31 files changed, 13840 insertions, 0 deletions

diff --git a/src/service/gns/.gitignore b/src/service/gns/.gitignore
new file mode 100644
index 000000000..3bbb2eb3d
--- /dev/null
+++ b/src/service/gns/.gitignore
@@ -0,0 +1,12 @@
+gnunet-service-gns
+gnunet-bcd
+gnunet-dns2gns
+gnunet-gns
+gnunet-gns-proxy
+gnunet-gns-benchmark
+test_gns_proxy
+local.crt
+local.der
+local.key
+server.csr
+gnunet-gns-proxy-setup-ca
diff --git a/src/service/gns/Makefile.am b/src/service/gns/Makefile.am
new file mode 100644
index 000000000..a169b43a6
--- /dev/null
+++ b/src/service/gns/Makefile.am
@@ -0,0 +1,180 @@
+# This Makefile.am is in the public domain
+AM_CPPFLAGS = -I$(top_srcdir)/src/include
+
+if HAVE_GLIBCNSS
+NSS_SUBDIR = nss
+endif
+
+SUBDIRS = . $(NSS_SUBDIR)
+
+if HAVE_LIBIDN
+  LIBIDN= -lidn
+else
+  LIBIDN=
+endif
+
+if HAVE_LIBIDN2
+  LIBIDN2= -lidn2
+else
+  LIBIDN2=
+endif
+
+USE_VPN = $(top_builddir)/src/service/vpn/libgnunetvpn.la
+
+if USE_COVERAGE
+  AM_CFLAGS = --coverage -O0
+endif
+
+pkgcfgdir = $(pkgdatadir)/config.d/
+
+libexecdir= $(pkglibdir)/libexec/
+
+plugindir = $(libdir)/gnunet
+
+pkgcfg_DATA = \
+  gns.conf
+dist_pkgcfg_DATA = \
+  tlds.conf
+
+lib_LTLIBRARIES = \
+  libgnunetgns.la
+
+libexec_PROGRAMS = \
+  gnunet-service-gns \
+  gnunet-dns2gns
+
+noinst_PROGRAMS = \
+  gnunet-gns-benchmark
+
+if HAVE_PDFLATEX
+libexec_PROGRAMS += gnunet-bcd
+endif
+
+if HAVE_GNUTLS
+libexec_PROGRAMS += gnunet-gns-proxy
+endif
+
+gnunet_gns_benchmark_SOURCES = \
+ gnunet-gns-benchmark.c
+gnunet_gns_benchmark_LDADD = \
+  libgnunetgns.la \
+  $(top_builddir)/src/lib/gnsrecord/libgnunetgnsrecord.la \
+  $(top_builddir)/src/service/identity/libgnunetidentity.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(GN_LIBINTL)
+
+
+gnunet_bcd_SOURCES = \
+ gnunet-bcd.c
+gnunet_bcd_LDADD = \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(top_builddir)/src/service/identity/libgnunetidentity.la \
+  $(GN_LIBINTL) $(MHD_LIBS)
+gnunet_bcd_CFLAGS = $(MHD_CFLAGS) $(AM_CFLAGS)
+
+
+gnunet_dns2gns_SOURCES = \
+ gnunet-dns2gns.c
+gnunet_dns2gns_LDADD = \
+  $(top_builddir)/src/lib/gnsrecord/libgnunetgnsrecord.la \
+  libgnunetgns.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(USE_VPN) \
+  $(top_builddir)/src/service/identity/libgnunetidentity.la \
+  $(GN_LIBINTL)
+
+if HAVE_SUDO
+SUDO_OR_DOAS_BINARY= $(SUDO_BINARY) -n
+else
+if HAVE_DOAS_BINARY
+SUDO_OR_DOAS_BINARY= $(DOAS_BINARY)
+endif
+endif
+
+if LINUX
+HIJACKBIN = gnunet-dns2gns
+install-exec-hook:
+        $(SUDO_OR_DOAS_BINARY) setcap 'cap_net_bind_service=+ep' $(DESTDIR)$(libexecdir)/gnunet-dns2gns || true
+else
+install-exec-hook:
+endif
+
+gnunet_gns_proxy_SOURCES = \
+ gnunet-gns-proxy.c
+gnunet_gns_proxy_LDADD = $(MHD_LIBS) @LIBCURL@ -lgnutls \
+  libgnunetgns.la \
+  $(top_builddir)/src/service/identity/libgnunetidentity.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(GN_LIBINTL)
+if HAVE_GNUTLS_DANE
+gnunet_gns_proxy_LDADD += -lgnutls-dane
+endif
+gnunet_gns_proxy_CFLAGS = $(MHD_CFLAGS) @LIBCURL_CPPFLAGS@ $(AM_CFLAGS)
+
+test_gns_proxy_SOURCES = \
+  test_gns_proxy.c
+test_gns_proxy_LDADD = $(MHD_LIBS) @LIBCURL@ -lgnutls \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(GN_LIBINTL)
+test_gns_proxy_CFLAGS = $(MHD_CFLAGS) @LIBCURL_CPPFLAGS@ $(AM_CFLAGS)
+
+#gnunet_gns_import_SOURCES = \
+#  gnunet-gns-import.c
+#gnunet_gns_import_LDADD = \
+#  $(top_builddir)/src/service/identity/libgnunetidentity.la \
+#  $(top_builddir)/src/service/namestore/libgnunetnamestore.la \
+#  $(top_builddir)/src/lib/gnsrecord/libgnunetgnsrecord.la \
+#  $(top_builddir)/src/lib/util/libgnunetutil.la \
+#  $(GN_LIBINTL)
+
+
+gnunet_service_gns_SOURCES = \
+ gnunet-service-gns.c gnunet-service-gns.h \
+ gnunet-service-gns_resolver.c gnunet-service-gns_resolver.h \
+ gnunet-service-gns_interceptor.c gnunet-service-gns_interceptor.h
+gnunet_service_gns_LDADD = \
+  -lm \
+  $(top_builddir)/src/lib/gnsrecord/libgnunetgnsrecord.la \
+  $(top_builddir)/src/service/identity/libgnunetidentity.la \
+  $(top_builddir)/src/service/revocation/libgnunetrevocation.la \
+  $(top_builddir)/src/service/statistics/libgnunetstatistics.la \
+  $(top_builddir)/src/lib/util/libgnunetutil.la \
+  $(top_builddir)/src/service/dns/libgnunetdns.la \
+  $(top_builddir)/src/service/dht/libgnunetdht.la \
+  $(top_builddir)/src/service/namecache/libgnunetnamecache.la \
+  $(LIBIDN) $(LIBIDN2) \
+  $(GN_LIBINTL)
+
+
+libgnunetgns_la_SOURCES = \
+ gns_api.c gns_api.h \
+ gns_tld_api.c gns.h
+libgnunetgns_la_LIBADD = \
+ $(top_builddir)/src/lib/util/libgnunetutil.la $(XLIB) \
+ $(top_builddir)/src/service/identity/libgnunetidentity.la \
+ $(top_builddir)/src/lib/gnsrecord/libgnunetgnsrecord.la
+libgnunetgns_la_LDFLAGS = \
+  $(GN_LIBINTL) \
+  $(GN_LIB_LDFLAGS)
+
+
+if HAVE_GNUTLS
+check_PROGRAMS = \
+  test_gns_proxy
+endif
+
+if HAVE_GNUTLS_CURL
+check_SCRIPTS = \
+  test_proxy.sh
+endif
+
+EXTRA_DIST = \
+  test_gns_proxy.conf \
+  test_proxy.sh
+
+if ENABLE_TEST_RUN
+if HAVE_SQLITE
+ AM_TESTS_ENVIRONMENT=export GNUNET_PREFIX=$${GNUNET_PREFIX:-@libdir@};export PATH=$${GNUNET_PREFIX:-@prefix@}/bin:$$PATH;unset XDG_DATA_HOME;unset XDG_CONFIG_HOME;
+ TESTS = $(check_SCRIPTS)
+endif
+endif
diff --git a/src/service/gns/gns.conf.in b/src/service/gns/gns.conf.in
new file mode 100644
index 000000000..d8a27ec22
--- /dev/null
+++ b/src/service/gns/gns.conf.in
@@ -0,0 +1,59 @@
+[gns]
+START_ON_DEMAND = @START_ON_DEMAND@
+IMMEDIATE_START = YES
+HOSTNAME = localhost
+BINARY = gnunet-service-gns
+UNIXPATH = $GNUNET_RUNTIME_DIR/gnunet-service-gns.sock
+@JAVAPORT@PORT = 2102
+
+# Do we require users that want to access GNS to run this process
+# (usually not a good idea)
+UNIX_MATCH_UID = NO
+
+# Do we require users that want to access GNS to be in the 'gnunet' group?
+UNIX_MATCH_GID = YES
+
+# How many queries is GNS allowed to perform in the background at the same time?
+MAX_PARALLEL_BACKGROUND_QUERIES = 1000
+
+# Should we use the DNS interception mechanism?  If set to YES
+# we will ask gnunet-service-dns to pass DNS queries to us. Otherwise,
+# we only answer GNS queries via the API (which itself may be
+# called via NSS or other mechanisms).
+INTERCEPT_DNS = NO
+
+# PREFIX = valgrind --leak-check=full --track-origins=yes
+
+[gns-proxy]
+BINARY = gnunet-gns-proxy
+START_ON_DEMAND = NO
+RUN_PER_USER = YES
+BIND_TO=127.0.0.1
+BIND_TO6=::1
+
+# Where is the certificate for the GNS proxy stored?
+PROXY_CACERT = $GNUNET_DATA_HOME/gns/gns_ca_cert.pem
+PROXY_UNIXPATH = $GNUNET_RUNTIME_DIR/gnunet-gns-proxy.sock
+
+[bcd]
+BINARY = gnunet-bcd
+OPTIONS = -p 8888
+START_ON_DEMAND = NO
+RUN_PER_USER = YES
+
+[dns2gns]
+BINARY = gnunet-dns2gns
+START_ON_DEMAND = NO
+RUN_PER_USER = NO
+BIND_TO=127.0.0.1
+BIND_TO6=::1
+
+# -d: DNS resolver to use
+OPTIONS = -d 9.9.9.9
+PORT = 15353
+
+# This setting is useful in combination with systemd-resolve and
+# NetworkManager-dispatcher. It allows the interfaces to automatically
+# configure the dns2gns server for interfaces going up
+# See also: contrib/packages/fedora/10-dns2gns.sh
+ENABLE_RESOLVECTL_NMDISPATCHER = NO
diff --git a/src/service/gns/gns.h b/src/service/gns/gns.h
new file mode 100644
index 000000000..d882278f5
--- /dev/null
+++ b/src/service/gns/gns.h
@@ -0,0 +1,104 @@
+/*
+      This file is part of GNUnet
+      Copyright (C) 2012-2020 GNUnet e.V.
+
+      GNUnet is free software: you can redistribute it and/or modify it
+      under the terms of the GNU Affero General Public License as published
+      by the Free Software Foundation, either version 3 of the License,
+      or (at your option) any later version.
+
+      GNUnet is distributed in the hope that it will be useful, but
+      WITHOUT ANY WARRANTY; without even the implied warranty of
+      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+      Affero General Public License for more details.
+
+      You should have received a copy of the GNU Affero General Public License
+      along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file gns/gns.h
+ * @brief IPC messages between GNS API and GNS service
+ * @author Martin Schanzenbach
+ */
+#ifndef GNS_H
+#define GNS_H
+
+#include "gnunet_gns_service.h"
+
+
+GNUNET_NETWORK_STRUCT_BEGIN
+
+/**
+ * Message from client to GNS service to lookup records.
+ */
+struct LookupMessage
+{
+  /**
+   * Header of type #GNUNET_MESSAGE_TYPE_GNS_LOOKUP
+   */
+  struct GNUNET_MessageHeader header;
+
+  /**
+   * Unique identifier for this request (for key collisions).
+   */
+  uint32_t id GNUNET_PACKED;
+
+  /**
+   * Local options for where to look for results
+   * (an `enum GNUNET_GNS_LocalOptions` in NBO).
+   */
+  int16_t options GNUNET_PACKED;
+
+  /**
+   * Recursion depth limit, i.e. how many more
+   * GNS zones may be traversed during the resolution
+   * of this name.
+   */
+  uint16_t recursion_depth_limit GNUNET_PACKED;
+
+  /**
+   * the type of record to look up
+   */
+  int32_t type GNUNET_PACKED;
+
+  /**
+   * Length of the zone key
+   */
+  uint32_t key_len GNUNET_PACKED;
+  /**
+   * Followed by the zone that is to be used for lookup
+   * Followed by the zero-terminated name to look up */
+};
+
+
+/**
+ * Message from GNS service to client: new results.
+ */
+struct LookupResultMessage
+{
+  /**
+   * Header of type #GNUNET_MESSAGE_TYPE_GNS_LOOKUP_RESULT
+   */
+  struct GNUNET_MessageHeader header;
+
+  /**
+   * Unique identifier for this request (for key collisions).
+   */
+  uint32_t id GNUNET_PACKED;
+
+  /**
+   * The number of records contained in response. Zero for
+   * NXDOMAIN (as GNS always returns all records, there is
+   * no "NO DATA" case).
+   */
+  uint32_t rd_count GNUNET_PACKED;
+
+  /* followed by rd_count GNUNET_GNSRECORD_Data structs*/
+};
+
+
+GNUNET_NETWORK_STRUCT_END
+
+#endif
diff --git a/src/service/gns/gns_api.c b/src/service/gns/gns_api.c
new file mode 100644
index 000000000..0dc7580f9
--- /dev/null
+++ b/src/service/gns/gns_api.c
@@ -0,0 +1,440 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2009-2020 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file gns/gns_api.c
+ * @brief library to access the GNS service
+ * @author Martin Schanzenbach
+ * @author Christian Grothoff
+ */
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include "gnunet_constants.h"
+#include "gnunet_arm_service.h"
+#include "gnunet_protocols.h"
+#include "gnunet_dht_service.h"
+#include "gns.h"
+#include "gns_api.h"
+
+
+#define LOG(kind, ...) GNUNET_log_from (kind, "gns-api", __VA_ARGS__)
+
+/**
+ * Default recursion depth limit to apply if
+ * the application does not specify any.
+ */
+#define DEFAULT_LIMIT 128
+
+/**
+ * Handle to a lookup request
+ */
+struct GNUNET_GNS_LookupRequest
+{
+  /**
+   * DLL
+   */
+  struct GNUNET_GNS_LookupRequest *next;
+
+  /**
+   * DLL
+   */
+  struct GNUNET_GNS_LookupRequest *prev;
+
+  /**
+   * handle to gns
+   */
+  struct GNUNET_GNS_Handle *gns_handle;
+
+  /**
+   * processor to call on lookup result
+   */
+  GNUNET_GNS_LookupResultProcessor lookup_proc;
+
+  /**
+   * @e lookup_proc closure
+   */
+  void *proc_cls;
+
+  /**
+   * Envelope with the message for this queue entry.
+   */
+  struct GNUNET_MQ_Envelope *env;
+
+  /**
+   * request id
+   */
+  uint32_t r_id;
+};
+
+
+/**
+ * Reconnect to GNS service.
+ *
+ * @param handle the handle to the GNS service
+ */
+static void
+reconnect (struct GNUNET_GNS_Handle *handle);
+
+
+/**
+ * Reconnect to GNS
+ *
+ * @param cls the handle
+ */
+static void
+reconnect_task (void *cls)
+{
+  struct GNUNET_GNS_Handle *handle = cls;
+
+  handle->reconnect_task = NULL;
+  reconnect (handle);
+}
+
+
+/**
+ * Disconnect from service and then reconnect.
+ *
+ * @param handle our handle
+ */
+static void
+force_reconnect (struct GNUNET_GNS_Handle *handle)
+{
+  GNUNET_MQ_destroy (handle->mq);
+  handle->mq = NULL;
+  handle->reconnect_backoff
+    = GNUNET_TIME_STD_BACKOFF (handle->reconnect_backoff);
+  handle->reconnect_task
+    = GNUNET_SCHEDULER_add_delayed (handle->reconnect_backoff,
+                                    &reconnect_task,
+                                    handle);
+}
+
+
+/**
+ * Generic error handler, called with the appropriate error code and
+ * the same closure specified at the creation of the message queue.
+ * Not every message queue implementation supports an error handler.
+ *
+ * @param cls closure with the `struct GNUNET_GNS_Handle *`
+ * @param error error code
+ */
+static void
+mq_error_handler (void *cls,
+                  enum GNUNET_MQ_Error error)
+{
+  struct GNUNET_GNS_Handle *handle = cls;
+
+  LOG (GNUNET_ERROR_TYPE_WARNING,
+       "Problem with message queue. error: %i\n",
+       error);
+  force_reconnect (handle);
+}
+
+
+/**
+ * Check validity of message received from the GNS service
+ *
+ * @param cls the `struct GNUNET_GNS_Handle *`
+ * @param loookup_msg the incoming message
+ */
+static int
+check_result (void *cls,
+              const struct LookupResultMessage *lookup_msg)
+{
+  size_t mlen = ntohs (lookup_msg->header.size) - sizeof(*lookup_msg);
+  uint32_t rd_count = ntohl (lookup_msg->rd_count);
+  struct GNUNET_GNSRECORD_Data rd[rd_count];
+
+  (void) cls;
+  if (GNUNET_SYSERR ==
+      GNUNET_GNSRECORD_records_deserialize (mlen,
+                                            (const char *) &lookup_msg[1],
+                                            rd_count,
+                                            rd))
+  {
+    GNUNET_break (0);
+    return GNUNET_SYSERR;
+  }
+  return GNUNET_OK;
+}
+
+
+/**
+ * Handler for messages received from the GNS service
+ *
+ * @param cls the `struct GNUNET_GNS_Handle *`
+ * @param loookup_msg the incoming message
+ */
+static void
+handle_result (void *cls,
+               const struct LookupResultMessage *lookup_msg)
+{
+  struct GNUNET_GNS_Handle *handle = cls;
+  size_t mlen = ntohs (lookup_msg->header.size) - sizeof(*lookup_msg);
+  uint32_t rd_count = ntohl (lookup_msg->rd_count);
+  struct GNUNET_GNSRECORD_Data rd[rd_count];
+  uint32_t r_id = ntohl (lookup_msg->id);
+  struct GNUNET_GNS_LookupRequest *lr;
+  GNUNET_GNS_LookupResultProcessor proc;
+  void *proc_cls;
+
+  LOG (GNUNET_ERROR_TYPE_DEBUG,
+       "Received lookup reply from GNS service (%u records)\n",
+       (unsigned int) rd_count);
+  for (lr = handle->lookup_head; NULL != lr; lr = lr->next)
+    if (lr->r_id == r_id)
+      break;
+  if (NULL == lr)
+    return;
+  proc = lr->lookup_proc;
+  proc_cls = lr->proc_cls;
+
+  GNUNET_assert (GNUNET_OK ==
+                 GNUNET_GNSRECORD_records_deserialize (mlen,
+                                                       (const
+                                                        char *) &lookup_msg[1],
+                                                       rd_count,
+                                                       rd));
+  proc (proc_cls,
+        rd_count,
+        rd);
+  GNUNET_CONTAINER_DLL_remove (handle->lookup_head,
+                               handle->lookup_tail,
+                               lr);
+  if (NULL != lr->env)
+    GNUNET_MQ_discard (lr->env);
+  GNUNET_free (lr);
+}
+
+
+/**
+ * Reconnect to GNS service.
+ *
+ * @param handle the handle to the GNS service
+ */
+static void
+reconnect (struct GNUNET_GNS_Handle *handle)
+{
+  struct GNUNET_MQ_MessageHandler handlers[] = {
+    GNUNET_MQ_hd_var_size (result,
+                           GNUNET_MESSAGE_TYPE_GNS_LOOKUP_RESULT,
+                           struct LookupResultMessage,
+                           handle),
+    GNUNET_MQ_handler_end ()
+  };
+
+  GNUNET_assert (NULL == handle->mq);
+  LOG (GNUNET_ERROR_TYPE_DEBUG,
+       "Trying to connect to GNS\n");
+  handle->mq = GNUNET_CLIENT_connect (handle->cfg,
+                                      "gns",
+                                      handlers,
+                                      &mq_error_handler,
+                                      handle);
+  if (NULL == handle->mq)
+    return;
+  for (struct GNUNET_GNS_LookupRequest *lh = handle->lookup_head;
+       NULL != lh;
+       lh = lh->next)
+    GNUNET_MQ_send_copy (handle->mq,
+                         lh->env);
+}
+
+
+/**
+ * Initialize the connection with the GNS service.
+ *
+ * @param cfg configuration to use
+ * @return handle to the GNS service, or NULL on error
+ */
+struct GNUNET_GNS_Handle *
+GNUNET_GNS_connect (const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  struct GNUNET_GNS_Handle *handle;
+
+  handle = GNUNET_new (struct GNUNET_GNS_Handle);
+  handle->cfg = cfg;
+  reconnect (handle);
+  if (NULL == handle->mq)
+  {
+    GNUNET_free (handle);
+    return NULL;
+  }
+  return handle;
+}
+
+
+/**
+ * Shutdown connection with the GNS service.
+ *
+ * @param handle handle of the GNS connection to stop
+ */
+void
+GNUNET_GNS_disconnect (struct GNUNET_GNS_Handle *handle)
+{
+  if (NULL != handle->mq)
+  {
+    GNUNET_MQ_destroy (handle->mq);
+    handle->mq = NULL;
+  }
+  if (NULL != handle->reconnect_task)
+  {
+    GNUNET_SCHEDULER_cancel (handle->reconnect_task);
+    handle->reconnect_task = NULL;
+  }
+  GNUNET_assert (NULL == handle->lookup_head);
+  GNUNET_free (handle);
+}
+
+
+/**
+ * Cancel pending lookup request
+ *
+ * @param lr the lookup request to cancel
+ * @return closure from the lookup result processor
+ */
+void *
+GNUNET_GNS_lookup_cancel (struct GNUNET_GNS_LookupRequest *lr)
+{
+  struct GNUNET_GNS_Handle *handle = lr->gns_handle;
+  void *ret;
+
+  GNUNET_CONTAINER_DLL_remove (handle->lookup_head,
+                               handle->lookup_tail,
+                               lr);
+  GNUNET_MQ_discard (lr->env);
+  ret = lr->proc_cls;
+  GNUNET_free (lr);
+  return ret;
+}
+
+
+/**
+ * Perform an asynchronous lookup operation on the GNS.
+ *
+ * @param handle handle to the GNS service
+ * @param name the name to look up (in UTF-8 encoding)
+ * @param zone zone to look in
+ * @param type the GNS record type to look for
+ * @param options local options for the lookup
+ * @param recursion_depth_limit maximum number of zones
+ *        that the lookup may (still) traverse
+ * @param proc function to call on result
+ * @param proc_cls closure for @a proc
+ * @return handle to the queued request
+ */
+struct GNUNET_GNS_LookupRequest *
+GNUNET_GNS_lookup_limited (struct GNUNET_GNS_Handle *handle,
+                           const char *name,
+                           const struct GNUNET_CRYPTO_PublicKey *zone,
+                           uint32_t type,
+                           enum GNUNET_GNS_LocalOptions options,
+                           uint16_t recursion_depth_limit,
+                           GNUNET_GNS_LookupResultProcessor proc,
+                           void *proc_cls)
+{
+  /* IPC to shorten gns names, return shorten_handle */
+  struct LookupMessage *lookup_msg;
+  struct GNUNET_GNS_LookupRequest *lr;
+  size_t nlen;
+  size_t key_len;
+  ssize_t written;
+  char *buf;
+
+  if (NULL == name)
+  {
+    GNUNET_break (0);
+    return NULL;
+  }
+  LOG (GNUNET_ERROR_TYPE_DEBUG,
+       "Trying to lookup `%s' in GNS\n",
+       name);
+  nlen = strlen (name) + 1;
+  if (nlen >= GNUNET_MAX_MESSAGE_SIZE - sizeof(*lr))
+  {
+    GNUNET_break (0);
+    return NULL;
+  }
+  lr = GNUNET_new (struct GNUNET_GNS_LookupRequest);
+  lr->gns_handle = handle;
+  lr->lookup_proc = proc;
+  lr->proc_cls = proc_cls;
+  lr->r_id = handle->r_id_gen++;
+  key_len = GNUNET_CRYPTO_public_key_get_length (zone);
+  lr->env = GNUNET_MQ_msg_extra (lookup_msg,
+                                 nlen + key_len,
+                                 GNUNET_MESSAGE_TYPE_GNS_LOOKUP);
+  buf = (char *) &lookup_msg[1];
+  lookup_msg->id = htonl (lr->r_id);
+  lookup_msg->options = htons ((uint16_t) options);
+  lookup_msg->recursion_depth_limit
+    = htons (recursion_depth_limit);
+  lookup_msg->key_len = htonl (key_len);
+  written = GNUNET_CRYPTO_write_public_key_to_buffer (zone,
+                                                        buf,
+                                                        key_len);
+  GNUNET_assert (0 <= written);
+  buf += written;
+  lookup_msg->type = htonl (type);
+  GNUNET_memcpy (buf,
+                 name,
+                 nlen);
+  GNUNET_CONTAINER_DLL_insert (handle->lookup_head,
+                               handle->lookup_tail,
+                               lr);
+  if (NULL != handle->mq)
+    GNUNET_MQ_send_copy (handle->mq,
+                         lr->env);
+  return lr;
+}
+
+
+/**
+ * Perform an asynchronous lookup operation on the GNS.
+ *
+ * @param handle handle to the GNS service
+ * @param name the name to look up (in UTF-8 encoding)
+ * @param zone the zone to start the resolution in
+ * @param type the record type to look up
+ * @param options local options for the lookup
+ * @param proc processor to call on result
+ * @param proc_cls closure for @a proc
+ * @return handle to the get request
+ */
+struct GNUNET_GNS_LookupRequest*
+GNUNET_GNS_lookup (struct GNUNET_GNS_Handle *handle,
+                   const char *name,
+                   const struct GNUNET_CRYPTO_PublicKey *zone,
+                   uint32_t type,
+                   enum GNUNET_GNS_LocalOptions options,
+                   GNUNET_GNS_LookupResultProcessor proc,
+                   void *proc_cls)
+{
+  return GNUNET_GNS_lookup_limited (handle,
+                                    name,
+                                    zone,
+                                    type,
+                                    options,
+                                    DEFAULT_LIMIT,
+                                    proc,
+                                    proc_cls);
+}
+
+
+/* end of gns_api.c */
diff --git a/src/service/gns/gns_api.h b/src/service/gns/gns_api.h
new file mode 100644
index 000000000..003955bdd
--- /dev/null
+++ b/src/service/gns/gns_api.h
@@ -0,0 +1,74 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2009-2013, 2016, 2018 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file gns/gns_api.h
+ * @brief shared data structures of libgnunetgns
+ * @author Martin Schanzenbach
+ * @author Christian Grothoff
+ */
+#ifndef GNS_API_H
+#define GNS_API_H
+
+#include "gnunet_gns_service.h"
+
+
+/**
+ * Connection to the GNS service.
+ */
+struct GNUNET_GNS_Handle
+{
+  /**
+   * Configuration to use.
+   */
+  const struct GNUNET_CONFIGURATION_Handle *cfg;
+
+  /**
+   * Connection to service (if available).
+   */
+  struct GNUNET_MQ_Handle *mq;
+
+  /**
+   * Head of linked list of active lookup requests.
+   */
+  struct GNUNET_GNS_LookupRequest *lookup_head;
+
+  /**
+   * Tail of linked list of active lookup requests.
+   */
+  struct GNUNET_GNS_LookupRequest *lookup_tail;
+
+  /**
+   * Reconnect task
+   */
+  struct GNUNET_SCHEDULER_Task *reconnect_task;
+
+  /**
+   * How long do we wait until we try to reconnect?
+   */
+  struct GNUNET_TIME_Relative reconnect_backoff;
+
+  /**
+   * Request Id generator.  Incremented by one for each request.
+   */
+  uint32_t r_id_gen;
+};
+
+
+#endif
diff --git a/src/service/gns/gns_tld_api.c b/src/service/gns/gns_tld_api.c
new file mode 100644
index 000000000..7a6864010
--- /dev/null
+++ b/src/service/gns/gns_tld_api.c
@@ -0,0 +1,352 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2009-2013, 2016, 2018 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file gns/gns_tld_api.c
+ * @brief library to access the GNS service, including TLD lookup
+ * @author Martin Schanzenbach
+ * @author Christian Grothoff
+ */
+#include "platform.h"
+#include "gnunet_common.h"
+#include "gnunet_util_lib.h"
+#include "gnunet_constants.h"
+#include "gnunet_arm_service.h"
+#include "gnunet_identity_service.h"
+#include "gnunet_protocols.h"
+#include "gnunet_dht_service.h"
+#include "gns.h"
+#include "gns_api.h"
+
+
+#define LOG(kind, ...) GNUNET_log_from (kind, "gns-tld-api", __VA_ARGS__)
+
+
+/**
+ * Handle to a lookup request
+ */
+struct GNUNET_GNS_LookupWithTldRequest
+{
+  /**
+   * handle to gns
+   */
+  struct GNUNET_GNS_Handle *gns_handle;
+
+  /**
+   * processor to call on lookup result
+   */
+  GNUNET_GNS_LookupResultProcessor2 lookup_proc;
+
+  /**
+   * Domain name we are resolving.
+   */
+  char *name;
+
+  /**
+   * @e lookup_proc closure
+   */
+  void *lookup_proc_cls;
+
+  /**
+   * Underlying GNS lookup.
+   */
+  struct GNUNET_GNS_LookupRequest *lr;
+
+  /**
+   * Lookup an ego with the identity service.
+   */
+  struct GNUNET_IDENTITY_EgoSuffixLookup *id_co;
+
+  /**
+   * Name of the longest matching ego found so far.
+   * Must be freed on termination.
+   */
+  char *longest_match;
+
+  /**
+   * Ego corresponding to @e longest_match.
+   */
+  struct GNUNET_IDENTITY_Ego *longest_match_ego;
+
+  /**
+   * Desired result record type.
+   */
+  uint32_t type;
+
+  /**
+   * Lookup options.
+   */
+  enum GNUNET_GNS_LocalOptions options;
+};
+
+
+/**
+ * Obtain the TLD of the given @a name.
+ *
+ * @param name a name
+ * @return the part of @a name after the last ".",
+ *         or @a name if @a name does not contain a "."
+ */
+static const char *
+get_tld (const char *name)
+{
+  const char *tld;
+
+  tld = strrchr (name, (unsigned char) '.');
+  if (NULL == tld)
+    tld = name;
+  else
+    tld++; /* skip the '.' */
+  return tld;
+}
+
+
+/**
+ * Eat the "TLD" (last bit) of the given @a name.
+ *
+ * @param[in,out] name a name
+ * @param tld what to eat (can be more than just the tld)
+ */
+static void
+eat_tld (char *name, const char *tld)
+{
+  GNUNET_assert (0 < strlen (name));
+  if ((NULL == tld) || (strlen (name) == strlen (tld)))
+  {
+    strcpy (name, GNUNET_GNS_EMPTY_LABEL_AT);
+  }
+  else
+  {
+    GNUNET_assert (strlen (tld) < strlen (name));
+    name[strlen (name) - strlen (tld) - 1] = '\0';
+  }
+}
+
+
+/**
+ * Function called with the result of a GNS lookup.
+ *
+ * @param cls a `struct GNUNET_GNS_LookupWithTldRequest *`
+ * @param rd_count number of records returned
+ * @param rd array of @a rd_count records with the results
+ */
+static void
+process_lookup_result (void *cls,
+                       uint32_t rd_count,
+                       const struct GNUNET_GNSRECORD_Data *rd)
+{
+  struct GNUNET_GNS_LookupWithTldRequest *ltr = cls;
+
+  ltr->lr = NULL;
+  ltr->lookup_proc (ltr->lookup_proc_cls, GNUNET_YES, rd_count, rd);
+  GNUNET_GNS_lookup_with_tld_cancel (ltr);
+}
+
+
+/**
+ * Perform the actual resolution, starting with the zone
+ * identified by the given public key.
+ *
+ * @param pkey public key to use for the zone, can be NULL
+ */
+static void
+lookup_with_public_key (struct GNUNET_GNS_LookupWithTldRequest *ltr,
+                        const struct GNUNET_CRYPTO_PublicKey *pkey)
+{
+  ltr->lr = GNUNET_GNS_lookup (ltr->gns_handle,
+                               ltr->name,
+                               pkey,
+                               ltr->type,
+                               ltr->options,
+                               &process_lookup_result,
+                               ltr);
+}
+
+
+/**
+ * Method called to with the ego we are to use for the lookup,
+ * when the ego is determined by a name.
+ *
+ * @param cls a `struct GNUNET_GNS_LookupWithTldRequest *`
+ * @param ego ego handle, NULL at the end of the iteration
+ * @param ctx context we could store data to associate with @e ego
+ * @param ego_name name of the ego
+ */
+static void
+identity_zone_cb (void *cls,
+                  const struct GNUNET_CRYPTO_PrivateKey *priv,
+                  const char *ego_name)
+{
+  struct GNUNET_GNS_LookupWithTldRequest *ltr = cls;
+  struct GNUNET_CRYPTO_PublicKey pkey;
+
+  ltr->id_co = NULL;
+  if (NULL == priv)
+  {
+    /* no matching ego found */
+    ltr->lookup_proc (ltr->lookup_proc_cls, GNUNET_NO, 0, NULL);
+    return;
+  }
+  /* Final case: TLD matches one of our egos */
+  if (0 == strcmp (ltr->name, ego_name))
+  {
+    /* name matches ego name perfectly, only "@" remains */
+    strcpy (ltr->name, GNUNET_GNS_EMPTY_LABEL_AT);
+  }
+  else
+  {
+    GNUNET_assert (strlen (ego_name) < strlen (ltr->name));
+    ltr->name[strlen (ltr->name) - strlen (ego_name) - 1] = '\0';
+  }
+  /* if the name is of the form 'label' (and not 'label.SUBDOMAIN'), never go to the DHT */
+  if (NULL == strchr (ltr->name, (unsigned char) '.'))
+    ltr->options = GNUNET_GNS_LO_NO_DHT;
+  else
+    ltr->options = GNUNET_GNS_LO_LOCAL_MASTER;
+  GNUNET_CRYPTO_key_get_public (priv, &pkey);
+  lookup_with_public_key (ltr, &pkey);
+}
+
+
+enum GNUNET_GenericReturnValue
+GNUNET_GNS_parse_ztld (const char *name,
+                       struct GNUNET_CRYPTO_PublicKey *ztld_key)
+{
+  const char *tld;
+
+  /* start with trivial case: TLD is zkey */
+  tld = get_tld (name);
+  return GNUNET_CRYPTO_public_key_from_string (tld, ztld_key);
+}
+
+
+struct GNUNET_GNS_LookupWithTldRequest *
+GNUNET_GNS_lookup_with_tld (struct GNUNET_GNS_Handle *handle,
+                            const char *name,
+                            uint32_t type,
+                            enum GNUNET_GNS_LocalOptions options,
+                            GNUNET_GNS_LookupResultProcessor2 proc,
+                            void *proc_cls)
+{
+  struct GNUNET_GNS_LookupWithTldRequest *ltr;
+  const char *tld;
+  char *dot_tld;
+  char *zonestr;
+  struct GNUNET_CRYPTO_PublicKey pkey;
+
+  ltr = GNUNET_new (struct GNUNET_GNS_LookupWithTldRequest);
+  ltr->gns_handle = handle;
+  ltr->name = GNUNET_strdup (name);
+  ltr->type = type;
+  ltr->options = options;
+  ltr->lookup_proc = proc;
+  ltr->lookup_proc_cls = proc_cls;
+  /* start with trivial case: TLD is zkey */
+  if (GNUNET_OK ==
+      GNUNET_GNS_parse_ztld (ltr->name, &pkey))
+  {
+    tld = get_tld (ltr->name);
+    LOG (GNUNET_ERROR_TYPE_DEBUG,
+         "`%s' seems to be a valid zone key\n", tld);
+    eat_tld (ltr->name, tld);
+    lookup_with_public_key (ltr, &pkey);
+    return ltr;
+  }
+
+  /* second case: domain is mapped in our configuration file */
+  for (const char *domain = name; NULL != domain;
+       domain = strchr (domain, (unsigned char) '.'))
+  {
+    if ('.' == domain[0])
+      domain++;
+    GNUNET_asprintf (&dot_tld, ".%s", domain);
+    if (GNUNET_OK == GNUNET_CONFIGURATION_get_value_string (handle->cfg,
+                                                            "gns",
+                                                            dot_tld,
+                                                            &zonestr))
+    {
+      if (GNUNET_OK !=
+          GNUNET_CRYPTO_public_key_from_string (zonestr,
+                                                &pkey))
+      {
+        GNUNET_log_config_invalid (
+          GNUNET_ERROR_TYPE_ERROR,
+          "gns",
+          dot_tld,
+          _ ("Expected a base32-encoded public zone key\n"));
+        GNUNET_free (zonestr);
+        GNUNET_free (dot_tld);
+        GNUNET_free (ltr->name);
+        GNUNET_free (ltr);
+        return NULL;
+      }
+      eat_tld (ltr->name, &dot_tld[1]);
+      GNUNET_free (zonestr);
+      GNUNET_free (dot_tld);
+      lookup_with_public_key (ltr, &pkey);
+      return ltr;
+    }
+    GNUNET_free (dot_tld);
+  }
+  LOG (GNUNET_ERROR_TYPE_DEBUG,
+       "`%s' should be a valid ego\n", ltr->name);
+  ltr->id_co =
+    GNUNET_IDENTITY_ego_lookup_by_suffix (ltr->gns_handle->cfg,
+                                          ltr->name,
+                                          &identity_zone_cb,
+                                          ltr);
+  if (NULL == ltr->id_co)
+  {
+    GNUNET_free (ltr->name);
+    GNUNET_free (ltr);
+    return NULL;
+  }
+  return ltr;
+}
+
+
+/**
+ * Cancel pending lookup request
+ *
+ * @param ltr the lookup request to cancel
+ * @return closure from the lookup result processor
+ */
+void *
+GNUNET_GNS_lookup_with_tld_cancel (struct GNUNET_GNS_LookupWithTldRequest *ltr)
+{
+  void *ret = ltr->lookup_proc_cls;
+
+  if (NULL != ltr->id_co)
+  {
+    GNUNET_IDENTITY_ego_lookup_by_suffix_cancel (ltr->id_co);
+    ltr->id_co = NULL;
+  }
+  if (NULL != ltr->lr)
+  {
+    GNUNET_GNS_lookup_cancel (ltr->lr);
+    ltr->lr = NULL;
+  }
+  GNUNET_free (ltr->longest_match);
+  GNUNET_free (ltr->name);
+  GNUNET_free (ltr);
+  return ret;
+}
+
+
+/* end of gns_tld_api.c */
diff --git a/src/service/gns/gnunet-bcd.c b/src/service/gns/gnunet-bcd.c
new file mode 100644
index 000000000..0f7fb6507
--- /dev/null
+++ b/src/service/gns/gnunet-bcd.c
@@ -0,0 +1,677 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2013 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @file gns/gnunet-bcd.c
+ * @author Christian Grothoff
+ * @brief HTTP server to create GNS business cards
+ */
+
+#include "platform.h"
+#include <microhttpd.h>
+#include "gnunet_util_lib.h"
+#include "gnunet_identity_service.h"
+#include "gnunet_mhd_compat.h"
+
+struct StaticResource
+{
+  /**
+   * Handle to file on disk.
+   */
+  struct GNUNET_DISK_FileHandle *handle;
+
+  /**
+   * Size in bytes of the file.
+   */
+  uint64_t size;
+
+  /**
+   * Cached response object to send to clients.
+   */
+  struct MHD_Response *response;
+};
+
+struct ParameterMap
+{
+  /**
+   * Name of the parameter from the request.
+   */
+  char *name;
+
+  /**
+   * Name of the definition in the TeX output.
+   */
+  char *definition;
+};
+
+/**
+ * Handle to the HTTP server as provided by libmicrohttpd
+ */
+static struct MHD_Daemon *httpd = NULL;
+
+/**
+ * Our primary task for the HTTPD.
+ */
+static struct GNUNET_SCHEDULER_Task *httpd_task = NULL;
+
+/**
+ * Index file resource (simple result).
+ */
+static struct StaticResource *index_simple = NULL;
+
+/**
+ * Index file resource (full result).
