i)
+	}
+	<-c     // zBlank
+	l = <-c // zString
+	i, e := strconv.ParseUint(l.token, 10, 16)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad CERT KeyTag", l}, ""
+	}
+	rr.KeyTag = uint16(i)
+	<-c     // zBlank
+	l = <-c // zString
+	if v, ok := StringToAlgorithm[l.token]; ok {
+		rr.Algorithm = v
+	} else if i, e := strconv.ParseUint(l.token, 10, 8); e != nil {
+		return nil, &ParseError{f, "bad CERT Algorithm", l}, ""
+	} else {
+		rr.Algorithm = uint8(i)
+	}
+	s, e1, c1 := endingToString(c, "bad CERT Certificate", f)
+	if e1 != nil {
+		return nil, e1, c1
+	}
+	rr.Certificate = s
+	return rr, nil, c1
+}
+
+func setOPENPGPKEY(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(OPENPGPKEY)
+	rr.Hdr = h
+
+	s, e, c1 := endingToString(c, "bad OPENPGPKEY PublicKey", f)
+	if e != nil {
+		return nil, e, c1
+	}
+	rr.PublicKey = s
+	return rr, nil, c1
+}
+
+func setSIG(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	r, e, s := setRRSIG(h, c, o, f)
+	if r != nil {
+		return &SIG{*r.(*RRSIG)}, e, s
+	}
+	return nil, e, s
+}
+
+func setRRSIG(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(RRSIG)
+	rr.Hdr = h
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, l.comment
+	}
+	if t, ok := StringToType[l.tokenUpper]; !ok {
+		if strings.HasPrefix(l.tokenUpper, "TYPE") {
+			t, ok = typeToInt(l.tokenUpper)
+			if !ok {
+				return nil, &ParseError{f, "bad RRSIG Typecovered", l}, ""
+			}
+			rr.TypeCovered = t
+		} else {
+			return nil, &ParseError{f, "bad RRSIG Typecovered", l}, ""
+		}
+	} else {
+		rr.TypeCovered = t
+	}
+	<-c // zBlank
+	l = <-c
+	i, err := strconv.ParseUint(l.token, 10, 8)
+	if err != nil || l.err {
+		return nil, &ParseError{f, "bad RRSIG Algorithm", l}, ""
+	}
+	rr.Algorithm = uint8(i)
+	<-c // zBlank
+	l = <-c
+	i, err = strconv.ParseUint(l.token, 10, 8)
+	if err != nil || l.err {
+		return nil, &ParseError{f, "bad RRSIG Labels", l}, ""
+	}
+	rr.Labels = uint8(i)
+	<-c // zBlank
+	l = <-c
+	i, err = strconv.ParseUint(l.token, 10, 32)
+	if err != nil || l.err {
+		return nil, &ParseError{f, "bad RRSIG OrigTtl", l}, ""
+	}
+	rr.OrigTtl = uint32(i)
+	<-c // zBlank
+	l = <-c
+	if i, err := StringToTime(l.token); err != nil {
+		// Try to see if all numeric and use it as epoch
+		if i, err := strconv.ParseInt(l.token, 10, 64); err == nil {
+			// TODO(miek): error out on > MAX_UINT32, same below
+			rr.Expiration = uint32(i)
+		} else {
+			return nil, &ParseError{f, "bad RRSIG Expiration", l}, ""
+		}
+	} else {
+		rr.Expiration = i
+	}
+	<-c // zBlank
+	l = <-c
+	if i, err := StringToTime(l.token); err != nil {
+		if i, err := strconv.ParseInt(l.token, 10, 64); err == nil {
+			rr.Inception = uint32(i)
+		} else {
+			return nil, &ParseError{f, "bad RRSIG Inception", l}, ""
+		}
+	} else {
+		rr.Inception = i
+	}
+	<-c // zBlank
+	l = <-c
+	i, err = strconv.ParseUint(l.token, 10, 16)
+	if err != nil || l.err {
+		return nil, &ParseError{f, "bad RRSIG KeyTag", l}, ""
+	}
+	rr.KeyTag = uint16(i)
+	<-c // zBlank
+	l = <-c
+	rr.SignerName = l.token
+	if l.token == "@" {
+		rr.SignerName = o
+	} else {
+		_, ok := IsDomainName(l.token)
+		if !ok || l.length == 0 || l.err {
+			return nil, &ParseError{f, "bad RRSIG SignerName", l}, ""
+		}
+		if rr.SignerName[l.length-1] != '.' {
+			rr.SignerName = appendOrigin(rr.SignerName, o)
+		}
+	}
+	s, e, c1 := endingToString(c, "bad RRSIG Signature", f)
+	if e != nil {
+		return nil, e, c1
+	}
+	rr.Signature = s
+	return rr, nil, c1
+}
+
+func setNSEC(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(NSEC)
+	rr.Hdr = h
+
+	l := <-c
+	rr.NextDomain = l.token
+	if l.length == 0 {
+		return rr, nil, l.comment
+	}
+	if l.token == "@" {
+		rr.NextDomain = o
+	} else {
+		_, ok := IsDomainName(l.token)
+		if !ok || l.length == 0 || l.err {
+			return nil, &ParseError{f, "bad NSEC NextDomain", l}, ""
+		}
+		if rr.NextDomain[l.length-1] != '.' {
+			rr.NextDomain = appendOrigin(rr.NextDomain, o)
+		}
+	}
+
+	rr.TypeBitMap = make([]uint16, 0)
+	var (
+		k  uint16
+		ok bool
+	)
+	l = <-c
+	for l.value != zNewline && l.value != zEOF {
+		switch l.value {
+		case zBlank:
+			// Ok
+		case zString:
+			if k, ok = StringToType[l.tokenUpper]; !ok {
+				if k, ok = typeToInt(l.tokenUpper); !ok {
+					return nil, &ParseError{f, "bad NSEC TypeBitMap", l}, ""
+				}
+			}
+			rr.TypeBitMap = append(rr.TypeBitMap, k)
+		default:
+			return nil, &ParseError{f, "bad NSEC TypeBitMap", l}, ""
+		}
+		l = <-c
+	}
+	return rr, nil, l.comment
+}
+
+func setNSEC3(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(NSEC3)
+	rr.Hdr = h
+
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, l.comment
+	}
+	i, e := strconv.ParseUint(l.token, 10, 8)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad NSEC3 Hash", l}, ""
+	}
+	rr.Hash = uint8(i)
+	<-c // zBlank
+	l = <-c
+	i, e = strconv.ParseUint(l.token, 10, 8)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad NSEC3 Flags", l}, ""
+	}
+	rr.Flags = uint8(i)
+	<-c // zBlank
+	l = <-c
+	i, e = strconv.ParseUint(l.token, 10, 16)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad NSEC3 Iterations", l}, ""
+	}
+	rr.Iterations = uint16(i)
+	<-c
+	l = <-c
+	if len(l.token) == 0 || l.err {
+		return nil, &ParseError{f, "bad NSEC3 Salt", l}, ""
+	}
+	rr.SaltLength = uint8(len(l.token)) / 2
+	rr.Salt = l.token
+
+	<-c
+	l = <-c
+	if len(l.token) == 0 || l.err {
+		return nil, &ParseError{f, "bad NSEC3 NextDomain", l}, ""
+	}
+	rr.HashLength = 20 // Fix for NSEC3 (sha1 160 bits)
+	rr.NextDomain = l.token
+
+	rr.TypeBitMap = make([]uint16, 0)
+	var (
+		k  uint16
+		ok bool
+	)
+	l = <-c
+	for l.value != zNewline && l.value != zEOF {
+		switch l.value {
+		case zBlank:
+			// Ok
+		case zString:
+			if k, ok = StringToType[l.tokenUpper]; !ok {
+				if k, ok = typeToInt(l.tokenUpper); !ok {
+					return nil, &ParseError{f, "bad NSEC3 TypeBitMap", l}, ""
+				}
+			}
+			rr.TypeBitMap = append(rr.TypeBitMap, k)
+		default:
+			return nil, &ParseError{f, "bad NSEC3 TypeBitMap", l}, ""
+		}
+		l = <-c
+	}
+	return rr, nil, l.comment
+}
+
+func setNSEC3PARAM(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(NSEC3PARAM)
+	rr.Hdr = h
+
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	i, e := strconv.ParseUint(l.token, 10, 8)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad NSEC3PARAM Hash", l}, ""
+	}
+	rr.Hash = uint8(i)
+	<-c // zBlank
+	l = <-c
+	i, e = strconv.ParseUint(l.token, 10, 8)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad NSEC3PARAM Flags", l}, ""
+	}
+	rr.Flags = uint8(i)
+	<-c // zBlank
+	l = <-c
+	i, e = strconv.ParseUint(l.token, 10, 16)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad NSEC3PARAM Iterations", l}, ""
+	}
+	rr.Iterations = uint16(i)
+	<-c
+	l = <-c
+	rr.SaltLength = uint8(len(l.token))
+	rr.Salt = l.token
+	return rr, nil, ""
+}
+
+func setEUI48(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(EUI48)
+	rr.Hdr = h
+
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	if l.length != 17 || l.err {
+		return nil, &ParseError{f, "bad EUI48 Address", l}, ""
+	}
+	addr := make([]byte, 12)
+	dash := 0
+	for i := 0; i < 10; i += 2 {
+		addr[i] = l.token[i+dash]
+		addr[i+1] = l.token[i+1+dash]
+		dash++
+		if l.token[i+1+dash] != '-' {
+			return nil, &ParseError{f, "bad EUI48 Address", l}, ""
+		}
+	}
+	addr[10] = l.token[15]
+	addr[11] = l.token[16]
+
+	i, e := strconv.ParseUint(string(addr), 16, 48)
+	if e != nil {
+		return nil, &ParseError{f, "bad EUI48 Address", l}, ""
+	}
+	rr.Address = i
+	return rr, nil, ""
+}
+
+func setEUI64(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(EUI64)
+	rr.Hdr = h
+
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	if l.length != 23 || l.err {
+		return nil, &ParseError{f, "bad EUI64 Address", l}, ""
+	}
+	addr := make([]byte, 16)
+	dash := 0
+	for i := 0; i < 14; i += 2 {
+		addr[i] = l.token[i+dash]
+		addr[i+1] = l.token[i+1+dash]
+		dash++
+		if l.token[i+1+dash] != '-' {
+			return nil, &ParseError{f, "bad EUI64 Address", l}, ""
+		}
+	}
+	addr[14] = l.token[21]
+	addr[15] = l.token[22]
+
+	i, e := strconv.ParseUint(string(addr), 16, 64)
+	if e != nil {
+		return nil, &ParseError{f, "bad EUI68 Address", l}, ""
+	}
+	rr.Address = uint64(i)
+	return rr, nil, ""
+}
+
+func setSSHFP(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(SSHFP)
+	rr.Hdr = h
+
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	i, e := strconv.ParseUint(l.token, 10, 8)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad SSHFP Algorithm", l}, ""
+	}
+	rr.Algorithm = uint8(i)
+	<-c // zBlank
+	l = <-c
+	i, e = strconv.ParseUint(l.token, 10, 8)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad SSHFP Type", l}, ""
+	}
+	rr.Type = uint8(i)
+	<-c // zBlank
+	s, e1, c1 := endingToString(c, "bad SSHFP Fingerprint", f)
+	if e1 != nil {
+		return nil, e1, c1
+	}
+	rr.FingerPrint = s
+	return rr, nil, ""
+}
+
+func setDNSKEYs(h RR_Header, c chan lex, o, f, typ string) (RR, *ParseError, string) {
+	rr := new(DNSKEY)
+	rr.Hdr = h
+
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, l.comment
+	}
+	i, e := strconv.ParseUint(l.token, 10, 16)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad " + typ + " Flags", l}, ""
+	}
+	rr.Flags = uint16(i)
+	<-c     // zBlank
+	l = <-c // zString
+	i, e = strconv.ParseUint(l.token, 10, 8)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad " + typ + " Protocol", l}, ""
+	}
+	rr.Protocol = uint8(i)
+	<-c     // zBlank
+	l = <-c // zString
+	i, e = strconv.ParseUint(l.token, 10, 8)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad " + typ + " Algorithm", l}, ""
+	}
+	rr.Algorithm = uint8(i)
+	s, e1, c1 := endingToString(c, "bad "+typ+" PublicKey", f)
+	if e1 != nil {
+		return nil, e1, c1
+	}
+	rr.PublicKey = s
+	return rr, nil, c1
+}
+
+func setKEY(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	r, e, s := setDNSKEYs(h, c, o, f, "KEY")
+	if r != nil {
+		return &KEY{*r.(*DNSKEY)}, e, s
+	}
+	return nil, e, s
+}
+
+func setDNSKEY(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	r, e, s := setDNSKEYs(h, c, o, f, "DNSKEY")
+	return r, e, s
+}
+
+func setCDNSKEY(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	r, e, s := setDNSKEYs(h, c, o, f, "CDNSKEY")
+	if r != nil {
+		return &CDNSKEY{*r.(*DNSKEY)}, e, s
+	}
+	return nil, e, s
+}
+
+func setRKEY(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(RKEY)
+	rr.Hdr = h
+
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, l.comment
+	}
+	i, e := strconv.ParseUint(l.token, 10, 16)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad RKEY Flags", l}, ""
+	}
+	rr.Flags = uint16(i)
+	<-c     // zBlank
+	l = <-c // zString
+	i, e = strconv.ParseUint(l.token, 10, 8)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad RKEY Protocol", l}, ""
+	}
+	rr.Protocol = uint8(i)
+	<-c     // zBlank
+	l = <-c // zString
+	i, e = strconv.ParseUint(l.token, 10, 8)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad RKEY Algorithm", l}, ""
+	}
+	rr.Algorithm = uint8(i)
+	s, e1, c1 := endingToString(c, "bad RKEY PublicKey", f)
+	if e1 != nil {
+		return nil, e1, c1
+	}
+	rr.PublicKey = s
+	return rr, nil, c1
+}
+
+func setEID(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(EID)
+	rr.Hdr = h
+	s, e, c1 := endingToString(c, "bad EID Endpoint", f)
+	if e != nil {
+		return nil, e, c1
+	}
+	rr.Endpoint = s
+	return rr, nil, c1
+}
+
+func setNIMLOC(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(NIMLOC)
+	rr.Hdr = h
+	s, e, c1 := endingToString(c, "bad NIMLOC Locator", f)
+	if e != nil {
+		return nil, e, c1
+	}
+	rr.Locator = s
+	return rr, nil, c1
+}
+
+func setGPOS(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(GPOS)
+	rr.Hdr = h
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	_, e := strconv.ParseFloat(l.token, 64)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad GPOS Longitude", l}, ""
+	}
+	rr.Longitude = l.token
+	<-c // zBlank
+	l = <-c
+	_, e = strconv.ParseFloat(l.token, 64)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad GPOS Latitude", l}, ""
+	}
+	rr.Latitude = l.token
+	<-c // zBlank
+	l = <-c
+	_, e = strconv.ParseFloat(l.token, 64)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad GPOS Altitude", l}, ""
+	}
+	rr.Altitude = l.token
+	return rr, nil, ""
+}
+
+func setDSs(h RR_Header, c chan lex, o, f, typ string) (RR, *ParseError, string) {
+	rr := new(DS)
+	rr.Hdr = h
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, l.comment
+	}
+	i, e := strconv.ParseUint(l.token, 10, 16)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad " + typ + " KeyTag", l}, ""
+	}
+	rr.KeyTag = uint16(i)
+	<-c // zBlank
+	l = <-c
+	if i, e = strconv.ParseUint(l.token, 10, 8); e != nil {
+		i, ok := StringToAlgorithm[l.tokenUpper]
+		if !ok || l.err {
+			return nil, &ParseError{f, "bad " + typ + " Algorithm", l}, ""
+		}
+		rr.Algorithm = i
+	} else {
+		rr.Algorithm = uint8(i)
+	}
+	<-c // zBlank
+	l = <-c
+	i, e = strconv.ParseUint(l.token, 10, 8)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad " + typ + " DigestType", l}, ""
+	}
+	rr.DigestType = uint8(i)
+	s, e1, c1 := endingToString(c, "bad "+typ+" Digest", f)
+	if e1 != nil {
+		return nil, e1, c1
+	}
+	rr.Digest = s
+	return rr, nil, c1
+}
+
+func setDS(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	r, e, s := setDSs(h, c, o, f, "DS")
+	return r, e, s
+}
+
+func setDLV(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	r, e, s := setDSs(h, c, o, f, "DLV")
+	if r != nil {
+		return &DLV{*r.(*DS)}, e, s
+	}
+	return nil, e, s
+}
+
+func setCDS(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	r, e, s := setDSs(h, c, o, f, "CDS")
+	if r != nil {
+		return &CDS{*r.(*DS)}, e, s
+	}
+	return nil, e, s
+}
+
+func setTA(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(TA)
+	rr.Hdr = h
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, l.comment
+	}
+	i, e := strconv.ParseUint(l.token, 10, 16)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad TA KeyTag", l}, ""
+	}
+	rr.KeyTag = uint16(i)
+	<-c // zBlank
+	l = <-c
+	if i, e := strconv.ParseUint(l.token, 10, 8); e != nil {
+		i, ok := StringToAlgorithm[l.tokenUpper]
+		if !ok || l.err {
+			return nil, &ParseError{f, "bad TA Algorithm", l}, ""
+		}
+		rr.Algorithm = i
+	} else {
+		rr.Algorithm = uint8(i)
+	}
+	<-c // zBlank
+	l = <-c
+	i, e = strconv.ParseUint(l.token, 10, 8)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad TA DigestType", l}, ""
+	}
+	rr.DigestType = uint8(i)
+	s, e, c1 := endingToString(c, "bad TA Digest", f)
+	if e != nil {
+		return nil, e.(*ParseError), c1
+	}
+	rr.Digest = s
+	return rr, nil, c1
+}
+
+func setTLSA(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(TLSA)
+	rr.Hdr = h
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, l.comment
+	}
+	i, e := strconv.ParseUint(l.token, 10, 8)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad TLSA Usage", l}, ""
+	}
+	rr.Usage = uint8(i)
+	<-c // zBlank
+	l = <-c
+	i, e = strconv.ParseUint(l.token, 10, 8)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad TLSA Selector", l}, ""
+	}
+	rr.Selector = uint8(i)
+	<-c // zBlank
+	l = <-c
+	i, e = strconv.ParseUint(l.token, 10, 8)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad TLSA MatchingType", l}, ""
+	}
+	rr.MatchingType = uint8(i)
+	// So this needs be e2 (i.e. different than e), because...??t
+	s, e2, c1 := endingToString(c, "bad TLSA Certificate", f)
+	if e2 != nil {
+		return nil, e2, c1
+	}
+	rr.Certificate = s
+	return rr, nil, c1
+}
+
+func setSMIMEA(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(SMIMEA)
+	rr.Hdr = h
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, l.comment
+	}
+	i, e := strconv.ParseUint(l.token, 10, 8)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad SMIMEA Usage", l}, ""
+	}
+	rr.Usage = uint8(i)
+	<-c // zBlank
+	l = <-c
+	i, e = strconv.ParseUint(l.token, 10, 8)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad SMIMEA Selector", l}, ""
+	}
+	rr.Selector = uint8(i)
+	<-c // zBlank
+	l = <-c
+	i, e = strconv.ParseUint(l.token, 10, 8)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad SMIMEA MatchingType", l}, ""
+	}
+	rr.MatchingType = uint8(i)
+	// So this needs be e2 (i.e. different than e), because...??t
+	s, e2, c1 := endingToString(c, "bad SMIMEA Certificate", f)
+	if e2 != nil {
+		return nil, e2, c1
+	}
+	rr.Certificate = s
+	return rr, nil, c1
+}
+
+func setRFC3597(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(RFC3597)
+	rr.Hdr = h
+	l := <-c
+	if l.token != "\\#" {
+		return nil, &ParseError{f, "bad RFC3597 Rdata", l}, ""
+	}
+	<-c // zBlank
+	l = <-c
+	rdlength, e := strconv.Atoi(l.token)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad RFC3597 Rdata ", l}, ""
+	}
+
+	s, e1, c1 := endingToString(c, "bad RFC3597 Rdata", f)
+	if e1 != nil {
+		return nil, e1, c1
+	}
+	if rdlength*2 != len(s) {
+		return nil, &ParseError{f, "bad RFC3597 Rdata", l}, ""
+	}
+	rr.Rdata = s
+	return rr, nil, c1
+}
+
+func setSPF(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(SPF)
+	rr.Hdr = h
+
+	s, e, c1 := endingToTxtSlice(c, "bad SPF Txt", f)
+	if e != nil {
+		return nil, e, ""
+	}
+	rr.Txt = s
+	return rr, nil, c1
+}
+
+func setAVC(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(AVC)
+	rr.Hdr = h
+
+	s, e, c1 := endingToTxtSlice(c, "bad AVC Txt", f)
+	if e != nil {
+		return nil, e, ""
+	}
+	rr.Txt = s
+	return rr, nil, c1
+}
+
+func setTXT(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(TXT)
+	rr.Hdr = h
+
+	// no zBlank reading here, because all this rdata is TXT
+	s, e, c1 := endingToTxtSlice(c, "bad TXT Txt", f)
+	if e != nil {
+		return nil, e, ""
+	}
+	rr.Txt = s
+	return rr, nil, c1
+}
+
+// identical to setTXT
+func setNINFO(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(NINFO)
+	rr.Hdr = h
+
+	s, e, c1 := endingToTxtSlice(c, "bad NINFO ZSData", f)
+	if e != nil {
+		return nil, e, ""
+	}
+	rr.ZSData = s
+	return rr, nil, c1
+}
+
+func setURI(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(URI)
+	rr.Hdr = h
+
+	l := <-c
+	if l.length == 0 { // Dynamic updates.
+		return rr, nil, ""
+	}
+
+	i, e := strconv.ParseUint(l.token, 10, 16)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad URI Priority", l}, ""
+	}
+	rr.Priority = uint16(i)
+	<-c // zBlank
+	l = <-c
+	i, e = strconv.ParseUint(l.token, 10, 16)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad URI Weight", l}, ""
+	}
+	rr.Weight = uint16(i)
+
+	<-c // zBlank
+	s, err, c1 := endingToTxtSlice(c, "bad URI Target", f)
+	if err != nil {
+		return nil, err, ""
+	}
+	if len(s) > 1 {
+		return nil, &ParseError{f, "bad URI Target", l}, ""
+	}
+	rr.Target = s[0]
+	return rr, nil, c1
+}
+
+func setDHCID(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	// awesome record to parse!
+	rr := new(DHCID)
+	rr.Hdr = h
+
+	s, e, c1 := endingToString(c, "bad DHCID Digest", f)
+	if e != nil {
+		return nil, e, c1
+	}
+	rr.Digest = s
+	return rr, nil, c1
+}
+
+func setNID(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(NID)
+	rr.Hdr = h
+
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	i, e := strconv.ParseUint(l.token, 10, 16)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad NID Preference", l}, ""
+	}
+	rr.Preference = uint16(i)
+	<-c     // zBlank
+	l = <-c // zString
+	u, err := stringToNodeID(l)
+	if err != nil || l.err {
+		return nil, err, ""
+	}
+	rr.NodeID = u
+	return rr, nil, ""
+}
+
+func setL32(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(L32)
+	rr.Hdr = h
+
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	i, e := strconv.ParseUint(l.token, 10, 16)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad L32 Preference", l}, ""
+	}
+	rr.Preference = uint16(i)
+	<-c     // zBlank
+	l = <-c // zString
+	rr.Locator32 = net.ParseIP(l.token)
+	if rr.Locator32 == nil || l.err {
+		return nil, &ParseError{f, "bad L32 Locator", l}, ""
+	}
+	return rr, nil, ""
+}
+
+func setLP(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(LP)
+	rr.Hdr = h
+
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	i, e := strconv.ParseUint(l.token, 10, 16)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad LP Preference", l}, ""
+	}
+	rr.Preference = uint16(i)
+	<-c     // zBlank
+	l = <-c // zString
+	rr.Fqdn = l.token
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	if l.token == "@" {
+		rr.Fqdn = o
+		return rr, nil, ""
+	}
+	_, ok := IsDomainName(l.token)
+	if !ok || l.length == 0 || l.err {
+		return nil, &ParseError{f, "bad LP Fqdn", l}, ""
+	}
+	if rr.Fqdn[l.length-1] != '.' {
+		rr.Fqdn = appendOrigin(rr.Fqdn, o)
+	}
+	return rr, nil, ""
+}
+
+func setL64(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(L64)
+	rr.Hdr = h
+
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	i, e := strconv.ParseUint(l.token, 10, 16)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad L64 Preference", l}, ""
+	}
+	rr.Preference = uint16(i)
+	<-c     // zBlank
+	l = <-c // zString
+	u, err := stringToNodeID(l)
+	if err != nil || l.err {
+		return nil, err, ""
+	}
+	rr.Locator64 = u
+	return rr, nil, ""
+}
+
+func setUID(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(UID)
+	rr.Hdr = h
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	i, e := strconv.ParseUint(l.token, 10, 32)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad UID Uid", l}, ""
+	}
+	rr.Uid = uint32(i)
+	return rr, nil, ""
+}
+
+func setGID(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(GID)
+	rr.Hdr = h
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	i, e := strconv.ParseUint(l.token, 10, 32)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad GID Gid", l}, ""
+	}
+	rr.Gid = uint32(i)
+	return rr, nil, ""
+}
+
+func setUINFO(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(UINFO)
+	rr.Hdr = h
+	s, e, c1 := endingToTxtSlice(c, "bad UINFO Uinfo", f)
+	if e != nil {
+		return nil, e, c1
+	}
+	if ln := len(s); ln == 0 {
+		return rr, nil, c1
+	}
+	rr.Uinfo = s[0] // silently discard anything after the first character-string
+	return rr, nil, c1
+}
+
+func setPX(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(PX)
+	rr.Hdr = h
+
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	i, e := strconv.ParseUint(l.token, 10, 16)
+	if e != nil || l.err {
+		return nil, &ParseError{f, "bad PX Preference", l}, ""
+	}
+	rr.Preference = uint16(i)
+	<-c     // zBlank
+	l = <-c // zString
+	rr.Map822 = l.token
+	if l.length == 0 {
+		return rr, nil, ""
+	}
+	if l.token == "@" {
+		rr.Map822 = o
+		return rr, nil, ""
+	}
+	_, ok := IsDomainName(l.token)
+	if !ok || l.length == 0 || l.err {
+		return nil, &ParseError{f, "bad PX Map822", l}, ""
+	}
+	if rr.Map822[l.length-1] != '.' {
+		rr.Map822 = appendOrigin(rr.Map822, o)
+	}
+	<-c     // zBlank
+	l = <-c // zString
+	rr.Mapx400 = l.token
+	if l.token == "@" {
+		rr.Mapx400 = o
+		return rr, nil, ""
+	}
+	_, ok = IsDomainName(l.token)
+	if !ok || l.length == 0 || l.err {
+		return nil, &ParseError{f, "bad PX Mapx400", l}, ""
+	}
+	if rr.Mapx400[l.length-1] != '.' {
+		rr.Mapx400 = appendOrigin(rr.Mapx400, o)
+	}
+	return rr, nil, ""
+}
+
+func setCAA(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
+	rr := new(CAA)
+	rr.Hdr = h
+	l := <-c
+	if l.length == 0 {
+		return rr, nil, l.comment
+	}
+	i, err := strconv.ParseUint(l.token, 10, 8)
+	if err != nil || l.err {
+		return nil, &ParseError{f, "bad CAA Flag", l}, ""
+	}
+	rr.Flag = uint8(i)
+
+	<-c     // zBlank
+	l = <-c // zString
+	if l.value != zString {
+		return nil, &ParseError{f, "bad CAA Tag", l}, ""
+	}
+	rr.Tag = l.token
+
+	<-c // zBlank
+	s, e, c1 := endingToTxtSlice(c, "bad CAA Value", f)
+	if e != nil {
+		return nil, e, ""
+	}
+	if len(s) > 1 {
+		return nil, &ParseError{f, "bad CAA Value", l}, ""
+	}
+	rr.Value = s[0]
+	return rr, nil, c1
+}
+
+var typeToparserFunc = map[uint16]parserFunc{
+	TypeAAAA:       {setAAAA, false},
+	TypeAFSDB:      {setAFSDB, false},
+	TypeA:          {setA, false},
+	TypeCAA:        {setCAA, true},
+	TypeCDS:        {setCDS, true},
+	TypeCDNSKEY:    {setCDNSKEY, true},
+	TypeCERT:       {setCERT, true},
+	TypeCNAME:      {setCNAME, false},
+	TypeDHCID:      {setDHCID, true},
+	TypeDLV:        {setDLV, true},
+	TypeDNAME:      {setDNAME, false},
+	TypeKEY:        {setKEY, true},
+	TypeDNSKEY:     {setDNSKEY, true},
+	TypeDS:         {setDS, true},
+	TypeEID:        {setEID, true},
+	TypeEUI48:      {setEUI48, false},
+	TypeEUI64:      {setEUI64, false},
+	TypeGID:        {setGID, false},
+	TypeGPOS:       {setGPOS, false},
+	TypeHINFO:      {setHINFO, true},
+	TypeHIP:        {setHIP, true},
+	TypeKX:         {setKX, false},
+	TypeL32:        {setL32, false},
+	TypeL64:        {setL64, false},
+	TypeLOC:        {setLOC, true},
+	TypeLP:         {setLP, false},
+	TypeMB:         {setMB, false},
+	TypeMD:         {setMD, false},
+	TypeMF:         {setMF, false},
+	TypeMG:         {setMG, false},
+	TypeMINFO:      {setMINFO, false},
+	TypeMR:         {setMR, false},
+	TypeMX:         {setMX, false},
+	TypeNAPTR:      {setNAPTR, false},
+	TypeNID:        {setNID, false},
+	TypeNIMLOC:     {setNIMLOC, true},
+	TypeNINFO:      {setNINFO, true},
+	TypeNSAPPTR:    {setNSAPPTR, false},
+	TypeNSEC3PARAM: {setNSEC3PARAM, false},
+	TypeNSEC3:      {setNSEC3, true},
+	TypeNSEC:       {setNSEC, true},
+	TypeNS:         {setNS, false},
+	TypeOPENPGPKEY: {setOPENPGPKEY, true},
+	TypePTR:        {setPTR, false},
+	TypePX:         {setPX, false},
+	TypeSIG:        {setSIG, true},
+	TypeRKEY:       {setRKEY, true},
+	TypeRP:         {setRP, false},
+	TypeRRSIG:      {setRRSIG, true},
+	TypeRT:         {setRT, false},
+	TypeSMIMEA:     {setSMIMEA, true},
+	TypeSOA:        {setSOA, false},
+	TypeSPF:        {setSPF, true},
+	TypeAVC:        {setAVC, true},
+	TypeSRV:        {setSRV, false},
+	TypeSSHFP:      {setSSHFP, true},
+	TypeTALINK:     {setTALINK, false},
+	TypeTA:         {setTA, true},
+	TypeTLSA:       {setTLSA, true},
+	TypeTXT:        {setTXT, true},
+	TypeUID:        {setUID, false},
+	TypeUINFO:      {setUINFO, true},
+	TypeURI:        {setURI, true},
+	TypeX25:        {setX25, false},
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/scanner.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/scanner.go
new file mode 100644
index 000000000..c29bc2f38
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/scanner.go
@@ -0,0 +1,43 @@
+package dns
+
+// Implement a simple scanner, return a byte stream from an io reader.
+
+import (
+	"bufio"
+	"io"
+	"text/scanner"
+)
+
+type scan struct {
+	src      *bufio.Reader
+	position scanner.Position
+	eof      bool // Have we just seen a eof
+}
+
+func scanInit(r io.Reader) *scan {
+	s := new(scan)
+	s.src = bufio.NewReader(r)
+	s.position.Line = 1
+	return s
+}
+
+// tokenText returns the next byte from the input
+func (s *scan) tokenText() (byte, error) {
+	c, err := s.src.ReadByte()
+	if err != nil {
+		return c, err
+	}
+	// delay the newline handling until the next token is delivered,
+	// fixes off-by-one errors when reporting a parse error.
+	if s.eof == true {
+		s.position.Line++
+		s.position.Column = 0
+		s.eof = false
+	}
+	if c == '\n' {
+		s.eof = true
+		return c, nil
+	}
+	s.position.Column++
+	return c, nil
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/server.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/server.go
new file mode 100644
index 000000000..0ca6e008c
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/server.go
@@ -0,0 +1,734 @@
+// DNS server implementation.
+
+package dns
+
+import (
+	"bytes"
+	"crypto/tls"
+	"encoding/binary"
+	"io"
+	"net"
+	"sync"
+	"time"
+)
+
+// Maximum number of TCP queries before we close the socket.
+const maxTCPQueries = 128
+
+// Handler is implemented by any value that implements ServeDNS.
+type Handler interface {
+	ServeDNS(w ResponseWriter, r *Msg)
+}
+
+// A ResponseWriter interface is used by an DNS handler to
+// construct an DNS response.
+type ResponseWriter interface {
+	// LocalAddr returns the net.Addr of the server
+	LocalAddr() net.Addr
+	// RemoteAddr returns the net.Addr of the client that sent the current request.
+	RemoteAddr() net.Addr
+	// WriteMsg writes a reply back to the client.
+	WriteMsg(*Msg) error
+	// Write writes a raw buffer back to the client.
+	Write([]byte) (int, error)
+	// Close closes the connection.
+	Close() error
+	// TsigStatus returns the status of the Tsig.
+	TsigStatus() error
+	// TsigTimersOnly sets the tsig timers only boolean.
+	TsigTimersOnly(bool)
+	// Hijack lets the caller take over the connection.
+	// After a call to Hijack(), the DNS package will not do anything with the connection.
+	Hijack()
+}
+
+type response struct {
+	hijacked       bool // connection has been hijacked by handler
+	tsigStatus     error
+	tsigTimersOnly bool
+	tsigRequestMAC string
+	tsigSecret     map[string]string // the tsig secrets
+	udp            *net.UDPConn      // i/o connection if UDP was used
+	tcp            net.Conn          // i/o connection if TCP was used
+	udpSession     *SessionUDP       // oob data to get egress interface right
+	remoteAddr     net.Addr          // address of the client
+	writer         Writer            // writer to output the raw DNS bits
+}
+
+// ServeMux is an DNS request multiplexer. It matches the
+// zone name of each incoming request against a list of
+// registered patterns add calls the handler for the pattern
+// that most closely matches the zone name. ServeMux is DNSSEC aware, meaning
+// that queries for the DS record are redirected to the parent zone (if that
+// is also registered), otherwise the child gets the query.
+// ServeMux is also safe for concurrent access from multiple goroutines.
+type ServeMux struct {
+	z map[string]Handler
+	m *sync.RWMutex
+}
+
+// NewServeMux allocates and returns a new ServeMux.
+func NewServeMux() *ServeMux { return &ServeMux{z: make(map[string]Handler), m: new(sync.RWMutex)} }
+
+// DefaultServeMux is the default ServeMux used by Serve.
+var DefaultServeMux = NewServeMux()
+
+// The HandlerFunc type is an adapter to allow the use of
+// ordinary functions as DNS handlers.  If f is a function
+// with the appropriate signature, HandlerFunc(f) is a
+// Handler object that calls f.
+type HandlerFunc func(ResponseWriter, *Msg)
+
+// ServeDNS calls f(w, r).
+func (f HandlerFunc) ServeDNS(w ResponseWriter, r *Msg) {
+	f(w, r)
+}
+
+// HandleFailed returns a HandlerFunc that returns SERVFAIL for every request it gets.
+func HandleFailed(w ResponseWriter, r *Msg) {
+	m := new(Msg)
+	m.SetRcode(r, RcodeServerFailure)
+	// does not matter if this write fails
+	w.WriteMsg(m)
+}
+
+func failedHandler() Handler { return HandlerFunc(HandleFailed) }
+
+// ListenAndServe Starts a server on address and network specified Invoke handler
+// for incoming queries.
+func ListenAndServe(addr string, network string, handler Handler) error {
+	server := &Server{Addr: addr, Net: network, Handler: handler}
+	return server.ListenAndServe()
+}
+
+// ListenAndServeTLS acts like http.ListenAndServeTLS, more information in
+// http://golang.org/pkg/net/http/#ListenAndServeTLS
+func ListenAndServeTLS(addr, certFile, keyFile string, handler Handler) error {
+	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+	if err != nil {
+		return err
+	}
+
+	config := tls.Config{
+		Certificates: []tls.Certificate{cert},
+	}
+
+	server := &Server{
+		Addr:      addr,
+		Net:       "tcp-tls",
+		TLSConfig: &config,
+		Handler:   handler,
+	}
+
+	return server.ListenAndServe()
+}
+
+// ActivateAndServe activates a server with a listener from systemd,
+// l and p should not both be non-nil.
+// If both l and p are not nil only p will be used.
+// Invoke handler for incoming queries.
+func ActivateAndServe(l net.Listener, p net.PacketConn, handler Handler) error {
+	server := &Server{Listener: l, PacketConn: p, Handler: handler}
+	return server.ActivateAndServe()
+}
+
+func (mux *ServeMux) match(q string, t uint16) Handler {
+	mux.m.RLock()
+	defer mux.m.RUnlock()
+	var handler Handler
+	b := make([]byte, len(q)) // worst case, one label of length q
+	off := 0
+	end := false
+	for {
+		l := len(q[off:])
+		for i := 0; i < l; i++ {
+			b[i] = q[off+i]
+			if b[i] >= 'A' && b[i] <= 'Z' {
+				b[i] |= ('a' - 'A')
+			}
+		}
+		if h, ok := mux.z[string(b[:l])]; ok { // causes garbage, might want to change the map key
+			if t != TypeDS {
+				return h
+			}
+			// Continue for DS to see if we have a parent too, if so delegeate to the parent
+			handler = h
+		}
+		off, end = NextLabel(q, off)
+		if end {
+			break
+		}
+	}
+	// Wildcard match, if we have found nothing try the root zone as a last resort.
+	if h, ok := mux.z["."]; ok {
+		return h
+	}
+	return handler
+}
+
+// Handle adds a handler to the ServeMux for pattern.
+func (mux *ServeMux) Handle(pattern string, handler Handler) {
+	if pattern == "" {
+		panic("dns: invalid pattern " + pattern)
+	}
+	mux.m.Lock()
+	mux.z[Fqdn(pattern)] = handler
+	mux.m.Unlock()
+}
+
+// HandleFunc adds a handler function to the ServeMux for pattern.
+func (mux *ServeMux) HandleFunc(pattern string, handler func(ResponseWriter, *Msg)) {
+	mux.Handle(pattern, HandlerFunc(handler))
+}
+
+// HandleRemove deregistrars the handler specific for pattern from the ServeMux.
+func (mux *ServeMux) HandleRemove(pattern string) {
+	if pattern == "" {
+		panic("dns: invalid pattern " + pattern)
+	}
+	mux.m.Lock()
+	delete(mux.z, Fqdn(pattern))
+	mux.m.Unlock()
+}
+
+// ServeDNS dispatches the request to the handler whose
+// pattern most closely matches the request message. If DefaultServeMux
+// is used the correct thing for DS queries is done: a possible parent
+// is sought.
+// If no handler is found a standard SERVFAIL message is returned
+// If the request message does not have exactly one question in the
+// question section a SERVFAIL is returned, unlesss Unsafe is true.
+func (mux *ServeMux) ServeDNS(w ResponseWriter, request *Msg) {
+	var h Handler
+	if len(request.Question) < 1 { // allow more than one question
+		h = failedHandler()
+	} else {
+		if h = mux.match(request.Question[0].Name, request.Question[0].Qtype); h == nil {
+			h = failedHandler()
+		}
+	}
+	h.ServeDNS(w, request)
+}
+
+// Handle registers the handler with the given pattern
+// in the DefaultServeMux. The documentation for
+// ServeMux explains how patterns are matched.
+func Handle(pattern string, handler Handler) { DefaultServeMux.Handle(pattern, handler) }
+
+// HandleRemove deregisters the handle with the given pattern
+// in the DefaultServeMux.
+func HandleRemove(pattern string) { DefaultServeMux.HandleRemove(pattern) }
+
+// HandleFunc registers the handler function with the given pattern
+// in the DefaultServeMux.
+func HandleFunc(pattern string, handler func(ResponseWriter, *Msg)) {
+	DefaultServeMux.HandleFunc(pattern, handler)
+}
+
+// Writer writes raw DNS messages; each call to Write should send an entire message.
+type Writer interface {
+	io.Writer
+}
+
+// Reader reads raw DNS messages; each call to ReadTCP or ReadUDP should return an entire message.
+type Reader interface {
+	// ReadTCP reads a raw message from a TCP connection. Implementations may alter
+	// connection properties, for example the read-deadline.
+	ReadTCP(conn net.Conn, timeout time.Duration) ([]byte, error)
+	// ReadUDP reads a raw message from a UDP connection. Implementations may alter
+	// connection properties, for example the read-deadline.
+	ReadUDP(conn *net.UDPConn, timeout time.Duration) ([]byte, *SessionUDP, error)
+}
+
+// defaultReader is an adapter for the Server struct that implements the Reader interface
+// using the readTCP and readUDP func of the embedded Server.
+type defaultReader struct {
+	*Server
+}
+
+func (dr *defaultReader) ReadTCP(conn net.Conn, timeout time.Duration) ([]byte, error) {
+	return dr.readTCP(conn, timeout)
+}
+
+func (dr *defaultReader) ReadUDP(conn *net.UDPConn, timeout time.Duration) ([]byte, *SessionUDP, error) {
+	return dr.readUDP(conn, timeout)
+}
+
+// DecorateReader is a decorator hook for extending or supplanting the functionality of a Reader.
+// Implementations should never return a nil Reader.
+type DecorateReader func(Reader) Reader
+
+// DecorateWriter is a decorator hook for extending or supplanting the functionality of a Writer.
+// Implementations should never return a nil Writer.
+type DecorateWriter func(Writer) Writer
+
+// A Server defines parameters for running an DNS server.
+type Server struct {
+	// Address to listen on, ":dns" if empty.
+	Addr string
+	// if "tcp" or "tcp-tls" (DNS over TLS) it will invoke a TCP listener, otherwise an UDP one
+	Net string
+	// TCP Listener to use, this is to aid in systemd's socket activation.
+	Listener net.Listener
+	// TLS connection configuration
+	TLSConfig *tls.Config
+	// UDP "Listener" to use, this is to aid in systemd's socket activation.
+	PacketConn net.PacketConn
+	// Handler to invoke, dns.DefaultServeMux if nil.
+	Handler Handler
+	// Default buffer size to use to read incoming UDP messages. If not set
+	// it defaults to MinMsgSize (512 B).
+	UDPSize int
+	// The net.Conn.SetReadTimeout value for new connections, defaults to 2 * time.Second.
+	ReadTimeout time.Duration
+	// The net.Conn.SetWriteTimeout value for new connections, defaults to 2 * time.Second.
+	WriteTimeout time.Duration
+	// TCP idle timeout for multiple queries, if nil, defaults to 8 * time.Second (RFC 5966).
+	IdleTimeout func() time.Duration
+	// Secret(s) for Tsig map[<zonename>]<base64 secret>.
+	TsigSecret map[string]string
+	// Unsafe instructs the server to disregard any sanity checks and directly hand the message to
+	// the handler. It will specifically not check if the query has the QR bit not set.
+	Unsafe bool
+	// If NotifyStartedFunc is set it is called once the server has started listening.
+	NotifyStartedFunc func()
+	// DecorateReader is optional, allows customization of the process that reads raw DNS messages.
+	DecorateReader DecorateReader
+	// DecorateWriter is optional, allows customization of the process that writes raw DNS messages.
+	DecorateWriter DecorateWriter
+
+	// Graceful shutdown handling
+
+	inFlight sync.WaitGroup
+
+	lock    sync.RWMutex
+	started bool
+}
+
+// ListenAndServe starts a nameserver on the configured address in *Server.
+func (srv *Server) ListenAndServe() error {
+	srv.lock.Lock()
+	defer srv.lock.Unlock()
+	if srv.started {
+		return &Error{err: "server already started"}
+	}
+	addr := srv.Addr
+	if addr == "" {
+		addr = ":domain"
+	}
+	if srv.UDPSize == 0 {
+		srv.UDPSize = MinMsgSize
+	}
+	switch srv.Net {
+	case "tcp", "tcp4", "tcp6":
+		a, err := net.ResolveTCPAddr(srv.Net, addr)
+		if err != nil {
+			return err
+		}
+		l, err := net.ListenTCP(srv.Net, a)
+		if err != nil {
+			return err
+		}
+		srv.Listener = l
+		srv.started = true
+		srv.lock.Unlock()
+		err = srv.serveTCP(l)
+		srv.lock.Lock() // to satisfy the defer at the top
+		return err
+	case "tcp-tls", "tcp4-tls", "tcp6-tls":
+		network := "tcp"
+		if srv.Net == "tcp4-tls" {
+			network = "tcp4"
+		} else if srv.Net == "tcp6-tls" {
+			network = "tcp6"
+		}
+
+		l, err := tls.Listen(network, addr, srv.TLSConfig)
+		if err != nil {
+			return err
+		}
+		srv.Listener = l
+		srv.started = true
+		srv.lock.Unlock()
+		err = srv.serveTCP(l)
+		srv.lock.Lock() // to satisfy the defer at the top
+		return err
+	case "udp", "udp4", "udp6":
+		a, err := net.ResolveUDPAddr(srv.Net, addr)
+		if err != nil {
+			return err
+		}
+		l, err := net.ListenUDP(srv.Net, a)
+		if err != nil {
+			return err
+		}
+		if e := setUDPSocketOptions(l); e != nil {
+			return e
+		}
+		srv.PacketConn = l
+		srv.started = true
+		srv.lock.Unlock()
+		err = srv.serveUDP(l)
+		srv.lock.Lock() // to satisfy the defer at the top
+		return err
+	}
+	return &Error{err: "bad network"}
+}
+
+// ActivateAndServe starts a nameserver with the PacketConn or Listener
+// configured in *Server. Its main use is to start a server from systemd.
+func (srv *Server) ActivateAndServe() error {
+	srv.lock.Lock()
+	defer srv.lock.Unlock()
+	if srv.started {
+		return &Error{err: "server already started"}
+	}
+	pConn := srv.PacketConn
+	l := srv.Listener
+	if pConn != nil {
+		if srv.UDPSize == 0 {
+			srv.UDPSize = MinMsgSize
+		}
+		// Check PacketConn interface's type is valid and value
+		// is not nil
+		if t, ok := pConn.(*net.UDPConn); ok && t != nil {
+			if e := setUDPSocketOptions(t); e != nil {
+				return e
+			}
+			srv.started = true
+			srv.lock.Unlock()
+			e := srv.serveUDP(t)
+			srv.lock.Lock() // to satisfy the defer at the top
+			return e
+		}
+	}
+	if l != nil {
+		srv.started = true
+		srv.lock.Unlock()
+		e := srv.serveTCP(l)
+		srv.lock.Lock() // to satisfy the defer at the top
+		return e
+	}
+	return &Error{err: "bad listeners"}
+}
+
+// Shutdown gracefully shuts down a server. After a call to Shutdown, ListenAndServe and
+// ActivateAndServe will return. All in progress queries are completed before the server
+// is taken down. If the Shutdown is taking longer than the reading timeout an error
+// is returned.
+func (srv *Server) Shutdown() error {
+	srv.lock.Lock()
+	if !srv.started {
+		srv.lock.Unlock()
+		return &Error{err: "server not started"}
+	}
+	srv.started = false
+	srv.lock.Unlock()
+
+	if srv.PacketConn != nil {
+		srv.PacketConn.Close()
+	}
+	if srv.Listener != nil {
+		srv.Listener.Close()
+	}
+
+	fin := make(chan bool)
+	go func() {
+		srv.inFlight.Wait()
+		fin <- true
+	}()
+
+	select {
+	case <-time.After(srv.getReadTimeout()):
+		return &Error{err: "server shutdown is pending"}
+	case <-fin:
+		return nil
+	}
+}
+
+// getReadTimeout is a helper func to use system timeout if server did not intend to change it.
+func (srv *Server) getReadTimeout() time.Duration {
+	rtimeout := dnsTimeout
+	if srv.ReadTimeout != 0 {
+		rtimeout = srv.ReadTimeout
+	}
+	return rtimeout
+}
+
+// serveTCP starts a TCP listener for the server.
+// Each request is handled in a separate goroutine.
+func (srv *Server) serveTCP(l net.Listener) error {
+	defer l.Close()
+
+	if srv.NotifyStartedFunc != nil {
+		srv.NotifyStartedFunc()
+	}
+
+	reader := Reader(&defaultReader{srv})
+	if srv.DecorateReader != nil {
+		reader = srv.DecorateReader(reader)
+	}
+
+	handler := srv.Handler
+	if handler == nil {
+		handler = DefaultServeMux
+	}
+	rtimeout := srv.getReadTimeout()
+	// deadline is not used here
+	for {
+		rw, err := l.Accept()
+		if err != nil {
+			if neterr, ok := err.(net.Error); ok && neterr.Temporary() {
+				continue
+			}
+			return err
+		}
+		m, err := reader.ReadTCP(rw, rtimeout)
+		srv.lock.RLock()
+		if !srv.started {
+			srv.lock.RUnlock()
+			return nil
+		}
+		srv.lock.RUnlock()
+		if err != nil {
+			continue
+		}
+		srv.inFlight.Add(1)
+		go srv.serve(rw.RemoteAddr(), handler, m, nil, nil, rw)
+	}
+}
+
+// serveUDP starts a UDP listener for the server.
+// Each request is handled in a separate goroutine.
+func (srv *Server) serveUDP(l *net.UDPConn) error {
+	defer l.Close()
+
+	if srv.NotifyStartedFunc != nil {
+		srv.NotifyStartedFunc()
+	}
+
+	reader := Reader(&defaultReader{srv})
+	if srv.DecorateReader != nil {
+		reader = srv.DecorateReader(reader)
+	}
+
+	handler := srv.Handler
+	if handler == nil {
+		handler = DefaultServeMux
+	}
+	rtimeout := srv.getReadTimeout()
+	// deadline is not used here
+	for {
+		m, s, err := reader.ReadUDP(l, rtimeout)
+		srv.lock.RLock()
+		if !srv.started {
+			srv.lock.RUnlock()
+			return nil
+		}
+		srv.lock.RUnlock()
+		if err != nil {
+			continue
+		}
+		srv.inFlight.Add(1)
+		go srv.serve(s.RemoteAddr(), handler, m, l, s, nil)
+	}
+}
+
+// Serve a new connection.
+func (srv *Server) serve(a net.Addr, h Handler, m []byte, u *net.UDPConn, s *SessionUDP, t net.Conn) {
+	defer srv.inFlight.Done()
+
+	w := &response{tsigSecret: srv.TsigSecret, udp: u, tcp: t, remoteAddr: a, udpSession: s}
+	if srv.DecorateWriter != nil {
+		w.writer = srv.DecorateWriter(w)
+	} else {
+		w.writer = w
+	}
+
+	q := 0 // counter for the amount of TCP queries we get
+
+	reader := Reader(&defaultReader{srv})
+	if srv.DecorateReader != nil {
+		reader = srv.DecorateReader(reader)
+	}
+Redo:
+	req := new(Msg)
+	err := req.Unpack(m)
+	if err != nil { // Send a FormatError back
+		x := new(Msg)
+		x.SetRcodeFormatError(req)
+		w.WriteMsg(x)
+		goto Exit
+	}
+	if !srv.Unsafe && req.Response {
+		goto Exit
+	}
+
+	w.tsigStatus = nil
+	if w.tsigSecret != nil {
+		if t := req.IsTsig(); t != nil {
+			secret := t.Hdr.Name
+			if _, ok := w.tsigSecret[secret]; !ok {
+				w.tsigStatus = ErrKeyAlg
+			}
+			w.tsigStatus = TsigVerify(m, w.tsigSecret[secret], "", false)
+			w.tsigTimersOnly = false
+			w.tsigRequestMAC = req.Extra[len(req.Extra)-1].(*TSIG).MAC
+		}
+	}
+	h.ServeDNS(w, req) // Writes back to the client
+
+Exit:
+	if w.tcp == nil {
+		return
+	}
+	// TODO(miek): make this number configurable?
+	if q > maxTCPQueries { // close socket after this many queries
+		w.Close()
+		return
+	}
+
+	if w.hijacked {
+		return // client calls Close()
+	}
+	if u != nil { // UDP, "close" and return
+		w.Close()
+		return
+	}
+	idleTimeout := tcpIdleTimeout
+	if srv.IdleTimeout != nil {
+		idleTimeout = srv.IdleTimeout()
+	}
+	m, err = reader.ReadTCP(w.tcp, idleTimeout)
+	if err == nil {
+		q++
+		goto Redo
+	}
+	w.Close()
+	return
+}
+
+func (srv *Server) readTCP(conn net.Conn, timeout time.Duration) ([]byte, error) {
+	conn.SetReadDeadline(time.Now().Add(timeout))
+	l := make([]byte, 2)
+	n, err := conn.Read(l)
+	if err != nil || n != 2 {
+		if err != nil {
+			return nil, err
+		}
+		return nil, ErrShortRead
+	}
+	length := binary.BigEndian.Uint16(l)
+	if length == 0 {
+		return nil, ErrShortRead
+	}
+	m := make([]byte, int(length))
+	n, err = conn.Read(m[:int(length)])
+	if err != nil || n == 0 {
+		if err != nil {
+			return nil, err
+		}
+		return nil, ErrShortRead
+	}
+	i := n
+	for i < int(length) {
+		j, err := conn.Read(m[i:int(length)])
+		if err != nil {
+			return nil, err
+		}
+		i += j
+	}
+	n = i
+	m = m[:n]
+	return m, nil
+}
+
+func (srv *Server) readUDP(conn *net.UDPConn, timeout time.Duration) ([]byte, *SessionUDP, error) {
+	conn.SetReadDeadline(time.Now().Add(timeout))
+	m := make([]byte, srv.UDPSize)
+	n, s, err := ReadFromSessionUDP(conn, m)
+	if err != nil || n == 0 {
+		if err != nil {
+			return nil, nil, err
+		}
+		return nil, nil, ErrShortRead
+	}
+	m = m[:n]
+	return m, s, nil
+}
+
+// WriteMsg implements the ResponseWriter.WriteMsg method.
+func (w *response) WriteMsg(m *Msg) (err error) {
+	var data []byte
+	if w.tsigSecret != nil { // if no secrets, dont check for the tsig (which is a longer check)
+		if t := m.IsTsig(); t != nil {
+			data, w.tsigRequestMAC, err = TsigGenerate(m, w.tsigSecret[t.Hdr.Name], w.tsigRequestMAC, w.tsigTimersOnly)
+			if err != nil {
+				return err
+			}
+			_, err = w.writer.Write(data)
+			return err
+		}
+	}
+	data, err = m.Pack()
+	if err != nil {
+		return err
+	}
+	_, err = w.writer.Write(data)
+	return err
+}
+
+// Write implements the ResponseWriter.Write method.
+func (w *response) Write(m []byte) (int, error) {
+	switch {
+	case w.udp != nil:
+		n, err := WriteToSessionUDP(w.udp, m, w.udpSession)
+		return n, err
+	case w.tcp != nil:
+		lm := len(m)
+		if lm < 2 {
+			return 0, io.ErrShortBuffer
+		}
+		if lm > MaxMsgSize {
+			return 0, &Error{err: "message too large"}
+		}
+		l := make([]byte, 2, 2+lm)
+		binary.BigEndian.PutUint16(l, uint16(lm))
+		m = append(l, m...)
+
+		n, err := io.Copy(w.tcp, bytes.NewReader(m))
+		return int(n), err
+	}
+	panic("not reached")
+}
+
+// LocalAddr implements the ResponseWriter.LocalAddr method.
+func (w *response) LocalAddr() net.Addr {
+	if w.tcp != nil {
+		return w.tcp.LocalAddr()
+	}
+	return w.udp.LocalAddr()
+}
+
+// RemoteAddr implements the ResponseWriter.RemoteAddr method.
+func (w *response) RemoteAddr() net.Addr { return w.remoteAddr }
+
+// TsigStatus implements the ResponseWriter.TsigStatus method.
+func (w *response) TsigStatus() error { return w.tsigStatus }
+
+// TsigTimersOnly implements the ResponseWriter.TsigTimersOnly method.
+func (w *response) TsigTimersOnly(b bool) { w.tsigTimersOnly = b }
+
+// Hijack implements the ResponseWriter.Hijack method.
+func (w *response) Hijack() { w.hijacked = true }
+
+// Close implements the ResponseWriter.Close method
+func (w *response) Close() error {
+	// Can't close the udp conn, as that is actually the listener.
+	if w.tcp != nil {
+		e := w.tcp.Close()
+		w.tcp = nil
+		return e
+	}
+	return nil
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/server_test.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/server_test.go
new file mode 100644
index 000000000..f17a2f90f
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/server_test.go
@@ -0,0 +1,719 @@
+package dns
+
+import (
+	"crypto/tls"
+	"fmt"
+	"io"
+	"net"
+	"runtime"
+	"sync"
+	"testing"
+	"time"
+)
+
+func HelloServer(w ResponseWriter, req *Msg) {
+	m := new(Msg)
+	m.SetReply(req)
+
+	m.Extra = make([]RR, 1)
+	m.Extra[0] = &TXT{Hdr: RR_Header{Name: m.Question[0].Name, Rrtype: TypeTXT, Class: ClassINET, Ttl: 0}, Txt: []string{"Hello world"}}
+	w.WriteMsg(m)
+}
+
+func HelloServerBadID(w ResponseWriter, req *Msg) {
+	m := new(Msg)
+	m.SetReply(req)
+	m.Id++
+
+	m.Extra = make([]RR, 1)
+	m.Extra[0] = &TXT{Hdr: RR_Header{Name: m.Question[0].Name, Rrtype: TypeTXT, Class: ClassINET, Ttl: 0}, Txt: []string{"Hello world"}}
+	w.WriteMsg(m)
+}
+
+func AnotherHelloServer(w ResponseWriter, req *Msg) {
+	m := new(Msg)
+	m.SetReply(req)
+
+	m.Extra = make([]RR, 1)
+	m.Extra[0] = &TXT{Hdr: RR_Header{Name: m.Question[0].Name, Rrtype: TypeTXT, Class: ClassINET, Ttl: 0}, Txt: []string{"Hello example"}}
+	w.WriteMsg(m)
+}
+
+func RunLocalUDPServer(laddr string) (*Server, string, error) {
+	server, l, _, err := RunLocalUDPServerWithFinChan(laddr)
+
+	return server, l, err
+}
+
+func RunLocalUDPServerWithFinChan(laddr string) (*Server, string, chan struct{}, error) {
+	pc, err := net.ListenPacket("udp", laddr)
+	if err != nil {
+		return nil, "", nil, err
+	}
+	server := &Server{PacketConn: pc, ReadTimeout: time.Hour, WriteTimeout: time.Hour}
+
+	waitLock := sync.Mutex{}
+	waitLock.Lock()
+	server.NotifyStartedFunc = waitLock.Unlock
+
+	fin := make(chan struct{}, 0)
+
+	go func() {
+		server.ActivateAndServe()
+		close(fin)
+		pc.Close()
+	}()
+
+	waitLock.Lock()
+	return server, pc.LocalAddr().String(), fin, nil
+}
+
+func RunLocalUDPServerUnsafe(laddr string) (*Server, string, error) {
+	pc, err := net.ListenPacket("udp", laddr)
+	if err != nil {
+		return nil, "", err
+	}
+	server := &Server{PacketConn: pc, Unsafe: true,
+		ReadTimeout: time.Hour, WriteTimeout: time.Hour}
+
+	waitLock := sync.Mutex{}
+	waitLock.Lock()
+	server.NotifyStartedFunc = waitLock.Unlock
+
+	go func() {
+		server.ActivateAndServe()
+		pc.Close()
+	}()
+
+	waitLock.Lock()
+	return server, pc.LocalAddr().String(), nil
+}
+
+func RunLocalTCPServer(laddr string) (*Server, string, error) {
+	l, err := net.Listen("tcp", laddr)
+	if err != nil {
+		return nil, "", err
+	}
+
+	server := &Server{Listener: l, ReadTimeout: time.Hour, WriteTimeout: time.Hour}
+
+	waitLock := sync.Mutex{}
+	waitLock.Lock()
+	server.NotifyStartedFunc = waitLock.Unlock
+
+	go func() {
+		server.ActivateAndServe()
+		l.Close()
+	}()
+
+	waitLock.Lock()
+	return server, l.Addr().String(), nil
+}
+
+func RunLocalTLSServer(laddr string, config *tls.Config) (*Server, string, error) {
+	l, err := tls.Listen("tcp", laddr, config)
+	if err != nil {
+		return nil, "", err
+	}
+
+	server := &Server{Listener: l, ReadTimeout: time.Hour, WriteTimeout: time.Hour}
+
+	waitLock := sync.Mutex{}
+	waitLock.Lock()
+	server.NotifyStartedFunc = waitLock.Unlock
+
+	go func() {
+		server.ActivateAndServe()
+		l.Close()
+	}()
+
+	waitLock.Lock()
+	return server, l.Addr().String(), nil
+}
+
+func TestServing(t *testing.T) {
+	HandleFunc("miek.nl.", HelloServer)
+	HandleFunc("example.com.", AnotherHelloServer)
+	defer HandleRemove("miek.nl.")
+	defer HandleRemove("example.com.")
+
+	s, addrstr, err := RunLocalUDPServer("127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("unable to run test server: %v", err)
+	}
+	defer s.Shutdown()
+
+	c := new(Client)
+	m := new(Msg)
+	m.SetQuestion("miek.nl.", TypeTXT)
+	r, _, err := c.Exchange(m, addrstr)
+	if err != nil || len(r.Extra) == 0 {
+		t.Fatal("failed to exchange miek.nl", err)
+	}
+	txt := r.Extra[0].(*TXT).Txt[0]
+	if txt != "Hello world" {
+		t.Error("unexpected result for miek.nl", txt, "!= Hello world")
+	}
+
+	m.SetQuestion("example.com.", TypeTXT)
+	r, _, err = c.Exchange(m, addrstr)
+	if err != nil {
+		t.Fatal("failed to exchange example.com", err)
+	}
+	txt = r.Extra[0].(*TXT).Txt[0]
+	if txt != "Hello example" {
+		t.Error("unexpected result for example.com", txt, "!= Hello example")
+	}
+
+	// Test Mixes cased as noticed by Ask.
+	m.SetQuestion("eXaMplE.cOm.", TypeTXT)
+	r, _, err = c.Exchange(m, addrstr)
+	if err != nil {
+		t.Error("failed to exchange eXaMplE.cOm", err)
+	}
+	txt = r.Extra[0].(*TXT).Txt[0]
+	if txt != "Hello example" {
+		t.Error("unexpected result for example.com", txt, "!= Hello example")
+	}
+}
+
+func TestServingTLS(t *testing.T) {
+	HandleFunc("miek.nl.", HelloServer)
+	HandleFunc("example.com.", AnotherHelloServer)
+	defer HandleRemove("miek.nl.")
+	defer HandleRemove("example.com.")
+
+	cert, err := tls.X509KeyPair(CertPEMBlock, KeyPEMBlock)
+	if err != nil {
+		t.Fatalf("unable to build certificate: %v", err)
+	}
+
+	config := tls.Config{
+		Certificates: []tls.Certificate{cert},
+	}
+
+	s, addrstr, err := RunLocalTLSServer("127.0.0.1:0", &config)
+	if err != nil {
+		t.Fatalf("unable to run test server: %v", err)
+	}
+	defer s.Shutdown()
+
+	c := new(Client)
+	c.Net = "tcp-tls"
+	c.TLSConfig = &tls.Config{
+		InsecureSkipVerify: true,
+	}
+
+	m := new(Msg)
+	m.SetQuestion("miek.nl.", TypeTXT)
+	r, _, err := c.Exchange(m, addrstr)
+	if err != nil || len(r.Extra) == 0 {
+		t.Fatal("failed to exchange miek.nl", err)
+	}
+	txt := r.Extra[0].(*TXT).Txt[0]
+	if txt != "Hello world" {
+		t.Error("unexpected result for miek.nl", txt, "!= Hello world")
+	}
+
+	m.SetQuestion("example.com.", TypeTXT)
+	r, _, err = c.Exchange(m, addrstr)
+	if err != nil {
+		t.Fatal("failed to exchange example.com", err)
+	}
+	txt = r.Extra[0].(*TXT).Txt[0]
+	if txt != "Hello example" {
+		t.Error("unexpected result for example.com", txt, "!= Hello example")
+	}
+
+	// Test Mixes cased as noticed by Ask.
+	m.SetQuestion("eXaMplE.cOm.", TypeTXT)
+	r, _, err = c.Exchange(m, addrstr)
+	if err != nil {
+		t.Error("failed to exchange eXaMplE.cOm", err)
+	}
+	txt = r.Extra[0].(*TXT).Txt[0]
+	if txt != "Hello example" {
+		t.Error("unexpected result for example.com", txt, "!= Hello example")
+	}
+}
+
+func BenchmarkServe(b *testing.B) {
+	b.StopTimer()
+	HandleFunc("miek.nl.", HelloServer)
+	defer HandleRemove("miek.nl.")
+	a := runtime.GOMAXPROCS(4)
+
+	s, addrstr, err := RunLocalUDPServer("127.0.0.1:0")
+	if err != nil {
+		b.Fatalf("unable to run test server: %v", err)
+	}
+	defer s.Shutdown()
+
+	c := new(Client)
+	m := new(Msg)
+	m.SetQuestion("miek.nl", TypeSOA)
+
+	b.StartTimer()
+	for i := 0; i < b.N; i++ {
+		c.Exchange(m, addrstr)
+	}
+	runtime.GOMAXPROCS(a)
+}
+
+func benchmarkServe6(b *testing.B) {
+	b.StopTimer()
+	HandleFunc("miek.nl.", HelloServer)
+	defer HandleRemove("miek.nl.")
+	a := runtime.GOMAXPROCS(4)
+	s, addrstr, err := RunLocalUDPServer("[::1]:0")
+	if err != nil {
+		b.Fatalf("unable to run test server: %v", err)
+	}
+	defer s.Shutdown()
+
+	c := new(Client)
+	m := new(Msg)
+	m.SetQuestion("miek.nl", TypeSOA)
+
+	b.StartTimer()
+	for i := 0; i < b.N; i++ {
+		c.Exchange(m, addrstr)
+	}
+	runtime.GOMAXPROCS(a)
+}
+
+func HelloServerCompress(w ResponseWriter, req *Msg) {
+	m := new(Msg)
+	m.SetReply(req)
+	m.Extra = make([]RR, 1)
+	m.Extra[0] = &TXT{Hdr: RR_Header{Name: m.Question[0].Name, Rrtype: TypeTXT, Class: ClassINET, Ttl: 0}, Txt: []string{"Hello world"}}
+	m.Compress = true
+	w.WriteMsg(m)
+}
+
+func BenchmarkServeCompress(b *testing.B) {
+	b.StopTimer()
+	HandleFunc("miek.nl.", HelloServerCompress)
+	defer HandleRemove("miek.nl.")
+	a := runtime.GOMAXPROCS(4)
+	s, addrstr, err := RunLocalUDPServer("127.0.0.1:0")
+	if err != nil {
+		b.Fatalf("unable to run test server: %v", err)
+	}
+	defer s.Shutdown()
+
+	c := new(Client)
+	m := new(Msg)
+	m.SetQuestion("miek.nl", TypeSOA)
+	b.StartTimer()
+	for i := 0; i < b.N; i++ {
+		c.Exchange(m, addrstr)
+	}
+	runtime.GOMAXPROCS(a)
+}
+
+func TestDotAsCatchAllWildcard(t *testing.T) {
+	mux := NewServeMux()
+	mux.Handle(".", HandlerFunc(HelloServer))
+	mux.Handle("example.com.", HandlerFunc(AnotherHelloServer))
+
+	handler := mux.match("www.miek.nl.", TypeTXT)
+	if handler == nil {
+		t.Error("wildcard match failed")
+	}
+
+	handler = mux.match("www.example.com.", TypeTXT)
+	if handler == nil {
+		t.Error("example.com match failed")
+	}
+
+	handler = mux.match("a.www.example.com.", TypeTXT)
+	if handler == nil {
+		t.Error("a.www.example.com match failed")
+	}
+
+	handler = mux.match("boe.", TypeTXT)
+	if handler == nil {
+		t.Error("boe. match failed")
+	}
+}
+
+func TestCaseFolding(t *testing.T) {
+	mux := NewServeMux()
+	mux.Handle("_udp.example.com.", HandlerFunc(HelloServer))
+
+	handler := mux.match("_dns._udp.example.com.", TypeSRV)
+	if handler == nil {
+		t.Error("case sensitive characters folded")
+	}
+
+	handler = mux.match("_DNS._UDP.EXAMPLE.COM.", TypeSRV)
+	if handler == nil {
+		t.Error("case insensitive characters not folded")
+	}
+}
+
+func TestRootServer(t *testing.T) {
+	mux := NewServeMux()
+	mux.Handle(".", HandlerFunc(HelloServer))
+
+	handler := mux.match(".", TypeNS)
+	if handler == nil {
+		t.Error("root match failed")
+	}
+}
+
+type maxRec struct {
+	max int
+	sync.RWMutex
+}
+
+var M = new(maxRec)
+
+func HelloServerLargeResponse(resp ResponseWriter, req *Msg) {
+	m := new(Msg)
+	m.SetReply(req)
+	m.Authoritative = true
+	m1 := 0
+	M.RLock()
+	m1 = M.max
+	M.RUnlock()
+	for i := 0; i < m1; i++ {
+		aRec := &A{
+			Hdr: RR_Header{
+				Name:   req.Question[0].Name,
+				Rrtype: TypeA,
+				Class:  ClassINET,
+				Ttl:    0,
+			},
+			A: net.ParseIP(fmt.Sprintf("127.0.0.%d", i+1)).To4(),
+		}
+		m.Answer = append(m.Answer, aRec)
+	}
+	resp.WriteMsg(m)
+}
+
+func TestServingLargeResponses(t *testing.T) {
+	HandleFunc("example.", HelloServerLargeResponse)
+	defer HandleRemove("example.")
+
+	s, addrstr, err := RunLocalUDPServer("127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("unable to run test server: %v", err)
+	}
+	defer s.Shutdown()
+
+	// Create request
+	m := new(Msg)
+	m.SetQuestion("web.service.example.", TypeANY)
+
+	c := new(Client)
+	c.Net = "udp"
+	M.Lock()
+	M.max = 2
+	M.Unlock()
+	_, _, err = c.Exchange(m, addrstr)
+	if err != nil {
+		t.Errorf("failed to exchange: %v", err)
+	}
+	// This must fail
+	M.Lock()
+	M.max = 20
+	M.Unlock()
+	_, _, err = c.Exchange(m, addrstr)
+	if err == nil {
+		t.Error("failed to fail exchange, this should generate packet error")
+	}
+	// But this must work again
+	c.UDPSize = 7000
+	_, _, err = c.Exchange(m, addrstr)
+	if err != nil {
+		t.Errorf("failed to exchange: %v", err)
+	}
+}
+
+func TestServingResponse(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping test in short mode.")
+	}
+	HandleFunc("miek.nl.", HelloServer)
+	s, addrstr, err := RunLocalUDPServer("127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("unable to run test server: %v", err)
+	}
+
+	c := new(Client)
+	m := new(Msg)
+	m.SetQuestion("miek.nl.", TypeTXT)
+	m.Response = false
+	_, _, err = c.Exchange(m, addrstr)
+	if err != nil {
+		t.Fatal("failed to exchange", err)
+	}
+	m.Response = true
+	_, _, err = c.Exchange(m, addrstr)
+	if err == nil {
+		t.Fatal("exchanged response message")
+	}
+
+	s.Shutdown()
+	s, addrstr, err = RunLocalUDPServerUnsafe("127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("unable to run test server: %v", err)
+	}
+	defer s.Shutdown()
+
+	m.Response = true
+	_, _, err = c.Exchange(m, addrstr)
+	if err != nil {
+		t.Fatal("could exchanged response message in Unsafe mode")
+	}
+}
+
+func TestShutdownTCP(t *testing.T) {
+	s, _, err := RunLocalTCPServer("127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("unable to run test server: %v", err)
+	}
+	err = s.Shutdown()
+	if err != nil {
+		t.Errorf("could not shutdown test TCP server, %v", err)
+	}
+}
+
+func TestShutdownTLS(t *testing.T) {
+	cert, err := tls.X509KeyPair(CertPEMBlock, KeyPEMBlock)
+	if err != nil {
+		t.Fatalf("unable to build certificate: %v", err)
+	}
+
+	config := tls.Config{
+		Certificates: []tls.Certificate{cert},
+	}
+
+	s, _, err := RunLocalTLSServer("127.0.0.1:0", &config)
+	if err != nil {
+		t.Fatalf("unable to run test server: %v", err)
+	}
+	err = s.Shutdown()
+	if err != nil {
+		t.Errorf("could not shutdown test TLS server, %v", err)
+	}
+}
+
+type trigger struct {
+	done bool
+	sync.RWMutex
+}
+
+func (t *trigger) Set() {
+	t.Lock()
+	defer t.Unlock()
+	t.done = true
+}
+func (t *trigger) Get() bool {
+	t.RLock()
+	defer t.RUnlock()
+	return t.done
+}
+
+func TestHandlerCloseTCP(t *testing.T) {
+
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		panic(err)
+	}
+	addr := ln.Addr().String()
+
+	server := &Server{Addr: addr, Net: "tcp", Listener: ln}
+
+	hname := "testhandlerclosetcp."
+	triggered := &trigger{}
+	HandleFunc(hname, func(w ResponseWriter, r *Msg) {
+		triggered.Set()
+		w.Close()
+	})
+	defer HandleRemove(hname)
+
+	go func() {
+		defer server.Shutdown()
+		c := &Client{Net: "tcp"}
+		m := new(Msg).SetQuestion(hname, 1)
+		tries := 0
+	exchange:
+		_, _, err := c.Exchange(m, addr)
+		if err != nil && err != io.EOF {
+			t.Logf("exchange failed: %s\n", err)
+			if tries == 3 {
+				return
+			}
+			time.Sleep(time.Second / 10)
+			tries++
+			goto exchange
+		}
+	}()
+	server.ActivateAndServe()
+	if !triggered.Get() {
+		t.Fatalf("handler never called")
+	}
+}
+
+func TestShutdownUDP(t *testing.T) {
+	s, _, fin, err := RunLocalUDPServerWithFinChan("127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("unable to run test server: %v", err)
+	}
+	err = s.Shutdown()
+	if err != nil {
+		t.Errorf("could not shutdown test UDP server, %v", err)
+	}
+	select {
+	case <-fin:
+	case <-time.After(2 * time.Second):
+		t.Error("Could not shutdown test UDP server. Gave up waiting")
+	}
+}
+
+type ExampleFrameLengthWriter struct {
+	Writer
+}
+
+func (e *ExampleFrameLengthWriter) Write(m []byte) (int, error) {
+	fmt.Println("writing raw DNS message of length", len(m))
+	return e.Writer.Write(m)
+}
+
+func ExampleDecorateWriter() {
+	// instrument raw DNS message writing
+	wf := DecorateWriter(func(w Writer) Writer {
+		return &ExampleFrameLengthWriter{w}
+	})
+
+	// simple UDP server
+	pc, err := net.ListenPacket("udp", "127.0.0.1:0")
+	if err != nil {
+		fmt.Println(err.Error())
+		return
+	}
+	server := &Server{
+		PacketConn:     pc,
+		DecorateWriter: wf,
+		ReadTimeout:    time.Hour, WriteTimeout: time.Hour,
+	}
+
+	waitLock := sync.Mutex{}
+	waitLock.Lock()
+	server.NotifyStartedFunc = waitLock.Unlock
+	defer server.Shutdown()
+
+	go func() {
+		server.ActivateAndServe()
+		pc.Close()
+	}()
+
+	waitLock.Lock()
+
+	HandleFunc("miek.nl.", HelloServer)
+
+	c := new(Client)
+	m := new(Msg)
+	m.SetQuestion("miek.nl.", TypeTXT)
+	_, _, err = c.Exchange(m, pc.LocalAddr().String())
+	if err != nil {
+		fmt.Println("failed to exchange", err.Error())
+		return
+	}
+	// Output: writing raw DNS message of length 56
+}
+
+var (
+	// CertPEMBlock is a X509 data used to test TLS servers (used with tls.X509KeyPair)
+	CertPEMBlock = []byte(`-----BEGIN CERTIFICATE-----
+MIIDAzCCAeugAwIBAgIRAJFYMkcn+b8dpU15wjf++GgwDQYJKoZIhvcNAQELBQAw
+EjEQMA4GA1UEChMHQWNtZSBDbzAeFw0xNjAxMDgxMjAzNTNaFw0xNzAxMDcxMjAz
+NTNaMBIxEDAOBgNVBAoTB0FjbWUgQ28wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDXjqO6skvP03k58CNjQggd9G/mt+Wa+xRU+WXiKCCHttawM8x+slq5
+yfsHCwxlwsGn79HmJqecNqgHb2GWBXAvVVokFDTcC1hUP4+gp2gu9Ny27UHTjlLm
+O0l/xZ5MN8tfKyYlFw18tXu3fkaPyHj8v/D1RDkuo4ARdFvGSe8TqisbhLk2+9ow
+xfIGbEM9Fdiw8qByC2+d+FfvzIKz3GfQVwn0VoRom8L6NBIANq1IGrB5JefZB6nv
+DnfuxkBmY7F1513HKuEJ8KsLWWZWV9OPU4j4I4Rt+WJNlKjbD2srHxyrS2RDsr91
+8nCkNoWVNO3sZq0XkWKecdc921vL4ginAgMBAAGjVDBSMA4GA1UdDwEB/wQEAwIC
+pDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MBoGA1UdEQQT
+MBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEAGcU3iyLBIVZj
+aDzSvEDHUd1bnLBl1C58Xu/CyKlPqVU7mLfK0JcgEaYQTSX6fCJVNLbbCrcGLsPJ
+fbjlBbyeLjTV413fxPVuona62pBFjqdtbli2Qe8FRH2KBdm41JUJGdo+SdsFu7nc
+BFOcubdw6LLIXvsTvwndKcHWx1rMX709QU1Vn1GAIsbJV/DWI231Jyyb+lxAUx/C
+8vce5uVxiKcGS+g6OjsN3D3TtiEQGSXLh013W6Wsih8td8yMCMZ3w8LQ38br1GUe
+ahLIgUJ9l6HDguM17R7kGqxNvbElsMUHfTtXXP7UDQUiYXDakg8xDP6n9DCDhJ8Y
+bSt7OLB7NQ==
+-----END CERTIFICATE-----`)
+
+	// KeyPEMBlock is a X509 data used to test TLS servers (used with tls.X509KeyPair)
+	KeyPEMBlock = []byte(`-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA146jurJLz9N5OfAjY0IIHfRv5rflmvsUVPll4iggh7bWsDPM
+frJaucn7BwsMZcLBp+/R5iannDaoB29hlgVwL1VaJBQ03AtYVD+PoKdoLvTctu1B
+045S5jtJf8WeTDfLXysmJRcNfLV7t35Gj8h4/L/w9UQ5LqOAEXRbxknvE6orG4S5
+NvvaMMXyBmxDPRXYsPKgcgtvnfhX78yCs9xn0FcJ9FaEaJvC+jQSADatSBqweSXn
+2Qep7w537sZAZmOxdeddxyrhCfCrC1lmVlfTj1OI+COEbfliTZSo2w9rKx8cq0tk
+Q7K/dfJwpDaFlTTt7GatF5FinnHXPdtby+IIpwIDAQABAoIBAAJK4RDmPooqTJrC
+JA41MJLo+5uvjwCT9QZmVKAQHzByUFw1YNJkITTiognUI0CdzqNzmH7jIFs39ZeG
+proKusO2G6xQjrNcZ4cV2fgyb5g4QHStl0qhs94A+WojduiGm2IaumAgm6Mc5wDv
+ld6HmknN3Mku/ZCyanVFEIjOVn2WB7ZQLTBs6ZYaebTJG2Xv6p9t2YJW7pPQ9Xce
+s9ohAWohyM4X/OvfnfnLtQp2YLw/BxwehBsCR5SXM3ibTKpFNtxJC8hIfTuWtxZu
+2ywrmXShYBRB1WgtZt5k04bY/HFncvvcHK3YfI1+w4URKtwdaQgPUQRbVwDwuyBn
+flfkCJECgYEA/eWt01iEyE/lXkGn6V9lCocUU7lCU6yk5UT8VXVUc5If4KZKPfCk
+p4zJDOqwn2eM673aWz/mG9mtvAvmnugaGjcaVCyXOp/D/GDmKSoYcvW5B/yjfkLy
+dK6Yaa5LDRVYlYgyzcdCT5/9Qc626NzFwKCZNI4ncIU8g7ViATRxWJ8CgYEA2Ver
+vZ0M606sfgC0H3NtwNBxmuJ+lIF5LNp/wDi07lDfxRR1rnZMX5dnxjcpDr/zvm8J
+WtJJX3xMgqjtHuWKL3yKKony9J5ZPjichSbSbhrzfovgYIRZLxLLDy4MP9L3+CX/
+yBXnqMWuSnFX+M5fVGxdDWiYF3V+wmeOv9JvavkCgYEAiXAPDFzaY+R78O3xiu7M
+r0o3wqqCMPE/wav6O/hrYrQy9VSO08C0IM6g9pEEUwWmzuXSkZqhYWoQFb8Lc/GI
+T7CMXAxXQLDDUpbRgG79FR3Wr3AewHZU8LyiXHKwxcBMV4WGmsXGK3wbh8fyU1NO
+6NsGk+BvkQVOoK1LBAPzZ1kCgYEAsBSmD8U33T9s4dxiEYTrqyV0lH3g/SFz8ZHH
+pAyNEPI2iC1ONhyjPWKlcWHpAokiyOqeUpVBWnmSZtzC1qAydsxYB6ShT+sl9BHb
+RMix/QAauzBJhQhUVJ3OIys0Q1UBDmqCsjCE8SfOT4NKOUnA093C+YT+iyrmmktZ
+zDCJkckCgYEAndqM5KXGk5xYo+MAA1paZcbTUXwaWwjLU+XSRSSoyBEi5xMtfvUb
+7+a1OMhLwWbuz+pl64wFKrbSUyimMOYQpjVE/1vk/kb99pxbgol27hdKyTH1d+ov
+kFsxKCqxAnBVGEWAvVZAiiTOxleQFjz5RnL0BQp9Lg2cQe+dvuUmIAA=
+-----END RSA PRIVATE KEY-----`)
+)
+
+func testShutdownBindPort(t *testing.T, protocol string, port string) {
+	handler := NewServeMux()
+	handler.HandleFunc(".", func(w ResponseWriter, r *Msg) {})
+	startedCh := make(chan struct{})
+	s := &Server{
+		Addr:    net.JoinHostPort("127.0.0.1", port),
+		Net:     protocol,
+		Handler: handler,
+		NotifyStartedFunc: func() {
+			startedCh <- struct{}{}
+		},
+	}
+	go func() {
+		if err := s.ListenAndServe(); err != nil {
+			t.Log(err)
+		}
+	}()
+	<-startedCh
+	t.Logf("DNS server is started on: %s", s.Addr)
+	if err := s.Shutdown(); err != nil {
+		t.Fatal(err)
+	}
+	time.Sleep(100 * time.Millisecond)
+	go func() {
+		if err := s.ListenAndServe(); err != nil {
+			t.Fatal(err)
+		}
+	}()
+	<-startedCh
+	t.Logf("DNS server is started on: %s", s.Addr)
+}
+
+func TestShutdownBindPortUDP(t *testing.T) {
+	testShutdownBindPort(t, "udp", "1153")
+}
+
+func TestShutdownBindPortTCP(t *testing.T) {
+	testShutdownBindPort(t, "tcp", "1154")
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/sig0.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/sig0.go
new file mode 100644
index 000000000..f31e9e684
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/sig0.go
@@ -0,0 +1,218 @@
+package dns
+
+import (
+	"crypto"
+	"crypto/dsa"
+	"crypto/ecdsa"
+	"crypto/rsa"
+	"encoding/binary"
+	"math/big"
+	"strings"
+	"time"
+)
+
+// Sign signs a dns.Msg. It fills the signature with the appropriate data.
+// The SIG record should have the SignerName, KeyTag, Algorithm, Inception
+// and Expiration set.
+func (rr *SIG) Sign(k crypto.Signer, m *Msg) ([]byte, error) {
+	if k == nil {
+		return nil, ErrPrivKey
+	}
+	if rr.KeyTag == 0 || len(rr.SignerName) == 0 || rr.Algorithm == 0 {
+		return nil, ErrKey
+	}
+	rr.Header().Rrtype = TypeSIG
+	rr.Header().Class = ClassANY
+	rr.Header().Ttl = 0
+	rr.Header().Name = "."
+	rr.OrigTtl = 0
+	rr.TypeCovered = 0
+	rr.Labels = 0
+
+	buf := make([]byte, m.Len()+rr.len())
+	mbuf, err := m.PackBuffer(buf)
+	if err != nil {
+		return nil, err
+	}
+	if &buf[0] != &mbuf[0] {
+		return nil, ErrBuf
+	}
+	off, err := PackRR(rr, buf, len(mbuf), nil, false)
+	if err != nil {
+		return nil, err
+	}
+	buf = buf[:off:cap(buf)]
+
+	hash, ok := AlgorithmToHash[rr.Algorithm]
+	if !ok {
+		return nil, ErrAlg
+	}
+
+	hasher := hash.New()
+	// Write SIG rdata
+	hasher.Write(buf[len(mbuf)+1+2+2+4+2:])
+	// Write message
+	hasher.Write(buf[:len(mbuf)])
+
+	signature, err := sign(k, hasher.Sum(nil), hash, rr.Algorithm)
+	if err != nil {
+		return nil, err
+	}
+
+	rr.Signature = toBase64(signature)
+
+	buf = append(buf, signature...)
+	if len(buf) > int(^uint16(0)) {
+		return nil, ErrBuf
+	}
+	// Adjust sig data length
+	rdoff := len(mbuf) + 1 + 2 + 2 + 4
+	rdlen := binary.BigEndian.Uint16(buf[rdoff:])
+	rdlen += uint16(len(signature))
+	binary.BigEndian.PutUint16(buf[rdoff:], rdlen)
+	// Adjust additional count
+	adc := binary.BigEndian.Uint16(buf[10:])
+	adc++
+	binary.BigEndian.PutUint16(buf[10:], adc)
+	return buf, nil
+}
+
+// Verify validates the message buf using the key k.
+// It's assumed that buf is a valid message from which rr was unpacked.
+func (rr *SIG) Verify(k *KEY, buf []byte) error {
+	if k == nil {
+		return ErrKey
+	}
+	if rr.KeyTag == 0 || len(rr.SignerName) == 0 || rr.Algorithm == 0 {
+		return ErrKey
+	}
+
+	var hash crypto.Hash
+	switch rr.Algorithm {
+	case DSA, RSASHA1:
+		hash = crypto.SHA1
+	case RSASHA256, ECDSAP256SHA256:
+		hash = crypto.SHA256
+	case ECDSAP384SHA384:
+		hash = crypto.SHA384
+	case RSASHA512:
+		hash = crypto.SHA512
+	default:
+		return ErrAlg
+	}
+	hasher := hash.New()
+
+	buflen := len(buf)
+	qdc := binary.BigEndian.Uint16(buf[4:])
+	anc := binary.BigEndian.Uint16(buf[6:])
+	auc := binary.BigEndian.Uint16(buf[8:])
+	adc := binary.BigEndian.Uint16(buf[10:])
+	offset := 12
+	var err error
+	for i := uint16(0); i < qdc && offset < buflen; i++ {
+		_, offset, err = UnpackDomainName(buf, offset)
+		if err != nil {
+			return err
+		}
+		// Skip past Type and Class
+		offset += 2 + 2
+	}
+	for i := uint16(1); i < anc+auc+adc && offset < buflen; i++ {
+		_, offset, err = UnpackDomainName(buf, offset)
+		if err != nil {
+			return err
+		}
+		// Skip past Type, Class and TTL
+		offset += 2 + 2 + 4
+		if offset+1 >= buflen {
+			continue
+		}
+		var rdlen uint16
+		rdlen = binary.BigEndian.Uint16(buf[offset:])
+		offset += 2
+		offset += int(rdlen)
+	}
+	if offset >= buflen {
+		return &Error{err: "overflowing unpacking signed message"}
+	}
+
+	// offset should be just prior to SIG
+	bodyend := offset
+	// owner name SHOULD be root
+	_, offset, err = UnpackDomainName(buf, offset)
+	if err != nil {
+		return err
+	}
+	// Skip Type, Class, TTL, RDLen
+	offset += 2 + 2 + 4 + 2
+	sigstart := offset
+	// Skip Type Covered, Algorithm, Labels, Original TTL
+	offset += 2 + 1 + 1 + 4
+	if offset+4+4 >= buflen {
+		return &Error{err: "overflow unpacking signed message"}
+	}
+	expire := binary.BigEndian.Uint32(buf[offset:])
+	offset += 4
+	incept := binary.BigEndian.Uint32(buf[offset:])
+	offset += 4
+	now := uint32(time.Now().Unix())
+	if now < incept || now > expire {
+		return ErrTime
+	}
+	// Skip key tag
+	offset += 2
+	var signername string
+	signername, offset, err = UnpackDomainName(buf, offset)
+	if err != nil {
+		return err
+	}
+	// If key has come from the DNS name compression might
+	// have mangled the case of the name
+	if strings.ToLower(signername) != strings.ToLower(k.Header().Name) {
+		return &Error{err: "signer name doesn't match key name"}
+	}
+	sigend := offset
+	hasher.Write(buf[sigstart:sigend])
+	hasher.Write(buf[:10])
+	hasher.Write([]byte{
+		byte((adc - 1) << 8),
+		byte(adc - 1),
+	})
+	hasher.Write(buf[12:bodyend])
+
+	hashed := hasher.Sum(nil)
+	sig := buf[sigend:]
+	switch k.Algorithm {
+	case DSA:
+		pk := k.publicKeyDSA()
+		sig = sig[1:]
+		r := big.NewInt(0)
+		r.SetBytes(sig[:len(sig)/2])
+		s := big.NewInt(0)
+		s.SetBytes(sig[len(sig)/2:])
+		if pk != nil {
+			if dsa.Verify(pk, hashed, r, s) {
+				return nil
+			}
+			return ErrSig
+		}
+	case RSASHA1, RSASHA256, RSASHA512:
+		pk := k.publicKeyRSA()
+		if pk != nil {
+			return rsa.VerifyPKCS1v15(pk, hash, hashed, sig)
+		}
+	case ECDSAP256SHA256, ECDSAP384SHA384:
+		pk := k.publicKeyECDSA()
+		r := big.NewInt(0)
+		r.SetBytes(sig[:len(sig)/2])
+		s := big.NewInt(0)
+		s.SetBytes(sig[len(sig)/2:])
+		if pk != nil {
+			if ecdsa.Verify(pk, hashed, r, s) {
+				return nil
+			}
+			return ErrSig
+		}
+	}
+	return ErrKeyAlg
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/sig0_test.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/sig0_test.go
new file mode 100644
index 000000000..122de6a8e
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/sig0_test.go
@@ -0,0 +1,89 @@
+package dns
+
+import (
+	"crypto"
+	"testing"
+	"time"
+)
+
+func TestSIG0(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping test in short mode.")
+	}
+	m := new(Msg)
+	m.SetQuestion("example.org.", TypeSOA)
+	for _, alg := range []uint8{ECDSAP256SHA256, ECDSAP384SHA384, RSASHA1, RSASHA256, RSASHA512} {
+		algstr := AlgorithmToString[alg]
+		keyrr := new(KEY)
+		keyrr.Hdr.Name = algstr + "."
+		keyrr.Hdr.Rrtype = TypeKEY
+		keyrr.Hdr.Class = ClassINET
+		keyrr.Algorithm = alg
+		keysize := 1024
+		switch alg {
+		case ECDSAP256SHA256:
+			keysize = 256
+		case ECDSAP384SHA384:
+			keysize = 384
+		}
+		pk, err := keyrr.Generate(keysize)
+		if err != nil {
+			t.Errorf("failed to generate key for “%s”: %v", algstr, err)
+			continue
+		}
+		now := uint32(time.Now().Unix())
+		sigrr := new(SIG)
+		sigrr.Hdr.Name = "."
+		sigrr.Hdr.Rrtype = TypeSIG
+		sigrr.Hdr.Class = ClassANY
+		sigrr.Algorithm = alg
+		sigrr.Expiration = now + 300
+		sigrr.Inception = now - 300
+		sigrr.KeyTag = keyrr.KeyTag()
+		sigrr.SignerName = keyrr.Hdr.Name
+		mb, err := sigrr.Sign(pk.(crypto.Signer), m)
+		if err != nil {
+			t.Errorf("failed to sign message using “%s”: %v", algstr, err)
+			continue
+		}
+		m := new(Msg)
+		if err := m.Unpack(mb); err != nil {
+			t.Errorf("failed to unpack message signed using “%s”: %v", algstr, err)
+			continue
+		}
+		if len(m.Extra) != 1 {
+			t.Errorf("missing SIG for message signed using “%s”", algstr)
+			continue
+		}
+		var sigrrwire *SIG
+		switch rr := m.Extra[0].(type) {
+		case *SIG:
+			sigrrwire = rr
+		default:
+			t.Errorf("expected SIG RR, instead: %v", rr)
+			continue
+		}
+		for _, rr := range []*SIG{sigrr, sigrrwire} {
+			id := "sigrr"
+			if rr == sigrrwire {
+				id = "sigrrwire"
+			}
+			if err := rr.Verify(keyrr, mb); err != nil {
+				t.Errorf("failed to verify “%s” signed SIG(%s): %v", algstr, id, err)
+				continue
+			}
+		}
+		mb[13]++
+		if err := sigrr.Verify(keyrr, mb); err == nil {
+			t.Errorf("verify succeeded on an altered message using “%s”", algstr)
+			continue
+		}
+		sigrr.Expiration = 2
+		sigrr.Inception = 1
+		mb, _ = sigrr.Sign(pk.(crypto.Signer), m)
+		if err := sigrr.Verify(keyrr, mb); err == nil {
+			t.Errorf("verify succeeded on an expired message using “%s”", algstr)
+			continue
+		}
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/singleinflight.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/singleinflight.go
new file mode 100644
index 000000000..9573c7d0b
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/singleinflight.go
@@ -0,0 +1,57 @@
+// Copyright 2013 The Go Authors.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Adapted for dns package usage by Miek Gieben.
+
+package dns
+
+import "sync"
+import "time"
+
+// call is an in-flight or completed singleflight.Do call
+type call struct {
+	wg   sync.WaitGroup
+	val  *Msg
+	rtt  time.Duration
+	err  error
+	dups int
+}
+
+// singleflight represents a class of work and forms a namespace in
+// which units of work can be executed with duplicate suppression.
+type singleflight struct {
+	sync.Mutex                  // protects m
+	m          map[string]*call // lazily initialized
+}
+
+// Do executes and returns the results of the given function, making
+// sure that only one execution is in-flight for a given key at a
+// time. If a duplicate comes in, the duplicate caller waits for the
+// original to complete and receives the same results.
+// The return value shared indicates whether v was given to multiple callers.
+func (g *singleflight) Do(key string, fn func() (*Msg, time.Duration, error)) (v *Msg, rtt time.Duration, err error, shared bool) {
+	g.Lock()
+	if g.m == nil {
+		g.m = make(map[string]*call)
+	}
+	if c, ok := g.m[key]; ok {
+		c.dups++
+		g.Unlock()
+		c.wg.Wait()
+		return c.val, c.rtt, c.err, true
+	}
+	c := new(call)
+	c.wg.Add(1)
+	g.m[key] = c
+	g.Unlock()
+
+	c.val, c.rtt, c.err = fn()
+	c.wg.Done()
+
+	g.Lock()
+	delete(g.m, key)
+	g.Unlock()
+
+	return c.val, c.rtt, c.err, c.dups > 0
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/smimea.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/smimea.go
new file mode 100644
index 000000000..4e7ded4b3
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/smimea.go
@@ -0,0 +1,47 @@
+package dns
+
+import (
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/hex"
+)
+
+// Sign creates a SMIMEA record from an SSL certificate.
+func (r *SMIMEA) Sign(usage, selector, matchingType int, cert *x509.Certificate) (err error) {
+	r.Hdr.Rrtype = TypeSMIMEA
+	r.Usage = uint8(usage)
+	r.Selector = uint8(selector)
+	r.MatchingType = uint8(matchingType)
+
+	r.Certificate, err = CertificateToDANE(r.Selector, r.MatchingType, cert)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// Verify verifies a SMIMEA record against an SSL certificate. If it is OK
+// a nil error is returned.
+func (r *SMIMEA) Verify(cert *x509.Certificate) error {
+	c, err := CertificateToDANE(r.Selector, r.MatchingType, cert)
+	if err != nil {
+		return err // Not also ErrSig?
+	}
+	if r.Certificate == c {
+		return nil
+	}
+	return ErrSig // ErrSig, really?
+}
+
+// SMIMEAName returns the ownername of a SMIMEA resource record as per the
+// format specified in RFC 'draft-ietf-dane-smime-12' Section 2 and 3
+func SMIMEAName(email, domain string) (string, error) {
+	hasher := sha256.New()
+	hasher.Write([]byte(email))
+
+	// RFC Section 3: "The local-part is hashed using the SHA2-256
+	// algorithm with the hash truncated to 28 octets and
+	// represented in its hexadecimal representation to become the
+	// left-most label in the prepared domain name"
+	return hex.EncodeToString(hasher.Sum(nil)[:28]) + "." + "_smimecert." + domain, nil
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/tlsa.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/tlsa.go
new file mode 100644
index 000000000..431e2fb5a
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/tlsa.go
@@ -0,0 +1,47 @@
+package dns
+
+import (
+	"crypto/x509"
+	"net"
+	"strconv"
+)
+
+// Sign creates a TLSA record from an SSL certificate.
+func (r *TLSA) Sign(usage, selector, matchingType int, cert *x509.Certificate) (err error) {
+	r.Hdr.Rrtype = TypeTLSA
+	r.Usage = uint8(usage)
+	r.Selector = uint8(selector)
+	r.MatchingType = uint8(matchingType)
+
+	r.Certificate, err = CertificateToDANE(r.Selector, r.MatchingType, cert)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// Verify verifies a TLSA record against an SSL certificate. If it is OK
+// a nil error is returned.
+func (r *TLSA) Verify(cert *x509.Certificate) error {
+	c, err := CertificateToDANE(r.Selector, r.MatchingType, cert)
+	if err != nil {
+		return err // Not also ErrSig?
+	}
+	if r.Certificate == c {
+		return nil
+	}
+	return ErrSig // ErrSig, really?
+}
+
+// TLSAName returns the ownername of a TLSA resource record as per the
+// rules specified in RFC 6698, Section 3.
+func TLSAName(name, service, network string) (string, error) {
+	if !IsFqdn(name) {
+		return "", ErrFqdn
+	}
+	p, err := net.LookupPort(network, service)
+	if err != nil {
+		return "", err
+	}
+	return "_" + strconv.Itoa(p) + "._" + network + "." + name, nil
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/tsig.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/tsig.go
new file mode 100644
index 000000000..24013096b
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/tsig.go
@@ -0,0 +1,383 @@
+package dns
+
+import (
+	"crypto/hmac"
+	"crypto/md5"
+	"crypto/sha1"
+	"crypto/sha256"
+	"crypto/sha512"
+	"encoding/binary"
+	"encoding/hex"
+	"hash"
+	"strconv"
+	"strings"
+	"time"
+)
+
+// HMAC hashing codes. These are transmitted as domain names.
+const (
+	HmacMD5    = "hmac-md5.sig-alg.reg.int."
+	HmacSHA1   = "hmac-sha1."
+	HmacSHA256 = "hmac-sha256."
+	HmacSHA512 = "hmac-sha512."
+)
+
+// TSIG is the RR the holds the transaction signature of a message.
+// See RFC 2845 and RFC 4635.
+type TSIG struct {
+	Hdr        RR_Header
+	Algorithm  string `dns:"domain-name"`
+	TimeSigned uint64 `dns:"uint48"`
+	Fudge      uint16
+	MACSize    uint16
+	MAC        string `dns:"size-hex:MACSize"`
+	OrigId     uint16
+	Error      uint16
+	OtherLen   uint16
+	OtherData  string `dns:"size-hex:OtherLen"`
+}
+
+// TSIG has no official presentation format, but this will suffice.
+
+func (rr *TSIG) String() string {
+	s := "\n;; TSIG PSEUDOSECTION:\n"
+	s += rr.Hdr.String() +
+		" " + rr.Algorithm +
+		" " + tsigTimeToString(rr.TimeSigned) +
+		" " + strconv.Itoa(int(rr.Fudge)) +
+		" " + strconv.Itoa(int(rr.MACSize)) +
+		" " + strings.ToUpper(rr.MAC) +
+		" " + strconv.Itoa(int(rr.OrigId)) +
+		" " + strconv.Itoa(int(rr.Error)) + // BIND prints NOERROR
+		" " + strconv.Itoa(int(rr.OtherLen)) +
+		" " + rr.OtherData
+	return s
+}
+
+// The following values must be put in wireformat, so that the MAC can be calculated.
+// RFC 2845, section 3.4.2. TSIG Variables.
+type tsigWireFmt struct {
+	// From RR_Header
+	Name  string `dns:"domain-name"`
+	Class uint16
+	Ttl   uint32
+	// Rdata of the TSIG
+	Algorithm  string `dns:"domain-name"`
+	TimeSigned uint64 `dns:"uint48"`
+	Fudge      uint16
+	// MACSize, MAC and OrigId excluded
+	Error     uint16
+	OtherLen  uint16
+	OtherData string `dns:"size-hex:OtherLen"`
+}
+
+// If we have the MAC use this type to convert it to wiredata. Section 3.4.3. Request MAC
+type macWireFmt struct {
+	MACSize uint16
+	MAC     string `dns:"size-hex:MACSize"`
+}
+
+// 3.3. Time values used in TSIG calculations
+type timerWireFmt struct {
+	TimeSigned uint64 `dns:"uint48"`
+	Fudge      uint16
+}
+
+// TsigGenerate fills out the TSIG record attached to the message.
+// The message should contain
+// a "stub" TSIG RR with the algorithm, key name (owner name of the RR),
+// time fudge (defaults to 300 seconds) and the current time
+// The TSIG MAC is saved in that Tsig RR.
+// When TsigGenerate is called for the first time requestMAC is set to the empty string and
+// timersOnly is false.
+// If something goes wrong an error is returned, otherwise it is nil.
+func TsigGenerate(m *Msg, secret, requestMAC string, timersOnly bool) ([]byte, string, error) {
+	if m.IsTsig() == nil {
+		panic("dns: TSIG not last RR in additional")
+	}
+	// If we barf here, the caller is to blame
+	rawsecret, err := fromBase64([]byte(secret))
+	if err != nil {
+		return nil, "", err
+	}
+
+	rr := m.Extra[len(m.Extra)-1].(*TSIG)
+	m.Extra = m.Extra[0 : len(m.Extra)-1] // kill the TSIG from the msg
+	mbuf, err := m.Pack()
+	if err != nil {
+		return nil, "", err
+	}
+	buf := tsigBuffer(mbuf, rr, requestMAC, timersOnly)
+
+	t := new(TSIG)
+	var h hash.Hash
+	switch strings.ToLower(rr.Algorithm) {
+	case HmacMD5:
+		h = hmac.New(md5.New, []byte(rawsecret))
+	case HmacSHA1:
+		h = hmac.New(sha1.New, []byte(rawsecret))
+	case HmacSHA256:
+		h = hmac.New(sha256.New, []byte(rawsecret))
+	case HmacSHA512:
+		h = hmac.New(sha512.New, []byte(rawsecret))
+	default:
+		return nil, "", ErrKeyAlg
+	}
+	h.Write(buf)
+	t.MAC = hex.EncodeToString(h.Sum(nil))
+	t.MACSize = uint16(len(t.MAC) / 2) // Size is half!
+
+	t.Hdr = RR_Header{Name: rr.Hdr.Name, Rrtype: TypeTSIG, Class: ClassANY, Ttl: 0}
+	t.Fudge = rr.Fudge
+	t.TimeSigned = rr.TimeSigned
+	t.Algorithm = rr.Algorithm
+	t.OrigId = m.Id
+
+	tbuf := make([]byte, t.len())
+	if off, err := PackRR(t, tbuf, 0, nil, false); err == nil {
+		tbuf = tbuf[:off] // reset to actual size used
+	} else {
+		return nil, "", err
+	}
+	mbuf = append(mbuf, tbuf...)
+	// Update the ArCount directly in the buffer.
+	binary.BigEndian.PutUint16(mbuf[10:], uint16(len(m.Extra)+1))
+
+	return mbuf, t.MAC, nil
+}
+
+// TsigVerify verifies the TSIG on a message.
+// If the signature does not validate err contains the
+// error, otherwise it is nil.
+func TsigVerify(msg []byte, secret, requestMAC string, timersOnly bool) error {
+	rawsecret, err := fromBase64([]byte(secret))
+	if err != nil {
+		return err
+	}
+	// Strip the TSIG from the incoming msg
+	stripped, tsig, err := stripTsig(msg)
+	if err != nil {
+		return err
+	}
+
+	msgMAC, err := hex.DecodeString(tsig.MAC)
+	if err != nil {
+		return err
+	}
+
+	buf := tsigBuffer(stripped, tsig, requestMAC, timersOnly)
+
+	// Fudge factor works both ways. A message can arrive before it was signed because
+	// of clock skew.
+	now := uint64(time.Now().Unix())
+	ti := now - tsig.TimeSigned
+	if now < tsig.TimeSigned {
+		ti = tsig.TimeSigned - now
+	}
+	if uint64(tsig.Fudge) < ti {
+		return ErrTime
+	}
+
+	var h hash.Hash
+	switch strings.ToLower(tsig.Algorithm) {
+	case HmacMD5:
+		h = hmac.New(md5.New, rawsecret)
+	case HmacSHA1:
+		h = hmac.New(sha1.New, rawsecret)
+	case HmacSHA256:
+		h = hmac.New(sha256.New, rawsecret)
+	case HmacSHA512:
+		h = hmac.New(sha512.New, rawsecret)
+	default:
+		return ErrKeyAlg
+	}
+	h.Write(buf)
+	if !hmac.Equal(h.Sum(nil), msgMAC) {
+		return ErrSig
+	}
+	return nil
+}
+
+// Create a wiredata buffer for the MAC calculation.
+func tsigBuffer(msgbuf []byte, rr *TSIG, requestMAC string, timersOnly bool) []byte {
+	var buf []byte
+	if rr.TimeSigned == 0 {
+		rr.TimeSigned = uint64(time.Now().Unix())
+	}
+	if rr.Fudge == 0 {
+		rr.Fudge = 300 // Standard (RFC) default.
+	}
+
+	if requestMAC != "" {
+		m := new(macWireFmt)
+		m.MACSize = uint16(len(requestMAC) / 2)
+		m.MAC = requestMAC
+		buf = make([]byte, len(requestMAC)) // long enough
+		n, _ := packMacWire(m, buf)
+		buf = buf[:n]
+	}
+
+	tsigvar := make([]byte, DefaultMsgSize)
+	if timersOnly {
+		tsig := new(timerWireFmt)
+		tsig.TimeSigned = rr.TimeSigned
+		tsig.Fudge = rr.Fudge
+		n, _ := packTimerWire(tsig, tsigvar)
+		tsigvar = tsigvar[:n]
+	} else {
+		tsig := new(tsigWireFmt)
+		tsig.Name = strings.ToLower(rr.Hdr.Name)
+		tsig.Class = ClassANY
+		tsig.Ttl = rr.Hdr.Ttl
+		tsig.Algorithm = strings.ToLower(rr.Algorithm)
+		tsig.TimeSigned = rr.TimeSigned
+		tsig.Fudge = rr.Fudge
+		tsig.Error = rr.Error
+		tsig.OtherLen = rr.OtherLen
+		tsig.OtherData = rr.OtherData
+		n, _ := packTsigWire(tsig, tsigvar)
+		tsigvar = tsigvar[:n]
+	}
+
+	if requestMAC != "" {
+		x := append(buf, msgbuf...)
+		buf = append(x, tsigvar...)
+	} else {
+		buf = append(msgbuf, tsigvar...)
+	}
+	return buf
+}
+
+// Strip the TSIG from the raw message.
+func stripTsig(msg []byte) ([]byte, *TSIG, error) {
+	// Copied from msg.go's Unpack() Header, but modified.
+	var (
+		dh  Header
+		err error
+	)
+	off, tsigoff := 0, 0
+
+	if dh, off, err = unpackMsgHdr(msg, off); err != nil {
+		return nil, nil, err
+	}
+	if dh.Arcount == 0 {
+		return nil, nil, ErrNoSig
+	}
+
+	// Rcode, see msg.go Unpack()
+	if int(dh.Bits&0xF) == RcodeNotAuth {
+		return nil, nil, ErrAuth
+	}
+
+	for i := 0; i < int(dh.Qdcount); i++ {
+		_, off, err = unpackQuestion(msg, off)
+		if err != nil {
+			return nil, nil, err
+		}
+	}
+
+	_, off, err = unpackRRslice(int(dh.Ancount), msg, off)
+	if err != nil {
+		return nil, nil, err
+	}
+	_, off, err = unpackRRslice(int(dh.Nscount), msg, off)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	rr := new(TSIG)
+	var extra RR
+	for i := 0; i < int(dh.Arcount); i++ {
+		tsigoff = off
+		extra, off, err = UnpackRR(msg, off)
+		if err != nil {
+			return nil, nil, err
+		}
+		if extra.Header().Rrtype == TypeTSIG {
+			rr = extra.(*TSIG)
+			// Adjust Arcount.
+			arcount := binary.BigEndian.Uint16(msg[10:])
+			binary.BigEndian.PutUint16(msg[10:], arcount-1)
+			break
+		}
+	}
+	if rr == nil {
+		return nil, nil, ErrNoSig
+	}
+	return msg[:tsigoff], rr, nil
+}
+
+// Translate the TSIG time signed into a date. There is no
+// need for RFC1982 calculations as this date is 48 bits.
+func tsigTimeToString(t uint64) string {
+	ti := time.Unix(int64(t), 0).UTC()
+	return ti.Format("20060102150405")
+}
+
+func packTsigWire(tw *tsigWireFmt, msg []byte) (int, error) {
+	// copied from zmsg.go TSIG packing
+	// RR_Header
+	off, err := PackDomainName(tw.Name, msg, 0, nil, false)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(tw.Class, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint32(tw.Ttl, msg, off)
+	if err != nil {
+		return off, err
+	}
+
+	off, err = PackDomainName(tw.Algorithm, msg, off, nil, false)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint48(tw.TimeSigned, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(tw.Fudge, msg, off)
+	if err != nil {
+		return off, err
+	}
+
+	off, err = packUint16(tw.Error, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(tw.OtherLen, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packStringHex(tw.OtherData, msg, off)
+	if err != nil {
+		return off, err
+	}
+	return off, nil
+}
+
+func packMacWire(mw *macWireFmt, msg []byte) (int, error) {
+	off, err := packUint16(mw.MACSize, msg, 0)
+	if err != nil {
+		return off, err
+	}
+	off, err = packStringHex(mw.MAC, msg, off)
+	if err != nil {
+		return off, err
+	}
+	return off, nil
+}
+
+func packTimerWire(tw *timerWireFmt, msg []byte) (int, error) {
+	off, err := packUint48(tw.TimeSigned, msg, 0)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(tw.Fudge, msg, off)
+	if err != nil {
+		return off, err
+	}
+	return off, nil
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/tsig_test.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/tsig_test.go
new file mode 100644
index 000000000..48b9988b6
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/tsig_test.go
@@ -0,0 +1,37 @@
+package dns
+
+import (
+	"testing"
+	"time"
+)
+
+func newTsig(algo string) *Msg {
+	m := new(Msg)
+	m.SetQuestion("example.org.", TypeA)
+	m.SetTsig("example.", algo, 300, time.Now().Unix())
+	return m
+}
+
+func TestTsig(t *testing.T) {
+	m := newTsig(HmacMD5)
+	buf, _, err := TsigGenerate(m, "pRZgBrBvI4NAHZYhxmhs/Q==", "", false)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = TsigVerify(buf, "pRZgBrBvI4NAHZYhxmhs/Q==", "", false)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestTsigCase(t *testing.T) {
+	m := newTsig("HmAc-mD5.sig-ALg.rEg.int.") // HmacMD5
+	buf, _, err := TsigGenerate(m, "pRZgBrBvI4NAHZYhxmhs/Q==", "", false)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = TsigVerify(buf, "pRZgBrBvI4NAHZYhxmhs/Q==", "", false)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/types.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/types.go
new file mode 100644
index 000000000..53da4755c
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/types.go
@@ -0,0 +1,1287 @@
+package dns
+
+import (
+	"fmt"
+	"net"
+	"strconv"
+	"strings"
+	"time"
+)
+
+type (
+	// Type is a DNS type.
+	Type uint16
+	// Class is a DNS class.
+	Class uint16
+	// Name is a DNS domain name.
+	Name string
+)
+
+// Packet formats
+
+// Wire constants and supported types.
+const (
+	// valid RR_Header.Rrtype and Question.qtype
+
+	TypeNone       uint16 = 0
+	TypeA          uint16 = 1
+	TypeNS         uint16 = 2
+	TypeMD         uint16 = 3
+	TypeMF         uint16 = 4
+	TypeCNAME      uint16 = 5
+	TypeSOA        uint16 = 6
+	TypeMB         uint16 = 7
+	TypeMG         uint16 = 8
+	TypeMR         uint16 = 9
+	TypeNULL       uint16 = 10
+	TypePTR        uint16 = 12
+	TypeHINFO      uint16 = 13
+	TypeMINFO      uint16 = 14
+	TypeMX         uint16 = 15
+	TypeTXT        uint16 = 16
+	TypeRP         uint16 = 17
+	TypeAFSDB      uint16 = 18
+	TypeX25        uint16 = 19
+	TypeISDN       uint16 = 20
+	TypeRT         uint16 = 21
+	TypeNSAPPTR    uint16 = 23
+	TypeSIG        uint16 = 24
+	TypeKEY        uint16 = 25
+	TypePX         uint16 = 26
+	TypeGPOS       uint16 = 27
+	TypeAAAA       uint16 = 28
+	TypeLOC        uint16 = 29
+	TypeNXT        uint16 = 30
+	TypeEID        uint16 = 31
+	TypeNIMLOC     uint16 = 32
+	TypeSRV        uint16 = 33
+	TypeATMA       uint16 = 34
+	TypeNAPTR      uint16 = 35
+	TypeKX         uint16 = 36
+	TypeCERT       uint16 = 37
+	TypeDNAME      uint16 = 39
+	TypeOPT        uint16 = 41 // EDNS
+	TypeDS         uint16 = 43
+	TypeSSHFP      uint16 = 44
+	TypeRRSIG      uint16 = 46
+	TypeNSEC       uint16 = 47
+	TypeDNSKEY     uint16 = 48
+	TypeDHCID      uint16 = 49
+	TypeNSEC3      uint16 = 50
+	TypeNSEC3PARAM uint16 = 51
+	TypeTLSA       uint16 = 52
+	TypeSMIMEA     uint16 = 53
+	TypeHIP        uint16 = 55
+	TypeNINFO      uint16 = 56
+	TypeRKEY       uint16 = 57
+	TypeTALINK     uint16 = 58
+	TypeCDS        uint16 = 59
+	TypeCDNSKEY    uint16 = 60
+	TypeOPENPGPKEY uint16 = 61
+	TypeSPF        uint16 = 99
+	TypeUINFO      uint16 = 100
+	TypeUID        uint16 = 101
+	TypeGID        uint16 = 102
+	TypeUNSPEC     uint16 = 103
+	TypeNID        uint16 = 104
+	TypeL32        uint16 = 105
+	TypeL64        uint16 = 106
+	TypeLP         uint16 = 107
+	TypeEUI48      uint16 = 108
+	TypeEUI64      uint16 = 109
+	TypeURI        uint16 = 256
+	TypeCAA        uint16 = 257
+	TypeAVC        uint16 = 258
+
+	TypeTKEY uint16 = 249
+	TypeTSIG uint16 = 250
+
+	// valid Question.Qtype only
+	TypeIXFR  uint16 = 251
+	TypeAXFR  uint16 = 252
+	TypeMAILB uint16 = 253
+	TypeMAILA uint16 = 254
+	TypeANY   uint16 = 255
+
+	TypeTA       uint16 = 32768
+	TypeDLV      uint16 = 32769
+	TypeReserved uint16 = 65535
+
+	// valid Question.Qclass
+	ClassINET   = 1
+	ClassCSNET  = 2
+	ClassCHAOS  = 3
+	ClassHESIOD = 4
+	ClassNONE   = 254
+	ClassANY    = 255
+
+	// Message Response Codes.
+	RcodeSuccess        = 0
+	RcodeFormatError    = 1
+	RcodeServerFailure  = 2
+	RcodeNameError      = 3
+	RcodeNotImplemented = 4
+	RcodeRefused        = 5
+	RcodeYXDomain       = 6
+	RcodeYXRrset        = 7
+	RcodeNXRrset        = 8
+	RcodeNotAuth        = 9
+	RcodeNotZone        = 10
+	RcodeBadSig         = 16 // TSIG
+	RcodeBadVers        = 16 // EDNS0
+	RcodeBadKey         = 17
+	RcodeBadTime        = 18
+	RcodeBadMode        = 19 // TKEY
+	RcodeBadName        = 20
+	RcodeBadAlg         = 21
+	RcodeBadTrunc       = 22 // TSIG
+	RcodeBadCookie      = 23 // DNS Cookies
+
+	// Message Opcodes. There is no 3.
+	OpcodeQuery  = 0
+	OpcodeIQuery = 1
+	OpcodeStatus = 2
+	OpcodeNotify = 4
+	OpcodeUpdate = 5
+)
+
+// Header is the wire format for the DNS packet header.
+type Header struct {
+	Id                                 uint16
+	Bits                               uint16
+	Qdcount, Ancount, Nscount, Arcount uint16
+}
+
+const (
+	headerSize = 12
+
+	// Header.Bits
+	_QR = 1 << 15 // query/response (response=1)
+	_AA = 1 << 10 // authoritative
+	_TC = 1 << 9  // truncated
+	_RD = 1 << 8  // recursion desired
+	_RA = 1 << 7  // recursion available
+	_Z  = 1 << 6  // Z
+	_AD = 1 << 5  // authticated data
+	_CD = 1 << 4  // checking disabled
+
+	LOC_EQUATOR       = 1 << 31 // RFC 1876, Section 2.
+	LOC_PRIMEMERIDIAN = 1 << 31 // RFC 1876, Section 2.
+
+	LOC_HOURS   = 60 * 1000
+	LOC_DEGREES = 60 * LOC_HOURS
+
+	LOC_ALTITUDEBASE = 100000
+)
+
+// Different Certificate Types, see RFC 4398, Section 2.1
+const (
+	CertPKIX = 1 + iota
+	CertSPKI
+	CertPGP
+	CertIPIX
+	CertISPKI
+	CertIPGP
+	CertACPKIX
+	CertIACPKIX
+	CertURI = 253
+	CertOID = 254
+)
+
+// CertTypeToString converts the Cert Type to its string representation.
+// See RFC 4398 and RFC 6944.
+var CertTypeToString = map[uint16]string{
+	CertPKIX:    "PKIX",
+	CertSPKI:    "SPKI",
+	CertPGP:     "PGP",
+	CertIPIX:    "IPIX",
+	CertISPKI:   "ISPKI",
+	CertIPGP:    "IPGP",
+	CertACPKIX:  "ACPKIX",
+	CertIACPKIX: "IACPKIX",
+	CertURI:     "URI",
+	CertOID:     "OID",
+}
+
+// StringToCertType is the reverseof CertTypeToString.
+var StringToCertType = reverseInt16(CertTypeToString)
+
+//go:generate go run types_generate.go
+
+// Question holds a DNS question. There can be multiple questions in the
+// question section of a message. Usually there is just one.
+type Question struct {
+	Name   string `dns:"cdomain-name"` // "cdomain-name" specifies encoding (and may be compressed)
+	Qtype  uint16
+	Qclass uint16
+}
+
+func (q *Question) len() int {
+	return len(q.Name) + 1 + 2 + 2
+}
+
+func (q *Question) String() (s string) {
+	// prefix with ; (as in dig)
+	s = ";" + sprintName(q.Name) + "\t"
+	s += Class(q.Qclass).String() + "\t"
+	s += " " + Type(q.Qtype).String()
+	return s
+}
+
+// ANY is a wildcard record. See RFC 1035, Section 3.2.3. ANY
+// is named "*" there.
+type ANY struct {
+	Hdr RR_Header
+	// Does not have any rdata
+}
+
+func (rr *ANY) String() string { return rr.Hdr.String() }
+
+type CNAME struct {
+	Hdr    RR_Header
+	Target string `dns:"cdomain-name"`
+}
+
+func (rr *CNAME) String() string { return rr.Hdr.String() + sprintName(rr.Target) }
+
+type HINFO struct {
+	Hdr RR_Header
+	Cpu string
+	Os  string
+}
+
+func (rr *HINFO) String() string {
+	return rr.Hdr.String() + sprintTxt([]string{rr.Cpu, rr.Os})
+}
+
+type MB struct {
+	Hdr RR_Header
+	Mb  string `dns:"cdomain-name"`
+}
+
+func (rr *MB) String() string { return rr.Hdr.String() + sprintName(rr.Mb) }
+
+type MG struct {
+	Hdr RR_Header
+	Mg  string `dns:"cdomain-name"`
+}
+
+func (rr *MG) String() string { return rr.Hdr.String() + sprintName(rr.Mg) }
+
+type MINFO struct {
+	Hdr   RR_Header
+	Rmail string `dns:"cdomain-name"`
+	Email string `dns:"cdomain-name"`
+}
+
+func (rr *MINFO) String() string {
+	return rr.Hdr.String() + sprintName(rr.Rmail) + " " + sprintName(rr.Email)
+}
+
+type MR struct {
+	Hdr RR_Header
+	Mr  string `dns:"cdomain-name"`
+}
+
+func (rr *MR) String() string {
+	return rr.Hdr.String() + sprintName(rr.Mr)
+}
+
+type MF struct {
+	Hdr RR_Header
+	Mf  string `dns:"cdomain-name"`
+}
+
+func (rr *MF) String() string {
+	return rr.Hdr.String() + sprintName(rr.Mf)
+}
+
+type MD struct {
+	Hdr RR_Header
+	Md  string `dns:"cdomain-name"`
+}
+
+func (rr *MD) String() string {
+	return rr.Hdr.String() + sprintName(rr.Md)
+}
+
+type MX struct {
+	Hdr        RR_Header
+	Preference uint16
+	Mx         string `dns:"cdomain-name"`
+}
+
+func (rr *MX) String() string {
+	return rr.Hdr.String() + strconv.Itoa(int(rr.Preference)) + " " + sprintName(rr.Mx)
+}
+
+type AFSDB struct {
+	Hdr      RR_Header
+	Subtype  uint16
+	Hostname string `dns:"cdomain-name"`
+}
+
+func (rr *AFSDB) String() string {
+	return rr.Hdr.String() + strconv.Itoa(int(rr.Subtype)) + " " + sprintName(rr.Hostname)
+}
+
+type X25 struct {
+	Hdr         RR_Header
+	PSDNAddress string
+}
+
+func (rr *X25) String() string {
+	return rr.Hdr.String() + rr.PSDNAddress
+}
+
+type RT struct {
+	Hdr        RR_Header
+	Preference uint16
+	Host       string `dns:"cdomain-name"`
+}
+
+func (rr *RT) String() string {
+	return rr.Hdr.String() + strconv.Itoa(int(rr.Preference)) + " " + sprintName(rr.Host)
+}
+
+type NS struct {
+	Hdr RR_Header
+	Ns  string `dns:"cdomain-name"`
+}
+
+func (rr *NS) String() string {
+	return rr.Hdr.String() + sprintName(rr.Ns)
+}
+
+type PTR struct {
+	Hdr RR_Header
+	Ptr string `dns:"cdomain-name"`
+}
+
+func (rr *PTR) String() string {
+	return rr.Hdr.String() + sprintName(rr.Ptr)
+}
+
+type RP struct {
+	Hdr  RR_Header
+	Mbox string `dns:"domain-name"`
+	Txt  string `dns:"domain-name"`
+}
+
+func (rr *RP) String() string {
+	return rr.Hdr.String() + rr.Mbox + " " + sprintTxt([]string{rr.Txt})
+}
+
+type SOA struct {
+	Hdr     RR_Header
+	Ns      string `dns:"cdomain-name"`
+	Mbox    string `dns:"cdomain-name"`
+	Serial  uint32
+	Refresh uint32
+	Retry   uint32
+	Expire  uint32
+	Minttl  uint32
+}
+
+func (rr *SOA) String() string {
+	return rr.Hdr.String() + sprintName(rr.Ns) + " " + sprintName(rr.Mbox) +
+		" " + strconv.FormatInt(int64(rr.Serial), 10) +
+		" " + strconv.FormatInt(int64(rr.Refresh), 10) +
+		" " + strconv.FormatInt(int64(rr.Retry), 10) +
+		" " + strconv.FormatInt(int64(rr.Expire), 10) +
+		" " + strconv.FormatInt(int64(rr.Minttl), 10)
+}
+
+type TXT struct {
+	Hdr RR_Header
+	Txt []string `dns:"txt"`
+}
+
+func (rr *TXT) String() string { return rr.Hdr.String() + sprintTxt(rr.Txt) }
+
+func sprintName(s string) string {
+	src := []byte(s)
+	dst := make([]byte, 0, len(src))
+	for i := 0; i < len(src); {
+		if i+1 < len(src) && src[i] == '\\' && src[i+1] == '.' {
+			dst = append(dst, src[i:i+2]...)
+			i += 2
+		} else {
+			b, n := nextByte(src, i)
+			if n == 0 {
+				i++ // dangling back slash
+			} else if b == '.' {
+				dst = append(dst, b)
+			} else {
+				dst = appendDomainNameByte(dst, b)
+			}
+			i += n
+		}
+	}
+	return string(dst)
+}
+
+func sprintTxtOctet(s string) string {
+	src := []byte(s)
+	dst := make([]byte, 0, len(src))
+	dst = append(dst, '"')
+	for i := 0; i < len(src); {
+		if i+1 < len(src) && src[i] == '\\' && src[i+1] == '.' {
+			dst = append(dst, src[i:i+2]...)
+			i += 2
+		} else {
+			b, n := nextByte(src, i)
+			if n == 0 {
+				i++ // dangling back slash
+			} else if b == '.' {
+				dst = append(dst, b)
+			} else {
+				if b < ' ' || b > '~' {
+					dst = appendByte(dst, b)
+				} else {
+					dst = append(dst, b)
+				}
+			}
+			i += n
+		}
+	}
+	dst = append(dst, '"')
+	return string(dst)
+}
+
+func sprintTxt(txt []string) string {
+	var out []byte
+	for i, s := range txt {
+		if i > 0 {
+			out = append(out, ` "`...)
+		} else {
+			out = append(out, '"')
+		}
+		bs := []byte(s)
+		for j := 0; j < len(bs); {
+			b, n := nextByte(bs, j)
+			if n == 0 {
+				break
+			}
+			out = appendTXTStringByte(out, b)
+			j += n
+		}
+		out = append(out, '"')
+	}
+	return string(out)
+}
+
+func appendDomainNameByte(s []byte, b byte) []byte {
+	switch b {
+	case '.', ' ', '\'', '@', ';', '(', ')': // additional chars to escape
+		return append(s, '\\', b)
+	}
+	return appendTXTStringByte(s, b)
+}
+
+func appendTXTStringByte(s []byte, b byte) []byte {
+	switch b {
+	case '"', '\\':
+		return append(s, '\\', b)
+	}
+	if b < ' ' || b > '~' {
+		return appendByte(s, b)
+	}
+	return append(s, b)
+}
+
+func appendByte(s []byte, b byte) []byte {
+	var buf [3]byte
+	bufs := strconv.AppendInt(buf[:0], int64(b), 10)
+	s = append(s, '\\')
+	for i := 0; i < 3-len(bufs); i++ {
+		s = append(s, '0')
+	}
+	for _, r := range bufs {
+		s = append(s, r)
+	}
+	return s
+}
+
+func nextByte(b []byte, offset int) (byte, int) {
+	if offset >= len(b) {
+		return 0, 0
+	}
+	if b[offset] != '\\' {
+		// not an escape sequence
+		return b[offset], 1
+	}
+	switch len(b) - offset {
+	case 1: // dangling escape
+		return 0, 0
+	case 2, 3: // too short to be \ddd
+	default: // maybe \ddd
+		if isDigit(b[offset+1]) && isDigit(b[offset+2]) && isDigit(b[offset+3]) {
+			return dddToByte(b[offset+1:]), 4
+		}
+	}
+	// not \ddd, just an RFC 1035 "quoted" character
+	return b[offset+1], 2
+}
+
+type SPF struct {
+	Hdr RR_Header
+	Txt []string `dns:"txt"`
+}
+
+func (rr *SPF) String() string { return rr.Hdr.String() + sprintTxt(rr.Txt) }
+
+type AVC struct {
+	Hdr RR_Header
+	Txt []string `dns:"txt"`
+}
+
+func (rr *AVC) String() string { return rr.Hdr.String() + sprintTxt(rr.Txt) }
+
+type SRV struct {
+	Hdr      RR_Header
+	Priority uint16
+	Weight   uint16
+	Port     uint16
+	Target   string `dns:"domain-name"`
+}
+
+func (rr *SRV) String() string {
+	return rr.Hdr.String() +
+		strconv.Itoa(int(rr.Priority)) + " " +
+		strconv.Itoa(int(rr.Weight)) + " " +
+		strconv.Itoa(int(rr.Port)) + " " + sprintName(rr.Target)
+}
+
+type NAPTR struct {
+	Hdr         RR_Header
+	Order       uint16
+	Preference  uint16
+	Flags       string
+	Service     string
+	Regexp      string
+	Replacement string `dns:"domain-name"`
+}
+
+func (rr *NAPTR) String() string {
+	return rr.Hdr.String() +
+		strconv.Itoa(int(rr.Order)) + " " +
+		strconv.Itoa(int(rr.Preference)) + " " +
+		"\"" + rr.Flags + "\" " +
+		"\"" + rr.Service + "\" " +
+		"\"" + rr.Regexp + "\" " +
+		rr.Replacement
+}
+
+// The CERT resource record, see RFC 4398.
+type CERT struct {
+	Hdr         RR_Header
+	Type        uint16
+	KeyTag      uint16
+	Algorithm   uint8
+	Certificate string `dns:"base64"`
+}
+
+func (rr *CERT) String() string {
+	var (
+		ok                  bool
+		certtype, algorithm string
+	)
+	if certtype, ok = CertTypeToString[rr.Type]; !ok {
+		certtype = strconv.Itoa(int(rr.Type))
+	}
+	if algorithm, ok = AlgorithmToString[rr.Algorithm]; !ok {
+		algorithm = strconv.Itoa(int(rr.Algorithm))
+	}
+	return rr.Hdr.String() + certtype +
+		" " + strconv.Itoa(int(rr.KeyTag)) +
+		" " + algorithm +
+		" " + rr.Certificate
+}
+
+// The DNAME resource record, see RFC 2672.
+type DNAME struct {
+	Hdr    RR_Header
+	Target string `dns:"domain-name"`
+}
+
+func (rr *DNAME) String() string {
+	return rr.Hdr.String() + sprintName(rr.Target)
+}
+
+type A struct {
+	Hdr RR_Header
+	A   net.IP `dns:"a"`
+}
+
+func (rr *A) String() string {
+	if rr.A == nil {
+		return rr.Hdr.String()
+	}
+	return rr.Hdr.String() + rr.A.String()
+}
+
+type AAAA struct {
+	Hdr  RR_Header
+	AAAA net.IP `dns:"aaaa"`
+}
+
+func (rr *AAAA) String() string {
+	if rr.AAAA == nil {
+		return rr.Hdr.String()
+	}
+	return rr.Hdr.String() + rr.AAAA.String()
+}
+
+type PX struct {
+	Hdr        RR_Header
+	Preference uint16
+	Map822     string `dns:"domain-name"`
+	Mapx400    string `dns:"domain-name"`
+}
+
+func (rr *PX) String() string {
+	return rr.Hdr.String() + strconv.Itoa(int(rr.Preference)) + " " + sprintName(rr.Map822) + " " + sprintName(rr.Mapx400)
+}
+
+type GPOS struct {
+	Hdr       RR_Header
+	Longitude string
+	Latitude  string
+	Altitude  string
+}
+
+func (rr *GPOS) String() string {
+	return rr.Hdr.String() + rr.Longitude + " " + rr.Latitude + " " + rr.Altitude
+}
+
+type LOC struct {
+	Hdr       RR_Header
+	Version   uint8
+	Size      uint8
+	HorizPre  uint8
+	VertPre   uint8
+	Latitude  uint32
+	Longitude uint32
+	Altitude  uint32
+}
+
+// cmToM takes a cm value expressed in RFC1876 SIZE mantissa/exponent
+// format and returns a string in m (two decimals for the cm)
+func cmToM(m, e uint8) string {
+	if e < 2 {
+		if e == 1 {
+			m *= 10
+		}
+
+		return fmt.Sprintf("0.%02d", m)
+	}
+
+	s := fmt.Sprintf("%d", m)
+	for e > 2 {
+		s += "0"
+		e--
+	}
+	return s
+}
+
+func (rr *LOC) String() string {
+	s := rr.Hdr.String()
+
+	lat := rr.Latitude
+	ns := "N"
+	if lat > LOC_EQUATOR {
+		lat = lat - LOC_EQUATOR
+	} else {
+		ns = "S"
+		lat = LOC_EQUATOR - lat
+	}
+	h := lat / LOC_DEGREES
+	lat = lat % LOC_DEGREES
+	m := lat / LOC_HOURS
+	lat = lat % LOC_HOURS
+	s += fmt.Sprintf("%02d %02d %0.3f %s ", h, m, (float64(lat) / 1000), ns)
+
+	lon := rr.Longitude
+	ew := "E"
+	if lon > LOC_PRIMEMERIDIAN {
+		lon = lon - LOC_PRIMEMERIDIAN
+	} else {
+		ew = "W"
+		lon = LOC_PRIMEMERIDIAN - lon
+	}
+	h = lon / LOC_DEGREES
+	lon = lon % LOC_DEGREES
+	m = lon / LOC_HOURS
+	lon = lon % LOC_HOURS
+	s += fmt.Sprintf("%02d %02d %0.3f %s ", h, m, (float64(lon) / 1000), ew)
+
+	var alt = float64(rr.Altitude) / 100
+	alt -= LOC_ALTITUDEBASE
+	if rr.Altitude%100 != 0 {
+		s += fmt.Sprintf("%.2fm ", alt)
+	} else {
+		s += fmt.Sprintf("%.0fm ", alt)
+	}
+
+	s += cmToM((rr.Size&0xf0)>>4, rr.Size&0x0f) + "m "
+	s += cmToM((rr.HorizPre&0xf0)>>4, rr.HorizPre&0x0f) + "m "
+	s += cmToM((rr.VertPre&0xf0)>>4, rr.VertPre&0x0f) + "m"
+
+	return s
+}
+
+// SIG is identical to RRSIG and nowadays only used for SIG(0), RFC2931.
+type SIG struct {
+	RRSIG
+}
+
+type RRSIG struct {
+	Hdr         RR_Header
+	TypeCovered uint16
+	Algorithm   uint8
+	Labels      uint8
+	OrigTtl     uint32
+	Expiration  uint32
+	Inception   uint32
+	KeyTag      uint16
+	SignerName  string `dns:"domain-name"`
+	Signature   string `dns:"base64"`
+}
+
+func (rr *RRSIG) String() string {
+	s := rr.Hdr.String()
+	s += Type(rr.TypeCovered).String()
+	s += " " + strconv.Itoa(int(rr.Algorithm)) +
+		" " + strconv.Itoa(int(rr.Labels)) +
+		" " + strconv.FormatInt(int64(rr.OrigTtl), 10) +
+		" " + TimeToString(rr.Expiration) +
+		" " + TimeToString(rr.Inception) +
+		" " + strconv.Itoa(int(rr.KeyTag)) +
+		" " + sprintName(rr.SignerName) +
+		" " + rr.Signature
+	return s
+}
+
+type NSEC struct {
+	Hdr        RR_Header
+	NextDomain string   `dns:"domain-name"`
+	TypeBitMap []uint16 `dns:"nsec"`
+}
+
+func (rr *NSEC) String() string {
+	s := rr.Hdr.String() + sprintName(rr.NextDomain)
+	for i := 0; i < len(rr.TypeBitMap); i++ {
+		s += " " + Type(rr.TypeBitMap[i]).String()
+	}
+	return s
+}
+
+func (rr *NSEC) len() int {
+	l := rr.Hdr.len() + len(rr.NextDomain) + 1
+	lastwindow := uint32(2 ^ 32 + 1)
+	for _, t := range rr.TypeBitMap {
+		window := t / 256
+		if uint32(window) != lastwindow {
+			l += 1 + 32
+		}
+		lastwindow = uint32(window)
+	}
+	return l
+}
+
+type DLV struct {
+	DS
+}
+
+type CDS struct {
+	DS
+}
+
+type DS struct {
+	Hdr        RR_Header
+	KeyTag     uint16
+	Algorithm  uint8
+	DigestType uint8
+	Digest     string `dns:"hex"`
+}
+
+func (rr *DS) String() string {
+	return rr.Hdr.String() + strconv.Itoa(int(rr.KeyTag)) +
+		" " + strconv.Itoa(int(rr.Algorithm)) +
+		" " + strconv.Itoa(int(rr.DigestType)) +
+		" " + strings.ToUpper(rr.Digest)
+}
+
+type KX struct {
+	Hdr        RR_Header
+	Preference uint16
+	Exchanger  string `dns:"domain-name"`
+}
+
+func (rr *KX) String() string {
+	return rr.Hdr.String() + strconv.Itoa(int(rr.Preference)) +
+		" " + sprintName(rr.Exchanger)
+}
+
+type TA struct {
+	Hdr        RR_Header
+	KeyTag     uint16
+	Algorithm  uint8
+	DigestType uint8
+	Digest     string `dns:"hex"`
+}
+
+func (rr *TA) String() string {
+	return rr.Hdr.String() + strconv.Itoa(int(rr.KeyTag)) +
+		" " + strconv.Itoa(int(rr.Algorithm)) +
+		" " + strconv.Itoa(int(rr.DigestType)) +
+		" " + strings.ToUpper(rr.Digest)
+}
+
+type TALINK struct {
+	Hdr          RR_Header
+	PreviousName string `dns:"domain-name"`
+	NextName     string `dns:"domain-name"`
+}
+
+func (rr *TALINK) String() string {
+	return rr.Hdr.String() +
+		sprintName(rr.PreviousName) + " " + sprintName(rr.NextName)
+}
+
+type SSHFP struct {
+	Hdr         RR_Header
+	Algorithm   uint8
+	Type        uint8
+	FingerPrint string `dns:"hex"`
+}
+
+func (rr *SSHFP) String() string {
+	return rr.Hdr.String() + strconv.Itoa(int(rr.Algorithm)) +
+		" " + strconv.Itoa(int(rr.Type)) +
+		" " + strings.ToUpper(rr.FingerPrint)
+}
+
+type KEY struct {
+	DNSKEY
+}
+
+type CDNSKEY struct {
+	DNSKEY
+}
+
+type DNSKEY struct {
+	Hdr       RR_Header
+	Flags     uint16
+	Protocol  uint8
+	Algorithm uint8
+	PublicKey string `dns:"base64"`
+}
+
+func (rr *DNSKEY) String() string {
+	return rr.Hdr.String() + strconv.Itoa(int(rr.Flags)) +
+		" " + strconv.Itoa(int(rr.Protocol)) +
+		" " + strconv.Itoa(int(rr.Algorithm)) +
+		" " + rr.PublicKey
+}
+
+type RKEY struct {
+	Hdr       RR_Header
+	Flags     uint16
+	Protocol  uint8
+	Algorithm uint8
+	PublicKey string `dns:"base64"`
+}
+
+func (rr *RKEY) String() string {
+	return rr.Hdr.String() + strconv.Itoa(int(rr.Flags)) +
+		" " + strconv.Itoa(int(rr.Protocol)) +
+		" " + strconv.Itoa(int(rr.Algorithm)) +
+		" " + rr.PublicKey
+}
+
+type NSAPPTR struct {
+	Hdr RR_Header
+	Ptr string `dns:"domain-name"`
+}
+
+func (rr *NSAPPTR) String() string { return rr.Hdr.String() + sprintName(rr.Ptr) }
+
+type NSEC3 struct {
+	Hdr        RR_Header
+	Hash       uint8
+	Flags      uint8
+	Iterations uint16
+	SaltLength uint8
+	Salt       string `dns:"size-hex:SaltLength"`
+	HashLength uint8
+	NextDomain string   `dns:"size-base32:HashLength"`
+	TypeBitMap []uint16 `dns:"nsec"`
+}
+
+func (rr *NSEC3) String() string {
+	s := rr.Hdr.String()
+	s += strconv.Itoa(int(rr.Hash)) +
+		" " + strconv.Itoa(int(rr.Flags)) +
+		" " + strconv.Itoa(int(rr.Iterations)) +
+		" " + saltToString(rr.Salt) +
+		" " + rr.NextDomain
+	for i := 0; i < len(rr.TypeBitMap); i++ {
+		s += " " + Type(rr.TypeBitMap[i]).String()
+	}
+	return s
+}
+
+func (rr *NSEC3) len() int {
+	l := rr.Hdr.len() + 6 + len(rr.Salt)/2 + 1 + len(rr.NextDomain) + 1
+	lastwindow := uint32(2 ^ 32 + 1)
+	for _, t := range rr.TypeBitMap {
+		window := t / 256
+		if uint32(window) != lastwindow {
+			l += 1 + 32
+		}
+		lastwindow = uint32(window)
+	}
+	return l
+}
+
+type NSEC3PARAM struct {
+	Hdr        RR_Header
+	Hash       uint8
+	Flags      uint8
+	Iterations uint16
+	SaltLength uint8
+	Salt       string `dns:"size-hex:SaltLength"`
+}
+
+func (rr *NSEC3PARAM) String() string {
+	s := rr.Hdr.String()
+	s += strconv.Itoa(int(rr.Hash)) +
+		" " + strconv.Itoa(int(rr.Flags)) +
+		" " + strconv.Itoa(int(rr.Iterations)) +
+		" " + saltToString(rr.Salt)
+	return s
+}
+
+type TKEY struct {
+	Hdr        RR_Header
+	Algorithm  string `dns:"domain-name"`
+	Inception  uint32
+	Expiration uint32
+	Mode       uint16
+	Error      uint16
+	KeySize    uint16
+	Key        string
+	OtherLen   uint16
+	OtherData  string
+}
+
+func (rr *TKEY) String() string {
+	// It has no presentation format
+	return ""
+}
+
+// RFC3597 represents an unknown/generic RR.
+type RFC3597 struct {
+	Hdr   RR_Header
+	Rdata string `dns:"hex"`
+}
+
+func (rr *RFC3597) String() string {
+	// Let's call it a hack
+	s := rfc3597Header(rr.Hdr)
+
+	s += "\\# " + strconv.Itoa(len(rr.Rdata)/2) + " " + rr.Rdata
+	return s
+}
+
+func rfc3597Header(h RR_Header) string {
+	var s string
+
+	s += sprintName(h.Name) + "\t"
+	s += strconv.FormatInt(int64(h.Ttl), 10) + "\t"
+	s += "CLASS" + strconv.Itoa(int(h.Class)) + "\t"
+	s += "TYPE" + strconv.Itoa(int(h.Rrtype)) + "\t"
+	return s
+}
+
+type URI struct {
+	Hdr      RR_Header
+	Priority uint16
+	Weight   uint16
+	Target   string `dns:"octet"`
+}
+
+func (rr *URI) String() string {
+	return rr.Hdr.String() + strconv.Itoa(int(rr.Priority)) +
+		" " + strconv.Itoa(int(rr.Weight)) + " " + sprintTxtOctet(rr.Target)
+}
+
+type DHCID struct {
+	Hdr    RR_Header
+	Digest string `dns:"base64"`
+}
+
+func (rr *DHCID) String() string { return rr.Hdr.String() + rr.Digest }
+
+type TLSA struct {
+	Hdr          RR_Header
+	Usage        uint8
+	Selector     uint8
+	MatchingType uint8
+	Certificate  string `dns:"hex"`
+}
+
+func (rr *TLSA) String() string {
+	return rr.Hdr.String() +
+		strconv.Itoa(int(rr.Usage)) +
+		" " + strconv.Itoa(int(rr.Selector)) +
+		" " + strconv.Itoa(int(rr.MatchingType)) +
+		" " + rr.Certificate
+}
+
+type SMIMEA struct {
+	Hdr          RR_Header
+	Usage        uint8
+	Selector     uint8
+	MatchingType uint8
+	Certificate  string `dns:"hex"`
+}
+
+func (rr *SMIMEA) String() string {
+	s := rr.Hdr.String() +
+		strconv.Itoa(int(rr.Usage)) +
+		" " + strconv.Itoa(int(rr.Selector)) +
+		" " + strconv.Itoa(int(rr.MatchingType))
+
+	// Every Nth char needs a space on this output. If we output
+	// this as one giant line, we can't read it can in because in some cases
+	// the cert length overflows scan.maxTok (2048).
+	sx := splitN(rr.Certificate, 1024) // conservative value here
+	s += " " + strings.Join(sx, " ")
+	return s
+}
+
+type HIP struct {
+	Hdr                RR_Header
+	HitLength          uint8
+	PublicKeyAlgorithm uint8
+	PublicKeyLength    uint16
+	Hit                string   `dns:"size-hex:HitLength"`
+	PublicKey          string   `dns:"size-base64:PublicKeyLength"`
+	RendezvousServers  []string `dns:"domain-name"`
+}
+
+func (rr *HIP) String() string {
+	s := rr.Hdr.String() +
+		strconv.Itoa(int(rr.PublicKeyAlgorithm)) +
+		" " + rr.Hit +
+		" " + rr.PublicKey
+	for _, d := range rr.RendezvousServers {
+		s += " " + sprintName(d)
+	}
+	return s
+}
+
+type NINFO struct {
+	Hdr    RR_Header
+	ZSData []string `dns:"txt"`
+}
+
+func (rr *NINFO) String() string { return rr.Hdr.String() + sprintTxt(rr.ZSData) }
+
+type NID struct {
+	Hdr        RR_Header
+	Preference uint16
+	NodeID     uint64
+}
+
+func (rr *NID) String() string {
+	s := rr.Hdr.String() + strconv.Itoa(int(rr.Preference))
+	node := fmt.Sprintf("%0.16x", rr.NodeID)
+	s += " " + node[0:4] + ":" + node[4:8] + ":" + node[8:12] + ":" + node[12:16]
+	return s
+}
+
+type L32 struct {
+	Hdr        RR_Header
+	Preference uint16
+	Locator32  net.IP `dns:"a"`
+}
+
+func (rr *L32) String() string {
+	if rr.Locator32 == nil {
+		return rr.Hdr.String() + strconv.Itoa(int(rr.Preference))
+	}
+	return rr.Hdr.String() + strconv.Itoa(int(rr.Preference)) +
+		" " + rr.Locator32.String()
+}
+
+type L64 struct {
+	Hdr        RR_Header
+	Preference uint16
+	Locator64  uint64
+}
+
+func (rr *L64) String() string {
+	s := rr.Hdr.String() + strconv.Itoa(int(rr.Preference))
+	node := fmt.Sprintf("%0.16X", rr.Locator64)
+	s += " " + node[0:4] + ":" + node[4:8] + ":" + node[8:12] + ":" + node[12:16]
+	return s
+}
+
+type LP struct {
+	Hdr        RR_Header
+	Preference uint16
+	Fqdn       string `dns:"domain-name"`
+}
+
+func (rr *LP) String() string {
+	return rr.Hdr.String() + strconv.Itoa(int(rr.Preference)) + " " + sprintName(rr.Fqdn)
+}
+
+type EUI48 struct {
+	Hdr     RR_Header
+	Address uint64 `dns:"uint48"`
+}
+
+func (rr *EUI48) String() string { return rr.Hdr.String() + euiToString(rr.Address, 48) }
+
+type EUI64 struct {
+	Hdr     RR_Header
+	Address uint64
+}
+
+func (rr *EUI64) String() string { return rr.Hdr.String() + euiToString(rr.Address, 64) }
+
+type CAA struct {
+	Hdr   RR_Header
+	Flag  uint8
+	Tag   string
+	Value string `dns:"octet"`
+}
+
+func (rr *CAA) String() string {
+	return rr.Hdr.String() + strconv.Itoa(int(rr.Flag)) + " " + rr.Tag + " " + sprintTxtOctet(rr.Value)
+}
+
+type UID struct {
+	Hdr RR_Header
+	Uid uint32
+}
+
+func (rr *UID) String() string { return rr.Hdr.String() + strconv.FormatInt(int64(rr.Uid), 10) }
+
+type GID struct {
+	Hdr RR_Header
+	Gid uint32
+}
+
+func (rr *GID) String() string { return rr.Hdr.String() + strconv.FormatInt(int64(rr.Gid), 10) }
+
+type UINFO struct {
+	Hdr   RR_Header
+	Uinfo string
+}
+
+func (rr *UINFO) String() string { return rr.Hdr.String() + sprintTxt([]string{rr.Uinfo}) }
+
+type EID struct {
+	Hdr      RR_Header
+	Endpoint string `dns:"hex"`
+}
+
+func (rr *EID) String() string { return rr.Hdr.String() + strings.ToUpper(rr.Endpoint) }
+
+type NIMLOC struct {
+	Hdr     RR_Header
+	Locator string `dns:"hex"`
+}
+
+func (rr *NIMLOC) String() string { return rr.Hdr.String() + strings.ToUpper(rr.Locator) }
+
+type OPENPGPKEY struct {
+	Hdr       RR_Header
+	PublicKey string `dns:"base64"`
+}
+
+func (rr *OPENPGPKEY) String() string { return rr.Hdr.String() + rr.PublicKey }
+
+// TimeToString translates the RRSIG's incep. and expir. times to the
+// string representation used when printing the record.
+// It takes serial arithmetic (RFC 1982) into account.
+func TimeToString(t uint32) string {
+	mod := ((int64(t) - time.Now().Unix()) / year68) - 1
+	if mod < 0 {
+		mod = 0
+	}
+	ti := time.Unix(int64(t)-(mod*year68), 0).UTC()
+	return ti.Format("20060102150405")
+}
+
+// StringToTime translates the RRSIG's incep. and expir. times from
+// string values like "20110403154150" to an 32 bit integer.
+// It takes serial arithmetic (RFC 1982) into account.
+func StringToTime(s string) (uint32, error) {
+	t, err := time.Parse("20060102150405", s)
+	if err != nil {
+		return 0, err
+	}
+	mod := (t.Unix() / year68) - 1
+	if mod < 0 {
+		mod = 0
+	}
+	return uint32(t.Unix() - (mod * year68)), nil
+}
+
+// saltToString converts a NSECX salt to uppercase and returns "-" when it is empty.
+func saltToString(s string) string {
+	if len(s) == 0 {
+		return "-"
+	}
+	return strings.ToUpper(s)
+}
+
+func euiToString(eui uint64, bits int) (hex string) {
+	switch bits {
+	case 64:
+		hex = fmt.Sprintf("%16.16x", eui)
+		hex = hex[0:2] + "-" + hex[2:4] + "-" + hex[4:6] + "-" + hex[6:8] +
+			"-" + hex[8:10] + "-" + hex[10:12] + "-" + hex[12:14] + "-" + hex[14:16]
+	case 48:
+		hex = fmt.Sprintf("%12.12x", eui)
+		hex = hex[0:2] + "-" + hex[2:4] + "-" + hex[4:6] + "-" + hex[6:8] +
+			"-" + hex[8:10] + "-" + hex[10:12]
+	}
+	return
+}
+
+// copyIP returns a copy of ip.
+func copyIP(ip net.IP) net.IP {
+	p := make(net.IP, len(ip))
+	copy(p, ip)
+	return p
+}
+
+// SplitN splits a string into N sized string chunks.
+// This might become an exported function once.
+func splitN(s string, n int) []string {
+	if len(s) < n {
+		return []string{s}
+	}
+	sx := []string{}
+	p, i := 0, n
+	for {
+		if i <= len(s) {
+			sx = append(sx, s[p:i])
+		} else {
+			sx = append(sx, s[p:])
+			break
+
+		}
+		p, i = p+n, i+n
+	}
+
+	return sx
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/types_generate.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/types_generate.go
new file mode 100644
index 000000000..dd1310942
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/types_generate.go
@@ -0,0 +1,271 @@
+//+build ignore
+
+// types_generate.go is meant to run with go generate. It will use
+// go/{importer,types} to track down all the RR struct types. Then for each type
+// it will generate conversion tables (TypeToRR and TypeToString) and banal
+// methods (len, Header, copy) based on the struct tags. The generated source is
+// written to ztypes.go, and is meant to be checked into git.
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"go/format"
+	"go/importer"
+	"go/types"
+	"log"
+	"os"
+	"strings"
+	"text/template"
+)
+
+var skipLen = map[string]struct{}{
+	"NSEC":  {},
+	"NSEC3": {},
+	"OPT":   {},
+}
+
+var packageHdr = `
+// *** DO NOT MODIFY ***
+// AUTOGENERATED BY go generate from type_generate.go
+
+package dns
+
+import (
+	"encoding/base64"
+	"net"
+)
+
+`
+
+var TypeToRR = template.Must(template.New("TypeToRR").Parse(`
+// TypeToRR is a map of constructors for each RR type.
+var TypeToRR = map[uint16]func() RR{
+{{range .}}{{if ne . "RFC3597"}}  Type{{.}}:  func() RR { return new({{.}}) },
+{{end}}{{end}}                    }
+
+`))
+
+var typeToString = template.Must(template.New("typeToString").Parse(`
+// TypeToString is a map of strings for each RR type.
+var TypeToString = map[uint16]string{
+{{range .}}{{if ne . "NSAPPTR"}}  Type{{.}}: "{{.}}",
+{{end}}{{end}}                    TypeNSAPPTR:    "NSAP-PTR",
+}
+
+`))
+
+var headerFunc = template.Must(template.New("headerFunc").Parse(`
+// Header() functions
+{{range .}}  func (rr *{{.}}) Header() *RR_Header { return &rr.Hdr }
+{{end}}
+
+`))
+
+// getTypeStruct will take a type and the package scope, and return the
+// (innermost) struct if the type is considered a RR type (currently defined as
+// those structs beginning with a RR_Header, could be redefined as implementing
+// the RR interface). The bool return value indicates if embedded structs were
+// resolved.
+func getTypeStruct(t types.Type, scope *types.Scope) (*types.Struct, bool) {
+	st, ok := t.Underlying().(*types.Struct)
+	if !ok {
+		return nil, false
+	}
+	if st.Field(0).Type() == scope.Lookup("RR_Header").Type() {
+		return st, false
+	}
+	if st.Field(0).Anonymous() {
+		st, _ := getTypeStruct(st.Field(0).Type(), scope)
+		return st, true
+	}
+	return nil, false
+}
+
+func main() {
+	// Import and type-check the package
+	pkg, err := importer.Default().Import("github.com/miekg/dns")
+	fatalIfErr(err)
+	scope := pkg.Scope()
+
+	// Collect constants like TypeX
+	var numberedTypes []string
+	for _, name := range scope.Names() {
+		o := scope.Lookup(name)
+		if o == nil || !o.Exported() {
+			continue
+		}
+		b, ok := o.Type().(*types.Basic)
+		if !ok || b.Kind() != types.Uint16 {
+			continue
+		}
+		if !strings.HasPrefix(o.Name(), "Type") {
+			continue
+		}
+		name := strings.TrimPrefix(o.Name(), "Type")
+		if name == "PrivateRR" {
+			continue
+		}
+		numberedTypes = append(numberedTypes, name)
+	}
+
+	// Collect actual types (*X)
+	var namedTypes []string
+	for _, name := range scope.Names() {
+		o := scope.Lookup(name)
+		if o == nil || !o.Exported() {
+			continue
+		}
+		if st, _ := getTypeStruct(o.Type(), scope); st == nil {
+			continue
+		}
+		if name == "PrivateRR" {
+			continue
+		}
+
+		// Check if corresponding TypeX exists
+		if scope.Lookup("Type"+o.Name()) == nil && o.Name() != "RFC3597" {
+			log.Fatalf("Constant Type%s does not exist.", o.Name())
+		}
+
+		namedTypes = append(namedTypes, o.Name())
+	}
+
+	b := &bytes.Buffer{}
+	b.WriteString(packageHdr)
+
+	// Generate TypeToRR
+	fatalIfErr(TypeToRR.Execute(b, namedTypes))
+
+	// Generate typeToString
+	fatalIfErr(typeToString.Execute(b, numberedTypes))
+
+	// Generate headerFunc
+	fatalIfErr(headerFunc.Execute(b, namedTypes))
+
+	// Generate len()
+	fmt.Fprint(b, "// len() functions\n")
+	for _, name := range namedTypes {
+		if _, ok := skipLen[name]; ok {
+			continue
+		}
+		o := scope.Lookup(name)
+		st, isEmbedded := getTypeStruct(o.Type(), scope)
+		if isEmbedded {
+			continue
+		}
+		fmt.Fprintf(b, "func (rr *%s) len() int {\n", name)
+		fmt.Fprintf(b, "l := rr.Hdr.len()\n")
+		for i := 1; i < st.NumFields(); i++ {
+			o := func(s string) { fmt.Fprintf(b, s, st.Field(i).Name()) }
+
+			if _, ok := st.Field(i).Type().(*types.Slice); ok {
+				switch st.Tag(i) {
+				case `dns:"-"`:
+					// ignored
+				case `dns:"cdomain-name"`, `dns:"domain-name"`, `dns:"txt"`:
+					o("for _, x := range rr.%s { l += len(x) + 1 }\n")
+				default:
+					log.Fatalln(name, st.Field(i).Name(), st.Tag(i))
+				}
+				continue
+			}
+
+			switch {
+			case st.Tag(i) == `dns:"-"`:
+				// ignored
+			case st.Tag(i) == `dns:"cdomain-name"`, st.Tag(i) == `dns:"domain-name"`:
+				o("l += len(rr.%s) + 1\n")
+			case st.Tag(i) == `dns:"octet"`:
+				o("l += len(rr.%s)\n")
+			case strings.HasPrefix(st.Tag(i), `dns:"size-base64`):
+				fallthrough
+			case st.Tag(i) == `dns:"base64"`:
+				o("l += base64.StdEncoding.DecodedLen(len(rr.%s))\n")
+			case strings.HasPrefix(st.Tag(i), `dns:"size-hex`):
+				fallthrough
+			case st.Tag(i) == `dns:"hex"`:
+				o("l += len(rr.%s)/2 + 1\n")
+			case st.Tag(i) == `dns:"a"`:
+				o("l += net.IPv4len // %s\n")
+			case st.Tag(i) == `dns:"aaaa"`:
+				o("l += net.IPv6len // %s\n")
+			case st.Tag(i) == `dns:"txt"`:
+				o("for _, t := range rr.%s { l += len(t) + 1 }\n")
+			case st.Tag(i) == `dns:"uint48"`:
+				o("l += 6 // %s\n")
+			case st.Tag(i) == "":
+				switch st.Field(i).Type().(*types.Basic).Kind() {
+				case types.Uint8:
+					o("l++ // %s\n")
+				case types.Uint16:
+					o("l += 2 // %s\n")
+				case types.Uint32:
+					o("l += 4 // %s\n")
+				case types.Uint64:
+					o("l += 8 // %s\n")
+				case types.String:
+					o("l += len(rr.%s) + 1\n")
+				default:
+					log.Fatalln(name, st.Field(i).Name())
+				}
+			default:
+				log.Fatalln(name, st.Field(i).Name(), st.Tag(i))
+			}
+		}
+		fmt.Fprintf(b, "return l }\n")
+	}
+
+	// Generate copy()
+	fmt.Fprint(b, "// copy() functions\n")
+	for _, name := range namedTypes {
+		o := scope.Lookup(name)
+		st, isEmbedded := getTypeStruct(o.Type(), scope)
+		if isEmbedded {
+			continue
+		}
+		fmt.Fprintf(b, "func (rr *%s) copy() RR {\n", name)
+		fields := []string{"*rr.Hdr.copyHeader()"}
+		for i := 1; i < st.NumFields(); i++ {
+			f := st.Field(i).Name()
+			if sl, ok := st.Field(i).Type().(*types.Slice); ok {
+				t := sl.Underlying().String()
+				t = strings.TrimPrefix(t, "[]")
+				if strings.Contains(t, ".") {
+					splits := strings.Split(t, ".")
+					t = splits[len(splits)-1]
+				}
+				fmt.Fprintf(b, "%s := make([]%s, len(rr.%s)); copy(%s, rr.%s)\n",
+					f, t, f, f, f)
+				fields = append(fields, f)
+				continue
+			}
+			if st.Field(i).Type().String() == "net.IP" {
+				fields = append(fields, "copyIP(rr."+f+")")
+				continue
+			}
+			fields = append(fields, "rr."+f)
+		}
+		fmt.Fprintf(b, "return &%s{%s}\n", name, strings.Join(fields, ","))
+		fmt.Fprintf(b, "}\n")
+	}
+
+	// gofmt
+	res, err := format.Source(b.Bytes())
+	if err != nil {
+		b.WriteTo(os.Stderr)
+		log.Fatal(err)
+	}
+
+	// write result
+	f, err := os.Create("ztypes.go")
+	fatalIfErr(err)
+	defer f.Close()
+	f.Write(res)
+}
+
+func fatalIfErr(err error) {
+	if err != nil {
+		log.Fatal(err)
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/types_test.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/types_test.go
new file mode 100644
index 000000000..c117cfbc7
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/types_test.go
@@ -0,0 +1,74 @@
+package dns
+
+import (
+	"testing"
+)
+
+func TestCmToM(t *testing.T) {
+	s := cmToM(0, 0)
+	if s != "0.00" {
+		t.Error("0, 0")
+	}
+
+	s = cmToM(1, 0)
+	if s != "0.01" {
+		t.Error("1, 0")
+	}
+
+	s = cmToM(3, 1)
+	if s != "0.30" {
+		t.Error("3, 1")
+	}
+
+	s = cmToM(4, 2)
+	if s != "4" {
+		t.Error("4, 2")
+	}
+
+	s = cmToM(5, 3)
+	if s != "50" {
+		t.Error("5, 3")
+	}
+
+	s = cmToM(7, 5)
+	if s != "7000" {
+		t.Error("7, 5")
+	}
+
+	s = cmToM(9, 9)
+	if s != "90000000" {
+		t.Error("9, 9")
+	}
+}
+
+func TestSplitN(t *testing.T) {
+	xs := splitN("abc", 5)
+	if len(xs) != 1 && xs[0] != "abc" {
+		t.Errorf("Failure to split abc")
+	}
+
+	s := ""
+	for i := 0; i < 255; i++ {
+		s += "a"
+	}
+
+	xs = splitN(s, 255)
+	if len(xs) != 1 && xs[0] != s {
+		t.Errorf("failure to split 255 char long string")
+	}
+
+	s += "b"
+	xs = splitN(s, 255)
+	if len(xs) != 2 || xs[1] != "b" {
+		t.Errorf("failure to split 256 char long string: %d", len(xs))
+	}
+
+	// Make s longer
+	for i := 0; i < 255; i++ {
+		s += "a"
+	}
+	xs = splitN(s, 255)
+	if len(xs) != 3 || xs[2] != "a" {
+		t.Errorf("failure to split 510 char long string: %d", len(xs))
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/udp.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/udp.go
new file mode 100644
index 000000000..af111b9a8
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/udp.go
@@ -0,0 +1,34 @@
+// +build !windows
+
+package dns
+
+import (
+	"net"
+)
+
+// SessionUDP holds the remote address and the associated
+// out-of-band data.
+type SessionUDP struct {
+	raddr   *net.UDPAddr
+	context []byte
+}
+
+// RemoteAddr returns the remote network address.
+func (s *SessionUDP) RemoteAddr() net.Addr { return s.raddr }
+
+// ReadFromSessionUDP acts just like net.UDPConn.ReadFrom(), but returns a session object instead of a
+// net.UDPAddr.
+func ReadFromSessionUDP(conn *net.UDPConn, b []byte) (int, *SessionUDP, error) {
+	oob := make([]byte, 40)
+	n, oobn, _, raddr, err := conn.ReadMsgUDP(b, oob)
+	if err != nil {
+		return n, nil, err
+	}
+	return n, &SessionUDP{raddr, oob[:oobn]}, err
+}
+
+// WriteToSessionUDP acts just like net.UDPConn.WritetTo(), but uses a *SessionUDP instead of a net.Addr.
+func WriteToSessionUDP(conn *net.UDPConn, b []byte, session *SessionUDP) (int, error) {
+	n, _, err := conn.WriteMsgUDP(b, session.context, session.raddr)
+	return n, err
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/udp_linux.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/udp_linux.go
new file mode 100644
index 000000000..033df4239
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/udp_linux.go
@@ -0,0 +1,105 @@
+// +build linux,!appengine
+
+package dns
+
+// See:
+// * http://stackoverflow.com/questions/3062205/setting-the-source-ip-for-a-udp-socket and
+// * http://blog.powerdns.com/2012/10/08/on-binding-datagram-udp-sockets-to-the-any-addresses/
+//
+// Why do we need this: When listening on 0.0.0.0 with UDP so kernel decides what is the outgoing
+// interface, this might not always be the correct one. This code will make sure the egress
+// packet's interface matched the ingress' one.
+
+import (
+	"net"
+	"syscall"
+)
+
+// setUDPSocketOptions sets the UDP socket options.
+// This function is implemented on a per platform basis. See udp_*.go for more details
+func setUDPSocketOptions(conn *net.UDPConn) error {
+	sa, err := getUDPSocketName(conn)
+	if err != nil {
+		return err
+	}
+	switch sa.(type) {
+	case *syscall.SockaddrInet6:
+		v6only, err := getUDPSocketOptions6Only(conn)
+		if err != nil {
+			return err
+		}
+		setUDPSocketOptions6(conn)
+		if !v6only {
+			setUDPSocketOptions4(conn)
+		}
+	case *syscall.SockaddrInet4:
+		setUDPSocketOptions4(conn)
+	}
+	return nil
+}
+
+// setUDPSocketOptions4 prepares the v4 socket for sessions.
+func setUDPSocketOptions4(conn *net.UDPConn) error {
+	file, err := conn.File()
+	if err != nil {
+		return err
+	}
+	if err := syscall.SetsockoptInt(int(file.Fd()), syscall.IPPROTO_IP, syscall.IP_PKTINFO, 1); err != nil {
+		file.Close()
+		return err
+	}
+	// Calling File() above results in the connection becoming blocking, we must fix that.
+	// See https://github.com/miekg/dns/issues/279
+	err = syscall.SetNonblock(int(file.Fd()), true)
+	if err != nil {
+		file.Close()
+		return err
+	}
+	file.Close()
+	return nil
+}
+
+// setUDPSocketOptions6 prepares the v6 socket for sessions.
+func setUDPSocketOptions6(conn *net.UDPConn) error {
+	file, err := conn.File()
+	if err != nil {
+		return err
+	}
+	if err := syscall.SetsockoptInt(int(file.Fd()), syscall.IPPROTO_IPV6, syscall.IPV6_RECVPKTINFO, 1); err != nil {
+		file.Close()
+		return err
+	}
+	err = syscall.SetNonblock(int(file.Fd()), true)
+	if err != nil {
+		file.Close()
+		return err
+	}
+	file.Close()
+	return nil
+}
+
+// getUDPSocketOption6Only return true if the socket is v6 only and false when it is v4/v6 combined
+// (dualstack).
+func getUDPSocketOptions6Only(conn *net.UDPConn) (bool, error) {
+	file, err := conn.File()
+	if err != nil {
+		return false, err
+	}
+	// dual stack. See http://stackoverflow.com/questions/1618240/how-to-support-both-ipv4-and-ipv6-connections
+	v6only, err := syscall.GetsockoptInt(int(file.Fd()), syscall.IPPROTO_IPV6, syscall.IPV6_V6ONLY)
+	if err != nil {
+		file.Close()
+		return false, err
+	}
+	file.Close()
+	return v6only == 1, nil
+}
+
+func getUDPSocketName(conn *net.UDPConn) (syscall.Sockaddr, error) {
+	file, err := conn.File()
+	if err != nil {
+		return nil, err
+	}
+	defer file.Close()
+	return syscall.Getsockname(int(file.Fd()))
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/udp_other.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/udp_other.go
new file mode 100644
index 000000000..488a282b2
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/udp_other.go
@@ -0,0 +1,15 @@
+// +build !linux appengine
+
+package dns
+
+import (
+	"net"
+)
+
+// These do nothing. See udp_linux.go for an example of how to implement this.
+
+// We tried to adhire to some kind of naming scheme.
+func setUDPSocketOptions(conn *net.UDPConn) error                  { return nil }
+func setUDPSocketOptions4(conn *net.UDPConn) error                 { return nil }
+func setUDPSocketOptions6(conn *net.UDPConn) error                 { return nil }
+func getUDPSocketOptions6Only(conn *net.UDPConn) (bool, error)     { return false, nil }
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/udp_windows.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/udp_windows.go
new file mode 100644
index 000000000..51e532ac2
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/udp_windows.go
@@ -0,0 +1,29 @@
+// +build windows
+
+package dns
+
+import "net"
+
+type SessionUDP struct {
+	raddr *net.UDPAddr
+}
+
+func (s *SessionUDP) RemoteAddr() net.Addr { return s.raddr }
+
+// ReadFromSessionUDP acts just like net.UDPConn.ReadFrom(), but returns a session object instead of a
+// net.UDPAddr.
+func ReadFromSessionUDP(conn *net.UDPConn, b []byte) (int, *SessionUDP, error) {
+	n, raddr, err := conn.ReadFrom(b)
+	if err != nil {
+		return n, nil, err
+	}
+	session := &SessionUDP{raddr.(*net.UDPAddr)}
+	return n, session, err
+}
+
+// WriteToSessionUDP acts just like net.UDPConn.WritetTo(), but uses a *SessionUDP instead of a net.Addr.
+func WriteToSessionUDP(conn *net.UDPConn, b []byte, session *SessionUDP) (int, error) {
+	n, err := conn.WriteTo(b, session.raddr)
+	return n, err
+}
+
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/update.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/update.go
new file mode 100644
index 000000000..e90c5c968
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/update.go
@@ -0,0 +1,106 @@
+package dns
+
+// NameUsed sets the RRs in the prereq section to
+// "Name is in use" RRs. RFC 2136 section 2.4.4.
+func (u *Msg) NameUsed(rr []RR) {
+	if u.Answer == nil {
+		u.Answer = make([]RR, 0, len(rr))
+	}
+	for _, r := range rr {
+		u.Answer = append(u.Answer, &ANY{Hdr: RR_Header{Name: r.Header().Name, Ttl: 0, Rrtype: TypeANY, Class: ClassANY}})
+	}
+}
+
+// NameNotUsed sets the RRs in the prereq section to
+// "Name is in not use" RRs. RFC 2136 section 2.4.5.
+func (u *Msg) NameNotUsed(rr []RR) {
+	if u.Answer == nil {
+		u.Answer = make([]RR, 0, len(rr))
+	}
+	for _, r := range rr {
+		u.Answer = append(u.Answer, &ANY{Hdr: RR_Header{Name: r.Header().Name, Ttl: 0, Rrtype: TypeANY, Class: ClassNONE}})
+	}
+}
+
+// Used sets the RRs in the prereq section to
+// "RRset exists (value dependent -- with rdata)" RRs. RFC 2136 section 2.4.2.
+func (u *Msg) Used(rr []RR) {
+	if len(u.Question) == 0 {
+		panic("dns: empty question section")
+	}
+	if u.Answer == nil {
+		u.Answer = make([]RR, 0, len(rr))
+	}
+	for _, r := range rr {
+		r.Header().Class = u.Question[0].Qclass
+		u.Answer = append(u.Answer, r)
+	}
+}
+
+// RRsetUsed sets the RRs in the prereq section to
+// "RRset exists (value independent -- no rdata)" RRs. RFC 2136 section 2.4.1.
+func (u *Msg) RRsetUsed(rr []RR) {
+	if u.Answer == nil {
+		u.Answer = make([]RR, 0, len(rr))
+	}
+	for _, r := range rr {
+		u.Answer = append(u.Answer, &ANY{Hdr: RR_Header{Name: r.Header().Name, Ttl: 0, Rrtype: r.Header().Rrtype, Class: ClassANY}})
+	}
+}
+
+// RRsetNotUsed sets the RRs in the prereq section to
+// "RRset does not exist" RRs. RFC 2136 section 2.4.3.
+func (u *Msg) RRsetNotUsed(rr []RR) {
+	if u.Answer == nil {
+		u.Answer = make([]RR, 0, len(rr))
+	}
+	for _, r := range rr {
+		u.Answer = append(u.Answer, &ANY{Hdr: RR_Header{Name: r.Header().Name, Ttl: 0, Rrtype: r.Header().Rrtype, Class: ClassNONE}})
+	}
+}
+
+// Insert creates a dynamic update packet that adds an complete RRset, see RFC 2136 section 2.5.1.
+func (u *Msg) Insert(rr []RR) {
+	if len(u.Question) == 0 {
+		panic("dns: empty question section")
+	}
+	if u.Ns == nil {
+		u.Ns = make([]RR, 0, len(rr))
+	}
+	for _, r := range rr {
+		r.Header().Class = u.Question[0].Qclass
+		u.Ns = append(u.Ns, r)
+	}
+}
+
+// RemoveRRset creates a dynamic update packet that deletes an RRset, see RFC 2136 section 2.5.2.
+func (u *Msg) RemoveRRset(rr []RR) {
+	if u.Ns == nil {
+		u.Ns = make([]RR, 0, len(rr))
+	}
+	for _, r := range rr {
+		u.Ns = append(u.Ns, &ANY{Hdr: RR_Header{Name: r.Header().Name, Ttl: 0, Rrtype: r.Header().Rrtype, Class: ClassANY}})
+	}
+}
+
+// RemoveName creates a dynamic update packet that deletes all RRsets of a name, see RFC 2136 section 2.5.3
+func (u *Msg) RemoveName(rr []RR) {
+	if u.Ns == nil {
+		u.Ns = make([]RR, 0, len(rr))
+	}
+	for _, r := range rr {
+		u.Ns = append(u.Ns, &ANY{Hdr: RR_Header{Name: r.Header().Name, Ttl: 0, Rrtype: TypeANY, Class: ClassANY}})
+	}
+}
+
+// Remove creates a dynamic update packet deletes RR from a RRSset, see RFC 2136 section 2.5.4
+func (u *Msg) Remove(rr []RR) {
+	if u.Ns == nil {
+		u.Ns = make([]RR, 0, len(rr))
+	}
+	for _, r := range rr {
+		r.Header().Class = ClassNONE
+		r.Header().Ttl = 0
+		u.Ns = append(u.Ns, r)
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/update_test.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/update_test.go
new file mode 100644
index 000000000..12760a1ee
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/update_test.go
@@ -0,0 +1,145 @@
+package dns
+
+import (
+	"bytes"
+	"testing"
+)
+
+func TestDynamicUpdateParsing(t *testing.T) {
+	prefix := "example.com. IN "
+	for _, typ := range TypeToString {
+		if typ == "OPT" || typ == "AXFR" || typ == "IXFR" || typ == "ANY" || typ == "TKEY" ||
+			typ == "TSIG" || typ == "ISDN" || typ == "UNSPEC" || typ == "NULL" || typ == "ATMA" ||
+			typ == "Reserved" || typ == "None" || typ == "NXT" || typ == "MAILB" || typ == "MAILA" {
+			continue
+		}
+		r, err := NewRR(prefix + typ)
+		if err != nil {
+			t.Errorf("failure to parse: %s %s: %v", prefix, typ, err)
+		} else {
+			t.Logf("parsed: %s", r.String())
+		}
+	}
+}
+
+func TestDynamicUpdateUnpack(t *testing.T) {
+	// From https://github.com/miekg/dns/issues/150#issuecomment-62296803
+	// It should be an update message for the zone "example.",
+	// deleting the A RRset "example." and then adding an A record at "example.".
+	// class ANY, TYPE A
+	buf := []byte{171, 68, 40, 0, 0, 1, 0, 0, 0, 2, 0, 0, 7, 101, 120, 97, 109, 112, 108, 101, 0, 0, 6, 0, 1, 192, 12, 0, 1, 0, 255, 0, 0, 0, 0, 0, 0, 192, 12, 0, 1, 0, 1, 0, 0, 0, 0, 0, 4, 127, 0, 0, 1}
+	msg := new(Msg)
+	err := msg.Unpack(buf)
+	if err != nil {
+		t.Errorf("failed to unpack: %v\n%s", err, msg.String())
+	}
+}
+
+func TestDynamicUpdateZeroRdataUnpack(t *testing.T) {
+	m := new(Msg)
+	rr := &RR_Header{Name: ".", Rrtype: 0, Class: 1, Ttl: ^uint32(0), Rdlength: 0}
+	m.Answer = []RR{rr, rr, rr, rr, rr}
+	m.Ns = m.Answer
+	for n, s := range TypeToString {
+		rr.Rrtype = n
+		bytes, err := m.Pack()
+		if err != nil {
+			t.Errorf("failed to pack %s: %v", s, err)
+			continue
+		}
+		if err := new(Msg).Unpack(bytes); err != nil {
+			t.Errorf("failed to unpack %s: %v", s, err)
+		}
+	}
+}
+
+func TestRemoveRRset(t *testing.T) {
+	// Should add a zero data RR in Class ANY with a TTL of 0
+	// for each set mentioned in the RRs provided to it.
+	rr, err := NewRR(". 100 IN A 127.0.0.1")
+	if err != nil {
+		t.Fatalf("error constructing RR: %v", err)
+	}
+	m := new(Msg)
+	m.Ns = []RR{&RR_Header{Name: ".", Rrtype: TypeA, Class: ClassANY, Ttl: 0, Rdlength: 0}}
+	expectstr := m.String()
+	expect, err := m.Pack()
+	if err != nil {
+		t.Fatalf("error packing expected msg: %v", err)
+	}
+
+	m.Ns = nil
+	m.RemoveRRset([]RR{rr})
+	actual, err := m.Pack()
+	if err != nil {
+		t.Fatalf("error packing actual msg: %v", err)
+	}
+	if !bytes.Equal(actual, expect) {
+		tmp := new(Msg)
+		if err := tmp.Unpack(actual); err != nil {
+			t.Fatalf("error unpacking actual msg: %v\nexpected: %v\ngot: %v\n", err, expect, actual)
+		}
+		t.Errorf("expected msg:\n%s", expectstr)
+		t.Errorf("actual msg:\n%v", tmp)
+	}
+}
+
+func TestPreReqAndRemovals(t *testing.T) {
+	// Build a list of multiple prereqs and then somes removes followed by an insert.
+	// We should be able to add multiple prereqs and updates.
+	m := new(Msg)
+	m.SetUpdate("example.org.")
+	m.Id = 1234
+
+	// Use a full set of RRs each time, so we are sure the rdata is stripped.
+	rrName1, _ := NewRR("name_used. 3600 IN A 127.0.0.1")
+	rrName2, _ := NewRR("name_not_used. 3600 IN A 127.0.0.1")
+	rrRemove1, _ := NewRR("remove1. 3600 IN A 127.0.0.1")
+	rrRemove2, _ := NewRR("remove2. 3600 IN A 127.0.0.1")
+	rrRemove3, _ := NewRR("remove3. 3600 IN A 127.0.0.1")
+	rrInsert, _ := NewRR("insert. 3600 IN A 127.0.0.1")
+	rrRrset1, _ := NewRR("rrset_used1. 3600 IN A 127.0.0.1")
+	rrRrset2, _ := NewRR("rrset_used2. 3600 IN A 127.0.0.1")
+	rrRrset3, _ := NewRR("rrset_not_used. 3600 IN A 127.0.0.1")
+
+	// Handle the prereqs.
+	m.NameUsed([]RR{rrName1})
+	m.NameNotUsed([]RR{rrName2})
+	m.RRsetUsed([]RR{rrRrset1})
+	m.Used([]RR{rrRrset2})
+	m.RRsetNotUsed([]RR{rrRrset3})
+
+	// and now the updates.
+	m.RemoveName([]RR{rrRemove1})
+	m.RemoveRRset([]RR{rrRemove2})
+	m.Remove([]RR{rrRemove3})
+	m.Insert([]RR{rrInsert})
+
+	// This test function isn't a Example function because we print these RR with tabs at the
+	// end and the Example function trim these, thus they never match.
+	// TODO(miek): don't print these tabs and make this into an Example function.
+	expect := `;; opcode: UPDATE, status: NOERROR, id: 1234
+;; flags:; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 0
+
+;; QUESTION SECTION:
+;example.org.	IN	 SOA
+
+;; ANSWER SECTION:
+name_used.	0	ANY	ANY	
+name_not_used.	0	NONE	ANY	
+rrset_used1.	0	ANY	A	
+rrset_used2.	3600	IN	A	127.0.0.1
+rrset_not_used.	0	NONE	A	
+
+;; AUTHORITY SECTION:
+remove1.	0	ANY	ANY	
+remove2.	0	ANY	A	
+remove3.	0	NONE	A	127.0.0.1
+insert.	3600	IN	A	127.0.0.1
+`
+
+	if m.String() != expect {
+		t.Errorf("expected msg:\n%s", expect)
+		t.Errorf("actual msg:\n%v", m.String())
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/xfr.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/xfr.go
new file mode 100644
index 000000000..576c5590a
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/xfr.go
@@ -0,0 +1,255 @@
+package dns
+
+import (
+	"fmt"
+	"time"
+)
+
+// Envelope is used when doing a zone transfer with a remote server.
+type Envelope struct {
+	RR    []RR  // The set of RRs in the answer section of the xfr reply message.
+	Error error // If something went wrong, this contains the error.
+}
+
+// A Transfer defines parameters that are used during a zone transfer.
+type Transfer struct {
+	*Conn
+	DialTimeout    time.Duration     // net.DialTimeout, defaults to 2 seconds
+	ReadTimeout    time.Duration     // net.Conn.SetReadTimeout value for connections, defaults to 2 seconds
+	WriteTimeout   time.Duration     // net.Conn.SetWriteTimeout value for connections, defaults to 2 seconds
+	TsigSecret     map[string]string // Secret(s) for Tsig map[<zonename>]<base64 secret>, zonename must be fully qualified
+	tsigTimersOnly bool
+}
+
+// Think we need to away to stop the transfer
+
+// In performs an incoming transfer with the server in a.
+// If you would like to set the source IP, or some other attribute
+// of a Dialer for a Transfer, you can do so by specifying the attributes
+// in the Transfer.Conn:
+//
+//	d := net.Dialer{LocalAddr: transfer_source}
+//	con, err := d.Dial("tcp", master)
+//	dnscon := &dns.Conn{Conn:con}
+//	transfer = &dns.Transfer{Conn: dnscon}
+//	channel, err := transfer.In(message, master)
+//
+func (t *Transfer) In(q *Msg, a string) (env chan *Envelope, err error) {
+	timeout := dnsTimeout
+	if t.DialTimeout != 0 {
+		timeout = t.DialTimeout
+	}
+	if t.Conn == nil {
+		t.Conn, err = DialTimeout("tcp", a, timeout)
+		if err != nil {
+			return nil, err
+		}
+	}
+	if err := t.WriteMsg(q); err != nil {
+		return nil, err
+	}
+	env = make(chan *Envelope)
+	go func() {
+		if q.Question[0].Qtype == TypeAXFR {
+			go t.inAxfr(q.Id, env)
+			return
+		}
+		if q.Question[0].Qtype == TypeIXFR {
+			go t.inIxfr(q.Id, env)
+			return
+		}
+	}()
+	return env, nil
+}
+
+func (t *Transfer) inAxfr(id uint16, c chan *Envelope) {
+	first := true
+	defer t.Close()
+	defer close(c)
+	timeout := dnsTimeout
+	if t.ReadTimeout != 0 {
+		timeout = t.ReadTimeout
+	}
+	for {
+		t.Conn.SetReadDeadline(time.Now().Add(timeout))
+		in, err := t.ReadMsg()
+		if err != nil {
+			c <- &Envelope{nil, err}
+			return
+		}
+		if id != in.Id {
+			c <- &Envelope{in.Answer, ErrId}
+			return
+		}
+		if first {
+			if in.Rcode != RcodeSuccess {
+				c <- &Envelope{in.Answer, &Error{err: fmt.Sprintf(errXFR, in.Rcode)}}
+				return
+			}
+			if !isSOAFirst(in) {
+				c <- &Envelope{in.Answer, ErrSoa}
+				return
+			}
+			first = !first
+			// only one answer that is SOA, receive more
+			if len(in.Answer) == 1 {
+				t.tsigTimersOnly = true
+				c <- &Envelope{in.Answer, nil}
+				continue
+			}
+		}
+
+		if !first {
+			t.tsigTimersOnly = true // Subsequent envelopes use this.
+			if isSOALast(in) {
+				c <- &Envelope{in.Answer, nil}
+				return
+			}
+			c <- &Envelope{in.Answer, nil}
+		}
+	}
+}
+
+func (t *Transfer) inIxfr(id uint16, c chan *Envelope) {
+	serial := uint32(0) // The first serial seen is the current server serial
+	first := true
+	defer t.Close()
+	defer close(c)
+	timeout := dnsTimeout
+	if t.ReadTimeout != 0 {
+		timeout = t.ReadTimeout
+	}
+	for {
+		t.SetReadDeadline(time.Now().Add(timeout))
+		in, err := t.ReadMsg()
+		if err != nil {
+			c <- &Envelope{nil, err}
+			return
+		}
+		if id != in.Id {
+			c <- &Envelope{in.Answer, ErrId}
+			return
+		}
+		if first {
+			if in.Rcode != RcodeSuccess {
+				c <- &Envelope{in.Answer, &Error{err: fmt.Sprintf(errXFR, in.Rcode)}}
+				return
+			}
+			// A single SOA RR signals "no changes"
+			if len(in.Answer) == 1 && isSOAFirst(in) {
+				c <- &Envelope{in.Answer, nil}
+				return
+			}
+
+			// Check if the returned answer is ok
+			if !isSOAFirst(in) {
+				c <- &Envelope{in.Answer, ErrSoa}
+				return
+			}
+			// This serial is important
+			serial = in.Answer[0].(*SOA).Serial
+			first = !first
+		}
+
+		// Now we need to check each message for SOA records, to see what we need to do
+		if !first {
+			t.tsigTimersOnly = true
+			// If the last record in the IXFR contains the servers' SOA,  we should quit
+			if v, ok := in.Answer[len(in.Answer)-1].(*SOA); ok {
+				if v.Serial == serial {
+					c <- &Envelope{in.Answer, nil}
+					return
+				}
+			}
+			c <- &Envelope{in.Answer, nil}
+		}
+	}
+}
+
+// Out performs an outgoing transfer with the client connecting in w.
+// Basic use pattern:
+//
+//	ch := make(chan *dns.Envelope)
+//	tr := new(dns.Transfer)
+//	go tr.Out(w, r, ch)
+//	ch <- &dns.Envelope{RR: []dns.RR{soa, rr1, rr2, rr3, soa}}
+//	close(ch)
+//	w.Hijack()
+//	// w.Close() // Client closes connection
+//
+// The server is responsible for sending the correct sequence of RRs through the
+// channel ch.
+func (t *Transfer) Out(w ResponseWriter, q *Msg, ch chan *Envelope) error {
+	for x := range ch {
+		r := new(Msg)
+		// Compress?
+		r.SetReply(q)
+		r.Authoritative = true
+		// assume it fits TODO(miek): fix
+		r.Answer = append(r.Answer, x.RR...)
+		if err := w.WriteMsg(r); err != nil {
+			return err
+		}
+	}
+	w.TsigTimersOnly(true)
+	return nil
+}
+
+// ReadMsg reads a message from the transfer connection t.
+func (t *Transfer) ReadMsg() (*Msg, error) {
+	m := new(Msg)
+	p := make([]byte, MaxMsgSize)
+	n, err := t.Read(p)
+	if err != nil && n == 0 {
+		return nil, err
+	}
+	p = p[:n]
+	if err := m.Unpack(p); err != nil {
+		return nil, err
+	}
+	if ts := m.IsTsig(); ts != nil && t.TsigSecret != nil {
+		if _, ok := t.TsigSecret[ts.Hdr.Name]; !ok {
+			return m, ErrSecret
+		}
+		// Need to work on the original message p, as that was used to calculate the tsig.
+		err = TsigVerify(p, t.TsigSecret[ts.Hdr.Name], t.tsigRequestMAC, t.tsigTimersOnly)
+		t.tsigRequestMAC = ts.MAC
+	}
+	return m, err
+}
+
+// WriteMsg writes a message through the transfer connection t.
+func (t *Transfer) WriteMsg(m *Msg) (err error) {
+	var out []byte
+	if ts := m.IsTsig(); ts != nil && t.TsigSecret != nil {
+		if _, ok := t.TsigSecret[ts.Hdr.Name]; !ok {
+			return ErrSecret
+		}
+		out, t.tsigRequestMAC, err = TsigGenerate(m, t.TsigSecret[ts.Hdr.Name], t.tsigRequestMAC, t.tsigTimersOnly)
+	} else {
+		out, err = m.Pack()
+	}
+	if err != nil {
+		return err
+	}
+	if _, err = t.Write(out); err != nil {
+		return err
+	}
+	return nil
+}
+
+func isSOAFirst(in *Msg) bool {
+	if len(in.Answer) > 0 {
+		return in.Answer[0].Header().Rrtype == TypeSOA
+	}
+	return false
+}
+
+func isSOALast(in *Msg) bool {
+	if len(in.Answer) > 0 {
+		return in.Answer[len(in.Answer)-1].Header().Rrtype == TypeSOA
+	}
+	return false
+}
+
+const errXFR = "bad xfr rcode: %d"
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/xfr_test.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/xfr_test.go
new file mode 100644
index 000000000..a478963a3
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/xfr_test.go
@@ -0,0 +1,184 @@
+// +build net
+
+package dns
+
+import (
+	"net"
+	"strings"
+	"testing"
+	"time"
+)
+
+func getIP(s string) string {
+	a, err := net.LookupAddr(s)
+	if err != nil {
+		return ""
+	}
+	return a[0]
+}
+
+// flaky, need to setup local server and test from that.
+func TestAXFR_Miek(t *testing.T) {
+	// This test runs against a server maintained by Miek
+	if testing.Short() {
+		return
+	}
+	m := new(Msg)
+	m.SetAxfr("miek.nl.")
+
+	server := getIP("linode.atoom.net")
+
+	tr := new(Transfer)
+
+	if a, err := tr.In(m, net.JoinHostPort(server, "53")); err != nil {
+		t.Fatal("failed to setup axfr: ", err)
+	} else {
+		for ex := range a {
+			if ex.Error != nil {
+				t.Errorf("error %v", ex.Error)
+				break
+			}
+			for _, rr := range ex.RR {
+				t.Log(rr.String())
+			}
+		}
+	}
+}
+
+// fails.
+func TestAXFR_NLNL_MultipleEnvelopes(t *testing.T) {
+	// This test runs against a server maintained by NLnet Labs
+	if testing.Short() {
+		return
+	}
+	m := new(Msg)
+	m.SetAxfr("nlnetlabs.nl.")
+
+	server := getIP("open.nlnetlabs.nl.")
+
+	tr := new(Transfer)
+	if a, err := tr.In(m, net.JoinHostPort(server, "53")); err != nil {
+		t.Fatalf("failed to setup axfr %v for server: %v", err, server)
+	} else {
+		for ex := range a {
+			if ex.Error != nil {
+				t.Errorf("error %v", ex.Error)
+				break
+			}
+		}
+	}
+}
+
+func TestAXFR_Miek_Tsig(t *testing.T) {
+	// This test runs against a server maintained by Miek
+	if testing.Short() {
+		return
+	}
+	m := new(Msg)
+	m.SetAxfr("example.nl.")
+	m.SetTsig("axfr.", HmacMD5, 300, time.Now().Unix())
+
+	tr := new(Transfer)
+	tr.TsigSecret = map[string]string{"axfr.": "so6ZGir4GPAqINNh9U5c3A=="}
+
+	if a, err := tr.In(m, "176.58.119.54:53"); err != nil {
+		t.Fatal("failed to setup axfr: ", err)
+	} else {
+		for ex := range a {
+			if ex.Error != nil {
+				t.Errorf("error %v", ex.Error)
+				break
+			}
+			for _, rr := range ex.RR {
+				t.Log(rr.String())
+			}
+		}
+	}
+}
+
+func TestAXFR_SIDN_NSD3_NONE(t *testing.T)   { testAXFRSIDN(t, "nsd", "") }
+func TestAXFR_SIDN_NSD3_MD5(t *testing.T)    { testAXFRSIDN(t, "nsd", HmacMD5) }
+func TestAXFR_SIDN_NSD3_SHA1(t *testing.T)   { testAXFRSIDN(t, "nsd", HmacSHA1) }
+func TestAXFR_SIDN_NSD3_SHA256(t *testing.T) { testAXFRSIDN(t, "nsd", HmacSHA256) }
+
+func TestAXFR_SIDN_NSD4_NONE(t *testing.T)   { testAXFRSIDN(t, "nsd4", "") }
+func TestAXFR_SIDN_NSD4_MD5(t *testing.T)    { testAXFRSIDN(t, "nsd4", HmacMD5) }
+func TestAXFR_SIDN_NSD4_SHA1(t *testing.T)   { testAXFRSIDN(t, "nsd4", HmacSHA1) }
+func TestAXFR_SIDN_NSD4_SHA256(t *testing.T) { testAXFRSIDN(t, "nsd4", HmacSHA256) }
+
+func TestAXFR_SIDN_BIND9_NONE(t *testing.T)   { testAXFRSIDN(t, "bind9", "") }
+func TestAXFR_SIDN_BIND9_MD5(t *testing.T)    { testAXFRSIDN(t, "bind9", HmacMD5) }
+func TestAXFR_SIDN_BIND9_SHA1(t *testing.T)   { testAXFRSIDN(t, "bind9", HmacSHA1) }
+func TestAXFR_SIDN_BIND9_SHA256(t *testing.T) { testAXFRSIDN(t, "bind9", HmacSHA256) }
+
+func TestAXFR_SIDN_KNOT_NONE(t *testing.T)   { testAXFRSIDN(t, "knot", "") }
+func TestAXFR_SIDN_KNOT_MD5(t *testing.T)    { testAXFRSIDN(t, "knot", HmacMD5) }
+func TestAXFR_SIDN_KNOT_SHA1(t *testing.T)   { testAXFRSIDN(t, "knot", HmacSHA1) }
+func TestAXFR_SIDN_KNOT_SHA256(t *testing.T) { testAXFRSIDN(t, "knot", HmacSHA256) }
+
+func TestAXFR_SIDN_POWERDNS_NONE(t *testing.T)   { testAXFRSIDN(t, "powerdns", "") }
+func TestAXFR_SIDN_POWERDNS_MD5(t *testing.T)    { testAXFRSIDN(t, "powerdns", HmacMD5) }
+func TestAXFR_SIDN_POWERDNS_SHA1(t *testing.T)   { testAXFRSIDN(t, "powerdns", HmacSHA1) }
+func TestAXFR_SIDN_POWERDNS_SHA256(t *testing.T) { testAXFRSIDN(t, "powerdns", HmacSHA256) }
+
+func TestAXFR_SIDN_YADIFA_NONE(t *testing.T)   { testAXFRSIDN(t, "yadifa", "") }
+func TestAXFR_SIDN_YADIFA_MD5(t *testing.T)    { testAXFRSIDN(t, "yadifa", HmacMD5) }
+func TestAXFR_SIDN_YADIFA_SHA1(t *testing.T)   { testAXFRSIDN(t, "yadifa", HmacSHA1) }
+func TestAXFR_SIDN_YADIFA_SHA256(t *testing.T) { testAXFRSIDN(t, "yadifa", HmacSHA256) }
+
+func testAXFRSIDN(t *testing.T, host, alg string) {
+	// This tests run against a server maintained by SIDN labs, see:
+	// https://workbench.sidnlabs.nl/
+	if testing.Short() {
+		return
+	}
+	x := new(Transfer)
+	x.TsigSecret = map[string]string{
+		"wb_md5.":          "Wu/utSasZUkoeCNku152Zw==",
+		"wb_sha1_longkey.": "uhMpEhPq/RAD9Bt4mqhfmi+7ZdKmjLQb/lcrqYPXR4s/nnbsqw==",
+		"wb_sha256.":       "npfrIJjt/MJOjGJoBNZtsjftKMhkSpIYMv2RzRZt1f8=",
+	}
+	keyname := map[string]string{
+		HmacMD5:    "wb_md5.",
+		HmacSHA1:   "wb_sha1_longkey.",
+		HmacSHA256: "wb_sha256.",
+	}[alg]
+
+	m := new(Msg)
+	m.SetAxfr("types.wb.sidnlabs.nl.")
+	if keyname != "" {
+		m.SetTsig(keyname, alg, 300, time.Now().Unix())
+	}
+	c, err := x.In(m, host+".sidnlabs.nl:53")
+	if err != nil {
+		t.Fatal(err)
+	}
+	for e := range c {
+		if e.Error != nil {
+			t.Fatal(e.Error)
+		}
+	}
+}
+
+func TestAXFRFailNotAuth(t *testing.T) {
+	// This tests run against a server maintained by SIDN labs, see:
+	// https://workbench.sidnlabs.nl/
+	if testing.Short() {
+		return
+	}
+	x := new(Transfer)
+
+	m := new(Msg)
+	m.SetAxfr("sidnlabs.nl.")
+	c, err := x.In(m, "yadifa.sidnlabs.nl:53")
+	if err != nil {
+		t.Fatal(err)
+	}
+	for e := range c {
+		if e.Error != nil {
+			if !strings.HasPrefix(e.Error.Error(), "dns: bad xfr rcode:") {
+				t.Fatal(e.Error)
+			}
+		}
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/zcompress.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/zcompress.go
new file mode 100644
index 000000000..b277978b9
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/zcompress.go
@@ -0,0 +1,119 @@
+// *** DO NOT MODIFY ***
+// AUTOGENERATED BY go generate from compress_generate.go
+
+package dns
+
+func compressionLenHelperType(c map[string]int, r RR) {
+	switch x := r.(type) {
+	case *PTR:
+		compressionLenHelper(c, x.Ptr)
+	case *SOA:
+		compressionLenHelper(c, x.Ns)
+		compressionLenHelper(c, x.Mbox)
+	case *AFSDB:
+		compressionLenHelper(c, x.Hostname)
+	case *HIP:
+		for i := range x.RendezvousServers {
+			compressionLenHelper(c, x.RendezvousServers[i])
+		}
+	case *LP:
+		compressionLenHelper(c, x.Fqdn)
+	case *CNAME:
+		compressionLenHelper(c, x.Target)
+	case *MB:
+		compressionLenHelper(c, x.Mb)
+	case *RP:
+		compressionLenHelper(c, x.Mbox)
+		compressionLenHelper(c, x.Txt)
+	case *RRSIG:
+		compressionLenHelper(c, x.SignerName)
+	case *MF:
+		compressionLenHelper(c, x.Mf)
+	case *MINFO:
+		compressionLenHelper(c, x.Rmail)
+		compressionLenHelper(c, x.Email)
+	case *SIG:
+		compressionLenHelper(c, x.SignerName)
+	case *SRV:
+		compressionLenHelper(c, x.Target)
+	case *TSIG:
+		compressionLenHelper(c, x.Algorithm)
+	case *KX:
+		compressionLenHelper(c, x.Exchanger)
+	case *MG:
+		compressionLenHelper(c, x.Mg)
+	case *NSAPPTR:
+		compressionLenHelper(c, x.Ptr)
+	case *PX:
+		compressionLenHelper(c, x.Map822)
+		compressionLenHelper(c, x.Mapx400)
+	case *DNAME:
+		compressionLenHelper(c, x.Target)
+	case *MR:
+		compressionLenHelper(c, x.Mr)
+	case *MX:
+		compressionLenHelper(c, x.Mx)
+	case *TKEY:
+		compressionLenHelper(c, x.Algorithm)
+	case *NSEC:
+		compressionLenHelper(c, x.NextDomain)
+	case *TALINK:
+		compressionLenHelper(c, x.PreviousName)
+		compressionLenHelper(c, x.NextName)
+	case *MD:
+		compressionLenHelper(c, x.Md)
+	case *NAPTR:
+		compressionLenHelper(c, x.Replacement)
+	case *NS:
+		compressionLenHelper(c, x.Ns)
+	case *RT:
+		compressionLenHelper(c, x.Host)
+	}
+}
+
+func compressionLenSearchType(c map[string]int, r RR) (int, bool) {
+	switch x := r.(type) {
+	case *MG:
+		k1, ok1 := compressionLenSearch(c, x.Mg)
+		return k1, ok1
+	case *PTR:
+		k1, ok1 := compressionLenSearch(c, x.Ptr)
+		return k1, ok1
+	case *AFSDB:
+		k1, ok1 := compressionLenSearch(c, x.Hostname)
+		return k1, ok1
+	case *MB:
+		k1, ok1 := compressionLenSearch(c, x.Mb)
+		return k1, ok1
+	case *MD:
+		k1, ok1 := compressionLenSearch(c, x.Md)
+		return k1, ok1
+	case *MF:
+		k1, ok1 := compressionLenSearch(c, x.Mf)
+		return k1, ok1
+	case *NS:
+		k1, ok1 := compressionLenSearch(c, x.Ns)
+		return k1, ok1
+	case *RT:
+		k1, ok1 := compressionLenSearch(c, x.Host)
+		return k1, ok1
+	case *SOA:
+		k1, ok1 := compressionLenSearch(c, x.Ns)
+		k2, ok2 := compressionLenSearch(c, x.Mbox)
+		return k1 + k2, ok1 && ok2
+	case *CNAME:
+		k1, ok1 := compressionLenSearch(c, x.Target)
+		return k1, ok1
+	case *MINFO:
+		k1, ok1 := compressionLenSearch(c, x.Rmail)
+		k2, ok2 := compressionLenSearch(c, x.Email)
+		return k1 + k2, ok1 && ok2
+	case *MR:
+		k1, ok1 := compressionLenSearch(c, x.Mr)
+		return k1, ok1
+	case *MX:
+		k1, ok1 := compressionLenSearch(c, x.Mx)
+		return k1, ok1
+	}
+	return 0, false
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/zmsg.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/zmsg.go
new file mode 100644
index 000000000..418fb1fe3
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/zmsg.go
@@ -0,0 +1,3565 @@
+// *** DO NOT MODIFY ***
+// AUTOGENERATED BY go generate from msg_generate.go
+
+package dns
+
+// pack*() functions
+
+func (rr *A) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packDataA(rr.A, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *AAAA) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packDataAAAA(rr.AAAA, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *AFSDB) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint16(rr.Subtype, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = PackDomainName(rr.Hostname, msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *ANY) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *AVC) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packStringTxt(rr.Txt, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *CAA) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint8(rr.Flag, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packString(rr.Tag, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packStringOctet(rr.Value, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *CDNSKEY) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint16(rr.Flags, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.Protocol, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.Algorithm, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packStringBase64(rr.PublicKey, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *CDS) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint16(rr.KeyTag, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.Algorithm, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.DigestType, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packStringHex(rr.Digest, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *CERT) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint16(rr.Type, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(rr.KeyTag, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.Algorithm, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packStringBase64(rr.Certificate, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *CNAME) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = PackDomainName(rr.Target, msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *DHCID) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packStringBase64(rr.Digest, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *DLV) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint16(rr.KeyTag, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.Algorithm, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.DigestType, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packStringHex(rr.Digest, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *DNAME) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = PackDomainName(rr.Target, msg, off, compression, false)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *DNSKEY) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint16(rr.Flags, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.Protocol, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.Algorithm, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packStringBase64(rr.PublicKey, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *DS) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint16(rr.KeyTag, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.Algorithm, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.DigestType, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packStringHex(rr.Digest, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *EID) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packStringHex(rr.Endpoint, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *EUI48) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint48(rr.Address, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *EUI64) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint64(rr.Address, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *GID) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint32(rr.Gid, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *GPOS) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packString(rr.Longitude, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packString(rr.Latitude, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packString(rr.Altitude, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *HINFO) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packString(rr.Cpu, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packString(rr.Os, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *HIP) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint8(rr.HitLength, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.PublicKeyAlgorithm, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(rr.PublicKeyLength, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packStringHex(rr.Hit, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packStringBase64(rr.PublicKey, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packDataDomainNames(rr.RendezvousServers, msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *KEY) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint16(rr.Flags, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.Protocol, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.Algorithm, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packStringBase64(rr.PublicKey, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *KX) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint16(rr.Preference, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = PackDomainName(rr.Exchanger, msg, off, compression, false)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *L32) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint16(rr.Preference, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packDataA(rr.Locator32, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *L64) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint16(rr.Preference, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint64(rr.Locator64, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *LOC) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint8(rr.Version, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.Size, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.HorizPre, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.VertPre, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint32(rr.Latitude, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint32(rr.Longitude, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint32(rr.Altitude, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *LP) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint16(rr.Preference, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = PackDomainName(rr.Fqdn, msg, off, compression, false)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *MB) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = PackDomainName(rr.Mb, msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *MD) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = PackDomainName(rr.Md, msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *MF) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = PackDomainName(rr.Mf, msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *MG) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = PackDomainName(rr.Mg, msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *MINFO) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = PackDomainName(rr.Rmail, msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	off, err = PackDomainName(rr.Email, msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *MR) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = PackDomainName(rr.Mr, msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *MX) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint16(rr.Preference, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = PackDomainName(rr.Mx, msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *NAPTR) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint16(rr.Order, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(rr.Preference, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packString(rr.Flags, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packString(rr.Service, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packString(rr.Regexp, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = PackDomainName(rr.Replacement, msg, off, compression, false)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *NID) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint16(rr.Preference, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint64(rr.NodeID, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *NIMLOC) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packStringHex(rr.Locator, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *NINFO) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packStringTxt(rr.ZSData, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *NS) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = PackDomainName(rr.Ns, msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *NSAPPTR) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = PackDomainName(rr.Ptr, msg, off, compression, false)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *NSEC) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = PackDomainName(rr.NextDomain, msg, off, compression, false)
+	if err != nil {
+		return off, err
+	}
+	off, err = packDataNsec(rr.TypeBitMap, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *NSEC3) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint8(rr.Hash, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.Flags, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(rr.Iterations, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.SaltLength, msg, off)
+	if err != nil {
+		return off, err
+	}
+	// Only pack salt if value is not "-", i.e. empty
+	if rr.Salt != "-" {
+		off, err = packStringHex(rr.Salt, msg, off)
+		if err != nil {
+			return off, err
+		}
+	}
+	off, err = packUint8(rr.HashLength, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packStringBase32(rr.NextDomain, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packDataNsec(rr.TypeBitMap, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *NSEC3PARAM) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint8(rr.Hash, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.Flags, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(rr.Iterations, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.SaltLength, msg, off)
+	if err != nil {
+		return off, err
+	}
+	// Only pack salt if value is not "-", i.e. empty
+	if rr.Salt != "-" {
+		off, err = packStringHex(rr.Salt, msg, off)
+		if err != nil {
+			return off, err
+		}
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *OPENPGPKEY) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packStringBase64(rr.PublicKey, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *OPT) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packDataOpt(rr.Option, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *PTR) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = PackDomainName(rr.Ptr, msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *PX) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint16(rr.Preference, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = PackDomainName(rr.Map822, msg, off, compression, false)
+	if err != nil {
+		return off, err
+	}
+	off, err = PackDomainName(rr.Mapx400, msg, off, compression, false)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *RFC3597) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packStringHex(rr.Rdata, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *RKEY) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint16(rr.Flags, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.Protocol, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.Algorithm, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packStringBase64(rr.PublicKey, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *RP) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = PackDomainName(rr.Mbox, msg, off, compression, false)
+	if err != nil {
+		return off, err
+	}
+	off, err = PackDomainName(rr.Txt, msg, off, compression, false)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *RRSIG) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint16(rr.TypeCovered, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.Algorithm, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.Labels, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint32(rr.OrigTtl, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint32(rr.Expiration, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint32(rr.Inception, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(rr.KeyTag, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = PackDomainName(rr.SignerName, msg, off, compression, false)
+	if err != nil {
+		return off, err
+	}
+	off, err = packStringBase64(rr.Signature, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *RT) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint16(rr.Preference, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = PackDomainName(rr.Host, msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *SIG) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint16(rr.TypeCovered, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.Algorithm, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.Labels, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint32(rr.OrigTtl, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint32(rr.Expiration, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint32(rr.Inception, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(rr.KeyTag, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = PackDomainName(rr.SignerName, msg, off, compression, false)
+	if err != nil {
+		return off, err
+	}
+	off, err = packStringBase64(rr.Signature, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *SMIMEA) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint8(rr.Usage, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.Selector, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.MatchingType, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packStringHex(rr.Certificate, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *SOA) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = PackDomainName(rr.Ns, msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	off, err = PackDomainName(rr.Mbox, msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint32(rr.Serial, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint32(rr.Refresh, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint32(rr.Retry, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint32(rr.Expire, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint32(rr.Minttl, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *SPF) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packStringTxt(rr.Txt, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *SRV) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint16(rr.Priority, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(rr.Weight, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(rr.Port, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = PackDomainName(rr.Target, msg, off, compression, false)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *SSHFP) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint8(rr.Algorithm, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.Type, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packStringHex(rr.FingerPrint, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *TA) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint16(rr.KeyTag, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.Algorithm, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.DigestType, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packStringHex(rr.Digest, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *TALINK) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = PackDomainName(rr.PreviousName, msg, off, compression, false)
+	if err != nil {
+		return off, err
+	}
+	off, err = PackDomainName(rr.NextName, msg, off, compression, false)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *TKEY) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = PackDomainName(rr.Algorithm, msg, off, compression, false)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint32(rr.Inception, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint32(rr.Expiration, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(rr.Mode, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(rr.Error, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(rr.KeySize, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packString(rr.Key, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(rr.OtherLen, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packString(rr.OtherData, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *TLSA) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint8(rr.Usage, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.Selector, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint8(rr.MatchingType, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packStringHex(rr.Certificate, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *TSIG) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = PackDomainName(rr.Algorithm, msg, off, compression, false)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint48(rr.TimeSigned, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(rr.Fudge, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(rr.MACSize, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packStringHex(rr.MAC, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(rr.OrigId, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(rr.Error, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(rr.OtherLen, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packStringHex(rr.OtherData, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *TXT) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packStringTxt(rr.Txt, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *UID) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint32(rr.Uid, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *UINFO) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packString(rr.Uinfo, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *URI) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packUint16(rr.Priority, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packUint16(rr.Weight, msg, off)
+	if err != nil {
+		return off, err
+	}
+	off, err = packStringOctet(rr.Target, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+func (rr *X25) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
+	off, err := rr.Hdr.pack(msg, off, compression, compress)
+	if err != nil {
+		return off, err
+	}
+	headerEnd := off
+	off, err = packString(rr.PSDNAddress, msg, off)
+	if err != nil {
+		return off, err
+	}
+	rr.Header().Rdlength = uint16(off - headerEnd)
+	return off, nil
+}
+
+// unpack*() functions
+
+func unpackA(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(A)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.A, off, err = unpackDataA(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackAAAA(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(AAAA)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.AAAA, off, err = unpackDataAAAA(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackAFSDB(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(AFSDB)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Subtype, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Hostname, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackANY(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(ANY)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	return rr, off, err
+}
+
+func unpackAVC(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(AVC)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Txt, off, err = unpackStringTxt(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackCAA(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(CAA)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Flag, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Tag, off, err = unpackString(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Value, off, err = unpackStringOctet(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackCDNSKEY(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(CDNSKEY)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Flags, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Protocol, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Algorithm, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.PublicKey, off, err = unpackStringBase64(msg, off, rdStart+int(rr.Hdr.Rdlength))
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackCDS(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(CDS)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.KeyTag, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Algorithm, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.DigestType, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Digest, off, err = unpackStringHex(msg, off, rdStart+int(rr.Hdr.Rdlength))
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackCERT(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(CERT)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Type, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.KeyTag, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Algorithm, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Certificate, off, err = unpackStringBase64(msg, off, rdStart+int(rr.Hdr.Rdlength))
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackCNAME(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(CNAME)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Target, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackDHCID(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(DHCID)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Digest, off, err = unpackStringBase64(msg, off, rdStart+int(rr.Hdr.Rdlength))
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackDLV(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(DLV)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.KeyTag, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Algorithm, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.DigestType, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Digest, off, err = unpackStringHex(msg, off, rdStart+int(rr.Hdr.Rdlength))
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackDNAME(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(DNAME)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Target, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackDNSKEY(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(DNSKEY)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Flags, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Protocol, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Algorithm, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.PublicKey, off, err = unpackStringBase64(msg, off, rdStart+int(rr.Hdr.Rdlength))
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackDS(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(DS)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.KeyTag, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Algorithm, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.DigestType, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Digest, off, err = unpackStringHex(msg, off, rdStart+int(rr.Hdr.Rdlength))
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackEID(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(EID)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Endpoint, off, err = unpackStringHex(msg, off, rdStart+int(rr.Hdr.Rdlength))
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackEUI48(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(EUI48)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Address, off, err = unpackUint48(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackEUI64(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(EUI64)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Address, off, err = unpackUint64(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackGID(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(GID)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Gid, off, err = unpackUint32(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackGPOS(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(GPOS)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Longitude, off, err = unpackString(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Latitude, off, err = unpackString(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Altitude, off, err = unpackString(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackHINFO(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(HINFO)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Cpu, off, err = unpackString(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Os, off, err = unpackString(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackHIP(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(HIP)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.HitLength, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.PublicKeyAlgorithm, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.PublicKeyLength, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Hit, off, err = unpackStringHex(msg, off, off+int(rr.HitLength))
+	if err != nil {
+		return rr, off, err
+	}
+	rr.PublicKey, off, err = unpackStringBase64(msg, off, off+int(rr.PublicKeyLength))
+	if err != nil {
+		return rr, off, err
+	}
+	rr.RendezvousServers, off, err = unpackDataDomainNames(msg, off, rdStart+int(rr.Hdr.Rdlength))
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackKEY(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(KEY)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Flags, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Protocol, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Algorithm, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.PublicKey, off, err = unpackStringBase64(msg, off, rdStart+int(rr.Hdr.Rdlength))
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackKX(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(KX)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Preference, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Exchanger, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackL32(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(L32)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Preference, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Locator32, off, err = unpackDataA(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackL64(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(L64)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Preference, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Locator64, off, err = unpackUint64(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackLOC(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(LOC)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Version, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Size, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.HorizPre, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.VertPre, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Latitude, off, err = unpackUint32(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Longitude, off, err = unpackUint32(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Altitude, off, err = unpackUint32(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackLP(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(LP)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Preference, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Fqdn, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackMB(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(MB)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Mb, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackMD(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(MD)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Md, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackMF(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(MF)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Mf, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackMG(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(MG)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Mg, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackMINFO(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(MINFO)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Rmail, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Email, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackMR(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(MR)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Mr, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackMX(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(MX)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Preference, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Mx, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackNAPTR(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(NAPTR)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Order, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Preference, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Flags, off, err = unpackString(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Service, off, err = unpackString(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Regexp, off, err = unpackString(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Replacement, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackNID(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(NID)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Preference, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.NodeID, off, err = unpackUint64(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackNIMLOC(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(NIMLOC)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Locator, off, err = unpackStringHex(msg, off, rdStart+int(rr.Hdr.Rdlength))
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackNINFO(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(NINFO)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.ZSData, off, err = unpackStringTxt(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackNS(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(NS)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Ns, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackNSAPPTR(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(NSAPPTR)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Ptr, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackNSEC(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(NSEC)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.NextDomain, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.TypeBitMap, off, err = unpackDataNsec(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackNSEC3(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(NSEC3)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Hash, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Flags, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Iterations, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.SaltLength, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Salt, off, err = unpackStringHex(msg, off, off+int(rr.SaltLength))
+	if err != nil {
+		return rr, off, err
+	}
+	rr.HashLength, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.NextDomain, off, err = unpackStringBase32(msg, off, off+int(rr.HashLength))
+	if err != nil {
+		return rr, off, err
+	}
+	rr.TypeBitMap, off, err = unpackDataNsec(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackNSEC3PARAM(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(NSEC3PARAM)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Hash, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Flags, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Iterations, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.SaltLength, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Salt, off, err = unpackStringHex(msg, off, off+int(rr.SaltLength))
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackOPENPGPKEY(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(OPENPGPKEY)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.PublicKey, off, err = unpackStringBase64(msg, off, rdStart+int(rr.Hdr.Rdlength))
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackOPT(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(OPT)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Option, off, err = unpackDataOpt(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackPTR(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(PTR)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Ptr, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackPX(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(PX)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Preference, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Map822, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Mapx400, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackRFC3597(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(RFC3597)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Rdata, off, err = unpackStringHex(msg, off, rdStart+int(rr.Hdr.Rdlength))
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackRKEY(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(RKEY)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Flags, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Protocol, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Algorithm, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.PublicKey, off, err = unpackStringBase64(msg, off, rdStart+int(rr.Hdr.Rdlength))
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackRP(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(RP)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Mbox, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Txt, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackRRSIG(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(RRSIG)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.TypeCovered, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Algorithm, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Labels, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.OrigTtl, off, err = unpackUint32(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Expiration, off, err = unpackUint32(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Inception, off, err = unpackUint32(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.KeyTag, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.SignerName, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Signature, off, err = unpackStringBase64(msg, off, rdStart+int(rr.Hdr.Rdlength))
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackRT(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(RT)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Preference, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Host, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackSIG(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(SIG)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.TypeCovered, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Algorithm, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Labels, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.OrigTtl, off, err = unpackUint32(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Expiration, off, err = unpackUint32(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Inception, off, err = unpackUint32(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.KeyTag, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.SignerName, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Signature, off, err = unpackStringBase64(msg, off, rdStart+int(rr.Hdr.Rdlength))
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackSMIMEA(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(SMIMEA)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Usage, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Selector, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.MatchingType, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Certificate, off, err = unpackStringHex(msg, off, rdStart+int(rr.Hdr.Rdlength))
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackSOA(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(SOA)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Ns, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Mbox, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Serial, off, err = unpackUint32(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Refresh, off, err = unpackUint32(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Retry, off, err = unpackUint32(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Expire, off, err = unpackUint32(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Minttl, off, err = unpackUint32(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackSPF(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(SPF)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Txt, off, err = unpackStringTxt(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackSRV(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(SRV)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Priority, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Weight, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Port, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Target, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackSSHFP(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(SSHFP)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Algorithm, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Type, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.FingerPrint, off, err = unpackStringHex(msg, off, rdStart+int(rr.Hdr.Rdlength))
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackTA(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(TA)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.KeyTag, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Algorithm, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.DigestType, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Digest, off, err = unpackStringHex(msg, off, rdStart+int(rr.Hdr.Rdlength))
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackTALINK(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(TALINK)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.PreviousName, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.NextName, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackTKEY(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(TKEY)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Algorithm, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Inception, off, err = unpackUint32(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Expiration, off, err = unpackUint32(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Mode, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Error, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.KeySize, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Key, off, err = unpackString(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.OtherLen, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.OtherData, off, err = unpackString(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackTLSA(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(TLSA)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Usage, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Selector, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.MatchingType, off, err = unpackUint8(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Certificate, off, err = unpackStringHex(msg, off, rdStart+int(rr.Hdr.Rdlength))
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackTSIG(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(TSIG)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Algorithm, off, err = UnpackDomainName(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.TimeSigned, off, err = unpackUint48(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Fudge, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.MACSize, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.MAC, off, err = unpackStringHex(msg, off, off+int(rr.MACSize))
+	if err != nil {
+		return rr, off, err
+	}
+	rr.OrigId, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Error, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.OtherLen, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.OtherData, off, err = unpackStringHex(msg, off, off+int(rr.OtherLen))
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackTXT(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(TXT)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Txt, off, err = unpackStringTxt(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackUID(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(UID)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Uid, off, err = unpackUint32(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackUINFO(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(UINFO)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Uinfo, off, err = unpackString(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackURI(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(URI)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.Priority, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Weight, off, err = unpackUint16(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	if off == len(msg) {
+		return rr, off, nil
+	}
+	rr.Target, off, err = unpackStringOctet(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+func unpackX25(h RR_Header, msg []byte, off int) (RR, int, error) {
+	rr := new(X25)
+	rr.Hdr = h
+	if noRdata(h) {
+		return rr, off, nil
+	}
+	var err error
+	rdStart := off
+	_ = rdStart
+
+	rr.PSDNAddress, off, err = unpackString(msg, off)
+	if err != nil {
+		return rr, off, err
+	}
+	return rr, off, err
+}
+
+var typeToUnpack = map[uint16]func(RR_Header, []byte, int) (RR, int, error){
+	TypeA:          unpackA,
+	TypeAAAA:       unpackAAAA,
+	TypeAFSDB:      unpackAFSDB,
+	TypeANY:        unpackANY,
+	TypeAVC:        unpackAVC,
+	TypeCAA:        unpackCAA,
+	TypeCDNSKEY:    unpackCDNSKEY,
+	TypeCDS:        unpackCDS,
+	TypeCERT:       unpackCERT,
+	TypeCNAME:      unpackCNAME,
+	TypeDHCID:      unpackDHCID,
+	TypeDLV:        unpackDLV,
+	TypeDNAME:      unpackDNAME,
+	TypeDNSKEY:     unpackDNSKEY,
+	TypeDS:         unpackDS,
+	TypeEID:        unpackEID,
+	TypeEUI48:      unpackEUI48,
+	TypeEUI64:      unpackEUI64,
+	TypeGID:        unpackGID,
+	TypeGPOS:       unpackGPOS,
+	TypeHINFO:      unpackHINFO,
+	TypeHIP:        unpackHIP,
+	TypeKEY:        unpackKEY,
+	TypeKX:         unpackKX,
+	TypeL32:        unpackL32,
+	TypeL64:        unpackL64,
+	TypeLOC:        unpackLOC,
+	TypeLP:         unpackLP,
+	TypeMB:         unpackMB,
+	TypeMD:         unpackMD,
+	TypeMF:         unpackMF,
+	TypeMG:         unpackMG,
+	TypeMINFO:      unpackMINFO,
+	TypeMR:         unpackMR,
+	TypeMX:         unpackMX,
+	TypeNAPTR:      unpackNAPTR,
+	TypeNID:        unpackNID,
+	TypeNIMLOC:     unpackNIMLOC,
+	TypeNINFO:      unpackNINFO,
+	TypeNS:         unpackNS,
+	TypeNSAPPTR:    unpackNSAPPTR,
+	TypeNSEC:       unpackNSEC,
+	TypeNSEC3:      unpackNSEC3,
+	TypeNSEC3PARAM: unpackNSEC3PARAM,
+	TypeOPENPGPKEY: unpackOPENPGPKEY,
+	TypeOPT:        unpackOPT,
+	TypePTR:        unpackPTR,
+	TypePX:         unpackPX,
+	TypeRKEY:       unpackRKEY,
+	TypeRP:         unpackRP,
+	TypeRRSIG:      unpackRRSIG,
+	TypeRT:         unpackRT,
+	TypeSIG:        unpackSIG,
+	TypeSMIMEA:     unpackSMIMEA,
+	TypeSOA:        unpackSOA,
+	TypeSPF:        unpackSPF,
+	TypeSRV:        unpackSRV,
+	TypeSSHFP:      unpackSSHFP,
+	TypeTA:         unpackTA,
+	TypeTALINK:     unpackTALINK,
+	TypeTKEY:       unpackTKEY,
+	TypeTLSA:       unpackTLSA,
+	TypeTSIG:       unpackTSIG,
+	TypeTXT:        unpackTXT,
+	TypeUID:        unpackUID,
+	TypeUINFO:      unpackUINFO,
+	TypeURI:        unpackURI,
+	TypeX25:        unpackX25,
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/ztypes.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/ztypes.go
new file mode 100644
index 000000000..3e534f12e
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/miekg/dns/ztypes.go
@@ -0,0 +1,857 @@
+// *** DO NOT MODIFY ***
+// AUTOGENERATED BY go generate from type_generate.go
+
+package dns
+
+import (
+	"encoding/base64"
+	"net"
+)
+
+// TypeToRR is a map of constructors for each RR type.
+var TypeToRR = map[uint16]func() RR{
+	TypeA:          func() RR { return new(A) },
+	TypeAAAA:       func() RR { return new(AAAA) },
+	TypeAFSDB:      func() RR { return new(AFSDB) },
+	TypeANY:        func() RR { return new(ANY) },
+	TypeAVC:        func() RR { return new(AVC) },
+	TypeCAA:        func() RR { return new(CAA) },
+	TypeCDNSKEY:    func() RR { return new(CDNSKEY) },
+	TypeCDS:        func() RR { return new(CDS) },
+	TypeCERT:       func() RR { return new(CERT) },
+	TypeCNAME:      func() RR { return new(CNAME) },
+	TypeDHCID:      func() RR { return new(DHCID) },
+	TypeDLV:        func() RR { return new(DLV) },
+	TypeDNAME:      func() RR { return new(DNAME) },
+	TypeDNSKEY:     func() RR { return new(DNSKEY) },
+	TypeDS:         func() RR { return new(DS) },
+	TypeEID:        func() RR { return new(EID) },
+	TypeEUI48:      func() RR { return new(EUI48) },
+	TypeEUI64:      func() RR { return new(EUI64) },
+	TypeGID:        func() RR { return new(GID) },
+	TypeGPOS:       func() RR { return new(GPOS) },
+	TypeHINFO:      func() RR { return new(HINFO) },
+	TypeHIP:        func() RR { return new(HIP) },
+	TypeKEY:        func() RR { return new(KEY) },
+	TypeKX:         func() RR { return new(KX) },
+	TypeL32:        func() RR { return new(L32) },
+	TypeL64:        func() RR { return new(L64) },
+	TypeLOC:        func() RR { return new(LOC) },
+	TypeLP:         func() RR { return new(LP) },
+	TypeMB:         func() RR { return new(MB) },
+	TypeMD:         func() RR { return new(MD) },
+	TypeMF:         func() RR { return new(MF) },
+	TypeMG:         func() RR { return new(MG) },
+	TypeMINFO:      func() RR { return new(MINFO) },
+	TypeMR:         func() RR { return new(MR) },
+	TypeMX:         func() RR { return new(MX) },
+	TypeNAPTR:      func() RR { return new(NAPTR) },
+	TypeNID:        func() RR { return new(NID) },
+	TypeNIMLOC:     func() RR { return new(NIMLOC) },
+	TypeNINFO:      func() RR { return new(NINFO) },
+	TypeNS:         func() RR { return new(NS) },
+	TypeNSAPPTR:    func() RR { return new(NSAPPTR) },
+	TypeNSEC:       func() RR { return new(NSEC) },
+	TypeNSEC3:      func() RR { return new(NSEC3) },
+	TypeNSEC3PARAM: func() RR { return new(NSEC3PARAM) },
+	TypeOPENPGPKEY: func() RR { return new(OPENPGPKEY) },
+	TypeOPT:        func() RR { return new(OPT) },
+	TypePTR:        func() RR { return new(PTR) },
+	TypePX:         func() RR { return new(PX) },
+	TypeRKEY:       func() RR { return new(RKEY) },
+	TypeRP:         func() RR { return new(RP) },
+	TypeRRSIG:      func() RR { return new(RRSIG) },
+	TypeRT:         func() RR { return new(RT) },
+	TypeSIG:        func() RR { return new(SIG) },
+	TypeSMIMEA:     func() RR { return new(SMIMEA) },
+	TypeSOA:        func() RR { return new(SOA) },
+	TypeSPF:        func() RR { return new(SPF) },
+	TypeSRV:        func() RR { return new(SRV) },
+	TypeSSHFP:      func() RR { return new(SSHFP) },
+	TypeTA:         func() RR { return new(TA) },
+	TypeTALINK:     func() RR { return new(TALINK) },
+	TypeTKEY:       func() RR { return new(TKEY) },
+	TypeTLSA:       func() RR { return new(TLSA) },
+	TypeTSIG:       func() RR { return new(TSIG) },
+	TypeTXT:        func() RR { return new(TXT) },
+	TypeUID:        func() RR { return new(UID) },
+	TypeUINFO:      func() RR { return new(UINFO) },
+	TypeURI:        func() RR { return new(URI) },
+	TypeX25:        func() RR { return new(X25) },
+}
+
+// TypeToString is a map of strings for each RR type.
+var TypeToString = map[uint16]string{
+	TypeA:          "A",
+	TypeAAAA:       "AAAA",
+	TypeAFSDB:      "AFSDB",
+	TypeANY:        "ANY",
+	TypeATMA:       "ATMA",
+	TypeAVC:        "AVC",
+	TypeAXFR:       "AXFR",
+	TypeCAA:        "CAA",
+	TypeCDNSKEY:    "CDNSKEY",
+	TypeCDS:        "CDS",
+	TypeCERT:       "CERT",
+	TypeCNAME:      "CNAME",
+	TypeDHCID:      "DHCID",
+	TypeDLV:        "DLV",
+	TypeDNAME:      "DNAME",
+	TypeDNSKEY:     "DNSKEY",
+	TypeDS:         "DS",
+	TypeEID:        "EID",
+	TypeEUI48:      "EUI48",
+	TypeEUI64:      "EUI64",
+	TypeGID:        "GID",
+	TypeGPOS:       "GPOS",
+	TypeHINFO:      "HINFO",
+	TypeHIP:        "HIP",
+	TypeISDN:       "ISDN",
+	TypeIXFR:       "IXFR",
+	TypeKEY:        "KEY",
+	TypeKX:         "KX",
+	TypeL32:        "L32",
+	TypeL64:        "L64",
+	TypeLOC:        "LOC",
+	TypeLP:         "LP",
+	TypeMAILA:      "MAILA",
+	TypeMAILB:      "MAILB",
+	TypeMB:         "MB",
+	TypeMD:         "MD",
+	TypeMF:         "MF",
+	TypeMG:         "MG",
+	TypeMINFO:      "MINFO",
+	TypeMR:         "MR",
+	TypeMX:         "MX",
+	TypeNAPTR:      "NAPTR",
+	TypeNID:        "NID",
+	TypeNIMLOC:     "NIMLOC",
+	TypeNINFO:      "NINFO",
+	TypeNS:         "NS",
+	TypeNSEC:       "NSEC",
+	TypeNSEC3:      "NSEC3",
+	TypeNSEC3PARAM: "NSEC3PARAM",
+	TypeNULL:       "NULL",
+	TypeNXT:        "NXT",
+	TypeNone:       "None",
+	TypeOPENPGPKEY: "OPENPGPKEY",
+	TypeOPT:        "OPT",
+	TypePTR:        "PTR",
+	TypePX:         "PX",
+	TypeRKEY:       "RKEY",
+	TypeRP:         "RP",
+	TypeRRSIG:      "RRSIG",
+	TypeRT:         "RT",
+	TypeReserved:   "Reserved",
+	TypeSIG:        "SIG",
+	TypeSMIMEA:     "SMIMEA",
+	TypeSOA:        "SOA",
+	TypeSPF:        "SPF",
+	TypeSRV:        "SRV",
+	TypeSSHFP:      "SSHFP",
+	TypeTA:         "TA",
+	TypeTALINK:     "TALINK",
+	TypeTKEY:       "TKEY",
+	TypeTLSA:       "TLSA",
+	TypeTSIG:       "TSIG",
+	TypeTXT:        "TXT",
+	TypeUID:        "UID",
+	TypeUINFO:      "UINFO",
+	TypeUNSPEC:     "UNSPEC",
+	TypeURI:        "URI",
+	TypeX25:        "X25",
+	TypeNSAPPTR:    "NSAP-PTR",
+}
+
+// Header() functions
+func (rr *A) Header() *RR_Header          { return &rr.Hdr }
+func (rr *AAAA) Header() *RR_Header       { return &rr.Hdr }
+func (rr *AFSDB) Header() *RR_Header      { return &rr.Hdr }
+func (rr *ANY) Header() *RR_Header        { return &rr.Hdr }
+func (rr *AVC) Header() *RR_Header        { return &rr.Hdr }
+func (rr *CAA) Header() *RR_Header        { return &rr.Hdr }
+func (rr *CDNSKEY) Header() *RR_Header    { return &rr.Hdr }
+func (rr *CDS) Header() *RR_Header        { return &rr.Hdr }
+func (rr *CERT) Header() *RR_Header       { return &rr.Hdr }
+func (rr *CNAME) Header() *RR_Header      { return &rr.Hdr }
+func (rr *DHCID) Header() *RR_Header      { return &rr.Hdr }
+func (rr *DLV) Header() *RR_Header        { return &rr.Hdr }
+func (rr *DNAME) Header() *RR_Header      { return &rr.Hdr }
+func (rr *DNSKEY) Header() *RR_Header     { return &rr.Hdr }
+func (rr *DS) Header() *RR_Header         { return &rr.Hdr }
+func (rr *EID) Header() *RR_Header        { return &rr.Hdr }
+func (rr *EUI48) Header() *RR_Header      { return &rr.Hdr }
+func (rr *EUI64) Header() *RR_Header      { return &rr.Hdr }
+func (rr *GID) Header() *RR_Header        { return &rr.Hdr }
+func (rr *GPOS) Header() *RR_Header       { return &rr.Hdr }
+func (rr *HINFO) Header() *RR_Header      { return &rr.Hdr }
+func (rr *HIP) Header() *RR_Header        { return &rr.Hdr }
+func (rr *KEY) Header() *RR_Header        { return &rr.Hdr }
+func (rr *KX) Header() *RR_Header         { return &rr.Hdr }
+func (rr *L32) Header() *RR_Header        { return &rr.Hdr }
+func (rr *L64) Header() *RR_Header        { return &rr.Hdr }
+func (rr *LOC) Header() *RR_Header        { return &rr.Hdr }
+func (rr *LP) Header() *RR_Header         { return &rr.Hdr }
+func (rr *MB) Header() *RR_Header         { return &rr.Hdr }
+func (rr *MD) Header() *RR_Header         { return &rr.Hdr }
+func (rr *MF) Header() *RR_Header         { return &rr.Hdr }
+func (rr *MG) Header() *RR_Header         { return &rr.Hdr }
+func (rr *MINFO) Header() *RR_Header      { return &rr.Hdr }
+func (rr *MR) Header() *RR_Header         { return &rr.Hdr }
+func (rr *MX) Header() *RR_Header         { return &rr.Hdr }
+func (rr *NAPTR) Header() *RR_Header      { return &rr.Hdr }
+func (rr *NID) Header() *RR_Header        { return &rr.Hdr }
+func (rr *NIMLOC) Header() *RR_Header     { return &rr.Hdr }
+func (rr *NINFO) Header() *RR_Header      { return &rr.Hdr }
+func (rr *NS) Header() *RR_Header         { return &rr.Hdr }
+func (rr *NSAPPTR) Header() *RR_Header    { return &rr.Hdr }
+func (rr *NSEC) Header() *RR_Header       { return &rr.Hdr }
+func (rr *NSEC3) Header() *RR_Header      { return &rr.Hdr }
+func (rr *NSEC3PARAM) Header() *RR_Header { return &rr.Hdr }
+func (rr *OPENPGPKEY) Header() *RR_Header { return &rr.Hdr }
+func (rr *OPT) Header() *RR_Header        { return &rr.Hdr }
+func (rr *PTR) Header() *RR_Header        { return &rr.Hdr }
+func (rr *PX) Header() *RR_Header         { return &rr.Hdr }
+func (rr *RFC3597) Header() *RR_Header    { return &rr.Hdr }
+func (rr *RKEY) Header() *RR_Header       { return &rr.Hdr }
+func (rr *RP) Header() *RR_Header         { return &rr.Hdr }
+func (rr *RRSIG) Header() *RR_Header      { return &rr.Hdr }
+func (rr *RT) Header() *RR_Header         { return &rr.Hdr }
+func (rr *SIG) Header() *RR_Header        { return &rr.Hdr }
+func (rr *SMIMEA) Header() *RR_Header     { return &rr.Hdr }
+func (rr *SOA) Header() *RR_Header        { return &rr.Hdr }
+func (rr *SPF) Header() *RR_Header        { return &rr.Hdr }
+func (rr *SRV) Header() *RR_Header        { return &rr.Hdr }
+func (rr *SSHFP) Header() *RR_Header      { return &rr.Hdr }
+func (rr *TA) Header() *RR_Header         { return &rr.Hdr }
+func (rr *TALINK) Header() *RR_Header     { return &rr.Hdr }
+func (rr *TKEY) Header() *RR_Header       { return &rr.Hdr }
+func (rr *TLSA) Header() *RR_Header       { return &rr.Hdr }
+func (rr *TSIG) Header() *RR_Header       { return &rr.Hdr }
+func (rr *TXT) Header() *RR_Header        { return &rr.Hdr }
+func (rr *UID) Header() *RR_Header        { return &rr.Hdr }
+func (rr *UINFO) Header() *RR_Header      { return &rr.Hdr }
+func (rr *URI) Header() *RR_Header        { return &rr.Hdr }
+func (rr *X25) Header() *RR_Header        { return &rr.Hdr }
+
+// len() functions
+func (rr *A) len() int {
+	l := rr.Hdr.len()
+	l += net.IPv4len // A
+	return l
+}
+func (rr *AAAA) len() int {
+	l := rr.Hdr.len()
+	l += net.IPv6len // AAAA
+	return l
+}
+func (rr *AFSDB) len() int {
+	l := rr.Hdr.len()
+	l += 2 // Subtype
+	l += len(rr.Hostname) + 1
+	return l
+}
+func (rr *ANY) len() int {
+	l := rr.Hdr.len()
+	return l
+}
+func (rr *AVC) len() int {
+	l := rr.Hdr.len()
+	for _, x := range rr.Txt {
+		l += len(x) + 1
+	}
+	return l
+}
+func (rr *CAA) len() int {
+	l := rr.Hdr.len()
+	l++ // Flag
+	l += len(rr.Tag) + 1
+	l += len(rr.Value)
+	return l
+}
+func (rr *CERT) len() int {
+	l := rr.Hdr.len()
+	l += 2 // Type
+	l += 2 // KeyTag
+	l++    // Algorithm
+	l += base64.StdEncoding.DecodedLen(len(rr.Certificate))
+	return l
+}
+func (rr *CNAME) len() int {
+	l := rr.Hdr.len()
+	l += len(rr.Target) + 1
+	return l
+}
+func (rr *DHCID) len() int {
+	l := rr.Hdr.len()
+	l += base64.StdEncoding.DecodedLen(len(rr.Digest))
+	return l
+}
+func (rr *DNAME) len() int {
+	l := rr.Hdr.len()
+	l += len(rr.Target) + 1
+	return l
+}
+func (rr *DNSKEY) len() int {
+	l := rr.Hdr.len()
+	l += 2 // Flags
+	l++    // Protocol
+	l++    // Algorithm
+	l += base64.StdEncoding.DecodedLen(len(rr.PublicKey))
+	return l
+}
+func (rr *DS) len() int {
+	l := rr.Hdr.len()
+	l += 2 // KeyTag
+	l++    // Algorithm
+	l++    // DigestType
+	l += len(rr.Digest)/2 + 1
+	return l
+}
+func (rr *EID) len() int {
+	l := rr.Hdr.len()
+	l += len(rr.Endpoint)/2 + 1
+	return l
+}
+func (rr *EUI48) len() int {
+	l := rr.Hdr.len()
+	l += 6 // Address
+	return l
+}
+func (rr *EUI64) len() int {
+	l := rr.Hdr.len()
+	l += 8 // Address
+	return l
+}
+func (rr *GID) len() int {
+	l := rr.Hdr.len()
+	l += 4 // Gid
+	return l
+}
+func (rr *GPOS) len() int {
+	l := rr.Hdr.len()
+	l += len(rr.Longitude) + 1
+	l += len(rr.Latitude) + 1
+	l += len(rr.Altitude) + 1
+	return l
+}
+func (rr *HINFO) len() int {
+	l := rr.Hdr.len()
+	l += len(rr.Cpu) + 1
+	l += len(rr.Os) + 1
+	return l
+}
+func (rr *HIP) len() int {
+	l := rr.Hdr.len()
+	l++    // HitLength
+	l++    // PublicKeyAlgorithm
+	l += 2 // PublicKeyLength
+	l += len(rr.Hit)/2 + 1
+	l += base64.StdEncoding.DecodedLen(len(rr.PublicKey))
+	for _, x := range rr.RendezvousServers {
+		l += len(x) + 1
+	}
+	return l
+}
+func (rr *KX) len() int {
+	l := rr.Hdr.len()
+	l += 2 // Preference
+	l += len(rr.Exchanger) + 1
+	return l
+}
+func (rr *L32) len() int {
+	l := rr.Hdr.len()
+	l += 2           // Preference
+	l += net.IPv4len // Locator32
+	return l
+}
+func (rr *L64) len() int {
+	l := rr.Hdr.len()
+	l += 2 // Preference
+	l += 8 // Locator64
+	return l
+}
+func (rr *LOC) len() int {
+	l := rr.Hdr.len()
+	l++    // Version
+	l++    // Size
+	l++    // HorizPre
+	l++    // VertPre
+	l += 4 // Latitude
+	l += 4 // Longitude
+	l += 4 // Altitude
+	return l
+}
+func (rr *LP) len() int {
+	l := rr.Hdr.len()
+	l += 2 // Preference
+	l += len(rr.Fqdn) + 1
+	return l
+}
+func (rr *MB) len() int {
+	l := rr.Hdr.len()
+	l += len(rr.Mb) + 1
+	return l
+}
+func (rr *MD) len() int {
+	l := rr.Hdr.len()
+	l += len(rr.Md) + 1
+	return l
+}
+func (rr *MF) len() int {
+	l := rr.Hdr.len()
+	l += len(rr.Mf) + 1
+	return l
+}
+func (rr *MG) len() int {
+	l := rr.Hdr.len()
+	l += len(rr.Mg) + 1
+	return l
+}
+func (rr *MINFO) len() int {
+	l := rr.Hdr.len()
+	l += len(rr.Rmail) + 1
+	l += len(rr.Email) + 1
+	return l
+}
+func (rr *MR) len() int {
+	l := rr.Hdr.len()
+	l += len(rr.Mr) + 1
+	return l
+}
+func (rr *MX) len() int {
+	l := rr.Hdr.len()
+	l += 2 // Preference
+	l += len(rr.Mx) + 1
+	return l
+}
+func (rr *NAPTR) len() int {
+	l := rr.Hdr.len()
+	l += 2 // Order
+	l += 2 // Preference
+	l += len(rr.Flags) + 1
+	l += len(rr.Service) + 1
+	l += len(rr.Regexp) + 1
+	l += len(rr.Replacement) + 1
+	return l
+}
+func (rr *NID) len() int {
+	l := rr.Hdr.len()
+	l += 2 // Preference
+	l += 8 // NodeID
+	return l
+}
+func (rr *NIMLOC) len() int {
+	l := rr.Hdr.len()
+	l += len(rr.Locator)/2 + 1
+	return l
+}
+func (rr *NINFO) len() int {
+	l := rr.Hdr.len()
+	for _, x := range rr.ZSData {
+		l += len(x) + 1
+	}
+	return l
+}
+func (rr *NS) len() int {
+	l := rr.Hdr.len()
+	l += len(rr.Ns) + 1
+	return l
+}
+func (rr *NSAPPTR) len() int {
+	l := rr.Hdr.len()
+	l += len(rr.Ptr) + 1
+	return l
+}
+func (rr *NSEC3PARAM) len() int {
+	l := rr.Hdr.len()
+	l++    // Hash
+	l++    // Flags
+	l += 2 // Iterations
+	l++    // SaltLength
+	l += len(rr.Salt)/2 + 1
+	return l
+}
+func (rr *OPENPGPKEY) len() int {
+	l := rr.Hdr.len()
+	l += base64.StdEncoding.DecodedLen(len(rr.PublicKey))
+	return l
+}
+func (rr *PTR) len() int {
+	l := rr.Hdr.len()
+	l += len(rr.Ptr) + 1
+	return l
+}
+func (rr *PX) len() int {
+	l := rr.Hdr.len()
+	l += 2 // Preference
+	l += len(rr.Map822) + 1
+	l += len(rr.Mapx400) + 1
+	return l
+}
+func (rr *RFC3597) len() int {
+	l := rr.Hdr.len()
+	l += len(rr.Rdata)/2 + 1
+	return l
+}
+func (rr *RKEY) len() int {
+	l := rr.Hdr.len()
+	l += 2 // Flags
+	l++    // Protocol
+	l++    // Algorithm
+	l += base64.StdEncoding.DecodedLen(len(rr.PublicKey))
+	return l
+}
+func (rr *RP) len() int {
+	l := rr.Hdr.len()
+	l += len(rr.Mbox) + 1
+	l += len(rr.Txt) + 1
+	return l
+}
+func (rr *RRSIG) len() int {
+	l := rr.Hdr.len()
+	l += 2 // TypeCovered
+	l++    // Algorithm
+	l++    // Labels
+	l += 4 // OrigTtl
+	l += 4 // Expiration
+	l += 4 // Inception
+	l += 2 // KeyTag
+	l += len(rr.SignerName) + 1
+	l += base64.StdEncoding.DecodedLen(len(rr.Signature))
+	return l
+}
+func (rr *RT) len() int {
+	l := rr.Hdr.len()
+	l += 2 // Preference
+	l += len(rr.Host) + 1
+	return l
+}
+func (rr *SMIMEA) len() int {
+	l := rr.Hdr.len()
+	l++ // Usage
+	l++ // Selector
+	l++ // MatchingType
+	l += len(rr.Certificate)/2 + 1
+	return l
+}
+func (rr *SOA) len() int {
+	l := rr.Hdr.len()
+	l += len(rr.Ns) + 1
+	l += len(rr.Mbox) + 1
+	l += 4 // Serial
+	l += 4 // Refresh
+	l += 4 // Retry
+	l += 4 // Expire
+	l += 4 // Minttl
+	return l
+}
+func (rr *SPF) len() int {
+	l := rr.Hdr.len()
+	for _, x := range rr.Txt {
+		l += len(x) + 1
+	}
+	return l
+}
+func (rr *SRV) len() int {
+	l := rr.Hdr.len()
+	l += 2 // Priority
+	l += 2 // Weight
+	l += 2 // Port
+	l += len(rr.Target) + 1
+	return l
+}
+func (rr *SSHFP) len() int {
+	l := rr.Hdr.len()
+	l++ // Algorithm
+	l++ // Type
+	l += len(rr.FingerPrint)/2 + 1
+	return l
+}
+func (rr *TA) len() int {
+	l := rr.Hdr.len()
+	l += 2 // KeyTag
+	l++    // Algorithm
+	l++    // DigestType
+	l += len(rr.Digest)/2 + 1
+	return l
+}
+func (rr *TALINK) len() int {
+	l := rr.Hdr.len()
+	l += len(rr.PreviousName) + 1
+	l += len(rr.NextName) + 1
+	return l
+}
+func (rr *TKEY) len() int {
+	l := rr.Hdr.len()
+	l += len(rr.Algorithm) + 1
+	l += 4 // Inception
+	l += 4 // Expiration
+	l += 2 // Mode
+	l += 2 // Error
+	l += 2 // KeySize
+	l += len(rr.Key) + 1
+	l += 2 // OtherLen
+	l += len(rr.OtherData) + 1
+	return l
+}
+func (rr *TLSA) len() int {
+	l := rr.Hdr.len()
+	l++ // Usage
+	l++ // Selector
+	l++ // MatchingType
+	l += len(rr.Certificate)/2 + 1
+	return l
+}
+func (rr *TSIG) len() int {
+	l := rr.Hdr.len()
+	l += len(rr.Algorithm) + 1
+	l += 6 // TimeSigned
+	l += 2 // Fudge
+	l += 2 // MACSize
+	l += len(rr.MAC)/2 + 1
+	l += 2 // OrigId
+	l += 2 // Error
+	l += 2 // OtherLen
+	l += len(rr.OtherData)/2 + 1
+	return l
+}
+func (rr *TXT) len() int {
+	l := rr.Hdr.len()
+	for _, x := range rr.Txt {
+		l += len(x) + 1
+	}
+	return l
+}
+func (rr *UID) len() int {
+	l := rr.Hdr.len()
+	l += 4 // Uid
+	return l
+}
+func (rr *UINFO) len() int {
+	l := rr.Hdr.len()
+	l += len(rr.Uinfo) + 1
+	return l
+}
+func (rr *URI) len() int {
+	l := rr.Hdr.len()
+	l += 2 // Priority
+	l += 2 // Weight
+	l += len(rr.Target)
+	return l
+}
+func (rr *X25) len() int {
+	l := rr.Hdr.len()
+	l += len(rr.PSDNAddress) + 1
+	return l
+}
+
+// copy() functions
+func (rr *A) copy() RR {
+	return &A{*rr.Hdr.copyHeader(), copyIP(rr.A)}
+}
+func (rr *AAAA) copy() RR {
+	return &AAAA{*rr.Hdr.copyHeader(), copyIP(rr.AAAA)}
+}
+func (rr *AFSDB) copy() RR {
+	return &AFSDB{*rr.Hdr.copyHeader(), rr.Subtype, rr.Hostname}
+}
+func (rr *ANY) copy() RR {
+	return &ANY{*rr.Hdr.copyHeader()}
+}
+func (rr *AVC) copy() RR {
+	Txt := make([]string, len(rr.Txt))
+	copy(Txt, rr.Txt)
+	return &AVC{*rr.Hdr.copyHeader(), Txt}
+}
+func (rr *CAA) copy() RR {
+	return &CAA{*rr.Hdr.copyHeader(), rr.Flag, rr.Tag, rr.Value}
+}
+func (rr *CERT) copy() RR {
+	return &CERT{*rr.Hdr.copyHeader(), rr.Type, rr.KeyTag, rr.Algorithm, rr.Certificate}
+}
+func (rr *CNAME) copy() RR {
+	return &CNAME{*rr.Hdr.copyHeader(), rr.Target}
+}
+func (rr *DHCID) copy() RR {
+	return &DHCID{*rr.Hdr.copyHeader(), rr.Digest}
+}
+func (rr *DNAME) copy() RR {
+	return &DNAME{*rr.Hdr.copyHeader(), rr.Target}
+}
+func (rr *DNSKEY) copy() RR {
+	return &DNSKEY{*rr.Hdr.copyHeader(), rr.Flags, rr.Protocol, rr.Algorithm, rr.PublicKey}
+}
+func (rr *DS) copy() RR {
+	return &DS{*rr.Hdr.copyHeader(), rr.KeyTag, rr.Algorithm, rr.DigestType, rr.Digest}
+}
+func (rr *EID) copy() RR {
+	return &EID{*rr.Hdr.copyHeader(), rr.Endpoint}
+}
+func (rr *EUI48) copy() RR {
+	return &EUI48{*rr.Hdr.copyHeader(), rr.Address}
+}
+func (rr *EUI64) copy() RR {
+	return &EUI64{*rr.Hdr.copyHeader(), rr.Address}
+}
+func (rr *GID) copy() RR {
+	return &GID{*rr.Hdr.copyHeader(), rr.Gid}
+}
+func (rr *GPOS) copy() RR {
+	return &GPOS{*rr.Hdr.copyHeader(), rr.Longitude, rr.Latitude, rr.Altitude}
+}
+func (rr *HINFO) copy() RR {
+	return &HINFO{*rr.Hdr.copyHeader(), rr.Cpu, rr.Os}
+}
+func (rr *HIP) copy() RR {
+	RendezvousServers := make([]string, len(rr.RendezvousServers))
+	copy(RendezvousServers, rr.RendezvousServers)
+	return &HIP{*rr.Hdr.copyHeader(), rr.HitLength, rr.PublicKeyAlgorithm, rr.PublicKeyLength, rr.Hit, rr.PublicKey, RendezvousServers}
+}
+func (rr *KX) copy() RR {
+	return &KX{*rr.Hdr.copyHeader(), rr.Preference, rr.Exchanger}
+}
+func (rr *L32) copy() RR {
+	return &L32{*rr.Hdr.copyHeader(), rr.Preference, copyIP(rr.Locator32)}
+}
+func (rr *L64) copy() RR {
+	return &L64{*rr.Hdr.copyHeader(), rr.Preference, rr.Locator64}
+}
+func (rr *LOC) copy() RR {
+	return &LOC{*rr.Hdr.copyHeader(), rr.Version, rr.Size, rr.HorizPre, rr.VertPre, rr.Latitude, rr.Longitude, rr.Altitude}
+}
+func (rr *LP) copy() RR {
+	return &LP{*rr.Hdr.copyHeader(), rr.Preference, rr.Fqdn}
+}
+func (rr *MB) copy() RR {
+	return &MB{*rr.Hdr.copyHeader(), rr.Mb}
+}
+func (rr *MD) copy() RR {
+	return &MD{*rr.Hdr.copyHeader(), rr.Md}
+}
+func (rr *MF) copy() RR {
+	return &MF{*rr.Hdr.copyHeader(), rr.Mf}
+}
+func (rr *MG) copy() RR {
+	return &MG{*rr.Hdr.copyHeader(), rr.Mg}
+}
+func (rr *MINFO) copy() RR {
+	return &MINFO{*rr.Hdr.copyHeader(), rr.Rmail, rr.Email}
+}
+func (rr *MR) copy() RR {
+	return &MR{*rr.Hdr.copyHeader(), rr.Mr}
+}
+func (rr *MX) copy() RR {
+	return &MX{*rr.Hdr.copyHeader(), rr.Preference, rr.Mx}
+}
+func (rr *NAPTR) copy() RR {
+	return &NAPTR{*rr.Hdr.copyHeader(), rr.Order, rr.Preference, rr.Flags, rr.Service, rr.Regexp, rr.Replacement}
+}
+func (rr *NID) copy() RR {
+	return &NID{*rr.Hdr.copyHeader(), rr.Preference, rr.NodeID}
+}
+func (rr *NIMLOC) copy() RR {
+	return &NIMLOC{*rr.Hdr.copyHeader(), rr.Locator}
+}
+func (rr *NINFO) copy() RR {
+	ZSData := make([]string, len(rr.ZSData))
+	copy(ZSData, rr.ZSData)
+	return &NINFO{*rr.Hdr.copyHeader(), ZSData}
+}
+func (rr *NS) copy() RR {
+	return &NS{*rr.Hdr.copyHeader(), rr.Ns}
+}
+func (rr *NSAPPTR) copy() RR {
+	return &NSAPPTR{*rr.Hdr.copyHeader(), rr.Ptr}
+}
+func (rr *NSEC) copy() RR {
+	TypeBitMap := make([]uint16, len(rr.TypeBitMap))
+	copy(TypeBitMap, rr.TypeBitMap)
+	return &NSEC{*rr.Hdr.copyHeader(), rr.NextDomain, TypeBitMap}
+}
+func (rr *NSEC3) copy() RR {
+	TypeBitMap := make([]uint16, len(rr.TypeBitMap))
+	copy(TypeBitMap, rr.TypeBitMap)
+	return &NSEC3{*rr.Hdr.copyHeader(), rr.Hash, rr.Flags, rr.Iterations, rr.SaltLength, rr.Salt, rr.HashLength, rr.NextDomain, TypeBitMap}
+}
+func (rr *NSEC3PARAM) copy() RR {
+	return &NSEC3PARAM{*rr.Hdr.copyHeader(), rr.Hash, rr.Flags, rr.Iterations, rr.SaltLength, rr.Salt}
+}
+func (rr *OPENPGPKEY) copy() RR {
+	return &OPENPGPKEY{*rr.Hdr.copyHeader(), rr.PublicKey}
+}
+func (rr *OPT) copy() RR {
+	Option := make([]EDNS0, len(rr.Option))
+	copy(Option, rr.Option)
+	return &OPT{*rr.Hdr.copyHeader(), Option}
+}
+func (rr *PTR) copy() RR {
+	return &PTR{*rr.Hdr.copyHeader(), rr.Ptr}
+}
+func (rr *PX) copy() RR {
+	return &PX{*rr.Hdr.copyHeader(), rr.Preference, rr.Map822, rr.Mapx400}
+}
+func (rr *RFC3597) copy() RR {
+	return &RFC3597{*rr.Hdr.copyHeader(), rr.Rdata}
+}
+func (rr *RKEY) copy() RR {
+	return &RKEY{*rr.Hdr.copyHeader(), rr.Flags, rr.Protocol, rr.Algorithm, rr.PublicKey}
+}
+func (rr *RP) copy() RR {
+	return &RP{*rr.Hdr.copyHeader(), rr.Mbox, rr.Txt}
+}
+func (rr *RRSIG) copy() RR {
+	return &RRSIG{*rr.Hdr.copyHeader(), rr.TypeCovered, rr.Algorithm, rr.Labels, rr.OrigTtl, rr.Expiration, rr.Inception, rr.KeyTag, rr.SignerName, rr.Signature}
+}
+func (rr *RT) copy() RR {
+	return &RT{*rr.Hdr.copyHeader(), rr.Preference, rr.Host}
+}
+func (rr *SMIMEA) copy() RR {
+	return &SMIMEA{*rr.Hdr.copyHeader(), rr.Usage, rr.Selector, rr.MatchingType, rr.Certificate}
+}
+func (rr *SOA) copy() RR {
+	return &SOA{*rr.Hdr.copyHeader(), rr.Ns, rr.Mbox, rr.Serial, rr.Refresh, rr.Retry, rr.Expire, rr.Minttl}
+}
+func (rr *SPF) copy() RR {
+	Txt := make([]string, len(rr.Txt))
+	copy(Txt, rr.Txt)
+	return &SPF{*rr.Hdr.copyHeader(), Txt}
+}
+func (rr *SRV) copy() RR {
+	return &SRV{*rr.Hdr.copyHeader(), rr.Priority, rr.Weight, rr.Port, rr.Target}
+}
+func (rr *SSHFP) copy() RR {
+	return &SSHFP{*rr.Hdr.copyHeader(), rr.Algorithm, rr.Type, rr.FingerPrint}
+}
+func (rr *TA) copy() RR {
+	return &TA{*rr.Hdr.copyHeader(), rr.KeyTag, rr.Algorithm, rr.DigestType, rr.Digest}
+}
+func (rr *TALINK) copy() RR {
+	return &TALINK{*rr.Hdr.copyHeader(), rr.PreviousName, rr.NextName}
+}
+func (rr *TKEY) copy() RR {
+	return &TKEY{*rr.Hdr.copyHeader(), rr.Algorithm, rr.Inception, rr.Expiration, rr.Mode, rr.Error, rr.KeySize, rr.Key, rr.OtherLen, rr.OtherData}
+}
+func (rr *TLSA) copy() RR {
+	return &TLSA{*rr.Hdr.copyHeader(), rr.Usage, rr.Selector, rr.MatchingType, rr.Certificate}
+}
+func (rr *TSIG) copy() RR {
+	return &TSIG{*rr.Hdr.copyHeader(), rr.Algorithm, rr.TimeSigned, rr.Fudge, rr.MACSize, rr.MAC, rr.OrigId, rr.Error, rr.OtherLen, rr.OtherData}
+}
+func (rr *TXT) copy() RR {
+	Txt := make([]string, len(rr.Txt))
+	copy(Txt, rr.Txt)
+	return &TXT{*rr.Hdr.copyHeader(), Txt}
+}
+func (rr *UID) copy() RR {
+	return &UID{*rr.Hdr.copyHeader(), rr.Uid}
+}
+func (rr *UINFO) copy() RR {
+	return &UINFO{*rr.Hdr.copyHeader(), rr.Uinfo}
+}
+func (rr *URI) copy() RR {
+	return &URI{*rr.Hdr.copyHeader(), rr.Priority, rr.Weight, rr.Target}
+}
+func (rr *X25) copy() RR {
+	return &X25{*rr.Hdr.copyHeader(), rr.PSDNAddress}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/.gitcookies.enc b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/.gitcookies.enc
new file mode 100644
index 000000000..09c303c94
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/.gitcookies.enc
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/.gitignore b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/.gitignore
new file mode 100644
index 000000000..74d32f0ab
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/.gitignore
@@ -0,0 +1,4 @@
+lego.exe
+lego
+.lego
+.idea
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/.travis.yml b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/.travis.yml
new file mode 100644
index 000000000..ff9ae963a
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/.travis.yml
@@ -0,0 +1,16 @@
+language: go
+go:
+- 1.7
+- 1.8
+- tip
+services:
+  - memcached
+env:
+  - MEMCACHED_HOSTS=localhost:11211
+install:
+- go get -t ./...
+script:
+- go vet ./...
+- go test -v ./...
+before_install:
+- '[ "${TRAVIS_PULL_REQUEST}" = "false" ] && openssl aes-256-cbc -K $encrypted_26c593b079d9_key -iv $encrypted_26c593b079d9_iv -in .gitcookies.enc -out .gitcookies -d || true'
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/CHANGELOG.md b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/CHANGELOG.md
new file mode 100644
index 000000000..c43c4a936
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/CHANGELOG.md
@@ -0,0 +1,94 @@
+# Changelog
+
+## [0.3.1] - 2016-04-19
+
+### Added:
+- lib: A new DNS provider for Vultr.
+
+### Fixed:
+- lib: DNS Provider for DigitalOcean could not handle subdomains properly.
+- lib: handleHTTPError should only try to JSON decode error messages with the right content type.
+- lib: The propagation checker for the DNS challenge would not retry on send errors.
+
+
+## [0.3.0] - 2016-03-19
+
+### Added:
+- CLI: The `--dns` switch. To include the DNS challenge for consideration. When using this switch, all other solvers are disabled. Supported are the following solvers: cloudflare, digitalocean, dnsimple, dyn, gandi, googlecloud, namecheap, route53, rfc2136 and manual.
+- CLI: The `--accept-tos`  switch. Indicates your acceptance of the Let's Encrypt terms of service without prompting you.
+- CLI: The `--webroot` switch. The HTTP-01 challenge may now be completed by dropping a file into a webroot. When using this switch, all other solvers are disabled.
+- CLI: The `--key-type` switch. This replaces the `--rsa-key-size` switch and supports the following key types: EC256, EC384, RSA2048, RSA4096 and RSA8192.
+- CLI: The `--dnshelp` switch. This displays a more in-depth help topic for DNS solvers.
+- CLI: The `--no-bundle` sub switch for the `run` and `renew` commands. When this switch is set, the CLI will not bundle the issuer certificate with your certificate.
+- lib: A new type for challenge identifiers `Challenge`
+- lib: A new interface for custom challenge providers `acme.ChallengeProvider`
+- lib: A new interface for DNS-01 providers to allow for custom timeouts for the validation function `acme.ChallengeProviderTimeout`
+- lib: SetChallengeProvider function. Pass a challenge identifier and a Provider to replace the default behaviour of a challenge.
+- lib: The DNS-01 challenge has been implemented with modular solvers using the `ChallengeProvider` interface. Included solvers are: cloudflare, digitalocean, dnsimple, gandi, namecheap, route53, rfc2136 and manual.
+- lib: The `acme.KeyType` type was added and is used for the configuration of crypto parameters for RSA and EC keys. Valid KeyTypes are: EC256, EC384, RSA2048, RSA4096 and RSA8192.
+
+### Changed
+- lib: ExcludeChallenges now expects to be passed an array of `Challenge` types.
+- lib: HTTP-01 now supports custom solvers using the `ChallengeProvider` interface.
+- lib: TLS-SNI-01 now supports custom solvers using the `ChallengeProvider` interface.
+- lib: The `GetPrivateKey` function in the `acme.User` interface is now expected to return a `crypto.PrivateKey` instead of an `rsa.PrivateKey` for EC compat.
+- lib: The `acme.NewClient` function now expects an `acme.KeyType` instead of the keyBits parameter.
+ 
+### Removed
+- CLI: The `rsa-key-size` switch was removed in favor of `key-type` to support EC keys.
+
+### Fixed
+- lib: Fixed a race condition in HTTP-01
+- lib: Fixed an issue where status codes on ACME challenge responses could lead to no action being taken.
+- lib: Fixed a regression when calling the Renew function with a SAN certificate.
+
+## [0.2.0] - 2016-01-09
+
+### Added:
+- CLI: The `--exclude` or `-x` switch. To exclude a challenge from being solved.
+- CLI: The `--http` switch. To set the listen address and port of HTTP based challenges. Supports `host:port` and `:port` for any interface.
+- CLI: The `--tls` switch. To set the listen address and port of TLS based challenges. Supports `host:port` and `:port` for any interface.
+- CLI: The `--reuse-key` switch for the `renew` operation. This lets you reuse an existing private key for renewals.
+- lib: ExcludeChallenges function. Pass an array of challenge identifiers to exclude them from solving.
+- lib: SetHTTPAddress function. Pass a port to set the listen port for HTTP based challenges.
+- lib: SetTLSAddress function. Pass a port to set the listen port of TLS based challenges.
+- lib: acme.UserAgent variable. Use this to customize the user agent on all requests sent by lego.
+
+### Changed:
+- lib: NewClient does no longer accept the optPort parameter
+- lib: ObtainCertificate now returns a SAN certificate if you pass more then one domain.
+- lib: GetOCSPForCert now returns the parsed OCSP response instead of just the status.
+- lib: ObtainCertificate has a new parameter `privKey crypto.PrivateKey` which lets you reuse an existing private key for new certificates.
+- lib: RenewCertificate now expects the PrivateKey property of the CertificateResource to be set only if you want to reuse the key.
+
+### Removed:
+- CLI: The `--port` switch was removed.
+- lib: RenewCertificate does no longer offer to also revoke your old certificate.
+
+### Fixed:
+- CLI: Fix logic using the `--days` parameter for renew
+
+## [0.1.1] - 2015-12-18
+
+### Added:
+- CLI: Added a way to automate renewal through a cronjob using the --days parameter to renew
+
+### Changed:
+- lib: Improved log output on challenge failures.
+
+### Fixed:
+- CLI: The short parameter for domains would not get accepted
+- CLI: The cli did not return proper exit codes on error library errors.
+- lib: RenewCertificate did not properly renew SAN certificates.
+
+### Security
+- lib: Fix possible DOS on GetOCSPForCert
+
+## [0.1.0] - 2015-12-03
+- Initial release
+
+[0.3.1]: https://github.com/xenolf/lego/compare/v0.3.0...v0.3.1
+[0.3.0]: https://github.com/xenolf/lego/compare/v0.2.0...v0.3.0
+[0.2.0]: https://github.com/xenolf/lego/compare/v0.1.1...v0.2.0
+[0.1.1]: https://github.com/xenolf/lego/compare/v0.1.0...v0.1.1
+[0.1.0]: https://github.com/xenolf/lego/tree/v0.1.0
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/CONTRIBUTING.md b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/CONTRIBUTING.md
new file mode 100644
index 000000000..9939a5ab3
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/CONTRIBUTING.md
@@ -0,0 +1,32 @@
+# How to contribute to lego
+
+Contributions in the form of patches and proposals are essential to keep lego great and to make it even better.
+To ensure a great and easy experience for everyone, please review the few guidelines in this document.
+
+## Bug reports
+
+- Use the issue search to see if the issue has already been reported.
+- Also look for closed issues to see if your issue has already been fixed.
+- If both of the above do not apply create a new issue and include as much information as possible.
+
+Bug reports should include all information a person could need to reproduce your problem without the need to
+follow up for more information. If possible, provide detailed steps for us to reproduce it, the expected behaviour and the actual behaviour.
+
+## Feature proposals and requests
+
+Feature requests are welcome and should be discussed in an issue.
+Please keep proposals focused on one thing at a time and be as detailed as possible.
+It is up to you to make a strong point about your proposal and convince us of the merits and the added complexity of this feature.
+
+## Pull requests
+
+Patches, new features and improvements are a great way to help the project. 
+Please keep them focused on one thing and do not include unrelated commits.
+
+All pull requests which alter the behaviour of the program, add new behaviour or somehow alter code in a non-trivial way should **always** include tests.
+
+If you want to contribute a significant pull request (with a non-trivial workload for you) please **ask first**. We do not want you to spend
+a lot of time on something the project's developers might not want to merge into the project.
+
+**IMPORTANT**: By submitting a patch, you agree to allow the project
+owners to license your work under the terms of the [MIT License](LICENSE).
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/Dockerfile b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/Dockerfile
new file mode 100644
index 000000000..c03964076
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/Dockerfile
@@ -0,0 +1,14 @@
+FROM alpine:3.4
+
+ENV GOPATH /go
+
+RUN apk update && apk add ca-certificates go git && \
+    rm -rf /var/cache/apk/* && \
+    go get -u github.com/xenolf/lego && \
+    cd /go/src/github.com/xenolf/lego && \
+    go build -o /usr/bin/lego . && \
+    apk del go git && \
+    rm -rf /var/cache/apk/* && \
+    rm -rf /go
+
+ENTRYPOINT [ "/usr/bin/lego" ]
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/README.md b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/README.md
new file mode 100644
index 000000000..5dc9d550d
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/README.md
@@ -0,0 +1,267 @@
+# lego
+Let's Encrypt client and ACME library written in Go
+
+[![GoDoc](https://godoc.org/github.com/xenolf/lego/acme?status.svg)](https://godoc.org/github.com/xenolf/lego/acme)
+[![Build Status](https://travis-ci.org/xenolf/lego.svg?branch=master)](https://travis-ci.org/xenolf/lego)
+[![Dev Chat](https://img.shields.io/badge/dev%20chat-gitter-blue.svg?label=dev+chat)](https://gitter.im/xenolf/lego)
+
+#### General
+This is a work in progress. Please do *NOT* run this on a production server and please report any bugs you find!
+
+#### Installation
+lego supports both binary installs and install from source.
+
+To get the binary just download the latest release for your OS/Arch from [the release page](https://github.com/xenolf/lego/releases)
+and put the binary somewhere convenient. lego does not assume anything about the location you run it from.
+
+To install from source, just run 
+```
+go get -u github.com/xenolf/lego
+```
+
+To build lego inside a Docker container, just run
+```
+docker build -t lego .
+```
+##### From the package manager
+- [ArchLinux (AUR)](https://aur.archlinux.org/packages/lego-git):
+```
+yaourt -S lego-git
+```
+#### Features
+
+- Register with CA
+- Obtain certificates, both from scratch or with an existing CSR
+- Renew certificates
+- Revoke certificates
+- Robust implementation of all ACME challenges
+  - HTTP (http-01)
+  - TLS with Server Name Indication (tls-sni-01)
+  - DNS (dns-01)
+- SAN certificate support
+- Comes with multiple optional [DNS providers](https://github.com/xenolf/lego/tree/master/providers/dns)
+- [Custom challenge solvers](https://github.com/xenolf/lego/wiki/Writing-a-Challenge-Solver)
+- Certificate bundling
+- OCSP helper function
+
+Please keep in mind that CLI switches and APIs are still subject to change.
+
+When using the standard `--path` option, all certificates and account configurations are saved to a folder *.lego* in the current working directory.
+
+#### Sudo
+The CLI does not require root permissions but needs to bind to port 80 and 443 for certain challenges. 
+To run the CLI without sudo, you have four options:
+
+- Use setcap 'cap_net_bind_service=+ep' /path/to/program
+- Pass the `--http` or/and the `--tls` option and specify a custom port to bind to. In this case you have to forward port 80/443 to these custom ports (see [Port Usage](#port-usage)).
+- Pass the `--webroot` option and specify the path to your webroot folder. In this case the challenge will be written in a file in `.well-known/acme-challenge/` inside your webroot.
+- Pass the `--dns` option and specify a DNS provider.
+
+#### Port Usage
+By default lego assumes it is able to bind to ports 80 and 443 to solve challenges.
+If this is not possible in your environment, you can use the `--http` and `--tls` options to instruct
+lego to listen on that interface:port for any incoming challenges.
+
+If you are using this option, make sure you proxy all of the following traffic to these ports.
+
+HTTP Port:
+- All plaintext HTTP requests to port 80 which begin with a request path of `/.well-known/acme-challenge/` for the HTTP challenge.
+
+TLS Port:
+- All TLS handshakes on port 443 for the TLS-SNI challenge.
+
+This traffic redirection is only needed as long as lego solves challenges. As soon as you have received your certificates you can deactivate the forwarding.
+
+#### Usage
+
+```
+NAME:
+   lego - Let's Encrypt client written in Go
+
+USAGE:
+   lego [global options] command [command options] [arguments...]
+   
+VERSION:
+   0.3.1
+   
+COMMANDS:
+   run		Register an account, then create and install a certificate
+   revoke	Revoke a certificate
+   renew	Renew a certificate
+   dnshelp	Shows additional help for the --dns global option
+   help, h	Shows a list of commands or help for one command
+   
+GLOBAL OPTIONS:
+   --domains, -d [--domains option --domains option]			Add domains to the process
+   --csr, -c                Certificate signing request filename, if an external CSR is to be used
+   --server, -s "https://acme-v01.api.letsencrypt.org/directory"	CA hostname (and optionally :port). The server certificate must be trusted in order to avoid further modifications to the client.
+   --email, -m 								Email used for registration and recovery contact.
+   --accept-tos, -a							By setting this flag to true you indicate that you accept the current Let's Encrypt terms of service.
+   --key-type, -k "rsa2048"						Key type to use for private keys. Supported: rsa2048, rsa4096, rsa8192, ec256, ec384
+   --path "${CWD}/.lego"	Directory to use for storing the data
+   --exclude, -x [--exclude option --exclude option]			Explicitly disallow solvers by name from being used. Solvers: "http-01", "tls-sni-01".
+   --webroot 								Set the webroot folder to use for HTTP based challenges to write directly in a file in .well-known/acme-challenge
+   --http 								Set the port and interface to use for HTTP based challenges to listen on. Supported: interface:port or :port
+   --tls 								Set the port and interface to use for TLS based challenges to listen on. Supported: interface:port or :port
+   --dns 								Solve a DNS challenge using the specified provider. Disables all other challenges. Run 'lego dnshelp' for help on usage.
+   --help, -h								show help
+   --version, -v							print the version
+```
+
+##### CLI Example
+
+Assumes the `lego` binary has permission to bind to ports 80 and 443. You can get a pre-built binary from the [releases](https://github.com/xenolf/lego/releases) page.
+If your environment does not allow you to bind to these ports, please read [Port Usage](#port-usage).
+
+Obtain a certificate:
+
+```bash
+$ lego --email="foo@bar.com" --domains="example.com" run
+```
+
+(Find your certificate in the `.lego` folder of current working directory.)
+
+To renew the certificate:
+
+```bash
+$ lego --email="foo@bar.com" --domains="example.com" renew
+```
+
+To renew the certificate only if it's older than 30 days
+
+```bash
+$ lego --email="foo@bar.com" --domains="example.com" renew --days 30
+```
+
+Obtain a certificate using the DNS challenge and AWS Route 53:
+
+```bash
+$ AWS_REGION=us-east-1 AWS_ACCESS_KEY_ID=my_id AWS_SECRET_ACCESS_KEY=my_key lego --email="foo@bar.com" --domains="example.com" --dns="route53" run
+```
+
+Note that `--dns=foo` implies `--exclude=http-01` and `--exclude=tls-sni-01`. lego will not attempt other challenges if you've told it to use DNS instead.
+
+Obtain a certificate given a certificate signing request (CSR) generated by something else:
+
+```bash
+$ lego --email="foo@bar.com" --csr=/path/to/csr.pem run
+```
+
+(lego will infer the domains to be validated based on the contents of the CSR, so make sure the CSR's Common Name and optional SubjectAltNames are set correctly.)
+
+lego defaults to communicating with the production Let's Encrypt ACME server. If you'd like to test something without issuing real certificates, consider using the staging endpoint instead:
+
+```bash
+$ lego --server=https://acme-staging.api.letsencrypt.org/directory …
+```
+
+#### DNS Challenge API Details
+
+##### AWS Route 53
+
+The following AWS IAM policy document describes the permissions required for lego to complete the DNS challenge.
+Replace `<INSERT_YOUR_HOSTED_ZONE_ID_HERE>` with the Route 53 zone ID of the domain you are authorizing.
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "route53:GetChange",
+                "route53:ListHostedZonesByName"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "route53:ChangeResourceRecordSets"
+            ],
+            "Resource": [
+                "arn:aws:route53:::hostedzone/<INSERT_YOUR_HOSTED_ZONE_ID_HERE>"
+            ]
+        }
+    ]
+}
+```
+
+#### ACME Library Usage
+
+A valid, but bare-bones example use of the acme package:
+
+```go
+// You'll need a user or account type that implements acme.User
+type MyUser struct {
+	Email        string
+	Registration *acme.RegistrationResource
+	key          crypto.PrivateKey
+}
+func (u MyUser) GetEmail() string {
+	return u.Email
+}
+func (u MyUser) GetRegistration() *acme.RegistrationResource {
+	return u.Registration
+}
+func (u MyUser) GetPrivateKey() crypto.PrivateKey {
+	return u.key
+}
+
+// Create a user. New accounts need an email and private key to start.
+const rsaKeySize = 2048
+privateKey, err := rsa.GenerateKey(rand.Reader, rsaKeySize)
+if err != nil {
+	log.Fatal(err)
+}
+myUser := MyUser{
+	Email: "you@yours.com",
+	key: privateKey,
+}
+
+// A client facilitates communication with the CA server. This CA URL is
+// configured for a local dev instance of Boulder running in Docker in a VM.
+client, err := acme.NewClient("http://192.168.99.100:4000", &myUser, acme.RSA2048)
+if err != nil {
+  log.Fatal(err)
+}
+
+// We specify an http port of 5002 and an tls port of 5001 on all interfaces
+// because we aren't running as root and can't bind a listener to port 80 and 443 
+// (used later when we attempt to pass challenges). Keep in mind that we still
+// need to proxy challenge traffic to port 5002 and 5001.
+client.SetHTTPAddress(":5002")
+client.SetTLSAddress(":5001")
+
+// New users will need to register
+reg, err := client.Register()
+if err != nil {
+	log.Fatal(err)
+}
+myUser.Registration = reg
+
+// SAVE THE USER.
+
+// The client has a URL to the current Let's Encrypt Subscriber
+// Agreement. The user will need to agree to it.
+err = client.AgreeToTOS()
+if err != nil {
+	log.Fatal(err)
+}
+
+// The acme library takes care of completing the challenges to obtain the certificate(s).
+// The domains must resolve to this machine or you have to use the DNS challenge.
+bundle := false
+certificates, failures := client.ObtainCertificate([]string{"mydomain.com"}, bundle, nil, false)
+if len(failures) > 0 {
+	log.Fatal(failures)
+}
+
+// Each certificate comes back with the cert bytes, the bytes of the client's
+// private key, and a certificate URL. SAVE THESE TO DISK.
+fmt.Printf("%#v\n", certificates)
+
+// ... all done.
+```
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/client.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/client.go
index 16e4cbe00..bcb844371 100644
--- a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/client.go
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/client.go
@@ -11,6 +11,7 @@ import (
 	"io/ioutil"
 	"log"
 	"net"
+	"net/http"
 	"regexp"
 	"strconv"
 	"strings"
@@ -22,6 +23,16 @@ var (
 	Logger *log.Logger
 )
 
