42 files changed, 3529 insertions, 0 deletions

diff --git a/src/cli/gns/.gitignore b/src/cli/gns/.gitignore
new file mode 100644
index 000000000..23bd1d13b
--- /dev/null
+++ b/src/cli/gns/.gitignore
@@ -0,0 +1,2 @@
+gnunet-gns
+gnunet-gns-proxy-setup-ca
diff --git a/src/cli/gns/Makefile.am b/src/cli/gns/Makefile.am
new file mode 100644
index 000000000..ae167bca5
--- /dev/null
+++ b/src/cli/gns/Makefile.am
@@ -0,0 +1,108 @@
+# This Makefile.am is in the public domain
+AM_CPPFLAGS = -I$(top_srcdir)/src/include
+
+pkgdata_DATA = \
+  gnunet-gns-proxy-ca.template
+
+if USE_COVERAGE
+  AM_CFLAGS = --coverage -O0
+endif
+
+if HAVE_LIBIDN
+  LIBIDN= -lidn
+else
+  LIBIDN=
+endif
+
+if HAVE_LIBIDN2
+  LIBIDN2= -lidn2
+else
+  LIBIDN2=
+endif
+
+pkgcfgdir = $(pkgdatadir)/config.d/
+
+libexecdir= $(pkglibdir)/libexec/
+
+plugindir = $(libdir)/gnunet
+
+bin_PROGRAMS = \
+  gnunet-gns
+
+bin_SCRIPTS = \
+  gnunet-gns-proxy-setup-ca
+
+gnunet-gns-proxy-setup-ca: gnunet-gns-proxy-setup-ca.in Makefile
+        $(AWK) -v bdir="$(bindir)" -v py="$(PYTHON)" -v awkay="$(AWK_BINARY)" -v pfx="$(prefix)" -v prl="$(PERL)" -v sysconfdirectory="$(sysconfdir)" -v pkgdatadirectory="$(pkgdatadir)" -f $(top_srcdir)/scripts/dosubst.awk < $(srcdir)/gnunet-gns-proxy-setup-ca.in > gnunet-gns-proxy-setup-ca
+        @chmod +x gnunet-gns-proxy-setup-ca
+
+test_gnunet_gns.sh: test_gnunet_gns.sh.in Makefile
+        $(AWK) -v bdir="$(bindir)" -v py="$(PYTHON)" -v awkay="$(AWK_BINARY)" -v pfx="$(prefix)" -v prl="$(PERL)" -v sysconfdirectory="$(sysconfdir)" -v pkgdatadirectory="$(pkgdatadir)" -f $(top_srcdir)/scripts/dosubst.awk < $(srcdir)/test_gnunet_gns.sh.in > test_gnunet_gns.sh
+        @chmod +x test_gnunet_gns.sh
+
+CLEANFILES = test_gnunet_gns.sh
+
+gnunet_gns_SOURCES = \
+ gnunet-gns.c
+gnunet_gns_LDADD = \
+  $(top_builddir)/src/service/gns/libgnunetgns.la \
+  $(top_builddir)/src/lib/gnsrecord/libgnunetgnsrecord.la \
+  $(top_builddir)/src/service/identity/libgnunetidentity.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(LIBIDN) $(LIBIDN2) \
+  $(GN_LIBINTL)
+
+check_SCRIPTS = \
+   test_gns_lookup.sh \
+   test_gns_config_lookup.sh \
+   test_gns_ipv6_lookup.sh\
+   test_gns_txt_lookup.sh\
+   test_gns_caa_lookup.sh\
+   test_gns_mx_lookup.sh \
+   test_gns_gns2dns_lookup.sh \
+   test_gns_gns2dns_zkey_lookup.sh \
+   test_gns_gns2dns_cname_lookup.sh \
+   test_gns_dht_lookup.sh\
+   test_gns_delegated_lookup.sh \
+   test_gns_at_lookup.sh\
+   test_gns_zkey_lookup.sh\
+   test_gns_rel_expiration.sh\
+   test_gns_soa_lookup.sh\
+   test_gns_revocation.sh\
+   test_gns_redirect_lookup.sh
+
+EXTRA_DIST = \
+  test_gns_defaults.conf \
+  test_gns_lookup.conf \
+  test_gns_simple_lookup.conf \
+  openssl.cnf \
+  gnunet-gns-proxy-setup-ca.in \
+  zonefiles/J7POEUT41A8PBFS7KVVDRF88GBOU4HK8PSU5QKVLVE3R9T91E99G.zkey \
+  zonefiles/OEFL7A4VEF1B40QLEMTG5D8G1CN6EN16QUSG5R2DT71GRJN34LSG.zkey \
+  zonefiles/test_zonekey \
+  test_gns_lookup.sh \
+  test_gns_config_lookup.sh \
+  test_gns_ipv6_lookup.sh\
+  test_gns_txt_lookup.sh\
+  test_gns_caa_lookup.sh\
+  test_gns_mx_lookup.sh \
+  test_gns_gns2dns_lookup.sh \
+  test_gns_gns2dns_zkey_lookup.sh \
+  test_gns_gns2dns_cname_lookup.sh \
+  test_gns_dht_lookup.sh\
+  test_gns_delegated_lookup.sh \
+  test_gns_at_lookup.sh\
+  test_gns_zkey_lookup.sh\
+  test_gns_rel_expiration.sh\
+  test_gns_soa_lookup.sh\
+  test_gns_revocation.sh\
+  test_gns_redirect_lookup.sh\
+        $(pkgdata_DATA) \
+  test_gnunet_gns.sh.in
+
+if ENABLE_TEST_RUN
+if HAVE_SQLITE
+ AM_TESTS_ENVIRONMENT=export GNUNET_PREFIX=$${GNUNET_PREFIX:-@libdir@};export PATH=$${GNUNET_PREFIX:-@prefix@}/bin:$$PATH;unset XDG_DATA_HOME;unset XDG_CONFIG_HOME;
+ TESTS = $(check_SCRIPTS)
+endif
+endif
diff --git a/src/cli/gns/gnunet-gns-proxy-ca.template b/src/cli/gns/gnunet-gns-proxy-ca.template
new file mode 100644
index 000000000..b1a0d16fd
--- /dev/null
+++ b/src/cli/gns/gnunet-gns-proxy-ca.template
@@ -0,0 +1,303 @@
+# X.509 Certificate options
+#
+# DN options
+
+# The organization of the subject.
+organization = "GNU"
+
+# The organizational unit of the subject.
+unit = "GNUnet"
+
+# The locality of the subject.
+locality = World
+
+# The state of the certificate owner.
+# state = "Attiki"
+
+# The country of the subject. Two letter code.
+country = ZZ
+
+# The common name of the certificate owner.
+cn = "GNS Proxy CA"
+
+# A user id of the certificate owner.
+#uid = "clauper"
+
+# Set domain components
+#dc = "name"
+#dc = "domain"
+
+# If the supported DN OIDs are not adequate you can set
+# any OID here.
+# For example set the X.520 Title and the X.520 Pseudonym
+# by using OID and string pairs.
+#dn_oid = "2.5.4.12 Dr."
+#dn_oid = "2.5.4.65 jackal"
+
+# This is deprecated and should not be used in new
+# certificates.
+# pkcs9_email = "none@none.org"
+
+# An alternative way to set the certificate's distinguished name directly
+# is with the "dn" option. The attribute names allowed are:
+# C (country), street, O (organization), OU (unit), title, CN (common name),
+# L (locality), ST (state), placeOfBirth, gender, countryOfCitizenship,
+# countryOfResidence, serialNumber, telephoneNumber, surName, initials,
+# generationQualifier, givenName, pseudonym, dnQualifier, postalCode, name,
+# businessCategory, DC, UID, jurisdictionOfIncorporationLocalityName,
+# jurisdictionOfIncorporationStateOrProvinceName,
+# jurisdictionOfIncorporationCountryName, XmppAddr, and numeric OIDs.
+
+#dn = "cn = Nikos,st = New\, Something,C=GR,surName=Mavrogiannopoulos,2.5.4.9=Arkadias"
+
+# The serial number of the certificate
+# The value is in decimal (e.g. 1963) or hex (e.g. 0x07ab).
+# Comment the field for a random serial number.
+#serial = 007
+
+# In how many days, counting from today, this certificate will expire.
+# Use -1 if there is no expiration date.
+expiration_days = 3650
+
+# Alternatively you may set concrete dates and time. The GNU date string
+# formats are accepted. See:
+# https://www.gnu.org/software/tar/manual/html_node/Date-input-formats.html
+
+#activation_date = "2004-02-29 16:21:42"
+#expiration_date = "2025-02-29 16:24:41"
+
+# X.509 v3 extensions
+
+# A dnsname in case of a WWW server.
+#dns_name = "www.none.org"
+#dns_name = "www.morethanone.org"
+
+# An othername defined by an OID and a hex encoded string
+#other_name = "1.3.6.1.5.2.2 302ca00d1b0b56414e5245494e2e4f5247a11b3019a006020400000002a10f300d1b047269636b1b0561646d696e"
+#other_name_utf8 = "1.2.4.5.6 A UTF8 string"
+#other_name_octet = "1.2.4.5.6 A string that will be encoded as ASN.1 octet string"
+
+# Allows writing an XmppAddr Identifier
+#xmpp_name = juliet@im.example.com
+
+# Names used in PKINIT
+#krb5_principal = user@REALM.COM
+#krb5_principal = HTTP/user@REALM.COM
+
+# A subject alternative name URI
+#uri = "https://www.example.com"
+
+# An IP address in case of a server.
+#ip_address = "192.168.1.1"
+
+# An email in case of a person
+email = "bounce@gnunet.org"
+
+# TLS feature (rfc7633) extension. That can is used to indicate mandatory TLS
+# extension features to be provided by the server. In practice this is used
+# to require the Status Request (extid: 5) extension from the server. That is,
+# to require the server holding this certificate to provide a stapled OCSP response.
+# You can have multiple lines for multiple TLS features.
+
+# To ask for OCSP status request use:
+#tls_feature = 5
+
+# Challenge password used in certificate requests
+challenge_password = 123456
+
+# Password when encrypting a private key
+#password = secret
+
+# An URL that has CRLs (certificate revocation lists)
+# available. Needed in CA certificates.
+#crl_dist_points = "https://www.getcrl.crl/getcrl/"
+
+# Whether this is a CA certificate or not
+ca
+
+# Subject Unique ID (in hex)
+#subject_unique_id = 00153224
+
+# Issuer Unique ID (in hex)
+#issuer_unique_id = 00153225
+
+#### Key usage
+
+# The following key usage flags are used by CAs and end certificates
+
+# Whether this certificate will be used to sign data (needed
+# in TLS DHE ciphersuites). This is the digitalSignature flag
+# in RFC5280 terminology.
+signing_key
+
+# Whether this certificate will be used to encrypt data (needed
+# in TLS RSA ciphersuites). Note that it is preferred to use different
+# keys for encryption and signing. This is the keyEncipherment flag
+# in RFC5280 terminology.
+encryption_key
+
+# Whether this key will be used to sign other certificates. The
+# keyCertSign flag in RFC5280 terminology.
+cert_signing_key
+
+# Whether this key will be used to sign CRLs. The
+# cRLSign flag in RFC5280 terminology.
+#crl_signing_key
+
+# The keyAgreement flag of RFC5280. It's purpose is loosely
+# defined. Not use it unless required by a protocol.
+#key_agreement
+
+# The dataEncipherment flag of RFC5280. It's purpose is loosely
+# defined. Not use it unless required by a protocol.
+#data_encipherment
+
+# The nonRepudiation flag of RFC5280. It's purpose is loosely
+# defined. Not use it unless required by a protocol.
+#non_repudiation
+
+#### Extended key usage (key purposes)
+
+# The following extensions are used in an end certificate
+# to clarify its purpose. Some CAs also use it to indicate
+# the types of certificates they are purposed to sign.
+
+
+# Whether this certificate will be used for a TLS client;
+# this sets the id-kp-clientAuth (1.3.6.1.5.5.7.3.2) of
+# extended key usage.
+#tls_www_client
+
+# Whether this certificate will be used for a TLS server;
+# this sets the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) of
+# extended key usage.
+tls_www_server
+
+# Whether this key will be used to sign code. This sets the
+# id-kp-codeSigning (1.3.6.1.5.5.7.3.3) of extended key usage
+# extension.
+#code_signing_key
+
+# Whether this key will be used to sign OCSP data. This sets the
+# id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9) of extended key usage extension.
+#ocsp_signing_key
+
+# Whether this key will be used for time stamping. This sets the
+# id-kp-timeStamping (1.3.6.1.5.5.7.3.8) of extended key usage extension.
+#time_stamping_key
+
+# Whether this key will be used for email protection. This sets the
+# id-kp-emailProtection (1.3.6.1.5.5.7.3.4) of extended key usage extension.
+#email_protection_key
+
+# Whether this key will be used for IPsec IKE operations (1.3.6.1.5.5.7.3.17).
+#ipsec_ike_key
+
+## adding custom key purpose OIDs
+
+# for microsoft smart card logon
+# key_purpose_oid = 1.3.6.1.4.1.311.20.2.2
+
+# for email protection
+# key_purpose_oid = 1.3.6.1.5.5.7.3.4
+
+# for any purpose (must not be used in intermediate CA certificates)
+# key_purpose_oid = 2.5.29.37.0
+
+### end of key purpose OIDs
+
+### Adding arbitrary extensions
+# This requires to provide the extension OIDs, as well as the extension data in
+# hex format. The following two options are available since GnuTLS 3.5.3.
+#add_extension = "1.2.3.4 0x0AAB01ACFE"
+
+# As above but encode the data as an octet string
+#add_extension = "1.2.3.4 octet_string(0x0AAB01ACFE)"
+
+# For portability critical extensions shouldn't be set to certificates.
+#add_critical_extension = "5.6.7.8 0x1AAB01ACFE"
+
+# When generating a certificate from a certificate
+# request, then honor the extensions stored in the request
+# and store them in the real certificate.
+#honor_crq_extensions
+
+# Alternatively only specific extensions can be copied.
+#honor_crq_ext = 2.5.29.17
+#honor_crq_ext = 2.5.29.15
+
+# Path length constraint. Sets the maximum number of
+# certificates that can be used to certify this certificate.
+# (i.e. the certificate chain length)
+#path_len = -1
+#path_len = 2
+
+# OCSP URI
+# ocsp_uri = https://my.ocsp.server/ocsp
+
+# CA issuers URI
+# ca_issuers_uri = https://my.ca.issuer
+
+# Certificate policies
+#policy1 = 1.3.6.1.4.1.5484.1.10.99.1.0
+#policy1_txt = "This is a long policy to summarize"
+#policy1_url = https://www.example.com/a-policy-to-read
+
+#policy2 = 1.3.6.1.4.1.5484.1.10.99.1.1
+#policy2_txt = "This is a short policy"
+#policy2_url = https://www.example.com/another-policy-to-read
+
+# The number of additional certificates that may appear in a
+# path before the anyPolicy is no longer acceptable.
+#inhibit_anypolicy_skip_certs 1
+
+# Name constraints
+
+# DNS
+#nc_permit_dns = example.com
+#nc_exclude_dns = test.example.com
+
+# EMAIL
+#nc_permit_email = "nmav@ex.net"
+
+# Exclude subdomains of example.com
+#nc_exclude_email = .example.com
+
+# Exclude all e-mail addresses of example.com
+#nc_exclude_email = example.com
+
+# IP
+#nc_permit_ip = 192.168.0.0/16
+#nc_exclude_ip = 192.168.5.0/24
+#nc_permit_ip = fc0a:eef2:e7e7:a56e::/64
+
+
+# Options for proxy certificates
+#proxy_policy_language = 1.3.6.1.5.5.7.21.1
+
+
+# Options for generating a CRL
+
+# The number of days the next CRL update will be due.
+# next CRL update will be in 43 days
+#crl_next_update = 43
+
+# this is the 5th CRL by this CA
+# The value is in decimal (e.g. 1963) or hex (e.g. 0x07ab).
