164 files changed, 28550 insertions, 0 deletions

diff --git a/src/cli/.gitignore b/src/cli/.gitignore
new file mode 100644
index 000000000..cedad92f1
--- /dev/null
+++ b/src/cli/.gitignore
@@ -0,0 +1,2 @@
+gnunet-revocation
+gnunet-revocation-tvg
diff --git a/src/cli/Makefile.am b/src/cli/Makefile.am
new file mode 100644
index 000000000..6ad6dd70a
--- /dev/null
+++ b/src/cli/Makefile.am
@@ -0,0 +1,21 @@
+SUBDIRS = \
+        util \
+        arm \
+        statistics \
+        peerstore \
+        core \
+        nat \
+        nat-auto \
+        nse \
+        datastore \
+        dht \
+        identity \
+        namecache \
+        namestore \
+        revocation \
+        vpn \
+        gns \
+        fs \
+        cadet \
+        reclaim \
+        messenger
diff --git a/src/cli/arm/.gitignore b/src/cli/arm/.gitignore
new file mode 100644
index 000000000..f010c20a1
--- /dev/null
+++ b/src/cli/arm/.gitignore
@@ -0,0 +1 @@
+gnunet-arm
diff --git a/src/cli/arm/Makefile.am b/src/cli/arm/Makefile.am
new file mode 100644
index 000000000..2d41ab141
--- /dev/null
+++ b/src/cli/arm/Makefile.am
@@ -0,0 +1,45 @@
+# This Makefile.am is in the public domain
+AM_CPPFLAGS = -I$(top_srcdir)/src/include
+
+pkgcfgdir= $(pkgdatadir)/config.d/
+
+libexecdir= $(pkglibdir)/libexec/
+
+if USE_COVERAGE
+  AM_CFLAGS = --coverage -O0
+  XLIB = -lgcov
+endif
+
+bin_PROGRAMS = \
+ gnunet-arm
+
+gnunet_arm_SOURCES = \
+ gnunet-arm.c
+gnunet_arm_LDADD = \
+  $(top_builddir)/src/service/arm/libgnunetarm.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(GN_LIBINTL)
+
+# FIXME the respective conf file now resides in service/arm/
+#if HAVE_PYTHON
+#check_SCRIPTS = \
+# test_gnunet_arm.py
+#endif
+
+if ENABLE_TEST_RUN
+AM_TESTS_ENVIRONMENT=export GNUNET_PREFIX=$${GNUNET_PREFIX:-@libdir@};export PATH=$${GNUNET_PREFIX:-@prefix@}/bin:$$PATH;unset XDG_DATA_HOME;unset XDG_CONFIG_HOME;
+TESTS = $(check_PROGRAMS)  $(check_SCRIPTS)
+endif
+
+#SUFFIXES = .py.in .py
+#.py.in.py:
+#       $(AWK) -v bdir="$(bindir)" -v py="$(PYTHON)" -v awkay="$(AWK_BINARY)" -v pfx="$(prefix)" -v prl="$(PERL)" -v sysconfdirectory="$(sysconfdir)" -v pkgdatadirectory="$(pkgdatadir)" -f $(top_srcdir)/scripts/dosubst.awk < $(srcdir)/$< > $@
+#       chmod +x $@
+#
+#test_gnunet_arm.py: test_gnunet_arm.py.in Makefile
+#       $(AWK) -v bdir="$(bindir)" -v py="$(PYTHON)" -v awkay="$(AWK_BINARY)" -v pfx="$(prefix)" -v prl="$(PERL)" -v sysconfdirectory="$(sysconfdir)" -v pkgdatadirectory="$(pkgdatadir)" -f $(top_srcdir)/scripts/dosubst.awk < $(srcdir)/test_gnunet_arm.py.in > test_gnunet_arm.py
+#       chmod +x test_gnunet_arm.py
+#
+#EXTRA_DIST = \
+#  test_arm_api_data.conf \
+#  test_gnunet_arm.py.in
diff --git a/src/cli/arm/gnunet-arm.c b/src/cli/arm/gnunet-arm.c
new file mode 100644
index 000000000..ea3a012ab
--- /dev/null
+++ b/src/cli/arm/gnunet-arm.c
@@ -0,0 +1,1065 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2009, 2012, 2013 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @file arm/gnunet-arm.c
+ * @brief arm for writing a tool
+ * @author Christian Grothoff
+ */
+#include "platform.h"
+#include "gnunet_arm_service.h"
+#include "gnunet_constants.h"
+#include "gnunet_util_lib.h"
+
+/**
+ * Set if we are to shutdown all services (including ARM).
+ */
+static int end;
+
+/**
+ * Set if we are to start default services (including ARM).
+ */
+static int start;
+
+/**
+ * Set if we are to stop/start default services (including ARM).
+ */
+static int restart;
+
+/**
+ * Set if we should delete configuration and temp directory on exit.
+ */
+static int delete;
+
+/**
+ * Set if we should not print status messages.
+ */
+static int quiet;
+
+/**
+ * Set if we should print all services, including stopped ones.
+ */
+static int show_all;
+
+/**
+ * Monitor ARM activity.
+ */
+static int monitor;
+
+/**
+ * Set if we should print a list of currently running services.
+ */
+static int list;
+
+/**
+ * Set to the name of a service to start.
+ */
+static char *init;
+
+/**
+ * Set to the name of a service to kill.
+ */
+static char *term;
+
+/**
+ * Set to the name of the config file used.
+ */
+static char *config_file;
+
+/**
+ * Set to the directory where runtime files are stored.
+ */
+static char *dir;
+
+/**
+ * Final status code.
+ */
+static int ret;
+
+/**
+ * Connection with ARM.
+ */
+static struct GNUNET_ARM_Handle *h;
+
+/**
+ * Monitor connection with ARM.
+ */
+static struct GNUNET_ARM_MonitorHandle *m;
+
+/**
+ * Our configuration.
+ */
+static struct GNUNET_CONFIGURATION_Handle *cfg;
+
+/**
+ * Processing stage that we are in.  Simple counter.
+ */
+static unsigned int phase;
+
+/**
+ * User defined timestamp for completing operations.
+ */
+static struct GNUNET_TIME_Relative timeout;
+
+/**
+ * Task to be run on timeout.
+ */
+static struct GNUNET_SCHEDULER_Task *timeout_task;
+
+/**
+ * Do we want to give our stdout to gnunet-service-arm?
+ */
+static int no_stdout;
+
+/**
+ * Do we want to give our stderr to gnunet-service-arm?
+ */
+static int no_stderr;
+
+/**
+ * Handle for the task running the #action_loop().
+ */
+static struct GNUNET_SCHEDULER_Task *al_task;
+
+/**
+ * Current operation.
+ */
+static struct GNUNET_ARM_Operation *op;
+
+/**
+ * Attempts to delete configuration file and GNUNET_HOME
+ * on ARM shutdown provided the end and delete options
+ * were specified when gnunet-arm was run.
+ */
+static void
+delete_files ()
+{
+  GNUNET_log (
+    GNUNET_ERROR_TYPE_DEBUG,
+    "Will attempt to remove configuration file %s and service directory %s\n",
+    config_file,
+    dir);
+  if (0 != unlink (config_file))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                _ ("Failed to remove configuration file %s\n"),
+                config_file);
+  }
+  if (GNUNET_OK != GNUNET_DISK_directory_remove (dir))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                _ ("Failed to remove servicehome directory %s\n"),
+                dir);
+  }
+}
+
+
+/**
+ * Main continuation-passing-style loop.  Runs the various
+ * jobs that we've been asked to do in order.
+ *
+ * @param cls closure, unused
+ */
+static void
+shutdown_task (void *cls)
+{
+  (void) cls;
+  if (NULL != al_task)
+  {
+    GNUNET_SCHEDULER_cancel (al_task);
+    al_task = NULL;
+  }
+  if (NULL != op)
+  {
+    GNUNET_ARM_operation_cancel (op);
+    op = NULL;
+  }
+  if (NULL != h)
+  {
+    GNUNET_ARM_disconnect (h);
+    h = NULL;
+  }
+  if (NULL != m)
+  {
+    GNUNET_ARM_monitor_stop (m);
+    m = NULL;
+  }
+  if (NULL != timeout_task)
+  {
+    GNUNET_SCHEDULER_cancel (timeout_task);
+    timeout_task = NULL;
+  }
+  if ( (GNUNET_YES == end) &&
+       (GNUNET_YES == delete) )
+    delete_files ();
+  GNUNET_CONFIGURATION_destroy (cfg);
+  cfg = NULL;
+}
+
+
+/**
+ * Returns a string interpretation of @a rs
+ *
+ * @param rs the request status from ARM
+ * @return a string interpretation of the request status
+ */
+static const char *
+req_string (enum GNUNET_ARM_RequestStatus rs)
+{
+  switch (rs)
+  {
+  case GNUNET_ARM_REQUEST_SENT_OK:
+    return _ ("Message was sent successfully");
+
+  case GNUNET_ARM_REQUEST_DISCONNECTED:
+    return _ ("We disconnected from ARM before we could send a request");
+  }
+  return _ ("Unknown request status");
+}
+
+
+/**
+ * Returns a string interpretation of the @a result
+ *
+ * @param result the arm result
+ * @return a string interpretation
+ */
+static const char *
+ret_string (enum GNUNET_ARM_Result result)
+{
+  switch (result)
+  {
+  case GNUNET_ARM_RESULT_STOPPED:
+    return _ ("is stopped");
+
+  case GNUNET_ARM_RESULT_STARTING:
+    return _ ("is starting");
+
+  case GNUNET_ARM_RESULT_STOPPING:
+    return _ ("is stopping");
+
+  case GNUNET_ARM_RESULT_IS_STARTING_ALREADY:
+    return _ ("is starting already");
+
+  case GNUNET_ARM_RESULT_IS_STOPPING_ALREADY:
+    return _ ("is stopping already");
+
+  case GNUNET_ARM_RESULT_IS_STARTED_ALREADY:
+    return _ ("is started already");
+
+  case GNUNET_ARM_RESULT_IS_STOPPED_ALREADY:
+    return _ ("is stopped already");
+
+  case GNUNET_ARM_RESULT_IS_NOT_KNOWN:
+    return _ ("service is not known to ARM");
+
+  case GNUNET_ARM_RESULT_START_FAILED:
+    return _ ("service failed to start");
+
+  case GNUNET_ARM_RESULT_IN_SHUTDOWN:
+    return _ ("service cannot be manipulated because ARM is shutting down");
+  }
+  return _ ("Unknown result code.");
+}
+
+
+/**
+ * Main task that runs our various operations in order.
+ *
+ * @param cls closure
+ */
+static void
+action_loop (void *cls);
+
+
+/**
+ * Function called whenever we connect to or disconnect from ARM.
+ * Termiantes the process if we fail to connect to the service on
+ * our first attempt.
+ *
+ * @param cls closure
+ * @param connected #GNUNET_YES if connected, #GNUNET_NO if disconnected,
+ *                  #GNUNET_SYSERR on error.
+ */
+static void
+conn_status (void *cls,
+             int connected)
+{
+  static int once;
+
+  (void) cls;
+  if ( (GNUNET_SYSERR == connected) &&
+       (0 == once) )
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                _ ("Fatal error initializing ARM API.\n"));
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  once = 1;
+}
+
+
+/**
+ * We have requested ARM to be started, this function
+ * is called with the result of the operation.  Informs the
+ * use of the result; on success, we continue with the event
+ * loop, on failure we terminate the process.
+ *
+ * @param cls closure unused
+ * @param rs what happened to our request
+ * @param result if the request was processed, this is the result
+ *               according to ARM
+ */
+static void
+start_callback (void *cls,
+                enum GNUNET_ARM_RequestStatus rs,
+                enum GNUNET_ARM_Result result)
+{
+  (void) cls;
+  op = NULL;
+  if (GNUNET_ARM_REQUEST_SENT_OK != rs)
+  {
+    fprintf (stdout,
+             _ ("Failed to start the ARM service: %s\n"),
+             req_string (rs));
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  if ((GNUNET_ARM_RESULT_STARTING != result) &&
+      (GNUNET_ARM_RESULT_IS_STARTED_ALREADY != result))
+  {
+    fprintf (stdout,
+             _ ("Failed to start the ARM service: %s\n"),
+             ret_string (result));
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "ARM service [re]start successful\n");
+  start = 0;
+  al_task = GNUNET_SCHEDULER_add_now (&action_loop,
+                                      NULL);
+}
+
+
+/**
+ * We have requested ARM to be stopped, this function
+ * is called with the result of the operation.  Informs the
+ * use of the result; on success, we continue with the event
+ * loop, on failure we terminate the process.
+ *
+ * @param cls closure unused
+ * @param rs what happened to our request
+ * @param result if the request was processed, this is the result
+ *               according to ARM
+ */
+static void
+stop_callback (void *cls,
+               enum GNUNET_ARM_RequestStatus rs,
+               enum GNUNET_ARM_Result result)
+{
+  char *msg;
+
+  (void) cls;
+  op = NULL;
+  if (GNUNET_ARM_REQUEST_SENT_OK != rs)
+  {
+    GNUNET_asprintf (&msg,
+                     "%s",
+                     _ (
+                       "Failed to send a stop request to the ARM service: %s\n"));
+    fprintf (stdout, msg, req_string (rs));
+    GNUNET_free (msg);
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  if ( (GNUNET_ARM_RESULT_STOPPING != result) &&
+       (GNUNET_ARM_RESULT_STOPPED != result) &&
+       (GNUNET_ARM_RESULT_IS_STOPPED_ALREADY != result) )
+  {
+    fprintf (stdout,
+             _ ("Failed to stop the ARM service: %s\n"),
+             ret_string (result));
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "ARM service shutdown successful\n");
+  end = 0;
+  if (restart)
+  {
+    restart = 0;
+    start = 1;
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Initiating an ARM restart\n");
+  }
+  al_task = GNUNET_SCHEDULER_add_now (&action_loop,
+                                      NULL);
+}
+
+
+/**
+ * We have requested a service to be started, this function
+ * is called with the result of the operation.  Informs the
+ * use of the result; on success, we continue with the event
+ * loop, on failure we terminate the process.
+ *
+ * @param cls closure unused
+ * @param rs what happened to our request
+ * @param result if the request was processed, this is the result
+ *               according to ARM
+ */
+static void
+init_callback (void *cls,
+               enum GNUNET_ARM_RequestStatus rs,
+               enum GNUNET_ARM_Result result)
+{
+  (void) cls;
+  op = NULL;
+  if (GNUNET_ARM_REQUEST_SENT_OK != rs)
+  {
+    fprintf (stdout,
+             _ ("Failed to send a request to start the `%s' service: %s\n"),
+             init,
+             req_string (rs));
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  if ((GNUNET_ARM_RESULT_STARTING != result) &&
+      (GNUNET_ARM_RESULT_IS_STARTED_ALREADY != result))
+  {
+    fprintf (stdout,
+             _ ("Failed to start the `%s' service: %s\n"),
+             init,
+             ret_string (result));
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Service %s [re]started successfully\n",
+              init);
+  GNUNET_free (init);
+  init = NULL;
+  al_task = GNUNET_SCHEDULER_add_now (&action_loop,
+                                      NULL);
+}
+
+
+/**
+ * We have requested a service to be stopped, this function
+ * is called with the result of the operation.  Informs the
+ * use of the result; on success, we continue with the event
+ * loop, on failure we terminate the process.
+ *
+ * @param cls closure unused
+ * @param rs what happened to our request
+ * @param result if the request was processed, this is the result
+ *               according to ARM
+ */
+static void
+term_callback (void *cls,
+               enum GNUNET_ARM_RequestStatus rs,
+               enum GNUNET_ARM_Result result)
+{
+  char *msg;
+
+  (void) cls;
+  op = NULL;
+  if (GNUNET_ARM_REQUEST_SENT_OK != rs)
+  {
+    GNUNET_asprintf (&msg,
+                     _ (
+                       "Failed to send a request to kill the `%s' service: %%s\n"),
+                     term);
+    fprintf (stdout,
+             msg,
+             req_string (rs));
+    GNUNET_free (msg);
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  if ( (GNUNET_ARM_RESULT_STOPPED != result) &&
+       (GNUNET_ARM_RESULT_IS_STOPPED_ALREADY != result) )
+  {
+    fprintf (stdout,
+             _ ("Failed to kill the `%s' service: %s\n"),
+             term,
+             ret_string (result));
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Service %s stopped successfully\n",
+              term);
+  GNUNET_free (term);
+  term = NULL;
+  al_task = GNUNET_SCHEDULER_add_now (&action_loop,
+                                      NULL);
+}
+
+
+/**
+ * Function called with the list of running services. Prints
+ * the list to stdout, then starts the event loop again.
+ * Prints an error message and terminates the process on errors.
+ *
+ * @param cls closure (unused)
+ * @param rs request status (success, failure, etc.)
+ * @param count number of services in the list
+ * @param list list of services managed by arm
+ */
+static void
+list_callback (void *cls,
+               enum GNUNET_ARM_RequestStatus rs,
+               unsigned int count,
+               const struct GNUNET_ARM_ServiceInfo *list)
+{
+  unsigned int num_stopped = 0;
+  unsigned int num_started = 0;
+  unsigned int num_stopping = 0;
+  unsigned int num_failed = 0;
+  unsigned int num_finished = 0;
+  (void) cls;
+  op = NULL;
+  if (GNUNET_ARM_REQUEST_SENT_OK != rs)
+  {
+    char *msg;
+
+    GNUNET_asprintf (&msg,
+                     "%s",
+                     _ ("Failed to request a list of services: %s\n"));
+    fprintf (stdout,
+             msg,
+             req_string (rs));
+    GNUNET_free (msg);
+    ret = 3;
+    GNUNET_SCHEDULER_shutdown ();
+  }
+  if (NULL == list)
+  {
+    fprintf (stderr,
+             "%s",
+             _ ("Error communicating with ARM. ARM not running?\n"));
+    GNUNET_SCHEDULER_shutdown ();
+    ret = 3;
+    return;
+  }
+  for (unsigned int i = 0; i < count; i++)
+  {
+    switch (list[i].status)
+    {
+    case GNUNET_ARM_SERVICE_STATUS_STOPPED:
+      num_stopped++;
+      break;
+    case GNUNET_ARM_SERVICE_STATUS_FAILED:
+      num_failed++;
+      break;
+    case GNUNET_ARM_SERVICE_STATUS_FINISHED:
+      num_finished++;
+      break;
+    case GNUNET_ARM_SERVICE_STATUS_STARTED:
+      num_started++;
+      break;
+    case GNUNET_ARM_SERVICE_STATUS_STOPPING:
+      num_stopping++;
+      fprintf (stdout,
+               "%s (binary='%s', status=stopping)\n",
+               list[i].name,
+               list[i].binary);
+      break;
+    default:
+      GNUNET_break_op (0);
+      fprintf (stdout,
+               "%s (binary='%s', status=unknown)\n",
+               list[i].name,
+               list[i].binary);
+      break;
+    }
+  }
+  if (! quiet)
+  {
+    if (show_all)
+      fprintf (stdout,
+               "%s",
+               _ ("All services:\n"));
+    else
+      fprintf (stdout,
+               "%s",
+               _ ("Services (excluding stopped services):\n"));
+    if (num_stopped || num_failed || num_finished || num_stopping ||
+        num_started)
+    {
+      int sep = 0;
+      fprintf (stdout, "(");
+      if (0 != num_started)
+      {
+        if (sep)
+          fprintf (stdout, " / ");
+        fprintf (stdout,
+                 "started: %u",
+                 num_started);
+        sep = 1;
+      }
+      if (0 != num_failed)
+      {
+        if (sep)
+          fprintf (stdout, " / ");
+        fprintf (stdout,
+                 "failed: %u",
+                 num_failed);
+        sep = 1;
+      }
+      if (0 != num_stopping)
+      {
+        if (sep)
+          fprintf (stdout, " / ");
+        fprintf (stdout,
+                 "stopping: %u",
+                 num_stopping);
+        sep = 1;
+      }
+      if (0 != num_stopped)
+      {
+        if (sep)
+          fprintf (stdout, " / ");
+        fprintf (stdout,
+                 "stopped: %u",
+                 num_stopped);
+        sep = 1;
+      }
+      if (0 != num_finished)
+      {
+        if (sep)
+          fprintf (stdout, " / ");
+        fprintf (stdout,
+                 "finished: %u",
+                 num_finished);
+        sep = 1;
+      }
+      fprintf (stdout, ")\n");
+    }
+    else
+    {
+      fprintf (stdout,
+               "%s",
+               _ ("(No services configured.)\n"));
+    }
+  }
+  for (unsigned int i = 0; i < count; i++)
+  {
+    struct GNUNET_TIME_Relative restart_in;
+    switch (list[i].status)
+    {
+    case GNUNET_ARM_SERVICE_STATUS_STOPPED:
+      if (show_all)
+        fprintf (stdout,
+                 "%s (binary='%s', status=stopped)\n",
+                 list[i].name,
+                 list[i].binary);
+      break;
+    case GNUNET_ARM_SERVICE_STATUS_FAILED:
+      restart_in = GNUNET_TIME_absolute_get_remaining (list[i].restart_at);
+      fprintf (stdout,
+               "%s (binary='%s', status=failed, exit_status=%d, restart_delay='%s')\n",
+               list[i].name,
+               list[i].binary,
+               list[i].last_exit_status,
+               GNUNET_STRINGS_relative_time_to_string (restart_in,
+                                                       GNUNET_YES));
+      break;
+    case GNUNET_ARM_SERVICE_STATUS_FINISHED:
+      fprintf (stdout,
+               "%s (binary='%s', status=finished)\n",
+               list[i].name,
+               list[i].binary);
+      break;
+    case GNUNET_ARM_SERVICE_STATUS_STARTED:
+      fprintf (stdout,
+               "%s (binary='%s', status=started)\n",
+               list[i].name,
+               list[i].binary);
+      break;
+    case GNUNET_ARM_SERVICE_STATUS_STOPPING:
+      fprintf (stdout,
+               "%s (binary='%s', status=stopping)\n",
+               list[i].name,
+               list[i].binary);
+      break;
+    default:
+      GNUNET_break_op (0);
+      fprintf (stdout,
+               "%s (binary='%s', status=unknown)\n",
+               list[i].name,
+               list[i].binary);
+      break;
+    }
+  }
+  al_task = GNUNET_SCHEDULER_add_now (&action_loop,
+                                      NULL);
+}
+
+
+/**
+ * Main action loop.  Runs the various jobs that we've been asked to
+ * do, in order.
+ *
+ * @param cls closure, unused
+ */
+static void
+action_loop (void *cls)
+{
+  (void) cls;
+  al_task = NULL;
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Running requested actions\n");
+  while (1)
+  {
+    switch (phase++)
+    {
+    case 0:
+      if (NULL != term)
+      {
+        GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                    "Termination action\n");
+        op = GNUNET_ARM_request_service_stop (h,
+                                              term,
+                                              &term_callback,
+                                              NULL);
+        return;
+      }
+      break;
+
+    case 1:
+      if (end || restart)
+      {
+        if (GNUNET_YES !=
+            GNUNET_CLIENT_test (cfg,
+                                "arm"))
+        {
+          GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                      "GNUnet not running, cannot stop the peer\n");
+        }
+        else
+        {
+          GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                      "End action\n");
+          op = GNUNET_ARM_request_service_stop (h,
+                                                "arm",
+                                                &stop_callback,
+                                                NULL);
+          return;
+        }
+      }
+      break;
+
+    case 2:
+      if (start)
+      {
+        GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                    "Start action\n");
+        op =
+          GNUNET_ARM_request_service_start (h,
+                                            "arm",
+                                            (no_stdout
+                                             ? 0
+                                             : GNUNET_OS_INHERIT_STD_OUT)
+                                            | (no_stderr
+                                               ? 0
+                                               : GNUNET_OS_INHERIT_STD_ERR),
+                                            &start_callback,
+                                            NULL);
+        return;
+      }
+      break;
+
+    case 3:
+      if (NULL != init)
+      {
+        GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                    "Initialization action\n");
+        op = GNUNET_ARM_request_service_start (h,
+                                               init,
+                                               GNUNET_OS_INHERIT_STD_NONE,
+                                               &init_callback,
+                                               NULL);
+        return;
+      }
+      break;
+
+    case 4:
+      if (list)
+      {
+        GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                    "Going to list all running services controlled by ARM.\n");
+        op = GNUNET_ARM_request_service_list (h,
+                                              &list_callback,
+                                              &list);
+        return;
+      }
+      break;
+
+    case 5:
+      if (monitor)
+      {
+        if (! quiet)
+          fprintf (stderr,
+                   _ ("Now only monitoring, press CTRL-C to stop.\n"));
+        quiet =
+          0;       /* does not make sense to stay quiet in monitor mode at this time */
+        return;       /* done with tasks, just monitor */
+      }
+      break;
+
+    default:     /* last phase */
+      GNUNET_SCHEDULER_shutdown ();
+      return;
+    }
+  }
+}
+
+
+/**
+ * Function called when a service starts or stops.
+ *
+ * @param cls closure
+ * @param service service name
+ * @param status status of the service
+ */
+static void
+srv_status (void *cls,
+            const char *service,
+            enum GNUNET_ARM_ServiceMonitorStatus status)
+{
+  const char *msg;
+
+  (void) cls;
+  switch (status)
+  {
+  case GNUNET_ARM_SERVICE_MONITORING_STARTED:
+    return;   /* this should be done silently */
+
+  case GNUNET_ARM_SERVICE_STOPPED:
+    msg = _ ("Stopped %s.\n");
+    break;
+
+  case GNUNET_ARM_SERVICE_STARTING:
+    msg = _ ("Starting %s...\n");
+    break;
+
+  case GNUNET_ARM_SERVICE_STOPPING:
+    msg = _ ("Stopping %s...\n");
+    break;
+
+  default:
+    msg = NULL;
+    break;
+  }
+  if (! quiet)
+  {
+    if (NULL != msg)
+      fprintf (stderr,
+               msg,
+               service);
+    else
+      fprintf (stderr,
+               _ ("Unknown status %u for service %s.\n"),
+               status,
+               service);
+  }
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Got service %s status %d\n",
+              service,
+              (int) status);
+}
+
+
+/**
+ * Task run on timeout (if -T is given).
+ */
+static void
+timeout_task_cb (void *cls)
+{
+  (void) cls;
+  timeout_task = NULL;
+  ret = 2;
+  GNUNET_SCHEDULER_shutdown ();
+}
+
+
+/**
+ * Main function that will be run by the scheduler.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param c configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *c)
+{
+  (void) cls;
+  (void) args;
+  (void) cfgfile;
+  cfg = GNUNET_CONFIGURATION_dup (c);
+  if (GNUNET_OK !=
+      GNUNET_CONFIGURATION_get_value_string (cfg,
+                                             "PATHS",
+                                             "GNUNET_HOME",
+                                             &dir))
+  {
+    GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
+                               "PATHS",
+                               "GNUNET_HOME");
+    return;
+  }
+  (void) GNUNET_CONFIGURATION_get_value_filename (cfg,
+                                                  "arm",
+                                                  "CONFIG",
+                                                  &config_file);
+  if (NULL == (h = GNUNET_ARM_connect (cfg,
+                                       &conn_status,
+                                       NULL)))
+    return;
+  if (monitor)
+    m = GNUNET_ARM_monitor_start (cfg,
+                                  &srv_status,
+                                  NULL);
+  al_task = GNUNET_SCHEDULER_add_now (&action_loop,
+                                      NULL);
+  GNUNET_SCHEDULER_add_shutdown (&shutdown_task,
+                                 NULL);
+  if (0 != timeout.rel_value_us)
+    timeout_task =
+      GNUNET_SCHEDULER_add_delayed (timeout,
+                                    &timeout_task_cb,
+                                    NULL);
+}
+
+
+/**
+ * The main function to obtain arm from gnunetd.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error, 2 on timeout
+ */
+int
+main (int argc, char *const *argv)
+{
+  struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_option_flag ('e',
+                               "end",
+                               gettext_noop ("stop all GNUnet services"),
+                               &end),
+    GNUNET_GETOPT_option_string ('i',
+                                 "init",
+                                 "SERVICE",
+                                 gettext_noop ("start a particular service"),
+                                 &init),
+    GNUNET_GETOPT_option_string ('k',
+                                 "kill",
+                                 "SERVICE",
+                                 gettext_noop ("stop a particular service"),
+                                 &term),
+    GNUNET_GETOPT_option_flag ('a',
+                               "all",
+                               gettext_noop (
+                                 "also show stopped services (used with -I)"),
+                               &show_all),
+    GNUNET_GETOPT_option_flag ('s',
+                               "start",
+                               gettext_noop (
+                                 "start all GNUnet default services"),
+                               &start),
+    GNUNET_GETOPT_option_flag ('r',
+                               "restart",
+                               gettext_noop (
+                                 "stop and start all GNUnet default services"),
+                               &restart),
+    GNUNET_GETOPT_option_flag ('d',
+                               "delete",
+                               gettext_noop (
+                                 "delete config file and directory on exit"),
+                               &delete),
+    GNUNET_GETOPT_option_flag ('m',
+                               "monitor",
+                               gettext_noop ("monitor ARM activities"),
+                               &monitor),
+    GNUNET_GETOPT_option_flag ('q',
+                               "quiet",
+                               gettext_noop ("don't print status messages"),
+                               &quiet),
+    GNUNET_GETOPT_option_relative_time (
+      'T',
+      "timeout",
+      "DELAY",
+      gettext_noop (
+        "exit with error status if operation does not finish after DELAY"),
+      &timeout),
+    GNUNET_GETOPT_option_flag ('I',
+                               "info",
+                               gettext_noop (
+                                 "list currently running services"),
+                               &list),
+    GNUNET_GETOPT_option_flag (
+      'O',
+      "no-stdout",
+      gettext_noop ("don't let gnunet-service-arm inherit standard output"),
+      &no_stdout),
+    GNUNET_GETOPT_option_flag (
+      'E',
+      "no-stderr",
+      gettext_noop ("don't let gnunet-service-arm inherit standard error"),
+      &no_stderr),
+    GNUNET_GETOPT_OPTION_END
+  };
+  int lret;
+
+  if (GNUNET_OK !=
+      GNUNET_STRINGS_get_utf8_args (argc,
+                                    argv,
+                                    &argc,
+                                    &argv))
+    return 2;
+  if (GNUNET_OK ==
+      (lret = GNUNET_PROGRAM_run (
+         argc,
+         argv,
+         "gnunet-arm",
+         gettext_noop (
+           "Control services and the Automated Restart Manager (ARM)"),
+         options,
+         &run,
+         NULL)))
+  {
+    GNUNET_free_nz ((void *) argv);
+    return ret;
+  }
+  GNUNET_free_nz ((void *) argv);
+  return lret;
+}
+
+
+/* end of gnunet-arm.c */
diff --git a/src/cli/arm/meson.build b/src/cli/arm/meson.build
new file mode 100644
index 000000000..a50e47ee9
--- /dev/null
+++ b/src/cli/arm/meson.build
@@ -0,0 +1,8 @@
+gnunetarm_src = ['gnunet-arm.c']
+
+executable ('gnunet-arm',
+            gnunetarm_src,
+            dependencies: [libgnunetarm_dep, libgnunetutil_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
diff --git a/src/cli/cadet/.gitignore b/src/cli/cadet/.gitignore
new file mode 100644
index 000000000..bcd7158aa
--- /dev/null
+++ b/src/cli/cadet/.gitignore
@@ -0,0 +1 @@
+gnunet-cadet
diff --git a/src/cli/cadet/Makefile.am b/src/cli/cadet/Makefile.am
new file mode 100644
index 000000000..fc9caa12c
--- /dev/null
+++ b/src/cli/cadet/Makefile.am
@@ -0,0 +1,26 @@
+# This Makefile.am is in the public domain
+AM_CPPFLAGS = -I$(top_srcdir)/src/include
+
+if USE_COVERAGE
+  AM_CFLAGS = --coverage -O0
+  XLIB = -lgcov
+endif
+
+pkgcfgdir= $(pkgdatadir)/config.d/
+
+libexecdir= $(pkglibdir)/libexec/
+
+plugindir = $(libdir)/gnunet
+
+AM_CLFAGS = -g
+
+bin_PROGRAMS = \
+ gnunet-cadet
+
+gnunet_cadet_SOURCES = \
+  gnunet-cadet.c
+gnunet_cadet_LDADD = \
+  $(top_builddir)/src/service/cadet/libgnunetcadet.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la
+gnunet_cadet_LDFLAGS = \
+  $(GN_LIBINTL)
diff --git a/src/cli/cadet/gnunet-cadet.c b/src/cli/cadet/gnunet-cadet.c
new file mode 100644
index 000000000..c77fb914c
--- /dev/null
+++ b/src/cli/cadet/gnunet-cadet.c
@@ -0,0 +1,851 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2012, 2017, 2019 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @file cadet/gnunet-cadet.c
+ * @brief Print information about cadet tunnels and peers.
+ * @author Bartlomiej Polot
+ * @author Christian Grothoff
+ */
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include "gnunet_cadet_service.h"
+#include "../../service/cadet/cadet.h" // FIXME Smell: this should not be shared like this.
+
+#define STREAM_BUFFER_SIZE 1024 // Pakets
+
+/**
+ * Option -P.
+ */
+static int request_peers;
+
+/**
+ * Option --peer
+ */
+static char *peer_id;
+
+/**
+ * Option -T.
+ */
+static int request_tunnels;
+
+/**
+ * Option --connection
+ */
+static char *conn_id;
+
+/**
+ * Option --channel
+ */
+static char *channel_id;
+
+/**
+ * Port to listen on (-o).
+ */
+static char *listen_port;
+
+/**
+ * Request echo service
+ */
+static int echo;
+
+/**
+ * Time of last echo request.
+ */
+static struct GNUNET_TIME_Absolute echo_time;
+
+/**
+ * Task for next echo request.
+ */
+static struct GNUNET_SCHEDULER_Task *echo_task;
+
+/**
+ * Peer to connect to.
+ */
+static char *target_id;
+
+/**
+ * Port to connect to
+ */
+static char *target_port = "default";
+
+/**
+ * Cadet handle.
+ */
+static struct GNUNET_CADET_Handle *mh;
+
+/**
+ * Our configuration.
+ */
+static const struct GNUNET_CONFIGURATION_Handle *my_cfg;
+
+/**
+ * Active get path operation.
+ */
+static struct GNUNET_CADET_GetPath *gpo;
+
+/**
+ * Active peer listing operation.
+ */
+static struct GNUNET_CADET_PeersLister *plo;
+
+/**
+ * Active tunnel listing operation.
+ */
+static struct GNUNET_CADET_ListTunnels *tio;
+
+/**
+ * Channel handle.
+ */
+static struct GNUNET_CADET_Channel *ch;
+
+/**
+ * HashCode of the given port string
+ */
+static struct GNUNET_HashCode porthash;
+
+/**
+ * Data structure for ongoing reception of incoming virtual circuits.
+ */
+struct GNUNET_CADET_Port *lp;
+
+/**
+ * Task for reading from stdin.
+ */
+static struct GNUNET_SCHEDULER_Task *rd_task;
+
+/**
+ * Task for main job.
+ */
+static struct GNUNET_SCHEDULER_Task *job;
+
+static unsigned int sent_pkt;
+
+
+/**
+ * Wait for input on STDIO and send it out over the #ch.
+ */
+static void
+listen_stdio (void);
+
+
+/**
+ * Convert encryption status to human readable string.
+ *
+ * @param status Encryption status.
+ *
+ * @return Human readable string.
+ */
+static const char *
+enc_2s (uint16_t status)
+{
+  switch (status)
+  {
+  case 0:
+    return "NULL ";
+
+  case 1:
+    return "KSENT";
+
+  case 2:
+    return "KRECV";
+
+  case 3:
+    return "READY";
+
+  default:
+    return "";
+  }
+}
+
+
+/**
+ * Convert connection status to human readable string.
+ *
+ * @param status Connection status.
+ *
+ * @return Human readable string.
+ */
+static const char *
+conn_2s (uint16_t status)
+{
+  switch (status)
+  {
+  case 0:
+    return "NEW  ";
+
+  case 1:
+    return "SRCH ";
+
+  case 2:
+    return "WAIT ";
+
+  case 3:
+    return "READY";
+
+  case 4:
+    return "SHUTD";
+
+  default:
+    return "";
+  }
+}
+
+
+/**
+ * Task to shut down this application.
+ *
+ * @param cls Closure (unused).
+ */
+static void
+shutdown_task (void *cls)
+{
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Shutdown\n");
+  if (NULL != lp)
+  {
+    GNUNET_CADET_close_port (lp);
+    lp = NULL;
+  }
+  if (NULL != ch)
+  {
+    GNUNET_CADET_channel_destroy (ch);
+    ch = NULL;
+  }
+  if (NULL != gpo)
+  {
+    GNUNET_CADET_get_path_cancel (gpo);
+    gpo = NULL;
+  }
+  if (NULL != plo)
+  {
+    GNUNET_CADET_list_peers_cancel (plo);
+    plo = NULL;
+  }
+  if (NULL != tio)
+  {
+    GNUNET_CADET_list_tunnels_cancel (tio);
+    tio = NULL;
+  }
+  if (NULL != mh)
+  {
+    GNUNET_CADET_disconnect (mh);
+    mh = NULL;
+  }
+  if (NULL != rd_task)
+  {
+    GNUNET_SCHEDULER_cancel (rd_task);
+    rd_task = NULL;
+  }
+  if (NULL != echo_task)
+  {
+    GNUNET_SCHEDULER_cancel (echo_task);
+    echo_task = NULL;
+  }
+  if (NULL != job)
+  {
+    GNUNET_SCHEDULER_cancel (job);
+    job = NULL;
+  }
+}
+
+
+void
+mq_cb (void *cls)
+{
+  listen_stdio ();
+}
+
+
+/**
+ * Task run in stdio mode, after some data is available at stdin.
+ *
+ * @param cls Closure (unused).
+ */
+static void
+read_stdio (void *cls)
+{
+  struct GNUNET_MQ_Envelope *env;
+  struct GNUNET_MessageHeader *msg;
+  char buf[60000];
+  ssize_t data_size;
+
+  rd_task = NULL;
+  data_size = read (0, buf, 60000);
+  if (data_size < 1)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "read() returned  %s\n",
+                strerror (errno));
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Read %u bytes from stdio\n",
+              (unsigned int) data_size);
+  env = GNUNET_MQ_msg_extra (msg, data_size, GNUNET_MESSAGE_TYPE_CADET_CLI);
+  GNUNET_memcpy (&msg[1], buf, data_size);
+  GNUNET_MQ_send (GNUNET_CADET_get_mq (ch), env);
+
+  sent_pkt++;
+
+  if (GNUNET_NO == echo)
+  {
+    // Use MQ's notification if too much data of stdin is pooring in too fast.
+    if (STREAM_BUFFER_SIZE < sent_pkt)
+    {
+      GNUNET_MQ_notify_sent (env, mq_cb, cls);
+      sent_pkt = 0;
+    }
+    else
+    {
+      listen_stdio ();
+    }
+  }
+  else
+  {
+    echo_time = GNUNET_TIME_absolute_get ();
+  }
+}
+
+
+/**
+ * Wait for input on STDIO and send it out over the #ch.
+ */
+static void
+listen_stdio ()
+{
+  struct GNUNET_NETWORK_FDSet *rs;
+
+  /* FIXME: why use 'rs' here, seems overly complicated... */
+  rs = GNUNET_NETWORK_fdset_create ();
+  GNUNET_NETWORK_fdset_set_native (rs, 0);  /* STDIN */
+  rd_task = GNUNET_SCHEDULER_add_select (GNUNET_SCHEDULER_PRIORITY_DEFAULT,
+                                         GNUNET_TIME_UNIT_FOREVER_REL,
+                                         rs,
+                                         NULL,
+                                         &read_stdio,
+                                         NULL);
+  GNUNET_NETWORK_fdset_destroy (rs);
+}
+
+
+/**
+ * Function called whenever a channel is destroyed.  Should clean up
+ * any associated state.
+ *
+ * It must NOT call #GNUNET_CADET_channel_destroy on the channel.
+ *
+ * @param cls closure
+ * @param channel connection to the other end (henceforth invalid)
+ */
+static void
+channel_ended (void *cls, const struct GNUNET_CADET_Channel *channel)
+{
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Channel ended!\n");
+  GNUNET_assert (channel == ch);
+  ch = NULL;
+  GNUNET_SCHEDULER_shutdown ();
+}
+
+
+/**
+ * Method called whenever another peer has added us to a channel
+ * the other peer initiated.
+ * Only called (once) upon reception of data with a message type which was
+ * subscribed to in #GNUNET_CADET_connect.
+ *
+ * A call to #GNUNET_CADET_channel_destroy causes the channel to be ignored.
+ * In this case the handler MUST return NULL.
+ *
+ * @param cls closure
+ * @param channel new handle to the channel
+ * @param initiator peer that started the channel
+ * @return initial channel context for the channel, we use @a channel
+ */
+static void *
+channel_incoming (void *cls,
+                  struct GNUNET_CADET_Channel *channel,
+                  const struct GNUNET_PeerIdentity *initiator)
+{
+  GNUNET_log (GNUNET_ERROR_TYPE_MESSAGE,
+              "Incoming connection from %s\n",
+              GNUNET_i2s_full (initiator));
+  GNUNET_assert (NULL == ch);
+  GNUNET_assert (NULL != lp);
+  GNUNET_CADET_close_port (lp);
+  lp = NULL;
+  ch = channel;
+  if (GNUNET_NO == echo)
+    listen_stdio ();
+  return channel;
+}
+
+
+/**
+ * @brief Send an echo request to the remote peer.
+ *
+ * @param cls Closure (NULL).
+ */
+static void
+send_echo (void *cls)
+{
+  struct GNUNET_MQ_Envelope *env;
+  struct GNUNET_MessageHeader *msg;
+
+  echo_task = NULL;
+  if (NULL == ch)
+    return;
+  env = GNUNET_MQ_msg (msg, GNUNET_MESSAGE_TYPE_CADET_CLI);
+  GNUNET_MQ_send (GNUNET_CADET_get_mq (ch), env);
+}
+
+
+/**
+ * Check data message sanity. Does nothing so far (all messages are OK).
+ *
+ * @param cls Closure (unused).
+ * @param message The message to check.
+ * @return #GNUNET_OK to keep the channel open,
+ *         #GNUNET_SYSERR to close it (signal serious error).
+ */
+static int
+check_data (void *cls, const struct GNUNET_MessageHeader *message)
+{
+  return GNUNET_OK; /* all is well-formed */
+}
+
+
+/**
+ * Function called whenever a message is received.
+ *
+ * Each time the function must call #GNUNET_CADET_receive_done on the channel
+ * in order to receive the next message. This doesn't need to be immediate:
+ * can be delayed if some processing is done on the message.
+ *
+ * @param cls NULL
+ * @param message The actual message.
+ */
+static void
+handle_data (void *cls, const struct GNUNET_MessageHeader *message)
+{
+  size_t payload_size = ntohs (message->size) - sizeof(*message);
+  uint16_t len;
+  ssize_t done;
+  uint16_t off;
+  const char *buf;
+
+  GNUNET_CADET_receive_done (ch);
+  if (GNUNET_YES == echo)
+  {
+    if (NULL != listen_port)
+    {
+      struct GNUNET_MQ_Envelope *env;
+      struct GNUNET_MessageHeader *msg;
+
+      env =
+        GNUNET_MQ_msg_extra (msg, payload_size, GNUNET_MESSAGE_TYPE_CADET_CLI);
+      GNUNET_memcpy (&msg[1], &message[1], payload_size);
+      GNUNET_MQ_send (GNUNET_CADET_get_mq (ch), env);
+      return;
+    }
+    else
+    {
+      struct GNUNET_TIME_Relative latency;
+
+      latency = GNUNET_TIME_absolute_get_duration (echo_time);
+      echo_time = GNUNET_TIME_UNIT_FOREVER_ABS;
+      GNUNET_log (GNUNET_ERROR_TYPE_MESSAGE,
+                  "time: %s\n",
+                  GNUNET_STRINGS_relative_time_to_string (latency, GNUNET_NO));
+      echo_task = GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_UNIT_SECONDS,
+                                                &send_echo,
+                                                NULL);
+    }
+  }
+
+  len = ntohs (message->size) - sizeof(*message);
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Got %u bytes\n", len);
+  buf = (const char *) &message[1];
+  off = 0;
+  while (off < len)
+  {
+    done = write (1, &buf[off], len - off);
+    if (done <= 0)
+    {
+      if (-1 == done)
+        GNUNET_log_strerror (GNUNET_ERROR_TYPE_WARNING, "write");
+      GNUNET_SCHEDULER_shutdown ();
+      return;
+    }
+    off += done;
+  }
+}
+
+
+/**
+ * Method called to retrieve information about all peers in CADET, called
+ * once per peer.
+ *
+ * After last peer has been reported, an additional call with NULL is done.
+ *
+ * @param cls Closure.
+ * @param ple information about peer, or NULL on "EOF".
+ */
+static void
+peers_callback (void *cls, const struct GNUNET_CADET_PeerListEntry *ple)
+{
+  if (NULL == ple)
+  {
+    plo = NULL;
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  fprintf (stdout,
+           "%s tunnel: %c, paths: %u\n",
+           GNUNET_i2s_full (&ple->peer),
+           ple->have_tunnel ? 'Y' : 'N',
+           ple->n_paths);
+}
+
+
+/**
+ * Method called to retrieve information about paths to a specific peer
+ * known to the service.
+ *
+ * @param cls Closure.
+ * @param ppd path detail
+ */
+static void
+path_callback (void *cls, const struct GNUNET_CADET_PeerPathDetail *ppd)
+{
+  if (NULL == ppd)
+  {
+    gpo = NULL;
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  fprintf (stdout, "Path of length %u: ", ppd->path_length);
+  for (unsigned int i = 0; i < ppd->path_length; i++)
+    fprintf (stdout,
+             (i == ppd->target_offset) ? "*%s* " : "%s ",
+             GNUNET_i2s (&ppd->path[i]));
+  fprintf (stdout, "\n");
+}
+
+
+/**
+ * Method called to retrieve information about all tunnels in CADET.
+ *
+ * @param cls Closure.
+ * @param td tunnel details
+ */
+static void
+tunnels_callback (void *cls, const struct GNUNET_CADET_TunnelDetails *td)
+{
+  if (NULL == td)
+  {
+    tio = NULL;
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  fprintf (stdout,
+           "%s [ENC: %s, CON: %s] CHs: %u, CONNs: %u\n",
+           GNUNET_i2s_full (&td->peer),
+           enc_2s (td->estate),
+           conn_2s (td->cstate),
+           td->channels,
+           td->connections);
+}
+
+
+/**
+ * Call CADET's meta API, get all peers known to a peer.
+ *
+ * @param cls Closure (unused).
+ */
+static void
+get_peers (void *cls)
+{
+  job = NULL;
+  plo = GNUNET_CADET_list_peers (my_cfg, &peers_callback, NULL);
+}
+
+
+/**
+ * Call CADET's monitor API, get info of one peer.
+ *
+ * @param cls Closure (unused).
+ */
+static void
+show_peer (void *cls)
+{
+  struct GNUNET_PeerIdentity pid;
+
+  job = NULL;
+  if (GNUNET_OK != GNUNET_CRYPTO_eddsa_public_key_from_string (peer_id,
+                                                               strlen (peer_id),
+                                                               &pid.public_key))
+  {
+    fprintf (stderr, _ ("Invalid peer ID `%s'\n"), peer_id);
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  gpo = GNUNET_CADET_get_path (my_cfg, &pid, &path_callback, NULL);
+}
+
+
+/**
+ * Call CADET's meta API, get all tunnels known to a peer.
+ *
+ * @param cls Closure (unused).
+ */
+static void
+get_tunnels (void *cls)
+{
+  job = NULL;
+  tio = GNUNET_CADET_list_tunnels (my_cfg, &tunnels_callback, NULL);
+}
+
+
+/**
+ * Call CADET's monitor API, get info of one channel.
+ *
+ * @param cls Closure (unused).
+ */
+static void
+show_channel (void *cls)
+{
+  job = NULL;
+  GNUNET_break (0);
+}
+
+
+/**
+ * Call CADET's monitor API, get info of one connection.
+ *
+ * @param cls Closure (unused).
+ */
+static void
+show_connection (void *cls)
+{
+  job = NULL;
+  GNUNET_break (0);
+}
+
+
+/**
+ * Main function that will be run by the scheduler.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param cfg configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  struct GNUNET_MQ_MessageHandler handlers[] =
+  { GNUNET_MQ_hd_var_size (data,
+                           GNUNET_MESSAGE_TYPE_CADET_CLI,
+                           struct GNUNET_MessageHeader,
+                           NULL),
+    GNUNET_MQ_handler_end () };
+
+  /* FIXME add option to monitor apps */
+  my_cfg = cfg;
+  target_id = args[0];
+  if (target_id && args[1])
+    target_port = args[1];
+
+  if (((0 != (request_peers | request_tunnels)) || (NULL != conn_id) ||
+       (NULL != channel_id) ) &&
+      (target_id != NULL) )
+  {
+    fprintf (stderr,
+             _ ("Extra arguments are not applicable "
+                "in combination with this option.\n"));
+    return;
+  }
+
+  if (NULL != peer_id)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Show peer\n");
+    job = GNUNET_SCHEDULER_add_now (&show_peer, NULL);
+  }
+  else if (NULL != channel_id)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Show channel\n");
+    job = GNUNET_SCHEDULER_add_now (&show_channel, NULL);
+  }
+  else if (NULL != conn_id)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Show connection\n");
+    job = GNUNET_SCHEDULER_add_now (&show_connection, NULL);
+  }
+  else if (GNUNET_YES == request_peers)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Show all peers\n");
+    job = GNUNET_SCHEDULER_add_now (&get_peers, NULL);
+  }
+  else if (GNUNET_YES == request_tunnels)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Show all tunnels\n");
+    job = GNUNET_SCHEDULER_add_now (&get_tunnels, NULL);
+  }
+
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Connecting to CADET service\n");
+  mh = GNUNET_CADET_connect (cfg);
+  GNUNET_SCHEDULER_add_shutdown (&shutdown_task, NULL);
+  if (NULL == mh)
+  {
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  if (NULL != listen_port)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Opening CADET listen port\n");
+    GNUNET_CRYPTO_hash (listen_port, strlen (listen_port), &porthash);
+    lp = GNUNET_CADET_open_port (mh,
+                                 &porthash,
+                                 &channel_incoming,
+                                 NULL,
+                                 NULL /* window changes */,
+                                 &channel_ended,
+                                 handlers);
+  }
+  if (NULL != target_id)
+  {
+    struct GNUNET_PeerIdentity pid;
+
+    if (GNUNET_OK !=
+        GNUNET_CRYPTO_eddsa_public_key_from_string (target_id,
+                                                    strlen (target_id),
+                                                    &pid.public_key))
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_MESSAGE,
+                  _ ("Invalid target `%s'\n"),
+                  target_id);
+      GNUNET_SCHEDULER_shutdown ();
+      return;
+    }
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Connecting to `%s:%s'\n",
+                target_id,
+                target_port);
+    GNUNET_CRYPTO_hash (target_port, strlen (target_port), &porthash);
+    ch = GNUNET_CADET_channel_create (mh,
+                                      NULL,
+                                      &pid,
+                                      &porthash,
+                                      NULL /* window changes */,
+                                      &channel_ended,
+                                      handlers);
+    if (GNUNET_YES == echo)
+    {
+      echo_task = GNUNET_SCHEDULER_add_now (&send_echo, NULL);
+    }
+    else
+    {
+      listen_stdio ();
+    }
+  }
+
+  if ((NULL == lp) && (NULL == job) && (NULL == ch))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_MESSAGE, _ ("No action requested\n"));
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+}
+
+
+/**
+ * The main function to obtain peer information.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc, char *const *argv)
+{
+  int res;
+  const char helpstr[] =
+    "Create tunnels and retrieve info about CADET's status.";
+  struct GNUNET_GETOPT_CommandLineOption options[] = {  /* I would use the terminology 'circuit' here...  --lynX */
+    GNUNET_GETOPT_option_string (
+      'C',
+      "connection",
+      "CONNECTION_ID",
+      gettext_noop ("Provide information about a particular connection"),
+      &conn_id),
+    GNUNET_GETOPT_option_flag ('e',
+                               "echo",
+                               gettext_noop ("Activate echo mode"),
+                               &echo),
+    GNUNET_GETOPT_option_string (
+      'o',
+      "open-port",
+      "SHARED_SECRET",
+      gettext_noop (
+        "Listen for connections using a shared secret among sender and recipient"),
+      &listen_port),
+    GNUNET_GETOPT_option_string ('p',
+                                 "peer",
+                                 "PEER_ID",
+                                 gettext_noop (
+                                   "Provide information about a patricular peer"),
+                                 &peer_id),
+    GNUNET_GETOPT_option_flag ('P',
+                               "peers",
+                               gettext_noop (
+                                 "Provide information about all peers"),
+                               &request_peers),
+    GNUNET_GETOPT_option_flag ('T',
+                               "tunnels",
+                               gettext_noop (
+                                 "Provide information about all tunnels"),
+                               &request_tunnels),
+    GNUNET_GETOPT_OPTION_END
+  };
+
+  if (GNUNET_OK != GNUNET_STRINGS_get_utf8_args (argc, argv, &argc, &argv))
+    return 2;
+
+  res = GNUNET_PROGRAM_run (argc,
+                            argv,
+                            "gnunet-cadet (OPTIONS | PEER_ID SHARED_SECRET)",
+                            gettext_noop (helpstr),
+                            options,
+                            &run,
+                            NULL);
+
+  GNUNET_free_nz ((void *) argv);
+
+  if (GNUNET_OK == res)
+    return 0;
+  return 1;
+}
+
+
+/* end of gnunet-cadet.c */
diff --git a/src/cli/cadet/meson.build b/src/cli/cadet/meson.build
new file mode 100644
index 000000000..09a1965ac
--- /dev/null
+++ b/src/cli/cadet/meson.build
@@ -0,0 +1,15 @@
+executable ('gnunet-cadet',
+            ['gnunet-cadet.c'],
+            dependencies: [libgnunetcadet_dep,
+                           libgnunetutil_dep,
+                           libgnunetcore_dep,
+                           libgnunetdht_dep,
+                           m_dep,
+                           libgnunetstatistics_dep,
+                           libgnunetpeerstore_dep,
+                           libgnunettransportapplication_dep,
+                           libgnunethello_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+
diff --git a/src/cli/core/.gitignore b/src/cli/core/.gitignore
new file mode 100644
index 000000000..95169ed2b
--- /dev/null
+++ b/src/cli/core/.gitignore
@@ -0,0 +1 @@
+gnunet-core
diff --git a/src/cli/core/Makefile.am b/src/cli/core/Makefile.am
new file mode 100644
index 000000000..97abf0db2
--- /dev/null
+++ b/src/cli/core/Makefile.am
@@ -0,0 +1,24 @@
+# This Makefile.am is in the public domain
+AM_CPPFLAGS = -I$(top_srcdir)/src/include
+
+pkgcfgdir= $(pkgdatadir)/config.d/
+
+plugindir = $(libdir)/gnunet
+
+libexecdir= $(pkglibdir)/libexec/
+
+if USE_COVERAGE
+  AM_CFLAGS = --coverage -O0
+  XLIB = -lgcov
+endif
+
+bin_PROGRAMS = \
+ gnunet-core
+
+gnunet_core_SOURCES = \
+ gnunet-core.c
+gnunet_core_LDADD = \
+  $(top_builddir)/src/service/core/libgnunetcore.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la
+gnunet_core_LDFLAGS = \
+  $(GN_LIBINTL)
diff --git a/src/cli/core/gnunet-core.c b/src/cli/core/gnunet-core.c
new file mode 100644
index 000000000..00b08eefc
--- /dev/null
+++ b/src/cli/core/gnunet-core.c
@@ -0,0 +1,274 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2011, 2012, 2014 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @file core/gnunet-core.c
+ * @brief Print information about other peers known to CORE.
+ * @author Nathan Evans
+ */
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include "gnunet_core_service.h"
+
+
+/**
+ * Option -m.
+ */
+static int monitor_connections;
+
+/**
+ * Option -i.
+ */
+static int show_pid;
+
+/**
+ * Option -s.
+ */
+static int show_conns;
+
+/**
+ * Handle to the CORE monitor.
+ */
+static struct GNUNET_CORE_MonitorHandle *mh;
+
+
+/**
+ * Task run in monitor mode when the user presses CTRL-C to abort.
+ * Stops monitoring activity.
+ *
+ * @param cls NULL
+ */
+static void
+shutdown_task (void *cls)
+{
+  (void) cls;
+  if (NULL != mh)
+  {
+    GNUNET_CORE_monitor_stop (mh);
+    mh = NULL;
+  }
+}
+
+
+/**
+ * Function called to notify core users that another
+ * peer changed its state with us.
+ *
+ * @param cls closure
+ * @param peer the peer that changed state
+ * @param state new state of the peer
+ * @param timeout timeout for the new state
+ */
+static void
+monitor_cb (void *cls,
+            const struct GNUNET_PeerIdentity *peer,
+            enum GNUNET_CORE_KxState state,
+            struct GNUNET_TIME_Absolute timeout)
+{
+  struct GNUNET_TIME_Absolute now = GNUNET_TIME_absolute_get ();
+  const char *now_str;
+  const char *state_str;
+
+  (void) cls;
+  if (((NULL == peer) || (GNUNET_CORE_KX_ITERATION_FINISHED == state)) &&
+      (GNUNET_NO == monitor_connections))
+  {
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+
+  switch (state)
+  {
+  case GNUNET_CORE_KX_STATE_DOWN:
+    /* should never happen, as we immediately send the key */
+    state_str = _ ("fresh connection");
+    break;
+
+  case GNUNET_CORE_KX_STATE_KEY_SENT:
+    state_str = _ ("key sent");
+    break;
+
+  case GNUNET_CORE_KX_STATE_KEY_RECEIVED:
+    state_str = _ ("key received");
+    break;
+
+  case GNUNET_CORE_KX_STATE_UP:
+    state_str = _ ("connection established");
+    break;
+
+  case GNUNET_CORE_KX_STATE_REKEY_SENT:
+    state_str = _ ("rekeying");
+    break;
+
+  case GNUNET_CORE_KX_PEER_DISCONNECT:
+    state_str = _ ("disconnected");
+    break;
+
+  case GNUNET_CORE_KX_ITERATION_FINISHED:
+    return;
+
+  case GNUNET_CORE_KX_CORE_DISCONNECT:
+    fprintf (stderr,
+             "%s\n",
+             _ ("Connection to CORE service lost (reconnecting)"));
+    return;
+
+  default:
+    state_str = _ ("unknown state");
+    break;
+  }
+  now_str = GNUNET_STRINGS_absolute_time_to_string (now);
+  fprintf (stdout,
+           _ ("%24s: %-30s %4s (timeout in %6s)\n"),
+           now_str,
+           state_str,
+           GNUNET_i2s (peer),
+           GNUNET_STRINGS_relative_time_to_string (
+             GNUNET_TIME_absolute_get_remaining (timeout),
+             GNUNET_YES));
+}
+
+
+/**
+ * Main function that will be run by the scheduler.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param cfg configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  struct GNUNET_CRYPTO_EddsaPrivateKey pk;
+  struct GNUNET_CRYPTO_EddsaPublicKey pub;
+  char *keyfile;
+  (void) cls;
+  (void) cfgfile;
+  if (NULL != args[0])
+  {
+    fprintf (stderr, _ ("Invalid command line argument `%s'\n"), args[0]);
+    return;
+  }
+  if (GNUNET_OK !=
+      GNUNET_CONFIGURATION_get_value_filename (cfg,
+                                               "PEER",
+                                               "PRIVATE_KEY",
+                                               &keyfile))
+  {
+    GNUNET_log (
+      GNUNET_ERROR_TYPE_ERROR,
+      _ ("Core service is lacking HOSTKEY configuration setting.  Exiting.\n"));
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  if (GNUNET_SYSERR ==
+      GNUNET_CRYPTO_eddsa_key_from_file (keyfile,
+                                         GNUNET_YES,
+                                         &pk))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Failed to read peer's private key!\n");
+    GNUNET_SCHEDULER_shutdown ();
+    GNUNET_free (keyfile);
+    return;
+  }
+  GNUNET_CRYPTO_eddsa_key_get_public (&pk, &pub);
+  if (show_pid)
+    fprintf (stdout,
+             _ ("Current local peer identity: %s\n"),
+             GNUNET_i2s_full ((struct GNUNET_PeerIdentity*) &pub));
+  if (show_conns || monitor_connections)
+  {
+    mh = GNUNET_CORE_monitor_start (cfg, &monitor_cb, NULL);
+    if (NULL == mh)
+    {
+      fprintf (stderr, "%s", _ ("Failed to connect to CORE service!\n"));
+      GNUNET_free (keyfile);
+      return;
+    }
+  }
+  if (! show_pid && ! show_conns && ! monitor_connections)
+  {
+    fprintf (stderr, "%s", _ ("No argument given.\n"));
+    GNUNET_free (keyfile);
+    return;
+  }
+  GNUNET_free (keyfile);
+  GNUNET_SCHEDULER_add_shutdown (&shutdown_task, NULL);
+}
+
+
+/**
+ * The main function to obtain peer information from CORE.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc, char *const *argv)
+{
+  int res;
+  struct GNUNET_GETOPT_CommandLineOption options[] =
+  { GNUNET_GETOPT_option_flag (
+      'm',
+      "monitor",
+      gettext_noop (
+        "provide information about all current connections (continuously)"),
+      &monitor_connections),
+    GNUNET_GETOPT_option_flag (
+      'i',
+      "show-identity",
+      gettext_noop (
+        "Show our current peer identity"
+        ),
+      &show_pid),
+    GNUNET_GETOPT_option_flag (
+      's',
+      "connection-status",
+      gettext_noop (
+        "Show current connections"
+        ),
+      &show_conns),
+    GNUNET_GETOPT_OPTION_END };
+
+  if (GNUNET_OK != GNUNET_STRINGS_get_utf8_args (argc, argv, &argc, &argv))
+    return 2;
+  res = GNUNET_PROGRAM_run (argc,
+                            argv,
+                            "gnunet-core",
+                            gettext_noop (
+                              "Print information about connected peers."),
+                            options,
+                            &run,
+                            NULL);
+
+  GNUNET_free_nz ((void *) argv);
+  if (GNUNET_OK == res)
+    return 0;
+  return 1;
+}
+
+
+/* end of gnunet-core.c */
diff --git a/src/cli/core/meson.build b/src/cli/core/meson.build
new file mode 100644
index 000000000..db246a3c4
--- /dev/null
+++ b/src/cli/core/meson.build
@@ -0,0 +1,6 @@
+executable ('gnunet-core',
+            ['gnunet-core.c'],
+            dependencies: [libgnunetcore_dep, libgnunetutil_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
diff --git a/src/cli/datastore/.gitignore b/src/cli/datastore/.gitignore
new file mode 100644
index 000000000..ddb105175
--- /dev/null
+++ b/src/cli/datastore/.gitignore
@@ -0,0 +1 @@
+gnunet-datastore
diff --git a/src/cli/datastore/Makefile.am b/src/cli/datastore/Makefile.am
new file mode 100644
index 000000000..91098db96
--- /dev/null
+++ b/src/cli/datastore/Makefile.am
@@ -0,0 +1,24 @@
+# This Makefile.am is in the public domain
+AM_CPPFLAGS = -I$(top_srcdir)/src/include
+
+plugindir = $(libdir)/gnunet
+
+pkgcfgdir= $(pkgdatadir)/config.d/
+
+libexecdir= $(pkglibdir)/libexec/
+
+if USE_COVERAGE
+  AM_CFLAGS = --coverage -O0
+  XLIBS = -lgcov
+endif
+
+
+bin_PROGRAMS = \
+ gnunet-datastore
+
+gnunet_datastore_SOURCES = \
+ gnunet-datastore.c
+gnunet_datastore_LDADD = \
+  $(top_builddir)/src/service/datastore/libgnunetdatastore.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(GN_LIBINTL)
diff --git a/src/cli/datastore/gnunet-datastore.c b/src/cli/datastore/gnunet-datastore.c
new file mode 100644
index 000000000..9a76d1160
--- /dev/null
+++ b/src/cli/datastore/gnunet-datastore.c
@@ -0,0 +1,508 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2010, 2013 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @file datastore/gnunet-datastore.c
+ * @brief tool to manipulate datastores
+ * @author Christian Grothoff
+ */
+#include "platform.h"
+#include <inttypes.h>
+#include "gnunet_util_lib.h"
+#include "gnunet_datastore_service.h"
+
+GNUNET_NETWORK_STRUCT_BEGIN
+
+struct DataRecord
+{
+  /**
+   * Number of bytes in the item (NBO).
+   */
+  uint32_t size GNUNET_PACKED;
+
+  /**
+   * Type of the item (NBO) (actually an enum GNUNET_BLOCK_Type)
+   */
+  uint32_t type GNUNET_PACKED;
+
+  /**
+   * Priority of the item (NBO).
+   */
+  uint32_t priority GNUNET_PACKED;
+
+  /**
+   * Desired anonymity level (NBO).
+   */
+  uint32_t anonymity GNUNET_PACKED;
+
+  /**
+   * Desired replication level (NBO).
+   */
+  uint32_t replication GNUNET_PACKED;
+
+  /**
+   * Expiration time (NBO).
+   */
+  struct GNUNET_TIME_AbsoluteNBO expiration;
+
+  /**
+   * Key under which the item can be found.
+   */
+  struct GNUNET_HashCode key;
+};
+GNUNET_NETWORK_STRUCT_END
+
+
+/**
+ * Length of our magic header.
+ */
+static const size_t MAGIC_LEN = 16;
+
+/**
+ * Magic header bytes.
+ */
+static const uint8_t MAGIC_BYTES[16] = "GNUNETDATASTORE1";
+
+/**
+ * Dump the database.
+ */
+static int dump;
+
+/**
+ * Insert into the database.
+ */
+static int insert;
+
+/**
+ * Dump file name.
+ */
+static char *file_name;
+
+/**
+ * Dump file handle.
+ */
+static struct GNUNET_DISK_FileHandle *file_handle;
+
+/**
+ * Global return value.
+ */
+static int ret;
+
+/**
+ * Handle for datastore.
+ */
+static struct GNUNET_DATASTORE_Handle *datastore;
+
+/**
+ * Current operation.
+ */
+static struct GNUNET_DATASTORE_QueueEntry *qe;
+
+/**
+ * Record count.
+ */
+static uint64_t record_count;
+
+
+static void
+do_shutdown (void *cls)
+{
+  if (NULL != qe)
+    GNUNET_DATASTORE_cancel (qe);
+  if (NULL != datastore)
+    GNUNET_DATASTORE_disconnect (datastore, GNUNET_NO);
+  if (NULL != file_handle)
+    GNUNET_DISK_file_close (file_handle);
+}
+
+
+/**
+ * Begin dumping the database.
+ */
+static void
+start_dump (void);
+
+
+/**
+ * Begin inserting into the database.
+ */
+static void
+start_insert (void);
+
+
+/**
+ * Perform next GET operation.
+ */
+static void
+do_get (const uint64_t next_uid);
+
+
+/**
+ * Process a datum that was stored in the datastore.
+ *
+ * @param cls closure
+ * @param key key for the content
+ * @param size number of bytes in data
+ * @param data content stored
+ * @param type type of the content
+ * @param priority priority of the content
+ * @param anonymity anonymity-level for the content
+ * @param replication replication-level for the content
+ * @param expiration expiration time for the content
+ * @param uid unique identifier for the datum;
+ *        maybe 0 if no unique identifier is available
+ */
+static void
+get_cb (void *cls,
+        const struct GNUNET_HashCode *key,
+        size_t size,
+        const void *data,
+        enum GNUNET_BLOCK_Type type,
+        uint32_t priority,
+        uint32_t anonymity,
+        uint32_t replication,
+        struct GNUNET_TIME_Absolute expiration,
+        uint64_t uid)
+{
+  qe = NULL;
+  if (NULL == key)
+  {
+    fprintf (stderr, _ ("Dumped %" PRIu64 " records\n"), record_count);
+    GNUNET_DISK_file_close (file_handle);
+    file_handle = NULL;
+    if (insert)
+      start_insert ();
+    else
+    {
+      ret = 0;
+      GNUNET_SCHEDULER_shutdown ();
+    }
+    return;
+  }
+
+  struct DataRecord dr;
+  dr.size = htonl ((uint32_t) size);
+  dr.type = htonl (type);
+  dr.priority = htonl (priority);
+  dr.anonymity = htonl (anonymity);
+  dr.replication = htonl (replication);
+  dr.expiration = GNUNET_TIME_absolute_hton (expiration);
+  dr.key = *key;
+
+  ssize_t len;
+  len = GNUNET_DISK_file_write (file_handle, &dr, sizeof(dr));
+  if (sizeof(dr) != len)
+  {
+    fprintf (stderr,
+             _ ("Short write to file: %zd bytes expecting %zd\n"),
+             len,
+             sizeof(dr));
+    ret = 1;
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+
+  len = GNUNET_DISK_file_write (file_handle, data, size);
+  if (size != len)
+  {
+    fprintf (stderr,
+             _ ("Short write to file: %zd bytes expecting %zd\n"),
+             len,
+             size);
+    ret = 1;
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+
+  record_count++;
+  do_get (uid + 1);
+}
+
+
+/**
+ * Perform next GET operation.
+ */
+static void
+do_get (const uint64_t next_uid)
+{
+  GNUNET_assert (NULL == qe);
+  qe = GNUNET_DATASTORE_get_key (datastore,
+                                 next_uid,
+                                 false /* random */,
+                                 NULL /* key */,
+                                 GNUNET_BLOCK_TYPE_ANY,
+                                 0 /* queue_priority */,
+                                 1 /* max_queue_size */,
+                                 &get_cb,
+                                 NULL /* proc_cls */);
+  if (NULL == qe)
+  {
+    fprintf (stderr, _ ("Error queueing datastore GET operation\n"));
+    ret = 1;
+    GNUNET_SCHEDULER_shutdown ();
+  }
+}
+
+
+/**
+ * Begin dumping the database.
+ */
+static void
+start_dump ()
+{
+  record_count = 0;
+
+  if (NULL != file_name)
+  {
+    file_handle = GNUNET_DISK_file_open (file_name,
+                                         GNUNET_DISK_OPEN_WRITE
+                                         | GNUNET_DISK_OPEN_TRUNCATE
+                                         | GNUNET_DISK_OPEN_CREATE,
+                                         GNUNET_DISK_PERM_USER_READ
+                                         | GNUNET_DISK_PERM_USER_WRITE);
+    if (NULL == file_handle)
+    {
+      fprintf (stderr, _ ("Unable to open dump file: %s\n"), file_name);
+      ret = 1;
+      GNUNET_SCHEDULER_shutdown ();
+      return;
+    }
+  }
+  else
+  {
+    file_handle = GNUNET_DISK_get_handle_from_int_fd (STDOUT_FILENO);
+  }
+  GNUNET_DISK_file_write (file_handle, MAGIC_BYTES, MAGIC_LEN);
+  do_get (0);
+}
+
+
+/**
+ * Continuation called to notify client about result of the
+ * operation.
+ *
+ * @param cls closure
+ * @param success GNUNET_SYSERR on failure (including timeout/queue drop)
+ *                GNUNET_NO if content was already there
+ *                GNUNET_YES (or other positive value) on success
+ * @param min_expiration minimum expiration time required for 0-priority content to be stored
+ *                by the datacache at this time, zero for unknown, forever if we have no
+ *                space for 0-priority content
+ * @param msg NULL on success, otherwise an error message
+ */
+static void
+put_cb (void *cls,
+        int32_t success,
+        struct GNUNET_TIME_Absolute min_expiration,
+        const char *msg)
+{
+  qe = NULL;
+  if (GNUNET_SYSERR == success)
+  {
+    fprintf (stderr, _ ("Failed to store item: %s, aborting\n"), msg);
+    ret = 1;
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+
+  struct DataRecord dr;
+  ssize_t len;
+
+  len = GNUNET_DISK_file_read (file_handle, &dr, sizeof(dr));
+  if (0 == len)
+  {
+    fprintf (stderr, _ ("Inserted %" PRIu64 " records\n"), record_count);
+    ret = 0;
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  else if (sizeof(dr) != len)
+  {
+    fprintf (stderr,
+             _ ("Short read from file: %zd bytes expecting %zd\n"),
+             len,
+             sizeof(dr));
+    ret = 1;
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+
+  const size_t size = ntohl (dr.size);
+  uint8_t data[size];
+  len = GNUNET_DISK_file_read (file_handle, data, size);
+  if (size != len)
+  {
+    fprintf (stderr,
+             _ ("Short read from file: %zd bytes expecting %zd\n"),
+             len,
+             size);
+    ret = 1;
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+
+  record_count++;
+  qe = GNUNET_DATASTORE_put (datastore,
+                             0,
+                             &dr.key,
+                             size,
+                             data,
+                             ntohl (dr.type),
+                             ntohl (dr.priority),
+                             ntohl (dr.anonymity),
+                             ntohl (dr.replication),
+                             GNUNET_TIME_absolute_ntoh (dr.expiration),
+                             0,
+                             1,
+                             &put_cb,
+                             NULL);
+  if (NULL == qe)
+  {
+    fprintf (stderr, _ ("Error queueing datastore PUT operation\n"));
+    ret = 1;
+    GNUNET_SCHEDULER_shutdown ();
+  }
+}
+
+
+/**
+ * Begin inserting into the database.
+ */
+static void
+start_insert ()
+{
+  record_count = 0;
+
+  if (NULL != file_name)
+  {
+    file_handle = GNUNET_DISK_file_open (file_name,
+                                         GNUNET_DISK_OPEN_READ,
+                                         GNUNET_DISK_PERM_NONE);
+    if (NULL == file_handle)
+    {
+      fprintf (stderr, _ ("Unable to open dump file: %s\n"), file_name);
+      ret = 1;
+      GNUNET_SCHEDULER_shutdown ();
+      return;
+    }
+  }
+  else
+  {
+    file_handle = GNUNET_DISK_get_handle_from_int_fd (STDIN_FILENO);
+  }
+
+  uint8_t buf[MAGIC_LEN];
+  ssize_t len;
+
+  len = GNUNET_DISK_file_read (file_handle, buf, MAGIC_LEN);
+  if ((len != MAGIC_LEN) || (0 != memcmp (buf, MAGIC_BYTES, MAGIC_LEN)))
+  {
+    fprintf (stderr, _ ("Input file is not of a supported format\n"));
+    return;
+  }
+  put_cb (NULL, GNUNET_YES, GNUNET_TIME_UNIT_ZERO_ABS, NULL);
+}
+
+
+/**
+ * Main function that will be run by the scheduler.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used
+ * @param cfg configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  GNUNET_SCHEDULER_add_shutdown (&do_shutdown, NULL);
+  datastore = GNUNET_DATASTORE_connect (cfg);
+  if (NULL == datastore)
+  {
+    fprintf (stderr, _ ("Failed connecting to the datastore.\n"));
+    ret = 1;
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  if (dump)
+    start_dump ();
+  else if (insert)
+    start_insert ();
+  else
+  {
+    fprintf (stderr,
+             _ ("Please choose at least one operation: %s, %s\n"),
+             "dump",
+             "insert");
+    ret = 1;
+    GNUNET_SCHEDULER_shutdown ();
+  }
+}
+
+
+/**
+ * The main function to manipulate datastores.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc, char *const *argv)
+{
+  struct GNUNET_GETOPT_CommandLineOption options[] =
+  { GNUNET_GETOPT_option_flag ('d',
+                               "dump",
+                               gettext_noop (
+                                 "Dump all records from the datastore"),
+                               &dump),
+    GNUNET_GETOPT_option_flag ('i',
+                               "insert",
+                               gettext_noop (
+                                 "Insert records into the datastore"),
+                               &insert),
+    GNUNET_GETOPT_option_filename ('f',
+                                   "file",
+                                   "FILENAME",
+                                   gettext_noop ("File to dump or insert"),
+                                   &file_name),
+    GNUNET_GETOPT_OPTION_END };
+
+  if (GNUNET_OK != GNUNET_STRINGS_get_utf8_args (argc, argv, &argc, &argv))
+    return 2;
+
+  if (GNUNET_OK !=
+      GNUNET_PROGRAM_run (argc,
+                          argv,
+                          "gnunet-datastore",
+                          gettext_noop ("Manipulate GNUnet datastore"),
+                          options,
+                          &run,
+                          NULL))
+    ret = 1;
+  GNUNET_free_nz ((void *) argv);
+  return ret;
+}
+
+
+/* end of gnunet-datastore.c */
diff --git a/src/cli/datastore/meson.build b/src/cli/datastore/meson.build
new file mode 100644
index 000000000..7ec8eec47
--- /dev/null
+++ b/src/cli/datastore/meson.build
@@ -0,0 +1,9 @@
+executable ('gnunet-datastore',
+            ['gnunet-datastore.c'],
+            dependencies: [libgnunetdatastore_dep,
+                           libgnunetutil_dep,
+                           libgnunetstatistics_dep,
+                           libgnunetdatacache_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
diff --git a/src/cli/dht/.gitignore b/src/cli/dht/.gitignore
new file mode 100644
index 000000000..3b6564ef0
--- /dev/null
+++ b/src/cli/dht/.gitignore
@@ -0,0 +1,5 @@
+gnunet-dht-get
+gnunet-dht-monitor
+gnunet-dht-profiler
+gnunet-dht-put
+gnunet-dht-hello
diff --git a/src/cli/dht/Makefile.am b/src/cli/dht/Makefile.am
new file mode 100644
index 000000000..f026b5270
--- /dev/null
+++ b/src/cli/dht/Makefile.am
@@ -0,0 +1,52 @@
+# This Makefile.am is in the public domain
+AM_CPPFLAGS = -I$(top_srcdir)/src/include
+
+plugindir = $(libdir)/gnunet
+
+pkgcfgdir= $(pkgdatadir)/config.d/
+
+libexecdir= $(pkglibdir)/libexec/
+
+if USE_COVERAGE
+  AM_CFLAGS = --coverage -O0
+  XLIB = -lgcov
+endif
+
+bin_PROGRAMS = \
+ gnunet-dht-monitor \
+ gnunet-dht-get \
+ gnunet-dht-put \
+ gnunet-dht-hello
+
+gnunet_dht_get_SOURCES = \
+ gnunet-dht-get.c
+gnunet_dht_get_LDADD = \
+  $(top_builddir)/src/service/dht/libgnunetdht.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la
+gnunet_dht_get_LDFLAGS = \
+  $(GN_LIBINTL)
+
+gnunet_dht_hello_SOURCES = \
+ gnunet-dht-hello.c
+gnunet_dht_hello_LDADD = \
+  $(top_builddir)/src/service/dht/libgnunetdht.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la
+gnunet_dht_hello_LDFLAGS = \
+  $(GN_LIBINTL)
+
+gnunet_dht_put_SOURCES = \
+ gnunet-dht-put.c
+gnunet_dht_put_LDADD = \
+  $(top_builddir)/src/service/dht/libgnunetdht.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la
+gnunet_dht_put_LDFLAGS = \
+  $(GN_LIBINTL)
+
+gnunet_dht_monitor_SOURCES = \
+ gnunet-dht-monitor.c
+gnunet_dht_monitor_LDADD = \
+  $(top_builddir)/src/service/dht/libgnunetdht.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la
+gnunet_dht_monitor_LDFLAGS = \
+  $(GN_LIBINTL)
+
diff --git a/src/cli/dht/gnunet-dht-get.c b/src/cli/dht/gnunet-dht-get.c
new file mode 100644
index 000000000..393184bb6
--- /dev/null
+++ b/src/cli/dht/gnunet-dht-get.c
@@ -0,0 +1,352 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2001, 2002, 2004, 2005, 2006, 2007, 2009, 2022 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file dht/gnunet-dht-get.c
+ * @brief search for data in DHT
+ * @author Christian Grothoff
+ * @author Nathan Evans
+ */
+#include "platform.h"
+#include "gnunet_dht_service.h"
+
+#define LOG(kind, ...) GNUNET_log_from (kind, "dht-clients", __VA_ARGS__)
+/**
+ * The type of the query
+ */
+static unsigned int query_type;
+
+/**
+ * Desired replication level
+ */
+static unsigned int replication = 5;
+
+/**
+ * The key for the query
+ */
+static char *query_key;
+
+/**
+ * User supplied timeout value
+ */
+static struct GNUNET_TIME_Relative timeout_request = { 60000 };
+
+/**
+ * Be verbose
+ */
+static unsigned int verbose;
+
+/**
+ * Use DHT demultixplex_everywhere
+ */
+static int demultixplex_everywhere;
+
+/**
+ * Use #GNUNET_DHT_RO_RECORD_ROUTE.
+ */
+static int record_route;
+
+/**
+ * Handle to the DHT
+ */
+static struct GNUNET_DHT_Handle *dht_handle;
+
+/**
+ * Global handle of the configuration
+ */
+static const struct GNUNET_CONFIGURATION_Handle *cfg;
+
+/**
+ * Handle for the get request
+ */
+static struct GNUNET_DHT_GetHandle *get_handle;
+
+/**
+ * Count of results found
+ */
+static unsigned int result_count;
+
+/**
+ * Global status value
+ */
+static int ret;
+
+/**
+ * Task scheduled to handle timeout.
+ */
+static struct GNUNET_SCHEDULER_Task *tt;
+
+
+/**
+ * Task run to clean up on shutdown.
+ *
+ * @param cls unused
+ */
+static void
+cleanup_task (void *cls)
+{
+  if (NULL != get_handle)
+  {
+    GNUNET_DHT_get_stop (get_handle);
+    get_handle = NULL;
+  }
+  if (NULL != dht_handle)
+  {
+    GNUNET_DHT_disconnect (dht_handle);
+    dht_handle = NULL;
+  }
+  if (NULL != tt)
+  {
+    GNUNET_SCHEDULER_cancel (tt);
+    tt = NULL;
+  }
+}
+
+
+/**
+ * Task run on timeout. Triggers shutdown.
+ *
+ * @param cls unused
+ */
+static void
+timeout_task (void *cls)
+{
+  tt = NULL;
+  GNUNET_SCHEDULER_shutdown ();
+}
+
+
+/**
+ * Iterator called on each result obtained for a DHT
+ * operation that expects a reply
+ *
+ * @param cls closure
+ * @param exp when will this value expire
+ * @param key key of the result
+ * @param trunc_peer peer at which the path was truncated, or NULL if not
+ * @param get_path peers on reply path (or NULL if not recorded)
+ * @param get_path_length number of entries in get_path
+ * @param put_path peers on the PUT path (or NULL if not recorded)
+ * @param put_path_length number of entries in get_path
+ * @param type type of the result
+ * @param size number of bytes in data
+ * @param data pointer to the result data
+ */
+static void
+get_result_iterator (void *cls,
+                     struct GNUNET_TIME_Absolute exp,
+                     const struct GNUNET_HashCode *key,
+                     const struct GNUNET_PeerIdentity *trunc_peer,
+                     const struct GNUNET_DHT_PathElement *get_path,
+                     unsigned int get_path_length,
+                     const struct GNUNET_DHT_PathElement *put_path,
+                     unsigned int put_path_length,
+                     enum GNUNET_BLOCK_Type type,
+                     size_t size,
+                     const void *data)
+{
+  fprintf (stdout,
+           (GNUNET_BLOCK_TYPE_TEST == type)
+           ? _ ("Result %d, type %d:\n%.*s\n")
+           : _ ("Result %d, type %d:\n"),
+           result_count,
+           type,
+           (int) size,
+           (char *) data);
+  if (record_route && verbose)
+  {
+    {
+      struct GNUNET_PeerIdentity my_identity;
+
+      GNUNET_break (GNUNET_OK ==
+                    GNUNET_CRYPTO_get_peer_identity (cfg,
+                                                     &my_identity));
+      GNUNET_break (0 ==
+                    GNUNET_DHT_verify_path (data,
+                                            size,
+                                            exp,
+                                            trunc_peer,
+                                            put_path,
+                                            put_path_length,
+                                            get_path,
+                                            get_path_length,
+                                            &my_identity));
+    }
+    fprintf (stdout,
+             "  GET path: ");
+    for (unsigned int i = 0; i < get_path_length; i++)
+      fprintf (stdout,
+               "%s%s",
+               (0 == i) ? "" : "-",
+               GNUNET_i2s (&get_path[i].pred));
+    fprintf (stdout,
+             "\n  PUT path: ");
+    for (unsigned int i = 0; i < put_path_length; i++)
+      fprintf (stdout,
+               "%s%s",
+               (0 == i) ? "" : "-",
+               GNUNET_i2s (&put_path[i].pred));
+    if (NULL != trunc_peer)
+      fprintf (stdout,
+               "!%s",
+               GNUNET_i2s (trunc_peer));
+    fprintf (stdout,
+             "\n");
+  }
+  result_count++;
+}
+
+
+/**
+ * Main function that will be run by the scheduler.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param c configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *c)
+{
+  struct GNUNET_HashCode key;
+  enum GNUNET_DHT_RouteOption ro;
+
+  cfg = c;
+  if (NULL == query_key)
+  {
+    fprintf (stderr,
+             "%s",
+             _ ("Must provide key for DHT GET!\n"));
+    ret = 1;
+    return;
+  }
+  if (NULL == (dht_handle = GNUNET_DHT_connect (cfg, 1)))
+  {
+    fprintf (stderr,
+             "%s",
+             _ ("Failed to connect to DHT service!\n"));
+    ret = 1;
+    return;
+  }
+  if (query_type == GNUNET_BLOCK_TYPE_ANY) /* Type of data not set */
+    query_type = GNUNET_BLOCK_TYPE_TEST;
+  GNUNET_CRYPTO_hash (query_key, strlen (query_key), &key);
+  if (verbose)
+    fprintf (stderr,
+             "%s `%s' \n",
+             _ ("Issuing DHT GET with key"),
+             GNUNET_h2s_full (&key));
+  GNUNET_SCHEDULER_add_shutdown (&cleanup_task, NULL);
+  tt = GNUNET_SCHEDULER_add_delayed (timeout_request, &timeout_task, NULL);
+  ro = GNUNET_DHT_RO_NONE;
+  if (demultixplex_everywhere)
+    ro |= GNUNET_DHT_RO_DEMULTIPLEX_EVERYWHERE;
+  if (record_route)
+    ro |= GNUNET_DHT_RO_RECORD_ROUTE;
+  get_handle = GNUNET_DHT_get_start (dht_handle,
+                                     query_type,
+                                     &key,
+                                     replication,
+                                     ro,
+                                     NULL,
+                                     0,
+                                     &get_result_iterator,
+                                     NULL);
+}
+
+
+/**
+ * Entry point for gnunet-dht-get
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc, char *const *argv)
+{
+  char *u8_argv = NULL;
+  struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_option_string (
+      'k',
+      "key",
+      "KEY",
+      gettext_noop ("the query key"),
+      &query_key),
+    GNUNET_GETOPT_option_uint (
+      'r',
+      "replication",
+      "LEVEL",
+      gettext_noop ("how many parallel requests (replicas) to create"),
+      &replication),
+    GNUNET_GETOPT_option_flag (
+      'R',
+      "record",
+      gettext_noop ("use DHT's record route option"),
+      &record_route),
+    GNUNET_GETOPT_option_uint (
+      't',
+      "type",
+      "TYPE",
+      gettext_noop ("the type of data to look for"),
+      &query_type),
+    GNUNET_GETOPT_option_relative_time (
+      'T',
+      "timeout",
+      "TIMEOUT",
+      gettext_noop ("how long to execute this query before giving up?"),
+      &timeout_request),
+    GNUNET_GETOPT_option_flag (
+      'x',
+      "demultiplex",
+      gettext_noop (
+        "use DHT's demultiplex everywhere option"),
+      &demultixplex_everywhere),
+    GNUNET_GETOPT_option_verbose (&verbose),
+    GNUNET_GETOPT_OPTION_END
+  };
+
+
+  if (GNUNET_OK !=
+      GNUNET_STRINGS_get_utf8_args (argc, argv,
+                                    &argc, &argv))
+    return 2;
+  ret = (GNUNET_OK ==
+         GNUNET_PROGRAM_run (
+           argc,
+           argv,
+           "gnunet-dht-get",
+           gettext_noop (
+             "Issue a GET request to the GNUnet DHT, prints results."),
+           options,
+           &run,
+           NULL))
+         ? ret
+         : 1;
+  // This is ugly, but meh. The GNUNET_STRINGS_get_utf8_args allows us to do this.
+  u8_argv = (char*) argv;
+  GNUNET_free (u8_argv);
+  return ret;
+}
+
+
+/* end of gnunet-dht-get.c */
diff --git a/src/cli/dht/gnunet-dht-hello.c b/src/cli/dht/gnunet-dht-hello.c
new file mode 100644
index 000000000..369ed5643
--- /dev/null
+++ b/src/cli/dht/gnunet-dht-hello.c
@@ -0,0 +1,178 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2022 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file dht/gnunet-dht-hello.c
+ * @brief Obtain HELLO from DHT for bootstrapping
+ * @author Christian Grothoff
+ */
+#include "platform.h"
+#include "gnunet_dht_service.h"
+
+#define LOG(kind, ...) GNUNET_log_from (kind, "dht-clients", __VA_ARGS__)
+
+/**
+ * Handle to the DHT
+ */
+static struct GNUNET_DHT_Handle *dht_handle;
+
+/**
+ * Handle to the DHT hello get operation.
+ */
+static struct GNUNET_DHT_HelloGetHandle *get_hello_handle;
+
+/**
+ * Global status value
+ */
+static int global_ret;
+
+
+/**
+ * Task run to clean up on shutdown.
+ *
+ * @param cls unused
+ */
+static void
+cleanup_task (void *cls)
+{
+  if (NULL != get_hello_handle)
+  {
+    GNUNET_DHT_hello_get_cancel (get_hello_handle);
+    get_hello_handle = NULL;
+  }
+  if (NULL != dht_handle)
+  {
+    GNUNET_DHT_disconnect (dht_handle);
+    dht_handle = NULL;
+  }
+}
+
+
+/**
+ * Task run when we are finished. Triggers shutdown.
+ *
+ * @param cls unused
+ */
+static void
+hello_done_cb (void *cls)
+{
+  GNUNET_SCHEDULER_shutdown ();
+}
+
+
+/**
+ * Function called on our HELLO.
+ *
+ * @param cls closure
+ * @param url the HELLO URL
+ */
+static void
+hello_result_cb (void *cls,
+                 const char *url)
+{
+  get_hello_handle = NULL;
+  fprintf (stdout,
+           "%s\n",
+           url);
+  GNUNET_SCHEDULER_shutdown ();
+}
+
+
+/**
+ * Main function that will be run by the scheduler.
+ *
+ * @param cls closure, NULL
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param cfg configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  (void) cls;
+  (void) cfgfile;
+  GNUNET_SCHEDULER_add_shutdown (&cleanup_task,
+                                 NULL);
+  if (NULL == (dht_handle = GNUNET_DHT_connect (cfg,
+                                                1)))
+  {
+    fprintf (stderr,
+             _ ("Failed to connect to DHT service!\n"));
+    global_ret = EXIT_NOTCONFIGURED;
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  if (NULL == args[0])
+  {
+    get_hello_handle = GNUNET_DHT_hello_get (dht_handle,
+                                             &hello_result_cb,
+                                             NULL);
+    GNUNET_break (NULL != get_hello_handle);
+  }
+  else
+  {
+    GNUNET_DHT_hello_offer (dht_handle,
+                            args[0],
+                            &hello_done_cb,
+                            NULL);
+  }
+}
+
+
+/**
+ * Entry point for gnunet-dht-hello
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc,
+      char *const *argv)
+{
+  struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_OPTION_END
+  };
+  enum GNUNET_GenericReturnValue iret;
+
+  if (GNUNET_OK !=
+      GNUNET_STRINGS_get_utf8_args (argc, argv,
+                                    &argc, &argv))
+    return 2;
+  iret = GNUNET_PROGRAM_run (
+    argc,
+    argv,
+    "gnunet-dht-hello [URL]",
+    gettext_noop (
+      "Obtain HELLO from DHT or provide HELLO to DHT for bootstrapping"),
+    options,
+    &run,
+    NULL);
+  if (GNUNET_SYSERR == iret)
+    return EXIT_FAILURE;
+  if (GNUNET_NO == iret)
+    return EXIT_SUCCESS;
+  return global_ret;
+}
+
+
+/* end of gnunet-dht-hello.c */
diff --git a/src/cli/dht/gnunet-dht-monitor.c b/src/cli/dht/gnunet-dht-monitor.c
new file mode 100644
index 000000000..93ea1284a
--- /dev/null
+++ b/src/cli/dht/gnunet-dht-monitor.c
@@ -0,0 +1,345 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2012 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file dht/gnunet-dht-monitor.c
+ * @brief search for data in DHT
+ * @author Christian Grothoff
+ * @author Bartlomiej Polot
+ */
+#include "platform.h"
+#include "gnunet_dht_service.h"
+
+/**
+ * The type of the query
+ */
+static unsigned int block_type;
+
+/**
+ * The key to be monitored
+ */
+static char *query_key;
+
+/**
+ * User supplied timeout value (in seconds)
+ */
+static struct GNUNET_TIME_Relative timeout_request = { 60000 };
+
+/**
+ * Be verbose
+ */
+static int verbose;
+
+/**
+ * Handle to the DHT
+ */
+static struct GNUNET_DHT_Handle *dht_handle;
+
+/**
+ * Global handle of the configuration
+ */
+static const struct GNUNET_CONFIGURATION_Handle *cfg;
+
+/**
+ * Handle for the get request
+ */
+static struct GNUNET_DHT_MonitorHandle *monitor_handle;
+
+/**
+ * Count of messages received
+ */
+static unsigned int result_count;
+
+/**
+ * Global status value
+ */
+static int ret;
+
+/**
+ * Task scheduled to handle timeout.
+ */
+static struct GNUNET_SCHEDULER_Task *tt;
+
+
+/**
+ * Stop monitoring request and start shutdown
+ *
+ * @param cls closure (unused)
+ */
+static void
+cleanup_task (void *cls)
+{
+  if (verbose)
+    fprintf (stderr, "%s", "Cleaning up!\n");
+  if (NULL != monitor_handle)
+  {
+    GNUNET_DHT_monitor_stop (monitor_handle);
+    monitor_handle = NULL;
+  }
+  if (NULL != dht_handle)
+  {
+    GNUNET_DHT_disconnect (dht_handle);
+    dht_handle = NULL;
+  }
+  if (NULL != tt)
+  {
+    GNUNET_SCHEDULER_cancel (tt);
+    tt = NULL;
+  }
+}
+
+
+/**
+ * We hit a timeout. Stop monitoring request and start shutdown
+ *
+ * @param cls closure (unused)
+ */
+static void
+timeout_task (void *cls)
+{
+  tt = NULL;
+  GNUNET_SCHEDULER_shutdown ();
+}
+
+
+/**
+ * Callback called on each GET request going through the DHT.
+ *
+ * @param cls Closure.
+ * @param options Options, for instance RecordRoute, DemultiplexEverywhere.
+ * @param type The type of data in the request.
+ * @param hop_count Hop count so far.
+ * @param desired_replication_level Desired replication level.
+ * @param key Key of the requested data.
+ */
+static void
+get_callback (void *cls,
+              enum GNUNET_DHT_RouteOption options,
+              enum GNUNET_BLOCK_Type type,
+              uint32_t hop_count,
+              uint32_t desired_replication_level,
+              const struct GNUNET_HashCode *key)
+{
+  fprintf (stdout,
+           "GET #%u: type %d, key `%s'\n",
+           result_count,
+           (int) type,
+           GNUNET_h2s_full (key));
+  result_count++;
+}
+
+
+/**
+ * Callback called on each GET reply going through the DHT.
+ *
+ * @param cls Closure.
+ * @param type The type of data in the result.
+ * @param trunc_peer peer where the path was truncated, or NULL if the path is complete
+ * @param get_path Peers on GET path (or NULL if not recorded).
+ * @param get_path_length number of entries in get_path.
+ * @param put_path peers on the PUT path (or NULL if not recorded).
+ * @param put_path_length number of entries in get_path.
+ * @param exp Expiration time of the data.
+ * @param key Key of the data.
+ * @param data Pointer to the result data.
+ * @param size Number of bytes in data.
+ */
+static void
+get_resp_callback (void *cls,
+                   enum GNUNET_BLOCK_Type type,
+                   const struct GNUNET_PeerIdentity *trunc_peer,
+                   const struct GNUNET_DHT_PathElement *get_path,
+                   unsigned int get_path_length,
+                   const struct GNUNET_DHT_PathElement *put_path,
+                   unsigned int put_path_length,
+                   struct GNUNET_TIME_Absolute exp,
+                   const struct GNUNET_HashCode *key,
+                   const void *data,
+                   size_t size)
+{
+  fprintf (stdout,
+           (GNUNET_BLOCK_TYPE_TEST == type)
+           ? "RESPONSE #%u (%s): type %d, key `%s', data `%.*s'\n"
+           : "RESPONSE #%u (%s): type %d, key `%s'\n",
+           result_count,
+           GNUNET_STRINGS_absolute_time_to_string (exp),
+           (int) type,
+           GNUNET_h2s_full (key),
+           (unsigned int) size,
+           (char *) data);
+  result_count++;
+}
+
+
+/**
+ * Callback called on each PUT request going through the DHT.
+ *
+ * @param cls Closure.
+ * @param options Options, for instance RecordRoute, DemultiplexEverywhere.
+ * @param type The type of data in the request.
+ * @param hop_count Hop count so far.
+ * @param trunc_peer peer where the path was truncated, or NULL if the path is complete
+ * @param path_length number of entries in path (or 0 if not recorded).
+ * @param path peers on the PUT path (or NULL if not recorded).
+ * @param desired_replication_level Desired replication level.
+ * @param exp Expiration time of the data.
+ * @param key Key under which data is to be stored.
+ * @param data Pointer to the data carried.
+ * @param size Number of bytes in data.
+ */
+static void
+put_callback (void *cls,
+              enum GNUNET_DHT_RouteOption options,
+              enum GNUNET_BLOCK_Type type,
+              uint32_t hop_count,
+              uint32_t desired_replication_level,
+              const struct GNUNET_PeerIdentity *trunc_peer,
+              unsigned int path_length,
+              const struct GNUNET_DHT_PathElement *path,
+              struct GNUNET_TIME_Absolute exp,
+              const struct GNUNET_HashCode *key,
+              const void *data,
+              size_t size)
+{
+  fprintf (stdout,
+           (GNUNET_BLOCK_TYPE_TEST == type)
+           ? "PUT %u (%s): type %d, key `%s', data `%.*s'\n"
+           : "PUT %u (%s): type %d, key `%s'\n",
+           result_count,
+           GNUNET_STRINGS_absolute_time_to_string (exp),
+           (int) type,
+           GNUNET_h2s_full (key),
+           (unsigned int) size,
+           (char *) data);
+  result_count++;
+}
+
+
+/**
+ * Main function that will be run by the scheduler.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param c configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *c)
+{
+  struct GNUNET_HashCode *key;
+  struct GNUNET_HashCode hc;
+
+  cfg = c;
+
+  if (NULL == (dht_handle = GNUNET_DHT_connect (cfg, 1)))
+  {
+    fprintf (stderr, "%s", _ ("Failed to connect to DHT service!\n"));
+    ret = 1;
+    return;
+  }
+  if (GNUNET_BLOCK_TYPE_ANY == block_type) /* Type of data not set */
+    block_type = GNUNET_BLOCK_TYPE_TEST;
+  if (NULL != query_key)
+  {
+    key = &hc;
+    if (GNUNET_OK != GNUNET_CRYPTO_hash_from_string (query_key, key))
+      GNUNET_CRYPTO_hash (query_key, strlen (query_key), key);
+  }
+  else
+  {
+    key = NULL;
+  }
+  if (verbose)
+    fprintf (stderr,
+             "Monitoring for %s\n",
+             GNUNET_STRINGS_relative_time_to_string (timeout_request,
+                                                     GNUNET_NO));
+  tt = GNUNET_SCHEDULER_add_delayed (timeout_request, &timeout_task, NULL);
+  GNUNET_SCHEDULER_add_shutdown (&cleanup_task, NULL);
+  monitor_handle = GNUNET_DHT_monitor_start (dht_handle,
+                                             block_type,
+                                             key,
+                                             &get_callback,
+                                             &get_resp_callback,
+                                             &put_callback,
+                                             NULL);
+}
+
+
+/**
+ * Entry point for gnunet-dht-monitor
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc, char *const *argv)
+{
+  struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_option_string ('k',
+                                 "key",
+                                 "KEY",
+                                 gettext_noop ("the query key"),
+                                 &query_key),
+
+    GNUNET_GETOPT_option_uint ('t',
+                               "type",
+                               "TYPE",
+                               gettext_noop ("the type of data to look for"),
+                               &block_type),
+
+    GNUNET_GETOPT_option_relative_time (
+      'T',
+      "timeout",
+      "TIMEOUT",
+      gettext_noop ("how long should the monitor command run"),
+      &timeout_request),
+
+    GNUNET_GETOPT_option_flag ('V',
+                               "verbose",
+                               gettext_noop (
+                                 "be verbose (print progress information)"),
+                               &verbose),
+
+    GNUNET_GETOPT_OPTION_END
+  };
+
+
+  if (GNUNET_OK != GNUNET_STRINGS_get_utf8_args (argc, argv, &argc, &argv))
+    return 2;
+
+  return (GNUNET_OK ==
+          GNUNET_PROGRAM_run (argc,
+                              argv,
+                              "gnunet-dht-monitor",
+                              gettext_noop (
+                                "Prints all packets that go through the DHT."),
+                              options,
+                              &run,
+                              NULL))
+         ? ret
+         : 1;
+}
+
+
+/* end of gnunet-dht-monitor.c */
diff --git a/src/cli/dht/gnunet-dht-put.c b/src/cli/dht/gnunet-dht-put.c
new file mode 100644
index 000000000..8f8e098e4
--- /dev/null
+++ b/src/cli/dht/gnunet-dht-put.c
@@ -0,0 +1,255 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2001, 2002, 2004, 2005, 2006, 2007, 2009, 2017 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file dht/gnunet-dht-put.c
+ * @brief search for data in DHT
+ * @author Christian Grothoff
+ * @author Nathan Evans
+ */
+#include "platform.h"
+#include "gnunet_dht_service.h"
+
+/**
+ * The type of the query
+ */
+static unsigned int query_type;
+
+/**
+ * The key used in the DHT
+ */
+struct GNUNET_HashCode key;
+
+/**
+ * The key for the query
+ */
+static char *query_key;
+
+/**
+ * User supplied expiration value
+ */
+static struct GNUNET_TIME_Relative expiration;
+
+/**
+ * Desired replication level.
+ */
+static unsigned int replication = 5;
+
+/**
+ * Be verbose
+ */
+static unsigned int verbose;
+
+/**
+ * Use #GNUNET_DHT_DEMULTIPLEX_EVERYWHERE.
+ */
+static int demultixplex_everywhere;
+
+/**
+ * Use #GNUNET_DHT_RO_RECORD_ROUTE.
+ */
+static int record_route;
+
+/**
+ * Handle to the DHT
+ */
+static struct GNUNET_DHT_Handle *dht_handle;
+
+
+/**
+ * Global handle of the configuration
+ */
+static const struct GNUNET_CONFIGURATION_Handle *cfg;
+
+/**
+ * Global status value
+ */
+static int ret;
+
+/**
+ * The data to insert into the dht
+ */
+static char *data;
+
+
+static void
+shutdown_task (void *cls)
+{
+  if (NULL != dht_handle)
+  {
+    GNUNET_DHT_disconnect (dht_handle);
+    dht_handle = NULL;
+  }
+}
+
+
+/**
+ * Signature of the main function of a task.
+ *
+ * @param cls closure
+ */
+static void
+message_sent_cont (void *cls)
+{
+  GNUNET_SCHEDULER_add_now (&shutdown_task, NULL);
+}
+
+
+/**
+ * Main function that will be run by the scheduler.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param c configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *c)
+{
+  enum GNUNET_DHT_RouteOption ro;
+
+  cfg = c;
+  if ((NULL == query_key) || (NULL == data))
+  {
+    fprintf (stderr, "%s", _ ("Must provide KEY and DATA for DHT put!\n"));
+    ret = 1;
+    return;
+  }
+
+  if (NULL == (dht_handle = GNUNET_DHT_connect (cfg, 1)))
+  {
+    fprintf (stderr, _ ("Could not connect to DHT service!\n"));
+    ret = 1;
+    return;
+  }
+  if (GNUNET_BLOCK_TYPE_ANY == query_type) /* Type of data not set */
+    query_type = GNUNET_BLOCK_TYPE_TEST;
+
+  GNUNET_CRYPTO_hash (query_key, strlen (query_key), &key);
+
+  if (verbose)
+    fprintf (stderr,
+             _ ("Issuing put request for `%s' with data `%s'!\n"),
+             query_key,
+             data);
+  ro = GNUNET_DHT_RO_NONE;
+  if (demultixplex_everywhere)
+    ro |= GNUNET_DHT_RO_DEMULTIPLEX_EVERYWHERE;
+  if (record_route)
+    ro |= GNUNET_DHT_RO_RECORD_ROUTE;
+  GNUNET_DHT_put (dht_handle,
+                  &key,
+                  replication,
+                  ro,
+                  query_type,
+                  strlen (data),
+                  data,
+                  GNUNET_TIME_relative_to_absolute (expiration),
+                  &message_sent_cont,
+                  NULL);
+}
+
+
+/**
+ * Entry point for gnunet-dht-put
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc, char *const *argv)
+{
+  char *u8_argv = NULL;
+  struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_option_string (
+      'd',
+      "data",
+      "DATA",
+      gettext_noop (
+        "the data to insert under the key"),
+      &data),
+    GNUNET_GETOPT_option_relative_time (
+      'e',
+      "expiration",
+      "EXPIRATION",
+      gettext_noop ("how long to store this entry in the dht (in seconds)"),
+      &expiration),
+    GNUNET_GETOPT_option_string (
+      'k',
+      "key",
+      "KEY",
+      gettext_noop ("the query key"),
+      &query_key),
+    GNUNET_GETOPT_option_flag (
+      'x',
+      "demultiplex",
+      gettext_noop (
+        "use DHT's demultiplex everywhere option"),
+      &demultixplex_everywhere),
+    GNUNET_GETOPT_option_uint (
+      'r',
+      "replication",
+      "LEVEL",
+      gettext_noop ("how many replicas to create"),
+      &replication),
+    GNUNET_GETOPT_option_flag (
+      'R',
+      "record",
+      gettext_noop ("use DHT's record route option"),
+      &record_route),
+    GNUNET_GETOPT_option_uint (
+      't',
+      "type",
+      "TYPE",
+      gettext_noop ("the type to insert data as"),
+      &query_type),
+    GNUNET_GETOPT_option_verbose (&verbose),
+    GNUNET_GETOPT_OPTION_END
+  };
+
+
+  if (GNUNET_OK !=
+      GNUNET_STRINGS_get_utf8_args (argc, argv,
+                                    &argc, &argv))
+    return 2;
+  expiration = GNUNET_TIME_UNIT_HOURS;
+  ret = (GNUNET_OK ==
+         GNUNET_PROGRAM_run (
+           argc,
+           argv,
+           "gnunet-dht-put",
+           gettext_noop (
+             "Issue a PUT request to the GNUnet DHT insert DATA under KEY."),
+           options,
+           &run,
+           NULL))
+         ? ret
+         : 1;
+  // This is ugly, but meh. The GNUNET_STRINGS_get_utf8_args allows us to do this.