+ */
+static struct StaticResource *index_full = NULL;
+
+/**
+ * Error: invalid gns key.
+ */
+static struct StaticResource *key_error = NULL;
+
+/**
+ * Error: 404
+ */
+static struct StaticResource *notfound_error = NULL;
+
+/**
+ * Errors after receiving the form data.
+ */
+static struct StaticResource *internal_error = NULL;
+
+/**
+ * Other errors.
+ */
+static struct StaticResource *forbidden_error = NULL;
+
+/**
+ * Full path to the TeX template file (simple result)
+ */
+static char *tex_file_simple = NULL;
+
+/**
+ * Full path to the TeX template file (full result)
+ */
+static char *tex_file_full = NULL;
+
+/**
+ * Full path to the TeX template file (PNG result)
+ */
+static char *tex_file_png = NULL;
+
+/**
+ * Used as a sort of singleton to send exactly one 100 CONTINUE per request.
+ */
+static int continue_100 = 100;
+
+/**
+ * Map of names with TeX definitions, used during PDF generation.
+ */
+static const struct ParameterMap pmap[] = {
+  {"prefix", "prefix"},
+  {"name", "name"},
+  {"suffix", "suffix"},
+  {"street", "street"},
+  {"city", "city"},
+  {"phone", "phone"},
+  {"fax", "fax"},
+  {"email", "email"},
+  {"homepage", "homepage"},
+  {"org", "organization"},
+  {"department", "department"},
+  {"subdepartment", "subdepartment"},
+  {"jobtitle", "jobtitle"},
+  {NULL, NULL},
+};
+
+/**
+ * Port number.
+ */
+static uint16_t port = 8888;
+
+/**
+ * Task ran at shutdown to clean up everything.
+ *
+ * @param cls unused
+ */
+static void
+do_shutdown (void *cls)
+{
+  /* We cheat a bit here: the file descriptor is implicitly closed by MHD, so
+   calling `GNUNET_DISK_file_close' would generate a spurious warning message
+   in the log. Since that function does nothing but close the descriptor and
+   free the allocated memory, After destroying the response all that's left to
+   do is call `GNUNET_free'. */
+  if (NULL != index_simple)
+  {
+    MHD_destroy_response (index_simple->response);
+    GNUNET_free (index_simple->handle);
+    GNUNET_free (index_simple);
+  }
+  if (NULL != index_full)
+  {
+    MHD_destroy_response (index_full->response);
+    GNUNET_free (index_full->handle);
+    GNUNET_free (index_full);
+  }
+  if (NULL != key_error)
+  {
+    MHD_destroy_response (key_error->response);
+    GNUNET_free (key_error->handle);
+    GNUNET_free (key_error);
+  }
+  if (NULL != notfound_error)
+  {
+    MHD_destroy_response (notfound_error->response);
+    GNUNET_free (notfound_error->handle);
+    GNUNET_free (notfound_error);
+  }
+  if (NULL != internal_error)
+  {
+    MHD_destroy_response (internal_error->response);
+    GNUNET_free (internal_error->handle);
+    GNUNET_free (internal_error);
+  }
+  if (NULL != forbidden_error)
+  {
+    MHD_destroy_response (forbidden_error->response);
+    GNUNET_free (forbidden_error->handle);
+    GNUNET_free (forbidden_error);
+  }
+
+  if (NULL != httpd_task)
+  {
+    GNUNET_SCHEDULER_cancel (httpd_task);
+  }
+  if (NULL != httpd)
+  {
+    MHD_stop_daemon (httpd);
+  }
+}
+
+/**
+ * Called when the HTTP server has some pending operations.
+ *
+ * @param cls unused
+ */
+static void
+do_httpd (void *cls);
+
+/**
+ * Schedule a task to run MHD.
+ */
+static void
+run_httpd (void)
+{
+  fd_set rs;
+  fd_set ws;
+  fd_set es;
+
+  struct GNUNET_NETWORK_FDSet *grs = GNUNET_NETWORK_fdset_create ();
+  struct GNUNET_NETWORK_FDSet *gws = GNUNET_NETWORK_fdset_create ();
+  struct GNUNET_NETWORK_FDSet *ges = GNUNET_NETWORK_fdset_create ();
+
+  FD_ZERO (&rs);
+  FD_ZERO (&ws);
+  FD_ZERO (&es);
+
+  int max = -1;
+  GNUNET_assert (MHD_YES == MHD_get_fdset (httpd, &rs, &ws, &es, &max));
+
+  unsigned MHD_LONG_LONG timeout = 0;
+  struct GNUNET_TIME_Relative gtime = GNUNET_TIME_UNIT_FOREVER_REL;
+  if (MHD_YES == MHD_get_timeout (httpd, &timeout))
+  {
+    gtime = GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_MILLISECONDS,
+                                           timeout);
+  }
+
+  GNUNET_NETWORK_fdset_copy_native (grs, &rs, max + 1);
+  GNUNET_NETWORK_fdset_copy_native (gws, &ws, max + 1);
+  GNUNET_NETWORK_fdset_copy_native (ges, &es, max + 1);
+
+  httpd_task = GNUNET_SCHEDULER_add_select (GNUNET_SCHEDULER_PRIORITY_HIGH,
+                                            gtime,
+                                            grs,
+                                            gws,
+                                            &do_httpd,
+                                            NULL);
+  GNUNET_NETWORK_fdset_destroy (grs);
+  GNUNET_NETWORK_fdset_destroy (gws);
+  GNUNET_NETWORK_fdset_destroy (ges);
+}
+
+/**
+ * Called when the HTTP server has some pending operations.
+ *
+ * @param cls unused
+ */
+static void
+do_httpd (void *cls)
+{
+  httpd_task = NULL;
+  MHD_run (httpd);
+  run_httpd ();
+}
+
+/**
+ * Send a response back to a connected client.
+ *
+ * @param cls unused
+ * @param connection the connection with the client
+ * @param url the requested address
+ * @param method the HTTP method used
+ * @param version the protocol version (including the "HTTP/" part)
+ * @param upload_data data sent with a POST request
+ * @param upload_data_size length in bytes of the POST data
+ * @param ptr used to pass data between request handling phases
+ * @return MHD_NO on error
+ */
+static MHD_RESULT
+create_response (void *cls,
+                 struct MHD_Connection *connection,
+                 const char *url,
+                 const char *method,
+                 const char *version,
+                 const char *upload_data,
+                 size_t *upload_data_size,
+                 void **ptr)
+{
+  (void) cls;
+  (void) version;
+  (void) upload_data;
+  (void) upload_data_size;
+
+  bool isget = (0 == strcmp (method, MHD_HTTP_METHOD_GET));
+  bool ishead = (0 == strcmp (method, MHD_HTTP_METHOD_HEAD));
+
+  if (!isget && !ishead)
+  {
+    return MHD_queue_response (connection,
+                               MHD_HTTP_NOT_IMPLEMENTED,
+                               forbidden_error->response);
+  }
+
+  if (ishead)
+  {
+    /* Dedicated branch in case we want to provide a different result for some
+       reason (e.g. a non-web browser application using the web UI) */
+    return MHD_queue_response (connection,
+                               MHD_HTTP_OK,
+                               index_simple->response);
+  }
+
+  /* Send a 100 CONTINUE response to tell clients that the result of the
+     request might take some time */
+  if (NULL == *ptr)
+  {
+    *ptr = &continue_100;
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Sending 100 CONTINUE\n");
+    return MHD_YES;
+  }
+
+  if (0 == strcmp ("/", url))
+  {
+    return MHD_queue_response (connection,
+                               MHD_HTTP_OK,
+                               index_simple->response);
+  }
+
+  if (0 == strcmp ("/full", url))
+  {
+    return MHD_queue_response (connection,
+                               MHD_HTTP_OK,
+                               index_full->response);
+  }
+
+  bool isfull = (0 == strcmp ("/submit/full", url));
+  bool issimple = (0 == strcmp ("/submit/simple", url));
+
+  if (!isfull && !issimple)
+  {
+    return MHD_queue_response (connection,
+                               MHD_HTTP_NOT_FOUND,
+                               notfound_error->response);
+  }
+
+  const char *gpgfp = MHD_lookup_connection_value (connection,
+                                                   MHD_GET_ARGUMENT_KIND,
+                                                   "gpgfingerprint");
+  const char *gnsnick = MHD_lookup_connection_value (connection,
+                                                     MHD_GET_ARGUMENT_KIND,
+                                                     "gnsnick");
+  const char *gnskey = MHD_lookup_connection_value (connection,
+                                                    MHD_GET_ARGUMENT_KIND,
+                                                    "gnskey");
+  const char *qrpng = MHD_lookup_connection_value (connection,
+                                                   MHD_GET_ARGUMENT_KIND,
+                                                   "gnspng");
+
+  struct GNUNET_CRYPTO_PublicKey pk;
+  if (NULL == gnskey
+      || GNUNET_OK != GNUNET_CRYPTO_public_key_from_string (gnskey, &pk))
+  {
+    return MHD_queue_response (connection,
+                               MHD_HTTP_BAD_REQUEST,
+                               key_error->response);
+  }
+
+  char *tmpd = GNUNET_DISK_mkdtemp (gnskey);
+  if (NULL == tmpd)
+  {
+    GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_ERROR, "mktemp", gnskey);
+    return MHD_queue_response (connection,
+                               MHD_HTTP_INTERNAL_SERVER_ERROR,
+                               internal_error->response);
+  }
+
+  char *defpath = NULL;
+  GNUNET_asprintf (&defpath, "%s%s%s", tmpd, DIR_SEPARATOR_STR, "def.tex");
+
+  FILE *deffile = fopen (defpath, "w");
+  if (NULL == deffile)
+  {
+    GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_ERROR, "open", defpath);
+    GNUNET_free (defpath);
+    GNUNET_DISK_directory_remove (tmpd);
+    GNUNET_free (tmpd);
+    return MHD_queue_response (connection,
+                               MHD_HTTP_INTERNAL_SERVER_ERROR,
+                               internal_error->response);
+  }
+
+  GNUNET_free (defpath);
+
+  for (size_t i=0; NULL!=pmap[i].name; ++i)
+  {
+    const char *value = MHD_lookup_connection_value (connection,
+                                                     MHD_GET_ARGUMENT_KIND,
+                                                     pmap[i].name);
+    fprintf (deffile,
+             "\\def\\%s{%s}\n",
+             pmap[i].definition,
+             (NULL == value) ? "" : value);
+  }
+
+  if (NULL != gpgfp)
+  {
+    size_t len = strlen (gpgfp);
+    char *line1 = GNUNET_strndup (gpgfp, len/2);
+    char *line2 = GNUNET_strdup (&gpgfp[len/2]);
+    fprintf (deffile,
+             "\\def\\gpglineone{%s}\n\\def\\gpglinetwo{%s}\n",
+             line1,
+             line2);
+    GNUNET_free (line1);
+    GNUNET_free (line2);
+  }
+
+  fprintf (deffile,
+           "\\def\\gns{%s/%s}\n",
+           gnskey,
+           (NULL == gnsnick) ? "" : gnsnick);
+
+  fclose (deffile);
+
+  char *command = NULL;
+  GNUNET_asprintf (&command,
+                   "cd %s; cp %s gns-bcd.tex; "
+                   "pdflatex %s gns-bcd.tex >/dev/null 2>&1",
+                   tmpd,
+                   (isfull) ? tex_file_full :
+                   ((NULL == qrpng) ? tex_file_simple : tex_file_png),
+                   (NULL == qrpng) ? "" : "-shell-escape");
+
+  int ret = system (command);
+
+  GNUNET_free (command);
+
+  if (WIFSIGNALED (ret) || 0 != WEXITSTATUS (ret))
+  {
+    GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_ERROR, "system", command);
+  }
+
+  GNUNET_asprintf (&defpath,
+                   "%s%s%s",
+                   tmpd,
+                   DIR_SEPARATOR_STR,
+                   (NULL == qrpng) ? "gns-bcd.pdf" : "gns-bcd.png");
+
+  int pdf = open (defpath, O_RDONLY);
+  if (-1 == pdf)
+  {
+    GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_ERROR, "open", defpath);
+    GNUNET_free (defpath);
+    GNUNET_DISK_directory_remove (tmpd);
+    GNUNET_free (tmpd);
+    return MHD_queue_response (connection,
+                               MHD_HTTP_INTERNAL_SERVER_ERROR,
+                               internal_error->response);
+  }
+
+  struct stat statret;
+  GNUNET_break (0 == stat (defpath, &statret));
+
+  GNUNET_free (defpath);
+
+  struct MHD_Response *pdfrs =
+    MHD_create_response_from_fd ((size_t) statret.st_size, pdf);
+  if (NULL == pdfrs)
+  {
+    GNUNET_break (0);
+    GNUNET_break (0 == close (pdf));
+    GNUNET_DISK_directory_remove (tmpd);
+    GNUNET_free (tmpd);
+    return MHD_queue_response (connection,
+                               MHD_HTTP_INTERNAL_SERVER_ERROR,
+                               internal_error->response);
+  }
+
+  GNUNET_assert (MHD_NO != MHD_add_response_header (pdfrs,
+                           MHD_HTTP_HEADER_CONTENT_TYPE,
+                           (NULL == qrpng) ? "application/pdf" : "image/png"));
+  GNUNET_assert (MHD_NO != MHD_add_response_header (pdfrs,
+                           MHD_HTTP_HEADER_CONTENT_DISPOSITION,
+                           (NULL == qrpng) ?
+                           "attachment; filename=\"gns-business-card.pdf\"" :
+                           "attachment; filename=\"gns-qr-code.png\""));
+  MHD_RESULT r = MHD_queue_response (connection, MHD_HTTP_OK, pdfrs);
+
+  MHD_destroy_response (pdfrs);
+  GNUNET_DISK_directory_remove (tmpd);
+  GNUNET_free (tmpd);
+
+  return r;
+}
+
+/**
+ * Open a file on disk and generate a response for it.
+ *
+ * @param name name of the file to open
+ * @param basedir directory where the file is located
+ * @return NULL on error
+ */
+static struct StaticResource *
+open_static_resource (const char *name, const char *basedir)
+{
+  char *fullname = NULL;
+  GNUNET_asprintf (&fullname, "%s%s%s", basedir, DIR_SEPARATOR_STR, name);
+
+  struct GNUNET_DISK_FileHandle *f =
+    GNUNET_DISK_file_open (fullname,
+                           GNUNET_DISK_OPEN_READ,
+                           GNUNET_DISK_PERM_NONE);
+
+  GNUNET_free (fullname);
+
+  if (NULL == f)
+  {
+    return NULL;
+  }
+
+  off_t size = 0;
+  if (GNUNET_SYSERR == GNUNET_DISK_file_handle_size (f, &size))
+  {
+    GNUNET_DISK_file_close (f);
+    return NULL;
+  }
+
+  struct MHD_Response *response = MHD_create_response_from_fd64 (size, f->fd);
+
+  if (NULL == response)
+  {
+    GNUNET_DISK_file_close (f);
+    return NULL;
+  }
+
+  struct StaticResource *res = GNUNET_new (struct StaticResource);
+  res->handle = f;
+  res->size = (uint64_t) size;
+  res->response = response;
+
+  return res;
+}
+
+/**
+ * Main function that will be run.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param c configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *c)
+{
+  (void) cls;
+  (void) args;
+  (void) cfgfile;
+
+  if (0 == port)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                _ ("Invalid port number %u\n"),
+                port);
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+
+  GNUNET_SCHEDULER_add_shutdown (&do_shutdown, NULL);
+
+  char *datadir = GNUNET_OS_installation_get_path (GNUNET_OS_IPK_DATADIR);
+  GNUNET_assert (NULL != datadir);
+
+  GNUNET_asprintf (&tex_file_full,
+                   "%s%s%s",
+                   datadir,
+                   DIR_SEPARATOR_STR,
+                   "gns-bcd.tex");
+  GNUNET_asprintf (&tex_file_simple,
+                   "%s%s%s",
+                   datadir,
+                   DIR_SEPARATOR_STR,
+                   "gns-bcd-simple.tex");
+  GNUNET_asprintf(&tex_file_png,
+                  "%s%s%s",
+                  datadir,
+                  DIR_SEPARATOR_STR,
+                  "gns-bcd-png.tex");
+
+  index_simple = open_static_resource ("gns-bcd-simple.html", datadir);
+  index_full = open_static_resource ("gns-bcd.html", datadir);
+  key_error = open_static_resource ("gns-bcd-invalid-key.html", datadir);
+  notfound_error = open_static_resource ("gns-bcd-not-found.html", datadir);
+  internal_error = open_static_resource ("gns-bcd-internal-error.html", datadir);
+  forbidden_error = open_static_resource ("gns-bcd-forbidden.html", datadir);
+
+  GNUNET_free (datadir);
+
+  if ((NULL == index_simple) || (NULL == index_full)
+      || (NULL == key_error) || (NULL == notfound_error)
+      || (NULL == internal_error) || (NULL == forbidden_error))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                _ ("Unable to set up the daemon\n"));
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+
+  int flags = MHD_USE_DUAL_STACK | MHD_USE_DEBUG | MHD_ALLOW_SUSPEND_RESUME;
+  do
+  {
+    httpd = MHD_start_daemon (flags,
+                              port,
+                              NULL, NULL,
+                              &create_response, NULL,
+                              MHD_OPTION_CONNECTION_LIMIT, 512,
+                              MHD_OPTION_PER_IP_CONNECTION_LIMIT, 2,
+                              MHD_OPTION_CONNECTION_TIMEOUT, 60,
+                              MHD_OPTION_CONNECTION_MEMORY_LIMIT, 16 * 1024,
+                              MHD_OPTION_END);
+    flags = MHD_USE_DEBUG;
+  } while (NULL == httpd && flags != MHD_USE_DEBUG);
+
+  if (NULL == httpd)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                _ ("Failed to start HTTP server\n"));
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+
+  run_httpd ();
+}
+
+/**
+ * The main function for gnunet-gns.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc, char *const *argv)
+{
+  struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_option_uint16 (
+      'p',
+      "port",
+      "PORT",
+      gettext_noop ("Run HTTP server on port PORT (default is 8888)"),
+      &port),
+    GNUNET_GETOPT_OPTION_END,
+  };
+
+  return ((GNUNET_OK ==
+           GNUNET_PROGRAM_run (argc,
+                               argv,
+                               "gnunet-bcd",
+                               _ ("GNUnet HTTP server to create business cards"),
+                               options,
+                               &run,
+                               NULL))
+          ? 0
+          : 1);
+}
+
+/* end of gnunet-bcd.c */
diff --git a/src/service/gns/gnunet-dns2gns.c b/src/service/gns/gnunet-dns2gns.c
new file mode 100644
index 000000000..8706bec3a
--- /dev/null
+++ b/src/service/gns/gnunet-dns2gns.c
@@ -0,0 +1,1024 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2012-2013 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file gnunet-dns2gns.c
+ * @brief DNS server that translates DNS requests to GNS
+ * @author Christian Grothoff
+ */
+#include "platform.h"
+#include <gnunet_util_lib.h>
+#include <gnunet_gns_service.h>
+#include "gnunet_vpn_service.h"
+#include "gns.h"
+
+/**
+ * Timeout for DNS requests.
+ */
+#define TIMEOUT GNUNET_TIME_UNIT_MINUTES
+
+/**
+ * Default timeout for VPN redirections.
+ */
+#define VPN_TIMEOUT GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_MINUTES, 30)
+
+
+struct Request;
+
+/**
+ * Closure for #vpn_allocation_cb.
+ */
+struct VpnContext
+{
+  /**
+   * Which resolution process are we processing.
+   */
+  struct Request *request;
+
+  /**
+   * Handle to the VPN request that we were performing.
+   */
+  struct GNUNET_VPN_RedirectionRequest *vpn_request;
+
+  /**
+   * Number of records serialized in @e rd_data.
+   */
+  unsigned int rd_count;
+
+  /**
+   * Serialized records.
+   */
+  char *rd_data;
+
+  /**
+   * Number of bytes in @e rd_data.
+   */
+  ssize_t rd_data_size;
+};
+
+
+/**
+ * Data kept per request.
+ */
+struct Request
+{
+  /**
+   * Socket to use for sending the reply.
+   */
+  struct GNUNET_NETWORK_Handle *lsock;
+
+  /**
+   * Destination address to use.
+   */
+  const void *addr;
+
+  /**
+   * Initially, this is the DNS request, it will then be
+   * converted to the DNS response.
+   */
+  struct GNUNET_DNSPARSER_Packet *packet;
+
+  /**
+   * Our GNS request handle.
+   */
+  struct GNUNET_GNS_LookupWithTldRequest *lookup;
+
+  /**
+   * Our DNS request handle
+   */
+  struct GNUNET_DNSSTUB_RequestSocket *dns_lookup;
+
+  /**
+   * Task run on timeout or shutdown to clean up without
+   * response.
+   */
+  struct GNUNET_SCHEDULER_Task *timeout_task;
+
+  /**
+   * Vpn resulution context
+   */
+  struct VpnContext *vpn_ctx;
+
+  /**
+   * Original UDP request message.
+   */
+  char *udp_msg;
+
+  /**
+   * Number of bytes in @e addr.
+   */
+  size_t addr_len;
+
+  /**
+   * Number of bytes in @e udp_msg.
+   */
+  size_t udp_msg_size;
+
+  /**
+   * ID of the original request.
+   */
+  uint16_t original_request_id;
+
+};
+
+/**
+ * The address to bind to
+ */
+static in_addr_t address;
+
+/**
+ * The IPv6 address to bind to
+ */
+static struct in6_addr address6;
+
+
+/**
+ * Handle to GNS resolver.
+ */
+struct GNUNET_GNS_Handle *gns;
+
+/**
+ * Our handle to the vpn service
+ */
+static struct GNUNET_VPN_Handle *vpn_handle;
+
+/**
+ * Stub resolver
+ */
+struct GNUNET_DNSSTUB_Context *dns_stub;
+
+/**
+ * Listen socket for IPv4.
+ */
+static struct GNUNET_NETWORK_Handle *listen_socket4;
+
+/**
+ * Listen socket for IPv6.
+ */
+static struct GNUNET_NETWORK_Handle *listen_socket6;
+
+/**
+ * Task for IPv4 socket.
+ */
+static struct GNUNET_SCHEDULER_Task *t4;
+
+/**
+ * Task for IPv6 socket.
+ */
+static struct GNUNET_SCHEDULER_Task *t6;
+
+/**
+ * IP of DNS server
+ */
+static char *dns_ip;
+
+/**
+ * UDP Port we listen on for inbound DNS requests.
+ */
+static unsigned long long listen_port = 53;
+
+/**
+ * Configuration to use.
+ */
+static const struct GNUNET_CONFIGURATION_Handle *cfg;
+
+
+/**
+ * Task run on shutdown.  Cleans up everything.
+ *
+ * @param cls unused
+ */
+static void
+do_shutdown (void *cls)
+{
+  (void) cls;
+  if (NULL != t4)
+  {
+    GNUNET_SCHEDULER_cancel (t4);
+    t4 = NULL;
+  }
+  if (NULL != t6)
+  {
+    GNUNET_SCHEDULER_cancel (t6);
+    t6 = NULL;
+  }
+  if (NULL != listen_socket4)
+  {
+    GNUNET_NETWORK_socket_close (listen_socket4);
+    listen_socket4 = NULL;
+  }
+  if (NULL != listen_socket6)
+  {
+    GNUNET_NETWORK_socket_close (listen_socket6);
+    listen_socket6 = NULL;
+  }
+  if (NULL != gns)
+  {
+    GNUNET_GNS_disconnect (gns);
+    gns = NULL;
+  }
+  if (NULL != vpn_handle)
+  {
+    GNUNET_VPN_disconnect (vpn_handle);
+    vpn_handle = NULL;
+  }
+  if (NULL != dns_stub)
+  {
+    GNUNET_DNSSTUB_stop (dns_stub);
+    dns_stub = NULL;
+  }
+}
+
+
+/**
+ * Shuffle answers
+ * Fisher-Yates (aka Knuth) Shuffle
+ *
+ * @param request context for the request (with answers)
+ */
+static void
+shuffle_answers (struct Request *request)
+{
+  unsigned int idx = request->packet->num_answers;
+  unsigned int r_idx;
+  struct GNUNET_DNSPARSER_Record tmp_answer;
+
+  while (0 != idx)
+  {
+    r_idx = GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_WEAK,
+                                      request->packet->num_answers);
+    idx--;
+    tmp_answer = request->packet->answers[idx];
+    memcpy (&request->packet->answers[idx], &request->packet->answers[r_idx],
+            sizeof (struct GNUNET_DNSPARSER_Record));
+    memcpy (&request->packet->answers[r_idx], &tmp_answer,
+            sizeof (struct GNUNET_DNSPARSER_Record));
+  }
+}
+
+
+/**
+ * Send the response for the given request and clean up.
+ *
+ * @param request context for the request.
+ */
+static void
+send_response (struct Request *request)
+{
+  char *buf;
+  size_t size;
+  ssize_t sret;
+
+  shuffle_answers (request);
+  if (GNUNET_SYSERR ==
+      GNUNET_DNSPARSER_pack (request->packet,
+                             UINT16_MAX /* is this not too much? */,
+                             &buf,
+                             &size))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                _ ("Failed to pack DNS response into UDP packet!\n"));
+  }
+  else
+  {
+    sret = GNUNET_NETWORK_socket_sendto (request->lsock,
+                                         buf,
+                                         size,
+                                         request->addr,
+                                         request->addr_len);
+    if ((sret < 0) ||
+        (size != (size_t) sret))
+      GNUNET_log_strerror (GNUNET_ERROR_TYPE_WARNING,
+                           "sendto");
+    GNUNET_free (buf);
+  }
+  GNUNET_SCHEDULER_cancel (request->timeout_task);
+  GNUNET_DNSPARSER_free_packet (request->packet);
+  GNUNET_free (request->udp_msg);
+  GNUNET_free (request);
+}
+
+
+/**
+ * Task run on timeout.  Cleans up request.
+ *
+ * @param cls `struct Request *` of the request to clean up
+ */
+static void
+do_timeout (void *cls)
+{
+  struct Request *request = cls;
+  struct VpnContext *vpn_ctx;
+
+  if (NULL != request->packet)
+    GNUNET_DNSPARSER_free_packet (request->packet);
+  if (NULL != request->lookup)
+    GNUNET_GNS_lookup_with_tld_cancel (request->lookup);
+  if (NULL != request->dns_lookup)
+    GNUNET_DNSSTUB_resolve_cancel (request->dns_lookup);
+  GNUNET_free (request->udp_msg);
+  if (NULL != (vpn_ctx = request->vpn_ctx))
+  {
+    GNUNET_VPN_cancel_request (vpn_ctx->vpn_request);
+    GNUNET_free (vpn_ctx->rd_data);
+    GNUNET_free (vpn_ctx);
+  }
+  GNUNET_free (request);
+}
+
+
+/**
+ * Iterator called on obtained result for a DNS lookup
+ *
+ * @param cls closure
+ * @param dns the DNS udp payload
+ * @param r size of the DNS payload
+ */
+static void
+dns_result_processor (void *cls,
+                      const struct GNUNET_TUN_DnsHeader *dns,
+                      size_t r)
+{
+  struct Request *request = cls;
+
+  if (NULL == dns)
+  {
+    /* DNSSTUB gave up, so we trigger timeout early */
+    GNUNET_SCHEDULER_cancel (request->timeout_task);
+    do_timeout (request);
+    return;
+  }
+  if (request->original_request_id != dns->id)
+  {
+    /* for a another query, ignore */
+    return;
+  }
+  request->packet = GNUNET_DNSPARSER_parse ((char *) dns,
+                                            r);
+  if (NULL == request->packet)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                _ ("Failed to parse DNS response!\n"));
+    GNUNET_SCHEDULER_cancel (request->timeout_task);
+    do_timeout (request);
+    return;
+  }
+  GNUNET_DNSSTUB_resolve_cancel (request->dns_lookup);
+  send_response (request);
+}
+
+/**
+ * Callback invoked from the VPN service once a redirection is
+ * available.  Provides the IP address that can now be used to
+ * reach the requested destination.  Replaces the "VPN" record
+ * with the respective A/AAAA record and continues processing.
+ *
+ * @param cls closure
+ * @param af address family, AF_INET or AF_INET6; AF_UNSPEC on error;
+ *                will match 'result_af' from the request
+ * @param address IP address (struct in_addr or struct in_addr6, depending on 'af')
+ *                that the VPN allocated for the redirection;
+ *                traffic to this IP will now be redirected to the
+ *                specified target peer; NULL on error
+ */
+static void
+vpn_allocation_cb (void *cls,
+                   int af,
+                   const void *address)
+{
+  struct VpnContext *vpn_ctx = cls;
+  struct Request *request = vpn_ctx->request;
+  struct GNUNET_GNSRECORD_Data rd[vpn_ctx->rd_count];
+  unsigned int i;
+
+  vpn_ctx->vpn_request = NULL;
+  request->vpn_ctx = NULL;
+  GNUNET_assert (GNUNET_OK ==
+                 GNUNET_GNSRECORD_records_deserialize (
+                   (size_t) vpn_ctx->rd_data_size,
+                   vpn_ctx->rd_data,
+                   vpn_ctx->rd_count,
+                   rd));
+  for (i = 0; i < vpn_ctx->rd_count; i++)
+  {
+    if (GNUNET_GNSRECORD_TYPE_VPN == rd[i].record_type)
+    {
+      switch (af)
+      {
+      case AF_INET:
+        rd[i].record_type = GNUNET_DNSPARSER_TYPE_A;
+        rd[i].data_size = sizeof(struct in_addr);
+        rd[i].expiration_time = GNUNET_TIME_relative_to_absolute (
+          VPN_TIMEOUT).abs_value_us;
+        rd[i].flags = 0;
+        rd[i].data = address;
+        break;
+
+      case AF_INET6:
+        rd[i].record_type = GNUNET_DNSPARSER_TYPE_AAAA;
+        rd[i].expiration_time = GNUNET_TIME_relative_to_absolute (
+          VPN_TIMEOUT).abs_value_us;
+        rd[i].flags = 0;
+        rd[i].data = address;
+        rd[i].data_size = sizeof(struct in6_addr);
+        break;
+
+      default:
+        GNUNET_assert (0);
+      }
+      break;
+    }
+  }
+  GNUNET_assert (i < vpn_ctx->rd_count);
+  if (0 == vpn_ctx->rd_count)
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                _ ("VPN returned empty result for `%s'\n"),
+                request->packet->queries[0].name);
+  send_response (request);
+  GNUNET_free (vpn_ctx->rd_data);
+  GNUNET_free (vpn_ctx);
+}
+
+
+
+/**
+ * Iterator called on obtained result for a GNS lookup.
+ *
+ * @param cls closure
+ * @param was_gns #GNUNET_NO if the TLD is not configured for GNS
+ * @param rd_count number of records in @a rd
+ * @param rd the records in reply
+ */
+static void
+result_processor (void *cls,
+                  int was_gns,
+                  uint32_t rd_count,
+                  const struct GNUNET_GNSRECORD_Data *rd)
+{
+  struct Request *request = cls;
+  struct GNUNET_DNSPARSER_Packet *packet;
+  struct GNUNET_DNSPARSER_Record rec;
+  struct VpnContext *vpn_ctx;
+  const struct GNUNET_TUN_GnsVpnRecord *vpn;
+  const char *vname;
+  struct GNUNET_HashCode vhash;
+  int af;
+
+  request->lookup = NULL;
+  if (GNUNET_NO == was_gns)
+  {
+    /* TLD not configured for GNS, fall back to DNS */
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Using DNS resolver IP `%s' to resolve `%s'\n",
+                dns_ip,
+                request->packet->queries[0].name);
+    request->original_request_id = request->packet->id;
+    GNUNET_DNSPARSER_free_packet (request->packet);
+    request->packet = NULL;
+    request->dns_lookup = GNUNET_DNSSTUB_resolve (dns_stub,
+                                                  request->udp_msg,
+                                                  request->udp_msg_size,
+                                                  &dns_result_processor,
+                                                  request);
+    return;
+  }
+  packet = request->packet;
+  packet->flags.query_or_response = 1;
+  packet->flags.return_code = GNUNET_TUN_DNS_RETURN_CODE_NO_ERROR;
+  packet->flags.checking_disabled = 0;
+  packet->flags.authenticated_data = 1;
+  packet->flags.zero = 0;
+  packet->flags.recursion_available = 1;
+  packet->flags.message_truncated = 0;
+  packet->flags.authoritative_answer = 0;
+  // packet->flags.opcode = GNUNET_TUN_DNS_OPCODE_STATUS; // ???
+  for (uint32_t i = 0; i < rd_count; i++)
+  {
+    rec.expiration_time.abs_value_us = rd[i].expiration_time;
+    switch (rd[i].record_type)
+    {
+    case GNUNET_DNSPARSER_TYPE_A:
+      GNUNET_assert (sizeof(struct in_addr) == rd[i].data_size);
+      rec.name = GNUNET_strdup (packet->queries[0].name);
+      rec.dns_traffic_class = GNUNET_TUN_DNS_CLASS_INTERNET;
+      rec.type = GNUNET_DNSPARSER_TYPE_A;
+      rec.data.raw.data = GNUNET_new (struct in_addr);
+      GNUNET_memcpy (rec.data.raw.data,
+                     rd[i].data,
+                     rd[i].data_size);
+      rec.data.raw.data_len = sizeof(struct in_addr);
+      GNUNET_array_append (packet->answers,
+                           packet->num_answers,
+                           rec);
+      break;
+
+    case GNUNET_DNSPARSER_TYPE_AAAA:
+      GNUNET_assert (sizeof(struct in6_addr) == rd[i].data_size);
+      rec.name = GNUNET_strdup (packet->queries[0].name);
+      rec.data.raw.data = GNUNET_new (struct in6_addr);
+      rec.dns_traffic_class = GNUNET_TUN_DNS_CLASS_INTERNET;
+      rec.type = GNUNET_DNSPARSER_TYPE_AAAA;
+      GNUNET_memcpy (rec.data.raw.data,
+                     rd[i].data,
+                     rd[i].data_size);
+      rec.data.raw.data_len = sizeof(struct in6_addr);
+      GNUNET_array_append (packet->answers,
+                           packet->num_answers,
+                           rec);
+      break;
+
+    case GNUNET_DNSPARSER_TYPE_CNAME:
+      rec.name = GNUNET_strdup (packet->queries[0].name);
+      rec.data.hostname = GNUNET_strdup (rd[i].data);
+      rec.dns_traffic_class = GNUNET_TUN_DNS_CLASS_INTERNET;
+      rec.type = GNUNET_DNSPARSER_TYPE_CNAME;
+      GNUNET_memcpy (rec.data.hostname,
+                     rd[i].data,
+                     rd[i].data_size);
+      GNUNET_array_append (packet->answers,
+                           packet->num_answers,
+                           rec);
+      break;
+    case GNUNET_GNSRECORD_TYPE_VPN:
+      if ((GNUNET_DNSPARSER_TYPE_A != request->packet->queries[0].type) &&
+          (GNUNET_DNSPARSER_TYPE_AAAA != request->packet->queries[0].type))
+        break;
+      af = (GNUNET_DNSPARSER_TYPE_A == request->packet->queries[0].type) ?
+           AF_INET :
+           AF_INET6;
+      if (sizeof(struct GNUNET_TUN_GnsVpnRecord) >
+          rd[i].data_size)
+      {
+        GNUNET_break_op (0);
+        break;
+      }
+      vpn = (const struct GNUNET_TUN_GnsVpnRecord *) rd[i].data;
+      vname = (const char *) &vpn[1];
+      if ('\0' != vname[rd[i].data_size - 1 - sizeof(struct
+                                                     GNUNET_TUN_GnsVpnRecord)
+          ])
+      {
+        GNUNET_break_op (0);
+        break;
+      }
+      GNUNET_TUN_service_name_to_hash (vname,
+                                       &vhash);
+      GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                  "Attempting VPN allocation for %s-%s (AF: %d, proto %d)\n",
+                  GNUNET_i2s (&vpn->peer),
+                  vname,
+                  (int) af,
+                  (int) ntohs (vpn->proto));
+      vpn_ctx = GNUNET_new (struct VpnContext);
+      request->vpn_ctx = vpn_ctx;
+      vpn_ctx->request = request;
+      vpn_ctx->rd_data_size = GNUNET_GNSRECORD_records_get_size (rd_count,
+                                                                 rd);
+      if (vpn_ctx->rd_data_size < 0)
+      {
+        GNUNET_break_op (0);
+        GNUNET_free (vpn_ctx);
+        break;
+      }
+      vpn_ctx->rd_data = GNUNET_malloc ((size_t) vpn_ctx->rd_data_size);
+      vpn_ctx->rd_count = rd_count;
+      GNUNET_assert (vpn_ctx->rd_data_size ==
+                     GNUNET_GNSRECORD_records_serialize (rd_count,
+                                                         rd,
+                                                         (size_t) vpn_ctx
+                                                         ->rd_data_size,
+                                                         vpn_ctx->rd_data));
+      vpn_ctx->vpn_request = GNUNET_VPN_redirect_to_peer (vpn_handle,
+                                                          af,
+                                                          ntohs (
+                                                            vpn->proto),
+                                                          &vpn->peer,
+                                                          &vhash,
+                                                          GNUNET_TIME_relative_to_absolute (
+                                                            VPN_TIMEOUT),
+                                                          &
+                                                          vpn_allocation_cb,
+                                                          vpn_ctx);
+      return;
+
+
+    default:
+      /* skip */
+      break;
+    }
+  }
+  send_response (request);
+}
+
+
+/**
+ * Handle DNS request.
+ *
+ * @param lsock socket to use for sending the reply
+ * @param addr address to use for sending the reply
+ * @param addr_len number of bytes in @a addr
+ * @param udp_msg DNS request payload
+ * @param udp_msg_size number of bytes in @a udp_msg
+ */
+static void
+handle_request (struct GNUNET_NETWORK_Handle *lsock,
+                const void *addr,
+                size_t addr_len,
+                const char *udp_msg,
+                size_t udp_msg_size)
+{
+  struct Request *request;
+  struct GNUNET_DNSPARSER_Packet *packet;
+
+  packet = GNUNET_DNSPARSER_parse (udp_msg,
+                                   udp_msg_size);
+  if (NULL == packet)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                _ ("Cannot parse DNS request from %s\n"),
+                GNUNET_a2s (addr, addr_len));
+    return;
+  }
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Received request for `%s' with flags %u, #answers %d, #auth %d, #additional %d\n",
+              packet->queries[0].name,
+              (unsigned int) packet->flags.query_or_response,
+              (int) packet->num_answers,
+              (int) packet->num_authority_records,
+              (int) packet->num_additional_records);
+  if ((0 != packet->flags.query_or_response) ||
+      (0 != packet->num_answers) ||
+      (0 != packet->num_authority_records))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                _ ("Received malformed DNS request from %s\n"),
+                GNUNET_a2s (addr, addr_len));
+    GNUNET_DNSPARSER_free_packet (packet);
+    return;
+  }
+  if ((1 != packet->num_queries))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                _ ("Received unsupported DNS request from %s\n"),
+                GNUNET_a2s (addr,
+                            addr_len));
+    GNUNET_DNSPARSER_free_packet (packet);
+    return;
+  }
+  request = GNUNET_malloc (sizeof(struct Request) + addr_len);
+  request->lsock = lsock;
+  request->packet = packet;
+  request->addr = &request[1];
+  request->addr_len = addr_len;
+  GNUNET_memcpy (&request[1],
+                 addr,
+                 addr_len);
+  request->udp_msg_size = udp_msg_size;
+  request->udp_msg = GNUNET_memdup (udp_msg,
+                                    udp_msg_size);
+  request->timeout_task = GNUNET_SCHEDULER_add_delayed (TIMEOUT,
+                                                        &do_timeout,
+                                                        request);
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Calling GNS on `%s'\n",
+              packet->queries[0].name);
+  request->lookup = GNUNET_GNS_lookup_with_tld (gns,
+                                                packet->queries[0].name,
+                                                packet->queries[0].type,
+                                                GNUNET_GNS_LO_DEFAULT,
+                                                &result_processor,
+                                                request);
+}
+
+
+/**
+ * Task to read IPv4 DNS packets.