+# Comment the field for a time-based number.
+# Time-based CRL numbers generated in GnuTLS 3.6.3 and later
+# are significantly larger than those generated in previous
+# versions. Since CRL numbers need to be monotonic, you need
+# to specify the CRL number here manually if you intend to
+# downgrade to an earlier version than 3.6.3 after publishing
+# the CRL as it is not possible to specify CRL numbers greater
+# than 2**63-2 using hex notation in those versions.
+#crl_number = 5
+
+# Specify the update dates more precisely.
+#crl_this_update_date = "2004-02-29 16:21:42"
+#crl_next_update_date = "2025-02-29 16:24:41"
+
+# The date that the certificates will be made seen as
+# being revoked.
+#crl_revocation_date = "2025-02-29 16:24:41"
diff --git a/src/cli/gns/gnunet-gns-proxy-setup-ca.in b/src/cli/gns/gnunet-gns-proxy-setup-ca.in
new file mode 100644
index 000000000..b3ebfd11d
--- /dev/null
+++ b/src/cli/gns/gnunet-gns-proxy-setup-ca.in
@@ -0,0 +1,339 @@
+#!/bin/sh
+#
+# This shell script will generate an X509 certificate for
+# your gnunet-gns-proxy and install it (for both GNUnet
+# and your browser).
+#
+# TODO: Implement support for more browsers
+# TODO: Debug and switch to the new version
+# TODO  - The only remaining task is fixing the getopts
+# TODO: Error checks
+#
+# The current version partially reuses and recycles
+# code from build.sh by NetBSD (although not entirely
+# used because it needs debugging):
+#
+# Copyright (c) 2001-2011 The NetBSD Foundation, Inc.
+# All rights reserved.
+#
+# This code is derived from software contributed to
+# The NetBSD Foundation by Todd Vierling and Luke Mewburn.
+#
+# Redistribution and use in source and binary forms, with or
+# without modification, are permitted provided that the following
+# conditions are met:
+# 1. Redistributions of source code must retain the above
+#    copyright notice, this list of conditions and the following
+#    disclaimer.
+# 2. Redistributions in binary form must reproduce the above
+#    copyright notice, this list of conditions and the following
+#    disclaimer in the documentation and/or other materials
+#    provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND
+# CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED.
+# IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS BE LIABLE FOR
+# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
+# OF SUCH DAMAGE.
+
+dir=$(dirname "$0")
+
+progname=${0##*/}
+
+existence() {
+  command -v "$1" >/dev/null 2>&1
+}
+
+statusmsg()
+{
+    ${runcmd} echo "${tab}$@" | tee -a "${results}"
+}
+
+infomsg()
+{
+    if [ x$verbosity = x1 ]; then
+        statusmsg "INFO:${tab}$@"
+    fi
+}
+
+warningmsg()
+{
+    statusmsg "WARNING:${tab}$@"
+}
+
+errormsg()
+{
+    statusmsg "ERROR:${tab}$@"
+}
+
+linemsg()
+{
+    statusmsg "========================================="
+}
+
+
+print_version()
+{
+    GNUNET_ARM_VERSION=`gnunet-arm -v | awk '{print $2 " " $3}'`
+    echo ${progname} $GNUNET_ARM_VERSION
+}
+
+# Whitespace normalization without depending on shell features:
+tab='   '
+tab2='   '
+nl='
+'
+
+setdefaults()
+{
+    verbosity=0
+    resfile=
+    results=/dev/null
+    tmpdir=${TMPDIR:-/tmp}
+    runcmd=
+}
+
+usage()
+{
+    if [ -n "$*" ]; then
+        echo "${nl}${progname}: $*"
+    fi
+    cat <<_usage_
+
+Usage: ${progname} [-hvVto] [-c FILE]
+
+Options:
+${tab}-c FILE Use the configuration file FILE.
+${tab}-h${tab2}${tab2}Print this help message.
+${tab}-o${tab2}${tab2}Display summary of statusmessages
+${tab}-t${tab2}${tab2}Short developer test on binaries
+${tab}-v${tab2}${tab2}Print the version and exit.
+${tab}-V${tab2}${tab2}be verbose
+
+_usage_
+        exit 1
+}
+
+
+generate_ca()
+{
+    echo ""
+    infomsg "Generating CA"
+    TMPDIR=${TMPDIR:-/tmp}
+    if test -e "$TMPDIR"; then
+        GNSCERT=`mktemp -t cert.pem.XXXXXXXX` || exit 1
+        GNSCAKY=`mktemp -t caky.pem.XXXXXXXX` || exit 1
+        GNSCANO=`mktemp -t cano.pem.XXXXXXXX` || exit 1
+    else
+        # This warning is mostly pointless.
+        warningmsg "You need to export the TMPDIR variable"
+    fi
+
+    # # ------------- gnutls
+    #
+    # if ! which certutil > /dev/null
+    # then
+    #     warningmsg "The 'certutil' command was not found."
+    #     warningmsg "Not importing into browsers."
+    #     warningmsg "For 'certutil' install nss."
+    # else
+    #     # Generate CA key
+    #     # pkcs#8 password-protects key
+    #     certtool --pkcs8 --generate-privkey --sec-param high --outfile ca-key.pem
+    #     # self-sign the CA to create public certificate
+    #     certtool --generate-self-signed --load-privkey ca-key.pem --template ca.cfg --outfile ca.pem
+
+    # ------------- openssl
+
+    GNUTLS_CA_TEMPLATE=@PKGDATADIRECTORY@/gnunet-gns-proxy-ca.template
+    OPENSSLCFG=@PKGDATADIRECTORY@/openssl.cnf
+    CERTTOOL=""
+    OPENSSL=0
+    if test -x $(existence gnunet-certtool)
+    # if test -z "`gnutls-certtool --version`" > /dev/null
+    then
+      # We only support gnutls certtool for now. Treat the grep
+      # for "gnutls" in the output with extra care, it only matches
+      # the email address! It is probably safer to run strings(1)
+      # over certtool for a string matching "gnutls"
+      if test -z "`certtool --version | grep gnutls`" > /dev/null
+      then
+        warningmsg "'gnutls-certtool' or 'certtool' command not found. Trying openssl."
+        # if test -z "`openssl version`" > /dev/null
+        if test -x $(existence openssl)
+        then
+          OPENSSL=1
+        else
+          warningmsg "Install either gnutls certtool or openssl for certificate generation!"
+          statusmsg  "Cleaning up."
+          rm -f $GNSCAKY $GNSCERT
+          exit 1
+        fi
+      fi
+      CERTTOOL="certtool"
+    else
+      CERTTOOL="gnutls-certtool"
+    fi
+    if test -n "${GNUNET_CONFIG_FILE}"; then
+        GNUNET_CONFIG="-c ${GNUNET_CONFIG_FILE}"
+    else
+        GNUNET_CONFIG=""
+    fi
+    GNS_CA_CERT_PEM=`gnunet-config ${GNUNET_CONFIG} -s gns-proxy -o PROXY_CACERT -f ${options}`
+    mkdir -p `dirname $GNS_CA_CERT_PEM`
+
+    if test 1 -eq $OPENSSL
+    then
+        if test 1 -eq $verbosity; then
+            openssl req -config $OPENSSLCFG -new -x509 -days 3650 -extensions v3_ca -keyout $GNSCAKY -out $GNSCERT -subj "/C=ZZ/L=World/O=GNU/OU=GNUnet/CN=GNS Proxy CA/emailAddress=bounce@gnunet.org" -passout pass:"GNU Name System"
+        else
+            openssl req -config $OPENSSLCFG -new -x509 -days 3650 -extensions v3_ca -keyout $GNSCAKY -out $GNSCERT -subj "/C=ZZ/L=World/O=GNU/OU=GNUnet/CN=GNS Proxy CA/emailAddress=bounce@gnunet.org" -passout pass:"GNU Name System" >/dev/null 2>&1
+        fi
+        infomsg "Removing passphrase from key"
+        if test 1 -eq $verbosity; then
+            openssl rsa -passin pass:"GNU Name System" -in $GNSCAKY -out $GNSCANO
+        else
+            openssl rsa -passin pass:"GNU Name System" -in $GNSCAKY -out $GNSCANO >/dev/null 2>&1
+        fi
+      cat $GNSCERT $GNSCANO > $GNS_CA_CERT_PEM
+    else
+        if test 1 -eq $verbosity; then
+            $CERTTOOL --generate-privkey --outfile $GNSCAKY
+            $CERTTOOL --template $GNUTLS_CA_TEMPLATE --generate-self-signed --load-privkey $GNSCAKY --outfile $GNSCERT
+        else
+            $CERTTOOL --generate-privkey --outfile $GNSCAKY >/dev/null 2>&1
+            $CERTTOOL --template $GNUTLS_CA_TEMPLATE --generate-self-signed --load-privkey $GNSCAKY --outfile $GNSCERT >/dev/null 2>&1
+        fi
+      infomsg "Making private key available to gnunet-gns-proxy"
+      cat $GNSCERT $GNSCAKY > $GNS_CA_CERT_PEM
+    fi
+}
+
+importbrowsers()
+{
+    # if test -z "`command -v certutil`" > /dev/null 2>&1
+    if test -x $(existence gnutls-certutil) || test -x $(existence certutil)
+    then
+        statusmsg "Importing CA into browsers"
+        # TODO: Error handling?
+        for f in ~/.mozilla/firefox/*.*/
+        do
+            if [ -d $f ]; then
+                infomsg "Importing CA into Firefox at $f"
+                # delete old certificate (if any)
+                certutil -D -n "GNS Proxy CA" -d "$f" >/dev/null 2>/dev/null
+                # add new certificate
+                certutil -A -n "GNS Proxy CA" -t CT,, -d "$f" < $GNSCERT
+            fi
+        done
+        for f in ~/.mozilla/icecat/*.*/
+        do
+            if [ -d $f ]; then
+                infomsg "Importing CA into Icecat at $f"
+                # delete old certificate (if any)
+                certutil -D -n "GNS Proxy CA" -d "$f" >/dev/null 2>/dev/null
+                # add new certificate
+                certutil -A -n "GNS Proxy CA" -t CT,, -d "$f" < $GNSCERT
+            fi
+        done
+        # TODO: Error handling?
+        if [ -d ~/.pki/nssdb/ ]; then
+            statusmsg "Importing CA into Chrome at ~/.pki/nssdb/"
+            # delete old certificate (if any)
+            certutil -D -n "GNS Proxy CA" -d ~/.pki/nssdb/ >/dev/null 2>/dev/null
+            # add new certificate
+            certutil -A -n "GNS Proxy CA" -t CT,, -d ~/.pki/nssdb/ < $GNSCERT
+        fi
+    else
+        warningmsg "The 'certutil' command was not found."
+        warningmsg "Not importing into browsers."
+        warningmsg "For 'certutil' install nss."
+    fi
+}
+
+clean_up()
+{
+    infomsg "Cleaning up."
+    rm -f $GNSCAKY $GNSCANO $GNSCERT
+    if test -e $SETUP_TMPDIR
+    then
+        rm -rf $SETUP_TMPDIR
+    fi
+
+    linemsg
+    statusmsg "You can now start gnunet-gns-proxy."
+    statusmsg "Afterwards, configure your browser "
+    statusmsg "to use a SOCKS proxy on port 7777. "
+    linemsg
+}
+
+main()
+{
+    setdefaults
+    while getopts "vhVtoc:" opt; do
+        case $opt in
+            v)
+                print_version
+                exit 0
+                ;;
+            h)
+                usage
+                ;;
+            V)
+                verbosity=1
+                ;;
+            c)
+                options="$options -c $OPTARG"
+                infomsg "Using configuration file $OPTARG"
+                GNUNET_CONFIG_FILE=${OPTARG}
+                ;;
+            t)
+                verbosity=1
+                infomsg "Running short developer test"
+                if test -x $(existence openssl); then
+                   openssl version
+                fi
+                if test -x $(existence certtool); then
+                    certtool --version
+                fi
+                if test -x $(existence gnutls-certtool); then
+                    gnutls-certtool --version
+                fi
+                exit 0
+                ;;
+            o)
+                resfile=$(mktemp -t ${progname}.results)
+                results="${resfile}"
+                ;;
+            \?)
+                echo "Invalid option: -$OPTARG" >&2
+                usage
+                ;;
+            :)
+                echo "Option -$OPTARG requires an argument." >&2
+                usage
+                ;;
+        esac
+    done
+    generate_ca
+    importbrowsers
+    if [ -s "${results}" ]; then
+        echo "===> Summary of results:"
+        sed -e 's/^===>//;s/^/  /' "${results}"
+        echo "===> ."
+        infomsg "Please remove ${results} manually."
+    fi
+    clean_up
+}
+
+main "$@"
diff --git a/src/cli/gns/gnunet-gns.c b/src/cli/gns/gnunet-gns.c
new file mode 100644
index 000000000..724fbce24
--- /dev/null
+++ b/src/cli/gns/gnunet-gns.c
@@ -0,0 +1,411 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2012-2013, 2017-2018 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file gnunet-gns.c
+ * @brief command line tool to access distributed GNS
+ * @author Christian Grothoff
+ */
+#include "platform.h"
+#if HAVE_LIBIDN2
+#if HAVE_IDN2_H
+#include <idn2.h>
+#elif HAVE_IDN2_IDN2_H
+#include <idn2/idn2.h>
+#endif
+#elif HAVE_LIBIDN
+#if HAVE_IDNA_H
+#include <idna.h>
+#elif HAVE_IDN_IDNA_H
+#include <idn/idna.h>
+#endif
+#endif
+#include <gnunet_util_lib.h>
+#include <gnunet_gnsrecord_lib.h>
+#include <gnunet_namestore_service.h>
+#include <gnunet_gns_service.h>
+
+
+/**
+ * Configuration we are using.
+ */
+static const struct GNUNET_CONFIGURATION_Handle *cfg;
+
+/**
+ * Handle to GNS service.
+ */
+static struct GNUNET_GNS_Handle *gns;
+
+/**
+ * GNS name to lookup. (-u option)
+ */
+static char *lookup_name;
+
+/**
+ * DNS IDNA name to lookup. (set if -d option is set)
+ */
+char *idna_name;
+
+/**
+ * DNS compatibility (name is given as DNS name, possible IDNA).
+ */
+static int dns_compat;
+
+/**
+ * record type to look up (-t option)
+ */
+static char *lookup_type;
+
+/**
+ * raw output
+ */
+static int raw;
+
+/**
+ * Desired record type.
+ */
+static uint32_t rtype;
+
+/**
+ * Timeout for lookup
+ */
+static struct GNUNET_TIME_Relative timeout;
+
+/**
+ * Timeout task
+ */
+static struct GNUNET_SCHEDULER_Task *to_task;
+
+/**
+ * Handle to lookup request
+ */
+static struct GNUNET_GNS_LookupWithTldRequest *lr;
+
+/**
+ * Global return value.
+ * 0 on success (default),
+ * 1 on internal failures
+ * 2 on launch failure,
+ * 4 if the name is not a GNS-supported TLD,
+ */
+static int global_ret;
+
+
+/**
+ * Task run on shutdown.  Cleans up everything.
+ *
+ * @param cls unused
+ */
+static void
+do_shutdown (void *cls)
+{
+  (void) cls;
+  if (NULL != to_task)
+  {
+    GNUNET_SCHEDULER_cancel (to_task);
+    to_task = NULL;
+  }
+  if (NULL != lr)
+  {
+    GNUNET_GNS_lookup_with_tld_cancel (lr);
+    lr = NULL;
+  }
+  if (NULL != gns)
+  {
+    GNUNET_GNS_disconnect (gns);
+    gns = NULL;
+  }
+  if (NULL != idna_name)
+  {
+    GNUNET_free (idna_name);
+    idna_name = NULL;
+  }
+}
+
+
+/**
+ * Task to run on timeout
+ *
+ * @param cls unused
+ */
+static void
+do_timeout (void*cls)
+{
+  to_task = NULL;
+  global_ret = 3; // Timeout
+  GNUNET_SCHEDULER_shutdown ();
+}
+
+
+/**
+ * Function called with the result of a GNS lookup.