+const (
+	// maxBodySize is the maximum size of body that we will read.
+	maxBodySize = 1024 * 1024
+
+	// overallRequestLimit is the overall number of request per second limited on the
+	// “new-reg”, “new-authz” and “new-cert” endpoints. From the documentation the
+	// limitation is 20 requests per second, but using 20 as value doesn't work but 18 do
+	overallRequestLimit = 18
+)
+
 // logf writes a log entry. It uses Logger if not
 // nil, otherwise it uses the default log.Logger.
 func logf(format string, args ...interface{}) {
@@ -49,17 +60,17 @@ type validateFunc func(j *jws, domain, uri string, chlng challenge) error
 
 // Client is the user-friendy way to ACME
 type Client struct {
-	directory  directory
-	user       User
-	jws        *jws
-	keyType    KeyType
-	issuerCert []byte
-	solvers    map[Challenge]solver
+	directory directory
+	user      User
+	jws       *jws
+	keyType   KeyType
+	solvers   map[Challenge]solver
 }
 
 // NewClient creates a new ACME client on behalf of the user. The client will depend on
-// the ACME directory located at caDirURL for the rest of its actions. It will
-// generate private keys for certificates of size keyBits.
+// the ACME directory located at caDirURL for the rest of its actions.  A private
+// key of type keyType (see KeyType contants) will be generated when requesting a new
+// certificate if one isn't provided.
 func NewClient(caDirURL string, user User, keyType KeyType) (*Client, error) {
 	privKey := user.GetPrivateKey()
 	if privKey == nil {
@@ -96,13 +107,15 @@ func NewClient(caDirURL string, user User, keyType KeyType) (*Client, error) {
 	return &Client{directory: dir, user: user, jws: jws, keyType: keyType, solvers: solvers}, nil
 }
 
-// SetChallengeProvider specifies a custom provider that will make the solution available
+// SetChallengeProvider specifies a custom provider p that can solve the given challenge type.
 func (c *Client) SetChallengeProvider(challenge Challenge, p ChallengeProvider) error {
 	switch challenge {
 	case HTTP01:
 		c.solvers[challenge] = &httpChallenge{jws: c.jws, validate: validate, provider: p}
 	case TLSSNI01:
 		c.solvers[challenge] = &tlsSNIChallenge{jws: c.jws, validate: validate, provider: p}
+	case DNS01:
+		c.solvers[challenge] = &dnsChallenge{jws: c.jws, validate: validate, provider: p}
 	default:
 		return fmt.Errorf("Unknown challenge %v", challenge)
 	}
@@ -112,6 +125,9 @@ func (c *Client) SetChallengeProvider(challenge Challenge, p ChallengeProvider)
 // SetHTTPAddress specifies a custom interface:port to be used for HTTP based challenges.
 // If this option is not used, the default port 80 and all interfaces will be used.
 // To only specify a port and no interface use the ":port" notation.
+//
+// NOTE: This REPLACES any custom HTTP provider previously set by calling
+// c.SetChallengeProvider with the default HTTP challenge provider.
 func (c *Client) SetHTTPAddress(iface string) error {
 	host, port, err := net.SplitHostPort(iface)
 	if err != nil {
@@ -128,6 +144,9 @@ func (c *Client) SetHTTPAddress(iface string) error {
 // SetTLSAddress specifies a custom interface:port to be used for TLS based challenges.
 // If this option is not used, the default port 443 and all interfaces will be used.
 // To only specify a port and no interface use the ":port" notation.
+//
+// NOTE: This REPLACES any custom TLS-SNI provider previously set by calling
+// c.SetChallengeProvider with the default TLS-SNI challenge provider.
 func (c *Client) SetTLSAddress(iface string) error {
 	host, port, err := net.SplitHostPort(iface)
 	if err != nil {
@@ -165,15 +184,31 @@ func (c *Client) Register() (*RegistrationResource, error) {
 	}
 
 	var serverReg Registration
+	var regURI string
 	hdr, err := postJSON(c.jws, c.directory.NewRegURL, regMsg, &serverReg)
 	if err != nil {
-		return nil, err
+		remoteErr, ok := err.(RemoteError)
+		if ok && remoteErr.StatusCode == 409 {
+			regURI = hdr.Get("Location")
+			regMsg = registrationMessage{
+				Resource: "reg",
+			}
+			if hdr, err = postJSON(c.jws, regURI, regMsg, &serverReg); err != nil {
+				return nil, err
+			}
+		} else {
+			return nil, err
+		}
 	}
 
 	reg := &RegistrationResource{Body: serverReg}
 
 	links := parseLinks(hdr["Link"])
-	reg.URI = hdr.Get("Location")
+
+	if regURI == "" {
+		regURI = hdr.Get("Location")
+	}
+	reg.URI = regURI
 	if links["terms-of-service"] != "" {
 		reg.TosURL = links["terms-of-service"]
 	}
@@ -187,6 +222,68 @@ func (c *Client) Register() (*RegistrationResource, error) {
 	return reg, nil
 }
 
+// DeleteRegistration deletes the client's user registration from the ACME
+// server.
+func (c *Client) DeleteRegistration() error {
+	if c == nil || c.user == nil {
+		return errors.New("acme: cannot unregister a nil client or user")
+	}
+	logf("[INFO] acme: Deleting account for %s", c.user.GetEmail())
+
+	regMsg := registrationMessage{
+		Resource: "reg",
+		Delete:   true,
+	}
+
+	_, err := postJSON(c.jws, c.user.GetRegistration().URI, regMsg, nil)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// QueryRegistration runs a POST request on the client's registration and
+// returns the result.
+//
+// This is similar to the Register function, but acting on an existing
+// registration link and resource.
+func (c *Client) QueryRegistration() (*RegistrationResource, error) {
+	if c == nil || c.user == nil {
+		return nil, errors.New("acme: cannot query the registration of a nil client or user")
+	}
+	// Log the URL here instead of the email as the email may not be set
+	logf("[INFO] acme: Querying account for %s", c.user.GetRegistration().URI)
+
+	regMsg := registrationMessage{
+		Resource: "reg",
+	}
+
+	var serverReg Registration
+	hdr, err := postJSON(c.jws, c.user.GetRegistration().URI, regMsg, &serverReg)
+	if err != nil {
+		return nil, err
+	}
+
+	reg := &RegistrationResource{Body: serverReg}
+
+	links := parseLinks(hdr["Link"])
+	// Location: header is not returned so this needs to be populated off of
+	// existing URI
+	reg.URI = c.user.GetRegistration().URI
+	if links["terms-of-service"] != "" {
+		reg.TosURL = links["terms-of-service"]
+	}
+
+	if links["next"] != "" {
+		reg.NewAuthzURL = links["next"]
+	} else {
+		return nil, errors.New("acme: No new-authz link in response to registration query")
+	}
+
+	return reg, nil
+}
+
 // AgreeToTOS updates the Client registration and sends the agreement to
 // the server.
 func (c *Client) AgreeToTOS() error {
@@ -198,6 +295,69 @@ func (c *Client) AgreeToTOS() error {
 	return err
 }
 
+// ObtainCertificateForCSR tries to obtain a certificate matching the CSR passed into it.
+// The domains are inferred from the CommonName and SubjectAltNames, if any. The private key
+// for this CSR is not required.
+// If bundle is true, the []byte contains both the issuer certificate and
+// your issued certificate as a bundle.
+// This function will never return a partial certificate. If one domain in the list fails,
+// the whole certificate will fail.
+func (c *Client) ObtainCertificateForCSR(csr x509.CertificateRequest, bundle bool) (CertificateResource, map[string]error) {
+	// figure out what domains it concerns
+	// start with the common name
+	domains := []string{csr.Subject.CommonName}
+
+	// loop over the SubjectAltName DNS names
+DNSNames:
+	for _, sanName := range csr.DNSNames {
+		for _, existingName := range domains {
+			if existingName == sanName {
+				// duplicate; skip this name
+				continue DNSNames
+			}
+		}
+
+		// name is unique
+		domains = append(domains, sanName)
+	}
+
+	if bundle {
+		logf("[INFO][%s] acme: Obtaining bundled SAN certificate given a CSR", strings.Join(domains, ", "))
+	} else {
+		logf("[INFO][%s] acme: Obtaining SAN certificate given a CSR", strings.Join(domains, ", "))
+	}
+
+	challenges, failures := c.getChallenges(domains)
+	// If any challenge fails - return. Do not generate partial SAN certificates.
+	if len(failures) > 0 {
+		for _, auth := range challenges {
+			c.disableAuthz(auth)
+		}
+
+		return CertificateResource{}, failures
+	}
+
+	errs := c.solveChallenges(challenges)
+	// If any challenge fails - return. Do not generate partial SAN certificates.
+	if len(errs) > 0 {
+		return CertificateResource{}, errs
+	}
+
+	logf("[INFO][%s] acme: Validations succeeded; requesting certificates", strings.Join(domains, ", "))
+
+	cert, err := c.requestCertificateForCsr(challenges, bundle, csr.Raw, nil)
+	if err != nil {
+		for _, chln := range challenges {
+			failures[chln.Domain] = err
+		}
+	}
+
+	// Add the CSR to the certificate so that it can be used for renewals.
+	cert.CSR = pemEncode(&csr)
+
+	return cert, failures
+}
+
 // ObtainCertificate tries to obtain a single certificate using all domains passed into it.
 // The first domain in domains is used for the CommonName field of the certificate, all other
 // domains are added using the Subject Alternate Names extension. A new private key is generated
@@ -207,7 +367,7 @@ func (c *Client) AgreeToTOS() error {
 // your issued certificate as a bundle.
 // This function will never return a partial certificate. If one domain in the list fails,
 // the whole certificate will fail.
-func (c *Client) ObtainCertificate(domains []string, bundle bool, privKey crypto.PrivateKey) (CertificateResource, map[string]error) {
+func (c *Client) ObtainCertificate(domains []string, bundle bool, privKey crypto.PrivateKey, mustStaple bool) (CertificateResource, map[string]error) {
 	if bundle {
 		logf("[INFO][%s] acme: Obtaining bundled SAN certificate", strings.Join(domains, ", "))
 	} else {
@@ -217,6 +377,10 @@ func (c *Client) ObtainCertificate(domains []string, bundle bool, privKey crypto
 	challenges, failures := c.getChallenges(domains)
 	// If any challenge fails - return. Do not generate partial SAN certificates.
 	if len(failures) > 0 {
+		for _, auth := range challenges {
+			c.disableAuthz(auth)
+		}
+
 		return CertificateResource{}, failures
 	}
 
@@ -228,7 +392,7 @@ func (c *Client) ObtainCertificate(domains []string, bundle bool, privKey crypto
 
 	logf("[INFO][%s] acme: Validations succeeded; requesting certificates", strings.Join(domains, ", "))
 
-	cert, err := c.requestCertificate(challenges, bundle, privKey)
+	cert, err := c.requestCertificate(challenges, bundle, privKey, mustStaple)
 	if err != nil {
 		for _, chln := range challenges {
 			failures[chln.Domain] = err
@@ -264,7 +428,7 @@ func (c *Client) RevokeCertificate(certificate []byte) error {
 // If bundle is true, the []byte contains both the issuer certificate and
 // your issued certificate as a bundle.
 // For private key reuse the PrivateKey property of the passed in CertificateResource should be non-nil.
-func (c *Client) RenewCertificate(cert CertificateResource, bundle bool) (CertificateResource, error) {
+func (c *Client) RenewCertificate(cert CertificateResource, bundle, mustStaple bool) (CertificateResource, error) {
 	// Input certificate is PEM encoded. Decode it here as we may need the decoded
 	// cert later on in the renewal process. The input may be a bundle or a single certificate.
 	certificates, err := parsePEMBundle(cert.Certificate)
@@ -281,47 +445,16 @@ func (c *Client) RenewCertificate(cert CertificateResource, bundle bool) (Certif
 	timeLeft := x509Cert.NotAfter.Sub(time.Now().UTC())
 	logf("[INFO][%s] acme: Trying renewal with %d hours remaining", cert.Domain, int(timeLeft.Hours()))
 
-	// The first step of renewal is to check if we get a renewed cert
-	// directly from the cert URL.
-	resp, err := httpGet(cert.CertURL)
-	if err != nil {
-		return CertificateResource{}, err
-	}
-	defer resp.Body.Close()
-	serverCertBytes, err := ioutil.ReadAll(resp.Body)
-	if err != nil {
-		return CertificateResource{}, err
-	}
-
-	serverCert, err := x509.ParseCertificate(serverCertBytes)
-	if err != nil {
-		return CertificateResource{}, err
-	}
-
-	// If the server responds with a different certificate we are effectively renewed.
-	// TODO: Further test if we can actually use the new certificate (Our private key works)
-	if !x509Cert.Equal(serverCert) {
-		logf("[INFO][%s] acme: Server responded with renewed certificate", cert.Domain)
-		issuedCert := pemEncode(derCertificateBytes(serverCertBytes))
-		// If bundle is true, we want to return a certificate bundle.
-		// To do this, we need the issuer certificate.
-		if bundle {
-			// The issuer certificate link is always supplied via an "up" link
-			// in the response headers of a new certificate.
-			links := parseLinks(resp.Header["Link"])
-			issuerCert, err := c.getIssuerCertificate(links["up"])
-			if err != nil {
-				// If we fail to acquire the issuer cert, return the issued certificate - do not fail.
-				logf("[ERROR][%s] acme: Could not bundle issuer certificate: %v", cert.Domain, err)
-			} else {
-				// Success - append the issuer cert to the issued cert.
-				issuerCert = pemEncode(derCertificateBytes(issuerCert))
-				issuedCert = append(issuedCert, issuerCert...)
-			}
+	// We always need to request a new certificate to renew.
+	// Start by checking to see if the certificate was based off a CSR, and
+	// use that if it's defined.
+	if len(cert.CSR) > 0 {
+		csr, err := pemDecodeTox509CSR(cert.CSR)
+		if err != nil {
+			return CertificateResource{}, err
 		}
-
-		cert.Certificate = issuedCert
-		return cert, nil
+		newCert, failures := c.ObtainCertificateForCSR(*csr, bundle)
+		return newCert, failures[cert.Domain]
 	}
 
 	var privKey crypto.PrivateKey
@@ -347,7 +480,7 @@ func (c *Client) RenewCertificate(cert CertificateResource, bundle bool) (Certif
 		domains = append(domains, x509Cert.Subject.CommonName)
 	}
 
-	newCert, failures := c.ObtainCertificate(domains, bundle, privKey)
+	newCert, failures := c.ObtainCertificate(domains, bundle, privKey, mustStaple)
 	return newCert, failures[cert.Domain]
 }
 
@@ -357,16 +490,23 @@ func (c *Client) solveChallenges(challenges []authorizationResource) map[string]
 	// loop through the resources, basically through the domains.
 	failures := make(map[string]error)
 	for _, authz := range challenges {
+		if authz.Body.Status == "valid" {
+			// Boulder might recycle recent validated authz (see issue #267)
+			logf("[INFO][%s] acme: Authorization already valid; skipping challenge", authz.Domain)
+			continue
+		}
 		// no solvers - no solving
 		if solvers := c.chooseSolvers(authz.Body, authz.Domain); solvers != nil {
 			for i, solver := range solvers {
 				// TODO: do not immediately fail if one domain fails to validate.
 				err := solver.Solve(authz.Body.Challenges[i], authz.Domain)
 				if err != nil {
+					c.disableAuthz(authz)
 					failures[authz.Domain] = err
 				}
 			}
 		} else {
+			c.disableAuthz(authz)
 			failures[authz.Domain] = fmt.Errorf("[%s] acme: Could not determine solvers", authz.Domain)
 		}
 	}
@@ -399,7 +539,11 @@ func (c *Client) chooseSolvers(auth authorization, domain string) map[int]solver
 func (c *Client) getChallenges(domains []string) ([]authorizationResource, map[string]error) {
 	resc, errc := make(chan authorizationResource), make(chan domainError)
 
+	delay := time.Second / overallRequestLimit
+
 	for _, domain := range domains {
+		time.Sleep(delay)
+
 		go func(domain string) {
 			authMsg := authorization{Resource: "new-authz", Identifier: identifier{Type: "dns", Value: domain}}
 			var authz authorization
@@ -412,6 +556,7 @@ func (c *Client) getChallenges(domains []string) ([]authorizationResource, map[s
 			links := parseLinks(hdr["Link"])
 			if links["next"] == "" {
 				logf("[ERROR][%s] acme: Server did not provide next link to proceed", domain)
+				errc <- domainError{Domain: domain, Error: errors.New("Server did not provide next link to proceed")}
 				return
 			}
 
@@ -437,18 +582,32 @@ func (c *Client) getChallenges(domains []string) ([]authorizationResource, map[s
 		}
 	}
 
+	logAuthz(challenges)
+
 	close(resc)
 	close(errc)
 
 	return challenges, failures
 }
 
-func (c *Client) requestCertificate(authz []authorizationResource, bundle bool, privKey crypto.PrivateKey) (CertificateResource, error) {
+func logAuthz(authz []authorizationResource) {
+	for _, auth := range authz {
+		logf("[INFO][%s] AuthURL: %s", auth.Domain, auth.AuthURL)
+	}
+}
+
+// cleanAuthz loops through the passed in slice and disables any auths which are not "valid"
+func (c *Client) disableAuthz(auth authorizationResource) error {
+	var disabledAuth authorization
+	_, err := postJSON(c.jws, auth.AuthURL, deactivateAuthMessage{Resource: "authz", Status: "deactivated"}, &disabledAuth)
+	return err
+}
+
+func (c *Client) requestCertificate(authz []authorizationResource, bundle bool, privKey crypto.PrivateKey, mustStaple bool) (CertificateResource, error) {
 	if len(authz) == 0 {
 		return CertificateResource{}, errors.New("Passed no authorizations to requestCertificate!")
 	}
 
-	commonName := authz[0]
 	var err error
 	if privKey == nil {
 		privKey, err = generatePrivateKey(c.keyType)
@@ -457,19 +616,30 @@ func (c *Client) requestCertificate(authz []authorizationResource, bundle bool,
 		}
 	}
 
+	// determine certificate name(s) based on the authorization resources
+	commonName := authz[0]
 	var san []string
-	var authURLs []string
 	for _, auth := range authz[1:] {
 		san = append(san, auth.Domain)
-		authURLs = append(authURLs, auth.AuthURL)
 	}
 
 	// TODO: should the CSR be customizable?
-	csr, err := generateCsr(privKey, commonName.Domain, san)
+	csr, err := generateCsr(privKey, commonName.Domain, san, mustStaple)
 	if err != nil {
 		return CertificateResource{}, err
 	}
 
+	return c.requestCertificateForCsr(authz, bundle, csr, pemEncode(privKey))
+}
+
+func (c *Client) requestCertificateForCsr(authz []authorizationResource, bundle bool, csr []byte, privateKeyPem []byte) (CertificateResource, error) {
+	commonName := authz[0]
+
+	var authURLs []string
+	for _, auth := range authz[1:] {
+		authURLs = append(authURLs, auth.AuthURL)
+	}
+
 	csrString := base64.URLEncoding.EncodeToString(csr)
 	jsonBytes, err := json.Marshal(csrMessage{Resource: "new-cert", Csr: csrString, Authorizations: authURLs})
 	if err != nil {
@@ -481,90 +651,108 @@ func (c *Client) requestCertificate(authz []authorizationResource, bundle bool,
 		return CertificateResource{}, err
 	}
 
-	privateKeyPem := pemEncode(privKey)
-	cerRes := CertificateResource{
+	certRes := CertificateResource{
 		Domain:     commonName.Domain,
 		CertURL:    resp.Header.Get("Location"),
-		PrivateKey: privateKeyPem}
+		PrivateKey: privateKeyPem,
+	}
 
-	for {
-		switch resp.StatusCode {
-		case 201, 202:
-			cert, err := ioutil.ReadAll(limitReader(resp.Body, 1024*1024))
-			resp.Body.Close()
-			if err != nil {
-				return CertificateResource{}, err
-			}
+	maxChecks := 1000
+	for i := 0; i < maxChecks; i++ {
+		done, err := c.checkCertResponse(resp, &certRes, bundle)
+		resp.Body.Close()
+		if err != nil {
+			return CertificateResource{}, err
+		}
+		if done {
+			break
+		}
+		if i == maxChecks-1 {
+			return CertificateResource{}, fmt.Errorf("polled for certificate %d times; giving up", i)
+		}
+		resp, err = httpGet(certRes.CertURL)
+		if err != nil {
+			return CertificateResource{}, err
+		}
+	}
 
-			// The server returns a body with a length of zero if the
-			// certificate was not ready at the time this request completed.
-			// Otherwise the body is the certificate.
-			if len(cert) > 0 {
+	return certRes, nil
+}
 
-				cerRes.CertStableURL = resp.Header.Get("Content-Location")
-				cerRes.AccountRef = c.user.GetRegistration().URI
+// checkCertResponse checks resp to see if a certificate is contained in the
+// response, and if so, loads it into certRes and returns true. If the cert
+// is not yet ready, it returns false. This function honors the waiting period
+// required by the Retry-After header of the response, if specified. This
+// function may read from resp.Body but does NOT close it. The certRes input
+// should already have the Domain (common name) field populated. If bundle is
+// true, the certificate will be bundled with the issuer's cert.
+func (c *Client) checkCertResponse(resp *http.Response, certRes *CertificateResource, bundle bool) (bool, error) {
+	switch resp.StatusCode {
+	case 201, 202:
+		cert, err := ioutil.ReadAll(limitReader(resp.Body, maxBodySize))
+		if err != nil {
+			return false, err
+		}
 
-				issuedCert := pemEncode(derCertificateBytes(cert))
-				// If bundle is true, we want to return a certificate bundle.
-				// To do this, we need the issuer certificate.
-				if bundle {
-					// The issuer certificate link is always supplied via an "up" link
-					// in the response headers of a new certificate.
-					links := parseLinks(resp.Header["Link"])
-					issuerCert, err := c.getIssuerCertificate(links["up"])
-					if err != nil {
-						// If we fail to acquire the issuer cert, return the issued certificate - do not fail.
-						logf("[WARNING][%s] acme: Could not bundle issuer certificate: %v", commonName.Domain, err)
-					} else {
-						// Success - append the issuer cert to the issued cert.
-						issuerCert = pemEncode(derCertificateBytes(issuerCert))
-						issuedCert = append(issuedCert, issuerCert...)
-					}
-				}
+		// The server returns a body with a length of zero if the
+		// certificate was not ready at the time this request completed.
+		// Otherwise the body is the certificate.
+		if len(cert) > 0 {
+			certRes.CertStableURL = resp.Header.Get("Content-Location")
+			certRes.AccountRef = c.user.GetRegistration().URI
 
-				cerRes.Certificate = issuedCert
-				logf("[INFO][%s] Server responded with a certificate.", commonName.Domain)
-				return cerRes, nil
-			}
+			issuedCert := pemEncode(derCertificateBytes(cert))
 
-			// The certificate was granted but is not yet issued.
-			// Check retry-after and loop.
-			ra := resp.Header.Get("Retry-After")
-			retryAfter, err := strconv.Atoi(ra)
+			// The issuer certificate link is always supplied via an "up" link
+			// in the response headers of a new certificate.
+			links := parseLinks(resp.Header["Link"])
+			issuerCert, err := c.getIssuerCertificate(links["up"])
 			if err != nil {
-				return CertificateResource{}, err
-			}
+				// If we fail to acquire the issuer cert, return the issued certificate - do not fail.
+				logf("[WARNING][%s] acme: Could not bundle issuer certificate: %v", certRes.Domain, err)
+			} else {
+				issuerCert = pemEncode(derCertificateBytes(issuerCert))
 
-			logf("[INFO][%s] acme: Server responded with status 202; retrying after %ds", commonName.Domain, retryAfter)
-			time.Sleep(time.Duration(retryAfter) * time.Second)
+				// If bundle is true, we want to return a certificate bundle.
+				// To do this, we append the issuer cert to the issued cert.
+				if bundle {
+					issuedCert = append(issuedCert, issuerCert...)
+				}
+			}
 
-			break
-		default:
-			return CertificateResource{}, handleHTTPError(resp)
+			certRes.Certificate = issuedCert
+			certRes.IssuerCertificate = issuerCert
+			logf("[INFO][%s] Server responded with a certificate.", certRes.Domain)
+			return true, nil
 		}
 
-		resp, err = httpGet(cerRes.CertURL)
+		// The certificate was granted but is not yet issued.
+		// Check retry-after and loop.
+		ra := resp.Header.Get("Retry-After")
+		retryAfter, err := strconv.Atoi(ra)
 		if err != nil {
-			return CertificateResource{}, err
+			return false, err
 		}
+
+		logf("[INFO][%s] acme: Server responded with status 202; retrying after %ds", certRes.Domain, retryAfter)
+		time.Sleep(time.Duration(retryAfter) * time.Second)
+
+		return false, nil
+	default:
+		return false, handleHTTPError(resp)
 	}
 }
 
-// getIssuerCertificate requests the issuer certificate and caches it for
-// subsequent requests.
+// getIssuerCertificate requests the issuer certificate
 func (c *Client) getIssuerCertificate(url string) ([]byte, error) {
 	logf("[INFO] acme: Requesting issuer cert from %s", url)
-	if c.issuerCert != nil {
-		return c.issuerCert, nil
-	}
-
 	resp, err := httpGet(url)
 	if err != nil {
 		return nil, err
 	}
 	defer resp.Body.Close()
 
-	issuerBytes, err := ioutil.ReadAll(limitReader(resp.Body, 1024*1024))
+	issuerBytes, err := ioutil.ReadAll(limitReader(resp.Body, maxBodySize))
 	if err != nil {
 		return nil, err
 	}
@@ -574,7 +762,6 @@ func (c *Client) getIssuerCertificate(url string) ([]byte, error) {
 		return nil, err
 	}
 
-	c.issuerCert = issuerBytes
 	return issuerBytes, err
 }
 
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/client_test.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/client_test.go
index e309554f3..b18334c8a 100644
--- a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/client_test.go
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/client_test.go
@@ -10,6 +10,7 @@ import (
 	"net/http/httptest"
 	"strings"
 	"testing"
+	"time"
 )
 
 func TestNewClient(t *testing.T) {
@@ -118,6 +119,39 @@ func TestClientOptPort(t *testing.T) {
 	}
 }
 
+func TestNotHoldingLockWhileMakingHTTPRequests(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		time.Sleep(250 * time.Millisecond)
+		w.Header().Add("Replay-Nonce", "12345")
+		w.Header().Add("Retry-After", "0")
+		writeJSONResponse(w, &challenge{Type: "http-01", Status: "Valid", URI: "http://example.com/", Token: "token"})
+	}))
+	defer ts.Close()
+
+	privKey, _ := rsa.GenerateKey(rand.Reader, 512)
+	j := &jws{privKey: privKey, directoryURL: ts.URL}
+	ch := make(chan bool)
+	resultCh := make(chan bool)
+	go func() {
+		j.Nonce()
+		ch <- true
+	}()
+	go func() {
+		j.Nonce()
+		ch <- true
+	}()
+	go func() {
+		<-ch
+		<-ch
+		resultCh <- true
+	}()
+	select {
+	case <-resultCh:
+	case <-time.After(400 * time.Millisecond):
+		t.Fatal("JWS is probably holding a lock while making HTTP request")
+	}
+}
+
 func TestValidate(t *testing.T) {
 	var statuses []string
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -168,6 +202,43 @@ func TestValidate(t *testing.T) {
 	}
 }
 
+func TestGetChallenges(t *testing.T) {
+	var ts *httptest.Server
+	ts = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.Method {
+		case "GET", "HEAD":
+			w.Header().Add("Replay-Nonce", "12345")
+			w.Header().Add("Retry-After", "0")
+			writeJSONResponse(w, directory{NewAuthzURL: ts.URL, NewCertURL: ts.URL, NewRegURL: ts.URL, RevokeCertURL: ts.URL})
+		case "POST":
+			writeJSONResponse(w, authorization{})
+		}
+	}))
+	defer ts.Close()
+
+	keyBits := 512 // small value keeps test fast
+	keyType := RSA2048
+	key, err := rsa.GenerateKey(rand.Reader, keyBits)
+	if err != nil {
+		t.Fatal("Could not generate test key:", err)
+	}
+	user := mockUser{
+		email:      "test@test.com",
+		regres:     &RegistrationResource{NewAuthzURL: ts.URL},
+		privatekey: key,
+	}
+
+	client, err := NewClient(ts.URL, user, keyType)
+	if err != nil {
+		t.Fatalf("Could not create client: %v", err)
+	}
+
+	_, failures := client.getChallenges([]string{"example.com"})
+	if failures["example.com"] == nil {
+		t.Fatal("Expecting \"Server did not provide next link to proceed\" error, got nil")
+	}
+}
+
 // writeJSONResponse marshals the body as JSON and writes it to the response.
 func writeJSONResponse(w http.ResponseWriter, body interface{}) {
 	bs, err := json.Marshal(body)
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/crypto.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/crypto.go
index fc20442f7..fa868a90d 100644
--- a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/crypto.go
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/crypto.go
@@ -20,6 +20,8 @@ import (
 	"strings"
 	"time"
 
+	"encoding/asn1"
+
 	"golang.org/x/crypto/ocsp"
 )
 
@@ -47,6 +49,12 @@ const (
 	OCSPServerFailed = ocsp.ServerFailed
 )
 
+// Constants for OCSP must staple
+var (
+	tlsFeatureExtensionOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24}
+	ocspMustStapleFeature  = []byte{0x30, 0x03, 0x02, 0x01, 0x05}
+)
+
 // GetOCSPForCert takes a PEM encoded cert or cert bundle returning the raw OCSP response,
 // the parsed response, and an error, if any. The returned []byte can be passed directly
 // into the OCSPStaple property of a tls.Certificate. If the bundle only contains the
@@ -115,13 +123,6 @@ func GetOCSPForCert(bundle []byte) ([]byte, *ocsp.Response, error) {
 		return nil, nil, err
 	}
 
-	if ocspRes.Certificate == nil {
-		err = ocspRes.CheckSignatureFrom(issuerCert)
-		if err != nil {
-			return nil, nil, err
-		}
-	}
-
 	return ocspResBytes, ocspRes, nil
 }
 
@@ -213,7 +214,7 @@ func generatePrivateKey(keyType KeyType) (crypto.PrivateKey, error) {
 	return nil, fmt.Errorf("Invalid KeyType: %s", keyType)
 }
 
-func generateCsr(privateKey crypto.PrivateKey, domain string, san []string) ([]byte, error) {
+func generateCsr(privateKey crypto.PrivateKey, domain string, san []string, mustStaple bool) ([]byte, error) {
 	template := x509.CertificateRequest{
 		Subject: pkix.Name{
 			CommonName: domain,
@@ -224,6 +225,13 @@ func generateCsr(privateKey crypto.PrivateKey, domain string, san []string) ([]b
 		template.DNSNames = san
 	}
 
+	if mustStaple {
+		template.ExtraExtensions = append(template.ExtraExtensions, pkix.Extension{
+			Id:    tlsFeatureExtensionOID,
+			Value: ocspMustStapleFeature,
+		})
+	}
+
 	return x509.CreateCertificateRequest(rand.Reader, &template, privateKey)
 }
 
@@ -236,6 +244,9 @@ func pemEncode(data interface{}) []byte {
 	case *rsa.PrivateKey:
 		pemBlock = &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}
 		break
+	case *x509.CertificateRequest:
+		pemBlock = &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: key.Raw}
+		break
 	case derCertificateBytes:
 		pemBlock = &pem.Block{Type: "CERTIFICATE", Bytes: []byte(data.(derCertificateBytes))}
 	}
@@ -261,6 +272,19 @@ func pemDecodeTox509(pem []byte) (*x509.Certificate, error) {
 	return x509.ParseCertificate(pemBlock.Bytes)
 }
 
+func pemDecodeTox509CSR(pem []byte) (*x509.CertificateRequest, error) {
+	pemBlock, err := pemDecode(pem)
+	if pemBlock == nil {
+		return nil, err
+	}
+
+	if pemBlock.Type != "CERTIFICATE REQUEST" {
+		return nil, fmt.Errorf("PEM block is not a certificate request")
+	}
+
+	return x509.ParseCertificateRequest(pemBlock.Bytes)
+}
+
 // GetPEMCertExpiration returns the "NotAfter" date of a PEM encoded certificate.
 // The certificate has to be PEM encoded. Any other encodings like DER will fail.
 func GetPEMCertExpiration(cert []byte) (time.Time, error) {
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/crypto_test.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/crypto_test.go
index d2fc5088b..6f43835fb 100644
--- a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/crypto_test.go
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/crypto_test.go
@@ -24,7 +24,7 @@ func TestGenerateCSR(t *testing.T) {
 		t.Fatal("Error generating private key:", err)
 	}
 
-	csr, err := generateCsr(key, "fizz.buzz", nil)
+	csr, err := generateCsr(key, "fizz.buzz", nil, true)
 	if err != nil {
 		t.Error("Error generating CSR:", err)
 	}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/dns_challenge.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/dns_challenge.go
new file mode 100644
index 000000000..30f2170ff
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/dns_challenge.go
@@ -0,0 +1,305 @@
+package acme
+
+import (
+	"crypto/sha256"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"log"
+	"net"
+	"strings"
+	"time"
+
+	"github.com/miekg/dns"
+	"golang.org/x/net/publicsuffix"
+)
+
+type preCheckDNSFunc func(fqdn, value string) (bool, error)
+
+var (
+	// PreCheckDNS checks DNS propagation before notifying ACME that
+	// the DNS challenge is ready.
+	PreCheckDNS preCheckDNSFunc = checkDNSPropagation
+	fqdnToZone                  = map[string]string{}
+)
+
+const defaultResolvConf = "/etc/resolv.conf"
+
+var defaultNameservers = []string{
+	"google-public-dns-a.google.com:53",
+	"google-public-dns-b.google.com:53",
+}
+
+var RecursiveNameservers = getNameservers(defaultResolvConf, defaultNameservers)
+
+// DNSTimeout is used to override the default DNS timeout of 10 seconds.
+var DNSTimeout = 10 * time.Second
+
+// getNameservers attempts to get systems nameservers before falling back to the defaults
+func getNameservers(path string, defaults []string) []string {
+	config, err := dns.ClientConfigFromFile(path)
+	if err != nil || len(config.Servers) == 0 {
+		return defaults
+	}
+
+	systemNameservers := []string{}
+	for _, server := range config.Servers {
+		// ensure all servers have a port number
+		if _, _, err := net.SplitHostPort(server); err != nil {
+			systemNameservers = append(systemNameservers, net.JoinHostPort(server, "53"))
+		} else {
+			systemNameservers = append(systemNameservers, server)
+		}
+	}
+	return systemNameservers
+}
+
+// DNS01Record returns a DNS record which will fulfill the `dns-01` challenge
+func DNS01Record(domain, keyAuth string) (fqdn string, value string, ttl int) {
+	keyAuthShaBytes := sha256.Sum256([]byte(keyAuth))
+	// base64URL encoding without padding
+	keyAuthSha := base64.URLEncoding.EncodeToString(keyAuthShaBytes[:sha256.Size])
+	value = strings.TrimRight(keyAuthSha, "=")
+	ttl = 120
+	fqdn = fmt.Sprintf("_acme-challenge.%s.", domain)
+	return
+}
+
+// dnsChallenge implements the dns-01 challenge according to ACME 7.5
+type dnsChallenge struct {
+	jws      *jws
+	validate validateFunc
+	provider ChallengeProvider
+}
+
+func (s *dnsChallenge) Solve(chlng challenge, domain string) error {
+	logf("[INFO][%s] acme: Trying to solve DNS-01", domain)
+
+	if s.provider == nil {
+		return errors.New("No DNS Provider configured")
+	}
+
+	// Generate the Key Authorization for the challenge
+	keyAuth, err := getKeyAuthorization(chlng.Token, s.jws.privKey)
+	if err != nil {
+		return err
+	}
+
+	err = s.provider.Present(domain, chlng.Token, keyAuth)
+	if err != nil {
+		return fmt.Errorf("Error presenting token: %s", err)
+	}
+	defer func() {
+		err := s.provider.CleanUp(domain, chlng.Token, keyAuth)
+		if err != nil {
+			log.Printf("Error cleaning up %s: %v ", domain, err)
+		}
+	}()
+
+	fqdn, value, _ := DNS01Record(domain, keyAuth)
+
+	logf("[INFO][%s] Checking DNS record propagation using %+v", domain, RecursiveNameservers)
+
+	var timeout, interval time.Duration
+	switch provider := s.provider.(type) {
+	case ChallengeProviderTimeout:
+		timeout, interval = provider.Timeout()
+	default:
+		timeout, interval = 60*time.Second, 2*time.Second
+	}
+
+	err = WaitFor(timeout, interval, func() (bool, error) {
+		return PreCheckDNS(fqdn, value)
+	})
+	if err != nil {
+		return err
+	}
+
+	return s.validate(s.jws, domain, chlng.URI, challenge{Resource: "challenge", Type: chlng.Type, Token: chlng.Token, KeyAuthorization: keyAuth})
+}
+
+// checkDNSPropagation checks if the expected TXT record has been propagated to all authoritative nameservers.
+func checkDNSPropagation(fqdn, value string) (bool, error) {
+	// Initial attempt to resolve at the recursive NS
+	r, err := dnsQuery(fqdn, dns.TypeTXT, RecursiveNameservers, true)
+	if err != nil {
+		return false, err
+	}
+	if r.Rcode == dns.RcodeSuccess {
+		// If we see a CNAME here then use the alias
+		for _, rr := range r.Answer {
+			if cn, ok := rr.(*dns.CNAME); ok {
+				if cn.Hdr.Name == fqdn {
+					fqdn = cn.Target
+					break
+				}
+			}
+		}
+	}
+
+	authoritativeNss, err := lookupNameservers(fqdn)
+	if err != nil {
+		return false, err
+	}
+
+	return checkAuthoritativeNss(fqdn, value, authoritativeNss)
+}
+
+// checkAuthoritativeNss queries each of the given nameservers for the expected TXT record.
+func checkAuthoritativeNss(fqdn, value string, nameservers []string) (bool, error) {
+	for _, ns := range nameservers {
+		r, err := dnsQuery(fqdn, dns.TypeTXT, []string{net.JoinHostPort(ns, "53")}, false)
+		if err != nil {
+			return false, err
+		}
+
+		if r.Rcode != dns.RcodeSuccess {
+			return false, fmt.Errorf("NS %s returned %s for %s", ns, dns.RcodeToString[r.Rcode], fqdn)
+		}
+
+		var found bool
+		for _, rr := range r.Answer {
+			if txt, ok := rr.(*dns.TXT); ok {
+				if strings.Join(txt.Txt, "") == value {
+					found = true
+					break
+				}
+			}
+		}
+
+		if !found {
+			return false, fmt.Errorf("NS %s did not return the expected TXT record", ns)
+		}
+	}
+
+	return true, nil
+}
+
+// dnsQuery will query a nameserver, iterating through the supplied servers as it retries
+// The nameserver should include a port, to facilitate testing where we talk to a mock dns server.
+func dnsQuery(fqdn string, rtype uint16, nameservers []string, recursive bool) (in *dns.Msg, err error) {
+	m := new(dns.Msg)
+	m.SetQuestion(fqdn, rtype)
+	m.SetEdns0(4096, false)
+
+	if !recursive {
+		m.RecursionDesired = false
+	}
+
+	// Will retry the request based on the number of servers (n+1)
+	for i := 1; i <= len(nameservers)+1; i++ {
+		ns := nameservers[i%len(nameservers)]
+		udp := &dns.Client{Net: "udp", Timeout: DNSTimeout}
+		in, _, err = udp.Exchange(m, ns)
+
+		if err == dns.ErrTruncated {
+			tcp := &dns.Client{Net: "tcp", Timeout: DNSTimeout}
+			// If the TCP request suceeds, the err will reset to nil
+			in, _, err = tcp.Exchange(m, ns)
+		}
+
+		if err == nil {
+			break
+		}
+	}
+	return
+}
+
+// lookupNameservers returns the authoritative nameservers for the given fqdn.
+func lookupNameservers(fqdn string) ([]string, error) {
+	var authoritativeNss []string
+
+	zone, err := FindZoneByFqdn(fqdn, RecursiveNameservers)
+	if err != nil {
+		return nil, fmt.Errorf("Could not determine the zone: %v", err)
+	}
+
+	r, err := dnsQuery(zone, dns.TypeNS, RecursiveNameservers, true)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, rr := range r.Answer {
+		if ns, ok := rr.(*dns.NS); ok {
+			authoritativeNss = append(authoritativeNss, strings.ToLower(ns.Ns))
+		}
+	}
+
+	if len(authoritativeNss) > 0 {
+		return authoritativeNss, nil
+	}
+	return nil, fmt.Errorf("Could not determine authoritative nameservers")
+}
+
+// FindZoneByFqdn determines the zone apex for the given fqdn by recursing up the
+// domain labels until the nameserver returns a SOA record in the answer section.
+func FindZoneByFqdn(fqdn string, nameservers []string) (string, error) {
+	// Do we have it cached?
+	if zone, ok := fqdnToZone[fqdn]; ok {
+		return zone, nil
+	}
+
+	labelIndexes := dns.Split(fqdn)
+	for _, index := range labelIndexes {
+		domain := fqdn[index:]
+		// Give up if we have reached the TLD
+		if isTLD(domain) {
+			break
+		}
+
+		in, err := dnsQuery(domain, dns.TypeSOA, nameservers, true)
+		if err != nil {
+			return "", err
+		}
+
+		// Any response code other than NOERROR and NXDOMAIN is treated as error
+		if in.Rcode != dns.RcodeNameError && in.Rcode != dns.RcodeSuccess {
+			return "", fmt.Errorf("Unexpected response code '%s' for %s",
+				dns.RcodeToString[in.Rcode], domain)
+		}
+
+		// Check if we got a SOA RR in the answer section
+		if in.Rcode == dns.RcodeSuccess {
+			for _, ans := range in.Answer {
+				if soa, ok := ans.(*dns.SOA); ok {
+					zone := soa.Hdr.Name
+					fqdnToZone[fqdn] = zone
+					return zone, nil
+				}
+			}
+		}
+	}
+
+	return "", fmt.Errorf("Could not find the start of authority")
+}
+
+func isTLD(domain string) bool {
+	publicsuffix, _ := publicsuffix.PublicSuffix(UnFqdn(domain))
+	if publicsuffix == UnFqdn(domain) {
+		return true
+	}
+	return false
+}
+
+// ClearFqdnCache clears the cache of fqdn to zone mappings. Primarily used in testing.
+func ClearFqdnCache() {
+	fqdnToZone = map[string]string{}
+}
+
+// ToFqdn converts the name into a fqdn appending a trailing dot.
+func ToFqdn(name string) string {
+	n := len(name)
+	if n == 0 || name[n-1] == '.' {
+		return name
+	}
+	return name + "."
+}
+
+// UnFqdn converts the fqdn into a name removing the trailing dot.
+func UnFqdn(name string) string {
+	n := len(name)
+	if n != 0 && name[n-1] == '.' {
+		return name[:n-1]
+	}
+	return name
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/dns_challenge_manual.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/dns_challenge_manual.go
new file mode 100644
index 000000000..240384e60
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/dns_challenge_manual.go
@@ -0,0 +1,53 @@
+package acme
+
+import (
+	"bufio"
+	"fmt"
+	"os"
+)
+
+const (
+	dnsTemplate = "%s %d IN TXT \"%s\""
+)
+
+// DNSProviderManual is an implementation of the ChallengeProvider interface
+type DNSProviderManual struct{}
+
+// NewDNSProviderManual returns a DNSProviderManual instance.
+func NewDNSProviderManual() (*DNSProviderManual, error) {
+	return &DNSProviderManual{}, nil
+}
+
+// Present prints instructions for manually creating the TXT record
+func (*DNSProviderManual) Present(domain, token, keyAuth string) error {
+	fqdn, value, ttl := DNS01Record(domain, keyAuth)
+	dnsRecord := fmt.Sprintf(dnsTemplate, fqdn, ttl, value)
+
+	authZone, err := FindZoneByFqdn(fqdn, RecursiveNameservers)
+	if err != nil {
+		return err
+	}
+
+	logf("[INFO] acme: Please create the following TXT record in your %s zone:", authZone)
+	logf("[INFO] acme: %s", dnsRecord)
+	logf("[INFO] acme: Press 'Enter' when you are done")
+
+	reader := bufio.NewReader(os.Stdin)
+	_, _ = reader.ReadString('\n')
+	return nil
+}
+
+// CleanUp prints instructions for manually removing the TXT record
+func (*DNSProviderManual) CleanUp(domain, token, keyAuth string) error {
+	fqdn, _, ttl := DNS01Record(domain, keyAuth)
+	dnsRecord := fmt.Sprintf(dnsTemplate, fqdn, ttl, "...")
+
+	authZone, err := FindZoneByFqdn(fqdn, RecursiveNameservers)
+	if err != nil {
+		return err
+	}
+
+	logf("[INFO] acme: You can now remove this TXT record from your %s zone:", authZone)
+	logf("[INFO] acme: %s", dnsRecord)
+	return nil
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/dns_challenge_test.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/dns_challenge_test.go
new file mode 100644
index 000000000..597aaac17
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/dns_challenge_test.go
@@ -0,0 +1,206 @@
+package acme
+
+import (
+	"bufio"
+	"crypto/rand"
+	"crypto/rsa"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"reflect"
+	"sort"
+	"strings"
+	"testing"
+	"time"
+)
+
+var lookupNameserversTestsOK = []struct {
+	fqdn string
+	nss  []string
+}{
+	{"books.google.com.ng.",
+		[]string{"ns1.google.com.", "ns2.google.com.", "ns3.google.com.", "ns4.google.com."},
+	},
+	{"www.google.com.",
+		[]string{"ns1.google.com.", "ns2.google.com.", "ns3.google.com.", "ns4.google.com."},
+	},
+	{"physics.georgetown.edu.",
+		[]string{"ns1.georgetown.edu.", "ns2.georgetown.edu.", "ns3.georgetown.edu."},
+	},
+}
+
+var lookupNameserversTestsErr = []struct {
+	fqdn  string
+	error string
+}{
+	// invalid tld
+	{"_null.n0n0.",
+		"Could not determine the zone",
+	},
+	// invalid domain
+	{"_null.com.",
+		"Could not determine the zone",
+	},
+	// invalid domain
+	{"in-valid.co.uk.",
+		"Could not determine the zone",
+	},
+}
+
+var findZoneByFqdnTests = []struct {
+	fqdn string
+	zone string
+}{
+	{"mail.google.com.", "google.com."}, // domain is a CNAME
+	{"foo.google.com.", "google.com."},  // domain is a non-existent subdomain
+}
+
+var checkAuthoritativeNssTests = []struct {
+	fqdn, value string
+	ns          []string
+	ok          bool
+}{
+	// TXT RR w/ expected value
+	{"8.8.8.8.asn.routeviews.org.", "151698.8.8.024", []string{"asnums.routeviews.org."},
+		true,
+	},
+	// No TXT RR
+	{"ns1.google.com.", "", []string{"ns2.google.com."},
+		false,
+	},
+}
+
+var checkAuthoritativeNssTestsErr = []struct {
+	fqdn, value string
+	ns          []string
+	error       string
+}{
+	// TXT RR /w unexpected value
+	{"8.8.8.8.asn.routeviews.org.", "fe01=", []string{"asnums.routeviews.org."},
+		"did not return the expected TXT record",
+	},
+	// No TXT RR
+	{"ns1.google.com.", "fe01=", []string{"ns2.google.com."},
+		"did not return the expected TXT record",
+	},
+}
+
+var checkResolvConfServersTests = []struct {
+	fixture  string
+	expected []string
+	defaults []string
+}{
+	{"testdata/resolv.conf.1", []string{"10.200.3.249:53", "10.200.3.250:5353", "[2001:4860:4860::8844]:53", "[10.0.0.1]:5353"}, []string{"127.0.0.1:53"}},
+	{"testdata/resolv.conf.nonexistant", []string{"127.0.0.1:53"}, []string{"127.0.0.1:53"}},
+}
+
+func TestDNSValidServerResponse(t *testing.T) {
+	PreCheckDNS = func(fqdn, value string) (bool, error) {
+		return true, nil
+	}
+	privKey, _ := rsa.GenerateKey(rand.Reader, 512)
+
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Add("Replay-Nonce", "12345")
+		w.Write([]byte("{\"type\":\"dns01\",\"status\":\"valid\",\"uri\":\"http://some.url\",\"token\":\"http8\"}"))
+	}))
+
+	manualProvider, _ := NewDNSProviderManual()
+	jws := &jws{privKey: privKey, directoryURL: ts.URL}
+	solver := &dnsChallenge{jws: jws, validate: validate, provider: manualProvider}
+	clientChallenge := challenge{Type: "dns01", Status: "pending", URI: ts.URL, Token: "http8"}
+
+	go func() {
+		time.Sleep(time.Second * 2)
+		f := bufio.NewWriter(os.Stdout)
+		defer f.Flush()
+		f.WriteString("\n")
+	}()
+
+	if err := solver.Solve(clientChallenge, "example.com"); err != nil {
+		t.Errorf("VALID: Expected Solve to return no error but the error was -> %v", err)
+	}
+}
+
+func TestPreCheckDNS(t *testing.T) {
+	ok, err := PreCheckDNS("acme-staging.api.letsencrypt.org", "fe01=")
+	if err != nil || !ok {
+		t.Errorf("preCheckDNS failed for acme-staging.api.letsencrypt.org")
+	}
+}
+
+func TestLookupNameserversOK(t *testing.T) {
+	for _, tt := range lookupNameserversTestsOK {
+		nss, err := lookupNameservers(tt.fqdn)
+		if err != nil {
+			t.Fatalf("#%s: got %q; want nil", tt.fqdn, err)
+		}
+
+		sort.Strings(nss)
+		sort.Strings(tt.nss)
+
+		if !reflect.DeepEqual(nss, tt.nss) {
+			t.Errorf("#%s: got %v; want %v", tt.fqdn, nss, tt.nss)
+		}
+	}
+}
+
+func TestLookupNameserversErr(t *testing.T) {
+	for _, tt := range lookupNameserversTestsErr {
+		_, err := lookupNameservers(tt.fqdn)
+		if err == nil {
+			t.Fatalf("#%s: expected %q (error); got <nil>", tt.fqdn, tt.error)
+		}
+
+		if !strings.Contains(err.Error(), tt.error) {
+			t.Errorf("#%s: expected %q (error); got %q", tt.fqdn, tt.error, err)
+			continue
+		}
+	}
+}
+
+func TestFindZoneByFqdn(t *testing.T) {
+	for _, tt := range findZoneByFqdnTests {
+		res, err := FindZoneByFqdn(tt.fqdn, RecursiveNameservers)
+		if err != nil {
+			t.Errorf("FindZoneByFqdn failed for %s: %v", tt.fqdn, err)
+		}
+		if res != tt.zone {
+			t.Errorf("%s: got %s; want %s", tt.fqdn, res, tt.zone)
+		}
+	}
+}
+
+func TestCheckAuthoritativeNss(t *testing.T) {
+	for _, tt := range checkAuthoritativeNssTests {
+		ok, _ := checkAuthoritativeNss(tt.fqdn, tt.value, tt.ns)
+		if ok != tt.ok {
+			t.Errorf("%s: got %t; want %t", tt.fqdn, ok, tt.ok)
+		}
+	}
+}
+
+func TestCheckAuthoritativeNssErr(t *testing.T) {
+	for _, tt := range checkAuthoritativeNssTestsErr {
+		_, err := checkAuthoritativeNss(tt.fqdn, tt.value, tt.ns)
+		if err == nil {
+			t.Fatalf("#%s: expected %q (error); got <nil>", tt.fqdn, tt.error)
+		}
+		if !strings.Contains(err.Error(), tt.error) {
+			t.Errorf("#%s: expected %q (error); got %q", tt.fqdn, tt.error, err)
+			continue
+		}
+	}
+}
+
+func TestResolveConfServers(t *testing.T) {
+	for _, tt := range checkResolvConfServersTests {
+		result := getNameservers(tt.fixture, tt.defaults)
+
+		sort.Strings(result)
+		sort.Strings(tt.expected)
+		if !reflect.DeepEqual(result, tt.expected) {
+			t.Errorf("#%s: expected %q; got %q", tt.fixture, tt.expected, result)
+		}
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/error.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/error.go
index b32561a3a..e4bc934c2 100644
--- a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/error.go
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/error.go
@@ -3,12 +3,14 @@ package acme
 import (
 	"encoding/json"
 	"fmt"
+	"io/ioutil"
 	"net/http"
 	"strings"
 )
 
 const (
 	tosAgreementError = "Must agree to subscriber agreement before any further actions"
+	invalidNonceError = "JWS has invalid anti-replay nonce"
 )
 
 // RemoteError is the base type for all errors specific to the ACME protocol.
@@ -29,6 +31,12 @@ type TOSError struct {
 	RemoteError
 }
 
+// NonceError represents the error which is returned if the
+// nonce sent by the client was not accepted by the server.
+type NonceError struct {
+	RemoteError
+}
+
 type domainError struct {
 	Domain string
 	Error  error
@@ -52,10 +60,19 @@ func (c challengeError) Error() string {
 
 func handleHTTPError(resp *http.Response) error {
 	var errorDetail RemoteError
-	decoder := json.NewDecoder(resp.Body)
-	err := decoder.Decode(&errorDetail)
-	if err != nil {
-		return err
+
+	contentType := resp.Header.Get("Content-Type")
+	if contentType == "application/json" || contentType == "application/problem+json" {
+		err := json.NewDecoder(resp.Body).Decode(&errorDetail)
+		if err != nil {
+			return err
+		}
+	} else {
+		detailBytes, err := ioutil.ReadAll(limitReader(resp.Body, maxBodySize))
+		if err != nil {
+			return err
+		}
+		errorDetail.Detail = string(detailBytes)
 	}
 
 	errorDetail.StatusCode = resp.StatusCode
@@ -65,6 +82,10 @@ func handleHTTPError(resp *http.Response) error {
 		return TOSError{errorDetail}
 	}
 
+	if errorDetail.StatusCode == http.StatusBadRequest && strings.HasPrefix(errorDetail.Detail, invalidNonceError) {
+		return NonceError{errorDetail}
+	}
+
 	return errorDetail
 }
 
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/http.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/http.go
index 410aead6d..a858b5a75 100644
--- a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/http.go
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/http.go
@@ -14,8 +14,8 @@ import (
 // UserAgent (if non-empty) will be tacked onto the User-Agent string in requests.
 var UserAgent string
 
-// defaultClient is an HTTP client with a reasonable timeout value.
-var defaultClient = http.Client{Timeout: 10 * time.Second}
+// HTTPClient is an HTTP client with a reasonable timeout value.
+var HTTPClient = http.Client{Timeout: 10 * time.Second}
 
 const (
 	// defaultGoUserAgent is the Go HTTP package user agent string. Too
@@ -31,14 +31,14 @@ const (
 func httpHead(url string) (resp *http.Response, err error) {
 	req, err := http.NewRequest("HEAD", url, nil)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to head %q: %v", url, err)
 	}
 
 	req.Header.Set("User-Agent", userAgent())
 
-	resp, err = defaultClient.Do(req)
+	resp, err = HTTPClient.Do(req)
 	if err != nil {
-		return resp, err
+		return resp, fmt.Errorf("failed to do head %q: %v", url, err)
 	}
 	resp.Body.Close()
 	return resp, err
@@ -49,12 +49,12 @@ func httpHead(url string) (resp *http.Response, err error) {
 func httpPost(url string, bodyType string, body io.Reader) (resp *http.Response, err error) {
 	req, err := http.NewRequest("POST", url, body)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to post %q: %v", url, err)
 	}
 	req.Header.Set("Content-Type", bodyType)
 	req.Header.Set("User-Agent", userAgent())
 
-	return defaultClient.Do(req)
+	return HTTPClient.Do(req)
 }
 
 // httpGet performs a GET request with a proper User-Agent string.
@@ -62,11 +62,11 @@ func httpPost(url string, bodyType string, body io.Reader) (resp *http.Response,
 func httpGet(url string) (resp *http.Response, err error) {
 	req, err := http.NewRequest("GET", url, nil)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to get %q: %v", url, err)
 	}
 	req.Header.Set("User-Agent", userAgent())
 
-	return defaultClient.Do(req)
+	return HTTPClient.Do(req)
 }
 
 // getJSON performs an HTTP GET request and parses the response body
@@ -74,7 +74,7 @@ func httpGet(url string) (resp *http.Response, err error) {
 func getJSON(uri string, respBody interface{}) (http.Header, error) {
 	resp, err := httpGet(uri)
 	if err != nil {
-		return nil, fmt.Errorf("failed to get %q: %v", uri, err)
+		return nil, fmt.Errorf("failed to get json %q: %v", uri, err)
 	}
 	defer resp.Body.Close()
 
@@ -97,10 +97,41 @@ func postJSON(j *jws, uri string, reqBody, respBody interface{}) (http.Header, e
 	if err != nil {
 		return nil, fmt.Errorf("Failed to post JWS message. -> %v", err)
 	}
+
 	defer resp.Body.Close()
 
 	if resp.StatusCode >= http.StatusBadRequest {
-		return resp.Header, handleHTTPError(resp)
+
+		err := handleHTTPError(resp)
+
+		switch err.(type) {
+
+		case NonceError:
+
+			// Retry once if the nonce was invalidated
+
+			retryResp, err := j.post(uri, jsonBytes)
+			if err != nil {
+				return nil, fmt.Errorf("Failed to post JWS message. -> %v", err)
+			}
+
+			defer retryResp.Body.Close()
+
+			if retryResp.StatusCode >= http.StatusBadRequest {
+				return retryResp.Header, handleHTTPError(retryResp)
+			}
+
+			if respBody == nil {
+				return retryResp.Header, nil
+			}
+
+			return retryResp.Header, json.NewDecoder(retryResp.Body).Decode(respBody)
+
+		default:
+			return resp.Header, err
+
+		}
+
 	}
 
 	if respBody == nil {
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/http_challenge_server.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/http_challenge_server.go
index 42541380c..64c6a8280 100644
--- a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/http_challenge_server.go
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/http_challenge_server.go
@@ -63,7 +63,7 @@ func (s *HTTPProviderServer) serve(domain, token, keyAuth string) {
 			w.Write([]byte(keyAuth))
 			logf("[INFO][%s] Served key authentication", domain)
 		} else {
-			logf("[INFO] Received request for domain %s with method %s", r.Host, r.Method)
+			logf("[WARN] Received request for domain %s with method %s but the domain did not match any challenge. Please ensure your are passing the HOST header properly.", r.Host, r.Method)
 			w.Write([]byte("TEST"))
 		}
 	})
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/http_challenge_test.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/http_challenge_test.go
index fdd8f4d27..7400f56d4 100644
--- a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/http_challenge_test.go
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/http_challenge_test.go
@@ -51,7 +51,7 @@ func TestHTTPChallengeInvalidPort(t *testing.T) {
 
 	if err := solver.Solve(clientChallenge, "localhost:123456"); err == nil {
 		t.Errorf("Solve error: got %v, want error", err)
-	} else if want := "invalid port 123456"; !strings.HasSuffix(err.Error(), want) {
+	} else if want, want18 := "invalid port 123456", "123456: invalid port"; !strings.HasSuffix(err.Error(), want) && !strings.HasSuffix(err.Error(), want18) {
 		t.Errorf("Solve error: got %q, want suffix %q", err.Error(), want)
 	}
 }
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/jws.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/jws.go
index 8435d0cfc..a39434342 100644
--- a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/jws.go
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/jws.go
@@ -8,6 +8,7 @@ import (
 	"crypto/rsa"
 	"fmt"
 	"net/http"
+	"sync"
 
 	"gopkg.in/square/go-jose.v1"
 )
@@ -15,7 +16,7 @@ import (
 type jws struct {
 	directoryURL string
 	privKey      crypto.PrivateKey
-	nonces       []string
+	nonces       nonceManager
 }
 
 func keyAsJWK(key interface{}) *jose.JsonWebKey {
@@ -30,21 +31,26 @@ func keyAsJWK(key interface{}) *jose.JsonWebKey {
 	}
 }
 
-// Posts a JWS signed message to the specified URL
+// Posts a JWS signed message to the specified URL.
+// It does NOT close the response body, so the caller must
+// do that if no error was returned.
 func (j *jws) post(url string, content []byte) (*http.Response, error) {
 	signedContent, err := j.signContent(content)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("Failed to sign content -> %s", err.Error())
 	}
 
 	resp, err := httpPost(url, "application/jose+json", bytes.NewBuffer([]byte(signedContent.FullSerialize())))
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("Failed to HTTP POST to %s -> %s", url, err.Error())
 	}
 
-	j.getNonceFromResponse(resp)
+	nonce, nonceErr := getNonceFromResponse(resp)
+	if nonceErr == nil {
+		j.nonces.Push(nonce)
+	}
 
-	return resp, err
+	return resp, nil
 }
 
 func (j *jws) signContent(content []byte) (*jose.JsonWebSignature, error) {
@@ -63,45 +69,63 @@ func (j *jws) signContent(content []byte) (*jose.JsonWebSignature, error) {
 
 	signer, err := jose.NewSigner(alg, j.privKey)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("Failed to create jose signer -> %s", err.Error())
 	}
 	signer.SetNonceSource(j)
 
 	signed, err := signer.Sign(content)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("Failed to sign content -> %s", err.Error())
 	}
 	return signed, nil
 }
 
-func (j *jws) getNonceFromResponse(resp *http.Response) error {
-	nonce := resp.Header.Get("Replay-Nonce")
-	if nonce == "" {
-		return fmt.Errorf("Server did not respond with a proper nonce header.")
+func (j *jws) Nonce() (string, error) {
+	if nonce, ok := j.nonces.Pop(); ok {
+		return nonce, nil
 	}
 
-	j.nonces = append(j.nonces, nonce)
-	return nil
+	return getNonce(j.directoryURL)
 }
 
-func (j *jws) getNonce() error {
-	resp, err := httpHead(j.directoryURL)
+type nonceManager struct {
+	nonces []string
+	sync.Mutex
+}
+
+func (n *nonceManager) Pop() (string, bool) {
+	n.Lock()
+	defer n.Unlock()
+
+	if len(n.nonces) == 0 {
+		return "", false
+	}
+
+	nonce := n.nonces[len(n.nonces)-1]
+	n.nonces = n.nonces[:len(n.nonces)-1]
+	return nonce, true
+}
+
+func (n *nonceManager) Push(nonce string) {
+	n.Lock()
+	defer n.Unlock()
+	n.nonces = append(n.nonces, nonce)
+}
+
+func getNonce(url string) (string, error) {
+	resp, err := httpHead(url)
 	if err != nil {
-		return err
+		return "", fmt.Errorf("Failed to get nonce from HTTP HEAD -> %s", err.Error())
 	}
 
-	return j.getNonceFromResponse(resp)
+	return getNonceFromResponse(resp)
 }
 
-func (j *jws) Nonce() (string, error) {
-	nonce := ""
-	if len(j.nonces) == 0 {
-		err := j.getNonce()
-		if err != nil {
-			return nonce, err
-		}
+func getNonceFromResponse(resp *http.Response) (string, error) {
+	nonce := resp.Header.Get("Replay-Nonce")
+	if nonce == "" {
+		return "", fmt.Errorf("Server did not respond with a proper nonce header.")
 	}
 
-	nonce, j.nonces = j.nonces[len(j.nonces)-1], j.nonces[:len(j.nonces)-1]
 	return nonce, nil
 }
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/messages.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/messages.go
index d1fac9200..79ccf154e 100644
--- a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/messages.go
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/messages.go
@@ -13,16 +13,10 @@ type directory struct {
 	RevokeCertURL string `json:"revoke-cert"`
 }
 
-type recoveryKeyMessage struct {
-	Length int             `json:"length,omitempty"`
-	Client jose.JsonWebKey `json:"client,omitempty"`
-	Server jose.JsonWebKey `json:"client,omitempty"`
-}
-
 type registrationMessage struct {
 	Resource string   `json:"resource"`
 	Contact  []string `json:"contact"`
-	//	RecoveryKey recoveryKeyMessage `json:"recoveryKey,omitempty"`
+	Delete   bool     `json:"delete,omitempty"`
 }
 
 // Registration is returned by the ACME server after the registration
@@ -35,7 +29,6 @@ type Registration struct {
 	Agreement      string          `json:"agreement,omitempty"`
 	Authorizations string          `json:"authorizations,omitempty"`
 	Certificates   string          `json:"certificates,omitempty"`
-	//	RecoveryKey    recoveryKeyMessage `json:"recoveryKey,omitempty"`
 }
 
 // RegistrationResource represents all important informations about a registration
@@ -100,16 +93,23 @@ type revokeCertMessage struct {
 	Certificate string `json:"certificate"`
 }
 
+type deactivateAuthMessage struct {
+	Resource string `json:"resource,omitempty"`
+	Status   string `jsom:"status"`
+}
+
 // CertificateResource represents a CA issued certificate.
-// PrivateKey and Certificate are both already PEM encoded
-// and can be directly written to disk. Certificate may
-// be a certificate bundle, depending on the options supplied
-// to create it.
+// PrivateKey, Certificate and IssuerCertificate are all
+// already PEM encoded and can be directly written to disk.
+// Certificate may be a certificate bundle, depending on the
+// options supplied to create it.
 type CertificateResource struct {
-	Domain        string `json:"domain"`
-	CertURL       string `json:"certUrl"`
-	CertStableURL string `json:"certStableUrl"`
-	AccountRef    string `json:"accountRef,omitempty"`
-	PrivateKey    []byte `json:"-"`
-	Certificate   []byte `json:"-"`
+	Domain            string `json:"domain"`
+	CertURL           string `json:"certUrl"`
+	CertStableURL     string `json:"certStableUrl"`
+	AccountRef        string `json:"accountRef,omitempty"`
+	PrivateKey        []byte `json:"-"`
+	Certificate       []byte `json:"-"`
+	IssuerCertificate []byte `json:"-"`
+	CSR               []byte `json:"-"`
 }
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/pop_challenge.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/pop_challenge.go
new file mode 100644
index 000000000..8d2a213b0
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/pop_challenge.go
@@ -0,0 +1 @@
+package acme
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/testdata/resolv.conf.1 b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/testdata/resolv.conf.1
new file mode 100644
index 000000000..3098f99b5
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/testdata/resolv.conf.1
@@ -0,0 +1,5 @@
+domain company.com
+nameserver 10.200.3.249
+nameserver 10.200.3.250:5353
+nameserver 2001:4860:4860::8844
+nameserver [10.0.0.1]:5353
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/tls_sni_challenge.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/tls_sni_challenge.go
index f184b17a5..34383cbfa 100644
--- a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/tls_sni_challenge.go
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/tls_sni_challenge.go
@@ -41,7 +41,7 @@ func (t *tlsSNIChallenge) Solve(chlng challenge, domain string) error {
 }
 
 // TLSSNI01ChallengeCert returns a certificate and target domain for the `tls-sni-01` challenge
-func TLSSNI01ChallengeCertDomain(keyAuth string) (tls.Certificate, string, error) {
+func TLSSNI01ChallengeCert(keyAuth string) (tls.Certificate, string, error) {
 	// generate a new RSA key for the certificates
 	tempPrivKey, err := generatePrivateKey(RSA2048)
 	if err != nil {
@@ -65,9 +65,3 @@ func TLSSNI01ChallengeCertDomain(keyAuth string) (tls.Certificate, string, error
 
 	return certificate, domain, nil
 }
-
-// TLSSNI01ChallengeCert returns a certificate for the `tls-sni-01` challenge
-func TLSSNI01ChallengeCert(keyAuth string) (tls.Certificate, error) {
-	cert, _, err := TLSSNI01ChallengeCertDomain(keyAuth)
-	return cert, err
-}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/tls_sni_challenge_server.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/tls_sni_challenge_server.go
index faaf16f6b..df00fbb5a 100644
--- a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/tls_sni_challenge_server.go
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/tls_sni_challenge_server.go
@@ -30,7 +30,7 @@ func (s *TLSProviderServer) Present(domain, token, keyAuth string) error {
 		s.port = "443"
 	}
 
-	cert, err := TLSSNI01ChallengeCert(keyAuth)
+	cert, _, err := TLSSNI01ChallengeCert(keyAuth)
 	if err != nil {
 		return err
 	}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/tls_sni_challenge_test.go b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/tls_sni_challenge_test.go
index 3aec74565..83b2833a9 100644
--- a/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/tls_sni_challenge_test.go
+++ b/vendor/github.com/rsc/letsencrypt/vendor/github.com/xenolf/lego/acme/tls_sni_challenge_test.go
@@ -59,7 +59,7 @@ func TestTLSSNIChallengeInvalidPort(t *testing.T) {
 