+  u8_argv = (char*) argv;
+  GNUNET_free (u8_argv);
+  return ret;
+}
+
+
+/* end of gnunet-dht-put.c */
diff --git a/src/cli/dht/meson.build b/src/cli/dht/meson.build
new file mode 100644
index 000000000..d8c326513
--- /dev/null
+++ b/src/cli/dht/meson.build
@@ -0,0 +1,25 @@
+executable ('gnunet-dht-put',
+            ['gnunet-dht-put.c'],
+            dependencies: [libgnunetdht_dep, libgnunetutil_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+executable ('gnunet-dht-get',
+            ['gnunet-dht-get.c'],
+            dependencies: [libgnunetdht_dep, libgnunetutil_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+executable ('gnunet-dht-monitor',
+            ['gnunet-dht-monitor.c'],
+            dependencies: [libgnunetdht_dep, libgnunetutil_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+executable ('gnunet-dht-hello',
+            ['gnunet-dht-hello.c'],
+            dependencies: [libgnunetdht_dep, libgnunetutil_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+
diff --git a/src/cli/fs/.gitignore b/src/cli/fs/.gitignore
new file mode 100644
index 000000000..3ca8908d0
--- /dev/null
+++ b/src/cli/fs/.gitignore
@@ -0,0 +1,8 @@
+gnunet-unindex
+gnunet-auto-share
+gnunet-directory
+gnunet-download
+gnunet-fs
+gnunet-publish
+gnunet-search
+
diff --git a/src/cli/fs/Makefile.am b/src/cli/fs/Makefile.am
new file mode 100644
index 000000000..0d489dbe6
--- /dev/null
+++ b/src/cli/fs/Makefile.am
@@ -0,0 +1,107 @@
+# This Makefile.am is in the public domain
+AM_CPPFLAGS = -I$(top_srcdir)/src/include
+
+if USE_COVERAGE
+  AM_CFLAGS = --coverage -O0
+  XLIB = -lgcov
+endif
+
+pkgcfgdir= $(pkgdatadir)/config.d/
+
+libexecdir= $(pkglibdir)/libexec/
+
+bin_PROGRAMS = \
+  gnunet-auto-share \
+  gnunet-directory \
+  gnunet-download \
+  gnunet-publish \
+  gnunet-search \
+  gnunet-fs \
+  gnunet-unindex
+
+gnunet_directory_SOURCES = \
+ gnunet-directory.c
+gnunet_directory_LDADD = \
+  $(top_builddir)/src/service/fs/libgnunetfs.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(GN_LIBINTL)
+
+if HAVE_LIBEXTRACTOR
+gnunet_directory_LDADD += \
+  -lextractor
+endif
+
+gnunet_fs_SOURCES = \
+ gnunet-fs.c
+gnunet_fs_LDADD = \
+  $(top_builddir)/src/service/fs/libgnunetfs.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(GN_LIBINTL)
+
+if HAVE_LIBEXTRACTOR
+gnunet_fs_LDADD += \
+  -lextractor
+endif
+
+gnunet_download_SOURCES =  \
+ gnunet-download.c
+gnunet_download_LDADD =  \
+ $(top_builddir)/src/service/fs/libgnunetfs.la \
+ $(top_builddir)/src/lib/util/libgnunetutil.la \
+ $(GN_LIBINTL)
+
+gnunet_publish_SOURCES =  \
+ gnunet-publish.c
+gnunet_publish_LDADD =  \
+ $(top_builddir)/src/service/identity/libgnunetidentity.la \
+ $(top_builddir)/src/service/fs/libgnunetfs.la \
+ $(top_builddir)/src/lib/util/libgnunetutil.la \
+ $(GN_LIBINTL)
+
+if HAVE_LIBEXTRACTOR
+gnunet_publish_LDADD += \
+  -lextractor
+endif
+
+gnunet_auto_share_SOURCES =  \
+ gnunet-auto-share.c
+gnunet_auto_share_LDADD =  \
+ $(top_builddir)/src/lib/util/libgnunetutil.la \
+ $(GN_LIBINTL)
+
+if HAVE_LIBEXTRACTOR
+gnunet_auto_share_LDADD += \
+  -lextractor
+endif
+
+gnunet_helper_fs_publish_SOURCES =  \
+ gnunet-helper-fs-publish.c
+gnunet_helper_fs_publish_LDADD =  \
+  $(top_builddir)/src/service/fs/libgnunetfs.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(GN_LIBINTL)
+
+if HAVE_LIBEXTRACTOR
+gnunet_helper_fs_publish_LDADD += \
+  -lextractor
+endif
+
+gnunet_search_SOURCES = \
+ gnunet-search.c
+gnunet_search_LDADD = \
+  $(top_builddir)/src/service/fs/libgnunetfs.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(GN_LIBINTL)
+
+if HAVE_LIBEXTRACTOR
+gnunet_search_LDADD += \
+  -lextractor
+endif
+
+
+gnunet_unindex_SOURCES = \
+ gnunet-unindex.c
+gnunet_unindex_LDADD = \
+  $(top_builddir)/src/service/fs/libgnunetfs.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(GN_LIBINTL)
diff --git a/src/cli/fs/gnunet-auto-share.c b/src/cli/fs/gnunet-auto-share.c
new file mode 100644
index 000000000..f91e9d00d
--- /dev/null
+++ b/src/cli/fs/gnunet-auto-share.c
@@ -0,0 +1,791 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2001--2012 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file fs/gnunet-auto-share.c
+ * @brief automatically publish files on GNUnet
+ * @author Christian Grothoff
+ *
+ * TODO:
+ * - support loading meta data / keywords from resource file
+ * - add stability timer (a la buildbot)
+ */
+#include "platform.h"
+#include "gnunet_util_lib.h"
+
+#define MAX_DELAY GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_HOURS, 4)
+
+#define MIN_DELAY GNUNET_TIME_UNIT_MINUTES
+
+
+/**
+ * Item in our work queue (or in the set of files/directories
+ * we have successfully published).
+ */
+struct WorkItem
+{
+  /**
+   * PENDING Work is kept in a linked list.
+   */
+  struct WorkItem *prev;
+
+  /**
+   * PENDING Work is kept in a linked list.
+   */
+  struct WorkItem *next;
+
+  /**
+   * Filename of the work item.
+   */
+  char *filename;
+
+  /**
+   * Unique identity for this work item (used to detect
+   * if we need to do the work again).
+   */
+  struct GNUNET_HashCode id;
+};
+
+
+/**
+ * Global return value from 'main'.
+ */
+static int ret;
+
+/**
+ * Are we running 'verbosely'?
+ */
+static unsigned int verbose;
+
+/**
+ * Configuration to use.
+ */
+static const struct GNUNET_CONFIGURATION_Handle *cfg;
+
+/**
+ * Name of the configuration file.
+ */
+static char *cfg_filename;
+
+/**
+ * Disable extractor option to use for publishing.
+ */
+static int disable_extractor;
+
+/**
+ * Disable creation time option to use for publishing.
+ */
+static int do_disable_creation_time;
+
+/**
+ * Handle for the main task that does scanning and working.
+ */
+static struct GNUNET_SCHEDULER_Task *run_task;
+
+/**
+ * Anonymity level option to use for publishing.
+ */
+static unsigned int anonymity_level = 1;
+
+/**
+ * Content priority option to use for publishing.
+ */
+static unsigned int content_priority = 365;
+
+/**
+ * Replication level option to use for publishing.
+ */
+static unsigned int replication_level = 1;
+
+/**
+ * Top-level directory we monitor to auto-publish.
+ */
+static const char *dir_name;
+
+/**
+ * Head of linked list of files still to publish.
+ */
+static struct WorkItem *work_head;
+
+/**
+ * Tail of linked list of files still to publish.
+ */
+static struct WorkItem *work_tail;
+
+/**
+ * Map from the hash of the filename (!) to a `struct WorkItem`
+ * that was finished.
+ */
+static struct GNUNET_CONTAINER_MultiHashMap *work_finished;
+
+/**
+ * Set to #GNUNET_YES if we are shutting down.
+ */
+static int do_shutdown;
+
+/**
+ * Start time of the current round; used to determine how long
+ * one iteration takes (which influences how fast we schedule
+ * the next one).
+ */
+static struct GNUNET_TIME_Absolute start_time;
+
+/**
+ * Pipe used to communicate 'gnunet-publish' completion (SIGCHLD) via signal.
+ */
+static struct GNUNET_DISK_PipeHandle *sigpipe;
+
+/**
+ * Handle to the 'gnunet-publish' process that we executed.
+ */
+static struct GNUNET_OS_Process *publish_proc;
+
+
+/**
+ * Compute the name of the state database file we will use.
+ */
+static char *
+get_state_file ()
+{
+  char *ret;
+
+  GNUNET_asprintf (&ret,
+                   "%s%s.auto-share",
+                   dir_name,
+                   (DIR_SEPARATOR == dir_name[strlen (dir_name) - 1])
+                   ? ""
+                   : DIR_SEPARATOR_STR);
+  return ret;
+}
+
+
+/**
+ * Load the set of #work_finished items from disk.
+ */
+static void
+load_state ()
+{
+  char *fn;
+  struct GNUNET_BIO_ReadHandle *rh;
+  uint32_t n;
+  struct GNUNET_HashCode id;
+  struct WorkItem *wi;
+  char *emsg;
+
+  emsg = NULL;
+  fn = get_state_file ();
+  rh = GNUNET_BIO_read_open_file (fn);
+  GNUNET_free (fn);
+  if (NULL == rh)
+    return;
+  fn = NULL;
+  if (GNUNET_OK != GNUNET_BIO_read_int32 (rh, "number of files",
+                                          (int32_t *) &n))
+    goto error;
+  while (n-- > 0)
+  {
+    struct GNUNET_BIO_ReadSpec rs[] = {
+      GNUNET_BIO_read_spec_string ("filename", &fn, 1024),
+      GNUNET_BIO_read_spec_object ("id", &id, sizeof(struct GNUNET_HashCode)),
+      GNUNET_BIO_read_spec_end (),
+    };
+    if (GNUNET_OK != GNUNET_BIO_read_spec_commit (rh, rs))
+      goto error;
+    wi = GNUNET_new (struct WorkItem);
+    wi->id = id;
+    wi->filename = fn;
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Loaded serialization ID for `%s' is `%s'\n",
+                wi->filename,
+                GNUNET_h2s (&id));
+    fn = NULL;
+    GNUNET_CRYPTO_hash (wi->filename, strlen (wi->filename), &id);
+    GNUNET_break (GNUNET_OK ==
+                  GNUNET_CONTAINER_multihashmap_put (
+                    work_finished,
+                    &id,
+                    wi,
+                    GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY));
+  }
+  if (GNUNET_OK == GNUNET_BIO_read_close (rh, &emsg))
+    return;
+  rh = NULL;
+error:
+  GNUNET_free (fn);
+  if (NULL != rh)
+    (void) GNUNET_BIO_read_close (rh, &emsg);
+  GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+              _ ("Failed to load state: %s\n"),
+              emsg);
+  GNUNET_free (emsg);
+}
+
+
+/**
+ * Write work item from the #work_finished map to the given write handle.
+ *
+ * @param cls the `struct GNUNET_BIO_WriteHandle *`
+ * @param key key of the item in the map (unused)
+ * @param value the `struct WorkItem` to write
+ * @return #GNUNET_OK to continue to iterate (if write worked)
+ */
+static int
+write_item (void *cls, const struct GNUNET_HashCode *key, void *value)
+{
+  struct GNUNET_BIO_WriteHandle *wh = cls;
+  struct WorkItem *wi = value;
+
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Saving serialization ID of file `%s' with value `%s'\n",
+              wi->filename,
+              GNUNET_h2s (&wi->id));
+  struct GNUNET_BIO_WriteSpec ws[] = {
+    GNUNET_BIO_write_spec_string ("auto-share-write-item-filename",
+                                  wi->filename),
+    GNUNET_BIO_write_spec_object ("id", &wi->id, sizeof(struct
+                                                        GNUNET_HashCode)),
+    GNUNET_BIO_write_spec_end (),
+  };
+  if (GNUNET_OK != GNUNET_BIO_write_spec_commit (wh, ws))
+    return GNUNET_SYSERR; /* write error, abort iteration */
+  return GNUNET_OK;
+}
+
+
+/**
+ * Save the set of #work_finished items on disk.
+ */
+static void
+save_state ()
+{
+  uint32_t n;
+  struct GNUNET_BIO_WriteHandle *wh;
+  char *fn;
+
+  n = GNUNET_CONTAINER_multihashmap_size (work_finished);
+  fn = get_state_file ();
+  wh = GNUNET_BIO_write_open_file (fn);
+  if (NULL == wh)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                _ ("Failed to save state to file %s\n"),
+                fn);
+    GNUNET_free (fn);
+    return;
+  }
+  if (GNUNET_OK != GNUNET_BIO_write_int32 (wh, "size of state", n))
+  {
+    (void) GNUNET_BIO_write_close (wh, NULL);
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                _ ("Failed to save state to file %s\n"),
+                fn);
+    GNUNET_free (fn);
+    return;
+  }
+  (void) GNUNET_CONTAINER_multihashmap_iterate (work_finished, &write_item, wh);
+  if (GNUNET_OK != GNUNET_BIO_write_close (wh, NULL))
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                _ ("Failed to save state to file %s\n"),
+                fn);
+  GNUNET_free (fn);
+}
+
+
+/**
+ * Task run on shutdown.  Serializes our current state to disk.
+ *
+ * @param cls closure, unused
+ */
+static void
+do_stop_task (void *cls)
+{
+  do_shutdown = GNUNET_YES;
+  if (NULL != publish_proc)
+  {
+    GNUNET_OS_process_kill (publish_proc, SIGKILL);
+    return;
+  }
+  if (NULL != run_task)
+  {
+    GNUNET_SCHEDULER_cancel (run_task);
+    run_task = NULL;
+  }
+}
+
+
+/**
+ * Decide what the next task is (working or scanning) and schedule it.
+ */
+static void
+schedule_next_task (void);
+
+
+/**
+ * Task triggered whenever we receive a SIGCHLD (child
+ * process died).
+ *
+ * @param cls the `struct WorkItem` we were working on
+ */
+static void
+maint_child_death (void *cls)
+{
+  struct WorkItem *wi = cls;
+  struct GNUNET_HashCode key;
+  enum GNUNET_OS_ProcessStatusType type;
+  unsigned long code;
+  int ret;
+  char c;
+  const struct GNUNET_DISK_FileHandle *pr;
+  const struct GNUNET_SCHEDULER_TaskContext *tc;
+
+  run_task = NULL;
+  pr = GNUNET_DISK_pipe_handle (sigpipe, GNUNET_DISK_PIPE_END_READ);
+  tc = GNUNET_SCHEDULER_get_task_context ();
+  if (0 == (tc->reason & GNUNET_SCHEDULER_REASON_READ_READY))
+  {
+    /* shutdown scheduled us, someone else will kill child,
+       we should just try again */
+    run_task = GNUNET_SCHEDULER_add_read_file (GNUNET_TIME_UNIT_FOREVER_REL,
+                                               pr,
+                                               &maint_child_death,
+                                               wi);
+    return;
+  }
+  /* consume the signal */
+  GNUNET_break (0 < GNUNET_DISK_file_read (pr, &c, sizeof(c)));
+
+  ret = GNUNET_OS_process_status (publish_proc, &type, &code);
+  GNUNET_assert (GNUNET_SYSERR != ret);
+  if (GNUNET_NO == ret)
+  {
+    /* process still running? Then where did the SIGCHLD come from?
+       Well, let's declare it spurious (kernel bug?) and keep rolling.
+     */
+    GNUNET_break (0);
+    run_task = GNUNET_SCHEDULER_add_read_file (GNUNET_TIME_UNIT_FOREVER_REL,
+                                               pr,
+                                               &maint_child_death,
+                                               wi);
+    return;
+  }
+  GNUNET_assert (GNUNET_OK == ret);
+
+  GNUNET_OS_process_destroy (publish_proc);
+  publish_proc = NULL;
+
+  if (GNUNET_YES == do_shutdown)
+  {
+    GNUNET_free (wi->filename);
+    GNUNET_free (wi);
+    return;
+  }
+  if ((GNUNET_OS_PROCESS_EXITED == type) && (0 == code))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+                _ ("Publication of `%s' done\n"),
+                wi->filename);
+    GNUNET_CRYPTO_hash (wi->filename, strlen (wi->filename), &key);
+    GNUNET_break (GNUNET_OK ==
+                  GNUNET_CONTAINER_multihashmap_put (
+                    work_finished,
+                    &key,
+                    wi,
+                    GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY));
+  }
+  else
+  {
+    GNUNET_CONTAINER_DLL_insert_tail (work_head, work_tail, wi);
+  }
+  save_state ();
+  schedule_next_task ();
+}
+
+
+/**
+ * Signal handler called for SIGCHLD.  Triggers the
+ * respective handler by writing to the trigger pipe.
+ */
+static void
+sighandler_child_death ()
+{
+  static char c;
+  int old_errno = errno; /* back-up errno */
+
+  GNUNET_break (
+    1 ==
+    GNUNET_DISK_file_write (GNUNET_DISK_pipe_handle (sigpipe,
+                                                     GNUNET_DISK_PIPE_END_WRITE),
+                            &c,
+                            sizeof(c)));
+  errno = old_errno; /* restore errno */
+}
+
+
+/**
+ * Function called to process work items.
+ *
+ * @param cls closure, NULL
+ */
+static void
+work (void *cls)
+{
+  static char *argv[14];
+  static char anon_level[20];
+  static char content_prio[20];
+  static char repl_level[20];
+  struct WorkItem *wi;
+  const struct GNUNET_DISK_FileHandle *pr;
+  int argc;
+
+  run_task = NULL;
+  wi = work_head;
+  GNUNET_CONTAINER_DLL_remove (work_head, work_tail, wi);
+  argc = 0;
+  argv[argc++] = "gnunet-publish";
+  if (verbose)
+    argv[argc++] = "-V";
+  if (disable_extractor)
+    argv[argc++] = "-D";
+  if (do_disable_creation_time)
+    argv[argc++] = "-d";
+  argv[argc++] = "-c";
+  argv[argc++] = cfg_filename;
+  GNUNET_snprintf (anon_level, sizeof(anon_level), "%u", anonymity_level);
+  argv[argc++] = "-a";
+  argv[argc++] = anon_level;
+  GNUNET_snprintf (content_prio, sizeof(content_prio), "%u", content_priority);
+  argv[argc++] = "-p";
+  argv[argc++] = content_prio;
+  GNUNET_snprintf (repl_level, sizeof(repl_level), "%u", replication_level);
+  argv[argc++] = "-r";
+  argv[argc++] = repl_level;
+  argv[argc++] = wi->filename;
+  argv[argc] = NULL;
+  GNUNET_log (GNUNET_ERROR_TYPE_INFO, _ ("Publishing `%s'\n"), wi->filename);
+  GNUNET_assert (NULL == publish_proc);
+  publish_proc = GNUNET_OS_start_process_vap (GNUNET_OS_USE_PIPE_CONTROL,
+                                              NULL,
+                                              NULL,
+                                              NULL,
+                                              "gnunet-publish",
+                                              argv);
+  if (NULL == publish_proc)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                _ ("Failed to run `%s'\n"),
+                "gnunet-publish");
+    GNUNET_CONTAINER_DLL_insert (work_head, work_tail, wi);
+    run_task =
+      GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_UNIT_MINUTES, &work, NULL);
+    return;
+  }
+  pr = GNUNET_DISK_pipe_handle (sigpipe, GNUNET_DISK_PIPE_END_READ);
+  run_task = GNUNET_SCHEDULER_add_read_file (GNUNET_TIME_UNIT_FOREVER_REL,
+                                             pr,
+                                             &maint_child_death,
+                                             wi);
+}
+
+
+/**
+ * Recursively scan the given file/directory structure to determine
+ * a unique ID that represents the current state of the hierarchy.
+ *
+ * @param cls where to store the unique ID we are computing
+ * @param filename file to scan
+ * @return #GNUNET_OK (always)
+ */
+static int
+determine_id (void *cls, const char *filename)
+{
+  struct GNUNET_HashCode *id = cls;
+  struct stat sbuf;
+  struct GNUNET_HashCode fx[2];
+  struct GNUNET_HashCode ft;
+
+  if (0 != stat (filename, &sbuf))
+  {
+    GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_WARNING, "stat", filename);
+    return GNUNET_OK;
+  }
+  GNUNET_CRYPTO_hash (filename, strlen (filename), &fx[0]);
+  if (! S_ISDIR (sbuf.st_mode))
+  {
+    uint64_t fattr[2];
+
+    fattr[0] = GNUNET_htonll (sbuf.st_size);
+    fattr[0] = GNUNET_htonll (sbuf.st_mtime);
+
+    GNUNET_CRYPTO_hash (fattr, sizeof(fattr), &fx[1]);
+  }
+  else
+  {
+    memset (&fx[1], 1, sizeof(struct GNUNET_HashCode));
+    GNUNET_DISK_directory_scan (filename, &determine_id, &fx[1]);
+  }
+  /* use hash here to make hierarchical structure distinct from
+     all files on the same level */
+  GNUNET_CRYPTO_hash (fx, sizeof(fx), &ft);
+  /* use XOR here so that order of the files in the directory
+     does not matter! */
+  GNUNET_CRYPTO_hash_xor (&ft, id, id);
+  return GNUNET_OK;
+}
+
+
+/**
+ * Function called with a filename (or directory name) to publish
+ * (if it has changed since the last time we published it).  This function
+ * is called for the top-level files only.
+ *
+ * @param cls closure, NULL
+ * @param filename complete filename (absolute path)
+ * @return #GNUNET_OK to continue to iterate, #GNUNET_SYSERR during shutdown
+ */
+static int
+add_file (void *cls, const char *filename)
+{
+  struct WorkItem *wi;
+  struct GNUNET_HashCode key;
+  struct GNUNET_HashCode id;
+
+  if (GNUNET_YES == do_shutdown)
+    return GNUNET_SYSERR;
+  if ((NULL != strstr (filename, "/.auto-share")) ||
+      (NULL != strstr (filename, "\\.auto-share")))
+    return GNUNET_OK; /* skip internal file */
+  GNUNET_CRYPTO_hash (filename, strlen (filename), &key);
+  wi = GNUNET_CONTAINER_multihashmap_get (work_finished, &key);
+  memset (&id, 0, sizeof(struct GNUNET_HashCode));
+  determine_id (&id, filename);
+  if (NULL != wi)
+  {
+    if (0 == memcmp (&id, &wi->id, sizeof(struct GNUNET_HashCode)))
+      return GNUNET_OK;   /* skip: we did this one already */
+    /* contents changed, need to re-do the directory... */
+    GNUNET_assert (
+      GNUNET_YES ==
+      GNUNET_CONTAINER_multihashmap_remove (work_finished, &key, wi));
+  }
+  else
+  {
+    wi = GNUNET_new (struct WorkItem);
+    wi->filename = GNUNET_strdup (filename);
+  }
+  wi->id = id;
+  GNUNET_CONTAINER_DLL_insert (work_head, work_tail, wi);
+  if (GNUNET_YES == do_shutdown)
+    return GNUNET_SYSERR;
+  return GNUNET_OK;
+}
+
+
+/**
+ * Periodically run task to update our view of the directory to share.
+ *
+ * @param cls NULL
+ */
+static void
+scan (void *cls)
+{
+  run_task = NULL;
+  start_time = GNUNET_TIME_absolute_get ();
+  (void) GNUNET_DISK_directory_scan (dir_name, &add_file, NULL);
+  schedule_next_task ();
+}
+
+
+/**
+ * Decide what the next task is (working or scanning) and schedule it.
+ */
+static void
+schedule_next_task ()
+{
+  struct GNUNET_TIME_Relative delay;
+
+  if (GNUNET_YES == do_shutdown)
+    return;
+  GNUNET_assert (NULL == run_task);
+  if (NULL == work_head)
+  {
+    /* delay by at most 4h, at least 1s, and otherwise in between depending
+       on how long it took to scan */
+    delay = GNUNET_TIME_absolute_get_duration (start_time);
+    delay = GNUNET_TIME_relative_saturating_multiply (delay, 100);
+    delay = GNUNET_TIME_relative_min (delay, MAX_DELAY);
+    delay = GNUNET_TIME_relative_max (delay, MIN_DELAY);
+    run_task = GNUNET_SCHEDULER_add_delayed (delay, &scan, NULL);
+  }
+  else
+  {
+    run_task = GNUNET_SCHEDULER_add_now (&work, NULL);
+  }
+}
+
+
+/**
+ * Main function that will be run by the scheduler.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param c configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *c)
+{
+  /* check arguments */
+  if ((NULL == args[0]) || (NULL != args[1]) ||
+      (GNUNET_YES != GNUNET_DISK_directory_test (args[0], GNUNET_YES)))
+  {
+    printf (_ (
+              "You must specify one and only one directory name for automatic publication.\n"));
+    ret = -1;
+    return;
+  }
+  cfg_filename = GNUNET_strdup (cfgfile);
+  cfg = c;
+  dir_name = args[0];
+  work_finished = GNUNET_CONTAINER_multihashmap_create (1024, GNUNET_NO);
+  load_state ();
+  run_task = GNUNET_SCHEDULER_add_with_priority (GNUNET_SCHEDULER_PRIORITY_IDLE,
+                                                 &scan,
+                                                 NULL);
+  GNUNET_SCHEDULER_add_shutdown (&do_stop_task, NULL);
+}
+
+
+/**
+ * Free memory associated with the work item from the work_finished map.
+ *
+ * @param cls NULL (unused)
+ * @param key key of the item in the map (unused)
+ * @param value the `struct WorkItem` to free
+ * @return #GNUNET_OK to continue to iterate
+ */
+static int
+free_item (void *cls, const struct GNUNET_HashCode *key, void *value)
+{
+  struct WorkItem *wi = value;
+
+  GNUNET_free (wi->filename);
+  GNUNET_free (wi);
+  return GNUNET_OK;
+}
+
+
+/**
+ * The main function to automatically publish content to GNUnet.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc, char *const *argv)
+{
+  struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_option_uint ('a',
+                               "anonymity",
+                               "LEVEL",
+                               gettext_noop (
+                                 "set the desired LEVEL of sender-anonymity"),
+                               &anonymity_level),
+
+    GNUNET_GETOPT_option_flag (
+      'd',
+      "disable-creation-time",
+      gettext_noop (
+        "disable adding the creation time to the metadata of the uploaded file"),
+      &do_disable_creation_time),
+
+    GNUNET_GETOPT_option_flag (
+      'D',
+      "disable-extractor",
+      gettext_noop ("do not use libextractor to add keywords or metadata"),
+      &disable_extractor),
+
+    GNUNET_GETOPT_option_uint ('p',
+                               "priority",
+                               "PRIORITY",
+                               gettext_noop (
+                                 "specify the priority of the content"),
+                               &content_priority),
+
+    GNUNET_GETOPT_option_uint ('r',
+                               "replication",
+                               "LEVEL",
+                               gettext_noop (
+                                 "set the desired replication LEVEL"),
+                               &replication_level),
+
+    GNUNET_GETOPT_option_verbose (&verbose),
+
+    GNUNET_GETOPT_OPTION_END
+  };
+  struct WorkItem *wi;
+  int ok;
+  struct GNUNET_SIGNAL_Context *shc_chld;
+
+  if (GNUNET_OK != GNUNET_STRINGS_get_utf8_args (argc, argv, &argc, &argv))
+    return 2;
+  sigpipe = GNUNET_DISK_pipe (GNUNET_DISK_PF_NONE);
+  GNUNET_assert (NULL != sigpipe);
+  shc_chld =
+    GNUNET_SIGNAL_handler_install (GNUNET_SIGCHLD, &sighandler_child_death);
+  ok =
+    (GNUNET_OK ==
+     GNUNET_PROGRAM_run (
+       argc,
+       argv,
+       "gnunet-auto-share [OPTIONS] FILENAME",
+       gettext_noop ("Automatically publish files from a directory on GNUnet"),
+       options,
+       &run,
+       NULL))
+    ? ret
+    : 1;
+  if (NULL != work_finished)
+  {
+    (void) GNUNET_CONTAINER_multihashmap_iterate (work_finished,
+                                                  &free_item,
+                                                  NULL);
+    GNUNET_CONTAINER_multihashmap_destroy (work_finished);
+  }
+  while (NULL != (wi = work_head))
+  {
+    GNUNET_CONTAINER_DLL_remove (work_head, work_tail, wi);
+    GNUNET_free (wi->filename);
+    GNUNET_free (wi);
+  }
+  GNUNET_SIGNAL_handler_uninstall (shc_chld);
+  shc_chld = NULL;
+  GNUNET_DISK_pipe_close (sigpipe);
+  sigpipe = NULL;
+  GNUNET_free (cfg_filename);
+  cfg_filename = NULL;
+  GNUNET_free_nz ((void *) argv);
+  return ok;
+}
+
+
+/* end of gnunet-auto-share.c */
diff --git a/src/cli/fs/gnunet-directory.c b/src/cli/fs/gnunet-directory.c
new file mode 100644
index 000000000..ab9f2905a
--- /dev/null
+++ b/src/cli/fs/gnunet-directory.c
@@ -0,0 +1,212 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2001, 2002, 2004, 2005, 2006, 2007, 2009 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file fs/gnunet-directory.c
+ * @brief display content of GNUnet directories
+ * @author Christian Grothoff
+ */
+#include "platform.h"
+
+#include "gnunet_fs_service.h"
+
+static int ret;
+
+/**
+ * Print a meta data entry.
+ *
+ * @param cls closure (unused)
+ * @param plugin_name name of the plugin that generated the meta data
+ * @param type type of the keyword
+ * @param format format of data
+ * @param data_mime_type mime type of data
+ * @param data value of the meta data
+ * @param data_size number of bytes in @a data
+ * @return always 0 (to continue iterating)
+ */
+static int
+item_printer (void *cls,
+              const char *plugin_name,
+              enum EXTRACTOR_MetaType type,
+              enum EXTRACTOR_MetaFormat format,
+              const char *data_mime_type,
+              const char *data,
+              size_t data_size)
+{
+  if (type == EXTRACTOR_METATYPE_GNUNET_FULL_DATA)
+  {
+    printf (_ ("\t<original file embedded in %u bytes of meta data>\n"),
+            (unsigned int) data_size);
+    return 0;
+  }
+  if ((format != EXTRACTOR_METAFORMAT_UTF8) &&
+      (format != EXTRACTOR_METAFORMAT_C_STRING))
+    return 0;
+  if (type == EXTRACTOR_METATYPE_GNUNET_ORIGINAL_FILENAME)
+    return 0;
+#if HAVE_LIBEXTRACTOR
+  printf ("\t%20s: %s\n",
+          dgettext (LIBEXTRACTOR_GETTEXT_DOMAIN,
+                    EXTRACTOR_metatype_to_string (type)),
+          data);
+#else
+  printf ("\t%20d: %s\n", type, data);
+#endif
+  return 0;
+}
+
+
+/**
+ * Print an entry in a directory.
+ *
+ * @param cls closure (not used)
+ * @param filename name of the file in the directory
+ * @param uri URI of the file
+ * @param meta metadata for the file; metadata for
+ *        the directory if everything else is NULL/zero
+ * @param length length of the available data for the file
+ *           (of type size_t since data must certainly fit
+ *            into memory; if files are larger than size_t
+ *            permits, then they will certainly not be
+ *            embedded with the directory itself).
+ * @param data data available for the file (length bytes)
+ */
+static void
+print_entry (void *cls,
+             const char *filename,
+             const struct GNUNET_FS_Uri *uri,
+             const struct GNUNET_FS_MetaData *meta,
+             size_t length,
+             const void *data)
+{
+  char *string;
+  char *name;
+
+  name = GNUNET_FS_meta_data_get_by_type (
+    meta,
+    EXTRACTOR_METATYPE_GNUNET_ORIGINAL_FILENAME);
+  if (uri == NULL)
+  {
+    printf (_ ("Directory `%s' meta data:\n"), name ? name : "");
+    GNUNET_FS_meta_data_iterate (meta, &item_printer, NULL);
+    printf ("\n");
+    printf (_ ("Directory `%s' contents:\n"), name ? name : "");
+    GNUNET_free (name);
+    return;
+  }
+  string = GNUNET_FS_uri_to_string (uri);
+  printf ("%s (%s):\n", name ? name : "", string);
+  GNUNET_free (string);
+  GNUNET_FS_meta_data_iterate (meta, &item_printer, NULL);
+  printf ("\n");
+  GNUNET_free (name);
+}
+
+
+/**
+ * Main function that will be run by the scheduler.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param cfg configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  struct GNUNET_DISK_MapHandle *map;
+  struct GNUNET_DISK_FileHandle *h;
+  void *data;
+  size_t len;
+  uint64_t size;
+  const char *filename;
+  int i;
+
+  if (NULL == args[0])
+  {
+    fprintf (stderr, "%s", _ ("You must specify a filename to inspect.\n"));
+    ret = 1;
+    return;
+  }
+  i = 0;
+  while (NULL != (filename = args[i++]))
+  {
+    if ((GNUNET_OK !=
+         GNUNET_DISK_file_size (filename, &size, GNUNET_YES, GNUNET_YES)) ||
+        (NULL == (h = GNUNET_DISK_file_open (filename,
+                                             GNUNET_DISK_OPEN_READ,
+                                             GNUNET_DISK_PERM_NONE))))
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                  _ ("Failed to read directory `%s'\n"),
+                  filename);
+      ret = 1;
+      continue;
+    }
+    len = (size_t) size;
+    data = GNUNET_DISK_file_map (h, &map, GNUNET_DISK_MAP_TYPE_READ, len);
+    GNUNET_assert (NULL != data);
+    if (GNUNET_OK !=
+        GNUNET_FS_directory_list_contents (len, data, 0, &print_entry, NULL))
+      fprintf (stdout, _ ("`%s' is not a GNUnet directory\n"), filename);
+    else
+      printf ("\n");
+    GNUNET_DISK_file_unmap (map);
+    GNUNET_DISK_file_close (h);
+  }
+}
+
+
+/**
+ * The main function to inspect GNUnet directories.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc, char *const *argv)
+{
+  static struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_OPTION_END
+  };
+
+  if (GNUNET_OK != GNUNET_STRINGS_get_utf8_args (argc, argv, &argc, &argv))
+    return 2;
+
+  ret = (GNUNET_OK ==
+         GNUNET_PROGRAM_run (argc,
+                             argv,
+                             "gnunet-directory [OPTIONS] FILENAME",
+                             gettext_noop (
+                               "Display contents of a GNUnet directory"),
+                             options,
+                             &run,
+                             NULL))
+        ? ret
+        : 1;
+  GNUNET_free_nz ((void *) argv);
+  return ret;
+}
+
+
+/* end of gnunet-directory.c */
diff --git a/src/cli/fs/gnunet-download.c b/src/cli/fs/gnunet-download.c
new file mode 100644
index 000000000..4694077e9
--- /dev/null
+++ b/src/cli/fs/gnunet-download.c
@@ -0,0 +1,385 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2001, 2002, 2004, 2005, 2006, 2007, 2009 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file fs/gnunet-download.c
+ * @brief downloading for files on GNUnet
+ * @author Christian Grothoff
+ * @author Krista Bennett
+ * @author James Blackwell
+ * @author Igor Wronsky
+ */
+#include "platform.h"
+
+#include "gnunet_fs_service.h"
+
+static int ret;
+
+static unsigned int verbose;
+
+static int delete_incomplete;
+
+static const struct GNUNET_CONFIGURATION_Handle *cfg;
+
+static struct GNUNET_FS_Handle *ctx;
+
+static struct GNUNET_FS_DownloadContext *dc;
+
+static unsigned int anonymity = 1;
+
+static unsigned int parallelism = 16;
+
+static unsigned int request_parallelism = 4092;
+
+static int do_recursive;
+
+static char *filename;
+
+static int local_only;
+
+
+static void
+cleanup_task (void *cls)
+{
+  GNUNET_FS_stop (ctx);
+  ctx = NULL;
+}
+
+
+static void
+shutdown_task (void *cls)
+{
+  if (NULL != dc)
+  {
+    GNUNET_FS_download_stop (dc, delete_incomplete);
+    dc = NULL;
+  }
+}
+
+
+/**
+ * Display progress bar (if tty).
+ *
+ * @param x current position in the download
+ * @param n total size of the download
+ * @param w desired number of steps in the progress bar
+ */
+static void
+display_bar (unsigned long long x, unsigned long long n, unsigned int w)
+{
+  char buf[w + 20];
+  unsigned int p;
+  unsigned int endeq;
+  float ratio_complete;
+
+  if (0 == isatty (1))
+    return;
+  ratio_complete = x / (float) n;
+  endeq = ratio_complete * w;
+  GNUNET_snprintf (buf, sizeof(buf), "%3d%% [", (int) (ratio_complete * 100));
+  for (p = 0; p < endeq; p++)
+    strcat (buf, "=");
+  for (p = endeq; p < w; p++)
+    strcat (buf, " ");
+  strcat (buf, "]\r");
+  printf ("%s", buf);
+  fflush (stdout);
+}
+
+
+/**
+ * Called by FS client to give information about the progress of an
+ * operation.
+ *
+ * @param cls closure
+ * @param info details about the event, specifying the event type
+ *        and various bits about the event
+ * @return client-context (for the next progress call
+ *         for this operation; should be set to NULL for
+ *         SUSPEND and STOPPED events).  The value returned
+ *         will be passed to future callbacks in the respective
+ *         field in the `struct GNUNET_FS_ProgressInfo`
+ */
+static void *
+progress_cb (void *cls, const struct GNUNET_FS_ProgressInfo *info)
+{
+  char *s;
+  const char *s2;
+  char *t;
+
+  switch (info->status)
+  {
+  case GNUNET_FS_STATUS_DOWNLOAD_START:
+    if (verbose > 1)
+      fprintf (stderr,
+               _ ("Starting download `%s'.\n"),
+               info->value.download.filename);
+    break;
+
+  case GNUNET_FS_STATUS_DOWNLOAD_PROGRESS:
+    if (verbose)
+    {
+      s = GNUNET_strdup (
+        GNUNET_STRINGS_relative_time_to_string (info->value.download.eta,
+                                                GNUNET_YES));
+      if (info->value.download.specifics.progress.block_download_duration
+          .rel_value_us == GNUNET_TIME_UNIT_FOREVER_REL.rel_value_us)
+        s2 = _ ("<unknown time>");
+      else
+        s2 = GNUNET_STRINGS_relative_time_to_string (info->value.download
+                                                     .specifics.progress
+                                                     .block_download_duration,
+                                                     GNUNET_YES);
+      t = GNUNET_STRINGS_byte_size_fancy (
+        info->value.download.completed * 1000LL
+        / (info->value.download.duration.rel_value_us + 1));
+      fprintf (
+        stdout,
+        _ (
+          "Downloading `%s' at %llu/%llu (%s remaining, %s/s). Block took %s to download\n"),
+        info->value.download.filename,
+        (unsigned long long) info->value.download.completed,
+        (unsigned long long) info->value.download.size,
+        s,
+        t,
+        s2);
+      GNUNET_free (s);
+      GNUNET_free (t);
+    }
+    else
+    {
+      display_bar (info->value.download.completed,
+                   info->value.download.size,
+                   60);
+    }
+    break;
+
+  case GNUNET_FS_STATUS_DOWNLOAD_ERROR:
+    if (0 != isatty (1))
+      fprintf (stdout, "\n");
+    fprintf (stderr,
+             _ ("Error downloading: %s.\n"),
+             info->value.download.specifics.error.message);
+    GNUNET_SCHEDULER_shutdown ();
+    break;
+
+  case GNUNET_FS_STATUS_DOWNLOAD_COMPLETED:
+    s = GNUNET_STRINGS_byte_size_fancy (
+      info->value.download.completed * 1000
+      / (info->value.download.duration.rel_value_us + 1));
+    if (0 != isatty (1))
+      fprintf (stdout, "\n");
+    fprintf (stdout,
+             _ ("Downloading `%s' done (%s/s).\n"),
+             info->value.download.filename,
+             s);
+    GNUNET_free (s);
+    if (info->value.download.dc == dc)
+      GNUNET_SCHEDULER_shutdown ();
+    break;
+
+  case GNUNET_FS_STATUS_DOWNLOAD_STOPPED:
+    if (info->value.download.dc == dc)
+      GNUNET_SCHEDULER_add_now (&cleanup_task, NULL);
+    break;
+
+  case GNUNET_FS_STATUS_DOWNLOAD_ACTIVE:
+  case GNUNET_FS_STATUS_DOWNLOAD_INACTIVE:
+    break;
+
+  default:
+    fprintf (stderr, _ ("Unexpected status: %d\n"), info->status);
+    break;
+  }
+  return NULL;
+}
+
+
+/**
+ * Main function that will be run by the scheduler.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param c configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *c)
+{
+  struct GNUNET_FS_Uri *uri;
+  char *emsg;
+  enum GNUNET_FS_DownloadOptions options;
+
+  if (NULL == args[0])
+  {
+    fprintf (stderr, "%s", _ ("You need to specify a URI argument.\n"));
+    return;
+  }
+  uri = GNUNET_FS_uri_parse (args[0], &emsg);
+  if (NULL == uri)
+  {
+    fprintf (stderr, _ ("Failed to parse URI: %s\n"), emsg);
+    GNUNET_free (emsg);
+    ret = 1;
+    return;
+  }
+  if ((! GNUNET_FS_uri_test_chk (uri)) && (! GNUNET_FS_uri_test_loc (uri)))
+  {
+    fprintf (stderr, "%s", _ ("Only CHK or LOC URIs supported.\n"));
+    ret = 1;
+    GNUNET_FS_uri_destroy (uri);
+    return;
+  }
+  if (NULL == filename)
+  {
+    fprintf (stderr, "%s", _ ("Target filename must be specified.\n"));
+    ret = 1;
+    GNUNET_FS_uri_destroy (uri);
+    return;
+  }
+  cfg = c;
+  ctx = GNUNET_FS_start (cfg,
+                         "gnunet-download",
+                         &progress_cb,
+                         NULL,
+                         GNUNET_FS_FLAGS_NONE,
+                         GNUNET_FS_OPTIONS_DOWNLOAD_PARALLELISM,
+                         parallelism,
+                         GNUNET_FS_OPTIONS_REQUEST_PARALLELISM,
+                         request_parallelism,
+                         GNUNET_FS_OPTIONS_END);
+  if (NULL == ctx)
+  {
+    fprintf (stderr, _ ("Could not initialize `%s' subsystem.\n"), "FS");
+    GNUNET_FS_uri_destroy (uri);
+    ret = 1;
+    return;
+  }
+  options = GNUNET_FS_DOWNLOAD_OPTION_NONE;
+  if (do_recursive)
+    options |= GNUNET_FS_DOWNLOAD_OPTION_RECURSIVE;
+  if (local_only)
+    options |= GNUNET_FS_DOWNLOAD_OPTION_LOOPBACK_ONLY;
+  dc = GNUNET_FS_download_start (ctx,
+                                 uri,
+                                 NULL,
+                                 filename,
+                                 NULL,
+                                 0,
+                                 GNUNET_FS_uri_chk_get_file_size (uri),
+                                 anonymity,
+                                 options,
+                                 NULL,
+                                 NULL);
+  GNUNET_FS_uri_destroy (uri);
+  if (dc == NULL)
+  {
+    GNUNET_FS_stop (ctx);
+    ctx = NULL;
+    return;
+  }
+  GNUNET_SCHEDULER_add_shutdown (&shutdown_task, NULL);
+}
+
+
+/**
+ * The main function to download GNUnet.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc, char *const *argv)
+{
+  struct GNUNET_GETOPT_CommandLineOption options[] =
+  { GNUNET_GETOPT_option_uint ('a',
+                               "anonymity",
+                               "LEVEL",
+                               gettext_noop (
+                                 "set the desired LEVEL of receiver-anonymity"),
+                               &anonymity),
+
+    GNUNET_GETOPT_option_flag (
+      'D',
+      "delete-incomplete",
+      gettext_noop ("delete incomplete downloads (when aborted with CTRL-C)"),
+      &delete_incomplete),
+
+    GNUNET_GETOPT_option_flag (
+      'n',
+      "no-network",
+      gettext_noop ("only search the local peer (no P2P network search)"),
+      &local_only),
+    GNUNET_GETOPT_option_string ('o',
+                                 "output",
+                                 "FILENAME",
+                                 gettext_noop ("write the file to FILENAME"),
+                                 &filename),
+    GNUNET_GETOPT_option_uint (
+      'p',
+      "parallelism",
+      "DOWNLOADS",
+      gettext_noop (
+        "set the maximum number of parallel downloads that is allowed"),
+      &parallelism),
+    GNUNET_GETOPT_option_uint (
+      'r',
+      "request-parallelism",
+      "REQUESTS",
+      gettext_noop (
+        "set the maximum number of parallel requests for blocks that is allowed"),
+      &request_parallelism),
+    GNUNET_GETOPT_option_flag ('R',
+                               "recursive",
+                               gettext_noop (
+                                 "download a GNUnet directory recursively"),
+                               &do_recursive),
+    GNUNET_GETOPT_option_increment_uint (
+      'V',
+      "verbose",
+      gettext_noop ("be verbose (print progress information)"),
+      &verbose),
+    GNUNET_GETOPT_OPTION_END };
+
+  if (GNUNET_OK != GNUNET_STRINGS_get_utf8_args (argc, argv, &argc, &argv))
+    return 2;
+
+  ret =
+    (GNUNET_OK ==
+     GNUNET_PROGRAM_run (
+       argc,
+       argv,
+       "gnunet-download [OPTIONS] URI",
+       gettext_noop (
+         "Download files from GNUnet using a GNUnet CHK or LOC URI (gnunet://fs/chk/...)"),
+       options,
+       &run,
+       NULL))
+    ? ret
+    : 1;
+  GNUNET_free_nz ((void *) argv);
+  return ret;
+}
+
+
+/* end of gnunet-download.c */
diff --git a/src/cli/fs/gnunet-fs.c b/src/cli/fs/gnunet-fs.c
new file mode 100644
index 000000000..21e3c4a40
--- /dev/null
+++ b/src/cli/fs/gnunet-fs.c
@@ -0,0 +1,191 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2011 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file fs/gnunet-fs.c
+ * @brief special file-sharing functions
+ * @author Christian Grothoff
+ */
+#include "platform.h"
+
+#include "gnunet_fs_service.h"
+
+/**
+ * Return value.
+ */
+static int ret;
+
+/**
+ * Handle to FS service.
+ */
+static struct GNUNET_FS_Handle *fs;
+
+/**
+ * Handle for the index listing operation.
+ */
+static struct GNUNET_FS_GetIndexedContext *gic;
+
+/**
+ * Option -i given?
+ */
+static int list_indexed_files;
+
+/**
+ * Option -v given?
+ */
+static unsigned int verbose;
+
+
+/**
+ * Print indexed filenames to stdout.
+ *
+ * @param cls closure
+ * @param filename the name of the file
+ * @param file_id hash of the contents of the indexed file
+ * @return #GNUNET_OK to continue iteration
+ */
+static enum GNUNET_GenericReturnValue
+print_indexed (void *cls,
+               const char *filename,
+               const struct GNUNET_HashCode *file_id)
+{
+  if (NULL == filename)
+  {
+    gic = NULL;
+    GNUNET_SCHEDULER_shutdown ();
+    return GNUNET_OK;
+  }
+  if (verbose)
+    fprintf (stdout,
+             "%s: %s\n",
+             GNUNET_h2s (file_id),
+             filename);
+  else
+    fprintf (stdout,
+             "%s\n",
+             filename);
+  return GNUNET_OK;
+}
+
+
+/**
+ * Function run on shutdown.
+ *
+ * @param cls NULL
+ */
+static void
+do_shutdown (void *cls)
+{
+  (void) cls;
+  if (NULL != gic)
+  {
+    GNUNET_FS_get_indexed_files_cancel (gic);
+    gic = NULL;
+  }
+  if (NULL != fs)
+  {
+    GNUNET_FS_stop (fs);
+    fs = NULL;
+  }
+}
+
+
+/**
+ * Main function that will be run by the scheduler.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param cfg configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  if (! list_indexed_files)
+    return;
+  GNUNET_SCHEDULER_add_shutdown (&do_shutdown,
+                                 NULL);
+  fs = GNUNET_FS_start (cfg,
+                        "gnunet-fs",
+                        NULL,
+                        NULL,
+                        GNUNET_FS_FLAGS_NONE,
+                        GNUNET_FS_OPTIONS_END);
+  if (NULL == fs)
+  {
+    ret = 1;
+    return;
+  }
+  gic = GNUNET_FS_get_indexed_files (fs,
+                                     &print_indexed,
+                                     NULL);
+  if (NULL == gic)
+  {
+    ret = 2;
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+}
+
+
+/**
+ * The main function to access special file-sharing functions.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc,
+      char *const *argv)
+{
+  struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_option_flag ('i',
+                               "list-indexed",
+                               gettext_noop (
+                                 "print a list of all indexed files"),
+                               &list_indexed_files),
+
+    GNUNET_GETOPT_option_verbose (&verbose),
+    GNUNET_GETOPT_OPTION_END
+  };
+
+  if (GNUNET_OK !=
+      GNUNET_STRINGS_get_utf8_args (argc, argv,
+                                    &argc, &argv))
+    return 2;
+  ret = (GNUNET_OK ==
+         GNUNET_PROGRAM_run (argc,
+                             argv,
+                             "gnunet-fs [OPTIONS]",
+                             gettext_noop ("Special file-sharing operations"),
+                             options,
+                             &run,
+                             NULL))
+        ? ret
+        : 1;
+  GNUNET_free_nz ((void *) argv);
+  return ret;
+}
+
+
+/* end of gnunet-fs.c */
diff --git a/src/cli/fs/gnunet-publish.c b/src/cli/fs/gnunet-publish.c
new file mode 100644
index 000000000..7a87130de
--- /dev/null
+++ b/src/cli/fs/gnunet-publish.c
@@ -0,0 +1,1009 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2001-2013 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file fs/gnunet-publish.c
+ * @brief publishing files on GNUnet
+ * @author Christian Grothoff
+ * @author Krista Bennett
+ * @author James Blackwell
+ * @author Igor Wronsky
+ */
+#include "platform.h"
+
+#include "gnunet_fs_service.h"
+#include "gnunet_identity_service.h"
+
+/**
+ * Global return value from #main().
+ */
+static int ret;
+
+/**
+ * Command line option 'verbose' set
+ */
+static unsigned int verbose;
+
+/**
+ * Handle to our configuration.
+ */
+static const struct GNUNET_CONFIGURATION_Handle *cfg;
+
+/**
+ * Handle for interaction with file-sharing service.
+ */
+static struct GNUNET_FS_Handle *ctx;
+
+/**
+ * Handle to FS-publishing operation.
+ */
+static struct GNUNET_FS_PublishContext *pc;
+
+/**
+ * Meta-data provided via command-line option.
+ */
+static struct GNUNET_FS_MetaData *meta;
+
+/**
+ * Keywords provided via command-line option.
+ */
+static struct GNUNET_FS_Uri *topKeywords;
+
+/**
+ * Options we set for published blocks.
+ */
+static struct GNUNET_FS_BlockOptions bo = { { 0LL }, 1, 365, 1 };
+
+/**
+ * Value of URI provided on command-line (when not publishing
+ * a file but just creating UBlocks to refer to an existing URI).
+ */
+static char *uri_string;
+
+/**
+ * Value of URI provided on command-line (when not publishing
+ * a file but just creating UBlocks to refer to an existing URI);
+ * parsed version of 'uri_string'.
+ */
+static struct GNUNET_FS_Uri *uri;
+
+/**
+ * Command-line option for namespace publishing: identifier for updates
+ * to this publication.
+ */
+static char *next_id;
+
+/**
+ * Command-line option for namespace publishing: identifier for this
+ * publication.
+ */
+static char *this_id;
+
+/**
+ * Command-line option identifying the pseudonym to use for the publication.
+ */
+static char *pseudonym;
+
+/**
+ * Command-line option for 'inserting'
+ */
+static int do_insert;
+
+/**
+ * Command-line option to disable meta data extraction.
+ */
+static int disable_extractor;
+
+/**
+ * Command-line option to merely simulate publishing operation.
+ */
+static int do_simulate;
+
+/**
+ * Command-line option to only perform meta data extraction, but not publish.
+ */
+static int extract_only;
+
+/**
+ * Command-line option to disable adding creation time.
+ */
+static int enable_creation_time;
+
+/**
+ * Handle to the directory scanner (for recursive insertions).
+ */
+static struct GNUNET_FS_DirScanner *ds;
+
+/**
+ * Which namespace do we publish to? NULL if we do not publish to
+ * a namespace.
+ */
+static struct GNUNET_IDENTITY_Ego *namespace;
+
+/**
+ * Handle to identity service.
+ */
+static struct GNUNET_IDENTITY_Handle *identity;
+
+
+/**
+ * We are finished with the publishing operation, clean up all
+ * FS state.
+ *
+ * @param cls NULL
+ */
+static void
+do_stop_task (void *cls)
+{
+  struct GNUNET_FS_PublishContext *p;
+
+  if (NULL != ds)
+  {
+    GNUNET_FS_directory_scan_abort (ds);
+    ds = NULL;
+  }
+  if (NULL != identity)
+  {
+    GNUNET_IDENTITY_disconnect (identity);
+    identity = NULL;
+  }
+  if (NULL != pc)
+  {
+    p = pc;
+    pc = NULL;
+    GNUNET_FS_publish_stop (p);
+  }
+  if (NULL != ctx)
+  {
+    GNUNET_FS_stop (ctx);
+    ctx = NULL;
+  }
+  if (NULL != meta)
+  {
+    GNUNET_FS_meta_data_destroy (meta);
+    meta = NULL;
+  }
+  if (NULL != uri)
+  {
+    GNUNET_FS_uri_destroy (uri);
+    uri = NULL;
+  }
+}
+
+
+/**
+ * Called by FS client to give information about the progress of an
+ * operation.
+ *
+ * @param cls closure
+ * @param info details about the event, specifying the event type
+ *        and various bits about the event
+ * @return client-context (for the next progress call
+ *         for this operation; should be set to NULL for
+ *         SUSPEND and STOPPED events).  The value returned
+ *         will be passed to future callbacks in the respective
+ *         field in the GNUNET_FS_ProgressInfo struct.
+ */
+static void *
+progress_cb (void *cls, const struct GNUNET_FS_ProgressInfo *info)
+{
+  const char *s;
+  char *suri;
+
+  switch (info->status)
+  {
+  case GNUNET_FS_STATUS_PUBLISH_START:
+    break;
+
+  case GNUNET_FS_STATUS_PUBLISH_PROGRESS:
+    if (verbose)
+    {
+      s = GNUNET_STRINGS_relative_time_to_string (info->value.publish.eta,
+                                                  GNUNET_YES);
+      fprintf (stdout,
+               _ ("Publishing `%s' at %llu/%llu (%s remaining)\n"),
+               info->value.publish.filename,
+               (unsigned long long) info->value.publish.completed,
+               (unsigned long long) info->value.publish.size,
+               s);
+    }
+    break;
+
+  case GNUNET_FS_STATUS_PUBLISH_PROGRESS_DIRECTORY:
+    if (verbose)
+    {
+      s = GNUNET_STRINGS_relative_time_to_string (info->value.publish.specifics
+                                                  .progress_directory.eta,
+                                                  GNUNET_YES);
+      fprintf (stdout,
+               _ ("Publishing `%s' at %llu/%llu (%s remaining)\n"),
+               info->value.publish.filename,
+               (unsigned long long)
+               info->value.publish.specifics.progress_directory.completed,
+               (unsigned long long)
+               info->value.publish.specifics.progress_directory.total,
+               s);
+    }
+    break;
+
+  case GNUNET_FS_STATUS_PUBLISH_ERROR:
+    fprintf (stderr,
+             _ ("Error publishing: %s.\n"),
+             info->value.publish.specifics.error.message);
+    ret = 1;
+    GNUNET_SCHEDULER_shutdown ();
+    break;
+
+  case GNUNET_FS_STATUS_PUBLISH_COMPLETED:
+    fprintf (stdout,
+             _ ("Publishing `%s' done.\n"),
+             info->value.publish.filename);
+    suri =
+      GNUNET_FS_uri_to_string (info->value.publish.specifics.completed.chk_uri);
+    fprintf (stdout, _ ("URI is `%s'.\n"), suri);
+    GNUNET_free (suri);
+    if (NULL != info->value.publish.specifics.completed.sks_uri)
+    {
+      suri = GNUNET_FS_uri_to_string (
+        info->value.publish.specifics.completed.sks_uri);
+      fprintf (stdout, _ ("Namespace URI is `%s'.\n"), suri);
+      GNUNET_free (suri);
+    }
+    if (NULL == info->value.publish.pctx)
+    {
+      ret = 0;
+      GNUNET_SCHEDULER_shutdown ();
+    }
+    break;
+
+  case GNUNET_FS_STATUS_PUBLISH_STOPPED:
+    GNUNET_break (NULL == pc);
+    return NULL;
+
+  case GNUNET_FS_STATUS_UNINDEX_START:
+    fprintf (stderr, "%s", _ ("Starting cleanup after abort\n"));
+    return NULL;
+
+  case GNUNET_FS_STATUS_UNINDEX_PROGRESS:
+    return NULL;
+
+  case GNUNET_FS_STATUS_UNINDEX_COMPLETED:
+    fprintf (stderr, "%s", _ ("Cleanup after abort completed.\n"));
+    GNUNET_FS_unindex_stop (info->value.unindex.uc);
+    return NULL;
+
+  case GNUNET_FS_STATUS_UNINDEX_ERROR:
+    fprintf (stderr, "%s", _ ("Cleanup after abort failed.\n"));
+    GNUNET_FS_unindex_stop (info->value.unindex.uc);
+    return NULL;
+
+  case GNUNET_FS_STATUS_UNINDEX_STOPPED:
+    return NULL;
+
+  default:
+    fprintf (stderr, _ ("Unexpected status: %d\n"), info->status);
+    return NULL;
+  }
+  return ""; /* non-null */
+}
+
+
+/**
+ * Print metadata entries (except binary
+ * metadata and the filename).
+ *
+ * @param cls closure
+ * @param plugin_name name of the plugin that generated the meta data
+ * @param type type of the meta data
+ * @param format format of data
+ * @param data_mime_type mime type of @a data
+ * @param data value of the meta data
+ * @param data_size number of bytes in @a data
+ * @return always 0
+ */
+static int
+meta_printer (void *cls,
+              const char *plugin_name,
+              enum EXTRACTOR_MetaType type,
+              enum EXTRACTOR_MetaFormat format,
+              const char *data_mime_type,
+              const char *data,
+              size_t data_size)
+{
+  if ((EXTRACTOR_METAFORMAT_UTF8 != format) &&
+      (EXTRACTOR_METAFORMAT_C_STRING != format))
+    return 0;
+  if (EXTRACTOR_METATYPE_GNUNET_ORIGINAL_FILENAME == type)
+    return 0;
+#if HAVE_LIBEXTRACTOR
+  fprintf (stdout, "\t%s - %s\n", EXTRACTOR_metatype_to_string (type), data);
+#else
+  fprintf (stdout, "\t%d - %s\n", type, data);
+#endif
+  return 0;
+}
+
+
+/**
+ * Iterator printing keywords
+ *
+ * @param cls closure
+ * @param keyword the keyword
+ * @param is_mandatory is the keyword mandatory (in a search)
+ * @return #GNUNET_OK to continue to iterate, #GNUNET_SYSERR to abort
+ */
+static int
+keyword_printer (void *cls, const char *keyword, int is_mandatory)
+{
+  fprintf (stdout, "\t%s\n", keyword);
+  return GNUNET_OK;
+}
+
+
+/**
+ * Function called on all entries before the publication.  This is
+ * where we perform modifications to the default based on command-line
+ * options.
+ *
+ * @param cls closure
+ * @param fi the entry in the publish-structure
+ * @param length length of the file or directory
+ * @param m metadata for the file or directory (can be modified)
+ * @param uri pointer to the keywords that will be used for this entry (can be modified)
+ * @param bo block options
+ * @param do_index should we index?
+ * @param client_info pointer to client context set upon creation (can be modified)
+ * @return #GNUNET_OK to continue, #GNUNET_NO to remove
+ *         this entry from the directory, #GNUNET_SYSERR
+ *         to abort the iteration
+ */
+static int
+publish_inspector (void *cls,
+                   struct GNUNET_FS_FileInformation *fi,
+                   uint64_t length,
+                   struct GNUNET_FS_MetaData *m,
+                   struct GNUNET_FS_Uri **uri,
+                   struct GNUNET_FS_BlockOptions *bo,
+                   int *do_index,
+                   void **client_info)
+{
+  char *fn;
+  char *fs;
+  struct GNUNET_FS_Uri *new_uri;
+
+  if (cls == fi)
+    return GNUNET_OK;
+  if ((disable_extractor) && (NULL != *uri))
+  {
+    GNUNET_FS_uri_destroy (*uri);
+    *uri = NULL;
+  }
+  if (NULL != topKeywords)
+  {
+    if (NULL != *uri)
+    {
+      new_uri = GNUNET_FS_uri_ksk_merge (topKeywords, *uri);
+      GNUNET_FS_uri_destroy (*uri);
+      *uri = new_uri;
+      GNUNET_FS_uri_destroy (topKeywords);
+    }
+    else
+    {
+      *uri = topKeywords;
+    }
+    topKeywords = NULL;
+  }
+  if (NULL != meta)
+  {
+    GNUNET_FS_meta_data_merge (m, meta);
+    GNUNET_FS_meta_data_destroy (meta);
+    meta = NULL;
+  }
+  if (enable_creation_time)
+    GNUNET_FS_meta_data_add_publication_date (m);
+  if (extract_only)
+  {
+    fn = GNUNET_FS_meta_data_get_by_type (
+      m,
+      EXTRACTOR_METATYPE_GNUNET_ORIGINAL_FILENAME);
+    fs = GNUNET_STRINGS_byte_size_fancy (length);
+    fprintf (stdout, _ ("Meta data for file `%s' (%s)\n"), fn, fs);
+    GNUNET_FS_meta_data_iterate (m, &meta_printer, NULL);
+    fprintf (stdout, _ ("Keywords for file `%s' (%s)\n"), fn, fs);
+    GNUNET_free (fn);
+    GNUNET_free (fs);
+    if (NULL != *uri)
+      GNUNET_FS_uri_ksk_get_keywords (*uri, &keyword_printer, NULL);
+    fprintf (stdout, "%s", "\n");
+  }
+  if (GNUNET_YES == GNUNET_FS_meta_data_test_for_directory (m))
+    GNUNET_FS_file_information_inspect (fi, &publish_inspector, fi);
+  return GNUNET_OK;
+}
+
+
+/**
+ * Function called upon completion of the publishing
+ * of the UBLOCK for the SKS URI.  As this is the last
+ * step, stop our interaction with FS (clean up).
+ *
+ * @param cls NULL (closure)
+ * @param sks_uri URI for the block that was published
+ * @param emsg error message, NULL on success
+ */
+static void
+uri_sks_continuation (void *cls,
+                      const struct GNUNET_FS_Uri *sks_uri,
+                      const char *emsg)
+{
+  if (NULL != emsg)
+  {
+    fprintf (stderr, "%s\n", emsg);
+    ret = 1;
+  }
+  GNUNET_SCHEDULER_shutdown ();
+}
+
+
+/**
+ * Function called upon completion of the publishing
+ * of the UBLOCK for the KSK URI.  Continue with
+ * publishing the SKS URI (if applicable) or clean up.
+ *
+ * @param cls NULL (closure)
+ * @param ksk_uri URI for the block that was published
+ * @param emsg error message, NULL on success
+ */
+static void
+uri_ksk_continuation (void *cls,
+                      const struct GNUNET_FS_Uri *ksk_uri,
+                      const char *emsg)
+{
+  const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv;
+  const struct GNUNET_CRYPTO_PrivateKey *pk;
+
+  if (NULL != emsg)
+  {
+    fprintf (stderr, "%s\n", emsg);
+    ret = 1;
+  }
+  if (NULL == namespace)
+  {
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  pk = GNUNET_IDENTITY_ego_get_private_key (namespace);
+  if (GNUNET_PUBLIC_KEY_TYPE_ECDSA != ntohl (pk->type))
+    return;
+  priv = &pk->ecdsa_key;
+  GNUNET_FS_publish_sks (ctx,
+                         priv,
+                         this_id,
+                         next_id,
+                         meta,
+                         uri,
+                         &bo,
+                         GNUNET_FS_PUBLISH_OPTION_NONE,
+                         &uri_sks_continuation,
+                         NULL);
+}
+
+
+/**
+ * Iterate over the results from the directory scan and extract
+ * the desired information for the publishing operation.
+ *
+ * @param item root with the data from the directory scan
+ * @return handle with the information for the publishing operation
+ */
+static struct GNUNET_FS_FileInformation *
+get_file_information (struct GNUNET_FS_ShareTreeItem *item)
+{
+  struct GNUNET_FS_FileInformation *fi;
+  struct GNUNET_FS_FileInformation *fic;
+  struct GNUNET_FS_ShareTreeItem *child;
+
+  if (GNUNET_YES == item->is_directory)
+  {
+    if (NULL == item->meta)
+      item->meta = GNUNET_FS_meta_data_create ();
+    GNUNET_FS_meta_data_delete (item->meta,
+                                EXTRACTOR_METATYPE_MIMETYPE,
+                                NULL,
+                                0);
+    GNUNET_FS_meta_data_make_directory (item->meta);
+    if (NULL == item->ksk_uri)
+    {
+      const char *mime = GNUNET_FS_DIRECTORY_MIME;
+      item->ksk_uri = GNUNET_FS_uri_ksk_create_from_args (1, &mime);
+    }
+    else
+      GNUNET_FS_uri_ksk_add_keyword (item->ksk_uri,
+                                     GNUNET_FS_DIRECTORY_MIME,
+                                     GNUNET_NO);
+    fi = GNUNET_FS_file_information_create_empty_directory (ctx,
+                                                            NULL,
+                                                            item->ksk_uri,
+                                                            item->meta,
+                                                            &bo,
+                                                            item->filename);
+    for (child = item->children_head; child; child = child->next)
+    {
+      fic = get_file_information (child);
+      GNUNET_break (GNUNET_OK == GNUNET_FS_file_information_add (fi, fic));
+    }
+  }
+  else
+  {
+    fi = GNUNET_FS_file_information_create_from_file (ctx,
+                                                      NULL,
+                                                      item->filename,
+                                                      item->ksk_uri,
+                                                      item->meta,
+                                                      ! do_insert,
+                                                      &bo);
+  }
+  return fi;
+}
+
+
+/**
+ * We've finished scanning the directory and optimized the meta data.
+ * Begin the publication process.
+ *
+ * @param directory_scan_result result from the directory scan, freed in this function
+ */
+static void
+directory_trim_complete (struct GNUNET_FS_ShareTreeItem *directory_scan_result)
+{
+  struct GNUNET_FS_FileInformation *fi;
+  const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv;
+  const struct GNUNET_CRYPTO_PrivateKey *pk;
+
+  fi = get_file_information (directory_scan_result);
+  GNUNET_FS_share_tree_free (directory_scan_result);
+  if (NULL == fi)
+  {
+    fprintf (stderr, "%s", _ ("Could not publish\n"));
+    ret = 1;
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  GNUNET_FS_file_information_inspect (fi, &publish_inspector, NULL);
+  if (extract_only)
+  {
+    GNUNET_FS_file_information_destroy (fi, NULL, NULL);
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  priv = NULL;
+  if (NULL != namespace)
+  {
+    pk = GNUNET_IDENTITY_ego_get_private_key (namespace);
+    GNUNET_assert (GNUNET_PUBLIC_KEY_TYPE_ECDSA == ntohl (pk->type));
+    priv = &pk->ecdsa_key;
+  }
+  pc = GNUNET_FS_publish_start (ctx,
+                                fi,
+                                priv,
+                                this_id,
+                                next_id,
+                                (do_simulate)
+                                ? GNUNET_FS_PUBLISH_OPTION_SIMULATE_ONLY
+                                : GNUNET_FS_PUBLISH_OPTION_NONE);
+  if (NULL == pc)
+  {
+    fprintf (stderr, "%s", _ ("Could not start publishing.\n"));
+    ret = 1;
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+}
+
+
+/**
+ * Function called by the directory scanner as we build the tree
+ * that we will need to publish later.
+ *
+ * @param cls closure
+ * @param filename which file we are making progress on
+ * @param is_directory #GNUNET_YES if this is a directory,
+ *                     #GNUNET_NO if this is a file
+ *                     #GNUNET_SYSERR if it is neither (or unknown)
+ * @param reason kind of progress we are making
+ */
+static void
+directory_scan_cb (void *cls,
+                   const char *filename,
+                   int is_directory,
+                   enum GNUNET_FS_DirScannerProgressUpdateReason reason)
+{
+  struct GNUNET_FS_ShareTreeItem *directory_scan_result;
+
+  switch (reason)
+  {
+  case GNUNET_FS_DIRSCANNER_FILE_START:
+    if (verbose > 1)
+    {
+      if (is_directory == GNUNET_YES)
+        fprintf (stdout, _ ("Scanning directory `%s'.\n"), filename);
+      else
+        fprintf (stdout, _ ("Scanning file `%s'.\n"), filename);
+    }
+    break;
+
+  case GNUNET_FS_DIRSCANNER_FILE_IGNORED:
+    fprintf (stderr,
+             _ ("There was trouble processing file `%s', skipping it.\n"),
+             filename);
+    break;
+
+  case GNUNET_FS_DIRSCANNER_ALL_COUNTED:
+    if (verbose)
+      fprintf (stdout, "%s", _ ("Preprocessing complete.\n"));
+    break;
+
+  case GNUNET_FS_DIRSCANNER_EXTRACT_FINISHED:
+    if (verbose > 2)
+      fprintf (stdout,
+               _ ("Extracting meta data from file `%s' complete.\n"),
+               filename);
+    break;
+
+  case GNUNET_FS_DIRSCANNER_FINISHED:
+    if (verbose > 1)
+      fprintf (stdout, "%s", _ ("Meta data extraction has finished.\n"));
+    directory_scan_result = GNUNET_FS_directory_scan_get_result (ds);
+    ds = NULL;
+    GNUNET_FS_share_tree_trim (directory_scan_result);
+    directory_trim_complete (directory_scan_result);
+    break;
+
+  case GNUNET_FS_DIRSCANNER_INTERNAL_ERROR:
+    fprintf (stdout, "%s", _ ("Error scanning directory.\n"));
+    ret = 1;
+    GNUNET_SCHEDULER_shutdown ();
+    break;
+
+  default:
+    GNUNET_assert (0);
+    break;
+  }
+  fflush (stdout);
+}
+
+
+/**
+ * Continuation proceeding with initialization after identity subsystem
+ * has been initialized.
+ *
+ * @param args0 filename to publish
+ */
+static void
+identity_continuation (const char *args0)
+{
+  char *ex;
+  char *emsg;
+
+  if ((NULL != pseudonym) && (NULL == namespace))
+  {
+    fprintf (stderr, _ ("Selected pseudonym `%s' unknown\n"), pseudonym);
+    ret = 1;
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  if (NULL != uri_string)
+  {
+    emsg = NULL;
+    if (NULL == (uri = GNUNET_FS_uri_parse (uri_string, &emsg)))
+    {
+      fprintf (stderr, _ ("Failed to parse URI: %s\n"), emsg);
+      GNUNET_free (emsg);
+      ret = 1;
+      GNUNET_SCHEDULER_shutdown ();
+      return;
+    }
+    GNUNET_FS_publish_ksk (ctx,
+                           topKeywords,
+                           meta,
+                           uri,
+                           &bo,
+                           GNUNET_FS_PUBLISH_OPTION_NONE,
+                           &uri_ksk_continuation,
+                           NULL);
+    return;
+  }
+  if (GNUNET_OK !=
+      GNUNET_CONFIGURATION_get_value_string (cfg, "FS", "EXTRACTORS", &ex))
+    ex = NULL;
+  if (0 != access (args0, R_OK))
+  {
+    fprintf (stderr,
+             _ ("Failed to access `%s': %s\n"),
+             args0,
+             strerror (errno));
+    GNUNET_free (ex);
+    return;
+  }
+  ds = GNUNET_FS_directory_scan_start (args0,
+                                       disable_extractor,
+                                       ex,
+                                       &directory_scan_cb,
+                                       NULL);
+  if (NULL == ds)
+  {
+    fprintf (
+      stderr,
+      "%s",
+      _ (
+        "Failed to start meta directory scanner.  Is gnunet-helper-publish-fs installed?\n"));
+    GNUNET_free (ex);
+    return;
+  }
+  GNUNET_free (ex);
+}
+
+
+/**
+ * Function called by identity service with known pseudonyms.
+ *
+ * @param cls closure with 'const char *' of filename to publish
+ * @param ego ego handle
+ * @param ctx context for application to store data for this ego
+ *                 (during the lifetime of this process, initially NULL)
+ * @param name name assigned by the user for this ego,
+ *                   NULL if the user just deleted the ego and it
+ *                   must thus no longer be used
+ */
+static void
+identity_cb (void *cls,
+             struct GNUNET_IDENTITY_Ego *ego,
+             void **ctx,
+             const char *name)
+{
+  const char *args0 = cls;
+
+  if (NULL == ego)
+  {
+    identity_continuation (args0);
+    return;
+  }
+  if (NULL == name)
+    return;
+  if (0 == strcmp (name, pseudonym))
+    namespace = ego;
+}
+
+
+/**
+ * Main function that will be run by the scheduler.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param c configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *c)
+{
+  /* check arguments */
+  if ((NULL != uri_string) && (extract_only))
+  {
+    printf (_ ("Cannot extract metadata from a URI!\n"));
+    ret = -1;
+    return;
+  }
+  if (((NULL == uri_string) || (extract_only)) &&
+      ((NULL == args[0]) || (NULL != args[1])))
+  {
+    printf (_ ("You must specify one and only one filename for insertion.\n"));
+    ret = -1;
+    return;
+  }
+  if ((NULL != uri_string) && (NULL != args[0]))
+  {
+    printf (_ ("You must NOT specify an URI and a filename.\n"));
+    ret = -1;
+    return;
+  }
+  if (NULL != pseudonym)
+  {
+    if (NULL == this_id)
+    {
+      fprintf (stderr,
+               _ ("Option `%s' is required when using option `%s'.\n"),
+               "-t",
+               "-P");
+      ret = -1;
+      return;
+    }
+  }
+  else
+  {   /* ordinary insertion checks */
+    if (NULL != next_id)
+    {
+      fprintf (stderr,
+               _ ("Option `%s' makes no sense without option `%s'.\n"),
+               "-N",
+               "-P");
+      ret = -1;
+      return;
+    }
+    if (NULL != this_id)
+    {
+      fprintf (stderr,
+               _ ("Option `%s' makes no sense without option `%s'.\n"),
+               "-t",
+               "-P");
+      ret = -1;
+      return;
+    }
+  }
+  cfg = c;
+  ctx = GNUNET_FS_start (cfg,
+                         "gnunet-publish",
+                         &progress_cb,
+                         NULL,
+                         GNUNET_FS_FLAGS_NONE,
+                         GNUNET_FS_OPTIONS_END);
+  if (NULL == ctx)
+  {
+    fprintf (stderr, _ ("Could not initialize `%s' subsystem.\n"), "FS");
+    ret = 1;
+    return;
+  }
+  GNUNET_SCHEDULER_add_shutdown (&do_stop_task, NULL);
+  if (NULL != pseudonym)
+    identity = GNUNET_IDENTITY_connect (cfg, &identity_cb, args[0]);
+  else
+    identity_continuation (args[0]);
+}
+
+
+/**
+ * The main function to publish content to GNUnet.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc, char *const *argv)
+{
+  struct GNUNET_GETOPT_CommandLineOption options[] =
+  { GNUNET_GETOPT_option_uint ('a',
+                               "anonymity",
+                               "LEVEL",
+                               gettext_noop (
+                                 "set the desired LEVEL of sender-anonymity"),
+                               &bo.anonymity_level),
+    GNUNET_GETOPT_option_flag (
+      'D',
+      "disable-extractor",
+      gettext_noop ("do not use libextractor to add keywords or metadata"),
+      &disable_extractor),
+    GNUNET_GETOPT_option_flag ('E',
+                               "enable-creation-time",
+                               gettext_noop (
+                                 "enable adding the creation time to the "
+                                 "metadata of the uploaded file"),
+                               &enable_creation_time),
+    GNUNET_GETOPT_option_flag ('e',
+                               "extract",
+                               gettext_noop (
+                                 "print list of extracted keywords that would "
+                                 "be used, but do not perform upload"),
+                               &extract_only),
+    GNUNET_FS_GETOPT_KEYWORDS (
+      'k',
+      "key",
+      "KEYWORD",
+      gettext_noop (
+        "add an additional keyword for the top-level "
+        "file or directory (this option can be specified multiple times)"),
+      &topKeywords),
+    GNUNET_FS_GETOPT_METADATA (
+      'm',
+      "meta",
+      "TYPE:VALUE",
+      gettext_noop ("set the meta-data for the given TYPE to the given VALUE"),
+      &meta),
+    GNUNET_GETOPT_option_flag (
+      'n',
+      "noindex",
+      gettext_noop ("do not index, perform full insertion (stores "
+                    "entire file in encrypted form in GNUnet database)"),
+      &do_insert),
+    GNUNET_GETOPT_option_string (
+      'N',
+      "next",
+      "ID",
+      gettext_noop ("specify ID of an updated version to be "
+                    "published in the future (for namespace insertions only)"),
+      &next_id),
+    GNUNET_GETOPT_option_uint ('p',
+                               "priority",
+                               "PRIORITY",
+                               gettext_noop (
+                                 "specify the priority of the content"),
+                               &bo.content_priority),
+    GNUNET_GETOPT_option_string ('P',
+                                 "pseudonym",
+                                 "NAME",
+                                 gettext_noop (
+                                   "publish the files under the pseudonym "
+                                   "NAME (place file into namespace)"),
+                                 &pseudonym),
+    GNUNET_GETOPT_option_uint ('r',
+                               "replication",
+                               "LEVEL",
+                               gettext_noop (
+                                 "set the desired replication LEVEL"),
+                               &bo.replication_level),
+    GNUNET_GETOPT_option_flag ('s',
+                               "simulate-only",
+                               gettext_noop (
+                                 "only simulate the process but do not do "
+                                 "any actual publishing (useful to compute URIs)"),
+                               &do_simulate),
+    GNUNET_GETOPT_option_string ('t',
+                                 "this",
+                                 "ID",
+                                 gettext_noop (
+                                   "set the ID of this version of the publication "
+                                   "(for namespace insertions only)"),
+                                 &this_id),
+    GNUNET_GETOPT_option_string (
+      'u',
+      "uri",
+      "URI",
+      gettext_noop (
+        "URI to be published (can be used instead of passing a "
+        "file to add keywords to the file with the respective URI)"),
+      &uri_string),
+
+    GNUNET_GETOPT_option_verbose (&verbose),
+
+    GNUNET_GETOPT_OPTION_END };
+
+  bo.expiration_time =
+    GNUNET_TIME_year_to_time (GNUNET_TIME_get_current_year () + 2);
+
+  if (GNUNET_OK != GNUNET_STRINGS_get_utf8_args (argc, argv, &argc, &argv))
+    return 2;
+  ret =
+    (GNUNET_OK ==
+     GNUNET_PROGRAM_run (argc,
+                         argv,
+                         "gnunet-publish [OPTIONS] FILENAME",
+                         gettext_noop ("Publish a file or directory on GNUnet"),
+                         options,
+                         &run,
+                         NULL))
+    ? ret
+    : 1;
+  GNUNET_free_nz ((void *) argv);
+  return ret;
+}
+
+
+/* end of gnunet-publish.c */
diff --git a/src/cli/fs/gnunet-search.c b/src/cli/fs/gnunet-search.c
new file mode 100644
index 000000000..a72cf97cc
--- /dev/null
+++ b/src/cli/fs/gnunet-search.c
@@ -0,0 +1,801 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2001, 2002, 2004, 2005, 2006, 2007, 2009, 2022 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file fs/gnunet-search.c
+ * @brief searching for files on GNUnet
+ * @author Christian Grothoff
+ * @author Krista Bennett
+ * @author James Blackwell
+ * @author Igor Wronsky
+ * @author madmurphy
+ */
+#include "platform.h"
+#include <ctype.h>
+#include <inttypes.h>
+#include <limits.h>
+
+#include "gnunet_fs_service.h"
+
+
+#define GNUNET_SEARCH_log(kind, ...) \
+  GNUNET_log_from (kind, "gnunet-search", __VA_ARGS__)
+
+
+/*  The default settings that we use for the printed output  */
+
+#define DEFAULT_DIR_FORMAT       "#%n:\ngnunet-download -o \"%f\" -R %u\n\n"
+#define HELP_DEFAULT_DIR_FORMAT  "#%n:\\ngnunet-download -o \"%f\" -R %u\\n\\n"
+#define DEFAULT_FILE_FORMAT      "#%n:\ngnunet-download -o \"%f\" %u\n\n"
+#define HELP_DEFAULT_FILE_FORMAT "#%n:\\ngnunet-download -o \"%f\" %u\\n\\n"
+#define VERB_DEFAULT_DIR_FORMAT  DEFAULT_DIR_FORMAT "%a\n"
+#define VERB_DEFAULT_FILE_FORMAT DEFAULT_FILE_FORMAT "%a\n"
+
+#if HAVE_LIBEXTRACTOR
+#define DEFAULT_META_FORMAT      "  %t: %p\n"
+#define HELP_DEFAULT_META_FORMAT "  %t: %p\\n"
+#define HELP_EXTRACTOR_TEXTADD   ", %t"
+#else
+#define DEFAULT_META_FORMAT      "  MetaType #%i: %p\n"
+#define HELP_DEFAULT_META_FORMAT "  MetaType #%i: %p\\n"
+#define HELP_EXTRACTOR_TEXTADD   ""
+#endif
+
+#define GENERIC_DIRECTORY_NAME   "collection"
+#define GENERIC_FILE_NAME        "no-name"
+#define GENERIC_FILE_MIMETYPE    "application/octet-stream"
+
+
+enum GNUNET_SEARCH_MetadataPrinterFlags
+{
+  METADATA_PRINTER_FLAG_NONE = 0,
+  METADATA_PRINTER_FLAG_ONE_RUN = 1,
+  METADATA_PRINTER_FLAG_HAVE_TYPE = 2
+};
+
+
+struct GNUNET_SEARCH_MetadataPrinterInfo
+{
+  unsigned int counter;
+  unsigned int flags;
+  int type;
+};
+
+
+static int ret;
+
+static const struct GNUNET_CONFIGURATION_Handle *cfg;
+
+static struct GNUNET_FS_Handle *ctx;
+
+static struct GNUNET_FS_SearchContext *sc;
+
+static char *output_filename;
+
+static char *format_string;
+
+static char *dir_format_string;
+
+static char *meta_format_string;
+
+static struct GNUNET_FS_DirectoryBuilder *db;
+
+static unsigned int anonymity = 1;
+
+/**
+ * Timeout for the search, 0 means to wait for CTRL-C.
+ */
+static struct GNUNET_TIME_Relative timeout;
+
+static unsigned int results_limit;
+
+static unsigned int results;
+
+static unsigned int verbose;
+
+static int bookmark_only;
+
+static int local_only;
+
+static int silent_mode;
+
+static struct GNUNET_SCHEDULER_Task *tt;
+
+static int stop_searching;
+
+
+/**
+ * Print the escape sequence at the beginning of a string.
+ *
+ * @param esc a string that **must** begin with a backslash (the function only
+ *        assumes that it does, but does not check)
+ * @return the fragment that follows what has been printed
+ * @author madmurphy
+ *
+ * If `"\\nfoo"` is passed as argument, this function prints a new line and
+ * returns `"foo"`
+ */
+static const char *
+print_escape_sequence (const char *const esc)
+{
+  unsigned int probe;
+  const char *cursor = esc + 1;
+  char tmp;
+  switch (*cursor)
+  {
+  /*  Trivia  */
+  case '\\': putchar ('\\'); return cursor + 1;
+  case 'a': putchar ('\a'); return cursor + 1;
+  case 'b': putchar ('\b'); return cursor + 1;
+  case 'e': putchar ('\x1B'); return cursor + 1;
+  case 'f': putchar ('\f'); return cursor + 1;
+  case 'n': putchar ('\n'); return cursor + 1;
+  case 'r': putchar ('\r'); return cursor + 1;
+  case 't': putchar ('\t'); return cursor + 1;
+  case 'v': putchar ('\v'); return cursor + 1;
+
+  /*  Possibly hexadecimal code point  */
+  case 'x':
+    probe = 0;
+    while (probe < 256 && isxdigit ((tmp = *++cursor)))
+      probe = (probe << 4) + tmp - (tmp > 96 ? 87 : tmp > 64 ? 55 : 48);
+    goto maybe_codepoint;
+
+  /*  Possibly octal code point  */
+  case '0': case '1': case '2': case '3':
+  case '4': case '5': case '6': case '7':
+    probe = *cursor++ - 48;
+    do probe = (probe << 3) + *cursor++ - 48;
+    while (probe < 256 && cursor < esc + 4 && *cursor > 47 && *cursor < 56);
+    goto maybe_codepoint;
+
+  /*  Boredom  */
+  case '\0': putchar ('\\'); return cursor;
+  default: printf ("\\%c", *cursor); return cursor + 1;
+  }
+
+  maybe_codepoint:
+  if (probe < 256)
+    putchar (probe);
+  else
+    fwrite (esc, 1, cursor - esc, stdout);
+  return cursor;
+}
+
+
+/**
+ * Type of a function that libextractor calls for each
+ * meta data item found.
+ *
+ * @param cls closure (user-defined, used for the iteration info)
+ * @param plugin_name name of the plugin that produced this value;
+ *        special values can be used (e.g. '&lt;zlib&gt;' for zlib being
+ *        used in the main libextractor library and yielding
+ *        meta data).
+ * @param type libextractor-type describing the meta data
+ * @param format basic format information about data
+ * @param data_mime_type mime-type of data (not of the original file);
+ *        can be NULL (if mime-type is not known)
+ * @param data actual meta-data found
+ * @param data_size number of bytes in @a data
+ * @return 0 to continue extracting, 1 to abort
+ */
+static int
+item_printer (void *const cls,
+              const char *const plugin_name,
+              const enum EXTRACTOR_MetaType type,
+              const enum EXTRACTOR_MetaFormat format,
+              const char *const data_mime_type,
+              const char *const data,
+              const size_t data_size)
+{
+#define info ((struct GNUNET_SEARCH_MetadataPrinterInfo *) cls)
+  if ((format != EXTRACTOR_METAFORMAT_UTF8 &&
+       format != EXTRACTOR_METAFORMAT_C_STRING) ||
+      type == EXTRACTOR_METATYPE_GNUNET_ORIGINAL_FILENAME)
+    return 0;
+  info->counter++;
+  if ((info->flags & METADATA_PRINTER_FLAG_HAVE_TYPE) && type != info->type)
+    return 0;
+
+  const char *cursor = meta_format_string;
+  const char *next_spec = strchr (cursor, '%');
+  const char *next_esc = strchr (cursor, '\\');
+
+  parse_format:
+
+  /*  If an escape sequence exists before the next format specifier...  */
+  if (next_esc && (! next_spec || next_esc < next_spec))
+  {
+    if (next_esc > cursor)
+      fwrite (cursor, 1, next_esc - cursor, stdout);
+
+    cursor = print_escape_sequence (next_esc);
+    next_esc = strchr (cursor, '\\');
+    goto parse_format;
+  }
+
+  /*  If a format specifier exists before the next escape sequence...  */
+  if (next_spec && (! next_esc || next_spec < next_esc))
+  {
+    if (next_spec > cursor)
+      fwrite (cursor, 1, next_spec - cursor, stdout);
+
+    switch (*++next_spec)
+    {
+    case '%': putchar ('%'); break;
+    case 'i': printf ("%d", type); break;
+    case 'l': printf ("%lu", (long unsigned int) data_size); break;
+    case 'n': printf ("%u", info->counter); break;
+    case 'p': printf ("%s", data); break;
+#if HAVE_LIBEXTRACTOR
+    case 't':
+      printf ("%s",
+              dgettext (LIBEXTRACTOR_GETTEXT_DOMAIN,
+                        EXTRACTOR_metatype_to_string (type)));
+      break;
+#endif
+    case 'w': printf ("%s", plugin_name); break;
+    case '\0': putchar ('%'); return 0;
+    default: printf ("%%%c", *next_spec); break;
+    }
+    cursor = next_spec + 1;
+    next_spec = strchr (cursor, '%');
+    goto parse_format;
+  }
+
+  if (*cursor)
+    printf ("%s", cursor);
+
+  return info->flags & METADATA_PRINTER_FLAG_ONE_RUN;
+#undef info
+}
+
+
+/**
+ * Print a search result according to the current formats
+ *
+ * @param filename the filename for this result
+ * @param uri the `struct GNUNET_FS_Uri` this result refers to
+ * @param metadata the `struct GNUNET_FS_MetaData` associated with this
+          result
+ * @param resultnum the result number
+ * @param is_directory GNUNET_YES if this is a directory, otherwise GNUNET_NO
+ * @author madmurphy
+ */
+static void
+print_search_result (const char *const filename,
+                     const struct GNUNET_FS_Uri *const uri,
+                     const struct GNUNET_FS_MetaData *const metadata,
+                     const unsigned int resultnum,
+                     const int is_directory)
+{
+
+  const char *cursor = GNUNET_YES == is_directory ?
+                       dir_format_string
+                       : format_string;
+
+  const char *next_spec = strchr (cursor, '%');
+  const char *next_esc = strchr (cursor, '\\');
+  char *placeholder;
+  struct GNUNET_SEARCH_MetadataPrinterInfo info;
+
+  parse_format:
+  /*  If an escape sequence exists before the next format specifier...  */
+  if (next_esc && (! next_spec || next_esc < next_spec))
+  {
+    if (next_esc > cursor)
+      fwrite (cursor, 1, next_esc - cursor, stdout);
+
+    cursor = print_escape_sequence (next_esc);
+    next_esc = strchr (cursor, '\\');
+    goto parse_format;
+  }
+
+  /*  If a format specifier exists before the next escape sequence...  */
+  if (next_spec && (! next_esc || next_spec < next_esc))
+  {
+    if (next_spec > cursor)
+      fwrite (cursor, 1, next_spec - cursor, stdout);
+
+    switch (*++next_spec)
+    {
+    /*  All metadata fields  */
+    case 'a':
+      info.flags = METADATA_PRINTER_FLAG_NONE;
+
+      iterate_meta:
+      info.counter = 0;
+      GNUNET_FS_meta_data_iterate (metadata, &item_printer, &info);
+      break;
+    /*  File's name  */
+    case 'f':
+      if (GNUNET_YES == is_directory)
+      {
+        printf ("%s%s", filename, GNUNET_FS_DIRECTORY_EXT);
+        break;
+      }
+      printf ("%s", filename);
+      break;
+    /*  Only the first metadata field  */
+    case 'j':
+      info.flags = METADATA_PRINTER_FLAG_ONE_RUN;
+      goto iterate_meta;
+    /*  File name's length  */
+    case 'l':
+      printf ("%lu",
+              (long unsigned int) (GNUNET_YES == is_directory ?
+                                   strlen (filename)
+                                   + (sizeof(GNUNET_FS_DIRECTORY_EXT) - 1)
+                                   :
+                                   strlen (filename)));
+      break;
+    /*  File's mime type  */
+    case 'm':
+      if (GNUNET_YES == is_directory)
+      {
+        printf ("%s", GNUNET_FS_DIRECTORY_MIME);
+        break;
+      }
+      placeholder = GNUNET_FS_meta_data_get_by_type (
+        metadata,
+        EXTRACTOR_METATYPE_MIMETYPE);
+      printf ("%s", placeholder ? placeholder : GENERIC_FILE_MIMETYPE);
+      GNUNET_free (placeholder);
+      break;
+    /*  Result number  */
+    case 'n': printf ("%u", resultnum); break;
+    /*  File's size  */
+    case 's':
+      printf ("%" PRIu64, GNUNET_FS_uri_chk_get_file_size (uri));
+      break;
+    /*  File's URI  */
+    case 'u':
+      placeholder = GNUNET_FS_uri_to_string (uri);
+      printf ("%s", placeholder);
+      GNUNET_free (placeholder);
+      break;
+
+    /*  We can add as many cases as we want here...  */
+
+    /*  Handle `%123#a` and `%123#j` (e.g. `%5#j` is a book title)  */
+    case '0': case '1': case '2': case '3': case '4':
+    case '5': case '6': case '7': case '8': case '9':
+      cursor = next_spec;
+      info.type = *cursor - 48;
+      while (isdigit (*++cursor) && info.type < (INT_MAX - *cursor + 48) / 10)
+        info.type = info.type * 10 + *cursor - 48;
+      if (info.type == 0 || *cursor != '#')
+        goto not_a_specifier;
+      switch (*++cursor)
+      {
+      /*  All metadata fields of type `info.type`   */
+      case 'a':
+        next_spec = cursor;
+        info.flags = METADATA_PRINTER_FLAG_HAVE_TYPE;
+        goto iterate_meta;
+
+      /*  Only the first metadata field of type `info.type`  */
+      case 'j':
+        next_spec = cursor;
+        info.flags = METADATA_PRINTER_FLAG_HAVE_TYPE
+                     | METADATA_PRINTER_FLAG_ONE_RUN;
+        goto iterate_meta;
+      }
+      goto not_a_specifier;
+
+    /*  All other cases  */
+    case '%': putchar ('%'); break;
+    case '\0': putchar ('%'); return;
+
+      not_a_specifier:
+    default: printf ("%%%c", *next_spec); break;
+    }
+    cursor = next_spec + 1;
+    next_spec = strchr (cursor, '%');
+    goto parse_format;
+  }
+
+  if (*cursor)
+    printf ("%s", cursor);
+}
+
+
+static void
+clean_task (void *const cls)
+{
+  size_t dsize;
+  void *ddata;
+
+  GNUNET_FS_stop (ctx);
+  ctx = NULL;
+  if (output_filename == NULL)
+    return;
+  if (GNUNET_OK !=
+      GNUNET_FS_directory_builder_finish (db, &dsize, &ddata))
+  {
+    GNUNET_break (0);
+    GNUNET_free (output_filename);
+    return;
+  }
+  (void) GNUNET_DISK_directory_remove (output_filename);
+  if (GNUNET_OK !=
+      GNUNET_DISK_fn_write (output_filename,
+                            ddata,
+                            dsize,
+                            GNUNET_DISK_PERM_USER_READ
+                            | GNUNET_DISK_PERM_USER_WRITE))
+  {
+    GNUNET_SEARCH_log (GNUNET_ERROR_TYPE_ERROR,
+                       _ ("Failed to write directory with search results to "
+                          "`%s'\n"),
+                       output_filename);
+  }
+  GNUNET_free (ddata);
+  GNUNET_free (output_filename);
+}
+
+
+/**
+ * Called by FS client to give information about the progress of an
+ * operation.
+ *
+ * @param cls closure
+ * @param info details about the event, specifying the event type
+ *        and various bits about the event
+ * @return client-context (for the next progress call
+ *         for this operation; should be set to NULL for
+ *         SUSPEND and STOPPED events).  The value returned
+ *         will be passed to future callbacks in the respective
+ *         field in the GNUNET_FS_ProgressInfo struct.
+ */
+static void *
+progress_cb (void *const cls,
+             const struct GNUNET_FS_ProgressInfo *const info)
+{
+  static unsigned int cnt;
+  int is_directory;
+  char *filename;
+
+  switch (info->status)
+  {
+  case GNUNET_FS_STATUS_SEARCH_START:
+    break;
+
+  case GNUNET_FS_STATUS_SEARCH_RESULT:
+    if (stop_searching)
+      break;
+
+    if (db != NULL)
+      GNUNET_FS_directory_builder_add (
+        db,
+        info->value.search.specifics.result.uri,
+        info->value.search.specifics.result.meta,
+        NULL);
+
+    if (silent_mode)
+      break;
+
+    cnt++;
+    filename = GNUNET_FS_meta_data_get_by_type (
+      info->value.search.specifics.result.meta,
+      EXTRACTOR_METATYPE_GNUNET_ORIGINAL_FILENAME);
+    is_directory = GNUNET_FS_meta_data_test_for_directory (
+      info->value.search.specifics.result.meta);
+    if (NULL != filename)
+    {
+      while ((filename[0] != '\0') && ('/' == filename[strlen (filename) - 1]))
+        filename[strlen (filename) - 1] = '\0';
+      GNUNET_DISK_filename_canonicalize (filename);
+    }
+    print_search_result (filename ?
+                         filename
+                         : is_directory ?
+                         GENERIC_DIRECTORY_NAME
+                         :
+                         GENERIC_FILE_NAME,
+                         info->value.search.specifics.result.uri,
+                         info->value.search.specifics.result.meta,
+                         cnt,
+                         is_directory);
+    fflush (stdout);
+    GNUNET_free (filename);
+    results++;
+    if ((results_limit > 0) && (results >= results_limit))
+    {
+      GNUNET_SCHEDULER_shutdown ();
+      /*  otherwise the function might keep printing results for a while...  */
+      stop_searching = GNUNET_YES;
+    }
+    break;
+
+  case GNUNET_FS_STATUS_SEARCH_UPDATE:
+  case GNUNET_FS_STATUS_SEARCH_RESULT_STOPPED:
+    /* ignore */
+    break;
+
+  case GNUNET_FS_STATUS_SEARCH_ERROR:
+    GNUNET_SEARCH_log (GNUNET_ERROR_TYPE_ERROR,
+                       _ ("Error searching: %s.\n"),
+                       info->value.search.specifics.error.message);
+    GNUNET_SCHEDULER_shutdown ();
+    break;
+
+  case GNUNET_FS_STATUS_SEARCH_STOPPED:
+    GNUNET_SCHEDULER_add_now (&clean_task, NULL);
+    break;
+
+  default:
+    GNUNET_SEARCH_log (GNUNET_ERROR_TYPE_ERROR,
+                       _ ("Unexpected status: %d\n"),
+                       info->status);
+    break;
+  }
+  return NULL;
+}
+
+
+static void
+shutdown_task (void *const cls)
+{
+  if (sc != NULL)
+  {
+    GNUNET_FS_search_stop (sc);
+    sc = NULL;
+  }
+}
+
+
+static void
+timeout_task (void *const cls)
+{
+  tt = NULL;
+  stop_searching = GNUNET_YES;
+  GNUNET_SCHEDULER_shutdown ();
+}
+
+
+/**
+ * Main function that will be run by the scheduler.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param cfgarg configuration
+ */
+static void
+run (void *const cls,
+     char *const *const args,
+     const char *const cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *const cfgarg)
+{
+  struct GNUNET_FS_Uri *uri;
+  unsigned int argc;
+  enum GNUNET_FS_SearchOptions options;
+
+  if (silent_mode && bookmark_only)
+  {
+    fprintf (stderr,
+             _ ("Conflicting options --bookmark-only and --silent.\n"));
+    ret = 1;
+    return;
+  }
+  if (bookmark_only && output_filename)
+  {
+    fprintf (stderr,
+             _ ("Conflicting options --bookmark-only and --output.\n"));
+    ret = 1;
+    return;
+  }
+  if (silent_mode && ! output_filename)
+  {
+    fprintf (stderr, _ ("An output file is mandatory for silent mode.\n"));
+    ret = 1;
+    return;
+  }
+  if (NULL == dir_format_string)
+    dir_format_string = format_string ? format_string
+                      : verbose ? VERB_DEFAULT_DIR_FORMAT
+                      : DEFAULT_DIR_FORMAT;
+  if (NULL == format_string)
+    format_string = verbose ? VERB_DEFAULT_FILE_FORMAT
+                  : DEFAULT_FILE_FORMAT;
+  if (NULL == meta_format_string)
+    meta_format_string = DEFAULT_META_FORMAT;
+  argc = 0;
+  while (NULL != args[argc])
+    argc++;
+  uri = GNUNET_FS_uri_ksk_create_from_args (argc, (const char **) args);
+  if (NULL == uri)
+  {
+    fprintf (stderr,
+             "%s",
+             _ ("Could not create keyword URI from arguments.\n"));
+    ret = 1;
+    return;
+  }
+  if (! GNUNET_FS_uri_test_ksk (uri) && ! GNUNET_FS_uri_test_sks (uri))
+  {
+    fprintf (stderr,
+             "%s",
+             _ ("Invalid URI. Valid URIs for searching are keyword query "
+                "URIs\n(\"gnunet://fs/ksk/...\") and namespace content URIs "
+                "(\"gnunet://fs/sks/...\").\n"));
+    GNUNET_FS_uri_destroy (uri);
+    ret = 1;
+    return;
+  }
+  if (bookmark_only)
+  {
+    char *bmstr = GNUNET_FS_uri_to_string (uri);
+    printf ("%s\n", bmstr);
+    GNUNET_free (bmstr);
+    GNUNET_FS_uri_destroy (uri);
+    ret = 0;
+    return;
+  }
+  cfg = cfgarg;
+  ctx = GNUNET_FS_start (cfg,
+                         "gnunet-search",
+                         &progress_cb,
+                         NULL,
+                         GNUNET_FS_FLAGS_NONE,
+                         GNUNET_FS_OPTIONS_END);
+  if (NULL == ctx)
+  {
+    fprintf (stderr, _ ("Could not initialize the `%s` subsystem.\n"), "FS");
+    GNUNET_FS_uri_destroy (uri);
+    ret = 1;
+    return;
+  }
+  if (output_filename != NULL)
+    db = GNUNET_FS_directory_builder_create (NULL);
+  options = GNUNET_FS_SEARCH_OPTION_NONE;
+  if (local_only)
+    options |= GNUNET_FS_SEARCH_OPTION_LOOPBACK_ONLY;
+  sc = GNUNET_FS_search_start (ctx, uri, anonymity, options, NULL);
+  GNUNET_FS_uri_destroy (uri);
+  if (NULL == sc)
+  {
+    fprintf (stderr, "%s", _ ("Could not start searching.\n"));
+    GNUNET_FS_stop (ctx);
+    ret = 1;
+    return;
+  }
+  if (0 != timeout.rel_value_us)
+    tt = GNUNET_SCHEDULER_add_delayed (timeout, &timeout_task, NULL);
+  GNUNET_SCHEDULER_add_shutdown (&shutdown_task, NULL);
+}
+
+
+/**
+ * The main function to search GNUnet.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, an error number on error
+ */
+int
+main (int argc, char *const *argv)
+{
+  struct GNUNET_GETOPT_CommandLineOption options[] =
+  { GNUNET_GETOPT_option_uint (
+      'a',
+      "anonymity",
+      "LEVEL",
+      gettext_noop ("set the desired LEVEL of receiver-anonymity (default: "
+                    "1)"),
+      &anonymity),
+    GNUNET_GETOPT_option_flag (
+      'b',
+      "bookmark-only",
+      gettext_noop ("do not search, print only the URI that points to this "
+                    "search"),
+      &bookmark_only),
+    GNUNET_GETOPT_option_string (
+      'F',
+      "dir-printf",
+      "FORMAT",
+      gettext_noop ("write search results for directories according to "
+                    "FORMAT; accepted placeholders are: %a, %f, %j, %l, %m, "
+                    "%n, %s; defaults to the value of --printf when omitted "
+                    "or to `" HELP_DEFAULT_DIR_FORMAT "` if --printf is "
+                    "omitted too"),
+      &dir_format_string),
+    GNUNET_GETOPT_option_string (
+      'f',
+      "printf",
+      "FORMAT",
+      gettext_noop ("write search results according to FORMAT; accepted "
+                    "placeholders are: %a, %f, %j, %l, %m, %n, %s; defaults "
+                    "to `" HELP_DEFAULT_FILE_FORMAT "` when omitted"),
+      &format_string),
+    GNUNET_GETOPT_option_string (
+      'i',
+      "iter-printf",
+      "FORMAT",
+      gettext_noop ("when the %a or %j placeholders appear in --printf or "
+                    "--dir-printf, list each metadata property according to "
+                    "FORMAT; accepted placeholders are: %i, %l, %n, %p"
+                    HELP_EXTRACTOR_TEXTADD ", %w; defaults to `"
+                    HELP_DEFAULT_META_FORMAT "` when omitted"),
+      &meta_format_string),
+    GNUNET_GETOPT_option_uint ('N',
+                               "results",
+                               "VALUE",
+                               gettext_noop ("automatically terminate search "
+                                             "after VALUE results are found"),
+                               &results_limit),
+    GNUNET_GETOPT_option_flag (
+      'n',
+      "no-network",
+      gettext_noop ("only search the local peer (no P2P network search)"),
+      &local_only),
+    GNUNET_GETOPT_option_string (
+      'o',
+      "output",
+      "FILENAME",
+      gettext_noop ("create a GNUnet directory with search results at "
+                    "FILENAME (e.g. `gnunet-search --output=commons"
+                    GNUNET_FS_DIRECTORY_EXT " commons`)"),
+      &output_filename),
+    GNUNET_GETOPT_option_flag (
+      's',
+      "silent",
+      gettext_noop ("silent mode (requires the --output argument)"),
+      &silent_mode),
+    GNUNET_GETOPT_option_relative_time (
+      't',
+      "timeout",
+      "DELAY",
+      gettext_noop ("automatically terminate search after DELAY; the value "
+                    "given must be a number followed by a space and a time "
+                    "unit, for example \"500 ms\"; without a unit it defaults "
+                    "to microseconds - 1000000 = 1 second; if 0 or omitted "
+                    "it means to wait for CTRL-C"),
+      &timeout),
+    GNUNET_GETOPT_option_increment_uint (
+      'V',
+      "verbose",
+      gettext_noop ("be verbose (append \"%a\\n\" to the default --printf and "
+                    "--dir-printf arguments - ignored when these are provided "
+                    "by the user)"),
+      &verbose),
+    GNUNET_GETOPT_OPTION_END };
+
+  if (GNUNET_OK != GNUNET_STRINGS_get_utf8_args (argc, argv, &argc, &argv))
+    return 12;
+
+  if (GNUNET_SYSERR ==
+      GNUNET_PROGRAM_run (argc,
+                          argv,
+                          "gnunet-search [OPTIONS] KEYWORD1 KEYWORD2 ...",
+                          gettext_noop ("Search for files that have been "
+                                        "published on GNUnet\n"),
+                          options,
+                          &run,
+                          NULL))
+    ret = 1;
+
+  GNUNET_free_nz ((void *) argv);
+  return ret;
+}
+
+
+/* end of gnunet-search.c */
diff --git a/src/cli/fs/gnunet-unindex.c b/src/cli/fs/gnunet-unindex.c
new file mode 100644
index 000000000..326f75a63
--- /dev/null
+++ b/src/cli/fs/gnunet-unindex.c
@@ -0,0 +1,206 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2001, 2002, 2004, 2005, 2006, 2007, 2009 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file fs/gnunet-unindex.c
+ * @brief unindex files published on GNUnet
+ * @author Christian Grothoff
+ * @author Krista Bennett
+ * @author James Blackwell
+ * @author Igor Wronsky
+ */
+#include "platform.h"
+
+#include "gnunet_fs_service.h"
+
+static int ret;
+
+static unsigned int verbose;
+
+static const struct GNUNET_CONFIGURATION_Handle *cfg;
+
+static struct GNUNET_FS_Handle *ctx;
+
+static struct GNUNET_FS_UnindexContext *uc;
+
+
+static void
+cleanup_task (void *cls)
+{
+  GNUNET_FS_stop (ctx);
+  ctx = NULL;
+}
+
+
+static void
+shutdown_task (void *cls)
+{
+  struct GNUNET_FS_UnindexContext *u;
+
+  if (uc != NULL)
+  {
+    u = uc;
+    uc = NULL;
+    GNUNET_FS_unindex_stop (u);
+  }
+}
+
+
+/**
+ * Called by FS client to give information about the progress of an
+ * operation.
+ *
+ * @param cls closure
+ * @param info details about the event, specifying the event type
+ *        and various bits about the event
+ * @return client-context (for the next progress call
+ *         for this operation; should be set to NULL for
+ *         SUSPEND and STOPPED events).  The value returned
+ *         will be passed to future callbacks in the respective
+ *         field in the GNUNET_FS_ProgressInfo struct.