+ *
+ * @param cls the 'const char *' name that was resolved
+ * @param was_gns #GNUNET_NO if TLD did not indicate use of GNS
+ * @param rd_count number of records returned
+ * @param rd array of @a rd_count records with the results
+ */
+static void
+process_lookup_result (void *cls,
+                       int was_gns,
+                       uint32_t rd_count,
+                       const struct GNUNET_GNSRECORD_Data *rd)
+{
+  struct GNUNET_TIME_Relative block_exp;
+  const char *typename;
+  char *string_val;
+
+  lr = NULL;
+  if (GNUNET_NO == was_gns)
+  {
+    global_ret = 4; /* not for GNS */
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  block_exp = GNUNET_TIME_absolute_get_remaining (
+    GNUNET_GNSRECORD_record_get_expiration_time (
+      rd_count,
+      rd,
+      GNUNET_TIME_UNIT_ZERO_ABS));
+  if (! raw)
+  {
+    printf ("<<< %u record(s) found:\n\n", rd_count);
+  }
+  for (uint32_t i = 0; i < rd_count; i++)
+  {
+    typename = GNUNET_GNSRECORD_number_to_typename (rd[i].
+                                                    record_type);
+    string_val = GNUNET_GNSRECORD_value_to_string (rd[i].record_type
+                                                   ,
+                                                   rd[i].data,
+                                                   rd[i].data_size);
+    if (NULL == string_val)
+    {
+      fprintf (stderr,
+               "Record %u of type %d malformed, skipping\n",
+               (unsigned int) i,
+               (int) rd[i].record_type);
+      continue;
+    }
+    if (raw)
+      printf ("%s\n", string_val);
+    else
+      printf ("%s: `%s' %s\n",
+              typename,
+              string_val,
+              (0 != (rd[i].flags
+                     &
+                     GNUNET_GNSRECORD_RF_SUPPLEMENTAL)
+              ) ?
+              "(supplemental)" : "");
+    GNUNET_free (string_val);
+  }
+  if (! raw)
+  {
+    if (0 != rd_count)
+      printf ("\nRecord set expires in %s.\n",
+              GNUNET_STRINGS_relative_time_to_string (
+                block_exp, GNUNET_YES));
+  }
+  GNUNET_SCHEDULER_shutdown ();
+}
+
+
+/**
+ * Main function that will be run.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param c configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *c)
+{
+  const char *effective_lookup_type;
+  (void) cls;
+  (void) args;
+  (void) cfgfile;
+
+  cfg = c;
+  to_task = NULL;
+  {
+    char *colon;
+
+    if (NULL != (colon = strchr (lookup_name, ':')))
+      *colon = '\0';
+  }
+
+  /**
+   * If DNS compatibility is requested, we first verify that the
+   * lookup_name is in a DNS format. If yes, we convert it to UTF-8.
+   */
+  if (GNUNET_YES == dns_compat)
+  {
+    Idna_rc rc;
+
+    if (GNUNET_OK != GNUNET_DNSPARSER_check_name (lookup_name))
+    {
+      fprintf (stderr,
+               _ ("`%s' is not a valid DNS domain name\n"),
+               lookup_name);
+      global_ret = 3;
+      return;
+    }
+    if (IDNA_SUCCESS !=
+        (rc = idna_to_unicode_8z8z (lookup_name, &idna_name,
+                                    IDNA_ALLOW_UNASSIGNED)))
+    {
+      fprintf (stderr,
+               _ (
+                 "Failed to convert DNS IDNA name `%s' to UTF-8: %s\n"),
+               lookup_name,
+               idna_strerror (rc));
+      global_ret = 4;
+      return;
+    }
+    lookup_name = idna_name;
+  }
+
+  if (GNUNET_YES !=
+      GNUNET_CLIENT_test (cfg,
+                          "arm"))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                _ (
+                  "Cannot resolve using GNS: GNUnet peer not running\n"));
+    global_ret = 5;
+    return;
+  }
+  to_task = GNUNET_SCHEDULER_add_delayed (timeout,
+                                          &do_timeout,
+                                          NULL);
+  gns = GNUNET_GNS_connect (cfg);
+  if (NULL == gns)
+  {
+    fprintf (stderr,
+             _ ("Failed to connect to GNS\n"));
+    global_ret = 2;
+    return;
+  }
+  GNUNET_SCHEDULER_add_shutdown (&do_shutdown,
+                                 NULL);
+  if (NULL != lookup_type)
+  {
+    effective_lookup_type = lookup_type;
+    rtype = GNUNET_GNSRECORD_typename_to_number (lookup_type);
+  }
+  else
+  {
+    effective_lookup_type = "A";
+    rtype = GNUNET_DNSPARSER_TYPE_A;
+  }
+  if (UINT32_MAX == rtype)
+  {
+    fprintf (stderr,
+             _ ("Invalid typename specified, assuming `ANY'\n"));
+    rtype = GNUNET_GNSRECORD_TYPE_ANY;
+  }
+  if (! raw)
+  {
+    printf (">>> Looking for `%s' records under `%s'\n",
+            effective_lookup_type, lookup_name);
+  }
+  lr = GNUNET_GNS_lookup_with_tld (gns,
+                                   lookup_name,
+                                   rtype,
+                                   GNUNET_GNS_LO_DEFAULT,
+                                   &process_lookup_result,
+                                   lookup_name);
+  if (NULL == lr)
+  {
+    global_ret = 2;
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+}
+
+
+/**
+ * The main function for gnunet-gns.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc, char *const *argv)
+{
+  timeout = GNUNET_TIME_UNIT_FOREVER_REL;
+  struct GNUNET_GETOPT_CommandLineOption options[] =
+  { GNUNET_GETOPT_option_mandatory (
+      GNUNET_GETOPT_option_string ('u',
+                                   "lookup",
+                                   "NAME",
+                                   gettext_noop (
+                                     "Lookup a record for the given name"),
+                                   &lookup_name)),
+    GNUNET_GETOPT_option_string ('t',
+                                 "type",
+                                 "TYPE",
+                                 gettext_noop (
+                                   "Specify the type of the record to lookup"),
+                                 &lookup_type),
+    GNUNET_GETOPT_option_relative_time ('T',
+                                        "timeout",
+                                        "TIMEOUT",
+                                        gettext_noop (
+                                          "Specify a timeout for the lookup"),
+                                        &timeout),
+    GNUNET_GETOPT_option_flag ('r',
+                               "raw",
+                               gettext_noop ("No unneeded output"),
+                               &raw),
+    GNUNET_GETOPT_option_flag ('d',
+                               "dns",
+                               gettext_noop (
+                                 "DNS Compatibility: Name is passed in IDNA instead of UTF-8"),
+                               &dns_compat),
+    GNUNET_GETOPT_OPTION_END };
+  int ret;
+
+  if (GNUNET_OK !=
+      GNUNET_STRINGS_get_utf8_args (argc, argv,
+                                    &argc, &argv))
+    return 2;
+
+  GNUNET_log_setup ("gnunet-gns", "WARNING", NULL);
+  ret = GNUNET_PROGRAM_run (argc,
+                            argv,
+                            "gnunet-gns",
+                            _ ("GNUnet GNS resolver tool"),
+                            options,
+                            &run,
+                            NULL);
+  GNUNET_free_nz ((void *) argv);
+  if (GNUNET_OK != ret)
+    return 1;
+  return global_ret;
+}
+
+
+/* end of gnunet-gns.c */
diff --git a/src/cli/gns/meson.build b/src/cli/gns/meson.build
new file mode 100644
index 000000000..bb6bfc477
--- /dev/null
+++ b/src/cli/gns/meson.build
@@ -0,0 +1,69 @@
+configure_file(input : 'gnunet-gns-proxy-setup-ca.in',
+  output : 'gnunet-gns-proxy-setup-ca',
+  configuration : cdata,
+  install: true,
+  install_mode: 'rwxr-xr-x',
+  install_dir: get_option('bindir'))
+
+install_data('gnunet-gns-proxy-ca.template',
+  install_dir: get_option('datadir')/'gnunet')
+install_data('openssl.cnf',
+  install_dir: get_option('datadir')/'gnunet')
+
+executable ('gnunet-gns',
+  'gnunet-gns.c',
+  dependencies: [libgnunetgns_dep,
+    libgnunetgnsrecord_dep,
+    idn_dep,
+    libgnunetutil_dep],
+  include_directories: [incdir, configuration_inc],
+  install: true,
+  install_dir: get_option('bindir'))
+
+testgns = [
+  'test_dns2gns',
+  'test_gns_at_lookup',
+  'test_gns_caa_lookup',
+  'test_gns_config_lookup',
+  'test_gns_delegated_lookup',
+  'test_gns_dht_lookup',
+  'test_gns_gns2dns_cname_lookup',
+  'test_gns_gns2dns_lookup',
+  'test_gns_gns2dns_zkey_lookup',
+  'test_gns_ipv6_lookup',
+  'test_gns_lookup',
+  'test_gns_mx_lookup',
+  'test_gns_quickupdate',
+  'test_gns_redirect_lookup',
+  'test_gns_rel_expiration',
+  'test_gns_revocation',
+  'test_gns_soa_lookup',
+  'test_gns_txt_lookup',
+  'test_gns_zkey_lookup',
+  'test_gns_sbox_simple',
+  'test_gns_sbox',
+  'test_gns_box_sbox',
+  ]
+
+testconfigs = [
+  'test_dns2gns.conf',
+  'test_gns_defaults.conf',
+  'test_gns_lookup.conf',
+  'test_gns_lookup_peer1.conf',
+  'test_gns_lookup_peer2.conf',
+  'test_gns_simple_lookup.conf'
+  ]
+
+foreach f : testconfigs
+  configure_file(input: f, output: f, copy: true)
+endforeach
+
+foreach t : testgns
+
+  test_filename = t + '.sh'
+  test_file = configure_file(input : test_filename,
+    output : test_filename,
+    copy: true)
+
+  test(t, test_file, suite: 'gns', workdir: meson.current_build_dir(), is_parallel: false)
+endforeach
diff --git a/src/cli/gns/openssl.cnf b/src/cli/gns/openssl.cnf
new file mode 100644
index 000000000..5dce35388
--- /dev/null
+++ b/src/cli/gns/openssl.cnf
@@ -0,0 +1,244 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME                    = .
+#RANDFILE               = $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file               = $ENV::HOME/.oid
+oid_section             = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions            =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca      = CA_default            # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir             = ./demoCA              # Where everything is kept
+certs           = $dir/certs            # Where the issued certs are kept
+crl_dir         = $dir/crl              # Where the issued crl are kept
+database        = $dir/index.txt        # database index file.
+new_certs_dir   = $dir/newcerts         # default place for new certs.
+
+certificate     = $dir/cacert.pem       # The CA certificate
+serial          = $dir/serial           # The current serial number
+crl             = $dir/crl.pem          # The current CRL
+private_key     = $dir/private/cakey.pem# The private key
+RANDFILE        = $dir/private/.rand    # private random number file
+
+x509_extensions = usr_cert              # The extensions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions        = crl_ext
+
+default_days    = 365                   # how long to certify for
+default_crl_days= 30                    # how long before next CRL
+default_md      = md5                   # which md to use.
+preserve        = no                    # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy          = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+####################################################################
+[ req ]
+default_bits            = 1024
+default_keyfile         = privkey.pem
+distinguished_name      = req_distinguished_name
+attributes              = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix   : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName                     = Country Name (2 letter code)
+countryName_default             = AU
+countryName_min                 = 2
+countryName_max                 = 2
+
+stateOrProvinceName             = State or Province Name (full name)
+stateOrProvinceName_default     = Some-State
+
+localityName                    = Locality Name (eg, city)
+
+0.organizationName              = Organization Name (eg, company)
+0.organizationName_default      = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName             = Second Organization Name (eg, company)
+#1.organizationName_default     = World Wide Web Pty Ltd
+
+organizationalUnitName          = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName                      = Common Name (eg, YOUR name)
+commonName_max                  = 64
+
+emailAddress                    = Email Address
+emailAddress_max                = 40
+
+# SET-ex3                       = SET extension number 3
+
+[ req_attributes ]
+challengePassword               = A challenge password
+challengePassword_min           = 4
+challengePassword_max           = 20
+
+unstructuredName                = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType                    = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment                       = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
diff --git a/src/cli/gns/test_dns2gns.conf b/src/cli/gns/test_dns2gns.conf
new file mode 100644
index 000000000..2f6bdc797
--- /dev/null
+++ b/src/cli/gns/test_dns2gns.conf
@@ -0,0 +1,69 @@
+@INLINE@ test_gns_defaults.conf
+
+[namecache]
+DISABLE = YES
+
+[PATHS]
+GNUNET_TEST_HOME = $GNUNET_TMP/test-gnunet-gns-peer-1/
+
+[dht]
+START_ON_DEMAND = YES
+IMMEDIATE_START = YES
+
+[gns]
+# PREFIX = valgrind --leak-check=full --track-origins=yes
+START_ON_DEMAND = YES
+AUTO_IMPORT_PKEY = YES
+MAX_PARALLEL_BACKGROUND_QUERIES = 10
+DEFAULT_LOOKUP_TIMEOUT = 15 s
+RECORD_PUT_INTERVAL = 1 h
+ZONE_PUBLISH_TIME_WINDOW = 1 h
+.gnunet.org =
+
+[namestore]
+IMMEDIATE_START = YES
+#PREFIX = valgrind --leak-check=full --track-origins=yes --log-file=$GNUNET_TMP/ns_log
+
+[revocation]
+WORKBITS = 1
+
+[dhtcache]
+QUOTA = 1 MB
+DATABASE = heap
+
+[topology]
+TARGET-CONNECTION-COUNT = 16
+AUTOCONNECT = YES
+FRIENDS-ONLY = NO
+MINIMUM-FRIENDS = 0
+
+[ats]
+WAN_QUOTA_IN = 1 GB
+WAN_QUOTA_OUT = 1 GB
+
+[transport]
+plugins = tcp
+NEIGHBOUR_LIMIT = 50
+PORT = 2091
+
+[transport-tcp]
+TIMEOUT = 300 s
+
+[nat]
+DISABLEV6 = YES
+BINDTO = 127.0.0.1
+ENABLE_UPNP = NO
+BEHIND_NAT = NO
+ALLOW_NAT = NO
+INTERNAL_ADDRESS = 127.0.0.1
+EXTERNAL_ADDRESS = 127.0.0.1
+
+[dns2gns]
+BINARY = gnunet-dns2gns
+START_ON_DEMAND = YES
+IMMEDIATE_START = YES
+RUN_PER_USER = YES
+BIND_TO = 127.0.0.1
+BIND_TO6 = ::1
+PORT = 12000
+OPTIONS = -d 1.1.1.1
diff --git a/src/cli/gns/test_dns2gns.sh b/src/cli/gns/test_dns2gns.sh
new file mode 100755
index 000000000..a6024ca3c
--- /dev/null
+++ b/src/cli/gns/test_dns2gns.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_dns2gns.conf" INT
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 30"
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_dns2gns.conf -f -s paths -o GNUNET_TEST_HOME`
+MY_EGO="localego"
+TEST_IP="127.0.0.1"
+TEST_IPV6="dead::beef"
+LABEL="fnord"
+TEST_DOMAIN="taler.net"
+
+gnunet-arm -s -c test_dns2gns.conf
+PKEY=`gnunet-identity -V -C $MY_EGO -c test_dns2gns.conf`
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t A -V $TEST_IP -e 3600s -c test_dns2gns.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t AAAA -V $TEST_IPV6 -e 3600s -c test_dns2gns.conf
+
+# FIXME resolution works but always returns all available records
+# also, the records seem to be returned twice if using GNS
+
+if nslookup -port=12000 $LABEL.$PKEY localhost && nslookup -port=12000 $LABEL.$MY_EGO localhost; then
+  echo "PASS: GNS records can be resolved using dns2gns bridge"
+else
+  echo "FAIL: GNS records can't be resolved using dns2gns bridge"
+  gnunet-arm -e -c test_dns2gns.conf
+  rm -rf `gnunet-config -c test_dns2gns.conf -f -s paths -o GNUNET_TEST_HOME`
+  exit 1
+fi
+
+if nslookup -port=12000 $TEST_DOMAIN localhost; then
+  echo "PASS: DNS records can be resolved using dns2gns bridge"
+else
+  echo "FAIL: DNS records can't be resolved using dns2gns bridge"
+  gnunet-arm -e -c test_dns2gns.conf
+  rm -rf `gnunet-config -c test_dns2gns.conf -f -s paths -o GNUNET_TEST_HOME`
+  exit 1
+fi
+gnunet-arm -e -c test_dns2gns.conf
+
+rm -rf `gnunet-config -c test_dns2gns.conf -f -s paths -o GNUNET_TEST_HOME`
diff --git a/src/cli/gns/test_gns_at_lookup.sh b/src/cli/gns/test_gns_at_lookup.sh
new file mode 100755
index 000000000..6a2c958de
--- /dev/null
+++ b/src/cli/gns/test_gns_at_lookup.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 5"
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+TEST_IP="127.0.0.1"
+MY_EGO="myego"
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C delegatedego -c test_gns_lookup.conf
+DELEGATED_PKEY=$(gnunet-identity -d -c test_gns_lookup.conf | grep delegatedego | awk '{print $3}')
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n b -t PKEY -V $DELEGATED_PKEY -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z delegatedego -a -n '@' -t A -V $TEST_IP -e never -c test_gns_lookup.conf
+sleep 0.5
+RES_IP=`$DO_TIMEOUT gnunet-gns --raw -u b.$MY_EGO -t A -c test_gns_lookup.conf`
+gnunet-namestore -z $MY_EGO -d -n b -t PKEY -V $DELEGATED_PKEY  -e never -c test_gns_lookup.conf
+gnunet-namestore -z delegatedego -d -n '@' -t A -V $TEST_IP  -e never -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+if [ "$RES_IP" = "$TEST_IP" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper IP, got $RES_IP."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_box_sbox.sh b/src/cli/gns/test_gns_box_sbox.sh
new file mode 100755
index 000000000..d7e95912e
--- /dev/null
+++ b/src/cli/gns/test_gns_box_sbox.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 30"
+TEST_B="TXT_record_in_BOX"
+TEST_S="TXT_record_in_SBOX"
+TEST_A="10.1.11.10"
+MY_EGO="myego"
+LABEL="testsbox"
+SERVICE="443"
+SERVICE_TEXT="_443"
+PROTOCOL="6"
+PROTOCOL_TEXT="_tcp"
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t SBOX -V "$SERVICE_TEXT.$PROTOCOL_TEXT 16 $TEST_S" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t BOX -V "$PROTOCOL $SERVICE 16 $TEST_B" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t SBOX -V "$SERVICE_TEXT.$PROTOCOL_TEXT 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t BOX -V "$PROTOCOL $SERVICE 1 $TEST_A" -e never -c test_gns_lookup.conf
+sleep 0.5
+RES_B_S=`$DO_TIMEOUT gnunet-gns --raw -u $SERVICE_TEXT.$PROTOCOL_TEXT.$LABEL.$MY_EGO -t TXT -c test_gns_lookup.conf`
+RES_A=`$DO_TIMEOUT gnunet-gns --raw -u $SERVICE_TEXT.$PROTOCOL_TEXT.$LABEL.$MY_EGO -t A -c test_gns_lookup.conf`
+gnunet-namestore -z $MY_EGO -d -n $LABEL -t SBOX -V "$SERVICE_TEXT.$PROTOCOL_TEXT 16 $TEST_S" -e never -c test_gns_lookup.conf
+gnunet-namestore -z $MY_EGO -d -n $LABEL -t BOX -V "$PROTOCOL $SERVICE 16 $TEST_B" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -d -n $LABEL -t SBOX -V "$SERVICE_TEXT.$PROTOCOL_TEXT 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -d -n $LABEL -t BOX -V "$PROTOCOL $SERVICE 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+{ read RES_A1; read RES_A2; read RES_B; read RES_S;} <<< "${RES_B_S}"
+if [ "$RES_B" = "$RES_S" ]
+then
+  echo "Failed to resolve to diffrent TXT records, got '$RES_B' and '$RES_S'."