 	if err := solver.Solve(clientChallenge, "localhost:123456"); err == nil {
 		t.Errorf("Solve error: got %v, want error", err)
-	} else if want := "invalid port 123456"; !strings.HasSuffix(err.Error(), want) {
+	} else if want, want18 := "invalid port 123456", "123456: invalid port"; !strings.HasSuffix(err.Error(), want) && !strings.HasSuffix(err.Error(), want18) {
 		t.Errorf("Solve error: got %q, want suffix %q", err.Error(), want)
 	}
 }
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/.gitattributes b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/.gitattributes
new file mode 100644
index 000000000..d2f212e5d
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/.gitattributes
@@ -0,0 +1,10 @@
+# Treat all files in this repo as binary, with no git magic updating
+# line endings. Windows users contributing to Go will need to use a
+# modern version of git and editors capable of LF line endings.
+#
+# We'll prevent accidental CRLF line endings from entering the repo
+# via the git-review gofmt checks.
+#
+# See golang.org/issue/9281
+
+* -text
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/.gitignore b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/.gitignore
new file mode 100644
index 000000000..8339fd61d
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/.gitignore
@@ -0,0 +1,2 @@
+# Add no patterns to .hgignore except for files generated by the build.
+last-change
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/AUTHORS b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/AUTHORS
new file mode 100644
index 000000000..15167cd74
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/AUTHORS
@@ -0,0 +1,3 @@
+# This source code refers to The Go Authors for copyright purposes.
+# The master list of authors is in the main Go distribution,
+# visible at http://tip.golang.org/AUTHORS.
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/CONTRIBUTING.md b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/CONTRIBUTING.md
new file mode 100644
index 000000000..88dff59bc
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/CONTRIBUTING.md
@@ -0,0 +1,31 @@
+# Contributing to Go
+
+Go is an open source project.
+
+It is the work of hundreds of contributors. We appreciate your help!
+
+
+## Filing issues
+
+When [filing an issue](https://golang.org/issue/new), make sure to answer these five questions:
+
+1. What version of Go are you using (`go version`)?
+2. What operating system and processor architecture are you using?
+3. What did you do?
+4. What did you expect to see?
+5. What did you see instead?
+
+General questions should go to the [golang-nuts mailing list](https://groups.google.com/group/golang-nuts) instead of the issue tracker.
+The gophers there will answer or ask you to file an issue if you've tripped over a bug.
+
+## Contributing code
+
+Please read the [Contribution Guidelines](https://golang.org/doc/contribute.html)
+before sending patches.
+
+**We do not accept GitHub pull requests**
+(we use [Gerrit](https://code.google.com/p/gerrit/) instead for code review).
+
+Unless otherwise noted, the Go source files are distributed under
+the BSD-style license found in the LICENSE file.
+
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/CONTRIBUTORS b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/CONTRIBUTORS
new file mode 100644
index 000000000..1c4577e96
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/CONTRIBUTORS
@@ -0,0 +1,3 @@
+# This source code was written by the Go contributors.
+# The master list of contributors is in the main Go distribution,
+# visible at http://tip.golang.org/CONTRIBUTORS.
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/LICENSE b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/LICENSE
new file mode 100644
index 000000000..6a66aea5e
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/LICENSE
@@ -0,0 +1,27 @@
+Copyright (c) 2009 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/PATENTS b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/PATENTS
new file mode 100644
index 000000000..733099041
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/PATENTS
@@ -0,0 +1,22 @@
+Additional IP Rights Grant (Patents)
+
+"This implementation" means the copyrightable works distributed by
+Google as part of the Go project.
+
+Google hereby grants to You a perpetual, worldwide, non-exclusive,
+no-charge, royalty-free, irrevocable (except as stated in this section)
+patent license to make, have made, use, offer to sell, sell, import,
+transfer and otherwise run, modify and propagate the contents of this
+implementation of Go, where such license applies only to those patent
+claims, both currently owned or controlled by Google and acquired in
+the future, licensable by Google that are necessarily infringed by this
+implementation of Go.  This grant does not include claims that would be
+infringed only as a consequence of further modification of this
+implementation.  If you or your agent or exclusive licensee institute or
+order or agree to the institution of patent litigation against any
+entity (including a cross-claim or counterclaim in a lawsuit) alleging
+that this implementation of Go or any code incorporated within this
+implementation of Go constitutes direct or contributory patent
+infringement, or inducement of patent infringement, then any patent
+rights granted to you under this License for this implementation of Go
+shall terminate as of the date such litigation is filed.
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/README b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/README
new file mode 100644
index 000000000..f1e0cbf94
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/README
@@ -0,0 +1,3 @@
+This repository holds supplementary Go cryptography libraries.
+
+To submit changes to this repository, see http://golang.org/doc/contribute.html.
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/codereview.cfg b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/codereview.cfg
new file mode 100644
index 000000000..3f8b14b64
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/codereview.cfg
@@ -0,0 +1 @@
+issuerepo: golang/go
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/ocsp/ocsp.go b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/ocsp/ocsp.go
new file mode 100644
index 000000000..6bd347e28
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/ocsp/ocsp.go
@@ -0,0 +1,778 @@
+// Copyright 2013 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package ocsp parses OCSP responses as specified in RFC 2560. OCSP responses
+// are signed messages attesting to the validity of a certificate for a small
+// period of time. This is used to manage revocation for X.509 certificates.
+package ocsp // import "golang.org/x/crypto/ocsp"
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/rsa"
+	_ "crypto/sha1"
+	_ "crypto/sha256"
+	_ "crypto/sha512"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/asn1"
+	"errors"
+	"fmt"
+	"math/big"
+	"strconv"
+	"time"
+)
+
+var idPKIXOCSPBasic = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 5, 5, 7, 48, 1, 1})
+
+// ResponseStatus contains the result of an OCSP request. See
+// https://tools.ietf.org/html/rfc6960#section-2.3
+type ResponseStatus int
+
+const (
+	Success       ResponseStatus = 0
+	Malformed     ResponseStatus = 1
+	InternalError ResponseStatus = 2
+	TryLater      ResponseStatus = 3
+	// Status code four is unused in OCSP. See
+	// https://tools.ietf.org/html/rfc6960#section-4.2.1
+	SignatureRequired ResponseStatus = 5
+	Unauthorized      ResponseStatus = 6
+)
+
+func (r ResponseStatus) String() string {
+	switch r {
+	case Success:
+		return "success"
+	case Malformed:
+		return "malformed"
+	case InternalError:
+		return "internal error"
+	case TryLater:
+		return "try later"
+	case SignatureRequired:
+		return "signature required"
+	case Unauthorized:
+		return "unauthorized"
+	default:
+		return "unknown OCSP status: " + strconv.Itoa(int(r))
+	}
+}
+
+// ResponseError is an error that may be returned by ParseResponse to indicate
+// that the response itself is an error, not just that its indicating that a
+// certificate is revoked, unknown, etc.
+type ResponseError struct {
+	Status ResponseStatus
+}
+
+func (r ResponseError) Error() string {
+	return "ocsp: error from server: " + r.Status.String()
+}
+
+// These are internal structures that reflect the ASN.1 structure of an OCSP
+// response. See RFC 2560, section 4.2.
+
+type certID struct {
+	HashAlgorithm pkix.AlgorithmIdentifier
+	NameHash      []byte
+	IssuerKeyHash []byte
+	SerialNumber  *big.Int
+}
+
+// https://tools.ietf.org/html/rfc2560#section-4.1.1
+type ocspRequest struct {
+	TBSRequest tbsRequest
+}
+
+type tbsRequest struct {
+	Version       int              `asn1:"explicit,tag:0,default:0,optional"`
+	RequestorName pkix.RDNSequence `asn1:"explicit,tag:1,optional"`
+	RequestList   []request
+}
+
+type request struct {
+	Cert certID
+}
+
+type responseASN1 struct {
+	Status   asn1.Enumerated
+	Response responseBytes `asn1:"explicit,tag:0,optional"`
+}
+
+type responseBytes struct {
+	ResponseType asn1.ObjectIdentifier
+	Response     []byte
+}
+
+type basicResponse struct {
+	TBSResponseData    responseData
+	SignatureAlgorithm pkix.AlgorithmIdentifier
+	Signature          asn1.BitString
+	Certificates       []asn1.RawValue `asn1:"explicit,tag:0,optional"`
+}
+
+type responseData struct {
+	Raw            asn1.RawContent
+	Version        int `asn1:"optional,default:0,explicit,tag:0"`
+	RawResponderID asn1.RawValue
+	ProducedAt     time.Time `asn1:"generalized"`
+	Responses      []singleResponse
+}
+
+type singleResponse struct {
+	CertID           certID
+	Good             asn1.Flag        `asn1:"tag:0,optional"`
+	Revoked          revokedInfo      `asn1:"tag:1,optional"`
+	Unknown          asn1.Flag        `asn1:"tag:2,optional"`
+	ThisUpdate       time.Time        `asn1:"generalized"`
+	NextUpdate       time.Time        `asn1:"generalized,explicit,tag:0,optional"`
+	SingleExtensions []pkix.Extension `asn1:"explicit,tag:1,optional"`
+}
+
+type revokedInfo struct {
+	RevocationTime time.Time       `asn1:"generalized"`
+	Reason         asn1.Enumerated `asn1:"explicit,tag:0,optional"`
+}
+
+var (
+	oidSignatureMD2WithRSA      = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 2}
+	oidSignatureMD5WithRSA      = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 4}
+	oidSignatureSHA1WithRSA     = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5}
+	oidSignatureSHA256WithRSA   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11}
+	oidSignatureSHA384WithRSA   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 12}
+	oidSignatureSHA512WithRSA   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 13}
+	oidSignatureDSAWithSHA1     = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 3}
+	oidSignatureDSAWithSHA256   = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 3, 2}
+	oidSignatureECDSAWithSHA1   = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 1}
+	oidSignatureECDSAWithSHA256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 2}
+	oidSignatureECDSAWithSHA384 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 3}
+	oidSignatureECDSAWithSHA512 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 4}
+)
+
+var hashOIDs = map[crypto.Hash]asn1.ObjectIdentifier{
+	crypto.SHA1:   asn1.ObjectIdentifier([]int{1, 3, 14, 3, 2, 26}),
+	crypto.SHA256: asn1.ObjectIdentifier([]int{2, 16, 840, 1, 101, 3, 4, 2, 1}),
+	crypto.SHA384: asn1.ObjectIdentifier([]int{2, 16, 840, 1, 101, 3, 4, 2, 2}),
+	crypto.SHA512: asn1.ObjectIdentifier([]int{2, 16, 840, 1, 101, 3, 4, 2, 3}),
+}
+
+// TODO(rlb): This is also from crypto/x509, so same comment as AGL's below
+var signatureAlgorithmDetails = []struct {
+	algo       x509.SignatureAlgorithm
+	oid        asn1.ObjectIdentifier
+	pubKeyAlgo x509.PublicKeyAlgorithm
+	hash       crypto.Hash
+}{
+	{x509.MD2WithRSA, oidSignatureMD2WithRSA, x509.RSA, crypto.Hash(0) /* no value for MD2 */},
+	{x509.MD5WithRSA, oidSignatureMD5WithRSA, x509.RSA, crypto.MD5},
+	{x509.SHA1WithRSA, oidSignatureSHA1WithRSA, x509.RSA, crypto.SHA1},
+	{x509.SHA256WithRSA, oidSignatureSHA256WithRSA, x509.RSA, crypto.SHA256},
+	{x509.SHA384WithRSA, oidSignatureSHA384WithRSA, x509.RSA, crypto.SHA384},
+	{x509.SHA512WithRSA, oidSignatureSHA512WithRSA, x509.RSA, crypto.SHA512},
+	{x509.DSAWithSHA1, oidSignatureDSAWithSHA1, x509.DSA, crypto.SHA1},
+	{x509.DSAWithSHA256, oidSignatureDSAWithSHA256, x509.DSA, crypto.SHA256},
+	{x509.ECDSAWithSHA1, oidSignatureECDSAWithSHA1, x509.ECDSA, crypto.SHA1},
+	{x509.ECDSAWithSHA256, oidSignatureECDSAWithSHA256, x509.ECDSA, crypto.SHA256},
+	{x509.ECDSAWithSHA384, oidSignatureECDSAWithSHA384, x509.ECDSA, crypto.SHA384},
+	{x509.ECDSAWithSHA512, oidSignatureECDSAWithSHA512, x509.ECDSA, crypto.SHA512},
+}
+
+// TODO(rlb): This is also from crypto/x509, so same comment as AGL's below
+func signingParamsForPublicKey(pub interface{}, requestedSigAlgo x509.SignatureAlgorithm) (hashFunc crypto.Hash, sigAlgo pkix.AlgorithmIdentifier, err error) {
+	var pubType x509.PublicKeyAlgorithm
+
+	switch pub := pub.(type) {
+	case *rsa.PublicKey:
+		pubType = x509.RSA
+		hashFunc = crypto.SHA256
+		sigAlgo.Algorithm = oidSignatureSHA256WithRSA
+		sigAlgo.Parameters = asn1.RawValue{
+			Tag: 5,
+		}
+
+	case *ecdsa.PublicKey:
+		pubType = x509.ECDSA
+
+		switch pub.Curve {
+		case elliptic.P224(), elliptic.P256():
+			hashFunc = crypto.SHA256
+			sigAlgo.Algorithm = oidSignatureECDSAWithSHA256
+		case elliptic.P384():
+			hashFunc = crypto.SHA384
+			sigAlgo.Algorithm = oidSignatureECDSAWithSHA384
+		case elliptic.P521():
+			hashFunc = crypto.SHA512
+			sigAlgo.Algorithm = oidSignatureECDSAWithSHA512
+		default:
+			err = errors.New("x509: unknown elliptic curve")
+		}
+
+	default:
+		err = errors.New("x509: only RSA and ECDSA keys supported")
+	}
+
+	if err != nil {
+		return
+	}
+
+	if requestedSigAlgo == 0 {
+		return
+	}
+
+	found := false
+	for _, details := range signatureAlgorithmDetails {
+		if details.algo == requestedSigAlgo {
+			if details.pubKeyAlgo != pubType {
+				err = errors.New("x509: requested SignatureAlgorithm does not match private key type")
+				return
+			}
+			sigAlgo.Algorithm, hashFunc = details.oid, details.hash
+			if hashFunc == 0 {
+				err = errors.New("x509: cannot sign with hash function requested")
+				return
+			}
+			found = true
+			break
+		}
+	}
+
+	if !found {
+		err = errors.New("x509: unknown SignatureAlgorithm")
+	}
+
+	return
+}
+
+// TODO(agl): this is taken from crypto/x509 and so should probably be exported
+// from crypto/x509 or crypto/x509/pkix.
+func getSignatureAlgorithmFromOID(oid asn1.ObjectIdentifier) x509.SignatureAlgorithm {
+	for _, details := range signatureAlgorithmDetails {
+		if oid.Equal(details.oid) {
+			return details.algo
+		}
+	}
+	return x509.UnknownSignatureAlgorithm
+}
+
+// TODO(rlb): This is not taken from crypto/x509, but it's of the same general form.
+func getHashAlgorithmFromOID(target asn1.ObjectIdentifier) crypto.Hash {
+	for hash, oid := range hashOIDs {
+		if oid.Equal(target) {
+			return hash
+		}
+	}
+	return crypto.Hash(0)
+}
+
+func getOIDFromHashAlgorithm(target crypto.Hash) asn1.ObjectIdentifier {
+	for hash, oid := range hashOIDs {
+		if hash == target {
+			return oid
+		}
+	}
+	return nil
+}
+
+// This is the exposed reflection of the internal OCSP structures.
+
+// The status values that can be expressed in OCSP.  See RFC 6960.
+const (
+	// Good means that the certificate is valid.
+	Good = iota
+	// Revoked means that the certificate has been deliberately revoked.
+	Revoked
+	// Unknown means that the OCSP responder doesn't know about the certificate.
+	Unknown
+	// ServerFailed is unused and was never used (see
+	// https://go-review.googlesource.com/#/c/18944). ParseResponse will
+	// return a ResponseError when an error response is parsed.
+	ServerFailed
+)
+
+// The enumerated reasons for revoking a certificate.  See RFC 5280.
+const (
+	Unspecified          = iota
+	KeyCompromise        = iota
+	CACompromise         = iota
+	AffiliationChanged   = iota
+	Superseded           = iota
+	CessationOfOperation = iota
+	CertificateHold      = iota
+	_                    = iota
+	RemoveFromCRL        = iota
+	PrivilegeWithdrawn   = iota
+	AACompromise         = iota
+)
+
+// Request represents an OCSP request. See RFC 6960.
+type Request struct {
+	HashAlgorithm  crypto.Hash
+	IssuerNameHash []byte
+	IssuerKeyHash  []byte
+	SerialNumber   *big.Int
+}
+
+// Marshal marshals the OCSP request to ASN.1 DER encoded form.
+func (req *Request) Marshal() ([]byte, error) {
+	hashAlg := getOIDFromHashAlgorithm(req.HashAlgorithm)
+	if hashAlg == nil {
+		return nil, errors.New("Unknown hash algorithm")
+	}
+	return asn1.Marshal(ocspRequest{
+		tbsRequest{
+			Version: 0,
+			RequestList: []request{
+				{
+					Cert: certID{
+						pkix.AlgorithmIdentifier{
+							Algorithm:  hashAlg,
+							Parameters: asn1.RawValue{Tag: 5 /* ASN.1 NULL */},
+						},
+						req.IssuerNameHash,
+						req.IssuerKeyHash,
+						req.SerialNumber,
+					},
+				},
+			},
+		},
+	})
+}
+
+// Response represents an OCSP response containing a single SingleResponse. See
+// RFC 6960.
+type Response struct {
+	// Status is one of {Good, Revoked, Unknown}
+	Status                                        int
+	SerialNumber                                  *big.Int
+	ProducedAt, ThisUpdate, NextUpdate, RevokedAt time.Time
+	RevocationReason                              int
+	Certificate                                   *x509.Certificate
+	// TBSResponseData contains the raw bytes of the signed response. If
+	// Certificate is nil then this can be used to verify Signature.
+	TBSResponseData    []byte
+	Signature          []byte
+	SignatureAlgorithm x509.SignatureAlgorithm
+
+	// IssuerHash is the hash used to compute the IssuerNameHash and IssuerKeyHash.
+	// Valid values are crypto.SHA1, crypto.SHA256, crypto.SHA384, and crypto.SHA512.
+	// If zero, the default is crypto.SHA1.
+	IssuerHash crypto.Hash
+
+	// RawResponderName optionally contains the DER-encoded subject of the
+	// responder certificate. Exactly one of RawResponderName and
+	// ResponderKeyHash is set.
+	RawResponderName []byte
+	// ResponderKeyHash optionally contains the SHA-1 hash of the
+	// responder's public key. Exactly one of RawResponderName and
+	// ResponderKeyHash is set.
+	ResponderKeyHash []byte
+
+	// Extensions contains raw X.509 extensions from the singleExtensions field
+	// of the OCSP response. When parsing certificates, this can be used to
+	// extract non-critical extensions that are not parsed by this package. When
+	// marshaling OCSP responses, the Extensions field is ignored, see
+	// ExtraExtensions.
+	Extensions []pkix.Extension
+
+	// ExtraExtensions contains extensions to be copied, raw, into any marshaled
+	// OCSP response (in the singleExtensions field). Values override any
+	// extensions that would otherwise be produced based on the other fields. The
+	// ExtraExtensions field is not populated when parsing certificates, see
+	// Extensions.
+	ExtraExtensions []pkix.Extension
+}
+
+// These are pre-serialized error responses for the various non-success codes
+// defined by OCSP. The Unauthorized code in particular can be used by an OCSP
+// responder that supports only pre-signed responses as a response to requests
+// for certificates with unknown status. See RFC 5019.
+var (
+	MalformedRequestErrorResponse = []byte{0x30, 0x03, 0x0A, 0x01, 0x01}
+	InternalErrorErrorResponse    = []byte{0x30, 0x03, 0x0A, 0x01, 0x02}
+	TryLaterErrorResponse         = []byte{0x30, 0x03, 0x0A, 0x01, 0x03}
+	SigRequredErrorResponse       = []byte{0x30, 0x03, 0x0A, 0x01, 0x05}
+	UnauthorizedErrorResponse     = []byte{0x30, 0x03, 0x0A, 0x01, 0x06}
+)
+
+// CheckSignatureFrom checks that the signature in resp is a valid signature
+// from issuer. This should only be used if resp.Certificate is nil. Otherwise,
+// the OCSP response contained an intermediate certificate that created the
+// signature. That signature is checked by ParseResponse and only
+// resp.Certificate remains to be validated.
+func (resp *Response) CheckSignatureFrom(issuer *x509.Certificate) error {
+	return issuer.CheckSignature(resp.SignatureAlgorithm, resp.TBSResponseData, resp.Signature)
+}
+
+// ParseError results from an invalid OCSP response.
+type ParseError string
+
+func (p ParseError) Error() string {
+	return string(p)
+}
+
+// ParseRequest parses an OCSP request in DER form. It only supports
+// requests for a single certificate. Signed requests are not supported.
+// If a request includes a signature, it will result in a ParseError.
+func ParseRequest(bytes []byte) (*Request, error) {
+	var req ocspRequest
+	rest, err := asn1.Unmarshal(bytes, &req)
+	if err != nil {
+		return nil, err
+	}
+	if len(rest) > 0 {
+		return nil, ParseError("trailing data in OCSP request")
+	}
+
+	if len(req.TBSRequest.RequestList) == 0 {
+		return nil, ParseError("OCSP request contains no request body")
+	}
+	innerRequest := req.TBSRequest.RequestList[0]
+
+	hashFunc := getHashAlgorithmFromOID(innerRequest.Cert.HashAlgorithm.Algorithm)
+	if hashFunc == crypto.Hash(0) {
+		return nil, ParseError("OCSP request uses unknown hash function")
+	}
+
+	return &Request{
+		HashAlgorithm:  hashFunc,
+		IssuerNameHash: innerRequest.Cert.NameHash,
+		IssuerKeyHash:  innerRequest.Cert.IssuerKeyHash,
+		SerialNumber:   innerRequest.Cert.SerialNumber,
+	}, nil
+}
+
+// ParseResponse parses an OCSP response in DER form. It only supports
+// responses for a single certificate. If the response contains a certificate
+// then the signature over the response is checked. If issuer is not nil then
+// it will be used to validate the signature or embedded certificate.
+//
+// Invalid responses and parse failures will result in a ParseError.
+// Error responses will result in a ResponseError.
+func ParseResponse(bytes []byte, issuer *x509.Certificate) (*Response, error) {
+	return ParseResponseForCert(bytes, nil, issuer)
+}
+
+// ParseResponseForCert parses an OCSP response in DER form and searches for a
+// Response relating to cert. If such a Response is found and the OCSP response
+// contains a certificate then the signature over the response is checked. If
+// issuer is not nil then it will be used to validate the signature or embedded
+// certificate.
+//
+// Invalid responses and parse failures will result in a ParseError.
+// Error responses will result in a ResponseError.
+func ParseResponseForCert(bytes []byte, cert, issuer *x509.Certificate) (*Response, error) {
+	var resp responseASN1
+	rest, err := asn1.Unmarshal(bytes, &resp)
+	if err != nil {
+		return nil, err
+	}
+	if len(rest) > 0 {
+		return nil, ParseError("trailing data in OCSP response")
+	}
+
+	if status := ResponseStatus(resp.Status); status != Success {
+		return nil, ResponseError{status}
+	}
+
+	if !resp.Response.ResponseType.Equal(idPKIXOCSPBasic) {
+		return nil, ParseError("bad OCSP response type")
+	}
+
+	var basicResp basicResponse
+	rest, err = asn1.Unmarshal(resp.Response.Response, &basicResp)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(basicResp.Certificates) > 1 {
+		return nil, ParseError("OCSP response contains bad number of certificates")
+	}
+
+	if n := len(basicResp.TBSResponseData.Responses); n == 0 || cert == nil && n > 1 {
+		return nil, ParseError("OCSP response contains bad number of responses")
+	}
+
+	var singleResp singleResponse
+	if cert == nil {
+		singleResp = basicResp.TBSResponseData.Responses[0]
+	} else {
+		match := false
+		for _, resp := range basicResp.TBSResponseData.Responses {
+			if cert == nil || cert.SerialNumber.Cmp(resp.CertID.SerialNumber) == 0 {
+				singleResp = resp
+				match = true
+				break
+			}
+		}
+		if !match {
+			return nil, ParseError("no response matching the supplied certificate")
+		}
+	}
+
+	ret := &Response{
+		TBSResponseData:    basicResp.TBSResponseData.Raw,
+		Signature:          basicResp.Signature.RightAlign(),
+		SignatureAlgorithm: getSignatureAlgorithmFromOID(basicResp.SignatureAlgorithm.Algorithm),
+		Extensions:         singleResp.SingleExtensions,
+		SerialNumber:       singleResp.CertID.SerialNumber,
+		ProducedAt:         basicResp.TBSResponseData.ProducedAt,
+		ThisUpdate:         singleResp.ThisUpdate,
+		NextUpdate:         singleResp.NextUpdate,
+	}
+
+	// Handle the ResponderID CHOICE tag. ResponderID can be flattened into
+	// TBSResponseData once https://go-review.googlesource.com/34503 has been
+	// released.
+	rawResponderID := basicResp.TBSResponseData.RawResponderID
+	switch rawResponderID.Tag {
+	case 1: // Name
+		var rdn pkix.RDNSequence
+		if rest, err := asn1.Unmarshal(rawResponderID.Bytes, &rdn); err != nil || len(rest) != 0 {
+			return nil, ParseError("invalid responder name")
+		}
+		ret.RawResponderName = rawResponderID.Bytes
+	case 2: // KeyHash
+		if rest, err := asn1.Unmarshal(rawResponderID.Bytes, &ret.ResponderKeyHash); err != nil || len(rest) != 0 {
+			return nil, ParseError("invalid responder key hash")
+		}
+	default:
+		return nil, ParseError("invalid responder id tag")
+	}
+
+	if len(basicResp.Certificates) > 0 {
+		ret.Certificate, err = x509.ParseCertificate(basicResp.Certificates[0].FullBytes)
+		if err != nil {
+			return nil, err
+		}
+
+		if err := ret.CheckSignatureFrom(ret.Certificate); err != nil {
+			return nil, ParseError("bad signature on embedded certificate: " + err.Error())
+		}
+
+		if issuer != nil {
+			if err := issuer.CheckSignature(ret.Certificate.SignatureAlgorithm, ret.Certificate.RawTBSCertificate, ret.Certificate.Signature); err != nil {
+				return nil, ParseError("bad OCSP signature: " + err.Error())
+			}
+		}
+	} else if issuer != nil {
+		if err := ret.CheckSignatureFrom(issuer); err != nil {
+			return nil, ParseError("bad OCSP signature: " + err.Error())
+		}
+	}
+
+	for _, ext := range singleResp.SingleExtensions {
+		if ext.Critical {
+			return nil, ParseError("unsupported critical extension")
+		}
+	}
+
+	for h, oid := range hashOIDs {
+		if singleResp.CertID.HashAlgorithm.Algorithm.Equal(oid) {
+			ret.IssuerHash = h
+			break
+		}
+	}
+	if ret.IssuerHash == 0 {
+		return nil, ParseError("unsupported issuer hash algorithm")
+	}
+
+	switch {
+	case bool(singleResp.Good):
+		ret.Status = Good
+	case bool(singleResp.Unknown):
+		ret.Status = Unknown
+	default:
+		ret.Status = Revoked
+		ret.RevokedAt = singleResp.Revoked.RevocationTime
+		ret.RevocationReason = int(singleResp.Revoked.Reason)
+	}
+
+	return ret, nil
+}
+
+// RequestOptions contains options for constructing OCSP requests.
+type RequestOptions struct {
+	// Hash contains the hash function that should be used when
+	// constructing the OCSP request. If zero, SHA-1 will be used.
+	Hash crypto.Hash
+}
+
+func (opts *RequestOptions) hash() crypto.Hash {
+	if opts == nil || opts.Hash == 0 {
+		// SHA-1 is nearly universally used in OCSP.
+		return crypto.SHA1
+	}
+	return opts.Hash
+}
+
+// CreateRequest returns a DER-encoded, OCSP request for the status of cert. If
+// opts is nil then sensible defaults are used.
+func CreateRequest(cert, issuer *x509.Certificate, opts *RequestOptions) ([]byte, error) {
+	hashFunc := opts.hash()
+
+	// OCSP seems to be the only place where these raw hash identifiers are
+	// used. I took the following from
+	// http://msdn.microsoft.com/en-us/library/ff635603.aspx
+	_, ok := hashOIDs[hashFunc]
+	if !ok {
+		return nil, x509.ErrUnsupportedAlgorithm
+	}
+
+	if !hashFunc.Available() {
+		return nil, x509.ErrUnsupportedAlgorithm
+	}
+	h := opts.hash().New()
+
+	var publicKeyInfo struct {
+		Algorithm pkix.AlgorithmIdentifier
+		PublicKey asn1.BitString
+	}
+	if _, err := asn1.Unmarshal(issuer.RawSubjectPublicKeyInfo, &publicKeyInfo); err != nil {
+		return nil, err
+	}
+
+	h.Write(publicKeyInfo.PublicKey.RightAlign())
+	issuerKeyHash := h.Sum(nil)
+
+	h.Reset()
+	h.Write(issuer.RawSubject)
+	issuerNameHash := h.Sum(nil)
+
+	req := &Request{
+		HashAlgorithm:  hashFunc,
+		IssuerNameHash: issuerNameHash,
+		IssuerKeyHash:  issuerKeyHash,
+		SerialNumber:   cert.SerialNumber,
+	}
+	return req.Marshal()
+}
+
+// CreateResponse returns a DER-encoded OCSP response with the specified contents.
+// The fields in the response are populated as follows:
+//
+// The responder cert is used to populate the responder's name field, and the
+// certificate itself is provided alongside the OCSP response signature.
+//
+// The issuer cert is used to puplate the IssuerNameHash and IssuerKeyHash fields.
+//
+// The template is used to populate the SerialNumber, RevocationStatus, RevokedAt,
+// RevocationReason, ThisUpdate, and NextUpdate fields.
+//
+// If template.IssuerHash is not set, SHA1 will be used.
+//
+// The ProducedAt date is automatically set to the current date, to the nearest minute.
+func CreateResponse(issuer, responderCert *x509.Certificate, template Response, priv crypto.Signer) ([]byte, error) {
+	var publicKeyInfo struct {
+		Algorithm pkix.AlgorithmIdentifier
+		PublicKey asn1.BitString
+	}
+	if _, err := asn1.Unmarshal(issuer.RawSubjectPublicKeyInfo, &publicKeyInfo); err != nil {
+		return nil, err
+	}
+
+	if template.IssuerHash == 0 {
+		template.IssuerHash = crypto.SHA1
+	}
+	hashOID := getOIDFromHashAlgorithm(template.IssuerHash)
+	if hashOID == nil {
+		return nil, errors.New("unsupported issuer hash algorithm")
+	}
+
+	if !template.IssuerHash.Available() {
+		return nil, fmt.Errorf("issuer hash algorithm %v not linked into binary", template.IssuerHash)
+	}
+	h := template.IssuerHash.New()
+	h.Write(publicKeyInfo.PublicKey.RightAlign())
+	issuerKeyHash := h.Sum(nil)
+
+	h.Reset()
+	h.Write(issuer.RawSubject)
+	issuerNameHash := h.Sum(nil)
+
+	innerResponse := singleResponse{
+		CertID: certID{
+			HashAlgorithm: pkix.AlgorithmIdentifier{
+				Algorithm:  hashOID,
+				Parameters: asn1.RawValue{Tag: 5 /* ASN.1 NULL */},
+			},
+			NameHash:      issuerNameHash,
+			IssuerKeyHash: issuerKeyHash,
+			SerialNumber:  template.SerialNumber,
+		},
+		ThisUpdate:       template.ThisUpdate.UTC(),
+		NextUpdate:       template.NextUpdate.UTC(),
+		SingleExtensions: template.ExtraExtensions,
+	}
+
+	switch template.Status {
+	case Good:
+		innerResponse.Good = true
+	case Unknown:
+		innerResponse.Unknown = true
+	case Revoked:
+		innerResponse.Revoked = revokedInfo{
+			RevocationTime: template.RevokedAt.UTC(),
+			Reason:         asn1.Enumerated(template.RevocationReason),
+		}
+	}
+
+	rawResponderID := asn1.RawValue{
+		Class:      2, // context-specific
+		Tag:        1, // Name (explicit tag)
+		IsCompound: true,
+		Bytes:      responderCert.RawSubject,
+	}
+	tbsResponseData := responseData{
+		Version:        0,
+		RawResponderID: rawResponderID,
+		ProducedAt:     time.Now().Truncate(time.Minute).UTC(),
+		Responses:      []singleResponse{innerResponse},
+	}
+
+	tbsResponseDataDER, err := asn1.Marshal(tbsResponseData)
+	if err != nil {
+		return nil, err
+	}
+
+	hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(priv.Public(), template.SignatureAlgorithm)
+	if err != nil {
+		return nil, err
+	}
+
+	responseHash := hashFunc.New()
+	responseHash.Write(tbsResponseDataDER)
+	signature, err := priv.Sign(rand.Reader, responseHash.Sum(nil), hashFunc)
+	if err != nil {
+		return nil, err
+	}
+
+	response := basicResponse{
+		TBSResponseData:    tbsResponseData,
+		SignatureAlgorithm: signatureAlgorithm,
+		Signature: asn1.BitString{
+			Bytes:     signature,
+			BitLength: 8 * len(signature),
+		},
+	}
+	if template.Certificate != nil {
+		response.Certificates = []asn1.RawValue{
+			asn1.RawValue{FullBytes: template.Certificate.Raw},
+		}
+	}
+	responseDER, err := asn1.Marshal(response)
+	if err != nil {
+		return nil, err
+	}
+
+	return asn1.Marshal(responseASN1{
+		Status: asn1.Enumerated(Success),
+		Response: responseBytes{
+			ResponseType: idPKIXOCSPBasic,
+			Response:     responseDER,
+		},
+	})
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/ocsp/ocsp_test.go b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/ocsp/ocsp_test.go
new file mode 100644
index 000000000..df674b374
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/crypto/ocsp/ocsp_test.go
@@ -0,0 +1,875 @@
+// Copyright 2013 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build go1.7
+
+package ocsp
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/sha1"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/asn1"
+	"encoding/hex"
+	"math/big"
+	"reflect"
+	"testing"
+	"time"
+)
+
+func TestOCSPDecode(t *testing.T) {
+	responseBytes, _ := hex.DecodeString(ocspResponseHex)
+	resp, err := ParseResponse(responseBytes, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	responderCert, _ := hex.DecodeString(startComResponderCertHex)
+	responder, err := x509.ParseCertificate(responderCert)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	expected := Response{
+		Status:           Good,
+		SerialNumber:     big.NewInt(0x1d0fa),
+		RevocationReason: Unspecified,
+		ThisUpdate:       time.Date(2010, 7, 7, 15, 1, 5, 0, time.UTC),
+		NextUpdate:       time.Date(2010, 7, 7, 18, 35, 17, 0, time.UTC),
+		RawResponderName: responder.RawSubject,
+	}
+
+	if !reflect.DeepEqual(resp.ThisUpdate, expected.ThisUpdate) {
+		t.Errorf("resp.ThisUpdate: got %d, want %d", resp.ThisUpdate, expected.ThisUpdate)
+	}
+
+	if !reflect.DeepEqual(resp.NextUpdate, expected.NextUpdate) {
+		t.Errorf("resp.NextUpdate: got %d, want %d", resp.NextUpdate, expected.NextUpdate)
+	}
+
+	if resp.Status != expected.Status {
+		t.Errorf("resp.Status: got %d, want %d", resp.Status, expected.Status)
+	}
+
+	if resp.SerialNumber.Cmp(expected.SerialNumber) != 0 {
+		t.Errorf("resp.SerialNumber: got %x, want %x", resp.SerialNumber, expected.SerialNumber)
+	}
+
+	if resp.RevocationReason != expected.RevocationReason {
+		t.Errorf("resp.RevocationReason: got %d, want %d", resp.RevocationReason, expected.RevocationReason)
+	}
+
+	if !bytes.Equal(resp.RawResponderName, expected.RawResponderName) {
+		t.Errorf("resp.RawResponderName: got %x, want %x", resp.RawResponderName, expected.RawResponderName)
+	}
+
+	if !bytes.Equal(resp.ResponderKeyHash, expected.ResponderKeyHash) {
+		t.Errorf("resp.ResponderKeyHash: got %x, want %x", resp.ResponderKeyHash, expected.ResponderKeyHash)
+	}
+}
+
+func TestOCSPDecodeWithoutCert(t *testing.T) {
+	responseBytes, _ := hex.DecodeString(ocspResponseWithoutCertHex)
+	_, err := ParseResponse(responseBytes, nil)
+	if err != nil {
+		t.Error(err)
+	}
+}
+
+func TestOCSPDecodeWithExtensions(t *testing.T) {
+	responseBytes, _ := hex.DecodeString(ocspResponseWithCriticalExtensionHex)
+	_, err := ParseResponse(responseBytes, nil)
+	if err == nil {
+		t.Error(err)
+	}
+
+	responseBytes, _ = hex.DecodeString(ocspResponseWithExtensionHex)
+	response, err := ParseResponse(responseBytes, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(response.Extensions) != 1 {
+		t.Errorf("len(response.Extensions): got %v, want %v", len(response.Extensions), 1)
+	}
+
+	extensionBytes := response.Extensions[0].Value
+	expectedBytes, _ := hex.DecodeString(ocspExtensionValueHex)
+	if !bytes.Equal(extensionBytes, expectedBytes) {
+		t.Errorf("response.Extensions[0]: got %x, want %x", extensionBytes, expectedBytes)
+	}
+}
+
+func TestOCSPSignature(t *testing.T) {
+	issuerCert, _ := hex.DecodeString(startComHex)
+	issuer, err := x509.ParseCertificate(issuerCert)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	response, _ := hex.DecodeString(ocspResponseHex)
+	if _, err := ParseResponse(response, issuer); err != nil {
+		t.Error(err)
+	}
+}
+
+func TestOCSPRequest(t *testing.T) {
+	leafCert, _ := hex.DecodeString(leafCertHex)
+	cert, err := x509.ParseCertificate(leafCert)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	issuerCert, _ := hex.DecodeString(issuerCertHex)
+	issuer, err := x509.ParseCertificate(issuerCert)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	request, err := CreateRequest(cert, issuer, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	expectedBytes, _ := hex.DecodeString(ocspRequestHex)
+	if !bytes.Equal(request, expectedBytes) {
+		t.Errorf("request: got %x, wanted %x", request, expectedBytes)
+	}
+
+	decodedRequest, err := ParseRequest(expectedBytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if decodedRequest.HashAlgorithm != crypto.SHA1 {
+		t.Errorf("request.HashAlgorithm: got %v, want %v", decodedRequest.HashAlgorithm, crypto.SHA1)
+	}
+
+	var publicKeyInfo struct {
+		Algorithm pkix.AlgorithmIdentifier
+		PublicKey asn1.BitString
+	}
+	_, err = asn1.Unmarshal(issuer.RawSubjectPublicKeyInfo, &publicKeyInfo)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	h := sha1.New()
+	h.Write(publicKeyInfo.PublicKey.RightAlign())
+	issuerKeyHash := h.Sum(nil)
+
+	h.Reset()
+	h.Write(issuer.RawSubject)
+	issuerNameHash := h.Sum(nil)
+
+	if got := decodedRequest.IssuerKeyHash; !bytes.Equal(got, issuerKeyHash) {
+		t.Errorf("request.IssuerKeyHash: got %x, want %x", got, issuerKeyHash)
+	}
+
+	if got := decodedRequest.IssuerNameHash; !bytes.Equal(got, issuerNameHash) {
+		t.Errorf("request.IssuerKeyHash: got %x, want %x", got, issuerNameHash)
+	}
+
+	if got := decodedRequest.SerialNumber; got.Cmp(cert.SerialNumber) != 0 {
+		t.Errorf("request.SerialNumber: got %x, want %x", got, cert.SerialNumber)
+	}
+
+	marshaledRequest, err := decodedRequest.Marshal()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if bytes.Compare(expectedBytes, marshaledRequest) != 0 {
+		t.Errorf(
+			"Marshaled request doesn't match expected: wanted %x, got %x",
+			expectedBytes,
+			marshaledRequest,
+		)
+	}
+}
+
+func TestOCSPResponse(t *testing.T) {
+	leafCert, _ := hex.DecodeString(leafCertHex)
+	leaf, err := x509.ParseCertificate(leafCert)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	issuerCert, _ := hex.DecodeString(issuerCertHex)
+	issuer, err := x509.ParseCertificate(issuerCert)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	responderCert, _ := hex.DecodeString(responderCertHex)
+	responder, err := x509.ParseCertificate(responderCert)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	responderPrivateKeyDER, _ := hex.DecodeString(responderPrivateKeyHex)
+	responderPrivateKey, err := x509.ParsePKCS1PrivateKey(responderPrivateKeyDER)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	extensionBytes, _ := hex.DecodeString(ocspExtensionValueHex)
+	extensions := []pkix.Extension{
+		pkix.Extension{
+			Id:       ocspExtensionOID,
+			Critical: false,
+			Value:    extensionBytes,
+		},
+	}
+
+	thisUpdate := time.Date(2010, 7, 7, 15, 1, 5, 0, time.UTC)
+	nextUpdate := time.Date(2010, 7, 7, 18, 35, 17, 0, time.UTC)
+	template := Response{
+		Status:           Revoked,
+		SerialNumber:     leaf.SerialNumber,
+		ThisUpdate:       thisUpdate,
+		NextUpdate:       nextUpdate,
+		RevokedAt:        thisUpdate,
+		RevocationReason: KeyCompromise,
+		Certificate:      responder,
+		ExtraExtensions:  extensions,
+	}
+
+	template.IssuerHash = crypto.MD5
+	_, err = CreateResponse(issuer, responder, template, responderPrivateKey)
+	if err == nil {
+		t.Fatal("CreateResponse didn't fail with non-valid template.IssuerHash value crypto.MD5")
+	}
+
+	testCases := []struct {
+		name       string
+		issuerHash crypto.Hash
+	}{
+		{"Zero value", 0},
+		{"crypto.SHA1", crypto.SHA1},
+		{"crypto.SHA256", crypto.SHA256},
+		{"crypto.SHA384", crypto.SHA384},
+		{"crypto.SHA512", crypto.SHA512},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			template.IssuerHash = tc.issuerHash
+			responseBytes, err := CreateResponse(issuer, responder, template, responderPrivateKey)
+			if err != nil {
+				t.Fatalf("CreateResponse failed: %s", err)
+			}
+
+			resp, err := ParseResponse(responseBytes, nil)
+			if err != nil {
+				t.Fatalf("ParseResponse failed: %s", err)
+			}
+
+			if !reflect.DeepEqual(resp.ThisUpdate, template.ThisUpdate) {
+				t.Errorf("resp.ThisUpdate: got %d, want %d", resp.ThisUpdate, template.ThisUpdate)
+			}
+
+			if !reflect.DeepEqual(resp.NextUpdate, template.NextUpdate) {
+				t.Errorf("resp.NextUpdate: got %d, want %d", resp.NextUpdate, template.NextUpdate)
+			}
+
+			if !reflect.DeepEqual(resp.RevokedAt, template.RevokedAt) {
+				t.Errorf("resp.RevokedAt: got %d, want %d", resp.RevokedAt, template.RevokedAt)
+			}
+
+			if !reflect.DeepEqual(resp.Extensions, template.ExtraExtensions) {
+				t.Errorf("resp.Extensions: got %v, want %v", resp.Extensions, template.ExtraExtensions)
+			}
+
+			delay := time.Since(resp.ProducedAt)
+			if delay < -time.Hour || delay > time.Hour {
+				t.Errorf("resp.ProducedAt: got %s, want close to current time (%s)", resp.ProducedAt, time.Now())
+			}
+
+			if resp.Status != template.Status {
+				t.Errorf("resp.Status: got %d, want %d", resp.Status, template.Status)
+			}
+
+			if resp.SerialNumber.Cmp(template.SerialNumber) != 0 {
+				t.Errorf("resp.SerialNumber: got %x, want %x", resp.SerialNumber, template.SerialNumber)
+			}
+
+			if resp.RevocationReason != template.RevocationReason {
+				t.Errorf("resp.RevocationReason: got %d, want %d", resp.RevocationReason, template.RevocationReason)
+			}
+
+			expectedHash := tc.issuerHash
+			if tc.issuerHash == 0 {
+				expectedHash = crypto.SHA1
+			}
+
+			if resp.IssuerHash != expectedHash {
+				t.Errorf("resp.IssuerHash: got %d, want %d", resp.IssuerHash, expectedHash)
+			}
+		})
+	}
+}
+
+func TestErrorResponse(t *testing.T) {
+	responseBytes, _ := hex.DecodeString(errorResponseHex)
+	_, err := ParseResponse(responseBytes, nil)
+
+	respErr, ok := err.(ResponseError)
+	if !ok {
+		t.Fatalf("expected ResponseError from ParseResponse but got %#v", err)
+	}
+	if respErr.Status != Malformed {
+		t.Fatalf("expected Malformed status from ParseResponse but got %d", respErr.Status)
+	}
+}
+
+func TestOCSPDecodeMultiResponse(t *testing.T) {
+	inclCert, _ := hex.DecodeString(ocspMultiResponseCertHex)
+	cert, err := x509.ParseCertificate(inclCert)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	responseBytes, _ := hex.DecodeString(ocspMultiResponseHex)
+	resp, err := ParseResponseForCert(responseBytes, cert, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if resp.SerialNumber.Cmp(cert.SerialNumber) != 0 {
+		t.Errorf("resp.SerialNumber: got %x, want %x", resp.SerialNumber, cert.SerialNumber)
+	}
+}
+
+func TestOCSPDecodeMultiResponseWithoutMatchingCert(t *testing.T) {
+	wrongCert, _ := hex.DecodeString(startComHex)
+	cert, err := x509.ParseCertificate(wrongCert)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	responseBytes, _ := hex.DecodeString(ocspMultiResponseHex)
+	_, err = ParseResponseForCert(responseBytes, cert, nil)
+	want := ParseError("no response matching the supplied certificate")
+	if err != want {
+		t.Errorf("err: got %q, want %q", err, want)
+	}
+}
+
+// This OCSP response was taken from Thawte's public OCSP responder.
+// To recreate:
+//   $ openssl s_client -tls1 -showcerts -servername www.google.com -connect www.google.com:443
+// Copy and paste the first certificate into /tmp/cert.crt and the second into
+// /tmp/intermediate.crt
+//   $ openssl ocsp -issuer /tmp/intermediate.crt -cert /tmp/cert.crt -url http://ocsp.thawte.com -resp_text -respout /tmp/ocsp.der
+// Then hex encode the result:
+//   $ python -c 'print file("/tmp/ocsp.der", "r").read().encode("hex")'
+
+const ocspResponseHex = "308206bc0a0100a08206b5308206b106092b0601050507300101048206a23082069e3081" +
+	"c9a14e304c310b300906035504061302494c31163014060355040a130d5374617274436f" +
+	"6d204c74642e312530230603550403131c5374617274436f6d20436c6173732031204f43" +
+	"5350205369676e6572180f32303130303730373137333531375a30663064303c30090605" +
+	"2b0e03021a050004146568874f40750f016a3475625e1f5c93e5a26d580414eb4234d098" +
+	"b0ab9ff41b6b08f7cc642eef0e2c45020301d0fa8000180f323031303037303731353031" +
+	"30355aa011180f32303130303730373138333531375a300d06092a864886f70d01010505" +
+	"000382010100ab557ff070d1d7cebbb5f0ec91a15c3fed22eb2e1b8244f1b84545f013a4" +
+	"fb46214c5e3fbfbebb8a56acc2b9db19f68fd3c3201046b3824d5ba689f99864328710cb" +
+	"467195eb37d84f539e49f859316b32964dc3e47e36814ce94d6c56dd02733b1d0802f7ff" +
+	"4eebdbbd2927dcf580f16cbc290f91e81b53cb365e7223f1d6e20a88ea064104875e0145" +
+	"672b20fc14829d51ca122f5f5d77d3ad6c83889c55c7dc43680ba2fe3cef8b05dbcabdc0" +
+	"d3e09aaf9725597f8c858c2fa38c0d6aed2e6318194420dd1a1137445d13e1c97ab47896" +
+	"17a4e08925f46f867b72e3a4dc1f08cb870b2b0717f7207faa0ac512e628a029aba7457a" +
+	"e63dcf3281e2162d9349a08204ba308204b6308204b23082039aa003020102020101300d" +
+	"06092a864886f70d010105050030818c310b300906035504061302494c31163014060355" +
+	"040a130d5374617274436f6d204c74642e312b3029060355040b13225365637572652044" +
+	"69676974616c204365727469666963617465205369676e696e6731383036060355040313" +
+	"2f5374617274436f6d20436c6173732031205072696d61727920496e7465726d65646961" +
+	"746520536572766572204341301e170d3037313032353030323330365a170d3132313032" +
+	"333030323330365a304c310b300906035504061302494c31163014060355040a130d5374" +
+	"617274436f6d204c74642e312530230603550403131c5374617274436f6d20436c617373" +
+	"2031204f435350205369676e657230820122300d06092a864886f70d0101010500038201" +
+	"0f003082010a0282010100b9561b4c45318717178084e96e178df2255e18ed8d8ecc7c2b" +
+	"7b51a6c1c2e6bf0aa3603066f132fe10ae97b50e99fa24b83fc53dd2777496387d14e1c3" +
+	"a9b6a4933e2ac12413d085570a95b8147414a0bc007c7bcf222446ef7f1a156d7ea1c577" +
+	"fc5f0facdfd42eb0f5974990cb2f5cefebceef4d1bdc7ae5c1075c5a99a93171f2b0845b" +
+	"4ff0864e973fcfe32f9d7511ff87a3e943410c90a4493a306b6944359340a9ca96f02b66" +
+	"ce67f028df2980a6aaee8d5d5d452b8b0eb93f923cc1e23fcccbdbe7ffcb114d08fa7a6a" +
+	"3c404f825d1a0e715935cf623a8c7b59670014ed0622f6089a9447a7a19010f7fe58f841" +
+	"29a2765ea367824d1c3bb2fda308530203010001a382015c30820158300c0603551d1301" +
+	"01ff04023000300b0603551d0f0404030203a8301e0603551d250417301506082b060105" +
+	"0507030906092b0601050507300105301d0603551d0e0416041445e0a36695414c5dd449" +
+	"bc00e33cdcdbd2343e173081a80603551d230481a030819d8014eb4234d098b0ab9ff41b" +
+	"6b08f7cc642eef0e2c45a18181a47f307d310b300906035504061302494c311630140603" +
+	"55040a130d5374617274436f6d204c74642e312b3029060355040b132253656375726520" +
+	"4469676974616c204365727469666963617465205369676e696e67312930270603550403" +
+	"13205374617274436f6d2043657274696669636174696f6e20417574686f726974798201" +
+	"0a30230603551d12041c301a8618687474703a2f2f7777772e737461727473736c2e636f" +
+	"6d2f302c06096086480186f842010d041f161d5374617274436f6d205265766f63617469" +
+	"6f6e20417574686f72697479300d06092a864886f70d01010505000382010100182d2215" +
+	"8f0fc0291324fa8574c49bb8ff2835085adcbf7b7fc4191c397ab6951328253fffe1e5ec" +
+	"2a7da0d50fca1a404e6968481366939e666c0a6209073eca57973e2fefa9ed1718e8176f" +
+	"1d85527ff522c08db702e3b2b180f1cbff05d98128252cf0f450f7dd2772f4188047f19d" +
+	"c85317366f94bc52d60f453a550af58e308aaab00ced33040b62bf37f5b1ab2a4f7f0f80" +
+	"f763bf4d707bc8841d7ad9385ee2a4244469260b6f2bf085977af9074796048ecc2f9d48" +
+	"a1d24ce16e41a9941568fec5b42771e118f16c106a54ccc339a4b02166445a167902e75e" +
+	"6d8620b0825dcd18a069b90fd851d10fa8effd409deec02860d26d8d833f304b10669b42"
+
+const startComResponderCertHex = "308204b23082039aa003020102020101300d06092a864886f70d010105050030818c310b" +
+	"300906035504061302494c31163014060355040a130d5374617274436f6d204c74642e31" +
+	"2b3029060355040b1322536563757265204469676974616c204365727469666963617465" +
+	"205369676e696e67313830360603550403132f5374617274436f6d20436c617373203120" +
+	"5072696d61727920496e7465726d65646961746520536572766572204341301e170d3037" +
+	"313032353030323330365a170d3132313032333030323330365a304c310b300906035504" +
+	"061302494c31163014060355040a130d5374617274436f6d204c74642e31253023060355" +
+	"0403131c5374617274436f6d20436c6173732031204f435350205369676e657230820122" +
+	"300d06092a864886f70d01010105000382010f003082010a0282010100b9561b4c453187" +
+	"17178084e96e178df2255e18ed8d8ecc7c2b7b51a6c1c2e6bf0aa3603066f132fe10ae97" +
+	"b50e99fa24b83fc53dd2777496387d14e1c3a9b6a4933e2ac12413d085570a95b8147414" +
+	"a0bc007c7bcf222446ef7f1a156d7ea1c577fc5f0facdfd42eb0f5974990cb2f5cefebce" +
+	"ef4d1bdc7ae5c1075c5a99a93171f2b0845b4ff0864e973fcfe32f9d7511ff87a3e94341" +
+	"0c90a4493a306b6944359340a9ca96f02b66ce67f028df2980a6aaee8d5d5d452b8b0eb9" +
+	"3f923cc1e23fcccbdbe7ffcb114d08fa7a6a3c404f825d1a0e715935cf623a8c7b596700" +
+	"14ed0622f6089a9447a7a19010f7fe58f84129a2765ea367824d1c3bb2fda30853020301" +
+	"0001a382015c30820158300c0603551d130101ff04023000300b0603551d0f0404030203" +
+	"a8301e0603551d250417301506082b0601050507030906092b0601050507300105301d06" +
+	"03551d0e0416041445e0a36695414c5dd449bc00e33cdcdbd2343e173081a80603551d23" +
+	"0481a030819d8014eb4234d098b0ab9ff41b6b08f7cc642eef0e2c45a18181a47f307d31" +
+	"0b300906035504061302494c31163014060355040a130d5374617274436f6d204c74642e" +
+	"312b3029060355040b1322536563757265204469676974616c2043657274696669636174" +
+	"65205369676e696e6731293027060355040313205374617274436f6d2043657274696669" +
+	"636174696f6e20417574686f7269747982010a30230603551d12041c301a861868747470" +
+	"3a2f2f7777772e737461727473736c2e636f6d2f302c06096086480186f842010d041f16" +
+	"1d5374617274436f6d205265766f636174696f6e20417574686f72697479300d06092a86" +
+	"4886f70d01010505000382010100182d22158f0fc0291324fa8574c49bb8ff2835085adc" +
+	"bf7b7fc4191c397ab6951328253fffe1e5ec2a7da0d50fca1a404e6968481366939e666c" +
+	"0a6209073eca57973e2fefa9ed1718e8176f1d85527ff522c08db702e3b2b180f1cbff05" +
+	"d98128252cf0f450f7dd2772f4188047f19dc85317366f94bc52d60f453a550af58e308a" +
+	"aab00ced33040b62bf37f5b1ab2a4f7f0f80f763bf4d707bc8841d7ad9385ee2a4244469" +
+	"260b6f2bf085977af9074796048ecc2f9d48a1d24ce16e41a9941568fec5b42771e118f1" +
+	"6c106a54ccc339a4b02166445a167902e75e6d8620b0825dcd18a069b90fd851d10fa8ef" +
+	"fd409deec02860d26d8d833f304b10669b42"
+
+const startComHex = "308206343082041ca003020102020118300d06092a864886f70d0101050500307d310b30" +
+	"0906035504061302494c31163014060355040a130d5374617274436f6d204c74642e312b" +
+	"3029060355040b1322536563757265204469676974616c20436572746966696361746520" +
+	"5369676e696e6731293027060355040313205374617274436f6d20436572746966696361" +
+	"74696f6e20417574686f72697479301e170d3037313032343230353431375a170d313731" +
+	"3032343230353431375a30818c310b300906035504061302494c31163014060355040a13" +
+	"0d5374617274436f6d204c74642e312b3029060355040b13225365637572652044696769" +
+	"74616c204365727469666963617465205369676e696e67313830360603550403132f5374" +
+	"617274436f6d20436c6173732031205072696d61727920496e7465726d65646961746520" +
+	"53657276657220434130820122300d06092a864886f70d01010105000382010f00308201" +
+	"0a0282010100b689c6acef09527807ac9263d0f44418188480561f91aee187fa3250b4d3" +
+	"4706f0e6075f700e10f71dc0ce103634855a0f92ac83c6ac58523fba38e8fce7a724e240" +
+	"a60876c0926e9e2a6d4d3f6e61200adb59ded27d63b33e46fefa215118d7cd30a6ed076e" +
+	"3b7087b4f9faebee823c056f92f7a4dc0a301e9373fe07cad75f809d225852ae06da8b87" +
+	"2369b0e42ad8ea83d2bdf371db705a280faf5a387045123f304dcd3baf17e50fcba0a95d" +
+	"48aab16150cb34cd3c5cc30be810c08c9bf0030362feb26c3e720eee1c432ac9480e5739" +
+	"c43121c810c12c87fe5495521f523c31129b7fe7c0a0a559d5e28f3ef0d5a8e1d77031a9" +
+	"c4b3cfaf6d532f06f4a70203010001a38201ad308201a9300f0603551d130101ff040530" +
+	"030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414eb4234d098" +
+	"b0ab9ff41b6b08f7cc642eef0e2c45301f0603551d230418301680144e0bef1aa4405ba5" +
+	"17698730ca346843d041aef2306606082b06010505070101045a3058302706082b060105" +
+	"05073001861b687474703a2f2f6f6373702e737461727473736c2e636f6d2f6361302d06" +
+	"082b060105050730028621687474703a2f2f7777772e737461727473736c2e636f6d2f73" +
+	"667363612e637274305b0603551d1f045430523027a025a0238621687474703a2f2f7777" +
+	"772e737461727473736c2e636f6d2f73667363612e63726c3027a025a023862168747470" +
+	"3a2f2f63726c2e737461727473736c2e636f6d2f73667363612e63726c3081800603551d" +
+	"20047930773075060b2b0601040181b5370102013066302e06082b060105050702011622" +
+	"687474703a2f2f7777772e737461727473736c2e636f6d2f706f6c6963792e7064663034" +
+	"06082b060105050702011628687474703a2f2f7777772e737461727473736c2e636f6d2f" +
+	"696e7465726d6564696174652e706466300d06092a864886f70d01010505000382020100" +
+	"2109493ea5886ee00b8b48da314d8ff75657a2e1d36257e9b556f38545753be5501f048b" +
+	"e6a05a3ee700ae85d0fbff200364cbad02e1c69172f8a34dd6dee8cc3fa18aa2e37c37a7" +
+	"c64f8f35d6f4d66e067bdd21d9cf56ffcb302249fe8904f385e5aaf1e71fe875904dddf9" +
+	"46f74234f745580c110d84b0c6da5d3ef9019ee7e1da5595be741c7bfc4d144fac7e5547" +
+	"7d7bf4a50d491e95e8f712c1ccff76a62547d0f37535be97b75816ebaa5c786fec5330af" +
+	"ea044dcca902e3f0b60412f630b1113d904e5664d7dc3c435f7339ef4baf87ebf6fe6888" +
+	"4472ead207c669b0c1a18bef1749d761b145485f3b2021e95bb2ccf4d7e931f50b15613b" +
+	"7a94e3ebd9bc7f94ae6ae3626296a8647cb887f399327e92a252bebbf865cfc9f230fc8b" +
+	"c1c2a696d75f89e15c3480f58f47072fb491bfb1a27e5f4b5ad05b9f248605515a690365" +
+	"434971c5e06f94346bf61bd8a9b04c7e53eb8f48dfca33b548fa364a1a53a6330cd089cd" +
+	"4915cd89313c90c072d7654b52358a461144b93d8e2865a63e799e5c084429adb035112e" +
+	"214eb8d2e7103e5d8483b3c3c2e4d2c6fd094b7409ddf1b3d3193e800da20b19f038e7c5" +
+	"c2afe223db61e29d5c6e2089492e236ab262c145b49faf8ba7f1223bf87de290d07a19fb" +
+	"4a4ce3d27d5f4a8303ed27d6239e6b8db459a2d9ef6c8229dd75193c3f4c108defbb7527" +
+	"d2ae83a7a8ce5ba7"
+
+const ocspResponseWithoutCertHex = "308201d40a0100a08201cd308201c906092b0601050507300101048201ba3082" +
+	"01b630819fa2160414884451ff502a695e2d88f421bad90cf2cecbea7c180f3230313330" +
+	"3631383037323434335a30743072304a300906052b0e03021a0500041448b60d38238df8" +
+	"456e4ee5843ea394111802979f0414884451ff502a695e2d88f421bad90cf2cecbea7c02" +
+	"1100f78b13b946fc9635d8ab49de9d2148218000180f3230313330363138303732343433" +
+	"5aa011180f32303133303632323037323434335a300d06092a864886f70d010105050003" +
+	"82010100103e18b3d297a5e7a6c07a4fc52ac46a15c0eba96f3be17f0ffe84de5b8c8e05" +
+	"5a8f577586a849dc4abd6440eb6fedde4622451e2823c1cbf3558b4e8184959c9fe96eff" +
+	"8bc5f95866c58c6d087519faabfdae37e11d9874f1bc0db292208f645dd848185e4dd38b" +
+	"6a8547dfa7b74d514a8470015719064d35476b95bebb03d4d2845c5ca15202d2784878f2" +
+	"0f904c24f09736f044609e9c271381713400e563023d212db422236440c6f377bbf24b2b" +
+	"9e7dec8698e36a8df68b7592ad3489fb2937afb90eb85d2aa96b81c94c25057dbd4759d9" +
+	"20a1a65c7f0b6427a224b3c98edd96b9b61f706099951188b0289555ad30a216fb774651" +
+	"5a35fca2e054dfa8"
+
+// PKIX nonce extension
+var ocspExtensionOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 2}
+var ocspExtensionValueHex = "0403000000"
+
+const ocspResponseWithCriticalExtensionHex = "308204fe0a0100a08204f7308204f306092b0601050507300101048204e4308204e03081" +
+	"dba003020100a11b3019311730150603550403130e4f43535020526573706f6e64657218" +
+	"0f32303136303130343137303130305a3081a53081a23049300906052b0e03021a050004" +
+	"14c0fe0278fc99188891b3f212e9c7e1b21ab7bfc004140dfc1df0a9e0f01ce7f2b21317" +
+	"7e6f8d157cd4f60210017f77deb3bcbb235d44ccc7dba62e72a116180f32303130303730" +
+	"373135303130355aa0030a0101180f32303130303730373135303130355aa011180f3230" +
+	"3130303730373138333531375aa1193017301506092b06010505073001020101ff040504" +
+	"03000000300d06092a864886f70d01010b0500038201010031c730ca60a7a0d92d8e4010" +
+	"911b469de95b4d27e89de6537552436237967694f76f701cf6b45c932bd308bca4a8d092" +
+	"5c604ba94796903091d9e6c000178e72c1f0a24a277dd262835af5d17d3f9d7869606c9f" +
+	"e7c8e708a41645699895beee38bfa63bb46296683761c5d1d65439b8ab868dc3017c9eeb" +
+	"b70b82dbf3a31c55b457d48bb9e82b335ed49f445042eaf606b06a3e0639824924c89c63" +
+	"eccddfe85e6694314138b2536f5e15e07085d0f6e26d4b2f8244bab0d70de07283ac6384" +
+	"a0501fc3dea7cf0adfd4c7f34871080900e252ddc403e3f0265f2a704af905d3727504ed" +
+	"28f3214a219d898a022463c78439799ca81c8cbafdbcec34ea937cd6a08202ea308202e6" +
+	"308202e2308201caa003020102020101300d06092a864886f70d01010b05003019311730" +
+	"150603550403130e4f43535020526573706f6e646572301e170d31353031333031353530" +
+	"33335a170d3136303133303135353033335a3019311730150603550403130e4f43535020" +
+	"526573706f6e64657230820122300d06092a864886f70d01010105000382010f00308201" +
+	"0a0282010100e8155f2d3e6f2e8d14c62a788bd462f9f844e7a6977c83ef1099f0f6616e" +
+	"c5265b56f356e62c5400f0b06a2e7945a82752c636df32a895152d6074df1701dc6ccfbc" +
+	"bec75a70bd2b55ae2be7e6cad3b5fd4cd5b7790ab401a436d3f5f346074ffde8a99d5b72" +
+	"3350f0a112076614b12ef79c78991b119453445acf2416ab0046b540db14c9fc0f27b898" +
+	"9ad0f63aa4b8aefc91aa8a72160c36307c60fec78a93d3fddf4259902aa77e7332971c7d" +
+	"285b6a04f648993c6922a3e9da9adf5f81508c3228791843e5d49f24db2f1290bafd97e6" +
+	"55b1049a199f652cd603c4fafa330c390b0da78fbbc67e8fa021cbd74eb96222b12ace31" +
+	"a77dcf920334dc94581b0203010001a3353033300e0603551d0f0101ff04040302078030" +
+	"130603551d25040c300a06082b06010505070309300c0603551d130101ff04023000300d" +
+	"06092a864886f70d01010b05000382010100718012761b5063e18f0dc44644d8e6ab8612" +
+	"31c15fd5357805425d82aec1de85bf6d3e30fce205e3e3b8b795bbe52e40a439286d2288" +
+	"9064f4aeeb150359b9425f1da51b3a5c939018555d13ac42c565a0603786a919328f3267" +
+	"09dce52c22ad958ecb7873b9771d1148b1c4be2efe80ba868919fc9f68b6090c2f33c156" +
+	"d67156e42766a50b5d51e79637b7e58af74c2a951b1e642fa7741fec982cc937de37eff5" +
+	"9e2005d5939bfc031589ca143e6e8ab83f40ee08cc20a6b4a95a318352c28d18528dcaf9" +
+	"66705de17afa19d6e8ae91ddf33179d16ebb6ac2c69cae8373d408ebf8c55308be6c04d9" +
+	"3a25439a94299a65a709756c7a3e568be049d5c38839"
+
+const ocspResponseWithExtensionHex = "308204fb0a0100a08204f4308204f006092b0601050507300101048204e1308204dd3081" +
+	"d8a003020100a11b3019311730150603550403130e4f43535020526573706f6e64657218" +
+	"0f32303136303130343136353930305a3081a230819f3049300906052b0e03021a050004" +
+	"14c0fe0278fc99188891b3f212e9c7e1b21ab7bfc004140dfc1df0a9e0f01ce7f2b21317" +
+	"7e6f8d157cd4f60210017f77deb3bcbb235d44ccc7dba62e72a116180f32303130303730" +
+	"373135303130355aa0030a0101180f32303130303730373135303130355aa011180f3230" +
+	"3130303730373138333531375aa1163014301206092b0601050507300102040504030000" +
+	"00300d06092a864886f70d01010b05000382010100c09a33e0b2324c852421bb83f85ac9" +
+	"9113f5426012bd2d2279a8166e9241d18a33c870894250622ffc7ed0c4601b16d624f90b" +
+	"779265442cdb6868cf40ab304ab4b66e7315ed02cf663b1601d1d4751772b31bc299db23" +
+	"9aebac78ed6797c06ed815a7a8d18d63cfbb609cafb47ec2e89e37db255216eb09307848" +
+	"d01be0a3e943653c78212b96ff524b74c9ec456b17cdfb950cc97645c577b2e09ff41dde" +
+	"b03afb3adaa381cc0f7c1d95663ef22a0f72f2c45613ae8e2b2d1efc96e8463c7d1d8a1d" +
+	"7e3b35df8fe73a301fc3f804b942b2b3afa337ff105fc1462b7b1c1d75eb4566c8665e59" +
+	"f80393b0adbf8004ff6c3327ed34f007cb4a3348a7d55e06e3a08202ea308202e6308202" +
+	"e2308201caa003020102020101300d06092a864886f70d01010b05003019311730150603" +
+	"550403130e4f43535020526573706f6e646572301e170d3135303133303135353033335a" +
+	"170d3136303133303135353033335a3019311730150603550403130e4f43535020526573" +
+	"706f6e64657230820122300d06092a864886f70d01010105000382010f003082010a0282" +
+	"010100e8155f2d3e6f2e8d14c62a788bd462f9f844e7a6977c83ef1099f0f6616ec5265b" +
+	"56f356e62c5400f0b06a2e7945a82752c636df32a895152d6074df1701dc6ccfbcbec75a" +
+	"70bd2b55ae2be7e6cad3b5fd4cd5b7790ab401a436d3f5f346074ffde8a99d5b723350f0" +
+	"a112076614b12ef79c78991b119453445acf2416ab0046b540db14c9fc0f27b8989ad0f6" +
+	"3aa4b8aefc91aa8a72160c36307c60fec78a93d3fddf4259902aa77e7332971c7d285b6a" +
+	"04f648993c6922a3e9da9adf5f81508c3228791843e5d49f24db2f1290bafd97e655b104" +
+	"9a199f652cd603c4fafa330c390b0da78fbbc67e8fa021cbd74eb96222b12ace31a77dcf" +
+	"920334dc94581b0203010001a3353033300e0603551d0f0101ff04040302078030130603" +
+	"551d25040c300a06082b06010505070309300c0603551d130101ff04023000300d06092a" +
+	"864886f70d01010b05000382010100718012761b5063e18f0dc44644d8e6ab861231c15f" +
+	"d5357805425d82aec1de85bf6d3e30fce205e3e3b8b795bbe52e40a439286d22889064f4" +
+	"aeeb150359b9425f1da51b3a5c939018555d13ac42c565a0603786a919328f326709dce5" +
+	"2c22ad958ecb7873b9771d1148b1c4be2efe80ba868919fc9f68b6090c2f33c156d67156" +
+	"e42766a50b5d51e79637b7e58af74c2a951b1e642fa7741fec982cc937de37eff59e2005" +
+	"d5939bfc031589ca143e6e8ab83f40ee08cc20a6b4a95a318352c28d18528dcaf966705d" +
+	"e17afa19d6e8ae91ddf33179d16ebb6ac2c69cae8373d408ebf8c55308be6c04d93a2543" +
+	"9a94299a65a709756c7a3e568be049d5c38839"
+
+const ocspMultiResponseHex = "30820ee60a0100a0820edf30820edb06092b060105050730010104820ecc30820ec83082" +
+	"0839a216041445ac2ecd75f53f1cf6e4c51d3de0047ad0aa7465180f3230313530363032" +
+	"3130303033305a3082080c3065303d300906052b0e03021a05000414f7452a0080601527" +
+	"72e4a135e76e9e52fde0f1580414edd8f2ee977252853a330b297a18f5c993853b3f0204" +
+	"5456656a8000180f32303135303630323039303230375aa011180f323031353036303331" +
+	"30303033305a3065303d300906052b0e03021a05000414f7452a008060152772e4a135e7" +
+	"6e9e52fde0f1580414edd8f2ee977252853a330b297a18f5c993853b3f02045456656b80" +
+	"00180f32303135303630323039303230375aa011180f3230313530363033313030303330" +
+	"5a3065303d300906052b0e03021a05000414f7452a008060152772e4a135e76e9e52fde0" +
+	"f1580414edd8f2ee977252853a330b297a18f5c993853b3f02045456656c8000180f3230" +
+	"3135303630323039303230375aa011180f32303135303630333130303033305a3065303d" +
+	"300906052b0e03021a05000414f7452a008060152772e4a135e76e9e52fde0f1580414ed" +
+	"d8f2ee977252853a330b297a18f5c993853b3f02045456656d8000180f32303135303630" +
+	"323039303230375aa011180f32303135303630333130303033305a3065303d300906052b" +
+	"0e03021a05000414f7452a008060152772e4a135e76e9e52fde0f1580414edd8f2ee9772" +
+	"52853a330b297a18f5c993853b3f02045456656e8000180f323031353036303230393032" +
+	"30375aa011180f32303135303630333130303033305a3065303d300906052b0e03021a05" +
+	"000414f7452a008060152772e4a135e76e9e52fde0f1580414edd8f2ee977252853a330b" +
+	"297a18f5c993853b3f02045456656f8000180f32303135303630323039303230375aa011" +
+	"180f32303135303630333130303033305a3065303d300906052b0e03021a05000414f745" +
+	"2a008060152772e4a135e76e9e52fde0f1580414edd8f2ee977252853a330b297a18f5c9" +
+	"93853b3f0204545665708000180f32303135303630323039303230375aa011180f323031" +
+	"35303630333130303033305a3065303d300906052b0e03021a05000414f7452a00806015" +
+	"2772e4a135e76e9e52fde0f1580414edd8f2ee977252853a330b297a18f5c993853b3f02" +
+	"04545665718000180f32303135303630323039303230375aa011180f3230313530363033" +
+	"3130303033305a3065303d300906052b0e03021a05000414f7452a008060152772e4a135" +
+	"e76e9e52fde0f1580414edd8f2ee977252853a330b297a18f5c993853b3f020454566572" +
+	"8000180f32303135303630323039303230375aa011180f32303135303630333130303033" +
+	"305a3065303d300906052b0e03021a05000414f7452a008060152772e4a135e76e9e52fd" +
+	"e0f1580414edd8f2ee977252853a330b297a18f5c993853b3f0204545665738000180f32" +
+	"303135303630323039303230375aa011180f32303135303630333130303033305a306530" +
+	"3d300906052b0e03021a05000414f7452a008060152772e4a135e76e9e52fde0f1580414" +
+	"edd8f2ee977252853a330b297a18f5c993853b3f0204545665748000180f323031353036" +
+	"30323039303230375aa011180f32303135303630333130303033305a3065303d30090605" +
+	"2b0e03021a05000414f7452a008060152772e4a135e76e9e52fde0f1580414edd8f2ee97" +
+	"7252853a330b297a18f5c993853b3f0204545665758000180f3230313530363032303930" +
+	"3230375aa011180f32303135303630333130303033305a3065303d300906052b0e03021a" +
+	"05000414f7452a008060152772e4a135e76e9e52fde0f1580414edd8f2ee977252853a33" +
+	"0b297a18f5c993853b3f0204545665768000180f32303135303630323039303230375aa0" +
+	"11180f32303135303630333130303033305a3065303d300906052b0e03021a05000414f7" +
+	"452a008060152772e4a135e76e9e52fde0f1580414edd8f2ee977252853a330b297a18f5" +
+	"c993853b3f0204545665778000180f32303135303630323039303230375aa011180f3230" +
+	"3135303630333130303033305a3065303d300906052b0e03021a05000414f7452a008060" +
+	"152772e4a135e76e9e52fde0f1580414edd8f2ee977252853a330b297a18f5c993853b3f" +
+	"0204545665788000180f32303135303630323039303230375aa011180f32303135303630" +
+	"333130303033305a3065303d300906052b0e03021a05000414f7452a008060152772e4a1" +
+	"35e76e9e52fde0f1580414edd8f2ee977252853a330b297a18f5c993853b3f0204545665" +
+	"798000180f32303135303630323039303230375aa011180f323031353036303331303030" +
+	"33305a3065303d300906052b0e03021a05000414f7452a008060152772e4a135e76e9e52" +
+	"fde0f1580414edd8f2ee977252853a330b297a18f5c993853b3f02045456657a8000180f" +
+	"32303135303630323039303230375aa011180f32303135303630333130303033305a3065" +
+	"303d300906052b0e03021a05000414f7452a008060152772e4a135e76e9e52fde0f15804" +
+	"14edd8f2ee977252853a330b297a18f5c993853b3f02045456657b8000180f3230313530" +
+	"3630323039303230375aa011180f32303135303630333130303033305a3065303d300906" +
+	"052b0e03021a05000414f7452a008060152772e4a135e76e9e52fde0f1580414edd8f2ee" +
+	"977252853a330b297a18f5c993853b3f02045456657c8000180f32303135303630323039" +
+	"303230375aa011180f32303135303630333130303033305a3065303d300906052b0e0302" +
+	"1a05000414f7452a008060152772e4a135e76e9e52fde0f1580414edd8f2ee977252853a" +
+	"330b297a18f5c993853b3f02045456657d8000180f32303135303630323039303230375a" +
+	"a011180f32303135303630333130303033305a300d06092a864886f70d01010505000382" +
+	"01010016b73b92859979f27d15eb018cf069eed39c3d280213565f3026de11ba15bdb94d" +
+	"764cf2d0fdd204ef926c588d7b183483c8a2b1995079c7ed04dcefcc650c1965be4b6832" +
+	"a8839e832f7f60f638425eccdf9bc3a81fbe700fda426ddf4f06c29bee431bbbe81effda" +
+	"a60b7da5b378f199af2f3c8380be7ba6c21c8e27124f8a4d8989926aea19055700848d33" +
+	"799e833512945fd75364edbd2dd18b783c1e96e332266b17979a0b88c35b43f47c87c493" +
+	"19155056ad8dbbae5ff2afad3c0e1c69ed111206ffda49875e8e4efc0926264823bc4423" +
+	"c8a002f34288c4bc22516f98f54fc609943721f590ddd8d24f989457526b599b0eb75cb5" +
+	"a80da1ad93a621a08205733082056f3082056b30820453a0030201020204545638c4300d" +
+	"06092a864886f70d01010b0500308182310b300906035504061302555331183016060355" +
+	"040a130f552e532e20476f7665726e6d656e7431233021060355040b131a446570617274" +
+	"6d656e74206f662074686520547265617375727931223020060355040b13194365727469" +
+	"6669636174696f6e20417574686f7269746965733110300e060355040b13074f43494f20" +
+	"4341301e170d3135303332303131353531335a170d3135303633303034303030305a3081" +
+	"98310b300906035504061302555331183016060355040a130f552e532e20476f7665726e" +
+	"6d656e7431233021060355040b131a4465706172746d656e74206f662074686520547265" +
+	"617375727931223020060355040b131943657274696669636174696f6e20417574686f72" +
+	"69746965733110300e060355040b13074f43494f204341311430120603550403130b4f43" +
+	"5350205369676e657230820122300d06092a864886f70d01010105000382010f00308201" +
+	"0a0282010100c1b6fe1ba1ad50bb98c855811acbd67fe68057f48b8e08d3800e7f2c51b7" +
+	"9e20551934971fd92b9c9e6c49453097927cba83a94c0b2fea7124ba5ac442b38e37dba6" +
+	"7303d4962dd7d92b22a04b0e0e182e9ea67620b1c6ce09ee607c19e0e6e3adae81151db1" +
+	"2bb7f706149349a292e21c1eb28565b6839df055e1a838a772ff34b5a1452618e2c26042" +
+	"705d53f0af4b57aae6163f58216af12f3887813fe44b0321827b3a0c52b0e47d0aab94a2" +
+	"f768ab0ba3901d22f8bb263823090b0e37a7f8856db4b0d165c42f3aa7e94f5f6ce1855e" +
+	"98dc57adea0ae98ad39f67ecdec00b88685566e9e8d69f6cefb6ddced53015d0d3b862bc" +
+	"be21f3d72251eefcec730203010001a38201cf308201cb300e0603551d0f0101ff040403" +
+	"020780306b0603551d2004643062300c060a60864801650302010502300c060a60864801" +
+	"650302010503300c060a60864801650302010504300c060a60864801650302010507300c" +
+	"060a60864801650302010508300c060a6086480165030201030d300c060a608648016503" +
+	"020103113081e506082b060105050701010481d83081d5303006082b0601050507300286" +
+	"24687474703a2f2f706b692e74726561732e676f762f746f63615f65655f6169612e7037" +
+	"633081a006082b060105050730028681936c6461703a2f2f6c6461702e74726561732e67" +
+	"6f762f6f753d4f43494f25323043412c6f753d43657274696669636174696f6e25323041" +
+	"7574686f7269746965732c6f753d4465706172746d656e742532306f6625323074686525" +
+	"323054726561737572792c6f3d552e532e253230476f7665726e6d656e742c633d55533f" +
+	"634143657274696669636174653b62696e61727930130603551d25040c300a06082b0601" +
+	"0505070309300f06092b060105050730010504020500301f0603551d23041830168014a2" +
+	"13a8e5c607546c243d4eb72b27a2a7711ab5af301d0603551d0e0416041451f98046818a" +
+	"e46d953ac90c210ccfaa1a06980c300d06092a864886f70d01010b050003820101003a37" +
+	"0b301d14ffdeb370883639bec5ae6f572dcbddadd672af16ee2a8303316b14e1fbdca8c2" +
+	"8f4bad9c7b1410250e149c14e9830ca6f17370a8d13151205d956e28c141cc0500379596" +
+	"c5b9239fcfa3d2de8f1d4f1a2b1bf2d1851bed1c86012ee8135bdc395cd4496ce69fadd0" +
+	"3b682b90350ca7b4f458190b7a0ab5c33a04cf1347a77d541877a380a4c94988c5658908" +
+	"44fdc22637a72b9fa410333e2caf969477f9fe07f50e3681c204fb3bf073b9da01cd8d91" +
+	"8044c40b1159955af12a3263ab1d34119d7f59bfa6cae88ed058addc4e08250263f8f836" +
+	"2f5bdffd45636fea7474c60a55c535954477b2f286e1b2535f0dd12c162f1b353c370e08" +
+	"be67"
+
+const ocspMultiResponseCertHex = "308207943082067ca003020102020454566573300d06092a864886f70d01010b05003081" +
+	"82310b300906035504061302555331183016060355040a130f552e532e20476f7665726e" +
+	"6d656e7431233021060355040b131a4465706172746d656e74206f662074686520547265" +
+	"617375727931223020060355040b131943657274696669636174696f6e20417574686f72" +
+	"69746965733110300e060355040b13074f43494f204341301e170d313530343130313535" +
+	"3733385a170d3138303431303136323733385a30819d310b300906035504061302555331" +
+	"183016060355040a130f552e532e20476f7665726e6d656e7431233021060355040b131a" +
+	"4465706172746d656e74206f662074686520547265617375727931253023060355040b13" +
+	"1c427572656175206f66207468652046697363616c20536572766963653110300e060355" +
+	"040b130744657669636573311630140603550403130d706b692e74726561732e676f7630" +
+	"820122300d06092a864886f70d01010105000382010f003082010a0282010100c7273623" +
+	"8c49c48bf501515a2490ef6e5ae0c06e0ad2aa9a6bb77f3d0370d846b2571581ebf38fd3" +
+	"1948daad3dec7a4da095f1dcbe9654e65bcf7acdfd4ee802421dad9b90536c721d2bca58" +
+	"8413e6bfd739a72470560bb7d64f9a09284f90ff8af1d5a3c5c84d0f95a00f9c6d988dd0" +
+	"d87f1d0d3344580901c955139f54d09de0acdbd3322b758cb0c58881bf04913243401f44" +
+	"013fd9f6d8348044cc8bb0a71978ad93366b2a4687a5274b2ee07d0fb40225453eb244ed" +
+	"b20152251ac77c59455260ff07eeceb3cb3c60fb8121cf92afd3daa2a4650e1942ccb555" +
+	"de10b3d481feb299838ef05d0fd1810b146753472ae80da65dd34da25ca1f89971f10039" +
+	"0203010001a38203f3308203ef300e0603551d0f0101ff0404030205a030170603551d20" +
+	"0410300e300c060a60864801650302010503301106096086480186f84201010404030206" +
+	"4030130603551d25040c300a06082b060105050703013082010806082b06010505070101" +
+	"0481fb3081f8303006082b060105050730028624687474703a2f2f706b692e7472656173" +
+	"2e676f762f746f63615f65655f6169612e7037633081a006082b06010505073002868193" +
+	"6c6461703a2f2f6c6461702e74726561732e676f762f6f753d4f43494f25323043412c6f" +
+	"753d43657274696669636174696f6e253230417574686f7269746965732c6f753d446570" +
+	"6172746d656e742532306f6625323074686525323054726561737572792c6f3d552e532e" +
+	"253230476f7665726e6d656e742c633d55533f634143657274696669636174653b62696e" +
+	"617279302106082b060105050730018615687474703a2f2f6f6373702e74726561732e67" +
+	"6f76307b0603551d1104743072811c6373612d7465616d4066697363616c2e7472656173" +
+	"7572792e676f768210706b692e74726561737572792e676f768210706b692e64696d632e" +
+	"6468732e676f76820d706b692e74726561732e676f76811f6563622d686f7374696e6740" +
+	"66697363616c2e74726561737572792e676f76308201890603551d1f048201803082017c" +
+	"3027a025a0238621687474703a2f2f706b692e74726561732e676f762f4f43494f5f4341" +
+	"332e63726c3082014fa082014ba0820147a48197308194310b3009060355040613025553" +
+	"31183016060355040a130f552e532e20476f7665726e6d656e7431233021060355040b13" +
+	"1a4465706172746d656e74206f662074686520547265617375727931223020060355040b" +
+	"131943657274696669636174696f6e20417574686f7269746965733110300e060355040b" +
+	"13074f43494f2043413110300e0603550403130743524c313430398681aa6c6461703a2f" +
+	"2f6c6461702e74726561732e676f762f636e3d43524c313430392c6f753d4f43494f2532" +
+	"3043412c6f753d43657274696669636174696f6e253230417574686f7269746965732c6f" +
+	"753d4465706172746d656e742532306f6625323074686525323054726561737572792c6f" +
+	"3d552e532e253230476f7665726e6d656e742c633d55533f636572746966696361746552" +
+	"65766f636174696f6e4c6973743b62696e617279302b0603551d1004243022800f323031" +
+	"35303431303135353733385a810f32303138303431303136323733385a301f0603551d23" +
+	"041830168014a213a8e5c607546c243d4eb72b27a2a7711ab5af301d0603551d0e041604" +
+	"14b0869c12c293914cd460e33ed43e6c5a26e0d68f301906092a864886f67d074100040c" +
+	"300a1b0456382e31030203a8300d06092a864886f70d01010b050003820101004968d182" +
+	"8f9efdc147e747bb5dda15536a42a079b32d3d7f87e619b483aeee70b7e26bda393c6028" +
+	"7c733ecb468fe8b8b11bf809ff76add6b90eb25ad8d3a1052e43ee281e48a3a1ebe7efb5" +
+	"9e2c4a48765dedeb23f5346242145786cc988c762d230d28dd33bf4c2405d80cbb2cb1d6" +
+	"4c8f10ba130d50cb174f6ffb9cfc12808297a2cefba385f4fad170f39b51ebd87c12abf9" +
+	"3c51fc000af90d8aaba78f48923908804a5eb35f617ccf71d201e3708a559e6d16f9f13e" +
+	"074361eb9007e28d86bb4e0bfa13aad0e9ddd9124e84519de60e2fc6040b18d9fd602b02" +
+	"684b4c071c3019fc842197d00c120c41654bcbfbc4a096a1c637b79112b81ce1fa3899f9"
+
+const ocspRequestHex = "3051304f304d304b3049300906052b0e03021a05000414c0fe0278fc99188891b3f212e9" +
+	"c7e1b21ab7bfc004140dfc1df0a9e0f01ce7f2b213177e6f8d157cd4f60210017f77deb3" +
+	"bcbb235d44ccc7dba62e72"
+
+const leafCertHex = "308203c830820331a0030201020210017f77deb3bcbb235d44ccc7dba62e72300d06092a" +
+	"864886f70d01010505003081ba311f301d060355040a1316566572695369676e20547275" +
+	"7374204e6574776f726b31173015060355040b130e566572695369676e2c20496e632e31" +
+	"333031060355040b132a566572695369676e20496e7465726e6174696f6e616c20536572" +
+	"766572204341202d20436c617373203331493047060355040b13407777772e7665726973" +
+	"69676e2e636f6d2f43505320496e636f72702e6279205265662e204c494142494c495459" +
+	"204c54442e286329393720566572695369676e301e170d3132303632313030303030305a" +
+	"170d3133313233313233353935395a3068310b3009060355040613025553311330110603" +
+	"550408130a43616c69666f726e6961311230100603550407130950616c6f20416c746f31" +
+	"173015060355040a130e46616365626f6f6b2c20496e632e311730150603550403140e2a" +
+	"2e66616365626f6f6b2e636f6d30819f300d06092a864886f70d010101050003818d0030" +
+	"818902818100ae94b171e2deccc1693e051063240102e0689ae83c39b6b3e74b97d48d7b" +
+	"23689100b0b496ee62f0e6d356bcf4aa0f50643402f5d1766aa972835a7564723f39bbef" +
+	"5290ded9bcdbf9d3d55dfad23aa03dc604c54d29cf1d4b3bdbd1a809cfae47b44c7eae17" +
+	"c5109bee24a9cf4a8d911bb0fd0415ae4c3f430aa12a557e2ae10203010001a382011e30" +
+	"82011a30090603551d130402300030440603551d20043d303b3039060b6086480186f845" +
+	"01071703302a302806082b06010505070201161c68747470733a2f2f7777772e76657269" +
+	"7369676e2e636f6d2f727061303c0603551d1f043530333031a02fa02d862b687474703a" +
+	"2f2f535652496e746c2d63726c2e766572697369676e2e636f6d2f535652496e746c2e63" +
+	"726c301d0603551d250416301406082b0601050507030106082b06010505070302300b06" +
+	"03551d0f0404030205a0303406082b0601050507010104283026302406082b0601050507" +
+	"30018618687474703a2f2f6f6373702e766572697369676e2e636f6d30270603551d1104" +
+	"20301e820e2a2e66616365626f6f6b2e636f6d820c66616365626f6f6b2e636f6d300d06" +
+	"092a864886f70d0101050500038181005b6c2b75f8ed30aa51aad36aba595e555141951f" +
+	"81a53b447910ac1f76ff78fc2781616b58f3122afc1c87010425e9ed43df1a7ba6498060" +
+	"67e2688af03db58c7df4ee03309a6afc247ccb134dc33e54c6bc1d5133a532a73273b1d7" +
+	"9cadc08e7e1a83116d34523340b0305427a21742827c98916698ee7eaf8c3bdd71700817"
+
+const issuerCertHex = "30820383308202eca003020102021046fcebbab4d02f0f926098233f93078f300d06092a" +
+	"864886f70d0101050500305f310b300906035504061302555331173015060355040a130e" +
+	"566572695369676e2c20496e632e31373035060355040b132e436c617373203320507562" +
+	"6c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930" +
+	"1e170d3937303431373030303030305a170d3136313032343233353935395a3081ba311f" +
+	"301d060355040a1316566572695369676e205472757374204e6574776f726b3117301506" +
+	"0355040b130e566572695369676e2c20496e632e31333031060355040b132a5665726953" +
+	"69676e20496e7465726e6174696f6e616c20536572766572204341202d20436c61737320" +
+	"3331493047060355040b13407777772e766572697369676e2e636f6d2f43505320496e63" +
+	"6f72702e6279205265662e204c494142494c495459204c54442e28632939372056657269" +
+	"5369676e30819f300d06092a864886f70d010101050003818d0030818902818100d88280" +
+	"e8d619027d1f85183925a2652be1bfd405d3bce6363baaf04c6c5bb6e7aa3c734555b2f1" +
+	"bdea9742ed9a340a15d4a95cf54025ddd907c132b2756cc4cabba3fe56277143aa63f530" +
+	"3e9328e5faf1093bf3b74d4e39f75c495ab8c11dd3b28afe70309542cbfe2b518b5a3c3a" +
+	"f9224f90b202a7539c4f34e7ab04b27b6f0203010001a381e33081e0300f0603551d1304" +
+	"0830060101ff02010030440603551d20043d303b3039060b6086480186f8450107010130" +
+	"2a302806082b06010505070201161c68747470733a2f2f7777772e766572697369676e2e" +
+	"636f6d2f43505330340603551d25042d302b06082b0601050507030106082b0601050507" +
+	"030206096086480186f8420401060a6086480186f845010801300b0603551d0f04040302" +
+	"0106301106096086480186f842010104040302010630310603551d1f042a30283026a024" +
+	"a0228620687474703a2f2f63726c2e766572697369676e2e636f6d2f706361332e63726c" +
+	"300d06092a864886f70d010105050003818100408e4997968a73dd8e4def3e61b7caa062" +
+	"adf40e0abb753de26ed82cc7bff4b98c369bcaa2d09c724639f6a682036511c4bcbf2da6" +
+	"f5d93b0ab598fab378b91ef22b4c62d5fdb27a1ddf33fd73f9a5d82d8c2aead1fcb028b6" +
+	"e94948134b838a1b487b24f738de6f4154b8ab576b06dfc7a2d4a9f6f136628088f28b75" +
+	"d68071"
+
+// Key and certificate for the OCSP responder were not taken from the Thawte
+// responder, since CreateResponse requires that we have the private key.
+// Instead, they were generated randomly.
+const responderPrivateKeyHex = "308204a40201000282010100e8155f2d3e6f2e8d14c62a788bd462f9f844e7a6977c83ef" +
+	"1099f0f6616ec5265b56f356e62c5400f0b06a2e7945a82752c636df32a895152d6074df" +
+	"1701dc6ccfbcbec75a70bd2b55ae2be7e6cad3b5fd4cd5b7790ab401a436d3f5f346074f" +
+	"fde8a99d5b723350f0a112076614b12ef79c78991b119453445acf2416ab0046b540db14" +
+	"c9fc0f27b8989ad0f63aa4b8aefc91aa8a72160c36307c60fec78a93d3fddf4259902aa7" +
+	"7e7332971c7d285b6a04f648993c6922a3e9da9adf5f81508c3228791843e5d49f24db2f" +
+	"1290bafd97e655b1049a199f652cd603c4fafa330c390b0da78fbbc67e8fa021cbd74eb9" +
+	"6222b12ace31a77dcf920334dc94581b02030100010282010100bcf0b93d7238bda329a8" +
+	"72e7149f61bcb37c154330ccb3f42a85c9002c2e2bdea039d77d8581cd19bed94078794e" +
+	"56293d601547fc4bf6a2f9002fe5772b92b21b254403b403585e3130cc99ccf08f0ef81a" +
+	"575b38f597ba4660448b54f44bfbb97072b5a2bf043bfeca828cf7741d13698e3f38162b" +
+	"679faa646b82abd9a72c5c7d722c5fc577a76d2c2daac588accad18516d1bbad10b0dfa2" +
+	"05cfe246b59e28608a43942e1b71b0c80498075121de5b900d727c31c42c78cf1db5c0aa" +
+	"5b491e10ea4ed5c0962aaf2ae025dd81fa4ce490d9d6b4a4465411d8e542fc88617e5695" +
+	"1aa4fc8ea166f2b4d0eb89ef17f2b206bd5f1014bf8fe0e71fe62f2cccf102818100f2dc" +
+	"ddf878d553286daad68bac4070a82ffec3dc4666a2750f47879eec913f91836f1d976b60" +
+	"daf9356e078446dafab5bd2e489e5d64f8572ba24a4ba4f3729b5e106c4dd831cc2497a7" +
+	"e6c7507df05cb64aeb1bbc81c1e340d58b5964cf39cff84ea30c29ec5d3f005ee1362698" +
+	"07395037955955655292c3e85f6187fa1f9502818100f4a33c102630840705f8c778a47b" +
+	"87e8da31e68809af981ac5e5999cf1551685d761cdf0d6520361b99aebd5777a940fa64d" +
+	"327c09fa63746fbb3247ec73a86edf115f1fe5c83598db803881ade71c33c6e956118345" +
+	"497b98b5e07bb5be75971465ec78f2f9467e1b74956ca9d4c7c3e314e742a72d8b33889c" +
+	"6c093a466cef0281801d3df0d02124766dd0be98349b19eb36a508c4e679e793ba0a8bef" +
+	"4d786888c1e9947078b1ea28938716677b4ad8c5052af12eb73ac194915264a913709a0b" +
+	"7b9f98d4a18edd781a13d49899f91c20dbd8eb2e61d991ba19b5cdc08893f5cb9d39e5a6" +
+	"0629ea16d426244673b1b3ee72bd30e41fac8395acac40077403de5efd028180050731dd" +
+	"d71b1a2b96c8d538ba90bb6b62c8b1c74c03aae9a9f59d21a7a82b0d572ef06fa9c807bf" +
+	"c373d6b30d809c7871df96510c577421d9860c7383fda0919ece19996b3ca13562159193" +
+	"c0c246471e287f975e8e57034e5136aaf44254e2650def3d51292474c515b1588969112e" +
+	"0a85cc77073e9d64d2c2fc497844284b02818100d71d63eabf416cf677401ebf965f8314" +
+	"120b568a57dd3bd9116c629c40dc0c6948bab3a13cc544c31c7da40e76132ef5dd3f7534" +
+	"45a635930c74326ae3df0edd1bfb1523e3aa259873ac7cf1ac31151ec8f37b528c275622" +
+	"48f99b8bed59fd4da2576aa6ee20d93a684900bf907e80c66d6e2261ae15e55284b4ed9d" +
+	"6bdaa059"
+
+const responderCertHex = "308202e2308201caa003020102020101300d06092a864886f70d01010b05003019311730" +
+	"150603550403130e4f43535020526573706f6e646572301e170d31353031333031353530" +
+	"33335a170d3136303133303135353033335a3019311730150603550403130e4f43535020" +
+	"526573706f6e64657230820122300d06092a864886f70d01010105000382010f00308201" +
+	"0a0282010100e8155f2d3e6f2e8d14c62a788bd462f9f844e7a6977c83ef1099f0f6616e" +
+	"c5265b56f356e62c5400f0b06a2e7945a82752c636df32a895152d6074df1701dc6ccfbc" +
+	"bec75a70bd2b55ae2be7e6cad3b5fd4cd5b7790ab401a436d3f5f346074ffde8a99d5b72" +
+	"3350f0a112076614b12ef79c78991b119453445acf2416ab0046b540db14c9fc0f27b898" +
+	"9ad0f63aa4b8aefc91aa8a72160c36307c60fec78a93d3fddf4259902aa77e7332971c7d" +
+	"285b6a04f648993c6922a3e9da9adf5f81508c3228791843e5d49f24db2f1290bafd97e6" +
+	"55b1049a199f652cd603c4fafa330c390b0da78fbbc67e8fa021cbd74eb96222b12ace31" +
+	"a77dcf920334dc94581b0203010001a3353033300e0603551d0f0101ff04040302078030" +
+	"130603551d25040c300a06082b06010505070309300c0603551d130101ff04023000300d" +
+	"06092a864886f70d01010b05000382010100718012761b5063e18f0dc44644d8e6ab8612" +
+	"31c15fd5357805425d82aec1de85bf6d3e30fce205e3e3b8b795bbe52e40a439286d2288" +
+	"9064f4aeeb150359b9425f1da51b3a5c939018555d13ac42c565a0603786a919328f3267" +
+	"09dce52c22ad958ecb7873b9771d1148b1c4be2efe80ba868919fc9f68b6090c2f33c156" +
+	"d67156e42766a50b5d51e79637b7e58af74c2a951b1e642fa7741fec982cc937de37eff5" +
+	"9e2005d5939bfc031589ca143e6e8ab83f40ee08cc20a6b4a95a318352c28d18528dcaf9" +
+	"66705de17afa19d6e8ae91ddf33179d16ebb6ac2c69cae8373d408ebf8c55308be6c04d9" +
+	"3a25439a94299a65a709756c7a3e568be049d5c38839"
+
+const errorResponseHex = "30030a0101"
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/.gitattributes b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/.gitattributes
new file mode 100644
index 000000000..d2f212e5d
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/.gitattributes
@@ -0,0 +1,10 @@
+# Treat all files in this repo as binary, with no git magic updating
+# line endings. Windows users contributing to Go will need to use a
+# modern version of git and editors capable of LF line endings.
+#
+# We'll prevent accidental CRLF line endings from entering the repo
+# via the git-review gofmt checks.
+#
+# See golang.org/issue/9281
+
+* -text
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/.gitignore b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/.gitignore
new file mode 100644
index 000000000..8339fd61d
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/.gitignore
@@ -0,0 +1,2 @@
+# Add no patterns to .hgignore except for files generated by the build.
+last-change
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/AUTHORS b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/AUTHORS
new file mode 100644
index 000000000..15167cd74
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/AUTHORS
@@ -0,0 +1,3 @@
+# This source code refers to The Go Authors for copyright purposes.
+# The master list of authors is in the main Go distribution,
+# visible at http://tip.golang.org/AUTHORS.
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/CONTRIBUTING.md b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/CONTRIBUTING.md
new file mode 100644
index 000000000..88dff59bc
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/CONTRIBUTING.md
@@ -0,0 +1,31 @@
+# Contributing to Go
+
+Go is an open source project.
+
+It is the work of hundreds of contributors. We appreciate your help!
+
+
+## Filing issues
+
+When [filing an issue](https://golang.org/issue/new), make sure to answer these five questions:
+
+1. What version of Go are you using (`go version`)?
+2. What operating system and processor architecture are you using?
+3. What did you do?
+4. What did you expect to see?
+5. What did you see instead?
+
+General questions should go to the [golang-nuts mailing list](https://groups.google.com/group/golang-nuts) instead of the issue tracker.
+The gophers there will answer or ask you to file an issue if you've tripped over a bug.
+
+## Contributing code
+
+Please read the [Contribution Guidelines](https://golang.org/doc/contribute.html)
+before sending patches.
+
+**We do not accept GitHub pull requests**
+(we use [Gerrit](https://code.google.com/p/gerrit/) instead for code review).
+
+Unless otherwise noted, the Go source files are distributed under
+the BSD-style license found in the LICENSE file.
+
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/CONTRIBUTORS b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/CONTRIBUTORS
new file mode 100644
index 000000000..1c4577e96
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/CONTRIBUTORS
@@ -0,0 +1,3 @@
+# This source code was written by the Go contributors.
+# The master list of contributors is in the main Go distribution,
+# visible at http://tip.golang.org/CONTRIBUTORS.
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/LICENSE b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/LICENSE
new file mode 100644
index 000000000..6a66aea5e
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/LICENSE
@@ -0,0 +1,27 @@
+Copyright (c) 2009 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/PATENTS b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/PATENTS
new file mode 100644
index 000000000..733099041
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/PATENTS
@@ -0,0 +1,22 @@
+Additional IP Rights Grant (Patents)
+
+"This implementation" means the copyrightable works distributed by
+Google as part of the Go project.
+
+Google hereby grants to You a perpetual, worldwide, non-exclusive,
+no-charge, royalty-free, irrevocable (except as stated in this section)
+patent license to make, have made, use, offer to sell, sell, import,
+transfer and otherwise run, modify and propagate the contents of this
+implementation of Go, where such license applies only to those patent
+claims, both currently owned or controlled by Google and acquired in
+the future, licensable by Google that are necessarily infringed by this
+implementation of Go.  This grant does not include claims that would be
+infringed only as a consequence of further modification of this
+implementation.  If you or your agent or exclusive licensee institute or
+order or agree to the institution of patent litigation against any
+entity (including a cross-claim or counterclaim in a lawsuit) alleging
+that this implementation of Go or any code incorporated within this
+implementation of Go constitutes direct or contributory patent
+infringement, or inducement of patent infringement, then any patent
+rights granted to you under this License for this implementation of Go
+shall terminate as of the date such litigation is filed.
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/README b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/README
new file mode 100644
index 000000000..6b13d8e50
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/README
@@ -0,0 +1,3 @@
+This repository holds supplementary Go networking libraries.
+
+To submit changes to this repository, see http://golang.org/doc/contribute.html.
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/codereview.cfg b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/codereview.cfg
new file mode 100644
index 000000000..3f8b14b64
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/codereview.cfg
@@ -0,0 +1 @@
+issuerepo: golang/go
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/context/context.go b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/context/context.go
new file mode 100644
index 000000000..f143ed6a1
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/context/context.go
@@ -0,0 +1,156 @@
+// Copyright 2014 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package context defines the Context type, which carries deadlines,
+// cancelation signals, and other request-scoped values across API boundaries
+// and between processes.
+//
+// Incoming requests to a server should create a Context, and outgoing calls to
+// servers should accept a Context. The chain of function calls between must
+// propagate the Context, optionally replacing it with a modified copy created
+// using WithDeadline, WithTimeout, WithCancel, or WithValue.
+//
+// Programs that use Contexts should follow these rules to keep interfaces
+// consistent across packages and enable static analysis tools to check context
+// propagation:
+//
+// Do not store Contexts inside a struct type; instead, pass a Context
+// explicitly to each function that needs it. The Context should be the first
+// parameter, typically named ctx:
+//
+// 	func DoSomething(ctx context.Context, arg Arg) error {
+// 		// ... use ctx ...
+// 	}
+//
+// Do not pass a nil Context, even if a function permits it. Pass context.TODO
+// if you are unsure about which Context to use.
+//
+// Use context Values only for request-scoped data that transits processes and
+// APIs, not for passing optional parameters to functions.
+//
+// The same Context may be passed to functions running in different goroutines;
+// Contexts are safe for simultaneous use by multiple goroutines.
+//
+// See http://blog.golang.org/context for example code for a server that uses
+// Contexts.
+package context // import "golang.org/x/net/context"
+
+import "time"
+
+// A Context carries a deadline, a cancelation signal, and other values across
+// API boundaries.
+//
+// Context's methods may be called by multiple goroutines simultaneously.
+type Context interface {
+	// Deadline returns the time when work done on behalf of this context
+	// should be canceled. Deadline returns ok==false when no deadline is
+	// set. Successive calls to Deadline return the same results.
+	Deadline() (deadline time.Time, ok bool)
+
+	// Done returns a channel that's closed when work done on behalf of this
+	// context should be canceled. Done may return nil if this context can
+	// never be canceled. Successive calls to Done return the same value.
+	//
+	// WithCancel arranges for Done to be closed when cancel is called;
+	// WithDeadline arranges for Done to be closed when the deadline
+	// expires; WithTimeout arranges for Done to be closed when the timeout
+	// elapses.
+	//
+	// Done is provided for use in select statements:
+	//
+	//  // Stream generates values with DoSomething and sends them to out
+	//  // until DoSomething returns an error or ctx.Done is closed.
+	//  func Stream(ctx context.Context, out chan<- Value) error {
+	//  	for {
+	//  		v, err := DoSomething(ctx)
+	//  		if err != nil {
+	//  			return err
+	//  		}
+	//  		select {
+	//  		case <-ctx.Done():
+	//  			return ctx.Err()
+	//  		case out <- v:
+	//  		}
+	//  	}
+	//  }
+	//
+	// See http://blog.golang.org/pipelines for more examples of how to use
+	// a Done channel for cancelation.
+	Done() <-chan struct{}
+
+	// Err returns a non-nil error value after Done is closed. Err returns
+	// Canceled if the context was canceled or DeadlineExceeded if the
+	// context's deadline passed. No other values for Err are defined.
+	// After Done is closed, successive calls to Err return the same value.
+	Err() error
+
+	// Value returns the value associated with this context for key, or nil
+	// if no value is associated with key. Successive calls to Value with
+	// the same key returns the same result.
+	//
+	// Use context values only for request-scoped data that transits
+	// processes and API boundaries, not for passing optional parameters to
+	// functions.
+	//
+	// A key identifies a specific value in a Context. Functions that wish
+	// to store values in Context typically allocate a key in a global
+	// variable then use that key as the argument to context.WithValue and
+	// Context.Value. A key can be any type that supports equality;
+	// packages should define keys as an unexported type to avoid
+	// collisions.
+	//
+	// Packages that define a Context key should provide type-safe accessors
+	// for the values stores using that key:
+	//
+	// 	// Package user defines a User type that's stored in Contexts.
+	// 	package user
+	//
+	// 	import "golang.org/x/net/context"
+	//
+	// 	// User is the type of value stored in the Contexts.
+	// 	type User struct {...}
+	//
+	// 	// key is an unexported type for keys defined in this package.
+	// 	// This prevents collisions with keys defined in other packages.
+	// 	type key int
+	//
+	// 	// userKey is the key for user.User values in Contexts. It is
+	// 	// unexported; clients use user.NewContext and user.FromContext
+	// 	// instead of using this key directly.
+	// 	var userKey key = 0
+	//
+	// 	// NewContext returns a new Context that carries value u.
+	// 	func NewContext(ctx context.Context, u *User) context.Context {
+	// 		return context.WithValue(ctx, userKey, u)
+	// 	}
+	//
+	// 	// FromContext returns the User value stored in ctx, if any.
+	// 	func FromContext(ctx context.Context) (*User, bool) {
+	// 		u, ok := ctx.Value(userKey).(*User)
+	// 		return u, ok
+	// 	}
+	Value(key interface{}) interface{}
+}
+
+// Background returns a non-nil, empty Context. It is never canceled, has no
+// values, and has no deadline. It is typically used by the main function,
+// initialization, and tests, and as the top-level Context for incoming
+// requests.
+func Background() Context {
+	return background
+}
+
+// TODO returns a non-nil, empty Context. Code should use context.TODO when
+// it's unclear which Context to use or it is not yet available (because the
+// surrounding function has not yet been extended to accept a Context
+// parameter).  TODO is recognized by static analysis tools that determine
+// whether Contexts are propagated correctly in a program.
+func TODO() Context {
+	return todo
+}
+
+// A CancelFunc tells an operation to abandon its work.
+// A CancelFunc does not wait for the work to stop.
+// After the first call, subsequent calls to a CancelFunc do nothing.
+type CancelFunc func()
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/context/context_test.go b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/context/context_test.go
new file mode 100644
index 000000000..62844131b
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/context/context_test.go
@@ -0,0 +1,583 @@
+// Copyright 2014 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build !go1.7
+
+package context
+
+import (
+	"fmt"
+	"math/rand"
+	"runtime"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+)
+
+// otherContext is a Context that's not one of the types defined in context.go.
+// This lets us test code paths that differ based on the underlying type of the
+// Context.
+type otherContext struct {
+	Context
+}
+
+func TestBackground(t *testing.T) {
+	c := Background()
+	if c == nil {
+		t.Fatalf("Background returned nil")
+	}
+	select {
+	case x := <-c.Done():
+		t.Errorf("<-c.Done() == %v want nothing (it should block)", x)
+	default:
+	}
+	if got, want := fmt.Sprint(c), "context.Background"; got != want {
+		t.Errorf("Background().String() = %q want %q", got, want)
+	}
+}
+
+func TestTODO(t *testing.T) {
+	c := TODO()
+	if c == nil {
+		t.Fatalf("TODO returned nil")
+	}
+	select {
+	case x := <-c.Done():
+		t.Errorf("<-c.Done() == %v want nothing (it should block)", x)
+	default:
+	}
+	if got, want := fmt.Sprint(c), "context.TODO"; got != want {
+		t.Errorf("TODO().String() = %q want %q", got, want)
+	}
+}
+
+func TestWithCancel(t *testing.T) {
+	c1, cancel := WithCancel(Background())
+
+	if got, want := fmt.Sprint(c1), "context.Background.WithCancel"; got != want {
+		t.Errorf("c1.String() = %q want %q", got, want)
+	}
+
+	o := otherContext{c1}
+	c2, _ := WithCancel(o)
+	contexts := []Context{c1, o, c2}
+
+	for i, c := range contexts {
+		if d := c.Done(); d == nil {
+			t.Errorf("c[%d].Done() == %v want non-nil", i, d)
+		}
+		if e := c.Err(); e != nil {
+			t.Errorf("c[%d].Err() == %v want nil", i, e)
+		}
+
+		select {
+		case x := <-c.Done():
+			t.Errorf("<-c.Done() == %v want nothing (it should block)", x)
+		default:
+		}
+	}
+
+	cancel()
+	time.Sleep(100 * time.Millisecond) // let cancelation propagate
+
+	for i, c := range contexts {
+		select {
+		case <-c.Done():
+		default:
+			t.Errorf("<-c[%d].Done() blocked, but shouldn't have", i)
+		}
+		if e := c.Err(); e != Canceled {
+			t.Errorf("c[%d].Err() == %v want %v", i, e, Canceled)
+		}
+	}
+}
+
+func TestParentFinishesChild(t *testing.T) {
+	// Context tree:
+	// parent -> cancelChild
+	// parent -> valueChild -> timerChild
+	parent, cancel := WithCancel(Background())
+	cancelChild, stop := WithCancel(parent)
+	defer stop()
+	valueChild := WithValue(parent, "key", "value")
+	timerChild, stop := WithTimeout(valueChild, 10000*time.Hour)
+	defer stop()
+
+	select {
+	case x := <-parent.Done():
+		t.Errorf("<-parent.Done() == %v want nothing (it should block)", x)
+	case x := <-cancelChild.Done():
+		t.Errorf("<-cancelChild.Done() == %v want nothing (it should block)", x)
+	case x := <-timerChild.Done():
+		t.Errorf("<-timerChild.Done() == %v want nothing (it should block)", x)
+	case x := <-valueChild.Done():
+		t.Errorf("<-valueChild.Done() == %v want nothing (it should block)", x)
+	default:
+	}
+
+	// The parent's children should contain the two cancelable children.
+	pc := parent.(*cancelCtx)
+	cc := cancelChild.(*cancelCtx)
+	tc := timerChild.(*timerCtx)
+	pc.mu.Lock()
+	if len(pc.children) != 2 || !pc.children[cc] || !pc.children[tc] {
+		t.Errorf("bad linkage: pc.children = %v, want %v and %v",
+			pc.children, cc, tc)
+	}
+	pc.mu.Unlock()
+
+	if p, ok := parentCancelCtx(cc.Context); !ok || p != pc {
+		t.Errorf("bad linkage: parentCancelCtx(cancelChild.Context) = %v, %v want %v, true", p, ok, pc)
+	}
+	if p, ok := parentCancelCtx(tc.Context); !ok || p != pc {
+		t.Errorf("bad linkage: parentCancelCtx(timerChild.Context) = %v, %v want %v, true", p, ok, pc)
+	}
+
+	cancel()
+
+	pc.mu.Lock()
+	if len(pc.children) != 0 {
+		t.Errorf("pc.cancel didn't clear pc.children = %v", pc.children)
+	}
+	pc.mu.Unlock()
+
+	// parent and children should all be finished.
+	check := func(ctx Context, name string) {
+		select {
+		case <-ctx.Done():
+		default:
+			t.Errorf("<-%s.Done() blocked, but shouldn't have", name)
+		}
+		if e := ctx.Err(); e != Canceled {
+			t.Errorf("%s.Err() == %v want %v", name, e, Canceled)
+		}
+	}
+	check(parent, "parent")
+	check(cancelChild, "cancelChild")
+	check(valueChild, "valueChild")
+	check(timerChild, "timerChild")
+
+	// WithCancel should return a canceled context on a canceled parent.
+	precanceledChild := WithValue(parent, "key", "value")
+	select {
+	case <-precanceledChild.Done():
+	default:
+		t.Errorf("<-precanceledChild.Done() blocked, but shouldn't have")
+	}
+	if e := precanceledChild.Err(); e != Canceled {
+		t.Errorf("precanceledChild.Err() == %v want %v", e, Canceled)
+	}
+}
+
+func TestChildFinishesFirst(t *testing.T) {
+	cancelable, stop := WithCancel(Background())
+	defer stop()
+	for _, parent := range []Context{Background(), cancelable} {
+		child, cancel := WithCancel(parent)
+
+		select {
+		case x := <-parent.Done():
+			t.Errorf("<-parent.Done() == %v want nothing (it should block)", x)
+		case x := <-child.Done():
+			t.Errorf("<-child.Done() == %v want nothing (it should block)", x)
+		default:
+		}
+
+		cc := child.(*cancelCtx)
+		pc, pcok := parent.(*cancelCtx) // pcok == false when parent == Background()
+		if p, ok := parentCancelCtx(cc.Context); ok != pcok || (ok && pc != p) {
+			t.Errorf("bad linkage: parentCancelCtx(cc.Context) = %v, %v want %v, %v", p, ok, pc, pcok)
+		}
+
+		if pcok {
+			pc.mu.Lock()
+			if len(pc.children) != 1 || !pc.children[cc] {
+				t.Errorf("bad linkage: pc.children = %v, cc = %v", pc.children, cc)
+			}
+			pc.mu.Unlock()
+		}
+
+		cancel()
+
+		if pcok {
+			pc.mu.Lock()
+			if len(pc.children) != 0 {
+				t.Errorf("child's cancel didn't remove self from pc.children = %v", pc.children)
+			}
+			pc.mu.Unlock()
+		}
+
+		// child should be finished.
+		select {
+		case <-child.Done():
+		default:
+			t.Errorf("<-child.Done() blocked, but shouldn't have")
+		}
+		if e := child.Err(); e != Canceled {
+			t.Errorf("child.Err() == %v want %v", e, Canceled)
+		}
+
+		// parent should not be finished.
+		select {
+		case x := <-parent.Done():
+			t.Errorf("<-parent.Done() == %v want nothing (it should block)", x)
+		default:
+		}
+		if e := parent.Err(); e != nil {
+			t.Errorf("parent.Err() == %v want nil", e)
+		}
+	}
+}
+
+func testDeadline(c Context, wait time.Duration, t *testing.T) {
+	select {
+	case <-time.After(wait):
+		t.Fatalf("context should have timed out")
+	case <-c.Done():
+	}
+	if e := c.Err(); e != DeadlineExceeded {
+		t.Errorf("c.Err() == %v want %v", e, DeadlineExceeded)
+	}
+}
+
+func TestDeadline(t *testing.T) {
+	t.Parallel()
+	const timeUnit = 500 * time.Millisecond
+	c, _ := WithDeadline(Background(), time.Now().Add(1*timeUnit))
+	if got, prefix := fmt.Sprint(c), "context.Background.WithDeadline("; !strings.HasPrefix(got, prefix) {
+		t.Errorf("c.String() = %q want prefix %q", got, prefix)
+	}
+	testDeadline(c, 2*timeUnit, t)
+
+	c, _ = WithDeadline(Background(), time.Now().Add(1*timeUnit))
+	o := otherContext{c}
+	testDeadline(o, 2*timeUnit, t)
+
+	c, _ = WithDeadline(Background(), time.Now().Add(1*timeUnit))
+	o = otherContext{c}
+	c, _ = WithDeadline(o, time.Now().Add(3*timeUnit))
+	testDeadline(c, 2*timeUnit, t)
+}
+
+func TestTimeout(t *testing.T) {
+	t.Parallel()
+	const timeUnit = 500 * time.Millisecond
+	c, _ := WithTimeout(Background(), 1*timeUnit)
+	if got, prefix := fmt.Sprint(c), "context.Background.WithDeadline("; !strings.HasPrefix(got, prefix) {
+		t.Errorf("c.String() = %q want prefix %q", got, prefix)
+	}
+	testDeadline(c, 2*timeUnit, t)
+
+	c, _ = WithTimeout(Background(), 1*timeUnit)
+	o := otherContext{c}
+	testDeadline(o, 2*timeUnit, t)
+
+	c, _ = WithTimeout(Background(), 1*timeUnit)
+	o = otherContext{c}
+	c, _ = WithTimeout(o, 3*timeUnit)
+	testDeadline(c, 2*timeUnit, t)
+}
+
+func TestCanceledTimeout(t *testing.T) {
+	t.Parallel()
+	const timeUnit = 500 * time.Millisecond
+	c, _ := WithTimeout(Background(), 2*timeUnit)
+	o := otherContext{c}
+	c, cancel := WithTimeout(o, 4*timeUnit)
+	cancel()
+	time.Sleep(1 * timeUnit) // let cancelation propagate
+	select {
+	case <-c.Done():
+	default:
+		t.Errorf("<-c.Done() blocked, but shouldn't have")
+	}
+	if e := c.Err(); e != Canceled {
+		t.Errorf("c.Err() == %v want %v", e, Canceled)
+	}
+}
+
+type key1 int
+type key2 int
+
+var k1 = key1(1)
+var k2 = key2(1) // same int as k1, different type
+var k3 = key2(3) // same type as k2, different int
+
+func TestValues(t *testing.T) {
+	check := func(c Context, nm, v1, v2, v3 string) {
+		if v, ok := c.Value(k1).(string); ok == (len(v1) == 0) || v != v1 {
+			t.Errorf(`%s.Value(k1).(string) = %q, %t want %q, %t`, nm, v, ok, v1, len(v1) != 0)
+		}
+		if v, ok := c.Value(k2).(string); ok == (len(v2) == 0) || v != v2 {
+			t.Errorf(`%s.Value(k2).(string) = %q, %t want %q, %t`, nm, v, ok, v2, len(v2) != 0)
+		}
+		if v, ok := c.Value(k3).(string); ok == (len(v3) == 0) || v != v3 {
+			t.Errorf(`%s.Value(k3).(string) = %q, %t want %q, %t`, nm, v, ok, v3, len(v3) != 0)
+		}
+	}
+
+	c0 := Background()
+	check(c0, "c0", "", "", "")
+
+	c1 := WithValue(Background(), k1, "c1k1")
+	check(c1, "c1", "c1k1", "", "")
+
+	if got, want := fmt.Sprint(c1), `context.Background.WithValue(1, "c1k1")`; got != want {
+		t.Errorf("c.String() = %q want %q", got, want)
+	}
+
+	c2 := WithValue(c1, k2, "c2k2")
+	check(c2, "c2", "c1k1", "c2k2", "")
+
+	c3 := WithValue(c2, k3, "c3k3")
+	check(c3, "c2", "c1k1", "c2k2", "c3k3")
+
+	c4 := WithValue(c3, k1, nil)
+	check(c4, "c4", "", "c2k2", "c3k3")
+
+	o0 := otherContext{Background()}
+	check(o0, "o0", "", "", "")
+
+	o1 := otherContext{WithValue(Background(), k1, "c1k1")}
+	check(o1, "o1", "c1k1", "", "")
+
+	o2 := WithValue(o1, k2, "o2k2")
+	check(o2, "o2", "c1k1", "o2k2", "")
+
+	o3 := otherContext{c4}
+	check(o3, "o3", "", "c2k2", "c3k3")
+
+	o4 := WithValue(o3, k3, nil)
+	check(o4, "o4", "", "c2k2", "")
+}
+
+func TestAllocs(t *testing.T) {
+	bg := Background()
+	for _, test := range []struct {
+		desc       string
+		f          func()
+		limit      float64
+		gccgoLimit float64
+	}{
+		{
+			desc:       "Background()",
+			f:          func() { Background() },
+			limit:      0,
+			gccgoLimit: 0,
+		},
+		{
+			desc: fmt.Sprintf("WithValue(bg, %v, nil)", k1),
+			f: func() {
+				c := WithValue(bg, k1, nil)
+				c.Value(k1)
+			},
+			limit:      3,
+			gccgoLimit: 3,
+		},
+		{
+			desc: "WithTimeout(bg, 15*time.Millisecond)",
+			f: func() {
+				c, _ := WithTimeout(bg, 15*time.Millisecond)
+				<-c.Done()
+			},
+			limit:      8,
+			gccgoLimit: 16,
+		},
+		{
+			desc: "WithCancel(bg)",
+			f: func() {
+				c, cancel := WithCancel(bg)
+				cancel()
+				<-c.Done()
+			},
+			limit:      5,
+			gccgoLimit: 8,
+		},
+		{
+			desc: "WithTimeout(bg, 100*time.Millisecond)",
+			f: func() {
+				c, cancel := WithTimeout(bg, 100*time.Millisecond)
+				cancel()
+				<-c.Done()
+			},
+			limit:      8,
+			gccgoLimit: 25,
+		},
+	} {
+		limit := test.limit
+		if runtime.Compiler == "gccgo" {
+			// gccgo does not yet do escape analysis.
+			// TODO(iant): Remove this when gccgo does do escape analysis.
+			limit = test.gccgoLimit
+		}
+		if n := testing.AllocsPerRun(100, test.f); n > limit {
+			t.Errorf("%s allocs = %f want %d", test.desc, n, int(limit))
+		}
+	}
+}
+
+func TestSimultaneousCancels(t *testing.T) {
+	root, cancel := WithCancel(Background())
+	m := map[Context]CancelFunc{root: cancel}
+	q := []Context{root}
+	// Create a tree of contexts.
+	for len(q) != 0 && len(m) < 100 {
+		parent := q[0]
+		q = q[1:]
+		for i := 0; i < 4; i++ {
+			ctx, cancel := WithCancel(parent)
+			m[ctx] = cancel
+			q = append(q, ctx)
+		}
+	}
+	// Start all the cancels in a random order.
+	var wg sync.WaitGroup
+	wg.Add(len(m))
+	for _, cancel := range m {
+		go func(cancel CancelFunc) {
+			cancel()
+			wg.Done()
+		}(cancel)
+	}
+	// Wait on all the contexts in a random order.
+	for ctx := range m {
+		select {
+		case <-ctx.Done():
+		case <-time.After(1 * time.Second):
+			buf := make([]byte, 10<<10)
+			n := runtime.Stack(buf, true)
+			t.Fatalf("timed out waiting for <-ctx.Done(); stacks:\n%s", buf[:n])
+		}
+	}
+	// Wait for all the cancel functions to return.
+	done := make(chan struct{})
+	go func() {
+		wg.Wait()
+		close(done)
+	}()
+	select {
+	case <-done:
+	case <-time.After(1 * time.Second):
+		buf := make([]byte, 10<<10)
+		n := runtime.Stack(buf, true)
+		t.Fatalf("timed out waiting for cancel functions; stacks:\n%s", buf[:n])
+	}
+}
+
+func TestInterlockedCancels(t *testing.T) {
+	parent, cancelParent := WithCancel(Background())
+	child, cancelChild := WithCancel(parent)
+	go func() {
+		parent.Done()
+		cancelChild()
+	}()
+	cancelParent()
+	select {
+	case <-child.Done():
+	case <-time.After(1 * time.Second):
+		buf := make([]byte, 10<<10)
+		n := runtime.Stack(buf, true)
+		t.Fatalf("timed out waiting for child.Done(); stacks:\n%s", buf[:n])
+	}
+}
+
+func TestLayersCancel(t *testing.T) {
+	testLayers(t, time.Now().UnixNano(), false)
+}
+
+func TestLayersTimeout(t *testing.T) {
+	testLayers(t, time.Now().UnixNano(), true)
+}
+
+func testLayers(t *testing.T, seed int64, testTimeout bool) {
+	rand.Seed(seed)
+	errorf := func(format string, a ...interface{}) {
+		t.Errorf(fmt.Sprintf("seed=%d: %s", seed, format), a...)
+	}
+	const (
+		timeout   = 200 * time.Millisecond
+		minLayers = 30
+	)
+	type value int
+	var (
+		vals      []*value
+		cancels   []CancelFunc
+		numTimers int
+		ctx       = Background()
+	)
+	for i := 0; i < minLayers || numTimers == 0 || len(cancels) == 0 || len(vals) == 0; i++ {
+		switch rand.Intn(3) {
+		case 0:
+			v := new(value)
+			ctx = WithValue(ctx, v, v)
+			vals = append(vals, v)
+		case 1:
+			var cancel CancelFunc
+			ctx, cancel = WithCancel(ctx)
+			cancels = append(cancels, cancel)
+		case 2:
+			var cancel CancelFunc
+			ctx, cancel = WithTimeout(ctx, timeout)
+			cancels = append(cancels, cancel)
+			numTimers++
+		}
+	}
+	checkValues := func(when string) {
+		for _, key := range vals {
+			if val := ctx.Value(key).(*value); key != val {
+				errorf("%s: ctx.Value(%p) = %p want %p", when, key, val, key)
+			}
+		}
+	}
+	select {
+	case <-ctx.Done():
+		errorf("ctx should not be canceled yet")
+	default:
+	}
+	if s, prefix := fmt.Sprint(ctx), "context.Background."; !strings.HasPrefix(s, prefix) {
+		t.Errorf("ctx.String() = %q want prefix %q", s, prefix)
+	}
+	t.Log(ctx)
+	checkValues("before cancel")
+	if testTimeout {
+		select {
+		case <-ctx.Done():
+		case <-time.After(timeout + 100*time.Millisecond):
+			errorf("ctx should have timed out")
+		}
+		checkValues("after timeout")
+	} else {
+		cancel := cancels[rand.Intn(len(cancels))]
+		cancel()
+		select {
+		case <-ctx.Done():
+		default:
+			errorf("ctx should be canceled")
+		}
+		checkValues("after cancel")
+	}
+}
+
+func TestCancelRemoves(t *testing.T) {
+	checkChildren := func(when string, ctx Context, want int) {
+		if got := len(ctx.(*cancelCtx).children); got != want {
+			t.Errorf("%s: context has %d children, want %d", when, got, want)
+		}
+	}
+
+	ctx, _ := WithCancel(Background())
+	checkChildren("after creation", ctx, 0)
+	_, cancel := WithCancel(ctx)
+	checkChildren("with WithCancel child ", ctx, 1)
+	cancel()
+	checkChildren("after cancelling WithCancel child", ctx, 0)
+
+	ctx, _ = WithCancel(Background())
+	checkChildren("after creation", ctx, 0)
+	_, cancel = WithTimeout(ctx, 60*time.Minute)
+	checkChildren("with WithTimeout child ", ctx, 1)
+	cancel()
+	checkChildren("after cancelling WithTimeout child", ctx, 0)
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/context/go17.go b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/context/go17.go
new file mode 100644
index 000000000..d20f52b7d
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/context/go17.go
@@ -0,0 +1,72 @@
+// Copyright 2016 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build go1.7
+
+package context
+
+import (
+	"context" // standard library's context, as of Go 1.7
+	"time"
+)
+
+var (
+	todo       = context.TODO()
+	background = context.Background()
+)
+
+// Canceled is the error returned by Context.Err when the context is canceled.
+var Canceled = context.Canceled
+
+// DeadlineExceeded is the error returned by Context.Err when the context's
+// deadline passes.
+var DeadlineExceeded = context.DeadlineExceeded
+
+// WithCancel returns a copy of parent with a new Done channel. The returned
+// context's Done channel is closed when the returned cancel function is called
+// or when the parent context's Done channel is closed, whichever happens first.
+//
+// Canceling this context releases resources associated with it, so code should
+// call cancel as soon as the operations running in this Context complete.
+func WithCancel(parent Context) (ctx Context, cancel CancelFunc) {
+	ctx, f := context.WithCancel(parent)
+	return ctx, CancelFunc(f)
+}
+
+// WithDeadline returns a copy of the parent context with the deadline adjusted
+// to be no later than d. If the parent's deadline is already earlier than d,
+// WithDeadline(parent, d) is semantically equivalent to parent. The returned
+// context's Done channel is closed when the deadline expires, when the returned
+// cancel function is called, or when the parent context's Done channel is
+// closed, whichever happens first.
+//
+// Canceling this context releases resources associated with it, so code should
+// call cancel as soon as the operations running in this Context complete.
+func WithDeadline(parent Context, deadline time.Time) (Context, CancelFunc) {
+	ctx, f := context.WithDeadline(parent, deadline)
+	return ctx, CancelFunc(f)
+}
+
+// WithTimeout returns WithDeadline(parent, time.Now().Add(timeout)).
+//
+// Canceling this context releases resources associated with it, so code should
+// call cancel as soon as the operations running in this Context complete:
+//
+// 	func slowOperationWithTimeout(ctx context.Context) (Result, error) {
+// 		ctx, cancel := context.WithTimeout(ctx, 100*time.Millisecond)
+// 		defer cancel()  // releases resources if slowOperation completes before timeout elapses
+// 		return slowOperation(ctx)
+// 	}
+func WithTimeout(parent Context, timeout time.Duration) (Context, CancelFunc) {
+	return WithDeadline(parent, time.Now().Add(timeout))
+}
+
+// WithValue returns a copy of parent in which the value associated with key is
+// val.
+//
+// Use context Values only for request-scoped data that transits processes and
+// APIs, not for passing optional parameters to functions.
+func WithValue(parent Context, key interface{}, val interface{}) Context {
+	return context.WithValue(parent, key, val)
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/context/pre_go17.go b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/context/pre_go17.go
new file mode 100644
index 000000000..0f35592df
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/context/pre_go17.go
@@ -0,0 +1,300 @@
+// Copyright 2014 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build !go1.7
+
+package context
+
+import (
+	"errors"
+	"fmt"
+	"sync"
+	"time"
+)
+
+// An emptyCtx is never canceled, has no values, and has no deadline. It is not
+// struct{}, since vars of this type must have distinct addresses.
+type emptyCtx int
+
+func (*emptyCtx) Deadline() (deadline time.Time, ok bool) {
+	return
+}
+
+func (*emptyCtx) Done() <-chan struct{} {
+	return nil
+}
+
+func (*emptyCtx) Err() error {
+	return nil
+}
+
+func (*emptyCtx) Value(key interface{}) interface{} {
+	return nil
+}
+
+func (e *emptyCtx) String() string {
+	switch e {
+	case background:
+		return "context.Background"
+	case todo:
+		return "context.TODO"
+	}
+	return "unknown empty Context"
+}
+
+var (
+	background = new(emptyCtx)
+	todo       = new(emptyCtx)
+)
+
+// Canceled is the error returned by Context.Err when the context is canceled.
+var Canceled = errors.New("context canceled")
+
+// DeadlineExceeded is the error returned by Context.Err when the context's
+// deadline passes.
+var DeadlineExceeded = errors.New("context deadline exceeded")
+
+// WithCancel returns a copy of parent with a new Done channel. The returned
+// context's Done channel is closed when the returned cancel function is called
+// or when the parent context's Done channel is closed, whichever happens first.
+//
+// Canceling this context releases resources associated with it, so code should
+// call cancel as soon as the operations running in this Context complete.
+func WithCancel(parent Context) (ctx Context, cancel CancelFunc) {
+	c := newCancelCtx(parent)
+	propagateCancel(parent, c)
+	return c, func() { c.cancel(true, Canceled) }
+}
+
+// newCancelCtx returns an initialized cancelCtx.
+func newCancelCtx(parent Context) *cancelCtx {
+	return &cancelCtx{
+		Context: parent,
+		done:    make(chan struct{}),
+	}
+}
+
+// propagateCancel arranges for child to be canceled when parent is.
+func propagateCancel(parent Context, child canceler) {
+	if parent.Done() == nil {
+		return // parent is never canceled
+	}
+	if p, ok := parentCancelCtx(parent); ok {
+		p.mu.Lock()
+		if p.err != nil {
+			// parent has already been canceled
+			child.cancel(false, p.err)
+		} else {
+			if p.children == nil {
+				p.children = make(map[canceler]bool)
+			}
+			p.children[child] = true
+		}
+		p.mu.Unlock()
+	} else {
+		go func() {
+			select {
+			case <-parent.Done():
+				child.cancel(false, parent.Err())
+			case <-child.Done():
+			}
+		}()
+	}
+}
+
+// parentCancelCtx follows a chain of parent references until it finds a
+// *cancelCtx. This function understands how each of the concrete types in this
+// package represents its parent.
+func parentCancelCtx(parent Context) (*cancelCtx, bool) {
+	for {
+		switch c := parent.(type) {
+		case *cancelCtx:
+			return c, true
+		case *timerCtx:
+			return c.cancelCtx, true
+		case *valueCtx:
+			parent = c.Context
+		default:
+			return nil, false
+		}
+	}
+}
+
+// removeChild removes a context from its parent.
+func removeChild(parent Context, child canceler) {
+	p, ok := parentCancelCtx(parent)
+	if !ok {
+		return
+	}
+	p.mu.Lock()
+	if p.children != nil {
+		delete(p.children, child)
+	}
+	p.mu.Unlock()
+}
+
+// A canceler is a context type that can be canceled directly. The
+// implementations are *cancelCtx and *timerCtx.
+type canceler interface {
+	cancel(removeFromParent bool, err error)
+	Done() <-chan struct{}
+}
+
+// A cancelCtx can be canceled. When canceled, it also cancels any children
+// that implement canceler.
+type cancelCtx struct {
+	Context
+
+	done chan struct{} // closed by the first cancel call.
+
+	mu       sync.Mutex
+	children map[canceler]bool // set to nil by the first cancel call
+	err      error             // set to non-nil by the first cancel call
+}
+
+func (c *cancelCtx) Done() <-chan struct{} {
+	return c.done
+}
+
+func (c *cancelCtx) Err() error {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	return c.err
+}
+
+func (c *cancelCtx) String() string {
+	return fmt.Sprintf("%v.WithCancel", c.Context)
+}
+
+// cancel closes c.done, cancels each of c's children, and, if
+// removeFromParent is true, removes c from its parent's children.
+func (c *cancelCtx) cancel(removeFromParent bool, err error) {
+	if err == nil {
+		panic("context: internal error: missing cancel error")
+	}
+	c.mu.Lock()
+	if c.err != nil {
+		c.mu.Unlock()
+		return // already canceled
+	}
+	c.err = err
+	close(c.done)
+	for child := range c.children {
+		// NOTE: acquiring the child's lock while holding parent's lock.
+		child.cancel(false, err)
+	}
+	c.children = nil
+	c.mu.Unlock()
+
+	if removeFromParent {
+		removeChild(c.Context, c)
+	}
+}
+
+// WithDeadline returns a copy of the parent context with the deadline adjusted
+// to be no later than d. If the parent's deadline is already earlier than d,
+// WithDeadline(parent, d) is semantically equivalent to parent. The returned
+// context's Done channel is closed when the deadline expires, when the returned
+// cancel function is called, or when the parent context's Done channel is
+// closed, whichever happens first.
+//
+// Canceling this context releases resources associated with it, so code should
+// call cancel as soon as the operations running in this Context complete.
+func WithDeadline(parent Context, deadline time.Time) (Context, CancelFunc) {
+	if cur, ok := parent.Deadline(); ok && cur.Before(deadline) {
+		// The current deadline is already sooner than the new one.
+		return WithCancel(parent)
+	}
+	c := &timerCtx{
+		cancelCtx: newCancelCtx(parent),
+		deadline:  deadline,
+	}
+	propagateCancel(parent, c)
+	d := deadline.Sub(time.Now())
+	if d <= 0 {
+		c.cancel(true, DeadlineExceeded) // deadline has already passed
+		return c, func() { c.cancel(true, Canceled) }
+	}
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	if c.err == nil {
+		c.timer = time.AfterFunc(d, func() {
+			c.cancel(true, DeadlineExceeded)
+		})
+	}
+	return c, func() { c.cancel(true, Canceled) }
+}
+
+// A timerCtx carries a timer and a deadline. It embeds a cancelCtx to
+// implement Done and Err. It implements cancel by stopping its timer then
+// delegating to cancelCtx.cancel.
+type timerCtx struct {
+	*cancelCtx
+	timer *time.Timer // Under cancelCtx.mu.
+
+	deadline time.Time
+}
+
+func (c *timerCtx) Deadline() (deadline time.Time, ok bool) {
+	return c.deadline, true
+}
+
+func (c *timerCtx) String() string {
+	return fmt.Sprintf("%v.WithDeadline(%s [%s])", c.cancelCtx.Context, c.deadline, c.deadline.Sub(time.Now()))
+}
+
+func (c *timerCtx) cancel(removeFromParent bool, err error) {
+	c.cancelCtx.cancel(false, err)
+	if removeFromParent {
+		// Remove this timerCtx from its parent cancelCtx's children.
+		removeChild(c.cancelCtx.Context, c)
+	}
+	c.mu.Lock()
+	if c.timer != nil {
+		c.timer.Stop()
+		c.timer = nil
+	}
+	c.mu.Unlock()
+}
+
+// WithTimeout returns WithDeadline(parent, time.Now().Add(timeout)).
+//
+// Canceling this context releases resources associated with it, so code should
+// call cancel as soon as the operations running in this Context complete:
+//
+// 	func slowOperationWithTimeout(ctx context.Context) (Result, error) {
+// 		ctx, cancel := context.WithTimeout(ctx, 100*time.Millisecond)
+// 		defer cancel()  // releases resources if slowOperation completes before timeout elapses
+// 		return slowOperation(ctx)
+// 	}
+func WithTimeout(parent Context, timeout time.Duration) (Context, CancelFunc) {
+	return WithDeadline(parent, time.Now().Add(timeout))
+}
+
+// WithValue returns a copy of parent in which the value associated with key is
+// val.
+//
+// Use context Values only for request-scoped data that transits processes and
+// APIs, not for passing optional parameters to functions.
+func WithValue(parent Context, key interface{}, val interface{}) Context {
+	return &valueCtx{parent, key, val}
+}
+
+// A valueCtx carries a key-value pair. It implements Value for that key and
+// delegates all other calls to the embedded Context.
+type valueCtx struct {
+	Context
+	key, val interface{}
+}
+
+func (c *valueCtx) String() string {
+	return fmt.Sprintf("%v.WithValue(%#v, %#v)", c.Context, c.key, c.val)
+}
+
+func (c *valueCtx) Value(key interface{}) interface{} {
+	if c.key == key {
+		return c.val
+	}
+	return c.Context.Value(key)
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/context/withtimeout_test.go b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/context/withtimeout_test.go
new file mode 100644
index 000000000..a6754dc36
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/context/withtimeout_test.go
@@ -0,0 +1,26 @@
+// Copyright 2014 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package context_test
+
+import (
+	"fmt"
+	"time"
+
+	"golang.org/x/net/context"
+)
+
+func ExampleWithTimeout() {
+	// Pass a context with a timeout to tell a blocking function that it
+	// should abandon its work after the timeout elapses.
+	ctx, _ := context.WithTimeout(context.Background(), 100*time.Millisecond)
+	select {
+	case <-time.After(200 * time.Millisecond):
+		fmt.Println("overslept")
+	case <-ctx.Done():
+		fmt.Println(ctx.Err()) // prints "context deadline exceeded"
+	}
+	// Output:
+	// context deadline exceeded
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/publicsuffix/gen.go b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/publicsuffix/gen.go
new file mode 100644
index 000000000..a2d499529
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/publicsuffix/gen.go
@@ -0,0 +1,713 @@
+// Copyright 2012 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build ignore
+
+package main
+
+// This program generates table.go and table_test.go based on the authoritative
+// public suffix list at https://publicsuffix.org/list/effective_tld_names.dat
+//
+// The version is derived from
+// https://api.github.com/repos/publicsuffix/list/commits?path=public_suffix_list.dat
+// and a human-readable form is at
+// https://github.com/publicsuffix/list/commits/master/public_suffix_list.dat
+//
+// To fetch a particular git revision, such as 5c70ccd250, pass
+// -url "https://raw.githubusercontent.com/publicsuffix/list/5c70ccd250/public_suffix_list.dat"
+// and -version "an explicit version string".
+
+import (
+	"bufio"
+	"bytes"
+	"flag"
+	"fmt"
+	"go/format"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"os"
+	"regexp"
+	"sort"
+	"strings"
+
+	"golang.org/x/net/idna"
+)
+
+const (
+	// These sum of these four values must be no greater than 32.
+	nodesBitsChildren   = 9
+	nodesBitsICANN      = 1
+	nodesBitsTextOffset = 15
+	nodesBitsTextLength = 6
+
+	// These sum of these four values must be no greater than 32.
+	childrenBitsWildcard = 1
+	childrenBitsNodeType = 2
+	childrenBitsHi       = 14
+	childrenBitsLo       = 14
+)
+
+var (
+	maxChildren   int
+	maxTextOffset int
+	maxTextLength int
+	maxHi         uint32
+	maxLo         uint32
+)
+
+func max(a, b int) int {
+	if a < b {
+		return b
+	}
+	return a
+}
+
+func u32max(a, b uint32) uint32 {
+	if a < b {
+		return b
+	}
+	return a
+}
+
+const (
+	nodeTypeNormal     = 0
+	nodeTypeException  = 1
+	nodeTypeParentOnly = 2
+	numNodeType        = 3
+)
+
+func nodeTypeStr(n int) string {
+	switch n {
+	case nodeTypeNormal:
+		return "+"
+	case nodeTypeException:
+		return "!"
+	case nodeTypeParentOnly:
+		return "o"
+	}
+	panic("unreachable")
+}
+
+const (
+	defaultURL   = "https://publicsuffix.org/list/effective_tld_names.dat"
+	gitCommitURL = "https://api.github.com/repos/publicsuffix/list/commits?path=public_suffix_list.dat"
+)
+
+var (
+	labelEncoding = map[string]uint32{}
+	labelsList    = []string{}
+	labelsMap     = map[string]bool{}
+	rules         = []string{}
+
+	// validSuffixRE is used to check that the entries in the public suffix
+	// list are in canonical form (after Punycode encoding). Specifically,
+	// capital letters are not allowed.
+	validSuffixRE = regexp.MustCompile(`^[a-z0-9_\!\*\-\.]+$`)
+
+	shaRE  = regexp.MustCompile(`"sha":"([^"]+)"`)
+	dateRE = regexp.MustCompile(`"committer":{[^{]+"date":"([^"]+)"`)
+
+	comments = flag.Bool("comments", false, "generate table.go comments, for debugging")
+	subset   = flag.Bool("subset", false, "generate only a subset of the full table, for debugging")
+	url      = flag.String("url", defaultURL, "URL of the publicsuffix.org list. If empty, stdin is read instead")
+	v        = flag.Bool("v", false, "verbose output (to stderr)")
+	version  = flag.String("version", "", "the effective_tld_names.dat version")
+)
+
+func main() {
+	if err := main1(); err != nil {
+		fmt.Fprintln(os.Stderr, err)
+		os.Exit(1)
+	}
+}
+
+func main1() error {
+	flag.Parse()
+	if nodesBitsTextLength+nodesBitsTextOffset+nodesBitsICANN+nodesBitsChildren > 32 {
+		return fmt.Errorf("not enough bits to encode the nodes table")
+	}
+	if childrenBitsLo+childrenBitsHi+childrenBitsNodeType+childrenBitsWildcard > 32 {
+		return fmt.Errorf("not enough bits to encode the children table")
+	}
+	if *version == "" {
+		if *url != defaultURL {
+			return fmt.Errorf("-version was not specified, and the -url is not the default one")
+		}
+		sha, date, err := gitCommit()
+		if err != nil {
+			return err
+		}
+		*version = fmt.Sprintf("publicsuffix.org's public_suffix_list.dat, git revision %s (%s)", sha, date)
+	}
+	var r io.Reader = os.Stdin
+	if *url != "" {
+		res, err := http.Get(*url)
+		if err != nil {
+			return err
+		}
+		if res.StatusCode != http.StatusOK {
+			return fmt.Errorf("bad GET status for %s: %d", *url, res.Status)
+		}
+		r = res.Body
+		defer res.Body.Close()
+	}
+
+	var root node
+	icann := false
+	br := bufio.NewReader(r)
+	for {
+		s, err := br.ReadString('\n')
+		if err != nil {
+			if err == io.EOF {
+				break
+			}
+			return err
+		}
+		s = strings.TrimSpace(s)
+		if strings.Contains(s, "BEGIN ICANN DOMAINS") {
+			icann = true
+			continue
+		}
+		if strings.Contains(s, "END ICANN DOMAINS") {
+			icann = false
+			continue
+		}
+		if s == "" || strings.HasPrefix(s, "//") {
+			continue
+		}
+		s, err = idna.ToASCII(s)
+		if err != nil {
+			return err
+		}
+		if !validSuffixRE.MatchString(s) {
+			return fmt.Errorf("bad publicsuffix.org list data: %q", s)
+		}
+
+		if *subset {
+			switch {
+			case s == "ac.jp" || strings.HasSuffix(s, ".ac.jp"):
+			case s == "ak.us" || strings.HasSuffix(s, ".ak.us"):
+			case s == "ao" || strings.HasSuffix(s, ".ao"):
+			case s == "ar" || strings.HasSuffix(s, ".ar"):
+			case s == "arpa" || strings.HasSuffix(s, ".arpa"):
+			case s == "cy" || strings.HasSuffix(s, ".cy"):
+			case s == "dyndns.org" || strings.HasSuffix(s, ".dyndns.org"):
+			case s == "jp":
+			case s == "kobe.jp" || strings.HasSuffix(s, ".kobe.jp"):
+			case s == "kyoto.jp" || strings.HasSuffix(s, ".kyoto.jp"):
+			case s == "om" || strings.HasSuffix(s, ".om"):
+			case s == "uk" || strings.HasSuffix(s, ".uk"):
+			case s == "uk.com" || strings.HasSuffix(s, ".uk.com"):
+			case s == "tw" || strings.HasSuffix(s, ".tw"):
+			case s == "zw" || strings.HasSuffix(s, ".zw"):
+			case s == "xn--p1ai" || strings.HasSuffix(s, ".xn--p1ai"):
+				// xn--p1ai is Russian-Cyrillic "рф".
+			default:
+				continue
+			}
+		}
+
+		rules = append(rules, s)
+
+		nt, wildcard := nodeTypeNormal, false
+		switch {
+		case strings.HasPrefix(s, "*."):
+			s, nt = s[2:], nodeTypeParentOnly
+			wildcard = true
+		case strings.HasPrefix(s, "!"):
+			s, nt = s[1:], nodeTypeException
+		}
+		labels := strings.Split(s, ".")
+		for n, i := &root, len(labels)-1; i >= 0; i-- {
+			label := labels[i]
+			n = n.child(label)
+			if i == 0 {
+				if nt != nodeTypeParentOnly && n.nodeType == nodeTypeParentOnly {
+					n.nodeType = nt
+				}
+				n.icann = n.icann && icann
+				n.wildcard = n.wildcard || wildcard
+			}
+			labelsMap[label] = true
+		}
+	}
+	labelsList = make([]string, 0, len(labelsMap))
+	for label := range labelsMap {
+		labelsList = append(labelsList, label)
+	}
+	sort.Strings(labelsList)
+
+	if err := generate(printReal, &root, "table.go"); err != nil {
+		return err
+	}
+	if err := generate(printTest, &root, "table_test.go"); err != nil {
+		return err
+	}
+	return nil
+}
+
+func generate(p func(io.Writer, *node) error, root *node, filename string) error {
+	buf := new(bytes.Buffer)
+	if err := p(buf, root); err != nil {
+		return err
+	}
+	b, err := format.Source(buf.Bytes())
+	if err != nil {
+		return err
+	}
+	return ioutil.WriteFile(filename, b, 0644)
+}
+
+func gitCommit() (sha, date string, retErr error) {
+	res, err := http.Get(gitCommitURL)
+	if err != nil {
+		return "", "", err
+	}
+	if res.StatusCode != http.StatusOK {
+		return "", "", fmt.Errorf("bad GET status for %s: %d", gitCommitURL, res.Status)
+	}
+	defer res.Body.Close()
+	b, err := ioutil.ReadAll(res.Body)
+	if err != nil {
+		return "", "", err
+	}
+	if m := shaRE.FindSubmatch(b); m != nil {
+		sha = string(m[1])
+	}
+	if m := dateRE.FindSubmatch(b); m != nil {
+		date = string(m[1])
+	}
+	if sha == "" || date == "" {
+		retErr = fmt.Errorf("could not find commit SHA and date in %s", gitCommitURL)
+	}
+	return sha, date, retErr
+}
+
+func printTest(w io.Writer, n *node) error {
+	fmt.Fprintf(w, "// generated by go run gen.go; DO NOT EDIT\n\n")
+	fmt.Fprintf(w, "package publicsuffix\n\nvar rules = [...]string{\n")
+	for _, rule := range rules {
+		fmt.Fprintf(w, "%q,\n", rule)
+	}
+	fmt.Fprintf(w, "}\n\nvar nodeLabels = [...]string{\n")
+	if err := n.walk(w, printNodeLabel); err != nil {
+		return err
+	}
+	fmt.Fprintf(w, "}\n")
+	return nil
+}
+
+func printReal(w io.Writer, n *node) error {
+	const header = `// generated by go run gen.go; DO NOT EDIT
+
+package publicsuffix
+
+const version = %q
+
+const (
+	nodesBitsChildren   = %d
+	nodesBitsICANN      = %d
+	nodesBitsTextOffset = %d
+	nodesBitsTextLength = %d
+
+	childrenBitsWildcard = %d
+	childrenBitsNodeType = %d
+	childrenBitsHi       = %d
+	childrenBitsLo       = %d
+)
+
+const (
+	nodeTypeNormal     = %d
+	nodeTypeException  = %d
+	nodeTypeParentOnly = %d
+)
+
+// numTLD is the number of top level domains.
+const numTLD = %d
+
+`
+	fmt.Fprintf(w, header, *version,
+		nodesBitsChildren, nodesBitsICANN, nodesBitsTextOffset, nodesBitsTextLength,
+		childrenBitsWildcard, childrenBitsNodeType, childrenBitsHi, childrenBitsLo,
+		nodeTypeNormal, nodeTypeException, nodeTypeParentOnly, len(n.children))
+
+	text := combineText(labelsList)
+	if text == "" {
+		return fmt.Errorf("internal error: makeText returned no text")
+	}
+	for _, label := range labelsList {
+		offset, length := strings.Index(text, label), len(label)
+		if offset < 0 {
+			return fmt.Errorf("internal error: could not find %q in text %q", label, text)
+		}
+		maxTextOffset, maxTextLength = max(maxTextOffset, offset), max(maxTextLength, length)
+		if offset >= 1<<nodesBitsTextOffset {
+			return fmt.Errorf("text offset %d is too large, or nodeBitsTextOffset is too small", offset)
+		}
+		if length >= 1<<nodesBitsTextLength {
+			return fmt.Errorf("text length %d is too large, or nodeBitsTextLength is too small", length)
+		}
+		labelEncoding[label] = uint32(offset)<<nodesBitsTextLength | uint32(length)
+	}
+	fmt.Fprintf(w, "// Text is the combined text of all labels.\nconst text = ")
+	for len(text) > 0 {
+		n, plus := len(text), ""
+		if n > 64 {
+			n, plus = 64, " +"
+		}
+		fmt.Fprintf(w, "%q%s\n", text[:n], plus)
+		text = text[n:]
+	}
+
+	if err := n.walk(w, assignIndexes); err != nil {
+		return err
+	}
+
+	fmt.Fprintf(w, `
+
+// nodes is the list of nodes. Each node is represented as a uint32, which
+// encodes the node's children, wildcard bit and node type (as an index into
+// the children array), ICANN bit and text.
+//
+// If the table was generated with the -comments flag, there is a //-comment
+// after each node's data. In it is the nodes-array indexes of the children,
+// formatted as (n0x1234-n0x1256), with * denoting the wildcard bit. The
+// nodeType is printed as + for normal, ! for exception, and o for parent-only
+// nodes that have children but don't match a domain label in their own right.
+// An I denotes an ICANN domain.
+//
+// The layout within the uint32, from MSB to LSB, is:
+//	[%2d bits] unused
+//	[%2d bits] children index
+//	[%2d bits] ICANN bit
+//	[%2d bits] text index
+//	[%2d bits] text length
+var nodes = [...]uint32{
+`,
+		32-nodesBitsChildren-nodesBitsICANN-nodesBitsTextOffset-nodesBitsTextLength,
+		nodesBitsChildren, nodesBitsICANN, nodesBitsTextOffset, nodesBitsTextLength)
+	if err := n.walk(w, printNode); err != nil {
+		return err
+	}
+	fmt.Fprintf(w, `}
+
+// children is the list of nodes' children, the parent's wildcard bit and the
+// parent's node type. If a node has no children then their children index
+// will be in the range [0, 6), depending on the wildcard bit and node type.
+//
+// The layout within the uint32, from MSB to LSB, is:
+//	[%2d bits] unused
+//	[%2d bits] wildcard bit
+//	[%2d bits] node type
+//	[%2d bits] high nodes index (exclusive) of children
+//	[%2d bits] low nodes index (inclusive) of children
+var children=[...]uint32{
+`,
+		32-childrenBitsWildcard-childrenBitsNodeType-childrenBitsHi-childrenBitsLo,
+		childrenBitsWildcard, childrenBitsNodeType, childrenBitsHi, childrenBitsLo)
+	for i, c := range childrenEncoding {
+		s := "---------------"
+		lo := c & (1<<childrenBitsLo - 1)
+		hi := (c >> childrenBitsLo) & (1<<childrenBitsHi - 1)
+		if lo != hi {
+			s = fmt.Sprintf("n0x%04x-n0x%04x", lo, hi)
+		}
+		nodeType := int(c>>(childrenBitsLo+childrenBitsHi)) & (1<<childrenBitsNodeType - 1)
+		wildcard := c>>(childrenBitsLo+childrenBitsHi+childrenBitsNodeType) != 0
+		if *comments {
+			fmt.Fprintf(w, "0x%08x, // c0x%04x (%s)%s %s\n",
+				c, i, s, wildcardStr(wildcard), nodeTypeStr(nodeType))
+		} else {
+			fmt.Fprintf(w, "0x%x,\n", c)
+		}
+	}
+	fmt.Fprintf(w, "}\n\n")
+	fmt.Fprintf(w, "// max children %d (capacity %d)\n", maxChildren, 1<<nodesBitsChildren-1)
+	fmt.Fprintf(w, "// max text offset %d (capacity %d)\n", maxTextOffset, 1<<nodesBitsTextOffset-1)
+	fmt.Fprintf(w, "// max text length %d (capacity %d)\n", maxTextLength, 1<<nodesBitsTextLength-1)
+	fmt.Fprintf(w, "// max hi %d (capacity %d)\n", maxHi, 1<<childrenBitsHi-1)
+	fmt.Fprintf(w, "// max lo %d (capacity %d)\n", maxLo, 1<<childrenBitsLo-1)
+	return nil
+}
+
+type node struct {
+	label    string
+	nodeType int
+	icann    bool
+	wildcard bool
+	// nodesIndex and childrenIndex are the index of this node in the nodes
+	// and the index of its children offset/length in the children arrays.
+	nodesIndex, childrenIndex int
+	// firstChild is the index of this node's first child, or zero if this
+	// node has no children.
+	firstChild int
+	// children are the node's children, in strictly increasing node label order.
+	children []*node
+}
+
+func (n *node) walk(w io.Writer, f func(w1 io.Writer, n1 *node) error) error {
+	if err := f(w, n); err != nil {
+		return err
+	}
+	for _, c := range n.children {
+		if err := c.walk(w, f); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// child returns the child of n with the given label. The child is created if
+// it did not exist beforehand.
+func (n *node) child(label string) *node {
+	for _, c := range n.children {
+		if c.label == label {
+			return c
+		}
+	}
+	c := &node{
+		label:    label,
+		nodeType: nodeTypeParentOnly,
+		icann:    true,
+	}
+	n.children = append(n.children, c)
+	sort.Sort(byLabel(n.children))
+	return c
+}
+
+type byLabel []*node
+
+func (b byLabel) Len() int           { return len(b) }
+func (b byLabel) Swap(i, j int)      { b[i], b[j] = b[j], b[i] }
+func (b byLabel) Less(i, j int) bool { return b[i].label < b[j].label }
+
+var nextNodesIndex int
+
+// childrenEncoding are the encoded entries in the generated children array.
+// All these pre-defined entries have no children.
+var childrenEncoding = []uint32{
+	0 << (childrenBitsLo + childrenBitsHi), // Without wildcard bit, nodeTypeNormal.
+	1 << (childrenBitsLo + childrenBitsHi), // Without wildcard bit, nodeTypeException.
+	2 << (childrenBitsLo + childrenBitsHi), // Without wildcard bit, nodeTypeParentOnly.
+	4 << (childrenBitsLo + childrenBitsHi), // With wildcard bit, nodeTypeNormal.
+	5 << (childrenBitsLo + childrenBitsHi), // With wildcard bit, nodeTypeException.
+	6 << (childrenBitsLo + childrenBitsHi), // With wildcard bit, nodeTypeParentOnly.
+}
+
+var firstCallToAssignIndexes = true
+
+func assignIndexes(w io.Writer, n *node) error {
+	if len(n.children) != 0 {
+		// Assign nodesIndex.
+		n.firstChild = nextNodesIndex
+		for _, c := range n.children {
+			c.nodesIndex = nextNodesIndex
+			nextNodesIndex++
+		}
+
+		// The root node's children is implicit.
+		if firstCallToAssignIndexes {
+			firstCallToAssignIndexes = false
+			return nil
+		}
+
+		// Assign childrenIndex.
+		maxChildren = max(maxChildren, len(childrenEncoding))
+		if len(childrenEncoding) >= 1<<nodesBitsChildren {
+			return fmt.Errorf("children table size %d is too large, or nodeBitsChildren is too small", len(childrenEncoding))
+		}
+		n.childrenIndex = len(childrenEncoding)
+		lo := uint32(n.firstChild)
+		hi := lo + uint32(len(n.children))
+		maxLo, maxHi = u32max(maxLo, lo), u32max(maxHi, hi)
+		if lo >= 1<<childrenBitsLo {
+			return fmt.Errorf("children lo %d is too large, or childrenBitsLo is too small", lo)
+		}
+		if hi >= 1<<childrenBitsHi {
+			return fmt.Errorf("children hi %d is too large, or childrenBitsHi is too small", hi)
+		}
+		enc := hi<<childrenBitsLo | lo
+		enc |= uint32(n.nodeType) << (childrenBitsLo + childrenBitsHi)
+		if n.wildcard {
+			enc |= 1 << (childrenBitsLo + childrenBitsHi + childrenBitsNodeType)
+		}
+		childrenEncoding = append(childrenEncoding, enc)
+	} else {
+		n.childrenIndex = n.nodeType
+		if n.wildcard {
+			n.childrenIndex += numNodeType
+		}
+	}
+	return nil
+}
+
+func printNode(w io.Writer, n *node) error {
+	for _, c := range n.children {
+		s := "---------------"
+		if len(c.children) != 0 {
+			s = fmt.Sprintf("n0x%04x-n0x%04x", c.firstChild, c.firstChild+len(c.children))
+		}
+		encoding := labelEncoding[c.label]
+		if c.icann {
+			encoding |= 1 << (nodesBitsTextLength + nodesBitsTextOffset)
+		}
+		encoding |= uint32(c.childrenIndex) << (nodesBitsTextLength + nodesBitsTextOffset + nodesBitsICANN)
+		if *comments {
+			fmt.Fprintf(w, "0x%08x, // n0x%04x c0x%04x (%s)%s %s %s %s\n",
+				encoding, c.nodesIndex, c.childrenIndex, s, wildcardStr(c.wildcard),
+				nodeTypeStr(c.nodeType), icannStr(c.icann), c.label,
+			)
+		} else {
+			fmt.Fprintf(w, "0x%x,\n", encoding)
+		}
+	}
+	return nil
+}
+
+func printNodeLabel(w io.Writer, n *node) error {
+	for _, c := range n.children {
+		fmt.Fprintf(w, "%q,\n", c.label)
+	}
+	return nil
+}
+
+func icannStr(icann bool) string {
+	if icann {
+		return "I"
+	}
+	return " "
+}
+
+func wildcardStr(wildcard bool) string {
+	if wildcard {
+		return "*"
+	}
+	return " "
+}
+
+// combineText combines all the strings in labelsList to form one giant string.
+// Overlapping strings will be merged: "arpa" and "parliament" could yield
+// "arparliament".
+func combineText(labelsList []string) string {
+	beforeLength := 0
+	for _, s := range labelsList {
+		beforeLength += len(s)
+	}
+
+	text := crush(removeSubstrings(labelsList))
+	if *v {
+		fmt.Fprintf(os.Stderr, "crushed %d bytes to become %d bytes\n", beforeLength, len(text))
+	}
+	return text
+}
+
+type byLength []string
+
+func (s byLength) Len() int           { return len(s) }
+func (s byLength) Swap(i, j int)      { s[i], s[j] = s[j], s[i] }
+func (s byLength) Less(i, j int) bool { return len(s[i]) < len(s[j]) }
+
+// removeSubstrings returns a copy of its input with any strings removed
+// that are substrings of other provided strings.
+func removeSubstrings(input []string) []string {
+	// Make a copy of input.
+	ss := append(make([]string, 0, len(input)), input...)
+	sort.Sort(byLength(ss))
+
+	for i, shortString := range ss {
+		// For each string, only consider strings higher than it in sort order, i.e.
+		// of equal length or greater.
+		for _, longString := range ss[i+1:] {
+			if strings.Contains(longString, shortString) {
+				ss[i] = ""
+				break
+			}
+		}
+	}
+
+	// Remove the empty strings.
+	sort.Strings(ss)
+	for len(ss) > 0 && ss[0] == "" {
+		ss = ss[1:]
+	}
+	return ss
+}
+
+// crush combines a list of strings, taking advantage of overlaps. It returns a
+// single string that contains each input string as a substring.
+func crush(ss []string) string {
+	maxLabelLen := 0
+	for _, s := range ss {
+		if maxLabelLen < len(s) {
+			maxLabelLen = len(s)
+		}
+	}
+
+	for prefixLen := maxLabelLen; prefixLen > 0; prefixLen-- {
+		prefixes := makePrefixMap(ss, prefixLen)
+		for i, s := range ss {
+			if len(s) <= prefixLen {
+				continue
+			}
+			mergeLabel(ss, i, prefixLen, prefixes)
+		}
+	}
+
+	return strings.Join(ss, "")
+}
+
+// mergeLabel merges the label at ss[i] with the first available matching label
+// in prefixMap, where the last "prefixLen" characters in ss[i] match the first
+// "prefixLen" characters in the matching label.
+// It will merge ss[i] repeatedly until no more matches are available.
+// All matching labels merged into ss[i] are replaced by "".
+func mergeLabel(ss []string, i, prefixLen int, prefixes prefixMap) {
+	s := ss[i]
+	suffix := s[len(s)-prefixLen:]
+	for _, j := range prefixes[suffix] {
+		// Empty strings mean "already used." Also avoid merging with self.
+		if ss[j] == "" || i == j {
+			continue
+		}
+		if *v {
+			fmt.Fprintf(os.Stderr, "%d-length overlap at (%4d,%4d): %q and %q share %q\n",
+				prefixLen, i, j, ss[i], ss[j], suffix)
+		}
+		ss[i] += ss[j][prefixLen:]
+		ss[j] = ""
+		// ss[i] has a new suffix, so merge again if possible.
+		// Note: we only have to merge again at the same prefix length. Shorter
+		// prefix lengths will be handled in the next iteration of crush's for loop.
+		// Can there be matches for longer prefix lengths, introduced by the merge?
+		// I believe that any such matches would by necessity have been eliminated
+		// during substring removal or merged at a higher prefix length. For
+		// instance, in crush("abc", "cde", "bcdef"), combining "abc" and "cde"
+		// would yield "abcde", which could be merged with "bcdef." However, in
+		// practice "cde" would already have been elimintated by removeSubstrings.
+		mergeLabel(ss, i, prefixLen, prefixes)
+		return
+	}
+}
+
+// prefixMap maps from a prefix to a list of strings containing that prefix. The
+// list of strings is represented as indexes into a slice of strings stored
+// elsewhere.
+type prefixMap map[string][]int
+
+// makePrefixMap constructs a prefixMap from a slice of strings.
+func makePrefixMap(ss []string, prefixLen int) prefixMap {
+	prefixes := make(prefixMap)
+	for i, s := range ss {
+		// We use < rather than <= because if a label matches on a prefix equal to
+		// its full length, that's actually a substring match handled by
+		// removeSubstrings.
+		if prefixLen < len(s) {
+			prefix := s[:prefixLen]
+			prefixes[prefix] = append(prefixes[prefix], i)
+		}
+	}
+
+	return prefixes
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/publicsuffix/list.go b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/publicsuffix/list.go
new file mode 100644
index 000000000..8bbf3bcd7
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/publicsuffix/list.go
@@ -0,0 +1,135 @@
+// Copyright 2012 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:generate go run gen.go
+
+// Package publicsuffix provides a public suffix list based on data from
+// http://publicsuffix.org/. A public suffix is one under which Internet users
+// can directly register names.
+package publicsuffix // import "golang.org/x/net/publicsuffix"
+
+// TODO: specify case sensitivity and leading/trailing dot behavior for
+// func PublicSuffix and func EffectiveTLDPlusOne.
+
+import (
+	"fmt"
+	"net/http/cookiejar"
+	"strings"
+)
+
+// List implements the cookiejar.PublicSuffixList interface by calling the
+// PublicSuffix function.
+var List cookiejar.PublicSuffixList = list{}
+
+type list struct{}
+
+func (list) PublicSuffix(domain string) string {
+	ps, _ := PublicSuffix(domain)
+	return ps
+}
+
+func (list) String() string {
+	return version
+}
+
+// PublicSuffix returns the public suffix of the domain using a copy of the
+// publicsuffix.org database compiled into the library.
+//
+// icann is whether the public suffix is managed by the Internet Corporation
+// for Assigned Names and Numbers. If not, the public suffix is privately
+// managed. For example, foo.org and foo.co.uk are ICANN domains,
+// foo.dyndns.org and foo.blogspot.co.uk are private domains.
+//
+// Use cases for distinguishing ICANN domains like foo.com from private
+// domains like foo.appspot.com can be found at
+// https://wiki.mozilla.org/Public_Suffix_List/Use_Cases
+func PublicSuffix(domain string) (publicSuffix string, icann bool) {
+	lo, hi := uint32(0), uint32(numTLD)
+	s, suffix, wildcard := domain, len(domain), false
+loop:
+	for {
+		dot := strings.LastIndex(s, ".")
+		if wildcard {
+			suffix = 1 + dot
+		}
+		if lo == hi {
+			break
+		}
+		f := find(s[1+dot:], lo, hi)
+		if f == notFound {
+			break
+		}
+
+		u := nodes[f] >> (nodesBitsTextOffset + nodesBitsTextLength)
+		icann = u&(1<<nodesBitsICANN-1) != 0
+		u >>= nodesBitsICANN
+		u = children[u&(1<<nodesBitsChildren-1)]
+		lo = u & (1<<childrenBitsLo - 1)
+		u >>= childrenBitsLo
+		hi = u & (1<<childrenBitsHi - 1)
+		u >>= childrenBitsHi
+		switch u & (1<<childrenBitsNodeType - 1) {
+		case nodeTypeNormal:
+			suffix = 1 + dot
+		case nodeTypeException:
+			suffix = 1 + len(s)
+			break loop
+		}
+		u >>= childrenBitsNodeType
+		wildcard = u&(1<<childrenBitsWildcard-1) != 0
+
+		if dot == -1 {
+			break
+		}
+		s = s[:dot]
+	}
+	if suffix == len(domain) {
+		// If no rules match, the prevailing rule is "*".
+		return domain[1+strings.LastIndex(domain, "."):], icann
+	}
+	return domain[suffix:], icann
+}
+
+const notFound uint32 = 1<<32 - 1
+
+// find returns the index of the node in the range [lo, hi) whose label equals
+// label, or notFound if there is no such node. The range is assumed to be in
+// strictly increasing node label order.
+func find(label string, lo, hi uint32) uint32 {
+	for lo < hi {
+		mid := lo + (hi-lo)/2
+		s := nodeLabel(mid)
+		if s < label {
+			lo = mid + 1
+		} else if s == label {
+			return mid
+		} else {
+			hi = mid
+		}
+	}
+	return notFound
+}
+
+// nodeLabel returns the label for the i'th node.
+func nodeLabel(i uint32) string {
+	x := nodes[i]
+	length := x & (1<<nodesBitsTextLength - 1)
+	x >>= nodesBitsTextLength
+	offset := x & (1<<nodesBitsTextOffset - 1)
+	return text[offset : offset+length]
+}
+
+// EffectiveTLDPlusOne returns the effective top level domain plus one more
+// label. For example, the eTLD+1 for "foo.bar.golang.org" is "golang.org".
+func EffectiveTLDPlusOne(domain string) (string, error) {
+	suffix, _ := PublicSuffix(domain)
+	if len(domain) <= len(suffix) {
+		return "", fmt.Errorf("publicsuffix: cannot derive eTLD+1 for domain %q", domain)
+	}
+	i := len(domain) - len(suffix) - 1
+	if domain[i] != '.' {
+		return "", fmt.Errorf("publicsuffix: invalid public suffix %q for domain %q", suffix, domain)
+	}
+	return domain[1+strings.LastIndex(domain[:i], "."):], nil
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/publicsuffix/list_test.go b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/publicsuffix/list_test.go
new file mode 100644
index 000000000..42d79cc43
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/publicsuffix/list_test.go
@@ -0,0 +1,416 @@
+// Copyright 2012 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package publicsuffix
+
+import (
+	"sort"
+	"strings"
+	"testing"
+)
+
+func TestNodeLabel(t *testing.T) {
+	for i, want := range nodeLabels {
+		got := nodeLabel(uint32(i))
+		if got != want {
+			t.Errorf("%d: got %q, want %q", i, got, want)
+		}
+	}
+}
+
+func TestFind(t *testing.T) {
+	testCases := []string{
+		"",
+		"a",
+		"a0",
+		"aaaa",
+		"ao",
+		"ap",
+		"ar",
+		"aro",
+		"arp",
+		"arpa",
+		"arpaa",
+		"arpb",
+		"az",
+		"b",
+		"b0",
+		"ba",
+		"z",
+		"zu",
+		"zv",
+		"zw",
+		"zx",
+		"zy",
+		"zz",
+		"zzzz",
+	}
+	for _, tc := range testCases {
+		got := find(tc, 0, numTLD)
+		want := notFound
+		for i := uint32(0); i < numTLD; i++ {
+			if tc == nodeLabel(i) {
+				want = i
+				break
+			}
+		}
+		if got != want {
+			t.Errorf("%q: got %d, want %d", tc, got, want)
+		}
+	}
+}
+
+func TestICANN(t *testing.T) {
+	testCases := map[string]bool{
+		"foo.org":            true,
+		"foo.co.uk":          true,
+		"foo.dyndns.org":     false,
+		"foo.go.dyndns.org":  false,
+		"foo.blogspot.co.uk": false,
+		"foo.intranet":       false,
+	}
+	for domain, want := range testCases {
+		_, got := PublicSuffix(domain)
+		if got != want {
+			t.Errorf("%q: got %v, want %v", domain, got, want)
+		}
+	}
+}
+
+var publicSuffixTestCases = []struct {
+	domain, want string
+}{
+	// Empty string.
+	{"", ""},
+
+	// The .ao rules are:
+	// ao
+	// ed.ao
+	// gv.ao
+	// og.ao
+	// co.ao
+	// pb.ao
+	// it.ao
+	{"ao", "ao"},
+	{"www.ao", "ao"},
+	{"pb.ao", "pb.ao"},
+	{"www.pb.ao", "pb.ao"},
+	{"www.xxx.yyy.zzz.pb.ao", "pb.ao"},
+
+	// The .ar rules are:
+	// ar
+	// com.ar
+	// edu.ar
+	// gob.ar
+	// gov.ar
+	// int.ar
+	// mil.ar
+	// net.ar
+	// org.ar
+	// tur.ar
+	// blogspot.com.ar
+	{"ar", "ar"},
+	{"www.ar", "ar"},
+	{"nic.ar", "ar"},
+	{"www.nic.ar", "ar"},
+	{"com.ar", "com.ar"},
+	{"www.com.ar", "com.ar"},
+	{"blogspot.com.ar", "blogspot.com.ar"},
+	{"www.blogspot.com.ar", "blogspot.com.ar"},
+	{"www.xxx.yyy.zzz.blogspot.com.ar", "blogspot.com.ar"},
+	{"logspot.com.ar", "com.ar"},
+	{"zlogspot.com.ar", "com.ar"},
+	{"zblogspot.com.ar", "com.ar"},
+
+	// The .arpa rules are:
+	// arpa
+	// e164.arpa
+	// in-addr.arpa
+	// ip6.arpa
+	// iris.arpa
+	// uri.arpa
+	// urn.arpa
+	{"arpa", "arpa"},
+	{"www.arpa", "arpa"},
+	{"urn.arpa", "urn.arpa"},
+	{"www.urn.arpa", "urn.arpa"},
+	{"www.xxx.yyy.zzz.urn.arpa", "urn.arpa"},
+
+	// The relevant {kobe,kyoto}.jp rules are:
+	// jp
+	// *.kobe.jp
+	// !city.kobe.jp
+	// kyoto.jp
+	// ide.kyoto.jp
+	{"jp", "jp"},
+	{"kobe.jp", "jp"},
+	{"c.kobe.jp", "c.kobe.jp"},
+	{"b.c.kobe.jp", "c.kobe.jp"},
+	{"a.b.c.kobe.jp", "c.kobe.jp"},
+	{"city.kobe.jp", "kobe.jp"},
+	{"www.city.kobe.jp", "kobe.jp"},
+	{"kyoto.jp", "kyoto.jp"},
+	{"test.kyoto.jp", "kyoto.jp"},
+	{"ide.kyoto.jp", "ide.kyoto.jp"},
+	{"b.ide.kyoto.jp", "ide.kyoto.jp"},
+	{"a.b.ide.kyoto.jp", "ide.kyoto.jp"},
+
+	// The .tw rules are:
+	// tw
+	// edu.tw
+	// gov.tw
+	// mil.tw
+	// com.tw
+	// net.tw
+	// org.tw
+	// idv.tw
+	// game.tw
+	// ebiz.tw
+	// club.tw
+	// 網路.tw (xn--zf0ao64a.tw)
+	// 組織.tw (xn--uc0atv.tw)
+	// 商業.tw (xn--czrw28b.tw)
+	// blogspot.tw
+	{"tw", "tw"},
+	{"aaa.tw", "tw"},
+	{"www.aaa.tw", "tw"},
+	{"xn--czrw28b.aaa.tw", "tw"},
+	{"edu.tw", "edu.tw"},
+	{"www.edu.tw", "edu.tw"},
+	{"xn--czrw28b.edu.tw", "edu.tw"},
+	{"xn--czrw28b.tw", "xn--czrw28b.tw"},
+	{"www.xn--czrw28b.tw", "xn--czrw28b.tw"},
+	{"xn--uc0atv.xn--czrw28b.tw", "xn--czrw28b.tw"},
+	{"xn--kpry57d.tw", "tw"},
+
+	// The .uk rules are:
+	// uk
+	// ac.uk
+	// co.uk
+	// gov.uk
+	// ltd.uk
+	// me.uk
+	// net.uk
+	// nhs.uk
+	// org.uk
+	// plc.uk
+	// police.uk
+	// *.sch.uk
+	// blogspot.co.uk
+	{"uk", "uk"},
+	{"aaa.uk", "uk"},
+	{"www.aaa.uk", "uk"},
+	{"mod.uk", "uk"},
+	{"www.mod.uk", "uk"},
+	{"sch.uk", "uk"},
+	{"mod.sch.uk", "mod.sch.uk"},
+	{"www.sch.uk", "www.sch.uk"},
+	{"blogspot.co.uk", "blogspot.co.uk"},
+	{"blogspot.nic.uk", "uk"},
+	{"blogspot.sch.uk", "blogspot.sch.uk"},
+
+	// The .рф rules are
+	// рф (xn--p1ai)
+	{"xn--p1ai", "xn--p1ai"},
+	{"aaa.xn--p1ai", "xn--p1ai"},
+	{"www.xxx.yyy.xn--p1ai", "xn--p1ai"},
+
+	// The .bd rules are:
+	// *.bd
+	{"bd", "bd"},
+	{"www.bd", "www.bd"},
+	{"zzz.bd", "zzz.bd"},
+	{"www.zzz.bd", "zzz.bd"},
+	{"www.xxx.yyy.zzz.bd", "zzz.bd"},
+
+	// There are no .nosuchtld rules.
+	{"nosuchtld", "nosuchtld"},
+	{"foo.nosuchtld", "nosuchtld"},
+	{"bar.foo.nosuchtld", "nosuchtld"},
+}
+
+func BenchmarkPublicSuffix(b *testing.B) {
+	for i := 0; i < b.N; i++ {
+		for _, tc := range publicSuffixTestCases {
+			List.PublicSuffix(tc.domain)
+		}
+	}
+}
+
+func TestPublicSuffix(t *testing.T) {
+	for _, tc := range publicSuffixTestCases {
+		got := List.PublicSuffix(tc.domain)
+		if got != tc.want {
+			t.Errorf("%q: got %q, want %q", tc.domain, got, tc.want)
+		}
+	}
+}
+
+func TestSlowPublicSuffix(t *testing.T) {
+	for _, tc := range publicSuffixTestCases {
+		got := slowPublicSuffix(tc.domain)
+		if got != tc.want {
+			t.Errorf("%q: got %q, want %q", tc.domain, got, tc.want)
+		}
+	}
+}
+
+// slowPublicSuffix implements the canonical (but O(number of rules)) public
+// suffix algorithm described at http://publicsuffix.org/list/.
+//
+// 1. Match domain against all rules and take note of the matching ones.
+// 2. If no rules match, the prevailing rule is "*".
+// 3. If more than one rule matches, the prevailing rule is the one which is an exception rule.
+// 4. If there is no matching exception rule, the prevailing rule is the one with the most labels.
+// 5. If the prevailing rule is a exception rule, modify it by removing the leftmost label.
+// 6. The public suffix is the set of labels from the domain which directly match the labels of the prevailing rule (joined by dots).
+// 7. The registered or registrable domain is the public suffix plus one additional label.
+//
+// This function returns the public suffix, not the registrable domain, and so
+// it stops after step 6.
+func slowPublicSuffix(domain string) string {
+	match := func(rulePart, domainPart string) bool {
+		switch rulePart[0] {
+		case '*':
+			return true
+		case '!':
+			return rulePart[1:] == domainPart
+		}
+		return rulePart == domainPart
+	}
+
+	domainParts := strings.Split(domain, ".")
+	var matchingRules [][]string
+
+loop:
+	for _, rule := range rules {
+		ruleParts := strings.Split(rule, ".")
+		if len(domainParts) < len(ruleParts) {
+			continue
+		}
+		for i := range ruleParts {
+			rulePart := ruleParts[len(ruleParts)-1-i]
+			domainPart := domainParts[len(domainParts)-1-i]
+			if !match(rulePart, domainPart) {
+				continue loop
+			}
+		}
+		matchingRules = append(matchingRules, ruleParts)
+	}
+	if len(matchingRules) == 0 {
+		matchingRules = append(matchingRules, []string{"*"})
+	} else {
+		sort.Sort(byPriority(matchingRules))
+	}
+	prevailing := matchingRules[0]
+	if prevailing[0][0] == '!' {
+		prevailing = prevailing[1:]
+	}
+	if prevailing[0][0] == '*' {
+		replaced := domainParts[len(domainParts)-len(prevailing)]
+		prevailing = append([]string{replaced}, prevailing[1:]...)
+	}
+	return strings.Join(prevailing, ".")
+}
+
+type byPriority [][]string
+
+func (b byPriority) Len() int      { return len(b) }
+func (b byPriority) Swap(i, j int) { b[i], b[j] = b[j], b[i] }
+func (b byPriority) Less(i, j int) bool {
+	if b[i][0][0] == '!' {
+		return true
+	}
+	if b[j][0][0] == '!' {
+		return false
+	}
+	return len(b[i]) > len(b[j])
+}
+
+// eTLDPlusOneTestCases come from
+// https://github.com/publicsuffix/list/blob/master/tests/test_psl.txt
+var eTLDPlusOneTestCases = []struct {
+	domain, want string
+}{
+	// Empty input.
+	{"", ""},
+	// Unlisted TLD.
+	{"example", ""},
+	{"example.example", "example.example"},
+	{"b.example.example", "example.example"},
+	{"a.b.example.example", "example.example"},
+	// TLD with only 1 rule.
+	{"biz", ""},
+	{"domain.biz", "domain.biz"},
+	{"b.domain.biz", "domain.biz"},
+	{"a.b.domain.biz", "domain.biz"},
+	// TLD with some 2-level rules.
+	{"com", ""},
+	{"example.com", "example.com"},
+	{"b.example.com", "example.com"},
+	{"a.b.example.com", "example.com"},
+	{"uk.com", ""},
+	{"example.uk.com", "example.uk.com"},
+	{"b.example.uk.com", "example.uk.com"},
+	{"a.b.example.uk.com", "example.uk.com"},
+	{"test.ac", "test.ac"},
+	// TLD with only 1 (wildcard) rule.
+	{"mm", ""},
+	{"c.mm", ""},
+	{"b.c.mm", "b.c.mm"},
+	{"a.b.c.mm", "b.c.mm"},
+	// More complex TLD.
+	{"jp", ""},
+	{"test.jp", "test.jp"},
+	{"www.test.jp", "test.jp"},
+	{"ac.jp", ""},
+	{"test.ac.jp", "test.ac.jp"},
+	{"www.test.ac.jp", "test.ac.jp"},
+	{"kyoto.jp", ""},
+	{"test.kyoto.jp", "test.kyoto.jp"},
+	{"ide.kyoto.jp", ""},
+	{"b.ide.kyoto.jp", "b.ide.kyoto.jp"},
+	{"a.b.ide.kyoto.jp", "b.ide.kyoto.jp"},
+	{"c.kobe.jp", ""},
+	{"b.c.kobe.jp", "b.c.kobe.jp"},
+	{"a.b.c.kobe.jp", "b.c.kobe.jp"},
+	{"city.kobe.jp", "city.kobe.jp"},
+	{"www.city.kobe.jp", "city.kobe.jp"},
+	// TLD with a wildcard rule and exceptions.
+	{"ck", ""},
+	{"test.ck", ""},
+	{"b.test.ck", "b.test.ck"},
+	{"a.b.test.ck", "b.test.ck"},
+	{"www.ck", "www.ck"},
+	{"www.www.ck", "www.ck"},
+	// US K12.
+	{"us", ""},
+	{"test.us", "test.us"},
+	{"www.test.us", "test.us"},
+	{"ak.us", ""},
+	{"test.ak.us", "test.ak.us"},
+	{"www.test.ak.us", "test.ak.us"},
+	{"k12.ak.us", ""},
+	{"test.k12.ak.us", "test.k12.ak.us"},
+	{"www.test.k12.ak.us", "test.k12.ak.us"},
+	// Punycoded IDN labels
+	{"xn--85x722f.com.cn", "xn--85x722f.com.cn"},
+	{"xn--85x722f.xn--55qx5d.cn", "xn--85x722f.xn--55qx5d.cn"},
+	{"www.xn--85x722f.xn--55qx5d.cn", "xn--85x722f.xn--55qx5d.cn"},
+	{"shishi.xn--55qx5d.cn", "shishi.xn--55qx5d.cn"},
+	{"xn--55qx5d.cn", ""},
+	{"xn--85x722f.xn--fiqs8s", "xn--85x722f.xn--fiqs8s"},
+	{"www.xn--85x722f.xn--fiqs8s", "xn--85x722f.xn--fiqs8s"},
+	{"shishi.xn--fiqs8s", "shishi.xn--fiqs8s"},
+	{"xn--fiqs8s", ""},
+}
+
+func TestEffectiveTLDPlusOne(t *testing.T) {
+	for _, tc := range eTLDPlusOneTestCases {
+		got, _ := EffectiveTLDPlusOne(tc.domain)
+		if got != tc.want {
+			t.Errorf("%q: got %q, want %q", tc.domain, got, tc.want)
+		}
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/publicsuffix/table.go b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/publicsuffix/table.go
new file mode 100644
index 000000000..50f070a92
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/publicsuffix/table.go
@@ -0,0 +1,9253 @@
+// generated by go run gen.go; DO NOT EDIT
+
+package publicsuffix
+
+const version = "publicsuffix.org's public_suffix_list.dat, git revision f47d806df99585862c8426c3e064a50eb5a278f5 (2017-06-14T11:49:01Z)"
+
+const (
+	nodesBitsChildren   = 9
+	nodesBitsICANN      = 1
+	nodesBitsTextOffset = 15
+	nodesBitsTextLength = 6
+
+	childrenBitsWildcard = 1
+	childrenBitsNodeType = 2
+	childrenBitsHi       = 14
+	childrenBitsLo       = 14
+)
+
+const (
+	nodeTypeNormal     = 0
+	nodeTypeException  = 1
+	nodeTypeParentOnly = 2
+)
+
+// numTLD is the number of top level domains.
+const numTLD = 1549
+
+// Text is the combined text of all labels.
+const text = "bifukagawalterbihorologybikedagestangeorgeorgiaxasnesoddenmarkha" +
+	"ngelskjakdnepropetrovskiervaapsteiermarkaragandabruzzoologicalvi" +
+	"nklein-addrammenuernberggfarmerseine12bilbaogakidsmynasushiobara" +
+	"gusartsalangeninohekinannestadray-dnsiskinkyotobetsumidatlantica" +
+	"tholicheltenham-radio-opencraftranagatorodoybillustrationinomiya" +
+	"konojosoyrorosalondonetskarpaczeladzjavald-aostarnbergladegreevj" +
+	"e-og-hornnesaltdalimitedraydnsupdaternopilawabioceanographiquebi" +
+	"rdartcenterprisesakikuchikuseikarugamvikaruizawabirkenesoddtange" +
+	"novaraumalopolskanlandrivelandrobaknoluoktachikawakembuchikumaga" +
+	"yagawakkanaibetsubamericanfamilydscloudcontrolledekafjordrudunsa" +
+	"lvadordalibabalatinord-aurdalvdalaskanittedallasalleasinglesuran" +
+	"certmgretagajobojinzais-a-candidatebirthplacebjarkoybjerkreimbal" +
+	"sfjordgcahcesuolocus-1bjugnirasakis-a-catererblockbustermezlglas" +
+	"sassinationalheritagematsubarakawagoebloombergbauernishiazais-a-" +
+	"celticsfanishigoddabloxcmsalzburgliwicebluedancebmoattachmentsam" +
+	"egawabmsamnangerbmwegroweibolzanordkappgafanquannefrankfurtjmaxx" +
+	"xboxenapponazure-mobilebnpparibaselburglobalashovhachinohedmarka" +
+	"rumaifarmsteadupontariomutashinais-a-chefarsundurbanamexnethnolo" +
+	"gybnrweirbonnishiharabookinglobodoes-itvedestrandurhamburglogowf" +
+	"ashionishiizunazukis-a-conservativefsnillfjordvrcambridgestonexu" +
+	"s-2bootsamsclubindalimoliserniaboschaefflerdalindashorokanaiebos" +
+	"tikasaokaminokawanishiaizubangebostonakijinsekikogentingloppenza" +
+	"ogashimadachicagoboatsamsungmbhartiffanybotanicalgardenishikatak" +
+	"ayamatta-varjjatjometlifeinsurancebotanicgardenishikatsuragithub" +
+	"usercontentjxfinitybotanybouncemerckmsdnipropetrovskjervoyagebou" +
+	"nty-fullensakerrypropertiesandvikcoromantovalle-d-aostatic-acces" +
+	"sanfranciscofreakunemurorangeiseiyoichippubetsubetsugaruhrboutiq" +
+	"uebecngminakamichiharabozentsujiiebplacedogawarabikomaezakirunor" +
+	"dlandvrdnsangoppdalindesnesanjournalismailillesandefjordyndns-at" +
+	"-workinggroupaleobrandywinevalleybrasiliabresciabrindisibenikebr" +
+	"istoloslocalhistorybritishcolumbialowiezachpomorskienishikawazuk" +
+	"amitondabayashiogamagoriziabroadcastlegallocalhostrodawaravennag" +
+	"asukebroadwaybroke-itkmaxxjaworznowtvalled-aostavangerbrokerbron" +
+	"noysundyndns-blogdnsannanishimerabrothermesaverdeatnurembergmode" +
+	"nakasatsunais-a-cpadualstackspace-to-rentalstomakomaibarabrowser" +
+	"safetymarketsannohelplfinancialivornobrumunddalombardiamondsanok" +
+	"ashibatakashimaseratis-a-cubicle-slavellinotteroybrunelasticbean" +
+	"stalkashiharabrusselsantabarbarabruxellesantacruzsantafedjeffers" +
+	"onishinomiyashironobryanskleppalermomahachijorpelandyndns-freebo" +
+	"x-ostrowwlkpmgmxn--0trq7p7nnishinoomotegobrynewhollandyndns-home" +
+	"dnsanukis-a-democratmpalmspringsakerbuskerudinewmexicodyn-vpnplu" +
+	"sterbuzenishinoshimattelefonicarbonia-iglesias-carboniaiglesiasc" +
+	"arboniabuzzpamperedchefastlylbaltimore-og-romsdalwaysdatabasebal" +
+	"langenoamishirasatochigiessensiositelemarkarateu-1bwhalingrimsta" +
+	"dyndns-ipirangaulardalombardynamisches-dnsaotomemergencyachtsapo" +
+	"dlasiellaktyubinskiptveterinairealtorlandyndns-mailomzaporizhzhe" +
+	"guris-a-designerimarumorimachidabzhitomirumalselvendrellorenskog" +
+	"ripescaravantaacondoshichinohealth-carereformitakeharaconference" +
+	"constructionconsuladoesntexistanbullensvanguardyndns1consultanth" +
+	"ropologyconsultingvolluroycontactoyotsukaidownloadynnsaskatchewa" +
+	"ncontemporaryarteducationalchikugodoharuovatoyouracontractorsken" +
+	"conventureshinodesashibetsuikinderoycookingchannelblagdenesnaase" +
+	"ralingenkainanaejrietisalatinabenonichernivtsiciliacoolkuszczytn" +
+	"ore-og-uvdalutskasuyameldaluxembourgrpanamacooperaunitenrightath" +
+	"omeftpanasonichernovtsykkylvenetogakushimotoganewspapercopenhage" +
+	"ncyclopedichirurgiens-dentistes-en-francecorsicagliaridagawarsza" +
+	"washingtondclkaszubycorvettevadsoccertificationcosenzagancosidns" +
+	"dojoetsuwanouchikujogaszkoladbrokesassaris-a-huntercostumedio-ca" +
+	"mpidano-mediocampidanomediocouchpotatofriesatxn--11b4c3dynv6coun" +
+	"ciluxurycouponsaudacoursesauheradynvpnchiryukyuragifuchungbukhar" +
+	"acq-acranbrookuwanalyticsavannahgacreditcardyroyrvikingruecredit" +
+	"unioncremonashgabadaddjambyluzerncrewiiheyakagecricketrzyncrimea" +
+	"st-kazakhstanangercrotonextdirectoystre-slidrettozawacrownprovid" +
+	"ercrsvparaglidinguitarsaves-the-whalessandria-trani-barletta-and" +
+	"riatranibarlettaandriacruisesavonaplesaxocryptonomichigangwoncui" +
+	"sinellahppiacenzakopanerairguardiannakadomarinebraskaunjargalsac" +
+	"eoculturalcentertainmentozsdeltaitogliattiresbschokoladencuneocu" +
+	"pcakecxn--12c1fe0bradescorporationcyberlevagangaviikanonjis-a-kn" +
+	"ightpointtokaizukamikitayamatsuris-a-landscapercymrussiacyonabar" +
+	"ulvikatowicecyouthdfcbankatsushikabeeldengeluidfidonnakamurataji" +
+	"mibuildingulenfieldfiguerestaurantraniandriabarlettatraniandriaf" +
+	"ilateliafilegearthachiojiyahoofilminamidaitomangotsukisosakitaga" +
+	"wafinalfinancefineartschwarzgwangjuifminamiechizenfinlandfinnoyf" +
+	"irebaseapparisor-fronfirenzefirestonefirmdaleirvikaufenfishingol" +
+	"ffanschweizwildlifedorainfracloudfrontdoorfitjarmeniafitnessettl" +
+	"ementranoyfjalerflesbergunmarburguovdageaidnuslivinghistoryflick" +
+	"ragerotikakamigaharaflightsciencecentersciencehistoryflirflogint" +
+	"ogurafloraflorencefloridavvesiidazaifudaigojomedizinhistorisches" +
+	"cientistoragefloripaderbornfloristanohatakahamangyshlakasamatsud" +
+	"ontexisteingeekautokeinoflorogerscjohnsonflowerscotlandflynnhuba" +
+	"mblefrakkestadiscountysnes3-sa-east-1fndfoodnetworkshoppingushik" +
+	"amifuranortonsbergxn--12co0c3b4evalleaostatoilfor-ourfor-someetn" +
+	"edalfor-theaterforexrothachirogatakahatakaishimogosenforgotdnscr" +
+	"apper-siteforli-cesena-forlicesenaforlikescandynamic-dnscrapping" +
+	"forsaleitungsenforsandasuolodingenfortmissoulair-traffic-control" +
+	"leyfortworthadanosegawaforuminamifuranofosneserveftparliamentran" +
+	"sportransurlfotaruis-a-lawyerfoxfordedyn-ip24freeboxoservegame-s" +
+	"erversailleservehalflifestylefreemasonryfreetlservehttparmafreib" +
+	"urgfreightcminamiiselectrapaniimimatakatoris-a-liberalfresenius-" +
+	"3fribourgfriuli-v-giuliafriuli-ve-giuliafriuli-vegiuliafriuli-ve" +
+	"nezia-giuliafriuli-veneziagiuliafriuli-vgiuliafriuliv-giuliafriu" +
+	"live-giuliafriulivegiuliafriulivenezia-giuliafriuliveneziagiulia" +
+	"friulivgiuliafrlfroganservehumourfrognfrolandfrom-akrehamnfrom-a" +
+	"lfrom-arqhadselfiparocherkasyno-dserveirchitachinakagawassamukaw" +
+	"ataricohdatsunanjoburgriwataraidyndns-office-on-the-webcampobass" +
+	"ociatesapporofrom-azfrom-capebretonamiastapleserveminecraftravel" +
+	"channelfrom-collectionfrom-ctravelersinsurancefrom-dchitosetogit" +
+	"suldalotenkawafrom-defenseljordfrom-flanderservemp3from-gausdalf" +
+	"rom-higashiagatsumagoizumizakirkeneservep2parservepicservequakef" +
+	"rom-iafrom-idfrom-ilfrom-incheonfrom-kservesarcasmatartanddesign" +
+	"from-kyowariasahikawafrom-lajollamericanexpressexyfrom-maniwakur" +
+	"atextileksvikazofrom-mdfrom-megurokunohealthcareerservicesettsur" +
+	"geonshalloffamemorialfrom-microsoftbankazunofrom-mnfrom-modellin" +
+	"gfrom-msevastopolefrom-mtnfrom-nchloefrom-ndfrom-nefrom-nhktrdfr" +
+	"om-njcbnlfrom-nminamiizukamisatokamachintaifun-dnsaliasdaburfrom" +
+	"-nvalledaostavernfrom-nyfrom-ohkurafrom-oketohmannorth-kazakhsta" +
+	"nfrom-orfrom-padovaksdalfrom-pratohnoshoooshikamaishimodatefrom-" +
+	"rivnefrom-schoenbrunnfrom-sdfrom-tnfrom-txn--1ck2e1bananarepubli" +
+	"caseihichisobetsuitainairforcechirealminamiawajikibmdiscoveryomb" +
+	"ondishakotanavigationavoiitatebayashiibahcavuotnagaraholtaleniwa" +
+	"izumiotsukumiyamazonawsadodgemologicallyngenvironmentalconservat" +
+	"ionavuotnaklodzkodairassnasabaerobaticketselinogradultashkentata" +
+	"motors3-ap-northeast-2from-utazuerichardlillehammerfeste-ipartis" +
+	"-a-libertarianfrom-val-daostavalleyfrom-vtrentino-a-adigefrom-wa" +
+	"from-wielunnerfrom-wvallee-aosteroyfrom-wyfrosinonefrostalowa-wo" +
+	"lawafroyahikobeardubaiduckdnsevenassisicilyfstcgroupartnersewill" +
+	"iamhillfujiiderafujikawaguchikonefujiminohtawaramotoineppubologn" +
+	"akanotoddenfujinomiyadafujiokayamansionsfranziskanerdpolicefujis" +
+	"atoshonairtelecityeatsharis-a-linux-useranishiaritabashijonawate" +
+	"fujisawafujishiroishidakabiratoridefinimakanegasakindlegokasells" +
+	"-for-lessharpartshawaiijimarugame-hostrolekameokameyamatotakadaf" +
+	"ujitsurugashimaritimekeepingfujixeroxn--1ctwolominamatakkokamino" +
+	"yamaxunusualpersonfujiyoshidafukayabeatshellaspeziafukuchiyamada" +
+	"fukudominichocolatemasekashiwazakiyosatokashikiyosemitefukuis-a-" +
+	"llamarylandfukumitsubishigakirovogradoyfukuokazakiryuohaebarumin" +
+	"amimakis-a-musicianfukuroishikarikaturindalfukusakisarazurewebsi" +
+	"teshikagamiishibukawafukuyamagatakaharustkanoyakumoldeloittexasc" +
+	"olipicenoipifonynysaarlandfunabashiriuchinadafunagatakahashimama" +
+	"kishiwadafunahashikamiamakusatsumasendaisennangonohejis-a-nascar" +
+	"fanfundaciofuoiskujukuriyamanxn--1lqs03nfuosskoczowinbarcelonaga" +
+	"sakijobserverisignieznord-frontiereviewskrakowedeployomitanobihi" +
+	"rosakikamijimastronomy-gatewaybomloans3-ap-south-1furnituredston" +
+	"efurubiraquarelleborkangerfurudonostiaarpartyfurukawairtrafficho" +
+	"funatoriginsurecifedexhibitionishiokoppegardyndns-picsardegnamss" +
+	"koganeis-a-doctorayfusodegaurafussaikisofukushimaoris-a-nurserve" +
+	"bbshimojis-a-painteractivegarsheis-a-patsfanfutabayamaguchinomig" +
+	"awafutboldlygoingnowhere-for-moregontrailroadfuttsurugimperiafut" +
+	"urehostingfuturemailingfvgfyis-a-personaltrainerfylkesbiblackfri" +
+	"dayfyresdalhangoutsystemscloudfunctionshimokawahannanmokuizumode" +
+	"rnhannotaireshimokitayamahanyuzenhapmirhareidsbergenharstadharve" +
+	"stcelebrationhasamarcheapassagenshimonitayanagitlaborhasaminami-" +
+	"alpssells-itrentino-aadigehashbanghasudahasura-appassenger-assoc" +
+	"iationhasvikddielddanuorrikuzentakataiwanairlinedre-eikerhatogay" +
+	"aitakamoriokalmykiahatoyamazakitahiroshimarnardalhatsukaichikais" +
+	"eis-a-republicancerresearchaeologicaliforniahattfjelldalhayashim" +
+	"amotobungotakadapliernewjerseyhazuminobusellsyourhomegoodshimono" +
+	"sekikawahboehringerikehelsinkitakamiizumisanofidelitysvardollshi" +
+	"mosuwalkis-a-rockstarachowicehembygdsforbundhemneshimotsukehemse" +
+	"dalhepforgeherokussldheroyhgtvalleeaosteigenhigashichichibunkyon" +
+	"anaoshimageandsoundandvisionhigashihiroshimanehigashiizumozakita" +
+	"katakanabeautydalhigashikagawahigashikagurasoedahigashikawakitaa" +
+	"ikitakyushuaiahigashikurumeiwamarriottrentino-alto-adigehigashim" +
+	"atsushimarshallstatebankfhappouhigashimatsuyamakitaakitadaitoiga" +
+	"wahigashimurayamamotorcycleshimotsumahigashinarusembokukitamidor" +
+	"is-a-socialistmein-vigorgehigashinehigashiomihachimanchesterhiga" +
+	"shiosakasayamanakakogawahigashishirakawamatakanezawahigashisumiy" +
+	"oshikawaminamiaikitamotosumitakagildeskaliszhigashitsunotogawahi" +
+	"gashiurausukitanakagusukumoduminamiminowahigashiyamatokoriyamana" +
+	"shifteditchyouripaviancarrierhigashiyodogawahigashiyoshinogaris-" +
+	"a-soxfanhiraizumisatohobby-sitehirakatashinagawahiranais-a-stude" +
+	"ntalhirarahiratsukagawahirayaizuwakamatsubushikusakadogawahistor" +
+	"ichouseshinichinanhitachiomiyaginankokubunjis-a-teacherkassymant" +
+	"echnologyhitachiotagooglecodespotrentino-altoadigehitraeumtgerad" +
+	"elmenhorstalbanshinjournalistjohnhjartdalhjelmelandholeckobierzy" +
+	"ceholidayhomeipfizerhomelinkhakassiahomelinuxn--1lqs71dhomeoffic" +
+	"ehomesecuritymaceratakaokaluganskolevangerhomesecuritypccwindmil" +
+	"lhomesenseminehomeunixn--1qqw23ahondahoneywellbeingzonehongopocz" +
+	"northwesternmutualhonjyoitakarazukamakurazakitashiobarahornindal" +
+	"horseoulminamiogunicomcastresistancehortendofinternet-dnshinjuku" +
+	"manohospitalhoteleshinkamigotoyohashimotoshimahotmailhoyangerhoy" +
+	"landetroitskydivinghumanitieshinshinotsurgeryhurdalhurumajis-a-t" +
+	"echietis-a-therapistoiahyllestadhyogoris-an-accountantshinshiroh" +
+	"yugawarahyundaiwafunehzchoseiroumuenchenishitosashimizunaminamia" +
+	"shigarajfkhmelnitskiyamashikejgorajlchoyodobashichikashukujitawa" +
+	"rajlljmpharmacienshiojirishirifujiedajnjcpgfoggiajoyokaichibahcc" +
+	"avuotnagareyamalborkdalpha-myqnapcloudapplebesbyglandjpmorganjpn" +
+	"jprshioyanaizujuniperjurkoshimizumakis-an-engineeringkoshunantok" +
+	"igawakosugekotohiradomainshirakofuefukihaboromskoguchikuzenkotou" +
+	"rakouhokutamakis-an-entertainerkounosupplieshiranukamogawakouyam" +
+	"ashikokuchuokouzushimasoykozagawakozakis-bykpnkppspdnshiraois-ce" +
+	"rtifieducatorahimeshimamateramochizukirakrasnodarkredirectmelhus" +
+	"cultureggio-calabriakristiansandcatshiraokanagawakristiansundkro" +
+	"dsheradkrokstadelvaldaostarostwodzislawindowshiratakahagivestbyk" +
+	"ryminamisanrikubetsupportrentino-sued-tirolkumatorinokumejimasud" +
+	"akumenanyokkaichiropractichristmasakikugawatchandclockasukabedzi" +
+	"n-the-bandaikawachinaganoharamcoachampionshiphoptobishimaizurugb" +
+	"ydgoszczecinemakeupowiathletajimabariakeisenbahnishiwakis-a-fina" +
+	"ncialadvisor-aurdalottokonamegatakasugais-a-geekgalaxykunisakis-" +
+	"foundationkunitachiarailwaykunitomigusukumamotoyamassa-carrara-m" +
+	"assacarraramassabusinessebytomaritimobarakunneppulawykunstsammlu" +
+	"ngkunstunddesignkuokgrouphdkureggio-emilia-romagnakatsugawakurga" +
+	"nkurobelaudiblebtimnetzkurogimilanokuroisoftwarendalenugkuromats" +
+	"unais-gonekurotakikawasakis-into-animelbournekushirogawakustanai" +
+	"s-into-carshintomikasaharakusupplykutchanelkutnokuzumakis-into-c" +
+	"artoonshinyoshitomiokamitsuekvafjordkvalsundkvamfamberkeleykvana" +
+	"ngenkvinesdalkvinnheradkviteseidskogkvitsoykwpspiegelkzmissilewi" +
+	"smillermisugitokorozawamitourismolancastermitoyoakemiuramiyazumi" +
+	"yotamanomjondalenmlbfanmonmouthagebostadmonstermonticellolmontre" +
+	"alestatefarmequipmentrentino-suedtirolmonza-brianzaporizhzhiamon" +
+	"za-e-della-brianzapposhishikuis-not-certifiedunetbankharkovanylv" +
+	"enicemonzabrianzaptokuyamatsusakahoginowaniihamatamakawajimaphil" +
+	"adelphiaareadmyblogsitemonzaebrianzaramonzaedellabrianzamoonscal" +
+	"exusdecorativeartshisognemoparachutingmordoviajessheiminamitanem" +
+	"oriyamatsushigemoriyoshimilitarymormoneymoroyamatsuuramortgagemo" +
+	"scowinnershisuifuelveruminamiuonumatsumotofukemoseushistorymosjo" +
+	"enmoskeneshitaramamosshizukuishimofusaitamatsukuris-savedmosvikn" +
+	"x-serveronakatombetsunndalmoteginozawaonsenmoviemovistargardmtpc" +
+	"hromedicaltanissettairamtranbymuenstermugithubcloudusercontentre" +
+	"ntinoa-adigemuikamishihoronobeauxartsandcraftshizuokananporovigo" +
+	"tpantheonsitemukochikushinonsenergymulhouservebeermunakatanemunc" +
+	"ieszynmuosattemuphilatelymurmanskolobrzegersundmurotorcraftrenti" +
+	"noaadigemusashimurayamatsuzakis-slickhersonmusashinoharamuseetre" +
+	"ntinoalto-adigemuseumverenigingmusicargodaddynaliascoli-picenogi" +
+	"ftshoujis-uberleetrentino-stirolmutsuzawamy-vigorlicemy-wanggouv" +
+	"icenzamyactivedirectorymyasustor-elvdalmycdn77-securechtrainingm" +
+	"ydissentrentinoaltoadigemydrobofagemydshowamyeffectrentinos-tiro" +
+	"lmyfirewallonieruchomoscienceandindustrynmyfritzmyftpaccesshowti" +
+	"meteorapphilipsynology-diskstationmyfusionmyhome-serverrankoshig" +
+	"ayanagawamykolaivaporcloudmymailermymediapchryslermyokohamamatsu" +
+	"damypepsongdalenviknakanojohanamakinoharamypetshriramlidlugoleka" +
+	"gaminoduminamiyamashirokawanabelembroideryggeelvincklabudhabikin" +
+	"okawabarthagakhanamigawamyphotoshibajddarchaeologyeongnamegawalb" +
+	"rzycharternidmypsxn--30rr7ymysecuritycamerakermyshopblocksienara" +
+	"shinomytis-a-bookkeeperugiamyvnchungnamdalseidfjordyndns-remotew" +
+	"dyndns-serverdalouvreggioemiliaromagnakayamatsumaebashikshacknet" +
+	"oyookanmakiwakunigamidsundyndns-weberlincolnissandnessjoenissayo" +
+	"koshibahikariwanumatakazakis-a-greenissedalowiczest-le-patrondhe" +
+	"immobilienisshingugepicturesilkomaganepiemontepilotsimple-urlpim" +
+	"ientaketomisatolgapinkomakiyosumy-routerpioneerpippuphonefossigd" +
+	"alpiszpittsburghofauskedsmokorsetagayasells-for-unzenpiwatepizza" +
+	"pkomatsushimashikizunokunimihoboleslawiechristiansburgroks-thisa" +
+	"yamanobeokakudamatsueplanetariuminanoplantationplantsirdalplatfo" +
+	"rmshangrilanciaplaystationplazaplchurchaseljeepostfoldnavyplumbi" +
+	"ngopmnpodzonepohlpoivronpokerpokrovskomforbarclays3-us-gov-west-" +
+	"1politiendapolkowicepoltavalle-aostathellezajskommunalforbundpom" +
+	"orzeszowioslingpordenonepornporsangerporsanguidellogliastradingp" +
+	"orsgrunnanpoznanpraxis-a-bruinsfanprdpreservationpresidioprgmrpr" +
+	"imeloyalistockholmestrandprincipeprivatizehealthinsuranceprochow" +
+	"iceproductionslupskommuneprofbsbxn--12cfi8ixb8lvivano-frankivska" +
+	"tsuyamasfjordenprogressivegasiapromombetsurfbx-oscholarshipschoo" +
+	"lpropertyprotectionprotonetrentinosud-tirolprudentialpruszkowitd" +
+	"komonoprzeworskogptplusgardenpvtrentinosudtirolpwcirclegnicafede" +
+	"rationiyodogawapzqldqponqslgbtrentinosued-tirolquicksytesnoasait" +
+	"omobellevuelosangelesjaguarchitecturealtychyattorneyagawalesundq" +
+	"uipelementsokanazawaqvcircustomerstuff-4-salestufftoread-booksne" +
+	"solognestuttgartritonsusakis-very-evillagesusonosuzakaneyamazoes" +
+	"uzukaniepcesuzukis-very-goodhandsonsvalbardunloppacificitadelive" +
+	"rysveiosvelvikongsbergsvizzeraswedenswidnicartierswiebodzindiana" +
+	"polis-a-bloggerswiftcoversicherungswinoujscienceandhistoryswissh" +
+	"ikis-very-nicesynology-dsolundbeckomorotsukamiokamikoaniikappugl" +
+	"iatushuissier-justicetuvalle-daostaticsomatuxfamilytwmailvennesl" +
+	"askerrylogisticsomnaritakurashikis-very-badajozoravestfoldvestne" +
+	"soovestre-slidreamhostersopotrentinosuedtirolvestre-totennishiaw" +
+	"akuravestvagoyvevelstadvibo-valentiavibovalentiavideovillaskimit" +
+	"subatamicable-modembetsukuis-very-sweetpeppervinnicartoonartdeco" +
+	"ffeedbackplaneappspotagervinnytsiavipsinaappiagetmyiphoenixn--32" +
+	"vp30haibarakitahatakamatsukawavirginiavirtualvirtueeldomeindianm" +
+	"arketingvirtuelvisakegawavistaprinternationalfirearmsor-odalvite" +
+	"rboltrogstadvivoldavixn--3bst00minnesotaketakatsukis-into-gamess" +
+	"inatsukigatakasagotembaixadavlaanderenvladikavkazimierz-dolnyvla" +
+	"dimirvlogoipictetrentinostirolvolkswagentsor-varangervologdansko" +
+	"ninjamisonvolvolkenkundenvolyngdalvossevangenvotevotingvotoyonak" +
+	"agyokutoursorfoldwloclawekonskowolayangroupharmacyshirahamatonbe" +
+	"tsurnadalwmflabsorreisahayakawakamiichikawamisatotalworldworse-t" +
+	"handawowithgoogleapisa-hockeynutsiracusakatakinouewritesthisblog" +
+	"sytewroclawithyoutubeneventoeidsvollwtcitichernigovernmentoyonow" +
+	"tfbxoschulewuozuwwwiwatsukiyonowruzhgorodeowzmiuwajimaxn--45brj9" +
+	"civilaviationxn--45q11civilisationxn--4gbriminingxn--4it168dxn--" +
+	"4it797konyveloftrentino-sudtirolxn--4pvxs4allxn--54b7fta0ccivili" +
+	"zationxn--55qw42gxn--55qx5dxn--5js045dxn--5rtp49civilwarmanageme" +
+	"ntoyosatoyakokonoexn--5rtq34kooris-an-anarchistoricalsocietyxn--" +
+	"5su34j936bgsgxn--5tzm5gxn--6btw5axn--6frz82gxn--6orx2rxn--6qq986" +
+	"b3xlxn--7t0a264claimsarlucaniaxn--80adxhksortlandxn--80ao21axn--" +
+	"80aqecdr1axn--80asehdbarreauctionflfanfshostrowiecasertaipeiheij" +
+	"iiyamanouchikuhokuryugasakitaurayasudaukraanghkeymachineustarhub" +
+	"alsanagochihayaakasakawaharanzanpachigasakicks-assedicasadelamon" +
+	"edatingjemnes3-ap-southeast-2xn--80aswgxn--80audnedalnxn--8ltr62" +
+	"kopervikhmelnytskyivaolbia-tempio-olbiatempioolbialystokkepnogat" +
+	"aijis-an-actresshintokushimaxn--8pvr4uxn--8y0a063axn--90a3academ" +
+	"y-firewall-gatewayxn--90aishobaraomoriguchiharahkkeravjuedisches" +
+	"apeakebayernrtromsakakinokiaxn--90azhytomyrxn--9dbhblg6dietcimdb" +
+	"arrel-of-knowledgeologyonagoyaurskog-holandroverhalla-speziaerop" +
+	"ortalaheadjudaicaaarborteaches-yogasawaracingroks-theatree164xn-" +
+	"-9dbq2axn--9et52uxn--9krt00axn--andy-iraxn--aroport-byandexn--3d" +
+	"s443gxn--asky-iraxn--aurskog-hland-jnbarrell-of-knowledgeometre-" +
+	"experts-comptables3-us-west-1xn--avery-yuasakuhokkaidoomdnshome-" +
+	"webservercellikes-piedmontblancomeeresorumincommbankmpspbarclayc" +
+	"ards3-us-east-2xn--b-5gaxn--b4w605ferdxn--bck1b9a5dre4cldmailucc" +
+	"apitalonewportlligatoyotaris-a-gurulsandoyxn--bdddj-mrabdxn--bea" +
+	"ralvhki-y4axn--berlevg-jxaxn--bhcavuotna-s4axn--bhccavuotna-k7ax" +
+	"n--bidr-5nachikatsuuraxn--bievt-0qa2xn--bjarky-fyaotsurreyxn--bj" +
+	"ddar-ptamayufuettertdasnetzxn--blt-elabourxn--bmlo-graingerxn--b" +
+	"od-2naroyxn--brnny-wuaccident-investigation-aptibleaseating-orga" +
+	"nicbcn-north-1xn--brnnysund-m8accident-prevention-webhopenairbus" +
+	"antiquest-a-la-maisondre-landebudapest-a-la-masionionjukudoyamag" +
+	"entositelekommunikationthewifiat-band-campaniaxn--brum-voagatrom" +
+	"sojampagefrontapphotographysioxn--btsfjord-9zaxn--c1avgxn--c2br7" +
+	"gxn--c3s14mintelligencexn--cck2b3barsyonlinewhampshirebungoonord" +
+	"-odalazioceanographics3-us-west-2xn--cg4bkis-with-thebandovre-ei" +
+	"kerxn--ciqpnxn--clchc0ea0b2g2a9gcdn77-sslattumisakis-leetrentino" +
+	"-s-tirollagrigentomologyeongbukharkivgucciprianiigataishinomakim" +
+	"obetsuliguriaxn--comunicaes-v6a2oxn--correios-e-telecomunicaes-g" +
+	"hc29axn--czr694bashkiriaustevollarvikarasjohkamiminers3-ca-centr" +
+	"al-1xn--czrs0trusteexn--czru2dxn--czrw28basilicataniaustinnatura" +
+	"lsciencesnaturelles3-eu-central-1xn--d1acj3basketballfinanzgorau" +
+	"straliaisondriodejaneirochesterepbodynathomebuiltatarantottoribe" +
+	"staddnskingjerdrumckinseyokosukanzakiwienaturbruksgymnaturhistor" +
+	"isches3-eu-west-1xn--d1alfaromeoxn--d1atrvarggatroandinosaureise" +
+	"nxn--d5qv7z876clickasumigaurawa-mazowszextraspacekitagatajirissa" +
+	"gamiharaxn--davvenjrga-y4axn--djrs72d6uyxn--djty4koryokamikawane" +
+	"honbetsurutaharaxn--dnna-grajewolterskluwerxn--drbak-wuaxn--dyry" +
+	"-iraxn--e1a4clinichernihivanovodkagoshimalvikashiwaraxn--eckvdtc" +
+	"9dxn--efvn9southcarolinazawaxn--efvy88hair-surveillancexn--ehqz5" +
+	"6nxn--elqq16hakatanoshiroomuraxn--estv75gxn--eveni-0qa01gaxn--f6" +
+	"qx53axn--fct429kosaigawaxn--fhbeiarnxn--finny-yuaxn--fiq228c5hso" +
+	"uthwestfalenxn--fiq64batodayonaguniversityoriikariyaltakasakiyok" +
+	"awaraustrheimatunduhrennesoyokoteastcoastaldefencebinagisochildr" +
+	"ensgardenatuurwetenschappenaumburgjerstadotsuruokakegawaetnagaha" +
+	"maroygardenebakkeshibechambagriculturennebudejjudygarlandd-dnsfo" +
+	"r-better-thanawawdev-myqnapcloudcontrolapplinzi234xn--fiqs8sowax" +
+	"n--fiqz9spjelkavikomvuxn--2m4a15exn--fjord-lraxn--fjq720axn--fl-" +
+	"ziaxn--flor-jraxn--flw351exn--fpcrj9c3dxn--frde-grandrapidspread" +
+	"bettingxn--frna-woaraisaijotrysiljanxn--frya-hraxn--fzc2c9e2clin" +
+	"iquenoharaxn--fzys8d69uvgmailxn--g2xx48clintonoshoesarpsborgrond" +
+	"arxn--gckr3f0fedorapeopleirfjordxn--gecrj9clothingrongaxn--ggavi" +
+	"ika-8ya47hakodatexn--gildeskl-g0axn--givuotna-8yasakaiminatoyone" +
+	"zawaxn--gjvik-wuaxn--gk3at1exn--gls-elacaixaxn--gmq050isleofmand" +
+	"alxn--gmqw5axn--h-2failxn--h1aeghakonexn--h2brj9cnsarufutsunomiy" +
+	"awakasaikaitakoelnxn--h3cuzk1digitalxn--hbmer-xqaxn--hcesuolo-7y" +
+	"a35batsfjordivtasvuodnakaiwamizawauthordalandroiddnss3-eu-west-2" +
+	"xn--hery-iraxn--hgebostad-g3axn--hmmrfeasta-s4acctulangevagrarbo" +
+	"retumbriaxn--hnefoss-q1axn--hobl-iraxn--holtlen-hxaxn--hpmir-xqa" +
+	"xn--hxt814exn--hyanger-q1axn--hylandet-54axn--i1b6b1a6a2exn--imr" +
+	"513nxn--indery-fyasugissmarterthanyouxn--io0a7iwchoshibuyachiyod" +
+	"avvenjargapartmentsardiniaxn--j1aefedoraprojectrani-andria-barle" +
+	"tta-trani-andriaxn--j1amhakubaghdadxn--j6w193gxn--jlq61u9w7bauha" +
+	"usposts-and-telecommunicationsncfdivttasvuotnakamagayahababyklec" +
+	"lercasinordre-landiyoshiokaracoldwarmiamihamadautomotivecoalipay" +
+	"okozebinorfolkebibleikangereportateshinanomachimkentateyamagroce" +
+	"rybnikahokutobamaintenancebetsukubank12xn--jlster-byasuokanraxn-" +
+	"-jrpeland-54axn--jvr189misasaguris-lostre-toteneis-an-actorxn--k" +
+	"7yn95exn--karmy-yuaxn--kbrq7oxn--kcrx77d1x4axn--kfjord-iuaxn--kl" +
+	"bu-woaxn--klt787dxn--kltp7dxn--kltx9axn--klty5xn--3e0b707exn--ko" +
+	"luokta-7ya57hakuis-a-photographerokuappasadenamsosnowiechonanbui" +
+	"lderschmidtre-gauldalottexn--kprw13dxn--kpry57dxn--kpu716fermoda" +
+	"lenxn--kput3ixn--krager-gyatomitamamuraxn--kranghke-b0axn--krdsh" +
+	"erad-m8axn--krehamn-dxaxn--krjohka-hwab49jeonnamerikawauexn--ksn" +
+	"es-uuaxn--kvfjord-nxaxn--kvitsy-fyatsukanumazuryxn--kvnangen-k0a" +
+	"xn--l-1fairwindspydebergxn--l1accentureklamborghiniizaxn--lahead" +
+	"ju-7yatsushiroxn--langevg-jxaxn--lcvr32dxn--ldingen-q1axn--leaga" +
+	"viika-52bbcateringebugattipschlesisches3-website-ap-northeast-1x" +
+	"n--lesund-huaxn--lgbbat1ad8jetztrentino-sud-tirolxn--lgrd-poacnt" +
+	"oyotomiyazakis-a-hard-workerxn--lhppi-xqaxn--linds-pramericanart" +
+	"unesolutionsokndalxn--lns-qlansrlxn--loabt-0qaxn--lrdal-sraxn--l" +
+	"renskog-54axn--lt-liacolonialwilliamsburgrossetouchijiwadell-ogl" +
+	"iastraderxn--lten-granexn--lury-iraxn--m3ch0j3axn--mely-iraxn--m" +
+	"erker-kuaxn--mgb2ddesrtrentoyokawaxn--mgb9awbferraraxn--mgba3a3e" +
+	"jtunkongsvingerxn--mgba3a4f16axn--mgba3a4franamizuholdingsmilelx" +
+	"n--mgba7c0bbn0axn--mgbaakc7dvferrarittogoldpoint2thisamitsukexn-" +
+	"-mgbaam7a8hakusandiegoodyearxn--mgbab2bdxn--mgbai9a5eva00bbtatto" +
+	"olsztynsettlers3-website-ap-southeast-1xn--mgbai9azgqp6jevnakers" +
+	"huscountryestateofdelawarezzoologyxn--mgbayh7gpagespeedmobilizer" +
+	"oxn--mgbb9fbpobanazawaxn--mgbbh1a71exn--mgbc0a9azcgxn--mgbca7dzd" +
+	"oxn--mgberp4a5d4a87gxn--mgberp4a5d4arxn--mgbi4ecexposedxn--mgbpl" +
+	"2fhskodjejuegoshikiminokamoenairportland-4-salernoboribetsucksrv" +
+	"areserveblogspotrevisohughesolarssonxn--mgbqly7c0a67fbcoloradopl" +
+	"ateaudioxn--mgbqly7cvafredrikstadtvstordalxn--mgbt3dhdxn--mgbtf8" +
+	"flatangerxn--mgbtx2bbvacationswatch-and-clockerhcloudns3-website" +
+	"-ap-southeast-2xn--mgbx4cd0abbotturystykannamifunexn--mix082ferr" +
+	"eroticanonoichinomiyakexn--mix891fetsundxn--mjndalen-64axn--mk0a" +
+	"xindustriesteambulancexn--mk1bu44columbusheyxn--mkru45ixn--mlatv" +
+	"uopmi-s4axn--mli-tlanxesstorehabmerxn--mlselv-iuaxn--moreke-juax" +
+	"n--mori-qsakuragawaxn--mosjen-eyawaraxn--mot-tlapyatigorskypexn-" +
+	"-mre-og-romsdal-qqbentleyukinfinitintuitaxihuanhlfanhs3-website-" +
+	"eu-west-1xn--msy-ula0haldenxn--mtta-vrjjat-k7afamilycompanycommu" +
+	"nitysfjordyndns-wikinkobayashikaoirminamibosogndalucernexn--muos" +
+	"t-0qaxn--mxtq1misawaxn--ngbc5azdxn--ngbe9e0axn--ngbrxn--3oq18vl8" +
+	"pn36axn--nit225kosakaerodromegallupinbarefootballooningjovikarat" +
+	"suginamikatagamiharuconnectatsunobiraugustowadaegubs3-ap-southea" +
+	"st-1xn--nmesjevuemie-tcbalestrandabergamoarekexn--nnx388axn--nod" +
+	"exn--nqv7fs00emaxn--nry-yla5gxn--ntso0iqx3axn--ntsq17gxn--nttery" +
+	"-byaeservecounterstrikexn--nvuotna-hwaxn--nyqy26axn--o1achattano" +
+	"oganordreisa-geekoseis-an-artisteinkjerusalemrxn--o3cw4halsaintl" +
+	"ouis-a-anarchistoiredumbrellanbibaidarxn--o3cyx2axn--od0algxn--o" +
+	"d0aq3beppublishproxyzgorzeleccolognewyorkshirecipesaro-urbino-pe" +
+	"sarourbinopesaromasvuotnaharimamurogawatches3-website-sa-east-1x" +
+	"n--ogbpf8flekkefjordxn--oppegrd-ixaxn--ostery-fyawatahamaxn--osy" +
+	"ro-wuaxn--p1acfgujolsterxn--p1aixn--pbt977comobilyxn--pgbs0dhlxn" +
+	"--porsgu-sta26fhvalerxn--pssu33lxn--pssy2uxn--q9jyb4comparemarke" +
+	"rryhotelsasayamaxn--qcka1pmcdonaldstorfjordxn--qqqt11misconfused" +
+	"xn--qxamuneuestorjelenia-goraxn--rady-iraxn--rdal-poaxn--rde-ula" +
+	"quilancashireggiocalabriaxn--rdy-0nabarixn--rennesy-v1axn--rhkke" +
+	"rvju-01aflakstadaokagakibichuoxn--rholt-mragowoodsidexn--rhqv96g" +
+	"xn--rht27zxn--rht3dxn--rht61exn--risa-5narusawaxn--risr-iraxn--r" +
+	"land-uuaxn--rlingen-mxaxn--rmskog-byaxn--rny31hammarfeastafricap" +
+	"etownnews-stagingxn--rovu88bernuorockartuzyukuhashimoichinosekig" +
+	"aharautoscanadaejeonbukarasjokarasuyamarylhurstjordalshalsenaust" +
+	"dalavagiskebizenakaniikawatanaguramusementarnobrzegyptianaturalh" +
+	"istorymuseumcenterepaircraftarumizusawabogadocscbgdyniabkhaziama" +
+	"llamagazineat-url-o-g-i-nativeamericanantiques3-ap-northeast-1ka" +
+	"ppchizippodhaleangaviikadenadexetereit3l3p0rtargets-itargiving12" +
+	"000emmafanconagawakayamadridvagsoyericssonyoursidealerimo-i-rana" +
+	"amesjevuemielno-ip6xn--rros-granvindafjordxn--rskog-uuaxn--rst-0" +
+	"narutokyotangovtuscanyxn--rsta-francaiseharaxn--ryken-vuaxn--ryr" +
+	"vik-byaxn--s-1faithruherecreationxn--s9brj9compute-1xn--sandness" +
+	"jen-ogbizxn--sandy-yuaxn--seral-lraxn--ses554gxn--sgne-gratangen" +
+	"xn--skierv-utazaskoyabearalvahkihokumakogengerdalcestpetersburgx" +
+	"n--skjervy-v1axn--skjk-soaxn--sknit-yqaxn--sknland-fxaxn--slat-5" +
+	"narviikamisunagawaxn--slt-elabbvieeexn--smla-hraxn--smna-gratis-" +
+	"a-bulls-fanxn--snase-nraxn--sndre-land-0cbremangerxn--snes-poaxn" +
+	"--snsa-roaxn--sr-aurdal-l8axn--sr-fron-q1axn--sr-odal-q1axn--sr-" +
+	"varanger-ggbeskidyn-o-saurlandes3-website-us-east-1xn--srfold-by" +
+	"axn--srreisa-q1axn--srum-grazxn--stfold-9xaxn--stjrdal-s1axn--st" +
+	"jrdalshalsen-sqbestbuyshouses3-website-us-west-1xn--stre-toten-z" +
+	"cbstreamsterdamnserverbaniaxn--t60b56axn--tckweatherchannelxn--t" +
+	"iq49xqyjewelryxn--tjme-hraxn--tn0agrinet-freakstudioxn--tnsberg-" +
+	"q1axn--tor131oxn--trany-yuaxn--trgstad-r1axn--trna-woaxn--troms-" +
+	"zuaxn--tysvr-vraxn--uc0atvaroyxn--uc0ay4axn--uist22hamurakamigor" +
+	"is-a-playerxn--uisz3gxn--unjrga-rtaobaokinawashirosatochiokinosh" +
+	"imalatvuopmiasakuchinotsuchiurakawakuyabukievenestudyndns-at-hom" +
+	"edepotenzamamicrolightingxn--unup4yxn--uuwu58axn--vads-jraxn--va" +
+	"rd-jraxn--vegrshei-c0axn--vermgensberater-ctbetainaboxfusejnyuri" +
+	"honjoyentgoryusuharaveroykenglandds3-external-1xn--vermgensberat" +
+	"ung-pwbieigersundnpalaceu-3utilitiesquare7xn--vestvgy-ixa6oxn--v" +
+	"g-yiabcgxn--vgan-qoaxn--vgsy-qoa0jewishartgalleryxn--vgu402compu" +
+	"terhistoryofscience-fictionxn--vhquvbargainstitutelevisionayorov" +
+	"nobninskarelianceu-2xn--vler-qoaxn--vre-eiker-k8axn--vrggt-xqadx" +
+	"n--vry-yla5gxn--vuq861bielawalmartjeldsundrangedalillyusuisserve" +
+	"exchangevents3-website-us-west-2xn--w4r85el8fhu5dnraxn--w4rs40lx" +
+	"n--wcvs22dxn--wgbh1comsecuritytacticsaseboknowsitallukowhoswhokk" +
+	"sundyndns-workisboringroundhandlingroznyxn--wgbl6axn--xhq521biel" +
+	"laakesvuemielecceverbankarlsoyuufcfanikinuyamashinashikitchenikk" +
+	"oebenhavnikolaevennodessagaeroclubmedecincinnationwidealstahauge" +
+	"sunderseaportsinfolldalabamagasakishimabarackmazerbaijan-mayendo" +
+	"ftheinternetflixilovecollegefantasyleaguernseyuzawavocatanzarowe" +
+	"ddingjesdalavangenaval-d-aosta-valleyolasitehimejibigawaskvolloa" +
+	"bathsbc66xn--xkc2al3hye2axn--xkc2dl3a5ee0hangglidingxn--y9a3aqua" +
+	"riumishimatsunoxn--yer-znarvikosherbrookegawaxn--yfro4i67oxn--yg" +
+	"arden-p1axn--ygbi2ammxn--3pxu8konsulatrobeepilepsydneyxn--ystre-" +
+	"slidre-ujbieszczadygeyachimataikikonaioirasebastopologyeonggieht" +
+	"avuoatnagaivuotnagaokakyotambabia-goracleaningatlantabuseekloges" +
+	"t-mon-blogueurovisionikonantankarmoyxn--zbx025dxn--zf0ao64axn--z" +
+	"f0avxn--42c2d9axn--zfr164bievatmallorcadaquesakurainvestmentsaky" +
+	"otanabellunorddalimanowarudavoues3-fips-us-gov-west-1xperiaxz"
+
+// nodes is the list of nodes. Each node is represented as a uint32, which
+// encodes the node's children, wildcard bit and node type (as an index into
+// the children array), ICANN bit and text.
+//
+// If the table was generated with the -comments flag, there is a //-comment
+// after each node's data. In it is the nodes-array indexes of the children,
+// formatted as (n0x1234-n0x1256), with * denoting the wildcard bit. The
+// nodeType is printed as + for normal, ! for exception, and o for parent-only
+// nodes that have children but don't match a domain label in their own right.
+// An I denotes an ICANN domain.
+//
+// The layout within the uint32, from MSB to LSB, is:
+//	[ 1 bits] unused
+//	[ 9 bits] children index
+//	[ 1 bits] ICANN bit
+//	[15 bits] text index
+//	[ 6 bits] text length
+var nodes = [...]uint32{
+	0x31a403,
+	0x284944,
+	0x2dd106,
+	0x3706c3,
+	0x3706c6,
+	0x398706,
+	0x3a8103,
+	0x2fe244,
+	0x38e987,
+	0x2dcd48,
+	0x1a05702,
+	0x316e87,
+	0x35c789,
+	0x2abb0a,
+	0x2abb0b,
+	0x22f383,
+	0x287506,
+	0x232dc5,
+	0x1e021c2,
+	0x2161c4,
+	0x238743,
+	0x26fc45,
+	0x2214902,
+	0x347743,
+	0x266f744,
+	0x33ddc5,
+	0x2a04702,
+	0x376b4e,
+	0x24c4c3,
+	0x38ae46,
+	0x2e00142,
+	0x2dd287,
+	0x236f46,
+	0x3209282,
+	0x229d83,
+	0x24d9c4,
+	0x325e86,
+	0x26c588,
+	0x2761c6,
+	0x2011c4,
+	0x3600242,
+	0x3335c9,
+	0x20a1c7,
+	0x351e86,
+	0x330c89,
+	0x298308,
+	0x26e904,
+	0x241ec6,
+	0x222a46,
+	0x3a022c2,
+	0x26480f,
+	0x20948e,
+	0x211d04,
+	0x2c2b85,
+	0x2fe145,
+	0x39e189,
+	0x23c409,
+	0x349a87,
+	0x20fa86,
+	0x275a83,
+	0x3e02a82,
+	0x315503,
+	0x34e24a,
+	0x20f903,
+	0x2af985,
+	0x284202,
+	0x284209,
+	0x4200ec2,
+	0x212484,
+	0x2b9686,
+	0x2f3645,
+	0x3552c4,
+	0x4a05644,
+	0x2030c3,
+	0x232344,
+	0x4e00c02,
+	0x268d44,
+	0x52ef6c4,
+	0x25ef4a,
+	0x5603dc2,
+	0x2ba587,
+	0x2f3b08,
+	0x6208142,
+	0x311687,
+	0x2bf204,
+	0x2bf207,
+	0x36e0c5,
+	0x34ffc7,
+	0x349846,
+	0x24f3c4,
+	0x38c105,
+	0x29e447,
+	0x72001c2,
+	0x26e503,
+	0x200b82,
+	0x200b83,
+	0x760de02,
+	0x2102c5,
+	0x7a02a42,
+	0x350e04,
+	0x2734c5,
+	0x211c47,
+	0x26bcce,
+	0x2b9184,
+	0x245544,
+	0x202f03,
+	0x281d49,
+	0x31ee0b,
+	0x2e9a88,
+	0x379948,
+	0x3a9908,
+	0x22ae48,
+	0x330aca,
+	0x34fec7,
+	0x318186,
+	0x7e87002,
+	0x35e203,
+	0x367e43,
+	0x36f4c4,
+	0x3a8143,
+	0x3250c3,
+	0x1720b82,
+	0x8202502,
+	0x27a8c5,
+	0x296206,
+	0x2d1b84,
+	0x375487,
+	0x2e1886,
+	0x331f84,
+	0x39d3c7,
+	0x203bc3,
+	0x86c54c2,
+	0x8b0f242,
+	0x8e16742,
+	0x216746,
+	0x9200002,
+	0x3523c5,
+	0x3220c3,
+	0x200604,
+	0x2e8f84,
+	0x2e8f85,
+	0x206b43,
+	0x978d2c3,
+	0x9a0bb42,
+	0x289e05,
+	0x289e0b,
+	0x31e686,
+	0x20cb4b,
+	0x221344,
+	0x20d949,
+	0x20e9c4,
+	0x9e0ec02,
+	0x20f143,
+	0x20f403,
+	0x16105c2,
+	0x268183,
+	0x2105ca,
+	0xa20b382,
+	0x216445,
+	0x29224a,
+	0x2d7744,
+	0x283783,
+	0x26cfc4,
+	0x212543,
+	0x212544,
+	0x212547,
+	0x2140c5,
+	0x2147c5,
+	0x214f46,
+	0x2157c6,
+	0x216a03,
+	0x21ae88,
+	0x210043,
+	0xa601c02,
+	0x243448,
+	0x213ccb,
+	0x220148,
+	0x220d86,
+	0x221847,
+	0x225348,
+	0xb642b42,
+	0xbabf3c2,
+	0x326788,
+	0x35e4c7,
+	0x246085,
+	0x357f48,
+	0x2bd408,
+	0x34dd83,
+	0x22a1c4,
+	0x36f502,
+	0xbe2bc82,
+	0xc238482,
+	0xca2e802,
+	0x22e803,
+	0xce01ec2,
+	0x2fe203,
+	0x2f1e84,
+	0x201ec3,
+	0x26e8c4,
+	0x201ecb,
+	0x213c03,
+	0x2de946,
+	0x239f84,
+	0x29034e,
+	0x371145,
+	0x38af48,
+	0x31ffc7,
+	0x31ffca,
+	0x229743,
+	0x22f147,
+	0x31efc5,
+	0x22f8c4,
+	0x265b06,
+	0x265b07,
+	0x2c11c4,
+	0x2f7a87,
+	0x313d44,
+	0x26c004,
+	0x26c006,
+	0x387184,
+	0x3510c6,
+	0x203f83,
+	0x35e288,
+	0x203f88,
+	0x245503,
+	0x268143,
+	0x399a04,
+	0x39e003,
+	0xd219f02,
+	0xd6d6a42,
+	0x20bac3,
+	0x207146,
+	0x241fc3,
+	0x377cc4,
+	0xdaee982,
+	0x3af843,
+	0x3507c3,
+	0x217a02,
+	0xde04142,
+	0x2c1946,
+	0x233ac7,
+	0x2e8945,
+	0x37de04,
+	0x28c505,
+	0x268907,
+	0x267805,
+	0x2b8649,
+	0x2cefc6,
+	0x2daa88,
+	0x2e8846,
+	0xe21a1c2,
+	0x32ca08,
+	0x2f1c46,
+	0x21a1c5,
+	0x2f6d87,
+	0x309984,
+	0x309985,
+	0x276384,
+	0x276388,
+	0xe60cc02,
+	0xea09882,
+	0x3103c6,
+	0x3b8988,
+	0x334385,
+	0x337306,
+	0x342f08,
+	0x344a88,
+	0xee09885,
+	0xf2142c4,
+	0x3b0787,
+	0xf60e5c2,
+	0xfa1b102,
+	0x10a099c2,
+	0x2b9785,
+	0x2a2645,
+	0x2fef86,
+	0x3b2547,
+	0x380747,
+	0x112a84c3,
+	0x2a84c7,
+	0x31eb08,
+	0x376ec9,
+	0x376d07,
+	0x384d07,
+	0x3a8ec8,
+	0x3ad4c6,
+	0x22f3c6,
+	0x23000c,
+	0x23120a,
+	0x231687,
+	0x232c8b,
+	0x233907,
+	0x23390e,
+	0x234cc4,
+	0x235ac4,
+	0x237a47,
+	0x3690c7,
+	0x23b206,
+	0x23b207,
+	0x23b4c7,
+	0x19604682,
+	0x23c886,
+	0x23c88a,
+	0x23ce8b,
+	0x23dbc7,
+	0x23ed45,
+	0x23f083,
+	0x240586,
+	0x240587,
+	0x38eb43,
+	0x19a0c442,
+	0x240f4a,
+	0x19f5d882,
+	0x1a2a5e02,
+	0x1a643142,
+	0x1aa2cd82,
+	0x244bc5,
+	0x245304,
+	0x1b205742,
+	0x268dc5,
+	0x23d483,
+	0x20eac5,
+	0x22ad44,
+	0x206804,
+	0x314046,
+	0x25e206,
+	0x28a003,
+	0x238284,
+	0x3a6803,
+	0x1b600dc2,
+	0x391c04,
+	0x391c06,
+	0x3b0d05,
+	0x205e06,
+	0x2f6e88,
+	0x266e84,
+	0x27ed08,
+	0x2426c5,
+	0x228308,
+	0x29ff86,
+	0x237587,
+	0x22e204,
+	0x22e206,
+	0x33f443,
+	0x383ec3,
+	0x223d08,
+	0x318dc4,
+	0x348747,
+	0x23e6c6,
+	0x2d6389,
+	0x250348,
+	0x26cd08,
+	0x26d084,
+	0x351443,
+	0x225e02,
+	0x1c60f882,
+	0x1ca10e82,
+	0x3a7403,
+	0x1ce04a42,
+	0x38eac4,
+	0x2862c6,
+	0x26e605,
+	0x21ba03,
+	0x232884,
+	0x2b14c7,
+	0x33da03,
+	0x231a88,
+	0x208545,
+	0x36e803,
+	0x273445,
+	0x273584,
+	0x2f6a86,
+	0x209ec4,
+	0x211346,
+	0x211b86,
+	0x3916c4,
+	0x213b43,
+	0x1d205882,
+	0x247345,
+	0x221c03,
+	0x1d61b0c2,
+	0x22ffc3,
+	0x209bc5,
+	0x232403,
+	0x232409,
+	0x1da05f02,
+	0x1e205e42,
+	0x2893c5,
+	0x218786,
+	0x2d1746,
+	0x2b0a88,
+	0x2b0a8b,
+	0x20718b,
+	0x2e8b45,
+	0x2db145,
+	0x2c6309,
+	0x1600302,
+	0x391888,
+	0x20dc44,
+	0x1ea007c2,
+	0x3a7883,
+	0x1f2c6086,
+	0x20ae88,
+	0x1f601402,
+	0x2344c8,
+	0x1fa2bb82,
+	0x3b92ca,
+	0x1feccc43,
+	0x3ac1c6,
+	0x3af408,
+	0x3ac008,
+	0x31d006,
+	0x36bc07,
+	0x264a07,
+	0x3349ca,
+	0x2d77c4,
+	0x3474c4,
+	0x35c1c9,
+	0x20794385,
+	0x209686,
+	0x20e1c3,
+	0x24a044,
+	0x20a02644,
+	0x202647,
+	0x212fc7,
+	0x22a584,
+	0x285445,
+	0x2ff048,
+	0x366747,
+	0x370f07,
+	0x20e18342,
+	0x327704,
+	0x292b48,
+	0x245bc4,
+	0x247784,
+	0x248085,
+	0x2481c7,
+	0x223589,
+	0x248fc4,
+	0x249709,
+	0x249948,
+	0x249dc4,
+	0x249dc7,
+	0x2124aa83,
+	0x24ad47,
+	0x1609d02,
+	0x16ad202,
+	0x24bec6,
+	0x24c507,
+	0x24cd44,
+	0x24e6c7,
+	0x24fa47,
+	0x24fdc3,
+	0x248902,
+	0x229642,
+	0x250a03,
+	0x250a04,
+	0x250a0b,
+	0x379a48,
+	0x256804,
+	0x2523c5,
+	0x254007,
+	0x2555c5,
+	0x2bc00a,
+	0x256743,
+	0x2160fc82,
+	0x226e84,
+	0x258d89,
+	0x25c343,
+	0x25c407,
+	0x24a849,
+	0x282688,
+	0x204743,
+	0x278fc7,
+	0x279709,
+	0x268ac3,
+	0x2810c4,
+	0x283c89,
+	0x2880c6,
+	0x289683,
+	0x200182,
+	0x21f983,
+	0x3a8a87,
+	0x21f985,
+	0x379746,
+	0x256e84,
+	0x302e85,
+	0x2e4403,
+	0x216c46,
+	0x20db42,
+	0x395144,
+	0x221402,
+	0x221403,
+	0x21a00782,
+	0x247303,
+	0x215c44,
+	0x215c47,
+	0x200906,
+	0x202602,
+	0x21e025c2,
+	0x2dca84,
+	0x22235e82,
+	0x22600b02,
+	0x2d4f84,
+	0x2d4f85,
+	0x2b6dc5,
+	0x390e06,
+	0x22a05d42,
+	0x205d45,
+	0x20cf05,
+	0x20ae03,
+	0x210986,
+	0x2126c5,
+	0x2166c2,
+	0x343605,
+	0x2166c4,
+	0x221ec3,
+	0x227343,
+	0x22e0c642,
+	0x2d4987,
+	0x3669c4,
+	0x3669c9,
+	0x249f44,
+	0x291d43,
+	0x2f6609,
+	0x367508,
+	0x232a24c4,
+	0x2a24c6,
+	0x21c303,
+	0x247bc3,
+	0x2e9dc3,
+	0x236eb382,
+	0x368cc2,
+	0x23a05e82,
+	0x323cc8,
+	0x32a388,
+	0x398e46,
+	0x2e27c5,
+	0x22efc5,
+	0x352ec7,
+	0x21d205,
+	0x228782,
+	0x23e38182,
+	0x1603002,
+	0x2416c8,
+	0x32c945,
+	0x2e3404,
+	0x2ebac5,
+	0x23f407,
+	0x3207c4,
+	0x240e42,
+	0x24200582,
+	0x338984,
+	0x212cc7,
+	0x28a2c7,
+	0x34ff84,
+	0x292203,
+	0x245444,
+	0x245448,
+	0x22f706,
+	0x26598a,
+	0x223444,
+	0x292588,
+	0x288504,
+	0x221946,
+	0x294684,
+	0x2b9a86,
+	0x366c89,
+	0x25da47,
+	0x3375c3,
+	0x24667e42,
+	0x267e43,
+	0x20ee02,
+	0x24a11ec2,
+	0x3085c6,
+	0x365c88,
+	0x2a4087,
+	0x3a3f49,
+	0x291c49,
+	0x2a5045,
+	0x2a6049,
+	0x2a6805,
+	0x2a6949,
+	0x2a8005,
+	0x2a9108,
+	0x21fb84,
+	0x24e890c7,
+	0x2a9303,
+	0x2a9307,
+	0x3850c6,
+	0x2a9b87,
+	0x2a1085,
+	0x2935c3,
+	0x2521ae02,
+	0x3b40c4,
+	0x2562ce82,
+	0x258203,
+	0x25a17f42,
+	0x36d586,
+	0x2f3a85,
+	0x2ac207,
+	0x26cc43,
+	0x325044,
+	0x20e903,
+	0x33e783,
+	0x25e02bc2,
+	0x266015c2,
+	0x398804,
+	0x2488c3,
+	0x243c85,
+	0x26a029c2,
+	0x27206482,
+	0x2b4506,
+	0x318f04,
+	0x2e3004,
+	0x2e300a,
+	0x27a01fc2,
+	0x37204a,
+	0x3756c8,
+	0x27fb1384,
+	0x20ad83,
+	0x201fc3,
+	0x3a9a49,
+	0x217649,
+	0x285246,
+	0x28244183,
+	0x3292c5,
+	0x30180d,
+	0x375886,
+	0x3bac8b,
+	0x28602e82,
+	0x22c1c8,
+	0x29206e82,
+	0x29606fc2,
+	0x2ae585,
+	0x29a03942,
+	0x258447,
+	0x21c907,
+	0x21e003,
+	0x2306c8,
+	0x29e06502,
+	0x312684,
+	0x212943,
+	0x351d45,
+	0x34db83,
+	0x2f3546,
+	0x205904,
+	0x268103,
+	0x2ae9c3,
+	0x2a205fc2,
+	0x2e8ac4,
+	0x35f6c5,
+	0x39f1c7,
+	0x275643,
+	0x2ad883,
+	0x2ae083,
+	0x160fec2,
+	0x2ae143,
+	0x2ae943,
+	0x2a605102,
+	0x282104,
+	0x25e406,
+	0x342643,
+	0x2aec43,
+	0x2aaafd42,
+	0x2afd48,
+	0x2b0004,
+	0x36c246,
+	0x2b0387,
+	0x249c46,
+	0x28e2c4,
+	0x38600682,
+	0x384f8b,
+	0x2fb08e,
+	0x21930f,
+	0x2985c3,
+	0x38ebbbc2,
+	0x1600f42,
+	0x39201582,
+	0x28f403,
+	0x2fdec3,
+	0x233706,
+	0x277c46,
+	0x3afd87,
+	0x3328c4,
+	0x396188c2,
+	0x39a08882,
+	0x348345,
+	0x2e6047,
+	0x3b5746,
+	0x39e27282,
+	0x227284,
+	0x2b3ac3,
+	0x3a20be02,
+	0x3a759ec3,
+	0x2b4c44,
+	0x2be409,
+	0x16c3ac2,
+	0x3aa03a82,
+	0x203a85,
+	0x3aec3d42,
+	0x3b203202,
+	0x346947,
+	0x239689,
+	0x35ca0b,
+	0x2647c5,
+	0x2c4849,
+	0x2e8246,
+	0x31e6c7,
+	0x3b608484,
+	0x3199c9,
+	0x373487,
+	0x20ab47,
+	0x20a383,
+	0x20a386,
+	0x3b68c7,
+	0x206a43,
+	0x2565c6,
+	0x3be02a02,
+	0x3c232682,
+	0x385803,
+	0x324c45,
+	0x350f47,
+	0x250086,
+	0x21f905,
+	0x277d44,
+	0x2c9fc5,
+	0x2f2684,
+	0x3c6040c2,
+	0x331107,
+	0x2dbd44,
+	0x217544,
+	0x21754d,
+	0x257509,
+	0x3a4448,
+	0x253944,
+	0x3abc45,
+	0x206447,
+	0x2144c4,
+	0x2e1947,
+	0x21c485,
+	0x3caa4604,
+	0x2d92c5,
+	0x25b004,
+	0x24bb86,
+	0x3b2345,
+	0x3ce250c2,
+	0x283844,
+	0x283845,
+	0x36fa46,
+	0x20c3c5,
+	0x30c304,
+	0x2c5dc3,
+	0x2053c6,
+	0x358505,
+	0x2bb485,
+	0x3b2444,
+	0x2234c3,
+	0x2234cc,
+	0x3d288a02,
+	0x3d6010c2,
+	0x3da00282,
+	0x206343,
+	0x206344,
+	0x3de04bc2,
+	0x2f9688,
+	0x379805,
+	0x235684,
+	0x23b086,
+	0x3e201f42,
+	0x3e609782,
+	0x3ea00e82,
+	0x306b85,
+	0x391586,
+	0x211084,
+	0x3263c6,
+	0x2ba346,
+	0x219943,
+	0x3ef0de0a,
+	0x247b05,
+	0x2c8e83,
+	0x223186,
+	0x300fc9,
+	0x223187,
+	0x297788,
+	0x2981c9,
+	0x224348,
+	0x229486,
+	0x20bf03,
+	0x3f2a8542,
+	0x385683,
+	0x385689,
+	0x332448,
+	0x3f649a02,
+	0x3fa02342,
+	0x227f83,
+	0x2da905,
+	0x251ec4,
+	0x2c0909,
+	0x22cb84,
+	0x266348,
+	0x202343,
+	0x202344,
+	0x278b03,
+	0x2187c8,
+	0x217487,
+	0x4020b102,
+	0x274082,
+	0x351905,
+	0x266689,
+	0x209703,
+	0x27b184,
+	0x329284,
+	0x2064c3,
+	0x27c3ca,
+	0x40752bc2,
+	0x40a83802,
+	0x2c5443,
+	0x3739c3,
+	0x1602302,
+	0x38ac03,
+	0x40e0f242,
+	0x4120ec42,
+	0x41610444,
+	0x210446,
+	0x383b06,
+	0x26ad44,
+	0x36c643,
+	0x38bcc3,
+	0x226883,
+	0x23d206,
+	0x2cb8c5,
+	0x2c5a07,
+	0x31e589,
+	0x2ca645,
+	0x2cb806,
+	0x2cbd88,
+	0x2cbf86,
+	0x236a04,
+	0x29944b,
+	0x2ceac3,
+	0x2ceac5,
+	0x2cec08,
+	0x228502,
+	0x346c42,
+	0x41a44c42,
+	0x41e0e602,
+	0x218903,
+	0x422675c2,
+	0x2675c3,
+	0x2cef04,
+	0x2cf5c3,
+	0x42a115c2,
+	0x42ed43c6,
+	0x2a7306,
+	0x43207902,
+	0x4360f442,
+	0x43a27382,
+	0x43e02c82,
+	0x4422dd02,
+	0x44602d02,
+	0x234703,
+	0x390685,
+	0x319606,
+	0x44a11cc4,
+	0x3b0b0a,
+	0x32fe86,
+	0x2e8d84,
+	0x281d03,
+	0x45604642,
+	0x200c82,
+	0x25fd03,
+	0x45a05503,
+	0x2c7b87,
+	0x3b2247,
+	0x47250b07,
+	0x312d87,
+	0x227b03,
+	0x227b0a,
+	0x236b84,
+	0x23e5c4,
+	0x23e5ca,
+	0x213f05,
+	0x47609642,
+	0x24e683,
+	0x47a008c2,
+	0x21c2c3,
+	0x267e03,
+	0x48203342,
+	0x2a8444,
+	0x21de84,
+	0x3b9505,
+	0x305005,
+	0x2e1ac6,
+	0x2e1e46,
+	0x48608442,
+	0x48a033c2,
+	0x3185c5,
+	0x2a7012,
+	0x2511c6,
+	0x220803,
+	0x30a746,
+	0x220805,
+	0x1610602,
+	0x50e120c2,
+	0x353e83,
+	0x2120c3,
+	0x2441c3,
+	0x512023c2,
+	0x376e43,
+	0x5160b482,
+	0x210483,
+	0x282148,
+	0x25e983,
+	0x25e986,
+	0x3a2987,
+	0x306806,
+	0x30680b,
+	0x2e8cc7,
+	0x3b3ec4,
+	0x51e04ec2,
+	0x379685,
+	0x522054c3,
+	0x2a6e03,
+	0x326c05,
+	0x329983,
+	0x52729986,
+	0x391a0a,
+	0x26a9c3,
+	0x204584,
+	0x3b88c6,
+	0x21a5c6,
+	0x52a00983,
+	0x324f07,
+	0x285147,
+	0x29b0c5,
+	0x2318c6,
+	0x224a83,
+	0x54a10bc3,
+	0x54e056c2,
+	0x328144,
+	0x22a2cc,
+	0x236149,
+	0x2414c7,
+	0x249245,
+	0x262a84,
+	0x273cc8,
+	0x278305,
+	0x55284a05,
+	0x28c609,
+	0x351f43,
+	0x2a5d84,
+	0x556013c2,
+	0x2013c3,
+	0x55a94142,
+	0x2a4386,
+	0x160f982,
+	0x55e06e02,
+	0x306a88,
+	0x2be603,
+	0x2d9207,
+	0x2e4d05,
+	0x2dd685,
+	0x32840b,
+	0x2dd686,
+	0x328606,
+	0x2ffac6,
+	0x262c84,
+	0x3042c6,
+	0x2e3508,
+	0x23a043,
+	0x250dc3,
+	0x250dc4,
+	0x2e4484,
+	0x2e4a07,
+	0x2e5ec5,
+	0x562e6002,
+	0x5660ba02,
+	0x20ba05,
+	0x2e83c4,
+	0x2e83cb,
+	0x2e8e88,
+	0x228f44,
+	0x2272c2,
+	0x56e28ec2,
+	0x23b903,
+	0x2e9344,
+	0x2e9605,
+	0x2ea047,
+	0x2eb604,
+	0x2e8b84,
+	0x57201302,
+	0x360cc9,
+	0x2ec405,
+	0x264a85,
+	0x2ecf85,
+	0x57601303,
+	0x2ee0c4,
+	0x2ee0cb,
+	0x2ee644,
+	0x2ef3cb,
+	0x2ef7c5,
+	0x21944a,
+	0x2f0048,
+	0x2f024a,
+	0x2f0ac3,
+	0x2f0aca,
+	0x57a01742,
+	0x57e2d4c2,
+	0x21aa03,
+	0x582f1bc2,
+	0x2f1bc3,
+	0x5875c402,
+	0x58b22842,
+	0x2f2504,
+	0x21afc6,
+	0x326105,
+	0x2f4503,
+	0x31a9c6,
+	0x204405,
+	0x25e704,
+	0x58e05ec2,
+	0x2c9244,
+	0x2c5f8a,
+	0x22d787,
+	0x2f38c6,
+	0x380b07,
+	0x22a403,
+	0x283e48,
+	0x37f48b,
+	0x3736c5,
+	0x333ec5,
+	0x333ec6,
+	0x390884,
+	0x3aa248,
+	0x222943,
+	0x222944,
+	0x222947,
+	0x38e446,
+	0x352686,
+	0x29018a,
+	0x246604,
+	0x24660a,
+	0x59282846,
+	0x282847,
+	0x252447,
+	0x270844,
+	0x270849,
+	0x25e0c5,
+	0x235e0b,
+	0x2e81c3,
+	0x211503,
+	0x22f003,
+	0x22fac4,
+	0x59600482,
+	0x25d4c6,
+	0x293345,
+	0x30a985,
+	0x24f6c6,
+	0x3395c4,
+	0x59a02782,
+	0x23f0c4,
+	0x59e01c42,
+	0x2b9f05,
+	0x21ad84,
+	0x21bec3,
+	0x5a612102,
+	0x212103,
+	0x23ba46,
+	0x5aa03082,
+	0x27f488,
+	0x223004,
+	0x223006,
+	0x374246,
+	0x2540c4,
+	0x205345,
+	0x2141c8,
+	0x216547,
+	0x219687,
+	0x21968f,
+	0x292a46,
+	0x22cf03,
+	0x22cf04,
+	0x310504,
+	0x20d003,
+	0x221a84,
+	0x240944,
+	0x5ae42b02,
+	0x289d43,
+	0x242b03,
+	0x5b209842,
+	0x229f83,
+	0x38eb83,
+	0x21484a,
+	0x358107,
+	0x2efc0c,
+	0x2efec6,
+	0x30a146,
+	0x248547,
+	0x5b64c687,
+	0x24f809,
+	0x243584,
+	0x24fbc4,
+	0x5ba18942,
+	0x5be027c2,
+	0x290546,
+	0x324d04,
+	0x2d6bc6,
+	0x2a5148,
+	0x3b8dc4,
+	0x258486,
+	0x2d1705,
+	0x265c88,
+	0x207383,
+	0x273705,
+	0x273e83,
+	0x264b83,
+	0x264b84,
+	0x2759c3,
+	0x5c2ec082,
+	0x5c602e02,
+	0x2e8089,
+	0x278205,
+	0x278404,
+	0x27a9c5,
+	0x20dd44,
+	0x2e0d07,
+	0x343bc5,
+	0x250cc4,
+	0x250cc8,
+	0x2d5086,
+	0x2d7984,
+	0x2d8e88,
+	0x2dbb87,
+	0x5ca03902,
+	0x2e36c4,
+	0x20d0c4,
+	0x20ad47,
+	0x5ce2b804,
+	0x2ccf42,
+	0x5d201102,
+	0x201543,
+	0x203984,
+	0x2aa283,
+	0x374e05,
+	0x5d61e182,
+	0x2eb285,
+	0x202c42,
+	0x34d5c5,
+	0x365e45,
+	0x5da00c42,
+	0x350744,
+	0x5de00d02,
+	0x2387c6,
+	0x29a146,
+	0x2667c8,
+	0x2bfa08,