+ *
+ * @param cls the 'listen_socket4'
+ */
+static void
+read_dns4 (void *cls)
+{
+  struct sockaddr_in v4;
+  socklen_t addrlen;
+  ssize_t size;
+  const struct GNUNET_SCHEDULER_TaskContext *tc;
+
+  GNUNET_assert (listen_socket4 == cls);
+  t4 = GNUNET_SCHEDULER_add_read_net (GNUNET_TIME_UNIT_FOREVER_REL,
+                                      listen_socket4,
+                                      &read_dns4,
+                                      listen_socket4);
+  tc = GNUNET_SCHEDULER_get_task_context ();
+  if (0 == (GNUNET_SCHEDULER_REASON_READ_READY & tc->reason))
+    return; /* shutdown? */
+  size = GNUNET_NETWORK_socket_recvfrom_amount (listen_socket4);
+  if (0 > size)
+  {
+    GNUNET_break (0);
+    return;   /* read error!? */
+  }
+  {
+    char buf[size + 1];
+    ssize_t sret;
+
+    addrlen = sizeof(v4);
+    sret = GNUNET_NETWORK_socket_recvfrom (listen_socket4,
+                                           buf,
+                                           size + 1,
+                                           (struct sockaddr *) &v4,
+                                           &addrlen);
+    if (0 > sret)
+    {
+      GNUNET_log_strerror (GNUNET_ERROR_TYPE_WARNING,
+                           "recvfrom");
+      return;
+    }
+    GNUNET_break (size != sret);
+    handle_request (listen_socket4,
+                    &v4,
+                    addrlen,
+                    buf,
+                    size);
+  }
+}
+
+
+/**
+ * Task to read IPv6 DNS packets.
+ *
+ * @param cls the 'listen_socket6'
+ */
+static void
+read_dns6 (void *cls)
+{
+  struct sockaddr_in6 v6;
+  socklen_t addrlen;
+  ssize_t size;
+  const struct GNUNET_SCHEDULER_TaskContext *tc;
+
+  GNUNET_assert (listen_socket6 == cls);
+  t6 = GNUNET_SCHEDULER_add_read_net (GNUNET_TIME_UNIT_FOREVER_REL,
+                                      listen_socket6,
+                                      &read_dns6,
+                                      listen_socket6);
+  tc = GNUNET_SCHEDULER_get_task_context ();
+  if (0 == (GNUNET_SCHEDULER_REASON_READ_READY & tc->reason))
+    return; /* shutdown? */
+  size = GNUNET_NETWORK_socket_recvfrom_amount (listen_socket6);
+  if (0 > size)
+  {
+    GNUNET_break (0);
+    return;   /* read error!? */
+  }
+  {
+    char buf[size];
+    ssize_t sret;
+
+    addrlen = sizeof(v6);
+    sret = GNUNET_NETWORK_socket_recvfrom (listen_socket6,
+                                           buf,
+                                           size,
+                                           (struct sockaddr *) &v6,
+                                           &addrlen);
+    if (0 > sret)
+    {
+      GNUNET_log_strerror (GNUNET_ERROR_TYPE_WARNING,
+                           "recvfrom");
+      return;
+    }
+    GNUNET_break (size != sret);
+    handle_request (listen_socket6,
+                    &v6,
+                    addrlen,
+                    buf,
+                    size);
+  }
+}
+
+
+/**
+ * Main function that will be run.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param c configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *c)
+{
+  char *addr_str;
+
+  (void) cls;
+  (void) args;
+  (void) cfgfile;
+  cfg = c;
+  if (NULL == dns_ip)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                _ ("No DNS server specified!\n"));
+    return;
+  }
+  GNUNET_SCHEDULER_add_shutdown (&do_shutdown,
+                                 NULL);
+  if (NULL == (gns = GNUNET_GNS_connect (cfg)))
+    return;
+  if (NULL == (vpn_handle = GNUNET_VPN_connect (cfg)))
+    return;
+  GNUNET_assert (NULL != (dns_stub = GNUNET_DNSSTUB_start (128)));
+  if (GNUNET_OK !=
+      GNUNET_DNSSTUB_add_dns_ip (dns_stub,
+                                 dns_ip))
+  {
+    GNUNET_DNSSTUB_stop (dns_stub);
+    GNUNET_GNS_disconnect (gns);
+    gns = NULL;
+    GNUNET_VPN_disconnect (vpn_handle);
+    vpn_handle = NULL;
+    return;
+  }
+
+  /* Get address to bind to */
+  if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_string (c, "dns2gns",
+                                                          "BIND_TO",
+                                                          &addr_str))
+  {
+    // No address specified
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Don't know what to bind to...\n");
+    GNUNET_free (addr_str);
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  if (1 != inet_pton (AF_INET, addr_str, &address))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Unable to parse address %s\n",
+                addr_str);
+    GNUNET_free (addr_str);
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  GNUNET_free (addr_str);
+  /* Get address to bind to */
+  if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_string (c, "dns2gns",
+                                                          "BIND_TO6",
+                                                          &addr_str))
+  {
+    // No address specified
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Don't know what to bind6 to...\n");
+    GNUNET_free (addr_str);
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  if (1 != inet_pton (AF_INET6, addr_str, &address6))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Unable to parse IPv6 address %s\n",
+                addr_str);
+    GNUNET_free (addr_str);
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  GNUNET_free (addr_str);
+  if (GNUNET_OK == GNUNET_CONFIGURATION_get_value_number (c, "dns2gns",
+                                         "PORT",
+                                         &listen_port))
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Listening on %llu\n", listen_port);
+
+  listen_socket4 = GNUNET_NETWORK_socket_create (PF_INET,
+                                                 SOCK_DGRAM,
+                                                 IPPROTO_UDP);
+  if (NULL != listen_socket4)
+  {
+    struct sockaddr_in v4;
+
+    memset (&v4, 0, sizeof(v4));
+    v4.sin_family = AF_INET;
+    v4.sin_addr.s_addr = address;
+#if HAVE_SOCKADDR_IN_SIN_LEN
+    v4.sin_len = sizeof(v4);
+#endif
+    v4.sin_port = htons (listen_port);
+    if (GNUNET_OK !=
+        GNUNET_NETWORK_socket_bind (listen_socket4,
+                                    (struct sockaddr *) &v4,
+                                    sizeof(v4)))
+    {
+      GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR, "bind");
+      GNUNET_NETWORK_socket_close (listen_socket4);
+      listen_socket4 = NULL;
+    }
+  }
+  listen_socket6 = GNUNET_NETWORK_socket_create (PF_INET6,
+                                                 SOCK_DGRAM,
+                                                 IPPROTO_UDP);
+  if (NULL != listen_socket6)
+  {
+    struct sockaddr_in6 v6;
+
+    memset (&v6, 0, sizeof(v6));
+    v6.sin6_family = AF_INET6;
+    v6.sin6_addr = address6;
+#if HAVE_SOCKADDR_IN_SIN_LEN
+    v6.sin6_len = sizeof(v6);
+#endif
+    v6.sin6_port = htons (listen_port);
+    if (GNUNET_OK !=
+        GNUNET_NETWORK_socket_bind (listen_socket6,
+                                    (struct sockaddr *) &v6,
+                                    sizeof(v6)))
+    {
+      GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR, "bind");
+      GNUNET_NETWORK_socket_close (listen_socket6);
+      listen_socket6 = NULL;
+    }
+  }
+  if ((NULL == listen_socket4) &&
+      (NULL == listen_socket6))
+  {
+    GNUNET_GNS_disconnect (gns);
+    gns = NULL;
+    GNUNET_VPN_disconnect (vpn_handle);
+    vpn_handle = NULL;
+    GNUNET_DNSSTUB_stop (dns_stub);
+    dns_stub = NULL;
+    return;
+  }
+  if (NULL != listen_socket4)
+    t4 = GNUNET_SCHEDULER_add_read_net (GNUNET_TIME_UNIT_FOREVER_REL,
+                                        listen_socket4,
+                                        &read_dns4,
+                                        listen_socket4);
+  if (NULL != listen_socket6)
+    t6 = GNUNET_SCHEDULER_add_read_net (GNUNET_TIME_UNIT_FOREVER_REL,
+                                        listen_socket6,
+                                        &read_dns6,
+                                        listen_socket6);
+}
+
+
+/**
+ * The main function for the dns2gns daemon.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc,
+      char *const *argv)
+{
+  struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_option_string ('d',
+                                 "dns",
+                                 "IP",
+                                 gettext_noop (
+                                   "IP of recursive DNS resolver to use (required)"),
+                                 &dns_ip),
+    GNUNET_GETOPT_OPTION_END
+  };
+  int ret;
+
+  if (GNUNET_OK !=
+      GNUNET_STRINGS_get_utf8_args (argc, argv,
+                                    &argc, &argv))
+    return 2;
+  GNUNET_log_setup ("gnunet-dns2gns",
+                    "WARNING",
+                    NULL);
+  ret =
+    (GNUNET_OK ==
+     GNUNET_PROGRAM_run (argc, argv,
+                         "gnunet-dns2gns",
+                         _ ("GNUnet DNS-to-GNS proxy (a DNS server)"),
+                         options,
+                         &run, NULL)) ? 0 : 1;
+  GNUNET_free_nz ((void *) argv);
+  return ret;
+}
+
+
+/* end of gnunet-dns2gns.c */
diff --git a/src/service/gns/gnunet-gns-benchmark.c b/src/service/gns/gnunet-gns-benchmark.c
new file mode 100644
index 000000000..b36a83f21
--- /dev/null
+++ b/src/service/gns/gnunet-gns-benchmark.c
@@ -0,0 +1,618 @@
+/*
+     This file is part of GNUnet
+     Copyright (C) 2018 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file src/gns/gnunet-gns-benchmark.c
+ * @brief issue many queries to GNS and compute performance statistics
+ * @author Christian Grothoff
+ */
+#include "platform.h"
+#include <gnunet_util_lib.h>
+#include <gnunet_gnsrecord_lib.h>
+#include <gnunet_gns_service.h>
+
+
+/**
+ * How long do we wait at least between requests by default?
+ */
+#define DEF_REQUEST_DELAY GNUNET_TIME_relative_multiply ( \
+    GNUNET_TIME_UNIT_MILLISECONDS, 1)
+
+/**
+ * How long do we wait until we consider a request failed by default?
+ */
+#define DEF_TIMEOUT GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_MINUTES, 1)
+
+
+/**
+ * We distinguish between different categories of
+ * requests, for which we track statistics separately.
+ * However, this process does not change how it acts
+ * based on the category.
+ */
+enum RequestCategory
+{
+  RC_SHARED = 0,
+  RC_PRIVATE = 1,
+  /**
+   * Must be last and match number of categories.
+   */
+  RC_MAX = 2
+};
+
+
+/**
+ * Request we should make.  We keep this struct in memory per request,
+ * thus optimizing it is crucial for the overall memory consumption of
+ * the zone importer.
+ */
+struct Request
+{
+  /**
+   * Active requests are kept in a DLL.
+   */
+  struct Request *next;
+
+  /**
+   * Active requests are kept in a DLL.
+   */
+  struct Request *prev;
+
+  /**
+   * Socket used to make the request, NULL if not active.
+   */
+  struct GNUNET_GNS_LookupWithTldRequest *lr;
+
+  /**
+   * Hostname we are resolving, allocated at the end of
+   * this struct (optimizing memory consumption by reducing
+   * total number of allocations).
+   */
+  const char *hostname;
+
+  /**
+   * While we are fetching the record, the value is set to the
+   * starting time of the GNS operation.
+   */
+  struct GNUNET_TIME_Absolute op_start_time;
+
+  /**
+   * Observed latency, set once we got a reply.
+   */
+  struct GNUNET_TIME_Relative latency;
+
+  /**
+   * Category of the request.
+   */
+  enum RequestCategory cat;
+};
+
+
+/**
+ * GNS handle.
+ */
+static struct GNUNET_GNS_Handle *gns;
+
+/**
+ * Number of lookups we performed overall per category.
+ */
+static unsigned int lookups[RC_MAX];
+
+/**
+ * Number of replies we got per category.
+ */
+static unsigned int replies[RC_MAX];
+
+/**
+ * Number of replies we got per category.
+ */
+static unsigned int failures[RC_MAX];
+
+/**
+ * Sum of the observed latencies of successful queries,
+ * per category.
+ */
+static struct GNUNET_TIME_Relative latency_sum[RC_MAX];
+
+/**
+ * Active requests are kept in a DLL.
+ */
+static struct Request *act_head;
+
+/**
+ * Active requests are kept in a DLL.
+ */
+static struct Request *act_tail;
+
+/**
+ * Completed successful requests are kept in a DLL.
+ */
+static struct Request *succ_head;
+
+/**
+ * Completed successful requests are kept in a DLL.
+ */
+static struct Request *succ_tail;
+
+/**
+ * Yet to be started requests are kept in a DLL.
+ */
+static struct Request *todo_head;
+
+/**
+ * Yet to be started requests are kept in a DLL.
+ */
+static struct Request *todo_tail;
+
+/**
+ * Main task.
+ */
+static struct GNUNET_SCHEDULER_Task *t;
+
+/**
+ * Delay between requests.
+ */
+static struct GNUNET_TIME_Relative request_delay;
+
+/**
+ * Timeout for requests.
+ */
+static struct GNUNET_TIME_Relative timeout;
+
+/**
+ * Number of requests we have concurrently active.
+ */
+static unsigned int active_cnt;
+
+/**
+ * Look for GNS2DNS records specifically?
+ */
+static int g2d;
+
+/**
+ * Free @a req and data structures reachable from it.
+ *
+ * @param req request to free
+ */
+static void
+free_request (struct Request *req)
+{
+  if (NULL != req->lr)
+    GNUNET_GNS_lookup_with_tld_cancel (req->lr);
+  GNUNET_free (req);
+}
+
+
+/**
+ * Function called with the result of a GNS resolution.
+ *
+ * @param cls closure with the `struct Request`
+ * @param gns_tld #GNUNET_YES if GNS lookup was attempted
+ * @param rd_count number of records in @a rd
+ * @param rd the records in reply
+ */
+static void
+process_result (void *cls,
+                int gns_tld,
+                uint32_t rd_count,
+                const struct GNUNET_GNSRECORD_Data *rd)
+{
+  struct Request *req = cls;
+
+  (void) gns_tld;
+  (void) rd_count;
+  (void) rd;
+  active_cnt--;
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Got response for request `%s'\n",
+              req->hostname);
+  req->lr = NULL;
+  req->latency = GNUNET_TIME_absolute_get_duration (req->op_start_time);
+  GNUNET_CONTAINER_DLL_remove (act_head,
+                               act_tail,
+                               req);
+  GNUNET_CONTAINER_DLL_insert (succ_head,
+                               succ_tail,
+                               req);
+  replies[req->cat]++;
+  latency_sum[req->cat]
+    = GNUNET_TIME_relative_add (latency_sum[req->cat],
+                                req->latency);
+}
+
+
+/**
+ * Process request from the queue.
+ *
+ * @param cls NULL
+ */
+static void
+process_queue (void *cls)
+{
+  struct Request *req;
+  struct GNUNET_TIME_Relative duration;
+
+  (void) cls;
+  t = NULL;
+  /* check for expired requests */
+  while (NULL != (req = act_head))
+  {
+    duration = GNUNET_TIME_absolute_get_duration (req->op_start_time);
+    if (duration.rel_value_us < timeout.rel_value_us)
+      break;
+    GNUNET_CONTAINER_DLL_remove (act_head,
+                                 act_tail,
+                                 req);
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Failing request `%s' due to timeout\n",
+                req->hostname);
+    failures[req->cat]++;
+    active_cnt--;
+    free_request (req);
+  }
+  if (NULL == (req = todo_head))
+  {
+    struct GNUNET_TIME_Absolute at;
+
+    if (NULL == (req = act_head))
+    {
+      GNUNET_SCHEDULER_shutdown ();
+      return;
+    }
+    at = GNUNET_TIME_absolute_add (req->op_start_time,
+                                   timeout);
+    t = GNUNET_SCHEDULER_add_at (at,
+                                 &process_queue,
+                                 NULL);
+    return;
+  }
+  GNUNET_CONTAINER_DLL_remove (todo_head,
+                               todo_tail,
+                               req);
+  GNUNET_CONTAINER_DLL_insert_tail (act_head,
+                                    act_tail,
+                                    req);
+  lookups[req->cat]++;
+  active_cnt++;
+  req->op_start_time = GNUNET_TIME_absolute_get ();
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Starting request `%s' (%u in parallel)\n",
+              req->hostname,
+              active_cnt);
+  req->lr = GNUNET_GNS_lookup_with_tld (gns,
+                                        req->hostname,
+                                        g2d
+                                        ? GNUNET_GNSRECORD_TYPE_GNS2DNS
+                                        : GNUNET_GNSRECORD_TYPE_ANY,
+                                        GNUNET_GNS_LO_DEFAULT,
+                                        &process_result,
+                                        req);
+  t = GNUNET_SCHEDULER_add_delayed (request_delay,
+                                    &process_queue,
+                                    NULL);
+}
+
+
+/**
+ * Compare two requests by latency for qsort().
+ *
+ * @param c1 pointer to `struct Request *`
+ * @param c2 pointer to `struct Request *`
+ * @return -1 if c1<c2, 1 if c1>c2, 0 if c1==c2.
+ */
+static int
+compare_req (const void *c1,
+             const void *c2)
+{
+  const struct Request *r1 = *(void **) c1;
+  const struct Request *r2 = *(void **) c2;
+
+  if (r1->latency.rel_value_us < r2->latency.rel_value_us)
+    return -1;
+  if (r1->latency.rel_value_us > r2->latency.rel_value_us)
+    return 1;
+  return 0;
+}
+
+
+/**
+ * Output statistics, then clean up and terminate the process.
+ *
+ * @param cls NULL
+ */
+static void
+do_shutdown (void *cls)
+{
+  struct Request *req;
+  struct Request **ra[RC_MAX];
+  unsigned int rp[RC_MAX];
+
+  (void) cls;
+  for (enum RequestCategory rc = 0; rc < RC_MAX; rc++)
+  {
+    ra[rc] = GNUNET_new_array (replies[rc],
+                               struct Request *);
+    rp[rc] = 0;
+  }
+  for (req = succ_head; NULL != req; req = req->next)
+  {
+    GNUNET_assert (rp[req->cat] < replies[req->cat]);
+    ra[req->cat][rp[req->cat]++] = req;
+  }
+  for (enum RequestCategory rc = 0; rc < RC_MAX; rc++)
+  {
+    unsigned int off;
+
+    fprintf (stdout,
+             "Category %u\n",
+             rc);
+    fprintf (stdout,
+             "\tlookups: %u replies: %u failures: %u\n",
+             lookups[rc],
+             replies[rc],
+             failures[rc]);
+    if (0 == rp[rc])
+      continue;
+    qsort (ra[rc],
+           rp[rc],
+           sizeof(struct Request *),
+           &compare_req);
+    latency_sum[rc] = GNUNET_TIME_relative_divide (latency_sum[rc],
+                                                   replies[rc]);
+    fprintf (stdout,
+             "\taverage: %s\n",
+             GNUNET_STRINGS_relative_time_to_string (latency_sum[rc],
+                                                     GNUNET_YES));
+    off = rp[rc] * 50 / 100;
+    fprintf (stdout,
+             "\tmedian(50): %s\n",
+             GNUNET_STRINGS_relative_time_to_string (ra[rc][off]->latency,
+                                                     GNUNET_YES));
+    off = rp[rc] * 75 / 100;
+    fprintf (stdout,
+             "\tquantile(75): %s\n",
+             GNUNET_STRINGS_relative_time_to_string (ra[rc][off]->latency,
+                                                     GNUNET_YES));
+    off = rp[rc] * 90 / 100;
+    fprintf (stdout,
+             "\tquantile(90): %s\n",
+             GNUNET_STRINGS_relative_time_to_string (ra[rc][off]->latency,
+                                                     GNUNET_YES));
+    off = rp[rc] * 99 / 100;
+    fprintf (stdout,
+             "\tquantile(99): %s\n",
+             GNUNET_STRINGS_relative_time_to_string (ra[rc][off]->latency,
+                                                     GNUNET_YES));
+    GNUNET_free (ra[rc]);
+  }
+  if (NULL != t)
+  {
+    GNUNET_SCHEDULER_cancel (t);
+    t = NULL;
+  }
+  while (NULL != (req = act_head))
+  {
+    GNUNET_CONTAINER_DLL_remove (act_head,
+                                 act_tail,
+                                 req);
+    free_request (req);
+  }
+  while (NULL != (req = succ_head))
+  {
+    GNUNET_CONTAINER_DLL_remove (succ_head,
+                                 succ_tail,
+                                 req);
+    free_request (req);
+  }
+  while (NULL != (req = todo_head))
+  {
+    GNUNET_CONTAINER_DLL_remove (todo_head,
+                                 todo_tail,
+                                 req);
+    free_request (req);
+  }
+  if (NULL != gns)
+  {
+    GNUNET_GNS_disconnect (gns);
+    gns = NULL;
+  }
+}
+
+
+/**
+ * Add @a hostname to the list of requests to be made.
+ *
+ * @param hostname name to resolve
+ * @param cat category of the @a hostname
+ */
+static void
+queue (const char *hostname,
+       enum RequestCategory cat)
+{
+  struct Request *req;
+  const char *dot;
+  size_t hlen;
+
+  dot = strchr (hostname,
+                (unsigned char) '.');
+  if (NULL == dot)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Refusing invalid hostname `%s' (lacks '.')\n",
+                hostname);
+    return;
+  }
+  hlen = strlen (hostname) + 1;
+  req = GNUNET_malloc (sizeof(struct Request) + hlen);
+  req->cat = cat;
+  req->hostname = (char *) &req[1];
+  GNUNET_memcpy (&req[1],
+                 hostname,
+                 hlen);
+  GNUNET_CONTAINER_DLL_insert (todo_head,
+                               todo_tail,
+                               req);
+}
+
+
+/**
+ * Begin processing hostnames from stdin.
+ *
+ * @param cls NULL
+ */
+static void
+process_stdin (void *cls)
+{
+  static struct GNUNET_TIME_Absolute last;
+  static uint64_t idot;
+  unsigned int cat;
+  char hn[256];
+  char in[270];
+
+  (void) cls;
+  t = NULL;
+  while (NULL !=
+         fgets (in,
+                sizeof(in),
+                stdin))
+  {
+    if (strlen (in) > 0)
+      hn[strlen (in) - 1] = '\0';  /* eat newline */
+    if ((2 != sscanf (in,
+                      "%u %255s",
+                      &cat,
+                      hn)) ||
+        (cat >= RC_MAX))
+    {
+      fprintf (stderr,
+               "Malformed input line `%s', skipping\n",
+               in);
+      continue;
+    }
+    if (0 == idot)
+      last = GNUNET_TIME_absolute_get ();
+    idot++;
+    if (0 == idot % 100000)
+    {
+      struct GNUNET_TIME_Relative delta;
+
+      delta = GNUNET_TIME_absolute_get_duration (last);
+      last = GNUNET_TIME_absolute_get ();
+      fprintf (stderr,
+               "Read 100000 domain names in %s\n",
+               GNUNET_STRINGS_relative_time_to_string (delta,
+                                                       GNUNET_YES));
+    }
+    queue (hn,
+           (enum RequestCategory) cat);
+  }
+  fprintf (stderr,
+           "Done reading %llu domain names\n",
+           (unsigned long long) idot);
+  t = GNUNET_SCHEDULER_add_now (&process_queue,
+                                NULL);
+}
+
+
+/**
+ * Process requests from the queue, then if the queue is
+ * not empty, try again.
+ *
+ * @param cls NULL
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param cfg configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  (void) cls;
+  (void) args;
+  (void) cfgfile;
+  GNUNET_SCHEDULER_add_shutdown (&do_shutdown,
+                                 NULL);
+  gns = GNUNET_GNS_connect (cfg);
+  if (NULL == gns)
+  {
+    GNUNET_break (0);
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  t = GNUNET_SCHEDULER_add_now (&process_stdin,
+                                NULL);
+}
+
+
+/**
+ * Call with list of names with numeric category to query.
+ *
+ * @param argc unused
+ * @param argv unused
+ * @return 0 on success
+ */
+int
+main (int argc,
+      char *const*argv)
+{
+  int ret = 0;
+  struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_option_relative_time ('d',
+                                        "delay",
+                                        "RELATIVETIME",
+                                        gettext_noop (
+                                          "how long to wait between queries"),
+                                        &request_delay),
+    GNUNET_GETOPT_option_relative_time ('t',
+                                        "timeout",
+                                        "RELATIVETIME",
+                                        gettext_noop (
+                                          "how long to wait for an answer"),
+                                        &timeout),
+    GNUNET_GETOPT_option_flag ('2',
+                               "g2d",
+                               gettext_noop (
+                                 "look for GNS2DNS records instead of ANY"),
+                               &g2d),
+    GNUNET_GETOPT_OPTION_END
+  };
+
+  if (GNUNET_OK !=
+      GNUNET_STRINGS_get_utf8_args (argc, argv,
+                                    &argc, &argv))
+    return 2;
+  timeout = DEF_TIMEOUT;
+  request_delay = DEF_REQUEST_DELAY;
+  if (GNUNET_OK !=
+      GNUNET_PROGRAM_run (argc,
+                          argv,
+                          "gnunet-gns-benchmark",
+                          "resolve GNS names and measure performance",
+                          options,
+                          &run,
+                          NULL))
+    ret = 1;
+  GNUNET_free_nz ((void *) argv);
+  return ret;
+}
+
+
+/* end of gnunet-gns-benchmark.c */
diff --git a/src/service/gns/gnunet-gns-import.c b/src/service/gns/gnunet-gns-import.c
new file mode 100644
index 000000000..5d4602682
--- /dev/null
+++ b/src/service/gns/gnunet-gns-import.c
@@ -0,0 +1,498 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2012-2013 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file gnunet-gns.c
+ * @brief binary version of gnunet-gns-import.sh
+ *        (for OSes that have no POSIX shell).
+ * @author LRN
+ */
+#include "platform.h"
+#include <gnunet_util_lib.h>
+#include <gnunet_gnsrecord_lib.h>
+#include <gnunet_identity_service.h>
+#include <gnunet_namestore_service.h>
+
+/**
+ * Configuration we are using.
+ */
+static const struct GNUNET_CONFIGURATION_Handle *cfg;
+
+/**
+ * Handle to IDENTITY service.
+ */
+static struct GNUNET_IDENTITY_Handle *sh;
+
+/**
+ * Zone iterator for master zone
+ */
+struct GNUNET_NAMESTORE_ZoneIterator *list_it;
+
+/**
+ * Handle to the namestore.
+ */
+static struct GNUNET_NAMESTORE_Handle *ns;
+
+/**
+ * String version of PKEY for master-zone.
+ */
+static char *master_zone_pkey;
+
+/**
+ * Binary version of PKEY for master-zone.
+ */
+static struct GNUNET_CRYPTO_EcdsaPrivateKey master_pk;
+
+/**
+ * String version of PKEY for private-zone.
+ */
+static char *private_zone_pkey;
+
+/**
+ * String version of PKEY for pin-zone.
+ */
+static char *pin_zone_pkey =
+  "72QC35CO20UJN1E91KPJFNT9TG4CLKAPB4VK9S3Q758S9MLBRKOG";
+
+/**
+ * Set to GNUNET_YES if private record was found;
+ */
+static int found_private_rec = GNUNET_NO;
+
+/**
+ * Set to GNUNET_YES if pin record was found;
+ */
+static int found_pin_rec = GNUNET_NO;
+
+/**
+ * Exit code.
+ */
+static int ret;
+
+
+static int
+run_process_and_wait (enum GNUNET_OS_InheritStdioFlags std_inheritance,
+                      struct GNUNET_DISK_PipeHandle *pipe_stdin,
+                      struct GNUNET_DISK_PipeHandle *pipe_stdout,
+                      enum GNUNET_OS_ProcessStatusType *st,
+                      unsigned long *code,
+                      const char *filename, ...)
+{
+  static struct GNUNET_OS_Process *p;
+  int arglen;
+  char *arg;
+  char *args;
+  char *argp;
+  va_list ap, apc1, apc2;
+
+  va_start (ap, filename);
+  va_copy (apc1, ap);
+  va_copy (apc2, ap);
+  arglen = 0;
+  while (NULL != (arg = va_arg (apc1, char *)))
+    arglen += strlen (arg) + 1;
+  va_end (apc1);
+  args = argp = GNUNET_malloc (arglen);
+  while (NULL != (arg = va_arg (apc2, char *)))
+  {
+    strcpy (argp, arg);
+    argp += strlen (arg);
+    *argp = ' ';
+    argp += 1;
+  }
+  va_end (apc2);
+  if (arglen > 0)
+    argp[-1] = '\0';
+  p = GNUNET_OS_start_process_va (std_inheritance,
+                                  pipe_stdin,
+                                  pipe_stdout,
+                                  NULL,
+                                  filename, ap);
+  va_end (ap);
+  if (NULL == p)
+  {
+    ret = 3;
+    fprintf (stderr, "Failed to run `%s'\n", args);
+    GNUNET_free (args);
+    return 1;
+  }
+
+  if (GNUNET_OK != GNUNET_OS_process_wait (p))
+  {
+    ret = 4;
+    fprintf (stderr, "Failed to wait for `%s'\n", args);
+    GNUNET_free (args);
+    return 1;
+  }
+
+  switch (GNUNET_OS_process_status (p, st, code))
+  {
+  case GNUNET_OK:
+    break;
+
+  case GNUNET_NO:
+    ret = 5;
+    fprintf (stderr, "`%s' is still running\n", args);
+    GNUNET_free (args);
+    return 1;
+
+  default:
+  case GNUNET_SYSERR:
+    ret = 6;
+    fprintf (stderr, "Failed to check the status of `%s'\n", args);
+    GNUNET_free (args);
+    return 1;
+  }
+  return 0;
+}
+
+
+static void
+check_pkey (unsigned int rd_len, const struct GNUNET_GNSRECORD_Data *rd,
+            char *pk, int *found_rec)
+{
+  int i;
+  struct GNUNET_CRYPTO_PublicKey pubkey;
+
+  for (i = 0; i < rd_len; i++)
+  {
+    char *s;
+    if (sizeof (uint32_t) > rd[i].data_size)
+      continue;
+    if (GNUNET_OK != GNUNET_GNSRECORD_identity_from_data (rd[i].data,
+                                                          rd[i].data_size,
+                                                          rd[i].record_type,
+                                                          &pubkey))
+      continue;
+    s = GNUNET_GNSRECORD_value_to_string (rd[i].record_type,
+                                          rd[i].data,
+                                          rd[i].data_size);
+    if (NULL == s)
+      continue;
+    if (0 == strcmp (s, pk))
+      *found_rec = GNUNET_YES;
+    GNUNET_free (s);
+  }
+}
+
+
+/**
+ * Process a record that was stored in the namestore.
+ *
+ * @param cls closure
+ * @param zone_key private key of the zone
+ * @param rname name that is being mapped (at most 255 characters long)
+ * @param rd_len number of entries in @a rd array
+ * @param rd array of records with data to store
+ */
+static void
+zone_iterator (void *cls,
+               const struct GNUNET_CRYPTO_EcdsaPrivateKey *zone_key,
+               const char *rname, unsigned int rd_len,
+               const struct GNUNET_GNSRECORD_Data *rd)
+{
+  if (NULL != rname)
+  {
+    if (0 == strcmp (rname, "private"))
+      check_pkey (rd_len, rd, private_zone_pkey, &found_private_rec);
+    else if (0 == strcmp (rname, "pin"))
+      check_pkey (rd_len, rd, pin_zone_pkey, &found_pin_rec);
+  }
+  GNUNET_NAMESTORE_zone_iterator_next (list_it);
+}
+
+
+static void
+zone_iteration_error (void *cls)
+{
+  enum GNUNET_OS_ProcessStatusType st;
+  unsigned long code;
+
+  if (! found_private_rec)
+  {
+    if (0 != run_process_and_wait (GNUNET_OS_INHERIT_STD_OUT_AND_ERR,
+                                   NULL, NULL, &st, &code,
+                                   "gnunet-namestore",
+                                   "gnunet-namestore", "-z", "master-zone",
+                                   "-a", "-e", "never", "-n", "private", "-p",
+                                   "-t", "PKEY", "-V",
+                                   private_zone_pkey, NULL))
+    {
+      ret = 8;
+      return;
+    }
+  }
+  if (! found_pin_rec)
+  {
+    if (0 != run_process_and_wait (GNUNET_OS_INHERIT_STD_OUT_AND_ERR,
+                                   NULL, NULL, &st, &code,
+                                   "gnunet-namestore",
+                                   "gnunet-namestore", "-z", "master-zone",
+                                   "-a", "-e", "never", "-n", "pin", "-p", "-t",
+                                   "PKEY", "-V", pin_zone_pkey,
+                                   NULL))
+    {
+      ret = 10;
+      return;
+    }
+  }
+  list_it = NULL;
+  GNUNET_SCHEDULER_shutdown ();
+}
+
+
+static void
+zone_iteration_finished (void *cls)
+{
+}
+
+
+/**
+ * Get master-zone and private-zone keys.
+ *
+ * This function is initially called for all egos and then again
+ * whenever a ego's identifier changes or if it is deleted.  At the
+ * end of the initial pass over all egos, the function is once called
+ * with 'NULL' for 'ego'. That does NOT mean that the callback won't
+ * be invoked in the future or that there was an error.
+ *
+ * When used with 'GNUNET_IDENTITY_create' or 'GNUNET_IDENTITY_get', this
+ * function is only called ONCE, and 'NULL' being passed in 'ego' does
+ * indicate an error (for example because name is taken or no default value is
+ * known).  If 'ego' is non-NULL and if '*ctx' is set in those callbacks, the
+ * value WILL be passed to a subsequent call to the identity callback of
+ * 'GNUNET_IDENTITY_connect' (if that one was not NULL).
+ *
+ * When an identity is renamed, this function is called with the
+ * (known) ego but the NEW identifier.
+ *
+ * When an identity is deleted, this function is called with the
+ * (known) ego and "NULL" for the 'identifier'.  In this case,
+ * the 'ego' is henceforth invalid (and the 'ctx' should also be
+ * cleaned up).
+ *
+ * @param cls closure
+ * @param ego ego handle
+ * @param ctx context for application to store data for this ego
+ *                 (during the lifetime of this process, initially NULL)
+ * @param identifier identifier assigned by the user for this ego,
+ *                   NULL if the user just deleted the ego and it
+ *                   must thus no longer be used
+ */
+static void
+get_ego (void *cls,
+         struct GNUNET_IDENTITY_Ego *ego,
+         void **ctx,
+         const char *identifier)
+{
+  static struct GNUNET_CRYPTO_EcdsaPublicKey pk;
+
+  if (NULL == ego)
+  {
+    if ((NULL == master_zone_pkey) ||
+        (NULL == private_zone_pkey) )
+    {
+      ret = 11;
+      GNUNET_SCHEDULER_shutdown ();
+      return;
+    }
+    list_it = GNUNET_NAMESTORE_zone_iteration_start (ns,
+                                                     &master_pk,
+                                                     &zone_iteration_error,
+                                                     NULL, &zone_iterator, NULL,
+                                                     &zone_iteration_finished,
+                                                     NULL);
+    if (NULL == list_it)
+    {
+      ret = 12;
+      GNUNET_SCHEDULER_shutdown ();
+    }
+    return;
+  }
+  GNUNET_IDENTITY_ego_get_public_key (ego, &pk);
+  if (NULL != identifier)
+  {
+    if ((NULL == master_zone_pkey) && (0 == strcmp ("master-zone",
+                                                    identifier)) )
+    {
+      master_zone_pkey = GNUNET_CRYPTO_ecdsa_public_key_to_string (&pk);
+      master_pk = *GNUNET_IDENTITY_ego_get_private_key (ego);
+    }
+    else if ((NULL == private_zone_pkey) && (0 == strcmp ("private-zone",
+                                                          identifier)) )
+      private_zone_pkey = GNUNET_CRYPTO_ecdsa_public_key_to_string (&pk);
+  }
+}
+
+
+/**
+ * Task run on shutdown.
+ *
+ * @param cls NULL
+ */
+static void
+shutdown_task (void *cls)
+{
+  GNUNET_free (master_zone_pkey);
+  master_zone_pkey = NULL;
+  GNUNET_free (private_zone_pkey);
+  private_zone_pkey = NULL;
+  if (NULL != list_it)
+  {
+    GNUNET_NAMESTORE_zone_iteration_stop (list_it);
+    list_it = NULL;
+  }
+  if (NULL != ns)
+  {
+    GNUNET_NAMESTORE_disconnect (ns);
+    ns = NULL;
+  }
+  if (NULL != sh)
+  {
+    GNUNET_IDENTITY_disconnect (sh);
+    sh = NULL;
+  }
+}
+
+
+/**
+ * Main function that will be run.
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param c configuration
+ */
+static void
+run (void *cls, char *const *args, const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *c)
+{
+  enum GNUNET_OS_ProcessStatusType st;
+  unsigned long code;
+
+  cfg = c;
+
+  if (0 != run_process_and_wait (GNUNET_OS_INHERIT_STD_NONE,
+                                 NULL, NULL, &st, &code,
+                                 "gnunet-arm",
+                                 "gnunet-arm", "-I", NULL))
+  {
+    if (7 == ret)
+      fprintf (stderr,
+               "GNUnet is not running, please start GNUnet before running import\n");
+    return;
+  }
+
+  if (0 != run_process_and_wait (GNUNET_OS_INHERIT_STD_OUT_AND_ERR,
+                                 NULL, NULL, &st, &code,
+                                 "gnunet-identity",
+                                 "gnunet-identity", "-C", "master-zone", NULL))
+    return;
+
+  if (0 != run_process_and_wait (GNUNET_OS_INHERIT_STD_OUT_AND_ERR,
+                                 NULL, NULL, &st, &code,
+                                 "gnunet-identity",
+                                 "gnunet-identity", "-C", "private-zone", NULL))
+    return;
+
+  if (0 != run_process_and_wait (GNUNET_OS_INHERIT_STD_OUT_AND_ERR,
+                                 NULL, NULL, &st, &code,
+                                 "gnunet-identity",
+                                 "gnunet-identity", "-C", "sks-zone", NULL))
+    return;
+
+  if (0 != run_process_and_wait (GNUNET_OS_INHERIT_STD_OUT_AND_ERR,
+                                 NULL, NULL, &st, &code,
+                                 "gnunet-identity",
+                                 "gnunet-identity", "-e", "master-zone", "-s",
+                                 "gns-master", NULL))
+    return;
+
+  if (0 != run_process_and_wait (GNUNET_OS_INHERIT_STD_OUT_AND_ERR,
+                                 NULL, NULL, &st, &code,
+                                 "gnunet-identity",
+                                 "gnunet-identity", "-e", "master-zone", "-s",
+                                 "namestore", NULL))
+    return;
+
+  if (0 != run_process_and_wait (GNUNET_OS_INHERIT_STD_OUT_AND_ERR,
+                                 NULL, NULL, &st, &code,
+                                 "gnunet-identity",
+                                 "gnunet-identity", "-e", "master-zone", "-s",
+                                 "gns-proxy", NULL))
+    return;
+
+  if (0 != run_process_and_wait (GNUNET_OS_INHERIT_STD_OUT_AND_ERR,
+                                 NULL, NULL, &st, &code,
+                                 "gnunet-identity",
+                                 "gnunet-identity", "-e", "master-zone", "-s",
+                                 "gns-intercept", NULL))
+    return;
+
+  if (0 != run_process_and_wait (GNUNET_OS_INHERIT_STD_OUT_AND_ERR,
+                                 NULL, NULL, &st, &code,
+                                 "gnunet-identity",
+                                 "gnunet-identity", "-e", "private-zone", "-s",
+                                 "gns-private", NULL))
+    return;
+
+  if (0 != run_process_and_wait (GNUNET_OS_INHERIT_STD_OUT_AND_ERR,
+                                 NULL, NULL, &st, &code,
+                                 "gnunet-identity",
+                                 "gnunet-identity", "-e", "sks-zone", "-s",
+                                 "fs-sks", NULL))
+    return;
+
+  ns = GNUNET_NAMESTORE_connect (cfg);
+  sh = GNUNET_IDENTITY_connect (cfg, &get_ego, NULL);
+  GNUNET_SCHEDULER_add_shutdown (&shutdown_task, NULL);
+}
+
+
+/**
+ * The main function for gnunet-gns.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc, char *const *argv)
+{
+  static const struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_OPTION_END
+  };
+  int r;
+
+  if (GNUNET_OK != GNUNET_STRINGS_get_utf8_args (argc, argv, &argc, &argv))
+    return 2;
+
+  GNUNET_log_setup ("gnunet-gns-import", "WARNING", NULL);
+  ret = 0;
+  r = GNUNET_PROGRAM_run (argc, argv, "gnunet-gns-import",
+                          _ (
+                            "This program will import some GNS authorities into your GNS namestore."),
+                          options,
+                          &run, NULL);
+  GNUNET_free_nz ((void *) argv);
+  return GNUNET_OK == r ? ret : 1;
+}
+
+
+/* end of gnunet-gns-import.c */
diff --git a/src/service/gns/gnunet-gns-proxy.c b/src/service/gns/gnunet-gns-proxy.c
new file mode 100644
index 000000000..b38f0a425
--- /dev/null
+++ b/src/service/gns/gnunet-gns-proxy.c
@@ -0,0 +1,3912 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2012-2018 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @author Martin Schanzenbach
+ * @author Christian Grothoff
+ * @file src/gns/gnunet-gns-proxy.c
+ * @brief HTTP(S) proxy that rewrites URIs and fakes certificates to make GNS work
+ *        with legacy browsers
+ *
+ * TODO:
+ * - double-check queueing logic
+ */
+#include "platform.h"
+#include <microhttpd.h>
+/* Just included for the right curl.h */
+#include "gnunet_curl_lib.h"
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+#include <gnutls/abstract.h>
+#include <gnutls/crypto.h>
+#if HAVE_GNUTLS_DANE
+#include <gnutls/dane.h>
+#endif
+#include <regex.h>
+#include "gnunet_util_lib.h"
+#include "gnunet_gns_service.h"
+#include "gnunet_identity_service.h"
+#include "gns.h"
+#include "gnunet_mhd_compat.h"
+
+/**
+ * Default Socks5 listen port.