+ */
+static void *
+progress_cb (void *cls, const struct GNUNET_FS_ProgressInfo *info)
+{
+  const char *s;
+
+  switch (info->status)
+  {
+  case GNUNET_FS_STATUS_UNINDEX_START:
+    break;
+
+  case GNUNET_FS_STATUS_UNINDEX_PROGRESS:
+    if (verbose)
+    {
+      s = GNUNET_STRINGS_relative_time_to_string (info->value.unindex.eta,
+                                                  GNUNET_YES);
+      fprintf (stdout,
+               _ ("Unindexing at %llu/%llu (%s remaining)\n"),
+               (unsigned long long) info->value.unindex.completed,
+               (unsigned long long) info->value.unindex.size,
+               s);
+    }
+    break;
+
+  case GNUNET_FS_STATUS_UNINDEX_ERROR:
+    fprintf (stderr,
+             _ ("Error unindexing: %s.\n"),
+             info->value.unindex.specifics.error.message);
+    GNUNET_SCHEDULER_shutdown ();
+    break;
+
+  case GNUNET_FS_STATUS_UNINDEX_COMPLETED:
+    fprintf (stdout, "%s", _ ("Unindexing done.\n"));
+    GNUNET_SCHEDULER_shutdown ();
+    break;
+
+  case GNUNET_FS_STATUS_UNINDEX_STOPPED:
+    GNUNET_SCHEDULER_add_now (&cleanup_task, NULL);
+    break;
+
+  default:
+    fprintf (stderr, _ ("Unexpected status: %d\n"), info->status);
+    break;
+  }
+  return NULL;
+}
+
+
+/**
+ * Main function that will be run by the scheduler.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param c configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *c)
+{
+  /* check arguments */
+  if ((args[0] == NULL) || (args[1] != NULL))
+  {
+    printf (_ ("You must specify one and only one filename for unindexing.\n"));
+    ret = -1;
+    return;
+  }
+  cfg = c;
+  ctx = GNUNET_FS_start (cfg,
+                         "gnunet-unindex",
+                         &progress_cb,
+                         NULL,
+                         GNUNET_FS_FLAGS_NONE,
+                         GNUNET_FS_OPTIONS_END);
+  if (NULL == ctx)
+  {
+    fprintf (stderr, _ ("Could not initialize `%s' subsystem.\n"), "FS");
+    ret = 1;
+    return;
+  }
+  uc = GNUNET_FS_unindex_start (ctx, args[0], NULL);
+  if (NULL == uc)
+  {
+    fprintf (stderr, "%s", _ ("Could not start unindex operation.\n"));
+    GNUNET_FS_stop (ctx);
+    return;
+  }
+  GNUNET_SCHEDULER_add_shutdown (&shutdown_task, NULL);
+}
+
+
+/**
+ * The main function to unindex content.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc, char *const *argv)
+{
+  struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_option_verbose (&verbose),
+
+    GNUNET_GETOPT_OPTION_END
+  };
+
+  if (GNUNET_OK != GNUNET_STRINGS_get_utf8_args (argc, argv, &argc, &argv))
+    return 2;
+
+  ret = (GNUNET_OK ==
+         GNUNET_PROGRAM_run (
+           argc,
+           argv,
+           "gnunet-unindex [OPTIONS] FILENAME",
+           gettext_noop (
+             "Unindex a file that was previously indexed with gnunet-publish."),
+           options,
+           &run,
+           NULL))
+        ? ret
+        : 1;
+  GNUNET_free_nz ((void *) argv);
+  return ret;
+}
+
+
+/* end of gnunet-unindex.c */
diff --git a/src/cli/fs/meson.build b/src/cli/fs/meson.build
new file mode 100644
index 000000000..1b29dd56d
--- /dev/null
+++ b/src/cli/fs/meson.build
@@ -0,0 +1,51 @@
+executable ('gnunet-search',
+            'gnunet-search.c',
+            dependencies: [libgnunetfs_dep,
+                           libgnunetutil_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+executable ('gnunet-unindex',
+            'gnunet-unindex.c',
+            dependencies: [libgnunetfs_dep,
+                           libgnunetutil_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+executable ('gnunet-auto-share',
+            'gnunet-auto-share.c',
+            dependencies: [libgnunetfs_dep,
+                           libgnunetutil_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+executable ('gnunet-directory',
+            'gnunet-directory.c',
+            dependencies: [libgnunetfs_dep,
+                           libgnunetutil_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+executable ('gnunet-download',
+            'gnunet-download.c',
+            dependencies: [libgnunetfs_dep,
+                           libgnunetutil_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+executable ('gnunet-fs',
+            'gnunet-fs.c',
+            dependencies: [libgnunetfs_dep,
+                           libgnunetutil_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+executable ('gnunet-publish',
+            'gnunet-publish.c',
+            dependencies: [libgnunetfs_dep,
+                           libgnunetidentity_dep,
+                           libgnunetutil_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+
diff --git a/src/cli/gns/.gitignore b/src/cli/gns/.gitignore
new file mode 100644
index 000000000..23bd1d13b
--- /dev/null
+++ b/src/cli/gns/.gitignore
@@ -0,0 +1,2 @@
+gnunet-gns
+gnunet-gns-proxy-setup-ca
diff --git a/src/cli/gns/Makefile.am b/src/cli/gns/Makefile.am
new file mode 100644
index 000000000..ae167bca5
--- /dev/null
+++ b/src/cli/gns/Makefile.am
@@ -0,0 +1,108 @@
+# This Makefile.am is in the public domain
+AM_CPPFLAGS = -I$(top_srcdir)/src/include
+
+pkgdata_DATA = \
+  gnunet-gns-proxy-ca.template
+
+if USE_COVERAGE
+  AM_CFLAGS = --coverage -O0
+endif
+
+if HAVE_LIBIDN
+  LIBIDN= -lidn
+else
+  LIBIDN=
+endif
+
+if HAVE_LIBIDN2
+  LIBIDN2= -lidn2
+else
+  LIBIDN2=
+endif
+
+pkgcfgdir = $(pkgdatadir)/config.d/
+
+libexecdir= $(pkglibdir)/libexec/
+
+plugindir = $(libdir)/gnunet
+
+bin_PROGRAMS = \
+  gnunet-gns
+
+bin_SCRIPTS = \
+  gnunet-gns-proxy-setup-ca
+
+gnunet-gns-proxy-setup-ca: gnunet-gns-proxy-setup-ca.in Makefile
+        $(AWK) -v bdir="$(bindir)" -v py="$(PYTHON)" -v awkay="$(AWK_BINARY)" -v pfx="$(prefix)" -v prl="$(PERL)" -v sysconfdirectory="$(sysconfdir)" -v pkgdatadirectory="$(pkgdatadir)" -f $(top_srcdir)/scripts/dosubst.awk < $(srcdir)/gnunet-gns-proxy-setup-ca.in > gnunet-gns-proxy-setup-ca
+        @chmod +x gnunet-gns-proxy-setup-ca
+
+test_gnunet_gns.sh: test_gnunet_gns.sh.in Makefile
+        $(AWK) -v bdir="$(bindir)" -v py="$(PYTHON)" -v awkay="$(AWK_BINARY)" -v pfx="$(prefix)" -v prl="$(PERL)" -v sysconfdirectory="$(sysconfdir)" -v pkgdatadirectory="$(pkgdatadir)" -f $(top_srcdir)/scripts/dosubst.awk < $(srcdir)/test_gnunet_gns.sh.in > test_gnunet_gns.sh
+        @chmod +x test_gnunet_gns.sh
+
+CLEANFILES = test_gnunet_gns.sh
+
+gnunet_gns_SOURCES = \
+ gnunet-gns.c
+gnunet_gns_LDADD = \
+  $(top_builddir)/src/service/gns/libgnunetgns.la \
+  $(top_builddir)/src/lib/gnsrecord/libgnunetgnsrecord.la \
+  $(top_builddir)/src/service/identity/libgnunetidentity.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(LIBIDN) $(LIBIDN2) \
+  $(GN_LIBINTL)
+
+check_SCRIPTS = \
+   test_gns_lookup.sh \
+   test_gns_config_lookup.sh \
+   test_gns_ipv6_lookup.sh\
+   test_gns_txt_lookup.sh\
+   test_gns_caa_lookup.sh\
+   test_gns_mx_lookup.sh \
+   test_gns_gns2dns_lookup.sh \
+   test_gns_gns2dns_zkey_lookup.sh \
+   test_gns_gns2dns_cname_lookup.sh \
+   test_gns_dht_lookup.sh\
+   test_gns_delegated_lookup.sh \
+   test_gns_at_lookup.sh\
+   test_gns_zkey_lookup.sh\
+   test_gns_rel_expiration.sh\
+   test_gns_soa_lookup.sh\
+   test_gns_revocation.sh\
+   test_gns_redirect_lookup.sh
+
+EXTRA_DIST = \
+  test_gns_defaults.conf \
+  test_gns_lookup.conf \
+  test_gns_simple_lookup.conf \
+  openssl.cnf \
+  gnunet-gns-proxy-setup-ca.in \
+  zonefiles/J7POEUT41A8PBFS7KVVDRF88GBOU4HK8PSU5QKVLVE3R9T91E99G.zkey \
+  zonefiles/OEFL7A4VEF1B40QLEMTG5D8G1CN6EN16QUSG5R2DT71GRJN34LSG.zkey \
+  zonefiles/test_zonekey \
+  test_gns_lookup.sh \
+  test_gns_config_lookup.sh \
+  test_gns_ipv6_lookup.sh\
+  test_gns_txt_lookup.sh\
+  test_gns_caa_lookup.sh\
+  test_gns_mx_lookup.sh \
+  test_gns_gns2dns_lookup.sh \
+  test_gns_gns2dns_zkey_lookup.sh \
+  test_gns_gns2dns_cname_lookup.sh \
+  test_gns_dht_lookup.sh\
+  test_gns_delegated_lookup.sh \
+  test_gns_at_lookup.sh\
+  test_gns_zkey_lookup.sh\
+  test_gns_rel_expiration.sh\
+  test_gns_soa_lookup.sh\
+  test_gns_revocation.sh\
+  test_gns_redirect_lookup.sh\
+        $(pkgdata_DATA) \
+  test_gnunet_gns.sh.in
+
+if ENABLE_TEST_RUN
+if HAVE_SQLITE
+ AM_TESTS_ENVIRONMENT=export GNUNET_PREFIX=$${GNUNET_PREFIX:-@libdir@};export PATH=$${GNUNET_PREFIX:-@prefix@}/bin:$$PATH;unset XDG_DATA_HOME;unset XDG_CONFIG_HOME;
+ TESTS = $(check_SCRIPTS)
+endif
+endif
diff --git a/src/cli/gns/gnunet-gns-proxy-ca.template b/src/cli/gns/gnunet-gns-proxy-ca.template
new file mode 100644
index 000000000..b1a0d16fd
--- /dev/null
+++ b/src/cli/gns/gnunet-gns-proxy-ca.template
@@ -0,0 +1,303 @@
+# X.509 Certificate options
+#
+# DN options
+
+# The organization of the subject.
+organization = "GNU"
+
+# The organizational unit of the subject.
+unit = "GNUnet"
+
+# The locality of the subject.
+locality = World
+
+# The state of the certificate owner.
+# state = "Attiki"
+
+# The country of the subject. Two letter code.
+country = ZZ
+
+# The common name of the certificate owner.
+cn = "GNS Proxy CA"
+
+# A user id of the certificate owner.
+#uid = "clauper"
+
+# Set domain components
+#dc = "name"
+#dc = "domain"
+
+# If the supported DN OIDs are not adequate you can set
+# any OID here.
+# For example set the X.520 Title and the X.520 Pseudonym
+# by using OID and string pairs.
+#dn_oid = "2.5.4.12 Dr."
+#dn_oid = "2.5.4.65 jackal"
+
+# This is deprecated and should not be used in new
+# certificates.
+# pkcs9_email = "none@none.org"
+
+# An alternative way to set the certificate's distinguished name directly
+# is with the "dn" option. The attribute names allowed are:
+# C (country), street, O (organization), OU (unit), title, CN (common name),
+# L (locality), ST (state), placeOfBirth, gender, countryOfCitizenship,
+# countryOfResidence, serialNumber, telephoneNumber, surName, initials,
+# generationQualifier, givenName, pseudonym, dnQualifier, postalCode, name,
+# businessCategory, DC, UID, jurisdictionOfIncorporationLocalityName,
+# jurisdictionOfIncorporationStateOrProvinceName,
+# jurisdictionOfIncorporationCountryName, XmppAddr, and numeric OIDs.
+
+#dn = "cn = Nikos,st = New\, Something,C=GR,surName=Mavrogiannopoulos,2.5.4.9=Arkadias"
+
+# The serial number of the certificate
+# The value is in decimal (e.g. 1963) or hex (e.g. 0x07ab).
+# Comment the field for a random serial number.
+#serial = 007
+
+# In how many days, counting from today, this certificate will expire.
+# Use -1 if there is no expiration date.
+expiration_days = 3650
+
+# Alternatively you may set concrete dates and time. The GNU date string
+# formats are accepted. See:
+# https://www.gnu.org/software/tar/manual/html_node/Date-input-formats.html
+
+#activation_date = "2004-02-29 16:21:42"
+#expiration_date = "2025-02-29 16:24:41"
+
+# X.509 v3 extensions
+
+# A dnsname in case of a WWW server.
+#dns_name = "www.none.org"
+#dns_name = "www.morethanone.org"
+
+# An othername defined by an OID and a hex encoded string
+#other_name = "1.3.6.1.5.2.2 302ca00d1b0b56414e5245494e2e4f5247a11b3019a006020400000002a10f300d1b047269636b1b0561646d696e"
+#other_name_utf8 = "1.2.4.5.6 A UTF8 string"
+#other_name_octet = "1.2.4.5.6 A string that will be encoded as ASN.1 octet string"
+
+# Allows writing an XmppAddr Identifier
+#xmpp_name = juliet@im.example.com
+
+# Names used in PKINIT
+#krb5_principal = user@REALM.COM
+#krb5_principal = HTTP/user@REALM.COM
+
+# A subject alternative name URI
+#uri = "https://www.example.com"
+
+# An IP address in case of a server.
+#ip_address = "192.168.1.1"
+
+# An email in case of a person
+email = "bounce@gnunet.org"
+
+# TLS feature (rfc7633) extension. That can is used to indicate mandatory TLS
+# extension features to be provided by the server. In practice this is used
+# to require the Status Request (extid: 5) extension from the server. That is,
+# to require the server holding this certificate to provide a stapled OCSP response.
+# You can have multiple lines for multiple TLS features.
+
+# To ask for OCSP status request use:
+#tls_feature = 5
+
+# Challenge password used in certificate requests
+challenge_password = 123456
+
+# Password when encrypting a private key
+#password = secret
+
+# An URL that has CRLs (certificate revocation lists)
+# available. Needed in CA certificates.
+#crl_dist_points = "https://www.getcrl.crl/getcrl/"
+
+# Whether this is a CA certificate or not
+ca
+
+# Subject Unique ID (in hex)
+#subject_unique_id = 00153224
+
+# Issuer Unique ID (in hex)
+#issuer_unique_id = 00153225
+
+#### Key usage
+
+# The following key usage flags are used by CAs and end certificates
+
+# Whether this certificate will be used to sign data (needed
+# in TLS DHE ciphersuites). This is the digitalSignature flag
+# in RFC5280 terminology.
+signing_key
+
+# Whether this certificate will be used to encrypt data (needed
+# in TLS RSA ciphersuites). Note that it is preferred to use different
+# keys for encryption and signing. This is the keyEncipherment flag
+# in RFC5280 terminology.
+encryption_key
+
+# Whether this key will be used to sign other certificates. The
+# keyCertSign flag in RFC5280 terminology.
+cert_signing_key
+
+# Whether this key will be used to sign CRLs. The
+# cRLSign flag in RFC5280 terminology.
+#crl_signing_key
+
+# The keyAgreement flag of RFC5280. It's purpose is loosely
+# defined. Not use it unless required by a protocol.
+#key_agreement
+
+# The dataEncipherment flag of RFC5280. It's purpose is loosely
+# defined. Not use it unless required by a protocol.
+#data_encipherment
+
+# The nonRepudiation flag of RFC5280. It's purpose is loosely
+# defined. Not use it unless required by a protocol.
+#non_repudiation
+
+#### Extended key usage (key purposes)
+
+# The following extensions are used in an end certificate
+# to clarify its purpose. Some CAs also use it to indicate
+# the types of certificates they are purposed to sign.
+
+
+# Whether this certificate will be used for a TLS client;
+# this sets the id-kp-clientAuth (1.3.6.1.5.5.7.3.2) of
+# extended key usage.
+#tls_www_client
+
+# Whether this certificate will be used for a TLS server;
+# this sets the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) of
+# extended key usage.
+tls_www_server
+
+# Whether this key will be used to sign code. This sets the
+# id-kp-codeSigning (1.3.6.1.5.5.7.3.3) of extended key usage
+# extension.
+#code_signing_key
+
+# Whether this key will be used to sign OCSP data. This sets the
+# id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9) of extended key usage extension.
+#ocsp_signing_key
+
+# Whether this key will be used for time stamping. This sets the
+# id-kp-timeStamping (1.3.6.1.5.5.7.3.8) of extended key usage extension.
+#time_stamping_key
+
+# Whether this key will be used for email protection. This sets the
+# id-kp-emailProtection (1.3.6.1.5.5.7.3.4) of extended key usage extension.
+#email_protection_key
+
+# Whether this key will be used for IPsec IKE operations (1.3.6.1.5.5.7.3.17).
+#ipsec_ike_key
+
+## adding custom key purpose OIDs
+
+# for microsoft smart card logon
+# key_purpose_oid = 1.3.6.1.4.1.311.20.2.2
+
+# for email protection
+# key_purpose_oid = 1.3.6.1.5.5.7.3.4
+
+# for any purpose (must not be used in intermediate CA certificates)
+# key_purpose_oid = 2.5.29.37.0
+
+### end of key purpose OIDs
+
+### Adding arbitrary extensions
+# This requires to provide the extension OIDs, as well as the extension data in
+# hex format. The following two options are available since GnuTLS 3.5.3.
+#add_extension = "1.2.3.4 0x0AAB01ACFE"
+
+# As above but encode the data as an octet string
+#add_extension = "1.2.3.4 octet_string(0x0AAB01ACFE)"
+
+# For portability critical extensions shouldn't be set to certificates.
+#add_critical_extension = "5.6.7.8 0x1AAB01ACFE"
+
+# When generating a certificate from a certificate
+# request, then honor the extensions stored in the request
+# and store them in the real certificate.
+#honor_crq_extensions
+
+# Alternatively only specific extensions can be copied.
+#honor_crq_ext = 2.5.29.17
+#honor_crq_ext = 2.5.29.15
+
+# Path length constraint. Sets the maximum number of
+# certificates that can be used to certify this certificate.
+# (i.e. the certificate chain length)
+#path_len = -1
+#path_len = 2
+
+# OCSP URI
+# ocsp_uri = https://my.ocsp.server/ocsp
+
+# CA issuers URI
+# ca_issuers_uri = https://my.ca.issuer
+
+# Certificate policies
+#policy1 = 1.3.6.1.4.1.5484.1.10.99.1.0
+#policy1_txt = "This is a long policy to summarize"
+#policy1_url = https://www.example.com/a-policy-to-read
+
+#policy2 = 1.3.6.1.4.1.5484.1.10.99.1.1
+#policy2_txt = "This is a short policy"
+#policy2_url = https://www.example.com/another-policy-to-read
+
+# The number of additional certificates that may appear in a
+# path before the anyPolicy is no longer acceptable.
+#inhibit_anypolicy_skip_certs 1
+
+# Name constraints
+
+# DNS
+#nc_permit_dns = example.com
+#nc_exclude_dns = test.example.com
+
+# EMAIL
+#nc_permit_email = "nmav@ex.net"
+
+# Exclude subdomains of example.com
+#nc_exclude_email = .example.com
+
+# Exclude all e-mail addresses of example.com
+#nc_exclude_email = example.com
+
+# IP
+#nc_permit_ip = 192.168.0.0/16
+#nc_exclude_ip = 192.168.5.0/24
+#nc_permit_ip = fc0a:eef2:e7e7:a56e::/64
+
+
+# Options for proxy certificates
+#proxy_policy_language = 1.3.6.1.5.5.7.21.1
+
+
+# Options for generating a CRL
+
+# The number of days the next CRL update will be due.
+# next CRL update will be in 43 days
+#crl_next_update = 43
+
+# this is the 5th CRL by this CA
+# The value is in decimal (e.g. 1963) or hex (e.g. 0x07ab).
+# Comment the field for a time-based number.
+# Time-based CRL numbers generated in GnuTLS 3.6.3 and later
+# are significantly larger than those generated in previous
+# versions. Since CRL numbers need to be monotonic, you need
+# to specify the CRL number here manually if you intend to
+# downgrade to an earlier version than 3.6.3 after publishing
+# the CRL as it is not possible to specify CRL numbers greater
+# than 2**63-2 using hex notation in those versions.
+#crl_number = 5
+
+# Specify the update dates more precisely.
+#crl_this_update_date = "2004-02-29 16:21:42"
+#crl_next_update_date = "2025-02-29 16:24:41"
+
+# The date that the certificates will be made seen as
+# being revoked.
+#crl_revocation_date = "2025-02-29 16:24:41"
diff --git a/src/cli/gns/gnunet-gns-proxy-setup-ca.in b/src/cli/gns/gnunet-gns-proxy-setup-ca.in
new file mode 100644
index 000000000..b3ebfd11d
--- /dev/null
+++ b/src/cli/gns/gnunet-gns-proxy-setup-ca.in
@@ -0,0 +1,339 @@
+#!/bin/sh
+#
+# This shell script will generate an X509 certificate for
+# your gnunet-gns-proxy and install it (for both GNUnet
+# and your browser).
+#
+# TODO: Implement support for more browsers
+# TODO: Debug and switch to the new version
+# TODO  - The only remaining task is fixing the getopts
+# TODO: Error checks
+#
+# The current version partially reuses and recycles
+# code from build.sh by NetBSD (although not entirely
+# used because it needs debugging):
+#
+# Copyright (c) 2001-2011 The NetBSD Foundation, Inc.
+# All rights reserved.
+#
+# This code is derived from software contributed to
+# The NetBSD Foundation by Todd Vierling and Luke Mewburn.
+#
+# Redistribution and use in source and binary forms, with or
+# without modification, are permitted provided that the following
+# conditions are met:
+# 1. Redistributions of source code must retain the above
+#    copyright notice, this list of conditions and the following
+#    disclaimer.
+# 2. Redistributions in binary form must reproduce the above
+#    copyright notice, this list of conditions and the following
+#    disclaimer in the documentation and/or other materials
+#    provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND
+# CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED.
+# IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS BE LIABLE FOR
+# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
+# OF SUCH DAMAGE.
+
+dir=$(dirname "$0")
+
+progname=${0##*/}
+
+existence() {
+  command -v "$1" >/dev/null 2>&1
+}
+
+statusmsg()
+{
+    ${runcmd} echo "${tab}$@" | tee -a "${results}"
+}
+
+infomsg()
+{
+    if [ x$verbosity = x1 ]; then
+        statusmsg "INFO:${tab}$@"
+    fi
+}
+
+warningmsg()
+{
+    statusmsg "WARNING:${tab}$@"
+}
+
+errormsg()
+{
+    statusmsg "ERROR:${tab}$@"
+}
+
+linemsg()
+{
+    statusmsg "========================================="
+}
+
+
+print_version()
+{
+    GNUNET_ARM_VERSION=`gnunet-arm -v | awk '{print $2 " " $3}'`
+    echo ${progname} $GNUNET_ARM_VERSION
+}
+
+# Whitespace normalization without depending on shell features:
+tab='   '
+tab2='   '
+nl='
+'
+
+setdefaults()
+{
+    verbosity=0
+    resfile=
+    results=/dev/null
+    tmpdir=${TMPDIR:-/tmp}
+    runcmd=
+}
+
+usage()
+{
+    if [ -n "$*" ]; then
+        echo "${nl}${progname}: $*"
+    fi
+    cat <<_usage_
+
+Usage: ${progname} [-hvVto] [-c FILE]
+
+Options:
+${tab}-c FILE Use the configuration file FILE.
+${tab}-h${tab2}${tab2}Print this help message.
+${tab}-o${tab2}${tab2}Display summary of statusmessages
+${tab}-t${tab2}${tab2}Short developer test on binaries
+${tab}-v${tab2}${tab2}Print the version and exit.
+${tab}-V${tab2}${tab2}be verbose
+
+_usage_
+        exit 1
+}
+
+
+generate_ca()
+{
+    echo ""
+    infomsg "Generating CA"
+    TMPDIR=${TMPDIR:-/tmp}
+    if test -e "$TMPDIR"; then
+        GNSCERT=`mktemp -t cert.pem.XXXXXXXX` || exit 1
+        GNSCAKY=`mktemp -t caky.pem.XXXXXXXX` || exit 1
+        GNSCANO=`mktemp -t cano.pem.XXXXXXXX` || exit 1
+    else
+        # This warning is mostly pointless.
+        warningmsg "You need to export the TMPDIR variable"
+    fi
+
+    # # ------------- gnutls
+    #
+    # if ! which certutil > /dev/null
+    # then
+    #     warningmsg "The 'certutil' command was not found."
+    #     warningmsg "Not importing into browsers."
+    #     warningmsg "For 'certutil' install nss."
+    # else
+    #     # Generate CA key
+    #     # pkcs#8 password-protects key
+    #     certtool --pkcs8 --generate-privkey --sec-param high --outfile ca-key.pem
+    #     # self-sign the CA to create public certificate
+    #     certtool --generate-self-signed --load-privkey ca-key.pem --template ca.cfg --outfile ca.pem
+
+    # ------------- openssl
+
+    GNUTLS_CA_TEMPLATE=@PKGDATADIRECTORY@/gnunet-gns-proxy-ca.template
+    OPENSSLCFG=@PKGDATADIRECTORY@/openssl.cnf
+    CERTTOOL=""
+    OPENSSL=0
+    if test -x $(existence gnunet-certtool)
+    # if test -z "`gnutls-certtool --version`" > /dev/null
+    then
+      # We only support gnutls certtool for now. Treat the grep
+      # for "gnutls" in the output with extra care, it only matches
+      # the email address! It is probably safer to run strings(1)
+      # over certtool for a string matching "gnutls"
+      if test -z "`certtool --version | grep gnutls`" > /dev/null
+      then
+        warningmsg "'gnutls-certtool' or 'certtool' command not found. Trying openssl."
+        # if test -z "`openssl version`" > /dev/null
+        if test -x $(existence openssl)
+        then
+          OPENSSL=1
+        else
+          warningmsg "Install either gnutls certtool or openssl for certificate generation!"
+          statusmsg  "Cleaning up."
+          rm -f $GNSCAKY $GNSCERT
+          exit 1
+        fi
+      fi
+      CERTTOOL="certtool"
+    else
+      CERTTOOL="gnutls-certtool"
+    fi
+    if test -n "${GNUNET_CONFIG_FILE}"; then
+        GNUNET_CONFIG="-c ${GNUNET_CONFIG_FILE}"
+    else
+        GNUNET_CONFIG=""
+    fi
+    GNS_CA_CERT_PEM=`gnunet-config ${GNUNET_CONFIG} -s gns-proxy -o PROXY_CACERT -f ${options}`
+    mkdir -p `dirname $GNS_CA_CERT_PEM`
+
+    if test 1 -eq $OPENSSL
+    then
+        if test 1 -eq $verbosity; then
+            openssl req -config $OPENSSLCFG -new -x509 -days 3650 -extensions v3_ca -keyout $GNSCAKY -out $GNSCERT -subj "/C=ZZ/L=World/O=GNU/OU=GNUnet/CN=GNS Proxy CA/emailAddress=bounce@gnunet.org" -passout pass:"GNU Name System"
+        else
+            openssl req -config $OPENSSLCFG -new -x509 -days 3650 -extensions v3_ca -keyout $GNSCAKY -out $GNSCERT -subj "/C=ZZ/L=World/O=GNU/OU=GNUnet/CN=GNS Proxy CA/emailAddress=bounce@gnunet.org" -passout pass:"GNU Name System" >/dev/null 2>&1
+        fi
+        infomsg "Removing passphrase from key"
+        if test 1 -eq $verbosity; then
+            openssl rsa -passin pass:"GNU Name System" -in $GNSCAKY -out $GNSCANO
+        else
+            openssl rsa -passin pass:"GNU Name System" -in $GNSCAKY -out $GNSCANO >/dev/null 2>&1
+        fi
+      cat $GNSCERT $GNSCANO > $GNS_CA_CERT_PEM
+    else
+        if test 1 -eq $verbosity; then
+            $CERTTOOL --generate-privkey --outfile $GNSCAKY
+            $CERTTOOL --template $GNUTLS_CA_TEMPLATE --generate-self-signed --load-privkey $GNSCAKY --outfile $GNSCERT
+        else
+            $CERTTOOL --generate-privkey --outfile $GNSCAKY >/dev/null 2>&1
+            $CERTTOOL --template $GNUTLS_CA_TEMPLATE --generate-self-signed --load-privkey $GNSCAKY --outfile $GNSCERT >/dev/null 2>&1
+        fi
+      infomsg "Making private key available to gnunet-gns-proxy"
+      cat $GNSCERT $GNSCAKY > $GNS_CA_CERT_PEM
+    fi
+}
+
+importbrowsers()
+{
+    # if test -z "`command -v certutil`" > /dev/null 2>&1
+    if test -x $(existence gnutls-certutil) || test -x $(existence certutil)
+    then
+        statusmsg "Importing CA into browsers"
+        # TODO: Error handling?
+        for f in ~/.mozilla/firefox/*.*/
+        do
+            if [ -d $f ]; then
+                infomsg "Importing CA into Firefox at $f"
+                # delete old certificate (if any)
+                certutil -D -n "GNS Proxy CA" -d "$f" >/dev/null 2>/dev/null
+                # add new certificate
+                certutil -A -n "GNS Proxy CA" -t CT,, -d "$f" < $GNSCERT
+            fi
+        done
+        for f in ~/.mozilla/icecat/*.*/
+        do
+            if [ -d $f ]; then
+                infomsg "Importing CA into Icecat at $f"
+                # delete old certificate (if any)
+                certutil -D -n "GNS Proxy CA" -d "$f" >/dev/null 2>/dev/null
+                # add new certificate
+                certutil -A -n "GNS Proxy CA" -t CT,, -d "$f" < $GNSCERT
+            fi
+        done
+        # TODO: Error handling?
+        if [ -d ~/.pki/nssdb/ ]; then
+            statusmsg "Importing CA into Chrome at ~/.pki/nssdb/"
+            # delete old certificate (if any)
+            certutil -D -n "GNS Proxy CA" -d ~/.pki/nssdb/ >/dev/null 2>/dev/null
+            # add new certificate
+            certutil -A -n "GNS Proxy CA" -t CT,, -d ~/.pki/nssdb/ < $GNSCERT
+        fi
+    else
+        warningmsg "The 'certutil' command was not found."
+        warningmsg "Not importing into browsers."
+        warningmsg "For 'certutil' install nss."
+    fi
+}
+
+clean_up()
+{
+    infomsg "Cleaning up."
+    rm -f $GNSCAKY $GNSCANO $GNSCERT
+    if test -e $SETUP_TMPDIR
+    then
+        rm -rf $SETUP_TMPDIR
+    fi
+
+    linemsg
+    statusmsg "You can now start gnunet-gns-proxy."
+    statusmsg "Afterwards, configure your browser "
+    statusmsg "to use a SOCKS proxy on port 7777. "
+    linemsg
+}
+
+main()
+{
+    setdefaults
+    while getopts "vhVtoc:" opt; do
+        case $opt in
+            v)
+                print_version
+                exit 0
+                ;;
+            h)
+                usage
+                ;;
+            V)
+                verbosity=1
+                ;;
+            c)
+                options="$options -c $OPTARG"
+                infomsg "Using configuration file $OPTARG"
+                GNUNET_CONFIG_FILE=${OPTARG}
+                ;;
+            t)
+                verbosity=1
+                infomsg "Running short developer test"
+                if test -x $(existence openssl); then
+                   openssl version
+                fi
+                if test -x $(existence certtool); then
+                    certtool --version
+                fi
+                if test -x $(existence gnutls-certtool); then
+                    gnutls-certtool --version
+                fi
+                exit 0
+                ;;
+            o)
+                resfile=$(mktemp -t ${progname}.results)
+                results="${resfile}"
+                ;;
+            \?)
+                echo "Invalid option: -$OPTARG" >&2
+                usage
+                ;;
+            :)
+                echo "Option -$OPTARG requires an argument." >&2
+                usage
+                ;;
+        esac
+    done
+    generate_ca
+    importbrowsers
+    if [ -s "${results}" ]; then
+        echo "===> Summary of results:"
+        sed -e 's/^===>//;s/^/  /' "${results}"
+        echo "===> ."
+        infomsg "Please remove ${results} manually."
+    fi
+    clean_up
+}
+
+main "$@"
diff --git a/src/cli/gns/gnunet-gns.c b/src/cli/gns/gnunet-gns.c
new file mode 100644
index 000000000..724fbce24
--- /dev/null
+++ b/src/cli/gns/gnunet-gns.c
@@ -0,0 +1,411 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2012-2013, 2017-2018 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file gnunet-gns.c
+ * @brief command line tool to access distributed GNS
+ * @author Christian Grothoff
+ */
+#include "platform.h"
+#if HAVE_LIBIDN2
+#if HAVE_IDN2_H
+#include <idn2.h>
+#elif HAVE_IDN2_IDN2_H
+#include <idn2/idn2.h>
+#endif
+#elif HAVE_LIBIDN
+#if HAVE_IDNA_H
+#include <idna.h>
+#elif HAVE_IDN_IDNA_H
+#include <idn/idna.h>
+#endif
+#endif
+#include <gnunet_util_lib.h>
+#include <gnunet_gnsrecord_lib.h>
+#include <gnunet_namestore_service.h>
+#include <gnunet_gns_service.h>
+
+
+/**
+ * Configuration we are using.
+ */
+static const struct GNUNET_CONFIGURATION_Handle *cfg;
+
+/**
+ * Handle to GNS service.
+ */
+static struct GNUNET_GNS_Handle *gns;
+
+/**
+ * GNS name to lookup. (-u option)
+ */
+static char *lookup_name;
+
+/**
+ * DNS IDNA name to lookup. (set if -d option is set)
+ */
+char *idna_name;
+
+/**
+ * DNS compatibility (name is given as DNS name, possible IDNA).
+ */
+static int dns_compat;
+
+/**
+ * record type to look up (-t option)
+ */
+static char *lookup_type;
+
+/**
+ * raw output
+ */
+static int raw;
+
+/**
+ * Desired record type.
+ */
+static uint32_t rtype;
+
+/**
+ * Timeout for lookup
+ */
+static struct GNUNET_TIME_Relative timeout;
+
+/**
+ * Timeout task
+ */
+static struct GNUNET_SCHEDULER_Task *to_task;
+
+/**
+ * Handle to lookup request
+ */
+static struct GNUNET_GNS_LookupWithTldRequest *lr;
+
+/**
+ * Global return value.
+ * 0 on success (default),
+ * 1 on internal failures
+ * 2 on launch failure,
+ * 4 if the name is not a GNS-supported TLD,
+ */
+static int global_ret;
+
+
+/**
+ * Task run on shutdown.  Cleans up everything.
+ *
+ * @param cls unused
+ */
+static void
+do_shutdown (void *cls)
+{
+  (void) cls;
+  if (NULL != to_task)
+  {
+    GNUNET_SCHEDULER_cancel (to_task);
+    to_task = NULL;
+  }
+  if (NULL != lr)
+  {
+    GNUNET_GNS_lookup_with_tld_cancel (lr);
+    lr = NULL;
+  }
+  if (NULL != gns)
+  {
+    GNUNET_GNS_disconnect (gns);
+    gns = NULL;
+  }
+  if (NULL != idna_name)
+  {
+    GNUNET_free (idna_name);
+    idna_name = NULL;
+  }
+}
+
+
+/**
+ * Task to run on timeout
+ *
+ * @param cls unused
+ */
+static void
+do_timeout (void*cls)
+{
+  to_task = NULL;
+  global_ret = 3; // Timeout
+  GNUNET_SCHEDULER_shutdown ();
+}
+
+
+/**
+ * Function called with the result of a GNS lookup.
+ *
+ * @param cls the 'const char *' name that was resolved
+ * @param was_gns #GNUNET_NO if TLD did not indicate use of GNS
+ * @param rd_count number of records returned
+ * @param rd array of @a rd_count records with the results
+ */
+static void
+process_lookup_result (void *cls,
+                       int was_gns,
+                       uint32_t rd_count,
+                       const struct GNUNET_GNSRECORD_Data *rd)
+{
+  struct GNUNET_TIME_Relative block_exp;
+  const char *typename;
+  char *string_val;
+
+  lr = NULL;
+  if (GNUNET_NO == was_gns)
+  {
+    global_ret = 4; /* not for GNS */
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  block_exp = GNUNET_TIME_absolute_get_remaining (
+    GNUNET_GNSRECORD_record_get_expiration_time (
+      rd_count,
+      rd,
+      GNUNET_TIME_UNIT_ZERO_ABS));
+  if (! raw)
+  {
+    printf ("<<< %u record(s) found:\n\n", rd_count);
+  }
+  for (uint32_t i = 0; i < rd_count; i++)
+  {
+    typename = GNUNET_GNSRECORD_number_to_typename (rd[i].
+                                                    record_type);
+    string_val = GNUNET_GNSRECORD_value_to_string (rd[i].record_type
+                                                   ,
+                                                   rd[i].data,
+                                                   rd[i].data_size);
+    if (NULL == string_val)
+    {
+      fprintf (stderr,
+               "Record %u of type %d malformed, skipping\n",
+               (unsigned int) i,
+               (int) rd[i].record_type);
+      continue;
+    }
+    if (raw)
+      printf ("%s\n", string_val);
+    else
+      printf ("%s: `%s' %s\n",
+              typename,
+              string_val,
+              (0 != (rd[i].flags
+                     &
+                     GNUNET_GNSRECORD_RF_SUPPLEMENTAL)
+              ) ?
+              "(supplemental)" : "");
+    GNUNET_free (string_val);
+  }
+  if (! raw)
+  {
+    if (0 != rd_count)
+      printf ("\nRecord set expires in %s.\n",
+              GNUNET_STRINGS_relative_time_to_string (
+                block_exp, GNUNET_YES));
+  }
+  GNUNET_SCHEDULER_shutdown ();
+}
+
+
+/**
+ * Main function that will be run.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param c configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *c)
+{
+  const char *effective_lookup_type;
+  (void) cls;
+  (void) args;
+  (void) cfgfile;
+
+  cfg = c;
+  to_task = NULL;
+  {
+    char *colon;
+
+    if (NULL != (colon = strchr (lookup_name, ':')))
+      *colon = '\0';
+  }
+
+  /**
+   * If DNS compatibility is requested, we first verify that the
+   * lookup_name is in a DNS format. If yes, we convert it to UTF-8.
+   */
+  if (GNUNET_YES == dns_compat)
+  {
+    Idna_rc rc;
+
+    if (GNUNET_OK != GNUNET_DNSPARSER_check_name (lookup_name))
+    {
+      fprintf (stderr,
+               _ ("`%s' is not a valid DNS domain name\n"),
+               lookup_name);
+      global_ret = 3;
+      return;
+    }
+    if (IDNA_SUCCESS !=
+        (rc = idna_to_unicode_8z8z (lookup_name, &idna_name,
+                                    IDNA_ALLOW_UNASSIGNED)))
+    {
+      fprintf (stderr,
+               _ (
+                 "Failed to convert DNS IDNA name `%s' to UTF-8: %s\n"),
+               lookup_name,
+               idna_strerror (rc));
+      global_ret = 4;
+      return;
+    }
+    lookup_name = idna_name;
+  }
+
+  if (GNUNET_YES !=
+      GNUNET_CLIENT_test (cfg,
+                          "arm"))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                _ (
+                  "Cannot resolve using GNS: GNUnet peer not running\n"));
+    global_ret = 5;
+    return;
+  }
+  to_task = GNUNET_SCHEDULER_add_delayed (timeout,
+                                          &do_timeout,
+                                          NULL);
+  gns = GNUNET_GNS_connect (cfg);
+  if (NULL == gns)
+  {
+    fprintf (stderr,
+             _ ("Failed to connect to GNS\n"));
+    global_ret = 2;
+    return;
+  }
+  GNUNET_SCHEDULER_add_shutdown (&do_shutdown,
+                                 NULL);
+  if (NULL != lookup_type)
+  {
+    effective_lookup_type = lookup_type;
+    rtype = GNUNET_GNSRECORD_typename_to_number (lookup_type);
+  }
+  else
+  {
+    effective_lookup_type = "A";
+    rtype = GNUNET_DNSPARSER_TYPE_A;
+  }
+  if (UINT32_MAX == rtype)
+  {
+    fprintf (stderr,
+             _ ("Invalid typename specified, assuming `ANY'\n"));
+    rtype = GNUNET_GNSRECORD_TYPE_ANY;
+  }
+  if (! raw)
+  {
+    printf (">>> Looking for `%s' records under `%s'\n",
+            effective_lookup_type, lookup_name);
+  }
+  lr = GNUNET_GNS_lookup_with_tld (gns,
+                                   lookup_name,
+                                   rtype,
+                                   GNUNET_GNS_LO_DEFAULT,
+                                   &process_lookup_result,
+                                   lookup_name);
+  if (NULL == lr)
+  {
+    global_ret = 2;
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+}
+
+
+/**
+ * The main function for gnunet-gns.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc, char *const *argv)
+{
+  timeout = GNUNET_TIME_UNIT_FOREVER_REL;
+  struct GNUNET_GETOPT_CommandLineOption options[] =
+  { GNUNET_GETOPT_option_mandatory (
+      GNUNET_GETOPT_option_string ('u',
+                                   "lookup",
+                                   "NAME",
+                                   gettext_noop (
+                                     "Lookup a record for the given name"),
+                                   &lookup_name)),
+    GNUNET_GETOPT_option_string ('t',
+                                 "type",
+                                 "TYPE",
+                                 gettext_noop (
+                                   "Specify the type of the record to lookup"),
+                                 &lookup_type),
+    GNUNET_GETOPT_option_relative_time ('T',
+                                        "timeout",
+                                        "TIMEOUT",
+                                        gettext_noop (
+                                          "Specify a timeout for the lookup"),
+                                        &timeout),
+    GNUNET_GETOPT_option_flag ('r',
+                               "raw",
+                               gettext_noop ("No unneeded output"),
+                               &raw),
+    GNUNET_GETOPT_option_flag ('d',
+                               "dns",
+                               gettext_noop (
+                                 "DNS Compatibility: Name is passed in IDNA instead of UTF-8"),
+                               &dns_compat),
+    GNUNET_GETOPT_OPTION_END };
+  int ret;
+
+  if (GNUNET_OK !=
+      GNUNET_STRINGS_get_utf8_args (argc, argv,
+                                    &argc, &argv))
+    return 2;
+
+  GNUNET_log_setup ("gnunet-gns", "WARNING", NULL);
+  ret = GNUNET_PROGRAM_run (argc,
+                            argv,
+                            "gnunet-gns",
+                            _ ("GNUnet GNS resolver tool"),
+                            options,
+                            &run,
+                            NULL);
+  GNUNET_free_nz ((void *) argv);
+  if (GNUNET_OK != ret)
+    return 1;
+  return global_ret;
+}
+
+
+/* end of gnunet-gns.c */
diff --git a/src/cli/gns/meson.build b/src/cli/gns/meson.build
new file mode 100644
index 000000000..bb6bfc477
--- /dev/null
+++ b/src/cli/gns/meson.build
@@ -0,0 +1,69 @@
+configure_file(input : 'gnunet-gns-proxy-setup-ca.in',
+  output : 'gnunet-gns-proxy-setup-ca',
+  configuration : cdata,
+  install: true,
+  install_mode: 'rwxr-xr-x',
+  install_dir: get_option('bindir'))
+
+install_data('gnunet-gns-proxy-ca.template',
+  install_dir: get_option('datadir')/'gnunet')
+install_data('openssl.cnf',
+  install_dir: get_option('datadir')/'gnunet')
+
+executable ('gnunet-gns',
+  'gnunet-gns.c',
+  dependencies: [libgnunetgns_dep,
+    libgnunetgnsrecord_dep,
+    idn_dep,
+    libgnunetutil_dep],
+  include_directories: [incdir, configuration_inc],
+  install: true,
+  install_dir: get_option('bindir'))
+
+testgns = [
+  'test_dns2gns',
+  'test_gns_at_lookup',
+  'test_gns_caa_lookup',
+  'test_gns_config_lookup',
+  'test_gns_delegated_lookup',
+  'test_gns_dht_lookup',
+  'test_gns_gns2dns_cname_lookup',
+  'test_gns_gns2dns_lookup',
+  'test_gns_gns2dns_zkey_lookup',
+  'test_gns_ipv6_lookup',
+  'test_gns_lookup',
+  'test_gns_mx_lookup',
+  'test_gns_quickupdate',
+  'test_gns_redirect_lookup',
+  'test_gns_rel_expiration',
+  'test_gns_revocation',
+  'test_gns_soa_lookup',
+  'test_gns_txt_lookup',
+  'test_gns_zkey_lookup',
+  'test_gns_sbox_simple',
+  'test_gns_sbox',
+  'test_gns_box_sbox',
+  ]
+
+testconfigs = [
+  'test_dns2gns.conf',
+  'test_gns_defaults.conf',
+  'test_gns_lookup.conf',
+  'test_gns_lookup_peer1.conf',
+  'test_gns_lookup_peer2.conf',
+  'test_gns_simple_lookup.conf'
+  ]
+
+foreach f : testconfigs
+  configure_file(input: f, output: f, copy: true)
+endforeach
+
+foreach t : testgns
+
+  test_filename = t + '.sh'
+  test_file = configure_file(input : test_filename,
+    output : test_filename,
+    copy: true)
+
+  test(t, test_file, suite: 'gns', workdir: meson.current_build_dir(), is_parallel: false)
+endforeach
diff --git a/src/cli/gns/openssl.cnf b/src/cli/gns/openssl.cnf
new file mode 100644
index 000000000..5dce35388
--- /dev/null
+++ b/src/cli/gns/openssl.cnf
@@ -0,0 +1,244 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME                    = .
+#RANDFILE               = $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file               = $ENV::HOME/.oid
+oid_section             = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions            =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca      = CA_default            # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir             = ./demoCA              # Where everything is kept
+certs           = $dir/certs            # Where the issued certs are kept
+crl_dir         = $dir/crl              # Where the issued crl are kept
+database        = $dir/index.txt        # database index file.
+new_certs_dir   = $dir/newcerts         # default place for new certs.
+
+certificate     = $dir/cacert.pem       # The CA certificate
+serial          = $dir/serial           # The current serial number
+crl             = $dir/crl.pem          # The current CRL
+private_key     = $dir/private/cakey.pem# The private key
+RANDFILE        = $dir/private/.rand    # private random number file
+
+x509_extensions = usr_cert              # The extensions to add to the cert
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crl_extensions        = crl_ext
+
+default_days    = 365                   # how long to certify for
+default_crl_days= 30                    # how long before next CRL
+default_md      = md5                   # which md to use.
+preserve        = no                    # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy          = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+####################################################################
+[ req ]
+default_bits            = 1024
+default_keyfile         = privkey.pem
+distinguished_name      = req_distinguished_name
+attributes              = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix   : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName                     = Country Name (2 letter code)
+countryName_default             = AU
+countryName_min                 = 2
+countryName_max                 = 2
+
+stateOrProvinceName             = State or Province Name (full name)
+stateOrProvinceName_default     = Some-State
+
+localityName                    = Locality Name (eg, city)
+
+0.organizationName              = Organization Name (eg, company)
+0.organizationName_default      = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName             = Second Organization Name (eg, company)
+#1.organizationName_default     = World Wide Web Pty Ltd
+
+organizationalUnitName          = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName                      = Common Name (eg, YOUR name)
+commonName_max                  = 64
+
+emailAddress                    = Email Address
+emailAddress_max                = 40
+
+# SET-ex3                       = SET extension number 3
+
+[ req_attributes ]
+challengePassword               = A challenge password
+challengePassword_min           = 4
+challengePassword_max           = 20
+
+unstructuredName                = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType                    = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment                       = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
diff --git a/src/cli/gns/test_dns2gns.conf b/src/cli/gns/test_dns2gns.conf
new file mode 100644
index 000000000..2f6bdc797
--- /dev/null
+++ b/src/cli/gns/test_dns2gns.conf
@@ -0,0 +1,69 @@
+@INLINE@ test_gns_defaults.conf
+
+[namecache]
+DISABLE = YES
+
+[PATHS]
+GNUNET_TEST_HOME = $GNUNET_TMP/test-gnunet-gns-peer-1/
+
+[dht]
+START_ON_DEMAND = YES
+IMMEDIATE_START = YES
+
+[gns]
+# PREFIX = valgrind --leak-check=full --track-origins=yes
+START_ON_DEMAND = YES
+AUTO_IMPORT_PKEY = YES
+MAX_PARALLEL_BACKGROUND_QUERIES = 10
+DEFAULT_LOOKUP_TIMEOUT = 15 s
+RECORD_PUT_INTERVAL = 1 h
+ZONE_PUBLISH_TIME_WINDOW = 1 h
+.gnunet.org =
+
+[namestore]
+IMMEDIATE_START = YES
+#PREFIX = valgrind --leak-check=full --track-origins=yes --log-file=$GNUNET_TMP/ns_log
+
+[revocation]
+WORKBITS = 1
+
+[dhtcache]
+QUOTA = 1 MB
+DATABASE = heap
+
+[topology]
+TARGET-CONNECTION-COUNT = 16
+AUTOCONNECT = YES
+FRIENDS-ONLY = NO
+MINIMUM-FRIENDS = 0
+
+[ats]
+WAN_QUOTA_IN = 1 GB
+WAN_QUOTA_OUT = 1 GB
+
+[transport]
+plugins = tcp
+NEIGHBOUR_LIMIT = 50
+PORT = 2091
+
+[transport-tcp]
+TIMEOUT = 300 s
+
+[nat]
+DISABLEV6 = YES
+BINDTO = 127.0.0.1
+ENABLE_UPNP = NO
+BEHIND_NAT = NO
+ALLOW_NAT = NO
+INTERNAL_ADDRESS = 127.0.0.1
+EXTERNAL_ADDRESS = 127.0.0.1
+
+[dns2gns]
+BINARY = gnunet-dns2gns
+START_ON_DEMAND = YES
+IMMEDIATE_START = YES
+RUN_PER_USER = YES
+BIND_TO = 127.0.0.1
+BIND_TO6 = ::1
+PORT = 12000
+OPTIONS = -d 1.1.1.1
diff --git a/src/cli/gns/test_dns2gns.sh b/src/cli/gns/test_dns2gns.sh
new file mode 100755
index 000000000..a6024ca3c
--- /dev/null
+++ b/src/cli/gns/test_dns2gns.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_dns2gns.conf" INT
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 30"
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_dns2gns.conf -f -s paths -o GNUNET_TEST_HOME`
+MY_EGO="localego"
+TEST_IP="127.0.0.1"
+TEST_IPV6="dead::beef"
+LABEL="fnord"
+TEST_DOMAIN="taler.net"
+
+gnunet-arm -s -c test_dns2gns.conf
+PKEY=`gnunet-identity -V -C $MY_EGO -c test_dns2gns.conf`
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t A -V $TEST_IP -e 3600s -c test_dns2gns.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t AAAA -V $TEST_IPV6 -e 3600s -c test_dns2gns.conf
+
+# FIXME resolution works but always returns all available records
+# also, the records seem to be returned twice if using GNS
+
+if nslookup -port=12000 $LABEL.$PKEY localhost && nslookup -port=12000 $LABEL.$MY_EGO localhost; then
+  echo "PASS: GNS records can be resolved using dns2gns bridge"
+else
+  echo "FAIL: GNS records can't be resolved using dns2gns bridge"
+  gnunet-arm -e -c test_dns2gns.conf
+  rm -rf `gnunet-config -c test_dns2gns.conf -f -s paths -o GNUNET_TEST_HOME`
+  exit 1
+fi
+
+if nslookup -port=12000 $TEST_DOMAIN localhost; then
+  echo "PASS: DNS records can be resolved using dns2gns bridge"
+else
+  echo "FAIL: DNS records can't be resolved using dns2gns bridge"
+  gnunet-arm -e -c test_dns2gns.conf
+  rm -rf `gnunet-config -c test_dns2gns.conf -f -s paths -o GNUNET_TEST_HOME`
+  exit 1
+fi
+gnunet-arm -e -c test_dns2gns.conf
+
+rm -rf `gnunet-config -c test_dns2gns.conf -f -s paths -o GNUNET_TEST_HOME`
diff --git a/src/cli/gns/test_gns_at_lookup.sh b/src/cli/gns/test_gns_at_lookup.sh
new file mode 100755
index 000000000..6a2c958de
--- /dev/null
+++ b/src/cli/gns/test_gns_at_lookup.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 5"
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+TEST_IP="127.0.0.1"
+MY_EGO="myego"
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C delegatedego -c test_gns_lookup.conf
+DELEGATED_PKEY=$(gnunet-identity -d -c test_gns_lookup.conf | grep delegatedego | awk '{print $3}')
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n b -t PKEY -V $DELEGATED_PKEY -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z delegatedego -a -n '@' -t A -V $TEST_IP -e never -c test_gns_lookup.conf
+sleep 0.5
+RES_IP=`$DO_TIMEOUT gnunet-gns --raw -u b.$MY_EGO -t A -c test_gns_lookup.conf`
+gnunet-namestore -z $MY_EGO -d -n b -t PKEY -V $DELEGATED_PKEY  -e never -c test_gns_lookup.conf
+gnunet-namestore -z delegatedego -d -n '@' -t A -V $TEST_IP  -e never -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+if [ "$RES_IP" = "$TEST_IP" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper IP, got $RES_IP."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_box_sbox.sh b/src/cli/gns/test_gns_box_sbox.sh
new file mode 100755
index 000000000..d7e95912e
--- /dev/null
+++ b/src/cli/gns/test_gns_box_sbox.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 30"
+TEST_B="TXT_record_in_BOX"
+TEST_S="TXT_record_in_SBOX"
+TEST_A="10.1.11.10"
+MY_EGO="myego"
+LABEL="testsbox"
+SERVICE="443"
+SERVICE_TEXT="_443"
+PROTOCOL="6"
+PROTOCOL_TEXT="_tcp"
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t SBOX -V "$SERVICE_TEXT.$PROTOCOL_TEXT 16 $TEST_S" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t BOX -V "$PROTOCOL $SERVICE 16 $TEST_B" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t SBOX -V "$SERVICE_TEXT.$PROTOCOL_TEXT 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t BOX -V "$PROTOCOL $SERVICE 1 $TEST_A" -e never -c test_gns_lookup.conf
+sleep 0.5
+RES_B_S=`$DO_TIMEOUT gnunet-gns --raw -u $SERVICE_TEXT.$PROTOCOL_TEXT.$LABEL.$MY_EGO -t TXT -c test_gns_lookup.conf`
+RES_A=`$DO_TIMEOUT gnunet-gns --raw -u $SERVICE_TEXT.$PROTOCOL_TEXT.$LABEL.$MY_EGO -t A -c test_gns_lookup.conf`
+gnunet-namestore -z $MY_EGO -d -n $LABEL -t SBOX -V "$SERVICE_TEXT.$PROTOCOL_TEXT 16 $TEST_S" -e never -c test_gns_lookup.conf
+gnunet-namestore -z $MY_EGO -d -n $LABEL -t BOX -V "$PROTOCOL $SERVICE 16 $TEST_B" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -d -n $LABEL -t SBOX -V "$SERVICE_TEXT.$PROTOCOL_TEXT 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -d -n $LABEL -t BOX -V "$PROTOCOL $SERVICE 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+{ read RES_A1; read RES_A2; read RES_B; read RES_S;} <<< "${RES_B_S}"
+if [ "$RES_B" = "$RES_S" ]
+then
+  echo "Failed to resolve to diffrent TXT records, got '$RES_B' and '$RES_S'."
+  exit 1
+fi
+
+{ read RES_S_A; read RES_B_A;} <<< "${RES_A}"
+if [ "$RES_S_A" = "$TEST_A" ] && [ "$RES_B_A" = "$TEST_A" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper A '$TEST_A', got '$RES_S_A' and '$RES_S_B'."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_caa_lookup.sh b/src/cli/gns/test_gns_caa_lookup.sh
new file mode 100755
index 000000000..fb488f47b
--- /dev/null
+++ b/src/cli/gns/test_gns_caa_lookup.sh
@@ -0,0 +1,38 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 30"
+TEST_CAA="0 issue ca.example.net; policy=ev"
+MY_EGO="myego"
+LABEL="testcaa"
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t CAA -V "$TEST_CAA" -e never -c test_gns_lookup.conf
+sleep 0.5
+RES_CAA=`$DO_TIMEOUT gnunet-gns --raw -u $LABEL.$MY_EGO -t CAA -c test_gns_lookup.conf`
+gnunet-namestore -z $MY_EGO -d -n $LABEL -t CAA -V "$TEST_CAA" -e never -c test_gns_lookup.conf
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+if [ "$RES_CAA" = "$TEST_CAA" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper CAA, got '$RES_CAA'."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_config_lookup.sh b/src/cli/gns/test_gns_config_lookup.sh
new file mode 100755
index 000000000..bda08f87b
--- /dev/null
+++ b/src/cli/gns/test_gns_config_lookup.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+MY_EGO="myego"
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -s PATHS -o GNUNET_HOME -f`
+CFG=`mktemp  --tmpdir=$PWD`
+cp test_gns_lookup.conf $CFG || exit 77
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 5"
+TEST_IP="dead::beef"
+gnunet-arm -s -c $CFG || exit 77
+gnunet-identity -C $MY_EGO -c $CFG 
+EPUB=`gnunet-identity -d -c $CFG | grep $MY_EGO | awk '{print $3}'`
+gnunet-arm -e -c $CFG
+gnunet-config -c $CFG -s "gns" -o ".google.com" -V $EPUB
+gnunet-arm -s -c $CFG
+sleep 1
+gnunet-namestore -p -z $MY_EGO -a -n www -t AAAA -V $TEST_IP -e never -c $CFG
+RES_IP=`$DO_TIMEOUT gnunet-gns --raw -u www.google.com -t AAAA -c $CFG`
+gnunet-namestore -z $MY_EGO -d -n www -t AAAA -V $TEST_IP -e never -c $CFG
+gnunet-identity -D $MY_EGO -c $CFG
+gnunet-arm -e -c $CFG
+rm -rf `gnunet-config -c $CFG -f -s paths -o GNUNET_TEST_HOME`
+rm $CFG
+
+if [ "$RES_IP" = "$TEST_IP" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper IP, got $RES_IP."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_defaults.conf b/src/cli/gns/test_gns_defaults.conf
new file mode 100644
index 000000000..80a2f3c44
--- /dev/null
+++ b/src/cli/gns/test_gns_defaults.conf
@@ -0,0 +1,34 @@
+[PATHS]
+GNUNET_TEST_HOME = $GNUNET_TMP/test-gnunet-gns-testing/
+
+[namestore-sqlite]
+FILENAME = $GNUNET_TEST_HOME/namestore/sqlite_test.db
+
+[namecache-sqlite]
+FILENAME=$GNUNET_TEST_HOME/namecache/namecache.db
+
+[identity]
+# Directory where we store information about our egos
+EGODIR = $GNUNET_TEST_HOME/identity/egos/
+
+[dhtcache]
+DATABASE = heap
+
+[transport]
+PLUGINS = tcp
+
+[transport-tcp]
+BINDTO = 127.0.0.1
+
+
+[fs]
+IMMEDIATE_START = NO
+START_ON_DEMAND = NO
+
+[rps]
+IMMEDIATE_START = NO
+START_ON_DEMAND = NO
+
+[topology]
+IMMEDIATE_START = NO
+START_ON_DEMAND = NO
diff --git a/src/cli/gns/test_gns_delegated_lookup.sh b/src/cli/gns/test_gns_delegated_lookup.sh
new file mode 100755
index 000000000..5105abdb5
--- /dev/null
+++ b/src/cli/gns/test_gns_delegated_lookup.sh
@@ -0,0 +1,45 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 30"
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+MY_EGO="myego"
+OTHER_EGO="delegatedego"
+FINAL_LABEL="www"
+DELEGATION_LABEL="b"
+
+TEST_IP="127.0.0.1"
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C $OTHER_EGO -c test_gns_lookup.conf
+DELEGATED_PKEY=$(gnunet-identity -d -c test_gns_lookup.conf | grep $OTHER_EGO | awk '{print $3}')
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $DELEGATION_LABEL -t PKEY -V $DELEGATED_PKEY -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $OTHER_EGO -a -n $FINAL_LABEL -t A -V $TEST_IP -e never -c test_gns_lookup.conf
+sleep 0.5
+RES_IP=`$DO_TIMEOUT gnunet-gns --raw -u $FINAL_LABEL.$DELEGATION_LABEL.$MY_EGO -t A -c test_gns_lookup.conf`
+gnunet-namestore -z $MY_EGO -d -n b -t PKEY -V $DELEGATED_PKEY  -e never -c test_gns_lookup.conf
+gnunet-namestore -z $OTHER_EGO -d -n $FINAL_LABEL -t A -V $TEST_IP  -e never -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+if [ "$RES_IP" = "$TEST_IP" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper IP, got $RES_IP."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_dht_lookup.sh b/src/cli/gns/test_gns_dht_lookup.sh
new file mode 100755
index 000000000..da87d8477
--- /dev/null
+++ b/src/cli/gns/test_gns_dht_lookup.sh
@@ -0,0 +1,63 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 30"
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+TEST_IP="127.0.0.1"
+MY_EGO="myego"
+OTHER_EGO="delegatedego"
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-arm -i zonemaster -c test_gns_lookup.conf
+gnunet-arm -i datastore -c test_gns_lookup.conf
+gnunet-identity -C $OTHER_EGO -c test_gns_lookup.conf
+DELEGATED_PKEY=$(gnunet-identity -d -c test_gns_lookup.conf | grep $OTHER_EGO | awk '{print $3}')
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+echo "MYEGO: $MY_EGO OTHER_EGO: $DELEGATED_PKEY"
+gnunet-namestore -p -z $MY_EGO -a -n b -t PKEY -V $DELEGATED_PKEY -e never -c test_gns_lookup.conf
+#This works
+gnunet-namestore -p -z $OTHER_EGO -a -n www -t A -V $TEST_IP -e never -c test_gns_lookup.conf
+#This doesn't
+gnunet-namestore -p -z $OTHER_EGO -a -n www2 -t A -V $TEST_IP -e '5 s' -c test_gns_lookup.conf
+sleep 6
+#gnunet-namestore -p -z $OTHER_EGO -d -n www2 -t A -V $TEST_IP -e '5 s' -c test_gns_lookup.conf
+#gnunet-namestore -p -z $OTHER_EGO -a -n www2 -t A -V $TEST_IP -e '5 s' -c test_gns_lookup.conf
+gnunet-arm -k zonemaster -c test_gns_lookup.conf
+gnunet-arm -i zonemaster -c test_gns_lookup.conf
+#gnunet-arm -r -c test_gns_lookup.conf
+#gnunet-arm -i zonemaster
+#gnunet-arm -i gns -c test_gns_lookup.conf
+#gnunet-identity -D $OTHER_EGO -c test_gns_lookup.conf
+#gnunet-namestore -z $MY_EGO -d -n b -t PKEY -V $DELEGATED_PKEY  -e never -c test_gns_lookup.conf
+#gnunet-namestore -z $OTHER_EGO -d -n www -t A -V $TEST_IP  -e never -c test_gns_lookup.conf
+RES_IP=`$DO_TIMEOUT gnunet-gns --raw -u www.b.$MY_EGO -t A -c test_gns_lookup.conf`
+RES_IP_REL=`$DO_TIMEOUT gnunet-gns --raw -u www2.b.$MY_EGO -t A -c test_gns_lookup.conf`
+#gnunet-namestore -z $MY_EGO -d -n b -t PKEY -V $DELEGATED_PKEY  -e never -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+if [ "$RES_IP_REL" != "$TEST_IP" ]
+then
+  echo "Failed to resolve to proper IP, got $RES_IP_REL. (relative expiration)"
+  #exit 1
+fi
+if [ "$RES_IP" = "$TEST_IP" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper IP, got $RES_IP."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_gns2dns_cname_lookup.sh b/src/cli/gns/test_gns_gns2dns_cname_lookup.sh
new file mode 100755
index 000000000..c33c9d132
--- /dev/null
+++ b/src/cli/gns/test_gns_gns2dns_cname_lookup.sh
@@ -0,0 +1,98 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+# IP address of 'www.gnunet.org'
+TEST_IP="147.87.255.218"
+# IP address of 'gnunet.org'
+TEST_IPALT="131.159.74.67"
+# IPv6 address of 'gnunet.org'
+TEST_IP6="2a07:6b47:100:464::9357:ffdb"
+
+# main label used during resolution
+TEST_RECORD_NAME="homepage"
+
+XNS=ns.joker.com
+
+if ! nslookup gnunet.org a.$XNS > /dev/null 2>&1
+then
+  echo "Cannot reach DNS, skipping test"
+  exit 77
+fi
+
+# helper record for pointing to the DNS resolver
+TEST_RESOLVER_LABEL="resolver"
+# GNS2DNS record value: delegate to DNS domain 'gnunet.org'
+# using the TEST_RESOLVER_LABEL DNS server for resolution
+TEST_RECORD_GNS2DNS1="gnunet.org@a.$XNS"
+TEST_RECORD_GNS2DNS2="gnunet.org@b.$XNS"
+TEST_RECORD_GNS2DNS3="gnunet.org@c.$XNS"
+
+MY_EGO="myego"
+# various names we will use for resolution
+TEST_DOMAIN="www.${TEST_RECORD_NAME}.$MY_EGO"
+
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 15"
+
+gnunet-arm -s -c test_gns_lookup.conf
+OUT=`$DO_TIMEOUT gnunet-resolver -c test_gns_lookup.conf www.gnunet.org`
+echo $OUT | grep $TEST_IP - > /dev/null || { gnunet-arm -e -c test_gns_lookup.conf ; echo "IPv4 for gnunet.org not found ($OUT), skipping test"; exit 77; }
+echo $OUT | grep $TEST_IP6 - > /dev/null || { gnunet-arm -e -c test_gns_lookup.conf ; echo "IPv6 for gnunet.org not found ($OUT), skipping test"; exit 77; }
+
+
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+
+# set IP address for DNS resolver for resolving in gnunet.org domain
+# map '$TEST_RECORD_NAME.$MY_EGO' to 'gnunet.org' in DNS
+gnunet-namestore -p -z $MY_EGO -a -n $TEST_RECORD_NAME -t GNS2DNS -V $TEST_RECORD_GNS2DNS1 -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $TEST_RECORD_NAME -t GNS2DNS -V $TEST_RECORD_GNS2DNS2 -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $TEST_RECORD_NAME -t GNS2DNS -V $TEST_RECORD_GNS2DNS3 -e never -c test_gns_lookup.conf
+
+gnunet-namestore -z $MY_EGO -D -c test_gns_lookup.conf
+
+sleep 0.5
+
+# lookup 'www.gnunet.org', IPv4
+RES_IP=`$DO_TIMEOUT gnunet-gns --raw -u $TEST_DOMAIN -t A -c test_gns_lookup.conf`
+# lookup 'www.gnunet.org', IPv6
+RES_IP6=`$DO_TIMEOUT gnunet-gns --raw -u $TEST_DOMAIN -t AAAA -c test_gns_lookup.conf`
+
+# clean up
+gnunet-namestore -z $MY_EGO -d -n $TEST_RECORD_NAME -t GNS2DNS -V $TEST_RECORD_GNS2DNS1 -e never -c test_gns_lookup.conf
+gnunet-namestore -z $MY_EGO -d -n $TEST_RECORD_NAME -t GNS2DNS -V $TEST_RECORD_GNS2DNS2 -e never -c test_gns_lookup.conf
+gnunet-namestore -z $MY_EGO -d -n $TEST_RECORD_NAME -t GNS2DNS -V $TEST_RECORD_GNS2DNS3 -e never -c test_gns_lookup.conf
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+ret=0
+if echo "$RES_IP" | grep "$TEST_IP" > /dev/null
+then
+  echo "PASS: Resolved $TEST_DOMAIN to $RES_IP."
+else
+  echo "Failed to resolve to proper IP for $TEST_DOMAIN, got $RES_IP, wanted $TEST_IP."
+  ret=1
+fi
+
+if echo "$RES_IP6" | grep "$TEST_IP6" > /dev/null
+then
+  echo "PASS: Resolved $TEST_DOMAIN to $RES_IP6."
+else
+  echo "Failed to resolve to proper IP for $TEST_DOMAIN, got $RES_IP6, wanted $TEST_IP6."
+  ret=1
+fi
+
+exit $ret
diff --git a/src/cli/gns/test_gns_gns2dns_lookup.sh b/src/cli/gns/test_gns_gns2dns_lookup.sh
new file mode 100755
index 000000000..43a4756d3
--- /dev/null
+++ b/src/cli/gns/test_gns_gns2dns_lookup.sh
@@ -0,0 +1,117 @@
+#!/bin/sh
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+# IP address of 'docs.gnunet.org'
+TEST_IP_ALT2="147.87.255.218"
+# IP address of 'www.gnunet.org'
+TEST_IP="147.87.255.218"
+# IPv6 address of 'gnunet.org'
+TEST_IP6="2a07:6b47:100:464::9357:ffdb"
+# permissive DNS resolver we will use for the test
+TEST_IP_GNS2DNS="8.8.8.8"
+
+# main label used during resolution
+TEST_RECORD_NAME="homepage"
+
+if ! nslookup gnunet.org $TEST_IP_GNS2DNS > /dev/null 2>&1
+then
+  echo "Cannot reach DNS, skipping test"
+  exit 77
+fi
+
+# helper record for pointing to the DNS resolver
+TEST_RESOLVER_LABEL="resolver"
+# GNS2DNS record value: delegate to DNS domain 'gnunet.org'
+# using the TEST_RESOLVER_LABEL DNS server for resolution
+TEST_RECORD_GNS2DNS="gnunet.org@${TEST_RESOLVER_LABEL}.+"
+
+MY_EGO="myego"
+# various names we will use for resolution
+TEST_DOMAIN="www.${TEST_RECORD_NAME}.$MY_EGO"
+TEST_DOMAIN_ALT="${TEST_RECORD_NAME}.$MY_EGO"
+TEST_DOMAIN_ALT2="docs.${TEST_RECORD_NAME}.$MY_EGO"
+
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 15"
+
+
+gnunet-arm -s -c test_gns_lookup.conf
+
+OUT=`$DO_TIMEOUT gnunet-resolver -c test_gns_lookup.conf www.gnunet.org`
+echo $OUT | grep $TEST_IP - > /dev/null || { gnunet-arm -e -c test_gns_lookup.conf ; echo "IPv4 for gnunet.org not found ($OUT), skipping test"; exit 77; }
+echo $OUT | grep $TEST_IP6 - > /dev/null || { gnunet-arm -e -c test_gns_lookup.conf ; echo "IPv6 for gnunet.org not found ($OUT), skipping test"; exit 77; }
+
+
+
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+
+# set IP address for DNS resolver for resolving in gnunet.org domain
+gnunet-namestore -p -z $MY_EGO -a -n $TEST_RESOLVER_LABEL -t A -V $TEST_IP_GNS2DNS -e never -c test_gns_lookup.conf
+# map '$TEST_RECORD_NAME.$MY_EGO' to 'gnunet.org' in DNS
+gnunet-namestore -p -z $MY_EGO -a -n $TEST_RECORD_NAME -t GNS2DNS -V $TEST_RECORD_GNS2DNS -e never -c test_gns_lookup.conf
+
+sleep 1
+
+gnunet-gns -u $TEST_RECORD_NAME.$MY_EGO -t GNS2DNS -c test_gns_lookup.conf
+
+# lookup 'www.gnunet.org', IPv4
+RES_IP=`$DO_TIMEOUT gnunet-gns --raw -u $TEST_DOMAIN -t A -c test_gns_lookup.conf`
+# lookup 'www.gnunet.org', IPv6
+RES_IP6=`$DO_TIMEOUT gnunet-gns --raw -u $TEST_DOMAIN -t AAAA -c test_gns_lookup.conf | head -n1`
+# lookup 'gnunet.org', IPv4
+RES_IP_ALT=`$DO_TIMEOUT gnunet-gns --raw -u $TEST_DOMAIN_ALT -t A -c test_gns_lookup.conf`
+# lookup 'docs.gnunet.org', IPv4
+RES_IP_ALT2=`$DO_TIMEOUT gnunet-gns --raw -u $TEST_DOMAIN_ALT2 -t A -c test_gns_lookup.conf`
+
+# clean up
+gnunet-namestore -z $MY_EGO -d -n $TEST_RESOLVER_LABEL -t A -V $TEST_IP_GNS2DNS -e never -c test_gns_lookup.conf
+gnunet-namestore -z $MY_EGO -d -n $TEST_RECORD_NAME -t GNS2DNS -V $TEST_RECORD_GNS2DNS -e never -c test_gns_lookup.conf
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+ret=0
+if echo "$RES_IP" | grep "$TEST_IP" > /dev/null
+then
+  echo "PASS: Resolved $TEST_DOMAIN to $RES_IP."
+else
+  echo "Failed to resolve to proper IP for $TEST_DOMAIN, got $RES_IP, wanted $TEST_IP."
+  ret=1
+fi
+
+if [ "${RES_IP6%?}" = "${TEST_IP6%?}" ]
+then
+  echo "PASS: Resolved $TEST_DOMAIN to $RES_IP6."
+else
+  echo "Failed to resolve to proper IP for $TEST_DOMAIN, got $RES_IP6, wanted $TEST_IP6."
+  ret=1
+fi
+
+if echo "$RES_IP_ALT" | grep "$TEST_IP" > /dev/null
+then
+  echo "PASS: Resolved $TEST_DOMAIN_ALT to $RES_IP_ALT."
+else
+  echo "Failed to resolve to proper IP for $TEST_DOMAIN_ALT, got $RES_IP_ALT, wanted $TEST_IP."
+  ret=1
+fi
+
+if echo "$RES_IP_ALT2" | grep "$TEST_IP_ALT2" > /dev/null
+then
+  echo "PASS: Resolved $TEST_DOMAIN_ALT2 to $RES_IP_ALT2."
+else
+  echo "Failed to resolve to proper IP for $TEST_DOMAIN_ALT2, got $RES_IP_ALT2, wanted $TEST_IP_ALT2."
+  ret=1
+fi
+exit $ret
diff --git a/src/cli/gns/test_gns_gns2dns_zkey_lookup.sh b/src/cli/gns/test_gns_gns2dns_zkey_lookup.sh
new file mode 100755
index 000000000..03549314e
--- /dev/null
+++ b/src/cli/gns/test_gns_gns2dns_zkey_lookup.sh
@@ -0,0 +1,116 @@
+#!/bin/sh
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+# IP address of 'docs.gnunet.org'
+TEST_IP_ALT2="147.87.255.218"
+# IP address of 'www.gnunet.org'
+TEST_IP="147.87.255.218"
+# IPv6 address of 'gnunet.org'
+TEST_IP6="2a07:6b47:100:464::9357:ffdb"
+# permissive DNS resolver we will use for the test
+TEST_IP_GNS2DNS="8.8.8.8"
+
+# main label used during resolution
+TEST_RECORD_NAME="homepage"
+
+if ! nslookup gnunet.org $TEST_IP_GNS2DNS > /dev/null 2>&1
+then
+  echo "Cannot reach DNS, skipping test"
+  exit 77
+fi
+
+# helper record for pointing to the DNS resolver
+TEST_RESOLVER_LABEL="resolver"
+
+MY_EGO="myego"
+# various names we will use for resolution
+TEST_DOMAIN="www.${TEST_RECORD_NAME}.$MY_EGO"
+TEST_DOMAIN_ALT="${TEST_RECORD_NAME}.$MY_EGO"
+TEST_DOMAIN_ALT2="docs.${TEST_RECORD_NAME}.$MY_EGO"
+
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 15"
+
+
+gnunet-arm -s -c test_gns_lookup.conf
+
+OUT=`$DO_TIMEOUT gnunet-resolver -c test_gns_lookup.conf www.gnunet.org`
+echo $OUT | grep $TEST_IP - > /dev/null || { gnunet-arm -e -c test_gns_lookup.conf ; echo "IPv4 for gnunet.org not found ($OUT), skipping test"; exit 77; }
+echo $OUT | grep $TEST_IP6 - > /dev/null || { gnunet-arm -e -c test_gns_lookup.conf ; echo "IPv6 for gnunet.org not found ($OUT), skipping test"; exit 77; }
+
+
+
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+MY_EGO_PKEY=$(gnunet-identity -d -c test_gns_lookup.conf | grep ${MY_EGO} | awk '{print $3}')
+# GNS2DNS record value: delegate to DNS domain 'gnunet.org'
+# using the TEST_RESOLVER_LABEL DNS server for resolution
+TEST_RECORD_GNS2DNS="gnunet.org@${TEST_RESOLVER_LABEL}.${MY_EGO_PKEY}"
+
+# set IP address for DNS resolver for resolving in gnunet.org domain
+gnunet-namestore -p -z $MY_EGO -a -n $TEST_RESOLVER_LABEL -t A -V $TEST_IP_GNS2DNS -e never -c test_gns_lookup.conf
+# map '$TEST_RECORD_NAME.$MY_EGO' to 'gnunet.org' in DNS
+gnunet-namestore -p -z $MY_EGO -a -n $TEST_RECORD_NAME -t GNS2DNS -V $TEST_RECORD_GNS2DNS -e never -c test_gns_lookup.conf
+
+sleep 1
+
+# lookup 'www.gnunet.org', IPv4
+RES_IP=`$DO_TIMEOUT gnunet-gns --raw -u $TEST_DOMAIN -t A -c test_gns_lookup.conf`
+# lookup 'www.gnunet.org', IPv6
+RES_IP6=`$DO_TIMEOUT gnunet-gns --raw -u $TEST_DOMAIN -t AAAA -c test_gns_lookup.conf | head -n1`
+# lookup 'gnunet.org', IPv4
+RES_IP_ALT=`$DO_TIMEOUT gnunet-gns --raw -u $TEST_DOMAIN_ALT -t A -c test_gns_lookup.conf`
+# lookup 'docs.gnunet.org', IPv4
+RES_IP_ALT2=`$DO_TIMEOUT gnunet-gns --raw -u $TEST_DOMAIN_ALT2 -t A -c test_gns_lookup.conf`
+
+# clean up
+gnunet-namestore -z $MY_EGO -d -n $TEST_RESOLVER_LABEL -t A -V $TEST_IP_GNS2DNS -e never -c test_gns_lookup.conf
+gnunet-namestore -z $MY_EGO -d -n $TEST_RECORD_NAME -t GNS2DNS -V $TEST_RECORD_GNS2DNS -e never -c test_gns_lookup.conf
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+ret=0
+if echo "$RES_IP" | grep "$TEST_IP" > /dev/null
+then
+  echo "PASS: Resolved $TEST_DOMAIN to $RES_IP."
+else
+  echo "Failed to resolve to proper IP for $TEST_DOMAIN, got $RES_IP, wanted $TEST_IP."
+  ret=1
+fi
+
+if [ "${RES_IP6%?}" = "${TEST_IP6%?}" ]
+then
+  echo "PASS: Resolved $TEST_DOMAIN to $RES_IP6."
+else
+  echo "Failed to resolve to proper IP for $TEST_DOMAIN, got $RES_IP6, wanted $TEST_IP6."
+  ret=1
+fi
+
+if echo "$RES_IP_ALT" | grep "$TEST_IP" > /dev/null
+then
+  echo "PASS: Resolved $TEST_DOMAIN_ALT to $RES_IP_ALT."
+else
+  echo "Failed to resolve to proper IP for $TEST_DOMAIN_ALT, got $RES_IP_ALT, wanted $TEST_IP."
+  ret=1
+fi
+
+if echo "$RES_IP_ALT2" | grep "$TEST_IP_ALT2" > /dev/null
+then
+  echo "PASS: Resolved $TEST_DOMAIN_ALT2 to $RES_IP_ALT2."
+else
+  echo "Failed to resolve to proper IP for $TEST_DOMAIN_ALT2, got $RES_IP_ALT2, wanted $TEST_IP_ALT2."
+  ret=1
+fi
+exit $ret
diff --git a/src/cli/gns/test_gns_ipv6_lookup.sh b/src/cli/gns/test_gns_ipv6_lookup.sh
new file mode 100755
index 000000000..31e662f68
--- /dev/null
+++ b/src/cli/gns/test_gns_ipv6_lookup.sh
@@ -0,0 +1,37 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+MY_EGO="myego"
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -s PATHS -o GNUNET_HOME -f`
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 30"
+TEST_IP="dead::beef"
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n www -t AAAA -V $TEST_IP -e never -c test_gns_lookup.conf
+sleep 0.5
+RES_IP=`$DO_TIMEOUT gnunet-gns --raw -u www.$MY_EGO -t AAAA -c test_gns_lookup.conf`
+gnunet-namestore -z $MY_EGO -d -n www -t AAAA -V $TEST_IP -e never -c test_gns_lookup.conf
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+if [ "$RES_IP" = "$TEST_IP" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper IP, got $RES_IP."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_lightest.sh b/src/cli/gns/test_gns_lightest.sh
new file mode 100755
index 000000000..2d2203e66
--- /dev/null
+++ b/src/cli/gns/test_gns_lightest.sh
@@ -0,0 +1,141 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 30"
+START_EGO="startego"
+MY_EGO="test-lightest"
+LABEL="test-scheme"
+PTR_LABEL="test-ptr"
+TEST_URI="10 1 \"https://ec.europa.eu/tools/lotl/eu-lotl.xml\""
+TEST_SMIMEA="3 0 1 f7e8e4e554fb7c7a8f6f360e0ca2f59d466c8f9539a25963f5ed37e905f0c797"
+SCHEME="_scheme"
+TRUST="_trust"
+TRANSLATION="_translation"
+TEST_PTR="$SCHEME.$TRUST.$LABEL.$MY_EGO.$START_EGO"
+TEST_PTR2="$TRANSLATION.$TRUST.$LABEL.$MY_EGO.$START_EGO"
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+gnunet-identity -C $START_EGO -c test_gns_lookup.conf
+PKEY=`gnunet-identity -d -e $MY_EGO -q -c test_gns_lookup.conf`
+gnunet-namestore -p -z $MY_EGO -a -n $PTR_LABEL -t BOX -V "49152 49152 12 $TEST_PTR" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $PTR_LABEL -t BOX -V "49152 49153 12 $TEST_PTR2" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t BOX -V "49152 49152 256 $TEST_URI" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t BOX -V "49152 49152 53 $TEST_SMIMEA" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t BOX -V "49152 49153 256 $TEST_URI" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t BOX -V "49152 49153 53 $TEST_SMIMEA" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $START_EGO -a -n $MY_EGO -t PKEY -V "$PKEY" -e never -c test_gns_lookup.conf
+sleep 0.5
+PTR_SCHEME=`$DO_TIMEOUT gnunet-gns --raw -u $SCHEME.$TRUST.$PTR_LABEL.$MY_EGO.$START_EGO -t PTR -c test_gns_lookup.conf`
+PTR_TRANSLATION=`$DO_TIMEOUT gnunet-gns --raw -u $TRANSLATION.$TRUST.$PTR_LABEL.$MY_EGO.$START_EGO -t PTR -c test_gns_lookup.conf`
+
+SUCCESS=0
+if [ "$PTR_SCHEME" != "$TEST_PTR" ]
+then
+  echo "Failed to resolve to proper PTR, got '$PTR_SCHEME'."
+  SUCCESS=1
+else
+  echo "Resolved to proper PTR, got '$PTR_SCHEME'."
+fi
+
+if [ "$PTR_TRANSLATION" != "$TEST_PTR2" ]
+then
+  echo "Failed to resolve to proper PTR, got '$PTR_TRANSLATION'."
+  SUCCESS=1
+else
+  echo "Resolved to proper PTR, got '$PTR_TRANSLATION'."
+fi
+
+if [ "$SUCCESS" = "1" ]
+then
+  gnunet-namestore -z $MY_EGO -X -c test_gns_lookup.conf
+  gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+  gnunet-arm -e -c test_gns_lookup.conf
+  rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+  exit 1
+fi
+
+
+RES_URI_SCHEME=`$DO_TIMEOUT gnunet-gns --raw -u $PTR_SCHEME -t URI -c test_gns_lookup.conf`
+RES_SMIMEA_SCHEME=`$DO_TIMEOUT gnunet-gns --raw -u $PTR_SCHEME -t SMIMEA -c test_gns_lookup.conf`
+
+RES_URI_TRANSLATION=`$DO_TIMEOUT gnunet-gns --raw -u $PTR_TRANSLATION -t URI -c test_gns_lookup.conf`
+RES_SMIMEA_TRANSLATION=`$DO_TIMEOUT gnunet-gns --raw -u $PTR_TRANSLATION -t SMIMEA -c test_gns_lookup.conf`
+
+
+if [ "$RES_URI_SCHEME" != "$TEST_URI" ]
+then
+  echo "Failed to resolve to proper URI, got '$RES_URI_SCHEME'."
+  SUCCESS=1
+else
+  echo "Resolved to proper URI, got '$RES_URI_SCHEME'."
+fi
+
+if [ "$RES_SMIMEA_SCHEME" != "$TEST_SMIMEA" ]
+then
+  echo "Failed to resolve to proper SMIMEA, got '$RES_SMIMEA_SCHEME'."
+  SUCCESS=1
+else
+  echo "Resolved to proper SMIMEA, got '$RES_SMIMEA_SCHEME'."
+fi
+
+if [ "$RES_URI_TRANSLATION" != "$TEST_URI" ]
+then
+  echo "Failed to resolve to proper URI, got '$RES_URI_TRANSLATION'."
+  SUCCESS=1
+else
+  echo "Resolved to proper URI, got '$RES_URI_TRANSLATION'."
+fi
+
+if [ "$RES_SMIMEA_TRANSLATION" != "$TEST_SMIMEA" ]
+then
+  echo "Failed to resolve to proper SMIMEA, got '$RES_SMIMEA_TRANSLATION'."
+  SUCCESS=1
+else
+  echo "Resolved to proper SMIMEA, got '$RES_SMIMEA_TRANSLATION'."
+fi
+
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t BOX -V "49152 49152 256 10 1 \"thisisnotavaliduri\"" -e never -c test_gns_lookup.conf
+status=$?
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t BOX -V "49152 49152 256 10 1 mailto:thisrecordismalformed@test.com" -e never -c test_gns_lookup.conf
+status2=$?
+
+if [ "$status" = "0" ]
+then
+  echo "Failed to detect malformed URI."
+  SUCCESS=1
+else
+  echo "Detected malformed URI."
+fi
+
+if [ "$status2" = "0" ]
+then
+  echo "Failed to detect malformed URI Record Presentation."
+  SUCCESS=1
+else
+  echo "Detected malformed URI Presentation."
+fi
+
+
+
+gnunet-namestore -z $MY_EGO -X -c test_gns_lookup.conf
+gnunet-namestore -z $START_EGO -X -c test_gns_lookup.conf
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-identity -D $START_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+exit $SUCCESS
\ No newline at end of file
diff --git a/src/cli/gns/test_gns_lookup.conf b/src/cli/gns/test_gns_lookup.conf
new file mode 100644
index 000000000..46e89a64d
--- /dev/null
+++ b/src/cli/gns/test_gns_lookup.conf
@@ -0,0 +1,65 @@
+@INLINE@ test_gns_defaults.conf
+
+[namecache]
+DISABLE = NO
+
+[PATHS]
+GNUNET_TEST_HOME = $GNUNET_TMP/test-gnunet-gns-peer-1/
+
+[dht]
+START_ON_DEMAND = YES
+
+[gns]
+# PREFIX = valgrind --leak-check=full --track-origins=yes
+START_ON_DEMAND = YES
+AUTO_IMPORT_PKEY = YES
+MAX_PARALLEL_BACKGROUND_QUERIES = 10
+DEFAULT_LOOKUP_TIMEOUT = 15 s
+RECORD_PUT_INTERVAL = 1 h
+ZONE_PUBLISH_TIME_WINDOW = 1 h
+DNS_ROOT=PD67SGHF3E0447TU9HADIVU9OM7V4QHTOG0EBU69TFRI2LG63DR0
+
+[namestore]
+#PREFIX = valgrind --leak-check=full --track-origins=yes --log-file=$GNUNET_TMP/ns_log
+
+[zonemaster]
+IMMEDIATE_START = YES
+START_ON_DEMAND = YES
+
+[rest]
+BASIC_AUTH_ENABLED=NO
+
+[revocation]
+WORKBITS = 2
+EPOCH_DURATION = 365 d
+
+[dhtcache]
+QUOTA = 1 MB
+DATABASE = heap
+
+[topology]
+TARGET-CONNECTION-COUNT = 16
+AUTOCONNECT = YES
+FRIENDS-ONLY = NO
+MINIMUM-FRIENDS = 0
+
+[ats]
+WAN_QUOTA_IN = 1 GB
+WAN_QUOTA_OUT = 1 GB
+
+[transport]
+plugins = tcp
+NEIGHBOUR_LIMIT = 50
+PORT = 2091
+
+[transport-tcp]
+TIMEOUT = 300 s
+
+[nat]
+DISABLEV6 = YES
+BINDTO = 127.0.0.1
+ENABLE_UPNP = NO
+BEHIND_NAT = NO
+ALLOW_NAT = NO
+INTERNAL_ADDRESS = 127.0.0.1
+EXTERNAL_ADDRESS = 127.0.0.1
diff --git a/src/cli/gns/test_gns_lookup.sh b/src/cli/gns/test_gns_lookup.sh
new file mode 100755
index 000000000..92dfae28b
--- /dev/null
+++ b/src/cli/gns/test_gns_lookup.sh
@@ -0,0 +1,37 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -s PATHS -o GNUNET_HOME -f`
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 30"
+TEST_IP="127.0.0.1"
+MY_EGO="myego"
+LABEL="www"
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t A -V $TEST_IP -e never -c test_gns_lookup.conf
+sleep 0.5
+RES_IP=`$DO_TIMEOUT gnunet-gns --raw -u $LABEL.$MY_EGO -t A -c test_gns_lookup.conf`
+gnunet-namestore -z $MY_EGO -d -n $LABEL -t A -V $TEST_IP -e never -c test_gns_lookup.conf
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+
+if [ "$RES_IP" = "$TEST_IP" ]
+then
+  exit 0
+else
+  echo "FAIL: Failed to resolve to proper IP, got $RES_IP."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_lookup_peer1.conf b/src/cli/gns/test_gns_lookup_peer1.conf
new file mode 100644
index 000000000..69e2f0973
--- /dev/null
+++ b/src/cli/gns/test_gns_lookup_peer1.conf
@@ -0,0 +1,75 @@
+@INLINE@ test_gns_defaults.conf
+
+[namecache]
+DISABLE = YES
+
+[PATHS]
+GNUNET_TEST_HOME = $GNUNET_TMP/test-gnunet-gns-peer-1/
+GNUNET_RUNTIME_DIR = $GNUNET_TMP/test-gnunet-gns-peer-1-system-runtime/
+GNUNET_USER_RUNTIME_DIR = $GNUNET_TMP/test-gnunet-gns-peer-1-user-runtime/
+
+[dht]
+START_ON_DEMAND = YES
+IMMEDIATE_START = YES
+
+[gns]
+# PREFIX = valgrind --leak-check=full --track-origins=yes
+START_ON_DEMAND = YES
+AUTO_IMPORT_PKEY = YES
+MAX_PARALLEL_BACKGROUND_QUERIES = 10
+DEFAULT_LOOKUP_TIMEOUT = 15 s
+RECORD_PUT_INTERVAL = 1 h
+ZONE_PUBLISH_TIME_WINDOW = 1 h
+DNS_ROOT=PD67SGHF3E0447TU9HADIVU9OM7V4QHTOG0EBU69TFRI2LG63DR0
+
+[namestore]
+IMMEDIATE_START = YES
+#PREFIX = valgrind --leak-check=full --track-origins=yes --log-file=$GNUNET_TMP/ns_log
+
+[revocation]
+WORKBITS = 1
+
+[dhtcache]
+QUOTA = 1 MB
+DATABASE = heap
+
+[topology]
+TARGET-CONNECTION-COUNT = 16
+AUTOCONNECT = YES
+FRIENDS-ONLY = NO
+MINIMUM-FRIENDS = 0
+
+[ats]
+WAN_QUOTA_IN = 1 GB
+WAN_QUOTA_OUT = 1 GB
+
+[transport]
+plugins = unix
+NEIGHBOUR_LIMIT = 50
+PORT = 2091
+
+[transport-unix]
+UNIXPATH = $GNUNET_RUNTIME_DIR/gnunet-transport-plugin-unix1.sock
+
+[hostlist]
+SERVERS = http://localhost:9999/
+OPTIONS = -b
+IMMEDIATE_START = YES
+
+[nat]
+DISABLEV6 = YES
+BINDTO = 127.0.0.1
+ENABLE_UPNP = NO
+BEHIND_NAT = NO
+ALLOW_NAT = NO
+INTERNAL_ADDRESS = 127.0.0.1
+EXTERNAL_ADDRESS = 127.0.0.1
+
+[dns2gns]
+BINARY = gnunet-dns2gns
+START_ON_DEMAND = YES
+IMMEDIATE_START = YES
+RUN_PER_USER = YES
+BIND_TO = 127.0.0.1
+BIND_TO6 = ::1
+OPTIONS = -d 1.1.1.1 -p 12000
diff --git a/src/cli/gns/test_gns_lookup_peer2.conf b/src/cli/gns/test_gns_lookup_peer2.conf
new file mode 100644
index 000000000..3de81d7f3
--- /dev/null
+++ b/src/cli/gns/test_gns_lookup_peer2.conf
@@ -0,0 +1,72 @@
+@INLINE@ test_gns_defaults.conf
+
+[namecache]
+DISABLE = YES
+
+[PATHS]
+GNUNET_TEST_HOME = $GNUNET_TMP/test-gnunet-gns-peer-2/
+GNUNET_RUNTIME_DIR = $GNUNET_TMP/test-gnunet-gns-peer-2-runtime/
+GNUNET_USER_RUNTIME_DIR = $GNUNET_TMP/test-gnunet-gns-peer-2-user-runtime/
+
+[dht]
+START_ON_DEMAND = YES
+IMMEDIATE_START = YES
+
+[identity]
+START_ON_DEMAND = YES
+IMMEDIATE_START = YES
+
+[gns]
+# PREFIX = valgrind --leak-check=full --track-origins=yes
+IMMEDIATE_START = YES
+START_ON_DEMAND = YES
+AUTO_IMPORT_PKEY = YES
+MAX_PARALLEL_BACKGROUND_QUERIES = 10
+DEFAULT_LOOKUP_TIMEOUT = 15 s
+RECORD_PUT_INTERVAL = 1 h
+ZONE_PUBLISH_TIME_WINDOW = 1 h
+DNS_ROOT=PD67SGHF3E0447TU9HADIVU9OM7V4QHTOG0EBU69TFRI2LG63DR0
+
+[namestore]
+IMMEDIATE_START = YES
+#PREFIX = valgrind --leak-check=full --track-origins=yes --log-file=$GNUNET_TMP/ns_log
+
+[revocation]
+WORKBITS = 1
+
+[dhtcache]
+QUOTA = 1 MB
+DATABASE = heap
+
+[topology]
+TARGET-CONNECTION-COUNT = 16
+AUTOCONNECT = YES
+FRIENDS-ONLY = NO
+MINIMUM-FRIENDS = 0
+
+[hostlist]
+SERVERS =
+HTTPPORT = 9999
+OPTIONS = -p
+IMMEDIATE_START = YES
+
+
+[ats]
+WAN_QUOTA_IN = 1 GB
+WAN_QUOTA_OUT = 1 GB
+
+[transport]
+plugins = unix
+NEIGHBOUR_LIMIT = 50
+
+[transport-unix]
+UNIXPATH = $GNUNET_RUNTIME_DIR/gnunet-transport-plugin-unix2.sock
+
+[nat]
+DISABLEV6 = YES
+BINDTO = 127.0.0.1
+ENABLE_UPNP = NO
+BEHIND_NAT = NO
+ALLOW_NAT = NO
+INTERNAL_ADDRESS = 127.0.0.1
+EXTERNAL_ADDRESS = 127.0.0.1
diff --git a/src/cli/gns/test_gns_multiple_record_lookup.sh b/src/cli/gns/test_gns_multiple_record_lookup.sh
new file mode 100755
index 000000000..52a487329
--- /dev/null
+++ b/src/cli/gns/test_gns_multiple_record_lookup.sh
@@ -0,0 +1,95 @@
+#!/bin/bash
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup_peer1.conf" INT
+trap "gnunet-arm -e -c test_gns_lookup_peer2.conf" INT
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 5"
+
+unset XDG_DATA_HOME
+unset XDG_CONFIG_HOME
+unset XDG_CACHE_HOME
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_gns_lookup_peer1.conf -f -s paths -o GNUNET_TEST_HOME`
+rm -rf `gnunet-config -c test_gns_lookup_peer2.conf -f -s paths -o GNUNET_TEST_HOME`
+OTHER_EGO="remoteego"
+
+TEST_IP="127.0.0.1"
+TEST_IPV6="dead::beef"
+LABEL="fnord"
+
+gnunet-arm -s -c test_gns_lookup_peer2.conf
+gnunet-identity -C $OTHER_EGO -c test_gns_lookup_peer2.conf
+PKEY=`$DO_TIMEOUT gnunet-identity -d -c test_gns_lookup_peer2.conf | grep $OTHER_EGO | awk '{print $3}'`
+
+# Note: if zonemaster is kept running, it MAY publish the "A" record in the
+# DHT immediately and then _LATER_ also the "AAAA" record. But as then there
+# will be TWO valid blocks in the DHT (one with only A and one with A and
+# AAAA), the subsequent GET for both may fail and only return the result with
+# just the "A" record).
+# If we _waited_ until the original block with just "A" expired, everything
+# would be fine, but we don't want to do that for the test, so we
+# simply pause publishing to the DHT until all records are defined.
+# In the future, it would be good to have an enhanced gnunet-namestore command
+# that would read a series of changes to be made to a record set from
+# stdin and do them _all_ *atomically*. Then we would not need to do this.
+
+gnunet-arm -c test_gns_lookup_peer2.conf -k zonemaster
+
+gnunet-namestore -p -z $OTHER_EGO -a -n $LABEL -t A -V $TEST_IP -e 3600s -c test_gns_lookup_peer2.conf
+gnunet-namestore -p -z $OTHER_EGO -a -n $LABEL -t AAAA -V $TEST_IPV6 -e 3600s -c test_gns_lookup_peer2.conf
+gnunet-namestore -D -z $OTHER_EGO -n $LABEL -c test_gns_lookup_peer2.conf
+
+gnunet-arm -c test_gns_lookup_peer2.conf -i zonemaster
+
+gnunet-arm -s -c test_gns_lookup_peer1.conf
+
+
+RESP=`$DO_TIMEOUT gnunet-gns --raw -u $LABEL.$PKEY -t ANY -c test_gns_lookup_peer1.conf`
+RESP1=`$DO_TIMEOUT gnunet-gns --raw -u $LABEL.$PKEY -t A -c test_gns_lookup_peer1.conf`
+RESP2=`$DO_TIMEOUT gnunet-gns --raw -u $LABEL.$PKEY -t AAAA -c test_gns_lookup_peer1.conf`
+
+echo "$LABEL.$PKEY"
+echo $RESP $RESP1 $RESP2
+
+gnunet-arm -e -c test_gns_lookup_peer1.conf
+gnunet-arm -e -c test_gns_lookup_peer2.conf
+
+gnunet-config -c test_gns_lookup_peer1.conf -f -s paths -o GNUNET_TEST_HOME
+
+rm -rf `gnunet-config -c test_gns_lookup_peer1.conf -f -s paths -o GNUNET_TEST_HOME`
+rm -rf `gnunet-config -c test_gns_lookup_peer2.conf -f -s paths -o GNUNET_TEST_HOME`
+
+RESPONSES=($(echo $RESP | tr "\n" " " ))
+
+if [ "$RESP1" == "$TEST_IP" ]
+then
+  echo "PASS: A record resolution from DHT via separate peer"
+else
+  echo "FAIL: A record resolution from DHT via separate peer, got $RESP1, expected $TEST_IP"
+  exit 1
+fi
+if [ "$RESP2" == "$TEST_IPV6" ]
+then
+  echo "PASS: AAAA record resolution from DHT via separate peer"
+else
+  echo "FAIL: AAAA record resolution from DHT via separate peer, got $RESP2, expected $TEST_IPV6"
+  exit 1
+fi
+if [[ "${RESPONSES[0]} ${RESPONSES[1]}" == "$TEST_IPV6 $TEST_IP" ]] || [[ "${RESPONSES[0]} ${RESPONSES[1]}" == "$TEST_IP $TEST_IPV6" ]]
+then
+  echo "PASS: ANY record resolution from DHT via separate peer"
+else
+  echo "FAIL: ANY record resolution from DHT via separate peer, got $RESP, expected $TEST_IPV6 $TEST_IP or $TEST_IP $TEST_IPV6"
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_mx_lookup.sh b/src/cli/gns/test_gns_mx_lookup.sh
new file mode 100755
index 000000000..6f2b8192d
--- /dev/null
+++ b/src/cli/gns/test_gns_mx_lookup.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 5"
+
+MY_EGO="myego"
+TEST_MX="5 mail.+"
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+PKEY=`gnunet-identity -d | grep "$MY_EGO - " | awk '{print $3'}`
+WANT_MX="5 mail.$PKEY"
+gnunet-namestore -p -z $MY_EGO -a -n www -t MX -V "$TEST_MX" -e never -c test_gns_lookup.conf
+sleep 0.5
+RES_MX=`$DO_TIMEOUT gnunet-gns --raw -u www.$MY_EGO -t MX -c test_gns_lookup.conf`
+gnunet-namestore -z $MY_EGO -d -n www -t MX -V "$TEST_MX" -e never -c test_gns_lookup.conf
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+# make cmp case-insensitive by converting to lower case first
+RES_MX=`echo $RES_MX | tr [A-Z] [a-z]`
+WANT_MX=`echo $WANT_MX | tr [A-Z] [a-z]`
+
+if [ "$RES_MX" = "$WANT_MX" ]
+then
+  exit 0
+else
+  echo "FAIL: did not get proper IP, got $RES_MX, expected $WANT_MX."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_quickupdate.sh b/src/cli/gns/test_gns_quickupdate.sh
new file mode 100755
index 000000000..eac69103d
--- /dev/null
+++ b/src/cli/gns/test_gns_quickupdate.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+MY_EGO="myego"
+OTHER_EGO="delegatedego"
+
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 5"
+TEST_IP="127.0.0.1"
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+gnunet-identity -C $OTHER_EGO -c test_gns_lookup.conf
+DELEGATED_PKEY=$(gnunet-identity -d -c test_gns_lookup.conf | grep $OTHER_EGO | awk '{print $3}')
+gnunet-arm -i gns -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n b -t PKEY -V $DELEGATED_PKEY -e never -c test_gns_lookup.conf
+# Give GNS/namestore time to fully start and finish initial iteration
+sleep 2
+# Performing namestore update
+gnunet-namestore -p -z $OTHER_EGO -a -n www -t A -V $TEST_IP -e never -c test_gns_lookup.conf
+# Give GNS chance to observe store event via monitor
+sleep 1
+gnunet-namestore -z $OTHER_EGO -d -n www -t A -V $TEST_IP  -e never -c test_gns_lookup.conf
+# give GNS chance to process monitor event
+sleep 1
+# stop everything and restart to check that DHT PUT did happen
+gnunet-arm -k gns -c test_gns_lookup.conf
+gnunet-arm -k namestore -c test_gns_lookup.conf
+gnunet-arm -k namecache -c test_gns_lookup.conf
+gnunet-arm -k zonemaster -c test_gns_lookup.conf
+# Purge nameacache, as we might otherwise fetch from there
+# FIXME: testcase started failing after the line below was fixed by adding '-f',
+# might have never worked (!)
+rm -r `gnunet-config -f -c test_gns_lookup.conf -s namecache-sqlite -o FILENAME`
+gnunet-arm -i namestore -c test_gns_lookup.conf
+gnunet-arm -i namecache -c test_gns_lookup.conf
+gnunet-arm -i zonemaster -c test_gns_lookup.conf
+gnunet-arm -i gns -c test_gns_lookup.conf
+RES_IP=`$DO_TIMEOUT gnunet-gns --raw -u www.b.$MY_EGO -t A -c test_gns_lookup.conf`
+gnunet-namestore -z $MY_EGO -d -n b -t PKEY -V $DELEGATED_PKEY  -e never -c test_gns_lookup.conf
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-identity -D $OTHER_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+if [ "$RES_IP" = "$TEST_IP" ]
+then
+  exit 0
+else
+  echo "Failed to properly resolve IP, expected $TEST_IP, got $RES_IP."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_redirect_lookup.sh b/src/cli/gns/test_gns_redirect_lookup.sh
new file mode 100755
index 000000000..90729713d
--- /dev/null
+++ b/src/cli/gns/test_gns_redirect_lookup.sh
@@ -0,0 +1,100 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+# permissive DNS resolver we will use for the test
+DNS_RESOLVER="8.8.8.8"
+if ! nslookup gnunet.org $DNS_RESOLVER > /dev/null 2>&1
+then
+  echo "Cannot reach DNS, skipping test"
+  exit 77
+fi
+
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+TEST_IP_PLUS="127.0.0.1"
+TEST_IP_DNS="147.87.255.218"
+TEST_RECORD_REDIRECT_SERVER="server"
+TEST_RECORD_REDIRECT_PLUS="server.+"
+TEST_RECORD_REDIRECT_DNS="gnunet.org"
+TEST_RECORD_NAME_SERVER="server"
+TEST_RECORD_NAME_PLUS="www"
+TEST_RECORD_NAME_ZKEY="www2"
+TEST_RECORD_NAME_DNS="www3"
+MY_EGO="myego"
+TEST_DOMAIN_PLUS="www.$MY_EGO"
+TEST_DOMAIN_ZKEY="www2.$MY_EGO"
+TEST_DOMAIN_DNS="www3.$MY_EGO"
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 15"
+
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+MY_EGO_PKEY=$(gnunet-identity -d -c test_gns_lookup.conf | grep ${MY_EGO} | awk '{print $3}')
+TEST_RECORD_REDIRECT_ZKEY="server.${MY_EGO_PKEY}"
+gnunet-namestore -p -z $MY_EGO -a -n $TEST_RECORD_NAME_DNS -t REDIRECT -V $TEST_RECORD_REDIRECT_DNS -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $TEST_RECORD_NAME_PLUS -t REDIRECT -V $TEST_RECORD_REDIRECT_PLUS -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $TEST_RECORD_NAME_ZKEY -t REDIRECT -V $TEST_RECORD_REDIRECT_ZKEY -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $TEST_RECORD_REDIRECT_SERVER -t A -V $TEST_IP_PLUS -e never -c test_gns_lookup.conf
+sleep 1
+RES_REDIRECT=`$DO_TIMEOUT gnunet-gns --raw -u $TEST_DOMAIN_PLUS -t A -c test_gns_lookup.conf`
+RES_REDIRECT_RAW=`$DO_TIMEOUT gnunet-gns --raw -u $TEST_DOMAIN_PLUS -t REDIRECT -c test_gns_lookup.conf`
+RES_REDIRECT_ZKEY=`$DO_TIMEOUT gnunet-gns --raw -u $TEST_DOMAIN_ZKEY -t A -c test_gns_lookup.conf`
+RES_REDIRECT_DNS=`$DO_TIMEOUT gnunet-gns --raw -u $TEST_DOMAIN_DNS -t A -c test_gns_lookup.conf | grep $TEST_IP_DNS`
+
+TESTEGOZONE=`gnunet-identity -c test_gns_lookup.conf -d | awk '{print $3}'`
+gnunet-namestore -p -z $MY_EGO -d -n $TEST_RECORD_NAME_DNS -t REDIRECT -V $TEST_RECORD_REDIRECT_DNS -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -d -n $TEST_RECORD_NAME_PLUS -t REDIRECT -V $TEST_RECORD_REDIRECT_PLUS -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -d -n $TEST_RECORD_NAME_ZKEY -t REDIRECT -V $TEST_RECORD_REDIRECT_ZKEY -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -d -n $TEST_RECORD_REDIRECT_SERVER -t A -V $TEST_IP_PLUS -e never -c test_gns_lookup.conf
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+# make cmp case-insensitive by converting to lower case first
+RES_REDIRECT_RAW=`echo $RES_REDIRECT_RAW | tr [A-Z] [a-z]`
+TESTEGOZONE=`echo $TESTEGOZONE | tr [A-Z] [a-z]`
+if [ "$RES_REDIRECT_RAW" = "server.$TESTEGOZONE" ]
+then
+  echo "PASS: REDIRECT resolution from GNS"
+else
+  echo "FAIL: REDIRECT resolution from GNS, got $RES_REDIRECT_RAW, expected server.$TESTEGOZONE."