+	0x36d504,
+	0x36d6c5,
+	0x3610c9,
+	0x2db1c4,
+	0x3919c4,
+	0x205183,
+	0x5e222705,
+	0x2c3b87,
+	0x2a2744,
+	0x341e8d,
+	0x361782,
+	0x361783,
+	0x364503,
+	0x5e600802,
+	0x388305,
+	0x25f9c7,
+	0x205b44,
+	0x312e47,
+	0x2983c9,
+	0x2c60c9,
+	0x2519c7,
+	0x273b03,
+	0x273b08,
+	0x2ed249,
+	0x24e187,
+	0x373605,
+	0x39e086,
+	0x39fb86,
+	0x3a3c05,
+	0x257605,
+	0x5ea02d82,
+	0x36ce45,
+	0x2b2908,
+	0x2c1706,
+	0x5eeb7487,
+	0x2efa04,
+	0x2aa987,
+	0x2f62c6,
+	0x5f230982,
+	0x36f746,
+	0x2f83ca,
+	0x2f8e85,
+	0x5f6de402,
+	0x5fa36542,
+	0x3b6c06,
+	0x2a1e88,
+	0x5fe8a487,
+	0x60234e42,
+	0x2255c3,
+	0x311d86,
+	0x225044,
+	0x3a2846,
+	0x390b06,
+	0x26ff0a,
+	0x331c05,
+	0x367ec6,
+	0x3759c3,
+	0x3759c4,
+	0x207102,
+	0x309943,
+	0x60606382,
+	0x2f0f83,
+	0x3722c4,
+	0x2a1fc4,
+	0x2a1fca,
+	0x229543,
+	0x276288,
+	0x22954a,
+	0x27b447,
+	0x2fcd86,
+	0x238684,
+	0x290bc2,
+	0x2a2e82,
+	0x60a04002,
+	0x245403,
+	0x252207,
+	0x31ac87,
+	0x2848c4,
+	0x26f8c7,
+	0x2ea146,
+	0x216847,
+	0x35e604,
+	0x242a05,
+	0x2b7985,
+	0x60e0fe82,
+	0x20fe86,
+	0x218283,
+	0x220502,
+	0x220506,
+	0x61203e02,
+	0x6160b0c2,
+	0x3ba785,
+	0x61a21c82,
+	0x61e03b42,
+	0x33b5c5,
+	0x393105,
+	0x367f85,
+	0x267303,
+	0x286385,
+	0x2dd747,
+	0x307bc5,
+	0x306185,
+	0x38b044,
+	0x3204c6,
+	0x23e804,
+	0x62201442,
+	0x62f630c5,
+	0x2ebe07,
+	0x2d6dc8,
+	0x25fe86,
+	0x25fe8d,
+	0x260709,
+	0x260712,
+	0x32f345,
+	0x3339c3,
+	0x6320a9c2,
+	0x309444,
+	0x375903,
+	0x360fc5,
+	0x2fa085,
+	0x63612982,
+	0x36e843,
+	0x63a50b82,
+	0x642bf542,
+	0x6460fb42,
+	0x353805,
+	0x37ac43,
+	0x37a4c8,
+	0x64a07842,
+	0x64e000c2,
+	0x2a8406,
+	0x33b80a,
+	0x21bf03,
+	0x20c343,
+	0x2ee3c3,
+	0x65a02dc2,
+	0x73e35482,
+	0x74601c82,
+	0x201682,
+	0x36f549,
+	0x2c2f04,
+	0x2309c8,
+	0x74af4542,
+	0x74e08602,
+	0x2ef605,
+	0x2330c8,
+	0x282288,
+	0x2f858c,
+	0x22d543,
+	0x25a9c2,
+	0x75201f82,
+	0x2caac6,
+	0x2fdc05,
+	0x26d343,
+	0x23cc46,
+	0x2fdd46,
+	0x201f83,
+	0x2ff883,
+	0x300786,
+	0x3013c4,
+	0x295586,
+	0x2cec85,
+	0x30164a,
+	0x2eebc4,
+	0x302304,
+	0x30370a,
+	0x7566b082,
+	0x337745,
+	0x30478a,
+	0x305285,
+	0x305b44,
+	0x305c46,
+	0x305dc4,
+	0x218dc6,
+	0x75a6dac2,
+	0x2f3206,
+	0x2f3dc5,
+	0x3ab6c7,
+	0x200206,
+	0x248744,
+	0x2d5e07,
+	0x30dd46,
+	0x2b8a45,
+	0x381947,
+	0x39eb47,
+	0x39eb4e,
+	0x25ed06,
+	0x2e1805,
+	0x27dec7,
+	0x282b43,
+	0x3b2f87,
+	0x20f5c5,
+	0x212144,
+	0x212f82,
+	0x3addc7,
+	0x332944,
+	0x377404,
+	0x273f0b,
+	0x21d5c3,
+	0x2b6987,
+	0x21d5c4,
+	0x2cc0c7,
+	0x228bc3,
+	0x33678d,
+	0x388b48,
+	0x21d044,
+	0x250bc5,
+	0x307d05,
+	0x308143,
+	0x75e22f02,
+	0x309903,
+	0x309fc3,
+	0x210004,
+	0x279805,
+	0x218307,
+	0x375a46,
+	0x372003,
+	0x23ab4b,
+	0x26ba4b,
+	0x2a654b,
+	0x2de44a,
+	0x30254b,
+	0x31be8b,
+	0x356b8c,
+	0x378d11,
+	0x3b654a,
+	0x3ba10b,
+	0x30ad8b,
+	0x30b34a,
+	0x30b88a,
+	0x30cb4e,
+	0x30d18b,
+	0x30d44a,
+	0x30ef11,
+	0x30f34a,
+	0x30f84b,
+	0x30fd8e,
+	0x31078c,
+	0x310c4b,
+	0x310f0e,
+	0x31128c,
+	0x31474a,
+	0x31698c,
+	0x76316c8a,
+	0x317489,
+	0x31af4a,
+	0x31b1ca,
+	0x31b44b,
+	0x31f60e,
+	0x31f991,
+	0x328b89,
+	0x328dca,
+	0x3295cb,
+	0x32a84a,
+	0x32b316,
+	0x32e14b,
+	0x32f10a,
+	0x32f50a,
+	0x33084b,
+	0x333449,
+	0x337109,
+	0x337d4d,
+	0x33870b,
+	0x33978b,
+	0x33a14b,
+	0x33a609,
+	0x33ac4e,
+	0x33b30a,
+	0x33fc8a,
+	0x33ffca,
+	0x340b8b,
+	0x3413cb,
+	0x34168d,
+	0x342c0d,
+	0x343290,
+	0x34374b,
+	0x34408c,
+	0x34480b,
+	0x34644b,
+	0x34798b,
+	0x34c00b,
+	0x34ca8f,
+	0x34ce4b,
+	0x34d94a,
+	0x34e689,
+	0x34f409,
+	0x34f8cb,
+	0x34fb8e,
+	0x35434b,
+	0x35574f,
+	0x35864b,
+	0x35890b,
+	0x358bcb,
+	0x3590ca,
+	0x35c609,
+	0x35f34f,
+	0x36424c,
+	0x36488c,
+	0x364d0e,
+	0x3653cf,
+	0x36578e,
+	0x365fd0,
+	0x3663cf,
+	0x366f4e,
+	0x36770c,
+	0x367a12,
+	0x3689d1,
+	0x36988e,
+	0x36a04e,
+	0x36a58e,
+	0x36a90f,
+	0x36acce,
+	0x36b053,
+	0x36b511,
+	0x36b94e,
+	0x36bdcc,
+	0x36d913,
+	0x36e210,
+	0x36ea8c,
+	0x36ed8c,
+	0x36f24b,
+	0x3703ce,
+	0x370c8b,
+	0x3715cb,
+	0x37258c,
+	0x37814a,
+	0x37850c,
+	0x37880c,
+	0x378b09,
+	0x37bb8b,
+	0x37be48,
+	0x37c049,
+	0x37c04f,
+	0x37d98b,
+	0x7677eb8a,
+	0x381fcc,
+	0x383189,
+	0x383608,
+	0x38380b,
+	0x383c8b,
+	0x38480a,
+	0x384a8b,
+	0x38540c,
+	0x386008,
+	0x388d4b,
+	0x38b44b,
+	0x39484b,
+	0x3958cb,
+	0x39e6cb,
+	0x39e989,
+	0x39eecd,
+	0x3a464a,
+	0x3a5597,
+	0x3a6bd8,
+	0x3a96c9,
+	0x3ab30b,
+	0x3ac814,
+	0x3acd0b,
+	0x3ad28a,
+	0x3aea0a,
+	0x3aec8b,
+	0x3b4250,
+	0x3b4651,
+	0x3b4d0a,
+	0x3b5b4d,
+	0x3b624d,
+	0x3ba3cb,
+	0x3bbd46,
+	0x20ff83,
+	0x76b80483,
+	0x22cdc6,
+	0x247645,
+	0x27a007,
+	0x31bd46,
+	0x1656682,
+	0x2ad9c9,
+	0x31a7c4,
+	0x2dacc8,
+	0x232b43,
+	0x309387,
+	0x234f42,
+	0x2ac243,
+	0x76e07b02,
+	0x2c7406,
+	0x2c9884,
+	0x369f44,
+	0x390143,
+	0x390145,
+	0x776c3d82,
+	0x77aa6cc4,
+	0x270787,
+	0x77e4a282,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x209703,
+	0x205503,
+	0x200983,
+	0x204e83,
+	0x205702,
+	0x16d208,
+	0x2099c2,
+	0x2e9dc3,
+	0x209703,
+	0x205503,
+	0x200983,
+	0x214843,
+	0x324556,
+	0x325793,
+	0x26f749,
+	0x3b0688,
+	0x379509,
+	0x304906,
+	0x3389d0,
+	0x254b53,
+	0x38e508,
+	0x28ea47,
+	0x36c747,
+	0x284d0a,
+	0x372349,
+	0x38d849,
+	0x28decb,
+	0x349846,
+	0x379b4a,
+	0x220d86,
+	0x31a3c3,
+	0x2d48c5,
+	0x35e288,
+	0x23888d,
+	0x2b984c,
+	0x2de0c7,
+	0x30b00d,
+	0x2142c4,
+	0x22fd8a,
+	0x230d4a,
+	0x23120a,
+	0x2099c7,
+	0x23af07,
+	0x23d844,
+	0x22e206,
+	0x20c144,
+	0x2b4148,
+	0x22cbc9,
+	0x2b0a86,
+	0x2b0a88,
+	0x2422cd,
+	0x2c6309,
+	0x3ac008,
+	0x264a07,
+	0x2f1f0a,
+	0x24c506,
+	0x2580c7,
+	0x2cc3c4,
+	0x23f287,
+	0x309c0a,
+	0x3ae54e,
+	0x21d205,
+	0x3b4a4b,
+	0x331a09,
+	0x217649,
+	0x21c747,
+	0x2a34ca,
+	0x20ac87,
+	0x2fb1c9,
+	0x38f0c8,
+	0x3533cb,
+	0x2da905,
+	0x3a430a,
+	0x266e09,
+	0x26d2ca,
+	0x2ca6cb,
+	0x23f18b,
+	0x28dc55,
+	0x2e3b85,
+	0x264a85,
+	0x2ee0ca,
+	0x3945ca,
+	0x331787,
+	0x21da83,
+	0x2904c8,
+	0x2d2c4a,
+	0x223006,
+	0x24dfc9,
+	0x265c88,
+	0x2d7984,
+	0x2aa289,
+	0x2bfa08,
+	0x29fec7,
+	0x3630c6,
+	0x2ebe07,
+	0x289a47,
+	0x23d005,
+	0x21d04c,
+	0x250bc5,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x205503,
+	0x200983,
+	0x2099c2,
+	0x2a84c3,
+	0x205503,
+	0x204e83,
+	0x200983,
+	0x2a84c3,
+	0x205503,
+	0x25e983,
+	0x200983,
+	0x16d208,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x209703,
+	0x205503,
+	0x200983,
+	0x16d208,
+	0x2099c2,
+	0x2006c2,
+	0x231442,
+	0x206502,
+	0x200542,
+	0x2decc2,
+	0x46a84c3,
+	0x232403,
+	0x2163c3,
+	0x2e9dc3,
+	0x244183,
+	0x209703,
+	0x2d47c6,
+	0x205503,
+	0x200983,
+	0x233183,
+	0x16d208,
+	0x31ae44,
+	0x202107,
+	0x392403,
+	0x2ae584,
+	0x22e043,
+	0x21c7c3,
+	0x2e9dc3,
+	0x16fc07,
+	0x205702,
+	0x18d2c3,
+	0x5a099c2,
+	0x88f4d,
+	0x8928d,
+	0x231442,
+	0x1b1384,
+	0x200442,
+	0x5fb1288,
+	0xed844,
+	0x16d208,
+	0x1411d82,
+	0x15054c6,
+	0x231783,
+	0x200c03,
+	0x66a84c3,
+	0x22fd84,
+	0x6a32403,
+	0x6ee9dc3,
+	0x202bc2,
+	0x3b1384,
+	0x205503,
+	0x2f78c3,
+	0x203ec2,
+	0x200983,
+	0x21b5c2,
+	0x2f2443,
+	0x203082,
+	0x211643,
+	0x265d43,
+	0x200202,
+	0x16d208,
+	0x231783,
+	0x2f78c3,
+	0x203ec2,
+	0x2f2443,
+	0x203082,
+	0x211643,
+	0x265d43,
+	0x200202,
+	0x2f2443,
+	0x203082,
+	0x211643,
+	0x265d43,
+	0x200202,
+	0x2a84c3,
+	0x38d2c3,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x3b1384,
+	0x244183,
+	0x209703,
+	0x211cc4,
+	0x205503,
+	0x200983,
+	0x20f942,
+	0x201303,
+	0x16d208,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x209703,
+	0x205503,
+	0x200983,
+	0x38d2c3,
+	0x2099c2,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x3b1384,
+	0x205503,
+	0x200983,
+	0x373605,
+	0x212982,
+	0x205702,
+	0x16d208,
+	0x1456108,
+	0x2e9dc3,
+	0x2274c1,
+	0x202901,
+	0x202941,
+	0x23ad81,
+	0x23ad01,
+	0x30aec1,
+	0x23aec1,
+	0x2275c1,
+	0x2eea41,
+	0x30afc1,
+	0x200141,
+	0x200001,
+	0x129845,
+	0x16d208,
+	0x201ec1,
+	0x200701,
+	0x200301,
+	0x200081,
+	0x200181,
+	0x200401,
+	0x200041,
+	0x201181,
+	0x200101,
+	0x200281,
+	0x200e81,
+	0x2008c1,
+	0x200441,
+	0x201301,
+	0x206ec1,
+	0x200341,
+	0x200801,
+	0x2002c1,
+	0x2000c1,
+	0x201501,
+	0x200201,
+	0x200bc1,
+	0x2005c1,
+	0x201cc1,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x205503,
+	0x200983,
+	0x2099c2,
+	0x2a84c3,
+	0x232403,
+	0x200442,
+	0x200983,
+	0x16fc07,
+	0x9807,
+	0x1cdc6,
+	0x13ef8a,
+	0x88648,
+	0x51d48,
+	0x52107,
+	0x191106,
+	0xd8c05,
+	0x192345,
+	0x5d306,
+	0x125c86,
+	0x25ef44,
+	0x311547,
+	0x16d208,
+	0x2d5f04,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x205503,
+	0x200983,
+	0x2a84c3,
+	0x232403,
+	0x2163c3,
+	0x2e9dc3,
+	0x244183,
+	0x209703,
+	0x205503,
+	0x200983,
+	0x212982,
+	0x2c5983,
+	0x2bb143,
+	0x32c243,
+	0x2022c2,
+	0x25d183,
+	0x2030c3,
+	0x204903,
+	0x200001,
+	0x2dc745,
+	0x206b43,
+	0x221344,
+	0x26cc83,
+	0x318ec3,
+	0x21b103,
+	0x35ff43,
+	0xaaa84c3,
+	0x235ac4,
+	0x23dbc3,
+	0x21cc43,
+	0x21b0c3,
+	0x22ffc3,
+	0x232403,
+	0x232143,
+	0x2459c3,
+	0x2a2703,
+	0x318e43,
+	0x2344c3,
+	0x202643,
+	0x24ce44,
+	0x24e347,
+	0x248902,
+	0x250943,
+	0x256303,
+	0x273ac3,
+	0x390f43,
+	0x2025c3,
+	0xaee9dc3,
+	0x20bec3,
+	0x2143c3,
+	0x24a5c3,
+	0x328085,
+	0x209d43,
+	0x2fa383,
+	0xb21f903,
+	0x365f03,
+	0x20d543,
+	0x227f83,
+	0x209703,
+	0x228502,
+	0x27d2c3,
+	0x205503,
+	0x1604e83,
+	0x224a43,
+	0x209a43,
+	0x204a03,
+	0x200983,
+	0x35fe83,
+	0x20f943,
+	0x201303,
+	0x2efe83,
+	0x2ff903,
+	0x2f2603,
+	0x204405,
+	0x23e743,
+	0x285346,
+	0x2f2643,
+	0x36cf43,
+	0x3759c4,
+	0x2d9083,
+	0x2284c3,
+	0x267ec3,
+	0x233183,
+	0x212982,
+	0x22d543,
+	0x3024c3,
+	0x304144,
+	0x377404,
+	0x20ce83,
+	0x16d208,
+	0x205702,
+	0x200242,
+	0x2022c2,
+	0x201702,
+	0x202a42,
+	0x206c02,
+	0x245482,
+	0x2007c2,
+	0x20d882,
+	0x200e82,
+	0x20b102,
+	0x20e602,
+	0x2675c2,
+	0x2056c2,
+	0x2decc2,
+	0x2013c2,
+	0x2069c2,
+	0x201302,
+	0x2172c2,
+	0x202482,
+	0x200482,
+	0x219382,
+	0x202782,
+	0x209842,
+	0x2027c2,
+	0x222702,
+	0x203b42,
+	0x5702,
+	0x242,
+	0x22c2,
+	0x1702,
+	0x2a42,
+	0x6c02,
+	0x45482,
+	0x7c2,
+	0xd882,
+	0xe82,
+	0xb102,
+	0xe602,
+	0x675c2,
+	0x56c2,
+	0xdecc2,
+	0x13c2,
+	0x69c2,
+	0x1302,
+	0x172c2,
+	0x2482,
+	0x482,
+	0x19382,
+	0x2782,
+	0x9842,
+	0x27c2,
+	0x22702,
+	0x3b42,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x205503,
+	0x200983,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x205503,
+	0x200983,
+	0x2099c2,
+	0x200983,
+	0xc6a84c3,
+	0x2e9dc3,
+	0x209703,
+	0x21a2c2,
+	0x16d208,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x205503,
+	0x200983,
+	0x7b02,
+	0x201bc2,
+	0x153f3c5,
+	0x25ed82,
+	0x16d208,
+	0x99c2,
+	0x20c182,
+	0x208d02,
+	0x2024c2,
+	0x209642,
+	0x208442,
+	0x192345,
+	0x2038c2,
+	0x203ec2,
+	0x2023c2,
+	0x204dc2,
+	0x2013c2,
+	0x385502,
+	0x201102,
+	0x236582,
+	0x16fc07,
+	0x1b270d,
+	0xd8c89,
+	0x56e8b,
+	0xdd608,
+	0x53dc9,
+	0xfacc6,
+	0x2e9dc3,
+	0x16d208,
+	0x16d208,
+	0x52e06,
+	0x1a78c7,
+	0x205702,
+	0x25ef44,
+	0x2099c2,
+	0x2a84c3,
+	0x2006c2,
+	0x232403,
+	0x20d882,
+	0x2d5f04,
+	0x244183,
+	0x249a02,
+	0x205503,
+	0x200442,
+	0x200983,
+	0x264a86,
+	0x31ba0f,
+	0x70a403,
+	0x16d208,
+	0x2099c2,
+	0x2163c3,
+	0x2e9dc3,
+	0x209703,
+	0x1526f4b,
+	0xd9888,
+	0x142b68a,
+	0x14fa807,
+	0xda405,
+	0x16fc07,
+	0x2099c2,
+	0x2a84c3,
+	0x2e9dc3,
+	0x205503,
+	0x205702,
+	0x20c202,
+	0x20bb42,
+	0xfea84c3,
+	0x23c042,
+	0x232403,
+	0x209d02,
+	0x221402,
+	0x2e9dc3,
+	0x228782,
+	0x251442,
+	0x2a6c82,
+	0x200f82,
+	0x28d742,
+	0x203442,
+	0x202e42,
+	0x267e42,
+	0x24ecc2,
+	0x211ec2,
+	0x2ad882,
+	0x2eab02,
+	0x2182c2,
+	0x2ad342,
+	0x209703,
+	0x20ec42,
+	0x205503,
+	0x200e42,
+	0x281702,
+	0x200983,
+	0x25d202,
+	0x209842,
+	0x218942,
+	0x202e02,
+	0x200c42,
+	0x2de402,
+	0x20fe82,
+	0x250b82,
+	0x220642,
+	0x30d44a,
+	0x34d94a,
+	0x37fc4a,
+	0x3bbec2,
+	0x202cc2,
+	0x2058c2,
+	0x1026e389,
+	0x1072510a,
+	0x1594ac7,
+	0x1410843,
+	0x24d50,
+	0x50642,
+	0x2030c4,
+	0x10ea84c3,
+	0x232403,
+	0x249944,
+	0x2e9dc3,
+	0x3b1384,
+	0x244183,
+	0x209703,
+	0x205503,
+	0xdc105,
+	0x204e83,
+	0x200983,
+	0x23e743,
+	0x25ed03,
+	0x16d208,
+	0x1591084,
+	0x18ff45,
+	0x1a768a,
+	0x116902,
+	0x18ae46,
+	0xaf551,
+	0x1166e389,
+	0x18ffc8,
+	0x13f9c8,
+	0xff387,
+	0xec2,
+	0x12984b,
+	0x1a5b0a,
+	0x21347,
+	0x16d208,
+	0x108f08,
+	0xe4c7,
+	0x17818f4b,
+	0x1b887,
+	0x1c02,
+	0x6c707,
+	0x1a1ca,
+	0x13f6cf,
+	0x988f,
+	0x1b102,
+	0x99c2,
+	0xa2648,
+	0x19e30a,
+	0x1320c8,
+	0xdc2,
+	0x13f44f,
+	0x9e18b,
+	0x68bc8,
+	0x38f47,
+	0x388a,
+	0x304cb,
+	0x4efc9,
+	0x11dd07,
+	0xfc34c,
+	0x2c07,
+	0x19b40a,
+	0xd4ac8,
+	0x1a3cce,
+	0x1cdce,
+	0x2118b,
+	0x26ccb,
+	0x27d4b,
+	0x2c009,
+	0x2da0b,
+	0x5e7cd,
+	0x85acb,
+	0xdfc8d,
+	0xe000d,
+	0xe164a,
+	0x17724b,
+	0x1ae0cb,
+	0x31c45,
+	0x1424d50,
+	0x12618f,
+	0x1268cf,
+	0xe2c0d,
+	0x1b8f90,
+	0x2bb82,
+	0x17fb0388,
+	0x9688,
+	0x182ee705,
+	0x48fcb,
+	0x117090,
+	0x4fdc8,
+	0x26e8a,
+	0x56b49,
+	0x5cb47,
+	0x5ce87,
+	0x5d047,
+	0x5f507,
+	0x60587,
+	0x60b87,
+	0x61387,
+	0x617c7,
+	0x61cc7,
+	0x61fc7,
+	0x62fc7,
+	0x63187,
+	0x63347,
+	0x63507,
+	0x63807,
+	0x64007,
+	0x64c87,
+	0x65407,
+	0x66547,
+	0x66b07,
+	0x66cc7,
+	0x67047,
+	0x67487,
+	0x67687,
+	0x67947,
+	0x67b07,
+	0x67cc7,
+	0x67f87,
+	0x68247,
+	0x68f07,
+	0x69607,
+	0x698c7,
+	0x6a047,
+	0x6a207,
+	0x6a607,
+	0x6aec7,
+	0x6b147,
+	0x6b547,
+	0x6b707,
+	0x6b8c7,
+	0x70587,
+	0x71387,
+	0x718c7,
+	0x71e47,
+	0x72007,
+	0x72387,
+	0x728c7,
+	0xdb42,
+	0xbbb0a,
+	0xffb87,
+	0x184cfa0b,
+	0x14cfa16,
+	0x17e91,
+	0x1082ca,
+	0xa24ca,
+	0x52e06,
+	0xd0f8b,
+	0x5e82,
+	0x2f711,
+	0x157789,
+	0x942c9,
+	0x67e42,
+	0x9f54a,
+	0xa4909,
+	0xa504f,
+	0xa5a8e,
+	0xa6388,
+	0x17f42,
+	0x18ef09,
+	0x17f08e,
+	0xf80cc,
+	0xdf20f,
+	0x198f4e,
+	0xc84c,
+	0x11809,
+	0x13491,
+	0x222c8,
+	0x24512,
+	0x281cd,
+	0x2e0cd,
+	0x8618b,
+	0xbadd5,
+	0xbb9c9,
+	0xe268a,
+	0x120689,
+	0x160310,
+	0x39a0b,
+	0x4480f,
+	0x5648b,
+	0x58a8c,
+	0x70f90,
+	0x7beca,
+	0x7d18d,
+	0x80d4e,
+	0x86cca,
+	0x8720c,
+	0x89714,
+	0x157411,
+	0x1a200b,
+	0x9004f,
+	0x9320d,
+	0x9a00e,
+	0x9fd8c,
+	0xa1acc,
+	0xaae8b,
+	0xab18e,
+	0xab990,
+	0x154c0b,
+	0x1160cd,
+	0x10e80f,
+	0x17e50c,
+	0xb090e,
+	0xb2391,
+	0xb3ecc,
+	0xc00c7,
+	0xc064d,
+	0xc0fcc,
+	0xc1dd0,
+	0x102c8d,
+	0x12bc87,
+	0xc7750,
+	0xd3748,
+	0xd51cb,
+	0x12aa8f,
+	0x17e248,
+	0x1084cd,
+	0x14d550,
+	0x18ba60c6,
+	0xaff43,
+	0xbe02,
+	0x11e309,
+	0x5394a,
+	0x104186,
+	0x18cd9009,
+	0x11d43,
+	0xd6191,
+	0xd65c9,
+	0xd7607,
+	0xaf6cb,
+	0xde6d0,
+	0xdeb8c,
+	0xdf6c5,
+	0x18f248,
+	0x19f94a,
+	0x111947,
+	0x33c2,
+	0x124a4a,
+	0x127549,
+	0x35b4a,
+	0x8a3cf,
+	0x3edcb,
+	0x12814c,
+	0x169b92,
+	0xaea45,
+	0x166aca,
+	0x192ece45,
+	0x18020c,
+	0x122843,
+	0x185502,
+	0xf2bca,
+	0x14f3fcc,
+	0x1b1a48,
+	0xdfe48,
+	0x16fb87,
+	0x1c42,
+	0x3082,
+	0x3f590,
+	0x27c2,
+	0x1ad58f,
+	0x5d306,
+	0x77ece,
+	0xe598b,
+	0x86ec8,
+	0xd1a49,
+	0x17d152,
+	0x1abecd,
+	0x55b08,
+	0x56d49,
+	0x572cd,
+	0x57b89,
+	0x5c58b,
+	0x5d848,
+	0x61ac8,
+	0x628c8,
+	0x62b49,
+	0x62d4a,
+	0x6398c,
+	0xe3cca,
+	0xff947,
+	0x2270d,
+	0xf4b4b,
+	0x11a5cc,
+	0x18b050,
+	0xc2,
+	0x7a14d,
+	0x2dc2,
+	0x35482,
+	0xff88a,
+	0x1081ca,
+	0x10928b,
+	0x1ae28c,
+	0x108c8e,
+	0x100cd,
+	0x1b3908,
+	0x7b02,
+	0x11b5ec4e,
+	0x1227020e,
+	0x12a83a0a,
+	0x1336864e,
+	0x13b143ce,
+	0x1432ee0c,
+	0x1594ac7,
+	0x1594ac9,
+	0x1410843,
+	0x14b3054c,
+	0x15333209,
+	0x15b49dc9,
+	0x50642,
+	0x18fb51,
+	0x70151,
+	0x8394d,
+	0x17acd1,
+	0x114311,
+	0x12ed4f,
+	0x13048f,
+	0x13314c,
+	0x149d0c,
+	0x1a688d,
+	0x1bb815,
+	0x5064c,
+	0x11f0cc,
+	0xe9c50,
+	0x11d44c,
+	0x12a54c,
+	0x15e999,
+	0x168399,
+	0x16fd99,
+	0x175d54,
+	0x181ad4,
+	0x19b7d4,
+	0x19d714,
+	0x1ac314,
+	0x16250709,
+	0x1699ba89,
+	0x1731f189,
+	0x11e224c9,
+	0x50642,
+	0x126224c9,
+	0x50642,
+	0x15e98a,
+	0x50642,
+	0x12e224c9,
+	0x50642,
+	0x15e98a,
+	0x50642,
+	0x136224c9,
+	0x50642,
+	0x13e224c9,
+	0x50642,
+	0x146224c9,
+	0x50642,
+	0x15e98a,
+	0x50642,
+	0x14e224c9,
+	0x50642,
+	0x15e98a,
+	0x50642,
+	0x156224c9,
+	0x50642,
+	0x15e224c9,
+	0x50642,
+	0x15e98a,
+	0x50642,
+	0x166224c9,
+	0x50642,
+	0x16e224c9,
+	0x50642,
+	0x176224c9,
+	0x50642,
+	0x15e98a,
+	0x50642,
+	0xaf545,
+	0x1a5b04,
+	0x2bb84,
+	0x1aa404,
+	0x1a75c4,
+	0xc484,
+	0x13fc4,
+	0x58f44,
+	0xff384,
+	0x14ab3c3,
+	0x143e603,
+	0xfb244,
+	0x1547c03,
+	0x2bb82,
+	0x100c3,
+	0x205702,
+	0x2099c2,
+	0x2006c2,
+	0x218342,
+	0x20d882,
+	0x200442,
+	0x203082,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x24a5c3,
+	0x205503,
+	0x200983,
+	0x16d208,
+	0x2a84c3,
+	0x232403,
+	0x205503,
+	0x200983,
+	0x3fc3,
+	0x2e9dc3,
+	0x205702,
+	0x38d2c3,
+	0x1aea84c3,
+	0x3b8e47,
+	0x2e9dc3,
+	0x206343,
+	0x211cc4,
+	0x205503,
+	0x200983,
+	0x255cca,
+	0x264a85,
+	0x201303,
+	0x20b0c2,
+	0x16d208,
+	0x16d208,
+	0x99c2,
+	0x11fd02,
+	0x6c845,
+	0x129845,
+	0x16d208,
+	0x1b887,
+	0xa84c3,
+	0x1ba38e47,
+	0x13ee06,
+	0x1bd49c05,
+	0x11de07,
+	0x66ca,
+	0x3748,
+	0x65c7,
+	0x56948,
+	0x28d87,
+	0x2c6cf,
+	0x30b87,
+	0x3b806,
+	0x117090,
+	0x12330f,
+	0x104204,
+	0x1c11dece,
+	0xa8b4c,
+	0x4f14a,
+	0x9a2c7,
+	0x112b8a,
+	0x18f409,
+	0xbf34a,
+	0x5414a,
+	0x104186,
+	0x9a38a,
+	0x8350a,
+	0xe47c9,
+	0xd5a48,
+	0xd5d46,
+	0xd9a8d,
+	0xb3c45,
+	0x1a78c7,
+	0x5d6c7,
+	0xd9394,
+	0xf938b,
+	0x68a0a,
+	0xa2d0d,
+	0x1cdc3,
+	0x1cdc3,
+	0x1cdc6,
+	0x1cdc3,
+	0x18d2c3,
+	0x16d208,
+	0x99c2,
+	0x49944,
+	0x887c3,
+	0x173605,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x205503,
+	0x200983,
+	0x2030c3,
+	0x2a84c3,
+	0x232403,
+	0x2163c3,
+	0x2e9dc3,
+	0x209703,
+	0x205503,
+	0x200983,
+	0x294483,
+	0x25ed03,
+	0x2030c3,
+	0x25ef44,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x205503,
+	0x200983,
+	0x2082c3,
+	0x2a84c3,
+	0x232403,
+	0x218343,
+	0x2163c3,
+	0x2e9dc3,
+	0x3b1384,
+	0x353903,
+	0x227f83,
+	0x209703,
+	0x205503,
+	0x200983,
+	0x201303,
+	0x311dc3,
+	0x1dea84c3,
+	0x232403,
+	0x246383,
+	0x2e9dc3,
+	0x20a203,
+	0x227f83,
+	0x200983,
+	0x2072c3,
+	0x33bac4,
+	0x16d208,
+	0x1e6a84c3,
+	0x232403,
+	0x2a6443,
+	0x2e9dc3,
+	0x209703,
+	0x211cc4,
+	0x205503,
+	0x200983,
+	0x21db03,
+	0x16d208,
+	0x1eea84c3,
+	0x232403,
+	0x2163c3,
+	0x204e83,
+	0x200983,
+	0x16d208,
+	0x1594ac7,
+	0x38d2c3,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x3b1384,
+	0x211cc4,
+	0x205503,
+	0x200983,
+	0x129845,
+	0x16fc07,
+	0xd95cb,
+	0xd69c4,
+	0xb3c45,
+	0x1456108,
+	0xa6a8d,
+	0x20284a05,
+	0x18004,
+	0x169c3,
+	0x186345,
+	0x349a05,
+	0x16d208,
+	0x1cdc2,
+	0x336c3,
+	0xf1446,
+	0x319ec8,
+	0x313bc7,
+	0x25ef44,
+	0x3b2c86,
+	0x3bb6c6,
+	0x16d208,
+	0x30ce43,
+	0x33e589,
+	0x237295,
+	0x3729f,
+	0x2a84c3,
+	0x31d012,
+	0xefac6,
+	0x10a045,
+	0x26e8a,
+	0x56b49,
+	0x31cdcf,
+	0x2d5f04,
+	0x20b145,
+	0x2fa150,
+	0x3b0887,
+	0x204e83,
+	0x28b148,
+	0x125bc6,
+	0x2ae1ca,
+	0x256044,
+	0x2ec883,
+	0x264a86,
+	0x20b0c2,
+	0x22d54b,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x209703,
+	0x205503,
+	0x200983,
+	0x2f1743,
+	0x2099c2,
+	0x2cd83,
+	0x205503,
+	0x200983,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x209703,
+	0x200983,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x206343,
+	0x221f03,
+	0x200983,
+	0x2099c2,
+	0x2a84c3,
+	0x232403,
+	0x205503,
+	0x200983,
+	0x205702,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x205503,
+	0x200983,
+	0x9885,
+	0x25ef44,
+	0x2a84c3,
+	0x232403,
+	0x210444,
+	0x205503,
+	0x200983,
+	0x16d208,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x205503,
+	0x200983,
+	0x2a84c3,
+	0x232403,
+	0x2163c3,
+	0x2143c3,
+	0x209703,
+	0x205503,
+	0x200983,
+	0x2099c2,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x205503,
+	0x200983,
+	0x16d208,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x391683,
+	0x63643,
+	0x6343,
+	0x205503,
+	0x200983,
+	0x30d44a,
+	0x32b0c9,
+	0x346b0b,
+	0x34708a,
+	0x34d94a,
+	0x35d74b,
+	0x371e0a,
+	0x37814a,
+	0x37fc4a,
+	0x37fecb,
+	0x39f689,
+	0x3a140a,
+	0x3a178b,
+	0x3acfcb,
+	0x3b9eca,
+	0x2a84c3,
+	0x232403,
+	0x2163c3,
+	0x209703,
+	0x205503,
+	0x200983,
+	0x4589,
+	0x16d208,
+	0x2a84c3,
+	0x25cb44,
+	0x207ac2,
+	0x211cc4,
+	0x26fc45,
+	0x2030c3,
+	0x25ef44,
+	0x2a84c3,
+	0x235ac4,
+	0x232403,
+	0x249944,
+	0x2d5f04,
+	0x3b1384,
+	0x227f83,
+	0x205503,
+	0x200983,
+	0x27a305,
+	0x2082c3,
+	0x201303,
+	0x22ed03,
+	0x250cc4,
+	0x390fc4,
+	0x34ae45,
+	0x16d208,
+	0x302044,
+	0x3510c6,
+	0x276384,
+	0x2099c2,
+	0x371007,
+	0x24c0c7,
+	0x247784,
+	0x2555c5,
+	0x302e85,
+	0x2a9305,
+	0x3b1384,
+	0x3b8ac8,
+	0x239486,
+	0x30c188,
+	0x24ed05,
+	0x2da905,
+	0x236b84,
+	0x200983,
+	0x2ed844,
+	0x35c946,
+	0x264b83,
+	0x250cc4,
+	0x256005,
+	0x32d104,
+	0x334944,
+	0x20b0c2,
+	0x2425c6,
+	0x3962c6,
+	0x2fdc05,
+	0x205702,
+	0x38d2c3,
+	0x262099c2,
+	0x2333c4,
+	0x20d882,
+	0x209703,
+	0x202c82,
+	0x205503,
+	0x200442,
+	0x214843,
+	0x25ed03,
+	0x16d208,
+	0x16d208,
+	0x2e9dc3,
+	0x205702,
+	0x26e099c2,
+	0x2e9dc3,
+	0x245b43,
+	0x353903,
+	0x327344,
+	0x205503,
+	0x200983,
+	0x16d208,
+	0x205702,
+	0x276099c2,
+	0x2a84c3,
+	0x205503,
+	0x200983,
+	0x482,
+	0x20a9c2,
+	0x212982,
+	0x206343,
+	0x2e87c3,
+	0x205702,
+	0x129845,
+	0x16d208,
+	0x16fc07,
+	0x2099c2,
+	0x232403,
+	0x249944,
+	0x2032c3,
+	0x2e9dc3,
+	0x2143c3,
+	0x209703,
+	0x205503,
+	0x216b03,
+	0x200983,
+	0x21da83,
+	0x118fd3,
+	0x11c954,
+	0x16fc07,
+	0x13b46,
+	0x53b4b,
+	0x1cdc6,
+	0x51b87,
+	0x11ab09,
+	0xe6d4a,
+	0x8850d,
+	0x1b240c,
+	0x1ada8a,
+	0x192345,
+	0x6708,
+	0x5d306,
+	0x125c86,
+	0x22bb82,
+	0xff14c,
+	0x1a5cc7,
+	0x22e51,
+	0x2a84c3,
+	0x568c5,
+	0x77848,
+	0x9e04,
+	0x288347c6,
+	0x17e86,
+	0x8cb46,
+	0x8da0a,
+	0xac543,
+	0x28e54b04,
+	0x11aac5,
+	0xde283,
+	0xdc105,
+	0xd104c,
+	0xf04c8,
+	0xb5708,
+	0x9e009,
+	0x134b08,
+	0x141e046,
+	0xda40a,
+	0x82b48,
+	0xf4648,
+	0xff384,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x209703,
+	0x205503,
+	0x200983,
+	0x205702,
+	0x2099c2,
+	0x2e9dc3,
+	0x202bc2,
+	0x205503,
+	0x200983,
+	0x214843,
+	0x3653cf,
+	0x36578e,
+	0x16d208,
+	0x2a84c3,
+	0x42f87,
+	0x232403,
+	0x2e9dc3,
+	0x244183,
+	0x205503,
+	0x200983,
+	0x201bc3,
+	0x201bc7,
+	0x200142,
+	0x32c249,
+	0x200242,
+	0x23f88b,
+	0x297b8a,
+	0x2a2a49,
+	0x200882,
+	0x391206,
+	0x34ed15,
+	0x23f9d5,
+	0x246993,
+	0x23ff53,
+	0x202a82,
+	0x205ac5,
+	0x3b364c,
+	0x27160b,
+	0x2726c5,
+	0x201702,
+	0x284202,
+	0x386fc6,
+	0x200ec2,
+	0x3695c6,
+	0x2d4c4d,
+	0x27ef4c,
+	0x224dc4,
+	0x203dc2,
+	0x205942,
+	0x2248c8,
+	0x202a42,
+	0x312fc6,
+	0x2ba844,
+	0x34eed5,
+	0x246b13,
+	0x210783,
+	0x32fa0a,
+	0x3bb147,
+	0x3094c9,
+	0x37b887,
+	0x30f242,
+	0x200002,
+	0x3aef06,
+	0x20cb42,
+	0x16d208,
+	0x2105c2,
+	0x20b382,
+	0x274e87,
+	0x20f687,
+	0x21b585,
+	0x201c02,
+	0x21da47,
+	0x21dc08,
+	0x242b42,
+	0x2bf3c2,
+	0x22e802,
+	0x201ec2,
+	0x237b88,
+	0x201ec3,
+	0x2b5308,
+	0x2cf1cd,
+	0x213c03,
+	0x327988,
+	0x239f8f,
+	0x23a34e,
+	0x25edca,
+	0x229751,
+	0x229bd0,
+	0x2bcdcd,
+	0x2bd10c,
+	0x311c47,
+	0x32fb87,
+	0x3b2d49,
+	0x224ec2,
+	0x206c02,
+	0x25340c,
+	0x25370b,
+	0x204142,
+	0x2ab046,
+	0x21a1c2,
+	0x209882,
+	0x21b102,
+	0x2099c2,
+	0x383a84,
+	0x238bc7,
+	0x204682,
+	0x23d147,
+	0x23e487,
+	0x20e142,
+	0x2301c2,
+	0x242e45,
+	0x205742,
+	0x362e0e,
+	0x2ebb8d,
+	0x232403,
+	0x2be90e,
+	0x2e064d,
+	0x37eac3,
+	0x200e02,
+	0x21fec4,
+	0x2454c2,
+	0x2175c2,
+	0x358e45,
+	0x364b47,
+	0x383382,
+	0x218342,
+	0x249547,
+	0x24d288,
+	0x248902,
+	0x2aeac6,
+	0x25328c,
+	0x2535cb,
+	0x20fc82,
+	0x25924f,
+	0x259610,
+	0x259a0f,
+	0x259dd5,
+	0x25a314,
+	0x25a80e,
+	0x25ab8e,
+	0x25af0f,
+	0x25b2ce,
+	0x25b654,
+	0x25bb53,
+	0x25c00d,
+	0x272a89,
+	0x2895c3,
+	0x200782,
+	0x22b0c5,
+	0x207f86,
+	0x20d882,
+	0x21f507,
+	0x2e9dc3,
+	0x205e82,
+	0x362a08,
+	0x229991,
+	0x229dd0,
+	0x206482,
+	0x288d87,
+	0x203942,
+	0x214607,
+	0x20be02,
+	0x319cc9,
+	0x386f87,
+	0x27aac8,
+	0x234606,
+	0x2e86c3,
+	0x32a105,
+	0x232682,
+	0x202082,
+	0x3af305,
+	0x380685,
+	0x2040c2,
+	0x24c543,
+	0x32d187,
+	0x223787,
+	0x200502,
+	0x254684,
+	0x223b83,
+	0x223b89,
+	0x22c548,
+	0x200282,
+	0x204bc2,
+	0x3105c7,
+	0x31ff05,
+	0x2a5348,
+	0x219947,
+	0x200e83,
+	0x28c446,
+	0x2bcc4d,
+	0x2bcfcc,
+	0x2b45c6,
+	0x208d02,
+	0x2a8542,
+	0x202342,
+	0x239e0f,
+	0x23a20e,
+	0x302f07,
+	0x203d02,
+	0x2bf745,
+	0x2bf746,
+	0x20f242,
+	0x20ec42,
+	0x221f06,
+	0x214543,
+	0x214546,
+	0x2c6985,
+	0x2c698d,
+	0x2c6f55,
+	0x2c814c,
+	0x2c95cd,
+	0x2c9992,
+	0x20e602,
+	0x2675c2,
+	0x202d02,
+	0x240806,
+	0x2f7f86,
+	0x2033c2,
+	0x208006,
+	0x2023c2,
+	0x38b785,
+	0x200542,
+	0x2ebc89,
+	0x31554c,
+	0x31588b,
+	0x200442,
+	0x24e748,
+	0x203b02,
+	0x2056c2,
+	0x26a346,
+	0x222445,
+	0x226747,
+	0x257d85,
+	0x29e405,
+	0x243002,
+	0x2067c2,
+	0x2013c2,
+	0x2df507,
+	0x380c0d,
+	0x380f8c,
+	0x22f087,
+	0x20f982,
+	0x2069c2,
+	0x241248,
+	0x31e488,
+	0x2e3988,
+	0x308484,
+	0x2ab407,
+	0x2e90c3,
+	0x228ec2,
+	0x2082c2,
+	0x2eb3c9,
+	0x3a40c7,
+	0x201302,
+	0x26a745,
+	0x22d4c2,
+	0x21aa02,
+	0x2f9f03,
+	0x2f9f06,
+	0x2f1742,
+	0x2f23c2,
+	0x201a42,
+	0x202f86,
+	0x21fe07,
+	0x213bc2,
+	0x205ec2,
+	0x2b514f,
+	0x2be74d,
+	0x3872ce,
+	0x2e04cc,
+	0x2009c2,
+	0x207302,
+	0x234445,
+	0x30ba46,
+	0x2018c2,
+	0x202482,
+	0x200482,
+	0x2198c4,
+	0x2cf044,
+	0x2d0e86,
+	0x203082,
+	0x36cac7,
+	0x203083,
+	0x285d48,
+	0x34e488,
+	0x239887,
+	0x240706,
+	0x203902,
+	0x234b03,
+	0x234b07,
+	0x273946,
+	0x2dee45,
+	0x308808,
+	0x200d02,
+	0x331207,
+	0x222702,
+	0x361782,
+	0x20cfc2,
+	0x2c6749,
+	0x230982,
+	0x200842,
+	0x22f303,
+	0x331c87,
+	0x2002c2,
+	0x3156cc,
+	0x3159cb,
+	0x2b4646,
+	0x2de1c5,
+	0x221c82,
+	0x203b42,
+	0x2b7bc6,
+	0x260dc3,
+	0x38c187,
+	0x236102,
+	0x201442,
+	0x34eb95,
+	0x23fb95,
+	0x246853,
+	0x2400d3,
+	0x2585c7,
+	0x271a48,
+	0x271a50,
+	0x28d2cf,
+	0x297953,
+	0x2a2812,
+	0x32be10,
+	0x2d544f,
+	0x35f7d2,
+	0x30c3d1,
+	0x2b7613,
+	0x2c6512,
+	0x2cff4f,
+	0x2d2e8e,
+	0x2d3f52,
+	0x2d71d1,
+	0x2d7c8f,
+	0x30440e,
+	0x2f0691,
+	0x2f17d0,
+	0x2f2752,
+	0x2fc711,
+	0x364586,
+	0x36d3c7,
+	0x372187,
+	0x203142,
+	0x27d8c5,
+	0x3933c7,
+	0x212982,
+	0x209942,
+	0x228a85,
+	0x21e743,
+	0x34b0c6,
+	0x380dcd,
+	0x38110c,
+	0x201682,
+	0x3b34cb,
+	0x2714ca,
+	0x20598a,
+	0x2b6449,
+	0x2ea64b,
+	0x219a8d,
+	0x2fa5cc,
+	0x25180a,
+	0x22090c,
+	0x26908b,
+	0x27250c,
+	0x29474b,
+	0x3154c3,
+	0x36cfc6,
+	0x3a98c2,
+	0x2f4542,
+	0x20a743,
+	0x208602,
+	0x21fe83,
+	0x2366c6,
+	0x259f87,
+	0x2c7fc6,
+	0x39e4c8,
+	0x31e188,
+	0x2ce146,
+	0x201f82,
+	0x2fd5cd,
+	0x2fd90c,
+	0x2d5fc7,
+	0x301f07,
+	0x213b82,
+	0x201502,
+	0x234a82,
+	0x24d642,
+	0x2099c2,
+	0x205503,
+	0x200983,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x209703,
+	0x211cc4,
+	0x205503,
+	0x200983,
+	0x214843,
+	0x205702,
+	0x2021c2,
+	0x2ae8fdc5,
+	0x2b247e45,
+	0x2b717806,
+	0x16d208,
+	0x2baaee05,
+	0x2099c2,
+	0x2006c2,
+	0x2bfb3ac5,
+	0x2c27bdc5,
+	0x2c67c9c7,
+	0x2ca86a09,
+	0x2ce3bc44,
+	0x20d882,
+	0x205e82,
+	0x2d24b5c5,
+	0x2d68f849,
+	0x2db1db88,
+	0x2deab805,
+	0x2e300187,
+	0x2e61ed48,
+	0x2eae5d85,
+	0x2ee00106,
+	0x2f337809,
+	0x2f6b5a48,
+	0x2fac0488,
+	0x2fe9704a,
+	0x302732c4,
+	0x306d13c5,
+	0x30abc9c8,
+	0x30e03a85,
+	0x20cec2,
+	0x31248a43,
+	0x316a1686,
+	0x31b60148,
+	0x31eb94c6,
+	0x32281f08,
+	0x32719606,
+	0x32adef04,
+	0x200c82,
+	0x32f2cb87,
+	0x332a75c4,
+	0x336756c7,
+	0x33ba2987,
+	0x200442,
+	0x33e9b0c5,
+	0x34334f84,
+	0x346cd907,
+	0x34a5f187,
+	0x34e80886,
+	0x3527c585,
+	0x356959c7,
+	0x35ad0b48,
+	0x35e2b447,
+	0x363164c9,
+	0x36793105,
+	0x36b31dc7,
+	0x36e8f546,
+	0x37391408,
+	0x2273cd,
+	0x279909,
+	0x28174b,
+	0x2a4b0b,
+	0x34058b,
+	0x2ffe8b,
+	0x30bc4b,
+	0x30bf0b,
+	0x30c809,
+	0x30d6cb,
+	0x30d98b,
+	0x30e48b,
+	0x30f5ca,
+	0x30fb0a,
+	0x31010c,
+	0x314d8b,
+	0x31670a,
+	0x32904a,
+	0x33404e,
+	0x33568e,
+	0x335a0a,
+	0x33808a,
+	0x338dcb,
+	0x33908b,
+	0x339e8b,
+	0x354ecb,
+	0x3554ca,
+	0x35618b,
+	0x35644a,
+	0x3566ca,
+	0x35694a,
+	0x372b0b,
+	0x37914b,
+	0x37c74e,
+	0x37cacb,
+	0x38454b,
+	0x385acb,
+	0x38900a,
+	0x389289,
+	0x3894ca,
+	0x38a94a,
+	0x3a00cb,
+	0x3a1a4b,
+	0x3a22ca,
+	0x3a48cb,
+	0x3a8c4b,
+	0x3b990b,
+	0x3767e648,
+	0x37a87c89,
+	0x37e9de89,
+	0x382dacc8,
+	0x342505,
+	0x217083,
+	0x21c6c4,
+	0x220005,
+	0x23b986,
+	0x25da05,
+	0x2864c4,
+	0x21f408,
+	0x308005,
+	0x291784,
+	0x203447,
+	0x29cf8a,
+	0x3712ca,
+	0x338547,
+	0x3af9c7,
+	0x2f8f07,
+	0x264e87,
+	0x2f60c5,
+	0x33bb86,
+	0x2bb847,
+	0x2b4904,
+	0x2e4646,
+	0x2e4546,
+	0x3b9585,
+	0x26d1c4,
+	0x3519c6,
+	0x29bf47,
+	0x285746,
+	0x2e3247,
+	0x25e443,
+	0x2b1c06,
+	0x2328c5,
+	0x27cac7,
+	0x2641ca,
+	0x260e44,
+	0x217c08,
+	0x2abd89,
+	0x2cd247,
+	0x336286,
+	0x24e9c8,
+	0x2b9c09,
+	0x309684,
+	0x366944,
+	0x244245,
+	0x2bb548,
+	0x2c4b07,
+	0x2a9709,
+	0x364688,
+	0x345e86,
+	0x3204c6,
+	0x298048,
+	0x359646,
+	0x247e45,
+	0x280946,
+	0x275ec8,
+	0x24da46,
+	0x2525cb,
+	0x298646,
+	0x29994d,
+	0x3a6005,
+	0x2a7486,
+	0x208b45,
+	0x2f9bc9,
+	0x2f9a87,
+	0x37a208,
+	0x266986,
+	0x298bc9,
+	0x3793c6,
+	0x264145,
+	0x268686,
+	0x2cae46,
+	0x2cb3c9,
+	0x3530c6,
+	0x339487,
+	0x26ad85,
+	0x202ac3,
+	0x252745,
+	0x299c07,
+	0x33c6c6,
+	0x3a5f09,
+	0x317806,
+	0x280b86,
+	0x210c49,
+	0x280349,
+	0x29fc07,
+	0x282f88,
+	0x28c989,
+	0x27d548,
+	0x378386,
+	0x2d5805,
+	0x2418ca,
+	0x280c06,
+	0x3b7986,
+	0x2c8985,
+	0x265808,
+	0x223307,
+	0x22f50a,
+	0x249e46,
+	0x279d45,
+	0x37aa46,
+	0x21ac47,
+	0x336147,
+	0x21bbc5,
+	0x264305,
+	0x357dc6,
+	0x2ac5c6,
+	0x34dc06,
+	0x2b3204,
+	0x27f689,
+	0x288b46,
+	0x2dd38a,
+	0x21b388,
+	0x3078c8,
+	0x3712ca,
+	0x20b445,
+	0x29be85,
+	0x350b88,
+	0x2b2c88,
+	0x27b5c7,
+	0x258946,
+	0x322388,
+	0x2fdec7,
+	0x27dc48,
+	0x2b3846,
+	0x281408,
+	0x294f06,
+	0x24ee87,
+	0x299ec6,
+	0x3519c6,
+	0x3778ca,
+	0x2bd8c6,
+	0x2d5809,
+	0x26dbc6,
+	0x2af14a,
+	0x2def09,
+	0x2fb486,
+	0x2b4b04,
+	0x22b18d,
+	0x287f07,
+	0x326cc6,
+	0x2c0345,
+	0x379445,
+	0x374246,
+	0x2cd749,
+	0x2b1647,
+	0x277306,
+	0x2cc246,
+	0x286549,
+	0x247d84,
+	0x3482c4,
+	0x352cc8,
+	0x236a86,
+	0x26a808,
+	0x2e41c8,
+	0x312747,
+	0x3b7549,
+	0x34de07,
+	0x2aecca,
+	0x2e1f8f,
+	0x23188a,
+	0x234245,
+	0x276105,
+	0x216e85,
+	0x2ba787,
+	0x21a803,
+	0x283188,
+	0x396786,
+	0x396889,
+	0x2b87c6,
+	0x3b5207,
+	0x298989,
+	0x37a108,
+	0x2c8a47,
+	0x30a343,
+	0x342585,
+	0x21a785,
+	0x2b304b,
+	0x203b44,
+	0x2c2084,
+	0x274646,
+	0x30abc7,
+	0x382bca,
+	0x248ac7,
+	0x311e87,
+	0x27bdc5,
+	0x200645,
+	0x2eef89,
+	0x3519c6,
+	0x24894d,
+	0x353305,
+	0x2b1383,
+	0x205043,
+	0x26f685,
+	0x345c45,
+	0x24e9c8,
+	0x2790c7,
+	0x348046,
+	0x29db06,
+	0x229105,
+	0x2326c7,
+	0x312247,
+	0x239347,
+	0x2d144a,
+	0x2b1cc8,
+	0x2b3204,
+	0x24d7c7,
+	0x27acc7,
+	0x339306,
+	0x262107,
+	0x2dc4c8,
+	0x2e6f08,
+	0x268506,
+	0x303008,
+	0x2c87c4,
+	0x2bb846,
+	0x2353c6,
+	0x33bfc6,
+	0x2ba986,
+	0x286004,
+	0x264f46,
+	0x2bf5c6,
+	0x297546,
+	0x247846,
+	0x204f06,
+	0x26e2c6,
+	0x347f48,
+	0x2b0748,
+	0x2d1c88,
+	0x25dc08,
+	0x350b06,
+	0x20dcc5,
+	0x315ec6,
+	0x2ab885,
+	0x388447,
+	0x215305,
+	0x2125c3,
+	0x211585,
+	0x344cc4,
+	0x205045,
+	0x203b03,
+	0x33a447,
+	0x354648,
+	0x2e3306,
+	0x2c218d,
+	0x2760c6,
+	0x296ac5,
+	0x2b7843,
+	0x2bc389,
+	0x247f06,
+	0x28e7c6,
+	0x29f4c4,
+	0x231807,
+	0x233606,
+	0x2b1905,
+	0x203cc3,
+	0x3abd84,
+	0x27ae86,
+	0x2354c4,
+	0x2da048,
+	0x38ba89,
+	0x215589,
+	0x29f2ca,
+	0x2a070d,
+	0x313447,
+	0x2b9186,
+	0x206804,
+	0x286a09,
+	0x284688,
+	0x287b06,
+	0x33f286,
+	0x262107,
+	0x2b6b46,
+	0x226346,
+	0x26d606,
+	0x3a2a0a,
+	0x21ed48,
+	0x2bacc5,
+	0x262549,
+	0x27e14a,
+	0x2f5d08,
+	0x29b908,
+	0x295f08,
+	0x2a7acc,
+	0x30e705,
+	0x29dd88,
+	0x2e6586,
+	0x37a386,
+	0x3b50c7,
+	0x2489c5,
+	0x280ac5,
+	0x215449,
+	0x20e247,
+	0x396845,
+	0x227887,
+	0x205043,
+	0x2c5045,
+	0x20ef48,
+	0x252ac7,
+	0x29b7c9,
+	0x2d7985,
+	0x2fa984,
+	0x2a03c8,
+	0x32ccc7,
+	0x2c8c08,
+	0x38d688,
+	0x354b05,
+	0x3a3946,
+	0x278cc6,
+	0x244609,
+	0x2b01c7,
+	0x2ac006,
+	0x313787,
+	0x210103,
+	0x23bc44,
+	0x2a1785,
+	0x232804,
+	0x3833c4,
+	0x27fdc7,
+	0x26c147,
+	0x22e704,
+	0x29b610,
+	0x3b3c47,
+	0x200645,
+	0x24c20c,
+	0x20a8c4,
+	0x2c1488,
+	0x24ed89,
+	0x35acc6,
+	0x334c48,
+	0x215244,
+	0x36c4c8,
+	0x22fb06,
+	0x2accc8,
+	0x29c506,
+	0x2bec0b,
+	0x202ac5,
+	0x2c8748,
+	0x215ac4,
+	0x38beca,
+	0x29b7c9,
+	0x245f06,
+	0x216f48,
+	0x256385,
+	0x2b0f44,
+	0x2c1386,
+	0x239208,
+	0x27e648,
+	0x322c06,
+	0x3a9ec4,
+	0x241846,
+	0x34de87,
+	0x2755c7,
+	0x26210f,
+	0x207347,
+	0x2fb547,
+	0x3709c5,
+	0x353e05,
+	0x29f8c9,
+	0x2dd046,
+	0x27cc05,
+	0x280647,
+	0x2e0bc8,
+	0x297645,
+	0x299ec6,
+	0x21b1c8,
+	0x2b94ca,
+	0x2db4c8,
+	0x28ac87,
+	0x2e23c6,
+	0x262506,
+	0x21a5c3,
+	0x216a43,
+	0x27e309,
+	0x28c809,
+	0x2c1286,
+	0x2d7985,
+	0x33bd48,
+	0x216f48,
+	0x3597c8,
+	0x26d68b,
+	0x2c23c7,
+	0x30a589,
+	0x262388,
+	0x343084,
+	0x3514c8,
+	0x28cd89,
+	0x2ac305,
+	0x2ba687,
+	0x23bcc5,
+	0x27e548,
+	0x28fc4b,
+	0x295710,
+	0x2a6dc5,
+	0x215a0c,
+	0x348205,
+	0x27be43,
+	0x2a8f86,
+	0x2be6c4,
+	0x335086,
+	0x29bf47,
+	0x21b244,
+	0x240b88,
+	0x28304d,
+	0x302945,
+	0x29b104,
+	0x2243c4,
+	0x276949,
+	0x2a11c8,
+	0x317687,
+	0x22fb88,
+	0x27f748,
+	0x277605,
+	0x209287,
+	0x277587,
+	0x33e347,
+	0x264309,
+	0x233489,
+	0x214c46,
+	0x2bd306,
+	0x262346,
+	0x37f785,
+	0x3a7184,
+	0x200006,
+	0x200386,
+	0x277648,
+	0x21a90b,
+	0x260d07,
+	0x206804,
+	0x353646,
+	0x2fe447,
+	0x26dec5,
+	0x391d05,
+	0x219644,
+	0x233406,
+	0x200088,
+	0x286a09,
+	0x2510c6,
+	0x284048,
+	0x2b19c6,
+	0x345248,
+	0x306dcc,
+	0x2774c6,
+	0x29678d,
+	0x296c0b,
+	0x339545,
+	0x312387,
+	0x3531c6,
+	0x336008,
+	0x214cc9,
+	0x2d0588,
+	0x200645,
+	0x277987,
+	0x27d648,
+	0x349649,
+	0x28e946,
+	0x250fca,
+	0x335d88,
+	0x2d03cb,
+	0x39818c,
+	0x36c5c8,
+	0x27a7c6,
+	0x208c88,
+	0x3b77c7,
+	0x32cf49,
+	0x28f74d,
+	0x299dc6,
+	0x27b808,
+	0x2b0609,
+	0x2bda48,
+	0x281508,
+	0x2bfe0c,
+	0x2c0b47,
+	0x2c1887,
+	0x264145,
+	0x2ad587,
+	0x2e0a88,
+	0x2c1406,
+	0x2556cc,
+	0x2ef888,
+	0x2ccb88,
+	0x25dec6,
+	0x21a507,
+	0x214e44,
+	0x25dc08,
+	0x22200c,
+	0x2ce24c,
+	0x2342c5,
+	0x2d0d47,
+	0x3a9e46,
+	0x21a486,
+	0x2f9d88,
+	0x3af904,
+	0x28574b,
+	0x36cc0b,
+	0x2e23c6,
+	0x282ec7,
+	0x37a805,
+	0x269a05,
+	0x285886,
+	0x256345,
+	0x203b05,
+	0x2cc9c7,
+	0x274c49,
+	0x2ac784,
+	0x2fbb45,
+	0x2e4bc5,
+	0x2d9dc8,
+	0x329d05,
+	0x2b72c9,
+	0x2ae5c7,
+	0x2ae5cb,
+	0x381306,
+	0x347c89,
+	0x26d108,
+	0x276545,
+	0x33e448,
+	0x2334c8,
+	0x245747,
+	0x3776c7,
+	0x27fe49,
+	0x2acc07,
+	0x28a989,
+	0x2aa70c,
+	0x3163c8,
+	0x2b2ac9,
+	0x2b3d47,
+	0x27f809,
+	0x26c287,
+	0x398288,
+	0x3b7705,
+	0x2bb7c6,
+	0x2c0388,
+	0x308a88,
+	0x27e009,
+	0x203b47,
+	0x269ac5,
+	0x222b09,
+	0x2bd6c6,
+	0x28f544,
+	0x30e1c6,
+	0x35ffc8,
+	0x232ac7,
+	0x21ab08,
+	0x3030c9,
+	0x3a3707,
+	0x29d146,
+	0x312444,
+	0x211609,
+	0x209108,
+	0x25dd87,
+	0x27eb46,
+	0x21a846,
+	0x3b7904,
+	0x2241c6,
+	0x204fc3,
+	0x3b1649,
+	0x202a86,
+	0x303345,
+	0x29db06,
+	0x26cac5,
+	0x27dac8,
+	0x36c307,
+	0x381646,
+	0x3b3b06,
+	0x3078c8,
+	0x29fa47,
+	0x299e05,
+	0x29b408,
+	0x3a1e48,
+	0x335d88,
+	0x3480c5,
+	0x2bb846,
+	0x215349,
+	0x244484,
+	0x26c94b,
+	0x22604b,
+	0x2babc9,
+	0x205043,
+	0x254485,
+	0x2214c6,
+	0x385208,
+	0x2e1f04,
+	0x2e3306,
+	0x2d1589,
+	0x2ca445,
+	0x2cc906,
+	0x32ccc6,
+	0x216f44,
+	0x2a764a,
+	0x303288,
+	0x308a86,
+	0x3b8645,
+	0x37a687,
+	0x2e0fc7,
+	0x3a3944,
+	0x226287,
+	0x2aecc4,
+	0x33bf46,
+	0x2096c3,
+	0x264305,
+	0x32ad45,
+	0x207588,
+	0x24d985,
+	0x277209,
+	0x25da47,
+	0x25da4b,
+	0x2a148c,
+	0x2a224a,
+	0x300187,
+	0x203503,
+	0x3afc08,
+	0x348285,
+	0x2976c5,
+	0x205104,
+	0x398186,
+	0x24ed86,
+	0x224207,
+	0x33448b,
+	0x286004,
+	0x2e6684,
+	0x21f044,
+	0x2cafc6,
+	0x21b244,
+	0x2bb648,
+	0x342445,
+	0x21ba45,
+	0x359707,
+	0x312489,
+	0x345c45,
+	0x37424a,
+	0x26ac89,
+	0x2996ca,
+	0x3a2b49,
+	0x33fec4,
+	0x2cc305,
+	0x2b6c48,
+	0x2cd9cb,
+	0x244245,
+	0x2f2fc6,
+	0x213e84,
+	0x277746,
+	0x3a3589,
+	0x353707,
+	0x3179c8,
+	0x2a0a86,
+	0x34de07,
+	0x27e648,
+	0x3747c6,
+	0x375604,
+	0x365ac7,
+	0x357305,
+	0x367287,
+	0x200104,
+	0x353146,
+	0x2f4308,
+	0x296dc8,
+	0x2e6047,
+	0x274fc8,
+	0x294fc5,
+	0x204e84,
+	0x3711c8,
+	0x2750c4,
+	0x216e05,
+	0x2f5fc4,
+	0x2fdfc7,
+	0x288c07,
+	0x27f948,
+	0x2c8d86,
+	0x24d905,
+	0x277008,
+	0x2db6c8,
+	0x29f209,
+	0x226346,
+	0x22f588,
+	0x38bd4a,
+	0x26df48,
+	0x2e5d85,
+	0x20b306,
+	0x26ab48,
+	0x277a4a,
+	0x210f87,
+	0x284c45,
+	0x292708,
+	0x2ade04,
+	0x265886,
+	0x2c1c08,
+	0x204f06,
+	0x38e7c8,
+	0x28f187,
+	0x203346,
+	0x2b4b04,
+	0x284fc7,
+	0x2b0d84,
+	0x3a3547,
+	0x28e60d,
+	0x27b645,
+	0x2cd54b,
+	0x29c606,
+	0x24e848,
+	0x240b44,
+	0x350d06,
+	0x27ae86,
+	0x208fc7,
+	0x29644d,
+	0x243cc7,
+	0x2b12c8,
+	0x269b85,
+	0x278648,
+	0x2c4a86,
+	0x295048,
+	0x228086,
+	0x33d987,
+	0x300449,
+	0x343ac7,
+	0x287dc8,
+	0x2706c5,
+	0x21b608,
+	0x21a3c5,
+	0x3a4245,
+	0x3a2dc5,
+	0x234543,
+	0x2809c4,
+	0x262545,
+	0x337809,
+	0x27ea46,
+	0x2dc5c8,
+	0x377485,
+	0x2b2e87,
+	0x2a78ca,
+	0x2cc849,
+	0x2cad4a,
+	0x2d1d08,
+	0x2276cc,
+	0x2806cd,
+	0x2fc003,
+	0x38e6c8,
+	0x3abd45,
+	0x2b9286,
+	0x379f86,
+	0x2e58c5,
+	0x313889,
+	0x33cc45,
+	0x277008,
+	0x2552c6,
+	0x347806,
+	0x2a0289,
+	0x393947,
+	0x28ff06,
+	0x2a7848,
+	0x33bec8,
+	0x2daec7,
+	0x2ace4e,
+	0x2c4cc5,
+	0x349545,
+	0x204e08,
+	0x21fcc7,
+	0x21a882,
+	0x2bf984,
+	0x334f8a,
+	0x25de48,
+	0x2fe546,
+	0x298ac8,
+	0x278cc6,
+	0x332608,
+	0x2ac008,
+	0x3a4204,
+	0x2b33c5,
+	0x676384,
+	0x676384,
+	0x676384,
+	0x202b43,
+	0x21a6c6,
+	0x2774c6,
+	0x29cb0c,
+	0x203383,
+	0x27e146,
+	0x2151c4,
+	0x247e88,
+	0x2d13c5,
+	0x335086,
+	0x2bcac8,
+	0x2d2bc6,
+	0x3815c6,
+	0x245d08,
+	0x2a1807,
+	0x2ac9c9,
+	0x2f214a,
+	0x22b484,
+	0x215305,
+	0x2a96c5,
+	0x247c06,
+	0x313486,
+	0x29d546,
+	0x2f5546,
+	0x2acb04,
+	0x2acb0b,
+	0x231804,
+	0x29ccc5,
+	0x2aad85,
+	0x312806,
+	0x3a6308,
+	0x280587,
+	0x317784,
+	0x236203,
+	0x2ad905,
+	0x306047,
+	0x28048b,
+	0x207487,
+	0x2bc9c8,
+	0x2e62c7,
+	0x370b06,
+	0x279bc8,
+	0x2a820b,
+	0x21ff46,
+	0x212309,
+	0x2a8385,
+	0x30a343,
+	0x2cc906,
+	0x28f088,
+	0x213403,
+	0x24f403,
+	0x27e646,
+	0x278cc6,
+	0x35d10a,
+	0x27a805,
+	0x27accb,
+	0x29da4b,
+	0x23ef83,
+	0x202843,
+	0x2aec44,
+	0x278a87,
+	0x28f104,
+	0x244504,
+	0x2e6404,
+	0x26e248,
+	0x3b8588,
+	0x3baf89,
+	0x393188,
+	0x2b9dc7,
+	0x247846,
+	0x2dc20f,
+	0x2c4e06,
+	0x2d1344,
+	0x3b83ca,
+	0x305f47,
+	0x3b9606,
+	0x28f589,
+	0x3baf05,
+	0x2076c5,
+	0x3bb046,
+	0x21b743,
+	0x2ade49,
+	0x21eec6,
+	0x3afa89,
+	0x382bc6,
+	0x264305,
+	0x2346c5,
+	0x207343,
+	0x278bc8,
+	0x20d787,
+	0x396784,
+	0x247d08,
+	0x2e1244,
+	0x2f1006,
+	0x2a8f86,
+	0x23c346,
+	0x2c8609,
+	0x297645,
+	0x3519c6,
+	0x2582c9,
+	0x2c41c6,
+	0x26e2c6,
+	0x387886,
+	0x2160c5,
+	0x2f5fc6,
+	0x33d984,
+	0x3b7705,
+	0x2c0384,
+	0x2b2246,
+	0x3532c4,
+	0x203c43,
+	0x284745,
+	0x2331c8,
+	0x25e607,
+	0x2b8209,
+	0x284b48,
+	0x297e11,
+	0x32cd4a,
+	0x2e2307,
+	0x2e7246,
+	0x2151c4,
+	0x2c0488,
+	0x22e448,
+	0x297fca,
+	0x2b708d,
+	0x268686,
+	0x245e06,
+	0x285086,
+	0x21ba47,
+	0x2b1385,
+	0x3912c7,
+	0x247dc5,
+	0x2ae704,
+	0x2a6206,
+	0x224047,
+	0x2adb4d,
+	0x26aa87,
+	0x21f308,
+	0x277309,
+	0x20b206,
+	0x28e8c5,
+	0x22cb04,
+	0x3600c6,
+	0x3a3846,
+	0x25dfc6,
+	0x299348,
+	0x215f83,
+	0x208fc3,
+	0x352105,
+	0x277dc6,
+	0x2abfc5,
+	0x2a0c88,
+	0x29c10a,
+	0x282084,
+	0x247e88,
+	0x295f08,
+	0x312647,
+	0x377549,
+	0x2bc6c8,
+	0x286a87,
+	0x2587c6,
+	0x204f0a,
+	0x360148,
+	0x2f98c9,
+	0x2a1288,
+	0x221609,
+	0x2e7107,
+	0x2f2f05,
+	0x26d886,
+	0x2c1288,
+	0x27e7c8,
+	0x296088,
+	0x2e24c8,
+	0x29ccc5,
+	0x208a84,
+	0x20d488,
+	0x23e2c4,
+	0x3a2944,
+	0x264305,
+	0x2917c7,
+	0x312249,
+	0x208dc7,
+	0x210cc5,
+	0x274846,
+	0x34f606,
+	0x212444,
+	0x2a05c6,
+	0x24d744,
+	0x278546,
+	0x312006,
+	0x213246,
+	0x200645,
+	0x2a0b47,
+	0x203503,
+	0x2079c9,
+	0x3076c8,
+	0x247d04,
+	0x28690d,
+	0x296ec8,
+	0x2e3788,
+	0x2f9846,
+	0x300549,
+	0x2cc849,
+	0x3a3285,
+	0x29c20a,
+	0x27cf4a,
+	0x29d74c,
+	0x29d8c6,
+	0x275446,
+	0x2c4f86,
+	0x2b4749,
+	0x2b94c6,
+	0x29fa86,
+	0x33cd06,
+	0x25dc08,
+	0x274fc6,
+	0x2ce80b,
+	0x291945,
+	0x21ba45,
+	0x2756c5,
+	0x352a46,
+	0x204ec3,
+	0x23c2c6,
+	0x26aa07,
+	0x2c0345,
+	0x320585,
+	0x379445,
+	0x318446,
+	0x31da84,
+	0x31da86,
+	0x292f49,
+	0x3528cc,
+	0x2ae448,
+	0x239184,
+	0x2f5c06,
+	0x29c706,
+	0x28f088,
+	0x216f48,
+	0x3527c9,
+	0x37a687,
+	0x2367c9,
+	0x24cfc6,
+	0x22e904,
+	0x20ea44,
+	0x280144,
+	0x27e648,
+	0x31208a,
+	0x345bc6,
+	0x353cc7,
+	0x362c47,
+	0x347d85,
+	0x2a9684,
+	0x28cd46,
+	0x2b13c6,
+	0x2336c3,
+	0x307507,
+	0x38d588,
+	0x3a33ca,
+	0x2cbb88,
+	0x281f08,
+	0x353305,
+	0x339645,
+	0x260e05,
+	0x348146,
+	0x3ad906,
+	0x26c085,
+	0x3b1889,
+	0x2a948c,
+	0x260ec7,
+	0x298048,
+	0x2e5c05,
+	0x676384,
+	0x320944,
+	0x252c04,
+	0x22df86,
+	0x29eb0e,
+	0x207747,
+	0x21bc45,
+	0x24440c,
+	0x2e1107,
+	0x223fc7,
+	0x225109,
+	0x217cc9,
+	0x284c45,
+	0x3076c8,
+	0x215349,
+	0x335c45,
+	0x2c0288,
+	0x2c2586,
+	0x371446,
+	0x2def04,
+	0x2553c8,
+	0x20b3c3,
+	0x2af8c4,
+	0x2ad985,
+	0x3bab07,
+	0x21c245,
+	0x38bc09,
+	0x28b30d,
+	0x2a33c6,
+	0x225fc4,
+	0x2588c8,
+	0x274a8a,
+	0x2611c7,
+	0x235d45,
+	0x23b403,
+	0x29dc0e,
+	0x278ccc,
+	0x2f5e07,
+	0x29ecc7,
+	0x200143,
+	0x2b9505,
+	0x252c05,
+	0x298e88,
+	0x295d49,
+	0x239086,
+	0x28f104,
+	0x2e2246,
+	0x27b5cb,
+	0x2cc5cc,
+	0x366d87,
+	0x2d0305,
+	0x3a1d48,
+	0x2dac85,
+	0x3b83c7,
+	0x32cb87,
+	0x247585,
+	0x204ec3,
+	0x26e584,
+	0x21c685,
+	0x2ac685,
+	0x2ac686,
+	0x292008,
+	0x224047,
+	0x37a286,
+	0x26c486,
+	0x3a2d06,
+	0x268789,
+	0x209387,
+	0x25e286,
+	0x2cc746,
+	0x2731c6,
+	0x2a7585,
+	0x3b2b46,
+	0x380145,
+	0x329d88,
+	0x29114b,
+	0x28c346,
+	0x362c84,
+	0x2b4389,
+	0x25da44,
+	0x2c2508,
+	0x30e2c7,
+	0x281404,
+	0x2bbd88,
+	0x2c1684,
+	0x2a75c4,
+	0x286845,
+	0x302986,
+	0x26e187,
+	0x203043,
+	0x29d205,
+	0x323284,
+	0x349586,
+	0x3a3308,
+	0x38d2c5,
+	0x290e09,
+	0x222d05,
+	0x2dbf88,
+	0x215087,
+	0x388588,
+	0x2b8047,
+	0x2fb609,
+	0x264dc6,
+	0x32bb46,
+	0x28cac4,
+	0x258705,
+	0x2fce4c,
+	0x2756c7,
+	0x275fc7,
+	0x362b08,
+	0x2a33c6,
+	0x26a944,
+	0x328004,
+	0x27fcc9,
+	0x2c5086,
+	0x298a07,
+	0x208c04,
+	0x23da46,
+	0x33b785,
+	0x2c88c7,
+	0x2ce786,
+	0x250e89,
+	0x27cd87,
+	0x262107,
+	0x2a0106,
+	0x23d985,
+	0x27c548,
+	0x21ed48,
+	0x247a46,
+	0x38d305,
+	0x390586,
+	0x2034c3,
+	0x298d09,
+	0x29d2ce,
+	0x2b7d48,
+	0x2e1348,
+	0x24784b,
+	0x291046,
+	0x313104,
+	0x2802c4,
+	0x29d3ca,
+	0x215907,
+	0x25e345,
+	0x212309,
+	0x2bf685,
+	0x3a2987,
+	0x245c84,
+	0x287087,
+	0x2e40c8,
+	0x2cd306,
+	0x27b989,
+	0x2bc7ca,
+	0x215886,
+	0x296a06,
+	0x2aad05,
+	0x37d085,
+	0x282d07,
+	0x244e48,
+	0x33b6c8,
+	0x3a4206,
+	0x234745,
+	0x31320e,
+	0x2b3204,
+	0x2479c5,
+	0x2741c9,
+	0x2dce48,
+	0x28abc6,
+	0x29af0c,
+	0x29bd10,
+	0x29e74f,
+	0x29f7c8,
+	0x300187,
+	0x200645,
+	0x262545,
+	0x26e009,
+	0x292909,
+	0x241946,
+	0x2442c7,
+	0x2d0cc5,
+	0x337b09,
+	0x339386,
+	0x2b930d,
+	0x280009,
+	0x244504,
+	0x2b7ac8,
+	0x20d549,
+	0x345d86,
+	0x274945,
+	0x32bb46,
+	0x317889,
+	0x2f3c48,
+	0x20dcc5,
+	0x2553c4,
+	0x29b0cb,
+	0x345c45,
+	0x29b206,
+	0x280a06,
+	0x265e46,
+	0x276d4b,
+	0x290f09,
+	0x26c3c5,
+	0x388347,
+	0x32ccc6,
+	0x334dc6,
+	0x252988,
+	0x302a89,
+	0x21f0cc,
+	0x305e48,
+	0x309e46,
+	0x322c03,
+	0x2ba886,
+	0x276b85,
+	0x27b008,
+	0x234146,
+	0x2c8b08,
+	0x248b45,
+	0x279305,
+	0x32eb08,
+	0x332787,
+	0x379ec7,
+	0x224207,
+	0x334c48,
+	0x3002c8,
+	0x2ad486,
+	0x2b2087,
+	0x23bb07,
+	0x276a4a,
+	0x201e03,
+	0x352a46,
+	0x2392c5,
+	0x334f84,
+	0x277309,
+	0x2fb584,
+	0x25e684,
+	0x29c584,
+	0x29eccb,
+	0x20d6c7,
+	0x313445,
+	0x294cc8,
+	0x274846,
+	0x274848,
+	0x27a746,
+	0x28b085,
+	0x28b645,
+	0x28d886,
+	0x28ee48,
+	0x28f4c8,
+	0x2774c6,
+	0x294b0f,
+	0x2987d0,
+	0x3a6005,
+	0x203503,
+	0x22e9c5,
+	0x30a4c8,
+	0x292809,
+	0x335d88,
+	0x268608,
+	0x2b8d48,
+	0x20d787,
+	0x274509,
+	0x2c8d08,
+	0x265304,
+	0x29c408,
+	0x2d9e89,
+	0x2b27c7,
+	0x299d44,
+	0x208e88,
+	0x2a090a,
+	0x2e77c6,
+	0x268686,
+	0x226209,
+	0x29bf47,
+	0x2cba08,
+	0x204848,
+	0x2ddd88,
+	0x35cc45,
+	0x37e005,
+	0x21ba45,
+	0x252bc5,
+	0x3b5987,
+	0x204ec5,
+	0x2c0345,
+	0x313686,
+	0x335cc7,
+	0x2cd907,
+	0x2a0c06,
+	0x2d2245,
+	0x29b206,
+	0x27ba85,
+	0x2b58c8,
+	0x2f4284,
+	0x2c4246,
+	0x33b5c4,
+	0x2b0f48,
+	0x2c434a,
+	0x2790cc,
+	0x334685,
+	0x21bb06,
+	0x21f286,
+	0x351fc6,
+	0x309ec4,
+	0x33ba45,
+	0x27a587,
+	0x29bfc9,
+	0x2cb4c7,
+	0x676384,
+	0x676384,
+	0x317605,
+	0x37b944,
+	0x29a8ca,
+	0x2746c6,
+	0x279e04,
+	0x3b9585,
+	0x37e405,
+	0x2b12c4,
+	0x280647,
+	0x222c87,
+	0x2cafc8,
+	0x33de88,
+	0x20dcc9,
+	0x29cd88,
+	0x29aa8b,
+	0x2318c4,
+	0x366885,
+	0x27cc85,
+	0x224189,
+	0x302a89,
+	0x2b4288,
+	0x30e048,
+	0x2d6604,
+	0x29c745,
+	0x217083,
+	0x247bc5,
+	0x351a46,
+	0x295b8c,
+	0x208b06,
+	0x36c3c6,
+	0x28ae45,
+	0x3184c8,
+	0x2b7ec6,
+	0x2e73c6,
+	0x268686,
+	0x22920c,
+	0x25e184,
+	0x3a2e4a,
+	0x28ad88,
+	0x2959c7,
+	0x323186,
+	0x239147,
+	0x2ec145,
+	0x27eb46,
+	0x34d406,
+	0x35b847,
+	0x25e6c4,
+	0x2fe0c5,
+	0x2741c4,
+	0x2ae787,
+	0x274408,
+	0x2752ca,
+	0x27d4c7,
+	0x303407,
+	0x300107,
+	0x2dadc9,
+	0x295b8a,
+	0x21f083,
+	0x25e5c5,
+	0x213283,
+	0x2e6449,
+	0x33dc08,
+	0x3709c7,
+	0x335e89,
+	0x21ee46,
+	0x2b88c8,
+	0x33a3c5,
+	0x2db7ca,
+	0x2d3549,
+	0x2683c9,
+	0x3b50c7,
+	0x22e549,
+	0x213148,
+	0x35ba06,
+	0x21bcc8,
+	0x2160c7,
+	0x2acc07,
+	0x26ac87,
+	0x2d0b48,
+	0x2f5a86,
+	0x2a06c5,
+	0x27a587,
+	0x296508,
+	0x33b544,
+	0x2dd244,
+	0x28fe07,
+	0x2ac387,
+	0x2151ca,
+	0x35b986,
+	0x38c74a,
+	0x2bf8c7,
+	0x2b2fc7,
+	0x246004,
+	0x28aa44,
+	0x2ce686,
+	0x202d04,
+	0x202d0c,
+	0x3aff05,
+	0x216d89,
+	0x2d4f04,
+	0x2b1385,
+	0x274a08,
+	0x279fc5,
+	0x374246,
+	0x223ec4,
+	0x293c4a,
+	0x2b00c6,
+	0x29ba8a,
+	0x22b447,
+	0x21ac45,
+	0x21b745,
+	0x347dca,
+	0x28efc5,
+	0x26dfc6,
+	0x23e2c4,
+	0x2aedc6,
+	0x282dc5,
+	0x234206,
+	0x2e604c,
+	0x2cb14a,
+	0x2587c4,
+	0x247846,
+	0x29bf47,
+	0x2cf984,
+	0x25dc08,
+	0x393006,
+	0x313089,
+	0x2c7549,
+	0x3164c9,
+	0x26cb06,
+	0x2161c6,
+	0x21be07,
+	0x3b17c8,
+	0x215fc9,
+	0x20d6c7,
+	0x294e46,
+	0x34de87,
+	0x284f45,
+	0x2b3204,
+	0x21b9c7,
+	0x23bcc5,
+	0x286785,
+	0x226987,
+	0x247448,
+	0x3a1cc6,
+	0x29738d,
+	0x29908f,
+	0x29da4d,
+	0x210d04,
+	0x2332c6,
+	0x2d3c08,
+	0x33ccc5,
+	0x276c08,
+	0x24560a,
+	0x244504,
+	0x27bb46,
+	0x26f3c7,
+	0x286007,
+	0x2a18c9,
+	0x21bc85,
+	0x2b12c4,
+	0x2b330a,
+	0x2bc289,
+	0x22e647,
+	0x265706,
+	0x345d86,
+	0x29c686,
+	0x365b86,
+	0x2d320f,
+	0x2d3ac9,
+	0x274fc6,
+	0x22e346,
+	0x31a809,
+	0x2b2187,
+	0x217443,
+	0x229386,
+	0x216a43,
+	0x2e5788,
+	0x34dcc7,
+	0x29f9c9,
+	0x2a8e08,
+	0x37a008,
+	0x203c86,
+	0x208a49,
+	0x242785,
+	0x2b2244,
+	0x2a99c7,
+	0x2b47c5,
+	0x210d04,
+	0x313508,
+	0x215bc4,
+	0x2b1ec7,
+	0x3545c6,
+	0x357e85,
+	0x2a1288,
+	0x345c4b,
+	0x331dc7,
+	0x348046,
+	0x2c4e84,
+	0x319586,
+	0x264305,
+	0x23bcc5,
+	0x27c2c9,
+	0x280249,
+	0x2acc44,
+	0x2acc85,
+	0x247885,
+	0x2db646,
+	0x3077c8,
+	0x2bf046,
+	0x38d3cb,
+	0x35ab4a,
+	0x2b0e85,
+	0x28b6c6,
+	0x396485,
+	0x2cf485,
+	0x2a54c7,
+	0x352cc8,
+	0x2367c4,
+	0x25f806,
+	0x28f546,
+	0x213307,
+	0x30a304,
+	0x27ae86,
+	0x237cc5,
+	0x237cc9,
+	0x2163c4,
+	0x2a9809,
+	0x2774c6,
+	0x2c0c08,
+	0x247885,
+	0x362d45,
+	0x234206,
+	0x21efc9,
+	0x217cc9,
+	0x36c446,
+	0x2dcf48,
+	0x244508,
+	0x396444,
+	0x2b3644,
+	0x2b3648,
+	0x326dc8,
+	0x2368c9,
+	0x3519c6,
+	0x268686,
+	0x32224d,
+	0x2e3306,
+	0x306c89,
+	0x315fc5,
+	0x3bb046,
+	0x391408,
+	0x31d9c5,
+	0x23bb44,
+	0x264305,
+	0x27fb48,
+	0x29a689,
+	0x274284,
+	0x353146,
+	0x279e8a,
+	0x2f5d08,
+	0x215349,
+	0x38174a,
+	0x335e06,
+	0x299248,
+	0x3b8185,
+	0x2e0908,
+	0x2b8145,
+	0x21ed09,
+	0x36a349,
+	0x20d8c2,
+	0x2a8385,
+	0x269746,
+	0x277407,
+	0x3b05c5,
+	0x308986,
+	0x301448,
+	0x2a33c6,
+	0x2b6b09,
+	0x2760c6,
+	0x252808,
+	0x2a89c5,
+	0x23ebc6,
+	0x33da88,
+	0x27e648,
+	0x2e7008,
+	0x345f08,
+	0x3b2b44,
+	0x22a183,
+	0x2b6d44,
+	0x27d6c6,
+	0x284f84,
+	0x2e1287,
+	0x2e72c9,
+	0x2c45c5,
+	0x204846,
+	0x229386,
+	0x291e4b,
+	0x2b0dc6,
+	0x3b8cc6,
+	0x2c8488,
+	0x3204c6,
+	0x21aa43,
+	0x3af743,
+	0x2b3204,
+	0x22f485,
+	0x2b1807,
+	0x274408,
+	0x27440f,
+	0x27a48b,
+	0x3075c8,
+	0x3531c6,
+	0x3078ce,
+	0x2319c3,
+	0x2b1784,
+	0x2b0d45,
+	0x2b1146,
+	0x28ce4b,
+	0x291886,
+	0x21b249,
+	0x357e85,
+	0x3899c8,
+	0x20c688,
+	0x217b8c,
+	0x29ed06,
+	0x247c06,
+	0x2d7985,
+	0x287b88,
+	0x2790c5,
+	0x343088,
+	0x29b28a,
+	0x29de89,
+	0x676384,
+	0x38a099c2,
+	0x16d208,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x209703,
+	0x205503,
+	0x200983,
+	0x38d2c3,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x3b1384,
+	0x205503,
+	0x200983,
+	0x20cf83,
+	0x25ef44,
+	0x2a84c3,
+	0x235ac4,
+	0x232403,
+	0x2d5f04,
+	0x2e9dc3,
+	0x3b0887,
+	0x209703,
+	0x204e83,
+	0x28b148,
+	0x200983,
+	0x2ae1cb,
+	0x2ec883,
+	0x264a86,
+	0x20b0c2,
+	0x22d54b,
+	0x232403,
+	0x2e9dc3,
+	0x205503,
+	0x200983,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x200983,
+	0x26be43,
+	0x204783,
+	0x205702,
+	0x16d208,
+	0x325f45,
+	0x23bd48,
+	0x2df7c8,
+	0x2099c2,
+	0x37ab45,
+	0x38c347,
+	0x2007c2,
+	0x240d87,
+	0x20d882,
+	0x248707,
+	0x32c589,
+	0x3b7d48,
+	0x2ddc09,
+	0x23e202,
+	0x263647,
+	0x36c1c4,
+	0x38c407,
+	0x35aa47,
+	0x2bbbc2,
+	0x209703,
+	0x20e602,
+	0x200c82,
+	0x200442,
+	0x2013c2,
+	0x205ec2,
+	0x209842,
+	0x2a80c5,
+	0x320885,
+	0x99c2,
+	0x32403,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x205503,
+	0x200983,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x209703,
+	0x205503,
+	0x200983,
+	0x12083,
+	0x1ec1,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x3b1384,
+	0x244183,
+	0x205503,
+	0x200983,
+	0x219503,
+	0x3b819d06,
+	0x13f443,
+	0x7df85,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x205503,
+	0x200983,
+	0x2099c2,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x205503,
+	0x200983,
+	0x4a82,
+	0x16d208,
+	0x44e04,
+	0xdb085,
+	0x205702,
+	0x26f544,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x2358c3,
+	0x2a9305,
+	0x244183,
+	0x206343,
+	0x205503,
+	0x21c2c3,
+	0x200983,
+	0x214843,
+	0x2387c3,
+	0x25ed03,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x205503,
+	0x200983,
+	0x2099c2,
+	0x200983,
+	0x16d208,
+	0x2e9dc3,
+	0x16d208,
+	0x200c03,
+	0x2a84c3,
+	0x22fd84,
+	0x232403,
+	0x2e9dc3,
+	0x202bc2,
+	0x209703,
+	0x205503,
+	0x200983,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x202bc2,
+	0x227f83,
+	0x205503,
+	0x200983,
+	0x2e87c3,
+	0x214843,
+	0x205702,
+	0x2099c2,
+	0x2e9dc3,
+	0x205503,
+	0x200983,
+	0x264a85,
+	0xe4886,
+	0x25ef44,
+	0x20b0c2,
+	0x16d208,
+	0x205702,
+	0x1d848,
+	0x1b4183,
+	0x2099c2,
+	0x3fc91386,
+	0x1320c4,
+	0xd95cb,
+	0x13eec6,
+	0x9807,
+	0x232403,
+	0x47208,
+	0x2e9dc3,
+	0xb9b45,
+	0x13fb84,
+	0x260f83,
+	0x4ce87,
+	0xd78c4,
+	0x205503,
+	0x7f1c4,
+	0x200983,
+	0x2ed844,
+	0xd9388,
+	0x125c86,
+	0x82b48,
+	0x6cf05,
+	0x1fa49,
+	0x2099c2,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x209703,
+	0x204e83,
+	0x200983,
+	0x2ec883,
+	0x20b0c2,
+	0x16d208,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x24a5c3,
+	0x211cc4,
+	0x205503,
+	0x200983,
+	0x2a84c3,
+	0x232403,
+	0x2d5f04,
+	0x2e9dc3,
+	0x205503,
+	0x200983,
+	0x264a86,
+	0x232403,
+	0x2e9dc3,
+	0x176e43,
+	0x200983,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x205503,
+	0x200983,
+	0x9807,
+	0x16d208,
+	0x2e9dc3,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x205503,
+	0x200983,
+	0x426a84c3,
+	0x232403,
+	0x205503,
+	0x200983,
+	0x16d208,
+	0x205702,
+	0x2099c2,
+	0x2a84c3,
+	0x2e9dc3,
+	0x205503,
+	0x200442,
+	0x200983,
+	0x316e87,
+	0x33e6cb,
+	0x22d703,
+	0x241608,
+	0x3b1547,
+	0x20a7c6,
+	0x2c2c45,
+	0x372349,
+	0x209488,
+	0x360d49,
+	0x38f790,
+	0x360d4b,
+	0x39e189,
+	0x201b03,
+	0x20fb89,
+	0x230f06,
+	0x230f0c,
+	0x326008,
+	0x3b4f08,
+	0x34af09,
+	0x2905ce,
+	0x2dd9cb,
+	0x2f364c,
+	0x2030c3,
+	0x263d0c,
+	0x207089,
+	0x2fee47,
+	0x23234c,
+	0x3a89ca,
+	0x2030c4,
+	0x2d084d,
+	0x263bc8,
+	0x20cf8d,
+	0x273846,
+	0x28decb,
+	0x283349,
+	0x3b8b87,
+	0x32fd06,
+	0x330f89,
+	0x351b8a,
+	0x30b148,
+	0x2ec484,
+	0x2fba07,
+	0x34f707,
+	0x2bab04,
+	0x37b5c4,
+	0x22a749,
+	0x281d49,
+	0x22ae48,
+	0x210785,
+	0x3b4005,
+	0x20db86,
+	0x2d0709,
+	0x24588d,
+	0x2f30c8,
+	0x20da87,
+	0x2c2cc8,
+	0x2e1886,
+	0x38b6c4,
+	0x3523c5,
+	0x202986,
+	0x204b04,
+	0x206f87,
+	0x20b8ca,
+	0x212244,
+	0x2157c6,
+	0x216a09,
+	0x216a0f,
+	0x21788d,
+	0x2184c6,
+	0x21d450,
+	0x21d846,
+	0x21df87,
+	0x21e4c7,
+	0x21e4cf,
+	0x21f6c9,
+	0x224c46,
+	0x225347,
+	0x225348,
+	0x225809,
+	0x246088,
+	0x2e52c7,
+	0x20cc83,
+	0x372986,
+	0x3ba948,
+	0x29088a,
+	0x213c09,
+	0x2095c3,
+	0x38c246,
+	0x25f64a,
+	0x29e587,
+	0x2fec8a,
+	0x313d4e,
+	0x21f806,
+	0x2a8587,
+	0x20e006,
+	0x207146,
+	0x37de0b,
+	0x20414a,
+	0x317f0d,
+	0x216287,
+	0x33ce88,
+	0x33ce89,
+	0x33ce8f,
+	0x2b838c,
+	0x27b289,
+	0x2e6a0e,
+	0x3b098a,
+	0x2ba246,
+	0x2f4586,
+	0x30b58c,
+	0x30ce8c,
+	0x30dc08,
+	0x3439c7,
+	0x2b8c45,
+	0x351e04,
+	0x33c90e,
+	0x228d04,
+	0x351747,
+	0x26030a,
+	0x362554,
+	0x36dd8f,
+	0x21e688,
+	0x372848,
+	0x35040d,
+	0x35040e,
+	0x376ec9,
+	0x3a8ec8,
+	0x3a8ecf,
+	0x23204c,
+	0x23204f,
+	0x233007,
+	0x236dca,
+	0x2435cb,
+	0x238508,
+	0x239cc7,
+	0x3690cd,
+	0x250406,
+	0x2d0a06,
+	0x23c149,
+	0x394648,
+	0x242088,
+	0x24208e,
+	0x2b5007,
+	0x243885,
+	0x244bc5,
+	0x2063c4,
+	0x20aa86,
+	0x22ad48,
+	0x202203,
+	0x2ca10e,
+	0x369488,
+	0x2a2fcb,
+	0x200dc7,
+	0x3a4045,
+	0x22e206,
+	0x2aa0c7,
+	0x333d08,
+	0x26cd09,
+	0x292e45,
+	0x284788,
+	0x212c06,
+	0x38ad4a,
+	0x33c809,
+	0x232409,
+	0x23240b,
+	0x38dc48,
+	0x2ba9c9,
+	0x210846,
+	0x22eb8a,
+	0x2dc80a,
+	0x236fcc,
+	0x3a6687,
+	0x32c38a,
+	0x26ea8b,
+	0x26ea99,
+	0x3b6a88,
+	0x264b05,
+	0x2c6086,
+	0x211e49,
+	0x390746,
+	0x28550a,
+	0x209686,
+	0x202644,
+	0x2c620d,
+	0x202647,
+	0x211149,
+	0x246385,
+	0x2464c8,
+	0x246fc9,
+	0x247784,
+	0x248387,
+	0x248388,
+	0x248c87,
+	0x261908,
+	0x24d487,
+	0x26c645,
+	0x25488c,
+	0x2550c9,
+	0x2bc00a,
+	0x3937c9,
+	0x20fc89,
+	0x275a0c,
+	0x25774b,
+	0x257ec8,
+	0x259048,
+	0x25c404,
+	0x2810c8,
+	0x283c89,
+	0x3a8a87,
+	0x216c46,
+	0x2835c7,
+	0x2dcac9,
+	0x26e6cb,
+	0x319407,
+	0x200a07,
+	0x22b587,
+	0x20cf04,
+	0x20cf05,
+	0x29a545,
+	0x341c0b,
+	0x39c644,
+	0x3b2988,
+	0x26614a,
+	0x212cc7,
+	0x2f6707,
+	0x28bed2,
+	0x278446,
+	0x22f706,
+	0x33c24e,
+	0x27aa06,
+	0x292588,
+	0x29374f,
+	0x20d348,
+	0x37f308,
+	0x30eaca,
+	0x30ead1,
+	0x2a0e8e,
+	0x24dd0a,
+	0x24dd0c,
+	0x21e307,
+	0x3a90d0,
+	0x200408,
+	0x2a1085,
+	0x2aa4ca,
+	0x204b4c,
+	0x29518d,
+	0x2f7e46,
+	0x2f7e47,
+	0x2f7e4c,
+	0x300e4c,
+	0x3292cc,
+	0x2873cb,
+	0x284184,
+	0x226384,
+	0x346d89,
+	0x3050c7,
+	0x225e49,
+	0x37e909,
+	0x39f1c7,
+	0x3a8846,
+	0x3a8849,
+	0x2ad1c3,
+	0x21c74a,
+	0x31a287,
+	0x33eb8b,
+	0x317d8a,
+	0x248844,
+	0x22ba46,
+	0x27d749,
+	0x202b84,
+	0x3affca,
+	0x348345,
+	0x2bdd45,
+	0x2bdd4d,
+	0x2be08e,
+	0x28cc05,
+	0x323906,
+	0x264687,
+	0x3870ca,
+	0x39b686,
+	0x3616c4,
+	0x36d747,
+	0x2c3f0b,
+	0x2e1947,
+	0x33fa84,
+	0x24bb86,
+	0x24bb8d,
+	0x21e1cc,
+	0x2053c6,
+	0x2f32ca,
+	0x2e03c6,
+	0x2ed0c8,
+	0x377c47,
+	0x23568a,
+	0x23d6c6,
+	0x216183,
+	0x391586,
+	0x3ba7c8,
+	0x29ac8a,
+	0x275807,
+	0x275808,
+	0x281684,
+	0x24b687,
+	0x279348,
+	0x2bd748,
+	0x27c0c8,
+	0x38c94a,
+	0x2da905,
+	0x2cf0c7,
+	0x24db53,
+	0x31e806,
+	0x266348,
+	0x221a09,
+	0x240c48,
+	0x203d0b,
+	0x2cb608,
+	0x2a5f44,
+	0x32ec06,
+	0x30bac6,
+	0x3027c9,
+	0x2c3dc7,
+	0x254988,
+	0x28af06,
+	0x226884,
+	0x2cb8c5,
+	0x2c55c8,
+	0x2c5bca,
+	0x2c5e88,
+	0x2cbf86,
+	0x29944a,
+	0x2ac808,
+	0x2cf788,
+	0x2d18c8,
+	0x2d1f06,
+	0x2d3e06,
+	0x38e18c,
+	0x2d43d0,
+	0x27d2c5,
+	0x20d148,
+	0x301950,
+	0x20d150,
+	0x38f60e,
+	0x38de0e,
+	0x38de14,
+	0x32fe8f,
+	0x330246,
+	0x332d51,
+	0x33d213,
+	0x33d688,
+	0x3b3445,
+	0x241b48,
+	0x386245,
+	0x329a8c,
+	0x291549,
+	0x228b49,
+	0x3201c7,
+	0x236b89,
+	0x380887,
+	0x2f6146,
+	0x3521c7,
+	0x269c45,
+	0x2120c3,
+	0x2023c9,
+	0x221cc9,
+	0x376e43,
+	0x27f384,
+	0x32a20d,
+	0x206bcf,
+	0x2268c5,
+	0x329986,
+	0x211407,
+	0x325d87,
+	0x288786,
+	0x28878b,
+	0x2a2405,
+	0x256786,
+	0x2f6c07,
+	0x24e489,
+	0x3a7486,
+	0x21d305,
+	0x22854b,
+	0x235946,
+	0x249245,
+	0x357988,
+	0x306a88,
+	0x2c8f0c,
+	0x2c8f10,
+	0x2d2409,
+	0x2ffd07,
+	0x32840b,
+	0x2e3b86,
+	0x2e518a,
+	0x2e754b,
+	0x2e794a,
+	0x2e7bc6,
+	0x2e8685,
+	0x319fc6,
+	0x36c808,
+	0x32028a,
+	0x35009c,
+	0x2ec94c,
+	0x2ecc48,
+	0x264a85,
+	0x34ea07,
+	0x26bec6,
+	0x274e05,
+	0x21afc6,
+	0x288948,
+	0x2bc507,
+	0x2904c8,
+	0x2a868a,
+	0x33130c,
+	0x331589,
+	0x38b847,
+	0x2198c4,
+	0x244c86,
+	0x37ee8a,
+	0x37ea05,
+	0x209f8c,
+	0x20e648,
+	0x367388,
+	0x21a00c,
+	0x22550c,
+	0x225a09,
+	0x225c47,
+	0x231d4c,
+	0x23aa84,
+	0x23c60a,
+	0x35e6cc,
+	0x26b28b,
+	0x242b8b,
+	0x2efec6,
+	0x24a107,
+	0x24c687,
+	0x3a930f,
+	0x2f8a51,
+	0x2d8592,
+	0x24c68d,
+	0x24c68e,
+	0x24c9ce,
+	0x330048,
+	0x330052,
+	0x24fbc8,
+	0x3b1187,
+	0x24aeca,
+	0x3681c8,
+	0x27a9c5,
+	0x3b57ca,
+	0x21dd87,
+	0x2e36c4,
+	0x201543,
+	0x2a57c5,
+	0x30ed47,
+	0x2f5007,
+	0x29538e,
+	0x3382cd,
+	0x33af89,
+	0x222705,
+	0x35c3c3,
+	0x3a78c6,
+	0x36e745,
+	0x2a3208,
+	0x205b49,
+	0x2983c5,
+	0x3692cf,
+	0x2d96c7,
+	0x372285,
+	0x20178a,
+	0x2a36c6,
+	0x2ed249,
+	0x396ccc,
+	0x2f51c9,
+	0x3abdc6,
+	0x265f4c,
+	0x322d06,
+	0x2f7588,
+	0x2f7786,
+	0x3b6c06,
+	0x3b96c4,
+	0x258243,
+	0x2a1fca,
+	0x327191,
+	0x3a9c0a,
+	0x27ee85,
+	0x265047,
+	0x252207,
+	0x279444,
+	0x27944b,
+	0x3b7bc8,
+	0x2b7bc6,
+	0x362b85,
+	0x38b044,
+	0x255f09,
+	0x31ad84,
+	0x254f07,
+	0x32f345,
+	0x32f347,
+	0x33c485,
+	0x2a8183,
+	0x3b1048,
+	0x33b80a,
+	0x203043,
+	0x325f8a,
+	0x203046,
+	0x36904f,
+	0x2b4f89,
+	0x2ca090,
+	0x2f1548,
+	0x2ccc89,
+	0x2971c7,
+	0x24bb0f,
+	0x336244,
+	0x2d5f84,
+	0x21d6c6,
+	0x22f246,
+	0x25708a,
+	0x23cc46,
+	0x2f58c7,
+	0x300788,
+	0x300987,
+	0x301207,
+	0x30370a,
+	0x30534b,
+	0x2f3dc5,
+	0x2d81c8,
+	0x21bb03,
+	0x23800c,
+	0x36f78f,
+	0x2b8a4d,
+	0x2a7147,
+	0x33b0c9,
+	0x22bcc7,
+	0x24a2c8,
+	0x36274c,
+	0x2a5e48,
+	0x250bc8,
+	0x318ace,
+	0x32d354,
+	0x32d864,
+	0x3475ca,
+	0x36148b,
+	0x380944,
+	0x380949,
+	0x27bbc8,
+	0x245345,
+	0x201d0a,
+	0x3696c7,
+	0x26f744,
+	0x38d2c3,
+	0x2a84c3,
+	0x235ac4,
+	0x232403,
+	0x2e9dc3,
+	0x3b1384,
+	0x244183,
+	0x209703,
+	0x2d43c6,
+	0x211cc4,
+	0x205503,
+	0x200983,
+	0x201303,
+	0x205702,
+	0x38d2c3,
+	0x2099c2,
+	0x2a84c3,
+	0x235ac4,
+	0x232403,
+	0x2e9dc3,
+	0x244183,
+	0x2d43c6,
+	0x205503,
+	0x200983,
+	0x16d208,
+	0x2a84c3,
+	0x232403,
+	0x2163c3,
+	0x205503,
+	0x200983,
+	0x16d208,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x209703,
+	0x211cc4,
+	0x205503,
+	0x200983,
+	0x205702,
+	0x2bb143,
+	0x2099c2,
+	0x232403,
+	0x2e9dc3,
+	0x209703,
+	0x205503,
+	0x200983,
+	0x201ec2,
+	0x219f02,
+	0x2099c2,
+	0x2a84c3,
+	0x202242,
+	0x201fc2,
+	0x3b1384,
+	0x210444,
+	0x227382,
+	0x211cc4,
+	0x200442,
+	0x200983,
+	0x201303,
+	0x2efec6,
+	0x212982,
+	0x202dc2,
+	0x222f02,
+	0x44e0d343,
+	0x4521e303,
+	0x52d46,
+	0x52d46,
+	0x25ef44,
+	0x204e83,
+	0x142abca,
+	0x12778c,
+	0x102cc,
+	0x7dd8d,
+	0x129845,
+	0x21347,
+	0x18648,
+	0x1b887,
+	0x20348,
+	0x19d4ca,
+	0x45ed6a45,
+	0x12b809,
+	0xaf848,
+	0x4a70a,
+	0x8a64e,
+	0x1440a4b,
+	0x1320c4,
+	0x77848,
+	0x68bc8,
+	0x38f47,
+	0x12807,
+	0x4efc9,
+	0x2c07,
+	0xd4ac8,
+	0x1318c9,
+	0x3adc5,
+	0x124d4e,
+	0xa8a0d,
+	0x9688,
+	0x4622a586,
+	0x46c2a588,
+	0x70cc8,
+	0x117090,
+	0x5f347,
+	0x601c7,
+	0x64547,
+	0x69447,
+	0xdb42,
+	0x190bc7,
+	0x430c,
+	0x35fc7,
+	0xa4246,
+	0xa4909,
+	0xa6388,
+	0x17f42,
+	0x1fc2,
+	0xb8fcb,
+	0x7f247,
+	0x11809,
+	0xbb9c9,
+	0x17e248,
+	0xafd42,
+	0x113a49,
+	0xcdf8a,
+	0xc9e09,
+	0xd6fc9,
+	0xd7ac8,
+	0xd8a47,
+	0xda889,
+	0xde345,
+	0xde6d0,
+	0x175b86,
+	0x192345,
+	0x5e98d,
+	0xf986,
+	0xe9187,
+	0xed858,
+	0x1b1a48,
+	0xb4c8a,
+	0x1c42,
+	0x52f4d,
+	0x27c2,
+	0x5d306,
+	0x8d108,
+	0x86ec8,
+	0x16d0c9,
+	0x55b08,
+	0x5fb4e,
+	0x1a78c7,
+	0x19d0d,
+	0xf2d05,
+	0x190948,
+	0x194448,
+	0xfacc6,
+	0xc2,
+	0x125c86,
+	0x7b02,
+	0x341,
+	0x57a07,
+	0xc8e83,
+	0x466ee0c4,
+	0x46a94443,
+	0x141,
+	0x10986,
+	0x141,
+	0x1,
+	0x10986,
+	0xc8e83,
+	0x1596bc5,
+	0x2030c4,
+	0x2a84c3,
+	0x249944,
+	0x3b1384,
+	0x205503,
+	0x2218c5,
+	0x219503,
+	0x23e743,
+	0x373605,
+	0x25ed03,
+	0x47ea84c3,
+	0x232403,
+	0x2e9dc3,
+	0x200041,
+	0x209703,
+	0x210444,
+	0x211cc4,
+	0x205503,
+	0x200983,
+	0x214843,
+	0x16d208,
+	0x205702,
+	0x38d2c3,
+	0x2099c2,
+	0x2a84c3,
+	0x232403,
+	0x2163c3,
+	0x201fc2,
+	0x3b1384,
+	0x244183,
+	0x209703,
+	0x205503,
+	0x204e83,
+	0x200983,
+	0x25ed03,
+	0x16d208,
+	0x36f502,
+	0x99c2,
+	0x1456108,
+	0x100b4e,
+	0x48e016c2,
+	0x31a448,
+	0x234386,
+	0x209cc6,
+	0x233d07,
+	0x4920c202,
+	0x49768ec8,
+	0x20884a,
+	0x25cc88,
+	0x200242,
+	0x31a0c9,
+	0x2f3e07,
+	0x216bc6,
+	0x3b0d89,
+	0x2cf204,
+	0x20a6c6,
+	0x2dbcc4,
+	0x26ffc4,
+	0x2544c9,
+	0x326686,
+	0x320945,
+	0x22c445,
+	0x384e07,
+	0x2bfb47,
+	0x28fa44,
+	0x233f46,
+	0x2fb005,
+	0x2fde45,
+	0x3963c5,
+	0x3b3dc7,
+	0x200c05,
+	0x314b49,
+	0x312945,
+	0x333e44,
+	0x39b5c7,
+	0x31974e,
+	0x32e5c9,
+	0x33c109,
+	0x3a64c6,
+	0x23d408,
+	0x26d98b,
+	0x2aeecc,
+	0x37f806,
+	0x2dd887,
+	0x20a305,
+	0x37b5ca,
+	0x22af49,
+	0x20bf49,
+	0x24ff86,
+	0x2f69c5,
+	0x27ce45,
+	0x3490c9,
+	0x39654b,
+	0x273346,
+	0x33a786,
+	0x202504,
+	0x28bb86,
+	0x243908,
+	0x3ba646,
+	0x214386,
+	0x207c08,
+	0x20bb47,
+	0x20bd09,
+	0x20c585,
+	0x16d208,
+	0x212784,
+	0x3ada04,
+	0x283785,
+	0x399a49,
+	0x220f07,
+	0x220f0b,
+	0x22394a,
+	0x227a45,
+	0x49a08d42,
+	0x33ea47,
+	0x49e28908,
+	0x2afb87,
+	0x350e85,
+	0x20c1ca,
+	0x99c2,
+	0x34dfcb,
+	0x24d5ca,
+	0x221bc6,
+	0x282bc3,
+	0x28e34d,
+	0x3492cc,
+	0x35084d,
+	0x245c45,
+	0x32ae05,
+	0x202247,
+	0x3aba49,
+	0x208746,
+	0x23cac5,
+	0x2d29c8,
+	0x28ba83,
+	0x2dfac8,
+	0x28ba88,
+	0x2c3747,
+	0x309708,
+	0x3a7209,
+	0x2cc447,
+	0x33e247,
+	0x396a48,
+	0x251f44,
+	0x251f47,
+	0x273748,
+	0x3a3ac6,
+	0x205f4f,
+	0x211a07,
+	0x2e5446,
+	0x225d85,
+	0x223083,
+	0x371847,
+	0x36c043,
+	0x248e46,
+	0x24aa86,
+	0x24b286,
+	0x290c05,
+	0x261903,
+	0x388208,
+	0x36f009,
+	0x38224b,
+	0x24b408,
+	0x24d145,
+	0x24f605,
+	0x4a248902,
+	0x352289,
+	0x3b1407,
+	0x256805,
+	0x2543c7,
+	0x2559c6,
+	0x365a45,
+	0x36e58b,
+	0x257ec4,
+	0x25c845,
+	0x25c987,
+	0x272cc6,
+	0x273105,
+	0x2812c7,
+	0x281a07,
+	0x2cd884,
+	0x289c0a,
+	0x28a0c8,
+	0x3b8209,
+	0x241e85,
+	0x207886,
+	0x243aca,
+	0x22c346,
+	0x261e07,
+	0x3b7ecd,
+	0x29c809,
+	0x38d185,
+	0x314187,
+	0x332288,
+	0x33d848,
+	0x3b3107,
+	0x379d86,
+	0x215dc7,
+	0x249f43,
+	0x341c04,
+	0x363485,
+	0x392707,
+	0x395dc9,
+	0x22be48,
+	0x344c45,
+	0x23cd84,
+	0x246245,
+	0x24b80d,
+	0x200f82,
+	0x373746,
+	0x25d246,
+	0x2c578a,
+	0x376546,
+	0x37edc5,
+	0x33df85,
+	0x33df87,
+	0x38ab8c,
+	0x270b4a,
+	0x28b846,
+	0x2b9645,
+	0x28b9c6,
+	0x28bd07,
+	0x28e186,
+	0x290b0c,
+	0x3b0ec9,
+	0x4a610e07,
+	0x293b05,
+	0x293b06,
+	0x293ec8,
+	0x23b705,
+	0x2a2c85,
+	0x2a3848,
+	0x2a3a4a,
+	0x4aa4ecc2,
+	0x4ae0ee02,
+	0x2e6705,
+	0x284f83,
+	0x3adf08,
+	0x204043,
+	0x2a3cc4,
+	0x2ed38b,
+	0x26dd48,
+	0x2e4d48,
+	0x4b349909,
+	0x2a7dc9,
+	0x2a8906,
+	0x2a9d48,
+	0x2a9f49,
+	0x2aab46,
+	0x2aacc5,
+	0x3843c6,
+	0x2ab5c9,
+	0x331f47,
+	0x23ea86,
+	0x233747,
+	0x2085c7,
+	0x32c8c4,
+	0x4b7b1d49,
+	0x2cab88,
+	0x368dc8,
+	0x383447,
+	0x2c5246,
+	0x226ac9,
+	0x209c87,
+	0x32e90a,
+	0x38c588,
+	0x3af5c7,
+	0x3b9786,
+	0x24f38a,
+	0x262708,
+	0x2dccc5,
+	0x226645,
+	0x2ee487,
+	0x2f7349,
+	0x36510b,
+	0x315008,
+	0x3129c9,
+	0x24bfc7,
+	0x2b550c,
+	0x2b5c4c,
+	0x2b5f4a,
+	0x2b61cc,
+	0x2c2708,
+	0x2c2908,
+	0x2c2b04,
+	0x2c2ec9,
+	0x2c3109,
+	0x2c334a,
+	0x2c35c9,
+	0x2c3907,
+	0x3af00c,
+	0x241146,
+	0x34acc8,
+	0x22c406,
+	0x32e7c6,
+	0x38d087,
+	0x3b3288,
+	0x39034b,
+	0x2afa47,
+	0x352489,
+	0x3445c9,
+	0x249ac7,
+	0x278a04,
+	0x265187,
+	0x2db346,
+	0x214a06,
+	0x2f3485,
+	0x2a5888,
+	0x291444,
+	0x291446,
+	0x270a0b,
+	0x21ca49,
+	0x214b46,
+	0x21c489,
+	0x3b3f46,
+	0x254688,
+	0x223b83,
+	0x2f6b45,
+	0x22edc9,
+	0x261145,
+	0x2f9684,
+	0x272206,
+	0x231545,
+	0x228f86,
+	0x3056c7,
+	0x26e986,
+	0x3a304b,
+	0x22ea87,
+	0x3379c6,
+	0x346f06,
+	0x384ec6,
+	0x28fa09,
+	0x2ef14a,
+	0x2b3505,
+	0x2170cd,
+	0x2a3b46,
+	0x235546,
+	0x2b4e86,
+	0x2ed045,
+	0x2de9c7,
+	0x2e14c7,
+	0x3581ce,
+	0x209703,
+	0x2c5209,
+	0x391dc9,
+	0x37b9c7,
+	0x358f07,
+	0x29d645,
+	0x27ec45,
+	0x4ba2a88f,
+	0x2ccec7,
+	0x2cd088,
+	0x2cd484,
+	0x2cde46,
+	0x4be44c42,
+	0x2d2186,
+	0x2d43c6,
+	0x391f8e,
+	0x2df90a,
+	0x357b06,
+	0x285eca,
+	0x203549,
+	0x324105,
+	0x398008,
+	0x3b5606,
+	0x38cec8,
+	0x26f088,
+	0x28eb8b,
+	0x233e05,
+	0x200c88,
+	0x207d4c,
+	0x2bd507,
+	0x24ae06,
+	0x2e28c8,
+	0x20a948,
+	0x4c208442,
+	0x20a48b,
+	0x282549,
+	0x329f09,
+	0x3bb287,
+	0x20f7c8,
+	0x4c61bf48,
+	0x3511cb,
+	0x37e0c9,
+	0x234fcd,
+	0x2750c8,
+	0x224a48,
+	0x4ca03ec2,
+	0x20e3c4,
+	0x4ce1a2c2,
+	0x2f4ec6,
+	0x4d2004c2,
+	0x3813ca,
+	0x21c346,
+	0x285908,
+	0x284488,
+	0x2af446,
+	0x22d8c6,
+	0x2f12c6,
+	0x2a3185,
+	0x238c04,
+	0x4d61e144,
+	0x205146,
+	0x272707,
+	0x4dae8bc7,
+	0x35490b,
+	0x319b09,
+	0x32ae4a,
+	0x391804,
+	0x33e0c8,
+	0x23e84d,
+	0x2eb709,
+	0x2eb948,
+	0x2ebfc9,
+	0x2ed844,
+	0x243484,
+	0x27c885,
+	0x317b4b,
+	0x26dcc6,
+	0x3424c5,
+	0x250149,
+	0x234008,
+	0x2047c4,
+	0x37b749,
+	0x208105,
+	0x2bfb88,
+	0x33e907,
+	0x33c508,
+	0x27d946,
+	0x35e387,
+	0x292349,
+	0x2286c9,
+	0x2492c5,
+	0x334ec5,
+	0x4de2d902,
+	0x333c04,
+	0x2049c5,
+	0x32c146,
+	0x318385,
+	0x2b1ac7,
+	0x205245,
+	0x272d04,
+	0x3a6586,
+	0x23cb47,
+	0x232986,
+	0x2dca05,
+	0x203188,
+	0x234585,
+	0x2062c7,
+	0x20f1c9,
+	0x21cb8a,
+	0x2e1b87,
+	0x2e1b8c,
+	0x320906,
+	0x343cc9,
+	0x23b385,
+	0x23b648,
+	0x210803,
+	0x210805,
+	0x2e8a05,
+	0x261607,
+	0x4e20c002,
+	0x22d0c7,
+	0x2e4f06,
+	0x342786,
+	0x2e7d06,
+	0x20a886,
+	0x208388,
+	0x241c85,
+	0x2e5507,
+	0x2e550d,
+	0x201543,
+	0x21ec05,
+	0x201547,
+	0x22d408,
+	0x201105,
+	0x218c88,
+	0x36c0c6,
+	0x32b9c7,
+	0x2c4785,
+	0x233e86,
+	0x26f5c5,
+	0x21390a,
+	0x2f2e06,
+	0x377ac7,
+	0x2ca505,
+	0x3612c7,
+	0x36d6c4,
+	0x2f9606,
+	0x2fb3c5,
+	0x32648b,
+	0x2db1c9,
+	0x2bb24a,
+	0x249348,
+	0x301d08,
+	0x304a4c,
+	0x306287,
+	0x3073c8,
+	0x310a48,
+	0x31e945,
+	0x34020a,
+	0x35c3c9,
+	0x4e600802,
+	0x200806,
+	0x219d04,
+	0x2ea849,
+	0x220b49,
+	0x269287,
+	0x294947,
+	0x37e789,
+	0x38cb48,
+	0x38cb4f,
+	0x315d06,
+	0x2d670b,
+	0x36e8c5,
+	0x36e8c7,
+	0x385889,
+	0x212ac6,
+	0x37b6c7,
+	0x2d8905,
+	0x2303c4,
+	0x261006,
+	0x211ac4,
+	0x2ce4c7,
+	0x307048,
+	0x4eaf68c8,
+	0x2f7085,
+	0x2f71c7,
+	0x236549,
+	0x23e284,
+	0x23e288,
+	0x4ee2b888,
+	0x279444,
+	0x231388,
+	0x32fdc4,
+	0x3ab849,
+	0x2173c5,
+	0x4f20b0c2,
+	0x315d45,
+	0x2e4345,
+	0x251288,
+	0x232e47,
+	0x4f601442,
+	0x204785,
+	0x2cf606,
+	0x24b106,
+	0x333bc8,
+	0x302108,
+	0x318346,
+	0x327f06,
+	0x2e2e49,
+	0x3426c6,
+	0x21298b,
+	0x296305,
+	0x368106,
+	0x377088,
+	0x250506,
+	0x292cc6,
+	0x21914a,
+	0x23084a,
+	0x245005,
+	0x241d47,
+	0x308786,
+	0x4fa01682,
+	0x201687,
+	0x238705,
+	0x243a44,
+	0x243a45,
+	0x391706,
+	0x26a447,
+	0x219a85,
+	0x220c04,
+	0x2c7e88,
+	0x292d85,
+	0x333a47,
+	0x3a1645,
+	0x213845,
+	0x256e04,
+	0x287609,
+	0x2fae48,
+	0x2e0286,
+	0x2d9d06,
+	0x2b6e46,
+	0x4fefbc88,
+	0x2fbe87,
+	0x2fc0cd,
+	0x2fcb4c,
+	0x2fd149,
+	0x2fd389,
+	0x5035b2c2,
+	0x3a8603,
+	0x207943,
+	0x2db405,
+	0x39280a,
+	0x327dc6,
+	0x302385,
+	0x305884,
+	0x30588b,
+	0x31b70c,
+	0x31c14c,
+	0x31c455,
+	0x31d74d,
+	0x320a8f,
+	0x320e52,
+	0x3212cf,
+	0x321692,
+	0x321b13,
+	0x321fcd,
+	0x32258d,
+	0x32290e,
+	0x322e8e,
+	0x3236cc,
+	0x323a8c,
+	0x323ecb,
+	0x32424e,
+	0x325392,
+	0x327b8c,
+	0x328790,
+	0x335212,
+	0x33640c,
+	0x336acd,
+	0x336e0c,
+	0x339a51,
+	0x33a90d,
+	0x34084d,
+	0x340e4a,
+	0x3410cc,
+	0x3419cc,
+	0x3421cc,
+	0x34290c,
+	0x344dd3,
+	0x345450,
+	0x345850,
+	0x34610d,
+	0x34670c,
+	0x347309,
+	0x34890d,
+	0x348c53,
+	0x34a311,
+	0x34a753,
+	0x34b24f,
+	0x34b60c,
+	0x34b90f,
+	0x34bccd,
+	0x34c2cf,
+	0x34c690,
+	0x34d10e,
+	0x3539ce,
+	0x353f50,
+	0x35518d,
+	0x355b0e,
+	0x355e8c,
+	0x356e93,
+	0x35934e,
+	0x3599d0,
+	0x359dd1,
+	0x35a20f,
+	0x35a5d3,
+	0x35ae4d,
+	0x35b18f,
+	0x35b54e,
+	0x35bc10,
+	0x35c009,
+	0x35cd90,
+	0x35d38f,
+	0x35da0f,
+	0x35ddd2,
+	0x35efce,
+	0x35fc4d,
+	0x36070d,
+	0x360a4d,
+	0x36184d,
+	0x361b8d,
+	0x361ed0,
+	0x3622cb,
+	0x36324c,
+	0x3635cc,
+	0x363bcc,
+	0x363ece,
+	0x371a10,
+	0x372dd2,
+	0x37324b,
+	0x3738ce,
+	0x373c4e,
+	0x3744ce,
+	0x37494b,
+	0x50774f56,
+	0x37624d,
+	0x3766d4,
+	0x377e0d,
+	0x37b115,
+	0x37c40d,
+	0x37cd8f,
+	0x37d5cf,
+	0x38250f,
+	0x3828ce,
+	0x382e4d,
+	0x383f91,
+	0x38674c,
+	0x386a4c,
+	0x386d4b,
+	0x38764c,
+	0x387a0f,
+	0x387dd2,
+	0x38878d,
+	0x38974c,
+	0x389bcc,
+	0x389ecd,
+	0x38a20f,
+	0x38a5ce,
+	0x3924cc,
+	0x392a8d,
+	0x392dcb,
+	0x39358c,
+	0x393b0d,
+	0x393e4e,
+	0x3941c9,
+	0x394d13,
+	0x39524d,
+	0x39558d,
+	0x395b8c,
+	0x39600e,
+	0x396fcf,
+	0x39738c,
+	0x39768d,
+	0x3979cf,
+	0x397d8c,
+	0x39848c,
+	0x39890c,
+	0x398c0c,
+	0x3992cd,
+	0x399612,
+	0x399c8c,
+	0x399f8c,
+	0x39a291,
+	0x39a6cf,
+	0x39aa8f,
+	0x39ae53,
+	0x39bcce,
+	0x39c04f,
+	0x39c40c,
+	0x50b9c74e,
+	0x39cacf,
+	0x39ce96,
+	0x39dc12,
+	0x39f38c,
+	0x39fd0f,
+	0x3a038d,
+	0x3a06cf,
+	0x3a0a8c,
+	0x3a0d8d,
+	0x3a10cd,
+	0x3a254e,
+	0x3a4b8c,
+	0x3a4e8c,
+	0x3a5190,
+	0x3a7a91,
+	0x3a7ecb,
+	0x3a820c,
+	0x3a850e,
+	0x3aa811,
+	0x3aac4e,
+	0x3aafcd,
+	0x3b53cb,
+	0x3b5e8f,
+	0x3b6d94,
+	0x228782,
+	0x228782,
+	0x200c83,
+	0x228782,
+	0x200c83,
+	0x228782,
+	0x205142,
+	0x384405,
+	0x3aa50c,
+	0x228782,
+	0x228782,
+	0x205142,
+	0x228782,
+	0x294545,
+	0x21cb85,
+	0x228782,
+	0x228782,
+	0x20b382,
+	0x294545,
+	0x31f3c9,
+	0x34a00c,
+	0x228782,
+	0x228782,
+	0x228782,
+	0x228782,
+	0x384405,
+	0x228782,
+	0x228782,
+	0x228782,
+	0x228782,
+	0x20b382,
+	0x31f3c9,
+	0x228782,
+	0x228782,
+	0x228782,
+	0x21cb85,
+	0x228782,
+	0x21cb85,
+	0x34a00c,
+	0x3aa50c,
+	0x38d2c3,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x3b1384,
+	0x205503,
+	0x200983,
+	0x2708,
+	0x5fc84,
+	0xe0e08,
+	0x205702,
+	0x51a099c2,
+	0x23dbc3,
+	0x24f2c4,
+	0x2032c3,
+	0x393304,
+	0x22f706,
+	0x20e883,
+	0x3328c4,
+	0x286bc5,
+	0x209703,
+	0x205503,
+	0x200983,
+	0x255cca,
+	0x2efec6,
+	0x373fcc,
+	0x16d208,
+	0x2099c2,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x227f83,
+	0x2d43c6,
+	0x205503,
+	0x200983,
+	0x201303,
+	0xa4508,
+	0x129845,
+	0x14902,
+	0x52f86185,
+	0x21347,
+	0xc93c8,
+	0xec0e,
+	0x88192,
+	0xfe20b,
+	0x532d6a45,
+	0x536d6a4c,
+	0xb007,
+	0x16fc07,
+	0x1b254a,
+	0x3a6d0,
+	0x149c05,
+	0xd95cb,
+	0x68bc8,
+	0x38f47,
+	0x304cb,
+	0x4efc9,
+	0x11dd07,
+	0x2c07,
+	0x73587,
+	0x1c106,
+	0xd4ac8,
+	0x53c1cdc6,
+	0xa8a0d,
+	0x1b1f10,
+	0x5402bb82,
+	0x9688,
+	0x4a450,
+	0x14434c,
+	0x5474e88d,
+	0x655c7,
+	0x78749,
+	0x52e06,
+	0x940c8,
+	0x67e42,
+	0x9f54a,
+	0x27f07,
+	0x35fc7,
+	0xa4909,
+	0xa6388,
+	0xb9b45,
+	0xec50e,
+	0xb54e,
+	0xdecf,
+	0x11809,
+	0xbb9c9,
+	0x43e4b,
+	0x7664f,
+	0x8780c,
+	0x9ef4b,
+	0xbbf48,
+	0x154807,
+	0xcdc48,
+	0xfb80b,
+	0xf568c,
+	0xf640c,
+	0xf908c,
+	0xfe68d,
+	0x17e248,
+	0xeab02,
+	0x113a49,
+	0x185d4b,
+	0xc5446,
+	0x116fcb,
+	0xd804a,
+	0xd8c05,
+	0xde6d0,
+	0x111806,
+	0x192345,
+	0xe3f48,
+	0xe9187,
+	0xe9447,
+	0xff487,
+	0xf4d0a,
+	0xc924a,
+	0x5d306,
+	0x91a0d,
+	0x86ec8,
+	0x55b08,
+	0x56d49,
+	0xb3c45,
+	0xf484c,
+	0xfe88b,
+	0x165044,
+	0xfaa89,
+	0xfacc6,
+	0x1af7c6,
+	0x2dc2,
+	0x125c86,
+	0x107247,
+	0x7b02,
+	0xc83c5,
+	0x29544,
+	0x1ec1,
+	0x4c983,
+	0x53a85146,
+	0x94443,
+	0xd882,
+	0x27f04,
+	0x242,
+	0x5ef44,
+	0x3dc2,
+	0x8142,
+	0x2502,
+	0x10f242,
+	0x1ec2,
+	0xd6a42,
+	0x4142,
+	0x1b102,
+	0x2cd82,
+	0x5742,
+	0xdc2,
+	0xf882,
+	0x32403,
+	0x5f02,
+	0x7c2,
+	0x18342,
+	0xfc82,
+	0x5e82,
+	0x1ae02,
+	0x17f42,
+	0x15c2,
+	0x29c2,
+	0x1fc2,
+	0x44183,
+	0x3942,
+	0x6502,
+	0xafd42,
+	0xbe02,
+	0x282,
+	0x4bc2,
+	0x1f42,
+	0xa8542,
+	0x2342,
+	0x152bc2,
+	0x675c2,
+	0x2c82,
+	0x5503,
+	0x8c2,
+	0x8442,
+	0x33c2,
+	0xb482,
+	0x49245,
+	0xba02,
+	0x2d4c2,
+	0x3c083,
+	0x482,
+	0x1c42,
+	0x27c2,
+	0x3902,
+	0x1102,
+	0x1442,
+	0xc2,
+	0x2dc2,
+	0x9885,
+	0x75c47,
+	0x212503,
+	0x205702,
+	0x2a84c3,
+	0x232403,
+	0x2163c3,
+	0x20ad83,
+	0x227f83,
+	0x205503,
+	0x204e83,
+	0x200983,
+	0x294483,
+	0x169c3,
+	0x16d208,
+	0x2a84c3,
+	0x232403,
+	0x2163c3,
+	0x209703,
+	0x205503,
+	0x204e83,
+	0x200983,
+	0x2a84c3,
+	0x232403,
+	0x200983,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x200041,
+	0x209703,
+	0x205503,
+	0x21c2c3,
+	0x200983,
+	0x38d2c3,
+	0x2a84c3,
+	0x232403,
+	0x209683,
+	0x2163c3,
+	0x277dc3,
+	0x280b83,
+	0x21c303,
+	0x252c03,
+	0x2e9dc3,
+	0x3b1384,
+	0x205503,
+	0x200983,
+	0x25ed03,
+	0x352e84,
+	0x231a03,
+	0x30c3,
+	0x228483,
+	0x37a908,
+	0x24f3c4,
+	0x3b870a,
+	0x2b8ec6,
+	0x1b6a04,
+	0x39b2c7,
+	0x21e7ca,
+	0x315bc9,
+	0x3ab587,
+	0x3b724a,
+	0x38d2c3,
+	0x2e678b,
+	0x2b9fc9,
+	0x2bd645,
+	0x2d1fc7,
+	0x99c2,
+	0x2a84c3,
+	0x205747,
+	0x2e2b85,
+	0x2dbdc9,
+	0x232403,
+	0x233c06,
+	0x2c1a43,
+	0xdb283,
+	0x104e46,
+	0x18ec46,
+	0xe807,
+	0x212e46,
+	0x21b185,
+	0x282407,
+	0x2d5b87,
+	0x56ae9dc3,
+	0x336647,
+	0x365e03,
+	0x206a05,
+	0x3b1384,
+	0x220688,
+	0x38644c,
+	0x2ad745,
+	0x29c986,
+	0x205607,
+	0x38b907,
+	0x238347,
+	0x245108,
+	0x303b8f,
+	0x315e05,
+	0x23dcc7,
+	0x26f287,
+	0x2a3e0a,
+	0x2d2809,
+	0x304f85,
+	0x30664a,
+	0x82a06,
+	0x2c1ac5,
+	0x374b84,
+	0x2843c6,
+	0x2f1d47,
+	0x2eaa07,
+	0x3bb408,
+	0x22dc85,
+	0x2e2a86,
+	0x214305,
+	0x3adcc5,
+	0x21c984,
+	0x2af347,
+	0x2081ca,
+	0x334808,
+	0x35ba86,
+	0x27f83,
+	0x2da905,
+	0x25f906,
+	0x3af246,
+	0x392246,
+	0x209703,
+	0x388a07,
+	0x26f205,
+	0x205503,
+	0x2d830d,
+	0x204e83,
+	0x3bb508,
+	0x27f404,
+	0x272fc5,
+	0x2a3d06,
+	0x234d46,
+	0x368007,
+	0x2a6ec7,
+	0x267345,
+	0x200983,
+	0x21fbc7,
+	0x2788c9,
+	0x311a49,
+	0x22708a,
+	0x243002,
+	0x2069c4,
+	0x2e5084,
+	0x390207,
+	0x22cf88,
+	0x2ea2c9,
+	0x21eac9,
+	0x2eaf47,
+	0x2ba486,
+	0xec286,
+	0x2ed844,
+	0x2ede4a,
+	0x2f0d48,
+	0x2f1189,
+	0x2bdbc6,
+	0x2b1445,
+	0x3346c8,
+	0x2c5f8a,
+	0x22ed03,
+	0x353006,
+	0x2eb047,
+	0x223ec5,
+	0x3a5e05,
+	0x264b83,
+	0x250cc4,
+	0x226605,
+	0x281b07,
+	0x2faf85,
+	0x2ee346,
+	0xfc605,
+	0x247d83,
+	0x357bc9,
+	0x272d8c,
+	0x29344c,
+	0x2ced08,
+	0x293087,
+	0x2f7908,
+	0x2f7c4a,
+	0x2f888b,
+	0x2ba108,
+	0x234e48,
+	0x239586,
+	0x390d45,
+	0x38da4a,
+	0x3a6205,
+	0x20b0c2,
+	0x2c4647,
+	0x25fe86,
+	0x35c8c5,
+	0x370809,
+	0x2f39c5,
+	0x27e985,
+	0x2ddf09,
+	0x351846,
+	0x237e88,
+	0x33f383,
+	0x20f486,
+	0x272146,
+	0x306445,
+	0x306449,
+	0x2b6789,
+	0x279ac7,
+	0x109104,
+	0x309107,
+	0x21e9c9,
+	0x238d05,
+	0x413c8,
+	0x3b2e85,
+	0x330e85,
+	0x380509,
+	0x201702,
+	0x25e544,
+	0x201e82,
+	0x203942,
+	0x31ecc5,
+	0x3b6788,
+	0x2b3b85,
+	0x2c3ac3,
+	0x2c3ac5,
+	0x2d2383,
+	0x20f442,
+	0x377804,
+	0x2ac783,
+	0x2056c2,
+	0x379884,
+	0x2e5d43,
+	0x2082c2,
+	0x2b3c03,
+	0x28d084,
+	0x2e4c83,
+	0x248684,
+	0x203082,
+	0x218943,
+	0x22ef03,
+	0x200d02,
+	0x361782,
+	0x2b65c9,
+	0x207842,
+	0x288d04,
+	0x203cc2,
+	0x334544,
+	0x2ba444,
+	0x2b74c4,
+	0x202dc2,
+	0x2391c2,
+	0x225bc3,
+	0x2f8403,
+	0x23d904,
+	0x281c84,
+	0x2eb1c4,
+	0x2f0f04,
+	0x30a483,
+	0x26e543,
+	0x282984,
+	0x30a2c4,
+	0x30aac6,
+	0x22a282,
+	0x2099c2,
+	0x232403,
+	0x2e9dc3,
+	0x205503,
+	0x200983,
+	0x205702,
+	0x38d2c3,
+	0x2a84c3,
+	0x232403,
+	0x2007c3,
+	0x2e9dc3,
+	0x3b1384,
+	0x2b6884,
+	0x211cc4,
+	0x205503,
+	0x200983,
+	0x201303,
+	0x2ee644,
+	0x31a403,
+	0x2bd0c3,
+	0x34ab84,
+	0x3b2c86,
+	0x202f03,
+	0x16fc07,
+	0x222403,
+	0x2459c3,
+	0x2b0543,
+	0x206a43,
+	0x227f83,
+	0x2d6cc5,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x205503,
+	0x200983,
+	0x282c43,
+	0x2a5143,
+	0x16d208,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x244183,
+	0x205503,
+	0x23a504,
+	0x200983,
+	0x26bec4,
+	0x2bf145,
+	0x16fc07,
+	0x2099c2,
+	0x2006c2,
+	0x20d882,
+	0x200c82,
+	0x200442,
+	0x2a84c3,
+	0x235ac4,
+	0x232403,
+	0x2e9dc3,
+	0x209703,
+	0x205503,
+	0x200983,
+	0x16d208,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x209703,
+	0x211cc4,
+	0x205503,
+	0x200983,
+	0x214843,
+	0x25ef44,
+	0x16d208,
+	0x2a84c3,
+	0x204e83,
+	0x169c3,
+	0x2030c4,
+	0x16d208,
+	0x2a84c3,
+	0x249944,
+	0x3b1384,
+	0x204e83,
+	0x203ec2,
+	0x200983,
+	0x23e743,
+	0x50cc4,
+	0x373605,
+	0x20b0c2,
+	0x30a403,
+	0x205702,
+	0x16d208,
+	0x2099c2,
+	0x232403,
+	0x2e9dc3,
+	0x201fc2,
+	0x200983,
+	0x205702,
+	0x1b7407,
+	0x12e3c9,
+	0x6f83,
+	0x16d208,
+	0x18ebc3,
+	0x5a31fd87,
+	0xa84c3,
+	0x708,
+	0x232403,
+	0x2e9dc3,
+	0x1ae886,
+	0x244183,
+	0x8f2c8,
+	0xc0e08,
+	0x41a46,
+	0x209703,
+	0xca988,
+	0xb1b43,
+	0xdf145,
+	0x32607,
+	0x8003,
+	0x174c0a,
+	0x11ed83,
+	0x308d44,
+	0x10398b,
+	0x103f48,
+	0x8d742,
+	0x205702,
+	0x2099c2,
+	0x2a84c3,
+	0x232403,
+	0x2d5f04,
+	0x2e9dc3,
+	0x244183,
+	0x209703,
+	0x205503,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x227f83,
+	0x205503,
+	0x200983,
+	0x21aa03,
+	0x214843,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x205503,
+	0x200983,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x205503,
+	0x200983,
+	0x169c3,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x3b1384,
+	0x227f83,
+	0x205503,
+	0x200983,
+	0x212982,
+	0x200141,
+	0x205702,
+	0x200001,
+	0x320b82,
+	0x16d208,
+	0x21d445,
+	0x201ec1,
+	0xa84c3,
+	0x200701,
+	0x200301,
+	0x200081,
+	0x298602,
+	0x36c044,
+	0x384383,
+	0x200181,
+	0x200401,
+	0x200041,
+	0x200101,
+	0x2e9907,
+	0x2eab8f,
+	0x340446,
+	0x200281,
+	0x37f6c6,
+	0x200e81,
+	0x2008c1,
+	0x332a0e,
+	0x200441,
+	0x200983,
+	0x201301,
+	0x270e85,
+	0x20f942,
+	0x264a85,
+	0x200341,
+	0x200801,
+	0x2002c1,
+	0x20b0c2,
+	0x2000c1,
+	0x200201,
+	0x200bc1,
+	0x2005c1,
+	0x201cc1,
+	0x16d208,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x205503,
+	0x200983,
+	0x219503,
+	0x2a84c3,
+	0x2e9dc3,
+	0x8d688,
+	0x209703,
+	0x205503,
+	0x20803,
+	0x200983,
+	0x14e7e88,
+	0x16d208,
+	0x44e04,
+	0x14e7e8a,
+	0x16d208,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x205503,
+	0x200983,
+	0x2030c3,
+	0x16d208,
+	0x2a84c3,
+	0x232403,
+	0x2d5f04,
+	0x200983,
+	0x27a305,
+	0x33b804,
+	0x2a84c3,
+	0x205503,
+	0x200983,
+	0x225ca,
+	0xd5284,
+	0x10c9c6,
+	0x2099c2,
+	0x2a84c3,
+	0x230309,
+	0x232403,
+	0x3034c9,
+	0x2e9dc3,
+	0x209703,
+	0x205503,
+	0x200983,
+	0x2ed648,
+	0x22ca47,
+	0x373605,
+	0x18ed88,
+	0x1b7407,
+	0x2d20a,
+	0xecb,
+	0x4ab87,
+	0x3d2c8,
+	0x1b1b8a,
+	0x10a48,
+	0x12e3c9,
+	0x264c7,
+	0x3be87,
+	0x152b08,
+	0x708,
+	0x3df8f,
+	0x11d85,
+	0xa07,
+	0x1ae886,
+	0x137607,
+	0x3d586,
+	0x8f2c8,
+	0xa5606,
+	0x151647,
+	0x19c9,
+	0x1aa1c7,
+	0xa46c9,
+	0xb4a09,
+	0xbeec6,
+	0xc0e08,
+	0xbfcc5,
+	0x4eb4a,
+	0xca988,
+	0xb1b43,
+	0xd2648,
+	0x32607,
+	0x6d505,
+	0x69c50,
+	0x8003,
+	0x1aa047,
+	0x15ec5,
+	0xe9748,
+	0x13ce05,
+	0x11ed83,
+	0x6fd48,
+	0xcd46,
+	0x42849,
+	0xaa147,
+	0x6fa0b,
+	0x14ac44,
+	0xfa544,
+	0x10398b,
+	0x103f48,
+	0x104d47,
+	0x129845,
+	0x2a84c3,
+	0x232403,
+	0x2163c3,
+	0x200983,
+	0x22a403,
+	0x2e9dc3,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x209703,
+	0x205503,
+	0x200983,
+	0x43f8b,
+	0x205702,
+	0x2099c2,
+	0x200983,
+	0x16d208,
+	0x205702,
+	0x2099c2,
+	0x20d882,
+	0x201fc2,
+	0x203d02,
+	0x205503,
+	0x200442,
+	0x205702,
+	0x38d2c3,
+	0x2099c2,
+	0x2a84c3,
+	0x232403,
+	0x20d882,
+	0x2e9dc3,
+	0x244183,
+	0x209703,
+	0x211cc4,
+	0x205503,
+	0x216b03,
+	0x200983,
+	0x308d44,
+	0x25ed03,
+	0x2e9dc3,
+	0x2099c2,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x209703,
+	0x205503,
+	0x204e83,
+	0x200983,
+	0x39f847,
+	0x2a84c3,
+	0x2614c7,
+	0x2c7ac6,
+	0x219203,
+	0x218343,
+	0x2e9dc3,
+	0x2143c3,
+	0x3b1384,
+	0x37ef04,
+	0x31ea46,
+	0x20d143,
+	0x205503,
+	0x200983,
+	0x27a305,
+	0x318284,
+	0x3b2a43,
+	0x38b743,
+	0x2c4647,
+	0x33e885,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x209703,
+	0x205503,
+	0x200983,
+	0x28e87,
+	0x205942,
+	0x287003,
+	0x2bf143,
+	0x38d2c3,
+	0x626a84c3,
+	0x202242,
+	0x232403,
+	0x2032c3,
+	0x2e9dc3,
+	0x3b1384,
+	0x353903,
+	0x315e03,
+	0x209703,
+	0x211cc4,
+	0x62a04642,
+	0x205503,
+	0x200983,
+	0x2082c3,
+	0x229543,
+	0x212982,
+	0x25ed03,
+	0x16d208,
+	0x2e9dc3,
+	0x169c3,
+	0x26f744,
+	0x38d2c3,
+	0x2099c2,
+	0x2a84c3,
+	0x235ac4,
+	0x232403,
+	0x2e9dc3,
+	0x3b1384,
+	0x244183,
+	0x282104,
+	0x210444,
+	0x2d43c6,
+	0x211cc4,
+	0x205503,
+	0x200983,
+	0x201303,
+	0x25fe86,
+	0x13f08b,
+	0x1cdc6,
+	0x5eb4a,
+	0x107e4a,
+	0x16d208,
+	0x2142c4,
+	0x63ea84c3,
+	0x38d284,
+	0x232403,
+	0x256e84,
+	0x2e9dc3,
+	0x391683,
+	0x209703,
+	0x205503,
+	0x200983,
+	0x56243,
+	0x32f78b,
+	0x3a140a,
+	0x3b9bcc,
+	0xda688,
+	0x205702,
+	0x2099c2,
+	0x20d882,
+	0x2a9305,
+	0x3b1384,
+	0x202342,
+	0x209703,
+	0x210444,
+	0x200c82,
+	0x200442,
+	0x209842,
+	0x212982,
+	0x18d2c3,
+	0x19f02,
+	0x2a1cc9,
+	0x25d548,
+	0x309a89,
+	0x337449,
+	0x23490a,
+	0x23634a,
+	0x20cc02,
+	0x21b102,
+	0x99c2,
+	0x2a84c3,
+	0x204682,
+	0x23de86,
+	0x35d882,
+	0x201242,
+	0x20124e,
+	0x21898e,
+	0x27b107,
+	0x205487,
+	0x275d02,
+	0x232403,
+	0x2e9dc3,
+	0x200042,
+	0x201fc2,
+	0x4a5c3,
+	0x2eec0f,
+	0x200f42,
+	0x32c787,
+	0x2c7d07,
+	0x2d3907,
+	0x2ad24c,
+	0x3151cc,
+	0x3a3a44,
+	0x27c6ca,
+	0x2188c2,
+	0x20be02,
+	0x2b6fc4,
+	0x2226c2,
+	0x2c2702,
+	0x315404,
+	0x20cec2,
+	0x200282,
+	0x6343,
+	0x2a5687,
+	0x2352c5,
+	0x201f42,
+	0x2eeb84,
+	0x352bc2,
+	0x2da248,
+	0x205503,
+	0x3b0208,
+	0x200d42,
+	0x233385,
+	0x3b04c6,
+	0x200983,
+	0x20ba02,
+	0x2ea507,
+	0xf942,
+	0x26b005,
+	0x3a9f45,
+	0x201642,
+	0x242b02,
+	0x3b7a8a,
+	0x2671ca,
+	0x202c42,
+	0x2e4744,
+	0x2002c2,
+	0x206888,
+	0x201c82,
+	0x30a848,
+	0x2feb47,
+	0x2ff649,
+	0x26b082,
+	0x305645,
+	0x33bc85,
+	0x22dd4b,
+	0x2c6c4c,
+	0x22e848,
+	0x3188c8,
+	0x22a282,
+	0x35f782,
+	0x205702,
+	0x16d208,
+	0x2099c2,
+	0x2a84c3,
+	0x20d882,
+	0x200c82,
+	0x200442,
+	0x200983,
+	0x209842,
+	0x205702,
+	0x652099c2,
+	0x656e9dc3,
+	0x206343,
+	0x202342,
+	0x205503,
+	0x375cc3,
+	0x200983,
+	0x2e87c3,
+	0x275d46,
+	0x1614843,
+	0x16d208,
+	0x192345,
+	0xa6a8d,
+	0xa4dca,
+	0x65c87,
+	0x65e011c2,
+	0x66200242,
+	0x66600ec2,
+	0x66a00c02,
+	0x66e0de02,
+	0x67201ec2,
+	0x16fc07,
+	0x676099c2,
+	0x67a301c2,
+	0x67e09982,
+	0x68200dc2,
+	0x218983,
+	0x9e04,
+	0x225d83,
+	0x686149c2,
+	0x68a00182,
+	0x49f47,
+	0x68e03002,
+	0x69202e42,
+	0x69600b42,
+	0x69a02bc2,
+	0x69e029c2,
+	0x6a201fc2,
+	0xb3985,
+	0x234543,
+	0x202b84,
+	0x6a6226c2,
+	0x6aa03a82,
+	0x6ae03202,
+	0x16c90b,
+	0x6b200e82,
+	0x6ba49a02,
+	0x6be02342,
+	0x6c203d02,
+	0x6c60f242,
+	0x6ca0ec42,
+	0x6ce0e602,
+	0x6d2675c2,
+	0x6d604642,
+	0x6da01b42,
+	0x6de00c82,
+	0x6e2042c2,
+	0x6e61c702,
+	0x6ea00e42,
+	0x7f1c4,
+	0x350703,
+	0x6ee33082,
+	0x6f216982,
+	0x6f603402,
+	0x6fa089c2,
+	0x6fe00442,
+	0x702056c2,
+	0x44107,
+	0x70601302,
+	0x70a07302,
+	0x70e09842,
+	0x71218942,
+	0xf484c,
+	0x71621c82,
+	0x71a3ab02,
+	0x71e11602,
+	0x72201682,
+	0x72601f82,
+	0x72a34a82,
+	0x72e00202,
+	0x7320e8c2,
+	0x736724c2,
+	0x73a56642,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0xa203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x6b753903,
+	0x20a203,
+	0x2d6d44,
+	0x25d446,
+	0x2f1743,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x219f02,
+	0x219f02,
+	0x353903,
+	0x20a203,
+	0x742a84c3,
+	0x232403,
+	0x37ac03,
+	0x209703,
+	0x205503,
+	0x200983,
+	0x16d208,
+	0x2099c2,
+	0x2a84c3,
+	0x205503,
+	0x200983,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x209703,
+	0x205503,
+	0x200983,
+	0x2030c4,
+	0x2099c2,
+	0x2a84c3,
+	0x2028c3,
+	0x232403,
+	0x249944,
+	0x2163c3,
+	0x2e9dc3,
+	0x3b1384,
+	0x244183,
+	0x209703,
+	0x205503,
+	0x200983,
+	0x23e743,
+	0x373605,
+	0x2a1fc3,
+	0x25ed03,
+	0x2099c2,
+	0x2a84c3,
+	0x353903,
+	0x205503,
+	0x200983,
+	0x205702,
+	0x38d2c3,
+	0x16d208,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x22f706,
+	0x3b1384,
+	0x244183,
+	0x211cc4,
+	0x205503,
+	0x200983,
+	0x201303,
+	0x2a84c3,
+	0x232403,
+	0x205503,
+	0x200983,
+	0x14bb147,
+	0x2a84c3,
+	0x1cdc6,
+	0x232403,
+	0x2e9dc3,
+	0xdba46,
+	0x205503,
+	0x200983,
+	0x3149c8,
+	0x318709,
+	0x328b89,
+	0x333808,
+	0x37dc48,
+	0x37dc49,
+	0x24318d,
+	0x2ee80f,
+	0x251490,
+	0x34848d,
+	0x3638cc,
+	0x37f98b,
+	0x98605,
+	0x205702,
+	0x33e6c5,
+	0x200243,
+	0x772099c2,
+	0x232403,
+	0x2e9dc3,
+	0x343ec7,
+	0x206a43,
+	0x209703,
+	0x205503,
+	0x21c2c3,
+	0x20dcc3,
+	0x204e83,
+	0x200983,
+	0x2efec6,
+	0x20b0c2,
+	0x25ed03,
+	0x16d208,
+	0x205702,
+	0x38d2c3,
+	0x2099c2,
+	0x2a84c3,
+	0x232403,
+	0x2e9dc3,
+	0x3b1384,
+	0x209703,
+	0x205503,
+	0x200983,
+	0x214843,
+	0x14f53c6,
+	0x205702,
+	0x2099c2,
+	0x2e9dc3,
+	0x209703,
+	0x200983,
+}
+
+// children is the list of nodes' children, the parent's wildcard bit and the
+// parent's node type. If a node has no children then their children index
+// will be in the range [0, 6), depending on the wildcard bit and node type.
+//
+// The layout within the uint32, from MSB to LSB, is:
+//	[ 1 bits] unused
+//	[ 1 bits] wildcard bit
+//	[ 2 bits] node type
+//	[14 bits] high nodes index (exclusive) of children
+//	[14 bits] low nodes index (inclusive) of children
+var children = [...]uint32{
+	0x0,
+	0x10000000,
+	0x20000000,
+	0x40000000,
+	0x50000000,
+	0x60000000,
+	0x184c60d,
+	0x1850613,
+	0x1870614,
+	0x19cc61c,
+	0x19e0673,
+	0x19f4678,
+	0x1a0467d,
+	0x1a20681,
+	0x1a24688,
+	0x1a3c689,
+	0x1a6468f,
+	0x1a68699,
+	0x1a8069a,
+	0x1a846a0,
+	0x1a886a1,
+	0x1ab06a2,
+	0x1ab46ac,
+	0x21abc6ad,
+	0x1b046af,
+	0x1b086c1,
+	0x1b286c2,
+	0x1b3c6ca,
+	0x1b406cf,
+	0x1b706d0,
+	0x1b8c6dc,
+	0x1bb46e3,
+	0x1bc06ed,
+	0x1bc46f0,
+	0x1c5c6f1,
+	0x1c70717,
+	0x1c8471c,
+	0x1cb4721,
+	0x1cc472d,
+	0x1cd8731,
+	0x1cfc736,
+	0x1e3473f,
+	0x1e3878d,
+	0x1ea478e,
+	0x1f107a9,
+	0x1f247c4,
+	0x1f387c9,
+	0x1f407ce,
+	0x1f507d0,
+	0x1f547d4,
+	0x1f6c7d5,
+	0x1fb87db,
+	0x1fd47ee,
+	0x1fd87f5,
+	0x1fdc7f6,
+	0x1fe87f7,
+	0x20247fa,
+	0x62028809,
+	0x203c80a,
+	0x205080f,
+	0x2054814,
+	0x2064815,
+	0x2114819,
+	0x2118845,
+	0x22124846,
+	0x2212c849,
+	0x216484b,
+	0x2168859,
+	0x25b885a,
+	0x2265896e,
+	0x2265c996,
+	0x22660997,
+	0x2266c998,
+	0x2267099b,
+	0x2267c99c,
+	0x2268099f,
+	0x226849a0,
+	0x226889a1,
+	0x2268c9a2,
+	0x226909a3,
+	0x2269c9a4,
+	0x226a09a7,
+	0x226ac9a8,
+	0x226b09ab,
+	0x226b49ac,
+	0x226b89ad,
+	0x226c49ae,
+	0x226c89b1,
+	0x226cc9b2,
+	0x226d09b3,
+	0x26d49b4,
+	0x226d89b5,
+	0x226e49b6,
+	0x226e89b9,
+	0x26f09ba,
+	0x227089bc,
+	0x2270c9c2,
+	0x27189c3,
+	0x2271c9c6,
+	0x27209c7,
+	0x227249c8,
+	0x27409c9,
+	0x27589d0,
+	0x275c9d6,
+	0x276c9d7,
+	0x27749db,
+	0x27a89dd,
+	0x27ac9ea,
+	0x27bc9eb,
+	0x28609ef,
+	0x22864a18,
+	0x286ca19,
+	0x2870a1b,
+	0x2888a1c,
+	0x289ca22,
+	0x28c4a27,
+	0x28e4a31,
+	0x2914a39,
+	0x293ca45,
+	0x2940a4f,
+	0x2964a50,
+	0x2968a59,
+	0x297ca5a,
+	0x2980a5f,
+	0x2984a60,
+	0x29a4a61,
+	0x29c0a69,
+	0x29c4a70,
+	0x229c8a71,
+	0x29cca72,
+	0x29d0a73,
+	0x29e0a74,
+	0x29e4a78,
+	0x2a5ca79,
+	0x2a78a97,
+	0x2a88a9e,
+	0x2a9caa2,
+	0x2ab4aa7,
+	0x2ac8aad,
+	0x2ae0ab2,
+	0x2ae4ab8,
+	0x2afcab9,
+	0x2b14abf,
+	0x2b30ac5,
+	0x2b48acc,
+	0x2ba8ad2,
+	0x2bc0aea,
+	0x2bc4af0,
+	0x2bd8af1,
+	0x2c1caf6,
+	0x2c9cb07,
+	0x2cc8b27,
+	0x2cccb32,
+	0x2cd4b33,
+	0x2cf4b35,
+	0x2cf8b3d,
+	0x2d18b3e,
+	0x2d20b46,
+	0x2d5cb48,
+	0x2d9cb57,
+	0x2da0b67,
+	0x2e00b68,
+	0x2e04b80,
+	0x22e08b81,
+	0x2e20b82,
+	0x2e44b88,
+	0x2e64b91,
+	0x3428b99,
+	0x3434d0a,
+	0x3454d0d,
+	0x3610d15,
+	0x36e0d84,
+	0x3750db8,
+	0x37a8dd4,
+	0x3890dea,
+	0x38e8e24,
+	0x3924e3a,
+	0x3a20e49,
+	0x3aece88,
+	0x3b84ebb,
+	0x3c14ee1,
+	0x3c78f05,
+	0x3eb0f1e,
+	0x3f68fac,
+	0x4034fda,
+	0x408100d,
+	0x4109020,
+	0x4145042,
+	0x4195051,
+	0x420d065,
+	0x64211083,
+	0x64215084,
+	0x64219085,
+	0x4295086,
+	0x42f10a5,
+	0x436d0bc,
+	0x43e50db,
+	0x44650f9,
+	0x44d1119,
+	0x45fd134,
+	0x465517f,
+	0x64659195,
+	0x46f1196,
+	0x47791bc,
+	0x47c51de,
+	0x482d1f1,
+	0x48d520b,
+	0x499d235,
+	0x4a05267,
+	0x4b19281,
+	0x64b1d2c6,
+	0x64b212c7,
+	0x4b7d2c8,
+	0x4bd92df,
+	0x4c692f6,
+	0x4ce531a,
+	0x4d29339,
+	0x4e0d34a,
+	0x4e41383,
+	0x4ea1390,
+	0x4f153a8,
+	0x4f9d3c5,
+	0x4fdd3e7,
+	0x504d3f7,
+	0x65051413,
+	0x65055414,
+	0x25059415,
+	0x5071416,
+	0x508d41c,
+	0x50d1423,
+	0x50e1434,
+	0x50f9438,
+	0x517143e,
+	0x517945c,
+	0x518d45e,
+	0x51a5463,
+	0x51cd469,
+	0x51d1473,
+	0x51d9474,
+	0x51ed476,
+	0x520947b,
+	0x520d482,
+	0x5215483,
+	0x5251485,
+	0x5265494,
+	0x526d499,
+	0x527549b,
+	0x527949d,
+	0x529d49e,
+	0x52c14a7,
+	0x52d94b0,
+	0x52dd4b6,
+	0x52e54b7,
+	0x52e94b9,
+	0x534d4ba,
+	0x53514d3,
+	0x53754d4,
+	0x53954dd,
+	0x53b14e5,
+	0x53c14ec,
+	0x53d54f0,
+	0x53d94f5,
+	0x53e14f6,
+	0x53f54f8,
+	0x54054fd,
+	0x5409501,
+	0x5425502,
+	0x5cb5509,
+	0x5ced72d,
+	0x5d1973b,
+	0x5d31746,
+	0x5d5174c,
+	0x5d71754,
+	0x5db575c,
+	0x5dbd76d,
+	0x25dc176f,
+	0x25dc5770,
+	0x5dcd771,
+	0x5f29773,
+	0x25f2d7ca,
+	0x25f3d7cb,
+	0x25f457cf,
+	0x25f517d1,
+	0x5f557d4,
+	0x5f597d5,
+	0x5f817d6,
+	0x5fa97e0,
+	0x5fad7ea,
+	0x5fe57eb,
+	0x5ff97f9,
+	0x6b517fe,
+	0x6b55ad4,
+	0x6b59ad5,
+	0x26b5dad6,
+	0x6b61ad7,
+	0x26b65ad8,
+	0x6b69ad9,
+	0x26b75ada,
+	0x6b79add,
+	0x6b7dade,
+	0x26b81adf,
+	0x6b85ae0,
+	0x26b8dae1,
+	0x6b91ae3,
+	0x6b95ae4,
+	0x26ba5ae5,
+	0x6ba9ae9,
+	0x6badaea,
+	0x6bb1aeb,
+	0x6bb5aec,
+	0x26bb9aed,
+	0x6bbdaee,
+	0x6bc1aef,
+	0x6bc5af0,
+	0x6bc9af1,
+	0x26bd1af2,
+	0x6bd5af4,
+	0x6bd9af5,
+	0x6bddaf6,
+	0x26be1af7,
+	0x6be5af8,
+	0x26bedaf9,
+	0x26bf1afb,
+	0x6c0dafc,
+	0x6c19b03,
+	0x6c59b06,
+	0x6c5db16,
+	0x6c81b17,
+	0x6c85b20,
+	0x6c89b21,
+	0x6e01b22,
+	0x26e05b80,
+	0x26e0db81,
+	0x26e11b83,
+	0x26e15b84,
+	0x6e1db85,
+	0x6ef9b87,
+	0x26efdbbe,
+	0x6f01bbf,
+	0x6f2dbc0,
+	0x6f31bcb,
+	0x6f51bcc,
+	0x6f5dbd4,
+	0x6f7dbd7,
+	0x6fb5bdf,
+	0x724dbed,
+	0x7309c93,
+	0x731dcc2,
+	0x7351cc7,
+	0x7381cd4,
+	0x739dce0,
+	0x73c1ce7,
+	0x73ddcf0,
+	0x73f9cf7,
+	0x741dcfe,
+	0x742dd07,
+	0x7431d0b,
+	0x7465d0c,
+	0x7481d19,
+	0x74edd20,
+	0x274f1d3b,
+	0x7515d3c,
+	0x7535d45,
+	0x7549d4d,
+	0x755dd52,
+	0x7561d57,
+	0x7581d58,
+	0x7625d60,
+	0x7641d89,
+	0x7661d90,
+	0x7665d98,
+	0x766dd99,
+	0x7671d9b,
+	0x7685d9c,
+	0x76a5da1,
+	0x76b1da9,
+	0x76bddac,
+	0x76eddaf,
+	0x77bddbb,
+	0x77c1def,
+	0x77d5df0,
+	0x77d9df5,
+	0x77f1df6,
+	0x77f5dfc,
+	0x7801dfd,
+	0x7805e00,
+	0x7821e01,
+	0x785de08,
+	0x7861e17,
+	0x7881e18,
+	0x78d1e20,
+	0x78ede34,
+	0x7941e3b,
+	0x7945e50,
+	0x7949e51,
+	0x794de52,
+	0x7991e53,
+	0x79a1e64,
+	0x79dde68,
+	0x79e1e77,
+	0x7a11e78,
+	0x7b59e84,
+	0x7b7ded6,
+	0x7ba9edf,
+	0x7bb5eea,
+	0x7bbdeed,
+	0x7ccdeef,
+	0x7cd9f33,
+	0x7ce5f36,
+	0x7cf1f39,
+	0x7cfdf3c,
+	0x7d09f3f,
+	0x7d15f42,
+	0x7d21f45,
+	0x7d2df48,
+	0x7d39f4b,
+	0x7d45f4e,
+	0x7d51f51,
+	0x7d5df54,
+	0x7d69f57,
+	0x7d71f5a,
+	0x7d7df5c,
+	0x7d89f5f,
+	0x7d95f62,
+	0x7da1f65,
+	0x7dadf68,
+	0x7db9f6b,
+	0x7dc5f6e,
+	0x7dd1f71,
+	0x7dddf74,
+	0x7de9f77,
+	0x7df5f7a,
+	0x7e01f7d,
+	0x7e0df80,
+	0x7e19f83,
+	0x7e25f86,
+	0x7e31f89,
+	0x7e3df8c,
+	0x7e45f8f,
+	0x7e51f91,
+	0x7e5df94,
+	0x7e69f97,
+	0x7e75f9a,
+	0x7e81f9d,
+	0x7e8dfa0,
+	0x7e99fa3,
+	0x7ea5fa6,
+	0x7eb1fa9,
+	0x7ebdfac,
+	0x7ec9faf,
+	0x7ed5fb2,
+	0x7ee1fb5,
+	0x7ee9fb8,
+	0x7ef5fba,
+	0x7f01fbd,
+	0x7f0dfc0,
+	0x7f19fc3,
+	0x7f25fc6,
+	0x7f31fc9,
+	0x7f3dfcc,
+	0x7f49fcf,
+	0x7f4dfd2,
+	0x7f59fd3,
+	0x7f71fd6,
+	0x7f75fdc,
+	0x7f85fdd,
+	0x7f9dfe1,
+	0x7fe1fe7,
+	0x7ff5ff8,
+	0x8029ffd,
+	0x803a00a,
+	0x805a00e,
+	0x8072016,
+	0x808a01c,
+	0x808e022,
+	0x280d2023,
+	0x80d6034,
+	0x8102035,
+	0x8106040,
+	0x811a041,
+}
+
+// max children 479 (capacity 511)
+// max text offset 28411 (capacity 32767)
+// max text length 36 (capacity 63)
+// max hi 8262 (capacity 16383)
+// max lo 8257 (capacity 16383)
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/publicsuffix/table_test.go b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/publicsuffix/table_test.go
new file mode 100644
index 000000000..416512cb9
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/net/publicsuffix/table_test.go
@@ -0,0 +1,16474 @@
+// generated by go run gen.go; DO NOT EDIT
+
+package publicsuffix
+
+var rules = [...]string{
+	"ac",
+	"com.ac",
+	"edu.ac",
+	"gov.ac",
+	"net.ac",
+	"mil.ac",
+	"org.ac",
+	"ad",
+	"nom.ad",
+	"ae",
+	"co.ae",
+	"net.ae",
+	"org.ae",
+	"sch.ae",
+	"ac.ae",
+	"gov.ae",
+	"mil.ae",
+	"aero",
+	"accident-investigation.aero",
+	"accident-prevention.aero",
+	"aerobatic.aero",
+	"aeroclub.aero",
+	"aerodrome.aero",
+	"agents.aero",
+	"aircraft.aero",
+	"airline.aero",
+	"airport.aero",
+	"air-surveillance.aero",
+	"airtraffic.aero",
+	"air-traffic-control.aero",
+	"ambulance.aero",
+	"amusement.aero",
+	"association.aero",
+	"author.aero",
+	"ballooning.aero",
+	"broker.aero",
+	"caa.aero",
+	"cargo.aero",
+	"catering.aero",
+	"certification.aero",
+	"championship.aero",
+	"charter.aero",
+	"civilaviation.aero",
+	"club.aero",
+	"conference.aero",
+	"consultant.aero",
+	"consulting.aero",
+	"control.aero",
+	"council.aero",
+	"crew.aero",
+	"design.aero",
+	"dgca.aero",
+	"educator.aero",
+	"emergency.aero",
+	"engine.aero",
+	"engineer.aero",
+	"entertainment.aero",
+	"equipment.aero",
+	"exchange.aero",
+	"express.aero",
+	"federation.aero",
+	"flight.aero",
+	"freight.aero",
+	"fuel.aero",
+	"gliding.aero",
+	"government.aero",
+	"groundhandling.aero",
+	"group.aero",
+	"hanggliding.aero",
+	"homebuilt.aero",
+	"insurance.aero",
+	"journal.aero",
+	"journalist.aero",
+	"leasing.aero",
+	"logistics.aero",
+	"magazine.aero",
+	"maintenance.aero",
+	"media.aero",
+	"microlight.aero",
+	"modelling.aero",
+	"navigation.aero",
+	"parachuting.aero",
+	"paragliding.aero",
+	"passenger-association.aero",
+	"pilot.aero",
+	"press.aero",
+	"production.aero",
+	"recreation.aero",
+	"repbody.aero",
+	"res.aero",
+	"research.aero",
+	"rotorcraft.aero",
+	"safety.aero",
+	"scientist.aero",
+	"services.aero",
+	"show.aero",
+	"skydiving.aero",
+	"software.aero",
+	"student.aero",
+	"trader.aero",
+	"trading.aero",
+	"trainer.aero",
+	"union.aero",
+	"workinggroup.aero",
+	"works.aero",
+	"af",
+	"gov.af",
+	"com.af",
+	"org.af",
+	"net.af",
+	"edu.af",
+	"ag",
+	"com.ag",
+	"org.ag",
+	"net.ag",
+	"co.ag",
+	"nom.ag",
+	"ai",
+	"off.ai",
+	"com.ai",
+	"net.ai",
+	"org.ai",
+	"al",
+	"com.al",
+	"edu.al",
+	"gov.al",
+	"mil.al",
+	"net.al",
+	"org.al",
+	"am",
+	"ao",
+	"ed.ao",
+	"gv.ao",
+	"og.ao",
+	"co.ao",
+	"pb.ao",
+	"it.ao",
+	"aq",
+	"ar",
+	"com.ar",
+	"edu.ar",
+	"gob.ar",
+	"gov.ar",
+	"int.ar",
+	"mil.ar",
+	"musica.ar",
+	"net.ar",
+	"org.ar",
+	"tur.ar",
+	"arpa",
+	"e164.arpa",
+	"in-addr.arpa",
+	"ip6.arpa",
+	"iris.arpa",
+	"uri.arpa",
+	"urn.arpa",
+	"as",
+	"gov.as",
+	"asia",
+	"at",
+	"ac.at",
+	"co.at",
+	"gv.at",
+	"or.at",
+	"au",
+	"com.au",
+	"net.au",
+	"org.au",
+	"edu.au",
+	"gov.au",
+	"asn.au",
+	"id.au",
+	"info.au",
+	"conf.au",
+	"oz.au",
+	"act.au",
+	"nsw.au",
+	"nt.au",
+	"qld.au",
+	"sa.au",
+	"tas.au",
+	"vic.au",
+	"wa.au",
+	"act.edu.au",
+	"nsw.edu.au",
+	"nt.edu.au",
+	"qld.edu.au",
+	"sa.edu.au",
+	"tas.edu.au",
+	"vic.edu.au",
+	"wa.edu.au",
+	"qld.gov.au",
+	"sa.gov.au",
+	"tas.gov.au",
+	"vic.gov.au",
+	"wa.gov.au",
+	"aw",
+	"com.aw",
+	"ax",
+	"az",
+	"com.az",
+	"net.az",
+	"int.az",
+	"gov.az",
+	"org.az",
+	"edu.az",
+	"info.az",
+	"pp.az",
+	"mil.az",
+	"name.az",
+	"pro.az",
+	"biz.az",
+	"ba",
+	"com.ba",
+	"edu.ba",
+	"gov.ba",
+	"mil.ba",
+	"net.ba",
+	"org.ba",
+	"bb",
+	"biz.bb",
+	"co.bb",
+	"com.bb",
+	"edu.bb",
+	"gov.bb",
+	"info.bb",
+	"net.bb",
+	"org.bb",
+	"store.bb",
+	"tv.bb",
+	"*.bd",
+	"be",
+	"ac.be",
+	"bf",
+	"gov.bf",
+	"bg",
+	"a.bg",
+	"b.bg",
+	"c.bg",
+	"d.bg",
+	"e.bg",
+	"f.bg",
+	"g.bg",
+	"h.bg",
+	"i.bg",
+	"j.bg",
+	"k.bg",
+	"l.bg",
+	"m.bg",
+	"n.bg",
+	"o.bg",
+	"p.bg",
+	"q.bg",
+	"r.bg",
+	"s.bg",
+	"t.bg",
+	"u.bg",
+	"v.bg",
+	"w.bg",
+	"x.bg",
+	"y.bg",
+	"z.bg",
+	"0.bg",
+	"1.bg",
+	"2.bg",
+	"3.bg",
+	"4.bg",
+	"5.bg",
+	"6.bg",
+	"7.bg",
+	"8.bg",
+	"9.bg",
+	"bh",
+	"com.bh",
+	"edu.bh",
+	"net.bh",
+	"org.bh",
+	"gov.bh",
+	"bi",
+	"co.bi",
+	"com.bi",
+	"edu.bi",
+	"or.bi",
+	"org.bi",
+	"biz",
+	"bj",
+	"asso.bj",
+	"barreau.bj",
+	"gouv.bj",
+	"bm",
+	"com.bm",
+	"edu.bm",
+	"gov.bm",
+	"net.bm",
+	"org.bm",
+	"*.bn",
+	"bo",
+	"com.bo",
+	"edu.bo",
+	"gov.bo",
+	"gob.bo",
+	"int.bo",
+	"org.bo",
+	"net.bo",
+	"mil.bo",
+	"tv.bo",
+	"br",
+	"adm.br",
+	"adv.br",
+	"agr.br",
+	"am.br",
+	"arq.br",
+	"art.br",
+	"ato.br",
+	"b.br",
+	"belem.br",
+	"bio.br",
+	"blog.br",
+	"bmd.br",
+	"cim.br",
+	"cng.br",
+	"cnt.br",
+	"com.br",
+	"coop.br",
+	"cri.br",
+	"def.br",
+	"ecn.br",
+	"eco.br",
+	"edu.br",
+	"emp.br",
+	"eng.br",
+	"esp.br",
+	"etc.br",
+	"eti.br",
+	"far.br",
+	"flog.br",
+	"floripa.br",
+	"fm.br",
+	"fnd.br",
+	"fot.br",
+	"fst.br",
+	"g12.br",
+	"ggf.br",
+	"gov.br",
+	"ac.gov.br",
+	"al.gov.br",
+	"am.gov.br",
+	"ap.gov.br",
+	"ba.gov.br",
+	"ce.gov.br",
+	"df.gov.br",
+	"es.gov.br",
+	"go.gov.br",
+	"ma.gov.br",
+	"mg.gov.br",
+	"ms.gov.br",
+	"mt.gov.br",
+	"pa.gov.br",
+	"pb.gov.br",
+	"pe.gov.br",
+	"pi.gov.br",
+	"pr.gov.br",
+	"rj.gov.br",
+	"rn.gov.br",
+	"ro.gov.br",
+	"rr.gov.br",
+	"rs.gov.br",
+	"sc.gov.br",
+	"se.gov.br",
+	"sp.gov.br",
+	"to.gov.br",
+	"imb.br",
+	"ind.br",
+	"inf.br",
+	"jampa.br",
+	"jor.br",
+	"jus.br",
+	"leg.br",
+	"lel.br",
+	"mat.br",
+	"med.br",
+	"mil.br",
+	"mp.br",
+	"mus.br",
+	"net.br",
+	"*.nom.br",
+	"not.br",
+	"ntr.br",
+	"odo.br",
+	"org.br",
+	"poa.br",
+	"ppg.br",
+	"pro.br",
+	"psc.br",
+	"psi.br",
+	"qsl.br",
+	"radio.br",
+	"rec.br",
+	"recife.br",
+	"slg.br",
+	"srv.br",
+	"taxi.br",
+	"teo.br",
+	"tmp.br",
+	"trd.br",
+	"tur.br",
+	"tv.br",
+	"vet.br",
+	"vix.br",
+	"vlog.br",
+	"wiki.br",
+	"zlg.br",
+	"bs",
+	"com.bs",
+	"net.bs",
+	"org.bs",
+	"edu.bs",
+	"gov.bs",
+	"bt",
+	"com.bt",
+	"edu.bt",
+	"gov.bt",
+	"net.bt",
+	"org.bt",
+	"bv",
+	"bw",
+	"co.bw",
+	"org.bw",
+	"by",
+	"gov.by",
+	"mil.by",
+	"com.by",
+	"of.by",
+	"bz",
+	"com.bz",
+	"net.bz",
+	"org.bz",
+	"edu.bz",
+	"gov.bz",
+	"ca",
+	"ab.ca",
+	"bc.ca",
+	"mb.ca",
+	"nb.ca",
+	"nf.ca",
+	"nl.ca",
+	"ns.ca",
+	"nt.ca",
+	"nu.ca",
+	"on.ca",
+	"pe.ca",
+	"qc.ca",
+	"sk.ca",
+	"yk.ca",
+	"gc.ca",
+	"cat",
+	"cc",
+	"cd",
+	"gov.cd",
+	"cf",
+	"cg",
+	"ch",
+	"ci",
+	"org.ci",
+	"or.ci",
+	"com.ci",
+	"co.ci",
+	"edu.ci",
+	"ed.ci",
+	"ac.ci",
+	"net.ci",
+	"go.ci",
+	"asso.ci",
+	"xn--aroport-bya.ci",
+	"int.ci",
+	"presse.ci",
+	"md.ci",
+	"gouv.ci",
+	"*.ck",
+	"!www.ck",
+	"cl",
+	"gov.cl",
+	"gob.cl",
+	"co.cl",
+	"mil.cl",
+	"cm",
+	"co.cm",
+	"com.cm",
+	"gov.cm",
+	"net.cm",
+	"cn",
+	"ac.cn",
+	"com.cn",
+	"edu.cn",
+	"gov.cn",
+	"net.cn",
+	"org.cn",
+	"mil.cn",
+	"xn--55qx5d.cn",
+	"xn--io0a7i.cn",
+	"xn--od0alg.cn",
+	"ah.cn",
+	"bj.cn",
+	"cq.cn",
+	"fj.cn",
+	"gd.cn",
+	"gs.cn",
+	"gz.cn",
+	"gx.cn",
+	"ha.cn",
+	"hb.cn",
+	"he.cn",
+	"hi.cn",
+	"hl.cn",
+	"hn.cn",
+	"jl.cn",
+	"js.cn",
+	"jx.cn",
+	"ln.cn",
+	"nm.cn",
+	"nx.cn",
+	"qh.cn",
+	"sc.cn",
+	"sd.cn",
+	"sh.cn",
+	"sn.cn",
+	"sx.cn",
+	"tj.cn",
+	"xj.cn",
+	"xz.cn",
+	"yn.cn",
+	"zj.cn",
+	"hk.cn",
+	"mo.cn",
+	"tw.cn",
+	"co",
+	"arts.co",
+	"com.co",
+	"edu.co",
+	"firm.co",
+	"gov.co",
+	"info.co",
+	"int.co",
+	"mil.co",
+	"net.co",
+	"nom.co",
+	"org.co",
+	"rec.co",
+	"web.co",
+	"com",
+	"coop",
+	"cr",
+	"ac.cr",
+	"co.cr",
+	"ed.cr",
+	"fi.cr",
+	"go.cr",
+	"or.cr",
+	"sa.cr",
+	"cu",
+	"com.cu",
+	"edu.cu",
+	"org.cu",
+	"net.cu",
+	"gov.cu",
+	"inf.cu",
+	"cv",
+	"cw",
+	"com.cw",
+	"edu.cw",
+	"net.cw",
+	"org.cw",
+	"cx",
+	"gov.cx",
+	"cy",
+	"ac.cy",
+	"biz.cy",
+	"com.cy",
+	"ekloges.cy",
+	"gov.cy",
+	"ltd.cy",
+	"name.cy",
+	"net.cy",
+	"org.cy",
+	"parliament.cy",
+	"press.cy",
+	"pro.cy",
+	"tm.cy",
+	"cz",
+	"de",
+	"dj",
+	"dk",
+	"dm",
+	"com.dm",
+	"net.dm",
+	"org.dm",
+	"edu.dm",
+	"gov.dm",
+	"do",
+	"art.do",
+	"com.do",
+	"edu.do",
+	"gob.do",
+	"gov.do",
+	"mil.do",
+	"net.do",
+	"org.do",
+	"sld.do",
+	"web.do",
+	"dz",
+	"com.dz",
+	"org.dz",
+	"net.dz",
+	"gov.dz",
+	"edu.dz",
+	"asso.dz",
+	"pol.dz",
+	"art.dz",
+	"ec",
+	"com.ec",
+	"info.ec",
+	"net.ec",
+	"fin.ec",
+	"k12.ec",
+	"med.ec",
+	"pro.ec",
+	"org.ec",
+	"edu.ec",
+	"gov.ec",
+	"gob.ec",
+	"mil.ec",
+	"edu",
+	"ee",
+	"edu.ee",
+	"gov.ee",
+	"riik.ee",
+	"lib.ee",
+	"med.ee",
+	"com.ee",
+	"pri.ee",
+	"aip.ee",
+	"org.ee",
+	"fie.ee",
+	"eg",
+	"com.eg",
+	"edu.eg",
+	"eun.eg",
+	"gov.eg",
+	"mil.eg",
+	"name.eg",
+	"net.eg",
+	"org.eg",
+	"sci.eg",
+	"*.er",
+	"es",
+	"com.es",
+	"nom.es",
+	"org.es",
+	"gob.es",
+	"edu.es",
+	"et",
+	"com.et",
+	"gov.et",
+	"org.et",
+	"edu.et",
+	"biz.et",
+	"name.et",
+	"info.et",
+	"net.et",
+	"eu",
+	"fi",
+	"aland.fi",
+	"*.fj",
+	"*.fk",
+	"fm",
+	"fo",
+	"fr",
+	"com.fr",
+	"asso.fr",
+	"nom.fr",
+	"prd.fr",
+	"presse.fr",
+	"tm.fr",
+	"aeroport.fr",
+	"assedic.fr",
+	"avocat.fr",
+	"avoues.fr",
+	"cci.fr",
+	"chambagri.fr",
+	"chirurgiens-dentistes.fr",
+	"experts-comptables.fr",
+	"geometre-expert.fr",
+	"gouv.fr",
+	"greta.fr",
+	"huissier-justice.fr",
+	"medecin.fr",
+	"notaires.fr",
+	"pharmacien.fr",
+	"port.fr",
+	"veterinaire.fr",
+	"ga",
+	"gb",
+	"gd",
+	"ge",
+	"com.ge",
+	"edu.ge",
+	"gov.ge",
+	"org.ge",
+	"mil.ge",
+	"net.ge",
+	"pvt.ge",
+	"gf",
+	"gg",
+	"co.gg",
+	"net.gg",
+	"org.gg",
+	"gh",
+	"com.gh",
+	"edu.gh",
+	"gov.gh",
+	"org.gh",
+	"mil.gh",
+	"gi",
+	"com.gi",
+	"ltd.gi",
+	"gov.gi",
+	"mod.gi",
+	"edu.gi",
+	"org.gi",
+	"gl",
+	"co.gl",
+	"com.gl",
+	"edu.gl",
+	"net.gl",
+	"org.gl",
+	"gm",
+	"gn",
+	"ac.gn",
+	"com.gn",
+	"edu.gn",
+	"gov.gn",
+	"org.gn",
+	"net.gn",
+	"gov",
+	"gp",
+	"com.gp",
+	"net.gp",
+	"mobi.gp",
+	"edu.gp",
+	"org.gp",
+	"asso.gp",
+	"gq",
+	"gr",
+	"com.gr",
+	"edu.gr",
+	"net.gr",
+	"org.gr",
+	"gov.gr",
+	"gs",
+	"gt",
+	"com.gt",
+	"edu.gt",
+	"gob.gt",
+	"ind.gt",
+	"mil.gt",
+	"net.gt",
+	"org.gt",
+	"*.gu",
+	"gw",
+	"gy",
+	"co.gy",
+	"com.gy",
+	"edu.gy",
+	"gov.gy",
+	"net.gy",
+	"org.gy",
+	"hk",
+	"com.hk",
+	"edu.hk",
+	"gov.hk",
+	"idv.hk",
+	"net.hk",
+	"org.hk",
+	"xn--55qx5d.hk",
+	"xn--wcvs22d.hk",
+	"xn--lcvr32d.hk",
+	"xn--mxtq1m.hk",
+	"xn--gmqw5a.hk",
+	"xn--ciqpn.hk",
+	"xn--gmq050i.hk",
+	"xn--zf0avx.hk",
+	"xn--io0a7i.hk",
+	"xn--mk0axi.hk",
+	"xn--od0alg.hk",
+	"xn--od0aq3b.hk",
+	"xn--tn0ag.hk",
+	"xn--uc0atv.hk",
+	"xn--uc0ay4a.hk",
+	"hm",
+	"hn",
+	"com.hn",
+	"edu.hn",
+	"org.hn",
+	"net.hn",
+	"mil.hn",
+	"gob.hn",
+	"hr",
+	"iz.hr",
+	"from.hr",
+	"name.hr",
+	"com.hr",
+	"ht",
+	"com.ht",
+	"shop.ht",
+	"firm.ht",
+	"info.ht",
+	"adult.ht",
+	"net.ht",
+	"pro.ht",
+	"org.ht",
+	"med.ht",
+	"art.ht",
+	"coop.ht",
+	"pol.ht",
+	"asso.ht",
+	"edu.ht",
+	"rel.ht",
+	"gouv.ht",
+	"perso.ht",
+	"hu",
+	"co.hu",
+	"info.hu",
+	"org.hu",
+	"priv.hu",
+	"sport.hu",
+	"tm.hu",
+	"2000.hu",
+	"agrar.hu",
+	"bolt.hu",
+	"casino.hu",
+	"city.hu",
+	"erotica.hu",
+	"erotika.hu",
+	"film.hu",
+	"forum.hu",
+	"games.hu",
+	"hotel.hu",
+	"ingatlan.hu",
+	"jogasz.hu",
+	"konyvelo.hu",
+	"lakas.hu",
+	"media.hu",
+	"news.hu",
+	"reklam.hu",
+	"sex.hu",
+	"shop.hu",
+	"suli.hu",
+	"szex.hu",
+	"tozsde.hu",
+	"utazas.hu",
+	"video.hu",
+	"id",
+	"ac.id",
+	"biz.id",
+	"co.id",
+	"desa.id",
+	"go.id",
+	"mil.id",
+	"my.id",
+	"net.id",
+	"or.id",
+	"sch.id",
+	"web.id",
+	"ie",
+	"gov.ie",
+	"il",
+	"ac.il",
+	"co.il",
+	"gov.il",
+	"idf.il",
+	"k12.il",
+	"muni.il",
+	"net.il",
+	"org.il",
+	"im",
+	"ac.im",
+	"co.im",
+	"com.im",
+	"ltd.co.im",
+	"net.im",
+	"org.im",
+	"plc.co.im",
+	"tt.im",
+	"tv.im",
+	"in",
+	"co.in",
+	"firm.in",
+	"net.in",
+	"org.in",
+	"gen.in",
+	"ind.in",
+	"nic.in",
+	"ac.in",
+	"edu.in",
+	"res.in",
+	"gov.in",
+	"mil.in",
+	"info",
+	"int",
+	"eu.int",
+	"io",
+	"com.io",
+	"iq",
+	"gov.iq",
+	"edu.iq",
+	"mil.iq",
+	"com.iq",
+	"org.iq",
+	"net.iq",
+	"ir",
+	"ac.ir",
+	"co.ir",
+	"gov.ir",
+	"id.ir",
+	"net.ir",
+	"org.ir",
+	"sch.ir",
+	"xn--mgba3a4f16a.ir",
+	"xn--mgba3a4fra.ir",
+	"is",
+	"net.is",
+	"com.is",
+	"edu.is",
+	"gov.is",
+	"org.is",
+	"int.is",
+	"it",
+	"gov.it",
+	"edu.it",
+	"abr.it",
+	"abruzzo.it",
+	"aosta-valley.it",
+	"aostavalley.it",
+	"bas.it",
+	"basilicata.it",
+	"cal.it",
+	"calabria.it",
+	"cam.it",
+	"campania.it",
+	"emilia-romagna.it",
+	"emiliaromagna.it",
+	"emr.it",
+	"friuli-v-giulia.it",
+	"friuli-ve-giulia.it",
+	"friuli-vegiulia.it",
+	"friuli-venezia-giulia.it",
+	"friuli-veneziagiulia.it",
+	"friuli-vgiulia.it",
+	"friuliv-giulia.it",
+	"friulive-giulia.it",
+	"friulivegiulia.it",
+	"friulivenezia-giulia.it",
+	"friuliveneziagiulia.it",
+	"friulivgiulia.it",
+	"fvg.it",
+	"laz.it",
+	"lazio.it",
+	"lig.it",
+	"liguria.it",
+	"lom.it",
+	"lombardia.it",
+	"lombardy.it",
+	"lucania.it",
+	"mar.it",
+	"marche.it",
+	"mol.it",
+	"molise.it",
+	"piedmont.it",
+	"piemonte.it",
+	"pmn.it",
+	"pug.it",
+	"puglia.it",
+	"sar.it",
+	"sardegna.it",
+	"sardinia.it",
+	"sic.it",
+	"sicilia.it",
+	"sicily.it",
+	"taa.it",
+	"tos.it",
+	"toscana.it",
+	"trentino-a-adige.it",
+	"trentino-aadige.it",
+	"trentino-alto-adige.it",
+	"trentino-altoadige.it",
+	"trentino-s-tirol.it",
+	"trentino-stirol.it",
+	"trentino-sud-tirol.it",
+	"trentino-sudtirol.it",
+	"trentino-sued-tirol.it",
+	"trentino-suedtirol.it",
+	"trentinoa-adige.it",
+	"trentinoaadige.it",
+	"trentinoalto-adige.it",
+	"trentinoaltoadige.it",
+	"trentinos-tirol.it",
+	"trentinostirol.it",
+	"trentinosud-tirol.it",
+	"trentinosudtirol.it",
+	"trentinosued-tirol.it",
+	"trentinosuedtirol.it",
+	"tuscany.it",
+	"umb.it",
+	"umbria.it",
+	"val-d-aosta.it",
+	"val-daosta.it",
+	"vald-aosta.it",
+	"valdaosta.it",
+	"valle-aosta.it",
+	"valle-d-aosta.it",
+	"valle-daosta.it",
+	"valleaosta.it",
+	"valled-aosta.it",
+	"valledaosta.it",
+	"vallee-aoste.it",
+	"valleeaoste.it",
+	"vao.it",
+	"vda.it",
+	"ven.it",
+	"veneto.it",
+	"ag.it",
+	"agrigento.it",
+	"al.it",
+	"alessandria.it",
+	"alto-adige.it",
+	"altoadige.it",
+	"an.it",
+	"ancona.it",
+	"andria-barletta-trani.it",
+	"andria-trani-barletta.it",
+	"andriabarlettatrani.it",
+	"andriatranibarletta.it",
+	"ao.it",
+	"aosta.it",
+	"aoste.it",
+	"ap.it",
+	"aq.it",
+	"aquila.it",
+	"ar.it",
+	"arezzo.it",
+	"ascoli-piceno.it",
+	"ascolipiceno.it",
+	"asti.it",
+	"at.it",
+	"av.it",
+	"avellino.it",
+	"ba.it",
+	"balsan.it",
+	"bari.it",
+	"barletta-trani-andria.it",
+	"barlettatraniandria.it",
+	"belluno.it",
+	"benevento.it",
+	"bergamo.it",
+	"bg.it",
+	"bi.it",
+	"biella.it",
+	"bl.it",
+	"bn.it",
+	"bo.it",
+	"bologna.it",
+	"bolzano.it",
+	"bozen.it",
+	"br.it",
+	"brescia.it",
+	"brindisi.it",
+	"bs.it",
+	"bt.it",
+	"bz.it",
+	"ca.it",
+	"cagliari.it",
+	"caltanissetta.it",
+	"campidano-medio.it",
+	"campidanomedio.it",
+	"campobasso.it",
+	"carbonia-iglesias.it",
+	"carboniaiglesias.it",
+	"carrara-massa.it",
+	"carraramassa.it",
+	"caserta.it",
+	"catania.it",
+	"catanzaro.it",
+	"cb.it",
+	"ce.it",
+	"cesena-forli.it",
+	"cesenaforli.it",
+	"ch.it",
+	"chieti.it",
+	"ci.it",
+	"cl.it",
+	"cn.it",
+	"co.it",
+	"como.it",
+	"cosenza.it",
+	"cr.it",
+	"cremona.it",
+	"crotone.it",
+	"cs.it",
+	"ct.it",
+	"cuneo.it",
+	"cz.it",
+	"dell-ogliastra.it",
+	"dellogliastra.it",
+	"en.it",
+	"enna.it",
+	"fc.it",
+	"fe.it",
+	"fermo.it",
+	"ferrara.it",
+	"fg.it",
+	"fi.it",
+	"firenze.it",
+	"florence.it",
+	"fm.it",
+	"foggia.it",
+	"forli-cesena.it",
+	"forlicesena.it",
+	"fr.it",
+	"frosinone.it",
+	"ge.it",
+	"genoa.it",
+	"genova.it",
+	"go.it",
+	"gorizia.it",
+	"gr.it",
+	"grosseto.it",
+	"iglesias-carbonia.it",
+	"iglesiascarbonia.it",
+	"im.it",
+	"imperia.it",
+	"is.it",
+	"isernia.it",
+	"kr.it",
+	"la-spezia.it",
+	"laquila.it",
+	"laspezia.it",
+	"latina.it",
+	"lc.it",
+	"le.it",
+	"lecce.it",
+	"lecco.it",
+	"li.it",
+	"livorno.it",
+	"lo.it",
+	"lodi.it",
+	"lt.it",
+	"lu.it",
+	"lucca.it",
+	"macerata.it",
+	"mantova.it",
+	"massa-carrara.it",
+	"massacarrara.it",
+	"matera.it",
+	"mb.it",
+	"mc.it",
+	"me.it",
+	"medio-campidano.it",
+	"mediocampidano.it",
+	"messina.it",
+	"mi.it",
+	"milan.it",
+	"milano.it",
+	"mn.it",
+	"mo.it",
+	"modena.it",
+	"monza-brianza.it",
+	"monza-e-della-brianza.it",
+	"monza.it",
+	"monzabrianza.it",
+	"monzaebrianza.it",
+	"monzaedellabrianza.it",
+	"ms.it",
+	"mt.it",
+	"na.it",
+	"naples.it",
+	"napoli.it",
+	"no.it",
+	"novara.it",
+	"nu.it",
+	"nuoro.it",
+	"og.it",
+	"ogliastra.it",
+	"olbia-tempio.it",
+	"olbiatempio.it",
+	"or.it",
+	"oristano.it",
+	"ot.it",
+	"pa.it",
+	"padova.it",
+	"padua.it",
+	"palermo.it",
+	"parma.it",
+	"pavia.it",
+	"pc.it",
+	"pd.it",
+	"pe.it",
+	"perugia.it",
+	"pesaro-urbino.it",
+	"pesarourbino.it",
+	"pescara.it",
+	"pg.it",
+	"pi.it",
+	"piacenza.it",
+	"pisa.it",
+	"pistoia.it",
+	"pn.it",
+	"po.it",
+	"pordenone.it",
+	"potenza.it",
+	"pr.it",
+	"prato.it",
+	"pt.it",
+	"pu.it",
+	"pv.it",
+	"pz.it",
+	"ra.it",
+	"ragusa.it",
+	"ravenna.it",
+	"rc.it",
+	"re.it",
+	"reggio-calabria.it",
+	"reggio-emilia.it",
+	"reggiocalabria.it",
+	"reggioemilia.it",
+	"rg.it",
+	"ri.it",
+	"rieti.it",
+	"rimini.it",
+	"rm.it",
+	"rn.it",
+	"ro.it",
+	"roma.it",
+	"rome.it",
+	"rovigo.it",
+	"sa.it",
+	"salerno.it",
+	"sassari.it",
+	"savona.it",
+	"si.it",
+	"siena.it",
+	"siracusa.it",
+	"so.it",
+	"sondrio.it",
+	"sp.it",
+	"sr.it",
+	"ss.it",
+	"suedtirol.it",
+	"sv.it",
+	"ta.it",
+	"taranto.it",
+	"te.it",
+	"tempio-olbia.it",
+	"tempioolbia.it",
+	"teramo.it",
+	"terni.it",
+	"tn.it",
+	"to.it",
+	"torino.it",
+	"tp.it",
+	"tr.it",
+	"trani-andria-barletta.it",
+	"trani-barletta-andria.it",
+	"traniandriabarletta.it",
+	"tranibarlettaandria.it",
+	"trapani.it",
+	"trentino.it",
+	"trento.it",
+	"treviso.it",
+	"trieste.it",
+	"ts.it",
+	"turin.it",
+	"tv.it",
+	"ud.it",
+	"udine.it",
+	"urbino-pesaro.it",
+	"urbinopesaro.it",
+	"va.it",
+	"varese.it",
+	"vb.it",
+	"vc.it",
+	"ve.it",
+	"venezia.it",
+	"venice.it",
+	"verbania.it",
+	"vercelli.it",
+	"verona.it",
+	"vi.it",
+	"vibo-valentia.it",
+	"vibovalentia.it",
+	"vicenza.it",
+	"viterbo.it",
+	"vr.it",
+	"vs.it",
+	"vt.it",
+	"vv.it",
+	"je",
+	"co.je",
+	"net.je",
+	"org.je",
+	"*.jm",
+	"jo",
+	"com.jo",
+	"org.jo",
+	"net.jo",
+	"edu.jo",
+	"sch.jo",
+	"gov.jo",
+	"mil.jo",
+	"name.jo",
+	"jobs",
+	"jp",
+	"ac.jp",
+	"ad.jp",
+	"co.jp",
+	"ed.jp",
+	"go.jp",
+	"gr.jp",
+	"lg.jp",
+	"ne.jp",
+	"or.jp",
+	"aichi.jp",
+	"akita.jp",
+	"aomori.jp",
+	"chiba.jp",
+	"ehime.jp",
+	"fukui.jp",
+	"fukuoka.jp",
+	"fukushima.jp",
+	"gifu.jp",
+	"gunma.jp",
+	"hiroshima.jp",
+	"hokkaido.jp",
+	"hyogo.jp",
+	"ibaraki.jp",
+	"ishikawa.jp",
+	"iwate.jp",
+	"kagawa.jp",
+	"kagoshima.jp",
+	"kanagawa.jp",
+	"kochi.jp",
+	"kumamoto.jp",
+	"kyoto.jp",
+	"mie.jp",
+	"miyagi.jp",
+	"miyazaki.jp",
+	"nagano.jp",
+	"nagasaki.jp",
+	"nara.jp",
+	"niigata.jp",
+	"oita.jp",
+	"okayama.jp",
+	"okinawa.jp",
+	"osaka.jp",
+	"saga.jp",
+	"saitama.jp",
+	"shiga.jp",
+	"shimane.jp",
+	"shizuoka.jp",
+	"tochigi.jp",
+	"tokushima.jp",
+	"tokyo.jp",
+	"tottori.jp",
+	"toyama.jp",
+	"wakayama.jp",
+	"yamagata.jp",
+	"yamaguchi.jp",
+	"yamanashi.jp",
+	"xn--4pvxs.jp",
+	"xn--vgu402c.jp",
+	"xn--c3s14m.jp",
+	"xn--f6qx53a.jp",
+	"xn--8pvr4u.jp",
+	"xn--uist22h.jp",
+	"xn--djrs72d6uy.jp",
+	"xn--mkru45i.jp",
+	"xn--0trq7p7nn.jp",
+	"xn--8ltr62k.jp",
+	"xn--2m4a15e.jp",
+	"xn--efvn9s.jp",
+	"xn--32vp30h.jp",
+	"xn--4it797k.jp",
+	"xn--1lqs71d.jp",
+	"xn--5rtp49c.jp",
+	"xn--5js045d.jp",
+	"xn--ehqz56n.jp",
+	"xn--1lqs03n.jp",
+	"xn--qqqt11m.jp",
+	"xn--kbrq7o.jp",
+	"xn--pssu33l.jp",
+	"xn--ntsq17g.jp",
+	"xn--uisz3g.jp",
+	"xn--6btw5a.jp",
+	"xn--1ctwo.jp",
+	"xn--6orx2r.jp",
+	"xn--rht61e.jp",
+	"xn--rht27z.jp",
+	"xn--djty4k.jp",
+	"xn--nit225k.jp",
+	"xn--rht3d.jp",
+	"xn--klty5x.jp",
+	"xn--kltx9a.jp",
+	"xn--kltp7d.jp",
+	"xn--uuwu58a.jp",
+	"xn--zbx025d.jp",
+	"xn--ntso0iqx3a.jp",
+	"xn--elqq16h.jp",
+	"xn--4it168d.jp",
+	"xn--klt787d.jp",
+	"xn--rny31h.jp",
+	"xn--7t0a264c.jp",
+	"xn--5rtq34k.jp",
+	"xn--k7yn95e.jp",
+	"xn--tor131o.jp",
+	"xn--d5qv7z876c.jp",
+	"*.kawasaki.jp",
+	"*.kitakyushu.jp",
+	"*.kobe.jp",
+	"*.nagoya.jp",
+	"*.sapporo.jp",
+	"*.sendai.jp",
+	"*.yokohama.jp",
+	"!city.kawasaki.jp",
+	"!city.kitakyushu.jp",
+	"!city.kobe.jp",
+	"!city.nagoya.jp",
+	"!city.sapporo.jp",
+	"!city.sendai.jp",
+	"!city.yokohama.jp",
+	"aisai.aichi.jp",
+	"ama.aichi.jp",
+	"anjo.aichi.jp",
+	"asuke.aichi.jp",
+	"chiryu.aichi.jp",
+	"chita.aichi.jp",
+	"fuso.aichi.jp",
+	"gamagori.aichi.jp",
+	"handa.aichi.jp",
+	"hazu.aichi.jp",
+	"hekinan.aichi.jp",
+	"higashiura.aichi.jp",
+	"ichinomiya.aichi.jp",
+	"inazawa.aichi.jp",
+	"inuyama.aichi.jp",
+	"isshiki.aichi.jp",
+	"iwakura.aichi.jp",
+	"kanie.aichi.jp",
+	"kariya.aichi.jp",
+	"kasugai.aichi.jp",
+	"kira.aichi.jp",
+	"kiyosu.aichi.jp",
+	"komaki.aichi.jp",
+	"konan.aichi.jp",
+	"kota.aichi.jp",
+	"mihama.aichi.jp",
+	"miyoshi.aichi.jp",
+	"nishio.aichi.jp",
+	"nisshin.aichi.jp",
+	"obu.aichi.jp",
+	"oguchi.aichi.jp",
+	"oharu.aichi.jp",
+	"okazaki.aichi.jp",
+	"owariasahi.aichi.jp",
+	"seto.aichi.jp",
+	"shikatsu.aichi.jp",
+	"shinshiro.aichi.jp",
+	"shitara.aichi.jp",
+	"tahara.aichi.jp",
+	"takahama.aichi.jp",
+	"tobishima.aichi.jp",
+	"toei.aichi.jp",
+	"togo.aichi.jp",
+	"tokai.aichi.jp",
+	"tokoname.aichi.jp",
+	"toyoake.aichi.jp",
+	"toyohashi.aichi.jp",
+	"toyokawa.aichi.jp",
+	"toyone.aichi.jp",
+	"toyota.aichi.jp",
+	"tsushima.aichi.jp",
+	"yatomi.aichi.jp",
+	"akita.akita.jp",
+	"daisen.akita.jp",
+	"fujisato.akita.jp",
+	"gojome.akita.jp",
+	"hachirogata.akita.jp",
+	"happou.akita.jp",
+	"higashinaruse.akita.jp",
+	"honjo.akita.jp",
+	"honjyo.akita.jp",
+	"ikawa.akita.jp",
+	"kamikoani.akita.jp",
+	"kamioka.akita.jp",
+	"katagami.akita.jp",
+	"kazuno.akita.jp",
+	"kitaakita.akita.jp",
+	"kosaka.akita.jp",
+	"kyowa.akita.jp",
+	"misato.akita.jp",
+	"mitane.akita.jp",
+	"moriyoshi.akita.jp",
+	"nikaho.akita.jp",
+	"noshiro.akita.jp",
+	"odate.akita.jp",
+	"oga.akita.jp",
+	"ogata.akita.jp",
+	"semboku.akita.jp",
+	"yokote.akita.jp",
+	"yurihonjo.akita.jp",
+	"aomori.aomori.jp",
+	"gonohe.aomori.jp",
+	"hachinohe.aomori.jp",
+	"hashikami.aomori.jp",
+	"hiranai.aomori.jp",
+	"hirosaki.aomori.jp",
+	"itayanagi.aomori.jp",
+	"kuroishi.aomori.jp",
+	"misawa.aomori.jp",
+	"mutsu.aomori.jp",
+	"nakadomari.aomori.jp",
+	"noheji.aomori.jp",
+	"oirase.aomori.jp",
+	"owani.aomori.jp",
+	"rokunohe.aomori.jp",
+	"sannohe.aomori.jp",
+	"shichinohe.aomori.jp",
+	"shingo.aomori.jp",
+	"takko.aomori.jp",
+	"towada.aomori.jp",
+	"tsugaru.aomori.jp",
+	"tsuruta.aomori.jp",
+	"abiko.chiba.jp",
+	"asahi.chiba.jp",
+	"chonan.chiba.jp",
+	"chosei.chiba.jp",
+	"choshi.chiba.jp",
+	"chuo.chiba.jp",
+	"funabashi.chiba.jp",
+	"futtsu.chiba.jp",
+	"hanamigawa.chiba.jp",
+	"ichihara.chiba.jp",
+	"ichikawa.chiba.jp",
+	"ichinomiya.chiba.jp",
+	"inzai.chiba.jp",
+	"isumi.chiba.jp",
+	"kamagaya.chiba.jp",
+	"kamogawa.chiba.jp",
+	"kashiwa.chiba.jp",
+	"katori.chiba.jp",
+	"katsuura.chiba.jp",
+	"kimitsu.chiba.jp",
+	"kisarazu.chiba.jp",
+	"kozaki.chiba.jp",
+	"kujukuri.chiba.jp",
+	"kyonan.chiba.jp",
+	"matsudo.chiba.jp",
+	"midori.chiba.jp",
+	"mihama.chiba.jp",
+	"minamiboso.chiba.jp",
+	"mobara.chiba.jp",
+	"mutsuzawa.chiba.jp",
+	"nagara.chiba.jp",
+	"nagareyama.chiba.jp",
+	"narashino.chiba.jp",
+	"narita.chiba.jp",
+	"noda.chiba.jp",
+	"oamishirasato.chiba.jp",
+	"omigawa.chiba.jp",
+	"onjuku.chiba.jp",
+	"otaki.chiba.jp",
+	"sakae.chiba.jp",
+	"sakura.chiba.jp",
+	"shimofusa.chiba.jp",
+	"shirako.chiba.jp",
+	"shiroi.chiba.jp",
+	"shisui.chiba.jp",
+	"sodegaura.chiba.jp",
+	"sosa.chiba.jp",
+	"tako.chiba.jp",
+	"tateyama.chiba.jp",
+	"togane.chiba.jp",
+	"tohnosho.chiba.jp",
+	"tomisato.chiba.jp",
+	"urayasu.chiba.jp",
+	"yachimata.chiba.jp",
+	"yachiyo.chiba.jp",
+	"yokaichiba.chiba.jp",
+	"yokoshibahikari.chiba.jp",
+	"yotsukaido.chiba.jp",
+	"ainan.ehime.jp",
+	"honai.ehime.jp",
+	"ikata.ehime.jp",
+	"imabari.ehime.jp",
+	"iyo.ehime.jp",
+	"kamijima.ehime.jp",
+	"kihoku.ehime.jp",
+	"kumakogen.ehime.jp",
+	"masaki.ehime.jp",
+	"matsuno.ehime.jp",
+	"matsuyama.ehime.jp",
+	"namikata.ehime.jp",
+	"niihama.ehime.jp",
+	"ozu.ehime.jp",
+	"saijo.ehime.jp",
+	"seiyo.ehime.jp",
+	"shikokuchuo.ehime.jp",
+	"tobe.ehime.jp",
+	"toon.ehime.jp",
+	"uchiko.ehime.jp",
+	"uwajima.ehime.jp",
+	"yawatahama.ehime.jp",
+	"echizen.fukui.jp",
+	"eiheiji.fukui.jp",
+	"fukui.fukui.jp",
+	"ikeda.fukui.jp",
+	"katsuyama.fukui.jp",
+	"mihama.fukui.jp",
+	"minamiechizen.fukui.jp",
+	"obama.fukui.jp",
+	"ohi.fukui.jp",
+	"ono.fukui.jp",
+	"sabae.fukui.jp",
+	"sakai.fukui.jp",
+	"takahama.fukui.jp",
+	"tsuruga.fukui.jp",
+	"wakasa.fukui.jp",
+	"ashiya.fukuoka.jp",
+	"buzen.fukuoka.jp",
+	"chikugo.fukuoka.jp",
+	"chikuho.fukuoka.jp",
+	"chikujo.fukuoka.jp",
+	"chikushino.fukuoka.jp",
+	"chikuzen.fukuoka.jp",
+	"chuo.fukuoka.jp",
+	"dazaifu.fukuoka.jp",
+	"fukuchi.fukuoka.jp",
+	"hakata.fukuoka.jp",
+	"higashi.fukuoka.jp",
+	"hirokawa.fukuoka.jp",
+	"hisayama.fukuoka.jp",
+	"iizuka.fukuoka.jp",
+	"inatsuki.fukuoka.jp",
+	"kaho.fukuoka.jp",
+	"kasuga.fukuoka.jp",
+	"kasuya.fukuoka.jp",
+	"kawara.fukuoka.jp",
+	"keisen.fukuoka.jp",
+	"koga.fukuoka.jp",
+	"kurate.fukuoka.jp",
+	"kurogi.fukuoka.jp",
+	"kurume.fukuoka.jp",
+	"minami.fukuoka.jp",
+	"miyako.fukuoka.jp",
+	"miyama.fukuoka.jp",
+	"miyawaka.fukuoka.jp",
+	"mizumaki.fukuoka.jp",
+	"munakata.fukuoka.jp",
+	"nakagawa.fukuoka.jp",
+	"nakama.fukuoka.jp",
+	"nishi.fukuoka.jp",
+	"nogata.fukuoka.jp",
+	"ogori.fukuoka.jp",
+	"okagaki.fukuoka.jp",
+	"okawa.fukuoka.jp",
+	"oki.fukuoka.jp",
+	"omuta.fukuoka.jp",
+	"onga.fukuoka.jp",
+	"onojo.fukuoka.jp",
+	"oto.fukuoka.jp",
+	"saigawa.fukuoka.jp",
+	"sasaguri.fukuoka.jp",
+	"shingu.fukuoka.jp",
+	"shinyoshitomi.fukuoka.jp",
+	"shonai.fukuoka.jp",
+	"soeda.fukuoka.jp",
+	"sue.fukuoka.jp",
+	"tachiarai.fukuoka.jp",
+	"tagawa.fukuoka.jp",
+	"takata.fukuoka.jp",
+	"toho.fukuoka.jp",
+	"toyotsu.fukuoka.jp",
+	"tsuiki.fukuoka.jp",
+	"ukiha.fukuoka.jp",
+	"umi.fukuoka.jp",
+	"usui.fukuoka.jp",
+	"yamada.fukuoka.jp",
+	"yame.fukuoka.jp",
+	"yanagawa.fukuoka.jp",
+	"yukuhashi.fukuoka.jp",
+	"aizubange.fukushima.jp",
+	"aizumisato.fukushima.jp",
+	"aizuwakamatsu.fukushima.jp",
+	"asakawa.fukushima.jp",
+	"bandai.fukushima.jp",
+	"date.fukushima.jp",
+	"fukushima.fukushima.jp",
+	"furudono.fukushima.jp",
+	"futaba.fukushima.jp",
+	"hanawa.fukushima.jp",
+	"higashi.fukushima.jp",
+	"hirata.fukushima.jp",
+	"hirono.fukushima.jp",
+	"iitate.fukushima.jp",
+	"inawashiro.fukushima.jp",
+	"ishikawa.fukushima.jp",
+	"iwaki.fukushima.jp",
+	"izumizaki.fukushima.jp",
+	"kagamiishi.fukushima.jp",
+	"kaneyama.fukushima.jp",
+	"kawamata.fukushima.jp",
+	"kitakata.fukushima.jp",
+	"kitashiobara.fukushima.jp",
+	"koori.fukushima.jp",
+	"koriyama.fukushima.jp",
+	"kunimi.fukushima.jp",
+	"miharu.fukushima.jp",
+	"mishima.fukushima.jp",
+	"namie.fukushima.jp",
+	"nango.fukushima.jp",
+	"nishiaizu.fukushima.jp",
+	"nishigo.fukushima.jp",
+	"okuma.fukushima.jp",
+	"omotego.fukushima.jp",
+	"ono.fukushima.jp",
+	"otama.fukushima.jp",
+	"samegawa.fukushima.jp",
+	"shimogo.fukushima.jp",
+	"shirakawa.fukushima.jp",
+	"showa.fukushima.jp",
+	"soma.fukushima.jp",
+	"sukagawa.fukushima.jp",
+	"taishin.fukushima.jp",
+	"tamakawa.fukushima.jp",
+	"tanagura.fukushima.jp",
+	"tenei.fukushima.jp",
+	"yabuki.fukushima.jp",
+	"yamato.fukushima.jp",
+	"yamatsuri.fukushima.jp",
+	"yanaizu.fukushima.jp",
+	"yugawa.fukushima.jp",
+	"anpachi.gifu.jp",
+	"ena.gifu.jp",
+	"gifu.gifu.jp",
+	"ginan.gifu.jp",
+	"godo.gifu.jp",
+	"gujo.gifu.jp",
+	"hashima.gifu.jp",
+	"hichiso.gifu.jp",
+	"hida.gifu.jp",
+	"higashishirakawa.gifu.jp",
+	"ibigawa.gifu.jp",
+	"ikeda.gifu.jp",
+	"kakamigahara.gifu.jp",
+	"kani.gifu.jp",
+	"kasahara.gifu.jp",
+	"kasamatsu.gifu.jp",
+	"kawaue.gifu.jp",
+	"kitagata.gifu.jp",
+	"mino.gifu.jp",
+	"minokamo.gifu.jp",
+	"mitake.gifu.jp",
+	"mizunami.gifu.jp",
+	"motosu.gifu.jp",
+	"nakatsugawa.gifu.jp",
+	"ogaki.gifu.jp",
+	"sakahogi.gifu.jp",
+	"seki.gifu.jp",
+	"sekigahara.gifu.jp",
+	"shirakawa.gifu.jp",
+	"tajimi.gifu.jp",
+	"takayama.gifu.jp",
+	"tarui.gifu.jp",
+	"toki.gifu.jp",
+	"tomika.gifu.jp",
+	"wanouchi.gifu.jp",
+	"yamagata.gifu.jp",
+	"yaotsu.gifu.jp",
+	"yoro.gifu.jp",
+	"annaka.gunma.jp",
+	"chiyoda.gunma.jp",
+	"fujioka.gunma.jp",
+	"higashiagatsuma.gunma.jp",
+	"isesaki.gunma.jp",
+	"itakura.gunma.jp",
+	"kanna.gunma.jp",
+	"kanra.gunma.jp",
+	"katashina.gunma.jp",
+	"kawaba.gunma.jp",
+	"kiryu.gunma.jp",
+	"kusatsu.gunma.jp",
+	"maebashi.gunma.jp",
+	"meiwa.gunma.jp",
+	"midori.gunma.jp",
+	"minakami.gunma.jp",
+	"naganohara.gunma.jp",
+	"nakanojo.gunma.jp",
+	"nanmoku.gunma.jp",
+	"numata.gunma.jp",
+	"oizumi.gunma.jp",
+	"ora.gunma.jp",
+	"ota.gunma.jp",
+	"shibukawa.gunma.jp",
+	"shimonita.gunma.jp",
+	"shinto.gunma.jp",
+	"showa.gunma.jp",
+	"takasaki.gunma.jp",
+	"takayama.gunma.jp",
+	"tamamura.gunma.jp",
+	"tatebayashi.gunma.jp",
+	"tomioka.gunma.jp",
+	"tsukiyono.gunma.jp",
+	"tsumagoi.gunma.jp",
+	"ueno.gunma.jp",
+	"yoshioka.gunma.jp",
+	"asaminami.hiroshima.jp",
+	"daiwa.hiroshima.jp",
+	"etajima.hiroshima.jp",
+	"fuchu.hiroshima.jp",
+	"fukuyama.hiroshima.jp",
+	"hatsukaichi.hiroshima.jp",
+	"higashihiroshima.hiroshima.jp",
+	"hongo.hiroshima.jp",
+	"jinsekikogen.hiroshima.jp",
+	"kaita.hiroshima.jp",
+	"kui.hiroshima.jp",
+	"kumano.hiroshima.jp",
+	"kure.hiroshima.jp",
+	"mihara.hiroshima.jp",
+	"miyoshi.hiroshima.jp",
+	"naka.hiroshima.jp",
+	"onomichi.hiroshima.jp",
+	"osakikamijima.hiroshima.jp",
+	"otake.hiroshima.jp",
+	"saka.hiroshima.jp",
+	"sera.hiroshima.jp",
+	"seranishi.hiroshima.jp",
+	"shinichi.hiroshima.jp",
+	"shobara.hiroshima.jp",
+	"takehara.hiroshima.jp",
+	"abashiri.hokkaido.jp",
+	"abira.hokkaido.jp",
+	"aibetsu.hokkaido.jp",
+	"akabira.hokkaido.jp",
+	"akkeshi.hokkaido.jp",
+	"asahikawa.hokkaido.jp",
+	"ashibetsu.hokkaido.jp",
+	"ashoro.hokkaido.jp",
+	"assabu.hokkaido.jp",
+	"atsuma.hokkaido.jp",
+	"bibai.hokkaido.jp",
+	"biei.hokkaido.jp",
+	"bifuka.hokkaido.jp",
+	"bihoro.hokkaido.jp",
+	"biratori.hokkaido.jp",
+	"chippubetsu.hokkaido.jp",
+	"chitose.hokkaido.jp",
+	"date.hokkaido.jp",
+	"ebetsu.hokkaido.jp",
+	"embetsu.hokkaido.jp",
+	"eniwa.hokkaido.jp",
+	"erimo.hokkaido.jp",
+	"esan.hokkaido.jp",
+	"esashi.hokkaido.jp",
+	"fukagawa.hokkaido.jp",
+	"fukushima.hokkaido.jp",
+	"furano.hokkaido.jp",
+	"furubira.hokkaido.jp",
+	"haboro.hokkaido.jp",
+	"hakodate.hokkaido.jp",
+	"hamatonbetsu.hokkaido.jp",
+	"hidaka.hokkaido.jp",
+	"higashikagura.hokkaido.jp",
+	"higashikawa.hokkaido.jp",
+	"hiroo.hokkaido.jp",
+	"hokuryu.hokkaido.jp",
+	"hokuto.hokkaido.jp",
+	"honbetsu.hokkaido.jp",
+	"horokanai.hokkaido.jp",
+	"horonobe.hokkaido.jp",
+	"ikeda.hokkaido.jp",
+	"imakane.hokkaido.jp",
+	"ishikari.hokkaido.jp",
+	"iwamizawa.hokkaido.jp",
+	"iwanai.hokkaido.jp",
+	"kamifurano.hokkaido.jp",
+	"kamikawa.hokkaido.jp",
+	"kamishihoro.hokkaido.jp",
+	"kamisunagawa.hokkaido.jp",
+	"kamoenai.hokkaido.jp",
+	"kayabe.hokkaido.jp",
+	"kembuchi.hokkaido.jp",
+	"kikonai.hokkaido.jp",
+	"kimobetsu.hokkaido.jp",
+	"kitahiroshima.hokkaido.jp",
+	"kitami.hokkaido.jp",
+	"kiyosato.hokkaido.jp",
+	"koshimizu.hokkaido.jp",
+	"kunneppu.hokkaido.jp",
+	"kuriyama.hokkaido.jp",
+	"kuromatsunai.hokkaido.jp",
+	"kushiro.hokkaido.jp",
+	"kutchan.hokkaido.jp",
+	"kyowa.hokkaido.jp",
+	"mashike.hokkaido.jp",
+	"matsumae.hokkaido.jp",
+	"mikasa.hokkaido.jp",
+	"minamifurano.hokkaido.jp",
+	"mombetsu.hokkaido.jp",
+	"moseushi.hokkaido.jp",
+	"mukawa.hokkaido.jp",
+	"muroran.hokkaido.jp",
+	"naie.hokkaido.jp",
+	"nakagawa.hokkaido.jp",
+	"nakasatsunai.hokkaido.jp",
+	"nakatombetsu.hokkaido.jp",
+	"nanae.hokkaido.jp",
+	"nanporo.hokkaido.jp",
+	"nayoro.hokkaido.jp",
+	"nemuro.hokkaido.jp",
+	"niikappu.hokkaido.jp",
+	"niki.hokkaido.jp",
+	"nishiokoppe.hokkaido.jp",
+	"noboribetsu.hokkaido.jp",
+	"numata.hokkaido.jp",
+	"obihiro.hokkaido.jp",
+	"obira.hokkaido.jp",
+	"oketo.hokkaido.jp",
+	"okoppe.hokkaido.jp",
+	"otaru.hokkaido.jp",
+	"otobe.hokkaido.jp",
+	"otofuke.hokkaido.jp",
+	"otoineppu.hokkaido.jp",
+	"oumu.hokkaido.jp",
+	"ozora.hokkaido.jp",
+	"pippu.hokkaido.jp",
+	"rankoshi.hokkaido.jp",
+	"rebun.hokkaido.jp",
+	"rikubetsu.hokkaido.jp",
+	"rishiri.hokkaido.jp",
+	"rishirifuji.hokkaido.jp",
+	"saroma.hokkaido.jp",
+	"sarufutsu.hokkaido.jp",
+	"shakotan.hokkaido.jp",
+	"shari.hokkaido.jp",
+	"shibecha.hokkaido.jp",
+	"shibetsu.hokkaido.jp",
+	"shikabe.hokkaido.jp",
+	"shikaoi.hokkaido.jp",
+	"shimamaki.hokkaido.jp",
+	"shimizu.hokkaido.jp",
+	"shimokawa.hokkaido.jp",
+	"shinshinotsu.hokkaido.jp",
+	"shintoku.hokkaido.jp",
+	"shiranuka.hokkaido.jp",
+	"shiraoi.hokkaido.jp",
+	"shiriuchi.hokkaido.jp",
+	"sobetsu.hokkaido.jp",
+	"sunagawa.hokkaido.jp",
+	"taiki.hokkaido.jp",
+	"takasu.hokkaido.jp",
+	"takikawa.hokkaido.jp",
+	"takinoue.hokkaido.jp",
+	"teshikaga.hokkaido.jp",
+	"tobetsu.hokkaido.jp",
+	"tohma.hokkaido.jp",
+	"tomakomai.hokkaido.jp",
+	"tomari.hokkaido.jp",
+	"toya.hokkaido.jp",
+	"toyako.hokkaido.jp",
+	"toyotomi.hokkaido.jp",
+	"toyoura.hokkaido.jp",
+	"tsubetsu.hokkaido.jp",
+	"tsukigata.hokkaido.jp",
+	"urakawa.hokkaido.jp",
+	"urausu.hokkaido.jp",
+	"uryu.hokkaido.jp",
+	"utashinai.hokkaido.jp",
+	"wakkanai.hokkaido.jp",
+	"wassamu.hokkaido.jp",
+	"yakumo.hokkaido.jp",
+	"yoichi.hokkaido.jp",
+	"aioi.hyogo.jp",
+	"akashi.hyogo.jp",
+	"ako.hyogo.jp",
+	"amagasaki.hyogo.jp",
+	"aogaki.hyogo.jp",
+	"asago.hyogo.jp",
+	"ashiya.hyogo.jp",
+	"awaji.hyogo.jp",
+	"fukusaki.hyogo.jp",
+	"goshiki.hyogo.jp",
+	"harima.hyogo.jp",
+	"himeji.hyogo.jp",
+	"ichikawa.hyogo.jp",
+	"inagawa.hyogo.jp",
+	"itami.hyogo.jp",
+	"kakogawa.hyogo.jp",
+	"kamigori.hyogo.jp",
+	"kamikawa.hyogo.jp",
+	"kasai.hyogo.jp",
+	"kasuga.hyogo.jp",
+	"kawanishi.hyogo.jp",
+	"miki.hyogo.jp",
+	"minamiawaji.hyogo.jp",
+	"nishinomiya.hyogo.jp",
+	"nishiwaki.hyogo.jp",
+	"ono.hyogo.jp",
+	"sanda.hyogo.jp",
+	"sannan.hyogo.jp",
+	"sasayama.hyogo.jp",
+	"sayo.hyogo.jp",
+	"shingu.hyogo.jp",
+	"shinonsen.hyogo.jp",
+	"shiso.hyogo.jp",
+	"sumoto.hyogo.jp",
+	"taishi.hyogo.jp",
+	"taka.hyogo.jp",
+	"takarazuka.hyogo.jp",
+	"takasago.hyogo.jp",
+	"takino.hyogo.jp",
+	"tamba.hyogo.jp",
+	"tatsuno.hyogo.jp",
+	"toyooka.hyogo.jp",
+	"yabu.hyogo.jp",
+	"yashiro.hyogo.jp",
+	"yoka.hyogo.jp",
+	"yokawa.hyogo.jp",
+	"ami.ibaraki.jp",
+	"asahi.ibaraki.jp",
+	"bando.ibaraki.jp",
+	"chikusei.ibaraki.jp",
+	"daigo.ibaraki.jp",
+	"fujishiro.ibaraki.jp",
+	"hitachi.ibaraki.jp",
+	"hitachinaka.ibaraki.jp",
+	"hitachiomiya.ibaraki.jp",
+	"hitachiota.ibaraki.jp",
+	"ibaraki.ibaraki.jp",
+	"ina.ibaraki.jp",
+	"inashiki.ibaraki.jp",
+	"itako.ibaraki.jp",
+	"iwama.ibaraki.jp",
+	"joso.ibaraki.jp",
+	"kamisu.ibaraki.jp",
+	"kasama.ibaraki.jp",
+	"kashima.ibaraki.jp",
+	"kasumigaura.ibaraki.jp",
+	"koga.ibaraki.jp",
+	"miho.ibaraki.jp",
+	"mito.ibaraki.jp",
+	"moriya.ibaraki.jp",
+	"naka.ibaraki.jp",
+	"namegata.ibaraki.jp",
+	"oarai.ibaraki.jp",
+	"ogawa.ibaraki.jp",
+	"omitama.ibaraki.jp",
+	"ryugasaki.ibaraki.jp",
+	"sakai.ibaraki.jp",
+	"sakuragawa.ibaraki.jp",
+	"shimodate.ibaraki.jp",
+	"shimotsuma.ibaraki.jp",
+	"shirosato.ibaraki.jp",
+	"sowa.ibaraki.jp",
+	"suifu.ibaraki.jp",
+	"takahagi.ibaraki.jp",
+	"tamatsukuri.ibaraki.jp",
+	"tokai.ibaraki.jp",
+	"tomobe.ibaraki.jp",
+	"tone.ibaraki.jp",
+	"toride.ibaraki.jp",
+	"tsuchiura.ibaraki.jp",
+	"tsukuba.ibaraki.jp",
+	"uchihara.ibaraki.jp",
+	"ushiku.ibaraki.jp",
+	"yachiyo.ibaraki.jp",
+	"yamagata.ibaraki.jp",
+	"yawara.ibaraki.jp",
+	"yuki.ibaraki.jp",
+	"anamizu.ishikawa.jp",
+	"hakui.ishikawa.jp",
+	"hakusan.ishikawa.jp",
+	"kaga.ishikawa.jp",
+	"kahoku.ishikawa.jp",
+	"kanazawa.ishikawa.jp",
+	"kawakita.ishikawa.jp",
+	"komatsu.ishikawa.jp",
+	"nakanoto.ishikawa.jp",
+	"nanao.ishikawa.jp",
+	"nomi.ishikawa.jp",
+	"nonoichi.ishikawa.jp",
+	"noto.ishikawa.jp",
+	"shika.ishikawa.jp",
+	"suzu.ishikawa.jp",
+	"tsubata.ishikawa.jp",
+	"tsurugi.ishikawa.jp",
+	"uchinada.ishikawa.jp",
+	"wajima.ishikawa.jp",
+	"fudai.iwate.jp",
+	"fujisawa.iwate.jp",
+	"hanamaki.iwate.jp",
+	"hiraizumi.iwate.jp",
+	"hirono.iwate.jp",
+	"ichinohe.iwate.jp",
+	"ichinoseki.iwate.jp",
+	"iwaizumi.iwate.jp",
+	"iwate.iwate.jp",
+	"joboji.iwate.jp",
+	"kamaishi.iwate.jp",
+	"kanegasaki.iwate.jp",
+	"karumai.iwate.jp",
+	"kawai.iwate.jp",
+	"kitakami.iwate.jp",
+	"kuji.iwate.jp",
+	"kunohe.iwate.jp",
+	"kuzumaki.iwate.jp",
+	"miyako.iwate.jp",
+	"mizusawa.iwate.jp",
+	"morioka.iwate.jp",
+	"ninohe.iwate.jp",
+	"noda.iwate.jp",
+	"ofunato.iwate.jp",
+	"oshu.iwate.jp",
+	"otsuchi.iwate.jp",
+	"rikuzentakata.iwate.jp",
+	"shiwa.iwate.jp",
+	"shizukuishi.iwate.jp",
+	"sumita.iwate.jp",
+	"tanohata.iwate.jp",
+	"tono.iwate.jp",
+	"yahaba.iwate.jp",
+	"yamada.iwate.jp",
+	"ayagawa.kagawa.jp",
+	"higashikagawa.kagawa.jp",
+	"kanonji.kagawa.jp",
+	"kotohira.kagawa.jp",
+	"manno.kagawa.jp",
+	"marugame.kagawa.jp",
+	"mitoyo.kagawa.jp",
+	"naoshima.kagawa.jp",
+	"sanuki.kagawa.jp",
+	"tadotsu.kagawa.jp",
+	"takamatsu.kagawa.jp",
+	"tonosho.kagawa.jp",
+	"uchinomi.kagawa.jp",
+	"utazu.kagawa.jp",
+	"zentsuji.kagawa.jp",
+	"akune.kagoshima.jp",
+	"amami.kagoshima.jp",
+	"hioki.kagoshima.jp",
+	"isa.kagoshima.jp",
+	"isen.kagoshima.jp",
+	"izumi.kagoshima.jp",
+	"kagoshima.kagoshima.jp",
+	"kanoya.kagoshima.jp",
+	"kawanabe.kagoshima.jp",
+	"kinko.kagoshima.jp",
+	"kouyama.kagoshima.jp",
+	"makurazaki.kagoshima.jp",
+	"matsumoto.kagoshima.jp",
+	"minamitane.kagoshima.jp",
+	"nakatane.kagoshima.jp",
+	"nishinoomote.kagoshima.jp",
+	"satsumasendai.kagoshima.jp",
+	"soo.kagoshima.jp",
+	"tarumizu.kagoshima.jp",
+	"yusui.kagoshima.jp",
+	"aikawa.kanagawa.jp",
+	"atsugi.kanagawa.jp",
+	"ayase.kanagawa.jp",
+	"chigasaki.kanagawa.jp",
+	"ebina.kanagawa.jp",
+	"fujisawa.kanagawa.jp",
+	"hadano.kanagawa.jp",
+	"hakone.kanagawa.jp",
+	"hiratsuka.kanagawa.jp",
+	"isehara.kanagawa.jp",
+	"kaisei.kanagawa.jp",
+	"kamakura.kanagawa.jp",
+	"kiyokawa.kanagawa.jp",
+	"matsuda.kanagawa.jp",
+	"minamiashigara.kanagawa.jp",
+	"miura.kanagawa.jp",
+	"nakai.kanagawa.jp",
+	"ninomiya.kanagawa.jp",
+	"odawara.kanagawa.jp",
+	"oi.kanagawa.jp",
+	"oiso.kanagawa.jp",
+	"sagamihara.kanagawa.jp",
+	"samukawa.kanagawa.jp",
+	"tsukui.kanagawa.jp",
+	"yamakita.kanagawa.jp",
+	"yamato.kanagawa.jp",
+	"yokosuka.kanagawa.jp",
+	"yugawara.kanagawa.jp",
+	"zama.kanagawa.jp",
+	"zushi.kanagawa.jp",
+	"aki.kochi.jp",
+	"geisei.kochi.jp",
+	"hidaka.kochi.jp",
+	"higashitsuno.kochi.jp",
+	"ino.kochi.jp",
+	"kagami.kochi.jp",
+	"kami.kochi.jp",
+	"kitagawa.kochi.jp",
+	"kochi.kochi.jp",
+	"mihara.kochi.jp",
+	"motoyama.kochi.jp",
+	"muroto.kochi.jp",
+	"nahari.kochi.jp",
+	"nakamura.kochi.jp",
+	"nankoku.kochi.jp",
+	"nishitosa.kochi.jp",
+	"niyodogawa.kochi.jp",
+	"ochi.kochi.jp",
+	"okawa.kochi.jp",
+	"otoyo.kochi.jp",
+	"otsuki.kochi.jp",
+	"sakawa.kochi.jp",
+	"sukumo.kochi.jp",
+	"susaki.kochi.jp",
+	"tosa.kochi.jp",
+	"tosashimizu.kochi.jp",
+	"toyo.kochi.jp",
+	"tsuno.kochi.jp",
+	"umaji.kochi.jp",
+	"yasuda.kochi.jp",
+	"yusuhara.kochi.jp",
+	"amakusa.kumamoto.jp",
+	"arao.kumamoto.jp",
+	"aso.kumamoto.jp",
+	"choyo.kumamoto.jp",
+	"gyokuto.kumamoto.jp",
+	"kamiamakusa.kumamoto.jp",
+	"kikuchi.kumamoto.jp",
+	"kumamoto.kumamoto.jp",
+	"mashiki.kumamoto.jp",
+	"mifune.kumamoto.jp",
+	"minamata.kumamoto.jp",
+	"minamioguni.kumamoto.jp",
+	"nagasu.kumamoto.jp",
+	"nishihara.kumamoto.jp",
+	"oguni.kumamoto.jp",
+	"ozu.kumamoto.jp",
+	"sumoto.kumamoto.jp",
+	"takamori.kumamoto.jp",
+	"uki.kumamoto.jp",
+	"uto.kumamoto.jp",
+	"yamaga.kumamoto.jp",
+	"yamato.kumamoto.jp",
+	"yatsushiro.kumamoto.jp",
+	"ayabe.kyoto.jp",
+	"fukuchiyama.kyoto.jp",
+	"higashiyama.kyoto.jp",
+	"ide.kyoto.jp",
+	"ine.kyoto.jp",
+	"joyo.kyoto.jp",
+	"kameoka.kyoto.jp",
+	"kamo.kyoto.jp",
+	"kita.kyoto.jp",
+	"kizu.kyoto.jp",
+	"kumiyama.kyoto.jp",
+	"kyotamba.kyoto.jp",
+	"kyotanabe.kyoto.jp",
+	"kyotango.kyoto.jp",
+	"maizuru.kyoto.jp",
+	"minami.kyoto.jp",
+	"minamiyamashiro.kyoto.jp",
+	"miyazu.kyoto.jp",
+	"muko.kyoto.jp",
+	"nagaokakyo.kyoto.jp",
+	"nakagyo.kyoto.jp",
+	"nantan.kyoto.jp",
+	"oyamazaki.kyoto.jp",
+	"sakyo.kyoto.jp",
+	"seika.kyoto.jp",
+	"tanabe.kyoto.jp",
+	"uji.kyoto.jp",
+	"ujitawara.kyoto.jp",
+	"wazuka.kyoto.jp",
+	"yamashina.kyoto.jp",
+	"yawata.kyoto.jp",
+	"asahi.mie.jp",
+	"inabe.mie.jp",
+	"ise.mie.jp",
+	"kameyama.mie.jp",
+	"kawagoe.mie.jp",
+	"kiho.mie.jp",
+	"kisosaki.mie.jp",
+	"kiwa.mie.jp",
+	"komono.mie.jp",
+	"kumano.mie.jp",
+	"kuwana.mie.jp",
+	"matsusaka.mie.jp",
+	"meiwa.mie.jp",
+	"mihama.mie.jp",
+	"minamiise.mie.jp",
+	"misugi.mie.jp",
+	"miyama.mie.jp",
+	"nabari.mie.jp",
+	"shima.mie.jp",
+	"suzuka.mie.jp",
+	"tado.mie.jp",
+	"taiki.mie.jp",
+	"taki.mie.jp",
+	"tamaki.mie.jp",
+	"toba.mie.jp",
+	"tsu.mie.jp",
+	"udono.mie.jp",
+	"ureshino.mie.jp",
+	"watarai.mie.jp",
+	"yokkaichi.mie.jp",
+	"furukawa.miyagi.jp",
+	"higashimatsushima.miyagi.jp",
+	"ishinomaki.miyagi.jp",
+	"iwanuma.miyagi.jp",
+	"kakuda.miyagi.jp",
+	"kami.miyagi.jp",
+	"kawasaki.miyagi.jp",
+	"marumori.miyagi.jp",
+	"matsushima.miyagi.jp",
+	"minamisanriku.miyagi.jp",
+	"misato.miyagi.jp",
+	"murata.miyagi.jp",
+	"natori.miyagi.jp",
+	"ogawara.miyagi.jp",
+	"ohira.miyagi.jp",
+	"onagawa.miyagi.jp",
+	"osaki.miyagi.jp",
+	"rifu.miyagi.jp",
+	"semine.miyagi.jp",
+	"shibata.miyagi.jp",
+	"shichikashuku.miyagi.jp",
+	"shikama.miyagi.jp",
+	"shiogama.miyagi.jp",
+	"shiroishi.miyagi.jp",
+	"tagajo.miyagi.jp",
+	"taiwa.miyagi.jp",
+	"tome.miyagi.jp",
+	"tomiya.miyagi.jp",
+	"wakuya.miyagi.jp",
+	"watari.miyagi.jp",
+	"yamamoto.miyagi.jp",
+	"zao.miyagi.jp",
+	"aya.miyazaki.jp",
+	"ebino.miyazaki.jp",
+	"gokase.miyazaki.jp",
+	"hyuga.miyazaki.jp",
+	"kadogawa.miyazaki.jp",
+	"kawaminami.miyazaki.jp",
+	"kijo.miyazaki.jp",
+	"kitagawa.miyazaki.jp",
+	"kitakata.miyazaki.jp",
+	"kitaura.miyazaki.jp",
+	"kobayashi.miyazaki.jp",
+	"kunitomi.miyazaki.jp",
+	"kushima.miyazaki.jp",
+	"mimata.miyazaki.jp",
+	"miyakonojo.miyazaki.jp",
+	"miyazaki.miyazaki.jp",
+	"morotsuka.miyazaki.jp",
+	"nichinan.miyazaki.jp",
+	"nishimera.miyazaki.jp",
+	"nobeoka.miyazaki.jp",
+	"saito.miyazaki.jp",
+	"shiiba.miyazaki.jp",
+	"shintomi.miyazaki.jp",
+	"takaharu.miyazaki.jp",
+	"takanabe.miyazaki.jp",
+	"takazaki.miyazaki.jp",
+	"tsuno.miyazaki.jp",
+	"achi.nagano.jp",
+	"agematsu.nagano.jp",
+	"anan.nagano.jp",
+	"aoki.nagano.jp",
+	"asahi.nagano.jp",
+	"azumino.nagano.jp",
+	"chikuhoku.nagano.jp",
+	"chikuma.nagano.jp",
+	"chino.nagano.jp",
+	"fujimi.nagano.jp",
+	"hakuba.nagano.jp",
+	"hara.nagano.jp",
+	"hiraya.nagano.jp",
+	"iida.nagano.jp",
+	"iijima.nagano.jp",
+	"iiyama.nagano.jp",
+	"iizuna.nagano.jp",
+	"ikeda.nagano.jp",
+	"ikusaka.nagano.jp",
+	"ina.nagano.jp",
+	"karuizawa.nagano.jp",
+	"kawakami.nagano.jp",
+	"kiso.nagano.jp",
+	"kisofukushima.nagano.jp",
+	"kitaaiki.nagano.jp",
+	"komagane.nagano.jp",
+	"komoro.nagano.jp",
+	"matsukawa.nagano.jp",
+	"matsumoto.nagano.jp",
+	"miasa.nagano.jp",
+	"minamiaiki.nagano.jp",
+	"minamimaki.nagano.jp",
+	"minamiminowa.nagano.jp",
+	"minowa.nagano.jp",
+	"miyada.nagano.jp",
+	"miyota.nagano.jp",
+	"mochizuki.nagano.jp",
+	"nagano.nagano.jp",
+	"nagawa.nagano.jp",
+	"nagiso.nagano.jp",
+	"nakagawa.nagano.jp",
+	"nakano.nagano.jp",
+	"nozawaonsen.nagano.jp",
+	"obuse.nagano.jp",
+	"ogawa.nagano.jp",
+	"okaya.nagano.jp",
+	"omachi.nagano.jp",
+	"omi.nagano.jp",
+	"ookuwa.nagano.jp",
+	"ooshika.nagano.jp",
+	"otaki.nagano.jp",
+	"otari.nagano.jp",
+	"sakae.nagano.jp",
+	"sakaki.nagano.jp",
+	"saku.nagano.jp",
+	"sakuho.nagano.jp",
+	"shimosuwa.nagano.jp",
+	"shinanomachi.nagano.jp",
+	"shiojiri.nagano.jp",
+	"suwa.nagano.jp",
+	"suzaka.nagano.jp",
+	"takagi.nagano.jp",
+	"takamori.nagano.jp",
+	"takayama.nagano.jp",
+	"tateshina.nagano.jp",
+	"tatsuno.nagano.jp",
+	"togakushi.nagano.jp",
+	"togura.nagano.jp",
+	"tomi.nagano.jp",
+	"ueda.nagano.jp",
+	"wada.nagano.jp",
+	"yamagata.nagano.jp",
+	"yamanouchi.nagano.jp",
+	"yasaka.nagano.jp",
+	"yasuoka.nagano.jp",
+	"chijiwa.nagasaki.jp",
+	"futsu.nagasaki.jp",
+	"goto.nagasaki.jp",
+	"hasami.nagasaki.jp",
+	"hirado.nagasaki.jp",
+	"iki.nagasaki.jp",
+	"isahaya.nagasaki.jp",
+	"kawatana.nagasaki.jp",
+	"kuchinotsu.nagasaki.jp",
+	"matsuura.nagasaki.jp",
+	"nagasaki.nagasaki.jp",
+	"obama.nagasaki.jp",
+	"omura.nagasaki.jp",
+	"oseto.nagasaki.jp",
+	"saikai.nagasaki.jp",
+	"sasebo.nagasaki.jp",
+	"seihi.nagasaki.jp",
+	"shimabara.nagasaki.jp",
+	"shinkamigoto.nagasaki.jp",
+	"togitsu.nagasaki.jp",
+	"tsushima.nagasaki.jp",
+	"unzen.nagasaki.jp",
+	"ando.nara.jp",
+	"gose.nara.jp",
+	"heguri.nara.jp",
+	"higashiyoshino.nara.jp",
+	"ikaruga.nara.jp",
+	"ikoma.nara.jp",
+	"kamikitayama.nara.jp",
+	"kanmaki.nara.jp",
+	"kashiba.nara.jp",
+	"kashihara.nara.jp",
+	"katsuragi.nara.jp",
+	"kawai.nara.jp",
+	"kawakami.nara.jp",
+	"kawanishi.nara.jp",
+	"koryo.nara.jp",
+	"kurotaki.nara.jp",
+	"mitsue.nara.jp",
+	"miyake.nara.jp",
+	"nara.nara.jp",
+	"nosegawa.nara.jp",
+	"oji.nara.jp",
+	"ouda.nara.jp",
+	"oyodo.nara.jp",
+	"sakurai.nara.jp",
+	"sango.nara.jp",
+	"shimoichi.nara.jp",
+	"shimokitayama.nara.jp",
+	"shinjo.nara.jp",
+	"soni.nara.jp",
+	"takatori.nara.jp",
+	"tawaramoto.nara.jp",
+	"tenkawa.nara.jp",
+	"tenri.nara.jp",
+	"uda.nara.jp",
+	"yamatokoriyama.nara.jp",
+	"yamatotakada.nara.jp",
+	"yamazoe.nara.jp",
+	"yoshino.nara.jp",
+	"aga.niigata.jp",
+	"agano.niigata.jp",
+	"gosen.niigata.jp",
+	"itoigawa.niigata.jp",
+	"izumozaki.niigata.jp",
+	"joetsu.niigata.jp",
+	"kamo.niigata.jp",
+	"kariwa.niigata.jp",
+	"kashiwazaki.niigata.jp",
+	"minamiuonuma.niigata.jp",
+	"mitsuke.niigata.jp",
+	"muika.niigata.jp",
+	"murakami.niigata.jp",
+	"myoko.niigata.jp",
+	"nagaoka.niigata.jp",
+	"niigata.niigata.jp",
+	"ojiya.niigata.jp",
+	"omi.niigata.jp",
+	"sado.niigata.jp",
+	"sanjo.niigata.jp",
+	"seiro.niigata.jp",
+	"seirou.niigata.jp",
+	"sekikawa.niigata.jp",
+	"shibata.niigata.jp",
+	"tagami.niigata.jp",
+	"tainai.niigata.jp",
+	"tochio.niigata.jp",
+	"tokamachi.niigata.jp",
+	"tsubame.niigata.jp",
+	"tsunan.niigata.jp",
+	"uonuma.niigata.jp",
+	"yahiko.niigata.jp",
+	"yoita.niigata.jp",
+	"yuzawa.niigata.jp",
+	"beppu.oita.jp",
+	"bungoono.oita.jp",
+	"bungotakada.oita.jp",
+	"hasama.oita.jp",
+	"hiji.oita.jp",
+	"himeshima.oita.jp",
+	"hita.oita.jp",
+	"kamitsue.oita.jp",
+	"kokonoe.oita.jp",
+	"kuju.oita.jp",
+	"kunisaki.oita.jp",
+	"kusu.oita.jp",
+	"oita.oita.jp",
+	"saiki.oita.jp",
+	"taketa.oita.jp",
+	"tsukumi.oita.jp",
+	"usa.oita.jp",
+	"usuki.oita.jp",
+	"yufu.oita.jp",
+	"akaiwa.okayama.jp",
+	"asakuchi.okayama.jp",
+	"bizen.okayama.jp",
+	"hayashima.okayama.jp",
+	"ibara.okayama.jp",
+	"kagamino.okayama.jp",
+	"kasaoka.okayama.jp",
+	"kibichuo.okayama.jp",
+	"kumenan.okayama.jp",
+	"kurashiki.okayama.jp",
+	"maniwa.okayama.jp",
+	"misaki.okayama.jp",
+	"nagi.okayama.jp",
+	"niimi.okayama.jp",
+	"nishiawakura.okayama.jp",
+	"okayama.okayama.jp",
+	"satosho.okayama.jp",
+	"setouchi.okayama.jp",
+	"shinjo.okayama.jp",
+	"shoo.okayama.jp",
+	"soja.okayama.jp",
+	"takahashi.okayama.jp",
+	"tamano.okayama.jp",
+	"tsuyama.okayama.jp",
+	"wake.okayama.jp",
+	"yakage.okayama.jp",
+	"aguni.okinawa.jp",
+	"ginowan.okinawa.jp",
+	"ginoza.okinawa.jp",
+	"gushikami.okinawa.jp",
+	"haebaru.okinawa.jp",
+	"higashi.okinawa.jp",
+	"hirara.okinawa.jp",
+	"iheya.okinawa.jp",
+	"ishigaki.okinawa.jp",
+	"ishikawa.okinawa.jp",
+	"itoman.okinawa.jp",
+	"izena.okinawa.jp",
+	"kadena.okinawa.jp",
+	"kin.okinawa.jp",
+	"kitadaito.okinawa.jp",
+	"kitanakagusuku.okinawa.jp",
+	"kumejima.okinawa.jp",
+	"kunigami.okinawa.jp",
+	"minamidaito.okinawa.jp",
+	"motobu.okinawa.jp",
+	"nago.okinawa.jp",
+	"naha.okinawa.jp",
+	"nakagusuku.okinawa.jp",
+	"nakijin.okinawa.jp",
+	"nanjo.okinawa.jp",
+	"nishihara.okinawa.jp",
+	"ogimi.okinawa.jp",
+	"okinawa.okinawa.jp",
+	"onna.okinawa.jp",
+	"shimoji.okinawa.jp",
+	"taketomi.okinawa.jp",
+	"tarama.okinawa.jp",
+	"tokashiki.okinawa.jp",
+	"tomigusuku.okinawa.jp",
+	"tonaki.okinawa.jp",
+	"urasoe.okinawa.jp",
+	"uruma.okinawa.jp",
+	"yaese.okinawa.jp",
+	"yomitan.okinawa.jp",
+	"yonabaru.okinawa.jp",
+	"yonaguni.okinawa.jp",
+	"zamami.okinawa.jp",
+	"abeno.osaka.jp",
+	"chihayaakasaka.osaka.jp",
+	"chuo.osaka.jp",
+	"daito.osaka.jp",
+	"fujiidera.osaka.jp",
+	"habikino.osaka.jp",
+	"hannan.osaka.jp",
+	"higashiosaka.osaka.jp",
+	"higashisumiyoshi.osaka.jp",
+	"higashiyodogawa.osaka.jp",
+	"hirakata.osaka.jp",
+	"ibaraki.osaka.jp",
+	"ikeda.osaka.jp",
+	"izumi.osaka.jp",
+	"izumiotsu.osaka.jp",
+	"izumisano.osaka.jp",
+	"kadoma.osaka.jp",
+	"kaizuka.osaka.jp",
+	"kanan.osaka.jp",
+	"kashiwara.osaka.jp",
+	"katano.osaka.jp",
+	"kawachinagano.osaka.jp",
+	"kishiwada.osaka.jp",
+	"kita.osaka.jp",
+	"kumatori.osaka.jp",
+	"matsubara.osaka.jp",
+	"minato.osaka.jp",
+	"minoh.osaka.jp",
+	"misaki.osaka.jp",
+	"moriguchi.osaka.jp",
+	"neyagawa.osaka.jp",
+	"nishi.osaka.jp",
+	"nose.osaka.jp",
+	"osakasayama.osaka.jp",
+	"sakai.osaka.jp",
+	"sayama.osaka.jp",
+	"sennan.osaka.jp",
+	"settsu.osaka.jp",
+	"shijonawate.osaka.jp",
+	"shimamoto.osaka.jp",
+	"suita.osaka.jp",
+	"tadaoka.osaka.jp",
+	"taishi.osaka.jp",
+	"tajiri.osaka.jp",
+	"takaishi.osaka.jp",
+	"takatsuki.osaka.jp",
+	"tondabayashi.osaka.jp",
+	"toyonaka.osaka.jp",
+	"toyono.osaka.jp",
+	"yao.osaka.jp",
+	"ariake.saga.jp",
+	"arita.saga.jp",
+	"fukudomi.saga.jp",
+	"genkai.saga.jp",
+	"hamatama.saga.jp",
+	"hizen.saga.jp",
+	"imari.saga.jp",
+	"kamimine.saga.jp",
+	"kanzaki.saga.jp",
+	"karatsu.saga.jp",
+	"kashima.saga.jp",
+	"kitagata.saga.jp",
+	"kitahata.saga.jp",
+	"kiyama.saga.jp",
+	"kouhoku.saga.jp",
+	"kyuragi.saga.jp",
+	"nishiarita.saga.jp",
+	"ogi.saga.jp",
+	"omachi.saga.jp",
+	"ouchi.saga.jp",
+	"saga.saga.jp",
+	"shiroishi.saga.jp",
+	"taku.saga.jp",
+	"tara.saga.jp",
+	"tosu.saga.jp",
+	"yoshinogari.saga.jp",
+	"arakawa.saitama.jp",
+	"asaka.saitama.jp",
+	"chichibu.saitama.jp",
+	"fujimi.saitama.jp",
+	"fujimino.saitama.jp",
+	"fukaya.saitama.jp",
+	"hanno.saitama.jp",
+	"hanyu.saitama.jp",
+	"hasuda.saitama.jp",
+	"hatogaya.saitama.jp",
+	"hatoyama.saitama.jp",
+	"hidaka.saitama.jp",
+	"higashichichibu.saitama.jp",
+	"higashimatsuyama.saitama.jp",
+	"honjo.saitama.jp",
+	"ina.saitama.jp",
+	"iruma.saitama.jp",
+	"iwatsuki.saitama.jp",
+	"kamiizumi.saitama.jp",
+	"kamikawa.saitama.jp",
+	"kamisato.saitama.jp",
+	"kasukabe.saitama.jp",
+	"kawagoe.saitama.jp",
+	"kawaguchi.saitama.jp",
+	"kawajima.saitama.jp",
+	"kazo.saitama.jp",
+	"kitamoto.saitama.jp",
+	"koshigaya.saitama.jp",
+	"kounosu.saitama.jp",
+	"kuki.saitama.jp",
+	"kumagaya.saitama.jp",
+	"matsubushi.saitama.jp",
+	"minano.saitama.jp",
+	"misato.saitama.jp",
+	"miyashiro.saitama.jp",
+	"miyoshi.saitama.jp",
+	"moroyama.saitama.jp",
+	"nagatoro.saitama.jp",
+	"namegawa.saitama.jp",
+	"niiza.saitama.jp",
+	"ogano.saitama.jp",
+	"ogawa.saitama.jp",
+	"ogose.saitama.jp",
+	"okegawa.saitama.jp",
+	"omiya.saitama.jp",
+	"otaki.saitama.jp",
+	"ranzan.saitama.jp",
+	"ryokami.saitama.jp",
+	"saitama.saitama.jp",
+	"sakado.saitama.jp",
+	"satte.saitama.jp",
+	"sayama.saitama.jp",
+	"shiki.saitama.jp",
+	"shiraoka.saitama.jp",
+	"soka.saitama.jp",
+	"sugito.saitama.jp",
+	"toda.saitama.jp",
+	"tokigawa.saitama.jp",
+	"tokorozawa.saitama.jp",
+	"tsurugashima.saitama.jp",
+	"urawa.saitama.jp",
+	"warabi.saitama.jp",
+	"yashio.saitama.jp",
+	"yokoze.saitama.jp",
+	"yono.saitama.jp",
+	"yorii.saitama.jp",
+	"yoshida.saitama.jp",
+	"yoshikawa.saitama.jp",
+	"yoshimi.saitama.jp",
+	"aisho.shiga.jp",
+	"gamo.shiga.jp",
+	"higashiomi.shiga.jp",
+	"hikone.shiga.jp",
+	"koka.shiga.jp",
+	"konan.shiga.jp",
+	"kosei.shiga.jp",
+	"koto.shiga.jp",
+	"kusatsu.shiga.jp",
+	"maibara.shiga.jp",
+	"moriyama.shiga.jp",
+	"nagahama.shiga.jp",
+	"nishiazai.shiga.jp",
+	"notogawa.shiga.jp",
+	"omihachiman.shiga.jp",
+	"otsu.shiga.jp",
+	"ritto.shiga.jp",
+	"ryuoh.shiga.jp",
+	"takashima.shiga.jp",
+	"takatsuki.shiga.jp",
+	"torahime.shiga.jp",
+	"toyosato.shiga.jp",
+	"yasu.shiga.jp",
+	"akagi.shimane.jp",
+	"ama.shimane.jp",
+	"gotsu.shimane.jp",
+	"hamada.shimane.jp",
+	"higashiizumo.shimane.jp",
+	"hikawa.shimane.jp",
+	"hikimi.shimane.jp",
+	"izumo.shimane.jp",
+	"kakinoki.shimane.jp",
+	"masuda.shimane.jp",
+	"matsue.shimane.jp",
+	"misato.shimane.jp",
+	"nishinoshima.shimane.jp",
+	"ohda.shimane.jp",
+	"okinoshima.shimane.jp",
+	"okuizumo.shimane.jp",
+	"shimane.shimane.jp",
+	"tamayu.shimane.jp",
+	"tsuwano.shimane.jp",
+	"unnan.shimane.jp",
+	"yakumo.shimane.jp",
+	"yasugi.shimane.jp",
+	"yatsuka.shimane.jp",
+	"arai.shizuoka.jp",
+	"atami.shizuoka.jp",
+	"fuji.shizuoka.jp",
+	"fujieda.shizuoka.jp",
+	"fujikawa.shizuoka.jp",
+	"fujinomiya.shizuoka.jp",
+	"fukuroi.shizuoka.jp",
+	"gotemba.shizuoka.jp",
+	"haibara.shizuoka.jp",
+	"hamamatsu.shizuoka.jp",
+	"higashiizu.shizuoka.jp",
+	"ito.shizuoka.jp",
+	"iwata.shizuoka.jp",
+	"izu.shizuoka.jp",
+	"izunokuni.shizuoka.jp",
+	"kakegawa.shizuoka.jp",
+	"kannami.shizuoka.jp",
+	"kawanehon.shizuoka.jp",
+	"kawazu.shizuoka.jp",
+	"kikugawa.shizuoka.jp",
+	"kosai.shizuoka.jp",
+	"makinohara.shizuoka.jp",
+	"matsuzaki.shizuoka.jp",
+	"minamiizu.shizuoka.jp",
+	"mishima.shizuoka.jp",
+	"morimachi.shizuoka.jp",
+	"nishiizu.shizuoka.jp",
+	"numazu.shizuoka.jp",
+	"omaezaki.shizuoka.jp",
+	"shimada.shizuoka.jp",
+	"shimizu.shizuoka.jp",
+	"shimoda.shizuoka.jp",
+	"shizuoka.shizuoka.jp",
+	"susono.shizuoka.jp",
+	"yaizu.shizuoka.jp",
+	"yoshida.shizuoka.jp",
+	"ashikaga.tochigi.jp",
+	"bato.tochigi.jp",
+	"haga.tochigi.jp",
+	"ichikai.tochigi.jp",
+	"iwafune.tochigi.jp",
+	"kaminokawa.tochigi.jp",
+	"kanuma.tochigi.jp",
+	"karasuyama.tochigi.jp",
+	"kuroiso.tochigi.jp",
+	"mashiko.tochigi.jp",
+	"mibu.tochigi.jp",
+	"moka.tochigi.jp",
+	"motegi.tochigi.jp",
+	"nasu.tochigi.jp",
+	"nasushiobara.tochigi.jp",
+	"nikko.tochigi.jp",
+	"nishikata.tochigi.jp",
+	"nogi.tochigi.jp",
+	"ohira.tochigi.jp",
+	"ohtawara.tochigi.jp",
+	"oyama.tochigi.jp",
+	"sakura.tochigi.jp",
+	"sano.tochigi.jp",
+	"shimotsuke.tochigi.jp",
+	"shioya.tochigi.jp",
+	"takanezawa.tochigi.jp",
+	"tochigi.tochigi.jp",
+	"tsuga.tochigi.jp",
+	"ujiie.tochigi.jp",
+	"utsunomiya.tochigi.jp",
+	"yaita.tochigi.jp",
+	"aizumi.tokushima.jp",
+	"anan.tokushima.jp",
+	"ichiba.tokushima.jp",
+	"itano.tokushima.jp",
+	"kainan.tokushima.jp",
+	"komatsushima.tokushima.jp",
+	"matsushige.tokushima.jp",
+	"mima.tokushima.jp",
+	"minami.tokushima.jp",
+	"miyoshi.tokushima.jp",
+	"mugi.tokushima.jp",
+	"nakagawa.tokushima.jp",
+	"naruto.tokushima.jp",
+	"sanagochi.tokushima.jp",
+	"shishikui.tokushima.jp",
+	"tokushima.tokushima.jp",
+	"wajiki.tokushima.jp",
+	"adachi.tokyo.jp",
+	"akiruno.tokyo.jp",
+	"akishima.tokyo.jp",
+	"aogashima.tokyo.jp",
+	"arakawa.tokyo.jp",
+	"bunkyo.tokyo.jp",
+	"chiyoda.tokyo.jp",
+	"chofu.tokyo.jp",
+	"chuo.tokyo.jp",
+	"edogawa.tokyo.jp",
+	"fuchu.tokyo.jp",
+	"fussa.tokyo.jp",
+	"hachijo.tokyo.jp",
+	"hachioji.tokyo.jp",
+	"hamura.tokyo.jp",
+	"higashikurume.tokyo.jp",
+	"higashimurayama.tokyo.jp",
+	"higashiyamato.tokyo.jp",
+	"hino.tokyo.jp",
+	"hinode.tokyo.jp",
+	"hinohara.tokyo.jp",
+	"inagi.tokyo.jp",
+	"itabashi.tokyo.jp",
+	"katsushika.tokyo.jp",
+	"kita.tokyo.jp",
+	"kiyose.tokyo.jp",
+	"kodaira.tokyo.jp",
+	"koganei.tokyo.jp",
+	"kokubunji.tokyo.jp",
+	"komae.tokyo.jp",
+	"koto.tokyo.jp",
+	"kouzushima.tokyo.jp",
+	"kunitachi.tokyo.jp",
+	"machida.tokyo.jp",
+	"meguro.tokyo.jp",
+	"minato.tokyo.jp",
+	"mitaka.tokyo.jp",
+	"mizuho.tokyo.jp",
+	"musashimurayama.tokyo.jp",
+	"musashino.tokyo.jp",
+	"nakano.tokyo.jp",
+	"nerima.tokyo.jp",
+	"ogasawara.tokyo.jp",
+	"okutama.tokyo.jp",
+	"ome.tokyo.jp",
+	"oshima.tokyo.jp",
+	"ota.tokyo.jp",
+	"setagaya.tokyo.jp",
+	"shibuya.tokyo.jp",
+	"shinagawa.tokyo.jp",
+	"shinjuku.tokyo.jp",
+	"suginami.tokyo.jp",
+	"sumida.tokyo.jp",
+	"tachikawa.tokyo.jp",
+	"taito.tokyo.jp",
+	"tama.tokyo.jp",
+	"toshima.tokyo.jp",
+	"chizu.tottori.jp",
+	"hino.tottori.jp",
+	"kawahara.tottori.jp",
+	"koge.tottori.jp",
+	"kotoura.tottori.jp",
+	"misasa.tottori.jp",
+	"nanbu.tottori.jp",
+	"nichinan.tottori.jp",
+	"sakaiminato.tottori.jp",
+	"tottori.tottori.jp",
+	"wakasa.tottori.jp",
+	"yazu.tottori.jp",
+	"yonago.tottori.jp",
+	"asahi.toyama.jp",
+	"fuchu.toyama.jp",
+	"fukumitsu.toyama.jp",
+	"funahashi.toyama.jp",
+	"himi.toyama.jp",
+	"imizu.toyama.jp",
+	"inami.toyama.jp",
+	"johana.toyama.jp",
+	"kamiichi.toyama.jp",
+	"kurobe.toyama.jp",
+	"nakaniikawa.toyama.jp",
+	"namerikawa.toyama.jp",
+	"nanto.toyama.jp",
+	"nyuzen.toyama.jp",
+	"oyabe.toyama.jp",
+	"taira.toyama.jp",
+	"takaoka.toyama.jp",
+	"tateyama.toyama.jp",
+	"toga.toyama.jp",
+	"tonami.toyama.jp",
+	"toyama.toyama.jp",
+	"unazuki.toyama.jp",
+	"uozu.toyama.jp",
+	"yamada.toyama.jp",
+	"arida.wakayama.jp",
+	"aridagawa.wakayama.jp",
+	"gobo.wakayama.jp",
+	"hashimoto.wakayama.jp",
+	"hidaka.wakayama.jp",
+	"hirogawa.wakayama.jp",
+	"inami.wakayama.jp",
+	"iwade.wakayama.jp",
+	"kainan.wakayama.jp",
+	"kamitonda.wakayama.jp",
+	"katsuragi.wakayama.jp",
+	"kimino.wakayama.jp",
+	"kinokawa.wakayama.jp",
+	"kitayama.wakayama.jp",
+	"koya.wakayama.jp",
+	"koza.wakayama.jp",
+	"kozagawa.wakayama.jp",
+	"kudoyama.wakayama.jp",
+	"kushimoto.wakayama.jp",
+	"mihama.wakayama.jp",
+	"misato.wakayama.jp",
+	"nachikatsuura.wakayama.jp",
+	"shingu.wakayama.jp",
+	"shirahama.wakayama.jp",
+	"taiji.wakayama.jp",
+	"tanabe.wakayama.jp",
+	"wakayama.wakayama.jp",
+	"yuasa.wakayama.jp",
+	"yura.wakayama.jp",
+	"asahi.yamagata.jp",
+	"funagata.yamagata.jp",
+	"higashine.yamagata.jp",
+	"iide.yamagata.jp",
+	"kahoku.yamagata.jp",
+	"kaminoyama.yamagata.jp",
+	"kaneyama.yamagata.jp",
+	"kawanishi.yamagata.jp",
+	"mamurogawa.yamagata.jp",
+	"mikawa.yamagata.jp",
+	"murayama.yamagata.jp",
+	"nagai.yamagata.jp",
+	"nakayama.yamagata.jp",
+	"nanyo.yamagata.jp",
+	"nishikawa.yamagata.jp",
+	"obanazawa.yamagata.jp",
+	"oe.yamagata.jp",
+	"oguni.yamagata.jp",
+	"ohkura.yamagata.jp",
+	"oishida.yamagata.jp",
+	"sagae.yamagata.jp",
+	"sakata.yamagata.jp",
+	"sakegawa.yamagata.jp",
+	"shinjo.yamagata.jp",
+	"shirataka.yamagata.jp",
+	"shonai.yamagata.jp",
+	"takahata.yamagata.jp",
+	"tendo.yamagata.jp",
+	"tozawa.yamagata.jp",
+	"tsuruoka.yamagata.jp",
+	"yamagata.yamagata.jp",
+	"yamanobe.yamagata.jp",
+	"yonezawa.yamagata.jp",
+	"yuza.yamagata.jp",
+	"abu.yamaguchi.jp",
+	"hagi.yamaguchi.jp",
+	"hikari.yamaguchi.jp",
+	"hofu.yamaguchi.jp",
+	"iwakuni.yamaguchi.jp",
+	"kudamatsu.yamaguchi.jp",
+	"mitou.yamaguchi.jp",
+	"nagato.yamaguchi.jp",
+	"oshima.yamaguchi.jp",
+	"shimonoseki.yamaguchi.jp",
+	"shunan.yamaguchi.jp",
+	"tabuse.yamaguchi.jp",
+	"tokuyama.yamaguchi.jp",
+	"toyota.yamaguchi.jp",
+	"ube.yamaguchi.jp",
+	"yuu.yamaguchi.jp",
+	"chuo.yamanashi.jp",
+	"doshi.yamanashi.jp",
+	"fuefuki.yamanashi.jp",
+	"fujikawa.yamanashi.jp",
+	"fujikawaguchiko.yamanashi.jp",
+	"fujiyoshida.yamanashi.jp",
+	"hayakawa.yamanashi.jp",
+	"hokuto.yamanashi.jp",
+	"ichikawamisato.yamanashi.jp",
+	"kai.yamanashi.jp",
+	"kofu.yamanashi.jp",
+	"koshu.yamanashi.jp",
+	"kosuge.yamanashi.jp",
+	"minami-alps.yamanashi.jp",
+	"minobu.yamanashi.jp",
+	"nakamichi.yamanashi.jp",
+	"nanbu.yamanashi.jp",
+	"narusawa.yamanashi.jp",
+	"nirasaki.yamanashi.jp",
+	"nishikatsura.yamanashi.jp",
+	"oshino.yamanashi.jp",
+	"otsuki.yamanashi.jp",
+	"showa.yamanashi.jp",
+	"tabayama.yamanashi.jp",
+	"tsuru.yamanashi.jp",
+	"uenohara.yamanashi.jp",
+	"yamanakako.yamanashi.jp",
+	"yamanashi.yamanashi.jp",
+	"*.ke",
+	"kg",
+	"org.kg",
+	"net.kg",
+	"com.kg",
+	"edu.kg",
+	"gov.kg",
+	"mil.kg",
+	"*.kh",
+	"ki",
+	"edu.ki",
+	"biz.ki",
+	"net.ki",
+	"org.ki",
+	"gov.ki",
+	"info.ki",
+	"com.ki",
+	"km",
+	"org.km",
+	"nom.km",
+	"gov.km",
+	"prd.km",
+	"tm.km",
+	"edu.km",
+	"mil.km",
+	"ass.km",
+	"com.km",
+	"coop.km",
+	"asso.km",
+	"presse.km",
+	"medecin.km",
+	"notaires.km",
+	"pharmaciens.km",
+	"veterinaire.km",
+	"gouv.km",
+	"kn",
+	"net.kn",
+	"org.kn",
+	"edu.kn",
+	"gov.kn",
+	"kp",
+	"com.kp",
+	"edu.kp",
+	"gov.kp",
+	"org.kp",
+	"rep.kp",
+	"tra.kp",
+	"kr",
+	"ac.kr",
+	"co.kr",
+	"es.kr",
+	"go.kr",
+	"hs.kr",
+	"kg.kr",
+	"mil.kr",
+	"ms.kr",
+	"ne.kr",
+	"or.kr",
+	"pe.kr",
+	"re.kr",
+	"sc.kr",
+	"busan.kr",
+	"chungbuk.kr",
+	"chungnam.kr",
+	"daegu.kr",
+	"daejeon.kr",
+	"gangwon.kr",
+	"gwangju.kr",
+	"gyeongbuk.kr",
+	"gyeonggi.kr",
+	"gyeongnam.kr",
+	"incheon.kr",
+	"jeju.kr",
+	"jeonbuk.kr",
+	"jeonnam.kr",
+	"seoul.kr",
+	"ulsan.kr",
+	"*.kw",
+	"ky",
+	"edu.ky",
+	"gov.ky",
+	"com.ky",
+	"org.ky",
+	"net.ky",
+	"kz",
+	"org.kz",
+	"edu.kz",
+	"net.kz",
+	"gov.kz",
+	"mil.kz",
+	"com.kz",
+	"la",
+	"int.la",
+	"net.la",
+	"info.la",
+	"edu.la",
+	"gov.la",
+	"per.la",
+	"com.la",
+	"org.la",
+	"lb",
+	"com.lb",
+	"edu.lb",
+	"gov.lb",
+	"net.lb",
+	"org.lb",
+	"lc",
+	"com.lc",
+	"net.lc",
+	"co.lc",
+	"org.lc",
+	"edu.lc",
+	"gov.lc",
+	"li",
+	"lk",
+	"gov.lk",
+	"sch.lk",
+	"net.lk",
+	"int.lk",
+	"com.lk",
+	"org.lk",
+	"edu.lk",
+	"ngo.lk",
+	"soc.lk",
+	"web.lk",
+	"ltd.lk",
+	"assn.lk",
+	"grp.lk",
+	"hotel.lk",
+	"ac.lk",
+	"lr",
+	"com.lr",
+	"edu.lr",
+	"gov.lr",
+	"org.lr",
+	"net.lr",
+	"ls",
+	"co.ls",
+	"org.ls",
+	"lt",
+	"gov.lt",
+	"lu",
+	"lv",
+	"com.lv",
+	"edu.lv",
+	"gov.lv",
+	"org.lv",
+	"mil.lv",
+	"id.lv",
+	"net.lv",
+	"asn.lv",
+	"conf.lv",
+	"ly",
+	"com.ly",
+	"net.ly",
+	"gov.ly",
+	"plc.ly",
+	"edu.ly",
+	"sch.ly",
+	"med.ly",
+	"org.ly",
+	"id.ly",
+	"ma",
+	"co.ma",
+	"net.ma",
+	"gov.ma",
+	"org.ma",
+	"ac.ma",
+	"press.ma",
+	"mc",
+	"tm.mc",
+	"asso.mc",
+	"md",
+	"me",
+	"co.me",
+	"net.me",
+	"org.me",
+	"edu.me",
+	"ac.me",
+	"gov.me",
+	"its.me",
+	"priv.me",
+	"mg",
+	"org.mg",
+	"nom.mg",
+	"gov.mg",
+	"prd.mg",
+	"tm.mg",
+	"edu.mg",
+	"mil.mg",
+	"com.mg",
+	"co.mg",
+	"mh",
+	"mil",
+	"mk",
+	"com.mk",
+	"org.mk",
+	"net.mk",
+	"edu.mk",
+	"gov.mk",
+	"inf.mk",
+	"name.mk",
+	"ml",
+	"com.ml",
+	"edu.ml",
+	"gouv.ml",
+	"gov.ml",
+	"net.ml",
+	"org.ml",
+	"presse.ml",
+	"*.mm",
+	"mn",
+	"gov.mn",
+	"edu.mn",
+	"org.mn",
+	"mo",
+	"com.mo",
+	"net.mo",
+	"org.mo",
+	"edu.mo",
+	"gov.mo",
+	"mobi",
+	"mp",
+	"mq",
+	"mr",
+	"gov.mr",
+	"ms",
+	"com.ms",
+	"edu.ms",
+	"gov.ms",
+	"net.ms",
+	"org.ms",
+	"mt",
+	"com.mt",
+	"edu.mt",
+	"net.mt",
+	"org.mt",
+	"mu",
+	"com.mu",
+	"net.mu",
+	"org.mu",
+	"gov.mu",
+	"ac.mu",
+	"co.mu",
+	"or.mu",
+	"museum",
+	"academy.museum",
+	"agriculture.museum",
+	"air.museum",
+	"airguard.museum",
+	"alabama.museum",
+	"alaska.museum",
+	"amber.museum",
+	"ambulance.museum",
+	"american.museum",
+	"americana.museum",
+	"americanantiques.museum",
+	"americanart.museum",
+	"amsterdam.museum",
+	"and.museum",
+	"annefrank.museum",
+	"anthro.museum",
+	"anthropology.museum",
+	"antiques.museum",
+	"aquarium.museum",
+	"arboretum.museum",
+	"archaeological.museum",
+	"archaeology.museum",
+	"architecture.museum",
+	"art.museum",
+	"artanddesign.museum",
+	"artcenter.museum",
+	"artdeco.museum",
+	"arteducation.museum",
+	"artgallery.museum",
+	"arts.museum",
+	"artsandcrafts.museum",
+	"asmatart.museum",
+	"assassination.museum",
+	"assisi.museum",
+	"association.museum",
+	"astronomy.museum",
+	"atlanta.museum",
+	"austin.museum",
+	"australia.museum",
+	"automotive.museum",
+	"aviation.museum",
+	"axis.museum",
+	"badajoz.museum",
+	"baghdad.museum",
+	"bahn.museum",
+	"bale.museum",
+	"baltimore.museum",
+	"barcelona.museum",
+	"baseball.museum",
+	"basel.museum",
+	"baths.museum",
+	"bauern.museum",
+	"beauxarts.museum",
+	"beeldengeluid.museum",
+	"bellevue.museum",
+	"bergbau.museum",
+	"berkeley.museum",
+	"berlin.museum",
+	"bern.museum",
+	"bible.museum",
+	"bilbao.museum",
+	"bill.museum",
+	"birdart.museum",
+	"birthplace.museum",
+	"bonn.museum",
+	"boston.museum",
+	"botanical.museum",
+	"botanicalgarden.museum",
+	"botanicgarden.museum",
+	"botany.museum",
+	"brandywinevalley.museum",
+	"brasil.museum",
+	"bristol.museum",
+	"british.museum",
+	"britishcolumbia.museum",
+	"broadcast.museum",
+	"brunel.museum",
+	"brussel.museum",
+	"brussels.museum",
+	"bruxelles.museum",
+	"building.museum",
+	"burghof.museum",
+	"bus.museum",
+	"bushey.museum",
+	"cadaques.museum",
+	"california.museum",
+	"cambridge.museum",
+	"can.museum",
+	"canada.museum",
+	"capebreton.museum",
+	"carrier.museum",
+	"cartoonart.museum",
+	"casadelamoneda.museum",
+	"castle.museum",
+	"castres.museum",
+	"celtic.museum",
+	"center.museum",
+	"chattanooga.museum",
+	"cheltenham.museum",
+	"chesapeakebay.museum",
+	"chicago.museum",
+	"children.museum",
+	"childrens.museum",
+	"childrensgarden.museum",
+	"chiropractic.museum",
+	"chocolate.museum",
+	"christiansburg.museum",
+	"cincinnati.museum",
+	"cinema.museum",
+	"circus.museum",
+	"civilisation.museum",
+	"civilization.museum",
+	"civilwar.museum",
+	"clinton.museum",
+	"clock.museum",
+	"coal.museum",
+	"coastaldefence.museum",
+	"cody.museum",
+	"coldwar.museum",
+	"collection.museum",
+	"colonialwilliamsburg.museum",
+	"coloradoplateau.museum",
+	"columbia.museum",
+	"columbus.museum",
+	"communication.museum",
+	"communications.museum",
+	"community.museum",
+	"computer.museum",
+	"computerhistory.museum",
+	"xn--comunicaes-v6a2o.museum",
+	"contemporary.museum",
+	"contemporaryart.museum",
+	"convent.museum",
+	"copenhagen.museum",
+	"corporation.museum",
+	"xn--correios-e-telecomunicaes-ghc29a.museum",
+	"corvette.museum",
+	"costume.museum",
+	"countryestate.museum",
+	"county.museum",
+	"crafts.museum",
+	"cranbrook.museum",
+	"creation.museum",
+	"cultural.museum",
+	"culturalcenter.museum",
+	"culture.museum",
+	"cyber.museum",
+	"cymru.museum",
+	"dali.museum",
+	"dallas.museum",
+	"database.museum",
+	"ddr.museum",
+	"decorativearts.museum",
+	"delaware.museum",
+	"delmenhorst.museum",
+	"denmark.museum",
+	"depot.museum",
+	"design.museum",
+	"detroit.museum",
+	"dinosaur.museum",
+	"discovery.museum",
+	"dolls.museum",
+	"donostia.museum",
+	"durham.museum",
+	"eastafrica.museum",
+	"eastcoast.museum",
+	"education.museum",
+	"educational.museum",
+	"egyptian.museum",
+	"eisenbahn.museum",
+	"elburg.museum",
+	"elvendrell.museum",
+	"embroidery.museum",
+	"encyclopedic.museum",
+	"england.museum",
+	"entomology.museum",
+	"environment.museum",
+	"environmentalconservation.museum",
+	"epilepsy.museum",
+	"essex.museum",
+	"estate.museum",
+	"ethnology.museum",
+	"exeter.museum",
+	"exhibition.museum",
+	"family.museum",
+	"farm.museum",
+	"farmequipment.museum",
+	"farmers.museum",
+	"farmstead.museum",
+	"field.museum",
+	"figueres.museum",
+	"filatelia.museum",
+	"film.museum",
+	"fineart.museum",
+	"finearts.museum",
+	"finland.museum",
+	"flanders.museum",
+	"florida.museum",
+	"force.museum",
+	"fortmissoula.museum",
+	"fortworth.museum",
+	"foundation.museum",
+	"francaise.museum",
+	"frankfurt.museum",
+	"franziskaner.museum",
+	"freemasonry.museum",
+	"freiburg.museum",
+	"fribourg.museum",
+	"frog.museum",
+	"fundacio.museum",
+	"furniture.museum",
+	"gallery.museum",
+	"garden.museum",
+	"gateway.museum",
+	"geelvinck.museum",
+	"gemological.museum",
+	"geology.museum",
+	"georgia.museum",
+	"giessen.museum",
+	"glas.museum",
+	"glass.museum",
+	"gorge.museum",
+	"grandrapids.museum",
+	"graz.museum",
+	"guernsey.museum",
+	"halloffame.museum",
+	"hamburg.museum",
+	"handson.museum",
+	"harvestcelebration.museum",
+	"hawaii.museum",
+	"health.museum",
+	"heimatunduhren.museum",
+	"hellas.museum",
+	"helsinki.museum",
+	"hembygdsforbund.museum",
+	"heritage.museum",
+	"histoire.museum",
+	"historical.museum",
+	"historicalsociety.museum",
+	"historichouses.museum",
+	"historisch.museum",
+	"historisches.museum",
+	"history.museum",
+	"historyofscience.museum",
+	"horology.museum",
+	"house.museum",
+	"humanities.museum",
+	"illustration.museum",
+	"imageandsound.museum",
+	"indian.museum",
+	"indiana.museum",
+	"indianapolis.museum",
+	"indianmarket.museum",
+	"intelligence.museum",
+	"interactive.museum",
+	"iraq.museum",
+	"iron.museum",
+	"isleofman.museum",
+	"jamison.museum",
+	"jefferson.museum",
+	"jerusalem.museum",
+	"jewelry.museum",
+	"jewish.museum",
+	"jewishart.museum",
+	"jfk.museum",
+	"journalism.museum",
+	"judaica.museum",
+	"judygarland.museum",
+	"juedisches.museum",
+	"juif.museum",
+	"karate.museum",
+	"karikatur.museum",
+	"kids.museum",
+	"koebenhavn.museum",
+	"koeln.museum",
+	"kunst.museum",
+	"kunstsammlung.museum",
+	"kunstunddesign.museum",
+	"labor.museum",
+	"labour.museum",
+	"lajolla.museum",
+	"lancashire.museum",
+	"landes.museum",
+	"lans.museum",
+	"xn--lns-qla.museum",
+	"larsson.museum",
+	"lewismiller.museum",
+	"lincoln.museum",
+	"linz.museum",
+	"living.museum",
+	"livinghistory.museum",
+	"localhistory.museum",
+	"london.museum",
+	"losangeles.museum",
+	"louvre.museum",
+	"loyalist.museum",
+	"lucerne.museum",
+	"luxembourg.museum",
+	"luzern.museum",
+	"mad.museum",
+	"madrid.museum",
+	"mallorca.museum",
+	"manchester.museum",
+	"mansion.museum",
+	"mansions.museum",
+	"manx.museum",
+	"marburg.museum",
+	"maritime.museum",
+	"maritimo.museum",
+	"maryland.museum",
+	"marylhurst.museum",
+	"media.museum",
+	"medical.museum",
+	"medizinhistorisches.museum",
+	"meeres.museum",
+	"memorial.museum",
+	"mesaverde.museum",
+	"michigan.museum",
+	"midatlantic.museum",
+	"military.museum",
+	"mill.museum",
+	"miners.museum",
+	"mining.museum",
+	"minnesota.museum",
+	"missile.museum",
+	"missoula.museum",
+	"modern.museum",
+	"moma.museum",
+	"money.museum",
+	"monmouth.museum",
+	"monticello.museum",
+	"montreal.museum",
+	"moscow.museum",
+	"motorcycle.museum",
+	"muenchen.museum",
+	"muenster.museum",
+	"mulhouse.museum",
+	"muncie.museum",
+	"museet.museum",
+	"museumcenter.museum",
+	"museumvereniging.museum",
+	"music.museum",
+	"national.museum",
+	"nationalfirearms.museum",
+	"nationalheritage.museum",
+	"nativeamerican.museum",
+	"naturalhistory.museum",
+	"naturalhistorymuseum.museum",
+	"naturalsciences.museum",
+	"nature.museum",
+	"naturhistorisches.museum",
+	"natuurwetenschappen.museum",
+	"naumburg.museum",
+	"naval.museum",
+	"nebraska.museum",
+	"neues.museum",
+	"newhampshire.museum",
+	"newjersey.museum",
+	"newmexico.museum",
+	"newport.museum",
+	"newspaper.museum",
+	"newyork.museum",
+	"niepce.museum",
+	"norfolk.museum",
+	"north.museum",
+	"nrw.museum",
+	"nuernberg.museum",
+	"nuremberg.museum",
+	"nyc.museum",
+	"nyny.museum",
+	"oceanographic.museum",
+	"oceanographique.museum",
+	"omaha.museum",
+	"online.museum",
+	"ontario.museum",
+	"openair.museum",
+	"oregon.museum",
+	"oregontrail.museum",
+	"otago.museum",
+	"oxford.museum",
+	"pacific.museum",
+	"paderborn.museum",
+	"palace.museum",
+	"paleo.museum",
+	"palmsprings.museum",
+	"panama.museum",
+	"paris.museum",
+	"pasadena.museum",
+	"pharmacy.museum",
+	"philadelphia.museum",
+	"philadelphiaarea.museum",
+	"philately.museum",
+	"phoenix.museum",
+	"photography.museum",
+	"pilots.museum",
+	"pittsburgh.museum",
+	"planetarium.museum",
+	"plantation.museum",
+	"plants.museum",
+	"plaza.museum",
+	"portal.museum",
+	"portland.museum",
+	"portlligat.museum",
+	"posts-and-telecommunications.museum",
+	"preservation.museum",
+	"presidio.museum",
+	"press.museum",
+	"project.museum",
+	"public.museum",
+	"pubol.museum",
+	"quebec.museum",
+	"railroad.museum",
+	"railway.museum",
+	"research.museum",
+	"resistance.museum",
+	"riodejaneiro.museum",
+	"rochester.museum",
+	"rockart.museum",
+	"roma.museum",
+	"russia.museum",
+	"saintlouis.museum",
+	"salem.museum",
+	"salvadordali.museum",
+	"salzburg.museum",
+	"sandiego.museum",
+	"sanfrancisco.museum",
+	"santabarbara.museum",
+	"santacruz.museum",
+	"santafe.museum",
+	"saskatchewan.museum",
+	"satx.museum",
+	"savannahga.museum",
+	"schlesisches.museum",
+	"schoenbrunn.museum",
+	"schokoladen.museum",
+	"school.museum",
+	"schweiz.museum",
+	"science.museum",
+	"scienceandhistory.museum",
+	"scienceandindustry.museum",
+	"sciencecenter.museum",
+	"sciencecenters.museum",
+	"science-fiction.museum",
+	"sciencehistory.museum",
+	"sciences.museum",
+	"sciencesnaturelles.museum",
+	"scotland.museum",
+	"seaport.museum",
+	"settlement.museum",
+	"settlers.museum",
+	"shell.museum",
+	"sherbrooke.museum",
+	"sibenik.museum",
+	"silk.museum",
+	"ski.museum",
+	"skole.museum",
+	"society.museum",
+	"sologne.museum",
+	"soundandvision.museum",
+	"southcarolina.museum",
+	"southwest.museum",
+	"space.museum",
+	"spy.museum",
+	"square.museum",
+	"stadt.museum",
+	"stalbans.museum",
+	"starnberg.museum",
+	"state.museum",
+	"stateofdelaware.museum",
+	"station.museum",
+	"steam.museum",
+	"steiermark.museum",
+	"stjohn.museum",
+	"stockholm.museum",
+	"stpetersburg.museum",
+	"stuttgart.museum",
+	"suisse.museum",
+	"surgeonshall.museum",
+	"surrey.museum",
+	"svizzera.museum",
+	"sweden.museum",
+	"sydney.museum",
+	"tank.museum",
+	"tcm.museum",
+	"technology.museum",
+	"telekommunikation.museum",
+	"television.museum",
+	"texas.museum",
+	"textile.museum",
+	"theater.museum",
+	"time.museum",
+	"timekeeping.museum",
+	"topology.museum",
+	"torino.museum",
+	"touch.museum",
+	"town.museum",
+	"transport.museum",
+	"tree.museum",
+	"trolley.museum",
+	"trust.museum",
+	"trustee.museum",
+	"uhren.museum",
+	"ulm.museum",
+	"undersea.museum",
+	"university.museum",
+	"usa.museum",
+	"usantiques.museum",
+	"usarts.museum",
+	"uscountryestate.museum",
+	"usculture.museum",
+	"usdecorativearts.museum",
+	"usgarden.museum",
+	"ushistory.museum",
+	"ushuaia.museum",
+	"uslivinghistory.museum",
+	"utah.museum",
+	"uvic.museum",
+	"valley.museum",
+	"vantaa.museum",
+	"versailles.museum",
+	"viking.museum",
+	"village.museum",
+	"virginia.museum",
+	"virtual.museum",
+	"virtuel.museum",
+	"vlaanderen.museum",
+	"volkenkunde.museum",
+	"wales.museum",
+	"wallonie.museum",
+	"war.museum",
+	"washingtondc.museum",
+	"watchandclock.museum",
+	"watch-and-clock.museum",
+	"western.museum",
+	"westfalen.museum",
+	"whaling.museum",
+	"wildlife.museum",
+	"williamsburg.museum",
+	"windmill.museum",
+	"workshop.museum",
+	"york.museum",
+	"yorkshire.museum",
+	"yosemite.museum",
+	"youth.museum",
+	"zoological.museum",
+	"zoology.museum",
+	"xn--9dbhblg6di.museum",
+	"xn--h1aegh.museum",
+	"mv",
+	"aero.mv",
+	"biz.mv",
+	"com.mv",
+	"coop.mv",
+	"edu.mv",
+	"gov.mv",
+	"info.mv",
+	"int.mv",
+	"mil.mv",
+	"museum.mv",
+	"name.mv",
+	"net.mv",
+	"org.mv",
+	"pro.mv",
+	"mw",
+	"ac.mw",
+	"biz.mw",
+	"co.mw",
+	"com.mw",
+	"coop.mw",
+	"edu.mw",
+	"gov.mw",
+	"int.mw",
+	"museum.mw",
+	"net.mw",
+	"org.mw",
+	"mx",
+	"com.mx",
+	"org.mx",
+	"gob.mx",
+	"edu.mx",
+	"net.mx",
+	"my",
+	"com.my",
+	"net.my",
+	"org.my",
+	"gov.my",
+	"edu.my",
+	"mil.my",
+	"name.my",
+	"mz",
+	"ac.mz",
+	"adv.mz",
+	"co.mz",
+	"edu.mz",
+	"gov.mz",
+	"mil.mz",
+	"net.mz",
+	"org.mz",
+	"na",
+	"info.na",
+	"pro.na",
+	"name.na",
+	"school.na",
+	"or.na",
+	"dr.na",
+	"us.na",
+	"mx.na",
+	"ca.na",
+	"in.na",
+	"cc.na",
+	"tv.na",
+	"ws.na",
+	"mobi.na",
+	"co.na",
+	"com.na",
+	"org.na",
+	"name",
+	"nc",
+	"asso.nc",
+	"nom.nc",
+	"ne",
+	"net",
+	"nf",
+	"com.nf",
+	"net.nf",
+	"per.nf",
+	"rec.nf",
+	"web.nf",
+	"arts.nf",
+	"firm.nf",
+	"info.nf",
+	"other.nf",
+	"store.nf",
+	"ng",
+	"com.ng",
+	"edu.ng",
+	"gov.ng",
+	"i.ng",
+	"mil.ng",
+	"mobi.ng",
+	"name.ng",
+	"net.ng",
+	"org.ng",
+	"sch.ng",
+	"ni",
+	"ac.ni",
+	"biz.ni",
+	"co.ni",
+	"com.ni",
+	"edu.ni",
+	"gob.ni",
+	"in.ni",
+	"info.ni",
+	"int.ni",
+	"mil.ni",
+	"net.ni",
+	"nom.ni",
+	"org.ni",
+	"web.ni",
+	"nl",
+	"bv.nl",
+	"no",
+	"fhs.no",
+	"vgs.no",
+	"fylkesbibl.no",
+	"folkebibl.no",
+	"museum.no",
+	"idrett.no",
+	"priv.no",
+	"mil.no",
+	"stat.no",
+	"dep.no",
+	"kommune.no",
+	"herad.no",
+	"aa.no",
+	"ah.no",
+	"bu.no",
+	"fm.no",
+	"hl.no",
+	"hm.no",
+	"jan-mayen.no",
+	"mr.no",
+	"nl.no",
+	"nt.no",
+	"of.no",
+	"ol.no",
+	"oslo.no",
+	"rl.no",
+	"sf.no",
+	"st.no",
+	"svalbard.no",
+	"tm.no",
+	"tr.no",
+	"va.no",
+	"vf.no",
+	"gs.aa.no",
+	"gs.ah.no",
+	"gs.bu.no",
+	"gs.fm.no",
+	"gs.hl.no",
+	"gs.hm.no",
+	"gs.jan-mayen.no",
+	"gs.mr.no",
+	"gs.nl.no",
+	"gs.nt.no",
+	"gs.of.no",
+	"gs.ol.no",
+	"gs.oslo.no",
+	"gs.rl.no",
+	"gs.sf.no",
+	"gs.st.no",
+	"gs.svalbard.no",
+	"gs.tm.no",
+	"gs.tr.no",
+	"gs.va.no",
+	"gs.vf.no",
+	"akrehamn.no",
+	"xn--krehamn-dxa.no",
+	"algard.no",
+	"xn--lgrd-poac.no",
+	"arna.no",
+	"brumunddal.no",
+	"bryne.no",
+	"bronnoysund.no",
+	"xn--brnnysund-m8ac.no",
+	"drobak.no",
+	"xn--drbak-wua.no",
+	"egersund.no",
+	"fetsund.no",
+	"floro.no",
+	"xn--flor-jra.no",
+	"fredrikstad.no",
+	"hokksund.no",
+	"honefoss.no",
+	"xn--hnefoss-q1a.no",
+	"jessheim.no",
+	"jorpeland.no",
+	"xn--jrpeland-54a.no",
+	"kirkenes.no",
+	"kopervik.no",
+	"krokstadelva.no",
+	"langevag.no",
+	"xn--langevg-jxa.no",
+	"leirvik.no",
+	"mjondalen.no",
+	"xn--mjndalen-64a.no",
+	"mo-i-rana.no",
+	"mosjoen.no",
+	"xn--mosjen-eya.no",
+	"nesoddtangen.no",
+	"orkanger.no",
+	"osoyro.no",
+	"xn--osyro-wua.no",
+	"raholt.no",
+	"xn--rholt-mra.no",
+	"sandnessjoen.no",
+	"xn--sandnessjen-ogb.no",
+	"skedsmokorset.no",
+	"slattum.no",
+	"spjelkavik.no",
+	"stathelle.no",
+	"stavern.no",
+	"stjordalshalsen.no",
+	"xn--stjrdalshalsen-sqb.no",
+	"tananger.no",
+	"tranby.no",
+	"vossevangen.no",
+	"afjord.no",
+	"xn--fjord-lra.no",
+	"agdenes.no",
+	"al.no",
+	"xn--l-1fa.no",
+	"alesund.no",
+	"xn--lesund-hua.no",
+	"alstahaug.no",
+	"alta.no",
+	"xn--lt-liac.no",
+	"alaheadju.no",
+	"xn--laheadju-7ya.no",
+	"alvdal.no",
+	"amli.no",
+	"xn--mli-tla.no",
+	"amot.no",
+	"xn--mot-tla.no",
+	"andebu.no",
+	"andoy.no",
+	"xn--andy-ira.no",
+	"andasuolo.no",
+	"ardal.no",
+	"xn--rdal-poa.no",
+	"aremark.no",
+	"arendal.no",
+	"xn--s-1fa.no",
+	"aseral.no",
+	"xn--seral-lra.no",
+	"asker.no",
+	"askim.no",
+	"askvoll.no",
+	"askoy.no",
+	"xn--asky-ira.no",
+	"asnes.no",
+	"xn--snes-poa.no",
+	"audnedaln.no",
+	"aukra.no",
+	"aure.no",
+	"aurland.no",
+	"aurskog-holand.no",
+	"xn--aurskog-hland-jnb.no",
+	"austevoll.no",
+	"austrheim.no",
+	"averoy.no",
+	"xn--avery-yua.no",
+	"balestrand.no",
+	"ballangen.no",
+	"balat.no",
+	"xn--blt-elab.no",
+	"balsfjord.no",
+	"bahccavuotna.no",
+	"xn--bhccavuotna-k7a.no",
+	"bamble.no",
+	"bardu.no",
+	"beardu.no",
+	"beiarn.no",
+	"bajddar.no",
+	"xn--bjddar-pta.no",
+	"baidar.no",
+	"xn--bidr-5nac.no",
+	"berg.no",
+	"bergen.no",
+	"berlevag.no",
+	"xn--berlevg-jxa.no",
+	"bearalvahki.no",
+	"xn--bearalvhki-y4a.no",
+	"bindal.no",
+	"birkenes.no",
+	"bjarkoy.no",
+	"xn--bjarky-fya.no",
+	"bjerkreim.no",
+	"bjugn.no",
+	"bodo.no",
+	"xn--bod-2na.no",
+	"badaddja.no",
+	"xn--bdddj-mrabd.no",
+	"budejju.no",
+	"bokn.no",
+	"bremanger.no",
+	"bronnoy.no",
+	"xn--brnny-wuac.no",
+	"bygland.no",
+	"bykle.no",
+	"barum.no",
+	"xn--brum-voa.no",
+	"bo.telemark.no",
+	"xn--b-5ga.telemark.no",
+	"bo.nordland.no",
+	"xn--b-5ga.nordland.no",
+	"bievat.no",
+	"xn--bievt-0qa.no",
+	"bomlo.no",
+	"xn--bmlo-gra.no",
+	"batsfjord.no",
+	"xn--btsfjord-9za.no",
+	"bahcavuotna.no",
+	"xn--bhcavuotna-s4a.no",
+	"dovre.no",
+	"drammen.no",
+	"drangedal.no",
+	"dyroy.no",
+	"xn--dyry-ira.no",
+	"donna.no",
+	"xn--dnna-gra.no",
+	"eid.no",
+	"eidfjord.no",
+	"eidsberg.no",
+	"eidskog.no",
+	"eidsvoll.no",
+	"eigersund.no",
+	"elverum.no",
+	"enebakk.no",
+	"engerdal.no",
+	"etne.no",
+	"etnedal.no",
+	"evenes.no",
+	"evenassi.no",
+	"xn--eveni-0qa01ga.no",
+	"evje-og-hornnes.no",
+	"farsund.no",
+	"fauske.no",
+	"fuossko.no",
+	"fuoisku.no",
+	"fedje.no",
+	"fet.no",
+	"finnoy.no",
+	"xn--finny-yua.no",
+	"fitjar.no",
+	"fjaler.no",
+	"fjell.no",
+	"flakstad.no",
+	"flatanger.no",
+	"flekkefjord.no",
+	"flesberg.no",
+	"flora.no",
+	"fla.no",
+	"xn--fl-zia.no",
+	"folldal.no",
+	"forsand.no",
+	"fosnes.no",
+	"frei.no",
+	"frogn.no",
+	"froland.no",
+	"frosta.no",
+	"frana.no",
+	"xn--frna-woa.no",
+	"froya.no",
+	"xn--frya-hra.no",
+	"fusa.no",
+	"fyresdal.no",
+	"forde.no",
+	"xn--frde-gra.no",
+	"gamvik.no",
+	"gangaviika.no",
+	"xn--ggaviika-8ya47h.no",
+	"gaular.no",
+	"gausdal.no",
+	"gildeskal.no",
+	"xn--gildeskl-g0a.no",
+	"giske.no",
+	"gjemnes.no",
+	"gjerdrum.no",
+	"gjerstad.no",
+	"gjesdal.no",
+	"gjovik.no",
+	"xn--gjvik-wua.no",
+	"gloppen.no",
+	"gol.no",
+	"gran.no",
+	"grane.no",
+	"granvin.no",
+	"gratangen.no",
+	"grimstad.no",
+	"grong.no",
+	"kraanghke.no",
+	"xn--kranghke-b0a.no",
+	"grue.no",
+	"gulen.no",
+	"hadsel.no",
+	"halden.no",
+	"halsa.no",
+	"hamar.no",
+	"hamaroy.no",
+	"habmer.no",
+	"xn--hbmer-xqa.no",
+	"hapmir.no",
+	"xn--hpmir-xqa.no",
+	"hammerfest.no",
+	"hammarfeasta.no",
+	"xn--hmmrfeasta-s4ac.no",
+	"haram.no",
+	"hareid.no",
+	"harstad.no",
+	"hasvik.no",
+	"aknoluokta.no",
+	"xn--koluokta-7ya57h.no",
+	"hattfjelldal.no",
+	"aarborte.no",
+	"haugesund.no",
+	"hemne.no",
+	"hemnes.no",
+	"hemsedal.no",
+	"heroy.more-og-romsdal.no",
+	"xn--hery-ira.xn--mre-og-romsdal-qqb.no",
+	"heroy.nordland.no",
+	"xn--hery-ira.nordland.no",
+	"hitra.no",
+	"hjartdal.no",
+	"hjelmeland.no",
+	"hobol.no",
+	"xn--hobl-ira.no",
+	"hof.no",
+	"hol.no",
+	"hole.no",
+	"holmestrand.no",
+	"holtalen.no",
+	"xn--holtlen-hxa.no",
+	"hornindal.no",
+	"horten.no",
+	"hurdal.no",
+	"hurum.no",
+	"hvaler.no",
+	"hyllestad.no",
+	"hagebostad.no",
+	"xn--hgebostad-g3a.no",
+	"hoyanger.no",
+	"xn--hyanger-q1a.no",
+	"hoylandet.no",
+	"xn--hylandet-54a.no",
+	"ha.no",
+	"xn--h-2fa.no",
+	"ibestad.no",
+	"inderoy.no",
+	"xn--indery-fya.no",
+	"iveland.no",
+	"jevnaker.no",
+	"jondal.no",
+	"jolster.no",
+	"xn--jlster-bya.no",
+	"karasjok.no",
+	"karasjohka.no",
+	"xn--krjohka-hwab49j.no",
+	"karlsoy.no",
+	"galsa.no",
+	"xn--gls-elac.no",
+	"karmoy.no",
+	"xn--karmy-yua.no",
+	"kautokeino.no",
+	"guovdageaidnu.no",
+	"klepp.no",
+	"klabu.no",
+	"xn--klbu-woa.no",
+	"kongsberg.no",
+	"kongsvinger.no",
+	"kragero.no",
+	"xn--krager-gya.no",
+	"kristiansand.no",
+	"kristiansund.no",
+	"krodsherad.no",
+	"xn--krdsherad-m8a.no",
+	"kvalsund.no",
+	"rahkkeravju.no",
+	"xn--rhkkervju-01af.no",
+	"kvam.no",
+	"kvinesdal.no",
+	"kvinnherad.no",
+	"kviteseid.no",
+	"kvitsoy.no",
+	"xn--kvitsy-fya.no",
+	"kvafjord.no",
+	"xn--kvfjord-nxa.no",
+	"giehtavuoatna.no",
+	"kvanangen.no",
+	"xn--kvnangen-k0a.no",
+	"navuotna.no",
+	"xn--nvuotna-hwa.no",
+	"kafjord.no",
+	"xn--kfjord-iua.no",
+	"gaivuotna.no",
+	"xn--givuotna-8ya.no",
+	"larvik.no",
+	"lavangen.no",
+	"lavagis.no",
+	"loabat.no",
+	"xn--loabt-0qa.no",
+	"lebesby.no",
+	"davvesiida.no",
+	"leikanger.no",
+	"leirfjord.no",
+	"leka.no",
+	"leksvik.no",
+	"lenvik.no",
+	"leangaviika.no",
+	"xn--leagaviika-52b.no",
+	"lesja.no",
+	"levanger.no",
+	"lier.no",
+	"lierne.no",
+	"lillehammer.no",
+	"lillesand.no",
+	"lindesnes.no",
+	"lindas.no",
+	"xn--linds-pra.no",
+	"lom.no",
+	"loppa.no",
+	"lahppi.no",
+	"xn--lhppi-xqa.no",
+	"lund.no",
+	"lunner.no",
+	"luroy.no",
+	"xn--lury-ira.no",
+	"luster.no",
+	"lyngdal.no",
+	"lyngen.no",
+	"ivgu.no",
+	"lardal.no",
+	"lerdal.no",
+	"xn--lrdal-sra.no",
+	"lodingen.no",
+	"xn--ldingen-q1a.no",
+	"lorenskog.no",
+	"xn--lrenskog-54a.no",
+	"loten.no",
+	"xn--lten-gra.no",
+	"malvik.no",
+	"masoy.no",
+	"xn--msy-ula0h.no",
+	"muosat.no",
+	"xn--muost-0qa.no",
+	"mandal.no",
+	"marker.no",
+	"marnardal.no",
+	"masfjorden.no",
+	"meland.no",
+	"meldal.no",
+	"melhus.no",
+	"meloy.no",
+	"xn--mely-ira.no",
+	"meraker.no",
+	"xn--merker-kua.no",
+	"moareke.no",
+	"xn--moreke-jua.no",
+	"midsund.no",
+	"midtre-gauldal.no",
+	"modalen.no",
+	"modum.no",
+	"molde.no",
+	"moskenes.no",
+	"moss.no",
+	"mosvik.no",
+	"malselv.no",
+	"xn--mlselv-iua.no",
+	"malatvuopmi.no",
+	"xn--mlatvuopmi-s4a.no",
+	"namdalseid.no",
+	"aejrie.no",
+	"namsos.no",
+	"namsskogan.no",
+	"naamesjevuemie.no",
+	"xn--nmesjevuemie-tcba.no",
+	"laakesvuemie.no",
+	"nannestad.no",
+	"narvik.no",
+	"narviika.no",
+	"naustdal.no",
+	"nedre-eiker.no",
+	"nes.akershus.no",
+	"nes.buskerud.no",
+	"nesna.no",
+	"nesodden.no",
+	"nesseby.no",
+	"unjarga.no",
+	"xn--unjrga-rta.no",
+	"nesset.no",
+	"nissedal.no",
+	"nittedal.no",
+	"nord-aurdal.no",
+	"nord-fron.no",
+	"nord-odal.no",
+	"norddal.no",
+	"nordkapp.no",
+	"davvenjarga.no",
+	"xn--davvenjrga-y4a.no",
+	"nordre-land.no",
+	"nordreisa.no",
+	"raisa.no",
+	"xn--risa-5na.no",
+	"nore-og-uvdal.no",
+	"notodden.no",
+	"naroy.no",
+	"xn--nry-yla5g.no",
+	"notteroy.no",
+	"xn--nttery-byae.no",
+	"odda.no",
+	"oksnes.no",
+	"xn--ksnes-uua.no",
+	"oppdal.no",
+	"oppegard.no",
+	"xn--oppegrd-ixa.no",
+	"orkdal.no",
+	"orland.no",
+	"xn--rland-uua.no",
+	"orskog.no",
+	"xn--rskog-uua.no",
+	"orsta.no",
+	"xn--rsta-fra.no",
+	"os.hedmark.no",
+	"os.hordaland.no",
+	"osen.no",
+	"osteroy.no",
+	"xn--ostery-fya.no",
+	"ostre-toten.no",
+	"xn--stre-toten-zcb.no",
+	"overhalla.no",
+	"ovre-eiker.no",
+	"xn--vre-eiker-k8a.no",
+	"oyer.no",
+	"xn--yer-zna.no",
+	"oygarden.no",
+	"xn--ygarden-p1a.no",
+	"oystre-slidre.no",
+	"xn--ystre-slidre-ujb.no",
+	"porsanger.no",
+	"porsangu.no",
+	"xn--porsgu-sta26f.no",
+	"porsgrunn.no",
+	"radoy.no",
+	"xn--rady-ira.no",
+	"rakkestad.no",
+	"rana.no",
+	"ruovat.no",
+	"randaberg.no",
+	"rauma.no",
+	"rendalen.no",
+	"rennebu.no",
+	"rennesoy.no",
+	"xn--rennesy-v1a.no",
+	"rindal.no",
+	"ringebu.no",
+	"ringerike.no",
+	"ringsaker.no",
+	"rissa.no",
+	"risor.no",
+	"xn--risr-ira.no",
+	"roan.no",
+	"rollag.no",
+	"rygge.no",
+	"ralingen.no",
+	"xn--rlingen-mxa.no",
+	"rodoy.no",
+	"xn--rdy-0nab.no",
+	"romskog.no",
+	"xn--rmskog-bya.no",
+	"roros.no",
+	"xn--rros-gra.no",
+	"rost.no",
+	"xn--rst-0na.no",
+	"royken.no",
+	"xn--ryken-vua.no",
+	"royrvik.no",
+	"xn--ryrvik-bya.no",
+	"rade.no",
+	"xn--rde-ula.no",
+	"salangen.no",
+	"siellak.no",
+	"saltdal.no",
+	"salat.no",
+	"xn--slt-elab.no",
+	"xn--slat-5na.no",
+	"samnanger.no",
+	"sande.more-og-romsdal.no",
+	"sande.xn--mre-og-romsdal-qqb.no",
+	"sande.vestfold.no",
+	"sandefjord.no",
+	"sandnes.no",
+	"sandoy.no",
+	"xn--sandy-yua.no",
+	"sarpsborg.no",
+	"sauda.no",
+	"sauherad.no",
+	"sel.no",
+	"selbu.no",
+	"selje.no",
+	"seljord.no",
+	"sigdal.no",
+	"siljan.no",
+	"sirdal.no",
+	"skaun.no",
+	"skedsmo.no",
+	"ski.no",
+	"skien.no",
+	"skiptvet.no",
+	"skjervoy.no",
+	"xn--skjervy-v1a.no",
+	"skierva.no",
+	"xn--skierv-uta.no",
+	"skjak.no",
+	"xn--skjk-soa.no",
+	"skodje.no",
+	"skanland.no",
+	"xn--sknland-fxa.no",
+	"skanit.no",
+	"xn--sknit-yqa.no",
+	"smola.no",
+	"xn--smla-hra.no",
+	"snillfjord.no",
+	"snasa.no",
+	"xn--snsa-roa.no",
+	"snoasa.no",
+	"snaase.no",
+	"xn--snase-nra.no",
+	"sogndal.no",
+	"sokndal.no",
+	"sola.no",
+	"solund.no",
+	"songdalen.no",
+	"sortland.no",
+	"spydeberg.no",
+	"stange.no",
+	"stavanger.no",
+	"steigen.no",
+	"steinkjer.no",
+	"stjordal.no",
+	"xn--stjrdal-s1a.no",
+	"stokke.no",
+	"stor-elvdal.no",
+	"stord.no",
+	"stordal.no",
+	"storfjord.no",
+	"omasvuotna.no",
+	"strand.no",
+	"stranda.no",
+	"stryn.no",
+	"sula.no",
+	"suldal.no",
+	"sund.no",
+	"sunndal.no",
+	"surnadal.no",
+	"sveio.no",
+	"svelvik.no",
+	"sykkylven.no",
+	"sogne.no",
+	"xn--sgne-gra.no",
+	"somna.no",
+	"xn--smna-gra.no",
+	"sondre-land.no",
+	"xn--sndre-land-0cb.no",
+	"sor-aurdal.no",
+	"xn--sr-aurdal-l8a.no",
+	"sor-fron.no",
+	"xn--sr-fron-q1a.no",
+	"sor-odal.no",
+	"xn--sr-odal-q1a.no",
+	"sor-varanger.no",
+	"xn--sr-varanger-ggb.no",
+	"matta-varjjat.no",
+	"xn--mtta-vrjjat-k7af.no",
+	"sorfold.no",
+	"xn--srfold-bya.no",
+	"sorreisa.no",
+	"xn--srreisa-q1a.no",
+	"sorum.no",
+	"xn--srum-gra.no",
+	"tana.no",
+	"deatnu.no",
+	"time.no",
+	"tingvoll.no",
+	"tinn.no",
+	"tjeldsund.no",
+	"dielddanuorri.no",
+	"tjome.no",
+	"xn--tjme-hra.no",
+	"tokke.no",
+	"tolga.no",
+	"torsken.no",
+	"tranoy.no",
+	"xn--trany-yua.no",
+	"tromso.no",
+	"xn--troms-zua.no",
+	"tromsa.no",
+	"romsa.no",
+	"trondheim.no",
+	"troandin.no",
+	"trysil.no",
+	"trana.no",
+	"xn--trna-woa.no",
+	"trogstad.no",
+	"xn--trgstad-r1a.no",
+	"tvedestrand.no",
+	"tydal.no",
+	"tynset.no",
+	"tysfjord.no",
+	"divtasvuodna.no",
+	"divttasvuotna.no",
+	"tysnes.no",
+	"tysvar.no",
+	"xn--tysvr-vra.no",
+	"tonsberg.no",
+	"xn--tnsberg-q1a.no",
+	"ullensaker.no",
+	"ullensvang.no",
+	"ulvik.no",
+	"utsira.no",
+	"vadso.no",
+	"xn--vads-jra.no",
+	"cahcesuolo.no",
+	"xn--hcesuolo-7ya35b.no",
+	"vaksdal.no",
+	"valle.no",
+	"vang.no",
+	"vanylven.no",
+	"vardo.no",
+	"xn--vard-jra.no",
+	"varggat.no",
+	"xn--vrggt-xqad.no",
+	"vefsn.no",
+	"vaapste.no",
+	"vega.no",
+	"vegarshei.no",
+	"xn--vegrshei-c0a.no",
+	"vennesla.no",
+	"verdal.no",
+	"verran.no",
+	"vestby.no",
+	"vestnes.no",
+	"vestre-slidre.no",
+	"vestre-toten.no",
+	"vestvagoy.no",
+	"xn--vestvgy-ixa6o.no",
+	"vevelstad.no",
+	"vik.no",
+	"vikna.no",
+	"vindafjord.no",
+	"volda.no",
+	"voss.no",
+	"varoy.no",
+	"xn--vry-yla5g.no",
+	"vagan.no",
+	"xn--vgan-qoa.no",
+	"voagat.no",
+	"vagsoy.no",
+	"xn--vgsy-qoa0j.no",
+	"vaga.no",
+	"xn--vg-yiab.no",
+	"valer.ostfold.no",
+	"xn--vler-qoa.xn--stfold-9xa.no",
+	"valer.hedmark.no",
+	"xn--vler-qoa.hedmark.no",
+	"*.np",
+	"nr",
+	"biz.nr",
+	"info.nr",
+	"gov.nr",
+	"edu.nr",
+	"org.nr",
+	"net.nr",
+	"com.nr",
+	"nu",
+	"nz",
+	"ac.nz",
+	"co.nz",
+	"cri.nz",
+	"geek.nz",
+	"gen.nz",
+	"govt.nz",
+	"health.nz",
+	"iwi.nz",
+	"kiwi.nz",
+	"maori.nz",
+	"mil.nz",
+	"xn--mori-qsa.nz",
+	"net.nz",
+	"org.nz",
+	"parliament.nz",
+	"school.nz",
+	"om",
+	"co.om",
+	"com.om",
+	"edu.om",
+	"gov.om",
+	"med.om",
+	"museum.om",
+	"net.om",
+	"org.om",
+	"pro.om",
+	"onion",
+	"org",
+	"pa",
+	"ac.pa",
+	"gob.pa",
+	"com.pa",
+	"org.pa",
+	"sld.pa",
+	"edu.pa",
+	"net.pa",
+	"ing.pa",
+	"abo.pa",
+	"med.pa",
+	"nom.pa",
+	"pe",
+	"edu.pe",
+	"gob.pe",
+	"nom.pe",
+	"mil.pe",
+	"org.pe",
+	"com.pe",
+	"net.pe",
+	"pf",
+	"com.pf",
+	"org.pf",
+	"edu.pf",
+	"*.pg",
+	"ph",
+	"com.ph",
+	"net.ph",
+	"org.ph",
+	"gov.ph",
+	"edu.ph",
+	"ngo.ph",
+	"mil.ph",
+	"i.ph",
+	"pk",
+	"com.pk",
+	"net.pk",
+	"edu.pk",
+	"org.pk",
+	"fam.pk",
+	"biz.pk",
+	"web.pk",
+	"gov.pk",
+	"gob.pk",
+	"gok.pk",
+	"gon.pk",
+	"gop.pk",
+	"gos.pk",
+	"info.pk",
+	"pl",
+	"com.pl",
+	"net.pl",
+	"org.pl",
+	"aid.pl",
+	"agro.pl",
+	"atm.pl",
+	"auto.pl",
+	"biz.pl",
+	"edu.pl",
+	"gmina.pl",
+	"gsm.pl",
+	"info.pl",
+	"mail.pl",
+	"miasta.pl",
+	"media.pl",
+	"mil.pl",
+	"nieruchomosci.pl",
+	"nom.pl",
+	"pc.pl",
+	"powiat.pl",
+	"priv.pl",
+	"realestate.pl",
+	"rel.pl",
+	"sex.pl",
+	"shop.pl",
+	"sklep.pl",
+	"sos.pl",
+	"szkola.pl",
+	"targi.pl",
+	"tm.pl",
+	"tourism.pl",
+	"travel.pl",
+	"turystyka.pl",
+	"gov.pl",
+	"ap.gov.pl",
+	"ic.gov.pl",
+	"is.gov.pl",
+	"us.gov.pl",
+	"kmpsp.gov.pl",
+	"kppsp.gov.pl",
+	"kwpsp.gov.pl",
+	"psp.gov.pl",
+	"wskr.gov.pl",
+	"kwp.gov.pl",
+	"mw.gov.pl",
+	"ug.gov.pl",
+	"um.gov.pl",
+	"umig.gov.pl",
+	"ugim.gov.pl",
+	"upow.gov.pl",
+	"uw.gov.pl",
+	"starostwo.gov.pl",
+	"pa.gov.pl",
+	"po.gov.pl",
+	"psse.gov.pl",
+	"pup.gov.pl",
+	"rzgw.gov.pl",
+	"sa.gov.pl",
+	"so.gov.pl",
+	"sr.gov.pl",
+	"wsa.gov.pl",
+	"sko.gov.pl",
+	"uzs.gov.pl",
+	"wiih.gov.pl",
+	"winb.gov.pl",
+	"pinb.gov.pl",
+	"wios.gov.pl",
+	"witd.gov.pl",
+	"wzmiuw.gov.pl",
+	"piw.gov.pl",
+	"wiw.gov.pl",
+	"griw.gov.pl",
+	"wif.gov.pl",
+	"oum.gov.pl",
+	"sdn.gov.pl",
+	"zp.gov.pl",
+	"uppo.gov.pl",
+	"mup.gov.pl",
+	"wuoz.gov.pl",
+	"konsulat.gov.pl",
+	"oirm.gov.pl",
+	"augustow.pl",
+	"babia-gora.pl",
+	"bedzin.pl",
+	"beskidy.pl",
+	"bialowieza.pl",
+	"bialystok.pl",
+	"bielawa.pl",
+	"bieszczady.pl",
+	"boleslawiec.pl",
+	"bydgoszcz.pl",
+	"bytom.pl",
+	"cieszyn.pl",
+	"czeladz.pl",
+	"czest.pl",
+	"dlugoleka.pl",
+	"elblag.pl",
+	"elk.pl",
+	"glogow.pl",
+	"gniezno.pl",
+	"gorlice.pl",
+	"grajewo.pl",
+	"ilawa.pl",
+	"jaworzno.pl",
+	"jelenia-gora.pl",
+	"jgora.pl",
+	"kalisz.pl",
+	"kazimierz-dolny.pl",
+	"karpacz.pl",
+	"kartuzy.pl",
+	"kaszuby.pl",
+	"katowice.pl",
+	"kepno.pl",
+	"ketrzyn.pl",
+	"klodzko.pl",
+	"kobierzyce.pl",
+	"kolobrzeg.pl",
+	"konin.pl",
+	"konskowola.pl",
+	"kutno.pl",
+	"lapy.pl",
+	"lebork.pl",
+	"legnica.pl",
+	"lezajsk.pl",
+	"limanowa.pl",
+	"lomza.pl",
+	"lowicz.pl",
+	"lubin.pl",
+	"lukow.pl",
+	"malbork.pl",
+	"malopolska.pl",
+	"mazowsze.pl",
+	"mazury.pl",
+	"mielec.pl",
+	"mielno.pl",
+	"mragowo.pl",
+	"naklo.pl",
+	"nowaruda.pl",
+	"nysa.pl",
+	"olawa.pl",
+	"olecko.pl",
+	"olkusz.pl",
+	"olsztyn.pl",
+	"opoczno.pl",
+	"opole.pl",
+	"ostroda.pl",
+	"ostroleka.pl",
+	"ostrowiec.pl",
+	"ostrowwlkp.pl",
+	"pila.pl",
+	"pisz.pl",
+	"podhale.pl",
+	"podlasie.pl",
+	"polkowice.pl",
+	"pomorze.pl",
+	"pomorskie.pl",
+	"prochowice.pl",
+	"pruszkow.pl",
+	"przeworsk.pl",
+	"pulawy.pl",
+	"radom.pl",
+	"rawa-maz.pl",
+	"rybnik.pl",
+	"rzeszow.pl",
+	"sanok.pl",
+	"sejny.pl",
+	"slask.pl",
+	"slupsk.pl",
+	"sosnowiec.pl",
+	"stalowa-wola.pl",
+	"skoczow.pl",
+	"starachowice.pl",
+	"stargard.pl",
+	"suwalki.pl",
+	"swidnica.pl",
+	"swiebodzin.pl",
+	"swinoujscie.pl",
+	"szczecin.pl",
+	"szczytno.pl",
+	"tarnobrzeg.pl",
+	"tgory.pl",
+	"turek.pl",
+	"tychy.pl",
+	"ustka.pl",
+	"walbrzych.pl",
+	"warmia.pl",
+	"warszawa.pl",
+	"waw.pl",
+	"wegrow.pl",
+	"wielun.pl",
+	"wlocl.pl",
+	"wloclawek.pl",
+	"wodzislaw.pl",
+	"wolomin.pl",
+	"wroclaw.pl",
+	"zachpomor.pl",
+	"zagan.pl",
+	"zarow.pl",
+	"zgora.pl",
+	"zgorzelec.pl",
+	"pm",
+	"pn",
+	"gov.pn",
+	"co.pn",
+	"org.pn",
+	"edu.pn",
+	"net.pn",
+	"post",
+	"pr",
+	"com.pr",
+	"net.pr",
+	"org.pr",
+	"gov.pr",
+	"edu.pr",
+	"isla.pr",
+	"pro.pr",
+	"biz.pr",
+	"info.pr",
+	"name.pr",
+	"est.pr",
+	"prof.pr",
+	"ac.pr",
+	"pro",
+	"aaa.pro",
+	"aca.pro",
+	"acct.pro",
+	"avocat.pro",
+	"bar.pro",
+	"cpa.pro",
+	"eng.pro",
+	"jur.pro",
+	"law.pro",
+	"med.pro",
+	"recht.pro",
+	"ps",
+	"edu.ps",
+	"gov.ps",
+	"sec.ps",
+	"plo.ps",
+	"com.ps",
+	"org.ps",
+	"net.ps",
+	"pt",
+	"net.pt",
+	"gov.pt",
+	"org.pt",
+	"edu.pt",
+	"int.pt",
+	"publ.pt",
+	"com.pt",
+	"nome.pt",
+	"pw",
+	"co.pw",
+	"ne.pw",
+	"or.pw",
+	"ed.pw",
+	"go.pw",
+	"belau.pw",
+	"py",
+	"com.py",
+	"coop.py",
+	"edu.py",
+	"gov.py",
+	"mil.py",
+	"net.py",
+	"org.py",
+	"qa",
+	"com.qa",
+	"edu.qa",
+	"gov.qa",
+	"mil.qa",
+	"name.qa",
+	"net.qa",
+	"org.qa",
+	"sch.qa",
+	"re",
+	"asso.re",
+	"com.re",
+	"nom.re",
+	"ro",
+	"arts.ro",
+	"com.ro",
+	"firm.ro",
+	"info.ro",
+	"nom.ro",
+	"nt.ro",
+	"org.ro",
+	"rec.ro",
+	"store.ro",
+	"tm.ro",
+	"www.ro",
+	"rs",
+	"ac.rs",
+	"co.rs",
+	"edu.rs",
+	"gov.rs",
+	"in.rs",
+	"org.rs",
+	"ru",
+	"ac.ru",
+	"edu.ru",
+	"gov.ru",
+	"int.ru",
+	"mil.ru",
+	"test.ru",
+	"rw",
+	"gov.rw",
+	"net.rw",
+	"edu.rw",
+	"ac.rw",
+	"com.rw",
+	"co.rw",
+	"int.rw",
+	"mil.rw",
+	"gouv.rw",
+	"sa",
+	"com.sa",
+	"net.sa",
+	"org.sa",
+	"gov.sa",
+	"med.sa",
+	"pub.sa",
+	"edu.sa",
+	"sch.sa",
+	"sb",
+	"com.sb",
+	"edu.sb",
+	"gov.sb",
+	"net.sb",
+	"org.sb",
+	"sc",
+	"com.sc",
+	"gov.sc",
+	"net.sc",
+	"org.sc",
+	"edu.sc",
+	"sd",
+	"com.sd",
+	"net.sd",
+	"org.sd",
+	"edu.sd",
+	"med.sd",
+	"tv.sd",
+	"gov.sd",
+	"info.sd",
+	"se",
+	"a.se",
+	"ac.se",
+	"b.se",
+	"bd.se",
+	"brand.se",
+	"c.se",
+	"d.se",
+	"e.se",
+	"f.se",
+	"fh.se",
+	"fhsk.se",
+	"fhv.se",
+	"g.se",
+	"h.se",
+	"i.se",
+	"k.se",
+	"komforb.se",
+	"kommunalforbund.se",
+	"komvux.se",
+	"l.se",
+	"lanbib.se",
+	"m.se",
+	"n.se",
+	"naturbruksgymn.se",
+	"o.se",
+	"org.se",
+	"p.se",
+	"parti.se",
+	"pp.se",
+	"press.se",
+	"r.se",
+	"s.se",
+	"t.se",
+	"tm.se",
+	"u.se",
+	"w.se",
+	"x.se",
+	"y.se",
+	"z.se",
+	"sg",
+	"com.sg",
+	"net.sg",
+	"org.sg",
+	"gov.sg",
+	"edu.sg",
+	"per.sg",
+	"sh",
+	"com.sh",
+	"net.sh",
+	"gov.sh",
+	"org.sh",
+	"mil.sh",
+	"si",
+	"sj",
+	"sk",
+	"sl",
+	"com.sl",
+	"net.sl",
+	"edu.sl",
+	"gov.sl",
+	"org.sl",
+	"sm",
+	"sn",
+	"art.sn",
+	"com.sn",
+	"edu.sn",
+	"gouv.sn",
+	"org.sn",
+	"perso.sn",
+	"univ.sn",
+	"so",
+	"com.so",
+	"net.so",
+	"org.so",
+	"sr",
+	"st",
+	"co.st",
+	"com.st",
+	"consulado.st",
+	"edu.st",
+	"embaixada.st",
+	"gov.st",
+	"mil.st",
+	"net.st",
+	"org.st",
+	"principe.st",
+	"saotome.st",
+	"store.st",
+	"su",
+	"sv",
+	"com.sv",
+	"edu.sv",
+	"gob.sv",
+	"org.sv",
+	"red.sv",
+	"sx",
+	"gov.sx",
+	"sy",
+	"edu.sy",
+	"gov.sy",
+	"net.sy",
+	"mil.sy",
+	"com.sy",
+	"org.sy",
+	"sz",
+	"co.sz",
+	"ac.sz",
+	"org.sz",
+	"tc",
+	"td",
+	"tel",
+	"tf",
+	"tg",
+	"th",
+	"ac.th",
+	"co.th",
+	"go.th",
+	"in.th",
+	"mi.th",
+	"net.th",
+	"or.th",
+	"tj",
+	"ac.tj",
+	"biz.tj",
+	"co.tj",
+	"com.tj",
+	"edu.tj",
+	"go.tj",
+	"gov.tj",
+	"int.tj",
+	"mil.tj",
+	"name.tj",
+	"net.tj",
+	"nic.tj",
+	"org.tj",
+	"test.tj",
+	"web.tj",
+	"tk",
+	"tl",
+	"gov.tl",
+	"tm",
+	"com.tm",
+	"co.tm",
+	"org.tm",
+	"net.tm",
+	"nom.tm",
+	"gov.tm",
+	"mil.tm",
+	"edu.tm",
+	"tn",
+	"com.tn",
+	"ens.tn",
+	"fin.tn",
+	"gov.tn",
+	"ind.tn",
+	"intl.tn",
+	"nat.tn",
+	"net.tn",
+	"org.tn",
+	"info.tn",
+	"perso.tn",
+	"tourism.tn",
+	"edunet.tn",
+	"rnrt.tn",
+	"rns.tn",
+	"rnu.tn",
+	"mincom.tn",
+	"agrinet.tn",
+	"defense.tn",
+	"turen.tn",
+	"to",
+	"com.to",
+	"gov.to",
+	"net.to",
+	"org.to",
+	"edu.to",
+	"mil.to",
+	"tr",
+	"com.tr",
+	"info.tr",
+	"biz.tr",
+	"net.tr",
+	"org.tr",
+	"web.tr",
+	"gen.tr",
+	"tv.tr",
+	"av.tr",
+	"dr.tr",
+	"bbs.tr",
+	"name.tr",
+	"tel.tr",
+	"gov.tr",
+	"bel.tr",
+	"pol.tr",
+	"mil.tr",
+	"k12.tr",
+	"edu.tr",
+	"kep.tr",
+	"nc.tr",
+	"gov.nc.tr",
+	"travel",
+	"tt",
+	"co.tt",
+	"com.tt",
+	"org.tt",
+	"net.tt",
+	"biz.tt",
+	"info.tt",
+	"pro.tt",
+	"int.tt",
+	"coop.tt",
+	"jobs.tt",
+	"mobi.tt",
+	"travel.tt",
+	"museum.tt",
+	"aero.tt",
+	"name.tt",
+	"gov.tt",
+	"edu.tt",
+	"tv",
+	"tw",
+	"edu.tw",
+	"gov.tw",
+	"mil.tw",
+	"com.tw",
+	"net.tw",
+	"org.tw",
+	"idv.tw",
+	"game.tw",
+	"ebiz.tw",
+	"club.tw",
+	"xn--zf0ao64a.tw",
+	"xn--uc0atv.tw",
+	"xn--czrw28b.tw",
+	"tz",
+	"ac.tz",
+	"co.tz",
+	"go.tz",
+	"hotel.tz",
+	"info.tz",
+	"me.tz",
+	"mil.tz",
+	"mobi.tz",
+	"ne.tz",
+	"or.tz",
+	"sc.tz",
+	"tv.tz",
+	"ua",
+	"com.ua",
+	"edu.ua",
+	"gov.ua",
+	"in.ua",
+	"net.ua",
+	"org.ua",
+	"cherkassy.ua",
+	"cherkasy.ua",
+	"chernigov.ua",
+	"chernihiv.ua",
+	"chernivtsi.ua",
+	"chernovtsy.ua",
+	"ck.ua",
+	"cn.ua",
+	"cr.ua",
+	"crimea.ua",
+	"cv.ua",
+	"dn.ua",
+	"dnepropetrovsk.ua",
+	"dnipropetrovsk.ua",
+	"dominic.ua",
+	"donetsk.ua",
+	"dp.ua",
+	"if.ua",
+	"ivano-frankivsk.ua",
+	"kh.ua",
+	"kharkiv.ua",
+	"kharkov.ua",
+	"kherson.ua",
+	"khmelnitskiy.ua",
+	"khmelnytskyi.ua",
+	"kiev.ua",
+	"kirovograd.ua",
+	"km.ua",
+	"kr.ua",
+	"krym.ua",
+	"ks.ua",
+	"kv.ua",
+	"kyiv.ua",
+	"lg.ua",
+	"lt.ua",
+	"lugansk.ua",
+	"lutsk.ua",
+	"lv.ua",
+	"lviv.ua",
+	"mk.ua",
+	"mykolaiv.ua",
+	"nikolaev.ua",
+	"od.ua",
+	"odesa.ua",
+	"odessa.ua",
+	"pl.ua",
+	"poltava.ua",
+	"rivne.ua",
+	"rovno.ua",
+	"rv.ua",
+	"sb.ua",
+	"sebastopol.ua",
+	"sevastopol.ua",
+	"sm.ua",
+	"sumy.ua",
+	"te.ua",
+	"ternopil.ua",
+	"uz.ua",
+	"uzhgorod.ua",
+	"vinnica.ua",
+	"vinnytsia.ua",
+	"vn.ua",
+	"volyn.ua",
+	"yalta.ua",
+	"zaporizhzhe.ua",
+	"zaporizhzhia.ua",
+	"zhitomir.ua",
+	"zhytomyr.ua",
+	"zp.ua",
+	"zt.ua",
+	"ug",
+	"co.ug",
+	"or.ug",
+	"ac.ug",
+	"sc.ug",
+	"go.ug",
+	"ne.ug",
+	"com.ug",
+	"org.ug",
+	"uk",
+	"ac.uk",
+	"co.uk",
+	"gov.uk",
+	"ltd.uk",
+	"me.uk",
+	"net.uk",
+	"nhs.uk",
+	"org.uk",
+	"plc.uk",
+	"police.uk",
+	"*.sch.uk",
+	"us",
+	"dni.us",
+	"fed.us",
+	"isa.us",
+	"kids.us",
+	"nsn.us",
+	"ak.us",
+	"al.us",
+	"ar.us",
+	"as.us",
+	"az.us",
+	"ca.us",
+	"co.us",
+	"ct.us",
+	"dc.us",
+	"de.us",
+	"fl.us",
+	"ga.us",
+	"gu.us",
+	"hi.us",
+	"ia.us",
+	"id.us",
+	"il.us",
+	"in.us",
+	"ks.us",
+	"ky.us",
+	"la.us",
+	"ma.us",
+	"md.us",
+	"me.us",
+	"mi.us",
+	"mn.us",
+	"mo.us",
+	"ms.us",
+	"mt.us",
+	"nc.us",
+	"nd.us",
+	"ne.us",
+	"nh.us",
+	"nj.us",
+	"nm.us",
+	"nv.us",
+	"ny.us",
+	"oh.us",
+	"ok.us",
+	"or.us",
+	"pa.us",
+	"pr.us",
+	"ri.us",
+	"sc.us",
+	"sd.us",
+	"tn.us",
+	"tx.us",
+	"ut.us",
+	"vi.us",
+	"vt.us",
+	"va.us",
+	"wa.us",
+	"wi.us",
+	"wv.us",
+	"wy.us",
+	"k12.ak.us",
+	"k12.al.us",
+	"k12.ar.us",
+	"k12.as.us",
+	"k12.az.us",
+	"k12.ca.us",
+	"k12.co.us",
+	"k12.ct.us",
+	"k12.dc.us",
+	"k12.de.us",
+	"k12.fl.us",
+	"k12.ga.us",
+	"k12.gu.us",
+	"k12.ia.us",
+	"k12.id.us",
+	"k12.il.us",
+	"k12.in.us",
+	"k12.ks.us",
+	"k12.ky.us",
+	"k12.la.us",
+	"k12.ma.us",
+	"k12.md.us",
+	"k12.me.us",
+	"k12.mi.us",
+	"k12.mn.us",
+	"k12.mo.us",
+	"k12.ms.us",
+	"k12.mt.us",
+	"k12.nc.us",
+	"k12.ne.us",
+	"k12.nh.us",
+	"k12.nj.us",
+	"k12.nm.us",
+	"k12.nv.us",
+	"k12.ny.us",
+	"k12.oh.us",
+	"k12.ok.us",
+	"k12.or.us",
+	"k12.pa.us",
+	"k12.pr.us",
+	"k12.ri.us",
+	"k12.sc.us",
+	"k12.tn.us",
+	"k12.tx.us",
+	"k12.ut.us",
+	"k12.vi.us",
+	"k12.vt.us",
+	"k12.va.us",
+	"k12.wa.us",
+	"k12.wi.us",
+	"k12.wy.us",
+	"cc.ak.us",
+	"cc.al.us",
+	"cc.ar.us",
+	"cc.as.us",
+	"cc.az.us",
+	"cc.ca.us",
+	"cc.co.us",
+	"cc.ct.us",
+	"cc.dc.us",
+	"cc.de.us",
+	"cc.fl.us",
+	"cc.ga.us",
+	"cc.gu.us",
+	"cc.hi.us",
+	"cc.ia.us",
+	"cc.id.us",
+	"cc.il.us",
+	"cc.in.us",
+	"cc.ks.us",
+	"cc.ky.us",
+	"cc.la.us",
+	"cc.ma.us",
+	"cc.md.us",
+	"cc.me.us",
+	"cc.mi.us",
+	"cc.mn.us",
+	"cc.mo.us",
+	"cc.ms.us",
+	"cc.mt.us",
+	"cc.nc.us",
+	"cc.nd.us",
+	"cc.ne.us",
+	"cc.nh.us",
+	"cc.nj.us",
+	"cc.nm.us",
+	"cc.nv.us",
+	"cc.ny.us",
+	"cc.oh.us",
+	"cc.ok.us",
+	"cc.or.us",
+	"cc.pa.us",
+	"cc.pr.us",
+	"cc.ri.us",
+	"cc.sc.us",
+	"cc.sd.us",
+	"cc.tn.us",
+	"cc.tx.us",
+	"cc.ut.us",
+	"cc.vi.us",
+	"cc.vt.us",
+	"cc.va.us",
+	"cc.wa.us",
+	"cc.wi.us",
+	"cc.wv.us",
+	"cc.wy.us",
+	"lib.ak.us",
+	"lib.al.us",
+	"lib.ar.us",
+	"lib.as.us",
+	"lib.az.us",
+	"lib.ca.us",
+	"lib.co.us",
+	"lib.ct.us",
+	"lib.dc.us",
+	"lib.fl.us",
+	"lib.ga.us",
+	"lib.gu.us",
+	"lib.hi.us",
+	"lib.ia.us",
+	"lib.id.us",
+	"lib.il.us",
+	"lib.in.us",
+	"lib.ks.us",
+	"lib.ky.us",
+	"lib.la.us",
+	"lib.ma.us",
+	"lib.md.us",
+	"lib.me.us",
+	"lib.mi.us",
+	"lib.mn.us",
+	"lib.mo.us",
+	"lib.ms.us",
+	"lib.mt.us",
+	"lib.nc.us",
+	"lib.nd.us",
+	"lib.ne.us",
+	"lib.nh.us",
+	"lib.nj.us",
+	"lib.nm.us",
+	"lib.nv.us",
+	"lib.ny.us",
+	"lib.oh.us",
+	"lib.ok.us",
+	"lib.or.us",
+	"lib.pa.us",
+	"lib.pr.us",
+	"lib.ri.us",
+	"lib.sc.us",
+	"lib.sd.us",
+	"lib.tn.us",
+	"lib.tx.us",
+	"lib.ut.us",
+	"lib.vi.us",
+	"lib.vt.us",
+	"lib.va.us",
+	"lib.wa.us",
+	"lib.wi.us",
+	"lib.wy.us",
+	"pvt.k12.ma.us",
+	"chtr.k12.ma.us",
+	"paroch.k12.ma.us",
+	"uy",
+	"com.uy",
+	"edu.uy",
+	"gub.uy",
+	"mil.uy",
+	"net.uy",
+	"org.uy",
+	"uz",
+	"co.uz",
+	"com.uz",
+	"net.uz",
+	"org.uz",
+	"va",
+	"vc",
+	"com.vc",
+	"net.vc",
+	"org.vc",
+	"gov.vc",
+	"mil.vc",
+	"edu.vc",
+	"ve",
+	"arts.ve",
+	"co.ve",
+	"com.ve",
+	"e12.ve",
+	"edu.ve",
+	"firm.ve",
+	"gob.ve",
+	"gov.ve",
+	"info.ve",
+	"int.ve",
+	"mil.ve",
+	"net.ve",
+	"org.ve",
+	"rec.ve",
+	"store.ve",
+	"tec.ve",
+	"web.ve",
+	"vg",
+	"vi",
+	"co.vi",
+	"com.vi",
+	"k12.vi",
+	"net.vi",
+	"org.vi",
+	"vn",
+	"com.vn",
+	"net.vn",
+	"org.vn",
+	"edu.vn",
+	"gov.vn",
+	"int.vn",
+	"ac.vn",
+	"biz.vn",
+	"info.vn",
+	"name.vn",
+	"pro.vn",
+	"health.vn",
+	"vu",
+	"com.vu",
+	"edu.vu",
+	"net.vu",
+	"org.vu",
+	"wf",
+	"ws",
+	"com.ws",
+	"net.ws",
+	"org.ws",
+	"gov.ws",
+	"edu.ws",
+	"yt",
+	"xn--mgbaam7a8h",
+	"xn--y9a3aq",
+	"xn--54b7fta0cc",
+	"xn--90ais",
+	"xn--fiqs8s",
+	"xn--fiqz9s",
+	"xn--lgbbat1ad8j",
+	"xn--wgbh1c",
+	"xn--e1a4c",
+	"xn--node",
+	"xn--qxam",
+	"xn--j6w193g",
+	"xn--h2brj9c",
+	"xn--mgbbh1a71e",
+	"xn--fpcrj9c3d",
+	"xn--gecrj9c",
+	"xn--s9brj9c",
+	"xn--45brj9c",
+	"xn--xkc2dl3a5ee0h",
+	"xn--mgba3a4f16a",
+	"xn--mgba3a4fra",
+	"xn--mgbtx2b",
+	"xn--mgbayh7gpa",
+	"xn--3e0b707e",
+	"xn--80ao21a",
+	"xn--fzc2c9e2c",
+	"xn--xkc2al3hye2a",
+	"xn--mgbc0a9azcg",
+	"xn--d1alf",
+	"xn--l1acc",
+	"xn--mix891f",
+	"xn--mix082f",
+	"xn--mgbx4cd0ab",
+	"xn--mgb9awbf",
+	"xn--mgbai9azgqp6j",
+	"xn--mgbai9a5eva00b",
+	"xn--ygbi2ammx",
+	"xn--90a3ac",
+	"xn--o1ac.xn--90a3ac",
+	"xn--c1avg.xn--90a3ac",
+	"xn--90azh.xn--90a3ac",
+	"xn--d1at.xn--90a3ac",
+	"xn--o1ach.xn--90a3ac",
+	"xn--80au.xn--90a3ac",
+	"xn--p1ai",
+	"xn--wgbl6a",
+	"xn--mgberp4a5d4ar",
+	"xn--mgberp4a5d4a87g",
+	"xn--mgbqly7c0a67fbc",
+	"xn--mgbqly7cvafr",
+	"xn--mgbpl2fh",
+	"xn--yfro4i67o",
+	"xn--clchc0ea0b2g2a9gcd",
+	"xn--ogbpf8fl",
+	"xn--mgbtf8fl",
+	"xn--o3cw4h",
+	"xn--12c1fe0br.xn--o3cw4h",
+	"xn--12co0c3b4eva.xn--o3cw4h",
+	"xn--h3cuzk1di.xn--o3cw4h",
+	"xn--o3cyx2a.xn--o3cw4h",
+	"xn--m3ch0j3a.xn--o3cw4h",
+	"xn--12cfi8ixb8l.xn--o3cw4h",
+	"xn--pgbs0dh",
+	"xn--kpry57d",
+	"xn--kprw13d",
+	"xn--nnx388a",
+	"xn--j1amh",
+	"xn--mgb2ddes",
+	"xxx",
+	"*.ye",
+	"ac.za",
+	"agric.za",
+	"alt.za",
+	"co.za",
+	"edu.za",
+	"gov.za",
+	"grondar.za",
+	"law.za",
+	"mil.za",
+	"net.za",
+	"ngo.za",
+	"nis.za",
+	"nom.za",
+	"org.za",
+	"school.za",
+	"tm.za",
+	"web.za",
+	"zm",
+	"ac.zm",
+	"biz.zm",
+	"co.zm",
+	"com.zm",
+	"edu.zm",
+	"gov.zm",
+	"info.zm",
+	"mil.zm",
+	"net.zm",
+	"org.zm",
+	"sch.zm",
+	"zw",
+	"ac.zw",
+	"co.zw",
+	"gov.zw",
+	"mil.zw",
+	"org.zw",
+	"aaa",
+	"aarp",
+	"abarth",
+	"abb",
+	"abbott",
+	"abbvie",
+	"abc",
+	"able",
+	"abogado",
+	"abudhabi",
+	"academy",
+	"accenture",
+	"accountant",
+	"accountants",
+	"aco",
+	"active",
+	"actor",
+	"adac",
+	"ads",
+	"adult",
+	"aeg",
+	"aetna",
+	"afamilycompany",
+	"afl",
+	"africa",
+	"agakhan",
+	"agency",
+	"aig",
+	"aigo",
+	"airbus",
+	"airforce",
+	"airtel",
+	"akdn",
+	"alfaromeo",
+	"alibaba",
+	"alipay",
+	"allfinanz",
+	"allstate",
+	"ally",
+	"alsace",
+	"alstom",
+	"americanexpress",
+	"americanfamily",
+	"amex",
+	"amfam",
+	"amica",
+	"amsterdam",
+	"analytics",
+	"android",
+	"anquan",
+	"anz",
+	"aol",
+	"apartments",
+	"app",
+	"apple",
+	"aquarelle",
+	"arab",
+	"aramco",
+	"archi",
+	"army",
+	"art",
+	"arte",
+	"asda",
+	"associates",
+	"athleta",
+	"attorney",
+	"auction",
+	"audi",
+	"audible",
+	"audio",
+	"auspost",
+	"author",
+	"auto",
+	"autos",
+	"avianca",
+	"aws",
+	"axa",
+	"azure",
+	"baby",
+	"baidu",
+	"banamex",
+	"bananarepublic",
+	"band",
+	"bank",
+	"bar",
+	"barcelona",
+	"barclaycard",
+	"barclays",
+	"barefoot",
+	"bargains",
+	"baseball",
+	"basketball",
+	"bauhaus",
+	"bayern",
+	"bbc",
+	"bbt",
+	"bbva",
+	"bcg",
+	"bcn",
+	"beats",
+	"beauty",
+	"beer",
+	"bentley",
+	"berlin",
+	"best",
+	"bestbuy",
+	"bet",
+	"bharti",
+	"bible",
+	"bid",
+	"bike",
+	"bing",
+	"bingo",
+	"bio",
+	"black",
+	"blackfriday",
+	"blanco",
+	"blockbuster",
+	"blog",
+	"bloomberg",
+	"blue",
+	"bms",
+	"bmw",
+	"bnl",
+	"bnpparibas",
+	"boats",
+	"boehringer",
+	"bofa",
+	"bom",
+	"bond",
+	"boo",
+	"book",
+	"booking",
+	"boots",
+	"bosch",
+	"bostik",
+	"boston",
+	"bot",
+	"boutique",
+	"box",
+	"bradesco",
+	"bridgestone",
+	"broadway",
+	"broker",
+	"brother",
+	"brussels",
+	"budapest",
+	"bugatti",
+	"build",
+	"builders",
+	"business",
+	"buy",
+	"buzz",
+	"bzh",
+	"cab",
+	"cafe",
+	"cal",
+	"call",
+	"calvinklein",
+	"cam",
+	"camera",
+	"camp",
+	"cancerresearch",
+	"canon",
+	"capetown",
+	"capital",
+	"capitalone",
+	"car",
+	"caravan",
+	"cards",
+	"care",
+	"career",
+	"careers",
+	"cars",
+	"cartier",
+	"casa",
+	"case",
+	"caseih",
+	"cash",
+	"casino",
+	"catering",
+	"catholic",
+	"cba",
+	"cbn",
+	"cbre",
+	"cbs",
+	"ceb",
+	"center",
+	"ceo",
+	"cern",
+	"cfa",
+	"cfd",
+	"chanel",
+	"channel",
+	"chase",
+	"chat",
+	"cheap",
+	"chintai",
+	"chloe",
+	"christmas",
+	"chrome",
+	"chrysler",
+	"church",
+	"cipriani",
+	"circle",
+	"cisco",
+	"citadel",
+	"citi",
+	"citic",
+	"city",
+	"cityeats",
+	"claims",
+	"cleaning",
+	"click",
+	"clinic",
+	"clinique",
+	"clothing",
+	"cloud",
+	"club",
+	"clubmed",
+	"coach",
+	"codes",
+	"coffee",
+	"college",
+	"cologne",
+	"comcast",
+	"commbank",
+	"community",
+	"company",
+	"compare",
+	"computer",
+	"comsec",
+	"condos",
+	"construction",
+	"consulting",
+	"contact",
+	"contractors",
+	"cooking",
+	"cookingchannel",
+	"cool",
+	"corsica",
+	"country",
+	"coupon",
+	"coupons",
+	"courses",
+	"credit",
+	"creditcard",
+	"creditunion",
+	"cricket",
+	"crown",
+	"crs",
+	"cruise",
+	"cruises",
+	"csc",
+	"cuisinella",
+	"cymru",
+	"cyou",
+	"dabur",
+	"dad",
+	"dance",
+	"data",
+	"date",
+	"dating",
+	"datsun",
+	"day",
+	"dclk",
+	"dds",
+	"deal",
+	"dealer",
+	"deals",
+	"degree",
+	"delivery",
+	"dell",
+	"deloitte",
+	"delta",
+	"democrat",
+	"dental",
+	"dentist",
+	"desi",
+	"design",
+	"dev",
+	"dhl",
+	"diamonds",
+	"diet",
+	"digital",
+	"direct",
+	"directory",
+	"discount",
+	"discover",
+	"dish",
+	"diy",
+	"dnp",
+	"docs",
+	"doctor",
+	"dodge",
+	"dog",
+	"doha",
+	"domains",
+	"dot",
+	"download",
+	"drive",
+	"dtv",
+	"dubai",
+	"duck",
+	"dunlop",
+	"duns",
+	"dupont",
+	"durban",
+	"dvag",
+	"dvr",
+	"earth",
+	"eat",
+	"eco",
+	"edeka",
+	"education",
+	"email",
+	"emerck",
+	"energy",
+	"engineer",
+	"engineering",
+	"enterprises",
+	"epost",
+	"epson",
+	"equipment",
+	"ericsson",
+	"erni",
+	"esq",
+	"estate",
+	"esurance",
+	"etisalat",
+	"eurovision",
+	"eus",
+	"events",
+	"everbank",
+	"exchange",
+	"expert",
+	"exposed",
+	"express",
+	"extraspace",
+	"fage",
+	"fail",
+	"fairwinds",
+	"faith",
+	"family",
+	"fan",
+	"fans",
+	"farm",
+	"farmers",
+	"fashion",
+	"fast",
+	"fedex",
+	"feedback",
+	"ferrari",
+	"ferrero",
+	"fiat",
+	"fidelity",
+	"fido",
+	"film",
+	"final",
+	"finance",
+	"financial",
+	"fire",
+	"firestone",
+	"firmdale",
+	"fish",
+	"fishing",
+	"fit",
+	"fitness",
+	"flickr",
+	"flights",
+	"flir",
+	"florist",
+	"flowers",
+	"fly",
+	"foo",
+	"food",
+	"foodnetwork",
+	"football",
+	"ford",
+	"forex",
+	"forsale",
+	"forum",
+	"foundation",
+	"fox",
+	"free",
+	"fresenius",
+	"frl",
+	"frogans",
+	"frontdoor",
+	"frontier",
+	"ftr",
+	"fujitsu",
+	"fujixerox",
+	"fun",
+	"fund",
+	"furniture",
+	"futbol",
+	"fyi",
+	"gal",
+	"gallery",
+	"gallo",
+	"gallup",
+	"game",
+	"games",
+	"gap",
+	"garden",
+	"gbiz",
+	"gdn",
+	"gea",
+	"gent",
+	"genting",
+	"george",
+	"ggee",
+	"gift",
+	"gifts",
+	"gives",
+	"giving",
+	"glade",
+	"glass",
+	"gle",
+	"global",
+	"globo",
+	"gmail",
+	"gmbh",
+	"gmo",
+	"gmx",
+	"godaddy",
+	"gold",
+	"goldpoint",
+	"golf",
+	"goo",
+	"goodhands",
+	"goodyear",
+	"goog",
+	"google",
+	"gop",
+	"got",
+	"grainger",
+	"graphics",
+	"gratis",
+	"green",
+	"gripe",
+	"grocery",
+	"group",
+	"guardian",
+	"gucci",
+	"guge",
+	"guide",
+	"guitars",
+	"guru",
+	"hair",
+	"hamburg",
+	"hangout",
+	"haus",
+	"hbo",
+	"hdfc",
+	"hdfcbank",
+	"health",
+	"healthcare",
+	"help",
+	"helsinki",
+	"here",
+	"hermes",
+	"hgtv",
+	"hiphop",
+	"hisamitsu",
+	"hitachi",
+	"hiv",
+	"hkt",
+	"hockey",
+	"holdings",
+	"holiday",
+	"homedepot",
+	"homegoods",
+	"homes",
+	"homesense",
+	"honda",
+	"honeywell",
+	"horse",
+	"hospital",
+	"host",
+	"hosting",
+	"hot",
+	"hoteles",
+	"hotels",
+	"hotmail",
+	"house",
+	"how",
+	"hsbc",
+	"htc",
+	"hughes",
+	"hyatt",
+	"hyundai",
+	"ibm",
+	"icbc",
+	"ice",
+	"icu",
+	"ieee",
+	"ifm",
+	"ikano",
+	"imamat",
+	"imdb",
+	"immo",
+	"immobilien",
+	"industries",
+	"infiniti",
+	"ing",
+	"ink",
+	"institute",
+	"insurance",
+	"insure",
+	"intel",
+	"international",
+	"intuit",
+	"investments",
+	"ipiranga",
+	"irish",
+	"iselect",
+	"ismaili",
+	"ist",
+	"istanbul",
+	"itau",
+	"itv",
+	"iveco",
+	"iwc",
+	"jaguar",
+	"java",
+	"jcb",
+	"jcp",
+	"jeep",
+	"jetzt",
+	"jewelry",
+	"jio",
+	"jlc",
+	"jll",
+	"jmp",
+	"jnj",
+	"joburg",
+	"jot",
+	"joy",
+	"jpmorgan",
+	"jprs",
+	"juegos",
+	"juniper",
+	"kaufen",
+	"kddi",
+	"kerryhotels",
+	"kerrylogistics",
+	"kerryproperties",
+	"kfh",
+	"kia",
+	"kim",
+	"kinder",
+	"kindle",
+	"kitchen",
+	"kiwi",
+	"koeln",
+	"komatsu",
+	"kosher",
+	"kpmg",
+	"kpn",
+	"krd",
+	"kred",
+	"kuokgroup",
+	"kyoto",
+	"lacaixa",
+	"ladbrokes",
+	"lamborghini",
+	"lamer",
+	"lancaster",
+	"lancia",
+	"lancome",
+	"land",
+	"landrover",
+	"lanxess",
+	"lasalle",
+	"lat",
+	"latino",
+	"latrobe",
+	"law",
+	"lawyer",
+	"lds",
+	"lease",
+	"leclerc",
+	"lefrak",
+	"legal",
+	"lego",
+	"lexus",
+	"lgbt",
+	"liaison",
+	"lidl",
+	"life",
+	"lifeinsurance",
+	"lifestyle",
+	"lighting",
+	"like",
+	"lilly",
+	"limited",
+	"limo",
+	"lincoln",
+	"linde",
+	"link",
+	"lipsy",
+	"live",
+	"living",
+	"lixil",
+	"loan",
+	"loans",
+	"locker",
+	"locus",
+	"loft",
+	"lol",
+	"london",
+	"lotte",
+	"lotto",
+	"love",
+	"lpl",
+	"lplfinancial",
+	"ltd",
+	"ltda",
+	"lundbeck",
+	"lupin",
+	"luxe",
+	"luxury",
+	"macys",
+	"madrid",
+	"maif",
+	"maison",
+	"makeup",
+	"man",
+	"management",
+	"mango",
+	"map",
+	"market",
+	"marketing",
+	"markets",
+	"marriott",
+	"marshalls",
+	"maserati",
+	"mattel",
+	"mba",
+	"mcd",
+	"mcdonalds",
+	"mckinsey",
+	"med",
+	"media",
+	"meet",
+	"melbourne",
+	"meme",
+	"memorial",
+	"men",
+	"menu",
+	"meo",
+	"merckmsd",
+	"metlife",
+	"miami",
+	"microsoft",
+	"mini",
+	"mint",
+	"mit",
+	"mitsubishi",
+	"mlb",
+	"mls",
+	"mma",
+	"mobile",
+	"mobily",
+	"moda",
+	"moe",
+	"moi",
+	"mom",
+	"monash",
+	"money",
+	"monster",
+	"montblanc",
+	"mopar",
+	"mormon",
+	"mortgage",
+	"moscow",
+	"moto",
+	"motorcycles",
+	"mov",
+	"movie",
+	"movistar",
+	"msd",
+	"mtn",
+	"mtpc",
+	"mtr",
+	"mutual",
+	"nab",
+	"nadex",
+	"nagoya",
+	"nationwide",
+	"natura",
+	"navy",
+	"nba",
+	"nec",
+	"netbank",
+	"netflix",
+	"network",
+	"neustar",
+	"new",
+	"newholland",
+	"news",
+	"next",
+	"nextdirect",
+	"nexus",
+	"nfl",
+	"ngo",
+	"nhk",
+	"nico",
+	"nike",
+	"nikon",
+	"ninja",
+	"nissan",
+	"nissay",
+	"nokia",
+	"northwesternmutual",
+	"norton",
+	"now",
+	"nowruz",
+	"nowtv",
+	"nra",
+	"nrw",
+	"ntt",
+	"nyc",
+	"obi",
+	"observer",
+	"off",
+	"office",
+	"okinawa",
+	"olayan",
+	"olayangroup",
+	"oldnavy",
+	"ollo",
+	"omega",
+	"one",
+	"ong",
+	"onl",
+	"online",
+	"onyourside",
+	"ooo",
+	"open",
+	"oracle",
+	"orange",
+	"organic",
+	"origins",
+	"osaka",
+	"otsuka",
+	"ott",
+	"ovh",
+	"page",
+	"pamperedchef",
+	"panasonic",
+	"panerai",
+	"paris",
+	"pars",
+	"partners",
+	"parts",
+	"party",
+	"passagens",
+	"pay",
+	"pccw",
+	"pet",
+	"pfizer",
+	"pharmacy",
+	"phd",
+	"philips",
+	"phone",
+	"photo",
+	"photography",
+	"photos",
+	"physio",
+	"piaget",
+	"pics",
+	"pictet",
+	"pictures",
+	"pid",
+	"pin",
+	"ping",
+	"pink",
+	"pioneer",
+	"pizza",
+	"place",
+	"play",
+	"playstation",
+	"plumbing",
+	"plus",
+	"pnc",
+	"pohl",
+	"poker",
+	"politie",
+	"porn",
+	"pramerica",
+	"praxi",
+	"press",
+	"prime",
+	"prod",
+	"productions",
+	"prof",
+	"progressive",
+	"promo",
+	"properties",
+	"property",
+	"protection",
+	"pru",
+	"prudential",
+	"pub",
+	"pwc",
+	"qpon",
+	"quebec",
+	"quest",
+	"qvc",
+	"racing",
+	"radio",
+	"raid",
+	"read",
+	"realestate",
+	"realtor",
+	"realty",
+	"recipes",
+	"red",
+	"redstone",
+	"redumbrella",
+	"rehab",
+	"reise",
+	"reisen",
+	"reit",
+	"reliance",
+	"ren",
+	"rent",
+	"rentals",
+	"repair",
+	"report",
+	"republican",
+	"rest",
+	"restaurant",
+	"review",
+	"reviews",
+	"rexroth",
+	"rich",
+	"richardli",
+	"ricoh",
+	"rightathome",
+	"ril",
+	"rio",
+	"rip",
+	"rmit",
+	"rocher",
+	"rocks",
+	"rodeo",
+	"rogers",
+	"room",
+	"rsvp",
+	"rugby",
+	"ruhr",
+	"run",
+	"rwe",
+	"ryukyu",
+	"saarland",
+	"safe",
+	"safety",
+	"sakura",
+	"sale",
+	"salon",
+	"samsclub",
+	"samsung",
+	"sandvik",
+	"sandvikcoromant",
+	"sanofi",
+	"sap",
+	"sapo",
+	"sarl",
+	"sas",
+	"save",
+	"saxo",
+	"sbi",
+	"sbs",
+	"sca",
+	"scb",
+	"schaeffler",
+	"schmidt",
+	"scholarships",
+	"school",
+	"schule",
+	"schwarz",
+	"science",
+	"scjohnson",
+	"scor",
+	"scot",
+	"search",
+	"seat",
+	"secure",
+	"security",
+	"seek",
+	"select",
+	"sener",
+	"services",
+	"ses",
+	"seven",
+	"sew",
+	"sex",
+	"sexy",
+	"sfr",
+	"shangrila",
+	"sharp",
+	"shaw",
+	"shell",
+	"shia",
+	"shiksha",
+	"shoes",
+	"shop",
+	"shopping",
+	"shouji",
+	"show",
+	"showtime",
+	"shriram",
+	"silk",
+	"sina",
+	"singles",
+	"site",
+	"ski",
+	"skin",
+	"sky",
+	"skype",
+	"sling",
+	"smart",
+	"smile",
+	"sncf",
+	"soccer",
+	"social",
+	"softbank",
+	"software",
+	"sohu",
+	"solar",
+	"solutions",
+	"song",
+	"sony",
+	"soy",
+	"space",
+	"spiegel",
+	"spot",
+	"spreadbetting",
+	"srl",
+	"srt",
+	"stada",
+	"staples",