+ */
+#define GNUNET_GNS_PROXY_PORT 7777
+
+/**
+ * Maximum supported length for a URI.
+ * Should die. @deprecated
+ */
+#define MAX_HTTP_URI_LENGTH 2048
+
+/**
+ * Maximum number of DANE records we support
+ * per domain name (and port and protocol).
+ */
+#define MAX_DANES 32
+
+/**
+ * Size of the buffer for the data upload / download.  Must be
+ * enough for curl, thus CURL_MAX_WRITE_SIZE is needed here (16k).
+ */
+#define IO_BUFFERSIZE CURL_MAX_WRITE_SIZE
+
+/**
+ * Size of the read/write buffers for Socks.   Uses
+ * 256 bytes for the hostname (at most), plus a few
+ * bytes overhead for the messages.
+ */
+#define SOCKS_BUFFERSIZE (256 + 32)
+
+/**
+ * Port for plaintext HTTP.
+ */
+#define HTTP_PORT 80
+
+/**
+ * Port for HTTPS.
+ */
+#define HTTPS_PORT 443
+
+/**
+ * Largest allowed size for a PEM certificate.
+ */
+#define MAX_PEM_SIZE (10 * 1024)
+
+/**
+ * After how long do we clean up unused MHD TLS instances?
+ */
+#define MHD_CACHE_TIMEOUT GNUNET_TIME_relative_multiply ( \
+    GNUNET_TIME_UNIT_MINUTES, 5)
+
+/**
+ * After how long do we clean up Socks5 handles that failed to show any activity
+ * with their respective MHD instance?
+ */
+#define HTTP_HANDSHAKE_TIMEOUT GNUNET_TIME_relative_multiply ( \
+    GNUNET_TIME_UNIT_SECONDS, 15)
+
+
+/**
+ * Log curl error.
+ *
+ * @param level log level
+ * @param fun name of curl_easy-function that gave the error
+ * @param rc return code from curl
+ */
+#define LOG_CURL_EASY(level, fun, rc) \
+  GNUNET_log (level, \
+              _ ("%s failed at %s:%d: `%s'\n"), \
+              fun, \
+              __FILE__, \
+              __LINE__, \
+              curl_easy_strerror (rc))
+
+
+/* *************** Socks protocol definitions (move to TUN?) ****************** */
+
+/**
+ * Which SOCKS version do we speak?
+ */
+#define SOCKS_VERSION_5 0x05
+
+/**
+ * Flag to set for 'no authentication'.
+ */
+#define SOCKS_AUTH_NONE 0
+
+
+/**
+ * Commands in Socks5.
+ */
+enum Socks5Commands
+{
+  /**
+   * Establish TCP/IP stream.
+   */
+  SOCKS5_CMD_TCP_STREAM = 1,
+
+  /**
+   * Establish TCP port binding.
+   */
+  SOCKS5_CMD_TCP_PORT = 2,
+
+  /**
+   * Establish UDP port binding.
+   */
+  SOCKS5_CMD_UDP_PORT = 3
+};
+
+
+/**
+ * Address types in Socks5.
+ */
+enum Socks5AddressType
+{
+  /**
+   * IPv4 address.
+   */
+  SOCKS5_AT_IPV4 = 1,
+
+  /**
+   * IPv4 address.
+   */
+  SOCKS5_AT_DOMAINNAME = 3,
+
+  /**
+   * IPv6 address.
+   */
+  SOCKS5_AT_IPV6 = 4
+};
+
+
+/**
+ * Status codes in Socks5 response.
+ */
+enum Socks5StatusCode
+{
+  SOCKS5_STATUS_REQUEST_GRANTED = 0,
+  SOCKS5_STATUS_GENERAL_FAILURE = 1,
+  SOCKS5_STATUS_CONNECTION_NOT_ALLOWED_BY_RULE = 2,
+  SOCKS5_STATUS_NETWORK_UNREACHABLE = 3,
+  SOCKS5_STATUS_HOST_UNREACHABLE = 4,
+  SOCKS5_STATUS_CONNECTION_REFUSED_BY_HOST = 5,
+  SOCKS5_STATUS_TTL_EXPIRED = 6,
+  SOCKS5_STATUS_COMMAND_NOT_SUPPORTED = 7,
+  SOCKS5_STATUS_ADDRESS_TYPE_NOT_SUPPORTED = 8
+};
+
+
+/**
+ * Client hello in Socks5 protocol.
+ */
+struct Socks5ClientHelloMessage
+{
+  /**
+   * Should be #SOCKS_VERSION_5.
+   */
+  uint8_t version;
+
+  /**
+   * How many authentication methods does the client support.
+   */
+  uint8_t num_auth_methods;
+
+  /* followed by supported authentication methods, 1 byte per method */
+};
+
+
+/**
+ * Server hello in Socks5 protocol.
+ */
+struct Socks5ServerHelloMessage
+{
+  /**
+   * Should be #SOCKS_VERSION_5.
+   */
+  uint8_t version;
+
+  /**
+   * Chosen authentication method, for us always #SOCKS_AUTH_NONE,
+   * which skips the authentication step.
+   */
+  uint8_t auth_method;
+};
+
+
+/**
+ * Client socks request in Socks5 protocol.
+ */
+struct Socks5ClientRequestMessage
+{
+  /**
+   * Should be #SOCKS_VERSION_5.
+   */
+  uint8_t version;
+
+  /**
+   * Command code, we only uspport #SOCKS5_CMD_TCP_STREAM.
+   */
+  uint8_t command;
+
+  /**
+   * Reserved, always zero.
+   */
+  uint8_t resvd;
+
+  /**
+   * Address type, an `enum Socks5AddressType`.
+   */
+  uint8_t addr_type;
+
+  /*
+   * Followed by either an ip4/ipv6 address or a domain name with a
+   * length field (uint8_t) in front (depending on @e addr_type).
+   * followed by port number in network byte order (uint16_t).
+   */
+};
+
+
+/**
+ * Server response to client requests in Socks5 protocol.
+ */
+struct Socks5ServerResponseMessage
+{
+  /**
+   * Should be #SOCKS_VERSION_5.
+   */
+  uint8_t version;
+
+  /**
+   * Status code, an `enum Socks5StatusCode`
+   */
+  uint8_t reply;
+
+  /**
+   * Always zero.
+   */
+  uint8_t reserved;
+
+  /**
+   * Address type, an `enum Socks5AddressType`.
+   */
+  uint8_t addr_type;
+
+  /*
+   * Followed by either an ip4/ipv6 address or a domain name with a
+   * length field (uint8_t) in front (depending on @e addr_type).
+   * followed by port number in network byte order (uint16_t).
+   */
+};
+
+
+/* *********************** Datastructures for HTTP handling ****************** */
+
+/**
+ * A structure for CA cert/key
+ */
+struct ProxyCA
+{
+  /**
+   * The certificate
+   */
+  gnutls_x509_crt_t cert;
+
+  /**
+   * The private key
+   */
+  gnutls_x509_privkey_t key;
+};
+
+
+/**
+ * Structure for GNS certificates
+ */
+struct ProxyGNSCertificate
+{
+  /**
+   * The certificate as PEM
+   */
+  char cert[MAX_PEM_SIZE];
+
+  /**
+   * The private key as PEM
+   */
+  char key[MAX_PEM_SIZE];
+};
+
+
+/**
+ * A structure for all running Httpds
+ */
+struct MhdHttpList
+{
+  /**
+   * DLL for httpds
+   */
+  struct MhdHttpList *prev;
+
+  /**
+   * DLL for httpds
+   */
+  struct MhdHttpList *next;
+
+  /**
+   * the domain name to server (only important for TLS)
+   */
+  char *domain;
+
+  /**
+   * The daemon handle
+   */
+  struct MHD_Daemon *daemon;
+
+  /**
+   * Optional proxy certificate used
+   */
+  struct ProxyGNSCertificate *proxy_cert;
+
+  /**
+   * The task ID
+   */
+  struct GNUNET_SCHEDULER_Task *httpd_task;
+
+  /**
+   * is this an ssl daemon?
+   */
+  int is_ssl;
+};
+
+
+/* ***************** Datastructures for Socks handling **************** */
+
+
+/**
+ * The socks phases.
+ */
+enum SocksPhase
+{
+  /**
+   * We're waiting to get the client hello.
+   */
+  SOCKS5_INIT,
+
+  /**
+   * We're waiting to get the initial request.
+   */
+  SOCKS5_REQUEST,
+
+  /**
+   * We are currently resolving the destination.
+   */
+  SOCKS5_RESOLVING,
+
+  /**
+   * We're in transfer mode.
+   */
+  SOCKS5_DATA_TRANSFER,
+
+  /**
+   * Finish writing the write buffer, then clean up.
+   */
+  SOCKS5_WRITE_THEN_CLEANUP,
+
+  /**
+   * Socket has been passed to MHD, do not close it anymore.
+   */
+  SOCKS5_SOCKET_WITH_MHD,
+
+  /**
+   * We've started receiving upload data from MHD.
+   */
+  SOCKS5_SOCKET_UPLOAD_STARTED,
+
+  /**
+   * We've finished receiving upload data from MHD.
+   */
+  SOCKS5_SOCKET_UPLOAD_DONE,
+
+  /**
+   * We've finished uploading data via CURL and can now download.
+   */
+  SOCKS5_SOCKET_DOWNLOAD_STARTED,
+
+  /**
+   * We've finished receiving download data from cURL.
+   */
+  SOCKS5_SOCKET_DOWNLOAD_DONE
+};
+
+
+/**
+ * A header list
+ */
+struct HttpResponseHeader
+{
+  /**
+   * DLL
+   */
+  struct HttpResponseHeader *next;
+
+  /**
+   * DLL
+   */
+  struct HttpResponseHeader *prev;
+
+  /**
+   * Header type
+   */
+  char *type;
+
+  /**
+   * Header value
+   */
+  char *value;
+};
+
+/**
+ * A structure for socks requests
+ */
+struct Socks5Request
+{
+  /**
+   * DLL.
+   */
+  struct Socks5Request *next;
+
+  /**
+   * DLL.
+   */
+  struct Socks5Request *prev;
+
+  /**
+   * The client socket
+   */
+  struct GNUNET_NETWORK_Handle *sock;
+
+  /**
+   * Handle to GNS lookup, during #SOCKS5_RESOLVING phase.
+   */
+  struct GNUNET_GNS_LookupWithTldRequest *gns_lookup;
+
+  /**
+   * Client socket read task
+   */
+  struct GNUNET_SCHEDULER_Task *rtask;
+
+  /**
+   * Client socket write task
+   */
+  struct GNUNET_SCHEDULER_Task *wtask;
+
+  /**
+   * Timeout task
+   */
+  struct GNUNET_SCHEDULER_Task *timeout_task;
+
+  /**
+   * Read buffer
+   */
+  char rbuf[SOCKS_BUFFERSIZE];
+
+  /**
+   * Write buffer
+   */
+  char wbuf[SOCKS_BUFFERSIZE];
+
+  /**
+   * Buffer we use for moving data between MHD and curl (in both directions).
+   */
+  char io_buf[IO_BUFFERSIZE];
+
+  /**
+   * MHD HTTP instance handling this request, NULL for none.
+   */
+  struct MhdHttpList *hd;
+
+  /**
+   * MHD connection for this request.
+   */
+  struct MHD_Connection *con;
+
+  /**
+   * MHD response object for this request.
+   */
+  struct MHD_Response *response;
+
+  /**
+   * the domain name to server (only important for TLS)
+   */
+  char *domain;
+
+  /**
+   * DNS Legacy Host Name as given by GNS, NULL if not given.
+   */
+  char *leho;
+
+  /**
+   * Payload of the DANE records encountered.
+   */
+  char *dane_data[MAX_DANES + 1];
+
+  /**
+   * The URL to fetch
+   */
+  char *url;
+
+  /**
+   * Handle to cURL
+   */
+  CURL *curl;
+
+  /**
+   * HTTP request headers for the curl request.
+   */
+  struct curl_slist *headers;
+
+  /**
+   * DNS->IP mappings resolved through GNS
+   */
+  struct curl_slist *hosts;
+
+  /**
+   * HTTP response code to give to MHD for the response.
+   */
+  unsigned int response_code;
+
+  /**
+   * Number of bytes in @e dane_data.
+   */
+  int dane_data_len[MAX_DANES + 1];
+
+  /**
+   * Number of entries used in @e dane_data_len
+   * and @e dane_data.
+   */
+  unsigned int num_danes;
+
+  /**
+   * Number of bytes already in read buffer
+   */
+  size_t rbuf_len;
+
+  /**
+   * Number of bytes already in write buffer
+   */
+  size_t wbuf_len;
+
+  /**
+   * Number of bytes already in the IO buffer.
+   */
+  size_t io_len;
+
+  /**
+   * Once known, what's the target address for the connection?
+   */
+  struct sockaddr_storage destination_address;
+
+  /**
+   * The socks state
+   */
+  enum SocksPhase state;
+
+  /**
+   * Desired destination port.
+   */
+  uint16_t port;
+
+  /**
+   * Headers from response
+   */
+  struct HttpResponseHeader *header_head;
+
+  /**
+   * Headers from response
+   */
+  struct HttpResponseHeader *header_tail;
+
+  /**
+   * X.509 Certificate status
+   */
+  int ssl_checked;
+
+  /**
+   * Was the hostname resolved via GNS?
+   */
+  int is_gns;
+
+  /**
+   * This is (probably) a TLS connection
+   */
+  int is_tls;
+
+  /**
+   * Did we suspend MHD processing?
+   */
+  int suspended;
+
+  /**
+   * Did we pause CURL processing?
+   */
+  int curl_paused;
+};
+
+
+/* *********************** Globals **************************** */
+
+/**
+ * The address to bind to
+ */
+static in_addr_t address;
+
+/**
+ * The IPv6 address to bind to
+ */
+static struct in6_addr address6;
+
+/**
+ * The port the proxy is running on (default 7777)
+ */
+static uint16_t port = GNUNET_GNS_PROXY_PORT;
+
+/**
+ * The CA file (pem) to use for the proxy CA
+ */
+static char *cafile_opt;
+
+/**
+ * The listen socket of the proxy for IPv4
+ */
+static struct GNUNET_NETWORK_Handle *lsock4;
+
+/**
+ * The listen socket of the proxy for IPv6
+ */
+static struct GNUNET_NETWORK_Handle *lsock6;
+
+/**
+ * The listen task ID for IPv4
+ */
+static struct GNUNET_SCHEDULER_Task *ltask4;
+
+/**
+ * The listen task ID for IPv6
+ */
+static struct GNUNET_SCHEDULER_Task *ltask6;
+
+/**
+ * The cURL download task (curl multi API).
+ */
+static struct GNUNET_SCHEDULER_Task *curl_download_task;
+
+/**
+ * The cURL multi handle
+ */
+static CURLM *curl_multi;
+
+/**
+ * Handle to the GNS service
+ */
+static struct GNUNET_GNS_Handle *gns_handle;
+
+/**
+ * Disable IPv6.
+ */
+static int disable_v6;
+
+/**
+ * DLL for http/https daemons
+ */
+static struct MhdHttpList *mhd_httpd_head;
+
+/**
+ * DLL for http/https daemons
+ */
+static struct MhdHttpList *mhd_httpd_tail;
+
+/**
+ * Daemon for HTTP (we have one per X.509 certificate, and then one for
+ * all HTTP connections; this is the one for HTTP, not HTTPS).
+ */
+static struct MhdHttpList *httpd;
+
+/**
+ * DLL of active socks requests.
+ */
+static struct Socks5Request *s5r_head;
+
+/**
+ * DLL of active socks requests.
+ */
+static struct Socks5Request *s5r_tail;
+
+/**
+ * The CA for X.509 certificate generation
+ */
+static struct ProxyCA proxy_ca;
+
+/**
+ * Response we return on cURL failures.
+ */
+static struct MHD_Response *curl_failure_response;
+
+/**
+ * Our configuration.
+ */
+static const struct GNUNET_CONFIGURATION_Handle *cfg;
+
+
+/* ************************* Global helpers ********************* */
+
+
+/**
+ * Run MHD now, we have extra data ready for the callback.
+ *
+ * @param hd the daemon to run now.
+ */
+static void
+run_mhd_now (struct MhdHttpList *hd);
+
+
+/**
+ * Clean up s5r handles.
+ *
+ * @param s5r the handle to destroy
+ */
+static void
+cleanup_s5r (struct Socks5Request *s5r)
+{
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Cleaning up socks request\n");
+  if (NULL != s5r->curl)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Cleaning up cURL handle\n");
+    curl_multi_remove_handle (curl_multi,
+                              s5r->curl);
+    curl_easy_cleanup (s5r->curl);
+    s5r->curl = NULL;
+  }
+  if (s5r->suspended)
+  {
+    s5r->suspended = GNUNET_NO;
+    MHD_resume_connection (s5r->con);
+  }
+  curl_slist_free_all (s5r->headers);
+  if (NULL != s5r->hosts)
+  {
+    curl_slist_free_all (s5r->hosts);
+  }
+  if ((NULL != s5r->response) &&
+      (curl_failure_response != s5r->response))
+  {
+    MHD_destroy_response (s5r->response);
+    s5r->response = NULL;
+  }
+  if (NULL != s5r->rtask)
+  {
+    GNUNET_SCHEDULER_cancel (s5r->rtask);
+    s5r->rtask = NULL;
+  }
+  if (NULL != s5r->timeout_task)
+  {
+    GNUNET_SCHEDULER_cancel (s5r->timeout_task);
+    s5r->timeout_task = NULL;
+  }
+  if (NULL != s5r->wtask)
+  {
+    GNUNET_SCHEDULER_cancel (s5r->wtask);
+    s5r->wtask = NULL;
+  }
+  if (NULL != s5r->gns_lookup)
+  {
+    GNUNET_GNS_lookup_with_tld_cancel (s5r->gns_lookup);
+    s5r->gns_lookup = NULL;
+  }
+  if (NULL != s5r->sock)
+  {
+    if (SOCKS5_SOCKET_WITH_MHD <= s5r->state)
+      GNUNET_NETWORK_socket_free_memory_only_ (s5r->sock);
+    else
+      GNUNET_NETWORK_socket_close (s5r->sock);
+    s5r->sock = NULL;
+  }
+  GNUNET_CONTAINER_DLL_remove (s5r_head,
+                               s5r_tail,
+                               s5r);
+  GNUNET_free (s5r->domain);
+  GNUNET_free (s5r->leho);
+  GNUNET_free (s5r->url);
+  for (unsigned int i = 0; i < s5r->num_danes; i++)
+    GNUNET_free (s5r->dane_data[i]);
+  GNUNET_free (s5r);
+}
+
+
+/* ************************* HTTP handling with cURL *********************** */
+
+static void
+curl_download_prepare ();
+
+
+/**
+ * Callback for MHD response generation.  This function is called from
+ * MHD whenever MHD expects to get data back.  Copies data from the
+ * io_buf, if available.
+ *
+ * @param cls closure with our `struct Socks5Request`
+ * @param pos in buffer
+ * @param buf where to copy data
+ * @param max available space in @a buf
+ * @return number of bytes written to @a buf
+ */
+static ssize_t
+mhd_content_cb (void *cls,
+                uint64_t pos,
+                char*buf,
+                size_t max)
+{
+  struct Socks5Request *s5r = cls;
+  size_t bytes_to_copy;
+
+  if ((SOCKS5_SOCKET_UPLOAD_STARTED == s5r->state) ||
+      (SOCKS5_SOCKET_UPLOAD_DONE == s5r->state))
+  {
+    /* we're still not done with the upload, do not yet
+       start the download, the IO buffer is still full
+       with upload data. */
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Pausing MHD download %s%s, not yet ready for download\n",
+                s5r->domain,
+                s5r->url);
+    return 0;   /* not yet ready for data download */
+  }
+  bytes_to_copy = GNUNET_MIN (max,
+                              s5r->io_len);
+  if ((0 == bytes_to_copy) &&
+      (SOCKS5_SOCKET_DOWNLOAD_DONE != s5r->state))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Pausing MHD download %s%s, no data available\n",
+                s5r->domain,
+                s5r->url);
+    if (NULL != s5r->curl)
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                  "Continuing CURL interaction for %s%s\n",
+                  s5r->domain,
+                  s5r->url);
+      if (GNUNET_YES == s5r->curl_paused)
+      {
+        s5r->curl_paused = GNUNET_NO;
+        curl_easy_pause (s5r->curl,
+                         CURLPAUSE_CONT);
+      }
+      curl_download_prepare ();
+    }
+    if (GNUNET_NO == s5r->suspended)
+    {
+      MHD_suspend_connection (s5r->con);
+      s5r->suspended = GNUNET_YES;
+    }
+    return 0;   /* more data later */
+  }
+  if ((0 == bytes_to_copy) &&
+      (SOCKS5_SOCKET_DOWNLOAD_DONE == s5r->state))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Completed MHD download %s%s\n",
+                s5r->domain,
+                s5r->url);
+    return MHD_CONTENT_READER_END_OF_STREAM;
+  }
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Writing %llu/%llu bytes to %s%s\n",
+              (unsigned long long) bytes_to_copy,
+              (unsigned long long) s5r->io_len,
+              s5r->domain,
+              s5r->url);
+  GNUNET_memcpy (buf,
+                 s5r->io_buf,
+                 bytes_to_copy);
+  memmove (s5r->io_buf,
+           &s5r->io_buf[bytes_to_copy],
+           s5r->io_len - bytes_to_copy);
+  s5r->io_len -= bytes_to_copy;
+  if ((NULL != s5r->curl) &&
+      (GNUNET_YES == s5r->curl_paused))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Continuing CURL interaction for %s%s\n",
+                s5r->domain,
+                s5r->url);
+    s5r->curl_paused = GNUNET_NO;
+    curl_easy_pause (s5r->curl,
+                     CURLPAUSE_CONT);
+  }
+  return bytes_to_copy;
+}
+
+
+/**
+ * Check that the website has presented us with a valid X.509 certificate.
+ * The certificate must either match the domain name or the LEHO name
+ * (or, if available, the TLSA record).
+ *
+ * @param s5r request to check for.
+ * @return #GNUNET_OK if the certificate is valid
+ */
+static int
+check_ssl_certificate (struct Socks5Request *s5r)
+{
+  unsigned int cert_list_size;
+  const gnutls_datum_t *chainp;
+  const struct curl_tlssessioninfo *tlsinfo;
+  char certdn[GNUNET_DNSPARSER_MAX_NAME_LENGTH + 3];
+  size_t size;
+  gnutls_x509_crt_t x509_cert;
+  int rc;
+  const char *name;
+
+  s5r->ssl_checked = GNUNET_YES;
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Checking X.509 certificate\n");
+  if (CURLE_OK !=
+      curl_easy_getinfo (s5r->curl,
+                         CURLINFO_TLS_SSL_PTR,
+                         &tlsinfo))
+    return GNUNET_SYSERR;
+  if (CURLSSLBACKEND_GNUTLS != tlsinfo->backend)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                _ ("Unsupported CURL TLS backend %d\n"),
+                tlsinfo->backend);
+    return GNUNET_SYSERR;
+  }
+  chainp = gnutls_certificate_get_peers (tlsinfo->internals,
+                                         &cert_list_size);
+  if ((! chainp) ||
+      (0 == cert_list_size))
+    return GNUNET_SYSERR;
+
+  size = sizeof(certdn);
+  /* initialize an X.509 certificate structure. */
+  gnutls_x509_crt_init (&x509_cert);
+  gnutls_x509_crt_import (x509_cert,
+                          chainp,
+                          GNUTLS_X509_FMT_DER);
+
+  if (0 != (rc = gnutls_x509_crt_get_dn_by_oid (x509_cert,
+                                                GNUTLS_OID_X520_COMMON_NAME,
+                                                0, /* the first and only one */
+                                                0 /* no DER encoding */,
+                                                certdn,
+                                                &size)))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                _ ("Failed to fetch CN from cert: %s\n"),
+                gnutls_strerror (rc));
+    gnutls_x509_crt_deinit (x509_cert);
+    return GNUNET_SYSERR;
+  }
+  /* check for TLSA/DANE records */
+#if HAVE_GNUTLS_DANE
+  if (0 != s5r->num_danes)
+  {
+    dane_state_t dane_state;
+    dane_query_t dane_query;
+    unsigned int verify;
+
+    /* FIXME: add flags to gnutls to NOT read UNBOUND_ROOT_KEY_FILE here! */
+    if (0 != (rc = dane_state_init (&dane_state,
+#ifdef DANE_F_IGNORE_DNSSEC
+                                    DANE_F_IGNORE_DNSSEC |
+#endif
+                                    DANE_F_IGNORE_LOCAL_RESOLVER)))
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                  _ ("Failed to initialize DANE: %s\n"),
+                  dane_strerror (rc));
+      gnutls_x509_crt_deinit (x509_cert);
+      return GNUNET_SYSERR;
+    }
+    s5r->dane_data[s5r->num_danes] = NULL;
+    s5r->dane_data_len[s5r->num_danes] = 0;
+    if (0 != (rc = dane_raw_tlsa (dane_state,
+                                  &dane_query,
+                                  s5r->dane_data,
+                                  s5r->dane_data_len,
+                                  GNUNET_YES,
+                                  GNUNET_NO)))
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                  _ ("Failed to parse DANE record: %s\n"),
+                  dane_strerror (rc));
+      dane_state_deinit (dane_state);
+      gnutls_x509_crt_deinit (x509_cert);
+      return GNUNET_SYSERR;
+    }
+    if (0 != (rc = dane_verify_crt_raw (dane_state,
+                                        chainp,
+                                        cert_list_size,
+                                        gnutls_certificate_type_get (
+                                          tlsinfo->internals),
+                                        dane_query,
+                                        0, 0,
+                                        &verify)))
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                  _ ("Failed to verify TLS connection using DANE: %s\n"),
+                  dane_strerror (rc));
+      dane_query_deinit (dane_query);
+      dane_state_deinit (dane_state);
+      gnutls_x509_crt_deinit (x509_cert);
+      return GNUNET_SYSERR;
+    }
+    if (0 != verify)
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                  _ (
+                    "Failed DANE verification failed with GnuTLS verify status code: %u\n"),
+                  verify);
+      dane_query_deinit (dane_query);
+      dane_state_deinit (dane_state);
+      gnutls_x509_crt_deinit (x509_cert);
+      return GNUNET_SYSERR;
+    }
+    dane_query_deinit (dane_query);
+    dane_state_deinit (dane_state);
+    /* success! */
+  }
+  else
+#endif
+  {
+    /* try LEHO or ordinary domain name X509 verification */
+    name = s5r->domain;
+    if (NULL != s5r->leho)
+      name = s5r->leho;
+    if (NULL != name)
+    {
+      if (0 == (rc = gnutls_x509_crt_check_hostname (x509_cert,
+                                                     name)))
+      {
+        GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                    _ (
+                      "TLS certificate subject name (%s) does not match `%s': %d\n"),
+                    certdn,
+                    name,
+                    rc);
+        gnutls_x509_crt_deinit (x509_cert);
+        return GNUNET_SYSERR;
+      }
+    }
+    else
+    {
+      /* we did not even have the domain name!? */
+      GNUNET_break (0);
+      return GNUNET_SYSERR;
+    }
+  }
+  gnutls_x509_crt_deinit (x509_cert);
+  return GNUNET_OK;
+}
+
+
+/**
+ * We're getting an HTTP response header from cURL.  Convert it to the
+ * MHD response headers.  Mostly copies the headers, but makes special
+ * adjustments to "Set-Cookie" and "Location" headers as those may need
+ * to be changed from the LEHO to the domain the browser expects.
+ *
+ * @param buffer curl buffer with a single line of header data; not 0-terminated!
+ * @param size curl blocksize
+ * @param nmemb curl blocknumber
+ * @param cls our `struct Socks5Request *`
+ * @return size of processed bytes
+ */
+static size_t
+curl_check_hdr (void *buffer,
+                size_t size,
+                size_t nmemb,
+                void *cls)
+{
+  struct Socks5Request *s5r = cls;
+  struct HttpResponseHeader *header;
+  size_t bytes = size * nmemb;
+  char *ndup;
+  const char *hdr_type;
+  const char *cookie_domain;
+  char *hdr_val;
+  char *new_cookie_hdr;
+  char *new_location;
+  size_t offset;
+  size_t delta_cdomain;
+  int domain_matched;
+  char *tok;
+
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Receiving HTTP response header from CURL\n");
+  /* first, check TLS certificate */
+  if ((GNUNET_YES != s5r->ssl_checked) &&
+      (GNUNET_YES == s5r->is_tls))
+  // (HTTPS_PORT == s5r->port))
+  {
+    if (GNUNET_OK != check_ssl_certificate (s5r))
+      return 0;
+  }
+  ndup = GNUNET_strndup (buffer,
+                         bytes);
+  hdr_type = strtok (ndup,
+                     ":");
+  if (NULL == hdr_type)
+  {
+    GNUNET_free (ndup);
+    return bytes;
+  }
+  hdr_val = strtok (NULL,
+                    "");
+  if (NULL == hdr_val)
+  {
+    GNUNET_free (ndup);
+    return bytes;
+  }
+  if (' ' == *hdr_val)
+    hdr_val++;
+
+  /* custom logic for certain header types */
+  new_cookie_hdr = NULL;
+  if ((NULL != s5r->leho) &&
+      (0 == strcasecmp (hdr_type,
+                        MHD_HTTP_HEADER_SET_COOKIE)))
+
+  {
+    new_cookie_hdr = GNUNET_malloc (strlen (hdr_val)
+                                    + strlen (s5r->domain) + 1);
+    offset = 0;
+    domain_matched = GNUNET_NO;   /* make sure we match domain at most once */
+    for (tok = strtok (hdr_val, ";"); NULL != tok; tok = strtok (NULL, ";"))
+    {
+      if ((0 == strncasecmp (tok,
+                             " domain",
+                             strlen (" domain"))) &&
+          (GNUNET_NO == domain_matched))
+      {
+        domain_matched = GNUNET_YES;
+        cookie_domain = tok + strlen (" domain") + 1;
+        if (strlen (cookie_domain) < strlen (s5r->leho))
+        {
+          delta_cdomain = strlen (s5r->leho) - strlen (cookie_domain);
+          if (0 == strcasecmp (cookie_domain,
+                               s5r->leho + delta_cdomain))
+          {
+            offset += sprintf (new_cookie_hdr + offset,
+                               " domain=%s;",
+                               s5r->domain);
+            continue;
+          }
+        }
+        else if (0 == strcmp (cookie_domain,
+                              s5r->leho))
+        {
+          offset += sprintf (new_cookie_hdr + offset,
+                             " domain=%s;",
+                             s5r->domain);
+          continue;
+        }
+        else if (('.' == cookie_domain[0]) &&
+                 (0 == strcmp (&cookie_domain[1],
+                               s5r->leho)))
+        {
+          offset += sprintf (new_cookie_hdr + offset,
+                             " domain=.%s;",
+                             s5r->domain);
+          continue;
+        }
+        GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                    _ ("Cookie domain `%s' supplied by server is invalid\n"),
+                    tok);
+      }
+      GNUNET_memcpy (new_cookie_hdr + offset,
+                     tok,
+                     strlen (tok));
+      offset += strlen (tok);
+      new_cookie_hdr[offset++] = ';';
+    }
+    hdr_val = new_cookie_hdr;
+    hdr_val[offset] = '\0';
+  }
+
+  new_location = NULL;
+  if (0 == strcasecmp (MHD_HTTP_HEADER_TRANSFER_ENCODING,
+                       hdr_type))
+  {
+    /* Ignore transfer encoding, set automatically by MHD if required */
+    goto cleanup;
+  }
+  if ((0 == strcasecmp (MHD_HTTP_HEADER_LOCATION,
+                        hdr_type)))
+  {
+    char *leho_host;
+
+    GNUNET_asprintf (&leho_host,
+                     (GNUNET_YES != s5r->is_tls)  // (HTTPS_PORT != s5r->port)
+                     ? "http://%s"
+                     : "https://%s",
+                     s5r->leho);
+    if (0 == strncmp (leho_host,
+                      hdr_val,
+                      strlen (leho_host)))
+    {
+      GNUNET_asprintf (&new_location,
+                       "%s%s%s",
+                       (GNUNET_YES != s5r->is_tls)    // (HTTPS_PORT != s5r->port)
+                       ? "http://"
+                       : "https://",
+                       s5r->domain,
+                       hdr_val + strlen (leho_host));
+      hdr_val = new_location;
+    }
+    GNUNET_free (leho_host);
+  }
+  else if (0 == strcasecmp (MHD_HTTP_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN,
+                            hdr_type))
+  {
+    char *leho_host;
+
+    GNUNET_asprintf (&leho_host,
+                     (GNUNET_YES != s5r->is_tls)  // (HTTPS_PORT != s5r->port)
+                     ? "http://%s"
+                     : "https://%s",
+                     s5r->leho);
+    if (0 == strncmp (leho_host,
+                      hdr_val,
+                      strlen (leho_host)))
+    {
+      GNUNET_asprintf (&new_location,
+                       "%s%s",
+                       (GNUNET_YES != s5r->is_tls)    // (HTTPS_PORT != s5r->port)
+                       ? "http://"
+                       : "https://",
+                       s5r->domain);
+      hdr_val = new_location;
+    }
+    GNUNET_free (leho_host);
+  }
+
+  /* MHD does not allow certain characters in values, remove those */
+  if (NULL != (tok = strchr (hdr_val, '\n')))
+    *tok = '\0';
+  if (NULL != (tok = strchr (hdr_val, '\r')))
+    *tok = '\0';
+  if (NULL != (tok = strchr (hdr_val, '\t')))
+    *tok = '\0';
+  if (0 != strlen (hdr_val))  /* Rely in MHD to set those */
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Adding header %s: %s to MHD response\n",
+                hdr_type,
+                hdr_val);
+    header = GNUNET_new (struct HttpResponseHeader);
+    header->type = GNUNET_strdup (hdr_type);
+    header->value = GNUNET_strdup (hdr_val);
+    GNUNET_CONTAINER_DLL_insert (s5r->header_head,
+                                 s5r->header_tail,
+                                 header);
+  }
+  cleanup:
+  GNUNET_free (ndup);
+  GNUNET_free (new_cookie_hdr);
+  GNUNET_free (new_location);
+  return bytes;
+}
+
+
+/**
+ * Create an MHD response object in @a s5r matching the
+ * information we got from curl.
+ *
+ * @param s5r the request for which we convert the response
+ * @return #GNUNET_OK on success, #GNUNET_SYSERR if response was
+ *         already initialized before
+ */
+static int
+create_mhd_response_from_s5r (struct Socks5Request *s5r)
+{
+  long resp_code;
+  double content_length;
+
+  if (NULL != s5r->response)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Response already set!\n");
+    return GNUNET_SYSERR;
+  }
+
+  GNUNET_break (CURLE_OK ==
+                curl_easy_getinfo (s5r->curl,
+                                   CURLINFO_RESPONSE_CODE,
+                                   &resp_code));
+  GNUNET_break (CURLE_OK ==
+                curl_easy_getinfo (s5r->curl,
+                                   CURLINFO_CONTENT_LENGTH_DOWNLOAD_T,
+                                   &content_length));
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Creating MHD response with code %d and size %d for %s%s\n",
+              (int) resp_code,
+              (int) content_length,
+              s5r->domain,
+              s5r->url);
+  s5r->response_code = resp_code;
+  s5r->response = MHD_create_response_from_callback ((-1 == content_length)
+                                                     ? MHD_SIZE_UNKNOWN
+                                                     : content_length,
+                                                     IO_BUFFERSIZE,
+                                                     &mhd_content_cb,
+                                                     s5r,
+                                                     NULL);
+  for (struct HttpResponseHeader *header = s5r->header_head;
+       NULL != header;
+       header = header->next)
+  {
+    if (0 == strcasecmp (header->type,
+                         MHD_HTTP_HEADER_CONTENT_LENGTH))
+      continue;   /* MHD won't let us mess with those, for good reason */
+    if ((0 == strcasecmp (header->type,
+                          MHD_HTTP_HEADER_TRANSFER_ENCODING)) &&
+        ((0 == strcasecmp (header->value,
+                           "identity")) ||
+         (0 == strcasecmp (header->value,
+                           "chunked"))))
+      continue;   /* MHD won't let us mess with those, for good reason */
+    if (MHD_YES !=
+        MHD_add_response_header (s5r->response,
+                                 header->type,
+                                 header->value))
+    {
+      GNUNET_break (0);
+      GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+                  "Failed to add header `%s:%s'\n",
+                  header->type,
+                  header->value);
+    }
+  }
+  /* force connection to be closed after each request, as we
+     do not support HTTP pipelining (yet, FIXME!) */
+  /*GNUNET_break (MHD_YES ==
+     MHD_add_response_header (s5r->response,
+     MHD_HTTP_HEADER_CONNECTION,
+     "close"));*/
+  MHD_resume_connection (s5r->con);
+  s5r->suspended = GNUNET_NO;
+  return GNUNET_OK;
+}
+
+
+/**
+ * Handle response payload data from cURL.  Copies it into our `io_buf` to make
+ * it available to MHD.
+ *
+ * @param ptr pointer to the data
+ * @param size number of blocks of data
+ * @param nmemb blocksize
+ * @param ctx our `struct Socks5Request *`
+ * @return number of bytes handled
+ */
+static size_t
+curl_download_cb (void *ptr,
+                  size_t size,
+                  size_t nmemb,
+                  void*ctx)
+{
+  struct Socks5Request *s5r = ctx;
+  size_t total = size * nmemb;
+
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Receiving %ux%u bytes for `%s%s' from cURL to download\n",
+              (unsigned int) size,
+              (unsigned int) nmemb,
+              s5r->domain,
+              s5r->url);
+  if (NULL == s5r->response)
+    GNUNET_assert (GNUNET_OK ==
+                   create_mhd_response_from_s5r (s5r));
+  if ((SOCKS5_SOCKET_UPLOAD_DONE == s5r->state) &&
+      (0 == s5r->io_len))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Previous upload finished... starting DOWNLOAD.\n");
+    s5r->state = SOCKS5_SOCKET_DOWNLOAD_STARTED;
+  }
+  if ((SOCKS5_SOCKET_UPLOAD_STARTED == s5r->state) ||
+      (SOCKS5_SOCKET_UPLOAD_DONE == s5r->state))
+  {
+    /* we're still not done with the upload, do not yet
+       start the download, the IO buffer is still full
+       with upload data. */
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Pausing CURL download `%s%s', waiting for UPLOAD to finish\n",
+                s5r->domain,
+                s5r->url);
+    s5r->curl_paused = GNUNET_YES;
+    return CURL_WRITEFUNC_PAUSE;   /* not yet ready for data download */
+  }
+  if (sizeof(s5r->io_buf) - s5r->io_len < total)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Pausing CURL `%s%s' download, not enough space %llu %llu %llu\n",
+                s5r->domain,
+                s5r->url,
+                (unsigned long long) sizeof(s5r->io_buf),
+                (unsigned long long) s5r->io_len,
+                (unsigned long long) total);
+    s5r->curl_paused = GNUNET_YES;
+    return CURL_WRITEFUNC_PAUSE;   /* not enough space */
+  }
+  GNUNET_memcpy (&s5r->io_buf[s5r->io_len],
+                 ptr,
+                 total);
+  s5r->io_len += total;
+  if (GNUNET_YES == s5r->suspended)
+  {
+    MHD_resume_connection (s5r->con);
+    s5r->suspended = GNUNET_NO;
+  }
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Received %llu bytes of payload via cURL from %s\n",
+              (unsigned long long) total,
+              s5r->domain);
+  if (s5r->io_len == total)
+    run_mhd_now (s5r->hd);
+  return total;
+}
+
+
+/**
+ * cURL callback for uploaded (PUT/POST) data.  Copies it into our `io_buf`
+ * to make it available to MHD.