+  exit 1
+fi
+
+{ read RES_S_A; read RES_B_A;} <<< "${RES_A}"
+if [ "$RES_S_A" = "$TEST_A" ] && [ "$RES_B_A" = "$TEST_A" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper A '$TEST_A', got '$RES_S_A' and '$RES_S_B'."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_caa_lookup.sh b/src/cli/gns/test_gns_caa_lookup.sh
new file mode 100755
index 000000000..fb488f47b
--- /dev/null
+++ b/src/cli/gns/test_gns_caa_lookup.sh
@@ -0,0 +1,38 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 30"
+TEST_CAA="0 issue ca.example.net; policy=ev"
+MY_EGO="myego"
+LABEL="testcaa"
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t CAA -V "$TEST_CAA" -e never -c test_gns_lookup.conf
+sleep 0.5
+RES_CAA=`$DO_TIMEOUT gnunet-gns --raw -u $LABEL.$MY_EGO -t CAA -c test_gns_lookup.conf`
+gnunet-namestore -z $MY_EGO -d -n $LABEL -t CAA -V "$TEST_CAA" -e never -c test_gns_lookup.conf
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+if [ "$RES_CAA" = "$TEST_CAA" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper CAA, got '$RES_CAA'."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_config_lookup.sh b/src/cli/gns/test_gns_config_lookup.sh
new file mode 100755
index 000000000..bda08f87b
--- /dev/null
+++ b/src/cli/gns/test_gns_config_lookup.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+MY_EGO="myego"
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -s PATHS -o GNUNET_HOME -f`
+CFG=`mktemp  --tmpdir=$PWD`
+cp test_gns_lookup.conf $CFG || exit 77
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 5"
+TEST_IP="dead::beef"
+gnunet-arm -s -c $CFG || exit 77
+gnunet-identity -C $MY_EGO -c $CFG 
+EPUB=`gnunet-identity -d -c $CFG | grep $MY_EGO | awk '{print $3}'`
+gnunet-arm -e -c $CFG
+gnunet-config -c $CFG -s "gns" -o ".google.com" -V $EPUB
+gnunet-arm -s -c $CFG
+sleep 1
+gnunet-namestore -p -z $MY_EGO -a -n www -t AAAA -V $TEST_IP -e never -c $CFG
+RES_IP=`$DO_TIMEOUT gnunet-gns --raw -u www.google.com -t AAAA -c $CFG`
+gnunet-namestore -z $MY_EGO -d -n www -t AAAA -V $TEST_IP -e never -c $CFG
+gnunet-identity -D $MY_EGO -c $CFG
+gnunet-arm -e -c $CFG
+rm -rf `gnunet-config -c $CFG -f -s paths -o GNUNET_TEST_HOME`
+rm $CFG
+
+if [ "$RES_IP" = "$TEST_IP" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper IP, got $RES_IP."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_defaults.conf b/src/cli/gns/test_gns_defaults.conf
new file mode 100644
index 000000000..80a2f3c44
--- /dev/null
+++ b/src/cli/gns/test_gns_defaults.conf
@@ -0,0 +1,34 @@
+[PATHS]
+GNUNET_TEST_HOME = $GNUNET_TMP/test-gnunet-gns-testing/
+
+[namestore-sqlite]
+FILENAME = $GNUNET_TEST_HOME/namestore/sqlite_test.db
+
+[namecache-sqlite]
+FILENAME=$GNUNET_TEST_HOME/namecache/namecache.db
+
+[identity]
+# Directory where we store information about our egos
+EGODIR = $GNUNET_TEST_HOME/identity/egos/
+
+[dhtcache]
+DATABASE = heap
+
+[transport]
+PLUGINS = tcp
+
+[transport-tcp]
+BINDTO = 127.0.0.1
+
+
+[fs]
+IMMEDIATE_START = NO
+START_ON_DEMAND = NO
+
+[rps]
+IMMEDIATE_START = NO
+START_ON_DEMAND = NO
+
+[topology]
+IMMEDIATE_START = NO
+START_ON_DEMAND = NO
diff --git a/src/cli/gns/test_gns_delegated_lookup.sh b/src/cli/gns/test_gns_delegated_lookup.sh
new file mode 100755
index 000000000..5105abdb5
--- /dev/null
+++ b/src/cli/gns/test_gns_delegated_lookup.sh
@@ -0,0 +1,45 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 30"
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+MY_EGO="myego"
+OTHER_EGO="delegatedego"
+FINAL_LABEL="www"
+DELEGATION_LABEL="b"
+
+TEST_IP="127.0.0.1"
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C $OTHER_EGO -c test_gns_lookup.conf
+DELEGATED_PKEY=$(gnunet-identity -d -c test_gns_lookup.conf | grep $OTHER_EGO | awk '{print $3}')
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $DELEGATION_LABEL -t PKEY -V $DELEGATED_PKEY -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $OTHER_EGO -a -n $FINAL_LABEL -t A -V $TEST_IP -e never -c test_gns_lookup.conf
+sleep 0.5
+RES_IP=`$DO_TIMEOUT gnunet-gns --raw -u $FINAL_LABEL.$DELEGATION_LABEL.$MY_EGO -t A -c test_gns_lookup.conf`
+gnunet-namestore -z $MY_EGO -d -n b -t PKEY -V $DELEGATED_PKEY  -e never -c test_gns_lookup.conf
+gnunet-namestore -z $OTHER_EGO -d -n $FINAL_LABEL -t A -V $TEST_IP  -e never -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+if [ "$RES_IP" = "$TEST_IP" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper IP, got $RES_IP."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_dht_lookup.sh b/src/cli/gns/test_gns_dht_lookup.sh
new file mode 100755
index 000000000..da87d8477
--- /dev/null
+++ b/src/cli/gns/test_gns_dht_lookup.sh
@@ -0,0 +1,63 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 30"
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+TEST_IP="127.0.0.1"
+MY_EGO="myego"
+OTHER_EGO="delegatedego"
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-arm -i zonemaster -c test_gns_lookup.conf
+gnunet-arm -i datastore -c test_gns_lookup.conf
+gnunet-identity -C $OTHER_EGO -c test_gns_lookup.conf
+DELEGATED_PKEY=$(gnunet-identity -d -c test_gns_lookup.conf | grep $OTHER_EGO | awk '{print $3}')
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+echo "MYEGO: $MY_EGO OTHER_EGO: $DELEGATED_PKEY"
+gnunet-namestore -p -z $MY_EGO -a -n b -t PKEY -V $DELEGATED_PKEY -e never -c test_gns_lookup.conf
+#This works
+gnunet-namestore -p -z $OTHER_EGO -a -n www -t A -V $TEST_IP -e never -c test_gns_lookup.conf
+#This doesn't
+gnunet-namestore -p -z $OTHER_EGO -a -n www2 -t A -V $TEST_IP -e '5 s' -c test_gns_lookup.conf
+sleep 6
+#gnunet-namestore -p -z $OTHER_EGO -d -n www2 -t A -V $TEST_IP -e '5 s' -c test_gns_lookup.conf
+#gnunet-namestore -p -z $OTHER_EGO -a -n www2 -t A -V $TEST_IP -e '5 s' -c test_gns_lookup.conf
+gnunet-arm -k zonemaster -c test_gns_lookup.conf
+gnunet-arm -i zonemaster -c test_gns_lookup.conf
+#gnunet-arm -r -c test_gns_lookup.conf
+#gnunet-arm -i zonemaster
+#gnunet-arm -i gns -c test_gns_lookup.conf
+#gnunet-identity -D $OTHER_EGO -c test_gns_lookup.conf
+#gnunet-namestore -z $MY_EGO -d -n b -t PKEY -V $DELEGATED_PKEY  -e never -c test_gns_lookup.conf
+#gnunet-namestore -z $OTHER_EGO -d -n www -t A -V $TEST_IP  -e never -c test_gns_lookup.conf
+RES_IP=`$DO_TIMEOUT gnunet-gns --raw -u www.b.$MY_EGO -t A -c test_gns_lookup.conf`
+RES_IP_REL=`$DO_TIMEOUT gnunet-gns --raw -u www2.b.$MY_EGO -t A -c test_gns_lookup.conf`
+#gnunet-namestore -z $MY_EGO -d -n b -t PKEY -V $DELEGATED_PKEY  -e never -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+if [ "$RES_IP_REL" != "$TEST_IP" ]
+then
+  echo "Failed to resolve to proper IP, got $RES_IP_REL. (relative expiration)"
+  #exit 1
+fi
+if [ "$RES_IP" = "$TEST_IP" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper IP, got $RES_IP."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_gns2dns_cname_lookup.sh b/src/cli/gns/test_gns_gns2dns_cname_lookup.sh
new file mode 100755
index 000000000..c33c9d132
--- /dev/null
+++ b/src/cli/gns/test_gns_gns2dns_cname_lookup.sh
@@ -0,0 +1,98 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+# IP address of 'www.gnunet.org'
+TEST_IP="147.87.255.218"
+# IP address of 'gnunet.org'
+TEST_IPALT="131.159.74.67"
+# IPv6 address of 'gnunet.org'
+TEST_IP6="2a07:6b47:100:464::9357:ffdb"
+
+# main label used during resolution
+TEST_RECORD_NAME="homepage"
+
+XNS=ns.joker.com
+
+if ! nslookup gnunet.org a.$XNS > /dev/null 2>&1
+then
+  echo "Cannot reach DNS, skipping test"
+  exit 77
+fi
+
+# helper record for pointing to the DNS resolver
+TEST_RESOLVER_LABEL="resolver"
+# GNS2DNS record value: delegate to DNS domain 'gnunet.org'
+# using the TEST_RESOLVER_LABEL DNS server for resolution
+TEST_RECORD_GNS2DNS1="gnunet.org@a.$XNS"
+TEST_RECORD_GNS2DNS2="gnunet.org@b.$XNS"
+TEST_RECORD_GNS2DNS3="gnunet.org@c.$XNS"
+
+MY_EGO="myego"
+# various names we will use for resolution
+TEST_DOMAIN="www.${TEST_RECORD_NAME}.$MY_EGO"
+
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 15"
+
+gnunet-arm -s -c test_gns_lookup.conf
+OUT=`$DO_TIMEOUT gnunet-resolver -c test_gns_lookup.conf www.gnunet.org`
+echo $OUT | grep $TEST_IP - > /dev/null || { gnunet-arm -e -c test_gns_lookup.conf ; echo "IPv4 for gnunet.org not found ($OUT), skipping test"; exit 77; }
+echo $OUT | grep $TEST_IP6 - > /dev/null || { gnunet-arm -e -c test_gns_lookup.conf ; echo "IPv6 for gnunet.org not found ($OUT), skipping test"; exit 77; }
+
+
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+
+# set IP address for DNS resolver for resolving in gnunet.org domain
+# map '$TEST_RECORD_NAME.$MY_EGO' to 'gnunet.org' in DNS
+gnunet-namestore -p -z $MY_EGO -a -n $TEST_RECORD_NAME -t GNS2DNS -V $TEST_RECORD_GNS2DNS1 -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $TEST_RECORD_NAME -t GNS2DNS -V $TEST_RECORD_GNS2DNS2 -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $TEST_RECORD_NAME -t GNS2DNS -V $TEST_RECORD_GNS2DNS3 -e never -c test_gns_lookup.conf
+
+gnunet-namestore -z $MY_EGO -D -c test_gns_lookup.conf
+
+sleep 0.5
+
+# lookup 'www.gnunet.org', IPv4
+RES_IP=`$DO_TIMEOUT gnunet-gns --raw -u $TEST_DOMAIN -t A -c test_gns_lookup.conf`
+# lookup 'www.gnunet.org', IPv6
+RES_IP6=`$DO_TIMEOUT gnunet-gns --raw -u $TEST_DOMAIN -t AAAA -c test_gns_lookup.conf`
+
+# clean up
+gnunet-namestore -z $MY_EGO -d -n $TEST_RECORD_NAME -t GNS2DNS -V $TEST_RECORD_GNS2DNS1 -e never -c test_gns_lookup.conf
+gnunet-namestore -z $MY_EGO -d -n $TEST_RECORD_NAME -t GNS2DNS -V $TEST_RECORD_GNS2DNS2 -e never -c test_gns_lookup.conf
+gnunet-namestore -z $MY_EGO -d -n $TEST_RECORD_NAME -t GNS2DNS -V $TEST_RECORD_GNS2DNS3 -e never -c test_gns_lookup.conf
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+ret=0
+if echo "$RES_IP" | grep "$TEST_IP" > /dev/null
+then
+  echo "PASS: Resolved $TEST_DOMAIN to $RES_IP."