+	"star",
+	"starhub",
+	"statebank",
+	"statefarm",
+	"statoil",
+	"stc",
+	"stcgroup",
+	"stockholm",
+	"storage",
+	"store",
+	"stream",
+	"studio",
+	"study",
+	"style",
+	"sucks",
+	"supplies",
+	"supply",
+	"support",
+	"surf",
+	"surgery",
+	"suzuki",
+	"swatch",
+	"swiftcover",
+	"swiss",
+	"sydney",
+	"symantec",
+	"systems",
+	"tab",
+	"taipei",
+	"talk",
+	"taobao",
+	"target",
+	"tatamotors",
+	"tatar",
+	"tattoo",
+	"tax",
+	"taxi",
+	"tci",
+	"tdk",
+	"team",
+	"tech",
+	"technology",
+	"telecity",
+	"telefonica",
+	"temasek",
+	"tennis",
+	"teva",
+	"thd",
+	"theater",
+	"theatre",
+	"tiaa",
+	"tickets",
+	"tienda",
+	"tiffany",
+	"tips",
+	"tires",
+	"tirol",
+	"tjmaxx",
+	"tjx",
+	"tkmaxx",
+	"tmall",
+	"today",
+	"tokyo",
+	"tools",
+	"top",
+	"toray",
+	"toshiba",
+	"total",
+	"tours",
+	"town",
+	"toyota",
+	"toys",
+	"trade",
+	"trading",
+	"training",
+	"travelchannel",
+	"travelers",
+	"travelersinsurance",
+	"trust",
+	"trv",
+	"tube",
+	"tui",
+	"tunes",
+	"tushu",
+	"tvs",
+	"ubank",
+	"ubs",
+	"uconnect",
+	"unicom",
+	"university",
+	"uno",
+	"uol",
+	"ups",
+	"vacations",
+	"vana",
+	"vanguard",
+	"vegas",
+	"ventures",
+	"verisign",
+	"versicherung",
+	"vet",
+	"viajes",
+	"video",
+	"vig",
+	"viking",
+	"villas",
+	"vin",
+	"vip",
+	"virgin",
+	"visa",
+	"vision",
+	"vista",
+	"vistaprint",
+	"viva",
+	"vivo",
+	"vlaanderen",
+	"vodka",
+	"volkswagen",
+	"volvo",
+	"vote",
+	"voting",
+	"voto",
+	"voyage",
+	"vuelos",
+	"wales",
+	"walmart",
+	"walter",
+	"wang",
+	"wanggou",
+	"warman",
+	"watch",
+	"watches",
+	"weather",
+	"weatherchannel",
+	"webcam",
+	"weber",
+	"website",
+	"wed",
+	"wedding",
+	"weibo",
+	"weir",
+	"whoswho",
+	"wien",
+	"wiki",
+	"williamhill",
+	"win",
+	"windows",
+	"wine",
+	"winners",
+	"wme",
+	"wolterskluwer",
+	"woodside",
+	"work",
+	"works",
+	"world",
+	"wow",
+	"wtc",
+	"wtf",
+	"xbox",
+	"xerox",
+	"xfinity",
+	"xihuan",
+	"xin",
+	"xn--11b4c3d",
+	"xn--1ck2e1b",
+	"xn--1qqw23a",
+	"xn--30rr7y",
+	"xn--3bst00m",
+	"xn--3ds443g",
+	"xn--3oq18vl8pn36a",
+	"xn--3pxu8k",
+	"xn--42c2d9a",
+	"xn--45q11c",
+	"xn--4gbrim",
+	"xn--55qw42g",
+	"xn--55qx5d",
+	"xn--5su34j936bgsg",
+	"xn--5tzm5g",
+	"xn--6frz82g",
+	"xn--6qq986b3xl",
+	"xn--80adxhks",
+	"xn--80aqecdr1a",
+	"xn--80asehdb",
+	"xn--80aswg",
+	"xn--8y0a063a",
+	"xn--9dbq2a",
+	"xn--9et52u",
+	"xn--9krt00a",
+	"xn--b4w605ferd",
+	"xn--bck1b9a5dre4c",
+	"xn--c1avg",
+	"xn--c2br7g",
+	"xn--cck2b3b",
+	"xn--cg4bki",
+	"xn--czr694b",
+	"xn--czrs0t",
+	"xn--czru2d",
+	"xn--d1acj3b",
+	"xn--eckvdtc9d",
+	"xn--efvy88h",
+	"xn--estv75g",
+	"xn--fct429k",
+	"xn--fhbei",
+	"xn--fiq228c5hs",
+	"xn--fiq64b",
+	"xn--fjq720a",
+	"xn--flw351e",
+	"xn--fzys8d69uvgm",
+	"xn--g2xx48c",
+	"xn--gckr3f0f",
+	"xn--gk3at1e",
+	"xn--hxt814e",
+	"xn--i1b6b1a6a2e",
+	"xn--imr513n",
+	"xn--io0a7i",
+	"xn--j1aef",
+	"xn--jlq61u9w7b",
+	"xn--jvr189m",
+	"xn--kcrx77d1x4a",
+	"xn--kpu716f",
+	"xn--kput3i",
+	"xn--mgba3a3ejt",
+	"xn--mgba7c0bbn0a",
+	"xn--mgbaakc7dvf",
+	"xn--mgbab2bd",
+	"xn--mgbb9fbpob",
+	"xn--mgbca7dzdo",
+	"xn--mgbi4ecexp",
+	"xn--mgbt3dhd",
+	"xn--mk1bu44c",
+	"xn--mxtq1m",
+	"xn--ngbc5azd",
+	"xn--ngbe9e0a",
+	"xn--ngbrx",
+	"xn--nqv7f",
+	"xn--nqv7fs00ema",
+	"xn--nyqy26a",
+	"xn--p1acf",
+	"xn--pbt977c",
+	"xn--pssy2u",
+	"xn--q9jyb4c",
+	"xn--qcka1pmc",
+	"xn--rhqv96g",
+	"xn--rovu88b",
+	"xn--ses554g",
+	"xn--t60b56a",
+	"xn--tckwe",
+	"xn--tiq49xqyj",
+	"xn--unup4y",
+	"xn--vermgensberater-ctb",
+	"xn--vermgensberatung-pwb",
+	"xn--vhquv",
+	"xn--vuq861b",
+	"xn--w4r85el8fhu5dnra",
+	"xn--w4rs40l",
+	"xn--xhq521b",
+	"xn--zfr164b",
+	"xperia",
+	"xyz",
+	"yachts",
+	"yahoo",
+	"yamaxun",
+	"yandex",
+	"yodobashi",
+	"yoga",
+	"yokohama",
+	"you",
+	"youtube",
+	"yun",
+	"zappos",
+	"zara",
+	"zero",
+	"zip",
+	"zippo",
+	"zone",
+	"zuerich",
+	"cc.ua",
+	"inf.ua",
+	"ltd.ua",
+	"beep.pl",
+	"*.compute.estate",
+	"*.alces.network",
+	"*.alwaysdata.net",
+	"cloudfront.net",
+	"*.compute.amazonaws.com",
+	"*.compute-1.amazonaws.com",
+	"*.compute.amazonaws.com.cn",
+	"us-east-1.amazonaws.com",
+	"elasticbeanstalk.cn-north-1.amazonaws.com.cn",
+	"*.elasticbeanstalk.com",
+	"*.elb.amazonaws.com",
+	"*.elb.amazonaws.com.cn",
+	"s3.amazonaws.com",
+	"s3-ap-northeast-1.amazonaws.com",
+	"s3-ap-northeast-2.amazonaws.com",
+	"s3-ap-south-1.amazonaws.com",
+	"s3-ap-southeast-1.amazonaws.com",
+	"s3-ap-southeast-2.amazonaws.com",
+	"s3-ca-central-1.amazonaws.com",
+	"s3-eu-central-1.amazonaws.com",
+	"s3-eu-west-1.amazonaws.com",
+	"s3-eu-west-2.amazonaws.com",
+	"s3-external-1.amazonaws.com",
+	"s3-fips-us-gov-west-1.amazonaws.com",
+	"s3-sa-east-1.amazonaws.com",
+	"s3-us-gov-west-1.amazonaws.com",
+	"s3-us-east-2.amazonaws.com",
+	"s3-us-west-1.amazonaws.com",
+	"s3-us-west-2.amazonaws.com",
+	"s3.ap-northeast-2.amazonaws.com",
+	"s3.ap-south-1.amazonaws.com",
+	"s3.cn-north-1.amazonaws.com.cn",
+	"s3.ca-central-1.amazonaws.com",
+	"s3.eu-central-1.amazonaws.com",
+	"s3.eu-west-2.amazonaws.com",
+	"s3.us-east-2.amazonaws.com",
+	"s3.dualstack.ap-northeast-1.amazonaws.com",
+	"s3.dualstack.ap-northeast-2.amazonaws.com",
+	"s3.dualstack.ap-south-1.amazonaws.com",
+	"s3.dualstack.ap-southeast-1.amazonaws.com",
+	"s3.dualstack.ap-southeast-2.amazonaws.com",
+	"s3.dualstack.ca-central-1.amazonaws.com",
+	"s3.dualstack.eu-central-1.amazonaws.com",
+	"s3.dualstack.eu-west-1.amazonaws.com",
+	"s3.dualstack.eu-west-2.amazonaws.com",
+	"s3.dualstack.sa-east-1.amazonaws.com",
+	"s3.dualstack.us-east-1.amazonaws.com",
+	"s3.dualstack.us-east-2.amazonaws.com",
+	"s3-website-us-east-1.amazonaws.com",
+	"s3-website-us-west-1.amazonaws.com",
+	"s3-website-us-west-2.amazonaws.com",
+	"s3-website-ap-northeast-1.amazonaws.com",
+	"s3-website-ap-southeast-1.amazonaws.com",
+	"s3-website-ap-southeast-2.amazonaws.com",
+	"s3-website-eu-west-1.amazonaws.com",
+	"s3-website-sa-east-1.amazonaws.com",
+	"s3-website.ap-northeast-2.amazonaws.com",
+	"s3-website.ap-south-1.amazonaws.com",
+	"s3-website.ca-central-1.amazonaws.com",
+	"s3-website.eu-central-1.amazonaws.com",
+	"s3-website.eu-west-2.amazonaws.com",
+	"s3-website.us-east-2.amazonaws.com",
+	"t3l3p0rt.net",
+	"tele.amune.org",
+	"on-aptible.com",
+	"user.party.eus",
+	"pimienta.org",
+	"poivron.org",
+	"potager.org",
+	"sweetpepper.org",
+	"myasustor.com",
+	"myfritz.net",
+	"*.awdev.ca",
+	"*.advisor.ws",
+	"backplaneapp.io",
+	"betainabox.com",
+	"bnr.la",
+	"boxfuse.io",
+	"square7.ch",
+	"bplaced.com",
+	"bplaced.de",
+	"square7.de",
+	"bplaced.net",
+	"square7.net",
+	"browsersafetymark.io",
+	"mycd.eu",
+	"ae.org",
+	"ar.com",
+	"br.com",
+	"cn.com",
+	"com.de",
+	"com.se",
+	"de.com",
+	"eu.com",
+	"gb.com",
+	"gb.net",
+	"hu.com",
+	"hu.net",
+	"jp.net",
+	"jpn.com",
+	"kr.com",
+	"mex.com",
+	"no.com",
+	"qc.com",
+	"ru.com",
+	"sa.com",
+	"se.com",
+	"se.net",
+	"uk.com",
+	"uk.net",
+	"us.com",
+	"uy.com",
+	"za.bz",
+	"za.com",
+	"africa.com",
+	"gr.com",
+	"in.net",
+	"us.org",
+	"co.com",
+	"c.la",
+	"certmgr.org",
+	"xenapponazure.com",
+	"virtueeldomein.nl",
+	"c66.me",
+	"cloudcontrolled.com",
+	"cloudcontrolapp.com",
+	"co.ca",
+	"co.cz",
+	"c.cdn77.org",
+	"cdn77-ssl.net",
+	"r.cdn77.net",
+	"rsc.cdn77.org",
+	"ssl.origin.cdn77-secure.org",
+	"cloudns.asia",
+	"cloudns.biz",
+	"cloudns.club",
+	"cloudns.cc",
+	"cloudns.eu",
+	"cloudns.in",
+	"cloudns.info",
+	"cloudns.org",
+	"cloudns.pro",
+	"cloudns.pw",
+	"cloudns.us",
+	"co.nl",
+	"co.no",
+	"dyn.cosidns.de",
+	"dynamisches-dns.de",
+	"dnsupdater.de",
+	"internet-dns.de",
+	"l-o-g-i-n.de",
+	"dynamic-dns.info",
+	"feste-ip.net",
+	"knx-server.net",
+	"static-access.net",
+	"realm.cz",
+	"*.cryptonomic.net",
+	"cupcake.is",
+	"cyon.link",
+	"cyon.site",
+	"daplie.me",
+	"localhost.daplie.me",
+	"biz.dk",
+	"co.dk",
+	"firm.dk",
+	"reg.dk",
+	"store.dk",
+	"dedyn.io",
+	"dnshome.de",
+	"dreamhosters.com",
+	"mydrobo.com",
+	"drud.io",
+	"drud.us",
+	"duckdns.org",
+	"dy.fi",
+	"tunk.org",
+	"dyndns-at-home.com",
+	"dyndns-at-work.com",
+	"dyndns-blog.com",
+	"dyndns-free.com",
+	"dyndns-home.com",
+	"dyndns-ip.com",
+	"dyndns-mail.com",
+	"dyndns-office.com",
+	"dyndns-pics.com",
+	"dyndns-remote.com",
+	"dyndns-server.com",
+	"dyndns-web.com",
+	"dyndns-wiki.com",
+	"dyndns-work.com",
+	"dyndns.biz",
+	"dyndns.info",
+	"dyndns.org",
+	"dyndns.tv",
+	"at-band-camp.net",
+	"ath.cx",
+	"barrel-of-knowledge.info",
+	"barrell-of-knowledge.info",
+	"better-than.tv",
+	"blogdns.com",
+	"blogdns.net",
+	"blogdns.org",
+	"blogsite.org",
+	"boldlygoingnowhere.org",
+	"broke-it.net",
+	"buyshouses.net",
+	"cechire.com",
+	"dnsalias.com",
+	"dnsalias.net",
+	"dnsalias.org",
+	"dnsdojo.com",
+	"dnsdojo.net",
+	"dnsdojo.org",
+	"does-it.net",
+	"doesntexist.com",
+	"doesntexist.org",
+	"dontexist.com",
+	"dontexist.net",
+	"dontexist.org",
+	"doomdns.com",
+	"doomdns.org",
+	"dvrdns.org",
+	"dyn-o-saur.com",
+	"dynalias.com",
+	"dynalias.net",
+	"dynalias.org",
+	"dynathome.net",
+	"dyndns.ws",
+	"endofinternet.net",
+	"endofinternet.org",
+	"endoftheinternet.org",
+	"est-a-la-maison.com",
+	"est-a-la-masion.com",
+	"est-le-patron.com",
+	"est-mon-blogueur.com",
+	"for-better.biz",
+	"for-more.biz",
+	"for-our.info",
+	"for-some.biz",
+	"for-the.biz",
+	"forgot.her.name",
+	"forgot.his.name",
+	"from-ak.com",
+	"from-al.com",
+	"from-ar.com",
+	"from-az.net",
+	"from-ca.com",
+	"from-co.net",
+	"from-ct.com",
+	"from-dc.com",
+	"from-de.com",
+	"from-fl.com",
+	"from-ga.com",
+	"from-hi.com",
+	"from-ia.com",
+	"from-id.com",
+	"from-il.com",
+	"from-in.com",
+	"from-ks.com",
+	"from-ky.com",
+	"from-la.net",
+	"from-ma.com",
+	"from-md.com",
+	"from-me.org",
+	"from-mi.com",
+	"from-mn.com",
+	"from-mo.com",
+	"from-ms.com",
+	"from-mt.com",
+	"from-nc.com",
+	"from-nd.com",
+	"from-ne.com",
+	"from-nh.com",
+	"from-nj.com",
+	"from-nm.com",
+	"from-nv.com",
+	"from-ny.net",
+	"from-oh.com",
+	"from-ok.com",
+	"from-or.com",
+	"from-pa.com",
+	"from-pr.com",
+	"from-ri.com",
+	"from-sc.com",
+	"from-sd.com",
+	"from-tn.com",
+	"from-tx.com",
+	"from-ut.com",
+	"from-va.com",
+	"from-vt.com",
+	"from-wa.com",
+	"from-wi.com",
+	"from-wv.com",
+	"from-wy.com",
+	"ftpaccess.cc",
+	"fuettertdasnetz.de",
+	"game-host.org",
+	"game-server.cc",
+	"getmyip.com",
+	"gets-it.net",
+	"go.dyndns.org",
+	"gotdns.com",
+	"gotdns.org",
+	"groks-the.info",
+	"groks-this.info",
+	"ham-radio-op.net",
+	"here-for-more.info",
+	"hobby-site.com",
+	"hobby-site.org",
+	"home.dyndns.org",
+	"homedns.org",
+	"homeftp.net",
+	"homeftp.org",
+	"homeip.net",
+	"homelinux.com",
+	"homelinux.net",
+	"homelinux.org",
+	"homeunix.com",
+	"homeunix.net",
+	"homeunix.org",
+	"iamallama.com",
+	"in-the-band.net",
+	"is-a-anarchist.com",
+	"is-a-blogger.com",
+	"is-a-bookkeeper.com",
+	"is-a-bruinsfan.org",
+	"is-a-bulls-fan.com",
+	"is-a-candidate.org",
+	"is-a-caterer.com",
+	"is-a-celticsfan.org",
+	"is-a-chef.com",
+	"is-a-chef.net",
+	"is-a-chef.org",
+	"is-a-conservative.com",
+	"is-a-cpa.com",
+	"is-a-cubicle-slave.com",
+	"is-a-democrat.com",
+	"is-a-designer.com",
+	"is-a-doctor.com",
+	"is-a-financialadvisor.com",
+	"is-a-geek.com",
+	"is-a-geek.net",
+	"is-a-geek.org",
+	"is-a-green.com",
+	"is-a-guru.com",
+	"is-a-hard-worker.com",
+	"is-a-hunter.com",
+	"is-a-knight.org",
+	"is-a-landscaper.com",
+	"is-a-lawyer.com",
+	"is-a-liberal.com",
+	"is-a-libertarian.com",
+	"is-a-linux-user.org",
+	"is-a-llama.com",
+	"is-a-musician.com",
+	"is-a-nascarfan.com",
+	"is-a-nurse.com",
+	"is-a-painter.com",
+	"is-a-patsfan.org",
+	"is-a-personaltrainer.com",
+	"is-a-photographer.com",
+	"is-a-player.com",
+	"is-a-republican.com",
+	"is-a-rockstar.com",
+	"is-a-socialist.com",
+	"is-a-soxfan.org",
+	"is-a-student.com",
+	"is-a-teacher.com",
+	"is-a-techie.com",
+	"is-a-therapist.com",
+	"is-an-accountant.com",
+	"is-an-actor.com",
+	"is-an-actress.com",
+	"is-an-anarchist.com",
+	"is-an-artist.com",
+	"is-an-engineer.com",
+	"is-an-entertainer.com",
+	"is-by.us",
+	"is-certified.com",
+	"is-found.org",
+	"is-gone.com",
+	"is-into-anime.com",
+	"is-into-cars.com",
+	"is-into-cartoons.com",
+	"is-into-games.com",
+	"is-leet.com",
+	"is-lost.org",
+	"is-not-certified.com",
+	"is-saved.org",
+	"is-slick.com",
+	"is-uberleet.com",
+	"is-very-bad.org",
+	"is-very-evil.org",
+	"is-very-good.org",
+	"is-very-nice.org",
+	"is-very-sweet.org",
+	"is-with-theband.com",
+	"isa-geek.com",
+	"isa-geek.net",
+	"isa-geek.org",
+	"isa-hockeynut.com",
+	"issmarterthanyou.com",
+	"isteingeek.de",
+	"istmein.de",
+	"kicks-ass.net",
+	"kicks-ass.org",
+	"knowsitall.info",
+	"land-4-sale.us",
+	"lebtimnetz.de",
+	"leitungsen.de",
+	"likes-pie.com",
+	"likescandy.com",
+	"merseine.nu",
+	"mine.nu",
+	"misconfused.org",
+	"mypets.ws",
+	"myphotos.cc",
+	"neat-url.com",
+	"office-on-the.net",
+	"on-the-web.tv",
+	"podzone.net",
+	"podzone.org",
+	"readmyblog.org",
+	"saves-the-whales.com",
+	"scrapper-site.net",
+	"scrapping.cc",
+	"selfip.biz",
+	"selfip.com",
+	"selfip.info",
+	"selfip.net",
+	"selfip.org",
+	"sells-for-less.com",
+	"sells-for-u.com",
+	"sells-it.net",
+	"sellsyourhome.org",
+	"servebbs.com",
+	"servebbs.net",
+	"servebbs.org",
+	"serveftp.net",
+	"serveftp.org",
+	"servegame.org",
+	"shacknet.nu",
+	"simple-url.com",
+	"space-to-rent.com",
+	"stuff-4-sale.org",
+	"stuff-4-sale.us",
+	"teaches-yoga.com",
+	"thruhere.net",
+	"traeumtgerade.de",
+	"webhop.biz",
+	"webhop.info",
+	"webhop.net",
+	"webhop.org",
+	"worse-than.tv",
+	"writesthisblog.com",
+	"ddnss.de",
+	"dyn.ddnss.de",
+	"dyndns.ddnss.de",
+	"dyndns1.de",
+	"dyn-ip24.de",
+	"home-webserver.de",
+	"dyn.home-webserver.de",
+	"myhome-server.de",
+	"ddnss.org",
+	"definima.net",
+	"definima.io",
+	"dynv6.net",
+	"e4.cz",
+	"enonic.io",
+	"customer.enonic.io",
+	"eu.org",
+	"al.eu.org",
+	"asso.eu.org",
+	"at.eu.org",
+	"au.eu.org",
+	"be.eu.org",
+	"bg.eu.org",
+	"ca.eu.org",
+	"cd.eu.org",
+	"ch.eu.org",
+	"cn.eu.org",
+	"cy.eu.org",
+	"cz.eu.org",
+	"de.eu.org",
+	"dk.eu.org",
+	"edu.eu.org",
+	"ee.eu.org",
+	"es.eu.org",
+	"fi.eu.org",
+	"fr.eu.org",
+	"gr.eu.org",
+	"hr.eu.org",
+	"hu.eu.org",
+	"ie.eu.org",
+	"il.eu.org",
+	"in.eu.org",
+	"int.eu.org",
+	"is.eu.org",
+	"it.eu.org",
+	"jp.eu.org",
+	"kr.eu.org",
+	"lt.eu.org",
+	"lu.eu.org",
+	"lv.eu.org",
+	"mc.eu.org",
+	"me.eu.org",
+	"mk.eu.org",
+	"mt.eu.org",
+	"my.eu.org",
+	"net.eu.org",
+	"ng.eu.org",
+	"nl.eu.org",
+	"no.eu.org",
+	"nz.eu.org",
+	"paris.eu.org",
+	"pl.eu.org",
+	"pt.eu.org",
+	"q-a.eu.org",
+	"ro.eu.org",
+	"ru.eu.org",
+	"se.eu.org",
+	"si.eu.org",
+	"sk.eu.org",
+	"tr.eu.org",
+	"uk.eu.org",
+	"us.eu.org",
+	"eu-1.evennode.com",
+	"eu-2.evennode.com",
+	"eu-3.evennode.com",
+	"us-1.evennode.com",
+	"us-2.evennode.com",
+	"us-3.evennode.com",
+	"twmail.cc",
+	"twmail.net",
+	"twmail.org",
+	"mymailer.com.tw",
+	"url.tw",
+	"apps.fbsbx.com",
+	"ru.net",
+	"adygeya.ru",
+	"bashkiria.ru",
+	"bir.ru",
+	"cbg.ru",
+	"com.ru",
+	"dagestan.ru",
+	"grozny.ru",
+	"kalmykia.ru",
+	"kustanai.ru",
+	"marine.ru",
+	"mordovia.ru",
+	"msk.ru",
+	"mytis.ru",
+	"nalchik.ru",
+	"nov.ru",
+	"pyatigorsk.ru",
+	"spb.ru",
+	"vladikavkaz.ru",
+	"vladimir.ru",
+	"abkhazia.su",
+	"adygeya.su",
+	"aktyubinsk.su",
+	"arkhangelsk.su",
+	"armenia.su",
+	"ashgabad.su",
+	"azerbaijan.su",
+	"balashov.su",
+	"bashkiria.su",
+	"bryansk.su",
+	"bukhara.su",
+	"chimkent.su",
+	"dagestan.su",
+	"east-kazakhstan.su",
+	"exnet.su",
+	"georgia.su",
+	"grozny.su",
+	"ivanovo.su",
+	"jambyl.su",
+	"kalmykia.su",
+	"kaluga.su",
+	"karacol.su",
+	"karaganda.su",
+	"karelia.su",
+	"khakassia.su",
+	"krasnodar.su",
+	"kurgan.su",
+	"kustanai.su",
+	"lenug.su",
+	"mangyshlak.su",
+	"mordovia.su",
+	"msk.su",
+	"murmansk.su",
+	"nalchik.su",
+	"navoi.su",
+	"north-kazakhstan.su",
+	"nov.su",
+	"obninsk.su",
+	"penza.su",
+	"pokrovsk.su",
+	"sochi.su",
+	"spb.su",
+	"tashkent.su",
+	"termez.su",
+	"togliatti.su",
+	"troitsk.su",
+	"tselinograd.su",
+	"tula.su",
+	"tuva.su",
+	"vladikavkaz.su",
+	"vladimir.su",
+	"vologda.su",
+	"fastlylb.net",
+	"map.fastlylb.net",
+	"freetls.fastly.net",
+	"map.fastly.net",
+	"a.prod.fastly.net",
+	"global.prod.fastly.net",
+	"a.ssl.fastly.net",
+	"b.ssl.fastly.net",
+	"global.ssl.fastly.net",
+	"fhapp.xyz",
+	"fedorainfracloud.org",
+	"fedorapeople.org",
+	"cloud.fedoraproject.org",
+	"filegear.me",
+	"firebaseapp.com",
+	"flynnhub.com",
+	"freebox-os.com",
+	"freeboxos.com",
+	"fbx-os.fr",
+	"fbxos.fr",
+	"freebox-os.fr",
+	"freeboxos.fr",
+	"myfusion.cloud",
+	"futurehosting.at",
+	"futuremailing.at",
+	"*.ex.ortsinfo.at",
+	"*.kunden.ortsinfo.at",
+	"*.statics.cloud",
+	"service.gov.uk",
+	"github.io",
+	"githubusercontent.com",
+	"githubcloud.com",
+	"*.api.githubcloud.com",
+	"*.ext.githubcloud.com",
+	"gist.githubcloud.com",
+	"*.githubcloudusercontent.com",
+	"gitlab.io",
+	"homeoffice.gov.uk",
+	"ro.im",
+	"shop.ro",
+	"goip.de",
+	"*.0emm.com",
+	"appspot.com",
+	"blogspot.ae",
+	"blogspot.al",
+	"blogspot.am",
+	"blogspot.ba",
+	"blogspot.be",
+	"blogspot.bg",
+	"blogspot.bj",
+	"blogspot.ca",
+	"blogspot.cf",
+	"blogspot.ch",
+	"blogspot.cl",
+	"blogspot.co.at",
+	"blogspot.co.id",
+	"blogspot.co.il",
+	"blogspot.co.ke",
+	"blogspot.co.nz",
+	"blogspot.co.uk",
+	"blogspot.co.za",
+	"blogspot.com",
+	"blogspot.com.ar",
+	"blogspot.com.au",
+	"blogspot.com.br",
+	"blogspot.com.by",
+	"blogspot.com.co",
+	"blogspot.com.cy",
+	"blogspot.com.ee",
+	"blogspot.com.eg",
+	"blogspot.com.es",
+	"blogspot.com.mt",
+	"blogspot.com.ng",
+	"blogspot.com.tr",
+	"blogspot.com.uy",
+	"blogspot.cv",
+	"blogspot.cz",
+	"blogspot.de",
+	"blogspot.dk",
+	"blogspot.fi",
+	"blogspot.fr",
+	"blogspot.gr",
+	"blogspot.hk",
+	"blogspot.hr",
+	"blogspot.hu",
+	"blogspot.ie",
+	"blogspot.in",
+	"blogspot.is",
+	"blogspot.it",
+	"blogspot.jp",
+	"blogspot.kr",
+	"blogspot.li",
+	"blogspot.lt",
+	"blogspot.lu",
+	"blogspot.md",
+	"blogspot.mk",
+	"blogspot.mr",
+	"blogspot.mx",
+	"blogspot.my",
+	"blogspot.nl",
+	"blogspot.no",
+	"blogspot.pe",
+	"blogspot.pt",
+	"blogspot.qa",
+	"blogspot.re",
+	"blogspot.ro",
+	"blogspot.rs",
+	"blogspot.ru",
+	"blogspot.se",
+	"blogspot.sg",
+	"blogspot.si",
+	"blogspot.sk",
+	"blogspot.sn",
+	"blogspot.td",
+	"blogspot.tw",
+	"blogspot.ug",
+	"blogspot.vn",
+	"cloudfunctions.net",
+	"cloud.goog",
+	"codespot.com",
+	"googleapis.com",
+	"googlecode.com",
+	"pagespeedmobilizer.com",
+	"publishproxy.com",
+	"withgoogle.com",
+	"withyoutube.com",
+	"hashbang.sh",
+	"hasura-app.io",
+	"hepforge.org",
+	"herokuapp.com",
+	"herokussl.com",
+	"moonscale.net",
+	"iki.fi",
+	"biz.at",
+	"info.at",
+	"ac.leg.br",
+	"al.leg.br",
+	"am.leg.br",
+	"ap.leg.br",
+	"ba.leg.br",
+	"ce.leg.br",
+	"df.leg.br",
+	"es.leg.br",
+	"go.leg.br",
+	"ma.leg.br",
+	"mg.leg.br",
+	"ms.leg.br",
+	"mt.leg.br",
+	"pa.leg.br",
+	"pb.leg.br",
+	"pe.leg.br",
+	"pi.leg.br",
+	"pr.leg.br",
+	"rj.leg.br",
+	"rn.leg.br",
+	"ro.leg.br",
+	"rr.leg.br",
+	"rs.leg.br",
+	"sc.leg.br",
+	"se.leg.br",
+	"sp.leg.br",
+	"to.leg.br",
+	"ipifony.net",
+	"*.triton.zone",
+	"*.cns.joyent.com",
+	"js.org",
+	"keymachine.de",
+	"knightpoint.systems",
+	"co.krd",
+	"edu.krd",
+	"barsy.bg",
+	"barsyonline.com",
+	"barsy.de",
+	"barsy.eu",
+	"barsy.in",
+	"barsy.net",
+	"barsy.online",
+	"barsy.support",
+	"*.magentosite.cloud",
+	"hb.cldmail.ru",
+	"meteorapp.com",
+	"eu.meteorapp.com",
+	"co.pl",
+	"azurewebsites.net",
+	"azure-mobile.net",
+	"cloudapp.net",
+	"bmoattachments.org",
+	"4u.com",
+	"ngrok.io",
+	"nfshost.com",
+	"nsupdate.info",
+	"nerdpol.ovh",
+	"blogsyte.com",
+	"brasilia.me",
+	"cable-modem.org",
+	"ciscofreak.com",
+	"collegefan.org",
+	"couchpotatofries.org",
+	"damnserver.com",
+	"ddns.me",
+	"ditchyourip.com",
+	"dnsfor.me",
+	"dnsiskinky.com",
+	"dvrcam.info",
+	"dynns.com",
+	"eating-organic.net",
+	"fantasyleague.cc",
+	"geekgalaxy.com",
+	"golffan.us",
+	"health-carereform.com",
+	"homesecuritymac.com",
+	"homesecuritypc.com",
+	"hopto.me",
+	"ilovecollege.info",
+	"loginto.me",
+	"mlbfan.org",
+	"mmafan.biz",
+	"myactivedirectory.com",
+	"mydissent.net",
+	"myeffect.net",
+	"mymediapc.net",
+	"mypsx.net",
+	"mysecuritycamera.com",
+	"mysecuritycamera.net",
+	"mysecuritycamera.org",
+	"net-freaks.com",
+	"nflfan.org",
+	"nhlfan.net",
+	"no-ip.ca",
+	"no-ip.co.uk",
+	"no-ip.net",
+	"noip.us",
+	"onthewifi.com",
+	"pgafan.net",
+	"point2this.com",
+	"pointto.us",
+	"privatizehealthinsurance.net",
+	"quicksytes.com",
+	"read-books.org",
+	"securitytactics.com",
+	"serveexchange.com",
+	"servehumour.com",
+	"servep2p.com",
+	"servesarcasm.com",
+	"stufftoread.com",
+	"ufcfan.org",
+	"unusualperson.com",
+	"workisboring.com",
+	"3utilities.com",
+	"bounceme.net",
+	"ddns.net",
+	"ddnsking.com",
+	"gotdns.ch",
+	"hopto.org",
+	"myftp.biz",
+	"myftp.org",
+	"myvnc.com",
+	"no-ip.biz",
+	"no-ip.info",
+	"no-ip.org",
+	"noip.me",
+	"redirectme.net",
+	"servebeer.com",
+	"serveblog.net",
+	"servecounterstrike.com",
+	"serveftp.com",
+	"servegame.com",
+	"servehalflife.com",
+	"servehttp.com",
+	"serveirc.com",
+	"serveminecraft.net",
+	"servemp3.com",
+	"servepics.com",
+	"servequake.com",
+	"sytes.net",
+	"webhop.me",
+	"zapto.org",
+	"nodum.co",
+	"nodum.io",
+	"nyc.mn",
+	"cya.gg",
+	"nid.io",
+	"opencraft.hosting",
+	"operaunite.com",
+	"outsystemscloud.com",
+	"ownprovider.com",
+	"oy.lc",
+	"pgfog.com",
+	"pagefrontapp.com",
+	"art.pl",
+	"gliwice.pl",
+	"krakow.pl",
+	"poznan.pl",
+	"wroc.pl",
+	"zakopane.pl",
+	"pantheonsite.io",
+	"gotpantheon.com",
+	"mypep.link",
+	"on-web.fr",
+	"*.platform.sh",
+	"*.platformsh.site",
+	"xen.prgmr.com",
+	"priv.at",
+	"protonet.io",
+	"chirurgiens-dentistes-en-france.fr",
+	"qa2.com",
+	"dev-myqnapcloud.com",
+	"alpha-myqnapcloud.com",
+	"myqnapcloud.com",
+	"*.quipelements.com",
+	"vapor.cloud",
+	"vaporcloud.io",
+	"rackmaze.com",
+	"rackmaze.net",
+	"rhcloud.com",
+	"hzc.io",
+	"wellbeingzone.eu",
+	"ptplus.fit",
+	"wellbeingzone.co.uk",
+	"sandcats.io",
+	"logoip.de",
+	"logoip.com",
+	"firewall-gateway.com",
+	"firewall-gateway.de",
+	"my-gateway.de",
+	"my-router.de",
+	"spdns.de",
+	"spdns.eu",
+	"firewall-gateway.net",
+	"my-firewall.org",
+	"myfirewall.org",
+	"spdns.org",
+	"*.sensiosite.cloud",
+	"biz.ua",
+	"co.ua",
+	"pp.ua",
+	"shiftedit.io",
+	"myshopblocks.com",
+	"1kapp.com",
+	"appchizi.com",
+	"applinzi.com",
+	"sinaapp.com",
+	"vipsinaapp.com",
+	"bounty-full.com",
+	"alpha.bounty-full.com",
+	"beta.bounty-full.com",
+	"static.land",
+	"dev.static.land",
+	"sites.static.land",
+	"apps.lair.io",
+	"*.stolos.io",
+	"spacekit.io",
+	"stackspace.space",
+	"storj.farm",
+	"diskstation.me",
+	"dscloud.biz",
+	"dscloud.me",
+	"dscloud.mobi",
+	"dsmynas.com",
+	"dsmynas.net",
+	"dsmynas.org",
+	"familyds.com",
+	"familyds.net",
+	"familyds.org",
+	"i234.me",
+	"myds.me",
+	"synology.me",
+	"vpnplus.to",
+	"taifun-dns.de",
+	"gda.pl",
+	"gdansk.pl",
+	"gdynia.pl",
+	"med.pl",
+	"sopot.pl",
+	"bloxcms.com",
+	"townnews-staging.com",
+	"*.transurl.be",
+	"*.transurl.eu",
+	"*.transurl.nl",
+	"tuxfamily.org",
+	"dd-dns.de",
+	"diskstation.eu",
+	"diskstation.org",
+	"dray-dns.de",
+	"draydns.de",
+	"dyn-vpn.de",
+	"dynvpn.de",
+	"mein-vigor.de",
+	"my-vigor.de",
+	"my-wan.de",
+	"syno-ds.de",
+	"synology-diskstation.de",
+	"synology-ds.de",
+	"uber.space",
+	"hk.com",
+	"hk.org",
+	"ltd.hk",
+	"inc.hk",
+	"lib.de.us",
+	"router.management",
+	"wedeploy.io",
+	"wedeploy.me",
+	"remotewd.com",
+	"wmflabs.org",
+	"xs4all.space",
+	"yolasite.com",
+	"ybo.faith",
+	"yombo.me",
+	"homelink.one",
+	"ybo.party",
+	"ybo.review",
+	"ybo.science",
+	"ybo.trade",
+	"za.net",
+	"za.org",
+	"now.sh",
+}
+
+var nodeLabels = [...]string{
+	"aaa",
+	"aarp",
+	"abarth",
+	"abb",
+	"abbott",
+	"abbvie",
+	"abc",
+	"able",
+	"abogado",
+	"abudhabi",
+	"ac",
+	"academy",
+	"accenture",
+	"accountant",
+	"accountants",
+	"aco",
+	"active",
+	"actor",
+	"ad",
+	"adac",
+	"ads",
+	"adult",
+	"ae",
+	"aeg",
+	"aero",
+	"aetna",
+	"af",
+	"afamilycompany",
+	"afl",
+	"africa",
+	"ag",
+	"agakhan",
+	"agency",
+	"ai",
+	"aig",
+	"aigo",
+	"airbus",
+	"airforce",
+	"airtel",
+	"akdn",
+	"al",
+	"alfaromeo",
+	"alibaba",
+	"alipay",
+	"allfinanz",
+	"allstate",
+	"ally",
+	"alsace",
+	"alstom",
+	"am",
+	"americanexpress",
+	"americanfamily",
+	"amex",
+	"amfam",
+	"amica",
+	"amsterdam",
+	"analytics",
+	"android",
+	"anquan",
+	"anz",
+	"ao",
+	"aol",
+	"apartments",
+	"app",
+	"apple",
+	"aq",
+	"aquarelle",
+	"ar",
+	"arab",
+	"aramco",
+	"archi",
+	"army",
+	"arpa",
+	"art",
+	"arte",
+	"as",
+	"asda",
+	"asia",
+	"associates",
+	"at",
+	"athleta",
+	"attorney",
+	"au",
+	"auction",
+	"audi",
+	"audible",
+	"audio",
+	"auspost",
+	"author",
+	"auto",
+	"autos",
+	"avianca",
+	"aw",
+	"aws",
+	"ax",
+	"axa",
+	"az",
+	"azure",
+	"ba",
+	"baby",
+	"baidu",
+	"banamex",
+	"bananarepublic",
+	"band",
+	"bank",
+	"bar",
+	"barcelona",
+	"barclaycard",
+	"barclays",
+	"barefoot",
+	"bargains",
+	"baseball",
+	"basketball",
+	"bauhaus",
+	"bayern",
+	"bb",
+	"bbc",
+	"bbt",
+	"bbva",
+	"bcg",
+	"bcn",
+	"bd",
+	"be",
+	"beats",
+	"beauty",
+	"beer",
+	"bentley",
+	"berlin",
+	"best",
+	"bestbuy",
+	"bet",
+	"bf",
+	"bg",
+	"bh",
+	"bharti",
+	"bi",
+	"bible",
+	"bid",
+	"bike",
+	"bing",
+	"bingo",
+	"bio",
+	"biz",
+	"bj",
+	"black",
+	"blackfriday",
+	"blanco",
+	"blockbuster",
+	"blog",
+	"bloomberg",
+	"blue",
+	"bm",
+	"bms",
+	"bmw",
+	"bn",
+	"bnl",
+	"bnpparibas",
+	"bo",
+	"boats",
+	"boehringer",
+	"bofa",
+	"bom",
+	"bond",
+	"boo",
+	"book",
+	"booking",
+	"boots",
+	"bosch",
+	"bostik",
+	"boston",
+	"bot",
+	"boutique",
+	"box",
+	"br",
+	"bradesco",
+	"bridgestone",
+	"broadway",
+	"broker",
+	"brother",
+	"brussels",
+	"bs",
+	"bt",
+	"budapest",
+	"bugatti",
+	"build",
+	"builders",
+	"business",
+	"buy",
+	"buzz",
+	"bv",
+	"bw",
+	"by",
+	"bz",
+	"bzh",
+	"ca",
+	"cab",
+	"cafe",
+	"cal",
+	"call",
+	"calvinklein",
+	"cam",
+	"camera",
+	"camp",
+	"cancerresearch",
+	"canon",
+	"capetown",
+	"capital",
+	"capitalone",
+	"car",
+	"caravan",
+	"cards",
+	"care",
+	"career",
+	"careers",
+	"cars",
+	"cartier",
+	"casa",
+	"case",
+	"caseih",
+	"cash",
+	"casino",
+	"cat",
+	"catering",
+	"catholic",
+	"cba",
+	"cbn",
+	"cbre",
+	"cbs",
+	"cc",
+	"cd",
+	"ceb",
+	"center",
+	"ceo",
+	"cern",
+	"cf",
+	"cfa",
+	"cfd",
+	"cg",
+	"ch",
+	"chanel",
+	"channel",
+	"chase",
+	"chat",
+	"cheap",
+	"chintai",
+	"chloe",
+	"christmas",
+	"chrome",
+	"chrysler",
+	"church",
+	"ci",
+	"cipriani",
+	"circle",
+	"cisco",
+	"citadel",
+	"citi",
+	"citic",
+	"city",
+	"cityeats",
+	"ck",
+	"cl",
+	"claims",
+	"cleaning",
+	"click",
+	"clinic",
+	"clinique",
+	"clothing",
+	"cloud",
+	"club",
+	"clubmed",
+	"cm",
+	"cn",
+	"co",
+	"coach",
+	"codes",
+	"coffee",
+	"college",
+	"cologne",
+	"com",
+	"comcast",
+	"commbank",
+	"community",
+	"company",
+	"compare",
+	"computer",
+	"comsec",
+	"condos",
+	"construction",
+	"consulting",
+	"contact",
+	"contractors",
+	"cooking",
+	"cookingchannel",
+	"cool",
+	"coop",
+	"corsica",
+	"country",
+	"coupon",
+	"coupons",
+	"courses",
+	"cr",
+	"credit",
+	"creditcard",
+	"creditunion",
+	"cricket",
+	"crown",
+	"crs",
+	"cruise",
+	"cruises",
+	"csc",
+	"cu",
+	"cuisinella",
+	"cv",
+	"cw",
+	"cx",
+	"cy",
+	"cymru",
+	"cyou",
+	"cz",
+	"dabur",
+	"dad",
+	"dance",
+	"data",
+	"date",
+	"dating",
+	"datsun",
+	"day",
+	"dclk",
+	"dds",
+	"de",
+	"deal",
+	"dealer",
+	"deals",
+	"degree",
+	"delivery",
+	"dell",
+	"deloitte",
+	"delta",
+	"democrat",
+	"dental",
+	"dentist",
+	"desi",
+	"design",
+	"dev",
+	"dhl",
+	"diamonds",
+	"diet",
+	"digital",
+	"direct",
+	"directory",
+	"discount",
+	"discover",
+	"dish",
+	"diy",
+	"dj",
+	"dk",
+	"dm",
+	"dnp",
+	"do",
+	"docs",
+	"doctor",
+	"dodge",
+	"dog",
+	"doha",
+	"domains",
+	"dot",
+	"download",
+	"drive",
+	"dtv",
+	"dubai",
+	"duck",
+	"dunlop",
+	"duns",
+	"dupont",
+	"durban",
+	"dvag",
+	"dvr",
+	"dz",
+	"earth",
+	"eat",
+	"ec",
+	"eco",
+	"edeka",
+	"edu",
+	"education",
+	"ee",
+	"eg",
+	"email",
+	"emerck",
+	"energy",
+	"engineer",
+	"engineering",
+	"enterprises",
+	"epost",
+	"epson",
+	"equipment",
+	"er",
+	"ericsson",
+	"erni",
+	"es",
+	"esq",
+	"estate",
+	"esurance",
+	"et",
+	"etisalat",
+	"eu",
+	"eurovision",
+	"eus",
+	"events",
+	"everbank",
+	"exchange",
+	"expert",
+	"exposed",
+	"express",
+	"extraspace",
+	"fage",
+	"fail",
+	"fairwinds",
+	"faith",
+	"family",
+	"fan",
+	"fans",
+	"farm",
+	"farmers",
+	"fashion",
+	"fast",
+	"fedex",
+	"feedback",
+	"ferrari",
+	"ferrero",
+	"fi",
+	"fiat",
+	"fidelity",
+	"fido",
+	"film",
+	"final",
+	"finance",
+	"financial",
+	"fire",
+	"firestone",
+	"firmdale",
+	"fish",
+	"fishing",
+	"fit",
+	"fitness",
+	"fj",
+	"fk",
+	"flickr",
+	"flights",
+	"flir",
+	"florist",
+	"flowers",
+	"fly",
+	"fm",
+	"fo",
+	"foo",
+	"food",
+	"foodnetwork",
+	"football",
+	"ford",
+	"forex",
+	"forsale",
+	"forum",
+	"foundation",
+	"fox",
+	"fr",
+	"free",
+	"fresenius",
+	"frl",
+	"frogans",
+	"frontdoor",
+	"frontier",
+	"ftr",
+	"fujitsu",
+	"fujixerox",
+	"fun",
+	"fund",
+	"furniture",
+	"futbol",
+	"fyi",
+	"ga",
+	"gal",
+	"gallery",
+	"gallo",
+	"gallup",
+	"game",
+	"games",
+	"gap",
+	"garden",
+	"gb",
+	"gbiz",
+	"gd",
+	"gdn",
+	"ge",
+	"gea",
+	"gent",
+	"genting",
+	"george",
+	"gf",
+	"gg",
+	"ggee",
+	"gh",
+	"gi",
+	"gift",
+	"gifts",
+	"gives",
+	"giving",
+	"gl",
+	"glade",
+	"glass",
+	"gle",
+	"global",
+	"globo",
+	"gm",
+	"gmail",
+	"gmbh",
+	"gmo",
+	"gmx",
+	"gn",
+	"godaddy",
+	"gold",
+	"goldpoint",
+	"golf",
+	"goo",
+	"goodhands",
+	"goodyear",
+	"goog",
+	"google",
+	"gop",
+	"got",
+	"gov",
+	"gp",
+	"gq",
+	"gr",
+	"grainger",
+	"graphics",
+	"gratis",
+	"green",
+	"gripe",
+	"grocery",
+	"group",
+	"gs",
+	"gt",
+	"gu",
+	"guardian",
+	"gucci",
+	"guge",
+	"guide",
+	"guitars",
+	"guru",
+	"gw",
+	"gy",
+	"hair",
+	"hamburg",
+	"hangout",
+	"haus",
+	"hbo",
+	"hdfc",
+	"hdfcbank",
+	"health",
+	"healthcare",
+	"help",
+	"helsinki",
+	"here",
+	"hermes",
+	"hgtv",
+	"hiphop",
+	"hisamitsu",
+	"hitachi",
+	"hiv",
+	"hk",
+	"hkt",
+	"hm",
+	"hn",
+	"hockey",
+	"holdings",
+	"holiday",
+	"homedepot",
+	"homegoods",
+	"homes",
+	"homesense",
+	"honda",
+	"honeywell",
+	"horse",
+	"hospital",
+	"host",
+	"hosting",
+	"hot",
+	"hoteles",
+	"hotels",
+	"hotmail",
+	"house",
+	"how",
+	"hr",
+	"hsbc",
+	"ht",
+	"htc",
+	"hu",
+	"hughes",
+	"hyatt",
+	"hyundai",
+	"ibm",
+	"icbc",
+	"ice",
+	"icu",
+	"id",
+	"ie",
+	"ieee",
+	"ifm",
+	"ikano",
+	"il",
+	"im",
+	"imamat",
+	"imdb",
+	"immo",
+	"immobilien",
+	"in",
+	"industries",
+	"infiniti",
+	"info",
+	"ing",
+	"ink",
+	"institute",
+	"insurance",
+	"insure",
+	"int",
+	"intel",
+	"international",
+	"intuit",
+	"investments",
+	"io",
+	"ipiranga",
+	"iq",
+	"ir",
+	"irish",
+	"is",
+	"iselect",
+	"ismaili",
+	"ist",
+	"istanbul",
+	"it",
+	"itau",
+	"itv",
+	"iveco",
+	"iwc",
+	"jaguar",
+	"java",
+	"jcb",
+	"jcp",
+	"je",
+	"jeep",
+	"jetzt",
+	"jewelry",
+	"jio",
+	"jlc",
+	"jll",
+	"jm",
+	"jmp",
+	"jnj",
+	"jo",
+	"jobs",
+	"joburg",
+	"jot",
+	"joy",
+	"jp",
+	"jpmorgan",
+	"jprs",
+	"juegos",
+	"juniper",
+	"kaufen",
+	"kddi",
+	"ke",
+	"kerryhotels",
+	"kerrylogistics",
+	"kerryproperties",
+	"kfh",
+	"kg",
+	"kh",
+	"ki",
+	"kia",
+	"kim",
+	"kinder",
+	"kindle",
+	"kitchen",
+	"kiwi",
+	"km",
+	"kn",
+	"koeln",
+	"komatsu",
+	"kosher",
+	"kp",
+	"kpmg",
+	"kpn",
+	"kr",
+	"krd",
+	"kred",
+	"kuokgroup",
+	"kw",
+	"ky",
+	"kyoto",
+	"kz",
+	"la",
+	"lacaixa",
+	"ladbrokes",
+	"lamborghini",
+	"lamer",
+	"lancaster",
+	"lancia",
+	"lancome",
+	"land",
+	"landrover",
+	"lanxess",
+	"lasalle",
+	"lat",
+	"latino",
+	"latrobe",
+	"law",
+	"lawyer",
+	"lb",
+	"lc",
+	"lds",
+	"lease",
+	"leclerc",
+	"lefrak",
+	"legal",
+	"lego",
+	"lexus",
+	"lgbt",
+	"li",
+	"liaison",
+	"lidl",
+	"life",
+	"lifeinsurance",
+	"lifestyle",
+	"lighting",
+	"like",
+	"lilly",
+	"limited",
+	"limo",
+	"lincoln",
+	"linde",
+	"link",
+	"lipsy",
+	"live",
+	"living",
+	"lixil",
+	"lk",
+	"loan",
+	"loans",
+	"locker",
+	"locus",
+	"loft",
+	"lol",
+	"london",
+	"lotte",
+	"lotto",
+	"love",
+	"lpl",
+	"lplfinancial",
+	"lr",
+	"ls",
+	"lt",
+	"ltd",
+	"ltda",
+	"lu",
+	"lundbeck",
+	"lupin",
+	"luxe",
+	"luxury",
+	"lv",
+	"ly",
+	"ma",
+	"macys",
+	"madrid",
+	"maif",
+	"maison",
+	"makeup",
+	"man",
+	"management",
+	"mango",
+	"map",
+	"market",
+	"marketing",
+	"markets",
+	"marriott",
+	"marshalls",
+	"maserati",
+	"mattel",
+	"mba",
+	"mc",
+	"mcd",
+	"mcdonalds",
+	"mckinsey",
+	"md",
+	"me",
+	"med",
+	"media",
+	"meet",
+	"melbourne",
+	"meme",
+	"memorial",
+	"men",
+	"menu",
+	"meo",
+	"merckmsd",
+	"metlife",
+	"mg",
+	"mh",
+	"miami",
+	"microsoft",
+	"mil",
+	"mini",
+	"mint",
+	"mit",
+	"mitsubishi",
+	"mk",
+	"ml",
+	"mlb",
+	"mls",
+	"mm",
+	"mma",
+	"mn",
+	"mo",
+	"mobi",
+	"mobile",
+	"mobily",
+	"moda",
+	"moe",
+	"moi",
+	"mom",
+	"monash",
+	"money",
+	"monster",
+	"montblanc",
+	"mopar",
+	"mormon",
+	"mortgage",
+	"moscow",
+	"moto",
+	"motorcycles",
+	"mov",
+	"movie",
+	"movistar",
+	"mp",
+	"mq",
+	"mr",
+	"ms",
+	"msd",
+	"mt",
+	"mtn",
+	"mtpc",
+	"mtr",
+	"mu",
+	"museum",
+	"mutual",
+	"mv",
+	"mw",
+	"mx",
+	"my",
+	"mz",
+	"na",
+	"nab",
+	"nadex",
+	"nagoya",
+	"name",
+	"nationwide",
+	"natura",
+	"navy",
+	"nba",
+	"nc",
+	"ne",
+	"nec",
+	"net",
+	"netbank",
+	"netflix",
+	"network",
+	"neustar",
+	"new",
+	"newholland",
+	"news",
+	"next",
+	"nextdirect",
+	"nexus",
+	"nf",
+	"nfl",
+	"ng",
+	"ngo",
+	"nhk",
+	"ni",
+	"nico",
+	"nike",
+	"nikon",
+	"ninja",
+	"nissan",
+	"nissay",
+	"nl",
+	"no",
+	"nokia",
+	"northwesternmutual",
+	"norton",
+	"now",
+	"nowruz",
+	"nowtv",
+	"np",
+	"nr",
+	"nra",
+	"nrw",
+	"ntt",
+	"nu",
+	"nyc",
+	"nz",
+	"obi",
+	"observer",
+	"off",
+	"office",
+	"okinawa",
+	"olayan",
+	"olayangroup",
+	"oldnavy",
+	"ollo",
+	"om",
+	"omega",
+	"one",
+	"ong",
+	"onion",
+	"onl",
+	"online",
+	"onyourside",
+	"ooo",
+	"open",
+	"oracle",
+	"orange",
+	"org",
+	"organic",
+	"origins",
+	"osaka",
+	"otsuka",
+	"ott",
+	"ovh",
+	"pa",
+	"page",
+	"pamperedchef",
+	"panasonic",
+	"panerai",
+	"paris",
+	"pars",
+	"partners",
+	"parts",
+	"party",
+	"passagens",
+	"pay",
+	"pccw",
+	"pe",
+	"pet",
+	"pf",
+	"pfizer",
+	"pg",
+	"ph",
+	"pharmacy",
+	"phd",
+	"philips",
+	"phone",
+	"photo",
+	"photography",
+	"photos",
+	"physio",
+	"piaget",
+	"pics",
+	"pictet",
+	"pictures",
+	"pid",
+	"pin",
+	"ping",
+	"pink",
+	"pioneer",
+	"pizza",
+	"pk",
+	"pl",
+	"place",
+	"play",
+	"playstation",
+	"plumbing",
+	"plus",
+	"pm",
+	"pn",
+	"pnc",
+	"pohl",
+	"poker",
+	"politie",
+	"porn",
+	"post",
+	"pr",
+	"pramerica",
+	"praxi",
+	"press",
+	"prime",
+	"pro",
+	"prod",
+	"productions",
+	"prof",
+	"progressive",
+	"promo",
+	"properties",
+	"property",
+	"protection",
+	"pru",
+	"prudential",
+	"ps",
+	"pt",
+	"pub",
+	"pw",
+	"pwc",
+	"py",
+	"qa",
+	"qpon",
+	"quebec",
+	"quest",
+	"qvc",
+	"racing",
+	"radio",
+	"raid",
+	"re",
+	"read",
+	"realestate",
+	"realtor",
+	"realty",
+	"recipes",
+	"red",
+	"redstone",
+	"redumbrella",
+	"rehab",
+	"reise",
+	"reisen",
+	"reit",
+	"reliance",
+	"ren",
+	"rent",
+	"rentals",
+	"repair",
+	"report",
+	"republican",
+	"rest",
+	"restaurant",
+	"review",
+	"reviews",
+	"rexroth",
+	"rich",
+	"richardli",
+	"ricoh",
+	"rightathome",
+	"ril",
+	"rio",
+	"rip",
+	"rmit",
+	"ro",
+	"rocher",
+	"rocks",
+	"rodeo",
+	"rogers",
+	"room",
+	"rs",
+	"rsvp",
+	"ru",
+	"rugby",
+	"ruhr",
+	"run",
+	"rw",
+	"rwe",
+	"ryukyu",
+	"sa",
+	"saarland",
+	"safe",
+	"safety",
+	"sakura",
+	"sale",
+	"salon",
+	"samsclub",
+	"samsung",
+	"sandvik",
+	"sandvikcoromant",
+	"sanofi",
+	"sap",
+	"sapo",
+	"sarl",
+	"sas",
+	"save",
+	"saxo",
+	"sb",
+	"sbi",
+	"sbs",
+	"sc",
+	"sca",
+	"scb",
+	"schaeffler",
+	"schmidt",
+	"scholarships",
+	"school",
+	"schule",
+	"schwarz",
+	"science",
+	"scjohnson",
+	"scor",
+	"scot",
+	"sd",
+	"se",
+	"search",
+	"seat",
+	"secure",
+	"security",
+	"seek",
+	"select",
+	"sener",
+	"services",
+	"ses",
+	"seven",
+	"sew",
+	"sex",
+	"sexy",
+	"sfr",
+	"sg",
+	"sh",
+	"shangrila",
+	"sharp",
+	"shaw",
+	"shell",
+	"shia",
+	"shiksha",
+	"shoes",
+	"shop",
+	"shopping",
+	"shouji",
+	"show",
+	"showtime",
+	"shriram",
+	"si",
+	"silk",
+	"sina",
+	"singles",
+	"site",
+	"sj",
+	"sk",
+	"ski",
+	"skin",
+	"sky",
+	"skype",
+	"sl",
+	"sling",
+	"sm",
+	"smart",
+	"smile",
+	"sn",
+	"sncf",
+	"so",
+	"soccer",
+	"social",
+	"softbank",
+	"software",
+	"sohu",
+	"solar",
+	"solutions",
+	"song",
+	"sony",
+	"soy",
+	"space",
+	"spiegel",
+	"spot",
+	"spreadbetting",
+	"sr",
+	"srl",
+	"srt",
+	"st",
+	"stada",
+	"staples",
+	"star",
+	"starhub",
+	"statebank",
+	"statefarm",
+	"statoil",
+	"stc",
+	"stcgroup",
+	"stockholm",
+	"storage",
+	"store",
+	"stream",
+	"studio",
+	"study",
+	"style",
+	"su",
+	"sucks",
+	"supplies",
+	"supply",
+	"support",
+	"surf",
+	"surgery",
+	"suzuki",
+	"sv",
+	"swatch",
+	"swiftcover",
+	"swiss",
+	"sx",
+	"sy",
+	"sydney",
+	"symantec",
+	"systems",
+	"sz",
+	"tab",
+	"taipei",
+	"talk",
+	"taobao",
+	"target",
+	"tatamotors",
+	"tatar",
+	"tattoo",
+	"tax",
+	"taxi",
+	"tc",
+	"tci",
+	"td",
+	"tdk",
+	"team",
+	"tech",
+	"technology",
+	"tel",
+	"telecity",
+	"telefonica",
+	"temasek",
+	"tennis",
+	"teva",
+	"tf",
+	"tg",
+	"th",
+	"thd",
+	"theater",
+	"theatre",
+	"tiaa",
+	"tickets",
+	"tienda",
+	"tiffany",
+	"tips",
+	"tires",
+	"tirol",
+	"tj",
+	"tjmaxx",
+	"tjx",
+	"tk",
+	"tkmaxx",
+	"tl",
+	"tm",
+	"tmall",
+	"tn",
+	"to",
+	"today",
+	"tokyo",
+	"tools",
+	"top",
+	"toray",
+	"toshiba",
+	"total",
+	"tours",
+	"town",
+	"toyota",
+	"toys",
+	"tr",
+	"trade",
+	"trading",
+	"training",
+	"travel",
+	"travelchannel",
+	"travelers",
+	"travelersinsurance",
+	"trust",
+	"trv",
+	"tt",
+	"tube",
+	"tui",
+	"tunes",
+	"tushu",
+	"tv",
+	"tvs",
+	"tw",
+	"tz",
+	"ua",
+	"ubank",
+	"ubs",
+	"uconnect",
+	"ug",
+	"uk",
+	"unicom",
+	"university",
+	"uno",
+	"uol",
+	"ups",
+	"us",
+	"uy",
+	"uz",
+	"va",
+	"vacations",
+	"vana",
+	"vanguard",
+	"vc",
+	"ve",
+	"vegas",
+	"ventures",
+	"verisign",
+	"versicherung",
+	"vet",
+	"vg",
+	"vi",
+	"viajes",
+	"video",
+	"vig",
+	"viking",
+	"villas",
+	"vin",
+	"vip",
+	"virgin",
+	"visa",
+	"vision",
+	"vista",
+	"vistaprint",
+	"viva",
+	"vivo",
+	"vlaanderen",
+	"vn",
+	"vodka",
+	"volkswagen",
+	"volvo",
+	"vote",
+	"voting",
+	"voto",
+	"voyage",
+	"vu",
+	"vuelos",
+	"wales",
+	"walmart",
+	"walter",
+	"wang",
+	"wanggou",
+	"warman",
+	"watch",
+	"watches",
+	"weather",
+	"weatherchannel",
+	"webcam",
+	"weber",
+	"website",
+	"wed",
+	"wedding",
+	"weibo",
+	"weir",
+	"wf",
+	"whoswho",
+	"wien",
+	"wiki",
+	"williamhill",
+	"win",
+	"windows",
+	"wine",
+	"winners",
+	"wme",
+	"wolterskluwer",
+	"woodside",
+	"work",
+	"works",
+	"world",
+	"wow",
+	"ws",
+	"wtc",
+	"wtf",
+	"xbox",
+	"xerox",
+	"xfinity",
+	"xihuan",
+	"xin",
+	"xn--11b4c3d",
+	"xn--1ck2e1b",
+	"xn--1qqw23a",
+	"xn--30rr7y",
+	"xn--3bst00m",
+	"xn--3ds443g",
+	"xn--3e0b707e",
+	"xn--3oq18vl8pn36a",
+	"xn--3pxu8k",
+	"xn--42c2d9a",
+	"xn--45brj9c",
+	"xn--45q11c",
+	"xn--4gbrim",
+	"xn--54b7fta0cc",
+	"xn--55qw42g",
+	"xn--55qx5d",
+	"xn--5su34j936bgsg",
+	"xn--5tzm5g",
+	"xn--6frz82g",
+	"xn--6qq986b3xl",
+	"xn--80adxhks",
+	"xn--80ao21a",
+	"xn--80aqecdr1a",
+	"xn--80asehdb",
+	"xn--80aswg",
+	"xn--8y0a063a",
+	"xn--90a3ac",
+	"xn--90ais",
+	"xn--9dbq2a",
+	"xn--9et52u",
+	"xn--9krt00a",
+	"xn--b4w605ferd",
+	"xn--bck1b9a5dre4c",
+	"xn--c1avg",
+	"xn--c2br7g",
+	"xn--cck2b3b",
+	"xn--cg4bki",
+	"xn--clchc0ea0b2g2a9gcd",
+	"xn--czr694b",
+	"xn--czrs0t",
+	"xn--czru2d",
+	"xn--d1acj3b",
+	"xn--d1alf",
+	"xn--e1a4c",
+	"xn--eckvdtc9d",
+	"xn--efvy88h",
+	"xn--estv75g",
+	"xn--fct429k",
+	"xn--fhbei",
+	"xn--fiq228c5hs",
+	"xn--fiq64b",
+	"xn--fiqs8s",
+	"xn--fiqz9s",
+	"xn--fjq720a",
+	"xn--flw351e",
+	"xn--fpcrj9c3d",
+	"xn--fzc2c9e2c",
+	"xn--fzys8d69uvgm",
+	"xn--g2xx48c",
+	"xn--gckr3f0f",
+	"xn--gecrj9c",
+	"xn--gk3at1e",
+	"xn--h2brj9c",
+	"xn--hxt814e",
+	"xn--i1b6b1a6a2e",
+	"xn--imr513n",
+	"xn--io0a7i",
+	"xn--j1aef",
+	"xn--j1amh",
+	"xn--j6w193g",
+	"xn--jlq61u9w7b",
+	"xn--jvr189m",
+	"xn--kcrx77d1x4a",
+	"xn--kprw13d",
+	"xn--kpry57d",
+	"xn--kpu716f",
+	"xn--kput3i",
+	"xn--l1acc",
+	"xn--lgbbat1ad8j",
+	"xn--mgb2ddes",
+	"xn--mgb9awbf",
+	"xn--mgba3a3ejt",
+	"xn--mgba3a4f16a",
+	"xn--mgba3a4fra",
+	"xn--mgba7c0bbn0a",
+	"xn--mgbaakc7dvf",
+	"xn--mgbaam7a8h",
+	"xn--mgbab2bd",
+	"xn--mgbai9a5eva00b",
+	"xn--mgbai9azgqp6j",
+	"xn--mgbayh7gpa",
+	"xn--mgbb9fbpob",
+	"xn--mgbbh1a71e",
+	"xn--mgbc0a9azcg",
+	"xn--mgbca7dzdo",
+	"xn--mgberp4a5d4a87g",
+	"xn--mgberp4a5d4ar",
+	"xn--mgbi4ecexp",
+	"xn--mgbpl2fh",
+	"xn--mgbqly7c0a67fbc",
+	"xn--mgbqly7cvafr",
+	"xn--mgbt3dhd",
+	"xn--mgbtf8fl",
+	"xn--mgbtx2b",
+	"xn--mgbx4cd0ab",
+	"xn--mix082f",
+	"xn--mix891f",
+	"xn--mk1bu44c",
+	"xn--mxtq1m",
+	"xn--ngbc5azd",
+	"xn--ngbe9e0a",
+	"xn--ngbrx",
+	"xn--nnx388a",
+	"xn--node",
+	"xn--nqv7f",
+	"xn--nqv7fs00ema",
+	"xn--nyqy26a",
+	"xn--o3cw4h",
+	"xn--ogbpf8fl",
+	"xn--p1acf",
+	"xn--p1ai",
+	"xn--pbt977c",
+	"xn--pgbs0dh",
+	"xn--pssy2u",
+	"xn--q9jyb4c",
+	"xn--qcka1pmc",
+	"xn--qxam",
+	"xn--rhqv96g",
+	"xn--rovu88b",
+	"xn--s9brj9c",
+	"xn--ses554g",
+	"xn--t60b56a",
+	"xn--tckwe",
+	"xn--tiq49xqyj",
+	"xn--unup4y",
+	"xn--vermgensberater-ctb",
+	"xn--vermgensberatung-pwb",
+	"xn--vhquv",
+	"xn--vuq861b",
+	"xn--w4r85el8fhu5dnra",
+	"xn--w4rs40l",
+	"xn--wgbh1c",
+	"xn--wgbl6a",
+	"xn--xhq521b",
+	"xn--xkc2al3hye2a",
+	"xn--xkc2dl3a5ee0h",
+	"xn--y9a3aq",
+	"xn--yfro4i67o",
+	"xn--ygbi2ammx",
+	"xn--zfr164b",
+	"xperia",
+	"xxx",
+	"xyz",
+	"yachts",
+	"yahoo",
+	"yamaxun",
+	"yandex",
+	"ye",
+	"yodobashi",
+	"yoga",
+	"yokohama",
+	"you",
+	"youtube",
+	"yt",
+	"yun",
+	"za",
+	"zappos",
+	"zara",
+	"zero",
+	"zip",
+	"zippo",
+	"zm",
+	"zone",
+	"zuerich",
+	"zw",
+	"com",
+	"edu",
+	"gov",
+	"mil",
+	"net",
+	"org",
+	"nom",
+	"ac",
+	"blogspot",
+	"co",
+	"gov",
+	"mil",
+	"net",
+	"org",
+	"sch",
+	"accident-investigation",
+	"accident-prevention",
+	"aerobatic",
+	"aeroclub",
+	"aerodrome",
+	"agents",
+	"air-surveillance",
+	"air-traffic-control",
+	"aircraft",
+	"airline",
+	"airport",
+	"airtraffic",
+	"ambulance",
+	"amusement",
+	"association",
+	"author",
+	"ballooning",
+	"broker",
+	"caa",
+	"cargo",
+	"catering",
+	"certification",
+	"championship",
+	"charter",
+	"civilaviation",
+	"club",
+	"conference",
+	"consultant",
+	"consulting",
+	"control",
+	"council",
+	"crew",
+	"design",
+	"dgca",
+	"educator",
+	"emergency",
+	"engine",
+	"engineer",
+	"entertainment",
+	"equipment",
+	"exchange",
+	"express",
+	"federation",
+	"flight",
+	"freight",
+	"fuel",
+	"gliding",
+	"government",
+	"groundhandling",
+	"group",
+	"hanggliding",
+	"homebuilt",
+	"insurance",
+	"journal",
+	"journalist",
+	"leasing",
+	"logistics",
+	"magazine",
+	"maintenance",
+	"media",
+	"microlight",
+	"modelling",
+	"navigation",
+	"parachuting",
+	"paragliding",
+	"passenger-association",
+	"pilot",
+	"press",
+	"production",
+	"recreation",
+	"repbody",
+	"res",
+	"research",
+	"rotorcraft",
+	"safety",
+	"scientist",
+	"services",
+	"show",
+	"skydiving",
+	"software",
+	"student",
+	"trader",
+	"trading",
+	"trainer",
+	"union",
+	"workinggroup",
+	"works",
+	"com",
+	"edu",
+	"gov",
+	"net",
+	"org",
+	"co",
+	"com",
+	"net",
+	"nom",
+	"org",
+	"com",
+	"net",
+	"off",
+	"org",
+	"blogspot",
+	"com",
+	"edu",
+	"gov",
+	"mil",
+	"net",
+	"org",
+	"blogspot",
+	"co",
+	"ed",
+	"gv",
+	"it",
+	"og",
+	"pb",
+	"com",
+	"edu",
+	"gob",
+	"gov",
+	"int",
+	"mil",
+	"musica",
+	"net",
+	"org",
+	"tur",
+	"blogspot",
+	"e164",
+	"in-addr",
+	"ip6",
+	"iris",
+	"uri",
+	"urn",
+	"gov",
+	"cloudns",
+	"ac",
+	"biz",
+	"co",
+	"futurehosting",
+	"futuremailing",
+	"gv",
+	"info",
+	"or",
+	"ortsinfo",
+	"priv",
+	"blogspot",
+	"ex",
+	"kunden",
+	"act",
+	"asn",
+	"com",
+	"conf",
+	"edu",
+	"gov",
+	"id",
+	"info",
+	"net",
+	"nsw",
+	"nt",
+	"org",
+	"oz",
+	"qld",
+	"sa",
+	"tas",
+	"vic",
+	"wa",
+	"blogspot",
+	"act",
+	"nsw",
+	"nt",
+	"qld",
+	"sa",
+	"tas",
+	"vic",
+	"wa",
+	"qld",
+	"sa",
+	"tas",
+	"vic",
+	"wa",
+	"com",
+	"biz",
+	"com",
+	"edu",
+	"gov",
+	"info",
+	"int",
+	"mil",
+	"name",
+	"net",
+	"org",
+	"pp",
+	"pro",
+	"blogspot",
+	"com",
+	"edu",
+	"gov",
+	"mil",
+	"net",
+	"org",
+	"biz",
+	"co",
+	"com",
+	"edu",
+	"gov",
+	"info",
+	"net",
+	"org",
+	"store",
+	"tv",
+	"ac",
+	"blogspot",
+	"transurl",
+	"gov",
+	"0",
+	"1",
+	"2",
+	"3",
+	"4",
+	"5",
+	"6",
+	"7",
+	"8",
+	"9",
+	"a",
+	"b",
+	"barsy",
+	"blogspot",
+	"c",
+	"d",
+	"e",
+	"f",
+	"g",
+	"h",
+	"i",
+	"j",
+	"k",
+	"l",
+	"m",
+	"n",
+	"o",
+	"p",
+	"q",
+	"r",
+	"s",
+	"t",
+	"u",
+	"v",
+	"w",
+	"x",
+	"y",
+	"z",
+	"com",
+	"edu",
+	"gov",
+	"net",
+	"org",
+	"co",
+	"com",
+	"edu",
+	"or",
+	"org",
+	"cloudns",
+	"dscloud",
+	"dyndns",
+	"for-better",
+	"for-more",
+	"for-some",
+	"for-the",
+	"mmafan",
+	"myftp",
+	"no-ip",
+	"selfip",
+	"webhop",
+	"asso",
+	"barreau",
+	"blogspot",
+	"gouv",
+	"com",
+	"edu",
+	"gov",
+	"net",
+	"org",
+	"com",
+	"edu",
+	"gob",
+	"gov",
+	"int",
+	"mil",
+	"net",
+	"org",
+	"tv",
+	"adm",
+	"adv",
+	"agr",
+	"am",
+	"arq",
+	"art",
+	"ato",
+	"b",
+	"belem",
+	"bio",
+	"blog",
+	"bmd",
+	"cim",
+	"cng",
+	"cnt",
+	"com",
+	"coop",
+	"cri",
+	"def",
+	"ecn",
+	"eco",
+	"edu",
+	"emp",
+	"eng",
+	"esp",
+	"etc",
+	"eti",
+	"far",
+	"flog",
+	"floripa",
+	"fm",
+	"fnd",
+	"fot",
+	"fst",
+	"g12",
+	"ggf",
+	"gov",
+	"imb",
+	"ind",
+	"inf",
+	"jampa",
+	"jor",
+	"jus",
+	"leg",
+	"lel",
+	"mat",
+	"med",
+	"mil",
+	"mp",
+	"mus",
+	"net",
+	"nom",
+	"not",
+	"ntr",
+	"odo",
+	"org",
+	"poa",
+	"ppg",
+	"pro",
+	"psc",
+	"psi",
+	"qsl",
+	"radio",
+	"rec",
+	"recife",
+	"slg",
+	"srv",
+	"taxi",
+	"teo",
+	"tmp",
+	"trd",
+	"tur",
+	"tv",
+	"vet",
+	"vix",
+	"vlog",
+	"wiki",
+	"zlg",
+	"blogspot",
+	"ac",
+	"al",
+	"am",
+	"ap",
+	"ba",
+	"ce",
+	"df",
+	"es",
+	"go",
+	"ma",
+	"mg",
+	"ms",
+	"mt",
+	"pa",
+	"pb",
+	"pe",
+	"pi",
+	"pr",
+	"rj",
+	"rn",
+	"ro",
+	"rr",
+	"rs",
+	"sc",
+	"se",
+	"sp",
+	"to",
+	"ac",
+	"al",
+	"am",
+	"ap",
+	"ba",
+	"ce",
+	"df",
+	"es",
+	"go",
+	"ma",
+	"mg",
+	"ms",
+	"mt",
+	"pa",
+	"pb",
+	"pe",
+	"pi",
+	"pr",
+	"rj",
+	"rn",
+	"ro",
+	"rr",
+	"rs",
+	"sc",
+	"se",
+	"sp",
+	"to",
+	"com",
+	"edu",
+	"gov",
+	"net",
+	"org",
+	"com",
+	"edu",
+	"gov",
+	"net",
+	"org",
+	"co",
+	"org",
+	"com",
+	"gov",
+	"mil",
+	"of",
+	"blogspot",
+	"com",
+	"edu",
+	"gov",
+	"net",
+	"org",
+	"za",
+	"ab",
+	"awdev",
+	"bc",
+	"blogspot",
+	"co",
+	"gc",
+	"mb",
+	"nb",
+	"nf",
+	"nl",
+	"no-ip",
+	"ns",
+	"nt",
+	"nu",
+	"on",
+	"pe",
+	"qc",
+	"sk",
+	"yk",
+	"cloudns",
+	"fantasyleague",
+	"ftpaccess",
+	"game-server",
+	"myphotos",
+	"scrapping",
+	"twmail",
+	"gov",
+	"blogspot",
+	"blogspot",
+	"gotdns",
+	"square7",
+	"ac",
+	"asso",
+	"co",
+	"com",
+	"ed",
+	"edu",
+	"go",
+	"gouv",
+	"int",
+	"md",
+	"net",
+	"or",
+	"org",
+	"presse",
+	"xn--aroport-bya",
+	"www",
+	"blogspot",
+	"co",
+	"gob",
+	"gov",
+	"mil",
+	"magentosite",
+	"myfusion",
+	"sensiosite",
+	"statics",
+	"vapor",
+	"cloudns",
+	"co",
+	"com",
+	"gov",
+	"net",
+	"ac",
+	"ah",
+	"bj",
+	"com",
+	"cq",
+	"edu",
+	"fj",
+	"gd",
+	"gov",
+	"gs",
+	"gx",
+	"gz",
+	"ha",
+	"hb",
+	"he",
+	"hi",
+	"hk",
+	"hl",
+	"hn",
+	"jl",
+	"js",
+	"jx",
+	"ln",
+	"mil",
+	"mo",
+	"net",
+	"nm",
+	"nx",
+	"org",
+	"qh",
+	"sc",
+	"sd",
+	"sh",
+	"sn",
+	"sx",
+	"tj",
+	"tw",
+	"xj",
+	"xn--55qx5d",
+	"xn--io0a7i",
+	"xn--od0alg",
+	"xz",
+	"yn",
+	"zj",
+	"amazonaws",
+	"cn-north-1",
+	"compute",
+	"elb",
+	"elasticbeanstalk",
+	"s3",
+	"arts",
+	"com",
+	"edu",
+	"firm",
+	"gov",
+	"info",
+	"int",
+	"mil",
+	"net",
+	"nodum",
+	"nom",
+	"org",
+	"rec",
+	"web",
+	"blogspot",
+	"0emm",
+	"1kapp",
+	"3utilities",
+	"4u",
+	"africa",
+	"alpha-myqnapcloud",
+	"amazonaws",
+	"appchizi",
+	"applinzi",
+	"appspot",
+	"ar",
+	"barsyonline",
+	"betainabox",
+	"blogdns",
+	"blogspot",
+	"blogsyte",
+	"bloxcms",
+	"bounty-full",
+	"bplaced",
+	"br",
+	"cechire",
+	"ciscofreak",
+	"cloudcontrolapp",
+	"cloudcontrolled",
+	"cn",
+	"co",
+	"codespot",
+	"damnserver",
+	"ddnsking",
+	"de",
+	"dev-myqnapcloud",
+	"ditchyourip",
+	"dnsalias",
+	"dnsdojo",
+	"dnsiskinky",
+	"doesntexist",
+	"dontexist",
+	"doomdns",
+	"dreamhosters",
+	"dsmynas",
+	"dyn-o-saur",
+	"dynalias",
+	"dyndns-at-home",
+	"dyndns-at-work",
+	"dyndns-blog",
+	"dyndns-free",
+	"dyndns-home",
+	"dyndns-ip",
+	"dyndns-mail",
+	"dyndns-office",
+	"dyndns-pics",
+	"dyndns-remote",
+	"dyndns-server",
+	"dyndns-web",
+	"dyndns-wiki",
+	"dyndns-work",
+	"dynns",
+	"elasticbeanstalk",
+	"est-a-la-maison",
+	"est-a-la-masion",
+	"est-le-patron",
+	"est-mon-blogueur",
+	"eu",
+	"evennode",
+	"familyds",
+	"fbsbx",
+	"firebaseapp",
+	"firewall-gateway",
+	"flynnhub",
+	"freebox-os",
+	"freeboxos",
+	"from-ak",
+	"from-al",
+	"from-ar",
+	"from-ca",
+	"from-ct",
+	"from-dc",
+	"from-de",
+	"from-fl",
+	"from-ga",
+	"from-hi",
+	"from-ia",
+	"from-id",
+	"from-il",
+	"from-in",
+	"from-ks",
+	"from-ky",
+	"from-ma",
+	"from-md",
+	"from-mi",
+	"from-mn",
+	"from-mo",
+	"from-ms",
+	"from-mt",
+	"from-nc",
+	"from-nd",
+	"from-ne",
+	"from-nh",
+	"from-nj",
+	"from-nm",
+	"from-nv",
+	"from-oh",
+	"from-ok",
+	"from-or",
+	"from-pa",
+	"from-pr",
+	"from-ri",
+	"from-sc",
+	"from-sd",
+	"from-tn",
+	"from-tx",
+	"from-ut",
+	"from-va",
+	"from-vt",
+	"from-wa",
+	"from-wi",
+	"from-wv",
+	"from-wy",
+	"gb",
+	"geekgalaxy",
+	"getmyip",
+	"githubcloud",
+	"githubcloudusercontent",
+	"githubusercontent",
+	"googleapis",
+	"googlecode",
+	"gotdns",
+	"gotpantheon",
+	"gr",
+	"health-carereform",
+	"herokuapp",
+	"herokussl",
+	"hk",
+	"hobby-site",
+	"homelinux",
+	"homesecuritymac",
+	"homesecuritypc",
+	"homeunix",
+	"hu",
+	"iamallama",
+	"is-a-anarchist",
+	"is-a-blogger",
+	"is-a-bookkeeper",
+	"is-a-bulls-fan",
+	"is-a-caterer",
+	"is-a-chef",
+	"is-a-conservative",
+	"is-a-cpa",
+	"is-a-cubicle-slave",
+	"is-a-democrat",
+	"is-a-designer",
+	"is-a-doctor",
+	"is-a-financialadvisor",
+	"is-a-geek",
+	"is-a-green",
+	"is-a-guru",
+	"is-a-hard-worker",
+	"is-a-hunter",
+	"is-a-landscaper",
+	"is-a-lawyer",
+	"is-a-liberal",
+	"is-a-libertarian",
+	"is-a-llama",
+	"is-a-musician",
+	"is-a-nascarfan",
+	"is-a-nurse",
+	"is-a-painter",
+	"is-a-personaltrainer",
+	"is-a-photographer",
+	"is-a-player",
+	"is-a-republican",
+	"is-a-rockstar",
+	"is-a-socialist",
+	"is-a-student",
+	"is-a-teacher",
+	"is-a-techie",
+	"is-a-therapist",
+	"is-an-accountant",
+	"is-an-actor",
+	"is-an-actress",
+	"is-an-anarchist",
+	"is-an-artist",
+	"is-an-engineer",
+	"is-an-entertainer",
+	"is-certified",
+	"is-gone",
+	"is-into-anime",
+	"is-into-cars",
+	"is-into-cartoons",
+	"is-into-games",
+	"is-leet",
+	"is-not-certified",
+	"is-slick",
+	"is-uberleet",
+	"is-with-theband",
+	"isa-geek",
+	"isa-hockeynut",
+	"issmarterthanyou",
+	"joyent",
+	"jpn",
+	"kr",
+	"likes-pie",
+	"likescandy",
+	"logoip",
+	"meteorapp",
+	"mex",
+	"myactivedirectory",
+	"myasustor",
+	"mydrobo",
+	"myqnapcloud",
+	"mysecuritycamera",
+	"myshopblocks",
+	"myvnc",
+	"neat-url",
+	"net-freaks",
+	"nfshost",
+	"no",
+	"on-aptible",
+	"onthewifi",
+	"operaunite",
+	"outsystemscloud",
+	"ownprovider",
+	"pagefrontapp",
+	"pagespeedmobilizer",
+	"pgfog",
+	"point2this",
+	"prgmr",
+	"publishproxy",
+	"qa2",
+	"qc",
+	"quicksytes",
+	"quipelements",
+	"rackmaze",
+	"remotewd",
+	"rhcloud",
+	"ru",
+	"sa",
+	"saves-the-whales",
+	"se",
+	"securitytactics",
+	"selfip",
+	"sells-for-less",
+	"sells-for-u",
+	"servebbs",
+	"servebeer",
+	"servecounterstrike",
+	"serveexchange",
+	"serveftp",
+	"servegame",
+	"servehalflife",
+	"servehttp",
+	"servehumour",
+	"serveirc",
+	"servemp3",
+	"servep2p",
+	"servepics",
+	"servequake",
+	"servesarcasm",
+	"simple-url",
+	"sinaapp",
+	"space-to-rent",
+	"stufftoread",
+	"teaches-yoga",
+	"townnews-staging",
+	"uk",
+	"unusualperson",
+	"us",
+	"uy",
+	"vipsinaapp",
+	"withgoogle",
+	"withyoutube",
+	"workisboring",
+	"writesthisblog",
+	"xenapponazure",
+	"yolasite",
+	"za",
+	"ap-northeast-1",
+	"ap-northeast-2",
+	"ap-south-1",
+	"ap-southeast-1",
+	"ap-southeast-2",
+	"ca-central-1",
+	"compute",
+	"compute-1",
+	"elb",
+	"eu-central-1",
+	"eu-west-1",
+	"eu-west-2",
+	"s3",
+	"s3-ap-northeast-1",
+	"s3-ap-northeast-2",
+	"s3-ap-south-1",
+	"s3-ap-southeast-1",
+	"s3-ap-southeast-2",
+	"s3-ca-central-1",
+	"s3-eu-central-1",
+	"s3-eu-west-1",
+	"s3-eu-west-2",
+	"s3-external-1",
+	"s3-fips-us-gov-west-1",
+	"s3-sa-east-1",
+	"s3-us-east-2",
+	"s3-us-gov-west-1",
+	"s3-us-west-1",
+	"s3-us-west-2",
+	"s3-website-ap-northeast-1",
+	"s3-website-ap-southeast-1",
+	"s3-website-ap-southeast-2",
+	"s3-website-eu-west-1",
+	"s3-website-sa-east-1",
+	"s3-website-us-east-1",
+	"s3-website-us-west-1",
+	"s3-website-us-west-2",
+	"sa-east-1",
+	"us-east-1",
+	"us-east-2",
+	"dualstack",
+	"s3",
+	"dualstack",
+	"s3",
+	"s3-website",
+	"s3",
+	"dualstack",
+	"s3",
+	"s3-website",
+	"s3",
+	"dualstack",
+	"s3",
+	"dualstack",
+	"s3",
+	"dualstack",
+	"s3",
+	"s3-website",
+	"s3",
+	"dualstack",
+	"s3",
+	"s3-website",
+	"s3",
+	"dualstack",
+	"s3",
+	"dualstack",
+	"s3",
+	"s3-website",
+	"s3",
+	"dualstack",
+	"s3",
+	"dualstack",
+	"s3",
+	"dualstack",
+	"s3",
+	"s3-website",
+	"s3",
+	"alpha",
+	"beta",
+	"eu-1",
+	"eu-2",
+	"eu-3",
+	"us-1",
+	"us-2",
+	"us-3",
+	"apps",
+	"api",
+	"ext",
+	"gist",
+	"cns",
+	"eu",
+	"xen",
+	"ac",
+	"co",
+	"ed",
+	"fi",
+	"go",
+	"or",
+	"sa",
+	"com",
+	"edu",
+	"gov",
+	"inf",
+	"net",
+	"org",
+	"blogspot",
+	"com",
+	"edu",
+	"net",
+	"org",
+	"ath",
+	"gov",
+	"ac",
+	"biz",
+	"com",
+	"ekloges",
+	"gov",
+	"ltd",
+	"name",
+	"net",
+	"org",
+	"parliament",
+	"press",
+	"pro",
+	"tm",
+	"blogspot",
+	"blogspot",
+	"co",
+	"e4",
+	"realm",
+	"barsy",
+	"blogspot",
+	"bplaced",
+	"com",
+	"cosidns",
+	"dd-dns",
+	"ddnss",
+	"dnshome",
+	"dnsupdater",
+	"dray-dns",
+	"draydns",
+	"dyn-ip24",
+	"dyn-vpn",
+	"dynamisches-dns",
+	"dyndns1",
+	"dynvpn",
+	"firewall-gateway",
+	"fuettertdasnetz",
+	"goip",
+	"home-webserver",
+	"internet-dns",
+	"isteingeek",
+	"istmein",
+	"keymachine",
+	"l-o-g-i-n",
+	"lebtimnetz",
+	"leitungsen",
+	"logoip",
+	"mein-vigor",
+	"my-gateway",
+	"my-router",
+	"my-vigor",
+	"my-wan",
+	"myhome-server",
+	"spdns",
+	"square7",
+	"syno-ds",
+	"synology-diskstation",
+	"synology-ds",
+	"taifun-dns",
+	"traeumtgerade",
+	"dyn",
+	"dyn",
+	"dyndns",
+	"dyn",
+	"biz",
+	"blogspot",
+	"co",
+	"firm",
+	"reg",
+	"store",
+	"com",
+	"edu",
+	"gov",
+	"net",
+	"org",
+	"art",
+	"com",
+	"edu",
+	"gob",
+	"gov",
+	"mil",
+	"net",
+	"org",
+	"sld",
+	"web",
+	"art",
+	"asso",
+	"com",
+	"edu",
+	"gov",
+	"net",
+	"org",
+	"pol",
+	"com",
+	"edu",
+	"fin",
+	"gob",
+	"gov",
+	"info",
+	"k12",
+	"med",
+	"mil",
+	"net",
+	"org",
+	"pro",
+	"aip",
+	"com",
+	"edu",
+	"fie",
+	"gov",
+	"lib",
+	"med",
+	"org",
+	"pri",
+	"riik",
+	"blogspot",
+	"com",
+	"edu",
+	"eun",
+	"gov",
+	"mil",
+	"name",
+	"net",
+	"org",
+	"sci",
+	"blogspot",
+	"com",
+	"edu",
+	"gob",
+	"nom",
+	"org",
+	"blogspot",
+	"compute",
+	"biz",
+	"com",
+	"edu",
+	"gov",
+	"info",
+	"name",
+	"net",
+	"org",
+	"barsy",
+	"cloudns",
+	"diskstation",
+	"mycd",
+	"spdns",
+	"transurl",
+	"wellbeingzone",
+	"party",
+	"user",
+	"ybo",
+	"storj",
+	"aland",
+	"blogspot",
+	"dy",
+	"iki",
+	"ptplus",
+	"aeroport",
+	"assedic",
+	"asso",
+	"avocat",
+	"avoues",
+	"blogspot",
+	"cci",
+	"chambagri",
+	"chirurgiens-dentistes",
+	"chirurgiens-dentistes-en-france",
+	"com",
+	"experts-comptables",
+	"fbx-os",
+	"fbxos",
+	"freebox-os",
+	"freeboxos",
+	"geometre-expert",
+	"gouv",
+	"greta",
+	"huissier-justice",
+	"medecin",
+	"nom",
+	"notaires",
+	"on-web",
+	"pharmacien",
+	"port",
+	"prd",
+	"presse",
+	"tm",
+	"veterinaire",
+	"com",
+	"edu",
+	"gov",
+	"mil",
+	"net",
+	"org",
+	"pvt",
+	"co",
+	"cya",
+	"net",
+	"org",
+	"com",
+	"edu",
+	"gov",
+	"mil",
+	"org",
+	"com",
+	"edu",
+	"gov",
+	"ltd",
+	"mod",
+	"org",
+	"co",
+	"com",
+	"edu",
+	"net",
+	"org",
+	"ac",
+	"com",
+	"edu",
+	"gov",
+	"net",
+	"org",
+	"cloud",
+	"asso",
+	"com",
+	"edu",
+	"mobi",
+	"net",
+	"org",
+	"blogspot",
+	"com",
+	"edu",
+	"gov",
+	"net",
+	"org",
+	"com",
+	"edu",
+	"gob",
+	"ind",
+	"mil",
+	"net",
+	"org",
+	"co",
+	"com",
+	"edu",
+	"gov",
+	"net",
+	"org",
+	"blogspot",
+	"com",
+	"edu",
+	"gov",
+	"idv",
+	"inc",
+	"ltd",
+	"net",
+	"org",
+	"xn--55qx5d",
+	"xn--ciqpn",
+	"xn--gmq050i",
+	"xn--gmqw5a",
+	"xn--io0a7i",
+	"xn--lcvr32d",
+	"xn--mk0axi",
+	"xn--mxtq1m",
+	"xn--od0alg",
+	"xn--od0aq3b",
+	"xn--tn0ag",
+	"xn--uc0atv",
+	"xn--uc0ay4a",
+	"xn--wcvs22d",
+	"xn--zf0avx",
+	"com",
+	"edu",
+	"gob",
+	"mil",
+	"net",
+	"org",
+	"opencraft",
+	"blogspot",
+	"com",
+	"from",
+	"iz",
+	"name",
+	"adult",
+	"art",
+	"asso",
+	"com",
+	"coop",
+	"edu",
+	"firm",
+	"gouv",
+	"info",
+	"med",
+	"net",
+	"org",
+	"perso",
+	"pol",
+	"pro",
+	"rel",
+	"shop",
+	"2000",
+	"agrar",
+	"blogspot",
+	"bolt",
+	"casino",
+	"city",
+	"co",
+	"erotica",
+	"erotika",
+	"film",
+	"forum",
+	"games",
+	"hotel",
+	"info",
+	"ingatlan",
+	"jogasz",
+	"konyvelo",
+	"lakas",
+	"media",
+	"news",
+	"org",
+	"priv",
+	"reklam",
+	"sex",
+	"shop",
+	"sport",
+	"suli",
+	"szex",
+	"tm",
+	"tozsde",
+	"utazas",
+	"video",
+	"ac",
+	"biz",
+	"co",
+	"desa",
+	"go",
+	"mil",
+	"my",
+	"net",
+	"or",
+	"sch",
+	"web",
+	"blogspot",
+	"blogspot",
+	"gov",
+	"ac",
+	"co",
+	"gov",
+	"idf",
+	"k12",
+	"muni",
+	"net",
+	"org",
+	"blogspot",
+	"ac",
+	"co",
+	"com",
+	"net",
+	"org",
+	"ro",
+	"tt",
+	"tv",
+	"ltd",
+	"plc",
+	"ac",
+	"barsy",
+	"blogspot",
+	"cloudns",
+	"co",
+	"edu",
+	"firm",
+	"gen",
+	"gov",
+	"ind",
+	"mil",
+	"net",
+	"nic",
+	"org",
+	"res",
+	"barrel-of-knowledge",
+	"barrell-of-knowledge",
+	"cloudns",
+	"dvrcam",
+	"dynamic-dns",
+	"dyndns",
+	"for-our",
+	"groks-the",
+	"groks-this",
+	"here-for-more",
+	"ilovecollege",
+	"knowsitall",
+	"no-ip",
+	"nsupdate",
+	"selfip",
+	"webhop",
+	"eu",
+	"backplaneapp",
+	"boxfuse",
+	"browsersafetymark",
+	"com",
+	"dedyn",
+	"definima",
+	"drud",
+	"enonic",
+	"github",
+	"gitlab",
+	"hasura-app",
+	"hzc",
+	"lair",
+	"ngrok",
+	"nid",
+	"nodum",
+	"pantheonsite",
+	"protonet",
+	"sandcats",
+	"shiftedit",
+	"spacekit",
+	"stolos",
+	"vaporcloud",
+	"wedeploy",
+	"customer",
+	"apps",
+	"com",
+	"edu",
+	"gov",
+	"mil",
+	"net",
+	"org",
+	"ac",
+	"co",
+	"gov",
+	"id",
+	"net",
+	"org",
+	"sch",
+	"xn--mgba3a4f16a",
+	"xn--mgba3a4fra",
+	"blogspot",
+	"com",
+	"cupcake",
+	"edu",
+	"gov",
+	"int",
+	"net",
+	"org",
+	"abr",
+	"abruzzo",
+	"ag",
+	"agrigento",
+	"al",
+	"alessandria",
+	"alto-adige",
+	"altoadige",
+	"an",
+	"ancona",
+	"andria-barletta-trani",
+	"andria-trani-barletta",
+	"andriabarlettatrani",
+	"andriatranibarletta",
+	"ao",
+	"aosta",
+	"aosta-valley",
+	"aostavalley",
+	"aoste",
+	"ap",
+	"aq",
+	"aquila",
+	"ar",
+	"arezzo",
+	"ascoli-piceno",
+	"ascolipiceno",
+	"asti",
+	"at",
+	"av",
+	"avellino",
+	"ba",
+	"balsan",
+	"bari",
+	"barletta-trani-andria",
+	"barlettatraniandria",
+	"bas",
+	"basilicata",
+	"belluno",
+	"benevento",
+	"bergamo",
+	"bg",
+	"bi",
+	"biella",
+	"bl",
+	"blogspot",
+	"bn",
+	"bo",
+	"bologna",
+	"bolzano",
+	"bozen",
+	"br",
+	"brescia",
+	"brindisi",
+	"bs",
+	"bt",
+	"bz",
+	"ca",
+	"cagliari",
+	"cal",
+	"calabria",
+	"caltanissetta",
+	"cam",
+	"campania",
+	"campidano-medio",
+	"campidanomedio",
+	"campobasso",
+	"carbonia-iglesias",
+	"carboniaiglesias",
+	"carrara-massa",
+	"carraramassa",
+	"caserta",
+	"catania",
+	"catanzaro",
+	"cb",
+	"ce",
+	"cesena-forli",
+	"cesenaforli",
+	"ch",
+	"chieti",
+	"ci",
+	"cl",
+	"cn",
+	"co",
+	"como",
+	"cosenza",
+	"cr",
+	"cremona",
+	"crotone",
+	"cs",
+	"ct",
+	"cuneo",
+	"cz",
+	"dell-ogliastra",
+	"dellogliastra",
+	"edu",
+	"emilia-romagna",
+	"emiliaromagna",
+	"emr",
+	"en",
+	"enna",
+	"fc",
+	"fe",
+	"fermo",
+	"ferrara",
+	"fg",
+	"fi",
+	"firenze",
+	"florence",
+	"fm",
+	"foggia",
+	"forli-cesena",
+	"forlicesena",
+	"fr",
+	"friuli-v-giulia",
+	"friuli-ve-giulia",
+	"friuli-vegiulia",
+	"friuli-venezia-giulia",
+	"friuli-veneziagiulia",
+	"friuli-vgiulia",
+	"friuliv-giulia",
+	"friulive-giulia",
+	"friulivegiulia",
+	"friulivenezia-giulia",
+	"friuliveneziagiulia",
+	"friulivgiulia",
+	"frosinone",
+	"fvg",
+	"ge",
+	"genoa",
+	"genova",
+	"go",
+	"gorizia",
+	"gov",
+	"gr",
+	"grosseto",
+	"iglesias-carbonia",
+	"iglesiascarbonia",
+	"im",
+	"imperia",
+	"is",
+	"isernia",
+	"kr",
+	"la-spezia",
+	"laquila",
+	"laspezia",
+	"latina",
+	"laz",
+	"lazio",
+	"lc",
+	"le",
+	"lecce",
+	"lecco",
+	"li",
+	"lig",
+	"liguria",
+	"livorno",
+	"lo",
+	"lodi",
+	"lom",
+	"lombardia",
+	"lombardy",
+	"lt",
+	"lu",
+	"lucania",
+	"lucca",
+	"macerata",
+	"mantova",
+	"mar",
+	"marche",
+	"massa-carrara",
+	"massacarrara",
+	"matera",
+	"mb",
+	"mc",
+	"me",
+	"medio-campidano",
+	"mediocampidano",
+	"messina",
+	"mi",
+	"milan",
+	"milano",
+	"mn",
+	"mo",
+	"modena",
+	"mol",
+	"molise",
+	"monza",
+	"monza-brianza",
+	"monza-e-della-brianza",
+	"monzabrianza",
+	"monzaebrianza",
+	"monzaedellabrianza",
+	"ms",
+	"mt",
+	"na",
+	"naples",
+	"napoli",
+	"no",
+	"novara",
+	"nu",
+	"nuoro",
+	"og",
+	"ogliastra",
+	"olbia-tempio",
+	"olbiatempio",
+	"or",
+	"oristano",
+	"ot",
+	"pa",
+	"padova",
+	"padua",
+	"palermo",
+	"parma",
+	"pavia",
+	"pc",
+	"pd",
+	"pe",
+	"perugia",
+	"pesaro-urbino",
+	"pesarourbino",
+	"pescara",
+	"pg",
+	"pi",
+	"piacenza",
+	"piedmont",
+	"piemonte",
+	"pisa",
+	"pistoia",
+	"pmn",
+	"pn",
+	"po",
+	"pordenone",
+	"potenza",
+	"pr",
+	"prato",
+	"pt",
+	"pu",
+	"pug",
+	"puglia",
+	"pv",
+	"pz",
+	"ra",
+	"ragusa",
+	"ravenna",
+	"rc",
+	"re",
+	"reggio-calabria",
+	"reggio-emilia",
+	"reggiocalabria",
+	"reggioemilia",
+	"rg",
+	"ri",
+	"rieti",
+	"rimini",
+	"rm",
+	"rn",
+	"ro",
+	"roma",
+	"rome",
+	"rovigo",
+	"sa",
+	"salerno",
+	"sar",
+	"sardegna",
+	"sardinia",
+	"sassari",
+	"savona",
+	"si",
+	"sic",
+	"sicilia",
+	"sicily",
+	"siena",
+	"siracusa",
+	"so",
+	"sondrio",
+	"sp",
+	"sr",
+	"ss",
+	"suedtirol",
+	"sv",
+	"ta",
+	"taa",
+	"taranto",
+	"te",
+	"tempio-olbia",
+	"tempioolbia",
+	"teramo",
+	"terni",
+	"tn",
+	"to",
+	"torino",
+	"tos",
+	"toscana",
+	"tp",
+	"tr",
+	"trani-andria-barletta",
+	"trani-barletta-andria",
+	"traniandriabarletta",
+	"tranibarlettaandria",
+	"trapani",
+	"trentino",
+	"trentino-a-adige",
+	"trentino-aadige",
+	"trentino-alto-adige",
+	"trentino-altoadige",
+	"trentino-s-tirol",
+	"trentino-stirol",
+	"trentino-sud-tirol",
+	"trentino-sudtirol",
+	"trentino-sued-tirol",
+	"trentino-suedtirol",
+	"trentinoa-adige",
+	"trentinoaadige",
+	"trentinoalto-adige",
+	"trentinoaltoadige",
+	"trentinos-tirol",
+	"trentinostirol",
+	"trentinosud-tirol",
+	"trentinosudtirol",
+	"trentinosued-tirol",
+	"trentinosuedtirol",
+	"trento",
+	"treviso",
+	"trieste",
+	"ts",
+	"turin",
+	"tuscany",
+	"tv",
+	"ud",
+	"udine",
+	"umb",
+	"umbria",
+	"urbino-pesaro",
+	"urbinopesaro",
+	"va",
+	"val-d-aosta",
+	"val-daosta",
+	"vald-aosta",
+	"valdaosta",
+	"valle-aosta",
+	"valle-d-aosta",
+	"valle-daosta",
+	"valleaosta",
+	"valled-aosta",
+	"valledaosta",
+	"vallee-aoste",
+	"valleeaoste",
+	"vao",
+	"varese",
+	"vb",
+	"vc",
+	"vda",
+	"ve",
+	"ven",
+	"veneto",
+	"venezia",
+	"venice",
+	"verbania",
+	"vercelli",
+	"verona",
+	"vi",
+	"vibo-valentia",
+	"vibovalentia",
+	"vicenza",
+	"viterbo",
+	"vr",
+	"vs",
+	"vt",
+	"vv",
+	"co",
+	"net",
+	"org",
+	"com",
+	"edu",
+	"gov",
+	"mil",
+	"name",
+	"net",
+	"org",
+	"sch",
+	"ac",
+	"ad",
+	"aichi",
+	"akita",
+	"aomori",
+	"blogspot",
+	"chiba",
+	"co",
+	"ed",
+	"ehime",
+	"fukui",
+	"fukuoka",
+	"fukushima",
+	"gifu",
+	"go",
+	"gr",
+	"gunma",
+	"hiroshima",
+	"hokkaido",
+	"hyogo",
+	"ibaraki",
+	"ishikawa",
+	"iwate",
+	"kagawa",
+	"kagoshima",
+	"kanagawa",
+	"kawasaki",
+	"kitakyushu",
+	"kobe",
+	"kochi",
+	"kumamoto",
+	"kyoto",
+	"lg",
+	"mie",
+	"miyagi",
+	"miyazaki",
+	"nagano",
+	"nagasaki",
+	"nagoya",
+	"nara",
+	"ne",
+	"niigata",
+	"oita",
+	"okayama",
+	"okinawa",
+	"or",
+	"osaka",
+	"saga",
+	"saitama",
+	"sapporo",
+	"sendai",
+	"shiga",
+	"shimane",
+	"shizuoka",
+	"tochigi",
+	"tokushima",
+	"tokyo",
+	"tottori",
+	"toyama",
+	"wakayama",
+	"xn--0trq7p7nn",
+	"xn--1ctwo",
+	"xn--1lqs03n",
+	"xn--1lqs71d",
+	"xn--2m4a15e",
+	"xn--32vp30h",
+	"xn--4it168d",
+	"xn--4it797k",
+	"xn--4pvxs",
+	"xn--5js045d",
+	"xn--5rtp49c",
+	"xn--5rtq34k",
+	"xn--6btw5a",
+	"xn--6orx2r",
+	"xn--7t0a264c",
+	"xn--8ltr62k",
+	"xn--8pvr4u",
+	"xn--c3s14m",
+	"xn--d5qv7z876c",
+	"xn--djrs72d6uy",
+	"xn--djty4k",
+	"xn--efvn9s",
+	"xn--ehqz56n",
+	"xn--elqq16h",
+	"xn--f6qx53a",
+	"xn--k7yn95e",
+	"xn--kbrq7o",
+	"xn--klt787d",
+	"xn--kltp7d",
+	"xn--kltx9a",
+	"xn--klty5x",
+	"xn--mkru45i",
+	"xn--nit225k",
+	"xn--ntso0iqx3a",
+	"xn--ntsq17g",
+	"xn--pssu33l",
+	"xn--qqqt11m",
+	"xn--rht27z",
+	"xn--rht3d",
+	"xn--rht61e",
+	"xn--rny31h",
+	"xn--tor131o",
+	"xn--uist22h",
+	"xn--uisz3g",
+	"xn--uuwu58a",
+	"xn--vgu402c",
+	"xn--zbx025d",
+	"yamagata",
+	"yamaguchi",
+	"yamanashi",
+	"yokohama",
+	"aisai",
+	"ama",
+	"anjo",
+	"asuke",
+	"chiryu",
+	"chita",
+	"fuso",
+	"gamagori",
+	"handa",
+	"hazu",
+	"hekinan",
+	"higashiura",
+	"ichinomiya",
+	"inazawa",
+	"inuyama",
+	"isshiki",
+	"iwakura",
+	"kanie",
+	"kariya",
+	"kasugai",
+	"kira",
+	"kiyosu",
+	"komaki",
+	"konan",
+	"kota",
+	"mihama",
+	"miyoshi",
+	"nishio",
+	"nisshin",
+	"obu",
+	"oguchi",
+	"oharu",
+	"okazaki",
+	"owariasahi",
+	"seto",
+	"shikatsu",
+	"shinshiro",
+	"shitara",
+	"tahara",
+	"takahama",
+	"tobishima",
+	"toei",
+	"togo",
+	"tokai",
+	"tokoname",
+	"toyoake",
+	"toyohashi",
+	"toyokawa",
+	"toyone",
+	"toyota",
+	"tsushima",
+	"yatomi",
+	"akita",
+	"daisen",
+	"fujisato",
+	"gojome",
+	"hachirogata",
+	"happou",
+	"higashinaruse",
+	"honjo",
+	"honjyo",
+	"ikawa",
+	"kamikoani",
+	"kamioka",
+	"katagami",
+	"kazuno",
+	"kitaakita",
+	"kosaka",
+	"kyowa",
+	"misato",
+	"mitane",
+	"moriyoshi",
+	"nikaho",
+	"noshiro",
+	"odate",
+	"oga",
+	"ogata",
+	"semboku",
+	"yokote",
+	"yurihonjo",
+	"aomori",
+	"gonohe",
+	"hachinohe",
+	"hashikami",
+	"hiranai",
+	"hirosaki",
+	"itayanagi",
+	"kuroishi",
+	"misawa",
+	"mutsu",
+	"nakadomari",
+	"noheji",
+	"oirase",
+	"owani",
+	"rokunohe",
+	"sannohe",
+	"shichinohe",
+	"shingo",
+	"takko",
+	"towada",
+	"tsugaru",
+	"tsuruta",
+	"abiko",
+	"asahi",
+	"chonan",
+	"chosei",
+	"choshi",
+	"chuo",
+	"funabashi",
+	"futtsu",
+	"hanamigawa",
+	"ichihara",
+	"ichikawa",
+	"ichinomiya",
+	"inzai",
+	"isumi",
+	"kamagaya",
+	"kamogawa",
+	"kashiwa",
+	"katori",
+	"katsuura",
+	"kimitsu",
+	"kisarazu",
+	"kozaki",
+	"kujukuri",
+	"kyonan",
+	"matsudo",
+	"midori",
+	"mihama",
+	"minamiboso",
+	"mobara",
+	"mutsuzawa",
+	"nagara",
+	"nagareyama",
+	"narashino",
+	"narita",
+	"noda",
+	"oamishirasato",
+	"omigawa",
+	"onjuku",
+	"otaki",
+	"sakae",
+	"sakura",
+	"shimofusa",
+	"shirako",
+	"shiroi",
+	"shisui",
+	"sodegaura",
+	"sosa",
+	"tako",
+	"tateyama",
+	"togane",
+	"tohnosho",
+	"tomisato",
+	"urayasu",
+	"yachimata",
+	"yachiyo",
+	"yokaichiba",
+	"yokoshibahikari",
+	"yotsukaido",
+	"ainan",
+	"honai",
+	"ikata",
+	"imabari",
+	"iyo",
+	"kamijima",
+	"kihoku",
+	"kumakogen",
+	"masaki",
+	"matsuno",
+	"matsuyama",
+	"namikata",
+	"niihama",
+	"ozu",
+	"saijo",
+	"seiyo",
+	"shikokuchuo",
+	"tobe",
+	"toon",
+	"uchiko",
+	"uwajima",
+	"yawatahama",
+	"echizen",
+	"eiheiji",
+	"fukui",
+	"ikeda",
+	"katsuyama",
+	"mihama",
+	"minamiechizen",
+	"obama",
+	"ohi",
+	"ono",
+	"sabae",
+	"sakai",
+	"takahama",
+	"tsuruga",
+	"wakasa",
+	"ashiya",
+	"buzen",
+	"chikugo",
+	"chikuho",
+	"chikujo",
+	"chikushino",
+	"chikuzen",
+	"chuo",
+	"dazaifu",
+	"fukuchi",
+	"hakata",
+	"higashi",
+	"hirokawa",
+	"hisayama",
+	"iizuka",
+	"inatsuki",
+	"kaho",
+	"kasuga",
+	"kasuya",
+	"kawara",
+	"keisen",
+	"koga",
+	"kurate",
+	"kurogi",
+	"kurume",
+	"minami",
+	"miyako",
+	"miyama",
+	"miyawaka",
+	"mizumaki",
+	"munakata",
+	"nakagawa",
+	"nakama",
+	"nishi",
+	"nogata",
+	"ogori",
+	"okagaki",
+	"okawa",
+	"oki",
+	"omuta",
+	"onga",
+	"onojo",
+	"oto",
+	"saigawa",
+	"sasaguri",
+	"shingu",
+	"shinyoshitomi",
+	"shonai",
+	"soeda",
+	"sue",
+	"tachiarai",
+	"tagawa",
+	"takata",
+	"toho",
+	"toyotsu",
+	"tsuiki",
+	"ukiha",
+	"umi",
+	"usui",
+	"yamada",
+	"yame",
+	"yanagawa",
+	"yukuhashi",
+	"aizubange",
+	"aizumisato",
+	"aizuwakamatsu",
+	"asakawa",
+	"bandai",
+	"date",
+	"fukushima",
+	"furudono",
+	"futaba",
+	"hanawa",
+	"higashi",
+	"hirata",
+	"hirono",
+	"iitate",
+	"inawashiro",
+	"ishikawa",
+	"iwaki",
+	"izumizaki",
+	"kagamiishi",
+	"kaneyama",
+	"kawamata",
+	"kitakata",
+	"kitashiobara",
+	"koori",
+	"koriyama",
+	"kunimi",
+	"miharu",
+	"mishima",
+	"namie",
+	"nango",
+	"nishiaizu",
+	"nishigo",
+	"okuma",
+	"omotego",
+	"ono",
+	"otama",
+	"samegawa",
+	"shimogo",
+	"shirakawa",
+	"showa",
+	"soma",
+	"sukagawa",
+	"taishin",
+	"tamakawa",
+	"tanagura",
+	"tenei",
+	"yabuki",
+	"yamato",
+	"yamatsuri",
+	"yanaizu",
+	"yugawa",
+	"anpachi",
+	"ena",
+	"gifu",
+	"ginan",
+	"godo",
+	"gujo",
+	"hashima",
+	"hichiso",
+	"hida",
+	"higashishirakawa",
+	"ibigawa",
+	"ikeda",
+	"kakamigahara",
+	"kani",
+	"kasahara",
+	"kasamatsu",
+	"kawaue",
+	"kitagata",
+	"mino",
+	"minokamo",
+	"mitake",
+	"mizunami",
+	"motosu",
+	"nakatsugawa",
+	"ogaki",
+	"sakahogi",
+	"seki",
+	"sekigahara",
+	"shirakawa",
+	"tajimi",
+	"takayama",
+	"tarui",
+	"toki",
+	"tomika",
+	"wanouchi",
+	"yamagata",
+	"yaotsu",
+	"yoro",
+	"annaka",
+	"chiyoda",
+	"fujioka",
+	"higashiagatsuma",
+	"isesaki",
+	"itakura",
+	"kanna",
+	"kanra",
+	"katashina",
+	"kawaba",
+	"kiryu",
+	"kusatsu",
+	"maebashi",
+	"meiwa",
+	"midori",
+	"minakami",
+	"naganohara",
+	"nakanojo",
+	"nanmoku",
+	"numata",
+	"oizumi",
+	"ora",
+	"ota",
+	"shibukawa",
+	"shimonita",
+	"shinto",
+	"showa",
+	"takasaki",
+	"takayama",
+	"tamamura",
+	"tatebayashi",
+	"tomioka",
+	"tsukiyono",
+	"tsumagoi",
+	"ueno",
+	"yoshioka",
+	"asaminami",
+	"daiwa",
+	"etajima",
+	"fuchu",
+	"fukuyama",
+	"hatsukaichi",
+	"higashihiroshima",
+	"hongo",
+	"jinsekikogen",
+	"kaita",
+	"kui",
+	"kumano",
+	"kure",
+	"mihara",
+	"miyoshi",
+	"naka",
+	"onomichi",
+	"osakikamijima",
+	"otake",
+	"saka",
+	"sera",
+	"seranishi",
+	"shinichi",
+	"shobara",
+	"takehara",
+	"abashiri",
+	"abira",
+	"aibetsu",
+	"akabira",
+	"akkeshi",
+	"asahikawa",
+	"ashibetsu",
+	"ashoro",
+	"assabu",
+	"atsuma",
+	"bibai",
+	"biei",
+	"bifuka",
+	"bihoro",
+	"biratori",
+	"chippubetsu",
+	"chitose",
+	"date",
+	"ebetsu",
+	"embetsu",
+	"eniwa",
+	"erimo",
+	"esan",
+	"esashi",
+	"fukagawa",
+	"fukushima",
+	"furano",
+	"furubira",
+	"haboro",
+	"hakodate",
+	"hamatonbetsu",
+	"hidaka",
+	"higashikagura",
+	"higashikawa",
+	"hiroo",
+	"hokuryu",
+	"hokuto",
+	"honbetsu",
+	"horokanai",
+	"horonobe",
+	"ikeda",
+	"imakane",
+	"ishikari",
+	"iwamizawa",
+	"iwanai",
+	"kamifurano",
+	"kamikawa",
+	"kamishihoro",
+	"kamisunagawa",
+	"kamoenai",
+	"kayabe",
+	"kembuchi",
+	"kikonai",
+	"kimobetsu",
+	"kitahiroshima",
+	"kitami",
+	"kiyosato",
+	"koshimizu",
+	"kunneppu",
+	"kuriyama",
+	"kuromatsunai",
+	"kushiro",
+	"kutchan",
+	"kyowa",
+	"mashike",
+	"matsumae",
+	"mikasa",
+	"minamifurano",
+	"mombetsu",
+	"moseushi",
+	"mukawa",
+	"muroran",
+	"naie",
+	"nakagawa",
+	"nakasatsunai",
+	"nakatombetsu",
+	"nanae",
+	"nanporo",
+	"nayoro",
+	"nemuro",
+	"niikappu",
+	"niki",
+	"nishiokoppe",
+	"noboribetsu",
+	"numata",
+	"obihiro",
+	"obira",
+	"oketo",
+	"okoppe",
+	"otaru",
+	"otobe",
+	"otofuke",
+	"otoineppu",
+	"oumu",
+	"ozora",
+	"pippu",
+	"rankoshi",
+	"rebun",
+	"rikubetsu",
+	"rishiri",
+	"rishirifuji",
+	"saroma",
+	"sarufutsu",
+	"shakotan",
+	"shari",
+	"shibecha",
+	"shibetsu",
+	"shikabe",
+	"shikaoi",
+	"shimamaki",
+	"shimizu",
+	"shimokawa",
+	"shinshinotsu",
+	"shintoku",
+	"shiranuka",
+	"shiraoi",
+	"shiriuchi",
+	"sobetsu",
+	"sunagawa",
+	"taiki",
+	"takasu",
+	"takikawa",
+	"takinoue",
+	"teshikaga",
+	"tobetsu",
+	"tohma",
+	"tomakomai",
+	"tomari",
+	"toya",
+	"toyako",
+	"toyotomi",
+	"toyoura",
+	"tsubetsu",
+	"tsukigata",
+	"urakawa",
+	"urausu",
+	"uryu",
+	"utashinai",
+	"wakkanai",
+	"wassamu",
+	"yakumo",
+	"yoichi",
+	"aioi",
+	"akashi",
+	"ako",
+	"amagasaki",
+	"aogaki",
+	"asago",
+	"ashiya",
+	"awaji",
+	"fukusaki",
+	"goshiki",
+	"harima",
+	"himeji",
+	"ichikawa",
+	"inagawa",
+	"itami",
+	"kakogawa",
+	"kamigori",
+	"kamikawa",
+	"kasai",
+	"kasuga",
+	"kawanishi",
+	"miki",
+	"minamiawaji",
+	"nishinomiya",
+	"nishiwaki",
+	"ono",
+	"sanda",
+	"sannan",
+	"sasayama",
+	"sayo",
+	"shingu",
+	"shinonsen",
+	"shiso",
+	"sumoto",
+	"taishi",
+	"taka",
+	"takarazuka",
+	"takasago",
+	"takino",
+	"tamba",
+	"tatsuno",
+	"toyooka",
+	"yabu",
+	"yashiro",
+	"yoka",
+	"yokawa",
+	"ami",
+	"asahi",
+	"bando",
+	"chikusei",
+	"daigo",
+	"fujishiro",
+	"hitachi",
+	"hitachinaka",
+	"hitachiomiya",
+	"hitachiota",
+	"ibaraki",
+	"ina",
+	"inashiki",
+	"itako",
+	"iwama",
+	"joso",
+	"kamisu",
+	"kasama",
+	"kashima",
+	"kasumigaura",
+	"koga",
+	"miho",
+	"mito",
+	"moriya",
+	"naka",
+	"namegata",
+	"oarai",
+	"ogawa",
+	"omitama",
+	"ryugasaki",
+	"sakai",
+	"sakuragawa",
+	"shimodate",
+	"shimotsuma",
+	"shirosato",
+	"sowa",
+	"suifu",
+	"takahagi",
+	"tamatsukuri",
+	"tokai",
+	"tomobe",
+	"tone",
+	"toride",
+	"tsuchiura",
+	"tsukuba",
+	"uchihara",
+	"ushiku",
+	"yachiyo",
+	"yamagata",
+	"yawara",
+	"yuki",
+	"anamizu",
+	"hakui",
+	"hakusan",
+	"kaga",
+	"kahoku",
+	"kanazawa",
+	"kawakita",
+	"komatsu",
+	"nakanoto",
+	"nanao",
+	"nomi",
+	"nonoichi",
+	"noto",
+	"shika",
+	"suzu",
+	"tsubata",
+	"tsurugi",
+	"uchinada",
+	"wajima",
+	"fudai",
+	"fujisawa",
+	"hanamaki",
+	"hiraizumi",
+	"hirono",
+	"ichinohe",
+	"ichinoseki",
+	"iwaizumi",
+	"iwate",
+	"joboji",
+	"kamaishi",
+	"kanegasaki",
+	"karumai",
+	"kawai",
+	"kitakami",
+	"kuji",
+	"kunohe",
+	"kuzumaki",
+	"miyako",
+	"mizusawa",
+	"morioka",
+	"ninohe",
+	"noda",
+	"ofunato",
+	"oshu",
+	"otsuchi",
+	"rikuzentakata",
+	"shiwa",
+	"shizukuishi",
+	"sumita",
+	"tanohata",
+	"tono",
+	"yahaba",
+	"yamada",
+	"ayagawa",
+	"higashikagawa",
+	"kanonji",
+	"kotohira",
+	"manno",
+	"marugame",
+	"mitoyo",
+	"naoshima",
+	"sanuki",
+	"tadotsu",
+	"takamatsu",
+	"tonosho",
+	"uchinomi",
+	"utazu",
+	"zentsuji",
+	"akune",
+	"amami",
+	"hioki",
+	"isa",
+	"isen",
+	"izumi",
+	"kagoshima",
+	"kanoya",
+	"kawanabe",
+	"kinko",
+	"kouyama",
+	"makurazaki",
+	"matsumoto",
+	"minamitane",
+	"nakatane",
+	"nishinoomote",
+	"satsumasendai",
+	"soo",
+	"tarumizu",
+	"yusui",
+	"aikawa",
+	"atsugi",
+	"ayase",
+	"chigasaki",
+	"ebina",
+	"fujisawa",
+	"hadano",
+	"hakone",
+	"hiratsuka",
+	"isehara",
+	"kaisei",
+	"kamakura",
+	"kiyokawa",
+	"matsuda",
+	"minamiashigara",
+	"miura",
+	"nakai",
+	"ninomiya",
+	"odawara",
+	"oi",
+	"oiso",
+	"sagamihara",
+	"samukawa",
+	"tsukui",
+	"yamakita",
+	"yamato",
+	"yokosuka",
+	"yugawara",
+	"zama",
+	"zushi",
+	"city",
+	"city",
+	"city",
+	"aki",
+	"geisei",
+	"hidaka",
+	"higashitsuno",
+	"ino",
+	"kagami",
+	"kami",
+	"kitagawa",
+	"kochi",
+	"mihara",
+	"motoyama",
+	"muroto",
+	"nahari",
+	"nakamura",
+	"nankoku",
+	"nishitosa",
+	"niyodogawa",
+	"ochi",
+	"okawa",
+	"otoyo",
+	"otsuki",
+	"sakawa",
+	"sukumo",
+	"susaki",
+	"tosa",
+	"tosashimizu",
+	"toyo",
+	"tsuno",
+	"umaji",
+	"yasuda",
+	"yusuhara",
+	"amakusa",
+	"arao",
+	"aso",
+	"choyo",
+	"gyokuto",
+	"kamiamakusa",
+	"kikuchi",
+	"kumamoto",
+	"mashiki",
+	"mifune",
+	"minamata",
+	"minamioguni",
+	"nagasu",
+	"nishihara",
+	"oguni",
+	"ozu",
+	"sumoto",
+	"takamori",
+	"uki",
+	"uto",
+	"yamaga",
+	"yamato",
+	"yatsushiro",
+	"ayabe",
+	"fukuchiyama",
+	"higashiyama",
+	"ide",
+	"ine",
+	"joyo",
+	"kameoka",
+	"kamo",
+	"kita",
+	"kizu",
+	"kumiyama",
+	"kyotamba",
+	"kyotanabe",
+	"kyotango",
+	"maizuru",
+	"minami",
+	"minamiyamashiro",
+	"miyazu",
+	"muko",
+	"nagaokakyo",
+	"nakagyo",
+	"nantan",
+	"oyamazaki",
+	"sakyo",
+	"seika",
+	"tanabe",
+	"uji",
+	"ujitawara",
+	"wazuka",
+	"yamashina",
+	"yawata",
+	"asahi",
+	"inabe",
+	"ise",
+	"kameyama",
+	"kawagoe",
+	"kiho",
+	"kisosaki",
+	"kiwa",
+	"komono",
+	"kumano",
+	"kuwana",
+	"matsusaka",
+	"meiwa",
+	"mihama",
+	"minamiise",
+	"misugi",
+	"miyama",
+	"nabari",
+	"shima",
+	"suzuka",
+	"tado",
+	"taiki",
+	"taki",
+	"tamaki",
+	"toba",
+	"tsu",
+	"udono",
+	"ureshino",
+	"watarai",
+	"yokkaichi",
+	"furukawa",
+	"higashimatsushima",
+	"ishinomaki",
+	"iwanuma",
+	"kakuda",
+	"kami",
+	"kawasaki",
+	"marumori",
+	"matsushima",
+	"minamisanriku",
+	"misato",
+	"murata",
+	"natori",
+	"ogawara",
+	"ohira",
+	"onagawa",
+	"osaki",
+	"rifu",
+	"semine",
+	"shibata",
+	"shichikashuku",
+	"shikama",
+	"shiogama",
+	"shiroishi",
+	"tagajo",
+	"taiwa",
+	"tome",
+	"tomiya",
+	"wakuya",
+	"watari",
+	"yamamoto",
+	"zao",
+	"aya",
+	"ebino",
+	"gokase",
+	"hyuga",
+	"kadogawa",
+	"kawaminami",
+	"kijo",
+	"kitagawa",
+	"kitakata",
+	"kitaura",
+	"kobayashi",
+	"kunitomi",
+	"kushima",
+	"mimata",
+	"miyakonojo",
+	"miyazaki",
+	"morotsuka",
+	"nichinan",
+	"nishimera",
+	"nobeoka",
+	"saito",
+	"shiiba",
+	"shintomi",
+	"takaharu",
+	"takanabe",
+	"takazaki",
+	"tsuno",
+	"achi",
+	"agematsu",
+	"anan",
+	"aoki",
+	"asahi",
+	"azumino",
+	"chikuhoku",
+	"chikuma",
+	"chino",
+	"fujimi",
+	"hakuba",
+	"hara",
+	"hiraya",
+	"iida",
+	"iijima",
+	"iiyama",
+	"iizuna",
+	"ikeda",
+	"ikusaka",
+	"ina",
+	"karuizawa",
+	"kawakami",
+	"kiso",
+	"kisofukushima",
+	"kitaaiki",
+	"komagane",
+	"komoro",
+	"matsukawa",
+	"matsumoto",
+	"miasa",
+	"minamiaiki",
+	"minamimaki",
+	"minamiminowa",
+	"minowa",
+	"miyada",
+	"miyota",
+	"mochizuki",
+	"nagano",
+	"nagawa",
+	"nagiso",
+	"nakagawa",
+	"nakano",
+	"nozawaonsen",
+	"obuse",
+	"ogawa",
+	"okaya",
+	"omachi",
+	"omi",
+	"ookuwa",
+	"ooshika",
+	"otaki",
+	"otari",
+	"sakae",
+	"sakaki",
+	"saku",
+	"sakuho",
+	"shimosuwa",
+	"shinanomachi",
+	"shiojiri",
+	"suwa",
+	"suzaka",
+	"takagi",
+	"takamori",
+	"takayama",
+	"tateshina",
+	"tatsuno",
+	"togakushi",
+	"togura",
+	"tomi",
+	"ueda",
+	"wada",
+	"yamagata",
+	"yamanouchi",
+	"yasaka",
+	"yasuoka",
+	"chijiwa",
+	"futsu",
+	"goto",
+	"hasami",
+	"hirado",
+	"iki",
+	"isahaya",
+	"kawatana",
+	"kuchinotsu",
+	"matsuura",
+	"nagasaki",
+	"obama",
+	"omura",
+	"oseto",
+	"saikai",
+	"sasebo",
+	"seihi",
+	"shimabara",
+	"shinkamigoto",
+	"togitsu",
+	"tsushima",
+	"unzen",
+	"city",
+	"ando",
+	"gose",
+	"heguri",
+	"higashiyoshino",
+	"ikaruga",
+	"ikoma",
+	"kamikitayama",
+	"kanmaki",
+	"kashiba",
+	"kashihara",
+	"katsuragi",
+	"kawai",
+	"kawakami",
+	"kawanishi",
+	"koryo",
+	"kurotaki",
+	"mitsue",
+	"miyake",
+	"nara",
+	"nosegawa",
+	"oji",
+	"ouda",
+	"oyodo",
+	"sakurai",
+	"sango",
+	"shimoichi",
+	"shimokitayama",
+	"shinjo",
+	"soni",
+	"takatori",
+	"tawaramoto",
+	"tenkawa",
+	"tenri",
+	"uda",
+	"yamatokoriyama",
+	"yamatotakada",
+	"yamazoe",
+	"yoshino",
+	"aga",
+	"agano",
+	"gosen",
+	"itoigawa",
+	"izumozaki",
+	"joetsu",
+	"kamo",
+	"kariwa",
+	"kashiwazaki",
+	"minamiuonuma",
+	"mitsuke",
+	"muika",
+	"murakami",
+	"myoko",
+	"nagaoka",
+	"niigata",
+	"ojiya",
+	"omi",
+	"sado",
+	"sanjo",
+	"seiro",
+	"seirou",
+	"sekikawa",
+	"shibata",
+	"tagami",
+	"tainai",
+	"tochio",
+	"tokamachi",
+	"tsubame",
+	"tsunan",
+	"uonuma",
+	"yahiko",
+	"yoita",
+	"yuzawa",
+	"beppu",
+	"bungoono",
+	"bungotakada",
+	"hasama",
+	"hiji",
+	"himeshima",
+	"hita",
+	"kamitsue",
+	"kokonoe",
+	"kuju",
+	"kunisaki",
+	"kusu",
+	"oita",
+	"saiki",
+	"taketa",
+	"tsukumi",
+	"usa",
+	"usuki",
+	"yufu",
+	"akaiwa",
+	"asakuchi",
+	"bizen",
+	"hayashima",
+	"ibara",
+	"kagamino",
+	"kasaoka",
+	"kibichuo",
+	"kumenan",
+	"kurashiki",
+	"maniwa",
+	"misaki",
+	"nagi",
+	"niimi",
+	"nishiawakura",
+	"okayama",
+	"satosho",
+	"setouchi",
+	"shinjo",
+	"shoo",
+	"soja",
+	"takahashi",
+	"tamano",
+	"tsuyama",
+	"wake",
+	"yakage",
+	"aguni",
+	"ginowan",
+	"ginoza",
+	"gushikami",
+	"haebaru",
+	"higashi",
+	"hirara",
+	"iheya",
+	"ishigaki",
+	"ishikawa",
+	"itoman",
+	"izena",
+	"kadena",
+	"kin",
+	"kitadaito",
+	"kitanakagusuku",
+	"kumejima",
+	"kunigami",
+	"minamidaito",
+	"motobu",
+	"nago",
+	"naha",
+	"nakagusuku",
+	"nakijin",
+	"nanjo",
+	"nishihara",
+	"ogimi",
+	"okinawa",
+	"onna",
+	"shimoji",
+	"taketomi",
+	"tarama",
+	"tokashiki",
+	"tomigusuku",
+	"tonaki",
+	"urasoe",
+	"uruma",
+	"yaese",
+	"yomitan",
+	"yonabaru",
+	"yonaguni",
+	"zamami",
+	"abeno",
+	"chihayaakasaka",
+	"chuo",
+	"daito",
+	"fujiidera",
+	"habikino",
+	"hannan",
+	"higashiosaka",
+	"higashisumiyoshi",
+	"higashiyodogawa",
+	"hirakata",
+	"ibaraki",
+	"ikeda",
+	"izumi",
+	"izumiotsu",
+	"izumisano",
+	"kadoma",
+	"kaizuka",
+	"kanan",
+	"kashiwara",
+	"katano",
+	"kawachinagano",
+	"kishiwada",
+	"kita",
+	"kumatori",
+	"matsubara",
+	"minato",
+	"minoh",
+	"misaki",
+	"moriguchi",
+	"neyagawa",
+	"nishi",
+	"nose",
+	"osakasayama",
+	"sakai",
+	"sayama",
+	"sennan",
+	"settsu",
+	"shijonawate",
+	"shimamoto",
+	"suita",
+	"tadaoka",
+	"taishi",
+	"tajiri",
+	"takaishi",
+	"takatsuki",
+	"tondabayashi",
+	"toyonaka",
+	"toyono",
+	"yao",
+	"ariake",
+	"arita",
+	"fukudomi",
+	"genkai",
+	"hamatama",
+	"hizen",
+	"imari",
+	"kamimine",
+	"kanzaki",
+	"karatsu",
+	"kashima",
+	"kitagata",
+	"kitahata",
+	"kiyama",
+	"kouhoku",
+	"kyuragi",
+	"nishiarita",
+	"ogi",
+	"omachi",
+	"ouchi",
+	"saga",
+	"shiroishi",
+	"taku",
+	"tara",
+	"tosu",
+	"yoshinogari",
+	"arakawa",
+	"asaka",
+	"chichibu",
+	"fujimi",
+	"fujimino",
+	"fukaya",
+	"hanno",
+	"hanyu",
+	"hasuda",
+	"hatogaya",
+	"hatoyama",
+	"hidaka",
+	"higashichichibu",
+	"higashimatsuyama",
+	"honjo",
+	"ina",
+	"iruma",
+	"iwatsuki",
+	"kamiizumi",
+	"kamikawa",
+	"kamisato",
+	"kasukabe",
+	"kawagoe",
+	"kawaguchi",
+	"kawajima",
+	"kazo",
+	"kitamoto",
+	"koshigaya",
+	"kounosu",
+	"kuki",
+	"kumagaya",
+	"matsubushi",
+	"minano",
+	"misato",
+	"miyashiro",
+	"miyoshi",
+	"moroyama",
+	"nagatoro",
+	"namegawa",
+	"niiza",
+	"ogano",
+	"ogawa",
+	"ogose",
+	"okegawa",
+	"omiya",
+	"otaki",
+	"ranzan",
+	"ryokami",
+	"saitama",
+	"sakado",
+	"satte",
+	"sayama",
+	"shiki",
+	"shiraoka",
+	"soka",
+	"sugito",
+	"toda",
+	"tokigawa",
+	"tokorozawa",
+	"tsurugashima",
+	"urawa",
+	"warabi",
+	"yashio",
+	"yokoze",
+	"yono",
+	"yorii",
+	"yoshida",
+	"yoshikawa",
+	"yoshimi",
+	"city",
+	"city",
+	"aisho",
+	"gamo",
+	"higashiomi",
+	"hikone",
+	"koka",
+	"konan",
+	"kosei",
+	"koto",
+	"kusatsu",
+	"maibara",
+	"moriyama",
+	"nagahama",
+	"nishiazai",
+	"notogawa",
+	"omihachiman",
+	"otsu",
+	"ritto",
+	"ryuoh",
+	"takashima",
+	"takatsuki",
+	"torahime",
+	"toyosato",
+	"yasu",
+	"akagi",
+	"ama",
+	"gotsu",
+	"hamada",
+	"higashiizumo",
+	"hikawa",
+	"hikimi",
+	"izumo",
+	"kakinoki",
+	"masuda",
+	"matsue",
+	"misato",
+	"nishinoshima",
+	"ohda",
+	"okinoshima",
+	"okuizumo",
+	"shimane",
+	"tamayu",
+	"tsuwano",
+	"unnan",
+	"yakumo",
+	"yasugi",
+	"yatsuka",
+	"arai",
+	"atami",
+	"fuji",
+	"fujieda",
+	"fujikawa",
+	"fujinomiya",
+	"fukuroi",
+	"gotemba",
+	"haibara",
+	"hamamatsu",
+	"higashiizu",
+	"ito",
+	"iwata",
+	"izu",
+	"izunokuni",
+	"kakegawa",
+	"kannami",
+	"kawanehon",
+	"kawazu",
+	"kikugawa",
+	"kosai",
+	"makinohara",
+	"matsuzaki",
+	"minamiizu",
+	"mishima",
+	"morimachi",
+	"nishiizu",
+	"numazu",
+	"omaezaki",
+	"shimada",
+	"shimizu",
+	"shimoda",
+	"shizuoka",
+	"susono",
+	"yaizu",
+	"yoshida",
+	"ashikaga",
+	"bato",
+	"haga",
+	"ichikai",
+	"iwafune",
+	"kaminokawa",
+	"kanuma",
+	"karasuyama",
+	"kuroiso",
+	"mashiko",
+	"mibu",
+	"moka",
+	"motegi",
+	"nasu",
+	"nasushiobara",
+	"nikko",
+	"nishikata",
+	"nogi",
+	"ohira",
+	"ohtawara",
+	"oyama",
+	"sakura",
+	"sano",
+	"shimotsuke",
+	"shioya",
+	"takanezawa",
+	"tochigi",
+	"tsuga",
+	"ujiie",
+	"utsunomiya",
+	"yaita",
+	"aizumi",
+	"anan",
+	"ichiba",
+	"itano",
+	"kainan",
+	"komatsushima",
+	"matsushige",
+	"mima",
+	"minami",
+	"miyoshi",
+	"mugi",
+	"nakagawa",
+	"naruto",
+	"sanagochi",
+	"shishikui",
+	"tokushima",
+	"wajiki",
+	"adachi",
+	"akiruno",
+	"akishima",
+	"aogashima",
+	"arakawa",
+	"bunkyo",
+	"chiyoda",
+	"chofu",
+	"chuo",
+	"edogawa",
+	"fuchu",
+	"fussa",
+	"hachijo",
+	"hachioji",
+	"hamura",
+	"higashikurume",
+	"higashimurayama",
+	"higashiyamato",
+	"hino",
+	"hinode",
+	"hinohara",
+	"inagi",
+	"itabashi",
+	"katsushika",
+	"kita",
+	"kiyose",
+	"kodaira",
+	"koganei",
+	"kokubunji",
+	"komae",
+	"koto",
+	"kouzushima",
+	"kunitachi",
+	"machida",
+	"meguro",
+	"minato",
+	"mitaka",
+	"mizuho",
+	"musashimurayama",
+	"musashino",
+	"nakano",
+	"nerima",
+	"ogasawara",
+	"okutama",
+	"ome",
+	"oshima",
+	"ota",
+	"setagaya",
+	"shibuya",
+	"shinagawa",
+	"shinjuku",
+	"suginami",
+	"sumida",
+	"tachikawa",
+	"taito",
+	"tama",
+	"toshima",
+	"chizu",
+	"hino",
+	"kawahara",
+	"koge",
+	"kotoura",
+	"misasa",
+	"nanbu",
+	"nichinan",
+	"sakaiminato",
+	"tottori",
+	"wakasa",
+	"yazu",
+	"yonago",
+	"asahi",
+	"fuchu",
+	"fukumitsu",
+	"funahashi",
+	"himi",
+	"imizu",
+	"inami",
+	"johana",
+	"kamiichi",
+	"kurobe",
+	"nakaniikawa",
+	"namerikawa",
+	"nanto",
+	"nyuzen",
+	"oyabe",
+	"taira",
+	"takaoka",
+	"tateyama",
+	"toga",
+	"tonami",
+	"toyama",
+	"unazuki",
+	"uozu",
+	"yamada",
+	"arida",
+	"aridagawa",
+	"gobo",
+	"hashimoto",
+	"hidaka",
+	"hirogawa",
+	"inami",
+	"iwade",
+	"kainan",
+	"kamitonda",
+	"katsuragi",
+	"kimino",
+	"kinokawa",
+	"kitayama",
+	"koya",
+	"koza",
+	"kozagawa",
+	"kudoyama",
+	"kushimoto",
+	"mihama",
+	"misato",
+	"nachikatsuura",
+	"shingu",
+	"shirahama",
+	"taiji",
+	"tanabe",
+	"wakayama",
+	"yuasa",
+	"yura",
+	"asahi",
+	"funagata",
+	"higashine",
+	"iide",
+	"kahoku",
+	"kaminoyama",
+	"kaneyama",
+	"kawanishi",
+	"mamurogawa",
+	"mikawa",
+	"murayama",
+	"nagai",
+	"nakayama",
+	"nanyo",
+	"nishikawa",
+	"obanazawa",
+	"oe",
+	"oguni",
+	"ohkura",
+	"oishida",
+	"sagae",
+	"sakata",
+	"sakegawa",
+	"shinjo",
+	"shirataka",
+	"shonai",
+	"takahata",
+	"tendo",
+	"tozawa",
+	"tsuruoka",
+	"yamagata",
+	"yamanobe",
+	"yonezawa",
+	"yuza",
+	"abu",
+	"hagi",
+	"hikari",
+	"hofu",
+	"iwakuni",
+	"kudamatsu",
+	"mitou",
+	"nagato",
+	"oshima",
+	"shimonoseki",
+	"shunan",
+	"tabuse",
+	"tokuyama",
+	"toyota",
+	"ube",
+	"yuu",
+	"chuo",
+	"doshi",
+	"fuefuki",
+	"fujikawa",
+	"fujikawaguchiko",
+	"fujiyoshida",
+	"hayakawa",
+	"hokuto",
+	"ichikawamisato",
+	"kai",
+	"kofu",
+	"koshu",
+	"kosuge",
+	"minami-alps",
+	"minobu",
+	"nakamichi",
+	"nanbu",
+	"narusawa",
+	"nirasaki",
+	"nishikatsura",
+	"oshino",
+	"otsuki",
+	"showa",
+	"tabayama",
+	"tsuru",
+	"uenohara",
+	"yamanakako",
+	"yamanashi",
+	"city",
+	"co",
+	"blogspot",
+	"com",
+	"edu",
+	"gov",
+	"mil",
+	"net",
+	"org",
+	"biz",
+	"com",
+	"edu",
+	"gov",
+	"info",
+	"net",
+	"org",
+	"ass",
+	"asso",
+	"com",
+	"coop",
+	"edu",
+	"gouv",
+	"gov",
+	"medecin",
+	"mil",
+	"nom",
+	"notaires",
+	"org",
+	"pharmaciens",
+	"prd",
+	"presse",
+	"tm",
+	"veterinaire",
+	"edu",
+	"gov",
+	"net",
+	"org",
+	"com",
+	"edu",
+	"gov",
+	"org",
+	"rep",
+	"tra",
+	"ac",
+	"blogspot",
+	"busan",
+	"chungbuk",
+	"chungnam",
+	"co",
+	"daegu",
+	"daejeon",
+	"es",
+	"gangwon",
+	"go",
+	"gwangju",
+	"gyeongbuk",
+	"gyeonggi",
+	"gyeongnam",
+	"hs",
+	"incheon",
+	"jeju",
+	"jeonbuk",
+	"jeonnam",
+	"kg",
+	"mil",
+	"ms",
+	"ne",
+	"or",
+	"pe",
+	"re",
+	"sc",
+	"seoul",
+	"ulsan",
+	"co",
+	"edu",
+	"com",
+	"edu",
+	"gov",
+	"net",
+	"org",
+	"com",
+	"edu",
+	"gov",
+	"mil",
+	"net",
+	"org",
+	"bnr",
+	"c",
+	"com",
+	"edu",
+	"gov",
+	"info",
+	"int",
+	"net",
+	"org",
+	"per",
+	"static",
+	"dev",
+	"sites",
+	"com",
+	"edu",
+	"gov",
+	"net",
+	"org",
+	"co",
+	"com",
+	"edu",
+	"gov",
+	"net",
+	"org",
+	"oy",
+	"blogspot",
+	"cyon",
+	"mypep",
+	"ac",
+	"assn",
+	"com",
+	"edu",
+	"gov",
+	"grp",
+	"hotel",
+	"int",
+	"ltd",
+	"net",
+	"ngo",
+	"org",
+	"sch",
+	"soc",
+	"web",
+	"com",
+	"edu",
+	"gov",
+	"net",
+	"org",
+	"co",
+	"org",
+	"blogspot",
+	"gov",
+	"blogspot",
+	"asn",
+	"com",
+	"conf",
+	"edu",
+	"gov",
+	"id",
+	"mil",
+	"net",
+	"org",
+	"com",
+	"edu",
+	"gov",
+	"id",
+	"med",
+	"net",
+	"org",
+	"plc",
+	"sch",
+	"ac",
+	"co",
+	"gov",
+	"net",
+	"org",
+	"press",
+	"router",
+	"asso",
+	"tm",
+	"blogspot",
+	"ac",
+	"brasilia",
+	"c66",
+	"co",
+	"daplie",
+	"ddns",
+	"diskstation",
+	"dnsfor",
+	"dscloud",
+	"edu",
+	"filegear",
+	"gov",
+	"hopto",
+	"i234",
+	"its",
+	"loginto",
+	"myds",
+	"net",
+	"noip",
+	"org",
+	"priv",
+	"synology",
+	"webhop",
+	"wedeploy",
+	"yombo",
+	"localhost",
+	"co",
+	"com",
+	"edu",
+	"gov",
+	"mil",
+	"nom",
+	"org",
+	"prd",
+	"tm",
+	"blogspot",
+	"com",
+	"edu",
+	"gov",
+	"inf",
+	"name",
+	"net",
+	"org",
+	"com",
+	"edu",
+	"gouv",
+	"gov",
+	"net",
+	"org",
+	"presse",
+	"edu",
+	"gov",
+	"nyc",
+	"org",
+	"com",
+	"edu",
+	"gov",
+	"net",
+	"org",
+	"dscloud",
+	"blogspot",
+	"gov",
+	"com",
+	"edu",
+	"gov",
+	"net",
+	"org",
+	"com",
+	"edu",
+	"net",
+	"org",
+	"blogspot",
+	"ac",
+	"co",
+	"com",
+	"gov",
+	"net",
+	"or",
+	"org",
+	"academy",
+	"agriculture",
+	"air",
+	"airguard",
+	"alabama",
+	"alaska",
+	"amber",
+	"ambulance",
+	"american",
+	"americana",
+	"americanantiques",
+	"americanart",
+	"amsterdam",
+	"and",
+	"annefrank",
+	"anthro",
+	"anthropology",
+	"antiques",
+	"aquarium",
+	"arboretum",
+	"archaeological",
+	"archaeology",
+	"architecture",
+	"art",
+	"artanddesign",
+	"artcenter",
+	"artdeco",
+	"arteducation",
+	"artgallery",
+	"arts",
+	"artsandcrafts",
+	"asmatart",
+	"assassination",
+	"assisi",
+	"association",
+	"astronomy",
+	"atlanta",
+	"austin",
+	"australia",
+	"automotive",
+	"aviation",
+	"axis",
+	"badajoz",
+	"baghdad",
+	"bahn",
+	"bale",
+	"baltimore",
+	"barcelona",
+	"baseball",
+	"basel",
+	"baths",
+	"bauern",
+	"beauxarts",
+	"beeldengeluid",
+	"bellevue",
+	"bergbau",
+	"berkeley",
+	"berlin",
+	"bern",
+	"bible",
+	"bilbao",
+	"bill",
+	"birdart",
+	"birthplace",
+	"bonn",
+	"boston",
+	"botanical",
+	"botanicalgarden",
+	"botanicgarden",
+	"botany",
+	"brandywinevalley",
+	"brasil",
+	"bristol",
+	"british",
+	"britishcolumbia",
+	"broadcast",
+	"brunel",
+	"brussel",
+	"brussels",
+	"bruxelles",
+	"building",
+	"burghof",
+	"bus",
+	"bushey",
+	"cadaques",
+	"california",
+	"cambridge",
+	"can",
+	"canada",
+	"capebreton",
+	"carrier",
+	"cartoonart",
+	"casadelamoneda",
+	"castle",
+	"castres",
+	"celtic",
+	"center",
+	"chattanooga",
+	"cheltenham",
+	"chesapeakebay",
+	"chicago",
+	"children",
+	"childrens",
+	"childrensgarden",
+	"chiropractic",
+	"chocolate",
+	"christiansburg",
+	"cincinnati",
+	"cinema",
+	"circus",
+	"civilisation",
+	"civilization",
+	"civilwar",
+	"clinton",
+	"clock",
+	"coal",
+	"coastaldefence",
+	"cody",
+	"coldwar",
+	"collection",
+	"colonialwilliamsburg",
+	"coloradoplateau",
+	"columbia",
+	"columbus",
+	"communication",
+	"communications",
+	"community",
+	"computer",
+	"computerhistory",
+	"contemporary",
+	"contemporaryart",
+	"convent",
+	"copenhagen",
+	"corporation",
+	"corvette",
+	"costume",
+	"countryestate",
+	"county",
+	"crafts",
+	"cranbrook",
+	"creation",
+	"cultural",
+	"culturalcenter",
+	"culture",
+	"cyber",
+	"cymru",
+	"dali",
+	"dallas",
+	"database",
+	"ddr",
+	"decorativearts",
+	"delaware",
+	"delmenhorst",
+	"denmark",
+	"depot",
+	"design",
+	"detroit",
+	"dinosaur",
+	"discovery",
+	"dolls",
+	"donostia",
+	"durham",
+	"eastafrica",
+	"eastcoast",
+	"education",
+	"educational",
+	"egyptian",
+	"eisenbahn",
+	"elburg",
+	"elvendrell",
+	"embroidery",
+	"encyclopedic",
+	"england",
+	"entomology",
+	"environment",
+	"environmentalconservation",
+	"epilepsy",
+	"essex",
+	"estate",
+	"ethnology",
+	"exeter",
+	"exhibition",
+	"family",
+	"farm",
+	"farmequipment",
+	"farmers",
+	"farmstead",
+	"field",
+	"figueres",
+	"filatelia",
+	"film",
+	"fineart",
+	"finearts",
+	"finland",
+	"flanders",
+	"florida",
+	"force",
+	"fortmissoula",
+	"fortworth",
+	"foundation",
+	"francaise",
+	"frankfurt",
+	"franziskaner",
+	"freemasonry",
+	"freiburg",
+	"fribourg",
+	"frog",
+	"fundacio",
+	"furniture",
+	"gallery",
+	"garden",
+	"gateway",
+	"geelvinck",
+	"gemological",
+	"geology",
+	"georgia",
+	"giessen",
+	"glas",
+	"glass",
+	"gorge",
+	"grandrapids",
+	"graz",
+	"guernsey",
+	"halloffame",
+	"hamburg",
+	"handson",
+	"harvestcelebration",
+	"hawaii",
+	"health",
+	"heimatunduhren",
+	"hellas",
+	"helsinki",
+	"hembygdsforbund",
+	"heritage",
+	"histoire",
+	"historical",
+	"historicalsociety",
+	"historichouses",
+	"historisch",
+	"historisches",
+	"history",
+	"historyofscience",
+	"horology",
+	"house",
+	"humanities",
+	"illustration",
+	"imageandsound",
+	"indian",
+	"indiana",
+	"indianapolis",
+	"indianmarket",
+	"intelligence",
+	"interactive",
+	"iraq",
+	"iron",
+	"isleofman",
+	"jamison",
+	"jefferson",
+	"jerusalem",
+	"jewelry",
+	"jewish",
+	"jewishart",
+	"jfk",
+	"journalism",
+	"judaica",
+	"judygarland",
+	"juedisches",
+	"juif",
+	"karate",
+	"karikatur",
+	"kids",
+	"koebenhavn",
+	"koeln",
+	"kunst",
+	"kunstsammlung",
+	"kunstunddesign",
+	"labor",
+	"labour",
+	"lajolla",
+	"lancashire",
+	"landes",
+	"lans",
+	"larsson",
+	"lewismiller",
+	"lincoln",
+	"linz",
+	"living",
+	"livinghistory",
+	"localhistory",
+	"london",
+	"losangeles",
+	"louvre",
+	"loyalist",
+	"lucerne",
+	"luxembourg",
+	"luzern",
+	"mad",
+	"madrid",
+	"mallorca",
+	"manchester",
+	"mansion",
+	"mansions",
+	"manx",
+	"marburg",
+	"maritime",
+	"maritimo",
+	"maryland",
+	"marylhurst",
+	"media",
+	"medical",
+	"medizinhistorisches",
+	"meeres",
+	"memorial",
+	"mesaverde",
+	"michigan",
+	"midatlantic",
+	"military",
+	"mill",
+	"miners",
+	"mining",
+	"minnesota",
+	"missile",
+	"missoula",
+	"modern",
+	"moma",
+	"money",
+	"monmouth",
+	"monticello",
+	"montreal",
+	"moscow",
+	"motorcycle",
+	"muenchen",
+	"muenster",
+	"mulhouse",
+	"muncie",
+	"museet",
+	"museumcenter",
+	"museumvereniging",
+	"music",
+	"national",
+	"nationalfirearms",
+	"nationalheritage",
+	"nativeamerican",
+	"naturalhistory",
+	"naturalhistorymuseum",
+	"naturalsciences",
+	"nature",
+	"naturhistorisches",
+	"natuurwetenschappen",
+	"naumburg",
+	"naval",
+	"nebraska",
+	"neues",
+	"newhampshire",
+	"newjersey",
+	"newmexico",
+	"newport",
+	"newspaper",
+	"newyork",
+	"niepce",
+	"norfolk",
+	"north",
+	"nrw",
+	"nuernberg",
+	"nuremberg",
+	"nyc",
+	"nyny",
+	"oceanographic",
+	"oceanographique",
+	"omaha",
+	"online",
+	"ontario",
+	"openair",
+	"oregon",
+	"oregontrail",
+	"otago",
+	"oxford",
+	"pacific",
+	"paderborn",
+	"palace",
+	"paleo",
+	"palmsprings",
+	"panama",
+	"paris",
+	"pasadena",
+	"pharmacy",
+	"philadelphia",
+	"philadelphiaarea",
+	"philately",
+	"phoenix",
+	"photography",
+	"pilots",
+	"pittsburgh",
+	"planetarium",
+	"plantation",
+	"plants",
+	"plaza",
+	"portal",
+	"portland",
+	"portlligat",
+	"posts-and-telecommunications",
+	"preservation",
+	"presidio",
+	"press",
+	"project",
+	"public",
+	"pubol",
+	"quebec",
+	"railroad",
+	"railway",
+	"research",
+	"resistance",
+	"riodejaneiro",
+	"rochester",
+	"rockart",
+	"roma",
+	"russia",
+	"saintlouis",
+	"salem",
+	"salvadordali",
+	"salzburg",
+	"sandiego",
+	"sanfrancisco",
+	"santabarbara",
+	"santacruz",
+	"santafe",
+	"saskatchewan",
+	"satx",
+	"savannahga",
+	"schlesisches",
+	"schoenbrunn",
+	"schokoladen",
+	"school",
+	"schweiz",
+	"science",
+	"science-fiction",
+	"scienceandhistory",
+	"scienceandindustry",
+	"sciencecenter",
+	"sciencecenters",
+	"sciencehistory",
+	"sciences",
+	"sciencesnaturelles",
+	"scotland",
+	"seaport",
+	"settlement",
+	"settlers",
+	"shell",
+	"sherbrooke",
+	"sibenik",
+	"silk",
+	"ski",
+	"skole",
+	"society",
+	"sologne",
+	"soundandvision",
+	"southcarolina",
+	"southwest",
+	"space",
+	"spy",
+	"square",
+	"stadt",
+	"stalbans",
+	"starnberg",
+	"state",
+	"stateofdelaware",
+	"station",
+	"steam",
+	"steiermark",
+	"stjohn",
+	"stockholm",
+	"stpetersburg",
+	"stuttgart",
+	"suisse",
+	"surgeonshall",
+	"surrey",
+	"svizzera",
+	"sweden",
+	"sydney",
+	"tank",
+	"tcm",
+	"technology",
+	"telekommunikation",
+	"television",
+	"texas",
+	"textile",
+	"theater",
+	"time",
+	"timekeeping",
+	"topology",
+	"torino",
+	"touch",
+	"town",
+	"transport",
+	"tree",
+	"trolley",
+	"trust",
+	"trustee",
+	"uhren",
+	"ulm",
+	"undersea",
+	"university",
+	"usa",
+	"usantiques",
+	"usarts",
+	"uscountryestate",
+	"usculture",
+	"usdecorativearts",
+	"usgarden",
+	"ushistory",
+	"ushuaia",
+	"uslivinghistory",
+	"utah",
+	"uvic",
+	"valley",
+	"vantaa",
+	"versailles",
+	"viking",
+	"village",
+	"virginia",
+	"virtual",
+	"virtuel",
+	"vlaanderen",
+	"volkenkunde",
+	"wales",
+	"wallonie",
+	"war",
+	"washingtondc",
+	"watch-and-clock",
+	"watchandclock",
+	"western",
+	"westfalen",
+	"whaling",
+	"wildlife",
+	"williamsburg",
+	"windmill",
+	"workshop",
+	"xn--9dbhblg6di",
+	"xn--comunicaes-v6a2o",
+	"xn--correios-e-telecomunicaes-ghc29a",
+	"xn--h1aegh",
+	"xn--lns-qla",
+	"york",
+	"yorkshire",
+	"yosemite",
+	"youth",
+	"zoological",
+	"zoology",
+	"aero",
+	"biz",
+	"com",
+	"coop",
+	"edu",
+	"gov",
+	"info",
+	"int",
+	"mil",
+	"museum",
+	"name",
+	"net",
+	"org",
+	"pro",
+	"ac",
+	"biz",
+	"co",
+	"com",
+	"coop",
+	"edu",
+	"gov",
+	"int",
+	"museum",
+	"net",
+	"org",
+	"blogspot",
+	"com",
+	"edu",
+	"gob",
+	"net",
+	"org",
+	"blogspot",
+	"com",
+	"edu",
+	"gov",
+	"mil",
+	"name",
+	"net",
+	"org",
+	"ac",
+	"adv",
+	"co",
+	"edu",
+	"gov",
+	"mil",
+	"net",
+	"org",
+	"ca",
+	"cc",
+	"co",
+	"com",
+	"dr",
+	"in",
+	"info",
+	"mobi",
+	"mx",
+	"name",
+	"or",
+	"org",
+	"pro",
+	"school",
+	"tv",
+	"us",
+	"ws",
+	"her",
+	"his",
+	"forgot",
+	"forgot",
+	"asso",
+	"nom",
+	"alwaysdata",
+	"at-band-camp",
+	"azure-mobile",
+	"azurewebsites",
+	"barsy",
+	"blogdns",
+	"bounceme",
+	"bplaced",
+	"broke-it",
+	"buyshouses",
+	"cdn77",
+	"cdn77-ssl",
+	"cloudapp",
+	"cloudfront",
+	"cloudfunctions",
+	"cryptonomic",
+	"ddns",
+	"definima",
+	"dnsalias",
+	"dnsdojo",
+	"does-it",
+	"dontexist",
+	"dsmynas",
+	"dynalias",
+	"dynathome",
+	"dynv6",
+	"eating-organic",
+	"endofinternet",
+	"familyds",
+	"fastly",
+	"fastlylb",
+	"feste-ip",
+	"firewall-gateway",
+	"from-az",
+	"from-co",
+	"from-la",
+	"from-ny",
+	"gb",
+	"gets-it",
+	"ham-radio-op",
+	"homeftp",
+	"homeip",
+	"homelinux",
+	"homeunix",
+	"hu",
+	"in",
+	"in-the-band",
+	"ipifony",
+	"is-a-chef",
+	"is-a-geek",
+	"isa-geek",
+	"jp",
+	"kicks-ass",
+	"knx-server",
+	"moonscale",
+	"mydissent",
+	"myeffect",
+	"myfritz",
+	"mymediapc",
+	"mypsx",
+	"mysecuritycamera",
+	"nhlfan",
+	"no-ip",
+	"office-on-the",
+	"pgafan",
+	"podzone",
+	"privatizehealthinsurance",
+	"rackmaze",
+	"redirectme",
+	"ru",
+	"scrapper-site",
+	"se",
+	"selfip",
+	"sells-it",
+	"servebbs",
+	"serveblog",
+	"serveftp",
+	"serveminecraft",
+	"square7",
+	"static-access",
+	"sytes",
+	"t3l3p0rt",
+	"thruhere",
+	"twmail",
+	"uk",
+	"webhop",
+	"za",
+	"r",
+	"freetls",
+	"map",
+	"prod",
+	"ssl",
+	"a",
+	"global",
+	"a",
+	"b",
+	"global",
+	"map",
+	"alces",
+	"arts",
+	"com",
+	"firm",
+	"info",
+	"net",
+	"other",
+	"per",
+	"rec",
+	"store",
+	"web",
+	"com",
+	"edu",
+	"gov",
+	"i",
+	"mil",
+	"mobi",
+	"name",
+	"net",
+	"org",
+	"sch",
+	"blogspot",
+	"ac",
+	"biz",
+	"co",
+	"com",
+	"edu",
+	"gob",
+	"in",
+	"info",
+	"int",
+	"mil",
+	"net",
+	"nom",
+	"org",
+	"web",
+	"blogspot",
+	"bv",
+	"co",
+	"transurl",
+	"virtueeldomein",
+	"aa",
+	"aarborte",
+	"aejrie",
+	"afjord",
+	"agdenes",
+	"ah",
+	"akershus",
+	"aknoluokta",
+	"akrehamn",
+	"al",
+	"alaheadju",
+	"alesund",
+	"algard",
+	"alstahaug",
+	"alta",
+	"alvdal",
+	"amli",
+	"amot",
+	"andasuolo",
+	"andebu",
+	"andoy",
+	"ardal",
+	"aremark",
+	"arendal",
+	"arna",
+	"aseral",
+	"asker",
+	"askim",
+	"askoy",
+	"askvoll",
+	"asnes",
+	"audnedaln",
+	"aukra",
+	"aure",
+	"aurland",
+	"aurskog-holand",
+	"austevoll",
+	"austrheim",
+	"averoy",
+	"badaddja",
+	"bahcavuotna",
+	"bahccavuotna",
+	"baidar",
+	"bajddar",
+	"balat",
+	"balestrand",
+	"ballangen",
+	"balsfjord",
+	"bamble",
+	"bardu",
+	"barum",
+	"batsfjord",
+	"bearalvahki",
+	"beardu",
+	"beiarn",
+	"berg",
+	"bergen",
+	"berlevag",
+	"bievat",
+	"bindal",
+	"birkenes",
+	"bjarkoy",
+	"bjerkreim",
+	"bjugn",
+	"blogspot",
+	"bodo",
+	"bokn",
+	"bomlo",
+	"bremanger",
+	"bronnoy",
+	"bronnoysund",
+	"brumunddal",
+	"bryne",
+	"bu",
+	"budejju",
+	"buskerud",
+	"bygland",
+	"bykle",
+	"cahcesuolo",
+	"co",
+	"davvenjarga",
+	"davvesiida",
+	"deatnu",
+	"dep",
+	"dielddanuorri",
+	"divtasvuodna",
+	"divttasvuotna",
+	"donna",
+	"dovre",
+	"drammen",
+	"drangedal",
+	"drobak",
+	"dyroy",
+	"egersund",
+	"eid",
+	"eidfjord",
+	"eidsberg",
+	"eidskog",
+	"eidsvoll",
+	"eigersund",
+	"elverum",
+	"enebakk",
+	"engerdal",
+	"etne",
+	"etnedal",
+	"evenassi",
+	"evenes",
+	"evje-og-hornnes",
+	"farsund",
+	"fauske",
+	"fedje",
+	"fet",
+	"fetsund",
+	"fhs",
+	"finnoy",
+	"fitjar",
+	"fjaler",
+	"fjell",
+	"fla",
+	"flakstad",
+	"flatanger",
+	"flekkefjord",
+	"flesberg",
+	"flora",
+	"floro",
+	"fm",
+	"folkebibl",
+	"folldal",
+	"forde",
+	"forsand",
+	"fosnes",
+	"frana",
+	"fredrikstad",
+	"frei",
+	"frogn",
+	"froland",
+	"frosta",
+	"froya",
+	"fuoisku",
+	"fuossko",
+	"fusa",
+	"fylkesbibl",
+	"fyresdal",
+	"gaivuotna",
+	"galsa",
+	"gamvik",
+	"gangaviika",
+	"gaular",
+	"gausdal",
+	"giehtavuoatna",
+	"gildeskal",
+	"giske",
+	"gjemnes",
+	"gjerdrum",
+	"gjerstad",
+	"gjesdal",
+	"gjovik",
+	"gloppen",
+	"gol",
+	"gran",
+	"grane",
+	"granvin",
+	"gratangen",
+	"grimstad",
+	"grong",
+	"grue",
+	"gulen",
+	"guovdageaidnu",
+	"ha",
+	"habmer",
+	"hadsel",
+	"hagebostad",
+	"halden",
+	"halsa",
+	"hamar",
+	"hamaroy",
+	"hammarfeasta",
+	"hammerfest",
+	"hapmir",
+	"haram",
+	"hareid",
+	"harstad",
+	"hasvik",
+	"hattfjelldal",
+	"haugesund",
+	"hedmark",
+	"hemne",
+	"hemnes",
+	"hemsedal",
+	"herad",
+	"hitra",
+	"hjartdal",
+	"hjelmeland",
+	"hl",
+	"hm",
+	"hobol",
+	"hof",
+	"hokksund",
+	"hol",
+	"hole",
+	"holmestrand",
+	"holtalen",
+	"honefoss",
+	"hordaland",
+	"hornindal",
+	"horten",
+	"hoyanger",
+	"hoylandet",
+	"hurdal",
+	"hurum",
+	"hvaler",
+	"hyllestad",
+	"ibestad",
+	"idrett",
+	"inderoy",
+	"iveland",
+	"ivgu",
+	"jan-mayen",
+	"jessheim",
+	"jevnaker",
+	"jolster",
+	"jondal",
+	"jorpeland",
+	"kafjord",
+	"karasjohka",
+	"karasjok",
+	"karlsoy",
+	"karmoy",
+	"kautokeino",
+	"kirkenes",
+	"klabu",
+	"klepp",
+	"kommune",
+	"kongsberg",
+	"kongsvinger",
+	"kopervik",
+	"kraanghke",
+	"kragero",
+	"kristiansand",
+	"kristiansund",
+	"krodsherad",
+	"krokstadelva",
+	"kvafjord",
+	"kvalsund",
+	"kvam",
+	"kvanangen",
+	"kvinesdal",
+	"kvinnherad",
+	"kviteseid",
+	"kvitsoy",
+	"laakesvuemie",
+	"lahppi",
+	"langevag",
+	"lardal",
+	"larvik",
+	"lavagis",
+	"lavangen",
+	"leangaviika",
+	"lebesby",
+	"leikanger",
+	"leirfjord",
+	"leirvik",
+	"leka",
+	"leksvik",
+	"lenvik",
+	"lerdal",
+	"lesja",
+	"levanger",
+	"lier",
+	"lierne",
+	"lillehammer",
+	"lillesand",
+	"lindas",
+	"lindesnes",
+	"loabat",
+	"lodingen",
+	"lom",
+	"loppa",
+	"lorenskog",
+	"loten",
+	"lund",
+	"lunner",
+	"luroy",
+	"luster",
+	"lyngdal",
+	"lyngen",
+	"malatvuopmi",
+	"malselv",
+	"malvik",
+	"mandal",
+	"marker",
+	"marnardal",
+	"masfjorden",
+	"masoy",
+	"matta-varjjat",
+	"meland",
+	"meldal",
+	"melhus",
+	"meloy",
+	"meraker",
+	"midsund",
+	"midtre-gauldal",
+	"mil",
+	"mjondalen",
+	"mo-i-rana",
+	"moareke",
+	"modalen",
+	"modum",
+	"molde",
+	"more-og-romsdal",
+	"mosjoen",
+	"moskenes",
+	"moss",
+	"mosvik",
+	"mr",
+	"muosat",
+	"museum",
+	"naamesjevuemie",
+	"namdalseid",
+	"namsos",
+	"namsskogan",
+	"nannestad",
+	"naroy",
+	"narviika",
+	"narvik",
+	"naustdal",
+	"navuotna",
+	"nedre-eiker",
+	"nesna",
+	"nesodden",
+	"nesoddtangen",
+	"nesseby",
+	"nesset",
+	"nissedal",
+	"nittedal",
+	"nl",
+	"nord-aurdal",
+	"nord-fron",
+	"nord-odal",
+	"norddal",
+	"nordkapp",
+	"nordland",
+	"nordre-land",
+	"nordreisa",
+	"nore-og-uvdal",
+	"notodden",
+	"notteroy",
+	"nt",
+	"odda",
+	"of",
+	"oksnes",
+	"ol",
+	"omasvuotna",
+	"oppdal",
+	"oppegard",
+	"orkanger",
+	"orkdal",
+	"orland",
+	"orskog",
+	"orsta",
+	"osen",
+	"oslo",
+	"osoyro",
+	"osteroy",
+	"ostfold",
+	"ostre-toten",
+	"overhalla",
+	"ovre-eiker",
+	"oyer",
+	"oygarden",
+	"oystre-slidre",
+	"porsanger",
+	"porsangu",
+	"porsgrunn",
+	"priv",
+	"rade",
+	"radoy",
+	"rahkkeravju",
+	"raholt",
+	"raisa",
+	"rakkestad",
+	"ralingen",
+	"rana",
+	"randaberg",
+	"rauma",
+	"rendalen",
+	"rennebu",
+	"rennesoy",
+	"rindal",
+	"ringebu",
+	"ringerike",
+	"ringsaker",
+	"risor",
+	"rissa",
+	"rl",
+	"roan",
+	"rodoy",
+	"rollag",
+	"romsa",
+	"romskog",
+	"roros",
+	"rost",
+	"royken",
+	"royrvik",
+	"ruovat",
+	"rygge",
+	"salangen",
+	"salat",
+	"saltdal",
+	"samnanger",
+	"sandefjord",
+	"sandnes",
+	"sandnessjoen",
+	"sandoy",
+	"sarpsborg",
+	"sauda",
+	"sauherad",
+	"sel",
+	"selbu",
+	"selje",
+	"seljord",
+	"sf",
+	"siellak",
+	"sigdal",
+	"siljan",
+	"sirdal",
+	"skanit",
+	"skanland",
+	"skaun",
+	"skedsmo",
+	"skedsmokorset",
+	"ski",
+	"skien",
+	"skierva",
+	"skiptvet",
+	"skjak",
+	"skjervoy",
+	"skodje",
+	"slattum",
+	"smola",
+	"snaase",
+	"snasa",
+	"snillfjord",
+	"snoasa",
+	"sogndal",
+	"sogne",
+	"sokndal",
+	"sola",
+	"solund",
+	"somna",
+	"sondre-land",
+	"songdalen",
+	"sor-aurdal",
+	"sor-fron",
+	"sor-odal",
+	"sor-varanger",
+	"sorfold",
+	"sorreisa",
+	"sortland",
+	"sorum",
+	"spjelkavik",
+	"spydeberg",
+	"st",
+	"stange",
+	"stat",
+	"stathelle",
+	"stavanger",
+	"stavern",
+	"steigen",
+	"steinkjer",
+	"stjordal",
+	"stjordalshalsen",
+	"stokke",
+	"stor-elvdal",
+	"stord",
+	"stordal",
+	"storfjord",
+	"strand",
+	"stranda",
+	"stryn",
+	"sula",
+	"suldal",
+	"sund",
+	"sunndal",
+	"surnadal",
+	"svalbard",
+	"sveio",
+	"svelvik",
+	"sykkylven",
+	"tana",
+	"tananger",
+	"telemark",
+	"time",
+	"tingvoll",
+	"tinn",
+	"tjeldsund",
+	"tjome",
+	"tm",
+	"tokke",
+	"tolga",
+	"tonsberg",
+	"torsken",
+	"tr",
+	"trana",
+	"tranby",
+	"tranoy",
+	"troandin",
+	"trogstad",
+	"tromsa",
+	"tromso",
+	"trondheim",
+	"trysil",
+	"tvedestrand",
+	"tydal",
+	"tynset",
+	"tysfjord",
+	"tysnes",
+	"tysvar",
+	"ullensaker",
+	"ullensvang",
+	"ulvik",
+	"unjarga",
+	"utsira",
+	"va",
+	"vaapste",
+	"vadso",
+	"vaga",
+	"vagan",
+	"vagsoy",
+	"vaksdal",
+	"valle",
+	"vang",
+	"vanylven",
+	"vardo",
+	"varggat",
+	"varoy",
+	"vefsn",
+	"vega",
+	"vegarshei",
+	"vennesla",
+	"verdal",
+	"verran",
+	"vestby",
+	"vestfold",
+	"vestnes",
+	"vestre-slidre",
+	"vestre-toten",
+	"vestvagoy",
+	"vevelstad",
+	"vf",
+	"vgs",
+	"vik",
+	"vikna",
+	"vindafjord",
+	"voagat",
+	"volda",
+	"voss",
+	"vossevangen",
+	"xn--andy-ira",
+	"xn--asky-ira",
+	"xn--aurskog-hland-jnb",
+	"xn--avery-yua",
+	"xn--bdddj-mrabd",
+	"xn--bearalvhki-y4a",
+	"xn--berlevg-jxa",
+	"xn--bhcavuotna-s4a",
+	"xn--bhccavuotna-k7a",
+	"xn--bidr-5nac",
+	"xn--bievt-0qa",
+	"xn--bjarky-fya",
+	"xn--bjddar-pta",
+	"xn--blt-elab",
+	"xn--bmlo-gra",
+	"xn--bod-2na",
+	"xn--brnny-wuac",
+	"xn--brnnysund-m8ac",
+	"xn--brum-voa",
+	"xn--btsfjord-9za",
+	"xn--davvenjrga-y4a",
+	"xn--dnna-gra",
+	"xn--drbak-wua",
+	"xn--dyry-ira",
+	"xn--eveni-0qa01ga",
+	"xn--finny-yua",
+	"xn--fjord-lra",
+	"xn--fl-zia",
+	"xn--flor-jra",
+	"xn--frde-gra",
+	"xn--frna-woa",
+	"xn--frya-hra",
+	"xn--ggaviika-8ya47h",
+	"xn--gildeskl-g0a",
+	"xn--givuotna-8ya",
+	"xn--gjvik-wua",
+	"xn--gls-elac",
+	"xn--h-2fa",
+	"xn--hbmer-xqa",
+	"xn--hcesuolo-7ya35b",
+	"xn--hgebostad-g3a",
+	"xn--hmmrfeasta-s4ac",
+	"xn--hnefoss-q1a",
+	"xn--hobl-ira",
+	"xn--holtlen-hxa",
+	"xn--hpmir-xqa",
+	"xn--hyanger-q1a",
+	"xn--hylandet-54a",
+	"xn--indery-fya",
+	"xn--jlster-bya",
+	"xn--jrpeland-54a",
+	"xn--karmy-yua",
+	"xn--kfjord-iua",
+	"xn--klbu-woa",
+	"xn--koluokta-7ya57h",
+	"xn--krager-gya",
+	"xn--kranghke-b0a",
+	"xn--krdsherad-m8a",
+	"xn--krehamn-dxa",
+	"xn--krjohka-hwab49j",
+	"xn--ksnes-uua",
+	"xn--kvfjord-nxa",
+	"xn--kvitsy-fya",
+	"xn--kvnangen-k0a",
+	"xn--l-1fa",
+	"xn--laheadju-7ya",
+	"xn--langevg-jxa",
+	"xn--ldingen-q1a",
+	"xn--leagaviika-52b",
+	"xn--lesund-hua",
+	"xn--lgrd-poac",
+	"xn--lhppi-xqa",
+	"xn--linds-pra",
+	"xn--loabt-0qa",
+	"xn--lrdal-sra",
+	"xn--lrenskog-54a",
+	"xn--lt-liac",
+	"xn--lten-gra",
+	"xn--lury-ira",
+	"xn--mely-ira",
+	"xn--merker-kua",
+	"xn--mjndalen-64a",
+	"xn--mlatvuopmi-s4a",
+	"xn--mli-tla",
+	"xn--mlselv-iua",
+	"xn--moreke-jua",
+	"xn--mosjen-eya",
+	"xn--mot-tla",
+	"xn--mre-og-romsdal-qqb",
+	"xn--msy-ula0h",
+	"xn--mtta-vrjjat-k7af",
+	"xn--muost-0qa",
+	"xn--nmesjevuemie-tcba",
+	"xn--nry-yla5g",
+	"xn--nttery-byae",
+	"xn--nvuotna-hwa",
+	"xn--oppegrd-ixa",
+	"xn--ostery-fya",
+	"xn--osyro-wua",
+	"xn--porsgu-sta26f",
+	"xn--rady-ira",
+	"xn--rdal-poa",
+	"xn--rde-ula",
+	"xn--rdy-0nab",
+	"xn--rennesy-v1a",
+	"xn--rhkkervju-01af",
+	"xn--rholt-mra",
+	"xn--risa-5na",
+	"xn--risr-ira",
+	"xn--rland-uua",
+	"xn--rlingen-mxa",
+	"xn--rmskog-bya",
+	"xn--rros-gra",
+	"xn--rskog-uua",
+	"xn--rst-0na",
+	"xn--rsta-fra",
+	"xn--ryken-vua",
+	"xn--ryrvik-bya",
+	"xn--s-1fa",
+	"xn--sandnessjen-ogb",
+	"xn--sandy-yua",
+	"xn--seral-lra",
+	"xn--sgne-gra",
+	"xn--skierv-uta",
+	"xn--skjervy-v1a",
+	"xn--skjk-soa",
+	"xn--sknit-yqa",
+	"xn--sknland-fxa",
+	"xn--slat-5na",
+	"xn--slt-elab",
+	"xn--smla-hra",
+	"xn--smna-gra",
+	"xn--snase-nra",
+	"xn--sndre-land-0cb",
+	"xn--snes-poa",
+	"xn--snsa-roa",
+	"xn--sr-aurdal-l8a",
+	"xn--sr-fron-q1a",
+	"xn--sr-odal-q1a",
+	"xn--sr-varanger-ggb",
+	"xn--srfold-bya",
+	"xn--srreisa-q1a",
+	"xn--srum-gra",
+	"xn--stfold-9xa",
+	"xn--stjrdal-s1a",
+	"xn--stjrdalshalsen-sqb",
+	"xn--stre-toten-zcb",
+	"xn--tjme-hra",
+	"xn--tnsberg-q1a",
+	"xn--trany-yua",
+	"xn--trgstad-r1a",
+	"xn--trna-woa",
+	"xn--troms-zua",
+	"xn--tysvr-vra",
+	"xn--unjrga-rta",
+	"xn--vads-jra",
+	"xn--vard-jra",
+	"xn--vegrshei-c0a",
+	"xn--vestvgy-ixa6o",
+	"xn--vg-yiab",
+	"xn--vgan-qoa",
+	"xn--vgsy-qoa0j",
+	"xn--vre-eiker-k8a",
+	"xn--vrggt-xqad",
+	"xn--vry-yla5g",
+	"xn--yer-zna",
+	"xn--ygarden-p1a",
+	"xn--ystre-slidre-ujb",
+	"gs",
+	"gs",
+	"nes",
+	"gs",
+	"nes",
+	"gs",
+	"os",
+	"valer",
+	"xn--vler-qoa",
+	"gs",
+	"gs",
+	"os",
+	"gs",
+	"heroy",
+	"sande",
+	"gs",
+	"gs",
+	"bo",
+	"heroy",
+	"xn--b-5ga",
+	"xn--hery-ira",
+	"gs",
+	"gs",
+	"gs",
+	"gs",
+	"valer",
+	"gs",
+	"gs",
+	"gs",
+	"gs",
+	"bo",
+	"xn--b-5ga",
+	"gs",
+	"gs",
+	"gs",
+	"sande",
+	"gs",
+	"sande",
+	"xn--hery-ira",
+	"xn--vler-qoa",
+	"biz",
+	"com",
+	"edu",
+	"gov",
+	"info",
+	"net",
+	"org",
+	"merseine",
+	"mine",
+	"shacknet",
+	"ac",
+	"co",
+	"cri",
+	"geek",
+	"gen",
+	"govt",
+	"health",
+	"iwi",
+	"kiwi",
+	"maori",
+	"mil",
+	"net",
+	"org",
+	"parliament",
+	"school",
+	"xn--mori-qsa",
+	"blogspot",
+	"co",
+	"com",
+	"edu",
+	"gov",
+	"med",
+	"museum",
+	"net",
+	"org",
+	"pro",
+	"homelink",
+	"barsy",
+	"ae",
+	"amune",
+	"blogdns",
+	"blogsite",
+	"bmoattachments",
+	"boldlygoingnowhere",
+	"cable-modem",
+	"cdn77",
+	"cdn77-secure",
+	"certmgr",
+	"cloudns",
+	"collegefan",
+	"couchpotatofries",
+	"ddnss",
+	"diskstation",
+	"dnsalias",
+	"dnsdojo",
+	"doesntexist",
+	"dontexist",
+	"doomdns",
+	"dsmynas",
+	"duckdns",
+	"dvrdns",
+	"dynalias",
+	"dyndns",
+	"endofinternet",
+	"endoftheinternet",
+	"eu",
+	"familyds",
+	"fedorainfracloud",
+	"fedorapeople",
+	"fedoraproject",
+	"from-me",
+	"game-host",
+	"gotdns",
+	"hepforge",
+	"hk",
+	"hobby-site",
+	"homedns",
+	"homeftp",
+	"homelinux",
+	"homeunix",
+	"hopto",
+	"is-a-bruinsfan",
+	"is-a-candidate",
+	"is-a-celticsfan",
+	"is-a-chef",
+	"is-a-geek",
+	"is-a-knight",
+	"is-a-linux-user",
+	"is-a-patsfan",
+	"is-a-soxfan",
+	"is-found",
+	"is-lost",
+	"is-saved",
+	"is-very-bad",
+	"is-very-evil",
+	"is-very-good",
+	"is-very-nice",
+	"is-very-sweet",
+	"isa-geek",
+	"js",
+	"kicks-ass",
+	"misconfused",
+	"mlbfan",
+	"my-firewall",
+	"myfirewall",
+	"myftp",
+	"mysecuritycamera",
+	"nflfan",
+	"no-ip",
+	"pimienta",
+	"podzone",
+	"poivron",
+	"potager",
+	"read-books",
+	"readmyblog",
+	"selfip",
+	"sellsyourhome",
+	"servebbs",
+	"serveftp",
+	"servegame",
+	"spdns",
+	"stuff-4-sale",
+	"sweetpepper",
+	"tunk",
+	"tuxfamily",
+	"twmail",
+	"ufcfan",
+	"us",
+	"webhop",
+	"wmflabs",
+	"za",
+	"zapto",
+	"tele",
+	"c",
+	"rsc",
+	"origin",
+	"ssl",
+	"go",
+	"home",
+	"al",
+	"asso",
+	"at",
+	"au",
+	"be",
+	"bg",
+	"ca",
+	"cd",
+	"ch",
+	"cn",
+	"cy",
+	"cz",
+	"de",
+	"dk",
+	"edu",
+	"ee",
+	"es",
+	"fi",
+	"fr",
+	"gr",
+	"hr",
+	"hu",
+	"ie",
+	"il",
+	"in",
+	"int",
+	"is",
+	"it",
+	"jp",
+	"kr",
+	"lt",
+	"lu",
+	"lv",
+	"mc",
+	"me",
+	"mk",
+	"mt",
+	"my",
+	"net",
+	"ng",
+	"nl",
+	"no",
+	"nz",
+	"paris",
+	"pl",
+	"pt",
+	"q-a",
+	"ro",
+	"ru",
+	"se",
+	"si",
+	"sk",
+	"tr",
+	"uk",
+	"us",
+	"cloud",
+	"nerdpol",
+	"abo",
+	"ac",
+	"com",
+	"edu",
+	"gob",
+	"ing",
+	"med",
+	"net",
+	"nom",
+	"org",
+	"sld",
+	"ybo",
+	"blogspot",
+	"com",
+	"edu",
+	"gob",
+	"mil",
+	"net",
+	"nom",
+	"org",
+	"com",
+	"edu",
+	"org",
+	"com",
+	"edu",
+	"gov",
+	"i",
+	"mil",
+	"net",
+	"ngo",
+	"org",
+	"biz",
+	"com",
+	"edu",
+	"fam",
+	"gob",
+	"gok",
+	"gon",
+	"gop",
+	"gos",
+	"gov",
+	"info",
+	"net",
+	"org",
+	"web",
+	"agro",
+	"aid",
+	"art",
+	"atm",
+	"augustow",
+	"auto",
+	"babia-gora",
+	"bedzin",
+	"beep",
+	"beskidy",
+	"bialowieza",
+	"bialystok",
+	"bielawa",
+	"bieszczady",
+	"biz",
+	"boleslawiec",
+	"bydgoszcz",
+	"bytom",
+	"cieszyn",
+	"co",
+	"com",
+	"czeladz",
+	"czest",
+	"dlugoleka",
+	"edu",
+	"elblag",
+	"elk",
+	"gda",
+	"gdansk",
+	"gdynia",
+	"gliwice",
+	"glogow",
+	"gmina",
+	"gniezno",
+	"gorlice",
+	"gov",
+	"grajewo",
+	"gsm",
+	"ilawa",
+	"info",
+	"jaworzno",
+	"jelenia-gora",
+	"jgora",
+	"kalisz",
+	"karpacz",
+	"kartuzy",
+	"kaszuby",
+	"katowice",
+	"kazimierz-dolny",
+	"kepno",
+	"ketrzyn",
+	"klodzko",
+	"kobierzyce",
+	"kolobrzeg",
+	"konin",
+	"konskowola",
+	"krakow",
+	"kutno",
+	"lapy",
+	"lebork",
+	"legnica",
+	"lezajsk",
+	"limanowa",
+	"lomza",
+	"lowicz",
+	"lubin",
+	"lukow",
+	"mail",
+	"malbork",
+	"malopolska",
+	"mazowsze",
+	"mazury",
+	"med",
+	"media",
+	"miasta",
+	"mielec",
+	"mielno",
+	"mil",
+	"mragowo",
+	"naklo",
+	"net",
+	"nieruchomosci",
+	"nom",
+	"nowaruda",
+	"nysa",
+	"olawa",
+	"olecko",
+	"olkusz",
+	"olsztyn",
+	"opoczno",
+	"opole",
+	"org",
+	"ostroda",
+	"ostroleka",
+	"ostrowiec",
+	"ostrowwlkp",
+	"pc",
+	"pila",
+	"pisz",
+	"podhale",
+	"podlasie",
+	"polkowice",
+	"pomorskie",
+	"pomorze",
+	"powiat",
+	"poznan",
+	"priv",
+	"prochowice",
+	"pruszkow",
+	"przeworsk",
+	"pulawy",
+	"radom",
+	"rawa-maz",
+	"realestate",
+	"rel",
+	"rybnik",
+	"rzeszow",
+	"sanok",
+	"sejny",
+	"sex",
+	"shop",
+	"sklep",
+	"skoczow",
+	"slask",
+	"slupsk",
+	"sopot",
+	"sos",
+	"sosnowiec",
+	"stalowa-wola",
+	"starachowice",
+	"stargard",
+	"suwalki",
+	"swidnica",
+	"swiebodzin",
+	"swinoujscie",
+	"szczecin",
+	"szczytno",
+	"szkola",
+	"targi",
+	"tarnobrzeg",
+	"tgory",
+	"tm",
+	"tourism",
+	"travel",
+	"turek",
+	"turystyka",
+	"tychy",
+	"ustka",
+	"walbrzych",
+	"warmia",
+	"warszawa",
+	"waw",
+	"wegrow",
+	"wielun",
+	"wlocl",
+	"wloclawek",
+	"wodzislaw",
+	"wolomin",
+	"wroc",
+	"wroclaw",
+	"zachpomor",
+	"zagan",
+	"zakopane",
+	"zarow",
+	"zgora",
+	"zgorzelec",
+	"ap",
+	"griw",
+	"ic",
+	"is",
+	"kmpsp",
+	"konsulat",
+	"kppsp",
+	"kwp",
+	"kwpsp",
+	"mup",
+	"mw",
+	"oirm",
+	"oum",
+	"pa",
+	"pinb",
+	"piw",
+	"po",
+	"psp",
+	"psse",
+	"pup",
+	"rzgw",
+	"sa",
+	"sdn",
+	"sko",
+	"so",
+	"sr",
+	"starostwo",
+	"ug",
+	"ugim",
+	"um",
+	"umig",
+	"upow",
+	"uppo",
+	"us",
+	"uw",
+	"uzs",
+	"wif",
+	"wiih",
+	"winb",
+	"wios",
+	"witd",
+	"wiw",
+	"wsa",
+	"wskr",
+	"wuoz",
+	"wzmiuw",
+	"zp",
+	"co",
+	"edu",
+	"gov",
+	"net",
+	"org",
+	"ac",
+	"biz",
+	"com",
+	"edu",
+	"est",
+	"gov",
+	"info",
+	"isla",
+	"name",
+	"net",
+	"org",
+	"pro",
+	"prof",
+	"aaa",
+	"aca",
+	"acct",
+	"avocat",
+	"bar",
+	"cloudns",
+	"cpa",
+	"eng",
+	"jur",
+	"law",
+	"med",
+	"recht",
+	"com",
+	"edu",
+	"gov",
+	"net",
+	"org",
+	"plo",
+	"sec",
+	"blogspot",
+	"com",
+	"edu",
+	"gov",
+	"int",
+	"net",
+	"nome",
+	"org",
+	"publ",
+	"belau",
+	"cloudns",
+	"co",
+	"ed",
+	"go",
+	"ne",
+	"or",
+	"com",
+	"coop",
+	"edu",
+	"gov",
+	"mil",
+	"net",
+	"org",
+	"blogspot",
+	"com",
+	"edu",
+	"gov",
+	"mil",
+	"name",
+	"net",
+	"org",
+	"sch",
+	"asso",
+	"blogspot",
+	"com",
+	"nom",
+	"ybo",
+	"arts",
+	"blogspot",
+	"com",
+	"firm",
+	"info",
+	"nom",
+	"nt",
+	"org",
+	"rec",
+	"shop",
+	"store",
+	"tm",
+	"www",
+	"ac",
+	"blogspot",
+	"co",
+	"edu",
+	"gov",
+	"in",
+	"org",
+	"ac",
+	"adygeya",
+	"bashkiria",
+	"bir",
+	"blogspot",
+	"cbg",
+	"cldmail",
+	"com",
+	"dagestan",
+	"edu",
+	"gov",
+	"grozny",
+	"int",
+	"kalmykia",
+	"kustanai",
+	"marine",
+	"mil",
+	"mordovia",
+	"msk",
+	"mytis",
+	"nalchik",
+	"nov",
+	"pyatigorsk",
+	"spb",
+	"test",
+	"vladikavkaz",
+	"vladimir",
+	"hb",
+	"ac",
+	"co",
+	"com",
+	"edu",
+	"gouv",
+	"gov",
+	"int",
+	"mil",
+	"net",
+	"com",
+	"edu",
+	"gov",
+	"med",
+	"net",
+	"org",
+	"pub",
+	"sch",
+	"com",
+	"edu",
+	"gov",
+	"net",
+	"org",
+	"com",
+	"edu",
+	"gov",
+	"net",
+	"org",
+	"ybo",
+	"com",
+	"edu",
+	"gov",
+	"info",
+	"med",
+	"net",
+	"org",
+	"tv",
+	"a",
+	"ac",
+	"b",
+	"bd",
+	"blogspot",
+	"brand",
+	"c",
+	"com",
+	"d",
+	"e",
+	"f",
+	"fh",
+	"fhsk",
+	"fhv",
+	"g",
+	"h",
+	"i",
+	"k",
+	"komforb",
+	"kommunalforbund",
+	"komvux",
+	"l",
+	"lanbib",
+	"m",
+	"n",
+	"naturbruksgymn",
+	"o",
+	"org",
+	"p",
+	"parti",
+	"pp",
+	"press",
+	"r",
+	"s",
+	"t",
+	"tm",
+	"u",
+	"w",
+	"x",
+	"y",
+	"z",
+	"blogspot",
+	"com",
+	"edu",
+	"gov",
+	"net",
+	"org",
+	"per",
+	"com",
+	"gov",
+	"hashbang",
+	"mil",
+	"net",
+	"now",
+	"org",
+	"platform",
+	"blogspot",
+	"cyon",
+	"platformsh",
+	"blogspot",
+	"com",
+	"edu",
+	"gov",
+	"net",
+	"org",
+	"art",
+	"blogspot",
+	"com",
+	"edu",
+	"gouv",
+	"org",
+	"perso",
+	"univ",
+	"com",
+	"net",
+	"org",
+	"stackspace",
+	"uber",
+	"xs4all",
+	"co",
+	"com",
+	"consulado",
+	"edu",
+	"embaixada",
+	"gov",
+	"mil",
+	"net",
+	"org",
+	"principe",
+	"saotome",
+	"store",
+	"abkhazia",
+	"adygeya",
+	"aktyubinsk",
+	"arkhangelsk",
+	"armenia",
+	"ashgabad",
+	"azerbaijan",
+	"balashov",
+	"bashkiria",
+	"bryansk",
+	"bukhara",
+	"chimkent",
+	"dagestan",
+	"east-kazakhstan",
+	"exnet",
+	"georgia",
+	"grozny",
+	"ivanovo",
+	"jambyl",
+	"kalmykia",
+	"kaluga",
+	"karacol",
+	"karaganda",
+	"karelia",
+	"khakassia",
+	"krasnodar",
+	"kurgan",
+	"kustanai",
+	"lenug",
+	"mangyshlak",
+	"mordovia",
+	"msk",
+	"murmansk",
+	"nalchik",
+	"navoi",
+	"north-kazakhstan",
+	"nov",
+	"obninsk",
+	"penza",
+	"pokrovsk",
+	"sochi",
+	"spb",
+	"tashkent",
+	"termez",
+	"togliatti",
+	"troitsk",
+	"tselinograd",
+	"tula",
+	"tuva",
+	"vladikavkaz",
+	"vladimir",
+	"vologda",
+	"barsy",
+	"com",
+	"edu",
+	"gob",
+	"org",
+	"red",
+	"gov",
+	"com",
+	"edu",
+	"gov",
+	"mil",
+	"net",
+	"org",
+	"knightpoint",
+	"ac",
+	"co",
+	"org",
+	"blogspot",
+	"ac",
+	"co",
+	"go",
+	"in",
+	"mi",
+	"net",
+	"or",
+	"ac",
+	"biz",
+	"co",
+	"com",
+	"edu",
+	"go",
+	"gov",
+	"int",
+	"mil",
+	"name",
+	"net",
+	"nic",
+	"org",
+	"test",
+	"web",
+	"gov",
+	"co",
+	"com",
+	"edu",
+	"gov",
+	"mil",
+	"net",
+	"nom",
+	"org",
+	"agrinet",
+	"com",
+	"defense",
+	"edunet",
+	"ens",
+	"fin",
+	"gov",
+	"ind",
+	"info",
+	"intl",
+	"mincom",
+	"nat",
+	"net",
+	"org",
+	"perso",
+	"rnrt",
+	"rns",
+	"rnu",
+	"tourism",
+	"turen",
+	"com",
+	"edu",
+	"gov",
+	"mil",
+	"net",
+	"org",
+	"vpnplus",
+	"av",
+	"bbs",
+	"bel",
+	"biz",
+	"com",
+	"dr",
+	"edu",
+	"gen",
+	"gov",
+	"info",
+	"k12",
+	"kep",
+	"mil",
+	"name",
+	"nc",
+	"net",
+	"org",
+	"pol",
+	"tel",
+	"tv",
+	"web",
+	"blogspot",
+	"gov",
+	"ybo",
+	"aero",
+	"biz",
+	"co",
+	"com",
+	"coop",
+	"edu",
+	"gov",
+	"info",
+	"int",
+	"jobs",
+	"mobi",
+	"museum",
+	"name",
+	"net",
+	"org",
+	"pro",
+	"travel",
+	"better-than",
+	"dyndns",
+	"on-the-web",
+	"worse-than",
+	"blogspot",
+	"club",
+	"com",
+	"ebiz",
+	"edu",
+	"game",
+	"gov",
+	"idv",
+	"mil",
+	"net",
+	"org",
+	"url",
+	"xn--czrw28b",
+	"xn--uc0atv",
+	"xn--zf0ao64a",
+	"mymailer",
+	"ac",
+	"co",
+	"go",
+	"hotel",
+	"info",
+	"me",
+	"mil",
+	"mobi",
+	"ne",
+	"or",
+	"sc",
+	"tv",
+	"biz",
+	"cc",
+	"cherkassy",
+	"cherkasy",
+	"chernigov",
+	"chernihiv",
+	"chernivtsi",
+	"chernovtsy",
+	"ck",
+	"cn",
+	"co",
+	"com",
+	"cr",
+	"crimea",
+	"cv",
+	"dn",
+	"dnepropetrovsk",
+	"dnipropetrovsk",
+	"dominic",
+	"donetsk",
+	"dp",
+	"edu",
+	"gov",
+	"if",
+	"in",
+	"inf",
+	"ivano-frankivsk",
+	"kh",
+	"kharkiv",
+	"kharkov",
+	"kherson",
+	"khmelnitskiy",
+	"khmelnytskyi",
+	"kiev",
+	"kirovograd",
+	"km",
+	"kr",
+	"krym",
+	"ks",
+	"kv",
+	"kyiv",
+	"lg",
+	"lt",
+	"ltd",
+	"lugansk",
+	"lutsk",
+	"lv",
+	"lviv",
+	"mk",
+	"mykolaiv",
+	"net",
+	"nikolaev",
+	"od",
+	"odesa",
+	"odessa",
+	"org",
+	"pl",
+	"poltava",
+	"pp",
+	"rivne",
+	"rovno",
+	"rv",
+	"sb",
+	"sebastopol",
+	"sevastopol",
+	"sm",
+	"sumy",
+	"te",
+	"ternopil",
+	"uz",
+	"uzhgorod",
+	"vinnica",
+	"vinnytsia",
+	"vn",
+	"volyn",
+	"yalta",
+	"zaporizhzhe",
+	"zaporizhzhia",
+	"zhitomir",
+	"zhytomyr",
+	"zp",
+	"zt",
+	"ac",
+	"blogspot",
+	"co",
+	"com",
+	"go",
+	"ne",
+	"or",
+	"org",
+	"sc",
+	"ac",
+	"co",
+	"gov",
+	"ltd",
+	"me",
+	"net",
+	"nhs",
+	"org",
+	"plc",
+	"police",
+	"sch",
+	"blogspot",
+	"no-ip",
+	"wellbeingzone",
+	"homeoffice",
+	"service",
+	"ak",
+	"al",
+	"ar",
+	"as",
+	"az",
+	"ca",
+	"cloudns",
+	"co",
+	"ct",
+	"dc",
+	"de",
+	"dni",
+	"drud",
+	"fed",
+	"fl",
+	"ga",
+	"golffan",
+	"gu",
+	"hi",
+	"ia",
+	"id",
+	"il",
+	"in",
+	"is-by",
+	"isa",
+	"kids",
+	"ks",
+	"ky",
+	"la",
+	"land-4-sale",
+	"ma",
+	"md",
+	"me",
+	"mi",
+	"mn",
+	"mo",
+	"ms",
+	"mt",
+	"nc",
+	"nd",
+	"ne",
+	"nh",
+	"nj",
+	"nm",
+	"noip",
+	"nsn",
+	"nv",
+	"ny",
+	"oh",
+	"ok",
+	"or",
+	"pa",
+	"pointto",
+	"pr",
+	"ri",
+	"sc",
+	"sd",
+	"stuff-4-sale",
+	"tn",
+	"tx",
+	"ut",
+	"va",
+	"vi",
+	"vt",
+	"wa",
+	"wi",
+	"wv",
+	"wy",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"chtr",
+	"paroch",
+	"pvt",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"k12",
+	"lib",
+	"cc",
+	"cc",
+	"k12",
+	"lib",
+	"com",
+	"edu",
+	"gub",
+	"mil",
+	"net",
+	"org",
+	"blogspot",
+	"co",
+	"com",
+	"net",
+	"org",
+	"com",
+	"edu",
+	"gov",
+	"mil",
+	"net",
+	"org",
+	"arts",
+	"co",
+	"com",
+	"e12",
+	"edu",
+	"firm",
+	"gob",
+	"gov",
+	"info",
+	"int",
+	"mil",
+	"net",
+	"org",
+	"rec",
+	"store",
+	"tec",
+	"web",
+	"co",
+	"com",
+	"k12",
+	"net",
+	"org",
+	"ac",
+	"biz",
+	"blogspot",
+	"com",
+	"edu",
+	"gov",
+	"health",
+	"info",
+	"int",
+	"name",
+	"net",
+	"org",
+	"pro",
+	"com",
+	"edu",
+	"net",
+	"org",
+	"advisor",
+	"com",
+	"dyndns",
+	"edu",
+	"gov",
+	"mypets",
+	"net",
+	"org",
+	"xn--80au",
+	"xn--90azh",
+	"xn--c1avg",
+	"xn--d1at",
+	"xn--o1ac",
+	"xn--o1ach",
+	"xn--12c1fe0br",
+	"xn--12cfi8ixb8l",
+	"xn--12co0c3b4eva",
+	"xn--h3cuzk1di",
+	"xn--m3ch0j3a",
+	"xn--o3cyx2a",
+	"fhapp",
+	"ac",
+	"agric",
+	"alt",
+	"co",
+	"edu",
+	"gov",
+	"grondar",
+	"law",
+	"mil",
+	"net",
+	"ngo",
+	"nis",
+	"nom",
+	"org",
+	"school",
+	"tm",
+	"web",
+	"blogspot",
+	"ac",
+	"biz",
+	"co",
+	"com",
+	"edu",
+	"gov",
+	"info",
+	"mil",
+	"net",
+	"org",
+	"sch",
+	"triton",
+	"ac",
+	"co",
+	"gov",
+	"mil",
+	"org",
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/time/AUTHORS b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/time/AUTHORS
new file mode 100644
index 000000000..15167cd74
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/time/AUTHORS
@@ -0,0 +1,3 @@
+# This source code refers to The Go Authors for copyright purposes.
+# The master list of authors is in the main Go distribution,
+# visible at http://tip.golang.org/AUTHORS.
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/time/CONTRIBUTING.md b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/time/CONTRIBUTING.md
new file mode 100644
index 000000000..88dff59bc
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/time/CONTRIBUTING.md
@@ -0,0 +1,31 @@
+# Contributing to Go
+
+Go is an open source project.
+
+It is the work of hundreds of contributors. We appreciate your help!
+
+
+## Filing issues
+
+When [filing an issue](https://golang.org/issue/new), make sure to answer these five questions:
+
+1. What version of Go are you using (`go version`)?
+2. What operating system and processor architecture are you using?
+3. What did you do?
+4. What did you expect to see?
+5. What did you see instead?
+
+General questions should go to the [golang-nuts mailing list](https://groups.google.com/group/golang-nuts) instead of the issue tracker.
+The gophers there will answer or ask you to file an issue if you've tripped over a bug.
+
+## Contributing code
+
+Please read the [Contribution Guidelines](https://golang.org/doc/contribute.html)
+before sending patches.
+
+**We do not accept GitHub pull requests**
+(we use [Gerrit](https://code.google.com/p/gerrit/) instead for code review).
+
+Unless otherwise noted, the Go source files are distributed under
+the BSD-style license found in the LICENSE file.
+
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/time/CONTRIBUTORS b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/time/CONTRIBUTORS
new file mode 100644
index 000000000..1c4577e96
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/time/CONTRIBUTORS
@@ -0,0 +1,3 @@
+# This source code was written by the Go contributors.
+# The master list of contributors is in the main Go distribution,
+# visible at http://tip.golang.org/CONTRIBUTORS.
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/time/LICENSE b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/time/LICENSE
new file mode 100644
index 000000000..6a66aea5e
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/time/LICENSE
@@ -0,0 +1,27 @@
+Copyright (c) 2009 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/time/PATENTS b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/time/PATENTS
new file mode 100644
index 000000000..733099041
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/time/PATENTS
@@ -0,0 +1,22 @@
+Additional IP Rights Grant (Patents)
+
+"This implementation" means the copyrightable works distributed by
+Google as part of the Go project.
+
+Google hereby grants to You a perpetual, worldwide, non-exclusive,
+no-charge, royalty-free, irrevocable (except as stated in this section)
+patent license to make, have made, use, offer to sell, sell, import,
+transfer and otherwise run, modify and propagate the contents of this
+implementation of Go, where such license applies only to those patent
+claims, both currently owned or controlled by Google and acquired in
+the future, licensable by Google that are necessarily infringed by this
+implementation of Go.  This grant does not include claims that would be
+infringed only as a consequence of further modification of this
+implementation.  If you or your agent or exclusive licensee institute or
+order or agree to the institution of patent litigation against any
+entity (including a cross-claim or counterclaim in a lawsuit) alleging
+that this implementation of Go or any code incorporated within this
+implementation of Go constitutes direct or contributory patent
+infringement, or inducement of patent infringement, then any patent
+rights granted to you under this License for this implementation of Go
+shall terminate as of the date such litigation is filed.
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/time/README b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/time/README
new file mode 100644
index 000000000..144e347b4
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/time/README
@@ -0,0 +1 @@
+This repository provides supplementary Go time packages.
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/time/rate/rate.go b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/time/rate/rate.go
new file mode 100644
index 000000000..eabcd1147
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/time/rate/rate.go
@@ -0,0 +1,380 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package rate provides a rate limiter.
+package rate
+
+import (
+	"fmt"
+	"math"
+	"sync"
+	"time"
+)
+
+// Limit defines the maximum frequency of some events.
+// Limit is represented as number of events per second.
+// A zero Limit allows no events.
+type Limit float64
+
+// Inf is the infinite rate limit; it allows all events (even if burst is zero).
+const Inf = Limit(math.MaxFloat64)
+
+// Every converts a minimum time interval between events to a Limit.
+func Every(interval time.Duration) Limit {
+	if interval <= 0 {
+		return Inf
+	}
+	return 1 / Limit(interval.Seconds())
+}
+
+// A Limiter controls how frequently events are allowed to happen.
+// It implements a "token bucket" of size b, initially full and refilled
+// at rate r tokens per second.
+// Informally, in any large enough time interval, the Limiter limits the
+// rate to r tokens per second, with a maximum burst size of b events.
+// As a special case, if r == Inf (the infinite rate), b is ignored.
+// See https://en.wikipedia.org/wiki/Token_bucket for more about token buckets.
+//
+// The zero value is a valid Limiter, but it will reject all events.
+// Use NewLimiter to create non-zero Limiters.
+//
+// Limiter has three main methods, Allow, Reserve, and Wait.
+// Most callers should use Wait.
+//
+// Each of the three methods consumes a single token.
+// They differ in their behavior when no token is available.
+// If no token is available, Allow returns false.
+// If no token is available, Reserve returns a reservation for a future token
+// and the amount of time the caller must wait before using it.
+// If no token is available, Wait blocks until one can be obtained
+// or its associated context.Context is canceled.
+//
+// The methods AllowN, ReserveN, and WaitN consume n tokens.
+type Limiter struct {
+	limit Limit
+	burst int
+
+	mu     sync.Mutex
+	tokens float64
+	// last is the last time the limiter's tokens field was updated
+	last time.Time
+	// lastEvent is the latest time of a rate-limited event (past or future)
+	lastEvent time.Time
+}
+
+// Limit returns the maximum overall event rate.
+func (lim *Limiter) Limit() Limit {
+	lim.mu.Lock()
+	defer lim.mu.Unlock()
+	return lim.limit
+}
+
+// Burst returns the maximum burst size. Burst is the maximum number of tokens
+// that can be consumed in a single call to Allow, Reserve, or Wait, so higher
+// Burst values allow more events to happen at once.
+// A zero Burst allows no events, unless limit == Inf.
+func (lim *Limiter) Burst() int {
+	return lim.burst
+}
+
+// NewLimiter returns a new Limiter that allows events up to rate r and permits
+// bursts of at most b tokens.
+func NewLimiter(r Limit, b int) *Limiter {
+	return &Limiter{
+		limit: r,
+		burst: b,
+	}
+}
+
+// Allow is shorthand for AllowN(time.Now(), 1).
+func (lim *Limiter) Allow() bool {
+	return lim.AllowN(time.Now(), 1)
+}
+
+// AllowN reports whether n events may happen at time now.
+// Use this method if you intend to drop / skip events that exceed the rate limit.
+// Otherwise use Reserve or Wait.
+func (lim *Limiter) AllowN(now time.Time, n int) bool {
+	return lim.reserveN(now, n, 0).ok
+}
+
+// A Reservation holds information about events that are permitted by a Limiter to happen after a delay.
+// A Reservation may be canceled, which may enable the Limiter to permit additional events.
+type Reservation struct {
+	ok        bool
+	lim       *Limiter
+	tokens    int
+	timeToAct time.Time
+	// This is the Limit at reservation time, it can change later.
+	limit Limit
+}
+
+// OK returns whether the limiter can provide the requested number of tokens
+// within the maximum wait time.  If OK is false, Delay returns InfDuration, and
+// Cancel does nothing.
+func (r *Reservation) OK() bool {
+	return r.ok
+}
+
+// Delay is shorthand for DelayFrom(time.Now()).
+func (r *Reservation) Delay() time.Duration {
+	return r.DelayFrom(time.Now())
+}
+
+// InfDuration is the duration returned by Delay when a Reservation is not OK.
+const InfDuration = time.Duration(1<<63 - 1)
+
+// DelayFrom returns the duration for which the reservation holder must wait
+// before taking the reserved action.  Zero duration means act immediately.
+// InfDuration means the limiter cannot grant the tokens requested in this
+// Reservation within the maximum wait time.
+func (r *Reservation) DelayFrom(now time.Time) time.Duration {
+	if !r.ok {
+		return InfDuration
+	}
+	delay := r.timeToAct.Sub(now)
+	if delay < 0 {
+		return 0
+	}
+	return delay
+}
+
+// Cancel is shorthand for CancelAt(time.Now()).
+func (r *Reservation) Cancel() {
+	r.CancelAt(time.Now())
+	return
+}
+
+// CancelAt indicates that the reservation holder will not perform the reserved action
+// and reverses the effects of this Reservation on the rate limit as much as possible,
+// considering that other reservations may have already been made.
+func (r *Reservation) CancelAt(now time.Time) {
+	if !r.ok {
+		return
+	}
+
+	r.lim.mu.Lock()
+	defer r.lim.mu.Unlock()
+
+	if r.lim.limit == Inf || r.tokens == 0 || r.timeToAct.Before(now) {
+		return
+	}
+
+	// calculate tokens to restore
+	// The duration between lim.lastEvent and r.timeToAct tells us how many tokens were reserved
+	// after r was obtained. These tokens should not be restored.
+	restoreTokens := float64(r.tokens) - r.limit.tokensFromDuration(r.lim.lastEvent.Sub(r.timeToAct))
+	if restoreTokens <= 0 {
+		return
+	}
+	// advance time to now
+	now, _, tokens := r.lim.advance(now)
+	// calculate new number of tokens
+	tokens += restoreTokens
+	if burst := float64(r.lim.burst); tokens > burst {
+		tokens = burst
+	}
+	// update state
+	r.lim.last = now
+	r.lim.tokens = tokens
+	if r.timeToAct == r.lim.lastEvent {
+		prevEvent := r.timeToAct.Add(r.limit.durationFromTokens(float64(-r.tokens)))
+		if !prevEvent.Before(now) {
+			r.lim.lastEvent = prevEvent
+		}
+	}
+
+	return
+}
+
+// Reserve is shorthand for ReserveN(time.Now(), 1).
+func (lim *Limiter) Reserve() *Reservation {
+	return lim.ReserveN(time.Now(), 1)
+}
+
+// ReserveN returns a Reservation that indicates how long the caller must wait before n events happen.
+// The Limiter takes this Reservation into account when allowing future events.
+// ReserveN returns false if n exceeds the Limiter's burst size.
+// Usage example:
+//   r := lim.ReserveN(time.Now(), 1)
+//   if !r.OK() {
+//     // Not allowed to act! Did you remember to set lim.burst to be > 0 ?
+//     return
+//   }
+//   time.Sleep(r.Delay())
+//   Act()
+// Use this method if you wish to wait and slow down in accordance with the rate limit without dropping events.
+// If you need to respect a deadline or cancel the delay, use Wait instead.
+// To drop or skip events exceeding rate limit, use Allow instead.
+func (lim *Limiter) ReserveN(now time.Time, n int) *Reservation {
+	r := lim.reserveN(now, n, InfDuration)
+	return &r
+}
+
+// contextContext is a temporary(?) copy of the context.Context type
+// to support both Go 1.6 using golang.org/x/net/context and Go 1.7+
+// with the built-in context package. If people ever stop using Go 1.6
+// we can remove this.
+type contextContext interface {
+	Deadline() (deadline time.Time, ok bool)
+	Done() <-chan struct{}
+	Err() error
+	Value(key interface{}) interface{}
+}
+
+// Wait is shorthand for WaitN(ctx, 1).
+func (lim *Limiter) wait(ctx contextContext) (err error) {
+	return lim.WaitN(ctx, 1)
+}
+
+// WaitN blocks until lim permits n events to happen.
+// It returns an error if n exceeds the Limiter's burst size, the Context is
+// canceled, or the expected wait time exceeds the Context's Deadline.
+// The burst limit is ignored if the rate limit is Inf.
+func (lim *Limiter) waitN(ctx contextContext, n int) (err error) {
+	if n > lim.burst && lim.limit != Inf {
+		return fmt.Errorf("rate: Wait(n=%d) exceeds limiter's burst %d", n, lim.burst)
+	}
+	// Check if ctx is already cancelled
+	select {
+	case <-ctx.Done():
+		return ctx.Err()
+	default:
+	}
+	// Determine wait limit
+	now := time.Now()
+	waitLimit := InfDuration
+	if deadline, ok := ctx.Deadline(); ok {
+		waitLimit = deadline.Sub(now)
+	}
+	// Reserve
+	r := lim.reserveN(now, n, waitLimit)
+	if !r.ok {
+		return fmt.Errorf("rate: Wait(n=%d) would exceed context deadline", n)
+	}
+	// Wait
+	t := time.NewTimer(r.DelayFrom(now))
+	defer t.Stop()
+	select {
+	case <-t.C:
+		// We can proceed.
+		return nil
+	case <-ctx.Done():
+		// Context was canceled before we could proceed.  Cancel the
+		// reservation, which may permit other events to proceed sooner.
+		r.Cancel()
+		return ctx.Err()
+	}
+}
+
+// SetLimit is shorthand for SetLimitAt(time.Now(), newLimit).
+func (lim *Limiter) SetLimit(newLimit Limit) {
+	lim.SetLimitAt(time.Now(), newLimit)
+}
+
+// SetLimitAt sets a new Limit for the limiter. The new Limit, and Burst, may be violated
+// or underutilized by those which reserved (using Reserve or Wait) but did not yet act
+// before SetLimitAt was called.
+func (lim *Limiter) SetLimitAt(now time.Time, newLimit Limit) {
+	lim.mu.Lock()
+	defer lim.mu.Unlock()
+
+	now, _, tokens := lim.advance(now)
+
+	lim.last = now
+	lim.tokens = tokens
+	lim.limit = newLimit
+}
+
+// reserveN is a helper method for AllowN, ReserveN, and WaitN.
+// maxFutureReserve specifies the maximum reservation wait duration allowed.
+// reserveN returns Reservation, not *Reservation, to avoid allocation in AllowN and WaitN.
+func (lim *Limiter) reserveN(now time.Time, n int, maxFutureReserve time.Duration) Reservation {
+	lim.mu.Lock()
+
+	if lim.limit == Inf {
+		lim.mu.Unlock()
+		return Reservation{
+			ok:        true,
+			lim:       lim,
+			tokens:    n,
+			timeToAct: now,
+		}
+	}
+
+	now, last, tokens := lim.advance(now)
+
+	// Calculate the remaining number of tokens resulting from the request.
+	tokens -= float64(n)
+
+	// Calculate the wait duration
+	var waitDuration time.Duration
+	if tokens < 0 {
+		waitDuration = lim.limit.durationFromTokens(-tokens)
+	}
+
+	// Decide result
+	ok := n <= lim.burst && waitDuration <= maxFutureReserve
+
+	// Prepare reservation
+	r := Reservation{
+		ok:    ok,
+		lim:   lim,
+		limit: lim.limit,
+	}
+	if ok {
+		r.tokens = n
+		r.timeToAct = now.Add(waitDuration)
+	}
+
+	// Update state
+	if ok {
+		lim.last = now
+		lim.tokens = tokens
+		lim.lastEvent = r.timeToAct
+	} else {
+		lim.last = last
+	}
+
+	lim.mu.Unlock()
+	return r
+}
+
+// advance calculates and returns an updated state for lim resulting from the passage of time.
+// lim is not changed.
+func (lim *Limiter) advance(now time.Time) (newNow time.Time, newLast time.Time, newTokens float64) {
+	last := lim.last
+	if now.Before(last) {
+		last = now
+	}
+
+	// Avoid making delta overflow below when last is very old.
+	maxElapsed := lim.limit.durationFromTokens(float64(lim.burst) - lim.tokens)
+	elapsed := now.Sub(last)
+	if elapsed > maxElapsed {
+		elapsed = maxElapsed
+	}
+
+	// Calculate the new number of tokens, due to time that passed.
+	delta := lim.limit.tokensFromDuration(elapsed)
+	tokens := lim.tokens + delta
+	if burst := float64(lim.burst); tokens > burst {
+		tokens = burst
+	}
+
+	return now, last, tokens
+}
+
+// durationFromTokens is a unit conversion function from the number of tokens to the duration
+// of time it takes to accumulate them at a rate of limit tokens per second.
+func (limit Limit) durationFromTokens(tokens float64) time.Duration {
+	seconds := tokens / float64(limit)
+	return time.Nanosecond * time.Duration(1e9*seconds)
+}
+
+// tokensFromDuration is a unit conversion function from a time duration to the number of tokens
+// which could be accumulated during that duration at a rate of limit tokens per second.
+func (limit Limit) tokensFromDuration(d time.Duration) float64 {
+	return d.Seconds() * float64(limit)
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/time/rate/rate_go16.go b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/time/rate/rate_go16.go
new file mode 100644
index 000000000..6bab1850f
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/time/rate/rate_go16.go
@@ -0,0 +1,21 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build !go1.7
+
+package rate
+
+import "golang.org/x/net/context"
+
+// Wait is shorthand for WaitN(ctx, 1).
+func (lim *Limiter) Wait(ctx context.Context) (err error) {
+	return lim.waitN(ctx, 1)
+}
+
+// WaitN blocks until lim permits n events to happen.
+// It returns an error if n exceeds the Limiter's burst size, the Context is
+// canceled, or the expected wait time exceeds the Context's Deadline.
+func (lim *Limiter) WaitN(ctx context.Context, n int) (err error) {
+	return lim.waitN(ctx, n)
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/time/rate/rate_go17.go b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/time/rate/rate_go17.go
new file mode 100644
index 000000000..f90d85f51
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/time/rate/rate_go17.go
@@ -0,0 +1,21 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build go1.7
+
+package rate
+
+import "context"
+
+// Wait is shorthand for WaitN(ctx, 1).
+func (lim *Limiter) Wait(ctx context.Context) (err error) {
+	return lim.waitN(ctx, 1)
+}
+
+// WaitN blocks until lim permits n events to happen.
+// It returns an error if n exceeds the Limiter's burst size, the Context is
+// canceled, or the expected wait time exceeds the Context's Deadline.
+func (lim *Limiter) WaitN(ctx context.Context, n int) (err error) {
+	return lim.waitN(ctx, n)
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/time/rate/rate_test.go b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/time/rate/rate_test.go
new file mode 100644
index 000000000..e8add694f
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/golang.org/x/time/rate/rate_test.go
@@ -0,0 +1,449 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build go1.7
+
+package rate
+
+import (
+	"context"
+	"math"
+	"runtime"
+	"sync"
+	"sync/atomic"
+	"testing"
+	"time"
+)
+
+func TestLimit(t *testing.T) {
+	if Limit(10) == Inf {
+		t.Errorf("Limit(10) == Inf should be false")
+	}
+}
+
+func closeEnough(a, b Limit) bool {
+	return (math.Abs(float64(a)/float64(b)) - 1.0) < 1e-9
+}
+
+func TestEvery(t *testing.T) {
+	cases := []struct {
+		interval time.Duration
+		lim      Limit
+	}{
+		{0, Inf},
+		{-1, Inf},
+		{1 * time.Nanosecond, Limit(1e9)},
+		{1 * time.Microsecond, Limit(1e6)},
+		{1 * time.Millisecond, Limit(1e3)},
+		{10 * time.Millisecond, Limit(100)},
+		{100 * time.Millisecond, Limit(10)},
+		{1 * time.Second, Limit(1)},
+		{2 * time.Second, Limit(0.5)},
+		{time.Duration(2.5 * float64(time.Second)), Limit(0.4)},
+		{4 * time.Second, Limit(0.25)},
+		{10 * time.Second, Limit(0.1)},
+		{time.Duration(math.MaxInt64), Limit(1e9 / float64(math.MaxInt64))},
+	}
+	for _, tc := range cases {
+		lim := Every(tc.interval)
+		if !closeEnough(lim, tc.lim) {
+			t.Errorf("Every(%v) = %v want %v", tc.interval, lim, tc.lim)
+		}
+	}
+}
+
+const (
+	d = 100 * time.Millisecond
+)
+
+var (
+	t0 = time.Now()
+	t1 = t0.Add(time.Duration(1) * d)
+	t2 = t0.Add(time.Duration(2) * d)
+	t3 = t0.Add(time.Duration(3) * d)
+	t4 = t0.Add(time.Duration(4) * d)
+	t5 = t0.Add(time.Duration(5) * d)
+	t9 = t0.Add(time.Duration(9) * d)
+)
+
+type allow struct {
+	t  time.Time
+	n  int
+	ok bool
+}
+
+func run(t *testing.T, lim *Limiter, allows []allow) {
+	for i, allow := range allows {
+		ok := lim.AllowN(allow.t, allow.n)
+		if ok != allow.ok {
+			t.Errorf("step %d: lim.AllowN(%v, %v) = %v want %v",
+				i, allow.t, allow.n, ok, allow.ok)
+		}
+	}
+}
+
+func TestLimiterBurst1(t *testing.T) {
+	run(t, NewLimiter(10, 1), []allow{
+		{t0, 1, true},
+		{t0, 1, false},
+		{t0, 1, false},
+		{t1, 1, true},
+		{t1, 1, false},
+		{t1, 1, false},
+		{t2, 2, false}, // burst size is 1, so n=2 always fails
+		{t2, 1, true},
+		{t2, 1, false},
+	})
+}
+
+func TestLimiterBurst3(t *testing.T) {
+	run(t, NewLimiter(10, 3), []allow{
+		{t0, 2, true},
+		{t0, 2, false},
+		{t0, 1, true},
+		{t0, 1, false},
+		{t1, 4, false},
+		{t2, 1, true},
+		{t3, 1, true},
+		{t4, 1, true},
+		{t4, 1, true},
+		{t4, 1, false},
+		{t4, 1, false},
+		{t9, 3, true},
+		{t9, 0, true},
+	})
+}
+
+func TestLimiterJumpBackwards(t *testing.T) {
+	run(t, NewLimiter(10, 3), []allow{
+		{t1, 1, true}, // start at t1
+		{t0, 1, true}, // jump back to t0, two tokens remain
+		{t0, 1, true},
+		{t0, 1, false},
+		{t0, 1, false},
+		{t1, 1, true}, // got a token
+		{t1, 1, false},
+		{t1, 1, false},
+		{t2, 1, true}, // got another token
+		{t2, 1, false},
+		{t2, 1, false},
+	})
+}
+
+func TestSimultaneousRequests(t *testing.T) {
+	const (
+		limit       = 1
+		burst       = 5
+		numRequests = 15
+	)
+	var (
+		wg    sync.WaitGroup
+		numOK = uint32(0)
+	)
+
+	// Very slow replenishing bucket.
+	lim := NewLimiter(limit, burst)
+
+	// Tries to take a token, atomically updates the counter and decreases the wait
+	// group counter.
+	f := func() {
+		defer wg.Done()
+		if ok := lim.Allow(); ok {
+			atomic.AddUint32(&numOK, 1)
+		}
+	}
+
+	wg.Add(numRequests)
+	for i := 0; i < numRequests; i++ {
+		go f()
+	}
+	wg.Wait()
+	if numOK != burst {
+		t.Errorf("numOK = %d, want %d", numOK, burst)
+	}
+}
+
+func TestLongRunningQPS(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping in short mode")
+	}
+	if runtime.GOOS == "openbsd" {
+		t.Skip("low resolution time.Sleep invalidates test (golang.org/issue/14183)")
+		return
+	}
+
+	// The test runs for a few seconds executing many requests and then checks
+	// that overall number of requests is reasonable.
+	const (
+		limit = 100
+		burst = 100
+	)
+	var numOK = int32(0)
+
+	lim := NewLimiter(limit, burst)
+
+	var wg sync.WaitGroup
+	f := func() {
+		if ok := lim.Allow(); ok {
+			atomic.AddInt32(&numOK, 1)
+		}
+		wg.Done()
+	}
+
+	start := time.Now()
+	end := start.Add(5 * time.Second)
+	for time.Now().Before(end) {
+		wg.Add(1)
+		go f()
+
+		// This will still offer ~500 requests per second, but won't consume
+		// outrageous amount of CPU.
+		time.Sleep(2 * time.Millisecond)
+	}
+	wg.Wait()
+	elapsed := time.Since(start)
+	ideal := burst + (limit * float64(elapsed) / float64(time.Second))
+
+	// We should never get more requests than allowed.
+	if want := int32(ideal + 1); numOK > want {
+		t.Errorf("numOK = %d, want %d (ideal %f)", numOK, want, ideal)
+	}
+	// We should get very close to the number of requests allowed.
+	if want := int32(0.999 * ideal); numOK < want {
+		t.Errorf("numOK = %d, want %d (ideal %f)", numOK, want, ideal)
+	}
+}
+
+type request struct {
+	t   time.Time
+	n   int
+	act time.Time
+	ok  bool
+}
+
+// dFromDuration converts a duration to a multiple of the global constant d
+func dFromDuration(dur time.Duration) int {
+	// Adding a millisecond to be swallowed by the integer division
+	// because we don't care about small inaccuracies
+	return int((dur + time.Millisecond) / d)
+}
+
+// dSince returns multiples of d since t0
+func dSince(t time.Time) int {
+	return dFromDuration(t.Sub(t0))
+}
+
+func runReserve(t *testing.T, lim *Limiter, req request) *Reservation {
+	return runReserveMax(t, lim, req, InfDuration)
+}
+
+func runReserveMax(t *testing.T, lim *Limiter, req request, maxReserve time.Duration) *Reservation {
+	r := lim.reserveN(req.t, req.n, maxReserve)
+	if r.ok && (dSince(r.timeToAct) != dSince(req.act)) || r.ok != req.ok {
+		t.Errorf("lim.reserveN(t%d, %v, %v) = (t%d, %v) want (t%d, %v)",
+			dSince(req.t), req.n, maxReserve, dSince(r.timeToAct), r.ok, dSince(req.act), req.ok)
+	}
+	return &r
+}
+
+func TestSimpleReserve(t *testing.T) {
+	lim := NewLimiter(10, 2)
+
+	runReserve(t, lim, request{t0, 2, t0, true})
+	runReserve(t, lim, request{t0, 2, t2, true})
+	runReserve(t, lim, request{t3, 2, t4, true})
+}
+
+func TestMix(t *testing.T) {
+	lim := NewLimiter(10, 2)
+
+	runReserve(t, lim, request{t0, 3, t1, false}) // should return false because n > Burst
+	runReserve(t, lim, request{t0, 2, t0, true})
+	run(t, lim, []allow{{t1, 2, false}}) // not enought tokens - don't allow
+	runReserve(t, lim, request{t1, 2, t2, true})
+	run(t, lim, []allow{{t1, 1, false}}) // negative tokens - don't allow
+	run(t, lim, []allow{{t3, 1, true}})
+}
+
+func TestCancelInvalid(t *testing.T) {
+	lim := NewLimiter(10, 2)
+
+	runReserve(t, lim, request{t0, 2, t0, true})
+	r := runReserve(t, lim, request{t0, 3, t3, false})
+	r.CancelAt(t0)                               // should have no effect
+	runReserve(t, lim, request{t0, 2, t2, true}) // did not get extra tokens
+}
+
+func TestCancelLast(t *testing.T) {
+	lim := NewLimiter(10, 2)
+
+	runReserve(t, lim, request{t0, 2, t0, true})
+	r := runReserve(t, lim, request{t0, 2, t2, true})
+	r.CancelAt(t1) // got 2 tokens back
+	runReserve(t, lim, request{t1, 2, t2, true})
+}
+
+func TestCancelTooLate(t *testing.T) {
+	lim := NewLimiter(10, 2)
+
+	runReserve(t, lim, request{t0, 2, t0, true})
+	r := runReserve(t, lim, request{t0, 2, t2, true})
+	r.CancelAt(t3) // too late to cancel - should have no effect
+	runReserve(t, lim, request{t3, 2, t4, true})
+}
+
+func TestCancel0Tokens(t *testing.T) {
+	lim := NewLimiter(10, 2)
+
+	runReserve(t, lim, request{t0, 2, t0, true})
+	r := runReserve(t, lim, request{t0, 1, t1, true})
+	runReserve(t, lim, request{t0, 1, t2, true})
+	r.CancelAt(t0) // got 0 tokens back
+	runReserve(t, lim, request{t0, 1, t3, true})
+}
+
+func TestCancel1Token(t *testing.T) {
+	lim := NewLimiter(10, 2)
+
+	runReserve(t, lim, request{t0, 2, t0, true})
+	r := runReserve(t, lim, request{t0, 2, t2, true})
+	runReserve(t, lim, request{t0, 1, t3, true})
+	r.CancelAt(t2) // got 1 token back
+	runReserve(t, lim, request{t2, 2, t4, true})
+}
+
+func TestCancelMulti(t *testing.T) {
+	lim := NewLimiter(10, 4)
+
+	runReserve(t, lim, request{t0, 4, t0, true})
+	rA := runReserve(t, lim, request{t0, 3, t3, true})
+	runReserve(t, lim, request{t0, 1, t4, true})
+	rC := runReserve(t, lim, request{t0, 1, t5, true})
+	rC.CancelAt(t1) // get 1 token back
+	rA.CancelAt(t1) // get 2 tokens back, as if C was never reserved
+	runReserve(t, lim, request{t1, 3, t5, true})
+}
+
+func TestReserveJumpBack(t *testing.T) {
+	lim := NewLimiter(10, 2)
+
+	runReserve(t, lim, request{t1, 2, t1, true}) // start at t1
+	runReserve(t, lim, request{t0, 1, t1, true}) // should violate Limit,Burst
+	runReserve(t, lim, request{t2, 2, t3, true})
+}
+
+func TestReserveJumpBackCancel(t *testing.T) {
+	lim := NewLimiter(10, 2)
+
+	runReserve(t, lim, request{t1, 2, t1, true}) // start at t1
+	r := runReserve(t, lim, request{t1, 2, t3, true})
+	runReserve(t, lim, request{t1, 1, t4, true})
+	r.CancelAt(t0)                               // cancel at t0, get 1 token back
+	runReserve(t, lim, request{t1, 2, t4, true}) // should violate Limit,Burst
+}
+
+func TestReserveSetLimit(t *testing.T) {
+	lim := NewLimiter(5, 2)
+
+	runReserve(t, lim, request{t0, 2, t0, true})
+	runReserve(t, lim, request{t0, 2, t4, true})
+	lim.SetLimitAt(t2, 10)
+	runReserve(t, lim, request{t2, 1, t4, true}) // violates Limit and Burst
+}
+
+func TestReserveSetLimitCancel(t *testing.T) {
+	lim := NewLimiter(5, 2)
+
+	runReserve(t, lim, request{t0, 2, t0, true})
+	r := runReserve(t, lim, request{t0, 2, t4, true})
+	lim.SetLimitAt(t2, 10)
+	r.CancelAt(t2) // 2 tokens back
+	runReserve(t, lim, request{t2, 2, t3, true})
+}
+
+func TestReserveMax(t *testing.T) {
+	lim := NewLimiter(10, 2)
+	maxT := d
+
+	runReserveMax(t, lim, request{t0, 2, t0, true}, maxT)
+	runReserveMax(t, lim, request{t0, 1, t1, true}, maxT)  // reserve for close future
+	runReserveMax(t, lim, request{t0, 1, t2, false}, maxT) // time to act too far in the future
+}
+
+type wait struct {
+	name   string
+	ctx    context.Context
+	n      int
+	delay  int // in multiples of d
+	nilErr bool
+}
+
+func runWait(t *testing.T, lim *Limiter, w wait) {
+	start := time.Now()
+	err := lim.WaitN(w.ctx, w.n)
+	delay := time.Now().Sub(start)
+	if (w.nilErr && err != nil) || (!w.nilErr && err == nil) || w.delay != dFromDuration(delay) {
+		errString := "<nil>"
+		if !w.nilErr {
+			errString = "<non-nil error>"
+		}
+		t.Errorf("lim.WaitN(%v, lim, %v) = %v with delay %v ; want %v with delay %v",
+			w.name, w.n, err, delay, errString, d*time.Duration(w.delay))
+	}
+}
+
+func TestWaitSimple(t *testing.T) {
+	lim := NewLimiter(10, 3)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel()
+	runWait(t, lim, wait{"already-cancelled", ctx, 1, 0, false})
+
+	runWait(t, lim, wait{"exceed-burst-error", context.Background(), 4, 0, false})
+
+	runWait(t, lim, wait{"act-now", context.Background(), 2, 0, true})
+	runWait(t, lim, wait{"act-later", context.Background(), 3, 2, true})
+}
+
+func TestWaitCancel(t *testing.T) {
+	lim := NewLimiter(10, 3)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	runWait(t, lim, wait{"act-now", ctx, 2, 0, true}) // after this lim.tokens = 1
+	go func() {
+		time.Sleep(d)
+		cancel()
+	}()
+	runWait(t, lim, wait{"will-cancel", ctx, 3, 1, false})
+	// should get 3 tokens back, and have lim.tokens = 2
+	t.Logf("tokens:%v last:%v lastEvent:%v", lim.tokens, lim.last, lim.lastEvent)
+	runWait(t, lim, wait{"act-now-after-cancel", context.Background(), 2, 0, true})
+}
+
+func TestWaitTimeout(t *testing.T) {
+	lim := NewLimiter(10, 3)
+
+	ctx, cancel := context.WithTimeout(context.Background(), d)
+	defer cancel()
+	runWait(t, lim, wait{"act-now", ctx, 2, 0, true})
+	runWait(t, lim, wait{"w-timeout-err", ctx, 3, 0, false})
+}
+
+func TestWaitInf(t *testing.T) {
+	lim := NewLimiter(Inf, 0)
+
+	runWait(t, lim, wait{"exceed-burst-no-error", context.Background(), 3, 0, true})
+}
+
+func BenchmarkAllowN(b *testing.B) {
+	lim := NewLimiter(Every(1*time.Second), 1)
+	now := time.Now()
+	b.ReportAllocs()
+	b.ResetTimer()
+	b.RunParallel(func(pb *testing.PB) {
+		for pb.Next() {
+			lim.AllowN(now, 1)
+		}
+	})
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/.gitcookies.sh.enc b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/.gitcookies.sh.enc
new file mode 100644
index 000000000..730e569b0
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/.gitcookies.sh.enc
@@ -0,0 +1 @@
+'|�&{t�U|gG�(�Cy=+���c�:u:/p�#~��["�4�!�n�A�DK<�uf�h�a��:�����B/�ؤ���_�h��S�T*w�x����-�|���Ӄ�����㣗A$$�6���G)8n�p��ˡ3̚�o��v�B�3��]xݓ�2l�G�|qRޯ
�2
5R����$��Y��ݙl�˫yAI"ی���û��k�|K��[9����=�����|@S�3�#�x?�V�,��S����wP�og�6&V6	�D.dB�7
\ No newline at end of file
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/.gitignore b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/.gitignore
new file mode 100644
index 000000000..5b4d73b68
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/.gitignore
@@ -0,0 +1,7 @@
+*~
+.*.swp
+*.out
+*.test
+*.pem
+*.cov
+jose-util/jose-util
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/.travis.yml b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/.travis.yml
new file mode 100644
index 000000000..c38cd007d
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/.travis.yml
@@ -0,0 +1,45 @@
+language: go
+
+sudo: false
+
+matrix:
+  fast_finish: true
+  allow_failures:
+    - go: tip
+
+go:
+- 1.3
+- 1.4
+- 1.5
+- 1.6
+- 1.7
+- tip
+
+go_import_path: gopkg.in/square/go-jose.v1
+
+before_script:
+- export PATH=$HOME/.local/bin:$PATH
+
+before_install:
+# Install encrypted gitcookies to get around bandwidth-limits
+# that is causing Travis-CI builds to fail. For more info, see
+# https://github.com/golang/go/issues/12933
+- openssl aes-256-cbc -K $encrypted_1528c3c2cafd_key -iv $encrypted_1528c3c2cafd_iv -in .gitcookies.sh.enc -out .gitcookies.sh -d || true
+- bash .gitcookies.sh || true
+- go get github.com/wadey/gocovmerge
+- go get github.com/mattn/goveralls
+- go get golang.org/x/tools/cmd/cover || true
+- go get code.google.com/p/go.tools/cmd/cover || true
+- pip install cram --user `whoami`
+
+script:
+- go test . -v -covermode=count -coverprofile=profile.cov
+- go test ./cipher -v -covermode=count -coverprofile=cipher/profile.cov
+- go test ./json -v # no coverage for forked encoding/json package
+- cd jose-util && go build && PATH=$PWD:$PATH cram -v jose-util.t
+- cd ..
+
+after_success:
+- gocovmerge *.cov */*.cov > merged.coverprofile
+- $HOME/gopath/bin/goveralls -coverprofile merged.coverprofile -service=travis-ci
+
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/BUG-BOUNTY.md b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/BUG-BOUNTY.md
new file mode 100644
index 000000000..97e61dbb6
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/BUG-BOUNTY.md
@@ -0,0 +1,10 @@
+Serious about security
+======================
+
+Square recognizes the important contributions the security research community
+can make. We therefore encourage reporting security issues with the code
+contained in this repository.
+
+If you believe you have discovered a security vulnerability, please follow the
+guidelines at <https://hackerone.com/square-open-source>.
+
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/CONTRIBUTING.md b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/CONTRIBUTING.md
new file mode 100644
index 000000000..61b183651
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/CONTRIBUTING.md
@@ -0,0 +1,14 @@
+# Contributing
+
+If you would like to contribute code to go-jose you can do so through GitHub by
+forking the repository and sending a pull request.
+
+When submitting code, please make every effort to follow existing conventions
+and style in order to keep the code as readable as possible. Please also make
+sure all tests pass by running `go test`, and format your code with `go fmt`.
+We also recommend using `golint` and `errcheck`.
+
+Before your code can be accepted into the project you must also sign the
+[Individual Contributor License Agreement][1].
+
+ [1]: https://spreadsheets.google.com/spreadsheet/viewform?formkey=dDViT2xzUHAwRkI3X3k5Z0lQM091OGc6MQ&ndplr=1
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/LICENSE b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/LICENSE
new file mode 100644
index 000000000..d64569567
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/LICENSE
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/README.md b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/README.md
new file mode 100644
index 000000000..60293ffa2
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/README.md
@@ -0,0 +1,212 @@
+# Go JOSE 
+
+[![godoc](http://img.shields.io/badge/godoc-reference-blue.svg?style=flat)](https://godoc.org/gopkg.in/square/go-jose.v1) [![license](http://img.shields.io/badge/license-apache_2.0-blue.svg?style=flat)](https://raw.githubusercontent.com/square/go-jose/master/LICENSE)
+[![release](https://img.shields.io/github/release/square/go-jose.svg?style=flat)](https://github.com/square/go-jose/releases)
+[![build](https://travis-ci.org/square/go-jose.svg?branch=master)](https://travis-ci.org/square/go-jose)
+[![coverage](https://coveralls.io/repos/github/square/go-jose/badge.svg?branch=master)](https://coveralls.io/r/square/go-jose)
+
+Package jose aims to provide an implementation of the Javascript Object Signing
+and Encryption set of standards. For the moment, it mainly focuses on encryption
+and signing based on the JSON Web Encryption and JSON Web Signature standards.
+
+**Disclaimer**: This library contains encryption software that is subject to
+the U.S. Export Administration Regulations. You may not export, re-export,
+transfer or download this code or any part of it in violation of any United
+States law, directive or regulation. In particular this software may not be
+exported or re-exported in any form or on any media to Iran, North Sudan,
+Syria, Cuba, or North Korea, or to denied persons or entities mentioned on any
+US maintained blocked list.
+
+## Overview
+
+The implementation follows the
+[JSON Web Encryption](http://dx.doi.org/10.17487/RFC7516)
+standard (RFC 7516) and
+[JSON Web Signature](http://dx.doi.org/10.17487/RFC7515)
+standard (RFC 7515). Tables of supported algorithms are shown below.
+The library supports both the compact and full serialization formats, and has
+optional support for multiple recipients. It also comes with a small
+command-line utility
+([`jose-util`](https://github.com/square/go-jose/tree/master/jose-util))
+for dealing with JOSE messages in a shell.
+
+**Note**: We use a forked version of the `encoding/json` package from the Go
+standard library which uses case-sensitive matching for member names (instead
+of [case-insensitive matching](https://www.ietf.org/mail-archive/web/json/current/msg03763.html)).
+This is to avoid differences in interpretation of messages between go-jose and
+libraries in other languages. If you do not like this behavior, you can use the
+`std_json` build tag to disable it (though we do not recommend doing so).
+
+### Versions
+
+We use [gopkg.in](https://gopkg.in) for versioning.
+
+[Version 1](https://gopkg.in/square/go-jose.v1) is the current stable version:
+
+    import "gopkg.in/square/go-jose.v1"
+
+The interface for [go-jose.v1](https://gopkg.in/square/go-jose.v1) will remain
+backwards compatible. We're currently sketching out ideas for a new version, to
+clean up the interface a bit. If you have ideas or feature requests [please let
+us know](https://github.com/square/go-jose/issues/64)!
+
+### Supported algorithms
+
+See below for a table of supported algorithms. Algorithm identifiers match
+the names in the
+[JSON Web Algorithms](http://dx.doi.org/10.17487/RFC7518)
+standard where possible. The
+[Godoc reference](https://godoc.org/github.com/square/go-jose#pkg-constants)
+has a list of constants.
+
+ Key encryption             | Algorithm identifier(s)
+ :------------------------- | :------------------------------
+ RSA-PKCS#1v1.5             | RSA1_5
+ RSA-OAEP                   | RSA-OAEP, RSA-OAEP-256
+ AES key wrap               | A128KW, A192KW, A256KW
+ AES-GCM key wrap           | A128GCMKW, A192GCMKW, A256GCMKW
+ ECDH-ES + AES key wrap     | ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW
+ ECDH-ES (direct)           | ECDH-ES<sup>1</sup>
+ Direct encryption          | dir<sup>1</sup>
+
+<sup>1. Not supported in multi-recipient mode</sup>
+
+ Signing / MAC              | Algorithm identifier(s)
+ :------------------------- | :------------------------------
+ RSASSA-PKCS#1v1.5          | RS256, RS384, RS512
+ RSASSA-PSS                 | PS256, PS384, PS512
+ HMAC                       | HS256, HS384, HS512
+ ECDSA                      | ES256, ES384, ES512
+
+ Content encryption         | Algorithm identifier(s)
+ :------------------------- | :------------------------------
+ AES-CBC+HMAC               | A128CBC-HS256, A192CBC-HS384, A256CBC-HS512
+ AES-GCM                    | A128GCM, A192GCM, A256GCM 
+
+ Compression                | Algorithm identifiers(s)
+ :------------------------- | -------------------------------
+ DEFLATE (RFC 1951)         | DEF
+
+### Supported key types
+
+See below for a table of supported key types. These are understood by the
+library, and can be passed to corresponding functions such as `NewEncrypter` or
+`NewSigner`. Note that if you are creating a new encrypter or signer with a
+JsonWebKey, the key id of the JsonWebKey (if present) will be added to any
+resulting messages.
+
+ Algorithm(s)               | Corresponding types
+ :------------------------- | -------------------------------
+ RSA                        | *[rsa.PublicKey](http://golang.org/pkg/crypto/rsa/#PublicKey), *[rsa.PrivateKey](http://golang.org/pkg/crypto/rsa/#PrivateKey), *[jose.JsonWebKey](https://godoc.org/github.com/square/go-jose#JsonWebKey)
+ ECDH, ECDSA                | *[ecdsa.PublicKey](http://golang.org/pkg/crypto/ecdsa/#PublicKey), *[ecdsa.PrivateKey](http://golang.org/pkg/crypto/ecdsa/#PrivateKey), *[jose.JsonWebKey](https://godoc.org/github.com/square/go-jose#JsonWebKey)
+ AES, HMAC                  | []byte, *[jose.JsonWebKey](https://godoc.org/github.com/square/go-jose#JsonWebKey)
+
+## Examples
+
+Encryption/decryption example using RSA:
+
+```Go
+// Generate a public/private key pair to use for this example. The library
+// also provides two utility functions (LoadPublicKey and LoadPrivateKey)
+// that can be used to load keys from PEM/DER-encoded data.
+privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+if err != nil {
+	panic(err)
+}
+
+// Instantiate an encrypter using RSA-OAEP with AES128-GCM. An error would
+// indicate that the selected algorithm(s) are not currently supported.
+publicKey := &privateKey.PublicKey
+encrypter, err := NewEncrypter(RSA_OAEP, A128GCM, publicKey)
+if err != nil {
+	panic(err)
+}
+
+// Encrypt a sample plaintext. Calling the encrypter returns an encrypted
+// JWE object, which can then be serialized for output afterwards. An error
+// would indicate a problem in an underlying cryptographic primitive.
+var plaintext = []byte("Lorem ipsum dolor sit amet")
+object, err := encrypter.Encrypt(plaintext)
+if err != nil {
+	panic(err)
+}
+
+// Serialize the encrypted object using the full serialization format.
+// Alternatively you can also use the compact format here by calling
+// object.CompactSerialize() instead.
+serialized := object.FullSerialize()
+
+// Parse the serialized, encrypted JWE object. An error would indicate that
+// the given input did not represent a valid message.
+object, err = ParseEncrypted(serialized)
+if err != nil {
+	panic(err)
+}
+
+// Now we can decrypt and get back our original plaintext. An error here
+// would indicate the the message failed to decrypt, e.g. because the auth
+// tag was broken or the message was tampered with.
+decrypted, err := object.Decrypt(privateKey)
+if err != nil {
+	panic(err)
+}
+
+fmt.Printf(string(decrypted))
+// output: Lorem ipsum dolor sit amet
+```
+
+Signing/verification example using RSA:
+
+```Go
+// Generate a public/private key pair to use for this example. The library
+// also provides two utility functions (LoadPublicKey and LoadPrivateKey)
+// that can be used to load keys from PEM/DER-encoded data.
+privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+if err != nil {
+	panic(err)
+}
+
+// Instantiate a signer using RSASSA-PSS (SHA512) with the given private key.
+signer, err := NewSigner(PS512, privateKey)
+if err != nil {
+	panic(err)
+}
+
+// Sign a sample payload. Calling the signer returns a protected JWS object,
+// which can then be serialized for output afterwards. An error would
+// indicate a problem in an underlying cryptographic primitive.
+var payload = []byte("Lorem ipsum dolor sit amet")
+object, err := signer.Sign(payload)
+if err != nil {
+	panic(err)
+}
+
+// Serialize the encrypted object using the full serialization format.
+// Alternatively you can also use the compact format here by calling
+// object.CompactSerialize() instead.
+serialized := object.FullSerialize()
+
+// Parse the serialized, protected JWS object. An error would indicate that
+// the given input did not represent a valid message.
+object, err = ParseSigned(serialized)
+if err != nil {
+	panic(err)
+}
+
+// Now we can verify the signature on the payload. An error here would
+// indicate the the message failed to verify, e.g. because the signature was
+// broken or the message was tampered with.
+output, err := object.Verify(&privateKey.PublicKey)
+if err != nil {
+	panic(err)
+}
+
+fmt.Printf(string(output))
+// output: Lorem ipsum dolor sit amet
+```
+
+More examples can be found in the [Godoc
+reference](https://godoc.org/github.com/square/go-jose) for this package. The
+[`jose-util`](https://github.com/square/go-jose/tree/master/jose-util)
+subdirectory also contains a small command-line utility which might
+be useful as an example.
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/asymmetric.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/asymmetric.go
new file mode 100644
index 000000000..cd36c21da
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/asymmetric.go
@@ -0,0 +1,520 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jose
+
+import (
+	"crypto"
+	"crypto/aes"
+	"crypto/ecdsa"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha1"
+	"crypto/sha256"
+	"errors"
+	"fmt"
+	"math/big"
+
+	"gopkg.in/square/go-jose.v1/cipher"
+)
+
+// A generic RSA-based encrypter/verifier
+type rsaEncrypterVerifier struct {
+	publicKey *rsa.PublicKey
+}
+
+// A generic RSA-based decrypter/signer
+type rsaDecrypterSigner struct {
+	privateKey *rsa.PrivateKey
+}
+
+// A generic EC-based encrypter/verifier
+type ecEncrypterVerifier struct {
+	publicKey *ecdsa.PublicKey
+}
+
+// A key generator for ECDH-ES
+type ecKeyGenerator struct {
+	size      int
+	algID     string
+	publicKey *ecdsa.PublicKey
+}
+
+// A generic EC-based decrypter/signer
+type ecDecrypterSigner struct {
+	privateKey *ecdsa.PrivateKey
+}
+
+// newRSARecipient creates recipientKeyInfo based on the given key.
+func newRSARecipient(keyAlg KeyAlgorithm, publicKey *rsa.PublicKey) (recipientKeyInfo, error) {
+	// Verify that key management algorithm is supported by this encrypter
+	switch keyAlg {
+	case RSA1_5, RSA_OAEP, RSA_OAEP_256:
+	default:
+		return recipientKeyInfo{}, ErrUnsupportedAlgorithm
+	}
+
+	if publicKey == nil {
+		return recipientKeyInfo{}, errors.New("invalid public key")
+	}
+
+	return recipientKeyInfo{
+		keyAlg: keyAlg,
+		keyEncrypter: &rsaEncrypterVerifier{
+			publicKey: publicKey,
+		},
+	}, nil
+}
+
+// newRSASigner creates a recipientSigInfo based on the given key.
+func newRSASigner(sigAlg SignatureAlgorithm, privateKey *rsa.PrivateKey) (recipientSigInfo, error) {
+	// Verify that key management algorithm is supported by this encrypter
+	switch sigAlg {
+	case RS256, RS384, RS512, PS256, PS384, PS512:
+	default:
+		return recipientSigInfo{}, ErrUnsupportedAlgorithm
+	}
+
+	if privateKey == nil {
+		return recipientSigInfo{}, errors.New("invalid private key")
+	}
+
+	return recipientSigInfo{
+		sigAlg: sigAlg,
+		publicKey: &JsonWebKey{
+			Key: &privateKey.PublicKey,
+		},
+		signer: &rsaDecrypterSigner{
+			privateKey: privateKey,
+		},
+	}, nil
+}
+
+// newECDHRecipient creates recipientKeyInfo based on the given key.
+func newECDHRecipient(keyAlg KeyAlgorithm, publicKey *ecdsa.PublicKey) (recipientKeyInfo, error) {
+	// Verify that key management algorithm is supported by this encrypter
+	switch keyAlg {
+	case ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW:
+	default:
+		return recipientKeyInfo{}, ErrUnsupportedAlgorithm
+	}
+
+	if publicKey == nil || !publicKey.Curve.IsOnCurve(publicKey.X, publicKey.Y) {
+		return recipientKeyInfo{}, errors.New("invalid public key")
+	}
+
+	return recipientKeyInfo{
+		keyAlg: keyAlg,
+		keyEncrypter: &ecEncrypterVerifier{
+			publicKey: publicKey,
+		},
+	}, nil
+}
+
+// newECDSASigner creates a recipientSigInfo based on the given key.
+func newECDSASigner(sigAlg SignatureAlgorithm, privateKey *ecdsa.PrivateKey) (recipientSigInfo, error) {
+	// Verify that key management algorithm is supported by this encrypter
+	switch sigAlg {
+	case ES256, ES384, ES512:
+	default:
+		return recipientSigInfo{}, ErrUnsupportedAlgorithm
+	}
+
+	if privateKey == nil {
+		return recipientSigInfo{}, errors.New("invalid private key")
+	}
+
+	return recipientSigInfo{
+		sigAlg: sigAlg,
+		publicKey: &JsonWebKey{
+			Key: &privateKey.PublicKey,
+		},
+		signer: &ecDecrypterSigner{
+			privateKey: privateKey,
+		},
+	}, nil
+}
+
+// Encrypt the given payload and update the object.
+func (ctx rsaEncrypterVerifier) encryptKey(cek []byte, alg KeyAlgorithm) (recipientInfo, error) {
+	encryptedKey, err := ctx.encrypt(cek, alg)
+	if err != nil {
+		return recipientInfo{}, err
+	}
+
+	return recipientInfo{
+		encryptedKey: encryptedKey,
+		header:       &rawHeader{},
+	}, nil
+}
+
+// Encrypt the given payload. Based on the key encryption algorithm,
+// this will either use RSA-PKCS1v1.5 or RSA-OAEP (with SHA-1 or SHA-256).
+func (ctx rsaEncrypterVerifier) encrypt(cek []byte, alg KeyAlgorithm) ([]byte, error) {
+	switch alg {
+	case RSA1_5:
+		return rsa.EncryptPKCS1v15(randReader, ctx.publicKey, cek)
+	case RSA_OAEP:
+		return rsa.EncryptOAEP(sha1.New(), randReader, ctx.publicKey, cek, []byte{})
+	case RSA_OAEP_256:
+		return rsa.EncryptOAEP(sha256.New(), randReader, ctx.publicKey, cek, []byte{})
+	}
+
+	return nil, ErrUnsupportedAlgorithm
+}
+
+// Decrypt the given payload and return the content encryption key.
+func (ctx rsaDecrypterSigner) decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) {
+	return ctx.decrypt(recipient.encryptedKey, KeyAlgorithm(headers.Alg), generator)
+}
+
+// Decrypt the given payload. Based on the key encryption algorithm,
+// this will either use RSA-PKCS1v1.5 or RSA-OAEP (with SHA-1 or SHA-256).
+func (ctx rsaDecrypterSigner) decrypt(jek []byte, alg KeyAlgorithm, generator keyGenerator) ([]byte, error) {
+	// Note: The random reader on decrypt operations is only used for blinding,
+	// so stubbing is meanlingless (hence the direct use of rand.Reader).
+	switch alg {
+	case RSA1_5:
+		defer func() {
+			// DecryptPKCS1v15SessionKey sometimes panics on an invalid payload
+			// because of an index out of bounds error, which we want to ignore.
+			// This has been fixed in Go 1.3.1 (released 2014/08/13), the recover()
+			// only exists for preventing crashes with unpatched versions.
+			// See: https://groups.google.com/forum/#!topic/golang-dev/7ihX6Y6kx9k
+			// See: https://code.google.com/p/go/source/detail?r=58ee390ff31602edb66af41ed10901ec95904d33
+			_ = recover()
+		}()
+
+		// Perform some input validation.
+		keyBytes := ctx.privateKey.PublicKey.N.BitLen() / 8
+		if keyBytes != len(jek) {
+			// Input size is incorrect, the encrypted payload should always match
+			// the size of the public modulus (e.g. using a 2048 bit key will
+			// produce 256 bytes of output). Reject this since it's invalid input.
+			return nil, ErrCryptoFailure
+		}
+
+		cek, _, err := generator.genKey()
+		if err != nil {
+			return nil, ErrCryptoFailure
+		}
+
+		// When decrypting an RSA-PKCS1v1.5 payload, we must take precautions to
+		// prevent chosen-ciphertext attacks as described in RFC 3218, "Preventing
+		// the Million Message Attack on Cryptographic Message Syntax". We are
+		// therefore deliberately ignoring errors here.
+		_ = rsa.DecryptPKCS1v15SessionKey(rand.Reader, ctx.privateKey, jek, cek)
+
+		return cek, nil
+	case RSA_OAEP:
+		// Use rand.Reader for RSA blinding
+		return rsa.DecryptOAEP(sha1.New(), rand.Reader, ctx.privateKey, jek, []byte{})
+	case RSA_OAEP_256:
+		// Use rand.Reader for RSA blinding
+		return rsa.DecryptOAEP(sha256.New(), rand.Reader, ctx.privateKey, jek, []byte{})
+	}
+
+	return nil, ErrUnsupportedAlgorithm
+}
+
+// Sign the given payload
+func (ctx rsaDecrypterSigner) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) {
+	var hash crypto.Hash
+
+	switch alg {
+	case RS256, PS256:
+		hash = crypto.SHA256
+	case RS384, PS384:
+		hash = crypto.SHA384
+	case RS512, PS512:
+		hash = crypto.SHA512
+	default:
+		return Signature{}, ErrUnsupportedAlgorithm
+	}
+
+	hasher := hash.New()
+
+	// According to documentation, Write() on hash never fails
+	_, _ = hasher.Write(payload)
+	hashed := hasher.Sum(nil)
+
+	var out []byte
+	var err error
+
+	switch alg {
+	case RS256, RS384, RS512:
+		out, err = rsa.SignPKCS1v15(randReader, ctx.privateKey, hash, hashed)
+	case PS256, PS384, PS512:
+		out, err = rsa.SignPSS(randReader, ctx.privateKey, hash, hashed, &rsa.PSSOptions{
+			SaltLength: rsa.PSSSaltLengthAuto,
+		})
+	}
+
+	if err != nil {
+		return Signature{}, err
+	}
+
+	return Signature{
+		Signature: out,
+		protected: &rawHeader{},
+	}, nil
+}
+
+// Verify the given payload
+func (ctx rsaEncrypterVerifier) verifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error {
+	var hash crypto.Hash
+
+	switch alg {
+	case RS256, PS256:
+		hash = crypto.SHA256
+	case RS384, PS384:
+		hash = crypto.SHA384
+	case RS512, PS512:
+		hash = crypto.SHA512
+	default:
+		return ErrUnsupportedAlgorithm
+	}
+
+	hasher := hash.New()
+
+	// According to documentation, Write() on hash never fails
+	_, _ = hasher.Write(payload)
+	hashed := hasher.Sum(nil)
+
+	switch alg {
+	case RS256, RS384, RS512:
+		return rsa.VerifyPKCS1v15(ctx.publicKey, hash, hashed, signature)
+	case PS256, PS384, PS512:
+		return rsa.VerifyPSS(ctx.publicKey, hash, hashed, signature, nil)
+	}
+
+	return ErrUnsupportedAlgorithm
+}
+
+// Encrypt the given payload and update the object.
+func (ctx ecEncrypterVerifier) encryptKey(cek []byte, alg KeyAlgorithm) (recipientInfo, error) {
+	switch alg {
+	case ECDH_ES:
+		// ECDH-ES mode doesn't wrap a key, the shared secret is used directly as the key.
+		return recipientInfo{
+			header: &rawHeader{},
+		}, nil
+	case ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW:
+	default:
+		return recipientInfo{}, ErrUnsupportedAlgorithm
+	}
+
+	generator := ecKeyGenerator{
+		algID:     string(alg),
+		publicKey: ctx.publicKey,
+	}
+
+	switch alg {
+	case ECDH_ES_A128KW:
+		generator.size = 16
+	case ECDH_ES_A192KW:
+		generator.size = 24
+	case ECDH_ES_A256KW:
+		generator.size = 32
+	}
+
+	kek, header, err := generator.genKey()
+	if err != nil {
+		return recipientInfo{}, err
+	}
+
+	block, err := aes.NewCipher(kek)
+	if err != nil {
+		return recipientInfo{}, err
+	}
+
+	jek, err := josecipher.KeyWrap(block, cek)
+	if err != nil {
+		return recipientInfo{}, err
+	}
+
+	return recipientInfo{
+		encryptedKey: jek,
+		header:       &header,
+	}, nil
+}
+
+// Get key size for EC key generator
+func (ctx ecKeyGenerator) keySize() int {
+	return ctx.size
+}
+
+// Get a content encryption key for ECDH-ES
+func (ctx ecKeyGenerator) genKey() ([]byte, rawHeader, error) {
+	priv, err := ecdsa.GenerateKey(ctx.publicKey.Curve, randReader)
+	if err != nil {
+		return nil, rawHeader{}, err
+	}
+
+	out := josecipher.DeriveECDHES(ctx.algID, []byte{}, []byte{}, priv, ctx.publicKey, ctx.size)
+
+	headers := rawHeader{
+		Epk: &JsonWebKey{
+			Key: &priv.PublicKey,
+		},
+	}
+
+	return out, headers, nil
+}
+
+// Decrypt the given payload and return the content encryption key.
+func (ctx ecDecrypterSigner) decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) {
+	if headers.Epk == nil {
+		return nil, errors.New("square/go-jose: missing epk header")
+	}
+
+	publicKey, ok := headers.Epk.Key.(*ecdsa.PublicKey)
+	if publicKey == nil || !ok {
+		return nil, errors.New("square/go-jose: invalid epk header")
+	}
+
+	if !ctx.privateKey.Curve.IsOnCurve(publicKey.X, publicKey.Y) {
+		return nil, errors.New("square/go-jose: invalid public key in epk header")
+	}
+
+	apuData := headers.Apu.bytes()
+	apvData := headers.Apv.bytes()
+
+	deriveKey := func(algID string, size int) []byte {
+		return josecipher.DeriveECDHES(algID, apuData, apvData, ctx.privateKey, publicKey, size)
+	}
+
+	var keySize int
+
+	switch KeyAlgorithm(headers.Alg) {
+	case ECDH_ES:
+		// ECDH-ES uses direct key agreement, no key unwrapping necessary.
+		return deriveKey(string(headers.Enc), generator.keySize()), nil
+	case ECDH_ES_A128KW:
+		keySize = 16
+	case ECDH_ES_A192KW:
+		keySize = 24
+	case ECDH_ES_A256KW:
+		keySize = 32
+	default:
+		return nil, ErrUnsupportedAlgorithm
+	}
+
+	key := deriveKey(headers.Alg, keySize)
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	return josecipher.KeyUnwrap(block, recipient.encryptedKey)
+}
+
+// Sign the given payload
+func (ctx ecDecrypterSigner) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) {
+	var expectedBitSize int
+	var hash crypto.Hash
+
+	switch alg {
+	case ES256:
+		expectedBitSize = 256
+		hash = crypto.SHA256
+	case ES384:
+		expectedBitSize = 384
+		hash = crypto.SHA384
+	case ES512:
+		expectedBitSize = 521
+		hash = crypto.SHA512
+	}
+
+	curveBits := ctx.privateKey.Curve.Params().BitSize
+	if expectedBitSize != curveBits {
+		return Signature{}, fmt.Errorf("square/go-jose: expected %d bit key, got %d bits instead", expectedBitSize, curveBits)
+	}
+
+	hasher := hash.New()
+
+	// According to documentation, Write() on hash never fails
+	_, _ = hasher.Write(payload)
+	hashed := hasher.Sum(nil)
+
+	r, s, err := ecdsa.Sign(randReader, ctx.privateKey, hashed)
+	if err != nil {
+		return Signature{}, err
+	}
+
+	keyBytes := curveBits / 8
+	if curveBits%8 > 0 {
+		keyBytes += 1
+	}
+
+	// We serialize the outpus (r and s) into big-endian byte arrays and pad
+	// them with zeros on the left to make sure the sizes work out. Both arrays
+	// must be keyBytes long, and the output must be 2*keyBytes long.
+	rBytes := r.Bytes()
+	rBytesPadded := make([]byte, keyBytes)
+	copy(rBytesPadded[keyBytes-len(rBytes):], rBytes)
+
+	sBytes := s.Bytes()
+	sBytesPadded := make([]byte, keyBytes)
+	copy(sBytesPadded[keyBytes-len(sBytes):], sBytes)
+
+	out := append(rBytesPadded, sBytesPadded...)
+
+	return Signature{
+		Signature: out,
+		protected: &rawHeader{},
+	}, nil
+}
+
+// Verify the given payload
+func (ctx ecEncrypterVerifier) verifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error {
+	var keySize int
+	var hash crypto.Hash
+
+	switch alg {
+	case ES256:
+		keySize = 32
+		hash = crypto.SHA256
+	case ES384:
+		keySize = 48
+		hash = crypto.SHA384
+	case ES512:
+		keySize = 66
+		hash = crypto.SHA512
+	default:
+		return ErrUnsupportedAlgorithm
+	}
+
+	if len(signature) != 2*keySize {
+		return fmt.Errorf("square/go-jose: invalid signature size, have %d bytes, wanted %d", len(signature), 2*keySize)
+	}
+
+	hasher := hash.New()
+
+	// According to documentation, Write() on hash never fails
+	_, _ = hasher.Write(payload)
+	hashed := hasher.Sum(nil)
+
+	r := big.NewInt(0).SetBytes(signature[:keySize])
+	s := big.NewInt(0).SetBytes(signature[keySize:])
+
+	match := ecdsa.Verify(ctx.publicKey, hashed, r, s)
+	if !match {
+		return errors.New("square/go-jose: ecdsa signature failed to verify")
+	}
+
+	return nil
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/asymmetric_test.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/asymmetric_test.go
new file mode 100644
index 000000000..018ad2e2d
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/asymmetric_test.go
@@ -0,0 +1,468 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jose
+
+import (
+	"bytes"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/rsa"
+	"errors"
+	"io"
+	"math/big"
+	"testing"
+)
+
+func TestVectorsRSA(t *testing.T) {
+	// Sources:
+	//   http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/pkcs-rsa-cryptography-standard.htm
+	//   ftp://ftp.rsa.com/pub/rsalabs/tmp/pkcs1v15crypt-vectors.txt
+	priv := &rsa.PrivateKey{
+		PublicKey: rsa.PublicKey{
+			N: fromHexInt(`
+				a8b3b284af8eb50b387034a860f146c4919f318763cd6c5598c8
+				ae4811a1e0abc4c7e0b082d693a5e7fced675cf4668512772c0c
+				bc64a742c6c630f533c8cc72f62ae833c40bf25842e984bb78bd
+				bf97c0107d55bdb662f5c4e0fab9845cb5148ef7392dd3aaff93
+				ae1e6b667bb3d4247616d4f5ba10d4cfd226de88d39f16fb`),
+			E: 65537,
+		},
+		D: fromHexInt(`
+				53339cfdb79fc8466a655c7316aca85c55fd8f6dd898fdaf1195
+				17ef4f52e8fd8e258df93fee180fa0e4ab29693cd83b152a553d
+				4ac4d1812b8b9fa5af0e7f55fe7304df41570926f3311f15c4d6
+				5a732c483116ee3d3d2d0af3549ad9bf7cbfb78ad884f84d5beb
+				04724dc7369b31def37d0cf539e9cfcdd3de653729ead5d1`),
+		Primes: []*big.Int{
+			fromHexInt(`
+				d32737e7267ffe1341b2d5c0d150a81b586fb3132bed2f8d5262
+				864a9cb9f30af38be448598d413a172efb802c21acf1c11c520c
+				2f26a471dcad212eac7ca39d`),
+			fromHexInt(`
+				cc8853d1d54da630fac004f471f281c7b8982d8224a490edbeb3
+				3d3e3d5cc93c4765703d1dd791642f1f116a0dd852be2419b2af
+				72bfe9a030e860b0288b5d77`),
+		},
+	}
+
+	input := fromHexBytes(
+		"6628194e12073db03ba94cda9ef9532397d50dba79b987004afefe34")
+
+	expectedPKCS := fromHexBytes(`
+		50b4c14136bd198c2f3c3ed243fce036e168d56517984a263cd66492b808
+		04f169d210f2b9bdfb48b12f9ea05009c77da257cc600ccefe3a6283789d
+		8ea0e607ac58e2690ec4ebc10146e8cbaa5ed4d5cce6fe7b0ff9efc1eabb
+		564dbf498285f449ee61dd7b42ee5b5892cb90601f30cda07bf26489310b
+		cd23b528ceab3c31`)
+
+	expectedOAEP := fromHexBytes(`
+		354fe67b4a126d5d35fe36c777791a3f7ba13def484e2d3908aff722fad4
+		68fb21696de95d0be911c2d3174f8afcc201035f7b6d8e69402de5451618
+		c21a535fa9d7bfc5b8dd9fc243f8cf927db31322d6e881eaa91a996170e6
+		57a05a266426d98c88003f8477c1227094a0d9fa1e8c4024309ce1ecccb5
+		210035d47ac72e8a`)
+
+	// Mock random reader
+	randReader = bytes.NewReader(fromHexBytes(`
+		017341ae3875d5f87101f8cc4fa9b9bc156bb04628fccdb2f4f11e905bd3
+		a155d376f593bd7304210874eba08a5e22bcccb4c9d3882a93a54db022f5
+		03d16338b6b7ce16dc7f4bbf9a96b59772d6606e9747c7649bf9e083db98
+		1884a954ab3c6f18b776ea21069d69776a33e96bad48e1dda0a5ef`))
+	defer resetRandReader()
+
+	// RSA-PKCS1v1.5 encrypt
+	enc := new(rsaEncrypterVerifier)
+	enc.publicKey = &priv.PublicKey
+	encryptedPKCS, err := enc.encrypt(input, RSA1_5)
+	if err != nil {
+		t.Error("Encryption failed:", err)
+		return
+	}
+
+	if bytes.Compare(encryptedPKCS, expectedPKCS) != 0 {
+		t.Error("Output does not match expected value (PKCS1v1.5)")
+	}
+
+	// RSA-OAEP encrypt
+	encryptedOAEP, err := enc.encrypt(input, RSA_OAEP)
+	if err != nil {
+		t.Error("Encryption failed:", err)
+		return
+	}
+
+	if bytes.Compare(encryptedOAEP, expectedOAEP) != 0 {
+		t.Error("Output does not match expected value (OAEP)")
+	}
+
+	// Need fake cipher for PKCS1v1.5 decrypt
+	resetRandReader()
+	aes := newAESGCM(len(input))
+
+	keygen := randomKeyGenerator{
+		size: aes.keySize(),
+	}
+
+	// RSA-PKCS1v1.5 decrypt
+	dec := new(rsaDecrypterSigner)
+	dec.privateKey = priv
+	decryptedPKCS, err := dec.decrypt(encryptedPKCS, RSA1_5, keygen)
+	if err != nil {
+		t.Error("Decryption failed:", err)
+		return
+	}
+
+	if bytes.Compare(input, decryptedPKCS) != 0 {
+		t.Error("Output does not match expected value (PKCS1v1.5)")
+	}
+
+	// RSA-OAEP decrypt
+	decryptedOAEP, err := dec.decrypt(encryptedOAEP, RSA_OAEP, keygen)
+	if err != nil {
+		t.Error("decryption failed:", err)
+		return
+	}
+
+	if bytes.Compare(input, decryptedOAEP) != 0 {
+		t.Error("output does not match expected value (OAEP)")
+	}
+}
+
+func TestInvalidAlgorithmsRSA(t *testing.T) {
+	_, err := newRSARecipient("XYZ", nil)
+	if err != ErrUnsupportedAlgorithm {
+		t.Error("should return error on invalid algorithm")
+	}
+
+	_, err = newRSASigner("XYZ", nil)
+	if err != ErrUnsupportedAlgorithm {
+		t.Error("should return error on invalid algorithm")
+	}
+
+	enc := new(rsaEncrypterVerifier)
+	enc.publicKey = &rsaTestKey.PublicKey
+	_, err = enc.encryptKey([]byte{}, "XYZ")
+	if err != ErrUnsupportedAlgorithm {
+		t.Error("should return error on invalid algorithm")
+	}
+
+	err = enc.verifyPayload([]byte{}, []byte{}, "XYZ")
+	if err != ErrUnsupportedAlgorithm {
+		t.Error("should return error on invalid algorithm")
+	}
+
+	dec := new(rsaDecrypterSigner)
+	dec.privateKey = rsaTestKey
+	_, err = dec.decrypt(make([]byte, 256), "XYZ", randomKeyGenerator{size: 16})
+	if err != ErrUnsupportedAlgorithm {
+		t.Error("should return error on invalid algorithm")
+	}
+
+	_, err = dec.signPayload([]byte{}, "XYZ")
+	if err != ErrUnsupportedAlgorithm {
+		t.Error("should return error on invalid algorithm")
+	}
+}
+
+type failingKeyGenerator struct{}
+
+func (ctx failingKeyGenerator) keySize() int {
+	return 0
+}
+
+func (ctx failingKeyGenerator) genKey() ([]byte, rawHeader, error) {
+	return nil, rawHeader{}, errors.New("failed to generate key")
+}
+
+func TestPKCSKeyGeneratorFailure(t *testing.T) {
+	dec := new(rsaDecrypterSigner)
+	dec.privateKey = rsaTestKey
+	generator := failingKeyGenerator{}
+	_, err := dec.decrypt(make([]byte, 256), RSA1_5, generator)
+	if err != ErrCryptoFailure {
+		t.Error("should return error on invalid algorithm")
+	}
+}
+
+func TestInvalidAlgorithmsEC(t *testing.T) {
+	_, err := newECDHRecipient("XYZ", nil)
+	if err != ErrUnsupportedAlgorithm {
+		t.Error("should return error on invalid algorithm")
+	}
+
+	_, err = newECDSASigner("XYZ", nil)
+	if err != ErrUnsupportedAlgorithm {
+		t.Error("should return error on invalid algorithm")
+	}
+
+	enc := new(ecEncrypterVerifier)
+	enc.publicKey = &ecTestKey256.PublicKey
+	_, err = enc.encryptKey([]byte{}, "XYZ")
+	if err != ErrUnsupportedAlgorithm {
+		t.Error("should return error on invalid algorithm")
+	}
+}
+
+func TestInvalidECKeyGen(t *testing.T) {
+	gen := ecKeyGenerator{
+		size:      16,
+		algID:     "A128GCM",
+		publicKey: &ecTestKey256.PublicKey,
+	}
+
+	if gen.keySize() != 16 {
+		t.Error("ec key generator reported incorrect key size")
+	}
+
+	_, _, err := gen.genKey()
+	if err != nil {
+		t.Error("ec key generator failed to generate key", err)
+	}
+}
+
+func TestInvalidECDecrypt(t *testing.T) {
+	dec := ecDecrypterSigner{
+		privateKey: ecTestKey256,
+	}
+
+	generator := randomKeyGenerator{size: 16}
+
+	// Missing epk header
+	headers := rawHeader{
+		Alg: string(ECDH_ES),
+	}
+
+	_, err := dec.decryptKey(headers, nil, generator)
+	if err == nil {
+		t.Error("ec decrypter accepted object with missing epk header")
+	}
+
+	// Invalid epk header
+	headers.Epk = &JsonWebKey{}
+
+	_, err = dec.decryptKey(headers, nil, generator)
+	if err == nil {
+		t.Error("ec decrypter accepted object with invalid epk header")
+	}
+}
+
+func TestDecryptWithIncorrectSize(t *testing.T) {
+	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		t.Error(err)
+		return
+	}
+
+	dec := new(rsaDecrypterSigner)
+	dec.privateKey = priv
+	aes := newAESGCM(16)
+
+	keygen := randomKeyGenerator{
+		size: aes.keySize(),
+	}
+
+	payload := make([]byte, 254)
+	_, err = dec.decrypt(payload, RSA1_5, keygen)
+	if err == nil {
+		t.Error("Invalid payload size should return error")
+	}
+
+	payload = make([]byte, 257)
+	_, err = dec.decrypt(payload, RSA1_5, keygen)
+	if err == nil {
+		t.Error("Invalid payload size should return error")
+	}
+}
+
+func TestPKCSDecryptNeverFails(t *testing.T) {
+	// We don't want RSA-PKCS1 v1.5 decryption to ever fail, in order to prevent
+	// side-channel timing attacks (Bleichenbacher attack in particular).
+	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		t.Error(err)
+		return
+	}
+
+	dec := new(rsaDecrypterSigner)
+	dec.privateKey = priv
+	aes := newAESGCM(16)
+
+	keygen := randomKeyGenerator{
+		size: aes.keySize(),
+	}
+
+	for i := 1; i < 50; i++ {
+		payload := make([]byte, 256)
+		_, err := io.ReadFull(rand.Reader, payload)
+		if err != nil {
+			t.Error("Unable to get random data:", err)
+			return
+		}
+		_, err = dec.decrypt(payload, RSA1_5, keygen)
+		if err != nil {
+			t.Error("PKCS1v1.5 decrypt should never fail:", err)
+			return
+		}
+	}
+}
+
+func BenchmarkPKCSDecryptWithValidPayloads(b *testing.B) {
+	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		panic(err)
+	}
+
+	enc := new(rsaEncrypterVerifier)
+	enc.publicKey = &priv.PublicKey
+	dec := new(rsaDecrypterSigner)
+	dec.privateKey = priv
+	aes := newAESGCM(32)
+
+	b.StopTimer()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		plaintext := make([]byte, 32)
+		_, err = io.ReadFull(rand.Reader, plaintext)
+		if err != nil {
+			panic(err)
+		}
+
+		ciphertext, err := enc.encrypt(plaintext, RSA1_5)
+		if err != nil {
+			panic(err)
+		}
+
+		keygen := randomKeyGenerator{
+			size: aes.keySize(),
+		}
+
+		b.StartTimer()
+		_, err = dec.decrypt(ciphertext, RSA1_5, keygen)
+		b.StopTimer()
+		if err != nil {
+			panic(err)
+		}
+	}
+}
+
+func BenchmarkPKCSDecryptWithInvalidPayloads(b *testing.B) {
+	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		panic(err)
+	}
+
+	enc := new(rsaEncrypterVerifier)
+	enc.publicKey = &priv.PublicKey
+	dec := new(rsaDecrypterSigner)
+	dec.privateKey = priv
+	aes := newAESGCM(16)
+
+	keygen := randomKeyGenerator{
+		size: aes.keySize(),
+	}
+
+	b.StopTimer()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		plaintext := make([]byte, 16)
+		_, err = io.ReadFull(rand.Reader, plaintext)
+		if err != nil {
+			panic(err)
+		}
+
+		ciphertext, err := enc.encrypt(plaintext, RSA1_5)
+		if err != nil {
+			panic(err)
+		}
+
+		// Do some simple scrambling
+		ciphertext[128] ^= 0xFF
+
+		b.StartTimer()
+		_, err = dec.decrypt(ciphertext, RSA1_5, keygen)
+		b.StopTimer()
+		if err != nil {
+			panic(err)
+		}
+	}
+}
+
+func TestInvalidEllipticCurve(t *testing.T) {
+	signer256 := ecDecrypterSigner{privateKey: ecTestKey256}
+	signer384 := ecDecrypterSigner{privateKey: ecTestKey384}
+	signer521 := ecDecrypterSigner{privateKey: ecTestKey521}
+
+	_, err := signer256.signPayload([]byte{}, ES384)
+	if err == nil {
+		t.Error("should not generate ES384 signature with P-256 key")
+	}
+	_, err = signer256.signPayload([]byte{}, ES512)
+	if err == nil {
+		t.Error("should not generate ES512 signature with P-256 key")
+	}
+	_, err = signer384.signPayload([]byte{}, ES256)
+	if err == nil {
+		t.Error("should not generate ES256 signature with P-384 key")
+	}
+	_, err = signer384.signPayload([]byte{}, ES512)
+	if err == nil {
+		t.Error("should not generate ES512 signature with P-384 key")
+	}
+	_, err = signer521.signPayload([]byte{}, ES256)
+	if err == nil {
+		t.Error("should not generate ES256 signature with P-521 key")
+	}
+	_, err = signer521.signPayload([]byte{}, ES384)
+	if err == nil {
+		t.Error("should not generate ES384 signature with P-521 key")
+	}
+}
+
+func TestInvalidECPublicKey(t *testing.T) {
+	// Invalid key
+	invalid := &ecdsa.PrivateKey{
+		PublicKey: ecdsa.PublicKey{
+			Curve: elliptic.P256(),
+			X:     fromBase64Int("MTEx"),
+			Y:     fromBase64Int("MTEx"),
+		},
+		D: fromBase64Int("0_NxaRPUMQoAJt50Gz8YiTr8gRTwyEaCumd-MToTmIo="),
+	}
+
+	headers := rawHeader{
+		Alg: string(ECDH_ES),
+		Epk: &JsonWebKey{
+			Key: &invalid.PublicKey,
+		},
+	}
+
+	dec := ecDecrypterSigner{
+		privateKey: ecTestKey256,
+	}
+
+	_, err := dec.decryptKey(headers, nil, randomKeyGenerator{size: 16})
+	if err == nil {
+		t.Fatal("decrypter accepted JWS with invalid ECDH public key")
+	}
+}
+
+func TestInvalidAlgorithmEC(t *testing.T) {
+	err := ecEncrypterVerifier{publicKey: &ecTestKey256.PublicKey}.verifyPayload([]byte{}, []byte{}, "XYZ")
+	if err != ErrUnsupportedAlgorithm {
+		t.Fatal("should not accept invalid/unsupported algorithm")
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/cipher/cbc_hmac.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/cipher/cbc_hmac.go
new file mode 100644
index 000000000..126b85ce2
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/cipher/cbc_hmac.go
@@ -0,0 +1,196 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package josecipher
+
+import (
+	"bytes"
+	"crypto/cipher"
+	"crypto/hmac"
+	"crypto/sha256"
+	"crypto/sha512"
+	"crypto/subtle"
+	"encoding/binary"
+	"errors"
+	"hash"
+)
+
+const (
+	nonceBytes = 16
+)
+
+// NewCBCHMAC instantiates a new AEAD based on CBC+HMAC.
+func NewCBCHMAC(key []byte, newBlockCipher func([]byte) (cipher.Block, error)) (cipher.AEAD, error) {
+	keySize := len(key) / 2
+	integrityKey := key[:keySize]
+	encryptionKey := key[keySize:]
+
+	blockCipher, err := newBlockCipher(encryptionKey)
+	if err != nil {
+		return nil, err
+	}
+
+	var hash func() hash.Hash
+	switch keySize {
+	case 16:
+		hash = sha256.New
+	case 24:
+		hash = sha512.New384
+	case 32:
+		hash = sha512.New
+	}
+
+	return &cbcAEAD{
+		hash:         hash,
+		blockCipher:  blockCipher,
+		authtagBytes: keySize,
+		integrityKey: integrityKey,
+	}, nil
+}
+
+// An AEAD based on CBC+HMAC
+type cbcAEAD struct {
+	hash         func() hash.Hash
+	authtagBytes int
+	integrityKey []byte
+	blockCipher  cipher.Block
+}
+
+func (ctx *cbcAEAD) NonceSize() int {
+	return nonceBytes
+}
+
+func (ctx *cbcAEAD) Overhead() int {
+	// Maximum overhead is block size (for padding) plus auth tag length, where
+	// the length of the auth tag is equivalent to the key size.
+	return ctx.blockCipher.BlockSize() + ctx.authtagBytes
+}
+
+// Seal encrypts and authenticates the plaintext.
+func (ctx *cbcAEAD) Seal(dst, nonce, plaintext, data []byte) []byte {
+	// Output buffer -- must take care not to mangle plaintext input.
+	ciphertext := make([]byte, uint64(len(plaintext))+uint64(ctx.Overhead()))[:len(plaintext)]
+	copy(ciphertext, plaintext)
+	ciphertext = padBuffer(ciphertext, ctx.blockCipher.BlockSize())
+
+	cbc := cipher.NewCBCEncrypter(ctx.blockCipher, nonce)
+
+	cbc.CryptBlocks(ciphertext, ciphertext)
+	authtag := ctx.computeAuthTag(data, nonce, ciphertext)
+
+	ret, out := resize(dst, uint64(len(dst))+uint64(len(ciphertext))+uint64(len(authtag)))
+	copy(out, ciphertext)
+	copy(out[len(ciphertext):], authtag)
+
+	return ret
+}
+
+// Open decrypts and authenticates the ciphertext.
+func (ctx *cbcAEAD) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
+	if len(ciphertext) < ctx.authtagBytes {
+		return nil, errors.New("square/go-jose: invalid ciphertext (too short)")
+	}
+
+	offset := len(ciphertext) - ctx.authtagBytes
+	expectedTag := ctx.computeAuthTag(data, nonce, ciphertext[:offset])
+	match := subtle.ConstantTimeCompare(expectedTag, ciphertext[offset:])
+	if match != 1 {
+		return nil, errors.New("square/go-jose: invalid ciphertext (auth tag mismatch)")
+	}
+
+	cbc := cipher.NewCBCDecrypter(ctx.blockCipher, nonce)
+
+	// Make copy of ciphertext buffer, don't want to modify in place
+	buffer := append([]byte{}, []byte(ciphertext[:offset])...)
+
+	if len(buffer)%ctx.blockCipher.BlockSize() > 0 {
+		return nil, errors.New("square/go-jose: invalid ciphertext (invalid length)")
+	}
+
+	cbc.CryptBlocks(buffer, buffer)
+
+	// Remove padding
+	plaintext, err := unpadBuffer(buffer, ctx.blockCipher.BlockSize())
+	if err != nil {
+		return nil, err
+	}
+
+	ret, out := resize(dst, uint64(len(dst))+uint64(len(plaintext)))
+	copy(out, plaintext)
+
+	return ret, nil
+}
+
+// Compute an authentication tag
+func (ctx *cbcAEAD) computeAuthTag(aad, nonce, ciphertext []byte) []byte {
+	buffer := make([]byte, uint64(len(aad))+uint64(len(nonce))+uint64(len(ciphertext))+8)
+	n := 0
+	n += copy(buffer, aad)
+	n += copy(buffer[n:], nonce)
+	n += copy(buffer[n:], ciphertext)
+	binary.BigEndian.PutUint64(buffer[n:], uint64(len(aad))*8)
+
+	// According to documentation, Write() on hash.Hash never fails.
+	hmac := hmac.New(ctx.hash, ctx.integrityKey)
+	_, _ = hmac.Write(buffer)
+
+	return hmac.Sum(nil)[:ctx.authtagBytes]
+}
+
+// resize ensures the the given slice has a capacity of at least n bytes.
+// If the capacity of the slice is less than n, a new slice is allocated
+// and the existing data will be copied.
+func resize(in []byte, n uint64) (head, tail []byte) {
+	if uint64(cap(in)) >= n {
+		head = in[:n]
+	} else {
+		head = make([]byte, n)
+		copy(head, in)
+	}
+
+	tail = head[len(in):]
+	return
+}
+
+// Apply padding
+func padBuffer(buffer []byte, blockSize int) []byte {
+	missing := blockSize - (len(buffer) % blockSize)
+	ret, out := resize(buffer, uint64(len(buffer))+uint64(missing))
+	padding := bytes.Repeat([]byte{byte(missing)}, missing)
+	copy(out, padding)
+	return ret
+}
+
+// Remove padding
+func unpadBuffer(buffer []byte, blockSize int) ([]byte, error) {
+	if len(buffer)%blockSize != 0 {
+		return nil, errors.New("square/go-jose: invalid padding")
+	}
+
+	last := buffer[len(buffer)-1]
+	count := int(last)
+
+	if count == 0 || count > blockSize || count > len(buffer) {
+		return nil, errors.New("square/go-jose: invalid padding")
+	}
+
+	padding := bytes.Repeat([]byte{last}, count)
+	if !bytes.HasSuffix(buffer, padding) {
+		return nil, errors.New("square/go-jose: invalid padding")
+	}
+
+	return buffer[:len(buffer)-count], nil
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/cipher/cbc_hmac_test.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/cipher/cbc_hmac_test.go
new file mode 100644
index 000000000..40bcb20fa
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/cipher/cbc_hmac_test.go
@@ -0,0 +1,498 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package josecipher
+
+import (
+	"bytes"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"io"
+	"strings"
+	"testing"
+)
+
+func TestInvalidInputs(t *testing.T) {
+	key := []byte{
+		0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
+		0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
+	}
+
+	nonce := []byte{
+		92, 80, 104, 49, 133, 25, 161, 215, 173, 101, 219, 211, 136, 91, 210, 145}
+
+	aead, _ := NewCBCHMAC(key, aes.NewCipher)
+	ciphertext := aead.Seal(nil, nonce, []byte("plaintext"), []byte("aad"))
+
+	// Changed AAD, must fail
+	_, err := aead.Open(nil, nonce, ciphertext, []byte("INVALID"))
+	if err == nil {
+		t.Error("must detect invalid aad")
+	}
+
+	// Empty ciphertext, must fail
+	_, err = aead.Open(nil, nonce, []byte{}, []byte("aad"))
+	if err == nil {
+		t.Error("must detect invalid/empty ciphertext")
+	}
+
+	// Corrupt ciphertext, must fail
+	corrupt := make([]byte, len(ciphertext))
+	copy(corrupt, ciphertext)
+	corrupt[0] ^= 0xFF
+
+	_, err = aead.Open(nil, nonce, corrupt, []byte("aad"))
+	if err == nil {
+		t.Error("must detect corrupt ciphertext")
+	}
+
+	// Corrupt authtag, must fail
+	copy(corrupt, ciphertext)
+	corrupt[len(ciphertext)-1] ^= 0xFF
+
+	_, err = aead.Open(nil, nonce, corrupt, []byte("aad"))
+	if err == nil {
+		t.Error("must detect corrupt authtag")
+	}
+
+	// Truncated data, must fail
+	_, err = aead.Open(nil, nonce, ciphertext[:10], []byte("aad"))
+	if err == nil {
+		t.Error("must detect corrupt authtag")
+	}
+}
+
+func TestVectorsAESCBC128(t *testing.T) {
+	// Source: http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-29#appendix-A.2
+	plaintext := []byte{
+		76, 105, 118, 101, 32, 108, 111, 110, 103, 32, 97, 110, 100, 32,
+		112, 114, 111, 115, 112, 101, 114, 46}
+
+	aad := []byte{
+		101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 83, 85, 48, 69,
+		120, 88, 122, 85, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105,
+		74, 66, 77, 84, 73, 52, 81, 48, 74, 68, 76, 85, 104, 84, 77, 106, 85,
+		50, 73, 110, 48}
+
+	expectedCiphertext := []byte{
+		40, 57, 83, 181, 119, 33, 133, 148, 198, 185, 243, 24, 152, 230, 6,
+		75, 129, 223, 127, 19, 210, 82, 183, 230, 168, 33, 215, 104, 143,
+		112, 56, 102}
+
+	expectedAuthtag := []byte{
+		246, 17, 244, 190, 4, 95, 98, 3, 231, 0, 115, 157, 242, 203, 100,
+		191}
+
+	key := []byte{
+		4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170, 106, 206,
+		107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240, 143, 156, 44, 207}
+
+	nonce := []byte{
+		3, 22, 60, 12, 43, 67, 104, 105, 108, 108, 105, 99, 111, 116, 104, 101}
+
+	enc, err := NewCBCHMAC(key, aes.NewCipher)
+	out := enc.Seal(nil, nonce, plaintext, aad)
+	if err != nil {
+		t.Error("Unable to encrypt:", err)
+		return
+	}
+
+	if bytes.Compare(out[:len(out)-16], expectedCiphertext) != 0 {
+		t.Error("Ciphertext did not match")
+	}
+	if bytes.Compare(out[len(out)-16:], expectedAuthtag) != 0 {
+		t.Error("Auth tag did not match")
+	}
+}
+
+func TestVectorsAESCBC256(t *testing.T) {
+	// Source: https://tools.ietf.org/html/draft-mcgrew-aead-aes-cbc-hmac-sha2-05#section-5.4
+	plaintext := []byte{
+		0x41, 0x20, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x20, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x20,
+		0x6d, 0x75, 0x73, 0x74, 0x20, 0x6e, 0x6f, 0x74, 0x20, 0x62, 0x65, 0x20, 0x72, 0x65, 0x71, 0x75,
+		0x69, 0x72, 0x65, 0x64, 0x20, 0x74, 0x6f, 0x20, 0x62, 0x65, 0x20, 0x73, 0x65, 0x63, 0x72, 0x65,
+		0x74, 0x2c, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x69, 0x74, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62,
+		0x65, 0x20, 0x61, 0x62, 0x6c, 0x65, 0x20, 0x74, 0x6f, 0x20, 0x66, 0x61, 0x6c, 0x6c, 0x20, 0x69,
+		0x6e, 0x74, 0x6f, 0x20, 0x74, 0x68, 0x65, 0x20, 0x68, 0x61, 0x6e, 0x64, 0x73, 0x20, 0x6f, 0x66,
+		0x20, 0x74, 0x68, 0x65, 0x20, 0x65, 0x6e, 0x65, 0x6d, 0x79, 0x20, 0x77, 0x69, 0x74, 0x68, 0x6f,
+		0x75, 0x74, 0x20, 0x69, 0x6e, 0x63, 0x6f, 0x6e, 0x76, 0x65, 0x6e, 0x69, 0x65, 0x6e, 0x63, 0x65}
+
+	aad := []byte{
+		0x54, 0x68, 0x65, 0x20, 0x73, 0x65, 0x63, 0x6f, 0x6e, 0x64, 0x20, 0x70, 0x72, 0x69, 0x6e, 0x63,
+		0x69, 0x70, 0x6c, 0x65, 0x20, 0x6f, 0x66, 0x20, 0x41, 0x75, 0x67, 0x75, 0x73, 0x74, 0x65, 0x20,
+		0x4b, 0x65, 0x72, 0x63, 0x6b, 0x68, 0x6f, 0x66, 0x66, 0x73}
+
+	expectedCiphertext := []byte{
+		0x4a, 0xff, 0xaa, 0xad, 0xb7, 0x8c, 0x31, 0xc5, 0xda, 0x4b, 0x1b, 0x59, 0x0d, 0x10, 0xff, 0xbd,
+		0x3d, 0xd8, 0xd5, 0xd3, 0x02, 0x42, 0x35, 0x26, 0x91, 0x2d, 0xa0, 0x37, 0xec, 0xbc, 0xc7, 0xbd,
+		0x82, 0x2c, 0x30, 0x1d, 0xd6, 0x7c, 0x37, 0x3b, 0xcc, 0xb5, 0x84, 0xad, 0x3e, 0x92, 0x79, 0xc2,
+		0xe6, 0xd1, 0x2a, 0x13, 0x74, 0xb7, 0x7f, 0x07, 0x75, 0x53, 0xdf, 0x82, 0x94, 0x10, 0x44, 0x6b,
+		0x36, 0xeb, 0xd9, 0x70, 0x66, 0x29, 0x6a, 0xe6, 0x42, 0x7e, 0xa7, 0x5c, 0x2e, 0x08, 0x46, 0xa1,
+		0x1a, 0x09, 0xcc, 0xf5, 0x37, 0x0d, 0xc8, 0x0b, 0xfe, 0xcb, 0xad, 0x28, 0xc7, 0x3f, 0x09, 0xb3,
+		0xa3, 0xb7, 0x5e, 0x66, 0x2a, 0x25, 0x94, 0x41, 0x0a, 0xe4, 0x96, 0xb2, 0xe2, 0xe6, 0x60, 0x9e,
+		0x31, 0xe6, 0xe0, 0x2c, 0xc8, 0x37, 0xf0, 0x53, 0xd2, 0x1f, 0x37, 0xff, 0x4f, 0x51, 0x95, 0x0b,
+		0xbe, 0x26, 0x38, 0xd0, 0x9d, 0xd7, 0xa4, 0x93, 0x09, 0x30, 0x80, 0x6d, 0x07, 0x03, 0xb1, 0xf6}
+
+	expectedAuthtag := []byte{
+		0x4d, 0xd3, 0xb4, 0xc0, 0x88, 0xa7, 0xf4, 0x5c, 0x21, 0x68, 0x39, 0x64, 0x5b, 0x20, 0x12, 0xbf,
+		0x2e, 0x62, 0x69, 0xa8, 0xc5, 0x6a, 0x81, 0x6d, 0xbc, 0x1b, 0x26, 0x77, 0x61, 0x95, 0x5b, 0xc5}
+
+	key := []byte{
+		0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+		0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
+		0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+		0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f}
+
+	nonce := []byte{
+		0x1a, 0xf3, 0x8c, 0x2d, 0xc2, 0xb9, 0x6f, 0xfd, 0xd8, 0x66, 0x94, 0x09, 0x23, 0x41, 0xbc, 0x04}
+
+	enc, err := NewCBCHMAC(key, aes.NewCipher)
+	out := enc.Seal(nil, nonce, plaintext, aad)
+	if err != nil {
+		t.Error("Unable to encrypt:", err)
+		return
+	}
+
+	if bytes.Compare(out[:len(out)-32], expectedCiphertext) != 0 {
+		t.Error("Ciphertext did not match, got", out[:len(out)-32], "wanted", expectedCiphertext)
+	}
+	if bytes.Compare(out[len(out)-32:], expectedAuthtag) != 0 {
+		t.Error("Auth tag did not match, got", out[len(out)-32:], "wanted", expectedAuthtag)
+	}
+}
+
+func TestAESCBCRoundtrip(t *testing.T) {
+	key128 := []byte{
+		0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
+		0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}
+
+	key192 := []byte{
+		0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
+		0, 1, 2, 3, 4, 5, 6, 7,
+		0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
+		0, 1, 2, 3, 4, 5, 6, 7}
+
+	key256 := []byte{
+		0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
+		0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
+		0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
+		0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}
+
+	nonce := []byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}
+
+	RunRoundtrip(t, key128, nonce)
+	RunRoundtrip(t, key192, nonce)
+	RunRoundtrip(t, key256, nonce)