+  exit 1
+fi
+
+if [ "$RES_REDIRECT" = "$TEST_IP_PLUS" ]
+then
+  echo "PASS: IP resolution from GNS (.+)"
+else
+  echo "FAIL: IP resolution from GNS (.+), got $RES_REDIRECT, expected $TEST_IP_PLUS."
+  exit 1
+fi
+
+if [ "$RES_REDIRECT_ZKEY" = "$TEST_IP_PLUS" ]
+then
+  echo "PASS: IP resolution from GNS (.zkey)"
+else
+  echo "FAIL: IP resolution from GNS (.zkey), got $RES_REDIRECT, expected $TEST_IP_PLUS."
+  exit 1
+fi
+
+if echo "$RES_REDIRECT_DNS" | grep "$TEST_IP_DNS" > /dev/null
+then
+  echo "PASS: IP resolution from DNS"
+  exit 0
+else
+  echo "FAIL: IP resolution from DNS, got $RES_REDIRECT_DNS, expected $TEST_IP_DNS."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_rel_expiration.sh b/src/cli/gns/test_gns_rel_expiration.sh
new file mode 100755
index 000000000..a240cfd0f
--- /dev/null
+++ b/src/cli/gns/test_gns_rel_expiration.sh
@@ -0,0 +1,64 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+
+if [ -z $(which timeout) ]
+then
+  echo "timeout utility not found which is required for test."
+  exit 77
+fi
+
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+MY_EGO="myego"
+OTHER_EGO="delegatedego"
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 5"
+TEST_IP="127.0.0.1"
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+gnunet-identity -C $OTHER_EGO -c test_gns_lookup.conf
+DELEGATED_PKEY=$(gnunet-identity -d -c test_gns_lookup.conf | grep $OTHER_EGO | awk '{print $3}')
+gnunet-namestore -p -z $MY_EGO -a -n b -t PKEY -V $DELEGATED_PKEY -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $OTHER_EGO -a -n www -t A -V $TEST_IP -e '5 s' -c test_gns_lookup.conf
+gnunet-arm -i gns -c test_gns_lookup.conf
+sleep 0.5
+# confirm that lookup currently works
+RES_IP=`$DO_TIMEOUT gnunet-gns --raw -u www.b.$MY_EGO -t A -c test_gns_lookup.conf`
+# remove entry
+gnunet-namestore -z $OTHER_EGO -d -n www -t A -V $TEST_IP  -e '5 s' -c test_gns_lookup.conf
+# wait for old entry with 5s 'expiration' to definitively expire
+sleep 6
+# try again, should no longer work
+RES_IP_EXP=`$DO_TIMEOUT gnunet-gns --raw -u www.b.$MY_EGO -t A -c test_gns_lookup.conf`
+gnunet-namestore -z $MY_EGO -d -n b -t PKEY -V $DELEGATED_PKEY  -e never -c test_gns_lookup.conf
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-identity -D $OTHER_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+if [ "$RES_IP_EXP" = "$TEST_IP" ]
+then
+  echo "Failed to properly expire IP, got $RES_IP_EXP."
+  exit 1
+fi
+
+if [ "$RES_IP" = "$TEST_IP" ]
+then
+  exit 0
+else
+  echo "Failed to properly resolve IP, got $RES_IP."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_revocation.sh b/src/cli/gns/test_gns_revocation.sh
new file mode 100755
index 000000000..2253adcb4
--- /dev/null
+++ b/src/cli/gns/test_gns_revocation.sh
@@ -0,0 +1,50 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 5"
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+MY_EGO="myego"
+OTHER_EGO="delegatedego"
+TEST_IP="127.0.0.1"
+
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C $OTHER_EGO -c test_gns_lookup.conf
+DELEGATED_PKEY=$(gnunet-identity -d -c test_gns_lookup.conf | grep $OTHER_EGO | awk '{print $3}')
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n b -t PKEY -V $DELEGATED_PKEY -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $OTHER_EGO -a -n www -t A -V $TEST_IP -e never -c test_gns_lookup.conf
+sleep 1
+RES_IP=`$DO_TIMEOUT gnunet-gns --raw -u www.b.$MY_EGO -t A -c test_gns_lookup.conf`
+gnunet-revocation -R $OTHER_EGO -p  -c test_gns_lookup.conf
+RES_IP_REV=`$DO_TIMEOUT gnunet-gns --raw -u www.b.$MY_EGO -t A -c test_gns_lookup.conf`
+gnunet-namestore -z $MY_EGO -d -n b -t PKEY -V $DELEGATED_PKEY  -e never -c test_gns_lookup.conf
+gnunet-namestore -z $OTHER_EGO -d -n www -t A -V $TEST_IP  -e never -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+if [ "$RES_IP" != "$TEST_IP" ]
+then
+  echo "Failed to resolve to proper IP, got $RES_IP."
+  exit 1
+fi
+
+if [ "x$RES_IP_REV" = "x" ]
+then
+  exit 0
+else
+  echo "Failed to revoke zone, got $RES_IP_REV."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_sbox.sh b/src/cli/gns/test_gns_sbox.sh
new file mode 100755
index 000000000..6918bf130
--- /dev/null
+++ b/src/cli/gns/test_gns_sbox.sh
@@ -0,0 +1,121 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 7"
+TEST_A="139.134.54.9"
+MY_EGO="myego"
+LABEL="testsbox"
+PREFIX1="_name"
+PREFIX2="__"
+PREFIX3="_a_b_c_d_e_f_g_h_i_j_k_l_m_n_o_p_q_r_s_t_u_v_w_x_y_z_"
+PREFIX4="abcdefghijklmnopqrstuvwxyz.abcdefghijklmnopqrstuvwxyz._abc"
+PREFIX5="abc.abc._abc.abc"
+PREFIX6="abc.abc._abc.abc._abc"
+PREFIX7="abc.abc._abc.abc._abc.abc"
+PREFIX8="_at"
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t SBOX -V "$PREFIX1 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t SBOX -V "$PREFIX2 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t SBOX -V "$PREFIX3 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t SBOX -V "$PREFIX4 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t SBOX -V "$PREFIX5 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t SBOX -V "$PREFIX6 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t SBOX -V "$PREFIX7 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n '@' -t SBOX -V "$PREFIX8 1 $TEST_A" -e never -c test_gns_lookup.conf
+sleep 0.5
+RES_A1=`$DO_TIMEOUT gnunet-gns --raw -u $PREFIX1.$LABEL.$MY_EGO -t A -c test_gns_lookup.conf`
+RES_A2=`$DO_TIMEOUT gnunet-gns --raw -u $PREFIX2.$LABEL.$MY_EGO -t A -c test_gns_lookup.conf`
+RES_A3=`$DO_TIMEOUT gnunet-gns --raw -u $PREFIX3.$LABEL.$MY_EGO -t A -c test_gns_lookup.conf`
+RES_A4=`$DO_TIMEOUT gnunet-gns --raw -u $PREFIX4.$LABEL.$MY_EGO -t A -c test_gns_lookup.conf`
+RES_A5=`$DO_TIMEOUT gnunet-gns --raw -u $PREFIX5.$LABEL.$MY_EGO -t A -c test_gns_lookup.conf`
+RES_A6=`$DO_TIMEOUT gnunet-gns --raw -u $PREFIX6.$LABEL.$MY_EGO -t A -c test_gns_lookup.conf`
+RES_A7=`$DO_TIMEOUT gnunet-gns --raw -u $PREFIX7.$LABEL.$MY_EGO -t A -c test_gns_lookup.conf`
+RES_A8=`$DO_TIMEOUT gnunet-gns --raw -u $PREFIX8.$MY_EGO -t A -c test_gns_lookup.conf`
+gnunet-namestore -z $MY_EGO -d -n $LABEL -t SBOX -V "$PREFIX1 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-namestore -z $MY_EGO -d -n $LABEL -t SBOX -V "$PREFIX2 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-namestore -z $MY_EGO -d -n $LABEL -t SBOX -V "$PREFIX3 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-namestore -z $MY_EGO -d -n $LABEL -t SBOX -V "$PREFIX4 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-namestore -z $MY_EGO -d -n $LABEL -t SBOX -V "$PREFIX6 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-namestore -z $MY_EGO -d -n '@' -t SBOX -V "$PREFIX8 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+if [ "$RES_A1" = "$TEST_A" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper A, got '$RES_A1'."
+  exit 1
+fi
+
+if [ "$RES_A2" = "$TEST_A" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper A, got '$RES_A2'."
+  exit 1
+fi
+
+if [ "$RES_A3" = "$TEST_A" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper A, got '$RES_A3'."
+  exit 1
+fi
+
+if [ "$RES_A4" = "$TEST_A" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper A, got '$RES_A4'."
+  exit 1
+fi
+
+if [ "$RES_A5" = "$TEST_A" ]
+then
+  echo "Should have failed to resolve to proper A, got '$RES_A5' anyway."
+  exit 1
+else
+  exit 0
+fi
+
+if [ "$RES_A6" = "$TEST_A" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper A, got '$RES_A6'."
+  exit 1
+fi
+
+if [ "$RES_A7" = "$TEST_A" ]
+then
+  echo "Should have failed to resolve to proper A, got '$RES_A7' anyway."
+  exit 1
+else
+  exit 0
+fi
+
+if [ "$RES_A8" = "$TEST_A" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper A, got '$RES_A8'."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_sbox_simple.sh b/src/cli/gns/test_gns_sbox_simple.sh
new file mode 100755
index 000000000..f0d31e471
--- /dev/null
+++ b/src/cli/gns/test_gns_sbox_simple.sh
@@ -0,0 +1,39 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 30"
+TEST_A="139.134.54.9"
+MY_EGO="myego"
+HASH="c93f1e400f26708f98cb19d936620da35eec8f72e57f9eec01c1afd6"
+PROTOCOL_TEXT="_smimecert"
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n '@' -t SBOX -V "$HASH.$PROTOCOL_TEXT 1 $TEST_A" -e never -c test_gns_lookup.conf
+sleep 0.5
+RES_A=`$DO_TIMEOUT gnunet-gns --raw -u $HASH.$PROTOCOL_TEXT.$MY_EGO -t A -c test_gns_lookup.conf`
+gnunet-namestore -z $MY_EGO -d -n '@' -t SBOX -V "$HASH.$PROTOCOL_TEXT 1 $TEST_A" -e never -c test_gns_lookup.conf
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+if [ "$RES_A" = "$TEST_A" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper A, got '$RES_A'."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_simple_lookup.conf b/src/cli/gns/test_gns_simple_lookup.conf
new file mode 100644
index 000000000..374731377
--- /dev/null
+++ b/src/cli/gns/test_gns_simple_lookup.conf
@@ -0,0 +1,97 @@
+@INLINE@ test_gns_defaults.conf
+[fs]
+START_ON_DEMAND = NO
+
+[resolver]
+START_ON_DEMAND = YES
+HOSTNAME = localhost
+
+[dht]
+START_ON_DEMAND = YES
+ACCEPT_FROM6 = ::1;
+ACCEPT_FROM = 127.0.0.1;
+HOSTNAME = localhost
+PORT = 12100
+BINARY = gnunet-service-dht
+
+[dhtcache]
+QUOTA = 1 MB
+DATABASE = heap
+
+[transport]
+PLUGINS = tcp
+ACCEPT_FROM6 = ::1;
+ACCEPT_FROM = 127.0.0.1;
+NEIGHBOUR_LIMIT = 50
+PORT = 12365
+
+[ats]
+WAN_QUOTA_IN = 1 GB
+WAN_QUOTA_OUT = 1 GB
+
+[core]
+PORT = 12092
+
+[arm]
+PORT = 12366
+
+[transport-tcp]
+TIMEOUT = 300 s
+PORT = 12368
+BINDTO = 127.0.0.1
+
+[PATHS]
+GNUNET_TEST_HOME = $GNUNET_TMP/test-gnunetd-gns-peer-1/
+
+
+[nat]
+DISABLEV6 = YES
+ENABLE_UPNP = NO
+BEHIND_NAT = NO
+ALLOW_NAT = NO
+INTERNAL_ADDRESS = 127.0.0.1
+EXTERNAL_ADDRESS = 127.0.0.1
+USE_LOCALADDR = NO
+
+[dns]
+START_ON_DEMAND = YES
+DNS_EXIT = 8.8.8.8
+
+[gns]
+#PREFIX = valgrind --leak-check=full --track-origins=yes
+START_ON_DEMAND = YES
+BINARY = gnunet-service-gns
+ZONEKEY = zonefiles/test_zonekey
+PRIVATE_ZONE = private
+PRIVATE_ZONEKEY = zonefiles/OEFL7A4VEF1B40QLEMTG5D8G1CN6EN16QUSG5R2DT71GRJN34LSG.zkey
+SHORTEN_ZONE = short
+SHORTEN_ZONEKEY = zonefiles/188JSUMKEF25GVU8TTV0PBNNN8JVCPUEDFV1UHJJU884JD25V0T0.zkey
+#ZONEKEY =  $GNUNET_TEST_HOME/gns/zonekey.zkey
+HIJACK_DNS = NO
+UNIXPATH = $GNUNET_RUNTIME_DIR/gnunet-service-gns.sock
+AUTO_IMPORT_PKEY = YES
+MAX_PARALLEL_BACKGROUND_QUERIES = 10
+DEFAULT_LOOKUP_TIMEOUT = 15 s
+RECORD_PUT_INTERVAL = 1 h
+
+[nse]
+START_ON_DEMAND = NO
+
+[statistics]
+START_ON_DEMAND = NO
+
+[namestore]
+PORT = 22371
+START_ON_DEMAND = YES
+UNIXPATH = $GNUNET_RUNTIME_DIR/gnunet-service-namestore-default.sock
+UNIX_MATCH_UID = YES
+UNIX_MATCH_GID = YES
+HOSTNAME = localhost
+BINARY = gnunet-service-namestore
+ACCEPT_FROM = 127.0.0.1;
+ACCEPT_FROM6 = ::1;
+DATABASE = sqlite
+ZONEFILE_DIRECTORY = $GNUNET_TEST_HOME
+
+[namestore-sqlite]
+FILENAME = $GNUNET_TEST_HOME/sqlite-default.db
diff --git a/src/cli/gns/test_gns_soa_lookup.sh b/src/cli/gns/test_gns_soa_lookup.sh
new file mode 100755
index 000000000..a697782bb
--- /dev/null
+++ b/src/cli/gns/test_gns_soa_lookup.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 5"
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+MY_EGO="myego"
+TEST_DOMAIN="homepage.$MY_EGO"
+# some public DNS resolver we can use
+#TEST_IP_GNS2DNS="184.172.157.218" # This one seems currently down.
+TEST_IP_GNS2DNS="8.8.8.8"
+TEST_RECORD_NAME="homepage"
+TEST_RECORD_GNS2DNS="gnunet.org"
+
+if ! nslookup $TEST_RECORD_GNS2DNS $TEST_IP_GNS2DNS > /dev/null 2>&1
+then
+  echo "Cannot reach DNS, skipping test"
+  exit 77
+fi
+
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $TEST_RECORD_NAME -t GNS2DNS -V ${TEST_RECORD_GNS2DNS}@${TEST_IP_GNS2DNS} -e never -c test_gns_lookup.conf
+sleep 0.5
+RES_SOA=`$DO_TIMEOUT gnunet-gns --raw -u $TEST_DOMAIN -t SOA -c test_gns_lookup.conf`
+gnunet-namestore -z $MY_EGO -d -n $TEST_RECORD_NAME -t GNS2DNS -V ${TEST_RECORD_GNS2DNS}@${TEST_IP_GNS2DNS} -e never -c test_gns_lookup.conf > /dev/null 2>&1
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+if [ "x$RES_SOA" != "x" ]
+then
+  echo "PASS: Resolved SOA for $TEST_DOMAIN to $RES_SOA."
+  exit 0
+else
+  echo "Failed to resolve to proper SOA for $TEST_DOMAIN, got no result."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_txt_lookup.sh b/src/cli/gns/test_gns_txt_lookup.sh
new file mode 100755
index 000000000..4e36e8ad8
--- /dev/null
+++ b/src/cli/gns/test_gns_txt_lookup.sh
@@ -0,0 +1,38 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 30"
+TEST_TXT="GNS powered txt record data"
+MY_EGO="myego"
+LABEL="testtxt"
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C $MY_EGO -c test_gns_lookup.conf
+gnunet-namestore -p -z $MY_EGO -a -n $LABEL -t TXT -V "$TEST_TXT" -e never -c test_gns_lookup.conf
+sleep 0.5
+RES_TXT=`$DO_TIMEOUT gnunet-gns --raw -u $LABEL.$MY_EGO -t TXT -c test_gns_lookup.conf`
+gnunet-namestore -z $MY_EGO -d -n $LABEL -t TXT -V "$TEST_TXT" -e never -c test_gns_lookup.conf
+gnunet-identity -D $MY_EGO -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+if [ "$RES_TXT" = "$TEST_TXT" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper TXT, got '$RES_TXT'."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gns_zkey_lookup.sh b/src/cli/gns/test_gns_zkey_lookup.sh
new file mode 100755
index 000000000..3d4aefc7c
--- /dev/null
+++ b/src/cli/gns/test_gns_zkey_lookup.sh
@@ -0,0 +1,39 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_gns_lookup.conf" INT
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 5"
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+TEST_IP="127.0.0.1"
+gnunet-arm -s -c test_gns_lookup.conf
+gnunet-identity -C delegatedego -c test_gns_lookup.conf
+DELEGATED_PKEY=$(gnunet-identity -d -c test_gns_lookup.conf | grep delegatedego | awk '{print $3}')
+gnunet-identity -C testego -c test_gns_lookup.conf
+gnunet-namestore -p -z testego -a -n b -t PKEY -V $DELEGATED_PKEY -e never -c test_gns_lookup.conf
+gnunet-namestore -p -z delegatedego -a -n www -t A -V $TEST_IP -e never -c test_gns_lookup.conf
+RES_IP=`$DO_TIMEOUT gnunet-gns --raw -u www.${DELEGATED_PKEY} -t A -c test_gns_lookup.conf`
+gnunet-namestore -z testego -d -n b -t PKEY -V $DELEGATED_PKEY  -e never -c test_gns_lookup.conf
+gnunet-namestore -z delegatedego -d -n www -t A -V $TEST_IP  -e never -c test_gns_lookup.conf
+gnunet-arm -e -c test_gns_lookup.conf
+rm -rf `gnunet-config -c test_gns_lookup.conf -f -s paths -o GNUNET_TEST_HOME`
+
+if [ "$RES_IP" = "$TEST_IP" ]
+then
+  exit 0
+else
+  echo "Failed to resolve to proper IP, got $RES_IP, wanted $TEST_IP."
+  exit 1
+fi
diff --git a/src/cli/gns/test_gnunet_gns.sh.in b/src/cli/gns/test_gnunet_gns.sh.in
new file mode 100755
index 000000000..d0c07b4e4
--- /dev/null
+++ b/src/cli/gns/test_gnunet_gns.sh.in
@@ -0,0 +1,47 @@
+#!/bin/bash
+# This file is in the public domain.
+# test -z being correct was a false assumption here.
+# I have no executable 'fooble', but this will
+# return 1:
+# if test -z "`which fooble`"; then echo 1; fi
+# The command builtin might not work with busybox's ash
+# but this works for now.
+dir=$(dirname "$0")
+
+existence() {
+  command -v "$1" >/dev/null 2>&1
+}
+
+LOCATION=`existence gnunet-config`
+if test -z $LOCATION; then
+    LOCATION="gnunet-config"
+fi
+$LOCATION --version
+if test $? != 0
+then
+    echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+    exit 77
+fi
+
+trap "gnunet-arm -e -c test_gns_lookup.conf" SIGINT
+ME=`whoami`
+if [ "$ME" != "root" ]
+then
+  echo "This test only works if run as root.  Skipping."
+  exit 77
+fi
+export PATH=".:$PATH"
+gnunet-service-gns -c gns.conf &
+sleep 1
+LO=`nslookup alice.gnu | grep Address | tail -n1`
+if [ "$LO" != "Address: 1.2.3.4" ]
+then
+ echo "Fail: $LO"
+fi
+LO=`nslookup www.bob.gnu | grep Address | tail -n1`
+if [ "$LO" != "Address: 4.5.6.7" ]
+then
+  echo "Fail: $LO"
+fi
+# XXX: jobs. a builtin by bash, netbsd sh, maybe leave it be for now.
+kill `jobs -p`
diff --git a/src/cli/gns/zonefiles/188JSUMKEF25GVU8TTV0PBNNN8JVCPUEDFV1UHJJU884JD25V0T0.zkey b/src/cli/gns/zonefiles/188JSUMKEF25GVU8TTV0PBNNN8JVCPUEDFV1UHJJU884JD25V0T0.zkey
new file mode 100644
index 000000000..895946037
--- /dev/null
+++ b/src/cli/gns/zonefiles/188JSUMKEF25GVU8TTV0PBNNN8JVCPUEDFV1UHJJU884JD25V0T0.zkey
diff --git a/src/cli/gns/zonefiles/J7POEUT41A8PBFS7KVVDRF88GBOU4HK8PSU5QKVLVE3R9T91E99G.zkey b/src/cli/gns/zonefiles/J7POEUT41A8PBFS7KVVDRF88GBOU4HK8PSU5QKVLVE3R9T91E99G.zkey
new file mode 100644
index 000000000..3ef49f0ac
--- /dev/null
+++ b/src/cli/gns/zonefiles/J7POEUT41A8PBFS7KVVDRF88GBOU4HK8PSU5QKVLVE3R9T91E99G.zkey
diff --git a/src/cli/gns/zonefiles/OEFL7A4VEF1B40QLEMTG5D8G1CN6EN16QUSG5R2DT71GRJN34LSG.zkey b/src/cli/gns/zonefiles/OEFL7A4VEF1B40QLEMTG5D8G1CN6EN16QUSG5R2DT71GRJN34LSG.zkey
new file mode 100644
index 000000000..89e0b3a0a
--- /dev/null
+++ b/src/cli/gns/zonefiles/OEFL7A4VEF1B40QLEMTG5D8G1CN6EN16QUSG5R2DT71GRJN34LSG.zkey
diff --git a/src/cli/gns/zonefiles/test_zonekey b/src/cli/gns/zonefiles/test_zonekey
new file mode 100644
index 000000000..870c56315
--- /dev/null
+++ b/src/cli/gns/zonefiles/test_zonekey
diff --git a/src/cli/identity/.gitignore b/src/cli/identity/.gitignore
new file mode 100644
index 000000000..1c5862dbb
--- /dev/null
+++ b/src/cli/identity/.gitignore
@@ -0,0 +1 @@
+gnunet-identity
diff --git a/src/cli/identity/Makefile.am b/src/cli/identity/Makefile.am
new file mode 100644
index 000000000..68bcc7a41
--- /dev/null
+++ b/src/cli/identity/Makefile.am
@@ -0,0 +1,35 @@
+# This Makefile.am is in the public domain
+AM_CPPFLAGS = -I$(top_srcdir)/src/include
+
+plugindir = $(libdir)/gnunet
+
+if USE_COVERAGE
+  AM_CFLAGS = --coverage -O0
+  XLIB = -lgcov
+endif
+
+pkgcfgdir= $(pkgdatadir)/config.d/
+
+bin_PROGRAMS = \
+ gnunet-identity
+
+gnunet_identity_SOURCES = \
+ gnunet-identity.c
+gnunet_identity_LDADD = \
+  $(top_builddir)/src/service/identity/libgnunetidentity.la \
+  $(top_builddir)/src/service/statistics/libgnunetstatistics.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(GN_LIBINTL)
+
+check_SCRIPTS = \
+  test_identity_messages.sh
+
+# if ENABLE_TEST_RUN
+# AM_TESTS_ENVIRONMENT=export GNUNET_PREFIX=$${GNUNET_PREFIX:-@libdir@};export PATH=$${GNUNET_PREFIX:-@prefix@}/bin:$$PATH;unset XDG_DATA_HOME;unset XDG_CONFIG_HOME;
+# TESTS = $(check_PROGRAMS) $(check_SCRIPTS)
+# endif
+
+
+EXTRA_DIST = \
+  test_identity_messages.sh
+
diff --git a/src/cli/identity/gnunet-identity.c b/src/cli/identity/gnunet-identity.c
new file mode 100644
index 000000000..9fe4ccc51
--- /dev/null
+++ b/src/cli/identity/gnunet-identity.c
@@ -0,0 +1,624 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2013, 2018, 2019 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file identity/gnunet-identity.c
+ * @brief IDENTITY management command line tool
+ * @author Christian Grothoff
+ *
+ * Todo:
+ * - add options to get default egos
+ */
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include "gnunet_identity_service.h"
+
+
+/**
+ * Return value from main on timeout.
+ */
+#define TIMEOUT_STATUS_CODE 40
+
+/**
+ * Handle to IDENTITY service.
+ */
+static struct GNUNET_IDENTITY_Handle *sh;
+
+/**
+ * Was "list" specified?
+ */
+static int list;
+
+/**
+ * Was "monitor" specified?
+ */
+static int monitor;
+
+/**
+ * Was "private" specified?
+ */
+static int private_keys;
+
+/**
+ * Was "verbose" specified?
+ */
+static unsigned int verbose;
+
+/**
+ * Was "quiet" specified?
+ */
+static int quiet;
+
+/**
+ * Was "eddsa" specified?
+ */
+static int type_eddsa;
+
+/**
+ * -W option
+ */
+static char *write_msg;
+
+/**
+ * -R option
+ */
+static char *read_msg;
+
+/**
+ * -C option
+ */
+static char *create_ego;
+
+/**
+ * -D option
+ */
+static char *delete_ego;
+
+/**
+ * -P option
+ */
+static char *privkey_ego;
+
+/**
+ * -k option
+ */
+static char *pubkey_msg;
+
+/**
+ * -s option.
+ */
+static char *set_ego;
+
+/**
+ * Operation handle for set operation.
+ */
+static struct GNUNET_IDENTITY_Operation *set_op;
+
+/**
+ * Handle for create operation.
+ */
+static struct GNUNET_IDENTITY_Operation *create_op;
+
+/**
+ * Handle for delete operation.
+ */
+static struct GNUNET_IDENTITY_Operation *delete_op;
+
+/**
+ * Private key from command line option, or NULL.
+ */
+struct GNUNET_CRYPTO_PrivateKey pk;
+
+/**
+ * Value to return from #main().
+ */
+static int global_ret;
+
+
+/**
+ * Task run on shutdown.
+ *
+ * @param cls NULL
+ */
+static void
+shutdown_task (void *cls)
+{
+  if (NULL != set_op)
+  {
+    GNUNET_IDENTITY_cancel (set_op);
+    set_op = NULL;
+  }
+  if (NULL != create_op)
+  {
+    GNUNET_IDENTITY_cancel (create_op);
+    create_op = NULL;
+  }
+  if (NULL != delete_op)
+  {
+    GNUNET_IDENTITY_cancel (delete_op);
+    delete_op = NULL;
+  }
+  if (NULL != set_ego)
+  {
+    GNUNET_free (set_ego);
+    set_ego = NULL;
+  }
+  GNUNET_IDENTITY_disconnect (sh);
+  sh = NULL;
+}
+
+
+/**
+ * Test if we are finished yet.
+ */
+static void
+test_finished (void)
+{
+  if ( (NULL == create_op) &&
+       (NULL == delete_op) &&
+       (NULL == set_op) &&
+       (NULL == write_msg) &&
+       (NULL == read_msg) &&
+       (! list) &&
+       (! monitor))
+  {
+    if (TIMEOUT_STATUS_CODE == global_ret)
+      global_ret = 0;
+    GNUNET_SCHEDULER_shutdown ();
+  }
+}
+
+
+/**
+ * Deletion operation finished.
+ *
+ * @param cls pointer to operation handle
+ * @param ec the error code
+ */
+static void
+delete_finished (void *cls,
+                 enum GNUNET_ErrorCode ec)
+{
+  struct GNUNET_IDENTITY_Operation **op = cls;
+
+  *op = NULL;
+  if (GNUNET_EC_NONE != ec)
+    fprintf (stderr, "%s\n", GNUNET_ErrorCode_get_hint (ec));
+  test_finished ();
+}
+
+
+/**
+ * Creation operation finished.
+ *
+ * @param cls pointer to operation handle
+ * @param pk private key of the ego, or NULL on error
+ * @param ec the error code
+ */
+static void
+create_finished (void *cls,
+                 const struct GNUNET_CRYPTO_PrivateKey *pk,
+                 enum GNUNET_ErrorCode ec)
+{
+  struct GNUNET_IDENTITY_Operation **op = cls;
+
+  *op = NULL;
+  if (NULL == pk)
+  {
+    fprintf (stderr,
+             _ ("Failed to create ego: %s\n"),
+             GNUNET_ErrorCode_get_hint (ec));
+    global_ret = 1;
+  }
+  else if (verbose)
+  {
+    struct GNUNET_CRYPTO_PublicKey pub;
+    char *pubs;
+
+    GNUNET_CRYPTO_key_get_public (pk, &pub);
+    pubs = GNUNET_CRYPTO_public_key_to_string (&pub);
+    if (private_keys)
+    {
+      char *privs;
+
+      privs = GNUNET_CRYPTO_private_key_to_string (pk);
+      fprintf (stdout, "%s - %s\n", pubs, privs);
+      GNUNET_free (privs);
+    }
+    else
+    {
+      fprintf (stdout, "%s\n", pubs);
+    }
+    GNUNET_free (pubs);
+  }
+  test_finished ();
+}
+
+
+/**
+ * Encrypt a message given with -W, encrypted using public key of
+ * an identity given with -k.
+ */
+static void
+write_encrypted_message (void)
+{
+  struct GNUNET_CRYPTO_PublicKey recipient;
+  size_t ct_len = strlen (write_msg) + 1
+                  + GNUNET_CRYPTO_ENCRYPT_OVERHEAD_BYTES;
+  unsigned char ct[ct_len];
+  if (GNUNET_CRYPTO_public_key_from_string (pubkey_msg, &recipient) !=
+      GNUNET_SYSERR)
+  {
+    size_t msg_len = strlen (write_msg) + 1;
+    if (GNUNET_OK == GNUNET_CRYPTO_encrypt (write_msg,
+                                              msg_len,
+                                              &recipient,
+                                              ct, ct_len))
+    {
+      char *serialized_msg;
+      serialized_msg = GNUNET_STRINGS_data_to_string_alloc (ct, ct_len);
+      fprintf (stdout,
+               "%s\n",
+               serialized_msg);
+      GNUNET_free (serialized_msg);
+    }
+    else
+    {
+      fprintf (stderr, "Error during encryption.\n");
+      global_ret = 1;
+    }
+  }
+  else
+  {
+    fprintf (stderr, "Invalid recipient public key.\n");
+    global_ret = 1;
+  }
+}
+
+
+/**
+ * Decrypt a message given with -R, encrypted using public key of @c ego
+ * and ephemeral key given with -k.
+ *
+ * @param ego ego whose private key is used for decryption
+ */
+static void
+read_encrypted_message (struct GNUNET_IDENTITY_Ego *ego)
+{
+  char *deserialized_msg;
+  size_t msg_len;
+  if (GNUNET_OK == GNUNET_STRINGS_string_to_data_alloc (read_msg, strlen (
+                                                          read_msg),
+                                                        (void **) &
+                                                        deserialized_msg,
+                                                        &msg_len))
+  {
+    if (GNUNET_OK == GNUNET_CRYPTO_decrypt (deserialized_msg,
+                                              msg_len,
+                                              GNUNET_IDENTITY_ego_get_private_key (
+                                                ego),
+                                              deserialized_msg, msg_len))
+    {
+      deserialized_msg[msg_len - 1] = '\0';
+      fprintf (stdout,
+               "%s\n",
+               deserialized_msg);
+    }
+    else
+    {
+      fprintf (stderr, "Failed to decrypt message.\n");
+      global_ret = 1;
+    }
+    GNUNET_free (deserialized_msg);
+  }
+  else
+  {
+    fprintf (stderr, "Invalid message format.\n");
+    global_ret = 1;
+  }
+}
+
+
+/**
+ * If listing is enabled, prints information about the egos.
+ *
+ * This function is initially called for all egos and then again
+ * whenever a ego's identifier changes or if it is deleted.  At the
+ * end of the initial pass over all egos, the function is once called
+ * with 'NULL' for 'ego'. That does NOT mean that the callback won't
+ * be invoked in the future or that there was an error.
+ *
+ * When used with 'GNUNET_IDENTITY_create' or 'GNUNET_IDENTITY_get', this
+ * function is only called ONCE, and 'NULL' being passed in 'ego' does
+ * indicate an error (for example because name is taken or no default value is
+ * known).  If 'ego' is non-NULL and if '*ctx' is set in those callbacks, the
+ * value WILL be passed to a subsequent call to the identity callback of
+ * 'GNUNET_IDENTITY_connect' (if that one was not NULL).
+ *
+ * When an identity is renamed, this function is called with the
+ * (known) ego but the NEW identifier.
+ *
+ * When an identity is deleted, this function is called with the
+ * (known) ego and "NULL" for the 'identifier'.  In this case,
+ * the 'ego' is henceforth invalid (and the 'ctx' should also be
+ * cleaned up).
+ *
+ * @param cls closure
+ * @param ego ego handle
+ * @param ctx context for application to store data for this ego
+ *                 (during the lifetime of this process, initially NULL)
+ * @param identifier identifier assigned by the user for this ego,
+ *                   NULL if the user just deleted the ego and it
+ *                   must thus no longer be used
+ */
+static void
+print_ego (void *cls,
+           struct GNUNET_IDENTITY_Ego *ego,
+           void **ctx,
+           const char *identifier)
+{
+  struct GNUNET_CRYPTO_PublicKey pk;
+  char *s;
+  char *privs;
+
+  if ( (NULL == ego) &&
+       (NULL != set_ego) &&
+       (NULL != read_msg) )
+  {
+    fprintf (stderr,
+             "Ego `%s' is not known, cannot decrypt message.\n",
+             set_ego);
+    GNUNET_free (read_msg);
+    read_msg = NULL;
+    GNUNET_free (set_ego);
+    set_ego = NULL;
+  }
+  if ((NULL == ego) && (! monitor))
+  {
+    list = 0;
+    test_finished ();
+    return;
+  }
+  if (! (list | monitor) && (NULL == read_msg))
+    return;
+  if ( (NULL == ego) ||
+       (NULL == identifier) )
+    return;
+  if ( (NULL != set_ego) &&
+       (0 != strcmp (identifier,
+                     set_ego)) )
+    return;
+  GNUNET_IDENTITY_ego_get_public_key (ego, &pk);
+  s = GNUNET_CRYPTO_public_key_to_string (&pk);
+  privs = GNUNET_CRYPTO_private_key_to_string (
+    GNUNET_IDENTITY_ego_get_private_key (ego));
+  if ((NULL != read_msg) && (NULL != set_ego))
+  {
+    // due to the check above, set_ego and the identifier are equal
+    read_encrypted_message (ego);
+    GNUNET_free (read_msg);
+    read_msg = NULL;
+  }
+  else if ((monitor) || (NULL != identifier))
+  {
+    if (quiet)
+    {
+      if (private_keys)
+        fprintf (stdout, "%s - %s\n", s, privs);
+      else
+        fprintf (stdout, "%s\n", s);
+    }
+    else
+    {
+      if (private_keys)
+        fprintf (stdout, "%s - %s - %s - %s\n",
+                 identifier, s, privs,
+                 (ntohl (pk.type) == GNUNET_PUBLIC_KEY_TYPE_ECDSA) ?
+                 "ECDSA" : "EdDSA");
+      else
+        fprintf (stdout, "%s - %s - %s\n",
+                 identifier, s,
+                 (ntohl (pk.type) == GNUNET_PUBLIC_KEY_TYPE_ECDSA) ?
+                 "ECDSA" : "EdDSA");
+
+    }
+  }
+  GNUNET_free (privs);
+  GNUNET_free (s);
+}
+
+
+/**
+ * Main function that will be run by the scheduler.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param cfg configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  if ((NULL != read_msg) && (NULL == set_ego))
+  {
+    fprintf (stderr,
+             "Option -R requires options -e to be specified as well.\n");
+    return;
+  }
+
+  if ((NULL != write_msg) && (NULL == pubkey_msg))
+  {
+    fprintf (stderr, "Option -W requires option -k to be specified as well.\n");
+    return;
+  }
+  sh = GNUNET_IDENTITY_connect (cfg,
+                                (monitor | list) ||
+                                (NULL != set_ego)
+                                ? &print_ego
+                                : NULL,
+                                NULL);
+  if (NULL != write_msg)
+  {
+    write_encrypted_message ();
+    GNUNET_free (write_msg);
+    write_msg = NULL;
+  }
+  // read message is handled in ego callback (print_ego)
+  if (NULL != delete_ego)
+    delete_op =
+      GNUNET_IDENTITY_delete (sh,
+                              delete_ego,
+                              &delete_finished,
+                              &delete_op);
+  if (NULL != create_ego)
+  {
+    if (NULL != privkey_ego)
+    {
+      GNUNET_STRINGS_string_to_data (privkey_ego,
+                                     strlen (privkey_ego),
+                                     &pk,
+                                     sizeof(struct
+                                            GNUNET_CRYPTO_PrivateKey));
+      create_op =
+        GNUNET_IDENTITY_create (sh,
+                                create_ego,
+                                &pk,
+                                0, // Ignored
+                                &create_finished,
+                                &create_op);
+    }
+    else
+      create_op =
+        GNUNET_IDENTITY_create (sh,
+                                create_ego,
+                                NULL,
+                                (type_eddsa) ?
+                                GNUNET_PUBLIC_KEY_TYPE_EDDSA :
+                                GNUNET_PUBLIC_KEY_TYPE_ECDSA,
+                                &create_finished,
+                                &create_op);
+  }
+  GNUNET_SCHEDULER_add_shutdown (&shutdown_task,
+                                 NULL);
+  test_finished ();
+}
+
+
+/**
+ * The main function.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc, char *const *argv)
+{
+  struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_option_string ('C',
+                                 "create",
+                                 "NAME",
+                                 gettext_noop ("create ego NAME"),
+                                 &create_ego),
+    GNUNET_GETOPT_option_string ('D',
+                                 "delete",
+                                 "NAME",
+                                 gettext_noop ("delete ego NAME "),
+                                 &delete_ego),
+    GNUNET_GETOPT_option_string ('P',
+                                 "privkey",
+                                 "PRIVATE_KEY",
+                                 gettext_noop (
+                                   "set the private key for the identity to PRIVATE_KEY (use together with -C)"),
+                                 &privkey_ego),
+    GNUNET_GETOPT_option_string ('R',
+                                 "read",
+                                 "MESSAGE",
+                                 gettext_noop (
+                                   "Read and decrypt message encrypted for the given ego (use together with -e EGO)"),
+                                 &read_msg),
+    GNUNET_GETOPT_option_string ('W',
+                                 "write",
+                                 "MESSAGE",
+                                 gettext_noop (
+                                   "Encrypt and write message for recipient identity PULBIC_KEY, (use together with -k RECIPIENT_PUBLIC_KEY)"),
+                                 &write_msg),
+    GNUNET_GETOPT_option_flag ('X',
+                               "eddsa",
+                               gettext_noop (
+                                 "generate an EdDSA identity. (use together with -C) EXPERIMENTAL"),
+                               &type_eddsa),
+    GNUNET_GETOPT_option_flag ('d',
+                               "display",
+                               gettext_noop ("display all egos"),
+                               &list),
+    GNUNET_GETOPT_option_flag ('q',
+                               "quiet",
+                               gettext_noop ("reduce output"),
+                               &quiet),
+    GNUNET_GETOPT_option_string (
+      'e',
+      "ego",
+      "NAME",
+      gettext_noop (
+        "restrict results to NAME (use together with -d) or read and decrypt a message for NAME (use together with -R)"),
+      &set_ego),
+    GNUNET_GETOPT_option_string ('k',
+                                 "key",
+                                 "PUBLIC_KEY",
+                                 gettext_noop (
+                                   "The public key of the recipient (with -W)"),
+                                 &pubkey_msg),
+    GNUNET_GETOPT_option_flag ('m',
+                               "monitor",
+                               gettext_noop ("run in monitor mode egos"),
+                               &monitor),
+    GNUNET_GETOPT_option_flag ('p',
+                               "private-keys",
+                               gettext_noop ("display private keys as well"),
+                               &private_keys),
+    GNUNET_GETOPT_option_verbose (&verbose),
+    GNUNET_GETOPT_OPTION_END
+  };
+  int res;
+
+  if (GNUNET_OK !=
+      GNUNET_STRINGS_get_utf8_args (argc, argv,
+                                    &argc, &argv))
+    return 4;
+  global_ret = TIMEOUT_STATUS_CODE; /* timeout */
+  res = GNUNET_PROGRAM_run (argc,
+                            argv,
+                            "gnunet-identity",
+                            gettext_noop ("Maintain egos"),
+                            options,
+                            &run,
+                            NULL);
+  GNUNET_free_nz ((void *) argv);
+
+  if (GNUNET_OK != res)
+    return 3;
+  return global_ret;
+}
+
+
+/* end of gnunet-identity.c */
diff --git a/src/cli/identity/meson.build b/src/cli/identity/meson.build
new file mode 100644
index 000000000..958a4ccd5
--- /dev/null
+++ b/src/cli/identity/meson.build
@@ -0,0 +1,9 @@
+executable ('gnunet-identity',
+            ['gnunet-identity.c'],
+            dependencies: [libgnunetidentity_dep,
+                           libgnunetutil_dep,
+                           libgnunetstatistics_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+
diff --git a/src/cli/identity/test_identity_messages.sh b/src/cli/identity/test_identity_messages.sh
new file mode 100755
index 000000000..edb4d5805
--- /dev/null
+++ b/src/cli/identity/test_identity_messages.sh
@@ -0,0 +1,50 @@
+#!/bin/bash
+trap "gnunet-arm -e -c test_identity.conf" SIGINT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+  echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+  exit 77
+fi
+
+rm -rf `gnunet-config -c test_identity.conf -s PATHS -o GNUNET_HOME -f`
+
+which timeout >/dev/null 2>&1 && DO_TIMEOUT="timeout 30"
+
+TEST_MSG="This is a test message. 123"
+gnunet-arm -s -c test_identity.conf
+gnunet-identity -C recipientego -c test_identity.conf
+gnunet-identity -C recipientegoed -X -c test_identity.conf
+RECIPIENT_KEY=`gnunet-identity -d -e recipientego -q -c test_identity.conf`
+MSG_ENC=`gnunet-identity -W "$TEST_MSG" -k $RECIPIENT_KEY -c test_identity.conf`
+if [ $? == 0 ]
+then
+  MSG_DEC=`gnunet-identity -R "$MSG_ENC" -e recipientego -c test_identity.conf`
+fi
+RECIPIENT_KEY_ED=`gnunet-identity -d -e recipientegoed -q -c test_identity.conf`
+MSG_ENC_ED=`gnunet-identity -W "$TEST_MSG" -k $RECIPIENT_KEY_ED -c test_identity.conf`
+if [ $? == 0 ]
+then
+  MSG_DEC_ED=`gnunet-identity -R "$MSG_ENC_ED" -e recipientegoed -c test_identity.conf`
+fi
+gnunet-identity -D recipientego -c test_identity.conf
+gnunet-identity -D recipientegoed -c test_identity.conf
+gnunet-arm -e -c test_identity.conf
+if [ "$TEST_MSG" != "$MSG_DEC" ]
+then
+  diff  <(echo "$TEST_MSG" ) <(echo "$MSG_DEC")
+  echo "Failed - \"$TEST_MSG\" != \"$MSG_DEC\""
+  exit 1
+fi
+if [ "$TEST_MSG" != "$MSG_DEC_ED" ]
+then
+  diff  <(echo "$TEST_MSG" ) <(echo "$MSG_DEC_ED")
+  echo "Failed - \"$TEST_MSG\" != \"$MSG_DEC_ED\""
+  exit 1
+fi
diff --git a/src/cli/meson.build b/src/cli/meson.build
new file mode 100644
index 000000000..12662933d
--- /dev/null
+++ b/src/cli/meson.build
@@ -0,0 +1,20 @@
+subdir('util')
+subdir('arm')
+subdir('statistics')
+subdir('peerstore')
+subdir('datastore')
+subdir('nat')
+subdir('nat-auto')
+subdir('core')
+subdir('nse')
+subdir('dht')
+subdir('identity')
+subdir('namecache')
+subdir('namestore')
+subdir('cadet')
+subdir('revocation')
+subdir('vpn')
+subdir('gns')
+subdir('fs')
+subdir('reclaim')
+subdir('messenger')
diff --git a/src/cli/messenger/.gitignore b/src/cli/messenger/.gitignore
new file mode 100644
index 000000000..1c1447be8
--- /dev/null
+++ b/src/cli/messenger/.gitignore
@@ -0,0 +1 @@
+gnunet-messenger
diff --git a/src/cli/messenger/Makefile.am b/src/cli/messenger/Makefile.am
new file mode 100644
index 000000000..741e2b7b9
--- /dev/null
+++ b/src/cli/messenger/Makefile.am
@@ -0,0 +1,25 @@
+# This Makefile.am is in the public domain
+AM_CPPFLAGS = -I$(top_srcdir)/src/include
+
+if USE_COVERAGE
+  AM_CFLAGS = --coverage -O0
+  XLIB = -lgcov
+endif
+
+pkgcfgdir= $(pkgdatadir)/config.d/
+
+libexecdir= $(pkglibdir)/libexec/
+
+AM_CLFAGS = -g
+
+bin_PROGRAMS = \
+ gnunet-messenger
+
+gnunet_messenger_SOURCES = \
+ gnunet-messenger.c
+gnunet_messenger_LDADD = \
+ $(top_builddir)/src/service/messenger/libgnunetmessenger.la \
+ $(top_builddir)/src/service/identity/libgnunetidentity.la \
+ $(top_builddir)/src/lib/util/libgnunetutil.la
+gnunet_messenger_LDFLAGS = \
+  $(GN_LIBINTL)
diff --git a/src/cli/messenger/gnunet-messenger.c b/src/cli/messenger/gnunet-messenger.c
new file mode 100644
index 000000000..6bff0b25d
--- /dev/null
+++ b/src/cli/messenger/gnunet-messenger.c
@@ -0,0 +1,415 @@
+/*
+   This file is part of GNUnet.
+   Copyright (C) 2020--2024 GNUnet e.V.
+
+   GNUnet is free software: you can redistribute it and/or modify it
+   under the terms of the GNU Affero General Public License as published
+   by the Free Software Foundation, either version 3 of the License,
+   or (at your option) any later version.
+
+   GNUnet is distributed in the hope that it will be useful, but
+   WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Affero General Public License for more details.
+
+   You should have received a copy of the GNU Affero General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+   SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @author Tobias Frisch
+ * @file src/messenger/gnunet-messenger.c
+ * @brief Print information about messenger groups.
+ */
+
+#include <stdio.h>
+#include <unistd.h>
+
+#include "gnunet_identity_service.h"
+#include "gnunet_messenger_service.h"
+#include "gnunet_util_lib.h"
+
+const struct GNUNET_CONFIGURATION_Handle *config;
+struct GNUNET_MESSENGER_Handle *messenger;
+
+/**
+ * Function called whenever a message is received or sent.
+ *
+ * @param[in,out] cls Closure
+ * @param[in] room Room
+ * @param[in] sender Sender of message
+ * @param[in] message Message
+ * @param[in] hash Hash of message
+ * @param[in] flags Flags of message
+ */
+void
+on_message (void *cls,
+            struct GNUNET_MESSENGER_Room *room,
+            const struct GNUNET_MESSENGER_Contact *sender,
+            const struct GNUNET_MESSENGER_Contact *recipient,
+            const struct GNUNET_MESSENGER_Message *message,
+            const struct GNUNET_HashCode *hash,
+            enum GNUNET_MESSENGER_MessageFlags flags)
+{
+  const char *sender_name = GNUNET_MESSENGER_contact_get_name (sender);
+  const char *recipient_name = GNUNET_MESSENGER_contact_get_name (recipient);
+
+  if (! sender_name)
+    sender_name = "anonymous";
+
+  if (! recipient_name)
+    recipient_name = "anonymous";
+
+  printf ("[%s ->", GNUNET_h2s (&(message->header.previous)));
+  printf (" %s]", GNUNET_h2s (hash));
+  printf ("[%s] ", GNUNET_sh2s (&(message->header.sender_id)));
+
+  if (flags & GNUNET_MESSENGER_FLAG_PRIVATE)
+    printf ("*( '%s' ) ", recipient_name);
+
+  switch (message->header.kind)
+  {
+  case GNUNET_MESSENGER_KIND_JOIN:
+    {
+      printf ("* '%s' joined the room!\n", sender_name);
+      break;
+    }
+  case GNUNET_MESSENGER_KIND_NAME:
+    {
+      printf ("* '%s' gets renamed to '%s'\n", sender_name,
+              message->body.name.name);
+      break;
+    }
+  case GNUNET_MESSENGER_KIND_LEAVE:
+    {
+      printf ("* '%s' leaves the room!\n", sender_name);
+      break;
+    }
+  case GNUNET_MESSENGER_KIND_PEER:
+    {
+      printf ("* '%s' opened the room on: %s\n", sender_name,
+              GNUNET_i2s_full (&(message->body.peer.peer)));
+      break;
+    }
+  case GNUNET_MESSENGER_KIND_TEXT:
+    {
+      if (flags & GNUNET_MESSENGER_FLAG_SENT)
+        printf (">");
+      else
+        printf ("<");
+
+      printf (" '%s' says: \"%s\"\n", sender_name, message->body.text.text);
+      break;
+    }
+  default:
+    {
+      printf ("~ message: %s\n",
+              GNUNET_MESSENGER_name_of_kind (message->header.kind));
+      break;
+    }
+  }
+
+  if ((GNUNET_MESSENGER_KIND_JOIN == message->header.kind) &&
+      (flags & GNUNET_MESSENGER_FLAG_SENT))
+  {
+    const char *name = GNUNET_MESSENGER_get_name (messenger);
+
+    if (! name)
+      return;
+
+    struct GNUNET_MESSENGER_Message response;
+    response.header.kind = GNUNET_MESSENGER_KIND_NAME;
+    response.body.name.name = GNUNET_strdup (name);
+
+    GNUNET_MESSENGER_send_message (room, &response, NULL);
+
+    GNUNET_free (response.body.name.name);
+  }
+}
+
+
+struct GNUNET_SCHEDULER_Task *read_task;
+struct GNUNET_IDENTITY_EgoLookup *ego_lookup;
+
+/**
+ * Task to shut down this application.
+ *
+ * @param[in,out] cls Closure
+ */
+static void
+shutdown_hook (void *cls)
+{
+  struct GNUNET_MESSENGER_Room *room = cls;
+
+  if (read_task)
+    GNUNET_SCHEDULER_cancel (read_task);
+
+  if (room)
+    GNUNET_MESSENGER_close_room (room);
+
+  if (messenger)
+    GNUNET_MESSENGER_disconnect (messenger);
+
+  if (ego_lookup)
+    GNUNET_IDENTITY_ego_lookup_cancel (ego_lookup);
+}
+
+
+static void
+listen_stdio (void *cls);
+
+#define MAX_BUFFER_SIZE 60000
+
+static int
+iterate_send_private_message (void *cls,
+                              struct GNUNET_MESSENGER_Room *room,
+                              const struct GNUNET_MESSENGER_Contact *contact)
+{
+  struct GNUNET_MESSENGER_Message *message = cls;
+
+  if (GNUNET_MESSENGER_contact_get_key (contact))
+    GNUNET_MESSENGER_send_message (room, message, contact);
+
+  return GNUNET_YES;
+}
+
+
+int private_mode;
+
+/**
+ * Task run in stdio mode, after some data is available at stdin.
+ *
+ * @param[in,out] cls Closure
+ */
+static void
+read_stdio (void *cls)
+{
+  read_task = NULL;
+
+  char buffer[MAX_BUFFER_SIZE];
+  ssize_t length;
+
+  length = read (0, buffer, MAX_BUFFER_SIZE);
+
+  if ((length <= 0) || (length >= MAX_BUFFER_SIZE))
+  {
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+
+  if (buffer[length - 1] == '\n')
+    buffer[length - 1] = '\0';
+  else
+    buffer[length] = '\0';
+
+  struct GNUNET_MESSENGER_Room *room = cls;
+
+  struct GNUNET_MESSENGER_Message message;
+  message.header.kind = GNUNET_MESSENGER_KIND_TEXT;
+  message.body.text.text = buffer;
+
+  if (GNUNET_YES == private_mode)
+    GNUNET_MESSENGER_iterate_members (room, iterate_send_private_message,
+                                      &message);
+  else
+    GNUNET_MESSENGER_send_message (room, &message, NULL);
+
+  read_task = GNUNET_SCHEDULER_add_now (listen_stdio, cls);
+}
+
+
+/**
+ * Wait for input on STDIO and send it out over the #ch.
+ *
+ * @param[in,out] cls Closure
+ */
+static void
+listen_stdio (void *cls)
+{
+  read_task = NULL;
+
+  struct GNUNET_NETWORK_FDSet *rs = GNUNET_NETWORK_fdset_create ();
+
+  GNUNET_NETWORK_fdset_set_native (rs, 0);
+
+  read_task = GNUNET_SCHEDULER_add_select (GNUNET_SCHEDULER_PRIORITY_DEFAULT,
+                                           GNUNET_TIME_UNIT_FOREVER_REL, rs,
+                                           NULL, &read_stdio, cls);
+
+  GNUNET_NETWORK_fdset_destroy (rs);
+}
+
+
+/**
+ * Initial task to startup application.
+ *
+ * @param[in,out] cls Closure
+ */
+static void
+idle (void *cls)
+{
+  struct GNUNET_MESSENGER_Room *room = cls;
+
+  printf ("* You joined the room.\n");
+
+  read_task = GNUNET_SCHEDULER_add_now (listen_stdio, room);
+}
+
+
+char *door_id;
+char *ego_name;
+char *room_key;
+
+struct GNUNET_SCHEDULER_Task *shutdown_task;
+
+/**
+ * Function called when an identity is retrieved.
+ *
+ * @param[in,out] cls Closure
+ * @param[in,out] handle Handle of messenger service
+ */
+static void
+on_identity (void *cls,
+             struct GNUNET_MESSENGER_Handle *handle)
+{
+  struct GNUNET_HashCode key;
+  memset (&key, 0, sizeof(key));
+
+  if (room_key)
+    GNUNET_CRYPTO_hash (room_key, strlen (room_key), &key);
+
+  struct GNUNET_PeerIdentity door_peer;
+  struct GNUNET_PeerIdentity *door = NULL;
+
+  if ((door_id) &&
+      (GNUNET_OK == GNUNET_CRYPTO_eddsa_public_key_from_string (door_id,
+                                                                strlen (
+                                                                  door_id),
+                                                                &(door_peer.
+                                                                  public_key))))
+    door = &door_peer;
+
+  const char *name = GNUNET_MESSENGER_get_name (handle);
+
+  if (! name)
+    name = "anonymous";
+
+  printf ("* Welcome to the messenger, '%s'!\n", name);
+
+  struct GNUNET_MESSENGER_Room *room;
+
+  if (door)
+  {
+    printf ("* You try to entry a room...\n");
+
+    room = GNUNET_MESSENGER_enter_room (messenger, door, &key);
+  }
+  else
+  {
+    printf ("* You try to open a room...\n");
+
+    room = GNUNET_MESSENGER_open_room (messenger, &key);
+  }
+
+  GNUNET_SCHEDULER_cancel (shutdown_task);
+
+  shutdown_task = GNUNET_SCHEDULER_add_shutdown (shutdown_hook, room);
+
+  if (! room)
+    GNUNET_SCHEDULER_shutdown ();
+  else
+  {
+    GNUNET_SCHEDULER_add_delayed_with_priority (
+      GNUNET_TIME_relative_get_zero_ (),
+      GNUNET_SCHEDULER_PRIORITY_IDLE,
+      idle, room);
+  }
+}
+
+
+static void
+on_ego_lookup (void *cls,
+               struct GNUNET_IDENTITY_Ego *ego)
+{
+  ego_lookup = NULL;
+
+  const struct GNUNET_CRYPTO_PrivateKey *key;
+  key = ego ? GNUNET_IDENTITY_ego_get_private_key (ego) : NULL;
+
+  messenger = GNUNET_MESSENGER_connect (config, ego_name, key, &on_message,
+                                        NULL);
+
+  on_identity (NULL, messenger);
+}
+
+
+/**
+ * Main function that will be run by the scheduler.
+ *
+ * @param[in/out] cls closure
+ * @param[in] args remaining command-line arguments
+ * @param[in] cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param[in] cfg configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  config = cfg;
+
+  if (ego_name)
+  {
+    ego_lookup = GNUNET_IDENTITY_ego_lookup (cfg, ego_name, &on_ego_lookup,
+                                             NULL);
+    messenger = NULL;
+  }
+  else
+  {
+    ego_lookup = NULL;
+    messenger = GNUNET_MESSENGER_connect (cfg, NULL, NULL, &on_message, NULL);
+  }
+
+  shutdown_task = GNUNET_SCHEDULER_add_shutdown (shutdown_hook, NULL);
+
+  if (messenger)
+    on_identity (NULL, messenger);
+}
+
+
+/**
+ * The main function to obtain messenger information.
+ *
+ * @param[in] argc number of arguments from the command line
+ * @param[in] argv command line arguments
+ * @return #EXIT_SUCCESS ok, #EXIT_FAILURE on error
+ */
+int
+main (int argc,
+      char **argv)
+{
+  const char *description =
+    "Open and connect to rooms using the MESSENGER to chat.";
+
+  struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_option_string ('d', "door", "PEERIDENTITY",
+                                 "peer identity to entry into the room",
+                                 &door_id),
+    GNUNET_GETOPT_option_string ('e', "ego", "IDENTITY",
+                                 "identity to use for messaging",
+                                 &ego_name),
+    GNUNET_GETOPT_option_string ('r', "room", "ROOMKEY",
+                                 "key of the room to connect to",
+                                 &room_key),
+    GNUNET_GETOPT_option_flag ('p', "private", "flag to enable private mode",
+                               &private_mode),
+    GNUNET_GETOPT_OPTION_END
+  };
+
+  return (GNUNET_OK == GNUNET_PROGRAM_run (argc, argv, "gnunet-messenger\0",
+                                           gettext_noop (description), options,
+                                           &run,
+                                           NULL) ? EXIT_SUCCESS : EXIT_FAILURE);
+}
diff --git a/src/cli/messenger/meson.build b/src/cli/messenger/meson.build
new file mode 100644
index 000000000..3a3870c9d
--- /dev/null
+++ b/src/cli/messenger/meson.build
@@ -0,0 +1,9 @@
+executable ('gnunet-messenger',
+            'gnunet-messenger.c',
+            dependencies: [libgnunetmessenger_dep,
+                           libgnunetidentity_dep,
+                           libgnunetutil_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+
diff --git a/src/cli/namecache/.gitignore b/src/cli/namecache/.gitignore
new file mode 100644
index 000000000..54aa17e9f
--- /dev/null
+++ b/src/cli/namecache/.gitignore
@@ -0,0 +1 @@
+gnunet-namecache
diff --git a/src/cli/namecache/Makefile.am b/src/cli/namecache/Makefile.am
new file mode 100644
index 000000000..48ee216be
--- /dev/null
+++ b/src/cli/namecache/Makefile.am
@@ -0,0 +1,20 @@
+# This Makefile.am is in the public domain
+AM_CPPFLAGS = -I$(top_srcdir)/src/include $(POSTGRESQL_CPPFLAGS)
+
+plugindir = $(libdir)/gnunet
+
+pkgcfgdir= $(pkgdatadir)/config.d/
+
+libexecdir= $(pkglibdir)/libexec/
+
+bin_PROGRAMS = \
+ gnunet-namecache
+
+gnunet_namecache_SOURCES = \
+ gnunet-namecache.c
+gnunet_namecache_LDADD = \
+  $(top_builddir)/src/lib/gnsrecord/libgnunetgnsrecord.la \
+  $(top_builddir)/src/service/identity/libgnunetidentity.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(top_builddir)/src/service/namecache/libgnunetnamecache.la \
+  $(GN_LIBINTL)
diff --git a/src/cli/namecache/gnunet-namecache.c b/src/cli/namecache/gnunet-namecache.c
new file mode 100644
index 000000000..0236609aa
--- /dev/null
+++ b/src/cli/namecache/gnunet-namecache.c
@@ -0,0 +1,245 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2012, 2013 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file gnunet-namecache.c
+ * @brief command line tool to inspect the name cache
+ * @author Christian Grothoff
+ *
+ * TODO:
+ * - test
+ */
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include "gnunet_identity_service.h"
+#include "gnunet_gnsrecord_lib.h"
+#include "gnunet_namecache_service.h"
+
+
+/**
+ * Handle to the namecache.
+ */
+static struct GNUNET_NAMECACHE_Handle *ns;
+
+/**
+ * Queue entry for the 'query' operation.
+ */
+static struct GNUNET_NAMECACHE_QueueEntry *qe;
+
+/**
+ * Name (label) of the records to list.
+ */
+static char *name;
+
+/**
+ * Public key of the zone to look in.
+ */
+static struct GNUNET_CRYPTO_PublicKey pubkey;
+
+/**
+ * Public key of the zone to look in, in ASCII.
+ */
+static char *pkey;
+
+/**
+ * Global return value
+ */
+static int ret;
+
+
+/**
+ * Task run on shutdown.  Cleans up everything.
+ *
+ * @param cls unused
+ */
+static void
+do_shutdown (void *cls)
+{
+  if (NULL != qe)
+  {
+    GNUNET_NAMECACHE_cancel (qe);
+    qe = NULL;
+  }
+  if (NULL != ns)
+  {
+    GNUNET_NAMECACHE_disconnect (ns);
+    ns = NULL;
+  }
+}
+
+
+/**
+ * Process a record that was stored in the namecache in a block.
+ *
+ * @param cls closure, NULL
+ * @param rd_len number of entries in @a rd array
+ * @param rd array of records with data to store
+ */
+static void
+display_records_from_block (void *cls,
+                            unsigned int rd_len,
+                            const struct GNUNET_GNSRECORD_Data *rd)
+{
+  const char *typestring;
+  char *s;
+  unsigned int i;
+
+  if (0 == rd_len)
+  {
+    fprintf (stdout, _ ("No records found for `%s'"), name);
+    return;
+  }
+  fprintf (stdout, "%s:\n", name);
+  for (i = 0; i < rd_len; i++)
+  {
+    typestring = GNUNET_GNSRECORD_number_to_typename (rd[i].record_type);
+    s = GNUNET_GNSRECORD_value_to_string (rd[i].record_type,
+                                          rd[i].data,
+                                          rd[i].data_size);
+    if (NULL == s)
+    {
+      fprintf (stdout,
+               _ ("\tCorrupt or unsupported record of type %u\n"),
+               (unsigned int) rd[i].record_type);
+      continue;
+    }
+    fprintf (stdout, "\t%s: %s\n", typestring, s);
+    GNUNET_free (s);
+  }
+  fprintf (stdout, "%s", "\n");
+}
+
+
+/**
+ * Display block obtained from listing (by name).
+ *
+ * @param cls NULL
+ * @param block NULL if not found
+ */
+static void
+handle_block (void *cls, const struct GNUNET_GNSRECORD_Block *block)
+{
+  qe = NULL;
+  if (NULL == block)
+  {
+    fprintf (stderr, "No matching block found\n");
+  }
+  else if (GNUNET_OK !=
+           GNUNET_GNSRECORD_block_decrypt (block,
+                                           &pubkey,
+                                           name,
+                                           &display_records_from_block,
+                                           NULL))
+  {
+    fprintf (stderr, "Failed to decrypt block!\n");
+  }
+  GNUNET_SCHEDULER_shutdown ();
+}
+
+
+/**
+ * Main function that will be run.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param cfg configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  struct GNUNET_HashCode dhash;
+
+  if (NULL == pkey)
+  {
+    fprintf (stderr, _ ("You must specify which zone should be accessed\n"));
+    return;
+  }
+
+  if (GNUNET_OK !=
+      GNUNET_CRYPTO_public_key_from_string (pkey, &pubkey))
+  {
+    fprintf (stderr, _ ("Invalid public key for zone `%s'\n"), pkey);
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  if (NULL == name)
+  {
+    fprintf (stderr, _ ("You must specify a name\n"));
+    return;
+  }
+
+  GNUNET_SCHEDULER_add_shutdown (&do_shutdown, NULL);
+  ns = GNUNET_NAMECACHE_connect (cfg);
+  GNUNET_GNSRECORD_query_from_public_key (&pubkey, name, &dhash);
+  qe = GNUNET_NAMECACHE_lookup_block (ns, &dhash, &handle_block, NULL);
+}
+
+
+/**
+ * The main function for gnunet-namecache.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc, char *const *argv)
+{
+  struct GNUNET_GETOPT_CommandLineOption options[] =
+  { GNUNET_GETOPT_option_string ('n',
+                                 "name",
+                                 "NAME",
+                                 gettext_noop (
+                                   "name of the record to add/delete/display"),
+                                 &name),
+
+    GNUNET_GETOPT_option_string (
+      'z',
+      "zone",
+      "PKEY",
+      gettext_noop ("specifies the public key of the zone to look in"),
+      &pkey),
+
+    GNUNET_GETOPT_OPTION_END };
+
+  if (GNUNET_OK != GNUNET_STRINGS_get_utf8_args (argc, argv, &argc, &argv))
+    return 2;
+
+  GNUNET_log_setup ("gnunet-namecache", "WARNING", NULL);
+  if (GNUNET_OK != GNUNET_PROGRAM_run (argc,
+                                       argv,
+                                       "gnunet-namecache",
+                                       _ ("GNUnet zone manipulation tool"),
+                                       options,
+                                       &run,
+                                       NULL))
+  {
+    GNUNET_free_nz ((void *) argv);
+    return 1;
+  }
+  GNUNET_free_nz ((void *) argv);
+  return ret;
+}
+
+
+/* end of gnunet-namecache.c */
diff --git a/src/cli/namecache/meson.build b/src/cli/namecache/meson.build
new file mode 100644
index 000000000..99ed68bca
--- /dev/null
+++ b/src/cli/namecache/meson.build
@@ -0,0 +1,10 @@
+executable ('gnunet-namecache',
+            gnunetnamecache_src,
+            dependencies: [libgnunetnamecache_dep,
+                           libgnunetutil_dep,
+                           libgnunetgnsrecord_dep,
+                           libgnunetidentity_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+
diff --git a/src/cli/namestore/.gitignore b/src/cli/namestore/.gitignore
new file mode 100644
index 000000000..3c0282e8c
--- /dev/null
+++ b/src/cli/namestore/.gitignore
@@ -0,0 +1,6 @@
+gnunet-namestore
+gnunet-namestore-dbtool
+gnunet-namestore-zonefile
+gnunet-namestore-fcfsd
+gnunet-zoneimport
+
diff --git a/src/cli/namestore/Makefile.am b/src/cli/namestore/Makefile.am
new file mode 100644
index 000000000..b666c8851
--- /dev/null
+++ b/src/cli/namestore/Makefile.am
@@ -0,0 +1,70 @@
+# This Makefile.am is in the public domain
+AM_CPPFLAGS = -I$(top_srcdir)/src/include $(POSTGRESQL_CPPFLAGS)
+
+plugindir = $(libdir)/gnunet
+
+pkgcfgdir= $(pkgdatadir)/config.d/
+
+libexecdir= $(pkglibdir)/libexec/
+
+sqldir = $(prefix)/share/gnunet/sql/
+
+if USE_COVERAGE
+  AM_CFLAGS = --coverage -O0
+  XLIBS = -lgcov
+endif
+
+
+bin_PROGRAMS = \
+ gnunet-namestore \
+ gnunet-namestore-dbtool \
+ gnunet-namestore-zonefile \
+ gnunet-zoneimport
+
+gnunet_namestore_zonefile_SOURCES = \
+ gnunet-namestore-zonefile.c
+gnunet_namestore_zonefile_LDADD = \
+  $(top_builddir)/src/service/namestore/libgnunetnamestore.la \
+  $(top_builddir)/src/service/identity/libgnunetidentity.la \
+  $(top_builddir)/src/lib/gnsrecord/libgnunetgnsrecord.la  \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(GN_LIBINTL)
+
+gnunet_zoneimport_SOURCES = \
+ gnunet-zoneimport.c
+gnunet_zoneimport_LDADD = \
+  $(top_builddir)/src/service/namestore/libgnunetnamestore.la \
+  $(top_builddir)/src/service/statistics/libgnunetstatistics.la \
+  $(top_builddir)/src/service/identity/libgnunetidentity.la \
+  $(top_builddir)/src/lib/gnsrecord/libgnunetgnsrecord.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(GN_LIBINTL)
+
+gnunet_namestore_SOURCES = \
+ gnunet-namestore.c
+gnunet_namestore_LDADD = \
+  $(top_builddir)/src/service/identity/libgnunetidentity.la \
+  $(top_builddir)/src/lib/gnsrecord/libgnunetgnsrecord.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(top_builddir)/src/service/namestore/libgnunetnamestore.la \
+  $(GN_LIBINTL)
+
+gnunet_namestore_dbtool_SOURCES = \
+ gnunet-namestore-dbtool.c
+gnunet_namestore_dbtool_LDADD = \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(top_builddir)/src/service/namestore/libgnunetnamestore.la \
+  $(GN_LIBINTL)
+
+
+
+check_SCRIPTS = \
+  test_namestore_put.sh \
+  test_namestore_put_stdin.sh \
+  test_namestore_lookup.sh \
+  test_namestore_delete.sh \
+  test_namestore_zonefile_import.sh
+
+EXTRA_DIST = \
+  example_zonefile \
+  $(check_SCRIPTS)
diff --git a/src/cli/namestore/example_zonefile b/src/cli/namestore/example_zonefile
new file mode 100644
index 000000000..5e380ff90
--- /dev/null
+++ b/src/cli/namestore/example_zonefile
@@ -0,0 +1,27 @@
+$ORIGIN example.com.     ; designates the start of this zone file in the namespace
+$TTL 3600                ; default expiration time (in seconds) of all RRs without their own TTL value
+example.com.    IN  SOA   ns.example.com. username.example.com. ( 2020091025 ; A comment
+                                                                  7200 ; Comment
+                                                                 ; empty line on purpose
+                                                                  3600
+                                                                  1209600
+                                                                  3600 )
+example.com.    IN  NS    ns                    ; ns.example.com is a nameserver for example.com
+example.com.    IN  NS    ns.somewhere.example. ; ns.somewhere.example is a backup nameserver for example.com
+example.com.    IN  MX    10 mail.example.com.  ; mail.example.com is the mailserver for example.com
+@               IN  MX    20 mail2.example.com. ; equivalent to above line, "@" represents zone origin
+@               IN  MX    50 mail3              ; equivalent to above line, but using a relative host name
+b.example.com.  IN  A     192.0.2.1             ; IPv4 address for example.com
+                IN  AAAA  2001:db8:10::1        ; IPv6 address for example.com
+ns              IN  A     192.0.2.2             ; IPv4 address for ns.example.com
+                IN  AAAA  2001:db8:10::2        ; IPv6 address for ns.example.com
+www             IN  CNAME example.com.          ; www.example.com is an alias for example.com
+wwwtest         IN  CNAME www                   ; wwwtest.example.com is another alias for www.example.com
+mail            IN  A     192.0.2.3             ; IPv4 address for mail.example.com
+mail2           IN  A     192.0.2.4             ; IPv4 address for mail2.example.com
+mail3           IN  A     192.0.2.5             ; IPv4 address for mail3.example.com
+
+mail3           IN  TXT   "This is ; quoted"    ; A quoted comment separator
+$ORIGIN example.de.
+www2            IN  A     192.0.2.7             ; IPv4 address for www2.example.de
+
diff --git a/src/cli/namestore/gnunet-namestore-dbtool.c b/src/cli/namestore/gnunet-namestore-dbtool.c
new file mode 100644
index 000000000..835d7a228
--- /dev/null
+++ b/src/cli/namestore/gnunet-namestore-dbtool.c
@@ -0,0 +1,199 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2012, 2013, 2014, 2019, 2022 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file gnunet-namestore-dbtool.c
+ * @brief command line tool to manipulate the database backends for the namestore
+ * @author Martin Schanzenbach
+ *
+ */
+#include "platform.h"
+#include <gnunet_util_lib.h>
+#include <gnunet_namestore_plugin.h>
+
+/**
+ * Name of the plugin argument
+ */
+static char *pluginname;
+
+/**
+ * Reset argument
+ */
+static int reset;
+
+/**
+ * Initialize argument
+ */
+static int init;
+
+/**
+ * Return code
+ */
+static int ret = 0;
+
+/**
+ * Task run on shutdown.  Cleans up everything.
+ *
+ * @param cls unused
+ */
+static void
+do_shutdown (void *cls)
+{
+  (void) cls;
+  if (NULL != pluginname)
+    GNUNET_free (pluginname);
+}
+
+
+/**
+ * Main function that will be run.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param cfg configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  char *db_lib_name;
+  struct GNUNET_NAMESTORE_PluginFunctions *plugin;
+
+  (void) cls;
+  (void) args;
+  (void) cfgfile;
+  if (NULL != args[0])
+    GNUNET_log (
+      GNUNET_ERROR_TYPE_WARNING,
+      _ ("Superfluous command line arguments (starting with `%s') ignored\n"),
+      args[0]);
+
+  GNUNET_SCHEDULER_add_shutdown (&do_shutdown,
+                                 (void *) cfg);
+  if (NULL == pluginname)
+  {
+    fprintf (stderr, "No plugin given!\n");
+    ret = 1;
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  GNUNET_asprintf (&db_lib_name,
+                   "libgnunet_plugin_namestore_%s",
+                   pluginname);
+  plugin = GNUNET_PLUGIN_load (db_lib_name, (void *) cfg);
+  if (NULL == plugin)
+  {
+    fprintf (stderr,
+             "Failed to load %s!\n",
+             db_lib_name);
+    ret = 1;
+    GNUNET_SCHEDULER_shutdown ();
+    GNUNET_free (db_lib_name);
+    return;
+  }
+  if (reset)
+  {
+    if (GNUNET_OK !=
+        plugin->drop_tables (plugin->cls))
+    {
+      fprintf (stderr,
+               "Failed to reset database\n");
+      ret = 1;
+      GNUNET_free (db_lib_name);
+      GNUNET_SCHEDULER_shutdown ();
+      return;
+    }
+  }
+  if (init || reset)
+  {
+    if (GNUNET_OK !=
+        plugin->create_tables (plugin->cls))
+    {
+      fprintf (stderr,
+               "Failed to initialize database\n");
+      ret = 1;
+      GNUNET_free (db_lib_name);
+      GNUNET_SCHEDULER_shutdown ();
+      return;
+    }
+  }
+  GNUNET_SCHEDULER_shutdown ();
+  GNUNET_break (NULL == GNUNET_PLUGIN_unload (db_lib_name,
+                                              plugin));
+  GNUNET_free (db_lib_name);
+}
+
+
+/**
+ * The main function for gnunet-namestore-dbtool.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc, char *const *argv)
+{
+  struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_option_flag ('i', "init",
+                               gettext_noop ("initialize database"),
+                               &init),
+    GNUNET_GETOPT_option_flag ('r',
+                               "reset",
+                               gettext_noop (
+                                 "reset database (DANGEROUS: All existing data is lost!"),
+                               &reset),
+    GNUNET_GETOPT_option_string (
+      'p',
+      "plugin",
+      "PLUGIN",
+      gettext_noop (
+        "the namestore plugin to work with, e.g. 'sqlite'"),
+      &pluginname),
+    GNUNET_GETOPT_OPTION_END
+  };
+  int lret;
+
+  if (GNUNET_OK !=
+      GNUNET_STRINGS_get_utf8_args (argc, argv,
+                                    &argc, &argv))
+    return 2;
+
+  GNUNET_log_setup ("gnunet-namestore-dbtool",
+                    "WARNING",
+                    NULL);
+  if (GNUNET_OK !=
+      (lret = GNUNET_PROGRAM_run (argc,
+                                  argv,
+                                  "gnunet-namestore-dbtool",
+                                  _ (
+                                    "GNUnet namestore database manipulation tool"),
+                                  options,
+                                  &run,
+                                  NULL)))
+  {
+    GNUNET_free_nz ((void *) argv);
+    return lret;
+  }
+  GNUNET_free_nz ((void *) argv);
+  return ret;
+}
diff --git a/src/cli/namestore/gnunet-namestore-zonefile.c b/src/cli/namestore/gnunet-namestore-zonefile.c
new file mode 100644
index 000000000..d43e88006
--- /dev/null
+++ b/src/cli/namestore/gnunet-namestore-zonefile.c
@@ -0,0 +1,729 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2012, 2013, 2014, 2019, 2022 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file gnunet-namestore-dbtool.c
+ * @brief command line tool to manipulate the database backends for the namestore
+ * @author Martin Schanzenbach
+ *
+ */
+#include "platform.h"
+#include <gnunet_util_lib.h>
+#include <gnunet_namestore_plugin.h>
+
+#define MAX_RECORDS_PER_NAME 50
+
+/**
+ * Maximum length of a zonefile line
+ */
+#define MAX_ZONEFILE_LINE_LEN 4096
+
+/**
+ * FIXME: Soft limit this?
+ */
+#define MAX_ZONEFILE_RECORD_DATA_LEN 2048
+
+/**
+ * The record data under a single label. Reused.
+ * Hard limit.
+ */
+static struct GNUNET_GNSRECORD_Data rd[MAX_RECORDS_PER_NAME];
+
+/**
+ * Current record $TTL to use
+ */
+static struct GNUNET_TIME_Relative ttl;
+
+/**
+ * Current origin
+ */
+static char origin[GNUNET_DNSPARSER_MAX_NAME_LENGTH];
+
+/**
+ * Number of records for currently parsed set
+ */
+static unsigned int rd_count = 0;
+
+/**
+ * Return code
+ */
+static int ret = 0;
+
+/**
+ * Name of the ego
+ */
+static char *ego_name = NULL;
+
+/**
+ * Currently read line or NULL on EOF
+ */
+static char *res;
+
+/**
+ * Statistics, how many published record sets
+ */
+static unsigned int published_sets = 0;
+
+/**
+ * Statistics, how many records published in aggregate
+ */
+static unsigned int published_records = 0;
+
+
+/**
+ * Handle to identity lookup.
+ */
+static struct GNUNET_IDENTITY_EgoLookup *el;
+
+/**
+ * Private key for the our zone.
+ */
+static struct GNUNET_CRYPTO_PrivateKey zone_pkey;
+
+/**
+ * Queue entry for the 'add' operation.
+ */
+static struct GNUNET_NAMESTORE_QueueEntry *ns_qe;
+
+/**
+ * Handle to the namestore.
+ */
+static struct GNUNET_NAMESTORE_Handle *ns;
+
+/**
+ * Origin create operations
+ */
+static struct GNUNET_IDENTITY_Operation *id_op;
+
+/**
+ * Handle to IDENTITY
+ */
+static struct GNUNET_IDENTITY_Handle *id;
+
+/**
+ * Current configurataion
+ */
+static const struct GNUNET_CONFIGURATION_Handle *cfg;
+
+/**
+ * Scheduled parse task
+ */
+static struct GNUNET_SCHEDULER_Task *parse_task;
+
+/**
+ * The current state of the parser
+ */
+static int state;
+
+enum ZonefileImportState
+{
+
+  /* Uninitialized */
+  ZS_READY,
+
+  /* The initial state */
+  ZS_ORIGIN_SET,
+
+  /* The $ORIGIN has changed */
+  ZS_ORIGIN_CHANGED,
+
+  /* The record name/label has changed */
+  ZS_NAME_CHANGED
+
+};
+
+
+
+/**
+ * Task run on shutdown.  Cleans up everything.
+ *
+ * @param cls unused
+ */
+static void
+do_shutdown (void *cls)
+{
+  (void) cls;
+  if (NULL != ego_name)
+    GNUNET_free (ego_name);
+  if (NULL != el)
+  {
+    GNUNET_IDENTITY_ego_lookup_cancel (el);
+    el = NULL;
+  }
+  if (NULL != ns_qe)
+    GNUNET_NAMESTORE_cancel (ns_qe);
+  if (NULL != id_op)
+    GNUNET_IDENTITY_cancel (id_op);
+  if (NULL != ns)
+    GNUNET_NAMESTORE_disconnect (ns);
+  if (NULL != id)
+    GNUNET_IDENTITY_disconnect (id);
+  for (int i = 0; i < rd_count; i++)
+  {
+    void *rd_ptr = (void*) rd[i].data;
+    GNUNET_free (rd_ptr);
+  }
+  if (NULL != parse_task)
+    GNUNET_SCHEDULER_cancel (parse_task);
+}
+
+static void
+parse (void *cls);
+
+static char*
+trim (char *line)
+{
+  char *ltrimmed = line;
+  int ltrimmed_len;
+  int quoted = 0;
+
+  // Trim all whitespace to the left
+  while (*ltrimmed == ' ')
+    ltrimmed++;
+  ltrimmed_len = strlen (ltrimmed);
+  // Find the first occurence of an unqoted ';', which is our comment
+  for (int i = 0; i < ltrimmed_len; i++)
+  {
+    if (ltrimmed[i] == '"')
+      quoted = ! quoted;
+    if ((ltrimmed[i] != ';') || quoted)
+      continue;
+    ltrimmed[i] = '\0';
+  }
+  ltrimmed_len = strlen (ltrimmed);
+  // Remove trailing whitespace
+  for (int i = ltrimmed_len; i > 0; i--)
+  {
+    if (ltrimmed[i - 1] != ' ')
+      break;
+    ltrimmed[i - 1] = '\0';
+  }
+  ltrimmed_len = strlen (ltrimmed);
+  if (ltrimmed[ltrimmed_len - 1] == '\n')
+    ltrimmed[ltrimmed_len - 1] = ' ';
+  return ltrimmed;
+}
+
+static char*
+next_token (char *token)
+{
+  char *next = token;
+  while (*next == ' ')
+    next++;
+  return next;
+}
+
+static int
+parse_ttl (char *token, struct GNUNET_TIME_Relative *ttl)
+{
+  char *next;
+  unsigned int ttl_tmp;
+
+  next = strchr (token, ';');
+  if (NULL != next)
+    next[0] = '\0';
+  next = strchr (token, ' ');
+  if (NULL != next)
+    next[0] = '\0';
+  if (1 != sscanf (token, "%u", &ttl_tmp))
+  {
+    fprintf (stderr, "Unable to parse TTL `%s'\n", token);
+    return GNUNET_SYSERR;
+  }
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "TTL is: %u\n", ttl_tmp);
+  ttl->rel_value_us = ttl_tmp * 1000 * 1000;
+  return GNUNET_OK;
+}
+
+static int
+parse_origin (char *token, char *origin)
+{
+  char *next;
+  next = strchr (token, ';');
+  if (NULL != next)
+    next[0] = '\0';
+  next = strchr (token, ' ');
+  if (NULL != next)
+    next[0] = '\0';
+  strcpy (origin, token);
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Origin is: %s\n", origin);
+  return GNUNET_OK;
+}
+
+static void
+origin_create_cb (void *cls, const struct GNUNET_CRYPTO_PrivateKey *pk,
+                  enum GNUNET_ErrorCode ec)
+{
+  id_op = NULL;
+  if (GNUNET_EC_NONE != ec)
+  {
+    fprintf (stderr, "Error: %s\n", GNUNET_ErrorCode_get_hint (ec));
+    ret = 1;
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  state = ZS_ORIGIN_SET;
+  zone_pkey = *pk;
+  parse_task = GNUNET_SCHEDULER_add_now (&parse, NULL);
+}
+
+static void
+origin_lookup_cb (void *cls, struct GNUNET_IDENTITY_Ego *ego)
+{
+
+  el = NULL;
+
+  if (NULL == ego)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "$ORIGIN %s does not exist, creating...\n", ego_name);
+    id_op = GNUNET_IDENTITY_create (id, ego_name, NULL,
+                                    GNUNET_PUBLIC_KEY_TYPE_ECDSA, // FIXME make configurable
+                                    origin_create_cb,
+                                    NULL);
+    return;
+  }
+  state = ZS_ORIGIN_SET;
+  zone_pkey = *GNUNET_IDENTITY_ego_get_private_key (ego);
+  parse_task = GNUNET_SCHEDULER_add_now (&parse, NULL);
+}
+
+static void
+add_continuation (void *cls, enum GNUNET_ErrorCode ec)
+{
+  ns_qe = NULL;
+  if (GNUNET_EC_NONE != ec)
+  {
+    fprintf (stderr,
+             _ ("Failed to store records...\n"));
+    GNUNET_SCHEDULER_shutdown ();
+    ret = -1;
+  }
+  if (ZS_ORIGIN_CHANGED == state)
+  {
+    if (NULL != ego_name)
+      GNUNET_free (ego_name);
+    ego_name = GNUNET_strdup (origin);
+    if (ego_name[strlen (ego_name) - 1] == '.')
+      ego_name[strlen (ego_name) - 1] = '\0';
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Changing origin to %s\n", ego_name);
+    el = GNUNET_IDENTITY_ego_lookup (cfg, ego_name,
+                                     &origin_lookup_cb, NULL);
+    return;
+  }
+  parse_task = GNUNET_SCHEDULER_add_now (&parse, NULL);
+}
+
+
+
+/**
+ * Main function that will be run.
+ *
+ * TODO:
+ *  - We must assume that names are not repeated later in the zonefile because
+ *    our _store APIs are replacing. No sure if that is common in zonefiles.
+ *  - We must only actually store a record set when the name to store changes or
+ *    the end of the file is reached.
+ *    that way we can group them and add (see above).
+ *  - We need to hope our string formats are compatible, but seems ok.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param cfg configuration
+ */
+static void
+parse (void *cls)
+{
+  char buf[MAX_ZONEFILE_LINE_LEN];
+  char payload[MAX_ZONEFILE_RECORD_DATA_LEN];
+  char *next;
+  char *token;
+  char *payload_pos;
+  static char lastname[GNUNET_DNSPARSER_MAX_LABEL_LENGTH];
+  char newname[GNUNET_DNSPARSER_MAX_LABEL_LENGTH];
+  void *data;
+  size_t data_size;
+  int ttl_line = 0;
+  int type;
+  int bracket_unclosed = 0;
+  int quoted = 0;
+
+  parse_task = NULL;
+  /* use filename provided as 1st argument (stdin by default) */
+  int ln = 0;
+  while ((res = fgets (buf, sizeof(buf), stdin)))                     /* read each line of input */
+  {
+    ln++;
+    ttl_line = 0;
+    token = trim (buf);
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Trimmed line (bracket %s): `%s'\n",
+                (bracket_unclosed > 0) ? "unclosed" : "closed",
+                token);
+    if ((0 == strlen (token)) ||
+        ((1 == strlen (token)) && (' ' == *token)))
+      continue; // I guess we can safely ignore blank lines
+    if (bracket_unclosed == 0)
+    {
+      /* Payload is already parsed */
+      payload_pos = payload;
+      /* Find space */
+      next = strchr (token, ' ');
+      if (NULL == next)
+      {
+        fprintf (stderr, "Error at line %u: %s\n", ln, token);
+        ret = 1;
+        GNUNET_SCHEDULER_shutdown ();
+        return;
+      }
+      next[0] = '\0';
+      next++;
+      if (0 == (strcmp (token, "$ORIGIN")))
+      {
+        state = ZS_ORIGIN_CHANGED;
+        token = next_token (next);
+      }
+      else if (0 == (strcmp (token, "$TTL")))
+      {
+        ttl_line = 1;
+        token = next_token (next);
+      }
+      else
+      {
+        if (0 == strcmp (token, "IN")) // Inherit name from before
+        {
+          GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                      "Old name: %s\n", lastname);
+          strcpy (newname, lastname);
+          token[strlen (token)] = ' ';
+        }
+        else if (token[strlen (token) - 1] != '.') // no fqdn
+        {
+          GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "New name: %s\n", token);
+          if (GNUNET_DNSPARSER_MAX_LABEL_LENGTH < strlen (token))
+          {
+            fprintf (stderr,
+                     _ ("Name `%s' is too long\n"),
+                     token);
+            ret = 1;
+            GNUNET_SCHEDULER_shutdown ();
+            return;
+          }
+          strcpy (newname, token);
+          token = next_token (next);
+        }
+        else if (0 == strcmp (token, origin))
+        {
+          GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "New name: @\n");
+          strcpy (newname, "@");
+          token = next_token (next);
+        }
+        else
+        {
+          if (strlen (token) < strlen (origin))
+          {
+            fprintf (stderr, "Wrong origin: %s (expected %s)\n", token, origin);
+            break; // FIXME error?
+          }
+          if (0 != strcmp (token + (strlen (token) - strlen (origin)), origin))
+          {
+            fprintf (stderr, "Wrong origin: %s (expected %s)\n", token, origin);
+            break;
+          }
+          token[strlen (token) - strlen (origin) - 1] = '\0';
+          GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "New name: %s\n", token);
+          if (GNUNET_DNSPARSER_MAX_LABEL_LENGTH < strlen (token))
+          {
+            fprintf (stderr,
+                     _ ("Name `%s' is too long\n"),
+                     token);
+            ret = 1;
+            GNUNET_SCHEDULER_shutdown ();
+            return;
+          }
+          strcpy (newname, token);
+          token = next_token (next);
+        }
+        if (0 != strcmp (newname, lastname) &&
+            (0 < rd_count))
+        {
+          GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                      "Name changed %s->%s, storing record set of %u elements\n",
+                      lastname, newname,
+                      rd_count);
+          state = ZS_NAME_CHANGED;
+        }
+        else {
+          strcpy (lastname, newname);
+        }
+      }
+
+      if (ttl_line)
+      {
+        if (GNUNET_SYSERR == parse_ttl (token, &ttl))
+        {
+          fprintf (stderr, _ ("Failed to parse $TTL\n"));
+          ret = 1;
+          GNUNET_SCHEDULER_shutdown ();
+          return;
+        }
+        continue;
+      }
+      if (ZS_ORIGIN_CHANGED == state)
+      {
+        if (GNUNET_SYSERR == parse_origin (token, origin))
+        {
+          fprintf (stderr, _ ("Failed to parse $ORIGIN from %s\n"), token);
+          ret = 1;
+          GNUNET_SCHEDULER_shutdown ();
+          return;
+        }
+        break;
+      }
+      if (ZS_READY == state)
+      {
+        fprintf (stderr,
+                 _ (
+                   "You must provide $ORIGIN in your zonefile or via arguments (--zone)!\n"));
+        ret = 1;
+        GNUNET_SCHEDULER_shutdown ();
+        return;
+      }
+      // This is a record, let's go
+      if (MAX_RECORDS_PER_NAME == rd_count)
+      {
+        fprintf (stderr,
+                 _ ("Only %u records per unique name supported.\n"),
+                 MAX_RECORDS_PER_NAME);
+        ret = 1;
+        GNUNET_SCHEDULER_shutdown ();
+        return;
+      }
+      rd[rd_count].flags = GNUNET_GNSRECORD_RF_RELATIVE_EXPIRATION;
+      rd[rd_count].expiration_time = ttl.rel_value_us;
+      next = strchr (token, ' ');
+      if (NULL == next)
+      {
+        fprintf (stderr, "Error, last token: %s\n", token);
+        ret = 1;
+        GNUNET_SCHEDULER_shutdown ();
+        break;
+      }
+      next[0] = '\0';
+      next++;
+      GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "class is: %s\n", token);
+      while (*next == ' ')
+        next++;
+      token = next;
+      next = strchr (token, ' ');
+      if (NULL == next)
+      {
+        fprintf (stderr, "Error\n");
+        break;
+      }
+      next[0] = '\0';
+      next++;
+      GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "type is: %s\n", token);
+      type = GNUNET_GNSRECORD_typename_to_number (token);
+      rd[rd_count].record_type = type;
+      while (*next == ' ')
+        next++;
+      token = next;
+    }
+    for (int i = 0; i < strlen (token); i++)
+    {
+      if (token[i] == '"')
+        quoted = ! quoted;
+      if ((token[i] == '(') && ! quoted)
+        bracket_unclosed++;
+      if ((token[i] == ')') && ! quoted)
+        bracket_unclosed--;
+    }
+    memcpy (payload_pos, token, strlen (token));
+    payload_pos += strlen (token);
+    if (bracket_unclosed > 0)
+    {
+      *payload_pos = ' ';
+      payload_pos++;
+      continue;
+    }
+    *payload_pos = '\0';
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "data is: %s\n\n", payload);
+    if (GNUNET_OK !=
+        GNUNET_GNSRECORD_string_to_value (type, payload,
+                                          &data,
+                                          &data_size))
+    {
+      fprintf (stderr,
+               _ ("Data `%s' invalid\n"),
+               payload);
+      ret = 1;
+      GNUNET_SCHEDULER_shutdown ();
+      return;
+    }
+    rd[rd_count].data = data;
+    rd[rd_count].data_size = data_size;
+    if (ZS_NAME_CHANGED == state)
+      break;
+    rd_count++;
+  }
+  if (rd_count > 0)
+  {
+    ns_qe = GNUNET_NAMESTORE_record_set_store (ns,
+                                            &zone_pkey,
+                                            lastname,
+                                            rd_count,
+                                            rd,
+                                            &add_continuation,
+                                            NULL);
+    published_sets++;
+    published_records += rd_count;
+    for (int i = 0; i < rd_count; i++)
+    {
+      data = (void*) rd[i].data;
+      GNUNET_free (data);
+    }
+    if (ZS_NAME_CHANGED == state)
+    {
+      rd[0] = rd[rd_count]; // recover last rd parsed.
+      rd_count = 1;
+      strcpy (lastname, newname);
+      state = ZS_ORIGIN_SET;
+    }
+    else
+      rd_count = 0;
+    return;
+  }
+  if (ZS_ORIGIN_CHANGED == state)
+  {
+    if (NULL != ego_name)
+      GNUNET_free (ego_name);
+    ego_name = GNUNET_strdup (origin);
+    if (ego_name[strlen (ego_name) - 1] == '.')
+      ego_name[strlen (ego_name) - 1] = '\0';
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Changing origin to %s\n", ego_name);
+    el = GNUNET_IDENTITY_ego_lookup (cfg, ego_name,
+                                     &origin_lookup_cb, NULL);
+    return;
+  }
+  printf ("Published %u records sets with total %u records\n",
+          published_sets, published_records);
+  GNUNET_SCHEDULER_shutdown ();
+}
+
+
+static void
+identity_cb (void *cls, struct GNUNET_IDENTITY_Ego *ego)
+{
+
+  el = NULL;
+  if (NULL == ego)
+  {
+    if (NULL != ego_name)
+    {
+      fprintf (stderr,
+               _ ("Ego `%s' not known to identity service\n"),
+               ego_name);
+
+    }
+    GNUNET_SCHEDULER_shutdown ();
+    ret = -1;
+    return;
+  }
+  zone_pkey = *GNUNET_IDENTITY_ego_get_private_key (ego);
+  sprintf (origin, "%s.", ego_name);
+  state = ZS_ORIGIN_SET;
+  parse_task = GNUNET_SCHEDULER_add_now (&parse, NULL);
+}
+
+
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *_cfg)
+{
+  cfg = _cfg;
+  ns = GNUNET_NAMESTORE_connect (cfg);
+  GNUNET_SCHEDULER_add_shutdown (&do_shutdown, (void *) cfg);
+  if (NULL == ns)
+  {
+    fprintf (stderr,
+             _ ("Failed to connect to NAMESTORE\n"));
+    return;
+  }
+  id = GNUNET_IDENTITY_connect (cfg, NULL, NULL);
+  if (NULL == id)
+  {
+    fprintf (stderr,
+             _ ("Failed to connect to IDENTITY\n"));
+    return;
+  }
+  if (NULL != ego_name)
+    el = GNUNET_IDENTITY_ego_lookup (cfg, ego_name, &identity_cb, (void *) cfg);
+  else
+    parse_task = GNUNET_SCHEDULER_add_now (&parse, NULL);
+  state = ZS_READY;
+}
+
+
+/**
+ * The main function for gnunet-namestore-dbtool.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc, char *const *argv)
+{
+  struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_option_string ('z',
+                                 "zone",
+                                 "EGO",
+                                 gettext_noop (
+                                   "name of the ego controlling the zone"),
+                                 &ego_name),
+    GNUNET_GETOPT_OPTION_END
+  };
+  int lret;
+
+  if (GNUNET_OK != GNUNET_STRINGS_get_utf8_args (argc, argv, &argc, &argv))
+    return 2;
+
+  GNUNET_log_setup ("gnunet-namestore-dbtool", "WARNING", NULL);
+  if (GNUNET_OK !=
+      (lret = GNUNET_PROGRAM_run (argc,
+                                  argv,
+                                  "gnunet-namestore-zonefile",
+                                  _ (
+                                    "GNUnet namestore database manipulation tool"),
+                                  options,
+                                  &run,
+                                  NULL)))
+  {
+    GNUNET_free_nz ((void *) argv);
+    return lret;
+  }
+  GNUNET_free_nz ((void *) argv);
+  return ret;
+}
diff --git a/src/cli/namestore/gnunet-namestore.c b/src/cli/namestore/gnunet-namestore.c
new file mode 100644
index 000000000..6c0890a43
--- /dev/null
+++ b/src/cli/namestore/gnunet-namestore.c
@@ -0,0 +1,2118 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2012, 2013, 2014, 2019 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file gnunet-namestore.c
+ * @brief command line tool to manipulate the local zone
+ * @author Christian Grothoff
+ *
+ * TODO:
+ * - test
+ */
+#include "platform.h"
+#include <gnunet_util_lib.h>
+#include <gnunet_identity_service.h>
+#include <gnunet_gnsrecord_lib.h>
+#include <gnunet_gns_service.h>
+#include <gnunet_namestore_service.h>
+#include <inttypes.h>
+
+/**
+ * The upper bound for the zone iteration interval
+ * (per record).
+ */
+#define WARN_RELATIVE_EXPIRATION_LIMIT GNUNET_TIME_relative_multiply ( \
+          GNUNET_TIME_UNIT_MINUTES, 15)
+
+/**
+ * Entry in record set for bulk processing.
+ */
+struct RecordSetEntry
+{
+  /**
+   * Kept in a linked list.
+   */
+  struct RecordSetEntry *next;
+
+  /**
+   * The record to add/remove.
+   */
+  struct GNUNET_GNSRECORD_Data record;
+};
+
+/**
+ * The record marked for deletion
+ */
+struct MarkedRecord
+{
+  /**
+   * DLL
+   */
+  struct MarkedRecord *next;
+
+  /**
+   * DLL
+   */
+  struct MarkedRecord *prev;
+
+  /**
+   * Ego Identifier
+   */
+  char *name;
+
+  /**
+   * The zone key
+   */
+  struct GNUNET_CRYPTO_PrivateKey key;
+};
+
+/**
+ * The default namestore ego
+ */
+struct EgoEntry
+{
+  /**
+   * DLL
+   */
+  struct EgoEntry *next;
+
+  /**
+   * DLL
+   */
+  struct EgoEntry *prev;
+
+  /**
+   * Ego Identifier
+   */
+  char *identifier;
+
+  /**
+   * The Ego
+   */
+  struct GNUNET_IDENTITY_Ego *ego;
+};
+
+/**
+ * Handle to the namestore.
+ */
+static struct GNUNET_NAMESTORE_Handle *ns;
+
+/**
+ * Private key for the our zone.
+ */
+static struct GNUNET_CRYPTO_PrivateKey zone_pkey;
+
+/**
+ * Identity service handle
+ */
+static struct GNUNET_IDENTITY_Handle *idh;
+
+/**
+ * Name of the ego controlling the zone.
+ */
+static char *ego_name;
+
+/**
+ * Queue entry for the 'add-uri' operation.
+ */
+static struct GNUNET_NAMESTORE_QueueEntry *add_qe_uri;
+
+/**
+ * Queue entry for the 'add' operation.
+ */
+static struct GNUNET_NAMESTORE_QueueEntry *add_qe;
+
+/**
+ * Queue entry for the 'lookup' operation.
+ */
+static struct GNUNET_NAMESTORE_QueueEntry *get_qe;
+
+/**
+ * Queue entry for the 'reverse lookup' operation (in combination with a name).
+ */
+static struct GNUNET_NAMESTORE_QueueEntry *reverse_qe;
+
+/**
+ * Marked record list
+ */
+static struct MarkedRecord *marked_head;
+
+/**
+ * Marked record list
+ */
+static struct MarkedRecord *marked_tail;
+
+/**
+ * Configuration handle
+ */
+const struct GNUNET_CONFIGURATION_Handle *cfg;
+
+/**
+ * Ego list
+ */
+static struct EgoEntry *ego_head;
+
+/**
+ * Ego list
+ */
+static struct EgoEntry *ego_tail;
+
+/**
+ * List iterator for the 'list' operation.
+ */
+static struct GNUNET_NAMESTORE_ZoneIterator *list_it;
+
+/**
+ * Run in read from stdin mode.
+ */
+static int read_from_stdin;
+
+/**
+ * Desired action is to list records.
+ */
+static int list;
+
+/**
+ * Desired action is to add a record.
+ */
+static int add;
+
+/**
+ * Desired action is to remove a record.
+ */
+static int del;
+
+/**
+ * Is record public (opposite of #GNUNET_GNSRECORD_RF_PRIVATE)
+ */
+static int is_public;
+
+/**
+ * Is record a shadow record (#GNUNET_GNSRECORD_RF_SHADOW)
+ */
+static int is_shadow;
+
+/**
+ * Is record a maintenance record (#GNUNET_GNSRECORD_RF_MAINTENANCE)
+ */
+static int is_maintenance;
+
+/**
+ * Filter private records
+ */
+static int omit_private;
+
+/**
+ * Output in recordline format
+ */
+static int output_recordline;
+
+
+/**
+ * Purge zone contents
+ */
+static int purge_zone;
+
+/**
+ * Do not filter maintenance records
+ */
+static int include_maintenance;
+
+/**
+ * Purge orphaned records
+ */
+static int purge_orphaned;
+
+/**
+ * List records and zone keys of orphaned records
+ */
+static int list_orphaned;
+
+/**
+ * Queue entry for the 'del' operation.
+ */
+static struct GNUNET_NAMESTORE_QueueEntry *del_qe;
+
+/**
+ * Queue entry for the 'set/replace' operation.
+ */
+static struct GNUNET_NAMESTORE_QueueEntry *set_qe;
+
+/**
+ * Queue entry for begin/commit
+ */
+static struct GNUNET_NAMESTORE_QueueEntry *ns_qe;
+
+/**
+ * Name of the records to add/list/remove.
+ */
+static char *name;
+
+/**
+ * Value of the record to add/remove.
+ */
+static char *value;
+
+/**
+ * URI to import.
+ */
+static char *uri;
+
+/**
+ * Reverse lookup to perform.
+ */
+static char *reverse_pkey;
+
+/**
+ * Type of the record to add/remove, NULL to remove all.
+ */
+static char *typestring;
+
+/**
+ * Desired expiration time.
+ */
+static char *expirationstring;
+
+/**
+ * Desired nick name.
+ */
+static char *nickstring;
+
+/**
+ * Global return value
+ */
+static int ret;
+
+/**
+ * Type string converted to DNS type value.
+ */
+static uint32_t type;
+
+/**
+ * Value in binary format.
+ */
+static void *data;
+
+/**
+ * Number of bytes in #data.
+ */
+static size_t data_size;
+
+/**
+ * Expiration string converted to numeric value.
+ */
+static uint64_t etime;
+
+/**
+ * Is expiration time relative or absolute time?
+ */
+static int etime_is_rel = GNUNET_SYSERR;
+
+/**
+ * Monitor handle.
+ */
+static struct GNUNET_NAMESTORE_ZoneMonitor *zm;
+
+/**
+ * Enables monitor mode.
+ */
+static int monitor;
+
+/**
+ * Entry in record set for processing records in bulk.
+ */
+static struct RecordSetEntry *recordset;
+
+/**
+ * Purge task
+ */
+static struct GNUNET_SCHEDULER_Task *purge_task;
+
+/**
+ * Parse expiration time.
+ *
+ * @param expirationstring text to parse
+ * @param[out] etime_is_rel set to #GNUNET_YES if time is relative
+ * @param[out] etime set to expiration time (abs or rel)
+ * @return #GNUNET_OK on success
+ */
+static int
+parse_expiration (const char *expirationstring,
+                  int *etime_is_rel,
+                  uint64_t *etime)
+{
+  struct GNUNET_TIME_Relative etime_rel;
+  struct GNUNET_TIME_Absolute etime_abs;
+
+  if (0 == strcmp (expirationstring, "never"))
+  {
+    *etime = GNUNET_TIME_UNIT_FOREVER_ABS.abs_value_us;
+    *etime_is_rel = GNUNET_NO;
+    return GNUNET_OK;
+  }
+  if (GNUNET_OK ==
+      GNUNET_STRINGS_fancy_time_to_relative (expirationstring, &etime_rel))
+  {
+    *etime_is_rel = GNUNET_YES;
+    *etime = etime_rel.rel_value_us;
+    if (GNUNET_TIME_relative_cmp (etime_rel, <, WARN_RELATIVE_EXPIRATION_LIMIT))
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                  "Relative expiration times of less than %s are not recommended. To improve availability, consider increasing this value.\n",
+                  GNUNET_STRINGS_relative_time_to_string (
+                    WARN_RELATIVE_EXPIRATION_LIMIT, GNUNET_NO));
+    }
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Storing record with relative expiration time of %s\n",
+                GNUNET_STRINGS_relative_time_to_string (etime_rel, GNUNET_NO));
+    return GNUNET_OK;
+  }
+  if (GNUNET_OK ==
+      GNUNET_STRINGS_fancy_time_to_absolute (expirationstring, &etime_abs))
+  {
+    *etime_is_rel = GNUNET_NO;
+    *etime = etime_abs.abs_value_us;
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Storing record with absolute expiration time of %s\n",
+                GNUNET_STRINGS_absolute_time_to_string (etime_abs));
+    return GNUNET_OK;
+  }
+  return GNUNET_SYSERR;
+}
+
+
+static int
+parse_recordline (const char *line)
+{
+  struct RecordSetEntry **head = &recordset;
+  struct RecordSetEntry *r;
+  struct GNUNET_GNSRECORD_Data record;
+  char *cp;
+  char *tok;
+  char *saveptr;
+  void *raw_data;
+
+  cp = GNUNET_strdup (line);
+  tok = strtok_r (cp, " ", &saveptr);
+  if (NULL == tok)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                _ ("Missing entries in record line `%s'.\n"),
+                line);
+    GNUNET_free (cp);
+    return GNUNET_SYSERR;
+  }
+  record.record_type = GNUNET_GNSRECORD_typename_to_number (tok);
+  if (UINT32_MAX == record.record_type)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR, _ ("Unknown record type `%s'\n"), tok);
+    GNUNET_free (cp);
+    return GNUNET_SYSERR;
+  }
+  tok = strtok_r (NULL, " ", &saveptr);
+  if (NULL == tok)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                _ ("Empty record line argument is not allowed.\n"));
+    GNUNET_free (cp);
+    return GNUNET_SYSERR;
+  }
+  if (1 != sscanf (tok, "%" SCNu64, &record.expiration_time))
+  {
+    fprintf (stderr,
+             _ ("Error parsing expiration time %s.\n"), tok);
+    GNUNET_free (cp);
+    return GNUNET_SYSERR;
+  }
+  tok = strtok_r (NULL, " ", &saveptr);
+  if (NULL == tok)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                _ ("Empty record line argument is not allowed.\n"));
+    GNUNET_free (cp);
+    return GNUNET_SYSERR;
+  }
+  record.flags = GNUNET_GNSRECORD_RF_NONE;
+  if (NULL != strchr (tok, (unsigned char) 'r'))
+    record.flags |= GNUNET_GNSRECORD_RF_RELATIVE_EXPIRATION;
+  if (NULL == strchr (tok, (unsigned char) 'p')) /* p = public */
+    record.flags |= GNUNET_GNSRECORD_RF_PRIVATE;
+  if (NULL != strchr (tok, (unsigned char) 'S'))
+    record.flags |= GNUNET_GNSRECORD_RF_SUPPLEMENTAL;
+  if (NULL != strchr (tok, (unsigned char) 's'))
+    record.flags |= GNUNET_GNSRECORD_RF_SHADOW;
+  if (NULL != strchr (tok, (unsigned char) 'C'))
+    record.flags |= GNUNET_GNSRECORD_RF_CRITICAL;
+  tok += strlen (tok) + 1;
+  if (GNUNET_OK != GNUNET_GNSRECORD_string_to_value (record.record_type,
+                                                     tok,
+                                                     &raw_data,
+                                                     &record.data_size))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                _ ("Invalid record data for type %s: `%s'.\n"),
+                GNUNET_GNSRECORD_number_to_typename (record.record_type),
+                tok);
+    GNUNET_free (cp);
+    return GNUNET_SYSERR;
+  }
+  GNUNET_free (cp);
+
+  r = GNUNET_malloc (sizeof(struct RecordSetEntry) + record.data_size);
+  r->next = *head;
+  record.data = &r[1];
+  memcpy (&r[1], raw_data, record.data_size);
+  GNUNET_free (raw_data);
+  r->record = record;
+  *head = r;
+  return GNUNET_OK;
+}
+
+
+static void
+reset_handles (void)
+{
+  struct MarkedRecord *mrec;
+  struct MarkedRecord *mrec_tmp;
+  struct RecordSetEntry *rs_entry;
+
+  rs_entry = recordset;
+  while (NULL != (rs_entry = recordset))
+  {
+    recordset = recordset->next;
+    GNUNET_free (rs_entry);
+  }
+  recordset = NULL;
+  if (NULL != ego_name)
+  {
+    GNUNET_free (ego_name);
+    ego_name = NULL;
+  }
+  if (NULL != name)
+  {
+    GNUNET_free (name);
+    name = NULL;
+  }
+  if (NULL != value)
+  {
+    GNUNET_free (value);
+    value = NULL;
+  }
+  if (NULL != uri)
+  {
+    GNUNET_free (uri);
+    uri = NULL;
+  }
+  if (NULL != expirationstring)
+  {
+    GNUNET_free (expirationstring);
+    expirationstring = NULL;
+  }
+  if (NULL != purge_task)
+  {
+    GNUNET_SCHEDULER_cancel (purge_task);
+    purge_task = NULL;
+  }
+  for (mrec = marked_head; NULL != mrec;)
+  {
+    mrec_tmp = mrec;
+    mrec = mrec->next;
+    GNUNET_free (mrec_tmp->name);
+    GNUNET_free (mrec_tmp);
+  }
+  if (NULL != list_it)
+  {
+    GNUNET_NAMESTORE_zone_iteration_stop (list_it);
+    list_it = NULL;
+  }
+  if (NULL != add_qe)
+  {
+    GNUNET_NAMESTORE_cancel (add_qe);
+    add_qe = NULL;
+  }
+  if (NULL != set_qe)
+  {
+    GNUNET_NAMESTORE_cancel (set_qe);
+    set_qe = NULL;
+  }
+  if (NULL != add_qe_uri)
+  {
+    GNUNET_NAMESTORE_cancel (add_qe_uri);
+    add_qe_uri = NULL;
+  }
+  if (NULL != get_qe)
+  {
+    GNUNET_NAMESTORE_cancel (get_qe);
+    get_qe = NULL;
+  }
+  if (NULL != del_qe)
+  {
+    GNUNET_NAMESTORE_cancel (del_qe);
+    del_qe = NULL;
+  }
+  if (NULL != reverse_qe)
+  {
+    GNUNET_NAMESTORE_cancel (reverse_qe);
+    reverse_qe = NULL;
+  }
+  memset (&zone_pkey, 0, sizeof(zone_pkey));
+  if (NULL != zm)
+  {
+    GNUNET_NAMESTORE_zone_monitor_stop (zm);
+    zm = NULL;
+  }
+  if (NULL != data)
+  {
+    GNUNET_free (data);
+    data = NULL;
+  }
+  if (NULL != typestring)
+  {
+    GNUNET_free (typestring);
+    typestring = NULL;
+  }
+  list = 0;
+  is_public = 0;
+  is_shadow = 0;
+  is_maintenance = 0;
+  purge_zone = 0;
+}
+
+
+/**
+ * Task run on shutdown.  Cleans up everything.