+ *
+ * @param buf where to write the data
+ * @param size number of bytes per member
+ * @param nmemb number of members available in @a buf
+ * @param cls our `struct Socks5Request` that generated the data
+ * @return number of bytes copied to @a buf
+ */
+static size_t
+curl_upload_cb (void *buf,
+                size_t size,
+                size_t nmemb,
+                void *cls)
+{
+  struct Socks5Request *s5r = cls;
+  size_t len = size * nmemb;
+  size_t to_copy;
+
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Receiving %ux%u bytes for `%s%s' from cURL to upload\n",
+              (unsigned int) size,
+              (unsigned int) nmemb,
+              s5r->domain,
+              s5r->url);
+
+  if ((0 == s5r->io_len) &&
+      (SOCKS5_SOCKET_UPLOAD_DONE != s5r->state))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Pausing CURL UPLOAD %s%s, need more data\n",
+                s5r->domain,
+                s5r->url);
+    return CURL_READFUNC_PAUSE;
+  }
+  if ((0 == s5r->io_len) &&
+      (SOCKS5_SOCKET_UPLOAD_DONE == s5r->state))
+  {
+    s5r->state = SOCKS5_SOCKET_DOWNLOAD_STARTED;
+    if (GNUNET_YES == s5r->curl_paused)
+    {
+      s5r->curl_paused = GNUNET_NO;
+      curl_easy_pause (s5r->curl,
+                       CURLPAUSE_CONT);
+    }
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Completed CURL UPLOAD %s%s\n",
+                s5r->domain,
+                s5r->url);
+    return 0;   /* upload finished, can now download */
+  }
+  if ((SOCKS5_SOCKET_UPLOAD_STARTED != s5r->state) &&
+      (SOCKS5_SOCKET_UPLOAD_DONE != s5r->state))
+  {
+    GNUNET_break (0);
+    return CURL_READFUNC_ABORT;
+  }
+  to_copy = GNUNET_MIN (s5r->io_len,
+                        len);
+  GNUNET_memcpy (buf,
+                 s5r->io_buf,
+                 to_copy);
+  memmove (s5r->io_buf,
+           &s5r->io_buf[to_copy],
+           s5r->io_len - to_copy);
+  s5r->io_len -= to_copy;
+  if (s5r->io_len + to_copy == sizeof(s5r->io_buf))
+    run_mhd_now (s5r->hd); /* got more space for upload now */
+  return to_copy;
+}
+
+
+/* ************************** main loop of cURL interaction ****************** */
+
+
+/**
+ * Task that is run when we are ready to receive more data
+ * from curl
+ *
+ * @param cls closure
+ */
+static void
+curl_task_download (void *cls);
+
+
+/**
+ * Ask cURL for the select() sets and schedule cURL operations.
+ */
+static void
+curl_download_prepare ()
+{
+  CURLMcode mret;
+  fd_set rs;
+  fd_set ws;
+  fd_set es;
+  int max;
+  struct GNUNET_NETWORK_FDSet *grs;
+  struct GNUNET_NETWORK_FDSet *gws;
+  long to;
+  struct GNUNET_TIME_Relative rtime;
+
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Scheduling CURL interaction\n");
+  if (NULL != curl_download_task)
+  {
+    GNUNET_SCHEDULER_cancel (curl_download_task);
+    curl_download_task = NULL;
+  }
+  max = -1;
+  FD_ZERO (&rs);
+  FD_ZERO (&ws);
+  FD_ZERO (&es);
+  if (CURLM_OK != (mret = curl_multi_fdset (curl_multi,
+                                            &rs,
+                                            &ws,
+                                            &es,
+                                            &max)))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "%s failed at %s:%d: `%s'\n",
+                "curl_multi_fdset", __FILE__, __LINE__,
+                curl_multi_strerror (mret));
+    return;
+  }
+  to = -1;
+  GNUNET_break (CURLM_OK ==
+                curl_multi_timeout (curl_multi,
+                                    &to));
+  if (-1 == to)
+    rtime = GNUNET_TIME_UNIT_FOREVER_REL;
+  else
+    rtime = GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_MILLISECONDS,
+                                           to);
+  if (-1 != max)
+  {
+    grs = GNUNET_NETWORK_fdset_create ();
+    gws = GNUNET_NETWORK_fdset_create ();
+    GNUNET_NETWORK_fdset_copy_native (grs,
+                                      &rs,
+                                      max + 1);
+    GNUNET_NETWORK_fdset_copy_native (gws,
+                                      &ws,
+                                      max + 1);
+    curl_download_task = GNUNET_SCHEDULER_add_select (
+      GNUNET_SCHEDULER_PRIORITY_DEFAULT,
+      rtime,
+      grs,
+      gws,
+      &curl_task_download,
+      curl_multi);
+    GNUNET_NETWORK_fdset_destroy (gws);
+    GNUNET_NETWORK_fdset_destroy (grs);
+  }
+  else
+  {
+    curl_download_task = GNUNET_SCHEDULER_add_delayed (rtime,
+                                                       &curl_task_download,
+                                                       curl_multi);
+  }
+}
+
+
+/**
+ * Task that is run when we are ready to receive more data from curl.
+ *
+ * @param cls closure, NULL
+ */
+static void
+curl_task_download (void *cls)
+{
+  int running;
+  int msgnum;
+  struct CURLMsg *msg;
+  CURLMcode mret;
+  struct Socks5Request *s5r;
+
+  curl_download_task = NULL;
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Running CURL interaction\n");
+  do
+  {
+    running = 0;
+    mret = curl_multi_perform (curl_multi,
+                               &running);
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Checking CURL multi status: %d\n",
+                mret);
+    while (NULL != (msg = curl_multi_info_read (curl_multi,
+                                                &msgnum)))
+    {
+      GNUNET_break (CURLE_OK ==
+                    curl_easy_getinfo (msg->easy_handle,
+                                       CURLINFO_PRIVATE,
+                                       (char **) &s5r));
+      if (NULL == s5r)
+      {
+        GNUNET_break (0);
+        continue;
+      }
+      switch (msg->msg)
+      {
+      case CURLMSG_NONE:
+        /* documentation says this is not used */
+        GNUNET_break (0);
+        break;
+
+      case CURLMSG_DONE:
+        switch (msg->data.result)
+        {
+        case CURLE_OK:
+        case CURLE_GOT_NOTHING:
+          GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                      "CURL download %s%s completed.\n",
+                      s5r->domain,
+                      s5r->url);
+          if (NULL == s5r->response)
+          {
+            GNUNET_assert (GNUNET_OK ==
+                           create_mhd_response_from_s5r (s5r));
+          }
+          s5r->state = SOCKS5_SOCKET_DOWNLOAD_DONE;
+          if (GNUNET_YES == s5r->suspended)
+          {
+            MHD_resume_connection (s5r->con);
+            s5r->suspended = GNUNET_NO;
+          }
+          run_mhd_now (s5r->hd);
+          break;
+
+        default:
+          GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                      "Download curl %s%s failed: %s\n",
+                      s5r->domain,
+                      s5r->url,
+                      curl_easy_strerror (msg->data.result));
+          /* FIXME: indicate error somehow? close MHD connection badly as well? */
+          s5r->state = SOCKS5_SOCKET_DOWNLOAD_DONE;
+          if (GNUNET_YES == s5r->suspended)
+          {
+            MHD_resume_connection (s5r->con);
+            s5r->suspended = GNUNET_NO;
+          }
+          run_mhd_now (s5r->hd);
+          break;
+        }
+        if (NULL == s5r->response)
+          s5r->response = curl_failure_response;
+        break;
+
+      case CURLMSG_LAST:
+        /* documentation says this is not used */
+        GNUNET_break (0);
+        break;
+
+      default:
+        /* unexpected status code */
+        GNUNET_break (0);
+        break;
+      }
+    }
+    ;
+  }
+  while (mret == CURLM_CALL_MULTI_PERFORM);
+  if (CURLM_OK != mret)
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "%s failed at %s:%d: `%s'\n",
+                "curl_multi_perform", __FILE__, __LINE__,
+                curl_multi_strerror (mret));
+  if (0 == running)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Suspending cURL multi loop, no more events pending\n");
+    if (NULL != curl_download_task)
+    {
+      GNUNET_SCHEDULER_cancel (curl_download_task);
+      curl_download_task = NULL;
+    }
+    return;   /* nothing more in progress */
+  }
+  curl_download_prepare ();
+}
+
+
+/* ********************************* MHD response generation ******************* */
+
+
+/**
+ * Read HTTP request header field from the request.  Copies the fields
+ * over to the 'headers' that will be given to curl.  However, 'Host'
+ * is substituted with the LEHO if present.  We also change the
+ * 'Connection' header value to "close" as the proxy does not support
+ * pipelining.
+ *
+ * @param cls our `struct Socks5Request`
+ * @param kind value kind
+ * @param key field key
+ * @param value field value
+ * @return #MHD_YES to continue to iterate
+ */
+static int
+con_val_iter (void *cls,
+              enum MHD_ValueKind kind,
+              const char *key,
+              const char *value)
+{
+  struct Socks5Request *s5r = cls;
+  char *hdr;
+
+  if ((0 == strcasecmp (MHD_HTTP_HEADER_HOST,
+                        key)) &&
+      (NULL != s5r->leho))
+    value = s5r->leho;
+  GNUNET_asprintf (&hdr,
+                   "%s: %s",
+                   key,
+                   value);
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Adding HEADER `%s' to HTTP request\n",
+              hdr);
+  s5r->headers = curl_slist_append (s5r->headers,
+                                    hdr);
+  GNUNET_free (hdr);
+  return MHD_YES;
+}
+
+
+/**
+ * Main MHD callback for handling requests.
+ *
+ * @param cls unused
+ * @param con MHD connection handle
+ * @param url the url in the request
+ * @param meth the HTTP method used ("GET", "PUT", etc.)
+ * @param ver the HTTP version string ("HTTP/1.1" for version 1.1, etc.)
+ * @param upload_data the data being uploaded (excluding HEADERS,
+ *        for a POST that fits into memory and that is encoded
+ *        with a supported encoding, the POST data will NOT be
+ *        given in upload_data and is instead available as
+ *        part of MHD_get_connection_values; very large POST
+ *        data *will* be made available incrementally in
+ *        upload_data)
+ * @param upload_data_size set initially to the size of the
+ *        @a upload_data provided; the method must update this
+ *        value to the number of bytes NOT processed;
+ * @param con_cls pointer to location where we store the `struct Request`
+ * @return #MHD_YES if the connection was handled successfully,
+ *         #MHD_NO if the socket must be closed due to a serious
+ *         error while handling the request
+ */
+static MHD_RESULT
+create_response (void *cls,
+                 struct MHD_Connection *con,
+                 const char *url,
+                 const char *meth,
+                 const char *ver,
+                 const char *upload_data,
+                 size_t *upload_data_size,
+                 void **con_cls)
+{
+  struct Socks5Request *s5r = *con_cls;
+  char *curlurl;
+  char ipstring[INET6_ADDRSTRLEN];
+  char ipaddr[INET6_ADDRSTRLEN + 2];
+  char *curl_hosts;
+  const struct sockaddr *sa;
+  const struct sockaddr_in *s4;
+  const struct sockaddr_in6 *s6;
+  uint16_t port;
+  size_t left;
+
+  if (NULL == s5r)
+  {
+    GNUNET_break (0);
+    return MHD_NO;
+  }
+  s5r->con = con;
+  /* Fresh connection. */
+  if (SOCKS5_SOCKET_WITH_MHD == s5r->state)
+  {
+    /* first time here, initialize curl handle */
+    if (s5r->is_gns)
+    {
+      sa = (const struct sockaddr *) &s5r->destination_address;
+      switch (sa->sa_family)
+      {
+      case AF_INET:
+        s4 = (const struct sockaddr_in *) &s5r->destination_address;
+        if (NULL == inet_ntop (AF_INET,
+                               &s4->sin_addr,
+                               ipstring,
+                               sizeof(ipstring)))
+        {
+          GNUNET_break (0);
+          return MHD_NO;
+        }
+        GNUNET_snprintf (ipaddr,
+                         sizeof(ipaddr),
+                         "%s",
+                         ipstring);
+        port = ntohs (s4->sin_port);
+        break;
+
+      case AF_INET6:
+        s6 = (const struct sockaddr_in6 *) &s5r->destination_address;
+        if (NULL == inet_ntop (AF_INET6,
+                               &s6->sin6_addr,
+                               ipstring,
+                               sizeof(ipstring)))
+        {
+          GNUNET_break (0);
+          return MHD_NO;
+        }
+        GNUNET_snprintf (ipaddr,
+                         sizeof(ipaddr),
+                         "%s",
+                         ipstring);
+        port = ntohs (s6->sin6_port);
+        break;
+
+      default:
+        GNUNET_break (0);
+        return MHD_NO;
+      }
+      GNUNET_asprintf (&curl_hosts,
+                       "%s:%d:%s",
+                       s5r->leho,
+                       port,
+                       ipaddr);
+      s5r->hosts = curl_slist_append (NULL,
+                                      curl_hosts);
+      GNUNET_free (curl_hosts);
+    }
+    else
+    {
+      port = s5r->port;
+    }
+    if (NULL == s5r->curl)
+      s5r->curl = curl_easy_init ();
+    if (NULL == s5r->curl)
+      return MHD_queue_response (con,
+                                 MHD_HTTP_INTERNAL_SERVER_ERROR,
+                                 curl_failure_response);
+    curl_easy_setopt (s5r->curl,
+                      CURLOPT_HEADERFUNCTION,
+                      &curl_check_hdr);
+    curl_easy_setopt (s5r->curl,
+                      CURLOPT_HEADERDATA,
+                      s5r);
+    curl_easy_setopt (s5r->curl,
+                      CURLOPT_FOLLOWLOCATION,
+                      0);
+    if (s5r->is_gns)
+      curl_easy_setopt (s5r->curl,
+                        CURLOPT_IPRESOLVE,
+                        CURL_IPRESOLVE_V4);
+    curl_easy_setopt (s5r->curl,
+                      CURLOPT_CONNECTTIMEOUT,
+                      600L);
+    curl_easy_setopt (s5r->curl,
+                      CURLOPT_TIMEOUT,
+                      600L);
+    curl_easy_setopt (s5r->curl,
+                      CURLOPT_NOSIGNAL,
+                      1L);
+    curl_easy_setopt (s5r->curl,
+                      CURLOPT_HTTP_CONTENT_DECODING,
+                      0);
+    curl_easy_setopt (s5r->curl,
+                      CURLOPT_NOSIGNAL,
+                      1L);
+    curl_easy_setopt (s5r->curl,
+                      CURLOPT_PRIVATE,
+                      s5r);
+    curl_easy_setopt (s5r->curl,
+                      CURLOPT_VERBOSE,
+                      0L);
+    /**
+     * Pre-populate cache to resolve Hostname.
+     * This is necessary as the DNS name in the CURLOPT_URL is used
+     * for SNI http://de.wikipedia.org/wiki/Server_Name_Indication
+     */
+    if ((NULL != s5r->leho) &&
+        (NULL != s5r->hosts))
+    {
+      curl_easy_setopt (s5r->curl,
+                        CURLOPT_RESOLVE,
+                        s5r->hosts);
+    }
+    if (s5r->is_gns)
+    {
+      GNUNET_asprintf (&curlurl,
+                       (GNUNET_YES != s5r->is_tls)    // (HTTPS_PORT != s5r->port)
+                       ? "http://%s:%d%s"
+                       : "https://%s:%d%s",
+                       (NULL != s5r->leho)
+                       ? s5r->leho
+                       : ipaddr,
+                       port,
+                       s5r->url);
+    }
+    else
+    {
+      GNUNET_asprintf (&curlurl,
+                       (GNUNET_YES != s5r->is_tls)    // (HTTPS_PORT != s5r->port)
+                       ? "http://%s:%d%s"
+                       : "https://%s:%d%s",
+                       s5r->domain,
+                       port,
+                       s5r->url);
+    }
+    curl_easy_setopt (s5r->curl,
+                      CURLOPT_URL,
+                      curlurl);
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Launching %s CURL interaction, fetching `%s'\n",
+                (s5r->is_gns) ? "GNS" : "DNS",
+                curlurl);
+    GNUNET_free (curlurl);
+    if (0 == strcasecmp (meth,
+                         MHD_HTTP_METHOD_PUT))
+    {
+      s5r->state = SOCKS5_SOCKET_UPLOAD_STARTED;
+      curl_easy_setopt (s5r->curl,
+                        CURLOPT_UPLOAD,
+                        1L);
+      curl_easy_setopt (s5r->curl,
+                        CURLOPT_WRITEFUNCTION,
+                        &curl_download_cb);
+      curl_easy_setopt (s5r->curl,
+                        CURLOPT_WRITEDATA,
+                        s5r);
+      GNUNET_assert (CURLE_OK ==
+                     curl_easy_setopt (s5r->curl,
+                                       CURLOPT_READFUNCTION,
+                                       &curl_upload_cb));
+      curl_easy_setopt (s5r->curl,
+                        CURLOPT_READDATA,
+                        s5r);
+      {
+        const char *us;
+        long upload_size = 0;
+
+        us = MHD_lookup_connection_value (con,
+                                          MHD_HEADER_KIND,
+                                          MHD_HTTP_HEADER_CONTENT_LENGTH);
+        if ((1 == sscanf (us,
+                          "%ld",
+                          &upload_size)) &&
+            (upload_size >= 0))
+        {
+          curl_easy_setopt (s5r->curl,
+                            CURLOPT_INFILESIZE,
+                            upload_size);
+        }
+      }
+    }
+    else if (0 == strcasecmp (meth, MHD_HTTP_METHOD_POST))
+    {
+      s5r->state = SOCKS5_SOCKET_UPLOAD_STARTED;
+      curl_easy_setopt (s5r->curl,
+                        CURLOPT_POST,
+                        1L);
+      curl_easy_setopt (s5r->curl,
+                        CURLOPT_WRITEFUNCTION,
+                        &curl_download_cb);
+      curl_easy_setopt (s5r->curl,
+                        CURLOPT_WRITEDATA,
+                        s5r);
+      curl_easy_setopt (s5r->curl,
+                        CURLOPT_READFUNCTION,
+                        &curl_upload_cb);
+      curl_easy_setopt (s5r->curl,
+                        CURLOPT_READDATA,
+                        s5r);
+      {
+        const char *us;
+        long upload_size;
+
+        upload_size = 0;
+        us = MHD_lookup_connection_value (con,
+                                          MHD_HEADER_KIND,
+                                          MHD_HTTP_HEADER_CONTENT_LENGTH);
+        if ((NULL != us) &&
+            (1 == sscanf (us,
+                          "%ld",
+                          &upload_size)) &&
+            (upload_size >= 0))
+        {
+          curl_easy_setopt (s5r->curl,
+                            CURLOPT_INFILESIZE,
+                            upload_size);
+        }
+        else
+        {
+          curl_easy_setopt (s5r->curl,
+                            CURLOPT_INFILESIZE,
+                            upload_size);
+        }
+      }
+    }
+    else if (0 == strcasecmp (meth,
+                              MHD_HTTP_METHOD_HEAD))
+    {
+      s5r->state = SOCKS5_SOCKET_DOWNLOAD_STARTED;
+      curl_easy_setopt (s5r->curl,
+                        CURLOPT_NOBODY,
+                        1L);
+    }
+    else if (0 == strcasecmp (meth,
+                              MHD_HTTP_METHOD_OPTIONS))
+    {
+      s5r->state = SOCKS5_SOCKET_DOWNLOAD_STARTED;
+      curl_easy_setopt (s5r->curl,
+                        CURLOPT_CUSTOMREQUEST,
+                        "OPTIONS");
+      curl_easy_setopt (s5r->curl,
+                        CURLOPT_WRITEFUNCTION,
+                        &curl_download_cb);
+      curl_easy_setopt (s5r->curl,
+                        CURLOPT_WRITEDATA,
+                        s5r);
+    }
+    else if (0 == strcasecmp (meth,
+                              MHD_HTTP_METHOD_GET))
+    {
+      s5r->state = SOCKS5_SOCKET_DOWNLOAD_STARTED;
+      curl_easy_setopt (s5r->curl,
+                        CURLOPT_HTTPGET,
+                        1L);
+      curl_easy_setopt (s5r->curl,
+                        CURLOPT_WRITEFUNCTION,
+                        &curl_download_cb);
+      curl_easy_setopt (s5r->curl,
+                        CURLOPT_WRITEDATA,
+                        s5r);
+    }
+    else if (0 == strcasecmp (meth,
+                              MHD_HTTP_METHOD_DELETE))
+    {
+      s5r->state = SOCKS5_SOCKET_DOWNLOAD_STARTED;
+      curl_easy_setopt (s5r->curl,
+                        CURLOPT_CUSTOMREQUEST,
+                        "DELETE");
+      curl_easy_setopt (s5r->curl,
+                        CURLOPT_WRITEFUNCTION,
+                        &curl_download_cb);
+      curl_easy_setopt (s5r->curl,
+                        CURLOPT_WRITEDATA,
+                        s5r);
+    }
+    else
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                  _ ("Unsupported HTTP method `%s'\n"),
+                  meth);
+      curl_easy_cleanup (s5r->curl);
+      s5r->curl = NULL;
+      return MHD_NO;
+    }
+
+    if (0 == strcasecmp (ver, MHD_HTTP_VERSION_1_0))
+    {
+      curl_easy_setopt (s5r->curl,
+                        CURLOPT_HTTP_VERSION,
+                        CURL_HTTP_VERSION_1_0);
+    }
+    else if (0 == strcasecmp (ver, MHD_HTTP_VERSION_1_1))
+    {
+      curl_easy_setopt (s5r->curl,
+                        CURLOPT_HTTP_VERSION,
+                        CURL_HTTP_VERSION_1_1);
+    }
+    else
+    {
+      curl_easy_setopt (s5r->curl,
+                        CURLOPT_HTTP_VERSION,
+                        CURL_HTTP_VERSION_NONE);
+    }
+
+    if (GNUNET_YES == s5r->is_tls)   // (HTTPS_PORT == s5r->port)
+    {
+      curl_easy_setopt (s5r->curl,
+                        CURLOPT_USE_SSL,
+                        CURLUSESSL_ALL);
+      if (0 < s5r->num_danes)
+        curl_easy_setopt (s5r->curl,
+                          CURLOPT_SSL_VERIFYPEER,
+                          0L);
+      else
+        curl_easy_setopt (s5r->curl,
+                          CURLOPT_SSL_VERIFYPEER,
+                          1L);
+      /* Disable cURL checking the hostname, as we will check ourselves
+         as only we have the domain name or the LEHO or the DANE record */
+      curl_easy_setopt (s5r->curl,
+                        CURLOPT_SSL_VERIFYHOST,
+                        0L);
+    }
+    else
+    {
+      curl_easy_setopt (s5r->curl,
+                        CURLOPT_USE_SSL,
+                        CURLUSESSL_NONE);
+    }
+
+    if (CURLM_OK !=
+        curl_multi_add_handle (curl_multi,
+                               s5r->curl))
+    {
+      GNUNET_break (0);
+      curl_easy_cleanup (s5r->curl);
+      s5r->curl = NULL;
+      return MHD_NO;
+    }
+    MHD_get_connection_values (con,
+                               MHD_HEADER_KIND,
+                               (MHD_KeyValueIterator) & con_val_iter,
+                               s5r);
+    curl_easy_setopt (s5r->curl,
+                      CURLOPT_HTTPHEADER,
+                      s5r->headers);
+    curl_download_prepare ();
+    return MHD_YES;
+  }
+
+  /* continuing to process request */
+  if (0 != *upload_data_size)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Processing %u bytes UPLOAD\n",
+                (unsigned int) *upload_data_size);
+
+    /* FIXME: This must be set or a header with Transfer-Encoding: chunked. Else
+     * upload callback is not called!
+     */
+    curl_easy_setopt (s5r->curl,
+                      CURLOPT_POSTFIELDSIZE,
+                      *upload_data_size);
+
+    left = GNUNET_MIN (*upload_data_size,
+                       sizeof(s5r->io_buf) - s5r->io_len);
+    GNUNET_memcpy (&s5r->io_buf[s5r->io_len],
+                   upload_data,
+                   left);
+    s5r->io_len += left;
+    *upload_data_size -= left;
+    GNUNET_assert (NULL != s5r->curl);
+    if (GNUNET_YES == s5r->curl_paused)
+    {
+      s5r->curl_paused = GNUNET_NO;
+      curl_easy_pause (s5r->curl,
+                       CURLPAUSE_CONT);
+    }
+    return MHD_YES;
+  }
+  if (SOCKS5_SOCKET_UPLOAD_STARTED == s5r->state)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Finished processing UPLOAD\n");
+    s5r->state = SOCKS5_SOCKET_UPLOAD_DONE;
+  }
+  if (NULL == s5r->response)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Waiting for HTTP response for %s%s...\n",
+                s5r->domain,
+                s5r->url);
+    MHD_suspend_connection (con);
+    s5r->suspended = GNUNET_YES;
+    return MHD_YES;
+  }
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Queueing response for %s%s with MHD\n",
+              s5r->domain,
+              s5r->url);
+  run_mhd_now (s5r->hd);
+  return MHD_queue_response (con,
+                             s5r->response_code,
+                             s5r->response);
+}
+
+
+/* ******************** MHD HTTP setup and event loop ******************** */
+
+
+/**
+ * Function called when MHD decides that we are done with a request.
+ *
+ * @param cls NULL
+ * @param connection connection handle
+ * @param con_cls value as set by the last call to
+ *        the MHD_AccessHandlerCallback, should be our `struct Socks5Request *`
+ * @param toe reason for request termination (ignored)
+ */
+static void
+mhd_completed_cb (void *cls,
+                  struct MHD_Connection *connection,
+                  void **con_cls,
+                  enum MHD_RequestTerminationCode toe)
+{
+  struct Socks5Request *s5r = *con_cls;
+
+  if (NULL == s5r)
+    return;
+  if (MHD_REQUEST_TERMINATED_COMPLETED_OK != toe)
+    GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+                "MHD encountered error handling request: %d\n",
+                toe);
+  if (NULL != s5r->curl)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Removing cURL handle (MHD interaction complete)\n");
+    curl_multi_remove_handle (curl_multi,
+                              s5r->curl);
+    curl_slist_free_all (s5r->headers);
+    s5r->headers = NULL;
+    curl_easy_reset (s5r->curl);
+    s5r->rbuf_len = 0;
+    s5r->wbuf_len = 0;
+    s5r->io_len = 0;
+    curl_download_prepare ();
+  }
+  if ((NULL != s5r->response) &&
+      (curl_failure_response != s5r->response))
+    MHD_destroy_response (s5r->response);
+  for (struct HttpResponseHeader *header = s5r->header_head;
+       NULL != header;
+       header = s5r->header_head)
+  {
+    GNUNET_CONTAINER_DLL_remove (s5r->header_head,
+                                 s5r->header_tail,
+                                 header);
+    GNUNET_free (header->type);
+    GNUNET_free (header->value);
+    GNUNET_free (header);
+  }
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Finished request for %s\n",
+              s5r->url);
+  GNUNET_free (s5r->url);
+  s5r->state = SOCKS5_SOCKET_WITH_MHD;
+  s5r->url = NULL;
+  s5r->response = NULL;
+  *con_cls = NULL;
+}
+
+
+/**
+ * Function called when MHD connection is opened or closed.
+ *
+ * @param cls NULL
+ * @param connection connection handle
+ * @param con_cls value as set by the last call to
+ *        the MHD_AccessHandlerCallback, should be our `struct Socks5Request *`
+ * @param toe connection notification type
+ */
+static void
+mhd_connection_cb (void *cls,
+                   struct MHD_Connection *connection,
+                   void **con_cls,
+                   enum MHD_ConnectionNotificationCode cnc)
+{
+  struct Socks5Request *s5r;
+  const union MHD_ConnectionInfo *ci;
+  int sock;
+
+  switch (cnc)
+  {
+  case MHD_CONNECTION_NOTIFY_STARTED:
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Connection started...\n");
+    ci = MHD_get_connection_info (connection,
+                                  MHD_CONNECTION_INFO_CONNECTION_FD);
+    if (NULL == ci)
+    {
+      GNUNET_break (0);
+      return;
+    }
+    sock = ci->connect_fd;
+    for (s5r = s5r_head; NULL != s5r; s5r = s5r->next)
+    {
+      if (GNUNET_NETWORK_get_fd (s5r->sock) == sock)
+      {
+        GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                    "Context set...\n");
+        s5r->ssl_checked = GNUNET_NO;
+        *con_cls = s5r;
+        break;
+      }
+    }
+    break;
+
+  case MHD_CONNECTION_NOTIFY_CLOSED:
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Connection closed... cleaning up\n");
+    s5r = *con_cls;
+    if (NULL == s5r)
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                  "Connection stale!\n");
+      return;
+    }
+    cleanup_s5r (s5r);
+    curl_download_prepare ();
+    *con_cls = NULL;
+    break;
+
+  default:
+    GNUNET_break (0);
+  }
+}
+
+
+/**
+ * Function called when MHD first processes an incoming connection.
+ * Gives us the respective URI information.
+ *
+ * We use this to associate the `struct MHD_Connection` with our
+ * internal `struct Socks5Request` data structure (by checking
+ * for matching sockets).
+ *
+ * @param cls the HTTP server handle (a `struct MhdHttpList`)
+ * @param url the URL that is being requested
+ * @param connection MHD connection object for the request
+ * @return the `struct Socks5Request` that this @a connection is for
+ */
+static void *
+mhd_log_callback (void *cls,
+                  const char *url,
+                  struct MHD_Connection *connection)
+{
+  struct Socks5Request *s5r;
+  const union MHD_ConnectionInfo *ci;
+
+  ci = MHD_get_connection_info (connection,
+                                MHD_CONNECTION_INFO_SOCKET_CONTEXT);
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Processing %s\n", url);
+  if (NULL == ci)
+  {
+    GNUNET_break (0);
+    return NULL;
+  }
+  s5r = ci->socket_context;
+  if (NULL != s5r->url)
+  {
+    GNUNET_break (0);
+    return NULL;
+  }
+  s5r->url = GNUNET_strdup (url);
+  if (NULL != s5r->timeout_task)
+  {
+    GNUNET_SCHEDULER_cancel (s5r->timeout_task);
+    s5r->timeout_task = NULL;
+  }
+  GNUNET_assert (s5r->state == SOCKS5_SOCKET_WITH_MHD);
+  return s5r;
+}
+
+
+/**
+ * Kill the given MHD daemon.
+ *
+ * @param hd daemon to stop
+ */
+static void
+kill_httpd (struct MhdHttpList *hd)
+{
+  GNUNET_CONTAINER_DLL_remove (mhd_httpd_head,
+                               mhd_httpd_tail,
+                               hd);
+  GNUNET_free (hd->domain);
+  MHD_stop_daemon (hd->daemon);
+  if (NULL != hd->httpd_task)
+  {
+    GNUNET_SCHEDULER_cancel (hd->httpd_task);
+    hd->httpd_task = NULL;
+  }
+  GNUNET_free (hd->proxy_cert);
+  if (hd == httpd)
+    httpd = NULL;
+  GNUNET_free (hd);
+}
+
+
+/**
+ * Task run whenever HTTP server is idle for too long. Kill it.
+ *
+ * @param cls the `struct MhdHttpList *`
+ */
+static void
+kill_httpd_task (void *cls)
+{
+  struct MhdHttpList *hd = cls;
+
+  hd->httpd_task = NULL;
+  kill_httpd (hd);
+}
+
+
+/**
+ * Task run whenever HTTP server operations are pending.
+ *
+ * @param cls the `struct MhdHttpList *` of the daemon that is being run
+ */
+static void
+do_httpd (void *cls);
+
+
+/**
+ * Schedule MHD.  This function should be called initially when an
+ * MHD is first getting its client socket, and will then automatically
+ * always be called later whenever there is work to be done.
+ *
+ * @param hd the daemon to schedule
+ */
+static void
+schedule_httpd (struct MhdHttpList *hd)
+{
+  fd_set rs;
+  fd_set ws;
+  fd_set es;
+  struct GNUNET_NETWORK_FDSet *wrs;
+  struct GNUNET_NETWORK_FDSet *wws;
+  int max;
+  int haveto;
+  MHD_UNSIGNED_LONG_LONG timeout;
+  struct GNUNET_TIME_Relative tv;
+
+  FD_ZERO (&rs);
+  FD_ZERO (&ws);
+  FD_ZERO (&es);
+  max = -1;
+  if (MHD_YES !=
+      MHD_get_fdset (hd->daemon,
+                     &rs,
+                     &ws,
+                     &es,
+                     &max))
+  {
+    kill_httpd (hd);
+    return;
+  }
+  haveto = MHD_get_timeout (hd->daemon,
+                            &timeout);
+  if (MHD_YES == haveto)
+    tv.rel_value_us = (uint64_t) timeout * 1000LL;
+  else
+    tv = GNUNET_TIME_UNIT_FOREVER_REL;
+  if (-1 != max)
+  {
+    wrs = GNUNET_NETWORK_fdset_create ();
+    wws = GNUNET_NETWORK_fdset_create ();
+    GNUNET_NETWORK_fdset_copy_native (wrs, &rs, max + 1);
+    GNUNET_NETWORK_fdset_copy_native (wws, &ws, max + 1);
+  }
+  else
+  {
+    wrs = NULL;
+    wws = NULL;
+  }
+  if (NULL != hd->httpd_task)
+  {
+    GNUNET_SCHEDULER_cancel (hd->httpd_task);
+    hd->httpd_task = NULL;
+  }
+  if ((MHD_YES != haveto) &&
+      (-1 == max) &&
+      (hd != httpd))
+  {
+    /* daemon is idle, kill after timeout */
+    hd->httpd_task = GNUNET_SCHEDULER_add_delayed (MHD_CACHE_TIMEOUT,
+                                                   &kill_httpd_task,
+                                                   hd);
+  }
+  else
+  {
+    hd->httpd_task =
+      GNUNET_SCHEDULER_add_select (GNUNET_SCHEDULER_PRIORITY_DEFAULT,
+                                   tv, wrs, wws,
+                                   &do_httpd, hd);
+  }
+  if (NULL != wrs)
+    GNUNET_NETWORK_fdset_destroy (wrs);
+  if (NULL != wws)
+    GNUNET_NETWORK_fdset_destroy (wws);
+}
+
+
+static void
+do_httpd (void *cls)
+{
+  struct MhdHttpList *hd = cls;
+
+  hd->httpd_task = NULL;
+  MHD_run (hd->daemon);
+  schedule_httpd (hd);
+}
+
+
+/**
+ * Run MHD now, we have extra data ready for the callback.
+ *
+ * @param hd the daemon to run now.
+ */
+static void
+run_mhd_now (struct MhdHttpList *hd)
+{
+  if (NULL != hd->httpd_task)
+    GNUNET_SCHEDULER_cancel (hd->httpd_task);
+  hd->httpd_task = GNUNET_SCHEDULER_add_now (&do_httpd,
+                                             hd);
+}
+
+
+/**
+ * Read file in filename
+ *
+ * @param filename file to read
+ * @param size pointer where filesize is stored
+ * @return NULL on error
+ */
+static void*
+load_file (const char*filename,
+           unsigned int*size)
+{
+  void *buffer;
+  uint64_t fsize;
+
+  if (GNUNET_OK !=
+      GNUNET_DISK_file_size (filename,
+                             &fsize,
+                             GNUNET_YES,
+                             GNUNET_YES))
+    return NULL;
+  if (fsize > MAX_PEM_SIZE)
+    return NULL;
+  *size = (unsigned int) fsize;
+  buffer = GNUNET_malloc (*size);
+  if (fsize !=
+      GNUNET_DISK_fn_read (filename,
+                           buffer,
+                           (size_t) fsize))
+  {
+    GNUNET_free (buffer);
+    return NULL;
+  }
+  return buffer;
+}
+
+
+/**
+ * Load PEM key from file
+ *
+ * @param key where to store the data
+ * @param keyfile path to the PEM file
+ * @return #GNUNET_OK on success
+ */
+static int
+load_key_from_file (gnutls_x509_privkey_t key,
+                    const char*keyfile)
+{
+  gnutls_datum_t key_data;
+  int ret;
+
+  key_data.data = load_file (keyfile,
+                             &key_data.size);
+  if (NULL == key_data.data)
+    return GNUNET_SYSERR;
+  ret = gnutls_x509_privkey_import (key, &key_data,
+                                    GNUTLS_X509_FMT_PEM);
+  if (GNUTLS_E_SUCCESS != ret)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                _ ("Unable to import private key from file `%s'\n"),
+                keyfile);
+  }
+  GNUNET_free (key_data.data);
+  return (GNUTLS_E_SUCCESS != ret) ? GNUNET_SYSERR : GNUNET_OK;
+}
+
+
+/**
+ * Load cert from file
+ *
+ * @param crt struct to store data in
+ * @param certfile path to pem file
+ * @return #GNUNET_OK on success
+ */
+static int
+load_cert_from_file (gnutls_x509_crt_t crt,
+                     const char*certfile)
+{
+  gnutls_datum_t cert_data;
+  int ret;
+
+  cert_data.data = load_file (certfile,
+                              &cert_data.size);
+  if (NULL == cert_data.data)
+    return GNUNET_SYSERR;
+  ret = gnutls_x509_crt_import (crt,
+                                &cert_data,
+                                GNUTLS_X509_FMT_PEM);
+  if (GNUTLS_E_SUCCESS != ret)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                _ ("Unable to import certificate from `%s'\n"),
+                certfile);
+  }
+  GNUNET_free (cert_data.data);
+  return (GNUTLS_E_SUCCESS != ret) ? GNUNET_SYSERR : GNUNET_OK;
+}
+
+
+/**
+ * Generate new certificate for specific name
+ *
+ * @param name the subject name to generate a cert for
+ * @return a struct holding the PEM data, NULL on error
+ */
+static struct ProxyGNSCertificate *
+generate_gns_certificate (const char *name)
+{
+  unsigned int serial;
+  size_t key_buf_size;
+  size_t cert_buf_size;
+  gnutls_x509_crt_t request;
+  time_t etime;
+  struct tm *tm_data;
+  struct ProxyGNSCertificate *pgc;
+
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Generating x.509 certificate for `%s'\n",
+              name);
+  GNUNET_break (GNUTLS_E_SUCCESS == gnutls_x509_crt_init (&request));
+  GNUNET_break (GNUTLS_E_SUCCESS == gnutls_x509_crt_set_key (request,
+                                                             proxy_ca.key));
+  pgc = GNUNET_new (struct ProxyGNSCertificate);
+  gnutls_x509_crt_set_dn_by_oid (request,
+                                 GNUTLS_OID_X520_COUNTRY_NAME,
+                                 0,
+                                 "ZZ",
+                                 strlen ("ZZ"));
+  gnutls_x509_crt_set_dn_by_oid (request,
+                                 GNUTLS_OID_X520_ORGANIZATION_NAME,
+                                 0,
+                                 "GNU Name System",
+                                 strlen ("GNU Name System"));
+  gnutls_x509_crt_set_dn_by_oid (request,
+                                 GNUTLS_OID_X520_COMMON_NAME,
+                                 0,
+                                 name,
+                                 strlen (name));
+  gnutls_x509_crt_set_subject_alternative_name (request,
+                                                GNUTLS_SAN_DNSNAME,
+                                                name);
+  GNUNET_break (GNUTLS_E_SUCCESS ==
+                gnutls_x509_crt_set_version (request,
+                                             3));
+  gnutls_rnd (GNUTLS_RND_NONCE,
+              &serial,
+              sizeof(serial));
+  gnutls_x509_crt_set_serial (request,
+                              &serial,
+                              sizeof(serial));
+  etime = time (NULL);
+  tm_data = localtime (&etime);
+  tm_data->tm_hour--;
+  etime = mktime (tm_data);
+  gnutls_x509_crt_set_activation_time (request,
+                                       etime);
+  tm_data->tm_year++;
+  etime = mktime (tm_data);
+  gnutls_x509_crt_set_expiration_time (request,
+                                       etime);
+  gnutls_x509_crt_sign2 (request,
+                         proxy_ca.cert,
+                         proxy_ca.key,
+                         GNUTLS_DIG_SHA512,
+                         0);
+  key_buf_size = sizeof(pgc->key);
+  cert_buf_size = sizeof(pgc->cert);
+  gnutls_x509_crt_export (request,
+                          GNUTLS_X509_FMT_PEM,
+                          pgc->cert,
+                          &cert_buf_size);
+  gnutls_x509_privkey_export (proxy_ca.key,
+                              GNUTLS_X509_FMT_PEM,
+                              pgc->key,
+                              &key_buf_size);
+  gnutls_x509_crt_deinit (request);
+  return pgc;
+}
+
+
+/**
+ * Function called by MHD with errors, suppresses them all.