+}
+
+func RunRoundtrip(t *testing.T, key, nonce []byte) {
+	aead, err := NewCBCHMAC(key, aes.NewCipher)
+	if err != nil {
+		panic(err)
+	}
+
+	if aead.NonceSize() != len(nonce) {
+		panic("invalid nonce")
+	}
+
+	// Test pre-existing data in dst buffer
+	dst := []byte{15, 15, 15, 15}
+	plaintext := []byte{0, 0, 0, 0}
+	aad := []byte{4, 3, 2, 1}
+
+	result := aead.Seal(dst, nonce, plaintext, aad)
+	if bytes.Compare(dst, result[:4]) != 0 {
+		t.Error("Existing data in dst not preserved")
+	}
+
+	// Test pre-existing (empty) dst buffer with sufficient capacity
+	dst = make([]byte, 256)[:0]
+	result, err = aead.Open(dst, nonce, result[4:], aad)
+	if err != nil {
+		panic(err)
+	}
+
+	if bytes.Compare(result, plaintext) != 0 {
+		t.Error("Plaintext does not match output")
+	}
+}
+
+func TestAESCBCOverhead(t *testing.T) {
+	aead, err := NewCBCHMAC(make([]byte, 32), aes.NewCipher)
+	if err != nil {
+		panic(err)
+	}
+
+	if aead.Overhead() != 32 {
+		t.Error("CBC-HMAC reports incorrect overhead value")
+	}
+}
+
+func TestPadding(t *testing.T) {
+	for i := 0; i < 256; i++ {
+		slice := make([]byte, i)
+		padded := padBuffer(slice, 16)
+		if len(padded)%16 != 0 {
+			t.Error("failed to pad slice properly", i)
+			return
+		}
+		unpadded, err := unpadBuffer(padded, 16)
+		if err != nil || len(unpadded) != i {
+			t.Error("failed to unpad slice properly", i)
+			return
+		}
+	}
+}
+
+func TestInvalidKey(t *testing.T) {
+	key := make([]byte, 30)
+	_, err := NewCBCHMAC(key, aes.NewCipher)
+	if err == nil {
+		t.Error("should not be able to instantiate CBC-HMAC with invalid key")
+	}
+}
+
+func TestTruncatedCiphertext(t *testing.T) {
+	key := make([]byte, 32)
+	nonce := make([]byte, 16)
+	data := make([]byte, 32)
+
+	io.ReadFull(rand.Reader, key)
+	io.ReadFull(rand.Reader, nonce)
+
+	aead, err := NewCBCHMAC(key, aes.NewCipher)
+	if err != nil {
+		panic(err)
+	}
+
+	ctx := aead.(*cbcAEAD)
+	ct := aead.Seal(nil, nonce, data, nil)
+
+	// Truncated ciphertext, but with correct auth tag
+	truncated, tail := resize(ct[:len(ct)-ctx.authtagBytes-2], uint64(len(ct))-2)
+	copy(tail, ctx.computeAuthTag(nil, nonce, truncated[:len(truncated)-ctx.authtagBytes]))
+
+	// Open should fail
+	_, err = aead.Open(nil, nonce, truncated, nil)
+	if err == nil {
+		t.Error("open on truncated ciphertext should fail")
+	}
+}
+
+func TestInvalidPaddingOpen(t *testing.T) {
+	key := make([]byte, 32)
+	nonce := make([]byte, 16)
+
+	// Plaintext with invalid padding
+	plaintext := padBuffer(make([]byte, 28), aes.BlockSize)
+	plaintext[len(plaintext)-1] = 0xFF
+
+	io.ReadFull(rand.Reader, key)
+	io.ReadFull(rand.Reader, nonce)
+
+	block, _ := aes.NewCipher(key)
+	cbc := cipher.NewCBCEncrypter(block, nonce)
+	buffer := append([]byte{}, plaintext...)
+	cbc.CryptBlocks(buffer, buffer)
+
+	aead, _ := NewCBCHMAC(key, aes.NewCipher)
+	ctx := aead.(*cbcAEAD)
+
+	// Mutated ciphertext, but with correct auth tag
+	size := uint64(len(buffer))
+	ciphertext, tail := resize(buffer, size+(uint64(len(key))/2))
+	copy(tail, ctx.computeAuthTag(nil, nonce, ciphertext[:size]))
+
+	// Open should fail (b/c of invalid padding, even though tag matches)
+	_, err := aead.Open(nil, nonce, ciphertext, nil)
+	if err == nil || !strings.Contains(err.Error(), "invalid padding") {
+		t.Error("no or unexpected error on open with invalid padding:", err)
+	}
+}
+
+func TestInvalidPadding(t *testing.T) {
+	for i := 0; i < 256; i++ {
+		slice := make([]byte, i)
+		padded := padBuffer(slice, 16)
+		if len(padded)%16 != 0 {
+			t.Error("failed to pad slice properly", i)
+			return
+		}
+
+		paddingBytes := 16 - (i % 16)
+
+		// Mutate padding for testing
+		for j := 1; j <= paddingBytes; j++ {
+			mutated := make([]byte, len(padded))
+			copy(mutated, padded)
+			mutated[len(mutated)-j] ^= 0xFF
+
+			_, err := unpadBuffer(mutated, 16)
+			if err == nil {
+				t.Error("unpad on invalid padding should fail", i)
+				return
+			}
+		}
+
+		// Test truncated padding
+		_, err := unpadBuffer(padded[:len(padded)-1], 16)
+		if err == nil {
+			t.Error("unpad on truncated padding should fail", i)
+			return
+		}
+	}
+}
+
+func TestZeroLengthPadding(t *testing.T) {
+	data := make([]byte, 16)
+	data, err := unpadBuffer(data, 16)
+	if err == nil {
+		t.Error("padding with 0x00 should never be valid")
+	}
+}
+
+func benchEncryptCBCHMAC(b *testing.B, keySize, chunkSize int) {
+	key := make([]byte, keySize*2)
+	nonce := make([]byte, 16)
+
+	io.ReadFull(rand.Reader, key)
+	io.ReadFull(rand.Reader, nonce)
+
+	chunk := make([]byte, chunkSize)
+
+	aead, err := NewCBCHMAC(key, aes.NewCipher)
+	if err != nil {
+		panic(err)
+	}
+
+	b.SetBytes(int64(chunkSize))
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		aead.Seal(nil, nonce, chunk, nil)
+	}
+}
+
+func benchDecryptCBCHMAC(b *testing.B, keySize, chunkSize int) {
+	key := make([]byte, keySize*2)
+	nonce := make([]byte, 16)
+
+	io.ReadFull(rand.Reader, key)
+	io.ReadFull(rand.Reader, nonce)
+
+	chunk := make([]byte, chunkSize)
+
+	aead, err := NewCBCHMAC(key, aes.NewCipher)
+	if err != nil {
+		panic(err)
+	}
+
+	out := aead.Seal(nil, nonce, chunk, nil)
+
+	b.SetBytes(int64(chunkSize))
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		aead.Open(nil, nonce, out, nil)
+	}
+}
+
+func BenchmarkEncryptAES128_CBCHMAC_1k(b *testing.B) {
+	benchEncryptCBCHMAC(b, 16, 1024)
+}
+
+func BenchmarkEncryptAES128_CBCHMAC_64k(b *testing.B) {
+	benchEncryptCBCHMAC(b, 16, 65536)
+}
+
+func BenchmarkEncryptAES128_CBCHMAC_1MB(b *testing.B) {
+	benchEncryptCBCHMAC(b, 16, 1048576)
+}
+
+func BenchmarkEncryptAES128_CBCHMAC_64MB(b *testing.B) {
+	benchEncryptCBCHMAC(b, 16, 67108864)
+}
+
+func BenchmarkDecryptAES128_CBCHMAC_1k(b *testing.B) {
+	benchDecryptCBCHMAC(b, 16, 1024)
+}
+
+func BenchmarkDecryptAES128_CBCHMAC_64k(b *testing.B) {
+	benchDecryptCBCHMAC(b, 16, 65536)
+}
+
+func BenchmarkDecryptAES128_CBCHMAC_1MB(b *testing.B) {
+	benchDecryptCBCHMAC(b, 16, 1048576)
+}
+
+func BenchmarkDecryptAES128_CBCHMAC_64MB(b *testing.B) {
+	benchDecryptCBCHMAC(b, 16, 67108864)
+}
+
+func BenchmarkEncryptAES192_CBCHMAC_64k(b *testing.B) {
+	benchEncryptCBCHMAC(b, 24, 65536)
+}
+
+func BenchmarkEncryptAES192_CBCHMAC_1MB(b *testing.B) {
+	benchEncryptCBCHMAC(b, 24, 1048576)
+}
+
+func BenchmarkEncryptAES192_CBCHMAC_64MB(b *testing.B) {
+	benchEncryptCBCHMAC(b, 24, 67108864)
+}
+
+func BenchmarkDecryptAES192_CBCHMAC_1k(b *testing.B) {
+	benchDecryptCBCHMAC(b, 24, 1024)
+}
+
+func BenchmarkDecryptAES192_CBCHMAC_64k(b *testing.B) {
+	benchDecryptCBCHMAC(b, 24, 65536)
+}
+
+func BenchmarkDecryptAES192_CBCHMAC_1MB(b *testing.B) {
+	benchDecryptCBCHMAC(b, 24, 1048576)
+}
+
+func BenchmarkDecryptAES192_CBCHMAC_64MB(b *testing.B) {
+	benchDecryptCBCHMAC(b, 24, 67108864)
+}
+
+func BenchmarkEncryptAES256_CBCHMAC_64k(b *testing.B) {
+	benchEncryptCBCHMAC(b, 32, 65536)
+}
+
+func BenchmarkEncryptAES256_CBCHMAC_1MB(b *testing.B) {
+	benchEncryptCBCHMAC(b, 32, 1048576)
+}
+
+func BenchmarkEncryptAES256_CBCHMAC_64MB(b *testing.B) {
+	benchEncryptCBCHMAC(b, 32, 67108864)
+}
+
+func BenchmarkDecryptAES256_CBCHMAC_1k(b *testing.B) {
+	benchDecryptCBCHMAC(b, 32, 1032)
+}
+
+func BenchmarkDecryptAES256_CBCHMAC_64k(b *testing.B) {
+	benchDecryptCBCHMAC(b, 32, 65536)
+}
+
+func BenchmarkDecryptAES256_CBCHMAC_1MB(b *testing.B) {
+	benchDecryptCBCHMAC(b, 32, 1048576)
+}
+
+func BenchmarkDecryptAES256_CBCHMAC_64MB(b *testing.B) {
+	benchDecryptCBCHMAC(b, 32, 67108864)
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/cipher/concat_kdf.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/cipher/concat_kdf.go
new file mode 100644
index 000000000..f62c3bdba
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/cipher/concat_kdf.go
@@ -0,0 +1,75 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package josecipher
+
+import (
+	"crypto"
+	"encoding/binary"
+	"hash"
+	"io"
+)
+
+type concatKDF struct {
+	z, info []byte
+	i       uint32
+	cache   []byte
+	hasher  hash.Hash
+}
+
+// NewConcatKDF builds a KDF reader based on the given inputs.
+func NewConcatKDF(hash crypto.Hash, z, algID, ptyUInfo, ptyVInfo, supPubInfo, supPrivInfo []byte) io.Reader {
+	buffer := make([]byte, uint64(len(algID))+uint64(len(ptyUInfo))+uint64(len(ptyVInfo))+uint64(len(supPubInfo))+uint64(len(supPrivInfo)))
+	n := 0
+	n += copy(buffer, algID)
+	n += copy(buffer[n:], ptyUInfo)
+	n += copy(buffer[n:], ptyVInfo)
+	n += copy(buffer[n:], supPubInfo)
+	copy(buffer[n:], supPrivInfo)
+
+	hasher := hash.New()
+
+	return &concatKDF{
+		z:      z,
+		info:   buffer,
+		hasher: hasher,
+		cache:  []byte{},
+		i:      1,
+	}
+}
+
+func (ctx *concatKDF) Read(out []byte) (int, error) {
+	copied := copy(out, ctx.cache)
+	ctx.cache = ctx.cache[copied:]
+
+	for copied < len(out) {
+		ctx.hasher.Reset()
+
+		// Write on a hash.Hash never fails
+		_ = binary.Write(ctx.hasher, binary.BigEndian, ctx.i)
+		_, _ = ctx.hasher.Write(ctx.z)
+		_, _ = ctx.hasher.Write(ctx.info)
+
+		hash := ctx.hasher.Sum(nil)
+		chunkCopied := copy(out[copied:], hash)
+		copied += chunkCopied
+		ctx.cache = hash[chunkCopied:]
+
+		ctx.i++
+	}
+
+	return copied, nil
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/cipher/concat_kdf_test.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/cipher/concat_kdf_test.go
new file mode 100644
index 000000000..48219b3e1
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/cipher/concat_kdf_test.go
@@ -0,0 +1,150 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package josecipher
+
+import (
+	"bytes"
+	"crypto"
+	"testing"
+)
+
+// Taken from: https://tools.ietf.org/id/draft-ietf-jose-json-web-algorithms-38.txt
+func TestVectorConcatKDF(t *testing.T) {
+	z := []byte{
+		158, 86, 217, 29, 129, 113, 53, 211, 114, 131, 66, 131, 191, 132,
+		38, 156, 251, 49, 110, 163, 218, 128, 106, 72, 246, 218, 167, 121,
+		140, 254, 144, 196}
+
+	algID := []byte{0, 0, 0, 7, 65, 49, 50, 56, 71, 67, 77}
+
+	ptyUInfo := []byte{0, 0, 0, 5, 65, 108, 105, 99, 101}
+	ptyVInfo := []byte{0, 0, 0, 3, 66, 111, 98}
+
+	supPubInfo := []byte{0, 0, 0, 128}
+	supPrivInfo := []byte{}
+
+	expected := []byte{
+		86, 170, 141, 234, 248, 35, 109, 32, 92, 34, 40, 205, 113, 167, 16, 26}
+
+	ckdf := NewConcatKDF(crypto.SHA256, z, algID, ptyUInfo, ptyVInfo, supPubInfo, supPrivInfo)
+
+	out0 := make([]byte, 9)
+	out1 := make([]byte, 7)
+
+	read0, err := ckdf.Read(out0)
+	if err != nil {
+		t.Error("error when reading from concat kdf reader", err)
+		return
+	}
+
+	read1, err := ckdf.Read(out1)
+	if err != nil {
+		t.Error("error when reading from concat kdf reader", err)
+		return
+	}
+
+	if read0+read1 != len(out0)+len(out1) {
+		t.Error("did not receive enough bytes from concat kdf reader")
+		return
+	}
+
+	out := []byte{}
+	out = append(out, out0...)
+	out = append(out, out1...)
+
+	if bytes.Compare(out, expected) != 0 {
+		t.Error("did not receive expected output from concat kdf reader")
+		return
+	}
+}
+
+func TestCache(t *testing.T) {
+	z := []byte{
+		158, 86, 217, 29, 129, 113, 53, 211, 114, 131, 66, 131, 191, 132,
+		38, 156, 251, 49, 110, 163, 218, 128, 106, 72, 246, 218, 167, 121,
+		140, 254, 144, 196}
+
+	algID := []byte{1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4}
+
+	ptyUInfo := []byte{1, 2, 3, 4}
+	ptyVInfo := []byte{4, 3, 2, 1}
+
+	supPubInfo := []byte{}
+	supPrivInfo := []byte{}
+
+	outputs := [][]byte{}
+
+	// Read the same amount of data in different chunk sizes
+	chunkSizes := []int{1, 2, 4, 8, 16, 32, 64, 128, 256, 512}
+
+	for _, c := range chunkSizes {
+		out := make([]byte, 1024)
+		reader := NewConcatKDF(crypto.SHA256, z, algID, ptyUInfo, ptyVInfo, supPubInfo, supPrivInfo)
+
+		for i := 0; i < 1024; i += c {
+			_, _ = reader.Read(out[i : i+c])
+		}
+
+		outputs = append(outputs, out)
+	}
+
+	for i := range outputs {
+		if bytes.Compare(outputs[i], outputs[(i+1)%len(outputs)]) != 0 {
+			t.Error("not all outputs from KDF matched")
+		}
+	}
+}
+
+func benchmarkKDF(b *testing.B, total int) {
+	z := []byte{
+		158, 86, 217, 29, 129, 113, 53, 211, 114, 131, 66, 131, 191, 132,
+		38, 156, 251, 49, 110, 163, 218, 128, 106, 72, 246, 218, 167, 121,
+		140, 254, 144, 196}
+
+	algID := []byte{1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4}
+
+	ptyUInfo := []byte{1, 2, 3, 4}
+	ptyVInfo := []byte{4, 3, 2, 1}
+
+	supPubInfo := []byte{}
+	supPrivInfo := []byte{}
+
+	out := make([]byte, total)
+	reader := NewConcatKDF(crypto.SHA256, z, algID, ptyUInfo, ptyVInfo, supPubInfo, supPrivInfo)
+
+	b.ResetTimer()
+	b.SetBytes(int64(total))
+	for i := 0; i < b.N; i++ {
+		_, _ = reader.Read(out)
+	}
+}
+
+func BenchmarkConcatKDF_1k(b *testing.B) {
+	benchmarkKDF(b, 1024)
+}
+
+func BenchmarkConcatKDF_64k(b *testing.B) {
+	benchmarkKDF(b, 65536)
+}
+
+func BenchmarkConcatKDF_1MB(b *testing.B) {
+	benchmarkKDF(b, 1048576)
+}
+
+func BenchmarkConcatKDF_64MB(b *testing.B) {
+	benchmarkKDF(b, 67108864)
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/cipher/ecdh_es.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/cipher/ecdh_es.go
new file mode 100644
index 000000000..f23d49e1f
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/cipher/ecdh_es.go
@@ -0,0 +1,62 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package josecipher
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"encoding/binary"
+)
+
+// DeriveECDHES derives a shared encryption key using ECDH/ConcatKDF as described in JWE/JWA.
+// It is an error to call this function with a private/public key that are not on the same
+// curve. Callers must ensure that the keys are valid before calling this function. Output
+// size may be at most 1<<16 bytes (64 KiB).
+func DeriveECDHES(alg string, apuData, apvData []byte, priv *ecdsa.PrivateKey, pub *ecdsa.PublicKey, size int) []byte {
+	if size > 1<<16 {
+		panic("ECDH-ES output size too large, must be less than 1<<16")
+	}
+
+	// algId, partyUInfo, partyVInfo inputs must be prefixed with the length
+	algID := lengthPrefixed([]byte(alg))
+	ptyUInfo := lengthPrefixed(apuData)
+	ptyVInfo := lengthPrefixed(apvData)
+
+	// suppPubInfo is the encoded length of the output size in bits
+	supPubInfo := make([]byte, 4)
+	binary.BigEndian.PutUint32(supPubInfo, uint32(size)*8)
+
+	if !priv.PublicKey.Curve.IsOnCurve(pub.X, pub.Y) {
+		panic("public key not on same curve as private key")
+	}
+
+	z, _ := priv.PublicKey.Curve.ScalarMult(pub.X, pub.Y, priv.D.Bytes())
+	reader := NewConcatKDF(crypto.SHA256, z.Bytes(), algID, ptyUInfo, ptyVInfo, supPubInfo, []byte{})
+
+	key := make([]byte, size)
+
+	// Read on the KDF will never fail
+	_, _ = reader.Read(key)
+	return key
+}
+
+func lengthPrefixed(data []byte) []byte {
+	out := make([]byte, len(data)+4)
+	binary.BigEndian.PutUint32(out, uint32(len(data)))
+	copy(out[4:], data)
+	return out
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/cipher/ecdh_es_test.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/cipher/ecdh_es_test.go
new file mode 100644
index 000000000..ca2c508dd
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/cipher/ecdh_es_test.go
@@ -0,0 +1,115 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package josecipher
+
+import (
+	"bytes"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"encoding/base64"
+	"math/big"
+	"testing"
+)
+
+// Example keys from JWA, Appendix C
+var aliceKey = &ecdsa.PrivateKey{
+	PublicKey: ecdsa.PublicKey{
+		Curve: elliptic.P256(),
+		X:     fromBase64Int("gI0GAILBdu7T53akrFmMyGcsF3n5dO7MmwNBHKW5SV0="),
+		Y:     fromBase64Int("SLW_xSffzlPWrHEVI30DHM_4egVwt3NQqeUD7nMFpps="),
+	},
+	D: fromBase64Int("0_NxaRPUMQoAJt50Gz8YiTr8gRTwyEaCumd-MToTmIo="),
+}
+
+var bobKey = &ecdsa.PrivateKey{
+	PublicKey: ecdsa.PublicKey{
+		Curve: elliptic.P256(),
+		X:     fromBase64Int("weNJy2HscCSM6AEDTDg04biOvhFhyyWvOHQfeF_PxMQ="),
+		Y:     fromBase64Int("e8lnCO-AlStT-NJVX-crhB7QRYhiix03illJOVAOyck="),
+	},
+	D: fromBase64Int("VEmDZpDXXK8p8N0Cndsxs924q6nS1RXFASRl6BfUqdw="),
+}
+
+// Build big int from base64-encoded string. Strips whitespace (for testing).
+func fromBase64Int(data string) *big.Int {
+	val, err := base64.URLEncoding.DecodeString(data)
+	if err != nil {
+		panic("Invalid test data")
+	}
+	return new(big.Int).SetBytes(val)
+}
+
+func TestVectorECDHES(t *testing.T) {
+	apuData := []byte("Alice")
+	apvData := []byte("Bob")
+
+	expected := []byte{
+		86, 170, 141, 234, 248, 35, 109, 32, 92, 34, 40, 205, 113, 167, 16, 26}
+
+	output := DeriveECDHES("A128GCM", apuData, apvData, bobKey, &aliceKey.PublicKey, 16)
+
+	if bytes.Compare(output, expected) != 0 {
+		t.Error("output did not match what we expect, got", output, "wanted", expected)
+	}
+}
+
+func TestInvalidECPublicKey(t *testing.T) {
+	defer func() { recover() }()
+
+	// Invalid key
+	invalid := &ecdsa.PrivateKey{
+		PublicKey: ecdsa.PublicKey{
+			Curve: elliptic.P256(),
+			X:     fromBase64Int("MTEx"),
+			Y:     fromBase64Int("MTEx"),
+		},
+		D: fromBase64Int("0_NxaRPUMQoAJt50Gz8YiTr8gRTwyEaCumd-MToTmIo="),
+	}
+
+	DeriveECDHES("A128GCM", []byte{}, []byte{}, bobKey, &invalid.PublicKey, 16)
+	t.Fatal("should panic if public key was invalid")
+}
+
+func BenchmarkECDHES_128(b *testing.B) {
+	apuData := []byte("APU")
+	apvData := []byte("APV")
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		DeriveECDHES("ID", apuData, apvData, bobKey, &aliceKey.PublicKey, 16)
+	}
+}
+
+func BenchmarkECDHES_192(b *testing.B) {
+	apuData := []byte("APU")
+	apvData := []byte("APV")
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		DeriveECDHES("ID", apuData, apvData, bobKey, &aliceKey.PublicKey, 24)
+	}
+}
+
+func BenchmarkECDHES_256(b *testing.B) {
+	apuData := []byte("APU")
+	apvData := []byte("APV")
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		DeriveECDHES("ID", apuData, apvData, bobKey, &aliceKey.PublicKey, 32)
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/cipher/key_wrap.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/cipher/key_wrap.go
new file mode 100644
index 000000000..1d36d5015
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/cipher/key_wrap.go
@@ -0,0 +1,109 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package josecipher
+
+import (
+	"crypto/cipher"
+	"crypto/subtle"
+	"encoding/binary"
+	"errors"
+)
+
+var defaultIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}
+
+// KeyWrap implements NIST key wrapping; it wraps a content encryption key (cek) with the given block cipher.
+func KeyWrap(block cipher.Block, cek []byte) ([]byte, error) {
+	if len(cek)%8 != 0 {
+		return nil, errors.New("square/go-jose: key wrap input must be 8 byte blocks")
+	}
+
+	n := len(cek) / 8
+	r := make([][]byte, n)
+
+	for i := range r {
+		r[i] = make([]byte, 8)
+		copy(r[i], cek[i*8:])
+	}
+
+	buffer := make([]byte, 16)
+	tBytes := make([]byte, 8)
+	copy(buffer, defaultIV)
+
+	for t := 0; t < 6*n; t++ {
+		copy(buffer[8:], r[t%n])
+
+		block.Encrypt(buffer, buffer)
+
+		binary.BigEndian.PutUint64(tBytes, uint64(t+1))
+
+		for i := 0; i < 8; i++ {
+			buffer[i] = buffer[i] ^ tBytes[i]
+		}
+		copy(r[t%n], buffer[8:])
+	}
+
+	out := make([]byte, (n+1)*8)
+	copy(out, buffer[:8])
+	for i := range r {
+		copy(out[(i+1)*8:], r[i])
+	}
+
+	return out, nil
+}
+
+// KeyUnwrap implements NIST key unwrapping; it unwraps a content encryption key (cek) with the given block cipher.
+func KeyUnwrap(block cipher.Block, ciphertext []byte) ([]byte, error) {
+	if len(ciphertext)%8 != 0 {
+		return nil, errors.New("square/go-jose: key wrap input must be 8 byte blocks")
+	}
+
+	n := (len(ciphertext) / 8) - 1
+	r := make([][]byte, n)
+
+	for i := range r {
+		r[i] = make([]byte, 8)
+		copy(r[i], ciphertext[(i+1)*8:])
+	}
+
+	buffer := make([]byte, 16)
+	tBytes := make([]byte, 8)
+	copy(buffer[:8], ciphertext[:8])
+
+	for t := 6*n - 1; t >= 0; t-- {
+		binary.BigEndian.PutUint64(tBytes, uint64(t+1))
+
+		for i := 0; i < 8; i++ {
+			buffer[i] = buffer[i] ^ tBytes[i]
+		}
+		copy(buffer[8:], r[t%n])
+
+		block.Decrypt(buffer, buffer)
+
+		copy(r[t%n], buffer[8:])
+	}
+
+	if subtle.ConstantTimeCompare(buffer[:8], defaultIV) == 0 {
+		return nil, errors.New("square/go-jose: failed to unwrap key")
+	}
+
+	out := make([]byte, n*8)
+	for i := range r {
+		copy(out[i*8:], r[i])
+	}
+
+	return out, nil
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/cipher/key_wrap_test.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/cipher/key_wrap_test.go
new file mode 100644
index 000000000..ceecf812b
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/cipher/key_wrap_test.go
@@ -0,0 +1,133 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package josecipher
+
+import (
+	"bytes"
+	"crypto/aes"
+	"encoding/hex"
+	"testing"
+)
+
+func TestAesKeyWrap(t *testing.T) {
+	// Test vectors from: http://csrc.nist.gov/groups/ST/toolkit/documents/kms/key-wrap.pdf
+	kek0, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
+	cek0, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")
+
+	expected0, _ := hex.DecodeString("1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5")
+
+	kek1, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F1011121314151617")
+	cek1, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")
+
+	expected1, _ := hex.DecodeString("96778B25AE6CA435F92B5B97C050AED2468AB8A17AD84E5D")
+
+	kek2, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F")
+	cek2, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF0001020304050607")
+
+	expected2, _ := hex.DecodeString("A8F9BC1612C68B3FF6E6F4FBE30E71E4769C8B80A32CB8958CD5D17D6B254DA1")
+
+	block0, _ := aes.NewCipher(kek0)
+	block1, _ := aes.NewCipher(kek1)
+	block2, _ := aes.NewCipher(kek2)
+
+	out0, _ := KeyWrap(block0, cek0)
+	out1, _ := KeyWrap(block1, cek1)
+	out2, _ := KeyWrap(block2, cek2)
+
+	if bytes.Compare(out0, expected0) != 0 {
+		t.Error("output 0 not as expected, got", out0, "wanted", expected0)
+	}
+
+	if bytes.Compare(out1, expected1) != 0 {
+		t.Error("output 1 not as expected, got", out1, "wanted", expected1)
+	}
+
+	if bytes.Compare(out2, expected2) != 0 {
+		t.Error("output 2 not as expected, got", out2, "wanted", expected2)
+	}
+
+	unwrap0, _ := KeyUnwrap(block0, out0)
+	unwrap1, _ := KeyUnwrap(block1, out1)
+	unwrap2, _ := KeyUnwrap(block2, out2)
+
+	if bytes.Compare(unwrap0, cek0) != 0 {
+		t.Error("key unwrap did not return original input, got", unwrap0, "wanted", cek0)
+	}
+
+	if bytes.Compare(unwrap1, cek1) != 0 {
+		t.Error("key unwrap did not return original input, got", unwrap1, "wanted", cek1)
+	}
+
+	if bytes.Compare(unwrap2, cek2) != 0 {
+		t.Error("key unwrap did not return original input, got", unwrap2, "wanted", cek2)
+	}
+}
+
+func TestAesKeyWrapInvalid(t *testing.T) {
+	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
+
+	// Invalid unwrap input (bit flipped)
+	input0, _ := hex.DecodeString("1EA68C1A8112B447AEF34BD8FB5A7B828D3E862371D2CFE5")
+
+	block, _ := aes.NewCipher(kek)
+
+	_, err := KeyUnwrap(block, input0)
+	if err == nil {
+		t.Error("key unwrap failed to detect invalid input")
+	}
+
+	// Invalid unwrap input (truncated)
+	input1, _ := hex.DecodeString("1EA68C1A8112B447AEF34BD8FB5A7B828D3E862371D2CF")
+
+	_, err = KeyUnwrap(block, input1)
+	if err == nil {
+		t.Error("key unwrap failed to detect truncated input")
+	}
+
+	// Invalid wrap input (not multiple of 8)
+	input2, _ := hex.DecodeString("0123456789ABCD")
+
+	_, err = KeyWrap(block, input2)
+	if err == nil {
+		t.Error("key wrap accepted invalid input")
+	}
+
+}
+
+func BenchmarkAesKeyWrap(b *testing.B) {
+	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
+	key, _ := hex.DecodeString("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")
+
+	block, _ := aes.NewCipher(kek)
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		KeyWrap(block, key)
+	}
+}
+
+func BenchmarkAesKeyUnwrap(b *testing.B) {
+	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
+	input, _ := hex.DecodeString("1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5")
+
+	block, _ := aes.NewCipher(kek)
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		KeyUnwrap(block, input)
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/crypter.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/crypter.go
new file mode 100644
index 000000000..b3bdaec80
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/crypter.go
@@ -0,0 +1,416 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jose
+
+import (
+	"crypto/ecdsa"
+	"crypto/rsa"
+	"errors"
+	"fmt"
+	"reflect"
+)
+
+// Encrypter represents an encrypter which produces an encrypted JWE object.
+type Encrypter interface {
+	Encrypt(plaintext []byte) (*JsonWebEncryption, error)
+	EncryptWithAuthData(plaintext []byte, aad []byte) (*JsonWebEncryption, error)
+	SetCompression(alg CompressionAlgorithm)
+}
+
+// MultiEncrypter represents an encrypter which supports multiple recipients.
+type MultiEncrypter interface {
+	Encrypt(plaintext []byte) (*JsonWebEncryption, error)
+	EncryptWithAuthData(plaintext []byte, aad []byte) (*JsonWebEncryption, error)
+	SetCompression(alg CompressionAlgorithm)
+	AddRecipient(alg KeyAlgorithm, encryptionKey interface{}) error
+}
+
+// A generic content cipher
+type contentCipher interface {
+	keySize() int
+	encrypt(cek []byte, aad, plaintext []byte) (*aeadParts, error)
+	decrypt(cek []byte, aad []byte, parts *aeadParts) ([]byte, error)
+}
+
+// A key generator (for generating/getting a CEK)
+type keyGenerator interface {
+	keySize() int
+	genKey() ([]byte, rawHeader, error)
+}
+
+// A generic key encrypter
+type keyEncrypter interface {
+	encryptKey(cek []byte, alg KeyAlgorithm) (recipientInfo, error) // Encrypt a key
+}
+
+// A generic key decrypter
+type keyDecrypter interface {
+	decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) // Decrypt a key
+}
+
+// A generic encrypter based on the given key encrypter and content cipher.
+type genericEncrypter struct {
+	contentAlg     ContentEncryption
+	compressionAlg CompressionAlgorithm
+	cipher         contentCipher
+	recipients     []recipientKeyInfo
+	keyGenerator   keyGenerator
+}
+
+type recipientKeyInfo struct {
+	keyID        string
+	keyAlg       KeyAlgorithm
+	keyEncrypter keyEncrypter
+}
+
+// SetCompression sets a compression algorithm to be applied before encryption.
+func (ctx *genericEncrypter) SetCompression(compressionAlg CompressionAlgorithm) {
+	ctx.compressionAlg = compressionAlg
+}
+
+// NewEncrypter creates an appropriate encrypter based on the key type
+func NewEncrypter(alg KeyAlgorithm, enc ContentEncryption, encryptionKey interface{}) (Encrypter, error) {
+	encrypter := &genericEncrypter{
+		contentAlg:     enc,
+		compressionAlg: NONE,
+		recipients:     []recipientKeyInfo{},
+		cipher:         getContentCipher(enc),
+	}
+
+	if encrypter.cipher == nil {
+		return nil, ErrUnsupportedAlgorithm
+	}
+
+	var keyID string
+	var rawKey interface{}
+	switch encryptionKey := encryptionKey.(type) {
+	case *JsonWebKey:
+		keyID = encryptionKey.KeyID
+		rawKey = encryptionKey.Key
+	default:
+		rawKey = encryptionKey
+	}
+
+	switch alg {
+	case DIRECT:
+		// Direct encryption mode must be treated differently
+		if reflect.TypeOf(rawKey) != reflect.TypeOf([]byte{}) {
+			return nil, ErrUnsupportedKeyType
+		}
+		encrypter.keyGenerator = staticKeyGenerator{
+			key: rawKey.([]byte),
+		}
+		recipient, _ := newSymmetricRecipient(alg, rawKey.([]byte))
+		if keyID != "" {
+			recipient.keyID = keyID
+		}
+		encrypter.recipients = []recipientKeyInfo{recipient}
+		return encrypter, nil
+	case ECDH_ES:
+		// ECDH-ES (w/o key wrapping) is similar to DIRECT mode
+		typeOf := reflect.TypeOf(rawKey)
+		if typeOf != reflect.TypeOf(&ecdsa.PublicKey{}) {
+			return nil, ErrUnsupportedKeyType
+		}
+		encrypter.keyGenerator = ecKeyGenerator{
+			size:      encrypter.cipher.keySize(),
+			algID:     string(enc),
+			publicKey: rawKey.(*ecdsa.PublicKey),
+		}
+		recipient, _ := newECDHRecipient(alg, rawKey.(*ecdsa.PublicKey))
+		if keyID != "" {
+			recipient.keyID = keyID
+		}
+		encrypter.recipients = []recipientKeyInfo{recipient}
+		return encrypter, nil
+	default:
+		// Can just add a standard recipient
+		encrypter.keyGenerator = randomKeyGenerator{
+			size: encrypter.cipher.keySize(),
+		}
+		err := encrypter.AddRecipient(alg, encryptionKey)
+		return encrypter, err
+	}
+}
+
+// NewMultiEncrypter creates a multi-encrypter based on the given parameters
+func NewMultiEncrypter(enc ContentEncryption) (MultiEncrypter, error) {
+	cipher := getContentCipher(enc)
+
+	if cipher == nil {
+		return nil, ErrUnsupportedAlgorithm
+	}
+
+	encrypter := &genericEncrypter{
+		contentAlg:     enc,
+		compressionAlg: NONE,
+		recipients:     []recipientKeyInfo{},
+		cipher:         cipher,
+		keyGenerator: randomKeyGenerator{
+			size: cipher.keySize(),
+		},
+	}
+
+	return encrypter, nil
+}
+
+func (ctx *genericEncrypter) AddRecipient(alg KeyAlgorithm, encryptionKey interface{}) (err error) {
+	var recipient recipientKeyInfo
+
+	switch alg {
+	case DIRECT, ECDH_ES:
+		return fmt.Errorf("square/go-jose: key algorithm '%s' not supported in multi-recipient mode", alg)
+	}
+
+	recipient, err = makeJWERecipient(alg, encryptionKey)
+
+	if err == nil {
+		ctx.recipients = append(ctx.recipients, recipient)
+	}
+	return err
+}
+
+func makeJWERecipient(alg KeyAlgorithm, encryptionKey interface{}) (recipientKeyInfo, error) {
+	switch encryptionKey := encryptionKey.(type) {
+	case *rsa.PublicKey:
+		return newRSARecipient(alg, encryptionKey)
+	case *ecdsa.PublicKey:
+		return newECDHRecipient(alg, encryptionKey)
+	case []byte:
+		return newSymmetricRecipient(alg, encryptionKey)
+	case *JsonWebKey:
+		recipient, err := makeJWERecipient(alg, encryptionKey.Key)
+		if err == nil && encryptionKey.KeyID != "" {
+			recipient.keyID = encryptionKey.KeyID
+		}
+		return recipient, err
+	default:
+		return recipientKeyInfo{}, ErrUnsupportedKeyType
+	}
+}
+
+// newDecrypter creates an appropriate decrypter based on the key type
+func newDecrypter(decryptionKey interface{}) (keyDecrypter, error) {
+	switch decryptionKey := decryptionKey.(type) {
+	case *rsa.PrivateKey:
+		return &rsaDecrypterSigner{
+			privateKey: decryptionKey,
+		}, nil
+	case *ecdsa.PrivateKey:
+		return &ecDecrypterSigner{
+			privateKey: decryptionKey,
+		}, nil
+	case []byte:
+		return &symmetricKeyCipher{
+			key: decryptionKey,
+		}, nil
+	case *JsonWebKey:
+		return newDecrypter(decryptionKey.Key)
+	default:
+		return nil, ErrUnsupportedKeyType
+	}
+}
+
+// Implementation of encrypt method producing a JWE object.
+func (ctx *genericEncrypter) Encrypt(plaintext []byte) (*JsonWebEncryption, error) {
+	return ctx.EncryptWithAuthData(plaintext, nil)
+}
+
+// Implementation of encrypt method producing a JWE object.
+func (ctx *genericEncrypter) EncryptWithAuthData(plaintext, aad []byte) (*JsonWebEncryption, error) {
+	obj := &JsonWebEncryption{}
+	obj.aad = aad
+
+	obj.protected = &rawHeader{
+		Enc: ctx.contentAlg,
+	}
+	obj.recipients = make([]recipientInfo, len(ctx.recipients))
+
+	if len(ctx.recipients) == 0 {
+		return nil, fmt.Errorf("square/go-jose: no recipients to encrypt to")
+	}
+
+	cek, headers, err := ctx.keyGenerator.genKey()
+	if err != nil {
+		return nil, err
+	}
+
+	obj.protected.merge(&headers)
+
+	for i, info := range ctx.recipients {
+		recipient, err := info.keyEncrypter.encryptKey(cek, info.keyAlg)
+		if err != nil {
+			return nil, err
+		}
+
+		recipient.header.Alg = string(info.keyAlg)
+		if info.keyID != "" {
+			recipient.header.Kid = info.keyID
+		}
+		obj.recipients[i] = recipient
+	}
+
+	if len(ctx.recipients) == 1 {
+		// Move per-recipient headers into main protected header if there's
+		// only a single recipient.
+		obj.protected.merge(obj.recipients[0].header)
+		obj.recipients[0].header = nil
+	}
+
+	if ctx.compressionAlg != NONE {
+		plaintext, err = compress(ctx.compressionAlg, plaintext)
+		if err != nil {
+			return nil, err
+		}
+
+		obj.protected.Zip = ctx.compressionAlg
+	}
+
+	authData := obj.computeAuthData()
+	parts, err := ctx.cipher.encrypt(cek, authData, plaintext)
+	if err != nil {
+		return nil, err
+	}
+
+	obj.iv = parts.iv
+	obj.ciphertext = parts.ciphertext
+	obj.tag = parts.tag
+
+	return obj, nil
+}
+
+// Decrypt and validate the object and return the plaintext. Note that this
+// function does not support multi-recipient, if you desire multi-recipient
+// decryption use DecryptMulti instead.
+func (obj JsonWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) {
+	headers := obj.mergedHeaders(nil)
+
+	if len(obj.recipients) > 1 {
+		return nil, errors.New("square/go-jose: too many recipients in payload; expecting only one")
+	}
+
+	if len(headers.Crit) > 0 {
+		return nil, fmt.Errorf("square/go-jose: unsupported crit header")
+	}
+
+	decrypter, err := newDecrypter(decryptionKey)
+	if err != nil {
+		return nil, err
+	}
+
+	cipher := getContentCipher(headers.Enc)
+	if cipher == nil {
+		return nil, fmt.Errorf("square/go-jose: unsupported enc value '%s'", string(headers.Enc))
+	}
+
+	generator := randomKeyGenerator{
+		size: cipher.keySize(),
+	}
+
+	parts := &aeadParts{
+		iv:         obj.iv,
+		ciphertext: obj.ciphertext,
+		tag:        obj.tag,
+	}
+
+	authData := obj.computeAuthData()
+
+	var plaintext []byte
+	recipient := obj.recipients[0]
+	recipientHeaders := obj.mergedHeaders(&recipient)
+
+	cek, err := decrypter.decryptKey(recipientHeaders, &recipient, generator)
+	if err == nil {
+		// Found a valid CEK -- let's try to decrypt.
+		plaintext, err = cipher.decrypt(cek, authData, parts)
+	}
+
+	if plaintext == nil {
+		return nil, ErrCryptoFailure
+	}
+
+	// The "zip" header parameter may only be present in the protected header.
+	if obj.protected.Zip != "" {
+		plaintext, err = decompress(obj.protected.Zip, plaintext)
+	}
+
+	return plaintext, err
+}
+
+// DecryptMulti decrypts and validates the object and returns the plaintexts,
+// with support for multiple recipients. It returns the index of the recipient
+// for which the decryption was successful, the merged headers for that recipient,
+// and the plaintext.
+func (obj JsonWebEncryption) DecryptMulti(decryptionKey interface{}) (int, JoseHeader, []byte, error) {
+	globalHeaders := obj.mergedHeaders(nil)
+
+	if len(globalHeaders.Crit) > 0 {
+		return -1, JoseHeader{}, nil, fmt.Errorf("square/go-jose: unsupported crit header")
+	}
+
+	decrypter, err := newDecrypter(decryptionKey)
+	if err != nil {
+		return -1, JoseHeader{}, nil, err
+	}
+
+	cipher := getContentCipher(globalHeaders.Enc)
+	if cipher == nil {
+		return -1, JoseHeader{}, nil, fmt.Errorf("square/go-jose: unsupported enc value '%s'", string(globalHeaders.Enc))
+	}
+
+	generator := randomKeyGenerator{
+		size: cipher.keySize(),
+	}
+
+	parts := &aeadParts{
+		iv:         obj.iv,
+		ciphertext: obj.ciphertext,
+		tag:        obj.tag,
+	}
+
+	authData := obj.computeAuthData()
+
+	index := -1
+	var plaintext []byte
+	var headers rawHeader
+
+	for i, recipient := range obj.recipients {
+		recipientHeaders := obj.mergedHeaders(&recipient)
+
+		cek, err := decrypter.decryptKey(recipientHeaders, &recipient, generator)
+		if err == nil {
+			// Found a valid CEK -- let's try to decrypt.
+			plaintext, err = cipher.decrypt(cek, authData, parts)
+			if err == nil {
+				index = i
+				headers = recipientHeaders
+				break
+			}
+		}
+	}
+
+	if plaintext == nil || err != nil {
+		return -1, JoseHeader{}, nil, ErrCryptoFailure
+	}
+
+	// The "zip" header parameter may only be present in the protected header.
+	if obj.protected.Zip != "" {
+		plaintext, err = decompress(obj.protected.Zip, plaintext)
+	}
+
+	return index, headers.sanitized(), plaintext, err
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/crypter_test.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/crypter_test.go
new file mode 100644
index 000000000..431f65378
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/crypter_test.go
@@ -0,0 +1,785 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jose
+
+import (
+	"bytes"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/rsa"
+	"fmt"
+	"io"
+	"testing"
+)
+
+// We generate only a single RSA and EC key for testing, speeds up tests.
+var rsaTestKey, _ = rsa.GenerateKey(rand.Reader, 2048)
+
+var ecTestKey256, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+var ecTestKey384, _ = ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
+var ecTestKey521, _ = ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
+
+func RoundtripJWE(keyAlg KeyAlgorithm, encAlg ContentEncryption, compressionAlg CompressionAlgorithm, serializer func(*JsonWebEncryption) (string, error), corrupter func(*JsonWebEncryption) bool, aad []byte, encryptionKey interface{}, decryptionKey interface{}) error {
+	enc, err := NewEncrypter(keyAlg, encAlg, encryptionKey)
+	if err != nil {
+		return fmt.Errorf("error on new encrypter: %s", err)
+	}
+
+	enc.SetCompression(compressionAlg)
+
+	input := []byte("Lorem ipsum dolor sit amet")
+	obj, err := enc.EncryptWithAuthData(input, aad)
+	if err != nil {
+		return fmt.Errorf("error in encrypt: %s", err)
+	}
+
+	msg, err := serializer(obj)
+	if err != nil {
+		return fmt.Errorf("error in serializer: %s", err)
+	}
+
+	parsed, err := ParseEncrypted(msg)
+	if err != nil {
+		return fmt.Errorf("error in parse: %s, on msg '%s'", err, msg)
+	}
+
+	// (Maybe) mangle object
+	skip := corrupter(parsed)
+	if skip {
+		return fmt.Errorf("corrupter indicated message should be skipped")
+	}
+
+	if bytes.Compare(parsed.GetAuthData(), aad) != 0 {
+		return fmt.Errorf("auth data in parsed object does not match")
+	}
+
+	output, err := parsed.Decrypt(decryptionKey)
+	if err != nil {
+		return fmt.Errorf("error on decrypt: %s", err)
+	}
+
+	if bytes.Compare(input, output) != 0 {
+		return fmt.Errorf("Decrypted output does not match input, got '%s' but wanted '%s'", output, input)
+	}
+
+	return nil
+}
+
+func TestRoundtripsJWE(t *testing.T) {
+	// Test matrix
+	keyAlgs := []KeyAlgorithm{
+		DIRECT, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128KW, A192KW, A256KW,
+		RSA1_5, RSA_OAEP, RSA_OAEP_256, A128GCMKW, A192GCMKW, A256GCMKW}
+	encAlgs := []ContentEncryption{A128GCM, A192GCM, A256GCM, A128CBC_HS256, A192CBC_HS384, A256CBC_HS512}
+	zipAlgs := []CompressionAlgorithm{NONE, DEFLATE}
+
+	serializers := []func(*JsonWebEncryption) (string, error){
+		func(obj *JsonWebEncryption) (string, error) { return obj.CompactSerialize() },
+		func(obj *JsonWebEncryption) (string, error) { return obj.FullSerialize(), nil },
+	}
+
+	corrupter := func(obj *JsonWebEncryption) bool { return false }
+
+	// Note: can't use AAD with compact serialization
+	aads := [][]byte{
+		nil,
+		[]byte("Ut enim ad minim veniam"),
+	}
+
+	// Test all different configurations
+	for _, alg := range keyAlgs {
+		for _, enc := range encAlgs {
+			for _, key := range generateTestKeys(alg, enc) {
+				for _, zip := range zipAlgs {
+					for i, serializer := range serializers {
+						err := RoundtripJWE(alg, enc, zip, serializer, corrupter, aads[i], key.enc, key.dec)
+						if err != nil {
+							t.Error(err, alg, enc, zip, i)
+						}
+					}
+				}
+			}
+		}
+	}
+}
+
+func TestRoundtripsJWECorrupted(t *testing.T) {
+	// Test matrix
+	keyAlgs := []KeyAlgorithm{DIRECT, ECDH_ES, ECDH_ES_A128KW, A128KW, RSA1_5, RSA_OAEP, RSA_OAEP_256, A128GCMKW}
+	encAlgs := []ContentEncryption{A128GCM, A192GCM, A256GCM, A128CBC_HS256, A192CBC_HS384, A256CBC_HS512}
+	zipAlgs := []CompressionAlgorithm{NONE, DEFLATE}
+
+	serializers := []func(*JsonWebEncryption) (string, error){
+		func(obj *JsonWebEncryption) (string, error) { return obj.CompactSerialize() },
+		func(obj *JsonWebEncryption) (string, error) { return obj.FullSerialize(), nil },
+	}
+
+	bitflip := func(slice []byte) bool {
+		if len(slice) > 0 {
+			slice[0] ^= 0xFF
+			return false
+		}
+		return true
+	}
+
+	corrupters := []func(*JsonWebEncryption) bool{
+		func(obj *JsonWebEncryption) bool {
+			// Set invalid ciphertext
+			return bitflip(obj.ciphertext)
+		},
+		func(obj *JsonWebEncryption) bool {
+			// Set invalid auth tag
+			return bitflip(obj.tag)
+		},
+		func(obj *JsonWebEncryption) bool {
+			// Set invalid AAD
+			return bitflip(obj.aad)
+		},
+		func(obj *JsonWebEncryption) bool {
+			// Mess with encrypted key
+			return bitflip(obj.recipients[0].encryptedKey)
+		},
+		func(obj *JsonWebEncryption) bool {
+			// Mess with GCM-KW auth tag
+			return bitflip(obj.protected.Tag.bytes())
+		},
+	}
+
+	// Note: can't use AAD with compact serialization
+	aads := [][]byte{
+		nil,
+		[]byte("Ut enim ad minim veniam"),
+	}
+
+	// Test all different configurations
+	for _, alg := range keyAlgs {
+		for _, enc := range encAlgs {
+			for _, key := range generateTestKeys(alg, enc) {
+				for _, zip := range zipAlgs {
+					for i, serializer := range serializers {
+						for j, corrupter := range corrupters {
+							err := RoundtripJWE(alg, enc, zip, serializer, corrupter, aads[i], key.enc, key.dec)
+							if err == nil {
+								t.Error("failed to detect corrupt data", err, alg, enc, zip, i, j)
+							}
+						}
+					}
+				}
+			}
+		}
+	}
+}
+
+func TestEncrypterWithJWKAndKeyID(t *testing.T) {
+	enc, err := NewEncrypter(A128KW, A128GCM, &JsonWebKey{
+		KeyID: "test-id",
+		Key:   []byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15},
+	})
+	if err != nil {
+		t.Error(err)
+	}
+
+	ciphertext, _ := enc.Encrypt([]byte("Lorem ipsum dolor sit amet"))
+
+	serialized1, _ := ciphertext.CompactSerialize()
+	serialized2 := ciphertext.FullSerialize()
+
+	parsed1, _ := ParseEncrypted(serialized1)
+	parsed2, _ := ParseEncrypted(serialized2)
+
+	if parsed1.Header.KeyID != "test-id" {
+		t.Errorf("expected message to have key id from JWK, but found '%s' instead", parsed1.Header.KeyID)
+	}
+	if parsed2.Header.KeyID != "test-id" {
+		t.Errorf("expected message to have key id from JWK, but found '%s' instead", parsed2.Header.KeyID)
+	}
+}
+
+func TestEncrypterWithBrokenRand(t *testing.T) {
+	keyAlgs := []KeyAlgorithm{ECDH_ES_A128KW, A128KW, RSA1_5, RSA_OAEP, RSA_OAEP_256, A128GCMKW}
+	encAlgs := []ContentEncryption{A128GCM, A192GCM, A256GCM, A128CBC_HS256, A192CBC_HS384, A256CBC_HS512}
+
+	serializer := func(obj *JsonWebEncryption) (string, error) { return obj.CompactSerialize() }
+	corrupter := func(obj *JsonWebEncryption) bool { return false }
+
+	// Break rand reader
+	readers := []func() io.Reader{
+		// Totally broken
+		func() io.Reader { return bytes.NewReader([]byte{}) },
+		// Not enough bytes
+		func() io.Reader { return io.LimitReader(rand.Reader, 20) },
+	}
+
+	defer resetRandReader()
+
+	for _, alg := range keyAlgs {
+		for _, enc := range encAlgs {
+			for _, key := range generateTestKeys(alg, enc) {
+				for i, getReader := range readers {
+					randReader = getReader()
+					err := RoundtripJWE(alg, enc, NONE, serializer, corrupter, nil, key.enc, key.dec)
+					if err == nil {
+						t.Error("encrypter should fail if rand is broken", i)
+					}
+				}
+			}
+		}
+	}
+}
+
+func TestNewEncrypterErrors(t *testing.T) {
+	_, err := NewEncrypter("XYZ", "XYZ", nil)
+	if err == nil {
+		t.Error("was able to instantiate encrypter with invalid cipher")
+	}
+
+	_, err = NewMultiEncrypter("XYZ")
+	if err == nil {
+		t.Error("was able to instantiate multi-encrypter with invalid cipher")
+	}
+
+	_, err = NewEncrypter(DIRECT, A128GCM, nil)
+	if err == nil {
+		t.Error("was able to instantiate encrypter with invalid direct key")
+	}
+
+	_, err = NewEncrypter(ECDH_ES, A128GCM, nil)
+	if err == nil {
+		t.Error("was able to instantiate encrypter with invalid EC key")
+	}
+}
+
+func TestMultiRecipientJWE(t *testing.T) {
+	enc, err := NewMultiEncrypter(A128GCM)
+	if err != nil {
+		panic(err)
+	}
+
+	err = enc.AddRecipient(RSA_OAEP, &rsaTestKey.PublicKey)
+	if err != nil {
+		t.Fatal("error when adding RSA recipient", err)
+	}
+
+	sharedKey := []byte{
+		0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
+		0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
+	}
+
+	err = enc.AddRecipient(A256GCMKW, sharedKey)
+	if err != nil {
+		t.Fatal("error when adding AES recipient: ", err)
+	}
+
+	input := []byte("Lorem ipsum dolor sit amet")
+	obj, err := enc.Encrypt(input)
+	if err != nil {
+		t.Fatal("error in encrypt: ", err)
+	}
+
+	msg := obj.FullSerialize()
+
+	parsed, err := ParseEncrypted(msg)
+	if err != nil {
+		t.Fatal("error in parse: ", err)
+	}
+
+	i, _, output, err := parsed.DecryptMulti(rsaTestKey)
+	if err != nil {
+		t.Fatal("error on decrypt with RSA: ", err)
+	}
+
+	if i != 0 {
+		t.Fatal("recipient index should be 0 for RSA key")
+	}
+
+	if bytes.Compare(input, output) != 0 {
+		t.Fatal("Decrypted output does not match input: ", output, input)
+	}
+
+	i, _, output, err = parsed.DecryptMulti(sharedKey)
+	if err != nil {
+		t.Fatal("error on decrypt with AES: ", err)
+	}
+
+	if i != 1 {
+		t.Fatal("recipient index should be 1 for shared key")
+	}
+
+	if bytes.Compare(input, output) != 0 {
+		t.Fatal("Decrypted output does not match input", output, input)
+	}
+}
+
+func TestMultiRecipientErrors(t *testing.T) {
+	enc, err := NewMultiEncrypter(A128GCM)
+	if err != nil {
+		panic(err)
+	}
+
+	input := []byte("Lorem ipsum dolor sit amet")
+	_, err = enc.Encrypt(input)
+	if err == nil {
+		t.Error("should fail when encrypting to zero recipients")
+	}
+
+	err = enc.AddRecipient(DIRECT, nil)
+	if err == nil {
+		t.Error("should reject DIRECT mode when encrypting to multiple recipients")
+	}
+
+	err = enc.AddRecipient(ECDH_ES, nil)
+	if err == nil {
+		t.Error("should reject ECDH_ES mode when encrypting to multiple recipients")
+	}
+
+	err = enc.AddRecipient(RSA1_5, nil)
+	if err == nil {
+		t.Error("should reject invalid recipient key")
+	}
+}
+
+type testKey struct {
+	enc, dec interface{}
+}
+
+func symmetricTestKey(size int) []testKey {
+	key, _, _ := randomKeyGenerator{size: size}.genKey()
+
+	return []testKey{
+		testKey{
+			enc: key,
+			dec: key,
+		},
+		testKey{
+			enc: &JsonWebKey{KeyID: "test", Key: key},
+			dec: &JsonWebKey{KeyID: "test", Key: key},
+		},
+	}
+}
+
+func generateTestKeys(keyAlg KeyAlgorithm, encAlg ContentEncryption) []testKey {
+	switch keyAlg {
+	case DIRECT:
+		return symmetricTestKey(getContentCipher(encAlg).keySize())
+	case ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW:
+		return []testKey{
+			testKey{
+				dec: ecTestKey256,
+				enc: &ecTestKey256.PublicKey,
+			},
+			testKey{
+				dec: ecTestKey384,
+				enc: &ecTestKey384.PublicKey,
+			},
+			testKey{
+				dec: ecTestKey521,
+				enc: &ecTestKey521.PublicKey,
+			},
+			testKey{
+				dec: &JsonWebKey{KeyID: "test", Key: ecTestKey256},
+				enc: &JsonWebKey{KeyID: "test", Key: &ecTestKey256.PublicKey},
+			},
+		}
+	case A128GCMKW, A128KW:
+		return symmetricTestKey(16)
+	case A192GCMKW, A192KW:
+		return symmetricTestKey(24)
+	case A256GCMKW, A256KW:
+		return symmetricTestKey(32)
+	case RSA1_5, RSA_OAEP, RSA_OAEP_256:
+		return []testKey{testKey{
+			dec: rsaTestKey,
+			enc: &rsaTestKey.PublicKey,
+		}}
+	}
+
+	panic("Must update test case")
+}
+
+func RunRoundtripsJWE(b *testing.B, alg KeyAlgorithm, enc ContentEncryption, zip CompressionAlgorithm, priv, pub interface{}) {
+	serializer := func(obj *JsonWebEncryption) (string, error) {
+		return obj.CompactSerialize()
+	}
+
+	corrupter := func(obj *JsonWebEncryption) bool { return false }
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		err := RoundtripJWE(alg, enc, zip, serializer, corrupter, nil, pub, priv)
+		if err != nil {
+			b.Error(err)
+		}
+	}
+}
+
+var (
+	chunks = map[string][]byte{
+		"1B":   make([]byte, 1),
+		"64B":  make([]byte, 64),
+		"1KB":  make([]byte, 1024),
+		"64KB": make([]byte, 65536),
+		"1MB":  make([]byte, 1048576),
+		"64MB": make([]byte, 67108864),
+	}
+
+	symKey, _, _ = randomKeyGenerator{size: 32}.genKey()
+
+	encrypters = map[string]Encrypter{
+		"OAEPAndGCM":          mustEncrypter(RSA_OAEP, A128GCM, &rsaTestKey.PublicKey),
+		"PKCSAndGCM":          mustEncrypter(RSA1_5, A128GCM, &rsaTestKey.PublicKey),
+		"OAEPAndCBC":          mustEncrypter(RSA_OAEP, A128CBC_HS256, &rsaTestKey.PublicKey),
+		"PKCSAndCBC":          mustEncrypter(RSA1_5, A128CBC_HS256, &rsaTestKey.PublicKey),
+		"DirectGCM128":        mustEncrypter(DIRECT, A128GCM, symKey),
+		"DirectCBC128":        mustEncrypter(DIRECT, A128CBC_HS256, symKey),
+		"DirectGCM256":        mustEncrypter(DIRECT, A256GCM, symKey),
+		"DirectCBC256":        mustEncrypter(DIRECT, A256CBC_HS512, symKey),
+		"AESKWAndGCM128":      mustEncrypter(A128KW, A128GCM, symKey),
+		"AESKWAndCBC256":      mustEncrypter(A256KW, A256GCM, symKey),
+		"ECDHOnP256AndGCM128": mustEncrypter(ECDH_ES, A128GCM, &ecTestKey256.PublicKey),
+		"ECDHOnP384AndGCM128": mustEncrypter(ECDH_ES, A128GCM, &ecTestKey384.PublicKey),
+		"ECDHOnP521AndGCM128": mustEncrypter(ECDH_ES, A128GCM, &ecTestKey521.PublicKey),
+	}
+)
+
+func BenchmarkEncrypt1BWithOAEPAndGCM(b *testing.B)   { benchEncrypt("1B", "OAEPAndGCM", b) }
+func BenchmarkEncrypt64BWithOAEPAndGCM(b *testing.B)  { benchEncrypt("64B", "OAEPAndGCM", b) }
+func BenchmarkEncrypt1KBWithOAEPAndGCM(b *testing.B)  { benchEncrypt("1KB", "OAEPAndGCM", b) }
+func BenchmarkEncrypt64KBWithOAEPAndGCM(b *testing.B) { benchEncrypt("64KB", "OAEPAndGCM", b) }
+func BenchmarkEncrypt1MBWithOAEPAndGCM(b *testing.B)  { benchEncrypt("1MB", "OAEPAndGCM", b) }
+func BenchmarkEncrypt64MBWithOAEPAndGCM(b *testing.B) { benchEncrypt("64MB", "OAEPAndGCM", b) }
+
+func BenchmarkEncrypt1BWithPKCSAndGCM(b *testing.B)   { benchEncrypt("1B", "PKCSAndGCM", b) }
+func BenchmarkEncrypt64BWithPKCSAndGCM(b *testing.B)  { benchEncrypt("64B", "PKCSAndGCM", b) }
+func BenchmarkEncrypt1KBWithPKCSAndGCM(b *testing.B)  { benchEncrypt("1KB", "PKCSAndGCM", b) }
+func BenchmarkEncrypt64KBWithPKCSAndGCM(b *testing.B) { benchEncrypt("64KB", "PKCSAndGCM", b) }
+func BenchmarkEncrypt1MBWithPKCSAndGCM(b *testing.B)  { benchEncrypt("1MB", "PKCSAndGCM", b) }
+func BenchmarkEncrypt64MBWithPKCSAndGCM(b *testing.B) { benchEncrypt("64MB", "PKCSAndGCM", b) }
+
+func BenchmarkEncrypt1BWithOAEPAndCBC(b *testing.B)   { benchEncrypt("1B", "OAEPAndCBC", b) }
+func BenchmarkEncrypt64BWithOAEPAndCBC(b *testing.B)  { benchEncrypt("64B", "OAEPAndCBC", b) }
+func BenchmarkEncrypt1KBWithOAEPAndCBC(b *testing.B)  { benchEncrypt("1KB", "OAEPAndCBC", b) }
+func BenchmarkEncrypt64KBWithOAEPAndCBC(b *testing.B) { benchEncrypt("64KB", "OAEPAndCBC", b) }
+func BenchmarkEncrypt1MBWithOAEPAndCBC(b *testing.B)  { benchEncrypt("1MB", "OAEPAndCBC", b) }
+func BenchmarkEncrypt64MBWithOAEPAndCBC(b *testing.B) { benchEncrypt("64MB", "OAEPAndCBC", b) }
+
+func BenchmarkEncrypt1BWithPKCSAndCBC(b *testing.B)   { benchEncrypt("1B", "PKCSAndCBC", b) }
+func BenchmarkEncrypt64BWithPKCSAndCBC(b *testing.B)  { benchEncrypt("64B", "PKCSAndCBC", b) }
+func BenchmarkEncrypt1KBWithPKCSAndCBC(b *testing.B)  { benchEncrypt("1KB", "PKCSAndCBC", b) }
+func BenchmarkEncrypt64KBWithPKCSAndCBC(b *testing.B) { benchEncrypt("64KB", "PKCSAndCBC", b) }
+func BenchmarkEncrypt1MBWithPKCSAndCBC(b *testing.B)  { benchEncrypt("1MB", "PKCSAndCBC", b) }
+func BenchmarkEncrypt64MBWithPKCSAndCBC(b *testing.B) { benchEncrypt("64MB", "PKCSAndCBC", b) }
+
+func BenchmarkEncrypt1BWithDirectGCM128(b *testing.B)   { benchEncrypt("1B", "DirectGCM128", b) }
+func BenchmarkEncrypt64BWithDirectGCM128(b *testing.B)  { benchEncrypt("64B", "DirectGCM128", b) }
+func BenchmarkEncrypt1KBWithDirectGCM128(b *testing.B)  { benchEncrypt("1KB", "DirectGCM128", b) }
+func BenchmarkEncrypt64KBWithDirectGCM128(b *testing.B) { benchEncrypt("64KB", "DirectGCM128", b) }
+func BenchmarkEncrypt1MBWithDirectGCM128(b *testing.B)  { benchEncrypt("1MB", "DirectGCM128", b) }
+func BenchmarkEncrypt64MBWithDirectGCM128(b *testing.B) { benchEncrypt("64MB", "DirectGCM128", b) }
+
+func BenchmarkEncrypt1BWithDirectCBC128(b *testing.B)   { benchEncrypt("1B", "DirectCBC128", b) }
+func BenchmarkEncrypt64BWithDirectCBC128(b *testing.B)  { benchEncrypt("64B", "DirectCBC128", b) }
+func BenchmarkEncrypt1KBWithDirectCBC128(b *testing.B)  { benchEncrypt("1KB", "DirectCBC128", b) }
+func BenchmarkEncrypt64KBWithDirectCBC128(b *testing.B) { benchEncrypt("64KB", "DirectCBC128", b) }
+func BenchmarkEncrypt1MBWithDirectCBC128(b *testing.B)  { benchEncrypt("1MB", "DirectCBC128", b) }
+func BenchmarkEncrypt64MBWithDirectCBC128(b *testing.B) { benchEncrypt("64MB", "DirectCBC128", b) }
+
+func BenchmarkEncrypt1BWithDirectGCM256(b *testing.B)   { benchEncrypt("1B", "DirectGCM256", b) }
+func BenchmarkEncrypt64BWithDirectGCM256(b *testing.B)  { benchEncrypt("64B", "DirectGCM256", b) }
+func BenchmarkEncrypt1KBWithDirectGCM256(b *testing.B)  { benchEncrypt("1KB", "DirectGCM256", b) }
+func BenchmarkEncrypt64KBWithDirectGCM256(b *testing.B) { benchEncrypt("64KB", "DirectGCM256", b) }
+func BenchmarkEncrypt1MBWithDirectGCM256(b *testing.B)  { benchEncrypt("1MB", "DirectGCM256", b) }
+func BenchmarkEncrypt64MBWithDirectGCM256(b *testing.B) { benchEncrypt("64MB", "DirectGCM256", b) }
+
+func BenchmarkEncrypt1BWithDirectCBC256(b *testing.B)   { benchEncrypt("1B", "DirectCBC256", b) }
+func BenchmarkEncrypt64BWithDirectCBC256(b *testing.B)  { benchEncrypt("64B", "DirectCBC256", b) }
+func BenchmarkEncrypt1KBWithDirectCBC256(b *testing.B)  { benchEncrypt("1KB", "DirectCBC256", b) }
+func BenchmarkEncrypt64KBWithDirectCBC256(b *testing.B) { benchEncrypt("64KB", "DirectCBC256", b) }
+func BenchmarkEncrypt1MBWithDirectCBC256(b *testing.B)  { benchEncrypt("1MB", "DirectCBC256", b) }
+func BenchmarkEncrypt64MBWithDirectCBC256(b *testing.B) { benchEncrypt("64MB", "DirectCBC256", b) }
+
+func BenchmarkEncrypt1BWithAESKWAndGCM128(b *testing.B)   { benchEncrypt("1B", "AESKWAndGCM128", b) }
+func BenchmarkEncrypt64BWithAESKWAndGCM128(b *testing.B)  { benchEncrypt("64B", "AESKWAndGCM128", b) }
+func BenchmarkEncrypt1KBWithAESKWAndGCM128(b *testing.B)  { benchEncrypt("1KB", "AESKWAndGCM128", b) }
+func BenchmarkEncrypt64KBWithAESKWAndGCM128(b *testing.B) { benchEncrypt("64KB", "AESKWAndGCM128", b) }
+func BenchmarkEncrypt1MBWithAESKWAndGCM128(b *testing.B)  { benchEncrypt("1MB", "AESKWAndGCM128", b) }
+func BenchmarkEncrypt64MBWithAESKWAndGCM128(b *testing.B) { benchEncrypt("64MB", "AESKWAndGCM128", b) }
+
+func BenchmarkEncrypt1BWithAESKWAndCBC256(b *testing.B)   { benchEncrypt("1B", "AESKWAndCBC256", b) }
+func BenchmarkEncrypt64BWithAESKWAndCBC256(b *testing.B)  { benchEncrypt("64B", "AESKWAndCBC256", b) }
+func BenchmarkEncrypt1KBWithAESKWAndCBC256(b *testing.B)  { benchEncrypt("1KB", "AESKWAndCBC256", b) }
+func BenchmarkEncrypt64KBWithAESKWAndCBC256(b *testing.B) { benchEncrypt("64KB", "AESKWAndCBC256", b) }
+func BenchmarkEncrypt1MBWithAESKWAndCBC256(b *testing.B)  { benchEncrypt("1MB", "AESKWAndCBC256", b) }
+func BenchmarkEncrypt64MBWithAESKWAndCBC256(b *testing.B) { benchEncrypt("64MB", "AESKWAndCBC256", b) }
+
+func BenchmarkEncrypt1BWithECDHOnP256AndGCM128(b *testing.B) {
+	benchEncrypt("1B", "ECDHOnP256AndGCM128", b)
+}
+func BenchmarkEncrypt64BWithECDHOnP256AndGCM128(b *testing.B) {
+	benchEncrypt("64B", "ECDHOnP256AndGCM128", b)
+}
+func BenchmarkEncrypt1KBWithECDHOnP256AndGCM128(b *testing.B) {
+	benchEncrypt("1KB", "ECDHOnP256AndGCM128", b)
+}
+func BenchmarkEncrypt64KBWithECDHOnP256AndGCM128(b *testing.B) {
+	benchEncrypt("64KB", "ECDHOnP256AndGCM128", b)
+}
+func BenchmarkEncrypt1MBWithECDHOnP256AndGCM128(b *testing.B) {
+	benchEncrypt("1MB", "ECDHOnP256AndGCM128", b)
+}
+func BenchmarkEncrypt64MBWithECDHOnP256AndGCM128(b *testing.B) {
+	benchEncrypt("64MB", "ECDHOnP256AndGCM128", b)
+}
+
+func BenchmarkEncrypt1BWithECDHOnP384AndGCM128(b *testing.B) {
+	benchEncrypt("1B", "ECDHOnP384AndGCM128", b)
+}
+func BenchmarkEncrypt64BWithECDHOnP384AndGCM128(b *testing.B) {
+	benchEncrypt("64B", "ECDHOnP384AndGCM128", b)
+}
+func BenchmarkEncrypt1KBWithECDHOnP384AndGCM128(b *testing.B) {
+	benchEncrypt("1KB", "ECDHOnP384AndGCM128", b)
+}
+func BenchmarkEncrypt64KBWithECDHOnP384AndGCM128(b *testing.B) {
+	benchEncrypt("64KB", "ECDHOnP384AndGCM128", b)
+}
+func BenchmarkEncrypt1MBWithECDHOnP384AndGCM128(b *testing.B) {
+	benchEncrypt("1MB", "ECDHOnP384AndGCM128", b)
+}
+func BenchmarkEncrypt64MBWithECDHOnP384AndGCM128(b *testing.B) {
+	benchEncrypt("64MB", "ECDHOnP384AndGCM128", b)
+}
+
+func BenchmarkEncrypt1BWithECDHOnP521AndGCM128(b *testing.B) {
+	benchEncrypt("1B", "ECDHOnP521AndGCM128", b)
+}
+func BenchmarkEncrypt64BWithECDHOnP521AndGCM128(b *testing.B) {
+	benchEncrypt("64B", "ECDHOnP521AndGCM128", b)
+}
+func BenchmarkEncrypt1KBWithECDHOnP521AndGCM128(b *testing.B) {
+	benchEncrypt("1KB", "ECDHOnP521AndGCM128", b)
+}
+func BenchmarkEncrypt64KBWithECDHOnP521AndGCM128(b *testing.B) {
+	benchEncrypt("64KB", "ECDHOnP521AndGCM128", b)
+}
+func BenchmarkEncrypt1MBWithECDHOnP521AndGCM128(b *testing.B) {
+	benchEncrypt("1MB", "ECDHOnP521AndGCM128", b)
+}
+func BenchmarkEncrypt64MBWithECDHOnP521AndGCM128(b *testing.B) {
+	benchEncrypt("64MB", "ECDHOnP521AndGCM128", b)
+}
+
+func benchEncrypt(chunkKey, primKey string, b *testing.B) {
+	data, ok := chunks[chunkKey]
+	if !ok {
+		b.Fatalf("unknown chunk size %s", chunkKey)
+	}
+
+	enc, ok := encrypters[primKey]
+	if !ok {
+		b.Fatalf("unknown encrypter %s", primKey)
+	}
+
+	b.SetBytes(int64(len(data)))
+	for i := 0; i < b.N; i++ {
+		enc.Encrypt(data)
+	}
+}
+
+var (
+	decryptionKeys = map[string]interface{}{
+		"OAEPAndGCM": rsaTestKey,
+		"PKCSAndGCM": rsaTestKey,
+		"OAEPAndCBC": rsaTestKey,
+		"PKCSAndCBC": rsaTestKey,
+
+		"DirectGCM128": symKey,
+		"DirectCBC128": symKey,
+		"DirectGCM256": symKey,
+		"DirectCBC256": symKey,
+
+		"AESKWAndGCM128": symKey,
+		"AESKWAndCBC256": symKey,
+
+		"ECDHOnP256AndGCM128": ecTestKey256,
+		"ECDHOnP384AndGCM128": ecTestKey384,
+		"ECDHOnP521AndGCM128": ecTestKey521,
+	}
+)
+
+func BenchmarkDecrypt1BWithOAEPAndGCM(b *testing.B)   { benchDecrypt("1B", "OAEPAndGCM", b) }
+func BenchmarkDecrypt64BWithOAEPAndGCM(b *testing.B)  { benchDecrypt("64B", "OAEPAndGCM", b) }
+func BenchmarkDecrypt1KBWithOAEPAndGCM(b *testing.B)  { benchDecrypt("1KB", "OAEPAndGCM", b) }
+func BenchmarkDecrypt64KBWithOAEPAndGCM(b *testing.B) { benchDecrypt("64KB", "OAEPAndGCM", b) }
+func BenchmarkDecrypt1MBWithOAEPAndGCM(b *testing.B)  { benchDecrypt("1MB", "OAEPAndGCM", b) }
+func BenchmarkDecrypt64MBWithOAEPAndGCM(b *testing.B) { benchDecrypt("64MB", "OAEPAndGCM", b) }
+
+func BenchmarkDecrypt1BWithPKCSAndGCM(b *testing.B)   { benchDecrypt("1B", "PKCSAndGCM", b) }
+func BenchmarkDecrypt64BWithPKCSAndGCM(b *testing.B)  { benchDecrypt("64B", "PKCSAndGCM", b) }
+func BenchmarkDecrypt1KBWithPKCSAndGCM(b *testing.B)  { benchDecrypt("1KB", "PKCSAndGCM", b) }
+func BenchmarkDecrypt64KBWithPKCSAndGCM(b *testing.B) { benchDecrypt("64KB", "PKCSAndGCM", b) }
+func BenchmarkDecrypt1MBWithPKCSAndGCM(b *testing.B)  { benchDecrypt("1MB", "PKCSAndGCM", b) }
+func BenchmarkDecrypt64MBWithPKCSAndGCM(b *testing.B) { benchDecrypt("64MB", "PKCSAndGCM", b) }
+
+func BenchmarkDecrypt1BWithOAEPAndCBC(b *testing.B)   { benchDecrypt("1B", "OAEPAndCBC", b) }
+func BenchmarkDecrypt64BWithOAEPAndCBC(b *testing.B)  { benchDecrypt("64B", "OAEPAndCBC", b) }
+func BenchmarkDecrypt1KBWithOAEPAndCBC(b *testing.B)  { benchDecrypt("1KB", "OAEPAndCBC", b) }
+func BenchmarkDecrypt64KBWithOAEPAndCBC(b *testing.B) { benchDecrypt("64KB", "OAEPAndCBC", b) }
+func BenchmarkDecrypt1MBWithOAEPAndCBC(b *testing.B)  { benchDecrypt("1MB", "OAEPAndCBC", b) }
+func BenchmarkDecrypt64MBWithOAEPAndCBC(b *testing.B) { benchDecrypt("64MB", "OAEPAndCBC", b) }
+
+func BenchmarkDecrypt1BWithPKCSAndCBC(b *testing.B)   { benchDecrypt("1B", "PKCSAndCBC", b) }
+func BenchmarkDecrypt64BWithPKCSAndCBC(b *testing.B)  { benchDecrypt("64B", "PKCSAndCBC", b) }
+func BenchmarkDecrypt1KBWithPKCSAndCBC(b *testing.B)  { benchDecrypt("1KB", "PKCSAndCBC", b) }
+func BenchmarkDecrypt64KBWithPKCSAndCBC(b *testing.B) { benchDecrypt("64KB", "PKCSAndCBC", b) }
+func BenchmarkDecrypt1MBWithPKCSAndCBC(b *testing.B)  { benchDecrypt("1MB", "PKCSAndCBC", b) }
+func BenchmarkDecrypt64MBWithPKCSAndCBC(b *testing.B) { benchDecrypt("64MB", "PKCSAndCBC", b) }
+
+func BenchmarkDecrypt1BWithDirectGCM128(b *testing.B)   { benchDecrypt("1B", "DirectGCM128", b) }
+func BenchmarkDecrypt64BWithDirectGCM128(b *testing.B)  { benchDecrypt("64B", "DirectGCM128", b) }
+func BenchmarkDecrypt1KBWithDirectGCM128(b *testing.B)  { benchDecrypt("1KB", "DirectGCM128", b) }
+func BenchmarkDecrypt64KBWithDirectGCM128(b *testing.B) { benchDecrypt("64KB", "DirectGCM128", b) }
+func BenchmarkDecrypt1MBWithDirectGCM128(b *testing.B)  { benchDecrypt("1MB", "DirectGCM128", b) }
+func BenchmarkDecrypt64MBWithDirectGCM128(b *testing.B) { benchDecrypt("64MB", "DirectGCM128", b) }
+
+func BenchmarkDecrypt1BWithDirectCBC128(b *testing.B)   { benchDecrypt("1B", "DirectCBC128", b) }
+func BenchmarkDecrypt64BWithDirectCBC128(b *testing.B)  { benchDecrypt("64B", "DirectCBC128", b) }
+func BenchmarkDecrypt1KBWithDirectCBC128(b *testing.B)  { benchDecrypt("1KB", "DirectCBC128", b) }
+func BenchmarkDecrypt64KBWithDirectCBC128(b *testing.B) { benchDecrypt("64KB", "DirectCBC128", b) }
+func BenchmarkDecrypt1MBWithDirectCBC128(b *testing.B)  { benchDecrypt("1MB", "DirectCBC128", b) }
+func BenchmarkDecrypt64MBWithDirectCBC128(b *testing.B) { benchDecrypt("64MB", "DirectCBC128", b) }
+
+func BenchmarkDecrypt1BWithDirectGCM256(b *testing.B)   { benchDecrypt("1B", "DirectGCM256", b) }
+func BenchmarkDecrypt64BWithDirectGCM256(b *testing.B)  { benchDecrypt("64B", "DirectGCM256", b) }
+func BenchmarkDecrypt1KBWithDirectGCM256(b *testing.B)  { benchDecrypt("1KB", "DirectGCM256", b) }
+func BenchmarkDecrypt64KBWithDirectGCM256(b *testing.B) { benchDecrypt("64KB", "DirectGCM256", b) }
+func BenchmarkDecrypt1MBWithDirectGCM256(b *testing.B)  { benchDecrypt("1MB", "DirectGCM256", b) }
+func BenchmarkDecrypt64MBWithDirectGCM256(b *testing.B) { benchDecrypt("64MB", "DirectGCM256", b) }
+
+func BenchmarkDecrypt1BWithDirectCBC256(b *testing.B)   { benchDecrypt("1B", "DirectCBC256", b) }
+func BenchmarkDecrypt64BWithDirectCBC256(b *testing.B)  { benchDecrypt("64B", "DirectCBC256", b) }
+func BenchmarkDecrypt1KBWithDirectCBC256(b *testing.B)  { benchDecrypt("1KB", "DirectCBC256", b) }
+func BenchmarkDecrypt64KBWithDirectCBC256(b *testing.B) { benchDecrypt("64KB", "DirectCBC256", b) }
+func BenchmarkDecrypt1MBWithDirectCBC256(b *testing.B)  { benchDecrypt("1MB", "DirectCBC256", b) }
+func BenchmarkDecrypt64MBWithDirectCBC256(b *testing.B) { benchDecrypt("64MB", "DirectCBC256", b) }
+
+func BenchmarkDecrypt1BWithAESKWAndGCM128(b *testing.B)   { benchDecrypt("1B", "AESKWAndGCM128", b) }
+func BenchmarkDecrypt64BWithAESKWAndGCM128(b *testing.B)  { benchDecrypt("64B", "AESKWAndGCM128", b) }
+func BenchmarkDecrypt1KBWithAESKWAndGCM128(b *testing.B)  { benchDecrypt("1KB", "AESKWAndGCM128", b) }
+func BenchmarkDecrypt64KBWithAESKWAndGCM128(b *testing.B) { benchDecrypt("64KB", "AESKWAndGCM128", b) }
+func BenchmarkDecrypt1MBWithAESKWAndGCM128(b *testing.B)  { benchDecrypt("1MB", "AESKWAndGCM128", b) }
+func BenchmarkDecrypt64MBWithAESKWAndGCM128(b *testing.B) { benchDecrypt("64MB", "AESKWAndGCM128", b) }
+
+func BenchmarkDecrypt1BWithAESKWAndCBC256(b *testing.B)   { benchDecrypt("1B", "AESKWAndCBC256", b) }
+func BenchmarkDecrypt64BWithAESKWAndCBC256(b *testing.B)  { benchDecrypt("64B", "AESKWAndCBC256", b) }
+func BenchmarkDecrypt1KBWithAESKWAndCBC256(b *testing.B)  { benchDecrypt("1KB", "AESKWAndCBC256", b) }
+func BenchmarkDecrypt64KBWithAESKWAndCBC256(b *testing.B) { benchDecrypt("64KB", "AESKWAndCBC256", b) }
+func BenchmarkDecrypt1MBWithAESKWAndCBC256(b *testing.B)  { benchDecrypt("1MB", "AESKWAndCBC256", b) }
+func BenchmarkDecrypt64MBWithAESKWAndCBC256(b *testing.B) { benchDecrypt("64MB", "AESKWAndCBC256", b) }
+
+func BenchmarkDecrypt1BWithECDHOnP256AndGCM128(b *testing.B) {
+	benchDecrypt("1B", "ECDHOnP256AndGCM128", b)
+}
+func BenchmarkDecrypt64BWithECDHOnP256AndGCM128(b *testing.B) {
+	benchDecrypt("64B", "ECDHOnP256AndGCM128", b)
+}
+func BenchmarkDecrypt1KBWithECDHOnP256AndGCM128(b *testing.B) {
+	benchDecrypt("1KB", "ECDHOnP256AndGCM128", b)
+}
+func BenchmarkDecrypt64KBWithECDHOnP256AndGCM128(b *testing.B) {
+	benchDecrypt("64KB", "ECDHOnP256AndGCM128", b)
+}
+func BenchmarkDecrypt1MBWithECDHOnP256AndGCM128(b *testing.B) {
+	benchDecrypt("1MB", "ECDHOnP256AndGCM128", b)
+}
+func BenchmarkDecrypt64MBWithECDHOnP256AndGCM128(b *testing.B) {
+	benchDecrypt("64MB", "ECDHOnP256AndGCM128", b)
+}
+
+func BenchmarkDecrypt1BWithECDHOnP384AndGCM128(b *testing.B) {
+	benchDecrypt("1B", "ECDHOnP384AndGCM128", b)
+}
+func BenchmarkDecrypt64BWithECDHOnP384AndGCM128(b *testing.B) {
+	benchDecrypt("64B", "ECDHOnP384AndGCM128", b)
+}
+func BenchmarkDecrypt1KBWithECDHOnP384AndGCM128(b *testing.B) {
+	benchDecrypt("1KB", "ECDHOnP384AndGCM128", b)
+}
+func BenchmarkDecrypt64KBWithECDHOnP384AndGCM128(b *testing.B) {
+	benchDecrypt("64KB", "ECDHOnP384AndGCM128", b)
+}
+func BenchmarkDecrypt1MBWithECDHOnP384AndGCM128(b *testing.B) {
+	benchDecrypt("1MB", "ECDHOnP384AndGCM128", b)
+}
+func BenchmarkDecrypt64MBWithECDHOnP384AndGCM128(b *testing.B) {
+	benchDecrypt("64MB", "ECDHOnP384AndGCM128", b)
+}
+
+func BenchmarkDecrypt1BWithECDHOnP521AndGCM128(b *testing.B) {
+	benchDecrypt("1B", "ECDHOnP521AndGCM128", b)
+}
+func BenchmarkDecrypt64BWithECDHOnP521AndGCM128(b *testing.B) {
+	benchDecrypt("64B", "ECDHOnP521AndGCM128", b)
+}
+func BenchmarkDecrypt1KBWithECDHOnP521AndGCM128(b *testing.B) {
+	benchDecrypt("1KB", "ECDHOnP521AndGCM128", b)
+}
+func BenchmarkDecrypt64KBWithECDHOnP521AndGCM128(b *testing.B) {
+	benchDecrypt("64KB", "ECDHOnP521AndGCM128", b)
+}
+func BenchmarkDecrypt1MBWithECDHOnP521AndGCM128(b *testing.B) {
+	benchDecrypt("1MB", "ECDHOnP521AndGCM128", b)
+}
+func BenchmarkDecrypt64MBWithECDHOnP521AndGCM128(b *testing.B) {
+	benchDecrypt("64MB", "ECDHOnP521AndGCM128", b)
+}
+
+func benchDecrypt(chunkKey, primKey string, b *testing.B) {
+	chunk, ok := chunks[chunkKey]
+	if !ok {
+		b.Fatalf("unknown chunk size %s", chunkKey)
+	}
+
+	enc, ok := encrypters[primKey]
+	if !ok {
+		b.Fatalf("unknown encrypter %s", primKey)
+	}
+
+	dec, ok := decryptionKeys[primKey]
+	if !ok {
+		b.Fatalf("unknown decryption key %s", primKey)
+	}
+
+	data, err := enc.Encrypt(chunk)
+	if err != nil {
+		b.Fatal(err)
+	}
+
+	b.SetBytes(int64(len(chunk)))
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		data.Decrypt(dec)
+	}
+}
+
+func mustEncrypter(keyAlg KeyAlgorithm, encAlg ContentEncryption, encryptionKey interface{}) Encrypter {
+	enc, err := NewEncrypter(keyAlg, encAlg, encryptionKey)
+	if err != nil {
+		panic(err)
+	}
+	return enc
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/doc.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/doc.go
new file mode 100644
index 000000000..b4cd1e989
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/doc.go
@@ -0,0 +1,26 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+
+Package jose aims to provide an implementation of the Javascript Object Signing
+and Encryption set of standards. For the moment, it mainly focuses on
+encryption and signing based on the JSON Web Encryption and JSON Web Signature
+standards.  The library supports both the compact and full serialization
+formats, and has optional support for multiple recipients.
+
+*/
+package jose // import "gopkg.in/square/go-jose.v1"
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/doc_test.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/doc_test.go
new file mode 100644
index 000000000..50468295d
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/doc_test.go
@@ -0,0 +1,226 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jose
+
+import (
+	"crypto/ecdsa"
+	"crypto/rand"
+	"crypto/rsa"
+	"fmt"
+)
+
+// Dummy encrypter for use in examples
+var encrypter, _ = NewEncrypter(DIRECT, A128GCM, []byte{})
+
+func Example_jWE() {
+	// Generate a public/private key pair to use for this example. The library
+	// also provides two utility functions (LoadPublicKey and LoadPrivateKey)
+	// that can be used to load keys from PEM/DER-encoded data.
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		panic(err)
+	}
+
+	// Instantiate an encrypter using RSA-OAEP with AES128-GCM. An error would
+	// indicate that the selected algorithm(s) are not currently supported.
+	publicKey := &privateKey.PublicKey
+	encrypter, err := NewEncrypter(RSA_OAEP, A128GCM, publicKey)
+	if err != nil {
+		panic(err)
+	}
+
+	// Encrypt a sample plaintext. Calling the encrypter returns an encrypted
+	// JWE object, which can then be serialized for output afterwards. An error
+	// would indicate a problem in an underlying cryptographic primitive.
+	var plaintext = []byte("Lorem ipsum dolor sit amet")
+	object, err := encrypter.Encrypt(plaintext)
+	if err != nil {
+		panic(err)
+	}
+
+	// Serialize the encrypted object using the full serialization format.
+	// Alternatively you can also use the compact format here by calling
+	// object.CompactSerialize() instead.
+	serialized := object.FullSerialize()
+
+	// Parse the serialized, encrypted JWE object. An error would indicate that
+	// the given input did not represent a valid message.
+	object, err = ParseEncrypted(serialized)
+	if err != nil {
+		panic(err)
+	}
+
+	// Now we can decrypt and get back our original plaintext. An error here
+	// would indicate the the message failed to decrypt, e.g. because the auth
+	// tag was broken or the message was tampered with.
+	decrypted, err := object.Decrypt(privateKey)
+	if err != nil {
+		panic(err)
+	}
+
+	fmt.Printf(string(decrypted))
+	// output: Lorem ipsum dolor sit amet
+}
+
+func Example_jWS() {
+	// Generate a public/private key pair to use for this example. The library
+	// also provides two utility functions (LoadPublicKey and LoadPrivateKey)
+	// that can be used to load keys from PEM/DER-encoded data.
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		panic(err)
+	}
+
+	// Instantiate a signer using RSASSA-PSS (SHA512) with the given private key.
+	signer, err := NewSigner(PS512, privateKey)
+	if err != nil {
+		panic(err)
+	}
+
+	// Sign a sample payload. Calling the signer returns a protected JWS object,
+	// which can then be serialized for output afterwards. An error would
+	// indicate a problem in an underlying cryptographic primitive.
+	var payload = []byte("Lorem ipsum dolor sit amet")
+	object, err := signer.Sign(payload)
+	if err != nil {
+		panic(err)
+	}
+
+	// Serialize the encrypted object using the full serialization format.
+	// Alternatively you can also use the compact format here by calling
+	// object.CompactSerialize() instead.
+	serialized := object.FullSerialize()
+
+	// Parse the serialized, protected JWS object. An error would indicate that
+	// the given input did not represent a valid message.
+	object, err = ParseSigned(serialized)
+	if err != nil {
+		panic(err)
+	}
+
+	// Now we can verify the signature on the payload. An error here would
+	// indicate the the message failed to verify, e.g. because the signature was
+	// broken or the message was tampered with.
+	output, err := object.Verify(&privateKey.PublicKey)
+	if err != nil {
+		panic(err)
+	}
+
+	fmt.Printf(string(output))
+	// output: Lorem ipsum dolor sit amet
+}
+
+func ExampleNewEncrypter_publicKey() {
+	var publicKey *rsa.PublicKey
+
+	// Instantiate an encrypter using RSA-OAEP with AES128-GCM.
+	NewEncrypter(RSA_OAEP, A128GCM, publicKey)
+
+	// Instantiate an encrypter using RSA-PKCS1v1.5 with AES128-CBC+HMAC.
+	NewEncrypter(RSA1_5, A128CBC_HS256, publicKey)
+}
+
+func ExampleNewEncrypter_symmetric() {
+	var sharedKey []byte
+
+	// Instantiate an encrypter using AES128-GCM with AES-GCM key wrap.
+	NewEncrypter(A128GCMKW, A128GCM, sharedKey)
+
+	// Instantiate an encrypter using AES256-GCM directly, w/o key wrapping.
+	NewEncrypter(DIRECT, A256GCM, sharedKey)
+}
+
+func ExampleNewSigner_publicKey() {
+	var rsaPrivateKey *rsa.PrivateKey
+	var ecdsaPrivateKey *ecdsa.PrivateKey
+
+	// Instantiate a signer using RSA-PKCS#1v1.5 with SHA-256.
+	NewSigner(RS256, rsaPrivateKey)
+
+	// Instantiate a signer using ECDSA with SHA-384.
+	NewSigner(ES384, ecdsaPrivateKey)
+}
+
+func ExampleNewSigner_symmetric() {
+	var sharedKey []byte
+
+	// Instantiate an signer using HMAC-SHA256.
+	NewSigner(HS256, sharedKey)
+
+	// Instantiate an signer using HMAC-SHA512.
+	NewSigner(HS512, sharedKey)
+}
+
+func ExampleNewMultiEncrypter() {
+	var publicKey *rsa.PublicKey
+	var sharedKey []byte
+
+	// Instantiate an encrypter using AES-GCM.
+	encrypter, err := NewMultiEncrypter(A128GCM)
+	if err != nil {
+		panic(err)
+	}
+
+	// Add a recipient using a shared key with AES-GCM key wap
+	err = encrypter.AddRecipient(A128GCMKW, sharedKey)
+	if err != nil {
+		panic(err)
+	}
+
+	// Add a recipient using an RSA public key with RSA-OAEP
+	err = encrypter.AddRecipient(RSA_OAEP, publicKey)
+	if err != nil {
+		panic(err)
+	}
+}
+
+func ExampleNewMultiSigner() {
+	var privateKey *rsa.PrivateKey
+	var sharedKey []byte
+
+	// Instantiate a signer for multiple recipients.
+	signer := NewMultiSigner()
+
+	// Add a recipient using a shared key with HMAC-SHA256
+	err := signer.AddRecipient(HS256, sharedKey)
+	if err != nil {
+		panic(err)
+	}
+
+	// Add a recipient using an RSA private key with RSASSA-PSS with SHA384
+	err = signer.AddRecipient(PS384, privateKey)
+	if err != nil {
+		panic(err)
+	}
+}
+
+func ExampleEncrypter_encrypt() {
+	// Encrypt a plaintext in order to get an encrypted JWE object.
+	var plaintext = []byte("This is a secret message")
+
+	encrypter.Encrypt(plaintext)
+}
+
+func ExampleEncrypter_encryptWithAuthData() {
+	// Encrypt a plaintext in order to get an encrypted JWE object. Also attach
+	// some additional authenticated data (AAD) to the object. Note that objects
+	// with attached AAD can only be represented using full serialization.
+	var plaintext = []byte("This is a secret message")
+	var aad = []byte("This is authenticated, but public data")
+
+	encrypter.EncryptWithAuthData(plaintext, aad)
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/encoding.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/encoding.go
new file mode 100644
index 000000000..dde0a42db
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/encoding.go
@@ -0,0 +1,193 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jose
+
+import (
+	"bytes"
+	"compress/flate"
+	"encoding/base64"
+	"encoding/binary"
+	"io"
+	"math/big"
+	"regexp"
+	"strings"
+
+	"gopkg.in/square/go-jose.v1/json"
+)
+
+var stripWhitespaceRegex = regexp.MustCompile("\\s")
+
+// Url-safe base64 encode that strips padding
+func base64URLEncode(data []byte) string {
+	var result = base64.URLEncoding.EncodeToString(data)
+	return strings.TrimRight(result, "=")
+}
+
+// Url-safe base64 decoder that adds padding
+func base64URLDecode(data string) ([]byte, error) {
+	var missing = (4 - len(data)%4) % 4
+	data += strings.Repeat("=", missing)
+	return base64.URLEncoding.DecodeString(data)
+}
+
+// Helper function to serialize known-good objects.
+// Precondition: value is not a nil pointer.
+func mustSerializeJSON(value interface{}) []byte {
+	out, err := json.Marshal(value)
+	if err != nil {
+		panic(err)
+	}
+	// We never want to serialize the top-level value "null," since it's not a
+	// valid JOSE message. But if a caller passes in a nil pointer to this method,
+	// MarshalJSON will happily serialize it as the top-level value "null". If
+	// that value is then embedded in another operation, for instance by being
+	// base64-encoded and fed as input to a signing algorithm
+	// (https://github.com/square/go-jose/issues/22), the result will be
+	// incorrect. Because this method is intended for known-good objects, and a nil
+	// pointer is not a known-good object, we are free to panic in this case.
+	// Note: It's not possible to directly check whether the data pointed at by an
+	// interface is a nil pointer, so we do this hacky workaround.
+	// https://groups.google.com/forum/#!topic/golang-nuts/wnH302gBa4I
+	if string(out) == "null" {
+		panic("Tried to serialize a nil pointer.")
+	}
+	return out
+}
+
+// Strip all newlines and whitespace
+func stripWhitespace(data string) string {
+	return stripWhitespaceRegex.ReplaceAllString(data, "")
+}
+
+// Perform compression based on algorithm
+func compress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
+	switch algorithm {
+	case DEFLATE:
+		return deflate(input)
+	default:
+		return nil, ErrUnsupportedAlgorithm
+	}
+}
+
+// Perform decompression based on algorithm
+func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
+	switch algorithm {
+	case DEFLATE:
+		return inflate(input)
+	default:
+		return nil, ErrUnsupportedAlgorithm
+	}
+}
+
+// Compress with DEFLATE
+func deflate(input []byte) ([]byte, error) {
+	output := new(bytes.Buffer)
+
+	// Writing to byte buffer, err is always nil
+	writer, _ := flate.NewWriter(output, 1)
+	_, _ = io.Copy(writer, bytes.NewBuffer(input))
+
+	err := writer.Close()
+	return output.Bytes(), err
+}
+
+// Decompress with DEFLATE
+func inflate(input []byte) ([]byte, error) {
+	output := new(bytes.Buffer)
+	reader := flate.NewReader(bytes.NewBuffer(input))
+
+	_, err := io.Copy(output, reader)
+	if err != nil {
+		return nil, err
+	}
+
+	err = reader.Close()
+	return output.Bytes(), err
+}
+
+// byteBuffer represents a slice of bytes that can be serialized to url-safe base64.
+type byteBuffer struct {
+	data []byte
+}
+
+func newBuffer(data []byte) *byteBuffer {
+	if data == nil {
+		return nil
+	}
+	return &byteBuffer{
+		data: data,
+	}
+}
+
+func newFixedSizeBuffer(data []byte, length int) *byteBuffer {
+	if len(data) > length {
+		panic("square/go-jose: invalid call to newFixedSizeBuffer (len(data) > length)")
+	}
+	pad := make([]byte, length-len(data))
+	return newBuffer(append(pad, data...))
+}
+
+func newBufferFromInt(num uint64) *byteBuffer {
+	data := make([]byte, 8)
+	binary.BigEndian.PutUint64(data, num)
+	return newBuffer(bytes.TrimLeft(data, "\x00"))
+}
+
+func (b *byteBuffer) MarshalJSON() ([]byte, error) {
+	return json.Marshal(b.base64())
+}
+
+func (b *byteBuffer) UnmarshalJSON(data []byte) error {
+	var encoded string
+	err := json.Unmarshal(data, &encoded)
+	if err != nil {
+		return err
+	}
+
+	if encoded == "" {
+		return nil
+	}
+
+	decoded, err := base64URLDecode(encoded)
+	if err != nil {
+		return err
+	}
+
+	*b = *newBuffer(decoded)
+
+	return nil
+}
+
+func (b *byteBuffer) base64() string {
+	return base64URLEncode(b.data)
+}
+
+func (b *byteBuffer) bytes() []byte {
+	// Handling nil here allows us to transparently handle nil slices when serializing.
+	if b == nil {
+		return nil
+	}
+	return b.data
+}
+
+func (b byteBuffer) bigInt() *big.Int {
+	return new(big.Int).SetBytes(b.data)
+}
+
+func (b byteBuffer) toInt() int {
+	return int(b.bigInt().Int64())
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/encoding_test.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/encoding_test.go
new file mode 100644
index 000000000..e2f8d979c
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/encoding_test.go
@@ -0,0 +1,173 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jose
+
+import (
+	"bytes"
+	"strings"
+	"testing"
+)
+
+func TestBase64URLEncode(t *testing.T) {
+	// Test arrays with various sizes
+	if base64URLEncode([]byte{}) != "" {
+		t.Error("failed to encode empty array")
+	}
+
+	if base64URLEncode([]byte{0}) != "AA" {
+		t.Error("failed to encode [0x00]")
+	}
+
+	if base64URLEncode([]byte{0, 1}) != "AAE" {
+		t.Error("failed to encode [0x00, 0x01]")
+	}
+
+	if base64URLEncode([]byte{0, 1, 2}) != "AAEC" {
+		t.Error("failed to encode [0x00, 0x01, 0x02]")
+	}
+
+	if base64URLEncode([]byte{0, 1, 2, 3}) != "AAECAw" {
+		t.Error("failed to encode [0x00, 0x01, 0x02, 0x03]")
+	}
+}
+
+func TestBase64URLDecode(t *testing.T) {
+	// Test arrays with various sizes
+	val, err := base64URLDecode("")
+	if err != nil || !bytes.Equal(val, []byte{}) {
+		t.Error("failed to decode empty array")
+	}
+
+	val, err = base64URLDecode("AA")
+	if err != nil || !bytes.Equal(val, []byte{0}) {
+		t.Error("failed to decode [0x00]")
+	}
+
+	val, err = base64URLDecode("AAE")
+	if err != nil || !bytes.Equal(val, []byte{0, 1}) {
+		t.Error("failed to decode [0x00, 0x01]")
+	}
+
+	val, err = base64URLDecode("AAEC")
+	if err != nil || !bytes.Equal(val, []byte{0, 1, 2}) {
+		t.Error("failed to decode [0x00, 0x01, 0x02]")
+	}
+
+	val, err = base64URLDecode("AAECAw")
+	if err != nil || !bytes.Equal(val, []byte{0, 1, 2, 3}) {
+		t.Error("failed to decode [0x00, 0x01, 0x02, 0x03]")
+	}
+}
+
+func TestDeflateRoundtrip(t *testing.T) {
+	original := []byte("Lorem ipsum dolor sit amet")
+
+	compressed, err := deflate(original)
+	if err != nil {
+		panic(err)
+	}
+
+	output, err := inflate(compressed)
+	if err != nil {
+		panic(err)
+	}
+
+	if bytes.Compare(output, original) != 0 {
+		t.Error("Input and output do not match")
+	}
+}
+
+func TestInvalidCompression(t *testing.T) {
+	_, err := compress("XYZ", []byte{})
+	if err == nil {
+		t.Error("should not accept invalid algorithm")
+	}
+
+	_, err = decompress("XYZ", []byte{})
+	if err == nil {
+		t.Error("should not accept invalid algorithm")
+	}
+
+	_, err = decompress(DEFLATE, []byte{1, 2, 3, 4})
+	if err == nil {
+		t.Error("should not accept invalid data")
+	}
+}
+
+func TestByteBufferTrim(t *testing.T) {
+	buf := newBufferFromInt(1)
+	if !bytes.Equal(buf.data, []byte{1}) {
+		t.Error("Byte buffer for integer '1' should contain [0x01]")
+	}
+
+	buf = newBufferFromInt(65537)
+	if !bytes.Equal(buf.data, []byte{1, 0, 1}) {
+		t.Error("Byte buffer for integer '65537' should contain [0x01, 0x00, 0x01]")
+	}
+}
+
+func TestFixedSizeBuffer(t *testing.T) {
+	data0 := []byte{}
+	data1 := []byte{1}
+	data2 := []byte{1, 2}
+	data3 := []byte{1, 2, 3}
+	data4 := []byte{1, 2, 3, 4}
+
+	buf0 := newFixedSizeBuffer(data0, 4)
+	buf1 := newFixedSizeBuffer(data1, 4)
+	buf2 := newFixedSizeBuffer(data2, 4)
+	buf3 := newFixedSizeBuffer(data3, 4)
+	buf4 := newFixedSizeBuffer(data4, 4)
+
+	if !bytes.Equal(buf0.data, []byte{0, 0, 0, 0}) {
+		t.Error("Invalid padded buffer for buf0")
+	}
+	if !bytes.Equal(buf1.data, []byte{0, 0, 0, 1}) {
+		t.Error("Invalid padded buffer for buf1")
+	}
+	if !bytes.Equal(buf2.data, []byte{0, 0, 1, 2}) {
+		t.Error("Invalid padded buffer for buf2")
+	}
+	if !bytes.Equal(buf3.data, []byte{0, 1, 2, 3}) {
+		t.Error("Invalid padded buffer for buf3")
+	}
+	if !bytes.Equal(buf4.data, []byte{1, 2, 3, 4}) {
+		t.Error("Invalid padded buffer for buf4")
+	}
+}
+
+func TestSerializeJSONRejectsNil(t *testing.T) {
+	defer func() {
+		r := recover()
+		if r == nil || !strings.Contains(r.(string), "nil pointer") {
+			t.Error("serialize function should not accept nil pointer")
+		}
+	}()
+
+	mustSerializeJSON(nil)
+}
+
+func TestFixedSizeBufferTooLarge(t *testing.T) {
+	defer func() {
+		r := recover()
+		if r == nil {
+			t.Error("should not be able to create fixed size buffer with oversized data")
+		}
+	}()
+
+	newFixedSizeBuffer(make([]byte, 2), 1)
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/LICENSE b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/LICENSE
new file mode 100644
index 000000000..744875676
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/LICENSE
@@ -0,0 +1,27 @@
+Copyright (c) 2012 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/README.md b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/README.md
new file mode 100644
index 000000000..86de5e558
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/README.md
@@ -0,0 +1,13 @@
+# Safe JSON
+
+This repository contains a fork of the `encoding/json` package from Go 1.6.
+
+The following changes were made:
+
+* Object deserialization uses case-sensitive member name matching instead of
+  [case-insensitive matching](https://www.ietf.org/mail-archive/web/json/current/msg03763.html).
+  This is to avoid differences in the interpretation of JOSE messages between
+  go-jose and libraries written in other languages.
+* When deserializing a JSON object, we check for duplicate keys and reject the
+  input whenever we detect a duplicate. Rather than trying to work with malformed
+  data, we prefer to reject it right away.
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/bench_test.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/bench_test.go
new file mode 100644
index 000000000..ed89d1156
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/bench_test.go
@@ -0,0 +1,223 @@
+// Copyright 2011 The Go Authors.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Large data benchmark.
+// The JSON data is a summary of agl's changes in the
+// go, webkit, and chromium open source projects.
+// We benchmark converting between the JSON form
+// and in-memory data structures.
+
+package json
+
+import (
+	"bytes"
+	"compress/gzip"
+	"io/ioutil"
+	"os"
+	"strings"
+	"testing"
+)
+
+type codeResponse struct {
+	Tree     *codeNode `json:"tree"`
+	Username string    `json:"username"`
+}
+
+type codeNode struct {
+	Name     string      `json:"name"`
+	Kids     []*codeNode `json:"kids"`
+	CLWeight float64     `json:"cl_weight"`
+	Touches  int         `json:"touches"`
+	MinT     int64       `json:"min_t"`
+	MaxT     int64       `json:"max_t"`
+	MeanT    int64       `json:"mean_t"`
+}
+
+var codeJSON []byte
+var codeStruct codeResponse
+
+func codeInit() {
+	f, err := os.Open("testdata/code.json.gz")
+	if err != nil {
+		panic(err)
+	}
+	defer f.Close()
+	gz, err := gzip.NewReader(f)
+	if err != nil {
+		panic(err)
+	}
+	data, err := ioutil.ReadAll(gz)
+	if err != nil {
+		panic(err)
+	}
+
+	codeJSON = data
+
+	if err := Unmarshal(codeJSON, &codeStruct); err != nil {
+		panic("unmarshal code.json: " + err.Error())
+	}
+
+	if data, err = Marshal(&codeStruct); err != nil {
+		panic("marshal code.json: " + err.Error())
+	}
+
+	if !bytes.Equal(data, codeJSON) {
+		println("different lengths", len(data), len(codeJSON))
+		for i := 0; i < len(data) && i < len(codeJSON); i++ {
+			if data[i] != codeJSON[i] {
+				println("re-marshal: changed at byte", i)
+				println("orig: ", string(codeJSON[i-10:i+10]))
+				println("new: ", string(data[i-10:i+10]))
+				break
+			}
+		}
+		panic("re-marshal code.json: different result")
+	}
+}
+
+func BenchmarkCodeEncoder(b *testing.B) {
+	if codeJSON == nil {
+		b.StopTimer()
+		codeInit()
+		b.StartTimer()
+	}
+	enc := NewEncoder(ioutil.Discard)
+	for i := 0; i < b.N; i++ {
+		if err := enc.Encode(&codeStruct); err != nil {
+			b.Fatal("Encode:", err)
+		}
+	}
+	b.SetBytes(int64(len(codeJSON)))
+}
+
+func BenchmarkCodeMarshal(b *testing.B) {
+	if codeJSON == nil {
+		b.StopTimer()
+		codeInit()
+		b.StartTimer()
+	}
+	for i := 0; i < b.N; i++ {
+		if _, err := Marshal(&codeStruct); err != nil {
+			b.Fatal("Marshal:", err)
+		}
+	}
+	b.SetBytes(int64(len(codeJSON)))
+}
+
+func BenchmarkCodeDecoder(b *testing.B) {
+	if codeJSON == nil {
+		b.StopTimer()
+		codeInit()
+		b.StartTimer()
+	}
+	var buf bytes.Buffer
+	dec := NewDecoder(&buf)
+	var r codeResponse
+	for i := 0; i < b.N; i++ {
+		buf.Write(codeJSON)
+		// hide EOF
+		buf.WriteByte('\n')
+		buf.WriteByte('\n')
+		buf.WriteByte('\n')
+		if err := dec.Decode(&r); err != nil {
+			b.Fatal("Decode:", err)
+		}
+	}
+	b.SetBytes(int64(len(codeJSON)))
+}
+
+func BenchmarkDecoderStream(b *testing.B) {
+	b.StopTimer()
+	var buf bytes.Buffer
+	dec := NewDecoder(&buf)
+	buf.WriteString(`"` + strings.Repeat("x", 1000000) + `"` + "\n\n\n")
+	var x interface{}
+	if err := dec.Decode(&x); err != nil {
+		b.Fatal("Decode:", err)
+	}
+	ones := strings.Repeat(" 1\n", 300000) + "\n\n\n"
+	b.StartTimer()
+	for i := 0; i < b.N; i++ {
+		if i%300000 == 0 {
+			buf.WriteString(ones)
+		}
+		x = nil
+		if err := dec.Decode(&x); err != nil || x != 1.0 {
+			b.Fatalf("Decode: %v after %d", err, i)
+		}
+	}
+}
+
+func BenchmarkCodeUnmarshal(b *testing.B) {
+	if codeJSON == nil {
+		b.StopTimer()
+		codeInit()
+		b.StartTimer()
+	}
+	for i := 0; i < b.N; i++ {
+		var r codeResponse
+		if err := Unmarshal(codeJSON, &r); err != nil {
+			b.Fatal("Unmmarshal:", err)
+		}
+	}
+	b.SetBytes(int64(len(codeJSON)))
+}
+
+func BenchmarkCodeUnmarshalReuse(b *testing.B) {
+	if codeJSON == nil {
+		b.StopTimer()
+		codeInit()
+		b.StartTimer()
+	}
+	var r codeResponse
+	for i := 0; i < b.N; i++ {
+		if err := Unmarshal(codeJSON, &r); err != nil {
+			b.Fatal("Unmmarshal:", err)
+		}
+	}
+}
+
+func BenchmarkUnmarshalString(b *testing.B) {
+	data := []byte(`"hello, world"`)
+	var s string
+
+	for i := 0; i < b.N; i++ {
+		if err := Unmarshal(data, &s); err != nil {
+			b.Fatal("Unmarshal:", err)
+		}
+	}
+}
+
+func BenchmarkUnmarshalFloat64(b *testing.B) {
+	var f float64
+	data := []byte(`3.14`)
+
+	for i := 0; i < b.N; i++ {
+		if err := Unmarshal(data, &f); err != nil {
+			b.Fatal("Unmarshal:", err)
+		}
+	}
+}
+
+func BenchmarkUnmarshalInt64(b *testing.B) {
+	var x int64
+	data := []byte(`3`)
+
+	for i := 0; i < b.N; i++ {
+		if err := Unmarshal(data, &x); err != nil {
+			b.Fatal("Unmarshal:", err)
+		}
+	}
+}
+
+func BenchmarkIssue10335(b *testing.B) {
+	b.ReportAllocs()
+	var s struct{}
+	j := []byte(`{"a":{ }}`)
+	for n := 0; n < b.N; n++ {
+		if err := Unmarshal(j, &s); err != nil {
+			b.Fatal(err)
+		}
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/decode.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/decode.go
new file mode 100644
index 000000000..37457e5a8
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/decode.go
@@ -0,0 +1,1183 @@
+// Copyright 2010 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Represents JSON data structure using native Go types: booleans, floats,
+// strings, arrays, and maps.
+
+package json
+
+import (
+	"bytes"
+	"encoding"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"reflect"
+	"runtime"
+	"strconv"
+	"unicode"
+	"unicode/utf16"
+	"unicode/utf8"
+)
+
+// Unmarshal parses the JSON-encoded data and stores the result
+// in the value pointed to by v.
+//
+// Unmarshal uses the inverse of the encodings that
+// Marshal uses, allocating maps, slices, and pointers as necessary,
+// with the following additional rules:
+//
+// To unmarshal JSON into a pointer, Unmarshal first handles the case of
+// the JSON being the JSON literal null.  In that case, Unmarshal sets
+// the pointer to nil.  Otherwise, Unmarshal unmarshals the JSON into
+// the value pointed at by the pointer.  If the pointer is nil, Unmarshal
+// allocates a new value for it to point to.
+//
+// To unmarshal JSON into a struct, Unmarshal matches incoming object
+// keys to the keys used by Marshal (either the struct field name or its tag),
+// preferring an exact match but also accepting a case-insensitive match.
+// Unmarshal will only set exported fields of the struct.
+//
+// To unmarshal JSON into an interface value,
+// Unmarshal stores one of these in the interface value:
+//
+//	bool, for JSON booleans
+//	float64, for JSON numbers
+//	string, for JSON strings
+//	[]interface{}, for JSON arrays
+//	map[string]interface{}, for JSON objects
+//	nil for JSON null
+//
+// To unmarshal a JSON array into a slice, Unmarshal resets the slice length
+// to zero and then appends each element to the slice.
+// As a special case, to unmarshal an empty JSON array into a slice,
+// Unmarshal replaces the slice with a new empty slice.
+//
+// To unmarshal a JSON array into a Go array, Unmarshal decodes
+// JSON array elements into corresponding Go array elements.
+// If the Go array is smaller than the JSON array,
+// the additional JSON array elements are discarded.
+// If the JSON array is smaller than the Go array,
+// the additional Go array elements are set to zero values.
+//
+// To unmarshal a JSON object into a string-keyed map, Unmarshal first
+// establishes a map to use, If the map is nil, Unmarshal allocates a new map.
+// Otherwise Unmarshal reuses the existing map, keeping existing entries.
+// Unmarshal then stores key-value pairs from the JSON object into the map.
+//
+// If a JSON value is not appropriate for a given target type,
+// or if a JSON number overflows the target type, Unmarshal
+// skips that field and completes the unmarshaling as best it can.
+// If no more serious errors are encountered, Unmarshal returns
+// an UnmarshalTypeError describing the earliest such error.
+//
+// The JSON null value unmarshals into an interface, map, pointer, or slice
+// by setting that Go value to nil. Because null is often used in JSON to mean
+// ``not present,'' unmarshaling a JSON null into any other Go type has no effect
+// on the value and produces no error.
+//
+// When unmarshaling quoted strings, invalid UTF-8 or
+// invalid UTF-16 surrogate pairs are not treated as an error.
+// Instead, they are replaced by the Unicode replacement
+// character U+FFFD.
+//
+func Unmarshal(data []byte, v interface{}) error {
+	// Check for well-formedness.
+	// Avoids filling out half a data structure
+	// before discovering a JSON syntax error.
+	var d decodeState
+	err := checkValid(data, &d.scan)
+	if err != nil {
+		return err
+	}
+
+	d.init(data)
+	return d.unmarshal(v)
+}
+
+// Unmarshaler is the interface implemented by objects
+// that can unmarshal a JSON description of themselves.
+// The input can be assumed to be a valid encoding of
+// a JSON value. UnmarshalJSON must copy the JSON data
+// if it wishes to retain the data after returning.
+type Unmarshaler interface {
+	UnmarshalJSON([]byte) error
+}
+
+// An UnmarshalTypeError describes a JSON value that was
+// not appropriate for a value of a specific Go type.
+type UnmarshalTypeError struct {
+	Value  string       // description of JSON value - "bool", "array", "number -5"
+	Type   reflect.Type // type of Go value it could not be assigned to
+	Offset int64        // error occurred after reading Offset bytes
+}
+
+func (e *UnmarshalTypeError) Error() string {
+	return "json: cannot unmarshal " + e.Value + " into Go value of type " + e.Type.String()
+}
+
+// An UnmarshalFieldError describes a JSON object key that
+// led to an unexported (and therefore unwritable) struct field.
+// (No longer used; kept for compatibility.)
+type UnmarshalFieldError struct {
+	Key   string
+	Type  reflect.Type
+	Field reflect.StructField
+}
+
+func (e *UnmarshalFieldError) Error() string {
+	return "json: cannot unmarshal object key " + strconv.Quote(e.Key) + " into unexported field " + e.Field.Name + " of type " + e.Type.String()
+}
+
+// An InvalidUnmarshalError describes an invalid argument passed to Unmarshal.
+// (The argument to Unmarshal must be a non-nil pointer.)
+type InvalidUnmarshalError struct {
+	Type reflect.Type
+}
+
+func (e *InvalidUnmarshalError) Error() string {
+	if e.Type == nil {
+		return "json: Unmarshal(nil)"
+	}
+
+	if e.Type.Kind() != reflect.Ptr {
+		return "json: Unmarshal(non-pointer " + e.Type.String() + ")"
+	}
+	return "json: Unmarshal(nil " + e.Type.String() + ")"
+}
+
+func (d *decodeState) unmarshal(v interface{}) (err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			if _, ok := r.(runtime.Error); ok {
+				panic(r)
+			}
+			err = r.(error)
+		}
+	}()
+
+	rv := reflect.ValueOf(v)
+	if rv.Kind() != reflect.Ptr || rv.IsNil() {
+		return &InvalidUnmarshalError{reflect.TypeOf(v)}
+	}
+
+	d.scan.reset()
+	// We decode rv not rv.Elem because the Unmarshaler interface
+	// test must be applied at the top level of the value.
+	d.value(rv)
+	return d.savedError
+}
+
+// A Number represents a JSON number literal.
+type Number string
+
+// String returns the literal text of the number.
+func (n Number) String() string { return string(n) }
+
+// Float64 returns the number as a float64.
+func (n Number) Float64() (float64, error) {
+	return strconv.ParseFloat(string(n), 64)
+}
+
+// Int64 returns the number as an int64.
+func (n Number) Int64() (int64, error) {
+	return strconv.ParseInt(string(n), 10, 64)
+}
+
+// isValidNumber reports whether s is a valid JSON number literal.
+func isValidNumber(s string) bool {
+	// This function implements the JSON numbers grammar.
+	// See https://tools.ietf.org/html/rfc7159#section-6
+	// and http://json.org/number.gif
+
+	if s == "" {
+		return false
+	}
+
+	// Optional -
+	if s[0] == '-' {
+		s = s[1:]
+		if s == "" {
+			return false
+		}
+	}
+
+	// Digits
+	switch {
+	default:
+		return false
+
+	case s[0] == '0':
+		s = s[1:]
+
+	case '1' <= s[0] && s[0] <= '9':
+		s = s[1:]
+		for len(s) > 0 && '0' <= s[0] && s[0] <= '9' {
+			s = s[1:]
+		}
+	}
+
+	// . followed by 1 or more digits.
+	if len(s) >= 2 && s[0] == '.' && '0' <= s[1] && s[1] <= '9' {
+		s = s[2:]
+		for len(s) > 0 && '0' <= s[0] && s[0] <= '9' {
+			s = s[1:]
+		}
+	}
+
+	// e or E followed by an optional - or + and
+	// 1 or more digits.
+	if len(s) >= 2 && (s[0] == 'e' || s[0] == 'E') {
+		s = s[1:]
+		if s[0] == '+' || s[0] == '-' {
+			s = s[1:]
+			if s == "" {
+				return false
+			}
+		}
+		for len(s) > 0 && '0' <= s[0] && s[0] <= '9' {
+			s = s[1:]
+		}
+	}
+
+	// Make sure we are at the end.
+	return s == ""
+}
+
+// decodeState represents the state while decoding a JSON value.
+type decodeState struct {
+	data       []byte
+	off        int // read offset in data
+	scan       scanner
+	nextscan   scanner // for calls to nextValue
+	savedError error
+	useNumber  bool
+}
+
+// errPhase is used for errors that should not happen unless
+// there is a bug in the JSON decoder or something is editing
+// the data slice while the decoder executes.
+var errPhase = errors.New("JSON decoder out of sync - data changing underfoot?")
+
+func (d *decodeState) init(data []byte) *decodeState {
+	d.data = data
+	d.off = 0
+	d.savedError = nil
+	return d
+}
+
+// error aborts the decoding by panicking with err.
+func (d *decodeState) error(err error) {
+	panic(err)
+}
+
+// saveError saves the first err it is called with,
+// for reporting at the end of the unmarshal.
+func (d *decodeState) saveError(err error) {
+	if d.savedError == nil {
+		d.savedError = err
+	}
+}
+
+// next cuts off and returns the next full JSON value in d.data[d.off:].
+// The next value is known to be an object or array, not a literal.
+func (d *decodeState) next() []byte {
+	c := d.data[d.off]
+	item, rest, err := nextValue(d.data[d.off:], &d.nextscan)
+	if err != nil {
+		d.error(err)
+	}
+	d.off = len(d.data) - len(rest)
+
+	// Our scanner has seen the opening brace/bracket
+	// and thinks we're still in the middle of the object.
+	// invent a closing brace/bracket to get it out.
+	if c == '{' {
+		d.scan.step(&d.scan, '}')
+	} else {
+		d.scan.step(&d.scan, ']')
+	}
+
+	return item
+}
+
+// scanWhile processes bytes in d.data[d.off:] until it
+// receives a scan code not equal to op.
+// It updates d.off and returns the new scan code.
+func (d *decodeState) scanWhile(op int) int {
+	var newOp int
+	for {
+		if d.off >= len(d.data) {
+			newOp = d.scan.eof()
+			d.off = len(d.data) + 1 // mark processed EOF with len+1
+		} else {
+			c := d.data[d.off]
+			d.off++
+			newOp = d.scan.step(&d.scan, c)
+		}
+		if newOp != op {
+			break
+		}
+	}
+	return newOp
+}
+
+// value decodes a JSON value from d.data[d.off:] into the value.
+// it updates d.off to point past the decoded value.
+func (d *decodeState) value(v reflect.Value) {
+	if !v.IsValid() {
+		_, rest, err := nextValue(d.data[d.off:], &d.nextscan)
+		if err != nil {
+			d.error(err)
+		}
+		d.off = len(d.data) - len(rest)
+
+		// d.scan thinks we're still at the beginning of the item.
+		// Feed in an empty string - the shortest, simplest value -
+		// so that it knows we got to the end of the value.
+		if d.scan.redo {
+			// rewind.
+			d.scan.redo = false
+			d.scan.step = stateBeginValue
+		}
+		d.scan.step(&d.scan, '"')
+		d.scan.step(&d.scan, '"')
+
+		n := len(d.scan.parseState)
+		if n > 0 && d.scan.parseState[n-1] == parseObjectKey {
+			// d.scan thinks we just read an object key; finish the object
+			d.scan.step(&d.scan, ':')
+			d.scan.step(&d.scan, '"')
+			d.scan.step(&d.scan, '"')
+			d.scan.step(&d.scan, '}')
+		}
+
+		return
+	}
+
+	switch op := d.scanWhile(scanSkipSpace); op {
+	default:
+		d.error(errPhase)
+
+	case scanBeginArray:
+		d.array(v)
+
+	case scanBeginObject:
+		d.object(v)
+
+	case scanBeginLiteral:
+		d.literal(v)
+	}
+}
+
+type unquotedValue struct{}
+
+// valueQuoted is like value but decodes a
+// quoted string literal or literal null into an interface value.
+// If it finds anything other than a quoted string literal or null,
+// valueQuoted returns unquotedValue{}.
+func (d *decodeState) valueQuoted() interface{} {
+	switch op := d.scanWhile(scanSkipSpace); op {
+	default:
+		d.error(errPhase)
+
+	case scanBeginArray:
+		d.array(reflect.Value{})
+
+	case scanBeginObject:
+		d.object(reflect.Value{})
+
+	case scanBeginLiteral:
+		switch v := d.literalInterface().(type) {
+		case nil, string:
+			return v
+		}
+	}
+	return unquotedValue{}
+}
+
+// indirect walks down v allocating pointers as needed,
+// until it gets to a non-pointer.
+// if it encounters an Unmarshaler, indirect stops and returns that.
+// if decodingNull is true, indirect stops at the last pointer so it can be set to nil.
+func (d *decodeState) indirect(v reflect.Value, decodingNull bool) (Unmarshaler, encoding.TextUnmarshaler, reflect.Value) {
+	// If v is a named type and is addressable,
+	// start with its address, so that if the type has pointer methods,
+	// we find them.
+	if v.Kind() != reflect.Ptr && v.Type().Name() != "" && v.CanAddr() {
+		v = v.Addr()
+	}
+	for {
+		// Load value from interface, but only if the result will be
+		// usefully addressable.
+		if v.Kind() == reflect.Interface && !v.IsNil() {
+			e := v.Elem()
+			if e.Kind() == reflect.Ptr && !e.IsNil() && (!decodingNull || e.Elem().Kind() == reflect.Ptr) {
+				v = e
+				continue
+			}
+		}
+
+		if v.Kind() != reflect.Ptr {
+			break
+		}
+
+		if v.Elem().Kind() != reflect.Ptr && decodingNull && v.CanSet() {
+			break
+		}
+		if v.IsNil() {
+			v.Set(reflect.New(v.Type().Elem()))
+		}
+		if v.Type().NumMethod() > 0 {
+			if u, ok := v.Interface().(Unmarshaler); ok {
+				return u, nil, reflect.Value{}
+			}
+			if u, ok := v.Interface().(encoding.TextUnmarshaler); ok {
+				return nil, u, reflect.Value{}
+			}
+		}
+		v = v.Elem()
+	}
+	return nil, nil, v
+}
+
+// array consumes an array from d.data[d.off-1:], decoding into the value v.
+// the first byte of the array ('[') has been read already.
+func (d *decodeState) array(v reflect.Value) {
+	// Check for unmarshaler.
+	u, ut, pv := d.indirect(v, false)
+	if u != nil {
+		d.off--
+		err := u.UnmarshalJSON(d.next())
+		if err != nil {
+			d.error(err)
+		}
+		return
+	}
+	if ut != nil {
+		d.saveError(&UnmarshalTypeError{"array", v.Type(), int64(d.off)})
+		d.off--
+		d.next()
+		return
+	}
+
+	v = pv
+
+	// Check type of target.
+	switch v.Kind() {
+	case reflect.Interface:
+		if v.NumMethod() == 0 {
+			// Decoding into nil interface?  Switch to non-reflect code.
+			v.Set(reflect.ValueOf(d.arrayInterface()))
+			return
+		}
+		// Otherwise it's invalid.
+		fallthrough
+	default:
+		d.saveError(&UnmarshalTypeError{"array", v.Type(), int64(d.off)})
+		d.off--
+		d.next()
+		return
+	case reflect.Array:
+	case reflect.Slice:
+		break
+	}
+
+	i := 0
+	for {
+		// Look ahead for ] - can only happen on first iteration.
+		op := d.scanWhile(scanSkipSpace)
+		if op == scanEndArray {
+			break
+		}
+
+		// Back up so d.value can have the byte we just read.
+		d.off--
+		d.scan.undo(op)
+
+		// Get element of array, growing if necessary.
+		if v.Kind() == reflect.Slice {
+			// Grow slice if necessary
+			if i >= v.Cap() {
+				newcap := v.Cap() + v.Cap()/2
+				if newcap < 4 {
+					newcap = 4
+				}
+				newv := reflect.MakeSlice(v.Type(), v.Len(), newcap)
+				reflect.Copy(newv, v)
+				v.Set(newv)
+			}
+			if i >= v.Len() {
+				v.SetLen(i + 1)
+			}
+		}
+
+		if i < v.Len() {
+			// Decode into element.
+			d.value(v.Index(i))
+		} else {
+			// Ran out of fixed array: skip.
+			d.value(reflect.Value{})
+		}
+		i++
+
+		// Next token must be , or ].
+		op = d.scanWhile(scanSkipSpace)
+		if op == scanEndArray {
+			break
+		}
+		if op != scanArrayValue {
+			d.error(errPhase)
+		}
+	}
+
+	if i < v.Len() {
+		if v.Kind() == reflect.Array {
+			// Array.  Zero the rest.
+			z := reflect.Zero(v.Type().Elem())
+			for ; i < v.Len(); i++ {
+				v.Index(i).Set(z)
+			}
+		} else {
+			v.SetLen(i)
+		}
+	}
+	if i == 0 && v.Kind() == reflect.Slice {
+		v.Set(reflect.MakeSlice(v.Type(), 0, 0))
+	}
+}
+
+var nullLiteral = []byte("null")
+
+// object consumes an object from d.data[d.off-1:], decoding into the value v.
+// the first byte ('{') of the object has been read already.
+func (d *decodeState) object(v reflect.Value) {
+	// Check for unmarshaler.
+	u, ut, pv := d.indirect(v, false)
+	if u != nil {
+		d.off--
+		err := u.UnmarshalJSON(d.next())
+		if err != nil {
+			d.error(err)
+		}
+		return
+	}
+	if ut != nil {
+		d.saveError(&UnmarshalTypeError{"object", v.Type(), int64(d.off)})
+		d.off--
+		d.next() // skip over { } in input
+		return
+	}
+	v = pv
+
+	// Decoding into nil interface?  Switch to non-reflect code.
+	if v.Kind() == reflect.Interface && v.NumMethod() == 0 {
+		v.Set(reflect.ValueOf(d.objectInterface()))
+		return
+	}
+
+	// Check type of target: struct or map[string]T
+	switch v.Kind() {
+	case reflect.Map:
+		// map must have string kind
+		t := v.Type()
+		if t.Key().Kind() != reflect.String {
+			d.saveError(&UnmarshalTypeError{"object", v.Type(), int64(d.off)})
+			d.off--
+			d.next() // skip over { } in input
+			return
+		}
+		if v.IsNil() {
+			v.Set(reflect.MakeMap(t))
+		}
+	case reflect.Struct:
+
+	default:
+		d.saveError(&UnmarshalTypeError{"object", v.Type(), int64(d.off)})
+		d.off--
+		d.next() // skip over { } in input
+		return
+	}
+
+	var mapElem reflect.Value
+	keys := map[string]bool{}
+
+	for {
+		// Read opening " of string key or closing }.
+		op := d.scanWhile(scanSkipSpace)
+		if op == scanEndObject {
+			// closing } - can only happen on first iteration.
+			break
+		}
+		if op != scanBeginLiteral {
+			d.error(errPhase)
+		}
+
+		// Read key.
+		start := d.off - 1
+		op = d.scanWhile(scanContinue)
+		item := d.data[start : d.off-1]
+		key, ok := unquote(item)
+		if !ok {
+			d.error(errPhase)
+		}
+
+		// Check for duplicate keys.
+		_, ok = keys[key]
+		if !ok {
+			keys[key] = true
+		} else {
+			d.error(fmt.Errorf("json: duplicate key '%s' in object", key))
+		}
+
+		// Figure out field corresponding to key.
+		var subv reflect.Value
+		destring := false // whether the value is wrapped in a string to be decoded first
+
+		if v.Kind() == reflect.Map {
+			elemType := v.Type().Elem()
+			if !mapElem.IsValid() {
+				mapElem = reflect.New(elemType).Elem()
+			} else {
+				mapElem.Set(reflect.Zero(elemType))
+			}
+			subv = mapElem
+		} else {
+			var f *field
+			fields := cachedTypeFields(v.Type())
+			for i := range fields {
+				ff := &fields[i]
+				if bytes.Equal(ff.nameBytes, []byte(key)) {
+					f = ff
+					break
+				}
+			}
+			if f != nil {
+				subv = v
+				destring = f.quoted
+				for _, i := range f.index {
+					if subv.Kind() == reflect.Ptr {
+						if subv.IsNil() {
+							subv.Set(reflect.New(subv.Type().Elem()))
+						}
+						subv = subv.Elem()
+					}
+					subv = subv.Field(i)
+				}
+			}
+		}
+
+		// Read : before value.
+		if op == scanSkipSpace {
+			op = d.scanWhile(scanSkipSpace)
+		}
+		if op != scanObjectKey {
+			d.error(errPhase)
+		}
+
+		// Read value.
+		if destring {
+			switch qv := d.valueQuoted().(type) {
+			case nil:
+				d.literalStore(nullLiteral, subv, false)
+			case string:
+				d.literalStore([]byte(qv), subv, true)
+			default:
+				d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal unquoted value into %v", subv.Type()))
+			}
+		} else {
+			d.value(subv)
+		}
+
+		// Write value back to map;
+		// if using struct, subv points into struct already.
+		if v.Kind() == reflect.Map {
+			kv := reflect.ValueOf(key).Convert(v.Type().Key())
+			v.SetMapIndex(kv, subv)
+		}
+
+		// Next token must be , or }.
+		op = d.scanWhile(scanSkipSpace)
+		if op == scanEndObject {
+			break
+		}
+		if op != scanObjectValue {
+			d.error(errPhase)
+		}
+	}
+}
+
+// literal consumes a literal from d.data[d.off-1:], decoding into the value v.
+// The first byte of the literal has been read already
+// (that's how the caller knows it's a literal).
+func (d *decodeState) literal(v reflect.Value) {
+	// All bytes inside literal return scanContinue op code.
+	start := d.off - 1
+	op := d.scanWhile(scanContinue)
+
+	// Scan read one byte too far; back up.
+	d.off--
+	d.scan.undo(op)
+
+	d.literalStore(d.data[start:d.off], v, false)
+}
+
+// convertNumber converts the number literal s to a float64 or a Number
+// depending on the setting of d.useNumber.
+func (d *decodeState) convertNumber(s string) (interface{}, error) {
+	if d.useNumber {
+		return Number(s), nil
+	}
+	f, err := strconv.ParseFloat(s, 64)
+	if err != nil {
+		return nil, &UnmarshalTypeError{"number " + s, reflect.TypeOf(0.0), int64(d.off)}
+	}
+	return f, nil
+}
+
+var numberType = reflect.TypeOf(Number(""))
+
+// literalStore decodes a literal stored in item into v.
+//
+// fromQuoted indicates whether this literal came from unwrapping a
+// string from the ",string" struct tag option. this is used only to
+// produce more helpful error messages.
+func (d *decodeState) literalStore(item []byte, v reflect.Value, fromQuoted bool) {
+	// Check for unmarshaler.
+	if len(item) == 0 {
+		//Empty string given
+		d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
+		return
+	}
+	wantptr := item[0] == 'n' // null
+	u, ut, pv := d.indirect(v, wantptr)
+	if u != nil {
+		err := u.UnmarshalJSON(item)
+		if err != nil {
+			d.error(err)
+		}
+		return
+	}
+	if ut != nil {
+		if item[0] != '"' {
+			if fromQuoted {
+				d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
+			} else {
+				d.saveError(&UnmarshalTypeError{"string", v.Type(), int64(d.off)})
+			}
+			return
+		}
+		s, ok := unquoteBytes(item)
+		if !ok {
+			if fromQuoted {
+				d.error(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
+			} else {
+				d.error(errPhase)
+			}
+		}
+		err := ut.UnmarshalText(s)
+		if err != nil {
+			d.error(err)
+		}
+		return
+	}
+
+	v = pv
+
+	switch c := item[0]; c {
+	case 'n': // null
+		switch v.Kind() {
+		case reflect.Interface, reflect.Ptr, reflect.Map, reflect.Slice:
+			v.Set(reflect.Zero(v.Type()))
+			// otherwise, ignore null for primitives/string
+		}
+	case 't', 'f': // true, false
+		value := c == 't'
+		switch v.Kind() {
+		default:
+			if fromQuoted {
+				d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
+			} else {
+				d.saveError(&UnmarshalTypeError{"bool", v.Type(), int64(d.off)})
+			}
+		case reflect.Bool:
+			v.SetBool(value)
+		case reflect.Interface:
+			if v.NumMethod() == 0 {
+				v.Set(reflect.ValueOf(value))
+			} else {
+				d.saveError(&UnmarshalTypeError{"bool", v.Type(), int64(d.off)})
+			}
+		}
+
+	case '"': // string
+		s, ok := unquoteBytes(item)
+		if !ok {
+			if fromQuoted {
+				d.error(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
+			} else {
+				d.error(errPhase)
+			}
+		}
+		switch v.Kind() {
+		default:
+			d.saveError(&UnmarshalTypeError{"string", v.Type(), int64(d.off)})
+		case reflect.Slice:
+			if v.Type().Elem().Kind() != reflect.Uint8 {
+				d.saveError(&UnmarshalTypeError{"string", v.Type(), int64(d.off)})
+				break
+			}
+			b := make([]byte, base64.StdEncoding.DecodedLen(len(s)))
+			n, err := base64.StdEncoding.Decode(b, s)
+			if err != nil {
+				d.saveError(err)
+				break
+			}
+			v.SetBytes(b[:n])
+		case reflect.String:
+			v.SetString(string(s))
+		case reflect.Interface:
+			if v.NumMethod() == 0 {
+				v.Set(reflect.ValueOf(string(s)))
+			} else {
+				d.saveError(&UnmarshalTypeError{"string", v.Type(), int64(d.off)})
+			}
+		}
+
+	default: // number
+		if c != '-' && (c < '0' || c > '9') {
+			if fromQuoted {
+				d.error(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
+			} else {
+				d.error(errPhase)
+			}
+		}
+		s := string(item)
+		switch v.Kind() {
+		default:
+			if v.Kind() == reflect.String && v.Type() == numberType {
+				v.SetString(s)
+				if !isValidNumber(s) {
+					d.error(fmt.Errorf("json: invalid number literal, trying to unmarshal %q into Number", item))
+				}
+				break
+			}
+			if fromQuoted {
+				d.error(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
+			} else {
+				d.error(&UnmarshalTypeError{"number", v.Type(), int64(d.off)})
+			}
+		case reflect.Interface:
+			n, err := d.convertNumber(s)
+			if err != nil {
+				d.saveError(err)
+				break
+			}
+			if v.NumMethod() != 0 {
+				d.saveError(&UnmarshalTypeError{"number", v.Type(), int64(d.off)})
+				break
+			}
+			v.Set(reflect.ValueOf(n))
+
+		case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+			n, err := strconv.ParseInt(s, 10, 64)
+			if err != nil || v.OverflowInt(n) {
+				d.saveError(&UnmarshalTypeError{"number " + s, v.Type(), int64(d.off)})
+				break
+			}
+			v.SetInt(n)
+
+		case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
+			n, err := strconv.ParseUint(s, 10, 64)
+			if err != nil || v.OverflowUint(n) {
+				d.saveError(&UnmarshalTypeError{"number " + s, v.Type(), int64(d.off)})
+				break
+			}
+			v.SetUint(n)
+
+		case reflect.Float32, reflect.Float64:
+			n, err := strconv.ParseFloat(s, v.Type().Bits())
+			if err != nil || v.OverflowFloat(n) {
+				d.saveError(&UnmarshalTypeError{"number " + s, v.Type(), int64(d.off)})
+				break
+			}
+			v.SetFloat(n)
+		}
+	}
+}
+
+// The xxxInterface routines build up a value to be stored
+// in an empty interface.  They are not strictly necessary,
+// but they avoid the weight of reflection in this common case.
+
+// valueInterface is like value but returns interface{}
+func (d *decodeState) valueInterface() interface{} {
+	switch d.scanWhile(scanSkipSpace) {
+	default:
+		d.error(errPhase)
+		panic("unreachable")
+	case scanBeginArray:
+		return d.arrayInterface()
+	case scanBeginObject:
+		return d.objectInterface()
+	case scanBeginLiteral:
+		return d.literalInterface()
+	}
+}
+
+// arrayInterface is like array but returns []interface{}.
+func (d *decodeState) arrayInterface() []interface{} {
+	var v = make([]interface{}, 0)
+	for {
+		// Look ahead for ] - can only happen on first iteration.
+		op := d.scanWhile(scanSkipSpace)
+		if op == scanEndArray {
+			break
+		}
+
+		// Back up so d.value can have the byte we just read.
+		d.off--
+		d.scan.undo(op)
+
+		v = append(v, d.valueInterface())
+
+		// Next token must be , or ].
+		op = d.scanWhile(scanSkipSpace)
+		if op == scanEndArray {
+			break
+		}
+		if op != scanArrayValue {
+			d.error(errPhase)
+		}
+	}
+	return v
+}
+
+// objectInterface is like object but returns map[string]interface{}.
+func (d *decodeState) objectInterface() map[string]interface{} {
+	m := make(map[string]interface{})
+	keys := map[string]bool{}
+
+	for {
+		// Read opening " of string key or closing }.
+		op := d.scanWhile(scanSkipSpace)
+		if op == scanEndObject {
+			// closing } - can only happen on first iteration.
+			break
+		}
+		if op != scanBeginLiteral {
+			d.error(errPhase)
+		}
+
+		// Read string key.
+		start := d.off - 1
+		op = d.scanWhile(scanContinue)
+		item := d.data[start : d.off-1]
+		key, ok := unquote(item)
+		if !ok {
+			d.error(errPhase)
+		}
+
+		// Check for duplicate keys.
+		_, ok = keys[key]
+		if !ok {
+			keys[key] = true
+		} else {
+			d.error(fmt.Errorf("json: duplicate key '%s' in object", key))
+		}
+
+		// Read : before value.
+		if op == scanSkipSpace {
+			op = d.scanWhile(scanSkipSpace)
+		}
+		if op != scanObjectKey {
+			d.error(errPhase)
+		}
+
+		// Read value.
+		m[key] = d.valueInterface()
+
+		// Next token must be , or }.
+		op = d.scanWhile(scanSkipSpace)
+		if op == scanEndObject {
+			break
+		}
+		if op != scanObjectValue {
+			d.error(errPhase)
+		}
+	}
+	return m
+}
+
+// literalInterface is like literal but returns an interface value.
+func (d *decodeState) literalInterface() interface{} {
+	// All bytes inside literal return scanContinue op code.
+	start := d.off - 1
+	op := d.scanWhile(scanContinue)
+
+	// Scan read one byte too far; back up.
+	d.off--
+	d.scan.undo(op)
+	item := d.data[start:d.off]
+
+	switch c := item[0]; c {
+	case 'n': // null
+		return nil
+
+	case 't', 'f': // true, false
+		return c == 't'
+
+	case '"': // string
+		s, ok := unquote(item)
+		if !ok {
+			d.error(errPhase)
+		}
+		return s
+
+	default: // number
+		if c != '-' && (c < '0' || c > '9') {
+			d.error(errPhase)
+		}
+		n, err := d.convertNumber(string(item))
+		if err != nil {
+			d.saveError(err)
+		}
+		return n
+	}
+}
+
+// getu4 decodes \uXXXX from the beginning of s, returning the hex value,
+// or it returns -1.
+func getu4(s []byte) rune {
+	if len(s) < 6 || s[0] != '\\' || s[1] != 'u' {
+		return -1
+	}
+	r, err := strconv.ParseUint(string(s[2:6]), 16, 64)
+	if err != nil {
+		return -1
+	}
+	return rune(r)
+}
+
+// unquote converts a quoted JSON string literal s into an actual string t.
+// The rules are different than for Go, so cannot use strconv.Unquote.
+func unquote(s []byte) (t string, ok bool) {
+	s, ok = unquoteBytes(s)
+	t = string(s)
+	return
+}
+
+func unquoteBytes(s []byte) (t []byte, ok bool) {
+	if len(s) < 2 || s[0] != '"' || s[len(s)-1] != '"' {
+		return
+	}
+	s = s[1 : len(s)-1]
+
+	// Check for unusual characters. If there are none,
+	// then no unquoting is needed, so return a slice of the
+	// original bytes.
+	r := 0
+	for r < len(s) {
+		c := s[r]
+		if c == '\\' || c == '"' || c < ' ' {
+			break
+		}
+		if c < utf8.RuneSelf {
+			r++
+			continue
+		}
+		rr, size := utf8.DecodeRune(s[r:])
+		if rr == utf8.RuneError && size == 1 {
+			break
+		}
+		r += size
+	}
+	if r == len(s) {
+		return s, true
+	}
+
+	b := make([]byte, len(s)+2*utf8.UTFMax)
+	w := copy(b, s[0:r])
+	for r < len(s) {
+		// Out of room?  Can only happen if s is full of
+		// malformed UTF-8 and we're replacing each
+		// byte with RuneError.
+		if w >= len(b)-2*utf8.UTFMax {
+			nb := make([]byte, (len(b)+utf8.UTFMax)*2)
+			copy(nb, b[0:w])
+			b = nb
+		}
+		switch c := s[r]; {
+		case c == '\\':
+			r++
+			if r >= len(s) {
+				return
+			}
+			switch s[r] {
+			default:
+				return
+			case '"', '\\', '/', '\'':
+				b[w] = s[r]
+				r++
+				w++
+			case 'b':
+				b[w] = '\b'
+				r++
+				w++
+			case 'f':
+				b[w] = '\f'
+				r++
+				w++
+			case 'n':
+				b[w] = '\n'
+				r++
+				w++
+			case 'r':
+				b[w] = '\r'
+				r++
+				w++
+			case 't':
+				b[w] = '\t'
+				r++
+				w++
+			case 'u':
+				r--
+				rr := getu4(s[r:])
+				if rr < 0 {
+					return
+				}
+				r += 6
+				if utf16.IsSurrogate(rr) {
+					rr1 := getu4(s[r:])
+					if dec := utf16.DecodeRune(rr, rr1); dec != unicode.ReplacementChar {
+						// A valid pair; consume.
+						r += 6
+						w += utf8.EncodeRune(b[w:], dec)
+						break
+					}
+					// Invalid surrogate; fall back to replacement rune.
+					rr = unicode.ReplacementChar
+				}
+				w += utf8.EncodeRune(b[w:], rr)
+			}
+
+		// Quote, control characters are invalid.
+		case c == '"', c < ' ':
+			return
+
+		// ASCII
+		case c < utf8.RuneSelf:
+			b[w] = c
+			r++
+			w++
+
+		// Coerce to well-formed UTF-8.
+		default:
+			rr, size := utf8.DecodeRune(s[r:])
+			r += size
+			w += utf8.EncodeRune(b[w:], rr)
+		}
+	}
+	return b[0:w], true
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/decode_test.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/decode_test.go
new file mode 100644
index 000000000..32394654e
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/decode_test.go
@@ -0,0 +1,1474 @@
+// Copyright 2010 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+import (
+	"bytes"
+	"encoding"
+	"fmt"
+	"image"
+	"net"
+	"reflect"
+	"strings"
+	"testing"
+	"time"
+)
+
+type T struct {
+	X string
+	Y int
+	Z int `json:"-"`
+}
+
+type U struct {
+	Alphabet string `json:"alpha"`
+}
+
+type V struct {
+	F1 interface{}
+	F2 int32
+	F3 Number
+}
+
+// ifaceNumAsFloat64/ifaceNumAsNumber are used to test unmarshaling with and
+// without UseNumber
+var ifaceNumAsFloat64 = map[string]interface{}{
+	"k1": float64(1),
+	"k2": "s",
+	"k3": []interface{}{float64(1), float64(2.0), float64(3e-3)},
+	"k4": map[string]interface{}{"kk1": "s", "kk2": float64(2)},
+}
+
+var ifaceNumAsNumber = map[string]interface{}{
+	"k1": Number("1"),
+	"k2": "s",
+	"k3": []interface{}{Number("1"), Number("2.0"), Number("3e-3")},
+	"k4": map[string]interface{}{"kk1": "s", "kk2": Number("2")},
+}
+
+type tx struct {
+	x int
+}
+
+// A type that can unmarshal itself.
+
+type unmarshaler struct {
+	T bool
+}
+
+func (u *unmarshaler) UnmarshalJSON(b []byte) error {
+	*u = unmarshaler{true} // All we need to see that UnmarshalJSON is called.
+	return nil
+}
+
+type ustruct struct {
+	M unmarshaler
+}
+
+type unmarshalerText struct {
+	T bool
+}
+
+// needed for re-marshaling tests
+func (u *unmarshalerText) MarshalText() ([]byte, error) {
+	return []byte(""), nil
+}
+
+func (u *unmarshalerText) UnmarshalText(b []byte) error {
+	*u = unmarshalerText{true} // All we need to see that UnmarshalText is called.
+	return nil
+}
+
+var _ encoding.TextUnmarshaler = (*unmarshalerText)(nil)
+
+type ustructText struct {
+	M unmarshalerText
+}
+
+var (
+	um0, um1 unmarshaler // target2 of unmarshaling
+	ump      = &um1
+	umtrue   = unmarshaler{true}
+	umslice  = []unmarshaler{{true}}
+	umslicep = new([]unmarshaler)
+	umstruct = ustruct{unmarshaler{true}}
+
+	um0T, um1T unmarshalerText // target2 of unmarshaling
+	umpT       = &um1T
+	umtrueT    = unmarshalerText{true}
+	umsliceT   = []unmarshalerText{{true}}
+	umslicepT  = new([]unmarshalerText)
+	umstructT  = ustructText{unmarshalerText{true}}
+)
+
+// Test data structures for anonymous fields.
+
+type Point struct {
+	Z int
+}
+
+type Top struct {
+	Level0 int
+	Embed0
+	*Embed0a
+	*Embed0b `json:"e,omitempty"` // treated as named
+	Embed0c  `json:"-"`           // ignored
+	Loop
+	Embed0p // has Point with X, Y, used
+	Embed0q // has Point with Z, used
+	embed   // contains exported field
+}
+
+type Embed0 struct {
+	Level1a int // overridden by Embed0a's Level1a with json tag
+	Level1b int // used because Embed0a's Level1b is renamed
+	Level1c int // used because Embed0a's Level1c is ignored
+	Level1d int // annihilated by Embed0a's Level1d
+	Level1e int `json:"x"` // annihilated by Embed0a.Level1e
+}
+
+type Embed0a struct {
+	Level1a int `json:"Level1a,omitempty"`
+	Level1b int `json:"LEVEL1B,omitempty"`
+	Level1c int `json:"-"`
+	Level1d int // annihilated by Embed0's Level1d
+	Level1f int `json:"x"` // annihilated by Embed0's Level1e
+}
+
+type Embed0b Embed0
+
+type Embed0c Embed0
+
+type Embed0p struct {
+	image.Point
+}
+
+type Embed0q struct {
+	Point
+}
+
+type embed struct {
+	Q int
+}
+
+type Loop struct {
+	Loop1 int `json:",omitempty"`
+	Loop2 int `json:",omitempty"`
+	*Loop
+}
+
+// From reflect test:
+// The X in S6 and S7 annihilate, but they also block the X in S8.S9.
+type S5 struct {
+	S6
+	S7
+	S8
+}
+
+type S6 struct {
+	X int
+}
+
+type S7 S6
+
+type S8 struct {
+	S9
+}
+
+type S9 struct {
+	X int
+	Y int
+}
+
+// From reflect test:
+// The X in S11.S6 and S12.S6 annihilate, but they also block the X in S13.S8.S9.
+type S10 struct {
+	S11
+	S12
+	S13
+}
+
+type S11 struct {
+	S6
+}
+
+type S12 struct {
+	S6
+}
+
+type S13 struct {
+	S8
+}
+
+type unmarshalTest struct {
+	in        string
+	ptr       interface{}
+	out       interface{}
+	err       error
+	useNumber bool
+}
+
+type XYZ struct {
+	X interface{}
+	Y interface{}
+	Z interface{}
+}
+
+func sliceAddr(x []int) *[]int                 { return &x }
+func mapAddr(x map[string]int) *map[string]int { return &x }
+
+var unmarshalTests = []unmarshalTest{
+	// basic types
+	{in: `true`, ptr: new(bool), out: true},
+	{in: `1`, ptr: new(int), out: 1},
+	{in: `1.2`, ptr: new(float64), out: 1.2},
+	{in: `-5`, ptr: new(int16), out: int16(-5)},
+	{in: `2`, ptr: new(Number), out: Number("2"), useNumber: true},
+	{in: `2`, ptr: new(Number), out: Number("2")},
+	{in: `2`, ptr: new(interface{}), out: float64(2.0)},
+	{in: `2`, ptr: new(interface{}), out: Number("2"), useNumber: true},
+	{in: `"a\u1234"`, ptr: new(string), out: "a\u1234"},
+	{in: `"http:\/\/"`, ptr: new(string), out: "http://"},
+	{in: `"g-clef: \uD834\uDD1E"`, ptr: new(string), out: "g-clef: \U0001D11E"},
+	{in: `"invalid: \uD834x\uDD1E"`, ptr: new(string), out: "invalid: \uFFFDx\uFFFD"},
+	{in: "null", ptr: new(interface{}), out: nil},
+	{in: `{"X": [1,2,3], "Y": 4}`, ptr: new(T), out: T{Y: 4}, err: &UnmarshalTypeError{"array", reflect.TypeOf(""), 7}},
+	{in: `{"x": 1}`, ptr: new(tx), out: tx{}},
+	{in: `{"F1":1,"F2":2,"F3":3}`, ptr: new(V), out: V{F1: float64(1), F2: int32(2), F3: Number("3")}},
+	{in: `{"F1":1,"F2":2,"F3":3}`, ptr: new(V), out: V{F1: Number("1"), F2: int32(2), F3: Number("3")}, useNumber: true},
+	{in: `{"k1":1,"k2":"s","k3":[1,2.0,3e-3],"k4":{"kk1":"s","kk2":2}}`, ptr: new(interface{}), out: ifaceNumAsFloat64},
+	{in: `{"k1":1,"k2":"s","k3":[1,2.0,3e-3],"k4":{"kk1":"s","kk2":2}}`, ptr: new(interface{}), out: ifaceNumAsNumber, useNumber: true},
+
+	// raw values with whitespace
+	{in: "\n true ", ptr: new(bool), out: true},
+	{in: "\t 1 ", ptr: new(int), out: 1},
+	{in: "\r 1.2 ", ptr: new(float64), out: 1.2},
+	{in: "\t -5 \n", ptr: new(int16), out: int16(-5)},
+	{in: "\t \"a\\u1234\" \n", ptr: new(string), out: "a\u1234"},
+
+	// Z has a "-" tag.
+	{in: `{"Y": 1, "Z": 2}`, ptr: new(T), out: T{Y: 1}},
+
+	{in: `{"alpha": "abc", "alphabet": "xyz"}`, ptr: new(U), out: U{Alphabet: "abc"}},
+	{in: `{"alpha": "abc"}`, ptr: new(U), out: U{Alphabet: "abc"}},
+	{in: `{"alphabet": "xyz"}`, ptr: new(U), out: U{}},
+
+	// syntax errors
+	{in: `{"X": "foo", "Y"}`, err: &SyntaxError{"invalid character '}' after object key", 17}},
+	{in: `[1, 2, 3+]`, err: &SyntaxError{"invalid character '+' after array element", 9}},
+	{in: `{"X":12x}`, err: &SyntaxError{"invalid character 'x' after object key:value pair", 8}, useNumber: true},
+
+	// raw value errors
+	{in: "\x01 42", err: &SyntaxError{"invalid character '\\x01' looking for beginning of value", 1}},
+	{in: " 42 \x01", err: &SyntaxError{"invalid character '\\x01' after top-level value", 5}},
+	{in: "\x01 true", err: &SyntaxError{"invalid character '\\x01' looking for beginning of value", 1}},
+	{in: " false \x01", err: &SyntaxError{"invalid character '\\x01' after top-level value", 8}},
+	{in: "\x01 1.2", err: &SyntaxError{"invalid character '\\x01' looking for beginning of value", 1}},
+	{in: " 3.4 \x01", err: &SyntaxError{"invalid character '\\x01' after top-level value", 6}},
+	{in: "\x01 \"string\"", err: &SyntaxError{"invalid character '\\x01' looking for beginning of value", 1}},
+	{in: " \"string\" \x01", err: &SyntaxError{"invalid character '\\x01' after top-level value", 11}},
+
+	// array tests
+	{in: `[1, 2, 3]`, ptr: new([3]int), out: [3]int{1, 2, 3}},
+	{in: `[1, 2, 3]`, ptr: new([1]int), out: [1]int{1}},
+	{in: `[1, 2, 3]`, ptr: new([5]int), out: [5]int{1, 2, 3, 0, 0}},
+
+	// empty array to interface test
+	{in: `[]`, ptr: new([]interface{}), out: []interface{}{}},
+	{in: `null`, ptr: new([]interface{}), out: []interface{}(nil)},
+	{in: `{"T":[]}`, ptr: new(map[string]interface{}), out: map[string]interface{}{"T": []interface{}{}}},
+	{in: `{"T":null}`, ptr: new(map[string]interface{}), out: map[string]interface{}{"T": interface{}(nil)}},
+
+	// composite tests
+	{in: allValueIndent, ptr: new(All), out: allValue},
+	{in: allValueCompact, ptr: new(All), out: allValue},
+	{in: allValueIndent, ptr: new(*All), out: &allValue},
+	{in: allValueCompact, ptr: new(*All), out: &allValue},
+	{in: pallValueIndent, ptr: new(All), out: pallValue},
+	{in: pallValueCompact, ptr: new(All), out: pallValue},
+	{in: pallValueIndent, ptr: new(*All), out: &pallValue},
+	{in: pallValueCompact, ptr: new(*All), out: &pallValue},
+
+	// unmarshal interface test
+	{in: `{"T":false}`, ptr: &um0, out: umtrue}, // use "false" so test will fail if custom unmarshaler is not called
+	{in: `{"T":false}`, ptr: &ump, out: &umtrue},
+	{in: `[{"T":false}]`, ptr: &umslice, out: umslice},
+	{in: `[{"T":false}]`, ptr: &umslicep, out: &umslice},
+	{in: `{"M":{"T":false}}`, ptr: &umstruct, out: umstruct},
+
+	// UnmarshalText interface test
+	{in: `"X"`, ptr: &um0T, out: umtrueT}, // use "false" so test will fail if custom unmarshaler is not called
+	{in: `"X"`, ptr: &umpT, out: &umtrueT},
+	{in: `["X"]`, ptr: &umsliceT, out: umsliceT},
+	{in: `["X"]`, ptr: &umslicepT, out: &umsliceT},
+	{in: `{"M":"X"}`, ptr: &umstructT, out: umstructT},
+
+	// Overwriting of data.
+	// This is different from package xml, but it's what we've always done.
+	// Now documented and tested.
+	{in: `[2]`, ptr: sliceAddr([]int{1}), out: []int{2}},
+	{in: `{"key": 2}`, ptr: mapAddr(map[string]int{"old": 0, "key": 1}), out: map[string]int{"key": 2}},
+
+	{
+		in: `{
+			"Level0": 1,
+			"Level1b": 2,
+			"Level1c": 3,
+			"x": 4,
+			"Level1a": 5,
+			"LEVEL1B": 6,
+			"e": {
+				"Level1a": 8,
+				"Level1b": 9,
+				"Level1c": 10,
+				"Level1d": 11,
+				"x": 12
+			},
+			"Loop1": 13,
+			"Loop2": 14,
+			"X": 15,
+			"Y": 16,
+			"Z": 17,
+			"Q": 18
+		}`,
+		ptr: new(Top),
+		out: Top{
+			Level0: 1,
+			Embed0: Embed0{
+				Level1b: 2,
+				Level1c: 3,
+			},
+			Embed0a: &Embed0a{
+				Level1a: 5,
+				Level1b: 6,
+			},
+			Embed0b: &Embed0b{
+				Level1a: 8,
+				Level1b: 9,
+				Level1c: 10,
+				Level1d: 11,
+				Level1e: 12,
+			},
+			Loop: Loop{
+				Loop1: 13,
+				Loop2: 14,
+			},
+			Embed0p: Embed0p{
+				Point: image.Point{X: 15, Y: 16},
+			},
+			Embed0q: Embed0q{
+				Point: Point{Z: 17},
+			},
+			embed: embed{
+				Q: 18,
+			},
+		},
+	},
+	{
+		in:  `{"X": 1,"Y":2}`,
+		ptr: new(S5),
+		out: S5{S8: S8{S9: S9{Y: 2}}},
+	},
+	{
+		in:  `{"X": 1,"Y":2}`,
+		ptr: new(S10),
+		out: S10{S13: S13{S8: S8{S9: S9{Y: 2}}}},
+	},
+
+	// invalid UTF-8 is coerced to valid UTF-8.
+	{
+		in:  "\"hello\xffworld\"",
+		ptr: new(string),
+		out: "hello\ufffdworld",
+	},
+	{
+		in:  "\"hello\xc2\xc2world\"",
+		ptr: new(string),
+		out: "hello\ufffd\ufffdworld",
+	},
+	{
+		in:  "\"hello\xc2\xffworld\"",
+		ptr: new(string),
+		out: "hello\ufffd\ufffdworld",
+	},
+	{
+		in:  "\"hello\\ud800world\"",
+		ptr: new(string),
+		out: "hello\ufffdworld",
+	},
+	{
+		in:  "\"hello\\ud800\\ud800world\"",
+		ptr: new(string),
+		out: "hello\ufffd\ufffdworld",
+	},
+	{
+		in:  "\"hello\\ud800\\ud800world\"",
+		ptr: new(string),
+		out: "hello\ufffd\ufffdworld",
+	},
+	{
+		in:  "\"hello\xed\xa0\x80\xed\xb0\x80world\"",
+		ptr: new(string),
+		out: "hello\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdworld",
+	},
+
+	// issue 8305
+	{
+		in:  `{"2009-11-10T23:00:00Z": "hello world"}`,
+		ptr: &map[time.Time]string{},
+		err: &UnmarshalTypeError{"object", reflect.TypeOf(map[time.Time]string{}), 1},
+	},
+}
+
+func TestMarshal(t *testing.T) {
+	b, err := Marshal(allValue)
+	if err != nil {
+		t.Fatalf("Marshal allValue: %v", err)
+	}
+	if string(b) != allValueCompact {
+		t.Errorf("Marshal allValueCompact")
+		diff(t, b, []byte(allValueCompact))
+		return
+	}
+
+	b, err = Marshal(pallValue)
+	if err != nil {
+		t.Fatalf("Marshal pallValue: %v", err)
+	}
+	if string(b) != pallValueCompact {
+		t.Errorf("Marshal pallValueCompact")
+		diff(t, b, []byte(pallValueCompact))
+		return
+	}
+}
+
+var badUTF8 = []struct {
+	in, out string
+}{
+	{"hello\xffworld", `"hello\ufffdworld"`},
+	{"", `""`},
+	{"\xff", `"\ufffd"`},
+	{"\xff\xff", `"\ufffd\ufffd"`},
+	{"a\xffb", `"a\ufffdb"`},
+	{"\xe6\x97\xa5\xe6\x9c\xac\xff\xaa\x9e", `"日本\ufffd\ufffd\ufffd"`},
+}
+
+func TestMarshalBadUTF8(t *testing.T) {
+	for _, tt := range badUTF8 {
+		b, err := Marshal(tt.in)
+		if string(b) != tt.out || err != nil {
+			t.Errorf("Marshal(%q) = %#q, %v, want %#q, nil", tt.in, b, err, tt.out)
+		}
+	}
+}
+
+func TestMarshalNumberZeroVal(t *testing.T) {
+	var n Number
+	out, err := Marshal(n)
+	if err != nil {
+		t.Fatal(err)
+	}
+	outStr := string(out)
+	if outStr != "0" {
+		t.Fatalf("Invalid zero val for Number: %q", outStr)
+	}
+}
+
+func TestMarshalEmbeds(t *testing.T) {
+	top := &Top{
+		Level0: 1,
+		Embed0: Embed0{
+			Level1b: 2,
+			Level1c: 3,
+		},
+		Embed0a: &Embed0a{
+			Level1a: 5,
+			Level1b: 6,
+		},
+		Embed0b: &Embed0b{
+			Level1a: 8,
+			Level1b: 9,
+			Level1c: 10,
+			Level1d: 11,
+			Level1e: 12,
+		},
+		Loop: Loop{
+			Loop1: 13,
+			Loop2: 14,
+		},
+		Embed0p: Embed0p{
+			Point: image.Point{X: 15, Y: 16},
+		},
+		Embed0q: Embed0q{
+			Point: Point{Z: 17},
+		},
+		embed: embed{
+			Q: 18,
+		},
+	}
+	b, err := Marshal(top)
+	if err != nil {
+		t.Fatal(err)
+	}
+	want := "{\"Level0\":1,\"Level1b\":2,\"Level1c\":3,\"Level1a\":5,\"LEVEL1B\":6,\"e\":{\"Level1a\":8,\"Level1b\":9,\"Level1c\":10,\"Level1d\":11,\"x\":12},\"Loop1\":13,\"Loop2\":14,\"X\":15,\"Y\":16,\"Z\":17,\"Q\":18}"
+	if string(b) != want {
+		t.Errorf("Wrong marshal result.\n got: %q\nwant: %q", b, want)
+	}
+}
+
+func TestUnmarshal(t *testing.T) {
+	for i, tt := range unmarshalTests {
+		var scan scanner
+		in := []byte(tt.in)
+		if err := checkValid(in, &scan); err != nil {
+			if !reflect.DeepEqual(err, tt.err) {
+				t.Errorf("#%d: checkValid: %#v", i, err)
+				continue
+			}
+		}
+		if tt.ptr == nil {
+			continue
+		}
+
+		// v = new(right-type)
+		v := reflect.New(reflect.TypeOf(tt.ptr).Elem())
+		dec := NewDecoder(bytes.NewReader(in))
+		if tt.useNumber {
+			dec.UseNumber()
+		}
+		if err := dec.Decode(v.Interface()); !reflect.DeepEqual(err, tt.err) {
+			t.Errorf("#%d: %v, want %v", i, err, tt.err)
+			continue
+		} else if err != nil {
+			continue
+		}
+		if !reflect.DeepEqual(v.Elem().Interface(), tt.out) {
+			t.Errorf("#%d: mismatch\nhave: %#+v\nwant: %#+v", i, v.Elem().Interface(), tt.out)
+			data, _ := Marshal(v.Elem().Interface())
+			println(string(data))
+			data, _ = Marshal(tt.out)
+			println(string(data))
+			continue
+		}
+
+		// Check round trip.
+		if tt.err == nil {
+			enc, err := Marshal(v.Interface())
+			if err != nil {
+				t.Errorf("#%d: error re-marshaling: %v", i, err)
+				continue
+			}
+			vv := reflect.New(reflect.TypeOf(tt.ptr).Elem())
+			dec = NewDecoder(bytes.NewReader(enc))
+			if tt.useNumber {
+				dec.UseNumber()
+			}
+			if err := dec.Decode(vv.Interface()); err != nil {
+				t.Errorf("#%d: error re-unmarshaling %#q: %v", i, enc, err)
+				continue
+			}
+			if !reflect.DeepEqual(v.Elem().Interface(), vv.Elem().Interface()) {
+				t.Errorf("#%d: mismatch\nhave: %#+v\nwant: %#+v", i, v.Elem().Interface(), vv.Elem().Interface())
+				t.Errorf("     In: %q", strings.Map(noSpace, string(in)))
+				t.Errorf("Marshal: %q", strings.Map(noSpace, string(enc)))
+				continue
+			}
+		}
+	}
+}
+
+func TestUnmarshalMarshal(t *testing.T) {
+	initBig()
+	var v interface{}
+	if err := Unmarshal(jsonBig, &v); err != nil {
+		t.Fatalf("Unmarshal: %v", err)
+	}
+	b, err := Marshal(v)
+	if err != nil {
+		t.Fatalf("Marshal: %v", err)
+	}
+	if !bytes.Equal(jsonBig, b) {
+		t.Errorf("Marshal jsonBig")
+		diff(t, b, jsonBig)
+		return
+	}
+}
+
+var numberTests = []struct {
+	in       string
+	i        int64
+	intErr   string
+	f        float64
+	floatErr string
+}{
+	{in: "-1.23e1", intErr: "strconv.ParseInt: parsing \"-1.23e1\": invalid syntax", f: -1.23e1},
+	{in: "-12", i: -12, f: -12.0},
+	{in: "1e1000", intErr: "strconv.ParseInt: parsing \"1e1000\": invalid syntax", floatErr: "strconv.ParseFloat: parsing \"1e1000\": value out of range"},
+}
+
+// Independent of Decode, basic coverage of the accessors in Number
+func TestNumberAccessors(t *testing.T) {
+	for _, tt := range numberTests {
+		n := Number(tt.in)
+		if s := n.String(); s != tt.in {
+			t.Errorf("Number(%q).String() is %q", tt.in, s)
+		}
+		if i, err := n.Int64(); err == nil && tt.intErr == "" && i != tt.i {
+			t.Errorf("Number(%q).Int64() is %d", tt.in, i)
+		} else if (err == nil && tt.intErr != "") || (err != nil && err.Error() != tt.intErr) {
+			t.Errorf("Number(%q).Int64() wanted error %q but got: %v", tt.in, tt.intErr, err)
+		}
+		if f, err := n.Float64(); err == nil && tt.floatErr == "" && f != tt.f {
+			t.Errorf("Number(%q).Float64() is %g", tt.in, f)
+		} else if (err == nil && tt.floatErr != "") || (err != nil && err.Error() != tt.floatErr) {
+			t.Errorf("Number(%q).Float64() wanted error %q but got: %v", tt.in, tt.floatErr, err)
+		}
+	}
+}
+
+func TestLargeByteSlice(t *testing.T) {
+	s0 := make([]byte, 2000)
+	for i := range s0 {
+		s0[i] = byte(i)
+	}
+	b, err := Marshal(s0)
+	if err != nil {
+		t.Fatalf("Marshal: %v", err)
+	}
+	var s1 []byte
+	if err := Unmarshal(b, &s1); err != nil {
+		t.Fatalf("Unmarshal: %v", err)
+	}
+	if !bytes.Equal(s0, s1) {
+		t.Errorf("Marshal large byte slice")
+		diff(t, s0, s1)
+	}
+}
+
+type Xint struct {
+	X int
+}
+
+func TestUnmarshalInterface(t *testing.T) {
+	var xint Xint
+	var i interface{} = &xint
+	if err := Unmarshal([]byte(`{"X":1}`), &i); err != nil {
+		t.Fatalf("Unmarshal: %v", err)
+	}
+	if xint.X != 1 {
+		t.Fatalf("Did not write to xint")
+	}
+}
+
+func TestUnmarshalPtrPtr(t *testing.T) {
+	var xint Xint
+	pxint := &xint
+	if err := Unmarshal([]byte(`{"X":1}`), &pxint); err != nil {
+		t.Fatalf("Unmarshal: %v", err)
+	}
+	if xint.X != 1 {
+		t.Fatalf("Did not write to xint")
+	}
+}
+
+func TestEscape(t *testing.T) {
+	const input = `"foobar"<html>` + " [\u2028 \u2029]"
+	const expected = `"\"foobar\"\u003chtml\u003e [\u2028 \u2029]"`
+	b, err := Marshal(input)
+	if err != nil {
+		t.Fatalf("Marshal error: %v", err)
+	}
+	if s := string(b); s != expected {
+		t.Errorf("Encoding of [%s]:\n got [%s]\nwant [%s]", input, s, expected)
+	}
+}
+
+// WrongString is a struct that's misusing the ,string modifier.
+type WrongString struct {
+	Message string `json:"result,string"`
+}
+
+type wrongStringTest struct {
+	in, err string
+}
+
+var wrongStringTests = []wrongStringTest{
+	{`{"result":"x"}`, `json: invalid use of ,string struct tag, trying to unmarshal "x" into string`},
+	{`{"result":"foo"}`, `json: invalid use of ,string struct tag, trying to unmarshal "foo" into string`},
+	{`{"result":"123"}`, `json: invalid use of ,string struct tag, trying to unmarshal "123" into string`},
+	{`{"result":123}`, `json: invalid use of ,string struct tag, trying to unmarshal unquoted value into string`},
+}
+
+// If people misuse the ,string modifier, the error message should be
+// helpful, telling the user that they're doing it wrong.
+func TestErrorMessageFromMisusedString(t *testing.T) {
+	for n, tt := range wrongStringTests {
+		r := strings.NewReader(tt.in)
+		var s WrongString
+		err := NewDecoder(r).Decode(&s)
+		got := fmt.Sprintf("%v", err)
+		if got != tt.err {
+			t.Errorf("%d. got err = %q, want %q", n, got, tt.err)
+		}
+	}
+}
+
+func noSpace(c rune) rune {
+	if isSpace(byte(c)) { //only used for ascii
+		return -1
+	}
+	return c
+}
+
+type All struct {
+	Bool    bool
+	Int     int
+	Int8    int8
+	Int16   int16
+	Int32   int32
+	Int64   int64
+	Uint    uint
+	Uint8   uint8
+	Uint16  uint16
+	Uint32  uint32
+	Uint64  uint64
+	Uintptr uintptr
+	Float32 float32
+	Float64 float64
+
+	Foo  string `json:"bar"`
+	Foo2 string `json:"bar2,dummyopt"`
+
+	IntStr int64 `json:",string"`
+
+	PBool    *bool
+	PInt     *int
+	PInt8    *int8
+	PInt16   *int16
+	PInt32   *int32
+	PInt64   *int64
+	PUint    *uint
+	PUint8   *uint8
+	PUint16  *uint16
+	PUint32  *uint32
+	PUint64  *uint64
+	PUintptr *uintptr
+	PFloat32 *float32
+	PFloat64 *float64
+
+	String  string
+	PString *string
+
+	Map   map[string]Small
+	MapP  map[string]*Small
+	PMap  *map[string]Small
+	PMapP *map[string]*Small
+
+	EmptyMap map[string]Small
+	NilMap   map[string]Small
+
+	Slice   []Small
+	SliceP  []*Small
+	PSlice  *[]Small
+	PSliceP *[]*Small
+
+	EmptySlice []Small
+	NilSlice   []Small
+
+	StringSlice []string
+	ByteSlice   []byte
+
+	Small   Small
+	PSmall  *Small
+	PPSmall **Small
+
+	Interface  interface{}
+	PInterface *interface{}
+
+	unexported int
+}
+
+type Small struct {
+	Tag string
+}
+
+var allValue = All{
+	Bool:    true,
+	Int:     2,
+	Int8:    3,
+	Int16:   4,
+	Int32:   5,
+	Int64:   6,
+	Uint:    7,
+	Uint8:   8,
+	Uint16:  9,
+	Uint32:  10,
+	Uint64:  11,
+	Uintptr: 12,
+	Float32: 14.1,
+	Float64: 15.1,
+	Foo:     "foo",
+	Foo2:    "foo2",
+	IntStr:  42,
+	String:  "16",
+	Map: map[string]Small{
+		"17": {Tag: "tag17"},
+		"18": {Tag: "tag18"},
+	},
+	MapP: map[string]*Small{
+		"19": {Tag: "tag19"},
+		"20": nil,
+	},
+	EmptyMap:    map[string]Small{},
+	Slice:       []Small{{Tag: "tag20"}, {Tag: "tag21"}},
+	SliceP:      []*Small{{Tag: "tag22"}, nil, {Tag: "tag23"}},
+	EmptySlice:  []Small{},
+	StringSlice: []string{"str24", "str25", "str26"},
+	ByteSlice:   []byte{27, 28, 29},
+	Small:       Small{Tag: "tag30"},
+	PSmall:      &Small{Tag: "tag31"},
+	Interface:   5.2,
+}
+
+var pallValue = All{
+	PBool:      &allValue.Bool,
+	PInt:       &allValue.Int,
+	PInt8:      &allValue.Int8,
+	PInt16:     &allValue.Int16,
+	PInt32:     &allValue.Int32,
+	PInt64:     &allValue.Int64,
+	PUint:      &allValue.Uint,
+	PUint8:     &allValue.Uint8,
+	PUint16:    &allValue.Uint16,
+	PUint32:    &allValue.Uint32,
+	PUint64:    &allValue.Uint64,
+	PUintptr:   &allValue.Uintptr,
+	PFloat32:   &allValue.Float32,
+	PFloat64:   &allValue.Float64,
+	PString:    &allValue.String,
+	PMap:       &allValue.Map,
+	PMapP:      &allValue.MapP,
+	PSlice:     &allValue.Slice,
+	PSliceP:    &allValue.SliceP,
+	PPSmall:    &allValue.PSmall,
+	PInterface: &allValue.Interface,
+}
+
+var allValueIndent = `{
+	"Bool": true,
+	"Int": 2,
+	"Int8": 3,
+	"Int16": 4,
+	"Int32": 5,
+	"Int64": 6,
+	"Uint": 7,
+	"Uint8": 8,
+	"Uint16": 9,
+	"Uint32": 10,
+	"Uint64": 11,
+	"Uintptr": 12,
+	"Float32": 14.1,
+	"Float64": 15.1,
+	"bar": "foo",
+	"bar2": "foo2",
+	"IntStr": "42",
+	"PBool": null,
+	"PInt": null,
+	"PInt8": null,
+	"PInt16": null,
+	"PInt32": null,
+	"PInt64": null,
+	"PUint": null,
+	"PUint8": null,
+	"PUint16": null,
+	"PUint32": null,
+	"PUint64": null,
+	"PUintptr": null,
+	"PFloat32": null,
+	"PFloat64": null,
+	"String": "16",
+	"PString": null,
+	"Map": {
+		"17": {
+			"Tag": "tag17"
+		},
+		"18": {
+			"Tag": "tag18"
+		}
+	},
+	"MapP": {
+		"19": {
+			"Tag": "tag19"
+		},
+		"20": null
+	},
+	"PMap": null,
+	"PMapP": null,
+	"EmptyMap": {},
+	"NilMap": null,
+	"Slice": [
+		{
+			"Tag": "tag20"
+		},
+		{
+			"Tag": "tag21"
+		}
+	],
+	"SliceP": [
+		{
+			"Tag": "tag22"
+		},
+		null,
+		{
+			"Tag": "tag23"
+		}
+	],
+	"PSlice": null,
+	"PSliceP": null,
+	"EmptySlice": [],
+	"NilSlice": null,
+	"StringSlice": [
+		"str24",
+		"str25",
+		"str26"
+	],
+	"ByteSlice": "Gxwd",
+	"Small": {
+		"Tag": "tag30"
+	},
+	"PSmall": {
+		"Tag": "tag31"
+	},
+	"PPSmall": null,
+	"Interface": 5.2,
+	"PInterface": null
+}`
+
+var allValueCompact = strings.Map(noSpace, allValueIndent)
+
+var pallValueIndent = `{
+	"Bool": false,
+	"Int": 0,
+	"Int8": 0,
+	"Int16": 0,
+	"Int32": 0,
+	"Int64": 0,
+	"Uint": 0,
+	"Uint8": 0,
+	"Uint16": 0,
+	"Uint32": 0,
+	"Uint64": 0,
+	"Uintptr": 0,
+	"Float32": 0,
+	"Float64": 0,
+	"bar": "",
+	"bar2": "",
+        "IntStr": "0",
+	"PBool": true,
+	"PInt": 2,
+	"PInt8": 3,
+	"PInt16": 4,
+	"PInt32": 5,
+	"PInt64": 6,
+	"PUint": 7,
+	"PUint8": 8,
+	"PUint16": 9,
+	"PUint32": 10,
+	"PUint64": 11,
+	"PUintptr": 12,
+	"PFloat32": 14.1,
+	"PFloat64": 15.1,
+	"String": "",
+	"PString": "16",
+	"Map": null,
+	"MapP": null,
+	"PMap": {
+		"17": {
+			"Tag": "tag17"
+		},
+		"18": {
+			"Tag": "tag18"
+		}
+	},
+	"PMapP": {
+		"19": {
+			"Tag": "tag19"
+		},
+		"20": null
+	},
+	"EmptyMap": null,
+	"NilMap": null,
+	"Slice": null,
+	"SliceP": null,
+	"PSlice": [
+		{
+			"Tag": "tag20"
+		},
+		{
+			"Tag": "tag21"
+		}
+	],
+	"PSliceP": [
+		{
+			"Tag": "tag22"
+		},
+		null,
+		{
+			"Tag": "tag23"
+		}
+	],
+	"EmptySlice": null,
+	"NilSlice": null,
+	"StringSlice": null,
+	"ByteSlice": null,
+	"Small": {
+		"Tag": ""
+	},
+	"PSmall": null,
+	"PPSmall": {
+		"Tag": "tag31"
+	},
+	"Interface": null,
+	"PInterface": 5.2
+}`
+
+var pallValueCompact = strings.Map(noSpace, pallValueIndent)
+
+func TestRefUnmarshal(t *testing.T) {
+	type S struct {
+		// Ref is defined in encode_test.go.
+		R0 Ref
+		R1 *Ref
+		R2 RefText
+		R3 *RefText
+	}
+	want := S{
+		R0: 12,
+		R1: new(Ref),
+		R2: 13,
+		R3: new(RefText),
+	}
+	*want.R1 = 12
+	*want.R3 = 13
+
+	var got S
+	if err := Unmarshal([]byte(`{"R0":"ref","R1":"ref","R2":"ref","R3":"ref"}`), &got); err != nil {
+		t.Fatalf("Unmarshal: %v", err)
+	}
+	if !reflect.DeepEqual(got, want) {
+		t.Errorf("got %+v, want %+v", got, want)
+	}
+}
+
+// Test that the empty string doesn't panic decoding when ,string is specified
+// Issue 3450
+func TestEmptyString(t *testing.T) {
+	type T2 struct {
+		Number1 int `json:",string"`
+		Number2 int `json:",string"`
+	}
+	data := `{"Number1":"1", "Number2":""}`
+	dec := NewDecoder(strings.NewReader(data))
+	var t2 T2
+	err := dec.Decode(&t2)
+	if err == nil {
+		t.Fatal("Decode: did not return error")
+	}
+	if t2.Number1 != 1 {
+		t.Fatal("Decode: did not set Number1")
+	}
+}
+
+// Test that a null for ,string is not replaced with the previous quoted string (issue 7046).
+// It should also not be an error (issue 2540, issue 8587).
+func TestNullString(t *testing.T) {
+	type T struct {
+		A int  `json:",string"`
+		B int  `json:",string"`
+		C *int `json:",string"`
+	}
+	data := []byte(`{"A": "1", "B": null, "C": null}`)
+	var s T
+	s.B = 1
+	s.C = new(int)
+	*s.C = 2
+	err := Unmarshal(data, &s)
+	if err != nil {
+		t.Fatalf("Unmarshal: %v", err)
+	}
+	if s.B != 1 || s.C != nil {
+		t.Fatalf("after Unmarshal, s.B=%d, s.C=%p, want 1, nil", s.B, s.C)
+	}
+}
+
+func intp(x int) *int {
+	p := new(int)
+	*p = x
+	return p
+}
+
+func intpp(x *int) **int {
+	pp := new(*int)
+	*pp = x
+	return pp
+}
+
+var interfaceSetTests = []struct {
+	pre  interface{}
+	json string
+	post interface{}
+}{
+	{"foo", `"bar"`, "bar"},
+	{"foo", `2`, 2.0},
+	{"foo", `true`, true},
+	{"foo", `null`, nil},
+
+	{nil, `null`, nil},
+	{new(int), `null`, nil},
+	{(*int)(nil), `null`, nil},
+	{new(*int), `null`, new(*int)},
+	{(**int)(nil), `null`, nil},
+	{intp(1), `null`, nil},
+	{intpp(nil), `null`, intpp(nil)},
+	{intpp(intp(1)), `null`, intpp(nil)},
+}
+
+func TestInterfaceSet(t *testing.T) {
+	for _, tt := range interfaceSetTests {
+		b := struct{ X interface{} }{tt.pre}
+		blob := `{"X":` + tt.json + `}`
+		if err := Unmarshal([]byte(blob), &b); err != nil {
+			t.Errorf("Unmarshal %#q: %v", blob, err)
+			continue
+		}
+		if !reflect.DeepEqual(b.X, tt.post) {
+			t.Errorf("Unmarshal %#q into %#v: X=%#v, want %#v", blob, tt.pre, b.X, tt.post)
+		}
+	}
+}
+
+// JSON null values should be ignored for primitives and string values instead of resulting in an error.
+// Issue 2540
+func TestUnmarshalNulls(t *testing.T) {
+	jsonData := []byte(`{
+		"Bool"    : null,
+		"Int"     : null,
+		"Int8"    : null,
+		"Int16"   : null,
+		"Int32"   : null,
+		"Int64"   : null,
+		"Uint"    : null,
+		"Uint8"   : null,
+		"Uint16"  : null,
+		"Uint32"  : null,
+		"Uint64"  : null,
+		"Float32" : null,
+		"Float64" : null,
+		"String"  : null}`)
+
+	nulls := All{
+		Bool:    true,
+		Int:     2,
+		Int8:    3,
+		Int16:   4,
+		Int32:   5,
+		Int64:   6,
+		Uint:    7,
+		Uint8:   8,
+		Uint16:  9,
+		Uint32:  10,
+		Uint64:  11,
+		Float32: 12.1,
+		Float64: 13.1,
+		String:  "14"}
+
+	err := Unmarshal(jsonData, &nulls)
+	if err != nil {
+		t.Errorf("Unmarshal of null values failed: %v", err)
+	}
+	if !nulls.Bool || nulls.Int != 2 || nulls.Int8 != 3 || nulls.Int16 != 4 || nulls.Int32 != 5 || nulls.Int64 != 6 ||
+		nulls.Uint != 7 || nulls.Uint8 != 8 || nulls.Uint16 != 9 || nulls.Uint32 != 10 || nulls.Uint64 != 11 ||
+		nulls.Float32 != 12.1 || nulls.Float64 != 13.1 || nulls.String != "14" {
+
+		t.Errorf("Unmarshal of null values affected primitives")
+	}
+}
+
+func TestStringKind(t *testing.T) {
+	type stringKind string
+
+	var m1, m2 map[stringKind]int
+	m1 = map[stringKind]int{
+		"foo": 42,
+	}
+
+	data, err := Marshal(m1)
+	if err != nil {
+		t.Errorf("Unexpected error marshaling: %v", err)
+	}
+
+	err = Unmarshal(data, &m2)
+	if err != nil {
+		t.Errorf("Unexpected error unmarshaling: %v", err)
+	}
+
+	if !reflect.DeepEqual(m1, m2) {
+		t.Error("Items should be equal after encoding and then decoding")
+	}
+}
+
+// Custom types with []byte as underlying type could not be marshalled
+// and then unmarshalled.
+// Issue 8962.
+func TestByteKind(t *testing.T) {
+	type byteKind []byte
+
+	a := byteKind("hello")
+
+	data, err := Marshal(a)
+	if err != nil {
+		t.Error(err)
+	}
+	var b byteKind
+	err = Unmarshal(data, &b)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !reflect.DeepEqual(a, b) {
+		t.Errorf("expected %v == %v", a, b)
+	}
+}
+
+// The fix for issue 8962 introduced a regression.
+// Issue 12921.
+func TestSliceOfCustomByte(t *testing.T) {
+	type Uint8 uint8
+
+	a := []Uint8("hello")
+
+	data, err := Marshal(a)
+	if err != nil {
+		t.Fatal(err)
+	}
+	var b []Uint8
+	err = Unmarshal(data, &b)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !reflect.DeepEqual(a, b) {
+		t.Fatalf("expected %v == %v", a, b)
+	}
+}
+
+var decodeTypeErrorTests = []struct {
+	dest interface{}
+	src  string
+}{
+	{new(string), `{"user": "name"}`}, // issue 4628.
+	{new(error), `{}`},                // issue 4222
+	{new(error), `[]`},
+	{new(error), `""`},
+	{new(error), `123`},
+	{new(error), `true`},
+}
+
+func TestUnmarshalTypeError(t *testing.T) {
+	for _, item := range decodeTypeErrorTests {
+		err := Unmarshal([]byte(item.src), item.dest)
+		if _, ok := err.(*UnmarshalTypeError); !ok {
+			t.Errorf("expected type error for Unmarshal(%q, type %T): got %T",
+				item.src, item.dest, err)
+		}
+	}
+}
+
+var unmarshalSyntaxTests = []string{
+	"tru",
+	"fals",
+	"nul",
+	"123e",
+	`"hello`,
+	`[1,2,3`,
+	`{"key":1`,
+	`{"key":1,`,
+}
+
+func TestUnmarshalSyntax(t *testing.T) {
+	var x interface{}
+	for _, src := range unmarshalSyntaxTests {
+		err := Unmarshal([]byte(src), &x)
+		if _, ok := err.(*SyntaxError); !ok {
+			t.Errorf("expected syntax error for Unmarshal(%q): got %T", src, err)
+		}
+	}
+}
+
+// Test handling of unexported fields that should be ignored.
+// Issue 4660
+type unexportedFields struct {
+	Name string
+	m    map[string]interface{} `json:"-"`
+	m2   map[string]interface{} `json:"abcd"`
+}
+
+func TestUnmarshalUnexported(t *testing.T) {
+	input := `{"Name": "Bob", "m": {"x": 123}, "m2": {"y": 456}, "abcd": {"z": 789}}`
+	want := &unexportedFields{Name: "Bob"}
+
+	out := &unexportedFields{}
+	err := Unmarshal([]byte(input), out)
+	if err != nil {
+		t.Errorf("got error %v, expected nil", err)
+	}
+	if !reflect.DeepEqual(out, want) {
+		t.Errorf("got %q, want %q", out, want)
+	}
+}
+
+// Time3339 is a time.Time which encodes to and from JSON
+// as an RFC 3339 time in UTC.
+type Time3339 time.Time
+
+func (t *Time3339) UnmarshalJSON(b []byte) error {
+	if len(b) < 2 || b[0] != '"' || b[len(b)-1] != '"' {
+		return fmt.Errorf("types: failed to unmarshal non-string value %q as an RFC 3339 time", b)
+	}
+	tm, err := time.Parse(time.RFC3339, string(b[1:len(b)-1]))
+	if err != nil {
+		return err
+	}
+	*t = Time3339(tm)
+	return nil
+}
+
+func TestUnmarshalJSONLiteralError(t *testing.T) {
+	var t3 Time3339
+	err := Unmarshal([]byte(`"0000-00-00T00:00:00Z"`), &t3)
+	if err == nil {
+		t.Fatalf("expected error; got time %v", time.Time(t3))
+	}
+	if !strings.Contains(err.Error(), "range") {
+		t.Errorf("got err = %v; want out of range error", err)
+	}
+}
+
+// Test that extra object elements in an array do not result in a
+// "data changing underfoot" error.
+// Issue 3717
+func TestSkipArrayObjects(t *testing.T) {
+	json := `[{}]`
+	var dest [0]interface{}
+
+	err := Unmarshal([]byte(json), &dest)
+	if err != nil {
+		t.Errorf("got error %q, want nil", err)
+	}
+}
+
+// Test semantics of pre-filled struct fields and pre-filled map fields.
+// Issue 4900.
+func TestPrefilled(t *testing.T) {
+	ptrToMap := func(m map[string]interface{}) *map[string]interface{} { return &m }
+
+	// Values here change, cannot reuse table across runs.
+	var prefillTests = []struct {
+		in  string
+		ptr interface{}
+		out interface{}
+	}{
+		{
+			in:  `{"X": 1, "Y": 2}`,
+			ptr: &XYZ{X: float32(3), Y: int16(4), Z: 1.5},
+			out: &XYZ{X: float64(1), Y: float64(2), Z: 1.5},
+		},
+		{
+			in:  `{"X": 1, "Y": 2}`,
+			ptr: ptrToMap(map[string]interface{}{"X": float32(3), "Y": int16(4), "Z": 1.5}),
+			out: ptrToMap(map[string]interface{}{"X": float64(1), "Y": float64(2), "Z": 1.5}),
+		},
+	}
+
+	for _, tt := range prefillTests {
+		ptrstr := fmt.Sprintf("%v", tt.ptr)
+		err := Unmarshal([]byte(tt.in), tt.ptr) // tt.ptr edited here
+		if err != nil {
+			t.Errorf("Unmarshal: %v", err)
+		}
+		if !reflect.DeepEqual(tt.ptr, tt.out) {
+			t.Errorf("Unmarshal(%#q, %s): have %v, want %v", tt.in, ptrstr, tt.ptr, tt.out)
+		}
+	}
+}
+
+var invalidUnmarshalTests = []struct {
+	v    interface{}
+	want string
+}{
+	{nil, "json: Unmarshal(nil)"},
+	{struct{}{}, "json: Unmarshal(non-pointer struct {})"},
+	{(*int)(nil), "json: Unmarshal(nil *int)"},
+}
+
+func TestInvalidUnmarshal(t *testing.T) {
+	buf := []byte(`{"a":"1"}`)
+	for _, tt := range invalidUnmarshalTests {
+		err := Unmarshal(buf, tt.v)
+		if err == nil {
+			t.Errorf("Unmarshal expecting error, got nil")
+			continue
+		}
+		if got := err.Error(); got != tt.want {
+			t.Errorf("Unmarshal = %q; want %q", got, tt.want)
+		}
+	}
+}
+
+var invalidUnmarshalTextTests = []struct {
+	v    interface{}
+	want string
+}{
+	{nil, "json: Unmarshal(nil)"},
+	{struct{}{}, "json: Unmarshal(non-pointer struct {})"},
+	{(*int)(nil), "json: Unmarshal(nil *int)"},
+	{new(net.IP), "json: cannot unmarshal string into Go value of type *net.IP"},
+}
+
+func TestInvalidUnmarshalText(t *testing.T) {
+	buf := []byte(`123`)
+	for _, tt := range invalidUnmarshalTextTests {
+		err := Unmarshal(buf, tt.v)
+		if err == nil {
+			t.Errorf("Unmarshal expecting error, got nil")
+			continue
+		}
+		if got := err.Error(); got != tt.want {
+			t.Errorf("Unmarshal = %q; want %q", got, tt.want)
+		}
+	}
+}
+
+// Test that string option is ignored for invalid types.
+// Issue 9812.
+func TestInvalidStringOption(t *testing.T) {
+	num := 0
+	item := struct {
+		T time.Time         `json:",string"`
+		M map[string]string `json:",string"`
+		S []string          `json:",string"`
+		A [1]string         `json:",string"`
+		I interface{}       `json:",string"`
+		P *int              `json:",string"`
+	}{M: make(map[string]string), S: make([]string, 0), I: num, P: &num}
+
+	data, err := Marshal(item)
+	if err != nil {
+		t.Fatalf("Marshal: %v", err)
+	}
+
+	err = Unmarshal(data, &item)
+	if err != nil {
+		t.Fatalf("Unmarshal: %v", err)
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/encode.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/encode.go
new file mode 100644
index 000000000..1dae8bb7c
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/encode.go
@@ -0,0 +1,1197 @@
+// Copyright 2010 The Go Authors.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package json implements encoding and decoding of JSON objects as defined in
+// RFC 4627. The mapping between JSON objects and Go values is described
+// in the documentation for the Marshal and Unmarshal functions.
+//
+// See "JSON and Go" for an introduction to this package:
+// https://golang.org/doc/articles/json_and_go.html
+package json
+
+import (
+	"bytes"
+	"encoding"
+	"encoding/base64"
+	"fmt"
+	"math"
+	"reflect"
+	"runtime"
+	"sort"
+	"strconv"
+	"strings"
+	"sync"
+	"unicode"
+	"unicode/utf8"
+)
+
+// Marshal returns the JSON encoding of v.
+//
+// Marshal traverses the value v recursively.
+// If an encountered value implements the Marshaler interface
+// and is not a nil pointer, Marshal calls its MarshalJSON method
+// to produce JSON. If no MarshalJSON method is present but the
+// value implements encoding.TextMarshaler instead, Marshal calls
+// its MarshalText method.
+// The nil pointer exception is not strictly necessary
+// but mimics a similar, necessary exception in the behavior of
+// UnmarshalJSON.
+//
+// Otherwise, Marshal uses the following type-dependent default encodings:
+//
+// Boolean values encode as JSON booleans.
+//
+// Floating point, integer, and Number values encode as JSON numbers.
+//
+// String values encode as JSON strings coerced to valid UTF-8,
+// replacing invalid bytes with the Unicode replacement rune.
+// The angle brackets "<" and ">" are escaped to "\u003c" and "\u003e"
+// to keep some browsers from misinterpreting JSON output as HTML.
+// Ampersand "&" is also escaped to "\u0026" for the same reason.
+//
+// Array and slice values encode as JSON arrays, except that
+// []byte encodes as a base64-encoded string, and a nil slice
+// encodes as the null JSON object.
+//
+// Struct values encode as JSON objects. Each exported struct field
+// becomes a member of the object unless
+//   - the field's tag is "-", or
+//   - the field is empty and its tag specifies the "omitempty" option.
+// The empty values are false, 0, any
+// nil pointer or interface value, and any array, slice, map, or string of
+// length zero. The object's default key string is the struct field name
+// but can be specified in the struct field's tag value. The "json" key in
+// the struct field's tag value is the key name, followed by an optional comma
+// and options. Examples:
+//
+//   // Field is ignored by this package.
+//   Field int `json:"-"`
+//
+//   // Field appears in JSON as key "myName".
+//   Field int `json:"myName"`
+//
+//   // Field appears in JSON as key "myName" and
+//   // the field is omitted from the object if its value is empty,
+//   // as defined above.
+//   Field int `json:"myName,omitempty"`
+//
+//   // Field appears in JSON as key "Field" (the default), but
+//   // the field is skipped if empty.
+//   // Note the leading comma.
+//   Field int `json:",omitempty"`
+//
+// The "string" option signals that a field is stored as JSON inside a
+// JSON-encoded string. It applies only to fields of string, floating point,
+// integer, or boolean types. This extra level of encoding is sometimes used
+// when communicating with JavaScript programs:
+//
+//    Int64String int64 `json:",string"`
+//
+// The key name will be used if it's a non-empty string consisting of
+// only Unicode letters, digits, dollar signs, percent signs, hyphens,
+// underscores and slashes.
+//
+// Anonymous struct fields are usually marshaled as if their inner exported fields
+// were fields in the outer struct, subject to the usual Go visibility rules amended
+// as described in the next paragraph.
+// An anonymous struct field with a name given in its JSON tag is treated as
+// having that name, rather than being anonymous.
+// An anonymous struct field of interface type is treated the same as having
+// that type as its name, rather than being anonymous.
+//
+// The Go visibility rules for struct fields are amended for JSON when
+// deciding which field to marshal or unmarshal. If there are
+// multiple fields at the same level, and that level is the least
+// nested (and would therefore be the nesting level selected by the
+// usual Go rules), the following extra rules apply:
+//
+// 1) Of those fields, if any are JSON-tagged, only tagged fields are considered,
+// even if there are multiple untagged fields that would otherwise conflict.
+// 2) If there is exactly one field (tagged or not according to the first rule), that is selected.
+// 3) Otherwise there are multiple fields, and all are ignored; no error occurs.
+//
+// Handling of anonymous struct fields is new in Go 1.1.
+// Prior to Go 1.1, anonymous struct fields were ignored. To force ignoring of
+// an anonymous struct field in both current and earlier versions, give the field
+// a JSON tag of "-".
+//
+// Map values encode as JSON objects.
+// The map's key type must be string; the map keys are used as JSON object
+// keys, subject to the UTF-8 coercion described for string values above.
+//
+// Pointer values encode as the value pointed to.
+// A nil pointer encodes as the null JSON object.
+//
+// Interface values encode as the value contained in the interface.
+// A nil interface value encodes as the null JSON object.
+//
+// Channel, complex, and function values cannot be encoded in JSON.
+// Attempting to encode such a value causes Marshal to return
+// an UnsupportedTypeError.
+//
+// JSON cannot represent cyclic data structures and Marshal does not
+// handle them.  Passing cyclic structures to Marshal will result in
+// an infinite recursion.
+//
+func Marshal(v interface{}) ([]byte, error) {
+	e := &encodeState{}
+	err := e.marshal(v)
+	if err != nil {
+		return nil, err
+	}
+	return e.Bytes(), nil
+}
+
+// MarshalIndent is like Marshal but applies Indent to format the output.
+func MarshalIndent(v interface{}, prefix, indent string) ([]byte, error) {
+	b, err := Marshal(v)
+	if err != nil {
+		return nil, err
+	}
+	var buf bytes.Buffer
+	err = Indent(&buf, b, prefix, indent)
+	if err != nil {
+		return nil, err
+	}
+	return buf.Bytes(), nil
+}
+
+// HTMLEscape appends to dst the JSON-encoded src with <, >, &, U+2028 and U+2029
+// characters inside string literals changed to \u003c, \u003e, \u0026, \u2028, \u2029
+// so that the JSON will be safe to embed inside HTML <script> tags.
+// For historical reasons, web browsers don't honor standard HTML
+// escaping within <script> tags, so an alternative JSON encoding must
+// be used.
+func HTMLEscape(dst *bytes.Buffer, src []byte) {
+	// The characters can only appear in string literals,
+	// so just scan the string one byte at a time.
+	start := 0
+	for i, c := range src {
+		if c == '<' || c == '>' || c == '&' {
+			if start < i {
+				dst.Write(src[start:i])
+			}
+			dst.WriteString(`\u00`)
+			dst.WriteByte(hex[c>>4])
+			dst.WriteByte(hex[c&0xF])
+			start = i + 1
+		}
+		// Convert U+2028 and U+2029 (E2 80 A8 and E2 80 A9).
+		if c == 0xE2 && i+2 < len(src) && src[i+1] == 0x80 && src[i+2]&^1 == 0xA8 {
+			if start < i {
+				dst.Write(src[start:i])
+			}
+			dst.WriteString(`\u202`)
+			dst.WriteByte(hex[src[i+2]&0xF])
+			start = i + 3
+		}
+	}
+	if start < len(src) {
+		dst.Write(src[start:])
+	}
+}
+
+// Marshaler is the interface implemented by objects that
+// can marshal themselves into valid JSON.
+type Marshaler interface {
+	MarshalJSON() ([]byte, error)
+}
+
+// An UnsupportedTypeError is returned by Marshal when attempting
+// to encode an unsupported value type.
+type UnsupportedTypeError struct {
+	Type reflect.Type
+}
+
+func (e *UnsupportedTypeError) Error() string {
+	return "json: unsupported type: " + e.Type.String()
+}
+
+type UnsupportedValueError struct {
+	Value reflect.Value
+	Str   string
+}
+
+func (e *UnsupportedValueError) Error() string {
+	return "json: unsupported value: " + e.Str
+}
+
+// Before Go 1.2, an InvalidUTF8Error was returned by Marshal when
+// attempting to encode a string value with invalid UTF-8 sequences.
+// As of Go 1.2, Marshal instead coerces the string to valid UTF-8 by
+// replacing invalid bytes with the Unicode replacement rune U+FFFD.
+// This error is no longer generated but is kept for backwards compatibility
+// with programs that might mention it.
+type InvalidUTF8Error struct {
+	S string // the whole string value that caused the error
+}
+
+func (e *InvalidUTF8Error) Error() string {
+	return "json: invalid UTF-8 in string: " + strconv.Quote(e.S)
+}
+
+type MarshalerError struct {
+	Type reflect.Type
+	Err  error
+}
+
+func (e *MarshalerError) Error() string {
+	return "json: error calling MarshalJSON for type " + e.Type.String() + ": " + e.Err.Error()
+}
+
+var hex = "0123456789abcdef"
+
+// An encodeState encodes JSON into a bytes.Buffer.
+type encodeState struct {
+	bytes.Buffer // accumulated output
+	scratch      [64]byte
+}
+
+var encodeStatePool sync.Pool
+
+func newEncodeState() *encodeState {
+	if v := encodeStatePool.Get(); v != nil {
+		e := v.(*encodeState)
+		e.Reset()
+		return e
+	}
+	return new(encodeState)
+}
+
+func (e *encodeState) marshal(v interface{}) (err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			if _, ok := r.(runtime.Error); ok {
+				panic(r)
+			}
+			if s, ok := r.(string); ok {
+				panic(s)
+			}
+			err = r.(error)
+		}
+	}()
+	e.reflectValue(reflect.ValueOf(v))
+	return nil
+}
+
+func (e *encodeState) error(err error) {
+	panic(err)
+}
+
+func isEmptyValue(v reflect.Value) bool {
+	switch v.Kind() {
+	case reflect.Array, reflect.Map, reflect.Slice, reflect.String:
+		return v.Len() == 0
+	case reflect.Bool:
+		return !v.Bool()
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		return v.Int() == 0
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
+		return v.Uint() == 0
+	case reflect.Float32, reflect.Float64:
+		return v.Float() == 0
+	case reflect.Interface, reflect.Ptr:
+		return v.IsNil()
+	}
+	return false
+}
+
+func (e *encodeState) reflectValue(v reflect.Value) {
+	valueEncoder(v)(e, v, false)
+}
+
+type encoderFunc func(e *encodeState, v reflect.Value, quoted bool)
+
+var encoderCache struct {
+	sync.RWMutex
+	m map[reflect.Type]encoderFunc
+}
+
+func valueEncoder(v reflect.Value) encoderFunc {
+	if !v.IsValid() {
+		return invalidValueEncoder
+	}
+	return typeEncoder(v.Type())
+}
+
+func typeEncoder(t reflect.Type) encoderFunc {
+	encoderCache.RLock()
+	f := encoderCache.m[t]
+	encoderCache.RUnlock()
+	if f != nil {
+		return f
+	}
+
+	// To deal with recursive types, populate the map with an
+	// indirect func before we build it. This type waits on the
+	// real func (f) to be ready and then calls it.  This indirect
+	// func is only used for recursive types.
+	encoderCache.Lock()
+	if encoderCache.m == nil {
+		encoderCache.m = make(map[reflect.Type]encoderFunc)
+	}
+	var wg sync.WaitGroup
+	wg.Add(1)
+	encoderCache.m[t] = func(e *encodeState, v reflect.Value, quoted bool) {
+		wg.Wait()
+		f(e, v, quoted)
+	}
+	encoderCache.Unlock()
+
+	// Compute fields without lock.
+	// Might duplicate effort but won't hold other computations back.
+	f = newTypeEncoder(t, true)
+	wg.Done()
+	encoderCache.Lock()
+	encoderCache.m[t] = f
+	encoderCache.Unlock()
+	return f
+}
+
+var (
+	marshalerType     = reflect.TypeOf(new(Marshaler)).Elem()
+	textMarshalerType = reflect.TypeOf(new(encoding.TextMarshaler)).Elem()
+)
+
+// newTypeEncoder constructs an encoderFunc for a type.
+// The returned encoder only checks CanAddr when allowAddr is true.
+func newTypeEncoder(t reflect.Type, allowAddr bool) encoderFunc {
+	if t.Implements(marshalerType) {
+		return marshalerEncoder
+	}
+	if t.Kind() != reflect.Ptr && allowAddr {
+		if reflect.PtrTo(t).Implements(marshalerType) {
+			return newCondAddrEncoder(addrMarshalerEncoder, newTypeEncoder(t, false))
+		}
+	}
+
+	if t.Implements(textMarshalerType) {
+		return textMarshalerEncoder
+	}
+	if t.Kind() != reflect.Ptr && allowAddr {
+		if reflect.PtrTo(t).Implements(textMarshalerType) {
+			return newCondAddrEncoder(addrTextMarshalerEncoder, newTypeEncoder(t, false))
+		}
+	}
+
+	switch t.Kind() {
+	case reflect.Bool:
+		return boolEncoder
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		return intEncoder
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
+		return uintEncoder
+	case reflect.Float32:
+		return float32Encoder
+	case reflect.Float64:
+		return float64Encoder
+	case reflect.String:
+		return stringEncoder
+	case reflect.Interface:
+		return interfaceEncoder
+	case reflect.Struct:
+		return newStructEncoder(t)
+	case reflect.Map:
+		return newMapEncoder(t)
+	case reflect.Slice:
+		return newSliceEncoder(t)
+	case reflect.Array:
+		return newArrayEncoder(t)
+	case reflect.Ptr:
+		return newPtrEncoder(t)
+	default:
+		return unsupportedTypeEncoder
+	}
+}
+
+func invalidValueEncoder(e *encodeState, v reflect.Value, quoted bool) {
+	e.WriteString("null")
+}
+
+func marshalerEncoder(e *encodeState, v reflect.Value, quoted bool) {
+	if v.Kind() == reflect.Ptr && v.IsNil() {
+		e.WriteString("null")
+		return
+	}
+	m := v.Interface().(Marshaler)
+	b, err := m.MarshalJSON()
+	if err == nil {
+		// copy JSON into buffer, checking validity.
+		err = compact(&e.Buffer, b, true)
+	}
+	if err != nil {
+		e.error(&MarshalerError{v.Type(), err})
+	}
+}
+
+func addrMarshalerEncoder(e *encodeState, v reflect.Value, quoted bool) {
+	va := v.Addr()
+	if va.IsNil() {
+		e.WriteString("null")
+		return
+	}
+	m := va.Interface().(Marshaler)
+	b, err := m.MarshalJSON()
+	if err == nil {
+		// copy JSON into buffer, checking validity.
+		err = compact(&e.Buffer, b, true)
+	}
+	if err != nil {
+		e.error(&MarshalerError{v.Type(), err})
+	}
+}
+
+func textMarshalerEncoder(e *encodeState, v reflect.Value, quoted bool) {
+	if v.Kind() == reflect.Ptr && v.IsNil() {
+		e.WriteString("null")
+		return
+	}
+	m := v.Interface().(encoding.TextMarshaler)
+	b, err := m.MarshalText()
+	if err != nil {
+		e.error(&MarshalerError{v.Type(), err})
+	}
+	e.stringBytes(b)
+}
+
+func addrTextMarshalerEncoder(e *encodeState, v reflect.Value, quoted bool) {
+	va := v.Addr()
+	if va.IsNil() {
+		e.WriteString("null")
+		return
+	}
+	m := va.Interface().(encoding.TextMarshaler)
+	b, err := m.MarshalText()
+	if err != nil {
+		e.error(&MarshalerError{v.Type(), err})
+	}
+	e.stringBytes(b)
+}
+
+func boolEncoder(e *encodeState, v reflect.Value, quoted bool) {
+	if quoted {
+		e.WriteByte('"')
+	}
+	if v.Bool() {
+		e.WriteString("true")
+	} else {
+		e.WriteString("false")
+	}
+	if quoted {
+		e.WriteByte('"')
+	}
+}
+
+func intEncoder(e *encodeState, v reflect.Value, quoted bool) {
+	b := strconv.AppendInt(e.scratch[:0], v.Int(), 10)
+	if quoted {
+		e.WriteByte('"')
+	}
+	e.Write(b)
+	if quoted {
+		e.WriteByte('"')
+	}
+}
+
+func uintEncoder(e *encodeState, v reflect.Value, quoted bool) {
+	b := strconv.AppendUint(e.scratch[:0], v.Uint(), 10)
+	if quoted {
+		e.WriteByte('"')
+	}
+	e.Write(b)
+	if quoted {
+		e.WriteByte('"')
+	}
+}
+
+type floatEncoder int // number of bits
+
+func (bits floatEncoder) encode(e *encodeState, v reflect.Value, quoted bool) {
+	f := v.Float()
+	if math.IsInf(f, 0) || math.IsNaN(f) {
+		e.error(&UnsupportedValueError{v, strconv.FormatFloat(f, 'g', -1, int(bits))})
+	}
+	b := strconv.AppendFloat(e.scratch[:0], f, 'g', -1, int(bits))
+	if quoted {
+		e.WriteByte('"')
+	}
+	e.Write(b)
+	if quoted {
+		e.WriteByte('"')
+	}
+}
+
+var (
+	float32Encoder = (floatEncoder(32)).encode
+	float64Encoder = (floatEncoder(64)).encode
+)
+
+func stringEncoder(e *encodeState, v reflect.Value, quoted bool) {
+	if v.Type() == numberType {
+		numStr := v.String()
+		// In Go1.5 the empty string encodes to "0", while this is not a valid number literal
+		// we keep compatibility so check validity after this.
+		if numStr == "" {
+			numStr = "0" // Number's zero-val
+		}
+		if !isValidNumber(numStr) {
+			e.error(fmt.Errorf("json: invalid number literal %q", numStr))
+		}
+		e.WriteString(numStr)
+		return
+	}
+	if quoted {
+		sb, err := Marshal(v.String())
+		if err != nil {
+			e.error(err)
+		}
+		e.string(string(sb))
+	} else {
+		e.string(v.String())
+	}
+}
+
+func interfaceEncoder(e *encodeState, v reflect.Value, quoted bool) {
+	if v.IsNil() {
+		e.WriteString("null")
+		return
+	}
+	e.reflectValue(v.Elem())
+}
+
+func unsupportedTypeEncoder(e *encodeState, v reflect.Value, quoted bool) {
+	e.error(&UnsupportedTypeError{v.Type()})
+}
+
+type structEncoder struct {
+	fields    []field
+	fieldEncs []encoderFunc
+}
+
+func (se *structEncoder) encode(e *encodeState, v reflect.Value, quoted bool) {
+	e.WriteByte('{')
+	first := true
+	for i, f := range se.fields {
+		fv := fieldByIndex(v, f.index)
+		if !fv.IsValid() || f.omitEmpty && isEmptyValue(fv) {
+			continue
+		}
+		if first {
+			first = false
+		} else {
+			e.WriteByte(',')
+		}
+		e.string(f.name)
+		e.WriteByte(':')
+		se.fieldEncs[i](e, fv, f.quoted)
+	}
+	e.WriteByte('}')
+}
+
+func newStructEncoder(t reflect.Type) encoderFunc {
+	fields := cachedTypeFields(t)
+	se := &structEncoder{
+		fields:    fields,
+		fieldEncs: make([]encoderFunc, len(fields)),
+	}
+	for i, f := range fields {
+		se.fieldEncs[i] = typeEncoder(typeByIndex(t, f.index))
+	}
+	return se.encode
+}
+
+type mapEncoder struct {
+	elemEnc encoderFunc
+}
+
+func (me *mapEncoder) encode(e *encodeState, v reflect.Value, _ bool) {
+	if v.IsNil() {
+		e.WriteString("null")
+		return
+	}
+	e.WriteByte('{')
+	var sv stringValues = v.MapKeys()
+	sort.Sort(sv)
+	for i, k := range sv {
+		if i > 0 {
+			e.WriteByte(',')
+		}
+		e.string(k.String())
+		e.WriteByte(':')
+		me.elemEnc(e, v.MapIndex(k), false)
+	}
+	e.WriteByte('}')
+}
+
+func newMapEncoder(t reflect.Type) encoderFunc {
+	if t.Key().Kind() != reflect.String {
+		return unsupportedTypeEncoder
+	}
+	me := &mapEncoder{typeEncoder(t.Elem())}
+	return me.encode
+}
+
+func encodeByteSlice(e *encodeState, v reflect.Value, _ bool) {
+	if v.IsNil() {
+		e.WriteString("null")
+		return
+	}
+	s := v.Bytes()
+	e.WriteByte('"')
+	if len(s) < 1024 {
+		// for small buffers, using Encode directly is much faster.
+		dst := make([]byte, base64.StdEncoding.EncodedLen(len(s)))
+		base64.StdEncoding.Encode(dst, s)
+		e.Write(dst)
+	} else {
+		// for large buffers, avoid unnecessary extra temporary
+		// buffer space.
+		enc := base64.NewEncoder(base64.StdEncoding, e)
+		enc.Write(s)
+		enc.Close()
+	}
+	e.WriteByte('"')
+}
+
+// sliceEncoder just wraps an arrayEncoder, checking to make sure the value isn't nil.
+type sliceEncoder struct {
+	arrayEnc encoderFunc
+}
+
+func (se *sliceEncoder) encode(e *encodeState, v reflect.Value, _ bool) {
+	if v.IsNil() {
+		e.WriteString("null")
+		return
+	}
+	se.arrayEnc(e, v, false)
+}
+
+func newSliceEncoder(t reflect.Type) encoderFunc {
+	// Byte slices get special treatment; arrays don't.
+	if t.Elem().Kind() == reflect.Uint8 {
+		return encodeByteSlice
+	}
+	enc := &sliceEncoder{newArrayEncoder(t)}
+	return enc.encode
+}
+
+type arrayEncoder struct {
+	elemEnc encoderFunc
+}
+
+func (ae *arrayEncoder) encode(e *encodeState, v reflect.Value, _ bool) {
+	e.WriteByte('[')
+	n := v.Len()
+	for i := 0; i < n; i++ {
+		if i > 0 {
+			e.WriteByte(',')
+		}
+		ae.elemEnc(e, v.Index(i), false)
+	}
+	e.WriteByte(']')
+}
+
+func newArrayEncoder(t reflect.Type) encoderFunc {
+	enc := &arrayEncoder{typeEncoder(t.Elem())}
+	return enc.encode
+}
+
+type ptrEncoder struct {
+	elemEnc encoderFunc
+}
+
+func (pe *ptrEncoder) encode(e *encodeState, v reflect.Value, quoted bool) {
+	if v.IsNil() {
+		e.WriteString("null")
+		return
+	}
+	pe.elemEnc(e, v.Elem(), quoted)
+}
+
+func newPtrEncoder(t reflect.Type) encoderFunc {
+	enc := &ptrEncoder{typeEncoder(t.Elem())}
+	return enc.encode
+}
+
+type condAddrEncoder struct {
+	canAddrEnc, elseEnc encoderFunc
+}
+
+func (ce *condAddrEncoder) encode(e *encodeState, v reflect.Value, quoted bool) {
+	if v.CanAddr() {
+		ce.canAddrEnc(e, v, quoted)
+	} else {
+		ce.elseEnc(e, v, quoted)
+	}
+}
+
+// newCondAddrEncoder returns an encoder that checks whether its value
+// CanAddr and delegates to canAddrEnc if so, else to elseEnc.
+func newCondAddrEncoder(canAddrEnc, elseEnc encoderFunc) encoderFunc {
+	enc := &condAddrEncoder{canAddrEnc: canAddrEnc, elseEnc: elseEnc}
+	return enc.encode
+}
+
+func isValidTag(s string) bool {
+	if s == "" {
+		return false
+	}
+	for _, c := range s {
+		switch {
+		case strings.ContainsRune("!#$%&()*+-./:<=>?@[]^_{|}~ ", c):
+			// Backslash and quote chars are reserved, but
+			// otherwise any punctuation chars are allowed
+			// in a tag name.
+		default:
+			if !unicode.IsLetter(c) && !unicode.IsDigit(c) {
+				return false
+			}
+		}
+	}
+	return true
+}
+
+func fieldByIndex(v reflect.Value, index []int) reflect.Value {
+	for _, i := range index {
+		if v.Kind() == reflect.Ptr {
+			if v.IsNil() {
+				return reflect.Value{}
+			}
+			v = v.Elem()
+		}
+		v = v.Field(i)
+	}
+	return v
+}
+
+func typeByIndex(t reflect.Type, index []int) reflect.Type {
+	for _, i := range index {
+		if t.Kind() == reflect.Ptr {
+			t = t.Elem()
+		}
+		t = t.Field(i).Type
+	}
+	return t
+}
+
+// stringValues is a slice of reflect.Value holding *reflect.StringValue.
+// It implements the methods to sort by string.
+type stringValues []reflect.Value
+
+func (sv stringValues) Len() int           { return len(sv) }
+func (sv stringValues) Swap(i, j int)      { sv[i], sv[j] = sv[j], sv[i] }
+func (sv stringValues) Less(i, j int) bool { return sv.get(i) < sv.get(j) }
+func (sv stringValues) get(i int) string   { return sv[i].String() }
+
+// NOTE: keep in sync with stringBytes below.
+func (e *encodeState) string(s string) int {
+	len0 := e.Len()
+	e.WriteByte('"')
+	start := 0
+	for i := 0; i < len(s); {
+		if b := s[i]; b < utf8.RuneSelf {
+			if 0x20 <= b && b != '\\' && b != '"' && b != '<' && b != '>' && b != '&' {
+				i++
+				continue
+			}
+			if start < i {
+				e.WriteString(s[start:i])
+			}
+			switch b {
+			case '\\', '"':
+				e.WriteByte('\\')
+				e.WriteByte(b)
+			case '\n':
+				e.WriteByte('\\')
+				e.WriteByte('n')
+			case '\r':
+				e.WriteByte('\\')
+				e.WriteByte('r')
+			case '\t':
+				e.WriteByte('\\')
+				e.WriteByte('t')
+			default:
+				// This encodes bytes < 0x20 except for \n and \r,
+				// as well as <, > and &. The latter are escaped because they
+				// can lead to security holes when user-controlled strings
+				// are rendered into JSON and served to some browsers.
+				e.WriteString(`\u00`)
+				e.WriteByte(hex[b>>4])
+				e.WriteByte(hex[b&0xF])
+			}
+			i++
+			start = i
+			continue
+		}
+		c, size := utf8.DecodeRuneInString(s[i:])
+		if c == utf8.RuneError && size == 1 {
+			if start < i {
+				e.WriteString(s[start:i])
+			}
+			e.WriteString(`\ufffd`)
+			i += size
+			start = i
+			continue
+		}
+		// U+2028 is LINE SEPARATOR.
+		// U+2029 is PARAGRAPH SEPARATOR.
+		// They are both technically valid characters in JSON strings,
+		// but don't work in JSONP, which has to be evaluated as JavaScript,
+		// and can lead to security holes there. It is valid JSON to
+		// escape them, so we do so unconditionally.
+		// See http://timelessrepo.com/json-isnt-a-javascript-subset for discussion.
+		if c == '\u2028' || c == '\u2029' {
+			if start < i {
+				e.WriteString(s[start:i])
+			}
+			e.WriteString(`\u202`)
+			e.WriteByte(hex[c&0xF])
+			i += size
+			start = i
+			continue
+		}
+		i += size
+	}
+	if start < len(s) {
+		e.WriteString(s[start:])
+	}
+	e.WriteByte('"')
+	return e.Len() - len0
+}
+
+// NOTE: keep in sync with string above.
+func (e *encodeState) stringBytes(s []byte) int {
+	len0 := e.Len()
+	e.WriteByte('"')
+	start := 0
+	for i := 0; i < len(s); {
+		if b := s[i]; b < utf8.RuneSelf {
+			if 0x20 <= b && b != '\\' && b != '"' && b != '<' && b != '>' && b != '&' {
+				i++
+				continue
+			}
+			if start < i {
+				e.Write(s[start:i])
+			}
+			switch b {
+			case '\\', '"':
+				e.WriteByte('\\')
+				e.WriteByte(b)
+			case '\n':
+				e.WriteByte('\\')
+				e.WriteByte('n')
+			case '\r':
+				e.WriteByte('\\')
+				e.WriteByte('r')
+			case '\t':
+				e.WriteByte('\\')
+				e.WriteByte('t')
+			default:
+				// This encodes bytes < 0x20 except for \n and \r,
+				// as well as <, >, and &. The latter are escaped because they
+				// can lead to security holes when user-controlled strings
+				// are rendered into JSON and served to some browsers.
+				e.WriteString(`\u00`)
+				e.WriteByte(hex[b>>4])
+				e.WriteByte(hex[b&0xF])
+			}
+			i++
+			start = i
+			continue
+		}
+		c, size := utf8.DecodeRune(s[i:])
+		if c == utf8.RuneError && size == 1 {
+			if start < i {
+				e.Write(s[start:i])
+			}
+			e.WriteString(`\ufffd`)
+			i += size
+			start = i
+			continue
+		}
+		// U+2028 is LINE SEPARATOR.
+		// U+2029 is PARAGRAPH SEPARATOR.
+		// They are both technically valid characters in JSON strings,
+		// but don't work in JSONP, which has to be evaluated as JavaScript,
+		// and can lead to security holes there. It is valid JSON to
+		// escape them, so we do so unconditionally.
+		// See http://timelessrepo.com/json-isnt-a-javascript-subset for discussion.
+		if c == '\u2028' || c == '\u2029' {
+			if start < i {
+				e.Write(s[start:i])
+			}
+			e.WriteString(`\u202`)
+			e.WriteByte(hex[c&0xF])
+			i += size
+			start = i
+			continue
+		}
+		i += size
+	}
+	if start < len(s) {
+		e.Write(s[start:])
+	}
+	e.WriteByte('"')
+	return e.Len() - len0
+}
+
+// A field represents a single field found in a struct.
+type field struct {
+	name      string
+	nameBytes []byte // []byte(name)
+
+	tag       bool
+	index     []int
+	typ       reflect.Type
+	omitEmpty bool
+	quoted    bool
+}
+
+func fillField(f field) field {
+	f.nameBytes = []byte(f.name)
+	return f
+}
+
+// byName sorts field by name, breaking ties with depth,
+// then breaking ties with "name came from json tag", then
+// breaking ties with index sequence.
+type byName []field
+
+func (x byName) Len() int { return len(x) }
+
+func (x byName) Swap(i, j int) { x[i], x[j] = x[j], x[i] }
+
+func (x byName) Less(i, j int) bool {
+	if x[i].name != x[j].name {
+		return x[i].name < x[j].name
+	}
+	if len(x[i].index) != len(x[j].index) {
+		return len(x[i].index) < len(x[j].index)
+	}
+	if x[i].tag != x[j].tag {
+		return x[i].tag
+	}
+	return byIndex(x).Less(i, j)
+}
+
+// byIndex sorts field by index sequence.
+type byIndex []field
+
+func (x byIndex) Len() int { return len(x) }
+
+func (x byIndex) Swap(i, j int) { x[i], x[j] = x[j], x[i] }
+
+func (x byIndex) Less(i, j int) bool {
+	for k, xik := range x[i].index {
+		if k >= len(x[j].index) {
+			return false
+		}
+		if xik != x[j].index[k] {
+			return xik < x[j].index[k]
+		}
+	}
+	return len(x[i].index) < len(x[j].index)
+}
+
+// typeFields returns a list of fields that JSON should recognize for the given type.
+// The algorithm is breadth-first search over the set of structs to include - the top struct
+// and then any reachable anonymous structs.
+func typeFields(t reflect.Type) []field {
+	// Anonymous fields to explore at the current level and the next.
+	current := []field{}
+	next := []field{{typ: t}}
+
+	// Count of queued names for current level and the next.
+	count := map[reflect.Type]int{}
+	nextCount := map[reflect.Type]int{}
+
+	// Types already visited at an earlier level.
+	visited := map[reflect.Type]bool{}
+
+	// Fields found.
+	var fields []field
+
+	for len(next) > 0 {
+		current, next = next, current[:0]
+		count, nextCount = nextCount, map[reflect.Type]int{}
+
+		for _, f := range current {
+			if visited[f.typ] {
+				continue
+			}
+			visited[f.typ] = true
+
+			// Scan f.typ for fields to include.
+			for i := 0; i < f.typ.NumField(); i++ {
+				sf := f.typ.Field(i)
+				if sf.PkgPath != "" && !sf.Anonymous { // unexported
+					continue
+				}
+				tag := sf.Tag.Get("json")
+				if tag == "-" {
+					continue
+				}
+				name, opts := parseTag(tag)
+				if !isValidTag(name) {
+					name = ""
+				}
+				index := make([]int, len(f.index)+1)
+				copy(index, f.index)
+				index[len(f.index)] = i
+
+				ft := sf.Type
+				if ft.Name() == "" && ft.Kind() == reflect.Ptr {
+					// Follow pointer.
+					ft = ft.Elem()
+				}
+
+				// Only strings, floats, integers, and booleans can be quoted.
+				quoted := false
+				if opts.Contains("string") {
+					switch ft.Kind() {
+					case reflect.Bool,
+						reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64,
+						reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64,
+						reflect.Float32, reflect.Float64,
+						reflect.String:
+						quoted = true
+					}
+				}
+
+				// Record found field and index sequence.
+				if name != "" || !sf.Anonymous || ft.Kind() != reflect.Struct {
+					tagged := name != ""
+					if name == "" {
+						name = sf.Name
+					}
+					fields = append(fields, fillField(field{
+						name:      name,
+						tag:       tagged,
+						index:     index,
+						typ:       ft,
+						omitEmpty: opts.Contains("omitempty"),
+						quoted:    quoted,
+					}))
+					if count[f.typ] > 1 {
+						// If there were multiple instances, add a second,
+						// so that the annihilation code will see a duplicate.
+						// It only cares about the distinction between 1 or 2,
+						// so don't bother generating any more copies.
+						fields = append(fields, fields[len(fields)-1])
+					}
+					continue
+				}
+
+				// Record new anonymous struct to explore in next round.
+				nextCount[ft]++
+				if nextCount[ft] == 1 {
+					next = append(next, fillField(field{name: ft.Name(), index: index, typ: ft}))
+				}
+			}
+		}
+	}
+
+	sort.Sort(byName(fields))
+
+	// Delete all fields that are hidden by the Go rules for embedded fields,
+	// except that fields with JSON tags are promoted.
+
+	// The fields are sorted in primary order of name, secondary order
+	// of field index length. Loop over names; for each name, delete
+	// hidden fields by choosing the one dominant field that survives.
+	out := fields[:0]
+	for advance, i := 0, 0; i < len(fields); i += advance {
+		// One iteration per name.
+		// Find the sequence of fields with the name of this first field.
+		fi := fields[i]
+		name := fi.name
+		for advance = 1; i+advance < len(fields); advance++ {
+			fj := fields[i+advance]
+			if fj.name != name {
+				break
+			}
+		}
+		if advance == 1 { // Only one field with this name
+			out = append(out, fi)
+			continue
+		}
+		dominant, ok := dominantField(fields[i : i+advance])
+		if ok {
+			out = append(out, dominant)
+		}
+	}
+
+	fields = out
+	sort.Sort(byIndex(fields))
+
+	return fields
+}
+
+// dominantField looks through the fields, all of which are known to
+// have the same name, to find the single field that dominates the
+// others using Go's embedding rules, modified by the presence of
+// JSON tags. If there are multiple top-level fields, the boolean
+// will be false: This condition is an error in Go and we skip all
+// the fields.
+func dominantField(fields []field) (field, bool) {
+	// The fields are sorted in increasing index-length order. The winner
+	// must therefore be one with the shortest index length. Drop all
+	// longer entries, which is easy: just truncate the slice.
+	length := len(fields[0].index)
+	tagged := -1 // Index of first tagged field.
+	for i, f := range fields {
+		if len(f.index) > length {
+			fields = fields[:i]
+			break
+		}
+		if f.tag {
+			if tagged >= 0 {
+				// Multiple tagged fields at the same level: conflict.
+				// Return no field.
+				return field{}, false
+			}
+			tagged = i
+		}
+	}
+	if tagged >= 0 {
+		return fields[tagged], true
+	}
+	// All remaining fields have the same length. If there's more than one,
+	// we have a conflict (two fields named "X" at the same level) and we
+	// return no field.
+	if len(fields) > 1 {
+		return field{}, false
+	}
+	return fields[0], true
+}
+
+var fieldCache struct {
+	sync.RWMutex
+	m map[reflect.Type][]field
+}
+
+// cachedTypeFields is like typeFields but uses a cache to avoid repeated work.
+func cachedTypeFields(t reflect.Type) []field {
+	fieldCache.RLock()
+	f := fieldCache.m[t]
+	fieldCache.RUnlock()
+	if f != nil {
+		return f
+	}
+
+	// Compute fields without lock.
+	// Might duplicate effort but won't hold other computations back.
+	f = typeFields(t)
+	if f == nil {
+		f = []field{}
+	}
+
+	fieldCache.Lock()
+	if fieldCache.m == nil {
+		fieldCache.m = map[reflect.Type][]field{}
+	}
+	fieldCache.m[t] = f
+	fieldCache.Unlock()
+	return f
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/encode_test.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/encode_test.go
new file mode 100644
index 000000000..c00491e00
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/encode_test.go
@@ -0,0 +1,538 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+import (
+	"bytes"
+	"math"
+	"reflect"
+	"testing"
+	"unicode"
+)
+
+type Optionals struct {
+	Sr string `json:"sr"`
+	So string `json:"so,omitempty"`
+	Sw string `json:"-"`
+
+	Ir int `json:"omitempty"` // actually named omitempty, not an option
+	Io int `json:"io,omitempty"`
+
+	Slr []string `json:"slr,random"`
+	Slo []string `json:"slo,omitempty"`
+
+	Mr map[string]interface{} `json:"mr"`
+	Mo map[string]interface{} `json:",omitempty"`
+
+	Fr float64 `json:"fr"`
+	Fo float64 `json:"fo,omitempty"`
+
+	Br bool `json:"br"`
+	Bo bool `json:"bo,omitempty"`
+
+	Ur uint `json:"ur"`
+	Uo uint `json:"uo,omitempty"`
+
+	Str struct{} `json:"str"`
+	Sto struct{} `json:"sto,omitempty"`
+}
+
+var optionalsExpected = `{
+ "sr": "",
+ "omitempty": 0,
+ "slr": null,
+ "mr": {},
+ "fr": 0,
+ "br": false,
+ "ur": 0,
+ "str": {},
+ "sto": {}
+}`
+
+func TestOmitEmpty(t *testing.T) {
+	var o Optionals
+	o.Sw = "something"
+	o.Mr = map[string]interface{}{}
+	o.Mo = map[string]interface{}{}
+
+	got, err := MarshalIndent(&o, "", " ")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if got := string(got); got != optionalsExpected {
+		t.Errorf(" got: %s\nwant: %s\n", got, optionalsExpected)
+	}
+}
+
+type StringTag struct {
+	BoolStr bool   `json:",string"`
+	IntStr  int64  `json:",string"`
+	StrStr  string `json:",string"`
+}
+
+var stringTagExpected = `{
+ "BoolStr": "true",
+ "IntStr": "42",
+ "StrStr": "\"xzbit\""
+}`
+
+func TestStringTag(t *testing.T) {
+	var s StringTag
+	s.BoolStr = true
+	s.IntStr = 42
+	s.StrStr = "xzbit"
+	got, err := MarshalIndent(&s, "", " ")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if got := string(got); got != stringTagExpected {
+		t.Fatalf(" got: %s\nwant: %s\n", got, stringTagExpected)
+	}
+
+	// Verify that it round-trips.
+	var s2 StringTag
+	err = NewDecoder(bytes.NewReader(got)).Decode(&s2)
+	if err != nil {
+		t.Fatalf("Decode: %v", err)
+	}
+	if !reflect.DeepEqual(s, s2) {
+		t.Fatalf("decode didn't match.\nsource: %#v\nEncoded as:\n%s\ndecode: %#v", s, string(got), s2)
+	}
+}
+
+// byte slices are special even if they're renamed types.
+type renamedByte byte
+type renamedByteSlice []byte
+type renamedRenamedByteSlice []renamedByte
+
+func TestEncodeRenamedByteSlice(t *testing.T) {
+	s := renamedByteSlice("abc")
+	result, err := Marshal(s)
+	if err != nil {
+		t.Fatal(err)
+	}
+	expect := `"YWJj"`
+	if string(result) != expect {
+		t.Errorf(" got %s want %s", result, expect)
+	}
+	r := renamedRenamedByteSlice("abc")
+	result, err = Marshal(r)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if string(result) != expect {
+		t.Errorf(" got %s want %s", result, expect)
+	}
+}
+
+var unsupportedValues = []interface{}{
+	math.NaN(),
+	math.Inf(-1),
+	math.Inf(1),
+}
+
+func TestUnsupportedValues(t *testing.T) {
+	for _, v := range unsupportedValues {
+		if _, err := Marshal(v); err != nil {
+			if _, ok := err.(*UnsupportedValueError); !ok {
+				t.Errorf("for %v, got %T want UnsupportedValueError", v, err)
+			}
+		} else {
+			t.Errorf("for %v, expected error", v)
+		}
+	}
+}
+
+// Ref has Marshaler and Unmarshaler methods with pointer receiver.
+type Ref int
+
+func (*Ref) MarshalJSON() ([]byte, error) {
+	return []byte(`"ref"`), nil
+}
+
+func (r *Ref) UnmarshalJSON([]byte) error {
+	*r = 12
+	return nil
+}
+
+// Val has Marshaler methods with value receiver.
+type Val int
+
+func (Val) MarshalJSON() ([]byte, error) {
+	return []byte(`"val"`), nil
+}
+
+// RefText has Marshaler and Unmarshaler methods with pointer receiver.
+type RefText int
+
+func (*RefText) MarshalText() ([]byte, error) {
+	return []byte(`"ref"`), nil
+}
+
+func (r *RefText) UnmarshalText([]byte) error {
+	*r = 13
+	return nil
+}
+
+// ValText has Marshaler methods with value receiver.
+type ValText int
+
+func (ValText) MarshalText() ([]byte, error) {
+	return []byte(`"val"`), nil
+}
+
+func TestRefValMarshal(t *testing.T) {
+	var s = struct {
+		R0 Ref
+		R1 *Ref
+		R2 RefText
+		R3 *RefText
+		V0 Val
+		V1 *Val
+		V2 ValText
+		V3 *ValText
+	}{
+		R0: 12,
+		R1: new(Ref),
+		R2: 14,
+		R3: new(RefText),
+		V0: 13,
+		V1: new(Val),
+		V2: 15,
+		V3: new(ValText),
+	}
+	const want = `{"R0":"ref","R1":"ref","R2":"\"ref\"","R3":"\"ref\"","V0":"val","V1":"val","V2":"\"val\"","V3":"\"val\""}`
+	b, err := Marshal(&s)
+	if err != nil {
+		t.Fatalf("Marshal: %v", err)
+	}
+	if got := string(b); got != want {
+		t.Errorf("got %q, want %q", got, want)
+	}
+}
+
+// C implements Marshaler and returns unescaped JSON.
+type C int
+
+func (C) MarshalJSON() ([]byte, error) {
+	return []byte(`"<&>"`), nil
+}
+
+// CText implements Marshaler and returns unescaped text.
+type CText int
+
+func (CText) MarshalText() ([]byte, error) {
+	return []byte(`"<&>"`), nil
+}
+
+func TestMarshalerEscaping(t *testing.T) {
+	var c C
+	want := `"\u003c\u0026\u003e"`
+	b, err := Marshal(c)
+	if err != nil {
+		t.Fatalf("Marshal(c): %v", err)
+	}
+	if got := string(b); got != want {
+		t.Errorf("Marshal(c) = %#q, want %#q", got, want)
+	}
+
+	var ct CText
+	want = `"\"\u003c\u0026\u003e\""`
+	b, err = Marshal(ct)
+	if err != nil {
+		t.Fatalf("Marshal(ct): %v", err)
+	}
+	if got := string(b); got != want {
+		t.Errorf("Marshal(ct) = %#q, want %#q", got, want)
+	}
+}
+
+type IntType int
+
+type MyStruct struct {
+	IntType
+}
+
+func TestAnonymousNonstruct(t *testing.T) {
+	var i IntType = 11
+	a := MyStruct{i}
+	const want = `{"IntType":11}`
+
+	b, err := Marshal(a)
+	if err != nil {
+		t.Fatalf("Marshal: %v", err)
+	}
+	if got := string(b); got != want {
+		t.Errorf("got %q, want %q", got, want)
+	}
+}
+
+type BugA struct {
+	S string
+}
+
+type BugB struct {
+	BugA
+	S string
+}
+
+type BugC struct {
+	S string
+}
+
+// Legal Go: We never use the repeated embedded field (S).
+type BugX struct {
+	A int
+	BugA
+	BugB
+}
+
+// Issue 5245.
+func TestEmbeddedBug(t *testing.T) {
+	v := BugB{
+		BugA{"A"},
+		"B",
+	}
+	b, err := Marshal(v)
+	if err != nil {
+		t.Fatal("Marshal:", err)
+	}
+	want := `{"S":"B"}`
+	got := string(b)
+	if got != want {
+		t.Fatalf("Marshal: got %s want %s", got, want)
+	}
+	// Now check that the duplicate field, S, does not appear.
+	x := BugX{
+		A: 23,
+	}
+	b, err = Marshal(x)
+	if err != nil {
+		t.Fatal("Marshal:", err)
+	}
+	want = `{"A":23}`
+	got = string(b)
+	if got != want {
+		t.Fatalf("Marshal: got %s want %s", got, want)
+	}
+}
+
+type BugD struct { // Same as BugA after tagging.
+	XXX string `json:"S"`
+}
+
+// BugD's tagged S field should dominate BugA's.
+type BugY struct {
+	BugA
+	BugD
+}
+
+// Test that a field with a tag dominates untagged fields.
+func TestTaggedFieldDominates(t *testing.T) {
+	v := BugY{
+		BugA{"BugA"},
+		BugD{"BugD"},
+	}
+	b, err := Marshal(v)
+	if err != nil {
+		t.Fatal("Marshal:", err)
+	}
+	want := `{"S":"BugD"}`
+	got := string(b)
+	if got != want {
+		t.Fatalf("Marshal: got %s want %s", got, want)
+	}
+}
+
+// There are no tags here, so S should not appear.
+type BugZ struct {
+	BugA
+	BugC
+	BugY // Contains a tagged S field through BugD; should not dominate.
+}
+
+func TestDuplicatedFieldDisappears(t *testing.T) {
+	v := BugZ{
+		BugA{"BugA"},
+		BugC{"BugC"},
+		BugY{
+			BugA{"nested BugA"},
+			BugD{"nested BugD"},
+		},
+	}
+	b, err := Marshal(v)
+	if err != nil {
+		t.Fatal("Marshal:", err)
+	}
+	want := `{}`
+	got := string(b)
+	if got != want {
+		t.Fatalf("Marshal: got %s want %s", got, want)
+	}
+}
+
+func TestStringBytes(t *testing.T) {
+	// Test that encodeState.stringBytes and encodeState.string use the same encoding.
+	es := &encodeState{}
+	var r []rune
+	for i := '\u0000'; i <= unicode.MaxRune; i++ {
+		r = append(r, i)
+	}
+	s := string(r) + "\xff\xff\xffhello" // some invalid UTF-8 too
+	es.string(s)
+
+	esBytes := &encodeState{}
+	esBytes.stringBytes([]byte(s))
+
+	enc := es.Buffer.String()
+	encBytes := esBytes.Buffer.String()
+	if enc != encBytes {
+		i := 0
+		for i < len(enc) && i < len(encBytes) && enc[i] == encBytes[i] {
+			i++
+		}
+		enc = enc[i:]
+		encBytes = encBytes[i:]
+		i = 0
+		for i < len(enc) && i < len(encBytes) && enc[len(enc)-i-1] == encBytes[len(encBytes)-i-1] {
+			i++
+		}
+		enc = enc[:len(enc)-i]
+		encBytes = encBytes[:len(encBytes)-i]
+
+		if len(enc) > 20 {
+			enc = enc[:20] + "..."
+		}
+		if len(encBytes) > 20 {
+			encBytes = encBytes[:20] + "..."
+		}
+
+		t.Errorf("encodings differ at %#q vs %#q", enc, encBytes)
+	}
+}
+
+func TestIssue6458(t *testing.T) {
+	type Foo struct {
+		M RawMessage
+	}
+	x := Foo{RawMessage(`"foo"`)}
+
+	b, err := Marshal(&x)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if want := `{"M":"foo"}`; string(b) != want {
+		t.Errorf("Marshal(&x) = %#q; want %#q", b, want)
+	}
+
+	b, err = Marshal(x)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if want := `{"M":"ImZvbyI="}`; string(b) != want {
+		t.Errorf("Marshal(x) = %#q; want %#q", b, want)
+	}
+}
+
+func TestIssue10281(t *testing.T) {
+	type Foo struct {
+		N Number
+	}
+	x := Foo{Number(`invalid`)}
+
+	b, err := Marshal(&x)
+	if err == nil {
+		t.Errorf("Marshal(&x) = %#q; want error", b)
+	}
+}
+
+func TestHTMLEscape(t *testing.T) {
+	var b, want bytes.Buffer
+	m := `{"M":"<html>foo &` + "\xe2\x80\xa8 \xe2\x80\xa9" + `</html>"}`
+	want.Write([]byte(`{"M":"\u003chtml\u003efoo \u0026\u2028 \u2029\u003c/html\u003e"}`))
+	HTMLEscape(&b, []byte(m))
+	if !bytes.Equal(b.Bytes(), want.Bytes()) {
+		t.Errorf("HTMLEscape(&b, []byte(m)) = %s; want %s", b.Bytes(), want.Bytes())
+	}
+}
+
+// golang.org/issue/8582
+func TestEncodePointerString(t *testing.T) {
+	type stringPointer struct {
+		N *int64 `json:"n,string"`
+	}
+	var n int64 = 42
+	b, err := Marshal(stringPointer{N: &n})
+	if err != nil {
+		t.Fatalf("Marshal: %v", err)
+	}
+	if got, want := string(b), `{"n":"42"}`; got != want {
+		t.Errorf("Marshal = %s, want %s", got, want)
+	}
+	var back stringPointer
+	err = Unmarshal(b, &back)
+	if err != nil {
+		t.Fatalf("Unmarshal: %v", err)
+	}
+	if back.N == nil {
+		t.Fatalf("Unmarshalled nil N field")
+	}
+	if *back.N != 42 {
+		t.Fatalf("*N = %d; want 42", *back.N)
+	}
+}
+
+var encodeStringTests = []struct {
+	in  string
+	out string
+}{
+	{"\x00", `"\u0000"`},
+	{"\x01", `"\u0001"`},
+	{"\x02", `"\u0002"`},
+	{"\x03", `"\u0003"`},
+	{"\x04", `"\u0004"`},
+	{"\x05", `"\u0005"`},
+	{"\x06", `"\u0006"`},
+	{"\x07", `"\u0007"`},
+	{"\x08", `"\u0008"`},
+	{"\x09", `"\t"`},
+	{"\x0a", `"\n"`},
+	{"\x0b", `"\u000b"`},
+	{"\x0c", `"\u000c"`},
+	{"\x0d", `"\r"`},
+	{"\x0e", `"\u000e"`},
+	{"\x0f", `"\u000f"`},
+	{"\x10", `"\u0010"`},
+	{"\x11", `"\u0011"`},
+	{"\x12", `"\u0012"`},
+	{"\x13", `"\u0013"`},
+	{"\x14", `"\u0014"`},
+	{"\x15", `"\u0015"`},
+	{"\x16", `"\u0016"`},
+	{"\x17", `"\u0017"`},
+	{"\x18", `"\u0018"`},
+	{"\x19", `"\u0019"`},
+	{"\x1a", `"\u001a"`},
+	{"\x1b", `"\u001b"`},
+	{"\x1c", `"\u001c"`},
+	{"\x1d", `"\u001d"`},
+	{"\x1e", `"\u001e"`},
+	{"\x1f", `"\u001f"`},
+}
+
+func TestEncodeString(t *testing.T) {
+	for _, tt := range encodeStringTests {
+		b, err := Marshal(tt.in)
+		if err != nil {
+			t.Errorf("Marshal(%q): %v", tt.in, err)
+			continue
+		}
+		out := string(b)
+		if out != tt.out {
+			t.Errorf("Marshal(%q) = %#q, want %#q", tt.in, out, tt.out)
+		}
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/indent.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/indent.go
new file mode 100644
index 000000000..7cd9f4db1
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/indent.go
@@ -0,0 +1,141 @@
+// Copyright 2010 The Go Authors.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+import "bytes"
+
+// Compact appends to dst the JSON-encoded src with
+// insignificant space characters elided.
+func Compact(dst *bytes.Buffer, src []byte) error {
+	return compact(dst, src, false)
+}
+
+func compact(dst *bytes.Buffer, src []byte, escape bool) error {
+	origLen := dst.Len()
+	var scan scanner
+	scan.reset()
+	start := 0
+	for i, c := range src {
+		if escape && (c == '<' || c == '>' || c == '&') {
+			if start < i {
+				dst.Write(src[start:i])
+			}
+			dst.WriteString(`\u00`)
+			dst.WriteByte(hex[c>>4])
+			dst.WriteByte(hex[c&0xF])
+			start = i + 1
+		}
+		// Convert U+2028 and U+2029 (E2 80 A8 and E2 80 A9).
+		if c == 0xE2 && i+2 < len(src) && src[i+1] == 0x80 && src[i+2]&^1 == 0xA8 {
+			if start < i {
+				dst.Write(src[start:i])
+			}
+			dst.WriteString(`\u202`)
+			dst.WriteByte(hex[src[i+2]&0xF])
+			start = i + 3
+		}
+		v := scan.step(&scan, c)
+		if v >= scanSkipSpace {
+			if v == scanError {
+				break
+			}
+			if start < i {
+				dst.Write(src[start:i])
+			}
+			start = i + 1
+		}
+	}
+	if scan.eof() == scanError {
+		dst.Truncate(origLen)
+		return scan.err
+	}
+	if start < len(src) {
+		dst.Write(src[start:])
+	}
+	return nil
+}
+
+func newline(dst *bytes.Buffer, prefix, indent string, depth int) {
+	dst.WriteByte('\n')
+	dst.WriteString(prefix)
+	for i := 0; i < depth; i++ {
+		dst.WriteString(indent)
+	}
+}
+
+// Indent appends to dst an indented form of the JSON-encoded src.
+// Each element in a JSON object or array begins on a new,
+// indented line beginning with prefix followed by one or more
+// copies of indent according to the indentation nesting.
+// The data appended to dst does not begin with the prefix nor
+// any indentation, to make it easier to embed inside other formatted JSON data.
+// Although leading space characters (space, tab, carriage return, newline)
+// at the beginning of src are dropped, trailing space characters
+// at the end of src are preserved and copied to dst.
+// For example, if src has no trailing spaces, neither will dst;
+// if src ends in a trailing newline, so will dst.
+func Indent(dst *bytes.Buffer, src []byte, prefix, indent string) error {
+	origLen := dst.Len()
+	var scan scanner
+	scan.reset()
+	needIndent := false
+	depth := 0
+	for _, c := range src {
+		scan.bytes++
+		v := scan.step(&scan, c)
+		if v == scanSkipSpace {
+			continue
+		}
+		if v == scanError {
+			break
+		}
+		if needIndent && v != scanEndObject && v != scanEndArray {
+			needIndent = false
+			depth++
+			newline(dst, prefix, indent, depth)
+		}
+
+		// Emit semantically uninteresting bytes
+		// (in particular, punctuation in strings) unmodified.
+		if v == scanContinue {
+			dst.WriteByte(c)
+			continue
+		}
+
+		// Add spacing around real punctuation.
+		switch c {
+		case '{', '[':
+			// delay indent so that empty object and array are formatted as {} and [].
+			needIndent = true
+			dst.WriteByte(c)
+
+		case ',':
+			dst.WriteByte(c)
+			newline(dst, prefix, indent, depth)
+
+		case ':':
+			dst.WriteByte(c)
+			dst.WriteByte(' ')
+
+		case '}', ']':
+			if needIndent {
+				// suppress indent in empty object/array
+				needIndent = false
+			} else {
+				depth--
+				newline(dst, prefix, indent, depth)
+			}
+			dst.WriteByte(c)
+
+		default:
+			dst.WriteByte(c)
+		}
+	}
+	if scan.eof() == scanError {
+		dst.Truncate(origLen)
+		return scan.err
+	}
+	return nil
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/number_test.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/number_test.go
new file mode 100644
index 000000000..4e63cf9c7
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/number_test.go
@@ -0,0 +1,133 @@
+// Copyright 2011 The Go Authors.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+import (
+	"regexp"
+	"testing"
+)
+
+func TestNumberIsValid(t *testing.T) {
+	// From: http://stackoverflow.com/a/13340826
+	var jsonNumberRegexp = regexp.MustCompile(`^-?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][+-]?\d+)?$`)
+
+	validTests := []string{
+		"0",
+		"-0",
+		"1",
+		"-1",
+		"0.1",
+		"-0.1",
+		"1234",
+		"-1234",
+		"12.34",
+		"-12.34",
+		"12E0",
+		"12E1",
+		"12e34",
+		"12E-0",
+		"12e+1",
+		"12e-34",
+		"-12E0",
+		"-12E1",
+		"-12e34",
+		"-12E-0",
+		"-12e+1",
+		"-12e-34",
+		"1.2E0",
+		"1.2E1",
+		"1.2e34",
+		"1.2E-0",
+		"1.2e+1",
+		"1.2e-34",
+		"-1.2E0",
+		"-1.2E1",
+		"-1.2e34",
+		"-1.2E-0",
+		"-1.2e+1",
+		"-1.2e-34",
+		"0E0",
+		"0E1",
+		"0e34",
+		"0E-0",
+		"0e+1",
+		"0e-34",
+		"-0E0",
+		"-0E1",
+		"-0e34",
+		"-0E-0",
+		"-0e+1",
+		"-0e-34",
+	}
+
+	for _, test := range validTests {
+		if !isValidNumber(test) {
+			t.Errorf("%s should be valid", test)
+		}
+
+		var f float64
+		if err := Unmarshal([]byte(test), &f); err != nil {
+			t.Errorf("%s should be valid but Unmarshal failed: %v", test, err)
+		}
+
+		if !jsonNumberRegexp.MatchString(test) {
+			t.Errorf("%s should be valid but regexp does not match", test)
+		}
+	}
+
+	invalidTests := []string{
+		"",
+		"invalid",
+		"1.0.1",
+		"1..1",
+		"-1-2",
+		"012a42",
+		"01.2",
+		"012",
+		"12E12.12",
+		"1e2e3",
+		"1e+-2",
+		"1e--23",
+		"1e",
+		"e1",
+		"1e+",
+		"1ea",
+		"1a",
+		"1.a",
+		"1.",
+		"01",
+		"1.e1",
+	}
+
+	for _, test := range invalidTests {
+		if isValidNumber(test) {
+			t.Errorf("%s should be invalid", test)
+		}
+
+		var f float64
+		if err := Unmarshal([]byte(test), &f); err == nil {
+			t.Errorf("%s should be invalid but unmarshal wrote %v", test, f)
+		}
+
+		if jsonNumberRegexp.MatchString(test) {
+			t.Errorf("%s should be invalid but matches regexp", test)
+		}
+	}
+}
+
+func BenchmarkNumberIsValid(b *testing.B) {
+	s := "-61657.61667E+61673"
+	for i := 0; i < b.N; i++ {
+		isValidNumber(s)
+	}
+}
+
+func BenchmarkNumberIsValidRegexp(b *testing.B) {
+	var jsonNumberRegexp = regexp.MustCompile(`^-?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][+-]?\d+)?$`)
+	s := "-61657.61667E+61673"
+	for i := 0; i < b.N; i++ {
+		jsonNumberRegexp.MatchString(s)
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/scanner.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/scanner.go
new file mode 100644
index 000000000..ee6622e8c
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/scanner.go
@@ -0,0 +1,623 @@
+// Copyright 2010 The Go Authors.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+// JSON value parser state machine.
+// Just about at the limit of what is reasonable to write by hand.
+// Some parts are a bit tedious, but overall it nicely factors out the
+// otherwise common code from the multiple scanning functions
+// in this package (Compact, Indent, checkValid, nextValue, etc).
+//
+// This file starts with two simple examples using the scanner
+// before diving into the scanner itself.
+
+import "strconv"
+
+// checkValid verifies that data is valid JSON-encoded data.
+// scan is passed in for use by checkValid to avoid an allocation.
+func checkValid(data []byte, scan *scanner) error {
+	scan.reset()
+	for _, c := range data {
+		scan.bytes++
+		if scan.step(scan, c) == scanError {
+			return scan.err
+		}
+	}
+	if scan.eof() == scanError {
+		return scan.err
+	}
+	return nil
+}
+
+// nextValue splits data after the next whole JSON value,
+// returning that value and the bytes that follow it as separate slices.
+// scan is passed in for use by nextValue to avoid an allocation.
+func nextValue(data []byte, scan *scanner) (value, rest []byte, err error) {