+ *
+ * @param cls unused
+ */
+static void
+do_shutdown (void *cls)
+{
+  struct EgoEntry *ego_entry;
+  struct EgoEntry *ego_tmp;
+  (void) cls;
+
+  reset_handles ();
+  if (NULL != ns_qe)
+  {
+    GNUNET_NAMESTORE_cancel (ns_qe);
+    ns_qe = NULL;
+  }
+  if (NULL != ns)
+  {
+    GNUNET_NAMESTORE_disconnect (ns);
+    ns = NULL;
+  }
+  if (NULL != idh)
+  {
+    GNUNET_IDENTITY_disconnect (idh);
+    idh = NULL;
+  }
+  for (ego_entry = ego_head; NULL != ego_entry;)
+  {
+    ego_tmp = ego_entry;
+    ego_entry = ego_entry->next;
+    GNUNET_free (ego_tmp->identifier);
+    GNUNET_free (ego_tmp);
+  }
+}
+
+
+static void
+process_command_stdin ();
+
+
+static void
+finish_command (void)
+{
+  reset_handles ();
+  if (read_from_stdin)
+  {
+    process_command_stdin ();
+    return;
+  }
+  GNUNET_SCHEDULER_shutdown ();
+}
+
+
+static void
+add_continuation (void *cls, enum GNUNET_ErrorCode ec)
+{
+  struct GNUNET_NAMESTORE_QueueEntry **qe = cls;
+
+  *qe = NULL;
+  if (GNUNET_EC_NONE != ec)
+  {
+    fprintf (stderr,
+             _ ("Adding record failed: %s\n"),
+             GNUNET_ErrorCode_get_hint (ec));
+    if (GNUNET_EC_NAMESTORE_RECORD_EXISTS != ec)
+      ret = 1;
+  }
+  ret = 0;
+  finish_command ();
+}
+
+
+static void
+del_continuation (void *cls, enum GNUNET_ErrorCode ec)
+{
+  (void) cls;
+  del_qe = NULL;
+  if (GNUNET_EC_NAMESTORE_RECORD_NOT_FOUND == ec)
+  {
+    fprintf (stderr,
+             _ ("Deleting record failed: %s\n"), GNUNET_ErrorCode_get_hint (
+               ec));
+  }
+  finish_command ();
+}
+
+
+static void
+purge_next_record (void *cls);
+
+static void
+marked_deleted (void *cls, enum GNUNET_ErrorCode ec)
+{
+  del_qe = NULL;
+  if (GNUNET_EC_NONE != ec)
+  {
+    fprintf (stderr,
+             _ ("Deleting record failed: %s\n"),
+             GNUNET_ErrorCode_get_hint (ec));
+  }
+  purge_task = GNUNET_SCHEDULER_add_now (&purge_next_record, NULL);
+}
+
+
+static void
+purge_next_record (void *cls)
+{
+  struct MarkedRecord *mrec;
+  purge_task = NULL;
+
+  if (NULL == marked_head)
+  {
+    ret = 0;
+    finish_command ();
+    return;
+  }
+  mrec = marked_head;
+  GNUNET_CONTAINER_DLL_remove (marked_head,
+                               marked_tail,
+                               mrec);
+  del_qe = GNUNET_NAMESTORE_record_set_store (ns,
+                                              &mrec->key,
+                                              mrec->name,
+                                              0, NULL,
+                                              &marked_deleted,
+                                              NULL);
+  GNUNET_free (mrec->name);
+  GNUNET_free (mrec);
+}
+
+
+/**
+ * Function called when we are done with a zone iteration.
+ */
+static void
+zone_iteration_finished (void *cls)
+{
+  (void) cls;
+  list_it = NULL;
+  if (purge_orphaned || purge_zone)
+  {
+    purge_task = GNUNET_SCHEDULER_add_now (&purge_next_record, NULL);
+    return;
+  }
+  ret = 0;
+  finish_command ();
+}
+
+
+/**
+ * Function called when we encountered an error in a zone iteration.
+ */
+static void
+zone_iteration_error_cb (void *cls)
+{
+  (void) cls;
+  list_it = NULL;
+  fprintf (stderr, "Error iterating over zone\n");
+  ret = 1;
+  finish_command ();
+}
+
+
+static void
+collect_zone_records_to_purge (const struct
+                               GNUNET_CRYPTO_PrivateKey *zone_key,
+                               const char *rname,
+                               unsigned int rd_len,
+                               const struct GNUNET_GNSRECORD_Data *rd)
+{
+  struct MarkedRecord *mrec;
+
+  mrec = GNUNET_new (struct MarkedRecord);
+  mrec->key = *zone_key;
+  mrec->name = GNUNET_strdup (rname);
+  GNUNET_CONTAINER_DLL_insert (marked_head,
+                               marked_tail,
+                               mrec);
+}
+
+
+static void
+collect_orphans (const struct GNUNET_CRYPTO_PrivateKey *zone_key,
+                 const char *rname,
+                 unsigned int rd_len,
+                 const struct GNUNET_GNSRECORD_Data *rd)
+{
+  struct EgoEntry *ego;
+  struct MarkedRecord *orphan;
+  int is_orphaned = 1;
+
+  for (ego = ego_head; NULL != ego; ego = ego->next)
+  {
+    if (0 == memcmp (GNUNET_IDENTITY_ego_get_private_key (ego->ego),
+                     zone_key,
+                     sizeof (*zone_key)))
+    {
+      is_orphaned = 0;
+      break;
+    }
+  }
+  if (is_orphaned)
+  {
+    orphan = GNUNET_new (struct MarkedRecord);
+    orphan->key = *zone_key;
+    orphan->name = GNUNET_strdup (rname);
+    GNUNET_CONTAINER_DLL_insert (marked_head,
+                                 marked_tail,
+                                 orphan);
+  }
+}
+
+
+/**
+ * Process a record that was stored in the namestore.
+ *
+ * @param rname name that is being mapped (at most 255 characters long)
+ * @param rd_len number of entries in @a rd array
+ * @param rd array of records with data to store
+ */
+static void
+display_record (const struct GNUNET_CRYPTO_PrivateKey *zone_key,
+                const char *rname,
+                unsigned int rd_len,
+                const struct GNUNET_GNSRECORD_Data *rd)
+{
+  const char *typestr;
+  char *s;
+  const char *ets;
+  struct GNUNET_TIME_Absolute at;
+  struct GNUNET_TIME_Relative rt;
+  struct EgoEntry *ego;
+  int have_record;
+  int is_orphaned = 1;
+  char *orphaned_str;
+
+  if ((NULL != name) && (0 != strcmp (name, rname)))
+    return;
+  have_record = GNUNET_NO;
+  for (unsigned int i = 0; i < rd_len; i++)
+  {
+    if ((GNUNET_GNSRECORD_TYPE_NICK == rd[i].record_type) &&
+        (0 != strcmp (rname, GNUNET_GNS_EMPTY_LABEL_AT)))
+      continue;
+    if ((type != rd[i].record_type) && (GNUNET_GNSRECORD_TYPE_ANY != type))
+      continue;
+    have_record = GNUNET_YES;
+    break;
+  }
+  if (GNUNET_NO == have_record)
+    return;
+  for (ego = ego_head; NULL != ego; ego = ego->next)
+  {
+    if (0 == memcmp (GNUNET_IDENTITY_ego_get_private_key (ego->ego),
+                     zone_key,
+                     sizeof (*zone_key)))
+    {
+      is_orphaned = 0;
+      break;
+    }
+  }
+  if (list_orphaned && ! is_orphaned)
+    return;
+  if (! list_orphaned && is_orphaned)
+    return;
+  orphaned_str = GNUNET_CRYPTO_private_key_to_string (zone_key);
+  fprintf (stdout, "%s.%s:\n", rname, is_orphaned ? orphaned_str :
+           ego->identifier);
+  GNUNET_free (orphaned_str);
+  if (NULL != typestring)
+    type = GNUNET_GNSRECORD_typename_to_number (typestring);
+  else
+    type = GNUNET_GNSRECORD_TYPE_ANY;
+  for (unsigned int i = 0; i < rd_len; i++)
+  {
+    if ((GNUNET_GNSRECORD_TYPE_NICK == rd[i].record_type) &&
+        (0 != strcmp (rname, GNUNET_GNS_EMPTY_LABEL_AT)))
+      continue;
+    if ((type != rd[i].record_type) && (GNUNET_GNSRECORD_TYPE_ANY != type))
+      continue;
+    typestr = GNUNET_GNSRECORD_number_to_typename (rd[i].record_type);
+    s = GNUNET_GNSRECORD_value_to_string (rd[i].record_type,
+                                          rd[i].data,
+                                          rd[i].data_size);
+    if (NULL == s)
+    {
+      fprintf (stdout,
+               _ ("\tCorrupt or unsupported record of type %u\n"),
+               (unsigned int) rd[i].record_type);
+      continue;
+    }
+    if (0 != (rd[i].flags & GNUNET_GNSRECORD_RF_RELATIVE_EXPIRATION))
+    {
+      rt.rel_value_us = rd[i].expiration_time;
+      ets = GNUNET_STRINGS_relative_time_to_string (rt, GNUNET_YES);
+    }
+    else
+    {
+      at.abs_value_us = rd[i].expiration_time;
+      ets = GNUNET_STRINGS_absolute_time_to_string (at);
+    }
+    char flgstr[16];
+    sprintf (flgstr, "[%s%s%s%s%s]",
+             (rd[i].flags & GNUNET_GNSRECORD_RF_PRIVATE) ? "" : "p",
+             (rd[i].flags & GNUNET_GNSRECORD_RF_SUPPLEMENTAL) ? "S" : "",
+             (rd[i].flags & GNUNET_GNSRECORD_RF_RELATIVE_EXPIRATION) ? "r" : "",
+             (rd[i].flags & GNUNET_GNSRECORD_RF_SHADOW) ? "S" : "",
+             (rd[i].flags & GNUNET_GNSRECORD_RF_CRITICAL) ? "C" : "");
+    if (output_recordline)
+      fprintf (stdout,
+               "  %s %" PRIu64 " %s %s\n",
+               typestr,
+               rd[i].expiration_time,
+               flgstr,
+               s);
+    else
+      fprintf (stdout,
+               "\t%s: %s (%s)\t%s\t%s\t%s\n",
+               typestr,
+               s,
+               ets,
+               (0 != (rd[i].flags & GNUNET_GNSRECORD_RF_PRIVATE)) ? "PRIVATE"
+             : "PUBLIC",
+               (0 != (rd[i].flags & GNUNET_GNSRECORD_RF_SHADOW)) ? "SHADOW"
+               : "",
+               (0 != (rd[i].flags & GNUNET_GNSRECORD_RF_MAINTENANCE)) ?
+               "MAINTENANCE"
+             : "");
+    GNUNET_free (s);
+  }
+  // fprintf (stdout, "%s", "\n");
+}
+
+
+static void
+purge_zone_iterator (void *cls,
+                     const struct GNUNET_CRYPTO_PrivateKey *zone_key,
+                     const char *rname,
+                     unsigned int rd_len,
+                     const struct GNUNET_GNSRECORD_Data *rd,
+                     struct GNUNET_TIME_Absolute expiry)
+{
+  (void) cls;
+  (void) zone_key;
+  (void) expiry;
+  collect_zone_records_to_purge (zone_key, rname, rd_len, rd);
+  GNUNET_NAMESTORE_zone_iterator_next (list_it, 1);
+}
+
+
+static void
+purge_orphans_iterator (void *cls,
+                        const struct GNUNET_CRYPTO_PrivateKey *zone_key,
+                        const char *rname,
+                        unsigned int rd_len,
+                        const struct GNUNET_GNSRECORD_Data *rd,
+                        struct GNUNET_TIME_Absolute expiry)
+{
+  (void) cls;
+  (void) zone_key;
+  (void) expiry;
+  collect_orphans (zone_key, rname, rd_len, rd);
+  GNUNET_NAMESTORE_zone_iterator_next (list_it, 1);
+}
+
+
+/**
+ * Process a record that was stored in the namestore.
+ *
+ * @param cls closure
+ * @param zone_key private key of the zone
+ * @param rname name that is being mapped (at most 255 characters long)
+ * @param rd_len number of entries in @a rd array
+ * @param rd array of records with data to store
+ */
+static void
+display_record_iterator (void *cls,
+                         const struct GNUNET_CRYPTO_PrivateKey *zone_key,
+                         const char *rname,
+                         unsigned int rd_len,
+                         const struct GNUNET_GNSRECORD_Data *rd,
+                         struct GNUNET_TIME_Absolute expiry)
+{
+  (void) cls;
+  (void) zone_key;
+  (void) expiry;
+  display_record (zone_key, rname, rd_len, rd);
+  GNUNET_NAMESTORE_zone_iterator_next (list_it, 1);
+}
+
+
+/**
+ * Process a record that was stored in the namestore.
+ *
+ * @param cls closure
+ * @param zone_key private key of the zone
+ * @param rname name that is being mapped (at most 255 characters long)
+ * @param rd_len number of entries in @a rd array
+ * @param rd array of records with data to store
+ */
+static void
+display_record_monitor (void *cls,
+                        const struct GNUNET_CRYPTO_PrivateKey *zone_key,
+                        const char *rname,
+                        unsigned int rd_len,
+                        const struct GNUNET_GNSRECORD_Data *rd,
+                        struct GNUNET_TIME_Absolute expiry)
+{
+  (void) cls;
+  (void) zone_key;
+  (void) expiry;
+  display_record (zone_key, rname, rd_len, rd);
+  GNUNET_NAMESTORE_zone_monitor_next (zm, 1);
+}
+
+
+/**
+ * Process a record that was stored in the namestore.
+ *
+ * @param cls closure
+ * @param zone_key private key of the zone
+ * @param rname name that is being mapped (at most 255 characters long)
+ * @param rd_len number of entries in @a rd array
+ * @param rd array of records with data to store
+ */
+static void
+display_record_lookup (void *cls,
+                       const struct GNUNET_CRYPTO_PrivateKey *zone_key,
+                       const char *rname,
+                       unsigned int rd_len,
+                       const struct GNUNET_GNSRECORD_Data *rd)
+{
+  (void) cls;
+  (void) zone_key;
+  get_qe = NULL;
+  display_record (zone_key, rname, rd_len, rd);
+  finish_command ();
+}
+
+
+/**
+ * Function called once we are in sync in monitor mode.
+ *
+ * @param cls NULL
+ */
+static void
+sync_cb (void *cls)
+{
+  (void) cls;
+  fprintf (stdout, "%s", "Monitor is now in sync.\n");
+}
+
+
+/**
+ * Function called on errors while monitoring.
+ *
+ * @param cls NULL
+ */
+static void
+monitor_error_cb (void *cls)
+{
+  (void) cls;
+  fprintf (stderr, "%s", "Monitor disconnected and out of sync.\n");
+}
+
+
+/**
+ * Function called on errors while monitoring.
+ *
+ * @param cls NULL
+ */
+static void
+lookup_error_cb (void *cls)
+{
+  (void) cls;
+  get_qe = NULL;
+  fprintf (stderr, "%s", "Failed to lookup record.\n");
+  finish_command ();
+}
+
+
+/**
+ * Function called if lookup fails.
+ */
+static void
+add_error_cb (void *cls)
+{
+  (void) cls;
+  add_qe = NULL;
+  GNUNET_break (0);
+  ret = 1;
+  finish_command ();
+}
+
+
+/**
+ * We're storing a record; this function is given the existing record
+ * so that we can merge the information.
+ *
+ * @param cls closure, unused
+ * @param zone_key private key of the zone
+ * @param rec_name name that is being mapped (at most 255 characters long)
+ * @param rd_count number of entries in @a rd array
+ * @param rd array of records with data to store
+ */
+static void
+get_existing_record (void *cls,
+                     const struct GNUNET_CRYPTO_PrivateKey *zone_key,
+                     const char *rec_name,
+                     unsigned int rd_count,
+                     const struct GNUNET_GNSRECORD_Data *rd)
+{
+  struct GNUNET_GNSRECORD_Data rdn[rd_count + 1];
+  struct GNUNET_GNSRECORD_Data *rde;
+
+  (void) cls;
+  (void) zone_key;
+  add_qe = NULL;
+  if (0 != strcmp (rec_name, name))
+  {
+    GNUNET_break (0);
+    ret = 1;
+    finish_command ();
+    return;
+  }
+
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Received %u records for name `%s'\n",
+              rd_count,
+              rec_name);
+  for (unsigned int i = 0; i < rd_count; i++)
+  {
+    switch (rd[i].record_type)
+    {
+    case GNUNET_DNSPARSER_TYPE_SOA:
+      if (GNUNET_DNSPARSER_TYPE_SOA == type)
+      {
+        fprintf (
+          stderr,
+          _ (
+            "A SOA record exists already under `%s', cannot add a second SOA to the same zone.\n"),
+          rec_name);
+        ret = 1;
+        finish_command ();
+        return;
+      }
+      break;
+    }
+  }
+  memset (rdn, 0, sizeof(struct GNUNET_GNSRECORD_Data));
+  GNUNET_memcpy (&rdn[1], rd, rd_count * sizeof(struct GNUNET_GNSRECORD_Data));
+  rde = &rdn[0];
+  rde->data = data;
+  rde->data_size = data_size;
+  rde->record_type = type;
+  if (1 == is_shadow)
+    rde->flags |= GNUNET_GNSRECORD_RF_SHADOW;
+  if (1 == is_maintenance)
+    rde->flags |= GNUNET_GNSRECORD_RF_MAINTENANCE;
+  if (1 != is_public)
+    rde->flags |= GNUNET_GNSRECORD_RF_PRIVATE;
+  rde->expiration_time = etime;
+  if (GNUNET_YES == etime_is_rel)
+    rde->flags |= GNUNET_GNSRECORD_RF_RELATIVE_EXPIRATION;
+  else if (GNUNET_NO != etime_is_rel)
+    rde->expiration_time = GNUNET_TIME_UNIT_FOREVER_ABS.abs_value_us;
+  GNUNET_assert (NULL != name);
+  add_qe = GNUNET_NAMESTORE_record_set_store (ns,
+                                              &zone_pkey,
+                                              name,
+                                              rd_count + 1,
+                                              rde,
+                                              &add_continuation,
+                                              &add_qe);
+}
+
+
+/**
+ * Function called if we encountered an error in zone-to-name.
+ */
+static void
+reverse_error_cb (void *cls)
+{
+  (void) cls;
+  reverse_qe = NULL;
+  fprintf (stdout, "%s.zkey\n", reverse_pkey);
+}
+
+
+/**
+ * Function called with the result of our attempt to obtain a name for a given
+ * public key.
+ *
+ * @param cls NULL
+ * @param zone private key of the zone; NULL on disconnect
+ * @param label label of the records; NULL on disconnect
+ * @param rd_count number of entries in @a rd array, 0 if label was deleted
+ * @param rd array of records with data to store
+ */
+static void
+handle_reverse_lookup (void *cls,
+                       const struct GNUNET_CRYPTO_PrivateKey *zone,
+                       const char *label,
+                       unsigned int rd_count,
+                       const struct GNUNET_GNSRECORD_Data *rd)
+{
+  (void) cls;
+  (void) zone;
+  (void) rd_count;
+  (void) rd;
+  reverse_qe = NULL;
+  if (NULL == label)
+    fprintf (stdout, "%s\n", reverse_pkey);
+  else
+    fprintf (stdout, "%s.%s\n", label, ego_name);
+  finish_command ();
+}
+
+
+/**
+ * Function called if lookup for deletion fails.
+ */
+static void
+del_lookup_error_cb (void *cls)
+{
+  (void) cls;
+  del_qe = NULL;
+  GNUNET_break (0);
+  ret = 1;
+  finish_command ();
+}
+
+
+/**
+ * We were asked to delete something; this function is called with
+ * the existing records. Now we should determine what should be
+ * deleted and then issue the deletion operation.
+ *
+ * @param cls NULL
+ * @param zone private key of the zone we are deleting from
+ * @param label name of the records we are editing
+ * @param rd_count size of the @a rd array
+ * @param rd existing records
+ */
+static void
+del_monitor (void *cls,
+             const struct GNUNET_CRYPTO_PrivateKey *zone,
+             const char *label,
+             unsigned int rd_count,
+             const struct GNUNET_GNSRECORD_Data *rd)
+{
+  struct GNUNET_GNSRECORD_Data rdx[rd_count];
+  unsigned int rd_left;
+  uint32_t type;
+  char *vs;
+
+  (void) cls;
+  (void) zone;
+  del_qe = NULL;
+  if (0 == rd_count)
+  {
+    fprintf (stderr,
+             _ (
+               "There are no records under label `%s' that could be deleted.\n"),
+             label);
+    ret = 1;
+    finish_command ();
+    return;
+  }
+  if ((NULL == value) && (NULL == typestring))
+  {
+    /* delete everything */
+    del_qe = GNUNET_NAMESTORE_record_set_store (ns,
+                                                &zone_pkey,
+                                                name,
+                                                0,
+                                                NULL,
+                                                &del_continuation,
+                                                NULL);
+    return;
+  }
+  rd_left = 0;
+  if (NULL != typestring)
+    type = GNUNET_GNSRECORD_typename_to_number (typestring);
+  else
+    type = GNUNET_GNSRECORD_TYPE_ANY;
+  for (unsigned int i = 0; i < rd_count; i++)
+  {
+    vs = NULL;
+    if (! (((GNUNET_GNSRECORD_TYPE_ANY == type) ||
+            (rd[i].record_type == type)) &&
+           ((NULL == value) ||
+            (NULL ==
+             (vs = (GNUNET_GNSRECORD_value_to_string (rd[i].record_type,
+                                                      rd[i].data,
+                                                      rd[i].data_size)))) ||
+            (0 == strcmp (vs, value)))))
+      rdx[rd_left++] = rd[i];
+    GNUNET_free (vs);
+  }
+  if (rd_count == rd_left)
+  {
+    /* nothing got deleted */
+    fprintf (
+      stderr,
+      _ (
+        "There are no records under label `%s' that match the request for deletion.\n"),
+      label);
+    finish_command ();
+    return;
+  }
+  /* delete everything but what we copied to 'rdx' */
+  del_qe = GNUNET_NAMESTORE_record_set_store (ns,
+                                              &zone_pkey,
+                                              name,
+                                              rd_left,
+                                              rdx,
+                                              &del_continuation,
+                                              NULL);
+}
+
+
+static void
+replace_cont (void *cls, enum GNUNET_ErrorCode ec)
+{
+  (void) cls;
+
+  set_qe = NULL;
+  if (GNUNET_EC_NONE != ec)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_MESSAGE,
+                _ ("%s\n"),
+                GNUNET_ErrorCode_get_hint (ec));
+    ret = 1;   /* fail from 'main' */
+  }
+  finish_command ();
+}
+
+
+/**
+ * We have obtained the zone's private key, so now process
+ * the main commands using it.
+ *
+ * @param cfg configuration to use
+ */
+static void
+run_with_zone_pkey (const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  struct GNUNET_GNSRECORD_Data rd;
+  enum GNUNET_GNSRECORD_Filter filter_flags = GNUNET_GNSRECORD_FILTER_NONE;
+
+  if (omit_private)
+    filter_flags |= GNUNET_GNSRECORD_FILTER_OMIT_PRIVATE;
+  if (include_maintenance)
+    filter_flags |= GNUNET_GNSRECORD_FILTER_INCLUDE_MAINTENANCE;
+  if (! (add | del | list | (NULL != nickstring) | (NULL != uri)
+         | (NULL != reverse_pkey) | (NULL != recordset) | (monitor)
+         | (purge_orphaned) | (list_orphaned) | (purge_zone)) )
+  {
+    /* nothing more to be done */
+    fprintf (stderr, _ ("No options given\n"));
+    finish_command ();
+    return;
+  }
+
+  if (NULL != recordset)
+  {
+    /* replace entire record set */
+    unsigned int rd_count;
+    struct GNUNET_GNSRECORD_Data *rd;
+
+    /* FIXME: We could easily support append and delete with this as well */
+    if (! add)
+    {
+      fprintf (stderr, _ ("Recordlines only work with option `%s'\n"),
+               "-a");
+      ret = 1;
+      finish_command ();
+      return;
+    }
+    if (NULL == name)
+    {
+      fprintf (stderr,
+               _ ("Missing option `%s' for operation `%s'\n"),
+               "-n",
+               _ ("name"));
+      ret = 1;
+      finish_command ();
+      return;
+    }
+    rd_count = 0;
+    for (struct RecordSetEntry *e = recordset; NULL != e; e = e->next)
+      rd_count++;
+    rd = GNUNET_new_array (rd_count, struct GNUNET_GNSRECORD_Data);
+    rd_count = 0;
+    for (struct RecordSetEntry *e = recordset; NULL != e; e = e->next)
+    {
+      rd[rd_count] = e->record;
+      rd_count++;
+    }
+    set_qe = GNUNET_NAMESTORE_record_set_store (ns,
+                                                &zone_pkey,
+                                                name,
+                                                rd_count,
+                                                rd,
+                                                &replace_cont,
+                                                NULL);
+    GNUNET_free (rd);
+    return;
+  }
+  if (NULL != nickstring)
+  {
+    if (0 == strlen (nickstring))
+    {
+      fprintf (stderr, _ ("Invalid nick `%s'\n"), nickstring);
+      ret = 1;
+      finish_command ();
+      return;
+    }
+    add = 1;
+    typestring = GNUNET_strdup (GNUNET_GNSRECORD_number_to_typename (
+                                  GNUNET_GNSRECORD_TYPE_NICK));
+    name = GNUNET_strdup (GNUNET_GNS_EMPTY_LABEL_AT);
+    value = GNUNET_strdup (nickstring);
+    is_public = 0;
+    expirationstring = GNUNET_strdup ("never");
+    GNUNET_free (nickstring);
+    nickstring = NULL;
+  }
+
+  if (add)
+  {
+    if (NULL == ego_name)
+    {
+      fprintf (stderr,
+               _ ("Missing option `%s' for operation `%s'\n"),
+               "-z",
+               _ ("add"));
+      ret = 1;
+      finish_command ();
+      return;
+    }
+    if (NULL == name)
+    {
+      fprintf (stderr,
+               _ ("Missing option `%s' for operation `%s'\n"),
+               "-n",
+               _ ("add"));
+      ret = 1;
+      finish_command ();
+      return;
+    }
+    if (NULL == typestring)
+    {
+      fprintf (stderr,
+               _ ("Missing option `%s' for operation `%s'\n"),
+               "-t",
+               _ ("add"));
+      ret = 1;
+      finish_command ();
+      return;
+    }
+    type = GNUNET_GNSRECORD_typename_to_number (typestring);
+    if (UINT32_MAX == type)
+    {
+      fprintf (stderr, _ ("Unsupported type `%s'\n"), typestring);
+      ret = 1;
+      finish_command ();
+      return;
+    }
+    if ((GNUNET_DNSPARSER_TYPE_SRV == type) ||
+        (GNUNET_DNSPARSER_TYPE_TLSA == type) ||
+        (GNUNET_DNSPARSER_TYPE_SMIMEA == type) ||
+        (GNUNET_DNSPARSER_TYPE_OPENPGPKEY == type))
+    {
+      fprintf (stderr,
+               _ (
+                 "For DNS record types `SRV', `TLSA', `SMIMEA' and `OPENPGPKEY'"));
+      fprintf (stderr, ", please use a `BOX' record instead\n");
+      ret = 1;
+      finish_command ();
+      return;
+    }
+    if (NULL == value)
+    {
+      fprintf (stderr,
+               _ ("Missing option `%s' for operation `%s'\n"),
+               "-V",
+               _ ("add"));
+      ret = 1;
+      finish_command ();
+      return;
+    }
+    if (GNUNET_OK !=
+        GNUNET_GNSRECORD_string_to_value (type, value, &data, &data_size))
+    {
+      fprintf (stderr,
+               _ ("Value `%s' invalid for record type `%s'\n"),
+               value,
+               typestring);
+      ret = 1;
+      finish_command ();
+      return;
+    }
+    if (NULL == expirationstring)
+    {
+      fprintf (stderr,
+               _ ("Missing option `%s' for operation `%s'\n"),
+               "-e",
+               _ ("add"));
+      ret = 1;
+      finish_command ();
+      return;
+    }
+    if (GNUNET_OK != parse_expiration (expirationstring, &etime_is_rel, &etime))
+    {
+      fprintf (stderr, _ ("Invalid time format `%s'\n"), expirationstring);
+      ret = 1;
+      finish_command ();
+      return;
+    }
+    add_qe = GNUNET_NAMESTORE_records_lookup (ns,
+                                              &zone_pkey,
+                                              name,
+                                              &add_error_cb,
+                                              NULL,
+                                              &get_existing_record,
+                                              NULL);
+  }
+  if (del)
+  {
+    if (NULL == ego_name)
+    {
+      fprintf (stderr,
+               _ ("Missing option `%s' for operation `%s'\n"),
+               "-z",
+               _ ("del"));
+      ret = 1;
+      finish_command ();
+      return;
+    }
+    if (NULL == name)
+    {
+      fprintf (stderr,
+               _ ("Missing option `%s' for operation `%s'\n"),
+               "-n",
+               _ ("del"));
+      ret = 1;
+      finish_command ();
+      return;
+    }
+    del_qe = GNUNET_NAMESTORE_records_lookup2 (ns,
+                                               &zone_pkey,
+                                               name,
+                                               &del_lookup_error_cb,
+                                               NULL,
+                                               &del_monitor,
+                                               NULL,
+                                               filter_flags);
+  }
+  if (purge_orphaned)
+  {
+    list_it = GNUNET_NAMESTORE_zone_iteration_start2 (ns,
+                                                      NULL,
+                                                      &zone_iteration_error_cb,
+                                                      NULL,
+                                                      &purge_orphans_iterator,
+                                                      NULL,
+                                                      &zone_iteration_finished,
+                                                      NULL,
+                                                      filter_flags);
+
+  }
+  else if (purge_zone)
+  {
+    if (NULL == ego_name)
+    {
+      fprintf (stderr,
+               _ ("Missing option `%s' for operation `%s'\n"),
+               "-z",
+               _ ("purge-zone"));
+      ret = 1;
+      finish_command ();
+      return;
+    }
+    list_it = GNUNET_NAMESTORE_zone_iteration_start2 (ns,
+                                                      &zone_pkey,
+                                                      &zone_iteration_error_cb,
+                                                      NULL,
+                                                      &purge_zone_iterator,
+                                                      NULL,
+                                                      &zone_iteration_finished,
+                                                      NULL,
+                                                      filter_flags);
+
+  }
+  else if (list || list_orphaned)
+  {
+    if (NULL != name)
+    {
+      if (NULL == ego_name)
+      {
+        fprintf (stderr,
+                 _ ("Missing option `%s' for operation `%s'\n"),
+                 "-z",
+                 _ ("list"));
+        ret = 1;
+        finish_command ();
+        return;
+      }
+      get_qe = GNUNET_NAMESTORE_records_lookup (ns,
+                                                &zone_pkey,
+                                                name,
+                                                &lookup_error_cb,
+                                                NULL,
+                                                &display_record_lookup,
+                                                NULL);
+    }
+    else
+      list_it = GNUNET_NAMESTORE_zone_iteration_start2 (ns,
+                                                        (NULL == ego_name) ?
+                                                        NULL : &zone_pkey,
+                                                        &zone_iteration_error_cb,
+                                                        NULL,
+                                                        &display_record_iterator,
+                                                        NULL,
+                                                        &zone_iteration_finished,
+                                                        NULL,
+                                                        filter_flags);
+  }
+  if (NULL != reverse_pkey)
+  {
+    struct GNUNET_CRYPTO_PublicKey pubkey;
+
+    if (NULL == ego_name)
+    {
+      fprintf (stderr,
+               _ ("Missing option `%s' for operation `%s'\n"),
+               "-z",
+               _ ("reverse-pkey"));
+      ret = 1;
+      finish_command ();
+      return;
+    }
+    if (GNUNET_OK !=
+        GNUNET_CRYPTO_public_key_from_string (reverse_pkey,
+                                              &pubkey))
+    {
+      fprintf (stderr,
+               _ ("Invalid public key for reverse lookup `%s'\n"),
+               reverse_pkey);
+      ret = 1;
+      finish_command ();
+      return;
+    }
+    reverse_qe = GNUNET_NAMESTORE_zone_to_name (ns,
+                                                &zone_pkey,
+                                                &pubkey,
+                                                &reverse_error_cb,
+                                                NULL,
+                                                &handle_reverse_lookup,
+                                                NULL);
+  }
+  if (NULL != uri)
+  {
+    char sh[105];
+    char sname[64];
+    struct GNUNET_CRYPTO_PublicKey pkey;
+    if (NULL == ego_name)
+    {
+      fprintf (stderr,
+               _ ("Missing option `%s' for operation `%s'\n"),
+               "-z",
+               _ ("uri"));
+      ret = 1;
+      finish_command ();
+      return;
+    }
+
+    memset (sh, 0, 105);
+    memset (sname, 0, 64);
+
+    if ((2 != (sscanf (uri, "gnunet://gns/%58s/%63s", sh, sname))) ||
+        (GNUNET_OK !=
+         GNUNET_CRYPTO_public_key_from_string (sh, &pkey)))
+    {
+      fprintf (stderr, _ ("Invalid URI `%s'\n"), uri);
+      ret = 1;
+      finish_command ();
+      return;
+    }
+    if (NULL == expirationstring)
+    {
+      fprintf (stderr,
+               _ ("Missing option `%s' for operation `%s'\n"),
+               "-e",
+               _ ("add"));
+      ret = 1;
+      finish_command ();
+      return;
+    }
+    if (GNUNET_OK != parse_expiration (expirationstring, &etime_is_rel, &etime))
+    {
+      fprintf (stderr, _ ("Invalid time format `%s'\n"), expirationstring);
+      ret = 1;
+      finish_command ();
+      return;
+    }
+    memset (&rd, 0, sizeof(rd));
+    rd.data = &pkey;
+    rd.data_size = GNUNET_CRYPTO_public_key_get_length (&pkey);
+    rd.record_type = ntohl (pkey.type);
+    rd.expiration_time = etime;
+    if (GNUNET_YES == etime_is_rel)
+      rd.flags |= GNUNET_GNSRECORD_RF_RELATIVE_EXPIRATION;
+    if (1 == is_shadow)
+      rd.flags |= GNUNET_GNSRECORD_RF_SHADOW;
+    if (1 == is_maintenance)
+      rd.flags |= GNUNET_GNSRECORD_RF_MAINTENANCE;
+    add_qe_uri = GNUNET_NAMESTORE_record_set_store (ns,
+                                                    &zone_pkey,
+                                                    sname,
+                                                    1,
+                                                    &rd,
+                                                    &add_continuation,
+                                                    &add_qe_uri);
+  }
+  if (monitor)
+  {
+    zm = GNUNET_NAMESTORE_zone_monitor_start2 (cfg,
+                                               (NULL != ego_name) ?
+                                               &zone_pkey : NULL,
+                                               GNUNET_YES,
+                                               &monitor_error_cb,
+                                               NULL,
+                                               &display_record_monitor,
+                                               NULL,
+                                               &sync_cb,
+                                               NULL,
+                                               filter_flags);
+  }
+}
+
+
+#define MAX_LINE_LEN 4086
+
+#define MAX_ARGS 20
+
+static int
+get_identity_for_string (const char *str,
+                         struct GNUNET_CRYPTO_PrivateKey *zk)
+{
+  const struct GNUNET_CRYPTO_PrivateKey *privkey;
+  struct GNUNET_CRYPTO_PublicKey pubkey;
+  struct GNUNET_CRYPTO_PublicKey ego_pubkey;
+  struct EgoEntry *ego_entry;
+
+  if (GNUNET_OK == GNUNET_CRYPTO_public_key_from_string (str,
+                                                         &pubkey))
+  {
+    for (ego_entry = ego_head;
+         NULL != ego_entry; ego_entry = ego_entry->next)
+    {
+      privkey = GNUNET_IDENTITY_ego_get_private_key (ego_entry->ego);
+      GNUNET_IDENTITY_ego_get_public_key (ego_entry->ego, &ego_pubkey);
+      if (0 == memcmp (&ego_pubkey, &pubkey, sizeof (pubkey)))
+      {
+        *zk = *privkey;
+        return GNUNET_OK;
+      }
+    }
+  }
+  else
+  {
+    for (ego_entry = ego_head; NULL != ego_entry; ego_entry = ego_entry->next)
+    {
+      /** FIXME: Check for zTLD? **/
+      if (0 != strcmp (str, ego_entry->identifier))
+        continue;
+      *zk = *GNUNET_IDENTITY_ego_get_private_key (ego_entry->ego);
+      return GNUNET_OK;
+    }
+  }
+  return GNUNET_NO;
+}
+
+
+static void
+process_command_stdin ()
+{
+  char buf[MAX_LINE_LEN];
+  static struct GNUNET_CRYPTO_PrivateKey next_zone_key;
+  static char next_name[GNUNET_DNSPARSER_MAX_NAME_LENGTH];
+  static int finished = GNUNET_NO;
+  static int have_next_zonekey = GNUNET_NO;
+  int zonekey_set = GNUNET_NO;
+  char *tmp;
+
+
+  if (GNUNET_YES == have_next_zonekey)
+  {
+    zone_pkey = next_zone_key;
+    if (NULL != name)
+      GNUNET_free (name);
+    name = GNUNET_strdup (next_name);
+    zonekey_set = GNUNET_YES;
+  }
+  while (NULL != fgets (buf, sizeof (buf), stdin))
+  {
+    if (1 >= strlen (buf))
+      continue;
+    if (buf[strlen (buf) - 1] == '\n')
+      buf[strlen (buf) - 1] = '\0';
+    /**
+     * Check if this is a new name. If yes, and we have records, store them.
+     */
+    if (buf[strlen (buf) - 1] == ':')
+    {
+      memset (next_name, 0, sizeof (next_name));
+      strncpy (next_name, buf, strlen (buf) - 1);
+      tmp = strchr (next_name, '.');
+      if (NULL == tmp)
+      {
+        fprintf (stderr, "Error parsing name `%s'\n", next_name);
+        GNUNET_SCHEDULER_shutdown ();
+        ret = 1;
+        return;
+      }
+      if (GNUNET_OK != get_identity_for_string (tmp + 1, &next_zone_key))
+      {
+        fprintf (stderr, "Error parsing zone name `%s'\n", tmp + 1);
+        ret = 1;
+        GNUNET_SCHEDULER_shutdown ();
+        return;
+      }
+      *tmp = '\0';
+      have_next_zonekey = GNUNET_YES;
+      /* Run a command for the previous record set */
+      if (NULL != recordset)
+      {
+        run_with_zone_pkey (cfg);
+        return;
+      }
+      zone_pkey = next_zone_key;
+      if (NULL != name)
+        GNUNET_free (name);
+      name = GNUNET_strdup (next_name);
+      zonekey_set = GNUNET_YES;
+      continue;
+    }
+    if (GNUNET_NO == zonekey_set)
+    {
+      fprintf (stderr, "Warning, encountered recordline without zone\n");
+      continue;
+    }
+    parse_recordline (buf);
+  }
+  if (GNUNET_NO == finished)
+  {
+    if (NULL != recordset)
+    {
+      if (GNUNET_YES == zonekey_set)
+      {
+        run_with_zone_pkey (cfg); /** one last time **/
+        finished = GNUNET_YES;
+        return;
+      }
+      fprintf (stderr, "Warning, encountered recordline without zone\n");
+    }
+  }
+  GNUNET_SCHEDULER_shutdown ();
+  return;
+}
+
+
+/**
+ * Function called with ALL of the egos known to the
+ * identity service, used on startup if the user did
+ * not specify a zone on the command-line.
+ * Once the iteration is done (@a ego is NULL), we
+ * ask for the default ego for "namestore".
+ *
+ * @param cls a `struct GNUNET_CONFIGURATION_Handle`
+ * @param ego an ego, NULL for end of iteration
+ * @param ctx NULL
+ * @param name name associated with @a ego
+ */
+static void
+id_connect_cb (void *cls,
+               struct GNUNET_IDENTITY_Ego *ego,
+               void **ctx,
+               const char *name)
+{
+  struct GNUNET_CRYPTO_PublicKey pk;
+  struct EgoEntry *ego_entry;
+
+  (void) ctx;
+  (void) name;
+  if ((NULL != name) && (NULL != ego))
+  {
+    ego_entry = GNUNET_new (struct EgoEntry);
+    GNUNET_IDENTITY_ego_get_public_key (ego, &pk);
+    ego_entry->ego = ego;
+    ego_entry->identifier = GNUNET_strdup (name);
+    GNUNET_CONTAINER_DLL_insert_tail (ego_head,
+                                      ego_tail,
+                                      ego_entry);
+    if ((NULL != ego_name) &&
+        (0 == strcmp (name, ego_name)))
+      zone_pkey = *GNUNET_IDENTITY_ego_get_private_key (ego);
+    return;
+  }
+  if (NULL != ego)
+    return;
+  if (read_from_stdin)
+  {
+    process_command_stdin ();
+    return;
+  }
+  run_with_zone_pkey (cfg);
+}
+
+
+/**
+ * Main function that will be run.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param cfg configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *_cfg)
+{
+  (void) cls;
+  (void) args;
+  (void) cfgfile;
+  cfg = _cfg;
+  if (NULL != args[0])
+    GNUNET_log (
+      GNUNET_ERROR_TYPE_WARNING,
+      _ ("Superfluous command line arguments (starting with `%s') ignored\n"),
+      args[0]);
+
+  GNUNET_SCHEDULER_add_shutdown (&do_shutdown, (void *) cfg);
+  ns = GNUNET_NAMESTORE_connect (cfg);
+  if (NULL == ns)
+  {
+    fprintf (stderr, _ ("Failed to connect to namestore\n"));
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  idh = GNUNET_IDENTITY_connect (cfg, &id_connect_cb, (void *) cfg);
+  if (NULL == idh)
+  {
+    ret = -1;
+    fprintf (stderr, _ ("Cannot connect to identity service\n"));
+    GNUNET_SCHEDULER_shutdown ();
+  }
+}
+
+
+/**
+ * The main function for gnunet-namestore.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc, char *const *argv)
+{
+  int lret;
+  struct GNUNET_GETOPT_CommandLineOption options[] =
+  { GNUNET_GETOPT_option_flag ('a', "add", gettext_noop ("add record"), &add),
+    GNUNET_GETOPT_option_flag ('d',
+                               "delete",
+                               gettext_noop ("delete record"),
+                               &del),
+    GNUNET_GETOPT_option_flag ('D',
+                               "display",
+                               gettext_noop ("display records"),
+                               &list),
+    GNUNET_GETOPT_option_flag ('S',
+                               "from-stdin",
+                               gettext_noop ("read commands from stdin"),
+                               &read_from_stdin),
+    GNUNET_GETOPT_option_string (
+      'e',
+      "expiration",
+      "TIME",
+      gettext_noop (
+        "expiration time for record to use (for adding only), \"never\" is possible"),
+      &expirationstring),
+    GNUNET_GETOPT_option_string ('i',
+                                 "nick",
+                                 "NICKNAME",
+                                 gettext_noop (
+                                   "set the desired nick name for the zone"),
+                                 &nickstring),
+    GNUNET_GETOPT_option_flag ('m',
+                               "monitor",
+                               gettext_noop (
+                                 "monitor changes in the namestore"),
+                               &monitor),
+    GNUNET_GETOPT_option_string ('n',
+                                 "name",
+                                 "NAME",
+                                 gettext_noop (
+                                   "name of the record to add/delete/display"),
+                                 &name),
+    GNUNET_GETOPT_option_flag ('r',
+                               "recordline",
+                               gettext_noop ("Output in recordline format"),
+                               &output_recordline),
+    GNUNET_GETOPT_option_string ('Z',
+                                 "zone-to-name",
+                                 "KEY",
+                                 gettext_noop (
+                                   "determine our name for the given KEY"),
+                                 &reverse_pkey),
+    GNUNET_GETOPT_option_string ('t',
+                                 "type",
+                                 "TYPE",
+                                 gettext_noop (
+                                   "type of the record to add/delete/display"),
+                                 &typestring),
+    GNUNET_GETOPT_option_string ('u',
+                                 "uri",
+                                 "URI",
+                                 gettext_noop ("URI to import into our zone"),
+                                 &uri),
+    GNUNET_GETOPT_option_string ('V',
+                                 "value",
+                                 "VALUE",
+                                 gettext_noop (
+                                   "value of the record to add/delete"),
+                                 &value),
+    GNUNET_GETOPT_option_flag ('p',
+                               "public",
+                               gettext_noop ("create or list public record"),
+                               &is_public),
+    GNUNET_GETOPT_option_flag ('o',
+                               "omit-private",
+                               gettext_noop ("omit private records"),
+                               &omit_private),
+    GNUNET_GETOPT_option_flag ('T',
+                               "include-maintenance",
+                               gettext_noop (
+                                 "do not filter maintenance records"),
+                               &include_maintenance),
+    GNUNET_GETOPT_option_flag ('P',
+                               "purge-orphans",
+                               gettext_noop (
+                                 "purge namestore of all orphans"),
+                               &purge_orphaned),
+    GNUNET_GETOPT_option_flag ('O',
+                               "list-orphans",
+                               gettext_noop (
+                                 "show private key for orphaned records for recovery using `gnunet-identity -C -P <key>'. Use in combination with --display"),
+                               &list_orphaned),
+    GNUNET_GETOPT_option_flag ('X',
+                               "purge-zone-records",
+                               gettext_noop (
+                                 "delete all records in specified zone"),
+                               &purge_zone),
+    GNUNET_GETOPT_option_flag (
+      's',
+      "shadow",
+      gettext_noop (
+        "create shadow record (only valid if all other records of the same type have expired)"),
+      &is_shadow),
+    GNUNET_GETOPT_option_flag (
+      'M',
+      "maintenance",
+      gettext_noop (
+        "create maintenance record (e.g TOMBSTONEs)"),
+      &is_maintenance),
+    GNUNET_GETOPT_option_string ('z',
+                                 "zone",
+                                 "EGO",
+                                 gettext_noop (
+                                   "name of the ego controlling the zone"),
+                                 &ego_name),
+    GNUNET_GETOPT_OPTION_END };
+
+
+  if (GNUNET_OK != GNUNET_STRINGS_get_utf8_args (argc, argv, &argc, &argv))
+    return 2;
+
+  is_public = -1;
+  is_shadow = -1;
+  is_maintenance = -1;
+  GNUNET_log_setup ("gnunet-namestore", "WARNING", NULL);
+  if (GNUNET_OK !=
+      (lret = GNUNET_PROGRAM_run (argc,
+                                  argv,
+                                  "gnunet-namestore",
+                                  _ ("GNUnet zone manipulation tool"),
+                                  options,
+                                  &run,
+                                  NULL)))
+  {
+    GNUNET_free_nz ((void *) argv);
+    // FIXME
+    // GNUNET_CRYPTO_ecdsa_key_clear (&zone_pkey);
+    return lret;
+  }
+  GNUNET_free_nz ((void *) argv);
+  // FIXME
+  // GNUNET_CRYPTO_ecdsa_key_clear (&zone_pkey);
+  return ret;
+}
+
+
+/* end of gnunet-namestore.c */
diff --git a/src/cli/namestore/gnunet-zoneimport.c b/src/cli/namestore/gnunet-zoneimport.c
new file mode 100644
index 000000000..aaed808dd
--- /dev/null
+++ b/src/cli/namestore/gnunet-zoneimport.c
@@ -0,0 +1,1882 @@
+/*
+     This file is part of GNUnet
+     Copyright (C) 2018 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file src/namestore/gnunet-zoneimport.c
+ * @brief import a DNS zone for publication in GNS, incremental
+ * @author Christian Grothoff
+ */
+#include <gnunet_util_lib.h>
+#include <gnunet_gnsrecord_lib.h>
+#include <gnunet_namestore_service.h>
+#include <gnunet_statistics_service.h>
+#include <gnunet_identity_service.h>
+
+
+/**
+ * Maximum number of queries pending at the same time.
+ */
+#define THRESH 100
+
+/**
+ * TIME_THRESH is in usecs.  How quickly do we submit fresh queries.
+ * Used as an additional throttle.
+ */
+#define TIME_THRESH 10
+
+/**
+ * How often do we retry a query before giving up for good?
+ */
+#define MAX_RETRIES 5
+
+/**
+ * How many DNS requests do we at most issue in rapid series?
+ */
+#define MAX_SERIES 10
+
+/**
+ * How long do we wait at least between series of requests?
+ */
+#define SERIES_DELAY \
+        GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_MICROSECONDS, 10)
+
+/**
+ * How long do DNS records have to last at least after being imported?
+ */
+static struct GNUNET_TIME_Relative minimum_expiration_time;
+
+/**
+ * How many requests do we request from NAMESTORE in one batch
+ * during our initial iteration?
+ */
+#define NS_BATCH_SIZE 1024
+
+/**
+ * Some zones may include authoritative records for other
+ * zones, such as foo.com.uk or bar.com.fr.  As for GNS
+ * each dot represents a zone cut, we then need to create a
+ * zone on-the-fly to capture those records properly.
+ */
+struct Zone
+{
+  /**
+   * Kept in a DLL.
+   */
+  struct Zone *next;
+
+  /**
+   * Kept in a DLL.
+   */
+  struct Zone *prev;
+
+  /**
+   * Domain of the zone (i.e. "fr" or "com.fr")
+   */
+  char *domain;
+
+  /**
+   * Private key of the zone.
+   */
+  struct GNUNET_CRYPTO_PrivateKey key;
+};
+
+
+/**
+ * Record for the request to be stored by GNS.
+ */
+struct Record
+{
+  /**
+   * Kept in a DLL.
+   */
+  struct Record *next;
+
+  /**
+   * Kept in a DLL.
+   */
+  struct Record *prev;
+
+  /**
+   * GNS record.
+   */
+  struct GNUNET_GNSRECORD_Data grd;
+};
+
+
+/**
+ * Request we should make.  We keep this struct in memory per request,
+ * thus optimizing it is crucial for the overall memory consumption of
+ * the zone importer.
+ */
+struct Request
+{
+  /**
+   * Requests are kept in a heap while waiting to be resolved.
+   */
+  struct GNUNET_CONTAINER_HeapNode *hn;
+
+  /**
+   * Active requests are kept in a DLL.
+   */
+  struct Request *next;
+
+  /**
+   * Active requests are kept in a DLL.
+   */
+  struct Request *prev;
+
+  /**
+   * Head of records that should be published in GNS for
+   * this hostname.
+   */
+  struct Record *rec_head;
+
+  /**
+   * Tail of records that should be published in GNS for
+   * this hostname.
+   */
+  struct Record *rec_tail;
+
+  /**
+   * Socket used to make the request, NULL if not active.
+   */
+  struct GNUNET_DNSSTUB_RequestSocket *rs;
+
+  /**
+   * Hostname we are resolving, allocated at the end of
+   * this struct (optimizing memory consumption by reducing
+   * total number of allocations).
+   */
+  char *hostname;
+
+  /**
+   * Namestore operation pending for this record.
+   */
+  struct GNUNET_NAMESTORE_QueueEntry *qe;
+
+  /**
+   * Zone responsible for this request.
+   */
+  const struct Zone *zone;
+
+  /**
+   * At what time does the (earliest) of the returned records
+   * for this name expire? At this point, we need to re-fetch
+   * the record.
+   */
+  struct GNUNET_TIME_Absolute expires;
+
+  /**
+   * While we are fetching the record, the value is set to the
+   * starting time of the DNS operation.  While doing a
+   * NAMESTORE store, again set to the start time of the
+   * NAMESTORE operation.
+   */
+  struct GNUNET_TIME_Absolute op_start_time;
+
+  /**
+   * How often did we issue this query? (And failed, reset
+   * to zero once we were successful.)
+   */
+  unsigned int issue_num;
+
+  /**
+   * random 16-bit DNS query identifier.
+   */
+  uint16_t id;
+};
+
+
+/**
+ * Command-line argument specifying desired size of the hash map with
+ * all of our pending names.  Usually, we use an automatically growing
+ * map, but this is only OK up to about a million entries.  Above that
+ * number, the user must explicitly specify the size at startup.
+ */
+static unsigned int map_size = 1024;
+
+/**
+ * Handle to the identity service.
+ */
+static struct GNUNET_IDENTITY_Handle *id;
+
+/**
+ * Namestore handle.
+ */
+static struct GNUNET_NAMESTORE_Handle *ns;
+
+/**
+ * Handle to the statistics service.
+ */
+static struct GNUNET_STATISTICS_Handle *stats;
+
+/**
+ * Context for DNS resolution.
+ */
+static struct GNUNET_DNSSTUB_Context *ctx;
+
+/**
+ * The number of DNS queries that are outstanding
+ */
+static unsigned int pending;
+
+/**
+ * The number of NAMESTORE record store operations that are outstanding
+ */
+static unsigned int pending_rs;
+
+/**
+ * Number of lookups we performed overall.
+ */
+static unsigned int lookups;
+
+/**
+ * Number of records we had cached.
+ */
+static unsigned int cached;
+
+/**
+ * How many hostnames did we reject (malformed).
+ */
+static unsigned int rejects;
+
+/**
+ * Number of lookups that failed.
+ */
+static unsigned int failures;
+
+/**
+ * Number of records we found.
+ */
+static unsigned int records;
+
+/**
+ * Number of record sets given to namestore.
+ */
+static unsigned int record_sets;
+
+/**
+ * Heap of all requests to perform, sorted by
+ * the time we should next do the request (i.e. by expires).
+ */
+static struct GNUNET_CONTAINER_Heap *req_heap;
+
+/**
+ * Active requests are kept in a DLL.
+ */
+static struct Request *req_head;
+
+/**
+ * Active requests are kept in a DLL.
+ */
+static struct Request *req_tail;
+
+/**
+ * Main task.
+ */
+static struct GNUNET_SCHEDULER_Task *t;
+
+/**
+ * Hash map of requests for which we may still get a response from
+ * the namestore.  Set to NULL once the initial namestore iteration
+ * is done.
+ */
+static struct GNUNET_CONTAINER_MultiHashMap *ns_pending;
+
+/**
+ * Current zone iteration handle.
+ */
+static struct GNUNET_NAMESTORE_ZoneIterator *zone_it;
+
+/**
+ * Head of list of zones we are managing.
+ */
+static struct Zone *zone_head;
+
+/**
+ * Tail of list of zones we are managing.
+ */
+static struct Zone *zone_tail;
+
+/**
+ * After how many more results must #ns_lookup_result_cb() ask
+ * the namestore for more?
+ */
+static uint64_t ns_iterator_trigger_next;
+
+/**
+ * Number of DNS requests counted in latency total.
+ */
+static uint64_t total_dns_latency_cnt;
+
+/**
+ * Sum of DNS latencies observed.
+ */
+static struct GNUNET_TIME_Relative total_dns_latency;
+
+/**
+ * Number of records processed (DNS lookup, no NAMESTORE) in total.
+ */
+static uint64_t total_reg_proc_dns;
+
+/**
+ * Number of records processed (DNS lookup, with NAMESTORE) in total.
+ */
+static uint64_t total_reg_proc_dns_ns;
+
+/**
+ * Start time of the regular processing.
+ */
+static struct GNUNET_TIME_Absolute start_time_reg_proc;
+
+/**
+ * Last time we worked before going idle.
+ */
+static struct GNUNET_TIME_Absolute sleep_time_reg_proc;
+
+/**
+ * Time we slept just waiting for work.
+ */
+static struct GNUNET_TIME_Relative idle_time;
+
+
+/**
+ * Callback for #for_all_records
+ *
+ * @param cls closure
+ * @param rec a DNS record
+ */
+typedef void (*RecordProcessor) (void *cls,
+                                 const struct GNUNET_DNSPARSER_Record *rec);
+
+
+/**
+ * Call @a rp for each record in @a p, regardless of
+ * what response section it is in.
+ *
+ * @param p packet from DNS
+ * @param rp function to call
+ * @param rp_cls closure for @a rp
+ */
+static void
+for_all_records (const struct GNUNET_DNSPARSER_Packet *p,
+                 RecordProcessor rp,
+                 void *rp_cls)
+{
+  for (unsigned int i = 0; i < p->num_answers; i++)
+  {
+    struct GNUNET_DNSPARSER_Record *rs = &p->answers[i];
+
+    rp (rp_cls, rs);
+  }
+  for (unsigned int i = 0; i < p->num_authority_records; i++)
+  {
+    struct GNUNET_DNSPARSER_Record *rs = &p->authority_records[i];
+
+    rp (rp_cls, rs);
+  }
+  for (unsigned int i = 0; i < p->num_additional_records; i++)
+  {
+    struct GNUNET_DNSPARSER_Record *rs = &p->additional_records[i];
+
+    rp (rp_cls, rs);
+  }
+}
+
+
+/**
+ * Return just the label of the hostname in @a req.
+ *
+ * @param req request to process hostname of
+ * @return statically allocated pointer to the label,
+ *         overwritten upon the next request!
+ */
+static const char *
+get_label (struct Request *req)
+{
+  static char label[64];
+  const char *dot;
+
+  dot = strchr (req->hostname, (unsigned char) '.');
+  if (NULL == dot)
+  {
+    GNUNET_break (0);
+    return NULL;
+  }
+  if (((size_t) (dot - req->hostname)) >= sizeof(label))
+  {
+    GNUNET_break (0);
+    return NULL;
+  }
+  GNUNET_memcpy (label, req->hostname, dot - req->hostname);
+  label[dot - req->hostname] = '\0';
+  return label;
+}
+
+
+/**
+ * Build DNS query for @a hostname.
+ *
+ * @param hostname host to build query for
+ * @param[out] raw_size number of bytes in the query
+ * @return NULL on error, otherwise pointer to statically (!)
+ *         allocated query buffer
+ */
+static void *
+build_dns_query (struct Request *req, size_t *raw_size)
+{
+  static char raw[512];
+  char *rawp;
+  struct GNUNET_DNSPARSER_Packet p;
+  struct GNUNET_DNSPARSER_Query q;
+  int ret;
+
+  q.name = (char *) req->hostname;
+  q.type = GNUNET_DNSPARSER_TYPE_NS;
+  q.dns_traffic_class = GNUNET_TUN_DNS_CLASS_INTERNET;
+
+  memset (&p, 0, sizeof(p));
+  p.num_queries = 1;
+  p.queries = &q;
+  p.id = req->id;
+  ret = GNUNET_DNSPARSER_pack (&p, UINT16_MAX, &rawp, raw_size);
+  if (GNUNET_OK != ret)
+  {
+    if (GNUNET_NO == ret)
+      GNUNET_free (rawp);
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Failed to pack query for hostname `%s'\n",
+                req->hostname);
+    rejects++;
+    return NULL;
+  }
+  if (*raw_size > sizeof(raw))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Failed to pack query for hostname `%s'\n",
+                req->hostname);
+    rejects++;
+    GNUNET_break (0);
+    GNUNET_free (rawp);
+    return NULL;
+  }
+  GNUNET_memcpy (raw, rawp, *raw_size);
+  GNUNET_free (rawp);
+  return raw;
+}
+
+
+/**
+ * Free records associated with @a req.
+ *
+ * @param req request to free records of
+ */
+static void
+free_records (struct Request *req)
+{
+  struct Record *rec;
+
+  /* Free records */
+  while (NULL != (rec = req->rec_head))
+  {
+    GNUNET_CONTAINER_DLL_remove (req->rec_head, req->rec_tail, rec);
+    GNUNET_free (rec);
+  }
+}
+
+
+/**
+ * Free @a req and data structures reachable from it.
+ *
+ * @param req request to free
+ */
+static void
+free_request (struct Request *req)
+{
+  free_records (req);
+  GNUNET_free (req);
+}
+
+
+/**
+ * Process as many requests as possible from the queue.
+ *
+ * @param cls NULL
+ */
+static void
+process_queue (void *cls);
+
+
+/**
+ * Insert @a req into DLL sorted by next fetch time.
+ *
+ * @param req request to insert into #req_heap
+ */
+static void
+insert_sorted (struct Request *req)
+{
+  req->hn =
+    GNUNET_CONTAINER_heap_insert (req_heap, req, req->expires.abs_value_us);
+  if (req == GNUNET_CONTAINER_heap_peek (req_heap))
+  {
+    if (NULL != t)
+      GNUNET_SCHEDULER_cancel (t);
+    sleep_time_reg_proc = GNUNET_TIME_absolute_get ();
+    t = GNUNET_SCHEDULER_add_at (req->expires, &process_queue, NULL);
+  }
+}
+
+
+/**
+ * Add record to the GNS record set for @a req.
+ *
+ * @param req the request to expand GNS record set for
+ * @param type type to use
+ * @param expiration_time when should @a rec expire
+ * @param data raw data to store
+ * @param data_len number of bytes in @a data
+ */
+static void
+add_record (struct Request *req,
+            uint32_t type,
+            struct GNUNET_TIME_Absolute expiration_time,
+            const void *data,
+            size_t data_len)
+{
+  struct Record *rec;
+
+  rec = GNUNET_malloc (sizeof(struct Record) + data_len);
+  rec->grd.data = &rec[1];
+  rec->grd.expiration_time = expiration_time.abs_value_us;
+  rec->grd.data_size = data_len;
+  rec->grd.record_type = type;
+  rec->grd.flags = GNUNET_GNSRECORD_RF_NONE;
+  GNUNET_memcpy (&rec[1], data, data_len);
+  GNUNET_CONTAINER_DLL_insert (req->rec_head, req->rec_tail, rec);
+}
+
+
+/**
+ * Closure for #check_for_glue.
+ */
+struct GlueClosure
+{
+  /**
+   * Overall request we are processing.
+   */
+  struct Request *req;
+
+  /**
+   * NS name we are looking for glue for.
+   */
+  const char *ns;
+
+  /**
+   * Set to #GNUNET_YES if glue was found.
+   */
+  int found;
+};
+
+
+/**
+ * Try to find glue records for a given NS record.
+ *
+ * @param cls a `struct GlueClosure *`
+ * @param rec record that may contain glue information
+ */
+static void
+check_for_glue (void *cls, const struct GNUNET_DNSPARSER_Record *rec)
+{
+  struct GlueClosure *gc = cls;
+  char dst[65536];
+  size_t dst_len;
+  size_t off;
+  char ip[INET6_ADDRSTRLEN + 1];
+  socklen_t ip_size = (socklen_t) sizeof(ip);
+  struct GNUNET_TIME_Absolute expiration_time;
+  struct GNUNET_TIME_Relative left;
+
+  if (0 != strcasecmp (rec->name, gc->ns))
+    return;
+  expiration_time = rec->expiration_time;
+  left = GNUNET_TIME_absolute_get_remaining (expiration_time);
+  if (0 == left.rel_value_us)
+    return; /* ignore expired glue records */
+  /* if expiration window is too short, bump it to configured minimum */
+  if (left.rel_value_us < minimum_expiration_time.rel_value_us)
+    expiration_time =
+      GNUNET_TIME_relative_to_absolute (minimum_expiration_time);
+  dst_len = sizeof(dst);
+  off = 0;
+  switch (rec->type)
+  {
+  case GNUNET_DNSPARSER_TYPE_A:
+    if (sizeof(struct in_addr) != rec->data.raw.data_len)
+    {
+      GNUNET_break (0);
+      return;
+    }
+    if (NULL == inet_ntop (AF_INET, rec->data.raw.data, ip, ip_size))
+    {
+      GNUNET_break (0);
+      return;
+    }
+    if ((GNUNET_OK == GNUNET_DNSPARSER_builder_add_name (dst,
+                                                         dst_len,
+                                                         &off,
+                                                         gc->req->hostname)) &&
+        (GNUNET_OK ==
+         GNUNET_DNSPARSER_builder_add_name (dst, dst_len, &off, ip)))
+    {
+      add_record (gc->req,
+                  GNUNET_GNSRECORD_TYPE_GNS2DNS,
+                  expiration_time,
+                  dst,
+                  off);
+      gc->found = GNUNET_YES;
+    }
+    break;
+
+  case GNUNET_DNSPARSER_TYPE_AAAA:
+    if (sizeof(struct in6_addr) != rec->data.raw.data_len)
+    {
+      GNUNET_break (0);
+      return;
+    }
+    if (NULL == inet_ntop (AF_INET6, rec->data.raw.data, ip, ip_size))
+    {
+      GNUNET_break (0);
+      return;
+    }
+    if ((GNUNET_OK == GNUNET_DNSPARSER_builder_add_name (dst,
+                                                         dst_len,
+                                                         &off,
+                                                         gc->req->hostname)) &&
+        (GNUNET_OK ==
+         GNUNET_DNSPARSER_builder_add_name (dst, dst_len, &off, ip)))
+    {
+      add_record (gc->req,
+                  GNUNET_GNSRECORD_TYPE_GNS2DNS,
+                  expiration_time,
+                  dst,
+                  off);
+      gc->found = GNUNET_YES;
+    }
+    break;
+
+  case GNUNET_DNSPARSER_TYPE_CNAME:
+    if ((GNUNET_OK == GNUNET_DNSPARSER_builder_add_name (dst,
+                                                         dst_len,
+                                                         &off,
+                                                         gc->req->hostname)) &&
+        (GNUNET_OK == GNUNET_DNSPARSER_builder_add_name (dst,
+                                                         dst_len,
+                                                         &off,
+                                                         rec->data.hostname)))
+    {
+      add_record (gc->req,
+                  GNUNET_GNSRECORD_TYPE_GNS2DNS,
+                  expiration_time,
+                  dst,
+                  off);
+      gc->found = GNUNET_YES;
+    }
+    break;
+
+  default:
+    /* useless, do nothing */
+    break;
+  }
+}
+
+
+/**
+ * Closure for #process_record().
+ */
+struct ProcessRecordContext
+{
+  /**
+   * Answer we got back and are currently parsing, or NULL
+   * if not active.
+   */
+  struct GNUNET_DNSPARSER_Packet *p;
+
+  /**
+   * Request we are processing.
+   */
+  struct Request *req;
+};
+
+
+/**
+ * We received @a rec for @a req. Remember the answer.
+ *
+ * @param cls a `struct ProcessRecordContext`
+ * @param rec response
+ */
+static void
+process_record (void *cls, const struct GNUNET_DNSPARSER_Record *rec)
+{
+  struct ProcessRecordContext *prc = cls;
+  struct Request *req = prc->req;
+  char dst[65536];
+  size_t dst_len;
+  size_t off;
+  struct GNUNET_TIME_Absolute expiration_time;
+  struct GNUNET_TIME_Relative left;
+
+  dst_len = sizeof(dst);
+  off = 0;
+  records++;
+  if (0 != strcasecmp (rec->name, req->hostname))
+  {
+    GNUNET_log (
+      GNUNET_ERROR_TYPE_DEBUG,
+      "DNS returned record from zone `%s' of type %u while resolving `%s'\n",
+      rec->name,
+      (unsigned int) rec->type,
+      req->hostname);
+    return;   /* does not match hostname, might be glue, but
+                 not useful for this pass! */
+  }
+  expiration_time = rec->expiration_time;
+  left = GNUNET_TIME_absolute_get_remaining (expiration_time);
+  if (0 == left.rel_value_us)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "DNS returned expired record for `%s'\n",
+                req->hostname);
+    GNUNET_STATISTICS_update (stats,
+                              "# expired records obtained from DNS",
+                              1,
+                              GNUNET_NO);
+    return;   /* record expired */
+  }
+
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "DNS returned record that expires at %s for `%s'\n",
+              GNUNET_STRINGS_absolute_time_to_string (expiration_time),
+              req->hostname);
+  /* if expiration window is too short, bump it to configured minimum */
+  if (left.rel_value_us < minimum_expiration_time.rel_value_us)
+    expiration_time =
+      GNUNET_TIME_relative_to_absolute (minimum_expiration_time);
+  switch (rec->type)
+  {
+  case GNUNET_DNSPARSER_TYPE_NS: {
+      struct GlueClosure gc;
+
+      /* check for glue */
+      gc.req = req;
+      gc.ns = rec->data.hostname;
+      gc.found = GNUNET_NO;
+      for_all_records (prc->p, &check_for_glue, &gc);
+      if ((GNUNET_NO == gc.found) &&
+          (GNUNET_OK == GNUNET_DNSPARSER_builder_add_name (dst,
+                                                           dst_len,
+                                                           &off,
+                                                           req->hostname)) &&
+          (GNUNET_OK == GNUNET_DNSPARSER_builder_add_name (dst,
+                                                           dst_len,
+                                                           &off,
+                                                           rec->data.hostname)))
+      {
+        /* FIXME: actually check if this is out-of-bailiwick,
+             and if not request explicit resolution... */
+        GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                    "Converted OOB (`%s') NS record for `%s'\n",
+                    rec->data.hostname,
+                    rec->name);
+        add_record (req,
+                    GNUNET_GNSRECORD_TYPE_GNS2DNS,
+                    expiration_time,
+                    dst,
+                    off);
+      }
+      else
+      {
+        GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                    "Converted NS record for `%s' using glue\n",
+                    rec->name);
+      }
+      break;
+    }
+
+  case GNUNET_DNSPARSER_TYPE_CNAME:
+    if (GNUNET_OK == GNUNET_DNSPARSER_builder_add_name (dst,
+                                                        dst_len,
+                                                        &off,
+                                                        rec->data.hostname))
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                  "Converting CNAME (`%s') record for `%s'\n",
+                  rec->data.hostname,
+                  rec->name);
+      add_record (req, rec->type, expiration_time, dst, off);
+    }
+    break;
+
+  case GNUNET_DNSPARSER_TYPE_DNAME:
+    /* No support for DNAME in GNS yet! FIXME: support later! */
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                "FIXME: not supported: %s DNAME %s\n",
+                rec->name,
+                rec->data.hostname);
+    break;
+
+  case GNUNET_DNSPARSER_TYPE_MX:
+    if (GNUNET_OK ==
+        GNUNET_DNSPARSER_builder_add_mx (dst, dst_len, &off, rec->data.mx))
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                  "Converting MX (`%s') record for `%s'\n",
+                  rec->data.mx->mxhost,
+                  rec->name);
+      add_record (req, rec->type, expiration_time, dst, off);
+    }
+    break;
+
+  case GNUNET_DNSPARSER_TYPE_SOA:
+    if (GNUNET_OK ==
+        GNUNET_DNSPARSER_builder_add_soa (dst, dst_len, &off, rec->data.soa))
+    {
+      /* NOTE: GNS does not really use SOAs */
+      GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                  "Converting SOA record for `%s'\n",
+                  rec->name);
+      add_record (req, rec->type, expiration_time, dst, off);
+    }
+    break;
+
+  case GNUNET_DNSPARSER_TYPE_SRV:
+    if (GNUNET_OK ==
+        GNUNET_DNSPARSER_builder_add_srv (dst, dst_len, &off, rec->data.srv))
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                  "Converting SRV record for `%s'\n",
+                  rec->name);
+      add_record (req, rec->type, expiration_time, dst, off);
+    }
+    break;
+
+  case GNUNET_DNSPARSER_TYPE_URI:
+    if (GNUNET_OK ==
+        GNUNET_DNSPARSER_builder_add_uri (dst, dst_len, &off, rec->data.uri))
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                  "Converting URI record for `%s'\n",
+                  rec->name);
+      add_record (req, rec->type, expiration_time, dst, off);
+    }
+    break;
+
+  case GNUNET_DNSPARSER_TYPE_PTR:
+    if (GNUNET_OK == GNUNET_DNSPARSER_builder_add_name (dst,
+                                                        dst_len,
+                                                        &off,
+                                                        rec->data.hostname))
+    {
+      /* !?: what does a PTR record do in a regular TLD??? */
+      GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                  "Converting PTR record for `%s' (weird)\n",
+                  rec->name);
+      add_record (req, rec->type, expiration_time, dst, off);
+    }
+    break;
+
+  case GNUNET_DNSPARSER_TYPE_CERT:
+    if (GNUNET_OK ==
+        GNUNET_DNSPARSER_builder_add_cert (dst, dst_len, &off, rec->data.cert))
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                  "Converting CERT record for `%s'\n",
+                  rec->name);
+      add_record (req, rec->type, expiration_time, dst, off);
+    }
+    break;
+
+  /* Rest is 'raw' encoded and just needs to be copied IF
+     the hostname matches the requested name; otherwise we
+     simply cannot use it. */
+  case GNUNET_DNSPARSER_TYPE_A:
+  case GNUNET_DNSPARSER_TYPE_AAAA:
+  case GNUNET_DNSPARSER_TYPE_TXT:
+  default:
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Converting record of type %u for `%s'\n",
+                (unsigned int) rec->type,
+                rec->name);
+    add_record (req,
+                rec->type,
+                expiration_time,
+                rec->data.raw.data,
+                rec->data.raw.data_len);
+    break;
+  }
+}
+
+
+static void
+store_completed_cb (void *cls, enum GNUNET_ErrorCode ec)
+{
+  static struct GNUNET_TIME_Absolute last;
+  struct Request *req = cls;
+
+  req->qe = NULL;
+  if (GNUNET_EC_NONE != ec)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Failed to store zone data for `%s': %s\n",
+                req->hostname,
+                GNUNET_ErrorCode_get_hint (ec));
+  }
+  else
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Stored records under `%s' (%d)\n",
+                req->hostname,
+                ec);
+  }
+  total_reg_proc_dns_ns++; /* finished regular processing */
+  pending_rs--;
+  free_records (req);
+  /* compute NAMESTORE statistics */
+  {
+    static uint64_t total_ns_latency_cnt;
+    static struct GNUNET_TIME_Relative total_ns_latency;
+    struct GNUNET_TIME_Relative ns_latency;
+
+    ns_latency = GNUNET_TIME_absolute_get_duration (req->op_start_time);
+    total_ns_latency = GNUNET_TIME_relative_add (total_ns_latency, ns_latency);
+    if (0 == total_ns_latency_cnt)
+      last = GNUNET_TIME_absolute_get ();
+    total_ns_latency_cnt++;
+    if (0 == (total_ns_latency_cnt % 1000))
+    {
+      struct GNUNET_TIME_Relative delta;
+
+      delta = GNUNET_TIME_absolute_get_duration (last);
+      last = GNUNET_TIME_absolute_get ();
+      fprintf (stderr,
+               "Processed 1000 records in %s\n",
+               GNUNET_STRINGS_relative_time_to_string (delta, GNUNET_YES));
+      GNUNET_STATISTICS_set (stats,
+                             "# average NAMESTORE PUT latency (μs)",
+                             total_ns_latency.rel_value_us
+                             / total_ns_latency_cnt,
+                             GNUNET_NO);
+    }
+  }
+  /* compute and publish overall velocity */
+  if (0 == (total_reg_proc_dns_ns % 100))
+  {
+    struct GNUNET_TIME_Relative runtime;
+
+    runtime = GNUNET_TIME_absolute_get_duration (start_time_reg_proc);
+    runtime = GNUNET_TIME_relative_subtract (runtime, idle_time);
+    runtime =
+      GNUNET_TIME_relative_divide (runtime,
+                                   total_reg_proc_dns + total_reg_proc_dns_ns);
+    GNUNET_STATISTICS_set (stats,
+                           "# Regular processing completed without NAMESTORE",
+                           total_reg_proc_dns,
+                           GNUNET_NO);
+    GNUNET_STATISTICS_set (stats,
+                           "# Regular processing completed with NAMESTORE PUT",
+                           total_reg_proc_dns_ns,
+                           GNUNET_NO);
+    GNUNET_STATISTICS_set (stats,
+                           "# average request processing latency (μs)",
+                           runtime.rel_value_us,
+                           GNUNET_NO);
+    GNUNET_STATISTICS_set (stats,
+                           "# total time spent idle (μs)",
+                           idle_time.rel_value_us,
+                           GNUNET_NO);
+  }
+
+  if (NULL == t)
+  {
+    sleep_time_reg_proc = GNUNET_TIME_absolute_get ();
+    t = GNUNET_SCHEDULER_add_now (&process_queue, NULL);
+  }
+}
+
+
+/**
+ * Function called with the result of a DNS resolution.
+ *
+ * @param cls closure with the `struct Request`
+ * @param dns dns response, never NULL
+ * @param dns_len number of bytes in @a dns
+ */
+static void
+process_result (void *cls,
+                const struct GNUNET_TUN_DnsHeader *dns,
+                size_t dns_len)
+{
+  struct Request *req = cls;
+  struct Record *rec;
+  struct GNUNET_DNSPARSER_Packet *p;
+  unsigned int rd_count;
+
+  GNUNET_assert (NULL == req->hn);
+  if (NULL == dns)
+  {
+    /* stub gave up */
+    GNUNET_CONTAINER_DLL_remove (req_head, req_tail, req);
+    pending--;
+    if (NULL == t)
+    {
+      sleep_time_reg_proc = GNUNET_TIME_absolute_get ();
+      t = GNUNET_SCHEDULER_add_now (&process_queue, NULL);
+    }
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Stub gave up on DNS reply for `%s'\n",
+                req->hostname);
+    GNUNET_STATISTICS_update (stats, "# DNS lookups timed out", 1, GNUNET_NO);
+    if (req->issue_num > MAX_RETRIES)
+    {
+      failures++;
+      free_request (req);
+      GNUNET_STATISTICS_update (stats, "# requests given up on", 1, GNUNET_NO);
+      return;
+    }
+    total_reg_proc_dns++;
+    req->rs = NULL;
+    insert_sorted (req);
+    return;
+  }
+  if (req->id != dns->id)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "DNS ID did not match request, ignoring reply\n");
+    GNUNET_STATISTICS_update (stats, "# DNS ID mismatches", 1, GNUNET_NO);
+    return;
+  }
+  GNUNET_CONTAINER_DLL_remove (req_head, req_tail, req);
+  GNUNET_DNSSTUB_resolve_cancel (req->rs);
+  req->rs = NULL;
+  pending--;
+  p = GNUNET_DNSPARSER_parse ((const char *) dns, dns_len);
+  if (NULL == p)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Failed to parse DNS reply for `%s'\n",
+                req->hostname);
+    GNUNET_STATISTICS_update (stats, "# DNS parser errors", 1, GNUNET_NO);
+    if (NULL == t)
+    {
+      sleep_time_reg_proc = GNUNET_TIME_absolute_get ();
+      t = GNUNET_SCHEDULER_add_now (&process_queue, NULL);
+    }
+    if (req->issue_num > MAX_RETRIES)
+    {
+      failures++;
+      free_request (req);
+      GNUNET_STATISTICS_update (stats, "# requests given up on", 1, GNUNET_NO);
+      return;
+    }
+    insert_sorted (req);
+    return;
+  }
+  /* import new records */
+  req->issue_num = 0; /* success, reset counter! */
+  {
+    struct ProcessRecordContext prc = { .req = req, .p = p };
+
+    for_all_records (p, &process_record, &prc);
+  }
+  GNUNET_DNSPARSER_free_packet (p);
+  /* count records found, determine minimum expiration time */
+  req->expires = GNUNET_TIME_UNIT_FOREVER_ABS;
+  {
+    struct GNUNET_TIME_Relative dns_latency;
+
+    dns_latency = GNUNET_TIME_absolute_get_duration (req->op_start_time);
+    total_dns_latency =
+      GNUNET_TIME_relative_add (total_dns_latency, dns_latency);
+    total_dns_latency_cnt++;
+    if (0 == (total_dns_latency_cnt % 1000))
+    {
+      GNUNET_STATISTICS_set (stats,
+                             "# average DNS lookup latency (μs)",
+                             total_dns_latency.rel_value_us
+                             / total_dns_latency_cnt,
+                             GNUNET_NO);
+    }
+  }
+  rd_count = 0;
+  for (rec = req->rec_head; NULL != rec; rec = rec->next)
+  {
+    struct GNUNET_TIME_Absolute at;
+
+    at.abs_value_us = rec->grd.expiration_time;
+    req->expires = GNUNET_TIME_absolute_min (req->expires, at);
+    rd_count++;
+  }
+  GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+              "Obtained %u records for `%s'\n",
+              rd_count,
+              req->hostname);
+  /* Instead of going for SOA, simplified for now to look each
+     day in case we got an empty response */
+  if (0 == rd_count)
+  {
+    req->expires = GNUNET_TIME_relative_to_absolute (GNUNET_TIME_UNIT_DAYS);
+    GNUNET_STATISTICS_update (stats,
+                              "# empty DNS replies (usually NXDOMAIN)",
+                              1,
+                              GNUNET_NO);
+  }
+  else
+  {
+    record_sets++;
+  }
+  /* convert records to namestore import format */
+  {
+    struct GNUNET_GNSRECORD_Data rd[GNUNET_NZL (rd_count)];
+    unsigned int off = 0;
+
+    /* convert linked list into array */
+    for (rec = req->rec_head; NULL != rec; rec = rec->next)
+      rd[off++] = rec->grd;
+    pending_rs++;
+    req->op_start_time = GNUNET_TIME_absolute_get ();
+    req->qe = GNUNET_NAMESTORE_record_set_store (ns,
+                                                 &req->zone->key,
+                                                 get_label (req),
+                                                 rd_count,
+                                                 rd,
+                                                 &store_completed_cb,
+                                                 req);
+    GNUNET_assert (NULL != req->qe);
+  }
+  insert_sorted (req);
+}
+
+
+/**
+ * Process as many requests as possible from the queue.
+ *
+ * @param cls NULL
+ */
+static void
+process_queue (void *cls)
+{
+  struct Request *req;
+  unsigned int series;
+  void *raw;
+  size_t raw_size;
+  struct GNUNET_TIME_Relative delay;
+
+  (void) cls;
+  delay = GNUNET_TIME_absolute_get_duration (sleep_time_reg_proc);
+  idle_time = GNUNET_TIME_relative_add (idle_time, delay);
+  series = 0;
+  t = NULL;
+  while (pending + pending_rs < THRESH)
+  {
+    req = GNUNET_CONTAINER_heap_peek (req_heap);
+    if (NULL == req)
+      break;
+    if (NULL != req->qe)
+      return;   /* namestore op still pending */
+    if (NULL != req->rs)
+    {
+      GNUNET_break (0);
+      return;     /* already submitted */
+    }
+    if (GNUNET_TIME_absolute_get_remaining (req->expires).rel_value_us > 0)
+      break;
+    GNUNET_assert (req == GNUNET_CONTAINER_heap_remove_root (req_heap));
+    req->hn = NULL;
+    GNUNET_CONTAINER_DLL_insert (req_head, req_tail, req);
+    GNUNET_assert (NULL == req->rs);
+    GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+                "Requesting resolution for `%s'\n",
+                req->hostname);
+    raw = build_dns_query (req, &raw_size);
+    if (NULL == raw)
+    {
+      GNUNET_break (0);
+      free_request (req);
+      continue;
+    }
+    req->op_start_time = GNUNET_TIME_absolute_get ();
+    req->rs = GNUNET_DNSSTUB_resolve (ctx, raw, raw_size, &process_result, req);
+    GNUNET_assert (NULL != req->rs);
+    req->issue_num++;
+    lookups++;
+    pending++;
+    series++;
+    if (series > MAX_SERIES)
+      break;
+  }
+  if (pending + pending_rs >= THRESH)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Stopped processing queue (%u+%u/%u)]\n",
+                pending,
+                pending_rs,
+                THRESH);
+    return;   /* wait for replies */
+  }
+  req = GNUNET_CONTAINER_heap_peek (req_heap);
+  if (NULL == req)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Stopped processing queue: empty queue\n");
+    return;
+  }
+  if (GNUNET_TIME_absolute_get_remaining (req->expires).rel_value_us > 0)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+                "Waiting until %s for next record (`%s') to expire\n",
+                GNUNET_STRINGS_absolute_time_to_string (req->expires),
+                req->hostname);
+    if (NULL != t)
+      GNUNET_SCHEDULER_cancel (t);
+    sleep_time_reg_proc = GNUNET_TIME_absolute_get ();
+    t = GNUNET_SCHEDULER_add_at (req->expires, &process_queue, NULL);
+    return;
+  }
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Throttling\n");
+  if (NULL != t)
+    GNUNET_SCHEDULER_cancel (t);
+  sleep_time_reg_proc = GNUNET_TIME_absolute_get ();
+  t = GNUNET_SCHEDULER_add_delayed (SERIES_DELAY, &process_queue, NULL);
+}
+
+
+/**
+ * Iterator called during #do_shutdown() to free requests in
+ * the #ns_pending map.
+ *
+ * @param cls NULL
+ * @param key unused
+ * @param value the `struct Request` to free
+ * @return #GNUNET_OK
+ */
+static int
+free_request_it (void *cls, const struct GNUNET_HashCode *key, void *value)
+{
+  struct Request *req = value;
+
+  (void) cls;
+  (void) key;
+  free_request (req);
+  return GNUNET_OK;
+}
+
+
+/**
+ * Clean up and terminate the process.
+ *
+ * @param cls NULL
+ */
+static void
+do_shutdown (void *cls)
+{
+  struct Request *req;
+  struct Zone *zone;
+
+  (void) cls;
+  if (NULL != id)
+  {
+    GNUNET_IDENTITY_disconnect (id);
+    id = NULL;
+  }
+  if (NULL != t)
+  {
+    GNUNET_SCHEDULER_cancel (t);
+    t = NULL;
+  }
+  while (NULL != (req = req_head))
+  {
+    GNUNET_CONTAINER_DLL_remove (req_head, req_tail, req);
+    if (NULL != req->qe)
+      GNUNET_NAMESTORE_cancel (req->qe);
+    free_request (req);
+  }
+  while (NULL != (req = GNUNET_CONTAINER_heap_remove_root (req_heap)))
+  {
+    req->hn = NULL;
+    if (NULL != req->qe)
+      GNUNET_NAMESTORE_cancel (req->qe);
+    free_request (req);
+  }
+  if (NULL != zone_it)
+  {
+    GNUNET_NAMESTORE_zone_iteration_stop (zone_it);
+    zone_it = NULL;
+  }
+  if (NULL != ns)
+  {
+    GNUNET_NAMESTORE_disconnect (ns);
+    ns = NULL;
+  }
+  if (NULL != ctx)
+  {
+    GNUNET_DNSSTUB_stop (ctx);
+    ctx = NULL;
+  }
+  if (NULL != req_heap)
+  {
+    GNUNET_CONTAINER_heap_destroy (req_heap);
+    req_heap = NULL;
+  }
+  if (NULL != ns_pending)
+  {
+    GNUNET_CONTAINER_multihashmap_iterate (ns_pending, &free_request_it, NULL);
+    GNUNET_CONTAINER_multihashmap_destroy (ns_pending);
+    ns_pending = NULL;
+  }
+  while (NULL != (zone = zone_head))
+  {
+    GNUNET_CONTAINER_DLL_remove (zone_head, zone_tail, zone);
+    GNUNET_free (zone->domain);
+    GNUNET_free (zone);
+  }
+  if (NULL != stats)
+  {
+    GNUNET_STATISTICS_destroy (stats, GNUNET_NO);
+    stats = NULL;
+  }
+}
+
+
+/**
+ * Iterate over all of the zones we care about and see which records
+ * we may need to re-fetch when.
+ *
+ * @param cls NULL
+ */
+static void
+iterate_zones (void *cls);
+
+
+/**
+ * Function called if #GNUNET_NAMESTORE_records_lookup() failed.
+ * Just logs an error.
+ *
+ * @param cls a `struct Zone`
+ */
+static void
+ns_lookup_error_cb (void *cls)
+{
+  struct Zone *zone = cls;
+
+  GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+              "Failed to load data from namestore for zone `%s'\n",
+              zone->domain);
+  zone_it = NULL;
+  ns_iterator_trigger_next = 0;
+  iterate_zones (NULL);
+}
+
+
+/**
+ * Process a record that was stored in the namestore.
+ *
+ * @param cls a `struct Zone *`
+ * @param key private key of the zone
+ * @param label label of the records
+ * @param rd_count number of entries in @a rd array, 0 if label was deleted
+ * @param rd array of records with data to store
+ */
+static void
+ns_lookup_result_cb (void *cls,
+                     const struct GNUNET_CRYPTO_PrivateKey *key,
+                     const char *label,
+                     unsigned int rd_count,
+                     const struct GNUNET_GNSRECORD_Data *rd)
+{
+  struct Zone *zone = cls;
+  struct Request *req;
+  struct GNUNET_HashCode hc;
+  char *fqdn;
+
+  ns_iterator_trigger_next--;
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Obtained NAMESTORE reply, %llu left in round\n",
+              (unsigned long long) ns_iterator_trigger_next);
+  if (0 == ns_iterator_trigger_next)
+  {
+    ns_iterator_trigger_next = NS_BATCH_SIZE;
+    GNUNET_STATISTICS_update (stats,
+                              "# NAMESTORE records requested from cache",
+                              ns_iterator_trigger_next,
+                              GNUNET_NO);
+    GNUNET_NAMESTORE_zone_iterator_next (zone_it, ns_iterator_trigger_next);
+  }
+  GNUNET_asprintf (&fqdn, "%s.%s", label, zone->domain);
+  GNUNET_CRYPTO_hash (fqdn, strlen (fqdn) + 1, &hc);
+  GNUNET_free (fqdn);
+  req = GNUNET_CONTAINER_multihashmap_get (ns_pending, &hc);
+  if (NULL == req)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+                "Ignoring record `%s' in zone `%s': not on my list!\n",
+                label,
+                zone->domain);
+    return;
+  }
+  GNUNET_assert (GNUNET_OK ==
+                 GNUNET_CONTAINER_multihashmap_remove (ns_pending, &hc, req));
+  GNUNET_break (0 == GNUNET_memcmp (key, &req->zone->key));
+  GNUNET_break (0 == strcasecmp (label, get_label (req)));
+  for (unsigned int i = 0; i < rd_count; i++)
+  {
+    struct GNUNET_TIME_Absolute at;
+
+    if (0 != (rd->flags & GNUNET_GNSRECORD_RF_RELATIVE_EXPIRATION))
+    {
+      struct GNUNET_TIME_Relative rel;
+
+      rel.rel_value_us = rd->expiration_time;
+      at = GNUNET_TIME_relative_to_absolute (rel);
+    }
+    else
+    {
+      at.abs_value_us = rd->expiration_time;
+    }
+    add_record (req, rd->record_type, at, rd->data, rd->data_size);
+  }
+  if (0 == rd_count)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+                "Empty record set in namestore for `%s'\n",
+                req->hostname);
+  }
+  else
+  {
+    unsigned int pos = 0;
+
+    cached++;
+    req->expires = GNUNET_TIME_UNIT_FOREVER_ABS;
+    for (struct Record *rec = req->rec_head; NULL != rec; rec = rec->next)
+    {
+      struct GNUNET_TIME_Absolute at;
+
+      at.abs_value_us = rec->grd.expiration_time;
+      req->expires = GNUNET_TIME_absolute_min (req->expires, at);
+      pos++;
+    }
+    if (0 == pos)
+      req->expires = GNUNET_TIME_UNIT_ZERO_ABS;
+    GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+                "Hot-start with %u existing records for `%s'\n",
+                pos,
+                req->hostname);
+  }
+  free_records (req);
+
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Adding `%s' to worklist to start at %s\n",
+              req->hostname,
+              GNUNET_STRINGS_absolute_time_to_string (req->expires));
+  insert_sorted (req);
+}
+
+
+/**
+ * Add @a hostname to the list of requests to be made.
+ *
+ * @param hostname name to resolve
+ */
+static void
+queue (const char *hostname)
+{
+  struct Request *req;
+  const char *dot;
+  struct Zone *zone;
+  size_t hlen;
+  struct GNUNET_HashCode hc;
+
+  if (GNUNET_OK != GNUNET_DNSPARSER_check_name (hostname))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Refusing invalid hostname `%s'\n",
+                hostname);
+    rejects++;
+    return;
+  }
+  dot = strchr (hostname, (unsigned char) '.');
+  if (NULL == dot)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Refusing invalid hostname `%s' (lacks '.')\n",
+                hostname);
+    rejects++;
+    return;
+  }
+  for (zone = zone_head; NULL != zone; zone = zone->next)
+    if (0 == strcmp (zone->domain, dot + 1))
+      break;
+  if (NULL == zone)
+  {
+    rejects++;
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Domain name `%s' not in ego list!\n",
+                dot + 1);
+    return;
+  }
+
+  hlen = strlen (hostname) + 1;
+  req = GNUNET_malloc (sizeof(struct Request) + hlen);
+  req->zone = zone;
+  req->hostname = (char *) &req[1];
+  GNUNET_memcpy (req->hostname, hostname, hlen);
+  req->id = (uint16_t) GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_NONCE,
+                                                 UINT16_MAX);
+  GNUNET_CRYPTO_hash (req->hostname, hlen, &hc);
+  if (GNUNET_OK != GNUNET_CONTAINER_multihashmap_put (
+        ns_pending,
+        &hc,
+        req,
+        GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                "Duplicate hostname `%s' ignored\n",
+                hostname);
+    GNUNET_free (req);
+    return;
+  }
+}
+
+
+/**
+ * We have completed the initial iteration over the namestore's database.
+ * This function is called on each of the remaining records in
+ * #move_to_queue to #queue() them, as we will simply not find existing
+ * records for them any longer.
+ *
+ * @param cls NULL
+ * @param key unused
+ * @param value a `struct Request`
+ * @return #GNUNET_OK (continue to iterate)
+ */
+static int
+move_to_queue (void *cls, const struct GNUNET_HashCode *key, void *value)
+{
+  struct Request *req = value;
+
+  (void) cls;
+  (void) key;
+  insert_sorted (req);
+  return GNUNET_OK;
+}
+
+
+/**
+ * Iterate over all of the zones we care about and see which records
+ * we may need to re-fetch when.
+ *
+ * @param cls NULL
+ */
+static void
+iterate_zones (void *cls)
+{
+  static struct Zone *last;
+
+  (void) cls;
+  if (NULL != zone_it)
+  {
+    zone_it = NULL;
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Finished iteration over zone `%s'!\n",
+                last->domain);
+    /* subtract left-overs from previous iteration */
+    GNUNET_STATISTICS_update (stats,
+                              "# NAMESTORE records requested from cache",
+                              (long long) (-ns_iterator_trigger_next),
+                              GNUNET_NO);
+    ns_iterator_trigger_next = 0;
+  }
+  GNUNET_assert (NULL != zone_tail);
+  if (zone_tail == last)
+  {
+    /* Done iterating over relevant zones in NAMESTORE, move
+       rest of hash map to work queue as well. */
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Finished all NAMESTORE iterations!\n");
+    GNUNET_STATISTICS_set (stats,
+                           "# Domain names without cached reply",
+                           GNUNET_CONTAINER_multihashmap_size (ns_pending),
+                           GNUNET_NO);
+    GNUNET_CONTAINER_multihashmap_iterate (ns_pending, &move_to_queue, NULL);
+    GNUNET_CONTAINER_multihashmap_destroy (ns_pending);
+    ns_pending = NULL;
+    start_time_reg_proc = GNUNET_TIME_absolute_get ();
+    total_reg_proc_dns = 0;
+    total_reg_proc_dns_ns = 0;
+    return;
+  }
+  if (NULL == last)
+    last = zone_head;
+  else
+    last = last->next;
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Starting iteration over zone `%s'!\n",
+              last->domain);
+  /* subtract left-overs from previous iteration */
+  GNUNET_STATISTICS_update (stats,
+                            "# NAMESTORE records requested from cache",
+                            1,
+                            GNUNET_NO);
+  ns_iterator_trigger_next = 1;
+  GNUNET_STATISTICS_update (stats, "# zones iterated", 1, GNUNET_NO);
+  zone_it = GNUNET_NAMESTORE_zone_iteration_start (ns,
+                                                   &last->key,
+                                                   &ns_lookup_error_cb,
+                                                   NULL,
+                                                   &ns_lookup_result_cb,
+                                                   last,
+                                                   &iterate_zones,
+                                                   NULL);
+}
+
+
+/**
+ * Begin processing hostnames from stdin.
+ *
+ * @param cls NULL
+ */
+static void
+process_stdin (void *cls)
+{
+  static struct GNUNET_TIME_Absolute last;
+  static uint64_t idot;
+  char hn[256];
+
+  (void) cls;
+  t = NULL;
+  if (NULL != id)
+  {
+    GNUNET_IDENTITY_disconnect (id);
+    id = NULL;
+  }
+  while (NULL != fgets (hn, sizeof(hn), stdin))
+  {
+    if (strlen (hn) > 0)
+      hn[strlen (hn) - 1] = '\0';  /* eat newline */
+    if (0 == idot)
+      last = GNUNET_TIME_absolute_get ();
+    idot++;
+    if (0 == idot % 100000)
+    {
+      struct GNUNET_TIME_Relative delta;
+
+      delta = GNUNET_TIME_absolute_get_duration (last);
+      last = GNUNET_TIME_absolute_get ();
+      fprintf (stderr,
+               "Read 100000 domain names in %s\n",
+               GNUNET_STRINGS_relative_time_to_string (delta, GNUNET_YES));
+      GNUNET_STATISTICS_set (stats, "# domain names provided", idot, GNUNET_NO);
+    }
+    queue (hn);
+  }
+  fprintf (stderr,
+           "Done reading %llu domain names\n",
+           (unsigned long long) idot);
+  GNUNET_STATISTICS_set (stats, "# domain names provided", idot, GNUNET_NO);
+  iterate_zones (NULL);
+}
+
+
+/**
+ * Method called to inform about the egos of this peer.
+ *
+ * When used with #GNUNET_IDENTITY_connect, this function is
+ * initially called for all egos and then again whenever a
+ * ego's name changes or if it is deleted.  At the end of
+ * the initial pass over all egos, the function is once called
+ * with 'NULL' for @a ego. That does NOT mean that the callback won't
+ * be invoked in the future or that there was an error.
+ *
+ * When used with #GNUNET_IDENTITY_create or #GNUNET_IDENTITY_get, this
+ * function is only called ONCE, and 'NULL' being passed in @a ego does
+ * indicate an error (for example because name is taken or no default value is
+ * known).  If @a ego is non-NULL and if '*ctx' is set in those callbacks, the
+ * value WILL be passed to a subsequent call to the identity callback of
+ * #GNUNET_IDENTITY_connect (if that one was not NULL).
+ *
+ * When an identity is renamed, this function is called with the
+ * (known) @a ego but the NEW @a name.
+ *
+ * When an identity is deleted, this function is called with the
+ * (known) ego and "NULL" for the @a name.  In this case,
+ * the @a ego is henceforth invalid (and the @a ctx should also be
+ * cleaned up).
+ *
+ * @param cls closure
+ * @param ego ego handle, NULL for end of list
+ * @param ctx context for application to store data for this ego
+ *                 (during the lifetime of this process, initially NULL)
+ * @param name name assigned by the user for this ego,
+ *                   NULL if the user just deleted the ego and it
+ *                   must thus no longer be used
+ */
+static void
+identity_cb (void *cls,
+             struct GNUNET_IDENTITY_Ego *ego,
+             void **ctx,
+             const char *name)
+{
+  (void) cls;
+  (void) ctx;
+
+  if (NULL == ego)
+  {
+    /* end of iteration */
+    if (NULL == zone_head)
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "No zone found\n");
+      GNUNET_SCHEDULER_shutdown ();
+      return;
+    }
+    /* zone_head non-null, process hostnames from stdin */
+    t = GNUNET_SCHEDULER_add_now (&process_stdin, NULL);
+    return;
+  }
+  if (NULL != name)
+  {
+    struct Zone *zone;
+
+    zone = GNUNET_new (struct Zone);
+    zone->key = *GNUNET_IDENTITY_ego_get_private_key (ego);
+    zone->domain = GNUNET_strdup (name);
+    GNUNET_CONTAINER_DLL_insert (zone_head, zone_tail, zone);
+  }
+}
+
+
+/**
+ * Process requests from the queue, then if the queue is
+ * not empty, try again.
+ *
+ * @param cls NULL
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param cfg configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  (void) cls;
+  (void) args;
+  (void) cfgfile;
+  stats = GNUNET_STATISTICS_create ("zoneimport", cfg);
+  req_heap = GNUNET_CONTAINER_heap_create (GNUNET_CONTAINER_HEAP_ORDER_MIN);
+  ns_pending = GNUNET_CONTAINER_multihashmap_create (map_size, GNUNET_NO);
+  if (NULL == ns_pending)
+  {
+    fprintf (stderr, "Failed to allocate memory for main hash map\n");
+    return;
+  }
+  ctx = GNUNET_DNSSTUB_start (256);
+  if (NULL == ctx)
+  {
+    fprintf (stderr, "Failed to initialize GNUnet DNS STUB\n");
+    return;
+  }
+  if (NULL == args[0])
+  {
+    fprintf (stderr,
+             "You must provide a list of DNS resolvers on the command line\n");
+    return;
+  }
+  for (unsigned int i = 0; NULL != args[i]; i++)
+  {
+    if (GNUNET_OK != GNUNET_DNSSTUB_add_dns_ip (ctx, args[i]))
+    {
+      fprintf (stderr, "Failed to use `%s' for DNS resolver\n", args[i]);
+      return;
+    }
+  }
+
+
+  GNUNET_SCHEDULER_add_shutdown (&do_shutdown, NULL);
+  ns = GNUNET_NAMESTORE_connect (cfg);
+  if (NULL == ns)
+  {
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  id = GNUNET_IDENTITY_connect (cfg, &identity_cb, NULL);
+}
+
+
+/**
+ * Call with IP address of resolver to query.
+ *
+ * @param argc should be 2
+ * @param argv[1] should contain IP address
+ * @return 0 on success
+ */
+int
+main (int argc, char *const *argv)
+{
+  struct GNUNET_GETOPT_CommandLineOption options[] =
+  { GNUNET_GETOPT_option_uint ('s',
+                               "size",
+                               "MAPSIZE",
+                               gettext_noop (
+                                 "size to use for the main hash map"),
+                               &map_size),
+    GNUNET_GETOPT_option_relative_time (
+      'm',
+      "minimum-expiration",
+      "RELATIVETIME",
+      gettext_noop ("minimum expiration time we assume for imported records"),
+      &minimum_expiration_time),
+    GNUNET_GETOPT_OPTION_END };
+  int ret;
+
+  if (GNUNET_OK != GNUNET_STRINGS_get_utf8_args (argc, argv, &argc, &argv))
+    return 2;
+  if (GNUNET_OK != (ret = GNUNET_PROGRAM_run (argc,
+                                              argv,
+                                              "gnunet-zoneimport",
+                                              "import DNS zone into namestore",
+                                              options,
+                                              &run,
+                                              NULL)))
+    return ret;
+  GNUNET_free_nz ((void *) argv);
+  fprintf (stderr,
+           "Rejected %u names, had %u cached, did %u lookups, stored %u record sets\n"
+           "Found %u records, %u lookups failed, %u/%u pending on shutdown\n",
+           rejects,
+           cached,
+           lookups,
+           record_sets,
+           records,
+           failures,
+           pending,
+           pending_rs);
+  return 0;
+}
+
+
+/* end of gnunet-zoneimport.c */
diff --git a/src/cli/namestore/meson.build b/src/cli/namestore/meson.build
new file mode 100644
index 000000000..e619876c5
--- /dev/null
+++ b/src/cli/namestore/meson.build
@@ -0,0 +1,38 @@
+executable ('gnunet-namestore',
+          ['gnunet-namestore.c'],
+          dependencies: [libgnunetnamestore_dep,
+                         libgnunetutil_dep,
+                         libgnunetgnsrecord_dep,
+                         libgnunetidentity_dep],
+          include_directories: [incdir, configuration_inc],
+        install: true,
+        install_dir: get_option('bindir'))
+executable ('gnunet-namestore-dbtool',
+            ['gnunet-namestore-dbtool.c'],
+            dependencies: [libgnunetnamestore_dep,
+                           libgnunetutil_dep,
+                           libgnunetgnsrecord_dep,
+                           libgnunetidentity_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+executable ('gnunet-namestore-zonefile',
+            ['gnunet-namestore-zonefile.c'],
+            dependencies: [libgnunetnamestore_dep,
+                           libgnunetutil_dep,
+                           libgnunetgnsrecord_dep,
+                           libgnunetidentity_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+executable ('gnunet-zoneimport',
+            ['gnunet-zoneimport.c'],
+            dependencies: [libgnunetnamestore_dep,
+                           libgnunetutil_dep,
+                           libgnunetstatistics_dep,
+                           libgnunetgnsrecord_dep,
+                           libgnunetidentity_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+
diff --git a/src/cli/namestore/test_namestore_box_lightest.sh b/src/cli/namestore/test_namestore_box_lightest.sh
new file mode 100755
index 000000000..3c8ad2799
--- /dev/null
+++ b/src/cli/namestore/test_namestore_box_lightest.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+CONFIGURATION="test_namestore_api.conf"
+trap "gnunet-arm -e -c $CONFIGURATION" SIGINT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `$LOCATION -c $CONFIGURATION -s PATHS -o GNUNET_HOME`
+TEST_RECORD_NAME_DNS="trust"
+TEST_RECORD_VALUE_SMIMEA="49152 49153 53 0 0 1 d2abde240d7cd3ee6b4b28c54df034b97983a1d16e8a410e4561cb106618e971"
+TEST_RECORD_VALUE_URI="49152 49152 256 10 10 \"http://lightest.nletlabs.nl/\""
+which timeout &> /dev/null && DO_TIMEOUT="timeout 5"
+
+function start_peer
+{
+        gnunet-arm -s -c $CONFIGURATION
+        gnunet-identity -C testego -c $CONFIGURATION
+}
+
+function stop_peer
+{
+        gnunet-identity -D testego -c $CONFIGURATION
+        gnunet-arm -e -c $CONFIGURATION
+}
+
+
+start_peer
+# Create a public SMIMEA record
+gnunet-namestore -p -z testego -a -n $TEST_RECORD_NAME_DNS -t BOX -V "$TEST_RECORD_VALUE_SMIMEA" -e never -c $CONFIGURATION
+NAMESTORE_RES=$?