+ *
+ * @param cls closure
+ * @param fm format string (`printf()`-style)
+ * @param ap arguments to @a fm
+ */
+static void
+mhd_error_log_callback (void *cls,
+                        const char *fm,
+                        va_list ap)
+{
+  /* do nothing */
+}
+
+
+/**
+ * Lookup (or create) an TLS MHD instance for a particular domain.
+ *
+ * @param domain the domain the TLS daemon has to serve
+ * @return NULL on error
+ */
+static struct MhdHttpList *
+lookup_ssl_httpd (const char*domain)
+{
+  struct MhdHttpList *hd;
+  struct ProxyGNSCertificate *pgc;
+
+  if (NULL == domain)
+  {
+    GNUNET_break (0);
+    return NULL;
+  }
+  for (hd = mhd_httpd_head; NULL != hd; hd = hd->next)
+    if ((NULL != hd->domain) &&
+        (0 == strcmp (hd->domain, domain)))
+      return hd;
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Starting fresh MHD HTTPS instance for domain `%s'\n",
+              domain);
+  pgc = generate_gns_certificate (domain);
+  hd = GNUNET_new (struct MhdHttpList);
+  hd->is_ssl = GNUNET_YES;
+  hd->domain = GNUNET_strdup (domain);
+  hd->proxy_cert = pgc;
+  hd->daemon = MHD_start_daemon (MHD_USE_DEBUG | MHD_USE_SSL
+                                 | MHD_USE_NO_LISTEN_SOCKET
+                                 | MHD_ALLOW_SUSPEND_RESUME,
+                                 0,
+                                 NULL, NULL,
+                                 &create_response, hd,
+                                 MHD_OPTION_CONNECTION_TIMEOUT, (unsigned
+                                                                 int) 16,
+                                 MHD_OPTION_NOTIFY_COMPLETED, &mhd_completed_cb,
+                                 NULL,
+                                 MHD_OPTION_NOTIFY_CONNECTION,
+                                 &mhd_connection_cb, NULL,
+                                 MHD_OPTION_URI_LOG_CALLBACK, &mhd_log_callback,
+                                 NULL,
+                                 MHD_OPTION_EXTERNAL_LOGGER,
+                                 &mhd_error_log_callback, NULL,
+                                 MHD_OPTION_HTTPS_MEM_KEY, pgc->key,
+                                 MHD_OPTION_HTTPS_MEM_CERT, pgc->cert,
+                                 MHD_OPTION_END);
+  if (NULL == hd->daemon)
+  {
+    GNUNET_free (pgc);
+    GNUNET_free (hd);
+    return NULL;
+  }
+  GNUNET_CONTAINER_DLL_insert (mhd_httpd_head,
+                               mhd_httpd_tail,
+                               hd);
+  return hd;
+}
+
+
+/**
+ * Task run when a Socks5Request somehow fails to be associated with
+ * an MHD connection (e.g. because the client never speaks HTTP after
+ * the SOCKS5 handshake).  Clean up.
+ *
+ * @param cls the `struct Socks5Request *`
+ */
+static void
+timeout_s5r_handshake (void *cls)
+{
+  struct Socks5Request *s5r = cls;
+
+  s5r->timeout_task = NULL;
+  cleanup_s5r (s5r);
+}
+
+
+/**
+ * We're done with the Socks5 protocol, now we need to pass the
+ * connection data through to the final destination, either
+ * direct (if the protocol might not be HTTP), or via MHD
+ * (if the port looks like it should be HTTP).
+ *
+ * @param s5r socks request that has reached the final stage
+ */
+static void
+setup_data_transfer (struct Socks5Request *s5r)
+{
+  struct MhdHttpList *hd;
+  int fd;
+  const struct sockaddr *addr;
+  socklen_t len;
+  char *domain;
+
+  if (GNUNET_YES == s5r->is_tls)
+  {
+    GNUNET_asprintf (&domain,
+                     "%s",
+                     s5r->domain);
+    hd = lookup_ssl_httpd (domain);
+    if (NULL == hd)
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                  _ ("Failed to start HTTPS server for `%s'\n"),
+                  s5r->domain);
+      cleanup_s5r (s5r);
+      GNUNET_free (domain);
+      return;
+    }
+  }
+  else
+  {
+    domain = NULL;
+    GNUNET_assert (NULL != httpd);
+    hd = httpd;
+  }
+  fd = GNUNET_NETWORK_get_fd (s5r->sock);
+  addr = GNUNET_NETWORK_get_addr (s5r->sock);
+  len = GNUNET_NETWORK_get_addrlen (s5r->sock);
+  s5r->state = SOCKS5_SOCKET_WITH_MHD;
+  if (MHD_YES !=
+      MHD_add_connection (hd->daemon,
+                          fd,
+                          addr,
+                          len))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                _ ("Failed to pass client to MHD\n"));
+    cleanup_s5r (s5r);
+    GNUNET_free (domain);
+    return;
+  }
+  s5r->hd = hd;
+  schedule_httpd (hd);
+  s5r->timeout_task = GNUNET_SCHEDULER_add_delayed (HTTP_HANDSHAKE_TIMEOUT,
+                                                    &timeout_s5r_handshake,
+                                                    s5r);
+  GNUNET_free (domain);
+}
+
+
+/* ********************* SOCKS handling ************************* */
+
+
+/**
+ * Write data from buffer to socks5 client, then continue with state machine.
+ *
+ * @param cls the closure with the `struct Socks5Request`
+ */
+static void
+do_write (void *cls)
+{
+  struct Socks5Request *s5r = cls;
+  ssize_t len;
+
+  s5r->wtask = NULL;
+  len = GNUNET_NETWORK_socket_send (s5r->sock,
+                                    s5r->wbuf,
+                                    s5r->wbuf_len);
+  if (len <= 0)
+  {
+    /* write error: connection closed, shutdown, etc.; just clean up */
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Write Error\n");
+    cleanup_s5r (s5r);
+    return;
+  }
+  memmove (s5r->wbuf,
+           &s5r->wbuf[len],
+           s5r->wbuf_len - len);
+  s5r->wbuf_len -= len;
+  if (s5r->wbuf_len > 0)
+  {
+    /* not done writing */
+    s5r->wtask =
+      GNUNET_SCHEDULER_add_write_net (GNUNET_TIME_UNIT_FOREVER_REL,
+                                      s5r->sock,
+                                      &do_write, s5r);
+    return;
+  }
+
+  /* we're done writing, continue with state machine! */
+
+  switch (s5r->state)
+  {
+  case SOCKS5_INIT:
+    GNUNET_assert (0);
+    break;
+
+  case SOCKS5_REQUEST:
+    GNUNET_assert (NULL != s5r->rtask);
+    break;
+
+  case SOCKS5_DATA_TRANSFER:
+    setup_data_transfer (s5r);
+    return;
+
+  case SOCKS5_WRITE_THEN_CLEANUP:
+    cleanup_s5r (s5r);
+    return;
+
+  default:
+    GNUNET_break (0);
+    break;
+  }
+}
+
+
+/**
+ * Return a server response message indicating a failure to the client.
+ *
+ * @param s5r request to return failure code for
+ * @param sc status code to return
+ */
+static void
+signal_socks_failure (struct Socks5Request *s5r,
+                      enum Socks5StatusCode sc)
+{
+  struct Socks5ServerResponseMessage *s_resp;
+
+  GNUNET_break (0 == s5r->wbuf_len); /* Should happen first in any transmission, right? */
+  GNUNET_assert (SOCKS_BUFFERSIZE - s5r->wbuf_len >=
+                 sizeof(struct Socks5ServerResponseMessage));
+  s_resp = (struct Socks5ServerResponseMessage *) &s5r->wbuf[s5r->wbuf_len];
+  memset (s_resp, 0, sizeof(struct Socks5ServerResponseMessage));
+  s_resp->version = SOCKS_VERSION_5;
+  s_resp->reply = sc;
+  s5r->state = SOCKS5_WRITE_THEN_CLEANUP;
+  if (NULL != s5r->wtask)
+    s5r->wtask =
+      GNUNET_SCHEDULER_add_write_net (GNUNET_TIME_UNIT_FOREVER_REL,
+                                      s5r->sock,
+                                      &do_write, s5r);
+}
+
+
+/**
+ * Return a server response message indicating success.
+ *
+ * @param s5r request to return success status message for
+ */
+static void
+signal_socks_success (struct Socks5Request *s5r)
+{
+  struct Socks5ServerResponseMessage *s_resp;
+
+  s_resp = (struct Socks5ServerResponseMessage *) &s5r->wbuf[s5r->wbuf_len];
+  s_resp->version = SOCKS_VERSION_5;
+  s_resp->reply = SOCKS5_STATUS_REQUEST_GRANTED;
+  s_resp->reserved = 0;
+  s_resp->addr_type = SOCKS5_AT_IPV4;
+  /* zero out IPv4 address and port */
+  memset (&s_resp[1],
+          0,
+          sizeof(struct in_addr) + sizeof(uint16_t));
+  s5r->wbuf_len += sizeof(struct Socks5ServerResponseMessage)
+                   + sizeof(struct in_addr) + sizeof(uint16_t);
+  if (NULL == s5r->wtask)
+    s5r->wtask =
+      GNUNET_SCHEDULER_add_write_net (GNUNET_TIME_UNIT_FOREVER_REL,
+                                      s5r->sock,
+                                      &do_write, s5r);
+}
+
+
+/**
+ * Process GNS results for target domain.
+ *
+ * @param cls the `struct Socks5Request *`
+ * @param tld #GNUNET_YES if this was a GNS TLD.
+ * @param rd_count number of records returned
+ * @param rd record data
+ */
+static void
+handle_gns_result (void *cls,
+                   int tld,
+                   uint32_t rd_count,
+                   const struct GNUNET_GNSRECORD_Data *rd)
+{
+  struct Socks5Request *s5r = cls;
+  const struct GNUNET_GNSRECORD_Data *r;
+  int got_ip;
+
+  s5r->gns_lookup = NULL;
+  s5r->is_gns = tld;
+  got_ip = GNUNET_NO;
+  for (uint32_t i = 0; i < rd_count; i++)
+  {
+    r = &rd[i];
+    switch (r->record_type)
+    {
+    case GNUNET_DNSPARSER_TYPE_A:
+      {
+        struct sockaddr_in *in;
+
+        if (sizeof(struct in_addr) != r->data_size)
+        {
+          GNUNET_break_op (0);
+          break;
+        }
+        if (GNUNET_YES == got_ip)
+          break;
+        if (GNUNET_OK !=
+            GNUNET_NETWORK_test_pf (PF_INET))
+          break;
+        got_ip = GNUNET_YES;
+        in = (struct sockaddr_in *) &s5r->destination_address;
+        in->sin_family = AF_INET;
+        GNUNET_memcpy (&in->sin_addr,
+                       r->data,
+                       r->data_size);
+        in->sin_port = htons (s5r->port);
+#if HAVE_SOCKADDR_IN_SIN_LEN
+        in->sin_len = sizeof(*in);
+#endif
+      }
+      break;
+
+    case GNUNET_DNSPARSER_TYPE_AAAA:
+      {
+        struct sockaddr_in6 *in;
+
+        if (sizeof(struct in6_addr) != r->data_size)
+        {
+          GNUNET_break_op (0);
+          break;
+        }
+        if (GNUNET_YES == got_ip)
+          break;
+        if (GNUNET_YES == disable_v6)
+          break;
+        if (GNUNET_OK !=
+            GNUNET_NETWORK_test_pf (PF_INET6))
+          break;
+        /* FIXME: allow user to disable IPv6 per configuration option... */
+        got_ip = GNUNET_YES;
+        in = (struct sockaddr_in6 *) &s5r->destination_address;
+        in->sin6_family = AF_INET6;
+        GNUNET_memcpy (&in->sin6_addr,
+                       r->data,
+                       r->data_size);
+        in->sin6_port = htons (s5r->port);
+#if HAVE_SOCKADDR_IN_SIN_LEN
+        in->sin6_len = sizeof(*in);
+#endif
+      }
+      break;
+
+    case GNUNET_GNSRECORD_TYPE_VPN:
+      GNUNET_break (0);    /* should have been translated within GNS */
+      break;
+
+    case GNUNET_GNSRECORD_TYPE_LEHO:
+      GNUNET_free (s5r->leho);
+      s5r->leho = GNUNET_strndup (r->data,
+                                  r->data_size);
+      break;
+
+    case GNUNET_GNSRECORD_TYPE_BOX:
+      {
+        const struct GNUNET_GNSRECORD_BoxRecord *box;
+
+        if (r->data_size < sizeof(struct GNUNET_GNSRECORD_BoxRecord))
+        {
+          GNUNET_break_op (0);
+          break;
+        }
+        box = r->data;
+        if ((ntohl (box->record_type) != GNUNET_DNSPARSER_TYPE_TLSA) ||
+            (ntohs (box->protocol) != IPPROTO_TCP) ||
+            (ntohs (box->service) != s5r->port))
+          break;   /* BOX record does not apply */
+        if (s5r->num_danes >= MAX_DANES)
+        {
+          GNUNET_break (0);     /* MAX_DANES too small */
+          break;
+        }
+        s5r->is_tls = GNUNET_YES;   /* This should be TLS */
+        s5r->dane_data_len[s5r->num_danes]
+          = r->data_size - sizeof(struct GNUNET_GNSRECORD_BoxRecord);
+        s5r->dane_data[s5r->num_danes]
+          = GNUNET_memdup (&box[1],
+                           s5r->dane_data_len[s5r->num_danes]);
+        s5r->num_danes++;
+        break;
+      }
+
+    default:
+      /* don't care */
+      break;
+    }
+  }
+  if ((GNUNET_YES != got_ip) &&
+      (GNUNET_YES == tld))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Name resolution failed to yield useful IP address.\n");
+    signal_socks_failure (s5r,
+                          SOCKS5_STATUS_GENERAL_FAILURE);
+    return;
+  }
+  s5r->state = SOCKS5_DATA_TRANSFER;
+  signal_socks_success (s5r);
+}
+
+
+/**
+ * Remove the first @a len bytes from the beginning of the read buffer.
+ *
+ * @param s5r the handle clear the read buffer for
+ * @param len number of bytes in read buffer to advance
+ */
+static void
+clear_from_s5r_rbuf (struct Socks5Request *s5r,
+                     size_t len)
+{
+  GNUNET_assert (len <= s5r->rbuf_len);
+  memmove (s5r->rbuf,
+           &s5r->rbuf[len],
+           s5r->rbuf_len - len);
+  s5r->rbuf_len -= len;
+}
+
+
+/**
+ * Read data from incoming Socks5 connection
+ *
+ * @param cls the closure with the `struct Socks5Request`
+ */
+static void
+do_s5r_read (void *cls)
+{
+  struct Socks5Request *s5r = cls;
+  const struct Socks5ClientHelloMessage *c_hello;
+  struct Socks5ServerHelloMessage *s_hello;
+  const struct Socks5ClientRequestMessage *c_req;
+  ssize_t rlen;
+  size_t alen;
+  const struct GNUNET_SCHEDULER_TaskContext *tc;
+
+  s5r->rtask = NULL;
+  tc = GNUNET_SCHEDULER_get_task_context ();
+  if ((NULL != tc->read_ready) &&
+      (GNUNET_NETWORK_fdset_isset (tc->read_ready,
+                                   s5r->sock)))
+  {
+    rlen = GNUNET_NETWORK_socket_recv (s5r->sock,
+                                       &s5r->rbuf[s5r->rbuf_len],
+                                       sizeof(s5r->rbuf) - s5r->rbuf_len);
+    if (rlen <= 0)
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                  "socks5 client disconnected.\n");
+      cleanup_s5r (s5r);
+      return;
+    }
+    s5r->rbuf_len += rlen;
+  }
+  s5r->rtask = GNUNET_SCHEDULER_add_read_net (GNUNET_TIME_UNIT_FOREVER_REL,
+                                              s5r->sock,
+                                              &do_s5r_read, s5r);
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Processing %zu bytes of socks data in state %d\n",
+              s5r->rbuf_len,
+              s5r->state);
+  switch (s5r->state)
+  {
+  case SOCKS5_INIT:
+    c_hello = (const struct Socks5ClientHelloMessage*) &s5r->rbuf;
+    if ((s5r->rbuf_len < sizeof(struct Socks5ClientHelloMessage)) ||
+        (s5r->rbuf_len < sizeof(struct Socks5ClientHelloMessage)
+         + c_hello->num_auth_methods))
+      return;   /* need more data */
+    if (SOCKS_VERSION_5 != c_hello->version)
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                  _ ("Unsupported socks version %d\n"),
+                  (int) c_hello->version);
+      cleanup_s5r (s5r);
+      return;
+    }
+    clear_from_s5r_rbuf (s5r,
+                         sizeof(struct Socks5ClientHelloMessage)
+                         + c_hello->num_auth_methods);
+    GNUNET_assert (0 == s5r->wbuf_len);
+    s_hello = (struct Socks5ServerHelloMessage *) &s5r->wbuf;
+    s5r->wbuf_len = sizeof(struct Socks5ServerHelloMessage);
+    s_hello->version = SOCKS_VERSION_5;
+    s_hello->auth_method = SOCKS_AUTH_NONE;
+    GNUNET_assert (NULL == s5r->wtask);
+    s5r->wtask = GNUNET_SCHEDULER_add_write_net (GNUNET_TIME_UNIT_FOREVER_REL,
+                                                 s5r->sock,
+                                                 &do_write, s5r);
+    s5r->state = SOCKS5_REQUEST;
+    return;
+
+  case SOCKS5_REQUEST:
+    c_req = (const struct Socks5ClientRequestMessage *) &s5r->rbuf;
+    if (s5r->rbuf_len < sizeof(struct Socks5ClientRequestMessage))
+      return;
+    switch (c_req->command)
+    {
+    case SOCKS5_CMD_TCP_STREAM:
+      /* handled below */
+      break;
+
+    default:
+      GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                  _ ("Unsupported socks command %d\n"),
+                  (int) c_req->command);
+      signal_socks_failure (s5r,
+                            SOCKS5_STATUS_COMMAND_NOT_SUPPORTED);
+      return;
+    }
+    switch (c_req->addr_type)
+    {
+    case SOCKS5_AT_IPV4:
+      {
+        const struct in_addr *v4 = (const struct in_addr *) &c_req[1];
+        const uint16_t *port = (const uint16_t *) &v4[1];
+        struct sockaddr_in *in;
+
+        s5r->port = ntohs (*port);
+        alen = sizeof(struct in_addr);
+        if (s5r->rbuf_len < sizeof(struct Socks5ClientRequestMessage)
+            + alen + sizeof(uint16_t))
+          return;     /* need more data */
+        in = (struct sockaddr_in *) &s5r->destination_address;
+        in->sin_family = AF_INET;
+        in->sin_addr = *v4;
+        in->sin_port = *port;
+#if HAVE_SOCKADDR_IN_SIN_LEN
+        in->sin_len = sizeof(*in);
+#endif
+        s5r->state = SOCKS5_DATA_TRANSFER;
+      }
+      break;
+
+    case SOCKS5_AT_IPV6:
+      {
+        const struct in6_addr *v6 = (const struct in6_addr *) &c_req[1];
+        const uint16_t *port = (const uint16_t *) &v6[1];
+        struct sockaddr_in6 *in;
+
+        s5r->port = ntohs (*port);
+        alen = sizeof(struct in6_addr);
+        if (s5r->rbuf_len < sizeof(struct Socks5ClientRequestMessage)
+            + alen + sizeof(uint16_t))
+          return;     /* need more data */
+        in = (struct sockaddr_in6 *) &s5r->destination_address;
+        in->sin6_family = AF_INET6;
+        in->sin6_addr = *v6;
+        in->sin6_port = *port;
+#if HAVE_SOCKADDR_IN_SIN_LEN
+        in->sin6_len = sizeof(*in);
+#endif
+        s5r->state = SOCKS5_DATA_TRANSFER;
+      }
+      break;
+
+    case SOCKS5_AT_DOMAINNAME:
+      {
+        const uint8_t *dom_len;
+        const char *dom_name;
+        const uint16_t *port;
+
+        dom_len = (const uint8_t *) &c_req[1];
+        alen = *dom_len + 1;
+        if (s5r->rbuf_len < sizeof(struct Socks5ClientRequestMessage)
+            + alen + sizeof(uint16_t))
+          return;     /* need more data */
+        dom_name = (const char *) &dom_len[1];
+        port = (const uint16_t *) &dom_name[*dom_len];
+        s5r->domain = GNUNET_strndup (dom_name,
+                                      *dom_len);
+        GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                    "Requested connection is to %s:%d\n",
+                    // (HTTPS_PORT == s5r->port) ? "s" : "",
+                    s5r->domain,
+                    ntohs (*port));
+        s5r->state = SOCKS5_RESOLVING;
+        s5r->port = ntohs (*port);
+        s5r->is_tls = (HTTPS_PORT == s5r->port) ? GNUNET_YES : GNUNET_NO;
+        s5r->gns_lookup = GNUNET_GNS_lookup_with_tld (gns_handle,
+                                                      s5r->domain,
+                                                      GNUNET_DNSPARSER_TYPE_A,
+                                                      GNUNET_GNS_LO_LOCAL_MASTER /* only cached */,
+                                                      &handle_gns_result,
+                                                      s5r);
+        break;
+      }
+
+    default:
+      GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                  _ ("Unsupported socks address type %d\n"),
+                  (int) c_req->addr_type);
+      signal_socks_failure (s5r,
+                            SOCKS5_STATUS_ADDRESS_TYPE_NOT_SUPPORTED);
+      return;
+    }
+    clear_from_s5r_rbuf (s5r,
+                         sizeof(struct Socks5ClientRequestMessage)
+                         + alen + sizeof(uint16_t));
+    if (0 != s5r->rbuf_len)
+    {
+      /* read more bytes than healthy, why did the client send more!? */
+      GNUNET_break_op (0);
+      signal_socks_failure (s5r,
+                            SOCKS5_STATUS_GENERAL_FAILURE);
+      return;
+    }
+    if (SOCKS5_DATA_TRANSFER == s5r->state)
+    {
+      /* if we are not waiting for GNS resolution, signal success */
+      signal_socks_success (s5r);
+    }
+    /* We are done reading right now */
+    GNUNET_SCHEDULER_cancel (s5r->rtask);
+    s5r->rtask = NULL;
+    return;
+
+  case SOCKS5_RESOLVING:
+    GNUNET_assert (0);
+    return;
+
+  case SOCKS5_DATA_TRANSFER:
+    GNUNET_assert (0);
+    return;
+
+  default:
+    GNUNET_assert (0);
+    return;
+  }
+}
+
+
+/**
+ * Accept new incoming connections
+ *
+ * @param cls the closure with the lsock4 or lsock6
+ */
+static void
+do_accept (void *cls)
+{
+  struct GNUNET_NETWORK_Handle *lsock = cls;
+  struct GNUNET_NETWORK_Handle *s;
+  struct Socks5Request *s5r;
+
+  GNUNET_assert (NULL != lsock);
+  if (lsock == lsock4)
+    ltask4 = GNUNET_SCHEDULER_add_read_net (GNUNET_TIME_UNIT_FOREVER_REL,
+                                            lsock,
+                                            &do_accept,
+                                            lsock);
+  else if (lsock == lsock6)
+    ltask6 = GNUNET_SCHEDULER_add_read_net (GNUNET_TIME_UNIT_FOREVER_REL,
+                                            lsock,
+                                            &do_accept,
+                                            lsock);
+  else
+    GNUNET_assert (0);
+  s = GNUNET_NETWORK_socket_accept (lsock,
+                                    NULL,
+                                    NULL);
+  if (NULL == s)
+  {
+    GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR,
+                         "accept");
+    return;
+  }
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Got an inbound connection, waiting for data\n");
+  s5r = GNUNET_new (struct Socks5Request);
+  GNUNET_CONTAINER_DLL_insert (s5r_head,
+                               s5r_tail,
+                               s5r);
+  s5r->sock = s;
+  s5r->state = SOCKS5_INIT;
+  s5r->rtask = GNUNET_SCHEDULER_add_read_net (GNUNET_TIME_UNIT_FOREVER_REL,
+                                              s5r->sock,
+                                              &do_s5r_read,
+                                              s5r);
+}
+
+
+/* ******************* General / main code ********************* */
+
+
+/**
+ * Task run on shutdown
+ *
+ * @param cls closure
+ */
+static void
+do_shutdown (void *cls)
+{
+  GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+              "Shutting down...\n");
+  /* MHD requires resuming before destroying the daemons */
+  for (struct Socks5Request *s5r = s5r_head;
+       NULL != s5r;
+       s5r = s5r->next)
+  {
+    if (s5r->suspended)
+    {
+      s5r->suspended = GNUNET_NO;
+      MHD_resume_connection (s5r->con);
+    }
+  }
+  while (NULL != mhd_httpd_head)
+    kill_httpd (mhd_httpd_head);
+  while (NULL != s5r_head)
+    cleanup_s5r (s5r_head);
+  if (NULL != lsock4)
+  {
+    GNUNET_NETWORK_socket_close (lsock4);
+    lsock4 = NULL;
+  }
+  if (NULL != lsock6)
+  {
+    GNUNET_NETWORK_socket_close (lsock6);
+    lsock6 = NULL;
+  }
+  if (NULL != curl_multi)
+  {
+    curl_multi_cleanup (curl_multi);
+    curl_multi = NULL;
+  }
+  if (NULL != gns_handle)
+  {
+    GNUNET_GNS_disconnect (gns_handle);
+    gns_handle = NULL;
+  }
+  if (NULL != curl_download_task)
+  {
+    GNUNET_SCHEDULER_cancel (curl_download_task);
+    curl_download_task = NULL;
+  }
+  if (NULL != ltask4)
+  {
+    GNUNET_SCHEDULER_cancel (ltask4);
+    ltask4 = NULL;
+  }
+  if (NULL != ltask6)
+  {
+    GNUNET_SCHEDULER_cancel (ltask6);
+    ltask6 = NULL;
+  }
+  gnutls_x509_crt_deinit (proxy_ca.cert);
+  gnutls_x509_privkey_deinit (proxy_ca.key);
+  gnutls_global_deinit ();
+}
+
+
+/**
+ * Create an IPv4 listen socket bound to our port.
+ *
+ * @return NULL on error
+ */
+static struct GNUNET_NETWORK_Handle *
+bind_v4 ()
+{
+  struct GNUNET_NETWORK_Handle *ls;
+  struct sockaddr_in sa4;
+  int eno;
+
+  memset (&sa4, 0, sizeof(sa4));
+  sa4.sin_family = AF_INET;
+  sa4.sin_port = htons (port);
+  sa4.sin_addr.s_addr = address;
+#if HAVE_SOCKADDR_IN_SIN_LEN
+  sa4.sin_len = sizeof(sa4);
+#endif
+  ls = GNUNET_NETWORK_socket_create (AF_INET,
+                                     SOCK_STREAM,
+                                     0);
+  if (NULL == ls)
+    return NULL;
+  if (GNUNET_OK !=
+      GNUNET_NETWORK_socket_bind (ls,
+                                  (const struct sockaddr *) &sa4,
+                                  sizeof(sa4)))
+  {
+    eno = errno;
+    GNUNET_NETWORK_socket_close (ls);
+    errno = eno;
+    return NULL;
+  }
+  return ls;
+}
+
+
+/**
+ * Create an IPv6 listen socket bound to our port.
+ *
+ * @return NULL on error
+ */
+static struct GNUNET_NETWORK_Handle *
+bind_v6 ()
+{
+  struct GNUNET_NETWORK_Handle *ls;
+  struct sockaddr_in6 sa6;
+  int eno;
+
+  memset (&sa6, 0, sizeof(sa6));
+  sa6.sin6_family = AF_INET6;
+  sa6.sin6_port = htons (port);
+  sa6.sin6_addr = address6;
+#if HAVE_SOCKADDR_IN_SIN_LEN
+  sa6.sin6_len = sizeof(sa6);
+#endif
+  ls = GNUNET_NETWORK_socket_create (AF_INET6,
+                                     SOCK_STREAM,
+                                     0);
+  if (NULL == ls)
+    return NULL;
+  if (GNUNET_OK !=
+      GNUNET_NETWORK_socket_bind (ls,
+                                  (const struct sockaddr *) &sa6,
+                                  sizeof(sa6)))
+  {
+    eno = errno;
+    GNUNET_NETWORK_socket_close (ls);
+    errno = eno;
+    return NULL;
+  }
+  return ls;
+}
+
+
+/**
+ * Main function that will be run
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param c configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *c)
+{
+  char*cafile_cfg = NULL;
+  char*cafile;
+  char*addr_str;
+  struct MhdHttpList *hd;
+
+  cfg = c;
+
+  /* Get address to bind to */
+  if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_string (cfg, "gns-proxy",
+                                                          "BIND_TO",
+                                                          &addr_str))
+  {
+    // No address specified
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Don't know what to bind to...\n");
+    GNUNET_free (addr_str);
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  if (1 != inet_pton (AF_INET, addr_str, &address))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Unable to parse address %s\n",
+                addr_str);
+    GNUNET_free (addr_str);
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  GNUNET_free (addr_str);
+  /* Get address to bind to */
+  if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_string (cfg, "gns-proxy",
+                                                          "BIND_TO6",
+                                                          &addr_str))
+  {
+    // No address specified
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Don't know what to bind6 to...\n");
+    GNUNET_free (addr_str);
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  if (1 != inet_pton (AF_INET6, addr_str, &address6))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Unable to parse IPv6 address %s\n",
+                addr_str);
+    GNUNET_free (addr_str);
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  GNUNET_free (addr_str);
+
+  if (NULL == (curl_multi = curl_multi_init ()))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Failed to create cURL multi handle!\n");
+    return;
+  }
+  cafile = cafile_opt;
+  if (NULL == cafile)
+  {
+    if (GNUNET_OK !=
+        GNUNET_CONFIGURATION_get_value_filename (cfg,
+                                                 "gns-proxy",
+                                                 "PROXY_CACERT",
+                                                 &cafile_cfg))
+    {
+      GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
+                                 "gns-proxy",
+                                 "PROXY_CACERT");
+      return;
+    }
+    cafile = cafile_cfg;
+  }
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Using `%s' as CA\n",
+              cafile);
+
+  gnutls_global_init ();
+  gnutls_x509_crt_init (&proxy_ca.cert);
+  gnutls_x509_privkey_init (&proxy_ca.key);
+
+  if ((GNUNET_OK !=
+       load_cert_from_file (proxy_ca.cert,
+                            cafile)) ||
+      (GNUNET_OK !=
+       load_key_from_file (proxy_ca.key,
+                           cafile)))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                _ ("Failed to load X.509 key and certificate from `%s'\n"),
+                cafile);
+    gnutls_x509_crt_deinit (proxy_ca.cert);
+    gnutls_x509_privkey_deinit (proxy_ca.key);
+    gnutls_global_deinit ();
+    GNUNET_free (cafile_cfg);
+    return;
+  }
+  GNUNET_free (cafile_cfg);
+  if (NULL == (gns_handle = GNUNET_GNS_connect (cfg)))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Unable to connect to GNS!\n");
+    gnutls_x509_crt_deinit (proxy_ca.cert);
+    gnutls_x509_privkey_deinit (proxy_ca.key);
+    gnutls_global_deinit ();
+    return;
+  }
+  GNUNET_SCHEDULER_add_shutdown (&do_shutdown,
+                                 NULL);
+
+  /* Open listen socket for socks proxy */
+  lsock6 = bind_v6 ();
+  if (NULL == lsock6)
+  {
+    GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR,
+                         "bind");
+  }
+  else
+  {
+    if (GNUNET_OK !=
+        GNUNET_NETWORK_socket_listen (lsock6,
+                                      5))
+    {
+      GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR,
+                           "listen");
+      GNUNET_NETWORK_socket_close (lsock6);
+      lsock6 = NULL;
+    }
+    else
+    {
+      ltask6 = GNUNET_SCHEDULER_add_read_net (GNUNET_TIME_UNIT_FOREVER_REL,
+                                              lsock6,
+                                              &do_accept,
+                                              lsock6);
+    }
+  }
+  lsock4 = bind_v4 ();
+  if (NULL == lsock4)
+  {
+    GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR,
+                         "bind");
+  }
+  else
+  {
+    if (GNUNET_OK !=
+        GNUNET_NETWORK_socket_listen (lsock4,
+                                      5))
+    {
+      GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR,
+                           "listen");
+      GNUNET_NETWORK_socket_close (lsock4);
+      lsock4 = NULL;
+    }
+    else
+    {
+      ltask4 = GNUNET_SCHEDULER_add_read_net (GNUNET_TIME_UNIT_FOREVER_REL,
+                                              lsock4,
+                                              &do_accept,
+                                              lsock4);
+    }
+  }
+  if ((NULL == lsock4) &&
+      (NULL == lsock6))
+  {
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  if (CURLSSLSET_OK != curl_global_sslset (CURLSSLBACKEND_GNUTLS,
+                                           NULL,
+                                           NULL))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                "cURL does not support the GnuTLS backend\n");
+
+  }
+  if (0 != curl_global_init (CURL_GLOBAL_WIN32))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "cURL global init failed!\n");
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Proxy listens on port %u\n",
+              (unsigned int) port);
+
+  /* start MHD daemon for HTTP */
+  hd = GNUNET_new (struct MhdHttpList);
+  hd->daemon = MHD_start_daemon (MHD_USE_DEBUG | MHD_USE_NO_LISTEN_SOCKET
+                                 | MHD_ALLOW_SUSPEND_RESUME,
+                                 0,
+                                 NULL, NULL,
+                                 &create_response, hd,
+                                 MHD_OPTION_CONNECTION_TIMEOUT, (unsigned
+                                                                 int) 16,
+                                 MHD_OPTION_NOTIFY_COMPLETED, &mhd_completed_cb,
+                                 NULL,
+                                 MHD_OPTION_NOTIFY_CONNECTION,
+                                 &mhd_connection_cb, NULL,
+                                 MHD_OPTION_URI_LOG_CALLBACK, &mhd_log_callback,
+                                 NULL,
+                                 MHD_OPTION_END);
+  if (NULL == hd->daemon)
+  {
+    GNUNET_free (hd);
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  httpd = hd;
+  GNUNET_CONTAINER_DLL_insert (mhd_httpd_head,
+                               mhd_httpd_tail,
+                               hd);
+}
+
+
+/**
+ * The main function for gnunet-gns-proxy.
+ *
+ * @param argc number of arguments from the command line
+ * @param argv command line arguments
+ * @return 0 ok, 1 on error
+ */
+int
+main (int argc,
+      char *const *argv)
+{
+  struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_option_uint16 ('p',
+                                 "port",
+                                 NULL,
+                                 gettext_noop (
+                                   "listen on specified port (default: 7777)"),
+                                 &port),
+    GNUNET_GETOPT_option_string ('a',
+                                 "authority",
+                                 NULL,
+                                 gettext_noop ("pem file to use as CA"),
+                                 &cafile_opt),
+    GNUNET_GETOPT_option_flag ('6',
+                               "disable-ivp6",
+                               gettext_noop ("disable use of IPv6"),
+                               &disable_v6),
+
+    GNUNET_GETOPT_OPTION_END
+  };
+  static const char*page =
+    "<html><head><title>gnunet-gns-proxy</title>"
+    "</head><body>cURL fail</body></html>";
+  int ret;
+
+  if (GNUNET_OK !=
+      GNUNET_STRINGS_get_utf8_args (argc, argv,
+                                    &argc, &argv))
+    return 2;
+  GNUNET_log_setup ("gnunet-gns-proxy",
+                    "WARNING",
+                    NULL);
+  curl_failure_response
+    = MHD_create_response_from_buffer (strlen (page),
+                                       (void *) page,
+                                       MHD_RESPMEM_PERSISTENT);
+
+  ret =
+    (GNUNET_OK ==
+     GNUNET_PROGRAM_run (argc, argv,
+                         "gnunet-gns-proxy",
+                         _ ("GNUnet GNS proxy"),
+                         options,
+                         &run, NULL)) ? 0 : 1;
+  MHD_destroy_response (curl_failure_response);
+  GNUNET_free_nz ((char *) argv);
+  return ret;
+}
+
+
+/* end of gnunet-gns-proxy.c */
diff --git a/src/service/gns/gnunet-service-gns.c b/src/service/gns/gnunet-service-gns.c
new file mode 100644
index 000000000..aaf82a557
--- /dev/null
+++ b/src/service/gns/gnunet-service-gns.c
@@ -0,0 +1,618 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2011-2018 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file gns/gnunet-service-gns.c
+ * @brief GNU Name System (main service)
+ * @author Martin Schanzenbach
+ * @author Christian Grothoff
+ */
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include "gnunet_dns_service.h"
+#include "gnunet_dht_service.h"
+#include "gnunet_namecache_service.h"
+#include "gnunet_gnsrecord_lib.h"
+#include "gnunet_gns_service.h"
+#include "gnunet_statistics_service.h"
+#include "gns.h"
+#include "gnunet-service-gns_resolver.h"
+#include "gnunet-service-gns_interceptor.h"
+#include "gnunet_protocols.h"
+
+
+/**
+ * GnsClient prototype
+ */
+struct GnsClient;
+
+/**
+ * Handle to a lookup operation from client via API.
+ */
+struct ClientLookupHandle
+{
+  /**
+   * We keep these in a DLL.
+   */
+  struct ClientLookupHandle *next;
+
+  /**
+   * We keep these in a DLL.
+   */
+  struct ClientLookupHandle *prev;
+
+  /**
+   * Client handle
+   */
+  struct GnsClient *gc;
+
+  /**
+   * Active handle for the lookup.
+   */
+  struct GNS_ResolverHandle *lookup;
+
+  /**
+   * request id
+   */
+  uint32_t request_id;
+};
+
+
+/**
+ * Information we track per connected client.
+ */
+struct GnsClient
+{
+  /**
+   * The client
+   */
+  struct GNUNET_SERVICE_Client *client;
+
+  /**
+   * The MQ
+   */
+  struct GNUNET_MQ_Handle *mq;
+
+  /**
+   * Head of the DLL.
+   */
+  struct ClientLookupHandle *clh_head;
+
+  /**
+   * Tail of the DLL.
+   */
+  struct ClientLookupHandle *clh_tail;
+};
+
+
+/**
+ * Representation of a TLD, mapping the respective TLD string
+ * (e.g. ".gnu") to the respective public key of the zone.
+ */
+struct GNS_TopLevelDomain
+{
+  /**
+   * Kept in a DLL, as there are unlikely enough of these to
+   * warrant a hash map.
+   */
+  struct GNS_TopLevelDomain *next;
+
+  /**
+   * Kept in a DLL, as there are unlikely enough of these to
+   * warrant a hash map.
+   */
+  struct GNS_TopLevelDomain *prev;
+
+  /**
+   * Public key associated with the @a tld.
+   */
+  struct GNUNET_CRYPTO_PublicKey pkey;
+
+  /**
+   * Top-level domain as a string, including leading ".".