+	scan.reset()
+	for i, c := range data {
+		v := scan.step(scan, c)
+		if v >= scanEndObject {
+			switch v {
+			// probe the scanner with a space to determine whether we will
+			// get scanEnd on the next character. Otherwise, if the next character
+			// is not a space, scanEndTop allocates a needless error.
+			case scanEndObject, scanEndArray:
+				if scan.step(scan, ' ') == scanEnd {
+					return data[:i+1], data[i+1:], nil
+				}
+			case scanError:
+				return nil, nil, scan.err
+			case scanEnd:
+				return data[:i], data[i:], nil
+			}
+		}
+	}
+	if scan.eof() == scanError {
+		return nil, nil, scan.err
+	}
+	return data, nil, nil
+}
+
+// A SyntaxError is a description of a JSON syntax error.
+type SyntaxError struct {
+	msg    string // description of error
+	Offset int64  // error occurred after reading Offset bytes
+}
+
+func (e *SyntaxError) Error() string { return e.msg }
+
+// A scanner is a JSON scanning state machine.
+// Callers call scan.reset() and then pass bytes in one at a time
+// by calling scan.step(&scan, c) for each byte.
+// The return value, referred to as an opcode, tells the
+// caller about significant parsing events like beginning
+// and ending literals, objects, and arrays, so that the
+// caller can follow along if it wishes.
+// The return value scanEnd indicates that a single top-level
+// JSON value has been completed, *before* the byte that
+// just got passed in.  (The indication must be delayed in order
+// to recognize the end of numbers: is 123 a whole value or
+// the beginning of 12345e+6?).
+type scanner struct {
+	// The step is a func to be called to execute the next transition.
+	// Also tried using an integer constant and a single func
+	// with a switch, but using the func directly was 10% faster
+	// on a 64-bit Mac Mini, and it's nicer to read.
+	step func(*scanner, byte) int
+
+	// Reached end of top-level value.
+	endTop bool
+
+	// Stack of what we're in the middle of - array values, object keys, object values.
+	parseState []int
+
+	// Error that happened, if any.
+	err error
+
+	// 1-byte redo (see undo method)
+	redo      bool
+	redoCode  int
+	redoState func(*scanner, byte) int
+
+	// total bytes consumed, updated by decoder.Decode
+	bytes int64
+}
+
+// These values are returned by the state transition functions
+// assigned to scanner.state and the method scanner.eof.
+// They give details about the current state of the scan that
+// callers might be interested to know about.
+// It is okay to ignore the return value of any particular
+// call to scanner.state: if one call returns scanError,
+// every subsequent call will return scanError too.
+const (
+	// Continue.
+	scanContinue     = iota // uninteresting byte
+	scanBeginLiteral        // end implied by next result != scanContinue
+	scanBeginObject         // begin object
+	scanObjectKey           // just finished object key (string)
+	scanObjectValue         // just finished non-last object value
+	scanEndObject           // end object (implies scanObjectValue if possible)
+	scanBeginArray          // begin array
+	scanArrayValue          // just finished array value
+	scanEndArray            // end array (implies scanArrayValue if possible)
+	scanSkipSpace           // space byte; can skip; known to be last "continue" result
+
+	// Stop.
+	scanEnd   // top-level value ended *before* this byte; known to be first "stop" result
+	scanError // hit an error, scanner.err.
+)
+
+// These values are stored in the parseState stack.
+// They give the current state of a composite value
+// being scanned.  If the parser is inside a nested value
+// the parseState describes the nested state, outermost at entry 0.
+const (
+	parseObjectKey   = iota // parsing object key (before colon)
+	parseObjectValue        // parsing object value (after colon)
+	parseArrayValue         // parsing array value
+)
+
+// reset prepares the scanner for use.
+// It must be called before calling s.step.
+func (s *scanner) reset() {
+	s.step = stateBeginValue
+	s.parseState = s.parseState[0:0]
+	s.err = nil
+	s.redo = false
+	s.endTop = false
+}
+
+// eof tells the scanner that the end of input has been reached.
+// It returns a scan status just as s.step does.
+func (s *scanner) eof() int {
+	if s.err != nil {
+		return scanError
+	}
+	if s.endTop {
+		return scanEnd
+	}
+	s.step(s, ' ')
+	if s.endTop {
+		return scanEnd
+	}
+	if s.err == nil {
+		s.err = &SyntaxError{"unexpected end of JSON input", s.bytes}
+	}
+	return scanError
+}
+
+// pushParseState pushes a new parse state p onto the parse stack.
+func (s *scanner) pushParseState(p int) {
+	s.parseState = append(s.parseState, p)
+}
+
+// popParseState pops a parse state (already obtained) off the stack
+// and updates s.step accordingly.
+func (s *scanner) popParseState() {
+	n := len(s.parseState) - 1
+	s.parseState = s.parseState[0:n]
+	s.redo = false
+	if n == 0 {
+		s.step = stateEndTop
+		s.endTop = true
+	} else {
+		s.step = stateEndValue
+	}
+}
+
+func isSpace(c byte) bool {
+	return c == ' ' || c == '\t' || c == '\r' || c == '\n'
+}
+
+// stateBeginValueOrEmpty is the state after reading `[`.
+func stateBeginValueOrEmpty(s *scanner, c byte) int {
+	if c <= ' ' && isSpace(c) {
+		return scanSkipSpace
+	}
+	if c == ']' {
+		return stateEndValue(s, c)
+	}
+	return stateBeginValue(s, c)
+}
+
+// stateBeginValue is the state at the beginning of the input.
+func stateBeginValue(s *scanner, c byte) int {
+	if c <= ' ' && isSpace(c) {
+		return scanSkipSpace
+	}
+	switch c {
+	case '{':
+		s.step = stateBeginStringOrEmpty
+		s.pushParseState(parseObjectKey)
+		return scanBeginObject
+	case '[':
+		s.step = stateBeginValueOrEmpty
+		s.pushParseState(parseArrayValue)
+		return scanBeginArray
+	case '"':
+		s.step = stateInString
+		return scanBeginLiteral
+	case '-':
+		s.step = stateNeg
+		return scanBeginLiteral
+	case '0': // beginning of 0.123
+		s.step = state0
+		return scanBeginLiteral
+	case 't': // beginning of true
+		s.step = stateT
+		return scanBeginLiteral
+	case 'f': // beginning of false
+		s.step = stateF
+		return scanBeginLiteral
+	case 'n': // beginning of null
+		s.step = stateN
+		return scanBeginLiteral
+	}
+	if '1' <= c && c <= '9' { // beginning of 1234.5
+		s.step = state1
+		return scanBeginLiteral
+	}
+	return s.error(c, "looking for beginning of value")
+}
+
+// stateBeginStringOrEmpty is the state after reading `{`.
+func stateBeginStringOrEmpty(s *scanner, c byte) int {
+	if c <= ' ' && isSpace(c) {
+		return scanSkipSpace
+	}
+	if c == '}' {
+		n := len(s.parseState)
+		s.parseState[n-1] = parseObjectValue
+		return stateEndValue(s, c)
+	}
+	return stateBeginString(s, c)
+}
+
+// stateBeginString is the state after reading `{"key": value,`.
+func stateBeginString(s *scanner, c byte) int {
+	if c <= ' ' && isSpace(c) {
+		return scanSkipSpace
+	}
+	if c == '"' {
+		s.step = stateInString
+		return scanBeginLiteral
+	}
+	return s.error(c, "looking for beginning of object key string")
+}
+
+// stateEndValue is the state after completing a value,
+// such as after reading `{}` or `true` or `["x"`.
+func stateEndValue(s *scanner, c byte) int {
+	n := len(s.parseState)
+	if n == 0 {
+		// Completed top-level before the current byte.
+		s.step = stateEndTop
+		s.endTop = true
+		return stateEndTop(s, c)
+	}
+	if c <= ' ' && isSpace(c) {
+		s.step = stateEndValue
+		return scanSkipSpace
+	}
+	ps := s.parseState[n-1]
+	switch ps {
+	case parseObjectKey:
+		if c == ':' {
+			s.parseState[n-1] = parseObjectValue
+			s.step = stateBeginValue
+			return scanObjectKey
+		}
+		return s.error(c, "after object key")
+	case parseObjectValue:
+		if c == ',' {
+			s.parseState[n-1] = parseObjectKey
+			s.step = stateBeginString
+			return scanObjectValue
+		}
+		if c == '}' {
+			s.popParseState()
+			return scanEndObject
+		}
+		return s.error(c, "after object key:value pair")
+	case parseArrayValue:
+		if c == ',' {
+			s.step = stateBeginValue
+			return scanArrayValue
+		}
+		if c == ']' {
+			s.popParseState()
+			return scanEndArray
+		}
+		return s.error(c, "after array element")
+	}
+	return s.error(c, "")
+}
+
+// stateEndTop is the state after finishing the top-level value,
+// such as after reading `{}` or `[1,2,3]`.
+// Only space characters should be seen now.
+func stateEndTop(s *scanner, c byte) int {
+	if c != ' ' && c != '\t' && c != '\r' && c != '\n' {
+		// Complain about non-space byte on next call.
+		s.error(c, "after top-level value")
+	}
+	return scanEnd
+}
+
+// stateInString is the state after reading `"`.
+func stateInString(s *scanner, c byte) int {
+	if c == '"' {
+		s.step = stateEndValue
+		return scanContinue
+	}
+	if c == '\\' {
+		s.step = stateInStringEsc
+		return scanContinue
+	}
+	if c < 0x20 {
+		return s.error(c, "in string literal")
+	}
+	return scanContinue
+}
+
+// stateInStringEsc is the state after reading `"\` during a quoted string.
+func stateInStringEsc(s *scanner, c byte) int {
+	switch c {
+	case 'b', 'f', 'n', 'r', 't', '\\', '/', '"':
+		s.step = stateInString
+		return scanContinue
+	case 'u':
+		s.step = stateInStringEscU
+		return scanContinue
+	}
+	return s.error(c, "in string escape code")
+}
+
+// stateInStringEscU is the state after reading `"\u` during a quoted string.
+func stateInStringEscU(s *scanner, c byte) int {
+	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
+		s.step = stateInStringEscU1
+		return scanContinue
+	}
+	// numbers
+	return s.error(c, "in \\u hexadecimal character escape")
+}
+
+// stateInStringEscU1 is the state after reading `"\u1` during a quoted string.
+func stateInStringEscU1(s *scanner, c byte) int {
+	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
+		s.step = stateInStringEscU12
+		return scanContinue
+	}
+	// numbers
+	return s.error(c, "in \\u hexadecimal character escape")
+}
+
+// stateInStringEscU12 is the state after reading `"\u12` during a quoted string.
+func stateInStringEscU12(s *scanner, c byte) int {
+	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
+		s.step = stateInStringEscU123
+		return scanContinue
+	}
+	// numbers
+	return s.error(c, "in \\u hexadecimal character escape")
+}
+
+// stateInStringEscU123 is the state after reading `"\u123` during a quoted string.
+func stateInStringEscU123(s *scanner, c byte) int {
+	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
+		s.step = stateInString
+		return scanContinue
+	}
+	// numbers
+	return s.error(c, "in \\u hexadecimal character escape")
+}
+
+// stateNeg is the state after reading `-` during a number.
+func stateNeg(s *scanner, c byte) int {
+	if c == '0' {
+		s.step = state0
+		return scanContinue
+	}
+	if '1' <= c && c <= '9' {
+		s.step = state1
+		return scanContinue
+	}
+	return s.error(c, "in numeric literal")
+}
+
+// state1 is the state after reading a non-zero integer during a number,
+// such as after reading `1` or `100` but not `0`.
+func state1(s *scanner, c byte) int {
+	if '0' <= c && c <= '9' {
+		s.step = state1
+		return scanContinue
+	}
+	return state0(s, c)
+}
+
+// state0 is the state after reading `0` during a number.
+func state0(s *scanner, c byte) int {
+	if c == '.' {
+		s.step = stateDot
+		return scanContinue
+	}
+	if c == 'e' || c == 'E' {
+		s.step = stateE
+		return scanContinue
+	}
+	return stateEndValue(s, c)
+}
+
+// stateDot is the state after reading the integer and decimal point in a number,
+// such as after reading `1.`.
+func stateDot(s *scanner, c byte) int {
+	if '0' <= c && c <= '9' {
+		s.step = stateDot0
+		return scanContinue
+	}
+	return s.error(c, "after decimal point in numeric literal")
+}
+
+// stateDot0 is the state after reading the integer, decimal point, and subsequent
+// digits of a number, such as after reading `3.14`.
+func stateDot0(s *scanner, c byte) int {
+	if '0' <= c && c <= '9' {
+		return scanContinue
+	}
+	if c == 'e' || c == 'E' {
+		s.step = stateE
+		return scanContinue
+	}
+	return stateEndValue(s, c)
+}
+
+// stateE is the state after reading the mantissa and e in a number,
+// such as after reading `314e` or `0.314e`.
+func stateE(s *scanner, c byte) int {
+	if c == '+' || c == '-' {
+		s.step = stateESign
+		return scanContinue
+	}
+	return stateESign(s, c)
+}
+
+// stateESign is the state after reading the mantissa, e, and sign in a number,
+// such as after reading `314e-` or `0.314e+`.
+func stateESign(s *scanner, c byte) int {
+	if '0' <= c && c <= '9' {
+		s.step = stateE0
+		return scanContinue
+	}
+	return s.error(c, "in exponent of numeric literal")
+}
+
+// stateE0 is the state after reading the mantissa, e, optional sign,
+// and at least one digit of the exponent in a number,
+// such as after reading `314e-2` or `0.314e+1` or `3.14e0`.
+func stateE0(s *scanner, c byte) int {
+	if '0' <= c && c <= '9' {
+		return scanContinue
+	}
+	return stateEndValue(s, c)
+}
+
+// stateT is the state after reading `t`.
+func stateT(s *scanner, c byte) int {
+	if c == 'r' {
+		s.step = stateTr
+		return scanContinue
+	}
+	return s.error(c, "in literal true (expecting 'r')")
+}
+
+// stateTr is the state after reading `tr`.
+func stateTr(s *scanner, c byte) int {
+	if c == 'u' {
+		s.step = stateTru
+		return scanContinue
+	}
+	return s.error(c, "in literal true (expecting 'u')")
+}
+
+// stateTru is the state after reading `tru`.
+func stateTru(s *scanner, c byte) int {
+	if c == 'e' {
+		s.step = stateEndValue
+		return scanContinue
+	}
+	return s.error(c, "in literal true (expecting 'e')")
+}
+
+// stateF is the state after reading `f`.
+func stateF(s *scanner, c byte) int {
+	if c == 'a' {
+		s.step = stateFa
+		return scanContinue
+	}
+	return s.error(c, "in literal false (expecting 'a')")
+}
+
+// stateFa is the state after reading `fa`.
+func stateFa(s *scanner, c byte) int {
+	if c == 'l' {
+		s.step = stateFal
+		return scanContinue
+	}
+	return s.error(c, "in literal false (expecting 'l')")
+}
+
+// stateFal is the state after reading `fal`.
+func stateFal(s *scanner, c byte) int {
+	if c == 's' {
+		s.step = stateFals
+		return scanContinue
+	}
+	return s.error(c, "in literal false (expecting 's')")
+}
+
+// stateFals is the state after reading `fals`.
+func stateFals(s *scanner, c byte) int {
+	if c == 'e' {
+		s.step = stateEndValue
+		return scanContinue
+	}
+	return s.error(c, "in literal false (expecting 'e')")
+}
+
+// stateN is the state after reading `n`.
+func stateN(s *scanner, c byte) int {
+	if c == 'u' {
+		s.step = stateNu
+		return scanContinue
+	}
+	return s.error(c, "in literal null (expecting 'u')")
+}
+
+// stateNu is the state after reading `nu`.
+func stateNu(s *scanner, c byte) int {
+	if c == 'l' {
+		s.step = stateNul
+		return scanContinue
+	}
+	return s.error(c, "in literal null (expecting 'l')")
+}
+
+// stateNul is the state after reading `nul`.
+func stateNul(s *scanner, c byte) int {
+	if c == 'l' {
+		s.step = stateEndValue
+		return scanContinue
+	}
+	return s.error(c, "in literal null (expecting 'l')")
+}
+
+// stateError is the state after reaching a syntax error,
+// such as after reading `[1}` or `5.1.2`.
+func stateError(s *scanner, c byte) int {
+	return scanError
+}
+
+// error records an error and switches to the error state.
+func (s *scanner) error(c byte, context string) int {
+	s.step = stateError
+	s.err = &SyntaxError{"invalid character " + quoteChar(c) + " " + context, s.bytes}
+	return scanError
+}
+
+// quoteChar formats c as a quoted character literal
+func quoteChar(c byte) string {
+	// special cases - different from quoted strings
+	if c == '\'' {
+		return `'\''`
+	}
+	if c == '"' {
+		return `'"'`
+	}
+
+	// use quoted string with different quotation marks
+	s := strconv.Quote(string(c))
+	return "'" + s[1:len(s)-1] + "'"
+}
+
+// undo causes the scanner to return scanCode from the next state transition.
+// This gives callers a simple 1-byte undo mechanism.
+func (s *scanner) undo(scanCode int) {
+	if s.redo {
+		panic("json: invalid use of scanner")
+	}
+	s.redoCode = scanCode
+	s.redoState = s.step
+	s.step = stateRedo
+	s.redo = true
+}
+
+// stateRedo helps implement the scanner's 1-byte undo.
+func stateRedo(s *scanner, c byte) int {
+	s.redo = false
+	s.step = s.redoState
+	return s.redoCode
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/scanner_test.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/scanner_test.go
new file mode 100644
index 000000000..66383ef0e
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/scanner_test.go
@@ -0,0 +1,316 @@
+// Copyright 2010 The Go Authors.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+import (
+	"bytes"
+	"math"
+	"math/rand"
+	"reflect"
+	"testing"
+)
+
+// Tests of simple examples.
+
+type example struct {
+	compact string
+	indent  string
+}
+
+var examples = []example{
+	{`1`, `1`},
+	{`{}`, `{}`},
+	{`[]`, `[]`},
+	{`{"":2}`, "{\n\t\"\": 2\n}"},
+	{`[3]`, "[\n\t3\n]"},
+	{`[1,2,3]`, "[\n\t1,\n\t2,\n\t3\n]"},
+	{`{"x":1}`, "{\n\t\"x\": 1\n}"},
+	{ex1, ex1i},
+}
+
+var ex1 = `[true,false,null,"x",1,1.5,0,-5e+2]`
+
+var ex1i = `[
+	true,
+	false,
+	null,
+	"x",
+	1,
+	1.5,
+	0,
+	-5e+2
+]`
+
+func TestCompact(t *testing.T) {
+	var buf bytes.Buffer
+	for _, tt := range examples {
+		buf.Reset()
+		if err := Compact(&buf, []byte(tt.compact)); err != nil {
+			t.Errorf("Compact(%#q): %v", tt.compact, err)
+		} else if s := buf.String(); s != tt.compact {
+			t.Errorf("Compact(%#q) = %#q, want original", tt.compact, s)
+		}
+
+		buf.Reset()
+		if err := Compact(&buf, []byte(tt.indent)); err != nil {
+			t.Errorf("Compact(%#q): %v", tt.indent, err)
+			continue
+		} else if s := buf.String(); s != tt.compact {
+			t.Errorf("Compact(%#q) = %#q, want %#q", tt.indent, s, tt.compact)
+		}
+	}
+}
+
+func TestCompactSeparators(t *testing.T) {
+	// U+2028 and U+2029 should be escaped inside strings.
+	// They should not appear outside strings.
+	tests := []struct {
+		in, compact string
+	}{
+		{"{\"\u2028\": 1}", `{"\u2028":1}`},
+		{"{\"\u2029\" :2}", `{"\u2029":2}`},
+	}
+	for _, tt := range tests {
+		var buf bytes.Buffer
+		if err := Compact(&buf, []byte(tt.in)); err != nil {
+			t.Errorf("Compact(%q): %v", tt.in, err)
+		} else if s := buf.String(); s != tt.compact {
+			t.Errorf("Compact(%q) = %q, want %q", tt.in, s, tt.compact)
+		}
+	}
+}
+
+func TestIndent(t *testing.T) {
+	var buf bytes.Buffer
+	for _, tt := range examples {
+		buf.Reset()
+		if err := Indent(&buf, []byte(tt.indent), "", "\t"); err != nil {
+			t.Errorf("Indent(%#q): %v", tt.indent, err)
+		} else if s := buf.String(); s != tt.indent {
+			t.Errorf("Indent(%#q) = %#q, want original", tt.indent, s)
+		}
+
+		buf.Reset()
+		if err := Indent(&buf, []byte(tt.compact), "", "\t"); err != nil {
+			t.Errorf("Indent(%#q): %v", tt.compact, err)
+			continue
+		} else if s := buf.String(); s != tt.indent {
+			t.Errorf("Indent(%#q) = %#q, want %#q", tt.compact, s, tt.indent)
+		}
+	}
+}
+
+// Tests of a large random structure.
+
+func TestCompactBig(t *testing.T) {
+	initBig()
+	var buf bytes.Buffer
+	if err := Compact(&buf, jsonBig); err != nil {
+		t.Fatalf("Compact: %v", err)
+	}
+	b := buf.Bytes()
+	if !bytes.Equal(b, jsonBig) {
+		t.Error("Compact(jsonBig) != jsonBig")
+		diff(t, b, jsonBig)
+		return
+	}
+}
+
+func TestIndentBig(t *testing.T) {
+	initBig()
+	var buf bytes.Buffer
+	if err := Indent(&buf, jsonBig, "", "\t"); err != nil {
+		t.Fatalf("Indent1: %v", err)
+	}
+	b := buf.Bytes()
+	if len(b) == len(jsonBig) {
+		// jsonBig is compact (no unnecessary spaces);
+		// indenting should make it bigger
+		t.Fatalf("Indent(jsonBig) did not get bigger")
+	}
+
+	// should be idempotent
+	var buf1 bytes.Buffer
+	if err := Indent(&buf1, b, "", "\t"); err != nil {
+		t.Fatalf("Indent2: %v", err)
+	}
+	b1 := buf1.Bytes()
+	if !bytes.Equal(b1, b) {
+		t.Error("Indent(Indent(jsonBig)) != Indent(jsonBig)")
+		diff(t, b1, b)
+		return
+	}
+
+	// should get back to original
+	buf1.Reset()
+	if err := Compact(&buf1, b); err != nil {
+		t.Fatalf("Compact: %v", err)
+	}
+	b1 = buf1.Bytes()
+	if !bytes.Equal(b1, jsonBig) {
+		t.Error("Compact(Indent(jsonBig)) != jsonBig")
+		diff(t, b1, jsonBig)
+		return
+	}
+}
+
+type indentErrorTest struct {
+	in  string
+	err error
+}
+
+var indentErrorTests = []indentErrorTest{
+	{`{"X": "foo", "Y"}`, &SyntaxError{"invalid character '}' after object key", 17}},
+	{`{"X": "foo" "Y": "bar"}`, &SyntaxError{"invalid character '\"' after object key:value pair", 13}},
+}
+
+func TestIndentErrors(t *testing.T) {
+	for i, tt := range indentErrorTests {
+		slice := make([]uint8, 0)
+		buf := bytes.NewBuffer(slice)
+		if err := Indent(buf, []uint8(tt.in), "", ""); err != nil {
+			if !reflect.DeepEqual(err, tt.err) {
+				t.Errorf("#%d: Indent: %#v", i, err)
+				continue
+			}
+		}
+	}
+}
+
+func TestNextValueBig(t *testing.T) {
+	initBig()
+	var scan scanner
+	item, rest, err := nextValue(jsonBig, &scan)
+	if err != nil {
+		t.Fatalf("nextValue: %s", err)
+	}
+	if len(item) != len(jsonBig) || &item[0] != &jsonBig[0] {
+		t.Errorf("invalid item: %d %d", len(item), len(jsonBig))
+	}
+	if len(rest) != 0 {
+		t.Errorf("invalid rest: %d", len(rest))
+	}
+
+	item, rest, err = nextValue(append(jsonBig, "HELLO WORLD"...), &scan)
+	if err != nil {
+		t.Fatalf("nextValue extra: %s", err)
+	}
+	if len(item) != len(jsonBig) {
+		t.Errorf("invalid item: %d %d", len(item), len(jsonBig))
+	}
+	if string(rest) != "HELLO WORLD" {
+		t.Errorf("invalid rest: %d", len(rest))
+	}
+}
+
+var benchScan scanner
+
+func BenchmarkSkipValue(b *testing.B) {
+	initBig()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		nextValue(jsonBig, &benchScan)
+	}
+	b.SetBytes(int64(len(jsonBig)))
+}
+
+func diff(t *testing.T, a, b []byte) {
+	for i := 0; ; i++ {
+		if i >= len(a) || i >= len(b) || a[i] != b[i] {
+			j := i - 10
+			if j < 0 {
+				j = 0
+			}
+			t.Errorf("diverge at %d: «%s» vs «%s»", i, trim(a[j:]), trim(b[j:]))
+			return
+		}
+	}
+}
+
+func trim(b []byte) []byte {
+	if len(b) > 20 {
+		return b[0:20]
+	}
+	return b
+}
+
+// Generate a random JSON object.
+
+var jsonBig []byte
+
+func initBig() {
+	n := 10000
+	if testing.Short() {
+		n = 100
+	}
+	b, err := Marshal(genValue(n))
+	if err != nil {
+		panic(err)
+	}
+	jsonBig = b
+}
+
+func genValue(n int) interface{} {
+	if n > 1 {
+		switch rand.Intn(2) {
+		case 0:
+			return genArray(n)
+		case 1:
+			return genMap(n)
+		}
+	}
+	switch rand.Intn(3) {
+	case 0:
+		return rand.Intn(2) == 0
+	case 1:
+		return rand.NormFloat64()
+	case 2:
+		return genString(30)
+	}
+	panic("unreachable")
+}
+
+func genString(stddev float64) string {
+	n := int(math.Abs(rand.NormFloat64()*stddev + stddev/2))
+	c := make([]rune, n)
+	for i := range c {
+		f := math.Abs(rand.NormFloat64()*64 + 32)
+		if f > 0x10ffff {
+			f = 0x10ffff
+		}
+		c[i] = rune(f)
+	}
+	return string(c)
+}
+
+func genArray(n int) []interface{} {
+	f := int(math.Abs(rand.NormFloat64()) * math.Min(10, float64(n/2)))
+	if f > n {
+		f = n
+	}
+	if f < 1 {
+		f = 1
+	}
+	x := make([]interface{}, f)
+	for i := range x {
+		x[i] = genValue(((i+1)*n)/f - (i*n)/f)
+	}
+	return x
+}
+
+func genMap(n int) map[string]interface{} {
+	f := int(math.Abs(rand.NormFloat64()) * math.Min(10, float64(n/2)))
+	if f > n {
+		f = n
+	}
+	if n > 0 && f == 0 {
+		f = 1
+	}
+	x := make(map[string]interface{})
+	for i := 0; i < f; i++ {
+		x[genString(10)] = genValue(((i+1)*n)/f - (i*n)/f)
+	}
+	return x
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/stream.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/stream.go
new file mode 100644
index 000000000..8ddcf4d27
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/stream.go
@@ -0,0 +1,480 @@
+// Copyright 2010 The Go Authors.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+import (
+	"bytes"
+	"errors"
+	"io"
+)
+
+// A Decoder reads and decodes JSON objects from an input stream.
+type Decoder struct {
+	r     io.Reader
+	buf   []byte
+	d     decodeState
+	scanp int // start of unread data in buf
+	scan  scanner
+	err   error
+
+	tokenState int
+	tokenStack []int
+}
+
+// NewDecoder returns a new decoder that reads from r.
+//
+// The decoder introduces its own buffering and may
+// read data from r beyond the JSON values requested.
+func NewDecoder(r io.Reader) *Decoder {
+	return &Decoder{r: r}
+}
+
+// UseNumber causes the Decoder to unmarshal a number into an interface{} as a
+// Number instead of as a float64.
+func (dec *Decoder) UseNumber() { dec.d.useNumber = true }
+
+// Decode reads the next JSON-encoded value from its
+// input and stores it in the value pointed to by v.
+//
+// See the documentation for Unmarshal for details about
+// the conversion of JSON into a Go value.
+func (dec *Decoder) Decode(v interface{}) error {
+	if dec.err != nil {
+		return dec.err
+	}
+
+	if err := dec.tokenPrepareForDecode(); err != nil {
+		return err
+	}
+
+	if !dec.tokenValueAllowed() {
+		return &SyntaxError{msg: "not at beginning of value"}
+	}
+
+	// Read whole value into buffer.
+	n, err := dec.readValue()
+	if err != nil {
+		return err
+	}
+	dec.d.init(dec.buf[dec.scanp : dec.scanp+n])
+	dec.scanp += n
+
+	// Don't save err from unmarshal into dec.err:
+	// the connection is still usable since we read a complete JSON
+	// object from it before the error happened.
+	err = dec.d.unmarshal(v)
+
+	// fixup token streaming state
+	dec.tokenValueEnd()
+
+	return err
+}
+
+// Buffered returns a reader of the data remaining in the Decoder's
+// buffer. The reader is valid until the next call to Decode.
+func (dec *Decoder) Buffered() io.Reader {
+	return bytes.NewReader(dec.buf[dec.scanp:])
+}
+
+// readValue reads a JSON value into dec.buf.
+// It returns the length of the encoding.
+func (dec *Decoder) readValue() (int, error) {
+	dec.scan.reset()
+
+	scanp := dec.scanp
+	var err error
+Input:
+	for {
+		// Look in the buffer for a new value.
+		for i, c := range dec.buf[scanp:] {
+			dec.scan.bytes++
+			v := dec.scan.step(&dec.scan, c)
+			if v == scanEnd {
+				scanp += i
+				break Input
+			}
+			// scanEnd is delayed one byte.
+			// We might block trying to get that byte from src,
+			// so instead invent a space byte.
+			if (v == scanEndObject || v == scanEndArray) && dec.scan.step(&dec.scan, ' ') == scanEnd {
+				scanp += i + 1
+				break Input
+			}
+			if v == scanError {
+				dec.err = dec.scan.err
+				return 0, dec.scan.err
+			}
+		}
+		scanp = len(dec.buf)
+
+		// Did the last read have an error?
+		// Delayed until now to allow buffer scan.
+		if err != nil {
+			if err == io.EOF {
+				if dec.scan.step(&dec.scan, ' ') == scanEnd {
+					break Input
+				}
+				if nonSpace(dec.buf) {
+					err = io.ErrUnexpectedEOF
+				}
+			}
+			dec.err = err
+			return 0, err
+		}
+
+		n := scanp - dec.scanp
+		err = dec.refill()
+		scanp = dec.scanp + n
+	}
+	return scanp - dec.scanp, nil
+}
+
+func (dec *Decoder) refill() error {
+	// Make room to read more into the buffer.
+	// First slide down data already consumed.
+	if dec.scanp > 0 {
+		n := copy(dec.buf, dec.buf[dec.scanp:])
+		dec.buf = dec.buf[:n]
+		dec.scanp = 0
+	}
+
+	// Grow buffer if not large enough.
+	const minRead = 512
+	if cap(dec.buf)-len(dec.buf) < minRead {
+		newBuf := make([]byte, len(dec.buf), 2*cap(dec.buf)+minRead)
+		copy(newBuf, dec.buf)
+		dec.buf = newBuf
+	}
+
+	// Read.  Delay error for next iteration (after scan).
+	n, err := dec.r.Read(dec.buf[len(dec.buf):cap(dec.buf)])
+	dec.buf = dec.buf[0 : len(dec.buf)+n]
+
+	return err
+}
+
+func nonSpace(b []byte) bool {
+	for _, c := range b {
+		if !isSpace(c) {
+			return true
+		}
+	}
+	return false
+}
+
+// An Encoder writes JSON objects to an output stream.
+type Encoder struct {
+	w   io.Writer
+	err error
+}
+
+// NewEncoder returns a new encoder that writes to w.
+func NewEncoder(w io.Writer) *Encoder {
+	return &Encoder{w: w}
+}
+
+// Encode writes the JSON encoding of v to the stream,
+// followed by a newline character.
+//
+// See the documentation for Marshal for details about the
+// conversion of Go values to JSON.
+func (enc *Encoder) Encode(v interface{}) error {
+	if enc.err != nil {
+		return enc.err
+	}
+	e := newEncodeState()
+	err := e.marshal(v)
+	if err != nil {
+		return err
+	}
+
+	// Terminate each value with a newline.
+	// This makes the output look a little nicer
+	// when debugging, and some kind of space
+	// is required if the encoded value was a number,
+	// so that the reader knows there aren't more
+	// digits coming.
+	e.WriteByte('\n')
+
+	if _, err = enc.w.Write(e.Bytes()); err != nil {
+		enc.err = err
+	}
+	encodeStatePool.Put(e)
+	return err
+}
+
+// RawMessage is a raw encoded JSON object.
+// It implements Marshaler and Unmarshaler and can
+// be used to delay JSON decoding or precompute a JSON encoding.
+type RawMessage []byte
+
+// MarshalJSON returns *m as the JSON encoding of m.
+func (m *RawMessage) MarshalJSON() ([]byte, error) {
+	return *m, nil
+}
+
+// UnmarshalJSON sets *m to a copy of data.
+func (m *RawMessage) UnmarshalJSON(data []byte) error {
+	if m == nil {
+		return errors.New("json.RawMessage: UnmarshalJSON on nil pointer")
+	}
+	*m = append((*m)[0:0], data...)
+	return nil
+}
+
+var _ Marshaler = (*RawMessage)(nil)
+var _ Unmarshaler = (*RawMessage)(nil)
+
+// A Token holds a value of one of these types:
+//
+//	Delim, for the four JSON delimiters [ ] { }
+//	bool, for JSON booleans
+//	float64, for JSON numbers
+//	Number, for JSON numbers
+//	string, for JSON string literals
+//	nil, for JSON null
+//
+type Token interface{}
+
+const (
+	tokenTopValue = iota
+	tokenArrayStart
+	tokenArrayValue
+	tokenArrayComma
+	tokenObjectStart
+	tokenObjectKey
+	tokenObjectColon
+	tokenObjectValue
+	tokenObjectComma
+)
+
+// advance tokenstate from a separator state to a value state
+func (dec *Decoder) tokenPrepareForDecode() error {
+	// Note: Not calling peek before switch, to avoid
+	// putting peek into the standard Decode path.
+	// peek is only called when using the Token API.
+	switch dec.tokenState {
+	case tokenArrayComma:
+		c, err := dec.peek()
+		if err != nil {
+			return err
+		}
+		if c != ',' {
+			return &SyntaxError{"expected comma after array element", 0}
+		}
+		dec.scanp++
+		dec.tokenState = tokenArrayValue
+	case tokenObjectColon:
+		c, err := dec.peek()
+		if err != nil {
+			return err
+		}
+		if c != ':' {
+			return &SyntaxError{"expected colon after object key", 0}
+		}
+		dec.scanp++
+		dec.tokenState = tokenObjectValue
+	}
+	return nil
+}
+
+func (dec *Decoder) tokenValueAllowed() bool {
+	switch dec.tokenState {
+	case tokenTopValue, tokenArrayStart, tokenArrayValue, tokenObjectValue:
+		return true
+	}
+	return false
+}
+
+func (dec *Decoder) tokenValueEnd() {
+	switch dec.tokenState {
+	case tokenArrayStart, tokenArrayValue:
+		dec.tokenState = tokenArrayComma
+	case tokenObjectValue:
+		dec.tokenState = tokenObjectComma
+	}
+}
+
+// A Delim is a JSON array or object delimiter, one of [ ] { or }.
+type Delim rune
+
+func (d Delim) String() string {
+	return string(d)
+}
+
+// Token returns the next JSON token in the input stream.
+// At the end of the input stream, Token returns nil, io.EOF.
+//
+// Token guarantees that the delimiters [ ] { } it returns are
+// properly nested and matched: if Token encounters an unexpected
+// delimiter in the input, it will return an error.
+//
+// The input stream consists of basic JSON values—bool, string,
+// number, and null—along with delimiters [ ] { } of type Delim
+// to mark the start and end of arrays and objects.
+// Commas and colons are elided.
+func (dec *Decoder) Token() (Token, error) {
+	for {
+		c, err := dec.peek()
+		if err != nil {
+			return nil, err
+		}
+		switch c {
+		case '[':
+			if !dec.tokenValueAllowed() {
+				return dec.tokenError(c)
+			}
+			dec.scanp++
+			dec.tokenStack = append(dec.tokenStack, dec.tokenState)
+			dec.tokenState = tokenArrayStart
+			return Delim('['), nil
+
+		case ']':
+			if dec.tokenState != tokenArrayStart && dec.tokenState != tokenArrayComma {
+				return dec.tokenError(c)
+			}
+			dec.scanp++
+			dec.tokenState = dec.tokenStack[len(dec.tokenStack)-1]
+			dec.tokenStack = dec.tokenStack[:len(dec.tokenStack)-1]
+			dec.tokenValueEnd()
+			return Delim(']'), nil
+
+		case '{':
+			if !dec.tokenValueAllowed() {
+				return dec.tokenError(c)
+			}
+			dec.scanp++
+			dec.tokenStack = append(dec.tokenStack, dec.tokenState)
+			dec.tokenState = tokenObjectStart
+			return Delim('{'), nil
+
+		case '}':
+			if dec.tokenState != tokenObjectStart && dec.tokenState != tokenObjectComma {
+				return dec.tokenError(c)
+			}
+			dec.scanp++
+			dec.tokenState = dec.tokenStack[len(dec.tokenStack)-1]
+			dec.tokenStack = dec.tokenStack[:len(dec.tokenStack)-1]
+			dec.tokenValueEnd()
+			return Delim('}'), nil
+
+		case ':':
+			if dec.tokenState != tokenObjectColon {
+				return dec.tokenError(c)
+			}
+			dec.scanp++
+			dec.tokenState = tokenObjectValue
+			continue
+
+		case ',':
+			if dec.tokenState == tokenArrayComma {
+				dec.scanp++
+				dec.tokenState = tokenArrayValue
+				continue
+			}
+			if dec.tokenState == tokenObjectComma {
+				dec.scanp++
+				dec.tokenState = tokenObjectKey
+				continue
+			}
+			return dec.tokenError(c)
+
+		case '"':
+			if dec.tokenState == tokenObjectStart || dec.tokenState == tokenObjectKey {
+				var x string
+				old := dec.tokenState
+				dec.tokenState = tokenTopValue
+				err := dec.Decode(&x)
+				dec.tokenState = old
+				if err != nil {
+					clearOffset(err)
+					return nil, err
+				}
+				dec.tokenState = tokenObjectColon
+				return x, nil
+			}
+			fallthrough
+
+		default:
+			if !dec.tokenValueAllowed() {
+				return dec.tokenError(c)
+			}
+			var x interface{}
+			if err := dec.Decode(&x); err != nil {
+				clearOffset(err)
+				return nil, err
+			}
+			return x, nil
+		}
+	}
+}
+
+func clearOffset(err error) {
+	if s, ok := err.(*SyntaxError); ok {
+		s.Offset = 0
+	}
+}
+
+func (dec *Decoder) tokenError(c byte) (Token, error) {
+	var context string
+	switch dec.tokenState {
+	case tokenTopValue:
+		context = " looking for beginning of value"
+	case tokenArrayStart, tokenArrayValue, tokenObjectValue:
+		context = " looking for beginning of value"
+	case tokenArrayComma:
+		context = " after array element"
+	case tokenObjectKey:
+		context = " looking for beginning of object key string"
+	case tokenObjectColon:
+		context = " after object key"
+	case tokenObjectComma:
+		context = " after object key:value pair"
+	}
+	return nil, &SyntaxError{"invalid character " + quoteChar(c) + " " + context, 0}
+}
+
+// More reports whether there is another element in the
+// current array or object being parsed.
+func (dec *Decoder) More() bool {
+	c, err := dec.peek()
+	return err == nil && c != ']' && c != '}'
+}
+
+func (dec *Decoder) peek() (byte, error) {
+	var err error
+	for {
+		for i := dec.scanp; i < len(dec.buf); i++ {
+			c := dec.buf[i]
+			if isSpace(c) {
+				continue
+			}
+			dec.scanp = i
+			return c, nil
+		}
+		// buffer has been scanned, now report any error
+		if err != nil {
+			return 0, err
+		}
+		err = dec.refill()
+	}
+}
+
+/*
+TODO
+
+// EncodeToken writes the given JSON token to the stream.
+// It returns an error if the delimiters [ ] { } are not properly used.
+//
+// EncodeToken does not call Flush, because usually it is part of
+// a larger operation such as Encode, and those will call Flush when finished.
+// Callers that create an Encoder and then invoke EncodeToken directly,
+// without using Encode, need to call Flush when finished to ensure that
+// the JSON is written to the underlying writer.
+func (e *Encoder) EncodeToken(t Token) error  {
+	...
+}
+
+*/
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/stream_test.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/stream_test.go
new file mode 100644
index 000000000..eccf365b2
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/stream_test.go
@@ -0,0 +1,354 @@
+// Copyright 2010 The Go Authors.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+import (
+	"bytes"
+	"io"
+	"io/ioutil"
+	"log"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"reflect"
+	"strings"
+	"testing"
+)
+
+// Test values for the stream test.
+// One of each JSON kind.
+var streamTest = []interface{}{
+	0.1,
+	"hello",
+	nil,
+	true,
+	false,
+	[]interface{}{"a", "b", "c"},
+	map[string]interface{}{"K": "Kelvin", "ß": "long s"},
+	3.14, // another value to make sure something can follow map
+}
+
+var streamEncoded = `0.1
+"hello"
+null
+true
+false
+["a","b","c"]
+{"ß":"long s","K":"Kelvin"}
+3.14
+`
+
+func TestEncoder(t *testing.T) {
+	for i := 0; i <= len(streamTest); i++ {
+		var buf bytes.Buffer
+		enc := NewEncoder(&buf)
+		for j, v := range streamTest[0:i] {
+			if err := enc.Encode(v); err != nil {
+				t.Fatalf("encode #%d: %v", j, err)
+			}
+		}
+		if have, want := buf.String(), nlines(streamEncoded, i); have != want {
+			t.Errorf("encoding %d items: mismatch", i)
+			diff(t, []byte(have), []byte(want))
+			break
+		}
+	}
+}
+
+func TestDecoder(t *testing.T) {
+	for i := 0; i <= len(streamTest); i++ {
+		// Use stream without newlines as input,
+		// just to stress the decoder even more.
+		// Our test input does not include back-to-back numbers.
+		// Otherwise stripping the newlines would
+		// merge two adjacent JSON values.
+		var buf bytes.Buffer
+		for _, c := range nlines(streamEncoded, i) {
+			if c != '\n' {
+				buf.WriteRune(c)
+			}
+		}
+		out := make([]interface{}, i)
+		dec := NewDecoder(&buf)
+		for j := range out {
+			if err := dec.Decode(&out[j]); err != nil {
+				t.Fatalf("decode #%d/%d: %v", j, i, err)
+			}
+		}
+		if !reflect.DeepEqual(out, streamTest[0:i]) {
+			t.Errorf("decoding %d items: mismatch", i)
+			for j := range out {
+				if !reflect.DeepEqual(out[j], streamTest[j]) {
+					t.Errorf("#%d: have %v want %v", j, out[j], streamTest[j])
+				}
+			}
+			break
+		}
+	}
+}
+
+func TestDecoderBuffered(t *testing.T) {
+	r := strings.NewReader(`{"Name": "Gopher"} extra `)
+	var m struct {
+		Name string
+	}
+	d := NewDecoder(r)
+	err := d.Decode(&m)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if m.Name != "Gopher" {
+		t.Errorf("Name = %q; want Gopher", m.Name)
+	}
+	rest, err := ioutil.ReadAll(d.Buffered())
+	if err != nil {
+		t.Fatal(err)
+	}
+	if g, w := string(rest), " extra "; g != w {
+		t.Errorf("Remaining = %q; want %q", g, w)
+	}
+}
+
+func nlines(s string, n int) string {
+	if n <= 0 {
+		return ""
+	}
+	for i, c := range s {
+		if c == '\n' {
+			if n--; n == 0 {
+				return s[0 : i+1]
+			}
+		}
+	}
+	return s
+}
+
+func TestRawMessage(t *testing.T) {
+	// TODO(rsc): Should not need the * in *RawMessage
+	var data struct {
+		X  float64
+		Id *RawMessage
+		Y  float32
+	}
+	const raw = `["\u0056",null]`
+	const msg = `{"X":0.1,"Id":["\u0056",null],"Y":0.2}`
+	err := Unmarshal([]byte(msg), &data)
+	if err != nil {
+		t.Fatalf("Unmarshal: %v", err)
+	}
+	if string([]byte(*data.Id)) != raw {
+		t.Fatalf("Raw mismatch: have %#q want %#q", []byte(*data.Id), raw)
+	}
+	b, err := Marshal(&data)
+	if err != nil {
+		t.Fatalf("Marshal: %v", err)
+	}
+	if string(b) != msg {
+		t.Fatalf("Marshal: have %#q want %#q", b, msg)
+	}
+}
+
+func TestNullRawMessage(t *testing.T) {
+	// TODO(rsc): Should not need the * in *RawMessage
+	var data struct {
+		X  float64
+		Id *RawMessage
+		Y  float32
+	}
+	data.Id = new(RawMessage)
+	const msg = `{"X":0.1,"Id":null,"Y":0.2}`
+	err := Unmarshal([]byte(msg), &data)
+	if err != nil {
+		t.Fatalf("Unmarshal: %v", err)
+	}
+	if data.Id != nil {
+		t.Fatalf("Raw mismatch: have non-nil, want nil")
+	}
+	b, err := Marshal(&data)
+	if err != nil {
+		t.Fatalf("Marshal: %v", err)
+	}
+	if string(b) != msg {
+		t.Fatalf("Marshal: have %#q want %#q", b, msg)
+	}
+}
+
+var blockingTests = []string{
+	`{"x": 1}`,
+	`[1, 2, 3]`,
+}
+
+func TestBlocking(t *testing.T) {
+	for _, enc := range blockingTests {
+		r, w := net.Pipe()
+		go w.Write([]byte(enc))
+		var val interface{}
+
+		// If Decode reads beyond what w.Write writes above,
+		// it will block, and the test will deadlock.
+		if err := NewDecoder(r).Decode(&val); err != nil {
+			t.Errorf("decoding %s: %v", enc, err)
+		}
+		r.Close()
+		w.Close()
+	}
+}
+
+func BenchmarkEncoderEncode(b *testing.B) {
+	b.ReportAllocs()
+	type T struct {
+		X, Y string
+	}
+	v := &T{"foo", "bar"}
+	for i := 0; i < b.N; i++ {
+		if err := NewEncoder(ioutil.Discard).Encode(v); err != nil {
+			b.Fatal(err)
+		}
+	}
+}
+
+type tokenStreamCase struct {
+	json      string
+	expTokens []interface{}
+}
+
+type decodeThis struct {
+	v interface{}
+}
+
+var tokenStreamCases []tokenStreamCase = []tokenStreamCase{
+	// streaming token cases
+	{json: `10`, expTokens: []interface{}{float64(10)}},
+	{json: ` [10] `, expTokens: []interface{}{
+		Delim('['), float64(10), Delim(']')}},
+	{json: ` [false,10,"b"] `, expTokens: []interface{}{
+		Delim('['), false, float64(10), "b", Delim(']')}},
+	{json: `{ "a": 1 }`, expTokens: []interface{}{
+		Delim('{'), "a", float64(1), Delim('}')}},
+	{json: `{"a": 1, "b":"3"}`, expTokens: []interface{}{
+		Delim('{'), "a", float64(1), "b", "3", Delim('}')}},
+	{json: ` [{"a": 1},{"a": 2}] `, expTokens: []interface{}{
+		Delim('['),
+		Delim('{'), "a", float64(1), Delim('}'),
+		Delim('{'), "a", float64(2), Delim('}'),
+		Delim(']')}},
+	{json: `{"obj": {"a": 1}}`, expTokens: []interface{}{
+		Delim('{'), "obj", Delim('{'), "a", float64(1), Delim('}'),
+		Delim('}')}},
+	{json: `{"obj": [{"a": 1}]}`, expTokens: []interface{}{
+		Delim('{'), "obj", Delim('['),
+		Delim('{'), "a", float64(1), Delim('}'),
+		Delim(']'), Delim('}')}},
+
+	// streaming tokens with intermittent Decode()
+	{json: `{ "a": 1 }`, expTokens: []interface{}{
+		Delim('{'), "a",
+		decodeThis{float64(1)},
+		Delim('}')}},
+	{json: ` [ { "a" : 1 } ] `, expTokens: []interface{}{
+		Delim('['),
+		decodeThis{map[string]interface{}{"a": float64(1)}},
+		Delim(']')}},
+	{json: ` [{"a": 1},{"a": 2}] `, expTokens: []interface{}{
+		Delim('['),
+		decodeThis{map[string]interface{}{"a": float64(1)}},
+		decodeThis{map[string]interface{}{"a": float64(2)}},
+		Delim(']')}},
+	{json: `{ "obj" : [ { "a" : 1 } ] }`, expTokens: []interface{}{
+		Delim('{'), "obj", Delim('['),
+		decodeThis{map[string]interface{}{"a": float64(1)}},
+		Delim(']'), Delim('}')}},
+
+	{json: `{"obj": {"a": 1}}`, expTokens: []interface{}{
+		Delim('{'), "obj",
+		decodeThis{map[string]interface{}{"a": float64(1)}},
+		Delim('}')}},
+	{json: `{"obj": [{"a": 1}]}`, expTokens: []interface{}{
+		Delim('{'), "obj",
+		decodeThis{[]interface{}{
+			map[string]interface{}{"a": float64(1)},
+		}},
+		Delim('}')}},
+	{json: ` [{"a": 1} {"a": 2}] `, expTokens: []interface{}{
+		Delim('['),
+		decodeThis{map[string]interface{}{"a": float64(1)}},
+		decodeThis{&SyntaxError{"expected comma after array element", 0}},
+	}},
+	{json: `{ "a" 1 }`, expTokens: []interface{}{
+		Delim('{'), "a",
+		decodeThis{&SyntaxError{"expected colon after object key", 0}},
+	}},
+}
+
+func TestDecodeInStream(t *testing.T) {
+
+	for ci, tcase := range tokenStreamCases {
+
+		dec := NewDecoder(strings.NewReader(tcase.json))
+		for i, etk := range tcase.expTokens {
+
+			var tk interface{}
+			var err error
+
+			if dt, ok := etk.(decodeThis); ok {
+				etk = dt.v
+				err = dec.Decode(&tk)
+			} else {
+				tk, err = dec.Token()
+			}
+			if experr, ok := etk.(error); ok {
+				if err == nil || err.Error() != experr.Error() {
+					t.Errorf("case %v: Expected error %v in %q, but was %v", ci, experr, tcase.json, err)
+				}
+				break
+			} else if err == io.EOF {
+				t.Errorf("case %v: Unexpected EOF in %q", ci, tcase.json)
+				break
+			} else if err != nil {
+				t.Errorf("case %v: Unexpected error '%v' in %q", ci, err, tcase.json)
+				break
+			}
+			if !reflect.DeepEqual(tk, etk) {
+				t.Errorf(`case %v: %q @ %v expected %T(%v) was %T(%v)`, ci, tcase.json, i, etk, etk, tk, tk)
+				break
+			}
+		}
+	}
+
+}
+
+// Test from golang.org/issue/11893
+func TestHTTPDecoding(t *testing.T) {
+	const raw = `{ "foo": "bar" }`
+
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Write([]byte(raw))
+	}))
+	defer ts.Close()
+	res, err := http.Get(ts.URL)
+	if err != nil {
+		log.Fatalf("GET failed: %v", err)
+	}
+	defer res.Body.Close()
+
+	foo := struct {
+		Foo string `json:"foo"`
+	}{}
+
+	d := NewDecoder(res.Body)
+	err = d.Decode(&foo)
+	if err != nil {
+		t.Fatalf("Decode: %v", err)
+	}
+	if foo.Foo != "bar" {
+		t.Errorf("decoded %q; want \"bar\"", foo.Foo)
+	}
+
+	// make sure we get the EOF the second time
+	err = d.Decode(&foo)
+	if err != io.EOF {
+		t.Errorf("err = %v; want io.EOF", err)
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/tagkey_test.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/tagkey_test.go
new file mode 100644
index 000000000..85bb4ba83
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/tagkey_test.go
@@ -0,0 +1,115 @@
+// Copyright 2011 The Go Authors.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+import (
+	"testing"
+)
+
+type basicLatin2xTag struct {
+	V string `json:"$%-/"`
+}
+
+type basicLatin3xTag struct {
+	V string `json:"0123456789"`
+}
+
+type basicLatin4xTag struct {
+	V string `json:"ABCDEFGHIJKLMO"`
+}
+
+type basicLatin5xTag struct {
+	V string `json:"PQRSTUVWXYZ_"`
+}
+
+type basicLatin6xTag struct {
+	V string `json:"abcdefghijklmno"`
+}
+
+type basicLatin7xTag struct {
+	V string `json:"pqrstuvwxyz"`
+}
+
+type miscPlaneTag struct {
+	V string `json:"色は匂へど"`
+}
+
+type percentSlashTag struct {
+	V string `json:"text/html%"` // https://golang.org/issue/2718
+}
+
+type punctuationTag struct {
+	V string `json:"!#$%&()*+-./:<=>?@[]^_{|}~"` // https://golang.org/issue/3546
+}
+
+type emptyTag struct {
+	W string
+}
+
+type misnamedTag struct {
+	X string `jsom:"Misnamed"`
+}
+
+type badFormatTag struct {
+	Y string `:"BadFormat"`
+}
+
+type badCodeTag struct {
+	Z string `json:" !\"#&'()*+,."`
+}
+
+type spaceTag struct {
+	Q string `json:"With space"`
+}
+
+type unicodeTag struct {
+	W string `json:"Ελλάδα"`
+}
+
+var structTagObjectKeyTests = []struct {
+	raw   interface{}
+	value string
+	key   string
+}{
+	{basicLatin2xTag{"2x"}, "2x", "$%-/"},
+	{basicLatin3xTag{"3x"}, "3x", "0123456789"},
+	{basicLatin4xTag{"4x"}, "4x", "ABCDEFGHIJKLMO"},
+	{basicLatin5xTag{"5x"}, "5x", "PQRSTUVWXYZ_"},
+	{basicLatin6xTag{"6x"}, "6x", "abcdefghijklmno"},
+	{basicLatin7xTag{"7x"}, "7x", "pqrstuvwxyz"},
+	{miscPlaneTag{"いろはにほへと"}, "いろはにほへと", "色は匂へど"},
+	{emptyTag{"Pour Moi"}, "Pour Moi", "W"},
+	{misnamedTag{"Animal Kingdom"}, "Animal Kingdom", "X"},
+	{badFormatTag{"Orfevre"}, "Orfevre", "Y"},
+	{badCodeTag{"Reliable Man"}, "Reliable Man", "Z"},
+	{percentSlashTag{"brut"}, "brut", "text/html%"},
+	{punctuationTag{"Union Rags"}, "Union Rags", "!#$%&()*+-./:<=>?@[]^_{|}~"},
+	{spaceTag{"Perreddu"}, "Perreddu", "With space"},
+	{unicodeTag{"Loukanikos"}, "Loukanikos", "Ελλάδα"},
+}
+
+func TestStructTagObjectKey(t *testing.T) {
+	for _, tt := range structTagObjectKeyTests {
+		b, err := Marshal(tt.raw)
+		if err != nil {
+			t.Fatalf("Marshal(%#q) failed: %v", tt.raw, err)
+		}
+		var f interface{}
+		err = Unmarshal(b, &f)
+		if err != nil {
+			t.Fatalf("Unmarshal(%#q) failed: %v", b, err)
+		}
+		for i, v := range f.(map[string]interface{}) {
+			switch i {
+			case tt.key:
+				if s, ok := v.(string); !ok || s != tt.value {
+					t.Fatalf("Unexpected value: %#q, want %v", s, tt.value)
+				}
+			default:
+				t.Fatalf("Unexpected key: %#q, from %#q", i, b)
+			}
+		}
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/tags.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/tags.go
new file mode 100644
index 000000000..c38fd5102
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/tags.go
@@ -0,0 +1,44 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+import (
+	"strings"
+)
+
+// tagOptions is the string following a comma in a struct field's "json"
+// tag, or the empty string. It does not include the leading comma.
+type tagOptions string
+
+// parseTag splits a struct field's json tag into its name and
+// comma-separated options.
+func parseTag(tag string) (string, tagOptions) {
+	if idx := strings.Index(tag, ","); idx != -1 {
+		return tag[:idx], tagOptions(tag[idx+1:])
+	}
+	return tag, tagOptions("")
+}
+
+// Contains reports whether a comma-separated list of options
+// contains a particular substr flag. substr must be surrounded by a
+// string boundary or commas.
+func (o tagOptions) Contains(optionName string) bool {
+	if len(o) == 0 {
+		return false
+	}
+	s := string(o)
+	for s != "" {
+		var next string
+		i := strings.Index(s, ",")
+		if i >= 0 {
+			s, next = s[:i], s[i+1:]
+		}
+		if s == optionName {
+			return true
+		}
+		s = next
+	}
+	return false
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/tags_test.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/tags_test.go
new file mode 100644
index 000000000..91fb18831
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/tags_test.go
@@ -0,0 +1,28 @@
+// Copyright 2011 The Go Authors.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package json
+
+import (
+	"testing"
+)
+
+func TestTagParsing(t *testing.T) {
+	name, opts := parseTag("field,foobar,foo")
+	if name != "field" {
+		t.Fatalf("name = %q, want field", name)
+	}
+	for _, tt := range []struct {
+		opt  string
+		want bool
+	}{
+		{"foobar", true},
+		{"foo", true},
+		{"bar", false},
+	} {
+		if opts.Contains(tt.opt) != tt.want {
+			t.Errorf("Contains(%q) = %v", tt.opt, !tt.want)
+		}
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/testdata/code.json.gz b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/testdata/code.json.gz
new file mode 100644
index 000000000..0e2895b53
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json/testdata/code.json.gz
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json_fork_test.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json_fork_test.go
new file mode 100644
index 000000000..686df51b2
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/json_fork_test.go
@@ -0,0 +1,116 @@
+// +build !std_json
+
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jose
+
+import (
+	"testing"
+
+	"gopkg.in/square/go-jose.v1/json"
+)
+
+type CaseSensitive struct {
+	A int `json:"Test"`
+	B int `json:"test"`
+	C int `json:"TEST"`
+}
+
+type UnicodeTest struct {
+	Sig string `json:"sig"`
+}
+
+func TestUnicodeComparison(t *testing.T) {
+	// Some tests from RFC 7515, Section 10.13
+	raw := []byte(`{"\u0073ig":"foo"}`)
+	var ut UnicodeTest
+	err := json.Unmarshal(raw, &ut)
+	if err != nil {
+		t.Error(err)
+	}
+
+	if ut.Sig != "foo" {
+		t.Error("strings 'sig' and '\\u0073ig' should be equal")
+	}
+
+	raw = []byte(`{"si\u0047":"bar"}`)
+	var ut2 UnicodeTest
+	err = json.Unmarshal(raw, &ut2)
+	if err != nil {
+		t.Error(err)
+	}
+
+	if ut2.Sig != "" {
+		t.Error("strings 'sig' and 'si\\u0047' should not be equal")
+	}
+}
+
+func TestCaseSensitiveJSON(t *testing.T) {
+	raw := []byte(`{"test":42}`)
+	var cs CaseSensitive
+	err := json.Unmarshal(raw, &cs)
+	if err != nil {
+		t.Error(err)
+	}
+
+	if cs.A != 0 || cs.B != 42 || cs.C != 0 {
+		t.Errorf("parsing JSON should be case-sensitive (got %v)", cs)
+	}
+}
+
+func TestErrorOnTrailingCharacters(t *testing.T) {
+	raw := []byte(`{"test":42}asdf`)
+	var m map[string]interface{}
+	err := json.Unmarshal(raw, &m)
+	if err == nil {
+		t.Error("json.Unmarshal should fail if string has trailing chars")
+	}
+}
+
+func TestRejectDuplicateKeysObject(t *testing.T) {
+	raw := []byte(`{"test":42,"test":43}`)
+	var cs CaseSensitive
+	err := json.Unmarshal(raw, &cs)
+	if err == nil {
+		t.Error("should reject JSON with duplicate keys, but didn't")
+	}
+}
+
+func TestRejectDuplicateKeysInterface(t *testing.T) {
+	raw := []byte(`{"test":42,"test":43}`)
+	var m interface{}
+	err := json.Unmarshal(raw, &m)
+	if err == nil {
+		t.Error("should reject JSON with duplicate keys, but didn't")
+	}
+}
+
+func TestParseCaseSensitiveJWE(t *testing.T) {
+	invalidJWE := `{"protected":"eyJlbmMiOiJYWVoiLCJBTEciOiJYWVoifQo","encrypted_key":"QUJD","iv":"QUJD","ciphertext":"QUJD","tag":"QUJD"}`
+	_, err := ParseEncrypted(invalidJWE)
+	if err == nil {
+		t.Error("Able to parse message with case-invalid headers", invalidJWE)
+	}
+}
+
+func TestParseCaseSensitiveJWS(t *testing.T) {
+	invalidJWS := `{"PAYLOAD":"CUJD","signatures":[{"protected":"e30","signature":"CUJD"}]}`
+	_, err := ParseSigned(invalidJWS)
+	if err == nil {
+		t.Error("Able to parse message with case-invalid headers", invalidJWS)
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/jwe.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/jwe.go
new file mode 100644
index 000000000..7eb8956d2
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/jwe.go
@@ -0,0 +1,280 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jose
+
+import (
+	"fmt"
+	"strings"
+
+	"gopkg.in/square/go-jose.v1/json"
+)
+
+// rawJsonWebEncryption represents a raw JWE JSON object. Used for parsing/serializing.
+type rawJsonWebEncryption struct {
+	Protected    *byteBuffer        `json:"protected,omitempty"`
+	Unprotected  *rawHeader         `json:"unprotected,omitempty"`
+	Header       *rawHeader         `json:"header,omitempty"`
+	Recipients   []rawRecipientInfo `json:"recipients,omitempty"`
+	Aad          *byteBuffer        `json:"aad,omitempty"`
+	EncryptedKey *byteBuffer        `json:"encrypted_key,omitempty"`
+	Iv           *byteBuffer        `json:"iv,omitempty"`
+	Ciphertext   *byteBuffer        `json:"ciphertext,omitempty"`
+	Tag          *byteBuffer        `json:"tag,omitempty"`
+}
+
+// rawRecipientInfo represents a raw JWE Per-Recipient header JSON object. Used for parsing/serializing.
+type rawRecipientInfo struct {
+	Header       *rawHeader `json:"header,omitempty"`
+	EncryptedKey string     `json:"encrypted_key,omitempty"`
+}
+
+// JsonWebEncryption represents an encrypted JWE object after parsing.
+type JsonWebEncryption struct {
+	Header                   JoseHeader
+	protected, unprotected   *rawHeader
+	recipients               []recipientInfo
+	aad, iv, ciphertext, tag []byte
+	original                 *rawJsonWebEncryption
+}
+
+// recipientInfo represents a raw JWE Per-Recipient header JSON object after parsing.
+type recipientInfo struct {
+	header       *rawHeader
+	encryptedKey []byte
+}
+
+// GetAuthData retrieves the (optional) authenticated data attached to the object.
+func (obj JsonWebEncryption) GetAuthData() []byte {
+	if obj.aad != nil {
+		out := make([]byte, len(obj.aad))
+		copy(out, obj.aad)
+		return out
+	}
+
+	return nil
+}
+
+// Get the merged header values
+func (obj JsonWebEncryption) mergedHeaders(recipient *recipientInfo) rawHeader {
+	out := rawHeader{}
+	out.merge(obj.protected)
+	out.merge(obj.unprotected)
+
+	if recipient != nil {
+		out.merge(recipient.header)
+	}
+
+	return out
+}
+
+// Get the additional authenticated data from a JWE object.
+func (obj JsonWebEncryption) computeAuthData() []byte {
+	var protected string
+
+	if obj.original != nil {
+		protected = obj.original.Protected.base64()
+	} else {
+		protected = base64URLEncode(mustSerializeJSON((obj.protected)))
+	}
+
+	output := []byte(protected)
+	if obj.aad != nil {
+		output = append(output, '.')
+		output = append(output, []byte(base64URLEncode(obj.aad))...)
+	}
+
+	return output
+}
+
+// ParseEncrypted parses an encrypted message in compact or full serialization format.
+func ParseEncrypted(input string) (*JsonWebEncryption, error) {
+	input = stripWhitespace(input)
+	if strings.HasPrefix(input, "{") {
+		return parseEncryptedFull(input)
+	}
+
+	return parseEncryptedCompact(input)
+}
+
+// parseEncryptedFull parses a message in compact format.
+func parseEncryptedFull(input string) (*JsonWebEncryption, error) {
+	var parsed rawJsonWebEncryption
+	err := json.Unmarshal([]byte(input), &parsed)
+	if err != nil {
+		return nil, err
+	}
+
+	return parsed.sanitized()
+}
+
+// sanitized produces a cleaned-up JWE object from the raw JSON.
+func (parsed *rawJsonWebEncryption) sanitized() (*JsonWebEncryption, error) {
+	obj := &JsonWebEncryption{
+		original:    parsed,
+		unprotected: parsed.Unprotected,
+	}
+
+	// Check that there is not a nonce in the unprotected headers
+	if (parsed.Unprotected != nil && parsed.Unprotected.Nonce != "") ||
+		(parsed.Header != nil && parsed.Header.Nonce != "") {
+		return nil, ErrUnprotectedNonce
+	}
+
+	if parsed.Protected != nil && len(parsed.Protected.bytes()) > 0 {
+		err := json.Unmarshal(parsed.Protected.bytes(), &obj.protected)
+		if err != nil {
+			return nil, fmt.Errorf("square/go-jose: invalid protected header: %s, %s", err, parsed.Protected.base64())
+		}
+	}
+
+	// Note: this must be called _after_ we parse the protected header,
+	// otherwise fields from the protected header will not get picked up.
+	obj.Header = obj.mergedHeaders(nil).sanitized()
+
+	if len(parsed.Recipients) == 0 {
+		obj.recipients = []recipientInfo{
+			recipientInfo{
+				header:       parsed.Header,
+				encryptedKey: parsed.EncryptedKey.bytes(),
+			},
+		}
+	} else {
+		obj.recipients = make([]recipientInfo, len(parsed.Recipients))
+		for r := range parsed.Recipients {
+			encryptedKey, err := base64URLDecode(parsed.Recipients[r].EncryptedKey)
+			if err != nil {
+				return nil, err
+			}
+
+			// Check that there is not a nonce in the unprotected header
+			if parsed.Recipients[r].Header != nil && parsed.Recipients[r].Header.Nonce != "" {
+				return nil, ErrUnprotectedNonce
+			}
+
+			obj.recipients[r].header = parsed.Recipients[r].Header
+			obj.recipients[r].encryptedKey = encryptedKey
+		}
+	}
+
+	for _, recipient := range obj.recipients {
+		headers := obj.mergedHeaders(&recipient)
+		if headers.Alg == "" || headers.Enc == "" {
+			return nil, fmt.Errorf("square/go-jose: message is missing alg/enc headers")
+		}
+	}
+
+	obj.iv = parsed.Iv.bytes()
+	obj.ciphertext = parsed.Ciphertext.bytes()
+	obj.tag = parsed.Tag.bytes()
+	obj.aad = parsed.Aad.bytes()
+
+	return obj, nil
+}
+
+// parseEncryptedCompact parses a message in compact format.
+func parseEncryptedCompact(input string) (*JsonWebEncryption, error) {
+	parts := strings.Split(input, ".")
+	if len(parts) != 5 {
+		return nil, fmt.Errorf("square/go-jose: compact JWE format must have five parts")
+	}
+
+	rawProtected, err := base64URLDecode(parts[0])
+	if err != nil {
+		return nil, err
+	}
+
+	encryptedKey, err := base64URLDecode(parts[1])
+	if err != nil {
+		return nil, err
+	}
+
+	iv, err := base64URLDecode(parts[2])
+	if err != nil {
+		return nil, err
+	}
+
+	ciphertext, err := base64URLDecode(parts[3])
+	if err != nil {
+		return nil, err
+	}
+
+	tag, err := base64URLDecode(parts[4])
+	if err != nil {
+		return nil, err
+	}
+
+	raw := &rawJsonWebEncryption{
+		Protected:    newBuffer(rawProtected),
+		EncryptedKey: newBuffer(encryptedKey),
+		Iv:           newBuffer(iv),
+		Ciphertext:   newBuffer(ciphertext),
+		Tag:          newBuffer(tag),
+	}
+
+	return raw.sanitized()
+}
+
+// CompactSerialize serializes an object using the compact serialization format.
+func (obj JsonWebEncryption) CompactSerialize() (string, error) {
+	if len(obj.recipients) != 1 || obj.unprotected != nil ||
+		obj.protected == nil || obj.recipients[0].header != nil {
+		return "", ErrNotSupported
+	}
+
+	serializedProtected := mustSerializeJSON(obj.protected)
+
+	return fmt.Sprintf(
+		"%s.%s.%s.%s.%s",
+		base64URLEncode(serializedProtected),
+		base64URLEncode(obj.recipients[0].encryptedKey),
+		base64URLEncode(obj.iv),
+		base64URLEncode(obj.ciphertext),
+		base64URLEncode(obj.tag)), nil
+}
+
+// FullSerialize serializes an object using the full JSON serialization format.
+func (obj JsonWebEncryption) FullSerialize() string {
+	raw := rawJsonWebEncryption{
+		Unprotected:  obj.unprotected,
+		Iv:           newBuffer(obj.iv),
+		Ciphertext:   newBuffer(obj.ciphertext),
+		EncryptedKey: newBuffer(obj.recipients[0].encryptedKey),
+		Tag:          newBuffer(obj.tag),
+		Aad:          newBuffer(obj.aad),
+		Recipients:   []rawRecipientInfo{},
+	}
+
+	if len(obj.recipients) > 1 {
+		for _, recipient := range obj.recipients {
+			info := rawRecipientInfo{
+				Header:       recipient.header,
+				EncryptedKey: base64URLEncode(recipient.encryptedKey),
+			}
+			raw.Recipients = append(raw.Recipients, info)
+		}
+	} else {
+		// Use flattened serialization
+		raw.Header = obj.recipients[0].header
+		raw.EncryptedKey = newBuffer(obj.recipients[0].encryptedKey)
+	}
+
+	if obj.protected != nil {
+		raw.Protected = newBuffer(mustSerializeJSON(obj.protected))
+	}
+
+	return string(mustSerializeJSON(raw))
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/jwe_test.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/jwe_test.go
new file mode 100644
index 000000000..ab03fd000
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/jwe_test.go
@@ -0,0 +1,537 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jose
+
+import (
+	"bytes"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rsa"
+	"math/big"
+	"testing"
+)
+
+func TestCompactParseJWE(t *testing.T) {
+	// Should parse
+	msg := "eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.dGVzdA.dGVzdA.dGVzdA.dGVzdA"
+	_, err := ParseEncrypted(msg)
+	if err != nil {
+		t.Error("Unable to parse valid message:", err)
+	}
+
+	// Messages that should fail to parse
+	failures := []string{
+		// Too many parts
+		"eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.dGVzdA.dGVzdA.dGVzdA.dGVzdA.dGVzdA",
+		// Not enough parts
+		"eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.dGVzdA.dGVzdA.dGVzdA",
+		// Invalid encrypted key
+		"eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.//////.dGVzdA.dGVzdA.dGVzdA",
+		// Invalid IV
+		"eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.dGVzdA.//////.dGVzdA.dGVzdA",
+		// Invalid ciphertext
+		"eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.dGVzdA.dGVzdA.//////.dGVzdA",
+		// Invalid tag
+		"eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.dGVzdA.dGVzdA.dGVzdA.//////",
+		// Invalid header
+		"W10.dGVzdA.dGVzdA.dGVzdA.dGVzdA",
+		// Invalid header
+		"######.dGVzdA.dGVzdA.dGVzdA.dGVzdA",
+		// Missing alc/enc params
+		"e30.dGVzdA.dGVzdA.dGVzdA.dGVzdA",
+	}
+
+	for _, msg := range failures {
+		_, err = ParseEncrypted(msg)
+		if err == nil {
+			t.Error("Able to parse invalid message", msg)
+		}
+	}
+}
+
+func TestFullParseJWE(t *testing.T) {
+	// Messages that should succeed to parse
+	successes := []string{
+		// Flattened serialization, single recipient
+		"{\"protected\":\"eyJhbGciOiJYWVoiLCJlbmMiOiJYWVoifQo\",\"encrypted_key\":\"QUJD\",\"iv\":\"QUJD\",\"ciphertext\":\"QUJD\",\"tag\":\"QUJD\"}",
+		// Unflattened serialization, single recipient
+		"{\"protected\":\"\",\"unprotected\":{\"enc\":\"XYZ\"},\"recipients\":[{\"header\":{\"alg\":\"XYZ\"},\"encrypted_key\":\"QUJD\"}],\"iv\":\"QUJD\",\"ciphertext\":\"QUJD\",\"tag\":\"QUJD\"}",
+	}
+
+	for i := range successes {
+		_, err := ParseEncrypted(successes[i])
+		if err != nil {
+			t.Error("Unble to parse valid message", err, successes[i])
+		}
+	}
+
+	// Messages that should fail to parse
+	failures := []string{
+		// Empty
+		"{}",
+		// Invalid JSON
+		"{XX",
+		// Invalid protected header
+		"{\"protected\":\"###\"}",
+		// Invalid protected header
+		"{\"protected\":\"e1gK\"}",
+		// Invalid encrypted key
+		"{\"protected\":\"e30\",\"encrypted_key\":\"###\"}",
+		// Invalid IV
+		"{\"protected\":\"e30\",\"encrypted_key\":\"QUJD\",\"iv\":\"###\"}",
+		// Invalid ciphertext
+		"{\"protected\":\"e30\",\"encrypted_key\":\"QUJD\",\"iv\":\"QUJD\",\"ciphertext\":\"###\"}",
+		// Invalid tag
+		"{\"protected\":\"e30\",\"encrypted_key\":\"QUJD\",\"iv\":\"QUJD\",\"ciphertext\":\"QUJD\",\"tag\":\"###\"}",
+		// Invalid AAD
+		"{\"protected\":\"e30\",\"encrypted_key\":\"QUJD\",\"iv\":\"QUJD\",\"ciphertext\":\"QUJD\",\"tag\":\"QUJD\",\"aad\":\"###\"}",
+		// Missing alg/enc headers
+		"{\"protected\":\"e30\",\"encrypted_key\":\"QUJD\",\"iv\":\"QUJD\",\"ciphertext\":\"QUJD\",\"tag\":\"QUJD\"}",
+		// Missing enc header
+		"{\"protected\":\"eyJhbGciOiJYWVoifQ\",\"encrypted_key\":\"QUJD\",\"iv\":\"QUJD\",\"ciphertext\":\"QUJD\",\"tag\":\"QUJD\"}",
+		// Missing alg header
+		"{\"protected\":\"eyJlbmMiOiJYWVoifQ\",\"encrypted_key\":\"QUJD\",\"iv\":\"QUJD\",\"ciphertext\":\"QUJD\",\"tag\":\"QUJD\"}",
+		// Unflattened serialization, single recipient, invalid encrypted_key
+		"{\"protected\":\"\",\"recipients\":[{\"header\":{\"alg\":\"XYZ\", \"enc\":\"XYZ\"},\"encrypted_key\":\"###\"}],\"iv\":\"QUJD\",\"ciphertext\":\"QUJD\",\"tag\":\"QUJD\"}",
+		// Unflattened serialization, single recipient, missing alg
+		"{\"protected\":\"eyJhbGciOiJYWVoifQ\",\"recipients\":[{\"encrypted_key\":\"QUJD\"}],\"iv\":\"QUJD\",\"ciphertext\":\"QUJD\",\"tag\":\"QUJD\"}",
+	}
+
+	for i := range failures {
+		_, err := ParseEncrypted(failures[i])
+		if err == nil {
+			t.Error("Able to parse invalid message", err, failures[i])
+		}
+	}
+}
+
+func TestMissingInvalidHeaders(t *testing.T) {
+	obj := &JsonWebEncryption{
+		protected:   &rawHeader{Enc: A128GCM},
+		unprotected: &rawHeader{},
+		recipients: []recipientInfo{
+			recipientInfo{},
+		},
+	}
+
+	_, err := obj.Decrypt(nil)
+	if err != ErrUnsupportedKeyType {
+		t.Error("should detect invalid key")
+	}
+
+	obj.unprotected.Crit = []string{"1", "2"}
+
+	_, err = obj.Decrypt(nil)
+	if err == nil {
+		t.Error("should reject message with crit header")
+	}
+
+	obj.unprotected.Crit = nil
+	obj.protected = &rawHeader{Alg: string(RSA1_5)}
+
+	_, err = obj.Decrypt(rsaTestKey)
+	if err == nil || err == ErrCryptoFailure {
+		t.Error("should detect missing enc header")
+	}
+}
+
+func TestRejectUnprotectedJWENonce(t *testing.T) {
+	// No need to test compact, since that's always protected
+
+	// Flattened JSON
+	input := `{
+	"header":  {
+		"alg": "XYZ", "enc": "XYZ",
+		"nonce": "should-cause-an-error"
+	},
+	"encrypted_key": "does-not-matter",
+	"aad": "does-not-matter",
+	"iv": "does-not-matter",
+	"ciphertext": "does-not-matter",
+	"tag": "does-not-matter"
+	}`
+	_, err := ParseEncrypted(input)
+	if err == nil {
+		t.Error("JWE with an unprotected nonce parsed as valid.")
+	} else if err.Error() != "square/go-jose: Nonce parameter included in unprotected header" {
+		t.Errorf("Improper error for unprotected nonce: %v", err)
+	}
+
+	input = `{
+		"unprotected":  {
+			"alg": "XYZ", "enc": "XYZ",
+			"nonce": "should-cause-an-error"
+		},
+		"encrypted_key": "does-not-matter",
+		"aad": "does-not-matter",
+		"iv": "does-not-matter",
+		"ciphertext": "does-not-matter",
+		"tag": "does-not-matter"
+	}`
+	_, err = ParseEncrypted(input)
+	if err == nil {
+		t.Error("JWE with an unprotected nonce parsed as valid.")
+	} else if err.Error() != "square/go-jose: Nonce parameter included in unprotected header" {
+		t.Errorf("Improper error for unprotected nonce: %v", err)
+	}
+
+	// Full JSON
+	input = `{
+		"header":  { "alg": "XYZ", "enc": "XYZ" },
+		"aad": "does-not-matter",
+		"iv": "does-not-matter",
+		"ciphertext": "does-not-matter",
+		"tag": "does-not-matter",
+		"recipients": [{
+			"header": { "nonce": "should-cause-an-error" },
+			"encrypted_key": "does-not-matter"
+		}]
+	}`
+	_, err = ParseEncrypted(input)
+	if err == nil {
+		t.Error("JWS with an unprotected nonce parsed as valid.")
+	} else if err.Error() != "square/go-jose: Nonce parameter included in unprotected header" {
+		t.Errorf("Improper error for unprotected nonce: %v", err)
+	}
+}
+
+func TestCompactSerialize(t *testing.T) {
+	// Compact serialization must fail if we have unprotected headers
+	obj := &JsonWebEncryption{
+		unprotected: &rawHeader{Alg: "XYZ"},
+	}
+
+	_, err := obj.CompactSerialize()
+	if err == nil {
+		t.Error("Object with unprotected headers can't be compact serialized")
+	}
+}
+
+func TestVectorsJWE(t *testing.T) {
+	plaintext := []byte("The true sign of intelligence is not knowledge but imagination.")
+
+	publicKey := &rsa.PublicKey{
+		N: fromBase64Int(`
+			oahUIoWw0K0usKNuOR6H4wkf4oBUXHTxRvgb48E-BVvxkeDNjbC4he8rUW
+			cJoZmds2h7M70imEVhRU5djINXtqllXI4DFqcI1DgjT9LewND8MW2Krf3S
+			psk_ZkoFnilakGygTwpZ3uesH-PFABNIUYpOiN15dsQRkgr0vEhxN92i2a
+			sbOenSZeyaxziK72UwxrrKoExv6kc5twXTq4h-QChLOln0_mtUZwfsRaMS
+			tPs6mS6XrgxnxbWhojf663tuEQueGC-FCMfra36C9knDFGzKsNa7LZK2dj
+			YgyD3JR_MB_4NUJW_TqOQtwHYbxevoJArm-L5StowjzGy-_bq6Gw`),
+		E: 65537,
+	}
+
+	expectedCompact := stripWhitespace(`
+		eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ.ROQCfge4JPm_
+		yACxv1C1NSXmwNbL6kvmCuyxBRGpW57DvlwByjyjsb6g8m7wtLMqKEyhFCn
+		tV7sjippEePIlKln6BvVnz5ZLXHNYQgmubuNq8MC0KTwcaGJ_C0z_T8j4PZ
+		a1nfpbhSe-ePYaALrf_nIsSRKu7cWsrwOSlaRPecRnYeDd_ytAxEQWYEKFi
+		Pszc70fP9geZOB_09y9jq0vaOF0jGmpIAmgk71lCcUpSdrhNokTKo5y8MH8
+		3NcbIvmuZ51cjXQj1f0_AwM9RW3oCh2Hu0z0C5l4BujZVsDuGgMsGZsjUhS
+		RZsAQSXHCAmlJ2NlnN60U7y4SPJhKv5tKYw.48V1_ALb6US04U3b.5eym8T
+		W_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo4vpzs9tX_EFShS8iB7j6jiS
+		diwkIr3ajwQzaBtQD_A.XFBoMYUZodetZdvTiFvSkQ`)
+
+	expectedFull := stripWhitespace(`
+		{ "protected":"eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ",
+		"encrypted_key":
+			"ROQCfge4JPm_yACxv1C1NSXmwNbL6kvmCuyxBRGpW57DvlwByjyjsb
+			 6g8m7wtLMqKEyhFCntV7sjippEePIlKln6BvVnz5ZLXHNYQgmubuNq
+			 8MC0KTwcaGJ_C0z_T8j4PZa1nfpbhSe-ePYaALrf_nIsSRKu7cWsrw
+			 OSlaRPecRnYeDd_ytAxEQWYEKFiPszc70fP9geZOB_09y9jq0vaOF0
+			 jGmpIAmgk71lCcUpSdrhNokTKo5y8MH83NcbIvmuZ51cjXQj1f0_Aw
+			 M9RW3oCh2Hu0z0C5l4BujZVsDuGgMsGZsjUhSRZsAQSXHCAmlJ2Nln
+			 N60U7y4SPJhKv5tKYw",
+		"iv": "48V1_ALb6US04U3b",
+		"ciphertext":
+			"5eym8TW_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo4vpzs9tX_EFS
+			 hS8iB7j6jiSdiwkIr3ajwQzaBtQD_A",
+		"tag":"XFBoMYUZodetZdvTiFvSkQ" }`)
+
+	// Mock random reader
+	randReader = bytes.NewReader([]byte{
+		// Encryption key
+		177, 161, 244, 128, 84, 143, 225, 115, 63, 180, 3, 255, 107, 154,
+		212, 246, 138, 7, 110, 91, 112, 46, 34, 105, 47, 130, 203, 46, 122,
+		234, 64, 252,
+		// Randomness for RSA-OAEP
+		0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+		// Initialization vector
+		227, 197, 117, 252, 2, 219, 233, 68, 180, 225, 77, 219})
+	defer resetRandReader()
+
+	// Encrypt with a dummy key
+	encrypter, err := NewEncrypter(RSA_OAEP, A256GCM, publicKey)
+	if err != nil {
+		panic(err)
+	}
+
+	object, err := encrypter.Encrypt(plaintext)
+	if err != nil {
+		panic(err)
+	}
+
+	serialized, err := object.CompactSerialize()
+	if serialized != expectedCompact {
+		t.Error("Compact serialization is not what we expected", serialized, expectedCompact)
+	}
+
+	serialized = object.FullSerialize()
+	if serialized != expectedFull {
+		t.Error("Full serialization is not what we expected")
+	}
+}
+
+func TestVectorsJWECorrupt(t *testing.T) {
+	priv := &rsa.PrivateKey{
+		PublicKey: rsa.PublicKey{
+			N: fromHexInt(`
+				a8b3b284af8eb50b387034a860f146c4919f318763cd6c5598c8
+				ae4811a1e0abc4c7e0b082d693a5e7fced675cf4668512772c0c
+				bc64a742c6c630f533c8cc72f62ae833c40bf25842e984bb78bd
+				bf97c0107d55bdb662f5c4e0fab9845cb5148ef7392dd3aaff93
+				ae1e6b667bb3d4247616d4f5ba10d4cfd226de88d39f16fb`),
+			E: 65537,
+		},
+		D: fromHexInt(`
+				53339cfdb79fc8466a655c7316aca85c55fd8f6dd898fdaf1195
+				17ef4f52e8fd8e258df93fee180fa0e4ab29693cd83b152a553d
+				4ac4d1812b8b9fa5af0e7f55fe7304df41570926f3311f15c4d6
+				5a732c483116ee3d3d2d0af3549ad9bf7cbfb78ad884f84d5beb
+				04724dc7369b31def37d0cf539e9cfcdd3de653729ead5d1`),
+		Primes: []*big.Int{
+			fromHexInt(`
+				d32737e7267ffe1341b2d5c0d150a81b586fb3132bed2f8d5262
+				864a9cb9f30af38be448598d413a172efb802c21acf1c11c520c
+				2f26a471dcad212eac7ca39d`),
+			fromHexInt(`
+				cc8853d1d54da630fac004f471f281c7b8982d8224a490edbeb3
+				3d3e3d5cc93c4765703d1dd791642f1f116a0dd852be2419b2af
+				72bfe9a030e860b0288b5d77`),
+		},
+	}
+
+	corruptCiphertext := stripWhitespace(`
+		eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.NFl09dehy
+		IR2Oh5iSsvEa82Ps7DLjRHeo0RnuTuSR45OsaIP6U8yu7vLlWaZKSZMy
+		B2qRBSujf-5XIRoNhtyIyjk81eJRXGa_Bxaor1XBCMyyhGchW2H2P71f
+		PhDO6ufSC7kV4bNqgHR-4ziS7KXwzN83_5kogXqxUpymUoJDNc.tk-GT
+		W_VVhiTIKFF.D_BE6ImZUl9F.52a-zFnRb3YQwIC7UrhVyQ`)
+
+	corruptAuthtag := stripWhitespace(`
+		eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.NFl09dehy
+		IR2Oh5iSsvEa82Ps7DLjRHeo0RnuTuSR45OsaIP6U8yu7vLlWaZKSZMy
+		B2qRBSujf-5XIRoNhtyIyjk81eJRXGa_Bxaor1XBCMyyhGchW2H2P71f
+		PhDO6ufSC7kV4bNqgHR-4ziS7KNwzN83_5kogXqxUpymUoJDNc.tk-GT
+		W_VVhiTIKFF.D_BE6ImZUl9F.52a-zFnRb3YQwiC7UrhVyQ`)
+
+	msg, _ := ParseEncrypted(corruptCiphertext)
+	_, err := msg.Decrypt(priv)
+	if err != ErrCryptoFailure {
+		t.Error("should detect corrupt ciphertext")
+	}
+
+	msg, _ = ParseEncrypted(corruptAuthtag)
+	_, err = msg.Decrypt(priv)
+	if err != ErrCryptoFailure {
+		t.Error("should detect corrupt auth tag")
+	}
+}
+
+// Test vectors generated with nimbus-jose-jwt
+func TestSampleNimbusJWEMessagesRSA(t *testing.T) {
+	rsaPrivateKey, err := LoadPrivateKey(fromBase64Bytes(`
+		MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCNRCEmf5PlbXKuT4uwnb
+		wGKvFrtpi+bDYxOZxxqxdVkZM/bYATAnD1fg9pNvLMKeF+MWJ9kPIMmDgOh9RdnRdLvQGb
+		BzhLmxwhhcua2QYiHEZizXmiaXvNP12bzEBhebdX7ObW8izMVW0p0lqHPNzkK3K75B0Sxo
+		FMVKkZ7KtBHgepBT5yPhPPcNe5lXQeTne5bo3I60DRcN9jTBgMJOXdq0I9o4y6ZmoXdNTm
+		0EyLzn9/EYiHqBxtKFh791EHR7wYgyi/t+nOKr4sO74NbEByP0mHDil+mPvZSzFW4l7fPx
+		OclRZvpRIKIub2TroZA9s2WsshGf79eqqXYbBB9NNRAgMBAAECggEAIExbZ/nzTplfhwsY
+		3SCzRJW87OuqsJ79JPQPGM4NX7sQ94eJqM7+FKLl0yCFErjgnYGdCyiArvB+oJPdsimgke
+		h83X0hGeg03lVA3/6OsG3WifCAxulnLN44AM8KST8S9D9t5+cm5vEBLHazzAfWWTS13s+g
+		9hH8rf8NSqgZ36EutjKlvLdHx1mWcKX7SREFVHT8FWPAbdhTLEHUjoWHrfSektnczaSHnt
+		q8fFJy6Ld13QkF1ZJRUhtA24XrD+qLTc+M36IuedjeZaLHFB+KyhYR3YvXEtrbCug7dCRd
+		uG6uTlDCSaSy7xHeTPolWtWo9F202jal54otxiAJFGUHgQKBgQDRAT0s6YQZUfwE0wluXV
+		k0JdhDdCo8sC1aMmKlRKWUkBAqrDl7BI3MF56VOr4ybr90buuscshFf9TtrtBOjHSGcfDI
+		tSKfhhkW5ewQKB0YqyHzoD6UKT0/XAshFY3esc3uCxuJ/6vOiXV0og9o7eFvr51O0TfDFh
+		mcTvW4wirKlQKBgQCtB7UAu8I9Nn8czkd6oXLDRyTWYviuiqFmxR+PM9klgZtsumkeSxO1
+		lkfFoj9+G8nFaqYEBA9sPeNtJVTSROCvj/iQtoqpV2NiI/wWeVszpBwsswx2mlks4LJa8a
+		Yz9xrsfNoroKYVppefc/MCoSx4M+99RSm3FSpLGZQHAUGyzQKBgQDMQmq4JuuMF1y2lk0E
+		SESyuz21BqV0tDVOjilsHT+5hmXWXoS6nkO6L2czrrpM7YE82F6JJZBmo7zEIXHBInGLJ3
+		XLoYLZ5qNEhqYDUEDHaBCBWZ1vDTKnZlwWFEuXVavNNZvPbUhKTHq25t8qjDki/r09Vykp
+		BsM2yNBKpbBOVQKBgCJyUVd3CaFUExQyAMrqD0XPCQdhJq7gzGcAQVsp8EXmOoH3zmuIeM
+		ECzQEMXuWFNLMHm0tbX5Kl83vMHcnKioyI9ewhWxOBYTitf0ceG8j5F97SOl32NmCXzwoJ
+		55Oa0xJXfLuIvOe8hZzp4WwZmBfKBxiCR166aPQQgIawelrVAoGAEJsHomfCI4epxH4oMw
+		qYJMCGy95zloB+2+c86BZCOJAGwnfzbtc2eutWZw61/9sSO8sQCfzA8oX+5HwAgnFVzwW4
+		lNMZohppYcpwN9EyjkPaCXuALC7p5rF2o63wY7JLvnjS2aYZliknh2yW6X6fSB0PK0Cpvd
+		lAIyRw6Kud0zI=`))
+	if err != nil {
+		panic(err)
+	}
+
+	rsaSampleMessages := []string{
+		"eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiUlNBMV81In0.EW0KOhHeoAxTBnLjYhh2T6HjwI-srNs6RpcSdZvE-GJ5iww3EYWBCmeGGj1UVz6OcBfwW3wllZ6GPOHU-hxVQH5KYpVOjkmrFIYU6-8BHhxBP_PjSJEBCZzjOgsCm9Th4-zmlO7UWTdK_UtwE7nk4X-kkmEy-aZBCShA8nFe2MVvqD5F7nvEWNFBOHh8ae_juo-kvycoIzvxLV9g1B0Zn8K9FAlu8YF1KiL5NFekn76f3jvAwlExuRbFPUx4gJN6CeBDK_D57ABsY2aBVDSiQceuYZxvCIAajqSS6dMT382FNJzAiQhToOpo_1w5FnnBjzJLLEKDk_I-Eo2YCWxxsQ.5mCMuxJqLRuPXGAr.Ghe4INeBhP3MDWGvyNko7qanKdZIzKjfeiU.ja3UlVWJXKNFJ-rZsJWycw",
+		"eyJlbmMiOiJBMTkyR0NNIiwiYWxnIjoiUlNBMV81In0.JsJeYoP0St1bRYNUaAmA34DAA27usE7RNuC2grGikBRmh1xrwUOpnEIXXpwr7fjVmNi52zzWkNHC8JkkRTrLcCh2VXvnOnarpH8DCr9qM6440bSrahzbxIvDds8z8q0wT1W4kjVnq1mGwGxg8RQNBWTV6Sp2FLQkZyjzt_aXsgYzr3zEmLZxB-d41lBS81Mguk_hdFJIg_WO4ao54lozvxkCn_uMiIZ8eLb8qHy0h-N21tiHGCaiC2vV8KXomwoqbJ0SXrEH4r9_R2J844H80TBZdbvNBd8whvoQNHvOX659LNs9EQ9xxvHU2kqGZekXBu7sDXXTjctMkMITobGSzw.1v5govaDvanP3LGp.llwYNBDrD7MwVLaFHesljlratfmndWs4XPQ.ZGT1zk9_yIKi2GzW6CuAyA",
+		"eyJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiUlNBMV81In0.fBv3fA3TMS3ML8vlsCuvwdsKvB0ym8R30jJrlOiqkWKk7WVUkjDInFzr1zw3Owla6c5BqOJNoACXt4IWbkLbkoWV3tweXlWwpafuaWPkjLOUH_K31rS2fCX5x-MTj8_hScquVQXpbz3vk2EfulRmGXZc_8JU2NqQCAsYy3a28houqP3rDe5jEAvZS2SOFvJkKW--f5S-z39t1D7fNz1N8Btd9SmXWQzjbul5YNxI9ctqxhJpkKYpxOLlvrzdA6YdJjOlDx3n6S-HnSZGM6kQd_xKtAf8l1EGwhQmhbXhMhjVxMvGwE5BX7PAb8Ccde5bzOCJx-PVbVetuLb169ZYqQ._jiZbOPRR82FEWMZ.88j68LI-K2KT6FMBEdlz6amG5nvaJU8a-90.EnEbUTJsWNqJYKzfO0x4Yw",
+		"eyJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiUlNBMV81In0.bN6FN0qmGxhkESiVukrCaDVG3woL0xE-0bHN_Mu0WZXTQWbzzT-7jOvaN1xhGK8nzi8qpCSRgE5onONNB9i8OnJm3MMIxF7bUUEAXO9SUAFn2v--wNc4drPc5OjIu0RiJrDVDkkGjNrBDIuBaEQcke7A0v91PH58dXE7o4TLPzC8UJmRtXWhUSwjXVF3-UmYRMht2rjHJlvRbtm6Tu2LMBIopRL0zj6tlPP4Dm7I7sz9OEB3VahYAhpXnFR7D_f8RjLSXQmBvB1FiI5l_vMz2NFt2hYUmQF3EJMLIEdHvvPp3iHDGiXC1obJrDID_CCf3qs9UY7DMYL622KLvP2NIg.qb72oxECzxd_aNuHVR0aNg.Gwet9Ms8hB8rKEb0h4RGdFNRq97Qs2LQaJM0HWrCqoI.03ljVThOFvgXzMmQJ79VjQ",
+		"eyJlbmMiOiJBMTkyQ0JDLUhTMzg0IiwiYWxnIjoiUlNBMV81In0.ZbEOP6rqdiIP4g7Nl1PL5gwhgDwv9RinyiUQxZXPOmD7kwEZrZ093dJnhqI9kEd3QGFlHDpB7HgNz53d27z2zmEj1-27v6miizq6tH4sN2MoeZLwSyk16O1_n3bVdDmROawsTYYFJfHsuLwyVJxPd37duIYnbUCFO9J8lLIv-2VI50KJ1t47YfE4P-Wt9jVzxP2CVUQaJwTlcwfiDLJTagYmfyrDjf525WlQFlgfJGqsJKp8BX9gmKvAo-1iCBAM8VpEjS0u0_hW9VSye36yh8BthVV-VJkhJ-0tMpto3bbBmj7M25Xf4gbTrrVU7Nz6wb18YZuhHZWmj2Y2nHV6Jg.AjnS44blTrIIfFlqVw0_Mg.muCRgaEXNKKpW8rMfW7jf7Zpn3VwSYDz-JTRg16jZxY.qjc9OGlMaaWKDWQSIwVpR4K556Pp6SF9",
+		"eyJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwiYWxnIjoiUlNBMV81In0.c7_F1lMlRHQQE3WbKmtHBYTosdZrG9hPfs-F9gNQYet61zKG8NXVkSy0Zf2UFHt0vhcO8hP2qrqOFsy7vmRj20xnGHQ2EE29HH6hwX5bx1Jj3uE5WT9Gvh0OewpvF9VubbwWTIObBpdEG7XdJsMAQlIxtXUmQYAtLTWcy2ZJipyJtVlWQLaPuE8BKfZH-XAsp2CpQNiRPI8Ftza3EAspiyRfVQbjKt7nF8nuZ2sESjt7Y50q4CSiiCuGT28T3diMN0_rWrH-I-xx7OQvJlrQaNGglGtu3jKUcrJDcvxW2e1OxriaTeuQ848ayuRvGUNeSv6WoVYmkiK1x_gNwUAAbw.7XtSqHJA7kjt6JrfxJMwiA.Yvi4qukAbdT-k-Fd2s4G8xzL4VFxaFC0ZIzgFDAI6n0.JSWPJ-HjOE3SK9Lm0yHclmjS7Z1ahtQga9FHGCWVRcc",
+		"eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiUlNBLU9BRVAifQ.SYVxJbCnJ_tcR13LJpaqHQj-nGNkMxre4A1FmnUdxnvzeJwuvyrLiUdRsZR1IkP4fqLtDON2mumx39QeJQf0WIObPBYlIxycRLkwxDHRVlyTmPvdZHAxN26jPrk09wa5SgK1UF1W1VSQIPm-Tek8jNAmarF1Yxzxl-t54wZFlQiHP4TuaczugO5f-J4nlWenfla2mU1snDgdUMlEZGOAQ_gTEtwSgd1MqXmK_7LZBkoDqqoCujMZhziafJPXPDaUUqBLW3hHkkDA7GpVec3XcTtNUWQJqOpMyQhqo1KQMc8jg3fuirILp-hjvvNVtBnCRBvbrKUCPzu2_yH3HM_agA.2VsdijtonAxShNIW.QzzB3P9CxYP3foNKN0Ma1Z9tMwijAlkWo08.ZdQkIPDY_M-hxqi5fD4NGw",
+		"eyJlbmMiOiJBMTkyR0NNIiwiYWxnIjoiUlNBLU9BRVAifQ.Z2oTJXXib1u-S38Vn3DRKE3JnhnwgUa92UhsefzY2Wpdn0dmxMfYt9iRoJGFfSAcA97MOfjyvXVRCKWXGrG5AZCMAXEqU8SNQwKPRjlcqojcVzQyMucXI0ikLC4mUgeRlfKTwsBicq6JZZylzRoLGGSNJQbni3_BLsf7H3Qor0BYg0FPCLG9Z2OVvrFzvjTLmZtV6gFlVrMHBxJub_aUet9gAkxiu1Wx_Kx46TlLX2tkumXIpTGlzX6pef6jLeZ5EIg_K-Uz4tkWgWQIEkLD7qmTyk5pAGmzukHa_08jIh5-U-Sd8XGZdx4J1pVPJ5CPg0qDJGZ_cfgkgpWbP_wB6A.4qgKfokK1EwYxz20._Md82bv_KH2Vru0Ue2Eb6oAqHP2xBBP5jF8.WFRojvQpD5VmZlOr_dN0rQ",
+		"eyJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiUlNBLU9BRVAifQ.JzCUgJcBJmBgByp4PBAABUfhezPvndxBIVzaoZ96DAS0HPni0OjMbsOGsz6JwNsiTr1gSn_S6R1WpZM8GJc9R2z0EKKVP67TR62ZSG0MEWyLpHmG_4ug0fAp1HWWMa9bT4ApSaOLgwlpVAb_-BPZZgIu6c8cREuMon6UBHDqW1euTBbzk8zix3-FTZ6p5b_3soDL1wXfRiRBEsxxUGMnpryx1OFb8Od0JdyGF0GgfLt6OoaujDJpo-XtLRawu1Xlg6GqRs0NQwSHZ5jXgQ6-zgCufXonAmYTiIyBXY2no9XmECTexjwrS_05nA7H-UyIZEBOCp3Yhz2zxrt5j_0pvQ.SJR-ghhaUKP4zXtZ.muiuzLfZA0y0BDNsroGTw2r2-l73SLf9lK8.XFMH1oHr1G6ByP3dWSUUPA",
+		"eyJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiUlNBLU9BRVAifQ.U946MVfIm4Dpk_86HrnIA-QXyiUu0LZ67PL93CMLmEtJemMNDqmRd9fXyenCIhAC7jPIV1aaqW7gS194xyrrnUpBoJBdbegiPqOfquy493Iq_GQ8OXnFxFibPNQ6rU0l8BwIfh28ei_VIF2jqN6bhxFURCVW7fG6n6zkCCuEyc7IcxWafSHjH2FNttREuVj-jS-4LYDZsFzSKbpqoYF6mHt8H3btNEZDTSmy_6v0fV1foNtUKNfWopCp-iE4hNh4EzJfDuU8eXLhDb03aoOockrUiUCh-E0tQx9su4rOv-mDEOHHAQK7swm5etxoa7__9PC3Hg97_p4GM9gC9ykNgw.pnXwvoSPi0kMQP54of-HGg.RPJt1CMWs1nyotx1fOIfZ8760mYQ69HlyDp3XmdVsZ8.Yxw2iPVWaBROFE_FGbvodA",
+		"eyJlbmMiOiJBMTkyQ0JDLUhTMzg0IiwiYWxnIjoiUlNBLU9BRVAifQ.eKEOIJUJpXmO_ghH_nGCJmoEspqKyiy3D5l0P8lKutlo8AuYHPQlgOsaFYnDkypyUVWd9zi-JaQuCeo7dzoBiS1L71nAZo-SUoN0anQBkVuyuRjr-deJMhPPfq1H86tTk-4rKzPr1Ivd2RGXMtWsrUpNGk81r1v8DdMntLE7UxZQqT34ONuZg1IXnD_U6di7k07unI29zuU1ySeUr6w1YPw5aUDErMlpZcEJWrgOEYWaS2nuC8sWGlPGYEjqkACMFGn-y40UoS_JatNZO6gHK3SKZnXD7vN5NAaMo_mFNbh50e1t_zO8DaUdLtXPOBLcx_ULoteNd9H8HyDGWqwAPw.0xmtzJfeVMoIT1Cp68QrXA.841l1aA4c3uvSYfw6l180gn5JZQjL53WQ5fr8ejtvoI.lojzeWql_3gDq-AoaIbl_aGQRH_54w_f",
+		"eyJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwiYWxnIjoiUlNBLU9BRVAifQ.D0QkvIXR1TL7dIHWuPNMybmmD8UPyQd1bRKjRDNbA2HmKGpamCtcJmpNB_EetNFe-LDmhe44BYI_XN2wIBbYURKgDK_WG9BH0LQw_nCVqQ-sKqjtj3yQeytXhLHYTDmiF0TO-uW-RFR7GbPAdARBfuf4zj82r_wDD9sD5WSCGx89iPfozDOYQ_OLwdL2WD99VvDyfwS3ZhxA-9IMSYv5pwqPkxj4C0JdjCqrN0YNrZn_1ORgjtsVmcWXsmusObTozUGA7n5GeVepfZdU1vrMulAwdRYqOYtlqKaOpFowe9xFN3ncBG7wb4f9pmzbS_Dgt-1_Ii_4SEB9GQ4NiuBZ0w.N4AZeCxMGUv52A0UVJsaZw.5eHOGbZdtahnp3l_PDY-YojYib4ft4SRmdsQ2kggrTs.WsmGH8ZDv4ctBFs7qsQvw2obe4dVToRcAQaZ3PYL34E",
+		"eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiUlNBLU9BRVAtMjU2In0.fDTxO_ZzZ3Jdrdw-bxvg7u-xWB2q1tp3kI5zH6JfhLUm4h6rt9qDA_wZlRym8-GzEtkUjkTtQGs6HgQx_qlyy8ylCakY5GHsNhCG4m0UNhRiNfcasAs03JSXfON9-tfTJimWD9n4k5OHHhvcrsCW1G3jYeLsK9WHCGRIhNz5ULbo8HBrCTbmZ6bOEQ9mqhdssLpdV24HDpebotf3bgPJqoaTfWU6Uy7tLmPiNuuNRLQ-iTpLyNMTVvGqqZhpcV3lAEN5l77QabI5xLJYucvYjrXQhAEZ7YXO8oRYhGkdG2XXIRcwr87rBeRH-47HAyhZgF_PBPBhhrJNS9UNMqdfBw.FvU4_s7Md6vxnXWd.fw29Q4_gHt4f026DPPV-CNebQ8plJ6IVLX8._apBZrw7WsT8HOmxgCrTwA",
+		"eyJlbmMiOiJBMTkyR0NNIiwiYWxnIjoiUlNBLU9BRVAtMjU2In0.bYuorK-rHMbO4c2CRWtvyOEaM1EN-o-wLRZ0wFWRX9mCXQ-iTNarZn7ksYM1XnGmZ4u3CSowX1Hpca9Rg72_VJCmKapqCT7r3YfasN4_oeLwuSKI_gT-uVOznod97tn3Gf_EDv0y1V4H0k9BEIFGbajAcG1znTD_ODY3j2KZJxisfrsBoslc6N-HI0kKZMC2hSGuHOcOf8HN1sTE-BLqZCtoj-zxQECJK8Wh14Ih4jzzdmmiu_qmSR780K6su-4PRt3j8uY7oCiLBfwpCsCmhJgp8rKd91zoedZmamfvX38mJIfE52j4fG6HmIYw9Ov814fk9OffV6tzixjcg54Q2g.yeVJz4aSh2s-GUr9.TBzzWP5llEiDdugpP2SmPf2U4MEGG9EoPWk.g25UoWpsBaOd45J__FX7mA",
+		"eyJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiUlNBLU9BRVAtMjU2In0.h9tFtmh762JuffBxlSQbJujCyI4Zs9yc3IOb1yR8g65W4ZHosIvzVGHWbShj4EY9MNrz-RbKtHfqQGGzDeo3Xb4-HcQ2ZDHyWoUg7VfA8JafJ5zIKL1npz8eUExOVMLsAaRfHg8qNfczodg3egoSmX5Q-nrx4DeidDSXYZaZjV0C72stLTPcuQ7XPV7z1tvERAkqpvcsRmJn_PiRNxIbAgoyHMJ4Gijuzt1bWZwezlxYmw0TEuwCTVC2fl9NJTZyxOntS1Lcm-WQGlPkVYeVgYTOQXLlp7tF9t-aAvYpth2oWGT6Y-hbPrjx_19WaKD0XyWCR46V32DlXEVDP3Xl2A.NUgfnzQyEaJjzt9r.k2To43B2YVWMeR-w3n4Pr2b5wYq2o87giHk.X8_QYCg0IGnn1pJqe8p_KA",
+		"eyJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiUlNBLU9BRVAtMjU2In0.EDq6cNP6Yp1sds5HZ4CkXYp7bs9plIYVZScKvuyxUy0H1VyBC_YWg0HvndPNb-vwh1LA6KMxRazlOwJ9iPR9YzHnYmGgPM3Je_ZzBfiPlRfq6hQBpGnNaypBI1XZ2tyFBhulsVLqyJe2SmM2Ud00kasOdMYgcN8FNFzq7IOE7E0FUQkIwLdUL1nrzepiYDp-5bGkxWRcL02cYfdqdm00G4m0GkUxAmdxa3oPNxZlt2NeBI_UVWQSgJE-DJVJQkDcyA0id27TV2RCDnmujYauNT_wYlyb0bFDx3pYzzNXfAXd4wHZxt75QaLZ5APJ0EVfiXJ0qki6kT-GRVmOimUbQA.vTULZL7LvS0WD8kR8ZUtLg.mb2f0StEmmkuuvsyz8UplMvF58FtZzlu8eEwzvPUvN0.hbhveEN40V-pgG2hSVgyKg",
+		"eyJlbmMiOiJBMTkyQ0JDLUhTMzg0IiwiYWxnIjoiUlNBLU9BRVAtMjU2In0.DuYk92p7u-YIN-JKn-XThmlVcnhU9x5TieQ2uhsLQVNlo0iWC9JJPP6bT6aI6u_1BIS3yE8_tSGGL7eM-zyEk6LuTqSWFRaZcZC06d0MnS9eYZcw1T2D17fL-ki-NtCaTahJD7jE2s0HevRVW49YtL-_V8whnO_EyVjvXIAQlPYqhH_o-0Nzcpng9ggdAnuF2rY1_6iRPYFJ3BLQvG1oWhyJ9s6SBttlOa0i6mmFCVLHx6sRpdGAB3lbCL3wfmHq4tpIv77gfoYUNP0SNff-zNmBXF_wp3dCntLZFTjbfMpGyHlruF_uoaLqwdjYpUGNUFVUoeSiMnSbMKm9NxiDgQ.6Mdgcqz7bMU1UeoAwFC8pg.W36QWOlBaJezakUX5FMZzbAgeAu_R14AYKZCQmuhguw.5OeyIJ03olxmJft8uBmjuOFQPWNZMYLI",
+		"eyJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwiYWxnIjoiUlNBLU9BRVAtMjU2In0.ECulJArWFsPL2FlpCN0W8E7IseSjJg1cZqE3wz5jk9gvwgNForAUEv5KYZqhNI-p5IxkGV0f8K6Y2X8pWzbLwiPIjZe8_dVqHYJoINxqCSgWLBhz0V36qL9Nc_xARTBk4-ZteIu75NoXVeos9gNvFnkOCj4tm-jGo8z8EFO9XfODgjhiR4xv8VqUtvrkjo9GQConaga5zpV-J4JQlXbdqbDjnuwacnJAxYpFyuemqcgqsl6BnFX3tovGkmSUPqcvF1A6tiHqr-TEmcgVqo5C3xswknRBKTQRM00iAmJ92WlVdkoOCx6E6O7cVHFawZ14BLzWzm66Crb4tv0ucYvk_Q.mxolwUaoj5S5kHCfph0w8g.nFpgYdnYg3blHCCEi2XXQGkkKQBXs2OkZaH11m3PRvk.k8BAVT4EcyrUFVIKr-KOSPbF89xyL0Vri2rFTu2iIWM",
+	}
+
+	for _, msg := range rsaSampleMessages {
+		obj, err := ParseEncrypted(msg)
+		if err != nil {
+			t.Error("unable to parse message", msg, err)
+			continue
+		}
+		plaintext, err := obj.Decrypt(rsaPrivateKey)
+		if err != nil {
+			t.Error("unable to decrypt message", msg, err)
+			continue
+		}
+		if string(plaintext) != "Lorem ipsum dolor sit amet" {
+			t.Error("plaintext is not what we expected for msg", msg)
+		}
+	}
+}
+
+// Test vectors generated with nimbus-jose-jwt
+func TestSampleNimbusJWEMessagesAESKW(t *testing.T) {
+	aesTestKeys := [][]byte{
+		fromHexBytes("DF1FA4F36FFA7FC42C81D4B3C033928D"),
+		fromHexBytes("DF1FA4F36FFA7FC42C81D4B3C033928D95EC9CDC2D82233C"),
+		fromHexBytes("DF1FA4F36FFA7FC42C81D4B3C033928D95EC9CDC2D82233C333C35BA29044E90"),
+	}
+
+	aesSampleMessages := [][]string{
+		[]string{
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTI4R0NNIiwidGFnIjoib2ZMd2Q5NGloVWFRckJ0T1pQUDdjUSIsImFsZyI6IkExMjhHQ01LVyIsIml2IjoiV2Z3TnN5cjEwWUFjY2p2diJ9.9x3RxdqIS6P9xjh93Eu1bQ.6fs3_fSGt2jull_5.YDlzr6sWACkFg_GU5MEc-ZEWxNLwI_JMKe_jFA.f-pq-V7rlSSg_q2e1gDygw",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTkyR0NNIiwidGFnIjoic2RneXB1ckFjTEFzTmZJU0lkZUNpUSIsImFsZyI6IkExMjhHQ01LVyIsIml2IjoieVFMR0dCdDJFZ0c1THdyViJ9.arslKo4aKlh6f4s0z1_-U-8JbmhAoZHN.Xw2Q-GX98YXwuc4i.halTEWMWAYZbv-qOD52G6bte4x6sxlh1_VpGEA.Z1spn016v58cW6Q2o0Qxag",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMjU2R0NNIiwidGFnIjoicTNzejF5VUlhbVBDYXJfZ05kSVJqQSIsImFsZyI6IkExMjhHQ01LVyIsIml2IjoiM0ZRM0FsLWJWdWhmcEIyQyJ9.dhVipWbzIdsINttuZM4hnjpHvwEHf0VsVrOp4GAg01g.dk7dUyt1Qj13Pipw.5Tt70ONATF0BZAS8dBkYmCV7AQUrfb8qmKNLmw.A6ton9MQjZg0b3C0QcW-hg",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwidGFnIjoiUHNpTGphZnJZNE16UlRmNlBPLTZfdyIsImFsZyI6IkExMjhHQ01LVyIsIml2IjoiSUFPbnd2ODR5YXFEaUxtbSJ9.swf92_LyCvjsvkynHTuMNXRl_MX2keU-fMDWIMezHG4.LOp9SVIXzs4yTnOtMyXZYQ.HUlXrzqJ1qXYl3vUA-ydezCg77WvJNtKdmZ3FPABoZw.8UYl1LOofQLAxHHvWqoTbg",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTkyQ0JDLUhTMzg0IiwidGFnIjoiWGRndHQ5dUVEMVlVeU1rVHl6M3lqZyIsImFsZyI6IkExMjhHQ01LVyIsIml2IjoiWF90V2RhSmh6X3J1SHJvQSJ9.JQ3dS1JSgzIFi5M9ig63FoFU1nHBTmPwXY_ovNE2m1JOSUvHtalmihIuraPDloCf.e920JVryUIWt7zJJQM-www.8DUrl4LmsxIEhRr9RLTHG9tBTOcwXqEbQHAJd_qMHzE.wHinoqGUhL4O7lx125kponpwNtlp8VGJ",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwidGFnIjoicGgyaTdoY0FWNlh3ZkQta1RHYlVXdyIsImFsZyI6IkExMjhHQ01LVyIsIml2IjoiaG41Smk4Wm1rUmRrSUxWVSJ9._bQlJXl22dhsBgYPhkxUyinBNi871teGWbviOueWj2PqG9OPxIc9SDS8a27YLSVDMircd5Q1Df28--vcXIABQA.DssmhrAg6w_f2VDaPpxTbQ.OGclEmqrxwvZqAfn7EgXlIfXgr0wiGvEbZz3zADnqJs.YZeP0uKVEiDl8VyC-s20YN-RbdyGNsbdtoGDP3eMof8",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiQTEyOEtXIn0.TEMcXEoY8WyqGjYs5GZgS-M_Niwu6wDY.i-26KtTt51Td6Iwd.wvhkagvPsLj3QxhPBbfH_th8OqxisUtme2UadQ.vlfvBPv3bw2Zk2H60JVNLQ",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTkyR0NNIiwiYWxnIjoiQTEyOEtXIn0.gPaR6mgQ9TUx05V6DRfgTQeZxl0ZSzBa5uQd-qw6yLs.MojplOD77FkMooS-.2yuD7dKR_C3sFbhgwiBccKKOF8DrSvNiwX7wPQ.qDKUbSvMnJv0qifjpWC14g",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiQTEyOEtXIn0.Fg-dgSkUW1KEaL5YDPoWHNL8fpX1WxWVLA9OOWsjIFhQVDKyUZI7BQ.mjRBpyJTZf7H-quf.YlNHezMadtaSKp23G-ozmYhHOeHwuJnvWGTtGg.YagnR7awBItUlMDo4uklvg",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiQTEyOEtXIn0.x1vYzUE-E2XBWva9OPuwtqfQaf9rlJCIBAyAe6N2q2kWfJrkxGxFsQ.gAwe78dyODFaoP2IOityAA.Yh5YfovkWxGBNAs1sVhvXow_2izHHsBiYEc9JYD6kVg.mio1p3ncp2wLEaEaRa7P0w",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTkyQ0JDLUhTMzg0IiwiYWxnIjoiQTEyOEtXIn0.szGrdnmF7D5put2aRBvSSFfp0vRgkRGYaafijJIqAF6PWd1IxsysZRV8aQkQOW1cB6d0fXsTfYM.Ru25LVOOk4xhaK-cIZ0ThA.pF9Ok5zot7elVqXFW5YYHV8MuF9gVGzpQnG1XDs_g_w.-7la0uwcNPpteev185pMHZjbVDXlrec8",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwiYWxnIjoiQTEyOEtXIn0.cz-hRv0xR5CnOcnoRWNK8Q9poyVYzRCVTjfmEXQN6xPOZUkJ3zKNqb8Pir_FS0o2TVvxmIbuxeISeATTR2Ttx_YGCNgMkc93.SF5rEQT94lZR-UORcMKqGw.xphygoU7zE0ZggOczXCi_ytt-Evln8CL-7WLDlWcUHg.5h99r8xCCwP2PgDbZqzCJ13oFfB2vZWetD5qZjmmVho",
+		},
+		[]string{
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTI4R0NNIiwidGFnIjoiVWR5WUVKdEJ5ZTA5dzdjclY0cXI1QSIsImFsZyI6IkExOTJHQ01LVyIsIml2IjoiZlBBV0QwUmdSbHlFdktQcCJ9.P1uTfTuH-imL-NJJMpuTRA.22yqZ1NIfx3KNPgc.hORWZaTSgni1FS-JT90vJly-cU37qTn-tWSqTg.gMN0ufXF92rSXupTtBNkhA",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTkyR0NNIiwidGFnIjoiOU9qX3B2LTJSNW5lZl9YbWVkUWltUSIsImFsZyI6IkExOTJHQ01LVyIsIml2IjoiY3BybGEwYUYzREVQNmFJTSJ9.6NVpAm_APiC7km2v-oNR8g23K9U_kf1-.jIg-p8tNwSvwxch0.1i-GPaxS4qR6Gy4tzeVtSdRFRSKQSMpmn-VhzA.qhFWPqtA6vVPl7OM3DThsA",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMjU2R0NNIiwidGFnIjoiOVc3THg3MVhGQVJCb3NaLVZ5dXc4ZyIsImFsZyI6IkExOTJHQ01LVyIsIml2IjoiZ1N4ZE5heFdBSVBRR0tHYiJ9.3YjPz6dVQwAtCekvtXiHZrooOUlmCsMSvyfwmGwdrOA.hA_C0IDJmGaRzsB0.W4l7OPqpFxiVOZTGfAlRktquyRTo4cEOk9KurQ.l4bGxOkO_ql_jlPo3Oz3TQ",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwidGFnIjoiOHJYbWl2WXFWZjNfbHhhd2NUbHJoUSIsImFsZyI6IkExOTJHQ01LVyIsIml2IjoiVXBWeXprVTNKcjEwYXRqYyJ9.8qft-Q_xqUbo5j_aVrVNHchooeLttR4Kb6j01O8k98M.hXO-5IKBYCL9UdwBFVm0tg.EBM4lCZX_K6tfqYmfoDxVPHcf6cT--AegXTTjfSqsIw.Of8xUvEQSh3xgFT3uENnAg",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTkyQ0JDLUhTMzg0IiwidGFnIjoiVnItSnVaX0tqV2hSWWMzdzFwZ3cwdyIsImFsZyI6IkExOTJHQ01LVyIsIml2IjoiRGg2R3dISVBVS3ljZGNZeCJ9.YSEDjCnGWr_n9H94AvLoRnwm6bdU9w6-Q67k-QQRVcKRd6673pgH9zEF9A9Dt6o1.gcmVN4kxqBuMq6c7GrK3UQ.vWzJb0He6OY1lhYYjYS7CLh55REAAq1O7yNN-ND4R5Q.OD0B6nwyFaDr_92ysDOtlVnJaeoIqhGw",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwidGFnIjoieEtad1BGYURpQ3NqUnBqZUprZHhmZyIsImFsZyI6IkExOTJHQ01LVyIsIml2IjoieTVHRFdteXdkb2R1SDJlYyJ9.AW0gbhWqlptOQ1y9aoNVwrTIIkBfrp33C2OWJsbrDRk6lhxg_IgFhMDTE37moReySGUtttC4CXQD_7etHmd3Hw.OvKXK-aRKlXHOpJQ9ZY_YQ.Ngv7WarDDvR2uBj_DavPAR3DYuIaygvSSdcHrc8-ZqM.MJ6ElitzFCKf_0h5fIJw8uOLC6ps7dKZPozF8juQmUY",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiQTE5MktXIn0.8qu63pppcSvp1vv37WrZ44qcCTg7dQMA.cDp-f8dJTrDEpZW4.H6OBJYs4UvFR_IZHLYQZxB6u9a0wOdAif2LNfQ.1dB-id0UIwRSlmwHx5BJCg",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTkyR0NNIiwiYWxnIjoiQTE5MktXIn0._FdoKQvC8qUs7K0upriEihUwztK8gOwonXpOxdIwrfs.UO38ok8gDdpLVa1T.x1GvHdVCy4fxoQRg-OQK4Ez3jDOvu9gllLPeEA.3dLeZGIprh_nHizOTVi1xw",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiQTE5MktXIn0.uzCJskgSIK6VkjJIu-dQi18biqaY0INc_A1Ehx0oESafgtR99_n4IA.W2eKK8Y14WwTowI_.J2cJC7R6Bz6maR0s1UBMPyRi5BebNUAmof4pvw.-7w6htAlc4iUsOJ6I04rFg",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiQTE5MktXIn0.gImQeQETp_6dfJypFDPLlv7c5pCzuq86U16gzrLiCXth6X9XfxJpvQ.YlC4MxjtLWrsyEvlFhvsqw.Vlpvmg9F3gkz4e1xG01Yl2RXx-jG99rF5UvCxOBXSLc.RZUrU_FoR5bG3M-j3GY0Dw",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTkyQ0JDLUhTMzg0IiwiYWxnIjoiQTE5MktXIn0.T2EfQ6Tu2wJyRMgZzfvBYmQNCCfdMudMrg86ibEMVAOUKJPtR3WMPEb_Syy9p2VjrLKRlv7nebo.GPc8VbarPPRtzIRATB8NsA.ugPCqLvVLwh55bWlwjsFkmWzJ31z5z-wuih2oJqmG_U.m7FY3EjvV6mKosEYJ5cY7ezFoVQoJS8X",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwiYWxnIjoiQTE5MktXIn0.OgLMhZ-2ZhslQyHfzOfyC-qmT6bNg9AdpP59B4jtyxWkQu3eW475WCdiAjojjeyBtVRGQ5vOomwaOIFejY_IekzH6I_taii3.U9x44MF6Wyz5TIwIzwhoxQ.vK7yvSF2beKdNxNY_7n4XdF7JluCGZoxdFJyTJVkSmI.bXRlI8KL-g7gpprQxGmXjVYjYghhWJq7mlCfWI8q2uA",
+		},
+		[]string{
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTI4R0NNIiwidGFnIjoiR3BjX3pfbjduZjJVZlEtWGdsaTBaQSIsImFsZyI6IkEyNTZHQ01LVyIsIml2IjoiUk40eUdhOVlvYlFhUmZ1TCJ9.Q4ukD6_hZpmASAVcqWJ9Wg.Zfhny_1WNdlp4fH-.3sekDCjkExQCcv28ZW4yrcFnz0vma3vgoenSXA.g8_Ird2Y0itTCDP61du-Yg",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTkyR0NNIiwidGFnIjoiWC05UkNVWVh4U3NRelcwelVJS01VUSIsImFsZyI6IkEyNTZHQ01LVyIsIml2IjoiY3JNMnJfa3RrdWpyQ1h5OSJ9.c0q2jCxxV4y1h9u_Xvn7FqUDnbkmNEG4.S_noOTZKuUo9z1l6.ez0RdA25vXMUGH96iXmj3DEVox0J7TasJMnzgg.RbuSPTte_NzTtEEokbc5Ig",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMjU2R0NNIiwidGFnIjoiWmwyaDFpUW11QWZWd2lJeVp5RHloZyIsImFsZyI6IkEyNTZHQ01LVyIsIml2Ijoib19xZmljb0N0NzNzRWo1QyJ9.NpJxRJ0aqcpekD6HU2u9e6_pL_11JXjWvjfeQnAKkZU.4c5qBcBBrMWi27Lf.NKwNIb4b6cRDJ1TwMKsPrjs7ADn6aNoBdQClVw.yNWmSSRBqQfIQObzj8zDqw",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwidGFnIjoiMXdwVEI3LWhjdzZUVXhCbVh2UzdhUSIsImFsZyI6IkEyNTZHQ01LVyIsIml2IjoiOUdIVnZJaDZ0a09vX2pHUSJ9.MFgIhp9mzlq9hoPqqKVKHJ3HL79EBYtV4iNhD63yqiU.UzW5iq8ou21VpZYJgKEN8A.1gOEzA4uAPvHP76GMfs9uLloAV10mKaxiZVAeL7iQA0.i1X_2i0bCAz-soXF9bI_zw",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTkyQ0JDLUhTMzg0IiwidGFnIjoiNThocUtsSk15Y1BFUEFRUlNfSzlNUSIsImFsZyI6IkEyNTZHQ01LVyIsIml2IjoiUDh3aTBWMTluVnZqNXpkOSJ9.FXidOWHNFJODO74Thq3J2cC-Z2B8UZkn7SikeosU0bUK6Jx_lzzmUZ-Lafadpdpj.iLfcDbpuBKFiSfiBzUQc7Q.VZK-aD7BFspqfvbwa0wE2wwWxdomzk2IKMetFe8bI44.7wC6rJRGa4x48xbYMd6NH9VzK8uNn4Cb",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwidGFnIjoicGcwOEpUcXdzMXdEaXBaRUlpVExoQSIsImFsZyI6IkEyNTZHQ01LVyIsIml2IjoiSlpodk9CdU1RUDFFZTZTNSJ9.wqVgTPm6TcYCTkpbwmn9sW4mgJROH2A3dIdSXo5oKIQUIVbQsmy7KXH8UYO2RS9slMGtb869C8o0My67GKg9dQ.ogrRiLlqjB1S5j-7a05OwA.2Y_LyqhU4S_RXMsB74bxcBacd23J2Sp5Lblw-sOkaUY.XGMiYoU-f3GaEzSvG41vpJP2DMGbeDFoWmkUGLUjc4M",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiQTI1NktXIn0.QiIZm9NYfahqYFIbiaoUhCCHjotHMkup.EsU0XLn4FjzzCILn.WuCoQkm9vzo95E7hxBtfYpt-Mooc_vmSTyzj6Q.NbeeYVy6gQPlmhoWDrZwaQ",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTkyR0NNIiwiYWxnIjoiQTI1NktXIn0.1ol3j_Lt0Os3UMe2Gypj0o8b77k0FSmqD7kNRNoMa9U.vZ2HMTgN2dgUd42h.JvNcy8-c8sYzOC089VtFSg2BOQx3YF8CqSTuJw.t03LRioWWKN3d7SjinU6SQ",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiQTI1NktXIn0.gbkk03l1gyrE9qGEMVtORiyyUqKsgzbqjLd8lw0RQ07WWn--TV4BgA.J8ThH4ac2UhSsMIP.g-W1piEGrdi3tNwQDJXpYm3fQjTf82mtVCrCOg.-vY05P4kiB9FgF2vwrSeXQ",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiQTI1NktXIn0.k86pQs7gmQIzuIWRFwesF32XY2xi1WbYxi7XUf_CYlOlehwGCTINHg.3NcC9VzfQgsECISKf4xy-g.v2amdo-rgeGsg-II_tvPukX9D-KAP27xxf2uQJ277Ws.E4LIE3fte3glAnPpnd8D9Q",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTkyQ0JDLUhTMzg0IiwiYWxnIjoiQTI1NktXIn0.b8iN0Am3fCUvj7sBd7Z0lpfzBjh1MOgojV7J5rDfrcTU3b35RGYgEV1RdcrtUTBgUwITDjmU7jM.wsSDBFghDga_ERv36I2AOg.6uJsucCb2YReFOJGBdo4zidTIKLUmZBIXfm_M0AJpKk.YwdAfXI3HHcw2wLSnfCRtw4huZQtSKhz",
+			"eyJ6aXAiOiJERUYiLCJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwiYWxnIjoiQTI1NktXIn0.akY9pHCbkHPh5VpXIrX0At41XnJIKBR9iMMkf301vKeJNAZYJTxWzeJhFd-DhQ47tMctc3YYkwZkQ5I_9fGYb_f0oBcw4esh.JNwuuHud78h6S99NO1oBQQ.0RwckPYATBgvw67upkAQ1AezETHc-gh3rryz19i5ryc.3XClRTScgzfMgLCHxHHoRF8mm9VVGXv_Ahtx65PskKQ",
+		},
+	}
+
+	for i, msgs := range aesSampleMessages {
+		for _, msg := range msgs {
+			obj, err := ParseEncrypted(msg)
+			if err != nil {
+				t.Error("unable to parse message", msg, err)
+				continue
+			}
+			plaintext, err := obj.Decrypt(aesTestKeys[i])
+			if err != nil {
+				t.Error("unable to decrypt message", msg, err)
+				continue
+			}
+			if string(plaintext) != "Lorem ipsum dolor sit amet" {
+				t.Error("plaintext is not what we expected for msg", msg)
+			}
+		}
+	}
+}
+
+// Test vectors generated with jose4j
+func TestSampleJose4jJWEMessagesECDH(t *testing.T) {
+	ecTestKey := &ecdsa.PrivateKey{
+		PublicKey: ecdsa.PublicKey{
+			Curve: elliptic.P256(),
+			X:     fromBase64Int("weNJy2HscCSM6AEDTDg04biOvhFhyyWvOHQfeF_PxMQ"),
+			Y:     fromBase64Int("e8lnCO-AlStT-NJVX-crhB7QRYhiix03illJOVAOyck"),
+		},
+		D: fromBase64Int("VEmDZpDXXK8p8N0Cndsxs924q6nS1RXFASRl6BfUqdw"),
+	}
+
+	ecSampleMessages := []string{
+		"eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTEyOENCQy1IUzI1NiIsImVwayI6eyJrdHkiOiJFQyIsIngiOiJTQzAtRnJHUkVvVkpKSmg1TGhORmZqZnFXMC1XSUFyd3RZMzJzQmFQVVh3IiwieSI6ImFQMWlPRENveU9laTVyS1l2VENMNlRMZFN5UEdUN0djMnFsRnBwNXdiWFEiLCJjcnYiOiJQLTI1NiJ9fQ..3mifklTnTTGuA_etSUBBCw.dj8KFM8OlrQ3rT35nHcHZ7A5p84VB2OZb054ghSjS-M.KOIgnJjz87LGqMtikXGxXw",
+		"eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTE5MkNCQy1IUzM4NCIsImVwayI6eyJrdHkiOiJFQyIsIngiOiJUaHRGc0lRZ1E5MkZOYWFMbUFDQURLbE93dmNGVlRORHc4ampfWlJidUxjIiwieSI6IjJmRDZ3UXc3YmpYTm1nVThXMGpFbnl5ZUZkX3Y4ZmpDa3l1R29vTFhGM0EiLCJjcnYiOiJQLTI1NiJ9fQ..90zFayMkKc-fQC_19f6P3A.P1Y_7lMnfkUQOXW_en31lKZ3zAn1nEYn6fXLjmyVPrQ.hrgwy1cePVfhMWT0h-crKTXldglHZ-4g",
+		"eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTI1NkNCQy1IUzUxMiIsImVwayI6eyJrdHkiOiJFQyIsIngiOiI5R1Z6c3VKNWgySl96UURVUFR3WU5zUkFzVzZfY2RzN0pELVQ2RDREQ1ZVIiwieSI6InFZVGl1dVU4aTB1WFpoaS14VGlRNlZJQm5vanFoWENPVnpmWm1pR2lRTEUiLCJjcnYiOiJQLTI1NiJ9fQ..v2reRlDkIsw3eWEsTCc1NA.0qakrFdbhtBCTSl7EREf9sxgHBP9I-Xw29OTJYnrqP8.54ozViEBYYmRkcKp7d2Ztt4hzjQ9Vb5zCeijN_RQrcI",
+		"eyJhbGciOiJFQ0RILUVTK0EyNTZLVyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiOElUemg3VVFaaUthTWtfME9qX1hFaHZENXpUWjE2Ti13WVdjeTJYUC1tdyIsInkiOiJPNUJiVEk0bUFpU005ZmpCejBRU3pXaU5vbnl3cWlQLUN0RGgwdnNGYXNRIiwiY3J2IjoiUC0yNTYifX0.D3DP3wqPvJv4TYYfhnfrOG6nsM-MMH_CqGfnOGjgdXHNF7xRwEJBOA.WL9Kz3gNYA7S5Rs5mKcXmA.EmQkXhO_nFqAwxJWaM0DH4s3pmCscZovB8YWJ3Ru4N8.Bf88uzwfxiyTjpejU5B0Ng",
+		"eyJhbGciOiJFQ0RILUVTK0EyNTZLVyIsImVuYyI6IkExOTJDQkMtSFMzODQiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiMjlJMk4zRkF0UlBlNGhzYjRLWlhTbmVyV0wyTVhtSUN1LXJJaXhNSHpJQSIsInkiOiJvMjY1bzFReEdmbDhzMHQ0U1JROS00RGNpc3otbXh4NlJ6WVF4SktyeWpJIiwiY3J2IjoiUC0yNTYifX0.DRmsmXz6fCnLc_njDIKdpM7Oc4jTqd_yd9J94TOUksAstEUkAl9Ie3Wg-Ji_LzbdX2xRLXIimcw.FwJOHPQhnqKJCfxt1_qRnQ.ssx3q1ZYILsMTln5q-K8HVn93BVPI5ViusstKMxZzRs.zzcfzWNYSdNDdQ4CiHfymj0bePaAbVaT",
+		"eyJhbGciOiJFQ0RILUVTK0EyNTZLVyIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiRUp6bTViQnRzVXJNYTl2Y1Q2d1hZRXI3ZjNMcjB0N1V4SDZuZzdGcFF0VSIsInkiOiJRYTNDSDllVTFXYjItdFdVSDN3Sk9fTDVMZXRsRUlMQWNkNE9XR2tFd0hZIiwiY3J2IjoiUC0yNTYifX0.5WxwluZpVWAOJdVrsnDIlEc4_wfRE1gXOaQyx_rKkElNz157Ykf-JsAD7aEvXfx--NKF4js5zYyjeCtxWBhRWPOoNNZJlqV_.Iuo82-qsP2S1SgQQklAnrw.H4wB6XoLKOKWCu6Y3LPAEuHkvyvr-xAh4IBm53uRF8g._fOLKq0bqDZ8KNjni_MJ4olHNaYz376dV9eNmp9O9PU",
+		"eyJhbGciOiJFQ0RILUVTK0ExOTJLVyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiZktNSG5sRkoxajBTSnJ3WGtVWlpaX3BtWHdUQlJtcHhlaTkxdUpaczUycyIsInkiOiJLRkxKaXhEUTJQcjEybWp1aFdYb3pna2U1V3lhWnhmTWlxZkJ0OEJpbkRvIiwiY3J2IjoiUC0yNTYifX0.2LSD2Mw4tyYJyfsmpVmzBtJRd12jMEYGdlhFbaXIbKi5A33CGNQ1tg.s40aAjmZOvK8Us86FCBdHg.jpYSMAKp___oMCoWM495mTfbi_YC80ObeoCmGE3H_gs.A6V-jJJRY1yz24CaXGUbzg",
+		"eyJhbGciOiJFQ0RILUVTK0ExOTJLVyIsImVuYyI6IkExOTJDQkMtSFMzODQiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiSDRxcFUzeWtuRktWRnV4SmxLa3NZSE5ieHF3aXM0WWtCVVFHVE1Td05JQSIsInkiOiJHb0lpRUZaUGRRSHJCbVR4ZTA3akJoZmxrdWNqUjVoX1QwNWVXc3Zib0prIiwiY3J2IjoiUC0yNTYifX0.KTrwwV2uzD--gf3PGG-kjEAGgi7u0eMqZPZfa4kpyFGm3x8t2m1NHdz3t9rfiqjuaqsxPKhF4gs.cu16fEOzYaSxhHu_Ht9w4g.BRJdxVBI9spVtY5KQ6gTR4CNcKvmLUMKZap0AO-RF2I.DZyUaa2p6YCIaYtjWOjC9GN_VIYgySlZ",
+		"eyJhbGciOiJFQ0RILUVTK0ExOTJLVyIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoieDBYSGRkSGM2Q0ktSnlfbUVMOEZZRExhWnV0UkVFczR4c3BMQmcwZk1jbyIsInkiOiJEa0xzOUJGTlBkTTVTNkpLYVJ3cnV1TWMwcUFzWW9yNW9fZWp6NXBNVXFrIiwiY3J2IjoiUC0yNTYifX0.mfCxJ7JYIqTMqcAh5Vp2USF0eF7OhOeluqda7YagOUJNwxA9wC9o23DSoLUylfrZUfanZrJJJcG69awlv-LY7anOLHlp3Ht5.ec48A_JWb4qa_PVHWZaTfQ.kDAjIDb3LzJpfxNh-DiAmAuaKMYaOGSTb0rkiJLuVeY.oxGCpPlii4pr89XMk4b9s084LucTqPGU6TLbOW2MZoc",
+		"eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiQXB5TnlqU2d0bmRUcFg0eENYenNDRnZva1l3X18weXg2dGRUYzdPUUhIMCIsInkiOiJYUHdHMDVDaW1vOGlhWmxZbDNsMEp3ZllhY1FZWHFuM2RRZEJUWFpldDZBIiwiY3J2IjoiUC0yNTYifX0.yTA2PwK9IPqkaGPenZ9R-gOn9m9rvcSEfuX_Nm8AkuwHIYLzzYeAEA.ZW1F1iyHYKfo-YoanNaIVg.PouKQD94DlPA5lbpfGJXY-EJhidC7l4vSayVN2vVzvA.MexquqtGaXKUvX7WBmD4bA",
+		"eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExOTJDQkMtSFMzODQiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiaDRWeGNzNVUzWk1fTlp4WmJxQ3hMTVB5UmEtR2ktSVNZa0xDTzE1RHJkZyIsInkiOiJFeVotS3dWNVE5OXlnWk5zU0lpSldpR3hqbXNLUk1WVE5sTTNSd1VYTFRvIiwiY3J2IjoiUC0yNTYifX0.wo56VISyL1QAbi2HLuVut5NGF2FvxKt7B8zHzJ3FpmavPozfbVZV08-GSYQ6jLQWJ4xsO80I4Kg.3_9Bo5ozvD96WHGhqp_tfQ.48UkJ6jk6WK70QItb2QZr0edKH7O-aMuVahTEeqyfW4.ulMlY2tbC341ct20YSmNdtc84FRz1I4g",
+		"eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiN0xZRzZZWTJkel9ZaGNvNnRCcG1IX0tPREQ2X2hwX05tajdEc1c2RXgxcyIsInkiOiI5Y2lPeDcwUkdGT0tpVnBRX0NHQXB5NVlyeThDazBmUkpwNHVrQ2tjNmQ0IiwiY3J2IjoiUC0yNTYifX0.bWwW3J80k46HG1fQAZxUroko2OO8OKkeRavr_o3AnhJDMvp78OR229x-fZUaBm4uWv27_Yjm0X9T2H2lhlIli2Rl9v1PNC77.1NmsJBDGI1fDjRzyc4mtyA.9KfCFynQj7LmJq08qxAG4c-6ZPz1Lh3h3nUbgVwB0TI.cqech0d8XHzWfkWqgKZq1SlAfmO0PUwOsNVkuByVGWk",
+	}
+
+	for _, msg := range ecSampleMessages {
+		obj, err := ParseEncrypted(msg)
+		if err != nil {
+			t.Error("unable to parse message", msg, err)
+			continue
+		}
+		plaintext, err := obj.Decrypt(ecTestKey)
+		if err != nil {
+			t.Error("unable to decrypt message", msg, err)
+			continue
+		}
+		if string(plaintext) != "Lorem ipsum dolor sit amet." {
+			t.Error("plaintext is not what we expected for msg", msg)
+		}
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/jwk.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/jwk.go
new file mode 100644
index 000000000..505dd700e
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/jwk.go
@@ -0,0 +1,457 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jose
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"math/big"
+	"reflect"
+	"strings"
+
+	"gopkg.in/square/go-jose.v1/json"
+)
+
+// rawJsonWebKey represents a public or private key in JWK format, used for parsing/serializing.
+type rawJsonWebKey struct {
+	Use string      `json:"use,omitempty"`
+	Kty string      `json:"kty,omitempty"`
+	Kid string      `json:"kid,omitempty"`
+	Crv string      `json:"crv,omitempty"`
+	Alg string      `json:"alg,omitempty"`
+	K   *byteBuffer `json:"k,omitempty"`
+	X   *byteBuffer `json:"x,omitempty"`
+	Y   *byteBuffer `json:"y,omitempty"`
+	N   *byteBuffer `json:"n,omitempty"`
+	E   *byteBuffer `json:"e,omitempty"`
+	// -- Following fields are only used for private keys --
+	// RSA uses D, P and Q, while ECDSA uses only D. Fields Dp, Dq, and Qi are
+	// completely optional. Therefore for RSA/ECDSA, D != nil is a contract that
+	// we have a private key whereas D == nil means we have only a public key.
+	D  *byteBuffer `json:"d,omitempty"`
+	P  *byteBuffer `json:"p,omitempty"`
+	Q  *byteBuffer `json:"q,omitempty"`
+	Dp *byteBuffer `json:"dp,omitempty"`
+	Dq *byteBuffer `json:"dq,omitempty"`
+	Qi *byteBuffer `json:"qi,omitempty"`
+	// Certificates
+	X5c []string `json:"x5c,omitempty"`
+}
+
+// JsonWebKey represents a public or private key in JWK format.
+type JsonWebKey struct {
+	Key          interface{}
+	Certificates []*x509.Certificate
+	KeyID        string
+	Algorithm    string
+	Use          string
+}
+
+// MarshalJSON serializes the given key to its JSON representation.
+func (k JsonWebKey) MarshalJSON() ([]byte, error) {
+	var raw *rawJsonWebKey
+	var err error
+
+	switch key := k.Key.(type) {
+	case *ecdsa.PublicKey:
+		raw, err = fromEcPublicKey(key)
+	case *rsa.PublicKey:
+		raw = fromRsaPublicKey(key)
+	case *ecdsa.PrivateKey:
+		raw, err = fromEcPrivateKey(key)
+	case *rsa.PrivateKey:
+		raw, err = fromRsaPrivateKey(key)
+	case []byte:
+		raw, err = fromSymmetricKey(key)
+	default:
+		return nil, fmt.Errorf("square/go-jose: unknown key type '%s'", reflect.TypeOf(key))
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	raw.Kid = k.KeyID
+	raw.Alg = k.Algorithm
+	raw.Use = k.Use
+
+	for _, cert := range k.Certificates {
+		raw.X5c = append(raw.X5c, base64.StdEncoding.EncodeToString(cert.Raw))
+	}
+
+	return json.Marshal(raw)
+}
+
+// UnmarshalJSON reads a key from its JSON representation.
+func (k *JsonWebKey) UnmarshalJSON(data []byte) (err error) {
+	var raw rawJsonWebKey
+	err = json.Unmarshal(data, &raw)
+	if err != nil {
+		return err
+	}
+
+	var key interface{}
+	switch raw.Kty {
+	case "EC":
+		if raw.D != nil {
+			key, err = raw.ecPrivateKey()
+		} else {
+			key, err = raw.ecPublicKey()
+		}
+	case "RSA":
+		if raw.D != nil {
+			key, err = raw.rsaPrivateKey()
+		} else {
+			key, err = raw.rsaPublicKey()
+		}
+	case "oct":
+		key, err = raw.symmetricKey()
+	default:
+		err = fmt.Errorf("square/go-jose: unknown json web key type '%s'", raw.Kty)
+	}
+
+	if err == nil {
+		*k = JsonWebKey{Key: key, KeyID: raw.Kid, Algorithm: raw.Alg, Use: raw.Use}
+	}
+
+	k.Certificates = make([]*x509.Certificate, len(raw.X5c))
+	for i, cert := range raw.X5c {
+		raw, err := base64.StdEncoding.DecodeString(cert)
+		if err != nil {
+			return err
+		}
+		k.Certificates[i], err = x509.ParseCertificate(raw)
+		if err != nil {
+			return err
+		}
+	}
+
+	return
+}
+
+// JsonWebKeySet represents a JWK Set object.
+type JsonWebKeySet struct {
+	Keys []JsonWebKey `json:"keys"`
+}
+
+// Key convenience method returns keys by key ID. Specification states
+// that a JWK Set "SHOULD" use distinct key IDs, but allows for some
+// cases where they are not distinct. Hence method returns a slice
+// of JsonWebKeys.
+func (s *JsonWebKeySet) Key(kid string) []JsonWebKey {
+	var keys []JsonWebKey
+	for _, key := range s.Keys {
+		if key.KeyID == kid {
+			keys = append(keys, key)
+		}
+	}
+
+	return keys
+}
+
+const rsaThumbprintTemplate = `{"e":"%s","kty":"RSA","n":"%s"}`
+const ecThumbprintTemplate = `{"crv":"%s","kty":"EC","x":"%s","y":"%s"}`
+
+func ecThumbprintInput(curve elliptic.Curve, x, y *big.Int) (string, error) {
+	coordLength := curveSize(curve)
+	crv, err := curveName(curve)
+	if err != nil {
+		return "", err
+	}
+
+	return fmt.Sprintf(ecThumbprintTemplate, crv,
+		newFixedSizeBuffer(x.Bytes(), coordLength).base64(),
+		newFixedSizeBuffer(y.Bytes(), coordLength).base64()), nil
+}
+
+func rsaThumbprintInput(n *big.Int, e int) (string, error) {
+	return fmt.Sprintf(rsaThumbprintTemplate,
+		newBufferFromInt(uint64(e)).base64(),
+		newBuffer(n.Bytes()).base64()), nil
+}
+
+// Thumbprint computes the JWK Thumbprint of a key using the
+// indicated hash algorithm.
+func (k *JsonWebKey) Thumbprint(hash crypto.Hash) ([]byte, error) {
+	var input string
+	var err error
+	switch key := k.Key.(type) {
+	case *ecdsa.PublicKey:
+		input, err = ecThumbprintInput(key.Curve, key.X, key.Y)
+	case *ecdsa.PrivateKey:
+		input, err = ecThumbprintInput(key.Curve, key.X, key.Y)
+	case *rsa.PublicKey:
+		input, err = rsaThumbprintInput(key.N, key.E)
+	case *rsa.PrivateKey:
+		input, err = rsaThumbprintInput(key.N, key.E)
+	default:
+		return nil, fmt.Errorf("square/go-jose: unknown key type '%s'", reflect.TypeOf(key))
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	h := hash.New()
+	h.Write([]byte(input))
+	return h.Sum(nil), nil
+}
+
+// IsPublic returns true if the JWK represents a public key (not symmetric, not private).
+func (k *JsonWebKey) IsPublic() bool {
+	switch k.Key.(type) {
+	case *ecdsa.PublicKey, *rsa.PublicKey:
+		return true
+	default:
+		return false
+	}
+}
+
+// Valid checks that the key contains the expected parameters.
+func (k *JsonWebKey) Valid() bool {
+	if k.Key == nil {
+		return false
+	}
+	switch key := k.Key.(type) {
+	case *ecdsa.PublicKey:
+		if key.Curve == nil || key.X == nil || key.Y == nil {
+			return false
+		}
+	case *ecdsa.PrivateKey:
+		if key.Curve == nil || key.X == nil || key.Y == nil || key.D == nil {
+			return false
+		}
+	case *rsa.PublicKey:
+		if key.N == nil || key.E == 0 {
+			return false
+		}
+	case *rsa.PrivateKey:
+		if key.N == nil || key.E == 0 || key.D == nil || len(key.Primes) < 2 {
+			return false
+		}
+	default:
+		return false
+	}
+	return true
+}
+
+func (key rawJsonWebKey) rsaPublicKey() (*rsa.PublicKey, error) {
+	if key.N == nil || key.E == nil {
+		return nil, fmt.Errorf("square/go-jose: invalid RSA key, missing n/e values")
+	}
+
+	return &rsa.PublicKey{
+		N: key.N.bigInt(),
+		E: key.E.toInt(),
+	}, nil
+}
+
+func fromRsaPublicKey(pub *rsa.PublicKey) *rawJsonWebKey {
+	return &rawJsonWebKey{
+		Kty: "RSA",
+		N:   newBuffer(pub.N.Bytes()),
+		E:   newBufferFromInt(uint64(pub.E)),
+	}
+}
+
+func (key rawJsonWebKey) ecPublicKey() (*ecdsa.PublicKey, error) {
+	var curve elliptic.Curve
+	switch key.Crv {
+	case "P-256":
+		curve = elliptic.P256()
+	case "P-384":
+		curve = elliptic.P384()
+	case "P-521":
+		curve = elliptic.P521()
+	default:
+		return nil, fmt.Errorf("square/go-jose: unsupported elliptic curve '%s'", key.Crv)
+	}
+
+	if key.X == nil || key.Y == nil {
+		return nil, errors.New("square/go-jose: invalid EC key, missing x/y values")
+	}
+
+	x := key.X.bigInt()
+	y := key.Y.bigInt()
+
+	if !curve.IsOnCurve(x, y) {
+		return nil, errors.New("square/go-jose: invalid EC key, X/Y are not on declared curve")
+	}
+
+	return &ecdsa.PublicKey{
+		Curve: curve,
+		X:     x,
+		Y:     y,
+	}, nil
+}
+
+func fromEcPublicKey(pub *ecdsa.PublicKey) (*rawJsonWebKey, error) {
+	if pub == nil || pub.X == nil || pub.Y == nil {
+		return nil, fmt.Errorf("square/go-jose: invalid EC key (nil, or X/Y missing)")
+	}
+
+	name, err := curveName(pub.Curve)
+	if err != nil {
+		return nil, err
+	}
+
+	size := curveSize(pub.Curve)
+
+	xBytes := pub.X.Bytes()
+	yBytes := pub.Y.Bytes()
+
+	if len(xBytes) > size || len(yBytes) > size {
+		return nil, fmt.Errorf("square/go-jose: invalid EC key (X/Y too large)")
+	}
+
+	key := &rawJsonWebKey{
+		Kty: "EC",
+		Crv: name,
+		X:   newFixedSizeBuffer(xBytes, size),
+		Y:   newFixedSizeBuffer(yBytes, size),
+	}
+
+	return key, nil
+}
+
+func (key rawJsonWebKey) rsaPrivateKey() (*rsa.PrivateKey, error) {
+	var missing []string
+	switch {
+	case key.N == nil:
+		missing = append(missing, "N")
+	case key.E == nil:
+		missing = append(missing, "E")
+	case key.D == nil:
+		missing = append(missing, "D")
+	case key.P == nil:
+		missing = append(missing, "P")
+	case key.Q == nil:
+		missing = append(missing, "Q")
+	}
+
+	if len(missing) > 0 {
+		return nil, fmt.Errorf("square/go-jose: invalid RSA private key, missing %s value(s)", strings.Join(missing, ", "))
+	}
+
+	rv := &rsa.PrivateKey{
+		PublicKey: rsa.PublicKey{
+			N: key.N.bigInt(),
+			E: key.E.toInt(),
+		},
+		D: key.D.bigInt(),
+		Primes: []*big.Int{
+			key.P.bigInt(),
+			key.Q.bigInt(),
+		},
+	}
+
+	if key.Dp != nil {
+		rv.Precomputed.Dp = key.Dp.bigInt()
+	}
+	if key.Dq != nil {
+		rv.Precomputed.Dq = key.Dq.bigInt()
+	}
+	if key.Qi != nil {
+		rv.Precomputed.Qinv = key.Qi.bigInt()
+	}
+
+	err := rv.Validate()
+	return rv, err
+}
+
+func fromRsaPrivateKey(rsa *rsa.PrivateKey) (*rawJsonWebKey, error) {
+	if len(rsa.Primes) != 2 {
+		return nil, ErrUnsupportedKeyType
+	}
+
+	raw := fromRsaPublicKey(&rsa.PublicKey)
+
+	raw.D = newBuffer(rsa.D.Bytes())
+	raw.P = newBuffer(rsa.Primes[0].Bytes())
+	raw.Q = newBuffer(rsa.Primes[1].Bytes())
+
+	return raw, nil
+}
+
+func (key rawJsonWebKey) ecPrivateKey() (*ecdsa.PrivateKey, error) {
+	var curve elliptic.Curve
+	switch key.Crv {
+	case "P-256":
+		curve = elliptic.P256()
+	case "P-384":
+		curve = elliptic.P384()
+	case "P-521":
+		curve = elliptic.P521()
+	default:
+		return nil, fmt.Errorf("square/go-jose: unsupported elliptic curve '%s'", key.Crv)
+	}
+
+	if key.X == nil || key.Y == nil || key.D == nil {
+		return nil, fmt.Errorf("square/go-jose: invalid EC private key, missing x/y/d values")
+	}
+
+	x := key.X.bigInt()
+	y := key.Y.bigInt()
+
+	if !curve.IsOnCurve(x, y) {
+		return nil, errors.New("square/go-jose: invalid EC key, X/Y are not on declared curve")
+	}
+
+	return &ecdsa.PrivateKey{
+		PublicKey: ecdsa.PublicKey{
+			Curve: curve,
+			X:     x,
+			Y:     y,
+		},
+		D: key.D.bigInt(),
+	}, nil
+}
+
+func fromEcPrivateKey(ec *ecdsa.PrivateKey) (*rawJsonWebKey, error) {
+	raw, err := fromEcPublicKey(&ec.PublicKey)
+	if err != nil {
+		return nil, err
+	}
+
+	if ec.D == nil {
+		return nil, fmt.Errorf("square/go-jose: invalid EC private key")
+	}
+
+	raw.D = newBuffer(ec.D.Bytes())
+
+	return raw, nil
+}
+
+func fromSymmetricKey(key []byte) (*rawJsonWebKey, error) {
+	return &rawJsonWebKey{
+		Kty: "oct",
+		K:   newBuffer(key),
+	}, nil
+}
+
+func (key rawJsonWebKey) symmetricKey() ([]byte, error) {
+	if key.K == nil {
+		return nil, fmt.Errorf("square/go-jose: invalid OCT (symmetric) key, missing k value")
+	}
+	return key.K.bytes(), nil
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/jwk_test.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/jwk_test.go
new file mode 100644
index 000000000..c34f5de56
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/jwk_test.go
@@ -0,0 +1,662 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jose
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/hex"
+	"fmt"
+	"math/big"
+	"reflect"
+	"testing"
+
+	"gopkg.in/square/go-jose.v1/json"
+)
+
+// Test chain of two X.509 certificates
+var testCertificates, _ = x509.ParseCertificates(fromBase64Bytes(`
+MIIDfDCCAmSgAwIBAgIJANWAkzF7PA8/MA0GCSqGSIb3DQEBCwUAMFUxCzAJ
+BgNVBAYTAlVTMQswCQYDVQQIEwJDQTEQMA4GA1UEChMHY2VydGlnbzEQMA4G
+A1UECxMHZXhhbXBsZTEVMBMGA1UEAxMMZXhhbXBsZS1sZWFmMB4XDTE2MDYx
+MDIyMTQxMVoXDTIzMDQxNTIyMTQxMVowVTELMAkGA1UEBhMCVVMxCzAJBgNV
+BAgTAkNBMRAwDgYDVQQKEwdjZXJ0aWdvMRAwDgYDVQQLEwdleGFtcGxlMRUw
+EwYDVQQDEwxleGFtcGxlLWxlYWYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQC7stSvfQyGuHw3v34fisqIdDXberrFoFk9ht/WdXgYzX2uLNKd
+sR/J5sbWSl8K/5djpzj31eIzqU69w8v7SChM5x9bouDsABHz3kZucx5cSafE
+gJojysBkcrq3VY+aJanzbL+qErYX+lhRpPcZK6JMWIwar8Y3B2la4yWwieec
+w2/WfEVvG0M/DOYKnR8QHFsfl3US1dnBM84czKPyt9r40gDk2XiH/lGts5a9
+4rAGvbr8IMCtq0mA5aH3Fx3mDSi3+4MZwygCAHrF5O5iSV9rEI+m2+7j2S+j
+HDUnvV+nqcpb9m6ENECnYX8FD2KcqlOjTmw8smDy09N2Np6i464lAgMBAAGj
+TzBNMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAsBgNVHREEJTAj
+hwR/AAABhxAAAAAAAAAAAAAAAAAAAAABgglsb2NhbGhvc3QwDQYJKoZIhvcN
+AQELBQADggEBAGM4aa/qrURUweZBIwZYv8O9b2+r4l0HjGAh982/B9sMlM05
+kojyDCUGvj86z18Lm8mKr4/y+i0nJ+vDIksEvfDuzw5ALAXGcBzPJKtICUf7
+LstA/n9NNpshWz0kld9ylnB5mbUzSFDncVyeXkEf5sGQXdIIZT9ChRBoiloS
+aa7dvBVCcsX1LGP2LWqKtD+7nUnw5qCwtyAVT8pthEUxFTpywoiJS5ZdzeEx
+8MNGvUeLFj2kleqPF78EioEQlSOxViCuctEtnQuPcDLHNFr10byTZY9roObi
+qdsJLMVvb2XliJjAqaPa9AkYwGE6xHw2ispwg64Rse0+AtKups19WIUwggNT
+MIICO6ADAgECAgkAqD4tCWKt9/AwDQYJKoZIhvcNAQELBQAwVTELMAkGA1UE
+BhMCVVMxCzAJBgNVBAgTAkNBMRAwDgYDVQQKEwdjZXJ0aWdvMRAwDgYDVQQL
+EwdleGFtcGxlMRUwEwYDVQQDEwxleGFtcGxlLXJvb3QwHhcNMTYwNjEwMjIx
+NDExWhcNMjMwNDE1MjIxNDExWjBVMQswCQYDVQQGEwJVUzELMAkGA1UECBMC
+Q0ExEDAOBgNVBAoTB2NlcnRpZ28xEDAOBgNVBAsTB2V4YW1wbGUxFTATBgNV
+BAMTDGV4YW1wbGUtcm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAMo4ShKI2MxDz/NQVxBbz0tbD5R5NcobA0NKkaPKLyMEpnWVY9ucyauM
+joNn1F568cfOoF0pm3700U8UTPt2MMxEHIi4mFG/OF8UF+Voh1J42Tb42lRo
+W5RRR3ogh4+7QB1G94nxkYddHAJ4QMhUJlLigFg8c6Ff/MxYODy9I7ilLFOM
+Zzsjx8fFpRKRXNQFt471P/V4WTSba7GzdTOJRyTZf/xipF36n8RoEQPvyde8
+pEAsCC4oDOrEiCTdxw8rRJVAU0Wr55XX+qjxyi55C6oykIC/BWR+lUqGd7IL
+Y2Uyt/OVxllt8b+KuVKNCfn4TFlfgizLWkJRs6JV9KuwJ20CAwEAAaMmMCQw
+DgYDVR0PAQH/BAQDAgIEMBIGA1UdEwEB/wQIMAYBAf8CAQAwDQYJKoZIhvcN
+AQELBQADggEBAIsQlTrm9NT6gts0cs4JHp8AutuMrvGyLpIUOlJcEybvgxaz
+LebIMGZek5w3yEJiCyCK9RdNDP3Kdc/+nM6PhvzfPOVo58+0tMCYyEpZVXhD
+zmasNDP4fMbiUpczvx5OwPw/KuhwD+1ITuZUQnQlqXgTYoj9n39+qlgUsHos
+WXHmfzd6Fcz96ADSXg54IL2cEoJ41Q3ewhA7zmWWPLMAl21aex2haiAmzqqN
+xXyfZTnGNnE3lkV1yVguOrqDZyMRdcxDFvxvtmEeMtYV2Mc/zlS9ccrcOkrc
+mZSDxthLu3UMl98NA2NrCGWwzJwpk36vQ0PRSbibsCMarFspP8zbIoU=`))
+
+func TestCurveSize(t *testing.T) {
+	size256 := curveSize(elliptic.P256())
+	size384 := curveSize(elliptic.P384())
+	size521 := curveSize(elliptic.P521())
+	if size256 != 32 {
+		t.Error("P-256 have 32 bytes")
+	}
+	if size384 != 48 {
+		t.Error("P-384 have 48 bytes")
+	}
+	if size521 != 66 {
+		t.Error("P-521 have 66 bytes")
+	}
+}
+
+func TestRoundtripRsaPrivate(t *testing.T) {
+	jwk, err := fromRsaPrivateKey(rsaTestKey)
+	if err != nil {
+		t.Error("problem constructing JWK from rsa key", err)
+	}
+
+	rsa2, err := jwk.rsaPrivateKey()
+	if err != nil {
+		t.Error("problem converting RSA private -> JWK", err)
+	}
+
+	if rsa2.N.Cmp(rsaTestKey.N) != 0 {
+		t.Error("RSA private N mismatch")
+	}
+	if rsa2.E != rsaTestKey.E {
+		t.Error("RSA private E mismatch")
+	}
+	if rsa2.D.Cmp(rsaTestKey.D) != 0 {
+		t.Error("RSA private D mismatch")
+	}
+	if len(rsa2.Primes) != 2 {
+		t.Error("RSA private roundtrip expected two primes")
+	}
+	if rsa2.Primes[0].Cmp(rsaTestKey.Primes[0]) != 0 {
+		t.Error("RSA private P mismatch")
+	}
+	if rsa2.Primes[1].Cmp(rsaTestKey.Primes[1]) != 0 {
+		t.Error("RSA private Q mismatch")
+	}
+}
+
+func TestRsaPrivateInsufficientPrimes(t *testing.T) {
+	brokenRsaPrivateKey := rsa.PrivateKey{
+		PublicKey: rsa.PublicKey{
+			N: rsaTestKey.N,
+			E: rsaTestKey.E,
+		},
+		D:      rsaTestKey.D,
+		Primes: []*big.Int{rsaTestKey.Primes[0]},
+	}
+
+	_, err := fromRsaPrivateKey(&brokenRsaPrivateKey)
+	if err != ErrUnsupportedKeyType {
+		t.Error("expected unsupported key type error, got", err)
+	}
+}
+
+func TestRsaPrivateExcessPrimes(t *testing.T) {
+	brokenRsaPrivateKey := rsa.PrivateKey{
+		PublicKey: rsa.PublicKey{
+			N: rsaTestKey.N,
+			E: rsaTestKey.E,
+		},
+		D: rsaTestKey.D,
+		Primes: []*big.Int{
+			rsaTestKey.Primes[0],
+			rsaTestKey.Primes[1],
+			big.NewInt(3),
+		},
+	}
+
+	_, err := fromRsaPrivateKey(&brokenRsaPrivateKey)
+	if err != ErrUnsupportedKeyType {
+		t.Error("expected unsupported key type error, got", err)
+	}
+}
+
+func TestRoundtripEcPublic(t *testing.T) {
+	for i, ecTestKey := range []*ecdsa.PrivateKey{ecTestKey256, ecTestKey384, ecTestKey521} {
+		jwk, err := fromEcPublicKey(&ecTestKey.PublicKey)
+
+		ec2, err := jwk.ecPublicKey()
+		if err != nil {
+			t.Error("problem converting ECDSA private -> JWK", i, err)
+		}
+
+		if !reflect.DeepEqual(ec2.Curve, ecTestKey.Curve) {
+			t.Error("ECDSA private curve mismatch", i)
+		}
+		if ec2.X.Cmp(ecTestKey.X) != 0 {
+			t.Error("ECDSA X mismatch", i)
+		}
+		if ec2.Y.Cmp(ecTestKey.Y) != 0 {
+			t.Error("ECDSA Y mismatch", i)
+		}
+	}
+}
+
+func TestRoundtripEcPrivate(t *testing.T) {
+	for i, ecTestKey := range []*ecdsa.PrivateKey{ecTestKey256, ecTestKey384, ecTestKey521} {
+		jwk, err := fromEcPrivateKey(ecTestKey)
+
+		ec2, err := jwk.ecPrivateKey()
+		if err != nil {
+			t.Error("problem converting ECDSA private -> JWK", i, err)
+		}
+
+		if !reflect.DeepEqual(ec2.Curve, ecTestKey.Curve) {
+			t.Error("ECDSA private curve mismatch", i)
+		}
+		if ec2.X.Cmp(ecTestKey.X) != 0 {
+			t.Error("ECDSA X mismatch", i)
+		}
+		if ec2.Y.Cmp(ecTestKey.Y) != 0 {
+			t.Error("ECDSA Y mismatch", i)
+		}
+		if ec2.D.Cmp(ecTestKey.D) != 0 {
+			t.Error("ECDSA D mismatch", i)
+		}
+	}
+}
+
+func TestRoundtripX5C(t *testing.T) {
+	jwk := JsonWebKey{
+		Key:          rsaTestKey,
+		KeyID:        "bar",
+		Algorithm:    "foo",
+		Certificates: testCertificates,
+	}
+
+	jsonbar, err := jwk.MarshalJSON()
+	if err != nil {
+		t.Error("problem marshaling", err)
+	}
+
+	var jwk2 JsonWebKey
+	err = jwk2.UnmarshalJSON(jsonbar)
+	if err != nil {
+		t.Error("problem unmarshalling", err)
+	}
+
+	if !reflect.DeepEqual(testCertificates, jwk2.Certificates) {
+		t.Error("Certificates not equal", jwk.Certificates, jwk2.Certificates)
+	}
+
+	jsonbar2, err := jwk2.MarshalJSON()
+	if err != nil {
+		t.Error("problem marshaling", err)
+	}
+	if !bytes.Equal(jsonbar, jsonbar2) {
+		t.Error("roundtrip should not lose information")
+	}
+}
+
+func TestMarshalUnmarshal(t *testing.T) {
+	kid := "DEADBEEF"
+
+	for i, key := range []interface{}{ecTestKey256, ecTestKey384, ecTestKey521, rsaTestKey} {
+		for _, use := range []string{"", "sig", "enc"} {
+			jwk := JsonWebKey{Key: key, KeyID: kid, Algorithm: "foo"}
+			if use != "" {
+				jwk.Use = use
+			}
+
+			jsonbar, err := jwk.MarshalJSON()
+			if err != nil {
+				t.Error("problem marshaling", i, err)
+			}
+
+			var jwk2 JsonWebKey
+			err = jwk2.UnmarshalJSON(jsonbar)
+			if err != nil {
+				t.Error("problem unmarshalling", i, err)
+			}
+
+			jsonbar2, err := jwk2.MarshalJSON()
+			if err != nil {
+				t.Error("problem marshaling", i, err)
+			}
+
+			if !bytes.Equal(jsonbar, jsonbar2) {
+				t.Error("roundtrip should not lose information", i)
+			}
+			if jwk2.KeyID != kid {
+				t.Error("kid did not roundtrip JSON marshalling", i)
+			}
+
+			if jwk2.Algorithm != "foo" {
+				t.Error("alg did not roundtrip JSON marshalling", i)
+			}
+
+			if jwk2.Use != use {
+				t.Error("use did not roundtrip JSON marshalling", i)
+			}
+		}
+	}
+}
+
+func TestMarshalNonPointer(t *testing.T) {
+	type EmbedsKey struct {
+		Key JsonWebKey
+	}
+
+	keyJson := []byte(`{
+		"e": "AQAB",
+		"kty": "RSA",
+		"n": "vd7rZIoTLEe-z1_8G1FcXSw9CQFEJgV4g9V277sER7yx5Qjz_Pkf2YVth6wwwFJEmzc0hoKY-MMYFNwBE4hQHw"
+	}`)
+	var parsedKey JsonWebKey
+	err := json.Unmarshal(keyJson, &parsedKey)
+	if err != nil {
+		t.Error(fmt.Sprintf("Error unmarshalling key: %v", err))
+		return
+	}
+	ek := EmbedsKey{
+		Key: parsedKey,
+	}
+	out, err := json.Marshal(ek)
+	if err != nil {
+		t.Error(fmt.Sprintf("Error marshalling JSON: %v", err))
+		return
+	}
+	expected := "{\"Key\":{\"kty\":\"RSA\",\"n\":\"vd7rZIoTLEe-z1_8G1FcXSw9CQFEJgV4g9V277sER7yx5Qjz_Pkf2YVth6wwwFJEmzc0hoKY-MMYFNwBE4hQHw\",\"e\":\"AQAB\"}}"
+	if string(out) != expected {
+		t.Error("Failed to marshal embedded non-pointer JWK properly:", string(out))
+	}
+}
+
+func TestMarshalUnmarshalInvalid(t *testing.T) {
+	// Make an invalid curve coordinate by creating a byte array that is one
+	// byte too large, and setting the first byte to 1 (otherwise it's just zero).
+	invalidCoord := make([]byte, curveSize(ecTestKey256.Curve)+1)
+	invalidCoord[0] = 1
+
+	keys := []interface{}{
+		// Empty keys
+		&rsa.PrivateKey{},
+		&ecdsa.PrivateKey{},
+		// Invalid keys
+		&ecdsa.PrivateKey{
+			PublicKey: ecdsa.PublicKey{
+				// Missing values in pub key
+				Curve: elliptic.P256(),
+			},
+		},
+		&ecdsa.PrivateKey{
+			PublicKey: ecdsa.PublicKey{
+				// Invalid curve
+				Curve: nil,
+				X:     ecTestKey256.X,
+				Y:     ecTestKey256.Y,
+			},
+		},
+		&ecdsa.PrivateKey{
+			// Valid pub key, but missing priv key values
+			PublicKey: ecTestKey256.PublicKey,
+		},
+		&ecdsa.PrivateKey{
+			// Invalid pub key, values too large
+			PublicKey: ecdsa.PublicKey{
+				Curve: ecTestKey256.Curve,
+				X:     big.NewInt(0).SetBytes(invalidCoord),
+				Y:     big.NewInt(0).SetBytes(invalidCoord),
+			},
+			D: ecTestKey256.D,
+		},
+		nil,
+	}
+
+	for i, key := range keys {
+		jwk := JsonWebKey{Key: key}
+		_, err := jwk.MarshalJSON()
+		if err == nil {
+			t.Error("managed to serialize invalid key", i)
+		}
+	}
+}
+
+func TestWebKeyVectorsInvalid(t *testing.T) {
+	keys := []string{
+		// Invalid JSON
+		"{X",
+		// Empty key
+		"{}",
+		// Invalid RSA keys
+		`{"kty":"RSA"}`,
+		`{"kty":"RSA","e":""}`,
+		`{"kty":"RSA","e":"XXXX"}`,
+		`{"kty":"RSA","d":"XXXX"}`,
+		// Invalid EC keys
+		`{"kty":"EC","crv":"ABC"}`,
+		`{"kty":"EC","crv":"P-256"}`,
+		`{"kty":"EC","crv":"P-256","d":"XXX"}`,
+		`{"kty":"EC","crv":"ABC","d":"dGVzdA","x":"dGVzdA"}`,
+		`{"kty":"EC","crv":"P-256","d":"dGVzdA","x":"dGVzdA"}`,
+	}
+
+	for _, key := range keys {
+		var jwk2 JsonWebKey
+		err := jwk2.UnmarshalJSON([]byte(key))
+		if err == nil {
+			t.Error("managed to parse invalid key:", key)
+		}
+	}
+}
+
+// Test vectors from RFC 7520
+var cookbookJWKs = []string{
+	// EC Public
+	stripWhitespace(`{
+     "kty": "EC",
+     "kid": "bilbo.baggins@hobbiton.example",
+     "use": "sig",
+     "crv": "P-521",
+     "x": "AHKZLLOsCOzz5cY97ewNUajB957y-C-U88c3v13nmGZx6sYl_oJXu9
+         A5RkTKqjqvjyekWF-7ytDyRXYgCF5cj0Kt",
+     "y": "AdymlHvOiLxXkEhayXQnNCvDX4h9htZaCJN34kfmC6pV5OhQHiraVy
+         SsUdaQkAgDPrwQrJmbnX9cwlGfP-HqHZR1"
+   }`),
+
+	// EC Private
+	stripWhitespace(`{
+     "kty": "EC",
+     "kid": "bilbo.baggins@hobbiton.example",
+     "use": "sig",
+     "crv": "P-521",
+     "x": "AHKZLLOsCOzz5cY97ewNUajB957y-C-U88c3v13nmGZx6sYl_oJXu9
+           A5RkTKqjqvjyekWF-7ytDyRXYgCF5cj0Kt",
+     "y": "AdymlHvOiLxXkEhayXQnNCvDX4h9htZaCJN34kfmC6pV5OhQHiraVy
+           SsUdaQkAgDPrwQrJmbnX9cwlGfP-HqHZR1",
+     "d": "AAhRON2r9cqXX1hg-RoI6R1tX5p2rUAYdmpHZoC1XNM56KtscrX6zb
+           KipQrCW9CGZH3T4ubpnoTKLDYJ_fF3_rJt"
+   }`),
+
+	// RSA Public
+	stripWhitespace(`{
+     "kty": "RSA",
+     "kid": "bilbo.baggins@hobbiton.example",
+     "use": "sig",
+     "n": "n4EPtAOCc9AlkeQHPzHStgAbgs7bTZLwUBZdR8_KuKPEHLd4rHVTeT
+         -O-XV2jRojdNhxJWTDvNd7nqQ0VEiZQHz_AJmSCpMaJMRBSFKrKb2wqV
+         wGU_NsYOYL-QtiWN2lbzcEe6XC0dApr5ydQLrHqkHHig3RBordaZ6Aj-
+         oBHqFEHYpPe7Tpe-OfVfHd1E6cS6M1FZcD1NNLYD5lFHpPI9bTwJlsde
+         3uhGqC0ZCuEHg8lhzwOHrtIQbS0FVbb9k3-tVTU4fg_3L_vniUFAKwuC
+         LqKnS2BYwdq_mzSnbLY7h_qixoR7jig3__kRhuaxwUkRz5iaiQkqgc5g
+         HdrNP5zw",
+     "e": "AQAB"
+   }`),
+
+	// RSA Private
+	stripWhitespace(`{"kty":"RSA",
+      "kid":"juliet@capulet.lit",
+      "use":"enc",
+      "n":"t6Q8PWSi1dkJj9hTP8hNYFlvadM7DflW9mWepOJhJ66w7nyoK1gPNqFMSQRy
+           O125Gp-TEkodhWr0iujjHVx7BcV0llS4w5ACGgPrcAd6ZcSR0-Iqom-QFcNP
+           8Sjg086MwoqQU_LYywlAGZ21WSdS_PERyGFiNnj3QQlO8Yns5jCtLCRwLHL0
+           Pb1fEv45AuRIuUfVcPySBWYnDyGxvjYGDSM-AqWS9zIQ2ZilgT-GqUmipg0X
+           OC0Cc20rgLe2ymLHjpHciCKVAbY5-L32-lSeZO-Os6U15_aXrk9Gw8cPUaX1
+           _I8sLGuSiVdt3C_Fn2PZ3Z8i744FPFGGcG1qs2Wz-Q",
+      "e":"AQAB",
+      "d":"GRtbIQmhOZtyszfgKdg4u_N-R_mZGU_9k7JQ_jn1DnfTuMdSNprTeaSTyWfS
+           NkuaAwnOEbIQVy1IQbWVV25NY3ybc_IhUJtfri7bAXYEReWaCl3hdlPKXy9U
+           vqPYGR0kIXTQRqns-dVJ7jahlI7LyckrpTmrM8dWBo4_PMaenNnPiQgO0xnu
+           ToxutRZJfJvG4Ox4ka3GORQd9CsCZ2vsUDmsXOfUENOyMqADC6p1M3h33tsu
+           rY15k9qMSpG9OX_IJAXmxzAh_tWiZOwk2K4yxH9tS3Lq1yX8C1EWmeRDkK2a
+           hecG85-oLKQt5VEpWHKmjOi_gJSdSgqcN96X52esAQ",
+      "p":"2rnSOV4hKSN8sS4CgcQHFbs08XboFDqKum3sc4h3GRxrTmQdl1ZK9uw-PIHf
+           QP0FkxXVrx-WE-ZEbrqivH_2iCLUS7wAl6XvARt1KkIaUxPPSYB9yk31s0Q8
+           UK96E3_OrADAYtAJs-M3JxCLfNgqh56HDnETTQhH3rCT5T3yJws",
+      "q":"1u_RiFDP7LBYh3N4GXLT9OpSKYP0uQZyiaZwBtOCBNJgQxaj10RWjsZu0c6I
+           edis4S7B_coSKB0Kj9PaPaBzg-IySRvvcQuPamQu66riMhjVtG6TlV8CLCYK
+           rYl52ziqK0E_ym2QnkwsUX7eYTB7LbAHRK9GqocDE5B0f808I4s",
+      "dp":"KkMTWqBUefVwZ2_Dbj1pPQqyHSHjj90L5x_MOzqYAJMcLMZtbUtwKqvVDq3
+           tbEo3ZIcohbDtt6SbfmWzggabpQxNxuBpoOOf_a_HgMXK_lhqigI4y_kqS1w
+           Y52IwjUn5rgRrJ-yYo1h41KR-vz2pYhEAeYrhttWtxVqLCRViD6c",
+      "dq":"AvfS0-gRxvn0bwJoMSnFxYcK1WnuEjQFluMGfwGitQBWtfZ1Er7t1xDkbN9
+           GQTB9yqpDoYaN06H7CFtrkxhJIBQaj6nkF5KKS3TQtQ5qCzkOkmxIe3KRbBy
+           mXxkb5qwUpX5ELD5xFc6FeiafWYY63TmmEAu_lRFCOJ3xDea-ots",
+      "qi":"lSQi-w9CpyUReMErP1RsBLk7wNtOvs5EQpPqmuMvqW57NBUczScEoPwmUqq
+           abu9V0-Py4dQ57_bapoKRu1R90bvuFnU63SHWEFglZQvJDMeAvmj4sm-Fp0o
+           Yu_neotgQ0hzbI5gry7ajdYy9-2lNx_76aBZoOUu9HCJ-UsfSOI8"}`),
+
+	// X.509 Certificate Chain
+	stripWhitespace(`{"kty":"RSA",
+      "use":"sig",
+      "kid":"1b94c",
+      "n":"vrjOfz9Ccdgx5nQudyhdoR17V-IubWMeOZCwX_jj0hgAsz2J_pqYW08
+           PLbK_PdiVGKPrqzmDIsLI7sA25VEnHU1uCLNwBuUiCO11_-7dYbsr4iJmG0Q
+           u2j8DsVyT1azpJC_NG84Ty5KKthuCaPod7iI7w0LK9orSMhBEwwZDCxTWq4a
+           YWAchc8t-emd9qOvWtVMDC2BXksRngh6X5bUYLy6AyHKvj-nUy1wgzjYQDwH
+           MTplCoLtU-o-8SNnZ1tmRoGE9uJkBLdh5gFENabWnU5m1ZqZPdwS-qo-meMv
+           VfJb6jJVWRpl2SUtCnYG2C32qvbWbjZ_jBPD5eunqsIo1vQ",
+      "e":"AQAB",
+      "x5c":
+           ["MIIDQjCCAiqgAwIBAgIGATz/FuLiMA0GCSqGSIb3DQEBBQUAMGIxCzAJB
+           gNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYD
+           VQQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1
+           wYmVsbDAeFw0xMzAyMjEyMzI5MTVaFw0xODA4MTQyMjI5MTVaMGIxCzAJBg
+           NVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYDV
+           QQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1w
+           YmVsbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL64zn8/QnH
+           YMeZ0LncoXaEde1fiLm1jHjmQsF/449IYALM9if6amFtPDy2yvz3YlRij66
+           s5gyLCyO7ANuVRJx1NbgizcAblIgjtdf/u3WG7K+IiZhtELto/A7Fck9Ws6
+           SQvzRvOE8uSirYbgmj6He4iO8NCyvaK0jIQRMMGQwsU1quGmFgHIXPLfnpn
+           fajr1rVTAwtgV5LEZ4Iel+W1GC8ugMhyr4/p1MtcIM42EA8BzE6ZQqC7VPq
+           PvEjZ2dbZkaBhPbiZAS3YeYBRDWm1p1OZtWamT3cEvqqPpnjL1XyW+oyVVk
+           aZdklLQp2Btgt9qr21m42f4wTw+Xrp6rCKNb0CAwEAATANBgkqhkiG9w0BA
+           QUFAAOCAQEAh8zGlfSlcI0o3rYDPBB07aXNswb4ECNIKG0CETTUxmXl9KUL
+           +9gGlqCz5iWLOgWsnrcKcY0vXPG9J1r9AqBNTqNgHq2G03X09266X5CpOe1
+           zFo+Owb1zxtp3PehFdfQJ610CDLEaS9V9Rqp17hCyybEpOGVwe8fnk+fbEL
+           2Bo3UPGrpsHzUoaGpDftmWssZkhpBJKVMJyf/RuP2SmmaIzmnw9JiSlYhzo
+           4tpzd5rFXhjRbg4zW9C+2qok+2+qDM1iJ684gPHMIY8aLWrdgQTxkumGmTq
+           gawR+N5MDtdPTEQ0XfIBc2cJEUyMTY5MPvACWpkA6SdS4xSvdXK3IVfOWA=="]}`),
+}
+
+// SHA-256 thumbprints of the above keys, hex-encoded
+var cookbookJWKThumbprints = []string{
+	"747ae2dd2003664aeeb21e4753fe7402846170a16bc8df8f23a8cf06d3cbe793",
+	"747ae2dd2003664aeeb21e4753fe7402846170a16bc8df8f23a8cf06d3cbe793",
+	"f63838e96077ad1fc01c3f8405774dedc0641f558ebb4b40dccf5f9b6d66a932",
+	"0fc478f8579325fcee0d4cbc6d9d1ce21730a6e97e435d6008fb379b0ebe47d4",
+	"0ddb05bfedbec2070fa037324ba397396561d3425d6d69245570c261dc49dee3",
+}
+
+func TestWebKeyVectorsValid(t *testing.T) {
+	for _, key := range cookbookJWKs {
+		var jwk2 JsonWebKey
+		err := jwk2.UnmarshalJSON([]byte(key))
+		if err != nil {
+			t.Error("unable to parse valid key:", key, err)
+		}
+	}
+}
+
+func TestThumbprint(t *testing.T) {
+	for i, key := range cookbookJWKs {
+		var jwk2 JsonWebKey
+		err := jwk2.UnmarshalJSON([]byte(key))
+		if err != nil {
+			t.Error("unable to parse valid key:", key, err)
+		}
+
+		tp, err := jwk2.Thumbprint(crypto.SHA256)
+		if err != nil {
+			t.Error("unable to compute thumbprint:", key, err)
+		}
+
+		tpHex := hex.EncodeToString(tp)
+		if cookbookJWKThumbprints[i] != tpHex {
+			t.Error("incorrect thumbprint:", i, cookbookJWKThumbprints[i], tpHex)
+		}
+	}
+}
+
+func TestMarshalUnmarshalJWKSet(t *testing.T) {
+	jwk1 := JsonWebKey{Key: rsaTestKey, KeyID: "ABCDEFG", Algorithm: "foo"}
+	jwk2 := JsonWebKey{Key: rsaTestKey, KeyID: "GFEDCBA", Algorithm: "foo"}
+	var set JsonWebKeySet
+	set.Keys = append(set.Keys, jwk1)
+	set.Keys = append(set.Keys, jwk2)
+
+	jsonbar, err := json.Marshal(&set)
+	if err != nil {
+		t.Error("problem marshalling set", err)
+	}
+	var set2 JsonWebKeySet
+	err = json.Unmarshal(jsonbar, &set2)
+	if err != nil {
+		t.Error("problem unmarshalling set", err)
+	}
+	jsonbar2, err := json.Marshal(&set2)
+	if err != nil {
+		t.Error("problem marshalling set", err)
+	}
+	if !bytes.Equal(jsonbar, jsonbar2) {
+		t.Error("roundtrip should not lose information")
+	}
+}
+
+func TestJWKSetKey(t *testing.T) {
+	jwk1 := JsonWebKey{Key: rsaTestKey, KeyID: "ABCDEFG", Algorithm: "foo"}
+	jwk2 := JsonWebKey{Key: rsaTestKey, KeyID: "GFEDCBA", Algorithm: "foo"}
+	var set JsonWebKeySet
+	set.Keys = append(set.Keys, jwk1)
+	set.Keys = append(set.Keys, jwk2)
+	k := set.Key("ABCDEFG")
+	if len(k) != 1 {
+		t.Errorf("method should return slice with one key not %d", len(k))
+	}
+	if k[0].KeyID != "ABCDEFG" {
+		t.Error("method should return key with ID ABCDEFG")
+	}
+}
+
+func TestJWKSymmetricKey(t *testing.T) {
+	sample1 := `{"kty":"oct","alg":"A128KW","k":"GawgguFyGrWKav7AX4VKUg"}`
+	sample2 := `{"kty":"oct","k":"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow","kid":"HMAC key used in JWS spec Appendix A.1 example"}`
+
+	var jwk1 JsonWebKey
+	json.Unmarshal([]byte(sample1), &jwk1)
+
+	if jwk1.Algorithm != "A128KW" {
+		t.Errorf("expected Algorithm to be A128KW, but was '%s'", jwk1.Algorithm)
+	}
+	expected1 := fromHexBytes("19ac2082e1721ab58a6afec05f854a52")
+	if !bytes.Equal(jwk1.Key.([]byte), expected1) {
+		t.Errorf("expected Key to be '%s', but was '%s'", hex.EncodeToString(expected1), hex.EncodeToString(jwk1.Key.([]byte)))
+	}
+
+	var jwk2 JsonWebKey
+	json.Unmarshal([]byte(sample2), &jwk2)
+
+	if jwk2.KeyID != "HMAC key used in JWS spec Appendix A.1 example" {
+		t.Errorf("expected KeyID to be 'HMAC key used in JWS spec Appendix A.1 example', but was '%s'", jwk2.KeyID)
+	}
+	expected2 := fromHexBytes(`
+    0323354b2b0fa5bc837e0665777ba68f5ab328e6f054c928a90f84b2d2502ebf
+    d3fb5a92d20647ef968ab4c377623d223d2e2172052e4f08c0cd9af567d080a3`)
+	if !bytes.Equal(jwk2.Key.([]byte), expected2) {
+		t.Errorf("expected Key to be '%s', but was '%s'", hex.EncodeToString(expected2), hex.EncodeToString(jwk2.Key.([]byte)))
+	}
+}
+
+func TestJWKSymmetricRoundtrip(t *testing.T) {
+	jwk1 := JsonWebKey{Key: []byte{1, 2, 3, 4}}
+	marshaled, err := jwk1.MarshalJSON()
+	if err != nil {
+		t.Errorf("failed to marshal valid JWK object", err)
+	}
+
+	var jwk2 JsonWebKey
+	err = jwk2.UnmarshalJSON(marshaled)
+	if err != nil {
+		t.Errorf("failed to unmarshal valid JWK object", err)
+	}
+
+	if !bytes.Equal(jwk1.Key.([]byte), jwk2.Key.([]byte)) {
+		t.Error("round-trip of symmetric JWK gave different raw keys")
+	}
+}
+
+func TestJWKSymmetricInvalid(t *testing.T) {
+	invalid := JsonWebKey{}
+	_, err := invalid.MarshalJSON()
+	if err == nil {
+		t.Error("excepted error on marshaling invalid symmetric JWK object")
+	}
+
+	var jwk JsonWebKey
+	err = jwk.UnmarshalJSON([]byte(`{"kty":"oct"}`))
+	if err == nil {
+		t.Error("excepted error on unmarshaling invalid symmetric JWK object")
+	}
+}
+
+func TestJWKValid(t *testing.T) {
+	bigInt := big.NewInt(0)
+	eccPub := ecdsa.PublicKey{elliptic.P256(), bigInt, bigInt}
+	rsaPub := rsa.PublicKey{bigInt, 1}
+	cases := []struct {
+		key              interface{}
+		expectedValidity bool
+	}{
+		{nil, false},
+		{&ecdsa.PublicKey{}, false},
+		{&eccPub, true},
+		{&ecdsa.PrivateKey{}, false},
+		{&ecdsa.PrivateKey{eccPub, bigInt}, true},
+		{&rsa.PublicKey{}, false},
+		{&rsaPub, true},
+		{&rsa.PrivateKey{}, false},
+		{&rsa.PrivateKey{rsaPub, bigInt, []*big.Int{bigInt, bigInt}, rsa.PrecomputedValues{}}, true},
+	}
+
+	for _, tc := range cases {
+		k := &JsonWebKey{Key: tc.key}
+		if valid := k.Valid(); valid != tc.expectedValidity {
+			t.Errorf("expected Valid to return %t, got %t", tc.expectedValidity, valid)
+		}
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/jws.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/jws.go
new file mode 100644
index 000000000..04a2a1530
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/jws.go
@@ -0,0 +1,272 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jose
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	"gopkg.in/square/go-jose.v1/json"
+)
+
+// rawJsonWebSignature represents a raw JWS JSON object. Used for parsing/serializing.
+type rawJsonWebSignature struct {
+	Payload    *byteBuffer        `json:"payload,omitempty"`
+	Signatures []rawSignatureInfo `json:"signatures,omitempty"`
+	Protected  *byteBuffer        `json:"protected,omitempty"`
+	Header     *rawHeader         `json:"header,omitempty"`
+	Signature  *byteBuffer        `json:"signature,omitempty"`
+}
+
+// rawSignatureInfo represents a single JWS signature over the JWS payload and protected header.
+type rawSignatureInfo struct {
+	Protected *byteBuffer `json:"protected,omitempty"`
+	Header    *rawHeader  `json:"header,omitempty"`
+	Signature *byteBuffer `json:"signature,omitempty"`
+}
+
+// JsonWebSignature represents a signed JWS object after parsing.
+type JsonWebSignature struct {
+	payload []byte
+	// Signatures attached to this object (may be more than one for multi-sig).
+	// Be careful about accessing these directly, prefer to use Verify() or
+	// VerifyMulti() to ensure that the data you're getting is verified.
+	Signatures []Signature
+}
+
+// Signature represents a single signature over the JWS payload and protected header.
+type Signature struct {
+	// Header fields, such as the signature algorithm
+	Header JoseHeader
+
+	// The actual signature value
+	Signature []byte
+
+	protected *rawHeader
+	header    *rawHeader
+	original  *rawSignatureInfo
+}
+
+// ParseSigned parses a signed message in compact or full serialization format.
+func ParseSigned(input string) (*JsonWebSignature, error) {
+	input = stripWhitespace(input)
+	if strings.HasPrefix(input, "{") {
+		return parseSignedFull(input)
+	}
+
+	return parseSignedCompact(input)
+}
+
+// Get a header value
+func (sig Signature) mergedHeaders() rawHeader {
+	out := rawHeader{}
+	out.merge(sig.protected)
+	out.merge(sig.header)
+	return out
+}
+
+// Compute data to be signed
+func (obj JsonWebSignature) computeAuthData(signature *Signature) []byte {
+	var serializedProtected string
+
+	if signature.original != nil && signature.original.Protected != nil {
+		serializedProtected = signature.original.Protected.base64()
+	} else if signature.protected != nil {
+		serializedProtected = base64URLEncode(mustSerializeJSON(signature.protected))
+	} else {
+		serializedProtected = ""
+	}
+
+	return []byte(fmt.Sprintf("%s.%s",
+		serializedProtected,
+		base64URLEncode(obj.payload)))
+}
+
+// parseSignedFull parses a message in full format.
+func parseSignedFull(input string) (*JsonWebSignature, error) {
+	var parsed rawJsonWebSignature
+	err := json.Unmarshal([]byte(input), &parsed)
+	if err != nil {
+		return nil, err
+	}
+
+	return parsed.sanitized()
+}
+
+// sanitized produces a cleaned-up JWS object from the raw JSON.
+func (parsed *rawJsonWebSignature) sanitized() (*JsonWebSignature, error) {
+	if parsed.Payload == nil {
+		return nil, fmt.Errorf("square/go-jose: missing payload in JWS message")
+	}
+
+	obj := &JsonWebSignature{
+		payload:    parsed.Payload.bytes(),
+		Signatures: make([]Signature, len(parsed.Signatures)),
+	}
+
+	if len(parsed.Signatures) == 0 {
+		// No signatures array, must be flattened serialization
+		signature := Signature{}
+		if parsed.Protected != nil && len(parsed.Protected.bytes()) > 0 {
+			signature.protected = &rawHeader{}
+			err := json.Unmarshal(parsed.Protected.bytes(), signature.protected)
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		// Check that there is not a nonce in the unprotected header
+		if parsed.Header != nil && parsed.Header.Nonce != "" {
+			return nil, ErrUnprotectedNonce
+		}
+
+		signature.header = parsed.Header
+		signature.Signature = parsed.Signature.bytes()
+		// Make a fake "original" rawSignatureInfo to store the unprocessed
+		// Protected header. This is necessary because the Protected header can
+		// contain arbitrary fields not registered as part of the spec. See
+		// https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#section-4
+		// If we unmarshal Protected into a rawHeader with its explicit list of fields,
+		// we cannot marshal losslessly. So we have to keep around the original bytes.
+		// This is used in computeAuthData, which will first attempt to use
+		// the original bytes of a protected header, and fall back on marshaling the
+		// header struct only if those bytes are not available.
+		signature.original = &rawSignatureInfo{
+			Protected: parsed.Protected,
+			Header:    parsed.Header,
+			Signature: parsed.Signature,
+		}
+
+		signature.Header = signature.mergedHeaders().sanitized()
+
+		// As per RFC 7515 Section 4.1.3, only public keys are allowed to be embedded.
+		jwk := signature.Header.JsonWebKey
+		if jwk != nil && (!jwk.Valid() || !jwk.IsPublic()) {
+			return nil, errors.New("square/go-jose: invalid embedded jwk, must be public key")
+		}
+
+		obj.Signatures = append(obj.Signatures, signature)
+	}
+
+	for i, sig := range parsed.Signatures {
+		if sig.Protected != nil && len(sig.Protected.bytes()) > 0 {
+			obj.Signatures[i].protected = &rawHeader{}
+			err := json.Unmarshal(sig.Protected.bytes(), obj.Signatures[i].protected)
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		// Check that there is not a nonce in the unprotected header
+		if sig.Header != nil && sig.Header.Nonce != "" {
+			return nil, ErrUnprotectedNonce
+		}
+
+		obj.Signatures[i].Header = obj.Signatures[i].mergedHeaders().sanitized()
+		obj.Signatures[i].Signature = sig.Signature.bytes()
+
+		// As per RFC 7515 Section 4.1.3, only public keys are allowed to be embedded.
+		jwk := obj.Signatures[i].Header.JsonWebKey
+		if jwk != nil && (!jwk.Valid() || !jwk.IsPublic()) {
+			return nil, errors.New("square/go-jose: invalid embedded jwk, must be public key")
+		}
+
+		// Copy value of sig
+		original := sig
+
+		obj.Signatures[i].header = sig.Header
+		obj.Signatures[i].original = &original
+	}
+
+	return obj, nil
+}
+
+// parseSignedCompact parses a message in compact format.
+func parseSignedCompact(input string) (*JsonWebSignature, error) {
+	parts := strings.Split(input, ".")
+	if len(parts) != 3 {
+		return nil, fmt.Errorf("square/go-jose: compact JWS format must have three parts")
+	}
+
+	rawProtected, err := base64URLDecode(parts[0])
+	if err != nil {
+		return nil, err
+	}
+
+	payload, err := base64URLDecode(parts[1])
+	if err != nil {
+		return nil, err
+	}
+
+	signature, err := base64URLDecode(parts[2])
+	if err != nil {
+		return nil, err
+	}
+
+	raw := &rawJsonWebSignature{
+		Payload:   newBuffer(payload),
+		Protected: newBuffer(rawProtected),
+		Signature: newBuffer(signature),
+	}
+	return raw.sanitized()
+}
+
+// CompactSerialize serializes an object using the compact serialization format.
+func (obj JsonWebSignature) CompactSerialize() (string, error) {
+	if len(obj.Signatures) != 1 || obj.Signatures[0].header != nil || obj.Signatures[0].protected == nil {
+		return "", ErrNotSupported
+	}
+
+	serializedProtected := mustSerializeJSON(obj.Signatures[0].protected)
+
+	return fmt.Sprintf(
+		"%s.%s.%s",
+		base64URLEncode(serializedProtected),
+		base64URLEncode(obj.payload),
+		base64URLEncode(obj.Signatures[0].Signature)), nil
+}
+
+// FullSerialize serializes an object using the full JSON serialization format.
+func (obj JsonWebSignature) FullSerialize() string {
+	raw := rawJsonWebSignature{
+		Payload: newBuffer(obj.payload),
+	}
+
+	if len(obj.Signatures) == 1 {
+		if obj.Signatures[0].protected != nil {
+			serializedProtected := mustSerializeJSON(obj.Signatures[0].protected)
+			raw.Protected = newBuffer(serializedProtected)
+		}
+		raw.Header = obj.Signatures[0].header
+		raw.Signature = newBuffer(obj.Signatures[0].Signature)
+	} else {
+		raw.Signatures = make([]rawSignatureInfo, len(obj.Signatures))
+		for i, signature := range obj.Signatures {
+			raw.Signatures[i] = rawSignatureInfo{
+				Header:    signature.header,
+				Signature: newBuffer(signature.Signature),
+			}
+
+			if signature.protected != nil {
+				raw.Signatures[i].Protected = newBuffer(mustSerializeJSON(signature.protected))
+			}
+		}
+	}
+
+	return string(mustSerializeJSON(raw))
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/jws_test.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/jws_test.go
new file mode 100644
index 000000000..4526f11c9
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/jws_test.go
@@ -0,0 +1,312 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jose
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+)
+
+func TestEmbeddedHMAC(t *testing.T) {
+	// protected: {"alg":"HS256", "jwk":{"kty":"oct", "k":"MTEx"}}, aka HMAC key.
+	msg := `{"payload":"TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQ","protected":"eyJhbGciOiJIUzI1NiIsICJqd2siOnsia3R5Ijoib2N0IiwgImsiOiJNVEV4In19","signature":"lvo41ZZsuHwQvSh0uJtEXRR3vmuBJ7in6qMoD7p9jyo"}`
+
+	_, err := ParseSigned(msg)
+	if err == nil {
+		t.Error("should not allow parsing JWS with embedded JWK with HMAC key")
+	}
+}
+
+func TestCompactParseJWS(t *testing.T) {
+	// Should parse
+	msg := "eyJhbGciOiJYWVoifQ.cGF5bG9hZA.c2lnbmF0dXJl"
+	_, err := ParseSigned(msg)
+	if err != nil {
+		t.Error("Unable to parse valid message:", err)
+	}
+
+	// Messages that should fail to parse
+	failures := []string{
+		// Not enough parts
+		"eyJhbGciOiJYWVoifQ.cGF5bG9hZA",
+		// Invalid signature
+		"eyJhbGciOiJYWVoifQ.cGF5bG9hZA.////",
+		// Invalid payload
+		"eyJhbGciOiJYWVoifQ.////.c2lnbmF0dXJl",
+		// Invalid header
+		"////.eyJhbGciOiJYWVoifQ.c2lnbmF0dXJl",
+		// Invalid header
+		"cGF5bG9hZA.cGF5bG9hZA.c2lnbmF0dXJl",
+	}
+
+	for i := range failures {
+		_, err = ParseSigned(failures[i])
+		if err == nil {
+			t.Error("Able to parse invalid message")
+		}
+	}
+}
+
+func TestFullParseJWS(t *testing.T) {
+	// Messages that should succeed to parse
+	successes := []string{
+		"{\"payload\":\"CUJD\",\"signatures\":[{\"protected\":\"e30\",\"header\":{\"kid\":\"XYZ\"},\"signature\":\"CUJD\"},{\"protected\":\"e30\",\"signature\":\"CUJD\"}]}",
+	}
+
+	for i := range successes {
+		_, err := ParseSigned(successes[i])
+		if err != nil {
+			t.Error("Unble to parse valid message", err, successes[i])
+		}
+	}
+
+	// Messages that should fail to parse
+	failures := []string{
+		// Empty
+		"{}",
+		// Invalid JSON
+		"{XX",
+		// Invalid protected header
+		"{\"payload\":\"CUJD\",\"signatures\":[{\"protected\":\"CUJD\",\"header\":{\"kid\":\"XYZ\"},\"signature\":\"CUJD\"}]}",
+		// Invalid protected header
+		"{\"payload\":\"CUJD\",\"protected\":\"CUJD\",\"header\":{\"kid\":\"XYZ\"},\"signature\":\"CUJD\"}",
+		// Invalid protected header
+		"{\"payload\":\"CUJD\",\"signatures\":[{\"protected\":\"###\",\"header\":{\"kid\":\"XYZ\"},\"signature\":\"CUJD\"}]}",
+		// Invalid payload
+		"{\"payload\":\"###\",\"signatures\":[{\"protected\":\"CUJD\",\"header\":{\"kid\":\"XYZ\"},\"signature\":\"CUJD\"}]}",
+		// Invalid payload
+		"{\"payload\":\"CUJD\",\"signatures\":[{\"protected\":\"e30\",\"header\":{\"kid\":\"XYZ\"},\"signature\":\"###\"}]}",
+	}
+
+	for i := range failures {
+		_, err := ParseSigned(failures[i])
+		if err == nil {
+			t.Error("Able to parse invalid message", err, failures[i])
+		}
+	}
+}
+
+func TestRejectUnprotectedJWSNonce(t *testing.T) {
+	// No need to test compact, since that's always protected
+
+	// Flattened JSON
+	input := `{
+		"header": { "nonce": "should-cause-an-error" },
+		"payload": "does-not-matter",
+		"signature": "does-not-matter"
+	}`
+	_, err := ParseSigned(input)
+	if err == nil {
+		t.Error("JWS with an unprotected nonce parsed as valid.")
+	} else if err != ErrUnprotectedNonce {
+		t.Errorf("Improper error for unprotected nonce: %v", err)
+	}
+
+	// Full JSON
+	input = `{
+		"payload": "does-not-matter",
+ 		"signatures": [{
+ 			"header": { "nonce": "should-cause-an-error" },
+			"signature": "does-not-matter"
+		}]
+	}`
+	_, err = ParseSigned(input)
+	if err == nil {
+		t.Error("JWS with an unprotected nonce parsed as valid.")
+	} else if err != ErrUnprotectedNonce {
+		t.Errorf("Improper error for unprotected nonce: %v", err)
+	}
+}
+
+func TestVerifyFlattenedWithIncludedUnprotectedKey(t *testing.T) {
+	input := `{
+			"header": {
+					"alg": "RS256",
+					"jwk": {
+							"e": "AQAB",
+							"kty": "RSA",
+							"n": "tSwgy3ORGvc7YJI9B2qqkelZRUC6F1S5NwXFvM4w5-M0TsxbFsH5UH6adigV0jzsDJ5imAechcSoOhAh9POceCbPN1sTNwLpNbOLiQQ7RD5mY_pSUHWXNmS9R4NZ3t2fQAzPeW7jOfF0LKuJRGkekx6tXP1uSnNibgpJULNc4208dgBaCHo3mvaE2HV2GmVl1yxwWX5QZZkGQGjNDZYnjFfa2DKVvFs0QbAk21ROm594kAxlRlMMrvqlf24Eq4ERO0ptzpZgm_3j_e4hGRD39gJS7kAzK-j2cacFQ5Qi2Y6wZI2p-FCq_wiYsfEAIkATPBiLKl_6d_Jfcvs_impcXQ"
+					}
+			},
+			"payload": "Zm9vCg",
+			"signature": "hRt2eYqBd_MyMRNIh8PEIACoFtmBi7BHTLBaAhpSU6zyDAFdEBaX7us4VB9Vo1afOL03Q8iuoRA0AT4akdV_mQTAQ_jhTcVOAeXPr0tB8b8Q11UPQ0tXJYmU4spAW2SapJIvO50ntUaqU05kZd0qw8-noH1Lja-aNnU-tQII4iYVvlTiRJ5g8_CADsvJqOk6FcHuo2mG643TRnhkAxUtazvHyIHeXMxydMMSrpwUwzMtln4ZJYBNx4QGEq6OhpAD_VSp-w8Lq5HOwGQoNs0bPxH1SGrArt67LFQBfjlVr94E1sn26p4vigXm83nJdNhWAMHHE9iV67xN-r29LT-FjA"
+	}`
+
+	jws, err := ParseSigned(input)
+	if err != nil {
+		t.Error("Unable to parse valid message.")
+	}
+	if len(jws.Signatures) != 1 {
+		t.Error("Too many or too few signatures.")
+	}
+	sig := jws.Signatures[0]
+	if sig.Header.JsonWebKey == nil {
+		t.Error("No JWK in signature header.")
+	}
+	payload, err := jws.Verify(sig.Header.JsonWebKey)
+	if err != nil {
+		t.Error(fmt.Sprintf("Signature did not validate: %v", err))
+	}
+	if string(payload) != "foo\n" {
+		t.Error(fmt.Sprintf("Payload was incorrect: '%s' should have been 'foo\\n'", string(payload)))
+	}
+}
+
+func TestVerifyFlattenedWithPrivateProtected(t *testing.T) {
+	// The protected field contains a Private Header Parameter name, per
+	// https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#section-4
+	// Base64-decoded, it's '{"nonce":"8HIepUNFZUa-exKTrXVf4g"}'
+	input := `{"header":{"alg":"RS256","jwk":{"kty":"RSA","n":"7ixeydcbxxppzxrBphrW1atUiEZqTpiHDpI-79olav5XxAgWolHmVsJyxzoZXRxmtED8PF9-EICZWBGdSAL9ZTD0hLUCIsPcpdgT_LqNW3Sh2b2caPL2hbMF7vsXvnCGg9varpnHWuYTyRrCLUF9vM7ES-V3VCYTa7LcCSRm56Gg9r19qar43Z9kIKBBxpgt723v2cC4bmLmoAX2s217ou3uCpCXGLOeV_BesG4--Nl3pso1VhCfO85wEWjmW6lbv7Kg4d7Jdkv5DjDZfJ086fkEAYZVYGRpIgAvJBH3d3yKDCrSByUEud1bWuFjQBmMaeYOrVDXO_mbYg5PwUDMhw","e":"AQAB"}},"protected":"eyJub25jZSI6IjhISWVwVU5GWlVhLWV4S1RyWFZmNGcifQ","payload":"eyJjb250YWN0IjpbIm1haWx0bzpmb29AYmFyLmNvbSJdfQ","signature":"AyvVGMgXsQ1zTdXrZxE_gyO63pQgotL1KbI7gv6Wi8I7NRy0iAOkDAkWcTQT9pcCYApJ04lXfEDZfP5i0XgcFUm_6spxi5mFBZU-NemKcvK9dUiAbXvb4hB3GnaZtZiuVnMQUb_ku4DOaFFKbteA6gOYCnED_x7v0kAPHIYrQnvIa-KZ6pTajbV9348zgh9TL7NgGIIsTcMHd-Jatr4z1LQ0ubGa8tS300hoDhVzfoDQaEetYjCo1drR1RmdEN1SIzXdHOHfubjA3ZZRbrF_AJnNKpRRoIwzu1VayOhRmdy1qVSQZq_tENF4VrQFycEL7DhG7JLoXC4T2p1urwMlsw"}`
+
+	jws, err := ParseSigned(input)
+	if err != nil {
+		t.Error("Unable to parse valid message.")
+	}
+	if len(jws.Signatures) != 1 {
+		t.Error("Too many or too few signatures.")
+	}
+	sig := jws.Signatures[0]
+	if sig.Header.JsonWebKey == nil {
+		t.Error("No JWK in signature header.")
+	}
+	payload, err := jws.Verify(sig.Header.JsonWebKey)
+	if err != nil {
+		t.Error(fmt.Sprintf("Signature did not validate: %v", err))
+	}
+	expected := "{\"contact\":[\"mailto:foo@bar.com\"]}"
+	if string(payload) != expected {
+		t.Error(fmt.Sprintf("Payload was incorrect: '%s' should have been '%s'", string(payload), expected))
+	}
+}
+
+// Test vectors generated with nimbus-jose-jwt
+func TestSampleNimbusJWSMessagesRSA(t *testing.T) {
+	rsaPublicKey, err := LoadPublicKey(fromBase64Bytes(`
+		MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3aLSGwbeX0ZA2Ha+EvELaIFGzO
+		91+Q15JQc/tdGdCgGW3XAbrh7ZUhDh1XKzbs+UOQxqn3Eq4YOx18IG0WsJSuCaHQIxnDlZ
+		t/GP8WLwjMC0izlJLm2SyfM/EEoNpmTC3w6MQ2dHK7SZ9Zoq+sKijQd+V7CYdr8zHMpDrd
+		NKoEcR0HjmvzzdMoUChhkGH5TaNbZyollULTggepaYUKS8QphqdSDMWiSetKG+g6V87lv6
+		CVYyK1FF6g7Esp5OOj5pNn3/bmF+7V+b7TvK91NCIlURCjE9toRgNoIP4TDnWRn/vvfZ3G
+		zNrtWmlizqz3r5KdvIs71ahWgMUSD4wfazrwIDAQAB`))
+	if err != nil {
+		panic(err)
+	}
+
+	rsaSampleMessages := []string{
+		"eyJhbGciOiJSUzI1NiJ9.TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQ.YHX849fvekz6wJGeyqnQhFqyHFcUXNJKj3o2w3ddR46YLlsCopUJrlifRU_ZuTWzpYxt5oC--T2eoqMhlCvltSWrE5_1_EumqiMfAYsZULx9E6Jns7q3w7mttonYFSIh7aR3-yg2HMMfTCgoAY1y_AZ4VjXwHDcZ5gu1oZDYgvZF4uXtCmwT6e5YtR1m8abiWPF8BgoTG_BD3KV6ClLj_QQiNFdfdxAMDw7vKVOKG1T7BFtz6cDs2Q3ILS4To5E2IjcVSSYS8mi77EitCrWmrqbK_G3WCdKeUFGnMnyuKXaCDy_7FLpAZ6Z5RomRr5iskXeJZdZqIKcJV8zl4fpsPA",
+		"eyJhbGciOiJSUzM4NCJ9.TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQ.meyfoOTjAAjXHFYiNlU7EEnsYtbeUYeEglK6BL_cxISEr2YAGLr1Gwnn2HnucTnH6YilyRio7ZC1ohy_ZojzmaljPHqpr8kn1iqNFu9nFE2M16ZPgJi38-PGzppcDNliyzOQO-c7L-eA-v8Gfww5uyRaOJdiWg-hUJmeGBIngPIeLtSVmhJtz8oTeqeNdUOqQv7f7VRCuvagLhW1PcEM91VUS-gS0WEUXoXWZ2lp91No0v1O24izgX3__FKiX_16XhrOfAgJ82F61vjbTIQYwhexHPZyYTlXYt_scNRzFGhSKeGFin4zVdFLOXWJqKWdUd5IrDP5Nya3FSoWbWDXAg",
+		"eyJhbGciOiJSUzUxMiJ9.TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQ.rQPz0PDh8KyE2AX6JorgI0MLwv-qi1tcWlz6tuZuWQG1hdrlzq5tR1tQg1evYNc_SDDX87DWTSKXT7JEqhKoFixLfZa13IJrOc7FB8r5ZLx7OwOBC4F--OWrvxMA9Y3MTJjPN3FemQePUo-na2vNUZv-YgkcbuOgbO3hTxwQ7j1JGuqy-YutXOFnccdXvntp3t8zYZ4Mg1It_IyL9pzgGqHIEmMV1pCFGHsDa-wStB4ffmdhrADdYZc0q_SvxUdobyC_XzZCz9ENzGIhgwYxyyrqg7kjqUGoKmCLmoSlUFW7goTk9IC5SXdUyLPuESxOWNfHoRClGav230GYjPFQFA",
+		"eyJhbGciOiJQUzI1NiJ9.TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQ.UTtxjsv_6x4CdlAmZfAW6Lun3byMjJbcwRp_OlPH2W4MZaZar7aql052mIB_ddK45O9VUz2aphYVRvKPZY8WHmvlTUU30bk0z_cDJRYB9eIJVMOiRCYj0oNkz1iEZqsP0YgngxwuUDv4Q4A6aJ0Bo5E_rZo3AnrVHMHUjPp_ZRRSBFs30tQma1qQ0ApK4Gxk0XYCYAcxIv99e78vldVRaGzjEZmQeAVZx4tGcqZP20vG1L84nlhSGnOuZ0FhR8UjRFLXuob6M7EqtMRoqPgRYw47EI3fYBdeSivAg98E5S8R7R1NJc7ef-l03RvfUSY0S3_zBq_4PlHK6A-2kHb__w",
+		"eyJhbGciOiJSUzM4NCJ9.TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQ.meyfoOTjAAjXHFYiNlU7EEnsYtbeUYeEglK6BL_cxISEr2YAGLr1Gwnn2HnucTnH6YilyRio7ZC1ohy_ZojzmaljPHqpr8kn1iqNFu9nFE2M16ZPgJi38-PGzppcDNliyzOQO-c7L-eA-v8Gfww5uyRaOJdiWg-hUJmeGBIngPIeLtSVmhJtz8oTeqeNdUOqQv7f7VRCuvagLhW1PcEM91VUS-gS0WEUXoXWZ2lp91No0v1O24izgX3__FKiX_16XhrOfAgJ82F61vjbTIQYwhexHPZyYTlXYt_scNRzFGhSKeGFin4zVdFLOXWJqKWdUd5IrDP5Nya3FSoWbWDXAg",
+		"eyJhbGciOiJSUzUxMiJ9.TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQ.rQPz0PDh8KyE2AX6JorgI0MLwv-qi1tcWlz6tuZuWQG1hdrlzq5tR1tQg1evYNc_SDDX87DWTSKXT7JEqhKoFixLfZa13IJrOc7FB8r5ZLx7OwOBC4F--OWrvxMA9Y3MTJjPN3FemQePUo-na2vNUZv-YgkcbuOgbO3hTxwQ7j1JGuqy-YutXOFnccdXvntp3t8zYZ4Mg1It_IyL9pzgGqHIEmMV1pCFGHsDa-wStB4ffmdhrADdYZc0q_SvxUdobyC_XzZCz9ENzGIhgwYxyyrqg7kjqUGoKmCLmoSlUFW7goTk9IC5SXdUyLPuESxOWNfHoRClGav230GYjPFQFA",
+	}
+
+	for _, msg := range rsaSampleMessages {
+		obj, err := ParseSigned(msg)
+		if err != nil {
+			t.Error("unable to parse message", msg, err)
+			continue
+		}
+		payload, err := obj.Verify(rsaPublicKey)
+		if err != nil {
+			t.Error("unable to verify message", msg, err)
+			continue
+		}
+		if string(payload) != "Lorem ipsum dolor sit amet" {
+			t.Error("payload is not what we expected for msg", msg)
+		}
+	}
+}
+
+// Test vectors generated with nimbus-jose-jwt
+func TestSampleNimbusJWSMessagesEC(t *testing.T) {
+	ecPublicKeyP256, err := LoadPublicKey(fromBase64Bytes("MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIg62jq6FyL1otEj9Up7S35BUrwGF9TVrAzrrY1rHUKZqYIGEg67u/imjgadVcr7y9Q32I0gB8W8FHqbqt696rA=="))
+	if err != nil {
+		panic(err)
+	}
+	ecPublicKeyP384, err := LoadPublicKey(fromBase64Bytes("MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEPXsVlqCtN2oTY+F+hFZm3M0ldYpb7IeeJM5wYmT0k1RaqzBFDhDMNnYK5Q5x+OyssZrAtHgYDFw02AVJhhng/eHRp7mqmL/vI3wbxJtrLKYldIbBA+9fYBQcKeibjlu5"))
+	if err != nil {
+		panic(err)
+	}
+	ecPublicKeyP521, err := LoadPublicKey(fromBase64Bytes("MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAa2w3MMJ5FWD6tSf68G+Wy5jIhWXOD3IA7pE5IC/myQzo1lWcD8KS57SM6nm4POtPcxyLmDhL7FLuh8DKoIZyvtAAdK8+tOQP7XXRlT2bkvzIuazp05It3TAPu00YzTIpKfDlc19Y1lvf7etrbFqhShD92B+hHmhT4ddrdbPCBDW8hvU="))
+	if err != nil {
+		panic(err)
+	}
+
+	ecPublicKeys := []interface{}{ecPublicKeyP256, ecPublicKeyP384, ecPublicKeyP521}
+
+	ecSampleMessages := []string{
+		"eyJhbGciOiJFUzI1NiJ9.TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQ.MEWJVlvGRQyzMEGOYm4rwuiwxrX-6LjnlbaRDAuhwmnBm2Gtn7pRpGXRTMFZUXsSGDz2L1p-Hz1qn8j9bFIBtQ",
+		"eyJhbGciOiJFUzM4NCJ9.TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQ.nbdjPnJPYQtVNNdBIx8-KbFKplTxrz-hnW5UNhYUY7SBkwHK4NZnqc2Lv4DXoA0aWHq9eiypgOh1kmyPWGEmqKAHUx0xdIEkBoHk3ZsbmhOQuq2jL_wcMUG6nTWNhLrB",
+		"eyJhbGciOiJFUzUxMiJ9.TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQ.AeYNFC1rwIgQv-5fwd8iRyYzvTaSCYTEICepgu9gRId-IW99kbSVY7yH0MvrQnqI-a0L8zwKWDR35fW5dukPAYRkADp3Y1lzqdShFcEFziUVGo46vqbiSajmKFrjBktJcCsfjKSaLHwxErF-T10YYPCQFHWb2nXJOOI3CZfACYqgO84g",
+	}
+
+	for i, msg := range ecSampleMessages {
+		obj, err := ParseSigned(msg)
+		if err != nil {
+			t.Error("unable to parse message", msg, err)
+			continue
+		}
+		payload, err := obj.Verify(ecPublicKeys[i])
+		if err != nil {
+			t.Error("unable to verify message", msg, err)
+			continue
+		}
+		if string(payload) != "Lorem ipsum dolor sit amet" {
+			t.Error("payload is not what we expected for msg", msg)
+		}
+	}
+}
+
+// Test vectors generated with nimbus-jose-jwt
+func TestSampleNimbusJWSMessagesHMAC(t *testing.T) {
+	hmacTestKey := fromHexBytes("DF1FA4F36FFA7FC42C81D4B3C033928D")
+
+	hmacSampleMessages := []string{
+		"eyJhbGciOiJIUzI1NiJ9.TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQ.W5tc_EUhxexcvLYEEOckyyvdb__M5DQIVpg6Nmk1XGM",
+		"eyJhbGciOiJIUzM4NCJ9.TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQ.sBu44lXOJa4Nd10oqOdYH2uz3lxlZ6o32QSGHaoGdPtYTDG5zvSja6N48CXKqdAh",
+		"eyJhbGciOiJIUzUxMiJ9.TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQ.M0yR4tmipsORIix-BitIbxEPGaxPchDfj8UNOpKuhDEfnb7URjGvCKn4nOlyQ1z9mG1FKbwnqR1hOVAWSzAU_w",
+	}
+
+	for _, msg := range hmacSampleMessages {
+		obj, err := ParseSigned(msg)
+		if err != nil {
+			t.Error("unable to parse message", msg, err)
+			continue
+		}
+		payload, err := obj.Verify(hmacTestKey)
+		if err != nil {
+			t.Error("unable to verify message", msg, err)
+			continue
+		}
+		if string(payload) != "Lorem ipsum dolor sit amet" {
+			t.Error("payload is not what we expected for msg", msg)
+		}
+	}
+}
+
+// Test vectors generated with nimbus-jose-jwt
+func TestErrorMissingPayloadJWS(t *testing.T) {
+	_, err := (&rawJsonWebSignature{}).sanitized()
+	if err == nil {
+		t.Error("was able to parse message with missing payload")
+	}
+	if !strings.Contains(err.Error(), "missing payload") {
+		t.Errorf("unexpected error message, should contain 'missing payload': %s", err)
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/shared.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/shared.go
new file mode 100644
index 000000000..9d895a912
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/shared.go
@@ -0,0 +1,224 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jose
+
+import (
+	"crypto/elliptic"
+	"errors"
+	"fmt"
+)
+
+// KeyAlgorithm represents a key management algorithm.
+type KeyAlgorithm string
+
+// SignatureAlgorithm represents a signature (or MAC) algorithm.
+type SignatureAlgorithm string
+
+// ContentEncryption represents a content encryption algorithm.
+type ContentEncryption string
+
+// CompressionAlgorithm represents an algorithm used for plaintext compression.
+type CompressionAlgorithm string
+
+var (
+	// ErrCryptoFailure represents an error in cryptographic primitive. This
+	// occurs when, for example, a message had an invalid authentication tag or
+	// could not be decrypted.
+	ErrCryptoFailure = errors.New("square/go-jose: error in cryptographic primitive")
+
+	// ErrUnsupportedAlgorithm indicates that a selected algorithm is not
+	// supported. This occurs when trying to instantiate an encrypter for an
+	// algorithm that is not yet implemented.
+	ErrUnsupportedAlgorithm = errors.New("square/go-jose: unknown/unsupported algorithm")
+
+	// ErrUnsupportedKeyType indicates that the given key type/format is not
+	// supported. This occurs when trying to instantiate an encrypter and passing
+	// it a key of an unrecognized type or with unsupported parameters, such as
+	// an RSA private key with more than two primes.
+	ErrUnsupportedKeyType = errors.New("square/go-jose: unsupported key type/format")
+
+	// ErrNotSupported serialization of object is not supported. This occurs when
+	// trying to compact-serialize an object which can't be represented in
+	// compact form.
+	ErrNotSupported = errors.New("square/go-jose: compact serialization not supported for object")
+
+	// ErrUnprotectedNonce indicates that while parsing a JWS or JWE object, a
+	// nonce header parameter was included in an unprotected header object.
+	ErrUnprotectedNonce = errors.New("square/go-jose: Nonce parameter included in unprotected header")
+)
+
+// Key management algorithms
+const (
+	RSA1_5             = KeyAlgorithm("RSA1_5")             // RSA-PKCS1v1.5
+	RSA_OAEP           = KeyAlgorithm("RSA-OAEP")           // RSA-OAEP-SHA1
+	RSA_OAEP_256       = KeyAlgorithm("RSA-OAEP-256")       // RSA-OAEP-SHA256
+	A128KW             = KeyAlgorithm("A128KW")             // AES key wrap (128)
+	A192KW             = KeyAlgorithm("A192KW")             // AES key wrap (192)
+	A256KW             = KeyAlgorithm("A256KW")             // AES key wrap (256)
+	DIRECT             = KeyAlgorithm("dir")                // Direct encryption
+	ECDH_ES            = KeyAlgorithm("ECDH-ES")            // ECDH-ES
+	ECDH_ES_A128KW     = KeyAlgorithm("ECDH-ES+A128KW")     // ECDH-ES + AES key wrap (128)
+	ECDH_ES_A192KW     = KeyAlgorithm("ECDH-ES+A192KW")     // ECDH-ES + AES key wrap (192)
+	ECDH_ES_A256KW     = KeyAlgorithm("ECDH-ES+A256KW")     // ECDH-ES + AES key wrap (256)
+	A128GCMKW          = KeyAlgorithm("A128GCMKW")          // AES-GCM key wrap (128)
+	A192GCMKW          = KeyAlgorithm("A192GCMKW")          // AES-GCM key wrap (192)
+	A256GCMKW          = KeyAlgorithm("A256GCMKW")          // AES-GCM key wrap (256)
+	PBES2_HS256_A128KW = KeyAlgorithm("PBES2-HS256+A128KW") // PBES2 + HMAC-SHA256 + AES key wrap (128)
+	PBES2_HS384_A192KW = KeyAlgorithm("PBES2-HS384+A192KW") // PBES2 + HMAC-SHA384 + AES key wrap (192)
+	PBES2_HS512_A256KW = KeyAlgorithm("PBES2-HS512+A256KW") // PBES2 + HMAC-SHA512 + AES key wrap (256)
+)
+
+// Signature algorithms
+const (
+	HS256 = SignatureAlgorithm("HS256") // HMAC using SHA-256
+	HS384 = SignatureAlgorithm("HS384") // HMAC using SHA-384
+	HS512 = SignatureAlgorithm("HS512") // HMAC using SHA-512
+	RS256 = SignatureAlgorithm("RS256") // RSASSA-PKCS-v1.5 using SHA-256
+	RS384 = SignatureAlgorithm("RS384") // RSASSA-PKCS-v1.5 using SHA-384
+	RS512 = SignatureAlgorithm("RS512") // RSASSA-PKCS-v1.5 using SHA-512
+	ES256 = SignatureAlgorithm("ES256") // ECDSA using P-256 and SHA-256
+	ES384 = SignatureAlgorithm("ES384") // ECDSA using P-384 and SHA-384
+	ES512 = SignatureAlgorithm("ES512") // ECDSA using P-521 and SHA-512
+	PS256 = SignatureAlgorithm("PS256") // RSASSA-PSS using SHA256 and MGF1-SHA256
+	PS384 = SignatureAlgorithm("PS384") // RSASSA-PSS using SHA384 and MGF1-SHA384
+	PS512 = SignatureAlgorithm("PS512") // RSASSA-PSS using SHA512 and MGF1-SHA512
+)
+
+// Content encryption algorithms
+const (
+	A128CBC_HS256 = ContentEncryption("A128CBC-HS256") // AES-CBC + HMAC-SHA256 (128)
+	A192CBC_HS384 = ContentEncryption("A192CBC-HS384") // AES-CBC + HMAC-SHA384 (192)
+	A256CBC_HS512 = ContentEncryption("A256CBC-HS512") // AES-CBC + HMAC-SHA512 (256)
+	A128GCM       = ContentEncryption("A128GCM")       // AES-GCM (128)
+	A192GCM       = ContentEncryption("A192GCM")       // AES-GCM (192)
+	A256GCM       = ContentEncryption("A256GCM")       // AES-GCM (256)
+)
+
+// Compression algorithms
+const (
+	NONE    = CompressionAlgorithm("")    // No compression
+	DEFLATE = CompressionAlgorithm("DEF") // DEFLATE (RFC 1951)
+)
+
+// rawHeader represents the JOSE header for JWE/JWS objects (used for parsing).
+type rawHeader struct {
+	Alg   string               `json:"alg,omitempty"`
+	Enc   ContentEncryption    `json:"enc,omitempty"`
+	Zip   CompressionAlgorithm `json:"zip,omitempty"`
+	Crit  []string             `json:"crit,omitempty"`
+	Apu   *byteBuffer          `json:"apu,omitempty"`
+	Apv   *byteBuffer          `json:"apv,omitempty"`
+	Epk   *JsonWebKey          `json:"epk,omitempty"`
+	Iv    *byteBuffer          `json:"iv,omitempty"`
+	Tag   *byteBuffer          `json:"tag,omitempty"`
+	Jwk   *JsonWebKey          `json:"jwk,omitempty"`
+	Kid   string               `json:"kid,omitempty"`
+	Nonce string               `json:"nonce,omitempty"`
+}
+
+// JoseHeader represents the read-only JOSE header for JWE/JWS objects.
+type JoseHeader struct {
+	KeyID      string
+	JsonWebKey *JsonWebKey
+	Algorithm  string
+	Nonce      string
+}
+
+// sanitized produces a cleaned-up header object from the raw JSON.
+func (parsed rawHeader) sanitized() JoseHeader {
+	return JoseHeader{
+		KeyID:      parsed.Kid,
+		JsonWebKey: parsed.Jwk,
+		Algorithm:  parsed.Alg,
+		Nonce:      parsed.Nonce,
+	}
+}
+
+// Merge headers from src into dst, giving precedence to headers from l.
+func (dst *rawHeader) merge(src *rawHeader) {
+	if src == nil {
+		return
+	}
+
+	if dst.Alg == "" {
+		dst.Alg = src.Alg
+	}
+	if dst.Enc == "" {
+		dst.Enc = src.Enc
+	}
+	if dst.Zip == "" {
+		dst.Zip = src.Zip
+	}
+	if dst.Crit == nil {
+		dst.Crit = src.Crit
+	}
+	if dst.Crit == nil {
+		dst.Crit = src.Crit
+	}
+	if dst.Apu == nil {
+		dst.Apu = src.Apu
+	}
+	if dst.Apv == nil {
+		dst.Apv = src.Apv
+	}
+	if dst.Epk == nil {
+		dst.Epk = src.Epk
+	}
+	if dst.Iv == nil {
+		dst.Iv = src.Iv
+	}
+	if dst.Tag == nil {
+		dst.Tag = src.Tag
+	}
+	if dst.Kid == "" {
+		dst.Kid = src.Kid
+	}
+	if dst.Jwk == nil {
+		dst.Jwk = src.Jwk
+	}
+	if dst.Nonce == "" {
+		dst.Nonce = src.Nonce
+	}
+}
+
+// Get JOSE name of curve
+func curveName(crv elliptic.Curve) (string, error) {
+	switch crv {
+	case elliptic.P256():
+		return "P-256", nil
+	case elliptic.P384():
+		return "P-384", nil
+	case elliptic.P521():
+		return "P-521", nil
+	default:
+		return "", fmt.Errorf("square/go-jose: unsupported/unknown elliptic curve")
+	}
+}
+
+// Get size of curve in bytes
+func curveSize(crv elliptic.Curve) int {
+	bits := crv.Params().BitSize
+
+	div := bits / 8
+	mod := bits % 8
+
+	if mod == 0 {
+		return div
+	}
+
+	return div + 1
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/signing.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/signing.go
new file mode 100644
index 000000000..e64f8ab8d
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/signing.go
@@ -0,0 +1,258 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jose
+
+import (
+	"crypto/ecdsa"
+	"crypto/rsa"
+	"errors"
+	"fmt"
+)
+
+// NonceSource represents a source of random nonces to go into JWS objects
+type NonceSource interface {
+	Nonce() (string, error)
+}
+
+// Signer represents a signer which takes a payload and produces a signed JWS object.
+type Signer interface {
+	Sign(payload []byte) (*JsonWebSignature, error)
+	SetNonceSource(source NonceSource)
+	SetEmbedJwk(embed bool)
+}
+
+// MultiSigner represents a signer which supports multiple recipients.
+type MultiSigner interface {
+	Sign(payload []byte) (*JsonWebSignature, error)
+	SetNonceSource(source NonceSource)
+	SetEmbedJwk(embed bool)
+	AddRecipient(alg SignatureAlgorithm, signingKey interface{}) error
+}
+
+type payloadSigner interface {
+	signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error)
+}
+
+type payloadVerifier interface {
+	verifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error
+}
+
+type genericSigner struct {
+	recipients  []recipientSigInfo
+	nonceSource NonceSource
+	embedJwk    bool
+}
+
+type recipientSigInfo struct {
+	sigAlg    SignatureAlgorithm
+	keyID     string
+	publicKey *JsonWebKey
+	signer    payloadSigner
+}
+
+// NewSigner creates an appropriate signer based on the key type
+func NewSigner(alg SignatureAlgorithm, signingKey interface{}) (Signer, error) {
+	// NewMultiSigner never fails (currently)
+	signer := NewMultiSigner()
+
+	err := signer.AddRecipient(alg, signingKey)
+	if err != nil {
+		return nil, err
+	}
+
+	return signer, nil
+}
+
+// NewMultiSigner creates a signer for multiple recipients
+func NewMultiSigner() MultiSigner {
+	return &genericSigner{
+		recipients: []recipientSigInfo{},
+		embedJwk:   true,
+	}
+}
+
+// newVerifier creates a verifier based on the key type
+func newVerifier(verificationKey interface{}) (payloadVerifier, error) {
+	switch verificationKey := verificationKey.(type) {
+	case *rsa.PublicKey:
+		return &rsaEncrypterVerifier{
+			publicKey: verificationKey,
+		}, nil
+	case *ecdsa.PublicKey:
+		return &ecEncrypterVerifier{
+			publicKey: verificationKey,
+		}, nil
+	case []byte:
+		return &symmetricMac{
+			key: verificationKey,
+		}, nil
+	case *JsonWebKey:
+		return newVerifier(verificationKey.Key)
+	default:
+		return nil, ErrUnsupportedKeyType
+	}
+}
+
+func (ctx *genericSigner) AddRecipient(alg SignatureAlgorithm, signingKey interface{}) error {
+	recipient, err := makeJWSRecipient(alg, signingKey)
+	if err != nil {
+		return err
+	}
+
+	ctx.recipients = append(ctx.recipients, recipient)
+	return nil
+}
+
+func makeJWSRecipient(alg SignatureAlgorithm, signingKey interface{}) (recipientSigInfo, error) {
+	switch signingKey := signingKey.(type) {
+	case *rsa.PrivateKey:
+		return newRSASigner(alg, signingKey)
+	case *ecdsa.PrivateKey:
+		return newECDSASigner(alg, signingKey)
+	case []byte:
+		return newSymmetricSigner(alg, signingKey)
+	case *JsonWebKey:
+		recipient, err := makeJWSRecipient(alg, signingKey.Key)
+		if err != nil {
+			return recipientSigInfo{}, err
+		}
+		recipient.keyID = signingKey.KeyID
+		return recipient, nil
+	default:
+		return recipientSigInfo{}, ErrUnsupportedKeyType
+	}
+}
+
+func (ctx *genericSigner) Sign(payload []byte) (*JsonWebSignature, error) {
+	obj := &JsonWebSignature{}
+	obj.payload = payload
+	obj.Signatures = make([]Signature, len(ctx.recipients))
+
+	for i, recipient := range ctx.recipients {
+		protected := &rawHeader{
+			Alg: string(recipient.sigAlg),
+		}
+
+		if recipient.publicKey != nil && ctx.embedJwk {
+			protected.Jwk = recipient.publicKey
+		}
+		if recipient.keyID != "" {
+			protected.Kid = recipient.keyID
+		}
+
+		if ctx.nonceSource != nil {
+			nonce, err := ctx.nonceSource.Nonce()
+			if err != nil {
+				return nil, fmt.Errorf("square/go-jose: Error generating nonce: %v", err)
+			}
+			protected.Nonce = nonce
+		}
+
+		serializedProtected := mustSerializeJSON(protected)
+
+		input := []byte(fmt.Sprintf("%s.%s",
+			base64URLEncode(serializedProtected),
+			base64URLEncode(payload)))
+
+		signatureInfo, err := recipient.signer.signPayload(input, recipient.sigAlg)
+		if err != nil {
+			return nil, err
+		}
+
+		signatureInfo.protected = protected
+		obj.Signatures[i] = signatureInfo
+	}
+
+	return obj, nil
+}
+
+// SetNonceSource provides or updates a nonce pool to the first recipients.
+// After this method is called, the signer will consume one nonce per
+// signature, returning an error it is unable to get a nonce.
+func (ctx *genericSigner) SetNonceSource(source NonceSource) {
+	ctx.nonceSource = source
+}
+
+// SetEmbedJwk specifies if the signing key should be embedded in the protected
+// header, if any. It defaults to 'true', though that may change in the future.
+// Note that the use of embedded JWKs in the signature header can be dangerous,
+// as you cannot assume that the key received in a payload is trusted.
+func (ctx *genericSigner) SetEmbedJwk(embed bool) {
+	ctx.embedJwk = embed
+}
+
+// Verify validates the signature on the object and returns the payload.
+// This function does not support multi-signature, if you desire multi-sig
+// verification use VerifyMulti instead.
+//
+// Be careful when verifying signatures based on embedded JWKs inside the
+// payload header. You cannot assume that the key received in a payload is
+// trusted.
+func (obj JsonWebSignature) Verify(verificationKey interface{}) ([]byte, error) {
+	verifier, err := newVerifier(verificationKey)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(obj.Signatures) > 1 {
+		return nil, errors.New("square/go-jose: too many signatures in payload; expecting only one")
+	}
+
+	signature := obj.Signatures[0]
+	headers := signature.mergedHeaders()
+	if len(headers.Crit) > 0 {
+		// Unsupported crit header
+		return nil, ErrCryptoFailure
+	}
+
+	input := obj.computeAuthData(&signature)
+	alg := SignatureAlgorithm(headers.Alg)
+	err = verifier.verifyPayload(input, signature.Signature, alg)
+	if err == nil {
+		return obj.payload, nil
+	}
+
+	return nil, ErrCryptoFailure
+}
+
+// VerifyMulti validates (one of the multiple) signatures on the object and
+// returns the index of the signature that was verified, along with the signature
+// object and the payload. We return the signature and index to guarantee that
+// callers are getting the verified value.
+func (obj JsonWebSignature) VerifyMulti(verificationKey interface{}) (int, Signature, []byte, error) {
+	verifier, err := newVerifier(verificationKey)
+	if err != nil {
+		return -1, Signature{}, nil, err
+	}
+
+	for i, signature := range obj.Signatures {
+		headers := signature.mergedHeaders()
+		if len(headers.Crit) > 0 {
+			// Unsupported crit header
+			continue
+		}
+
+		input := obj.computeAuthData(&signature)
+		alg := SignatureAlgorithm(headers.Alg)
+		err := verifier.verifyPayload(input, signature.Signature, alg)
+		if err == nil {
+			return i, signature, obj.payload, nil
+		}
+	}
+
+	return -1, Signature{}, nil, ErrCryptoFailure
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/signing_test.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/signing_test.go
new file mode 100644
index 000000000..15c319730
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/signing_test.go
@@ -0,0 +1,451 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jose
+
+import (
+	"bytes"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"fmt"
+	"io"
+	"testing"
+
+	"gopkg.in/square/go-jose.v1/json"
+)
+
+type staticNonceSource string
+
+func (sns staticNonceSource) Nonce() (string, error) {
+	return string(sns), nil
+}
+
+func RoundtripJWS(sigAlg SignatureAlgorithm, serializer func(*JsonWebSignature) (string, error), corrupter func(*JsonWebSignature), signingKey interface{}, verificationKey interface{}, nonce string) error {
+	signer, err := NewSigner(sigAlg, signingKey)
+	if err != nil {
+		return fmt.Errorf("error on new signer: %s", err)
+	}
+
+	if nonce != "" {
+		signer.SetNonceSource(staticNonceSource(nonce))
+	}
+
+	input := []byte("Lorem ipsum dolor sit amet")
+	obj, err := signer.Sign(input)
+	if err != nil {
+		return fmt.Errorf("error on sign: %s", err)
+	}
+
+	msg, err := serializer(obj)
+	if err != nil {
+		return fmt.Errorf("error on serialize: %s", err)
+	}
+
+	obj, err = ParseSigned(msg)
+	if err != nil {
+		return fmt.Errorf("error on parse: %s", err)
+	}
+
+	// (Maybe) mangle the object
+	corrupter(obj)
+
+	output, err := obj.Verify(verificationKey)
+	if err != nil {
+		return fmt.Errorf("error on verify: %s", err)
+	}
+
+	// Check that verify works with embedded keys (if present)
+	for i, sig := range obj.Signatures {
+		if sig.Header.JsonWebKey != nil {
+			_, err = obj.Verify(sig.Header.JsonWebKey)
+			if err != nil {
+				return fmt.Errorf("error on verify with embedded key %d: %s", i, err)
+			}
+		}
+
+		// Check that the nonce correctly round-tripped (if present)
+		if sig.Header.Nonce != nonce {
+			return fmt.Errorf("Incorrect nonce returned: [%s]", sig.Header.Nonce)
+		}
+	}
+
+	if bytes.Compare(output, input) != 0 {
+		return fmt.Errorf("input/output do not match, got '%s', expected '%s'", output, input)
+	}
+
+	return nil
+}
+
+func TestRoundtripsJWS(t *testing.T) {
+	// Test matrix
+	sigAlgs := []SignatureAlgorithm{RS256, RS384, RS512, PS256, PS384, PS512, HS256, HS384, HS512, ES256, ES384, ES512}
+
+	serializers := []func(*JsonWebSignature) (string, error){
+		func(obj *JsonWebSignature) (string, error) { return obj.CompactSerialize() },
+		func(obj *JsonWebSignature) (string, error) { return obj.FullSerialize(), nil },
+	}
+
+	corrupter := func(obj *JsonWebSignature) {}
+
+	for _, alg := range sigAlgs {
+		signingKey, verificationKey := GenerateSigningTestKey(alg)
+
+		for i, serializer := range serializers {
+			err := RoundtripJWS(alg, serializer, corrupter, signingKey, verificationKey, "test_nonce")
+			if err != nil {
+				t.Error(err, alg, i)
+			}
+		}
+	}
+}
+
+func TestRoundtripsJWSCorruptSignature(t *testing.T) {
+	// Test matrix
+	sigAlgs := []SignatureAlgorithm{RS256, RS384, RS512, PS256, PS384, PS512, HS256, HS384, HS512, ES256, ES384, ES512}
+
+	serializers := []func(*JsonWebSignature) (string, error){
+		func(obj *JsonWebSignature) (string, error) { return obj.CompactSerialize() },
+		func(obj *JsonWebSignature) (string, error) { return obj.FullSerialize(), nil },
+	}
+
+	corrupters := []func(*JsonWebSignature){
+		func(obj *JsonWebSignature) {
+			// Changes bytes in signature
+			obj.Signatures[0].Signature[10]++
+		},
+		func(obj *JsonWebSignature) {
+			// Set totally invalid signature
+			obj.Signatures[0].Signature = []byte("###")
+		},
+	}
+
+	// Test all different configurations
+	for _, alg := range sigAlgs {
+		signingKey, verificationKey := GenerateSigningTestKey(alg)
+
+		for i, serializer := range serializers {
+			for j, corrupter := range corrupters {
+				err := RoundtripJWS(alg, serializer, corrupter, signingKey, verificationKey, "test_nonce")
+				if err == nil {
+					t.Error("failed to detect corrupt signature", err, alg, i, j)
+				}
+			}
+		}
+	}
+}
+
+func TestSignerWithBrokenRand(t *testing.T) {
+	sigAlgs := []SignatureAlgorithm{RS256, RS384, RS512, PS256, PS384, PS512}
+
+	serializer := func(obj *JsonWebSignature) (string, error) { return obj.CompactSerialize() }
+	corrupter := func(obj *JsonWebSignature) {}
+
+	// Break rand reader
+	readers := []func() io.Reader{
+		// Totally broken
+		func() io.Reader { return bytes.NewReader([]byte{}) },
+		// Not enough bytes
+		func() io.Reader { return io.LimitReader(rand.Reader, 20) },
+	}
+
+	defer resetRandReader()
+
+	for _, alg := range sigAlgs {
+		signingKey, verificationKey := GenerateSigningTestKey(alg)
+		for i, getReader := range readers {
+			randReader = getReader()
+			err := RoundtripJWS(alg, serializer, corrupter, signingKey, verificationKey, "test_nonce")
+			if err == nil {
+				t.Error("signer should fail if rand is broken", alg, i)
+			}
+		}
+	}
+}
+
+func TestJWSInvalidKey(t *testing.T) {
+	signingKey0, verificationKey0 := GenerateSigningTestKey(RS256)
+	_, verificationKey1 := GenerateSigningTestKey(ES256)
+
+	signer, err := NewSigner(RS256, signingKey0)
+	if err != nil {
+		panic(err)
+	}
+
+	input := []byte("Lorem ipsum dolor sit amet")
+	obj, err := signer.Sign(input)
+	if err != nil {
+		panic(err)
+	}
+
+	// Must work with correct key
+	_, err = obj.Verify(verificationKey0)
+	if err != nil {
+		t.Error("error on verify", err)
+	}
+
+	// Must not work with incorrect key
+	_, err = obj.Verify(verificationKey1)
+	if err == nil {
+		t.Error("verification should fail with incorrect key")
+	}
+
+	// Must not work with invalid key
+	_, err = obj.Verify("")
+	if err == nil {
+		t.Error("verification should fail with incorrect key")
+	}
+}
+
+func TestMultiRecipientJWS(t *testing.T) {
+	signer := NewMultiSigner()
+
+	sharedKey := []byte{
+		0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
+		0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
+	}
+
+	signer.AddRecipient(RS256, rsaTestKey)
+	signer.AddRecipient(HS384, sharedKey)
+
+	input := []byte("Lorem ipsum dolor sit amet")
+	obj, err := signer.Sign(input)
+	if err != nil {
+		t.Fatal("error on sign: ", err)
+	}
+
+	_, err = obj.CompactSerialize()
+	if err == nil {
+		t.Fatal("message with multiple recipient was compact serialized")
+	}
+
+	msg := obj.FullSerialize()
+
+	obj, err = ParseSigned(msg)
+	if err != nil {
+		t.Fatal("error on parse: ", err)
+	}
+
+	i, _, output, err := obj.VerifyMulti(&rsaTestKey.PublicKey)
+	if err != nil {
+		t.Fatal("error on verify: ", err)
+	}
+
+	if i != 0 {
+		t.Fatal("signature index should be 0 for RSA key")
+	}
+
+	if bytes.Compare(output, input) != 0 {
+		t.Fatal("input/output do not match", output, input)
+	}
+
+	i, _, output, err = obj.VerifyMulti(sharedKey)
+	if err != nil {
+		t.Fatal("error on verify: ", err)
+	}
+
+	if i != 1 {
+		t.Fatal("signature index should be 1 for EC key")
+	}
+
+	if bytes.Compare(output, input) != 0 {
+		t.Fatal("input/output do not match", output, input)
+	}
+}
+
+func GenerateSigningTestKey(sigAlg SignatureAlgorithm) (sig, ver interface{}) {
+	switch sigAlg {
+	case RS256, RS384, RS512, PS256, PS384, PS512:
+		sig = rsaTestKey
+		ver = &rsaTestKey.PublicKey
+	case HS256, HS384, HS512:
+		sig, _, _ = randomKeyGenerator{size: 16}.genKey()
+		ver = sig
+	case ES256:
+		key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+		sig = key
+		ver = &key.PublicKey
+	case ES384:
+		key, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
+		sig = key
+		ver = &key.PublicKey
+	case ES512:
+		key, _ := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
+		sig = key
+		ver = &key.PublicKey
+	default:
+		panic("Must update test case")
+	}
+
+	return
+}
+
+func TestInvalidSignerAlg(t *testing.T) {
+	_, err := NewSigner("XYZ", nil)
+	if err == nil {
+		t.Error("should not accept invalid algorithm")
+	}
+
+	_, err = NewSigner("XYZ", []byte{})
+	if err == nil {
+		t.Error("should not accept invalid algorithm")
+	}
+}
+
+func TestInvalidJWS(t *testing.T) {
+	signer, err := NewSigner(PS256, rsaTestKey)
+	if err != nil {
+		panic(err)
+	}
+
+	obj, err := signer.Sign([]byte("Lorem ipsum dolor sit amet"))
+	obj.Signatures[0].header = &rawHeader{
+		Crit: []string{"TEST"},
+	}
+
+	_, err = obj.Verify(&rsaTestKey.PublicKey)
+	if err == nil {
+		t.Error("should not verify message with unknown crit header")
+	}
+
+	// Try without alg header
+	obj.Signatures[0].protected = &rawHeader{}
+	obj.Signatures[0].header = &rawHeader{}
+
+	_, err = obj.Verify(&rsaTestKey.PublicKey)
+	if err == nil {
+		t.Error("should not verify message with missing headers")
+	}
+}
+
+func TestSignerKid(t *testing.T) {
+	kid := "DEADBEEF"
+	payload := []byte("Lorem ipsum dolor sit amet")
+
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Error("problem generating test signing key", err)
+	}
+
+	basejwk := JsonWebKey{Key: key}
+	jsonbar, err := basejwk.MarshalJSON()
+	if err != nil {
+		t.Error("problem marshalling base JWK", err)
+	}
+
+	var jsonmsi map[string]interface{}
+	err = json.Unmarshal(jsonbar, &jsonmsi)
+	if err != nil {
+		t.Error("problem unmarshalling base JWK", err)
+	}
+	jsonmsi["kid"] = kid
+	jsonbar2, err := json.Marshal(jsonmsi)
+	if err != nil {
+		t.Error("problem marshalling kided JWK", err)
+	}
+
+	var jwk JsonWebKey
+	err = jwk.UnmarshalJSON(jsonbar2)
+	if err != nil {
+		t.Error("problem unmarshalling kided JWK", err)
+	}
+
+	signer, err := NewSigner(ES256, &jwk)
+	if err != nil {
+		t.Error("problem creating signer", err)
+	}
+	signed, err := signer.Sign(payload)
+
+	serialized := signed.FullSerialize()
+
+	parsed, err := ParseSigned(serialized)
+	if err != nil {
+		t.Error("problem parsing signed object", err)
+	}
+
+	if parsed.Signatures[0].Header.KeyID != kid {
+		t.Error("KeyID did not survive trip")
+	}
+}
+
+func TestEmbedJwk(t *testing.T) {
+	var payload = []byte("Lorem ipsum dolor sit amet")
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Error("Failed to generate key")
+	}
+
+	signer, err := NewSigner(ES256, key)
+	if err != nil {
+		t.Error("Failed to create signer")
+	}
+
+	object, err := signer.Sign(payload)
+	if err != nil {
+		t.Error("Failed to sign payload")
+	}
+
+	object, err = ParseSigned(object.FullSerialize())
+	if err != nil {
+		t.Error("Failed to parse jws")
+	}
+
+	if object.Signatures[0].protected.Jwk == nil {
+		t.Error("JWK isn't set in protected header")
+	}
+
+	// Now sign it again, but don't embed JWK.
+	signer.SetEmbedJwk(false)
+
+	object, err = signer.Sign(payload)
+	if err != nil {
+		t.Error("Failed to sign payload")
+	}
+
+	object, err = ParseSigned(object.FullSerialize())
+	if err != nil {
+		t.Error("Failed to parse jws")
+	}
+
+	if object.Signatures[0].protected.Jwk != nil {
+		t.Error("JWK is set in protected header")
+	}
+}
+
+func TestSignerWithJWKAndKeyID(t *testing.T) {
+	enc, err := NewSigner(HS256, &JsonWebKey{
+		KeyID: "test-id",
+		Key:   []byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15},
+	})
+	if err != nil {
+		t.Error(err)
+	}
+
+	signed, _ := enc.Sign([]byte("Lorem ipsum dolor sit amet"))
+
+	serialized1, _ := signed.CompactSerialize()
+	serialized2 := signed.FullSerialize()
+
+	parsed1, _ := ParseSigned(serialized1)
+	parsed2, _ := ParseSigned(serialized2)
+
+	if parsed1.Signatures[0].Header.KeyID != "test-id" {
+		t.Errorf("expected message to have key id from JWK, but found '%s' instead", parsed1.Signatures[0].Header.KeyID)
+	}
+	if parsed2.Signatures[0].Header.KeyID != "test-id" {
+		t.Errorf("expected message to have key id from JWK, but found '%s' instead", parsed2.Signatures[0].Header.KeyID)
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/symmetric.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/symmetric.go
new file mode 100644
index 000000000..51f8cb394
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/symmetric.go
@@ -0,0 +1,349 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jose
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/hmac"
+	"crypto/rand"
+	"crypto/sha256"
+	"crypto/sha512"
+	"crypto/subtle"
+	"errors"
+	"hash"
+	"io"
+
+	"gopkg.in/square/go-jose.v1/cipher"
+)
+
+// Random reader (stubbed out in tests)
+var randReader = rand.Reader
+
+// Dummy key cipher for shared symmetric key mode
+type symmetricKeyCipher struct {
+	key []byte // Pre-shared content-encryption key
+}
+
+// Signer/verifier for MAC modes
+type symmetricMac struct {
+	key []byte
+}
+
+// Input/output from an AEAD operation
+type aeadParts struct {
+	iv, ciphertext, tag []byte
+}
+
+// A content cipher based on an AEAD construction
+type aeadContentCipher struct {
+	keyBytes     int
+	authtagBytes int
+	getAead      func(key []byte) (cipher.AEAD, error)
+}
+
+// Random key generator
+type randomKeyGenerator struct {
+	size int
+}
+
+// Static key generator
+type staticKeyGenerator struct {
+	key []byte
+}
+
+// Create a new content cipher based on AES-GCM
+func newAESGCM(keySize int) contentCipher {
+	return &aeadContentCipher{
+		keyBytes:     keySize,
+		authtagBytes: 16,
+		getAead: func(key []byte) (cipher.AEAD, error) {
+			aes, err := aes.NewCipher(key)
+			if err != nil {
+				return nil, err
+			}
+
+			return cipher.NewGCM(aes)
+		},
+	}
+}
+
+// Create a new content cipher based on AES-CBC+HMAC
+func newAESCBC(keySize int) contentCipher {
+	return &aeadContentCipher{
+		keyBytes:     keySize * 2,
+		authtagBytes: 16,
+		getAead: func(key []byte) (cipher.AEAD, error) {
+			return josecipher.NewCBCHMAC(key, aes.NewCipher)
+		},
+	}
+}
+
+// Get an AEAD cipher object for the given content encryption algorithm
+func getContentCipher(alg ContentEncryption) contentCipher {
+	switch alg {
+	case A128GCM:
+		return newAESGCM(16)
+	case A192GCM:
+		return newAESGCM(24)
+	case A256GCM:
+		return newAESGCM(32)
+	case A128CBC_HS256:
+		return newAESCBC(16)
+	case A192CBC_HS384:
+		return newAESCBC(24)
+	case A256CBC_HS512:
+		return newAESCBC(32)
+	default:
+		return nil
+	}
+}
+
+// newSymmetricRecipient creates a JWE encrypter based on AES-GCM key wrap.
+func newSymmetricRecipient(keyAlg KeyAlgorithm, key []byte) (recipientKeyInfo, error) {
+	switch keyAlg {
+	case DIRECT, A128GCMKW, A192GCMKW, A256GCMKW, A128KW, A192KW, A256KW:
+	default:
+		return recipientKeyInfo{}, ErrUnsupportedAlgorithm
+	}
+
+	return recipientKeyInfo{
+		keyAlg: keyAlg,
+		keyEncrypter: &symmetricKeyCipher{
+			key: key,
+		},
+	}, nil
+}
+
+// newSymmetricSigner creates a recipientSigInfo based on the given key.
+func newSymmetricSigner(sigAlg SignatureAlgorithm, key []byte) (recipientSigInfo, error) {
+	// Verify that key management algorithm is supported by this encrypter
+	switch sigAlg {
+	case HS256, HS384, HS512:
+	default:
+		return recipientSigInfo{}, ErrUnsupportedAlgorithm
+	}
+
+	return recipientSigInfo{
+		sigAlg: sigAlg,
+		signer: &symmetricMac{
+			key: key,
+		},
+	}, nil
+}
+
+// Generate a random key for the given content cipher
+func (ctx randomKeyGenerator) genKey() ([]byte, rawHeader, error) {
+	key := make([]byte, ctx.size)
+	_, err := io.ReadFull(randReader, key)
+	if err != nil {
+		return nil, rawHeader{}, err
+	}
+
+	return key, rawHeader{}, nil
+}
+
+// Key size for random generator
+func (ctx randomKeyGenerator) keySize() int {
+	return ctx.size
+}
+
+// Generate a static key (for direct mode)
+func (ctx staticKeyGenerator) genKey() ([]byte, rawHeader, error) {
+	cek := make([]byte, len(ctx.key))
+	copy(cek, ctx.key)
+	return cek, rawHeader{}, nil
+}
+
+// Key size for static generator
+func (ctx staticKeyGenerator) keySize() int {
+	return len(ctx.key)
+}
+
+// Get key size for this cipher
+func (ctx aeadContentCipher) keySize() int {
+	return ctx.keyBytes
+}
+
+// Encrypt some data
+func (ctx aeadContentCipher) encrypt(key, aad, pt []byte) (*aeadParts, error) {
+	// Get a new AEAD instance
+	aead, err := ctx.getAead(key)
+	if err != nil {
+		return nil, err
+	}
+
+	// Initialize a new nonce
+	iv := make([]byte, aead.NonceSize())
+	_, err = io.ReadFull(randReader, iv)
+	if err != nil {
+		return nil, err
+	}
+
+	ciphertextAndTag := aead.Seal(nil, iv, pt, aad)
+	offset := len(ciphertextAndTag) - ctx.authtagBytes
+
+	return &aeadParts{
+		iv:         iv,
+		ciphertext: ciphertextAndTag[:offset],
+		tag:        ciphertextAndTag[offset:],
+	}, nil
+}
+
+// Decrypt some data
+func (ctx aeadContentCipher) decrypt(key, aad []byte, parts *aeadParts) ([]byte, error) {
+	aead, err := ctx.getAead(key)
+	if err != nil {
+		return nil, err
+	}
+
+	return aead.Open(nil, parts.iv, append(parts.ciphertext, parts.tag...), aad)
+}
+
+// Encrypt the content encryption key.
+func (ctx *symmetricKeyCipher) encryptKey(cek []byte, alg KeyAlgorithm) (recipientInfo, error) {
+	switch alg {
+	case DIRECT:
+		return recipientInfo{
+			header: &rawHeader{},
+		}, nil
+	case A128GCMKW, A192GCMKW, A256GCMKW:
+		aead := newAESGCM(len(ctx.key))
+
+		parts, err := aead.encrypt(ctx.key, []byte{}, cek)
+		if err != nil {
+			return recipientInfo{}, err
+		}
+
+		return recipientInfo{
+			header: &rawHeader{
+				Iv:  newBuffer(parts.iv),
+				Tag: newBuffer(parts.tag),
+			},
+			encryptedKey: parts.ciphertext,
+		}, nil
+	case A128KW, A192KW, A256KW:
+		block, err := aes.NewCipher(ctx.key)
+		if err != nil {
+			return recipientInfo{}, err
+		}
+
+		jek, err := josecipher.KeyWrap(block, cek)
+		if err != nil {
+			return recipientInfo{}, err
+		}
+
+		return recipientInfo{
+			encryptedKey: jek,
+			header:       &rawHeader{},
+		}, nil
+	}
+
+	return recipientInfo{}, ErrUnsupportedAlgorithm
+}
+
+// Decrypt the content encryption key.
+func (ctx *symmetricKeyCipher) decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) {
+	switch KeyAlgorithm(headers.Alg) {
+	case DIRECT:
+		cek := make([]byte, len(ctx.key))
+		copy(cek, ctx.key)
+		return cek, nil
+	case A128GCMKW, A192GCMKW, A256GCMKW:
+		aead := newAESGCM(len(ctx.key))
+
+		parts := &aeadParts{
+			iv:         headers.Iv.bytes(),
+			ciphertext: recipient.encryptedKey,
+			tag:        headers.Tag.bytes(),
+		}
+
+		cek, err := aead.decrypt(ctx.key, []byte{}, parts)
+		if err != nil {
+			return nil, err
+		}
+
+		return cek, nil
+	case A128KW, A192KW, A256KW:
+		block, err := aes.NewCipher(ctx.key)
+		if err != nil {
+			return nil, err
+		}
+
+		cek, err := josecipher.KeyUnwrap(block, recipient.encryptedKey)
+		if err != nil {
+			return nil, err
+		}
+		return cek, nil
+	}
+
+	return nil, ErrUnsupportedAlgorithm
+}
+
+// Sign the given payload
+func (ctx symmetricMac) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) {
+	mac, err := ctx.hmac(payload, alg)
+	if err != nil {
+		return Signature{}, errors.New("square/go-jose: failed to compute hmac")
+	}
+
+	return Signature{
+		Signature: mac,
+		protected: &rawHeader{},
+	}, nil
+}
+
+// Verify the given payload
+func (ctx symmetricMac) verifyPayload(payload []byte, mac []byte, alg SignatureAlgorithm) error {
+	expected, err := ctx.hmac(payload, alg)
+	if err != nil {
+		return errors.New("square/go-jose: failed to compute hmac")
+	}
+
+	if len(mac) != len(expected) {
+		return errors.New("square/go-jose: invalid hmac")
+	}
+
+	match := subtle.ConstantTimeCompare(mac, expected)
+	if match != 1 {
+		return errors.New("square/go-jose: invalid hmac")
+	}
+
+	return nil
+}
+
+// Compute the HMAC based on the given alg value
+func (ctx symmetricMac) hmac(payload []byte, alg SignatureAlgorithm) ([]byte, error) {
+	var hash func() hash.Hash
+
+	switch alg {
+	case HS256:
+		hash = sha256.New
+	case HS384:
+		hash = sha512.New384
+	case HS512:
+		hash = sha512.New
+	default:
+		return nil, ErrUnsupportedAlgorithm
+	}
+
+	hmac := hmac.New(hash, ctx.key)
+
+	// According to documentation, Write() on hash never fails
+	_, _ = hmac.Write(payload)
+	return hmac.Sum(nil), nil
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/symmetric_test.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/symmetric_test.go
new file mode 100644
index 000000000..67f535e3b
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/symmetric_test.go
@@ -0,0 +1,131 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jose
+
+import (
+	"bytes"
+	"crypto/cipher"
+	"crypto/rand"
+	"io"
+	"testing"
+)
+
+func TestInvalidSymmetricAlgorithms(t *testing.T) {
+	_, err := newSymmetricRecipient("XYZ", []byte{})
+	if err != ErrUnsupportedAlgorithm {
+		t.Error("should not accept invalid algorithm")
+	}
+
+	enc := &symmetricKeyCipher{}
+	_, err = enc.encryptKey([]byte{}, "XYZ")
+	if err != ErrUnsupportedAlgorithm {
+		t.Error("should not accept invalid algorithm")
+	}
+}
+
+func TestAeadErrors(t *testing.T) {
+	aead := &aeadContentCipher{
+		keyBytes:     16,
+		authtagBytes: 16,
+		getAead: func(key []byte) (cipher.AEAD, error) {
+			return nil, ErrCryptoFailure
+		},
+	}
+
+	parts, err := aead.encrypt([]byte{}, []byte{}, []byte{})
+	if err != ErrCryptoFailure {
+		t.Error("should handle aead failure")
+	}
+
+	_, err = aead.decrypt([]byte{}, []byte{}, parts)
+	if err != ErrCryptoFailure {
+		t.Error("should handle aead failure")
+	}
+}
+
+func TestInvalidKey(t *testing.T) {
+	gcm := newAESGCM(16).(*aeadContentCipher)
+	_, err := gcm.getAead([]byte{})
+	if err == nil {
+		t.Error("should not accept invalid key")
+	}
+}
+
+func TestStaticKeyGen(t *testing.T) {
+	key := make([]byte, 32)
+	io.ReadFull(rand.Reader, key)
+
+	gen := &staticKeyGenerator{key: key}
+	if gen.keySize() != len(key) {
+		t.Error("static key generator reports incorrect size")
+	}
+
+	generated, _, err := gen.genKey()
+	if err != nil {
+		t.Error("static key generator should always succeed", err)
+	}
+	if !bytes.Equal(generated, key) {
+		t.Error("static key generator returns different data")
+	}
+}
+
+func TestVectorsAESGCM(t *testing.T) {
+	// Source: http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-29#appendix-A.1
+	plaintext := []byte{
+		84, 104, 101, 32, 116, 114, 117, 101, 32, 115, 105, 103, 110, 32,
+		111, 102, 32, 105, 110, 116, 101, 108, 108, 105, 103, 101, 110, 99,
+		101, 32, 105, 115, 32, 110, 111, 116, 32, 107, 110, 111, 119, 108,
+		101, 100, 103, 101, 32, 98, 117, 116, 32, 105, 109, 97, 103, 105,
+		110, 97, 116, 105, 111, 110, 46}
+
+	aad := []byte{
+		101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 83, 85, 48, 69,
+		116, 84, 48, 70, 70, 85, 67, 73, 115, 73, 109, 86, 117, 89, 121, 73,
+		54, 73, 107, 69, 121, 78, 84, 90, 72, 81, 48, 48, 105, 102, 81}
+
+	expectedCiphertext := []byte{
+		229, 236, 166, 241, 53, 191, 115, 196, 174, 43, 73, 109, 39, 122,
+		233, 96, 140, 206, 120, 52, 51, 237, 48, 11, 190, 219, 186, 80, 111,
+		104, 50, 142, 47, 167, 59, 61, 181, 127, 196, 21, 40, 82, 242, 32,
+		123, 143, 168, 226, 73, 216, 176, 144, 138, 247, 106, 60, 16, 205,
+		160, 109, 64, 63, 192}
+
+	expectedAuthtag := []byte{
+		92, 80, 104, 49, 133, 25, 161, 215, 173, 101, 219, 211, 136, 91, 210, 145}
+
+	// Mock random reader
+	randReader = bytes.NewReader([]byte{
+		177, 161, 244, 128, 84, 143, 225, 115, 63, 180, 3, 255, 107, 154,
+		212, 246, 138, 7, 110, 91, 112, 46, 34, 105, 47, 130, 203, 46, 122,
+		234, 64, 252, 227, 197, 117, 252, 2, 219, 233, 68, 180, 225, 77, 219})
+	defer resetRandReader()
+
+	enc := newAESGCM(32)
+	key, _, _ := randomKeyGenerator{size: 32}.genKey()
+	out, err := enc.encrypt(key, aad, plaintext)
+	if err != nil {
+		t.Error("Unable to encrypt:", err)
+		return
+	}
+
+	if bytes.Compare(out.ciphertext, expectedCiphertext) != 0 {
+		t.Error("Ciphertext did not match")
+	}
+	if bytes.Compare(out.tag, expectedAuthtag) != 0 {
+		t.Error("Auth tag did not match")
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/utils.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/utils.go
new file mode 100644
index 000000000..4ca2bc06b
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/utils.go
@@ -0,0 +1,74 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jose
+
+import (
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+)
+
+// LoadPublicKey loads a public key from PEM/DER-encoded data.
+func LoadPublicKey(data []byte) (interface{}, error) {
+	input := data
+
+	block, _ := pem.Decode(data)
+	if block != nil {
+		input = block.Bytes
+	}
+
+	// Try to load SubjectPublicKeyInfo
+	pub, err0 := x509.ParsePKIXPublicKey(input)
+	if err0 == nil {
+		return pub, nil
+	}
+
+	cert, err1 := x509.ParseCertificate(input)
+	if err1 == nil {
+		return cert.PublicKey, nil
+	}
+
+	return nil, fmt.Errorf("square/go-jose: parse error, got '%s' and '%s'", err0, err1)
+}
+
+// LoadPrivateKey loads a private key from PEM/DER-encoded data.
+func LoadPrivateKey(data []byte) (interface{}, error) {
+	input := data
+
+	block, _ := pem.Decode(data)
+	if block != nil {
+		input = block.Bytes
+	}
+
+	var priv interface{}
+	priv, err0 := x509.ParsePKCS1PrivateKey(input)
+	if err0 == nil {
+		return priv, nil
+	}
+
+	priv, err1 := x509.ParsePKCS8PrivateKey(input)
+	if err1 == nil {
+		return priv, nil
+	}
+
+	priv, err2 := x509.ParseECPrivateKey(input)
+	if err2 == nil {
+		return priv, nil
+	}
+
+	return nil, fmt.Errorf("square/go-jose: parse error, got '%s', '%s' and '%s'", err0, err1, err2)
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/utils_test.go b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/utils_test.go
new file mode 100644
index 000000000..6ad622da7
--- /dev/null
+++ b/vendor/github.com/rsc/letsencrypt/vendor/gopkg.in/square/go-jose.v1/utils_test.go
@@ -0,0 +1,225 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jose
+
+import (
+	"crypto/ecdsa"
+	"crypto/rand"
+	"crypto/rsa"
+	"encoding/base64"
+	"encoding/hex"
+	"math/big"
+	"regexp"
+	"testing"
+)
+
+// Reset random reader to original value
+func resetRandReader() {
+	randReader = rand.Reader
+}
+
+// Build big int from hex-encoded string. Strips whitespace (for testing).
+func fromHexInt(base16 string) *big.Int {
+	re := regexp.MustCompile(`\s+`)
+	val, ok := new(big.Int).SetString(re.ReplaceAllString(base16, ""), 16)
+	if !ok {
+		panic("Invalid test data")
+	}
+	return val
+}
+
+// Build big int from base64-encoded string. Strips whitespace (for testing).
+func fromBase64Int(base64 string) *big.Int {
+	re := regexp.MustCompile(`\s+`)
+	val, err := base64URLDecode(re.ReplaceAllString(base64, ""))
+	if err != nil {
+		panic("Invalid test data")
+	}
+	return new(big.Int).SetBytes(val)
+}
+
+// Decode hex-encoded string into byte array. Strips whitespace (for testing).
+func fromHexBytes(base16 string) []byte {
+	re := regexp.MustCompile(`\s+`)
+	val, err := hex.DecodeString(re.ReplaceAllString(base16, ""))
+	if err != nil {
+		panic("Invalid test data")
+	}
+	return val
+}
+
+// Decode base64-encoded string into byte array. Strips whitespace (for testing).
+func fromBase64Bytes(b64 string) []byte {
+	re := regexp.MustCompile(`\s+`)
+	val, err := base64.StdEncoding.DecodeString(re.ReplaceAllString(b64, ""))
+	if err != nil {
+		panic("Invalid test data")
+	}
+	return val
+}
+
+// Test vectors below taken from crypto/x509/x509_test.go in the Go std lib.
+
+var pkixPublicKey = `-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3VoPN9PKUjKFLMwOge6+
+wnDi8sbETGIx2FKXGgqtAKpzmem53kRGEQg8WeqRmp12wgp74TGpkEXsGae7RS1k
+enJCnma4fii+noGH7R0qKgHvPrI2Bwa9hzsH8tHxpyM3qrXslOmD45EH9SxIDUBJ
+FehNdaPbLP1gFyahKMsdfxFJLUvbUycuZSJ2ZnIgeVxwm4qbSvZInL9Iu4FzuPtg
+fINKcbbovy1qq4KvPIrXzhbY3PWDc6btxCf3SE0JdE1MCPThntB62/bLMSQ7xdDR
+FF53oIpvxe/SCOymfWq/LW849Ytv3Xwod0+wzAP8STXG4HSELS4UedPYeHJJJYcZ
++QIDAQAB
+-----END PUBLIC KEY-----`
+
+var pkcs1PrivateKey = `-----BEGIN RSA PRIVATE KEY-----
+MIIBOgIBAAJBALKZD0nEffqM1ACuak0bijtqE2QrI/KLADv7l3kK3ppMyCuLKoF0
+fd7Ai2KW5ToIwzFofvJcS/STa6HA5gQenRUCAwEAAQJBAIq9amn00aS0h/CrjXqu
+/ThglAXJmZhOMPVn4eiu7/ROixi9sex436MaVeMqSNf7Ex9a8fRNfWss7Sqd9eWu
+RTUCIQDasvGASLqmjeffBNLTXV2A5g4t+kLVCpsEIZAycV5GswIhANEPLmax0ME/
+EO+ZJ79TJKN5yiGBRsv5yvx5UiHxajEXAiAhAol5N4EUyq6I9w1rYdhPMGpLfk7A
+IU2snfRJ6Nq2CQIgFrPsWRCkV+gOYcajD17rEqmuLrdIRexpg8N1DOSXoJ8CIGlS
+tAboUGBxTDq3ZroNism3DaMIbKPyYrAqhKov1h5V
+-----END RSA PRIVATE KEY-----`
+
+var ecdsaSHA256p384CertPem = `
+-----BEGIN CERTIFICATE-----
+MIICSjCCAdECCQDje/no7mXkVzAKBggqhkjOPQQDAjCBjjELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFDAS
+BgNVBAoMC0dvb2dsZSwgSW5jMRcwFQYDVQQDDA53d3cuZ29vZ2xlLmNvbTEjMCEG
+CSqGSIb3DQEJARYUZ29sYW5nLWRldkBnbWFpbC5jb20wHhcNMTIwNTIxMDYxMDM0
+WhcNMjIwNTE5MDYxMDM0WjCBjjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlm
+b3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFDASBgNVBAoMC0dvb2dsZSwg
+SW5jMRcwFQYDVQQDDA53d3cuZ29vZ2xlLmNvbTEjMCEGCSqGSIb3DQEJARYUZ29s
+YW5nLWRldkBnbWFpbC5jb20wdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARRuzRNIKRK
+jIktEmXanNmrTR/q/FaHXLhWRZ6nHWe26Fw7Rsrbk+VjGy4vfWtNn7xSFKrOu5ze
+qxKnmE0h5E480MNgrUiRkaGO2GMJJVmxx20aqkXOk59U8yGA4CghE6MwCgYIKoZI
+zj0EAwIDZwAwZAIwBZEN8gvmRmfeP/9C1PRLzODIY4JqWub2PLRT4mv9GU+yw3Gr
+PU9A3CHMdEcdw/MEAjBBO1lId8KOCh9UZunsSMfqXiVurpzmhWd6VYZ/32G+M+Mh
+3yILeYQzllt/g0rKVRk=
+-----END CERTIFICATE-----`
+
+var ecdsaSHA256p384CertDer = fromBase64Bytes(`
+MIICSjCCAdECCQDje/no7mXkVzAKBggqhkjOPQQDAjCBjjELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFDAS
+BgNVBAoMC0dvb2dsZSwgSW5jMRcwFQYDVQQDDA53d3cuZ29vZ2xlLmNvbTEjMCEG
+CSqGSIb3DQEJARYUZ29sYW5nLWRldkBnbWFpbC5jb20wHhcNMTIwNTIxMDYxMDM0
+WhcNMjIwNTE5MDYxMDM0WjCBjjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlm
+b3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFDASBgNVBAoMC0dvb2dsZSwg
+SW5jMRcwFQYDVQQDDA53d3cuZ29vZ2xlLmNvbTEjMCEGCSqGSIb3DQEJARYUZ29s
+YW5nLWRldkBnbWFpbC5jb20wdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARRuzRNIKRK
+jIktEmXanNmrTR/q/FaHXLhWRZ6nHWe26Fw7Rsrbk+VjGy4vfWtNn7xSFKrOu5ze
+qxKnmE0h5E480MNgrUiRkaGO2GMJJVmxx20aqkXOk59U8yGA4CghE6MwCgYIKoZI
+zj0EAwIDZwAwZAIwBZEN8gvmRmfeP/9C1PRLzODIY4JqWub2PLRT4mv9GU+yw3Gr
+PU9A3CHMdEcdw/MEAjBBO1lId8KOCh9UZunsSMfqXiVurpzmhWd6VYZ/32G+M+Mh
+3yILeYQzllt/g0rKVRk=`)
+
+var pkcs8ECPrivateKey = `
+-----BEGIN PRIVATE KEY-----
+MIHtAgEAMBAGByqGSM49AgEGBSuBBAAjBIHVMIHSAgEBBEHqkl65VsjYDQWIHfgv
+zQLPa0JZBsaJI16mjiH8k6VA4lgfK/KNldlEsY433X7wIzo43u8OpX7Nv7n8pVRH
+15XWK6GBiQOBhgAEAfDuikMI4bWsyse7t8iSCmjt9fneW/qStZuIPuVLo7mSJdud
+Cs3J/x9wOnnhLv1u+0atnq5HKKdL4ff3itJPlhmSAQzByKQ5LTvB7d6fn95GJVK/
+hNuS5qGBpB7qeMXVFoki0/2RZIOway8/fXjmNYwe4v/XB5LLn4hcTvEUGYcF8M9K
+-----END PRIVATE KEY-----`
+
+var ecPrivateKey = `
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIBv2rdY9mWGD/UgiuXB0LJcUzgaB6TXq/Ra1jrZKBV3IGSacM5QDFu
+N8yrywiQaTDEqn1zVcLwrnqoQux3gWN1jxugBwYFK4EEACOhgYkDgYYABAFJgaM/
+2a3+gE6Khm/1PYftqNwAzQ21HSLp27q2lTN+GBFho691ARFRkr9UzlQ8gRnhkTbu
+yGfASamlHsYlr3Tv+gFc4BY8SU0q8kzpQ0dOHWFk7dfGFmKwhJrSFIIOeRn/LY03
+XsVFctNDsGhobS2JguQrxhGx8Ll7vQCakV/PEmCQJA==
+-----END EC PRIVATE KEY-----`
+
+var ecPrivateKeyDer = fromBase64Bytes(`
+MIHcAgEBBEIBv2rdY9mWGD/UgiuXB0LJcUzgaB6TXq/Ra1jrZKBV3IGSacM5QDFu
+N8yrywiQaTDEqn1zVcLwrnqoQux3gWN1jxugBwYFK4EEACOhgYkDgYYABAFJgaM/
+2a3+gE6Khm/1PYftqNwAzQ21HSLp27q2lTN+GBFho691ARFRkr9UzlQ8gRnhkTbu
+yGfASamlHsYlr3Tv+gFc4BY8SU0q8kzpQ0dOHWFk7dfGFmKwhJrSFIIOeRn/LY03
+XsVFctNDsGhobS2JguQrxhGx8Ll7vQCakV/PEmCQJA==`)
+
+var invalidPemKey = `
+-----BEGIN PUBLIC KEY-----
+MIHcAgEBBEIBv2rdY9mWGD/UgiuXB0LJcUzgaB6TXq/Ra1jrZKBV3IGSacM5QDFu
+XsVFctNDsGhobS2JguQrxhGx8Ll7vQCakV/PEmCQJA==
+-----END PUBLIC KEY-----`
+
+func TestLoadPublicKey(t *testing.T) {
+	pub, err := LoadPublicKey([]byte(pkixPublicKey))
+	switch pub.(type) {
+	case *rsa.PublicKey:
+	default:
+		t.Error("failed to parse RSA PKIX public key:", err)
+	}
+
+	pub, err = LoadPublicKey([]byte(ecdsaSHA256p384CertPem))
+	switch pub.(type) {
+	case *ecdsa.PublicKey:
+	default:
+		t.Error("failed to parse ECDSA X.509 cert:", err)
+	}
+
+	pub, err = LoadPublicKey([]byte(ecdsaSHA256p384CertDer))
+	switch pub.(type) {
+	case *ecdsa.PublicKey:
+	default:
+		t.Error("failed to parse ECDSA X.509 cert:", err)
+	}
+
+	pub, err = LoadPublicKey([]byte("###"))
+	if err == nil {
+		t.Error("should not parse invalid key")
+	}
+
+	pub, err = LoadPublicKey([]byte(invalidPemKey))
+	if err == nil {
+		t.Error("should not parse invalid key")
+	}
+}
+
+func TestLoadPrivateKey(t *testing.T) {
+	priv, err := LoadPrivateKey([]byte(pkcs1PrivateKey))
+	switch priv.(type) {
+	case *rsa.PrivateKey:
+	default:
+		t.Error("failed to parse RSA PKCS1 private key:", err)
+	}
+
+	priv, err = LoadPrivateKey([]byte(pkcs8ECPrivateKey))
+	if _, ok := priv.(*ecdsa.PrivateKey); !ok {
+		t.Error("failed to parse EC PKCS8 private key:", err)
+	}
+
+	priv, err = LoadPrivateKey([]byte(ecPrivateKey))
+	if _, ok := priv.(*ecdsa.PrivateKey); !ok {
+		t.Error("failed to parse EC private key:", err)
+	}
+
+	priv, err = LoadPrivateKey([]byte(ecPrivateKeyDer))
+	if _, ok := priv.(*ecdsa.PrivateKey); !ok {
+		t.Error("failed to parse EC private key:", err)
+	}
+
+	priv, err = LoadPrivateKey([]byte("###"))
+	if err == nil {
+		t.Error("should not parse invalid key")
+	}
+
+	priv, err = LoadPrivateKey([]byte(invalidPemKey))
+	if err == nil {
+		t.Error("should not parse invalid key")
+	}
+}
diff --git a/vendor/github.com/rsc/letsencrypt/vendor/vendor.json b/vendor/github.com/rsc/letsencrypt/vendor/vendor.json
index 8a4241102..756c1caed 100644
--- a/vendor/github.com/rsc/letsencrypt/vendor/vendor.json
+++ b/vendor/github.com/rsc/letsencrypt/vendor/vendor.json
@@ -1,31 +1,49 @@
 {
-	"comment": "",
-	"ignore": "",
 	"package": [
 		{
-			"checksumSHA1": "CHmdoMriAboKW2nHYSXo0yBizaE=",
+			"path": "github.com/miekg/dns",
+			"revision": "e78414ef75607394ad7d917824f07f381df2eafa",
+			"revisionTime": "2017-06-04T13:30:08+01:00"
+		},
+		{
 			"path": "github.com/xenolf/lego/acme",
-			"revision": "ca19a90028e242e878585941c2a27c8f3b3efc25",
-			"revisionTime": "2016-03-28T16:28:34Z"
+			"revision": "28ead50ff1ca93acdb62734d3ed8da0206d036ff",
+			"revisionTime": "2017-06-18T11:58:28-06:00"
+		},
+		{
+			"path": "golang.org/x/crypto/ocsp",
+			"revision": "84f24dfdf3c414ed893ca1b318d0045ef5a1f607",
+			"revisionTime": "2017-06-23T19:03:27+09:00"
+		},
+		{
+			"path": "golang.org/x/net/context",
+			"revision": "8663ed5da4fd087c3cfb99a996e628b72e2f0948",
+			"revisionTime": "2017-06-28T12:07:11+09:00"
+		},
+		{
+			"path": "golang.org/x/net/publicsuffix",
+			"revision": "8663ed5da4fd087c3cfb99a996e628b72e2f0948",
+			"revisionTime": "2017-06-28T12:07:11+09:00"
+		},
+		{
+			"path": "golang.org/x/time/rate",
+			"revision": "8be79e1e0910c292df4e79c241bb7e8f7e725959",
+			"revisionTime": "2017-04-24T23:40:30Z"
 		},
 		{
-			"checksumSHA1": "jrheBzltbBE1frmNXQiu911T7dE=",
 			"path": "gopkg.in/square/go-jose.v1",
-			"revision": "40d457b439244b546f023d056628e5184136899b",
-			"revisionTime": "2016-03-29T20:33:11Z"
+			"revision": "v1.1.0",
+			"revisionTime": "2016-09-22T17:08:11-07:00"
 		},
 		{
-			"checksumSHA1": "fX4KSC9E1oX9yRx20Zjb3rVJHn4=",
 			"path": "gopkg.in/square/go-jose.v1/cipher",
-			"revision": "40d457b439244b546f023d056628e5184136899b",
-			"revisionTime": "2016-03-29T20:33:11Z"
+			"revision": "v1.1.0",
+			"revisionTime": "2016-09-22T17:08:11-07:00"
 		},
 		{
-			"checksumSHA1": "NxdXsIcLGuuX654ygsaOhoLsg6s=",
 			"path": "gopkg.in/square/go-jose.v1/json",
-			"revision": "40d457b439244b546f023d056628e5184136899b",
-			"revisionTime": "2016-03-29T20:33:11Z"
+			"revision": "v1.1.0",
+			"revisionTime": "2016-09-22T17:08:11-07:00"
 		}
-	],
-	"rootPath": "rsc.io/letsencrypt"
+	]
 }
diff --git a/vendor/github.com/spf13/cobra/README.md b/vendor/github.com/spf13/cobra/README.md
index ff844d2c0..e249c1bcb 100644
--- a/vendor/github.com/spf13/cobra/README.md
+++ b/vendor/github.com/spf13/cobra/README.md
@@ -140,8 +140,8 @@ import "github.com/spf13/cobra"
 