+
+if [ $NAMESTORE_RES = 0 ]
+then
+  echo "PASS: Creating boxed name in namestore SMIMEA"
+else
+  echo "FAIL: Creating boxed name in namestore failed with $NAMESTORE_RES."
+  stop_peer
+  exit 1
+fi
+
+# Create a public URI record
+gnunet-namestore -p -z testego -a -n $TEST_RECORD_NAME_DNS -t BOX -V "$TEST_RECORD_VALUE_URI" -e never -c $CONFIGURATION
+NAMESTORE_RES=$?
+
+if [ $NAMESTORE_RES = 0 ]
+then
+  echo "PASS: Creating boxed name in namestore URI"
+else
+  echo "FAIL: Creating boxed name in namestore failed with $NAMESTORE_RES."
+  stop_peer
+  exit 1
+fi
+
+stop_peer
\ No newline at end of file
diff --git a/src/cli/namestore/test_namestore_delete.sh b/src/cli/namestore/test_namestore_delete.sh
new file mode 100755
index 000000000..b861a4bc0
--- /dev/null
+++ b/src/cli/namestore/test_namestore_delete.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+CONFIGURATION="test_namestore_api.conf"
+trap "gnunet-arm -e -c $CONFIGURATION" SIGINT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `$LOCATION -c $CONFIGURATION -s PATHS -o GNUNET_HOME`
+TEST_DOMAIN_PLUS="www.gnu"
+TEST_DOMAIN_DNS="www3.gnu"
+TEST_IP_PLUS="127.0.0.1"
+TEST_IP_DNS="131.159.74.67"
+TEST_RECORD_CNAME_SERVER="server"
+TEST_RECORD_CNAME_PLUS="server.+"
+TEST_RECORD_CNAME_DNS="gnunet.org"
+TEST_RECORD_NAME_SERVER="server"
+TEST_RECORD_NAME_PLUS="www"
+TEST_RECORD_NAME_DNS="www3"
+which timeout &> /dev/null && DO_TIMEOUT="timeout 5"
+
+function start_peer
+{
+        gnunet-arm -s -c $CONFIGURATION
+        gnunet-identity -C testego -c $CONFIGURATION
+}
+
+function stop_peer
+{
+        gnunet-identity -D testego -c $CONFIGURATION
+        gnunet-arm -e -c $CONFIGURATION
+}
+
+
+start_peer
+# Create a public record
+gnunet-namestore -p -z testego -a -n $TEST_RECORD_NAME_DNS -t A -V $TEST_IP_PLUS -e never -c $CONFIGURATION
+# Delete record
+gnunet-namestore -p -z testego -d -n $TEST_RECORD_NAME_DNS -t A -V $TEST_IP_PLUS -e never -c $CONFIGURATION
+# List all records
+OUTPUT=`gnunet-namestore -p -z testego -D`
+FOUND_IP=false
+FOUND_NAME=false
+for LINE in $OUTPUT ;
+ do
+        if echo "$LINE" | grep -q "$TEST_RECORD_NAME_DNS"; then
+                FOUND_NAME=true;
+        fi
+        if echo "$LINE" | grep -q "$TEST_IP_PLUS"; then
+                FOUND_IP=true;
+        fi
+ done
+stop_peer
+
+
+if [ $FOUND_IP = true ]
+then
+  echo "FAIL: Delete name in namestore: IP returned"
+  exit 1
+fi
diff --git a/src/cli/namestore/test_namestore_lookup.sh b/src/cli/namestore/test_namestore_lookup.sh
new file mode 100755
index 000000000..1c96e102a
--- /dev/null
+++ b/src/cli/namestore/test_namestore_lookup.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+CONFIGURATION="test_namestore_api.conf"
+trap "gnunet-arm -e -c $CONFIGURATION" SIGINT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `$LOCATION -c $CONFIGURATION -s PATHS -o GNUNET_HOME`
+TEST_IP_PLUS="127.0.0.1"
+TEST_RECORD_NAME_DNS="www3"
+which timeout &> /dev/null && DO_TIMEOUT="timeout 5"
+
+# start peer
+gnunet-arm -s -c $CONFIGURATION
+gnunet-identity -C testego -c $CONFIGURATION
+
+# Create a public record
+gnunet-namestore -p -z testego -a -n $TEST_RECORD_NAME_DNS -t A -V $TEST_IP_PLUS -e never -c $CONFIGURATION
+NAMESTORE_RES=$?
+# Lookup specific name
+OUTPUT=`gnunet-namestore -p -z testego -n $TEST_RECORD_NAME_DNS -D`
+
+
+FOUND_IP=false
+FOUND_NAME=false
+for LINE in $OUTPUT ;
+ do
+        if echo "$LINE" | grep -q "$TEST_RECORD_NAME_DNS"; then
+                FOUND_NAME=true;
+                #echo $FOUND_NAME
+        fi
+        if echo "$LINE" | grep -q "$TEST_IP_PLUS"; then
+                FOUND_IP=true;
+                #echo $FOUND_IP
+        fi
+done
+# stop peer
+gnunet-identity -D testego -c $CONFIGURATION
+gnunet-arm -e -c $CONFIGURATION
+
+
+if [ $FOUND_NAME = true -a $FOUND_IP = true ]
+then
+  echo "PASS: Lookup name in namestore"
+  exit 0
+elif [ $FOUND_NAME = false ]
+then
+  echo "FAIL: Lookup name in namestore: name not returned"
+  exit 1
+elif [ $FOUND_IP = false ]
+then
+  echo "FAIL: Lookup name in namestore: IP not returned"
+  exit 1
+fi
diff --git a/src/cli/namestore/test_namestore_put.sh b/src/cli/namestore/test_namestore_put.sh
new file mode 100755
index 000000000..eaf7d44b4
--- /dev/null
+++ b/src/cli/namestore/test_namestore_put.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+CONFIGURATION="test_namestore_api.conf"
+trap "gnunet-arm -e -c $CONFIGURATION" SIGINT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `$LOCATION -c $CONFIGURATION -s PATHS -o GNUNET_HOME`
+TEST_DOMAIN_PLUS="www.gnu"
+TEST_DOMAIN_DNS="www3.gnu"
+TEST_IP_PLUS="127.0.0.1"
+TEST_IP_DNS="131.159.74.67"
+TEST_RECORD_CNAME_SERVER="server"
+TEST_RECORD_CNAME_PLUS="server.+"
+TEST_RECORD_CNAME_DNS="gnunet.org"
+TEST_RECORD_NAME_SERVER="server"
+TEST_RECORD_NAME_PLUS="www"
+TEST_RECORD_NAME_DNS="www3"
+which timeout &> /dev/null && DO_TIMEOUT="timeout 5"
+
+function start_peer
+{
+        gnunet-arm -s -c $CONFIGURATION
+        gnunet-identity -C testego -c $CONFIGURATION
+}
+
+function stop_peer
+{
+        gnunet-identity -D testego -c $CONFIGURATION
+        gnunet-arm -e -c $CONFIGURATION
+}
+
+
+start_peer
+# Create a public record
+gnunet-namestore -p -z testego -a -n $TEST_RECORD_NAME_DNS -t A -V $TEST_IP_PLUS -e never -c $CONFIGURATION
+NAMESTORE_RES=$?
+stop_peer
+
+if [ $NAMESTORE_RES = 0 ]
+then
+  echo "PASS: Creating name in namestore"
+else
+  echo "FAIL: Creating name in namestore failed with $NAMESTORE_RES."
+  exit 1
+fi
diff --git a/src/cli/namestore/test_namestore_put_multiple.sh b/src/cli/namestore/test_namestore_put_multiple.sh
new file mode 100755
index 000000000..4c7340440
--- /dev/null
+++ b/src/cli/namestore/test_namestore_put_multiple.sh
@@ -0,0 +1,112 @@
+#!/bin/bash
+
+# Check for required packages
+if ! [ -x "$(command -v gnunet-namestore)" ]; then
+    echo 'bind/named is not installed' >&2
+    exit 1
+fi
+
+# Check if gnunet is running
+gnunet-arm -I 2&>1 /dev/null
+ret=$?
+if [ 0 -ne $ret ]; then
+    echo 'gnunet services are not running'
+    exit 1
+fi
+
+## GNUNET part
+# Check if identity exists and deletes and readds it to get rid of entries in zone
+gnunet-identity -d | grep randomtestingid 2>&1 /dev/null
+ret=$?
+
+if [ 0 -ne $ret ]; then
+    gnunet-identity -D randomtestingid
+    gnunet-identity -C randomtestingid
+fi
+
+function get_record_type {
+    arr=$1
+    typ=$(echo -n "${arr[0]}" | cut -d' ' -f1)
+    echo "$typ"
+}
+
+function get_value {
+    arr=$1
+    val=$(echo -n "${arr[0]}" | cut -d' ' -f4-)
+    echo "$val"
+}
+
+function testing {
+    label=$1
+    records=$2
+    recordstring=""
+    typ=$(get_record_type "${records[@]}")
+    for i in "${records[@]}"
+    do
+        recordstring+="$i"$'\n'
+    done
+    echo "$recordstring"
+    gnunet-namestore -a -S <<EOF
+$label.randomtestingid:
+      $recordstring
+EOF
+    ret=$?
+    if [ 0 -ne $ret ]; then
+        echo "failed to add record $label: $recordstring"
+    fi
+    gnunet-gns -t "$typ" -u foo2.randomtestingid 2>&1 /dev/null
+    if [ 0 -ne $ret ]; then
+        echo "record $label could not be found"
+    fi
+}
+
+# TEST CASES
+# 1
+echo "Testing adding of single A record with -R"
+declare -a arr=('A 1200 [r] 127.0.0.1')
+testing test1 "${arr[@]}"
+# 2
+echo "Testing adding of multiple A records with -R"
+declare -a arr=('A 1200 [r] 127.0.0.1' 'A 2400 [r] 127.0.0.2')
+testing test2 "${arr[@]}"
+# 3
+echo "Testing adding of multiple different records with -R"
+declare -a arr=('A 1200 [r] 127.0.0.1' 'AAAA 2400 [r] 2002::')
+testing test3 "${arr[@]}"
+# 4
+echo "Testing adding of single GNS2DNS record with -R"
+declare -a arr=('GNS2DNS 86400 [r] gnu.org@127.0.0.1')
+testing test4 "${arr[@]}"
+# 5
+echo "Testing adding of single GNS2DNS shadow record with -R"
+declare -a arr=('GNS2DNS 86409 [rs] gnu.org@127.0.0.250')
+testing test5 "${arr[@]}"
+# 6
+echo "Testing adding of multiple GNS2DNS record with -R"
+declare -a arr=('GNS2DNS 1 [r] gnunet.org@127.0.0.1' 'GNS2DNS 3600 [s] gnunet.org@127.0.0.2')
+testing test6 "${arr[@]}"
+val=$(gnunet-gns -t GNS2DNS -u test6.randomtestingid)
+if [[ $val == *"127.0.0.1"* ]]; then
+    echo "shadow!"
+fi
+echo "Sleeping to let record expire"
+sleep 5
+val=$(gnunet-gns -t GNS2DNS -u test6.randomtestingid)
+if [[ $val == *"127.0.0.2"* ]]; then
+    echo "no shadow!"
+fi
+# 7
+echo "Testing adding MX record with -R"
+declare -a arr=('MX 3600 [r] 10,mail')
+testing test7 "${arr[@]}"
+# 8
+echo "Testing adding TXT record with -R"
+declare -a arr=('TXT 3600 [r] Pretty_Unicorns')
+testing test8 "${arr[@]}"
+# 8
+#echo "Testing adding TXT record with -R"
+#declare -a arr=('SRV 3600 [r] _autodiscover_old._tcp.bfh.ch.')
+#testing test8 "${arr[@]}"
+
+# CLEANUP
+gnunet-identity -D randomtestingid
diff --git a/src/cli/namestore/test_namestore_put_stdin.sh b/src/cli/namestore/test_namestore_put_stdin.sh
new file mode 100755
index 000000000..deb7bc4cb
--- /dev/null
+++ b/src/cli/namestore/test_namestore_put_stdin.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+CONFIGURATION="test_namestore_api.conf"
+trap "gnunet-arm -e -c $CONFIGURATION" SIGINT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `$LOCATION -c $CONFIGURATION -s PATHS -o GNUNET_HOME`
+TEST_RECORD_NAME="www3"
+TEST_RECORD_NAME2="www"
+TEST_IP="8.7.6.5"
+TEST_IP2="1.2.3.4"
+
+which timeout &> /dev/null && DO_TIMEOUT="timeout 5"
+
+function start_peer
+{
+        gnunet-arm -s -c $CONFIGURATION
+        gnunet-identity -C testego -c $CONFIGURATION
+  gnunet-identity -C testego2 -c $CONFIGURATION
+}
+
+function stop_peer
+{
+        gnunet-identity -D testego -c $CONFIGURATION
+  gnunet-identity -D testego2 -c $CONFIGURATION
+        gnunet-arm -e -c $CONFIGURATION
+}
+
+
+start_peer
+# Create a public record
+EGOKEY=`gnunet-identity -d | grep testego2 | cut -d' ' -f3`
+gnunet-namestore -a -c $CONFIGURATION -S <<EOF
+$TEST_RECORD_NAME.testego:
+  A 3600000000 [pr] $TEST_IP
+  TXT 21438201833 [r] $TEST_IP2
+
+  TXT 21438201833 [r] aslkdj asdlkjaslkd 232!
+
+$TEST_RECORD_NAME2.testego:
+  AAAA 324241223 [prS] ::dead:beef
+  A 111324241223000000 [pC] 1.1.1.1
+
+www7.$EGOKEY:
+  A 3600000000 [pr] $TEST_IP
+
+EOF
+NAMESTORE_RES=$?
+gnunet-namestore -D -r -c $CONFIGURATION
+stop_peer
+
+if [ $NAMESTORE_RES = 0 ]
+then
+  echo "PASS: Creating name in namestore"
+else
+  echo "FAIL: Creating name in namestore failed with $NAMESTORE_RES."
+  exit 1
+fi
diff --git a/src/cli/namestore/test_namestore_zonefile_import.sh b/src/cli/namestore/test_namestore_zonefile_import.sh
new file mode 100755
index 000000000..d6345257f
--- /dev/null
+++ b/src/cli/namestore/test_namestore_zonefile_import.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+# This file is in the public domain.
+trap "gnunet-arm -e -c test_namestore_api.conf" INT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_namestore_api.conf -f -s paths -o GNUNET_TEST_HOME`
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 5"
+
+MY_EGO="myego"
+gnunet-arm -s -c test_namestore_api.conf
+gnunet-identity -C $MY_EGO -c test_namestore_api.conf
+gnunet-namestore-zonefile -c test_namestore_api.conf < example_zonefile
+res=$?
+gnunet-identity -D $MY_EGO -c test_namestore_api.conf
+gnunet-arm -e -c test_namestore_api.conf
+
+if [ $res != 0 ]; then
+  echo "FAIL: Zone import failed."
+  exit 1
+fi
+
+
diff --git a/src/cli/nat-auto/.gitignore b/src/cli/nat-auto/.gitignore
new file mode 100644
index 000000000..c750bf612
--- /dev/null
+++ b/src/cli/nat-auto/.gitignore
@@ -0,0 +1,2 @@
+gnunet-nat-auto
+gnunet-nat-server
diff --git a/src/cli/nat-auto/Makefile.am b/src/cli/nat-auto/Makefile.am
new file mode 100644
index 000000000..4b2d74280
--- /dev/null
+++ b/src/cli/nat-auto/Makefile.am
@@ -0,0 +1,26 @@
+# This Makefile.am is in the public domain
+AM_CPPFLAGS = -I$(top_srcdir)/src/include
+
+libexecdir= $(pkglibdir)/libexec/
+
+pkgcfgdir= $(pkgdatadir)/config.d/
+
+bin_PROGRAMS = \
+ gnunet-nat-auto \
+ gnunet-nat-server
+
+gnunet_nat_server_SOURCES = \
+ gnunet-nat-server.c
+gnunet_nat_server_LDADD = \
+  $(top_builddir)/src/service/nat/libgnunetnatnew.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la
+gnunet_nat_server_LDFLAGS = \
+  $(GN_LIBINTL)
+
+gnunet_nat_auto_SOURCES = \
+  gnunet-nat-auto.c
+gnunet_nat_auto_LDADD = \
+  $(top_builddir)/src/service/nat-auto/libgnunetnatauto.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la
+gnunet_nat_auto_LDFLAGS = \
+  $(GN_LIBINTL)
diff --git a/src/cli/nat-auto/gnunet-nat-auto.c b/src/cli/nat-auto/gnunet-nat-auto.c
new file mode 100644
index 000000000..055a949bd
--- /dev/null
+++ b/src/cli/nat-auto/gnunet-nat-auto.c
@@ -0,0 +1,367 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2015, 2016, 2017 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @file src/nat/gnunet-nat-auto.c
+ * @brief Command-line tool for testing and autoconfiguration of NAT traversal
+ * @author Christian Grothoff
+ * @author Bruno Cabral
+ */
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include "gnunet_nat_service.h"
+#include "gnunet_nat_auto_service.h"
+
+/**
+ * Value to return from #main().
+ */
+static int global_ret;
+
+/**
+ * Handle to ongoing autoconfiguration.
+ */
+static struct GNUNET_NAT_AUTO_AutoHandle *ah;
+
+/**
+ * If we do auto-configuration, should we write the result
+ * to a file?
+ */
+static int write_cfg;
+
+/**
+ * Configuration filename.
+ */
+static const char *cfg_file;
+
+/**
+ * Original configuration.
+ */
+static const struct GNUNET_CONFIGURATION_Handle *cfg;
+
+/**
+ * Adapter we are supposed to test.
+ */
+static char *section_name;
+
+/**
+ * Should we run autoconfiguration?
+ */
+static int do_auto;
+
+/**
+ * Handle to a NAT test operation.
+ */
+static struct GNUNET_NAT_AUTO_Test *nt;
+
+/**
+ * Flag set to 1 if we use IPPROTO_UDP.
+ */
+static int use_udp;
+
+/**
+ * Flag set to 1 if we use IPPROTO_TCP.
+ */
+static int use_tcp;
+
+/**
+ * Protocol to use.
+ */
+static uint8_t proto;
+
+/**
+ * Test if all activities have finished, and if so,
+ * terminate.
+ */
+static void
+test_finished ()
+{
+  if (NULL != ah)
+    return;
+  if (NULL != nt)
+    return;
+  GNUNET_SCHEDULER_shutdown ();
+}
+
+
+/**
+ * Function to iterate over suggested changes options
+ *
+ * @param cls closure
+ * @param section name of the section
+ * @param option name of the option
+ * @param value value of the option
+ */
+static void
+auto_conf_iter (void *cls,
+                const char *section,
+                const char *option,
+                const char *value)
+{
+  struct GNUNET_CONFIGURATION_Handle *new_cfg = cls;
+
+  printf ("%s: %s\n", option, value);
+  if (NULL != new_cfg)
+    GNUNET_CONFIGURATION_set_value_string (new_cfg, section, option, value);
+}
+
+
+/**
+ * Function called with the result from the autoconfiguration.
+ *
+ * @param cls closure
+ * @param diff minimal suggested changes to the original configuration
+ *             to make it work (as best as we can)
+ * @param result #GNUNET_NAT_ERROR_SUCCESS on success, otherwise the specific error code
+ * @param type what the situation of the NAT
+ */
+static void
+auto_config_cb (void *cls,
+                const struct GNUNET_CONFIGURATION_Handle *diff,
+                enum GNUNET_NAT_StatusCode result,
+                enum GNUNET_NAT_Type type)
+{
+  const char *nat_type;
+  char unknown_type[64];
+  struct GNUNET_CONFIGURATION_Handle *new_cfg;
+
+  ah = NULL;
+  switch (type)
+  {
+  case GNUNET_NAT_TYPE_NO_NAT:
+    nat_type = "NO NAT";
+    break;
+
+  case GNUNET_NAT_TYPE_UNREACHABLE_NAT:
+    nat_type = "NAT but we can traverse";
+    break;
+
+  case GNUNET_NAT_TYPE_STUN_PUNCHED_NAT:
+    nat_type = "NAT but STUN is able to identify the correct information";
+    break;
+
+  case GNUNET_NAT_TYPE_UPNP_NAT:
+    nat_type = "NAT but UPNP opened the ports";
+    break;
+
+  default:
+    sprintf (unknown_type, "NAT unknown, type %u", type);
+    nat_type = unknown_type;
+    break;
+  }
+
+  GNUNET_log (GNUNET_ERROR_TYPE_MESSAGE,
+              "NAT status: %s/%s\n",
+              GNUNET_NAT_AUTO_status2string (result),
+              nat_type);
+
+  if (NULL == diff)
+    return;
+
+  /* Shortcut: if there are no changes suggested, bail out early. */
+  if (GNUNET_NO == GNUNET_CONFIGURATION_is_dirty (diff))
+  {
+    test_finished ();
+    return;
+  }
+
+  /* Apply diff to original configuration and show changes
+     to the user */
+  new_cfg = write_cfg ? GNUNET_CONFIGURATION_dup (cfg) : NULL;
+
+  GNUNET_log (GNUNET_ERROR_TYPE_MESSAGE,
+              _ ("Suggested configuration changes:\n"));
+  GNUNET_CONFIGURATION_iterate_section_values (diff,
+                                               "nat",
+                                               &auto_conf_iter,
+                                               new_cfg);
+
+  /* If desired, write configuration to file; we write only the
+     changes to the defaults to keep things compact. */
+  if (write_cfg)
+  {
+    struct GNUNET_CONFIGURATION_Handle *def_cfg;
+
+    GNUNET_CONFIGURATION_set_value_string (new_cfg, "ARM", "CONFIG", NULL);
+    def_cfg = GNUNET_CONFIGURATION_create ();
+    GNUNET_break (GNUNET_OK == GNUNET_CONFIGURATION_load (def_cfg, NULL));
+    if (GNUNET_OK !=
+        GNUNET_CONFIGURATION_write_diffs (def_cfg, new_cfg, cfg_file))
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_MESSAGE,
+                  _ ("Failed to write configuration to `%s'\n"),
+                  cfg_file);
+      global_ret = 1;
+    }
+    else
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_MESSAGE,
+                  _ ("Wrote updated configuration to `%s'\n"),
+                  cfg_file);
+    }
+    GNUNET_CONFIGURATION_destroy (def_cfg);
+  }
+
+  if (NULL != new_cfg)
+    GNUNET_CONFIGURATION_destroy (new_cfg);
+  test_finished ();
+}
+
+
+/**
+ * Function called to report success or failure for
+ * NAT configuration test.
+ *
+ * @param cls closure
+ * @param result #GNUNET_NAT_ERROR_SUCCESS on success, otherwise the specific error code
+ */
+static void
+test_report_cb (void *cls, enum GNUNET_NAT_StatusCode result)
+{
+  nt = NULL;
+  printf ("NAT test result: %s\n", GNUNET_NAT_AUTO_status2string (result));
+  test_finished ();
+}
+
+
+/**
+ * Task run on shutdown.
+ *
+ * @param cls NULL
+ */
+static void
+do_shutdown (void *cls)
+{
+  if (NULL != ah)
+  {
+    GNUNET_NAT_AUTO_autoconfig_cancel (ah);
+    ah = NULL;
+  }
+  if (NULL != nt)
+  {
+    GNUNET_NAT_AUTO_test_stop (nt);
+    nt = NULL;
+  }
+}
+
+
+/**
+ * Main function that will be run.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param c configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *c)
+{
+  cfg_file = cfgfile;
+  cfg = c;
+
+  GNUNET_SCHEDULER_add_shutdown (&do_shutdown, NULL);
+
+  if (do_auto)
+  {
+    ah = GNUNET_NAT_AUTO_autoconfig_start (c, &auto_config_cb, NULL);
+  }
+
+  if (use_tcp && use_udp)
+  {
+    if (do_auto)
+      return;
+    GNUNET_log (GNUNET_ERROR_TYPE_MESSAGE, "Cannot use TCP and UDP\n");
+    global_ret = 1;
+    return;
+  }
+  proto = 0;
+  if (use_tcp)
+    proto = IPPROTO_TCP;
+  if (use_udp)
+    proto = IPPROTO_UDP;
+
+  if (NULL != section_name)
+  {
+    nt = GNUNET_NAT_AUTO_test_start (c,
+                                     proto,
+                                     section_name,
+                                     &test_report_cb,
+                                     NULL);
+  }
+  test_finished ();
+}
+
+
+/**
+ * Main function of gnunet-nat-auto
+ *
+ * @param argc number of command-line arguments
+ * @param argv command line
+ * @return 0 on success, -1 on error
+ */
+int
+main (int argc, char *const argv[])
+{
+  struct GNUNET_GETOPT_CommandLineOption options[] =
+  { GNUNET_GETOPT_option_flag ('a',
+                               "auto",
+                               gettext_noop ("run autoconfiguration"),
+                               &do_auto),
+
+    GNUNET_GETOPT_option_string (
+      'S',
+      "section",
+      "NAME",
+      gettext_noop (
+        "section name providing the configuration for the adapter"),
+      &section_name),
+
+    GNUNET_GETOPT_option_flag ('t', "tcp", gettext_noop ("use TCP"), &use_tcp),
+
+    GNUNET_GETOPT_option_flag ('u', "udp", gettext_noop ("use UDP"), &use_udp),
+
+    GNUNET_GETOPT_option_flag (
+      'w',
+      "write",
+      gettext_noop ("write configuration file (for autoconfiguration)"),
+      &write_cfg),
+    GNUNET_GETOPT_OPTION_END };
+
+  if (GNUNET_OK != GNUNET_STRINGS_get_utf8_args (argc, argv, &argc, &argv))
+    return 2;
+  if (GNUNET_OK !=
+      GNUNET_PROGRAM_run (argc,
+                          argv,
+                          "gnunet-nat-auto [options]",
+                          _ ("GNUnet NAT traversal autoconfiguration"),
+                          options,
+                          &run,
+                          NULL))
+  {
+    global_ret = 1;
+  }
+  GNUNET_free_nz ((void *) argv);
+  return global_ret;
+}
+
+
+/* end of gnunet-nat-auto.c */
diff --git a/src/cli/nat-auto/gnunet-nat-server.c b/src/cli/nat-auto/gnunet-nat-server.c
new file mode 100644
index 000000000..baa610e8f
--- /dev/null
+++ b/src/cli/nat-auto/gnunet-nat-server.c
@@ -0,0 +1,403 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2011, 2017 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @file src/nat/gnunet-nat-server.c
+ * @brief Daemon to run on 'gnunet.org' to help test NAT traversal code
+ * @author Christian Grothoff
+ */
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include "gnunet_nat_service.h"
+#include "gnunet_protocols.h"
+// FIXME can we build this without this header?
+#include "../../service/nat-auto/nat-auto.h"
+
+
+/**
+ * Information we track per client.
+ */
+struct ClientData
+{
+  /**
+   * Timeout task.
+   */
+  struct GNUNET_SCHEDULER_Task *tt;
+
+  /**
+   * Client handle.
+   */
+  struct GNUNET_SERVICE_Client *client;
+};
+
+
+/**
+ * Our configuration.
+ */
+static const struct GNUNET_CONFIGURATION_Handle *cfg;
+
+
+/**
+ * Try contacting the peer using autonomous NAT traversal method.
+ *
+ * @param dst_ipv4 IPv4 address to send the fake ICMP message
+ * @param dport destination port to include in ICMP message
+ * @param is_tcp mark for TCP (#GNUNET_YES)  or UDP (#GNUNET_NO)
+ */
+static void
+try_anat (uint32_t dst_ipv4,
+          uint16_t dport,
+          int is_tcp)
+{
+  struct GNUNET_NAT_Handle *h;
+  struct sockaddr_in lsa;
+  struct sockaddr_in rsa;
+  const struct sockaddr *sa;
+  socklen_t sa_len;
+
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Asking for connection reversal with %x and code %u\n",
+              (unsigned int) dst_ipv4,
+              (unsigned int) dport);
+  memset (&lsa, 0, sizeof(lsa));
+  lsa.sin_family = AF_INET;
+#if HAVE_SOCKADDR_IN_SIN_LEN
+  lsa.sin_len = sizeof(sa);
+#endif
+  lsa.sin_addr.s_addr = 0;
+  lsa.sin_port = htons (dport);
+  memset (&rsa, 0, sizeof(rsa));
+  rsa.sin_family = AF_INET;
+#if HAVE_SOCKADDR_IN_SIN_LEN
+  rsa.sin_len = sizeof(sa);
+#endif
+  rsa.sin_addr.s_addr = dst_ipv4;
+  rsa.sin_port = htons (dport);
+  sa_len = sizeof(lsa);
+  sa = (const struct sockaddr *) &lsa;
+  h = GNUNET_NAT_register (cfg,
+                           "none",
+                           is_tcp ? IPPROTO_TCP : IPPROTO_UDP,
+                           1,
+                           &sa,
+                           &sa_len,
+                           NULL, NULL, NULL);
+  GNUNET_NAT_request_reversal (h,
+                               &lsa,
+                               &rsa);
+  GNUNET_NAT_unregister (h);
+}
+
+
+/**
+ * Closure for #tcp_send.
+ */
+struct TcpContext
+{
+  /**
+   * TCP  socket.
+   */
+  struct GNUNET_NETWORK_Handle *s;
+
+  /**
+   * Data to transmit.
+   */
+  uint16_t data;
+};
+
+
+/**
+ * Task called by the scheduler once we can do the TCP send
+ * (or once we failed to connect...).
+ *
+ * @param cls the `struct TcpContext`
+ */
+static void
+tcp_send (void *cls)
+{
+  struct TcpContext *ctx = cls;
+  const struct GNUNET_SCHEDULER_TaskContext *tc;
+
+  tc = GNUNET_SCHEDULER_get_task_context ();
+  if ((NULL != tc->write_ready) &&
+      (GNUNET_NETWORK_fdset_isset (tc->write_ready, ctx->s)))
+  {
+    if (-1 ==
+        GNUNET_NETWORK_socket_send (ctx->s, &ctx->data, sizeof(ctx->data)))
+    {
+      GNUNET_log_strerror (GNUNET_ERROR_TYPE_DEBUG, "send");
+    }
+    GNUNET_NETWORK_socket_shutdown (ctx->s, SHUT_RDWR);
+  }
+  GNUNET_NETWORK_socket_close (ctx->s);
+  GNUNET_free (ctx);
+}
+
+
+/**
+ * Try to send @a data to the
+ * IP @a dst_ipv4' at port @a dport via TCP.
+ *
+ * @param dst_ipv4 target IP
+ * @param dport target port
+ * @param data data to send
+ */
+static void
+try_send_tcp (uint32_t dst_ipv4,
+              uint16_t dport,
+              uint16_t data)
+{
+  struct GNUNET_NETWORK_Handle *s;
+  struct sockaddr_in sa;
+  struct TcpContext *ctx;
+
+  s = GNUNET_NETWORK_socket_create (AF_INET,
+                                    SOCK_STREAM,
+                                    0);
+  if (NULL == s)
+  {
+    GNUNET_log_strerror (GNUNET_ERROR_TYPE_WARNING,
+                         "socket");
+    return;
+  }
+  memset (&sa, 0, sizeof(sa));
+  sa.sin_family = AF_INET;
+#if HAVE_SOCKADDR_IN_SIN_LEN
+  sa.sin_len = sizeof(sa);
+#endif
+  sa.sin_addr.s_addr = dst_ipv4;
+  sa.sin_port = htons (dport);
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Sending TCP message to `%s'\n",
+              GNUNET_a2s ((struct sockaddr *) &sa,
+                          sizeof(sa)));
+  if ((GNUNET_OK !=
+       GNUNET_NETWORK_socket_connect (s,
+                                      (const struct sockaddr *) &sa,
+                                      sizeof(sa))) &&
+      (errno != EINPROGRESS))
+  {
+    GNUNET_log_strerror (GNUNET_ERROR_TYPE_WARNING,
+                         "connect");
+    GNUNET_NETWORK_socket_close (s);
+    return;
+  }
+  ctx = GNUNET_new (struct TcpContext);
+  ctx->s = s;
+  ctx->data = data;
+  GNUNET_SCHEDULER_add_write_net (GNUNET_TIME_UNIT_SECONDS,
+                                  s,
+                                  &tcp_send,
+                                  ctx);
+}
+
+
+/**
+ * Try to send @a data to the
+ * IP @a dst_ipv4 at port @a dport via UDP.
+ *
+ * @param dst_ipv4 target IP
+ * @param dport target port
+ * @param data data to send
+ */
+static void
+try_send_udp (uint32_t dst_ipv4,
+              uint16_t dport,
+              uint16_t data)
+{
+  struct GNUNET_NETWORK_Handle *s;
+  struct sockaddr_in sa;
+
+  s = GNUNET_NETWORK_socket_create (AF_INET,
+                                    SOCK_DGRAM,
+                                    0);
+  if (NULL == s)
+  {
+    GNUNET_log_strerror (GNUNET_ERROR_TYPE_WARNING,
+                         "socket");
+    return;
+  }
+  memset (&sa, 0, sizeof(sa));
+  sa.sin_family = AF_INET;
+#if HAVE_SOCKADDR_IN_SIN_LEN
+  sa.sin_len = sizeof(sa);
+#endif
+  sa.sin_addr.s_addr = dst_ipv4;
+  sa.sin_port = htons (dport);
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Sending UDP packet to `%s'\n",
+              GNUNET_a2s ((struct sockaddr *) &sa,
+                          sizeof(sa)));
+  if (-1 ==
+      GNUNET_NETWORK_socket_sendto (s,
+                                    &data,
+                                    sizeof(data),
+                                    (const struct sockaddr *) &sa,
+                                    sizeof(sa)))
+    GNUNET_log_strerror (GNUNET_ERROR_TYPE_WARNING,
+                         "sendto");
+  GNUNET_NETWORK_socket_close (s);
+}
+
+
+/**
+ * We've received a request to probe a NAT
+ * traversal. Do it.
+ *
+ * @param cls handle to client (we always close)
+ * @param tm message with details about what to test
+ */
+static void
+handle_test (void *cls,
+             const struct GNUNET_NAT_AUTO_TestMessage *tm)
+{
+  struct ClientData *cd = cls;
+  uint16_t dport;
+
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Received test request\n");
+  dport = ntohs (tm->dport);
+  if (0 == dport)
+    try_anat (tm->dst_ipv4,
+              ntohs (tm->data),
+              (int) ntohl (tm->is_tcp));
+  else if (GNUNET_YES == ntohl (tm->is_tcp))
+    try_send_tcp (tm->dst_ipv4,
+                  dport,
+                  tm->data);
+  else
+    try_send_udp (tm->dst_ipv4,
+                  dport,
+                  tm->data);
+  GNUNET_SERVICE_client_drop (cd->client);
+}
+
+
+/**
+ * Main function that will be run.
+ *
+ * @param cls closure
+ * @param c configuration
+ * @param srv service handle
+ */
+static void
+run (void *cls,
+     const struct GNUNET_CONFIGURATION_Handle *c,
+     struct GNUNET_SERVICE_Handle *srv)
+{
+  cfg = c;
+}
+
+
+/**
+ * Forcefully drops client after 1s.
+ *
+ * @param cls our `struct ClientData` of a client to drop
+ */
+static void
+force_timeout (void *cls)
+{
+  struct ClientData *cd = cls;
+
+  cd->tt = NULL;
+  GNUNET_SERVICE_client_drop (cd->client);
+}
+
+
+/**
+ * Callback called when a client connects to the service.
+ *
+ * @param cls closure for the service
+ * @param c the new client that connected to the service
+ * @param mq the message queue used to send messages to the client
+ * @return our `struct ClientData`
+ */
+static void *
+client_connect_cb (void *cls,
+                   struct GNUNET_SERVICE_Client *c,
+                   struct GNUNET_MQ_Handle *mq)
+{
+  struct ClientData *cd;
+
+  cd = GNUNET_new (struct ClientData);
+  cd->client = c;
+  cd->tt = GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_UNIT_SECONDS,
+                                         &force_timeout,
+                                         cd);
+  return cd;
+}
+
+
+/**
+ * Callback called when a client disconnected from the service
+ *
+ * @param cls closure for the service
+ * @param c the client that disconnected
+ * @param internal_cls our `struct ClientData`
+ */
+static void
+client_disconnect_cb (void *cls,
+                      struct GNUNET_SERVICE_Client *c,
+                      void *internal_cls)
+{
+  struct ClientData *cd = internal_cls;
+
+  if (NULL != cd->tt)
+    GNUNET_SCHEDULER_cancel (cd->tt);
+  GNUNET_free (cd);
+}
+
+
+/**
+ * Define "main" method using service macro.
+ */
+GNUNET_SERVICE_MAIN
+  ("nat-server",
+  GNUNET_SERVICE_OPTION_NONE,
+  &run,
+  &client_connect_cb,
+  &client_disconnect_cb,
+  NULL,
+  GNUNET_MQ_hd_fixed_size (test,
+                           GNUNET_MESSAGE_TYPE_NAT_TEST,
+                           struct GNUNET_NAT_AUTO_TestMessage,
+                           NULL),
+  GNUNET_MQ_handler_end ());
+
+
+#if defined(__linux__) && defined(__GLIBC__)
+#include <malloc.h>
+
+/**
+ * MINIMIZE heap size (way below 128k) since this process doesn't need much.
+ */
+void __attribute__ ((constructor))
+GNUNET_ARM_memory_init ()
+{
+  mallopt (M_TRIM_THRESHOLD, 4 * 1024);
+  mallopt (M_TOP_PAD, 1 * 1024);
+  malloc_trim (0);
+}
+
+
+#endif
+
+
+/* end of gnunet-nat-server.c */
diff --git a/src/cli/nat-auto/meson.build b/src/cli/nat-auto/meson.build
new file mode 100644
index 000000000..69e719126
--- /dev/null
+++ b/src/cli/nat-auto/meson.build
@@ -0,0 +1,14 @@
+executable ('gnunet-nat-auto',
+            ['gnunet-nat-auto.c'],
+            dependencies: [libgnunetnatauto_dep, libgnunetutil_dep,
+                           libgnunetnat_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+executable ('gnunet-nat-server',
+            ['gnunet-nat-server.c'],
+            dependencies: [libgnunetnatauto_dep, libgnunetutil_dep, libgnunetnat_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+
diff --git a/src/cli/nat/.gitignore b/src/cli/nat/.gitignore
new file mode 100644
index 000000000..89e635e9f
--- /dev/null
+++ b/src/cli/nat/.gitignore
@@ -0,0 +1 @@
+gnunet-nat
diff --git a/src/cli/nat/Makefile.am b/src/cli/nat/Makefile.am
new file mode 100644
index 000000000..1bdd1a6be
--- /dev/null
+++ b/src/cli/nat/Makefile.am
@@ -0,0 +1,17 @@
+# This Makefile.am is in the public domain
+AM_CPPFLAGS = -I$(top_srcdir)/src/include
+
+libexecdir= $(pkglibdir)/libexec/
+
+pkgcfgdir= $(pkgdatadir)/config.d/
+
+bin_PROGRAMS = \
+ gnunet-nat
+
+gnunet_nat_SOURCES = \
+  gnunet-nat.c
+gnunet_nat_LDADD = \
+  $(top_builddir)/src/service/nat/libgnunetnatnew.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la
+gnunet_nat_LDFLAGS = \
+  $(GN_LIBINTL)
diff --git a/src/cli/nat/gnunet-nat.c b/src/cli/nat/gnunet-nat.c
new file mode 100644
index 000000000..fd85549d6
--- /dev/null
+++ b/src/cli/nat/gnunet-nat.c
@@ -0,0 +1,476 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2015, 2016 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @file src/nat/gnunet-nat.c
+ * @brief Command-line tool to interact with the NAT service
+ * @author Christian Grothoff
+ * @author Bruno Cabral
+ */
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include "gnunet_nat_service.h"
+
+/**
+ * Value to return from #main().
+ */
+static int global_ret;
+
+/**
+ * Name of section in configuration file to use for
+ * additional options.
+ */
+static char *section_name;
+
+/**
+ * Flag set to 1 if we use IPPROTO_UDP.
+ */
+static int use_udp;
+
+/**
+ * Flag set to 1 if we are to listen for connection reversal requests.
+ */
+static int listen_reversal;
+
+/**
+ * Flag set to 1 if we use IPPROTO_TCP.
+ */
+static int use_tcp;
+
+/**
+ * Protocol to use.
+ */
+static uint8_t proto;
+
+/**
+ * Local address to use for connection reversal request.
+ */
+static char *local_addr;
+
+/**
+ * Remote address to use for connection reversal request.
+ */
+static char *remote_addr;
+
+/**
+ * Should we actually bind to #bind_addr and receive and process STUN requests?
+ */
+static int do_stun;
+
+/**
+ * Handle to NAT operation.
+ */
+static struct GNUNET_NAT_Handle *nh;
+
+/**
+ * Listen socket for STUN processing.
+ */
+static struct GNUNET_NETWORK_Handle *ls;
+
+/**
+ * Task for reading STUN packets.
+ */
+static struct GNUNET_SCHEDULER_Task *rtask;
+
+
+/**
+ * Test if all activities have finished, and if so,
+ * terminate.
+ */
+static void
+test_finished ()
+{
+  if (NULL != nh)
+    return;
+  if (NULL != rtask)
+    return;
+  GNUNET_SCHEDULER_shutdown ();
+}
+
+
+/**
+ * Signature of the callback passed to #GNUNET_NAT_register() for
+ * a function to call whenever our set of 'valid' addresses changes.
+ *
+ * @param cls closure, NULL
+ * @param[in,out] app_ctx location where the app can store stuff
+ *                  on add and retrieve it on remove
+ * @param add_remove #GNUNET_YES to add a new public IP address,
+ *                   #GNUNET_NO to remove a previous (now invalid) one
+ * @param ac address class the address belongs to
+ * @param addr either the previous or the new public IP address
+ * @param addrlen actual length of the @a addr
+ */
+static void
+address_cb (void *cls,
+            void **app_ctx,
+            int add_remove,
+            enum GNUNET_NAT_AddressClass ac,
+            const struct sockaddr *addr,
+            socklen_t addrlen)
+{
+  (void) cls;
+  (void) app_ctx;
+
+  fprintf (stdout,
+           "%s %s (%d)\n",
+           add_remove ? "+" : "-",
+           GNUNET_a2s (addr, addrlen),
+           (int) ac);
+}
+
+
+/**
+ * Signature of the callback passed to #GNUNET_NAT_register().
+ * for a function to call whenever someone asks us to do connection
+ * reversal.
+ *
+ * @param cls closure, NULL
+ * @param remote_addr public IP address of the other peer
+ * @param remote_addrlen actual length of the @a remote_addr
+ */
+static void
+reversal_cb (void *cls,
+             const struct sockaddr *remote_addr,
+             socklen_t remote_addrlen)
+{
+  GNUNET_log (GNUNET_ERROR_TYPE_MESSAGE,
+              "Connection reversal requested by %s\n",
+              GNUNET_a2s (remote_addr, remote_addrlen));
+}
+
+
+/**
+ * Task run on shutdown.
+ *
+ * @param cls NULL
+ */
+static void
+do_shutdown (void *cls)
+{
+  if (NULL != nh)
+  {
+    GNUNET_NAT_unregister (nh);
+    nh = NULL;
+  }
+  if (NULL != ls)
+  {
+    GNUNET_NETWORK_socket_close (ls);
+    ls = NULL;
+  }
+  if (NULL != rtask)
+  {
+    GNUNET_SCHEDULER_cancel (rtask);
+    rtask = NULL;
+  }
+}
+
+
+/**
+ * Task to receive incoming packets for STUN processing.
+ */
+static void
+stun_read_task (void *cls)
+{
+  ssize_t size;
+
+  rtask = GNUNET_SCHEDULER_add_read_net (GNUNET_TIME_UNIT_FOREVER_REL,
+                                         ls,
+                                         &stun_read_task,
+                                         NULL);
+  size = GNUNET_NETWORK_socket_recvfrom_amount (ls);
+  if (size > 0)
+  {
+    GNUNET_break (0);
+    GNUNET_SCHEDULER_shutdown ();
+    global_ret = 1;
+    return;
+  }
+  {
+    char buf[size + 1];
+    struct sockaddr_storage sa;
+    socklen_t salen = sizeof(sa);
+    ssize_t ret;
+
+    ret = GNUNET_NETWORK_socket_recvfrom (ls,
+                                          buf,
+                                          size + 1,
+                                          (struct sockaddr *) &sa,
+                                          &salen);
+    if (ret != size)
+    {
+      GNUNET_break (0);
+      GNUNET_SCHEDULER_shutdown ();
+      global_ret = 1;
+      return;
+    }
+    (void) GNUNET_NAT_stun_handle_packet (nh,
+                                          (const struct sockaddr *) &sa,
+                                          salen,
+                                          buf,
+                                          ret);
+  }
+}
+
+
+/**
+ * Main function that will be run.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param c configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *c)
+{
+  uint8_t af;
+  struct sockaddr *local_sa;
+  struct sockaddr *remote_sa;
+  socklen_t local_len;
+  size_t remote_len;
+
+  if (use_tcp && use_udp)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_MESSAGE, "Cannot use TCP and UDP\n");
+    global_ret = 1;
+    return;
+  }
+  proto = 0;
+  if (use_tcp)
+    proto = IPPROTO_TCP;
+  if (use_udp)
+    proto = IPPROTO_UDP;
+
+  GNUNET_SCHEDULER_add_shutdown (&do_shutdown, NULL);
+
+  if (0 == proto)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_MESSAGE, "Must specify either TCP or UDP\n");
+    global_ret = 1;
+    return;
+  }
+  local_len = 0;
+  local_sa = NULL;
+  remote_len = 0;
+  remote_sa = NULL;
+  if (NULL != local_addr)
+  {
+    local_len =
+      (socklen_t) GNUNET_STRINGS_parse_socket_addr (local_addr, &af, &local_sa);
+    if (0 == local_len)
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_MESSAGE,
+                  "Invalid socket address `%s'\n",
+                  local_addr);
+      goto fail_and_shutdown;
+    }
+  }
+
+  if (NULL != remote_addr)
+  {
+    remote_len =
+      GNUNET_STRINGS_parse_socket_addr (remote_addr, &af, &remote_sa);
+    if (0 == remote_len)
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_MESSAGE,
+                  "Invalid socket address `%s'\n",
+                  remote_addr);
+      goto fail_and_shutdown;
+    }
+  }
+
+  if (NULL != local_addr)
+  {
+    if (NULL == section_name)
+      section_name = GNUNET_strdup ("undefined");
+    nh = GNUNET_NAT_register (c,
+                              section_name,
+                              proto,
+                              1,
+                              (const struct sockaddr **) &local_sa,
+                              &local_len,
+                              &address_cb,
+                              (listen_reversal) ? &reversal_cb : NULL,
+                              NULL);
+  }
+  else if (listen_reversal)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_MESSAGE,
+                "Use of `-W` only effective in combination with `-i`\n");
+    goto fail_and_shutdown;
+  }
+
+  if (NULL != remote_addr)
+  {
+    int ret;
+
+    if ((NULL == nh) || (sizeof(struct sockaddr_in) != local_len))
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_MESSAGE,
+                  "Require IPv4 local address to initiate connection reversal\n");
+      goto fail_and_shutdown;
+    }
+    if (sizeof(struct sockaddr_in) != remote_len)
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_MESSAGE,
+                  "Require IPv4 reversal target address\n");
+      goto fail_and_shutdown;
+    }
+    GNUNET_assert (AF_INET == local_sa->sa_family);
+    GNUNET_assert (AF_INET == remote_sa->sa_family);
+    ret = GNUNET_NAT_request_reversal (nh,
+                                       (const struct sockaddr_in *) local_sa,
+                                       (const struct sockaddr_in *) remote_sa);
+    switch (ret)
+    {
+    case GNUNET_SYSERR:
+      GNUNET_log (GNUNET_ERROR_TYPE_MESSAGE,
+                  "Connection reversal internal error\n");
+      break;
+
+    case GNUNET_NO:
+      GNUNET_log (GNUNET_ERROR_TYPE_MESSAGE,
+                  "Connection reversal unavailable\n");
+      break;
+
+    case GNUNET_OK:
+      /* operation in progress */
+      break;
+    }
+  }
+
+  if (do_stun)
+  {
+    if (NULL == local_addr)
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_MESSAGE,
+                  "Require local address to support STUN requests\n");
+      goto fail_and_shutdown;
+    }
+    if (IPPROTO_UDP != proto)
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_MESSAGE, "STUN only supported over UDP\n");
+      goto fail_and_shutdown;
+    }
+    ls = GNUNET_NETWORK_socket_create (af, SOCK_DGRAM, IPPROTO_UDP);
+    if (NULL == ls)
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_MESSAGE, "Failed to create socket\n");
+      goto fail_and_shutdown;
+    }
+    if (GNUNET_OK != GNUNET_NETWORK_socket_bind (ls, local_sa, local_len))
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                  "Failed to bind to %s: %s\n",
+                  GNUNET_a2s (local_sa, local_len),
+                  strerror (errno));
+      goto fail_and_shutdown;
+    }
+    rtask = GNUNET_SCHEDULER_add_read_net (GNUNET_TIME_UNIT_FOREVER_REL,
+                                           ls,
+                                           &stun_read_task,
+                                           NULL);
+  }
+  GNUNET_free (remote_sa);
+  GNUNET_free (local_sa);
+  test_finished ();
+  return;
+fail_and_shutdown:
+  global_ret = 1;
+  GNUNET_SCHEDULER_shutdown ();
+  GNUNET_free (remote_sa);
+  GNUNET_free (local_sa);
+}
+
+
+/**
+ * Main function of gnunet-nat
+ *
+ * @param argc number of command-line arguments
+ * @param argv command line
+ * @return 0 on success, -1 on error
+ */
+int
+main (int argc, char *const argv[])
+{
+  struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_option_string (
+      'i',
+      "in",
+      "ADDRESS",
+      gettext_noop ("which IP and port are we locally using to bind/listen to"),
+      &local_addr),
+
+    GNUNET_GETOPT_option_string (
+      'r',
+      "remote",
+      "ADDRESS",
+      gettext_noop (
+        "which remote IP and port should be asked for connection reversal"),
+      &remote_addr),
+
+    GNUNET_GETOPT_option_string (
+      'S',
+      "section",
+      NULL,
+      gettext_noop (
+        "name of configuration section to find additional options, such as manual host punching data"),
+      &section_name),
+
+    GNUNET_GETOPT_option_flag ('s',
+                               "stun",
+                               gettext_noop ("enable STUN processing"),
+                               &do_stun),
+
+    GNUNET_GETOPT_option_flag ('t', "tcp", gettext_noop ("use TCP"), &use_tcp),
+
+    GNUNET_GETOPT_option_flag ('u', "udp", gettext_noop ("use UDP"), &use_udp),
+
+    GNUNET_GETOPT_option_flag ('W',
+                               "watch",
+                               gettext_noop (
+                                 "watch for connection reversal requests"),
+                               &listen_reversal),
+    GNUNET_GETOPT_OPTION_END
+  };
+
+  if (GNUNET_OK != GNUNET_STRINGS_get_utf8_args (argc, argv, &argc, &argv))
+    return 2;
+  if (GNUNET_OK !=
+      GNUNET_PROGRAM_run (argc,
+                          argv,
+                          "gnunet-nat [options]",
+                          _ ("GNUnet NAT traversal autoconfigure daemon"),
+                          options,
+                          &run,
+                          NULL))
+  {
+    global_ret = 1;
+  }
+  GNUNET_free_nz ((void *) argv);
+  return global_ret;
+}
+
+
+/* end of gnunet-nat.c */
diff --git a/src/cli/nat/meson.build b/src/cli/nat/meson.build
new file mode 100644
index 000000000..41af0c087
--- /dev/null
+++ b/src/cli/nat/meson.build
@@ -0,0 +1,7 @@
+executable ('gnunet-nat',
+            ['gnunet-nat.c'],
+            dependencies: [libgnunetnat_dep, libgnunetutil_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+
diff --git a/src/cli/nse/.gitignore b/src/cli/nse/.gitignore
new file mode 100644
index 000000000..ec3c6a9cf
--- /dev/null
+++ b/src/cli/nse/.gitignore
@@ -0,0 +1 @@
+gnunet-nse
diff --git a/src/cli/nse/Makefile.am b/src/cli/nse/Makefile.am
new file mode 100644
index 000000000..e724a22d3
--- /dev/null
+++ b/src/cli/nse/Makefile.am
@@ -0,0 +1,19 @@
+# This Makefile.am is in the public domain
+AM_CPPFLAGS = -I$(top_srcdir)/src/include
+
+if USE_COVERAGE
+  AM_CFLAGS = --coverage -O0
+  XLIB = -lgcov
+endif
+
+pkgcfgdir= $(pkgdatadir)/config.d/
+
+libexecdir= $(pkglibdir)/libexec/
+
+bin_PROGRAMS = gnunet-nse
+
+gnunet_nse_SOURCES = gnunet-nse.c
+gnunet_nse_LDADD = \
+  $(top_builddir)/src/service/nse/libgnunetnse.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(XLIB) $(GN_LIBINTL)
diff --git a/src/cli/nse/gnunet-nse.c b/src/cli/nse/gnunet-nse.c
new file mode 100644
index 000000000..b88697695
--- /dev/null
+++ b/src/cli/nse/gnunet-nse.c
@@ -0,0 +1,143 @@
+/*
+      This file is part of GNUnet
+      Copyright (C) 2008--2014, 2016 GNUnet e.V.
+
+      GNUnet is free software: you can redistribute it and/or modify it
+      under the terms of the GNU Affero General Public License as published
+      by the Free Software Foundation, either version 3 of the License,
+      or (at your option) any later version.
+
+      GNUnet is distributed in the hope that it will be useful, but
+      WITHOUT ANY WARRANTY; without even the implied warranty of
+      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+      Affero General Public License for more details.
+
+      You should have received a copy of the GNU Affero General Public License
+      along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @file nse/gnunet-nse.c
+ * @brief Program to display network size estimates from the NSE service
+ * @author Sree Harsha Totakura <sreeharsha@totakura.in>
+ */
+
+#include "platform.h"
+#include "gnunet_nse_service.h"
+#include <gnunet_util_lib.h>
+
+/**
+ * The handle to the NSE service
+ */
+static struct GNUNET_NSE_Handle *nse;
+
+/**
+ * The program status; 0 for success.
+ */
+static int status;
+
+/**
+ * Monitor flag.
+ */
+static int monitor;
+
+
+/**
+ * Task to shutdown and clean up all state
+ *
+ * @param cls NULL
+ */
+static void
+do_shutdown (void *cls)
+{
+  (void) cls;
+  if (NULL != nse)
+  {
+    GNUNET_NSE_disconnect (nse);
+    nse = NULL;
+  }
+}
+
+
+/**
+ * Callback to call when network size estimate is updated.
+ *
+ * @param cls NULL
+ * @param timestamp server timestamp
+ * @param estimate the value of the current network size estimate
+ * @param std_dev standard deviation (rounded down to nearest integer)
+ *                of the size estimation values seen
+ */
+static void
+handle_estimate (void *cls,
+                 struct GNUNET_TIME_Absolute timestamp,
+                 double estimate,
+                 double std_dev)
+{
+  (void) cls;
+  status = 0;
+  fprintf (stdout,
+           "%s: #peers=%f (ld(#peers)=%f, stddev=%f)\n",
+           GNUNET_STRINGS_absolute_time_to_string (timestamp),
+           GNUNET_NSE_log_estimate_to_n (estimate),
+           estimate,
+           std_dev);
+  if (! monitor)
+    GNUNET_SCHEDULER_shutdown ();
+}
+
+
+/**
+ * Actual main function that runs the emulation.
+ *
+ * @param cls unused
+ * @param args remaining args, unused
+ * @param cfgfile name of the configuration
+ * @param cfg configuration handle
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  (void) cls;
+  (void) args;
+  (void) cfgfile;
+  nse = GNUNET_NSE_connect (cfg, &handle_estimate, NULL);
+  GNUNET_SCHEDULER_add_shutdown (&do_shutdown, NULL);
+}
+
+
+/**
+ * Main function.
+ *
+ * @return 0 on success
+ */
+int
+main (int argc, char *const *argv)
+{
+  struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_option_flag ('m',
+                               "monitor",
+                               gettext_noop (
+                                 "Monitor and output current estimates"),
+                               &monitor),
+    GNUNET_GETOPT_OPTION_END
+  };
+
+  status = 1;
+  if (GNUNET_OK !=
+      GNUNET_PROGRAM_run (argc,
+                          argv,
+                          "gnunet-nse",
+                          gettext_noop (
+                            "Show network size estimates from NSE service."),
+                          options,
+                          &run,
+                          NULL))
+    return 2;
+  return status;
+}
diff --git a/src/cli/nse/meson.build b/src/cli/nse/meson.build
new file mode 100644
index 000000000..584c7eb71
--- /dev/null
+++ b/src/cli/nse/meson.build
@@ -0,0 +1,7 @@
+executable ('gnunet-nse',
+            ['gnunet-nse.c'],
+            dependencies: [libgnunetnse_dep, m_dep, libgnunetutil_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+
diff --git a/src/cli/peerstore/.gitignore b/src/cli/peerstore/.gitignore
new file mode 100644
index 000000000..3ae0f6c6c
--- /dev/null
+++ b/src/cli/peerstore/.gitignore
@@ -0,0 +1 @@
+gnunet-peerstore
diff --git a/src/cli/peerstore/Makefile.am b/src/cli/peerstore/Makefile.am
new file mode 100644
index 000000000..f5be82f09
--- /dev/null
+++ b/src/cli/peerstore/Makefile.am
@@ -0,0 +1,23 @@
+# This Makefile.am is in the public domain
+AM_CPPFLAGS = -I$(top_srcdir)/src/include
+
+plugindir = $(libdir)/gnunet
+
+pkgcfgdir= $(pkgdatadir)/config.d/
+
+libexecdir= $(pkglibdir)/libexec/
+
+if USE_COVERAGE
+  AM_CFLAGS = -fprofile-arcs -ftest-coverage
+endif
+
+# This program does not do anything.
+noinst_PROGRAMS = \
+ gnunet-peerstore
+
+gnunet_peerstore_SOURCES = \
+ gnunet-peerstore.c
+gnunet_peerstore_LDADD = \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(top_builddir)/src/service/peerstore/libgnunetpeerstore.la \
+  $(GN_LIBINTL)
diff --git a/src/cli/peerstore/gnunet-peerstore.c b/src/cli/peerstore/gnunet-peerstore.c
new file mode 100644
index 000000000..84cae675f
--- /dev/null
+++ b/src/cli/peerstore/gnunet-peerstore.c
@@ -0,0 +1,97 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C)
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @file peerstore/gnunet-peerstore.c
+ * @brief peerstore tool
+ * @author Omar Tarabai
+ */
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include "gnunet_peerstore_service.h"
+
+static int ret;
+
+/*
+ * Handle to PEERSTORE service
+ */
+static struct GNUNET_PEERSTORE_Handle *peerstore_handle;
+
+
+/**
+ * Run on shutdown
+ *
+ * @param cls unused
+ */
+static void
+shutdown_task (void *cls)
+{
+  if (NULL != peerstore_handle)
+  {
+    GNUNET_PEERSTORE_disconnect (peerstore_handle);
+    peerstore_handle = NULL;
+  }
+}
+
+
+/**
+ * Main function that will be run by the scheduler.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param cfg configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  GNUNET_SCHEDULER_add_shutdown (&shutdown_task,
+                                 NULL);
+  peerstore_handle = GNUNET_PEERSTORE_connect (cfg);
+  GNUNET_assert (NULL != peerstore_handle);
+  ret = 0;
+}
+
+
+/**
+ * The main function to peerstore.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc, char *const *argv)
+{
+  static const struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_OPTION_END
+  };
+
+  return (GNUNET_OK ==
+          GNUNET_PROGRAM_run (argc, argv, "gnunet-peerstore [options [value]]",
+                              gettext_noop ("peerstore"), options, &run,
+                              NULL)) ? ret : 1;
+}
+
+
+/* end of gnunet-peerstore.c */
diff --git a/src/cli/peerstore/meson.build b/src/cli/peerstore/meson.build
new file mode 100644
index 000000000..1fd177734
--- /dev/null
+++ b/src/cli/peerstore/meson.build
@@ -0,0 +1,9 @@
+executable ('gnunet-peerstore',
+            'gnunet-peerstore.c',
+            dependencies: [libgnunetpeerstore_dep,
+                           libgnunetutil_dep
+                          ],
+            include_directories: [incdir, configuration_inc],
+            install: false,
+            install_dir: get_option('bindir'))
+
diff --git a/src/cli/reclaim/.gitignore b/src/cli/reclaim/.gitignore
new file mode 100644
index 000000000..49e84eb66
--- /dev/null
+++ b/src/cli/reclaim/.gitignore
@@ -0,0 +1,2 @@
+gnunet-reclaim
+gnunet-did
diff --git a/src/cli/reclaim/Makefile.am b/src/cli/reclaim/Makefile.am
new file mode 100644
index 000000000..9803ac7ac
--- /dev/null
+++ b/src/cli/reclaim/Makefile.am
@@ -0,0 +1,57 @@
+# This Makefile.am is in the public domain
+AM_CPPFLAGS = -I$(top_srcdir)/src/include
+
+ plugindir = $(libdir)/gnunet
+
+if USE_COVERAGE
+  AM_CFLAGS = --coverage -O0
+  XLIB = -lgcov
+endif
+
+
+EXTRA_DIST = \
+  test_reclaim_defaults.conf \
+  test_reclaim.conf \
+  $(check_SCRIPTS)
+
+pkgcfgdir= $(pkgdatadir)/config.d/
+
+libexecdir= $(pkglibdir)/libexec/
+
+bin_PROGRAMS = \
+ gnunet-reclaim \
+ gnunet-did
+
+gnunet_reclaim_SOURCES = \
+ gnunet-reclaim.c
+gnunet_reclaim_LDADD = \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(top_builddir)/src/service/namestore/libgnunetnamestore.la \
+  $(top_builddir)/src/service/reclaim/libgnunetreclaim.la \
+  $(top_builddir)/src/service/identity/libgnunetidentity.la \
+  $(GN_LIBINTL)
+
+gnunet_did_SOURCES = \
+        gnunet-did.c
+gnunet_did_LDADD = \
+        $(top_builddir)/src/lib/util/libgnunetutil.la \
+        $(top_builddir)/src/service/gns/libgnunetgns.la \
+        $(top_builddir)/src/lib/gnsrecord/libgnunetgnsrecord.la \
+        $(top_builddir)/src/service/identity/libgnunetidentity.la \
+        $(top_builddir)/src/service/namestore/libgnunetnamestore.la \
+  $(top_builddir)/src/service/reclaim/libgnunetdid.la \
+        -ljansson
+gnunet_did_CFLAGS = \
+        -I$(top_builddir)/src/service/reclaim
+
+check_SCRIPTS = \
+  test_reclaim_attribute.sh \
+  test_reclaim_issue.sh \
+  test_reclaim_consume.sh
+
+if ENABLE_TEST_RUN
+ AM_TESTS_ENVIRONMENT=export GNUNET_PREFIX=$${GNUNET_PREFIX:-@libdir@};export PATH=$${GNUNET_PREFIX:-@prefix@}/bin:$$PATH;unset XDG_DATA_HOME;unset XDG_CONFIG_HOME;
+ TESTS = \
+  $(check_SCRIPTS) \
+  $(check_PROGRAMS)
+endif
diff --git a/src/cli/reclaim/gnunet-did.c b/src/cli/reclaim/gnunet-did.c
new file mode 100644
index 000000000..a8ac7652e
--- /dev/null
+++ b/src/cli/reclaim/gnunet-did.c
@@ -0,0 +1,661 @@
+/*
+   This file is part of GNUnet.
+   Copyright (C) 2012-2022 GNUnet e.V.
+
+   GNUnet is free software: you can redistribute it and/or modify it
+   under the terms of the GNU Affero General Public License as published
+   by the Free Software Foundation, either version 3 of the License,
+   or (at your option) any later version.
+
+   GNUnet is distributed in the hope that it will be useful, but
+   WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Affero General Public License for more details.
+
+   You should have received a copy of the GNU Affero General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * FIXME: Do we only want to handle EdDSA identities?
+ * TODO: Own GNS record type
+ * TODO: Fix overwrite of records in @ if present look for other with same sub
+ * TODO. Tests
+ * TODO: Move constants to did.h
+ * FIXME: Remove and lookup require differnt representations (did vs egoname)
+ */
+
+/**
+ * @author Tristan Schwieren
+ * @file src/did/gnunet-did.c
+ * @brief DID Method Wrapper
+ */
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include "gnunet_namestore_service.h"
+#include "gnunet_identity_service.h"
+#include "gnunet_gns_service.h"
+#include "gnunet_gnsrecord_lib.h"
+#include "did_core.h"
+
+#define GNUNET_DID_DEFAULT_DID_DOCUMENT_EXPIRATION_TIME "1d"
+
+/**
+ * return value
+ */
+static int ret;
+
+/**
+ * Replace DID Document Flag
+ */
+static int replace;
+
+/**
+ * Remove DID Document Flag
+ */
+static int remove_did;
+
+/**
+ *  Get DID Documement for DID Flag
+ */
+static int get;
+
+/**
+ * Create DID Document Flag
+ */
+static int create;
+
+/**
+ * Show DID for Ego Flag
+ */
+static int show;
+
+/**
+ * Show DID for Ego Flag
+ */
+static int show_all;
+
+/**
+ * DID Attribut String
+ */
+static char *did;
+
+/**
+ * DID Document Attribut String
+ */
+static char *didd;
+
+/**
+ * Ego Attribut String
+ */
+static char *egoname;
+
+/**
+ * DID Document expiration Date Attribut String
+ */
+static char *expire;
+
+/*
+ * Handle to the GNS service
+ */
+static struct GNUNET_GNS_Handle *gns_handle;
+
+/*
+ * Handle to the NAMESTORE service
+ */
+static struct GNUNET_NAMESTORE_Handle *namestore_handle;
+
+/*
+ * Handle to the IDENTITY service
+ */
+static struct GNUNET_IDENTITY_Handle *identity_handle;
+
+
+/*
+ * The configuration
+ */
+const static struct GNUNET_CONFIGURATION_Handle *my_cfg;
+
+/**
+ * Give ego exists
+ */
+static int ego_exists = 0;
+
+/**
+ * @brief Disconnect and shutdown
+ * @param cls closure
+ */
+static void
+cleanup (void *cls)
+{
+  if (NULL != gns_handle)
+    GNUNET_GNS_disconnect (gns_handle);
+  if (NULL != namestore_handle)
+    GNUNET_NAMESTORE_disconnect (namestore_handle);
+  if (NULL != identity_handle)
+    GNUNET_IDENTITY_disconnect (identity_handle);
+
+  GNUNET_free (did);
+  GNUNET_free (didd);
+  GNUNET_free (egoname);
+  GNUNET_free (expire);
+
+  GNUNET_SCHEDULER_shutdown ();
+}
+
+
+/**
+ * @brief GNS lookup callback. Prints the DID Document to standard out.
+ * Fails if there is more than one DID record.
+ *
+ * @param cls closure
+ * @param rd_count number of records in @a rd
+ * @param rd the records in the reply
+ */
+static void
+print_did_document (
+  enum GNUNET_GenericReturnValue status,
+  char *did_document,
+  void *cls
+  )
+{
+  if (GNUNET_OK == status)
+    printf ("%s\n", did_document);
+  else
+    printf ("An error occured: %s\n", did_document);
+
+  GNUNET_SCHEDULER_add_now (cleanup, NULL);
+  ret = 0;
+  return;
+}
+
+
+/**
+ * @brief Resolve a DID given by the user.
+ */
+static void
+resolve_did ()
+{
+
+  if (did == NULL)
+  {
+    printf ("Set DID option to resolve DID\n");
+    GNUNET_SCHEDULER_add_now (cleanup, NULL);
+    ret = 1;
+    return;
+  }
+
+  if (GNUNET_OK != DID_resolve (did, gns_handle, print_did_document, NULL))
+  {
+    printf ("An error occured while resoling the DID\n");
+    GNUNET_SCHEDULER_add_now (cleanup, NULL);
+    ret = 0;
+    return;
+  }
+}
+
+
+/**
+ * @brief Signature of a callback function that is called after a did has been removed
+ */
+typedef void
+(*remove_did_document_callback) (void *cls);
+
+/**
+ * @brief A Structure containing a cont and cls. Can be passed as a cls to a callback function
+ *
+ */
+struct Event
+{
+  remove_did_document_callback cont;
+  void *cls;
+};
+
+/**
+ * @brief Implements the GNUNET_NAMESTORE_ContinuationWithStatus
+ * Calls the callback function and cls in the event struct
+ *
+ * @param cls closure containing the event struct
+ * @param success
+ * @param emgs
+ */
+static void
+remove_did_document_namestore_cb (void *cls, enum GNUNET_ErrorCode ec)
+{
+  struct Event *event;
+
+  if (GNUNET_EC_NONE == ec)
+  {
+    event = (struct Event *) cls;
+
+    if (event->cont != NULL)
+    {
+      event->cont (event->cls);
+      free (event);
+    }
+    else
+    {
+      free (event);
+      GNUNET_SCHEDULER_add_now (cleanup, NULL);
+      ret = 0;
+      return;
+    }
+  }
+  else
+  {
+    printf ("Something went wrong when deleting the DID Document\n");
+
+    printf ("%s\n", GNUNET_ErrorCode_get_hint (ec));
+
+    GNUNET_SCHEDULER_add_now (cleanup, NULL);
+    ret = 0;
+    return;
+  }
+}
+
+
+/**
+ * @brief Callback called after the ego has been locked up
+ *
+ * @param cls closure
+ * @param ego the ego returned by the identity service
+ */
+static void
+remove_did_document_ego_lookup_cb (void *cls, struct GNUNET_IDENTITY_Ego *ego)
+{
+  const struct GNUNET_CRYPTO_PrivateKey *skey =
+    GNUNET_IDENTITY_ego_get_private_key (ego);
+
+  GNUNET_NAMESTORE_record_set_store (namestore_handle,
+                                     skey,
+                                     GNUNET_GNS_EMPTY_LABEL_AT,
+                                     0,
+                                     NULL,
+                                     &remove_did_document_namestore_cb,
+                                     cls);
+}
+
+
+/**
+ * @brief Remove a DID Document
+ */
+static void
+remove_did_document (remove_did_document_callback cont, void *cls)
+{
+  struct Event *event;
+
+  if (egoname == NULL)
+  {
+    printf ("Remove requieres an ego option\n");
+    GNUNET_SCHEDULER_add_now (cleanup, NULL);
+    ret = 1;
+    return;
+  }
+  else
+  {
+    event = malloc (sizeof(*event));
+    event->cont = cont;
+    event->cls = cls;
+
+    GNUNET_IDENTITY_ego_lookup (my_cfg,
+                                egoname,
+                                &remove_did_document_ego_lookup_cb,
+                                (void *) event);
+  }
+}
+
+
+// Needed because create_did_ego_lookup_cb() and
+// create_did_ego_create_cb() can call each other
+static void create_did_ego_lockup_cb ();
+
+/**
+ * @brief Create a DID(-Document). Called after DID has been created
+ * Prints status and the DID.
+ *
+ */
+static void
+create_did_cb (enum GNUNET_GenericReturnValue status, void *cls)
+{
+  if (GNUNET_OK == status)
+  {
+    printf ("DID has been created.\n%s\n", (char *) cls);
+    free (cls);
+    ret = 0;
+  }
+  else
+  {
+    printf ("An error occured while creating the DID.\n");
+    ret = 1;
+  }
+
+  GNUNET_SCHEDULER_add_now (&cleanup, NULL);
+  return;
+}
+
+
+/**
+ * @brief Create a DID(-Document) - Called after a new Identity has been created.
+ */
+static void
+create_did_ego_create_cb (void *cls,
+                          const struct GNUNET_CRYPTO_PrivateKey *pk,
+                          enum GNUNET_ErrorCode ec)
+{
+  if (GNUNET_EC_NONE != ec)
+  {
+    printf ("%s\n", GNUNET_ErrorCode_get_hint (ec));
+    GNUNET_SCHEDULER_add_now (&cleanup, NULL);
+    ret = 1;
+    return;
+  }
+
+  GNUNET_IDENTITY_ego_lookup (my_cfg,
+                              egoname,
+                              &create_did_ego_lockup_cb,
+                              NULL);
+}
+
+
+/**
+ * @brief Create a DID(-Document). Called after ego lookup
+ *
+ */
+static void
+create_did_ego_lockup_cb (void *cls, struct GNUNET_IDENTITY_Ego *ego)
+{
+  if (ego == NULL)
+  {
+    // If Ego was not found. Create new one first
+    printf ("Ego was not found. Creating new one.\n");
+    GNUNET_IDENTITY_create (identity_handle,
+                            egoname,
+                            NULL,
+                            GNUNET_PUBLIC_KEY_TYPE_EDDSA,
+                            &create_did_ego_create_cb,
+                            egoname);
+  }
+  else
+  {
+    char *did = DID_identity_to_did (ego);
+    void *cls = malloc (strlen (did) + 1);
+    struct GNUNET_TIME_Relative expire_relative;
+
+    if (expire == NULL)
+    {
+      GNUNET_STRINGS_fancy_time_to_relative (
+        DID_DOCUMENT_DEFAULT_EXPIRATION_TIME, &expire_relative);
+    }
+    else if (GNUNET_OK != GNUNET_STRINGS_fancy_time_to_relative (expire,
+                                                                 &
+                                                                 expire_relative))
+    {
+      printf ("Failed to read given expiration time\n");
+      GNUNET_SCHEDULER_add_now (cleanup, NULL);
+      ret = 1;
+      return;
+    }
+
+    strcpy (cls, did);
+    // TODO: Add DID_document argument
+    if (GNUNET_OK != DID_create (ego,
+                                 NULL,
+                                 &expire_relative,
+                                 namestore_handle,
+                                 create_did_cb,
+                                 cls))
+    {
+      printf ("An error occured while creating the DID.\n");
+      ret = 1;
+      GNUNET_SCHEDULER_add_now (&cleanup, NULL);
+      return;
+    }
+  }
+}
+
+
+/**
+ * @brief Create a DID(-Document).
+ *
+ */
+static void
+create_did ()
+{
+  // Ego name to be set
+  if (egoname == NULL)
+  {
+    printf ("Set the Ego argument to create a new DID(-Document)\n");
+    GNUNET_SCHEDULER_add_now (&cleanup, NULL);
+    ret = 1;
+    return;
+  }
+
+  GNUNET_IDENTITY_ego_lookup (my_cfg,
+                              egoname,
+                              &create_did_ego_lockup_cb,
+                              NULL);
+}
+
+
+/**
+ * @brief Replace a DID Docuemnt. Callback function after ego lockup
+ *
+ * @param cls
+ * @param ego
+ */
+static void
+replace_did_document_ego_lookup_cb (void *cls, struct GNUNET_IDENTITY_Ego *ego)
+{
+  // create_did_store (didd, ego);
+}
+
+
+/**
+ * @brief Replace a DID Document. Callback functiona after remove
+ *
+ * @param cls
+ */
+static void
+replace_did_document_remove_cb (void *cls)
+{
+  GNUNET_IDENTITY_ego_lookup (my_cfg,
+                              egoname,
+                              &replace_did_document_ego_lookup_cb,
+                              NULL);
+}
+
+
+/**
+ * @brief Replace a DID Docuemnt
+ *
+ */
+static void
+replace_did_document ()
+{
+  if ((didd != NULL) && (expire != NULL))
+  {
+    remove_did_document (&replace_did_document_remove_cb, NULL);
+  }
+  else
+  {
+    printf (
+      "Set the DID Document and expiration time argument to replace the DID Document\n");
+    GNUNET_SCHEDULER_add_now (&cleanup, NULL);
+    ret = 1;
+    return;
+  }
+}
+
+
+static void
+post_ego_iteration (void *cls)
+{
+  // TODO: Check that only one argument is set
+
+  if (1 == replace)
+  {
+    replace_did_document ();
+  }
+  else if (1 == get)
+  {
+    resolve_did ();
+  }
+  else if (1 == remove_did)
+  {
+    remove_did_document (NULL, NULL);
+  }
+  else if (1 == create)
+  {
+    create_did ();
+  }
+  else
+  {
+    // No Argument found
+    GNUNET_SCHEDULER_add_now (&cleanup, NULL);
+    return;
+  }
+}
+
+
+static void
+process_dids (void *cls, struct GNUNET_IDENTITY_Ego *ego,
+              void **ctx, const char*name)
+{
+  char *did_str;
+
+  if (ego == NULL)
+  {
+    if (1 == ego_exists)
+    {
+      GNUNET_SCHEDULER_add_now (&cleanup, NULL);
+      return;
+    }
+    GNUNET_SCHEDULER_add_now (&post_ego_iteration, NULL);
+    return;
+  }
+
+  if (1 == show_all)
+  {
+    did_str = DID_identity_to_did (ego);
+    printf ("%s:\n\t%s\n", name, did_str);
+    GNUNET_free (did_str);
+    return;
+  }
+  if (1 == show)
+  {
+    if (0 == strncmp (name, egoname, strlen (egoname)))
+    {
+      did_str = DID_identity_to_did (ego);
+      printf ("%s:\n\t%s\n", name, did_str);
+      GNUNET_free (did_str);
+      return;
+    }
+  }
+}
+
+
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *c)
+{
+  gns_handle = GNUNET_GNS_connect (c);
+  namestore_handle = GNUNET_NAMESTORE_connect (c);
+  my_cfg = c;
+
+  // check if GNS_handle could connect
+  if (gns_handle == NULL)
+  {
+    ret = 1;
+    return;
+  }
+
+  // check if NAMESTORE_handle could connect
+  if (namestore_handle == NULL)
+  {
+    GNUNET_SCHEDULER_add_now (&cleanup, NULL);
+    ret = 1;
+    return;
+  }
+
+  identity_handle = GNUNET_IDENTITY_connect (c, &process_dids, NULL);
+  if (identity_handle == NULL)
+  {
+    GNUNET_SCHEDULER_add_now (&cleanup, NULL);
+    ret = 1;
+    return;
+  }
+}
+
+
+int
+main (int argc, char *const argv[])
+{
+  struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_option_flag ('C',
+                               "create",
+                               gettext_noop (
+                                 "Create a DID Document and display its DID"),
+                               &create),
+    GNUNET_GETOPT_option_flag ('g',
+                               "get",
+                               gettext_noop (
+                                 "Get the DID Document associated with the given DID"),
+                               &get),
+    GNUNET_GETOPT_option_flag ('r',
+                               "remove",
+                               gettext_noop (
+                                 "Remove the DID"),
+                               &remove_did),
+    GNUNET_GETOPT_option_flag ('R',
+                               "replace",
+                               gettext_noop ("Replace the DID Document."),
+                               &replace),
+    GNUNET_GETOPT_option_flag ('s',
+                               "show",
+                               gettext_noop ("Show the DID for a given ego"),
+                               &show),
+    GNUNET_GETOPT_option_flag ('A',
+                               "show-all",
+                               gettext_noop ("Show egos with DIDs"),
+                               &show_all),
+    GNUNET_GETOPT_option_string ('d',
+                                 "did",
+                                 "DID",
+                                 gettext_noop (
+                                   "The Decentralized Identity (DID)"),
+                                 &did),
+    GNUNET_GETOPT_option_string ('D',
+                                 "did-document",
+                                 "JSON",
+                                 gettext_noop (
+                                   "The DID Document to store in GNUNET"),
+                                 &didd),
+    GNUNET_GETOPT_option_string ('e',
+                                 "ego",
+                                 "EGO",
+                                 gettext_noop ("The name of the EGO"),
+                                 &egoname),
+    GNUNET_GETOPT_option_string ('t',
+                                 "expiration-time",
+                                 "TIME",
+                                 gettext_noop (
+                                   "The time until the DID Document is going to expire (e.g. 5d)"),
+                                 &expire),
+    GNUNET_GETOPT_OPTION_END
+  };
+
+  if (GNUNET_OK != GNUNET_PROGRAM_run (argc,
+                                       argv,
+                                       "gnunet-did",
+                                       "Manage Decentralized Identities (DIDs)",
+                                       options,
+                                       &run,
+                                       NULL))
+    return 1;
+  else
+    return ret;
+}
diff --git a/src/cli/reclaim/gnunet-reclaim.c b/src/cli/reclaim/gnunet-reclaim.c
new file mode 100644
index 000000000..94bceb8da
--- /dev/null
+++ b/src/cli/reclaim/gnunet-reclaim.c
@@ -0,0 +1,943 @@
+/*
+   This file is part of GNUnet.
+   Copyright (C) 2012-2015 GNUnet e.V.
+
+   GNUnet is free software: you can redistribute it and/or modify it
+   under the terms of the GNU Affero General Public License as published
+   by the Free Software Foundation, either version 3 of the License,
+   or (at your option) any later version.
+
+   GNUnet is distributed in the hope that it will be useful, but
+   WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Affero General Public License for more details.
+
+   You should have received a copy of the GNU Affero General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @author Martin Schanzenbach
+ * @file src/reclaim/gnunet-reclaim.c
+ * @brief Identity Provider utility
+ *
+ */
+#include "platform.h"
+#include <inttypes.h>
+
+#include "gnunet_util_lib.h"
+
+#include "gnunet_identity_service.h"
+#include "gnunet_namestore_service.h"
+#include "gnunet_reclaim_service.h"
+#include "gnunet_signatures.h"
+/**
+ * return value
+ */
+static int ret;
+
+/**
+ * List attribute flag
+ */
+static int list;
+
+/**
+ * List credentials flag
+ */
+static int list_credentials;
+
+/**
+ * Credential ID string
+ */
+static char *credential_id;
+
+/**
+ * The expected RP URI
+ */
+static char *ex_rp_uri;
+
+/**
+ * Credential ID
+ */
+static struct GNUNET_RECLAIM_Identifier credential;
+
+/**
+ * Credential name
+ */
+static char *credential_name;
+
+/**
+ * Credential type
+ */
+static char *credential_type;
+
+/**
+ * Credential exists
+ */
+static int credential_exists;
+
+/**
+ * Relying party
+ */
+static char *rp;
+
+/**
+ * The attribute
+ */
+static char *attr_name;
+
+/**
+ * Attribute value
+ */
+static char *attr_value;
+
+/**
+ * Attributes to issue
+ */
+static char *issue_attrs;
+
+/**
+ * Ticket to consume
+ */
+static char *consume_ticket;
+
+/**
+ * Attribute type
+ */
+static char *type_str;
+
+/**
+ * Ticket to revoke
+ */
+static char *revoke_ticket;
+
+/**
+ * Ticket listing
+ */
+static int list_tickets;
+
+/**
+ * Ego name
+ */
+static char *ego_name;
+
+/**
+ * Identity handle
+ */
+static struct GNUNET_IDENTITY_Handle *identity_handle;
+
+/**
+ * reclaim handle
+ */
+static struct GNUNET_RECLAIM_Handle *reclaim_handle;
+
+/**
+ * reclaim operation
+ */
+static struct GNUNET_RECLAIM_Operation *reclaim_op;
+
+/**
+ * Attribute iterator
+ */
+static struct GNUNET_RECLAIM_AttributeIterator *attr_iterator;
+
+/**
+ * Credential iterator
+ */
+static struct GNUNET_RECLAIM_CredentialIterator *cred_iterator;
+
+
+/**
+ * Ticket iterator
+ */
+static struct GNUNET_RECLAIM_TicketIterator *ticket_iterator;
+
+
+/**
+ * ego private key
+ */
+static const struct GNUNET_CRYPTO_PrivateKey *pkey;
+
+/**
+ * Ticket to consume
+ */
+static struct GNUNET_RECLAIM_Ticket ticket;
+
+/**
+ * Attribute list
+ */
+static struct GNUNET_RECLAIM_AttributeList *attr_list;
+
+/**
+ * Attribute expiration interval
+ */
+static struct GNUNET_TIME_Relative exp_interval;
+
+/**
+ * Timeout task
+ */
+static struct GNUNET_SCHEDULER_Task *timeout;
+
+/**
+ * Cleanup task
+ */
+static struct GNUNET_SCHEDULER_Task *cleanup_task;
+
+/**
+ * Claim to store
+ */
+struct GNUNET_RECLAIM_Attribute *claim;
+
+/**
+ * Claim to delete
+ */
+static char *attr_delete;
+
+/**
+ * Claim object to delete
+ */
+static struct GNUNET_RECLAIM_Attribute *attr_to_delete;
+
+static void
+do_cleanup (void *cls)
+{
+  cleanup_task = NULL;
+  if (NULL != timeout)
+    GNUNET_SCHEDULER_cancel (timeout);
+  if (NULL != reclaim_op)
+    GNUNET_RECLAIM_cancel (reclaim_op);
+  if (NULL != attr_iterator)
+    GNUNET_RECLAIM_get_attributes_stop (attr_iterator);
+  if (NULL != cred_iterator)
+    GNUNET_RECLAIM_get_credentials_stop (cred_iterator);
+  if (NULL != ticket_iterator)
+    GNUNET_RECLAIM_ticket_iteration_stop (ticket_iterator);
+  if (NULL != reclaim_handle)
+    GNUNET_RECLAIM_disconnect (reclaim_handle);
+  if (NULL != identity_handle)
+    GNUNET_IDENTITY_disconnect (identity_handle);
+  if (NULL != attr_list)
+  {
+    GNUNET_RECLAIM_attribute_list_destroy (attr_list);
+    attr_list = NULL;
+  }
+  if (NULL != attr_to_delete)
+    GNUNET_free (attr_to_delete);
+  if (NULL == credential_type)
+    GNUNET_free (credential_type);
+}
+
+
+static void
+ticket_issue_cb (void *cls,
+                 const struct GNUNET_RECLAIM_Ticket *ticket,
+                 const struct GNUNET_RECLAIM_PresentationList *presentations)
+{
+  reclaim_op = NULL;
+  if (NULL != ticket)
+  {
+    printf ("%s\n", ticket->gns_name);
+  }
+  cleanup_task = GNUNET_SCHEDULER_add_now (&do_cleanup, NULL);
+}
+
+
+static void
+store_cont (void *cls, int32_t success, const char *emsg)
+{
+  reclaim_op = NULL;
+  if (GNUNET_SYSERR == success)
+  {
+    fprintf (stderr, "%s\n", emsg);
+  }
+  cleanup_task = GNUNET_SCHEDULER_add_now (&do_cleanup, NULL);
+}
+
+
+static void
+process_attrs (void *cls,
+               const struct GNUNET_CRYPTO_PublicKey *identity,
+               const struct GNUNET_RECLAIM_Attribute *attr,
+               const struct GNUNET_RECLAIM_Presentation *presentation)
+{
+  char *value_str;
+  char *id;
+  const char *attr_type;
+
+  if (NULL == identity)
+  {
+    reclaim_op = NULL;
+    cleanup_task = GNUNET_SCHEDULER_add_now (&do_cleanup, NULL);
+    return;
+  }
+  if (NULL == attr)
+  {
+    ret = 1;
+    return;
+  }
+  attr_type = GNUNET_RECLAIM_attribute_number_to_typename (attr->type);
+  id = GNUNET_STRINGS_data_to_string_alloc (&attr->id, sizeof(attr->id));
+  value_str = NULL;
+  if (NULL == presentation)
+  {
+    value_str = GNUNET_RECLAIM_attribute_value_to_string (attr->type,
+                                                          attr->data,
+                                                          attr->data_size);
+  }
+  else
+  {
+    struct GNUNET_RECLAIM_AttributeListEntry *ale;
+    struct GNUNET_RECLAIM_AttributeList *al
+      = GNUNET_RECLAIM_presentation_get_attributes (presentation);
+
+    for (ale = al->list_head; NULL != ale; ale = ale->next)
+    {
+      if (0 != strncmp (attr->data, ale->attribute->name, attr->data_size))
+        continue;
+      value_str
+        = GNUNET_RECLAIM_attribute_value_to_string (ale->attribute->type,
+                                                    ale->attribute->data,
+                                                    ale->attribute->data_size);
+      break;
+    }
+  }
+  fprintf (stdout,
+           "Name: %s; Value: %s (%s); Flag %u; ID: %s %s\n",
+           attr->name,
+           (NULL != value_str) ? value_str : "???",
+           attr_type,
+           attr->flag,
+           id,
+           (NULL == presentation) ? "" : "(ATTESTED)");
+  GNUNET_free (value_str);
+  GNUNET_free (id);
+}
+
+
+static void
+ticket_iter_err (void *cls)
+{
+  ticket_iterator = NULL;
+  fprintf (stderr, "Failed to iterate over tickets\n");
+  cleanup_task = GNUNET_SCHEDULER_add_now (&do_cleanup, NULL);
+}
+
+
+static void
+ticket_iter_fin (void *cls)
+{
+  ticket_iterator = NULL;
+  cleanup_task = GNUNET_SCHEDULER_add_now (&do_cleanup, NULL);
+}
+
+
+static void
+ticket_iter (void *cls, const struct GNUNET_RECLAIM_Ticket *ticket, const char* rp_uri)
+{
+  fprintf (stdout, "Ticket: %s | RP URI: %s\n", ticket->gns_name, rp_uri);
+  GNUNET_RECLAIM_ticket_iteration_next (ticket_iterator);
+}
+
+
+static void
+iter_error (void *cls)
+{
+  attr_iterator = NULL;
+  cred_iterator = NULL;
+  fprintf (stderr, "Failed\n");
+
+  cleanup_task = GNUNET_SCHEDULER_add_now (&do_cleanup, NULL);
+}
+
+
+static void
+timeout_task (void *cls)
+{
+  timeout = NULL;
+  ret = 1;
+  fprintf (stderr, "Timeout\n");
+  if (NULL == cleanup_task)
+    cleanup_task = GNUNET_SCHEDULER_add_now (&do_cleanup, NULL);
+}
+
+
+static void
+process_rvk (void *cls, int success, const char *msg)
+{
+  reclaim_op = NULL;
+  if (GNUNET_OK != success)
+  {
+    fprintf (stderr, "Revocation failed.\n");
+    ret = 1;
+  }
+  cleanup_task = GNUNET_SCHEDULER_add_now (&do_cleanup, NULL);
+}
+
+
+static void
+process_delete (void *cls, int success, const char *msg)
+{
+  reclaim_op = NULL;
+  if (GNUNET_OK != success)
+  {
+    fprintf (stderr, "Deletion failed.\n");
+    ret = 1;
+  }
+  cleanup_task = GNUNET_SCHEDULER_add_now (&do_cleanup, NULL);
+}
+
+
+static void
+iter_finished (void *cls)
+{
+  struct GNUNET_RECLAIM_AttributeListEntry *le;
+  char *attrs_tmp;
+  char *attr_str;
+  char *data;
+  size_t data_size;
+  int type;
+
+  attr_iterator = NULL;
+  if (list)
+  {
+    cleanup_task = GNUNET_SCHEDULER_add_now (&do_cleanup, NULL);
+    return;
+  }
+
+  if (issue_attrs)
+  {
+    attrs_tmp = GNUNET_strdup (issue_attrs);
+    attr_str = strtok (attrs_tmp, ",");
+    while (NULL != attr_str)
+    {
+      le = attr_list->list_head;
+      while (le)
+      {
+        if (0 == strcasecmp (attr_str, le->attribute->name))
+          break;
+
+        le = le->next;
+      }
+
+      if (! le)
+      {
+        fprintf (stdout, "No such attribute ``%s''\n", attr_str);
+        break;
+      }
+      attr_str = strtok (NULL, ",");
+    }
+    GNUNET_free (attrs_tmp);
+    if (NULL != attr_str)
+    {
+      GNUNET_SCHEDULER_add_now (&do_cleanup, NULL);
+      return;
+    }
+    if (NULL == ex_rp_uri)
+    {
+      fprintf (stdout, "No RP URI provided\n");
+      GNUNET_SCHEDULER_add_now (&do_cleanup, NULL);
+      return;
+    }
+    reclaim_op = GNUNET_RECLAIM_ticket_issue (reclaim_handle,
+                                              pkey,
+                                              ex_rp_uri,
+                                              attr_list,
+                                              &ticket_issue_cb,
+                                              NULL);
+    return;
+  }
+  if (consume_ticket)
+  {
+    if (NULL == ex_rp_uri)
+    {
+      fprintf (stderr, "Expected an RP URI to consume ticket\n");
+      GNUNET_SCHEDULER_add_now(&do_cleanup, NULL);
+      return;
+    }
+    reclaim_op = GNUNET_RECLAIM_ticket_consume (reclaim_handle,
+                                                &ticket,
+                                                ex_rp_uri,
+                                                &process_attrs,
+                                                NULL);
+    timeout = GNUNET_SCHEDULER_add_delayed (
+      GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_SECONDS, 10),
+      &timeout_task,
+      NULL);
+    return;
+  }
+  if (revoke_ticket)
+  {
+    reclaim_op = GNUNET_RECLAIM_ticket_revoke (reclaim_handle,
+                                               pkey,
+                                               &ticket,
+                                               &process_rvk,
+                                               NULL);
+    return;
+  }
+  if (attr_delete)
+  {
+    if (NULL == attr_to_delete)
+    {
+      fprintf (stdout, "No such attribute ``%s''\n", attr_delete);
+      GNUNET_SCHEDULER_add_now (&do_cleanup, NULL);
+      return;
+    }
+    reclaim_op = GNUNET_RECLAIM_attribute_delete (reclaim_handle,
+                                                  pkey,
+                                                  attr_to_delete,
+                                                  &process_delete,
+                                                  NULL);
+    return;
+  }
+  if (attr_name)
+  {
+    if (NULL == type_str)
+      type = GNUNET_RECLAIM_ATTRIBUTE_TYPE_STRING;
+    else
+      type = GNUNET_RECLAIM_attribute_typename_to_number (type_str);
+
+    GNUNET_assert (GNUNET_SYSERR !=
+                   GNUNET_RECLAIM_attribute_string_to_value (type,
+                                                             attr_value,
+                                                             (void **) &data,
+                                                             &data_size));
+    if (NULL != claim)
+    {
+      claim->type = type;
+      claim->data = data;
+      claim->data_size = data_size;
+    }
+    else
+    {
+      claim =
+        GNUNET_RECLAIM_attribute_new (attr_name, NULL, type, data, data_size);
+    }
+    if (NULL != credential_id)
+    {
+      claim->credential = credential;
+    }
+    reclaim_op = GNUNET_RECLAIM_attribute_store (reclaim_handle,
+                                                 pkey,
+                                                 claim,
+                                                 &exp_interval,
+                                                 &store_cont,
+                                                 NULL);
+    GNUNET_free (data);
+    GNUNET_free (claim);
+    return;
+  }
+  cleanup_task = GNUNET_SCHEDULER_add_now (&do_cleanup, NULL);
+}
+
+
+static void
+iter_cb (void *cls,
+         const struct GNUNET_CRYPTO_PublicKey *identity,
+         const struct GNUNET_RECLAIM_Attribute *attr)
+{
+  struct GNUNET_RECLAIM_AttributeListEntry *le;
+  char *attrs_tmp;
+  char *attr_str;
+  char *label;
+  char *id;
+  const char *attr_type;
+
+  if ((NULL != attr_name) && (NULL == claim))
+  {
+    if (0 == strcasecmp (attr_name, attr->name))
+    {
+      claim = GNUNET_RECLAIM_attribute_new (attr->name,
+                                            &attr->credential,
+                                            attr->type,
+                                            attr->data,
+                                            attr->data_size);
+      claim->id = attr->id;
+    }
+  }
+  else if (issue_attrs)
+  {
+    attrs_tmp = GNUNET_strdup (issue_attrs);
+    attr_str = strtok (attrs_tmp, ",");
+    while (NULL != attr_str)
+    {
+      if (0 != strcasecmp (attr_str, attr->name))
+      {
+        attr_str = strtok (NULL, ",");
+        continue;
+      }
+      le = GNUNET_new (struct GNUNET_RECLAIM_AttributeListEntry);
+      le->attribute = GNUNET_RECLAIM_attribute_new (attr->name,
+                                                    &attr->credential,
+                                                    attr->type,
+                                                    attr->data,
+                                                    attr->data_size);
+      le->attribute->flag = attr->flag;
+      le->attribute->id = attr->id;
+      GNUNET_CONTAINER_DLL_insert (attr_list->list_head,
+                                   attr_list->list_tail,
+                                   le);
+      break;
+    }
+    GNUNET_free (attrs_tmp);
+  }
+  else if (attr_delete && (NULL == attr_to_delete))
+  {
+    label = GNUNET_STRINGS_data_to_string_alloc (&attr->id, sizeof(attr->id));
+    if (0 == strcasecmp (attr_delete, label))
+    {
+      attr_to_delete = GNUNET_RECLAIM_attribute_new (attr->name,
+                                                     &attr->credential,
+                                                     attr->type,
+                                                     attr->data,
+                                                     attr->data_size);
+      attr_to_delete->id = attr->id;
+    }
+    GNUNET_free (label);
+  }
+  else if (list)
+  {
+    attr_str = GNUNET_RECLAIM_attribute_value_to_string (attr->type,
+                                                         attr->data,
+                                                         attr->data_size);
+    attr_type = GNUNET_RECLAIM_attribute_number_to_typename (attr->type);
+    id = GNUNET_STRINGS_data_to_string_alloc (&attr->id, sizeof(attr->id));
+    if (GNUNET_YES == GNUNET_RECLAIM_id_is_zero (&attr->credential))
+    {
+      fprintf (stdout,
+               "%s: ``%s'' (%s); ID: %s\n",
+               attr->name,
+               attr_str,
+               attr_type,
+               id);
+    }
+    else
+    {
+      char *cred_id =
+        GNUNET_STRINGS_data_to_string_alloc (&attr->credential,
+                                             sizeof(attr->credential));
+      fprintf (stdout,
+               "%s: ``%s'' in credential presentation `%s' (%s); ID: %s\n",
+               attr->name,
+               attr_str,
+               cred_id,
+               attr_type,
+               id);
+      GNUNET_free (cred_id);
+
+    }
+    GNUNET_free (id);
+  }
+  GNUNET_RECLAIM_get_attributes_next (attr_iterator);
+}
+
+
+static void
+cred_iter_finished (void *cls)
+{
+  cred_iterator = NULL;
+
+  // Add new credential
+  if ((NULL != credential_name) &&
+      (NULL != attr_value))
+  {
+    enum GNUNET_RECLAIM_CredentialType ctype =
+      GNUNET_RECLAIM_credential_typename_to_number (credential_type);
+    struct GNUNET_RECLAIM_Credential *credential =
+      GNUNET_RECLAIM_credential_new (credential_name,
+                                     ctype,
+                                     attr_value,
+                                     strlen (attr_value));
+    reclaim_op = GNUNET_RECLAIM_credential_store (reclaim_handle,
+                                                  pkey,
+                                                  credential,
+                                                  &exp_interval,
+                                                  store_cont,
+                                                  NULL);
+    return;
+
+  }
+  if (list_credentials)
+  {
+    cleanup_task = GNUNET_SCHEDULER_add_now (&do_cleanup, NULL);
+    return;
+  }
+  attr_iterator = GNUNET_RECLAIM_get_attributes_start (reclaim_handle,
+                                                       pkey,
+                                                       &iter_error,
+                                                       NULL,
+                                                       &iter_cb,
+                                                       NULL,
+                                                       &iter_finished,
+                                                       NULL);
+
+}
+
+
+static void
+cred_iter_cb (void *cls,
+              const struct GNUNET_CRYPTO_PublicKey *identity,
+              const struct GNUNET_RECLAIM_Credential *cred)
+{
+  char *cred_str;
+  char *attr_str;
+  char *id;
+  const char *cred_type;
+  struct GNUNET_RECLAIM_AttributeListEntry *ale;
+
+  if (GNUNET_YES == GNUNET_RECLAIM_id_is_equal (&credential,
+                                                &cred->id))
+    credential_exists = GNUNET_YES;
+  if (list_credentials)
+  {
+    cred_str = GNUNET_RECLAIM_credential_value_to_string (cred->type,
+                                                          cred->data,
+                                                          cred->data_size);
+    cred_type = GNUNET_RECLAIM_credential_number_to_typename (cred->type);
+    id = GNUNET_STRINGS_data_to_string_alloc (&cred->id, sizeof(cred->id));
+    fprintf (stdout,
+             "%s: ``%s'' (%s); ID: %s\n",
+             cred->name,
+             cred_str,
+             cred_type,
+             id);
+    struct GNUNET_RECLAIM_AttributeList *attrs =
+      GNUNET_RECLAIM_credential_get_attributes (cred);
+    if (NULL != attrs)
+    {
+      fprintf (stdout,
+               "\t Attributes:\n");
+      for (ale = attrs->list_head; NULL != ale; ale = ale->next)
+      {
+        attr_str = GNUNET_RECLAIM_attribute_value_to_string (
+          ale->attribute->type,
+          ale->attribute->data,
+          ale->attribute->data_size);
+        fprintf (stdout,
+                 "\t %s: %s\n", ale->attribute->name, attr_str);
+        GNUNET_free (attr_str);
+      }
+      GNUNET_RECLAIM_attribute_list_destroy (attrs);
+    }
+    GNUNET_free (id);
+  }
+  GNUNET_RECLAIM_get_credentials_next (cred_iterator);
+}
+
+
+static void
+start_process ()
+{
+  if (NULL == pkey)
+  {
+    fprintf (stderr, "Ego %s not found\n", ego_name);
+    cleanup_task = GNUNET_SCHEDULER_add_now (&do_cleanup, NULL);
+    return;
+  }
+  if (NULL == credential_type)
+    credential_type = GNUNET_strdup ("JWT");
+  credential = GNUNET_RECLAIM_ID_ZERO;
+  if (NULL != credential_id)
+    GNUNET_STRINGS_string_to_data (credential_id,
+                                   strlen (credential_id),
+                                   &credential, sizeof(credential));
+  credential_exists = GNUNET_NO;
+  if (list_tickets)
+  {
+    ticket_iterator = GNUNET_RECLAIM_ticket_iteration_start (reclaim_handle,
+                                                             pkey,
+                                                             &ticket_iter_err,
+                                                             NULL,
+                                                             &ticket_iter,
+                                                             NULL,
+                                                             &ticket_iter_fin,
+                                                             NULL);
+    return;
+  }
+
+  if (NULL != consume_ticket)
+    memcpy (ticket.gns_name,  consume_ticket, strlen (consume_ticket) + 1);
+  if (NULL != revoke_ticket)
+    GNUNET_STRINGS_string_to_data (revoke_ticket,
+                                   strlen (revoke_ticket),
+                                   &ticket,
+                                   sizeof(struct GNUNET_RECLAIM_Ticket));
+
+  attr_list = GNUNET_new (struct GNUNET_RECLAIM_AttributeList);
+  claim = NULL;
+  cred_iterator = GNUNET_RECLAIM_get_credentials_start (reclaim_handle,
+                                                        pkey,
+                                                        &iter_error,
+                                                        NULL,
+                                                        &cred_iter_cb,
+                                                        NULL,
+                                                        &cred_iter_finished,
+                                                        NULL);
+
+}
+
+
+static int init = GNUNET_YES;
+
+static void
+ego_cb (void *cls,
+        struct GNUNET_IDENTITY_Ego *ego,
+        void **ctx,
+        const char *name)
+{
+  if (NULL == name)
+  {
+    if (GNUNET_YES == init)
+    {
+      init = GNUNET_NO;
+      start_process ();
+    }
+    return;
+  }
+  if (0 != strcmp (name, ego_name))
+    return;
+  pkey = GNUNET_IDENTITY_ego_get_private_key (ego);
+}
+
+
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *c)
+{
+  ret = 0;
+  if (NULL == ego_name)
+  {
+    ret = 1;
+    fprintf (stderr, _ ("Ego is required\n"));
+    return;
+  }
+
+  if ((NULL == attr_value) && (NULL != attr_name))
+  {
+    ret = 1;
+    fprintf (stderr, _ ("Attribute value missing!\n"));
+    return;
+  }
+
+  if ((NULL == rp) && (NULL != issue_attrs))
+  {
+    ret = 1;
+    fprintf (stderr, _ ("Requesting party key is required!\n"));
+    return;
+  }
+
+  reclaim_handle = GNUNET_RECLAIM_connect (c);
+  // Get Ego
+  identity_handle = GNUNET_IDENTITY_connect (c, &ego_cb, NULL);
+}
+
+
+int
+main (int argc, char *const argv[])
+{
+  exp_interval = GNUNET_TIME_UNIT_HOURS;
+  struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_option_string ('a',
+                                 "add",
+                                 "NAME",
+                                 gettext_noop (
+                                   "Add or update an attribute NAME"),
+                                 &attr_name),
+    GNUNET_GETOPT_option_string ('d',
+                                 "delete",
+                                 "ID",
+                                 gettext_noop ("Delete the attribute with ID"),
+                                 &attr_delete),
+    GNUNET_GETOPT_option_string ('V',
+                                 "value",
+                                 "VALUE",
+                                 gettext_noop ("The attribute VALUE"),
+                                 &attr_value),
+    GNUNET_GETOPT_option_string ('e',
+                                 "ego",
+                                 "EGO",
+                                 gettext_noop ("The EGO to use"),
+                                 &ego_name),
+    GNUNET_GETOPT_option_string ('r',
+                                 "rp",
+                                 "RP",
+                                 gettext_noop (
+                                   "Specify the relying party for issue"),
+                                 &rp),
+    GNUNET_GETOPT_option_string ('U',
+                                 "rpuri",
+                                 "RPURI",
+                                 gettext_noop (
+                                   "Specify the relying party URI for a ticket to consume"),
+                                 &ex_rp_uri),
+    GNUNET_GETOPT_option_flag ('D',
+                               "dump",
+                               gettext_noop ("List attributes for EGO"),
+                               &list),
+    GNUNET_GETOPT_option_flag ('A',
+                               "credentials",
+                               gettext_noop ("List credentials for EGO"),
+                               &list_credentials),
+    GNUNET_GETOPT_option_string ('I',
+                                 "credential-id",
+                                 "CREDENTIAL_ID",
+                                 gettext_noop (
+                                   "Credential to use for attribute"),
+                                 &credential_id),
+    GNUNET_GETOPT_option_string ('N',
+                                 "credential-name",
+                                 "NAME",
+                                 gettext_noop ("Credential name"),
+                                 &credential_name),
+    GNUNET_GETOPT_option_string ('i',
+                                 "issue",
+                                 "A1,A2,...",
+                                 gettext_noop (
+                                   "Issue a ticket for a set of attributes separated by comma"),
+                                 &issue_attrs),
+    GNUNET_GETOPT_option_string ('C',
+                                 "consume",
+                                 "TICKET",
+                                 gettext_noop ("Consume a ticket"),
+                                 &consume_ticket),
+    GNUNET_GETOPT_option_string ('R',
+                                 "revoke",
+                                 "TICKET",
+                                 gettext_noop ("Revoke a ticket"),
+                                 &revoke_ticket),
+    GNUNET_GETOPT_option_string ('t',
+                                 "type",
+                                 "TYPE",
+                                 gettext_noop ("Type of attribute"),
+                                 &type_str),
+    GNUNET_GETOPT_option_string ('u',
+                                 "credential-type",
+                                 "TYPE",
+                                 gettext_noop ("Type of credential"),
+                                 &credential_type),
+    GNUNET_GETOPT_option_flag ('T',
+                               "tickets",
+                               gettext_noop ("List tickets of ego"),
+                               &list_tickets),
+    GNUNET_GETOPT_option_relative_time ('E',
+                                        "expiration",
+                                        "INTERVAL",
+                                        gettext_noop (
+                                          "Expiration interval of the attribute"),
+                                        &exp_interval),
+
+    GNUNET_GETOPT_OPTION_END
+  };
+  if (GNUNET_OK != GNUNET_PROGRAM_run (argc,
+                                       argv,
+                                       "gnunet-reclaim",
+                                       _ ("re:claimID command line tool"),
+                                       options,
+                                       &run,
+                                       NULL))
+    return 1;
+  else
+    return ret;
+}
diff --git a/src/cli/reclaim/meson.build b/src/cli/reclaim/meson.build
new file mode 100644
index 000000000..53ce13edb
--- /dev/null
+++ b/src/cli/reclaim/meson.build
@@ -0,0 +1,22 @@
+executable ('gnunet-reclaim',
+            'gnunet-reclaim.c',
+            dependencies: [libgnunetreclaim_dep,
+                           libgnunetidentity_dep,
+                           libgnunetutil_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+executable ('gnunet-did',
+            'gnunet-did.c',
+            dependencies: [libgnunetreclaim_dep,
+                           libgnunetdid_dep,
+                           libgnunetgns_dep,
+                           libgnunetnamestore_dep,
+                           libgnunetidentity_dep,
+                           libgnunetutil_dep],
+            include_directories: [incdir,
+                                  configuration_inc,
+                                  include_directories ('../../service/reclaim')],
+            install: true,
+            install_dir: get_option('bindir'))
+
diff --git a/src/cli/reclaim/test_reclaim.conf b/src/cli/reclaim/test_reclaim.conf
new file mode 100644
index 000000000..a8d2c808a
--- /dev/null
+++ b/src/cli/reclaim/test_reclaim.conf
@@ -0,0 +1,44 @@
+@INLINE@ test_reclaim_defaults.conf
+
+[PATHS]
+GNUNET_TEST_HOME = $GNUNET_TMP/test-gnunet-reclaim-peer-1/
+
+[dht]
+START_ON_DEMAND = YES
+
+[rest]
+START_ON_DEMAND = YES
+# PREFIX = valgrind --leak-check=full --track-origins=yes --log-file=$GNUNET_TMP/restlog
+BASIC_AUTH_ENABLED = NO
+
+[transport]
+PLUGINS =
+
+[zonemaster]
+START_ON_DEMAND = YES
+IMMEDIATE_START = YES
+
+[reclaim]
+IMMEDIATE_START = YES
+START_ON_DEMAND = YES
+TICKET_REFRESH_INTERVAL = 1 h
+#PREFIX = valgrind --leak-check=full --show-leak-kinds=all --track-origins=yes --log-file=$GNUNET_TMP/idplog
+
+[gns]
+#PREFIX = valgrind --leak-check=full --track-origins=yes
+START_ON_DEMAND = YES
+AUTO_IMPORT_PKEY = YES
+MAX_PARALLEL_BACKGROUND_QUERIES = 10
+DEFAULT_LOOKUP_TIMEOUT = 15 s
+RECORD_PUT_INTERVAL = 1 h
+ZONE_PUBLISH_TIME_WINDOW = 1 h
+DNS_ROOT=PD67SGHF3E0447TU9HADIVU9OM7V4QHTOG0EBU69TFRI2LG63DR0
+
+[reclaim-rest-plugin]
+expiration_time = 3600
+JWT_SECRET = secret
+OIDC_USERINFO_CONSUME_TIMEOUT = 5s
+OIDC_DIR = $GNUNET_DATA_HOME/oidc
+OIDC_CLIENT_HMAC_SECRET = secret
+OIDC_JSON_WEB_ALGORITHM = RS256
+ADDRESS = https://ui.reclaim/#/login
diff --git a/src/cli/reclaim/test_reclaim.sh b/src/cli/reclaim/test_reclaim.sh
new file mode 100755
index 000000000..da93b10f7
--- /dev/null
+++ b/src/cli/reclaim/test_reclaim.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+#trap "gnunet-arm -e -c test_reclaim_lookup.conf" SIGINT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_reclaim.conf -s PATHS -o GNUNET_HOME -f`
+
+#  (1) PKEY1.user -> PKEY2.resu.user
+#  (2) PKEY2.resu -> PKEY3
+#  (3) PKEY3.user -> PKEY4
+
+
+which timeout > /dev/null 2>&1 && DO_TIMEOUT="timeout 30"
+
+TEST_ATTR="test"
+gnunet-arm -s -c test_reclaim.conf
+gnunet-identity -C testego -c test_reclaim.conf
+valgrind gnunet-reclaim -e testego -a email -V john@doe.gnu -c test_reclaim.conf
+gnunet-reclaim -e testego -a name -V John -c test_reclaim.conf
+gnunet-reclaim -e testego -D -c test_reclaim.conf
+gnunet-arm -e -c test_reclaim.conf
diff --git a/src/cli/reclaim/test_reclaim_attribute.sh b/src/cli/reclaim/test_reclaim_attribute.sh
new file mode 100755
index 000000000..17f7863d4
--- /dev/null
+++ b/src/cli/reclaim/test_reclaim_attribute.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+trap "gnunet-arm -e -c test_reclaim.conf" SIGINT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_reclaim.conf -s PATHS -o GNUNET_HOME -f`
+
+#  (1) PKEY1.user -> PKEY2.resu.user
+#  (2) PKEY2.resu -> PKEY3
+#  (3) PKEY3.user -> PKEY4
+
+
+which timeout &> /dev/null && DO_TIMEOUT="timeout 30"
+
+TEST_ATTR="test"
+gnunet-arm -s -c test_reclaim.conf
+#gnunet-arm -i rest -c test_reclaim.conf
+gnunet-identity -C testego -c test_reclaim.conf
+gnunet-identity -C rpego -c test_reclaim.conf
+TEST_KEY=$(gnunet-identity -d -e testego -q -c test_reclaim.conf)
+gnunet-reclaim -e testego -a email -V john@doe.gnu -c test_reclaim.conf
+gnunet-reclaim -e testego -a name -V John -c test_reclaim.conf
+if test $? != 0
+then
+  echo "Failed."