+   */
+  char *tld;
+};
+
+
+/**
+ * Our handle to the DHT
+ */
+static struct GNUNET_DHT_Handle *dht_handle;
+
+/**
+ * Our handle to the namecache service
+ */
+static struct GNUNET_NAMECACHE_Handle *namecache_handle;
+
+/**
+ * #GNUNET_YES if ipv6 is supported
+ */
+static int v6_enabled;
+
+/**
+ * #GNUNET_YES if ipv4 is supported
+ */
+static int v4_enabled;
+
+/**
+ * Handle to the statistics service
+ */
+static struct GNUNET_STATISTICS_Handle *statistics;
+
+/**
+ * Head of DLL of TLDs we map to GNS zones.
+ */
+static struct GNS_TopLevelDomain *tld_head;
+
+/**
+ * Tail of DLL of TLDs we map to GNS zones.
+ */
+static struct GNS_TopLevelDomain *tld_tail;
+
+
+/**
+ * Find GNS zone belonging to TLD @a tld.
+ *
+ * @param tld_str top-level domain to look up
+ * @param[out] pkey public key to set
+ * @return #GNUNET_YES if @a tld was found #GNUNET_NO if not
+ */
+int
+GNS_find_tld (const char *tld_str,
+              struct GNUNET_CRYPTO_PublicKey *pkey)
+{
+  if ('\0' == *tld_str)
+    return GNUNET_NO;
+  for (struct GNS_TopLevelDomain *tld = tld_head;
+       NULL != tld;
+       tld = tld->next)
+  {
+    if (0 == strcasecmp (tld_str,
+                         tld->tld))
+    {
+      *pkey = tld->pkey;
+      return GNUNET_YES;
+    }
+  }
+  if (GNUNET_OK ==
+      GNUNET_GNSRECORD_zkey_to_pkey (tld_str + 1,
+                                     pkey))
+    return GNUNET_YES; /* TLD string *was* the public key */
+  return GNUNET_NO;
+}
+
+
+/**
+ * Obtain the TLD of the given @a name.
+ *
+ * @param name a name
+ * @return the part of @a name after the last ".",
+ *         or @a name if @a name does not contain a "."
+ */
+const char *
+GNS_get_tld (const char *name)
+{
+  const char *tld;
+
+  tld = strrchr (name,
+                 (unsigned char) '.');
+  if (NULL == tld)
+    tld = name;
+  else
+    tld++; /* skip the '.' */
+  return tld;
+}
+
+
+/**
+ * Task run during shutdown.
+ *
+ * @param cls unused, NULL
+ */
+static void
+shutdown_task (void *cls)
+{
+  struct GNS_TopLevelDomain *tld;
+
+  (void) cls;
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Shutting down!\n");
+  GNS_interceptor_done ();
+  GNS_resolver_done ();
+  if (NULL != statistics)
+  {
+    GNUNET_STATISTICS_destroy (statistics,
+                               GNUNET_NO);
+    statistics = NULL;
+  }
+  if (NULL != namecache_handle)
+  {
+    GNUNET_NAMECACHE_disconnect (namecache_handle);
+    namecache_handle = NULL;
+  }
+  if (NULL != dht_handle)
+  {
+    GNUNET_DHT_disconnect (dht_handle);
+    dht_handle = NULL;
+  }
+  while (NULL != (tld = tld_head))
+  {
+    GNUNET_CONTAINER_DLL_remove (tld_head,
+                                 tld_tail,
+                                 tld);
+    GNUNET_free (tld->tld);
+    GNUNET_free (tld);
+  }
+}
+
+
+/**
+ * Called whenever a client is disconnected.
+ *
+ * @param cls closure
+ * @param client identification of the client
+ * @param app_ctx @a client
+ */
+static void
+client_disconnect_cb (void *cls,
+                      struct GNUNET_SERVICE_Client *client,
+                      void *app_ctx)
+{
+  struct ClientLookupHandle *clh;
+  struct GnsClient *gc = app_ctx;
+
+  (void) cls;
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Client %p disconnected\n",
+              client);
+  while (NULL != (clh = gc->clh_head))
+  {
+    if (NULL != clh->lookup)
+      GNS_resolver_lookup_cancel (clh->lookup);
+    GNUNET_CONTAINER_DLL_remove (gc->clh_head,
+                                 gc->clh_tail,
+                                 clh);
+    GNUNET_free (clh);
+  }
+  GNUNET_free (gc);
+}
+
+
+/**
+ * Add a client to our list of active clients.
+ *
+ * @param cls NULL
+ * @param client client to add
+ * @param mq message queue for @a client
+ * @return internal namestore client structure for this client
+ */
+static void *
+client_connect_cb (void *cls,
+                   struct GNUNET_SERVICE_Client *client,
+                   struct GNUNET_MQ_Handle *mq)
+{
+  struct GnsClient *gc;
+
+  (void) cls;
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Client %p connected\n",
+              client);
+  gc = GNUNET_new (struct GnsClient);
+  gc->client = client;
+  gc->mq = mq;
+  return gc;
+}
+
+
+/**
+ * Reply to client with the result from our lookup.
+ *
+ * @param cls the closure (our client lookup handle)
+ * @param rd_count the number of records in @a rd
+ * @param rd the record data
+ */
+static void
+send_lookup_response (void *cls,
+                      uint32_t rd_count,
+                      const struct GNUNET_GNSRECORD_Data *rd)
+{
+  struct ClientLookupHandle *clh = cls;
+  struct GnsClient *gc = clh->gc;
+  struct GNUNET_MQ_Envelope *env;
+  struct LookupResultMessage *rmsg;
+  ssize_t len;
+
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Sending LOOKUP_RESULT message with %u results\n",
+              (unsigned int) rd_count);
+  len = GNUNET_GNSRECORD_records_get_size (rd_count,
+                                           rd);
+  if (len < 0)
+  {
+    GNUNET_break (0);
+    GNUNET_SERVICE_client_drop (gc->client);
+    return;
+  }
+  if (len > UINT16_MAX - sizeof(*rmsg))
+  {
+    GNUNET_break (0);
+    GNUNET_SERVICE_client_drop (gc->client);
+    return;
+  }
+  env = GNUNET_MQ_msg_extra (rmsg,
+                             len,
+                             GNUNET_MESSAGE_TYPE_GNS_LOOKUP_RESULT);
+  rmsg->id = clh->request_id;
+  rmsg->rd_count = htonl (rd_count);
+  GNUNET_assert (len ==
+                 GNUNET_GNSRECORD_records_serialize (rd_count,
+                                                     rd,
+                                                     len,
+                                                     (char *) &rmsg[1]));
+  GNUNET_MQ_send (GNUNET_SERVICE_client_get_mq (gc->client),
+                  env);
+  GNUNET_CONTAINER_DLL_remove (gc->clh_head,
+                               gc->clh_tail,
+                               clh);
+  GNUNET_free (clh);
+  GNUNET_STATISTICS_update (statistics,
+                            "Completed lookups", 1,
+                            GNUNET_NO);
+  GNUNET_STATISTICS_update (statistics,
+                            "Records resolved",
+                            rd_count,
+                            GNUNET_NO);
+}
+
+
+/**
+ * Checks a #GNUNET_MESSAGE_TYPE_GNS_LOOKUP message
+ *
+ * @param cls client sending the message
+ * @param l_msg message of type `struct LookupMessage`
+ * @return #GNUNET_OK if @a l_msg is well-formed
+ */
+static int
+check_lookup (void *cls,
+              const struct LookupMessage *l_msg)
+{
+  size_t nlen;
+  size_t klen;
+
+  (void) cls;
+  klen = ntohl (l_msg->key_len);
+  nlen = ntohs (l_msg->header.size) - sizeof(struct LookupMessage) - klen;
+  if (nlen > GNUNET_DNSPARSER_MAX_NAME_LENGTH)
+  {
+    GNUNET_break (0);
+    return GNUNET_SYSERR;
+  }
+  return GNUNET_OK;
+}
+
+
+/**
+ * Handle lookup requests from client
+ *
+ * @param cls the closure
+ * @param sh_msg the message
+ */
+static void
+handle_lookup (void *cls,
+               const struct LookupMessage *sh_msg)
+{
+  struct GnsClient *gc = cls;
+  struct ClientLookupHandle *clh;
+  struct GNUNET_CRYPTO_PublicKey zone;
+  const char *name;
+  size_t key_len;
+  size_t read;
+
+  GNUNET_SERVICE_client_continue (gc->client);
+  key_len = ntohl (sh_msg->key_len);
+  clh = GNUNET_new (struct ClientLookupHandle);
+  GNUNET_CONTAINER_DLL_insert (gc->clh_head,
+                               gc->clh_tail,
+                               clh);
+  clh->gc = gc;
+  clh->request_id = sh_msg->id;
+  if ((GNUNET_SYSERR ==
+       GNUNET_CRYPTO_read_public_key_from_buffer (&sh_msg[1],
+                                                    key_len,
+                                                    &zone,
+                                                    &read)) ||
+      (read != key_len))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "LOOKUP: Failed to read zone key!");
+    send_lookup_response (clh,
+                          0,
+                          NULL);
+    return;
+  }
+  name = (const char *) &sh_msg[1] + key_len;
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Received LOOKUP `%s' message\n",
+              name);
+  if ((GNUNET_DNSPARSER_TYPE_A == ntohl (sh_msg->type)) &&
+      (GNUNET_OK != v4_enabled))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "LOOKUP: Query for A record but AF_INET not supported!");
+    send_lookup_response (clh,
+                          0,
+                          NULL);
+    return;
+  }
+  if ((GNUNET_DNSPARSER_TYPE_AAAA == ntohl (sh_msg->type)) &&
+      (GNUNET_OK != v6_enabled))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "LOOKUP: Query for AAAA record but AF_INET6 not supported!");
+    send_lookup_response (clh,
+                          0,
+                          NULL);
+    return;
+  }
+  clh->lookup = GNS_resolver_lookup (&zone,
+                                     ntohl (sh_msg->type),
+                                     name,
+                                     (enum GNUNET_GNS_LocalOptions) ntohs (
+                                       sh_msg->options),
+                                     ntohs (sh_msg->recursion_depth_limit),
+                                     &send_lookup_response, clh);
+  GNUNET_STATISTICS_update (statistics,
+                            "Lookup attempts",
+                            1, GNUNET_NO);
+}
+
+
+/**
+ * Reads the configuration and populates TLDs
+ *
+ * @param cls unused
+ * @param section name of section in config, always "gns"
+ * @param option name of the option, TLDs start with "."
+ * @param value value for the option, public key for TLDs
+ */
+static void
+read_service_conf (void *cls,
+                   const char *section,
+                   const char *option,
+                   const char *value)
+{
+  struct GNUNET_CRYPTO_PublicKey pk;
+  struct GNS_TopLevelDomain *tld;
+
+  (void) cls;
+  (void) section;
+  if (option[0] != '.')
+    return;
+  if (GNUNET_OK !=
+      GNUNET_STRINGS_string_to_data (value,
+                                     strlen (value),
+                                     &pk,
+                                     sizeof(pk)))
+  {
+    GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_ERROR,
+                               section,
+                               option,
+                               _ (
+                                 "Properly base32-encoded public key required"));
+    return;
+  }
+  tld = GNUNET_new (struct GNS_TopLevelDomain);
+  tld->tld = GNUNET_strdup (&option[1]);
+  tld->pkey = pk;
+  GNUNET_CONTAINER_DLL_insert (tld_head,
+                               tld_tail,
+                               tld);
+}
+
+
+/**
+ * Process GNS requests.
+ *
+ * @param cls closure
+ * @param server the initialized server
+ * @param c configuration to use
+ */
+static void
+run (void *cls,
+     const struct GNUNET_CONFIGURATION_Handle *c,
+     struct GNUNET_SERVICE_Handle *service)
+{
+  unsigned long long max_parallel_bg_queries = 16;
+
+  GNUNET_CONFIGURATION_iterate_section_values (c,
+                                               "gns",
+                                               &read_service_conf,
+                                               NULL);
+  v6_enabled = GNUNET_NETWORK_test_pf (PF_INET6);
+  v4_enabled = GNUNET_NETWORK_test_pf (PF_INET);
+  namecache_handle = GNUNET_NAMECACHE_connect (c);
+  if (NULL == namecache_handle)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                _ ("Failed to connect to the namecache!\n"));
+    GNUNET_SCHEDULER_shutdown ();
+    return;
+  }
+  if (GNUNET_OK ==
+      GNUNET_CONFIGURATION_get_value_number (c,
+                                             "gns",
+                                             "MAX_PARALLEL_BACKGROUND_QUERIES",
+                                             &max_parallel_bg_queries))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Number of allowed parallel background queries: %llu\n",
+                max_parallel_bg_queries);
+  }
+  dht_handle = GNUNET_DHT_connect (c,
+                                   (unsigned int) max_parallel_bg_queries);
+  if (NULL == dht_handle)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                _ ("Could not connect to DHT!\n"));
+    GNUNET_SCHEDULER_add_now (&shutdown_task,
+                              NULL);
+    return;
+  }
+  GNS_resolver_init (namecache_handle,
+                     dht_handle,
+                     c,
+                     max_parallel_bg_queries);
+  if ((GNUNET_YES ==
+       GNUNET_CONFIGURATION_get_value_yesno (c,
+                                             "gns",
+                                             "INTERCEPT_DNS")) &&
+      (GNUNET_SYSERR ==
+       GNS_interceptor_init (c)))
+  {
+    GNUNET_break (0);
+    GNUNET_SCHEDULER_add_now (&shutdown_task,
+                              NULL);
+    return;
+  }
+  statistics = GNUNET_STATISTICS_create ("gns",
+                                         c);
+  GNUNET_SCHEDULER_add_shutdown (&shutdown_task,
+                                 NULL);
+}
+
+
+/**
+ * Define "main" method using service macro.
+ */
+GNUNET_SERVICE_MAIN
+  ("gns",
+  GNUNET_SERVICE_OPTION_NONE,
+  &run,
+  &client_connect_cb,
+  &client_disconnect_cb,
+  NULL,
+  GNUNET_MQ_hd_var_size (lookup,
+                         GNUNET_MESSAGE_TYPE_GNS_LOOKUP,
+                         struct LookupMessage,
+                         NULL),
+  GNUNET_MQ_handler_end ());
+
+
+/* end of gnunet-service-gns.c */
diff --git a/src/service/gns/gnunet-service-gns.h b/src/service/gns/gnunet-service-gns.h
new file mode 100644
index 000000000..13e28349c
--- /dev/null
+++ b/src/service/gns/gnunet-service-gns.h
@@ -0,0 +1,54 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2018 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file gns/gnunet-service-gns.h
+ * @brief GNU Name System (main service)
+ * @author Martin Schanzenbach
+ * @author Christian Grothoff
+ */
+#ifndef GNUNET_SERVICE_GNS_H
+#define GNUNET_SERVICE_GNS_H
+
+#include "gnunet_identity_service.h"
+
+/**
+ * Find GNS zone belonging to TLD @a tld.
+ *
+ * @param tld_str top-level domain to look up
+ * @param[out] pkey public key to set
+ * @return #GNUNET_YES if @a tld was found #GNUNET_NO if not
+ */
+int
+GNS_find_tld (const char *tld_str,
+              struct GNUNET_CRYPTO_PublicKey *pkey);
+
+
+/**
+ * Obtain the TLD of the given @a name.
+ *
+ * @param name a name
+ * @return the part of @a name after the last ".",
+ *         or @a name if @a name does not contain a "."
+ */
+const char *
+GNS_get_tld (const char *name);
+
+
+#endif
diff --git a/src/service/gns/gnunet-service-gns_interceptor.c b/src/service/gns/gnunet-service-gns_interceptor.c
new file mode 100644
index 000000000..ecd1b5475
--- /dev/null
+++ b/src/service/gns/gnunet-service-gns_interceptor.c
@@ -0,0 +1,430 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2009-2013 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file gns/gnunet-service-gns_interceptor.c
+ * @brief GNUnet GNS interceptor logic
+ * @author Martin Schanzenbach
+ * @author Christian Grothoff
+ */
+#include "platform.h"
+#include "gnunet_util_lib.h"
+#include "gnunet_dns_service.h"
+#include "gnunet-service-gns.h"
+#include "gnunet-service-gns_resolver.h"
+#include "gnunet-service-gns_interceptor.h"
+#include "gns.h"
+
+
+/**
+ * How deep do we allow recursions to go before we abort?
+ */
+#define MAX_RECURSION 256
+
+
+/**
+ * Handle to a DNS intercepted
+ * reslution request
+ */
+struct InterceptLookupHandle
+{
+  /**
+   * We keep these in a DLL.
+   */
+  struct InterceptLookupHandle *next;
+
+  /**
+   * We keep these in a DLL.
+   */
+  struct InterceptLookupHandle *prev;
+
+  /**
+   * the request handle to reply to
+   */
+  struct GNUNET_DNS_RequestHandle *request_handle;
+
+  /**
+   * the dns parser packet received
+   */
+  struct GNUNET_DNSPARSER_Packet *packet;
+
+  /**
+   * Handle for the lookup operation.
+   */
+  struct GNS_ResolverHandle *lookup;
+};
+
+
+/**
+ * Our handle to the DNS handler library
+ */
+static struct GNUNET_DNS_Handle *dns_handle;
+
+/**
+ * Head of the DLL.
+ */
+static struct InterceptLookupHandle *ilh_head;
+
+/**
+ * Tail of the DLL.
+ */
+static struct InterceptLookupHandle *ilh_tail;
+
+
+/**
+ * Reply to dns request with the result from our lookup.
+ *
+ * @param cls the closure to the request (an InterceptLookupHandle)
+ * @param rd_count the number of records to return
+ * @param rd the record data
+ */
+static void
+reply_to_dns (void *cls, uint32_t rd_count,
+              const struct GNUNET_GNSRECORD_Data *rd)
+{
+  struct InterceptLookupHandle *ilh = cls;
+  struct GNUNET_DNSPARSER_Packet *packet = ilh->packet;
+  struct GNUNET_DNSPARSER_Query *query = &packet->queries[0];
+  uint32_t i;
+  size_t len;
+  int ret;
+  char *buf;
+  unsigned int num_answers;
+  unsigned int skip_answers;
+  unsigned int skip_additional;
+  size_t off = 0;
+
+  /* Put records in the DNS packet */
+  num_answers = 0;
+  for (i = 0; i < rd_count; i++)
+    if (rd[i].record_type == query->type)
+      num_answers++;
+  skip_answers = 0;
+  skip_additional = 0;
+
+  {
+    struct GNUNET_DNSPARSER_Record answer_records[num_answers];
+    struct GNUNET_DNSPARSER_Record additional_records[rd_count - num_answers];
+
+    packet->answers = answer_records;
+    packet->additional_records = additional_records;
+    /* FIXME: need to handle #GNUNET_GNSRECORD_RF_SHADOW_RECORD option
+       (by ignoring records where this flag is set if there is any
+       other record of that type in the result set) */
+    for (i = 0; i < rd_count; i++)
+    {
+      if (rd[i].record_type == query->type)
+      {
+        answer_records[i - skip_answers].name = query->name;
+        answer_records[i - skip_answers].type = rd[i].record_type;
+        switch (rd[i].record_type)
+        {
+        case GNUNET_DNSPARSER_TYPE_NS:
+        case GNUNET_DNSPARSER_TYPE_CNAME:
+        case GNUNET_DNSPARSER_TYPE_PTR:
+          answer_records[i - skip_answers].data.hostname
+            = GNUNET_DNSPARSER_parse_name (rd[i].data,
+                                           rd[i].data_size,
+                                           &off);
+          if ((off != rd[i].data_size) ||
+              (NULL == answer_records[i].data.hostname))
+          {
+            GNUNET_break_op (0);
+            skip_answers++;
+          }
+          break;
+
+        case GNUNET_DNSPARSER_TYPE_SOA:
+          answer_records[i - skip_answers].data.soa
+            = GNUNET_DNSPARSER_parse_soa (rd[i].data,
+                                          rd[i].data_size,
+                                          &off);
+          if ((off != rd[i].data_size) ||
+              (NULL == answer_records[i].data.soa))
+          {
+            GNUNET_break_op (0);
+            skip_answers++;
+          }
+          break;
+
+        case GNUNET_DNSPARSER_TYPE_SRV:
+          /* FIXME: SRV is not yet supported */
+          skip_answers++;
+          break;
+
+        case GNUNET_DNSPARSER_TYPE_URI:
+          /* FIXME: URI is not yet supported */
+          skip_answers++;
+          break;
+
+        case GNUNET_DNSPARSER_TYPE_MX:
+          answer_records[i - skip_answers].data.mx
+            = GNUNET_DNSPARSER_parse_mx (rd[i].data,
+                                         rd[i].data_size,
+                                         &off);
+          if ((off != rd[i].data_size) ||
+              (NULL == answer_records[i].data.hostname))
+          {
+            GNUNET_break_op (0);
+            skip_answers++;
+          }
+          break;
+
+        default:
+          answer_records[i - skip_answers].data.raw.data_len = rd[i].data_size;
+          answer_records[i - skip_answers].data.raw.data = (char *) rd[i].data;
+          break;
+        }
+        GNUNET_break (0 == (rd[i - skip_answers].flags
+                            & GNUNET_GNSRECORD_RF_RELATIVE_EXPIRATION));
+        answer_records[i - skip_answers].expiration_time.abs_value_us =
+          rd[i].expiration_time;
+        answer_records[i - skip_answers].dns_traffic_class =
+          GNUNET_TUN_DNS_CLASS_INTERNET;
+      }
+      else
+      {
+        additional_records[i - skip_additional].name = query->name;
+        additional_records[i - skip_additional].type = rd[i].record_type;
+        switch (rd[i].record_type)
+        {
+        case GNUNET_DNSPARSER_TYPE_NS:
+        case GNUNET_DNSPARSER_TYPE_CNAME:
+        case GNUNET_DNSPARSER_TYPE_PTR:
+          additional_records[i - skip_additional].data.hostname
+            = GNUNET_DNSPARSER_parse_name (rd[i].data,
+                                           rd[i].data_size,
+                                           &off);
+          if ((off != rd[i].data_size) ||
+              (NULL == additional_records[i].data.hostname))
+          {
+            GNUNET_break_op (0);
+            skip_additional++;
+          }
+          break;
+
+        case GNUNET_DNSPARSER_TYPE_SOA:
+          additional_records[i - skip_additional].data.soa
+            = GNUNET_DNSPARSER_parse_soa (rd[i].data,
+                                          rd[i].data_size,
+                                          &off);
+          if ((off != rd[i].data_size) ||
+              (NULL == additional_records[i].data.hostname))
+          {
+            GNUNET_break_op (0);
+            skip_additional++;
+          }
+          break;
+
+        case GNUNET_DNSPARSER_TYPE_MX:
+          additional_records[i - skip_additional].data.mx
+            = GNUNET_DNSPARSER_parse_mx (rd[i].data,
+                                         rd[i].data_size,
+                                         &off);
+          if ((off != rd[i].data_size) ||
+              (NULL == additional_records[i].data.hostname))
+          {
+            GNUNET_break_op (0);
+            skip_additional++;
+          }
+          break;
+
+        case GNUNET_DNSPARSER_TYPE_SRV:
+          /* FIXME: SRV is not yet supported */
+          skip_answers++;
+          break;
+
+        case GNUNET_DNSPARSER_TYPE_URI:
+          additional_records[i - skip_additional].data.uri
+            = GNUNET_DNSPARSER_parse_uri (rd[i].data,
+                                           rd[i].data_size,
+                                           &off);
+          if ((off != rd[i].data_size) ||
+              (NULL == additional_records[i].data.uri))
+          {
+            GNUNET_break_op (0);
+            skip_additional++;
+          }
+          break;
+
+        default:
+          additional_records[i - skip_additional].data.raw.data_len =
+            rd[i].data_size;
+          additional_records[i - skip_additional].data.raw.data =
+            (char *) rd[i].data;
+          break;
+        }
+        GNUNET_break (0 == (rd[i - skip_additional].flags
+                            & GNUNET_GNSRECORD_RF_RELATIVE_EXPIRATION));
+        additional_records[i - skip_additional].expiration_time.abs_value_us =
+          rd[i].expiration_time;
+        additional_records[i - skip_additional].dns_traffic_class =
+          GNUNET_TUN_DNS_CLASS_INTERNET;
+      }
+    }
+    packet->num_answers = num_answers - skip_answers;
+    packet->num_additional_records = rd_count - num_answers - skip_additional;
+    packet->flags.authoritative_answer = 1;
+    if (NULL == rd)
+      packet->flags.return_code = GNUNET_TUN_DNS_RETURN_CODE_NAME_ERROR;
+    else
+      packet->flags.return_code = GNUNET_TUN_DNS_RETURN_CODE_NO_ERROR;
+    packet->flags.query_or_response = 1;
+    ret = GNUNET_DNSPARSER_pack (packet,
+                                 1024, /* maximum allowed size for DNS reply */
+                                 &buf,
+                                 &len);
+    if (GNUNET_OK != ret)
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                  _ ("Error converting GNS response to DNS response!\n"));
+      if (GNUNET_NO == ret)
+        GNUNET_free (buf);
+    }
+    else
+    {
+      GNUNET_DNS_request_answer (ilh->request_handle,
+                                 len,
+                                 buf);
+      GNUNET_free (buf);
+    }
+    packet->num_answers = 0;
+    packet->answers = NULL;
+    packet->num_additional_records = 0;
+    packet->additional_records = NULL;
+    GNUNET_DNSPARSER_free_packet (packet);
+  }
+  GNUNET_CONTAINER_DLL_remove (ilh_head, ilh_tail, ilh);
+  GNUNET_free (ilh);
+}
+
+
+/**
+ * The DNS request handler.  Called for every incoming DNS request.
+ *
+ * @param cls closure, unused
+ * @param rh request handle to user for reply
+ * @param request_length number of bytes in @a request
+ * @param request UDP payload of the DNS request
+ */
+static void
+handle_dns_request (void *cls,
+                    struct GNUNET_DNS_RequestHandle *rh,
+                    size_t request_length,
+                    const char *request)
+{
+  struct GNUNET_DNSPARSER_Packet *p;
+  struct InterceptLookupHandle *ilh;
+  struct GNUNET_CRYPTO_PublicKey zone;
+
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Hijacked a DNS request. Processing.\n");
+  if (NULL == (p = GNUNET_DNSPARSER_parse (request, request_length)))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                "Received malformed DNS packet, leaving it untouched.\n");
+    GNUNET_DNS_request_forward (rh);
+    return;
+  }
+
+  /* Check TLD and decide if we or legacy dns is responsible */
+  if (1 != p->num_queries)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Not exactly one query in DNS packet. Forwarding untouched.\n");
+    GNUNET_DNS_request_forward (rh);
+    GNUNET_DNSPARSER_free_packet (p);
+    return;
+  }
+
+  /* Check for GNS TLDs. */
+  if (GNUNET_YES ==
+      GNS_find_tld (GNS_get_tld (p->queries[0].name),
+                    &zone))
+  {
+    /* Start resolution in GNS */
+    ilh = GNUNET_new (struct InterceptLookupHandle);
+    GNUNET_CONTAINER_DLL_insert (ilh_head,
+                                 ilh_tail,
+                                 ilh);
+    ilh->packet = p;
+    ilh->request_handle = rh;
+    ilh->lookup = GNS_resolver_lookup (&zone,
+                                       p->queries[0].type,
+                                       p->queries[0].name,
+                                       GNUNET_GNS_LO_DEFAULT,
+                                       MAX_RECURSION,
+                                       &reply_to_dns, ilh);
+    return;
+  }
+  /* This request does not concern us. Forward to real DNS. */
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Request for `%s' is forwarded to DNS untouched.\n",
+              p->queries[0].name);
+  GNUNET_DNS_request_forward (rh);
+  GNUNET_DNSPARSER_free_packet (p);
+}
+
+
+int
+GNS_interceptor_init (const struct GNUNET_CONFIGURATION_Handle *c)
+{
+  GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+              "DNS hijacking enabled. Connecting to DNS service.\n");
+  dns_handle = GNUNET_DNS_connect (c,
+                                   GNUNET_DNS_FLAG_PRE_RESOLUTION,
+                                   &handle_dns_request,
+                                   NULL);
+  if (NULL == dns_handle)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                _ ("Failed to connect to the DNS service!\n"));
+    return GNUNET_SYSERR;
+  }
+  return GNUNET_YES;
+}
+
+
+/**
+ * Disconnect from interceptor
+ */
+void
+GNS_interceptor_done ()
+{
+  struct InterceptLookupHandle *ilh;
+
+  while (NULL != (ilh = ilh_head))
+  {
+    GNUNET_CONTAINER_DLL_remove (ilh_head,
+                                 ilh_tail,
+                                 ilh);
+    GNS_resolver_lookup_cancel (ilh->lookup);
+    GNUNET_DNS_request_drop (ilh->request_handle);
+    GNUNET_DNSPARSER_free_packet (ilh->packet);
+    GNUNET_free (ilh);
+  }
+  if (NULL != dns_handle)
+  {
+    GNUNET_DNS_disconnect (dns_handle);
+    dns_handle = NULL;
+  }
+}
+
+
+/* end of gnunet-service-gns_interceptor.c */
diff --git a/src/service/gns/gnunet-service-gns_interceptor.h b/src/service/gns/gnunet-service-gns_interceptor.h
new file mode 100644
index 000000000..7f9733c2a
--- /dev/null
+++ b/src/service/gns/gnunet-service-gns_interceptor.h
@@ -0,0 +1,46 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2009, 2010, 2011, 2012 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file gns/gnunet-service-gns_interceptor.h
+ * @brief GNUnet GNS service
+ * @author Martin Schanzenbach
+ */
+#ifndef GNUNET_GNS_INTERCEPTOR_H
+#define GNUNET_GNS_INTERCEPTOR_H
+
+#include "gnunet_util_lib.h"
+
+
+/**
+ * Initialize DNS interceptor
+ *
+ * @param c the configuration
+ * @return #GNUNET_YES on success #GNUNET_SYSERR on error
+ */
+int
+GNS_interceptor_init (const struct GNUNET_CONFIGURATION_Handle *c);
+
+/**
+ * Stops the interceptor
+ */
+void
+GNS_interceptor_done (void);
+
+#endif
diff --git a/src/service/gns/gnunet-service-gns_resolver.c b/src/service/gns/gnunet-service-gns_resolver.c
new file mode 100644
index 000000000..b14500ab7
--- /dev/null
+++ b/src/service/gns/gnunet-service-gns_resolver.c
@@ -0,0 +1,3173 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2011-2013 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @file gns/gnunet-service-gns_resolver.c
+ * @brief GNU Name System resolver logic
+ * @author Martin Schanzenbach
+ * @author Christian Grothoff
+ */
+#include "platform.h"
+#if HAVE_LIBIDN2
+#if HAVE_IDN2_H
+#include <idn2.h>
+#elif HAVE_IDN2_IDN2_H
+#include <idn2/idn2.h>
+#endif
+#elif HAVE_LIBIDN
+#if HAVE_IDNA_H
+#include <idna.h>
+#elif HAVE_IDN_IDNA_H
+#include <idn/idna.h>
+#endif
+#endif
+#include "gnunet_util_lib.h"
+#include "gnunet_dht_service.h"
+#include "gnunet_gnsrecord_lib.h"
+#include "gnunet_namecache_service.h"
+#include "gnunet_dns_service.h"
+#include "gnunet_resolver_service.h"
+#include "gnunet_revocation_service.h"
+#include "gnunet_gns_service.h"
+#include "gns.h"
+#include "gnunet-service-gns.h"
+#include "gnunet-service-gns_resolver.h"
+#include "gnu_name_system_protocols.h"
+#include "gnu_name_system_service_ports.h"
+
+
+/**
+ * Default DHT timeout for lookups.
+ */
+#define DHT_LOOKUP_TIMEOUT GNUNET_TIME_relative_multiply ( \
+    GNUNET_TIME_UNIT_SECONDS, 60)
+
+/**
+ * Default timeout for DNS lookups.
+ */
+#define DNS_LOOKUP_TIMEOUT GNUNET_TIME_relative_multiply ( \
+    GNUNET_TIME_UNIT_SECONDS, 15)
+
+/**
+ * DHT replication level
+ */
+#define DHT_GNS_REPLICATION_LEVEL 10
+
+
+/**
+ * DLL to hold the authority chain we had to pass in the resolution
+ * process.
+ */
+struct AuthorityChain;
+
+
+/**
+ * Element of a resolution process for looking up the
+ * responsible DNS server hostname in a GNS2DNS recursive
+ * resolution.
+ */
+struct Gns2DnsPending
+{
+  /**
+   * Kept in a DLL.
+   */
+  struct Gns2DnsPending *next;
+
+  /**
+   * Kept in a DLL.
+   */
+  struct Gns2DnsPending *prev;
+
+  /**
+   * Context this activity belongs with.
+   */
+  struct AuthorityChain *ac;
+
+  /**
+   * Handle for the resolution of the IP part of the
+   * GNS2DNS record.  Will return to us the addresses
+   * of the DNS resolver to use.
+   */
+  struct GNS_ResolverHandle *rh;
+
+  /**
+   * Handle for DNS resolution of the DNS nameserver.
+   */
+  struct GNUNET_RESOLVER_RequestHandle *dns_rh;
+
+  /**
+   * How many results did we get?
+   */
+  unsigned int num_results;
+};
+
+
+/**
+ * Handle to a currently pending resolution.  On result (positive or
+ * negative) the #GNS_ResultProcessor is called.
+ */
+struct GNS_ResolverHandle;
+
+
+/**
+ * DLL to hold the authority chain we had to pass in the resolution
+ * process.
+ */
+struct AuthorityChain
+{
+  /**
+   * This is a DLL.
+   */
+  struct AuthorityChain *prev;
+
+  /**
+   * This is a DLL.
+   */
+  struct AuthorityChain *next;
+
+  /**
+   * Resolver handle this entry in the chain belongs to.
+   */
+  struct GNS_ResolverHandle *rh;
+
+  /**
+   * label/name corresponding to the authority
+   */
+  char *label;
+
+  /**
+   * #GNUNET_YES if the authority was a GNS authority,
+   * #GNUNET_NO if the authority was a DNS authority.
+   */
+  int gns_authority;
+
+  /**
+   * Information about the resolver authority for this label.
+   */
+  union
+  {
+    /**
+     * The zone of the GNS authority
+     */
+    struct GNUNET_CRYPTO_PublicKey gns_authority;
+
+    struct
+    {
+      /**
+       * Domain of the DNS resolver that is the authority.
+       * (appended to construct the DNS name to resolve;
+       * this is NOT the DNS name of the DNS server!).
+       */
+      char name[GNUNET_DNSPARSER_MAX_NAME_LENGTH + 1];
+
+      /**
+       * List of resolutions of the 'ip' of the name server that
+       * are still pending.
+       */
+      struct Gns2DnsPending *gp_head;
+
+      /**
+       * Tail of list of resolutions of the 'ip' of the name server that
+       * are still pending.
+       */
+      struct Gns2DnsPending *gp_tail;
+
+      /**
+       * Handle to perform DNS lookups with this authority (in GNS2DNS handling).
+       */
+      struct GNUNET_DNSSTUB_Context *dns_handle;
+
+      /**
+       * Did we succeed in getting an IP address for *any* of the DNS servers listed?
+       * Once we do, we can start with DNS queries.
+       */
+      int found;
+
+      /**
+       * Did we start the recursive resolution via DNS?
+       */
+      int launched;
+    } dns_authority;
+  } authority_info;
+};
+
+
+/**
+ * A result we got from DNS.
+ */
+struct DnsResult
+{
+  /**
+   * Kept in DLL.
+   */
+  struct DnsResult *next;
+
+  /**
+   * Kept in DLL.
+   */
+  struct DnsResult *prev;
+
+  /**
+   * Binary value stored in the DNS record (appended to this struct)
+   */
+  const void *data;
+
+  /**
+   * Expiration time for the DNS record, 0 if we didn't
+   * get anything useful (i.e. 'gethostbyname()' was used).
+   */
+  uint64_t expiration_time;
+
+  /**
+   * Number of bytes in @e data.
+   */
+  size_t data_size;
+
+  /**
+   * Type of the GNS/DNS record.
+   */
+  uint32_t record_type;
+};
+
+
+/**
+ * Handle to a currently pending resolution.  On result (positive or
+ * negative) the #GNS_ResultProcessor is called.
+ */
+struct GNS_ResolverHandle
+{
+  /**
+   * DLL
+   */
+  struct GNS_ResolverHandle *next;
+
+  /**
+   * DLL
+   */
+  struct GNS_ResolverHandle *prev;
+
+  /**
+   * The top-level GNS authoritative zone to query
+   */
+  struct GNUNET_CRYPTO_PublicKey authority_zone;
+
+  /**
+   * called when resolution phase finishes
+   */
+  GNS_ResultProcessor proc;
+
+  /**
+   * closure passed to @e proc
+   */
+  void *proc_cls;
+
+  /**
+   * Handle for DHT lookups. should be NULL if no lookups are in progress
+   */
+  struct GNUNET_DHT_GetHandle *get_handle;
+
+
+  /**
+   * Socket for a DNS request, NULL if none is active.
+   */
+  struct GNUNET_DNSSTUB_RequestSocket *dns_request;
+
+  /**
+   * Handle for standard DNS resolution, NULL if none is active.
+   */
+  struct GNUNET_RESOLVER_RequestHandle *std_resolve;
+
+  /**
+   * Pending Namecache lookup task
+   */
+  struct GNUNET_NAMECACHE_QueueEntry *namecache_qe;
+
+  /**
+   * Pending revocation check.
+   */
+  struct GNUNET_REVOCATION_Query *rev_check;
+
+  /**
+   * Heap node associated with this lookup.  Used to limit number of
+   * concurrent requests.
+   */
+  struct GNUNET_CONTAINER_HeapNode *dht_heap_node;
+
+  /**
+   * DLL to store the authority chain
+   */
+  struct AuthorityChain *ac_head;
+
+  /**
+   * DLL to store the authority chain
+   */
+  struct AuthorityChain *ac_tail;
+
+  /**
+   * ID of a task associated with the resolution process.
+   */
+  struct GNUNET_SCHEDULER_Task *task_id;
+
+  /**
+   * The name to resolve
+   */
+  char *name;
+
+  /**
+   * Legacy Hostname to use if we encountered GNS2DNS record
+   * and thus can deduct the LEHO from that transition.
+   */
+  char *leho;
+
+  /**
+   * DLL of results we got from DNS.
+   */
+  struct DnsResult *dns_result_head;
+
+  /**
+   * DLL of results we got from DNS.
+   */
+  struct DnsResult *dns_result_tail;
+
+  /**
+   * Current offset in @e name where we are resolving.
+   */
+  size_t name_resolution_pos;
+
+  /**
+   * Use only cache
+   */
+  enum GNUNET_GNS_LocalOptions options;
+
+  /**
+   * For SRV and TLSA records, the number of the
+   * protocol specified in the name.  0 if no protocol was given.
+   */
+  int protocol;
+
+  /**
+   * For SRV and TLSA records, the number of the
+   * service specified in the name.  0 if no service was given.
+   */
+  int service;
+
+  /**
+   * For SMIMEA,OPENPGPKEY... records. NULL if no _ prefix was given.
+   */
+  char *prefix;
+
+
+  /**
+   * Desired type for the resolution.
+   */
+  int record_type;
+
+  /**
+   * We increment the loop limiter for each step in a recursive
+   * resolution.  If it passes our @e loop_threshold (e.g. due to
+   * self-recursion in the resolution, i.e CNAME fun), we stop.
+   */
+  unsigned int loop_limiter;
+
+  /**
+   * Maximum value of @e loop_limiter allowed by client.
+   */
+  unsigned int loop_threshold;
+
+  /**
+   * 16 bit random ID we used in the @e dns_request.
+   */
+  uint16_t original_dns_id;
+};
+
+
+/**
+ * Active namestore caching operations.
+ */
+struct CacheOps
+{
+  /**
+   * Organized in a DLL.
+   */
+  struct CacheOps *next;
+
+  /**
+   * Organized in a DLL.
+   */
+  struct CacheOps *prev;
+
+  /**
+   * Pending Namestore caching task.