 # Getting Started
 
-While you are welcome to provide your own organization, typically a Cobra based
-application will follow the following organizational structure.
+While you are welcome to provide your own organization, typically a Cobra-based
+application will follow the following organizational structure:
 
 ```
   ▾ appName/
@@ -153,7 +153,7 @@ application will follow the following organizational structure.
       main.go
 ```
 
-In a Cobra app, typically the main.go file is very bare. It serves, one purpose, to initialize Cobra.
+In a Cobra app, typically the main.go file is very bare. It serves one purpose: initializing Cobra.
 
 ```go
 package main
@@ -216,10 +216,11 @@ cobra add create -p 'configCmd'
 ```
 
 *Note: Use camelCase (not snake_case/snake-case) for command names.
-Otherwise, you will become unexpected errors.
+Otherwise, you will encounter errors.
 For example, `cobra add add-user` is incorrect, but `cobra add addUser` is valid.*
 
-Once you have run these three commands you would have an app structure that would look like:
+Once you have run these three commands you would have an app structure similar to
+the following:
 
 ```
   ▾ app/
@@ -232,14 +233,14 @@ Once you have run these three commands you would have an app structure that woul
 
 At this point you can run `go run main.go` and it would run your app. `go run
 main.go serve`, `go run main.go config`, `go run main.go config create` along
-with `go run main.go help serve`, etc would all work.
+with `go run main.go help serve`, etc. would all work.
 
-Obviously you haven't added your own code to these yet, the commands are ready
+Obviously you haven't added your own code to these yet. The commands are ready
 for you to give them their tasks. Have fun!
 
 ### Configuring the cobra generator
 
-The cobra generator will be easier to use if you provide a simple configuration
+The Cobra generator will be easier to use if you provide a simple configuration
 file which will help you eliminate providing a bunch of repeated information in
 flags over and over.
 
@@ -269,7 +270,7 @@ You can also use built-in licenses. For example, **GPLv2**, **GPLv3**, **LGPL**,
 
 ## Manually implementing Cobra
 
-To manually implement cobra you need to create a bare main.go file and a RootCmd file.
+To manually implement Cobra you need to create a bare main.go file and a RootCmd file.
 You will optionally provide additional commands as you see fit.
 
 ### Create the root command
@@ -324,10 +325,10 @@ func init() {
 }
 
 func Execute() {
-	rootCmd.Execute()
+	RootCmd.Execute()
 }
 
-func main() {
+func initConfig() {
   // Don't forget to read config either from cfgFile or from home directory!
 	if cfgFile != "" {
 		// Use config file from the flag.
@@ -336,7 +337,7 @@ func main() {
 		// Find home directory.
 		home, err := homedir.Dir()
 		if err != nil {
-			fmt.Println(home)
+			fmt.Println(err)
 			os.Exit(1)
 		}
 
diff --git a/vendor/github.com/spf13/cobra/cobra.go b/vendor/github.com/spf13/cobra/cobra.go
index 2726d19e4..8928cefc2 100644
--- a/vendor/github.com/spf13/cobra/cobra.go
+++ b/vendor/github.com/spf13/cobra/cobra.go
@@ -47,6 +47,15 @@ var EnablePrefixMatching = false
 // To disable sorting, set it to false.
 var EnableCommandSorting = true
 
+// MousetrapHelpText enables an information splash screen on Windows
+// if the CLI is started from explorer.exe.
+// To disable the mousetrap, just set this variable to blank string ("").
+// Works only on Microsoft Windows.
+var MousetrapHelpText string = `This is a command line tool.
+
+You need to open cmd.exe and run it from there.
+`
+
 // AddTemplateFunc adds a template function that's available to Usage and Help
 // template generation.
 func AddTemplateFunc(name string, tmplFunc interface{}) {
diff --git a/vendor/github.com/spf13/cobra/cobra/cmd/helpers.go b/vendor/github.com/spf13/cobra/cobra/cmd/helpers.go
index 6114227db..c5e261ce3 100644
--- a/vendor/github.com/spf13/cobra/cobra/cmd/helpers.go
+++ b/vendor/github.com/spf13/cobra/cobra/cmd/helpers.go
@@ -45,24 +45,34 @@ func er(msg interface{}) {
 }
 
 // isEmpty checks if a given path is empty.
+// Hidden files in path are ignored.
 func isEmpty(path string) bool {
 	fi, err := os.Stat(path)
 	if err != nil {
 		er(err)
 	}
-	if fi.IsDir() {
-		f, err := os.Open(path)
-		if err != nil {
-			er(err)
-		}
-		defer f.Close()
-		dirs, err := f.Readdirnames(1)
-		if err != nil && err != io.EOF {
-			er(err)
+
+	if !fi.IsDir() {
+		return fi.Size() == 0
+	}
+
+	f, err := os.Open(path)
+	if err != nil {
+		er(err)
+	}
+	defer f.Close()
+
+	names, err := f.Readdirnames(-1)
+	if err != nil && err != io.EOF {
+		er(err)
+	}
+
+	for _, name := range names {
+		if len(name) > 0 && name[0] != '.' {
+			return false
 		}
-		return len(dirs) == 0
 	}
-	return fi.Size() == 0
+	return true
 }
 
 // exists checks if a file or directory exists.
diff --git a/vendor/github.com/spf13/cobra/cobra/cmd/init.go b/vendor/github.com/spf13/cobra/cobra/cmd/init.go
index 4e7ebdb34..149aabe1f 100644
--- a/vendor/github.com/spf13/cobra/cobra/cmd/init.go
+++ b/vendor/github.com/spf13/cobra/cobra/cmd/init.go
@@ -165,7 +165,7 @@ to quickly create a Cobra application.` + "`" + `,
 	//	Run: func(cmd *cobra.Command, args []string) { },
 }
 
-// Execute adds all child commands to the root command sets flags appropriately.
+// Execute adds all child commands to the root command and sets flags appropriately.
 // This is called by main.main(). It only needs to happen once to the rootCmd.
 func Execute() {
 	if err := RootCmd.Execute(); err != nil {
diff --git a/vendor/github.com/spf13/cobra/cobra/cmd/testdata/root.go.golden b/vendor/github.com/spf13/cobra/cobra/cmd/testdata/root.go.golden
index 0085d5ace..ecc876012 100644
--- a/vendor/github.com/spf13/cobra/cobra/cmd/testdata/root.go.golden
+++ b/vendor/github.com/spf13/cobra/cobra/cmd/testdata/root.go.golden
@@ -39,7 +39,7 @@ to quickly create a Cobra application.`,
 	//	Run: func(cmd *cobra.Command, args []string) { },
 }
 
-// Execute adds all child commands to the root command sets flags appropriately.
+// Execute adds all child commands to the root command and sets flags appropriately.
 // This is called by main.main(). It only needs to happen once to the rootCmd.
 func Execute() {
 	if err := RootCmd.Execute(); err != nil {
diff --git a/vendor/github.com/spf13/cobra/command.go b/vendor/github.com/spf13/cobra/command.go
index 2cd6ee807..c3e16b1d1 100644
--- a/vendor/github.com/spf13/cobra/command.go
+++ b/vendor/github.com/spf13/cobra/command.go
@@ -767,28 +767,28 @@ func (c *Command) InitDefaultHelpFlag() {
 // It is called automatically by executing the c or by calling help and usage.
 // If c already has help command or c has no subcommands, it will do nothing.
 func (c *Command) InitDefaultHelpCmd() {
-	if c.helpCommand != nil || !c.HasSubCommands() {
+	if !c.HasSubCommands() {
 		return
 	}
 
-	c.helpCommand = &Command{
-		Use:   "help [command]",
-		Short: "Help about any command",
-		Long: `Help provides help for any command in the application.
-    Simply type ` + c.Name() + ` help [path to command] for full details.`,
-		PersistentPreRun:  func(cmd *Command, args []string) {},
-		PersistentPostRun: func(cmd *Command, args []string) {},
+	if c.helpCommand == nil {
+		c.helpCommand = &Command{
+			Use:   "help [command]",
+			Short: "Help about any command",
+			Long: `Help provides help for any command in the application.
+Simply type ` + c.Name() + ` help [path to command] for full details.`,
 
-		Run: func(c *Command, args []string) {
-			cmd, _, e := c.Root().Find(args)
-			if cmd == nil || e != nil {
-				c.Printf("Unknown help topic %#q\n", args)
-				c.Root().Usage()
-			} else {
-				cmd.InitDefaultHelpFlag() // make possible 'help' flag to be shown
-				cmd.Help()
-			}
-		},
+			Run: func(c *Command, args []string) {
+				cmd, _, e := c.Root().Find(args)
+				if cmd == nil || e != nil {
+					c.Printf("Unknown help topic %#q\n", args)
+					c.Root().Usage()
+				} else {
+					cmd.InitDefaultHelpFlag() // make possible 'help' flag to be shown
+					cmd.Help()
+				}
+			},
+		}
 	}
 	c.RemoveCommand(c.helpCommand)
 	c.AddCommand(c.helpCommand)
diff --git a/vendor/github.com/spf13/cobra/command_test.go b/vendor/github.com/spf13/cobra/command_test.go
index f4fe14646..aa6658f85 100644
--- a/vendor/github.com/spf13/cobra/command_test.go
+++ b/vendor/github.com/spf13/cobra/command_test.go
@@ -120,7 +120,6 @@ func TestStripFlags(t *testing.T) {
 }
 
 func TestDisableFlagParsing(t *testing.T) {
-	as := []string{"-v", "-race", "-file", "foo.go"}
 	targs := []string{}
 	cmdPrint := &Command{
 		DisableFlagParsing: true,
@@ -128,14 +127,14 @@ func TestDisableFlagParsing(t *testing.T) {
 			targs = args
 		},
 	}
-	osargs := []string{"cmd"}
-	os.Args = append(osargs, as...)
+	args := []string{"cmd", "-v", "-race", "-file", "foo.go"}
+	cmdPrint.SetArgs(args)
 	err := cmdPrint.Execute()
 	if err != nil {
 		t.Error(err)
 	}
-	if !reflect.DeepEqual(as, targs) {
-		t.Errorf("expected: %v, got: %v", as, targs)
+	if !reflect.DeepEqual(args, targs) {
+		t.Errorf("expected: %v, got: %v", args, targs)
 	}
 }
 
@@ -316,5 +315,35 @@ func TestUseDeprecatedFlags(t *testing.T) {
 	if !strings.Contains(output.String(), "This flag is deprecated") {
 		t.Errorf("Expected to contain deprecated message, but got %q", output.String())
 	}
+}
+
+// TestSetHelpCommand checks, if SetHelpCommand works correctly.
+func TestSetHelpCommand(t *testing.T) {
+	c := &Command{Use: "c", Run: func(*Command, []string) {}}
+	output := new(bytes.Buffer)
+	c.SetOutput(output)
+	c.SetArgs([]string{"help"})
+
+	// Help will not be shown, if c has no subcommands.
+	c.AddCommand(&Command{
+		Use: "empty",
+		Run: func(cmd *Command, args []string) {},
+	})
 
+	correctMessage := "WORKS"
+	c.SetHelpCommand(&Command{
+		Use:   "help [command]",
+		Short: "Help about any command",
+		Long: `Help provides help for any command in the application.
+	Simply type ` + c.Name() + ` help [path to command] for full details.`,
+		Run: func(c *Command, args []string) { c.Print(correctMessage) },
+	})
+
+	if err := c.Execute(); err != nil {
+		t.Error("Unexpected error:", err)
+	}
+
+	if output.String() != correctMessage {
+		t.Errorf("Expected to contain %q message, but got %q", correctMessage, output.String())
+	}
 }
diff --git a/vendor/github.com/spf13/cobra/command_win.go b/vendor/github.com/spf13/cobra/command_win.go
index 4b0eaa1b6..edec728e4 100644
--- a/vendor/github.com/spf13/cobra/command_win.go
+++ b/vendor/github.com/spf13/cobra/command_win.go
@@ -11,14 +11,8 @@ import (
 
 var preExecHookFn = preExecHook
 
-// enables an information splash screen on Windows if the CLI is started from explorer.exe.
-var MousetrapHelpText string = `This is a command line tool
-
-You need to open cmd.exe and run it from there.
-`
-
 func preExecHook(c *Command) {
-	if mousetrap.StartedByExplorer() {
+	if MousetrapHelpText != "" && mousetrap.StartedByExplorer() {
 		c.Print(MousetrapHelpText)
 		time.Sleep(5 * time.Second)
 		os.Exit(1)
diff --git a/vendor/github.com/xenolf/lego/CHANGELOG.md b/vendor/github.com/xenolf/lego/CHANGELOG.md
index c43c4a936..7dc1c1163 100644
--- a/vendor/github.com/xenolf/lego/CHANGELOG.md
+++ b/vendor/github.com/xenolf/lego/CHANGELOG.md
@@ -1,5 +1,54 @@
 # Changelog
 
+## [0.4.0] - 2017-07-13
+
+### Added:
+- CLI: The `--http-timeout` switch. This allows for an override of the default client HTTP timeout.
+- lib: The `HTTPClient` field. This allows for an override of the default HTTP timeout for library HTTP requests.
+- CLI: The `--dns-timeout` switch. This allows for an override of the default DNS timeout for library DNS requests.
+- lib: The `DNSTimeout` switch. This allows for an override of the default client DNS timeout.
+- lib: The `QueryRegistration` function on `acme.Client`. This performs a POST on the client registration's URI and gets the updated registration info.
+- lib: The `DeleteRegistration` function on `acme.Client`. This deletes the registration as currently configured in the client.
+- lib: The `ObtainCertificateForCSR` function on `acme.Client`. The function allows to request a certificate for an already existing CSR.
+- CLI: The `--csr` switch. Allows to use already existing CSRs for certificate requests on the command line.
+- CLI: The `--pem` flag. This will change the certificate output so it outputs a .pem file concatanating the .key and .crt files together.
+- CLI: The `--dns-resolvers` flag. Allows for users to override the default DNS servers used for recursive lookup.
+- lib: Added a memcached provider for the HTTP challenge.
+- CLI: The `--memcached-host` flag. This allows to use memcached for challenge storage.
+- CLI: The `--must-staple` flag. This enables OCSP must staple in the generated CSR.
+- lib: The library will now honor entries in your resolv.conf.
+- lib: Added a field `IssuerCertificate` to the `CertificateResource` struct.
+- lib: A new DNS provider for OVH.
+- lib: A new DNS provider for DNSMadeEasy.
+- lib: A new DNS provider for Linode.
+- lib: A new DNS provider for AuroraDNS.
+- lib: A new DNS provider for NS1.
+- lib: A new DNS provider for Azure DNS.
+- lib: A new DNS provider for Rackspace DNS.
+- lib: A new DNS provider for Exoscale DNS.
+- lib: A new DNS provider for DNSPod.
+
+### Changed:
+- lib: Exported the `PreCheckDNS` field so library users can manage the DNS check in tests.
+- lib: The library will now skip challenge solving if a valid Authz already exists.
+
+### Removed:
+- lib: The library will no longer check for auto renewed certificates. This has been removed from the spec and is not supported in Boulder.
+
+### Fixed:
+- lib: Fix a problem with the Route53 provider where it was possible the verification was published to a private zone.
+- lib: Loading an account from file should fail if a integral part is nil
+- lib: Fix a potential issue where the Dyn provider could resolve to an incorrect zone.
+- lib: If a registration encounteres a conflict, the old registration is now recovered.
+- CLI: The account.json file no longer has the executable flag set.
+- lib: Made the client registration more robust in case of a 403 HTTP response.
+- lib: Fixed an issue with zone lookups when they have a CNAME in another zone.
+- lib: Fixed the lookup for the authoritative zone for Google Cloud.
+- lib: Fixed a race condition in the nonce store.
+- lib: The Google Cloud provider now removes old entries before trying to add new ones.
+- lib: Fixed a condition where we could stall due to an early error condition.
+- lib: Fixed an issue where Authz object could end up in an active state after an error condition.
+
 ## [0.3.1] - 2016-04-19
 
 ### Added:
diff --git a/vendor/github.com/xenolf/lego/LICENSE b/vendor/github.com/xenolf/lego/LICENSE
index 17460b716..270cba089 100644
--- a/vendor/github.com/xenolf/lego/LICENSE
+++ b/vendor/github.com/xenolf/lego/LICENSE
@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2015 Sebastian Erhart
+Copyright (c) 2015-2017 Sebastian Erhart
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/vendor/github.com/xenolf/lego/README.md b/vendor/github.com/xenolf/lego/README.md
index 5dc9d550d..27b346b22 100644
--- a/vendor/github.com/xenolf/lego/README.md
+++ b/vendor/github.com/xenolf/lego/README.md
@@ -4,6 +4,7 @@ Let's Encrypt client and ACME library written in Go
 [![GoDoc](https://godoc.org/github.com/xenolf/lego/acme?status.svg)](https://godoc.org/github.com/xenolf/lego/acme)
 [![Build Status](https://travis-ci.org/xenolf/lego.svg?branch=master)](https://travis-ci.org/xenolf/lego)
 [![Dev Chat](https://img.shields.io/badge/dev%20chat-gitter-blue.svg?label=dev+chat)](https://gitter.im/xenolf/lego)
+[![Beerpay](https://beerpay.io/xenolf/lego/badge.svg)](https://beerpay.io/xenolf/lego)
 
 #### General
 This is a work in progress. Please do *NOT* run this on a production server and please report any bugs you find!
@@ -80,32 +81,37 @@ NAME:
 
 USAGE:
    lego [global options] command [command options] [arguments...]
-   
+
 VERSION:
-   0.3.1
-   
+   0.4.0
+
 COMMANDS:
-   run		Register an account, then create and install a certificate
-   revoke	Revoke a certificate
-   renew	Renew a certificate
-   dnshelp	Shows additional help for the --dns global option
-   help, h	Shows a list of commands or help for one command
-   
+     run      Register an account, then create and install a certificate
+     revoke   Revoke a certificate
+     renew    Renew a certificate
+     dnshelp  Shows additional help for the --dns global option
+     help, h  Shows a list of commands or help for one command
+
 GLOBAL OPTIONS:
-   --domains, -d [--domains option --domains option]			Add domains to the process
-   --csr, -c                Certificate signing request filename, if an external CSR is to be used
-   --server, -s "https://acme-v01.api.letsencrypt.org/directory"	CA hostname (and optionally :port). The server certificate must be trusted in order to avoid further modifications to the client.
-   --email, -m 								Email used for registration and recovery contact.
-   --accept-tos, -a							By setting this flag to true you indicate that you accept the current Let's Encrypt terms of service.
-   --key-type, -k "rsa2048"						Key type to use for private keys. Supported: rsa2048, rsa4096, rsa8192, ec256, ec384
-   --path "${CWD}/.lego"	Directory to use for storing the data
-   --exclude, -x [--exclude option --exclude option]			Explicitly disallow solvers by name from being used. Solvers: "http-01", "tls-sni-01".
-   --webroot 								Set the webroot folder to use for HTTP based challenges to write directly in a file in .well-known/acme-challenge
-   --http 								Set the port and interface to use for HTTP based challenges to listen on. Supported: interface:port or :port
-   --tls 								Set the port and interface to use for TLS based challenges to listen on. Supported: interface:port or :port
-   --dns 								Solve a DNS challenge using the specified provider. Disables all other challenges. Run 'lego dnshelp' for help on usage.
-   --help, -h								show help
-   --version, -v							print the version
+   --domains value, -d value   Add domains to the process
+   --csr value, -c value       Certificate signing request filename, if an external CSR is to be used
+   --server value, -s value    CA hostname (and optionally :port). The server certificate must be trusted in order to avoid further modifications to the client. (default: "https://acme-v01.api.letsencrypt.org/directory")
+   --email value, -m value     Email used for registration and recovery contact.
+   --accept-tos, -a            By setting this flag to true you indicate that you accept the current Let's Encrypt terms of service.
+   --key-type value, -k value  Key type to use for private keys. Supported: rsa2048, rsa4096, rsa8192, ec256, ec384 (default: "rsa2048")
+   --path value                Directory to use for storing the data (default: "/.lego")
+   --exclude value, -x value   Explicitly disallow solvers by name from being used. Solvers: "http-01", "tls-sni-01".
+   --webroot value             Set the webroot folder to use for HTTP based challenges to write directly in a file in .well-known/acme-challenge
+   --memcached-host value      Set the memcached host(s) to use for HTTP based challenges. Challenges will be written to all specified hosts.
+   --http value                Set the port and interface to use for HTTP based challenges to listen on. Supported: interface:port or :port
+   --tls value                 Set the port and interface to use for TLS based challenges to listen on. Supported: interface:port or :port
+   --dns value                 Solve a DNS challenge using the specified provider. Disables all other challenges. Run 'lego dnshelp' for help on usage.
+   --http-timeout value        Set the HTTP timeout value to a specific value in seconds. The default is 10 seconds. (default: 0)
+   --dns-timeout value         Set the DNS timeout value to a specific value in seconds. The default is 10 seconds. (default: 0)
+   --dns-resolvers value       Set the resolvers to use for performing recursive DNS queries. Supported: host:port. The default is to use Google's DNS resolvers.
+   --pem                       Generate a .pem file by concatanating the .key and .crt files together.
+   --help, -h                  show help
+   --version, -v               print the version
 ```
 
 ##### CLI Example
diff --git a/vendor/github.com/xenolf/lego/acme/http.go b/vendor/github.com/xenolf/lego/acme/http.go
index a858b5a75..fd6018a10 100644
--- a/vendor/github.com/xenolf/lego/acme/http.go
+++ b/vendor/github.com/xenolf/lego/acme/http.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"net"
 	"net/http"
 	"runtime"
 	"strings"
@@ -15,7 +16,17 @@ import (
 var UserAgent string
 
 // HTTPClient is an HTTP client with a reasonable timeout value.
-var HTTPClient = http.Client{Timeout: 10 * time.Second}
+var HTTPClient = http.Client{
+	Transport: &http.Transport{
+		Dial: (&net.Dialer{
+			Timeout:   30 * time.Second,
+			KeepAlive: 30 * time.Second,
+		}).Dial,
+		TLSHandshakeTimeout:   15 * time.Second,
+		ResponseHeaderTimeout: 15 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+	},
+}
 
 const (
 	// defaultGoUserAgent is the Go HTTP package user agent string. Too
diff --git a/vendor/github.com/xenolf/lego/cli.go b/vendor/github.com/xenolf/lego/cli.go
index 03589a233..ae8354b50 100644
--- a/vendor/github.com/xenolf/lego/cli.go
+++ b/vendor/github.com/xenolf/lego/cli.go
@@ -32,7 +32,7 @@ func main() {
 	app.Name = "lego"
 	app.Usage = "Let's Encrypt client written in Go"
 
-	version := "0.3.1"
+	version := "0.4.0"
 	if strings.HasPrefix(gittag, "v") {
 		version = gittag
 	}
@@ -209,13 +209,13 @@ Here is an example bash command using the CloudFlare DNS provider:
 	fmt.Fprintln(w, "\tdnsmadeeasy:\tDNSMADEEASY_API_KEY, DNSMADEEASY_API_SECRET")
 	fmt.Fprintln(w, "\texoscale:\tEXOSCALE_API_KEY, EXOSCALE_API_SECRET, EXOSCALE_ENDPOINT")
 	fmt.Fprintln(w, "\tgandi:\tGANDI_API_KEY")
-	fmt.Fprintln(w, "\tgcloud:\tGCE_PROJECT")
+	fmt.Fprintln(w, "\tgcloud:\tGCE_PROJECT, GCE_SERVICE_ACCOUNT_FILE")
 	fmt.Fprintln(w, "\tlinode:\tLINODE_API_KEY")
 	fmt.Fprintln(w, "\tmanual:\tnone")
 	fmt.Fprintln(w, "\tnamecheap:\tNAMECHEAP_API_USER, NAMECHEAP_API_KEY")
 	fmt.Fprintln(w, "\trackspace:\tRACKSPACE_USER, RACKSPACE_API_KEY")
 	fmt.Fprintln(w, "\trfc2136:\tRFC2136_TSIG_KEY, RFC2136_TSIG_SECRET,\n\t\tRFC2136_TSIG_ALGORITHM, RFC2136_NAMESERVER")
-	fmt.Fprintln(w, "\troute53:\tAWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION")
+	fmt.Fprintln(w, "\troute53:\tAWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION, AWS_HOSTED_ZONE_ID")
 	fmt.Fprintln(w, "\tdyn:\tDYN_CUSTOMER_NAME, DYN_USER_NAME, DYN_PASSWORD")
 	fmt.Fprintln(w, "\tvultr:\tVULTR_API_KEY")
 	fmt.Fprintln(w, "\tovh:\tOVH_ENDPOINT, OVH_APPLICATION_KEY, OVH_APPLICATION_SECRET, OVH_CONSUMER_KEY")
diff --git a/vendor/github.com/xenolf/lego/cli_handlers.go b/vendor/github.com/xenolf/lego/cli_handlers.go
index dad19a144..79bbb37e5 100644
--- a/vendor/github.com/xenolf/lego/cli_handlers.go
+++ b/vendor/github.com/xenolf/lego/cli_handlers.go
@@ -114,7 +114,7 @@ func setup(c *cli.Context) (*Configuration, *Account, *acme.Client) {
 	}
 
 	if c.GlobalIsSet("dns") {
-    provider, err := dns.NewDNSChallengeProviderByName(c.GlobalString("dns"))
+		provider, err := dns.NewDNSChallengeProviderByName(c.GlobalString("dns"))
 		if err != nil {
 			logger().Fatal(err)
 		}
diff --git a/vendor/github.com/xenolf/lego/providers/dns/dns_providers.go b/vendor/github.com/xenolf/lego/providers/dns/dns_providers.go
index 33fca0fad..af6c02cca 100644
--- a/vendor/github.com/xenolf/lego/providers/dns/dns_providers.go
+++ b/vendor/github.com/xenolf/lego/providers/dns/dns_providers.go
@@ -48,7 +48,7 @@ func NewDNSChallengeProviderByName(name string) (acme.ChallengeProvider, error)
 	case "dyn":
 		provider, err = dyn.NewDNSProvider()
 	case "exoscale":
-		provider, err = exoscale.NewDNSProvider()		
+		provider, err = exoscale.NewDNSProvider()
 	case "gandi":
 		provider, err = gandi.NewDNSProvider()
 	case "gcloud":
diff --git a/vendor/github.com/xenolf/lego/providers/dns/googlecloud/googlecloud.go b/vendor/github.com/xenolf/lego/providers/dns/googlecloud/googlecloud.go
index ea6c0875c..ba753f6dc 100644
--- a/vendor/github.com/xenolf/lego/providers/dns/googlecloud/googlecloud.go
+++ b/vendor/github.com/xenolf/lego/providers/dns/googlecloud/googlecloud.go
@@ -4,12 +4,14 @@ package googlecloud
 
 import (
 	"fmt"
+	"io/ioutil"
 	"os"
 	"time"
 
 	"github.com/xenolf/lego/acme"
 
 	"golang.org/x/net/context"
+	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/google"
 
 	"google.golang.org/api/dns/v1"
@@ -22,9 +24,14 @@ type DNSProvider struct {
 }
 
 // NewDNSProvider returns a DNSProvider instance configured for Google Cloud
-// DNS. Credentials must be passed in the environment variable: GCE_PROJECT.
+// DNS. Project name must be passed in the environment variable: GCE_PROJECT.
+// A Service Account file can be passed in the environment variable:
+// GCE_SERVICE_ACCOUNT_FILE
 func NewDNSProvider() (*DNSProvider, error) {
 	project := os.Getenv("GCE_PROJECT")
+	if saFile, ok := os.LookupEnv("GCE_SERVICE_ACCOUNT_FILE"); ok {
+		return NewDNSProviderServiceAccount(project, saFile)
+	}
 	return NewDNSProviderCredentials(project)
 }
 
@@ -49,6 +56,36 @@ func NewDNSProviderCredentials(project string) (*DNSProvider, error) {
 	}, nil
 }
 
+// NewDNSProviderServiceAccount uses the supplied service account JSON file to
+// return a DNSProvider instance configured for Google Cloud DNS.
+func NewDNSProviderServiceAccount(project string, saFile string) (*DNSProvider, error) {
+	if project == "" {
+		return nil, fmt.Errorf("Google Cloud project name missing")
+	}
+	if saFile == "" {
+		return nil, fmt.Errorf("Google Cloud Service Account file missing")
+	}
+
+	dat, err := ioutil.ReadFile(saFile)
+	if err != nil {
+		return nil, fmt.Errorf("Unable to read Service Account file: %v", err)
+	}
+	conf, err := google.JWTConfigFromJSON(dat, dns.NdevClouddnsReadwriteScope)
+	if err != nil {
+		return nil, fmt.Errorf("Unable to acquire config: %v", err)
+	}
+	client := conf.Client(oauth2.NoContext)
+
+	svc, err := dns.New(client)
+	if err != nil {
+		return nil, fmt.Errorf("Unable to create Google Cloud DNS service: %v", err)
+	}
+	return &DNSProvider{
+		project: project,
+		client:  svc,
+	}, nil
+}
+
 // Present creates a TXT record to fulfil the dns-01 challenge.
 func (c *DNSProvider) Present(domain, token, keyAuth string) error {
 	fqdn, value, ttl := acme.DNS01Record(domain, keyAuth)
diff --git a/vendor/github.com/xenolf/lego/providers/dns/rfc2136/rfc2136.go b/vendor/github.com/xenolf/lego/providers/dns/rfc2136/rfc2136.go
index 1f1af790f..dde42ddf1 100644
--- a/vendor/github.com/xenolf/lego/providers/dns/rfc2136/rfc2136.go
+++ b/vendor/github.com/xenolf/lego/providers/dns/rfc2136/rfc2136.go
@@ -20,29 +20,32 @@ type DNSProvider struct {
 	tsigAlgorithm string
 	tsigKey       string
 	tsigSecret    string
+	timeout       time.Duration
 }
 
 // NewDNSProvider returns a DNSProvider instance configured for rfc2136
-// dynamic update. Credentials must be passed in environment variables:
+// dynamic update. Configured with environment variables:
 // RFC2136_NAMESERVER: Network address in the form "host" or "host:port".
 // RFC2136_TSIG_ALGORITHM: Defaults to hmac-md5.sig-alg.reg.int. (HMAC-MD5).
 // See https://github.com/miekg/dns/blob/master/tsig.go for supported values. 
 // RFC2136_TSIG_KEY: Name of the secret key as defined in DNS server configuration.
 // RFC2136_TSIG_SECRET: Secret key payload.
+// RFC2136_TIMEOUT: DNS propagation timeout in time.ParseDuration format. (60s)
 // To disable TSIG authentication, leave the RFC2136_TSIG* variables unset.
 func NewDNSProvider() (*DNSProvider, error) {
 	nameserver := os.Getenv("RFC2136_NAMESERVER")
 	tsigAlgorithm := os.Getenv("RFC2136_TSIG_ALGORITHM")
 	tsigKey := os.Getenv("RFC2136_TSIG_KEY")
 	tsigSecret := os.Getenv("RFC2136_TSIG_SECRET")
-	return NewDNSProviderCredentials(nameserver, tsigAlgorithm, tsigKey, tsigSecret)
+	timeout := os.Getenv("RFC2136_TIMEOUT")
+	return NewDNSProviderCredentials(nameserver, tsigAlgorithm, tsigKey, tsigSecret, timeout)
 }
 
 // NewDNSProviderCredentials uses the supplied credentials to return a
 // DNSProvider instance configured for rfc2136 dynamic update. To disable TSIG
 // authentication, leave the TSIG parameters as empty strings.
 // nameserver must be a network address in the form "host" or "host:port".
-func NewDNSProviderCredentials(nameserver, tsigAlgorithm, tsigKey, tsigSecret string) (*DNSProvider, error) {
+func NewDNSProviderCredentials(nameserver, tsigAlgorithm, tsigKey, tsigSecret, timeout string) (*DNSProvider, error) {
 	if nameserver == "" {
 		return nil, fmt.Errorf("RFC2136 nameserver missing")
 	}
@@ -67,9 +70,27 @@ func NewDNSProviderCredentials(nameserver, tsigAlgorithm, tsigKey, tsigSecret st
 		d.tsigSecret = tsigSecret
 	}
 
+	if timeout == "" {
+		d.timeout = 60 * time.Second
+	} else {
+		t, err := time.ParseDuration(timeout)
+		if err != nil {
+			return nil, err
+		} else if t < 0 {
+			return nil, fmt.Errorf("Invalid/negative RFC2136_TIMEOUT: %v", timeout)
+		} else {
+			d.timeout = t
+		}
+	}
+
 	return d, nil
 }
 
+// Returns the timeout configured with RFC2136_TIMEOUT, or 60s.
+func (d *DNSProvider) Timeout() (timeout, interval time.Duration) {
+    return d.timeout, 2 * time.Second
+}
+
 // Present creates a TXT record using the specified parameters
 func (r *DNSProvider) Present(domain, token, keyAuth string) error {
 	fqdn, value, ttl := acme.DNS01Record(domain, keyAuth)
diff --git a/vendor/github.com/xenolf/lego/providers/dns/rfc2136/rfc2136_test.go b/vendor/github.com/xenolf/lego/providers/dns/rfc2136/rfc2136_test.go
index a2515e995..f3ca65b31 100644
--- a/vendor/github.com/xenolf/lego/providers/dns/rfc2136/rfc2136_test.go
+++ b/vendor/github.com/xenolf/lego/providers/dns/rfc2136/rfc2136_test.go
@@ -61,7 +61,7 @@ func TestRFC2136ServerSuccess(t *testing.T) {
 	}
 	defer server.Shutdown()
 
-	provider, err := NewDNSProviderCredentials(addrstr, "", "", "")
+	provider, err := NewDNSProviderCredentials(addrstr, "", "", "", "")
 	if err != nil {
 		t.Fatalf("Expected NewDNSProviderCredentials() to return no error but the error was -> %v", err)
 	}
@@ -81,7 +81,7 @@ func TestRFC2136ServerError(t *testing.T) {
 	}
 	defer server.Shutdown()
 
-	provider, err := NewDNSProviderCredentials(addrstr, "", "", "")
+	provider, err := NewDNSProviderCredentials(addrstr, "", "", "", "")
 	if err != nil {
 		t.Fatalf("Expected NewDNSProviderCredentials() to return no error but the error was -> %v", err)
 	}
@@ -103,7 +103,7 @@ func TestRFC2136TsigClient(t *testing.T) {
 	}
 	defer server.Shutdown()
 
-	provider, err := NewDNSProviderCredentials(addrstr, "", rfc2136TestTsigKey, rfc2136TestTsigSecret)
+	provider, err := NewDNSProviderCredentials(addrstr, "", rfc2136TestTsigKey, rfc2136TestTsigSecret, "")
 	if err != nil {
 		t.Fatalf("Expected NewDNSProviderCredentials() to return no error but the error was -> %v", err)
 	}
@@ -135,7 +135,7 @@ func TestRFC2136ValidUpdatePacket(t *testing.T) {
 		t.Fatalf("Error packing expect msg: %v", err)
 	}
 
-	provider, err := NewDNSProviderCredentials(addrstr, "", "", "")
+	provider, err := NewDNSProviderCredentials(addrstr, "", "", "", "")
 	if err != nil {
 		t.Fatalf("Expected NewDNSProviderCredentials() to return no error but the error was -> %v", err)
 	}
diff --git a/vendor/github.com/xenolf/lego/providers/dns/route53/route53.go b/vendor/github.com/xenolf/lego/providers/dns/route53/route53.go
index f3e53a8e5..934f0a2d4 100644
--- a/vendor/github.com/xenolf/lego/providers/dns/route53/route53.go
+++ b/vendor/github.com/xenolf/lego/providers/dns/route53/route53.go
@@ -5,6 +5,7 @@ package route53
 import (
 	"fmt"
 	"math/rand"
+	"os"
 	"strings"
 	"time"
 
@@ -23,7 +24,8 @@ const (
 
 // DNSProvider implements the acme.ChallengeProvider interface
 type DNSProvider struct {
-	client *route53.Route53
+	client       *route53.Route53
+	hostedZoneID string
 }
 
 // customRetryer implements the client.Retryer interface by composing the
@@ -58,14 +60,22 @@ func (d customRetryer) RetryRules(r *request.Request) time.Duration {
 // 2. Shared credentials file (defaults to ~/.aws/credentials)
 // 3. Amazon EC2 IAM role
 //
+// If AWS_HOSTED_ZONE_ID is not set, Lego tries to determine the correct
+// public hosted zone via the FQDN.
+//
 // See also: https://github.com/aws/aws-sdk-go/wiki/configuring-sdk
 func NewDNSProvider() (*DNSProvider, error) {
+	hostedZoneID := os.Getenv("AWS_HOSTED_ZONE_ID")
+
 	r := customRetryer{}
 	r.NumMaxRetries = maxRetries
 	config := request.WithRetryer(aws.NewConfig(), r)
 	client := route53.New(session.New(config))
 
-	return &DNSProvider{client: client}, nil
+	return &DNSProvider{
+		client:       client,
+		hostedZoneID: hostedZoneID,
+	}, nil
 }
 
 // Present creates a TXT record using the specified parameters
@@ -83,7 +93,7 @@ func (r *DNSProvider) CleanUp(domain, token, keyAuth string) error {
 }
 
 func (r *DNSProvider) changeRecord(action, fqdn, value string, ttl int) error {
-	hostedZoneID, err := getHostedZoneID(fqdn, r.client)
+	hostedZoneID, err := r.getHostedZoneID(fqdn)
 	if err != nil {
 		return fmt.Errorf("Failed to determine Route 53 hosted zone ID: %v", err)
 	}
@@ -124,7 +134,11 @@ func (r *DNSProvider) changeRecord(action, fqdn, value string, ttl int) error {
 	})
 }
 
-func getHostedZoneID(fqdn string, client *route53.Route53) (string, error) {
+func (r *DNSProvider) getHostedZoneID(fqdn string) (string, error) {
+	if r.hostedZoneID != "" {
+		return r.hostedZoneID, nil
+	}
+
 	authZone, err := acme.FindZoneByFqdn(fqdn, acme.RecursiveNameservers)
 	if err != nil {
 		return "", err
@@ -134,7 +148,7 @@ func getHostedZoneID(fqdn string, client *route53.Route53) (string, error) {
 	reqParams := &route53.ListHostedZonesByNameInput{
 		DNSName: aws.String(acme.UnFqdn(authZone)),
 	}
-	resp, err := client.ListHostedZonesByName(reqParams)
+	resp, err := r.client.ListHostedZonesByName(reqParams)
 	if err != nil {
 		return "", err
 	}
diff --git a/vendor/github.com/xenolf/lego/providers/dns/route53/route53_integration_test.go b/vendor/github.com/xenolf/lego/providers/dns/route53/route53_integration_test.go
index 64678906a..17ba4a08a 100644
--- a/vendor/github.com/xenolf/lego/providers/dns/route53/route53_integration_test.go
+++ b/vendor/github.com/xenolf/lego/providers/dns/route53/route53_integration_test.go
@@ -30,7 +30,7 @@ func TestRoute53TTL(t *testing.T) {
 	// unexported.
 	fqdn := "_acme-challenge." + m["route53Domain"] + "."
 	svc := route53.New(session.New())
-	zoneID, err := getHostedZoneID(fqdn, svc)
+	zoneID, err := provider.getHostedZoneID(fqdn)
 	if err != nil {
 		provider.CleanUp(m["route53Domain"], "foo", "bar")
 		t.Fatalf("Fatal: %s", err.Error())
diff --git a/vendor/github.com/xenolf/lego/providers/dns/route53/route53_test.go b/vendor/github.com/xenolf/lego/providers/dns/route53/route53_test.go
index ab8739a58..de4e28f3d 100644
--- a/vendor/github.com/xenolf/lego/providers/dns/route53/route53_test.go
+++ b/vendor/github.com/xenolf/lego/providers/dns/route53/route53_test.go
@@ -16,18 +16,21 @@ var (
 	route53Secret string
 	route53Key    string
 	route53Region string
+	route53Zone   string
 )
 
 func init() {
 	route53Key = os.Getenv("AWS_ACCESS_KEY_ID")
 	route53Secret = os.Getenv("AWS_SECRET_ACCESS_KEY")
 	route53Region = os.Getenv("AWS_REGION")
+	route53Zone = os.Getenv("AWS_HOSTED_ZONE_ID")
 }
 
 func restoreRoute53Env() {
 	os.Setenv("AWS_ACCESS_KEY_ID", route53Key)
 	os.Setenv("AWS_SECRET_ACCESS_KEY", route53Secret)
 	os.Setenv("AWS_REGION", route53Region)
+	os.Setenv("AWS_HOSTED_ZONE_ID", route53Zone)
 }
 
 func makeRoute53Provider(ts *httptest.Server) *DNSProvider {
@@ -67,6 +70,21 @@ func TestRegionFromEnv(t *testing.T) {
 	restoreRoute53Env()
 }
 
+func TestHostedZoneIDFromEnv(t *testing.T) {
+	const testZoneID = "testzoneid"
+
+	defer restoreRoute53Env()
+	os.Setenv("AWS_HOSTED_ZONE_ID", testZoneID)
+
+	provider, err := NewDNSProvider()
+	assert.NoError(t, err, "Expected no error constructing DNSProvider")
+
+	fqdn, err := provider.getHostedZoneID("whatever")
+	assert.NoError(t, err, "Expected FQDN to be resolved to environment variable value")
+
+	assert.Equal(t, testZoneID, fqdn)
+}
+
 func TestRoute53Present(t *testing.T) {
 	mockResponses := MockResponseMap{
 		"/2013-04-01/hostedzonesbyname":         MockResponse{StatusCode: 200, Body: ListHostedZonesByNameResponse},