+  exit 1
+fi
+
+#curl localhost:7776/reclaim/attributes/testego
+gnunet-arm -e -c test_reclaim.conf
diff --git a/src/cli/reclaim/test_reclaim_consume.sh b/src/cli/reclaim/test_reclaim_consume.sh
new file mode 100755
index 000000000..00076fbf8
--- /dev/null
+++ b/src/cli/reclaim/test_reclaim_consume.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+trap "gnunet-arm -e -c test_reclaim.conf" SIGINT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1>/dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_reclaim.conf -s PATHS -o GNUNET_HOME -f`
+
+#  (1) PKEY1.user -> PKEY2.resu.user
+#  (2) PKEY2.resu -> PKEY3
+#  (3) PKEY3.user -> PKEY4
+
+
+which timeout >/dev/null 2>&1 && DO_TIMEOUT="timeout 30"
+
+TEST_ATTR="test"
+gnunet-arm -s -c test_reclaim.conf
+#gnunet-arm -i rest -c test_reclaim.conf
+gnunet-arm -I
+gnunet-identity -C testego -c test_reclaim.conf
+gnunet-identity -C rpego -c test_reclaim.conf
+SUBJECT_KEY=$(gnunet-identity -d -e rpego -q -c test_reclaim.conf)
+TEST_KEY=$(gnunet-identity -d -e testego -q -c test_reclaim.conf)
+gnunet-reclaim -e testego -a email -V john@doe.gnu -c test_reclaim.conf
+gnunet-reclaim -e testego -a name -V John -c test_reclaim.conf
+TICKET=$(gnunet-reclaim -e testego -U "urn:gns:$TEST_KEY" -i "email,name" -r $SUBJECT_KEY -c test_reclaim.conf | awk '{print $1}')
+echo "Ticket: $TICKET"
+gnunet-gns -u $TICKET -c test_reclaim.conf
+gnunet-namestore -z testego -D -c test_reclaim.conf
+gnunet-identity -d -c test_reclaim.conf
+sleep 1
+gnunet-reclaim -e rpego -U "urn:gns:$TEST_KEY" -C $TICKET -c test_reclaim.conf
+
+RES=$?
+gnunet-identity -D testego -c test_reclaim.conf
+gnunet-identity -D rpego -c test_reclaim.conf
+gnunet-arm -e -c test_reclaim.conf
+if test $RES != 0
+then
+  echo "Failed."
+fi
+
diff --git a/src/cli/reclaim/test_reclaim_defaults.conf b/src/cli/reclaim/test_reclaim_defaults.conf
new file mode 100644
index 000000000..02372563d
--- /dev/null
+++ b/src/cli/reclaim/test_reclaim_defaults.conf
@@ -0,0 +1,24 @@
+@INLINE@ ../../../contrib/conf/gnunet/no_forcestart.conf
+
+[PATHS]
+GNUNET_TEST_HOME = $GNUNET_TMP/test-gnunet-idp-testing/
+
+[namestore-sqlite]
+FILENAME = $GNUNET_TEST_HOME/namestore/sqlite_test.db
+
+[namecache-sqlite]
+FILENAME=$GNUNET_TEST_HOME/namecache/namecache.db
+
+[identity]
+# Directory where we store information about our egos
+EGODIR = $GNUNET_TEST_HOME/identity/egos/
+
+[dhtcache]
+DATABASE = heap
+
+[transport]
+PLUGINS = tcp
+
+[transport-tcp]
+BINDTO = 127.0.0.1
+
diff --git a/src/cli/reclaim/test_reclaim_issue.sh b/src/cli/reclaim/test_reclaim_issue.sh
new file mode 100755
index 000000000..39e614d19
--- /dev/null
+++ b/src/cli/reclaim/test_reclaim_issue.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+trap "gnunet-arm -e -c test_reclaim.conf" SIGINT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_reclaim.conf -s PATHS -o GNUNET_HOME -f`
+
+#  (1) PKEY1.user -> PKEY2.resu.user
+#  (2) PKEY2.resu -> PKEY3
+#  (3) PKEY3.user -> PKEY4
+
+
+which timeout >/dev/null 2>&1 && DO_TIMEOUT="timeout 30"
+
+TEST_ATTR="test"
+gnunet-arm -s -c test_reclaim.conf
+#gnunet-arm -i rest -c test_reclaim.conf
+gnunet-identity -C testego -c test_reclaim.conf
+gnunet-identity -C rpego -c test_reclaim.conf
+SUBJECT_KEY=$(gnunet-identity -d -e rpego -q -c test_reclaim.conf)
+TEST_KEY=$(gnunet-identity -d -e testego -q -c test_reclaim.conf)
+gnunet-reclaim -e testego -a email -V john@doe.gnu -c test_reclaim.conf
+gnunet-reclaim -e testego -a name -V John -c test_reclaim.conf
+#gnunet-reclaim -e testego -D -c test_reclaim.conf
+gnunet-reclaim -e testego -u "urn:gns:$TEST_KEY" -i "email,name" -r $SUBJECT_KEY -c test_reclaim.conf > /dev/null 2>&1
+if test $? != 0
+then
+  echo "Failed."
+  exit 1
+fi
+#curl http://localhost:7776/reclaim/attributes/testego
+gnunet-arm -e -c test_reclaim.conf
diff --git a/src/cli/reclaim/test_reclaim_oidc.sh b/src/cli/reclaim/test_reclaim_oidc.sh
new file mode 100755
index 000000000..cdea61a03
--- /dev/null
+++ b/src/cli/reclaim/test_reclaim_oidc.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+trap "gnunet-arm -e -c test_reclaim.conf" SIGINT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1>/dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_reclaim.conf -s PATHS -o GNUNET_HOME -f`
+
+which timeout >/dev/null 2>&1 && DO_TIMEOUT="timeout 30"
+
+RES=0
+TEST_ATTR="test"
+REDIRECT_URI="https://example.gns.alt/my_cb"
+SCOPE="\"openid email name\""
+gnunet-arm -s -c test_reclaim.conf
+gnunet-arm -i rest -c test_reclaim.conf
+gnunet-arm -I
+gnunet-identity -C testego -c test_reclaim.conf
+gnunet-identity -C rpego -c test_reclaim.conf
+TEST_KEY=$(gnunet-identity -d -e rpego -q -c test_reclaim.conf)
+SUBJECT_KEY=$(gnunet-identity -d -e testego -q -c test_reclaim.conf)
+gnunet-reclaim -e testego -a email -V john@doe.gnu -c test_reclaim.conf
+gnunet-reclaim -e testego -a name -V John -c test_reclaim.conf
+
+# Register client
+gnunet-namestore -z rpego -a -n @ -t RECLAIM_OIDC_CLIENT -V "My RP" -e 1d -p -c test_reclaim.conf
+gnunet-namestore -z rpego -a -n @ -t RECLAIM_OIDC_REDIRECT -V $REDIRECT_URI -e 1d -p -c test_reclaim.conf
+
+gnunet-gns -u @.$TEST_KEY -t RECLAIM_OIDC_REDIRECT -c test_reclaim.conf
+curl -v -X POST -H -v "http://localhost:7776/openid/login" --data "{\"identity\": \"$SUBJECT_KEY\"}"
+
+PKCE_CHALLENGE=$(echo -n secret | openssl dgst -binary -sha256 | openssl base64 | sed 's/\=//g' | sed 's/+/-/g' | sed 's/\//_/g')
+
+CODE=$(curl -H "Cookie: Identity=$SUBJECT_KEY" "http://localhost:7776/openid/authorize?client_id=$TEST_KEY&response_type=code&redirect_uri=$REDIRECT_URI&scope=openid&claims=%7B%22userinfo%22%3A%20%7B%22email%22%3A%20%7B%22essential%22%20%20%20%20%3A%20true%7D%7D%2C%22id_token%22%3A%20%7B%22email%22%3A%20%7B%22essential%22%3A%20true%7D%7D%7D&state=xyz&code_challenge=$PKCE_CHALLENGE&code_challenge_method=S256" \
+  -sS -D - -o /dev/null | grep "Location: " | cut -d" " -f2 | cut -d"?" -f2 | cut -d"&" -f1 | cut -d"=" -f2)
+
+echo "Code: $CODE"
+
+curl -v -X POST -u$TEST_KEY:"secret" "http://localhost:7776/openid/token?client_id=$TEST_KEY&response_type=code&redirect_uri=$REDIRECT_URI&scope=openid&claims=%7B%22userinfo%22%3A%20%7B%22email%22%3A%20%7B%22essential%22%20%20%20%20%3A%20true%7D%7D%2C%22id_token%22%3A%20%7B%22email%22%3A%20%7B%22essential%22%3A%20true%7D%7D%7D&state=xyz&grant_type=authorization_code&code=$CODE&code_verifier=secret"
+
+gnunet-identity -D testego -c test_reclaim.conf
+gnunet-identity -D rpego -c test_reclaim.conf
+gnunet-arm -e -c test_reclaim.conf
+if test $RES != 0
+then
+  echo "Failed."
+fi
+
diff --git a/src/cli/reclaim/test_reclaim_revoke.sh b/src/cli/reclaim/test_reclaim_revoke.sh
new file mode 100755
index 000000000..da091a1ee
--- /dev/null
+++ b/src/cli/reclaim/test_reclaim_revoke.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+trap "gnunet-arm -e -c test_reclaim.conf" SIGINT
+
+LOCATION=$(which gnunet-config)
+if [ -z $LOCATION ]
+then
+  LOCATION="gnunet-config"
+fi
+$LOCATION --version 1> /dev/null
+if test $? != 0
+then
+        echo "GNUnet command line tools cannot be found, check environmental variables PATH and GNUNET_PREFIX"
+        exit 77
+fi
+
+rm -rf `gnunet-config -c test_reclaim.conf -s PATHS -o GNUNET_HOME -f`
+
+#  (1) PKEY1.user -> PKEY2.resu.user
+#  (2) PKEY2.resu -> PKEY3
+#  (3) PKEY3.user -> PKEY4
+
+
+which timeout >/dev/null 2&>1 && DO_TIMEOUT="timeout 30"
+
+TEST_ATTR="test"
+gnunet-arm -s -c test_reclaim.conf >/dev/null 2&>1
+gnunet-identity -C alice -c test_reclaim.conf
+gnunet-identity -C bob -c test_reclaim.conf
+gnunet-identity -C eve -c test_reclaim.conf
+ALICE_KEY=$(gnunet-identity -d -e alice -q -c test_reclaim.conf)
+BOB_KEY=$(gnunet-identity -d -e bob -q -c test_reclaim.conf)
+EVE_KEY=$(gnunet-identity -d -e eve -q -c test_reclaim.conf)
+gnunet-reclaim -e alice -E 15s -a email -V john@doe.gnu -c test_reclaim.conf
+gnunet-reclaim -e alice -E 15s -a name -V John -c test_reclaim.conf
+TICKET_BOB=$(gnunet-reclaim -e alice -i "email,name" -r $BOB_KEY -c test_reclaim.conf | awk '{print $1}')
+#gnunet-reclaim -e bob -C $TICKET_BOB -c test_reclaim.conf
+TICKET_EVE=$(gnunet-reclaim -e alice -i "email" -r $EVE_KEY -c test_reclaim.conf | awk '{print $1}')
+gnunet-namestore -z alice -D
+echo "Revoking $TICKET"
+gnunet-reclaim -e alice -R $TICKET_EVE -c test_reclaim.conf
+gnunet-namestore -z alice -D
+sleep 16
+echo "Consuming $TICKET"
+
+gnunet-reclaim -e eve -C $TICKET_EVE -c test_reclaim.conf
+if test $? = 0
+then
+  echo "Eve can still resolve attributes..."
+  gnunet-arm -e -c test_reclaim.conf
+  exit 1
+fi
+
+gnunet-arm -e -c test_reclaim.conf
+gnunet-arm -s -c test_reclaim.conf >/dev/null 2&>1
+
+gnunet-reclaim -e bob -C $TICKET_BOB -c test_reclaim.conf
+#gnunet-reclaim -e bob -C $TICKET_BOB -c test_reclaim.conf >/dev/null 2&>1
+if test $? != 0
+then
+  echo "Bob cannot resolve attributes..."
+  gnunet-arm -e -c test_reclaim.conf
+  exit 1
+fi
+
+gnunet-arm -e -c test_reclaim.conf
diff --git a/src/cli/revocation/Makefile.am b/src/cli/revocation/Makefile.am
new file mode 100644
index 000000000..ffd76effa
--- /dev/null
+++ b/src/cli/revocation/Makefile.am
@@ -0,0 +1,52 @@
+# This Makefile.am is in the public domain
+AM_CPPFLAGS = -I$(top_srcdir)/src/include
+
+plugindir = $(libdir)/gnunet
+
+if USE_COVERAGE
+  AM_CFLAGS = --coverage -O0
+  XLIB = -lgcov
+endif
+
+pkgcfgdir= $(pkgdatadir)/config.d/
+
+libexecdir= $(pkglibdir)/libexec/
+
+bin_PROGRAMS = \
+ gnunet-revocation
+
+gnunet_revocation_SOURCES = \
+ gnunet-revocation.c
+gnunet_revocation_LDADD = \
+  $(top_builddir)/src/service/revocation/libgnunetrevocation.la \
+  $(top_builddir)/src/service/identity/libgnunetidentity.la \
+  $(top_builddir)/src/lib/gnsrecord/libgnunetgnsrecord.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(GN_LIBINTL)
+
+gnunet_revocation_tvg_SOURCES = \
+ gnunet-revocation-tvg.c
+gnunet_revocation_tvg_LDADD = \
+  $(top_builddir)/src/service/revocation/libgnunetrevocation.la \
+  $(top_builddir)/src/lib/gnsrecord/libgnunetgnsrecord.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(GN_LIBINTL)
+
+noinst_PROGRAMS = \
+ gnunet-revocation-tvg
+
+check_SCRIPTS = \
+ #test_local_revocation.py
+
+if ENABLE_TEST_RUN
+ AM_TESTS_ENVIRONMENT=export GNUNET_PREFIX=$${GNUNET_PREFIX:-@libdir@};export PATH=$${GNUNET_PREFIX:-@prefix@}/bin:$$PATH;unset XDG_DATA_HOME;unset XDG_CONFIG_HOME;
+ TESTS = \
+ $(check_SCRIPTS) \
+ $(check_PROGRAMS)
+endif
+
+test_local_revocation.py: test_local_revocation.py.in Makefile
+        $(AWK) -v bdir="$(bindir)" -v py="$(PYTHON)" -v awkay="$(AWK_BINARY)" -v pfx="$(prefix)" -v prl="$(PERL)" -v sysconfdirectory="$(sysconfdir)" -v pkgdatadirectory="$(pkgdatadir)" -f $(top_srcdir)/scripts/dosubst.awk < $(srcdir)/test_local_revocation.py.in > test_local_revocation.py
+        chmod +x test_local_revocation.py
+
+EXTRA_DIST = test_local_revocation.py.in
diff --git a/src/cli/revocation/gnunet-revocation-tvg.c b/src/cli/revocation/gnunet-revocation-tvg.c
new file mode 100644
index 000000000..5c2bfbe45
--- /dev/null
+++ b/src/cli/revocation/gnunet-revocation-tvg.c
@@ -0,0 +1,230 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2020 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @file util/gnunet-revocation-tvg.c
+ * @brief Generate test vectors for revocation.
+ * @author Martin Schanzenbach
+ */
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include "gnunet_signatures.h"
+#include "gnunet_revocation_service.h"
+#include "gnunet_testing_lib.h"
+// FIXME try to avoid this include somehow
+#include "../../lib/gnsrecord/gnsrecord_crypto.h"
+#include <inttypes.h>
+
+#define TEST_EPOCHS 2
+#define TEST_DIFFICULTY 5
+
+static char*d_pkey =
+  "6fea32c05af58bfa979553d188605fd57d8bf9cc263b78d5f7478c07b998ed70";
+
+static char *d_edkey =
+  "5af7020ee19160328832352bbc6a68a8d71a7cbe1b929969a7c66d415a0d8f65";
+
+int
+parsehex (char *src, char *dst, size_t dstlen, int invert)
+{
+  char *line = src;
+  char *data = line;
+  int off;
+  int read_byte;
+  int data_len = 0;
+
+  while (sscanf (data, " %02x%n", &read_byte, &off) == 1)
+  {
+    if (invert)
+      dst[dstlen - 1 - data_len++] = read_byte;
+    else
+      dst[data_len++] = read_byte;
+    data += off;
+  }
+  return data_len;
+}
+
+
+static void
+print_bytes_ (void *buf,
+              size_t buf_len,
+              int fold,
+              int in_be)
+{
+  int i;
+
+  for (i = 0; i < buf_len; i++)
+  {
+    if (0 != i)
+    {
+      if ((0 != fold) && (i % fold == 0))
+        printf ("\n  ");
+      else
+        printf (" ");
+    }
+    else
+    {
+      printf ("  ");
+    }
+    if (in_be)
+      printf ("%02x", ((unsigned char*) buf)[buf_len - 1 - i]);
+    else
+      printf ("%02x", ((unsigned char*) buf)[i]);
+  }
+  printf ("\n");
+}
+
+
+static void
+print_bytes (void *buf,
+             size_t buf_len,
+             int fold)
+{
+  print_bytes_ (buf, buf_len, fold, 0);
+}
+
+
+static void
+run_with_key (struct GNUNET_CRYPTO_PrivateKey *id_priv)
+{
+  struct GNUNET_CRYPTO_PublicKey id_pub;
+  struct GNUNET_GNSRECORD_PowP *pow;
+  struct GNUNET_GNSRECORD_PowCalculationHandle *ph;
+  struct GNUNET_TIME_Relative exp;
+  char ztld[128];
+  ssize_t key_len;
+
+  GNUNET_CRYPTO_key_get_public (id_priv,
+                                  &id_pub);
+  GNUNET_STRINGS_data_to_string (&id_pub,
+                                 GNUNET_CRYPTO_public_key_get_length (
+                                   &id_pub),
+                                 ztld,
+                                 sizeof (ztld));
+  fprintf (stdout, "\n");
+  fprintf (stdout, "Zone identifier (ztype|zkey):\n");
+  key_len = GNUNET_CRYPTO_public_key_get_length (&id_pub);
+  GNUNET_assert (0 < key_len);
+  print_bytes (&id_pub, key_len, 8);
+  fprintf (stdout, "\n");
+  fprintf (stdout, "Encoded zone identifier (zkl = zTLD):\n");
+  fprintf (stdout, "%s\n", ztld);
+  fprintf (stdout, "\n");
+  pow = GNUNET_malloc (GNUNET_MAX_POW_SIZE);
+  GNUNET_GNSRECORD_pow_init (id_priv,
+                              pow);
+  ph = GNUNET_GNSRECORD_pow_start (pow,
+                                    TEST_EPOCHS,
+                                    TEST_DIFFICULTY);
+  fprintf (stdout, "Difficulty (%d base difficulty + %d epochs): %d\n\n",
+           TEST_DIFFICULTY,
+           TEST_EPOCHS,
+           TEST_DIFFICULTY + TEST_EPOCHS);
+  uint64_t pow_passes = 0;
+  while (GNUNET_YES != GNUNET_GNSRECORD_pow_round (ph))
+  {
+    pow_passes++;
+  }
+  struct GNUNET_GNSRECORD_SignaturePurposePS *purp;
+  purp = GNR_create_signature_message (pow);
+  fprintf (stdout, "Signed message:\n");
+  print_bytes (purp,
+               ntohl (purp->purpose.size),
+               8);
+  printf ("\n");
+  GNUNET_free (purp);
+
+  exp = GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_YEARS,
+                                       TEST_EPOCHS);
+  GNUNET_assert (GNUNET_OK == GNUNET_GNSRECORD_check_pow (pow,
+                                                           TEST_DIFFICULTY,
+                                                           exp));
+  fprintf (stdout, "Proof:\n");
+  print_bytes (pow,
+               GNUNET_GNSRECORD_proof_get_size (pow),
+               8);
+  GNUNET_free (ph);
+
+}
+
+
+/**
+ * Main function that will be run.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param cfg configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  struct GNUNET_CRYPTO_PrivateKey id_priv;
+
+  id_priv.type = htonl (GNUNET_PUBLIC_KEY_TYPE_ECDSA);
+  parsehex (d_pkey,(char*) &id_priv.ecdsa_key, sizeof (id_priv.ecdsa_key), 1);
+
+  fprintf (stdout, "Zone private key (d, big-endian):\n");
+  print_bytes_ (&id_priv.ecdsa_key, sizeof(id_priv.ecdsa_key), 8, 1);
+  run_with_key (&id_priv);
+  printf ("\n");
+  id_priv.type = htonl (GNUNET_PUBLIC_KEY_TYPE_EDDSA);
+  parsehex (d_edkey,(char*) &id_priv.eddsa_key, sizeof (id_priv.eddsa_key), 0);
+
+  fprintf (stdout, "Zone private key (d):\n");
+  print_bytes (&id_priv.eddsa_key, sizeof(id_priv.eddsa_key), 8);
+  run_with_key (&id_priv);
+}
+
+
+/**
+ * The main function of the test vector generation tool.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc,
+      char *const *argv)
+{
+  const struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_OPTION_END
+  };
+
+  GNUNET_assert (GNUNET_OK ==
+                 GNUNET_log_setup ("gnunet-revocation-tvg",
+                                   "INFO",
+                                   NULL));
+  if (GNUNET_OK !=
+      GNUNET_PROGRAM_run (argc, argv,
+                          "gnunet-revocation-tvg",
+                          "Generate test vectors for revocation",
+                          options,
+                          &run, NULL))
+    return 1;
+  return 0;
+}
+
+
+/* end of gnunet-revocation-tvg.c */
diff --git a/src/cli/revocation/gnunet-revocation.c b/src/cli/revocation/gnunet-revocation.c
new file mode 100644
index 000000000..add9a003b
--- /dev/null
+++ b/src/cli/revocation/gnunet-revocation.c
@@ -0,0 +1,581 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2013 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @file revocation/gnunet-revocation.c
+ * @brief tool for revoking public keys
+ * @author Christian Grothoff
+ */
+#include "platform.h"
+#include "gnunet_gnsrecord_lib.h"
+#include "gnunet_util_lib.h"
+#include "gnunet_revocation_service.h"
+
+/**
+ * Pow passes
+ */
+static unsigned int pow_passes = 1;
+
+/**
+ * Final status code.
+ */
+static int ret;
+
+/**
+ * Was "-p" specified?
+ */
+static int perform;
+
+/**
+ * -f option.
+ */
+static char *filename;
+
+/**
+ * -R option
+ */
+static char *revoke_ego;
+
+/**
+ * -t option.
+ */
+static char *test_ego;
+
+/**
+ * -e option.
+ */
+static unsigned int epochs = 1;
+
+/**
+ * Handle for revocation query.
+ */
+static struct GNUNET_REVOCATION_Query *q;
+
+/**
+ * Handle for revocation.
+ */
+static struct GNUNET_REVOCATION_Handle *h;
+
+/**
+ * Handle for our ego lookup.
+ */
+static struct GNUNET_IDENTITY_EgoLookup *el;
+
+/**
+ * Our configuration.
+ */
+static const struct GNUNET_CONFIGURATION_Handle *cfg;
+
+/**
+ * Number of matching bits required for revocation.
+ */
+static unsigned long long matching_bits;
+
+/**
+ * Epoch length
+ */
+static struct GNUNET_TIME_Relative epoch_duration;
+
+/**
+ * Task used for proof-of-work calculation.
+ */
+static struct GNUNET_SCHEDULER_Task *pow_task;
+
+/**
+ * Proof-of-work object
+ */
+static struct GNUNET_GNSRECORD_PowP *proof_of_work;
+
+/**
+ * Function run if the user aborts with CTRL-C.
+ *
+ * @param cls closure
+ */
+static void
+do_shutdown (void *cls)
+{
+  fprintf (stderr, "%s", _ ("Shutting down...\n"));
+  if (NULL != el)
+  {
+    GNUNET_IDENTITY_ego_lookup_cancel (el);
+    el = NULL;
+  }
+  if (NULL != q)
+  {
+    GNUNET_REVOCATION_query_cancel (q);
+    q = NULL;
+  }
+  if (NULL != h)
+  {
+    GNUNET_REVOCATION_revoke_cancel (h);
+    h = NULL;
+  }
+}
+
+
+/**
+ * Print the result from a revocation query.
+ *
+ * @param cls NULL
+ * @param is_valid #GNUNET_YES if the key is still valid, #GNUNET_NO if not, #GNUNET_SYSERR on error
+ */
+static void
+print_query_result (void *cls, int is_valid)
+{
+  q = NULL;
+  switch (is_valid)
+  {
+  case GNUNET_YES:
+    fprintf (stdout, _ ("Key `%s' is valid\n"), test_ego);
+    break;
+
+  case GNUNET_NO:
+    fprintf (stdout, _ ("Key `%s' has been revoked\n"), test_ego);
+    break;
+
+  case GNUNET_SYSERR:
+    fprintf (stdout, "%s", _ ("Internal error\n"));
+    break;
+
+  default:
+    GNUNET_break (0);
+    break;
+  }
+  GNUNET_SCHEDULER_shutdown ();
+}
+
+
+/**
+ * Print the result from a revocation request.
+ *
+ * @param cls NULL
+ * @param is_valid #GNUNET_YES if the key is still valid, #GNUNET_NO if not, #GNUNET_SYSERR on error
+ */
+static void
+print_revocation_result (void *cls, int is_valid)
+{
+  h = NULL;
+  switch (is_valid)
+  {
+  case GNUNET_YES:
+    if (NULL != revoke_ego)
+      fprintf (stdout,
+               _ ("Key for ego `%s' is still valid, revocation failed (!)\n"),
+               revoke_ego);
+    else
+      fprintf (stdout, "%s", _ ("Revocation failed (!)\n"));
+    break;
+
+  case GNUNET_NO:
+    if (NULL != revoke_ego)
+      fprintf (stdout,
+               _ ("Key for ego `%s' has been successfully revoked\n"),
+               revoke_ego);
+    else
+      fprintf (stdout, "%s", _ ("Revocation successful.\n"));
+    break;
+
+  case GNUNET_SYSERR:
+    fprintf (stdout,
+             "%s",
+             _ ("Internal error, key revocation might have failed\n"));
+    break;
+
+  default:
+    GNUNET_break (0);
+    break;
+  }
+  GNUNET_SCHEDULER_shutdown ();
+}
+
+
+/**
+ * Perform the revocation.
+ */
+static void
+perform_revocation ()
+{
+  h = GNUNET_REVOCATION_revoke (cfg,
+                                proof_of_work,
+                                &print_revocation_result,
+                                NULL);
+}
+
+
+/**
+ * Write the current state of the revocation data
+ * to disk.
+ *
+ * @param rd data to sync
+ */
+static void
+sync_pow ()
+{
+  size_t psize = GNUNET_GNSRECORD_proof_get_size (proof_of_work);
+  if ((NULL != filename) &&
+      (GNUNET_OK !=
+       GNUNET_DISK_fn_write (filename,
+                             proof_of_work,
+                             psize,
+                             GNUNET_DISK_PERM_USER_READ
+                             | GNUNET_DISK_PERM_USER_WRITE)))
+    GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_ERROR, "write", filename);
+}
+
+
+/**
+ * Perform the proof-of-work calculation.
+ *
+ * @param cls the `struct RevocationData`
+ */
+static void
+calculate_pow_shutdown (void *cls)
+{
+  struct GNUNET_GNSRECORD_PowCalculationHandle *ph = cls;
+  fprintf (stderr, "%s", _ ("Cancelling calculation.\n"));
+  sync_pow ();
+  if (NULL != pow_task)
+  {
+    GNUNET_SCHEDULER_cancel (pow_task);
+    pow_task = NULL;
+  }
+  if (NULL != ph)
+    GNUNET_GNSRECORD_pow_stop (ph);
+}
+
+
+/**
+ * Perform the proof-of-work calculation.
+ *
+ * @param cls the `struct RevocationData`
+ */
+static void
+calculate_pow (void *cls)
+{
+  struct GNUNET_GNSRECORD_PowCalculationHandle *ph = cls;
+  size_t psize;
+
+  /* store temporary results */
+  pow_task = NULL;
+  if (0 == (pow_passes % 128))
+    sync_pow ();
+  /* actually do POW calculation */
+  if (GNUNET_OK == GNUNET_GNSRECORD_pow_round (ph))
+  {
+    psize = GNUNET_GNSRECORD_proof_get_size (proof_of_work);
+    if (NULL != filename)
+    {
+      (void) GNUNET_DISK_directory_remove (filename);
+      if (GNUNET_OK !=
+          GNUNET_DISK_fn_write (filename,
+                                proof_of_work,
+                                psize,
+                                GNUNET_DISK_PERM_USER_READ
+                                | GNUNET_DISK_PERM_USER_WRITE))
+        GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_ERROR, "write", filename);
+    }
+    if (perform)
+    {
+      perform_revocation ();
+    }
+    else
+    {
+      fprintf (stderr, "%s", "\n");
+      fprintf (stderr,
+               _ ("Revocation certificate for `%s' stored in `%s'\n"),
+               revoke_ego,
+               filename);
+      GNUNET_SCHEDULER_shutdown ();
+    }
+    return;
+  }
+  pow_passes++;
+  pow_task = GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_UNIT_MILLISECONDS,
+                                           &calculate_pow,
+                                           ph);
+
+}
+
+
+/**
+ * Function called with the result from the ego lookup.
+ *
+ * @param cls closure
+ * @param ego the ego, NULL if not found
+ */
+static void
+ego_callback (void *cls, struct GNUNET_IDENTITY_Ego *ego)
+{
+  struct GNUNET_CRYPTO_PublicKey key;
+  const struct GNUNET_CRYPTO_PrivateKey *privkey;
+  struct GNUNET_GNSRECORD_PowCalculationHandle *ph = NULL;
+  size_t psize;
+
+  el = NULL;
+  if (NULL == ego)
+  {
+    fprintf (stdout, _ ("Ego `%s' not found.\n"), revoke_ego);
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  GNUNET_IDENTITY_ego_get_public_key (ego, &key);
+  privkey = GNUNET_IDENTITY_ego_get_private_key (ego);
+  proof_of_work = GNUNET_malloc (GNUNET_MAX_POW_SIZE);
+  if ((NULL != filename) && (GNUNET_YES == GNUNET_DISK_file_test (filename)) &&
+      (0 < (psize =
+              GNUNET_DISK_fn_read (filename, proof_of_work,
+                                   GNUNET_MAX_POW_SIZE))))
+  {
+    ssize_t ksize = GNUNET_CRYPTO_public_key_get_length (&key);
+    if (0 > ksize)
+    {
+      fprintf (stderr,
+               _ ("Error: Key is invalid\n"));
+      return;
+    }
+    if (((psize - sizeof (*proof_of_work)) < ksize) || // Key too small
+        (0 != memcmp (&proof_of_work[1], &key, ksize))) // Keys do not match
+    {
+      fprintf (stderr,
+               _ ("Error: revocation certificate in `%s' is not for `%s'\n"),
+               filename,
+               revoke_ego);
+      return;
+    }
+    if (GNUNET_YES ==
+        GNUNET_GNSRECORD_check_pow (proof_of_work,
+                                    (unsigned int) matching_bits,
+                                    epoch_duration))
+    {
+      fprintf (stderr, "%s", _ ("Revocation certificate ready\n"));
+      if (perform)
+        perform_revocation ();
+      else
+        GNUNET_SCHEDULER_shutdown ();
+      return;
+    }
+    /**
+     * Certificate not yet ready
+     */
+    fprintf (stderr,
+             "%s",
+             _ ("Continuing calculation where left off...\n"));
+    ph = GNUNET_GNSRECORD_pow_start (proof_of_work,
+                                     epochs,
+                                     matching_bits);
+  }
+  fprintf (stderr,
+           "%s",
+           _ ("Revocation certificate not ready, calculating proof of work\n"));
+  if (NULL == ph)
+  {
+    GNUNET_GNSRECORD_pow_init (privkey,
+                               proof_of_work);
+    ph = GNUNET_GNSRECORD_pow_start (proof_of_work,
+                                     epochs,  /* Epochs */
+                                     matching_bits);
+  }
+  pow_task = GNUNET_SCHEDULER_add_now (&calculate_pow, ph);
+  GNUNET_SCHEDULER_add_shutdown (&calculate_pow_shutdown, ph);
+}
+
+
+/**
+ * Main function that will be run by the scheduler.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param c configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *c)
+{
+  struct GNUNET_CRYPTO_PublicKey pk;
+  size_t psize;
+
+  cfg = c;
+  if (NULL != test_ego)
+  {
+    if (GNUNET_OK !=
+        GNUNET_CRYPTO_public_key_from_string (test_ego,
+                                              &pk))
+    {
+      fprintf (stderr, _ ("Public key `%s' malformed\n"), test_ego);
+      return;
+    }
+    GNUNET_SCHEDULER_add_shutdown (&do_shutdown, NULL);
+    q = GNUNET_REVOCATION_query (cfg, &pk, &print_query_result, NULL);
+    if (NULL != revoke_ego)
+      fprintf (
+        stderr,
+        "%s",
+        _ (
+          "Testing and revoking at the same time is not allowed, only executing test.\n"));
+    return;
+  }
+  if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_number (cfg,
+                                                          "REVOCATION",
+                                                          "WORKBITS",
+                                                          &matching_bits))
+  {
+    GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
+                               "REVOCATION",
+                               "WORKBITS");
+    return;
+  }
+  if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_time (cfg,
+                                                        "REVOCATION",
+                                                        "EPOCH_DURATION",
+                                                        &epoch_duration))
+  {
+    GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
+                               "REVOCATION",
+                               "EPOCH_DURATION");
+    return;
+  }
+
+  if (NULL != revoke_ego)
+  {
+    if (! perform && (NULL == filename))
+    {
+      fprintf (stderr,
+               "%s",
+               _ ("No filename to store revocation certificate given.\n"));
+      return;
+    }
+    /* main code here */
+    el = GNUNET_IDENTITY_ego_lookup (cfg, revoke_ego, &ego_callback, NULL);
+    GNUNET_SCHEDULER_add_shutdown (&do_shutdown, NULL);
+    return;
+  }
+  if ((NULL != filename) && (perform))
+  {
+    size_t bread;
+    proof_of_work = GNUNET_malloc (GNUNET_MAX_POW_SIZE);
+    if (0 < (bread = GNUNET_DISK_fn_read (filename,
+                                          proof_of_work,
+                                          GNUNET_MAX_POW_SIZE)))
+    {
+      fprintf (stderr,
+               _ ("Failed to read revocation certificate from `%s'\n"),
+               filename);
+      return;
+    }
+    psize = GNUNET_GNSRECORD_proof_get_size (proof_of_work);
+    if (bread != psize)
+    {
+      fprintf (stderr,
+               _ ("Revocation certificate corrupted in `%s'\n"),
+               filename);
+      return;
+    }
+    GNUNET_SCHEDULER_add_shutdown (&do_shutdown, NULL);
+    if (GNUNET_YES !=
+        GNUNET_GNSRECORD_check_pow (proof_of_work,
+                                    (unsigned int) matching_bits,
+                                    epoch_duration))
+    {
+      struct GNUNET_GNSRECORD_PowCalculationHandle *ph;
+      ph = GNUNET_GNSRECORD_pow_start (proof_of_work,
+                                       epochs,  /* Epochs */
+                                       matching_bits);
+
+      pow_task = GNUNET_SCHEDULER_add_now (&calculate_pow, ph);
+      GNUNET_SCHEDULER_add_shutdown (&calculate_pow_shutdown, ph);
+      return;
+    }
+    perform_revocation ();
+    return;
+  }
+  fprintf (stderr, "%s", _ ("No action specified. Nothing to do.\n"));
+}
+
+
+/**
+ * The main function of gnunet-revocation.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc, char *const *argv)
+{
+  struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_option_string ('f',
+                                 "filename",
+                                 "NAME",
+                                 gettext_noop (
+                                   "use NAME for the name of the revocation file"),
+                                 &filename),
+
+    GNUNET_GETOPT_option_string (
+      'R',
+      "revoke",
+      "NAME",
+      gettext_noop (
+        "revoke the private key associated for the the private key associated with the ego NAME "),
+      &revoke_ego),
+
+    GNUNET_GETOPT_option_flag (
+      'p',
+      "perform",
+      gettext_noop (
+        "actually perform revocation, otherwise we just do the precomputation"),
+      &perform),
+
+    GNUNET_GETOPT_option_string ('t',
+                                 "test",
+                                 "KEY",
+                                 gettext_noop (
+                                   "test if the public key KEY has been revoked"),
+                                 &test_ego),
+    GNUNET_GETOPT_option_uint ('e',
+                               "epochs",
+                               "EPOCHS",
+                               gettext_noop (
+                                 "number of epochs to calculate for"),
+                               &epochs),
+
+    GNUNET_GETOPT_OPTION_END
+  };
+
+  if (GNUNET_OK != GNUNET_STRINGS_get_utf8_args (argc, argv, &argc, &argv))
+    return 2;
+
+  ret = (GNUNET_OK == GNUNET_PROGRAM_run (argc,
+                                          argv,
+                                          "gnunet-revocation",
+                                          gettext_noop ("help text"),
+                                          options,
+                                          &run,
+                                          NULL))
+        ? ret
+        : 1;
+  GNUNET_free_nz ((void *) argv);
+  return ret;
+}
+
+
+/* end of gnunet-revocation.c */
diff --git a/src/cli/revocation/meson.build b/src/cli/revocation/meson.build
new file mode 100644
index 000000000..090b381df
--- /dev/null
+++ b/src/cli/revocation/meson.build
@@ -0,0 +1,22 @@
+executable ('gnunet-revocation',
+            ['gnunet-revocation.c'],
+            dependencies: [libgnunetrevocation_dep,
+                           libgnunetutil_dep,
+                           libgnunetstatistics_dep,
+                           libgnunetcore_dep,
+                           libgnunetgnsrecord_dep,
+                           libgnunetsetu_dep,
+                           libgnunetidentity_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+
+executable ('gnunet-revocation-tvg',
+            ['gnunet-revocation.c'],
+            dependencies: [libgnunetrevocation_dep,
+                           libgnunetutil_dep,
+                           libgnunetgnsrecord_dep,
+                           libgnunetidentity_dep],
+            include_directories: [incdir, configuration_inc],
+            install: false)
+
diff --git a/src/cli/revocation/test_local_revocation.py.in b/src/cli/revocation/test_local_revocation.py.in
new file mode 100644
index 000000000..e667c10ce
--- /dev/null
+++ b/src/cli/revocation/test_local_revocation.py.in
@@ -0,0 +1,129 @@
+#!@PYTHONEXE@
+#    This file is part of GNUnet.
+#    (C) 2010, 2018 Christian Grothoff (and other contributing authors)
+#
+#    GNUnet is free software: you can redistribute it and/or modify it
+#    under the terms of the GNU Affero General Public License as published
+#    by the Free Software Foundation, either version 3 of the License,
+#    or (at your option) any later version.
+#
+#    GNUnet is distributed in the hope that it will be useful, but
+#    WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#    Affero General Public License for more details.
+#
+#    You should have received a copy of the GNU Affero General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+#    SPDX-License-Identifier: AGPL3.0-or-later
+#
+# Testcase for ego revocation
+
+import sys
+import os
+import subprocess
+import re
+import shutil
+
+if os.name == 'posix':
+    config = 'gnunet-config'
+    gnunetarm = 'gnunet-arm'
+    ident = 'gnunet-identity'
+    revoc = './gnunet-revocation'
+elif os.name == 'nt':
+    config = 'gnunet-config.exe'
+    gnunetarm = 'gnunet-arm.exe'
+    ident = 'gnunet-identity.exe'
+    revoc = './gnunet-revocation.exe'
+
+TEST_CONFIGURATION = "test_revocation.conf"
+TEST_REVOCATION_EGO = "revoc_test"
+
+get_clean = subprocess.Popen([
+    config, '-c', TEST_CONFIGURATION, '-s', 'PATHS', '-o', 'GNUNET_HOME', '-f'
+],
+                             stdout=subprocess.PIPE)
+cleandir, x = get_clean.communicate()
+cleandir = cleandir.decode("utf-8")
+cleandir = cleandir.rstrip('\n').rstrip('\r')
+
+if os.path.isdir(cleandir):
+    shutil.rmtree(cleandir, True)
+
+res = 0
+arm = subprocess.Popen([gnunetarm, '-s', '-c', TEST_CONFIGURATION])
+arm.communicate()
+
+try:
+    print("Creating an ego " + TEST_REVOCATION_EGO)
+    sys.stdout.flush()
+    sys.stderr.flush()
+    idc = subprocess.Popen([
+        ident, '-C', TEST_REVOCATION_EGO, '-c', TEST_CONFIGURATION
+    ])
+    idc.communicate()
+    if idc.returncode != 0:
+        raise Exception(
+            "gnunet-identity failed to create an ego `" + TEST_REVOCATION_EGO +
+            "'"
+        )
+
+    sys.stdout.flush()
+    sys.stderr.flush()
+    idd = subprocess.Popen([ident, '-d'], stdout=subprocess.PIPE)
+    rev_key, x = idd.communicate()
+    rev_key = rev_key.decode("utf-8")
+    if len(rev_key.split()) < 3:
+        raise Exception("can't get revocation key out of `" + rev_key + "'")
+    rev_key = rev_key.split()[2]
+
+    print("Testing key " + rev_key)
+    sys.stdout.flush()
+    sys.stderr.flush()
+    tst = subprocess.Popen([revoc, '-t', rev_key, '-c', TEST_CONFIGURATION],
+                           stdout=subprocess.PIPE)
+    output_not_revoked, x = tst.communicate()
+    output_not_revoked = output_not_revoked.decode("utf-8")
+    if tst.returncode != 0:
+        raise Exception(
+            "gnunet-revocation failed to test a key - " + str(tst.returncode) +
+            ": " + output_not_revoked
+        )
+    if 'valid' not in output_not_revoked:
+        res = 1
+        print("Key was not valid")
+    else:
+        print("Key was valid")
+
+    print("Revoking key " + rev_key)
+    sys.stdout.flush()
+    sys.stderr.flush()
+    rev = subprocess.Popen([
+        revoc, '-R', TEST_REVOCATION_EGO, '-p', '-c', TEST_CONFIGURATION
+    ])
+    rev.communicate()
+    if rev.returncode != 0:
+        raise Exception("gnunet-revocation failed to revoke a key")
+
+    print("Testing revoked key " + rev_key)
+    sys.stdout.flush()
+    sys.stderr.flush()
+    tst = subprocess.Popen([revoc, '-t', rev_key, '-c', TEST_CONFIGURATION],
+                           stdout=subprocess.PIPE)
+    output_revoked, x = tst.communicate()
+    output_revoked = output_revoked.decode("utf-8")
+    if tst.returncode != 0:
+        raise Exception("gnunet-revocation failed to test a revoked key")
+    if 'revoked' not in output_revoked:
+        res = 1
+        print("Key was not revoked")
+    else:
+        print("Key was revoked")
+
+finally:
+    arm = subprocess.Popen([gnunetarm, '-e', '-c', TEST_CONFIGURATION])
+    arm.communicate()
+    if os.path.isdir(cleandir):
+        shutil.rmtree(cleandir, True)
+
+sys.exit(res)
diff --git a/src/cli/statistics/.gitignore b/src/cli/statistics/.gitignore
new file mode 100644
index 000000000..2a7218e76
--- /dev/null
+++ b/src/cli/statistics/.gitignore
@@ -0,0 +1 @@
+gnunet-statistics
diff --git a/src/cli/statistics/Makefile.am b/src/cli/statistics/Makefile.am
new file mode 100644
index 000000000..29160ed71
--- /dev/null
+++ b/src/cli/statistics/Makefile.am
@@ -0,0 +1,40 @@
+# This Makefile.am is in the public domain
+AM_CPPFLAGS = -I$(top_srcdir)/src/include
+
+if USE_COVERAGE
+  AM_CFLAGS = --coverage -O0
+  XLIB = -lgcov
+endif
+
+pkgcfgdir= $(pkgdatadir)/config.d/
+
+libexecdir= $(pkglibdir)/libexec/
+
+bin_PROGRAMS = \
+ gnunet-statistics
+
+gnunet_statistics_SOURCES = \
+ gnunet-statistics.c
+gnunet_statistics_LDADD = \
+  $(top_builddir)/src/service/statistics/libgnunetstatistics.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(GN_LIBINTL)
+
+# Config file still in service folder
+#if HAVE_PYTHON
+#check_SCRIPTS = \
+#  test_gnunet_statistics.py
+#endif
+#
+#SUFFIXES = .py.in .py
+#.py.in.py:
+#       $(AWK) -v bdir="$(bindir)" -v py="$(PYTHON)" -v awkay="$(AWK_BINARY)" -v pfx="$(prefix)" -v prl="$(PERL)" -v sysconfdirectory="$(sysconfdir)" -v pkgdatadirectory="$(pkgdatadir)" -f $(top_srcdir)/scripts/dosubst.awk < $(srcdir)/$< > $@
+#       chmod +x $@
+#
+#test_gnunet_statistics.py: test_gnunet_statistics.py.in Makefile
+#       $(AWK) -v bdir="$(bindir)" -v py="$(PYTHON)" -v awkay="$(AWK_BINARY)" -v pfx="$(prefix)" -v prl="$(PERL)" -v sysconfdirectory="$(sysconfdir)" -v pkgdatadirectory="$(pkgdatadir)" -f $(top_srcdir)/scripts/dosubst.awk < $(srcdir)/test_gnunet_statistics.py.in > test_gnunet_statistics.py
+#       chmod +x test_gnunet_statistics.py
+#
+#EXTRA_DIST = \
+#  test_statistics_api_data.conf \
+#  test_gnunet_statistics.py.in
diff --git a/src/cli/statistics/gnunet-statistics.c b/src/cli/statistics/gnunet-statistics.c
new file mode 100644
index 000000000..3336980d1
--- /dev/null
+++ b/src/cli/statistics/gnunet-statistics.c
@@ -0,0 +1,889 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2001, 2002, 2004-2007, 2009, 2016 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @file statistics/gnunet-statistics.c
+ * @brief tool to obtain statistics
+ * @author Christian Grothoff
+ * @author Igor Wronsky
+ */
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include "gnunet_statistics_service.h"
+#include "../../service/statistics/statistics.h"
+
+
+/**
+ * Final status code.
+ */
+static int ret;
+
+/**
+ * Set to subsystem that we're going to get stats for (or NULL for all).
+ */
+static char *subsystem;
+
+/**
+ * The path of the testbed data.
+ */
+static char *path_testbed;
+
+/**
+ * Set to the specific stat value that we are after (or NULL for all).
+ */
+static char *name;
+
+/**
+ * Make the value that is being set persistent.
+ */
+static int persistent;
+
+/**
+ * Watch value continuously
+ */
+static int watch;
+
+/**
+ * Quiet mode
+ */
+static int quiet;
+
+/**
+ * @brief Separator string for csv.
+ */
+static char *csv_separator;
+
+/**
+ * Remote host
+ */
+static char *remote_host;
+
+/**
+ * Remote host's port
+ */
+static unsigned long long remote_port;
+
+/**
+ * Value to set
+ */
+static unsigned long long set_val;
+
+/**
+ * Set operation
+ */
+static int set_value;
+
+/**
+ * @brief Representation of all (testbed) nodes.
+ */
+static struct Node
+{
+  /**
+   * @brief Index of the node in this array.
+   */
+  unsigned index_node;
+
+  /**
+   * @brief Configuration handle for this node
+   */
+  struct GNUNET_CONFIGURATION_Handle *conf;
+
+  /**
+   * Handle for pending GET operation.
+   */
+  struct GNUNET_STATISTICS_GetHandle *gh;
+
+  /**
+   * @brief Statistics handle nodes.
+   */
+  struct GNUNET_STATISTICS_Handle *handle;
+  /**
+   * @brief Identifier for shutdown task for this node.
+   */
+  struct GNUNET_SCHEDULER_Task *shutdown_task;
+} *nodes;
+
+/**
+ * @brief Number of configurations of all (testbed) nodes.
+ */
+static unsigned num_nodes;
+
+/**
+ * @brief Set of values for a combination of subsystem and name.
+ */
+struct ValueSet
+{
+  /**
+   * @brief Subsystem of the valueset.
+   */
+  char *subsystem;
+
+  /**
+   * @brief Name of the valueset.
+   */
+  char *name;
+
+  /**
+   * @brief The values.
+   */
+  uint64_t *values;
+
+  /**
+   * @brief Persistence of the values.
+   */
+  int is_persistent;
+};
+
+
+/**
+ * @brief Collection of all values (represented with #ValueSet).
+ */
+static struct GNUNET_CONTAINER_MultiHashMap *values;
+
+/**
+ * @brief Number of nodes that have their values ready.
+ */
+static int num_nodes_ready;
+
+/**
+ * @brief Number of nodes that have their values ready.
+ */
+static int num_nodes_ready_shutdown;
+
+
+/**
+ * @brief Create a new #ValueSet
+ *
+ * @param subsystem Subsystem of the valueset.
+ * @param name Name of the valueset.
+ * @param num_values Number of values in valueset - number of peers.
+ * @param is_persistent Persistence status of values.
+ * @return Newly allocated #ValueSet.
+ */
+static struct ValueSet *
+new_value_set (const char *subsystem,
+               const char *name,
+               unsigned num_values,
+               int is_persistent)
+{
+  struct ValueSet *value_set;
+
+  value_set = GNUNET_new (struct ValueSet);
+  value_set->subsystem = GNUNET_strdup (subsystem);
+  value_set->name = GNUNET_strdup (name);
+  value_set->values = GNUNET_new_array (num_values,
+                                        uint64_t);
+  value_set->is_persistent = persistent;
+  return value_set;
+}
+
+
+/**
+ * @brief Print the (collected) values.
+ *
+ * Implements #GNUNET_CONTAINER_HashMapIterator.
+ *
+ * @param cls Closure - unused
+ * @param key #GNUNET_HashCode key of #GNUNET_CONTAINER_MultiHashMap iterator -
+ *        unused
+ * @param value Values represented as #ValueSet.
+ * @return #GNUNET_YES - continue iteration.
+ */
+static int
+printer (void *cls,
+         const struct GNUNET_HashCode *key,
+         void *value)
+{
+  struct GNUNET_TIME_Absolute now = GNUNET_TIME_absolute_get ();
+  const char *now_str;
+  struct ValueSet *value_set = value;
+
+  if (quiet == GNUNET_NO)
+  {
+    if (GNUNET_YES == watch)
+    {
+      now_str = GNUNET_STRINGS_absolute_time_to_string (now);
+      fprintf (stdout,
+               "%24s%s %s%s%12s%s %s%50s%s%s ",
+               now_str,
+               csv_separator,
+               value_set->is_persistent ? "!" : " ",
+               csv_separator,
+               value_set->subsystem,
+               csv_separator,
+               (0 == strlen (csv_separator) ? "" : "\""),   /* quotes if csv */
+               _ (value_set->name),
+               (0 == strlen (csv_separator) ? "" : "\""),   /* quotes if csv */
+               (0 == strlen (csv_separator) ? ":" : csv_separator));
+    }
+    else
+    {
+      fprintf (stdout,
+               "%s%s%12s%s %s%50s%s%s ",
+               value_set->is_persistent ? "!" : " ",
+               csv_separator,
+               value_set->subsystem,
+               csv_separator,
+               (0 == strlen (csv_separator) ? "" : "\""),   /* quotes if csv */
+               _ (value_set->name),
+               (0 == strlen (csv_separator) ? "" : "\""),   /* quotes if csv */
+               (0 == strlen (csv_separator) ? ":" : csv_separator));
+    }
+  }
+  for (unsigned i = 0; i < num_nodes; i++)
+  {
+    fprintf (stdout,
+             "%16llu%s",
+             (unsigned long long) value_set->values[i],
+             csv_separator);
+  }
+  fprintf (stdout, "\n");
+  GNUNET_free (value_set->subsystem);
+  GNUNET_free (value_set->name);
+  GNUNET_free (value_set->values);
+  GNUNET_free (value_set);
+  return GNUNET_YES;
+}
+
+
+/**
+ * Callback function to process statistic values.
+ *
+ * @param cls closure
+ * @param subsystem name of subsystem that created the statistic
+ * @param name the name of the datum
+ * @param value the current value
+ * @param is_persistent #GNUNET_YES if the value is persistent, #GNUNET_NO if not
+ * @return #GNUNET_OK to continue, #GNUNET_SYSERR to abort iteration
+ */
+static int
+printer_watch (void *cls,
+               const char *subsystem,
+               const char *name,
+               uint64_t value,
+               int is_persistent)
+{
+  struct GNUNET_TIME_Absolute now = GNUNET_TIME_absolute_get ();
+  const char *now_str;
+
+  if (quiet == GNUNET_NO)
+  {
+    if (GNUNET_YES == watch)
+    {
+      now_str = GNUNET_STRINGS_absolute_time_to_string (now);
+      fprintf (stdout,
+               "%24s%s %s%s%12s%s %s%50s%s%s %16llu\n",
+               now_str,
+               csv_separator,
+               is_persistent ? "!" : " ",
+               csv_separator,
+               subsystem,
+               csv_separator,
+               (0 == strlen (csv_separator) ? "" : "\""),   /* quotes if csv */
+               _ (name),
+               (0 == strlen (csv_separator) ? "" : "\""),   /* quotes if csv */
+               (0 == strlen (csv_separator) ? ":" : csv_separator),
+               (unsigned long long) value);
+    }
+    else
+    {
+      fprintf (stdout,
+               "%s%s%12s%s %s%50s%s%s %16llu\n",
+               is_persistent ? "!" : " ",
+               csv_separator,
+               subsystem,
+               csv_separator,
+               (0 == strlen (csv_separator) ? "" : "\""),   /* quotes if csv */
+               _ (name),
+               (0 == strlen (csv_separator) ? "" : "\""),   /* quotes if csv */
+               (0 == strlen (csv_separator) ? ":" : csv_separator),
+               (unsigned long long) value);
+    }
+  }
+  else
+    fprintf (stdout, "%llu\n", (unsigned long long) value);
+
+  return GNUNET_OK;
+}
+
+
+/**
+ * @brief Clean all data structures related to given node.
+ *
+ * Also clears global structures if we are the last node to clean.
+ *
+ * @param cls the index of the node
+ */
+static void
+clean_node (void *cls)
+{
+  const unsigned index_node = *(unsigned *) cls;
+  struct GNUNET_STATISTICS_Handle *h;
+  struct GNUNET_STATISTICS_GetHandle *gh;
+
+  if ((NULL != path_testbed) && /* were issued with -t <testbed-path> option */
+      (NULL != nodes[index_node].conf))
+  {
+    GNUNET_CONFIGURATION_destroy (nodes[index_node].conf);
+    nodes[index_node].conf = NULL;
+  }
+
+  h = nodes[index_node].handle;
+  gh = nodes[index_node].gh;
+
+  if (NULL != gh)
+  {
+    GNUNET_STATISTICS_get_cancel (gh);
+    gh = NULL;
+  }
+  if (GNUNET_YES == watch)
+  {
+    GNUNET_assert (
+      GNUNET_OK ==
+      GNUNET_STATISTICS_watch_cancel (h,
+                                      subsystem,
+                                      name,
+                                      &printer_watch,
+                                      &nodes[index_node].index_node));
+  }
+
+  if (NULL != h)
+  {
+    GNUNET_STATISTICS_destroy (h, GNUNET_NO);
+    h = NULL;
+  }
+
+  num_nodes_ready_shutdown++;
+}
+
+
+/**
+ * @brief Print and shutdown
+ *
+ * @param cls unused
+ */
+static void
+print_finish (void *cls)
+{
+  GNUNET_CONTAINER_multihashmap_iterate (values,
+                                         &printer,
+                                         NULL);
+  GNUNET_CONTAINER_multihashmap_destroy (values);
+  GNUNET_SCHEDULER_shutdown ();
+}
+
+
+/**
+ * @brief Called once all statistic values are available.
+ *
+ * Implements #GNUNET_STATISTICS_Callback
+ *
+ * @param cls Closure - The index of the node.
+ * @param success Whether statistics were obtained successfully.
+ */
+static void
+continuation_print (void *cls,
+                    int success)
+{
+  const unsigned index_node = *(unsigned *) cls;
+
+  nodes[index_node].gh = NULL;
+  if (GNUNET_OK != success)
+  {
+    if (NULL == remote_host)
+      fprintf (stderr,
+               "%s",
+               _ ("Failed to obtain statistics.\n"));
+    else
+      fprintf (stderr,
+               _ ("Failed to obtain statistics from host `%s:%llu'\n"),
+               remote_host,
+               remote_port);
+    ret = 1;
+  }
+  if (NULL != nodes[index_node].shutdown_task)
+  {
+    GNUNET_SCHEDULER_cancel (nodes[index_node].shutdown_task);
+    nodes[index_node].shutdown_task = NULL;
+  }
+  GNUNET_SCHEDULER_add_now (&clean_node,
+                            &nodes[index_node].index_node);
+  num_nodes_ready++;
+  if (num_nodes_ready == num_nodes)
+  {
+    GNUNET_SCHEDULER_add_now (&print_finish,
+                              NULL);
+  }
+}
+
+
+/**
+ * Function called last by the statistics code.
+ *
+ * @param cls closure
+ * @param success #GNUNET_OK if statistics were
+ *        successfully obtained, #GNUNET_SYSERR if not.
+ */
+static void
+cleanup (void *cls,
+         int success)
+{
+  for (unsigned i = 0; i < num_nodes; i++)
+  {
+    nodes[i].gh = NULL;
+  }
+  if (GNUNET_OK != success)
+  {
+    if (NULL == remote_host)
+      fprintf (stderr, "%s", _ ("Failed to obtain statistics.\n"));
+    else
+      fprintf (stderr,
+               _ ("Failed to obtain statistics from host `%s:%llu'\n"),
+               remote_host,
+               remote_port);
+    ret = 1;
+  }
+  GNUNET_SCHEDULER_shutdown ();
+}
+
+
+/**
+ * @brief Iterate over statistics values and store them in #values.
+ * They will be printed once all are available.
+ *
+ * @param cls Cosure - Node index.
+ * @param subsystem Subsystem of the value.
+ * @param name Name of the value.
+ * @param value Value itself.
+ * @param is_persistent Persistence.
+ * @return #GNUNET_OK - continue.
+ */
+static int
+collector (void *cls,
+           const char *subsystem,
+           const char *name,
+           uint64_t value,
+           int is_persistent)
+{
+  const unsigned index_node = *(unsigned *) cls;
+  struct GNUNET_HashCode *key;
+  struct GNUNET_HashCode hc;
+  char *subsys_name;
+  unsigned len_subsys_name;
+  struct ValueSet *value_set;
+
+  len_subsys_name = strlen (subsystem) + 3 + strlen (name) + 1;
+  subsys_name = GNUNET_malloc (len_subsys_name);
+  sprintf (subsys_name, "%s---%s", subsystem, name);
+  key = &hc;
+  GNUNET_CRYPTO_hash (subsys_name, len_subsys_name, key);
+  GNUNET_free (subsys_name);
+  if (GNUNET_YES == GNUNET_CONTAINER_multihashmap_contains (values, key))
+  {
+    value_set = GNUNET_CONTAINER_multihashmap_get (values, key);
+  }
+  else
+  {
+    value_set = new_value_set (subsystem, name, num_nodes, is_persistent);
+  }
+  value_set->values[index_node] = value;
+  GNUNET_assert (GNUNET_YES ==
+                 GNUNET_CONTAINER_multihashmap_put (
+                   values,
+                   key,
+                   value_set,
+                   GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY));
+  return GNUNET_OK;
+}
+
+
+/**
+ * Main task that does the actual work.
+ *
+ * @param cls closure with our configuration
+ */
+static void
+main_task (void *cls)
+{
+  unsigned index_node = *(unsigned *) cls;
+  const struct GNUNET_CONFIGURATION_Handle *cfg = nodes[index_node].conf;
+
+  if (set_value)
+  {
+    if (NULL == subsystem)
+    {
+      fprintf (stderr, "%s", _ ("Missing argument: subsystem \n"));
+      ret = 1;
+      return;
+    }
+    if (NULL == name)
+    {
+      fprintf (stderr, "%s", _ ("Missing argument: name\n"));
+      ret = 1;
+      return;
+    }
+    nodes[index_node].handle = GNUNET_STATISTICS_create (subsystem, cfg);
+    if (NULL == nodes[index_node].handle)
+    {
+      ret = 1;
+      return;
+    }
+    GNUNET_STATISTICS_set (nodes[index_node].handle,
+                           name,
+                           (uint64_t) set_val,
+                           persistent);
+    GNUNET_STATISTICS_destroy (nodes[index_node].handle, GNUNET_YES);
+    nodes[index_node].handle = NULL;
+    return;
+  }
+  if (NULL == (nodes[index_node].handle =
+                 GNUNET_STATISTICS_create ("gnunet-statistics", cfg)))
+  {
+    ret = 1;
+    return;
+  }
+  if (GNUNET_NO == watch)
+  {
+    if (NULL == (nodes[index_node].gh =
+                   GNUNET_STATISTICS_get (nodes[index_node].handle,
+                                          subsystem,
+                                          name,
+                                          &continuation_print,
+                                          &collector,
+                                          &nodes[index_node].index_node)))
+      cleanup (nodes[index_node].handle, GNUNET_SYSERR);
+  }
+  else
+  {
+    if ((NULL == subsystem) || (NULL == name))
+    {
+      printf (_ ("No subsystem or name given\n"));
+      GNUNET_STATISTICS_destroy (nodes[index_node].handle, GNUNET_NO);
+      nodes[index_node].handle = NULL;
+      ret = 1;
+      return;
+    }
+    if (GNUNET_OK != GNUNET_STATISTICS_watch (nodes[index_node].handle,
+                                              subsystem,
+                                              name,
+                                              &printer_watch,
+                                              &nodes[index_node].index_node))
+    {
+      fprintf (stderr, _ ("Failed to initialize watch routine\n"));
+      nodes[index_node].shutdown_task =
+        GNUNET_SCHEDULER_add_now (&clean_node, &nodes[index_node].index_node);
+      return;
+    }
+  }
+  nodes[index_node].shutdown_task =
+    GNUNET_SCHEDULER_add_shutdown (&clean_node, &nodes[index_node].index_node);
+}
+
+
+/**
+ * @brief Iter over content of a node's directory to check for existence of a
+ * config file.
+ *
+ * Implements #GNUNET_FileNameCallback
+ *
+ * @param cls pointer to indicate success
+ * @param filename filename inside the directory of the potential node
+ *
+ * @return to continue iteration or not to
+ */
+static int
+iter_check_config (void *cls,
+                   const char *filename)
+{
+  if (0 == strncmp (GNUNET_STRINGS_get_short_name (filename), "config", 6))
+  {
+    /* Found the config - stop iteration successfully */
+    GNUNET_array_grow (nodes, num_nodes, num_nodes + 1);
+    nodes[num_nodes - 1].conf = GNUNET_CONFIGURATION_create ();
+    nodes[num_nodes - 1].index_node = num_nodes - 1;
+    if (GNUNET_OK !=
+        GNUNET_CONFIGURATION_load (nodes[num_nodes - 1].conf, filename))
+    {
+      fprintf (stderr, "Failed loading config `%s'\n", filename);
+      return GNUNET_SYSERR;
+    }
+    return GNUNET_NO;
+  }
+  else
+  {
+    /* Continue iteration */
+    return GNUNET_OK;
+  }
+}
+
+
+/**
+ * @brief Iterates over filenames in testbed directory.
+ *
+ * Implements #GNUNET_FileNameCallback
+ *
+ * Checks if the file is a directory for a testbed node
+ * and counts the nodes.
+ *
+ * @param cls counter of nodes
+ * @param filename full path of the file in testbed
+ * @return status whether to continue iteration
+ */
+static int
+iter_testbed_path (void *cls,
+                   const char *filename)
+{
+  unsigned index_node;
+
+  GNUNET_assert (NULL != filename);
+  if (1 == sscanf (GNUNET_STRINGS_get_short_name (filename),
+                   "%u",
+                   &index_node))
+  {
+    if (-1 == GNUNET_DISK_directory_scan (filename,
+                                          iter_check_config,
+                                          NULL))
+    {
+      /* This is probably no directory for a testbed node
+       * Go on with iteration */
+      return GNUNET_OK;
+    }
+    return GNUNET_OK;
+  }
+  return GNUNET_OK;
+}
+
+
+/**
+ * @brief Count the number of nodes running in the testbed
+ *
+ * @param path_testbed path to the testbed data
+ *
+ * @return number of running nodes
+ */
+static int
+discover_testbed_nodes (const char *path_testbed)
+{
+  int num_dir_entries;
+
+  num_dir_entries =
+    GNUNET_DISK_directory_scan (path_testbed,
+                                &iter_testbed_path,
+                                NULL);
+  if (-1 == num_dir_entries)
+  {
+    fprintf (stderr,
+             "Failure during scanning directory `%s'\n",
+             path_testbed);
+    return -1;
+  }
+  return 0;
+}
+
+
+/**
+ * Main function that will be run by the scheduler.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param cfg configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  struct GNUNET_CONFIGURATION_Handle *c;
+
+  c = (struct GNUNET_CONFIGURATION_Handle *) cfg;
+  set_value = GNUNET_NO;
+  if (NULL == csv_separator)
+    csv_separator = "";
+  if (NULL != args[0])
+  {
+    if (1 != sscanf (args[0], "%llu", &set_val))
+    {
+      fprintf (stderr, _ ("Invalid argument `%s'\n"), args[0]);
+      ret = 1;
+      return;
+    }
+    set_value = GNUNET_YES;
+  }
+  if (NULL != remote_host)
+  {
+    if (0 == remote_port)
+    {
+      if (GNUNET_SYSERR ==
+          GNUNET_CONFIGURATION_get_value_number (cfg,
+                                                 "statistics",
+                                                 "PORT",
+                                                 &remote_port))
+      {
+        fprintf (stderr,
+                 _ ("A port is required to connect to host `%s'\n"),
+                 remote_host);
+        return;
+      }
+    }
+    else if (65535 <= remote_port)
+    {
+      fprintf (stderr,
+               _ (
+                 "A port has to be between 1 and 65535 to connect to host `%s'\n"),
+               remote_host);
+      return;
+    }
+
+    /* Manipulate configuration */
+    GNUNET_CONFIGURATION_set_value_string (c,
+                                           "statistics",
+                                           "UNIXPATH",
+                                           "");
+    GNUNET_CONFIGURATION_set_value_string (c,
+                                           "statistics",
+                                           "HOSTNAME",
+                                           remote_host);
+    GNUNET_CONFIGURATION_set_value_number (c,
+                                           "statistics",
+                                           "PORT",
+                                           remote_port);
+  }
+  if (NULL == path_testbed)
+  {
+    values = GNUNET_CONTAINER_multihashmap_create (1, GNUNET_NO);
+    GNUNET_array_grow (nodes, num_nodes, 1);
+    nodes[0].index_node = 0;
+    nodes[0].conf = c;
+    GNUNET_SCHEDULER_add_now (&main_task, &nodes[0].index_node);
+  }
+  else
+  {
+    if (GNUNET_YES == watch)
+    {
+      printf (
+        _ ("Not able to watch testbed nodes (yet - feel free to implement)\n"));
+      ret = 1;
+      return;
+    }
+    values = GNUNET_CONTAINER_multihashmap_create (4, GNUNET_NO);
+    if (-1 == discover_testbed_nodes (path_testbed))
+    {
+      return;
+    }
+    /* For each config/node collect statistics */
+    for (unsigned i = 0; i < num_nodes; i++)
+    {
+      GNUNET_SCHEDULER_add_now (&main_task, &nodes[i].index_node);
+    }
+  }
+}
+
+
+/**
+ * The main function to obtain statistics in GNUnet.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc, char *const *argv)
+{
+  struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_option_string ('n',
+                                 "name",
+                                 "NAME",
+                                 gettext_noop (
+                                   "limit output to statistics for the given NAME"),
+                                 &name),
+    GNUNET_GETOPT_option_flag ('p',
+                               "persistent",
+                               gettext_noop (
+                                 "make the value being set persistent"),
+                               &persistent),
+    GNUNET_GETOPT_option_string ('s',
+                                 "subsystem",
+                                 "SUBSYSTEM",
+                                 gettext_noop (
+                                   "limit output to the given SUBSYSTEM"),
+                                 &subsystem),
+    GNUNET_GETOPT_option_string ('S',
+                                 "csv-separator",
+                                 "CSV_SEPARATOR",
+                                 gettext_noop ("use as csv separator"),
+                                 &csv_separator),
+    GNUNET_GETOPT_option_filename ('t',
+                                   "testbed",
+                                   "TESTBED",
+                                   gettext_noop (
+                                     "path to the folder containing the testbed data"),
+                                   &path_testbed),
+    GNUNET_GETOPT_option_flag ('q',
+                               "quiet",
+                               gettext_noop (
+                                 "just print the statistics value"),
+                               &quiet),
+    GNUNET_GETOPT_option_flag ('w',
+                               "watch",
+                               gettext_noop ("watch value continuously"),
+                               &watch),
+    GNUNET_GETOPT_option_string ('r',
+                                 "remote",
+                                 "REMOTE",
+                                 gettext_noop ("connect to remote host"),
+                                 &remote_host),
+    GNUNET_GETOPT_option_ulong ('o',
+                                "port",
+                                "PORT",
+                                gettext_noop ("port for remote host"),
+                                &remote_port),
+    GNUNET_GETOPT_OPTION_END
+  };
+
+  remote_port = 0;
+  remote_host = NULL;
+  if (GNUNET_OK !=
+      GNUNET_STRINGS_get_utf8_args (argc, argv,
+                                    &argc, &argv))
+    return 2;
+
+  ret = (GNUNET_OK ==
+         GNUNET_PROGRAM_run (argc,
+                             argv,
+                             "gnunet-statistics [options [value]]",
+                             gettext_noop (
+                               "Print statistics about GNUnet operations."),
+                             options,
+                             &run,
+                             NULL))
+        ? ret
+        : 1;
+  GNUNET_array_grow (nodes,
+                     num_nodes,
+                     0);
+  GNUNET_free (remote_host);
+  GNUNET_free_nz ((void *) argv);
+  return ret;
+}
+
+
+/* end of gnunet-statistics.c */
diff --git a/src/cli/statistics/meson.build b/src/cli/statistics/meson.build
new file mode 100644
index 000000000..ea0af10c7
--- /dev/null
+++ b/src/cli/statistics/meson.build
@@ -0,0 +1,8 @@
+executable ('gnunet-statistics',
+            ['gnunet-statistics.c'],
+            dependencies: [libgnunetstatistics_dep, libgnunetutil_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+
+
diff --git a/src/cli/util/.gitignore b/src/cli/util/.gitignore
new file mode 100644
index 000000000..9e045f16f
--- /dev/null
+++ b/src/cli/util/.gitignore
@@ -0,0 +1,10 @@
+gnunet-config
+gnunet-config-diff
+gnunet-crypto-tvg
+gnunet-ecc
+gnunet-qr
+gnunet-resolver
+gnunet-scrypt
+gnunet-uri
+gnunet-base32
+gnunet-timeout
diff --git a/src/cli/util/Makefile.am b/src/cli/util/Makefile.am
new file mode 100644
index 000000000..cac477e13
--- /dev/null
+++ b/src/cli/util/Makefile.am
@@ -0,0 +1,108 @@
+# This Makefile.am is in the public domain
+AM_CPPFLAGS = -I$(top_srcdir)/src/include
+
+plugindir = $(libdir)/gnunet
+
+libexecdir= $(pkglibdir)/libexec/
+
+pkgcfgdir= $(pkgdatadir)/config.d/
+
+if USE_COVERAGE
+  AM_CFLAGS = --coverage -O0
+  XLIB = -lgcov
+endif
+
+gnunet_config_diff_SOURCES = \
+ gnunet-config-diff.c
+gnunet_config_diff_LDADD = \
+ $(top_builddir)/src/lib/util/libgnunetutil.la
+
+GNUNET_ECC = gnunet-ecc
+GNUNET_SCRYPT = gnunet-scrypt
+
+libexec_PROGRAMS = \
+ gnunet-timeout
+
+bin_PROGRAMS = \
+ gnunet-base32 \
+ gnunet-config \
+ gnunet-resolver \
+ $(GNUNET_ECC) \
+ $(GNUNET_SCRYPT) \
+ gnunet-uri
+if HAVE_ZBAR
+bin_PROGRAMS += gnunet-qr
+endif
+
+noinst_PROGRAMS = \
+ gnunet-config-diff \
+ gnunet-crypto-tvg
+
+if ENABLE_TEST_RUN
+AM_TESTS_ENVIRONMENT=export GNUNET_PREFIX=$${GNUNET_PREFIX:-@libdir@};export PATH=$${GNUNET_PREFIX:-@prefix@}/bin:$$PATH;unset XDG_DATA_HOME;unset XDG_CONFIG_HOME;
+TESTS = $(check_PROGRAMS) $(check_SCRIPTS)
+endif
+
+gnunet_timeout_SOURCES = \
+ gnunet-timeout.c
+
+gnunet_resolver_SOURCES = \
+ gnunet-resolver.c
+gnunet_resolver_LDADD = \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(GN_LIBINTL)
+
+gnunet_crypto_tvg_SOURCES = \
+ gnunet-crypto-tvg.c
+gnunet_crypto_tvg_LDADD = \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(GN_LIBINTL) -lgcrypt -ljansson
+
+gnunet_ecc_SOURCES = \
+ gnunet-ecc.c
+gnunet_ecc_LDADD = \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(GN_LIBINTL) -lgcrypt
+
+gnunet_base32_SOURCES = \
+ gnunet-base32.c
+gnunet_base32_LDADD = \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(GN_LIBINTL)
+
+gnunet_scrypt_SOURCES = \
+ gnunet-scrypt.c
+gnunet_scrypt_LDADD = \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(GN_LIBINTL) -lgcrypt
+
+
+gnunet_config_SOURCES = \
+ gnunet-config.c
+gnunet_config_LDADD = \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(GN_LIBINTL)
+
+gnunet_uri_SOURCES = \
+ gnunet-uri.c
+gnunet_uri_LDADD = \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(GN_LIBINTL)
+
+
+gnunet_qr_SOURCES = \
+  gnunet-qr.c
+gnunet_qr_LDADD = \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(GN_LIBINTL)
+gnunet_qr_LDFLAGS= -lzbar
+if HAVE_PNG
+gnunet_qr_LDFLAGS += -lpng
+endif
+
+check_SCRIPTS = \
+ test_crypto_vectors.sh
+
+EXTRA_DIST = \
+  test_crypto_vectors.sh \
+  crypto-test-vectors.json
diff --git a/src/cli/util/crypto-test-vectors.json b/src/cli/util/crypto-test-vectors.json
new file mode 100644
index 000000000..972b62c3e
--- /dev/null
+++ b/src/cli/util/crypto-test-vectors.json
@@ -0,0 +1,56 @@
+{
+  "encoding": "base32crockford",
+  "producer": "GNUnet 0.14.0 git-64ad3b0a1",
+  "vectors": [
+    {
+      "operation": "hash",
+      "input": "91JPRV3F5GG4EKJNDSJQ8",
+      "output": "D0R24RZ1TPASVQ2NY56CT8AJDYZE9ZGDB0GVZ05E9D4YGZQW2RC5YFPQ0Q86EPW836DY7VYQTNFFJT3ZR2K508F4JVS5JNJKYN2MMFR"
+    },
+    {
+      "operation": "ecc_ecdh",
+      "priv1": "TFA439C75RT2JK9V6GTRRXH3QR3QC4SVJ1KBQ4MNY3S338GT6T50",
+      "pub1": "E19WJDA83485BC8EC8RV7FTAK86BESJG1YNYRENEC0JV7XEZ7M80",
+      "priv2": "2DT3B0TMY6VVP56YZKG5ASRSQAEV0GB4QMT9N6CTPDARNJ905APG",
+      "skm": "GY63DCHR6BGV2AKDM44V7A4H4DA0WJC7D5C2R7DXTWC9D83H7XM0PEQKKZ1K2HWMWBSBNPDWXDN7PA1R1WJKVQ2RDTNF1PBXCFHM9QR"
+    },
+    {
+      "operation": "eddsa_key_derivation",
+      "priv": "8QC2VNF8443S5KPNKMB4XMV58BTHWAKZ7SVW5WG3KRB37567XS90",
+      "pub": "3M9KK1WSNM1RTY5P72HKFA264V4B7MVHVJ08Y90CV06DYHV8XPP0"
+    },
+    {
+      "operation": "eddsa_signing",
+      "priv": "5077XJR9AMH4T97ACKFBVBJD0KFENHPV66B2Y1JBSKXBJKNZJ4E0",
+      "pub": "6E2F03JJ8AEDANTTZZ4SBZDFEEZSF8A9DVGTS6VFBCVZQYQ46RRG",
+      "data": "00000300000000000000",
+      "sig": "XCNJGJ96WPDH60YVMH6C74NGQSGJE3BC1TYMGX6BHY5DMZZZKTB373QTXJ507K5EBSG9YS2EYKHCX3ATRQ6P5MY9MXC4ZB1XSZ2X23G"
+    },
+    {
+      "operation": "kdf",
+      "salt": "94KPT83PCNS7J83KC5P78Y8",
+      "ikm": "94KPT83MD1JJ0WV5CDS6AX10D5Q70XBM41NPAY90DNGQ8SBJD5GPR",
+      "ctx": "94KPT83141HPYVKMCNW78833D1TPWTSC41GPRWVF41NPWVVQDRG62WS04XMPWSKF4WG6JVH0EHM6A82J8S1G",
+      "out_len %u\n": 64,
+      "out": "GTMR4QT05Z9WF5HKVG0WK9RPXGHSMHJNW377G9GJXCA8B0FEKPF4D27RJMSJZYWSQNTBJ5EYVV7ZW18B48Z0JVJJ80RHB706Y96Q358"
+    },
+    {
+      "operation": "eddsa_ecdh",
+      "priv_ecdhe": "5FBRFZY942H2PD96NFNYWZKYXCRFY11JWQ59V7G9B4M8EX1KE100",
+      "pub_ecdhe": "GDX7FC01AZYMG0BY0AMHR6E7KCGX9F6SWES16WZ1QWZ2VSYXKH00",
+      "priv_eddsa": "3HYHM9DZQ3D61APDQNBCSKJE452YEP6JK01DWR1J3VZAASFEA570",
+      "pub_eddsa": "87N7PFAHBX97HRE8XYW8KYN64YZDF4FCBR2BZ5SZN3QE3D2BF0R0",
+      "key_material": "QH0RAXXC9RYDEAXKNTAWM0WXJS25RS67H5T252EGA22RA6JTYRFDAEK8CJY85QSYWGYHQXK5Y1SWSRB3P0NXNXYP237EXMXQ3P2WE00"
+    },
+    {
+      "operation": "rsa_blind_signing",
+      "message_hash": "XKQMJ4CNTXBFE1V2WR6JS063J7PZQE4XMB5JH3RS5X0THQ1JQSQ69Y7KDBC9TYRJEZH48MEPY2SF4QHQ4VHXC0YQX5935MQEGP0AX6R",
+      "rsa_public_key": "040000YRN1NVJ68RS6RJF52PGRCQG19ZKWQPSTJX2G7ZDCKSZFE2VW3HHA81YF5C639JHJF5TX8YTEE2FW2WQCG1PTKNBSPPJEJGA032CN3E8QZ27VWY0K6JFT8ZSYWRH2SKDMXW56A4QKY46JJBWJ6T0ZRVBW6S1HTHXVE2RW8MXRW5T801077MDY13N5F8Z1JZVKBJ06TK3S0YPEDBXK0VEHRHEQJ5X5XYKR4KQTFAZNBMKXY8836VCHBXTK4YNX6AJ1CK29SMJH3Z3QRM16A2TNQGFR0HSMV446BF7FMT2E379ZAT5ST4G3BM2NWZYW545S2SW5MG5S6M88XZZ7SKFD48YVXNZ205GGSEYJPVBMR76WG4ZG30WBCPC1N54XE12RMAG81D8C09WG22PKGGDHYXX68N04002",
+      "rsa_private_key": "50W3MTV5F4PP8RBMC4520A1H60X70XB2DHMP6BBBCNWGM81050SKMWKKC452081050RKMVHJ6MVKM06RN1NVJ68RS6RJF52PGRCQG19ZKWQPSTJX2G7ZDCKSZFE2VW3HHA81YF5C639JHJF5TX8YTEE2FW2WQCG1PTKNBSPPJEJGA032CN3E8QZ27VWY0K6JFT8ZSYWRH2SKDMXW56A4QKY46JJBWJ6T0ZRVBW6S1HTHXVE2RW8MXRW5T801077MDY13N5F8Z1JZVKBJ06TK3S0YPEDBXK0VEHRHEQJ5X5XYKR4KQTFAZNBMKXY8836VCHBXTK4YNX6AJ1CK29SMJH3Z3QRM16A2TNQGFR0HSMV446BF7FMT2E379ZAT5ST4G3BM2NWZYW545S2SW5MG5S6M88XZZ7SKFD48YVXNZ205GGSEYJPVBMR76WG4ZG30WBCPC1N54XE12RMAG81D8C09WG22PKGGDHYXX68N5452081050RKMS9K780G009918G2081918G20A8A40M32C9TE1S6JXK1EHJJTTV5F45208186CX74WV118G2081864X6WCHN6WX01P58DEWHJ669P4KS8NM635W0AFWZ5XPEMQ8M1ZVB4YFVVGPZ0WCAJ0FKSB1GTCMCKSEQA7PKKGKZ0Q5V40DPMXAYDNMKMM2G0RK58VJ5ZRHYZ7G4SMKYJ7YFQ648PCVD7F19JH5WZH1MMJZ4HPG7Y6TZ1P8CEMFEVGP7257E71EJ0081SX3FG8X9BT7RCQYWTWG1PMRY87NKKAZCR6VME4BNWHF9FFMY14XYKTQXAX4ZFJ20SPV4AZEMS7NF9JMGB4RJED4M8ZRXY509JGPNDW3Y04ED6S11JVSVX6GKGSTFTPHEEH40TX0NF7ZQ191E8PF1D41E9N227FZSYCVV927PZDFRG1C46BQMNPTX61SQ417W0R72V5K0D997BG8P52M20BA302F40GNMW43CFQF9J59918G2081864X6ACST04002A8A40G20A1H79J34D9P78SBPDS45EQZVX2D6R1GZ6FHKHDG4ABYZ6FCPSMMGZ29ZY5NS8B304D0QBD800A5SM3D8S92WKS3KFWFXE8X597TNJBR94BGNCFHY8TV63KQZ0RFMRTPHFA2XNFX2V4KECZNTHGKZNJTWH8051XP6FJJ6700A5KWMH24CK1KF9XVH2ATQJ4F1ZJZQM00A00ESTVKM5N58K5FN5TW34B1H1Q1CWRZXJ9QMBG0QKHXHZMFYZSN9ERV59935716NGSX9GBB3R9BY32TBTAJ7K0N391ATSE5263X5NKVDH7XCF1PF0WRTTJYBAJBQWVGJ8P7RGVWB27Q3S4AJJ55FS2T9K341EHATHJZQQTR0JWP5E4NQHR4GN60QMK2SY0VJM56N0NHJXRGAGJW3S9ABJ7M4TAV6YRJJ2H040G2GC9TE0RK4E9T03CET00DAJDXJ1NF511J69JMDDSVARPSFSS6AJTRMVXD10NVA4Z162ER74WNH0J6H2RTA9C9MZM4TEBP8P7AF0NANBH4XZJCNDZV7BEAMJ6R363GHZKGBR0HH1SATGWNJWGW2961MRFPX7S0RJK7CWYE7EX1XQ2683TENRPDKV29D1F1RNDD6P04MZTKSH5YMEZPKGEDRJZXXM9918G2081864X72C9J74X01ZXF256C681JDWRRG7T4AC9JRHP54YM65X9AT17YGC3G4569ZKBQEZ219Y7JG4V10F4AW7Q1XKGPTW3Y3X0WCTB06HM249Q094VHEYD4BTEQ2DF334W8G3VEB7N1CHCMPZEVVTR0XWQSNV6MBJRF5MBY6Z148YA36YA61EXA28PHE3KSN1M4HVF7B06JD736TSK9GC9CAG8F0MMGM81040M32EKN64S3JEG0YCC3PHPNBZAGQ2WE8HJHM28B049N2MQ94G8VPXNHG43C6ADB44DE1DK8ASMYTSXZWMAYKN1SS2GVFTVH8Q4N3TTJ3BKA61Y93QE17XNRF3S0CSSQTY3SVVAFHDA9APFFSMRYD67N4DXQ1X42NA270VF6H0MCRQ87JKVBQAB0CH2WH7RHYMCQ4KN50M2NEFE1YA6F2N2DG7Z9JA8A40G20A8A40G2J2H054500",
+      "blinding_key_secret": "3SWF49XZPHQMENTSBZQR7Z0B8ZSZ2JRARE79Q4VXZMQ7W6QABXMG",
+      "blinded_message": "3KHKZJZ30ABB4E56MA2V0EQWGCWH0QQG9P2ZHYHR186C5HZXJMM4N9WXAQTKS94QSV9Y17GGNXN5MB1PZZFG7Q0FY88QPKKRG4MYCPSMTZK5W59R0MJVNJ4P4AQM96TDG5W7RV8GSNR1QQZ1GNHW3CX6D6ZRTMXB2NKB5SSYTDJS79F5ZFBRZ4HVED9JBBPWSR79KVV5QQ4APBGHBCKGMF9NJJS53A1BVYHDEVYAGFYF2SNEP827ZP50FKJ5GKGV8NQ15ESEZ69AT7GJG0T3TZVENY2YN9CVR98W3BKEZ53J7VTANARG8SJS8AMJQ7S23P5HRJ7XE9KTNRNXKH49MXV9JHHYE5535N7AGWEKR47SBCGNF44Z7XJ9RV5BQV12ZRJKN4HBZQHDNCMH3QKX9Z6G64",
+      "blinded_sig": "ND1V807BK0G73SDXN582BP3Q21MWF4A76EGWD0KA3XGJAWPSVHNHKA44931ZRB9M76SYAFD8ZPTG3A7FH5G2CWGX76VXTCDX5XNRW7EEBNMPDAQ0ZEKF6AHP872SKCGRH89SK4NGC57M8BRA3ZRPDDT9XCBG3XY02VQH4Z0F39DPBS48K0EBMK7B9S3X6QDNR5ND5MV0G7G7T3VPKZRW94MQBKPY1T6K53MQGG4PV81D9YEWNRM3WE04NNQREYDA5ETVDWQ5ZCYV9HF4ZCMWVVGWDBDH732JA3NKZ2B8QK0E6XS0Y4GGGQJS6HFQ4PATGK3TS5GHJEPDF3A6XAFNJQV99CSJW7V1NC504NTQ5NJ8KAVC1758MBBV3SS2BND4YHF0Y4NWJNVH3STV166YWFKR8W",
+      "sig": "EC5MVSPGQMM96N2VT4R2G5104E61V8RY4PR6AK9F614TVVEN7D152T0DP97CDTRDDSQGBV4GZWXQPM90SW30R2RAKKHNDCXHQFAMRSW1XCBEKVKBGC6FP0AQY9S37NVR01VJ2WVX8PN29H2ZFFQBQ9JK96GTJZ3B7DD583S8Y93GH5KWEM41CZJ73QCRT1A2AGVXX5ACFR0T448MC81QB4EGCKP5Z96VCX6RPDD5S9A4295M0E9PPQJCN5G5JKWKG17HWEDF4A26ZMD8YW27EQBZ69GSEZX4PWEV7AXFGG5X0RPKCQEPCX7XDY6NXJ1E2FZBX259RDRCFNDAZS80T0DHD9NVE73QDDESZYEZTM1TM669GHPN8AF4QV8DNW7SFZZKJ67FWR8CZC0PWTEN4ZPTRM"
+    }
+  ]
+}
diff --git a/src/cli/util/gnunet-base32.c b/src/cli/util/gnunet-base32.c
new file mode 100644
index 000000000..209741740
--- /dev/null
+++ b/src/cli/util/gnunet-base32.c
@@ -0,0 +1,155 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2021 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @file util/gnunet-base32.c
+ * @brief tool to encode/decode from/to the Crockford Base32 encoding GNUnet uses
+ * @author Christian Grothoff
+ */
+
+#include "platform.h"
+#include "gnunet_util_lib.h"
+
+
+/**
+ * The main function of gnunet-base32
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc,
+      char *const *argv)
+{
+  int decode = 0;
+  const struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_option_flag ('d',
+                               "decode",
+                               gettext_noop (
+                                 "run decoder modus, otherwise runs as encoder"),
+                               &decode),
+    GNUNET_GETOPT_option_help ("Crockford base32 encoder/decoder"),
+    GNUNET_GETOPT_option_version (PACKAGE_VERSION),
+    GNUNET_GETOPT_OPTION_END
+  };
+  int ret;
+  char *in;
+  unsigned int in_size;
+  ssize_t iret;
+  char *out;
+  size_t out_size;
+
+  if (GNUNET_OK !=
+      GNUNET_STRINGS_get_utf8_args (argc, argv,
+                                    &argc, &argv))
+    return 2;
+  ret = GNUNET_GETOPT_run ("gnunet-base32",
+                           options,
+                           argc,
+                           argv);
+  if (ret < 0)
+    return 1;
+  if (0 == ret)
+    return 0;
+  in_size = 0;
+  in = NULL;
+  iret = 1;
+  while (iret > 0)
+  {
+    /* read in blocks of 4k */
+    char buf[4092];
+
+    iret = read (0,
+                 buf,
+                 sizeof (buf));
+    if (iret < 0)
+    {
+      GNUNET_free (in);
+      return 2;
+    }
+    if (iret > 0)
+    {
+      if (iret + in_size < in_size)
+      {
+        GNUNET_break (0);
+        GNUNET_free (in);
+        return 1;
+      }
+      GNUNET_array_grow (in,
+                         in_size,
+                         in_size + iret);
+      memcpy (&in[in_size - iret],
+              buf,
+              iret);
+    }
+  }
+  if (decode)
+  {
+    /* This formula can overestimate by 1 byte, so we try both
+       out_size and out_size-1 below */
+    out_size = in_size * 5 / 8;
+    out = GNUNET_malloc (out_size);
+    if ( (GNUNET_OK !=
+          GNUNET_STRINGS_string_to_data (in,
+                                         in_size,
+                                         out,
+                                         out_size)) &&
+         (out_size > 0) )
+    {
+      out_size--;
+      if (GNUNET_OK !=
+          GNUNET_STRINGS_string_to_data (in,
+                                         in_size,
+                                         out,
+                                         out_size))
+      {
+        GNUNET_free (out);
+        GNUNET_free (in);
+        return 3;
+      }
+    }
+  }
+  else
+  {
+    out = GNUNET_STRINGS_data_to_string_alloc (in,
+                                               in_size);
+    out_size = strlen (out);
+  }
+  {
+    size_t pos = 0;
+
+    while (pos < out_size)
+    {
+      iret = write (1,
+                    &out[pos],
+                    out_size - pos);
+      if (iret <= 0)
+        return 4;
+      pos += iret;
+    }
+  }
+  GNUNET_free (out);
+  GNUNET_free_nz ((void *) argv);
+  return 0;
+}
+
+
+/* end of gnunet-uri.c */
diff --git a/src/cli/util/gnunet-config-diff.c b/src/cli/util/gnunet-config-diff.c
new file mode 100644
index 000000000..e1e3ffd5d
--- /dev/null
+++ b/src/cli/util/gnunet-config-diff.c
@@ -0,0 +1,24 @@
+
+#include "platform.h"
+#include <gnunet_util_lib.h>
+
+int
+main (int argc, char **argv)
+{
+  struct GNUNET_CONFIGURATION_Handle *i1;
+  struct GNUNET_CONFIGURATION_Handle *i2;
+
+  if (argc != 3)
+  {
+    fprintf (stderr, "Invoke using `%s DEFAULTS-IN DIFFS'\n", argv[0]);
+    return 1;
+  }
+  i1 = GNUNET_CONFIGURATION_create ();
+  i2 = GNUNET_CONFIGURATION_create ();
+  if ((GNUNET_OK != GNUNET_CONFIGURATION_load (i1, argv[1])) ||
+      (GNUNET_OK != GNUNET_CONFIGURATION_load (i2, argv[2])))
+    return 1;
+  if (GNUNET_OK != GNUNET_CONFIGURATION_write_diffs (i1, i2, argv[2]))
+    return 2;
+  return 0;
+}
diff --git a/src/cli/util/gnunet-config.c b/src/cli/util/gnunet-config.c
new file mode 100644
index 000000000..714c683dd
--- /dev/null
+++ b/src/cli/util/gnunet-config.c
@@ -0,0 +1,206 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2012-2021 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @file util/gnunet-config.c
+ * @brief tool to access and manipulate GNUnet configuration files
+ * @author Christian Grothoff
+ */
+
+#include "platform.h"
+#include "gnunet_util_lib.h"
+
+
+/**
+ * Backend to check if the respective plugin is
+ * loadable. NULL if no check is to be performed.
+ * The value is the "basename" of the plugin to load.
+ */
+static char *backend_check;
+
+
+/**
+ * If printing the value of CFLAGS has been requested.
+ */
+static int cflags;
+
+/**
+ * Check if this is an experimental build
+ */
+static int is_experimental;
+
+
+/**
+ * If printing the value of LIBS has been requested.
+ */
+static int libs;
+
+
+/**
+ * If printing the value of PREFIX has been requested.
+ */
+static int prefix;
+
+
+/**
+ * Print each option in a given section.
+ * Main task to run to perform operations typical for
+ * gnunet-config as per the configuration settings
+ * given in @a cls.
+ *
+ * @param cls closure with the `struct GNUNET_CONFIGURATION_ConfigSettings`
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving,
+ *                                                     can be NULL!)
+ * @param cfg configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  struct GNUNET_CONFIGURATION_ConfigSettings *cs = cls;
+
+  if (1 == is_experimental)
+  {
+#ifdef GNUNET_EXPERIMENTAL
+    cs->global_ret = 0;
+#else
+    cs->global_ret = 1;
+#endif
+    return;
+  }
+  if (1 == cflags || 1 == libs || 1 == prefix)
+  {
+    char *prefixdir = GNUNET_OS_installation_get_path (GNUNET_OS_IPK_PREFIX);
+    char *libdir = GNUNET_OS_installation_get_path (GNUNET_OS_IPK_LIBDIR);
+
+    if (1 == cflags)
+    {
+      fprintf (stdout, "-I%sinclude\n", prefixdir);
+    }
+    if (1 == libs)
+    {
+      fprintf (stdout, "-L%s -lgnunetutil\n", libdir);
+    }
+    if (1 == prefix)
+    {
+      fprintf (stdout, "%s\n", prefixdir);
+    }
+    cs->global_ret = 0;
+    GNUNET_free (prefixdir);
+    GNUNET_free (libdir);
+    return;
+  }
+  if (NULL != backend_check)
+  {
+    char *name;
+
+    GNUNET_asprintf (&name,
+                     "libgnunet_plugin_%s",
+                     backend_check);
+    cs->global_ret = (GNUNET_OK ==
+                      GNUNET_PLUGIN_test (name)) ? 0 : 77;
+    GNUNET_free (name);
+    return;
+  }
+  GNUNET_CONFIGURATION_config_tool_run (cs,
+                                        args,
+                                        cfgfile,
+                                        cfg);
+}
+
+
+/**
+ * Program to manipulate configuration files.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc,
+      char *const *argv)
+{
+  struct GNUNET_CONFIGURATION_ConfigSettings cs = {
+    .api_version = GNUNET_UTIL_VERSION,
+    .global_ret = EXIT_SUCCESS
+  };
+  struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_option_exclusive (
+      GNUNET_GETOPT_option_string (
+        'b',
+        "supported-backend",
+        "BACKEND",
+        gettext_noop (
+          "test if the current installation supports the specified BACKEND"),
+        &backend_check)),
+    GNUNET_GETOPT_option_flag (
+      'C',
+      "cflags",
+      gettext_noop (
+        "Provide an appropriate value for CFLAGS to applications building on top of GNUnet"),
+      &cflags),
+    GNUNET_GETOPT_option_flag (
+      'E',
+      "is-experimental",
+      gettext_noop ("Is this an experimental build of GNUnet"),
+      &is_experimental),
+    GNUNET_GETOPT_option_flag (
+      'j',
+      "libs",
+      gettext_noop (
+        "Provide an appropriate value for LIBS to applications building on top of GNUnet"),
+      &libs),
+    GNUNET_GETOPT_option_flag (
+      'p',
+      "prefix",
+      gettext_noop (
+        "Provide the path under which GNUnet was installed"),
+      &prefix),
+    GNUNET_CONFIGURATION_CONFIG_OPTIONS (&cs),
+    GNUNET_GETOPT_OPTION_END
+  };
+  enum GNUNET_GenericReturnValue ret;
+
+  if (GNUNET_OK !=
+      GNUNET_STRINGS_get_utf8_args (argc, argv,
+                                    &argc, &argv))
+    return EXIT_FAILURE;
+  ret =
+    GNUNET_PROGRAM_run (argc,
+                        argv,
+                        "gnunet-config [OPTIONS]",
+                        gettext_noop ("Manipulate GNUnet configuration files"),
+                        options,
+                        &run,
+                        &cs);
+  GNUNET_free_nz ((void *) argv);
+  GNUNET_CONFIGURATION_config_settings_free (&cs);
+  if (GNUNET_NO == ret)
+    return 0;
+  if (GNUNET_SYSERR == ret)
+    return EXIT_INVALIDARGUMENT;
+  return cs.global_ret;
+}
+
+
+/* end of gnunet-config.c */
diff --git a/src/cli/util/gnunet-crypto-tvg.c b/src/cli/util/gnunet-crypto-tvg.c
new file mode 100644
index 000000000..721177eda
--- /dev/null
+++ b/src/cli/util/gnunet-crypto-tvg.c
@@ -0,0 +1,1608 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2020 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @file util/gnunet-crypto-tgv.c
+ * @brief Generate test vectors for cryptographic operations.
+ * @author Florian Dold
+ *
+ * Note that this program shouldn't depend on code in src/json/,
+ * so we're using raw jansson and no GNUnet JSON helpers.
+ *
+ * Test vectors have the following format (TypeScript pseudo code):
+ *
+ * interface TestVectorFile {
+ *   encoding: "base32crockford";
+ *   producer?: string;
+ *   vectors: TestVector[];
+ * }
+ *
+ * enum Operation {
+ *  Hash("hash"),
+ *  ...
+ * }
+ *
+ * interface TestVector {
+ *   operation: Operation;
+ *   // Inputs for the operation
+ *   [ k: string]: string | number;
+ * };
+ *
+ *
+ */
+
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include "gnunet_signatures.h"
+#include "gnunet_testing_lib.h"
+#include <jansson.h>
+#include <gcrypt.h>
+
+GNUNET_NETWORK_STRUCT_BEGIN
+
+/**
+ * Sample signature struct.
+ *
+ * Purpose is #GNUNET_SIGNATURE_PURPOSE_TEST
+ */
+struct TestSignatureDataPS
+{
+  struct GNUNET_CRYPTO_EccSignaturePurpose purpose;
+  uint32_t testval;
+};
+
+GNUNET_NETWORK_STRUCT_END
+
+
+/**
+ * Should we verify or output test vectors?
+ */
+static int verify_flag = GNUNET_NO;
+
+
+/**
+ * Global exit code.
+ */
+static int global_ret = 0;
+
+
+/**
+ * Create a fresh test vector for a given operation label.
+ *
+ * @param vecs array of vectors to append the new vector to
+ * @param vecname label for the operation of the vector
+ * @returns the fresh test vector
+ */
+static json_t *
+vec_for (json_t *vecs, const char *vecname)
+{
+  json_t *t = json_object ();
+
+  json_object_set_new (t,
+                       "operation",
+                       json_string (vecname));
+  json_array_append_new (vecs, t);
+  return t;
+}
+
+
+/**
+ * Add a base32crockford encoded value
+ * to a test vector.
+ *
+ * @param vec test vector to add to
+ * @param label label for the value
+ * @param data data to add
+ * @param size size of data
+ */
+static void
+d2j (json_t *vec,
+     const char *label,
+     const void *data,
+     size_t size)
+{
+  char *buf;
+  json_t *json;
+
+  buf = GNUNET_STRINGS_data_to_string_alloc (data, size);
+  json = json_string (buf);
+  GNUNET_free (buf);
+  GNUNET_break (NULL != json);
+
+  json_object_set_new (vec, label, json);
+}
+
+
+/**
+ * Add a number to a test vector.
+ *
+ * @param vec test vector to add to
+ * @param label label for the value
+ * @param data data to add
+ * @param size size of data
+ */
+static void
+uint2j (json_t *vec,
+        const char *label,
+        unsigned int num)
+{
+  json_t *json = json_integer (num);
+
+  json_object_set_new (vec, label, json);
+}
+
+
+static int
+expect_data_fixed (json_t *vec,
+                   const char *name,
+                   void *data,
+                   size_t expect_len)
+{
+  const char *s = json_string_value (json_object_get (vec, name));
+
+  if (NULL == s)
+    return GNUNET_NO;
+
+  if (GNUNET_OK != GNUNET_STRINGS_string_to_data (s,
+                                                  strlen (s),
+                                                  data,
+                                                  expect_len))
+    return GNUNET_NO;
+  return GNUNET_OK;
+}
+
+
+static int
+expect_data_dynamic (json_t *vec,
+                     const char *name,
+                     void **data,
+                     size_t *ret_len)
+{
+  const char *s = json_string_value (json_object_get (vec, name));
+  char *tmp;
+  size_t len;
+
+  if (NULL == s)
+    return GNUNET_NO;
+
+  len = (strlen (s) * 5) / 8;
+  if (NULL != ret_len)
+    *ret_len = len;
+  tmp = GNUNET_malloc (len);
+
+  if (GNUNET_OK != GNUNET_STRINGS_string_to_data (s, strlen (s), tmp, len))
+  {
+    GNUNET_free (tmp);
+    return GNUNET_NO;
+  }
+  *data = tmp;
+  return GNUNET_OK;
+}
+
+
+/**
+ * Check a single vector.
+ *
+ * @param operation operator of the vector
+ * @param vec the vector, a JSON object.