+else
+  echo "Failed to resolve to proper IP for $TEST_DOMAIN, got $RES_IP, wanted $TEST_IP."
+  ret=1
+fi
+
+if echo "$RES_IP6" | grep "$TEST_IP6" > /dev/null
+then
+  echo "PASS: Resolved $TEST_DOMAIN to $RES_IP6."
+else
+  echo "Failed to resolve to proper IP for $TEST_DOMAIN, got $RES_IP6, wanted $TEST_IP6."
+  ret=1
+fi
+
+exit $ret
diff --git a/src/cli/gns/test_gns_gns2dns_lookup.sh b/src/cli/gns/test_gns_gns2dns_lookup.sh
new file mode 100755
index 000000000..43a4756d3
--- /dev/null
+++ b/src/cli/gns/test_gns_gns2dns_lookup.sh
@@ -0,0 +1,117 @@
+#!/bin/sh
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+# IP address of 'docs.gnunet.org'
+TEST_IP_ALT2="147.87.255.218"
+# IP address of 'www.gnunet.org'
+TEST_IP="147.87.255.218"
+# IPv6 address of 'gnunet.org'
+TEST_IP6="2a07:6b47:100:464::9357:ffdb"
+# permissive DNS resolver we will use for the test
+TEST_IP_GNS2DNS="8.8.8.8"
+
+# main label used during resolution
+TEST_RECORD_NAME="homepage"
+
+if ! nslookup gnunet.org $TEST_IP_GNS2DNS > /dev/null 2>&1
+then
+  echo "Cannot reach DNS, skipping test"
+  exit 77
+fi
+
+# helper record for pointing to the DNS resolver
+TEST_RESOLVER_LABEL="resolver"
+# GNS2DNS record value: delegate to DNS domain 'gnunet.org'
+# using the TEST_RESOLVER_LABEL DNS server for resolution
+TEST_RECORD_GNS2DNS="gnunet.org@${TEST_RESOLVER_LABEL}.+"
+
+MY_EGO="myego"
+# various names we will use for resolution
+TEST_DOMAIN="www.${TEST_RECORD_NAME}.$MY_EGO"
+TEST_DOMAIN_ALT="${TEST_RECORD_NAME}.$MY_EGO"
+TEST_DOMAIN_ALT2="docs.${TEST_RECORD_NAME}.$MY_EGO"
+
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 15"
+
+
+gnunet-arm -s -c test_gns_lookup.conf
+
+OUT=`$DO_TIMEOUT gnunet-resolver -c test_gns_lookup.conf www.gnunet.org`
+echo $OUT | grep $TEST_IP - > /dev/null || { gnunet-arm -e -c test_gns_lookup.conf ; echo "IPv4 for gnunet.org not found ($OUT), skipping test"; exit 77; }
+echo $OUT | grep $TEST_IP6 - > /dev/null || { gnunet-arm -e -c test_gns_lookup.conf ; echo "IPv6 for gnunet.org not found ($OUT), skipping test"; exit 77; }
+
+
+
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+
+# set IP address for DNS resolver for resolving in gnunet.org domain
+gnunet-namestore -p -z $MY_EGO -a -n $TEST_RESOLVER_LABEL -t A -V $TEST_IP_GNS2DNS -e never -c test_gns_lookup.conf
+# map '$TEST_RECORD_NAME.$MY_EGO' to 'gnunet.org' in DNS
+gnunet-namestore -p -z $MY_EGO -a -n $TEST_RECORD_NAME -t GNS2DNS -V $TEST_RECORD_GNS2DNS -e never -c test_gns_lookup.conf
+
+sleep 1
+
+gnunet-gns -u $TEST_RECORD_NAME.$MY_EGO -t GNS2DNS -c test_gns_lookup.conf
+
+# lookup 'www.gnunet.org', IPv4
+RES_IP=`$DO_TIMEOUT gnunet-gns --raw -u $TEST_DOMAIN -t A -c test_gns_lookup.conf`
+# lookup 'www.gnunet.org', IPv6
+RES_IP6=`$DO_TIMEOUT gnunet-gns --raw -u $TEST_DOMAIN -t AAAA -c test_gns_lookup.conf | head -n1`
+# lookup 'gnunet.org', IPv4
+RES_IP_ALT=`$DO_TIMEOUT gnunet-gns --raw -u $TEST_DOMAIN_ALT -t A -c test_gns_lookup.conf`
+# lookup 'docs.gnunet.org', IPv4
+RES_IP_ALT2=`$DO_TIMEOUT gnunet-gns --raw -u $TEST_DOMAIN_ALT2 -t A -c test_gns_lookup.conf`
+
+# clean up
+gnunet-namestore -z $MY_EGO -d -n $TEST_RESOLVER_LABEL -t A -V $TEST_IP_GNS2DNS -e never -c test_gns_lookup.conf
+gnunet-namestore -z $MY_EGO -d -n $TEST_RECORD_NAME -t GNS2DNS -V $TEST_RECORD_GNS2DNS -e never -c test_gns_lookup.conf
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+ret=0
+if echo "$RES_IP" | grep "$TEST_IP" > /dev/null
+then
+  echo "PASS: Resolved $TEST_DOMAIN to $RES_IP."
+else
+  echo "Failed to resolve to proper IP for $TEST_DOMAIN, got $RES_IP, wanted $TEST_IP."
+  ret=1
+fi
+
+if [ "${RES_IP6%?}" = "${TEST_IP6%?}" ]
+then
+  echo "PASS: Resolved $TEST_DOMAIN to $RES_IP6."
+else
+  echo "Failed to resolve to proper IP for $TEST_DOMAIN, got $RES_IP6, wanted $TEST_IP6."
+  ret=1
+fi
+
+if echo "$RES_IP_ALT" | grep "$TEST_IP" > /dev/null
+then
+  echo "PASS: Resolved $TEST_DOMAIN_ALT to $RES_IP_ALT."
+else
+  echo "Failed to resolve to proper IP for $TEST_DOMAIN_ALT, got $RES_IP_ALT, wanted $TEST_IP."
+  ret=1
+fi
+
+if echo "$RES_IP_ALT2" | grep "$TEST_IP_ALT2" > /dev/null
+then
+  echo "PASS: Resolved $TEST_DOMAIN_ALT2 to $RES_IP_ALT2."
+else
+  echo "Failed to resolve to proper IP for $TEST_DOMAIN_ALT2, got $RES_IP_ALT2, wanted $TEST_IP_ALT2."
+  ret=1
+fi
+exit $ret
diff --git a/src/cli/gns/test_gns_gns2dns_zkey_lookup.sh b/src/cli/gns/test_gns_gns2dns_zkey_lookup.sh
new file mode 100755
index 000000000..03549314e
--- /dev/null
+++ b/src/cli/gns/test_gns_gns2dns_zkey_lookup.sh
@@ -0,0 +1,116 @@
+#!/bin/sh
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+# IP address of 'docs.gnunet.org'
+TEST_IP_ALT2="147.87.255.218"
+# IP address of 'www.gnunet.org'
+TEST_IP="147.87.255.218"
+# IPv6 address of 'gnunet.org'
+TEST_IP6="2a07:6b47:100:464::9357:ffdb"
+# permissive DNS resolver we will use for the test
+TEST_IP_GNS2DNS="8.8.8.8"
+
+# main label used during resolution
+TEST_RECORD_NAME="homepage"
+
+if ! nslookup gnunet.org $TEST_IP_GNS2DNS > /dev/null 2>&1
+then
+  echo "Cannot reach DNS, skipping test"
+  exit 77
+fi
+
+# helper record for pointing to the DNS resolver
+TEST_RESOLVER_LABEL="resolver"
+
+MY_EGO="myego"
+# various names we will use for resolution
+TEST_DOMAIN="www.${TEST_RECORD_NAME}.$MY_EGO"
+TEST_DOMAIN_ALT="${TEST_RECORD_NAME}.$MY_EGO"
+TEST_DOMAIN_ALT2="docs.${TEST_RECORD_NAME}.$MY_EGO"
+
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 15"
+
+
+gnunet-arm -s -c test_gns_lookup.conf
+
+OUT=`$DO_TIMEOUT gnunet-resolver -c test_gns_lookup.conf www.gnunet.org`
+echo $OUT | grep $TEST_IP - > /dev/null || { gnunet-arm -e -c test_gns_lookup.conf ; echo "IPv4 for gnunet.org not found ($OUT), skipping test"; exit 77; }
+echo $OUT | grep $TEST_IP6 - > /dev/null || { gnunet-arm -e -c test_gns_lookup.conf ; echo "IPv6 for gnunet.org not found ($OUT), skipping test"; exit 77; }
+
+
+
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+MY_EGO_PKEY=$(gnunet-identity -d -c test_gns_lookup.conf | grep ${MY_EGO} | awk '{print $3}')
+# GNS2DNS record value: delegate to DNS domain 'gnunet.org'
+# using the TEST_RESOLVER_LABEL DNS server for resolution
+TEST_RECORD_GNS2DNS="gnunet.org@${TEST_RESOLVER_LABEL}.${MY_EGO_PKEY}"
+
+# set IP address for DNS resolver for resolving in gnunet.org domain
+gnunet-namestore -p -z $MY_EGO -a -n $TEST_RESOLVER_LABEL -t A -V $TEST_IP_GNS2DNS -e never -c test_gns_lookup.conf
+# map '$TEST_RECORD_NAME.$MY_EGO' to 'gnunet.org' in DNS
+gnunet-namestore -p -z $MY_EGO -a -n $TEST_RECORD_NAME -t GNS2DNS -V $TEST_RECORD_GNS2DNS -e never -c test_gns_lookup.conf
+
+sleep 1
+
+# lookup 'www.gnunet.org', IPv4
+RES_IP=`$DO_TIMEOUT gnunet-gns --raw -u $TEST_DOMAIN -t A -c test_gns_lookup.conf`
+# lookup 'www.gnunet.org', IPv6
+RES_IP6=`$DO_TIMEOUT gnunet-gns --raw -u $TEST_DOMAIN -t AAAA -c test_gns_lookup.conf | head -n1`
+# lookup 'gnunet.org', IPv4
+RES_IP_ALT=`$DO_TIMEOUT gnunet-gns --raw -u $TEST_DOMAIN_ALT -t A -c test_gns_lookup.conf`
+# lookup 'docs.gnunet.org', IPv4
+RES_IP_ALT2=`$DO_TIMEOUT gnunet-gns --raw -u $TEST_DOMAIN_ALT2 -t A -c test_gns_lookup.conf`
+
+# clean up
+gnunet-namestore -z $MY_EGO -d -n $TEST_RESOLVER_LABEL -t A -V $TEST_IP_GNS2DNS -e never -c test_gns_lookup.conf
+gnunet-namestore -z $MY_EGO -d -n $TEST_RECORD_NAME -t GNS2DNS -V $TEST_RECORD_GNS2DNS -e never -c test_gns_lookup.conf
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+ret=0
+if echo "$RES_IP" | grep "$TEST_IP" > /dev/null
+then
+  echo "PASS: Resolved $TEST_DOMAIN to $RES_IP."
+else
+  echo "Failed to resolve to proper IP for $TEST_DOMAIN, got $RES_IP, wanted $TEST_IP."
+  ret=1
+fi
+
+if [ "${RES_IP6%?}" = "${TEST_IP6%?}" ]
+then
+  echo "PASS: Resolved $TEST_DOMAIN to $RES_IP6."
+else
+  echo "Failed to resolve to proper IP for $TEST_DOMAIN, got $RES_IP6, wanted $TEST_IP6."
+  ret=1
+fi
+
+if echo "$RES_IP_ALT" | grep "$TEST_IP" > /dev/null
+then
+  echo "PASS: Resolved $TEST_DOMAIN_ALT to $RES_IP_ALT."
+else
+  echo "Failed to resolve to proper IP for $TEST_DOMAIN_ALT, got $RES_IP_ALT, wanted $TEST_IP."
+  ret=1
+fi
+
+if echo "$RES_IP_ALT2" | grep "$TEST_IP_ALT2" > /dev/null
+then
+  echo "PASS: Resolved $TEST_DOMAIN_ALT2 to $RES_IP_ALT2."
+else
+  echo "Failed to resolve to proper IP for $TEST_DOMAIN_ALT2, got $RES_IP_ALT2, wanted $TEST_IP_ALT2."
+  ret=1
+fi
+exit $ret
diff --git a/src/cli/gns/test_gns_ipv6_lookup.sh b/src/cli/gns/test_gns_ipv6_lookup.sh
new file mode 100755
index 000000000..31e662f68
--- /dev/null
+++ b/src/cli/gns/test_gns_ipv6_lookup.sh
@@ -0,0 +1,37 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+MY_EGO="myego"
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -s PATHS -o GNUNET_HOME -f`
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 30"
+TEST_IP="dead::beef"
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n www -t AAAA -V $TEST_IP -e never -c test_gns_lookup.conf
+sleep 0.5
+RES_IP=`$DO_TIMEOUT gnunet-gns --raw -u www.$MY_EGO -t AAAA -c test_gns_lookup.conf`
+gnunet-namestore -z $MY_EGO -d -n www -t AAAA -V $TEST_IP -e never -c test_gns_lookup.conf
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+if [ "$RES_IP" = "$TEST_IP" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper IP, got $RES_IP."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_lightest.sh b/src/cli/gns/test_gns_lightest.sh
new file mode 100755
index 000000000..2d2203e66
--- /dev/null
+++ b/src/cli/gns/test_gns_lightest.sh
@@ -0,0 +1,141 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 30"
+START_EGO="startego"
+MY_EGO="test-lightest"
+LABEL="test-scheme"
+PTR_LABEL="test-ptr"
+TEST_URI="10 1 \"https://ec.europa.eu/tools/lotl/eu-lotl.xml\""
+TEST_SMIMEA="3 0 1 f7e8e4e554fb7c7a8f6f360e0ca2f59d466c8f9539a25963f5ed37e905f0c797"
+SCHEME="_scheme"
+TRUST="_trust"
+TRANSLATION="_translation"
+TEST_PTR="$SCHEME.$TRUST.$LABEL.$MY_EGO.$START_EGO"
+TEST_PTR2="$TRANSLATION.$TRUST.$LABEL.$MY_EGO.$START_EGO"
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+gnunet-identity -C $START_EGO -c test_gns_lookup.conf
+PKEY=`gnunet-identity -d -e $MY_EGO -q -c test_gns_lookup.conf`
+gnunet-namestore -p -z $MY_EGO -a -n $PTR_LABEL -t BOX -V "49152 49152 12 $TEST_PTR" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $PTR_LABEL -t BOX -V "49152 49153 12 $TEST_PTR2" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t BOX -V "49152 49152 256 $TEST_URI" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t BOX -V "49152 49152 53 $TEST_SMIMEA" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t BOX -V "49152 49153 256 $TEST_URI" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t BOX -V "49152 49153 53 $TEST_SMIMEA" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $START_EGO -a -n $MY_EGO -t PKEY -V "$PKEY" -e never -c test_gns_lookup.conf
+sleep 0.5
+PTR_SCHEME=`$DO_TIMEOUT gnunet-gns --raw -u $SCHEME.$TRUST.$PTR_LABEL.$MY_EGO.$START_EGO -t PTR -c test_gns_lookup.conf`
+PTR_TRANSLATION=`$DO_TIMEOUT gnunet-gns --raw -u $TRANSLATION.$TRUST.$PTR_LABEL.$MY_EGO.$START_EGO -t PTR -c test_gns_lookup.conf`
+
+SUCCESS=0
+if [ "$PTR_SCHEME" != "$TEST_PTR" ]
+then
+  echo "Failed to resolve to proper PTR, got '$PTR_SCHEME'."
