From e49e28c40c55c400ad06a52c780b918539dd1761 Mon Sep 17 00:00:00 2001 
From: David Chisnall Date: Thu, 18 Apr 2024 10:59:29 +0100 Subject: [PATCH] Add the things needed for the host to the demo. --- demos/2024-04-23-cheritech/morello/README.txt | 50 + .../morello/home/demo/.minirc.dfl | 9 + .../morello/home/demo/audit.sh | 21 + .../morello/home/demo/script/cheri.js | 87 ++ .../morello/home/demo/script/compile.sh | 5 + .../morello/home/demo/script/demo.js | 109 +++ .../morello/home/demo/script/demo.mvm-bc | Bin 0 -> 1048 bytes .../morello/opt/etc/mosquitto/certs/cert.pem | 11 + .../morello/opt/etc/mosquitto/certs/key.pem | 5 + .../morello/opt/etc/mosquitto/mosquitto.conf | 913 ++++++++++++++++++ .../morello/usr/local/etc/ntpd.conf | 13 + .../morello/usr/local64/etc/dhcpd.conf | 22 + .../usr/local64/etc/namedb/db.cheriot.demo | 10 + .../usr/local64/etc/namedb/db.pool.ntp.org | 11 + .../morello/usr/local64/etc/namedb/named.conf | 389 ++++++++ 15 files changed, 1655 insertions(+) create mode 100644 demos/2024-04-23-cheritech/morello/README.txt create mode 100644 demos/2024-04-23-cheritech/morello/home/demo/.minirc.dfl create mode 100755 demos/2024-04-23-cheritech/morello/home/demo/audit.sh create mode 100644 demos/2024-04-23-cheritech/morello/home/demo/script/cheri.js create mode 100755 demos/2024-04-23-cheritech/morello/home/demo/script/compile.sh create mode 100644 demos/2024-04-23-cheritech/morello/home/demo/script/demo.js create mode 100644 demos/2024-04-23-cheritech/morello/home/demo/script/demo.mvm-bc create mode 100644 demos/2024-04-23-cheritech/morello/opt/etc/mosquitto/certs/cert.pem create mode 100644 demos/2024-04-23-cheritech/morello/opt/etc/mosquitto/certs/key.pem create mode 100644 demos/2024-04-23-cheritech/morello/opt/etc/mosquitto/mosquitto.conf create mode 100644 demos/2024-04-23-cheritech/morello/usr/local/etc/ntpd.conf create mode 100644 demos/2024-04-23-cheritech/morello/usr/local64/etc/dhcpd.conf create mode 100644 demos/2024-04-23-cheritech/morello/usr/local64/etc/namedb/db.cheriot.demo create mode 100644 
demos/2024-04-23-cheritech/morello/usr/local64/etc/namedb/db.pool.ntp.org
create mode 100644 demos/2024-04-23-cheritech/morello/usr/local64/etc/namedb/named.conf
diff --git a/demos/2024-04-23-cheritech/morello/README.txt b/demos/2024-04-23-cheritech/morello/README.txt
new file mode 100644
index 0000000..6e6482c
--- /dev/null
+++ b/demos/2024-04-23-cheritech/morello/README.txt
@@ -0,0 +1,50 @@
+Morello machine setup
+=====================
+
+This directory contains the files that are necessary to set up the Morello machine to act as the server in this demo.
+
+Note: This contains the *private* key used on the server for the demo.
+This would allow anyone to impersonate the server.
+This does not matter because it is used *only* for the demo, never use this key for anything important!
+Including the key here remove the need to generate a new header file for the client portion of the demo.
+
+Pure-capability packages:
+
+minicom
+openntpd
+
+Hybrid packages:
+
+bind918
+isc-dhcp44-server
+jq
+npm
+wireshark
+
+Built from source:
+
+cheriot-audit (no port yet)
+mosquitto (xsltproc is broken and the port's no-docs mode doesn't work).
+
+Make sure to build Release builds (-O0 is *really* slow on Morello, with -O0 Mosquitto can't keep up with two clients on FPGA!).
+Install in /opt.
+
+The following lines need to be added to /etc/rc.conf:
+
+# Network interface for the demo
+ifconfig_ue0="inet 10.0.0.10 netmask 255.0.0.0"
+
+# DHCP server
+dhcpd_enable="YES">->--->--->---# dhcpd enabled?
+dhcpd_ifaces="ue0">->--->--->---# ethernet interface(s)
+dhcpd_withumask="022">-->--->---# file creation mask
+
+# bind
+named_enable="YES"
+openntpd_enable="YES"
+
+# Mosquitto
+mosquitto_enable="YES"
+
+devfs_enable="YES"
+
diff --git a/demos/2024-04-23-cheritech/morello/home/demo/.minirc.dfl b/demos/2024-04-23-cheritech/morello/home/demo/.minirc.dfl
new file mode 100644
index 0000000..b309104
--- /dev/null
+++ b/demos/2024-04-23-cheritech/morello/home/demo/.minirc.dfl
@@ -0,0 +1,9 @@
+# Machine-generated file - use setup menu in minicom to change parameters.
+pu baudrate 115200
+pu bits 8
+pu parity N
+pu stopbits 1
+pu rtscts No
+pu addlinefeed No
+pu linewrap Yes
+pu addcarreturn Yes
diff --git a/demos/2024-04-23-cheritech/morello/home/demo/audit.sh b/demos/2024-04-23-cheritech/morello/home/demo/audit.sh
new file mode 100755
index 0000000..5898a0a
--- /dev/null
+++ b/demos/2024-04-23-cheritech/morello/home/demo/audit.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+if [ $# -eq 0 ] ; then
+ echo Query required. Try one of the following:
+ echo Print all connection capabilities:
+ echo -e \\tdata.network_stack.all_connection_capabilities
+ echo Is the network stack configuration valid?
+ echo -e "\\t'data.network_stack.valid(kunyan_ethernet)'"
+ echo Print all allocator capabilities and their owners:
+ echo -e "\\t'[ { \"owner\": owner, \"capability\": data.rtos.decode_allocator_capability(c) } | c = input.compartments[owner].imports[_] ; data.rtos.is_allocator_capability(c) ]'"
+ echo Print all compartments that invoke functions in the JavaScript compartment:
+ echo -e "\\t'data.compartment.compartments_calling(\"javascript\")'"
+ echo Print all compartments that invoke functions in the allocator:
+ echo -e "\\t'data.compartment.compartments_calling(\"allocator\")'"
+ echo Print all compartments that have direct access to the LEDs / switches:
+ echo -e "\\t'data.compartment.compartments_with_mmio_import(data.board.devices.gpio_led0)'"
+else
+ echo "cheriot-audit --board ibex-arty-a7-100.json --firmware-report cheritech-demo.json --module network_stack.rego --query \"$1\""
+ cheriot-audit --board ibex-arty-a7-100.json --firmware-report cheritech-demo.json --module network_stack.rego --query "$1" | jq
+fi
+
diff --git a/demos/2024-04-23-cheritech/morello/home/demo/script/cheri.js b/demos/2024-04-23-cheritech/morello/home/demo/script/cheri.js
new file mode 100644
index 0000000..cb0ea1a
--- /dev/null
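Review bot: The `echo -e "\\t..."` lines in the usage branch depend on a non-POSIX echo option; under `#!/bin/sh` a shell such as dash prints a literal `-e`, and it only works here if the BSD sh builtin happens to accept the flag. `printf` is the portable form, e.g. `printf '\t%s\n' "'data.network_stack.valid(kunyan_ethernet)'"`, and it also removes the need for the doubled backslashes. In the else branch the exit status of `cheriot-audit` is hidden behind `| jq`, so a failed audit (bad board file, rego error) still exits 0 and shows up only as missing output; capturing the tool's output first and testing its status before handing it to jq would make failures visible. Extra positional arguments beyond `$1` are silently ignored, so `[ $# -ne 1 ]` would be the tighter guard.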
+++ b/demos/2024-04-23-cheritech/morello/home/demo/script/cheri.js
@@ -0,0 +1,87 @@
+// FFI Imports
+// Each function imported from the host environment needs to be assigned to a
+// global like this and identified by a constant that the resolver in the C/C++
+// code will understand.
+// These constants are defined in the `Exports` enumeration.
+
+
+var FFINumber = 1;
+
+/**
+ * Log function, writes all arguments to the UART.
+ */
+export const print = vmImport(FFINumber++);
+
+/**
+ * led_on(index).
+ *
+ * Turns on the LED at the specified index.
+ */
+export const led_on = vmImport(FFINumber++);
+
+/**
+ * led_off(index).
+ *
+ * Turns off the LED at the specified index.
+ */
+export const led_off = vmImport(FFINumber++);
+
+/**
+ * buttons_read().
+ *
+ * Reads the value of all of the buttons, returning a 4-bit value indicating
+ * the states of all of them.
+ */
+export const buttons_read = vmImport(FFINumber++);
+
+/**
+ * switches_read().
+ *
+ * Reads the value of all of the switches, returning a 4-bit value indicating
+ * the states of all of them.
+ */
+export const switches_read = vmImport(FFINumber++);
+
+
+export const mqtt_publish = vmImport(FFINumber++);
+export const mqtt_subscribe = vmImport(FFINumber++);
+
+/**
+ * led_set(index, state).
+ *
+ * Turns the LED at the specified index on or off depending on whether state is
+ * true or false.
+ */
+export function led_set(index, state)
+{
+ if (state)
+ {
+ led_on(index);
+ }
+ else
+ {
+ led_off(index);
+ }
+}
+
+/**
+ * button_read(index).
+ *
+ * Reads the value of the button at the specified index.
+ */
+export function button_read(index)
+{
+ return (buttons_read() & (1 << index)) !== 0;
+}
+
+
+/**
+ * switch_read(index).
+ *
+ * Reads the value of the switch at the specified index.
+ */
+export function switch_read(index)
+{
+ return (switches_read() & (1 << index)) !== 0;
+}
+
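Review bot: `mqtt_publish` and `mqtt_subscribe` are the only FFI imports without a doc comment, unlike the five imports above them, so their argument order and return value have to be inferred from the caller in demo.js. A comment in the same style would close that gap, e.g. `/** mqtt_subscribe(topic). Subscribes to topic; the return value is treated as success/failure by the caller. */` and `/** mqtt_publish(topic, message). Publishes message to topic. */`, hedged where the host contract is not visible in this file. Because each import is bound by position through `FFINumber++`, it would also help if the header comment stated explicitly that inserting or reordering imports changes the numbers the C/C++ resolver expects and must be mirrored in the `Exports` enumeration.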
diff --git a/demos/2024-04-23-cheritech/morello/home/demo/script/compile.sh b/demos/2024-04-23-cheritech/morello/home/demo/script/compile.sh
new file mode 100755
index 0000000..7a8718f
--- /dev/null
+++ b/demos/2024-04-23-cheritech/morello/home/demo/script/compile.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+set -e
+microvium demo.js
+echo Publishing code to MQTT broker
+mosquitto_pub -h cheriot.demo -p 8883 --cafile /opt/etc/mosquitto/certs/cert.pem -t cheri-code -f demo.mvm-bc
diff --git a/demos/2024-04-23-cheritech/morello/home/demo/script/demo.js b/demos/2024-04-23-cheritech/morello/home/demo/script/demo.js
new file mode 100644
index 0000000..57adddd
--- /dev/null
+++ b/demos/2024-04-23-cheritech/morello/home/demo/script/demo.js
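Review bot: The publish on the last line authenticates the broker (`--cafile`) but not the publisher, and the listener added in this commit's mosquitto.conf sets `allow_anonymous true` with no `acl_file`, so any client that can reach the broker may publish to `cheri-code`, the topic the device firmware presumably loads its bytecode from. That is likely deliberate for a demo on the 10.0.0.0/8 segment the README configures, but the script should record the assumption, e.g. `# NOTE: the broker accepts anonymous publishes on cheri-code; only run this on the isolated demo network.`. `--cafile` also points at the broker's own `certfile`, i.e. a self-signed certificate is pinned rather than a CA, which is fine for the demo but worth a word in the same comment. Whether the device verifies the bytecode before executing it is not visible in this commit.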
@@ -0,0 +1,109 @@
+import * as host from "./cheri.js"
+
+var ticks = 0
+var switches = 0
+
+/**
+ * Subscribe to a topic, print to the UART whether the subscription was
+ * successful.
+ */
+function subscribe(topic)
+{
+ var ret = host.mqtt_subscribe(topic)
+ host.print("Subscribe ", topic, " returned: ", ret)
+ if (ret)
+ {
+ host.print("Subscribed to", topic)
+ }
+ else
+ {
+ host.print("Failed to subscribe to ", topic)
+ }
+}
+
+/**
+ * On first run, subscribe to the switch topics.
+ */
+function first_run()
+{
+ subscribe("cheri-switch-0")
+ subscribe("cheri-switch-1")
+}
+
+/**
+ * Tick function, called every 100ms (roughly).
+ */
+function tick()
+{
+ if (ticks === 0)
+ {
+ first_run();
+ }
+ ticks++
+ // If we're not a lightswitch, don't do anything else.
+ if (host.switch_read(3))
+ {
+ return;
+ }
+ // If we're not a lightbulb, make sure the lights are out
+ host.led_off(0)
+ host.led_off(1)
+ // Uncomment the next block to validate that the tick callback is being called.
+ /*
+ if (ticks % 5 === 0)
+ {
+ host.print("tick: ", ticks)
+ }
+ */
+ var new_switches = host.switches_read()
+ if (new_switches !== switches)
+ {
+ for (var i = 0 ; i < 2 ; i++)
+ {
+ if ((new_switches & (1 << i)) !== (switches & (1 << i)))
+ {
+ host.print("Switch ", i, " changed to ", (new_switches & (1 << i)) ? "on" : "off")
+ host.mqtt_publish("cheri-switch-" + i, (new_switches & (1 << i)) ? "on" : "off")
+ }
+ }
+ switches = new_switches
+ }
+}
+
+/**
+ * Publish notification callback, called whenever a new publish message is
+ * received from the MQTT broker.
+ */
+function message(topic, message)
+{
+ host.print("Received message on topic: ", topic, " message: ", message)
+ var switchNumber = -1
+ // If we're not a lightbulb, don't do anything else.
+ if (!host.switch_read(3))
+ {
+ return;
+ }
+ if (topic === "cheri-switch-0")
+ {
+ switchNumber = 0
+ }
+ else if (topic === "cheri-switch-1")
+ {
+ switchNumber = 1
+ }
+ else
+ {
+ return
+ }
+ if (message === "on")
+ {
+ host.led_on(switchNumber)
+ }
+ else
+ {
+ host.led_off(switchNumber)
+ }
+}
+
+vmExport(1234, tick);
+vmExport(1235, message);
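Review bot: In `function message(topic, message)` the second parameter shadows the function's own name, so inside the body `message` is the payload string while `vmExport(1235, message)` at the bottom refers to the function; it behaves correctly but is easy to misread, and `function message(topic, payload)` with `host.print("Received message on topic: ", topic, " message: ", payload)` and `if (payload === "on")` avoids it. `var switchNumber = -1` is dead: every path either assigns 0 or 1 or returns before the value is read, so it can be declared without an initializer or at first assignment. Semicolon use is inconsistent across the file (`first_run();` and `return;` in tick() against none elsewhere); settling on one convention would tidy the new code.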
diff --git a/demos/2024-04-23-cheritech/morello/home/demo/script/demo.mvm-bc b/demos/2024-04-23-cheritech/morello/home/demo/script/demo.mvm-bc new file mode 100644 index 0000000000000000000000000000000000000000..f542b30a7ae4b3f11c838ac92a99f24fdf8b5a4c GIT binary patch literal 1048 zcmZ8gO-tNh5T1GSwbfOl*4BcSrN`2RW}#3D!h2~iMUeUf%zngd>TWh}vS}`Rs3Jtr zgFj%w6ngOB(SuN-mmWNLX-_Q*J+uc)J-F<(&`GjewFHv)d1l_{nVB$|8Gvc=$&mm6 zGw=`!^l-4@RQM$zFc3fl31m>$*k*9r+-qeH{{>msDmQVS0!*z?Mk!#rG?^xxe z-eErA69~dW!5P^E2oGTewO|eP80@9MzodAKj|m5;Xx*M{>wWI*2B$0_ZX&3mge#F2 zu-z1OU?mD?Q48}p6>O-^#5H=J{MJ#w#>~Zx|C>BTz|g{AEjhI5fI7fX?7={;J1^;@ zDm8VBfoY}!+vIdBV9wJNQah1M*OHoIpbP-j9R(PTZwg>LS?X5;4Bq#=9Nt7geG)>gMH8Kk% zQg^1V+M9?+q)^2Fk&^TaBO?8Cmh7(p&)E(`c=S=CO" each time you add/remove a certificate. +#cafile +#capath + + +# If require_certificate is true, you may set use_identity_as_username to true +# to use the CN value from the client certificate as a username. If this is +# true, the password_file option will not be used for this listener. +#use_identity_as_username false + +# ----------------------------------------------------------------- +# Pre-shared-key based SSL/TLS support +# ----------------------------------------------------------------- +# The following options can be used to enable PSK based SSL/TLS support for +# this listener. Note that the recommended port for MQTT over TLS is 8883, but +# this must be set manually. +# +# See also the mosquitto-tls man page and the "Certificate based SSL/TLS +# support" section. Only one of certificate or PSK encryption support can be +# enabled for any listener. + +# The psk_hint option enables pre-shared-key support for this listener and also +# acts as an identifier for this listener. The hint is sent to clients and may +# be used locally to aid authentication. The hint is a free form string that +# doesn't have much meaning in itself, so feel free to be creative. 
+# If this option is provided, see psk_file to define the pre-shared keys to be +# used or create a security plugin to handle them. +#psk_hint + +# When using PSK, the encryption ciphers used will be chosen from the list of +# available PSK ciphers. If you want to control which ciphers are available, +# use the "ciphers" option. The list of available ciphers can be optained +# using the "openssl ciphers" command and should be provided in the same format +# as the output of that command. +#ciphers + +# Set use_identity_as_username to have the psk identity sent by the client used +# as its username. Authentication will be carried out using the PSK rather than +# the MQTT username/password and so password_file will not be used for this +# listener. +#use_identity_as_username false + + +# ================================================================= +# Persistence +# ================================================================= + +# If persistence is enabled, save the in-memory database to disk +# every autosave_interval seconds. If set to 0, the persistence +# database will only be written when mosquitto exits. See also +# autosave_on_changes. +# Note that writing of the persistence database can be forced by +# sending mosquitto a SIGUSR1 signal. +#autosave_interval 1800 + +# If true, mosquitto will count the number of subscription changes, retained +# messages received and queued messages and if the total exceeds +# autosave_interval then the in-memory database will be saved to disk. +# If false, mosquitto will save the in-memory database to disk by treating +# autosave_interval as a time in seconds. +#autosave_on_changes false + +# Save persistent message data to disk (true/false). +# This saves information about all messages, including +# subscriptions, currently in-flight messages and retained +# messages. +# retained_persistence is a synonym for this option. 
+#persistence false + +# The filename to use for the persistent database, not including +# the path. +#persistence_file mosquitto.db + +# Location for persistent database. +# Default is an empty string (current directory). +# Set to e.g. /var/lib/mosquitto if running as a proper service on Linux or +# similar. +#persistence_location + + +# ================================================================= +# Logging +# ================================================================= + +# Places to log to. Use multiple log_dest lines for multiple +# logging destinations. +# Possible destinations are: stdout stderr syslog topic file dlt +# +# stdout and stderr log to the console on the named output. +# +# syslog uses the userspace syslog facility which usually ends up +# in /var/log/messages or similar. +# +# topic logs to the broker topic '$SYS/broker/log/', +# where severity is one of D, E, W, N, I, M which are debug, error, +# warning, notice, information and message. Message type severity is used by +# the subscribe/unsubscribe log_types and publishes log messages to +# $SYS/broker/log/M/susbcribe or $SYS/broker/log/M/unsubscribe. +# +# The file destination requires an additional parameter which is the file to be +# logged to, e.g. "log_dest file /var/log/mosquitto.log". The file will be +# closed and reopened when the broker receives a HUP signal. Only a single file +# destination may be configured. +# +# The dlt destination is for the automotive `Diagnostic Log and Trace` tool. +# This requires that Mosquitto has been compiled with DLT support. +# +# Note that if the broker is running as a Windows service it will default to +# "log_dest none" and neither stdout nor stderr logging is available. +# Use "log_dest none" if you wish to disable logging. +#log_dest stderr + +# Types of messages to log. Use multiple log_type lines for logging +# multiple types of messages. 
+# Possible types are: debug, error, warning, notice, information, +# none, subscribe, unsubscribe, websockets, all. +# Note that debug type messages are for decoding the incoming/outgoing +# network packets. They are not logged in "topics". +#log_type error +#log_type warning +#log_type notice +#log_type information + + +# If set to true, client connection and disconnection messages will be included +# in the log. +#connection_messages true + +# If using syslog logging (not on Windows), messages will be logged to the +# "daemon" facility by default. Use the log_facility option to choose which of +# local0 to local7 to log to instead. The option value should be an integer +# value, e.g. "log_facility 5" to use local5. +#log_facility + +# If set to true, add a timestamp value to each log message. +#log_timestamp true + +# Set the format of the log timestamp. If left unset, this is the number of +# seconds since the Unix epoch. +# This is a free text string which will be passed to the strftime function. To +# get an ISO 8601 datetime, for example: +# log_timestamp_format %Y-%m-%dT%H:%M:%S +#log_timestamp_format + +# Change the websockets logging level. This is a global option, it is not +# possible to set per listener. This is an integer that is interpreted by +# libwebsockets as a bit mask for its lws_log_levels enum. See the +# libwebsockets documentation for more details. "log_type websockets" must also +# be enabled. +#websockets_log_level 0 + + +# ================================================================= +# Security +# ================================================================= + +# If set, only clients that have a matching prefix on their +# clientid will be allowed to connect to the broker. By default, +# all clients may connect. +# For example, setting "secure-" here would mean a client "secure- +# client" could connect but another with clientid "mqtt" couldn't. 
+#clientid_prefixes + +# Boolean value that determines whether clients that connect +# without providing a username are allowed to connect. If set to +# false then a password file should be created (see the +# password_file option) to control authenticated client access. +# +# Defaults to false, unless there are no listeners defined in the configuration +# file, in which case it is set to true, but connections are only allowed from +# the local machine. +#allow_anonymous false + +# ----------------------------------------------------------------- +# Default authentication and topic access control +# ----------------------------------------------------------------- + +# Control access to the broker using a password file. This file can be +# generated using the mosquitto_passwd utility. If TLS support is not compiled +# into mosquitto (it is recommended that TLS support should be included) then +# plain text passwords are used, in which case the file should be a text file +# with lines in the format: +# username:password +# The password (and colon) may be omitted if desired, although this +# offers very little in the way of security. +# +# See the TLS client require_certificate and use_identity_as_username options +# for alternative authentication options. If a plugin is used as well as +# password_file, the plugin check will be made first. +#password_file + +# Access may also be controlled using a pre-shared-key file. This requires +# TLS-PSK support and a listener configured to use it. The file should be text +# lines in the format: +# identity:key +# The key should be in hexadecimal format without a leading "0x". +# If an plugin is used as well, the plugin check will be made first. +#psk_file + +# Control access to topics on the broker using an access control list +# file. If this parameter is defined then only the topics listed will +# have access. +# If the first character of a line of the ACL file is a # it is treated as a +# comment. 
+# Topic access is added with lines of the format: +# +# topic [read|write|readwrite|deny] +# +# The access type is controlled using "read", "write", "readwrite" or "deny". +# This parameter is optional (unless contains a space character) - if +# not given then the access is read/write. can contain the + or # +# wildcards as in subscriptions. +# +# The "deny" option can used to explicity deny access to a topic that would +# otherwise be granted by a broader read/write/readwrite statement. Any "deny" +# topics are handled before topics that grant read/write access. +# +# The first set of topics are applied to anonymous clients, assuming +# allow_anonymous is true. User specific topic ACLs are added after a +# user line as follows: +# +# user +# +# The username referred to here is the same as in password_file. It is +# not the clientid. +# +# +# If is also possible to define ACLs based on pattern substitution within the +# topic. The patterns available for substition are: +# +# %c to match the client id of the client +# %u to match the username of the client +# +# The substitution pattern must be the only text for that level of hierarchy. +# +# The form is the same as for the topic keyword, but using pattern as the +# keyword. +# Pattern ACLs apply to all users even if the "user" keyword has previously +# been given. +# +# If using bridges with usernames and ACLs, connection messages can be allowed +# with the following pattern: +# pattern write $SYS/broker/connection/%c/state +# +# pattern [read|write|readwrite] +# +# Example: +# +# pattern write sensor/%u/data +# +# If an plugin is used as well as acl_file, the plugin check will be +# made first. +#acl_file + +# ----------------------------------------------------------------- +# External authentication and topic access plugin options +# ----------------------------------------------------------------- + +# External authentication and access control can be supported with the +# plugin option. 
This is a path to a loadable plugin. See also the +# plugin_opt_* options described below. +# +# The plugin option can be specified multiple times to load multiple +# plugins. The plugins will be processed in the order that they are specified +# here. If the plugin option is specified alongside either of +# password_file or acl_file then the plugin checks will be made first. +# +# If the per_listener_settings option is false, the plugin will be apply to all +# listeners. If per_listener_settings is true, then the plugin will apply to +# the current listener being defined only. +# +# This option is also available as `auth_plugin`, but this use is deprecated +# and will be removed in the future. +# +#plugin + +# If the plugin option above is used, define options to pass to the +# plugin here as described by the plugin instructions. All options named +# using the format plugin_opt_* will be passed to the plugin, for example: +# +# This option is also available as `auth_opt_*`, but this use is deprecated +# and will be removed in the future. +# +# plugin_opt_db_host +# plugin_opt_db_port +# plugin_opt_db_username +# plugin_opt_db_password + + +# ================================================================= +# Bridges +# ================================================================= + +# A bridge is a way of connecting multiple MQTT brokers together. +# Create a new bridge using the "connection" option as described below. Set +# options for the bridges using the remaining parameters. You must specify the +# address and at least one topic to subscribe to. +# +# Each connection must have a unique name. +# +# The address line may have multiple host address and ports specified. See +# below in the round_robin description for more details on bridge behaviour if +# multiple addresses are used. Note that if you use an IPv6 address, then you +# are required to specify a port. 
+# +# The direction that the topic will be shared can be chosen by +# specifying out, in or both, where the default value is out. +# The QoS level of the bridged communication can be specified with the next +# topic option. The default QoS level is 0, to change the QoS the topic +# direction must also be given. +# +# The local and remote prefix options allow a topic to be remapped when it is +# bridged to/from the remote broker. This provides the ability to place a topic +# tree in an appropriate location. +# +# For more details see the mosquitto.conf man page. +# +# Multiple topics can be specified per connection, but be careful +# not to create any loops. +# +# If you are using bridges with cleansession set to false (the default), then +# you may get unexpected behaviour from incoming topics if you change what +# topics you are subscribing to. This is because the remote broker keeps the +# subscription for the old topic. If you have this problem, connect your bridge +# with cleansession set to true, then reconnect with cleansession set to false +# as normal. +#connection +#address [:] [[:]] +#topic [[[out | in | both] qos-level] local-prefix remote-prefix] + +# If you need to have the bridge connect over a particular network interface, +# use bridge_bind_address to tell the bridge which local IP address the socket +# should bind to, e.g. `bridge_bind_address 192.168.1.10` +#bridge_bind_address + +# If a bridge has topics that have "out" direction, the default behaviour is to +# send an unsubscribe request to the remote broker on that topic. This means +# that changing a topic direction from "in" to "out" will not keep receiving +# incoming messages. Sending these unsubscribe requests is not always +# desirable, setting bridge_attempt_unsubscribe to false will disable sending +# the unsubscribe request. +#bridge_attempt_unsubscribe true + +# Set the version of the MQTT protocol to use with for this bridge. Can be one +# of mqttv50, mqttv311 or mqttv31. 
Defaults to mqttv311. +#bridge_protocol_version mqttv311 + +# Set the clean session variable for this bridge. +# When set to true, when the bridge disconnects for any reason, all +# messages and subscriptions will be cleaned up on the remote +# broker. Note that with cleansession set to true, there may be a +# significant amount of retained messages sent when the bridge +# reconnects after losing its connection. +# When set to false, the subscriptions and messages are kept on the +# remote broker, and delivered when the bridge reconnects. +#cleansession false + +# Set the amount of time a bridge using the lazy start type must be idle before +# it will be stopped. Defaults to 60 seconds. +#idle_timeout 60 + +# Set the keepalive interval for this bridge connection, in +# seconds. +#keepalive_interval 60 + +# Set the clientid to use on the local broker. If not defined, this defaults to +# 'local.'. If you are bridging a broker to itself, it is important +# that local_clientid and clientid do not match. +#local_clientid + +# If set to true, publish notification messages to the local and remote brokers +# giving information about the state of the bridge connection. Retained +# messages are published to the topic $SYS/broker/connection//state +# unless the notification_topic option is used. +# If the message is 1 then the connection is active, or 0 if the connection has +# failed. +# This uses the last will and testament feature. +#notifications true + +# Choose the topic on which notification messages for this bridge are +# published. If not set, messages are published on the topic +# $SYS/broker/connection//state +#notification_topic + +# Set the client id to use on the remote end of this bridge connection. If not +# defined, this defaults to 'name.hostname' where name is the connection name +# and hostname is the hostname of this computer. +# This replaces the old "clientid" option to avoid confusion. "clientid" +# remains valid for the time being. 
+#remote_clientid
+
+# Set the password to use when connecting to a broker that requires
+# authentication. This option is only used if remote_username is also set.
+# This replaces the old "password" option to avoid confusion. "password"
+# remains valid for the time being.
+#remote_password
+
+# Set the username to use when connecting to a broker that requires
+# authentication.
+# This replaces the old "username" option to avoid confusion. "username"
+# remains valid for the time being.
+#remote_username
+
+# Set the amount of time a bridge using the automatic start type will wait
+# until attempting to reconnect.
+# This option can be configured to use a constant delay time in seconds, or to
+# use a backoff mechanism based on "Decorrelated Jitter", which adds a degree
+# of randomness to when the restart occurs.
+#
+# Set a constant timeout of 20 seconds:
+# restart_timeout 20
+#
+# Set backoff with a base (start value) of 10 seconds and a cap (upper limit) of
+# 60 seconds:
+# restart_timeout 10 30
+#
+# Defaults to jitter with a base of 5 and cap of 30
+#restart_timeout 5 30
+
+# If the bridge has more than one address given in the address/addresses
+# configuration, the round_robin option defines the behaviour of the bridge on
+# a failure of the bridge connection. If round_robin is false, the default
+# value, then the first address is treated as the main bridge connection. If
+# the connection fails, the other secondary addresses will be attempted in
+# turn. Whilst connected to a secondary bridge, the bridge will periodically
+# attempt to reconnect to the main bridge until successful.
+# If round_robin is true, then all addresses are treated as equals. If a
+# connection fails, the next address will be tried and if successful will
+# remain connected until it fails
+#round_robin false
+
+# Set the start type of the bridge. This controls how the bridge starts and
+# can be one of three types: automatic, lazy and once. Note that RSMB provides
+# a fourth start type "manual" which isn't currently supported by mosquitto.
+#
+# "automatic" is the default start type and means that the bridge connection
+# will be started automatically when the broker starts and also restarted
+# after a short delay (30 seconds) if the connection fails.
+#
+# Bridges using the "lazy" start type will be started automatically when the
+# number of queued messages exceeds the number set with the "threshold"
+# parameter. It will be stopped automatically after the time set by the
+# "idle_timeout" parameter. Use this start type if you wish the connection to
+# only be active when it is needed.
+#
+# A bridge using the "once" start type will be started automatically when the
+# broker starts but will not be restarted if the connection fails.
+#start_type automatic
+
+# Set the number of messages that need to be queued for a bridge with lazy
+# start type to be restarted. Defaults to 10 messages.
+# Must be less than max_queued_messages.
+#threshold 10
+
+# If try_private is set to true, the bridge will attempt to indicate to the
+# remote broker that it is a bridge not an ordinary client. If successful, this
+# means that loop detection will be more effective and that retained messages
+# will be propagated correctly. Not all brokers support this feature so it may
+# be necessary to set try_private to false if your bridge does not connect
+# properly.
+#try_private true
+
+# Some MQTT brokers do not allow retained messages. MQTT v5 gives a mechanism
+# for brokers to tell clients that they do not support retained messages, but
+# this is not possible for MQTT v3.1.1 or v3.1. If you need to bridge to a
+# v3.1.1 or v3.1 broker that does not support retained messages, set the
+# bridge_outgoing_retain option to false. This will remove the retain bit on
+# all outgoing messages to that bridge, regardless of any other setting.
+#bridge_outgoing_retain true
+
+# If you wish to restrict the size of messages sent to a remote bridge, use the
+# bridge_max_packet_size option. This sets the maximum number of bytes for
+# the total message, including headers and payload.
+# Note that MQTT v5 brokers may provide their own maximum-packet-size property.
+# In this case, the smaller of the two limits will be used.
+# Set to 0 for "unlimited".
+#bridge_max_packet_size 0
+
+
+# -----------------------------------------------------------------
+# Certificate based SSL/TLS support
+# -----------------------------------------------------------------
+# Either bridge_cafile or bridge_capath must be defined to enable TLS support
+# for this bridge.
+# bridge_cafile defines the path to a file containing the
+# Certificate Authority certificates that have signed the remote broker
+# certificate.
+# bridge_capath defines a directory that will be searched for files containing
+# the CA certificates. For bridge_capath to work correctly, the certificate
+# files must have ".crt" as the file ending and you must run "openssl rehash
+# " each time you add/remove a certificate.
+#bridge_cafile
+#bridge_capath
+
+
+# If the remote broker has more than one protocol available on its port, e.g.
+# MQTT and WebSockets, then use bridge_alpn to configure which protocol is
+# requested. Note that WebSockets support for bridges is not yet available.
+#bridge_alpn
+
+# When using certificate based encryption, bridge_insecure disables
+# verification of the server hostname in the server certificate. This can be
+# useful when testing initial server configurations, but makes it possible for
+# a malicious third party to impersonate your server through DNS spoofing, for
+# example. Use this option in testing only. If you need to resort to using this
+# option in a production environment, your setup is at fault and there is no
+# point using encryption.
+#bridge_insecure false
+
+# Path to the PEM encoded client certificate, if required by the remote broker.
+#bridge_certfile
+
+# Path to the PEM encoded client private key, if required by the remote broker.
+#bridge_keyfile
+
+# -----------------------------------------------------------------
+# PSK based SSL/TLS support
+# -----------------------------------------------------------------
+# Pre-shared-key encryption provides an alternative to certificate based
+# encryption. A bridge can be configured to use PSK with the bridge_identity
+# and bridge_psk options. These are the client PSK identity, and pre-shared-key
+# in hexadecimal format with no "0x". Only one of certificate and PSK based
+# encryption can be used on one
+# bridge at once.
+#bridge_identity
+#bridge_psk
+
+
+# =================================================================
+# External config files
+# =================================================================
+
+# External configuration files may be included by using the
+# include_dir option. This defines a directory that will be searched
+# for config files. All files that end in '.conf' will be loaded as
+# a configuration file. It is best to have this as the last option
+# in the main file. This option will only be processed from the main
+# configuration file. The directory specified must not contain the
+# main configuration file.
+# Files within include_dir will be loaded sorted in case-sensitive
+# alphabetical order, with capital letters ordered first. If this option is
+# given multiple times, all of the files from the first instance will be
+# processed before the next instance. See the man page for examples.
+#include_dir
+
+listener 8883 10.0.0.10
+tls_keyform pem
+keyfile /opt/etc/mosquitto/certs/key.pem
+certfile /opt/etc/mosquitto/certs/cert.pem
+log_type all
+allow_anonymous true
+connection_messages true
+
diff --git a/demos/2024-04-23-cheritech/morello/usr/local/etc/ntpd.conf b/demos/2024-04-23-cheritech/morello/usr/local/etc/ntpd.conf
new file mode 100644
index 0000000..84b4177
--- /dev/null
+++ b/demos/2024-04-23-cheritech/morello/usr/local/etc/ntpd.conf
@@ -0,0 +1,13 @@
+# $OpenBSD: ntpd.conf,v 1.16 2019/11/06 19:04:12 deraadt Exp $
+#
+# See ntpd.conf(5) and /etc/examples/ntpd.conf
+
+servers pool.ntp.org
+server time.cloudflare.com
+sensor *
+
+listen on 10.0.0.10
+
+constraint from "9.9.9.9" # quad9 v4 without DNS
+constraint from "2620:fe::fe" # quad9 v6 without DNS
+constraints from "www.google.com" # intentionally not 8.8.8.8
diff --git a/demos/2024-04-23-cheritech/morello/usr/local64/etc/dhcpd.conf b/demos/2024-04-23-cheritech/morello/usr/local64/etc/dhcpd.conf
new file mode 100644
index 0000000..39cffce
--- /dev/null
+++ b/demos/2024-04-23-cheritech/morello/usr/local64/etc/dhcpd.conf
@@ -0,0 +1,22 @@
+# dhcpd.conf
+#
+# Sample configuration file for ISC dhcpd
+#
+
+default-lease-time 600;
+max-lease-time 6000;
+
+# If this DHCP server is the official DHCP server for the local
+# network, the authoritative directive should be uncommented.
+authoritative;
+
+# Use this to send dhcp log messages to a different log file (you also
+# have to hack syslog.conf to complete the redirection).
+log-facility local7;
+
+subnet 10.0.0.0 netmask 255.0.0.0 {
+ range 10.0.0.1 10.0.0.8;
+ option domain-name-servers 10.0.0.10;
+ allow-unknown-clients;
+}
+
diff --git a/demos/2024-04-23-cheritech/morello/usr/local64/etc/namedb/db.cheriot.demo b/demos/2024-04-23-cheritech/morello/usr/local64/etc/namedb/db.cheriot.demo
new file mode 100644
index 0000000..3298085
--- /dev/null
+++ b/demos/2024-04-23-cheritech/morello/usr/local64/etc/namedb/db.cheriot.demo
@@ -0,0 +1,10 @@
+@ IN SOA cheriot.demo. root.cheriot.demo. (
+ 2 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS ns.cheriot.demo.
+@ IN A 10.0.0.10
+ns IN A 10.0.0.10
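Review bot: `servers pool.ntp.org` on line 5 of ntpd.conf is undercut by this same commit's db.pool.ntp.org, which makes the local named authoritative for pool.ntp.org with a single A record of 10.0.0.10; if the host itself resolves through that named (its resolver configuration is not in the commit, so this is a guess) ntpd would be handed its own address and only `server time.cloudflare.com` would remain as a real upstream. The override is clearly meant for the demo clients, so say so next to the directive, e.g. `# pool.ntp.org is served locally (db.pool.ntp.org) for the demo clients; the host must resolve it via an external resolver, not 10.0.0.10`. The `constraint` lines would presumably bound how far a self-referential sync could pull the clock, but they do not remove the loop.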
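Review bot: The subnet block at the end of dhcpd.conf hands out `option domain-name-servers 10.0.0.10` but no `option routers`, so leased devices get no default gateway and can reach only what lives on the segment, which this commit makes the host's own DNS, NTP and MQTT at 10.0.0.10. That looks intentional for an isolated demo network, but it should be written down so nobody "fixes" it later: `# No routers option on purpose: demo devices are confined to this segment and only talk to the host at 10.0.0.10`. The /8 netmask paired with an eight-address range and `authoritative;` plus `allow-unknown-clients;` also deserves a one-line comment, since it means this server will lease to any device that appears on the interface.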
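Review bot: db.cheriot.demo has no `$TTL` directive and none of its records carries an explicit TTL, so BIND falls back to the SOA minimum (604800) and logs a warning to that effect when the zone loads; add `$TTL 604800` as the first line so the intent is explicit and the load is clean. db.pool.ntp.org, added later in this commit, has the same omission and should get the same line.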
diff --git a/demos/2024-04-23-cheritech/morello/usr/local64/etc/namedb/db.pool.ntp.org b/demos/2024-04-23-cheritech/morello/usr/local64/etc/namedb/db.pool.ntp.org
new file mode 100644
index 0000000..d197174
--- /dev/null
+++ b/demos/2024-04-23-cheritech/morello/usr/local64/etc/namedb/db.pool.ntp.org
@@ -0,0 +1,11 @@
+@ IN SOA pool.ntp.org. root.pool.ntp.org. (
+ 2 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+@ IN NS ns.pool.ntp.org.
+@ IN A 10.0.0.10
+ns IN A 10.0.0.10
+
diff --git a/demos/2024-04-23-cheritech/morello/usr/local64/etc/namedb/named.conf b/demos/2024-04-23-cheritech/morello/usr/local64/etc/namedb/named.conf
new file mode 100644
index 0000000..93d45a2
--- /dev/null
+++ b/demos/2024-04-23-cheritech/morello/usr/local64/etc/namedb/named.conf
@@ -0,0 +1,389 @@
+// Refer to the named.conf(5) and named(8) man pages, and the documentation
+// in /usr/local/share/doc/bind for more details.
+//
+// If you are going to set up an authoritative server, make sure you
+// understand the hairy details of how DNS works. Even with
+// simple mistakes, you can break connectivity for affected parties,
+// or cause huge amounts of useless Internet traffic.
+
+options {
+ // All file and path names are relative to the chroot directory,
+ // if any, and should be fully qualified.
+ directory "/usr/local64/etc/namedb/working";
+ pid-file "/var/run/named/pid";
+ dump-file "/var/dump/named_dump.db";
+ statistics-file "/var/stats/named.stats";
+
+// If named is being used only as a local resolver, this is a safe default.
+// For named to be accessible to the network, comment this option, specify
+// the proper IP address, or delete this option.
+ listen-on { 10.0.0.10; };
+
+// If you have IPv6 enabled on this system, uncomment this option for
+// use as a local resolver. To give access to the network, specify
+// an IPv6 address, or the keyword "any".
+// listen-on-v6 { ::1; };
+
+// These zones are already covered by the empty zones listed below.
+// If you remove the related empty zones below, comment these lines out.
+ disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
+ disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
+ disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
+
+// If you've got a DNS server around at your upstream provider, enter
+// its IP address here, and enable the line below. This will make you
+// benefit from its cache, thus reduce overall DNS traffic in the Internet.
+/* + forwarders { + 127.0.0.1; + }; +*/ + +// If the 'forwarders' clause is not empty the default is to 'forward first' +// which will fall back to sending a query from your local server if the name +// servers in 'forwarders' do not have the answer. Alternatively you can +// force your name server to never initiate queries of its own by enabling the +// following line: +// forward only; + +// If you wish to have forwarding configured automatically based on +// the entries in /etc/resolv.conf, uncomment the following line and +// set named_auto_forward=yes in /etc/rc.conf. You can also enable +// named_auto_forward_only (the effect of which is described above). +// include "/usr/local64/etc/namedb/auto_forward.conf"; + + /* + Modern versions of BIND use a random UDP port for each outgoing + query by default in order to dramatically reduce the possibility + of cache poisoning. All users are strongly encouraged to utilize + this feature, and to configure their firewalls to accommodate it. + + AS A LAST RESORT in order to get around a restrictive firewall + policy you can try enabling the option below. Use of this option + will significantly reduce your ability to withstand cache poisoning + attacks, and should be avoided if at all possible. + + Replace NNNNN in the example with a number between 49160 and 65530. + */ + // query-source address * port NNNNN; +}; + +// If you enable a local name server, don't forget to enter 127.0.0.1 +// first in your /etc/resolv.conf so this server will be queried. +// Also, make sure to enable it in /etc/rc.conf. + +// The traditional root hints mechanism. Use this, OR the secondary zones below. +//zone "." { type hint; file "/usr/local64/etc/namedb/named.root"; }; + +/* Slaving the following zones from the root name servers has some + significant advantages: + 1. Faster local resolution for your users + 2. No spurious traffic will be sent from your network to the roots + 3. 
Greater resilience to any potential root server failure/DDoS + + On the other hand, this method requires more monitoring than the + hints file to be sure that an unexpected failure mode has not + incapacitated your server. Name servers that are serving a lot + of clients will benefit more from this approach than individual + hosts. Use with caution. + + To use this mechanism, uncomment the entries below, and comment + the hint zone above. + + As documented at http://dns.icann.org/services/axfr/ these zones: + "." (the root), ARPA, IN-ADDR.ARPA, IP6.ARPA, and a few others + are available for AXFR from these servers on IPv4 and IPv6: + xfr.lax.dns.icann.org, xfr.cjr.dns.icann.org +*/ +/* +zone "." { + type secondary; + file "/usr/local64/etc/namedb/secondary/root.secondary"; + primaries { + 192.0.32.132; // lax.xfr.dns.icann.org + 2620:0:2d0:202::132; // lax.xfr.dns.icann.org + 192.0.47.132; // iad.xfr.dns.icann.org + 2620:0:2830:202::132; // iad.xfr.dns.icann.org + }; + notify no; +}; +zone "arpa" { + type secondary; + file "/usr/local64/etc/namedb/secondary/arpa.secondary"; + primaries { + 192.0.32.132; // lax.xfr.dns.icann.org + 2620:0:2d0:202::132; // lax.xfr.dns.icann.org + 192.0.47.132; // iad.xfr.dns.icann.org + 2620:0:2830:202::132; // iad.xfr.dns.icann.org + }; + notify no; +}; +zone "in-addr.arpa" { + type secondary; + file "/usr/local64/etc/namedb/secondary/in-addr.arpa.secondary"; + primaries { + 192.0.32.132; // lax.xfr.dns.icann.org + 2620:0:2d0:202::132; // lax.xfr.dns.icann.org + 192.0.47.132; // iad.xfr.dns.icann.org + 2620:0:2830:202::132; // iad.xfr.dns.icann.org + }; + notify no; +}; +zone "ip6.arpa" { + type secondary; + file "/usr/local64/etc/namedb/secondary/ip6.arpa.secondary"; + primaries { + 192.0.32.132; // lax.xfr.dns.icann.org + 2620:0:2d0:202::132; // lax.xfr.dns.icann.org + 192.0.47.132; // iad.xfr.dns.icann.org + 2620:0:2830:202::132; // iad.xfr.dns.icann.org + }; + notify no; +}; +*/ + +/* Serving the following zones locally will 
prevent any queries + for these zones leaving your network and going to the root + name servers. This has two significant advantages: + 1. Faster local resolution for your users + 2. No spurious traffic will be sent from your network to the roots +*/ +// RFCs 1912, 5735 and 6303 (and BCP 32 for localhost) +zone "localhost" { type primary; file "/usr/local64/etc/namedb/primary/localhost-forward.db"; }; +zone "127.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/localhost-reverse.db"; }; +zone "255.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; + +// RFC 1912-style zone for IPv6 localhost address (RFC 6303) +zone "0.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/localhost-reverse.db"; }; + +// "This" Network (RFCs 1912, 5735 and 6303) +zone "0.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; + +// Private Use Networks (RFCs 1918, 5735 and 6303) +zone "10.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "16.172.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "17.172.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "18.172.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "19.172.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "20.172.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "21.172.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "22.172.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "23.172.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "24.172.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "25.172.in-addr.arpa" { type primary; file 
"/usr/local64/etc/namedb/primary/empty.db"; }; +zone "26.172.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "27.172.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "28.172.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "29.172.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "30.172.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "31.172.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "168.192.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; + +// Shared Address Space (RFC 6598) +zone "64.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "65.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "66.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "67.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "68.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "69.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "70.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "71.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "72.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "73.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "74.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "75.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "76.100.in-addr.arpa" { type primary; file 
"/usr/local64/etc/namedb/primary/empty.db"; }; +zone "77.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "78.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "79.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "80.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "81.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "82.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "83.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "84.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "85.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "86.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "87.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "88.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "89.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "90.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "91.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "92.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "93.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "94.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "95.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "96.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "97.100.in-addr.arpa" { 
type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "98.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "99.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "100.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "101.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "102.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "103.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "104.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "105.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "106.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "107.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "108.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "109.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "110.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "111.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "112.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "113.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "114.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "115.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "116.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "117.100.in-addr.arpa" { type primary; file 
"/usr/local64/etc/namedb/primary/empty.db"; }; +zone "118.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "119.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "120.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "121.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "122.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "123.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "124.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "125.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "126.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "127.100.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; + +// Link-local/APIPA (RFCs 3927, 5735 and 6303) +zone "254.169.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; + +// IETF protocol assignments (RFCs 5735 and 5736) +zone "0.0.192.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; + +// TEST-NET-[1-3] for Documentation (RFCs 5735, 5737 and 6303) +zone "2.0.192.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "100.51.198.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "113.0.203.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; + +// IPv6 Example Range for Documentation (RFCs 3849 and 6303) +zone "8.b.d.0.1.0.0.2.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; + +// Router Benchmark Testing (RFCs 2544 and 5735) +zone "18.198.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone 
"19.198.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; + +// IANA Reserved - Old Class E Space (RFC 5735) +zone "240.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "241.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "242.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "243.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "244.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "245.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "246.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "247.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "248.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "249.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "250.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "251.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "252.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "253.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "254.in-addr.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; + +// IPv6 Unassigned Addresses (RFC 4291) +zone "1.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "3.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "4.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "5.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "6.ip6.arpa" { type primary; file 
"/usr/local64/etc/namedb/primary/empty.db"; }; +zone "7.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "8.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "9.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "a.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "b.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "c.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "d.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "e.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "0.f.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "1.f.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "2.f.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "3.f.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "4.f.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "5.f.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "6.f.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "7.f.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "8.f.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "9.f.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "a.f.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "b.f.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "0.e.f.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "1.e.f.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone 
"2.e.f.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "3.e.f.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "4.e.f.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "5.e.f.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "6.e.f.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "7.e.f.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; + +// IPv6 ULA (RFCs 4193 and 6303) +zone "c.f.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "d.f.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; + +// IPv6 Link Local (RFCs 4291 and 6303) +zone "8.e.f.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "9.e.f.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "a.e.f.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "b.e.f.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; + +// IPv6 Deprecated Site-Local Addresses (RFCs 3879 and 6303) +zone "c.e.f.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "d.e.f.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "e.e.f.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; +zone "f.e.f.ip6.arpa" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; + +// IP6.INT is Deprecated (RFC 4159) +zone "ip6.int" { type primary; file "/usr/local64/etc/namedb/primary/empty.db"; }; + +// NB: Do not use the IP addresses below, they are faked, and only +// serve demonstration/documentation purposes! +// +// Example secondary zone config entries. It can be convenient to become +// a secondary at least for the zone your own domain is in. 
Ask +// your network administrator for the IP address of the responsible +// primary name server. +// +// Do not forget to include the reverse lookup zone! +// This is named after the first bytes of the IP address, in reverse +// order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6. +// +// Before starting to set up a primary zone, make sure you fully +// understand how DNS and BIND work. There are sometimes +// non-obvious pitfalls. Setting up a secondary zone is usually simpler. +// +// NB: Don't blindly enable the examples below. :-) Use actual names +// and addresses instead. + +/* An example dynamic zone +key "exampleorgkey" { + algorithm hmac-md5; + secret "sf87HJqjkqh8ac87a02lla=="; +}; +zone "example.org" { + type primary; + allow-update { + key "exampleorgkey"; + }; + file "/usr/local64/etc/namedb/dynamic/example.org"; +}; +*/ + +/* Example of a secondary reverse zone +zone "1.168.192.in-addr.arpa" { + type secondary; + file "/usr/local64/etc/namedb/secondary/1.168.192.in-addr.arpa"; + primaries { + 192.168.1.1; + }; +}; +*/ + +zone "cheriot.demo" { + type master; + file "/usr/local64/etc/namedb/db.cheriot.demo"; +}; + +zone "pool.ntp.org" { + type master; + file "/usr/local64/etc/namedb/db.pool.ntp.org"; +}; +
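Review bot: The two zones added at the end of the file, `cheriot.demo` and `pool.ntp.org`, use `type master;` while every other zone in this file uses `type primary;`; `master` is the deprecated spelling of the same thing, so change both to `type primary;` for consistency. Separately, `listen-on { 10.0.0.10; };` in the options block only selects the interface and leaves recursion at BIND's default of localnets plus localhost; if that interface carries the /8 that dhcpd.conf serves, the demo segment is already covered, but an explicit `allow-recursion { 10.0.0.0/8; };` beside `listen-on` pins the boundary instead of making it depend on the interface mask. A comment on the pool.ntp.org zone saying it deliberately shadows the public name for demo clients would also help, since the surrounding boilerplate says the opposite about faked names. The hunk covers the whole new file.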