+ *
+ * @returns GNUNET_OK if the vector is okay
+ */
+static int
+checkvec (const char *operation,
+          json_t *vec)
+{
+  GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+              "checking %s\n", operation);
+
+  if (0 == strcmp (operation, "hash"))
+  {
+    void *data;
+    size_t data_len;
+    struct GNUNET_HashCode hash_out;
+    struct GNUNET_HashCode hc;
+
+    if (GNUNET_OK != expect_data_dynamic (vec,
+                                          "input",
+                                          &data,
+                                          &data_len))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "output",
+                                        &hash_out,
+                                        sizeof (hash_out)))
+    {
+      GNUNET_free (data);
+      GNUNET_break (0);
+      return GNUNET_NO;
+    }
+
+    GNUNET_CRYPTO_hash (data, data_len, &hc);
+
+    if (0 != GNUNET_memcmp (&hc, &hash_out))
+    {
+      GNUNET_free (data);
+      GNUNET_break (0);
+      return GNUNET_NO;
+    }
+    GNUNET_free (data);
+  }
+  else if (0 == strcmp (operation, "ecc_ecdh"))
+  {
+    struct GNUNET_CRYPTO_EcdhePrivateKey priv1;
+    struct GNUNET_CRYPTO_EcdhePublicKey pub1;
+    struct GNUNET_CRYPTO_EcdhePrivateKey priv2;
+    struct GNUNET_HashCode skm;
+    struct GNUNET_HashCode skm_comp;
+
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "priv1",
+                                        &priv1,
+                                        sizeof (priv1)))
+    {
+      GNUNET_break (0);
+      return GNUNET_NO;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "priv2",
+                                        &priv2,
+                                        sizeof (priv2)))
+    {
+      GNUNET_break (0);
+      return GNUNET_NO;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "pub1",
+                                        &pub1,
+                                        sizeof (pub1)))
+    {
+      GNUNET_break (0);
+      return GNUNET_NO;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "skm",
+                                        &skm,
+                                        sizeof (skm)))
+    {
+      GNUNET_break (0);
+      return GNUNET_NO;
+    }
+    GNUNET_assert (GNUNET_OK ==
+                   GNUNET_CRYPTO_ecc_ecdh (&priv2,
+                                           &pub1,
+                                           &skm_comp));
+    if (0 != GNUNET_memcmp (&skm, &skm_comp))
+    {
+      GNUNET_break (0);
+      return GNUNET_NO;
+    }
+  }
+  else if (0 == strcmp (operation, "eddsa_key_derivation"))
+  {
+    struct GNUNET_CRYPTO_EddsaPrivateKey priv;
+    struct GNUNET_CRYPTO_EddsaPublicKey pub;
+    struct GNUNET_CRYPTO_EddsaPublicKey pub_comp;
+
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "priv",
+                                        &priv,
+                                        sizeof (priv)))
+    {
+      GNUNET_break (0);
+      return GNUNET_NO;
+    }
+
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "pub",
+                                        &pub,
+                                        sizeof (pub)))
+    {
+      GNUNET_break (0);
+      return GNUNET_NO;
+    }
+
+    GNUNET_CRYPTO_eddsa_key_get_public (&priv,
+                                        &pub_comp);
+    if (0 != GNUNET_memcmp (&pub, &pub_comp))
+    {
+      GNUNET_break (0);
+      return GNUNET_NO;
+    }
+
+  }
+  else if (0 == strcmp (operation, "eddsa_signing"))
+  {
+    struct GNUNET_CRYPTO_EddsaPrivateKey priv;
+    struct GNUNET_CRYPTO_EddsaPublicKey pub;
+    struct TestSignatureDataPS data = { 0 };
+    struct GNUNET_CRYPTO_EddsaSignature sig;
+    struct GNUNET_CRYPTO_EddsaSignature sig_comp;
+
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "priv",
+                                        &priv,
+                                        sizeof (priv)))
+    {
+      GNUNET_break (0);
+      return GNUNET_NO;
+    }
+
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "pub",
+                                        &pub,
+                                        sizeof (pub)))
+    {
+      GNUNET_break (0);
+      return GNUNET_NO;
+    }
+
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "data",
+                                        &data,
+                                        sizeof (data)))
+    {
+      GNUNET_break (0);
+      return GNUNET_NO;
+    }
+
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "sig",
+                                        &sig,
+                                        sizeof (sig)))
+    {
+      GNUNET_break (0);
+      return GNUNET_NO;
+    }
+
+    GNUNET_CRYPTO_eddsa_sign (&priv,
+                              &data,
+                              &sig_comp);
+    GNUNET_assert (GNUNET_OK ==
+                   GNUNET_CRYPTO_eddsa_verify (GNUNET_SIGNATURE_PURPOSE_TEST,
+                                               &data,
+                                               &sig,
+                                               &pub));
+    if (0 != GNUNET_memcmp (&sig, &sig_comp))
+    {
+      GNUNET_break (0);
+      return GNUNET_NO;
+    }
+  }
+  else if (0 == strcmp (operation, "kdf"))
+  {
+    size_t out_len;
+    void *out;
+    size_t out_len_comp;
+    void *out_comp;
+    void *ikm;
+    size_t ikm_len;
+    void *salt;
+    size_t salt_len;
+    void *ctx;
+    size_t ctx_len;
+
+    if (GNUNET_OK != expect_data_dynamic (vec,
+                                          "out",
+                                          &out,
+                                          &out_len))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+
+    out_len_comp = out_len;
+    out_comp = GNUNET_malloc (out_len_comp);
+
+    if (GNUNET_OK != expect_data_dynamic (vec,
+                                          "ikm",
+                                          &ikm,
+                                          &ikm_len))
+    {
+      GNUNET_free (out);
+      GNUNET_free (out_comp);
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+
+    if (GNUNET_OK != expect_data_dynamic (vec,
+                                          "salt",
+                                          &salt,
+                                          &salt_len))
+    {
+      GNUNET_free (out);
+      GNUNET_free (out_comp);
+      GNUNET_free (ikm);
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+
+    if (GNUNET_OK != expect_data_dynamic (vec,
+                                          "ctx",
+                                          &ctx,
+                                          &ctx_len))
+    {
+      GNUNET_free (out);
+      GNUNET_free (out_comp);
+      GNUNET_free (ikm);
+      GNUNET_free (salt);
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+
+    GNUNET_assert (GNUNET_OK ==
+                   GNUNET_CRYPTO_kdf (out_comp,
+                                      out_len_comp,
+                                      salt,
+                                      salt_len,
+                                      ikm,
+                                      ikm_len,
+                                      ctx,
+                                      ctx_len,
+                                      NULL));
+
+    if (0 != memcmp (out, out_comp, out_len))
+    {
+      GNUNET_free (out);
+      GNUNET_free (out_comp);
+      GNUNET_free (ikm);
+      GNUNET_free (salt);
+      GNUNET_free (ctx);
+      GNUNET_break (0);
+      return GNUNET_NO;
+    }
+    GNUNET_free (out);
+    GNUNET_free (out_comp);
+    GNUNET_free (ikm);
+    GNUNET_free (salt);
+    GNUNET_free (ctx);
+  }
+  else if (0 == strcmp (operation, "eddsa_ecdh"))
+  {
+    struct GNUNET_CRYPTO_EcdhePrivateKey priv_ecdhe;
+    struct GNUNET_CRYPTO_EcdhePublicKey pub_ecdhe;
+    struct GNUNET_CRYPTO_EddsaPrivateKey priv_eddsa;
+    struct GNUNET_CRYPTO_EddsaPublicKey pub_eddsa;
+    struct GNUNET_HashCode key_material;
+    struct GNUNET_HashCode key_material_comp;
+
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "priv_ecdhe",
+                                        &priv_ecdhe,
+                                        sizeof (priv_ecdhe)))
+    {
+      GNUNET_break (0);
+      return GNUNET_NO;
+    }
+
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "pub_ecdhe",
+                                        &pub_ecdhe,
+                                        sizeof (pub_ecdhe)))
+    {
+      GNUNET_break (0);
+      return GNUNET_NO;
+    }
+
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "priv_eddsa",
+                                        &priv_eddsa,
+                                        sizeof (priv_eddsa)))
+    {
+      GNUNET_break (0);
+      return GNUNET_NO;
+    }
+
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "pub_eddsa",
+                                        &pub_eddsa,
+                                        sizeof (pub_eddsa)))
+    {
+      GNUNET_break (0);
+      return GNUNET_NO;
+    }
+
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "key_material",
+                                        &key_material,
+                                        sizeof (key_material)))
+    {
+      GNUNET_break (0);
+      return GNUNET_NO;
+    }
+
+    GNUNET_CRYPTO_ecdh_eddsa (&priv_ecdhe,
+                              &pub_eddsa,
+                              &key_material_comp);
+
+    if (0 != GNUNET_memcmp (&key_material,
+                            &key_material_comp))
+    {
+      GNUNET_break (0);
+      return GNUNET_NO;
+    }
+  }
+  else if (0 == strcmp (operation, "rsa_blind_signing"))
+  {
+    struct GNUNET_CRYPTO_RsaPrivateKey *skey;
+    struct GNUNET_CRYPTO_RsaPublicKey *pkey;
+    struct GNUNET_HashCode message_hash;
+    struct GNUNET_CRYPTO_RsaBlindingKeySecret bks;
+    struct GNUNET_CRYPTO_RsaSignature *blinded_sig;
+    struct GNUNET_CRYPTO_RsaSignature *sig;
+    struct GNUNET_CRYPTO_RsaBlindedMessage bm;
+    struct GNUNET_CRYPTO_RsaBlindedMessage bm_comp;
+    void *public_enc_data;
+    size_t public_enc_len;
+    void *secret_enc_data;
+    size_t secret_enc_len;
+    void *sig_enc_data;
+    size_t sig_enc_length;
+    void *sig_enc_data_comp;
+    size_t sig_enc_length_comp;
+
+    if (GNUNET_OK !=
+        expect_data_fixed (vec,
+                           "message_hash",
+                           &message_hash,
+                           sizeof (message_hash)))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+
+    if (GNUNET_OK !=
+        expect_data_fixed (vec,
+                           "blinding_key_secret",
+                           &bks,
+                           sizeof (bks)))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+
+    if (GNUNET_OK !=
+        expect_data_dynamic (vec,
+                             "blinded_message",
+                             &bm.blinded_msg,
+                             &bm.blinded_msg_size))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK !=
+        expect_data_dynamic (vec,
+                             "rsa_public_key",
+                             &public_enc_data,
+                             &public_enc_len))
+    {
+      GNUNET_CRYPTO_rsa_blinded_message_free (&bm);
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK !=
+        expect_data_dynamic (vec,
+                             "rsa_private_key",
+                             &secret_enc_data,
+                             &secret_enc_len))
+    {
+      GNUNET_CRYPTO_rsa_blinded_message_free (&bm);
+      GNUNET_free (public_enc_data);
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK !=
+        expect_data_dynamic (vec,
+                             "sig",
+                             &sig_enc_data,
+                             &sig_enc_length))
+    {
+      GNUNET_CRYPTO_rsa_blinded_message_free (&bm);
+      GNUNET_free (public_enc_data);
+      GNUNET_free (secret_enc_data);
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+
+    pkey = GNUNET_CRYPTO_rsa_public_key_decode (public_enc_data,
+                                                public_enc_len);
+    GNUNET_assert (NULL != pkey);
+    skey = GNUNET_CRYPTO_rsa_private_key_decode (secret_enc_data,
+                                                 secret_enc_len);
+    GNUNET_assert (NULL != skey);
+
+    GNUNET_assert (GNUNET_YES ==
+                   GNUNET_CRYPTO_rsa_blind (&message_hash,
+                                            sizeof (message_hash),
+                                            &bks,
+                                            pkey,
+                                            &bm_comp));
+    if ( (bm.blinded_msg_size !=
+          bm_comp.blinded_msg_size) ||
+         (0 != memcmp (bm.blinded_msg,
+                       bm_comp.blinded_msg,
+                       bm.blinded_msg_size)) )
+    {
+      GNUNET_CRYPTO_rsa_blinded_message_free (&bm);
+      GNUNET_CRYPTO_rsa_blinded_message_free (&bm_comp);
+      GNUNET_free (public_enc_data);
+      GNUNET_free (secret_enc_data);
+      GNUNET_free (sig_enc_data);
+      GNUNET_CRYPTO_rsa_private_key_free (skey);
+      GNUNET_CRYPTO_rsa_public_key_free (pkey);
+      GNUNET_break (0);
+      return GNUNET_NO;
+    }
+    blinded_sig = GNUNET_CRYPTO_rsa_sign_blinded (skey,
+                                                  &bm);
+    sig = GNUNET_CRYPTO_rsa_unblind (blinded_sig,
+                                     &bks,
+                                     pkey);
+    GNUNET_assert (GNUNET_YES ==
+                   GNUNET_CRYPTO_rsa_verify (&message_hash,
+                                             sizeof (message_hash),
+                                             sig,
+                                             pkey));
+    GNUNET_free (public_enc_data);
+    public_enc_len = GNUNET_CRYPTO_rsa_public_key_encode (pkey,
+                                                          &public_enc_data);
+    sig_enc_length_comp = GNUNET_CRYPTO_rsa_signature_encode (sig,
+                                                              &sig_enc_data_comp);
+
+    if ( (sig_enc_length != sig_enc_length_comp) ||
+         (0 != memcmp (sig_enc_data, sig_enc_data_comp, sig_enc_length) ))
+    {
+      GNUNET_CRYPTO_rsa_signature_free (blinded_sig);
+      GNUNET_CRYPTO_rsa_blinded_message_free (&bm);
+      GNUNET_CRYPTO_rsa_blinded_message_free (&bm_comp);
+      GNUNET_free (public_enc_data);
+      GNUNET_free (secret_enc_data);
+      GNUNET_free (sig_enc_data);
+      GNUNET_free (sig_enc_data_comp);
+      GNUNET_CRYPTO_rsa_private_key_free (skey);
+      GNUNET_CRYPTO_rsa_signature_free (sig);
+      GNUNET_CRYPTO_rsa_public_key_free (pkey);
+      GNUNET_break (0);
+      return GNUNET_NO;
+    }
+    GNUNET_CRYPTO_rsa_signature_free (blinded_sig);
+    GNUNET_CRYPTO_rsa_blinded_message_free (&bm);
+    GNUNET_CRYPTO_rsa_blinded_message_free (&bm_comp);
+    GNUNET_free (public_enc_data);
+    GNUNET_free (secret_enc_data);
+    GNUNET_free (sig_enc_data);
+    GNUNET_free (sig_enc_data_comp);
+    GNUNET_CRYPTO_rsa_signature_free (sig);
+    GNUNET_CRYPTO_rsa_public_key_free (pkey);
+    GNUNET_CRYPTO_rsa_private_key_free (skey);
+  }
+  else if (0 == strcmp (operation, "cs_blind_signing"))
+  {
+    struct GNUNET_CRYPTO_CsPrivateKey priv;
+    struct GNUNET_CRYPTO_CsPublicKey pub;
+    struct GNUNET_CRYPTO_CsBlindingSecret bs[2];
+    struct GNUNET_CRYPTO_CsRSecret r_priv[2];
+    struct GNUNET_CRYPTO_CsRPublic r_pub[2];
+    struct GNUNET_CRYPTO_CSPublicRPairP r_pub_blind;
+    struct GNUNET_CRYPTO_CsC c[2];
+    struct GNUNET_CRYPTO_CsS signature_scalar;
+    struct GNUNET_CRYPTO_CsBlindS blinded_s;
+    struct GNUNET_CRYPTO_CsSignature sig;
+    struct GNUNET_CRYPTO_CsSessionNonce snonce;
+    struct GNUNET_CRYPTO_CsBlindingNonce bnonce;
+    struct GNUNET_HashCode message_hash;
+    unsigned int b;
+
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "message_hash",
+                                        &message_hash,
+                                        sizeof (message_hash)))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "cs_public_key",
+                                        &pub,
+                                        sizeof (pub)))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+
+    if (GNUNET_OK !=
+        expect_data_fixed (vec,
+                           "cs_private_key",
+                           &priv,
+                           sizeof (priv)))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK !=
+        expect_data_fixed (vec,
+                           "cs_nonce",
+                           &snonce,
+                           sizeof (snonce)))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    /* historically, the tvg used the same nonce for
+       both, which is HORRIBLE for production, but
+       maybe OK for TVG... */
+    memcpy (&bnonce,
+            &snonce,
+            sizeof (snonce));
+    if (GNUNET_OK !=
+        expect_data_fixed (vec,
+                           "cs_r_priv_0",
+                           &r_priv[0],
+                           sizeof (r_priv[0])))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "cs_r_priv_1",
+                                        &r_priv[1],
+                                        sizeof (r_priv[1])))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "cs_r_pub_0",
+                                        &r_pub[0],
+                                        sizeof (r_pub[0])))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "cs_r_pub_1",
+                                        &r_pub[1],
+                                        sizeof (r_pub[1])))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "cs_bs_alpha_0",
+                                        &bs[0].alpha,
+                                        sizeof (bs[0].alpha)))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "cs_bs_alpha_1",
+                                        &bs[1].alpha,
+                                        sizeof (bs[1].alpha)))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "cs_bs_beta_0",
+                                        &bs[0].beta,
+                                        sizeof (bs[0].beta)))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK !=
+        expect_data_fixed (vec,
+                           "cs_bs_beta_1",
+                           &bs[1].beta,
+                           sizeof (bs[1].beta)))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK !=
+        expect_data_fixed (vec,
+                           "cs_r_pub_blind_0",
+                           &r_pub_blind.r_pub[0],
+                           sizeof (r_pub_blind.r_pub[0])))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK !=
+        expect_data_fixed (vec,
+                           "cs_r_pub_blind_1",
+                           &r_pub_blind.r_pub[1],
+                           sizeof (r_pub_blind.r_pub[1])))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK !=
+        expect_data_fixed (vec,
+                           "cs_c_0",
+                           &c[0],
+                           sizeof (c[0])))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "cs_c_1",
+                                        &c[1],
+                                        sizeof (c[1])))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "cs_blind_s",
+                                        &blinded_s,
+                                        sizeof (blinded_s)))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "cs_b",
+                                        &b,
+                                        sizeof (b)))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "cs_sig_s",
+                                        &signature_scalar,
+                                        sizeof (signature_scalar)))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    sig.s_scalar = signature_scalar;
+    if (GNUNET_OK != expect_data_fixed (vec,
+                                        "cs_sig_R",
+                                        &sig.r_point,
+                                        sizeof (sig.r_point)))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+
+    if ((b != 1) && (b != 0))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+
+    struct GNUNET_CRYPTO_CsRSecret r_priv_comp[2];
+    struct GNUNET_CRYPTO_CsRPublic r_pub_comp[2];
+    struct GNUNET_CRYPTO_CsBlindingSecret bs_comp[2];
+    struct GNUNET_CRYPTO_CsC c_comp[2];
+    struct GNUNET_CRYPTO_CSPublicRPairP r_pub_blind_comp;
+    struct GNUNET_CRYPTO_CsBlindSignature blinded_s_comp;
+    struct GNUNET_CRYPTO_CsS signature_scalar_comp;
+    struct GNUNET_CRYPTO_CsSignature sig_comp;
+
+    GNUNET_CRYPTO_cs_r_derive (&snonce,
+                               "rw",
+                               &priv,
+                               r_priv_comp);
+    GNUNET_CRYPTO_cs_r_get_public (&r_priv_comp[0],
+                                   &r_pub_comp[0]);
+    GNUNET_CRYPTO_cs_r_get_public (&r_priv_comp[1],
+                                   &r_pub_comp[1]);
+    GNUNET_assert (0 == memcmp (&r_priv_comp,
+                                &r_priv,
+                                sizeof(struct GNUNET_CRYPTO_CsRSecret) * 2));
+    GNUNET_assert (0 == memcmp (&r_pub_comp,
+                                &r_pub,
+                                sizeof(struct GNUNET_CRYPTO_CsRPublic) * 2));
+
+    GNUNET_CRYPTO_cs_blinding_secrets_derive (&bnonce,
+                                              bs_comp);
+    GNUNET_assert (0 ==
+                   memcmp (&bs_comp,
+                           &bs,
+                           sizeof(struct GNUNET_CRYPTO_CsBlindingSecret)
+                           * 2));
+    GNUNET_CRYPTO_cs_calc_blinded_c (bs_comp,
+                                     r_pub_comp,
+                                     &pub,
+                                     &message_hash,
+                                     sizeof(message_hash),
+                                     c_comp,
+                                     &r_pub_blind_comp);
+    GNUNET_assert (0 ==
+                   memcmp (&c_comp,
+                           &c,
+                           sizeof(struct GNUNET_CRYPTO_CsC) * 2));
+    GNUNET_assert (0 ==
+                   GNUNET_memcmp (&r_pub_blind_comp,
+                                  &r_pub_blind));
+    {
+      struct GNUNET_CRYPTO_CsBlindedMessage bm = {
+        .c[0] = c_comp[0],
+        .c[1] = c_comp[1],
+        .nonce = snonce
+      };
+
+      GNUNET_CRYPTO_cs_sign_derive (&priv,
+                                    r_priv_comp,
+                                    &bm,
+                                    &blinded_s_comp);
+    }
+    GNUNET_assert (0 ==
+                   GNUNET_memcmp (&blinded_s_comp.s_scalar,
+                                  &blinded_s));
+    GNUNET_assert (b == blinded_s_comp.b);
+    GNUNET_CRYPTO_cs_unblind (&blinded_s_comp.s_scalar,
+                              &bs_comp[b],
+                              &signature_scalar_comp);
+    GNUNET_assert (0 ==
+                   GNUNET_memcmp (&signature_scalar_comp,
+                                  &signature_scalar));
+    sig_comp.r_point = r_pub_blind_comp.r_pub[b];
+    sig_comp.s_scalar = signature_scalar_comp;
+    GNUNET_assert (0 == memcmp (&sig_comp,
+                                &sig,
+                                sizeof(sig_comp)));
+    if (GNUNET_OK !=
+        GNUNET_CRYPTO_cs_verify (&sig_comp,
+                                 &pub,
+                                 &message_hash,
+                                 sizeof(message_hash)))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+  }
+  else
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "unsupported operation '%s'\n", operation);
+  }
+
+  return GNUNET_OK;
+}
+
+
+/**
+ * Check test vectors from stdin.
+ *
+ * @returns global exit code
+ */
+static int
+check_vectors ()
+{
+  json_error_t err;
+  json_t *vecfile = json_loadf (stdin, 0, &err);
+  const char *encoding;
+  json_t *vectors;
+
+  if (NULL == vecfile)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "unable to parse JSON\n");
+    return 1;
+  }
+  encoding = json_string_value (json_object_get (vecfile,
+                                                 "encoding"));
+  if ( (NULL == encoding) || (0 != strcmp (encoding, "base32crockford")) )
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "unsupported or missing encoding\n");
+    json_decref (vecfile);
+    return 1;
+  }
+  vectors = json_object_get (vecfile, "vectors");
+  if (! json_is_array (vectors))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "bad vectors\n");
+    json_decref (vecfile);
+    return 1;
+  }
+  {
+    /* array is a JSON array */
+    size_t index;
+    json_t *value;
+    enum GNUNET_GenericReturnValue ret = GNUNET_OK;
+
+    json_array_foreach (vectors, index, value) {
+      const char *op = json_string_value (json_object_get (value,
+                                                           "operation"));
+
+      if (NULL == op)
+      {
+        GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                    "missing operation\n");
+        ret = GNUNET_SYSERR;
+        break;
+      }
+      ret = checkvec (op, value);
+      if (GNUNET_OK != ret)
+      {
+        GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                    "bad vector %u\n",
+                    (unsigned int) index);
+        break;
+      }
+    }
+    json_decref (vecfile);
+    return (ret == GNUNET_OK) ? 0 : 1;
+  }
+}
+
+
+/**
+ * Output test vectors.
+ *
+ * @returns global exit code
+ */
+static int
+output_vectors ()
+{
+  json_t *vecfile = json_object ();
+  json_t *vecs = json_array ();
+
+  json_object_set_new (vecfile,
+                       "encoding",
+                       json_string ("base32crockford"));
+  json_object_set_new (vecfile,
+                       "producer",
+                       json_string ("GNUnet " PACKAGE_VERSION " " VCS_VERSION));
+  json_object_set_new (vecfile,
+                       "vectors",
+                       vecs);
+
+  {
+    json_t *vec = vec_for (vecs, "hash");
+    struct GNUNET_HashCode hc;
+    char *str = "Hello, GNUnet";
+
+    GNUNET_CRYPTO_hash (str, strlen (str), &hc);
+
+    d2j (vec, "input", str, strlen (str));
+    d2j (vec, "output", &hc, sizeof (struct GNUNET_HashCode));
+  }
+  {
+    json_t *vec = vec_for (vecs, "ecc_ecdh");
+    struct GNUNET_CRYPTO_EcdhePrivateKey priv1;
+    struct GNUNET_CRYPTO_EcdhePublicKey pub1;
+    struct GNUNET_CRYPTO_EcdhePrivateKey priv2;
+    struct GNUNET_HashCode skm;
+
+    GNUNET_CRYPTO_ecdhe_key_create (&priv1);
+    GNUNET_CRYPTO_ecdhe_key_create (&priv2);
+    GNUNET_CRYPTO_ecdhe_key_get_public (&priv1,
+                                        &pub1);
+    GNUNET_assert (GNUNET_OK ==
+                   GNUNET_CRYPTO_ecc_ecdh (&priv2,
+                                           &pub1,
+                                           &skm));
+
+    d2j (vec,
+         "priv1",
+         &priv1,
+         sizeof (struct GNUNET_CRYPTO_EcdhePrivateKey));
+    d2j (vec,
+         "pub1",
+         &pub1,
+         sizeof (struct GNUNET_CRYPTO_EcdhePublicKey));
+    d2j (vec,
+         "priv2",
+         &priv2,
+         sizeof (struct GNUNET_CRYPTO_EcdhePrivateKey));
+    d2j (vec,
+         "skm",
+         &skm,
+         sizeof (struct GNUNET_HashCode));
+  }
+
+  {
+    json_t *vec = vec_for (vecs, "eddsa_key_derivation");
+    struct GNUNET_CRYPTO_EddsaPrivateKey priv;
+    struct GNUNET_CRYPTO_EddsaPublicKey pub;
+
+    GNUNET_CRYPTO_eddsa_key_create (&priv);
+    GNUNET_CRYPTO_eddsa_key_get_public (&priv,
+                                        &pub);
+
+    d2j (vec,
+         "priv",
+         &priv,
+         sizeof (struct GNUNET_CRYPTO_EddsaPrivateKey));
+    d2j (vec,
+         "pub",
+         &pub,
+         sizeof (struct GNUNET_CRYPTO_EddsaPublicKey));
+  }
+  {
+    json_t *vec = vec_for (vecs, "eddsa_signing");
+    struct GNUNET_CRYPTO_EddsaPrivateKey priv;
+    struct GNUNET_CRYPTO_EddsaPublicKey pub;
+    struct GNUNET_CRYPTO_EddsaSignature sig;
+    struct TestSignatureDataPS data = { 0 };
+
+    GNUNET_CRYPTO_eddsa_key_create (&priv);
+    GNUNET_CRYPTO_eddsa_key_get_public (&priv,
+                                        &pub);
+    data.purpose.size = htonl (sizeof (data));
+    data.purpose.purpose = htonl (GNUNET_SIGNATURE_PURPOSE_TEST);
+    GNUNET_CRYPTO_eddsa_sign (&priv,
+                              &data,
+                              &sig);
+    GNUNET_assert (GNUNET_OK ==
+                   GNUNET_CRYPTO_eddsa_verify (GNUNET_SIGNATURE_PURPOSE_TEST,
+                                               &data,
+                                               &sig,
+                                               &pub));
+
+    d2j (vec,
+         "priv",
+         &priv,
+         sizeof (struct GNUNET_CRYPTO_EddsaPrivateKey));
+    d2j (vec,
+         "pub",
+         &pub,
+         sizeof (struct GNUNET_CRYPTO_EddsaPublicKey));
+    d2j (vec,
+         "data",
+         &data,
+         sizeof (struct TestSignatureDataPS));
+    d2j (vec,
+         "sig",
+         &sig,
+         sizeof (struct GNUNET_CRYPTO_EddsaSignature));
+  }
+
+  {
+    json_t *vec = vec_for (vecs, "kdf");
+    size_t out_len = 64;
+    char out[out_len];
+    char *ikm = "I'm the secret input key material";
+    char *salt = "I'm very salty";
+    char *ctx = "I'm a context chunk, also known as 'info' in the RFC";
+
+    GNUNET_assert (GNUNET_OK ==
+                   GNUNET_CRYPTO_kdf (&out,
+                                      out_len,
+                                      salt,
+                                      strlen (salt),
+                                      ikm,
+                                      strlen (ikm),
+                                      ctx,
+                                      strlen (ctx),
+                                      NULL));
+
+    d2j (vec,
+         "salt",
+         salt,
+         strlen (salt));
+    d2j (vec,
+         "ikm",
+         ikm,
+         strlen (ikm));
+    d2j (vec,
+         "ctx",
+         ctx,
+         strlen (ctx));
+    uint2j (vec,
+            "out_len",
+            (unsigned int) out_len);
+    d2j (vec,
+         "out",
+         out,
+         out_len);
+  }
+  {
+    json_t *vec = vec_for (vecs, "eddsa_ecdh");
+    struct GNUNET_CRYPTO_EcdhePrivateKey priv_ecdhe;
+    struct GNUNET_CRYPTO_EcdhePublicKey pub_ecdhe;
+    struct GNUNET_CRYPTO_EddsaPrivateKey priv_eddsa;
+    struct GNUNET_CRYPTO_EddsaPublicKey pub_eddsa;
+    struct GNUNET_HashCode key_material;
+
+    GNUNET_CRYPTO_ecdhe_key_create (&priv_ecdhe);
+    GNUNET_CRYPTO_ecdhe_key_get_public (&priv_ecdhe, &pub_ecdhe);
+    GNUNET_CRYPTO_eddsa_key_create (&priv_eddsa);
+    GNUNET_CRYPTO_eddsa_key_get_public (&priv_eddsa, &pub_eddsa);
+    GNUNET_CRYPTO_ecdh_eddsa (&priv_ecdhe, &pub_eddsa, &key_material);
+
+    d2j (vec, "priv_ecdhe",
+         &priv_ecdhe,
+         sizeof (struct GNUNET_CRYPTO_EcdhePrivateKey));
+    d2j (vec, "pub_ecdhe",
+         &pub_ecdhe,
+         sizeof (struct GNUNET_CRYPTO_EcdhePublicKey));
+    d2j (vec, "priv_eddsa",
+         &priv_eddsa,
+         sizeof (struct GNUNET_CRYPTO_EddsaPrivateKey));
+    d2j (vec, "pub_eddsa",
+         &pub_eddsa,
+         sizeof (struct GNUNET_CRYPTO_EddsaPublicKey));
+    d2j (vec, "key_material",
+         &key_material,
+         sizeof (struct GNUNET_HashCode));
+  }
+
+  {
+    json_t *vec = vec_for (vecs, "edx25519_derive");
+    struct GNUNET_CRYPTO_Edx25519PrivateKey priv1_edx;
+    struct GNUNET_CRYPTO_Edx25519PublicKey pub1_edx;
+    struct GNUNET_CRYPTO_Edx25519PrivateKey priv2_edx;
+    struct GNUNET_CRYPTO_Edx25519PublicKey pub2_edx;
+    struct GNUNET_HashCode seed;
+
+    GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_WEAK,
+                                &seed,
+                                sizeof (struct GNUNET_HashCode));
+    GNUNET_CRYPTO_edx25519_key_create (&priv1_edx);
+    GNUNET_CRYPTO_edx25519_key_get_public (&priv1_edx, &pub1_edx);
+    GNUNET_CRYPTO_edx25519_private_key_derive (&priv1_edx,
+                                               &seed,
+                                               sizeof (seed),
+                                               &priv2_edx);
+    GNUNET_CRYPTO_edx25519_public_key_derive (&pub1_edx,
+                                              &seed,
+                                              sizeof (seed),
+                                              &pub2_edx);
+
+    d2j (vec, "priv1_edx",
+         &priv1_edx,
+         sizeof (struct GNUNET_CRYPTO_Edx25519PrivateKey));
+    d2j (vec, "pub1_edx",
+         &pub1_edx,
+         sizeof (struct GNUNET_CRYPTO_Edx25519PublicKey));
+    d2j (vec, "seed",
+         &seed,
+         sizeof (struct GNUNET_HashCode));
+    d2j (vec, "priv2_edx",
+         &priv2_edx,
+         sizeof (struct GNUNET_CRYPTO_Edx25519PrivateKey));
+    d2j (vec, "pub2_edx",
+         &pub2_edx,
+         sizeof (struct GNUNET_CRYPTO_Edx25519PublicKey));
+  }
+
+  {
+    json_t *vec = vec_for (vecs, "rsa_blind_signing");
+
+    struct GNUNET_CRYPTO_RsaPrivateKey *skey;
+    struct GNUNET_CRYPTO_RsaPublicKey *pkey;
+    struct GNUNET_HashCode message_hash;
+    struct GNUNET_CRYPTO_RsaBlindingKeySecret bks;
+    struct GNUNET_CRYPTO_RsaSignature *blinded_sig;
+    struct GNUNET_CRYPTO_RsaSignature *sig;
+    struct GNUNET_CRYPTO_RsaBlindedMessage bm;
+    void *public_enc_data;
+    size_t public_enc_len;
+    void *secret_enc_data;
+    size_t secret_enc_len;
+    void *blinded_sig_enc_data;
+    size_t blinded_sig_enc_length;
+    void *sig_enc_data;
+    size_t sig_enc_length;
+
+    skey = GNUNET_CRYPTO_rsa_private_key_create (2048);
+    pkey = GNUNET_CRYPTO_rsa_private_key_get_public (skey);
+    GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_WEAK,
+                                &message_hash,
+                                sizeof (struct GNUNET_HashCode));
+    GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_WEAK,
+                                &bks,
+                                sizeof (struct
+                                        GNUNET_CRYPTO_RsaBlindingKeySecret));
+    GNUNET_assert (GNUNET_YES ==
+                   GNUNET_CRYPTO_rsa_blind (&message_hash,
+                                            sizeof (message_hash),
+                                            &bks,
+                                            pkey,
+                                            &bm));
+    blinded_sig = GNUNET_CRYPTO_rsa_sign_blinded (skey,
+                                                  &bm);
+    sig = GNUNET_CRYPTO_rsa_unblind (blinded_sig,
+                                     &bks,
+                                     pkey);
+    GNUNET_assert (GNUNET_YES ==
+                   GNUNET_CRYPTO_rsa_verify (&message_hash,
+                                             sizeof (message_hash),
+                                             sig,
+                                             pkey));
+    public_enc_len = GNUNET_CRYPTO_rsa_public_key_encode (pkey,
+                                                          &public_enc_data);
+    secret_enc_len = GNUNET_CRYPTO_rsa_private_key_encode (skey,
+                                                           &secret_enc_data);
+    blinded_sig_enc_length
+      = GNUNET_CRYPTO_rsa_signature_encode (blinded_sig,
+                                            &blinded_sig_enc_data);
+    sig_enc_length = GNUNET_CRYPTO_rsa_signature_encode (sig,
+                                                         &sig_enc_data);
+    d2j (vec,
+         "message_hash",
+         &message_hash,
+         sizeof (struct GNUNET_HashCode));
+    d2j (vec,
+         "rsa_public_key",
+         public_enc_data,
+         public_enc_len);
+    d2j (vec,
+         "rsa_private_key",
+         secret_enc_data,
+         secret_enc_len);
+    d2j (vec,
+         "blinding_key_secret",
+         &bks,
+         sizeof (struct GNUNET_CRYPTO_RsaBlindingKeySecret));
+    d2j (vec,
+         "blinded_message",
+         bm.blinded_msg,
+         bm.blinded_msg_size);
+    d2j (vec,
+         "blinded_sig",
+         blinded_sig_enc_data,
+         blinded_sig_enc_length);
+    d2j (vec,
+         "sig",
+         sig_enc_data,
+         sig_enc_length);
+    GNUNET_CRYPTO_rsa_private_key_free (skey);
+    GNUNET_CRYPTO_rsa_public_key_free (pkey);
+    GNUNET_CRYPTO_rsa_signature_free (sig);
+    GNUNET_CRYPTO_rsa_signature_free (blinded_sig);
+    GNUNET_free (public_enc_data);
+    GNUNET_CRYPTO_rsa_blinded_message_free (&bm);
+    GNUNET_free (sig_enc_data);
+    GNUNET_free (blinded_sig_enc_data);
+    GNUNET_free (secret_enc_data);
+  }
+
+  {
+    json_t *vec = vec_for (vecs, "cs_blind_signing");
+
+    struct GNUNET_CRYPTO_CsPrivateKey priv;
+    struct GNUNET_CRYPTO_CsPublicKey pub;
+    struct GNUNET_CRYPTO_CsBlindingSecret bs[2];
+    struct GNUNET_CRYPTO_CsRSecret r_priv[2];
+    struct GNUNET_CRYPTO_CsRPublic r_pub[2];
+    struct GNUNET_CRYPTO_CSPublicRPairP r_pub_blind;
+    struct GNUNET_CRYPTO_CsC c[2];
+    struct GNUNET_CRYPTO_CsS signature_scalar;
+    struct GNUNET_CRYPTO_CsBlindSignature blinded_s;
+    struct GNUNET_CRYPTO_CsSignature sig;
+    struct GNUNET_CRYPTO_CsSessionNonce snonce;
+    struct GNUNET_CRYPTO_CsBlindingNonce bnonce;
+    struct GNUNET_HashCode message_hash;
+
+    GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_WEAK,
+                                &message_hash,
+                                sizeof (struct GNUNET_HashCode));
+
+    GNUNET_CRYPTO_cs_private_key_generate (&priv);
+    GNUNET_CRYPTO_cs_private_key_get_public (&priv,
+                                             &pub);
+    GNUNET_assert (GNUNET_YES ==
+                   GNUNET_CRYPTO_hkdf (&snonce,
+                                       sizeof(snonce),
+                                       GCRY_MD_SHA512,
+                                       GCRY_MD_SHA256,
+                                       "nonce",
+                                       strlen ("nonce"),
+                                       "nonce_secret",
+                                       strlen ("nonce_secret"),
+                                       NULL,
+                                       0));
+    /* NOTE: historically, we made the bad choice of
+       making both nonces the same. Maybe barely OK
+       for the TGV, not good for production! */
+    memcpy (&bnonce,
+            &snonce,
+            sizeof (snonce));
+    GNUNET_CRYPTO_cs_r_derive (&snonce,
+                               "rw",
+                               &priv,
+                               r_priv);
+    GNUNET_CRYPTO_cs_r_get_public (&r_priv[0],
+                                   &r_pub[0]);
+    GNUNET_CRYPTO_cs_r_get_public (&r_priv[1],
+                                   &r_pub[1]);
+    GNUNET_CRYPTO_cs_blinding_secrets_derive (&bnonce,
+                                              bs);
+    GNUNET_CRYPTO_cs_calc_blinded_c (bs,
+                                     r_pub,
+                                     &pub,
+                                     &message_hash,
+                                     sizeof(message_hash),
+                                     c,
+                                     &r_pub_blind);
+    {
+      struct GNUNET_CRYPTO_CsBlindedMessage bm = {
+        .c[0] = c[0],
+        .c[1] = c[1],
+        .nonce = snonce
+      };
+
+      GNUNET_CRYPTO_cs_sign_derive (&priv,
+                                    r_priv,
+                                    &bm,
+                                    &blinded_s);
+    }
+    GNUNET_CRYPTO_cs_unblind (&blinded_s.s_scalar,
+                              &bs[blinded_s.b],
+                              &signature_scalar);
+    sig.r_point = r_pub_blind.r_pub[blinded_s.b];
+    sig.s_scalar = signature_scalar;
+    if (GNUNET_OK !=
+        GNUNET_CRYPTO_cs_verify (&sig,
+                                 &pub,
+                                 &message_hash,
+                                 sizeof(message_hash)))
+    {
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+    d2j (vec,
+         "message_hash",
+         &message_hash,
+         sizeof (struct GNUNET_HashCode));
+    d2j (vec,
+         "cs_public_key",
+         &pub,
+         sizeof(pub));
+    d2j (vec,
+         "cs_private_key",
+         &priv,
+         sizeof(priv));
+    d2j (vec,
+         "cs_nonce",
+         &snonce,
+         sizeof(snonce));
+    d2j (vec,
+         "cs_r_priv_0",
+         &r_priv[0],
+         sizeof(r_priv[0]));
+    d2j (vec,
+         "cs_r_priv_1",
+         &r_priv[1],
+         sizeof(r_priv[1]));
+    d2j (vec,
+         "cs_r_pub_0",
+         &r_pub[0],
+         sizeof(r_pub[0]));
+    d2j (vec,
+         "cs_r_pub_1",
+         &r_pub[1],
+         sizeof(r_pub[1]));
+    d2j (vec,
+         "cs_bs_alpha_0",
+         &bs[0].alpha,
+         sizeof(bs[0].alpha));
+    d2j (vec,
+         "cs_bs_alpha_1",
+         &bs[1].alpha,
+         sizeof(bs[1].alpha));
+    d2j (vec,
+         "cs_bs_beta_0",
+         &bs[0].beta,
+         sizeof(bs[0].beta));
+    d2j (vec,
+         "cs_bs_beta_1",
+         &bs[1].beta,
+         sizeof(bs[1].beta));
+    d2j (vec,
+         "cs_r_pub_blind_0",
+         &r_pub_blind.r_pub[0],
+         sizeof(r_pub_blind.r_pub[0]));
+    d2j (vec,
+         "cs_r_pub_blind_1",
+         &r_pub_blind.r_pub[1],
+         sizeof(r_pub_blind.r_pub[1]));
+    d2j (vec,
+         "cs_c_0",
+         &c[0],
+         sizeof(c[0]));
+    d2j (vec,
+         "cs_c_1",
+         &c[1],
+         sizeof(c[1]));
+    d2j (vec,
+         "cs_blind_s",
+         &blinded_s,
+         sizeof(blinded_s));
+    d2j (vec,
+         "cs_b",
+         &blinded_s.b,
+         sizeof(blinded_s.b));
+    d2j (vec,
+         "cs_sig_s",
+         &signature_scalar,
+         sizeof(signature_scalar));
+    d2j (vec,
+         "cs_sig_R",
+         &r_pub_blind.r_pub[blinded_s.b],
+         sizeof(r_pub_blind.r_pub[blinded_s.b]));
+  }
+
+  json_dumpf (vecfile, stdout, JSON_INDENT (2));
+  json_decref (vecfile);
+  printf ("\n");
+
+  return 0;
+}
+
+
+/**
+ * Main function that will be run.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param cfg configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  if (GNUNET_YES == verify_flag)
+    global_ret = check_vectors ();
+  else
+    global_ret = output_vectors ();
+}
+
+
+/**
+ * The main function of the test vector generation tool.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc,
+      char *const *argv)
+{
+  const struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_option_flag ('V',
+                               "verify",
+                               gettext_noop (
+                                 "verify a test vector from stdin"),
+                               &verify_flag),
+    GNUNET_GETOPT_OPTION_END
+  };
+
+  GNUNET_assert (GNUNET_OK ==
+                 GNUNET_log_setup ("gnunet-crypto-tvg",
+                                   "INFO",
+                                   NULL));
+  if (GNUNET_OK !=
+      GNUNET_PROGRAM_run (argc, argv,
+                          "gnunet-crypto-tvg",
+                          "Generate test vectors for cryptographic operations",
+                          options,
+                          &run, NULL))
+    return 1;
+  return global_ret;
+}
+
+
+/* end of gnunet-crypto-tvg.c */
diff --git a/src/cli/util/gnunet-ecc.c b/src/cli/util/gnunet-ecc.c
new file mode 100644
index 000000000..812745085
--- /dev/null
+++ b/src/cli/util/gnunet-ecc.c
@@ -0,0 +1,510 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2012, 2013 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @file util/gnunet-ecc.c
+ * @brief tool to manipulate EDDSA key files
+ * @author Christian Grothoff
+ */
+
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include "gnunet_testing_lib.h"
+#include <gcrypt.h>
+
+/**
+ * Number of characters a Base32-encoded public key requires.
+ */
+#define KEY_STR_LEN sizeof(struct GNUNET_CRYPTO_EddsaPublicKey) * 8 / 5 + 1
+
+/**
+ * Flag for listing public key.
+ */
+static int list_keys;
+
+/**
+ * Flag for listing public key.
+ */
+static unsigned int list_keys_count;
+
+/**
+ * Flag for printing public key.
+ */
+static int print_public_key;
+
+/**
+ * Flag for printing private key.
+ */
+static int print_private_key;
+
+/**
+ * Flag for printing public key in hex.
+ */
+static int print_public_key_hex;
+
+/**
+ * Flag for printing the output of random example operations.
+ */
+static int print_examples_flag;
+
+/**
+ * Option set to create a bunch of keys at once.
+ */
+static unsigned int make_keys;
+
+
+/**
+ * Create a flat file with a large number of key pairs for testing.
+ *
+ * @param fn File name to store the keys.
+ * @param prefix Desired prefix for the public keys, NULL if any key is OK.
+ */
+static void
+create_keys (const char *fn, const char *prefix)
+{
+  FILE *f;
+  struct GNUNET_CRYPTO_EddsaPrivateKey pk;
+  struct GNUNET_CRYPTO_EddsaPublicKey target_pub;
+  static char vanity[KEY_STR_LEN + 1];
+  size_t len;
+  size_t n;
+  size_t rest;
+  unsigned char mask;
+  unsigned target_byte;
+  char *s;
+
+  if (NULL == (f = fopen (fn, "w+")))
+  {
+    fprintf (stderr, _ ("Failed to open `%s': %s\n"), fn, strerror (errno));
+    return;
+  }
+  if (NULL != prefix)
+  {
+    len = GNUNET_strlcpy (vanity, prefix, sizeof(vanity));
+    n = len * 5 / 8;
+    rest = len * 5 % 8;
+
+    memset (&vanity[len], '0', KEY_STR_LEN - len);
+    vanity[KEY_STR_LEN] = '\0';
+    GNUNET_assert (GNUNET_OK ==
+                   GNUNET_CRYPTO_eddsa_public_key_from_string (vanity,
+                                                               KEY_STR_LEN,
+                                                               &target_pub));
+    if (0 != rest)
+    {
+      /**
+       * Documentation by example:
+       * vanity = "A"
+       * len = 1
+       * n = 5/8 = 0 (bytes)
+       * rest = 5%8 = 5 (bits)
+       * mask = ~(2**(8 - 5) - 1) = ~(2**3 - 1) = ~(8 - 1) = ~b111 = b11111000
+       */mask = ~((int) pow (2, 8 - rest) - 1);
+      target_byte = ((unsigned char *) &target_pub)[n] & mask;
+    }
+    else
+    {
+      /* Just so old (debian) versions of GCC calm down with the warnings. */
+      mask = target_byte = 0;
+    }
+    s = GNUNET_CRYPTO_eddsa_public_key_to_string (&target_pub);
+    fprintf (stderr,
+             _ ("Generating %u keys like %s, please wait"),
+             make_keys,
+             s);
+    GNUNET_free (s);
+    fprintf (stderr, "\nattempt %s [%u, %X]\n", vanity, (unsigned int) n, mask);
+  }
+  else
+  {
+    fprintf (stderr, _ ("Generating %u keys, please wait"), make_keys);
+    /* Just so old (debian) versions of GCC calm down with the warnings. */
+    n = rest = target_byte = mask = 0;
+  }
+
+  while (0 < make_keys--)
+  {
+    fprintf (stderr, ".");
+    GNUNET_CRYPTO_eddsa_key_create (&pk);
+    if (NULL != prefix)
+    {
+      struct GNUNET_CRYPTO_EddsaPublicKey newkey;
+
+      GNUNET_CRYPTO_eddsa_key_get_public (&pk,
+                                          &newkey);
+      if (0 != memcmp (&target_pub,
+                       &newkey,
+                       n))
+      {
+        make_keys++;
+        continue;
+      }
+      if (0 != rest)
+      {
+        unsigned char new_byte;
+
+        new_byte = ((unsigned char *) &newkey)[n] & mask;
+        if (target_byte != new_byte)
+        {
+          make_keys++;
+          continue;
+        }
+      }
+    }
+    if (GNUNET_TESTING_HOSTKEYFILESIZE !=
+        fwrite (&pk,
+                1,
+                GNUNET_TESTING_HOSTKEYFILESIZE,
+                f))
+    {
+      fprintf (stderr,
+               _ ("\nFailed to write to `%s': %s\n"),
+               fn,
+               strerror (errno));
+      break;
+    }
+  }
+  if (UINT_MAX == make_keys)
+    fprintf (stderr, _ ("\nFinished!\n"));
+  else
+    fprintf (stderr, _ ("\nError, %u keys not generated\n"), make_keys);
+  fclose (f);
+}
+
+
+static void
+print_hex (const char *msg, const void *buf, size_t size)
+{
+  printf ("%s: ", msg);
+  for (size_t i = 0; i < size; i++)
+  {
+    printf ("%02hhx", ((const uint8_t *) buf)[i]);
+  }
+  printf ("\n");
+}
+
+
+static void
+print_examples_ecdh (void)
+{
+  struct GNUNET_CRYPTO_EcdhePrivateKey dh_priv1;
+  struct GNUNET_CRYPTO_EcdhePublicKey dh_pub1;
+  struct GNUNET_CRYPTO_EcdhePrivateKey dh_priv2;
+  struct GNUNET_CRYPTO_EcdhePublicKey dh_pub2;
+  struct GNUNET_HashCode hash;
+  char buf[128];
+
+  GNUNET_CRYPTO_ecdhe_key_create (&dh_priv1);
+  GNUNET_CRYPTO_ecdhe_key_create (&dh_priv2);
+  GNUNET_CRYPTO_ecdhe_key_get_public (&dh_priv1,
+                                      &dh_pub1);
+  GNUNET_CRYPTO_ecdhe_key_get_public (&dh_priv2,
+                                      &dh_pub2);
+
+  GNUNET_assert (NULL !=
+                 GNUNET_STRINGS_data_to_string (&dh_priv1,
+                                                sizeof (dh_priv1),
+                                                buf,
+                                                sizeof (buf)));
+  printf ("ECDHE key 1:\n");
+  printf ("private: %s\n",
+          buf);
+  print_hex ("private(hex)",
+             &dh_priv1, sizeof (dh_priv1));
+  GNUNET_assert (NULL !=
+                 GNUNET_STRINGS_data_to_string (&dh_pub1,
+                                                sizeof (dh_pub1),
+                                                buf,
+                                                sizeof (buf)));
+  printf ("public: %s\n",
+          buf);
+  print_hex ("public(hex)",
+             &dh_pub1,
+             sizeof (dh_pub1));
+
+  GNUNET_assert (NULL !=
+                 GNUNET_STRINGS_data_to_string (&dh_priv2,
+                                                sizeof (dh_priv2),
+                                                buf,
+                                                sizeof (buf)));
+  printf ("ECDHE key 2:\n");
+  printf ("private: %s\n", buf);
+  print_hex ("private(hex)",
+             &dh_priv2,
+             sizeof (dh_priv2));
+  GNUNET_assert (NULL !=
+                 GNUNET_STRINGS_data_to_string (&dh_pub2,
+                                                sizeof (dh_pub2),
+                                                buf,
+                                                sizeof (buf)));
+  printf ("public: %s\n", buf);
+  print_hex ("public(hex)",
+             &dh_pub2,
+             sizeof (dh_pub2));
+
+  GNUNET_assert (GNUNET_OK ==
+                 GNUNET_CRYPTO_ecc_ecdh (&dh_priv1,
+                                         &dh_pub2,
+                                         &hash));
+  GNUNET_assert (NULL !=
+                 GNUNET_STRINGS_data_to_string (&hash,
+                                                sizeof (hash),
+                                                buf,
+                                                sizeof (buf)));
+  printf ("ECDH shared secret: %s\n",
+          buf);
+
+}
+
+
+/**
+ * Print some random example operations to stdout.
+ */
+static void
+print_examples (void)
+{
+  print_examples_ecdh ();
+  // print_examples_ecdsa ();
+  // print_examples_eddsa ();
+}
+
+
+static void
+print_key (const char *filename)
+{
+  struct GNUNET_DISK_FileHandle *fd;
+  struct GNUNET_CRYPTO_EddsaPrivateKey private_key;
+  struct GNUNET_CRYPTO_EddsaPublicKey public_key;
+  char *hostkeys_data;
+  char *hostkey_str;
+  uint64_t fs;
+  unsigned int total_hostkeys;
+  unsigned int c;
+  ssize_t sret;
+
+  if (GNUNET_YES != GNUNET_DISK_file_test (filename))
+  {
+    fprintf (stderr, _ ("Hostkeys file `%s' not found\n"), filename);
+    return;
+  }
+
+  /* Check hostkey file size, read entire thing into memory */
+  if (GNUNET_OK !=
+      GNUNET_DISK_file_size (filename, &fs, GNUNET_YES, GNUNET_YES))
+    fs = 0;
+  if (0 == fs)
+  {
+    fprintf (stderr, _ ("Hostkeys file `%s' is empty\n"), filename);
+    return;   /* File is empty */
+  }
+  if (0 != (fs % GNUNET_TESTING_HOSTKEYFILESIZE))
+  {
+    fprintf (stderr, _ ("Incorrect hostkey file format: %s\n"), filename);
+    return;
+  }
+  fd = GNUNET_DISK_file_open (filename,
+                              GNUNET_DISK_OPEN_READ,
+                              GNUNET_DISK_PERM_NONE);
+  if (NULL == fd)
+  {
+    GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_ERROR, "open", filename);
+    return;
+  }
+  hostkeys_data = GNUNET_malloc (fs);
+  sret = GNUNET_DISK_file_read (fd, hostkeys_data, fs);
+  if ((sret < 0) || (fs != (size_t) sret))
+  {
+    fprintf (stderr, _ ("Could not read hostkey file: %s\n"), filename);
+    GNUNET_free (hostkeys_data);
+    GNUNET_DISK_file_close (fd);
+    return;
+  }
+  GNUNET_DISK_file_close (fd);
+
+  if (NULL == hostkeys_data)
+    return;
+  total_hostkeys = fs / GNUNET_TESTING_HOSTKEYFILESIZE;
+  for (c = 0; (c < total_hostkeys) && (c < list_keys_count); c++)
+  {
+    GNUNET_memcpy (&private_key,
+                   hostkeys_data + (c * GNUNET_TESTING_HOSTKEYFILESIZE),
+                   GNUNET_TESTING_HOSTKEYFILESIZE);
+    GNUNET_CRYPTO_eddsa_key_get_public (&private_key, &public_key);
+    hostkey_str = GNUNET_CRYPTO_eddsa_public_key_to_string (&public_key);
+    if (NULL != hostkey_str)
+    {
+      fprintf (stderr, "%4u: %s\n", c, hostkey_str);
+      GNUNET_free (hostkey_str);
+    }
+    else
+      fprintf (stderr, "%4u: %s\n", c, "invalid");
+  }
+  GNUNET_free (hostkeys_data);
+}
+
+
+/**
+ * Main function that will be run by the scheduler.
+ *
+ * @param cls closure, NULL
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param cfg configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  (void) cls;
+  (void) cfgfile;
+  (void) cfg;
+
+  if (print_examples_flag)
+  {
+    print_examples ();
+    return;
+  }
+  if (NULL == args[0])
+  {
+    fprintf (stderr, "%s", _ ("No hostkey file specified on command line\n"));
+    return;
+  }
+  if (list_keys)
+  {
+    print_key (args[0]);
+    return;
+  }
+  if (make_keys > 0)
+  {
+    create_keys (args[0], args[1]);
+    return;
+  }
+  if (print_public_key || print_public_key_hex || print_private_key)
+  {
+    char *str;
+    struct GNUNET_DISK_FileHandle *keyfile;
+    struct GNUNET_CRYPTO_EddsaPrivateKey pk;
+    struct GNUNET_CRYPTO_EddsaPublicKey pub;
+
+    keyfile = GNUNET_DISK_file_open (args[0],
+                                     GNUNET_DISK_OPEN_READ,
+                                     GNUNET_DISK_PERM_NONE);
+    if (NULL == keyfile)
+      return;
+    while (sizeof(pk) == GNUNET_DISK_file_read (keyfile, &pk, sizeof(pk)))
+    {
+      GNUNET_CRYPTO_eddsa_key_get_public (&pk, &pub);
+      if (print_public_key_hex)
+      {
+        print_hex ("HEX:", &pub, sizeof(pub));
+      }
+      else if (print_public_key)
+      {
+        str = GNUNET_CRYPTO_eddsa_public_key_to_string (&pub);
+        fprintf (stdout, "%s\n", str);
+        GNUNET_free (str);
+      }
+      else if (print_private_key)
+      {
+        str = GNUNET_CRYPTO_eddsa_private_key_to_string (&pk);
+        fprintf (stdout, "%s\n", str);
+        GNUNET_free (str);
+      }
+    }
+    GNUNET_DISK_file_close (keyfile);
+  }
+}
+
+
+/**
+ * Program to manipulate ECC key files.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc, char *const *argv)
+{
+  struct GNUNET_GETOPT_CommandLineOption options[] =
+  { GNUNET_GETOPT_option_flag ('i',
+                               "iterate",
+                               gettext_noop (
+                                 "list keys included in a file (for testing)"),
+                               &list_keys),
+    GNUNET_GETOPT_option_uint (
+      'e',
+      "end=",
+      "COUNT",
+      gettext_noop ("number of keys to list included in a file (for testing)"),
+      &list_keys_count),
+    GNUNET_GETOPT_option_uint (
+      'g',
+      "generate-keys",
+      "COUNT",
+      gettext_noop ("create COUNT public-private key pairs (for testing)"),
+      &make_keys),
+    GNUNET_GETOPT_option_flag ('p',
+                               "print-public-key",
+                               gettext_noop (
+                                 "print the public key in ASCII format"),
+                               &print_public_key),
+    GNUNET_GETOPT_option_flag ('P',
+                               "print-private-key",
+                               gettext_noop (
+                                 "print the private key in ASCII format"),
+                               &print_private_key),
+    GNUNET_GETOPT_option_flag ('x',
+                               "print-hex",
+                               gettext_noop (
+                                 "print the public key in HEX format"),
+                               &print_public_key_hex),
+    GNUNET_GETOPT_option_flag (
+      'E',
+      "examples",
+      gettext_noop (
+        "print examples of ECC operations (used for compatibility testing)"),
+      &print_examples_flag),
+    GNUNET_GETOPT_OPTION_END };
+  int ret;
+
+  list_keys_count = UINT32_MAX;
+  if (GNUNET_OK != GNUNET_STRINGS_get_utf8_args (argc, argv, &argc, &argv))
+    return 2;
+
+  ret = (GNUNET_OK ==
+         GNUNET_PROGRAM_run (argc,
+                             argv,
+                             "gnunet-ecc [OPTIONS] keyfile [VANITY_PREFIX]",
+                             gettext_noop (
+                               "Manipulate GNUnet private ECC key files"),
+                             options,
+                             &run,
+                             NULL))
+        ? 0
+        : 1;
+  GNUNET_free_nz ((void *) argv);
+  return ret;
+}
+
+
+/* end of gnunet-ecc.c */
diff --git a/src/cli/util/gnunet-qr.c b/src/cli/util/gnunet-qr.c
new file mode 100644
index 000000000..d9b873c05
--- /dev/null
+++ b/src/cli/util/gnunet-qr.c
@@ -0,0 +1,597 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2013-2019 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file util/gnunet-qr.c
+ * @author Hartmut Goebel (original implementation)
+ * @author Martin Schanzenbach (integrate gnunet-uri)
+ * @author Christian Grothoff (error handling)
+ */
+#include "platform.h"
+#include <stdio.h>
+#include <stdbool.h>
+#include <signal.h>
+#include <zbar.h>
+
+
+#include "gnunet_util_lib.h"
+
+#if HAVE_PNG
+#include <png.h>
+#endif
+
+/**
+ * Global exit code.
+ * Set to non-zero if an error occurs after the scheduler has started.
+ */
+static int exit_code = 0;
+
+/**
+ * Video device to capture from.
+ * Used by default if PNG support is disabled or no PNG file is specified.
+ * Defaults to /dev/video0.
+ */
+static char *device = NULL;
+
+#if HAVE_PNG
+/**
+ * Name of the file to read from.
+ * If the file is not a PNG-encoded image of a QR code, an error will be
+ * thrown.
+ */
+static char *pngfilename = NULL;
+#endif
+
+/**
+ * Requested verbosity.
+ */
+static unsigned int verbosity = 0;
+
+/**
+ * Child process handle.
+ */
+struct GNUNET_OS_Process *childproc = NULL;
+
+/**
+ * Child process handle for waiting.
+ */
+static struct GNUNET_ChildWaitHandle *waitchildproc = NULL;
+
+/**
+ * Macro to handle verbosity when printing messages.
+ */
+#define LOG(fmt, ...)                                           \
+  do                                                            \
+  {                                                             \
+    if (0 < verbosity)                                          \
+    {                                                           \
+      GNUNET_log (GNUNET_ERROR_TYPE_INFO, fmt, ##__VA_ARGS__);  \
+      if (verbosity > 1)                                        \
+      {                                                         \
+        fprintf (stdout, fmt, ##__VA_ARGS__);                   \
+      }                                                         \
+    }                                                           \
+  }                                                             \
+  while (0)
+
+/**
+ * Executed when program is terminating.
+ */
+static void
+shutdown_program (void *cls)
+{
+  if (NULL != waitchildproc)
+  {
+    GNUNET_wait_child_cancel (waitchildproc);
+  }
+  if (NULL != childproc)
+  {
+    /* A bit brutal, but this process is terminating so we're out of time */
+    GNUNET_OS_process_kill (childproc, SIGKILL);
+  }
+}
+
+/**
+ * Callback executed when the child process terminates.
+ *
+ * @param cls closure
+ * @param type status of the child process
+ * @param code the exit code of the child process
+ */
+static void
+wait_child (void *cls,
+            enum GNUNET_OS_ProcessStatusType type,
+            long unsigned int code)
+{
+  GNUNET_OS_process_destroy (childproc);
+  childproc = NULL;
+  waitchildproc = NULL;
+
+  char *uri = cls;
+
+  if (0 != exit_code)
+  {
+    fprintf (stdout, _("Failed to add URI %s\n"), uri);
+  }
+  else
+  {
+    fprintf (stdout, _("Added URI %s\n"), uri);
+  }
+
+  GNUNET_free (uri);
+
+  GNUNET_SCHEDULER_shutdown ();
+}
+
+/**
+ * Dispatch URIs to the appropriate GNUnet helper process.
+ *
+ * @param cls closure
+ * @param uri URI to dispatch
+ * @param cfgfile name of the configuration file in use
+ * @param cfg the configuration in use
+ */
+static void
+handle_uri (void *cls,
+            const char *uri,
+            const char *cfgfile,
+            const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  const char *cursor = uri;
+
+  if (0 != strncasecmp ("gnunet://", uri, strlen ("gnunet://")))
+  {
+    fprintf (stderr,
+             _("Invalid URI: does not start with `gnunet://'\n"));
+    exit_code = 1;
+    return;
+  }
+
+  cursor += strlen ("gnunet://");
+
+  const char *slash = strchr (cursor, '/');
+  if (NULL == slash)
+  {
+    fprintf (stderr, _("Invalid URI: fails to specify a subsystem\n"));
+    exit_code = 1;
+    return;
+  }
+
+  char *subsystem = GNUNET_strndup (cursor, slash - cursor);
+  char *program = NULL;
+
+  if (GNUNET_OK !=
+      GNUNET_CONFIGURATION_get_value_string (cfg, "uri", subsystem, &program))
+  {
+    fprintf (stderr, _("No known handler for subsystem `%s'\n"), subsystem);
+    GNUNET_free (subsystem);
+    exit_code = 1;
+    return;
+  }
+
+  GNUNET_free (subsystem);
+
+  char **childargv = NULL;
+  unsigned int childargc = 0;
+
+  for (const char *token=strtok (program, " ");
+       NULL!=token;
+       token=strtok(NULL, " "))
+  {
+    GNUNET_array_append (childargv, childargc, GNUNET_strdup (token));
+  }
+  GNUNET_array_append (childargv, childargc, GNUNET_strdup (uri));
+  GNUNET_array_append (childargv, childargc, NULL);
+
+  childproc = GNUNET_OS_start_process_vap (GNUNET_OS_INHERIT_STD_ALL,
+                                           NULL,
+                                           NULL,
+                                           NULL,
+                                           childargv[0],
+                                           childargv);
+  for (size_t i=0; i<childargc-1; ++i)
+  {
+    GNUNET_free (childargv[i]);
+  }
+
+  GNUNET_array_grow (childargv, childargc, 0);
+
+  if (NULL == childproc)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                _("Unable to start child process `%s'\n"),
+                program);
+    GNUNET_free (program);
+    exit_code = 1;
+    return;
+  }
+
+  waitchildproc = GNUNET_wait_child (childproc, &wait_child, (void *)uri);
+}
+
+/**
+ * Obtain a QR code symbol from @a proc.
+ *
+ * @param proc the zbar processor to use
+ * @return NULL on error
+ */
+static const zbar_symbol_t *
+get_symbol (zbar_processor_t *proc)
+{
+  if (0 != zbar_processor_parse_config (proc, "enable"))
+  {
+    GNUNET_break (0);
+    return NULL;
+  }
+
+  int r = zbar_processor_init (proc, device, 1);
+  if (0 != r)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                _("Failed to open device: `%s': %d\n"),
+                device,
+                r);
+    return NULL;
+  }
+
+  r = zbar_processor_set_visible (proc, 1);
+  r += zbar_processor_set_active (proc, 1);
+  if (0 != r)
+  {
+    GNUNET_break (0);
+    return NULL;
+  }
+
+  LOG (_("Capturing...\n"));
+
+  int n = zbar_process_one (proc, -1);
+
+  zbar_processor_set_active (proc, 0);
+  zbar_processor_set_visible (proc, 0);
+
+  if (-1 == n)
+  {
+    LOG (_("No captured images\n"));
+    return NULL;
+  }
+
+  LOG(_("Got %d images\n"), n);
+
+  const zbar_symbol_set_t *symbols = zbar_processor_get_results (proc);
+  if (NULL == symbols)
+  {
+    GNUNET_break (0);
+    return NULL;
+  }
+
+  return zbar_symbol_set_first_symbol (symbols);
+}
+
+/**
+ * Run the zbar QR code parser.
+ *
+ * @return NULL on error
+ */
+static char *
+run_zbar (void)
+{
+  zbar_processor_t *proc = zbar_processor_create (1);
+  if (NULL == proc)
+  {
+    GNUNET_break (0);
+    return NULL;
+  }
+
+  if (NULL == device)
+  {
+    device = GNUNET_strdup ("/dev/video0");
+  }
+
+  const zbar_symbol_t *symbol = get_symbol (proc);
+  if (NULL == symbol)
+  {
+    zbar_processor_destroy (proc);
+    return NULL;
+  }
+
+  const char *data = zbar_symbol_get_data (symbol);
+  if (NULL == data)
+  {
+    GNUNET_break (0);
+    zbar_processor_destroy (proc);
+    return NULL;
+  }
+
+  LOG (_("Found %s: \"%s\"\n"),
+       zbar_get_symbol_name (zbar_symbol_get_type (symbol)),
+       data);
+
+  char *copy = GNUNET_strdup (data);
+
+  zbar_processor_destroy (proc);
+  GNUNET_free (device);
+
+  return copy;
+}
+
+#if HAVE_PNG
+/**
+ * Decode the PNG-encoded file to a raw byte buffer.
+ *
+ * @param width[out] where to store the image width
+ * @param height[out] where to store the image height
+ */
+static char *
+png_parse (uint32_t *width, uint32_t *height)
+{
+  if (NULL == width || NULL == height)
+  {
+    return NULL;
+  }
+
+  FILE *pngfile = fopen (pngfilename, "rb");
+  if (NULL == pngfile)
+  {
+    return NULL;
+  }
+
+  unsigned char header[8];
+  if (8 != fread (header, 1, 8, pngfile))
+  {
+    fclose (pngfile);
+    return NULL;
+  }
+
+  if (png_sig_cmp (header, 0, 8))
+  {
+    fclose (pngfile);
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                _("%s is not a PNG file\n"),
+                pngfilename);
+    fprintf (stderr, _("%s is not a PNG file\n"), pngfilename);
+    return NULL;
+  }
+
+  /* libpng's default error handling might or might not conflict with GNUnet's
+     scheduler and event loop. Beware of strange interactions. */
+  png_structp png = png_create_read_struct (PNG_LIBPNG_VER_STRING,
+                                            NULL,
+                                            NULL,
+                                            NULL);
+  if (NULL == png)
+  {
+    GNUNET_break (0);
+    fclose (pngfile);
+    return NULL;
+  }
+
+  png_infop pnginfo = png_create_info_struct (png);
+  if (NULL == pnginfo)
+  {
+    GNUNET_break (0);
+    png_destroy_read_struct (&png, NULL, NULL);
+    fclose (pngfile);
+    return NULL;
+  }
+
+  if (setjmp (png_jmpbuf (png)))
+  {
+    GNUNET_break (0);
+    png_destroy_read_struct (&png, &pnginfo, NULL);
+    fclose (pngfile);
+    return NULL;
+  }
+
+  png_init_io (png, pngfile);
+  png_set_sig_bytes (png, 8);
+
+  png_read_info (png, pnginfo);
+
+  png_byte pngcolor = png_get_color_type (png, pnginfo);
+  png_byte pngdepth = png_get_bit_depth (png, pnginfo);
+
+  /* Normalize picture --- based on a zbar example */
+  if (0 != (pngcolor & PNG_COLOR_TYPE_PALETTE))
+  {
+    png_set_palette_to_rgb (png);
+  }
+
+  if (pngcolor == PNG_COLOR_TYPE_GRAY && pngdepth < 8)
+  {
+    png_set_expand_gray_1_2_4_to_8 (png);
+  }
+
+  if (16 == pngdepth)
+  {
+    png_set_strip_16 (png);
+  }
+
+  if (0 != (pngcolor & PNG_COLOR_MASK_ALPHA))
+  {
+    png_set_strip_alpha (png);
+  }
+
+  if (0 != (pngcolor & PNG_COLOR_MASK_COLOR))
+  {
+    png_set_rgb_to_gray_fixed (png, 1, -1, -1);
+  }
+
+  png_uint_32 pngwidth = png_get_image_width (png, pnginfo);
+  png_uint_32 pngheight = png_get_image_height (png, pnginfo);
+
+  char *buffer = GNUNET_new_array (pngwidth * pngheight, char);
+  png_bytepp rows = GNUNET_new_array (pngheight, png_bytep);
+
+  for (png_uint_32 i=0; i<pngheight; ++i)
+  {
+    rows[i] = (unsigned char *)buffer + (pngwidth * i);
+  }
+
+  png_read_image (png, rows);
+
+  GNUNET_free (rows);
+  fclose (pngfile);
+
+  *width = pngwidth;
+  *height = pngheight;
+
+  return buffer;
+}
+
+/**
+ * Parse a PNG-encoded file for a QR code.
+ *
+ * @return NULL on error
+ */
+static char *
+run_png_reader (void)
+{
+  uint32_t width = 0;
+  uint32_t height = 0;
+  char *buffer = png_parse (&width, &height);
+  if (NULL == buffer)
+  {
+    return NULL;
+  }
+
+  zbar_image_scanner_t *scanner = zbar_image_scanner_create ();
+  zbar_image_scanner_set_config (scanner,0, ZBAR_CFG_ENABLE, 1);
+
+  zbar_image_t *zimage = zbar_image_create ();
+  zbar_image_set_format (zimage, zbar_fourcc ('Y', '8', '0', '0'));
+  zbar_image_set_size (zimage, width, height);
+  zbar_image_set_data (zimage, buffer, width * height, &zbar_image_free_data);
+
+  int n = zbar_scan_image (scanner, zimage);
+
+  if (-1 == n)
+  {
+    LOG (_("No captured images\n"));
+    return NULL;
+  }
+
+  LOG(_("Got %d images\n"), n);
+
+  const zbar_symbol_t *symbol = zbar_image_first_symbol (zimage);
+
+  const char *data = zbar_symbol_get_data (symbol);
+  if (NULL == data)
+  {
+    GNUNET_break (0);
+    zbar_image_destroy (zimage);
+    zbar_image_scanner_destroy (scanner);
+    return NULL;
+  }
+
+  LOG (_("Found %s: \"%s\"\n"),
+       zbar_get_symbol_name (zbar_symbol_get_type (symbol)),
+       data);
+
+  char *copy = GNUNET_strdup (data);
+
+  zbar_image_destroy (zimage);
+  zbar_image_scanner_destroy (scanner);
+
+  return copy;
+}
+#endif
+
+/**
+ * Main function executed by the scheduler.
+ *
+ * @param cls closure
+ * @param args remaining command line arguments
+ * @param cfgfile name of the configuration file being used
+ * @param cfg the used configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  char *data = NULL;
+
+  GNUNET_SCHEDULER_add_shutdown (&shutdown_program, NULL);
+
+#if HAVE_PNG
+  if (NULL != pngfilename)
+  {
+    data = run_png_reader ();
+  }
+  else
+#endif
+  {
+    data = run_zbar ();
+  }
+
+  if (NULL == data)
+  {
+    LOG (_("No data found\n"));
+    exit_code = 1;
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+
+  handle_uri (cls, data, cfgfile, cfg);
+
+  if (0 != exit_code)
+  {
+    fprintf (stdout, _("Failed to add URI %s\n"), data);
+    GNUNET_free (data);
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+
+  LOG (_("Dispatching the URI\n"));
+}
+
+int
+main (int argc, char *const *argv)
+{
+  struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_option_string (
+      'd',
+      "device",
+      "DEVICE",
+      gettext_noop ("use the video device DEVICE (defaults to /dev/video0)"),
+      &device),
+#if HAVE_PNG
+    GNUNET_GETOPT_option_string (
+      'f',
+      "file",
+      "FILE",
+      gettext_noop ("read from the PNG-encoded file FILE"),
+      &pngfilename),
+#endif
+    GNUNET_GETOPT_option_verbose (&verbosity),
+    GNUNET_GETOPT_OPTION_END,
+  };
+
+  enum GNUNET_GenericReturnValue ret =
+    GNUNET_PROGRAM_run (argc,
+                        argv,
+                        "gnunet-qr",
+                        gettext_noop ("Scan a QR code and import the URI read"),
+                        options,
+                        &run,
+                        NULL);
+
+  return ((GNUNET_OK == ret) && (0 == exit_code)) ? 0 : 1;
+}
diff --git a/src/cli/util/gnunet-resolver.c b/src/cli/util/gnunet-resolver.c
new file mode 100644
index 000000000..a23aeb4aa
--- /dev/null
+++ b/src/cli/util/gnunet-resolver.c
@@ -0,0 +1,191 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2010 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @file util/gnunet-resolver.c
+ * @brief tool to test resolver
+ * @author Christian Grothoff
+ */
+
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include "gnunet_resolver_service.h"
+
+#define GET_TIMEOUT GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_SECONDS, 5)
+
+/**
+ * Flag for reverse lookup.
+ */
+static int reverse;
+
+
+/**
+ * Prints each hostname obtained from DNS.
+ *
+ * @param cls closure (unused)
+ * @param hostname one of the names for the host, NULL
+ *        on the last call to the callback
+ */
+static void
+print_hostname (void *cls,
+                const char *hostname)
+{
+  (void) cls;
+  if (NULL == hostname)
+    return;
+  fprintf (stdout,
+           "%s\n",
+           hostname);
+}
+
+
+/**
+ * Callback function to display address.
+ *
+ * @param cls closure (unused)
+ * @param addr one of the addresses of the host, NULL for the last address
+ * @param addrlen length of the address
+ */
+static void
+print_sockaddr (void *cls,
+                const struct sockaddr *addr,
+                socklen_t addrlen)
+{
+  (void) cls;
+  if (NULL == addr)
+    return;
+  fprintf (stdout,
+           "%s\n",
+           GNUNET_a2s (addr,
+                       addrlen));
+}
+
+
+/**
+ * Main function that will be run by the scheduler.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param cfg configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  const struct sockaddr *sa;
+  socklen_t salen;
+  struct sockaddr_in v4;
+  struct sockaddr_in6 v6;
+
+  (void) cls;
+  (void) cfgfile;
+  (void) cfg;
+  if (NULL == args[0])
+    return;
+  if (! reverse)
+  {
+    GNUNET_RESOLVER_ip_get (args[0],
+                            AF_UNSPEC,
+                            GET_TIMEOUT,
+                            &print_sockaddr,
+                            NULL);
+    return;
+  }
+
+  sa = NULL;
+  memset (&v4, 0, sizeof(v4));
+  v4.sin_family = AF_INET;
+#if HAVE_SOCKADDR_IN_SIN_LEN
+  v4.sin_len = sizeof(v4);
+#endif
+  if (1 == inet_pton (AF_INET,
+                      args[0],
+                      &v4.sin_addr))
+  {
+    sa = (struct sockaddr *) &v4;
+    salen = sizeof(v4);
+  }
+  memset (&v6, 0, sizeof(v6));
+  v6.sin6_family = AF_INET6;
+#if HAVE_SOCKADDR_IN_SIN_LEN
+  v6.sin6_len = sizeof(v6);
+#endif
+  if (1 == inet_pton (AF_INET6,
+                      args[0],
+                      &v6.sin6_addr))
+  {
+    sa = (struct sockaddr *) &v6;
+    salen = sizeof(v6);
+  }
+  if (NULL == sa)
+  {
+    fprintf (stderr,
+             "`%s' is not a valid IP: %s\n",
+             args[0],
+             strerror (errno));
+    return;
+  }
+  GNUNET_RESOLVER_hostname_get (sa, salen,
+                                GNUNET_YES,
+                                GET_TIMEOUT,
+                                &print_hostname,
+                                NULL);
+}
+
+
+/**
+ * The main function to access GNUnet's DNS resolver.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc, char *const *argv)
+{
+  struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_option_flag ('r',
+                               "reverse",
+                               gettext_noop ("perform a reverse lookup"),
+                               &reverse),
+    GNUNET_GETOPT_OPTION_END
+  };
+  int ret;
+
+  if (GNUNET_OK !=
+      GNUNET_STRINGS_get_utf8_args (argc, argv,
+                                    &argc, &argv))
+    return 2;
+
+  ret = (GNUNET_OK ==
+         GNUNET_PROGRAM_run (argc, argv,
+                             "gnunet-resolver [hostname]",
+                             gettext_noop ("Use built-in GNUnet stub resolver"),
+                             options,
+                             &run, NULL)) ? 0 : 1;
+  GNUNET_free_nz ((void *) argv);
+  return ret;
+}
+
+
+/* end of gnunet-resolver.c */
diff --git a/src/cli/util/gnunet-scrypt.c b/src/cli/util/gnunet-scrypt.c
new file mode 100644
index 000000000..3d1b9c017
--- /dev/null
+++ b/src/cli/util/gnunet-scrypt.c
@@ -0,0 +1,325 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2014 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file util/gnunet-scrypt.c
+ * @brief tool to manipulate SCRYPT proofs of work.
+ * @author Bart Polot
+ */
+
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include <gcrypt.h>
+
+
+/**
+ * Salt for PoW calcualations.
+ */
+static struct GNUNET_CRYPTO_PowSalt salt = { "gnunet-nse-proof" };
+
+
+/**
+ * Amount of work required (W-bit collisions) for NSE proofs, in collision-bits.
+ */
+static unsigned long long nse_work_required;
+
+/**
+ * Interval between proof find runs.
+ */
+static struct GNUNET_TIME_Relative proof_find_delay;
+
+static struct GNUNET_CRYPTO_EddsaPublicKey pub;
+
+static uint64_t proof;
+
+static struct GNUNET_SCHEDULER_Task *proof_task;
+
+static const struct GNUNET_CONFIGURATION_Handle *cfg;
+
+static char *pkfn;
+
+static char *pwfn;
+
+
+/**
+ * Write our current proof to disk.
+ *
+ * @param cls closure
+ */
+static void
+shutdown_task (void *cls)
+{
+  (void) cls;
+  if (GNUNET_OK !=
+      GNUNET_DISK_fn_write (pwfn,
+                            &proof,
+                            sizeof(proof),
+                            GNUNET_DISK_PERM_USER_READ
+                            | GNUNET_DISK_PERM_USER_WRITE))
+    GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_WARNING,
+                              "write",
+                              pwfn);
+}
+
+
+/**
+ * Find our proof of work.
+ *
+ * @param cls closure (unused)
+ */
+static void
+find_proof (void *cls)
+{
+#define ROUND_SIZE 10
+  uint64_t counter;
+  char buf[sizeof(struct GNUNET_CRYPTO_EddsaPublicKey)
+           + sizeof(uint64_t)] GNUNET_ALIGN;
+  struct GNUNET_HashCode result;
+  unsigned int i;
+  struct GNUNET_TIME_Absolute timestamp;
+  struct GNUNET_TIME_Relative elapsed;
+
+  (void) cls;
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Got Proof of Work %llu\n",
+              (unsigned long long) proof);
+  proof_task = NULL;
+  GNUNET_memcpy (&buf[sizeof(uint64_t)],
+                 &pub,
+                 sizeof(struct GNUNET_CRYPTO_EddsaPublicKey));
+  i = 0;
+  counter = proof;
+  timestamp = GNUNET_TIME_absolute_get ();
+  while ((counter != UINT64_MAX) && (i < ROUND_SIZE))
+  {
+    GNUNET_memcpy (buf, &counter, sizeof(uint64_t));
+    GNUNET_CRYPTO_pow_hash (&salt,
+                            buf,
+                            sizeof(buf),
+                            &result);
+    if (nse_work_required <=
+        GNUNET_CRYPTO_hash_count_leading_zeros (&result))
+    {
+      proof = counter;
+      fprintf (stdout,
+               "Proof of work found: %llu!\n",
+               (unsigned long long) proof);
+      GNUNET_SCHEDULER_shutdown ();
+      return;
+    }
+    counter++;
+    i++;
+  }
+  elapsed = GNUNET_TIME_absolute_get_duration (timestamp);
+  elapsed = GNUNET_TIME_relative_divide (elapsed, ROUND_SIZE);
+  GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+              "Current: %llu [%s/proof]\n",
+              (unsigned long long) counter,
+              GNUNET_STRINGS_relative_time_to_string (elapsed, 0));
+  if (proof / (100 * ROUND_SIZE) < counter / (100 * ROUND_SIZE))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Testing proofs currently at %llu\n",
+                (unsigned long long) counter);
+    /* remember progress every 100 rounds */
+    proof = counter;
+    shutdown_task (NULL);
+  }
+  else
+  {
+    proof = counter;
+  }
+  proof_task =
+    GNUNET_SCHEDULER_add_delayed_with_priority (proof_find_delay,
+                                                GNUNET_SCHEDULER_PRIORITY_IDLE,
+                                                &find_proof,
+                                                NULL);
+}
+
+
+/**
+ * Main function that will be run by the scheduler.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param cfg configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *config)
+{
+  struct GNUNET_CRYPTO_EddsaPrivateKey pk;
+  char *pids;
+
+  (void) cls;
+  (void) args;
+  (void) cfgfile;
+  cfg = config;
+  /* load proof of work */
+  if (NULL == pwfn)
+  {
+    if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_filename (cfg,
+                                                              "NSE",
+                                                              "PROOFFILE",
+                                                              &pwfn))
+    {
+      GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR, "NSE", "PROOFFILE");
+      GNUNET_SCHEDULER_shutdown ();
+      return;
+    }
+  }
+  GNUNET_log (GNUNET_ERROR_TYPE_INFO, "Proof of Work file: %s\n", pwfn);
+  if ((GNUNET_YES != GNUNET_DISK_file_test (pwfn)) ||
+      (sizeof(proof) != GNUNET_DISK_fn_read (pwfn, &proof, sizeof(proof))))
+    proof = 0;
+
+  /* load private key */
+  if (NULL == pkfn)
+  {
+    if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_filename (cfg,
+                                                              "PEER",
+                                                              "PRIVATE_KEY",
+                                                              &pkfn))
+    {
+      GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
+                                 "PEER",
+                                 "PRIVATE_KEY");
+      return;
+    }
+  }
+  GNUNET_log (GNUNET_ERROR_TYPE_INFO, "Private Key file: %s\n", pkfn);
+  if (GNUNET_SYSERR ==
+      GNUNET_CRYPTO_eddsa_key_from_file (pkfn,
+                                         GNUNET_YES,
+                                         &pk))
+  {
+    fprintf (stderr, _ ("Loading hostkey from `%s' failed.\n"), pkfn);
+    GNUNET_free (pkfn);
+    return;
+  }
+  GNUNET_free (pkfn);
+  GNUNET_CRYPTO_eddsa_key_get_public (&pk,
+                                      &pub);
+  pids = GNUNET_CRYPTO_eddsa_public_key_to_string (&pub);
+  GNUNET_log (GNUNET_ERROR_TYPE_INFO, "Peer ID: %s\n", pids);
+  GNUNET_free (pids);
+
+  /* get target bit amount */
+  if (0 == nse_work_required)
+  {
+    if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_number (cfg,
+                                                            "NSE",
+                                                            "WORKBITS",
+                                                            &nse_work_required))
+    {
+      GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR, "NSE", "WORKBITS");
+      GNUNET_SCHEDULER_shutdown ();
+      return;
+    }
+    if (nse_work_required >= sizeof(struct GNUNET_HashCode) * 8)
+    {
+      GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_ERROR,
+                                 "NSE",
+                                 "WORKBITS",
+                                 _ ("Value is too large.\n"));
+      GNUNET_SCHEDULER_shutdown ();
+      return;
+    }
+    else if (0 == nse_work_required)
+    {
+      GNUNET_SCHEDULER_shutdown ();
+      return;
+    }
+  }
+  GNUNET_log (GNUNET_ERROR_TYPE_INFO, "Bits: %llu\n", nse_work_required);
+
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Delay between tries: %s\n",
+              GNUNET_STRINGS_relative_time_to_string (proof_find_delay, 1));
+  proof_task =
+    GNUNET_SCHEDULER_add_with_priority (GNUNET_SCHEDULER_PRIORITY_IDLE,
+                                        &find_proof,
+                                        NULL);
+  GNUNET_SCHEDULER_add_shutdown (&shutdown_task, NULL);
+}
+
+
+/**
+ * Program to manipulate ECC key files.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc, char *const *argv)
+{
+  struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_option_ulong (
+      'b',
+      "bits",
+      "BITS",
+      gettext_noop ("number of bits to require for the proof of work"),
+      &nse_work_required),
+    GNUNET_GETOPT_option_filename (
+      'k',
+      "keyfile",
+      "FILE",
+      gettext_noop ("file with private key, otherwise default is used"),
+      &pkfn),
+    GNUNET_GETOPT_option_filename (
+      'o',
+      "outfile",
+      "FILE",
+      gettext_noop ("file with proof of work, otherwise default is used"),
+      &pwfn),
+    GNUNET_GETOPT_option_relative_time ('t',
+                                        "timeout",
+                                        "TIME",
+                                        gettext_noop (
+                                          "time to wait between calculations"),
+                                        &proof_find_delay),
+    GNUNET_GETOPT_OPTION_END
+  };
+  int ret;
+
+  if (GNUNET_OK != GNUNET_STRINGS_get_utf8_args (argc, argv, &argc, &argv))
+    return 2;
+
+  ret =
+    (GNUNET_OK ==
+     GNUNET_PROGRAM_run (argc,
+                         argv,
+                         "gnunet-scrypt [OPTIONS] prooffile",
+                         gettext_noop ("Manipulate GNUnet proof of work files"),
+                         options,
+                         &run,
+                         NULL))
+    ? 0
+    : 1;
+  GNUNET_free_nz ((void *) argv);
+  GNUNET_free (pwfn);
+  return ret;
+}
+
+
+/* end of gnunet-scrypt.c */
diff --git a/src/cli/util/gnunet-timeout.c b/src/cli/util/gnunet-timeout.c
new file mode 100644
index 000000000..1d3002c08
--- /dev/null
+++ b/src/cli/util/gnunet-timeout.c
@@ -0,0 +1,119 @@
+/*
+     This file is part of GNUnet
+     Copyright (C) 2010 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License, or
+     (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @file src/util/gnunet-timeout.c
+ * @brief small tool starting a child process, waiting that it terminates or killing it after a given timeout period
+ * @author Matthias Wachs
+ */
+
+#include "platform.h"
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+static pid_t child;
+
+
+static void
+sigchld_handler (int val)
+{
+  int status = 0;
+  int ret = 0;
+
+  (void) val;
+  waitpid (child, &status, 0);
+  if (WIFEXITED (status) != 0)
+  {
+    ret = WEXITSTATUS (status);
+    _exit (ret);  /* return same status code */
+  }
+  if (WIFSIGNALED (status) != 0)
+  {
+    ret = WTERMSIG (status);
+    kill (getpid (), ret); /* kill self with the same signal */
+  }
+  _exit (-1);
+}
+
+
+static void
+sigint_handler (int val)
+{
+  kill (0, val);
+  _exit (val);
+}
+
+
+int
+main (int argc, char *argv[])
+{
+  int timeout = 0;
+  pid_t gpid = 0;
+
+  if (argc < 3)
+  {
+    fprintf (stderr,
+             "arg 1: timeout in sec., arg 2: executable, arg<n> arguments\n");
+    exit (-1);
+  }
+
+  timeout = atoi (argv[1]);
+
+  if (timeout == 0)
+    timeout = 600;
+
+  /* with getpgid() it does not compile, but getpgrp is the BSD version and working */
+  gpid = getpgrp ();
+
+  signal (SIGCHLD, sigchld_handler);
+  signal (SIGABRT, sigint_handler);
+  signal (SIGFPE, sigint_handler);
+  signal (SIGILL, sigint_handler);
+  signal (SIGINT, sigint_handler);
+  signal (SIGSEGV, sigint_handler);
+  signal (SIGTERM, sigint_handler);
+
+  child = fork ();
+  if (child == 0)
+  {
+    /*  int setpgrp(pid_t pid, pid_t pgid); is not working on this machine */
+    // setpgrp (0, pid_t gpid);
+    if (-1 != gpid)
+      setpgid (0, gpid);
+    execvp (argv[2], &argv[2]);
+    exit (-1);
+  }
+  if (child > 0)
+  {
+    sleep (timeout);
+    printf ("Child processes were killed after timeout of %u seconds\n",
+            timeout);
+    kill (0, SIGTERM);
+    exit (3);
+  }
+  exit (-1);
+}
+
+
+/* end of timeout_watchdog.c */
diff --git a/src/cli/util/gnunet-uri.c b/src/cli/util/gnunet-uri.c
new file mode 100644
index 000000000..128167cc5
--- /dev/null
+++ b/src/cli/util/gnunet-uri.c
@@ -0,0 +1,192 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2012 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @file util/gnunet-uri.c
+ * @brief tool to dispatch URIs to the appropriate GNUnet helper process
+ * @author Christian Grothoff
+ */
+
+#include "platform.h"
+#include "gnunet_util_lib.h"
+
+/**
+ * Handler exit code
+ */
+static long unsigned int exit_code = 0;
+
+/**
+ * Helper process we started.
+ */
+static struct GNUNET_OS_Process *p;
+
+/**
+ * Pipe used to communicate shutdown via signal.
+ */
+static struct GNUNET_DISK_PipeHandle *sigpipe;
+
+
+/**
+ * Task triggered whenever we receive a SIGCHLD (child
+ * process died) or when user presses CTRL-C.
+ *
+ * @param cls closure, NULL
+ */
+static void
+maint_child_death (void *cls)
+{
+  enum GNUNET_OS_ProcessStatusType type;
+
+  (void) cls;
+  if ((GNUNET_OK != GNUNET_OS_process_status (p, &type, &exit_code)) ||
+      (type != GNUNET_OS_PROCESS_EXITED))
+    GNUNET_break (0 == GNUNET_OS_process_kill (p, GNUNET_TERM_SIG));
+  GNUNET_OS_process_destroy (p);
+}
+
+
+/**
+ * Main function that will be run by the scheduler.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param cfg configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  const char *uri;
+  const char *slash;
+  char *subsystem;
+  char *program;
+  struct GNUNET_SCHEDULER_Task *rt;
+
+  (void) cls;
+  (void) cfgfile;
+  if (NULL == (uri = args[0]))
+  {
+    fprintf (stderr, _ ("No URI specified on command line\n"));
+    return;
+  }
+  if (0 != strncasecmp ("gnunet://", uri, strlen ("gnunet://")))
+  {
+    fprintf (stderr,
+             _ ("Invalid URI: does not start with `%s'\n"),
+             "gnunet://");
+    return;
+  }
+  uri += strlen ("gnunet://");
+  if (NULL == (slash = strchr (uri, '/')))
+  {
+    fprintf (stderr, _ ("Invalid URI: fails to specify subsystem\n"));
+    return;
+  }
+  subsystem = GNUNET_strndup (uri, slash - uri);
+  if (GNUNET_OK !=
+      GNUNET_CONFIGURATION_get_value_string (cfg, "uri", subsystem, &program))
+  {
+    fprintf (stderr, _ ("No handler known for subsystem `%s'\n"), subsystem);
+    GNUNET_free (subsystem);
+    return;
+  }
+  GNUNET_free (subsystem);
+  rt = GNUNET_SCHEDULER_add_read_file (
+    GNUNET_TIME_UNIT_FOREVER_REL,
+    GNUNET_DISK_pipe_handle (sigpipe, GNUNET_DISK_PIPE_END_READ),
+    &maint_child_death,
+    NULL);
+  p = GNUNET_OS_start_process (GNUNET_OS_INHERIT_STD_NONE,
+                               NULL,
+                               NULL,
+                               NULL,
+                               program,
+                               program,
+                               args[0],
+                               NULL);
+  GNUNET_free (program);
+  if (NULL == p)
+    GNUNET_SCHEDULER_cancel (rt);
+}
+
+
+/**
+ * Signal handler called for SIGCHLD.  Triggers the
+ * respective handler by writing to the trigger pipe.
+ */
+static void
+sighandler_child_death ()
+{
+  static char c;
+  int old_errno = errno; /* back-up errno */
+
+  GNUNET_break (
+    1 ==
+    GNUNET_DISK_file_write (GNUNET_DISK_pipe_handle (sigpipe,
+                                                     GNUNET_DISK_PIPE_END_WRITE),
+                            &c,
+                            sizeof(c)));
+  errno = old_errno; /* restore errno */
+}
+
+
+/**
+ * The main function to handle gnunet://-URIs.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc, char *const *argv)
+{
+  static const struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_OPTION_END
+  };
+  struct GNUNET_SIGNAL_Context *shc_chld;
+  int ret;
+
+  if (GNUNET_OK != GNUNET_STRINGS_get_utf8_args (argc, argv, &argc, &argv))
+    return 2;
+  sigpipe = GNUNET_DISK_pipe (GNUNET_DISK_PF_NONE);
+  GNUNET_assert (sigpipe != NULL);
+  shc_chld =
+    GNUNET_SIGNAL_handler_install (GNUNET_SIGCHLD, &sighandler_child_death);
+  ret = GNUNET_PROGRAM_run (argc,
+                            argv,
+                            "gnunet-uri URI",
+                            gettext_noop (
+                              "Perform default-actions for GNUnet URIs"),
+                            options,
+                            &run,
+                            NULL);
+  GNUNET_SIGNAL_handler_uninstall (shc_chld);
+  shc_chld = NULL;
+  GNUNET_DISK_pipe_close (sigpipe);
+  sigpipe = NULL;
+  GNUNET_free_nz ((void *) argv);
+  return ((GNUNET_OK == ret) && (0 == exit_code)) ? 0 : 1;
+}
+
+
+/* end of gnunet-uri.c */
diff --git a/src/cli/util/meson.build b/src/cli/util/meson.build
new file mode 100644
index 000000000..ed9c3105c
--- /dev/null
+++ b/src/cli/util/meson.build
@@ -0,0 +1,62 @@
+executable ('gnunet-base32',
+            ['gnunet-base32.c'],
+            dependencies: [libgnunetutil_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+executable ('gnunet-config',
+            ['gnunet-config.c'],
+            dependencies: [libgnunetutil_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+executable ('gnunet-resolver',
+            ['gnunet-resolver.c'],
+            dependencies: [libgnunetutil_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+executable ('gnunet-ecc',
+            ['gnunet-ecc.c'],
+            dependencies: [libgnunetutil_dep, gcrypt_dep, m_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+executable ('gnunet-scrypt',
+            ['gnunet-scrypt.c'],
+            dependencies: [libgnunetutil_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+executable ('gnunet-uri',
+            ['gnunet-uri.c'],
+            dependencies: [libgnunetutil_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('bindir'))
+if zbar_dep.found()
+  executable ('gnunet-qr',
+              ['gnunet-qr.c'],
+              dependencies: [zbar_dep, libgnunetutil_dep],
+              include_directories: [incdir, configuration_inc],
+              install: true,
+              install_dir: get_option('bindir'))
+endif
+executable ('gnunet-config-diff',
+            ['gnunet-config-diff.c'],
+            dependencies: [libgnunetutil_dep],
+            include_directories: [incdir, configuration_inc],
+            install: false)
+
+executable ('gnunet-timeout',
+            ['gnunet-timeout.c'],
+            dependencies: [libgnunetutil_dep],
+            include_directories: [incdir, configuration_inc],
+            install: true,
+            install_dir: get_option('libdir') / 'gnunet' / 'libexec')
+executable ('gnunet-crypto-tvg',
+            ['gnunet-crypto-tvg.c'],
+            dependencies: [libgnunetutil_dep, json_dep],
+            include_directories: [incdir, configuration_inc],
+            install: false)
+
diff --git a/src/cli/util/test_crypto_vectors.sh b/src/cli/util/test_crypto_vectors.sh
new file mode 100755
index 000000000..40700a324
--- /dev/null
+++ b/src/cli/util/test_crypto_vectors.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+cat ./crypto-test-vectors.json | ./gnunet-crypto-tvg --verify
diff --git a/src/cli/vpn/.gitignore b/src/cli/vpn/.gitignore
new file mode 100644
index 000000000..dbd75eb25
--- /dev/null
+++ b/src/cli/vpn/.gitignore
@@ -0,0 +1 @@
+gnunet-vpn
diff --git a/src/cli/vpn/Makefile.am b/src/cli/vpn/Makefile.am
new file mode 100644
index 000000000..0c7c459ef
--- /dev/null
+++ b/src/cli/vpn/Makefile.am
@@ -0,0 +1,22 @@
+# This Makefile.am is in the public domain
+AM_CPPFLAGS = -I$(top_srcdir)/src/include -I$(top_builddir)/src/include
+
+if USE_COVERAGE
+  AM_CFLAGS = --coverage -O0
+endif
+
+pkgcfgdir= $(pkgdatadir)/config.d/
+
+libexecdir= $(pkglibdir)/libexec/
+
+plugindir = $(libdir)/gnunet
+
+bin_PROGRAMS = \
+  gnunet-vpn
+
+gnunet_vpn_SOURCES = \
+ gnunet-vpn.c
+gnunet_vpn_LDADD = \
+  $(top_builddir)/src/service/vpn/libgnunetvpn.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(GN_LIBINTL)
diff --git a/src/cli/vpn/gnunet-vpn.c b/src/cli/vpn/gnunet-vpn.c
new file mode 100644
index 000000000..a67e17016
--- /dev/null
+++ b/src/cli/vpn/gnunet-vpn.c
@@ -0,0 +1,364 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2012 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @file src/vpn/gnunet-vpn.c
+ * @brief Tool to manually request VPN tunnels to be created
+ * @author Christian Grothoff
+ */
+
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include "gnunet_vpn_service.h"
+
+
+/**
+ * Handle to vpn service.
+ */
+static struct GNUNET_VPN_Handle *handle;
+
+/**
+ * Opaque redirection request handle.
+ */
+static struct GNUNET_VPN_RedirectionRequest *request;
+
+/**
+ * Option -p: destination peer identity for service
+ */
+static char *peer_id;
+
+/**
+ * Option -s: service name (hash to get service descriptor)
+ */
+static char *service_name;
+
+/**
+ * Option -i: target IP
+ */
+static char *target_ip;
+
+/**
+ * Option -4: IPv4 requested.
+ */
+static int ipv4;
+
+/**
+ * Option -6: IPv6 requested.
+ */
+static int ipv6;
+
+/**
+ * Option -t: TCP requested.
+ */
+static int tcp;
+
+/**
+ * Option -u: UDP requested.
+ */
+static int udp;
+
+/**
+ * Selected level of verbosity.
+ */
+static unsigned int verbosity;
+
+/**
+ * Global return value.
+ */
+static int ret;
+
+/**
+ * Option '-d': duration of the mapping
+ */
+static struct GNUNET_TIME_Relative duration = { 5 * 60 * 1000 };
+
+
+/**
+ * Shutdown.
+ */
+static void
+do_disconnect (void *cls)
+{
+  if (NULL != request)
+  {
+    GNUNET_VPN_cancel_request (request);
+    request = NULL;
+  }
+  if (NULL != handle)
+  {
+    GNUNET_VPN_disconnect (handle);
+    handle = NULL;
+  }
+  GNUNET_free (peer_id);
+  GNUNET_free (service_name);
+  GNUNET_free (target_ip);
+}
+
+
+/**
+ * Callback invoked from the VPN service once a redirection is
+ * available.  Provides the IP address that can now be used to
+ * reach the requested destination.
+ *
+ * @param cls closure
+ * @param af address family, AF_INET or AF_INET6; AF_UNSPEC on error;
+ *                will match 'result_af' from the request
+ * @param address IP address (struct in_addr or struct in_addr6, depending on 'af')
+ *                that the VPN allocated for the redirection;
+ *                traffic to this IP will now be redirected to the
+ *                specified target peer; NULL on error
+ */
+static void
+allocation_cb (void *cls, int af, const void *address)
+{
+  char buf[INET6_ADDRSTRLEN];
+
+  request = NULL;
+  switch (af)
+  {
+  case AF_INET6:
+  case AF_INET:
+    fprintf (stdout, "%s\n", inet_ntop (af, address, buf, sizeof(buf)));
+    break;
+
+  case AF_UNSPEC:
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR, _ ("Error creating tunnel\n"));
+    ret = 1;
+    break;
+
+  default:
+    break;
+  }
+  GNUNET_SCHEDULER_shutdown ();
+}
+
+
+/**
+ * Main function that will be run by the scheduler.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param cfg configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  int dst_af;
+  int req_af;
+  struct GNUNET_PeerIdentity peer;
+  struct GNUNET_HashCode sd;
+  const void *addr;
+  struct in_addr v4;
+  struct in6_addr v6;
+  uint8_t protocol;
+  struct GNUNET_TIME_Absolute etime;
+
+  etime = GNUNET_TIME_relative_to_absolute (duration);
+  GNUNET_SCHEDULER_add_shutdown (&do_disconnect, NULL);
+  handle = GNUNET_VPN_connect (cfg);
+  if (NULL == handle)
+    goto error;
+  req_af = AF_UNSPEC;
+  if (ipv4)
+  {
+    if (ipv6)
+    {
+      fprintf (stderr,
+               _ ("Option `%s' makes no sense with option `%s'.\n"),
+               "-4",
+               "-6");
+      goto error;
+    }
+    req_af = AF_INET;
+  }
+  if (ipv6)
+    req_af = AF_INET6;
+
+  if (NULL == target_ip)
+  {
+    if (NULL == service_name)
+    {
+      fprintf (stderr, _ ("Option `%s' or `%s' is required.\n"), "-i", "-s");
+      goto error;
+    }
+    if (NULL == peer_id)
+    {
+      fprintf (stderr,
+               _ ("Option `%s' is required when using option `%s'.\n"),
+               "-p",
+               "-s");
+      goto error;
+    }
+    if (! (tcp | udp))
+    {
+      fprintf (stderr,
+               _ ("Option `%s' or `%s' is required when using option `%s'.\n"),
+               "-t",
+               "-u",
+               "-s");
+      goto error;
+    }
+    if (tcp & udp)
+    {
+      fprintf (stderr,
+               _ ("Option `%s' makes no sense with option `%s'.\n"),
+               "-t",
+               "-u");
+      goto error;
+    }
+    if (tcp)
+      protocol = IPPROTO_TCP;
+    if (udp)
+      protocol = IPPROTO_UDP;
+    if (GNUNET_OK !=
+        GNUNET_CRYPTO_eddsa_public_key_from_string (peer_id,
+                                                    strlen (peer_id),
+                                                    &peer.public_key))
+    {
+      fprintf (stderr, _ ("`%s' is not a valid peer identifier.\n"), peer_id);
+      goto error;
+    }
+    GNUNET_TUN_service_name_to_hash (service_name, &sd);
+    request = GNUNET_VPN_redirect_to_peer (handle,
+                                           req_af,
+                                           protocol,
+                                           &peer,
+                                           &sd,
+                                           etime,
+                                           &allocation_cb,
+                                           NULL);
+  }
+  else
+  {
+    if (1 != inet_pton (AF_INET6, target_ip, &v6))
+    {
+      if (1 != inet_pton (AF_INET, target_ip, &v4))
+      {
+        fprintf (stderr, _ ("`%s' is not a valid IP address.\n"), target_ip);
+        goto error;
+      }
+      else
+      {
+        dst_af = AF_INET;
+        addr = &v4;
+      }
+    }
+    else
+    {
+      dst_af = AF_INET6;
+      addr = &v6;
+    }
+    request = GNUNET_VPN_redirect_to_ip (handle,
+                                         req_af,
+                                         dst_af,
+                                         addr,
+                                         etime,
+                                         &allocation_cb,
+                                         NULL);
+  }
+  return;
+
+error:
+  GNUNET_SCHEDULER_shutdown ();
+  ret = 1;
+}
+
+
+int
+main (int argc, char *const *argv)
+{
+  struct GNUNET_GETOPT_CommandLineOption options[] =
+  { GNUNET_GETOPT_option_flag ('4',
+                               "ipv4",
+                               gettext_noop (
+                                 "request that result should be an IPv4 address"),
+                               &ipv4),
+
+    GNUNET_GETOPT_option_flag ('6',
+                               "ipv6",
+                               gettext_noop (
+                                 "request that result should be an IPv6 address"),
+                               &ipv6),
+
+    GNUNET_GETOPT_option_relative_time (
+      'd',
+      "duration",
+      "TIME",
+      gettext_noop ("how long should the mapping be valid for new tunnels?"),
+      &duration),
+
+    GNUNET_GETOPT_option_string ('i',
+                                 "ip",
+                                 "IP",
+                                 gettext_noop (
+                                   "destination IP for the tunnel"),
+                                 &target_ip),
+
+    GNUNET_GETOPT_option_string (
+      'p',
+      "peer",
+      "PEERID",
+      gettext_noop ("peer offering the service we would like to access"),
+      &peer_id),
+
+    GNUNET_GETOPT_option_string ('s',
+                                 "service",
+                                 "NAME",
+                                 gettext_noop (
+                                   "name of the service we would like to access"),
+                                 &service_name),
+
+    GNUNET_GETOPT_option_flag ('t',
+                               "tcp",
+                               gettext_noop ("service is offered via TCP"),
+                               &tcp),
+
+    GNUNET_GETOPT_option_flag ('u',
+                               "udp",
+                               gettext_noop ("service is offered via UDP"),
+                               &udp),
+
+    GNUNET_GETOPT_option_verbose (&verbosity),
+
+    GNUNET_GETOPT_OPTION_END };
+
+  if (GNUNET_OK != GNUNET_STRINGS_get_utf8_args (argc, argv, &argc, &argv))
+    return 2;
+
+  ret =
+    (GNUNET_OK == GNUNET_PROGRAM_run (argc,
+                                      argv,
+                                      "gnunet-vpn",
+                                      gettext_noop ("Setup tunnels via VPN."),
+                                      options,
+                                      &run,
+                                      NULL))
+    ? ret
+    : 1;
+  GNUNET_free_nz ((void *) argv);
+  return ret;
+}
+
+
+/* end of gnunet-vpn.c */
diff --git a/src/cli/vpn/meson.build b/src/cli/vpn/meson.build
new file mode 100644
index 000000000..477551f1d
--- /dev/null
+++ b/src/cli/vpn/meson.build
@@ -0,0 +1,13 @@
+executable ('gnunet-vpn',
+            ['gnunet-vpn.c'],
+            dependencies: [libgnunetvpn_dep,
+                           libgnunetutil_dep,
+                           libgnunetstatistics_dep,
+                           libgnunetregex_dep,
+                           libgnunetcore_dep,
+                           libgnunetcadet_dep,
+                           libgnunetblock_dep],
+            include_directories: [incdir, configuration_inc, exitdir],
+            install: true,
+            install_dir: get_option('bindir'))
+