+  SUCCESS=1
+else
+  echo "Resolved to proper PTR, got '$PTR_SCHEME'."
+fi
+
+if [ "$PTR_TRANSLATION" != "$TEST_PTR2" ]
+then
+  echo "Failed to resolve to proper PTR, got '$PTR_TRANSLATION'."
+  SUCCESS=1
+else
+  echo "Resolved to proper PTR, got '$PTR_TRANSLATION'."
+fi
+
+if [ "$SUCCESS" = "1" ]
+then
+  gnunet-namestore -z $MY_EGO -X -c test_gns_lookup.conf
+  gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+  gnunet-arm -e -c test_gns_lookup.conf
+  rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+  exit 1
+fi
+
+
+RES_URI_SCHEME=`$DO_TIMEOUT gnunet-gns --raw -u $PTR_SCHEME -t URI -c test_gns_lookup.conf`
+RES_SMIMEA_SCHEME=`$DO_TIMEOUT gnunet-gns --raw -u $PTR_SCHEME -t SMIMEA -c test_gns_lookup.conf`
+
+RES_URI_TRANSLATION=`$DO_TIMEOUT gnunet-gns --raw -u $PTR_TRANSLATION -t URI -c test_gns_lookup.conf`
+RES_SMIMEA_TRANSLATION=`$DO_TIMEOUT gnunet-gns --raw -u $PTR_TRANSLATION -t SMIMEA -c test_gns_lookup.conf`
+
+
+if [ "$RES_URI_SCHEME" != "$TEST_URI" ]
+then
+  echo "Failed to resolve to proper URI, got '$RES_URI_SCHEME'."
+  SUCCESS=1
+else
+  echo "Resolved to proper URI, got '$RES_URI_SCHEME'."
+fi
+
+if [ "$RES_SMIMEA_SCHEME" != "$TEST_SMIMEA" ]
+then
+  echo "Failed to resolve to proper SMIMEA, got '$RES_SMIMEA_SCHEME'."
+  SUCCESS=1
+else
+  echo "Resolved to proper SMIMEA, got '$RES_SMIMEA_SCHEME'."
+fi
+
+if [ "$RES_URI_TRANSLATION" != "$TEST_URI" ]
+then
+  echo "Failed to resolve to proper URI, got '$RES_URI_TRANSLATION'."
+  SUCCESS=1
+else
+  echo "Resolved to proper URI, got '$RES_URI_TRANSLATION'."
+fi
+
+if [ "$RES_SMIMEA_TRANSLATION" != "$TEST_SMIMEA" ]
+then
+  echo "Failed to resolve to proper SMIMEA, got '$RES_SMIMEA_TRANSLATION'."
+  SUCCESS=1
+else
+  echo "Resolved to proper SMIMEA, got '$RES_SMIMEA_TRANSLATION'."
+fi
+
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t BOX -V "49152 49152 256 10 1 \"thisisnotavaliduri\"" -e never -c test_gns_lookup.conf
+status=$?
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t BOX -V "49152 49152 256 10 1 mailto:thisrecordismalformed@test.com" -e never -c test_gns_lookup.conf
+status2=$?
+
+if [ "$status" = "0" ]
+then
+  echo "Failed to detect malformed URI."
+  SUCCESS=1
+else
+  echo "Detected malformed URI."
+fi
+
+if [ "$status2" = "0" ]
+then
+  echo "Failed to detect malformed URI Record Presentation."
+  SUCCESS=1
+else
+  echo "Detected malformed URI Presentation."
+fi
+
+
+
+gnunet-namestore -z $MY_EGO -X -c test_gns_lookup.conf
+gnunet-namestore -z $START_EGO -X -c test_gns_lookup.conf
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-identity -D $START_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+exit $SUCCESS
\ No newline at end of file
diff --git a/src/cli/gns/test_gns_lookup.conf b/src/cli/gns/test_gns_lookup.conf
new file mode 100644
index 000000000..46e89a64d
--- /dev/null
+++ b/src/cli/gns/test_gns_lookup.conf
@@ -0,0 +1,65 @@
+@INLINE@ test_gns_defaults.conf
+
+[namecache]
+DISABLE = NO
+
+[PATHS]
+GNUNET_TEST_HOME = $GNUNET_TMP/test-gnunet-gns-peer-1/
+
+[dht]
+START_ON_DEMAND = YES
+
+[gns]
+# PREFIX = valgrind --leak-check=full --track-origins=yes
+START_ON_DEMAND = YES
+AUTO_IMPORT_PKEY = YES
+MAX_PARALLEL_BACKGROUND_QUERIES = 10
+DEFAULT_LOOKUP_TIMEOUT = 15 s
+RECORD_PUT_INTERVAL = 1 h
+ZONE_PUBLISH_TIME_WINDOW = 1 h
+DNS_ROOT=PD67SGHF3E0447TU9HADIVU9OM7V4QHTOG0EBU69TFRI2LG63DR0
+
+[namestore]
+#PREFIX = valgrind --leak-check=full --track-origins=yes --log-file=$GNUNET_TMP/ns_log
+
+[zonemaster]
+IMMEDIATE_START = YES
+START_ON_DEMAND = YES
+
+[rest]
+BASIC_AUTH_ENABLED=NO
+
+[revocation]
+WORKBITS = 2
+EPOCH_DURATION = 365 d
+
+[dhtcache]
+QUOTA = 1 MB
+DATABASE = heap
+
+[topology]
+TARGET-CONNECTION-COUNT = 16
+AUTOCONNECT = YES
+FRIENDS-ONLY = NO
+MINIMUM-FRIENDS = 0
+
+[ats]
+WAN_QUOTA_IN = 1 GB
+WAN_QUOTA_OUT = 1 GB
+
+[transport]
+plugins = tcp
+NEIGHBOUR_LIMIT = 50
+PORT = 2091
+
+[transport-tcp]
+TIMEOUT = 300 s
+
+[nat]
+DISABLEV6 = YES
+BINDTO = 127.0.0.1
+ENABLE_UPNP = NO
+BEHIND_NAT = NO
+ALLOW_NAT = NO
+INTERNAL_ADDRESS = 127.0.0.1
+EXTERNAL_ADDRESS = 127.0.0.1
diff --git a/src/cli/gns/test_gns_lookup.sh b/src/cli/gns/test_gns_lookup.sh
new file mode 100755
index 000000000..92dfae28b
--- /dev/null
+++ b/src/cli/gns/test_gns_lookup.sh
@@ -0,0 +1,37 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -s PATHS -o GNUNET_HOME -f`
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 30"
+TEST_IP="127.0.0.1"
+MY_EGO="myego"
+LABEL="www"
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t A -V $TEST_IP -e never -c test_gns_lookup.conf
+sleep 0.5
+RES_IP=`$DO_TIMEOUT gnunet-gns --raw -u $LABEL.$MY_EGO -t A -c test_gns_lookup.conf`
+gnunet-namestore -z $MY_EGO -d -n $LABEL -t A -V $TEST_IP -e never -c test_gns_lookup.conf
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+
+if [ "$RES_IP" = "$TEST_IP" ]
+then
+  exit 0
+else
+  echo "FAIL: Failed to resolve to proper IP, got $RES_IP."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_lookup_peer1.conf b/src/cli/gns/test_gns_lookup_peer1.conf
new file mode 100644
index 000000000..69e2f0973
--- /dev/null
+++ b/src/cli/gns/test_gns_lookup_peer1.conf
@@ -0,0 +1,75 @@
+@INLINE@ test_gns_defaults.conf
+
+[namecache]
+DISABLE = YES
+
+[PATHS]
+GNUNET_TEST_HOME = $GNUNET_TMP/test-gnunet-gns-peer-1/
+GNUNET_RUNTIME_DIR = $GNUNET_TMP/test-gnunet-gns-peer-1-system-runtime/
+GNUNET_USER_RUNTIME_DIR = $GNUNET_TMP/test-gnunet-gns-peer-1-user-runtime/
+
+[dht]
+START_ON_DEMAND = YES
+IMMEDIATE_START = YES
+
+[gns]
+# PREFIX = valgrind --leak-check=full --track-origins=yes
+START_ON_DEMAND = YES
+AUTO_IMPORT_PKEY = YES
+MAX_PARALLEL_BACKGROUND_QUERIES = 10
+DEFAULT_LOOKUP_TIMEOUT = 15 s
+RECORD_PUT_INTERVAL = 1 h
+ZONE_PUBLISH_TIME_WINDOW = 1 h
+DNS_ROOT=PD67SGHF3E0447TU9HADIVU9OM7V4QHTOG0EBU69TFRI2LG63DR0
+
+[namestore]
+IMMEDIATE_START = YES
+#PREFIX = valgrind --leak-check=full --track-origins=yes --log-file=$GNUNET_TMP/ns_log
+
+[revocation]
+WORKBITS = 1
+
+[dhtcache]
+QUOTA = 1 MB
+DATABASE = heap
+
+[topology]
+TARGET-CONNECTION-COUNT = 16
+AUTOCONNECT = YES
+FRIENDS-ONLY = NO
+MINIMUM-FRIENDS = 0
+
+[ats]
+WAN_QUOTA_IN = 1 GB
+WAN_QUOTA_OUT = 1 GB
+
+[transport]
+plugins = unix
+NEIGHBOUR_LIMIT = 50
+PORT = 2091
+
+[transport-unix]
+UNIXPATH = $GNUNET_RUNTIME_DIR/gnunet-transport-plugin-unix1.sock
+
+[hostlist]
+SERVERS = http://localhost:9999/
+OPTIONS = -b
+IMMEDIATE_START = YES
+
+[nat]
+DISABLEV6 = YES
+BINDTO = 127.0.0.1
+ENABLE_UPNP = NO
+BEHIND_NAT = NO
+ALLOW_NAT = NO
+INTERNAL_ADDRESS = 127.0.0.1
+EXTERNAL_ADDRESS = 127.0.0.1
+
+[dns2gns]
+BINARY = gnunet-dns2gns
+START_ON_DEMAND = YES
+IMMEDIATE_START = YES
+RUN_PER_USER = YES
+BIND_TO = 127.0.0.1
+BIND_TO6 = ::1
+OPTIONS = -d 1.1.1.1 -p 12000
diff --git a/src/cli/gns/test_gns_lookup_peer2.conf b/src/cli/gns/test_gns_lookup_peer2.conf
new file mode 100644
index 000000000..3de81d7f3
--- /dev/null
+++ b/src/cli/gns/test_gns_lookup_peer2.conf
@@ -0,0 +1,72 @@
+@INLINE@ test_gns_defaults.conf
+
+[namecache]
+DISABLE = YES
+
+[PATHS]
+GNUNET_TEST_HOME = $GNUNET_TMP/test-gnunet-gns-peer-2/
+GNUNET_RUNTIME_DIR = $GNUNET_TMP/test-gnunet-gns-peer-2-runtime/
+GNUNET_USER_RUNTIME_DIR = $GNUNET_TMP/test-gnunet-gns-peer-2-user-runtime/
+
+[dht]
+START_ON_DEMAND = YES
+IMMEDIATE_START = YES
+
+[identity]
+START_ON_DEMAND = YES
+IMMEDIATE_START = YES
+
+[gns]
+# PREFIX = valgrind --leak-check=full --track-origins=yes
+IMMEDIATE_START = YES
+START_ON_DEMAND = YES
+AUTO_IMPORT_PKEY = YES
+MAX_PARALLEL_BACKGROUND_QUERIES = 10
+DEFAULT_LOOKUP_TIMEOUT = 15 s
+RECORD_PUT_INTERVAL = 1 h
+ZONE_PUBLISH_TIME_WINDOW = 1 h
+DNS_ROOT=PD67SGHF3E0447TU9HADIVU9OM7V4QHTOG0EBU69TFRI2LG63DR0
+
+[namestore]
+IMMEDIATE_START = YES
+#PREFIX = valgrind --leak-check=full --track-origins=yes --log-file=$GNUNET_TMP/ns_log
+
+[revocation]
+WORKBITS = 1
+
+[dhtcache]
+QUOTA = 1 MB
+DATABASE = heap
+
+[topology]
+TARGET-CONNECTION-COUNT = 16
+AUTOCONNECT = YES
+FRIENDS-ONLY = NO
+MINIMUM-FRIENDS = 0
+
+[hostlist]
+SERVERS =
+HTTPPORT = 9999
+OPTIONS = -p
+IMMEDIATE_START = YES
+
+
+[ats]
+WAN_QUOTA_IN = 1 GB
+WAN_QUOTA_OUT = 1 GB
+
+[transport]
+plugins = unix
+NEIGHBOUR_LIMIT = 50
+
+[transport-unix]
+UNIXPATH = $GNUNET_RUNTIME_DIR/gnunet-transport-plugin-unix2.sock
+
+[nat]
+DISABLEV6 = YES
+BINDTO = 127.0.0.1
+ENABLE_UPNP = NO
+BEHIND_NAT = NO
+ALLOW_NAT = NO
+INTERNAL_ADDRESS = 127.0.0.1
+EXTERNAL_ADDRESS = 127.0.0.1
diff --git a/src/cli/gns/test_gns_multiple_record_lookup.sh b/src/cli/gns/test_gns_multiple_record_lookup.sh
new file mode 100755
index 000000000..52a487329
--- /dev/null
+++ b/src/cli/gns/test_gns_multiple_record_lookup.sh
@@ -0,0 +1,95 @@
+#!/bin/bash
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup_peer1.conf" INT
+trap "gnunet-arm -e -c test_gns_lookup_peer2.conf" INT
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 5"
+
+unset XDG_DATA_HOME
+unset XDG_CONFIG_HOME
+unset XDG_CACHE_HOME
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_gns_lookup_peer1.conf -f -s paths -o GNUNET_TEST_HOME`
+rm -rf `gnunet-config -c test_gns_lookup_peer2.conf -f -s paths -o GNUNET_TEST_HOME`
+OTHER_EGO="remoteego"
+
+TEST_IP="127.0.0.1"
+TEST_IPV6="dead::beef"
+LABEL="fnord"
+
+gnunet-arm -s -c test_gns_lookup_peer2.conf
+gnunet-identity -C $OTHER_EGO -c test_gns_lookup_peer2.conf
+PKEY=`$DO_TIMEOUT gnunet-identity -d -c test_gns_lookup_peer2.conf | grep $OTHER_EGO | awk '{print $3}'`
+
+# Note: if zonemaster is kept running, it MAY publish the "A" record in the
+# DHT immediately and then _LATER_ also the "AAAA" record. But as then there
+# will be TWO valid blocks in the DHT (one with only A and one with A and
+# AAAA), the subsequent GET for both may fail and only return the result with
+# just the "A" record).
+# If we _waited_ until the original block with just "A" expired, everything
+# would be fine, but we don't want to do that for the test, so we
+# simply pause publishing to the DHT until all records are defined.
+# In the future, it would be good to have an enhanced gnunet-namestore command
+# that would read a series of changes to be made to a record set from
+# stdin and do them _all_ *atomically*. Then we would not need to do this.
+
+gnunet-arm -c test_gns_lookup_peer2.conf -k zonemaster
+
+gnunet-namestore -p -z $OTHER_EGO -a -n $LABEL -t A -V $TEST_IP -e 3600s -c test_gns_lookup_peer2.conf
+gnunet-namestore -p -z $OTHER_EGO -a -n $LABEL -t AAAA -V $TEST_IPV6 -e 3600s -c test_gns_lookup_peer2.conf
+gnunet-namestore -D -z $OTHER_EGO -n $LABEL -c test_gns_lookup_peer2.conf
+
+gnunet-arm -c test_gns_lookup_peer2.conf -i zonemaster
+
+gnunet-arm -s -c test_gns_lookup_peer1.conf
+
+
+RESP=`$DO_TIMEOUT gnunet-gns --raw -u $LABEL.$PKEY -t ANY -c test_gns_lookup_peer1.conf`
+RESP1=`$DO_TIMEOUT gnunet-gns --raw -u $LABEL.$PKEY -t A -c test_gns_lookup_peer1.conf`
+RESP2=`$DO_TIMEOUT gnunet-gns --raw -u $LABEL.$PKEY -t AAAA -c test_gns_lookup_peer1.conf`
+
+echo "$LABEL.$PKEY"
+echo $RESP $RESP1 $RESP2
+
+gnunet-arm -e -c test_gns_lookup_peer1.conf
+gnunet-arm -e -c test_gns_lookup_peer2.conf
+
+gnunet-config -c test_gns_lookup_peer1.conf -f -s paths -o GNUNET_TEST_HOME
+
+rm -rf `gnunet-config -c test_gns_lookup_peer1.conf -f -s paths -o GNUNET_TEST_HOME`
+rm -rf `gnunet-config -c test_gns_lookup_peer2.conf -f -s paths -o GNUNET_TEST_HOME`
+
+RESPONSES=($(echo $RESP | tr "\n" " " ))
+
+if [ "$RESP1" == "$TEST_IP" ]
+then
+  echo "PASS: A record resolution from DHT via separate peer"
+else
+  echo "FAIL: A record resolution from DHT via separate peer, got $RESP1, expected $TEST_IP"
+  exit 1
+fi
+if [ "$RESP2" == "$TEST_IPV6" ]
+then
+  echo "PASS: AAAA record resolution from DHT via separate peer"
+else
+  echo "FAIL: AAAA record resolution from DHT via separate peer, got $RESP2, expected $TEST_IPV6"
+  exit 1
+fi
+if [[ "${RESPONSES[0]} ${RESPONSES[1]}" == "$TEST_IPV6 $TEST_IP" ]] || [[ "${RESPONSES[0]} ${RESPONSES[1]}" == "$TEST_IP $TEST_IPV6" ]]
+then
+  echo "PASS: ANY record resolution from DHT via separate peer"
+else
+  echo "FAIL: ANY record resolution from DHT via separate peer, got $RESP, expected $TEST_IPV6 $TEST_IP or $TEST_IP $TEST_IPV6"
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_mx_lookup.sh b/src/cli/gns/test_gns_mx_lookup.sh
new file mode 100755
index 000000000..6f2b8192d
--- /dev/null
+++ b/src/cli/gns/test_gns_mx_lookup.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 5"
+
+MY_EGO="myego"
+TEST_MX="5 mail.+"
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+PKEY=`gnunet-identity -d | grep "$MY_EGO - " | awk '{print $3'}`
+WANT_MX="5 mail.$PKEY"
+gnunet-namestore -p -z $MY_EGO -a -n www -t MX -V "$TEST_MX" -e never -c test_gns_lookup.conf
+sleep 0.5
+RES_MX=`$DO_TIMEOUT gnunet-gns --raw -u www.$MY_EGO -t MX -c test_gns_lookup.conf`
+gnunet-namestore -z $MY_EGO -d -n www -t MX -V "$TEST_MX" -e never -c test_gns_lookup.conf
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+# make cmp case-insensitive by converting to lower case first
+RES_MX=`echo $RES_MX | tr [A-Z] [a-z]`
+WANT_MX=`echo $WANT_MX | tr [A-Z] [a-z]`
+
+if [ "$RES_MX" = "$WANT_MX" ]
+then
+  exit 0
+else
+  echo "FAIL: did not get proper IP, got $RES_MX, expected $WANT_MX."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_quickupdate.sh b/src/cli/gns/test_gns_quickupdate.sh
new file mode 100755
index 000000000..eac69103d
--- /dev/null
+++ b/src/cli/gns/test_gns_quickupdate.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+MY_EGO="myego"
+OTHER_EGO="delegatedego"
+
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 5"
+TEST_IP="127.0.0.1"
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+gnunet-identity -C $OTHER_EGO -c test_gns_lookup.conf
+DELEGATED_PKEY=$(gnunet-identity -d -c test_gns_lookup.conf | grep $OTHER_EGO | awk '{print $3}')
+gnunet-arm -i gns -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n b -t PKEY -V $DELEGATED_PKEY -e never -c test_gns_lookup.conf
+# Give GNS/namestore time to fully start and finish initial iteration
+sleep 2
+# Performing namestore update
+gnunet-namestore -p -z $OTHER_EGO -a -n www -t A -V $TEST_IP -e never -c test_gns_lookup.conf
+# Give GNS chance to observe store event via monitor
+sleep 1
+gnunet-namestore -z $OTHER_EGO -d -n www -t A -V $TEST_IP  -e never -c test_gns_lookup.conf
+# give GNS chance to process monitor event
+sleep 1
+# stop everything and restart to check that DHT PUT did happen
+gnunet-arm -k gns -c test_gns_lookup.conf
+gnunet-arm -k namestore -c test_gns_lookup.conf
+gnunet-arm -k namecache -c test_gns_lookup.conf
+gnunet-arm -k zonemaster -c test_gns_lookup.conf
+# Purge nameacache, as we might otherwise fetch from there
+# FIXME: testcase started failing after the line below was fixed by adding '-f',
+# might have never worked (!)
+rm -r `gnunet-config -f -c test_gns_lookup.conf -s namecache-sqlite -o FILENAME`
+gnunet-arm -i namestore -c test_gns_lookup.conf
+gnunet-arm -i namecache -c test_gns_lookup.conf
+gnunet-arm -i zonemaster -c test_gns_lookup.conf
+gnunet-arm -i gns -c test_gns_lookup.conf
+RES_IP=`$DO_TIMEOUT gnunet-gns --raw -u www.b.$MY_EGO -t A -c test_gns_lookup.conf`
+gnunet-namestore -z $MY_EGO -d -n b -t PKEY -V $DELEGATED_PKEY  -e never -c test_gns_lookup.conf
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-identity -D $OTHER_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+if [ "$RES_IP" = "$TEST_IP" ]
+then
+  exit 0
+else
+  echo "Failed to properly resolve IP, expected $TEST_IP, got $RES_IP."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_redirect_lookup.sh b/src/cli/gns/test_gns_redirect_lookup.sh
new file mode 100755
index 000000000..90729713d
--- /dev/null
+++ b/src/cli/gns/test_gns_redirect_lookup.sh
@@ -0,0 +1,100 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+# permissive DNS resolver we will use for the test
+DNS_RESOLVER="8.8.8.8"
+if ! nslookup gnunet.org $DNS_RESOLVER > /dev/null 2>&1
+then
+  echo "Cannot reach DNS, skipping test"
+  exit 77
+fi
+
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+TEST_IP_PLUS="127.0.0.1"
+TEST_IP_DNS="147.87.255.218"
+TEST_RECORD_REDIRECT_SERVER="server"
+TEST_RECORD_REDIRECT_PLUS="server.+"
+TEST_RECORD_REDIRECT_DNS="gnunet.org"
+TEST_RECORD_NAME_SERVER="server"
+TEST_RECORD_NAME_PLUS="www"
+TEST_RECORD_NAME_ZKEY="www2"
+TEST_RECORD_NAME_DNS="www3"
+MY_EGO="myego"
+TEST_DOMAIN_PLUS="www.$MY_EGO"
+TEST_DOMAIN_ZKEY="www2.$MY_EGO"
+TEST_DOMAIN_DNS="www3.$MY_EGO"
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 15"
+
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+MY_EGO_PKEY=$(gnunet-identity -d -c test_gns_lookup.conf | grep ${MY_EGO} | awk '{print $3}')
+TEST_RECORD_REDIRECT_ZKEY="server.${MY_EGO_PKEY}"
+gnunet-namestore -p -z $MY_EGO -a -n $TEST_RECORD_NAME_DNS -t REDIRECT -V $TEST_RECORD_REDIRECT_DNS -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $TEST_RECORD_NAME_PLUS -t REDIRECT -V $TEST_RECORD_REDIRECT_PLUS -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $TEST_RECORD_NAME_ZKEY -t REDIRECT -V $TEST_RECORD_REDIRECT_ZKEY -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $TEST_RECORD_REDIRECT_SERVER -t A -V $TEST_IP_PLUS -e never -c test_gns_lookup.conf
+sleep 1
+RES_REDIRECT=`$DO_TIMEOUT gnunet-gns --raw -u $TEST_DOMAIN_PLUS -t A -c test_gns_lookup.conf`
+RES_REDIRECT_RAW=`$DO_TIMEOUT gnunet-gns --raw -u $TEST_DOMAIN_PLUS -t REDIRECT -c test_gns_lookup.conf`
+RES_REDIRECT_ZKEY=`$DO_TIMEOUT gnunet-gns --raw -u $TEST_DOMAIN_ZKEY -t A -c test_gns_lookup.conf`
+RES_REDIRECT_DNS=`$DO_TIMEOUT gnunet-gns --raw -u $TEST_DOMAIN_DNS -t A -c test_gns_lookup.conf | grep $TEST_IP_DNS`
+
+TESTEGOZONE=`gnunet-identity -c test_gns_lookup.conf -d | awk '{print $3}'`
+gnunet-namestore -p -z $MY_EGO -d -n $TEST_RECORD_NAME_DNS -t REDIRECT -V $TEST_RECORD_REDIRECT_DNS -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -d -n $TEST_RECORD_NAME_PLUS -t REDIRECT -V $TEST_RECORD_REDIRECT_PLUS -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -d -n $TEST_RECORD_NAME_ZKEY -t REDIRECT -V $TEST_RECORD_REDIRECT_ZKEY -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -d -n $TEST_RECORD_REDIRECT_SERVER -t A -V $TEST_IP_PLUS -e never -c test_gns_lookup.conf
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+# make cmp case-insensitive by converting to lower case first
+RES_REDIRECT_RAW=`echo $RES_REDIRECT_RAW | tr [A-Z] [a-z]`
+TESTEGOZONE=`echo $TESTEGOZONE | tr [A-Z] [a-z]`
+if [ "$RES_REDIRECT_RAW" = "server.$TESTEGOZONE" ]
+then
+  echo "PASS: REDIRECT resolution from GNS"
+else
+  echo "FAIL: REDIRECT resolution from GNS, got $RES_REDIRECT_RAW, expected server.$TESTEGOZONE."
+  exit 1
+fi
+
+if [ "$RES_REDIRECT" = "$TEST_IP_PLUS" ]
+then
+  echo "PASS: IP resolution from GNS (.+)"
+else
+  echo "FAIL: IP resolution from GNS (.+), got $RES_REDIRECT, expected $TEST_IP_PLUS."
+  exit 1
+fi
+
+if [ "$RES_REDIRECT_ZKEY" = "$TEST_IP_PLUS" ]
+then
+  echo "PASS: IP resolution from GNS (.zkey)"
+else
+  echo "FAIL: IP resolution from GNS (.zkey), got $RES_REDIRECT, expected $TEST_IP_PLUS."
+  exit 1
+fi
+
+if echo "$RES_REDIRECT_DNS" | grep "$TEST_IP_DNS" > /dev/null
+then
+  echo "PASS: IP resolution from DNS"
+  exit 0
+else
+  echo "FAIL: IP resolution from DNS, got $RES_REDIRECT_DNS, expected $TEST_IP_DNS."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_rel_expiration.sh b/src/cli/gns/test_gns_rel_expiration.sh
new file mode 100755
index 000000000..a240cfd0f
--- /dev/null
+++ b/src/cli/gns/test_gns_rel_expiration.sh
@@ -0,0 +1,64 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+
+if [ -z $(which timeout) ]
+then
+  echo "timeout utility not found which is required for test."
+  exit 77
+fi
+
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+MY_EGO="myego"
+OTHER_EGO="delegatedego"
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 5"
+TEST_IP="127.0.0.1"
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+gnunet-identity -C $OTHER_EGO -c test_gns_lookup.conf
+DELEGATED_PKEY=$(gnunet-identity -d -c test_gns_lookup.conf | grep $OTHER_EGO | awk '{print $3}')
+gnunet-namestore -p -z $MY_EGO -a -n b -t PKEY -V $DELEGATED_PKEY -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $OTHER_EGO -a -n www -t A -V $TEST_IP -e '5 s' -c test_gns_lookup.conf
+gnunet-arm -i gns -c test_gns_lookup.conf
+sleep 0.5
+# confirm that lookup currently works
+RES_IP=`$DO_TIMEOUT gnunet-gns --raw -u www.b.$MY_EGO -t A -c test_gns_lookup.conf`
+# remove entry
+gnunet-namestore -z $OTHER_EGO -d -n www -t A -V $TEST_IP  -e '5 s' -c test_gns_lookup.conf
+# wait for old entry with 5s 'expiration' to definitively expire
+sleep 6
+# try again, should no longer work
+RES_IP_EXP=`$DO_TIMEOUT gnunet-gns --raw -u www.b.$MY_EGO -t A -c test_gns_lookup.conf`
+gnunet-namestore -z $MY_EGO -d -n b -t PKEY -V $DELEGATED_PKEY  -e never -c test_gns_lookup.conf
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-identity -D $OTHER_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+if [ "$RES_IP_EXP" = "$TEST_IP" ]
+then
+  echo "Failed to properly expire IP, got $RES_IP_EXP."
+  exit 1
+fi
+
+if [ "$RES_IP" = "$TEST_IP" ]
+then
+  exit 0
+else
+  echo "Failed to properly resolve IP, got $RES_IP."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_revocation.sh b/src/cli/gns/test_gns_revocation.sh
new file mode 100755
index 000000000..2253adcb4
--- /dev/null
+++ b/src/cli/gns/test_gns_revocation.sh
@@ -0,0 +1,50 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 5"
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+MY_EGO="myego"
+OTHER_EGO="delegatedego"
+TEST_IP="127.0.0.1"
+
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C $OTHER_EGO -c test_gns_lookup.conf
+DELEGATED_PKEY=$(gnunet-identity -d -c test_gns_lookup.conf | grep $OTHER_EGO | awk '{print $3}')
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n b -t PKEY -V $DELEGATED_PKEY -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $OTHER_EGO -a -n www -t A -V $TEST_IP -e never -c test_gns_lookup.conf
+sleep 1
+RES_IP=`$DO_TIMEOUT gnunet-gns --raw -u www.b.$MY_EGO -t A -c test_gns_lookup.conf`
+gnunet-revocation -R $OTHER_EGO -p  -c test_gns_lookup.conf
+RES_IP_REV=`$DO_TIMEOUT gnunet-gns --raw -u www.b.$MY_EGO -t A -c test_gns_lookup.conf`
+gnunet-namestore -z $MY_EGO -d -n b -t PKEY -V $DELEGATED_PKEY  -e never -c test_gns_lookup.conf
+gnunet-namestore -z $OTHER_EGO -d -n www -t A -V $TEST_IP  -e never -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+if [ "$RES_IP" != "$TEST_IP" ]
+then
+  echo "Failed to resolve to proper IP, got $RES_IP."
+  exit 1
+fi
+
+if [ "x$RES_IP_REV" = "x" ]
+then
+  exit 0
+else
+  echo "Failed to revoke zone, got $RES_IP_REV."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_sbox.sh b/src/cli/gns/test_gns_sbox.sh
new file mode 100755
index 000000000..6918bf130
--- /dev/null
+++ b/src/cli/gns/test_gns_sbox.sh
@@ -0,0 +1,121 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 7"
+TEST_A="139.134.54.9"
+MY_EGO="myego"
+LABEL="testsbox"
+PREFIX1="_name"
+PREFIX2="__"
+PREFIX3="_a_b_c_d_e_f_g_h_i_j_k_l_m_n_o_p_q_r_s_t_u_v_w_x_y_z_"
+PREFIX4="abcdefghijklmnopqrstuvwxyz.abcdefghijklmnopqrstuvwxyz._abc"
+PREFIX5="abc.abc._abc.abc"
+PREFIX6="abc.abc._abc.abc._abc"
+PREFIX7="abc.abc._abc.abc._abc.abc"
+PREFIX8="_at"
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t SBOX -V "$PREFIX1 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t SBOX -V "$PREFIX2 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t SBOX -V "$PREFIX3 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t SBOX -V "$PREFIX4 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t SBOX -V "$PREFIX5 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t SBOX -V "$PREFIX6 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t SBOX -V "$PREFIX7 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n '@' -t SBOX -V "$PREFIX8 1 $TEST_A" -e never -c test_gns_lookup.conf
+sleep 0.5
+RES_A1=`$DO_TIMEOUT gnunet-gns --raw -u $PREFIX1.$LABEL.$MY_EGO -t A -c test_gns_lookup.conf`
+RES_A2=`$DO_TIMEOUT gnunet-gns --raw -u $PREFIX2.$LABEL.$MY_EGO -t A -c test_gns_lookup.conf`
+RES_A3=`$DO_TIMEOUT gnunet-gns --raw -u $PREFIX3.$LABEL.$MY_EGO -t A -c test_gns_lookup.conf`
+RES_A4=`$DO_TIMEOUT gnunet-gns --raw -u $PREFIX4.$LABEL.$MY_EGO -t A -c test_gns_lookup.conf`
+RES_A5=`$DO_TIMEOUT gnunet-gns --raw -u $PREFIX5.$LABEL.$MY_EGO -t A -c test_gns_lookup.conf`
+RES_A6=`$DO_TIMEOUT gnunet-gns --raw -u $PREFIX6.$LABEL.$MY_EGO -t A -c test_gns_lookup.conf`
+RES_A7=`$DO_TIMEOUT gnunet-gns --raw -u $PREFIX7.$LABEL.$MY_EGO -t A -c test_gns_lookup.conf`
+RES_A8=`$DO_TIMEOUT gnunet-gns --raw -u $PREFIX8.$MY_EGO -t A -c test_gns_lookup.conf`
+gnunet-namestore -z $MY_EGO -d -n $LABEL -t SBOX -V "$PREFIX1 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-namestore -z $MY_EGO -d -n $LABEL -t SBOX -V "$PREFIX2 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-namestore -z $MY_EGO -d -n $LABEL -t SBOX -V "$PREFIX3 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-namestore -z $MY_EGO -d -n $LABEL -t SBOX -V "$PREFIX4 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-namestore -z $MY_EGO -d -n $LABEL -t SBOX -V "$PREFIX6 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-namestore -z $MY_EGO -d -n '@' -t SBOX -V "$PREFIX8 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+if [ "$RES_A1" = "$TEST_A" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper A, got '$RES_A1'."
+  exit 1
+fi
+
+if [ "$RES_A2" = "$TEST_A" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper A, got '$RES_A2'."
+  exit 1
+fi
+
+if [ "$RES_A3" = "$TEST_A" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper A, got '$RES_A3'."
+  exit 1
+fi
+
+if [ "$RES_A4" = "$TEST_A" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper A, got '$RES_A4'."
+  exit 1
+fi
+
+if [ "$RES_A5" = "$TEST_A" ]
+then
+  echo "Should have failed to resolve to proper A, got '$RES_A5' anyway."
+  exit 1
+else
+  exit 0
+fi
+
+if [ "$RES_A6" = "$TEST_A" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper A, got '$RES_A6'."
+  exit 1
+fi
+
+if [ "$RES_A7" = "$TEST_A" ]
+then
+  echo "Should have failed to resolve to proper A, got '$RES_A7' anyway."
+  exit 1
+else
+  exit 0
+fi
+
+if [ "$RES_A8" = "$TEST_A" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper A, got '$RES_A8'."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_sbox_simple.sh b/src/cli/gns/test_gns_sbox_simple.sh
new file mode 100755
index 000000000..f0d31e471
--- /dev/null
+++ b/src/cli/gns/test_gns_sbox_simple.sh
@@ -0,0 +1,39 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 30"
+TEST_A="139.134.54.9"
+MY_EGO="myego"
+HASH="c93f1e400f26708f98cb19d936620da35eec8f72e57f9eec01c1afd6"
+PROTOCOL_TEXT="_smimecert"
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n '@' -t SBOX -V "$HASH.$PROTOCOL_TEXT 1 $TEST_A" -e never -c test_gns_lookup.conf
+sleep 0.5
+RES_A=`$DO_TIMEOUT gnunet-gns --raw -u $HASH.$PROTOCOL_TEXT.$MY_EGO -t A -c test_gns_lookup.conf`
+gnunet-namestore -z $MY_EGO -d -n '@' -t SBOX -V "$HASH.$PROTOCOL_TEXT 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+if [ "$RES_A" = "$TEST_A" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper A, got '$RES_A'."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_simple_lookup.conf b/src/cli/gns/test_gns_simple_lookup.conf
new file mode 100644
index 000000000..374731377
--- /dev/null
+++ b/src/cli/gns/test_gns_simple_lookup.conf
@@ -0,0 +1,97 @@
+@INLINE@ test_gns_defaults.conf
+[fs]
+START_ON_DEMAND = NO
+
+[resolver]
+START_ON_DEMAND = YES
+HOSTNAME = localhost
+
+[dht]
+START_ON_DEMAND = YES
+ACCEPT_FROM6 = ::1;
+ACCEPT_FROM = 127.0.0.1;
+HOSTNAME = localhost
+PORT = 12100
+BINARY = gnunet-service-dht
+
+[dhtcache]
+QUOTA = 1 MB
+DATABASE = heap
+
+[transport]
+PLUGINS = tcp
+ACCEPT_FROM6 = ::1;
+ACCEPT_FROM = 127.0.0.1;
+NEIGHBOUR_LIMIT = 50
+PORT = 12365
+
+[ats]
+WAN_QUOTA_IN = 1 GB
+WAN_QUOTA_OUT = 1 GB
+
+[core]
+PORT = 12092
+
+[arm]
+PORT = 12366
+
+[transport-tcp]
+TIMEOUT = 300 s
+PORT = 12368
+BINDTO = 127.0.0.1
+
+[PATHS]
+GNUNET_TEST_HOME = $GNUNET_TMP/test-gnunetd-gns-peer-1/
+
+
+[nat]
+DISABLEV6 = YES
+ENABLE_UPNP = NO
+BEHIND_NAT = NO
+ALLOW_NAT = NO
+INTERNAL_ADDRESS = 127.0.0.1
+EXTERNAL_ADDRESS = 127.0.0.1
+USE_LOCALADDR = NO
+
+[dns]
+START_ON_DEMAND = YES
+DNS_EXIT = 8.8.8.8
+
+[gns]
+#PREFIX = valgrind --leak-check=full --track-origins=yes
+START_ON_DEMAND = YES
+BINARY = gnunet-service-gns
+ZONEKEY = zonefiles/test_zonekey
+PRIVATE_ZONE = private
+PRIVATE_ZONEKEY = zonefiles/OEFL7A4VEF1B40QLEMTG5D8G1CN6EN16QUSG5R2DT71GRJN34LSG.zkey
+SHORTEN_ZONE = short
+SHORTEN_ZONEKEY = zonefiles/188JSUMKEF25GVU8TTV0PBNNN8JVCPUEDFV1UHJJU884JD25V0T0.zkey
+#ZONEKEY =  $GNUNET_TEST_HOME/gns/zonekey.zkey
+HIJACK_DNS = NO
+UNIXPATH = $GNUNET_RUNTIME_DIR/gnunet-service-gns.sock
+AUTO_IMPORT_PKEY = YES
+MAX_PARALLEL_BACKGROUND_QUERIES = 10
+DEFAULT_LOOKUP_TIMEOUT = 15 s
+RECORD_PUT_INTERVAL = 1 h
+
+[nse]
+START_ON_DEMAND = NO
+
+[statistics]
+START_ON_DEMAND = NO
+
+[namestore]
+PORT = 22371
+START_ON_DEMAND = YES
+UNIXPATH = $GNUNET_RUNTIME_DIR/gnunet-service-namestore-default.sock
+UNIX_MATCH_UID = YES
+UNIX_MATCH_GID = YES
+HOSTNAME = localhost
+BINARY = gnunet-service-namestore
+ACCEPT_FROM = 127.0.0.1;
+ACCEPT_FROM6 = ::1;
+DATABASE = sqlite
+ZONEFILE_DIRECTORY = $GNUNET_TEST_HOME
+
+[namestore-sqlite]
+FILENAME = $GNUNET_TEST_HOME/sqlite-default.db
diff --git a/src/cli/gns/test_gns_soa_lookup.sh b/src/cli/gns/test_gns_soa_lookup.sh
new file mode 100755
index 000000000..a697782bb
--- /dev/null
+++ b/src/cli/gns/test_gns_soa_lookup.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 5"
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+MY_EGO="myego"
+TEST_DOMAIN="homepage.$MY_EGO"
+# some public DNS resolver we can use
+#TEST_IP_GNS2DNS="184.172.157.218" # This one seems currently down.
+TEST_IP_GNS2DNS="8.8.8.8"
+TEST_RECORD_NAME="homepage"
+TEST_RECORD_GNS2DNS="gnunet.org"
+
+if ! nslookup $TEST_RECORD_GNS2DNS $TEST_IP_GNS2DNS > /dev/null 2>&1
+then
+  echo "Cannot reach DNS, skipping test"
+  exit 77
+fi
+
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $TEST_RECORD_NAME -t GNS2DNS -V ${TEST_RECORD_GNS2DNS}@${TEST_IP_GNS2DNS} -e never -c test_gns_lookup.conf
+sleep 0.5
+RES_SOA=`$DO_TIMEOUT gnunet-gns --raw -u $TEST_DOMAIN -t SOA -c test_gns_lookup.conf`
+gnunet-namestore -z $MY_EGO -d -n $TEST_RECORD_NAME -t GNS2DNS -V ${TEST_RECORD_GNS2DNS}@${TEST_IP_GNS2DNS} -e never -c test_gns_lookup.conf > /dev/null 2>&1
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+if [ "x$RES_SOA" != "x" ]
+then
+  echo "PASS: Resolved SOA for $TEST_DOMAIN to $RES_SOA."
+  exit 0
+else
+  echo "Failed to resolve to proper SOA for $TEST_DOMAIN, got no result."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_txt_lookup.sh b/src/cli/gns/test_gns_txt_lookup.sh
new file mode 100755
index 000000000..4e36e8ad8
--- /dev/null
+++ b/src/cli/gns/test_gns_txt_lookup.sh
@@ -0,0 +1,38 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 30"
+TEST_TXT="GNS powered txt record data"
+MY_EGO="myego"
+LABEL="testtxt"
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t TXT -V "$TEST_TXT" -e never -c test_gns_lookup.conf
+sleep 0.5
+RES_TXT=`$DO_TIMEOUT gnunet-gns --raw -u $LABEL.$MY_EGO -t TXT -c test_gns_lookup.conf`
+gnunet-namestore -z $MY_EGO -d -n $LABEL -t TXT -V "$TEST_TXT" -e never -c test_gns_lookup.conf
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+if [ "$RES_TXT" = "$TEST_TXT" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper TXT, got '$RES_TXT'."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_zkey_lookup.sh b/src/cli/gns/test_gns_zkey_lookup.sh
new file mode 100755
index 000000000..3d4aefc7c
--- /dev/null
+++ b/src/cli/gns/test_gns_zkey_lookup.sh
@@ -0,0 +1,39 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 5"
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+TEST_IP="127.0.0.1"
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C delegatedego -c test_gns_lookup.conf
+DELEGATED_PKEY=$(gnunet-identity -d -c test_gns_lookup.conf | grep delegatedego | awk '{print $3}')
+gnunet-identity -C testego -c test_gns_lookup.conf
+gnunet-namestore -p -z testego -a -n b -t PKEY -V $DELEGATED_PKEY -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z delegatedego -a -n www -t A -V $TEST_IP -e never -c test_gns_lookup.conf
+RES_IP=`$DO_TIMEOUT gnunet-gns --raw -u www.${DELEGATED_PKEY} -t A -c test_gns_lookup.conf`
+gnunet-namestore -z testego -d -n b -t PKEY -V $DELEGATED_PKEY  -e never -c test_gns_lookup.conf
+gnunet-namestore -z delegatedego -d -n www -t A -V $TEST_IP  -e never -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+if [ "$RES_IP" = "$TEST_IP" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper IP, got $RES_IP, wanted $TEST_IP."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gnunet_gns.sh.in b/src/cli/gns/test_gnunet_gns.sh.in
new file mode 100755
index 000000000..d0c07b4e4
--- /dev/null
+++ b/src/cli/gns/test_gnunet_gns.sh.in
@@ -0,0 +1,47 @@
+#!/bin/bash
+# This file is in the public domain.
+# test -z being correct was a false assumption here.
+# I have no executable 'fooble', but this will
+# return 1:
+# if test -z "`which fooble`"; then echo 1; fi
+# The command builtin might not work with busybox's ash
+# but this works for now.
+dir=$(dirname "$0")
+
+existence() {
+  command -v "$1" >/dev/null 2>&1
+}
+
+LOCATION=`existence gnunet-config`
+if test -z $LOCATION; then
+    LOCATION="gnunet-config"
+fi
+$LOCATION --version
+if test $? != 0
+then
+    echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+    exit 77
+fi
+
+trap "gnunet-arm -e -c test_gns_lookup.conf" SIGINT
+ME=`whoami`
+if [ "$ME" != "root" ]
+then
+  echo "This test only works if run as root.  Skipping."
+  exit 77
+fi
+export PATH=".:$PATH"
+gnunet-service-gns -c gns.conf &
+sleep 1
+LO=`nslookup alice.gnu | grep Address | tail -n1`
+if [ "$LO" != "Address: 1.2.3.4" ]
+then
+ echo "Fail: $LO"
+fi
+LO=`nslookup www.bob.gnu | grep Address | tail -n1`
+if [ "$LO" != "Address: 4.5.6.7" ]
+then
+  echo "Fail: $LO"
+fi
+# XXX: jobs. a builtin by bash, netbsd sh, maybe leave it be for now.
+kill `jobs -p`
diff --git a/src/cli/gns/zonefiles/188JSUMKEF25GVU8TTV0PBNNN8JVCPUEDFV1UHJJU884JD25V0T0.zkey b/src/cli/gns/zonefiles/188JSUMKEF25GVU8TTV0PBNNN8JVCPUEDFV1UHJJU884JD25V0T0.zkey
new file mode 100644
index 000000000..895946037
--- /dev/null
+++ b/src/cli/gns/zonefiles/188JSUMKEF25GVU8TTV0PBNNN8JVCPUEDFV1UHJJU884JD25V0T0.zkey
diff --git a/src/cli/gns/zonefiles/J7POEUT41A8PBFS7KVVDRF88GBOU4HK8PSU5QKVLVE3R9T91E99G.zkey b/src/cli/gns/zonefiles/J7POEUT41A8PBFS7KVVDRF88GBOU4HK8PSU5QKVLVE3R9T91E99G.zkey
new file mode 100644
index 000000000..3ef49f0ac
--- /dev/null
+++ b/src/cli/gns/zonefiles/J7POEUT41A8PBFS7KVVDRF88GBOU4HK8PSU5QKVLVE3R9T91E99G.zkey
diff --git a/src/cli/gns/zonefiles/OEFL7A4VEF1B40QLEMTG5D8G1CN6EN16QUSG5R2DT71GRJN34LSG.zkey b/src/cli/gns/zonefiles/OEFL7A4VEF1B40QLEMTG5D8G1CN6EN16QUSG5R2DT71GRJN34LSG.zkey
new file mode 100644
index 000000000..89e0b3a0a
--- /dev/null
+++ b/src/cli/gns/zonefiles/OEFL7A4VEF1B40QLEMTG5D8G1CN6EN16QUSG5R2DT71GRJN34LSG.zkey
diff --git a/src/cli/gns/zonefiles/test_zonekey b/src/cli/gns/zonefiles/test_zonekey
new file mode 100644
index 000000000..870c56315
--- /dev/null
+++ b/src/cli/gns/zonefiles/test_zonekey