+   */
+  struct GNUNET_NAMECACHE_QueueEntry *namecache_qe_cache;
+};
+
+
+/**
+ * Our handle to the namecache service
+ */
+static struct GNUNET_NAMECACHE_Handle *namecache_handle;
+
+/**
+ * Resolver handle to the dht
+ */
+static struct GNUNET_DHT_Handle *dht_handle;
+
+/**
+ * Heap for limiting parallel DHT lookups
+ */
+static struct GNUNET_CONTAINER_Heap *dht_lookup_heap;
+
+/**
+ * Maximum amount of parallel queries to the DHT
+ */
+static unsigned long long max_allowed_background_queries;
+
+/**
+ * Head of resolver lookup list
+ */
+static struct GNS_ResolverHandle *rlh_head;
+
+/**
+ * Tail of resolver lookup list
+ */
+static struct GNS_ResolverHandle *rlh_tail;
+
+/**
+ * Organized in a DLL.
+ */
+static struct CacheOps *co_head;
+
+/**
+ * Organized in a DLL.
+ */
+static struct CacheOps *co_tail;
+
+/**
+ * Use namecache
+ */
+static int disable_cache;
+
+/**
+ * Global configuration.
+ */
+static const struct GNUNET_CONFIGURATION_Handle *cfg;
+
+
+/**
+ * Determine if this name is canonical (is a legal name in a zone, without delegation);
+ * note that we do not test that the name does not contain illegal characters, we only
+ * test for delegation.  Note that service records (like _foo._srv) are canonical names
+ * even though they consist of multiple labels.
+ *
+ * Examples:
+ * a.b.gnu   = not canonical
+ * a         = canonical
+ * _foo._srv = canonical
+ * _f.bar    = not canonical
+ *
+ * @param name the name to test
+ * @return #GNUNET_YES if canonical
+ */
+/* dead, but keep for now */ int
+is_canonical (const char *name)
+{
+  const char *pos;
+  const char *dot;
+
+  if (NULL == strchr (name,
+                      (unsigned char) '.'))
+    return GNUNET_YES;
+  if ('_' != name[0])
+    return GNUNET_NO;
+  pos = &name[1];
+  while (NULL != (dot = strchr (pos,
+                                (unsigned char) '.')))
+    if ('_' != dot[1])
+      return GNUNET_NO;
+    else
+      pos = dot + 1;
+  return GNUNET_YES;
+}
+
+
+/* ************************** Resolution **************************** */
+
+/**
+ * Expands a name ending in .+ with the zone of origin.
+ *
+ * @param rh resolution context
+ * @param name name to modify (to be free'd or returned)
+ * @return updated name
+ */
+static char *
+translate_dot_plus (struct GNS_ResolverHandle *rh,
+                    char *name)
+{
+  char *ret;
+  size_t s_len = strlen (name);
+
+  if (0 != strcmp (&name[s_len - 2],
+                   ".+"))
+    return name; /* did not end in ".+" */
+  GNUNET_assert (GNUNET_YES == rh->ac_tail->gns_authority);
+  GNUNET_asprintf (&ret,
+                   "%.*s.%s",
+                   (int) (s_len - 2),
+                   name,
+                   GNUNET_GNSRECORD_pkey_to_zkey (
+                     &rh->ac_tail->authority_info.gns_authority));
+  GNUNET_free (name);
+  return ret;
+}
+
+
+/**
+ * Wrapper around #GNS_resolver_lookup_cancel() as a task.
+ * Used for delayed cleanup so we can unwind the stack first.
+ *
+ * @param cls the `struct GNS_ResolverHandle`
+ */
+static void
+GNS_resolver_lookup_cancel_ (void *cls)
+{
+  struct GNS_ResolverHandle *rh = cls;
+
+  rh->task_id = NULL;
+  GNS_resolver_lookup_cancel (rh);
+}
+
+
+/**
+ * Function called to asynchronously fail a resolution.
+ *
+ * @param rh the resolution to fail
+ */
+static void
+fail_resolution (struct GNS_ResolverHandle *rh)
+{
+  rh->proc (rh->proc_cls,
+            0,
+            NULL);
+  GNUNET_assert (NULL == rh->task_id);
+  rh->task_id = GNUNET_SCHEDULER_add_now (&GNS_resolver_lookup_cancel_,
+                                          rh);
+}
+
+
+/**
+ * Function called when a resolution times out.
+ *
+ * @param cls the `struct GNS_ResolverHandle`
+ */
+static void
+timeout_resolution (void *cls)
+{
+  struct GNS_ResolverHandle *rh = cls;
+
+  rh->task_id = NULL;
+  fail_resolution (rh);
+}
+
+
+/**
+ * Function called to receive the protocol number for a service.
+ *
+ * @param name name of the protocol
+*/
+static int
+resolver_getprotobyname (const char *name)
+{
+  struct protoent *pe = getprotobyname (name);
+  if (pe == NULL)
+  {
+    return GNUNET_GNS_protocol_name_to_number (name);
+  }
+  return pe->p_proto;
+}
+
+
+/**
+ * Function called to receive the port number for a service.
+ *
+ * @param name name of the service
+ * @param proto name of the protocol
+*/
+static int
+resolver_getservbyname (const char *name, const char *proto)
+{
+  struct servent *se = getservbyname (name, proto);
+  if (se == NULL)
+  {
+    return htons (GNUNET_GNS_service_port_name_to_number (name));
+  }
+  return se->s_port;
+}
+
+
+/**
+ * Get the next, rightmost label from the name that we are trying to resolve,
+ * and update the resolution position accordingly.  Labels usually consist
+ * of up to 63 characters without a period ("."); however, we use a special
+ * convention to support resource records where the domain name
+ * includes a label starting with '_'. The syntax (see RFC 8552) here is
+ * "someLabel._Label.Name" and in this special case we include the "someLabel._Label" in the rightmost label.
+ * Thus, for "_443._tcp.foo.bar" we first return the label "bar" and then
+ * the label "_443._tcp.foo".  The special case is detected by the
+ * presence of one label beginning with an underscore.  The rightmost label
+ * beginning with an underscore, is combined with the label to its right
+ * (and the "." is preserved). If the label is in the syntax of
+ * "_PORT._PROTOCOL" (e.g. "_443._tcp") we also extract the port and protocol.
+ * In this implementation, the more specific case is handled first.
+ *
+ * @param rh handle to the resolution operation to get the next label from
+ * @return NULL if there are no more labels
+ */
+static char *
+resolver_lookup_get_next_label (struct GNS_ResolverHandle *rh)
+{
+  const char *rp;
+  const char *dot;
+  size_t len;
+  char *ret;
+  char *srv_name;
+  char *proto_name;
+  int protocol;
+  int service;
+
+  if (0 == rh->name_resolution_pos)
+    return NULL;
+  dot = memrchr (rh->name,
+                 (int) '.',
+                 rh->name_resolution_pos);
+  if (NULL == dot)
+  {
+    /* done, this was the last one */
+    len = rh->name_resolution_pos;
+    rp = rh->name;
+    rh->name_resolution_pos = 0;
+  }
+  else if ('_' == dot[1])
+  {
+    /**
+     * Do not advance a label. This seems to be a name only consisting
+     * of a prefix. Indicating a BOX record (_443,_tcp)
+     * Or some version of an SBOX record (HEX,_smimeacert)
+     * Which means, it is a BOX/SBOX under the empty label.
+     * leaving name_resolution_pos as is and returning empty label.
+     */
+    rp = GNUNET_GNS_EMPTY_LABEL_AT;
+    len = strlen (GNUNET_GNS_EMPTY_LABEL_AT);
+  }
+  else
+  {
+    /* advance by one label */
+    len = rh->name_resolution_pos - (dot - rh->name) - 1;
+    rp = dot + 1;
+    rh->name_resolution_pos = dot - rh->name;
+  }
+  rh->protocol = 0;
+  rh->service = 0;
+  rh->prefix = NULL;
+  ret = GNUNET_strndup (rp, len);
+  /** If we have labels starting with underscore with label on
+   * the right (SRV/DANE/BOX case), determine port/protocol;
+   * The format of `rh->name` must be "_PORT._PROTOCOL".
+   */
+  if (('_' == rh->name[0]) &&
+      (NULL != (dot = memrchr (rh->name,
+                               (int) '.',
+                               rh->name_resolution_pos))) &&
+      ('_' == dot[1]) &&
+      (NULL == memrchr (rh->name,
+                        (int) '.',
+                        dot - rh->name)))
+  {
+    srv_name = GNUNET_strndup (&rh->name[1],
+                               (dot - rh->name) - 1);
+    proto_name = GNUNET_strndup (&dot[2],
+                                 rh->name_resolution_pos - (dot - rh->name)
+                                 - 2);
+    protocol = resolver_getprotobyname (proto_name);
+    if (0 == protocol)
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                  _ (
+                    "Protocol `%s' unknown, skipping labels as BOX retain as SBOX.\n"),
+                  proto_name);
+      GNUNET_free (proto_name);
+      GNUNET_free (srv_name);
+      rh->prefix = GNUNET_strndup (rh->name, rh->name_resolution_pos);
+      rh->name_resolution_pos = 0;
+      return ret;
+    }
+    service = resolver_getservbyname (srv_name,
+                                      proto_name);
+    if (0 == service)
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                  _ (
+                    "Service `%s' unknown for protocol `%s', trying as number.\n"),
+                  srv_name,
+                  proto_name);
+      if (1 != sscanf (srv_name, "%u", &rh->service))
+      {
+        GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                    _ (
+                      "Service `%s' not a port, skipping service labels as BOX retain as SBOX.\n"),
+                    srv_name);
+        GNUNET_free (proto_name);
+        GNUNET_free (srv_name);
+        rh->prefix = GNUNET_strndup (rh->name, rh->name_resolution_pos);
+        rh->name_resolution_pos = 0;
+        return ret;
+      }
+    }
+    else
+    {
+      rh->service = ntohs (service);
+    }
+    rh->protocol = protocol;
+    GNUNET_free (proto_name);
+    GNUNET_free (srv_name);
+  }
+  /**
+  * If we have labels starting with underscore with label on
+  * the right, copy prefix to rh->prefix;
+  * The format of `rh->name` must be "*._label" or "_label",
+  * where label is a string without '.'
+  */
+  if ((NULL != (dot = memrchr (rh->name,
+                               (int) '.',
+                               rh->name_resolution_pos)) && '_' == dot[1]) ||
+      ((NULL == memrchr (rh->name,
+                         (int) '.',
+                         rh->name_resolution_pos)) && '_' == rh->name[0]))
+  {
+    rh->prefix = GNUNET_strndup (rh->name, rh->name_resolution_pos);
+    rh->name_resolution_pos = 0;
+  }
+  return ret;
+}
+
+
+/**
+ * Gives the cumulative result obtained to the callback and clean up the request.
+ *
+ * @param rh resolution process that has culminated in a result
+ */
+static void
+transmit_lookup_dns_result (struct GNS_ResolverHandle *rh)
+{
+  struct DnsResult *pos;
+  unsigned int n;
+  unsigned int i;
+
+  n = 0;
+  for (pos = rh->dns_result_head; NULL != pos; pos = pos->next)
+    n++;
+  {
+    struct GNUNET_GNSRECORD_Data rd[n];
+
+    i = 0;
+    for (pos = rh->dns_result_head; NULL != pos; pos = pos->next)
+    {
+      rd[i].data = pos->data;
+      rd[i].data_size = pos->data_size;
+      rd[i].record_type = pos->record_type;
+      rd[i].flags = GNUNET_GNSRECORD_RF_NONE;
+      /**
+       * If this is a LEHO, we added this before. It must be a supplemental
+       * record #LSD0001
+       */
+      if (GNUNET_GNSRECORD_TYPE_LEHO == rd[i].record_type)
+        rd[i].flags |= GNUNET_GNSRECORD_RF_SUPPLEMENTAL;
+      if (0 == pos->expiration_time)
+      {
+        rd[i].flags |= GNUNET_GNSRECORD_RF_RELATIVE_EXPIRATION;
+        rd[i].expiration_time = 0;
+      }
+      else
+      {
+        rd[i].expiration_time = pos->expiration_time;
+      }
+      i++;
+    }
+    GNUNET_assert (i == n);
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Transmitting standard DNS result with %u records\n",
+                n);
+    rh->proc (rh->proc_cls,
+              n,
+              rd);
+  }
+  GNS_resolver_lookup_cancel (rh);
+}
+
+
+/**
+ * Add a result from DNS to the records to be returned to the application.
+ *
+ * @param rh resolution request to extend with a result
+ * @param expiration_time expiration time for the answer
+ * @param record_type DNS record type of the answer
+ * @param data_size number of bytes in @a data
+ * @param data binary data to return in DNS record
+ */
+static void
+add_dns_result (struct GNS_ResolverHandle *rh,
+                uint64_t expiration_time,
+                uint32_t record_type,
+                size_t data_size,
+                const void *data)
+{
+  struct DnsResult *res;
+
+  res = GNUNET_malloc (sizeof(struct DnsResult) + data_size);
+  res->expiration_time = expiration_time;
+  res->data_size = data_size;
+  res->record_type = record_type;
+  res->data = &res[1];
+  GNUNET_memcpy (&res[1],
+                 data,
+                 data_size);
+  GNUNET_CONTAINER_DLL_insert (rh->dns_result_head,
+                               rh->dns_result_tail,
+                               res);
+}
+
+
+/**
+ * We had to do a DNS lookup.  Convert the result (if any) and return
+ * it.
+ *
+ * @param cls closure with the `struct GNS_ResolverHandle`
+ * @param addr one of the addresses of the host, NULL for the last address
+ * @param addrlen length of the address
+ */
+static void
+handle_dns_result (void *cls,
+                   const struct sockaddr *addr,
+                   socklen_t addrlen)
+{
+  struct GNS_ResolverHandle *rh = cls;
+  const struct sockaddr_in *sa4;
+  const struct sockaddr_in6 *sa6;
+
+  if (NULL == addr)
+  {
+    rh->std_resolve = NULL;
+    transmit_lookup_dns_result (rh);
+    return;
+  }
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Received %u bytes of DNS IP data\n",
+              addrlen);
+  switch (addr->sa_family)
+  {
+  case AF_INET:
+    sa4 = (const struct sockaddr_in *) addr;
+    add_dns_result (rh,
+                    0 /* expiration time is unknown */,
+                    GNUNET_DNSPARSER_TYPE_A,
+                    sizeof(struct in_addr),
+                    &sa4->sin_addr);
+    break;
+
+  case AF_INET6:
+    sa6 = (const struct sockaddr_in6 *) addr;
+    add_dns_result (rh,
+                    0 /* expiration time is unknown */,
+                    GNUNET_DNSPARSER_TYPE_AAAA,
+                    sizeof(struct in6_addr),
+                    &sa6->sin6_addr);
+    break;
+
+  default:
+    GNUNET_break (0);
+    break;
+  }
+}
+
+
+/**
+ * Task scheduled to continue with the resolution process.
+ *
+ * @param cls the 'struct GNS_ResolverHandle' of the resolution
+ */
+static void
+recursive_resolution (void *cls);
+
+
+/**
+ * Begin the resolution process from 'name', starting with
+ * the identification of the zone specified by 'name'.
+ *
+ * @param cls closure with `struct GNS_ResolverHandle *rh`
+ */
+static void
+start_resolver_lookup (void *cls);
+
+
+/**
+ * Function called with the result of a DNS resolution.
+ *
+ * @param cls the request handle of the resolution that
+ *        we were attempting to make
+ * @param dns dns response, never NULL
+ * @param dns_len number of bytes in @a dns
+ */
+static void
+dns_result_parser (void *cls,
+                   const struct GNUNET_TUN_DnsHeader *dns,
+                   size_t dns_len)
+{
+  struct GNS_ResolverHandle *rh = cls;
+  struct GNUNET_DNSPARSER_Packet *p;
+  const struct GNUNET_DNSPARSER_Record *rec;
+  unsigned int rd_count;
+
+  if (NULL == dns)
+  {
+    rh->dns_request = NULL;
+    GNUNET_SCHEDULER_cancel (rh->task_id);
+    rh->task_id = NULL;
+    fail_resolution (rh);
+    return;
+  }
+  if (rh->original_dns_id != dns->id)
+  {
+    /* DNS answer, but for another query */
+    return;
+  }
+  p = GNUNET_DNSPARSER_parse ((const char *) dns,
+                              dns_len);
+  if (NULL == p)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                _ ("Failed to parse DNS response\n"));
+    return;
+  }
+
+  /* We got a result from DNS */
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Received DNS response for `%s' with %u answers\n",
+              rh->ac_tail->label,
+              (unsigned int) p->num_answers);
+  if ((p->num_answers > 0) &&
+      (GNUNET_DNSPARSER_TYPE_CNAME == p->answers[0].type) &&
+      (GNUNET_DNSPARSER_TYPE_CNAME != rh->record_type))
+  {
+    int af;
+
+    GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+                "Got CNAME `%s' from DNS for `%s'\n",
+                p->answers[0].data.hostname,
+                rh->name);
+    if (NULL != rh->std_resolve)
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                  "Multiple CNAME results from DNS resolving `%s'! Not really allowed...\n",
+                  rh->name);
+      GNUNET_RESOLVER_request_cancel (rh->std_resolve);
+    }
+    GNUNET_free (rh->name);
+    rh->name = GNUNET_strdup (p->answers[0].data.hostname);
+    rh->name_resolution_pos = strlen (rh->name);
+    switch (rh->record_type)
+    {
+    case GNUNET_DNSPARSER_TYPE_A:
+      af = AF_INET;
+      break;
+
+    case GNUNET_DNSPARSER_TYPE_AAAA:
+      af = AF_INET6;
+      break;
+
+    default:
+      af = AF_UNSPEC;
+      break;
+    }
+    if (NULL != rh->leho)
+      add_dns_result (rh,
+                      GNUNET_TIME_UNIT_HOURS.rel_value_us,
+                      GNUNET_GNSRECORD_TYPE_LEHO,
+                      strlen (rh->leho),
+                      rh->leho);
+    rh->std_resolve = GNUNET_RESOLVER_ip_get (rh->name,
+                                              af,
+                                              DNS_LOOKUP_TIMEOUT,
+                                              &handle_dns_result,
+                                              rh);
+    GNUNET_DNSPARSER_free_packet (p);
+    GNUNET_DNSSTUB_resolve_cancel (rh->dns_request);
+    rh->dns_request = NULL;
+    return;
+  }
+
+  /* convert from (parsed) DNS to (binary) GNS format! */
+  rd_count = p->num_answers + p->num_authority_records
+             + p->num_additional_records;
+  {
+    struct GNUNET_GNSRECORD_Data rd[rd_count + 1]; /* +1 for LEHO */
+    int skip;
+    char buf[UINT16_MAX];
+    size_t buf_off;
+    size_t buf_start;
+
+    buf_off = 0;
+    skip = 0;
+    memset (rd,
+            0,
+            sizeof(rd));
+    for (unsigned int i = 0; i < rd_count; i++)
+    {
+      if (i < p->num_answers)
+        rec = &p->answers[i];
+      else if (i < p->num_answers + p->num_authority_records)
+        rec = &p->authority_records[i - p->num_answers];
+      else
+        rec = &p->additional_records[i - p->num_answers
+                                     - p->num_authority_records];
+      /* As we copied the full DNS name to 'rh->ac_tail->label', this
+         should be the correct check to see if this record is actually
+         a record for our label... */
+      if (0 != strcmp (rec->name,
+                       rh->ac_tail->label))
+      {
+        GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                    "Dropping record `%s', does not match desired name `%s'\n",
+                    rec->name,
+                    rh->ac_tail->label);
+        skip++;
+        continue;
+      }
+      rd[i - skip].record_type = rec->type;
+      rd[i - skip].expiration_time = rec->expiration_time.abs_value_us;
+      switch (rec->type)
+      {
+      case GNUNET_DNSPARSER_TYPE_A:
+        if (rec->data.raw.data_len != sizeof(struct in_addr))
+        {
+          GNUNET_break_op (0);
+          skip++;
+          continue;
+        }
+        rd[i - skip].data_size = rec->data.raw.data_len;
+        rd[i - skip].data = rec->data.raw.data;
+        break;
+
+      case GNUNET_DNSPARSER_TYPE_AAAA:
+        if (rec->data.raw.data_len != sizeof(struct in6_addr))
+        {
+          GNUNET_break_op (0);
+          skip++;
+          continue;
+        }
+        rd[i - skip].data_size = rec->data.raw.data_len;
+        rd[i - skip].data = rec->data.raw.data;
+        break;
+
+      case GNUNET_DNSPARSER_TYPE_CNAME:
+      case GNUNET_DNSPARSER_TYPE_PTR:
+      case GNUNET_DNSPARSER_TYPE_NS:
+        buf_start = buf_off;
+        if (GNUNET_OK !=
+            GNUNET_DNSPARSER_builder_add_name (buf,
+                                               sizeof(buf),
+                                               &buf_off,
+                                               rec->data.hostname))
+        {
+          GNUNET_break (0);
+          skip++;
+          continue;
+        }
+        rd[i - skip].data_size = buf_off - buf_start;
+        rd[i - skip].data = &buf[buf_start];
+        break;
+
+      case GNUNET_DNSPARSER_TYPE_SOA:
+        buf_start = buf_off;
+        if (GNUNET_OK !=
+            GNUNET_DNSPARSER_builder_add_soa (buf,
+                                              sizeof(buf),
+                                              &buf_off,
+                                              rec->data.soa))
+        {
+          GNUNET_break (0);
+          skip++;
+          continue;
+        }
+        rd[i - skip].data_size = buf_off - buf_start;
+        rd[i - skip].data = &buf[buf_start];
+        break;
+
+      case GNUNET_DNSPARSER_TYPE_MX:
+        buf_start = buf_off;
+        if (GNUNET_OK !=
+            GNUNET_DNSPARSER_builder_add_mx (buf,
+                                             sizeof(buf),
+                                             &buf_off,
+                                             rec->data.mx))
+        {
+          GNUNET_break (0);
+          skip++;
+          continue;
+        }
+        rd[i - skip].data_size = buf_off - buf_start;
+        rd[i - skip].data = &buf[buf_start];
+        break;
+
+      case GNUNET_DNSPARSER_TYPE_SRV:
+        buf_start = buf_off;
+        if (GNUNET_OK !=
+            GNUNET_DNSPARSER_builder_add_srv (buf,
+                                              sizeof(buf),
+                                              &buf_off,
+                                              rec->data.srv))
+        {
+          GNUNET_break (0);
+          skip++;
+          continue;
+        }
+        rd[i - skip].data_size = buf_off - buf_start;
+        rd[i - skip].data = &buf[buf_start];
+        break;
+
+      case GNUNET_DNSPARSER_TYPE_URI:
+        buf_start = buf_off;
+        if (GNUNET_OK !=
+            GNUNET_DNSPARSER_builder_add_uri (buf,
+                                              sizeof(buf),
+                                              &buf_off,
+                                              rec->data.uri))
+        {
+          GNUNET_break (0);
+          skip++;
+          continue;
+        }
+        rd[i - skip].data_size = buf_off - buf_start;
+        rd[i - skip].data = &buf[buf_start];
+        break;
+
+      default:
+        GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+                    _ ("Skipping record of unsupported type %d\n"),
+                    rec->type);
+        skip++;
+        continue;
+      }
+    }   /* end of for all records in answer */
+    if (NULL != rh->leho)
+    {
+      rd[rd_count - skip].record_type = GNUNET_GNSRECORD_TYPE_LEHO;
+      rd[rd_count - skip].flags = GNUNET_GNSRECORD_RF_RELATIVE_EXPIRATION;
+      rd[rd_count - skip].flags |= GNUNET_GNSRECORD_RF_SUPPLEMENTAL;
+      rd[rd_count - skip].expiration_time = GNUNET_TIME_UNIT_HOURS.rel_value_us;
+      rd[rd_count - skip].data = rh->leho;
+      rd[rd_count - skip].data_size = strlen (rh->leho);
+      skip--;   /* skip one LESS */
+      GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                  "Adding LEHO %s\n",
+                  rh->leho);
+    }
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Returning DNS response for `%s' with %u answers\n",
+                rh->ac_tail->label,
+                (unsigned int) (rd_count - skip));
+    rh->proc (rh->proc_cls,
+              rd_count - skip,
+              rd);
+    GNUNET_DNSSTUB_resolve_cancel (rh->dns_request);
+    rh->dns_request = NULL;
+  }
+  GNUNET_DNSPARSER_free_packet (p);
+  if (NULL != rh->task_id)
+    GNUNET_SCHEDULER_cancel (rh->task_id); /* should be timeout task */
+  rh->task_id = GNUNET_SCHEDULER_add_now (&GNS_resolver_lookup_cancel_,
+                                          rh);
+}
+
+
+/**
+ * Perform recursive DNS resolution.  Asks the given DNS resolver to
+ * resolve "rh->dns_name", possibly recursively proceeding following
+ * NS delegations, CNAMES, etc., until 'rh->loop_limiter' bounds us or
+ * we find the answer.
+ *
+ * @param rh resolution information
+ */
+static void
+recursive_dns_resolution (struct GNS_ResolverHandle *rh)
+{
+  struct AuthorityChain *ac;
+  struct GNUNET_DNSPARSER_Query *query;
+  struct GNUNET_DNSPARSER_Packet *p;
+  char *dns_request;
+  size_t dns_request_length;
+  int ret;
+
+  ac = rh->ac_tail;
+  GNUNET_assert (NULL != ac);
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Starting DNS lookup for `%s'\n",
+              ac->label);
+  GNUNET_assert (GNUNET_NO == ac->gns_authority);
+  query = GNUNET_new (struct GNUNET_DNSPARSER_Query);
+  query->name = GNUNET_strdup (ac->label);
+  query->type = rh->record_type;
+  query->dns_traffic_class = GNUNET_TUN_DNS_CLASS_INTERNET;
+  p = GNUNET_new (struct GNUNET_DNSPARSER_Packet);
+  p->queries = query;
+  p->num_queries = 1;
+  p->id = (uint16_t) GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_NONCE,
+                                               UINT16_MAX);
+  p->flags.opcode = GNUNET_TUN_DNS_OPCODE_QUERY;
+  p->flags.recursion_desired = 1;
+  ret = GNUNET_DNSPARSER_pack (p,
+                               1024,
+                               &dns_request,
+                               &dns_request_length);
+  if (GNUNET_OK != ret)
+  {
+    GNUNET_break (0);
+    rh->proc (rh->proc_cls,
+              0,
+              NULL);
+    GNUNET_assert (NULL == rh->task_id);
+    rh->task_id = GNUNET_SCHEDULER_add_now (&GNS_resolver_lookup_cancel_,
+                                            rh);
+  }
+  else
+  {
+    rh->original_dns_id = p->id;
+    GNUNET_assert (NULL != ac->authority_info.dns_authority.dns_handle);
+    GNUNET_assert (NULL == rh->dns_request);
+    rh->leho = GNUNET_strdup (ac->label);
+    rh->dns_request = GNUNET_DNSSTUB_resolve (
+      ac->authority_info.dns_authority.dns_handle,
+      dns_request,
+      dns_request_length,
+      &dns_result_parser,
+      rh);
+    rh->task_id = GNUNET_SCHEDULER_add_delayed (DNS_LOOKUP_TIMEOUT,
+                                                &timeout_resolution,
+                                                rh);
+  }
+  if (GNUNET_SYSERR != ret)
+    GNUNET_free (dns_request);
+  GNUNET_DNSPARSER_free_packet (p);
+}
+
+
+/**
+ * We encountered a REDIRECT record during our resolution.
+ * Merge it into our chain.
+ *
+ * @param rh resolution we are performing
+ * @param rname value of the redirect record we got for the current
+ *        authority chain tail
+ */
+static void
+handle_gns_redirect_result (struct GNS_ResolverHandle *rh,
+                            const char *rname)
+{
+  size_t nlen;
+  char *res;
+  const char *tld;
+  struct AuthorityChain *ac;
+  int af;
+  struct GNUNET_CRYPTO_PublicKey zone;
+
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Handling GNS REDIRECT result `%s'\n",
+              rname);
+  nlen = strlen (rname);
+  tld = GNS_get_tld (rname);
+  if (0 == strcmp ("+", tld))
+  {
+    /* REDIRECT resolution continues relative to current domain */
+    if (0 == rh->name_resolution_pos)
+    {
+      res = GNUNET_strndup (rname, nlen - 2);
+      rh->name_resolution_pos = nlen - 2;
+    }
+    else
+    {
+      GNUNET_asprintf (&res,
+                       "%.*s.%.*s",
+                       (int) rh->name_resolution_pos,
+                       rh->name,
+                       (int) (nlen - 2),
+                       rname);
+      rh->name_resolution_pos = strlen (res);
+    }
+    GNUNET_free (rh->name);
+    rh->name = res;
+    ac = GNUNET_new (struct AuthorityChain);
+    ac->rh = rh;
+    ac->gns_authority = GNUNET_YES;
+    ac->authority_info.gns_authority =
+      rh->ac_tail->authority_info.gns_authority;
+    ac->label = resolver_lookup_get_next_label (rh);
+    /* add AC to tail */
+    GNUNET_CONTAINER_DLL_insert_tail (rh->ac_head,
+                                      rh->ac_tail,
+                                      ac);
+    rh->task_id = GNUNET_SCHEDULER_add_now (&recursive_resolution,
+                                            rh);
+    return;
+  }
+  if (GNUNET_OK == GNUNET_GNSRECORD_zkey_to_pkey (tld, &zone))
+  {
+    /* REDIRECT resolution continues relative to current domain */
+    if (0 == rh->name_resolution_pos)
+    {
+      GNUNET_asprintf (&res,
+                       "%.*s",
+                       (int) (strlen (rname) - (strlen (tld) + 1)),
+                       rname);
+    }
+    else
+    {
+      GNUNET_asprintf (&res,
+                       "%.*s.%.*s",
+                       (int) rh->name_resolution_pos,
+                       rh->name,
+                       (int) (strlen (rname) - (strlen (tld) + 1)),
+                       rname);
+    }
+    rh->name_resolution_pos = strlen (res);
+    GNUNET_free (rh->name);
+    rh->name = res;
+    ac = GNUNET_new (struct AuthorityChain);
+    ac->rh = rh;
+    ac->gns_authority = GNUNET_YES;
+    ac->authority_info.gns_authority = zone;
+    ac->label = resolver_lookup_get_next_label (rh);
+    /* add AC to tail */
+    GNUNET_CONTAINER_DLL_insert_tail (rh->ac_head,
+                                      rh->ac_tail,
+                                      ac);
+    rh->task_id = GNUNET_SCHEDULER_add_now (&recursive_resolution,
+                                            rh);
+    return;
+  }
+
+  GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+              "Got REDIRECT `%s' from GNS for `%s'\n",
+              rname,
+              rh->name);
+  if (NULL != rh->std_resolve)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                "Multiple REDIRECT results from GNS resolving `%s'! Not really allowed...\n",
+                rh->name);
+    GNUNET_RESOLVER_request_cancel (rh->std_resolve);
+  }
+  /* name is absolute, go to DNS */
+  GNUNET_free (rh->name);
+  rh->name = GNUNET_strdup (rname);
+  rh->name_resolution_pos = strlen (rh->name);
+  switch (rh->record_type)
+  {
+  case GNUNET_DNSPARSER_TYPE_A:
+    af = AF_INET;
+    break;
+
+  case GNUNET_DNSPARSER_TYPE_AAAA:
+    af = AF_INET6;
+    break;
+
+  default:
+    af = AF_UNSPEC;
+    break;
+  }
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Doing standard DNS lookup for `%s'\n",
+              rh->name);
+
+  rh->std_resolve = GNUNET_RESOLVER_ip_get (rh->name,
+                                            af,
+                                            DNS_LOOKUP_TIMEOUT,
+                                            &handle_dns_result,
+                                            rh);
+}
+
+
+/**
+ * We encountered a CNAME record during our resolution.
+ * Merge it into our chain.
+ *
+ * @param rh resolution we are performing
+ * @param cname value of the cname record we got for the current
+ *        authority chain tail
+ */
+static void
+handle_gns_cname_result (struct GNS_ResolverHandle *rh,
+                         const char *cname)
+{
+  int af;
+
+  GNUNET_free (rh->name);
+  rh->name = GNUNET_strdup (cname);
+  rh->name_resolution_pos = strlen (rh->name);
+  switch (rh->record_type)
+  {
+  case GNUNET_DNSPARSER_TYPE_A:
+    af = AF_INET;
+    break;
+
+  case GNUNET_DNSPARSER_TYPE_AAAA:
+    af = AF_INET6;
+    break;
+
+  default:
+    af = AF_UNSPEC;
+    break;
+  }
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Doing standard DNS lookup for `%s'\n",
+              rh->name);
+
+  rh->std_resolve = GNUNET_RESOLVER_ip_get (rh->name,
+                                            af,
+                                            DNS_LOOKUP_TIMEOUT,
+                                            &handle_dns_result,
+                                            rh);
+}
+
+
+/**
+ * Process records that were decrypted from a block.
+ *
+ * @param cls closure with the 'struct GNS_ResolverHandle'
+ * @param rd_count number of entries in @a rd array
+ * @param rd array of records with data to store
+ */
+static void
+handle_gns_resolution_result (void *cls,
+                              unsigned int rd_count,
+                              const struct GNUNET_GNSRECORD_Data *rd);
+
+
+/**
+ * We have resolved one or more of the nameservers for a
+ * GNS2DNS lookup.  Once we have some of them, begin using
+ * the DNSSTUB resolver.
+ *
+ * @param ac context for GNS2DNS resolution
+ */
+static void
+continue_with_gns2dns (struct AuthorityChain *ac)
+{
+  struct GNS_ResolverHandle *rh = ac->rh;
+
+  if ((NULL != ac->authority_info.dns_authority.gp_head) &&
+      (GNUNET_NO == ac->authority_info.dns_authority.found))
+    return; /* more pending and none found yet */
+  if (GNUNET_NO == ac->authority_info.dns_authority.found)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+                "Failed to resolve DNS server for `%s' in GNS2DNS resolution\n",
+                ac->authority_info.dns_authority.name);
+    fail_resolution (rh);
+    return;
+  }
+  if (GNUNET_NO != ac->authority_info.dns_authority.launched)
+    return; /* already running, do not launch again! */
+  /* recurse */
+  ac->authority_info.dns_authority.launched = GNUNET_YES;
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Will continue resolution using DNS to resolve `%s'\n",
+              ac->label);
+  GNUNET_assert (NULL == rh->task_id);
+  rh->task_id = GNUNET_SCHEDULER_add_now (&recursive_resolution,
+                                          rh);
+}
+
+
+/**
+ * We've resolved the IP address for the DNS resolver to use
+ * after encountering a GNS2DNS record.
+ *
+ * @param cls the `struct Gns2DnsPending` used for this request
+ * @param rd_count number of records in @a rd
+ * @param rd addresses for the DNS resolver  (presumably)
+ */
+static void
+handle_gns2dns_result (void *cls,
+                       unsigned int rd_count,
+                       const struct GNUNET_GNSRECORD_Data *rd)
+{
+  struct Gns2DnsPending *gp = cls;
+  struct AuthorityChain *ac = gp->ac;
+
+  GNUNET_CONTAINER_DLL_remove (ac->authority_info.dns_authority.gp_head,
+                               ac->authority_info.dns_authority.gp_tail,
+                               gp);
+  /* enable cleanup of 'rh' handle that automatically comes after we return,
+     and which expects 'rh' to be in the #rlh_head DLL. */
+  if (NULL != gp->rh)
+  {
+    GNUNET_CONTAINER_DLL_insert (rlh_head,
+                                 rlh_tail,
+                                 gp->rh);
+    gp->rh = NULL;
+  }
+  GNUNET_free (gp);
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Received %u results for IP address of DNS server for GNS2DNS transition\n",
+              rd_count);
+  /* find suitable A/AAAA record */
+  for (unsigned int j = 0; j < rd_count; j++)
+  {
+    switch (rd[j].record_type)
+    {
+    case GNUNET_DNSPARSER_TYPE_A:
+      {
+        struct sockaddr_in v4;
+
+        if (sizeof(struct in_addr) != rd[j].data_size)
+        {
+          GNUNET_break_op (0);
+          continue;
+        }
+        memset (&v4,
+                0,
+                sizeof(v4));
+        v4.sin_family = AF_INET;
+        v4.sin_port = htons (53);
+#if HAVE_SOCKADDR_IN_SIN_LEN
+        v4.sin_len = (u_char) sizeof(v4);
+#endif
+        GNUNET_memcpy (&v4.sin_addr,
+                       rd[j].data,
+                       sizeof(struct in_addr));
+        if (GNUNET_OK ==
+            GNUNET_DNSSTUB_add_dns_sa (
+              ac->authority_info.dns_authority.dns_handle,
+              (const struct sockaddr *) &v4))
+          ac->authority_info.dns_authority.found = GNUNET_YES;
+        break;
+      }
+
+    case GNUNET_DNSPARSER_TYPE_AAAA:
+      {
+        struct sockaddr_in6 v6;
+
+        if (sizeof(struct in6_addr) != rd[j].data_size)
+        {
+          GNUNET_break_op (0);
+          continue;
+        }
+        /* FIXME: might want to check if we support IPv6 here,
+           and otherwise skip this one and hope we find another */
+        memset (&v6,
+                0,
+                sizeof(v6));
+        v6.sin6_family = AF_INET6;
+        v6.sin6_port = htons (53);
+#if HAVE_SOCKADDR_IN_SIN_LEN
+        v6.sin6_len = (u_char) sizeof(v6);
+#endif
+        GNUNET_memcpy (&v6.sin6_addr,
+                       rd[j].data,
+                       sizeof(struct in6_addr));
+        if (GNUNET_OK ==
+            GNUNET_DNSSTUB_add_dns_sa (
+              ac->authority_info.dns_authority.dns_handle,
+              (const struct sockaddr *) &v6))
+          ac->authority_info.dns_authority.found = GNUNET_YES;
+        break;
+      }
+
+    default:
+      break;
+    }
+  }
+  continue_with_gns2dns (ac);
+}
+
+
+/**
+ * Function called by the resolver for each address obtained from DNS.
+ *
+ * @param cls closure, a `struct Gns2DnsPending *`
+ * @param addr one of the addresses of the host, NULL for the last address
+ * @param addrlen length of @a addr
+ */
+static void
+handle_gns2dns_ip (void *cls,
+                   const struct sockaddr *addr,
+                   socklen_t addrlen)
+{
+  struct Gns2DnsPending *gp = cls;
+  struct AuthorityChain *ac = gp->ac;
+  struct sockaddr_storage ss;
+  struct sockaddr_in *v4;
+  struct sockaddr_in6 *v6;
+
+  if (NULL == addr)
+  {
+    /* DNS resolution finished */
+    if (0 == gp->num_results)
+      GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                  "Failed to use DNS to resolve name of DNS resolver\n");
+    GNUNET_CONTAINER_DLL_remove (ac->authority_info.dns_authority.gp_head,
+                                 ac->authority_info.dns_authority.gp_tail,
+                                 gp);
+    GNUNET_free (gp);
+    continue_with_gns2dns (ac);
+    return;
+  }
+  GNUNET_memcpy (&ss,
+                 addr,
+                 addrlen);
+  switch (ss.ss_family)
+  {
+  case AF_INET:
+    v4 = (struct sockaddr_in *) &ss;
+    v4->sin_port = htons (53);
+    gp->num_results++;
+    break;
+
+  case AF_INET6:
+    v6 = (struct sockaddr_in6 *) &ss;
+    v6->sin6_port = htons (53);
+    gp->num_results++;
+    break;
+
+  default:
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Unsupported AF %d\n",
+                ss.ss_family);
+    return;
+  }
+  if (GNUNET_OK ==
+      GNUNET_DNSSTUB_add_dns_sa (ac->authority_info.dns_authority.dns_handle,
+                                 (struct sockaddr *) &ss))
+    ac->authority_info.dns_authority.found = GNUNET_YES;
+}
+
+
+/**
+ * We found a REDIRECT record, perform recursive resolution on it.
+ *
+ * @param rh resolution handle
+ * @param rd record with CNAME to resolve recursively
+ */
+static void
+recursive_redirect_resolution (struct GNS_ResolverHandle *rh,
+                               const struct GNUNET_GNSRECORD_Data *rd)
+{
+  handle_gns_redirect_result (rh,
+                              rd->data);
+}
+
+
+/**
+ * We found a CNAME record, perform recursive resolution on it.
+ *
+ * @param rh resolution handle
+ * @param rd record with CNAME to resolve recursively
+ */
+static void
+recursive_cname_resolution (struct GNS_ResolverHandle *rh,
+                            const struct GNUNET_GNSRECORD_Data *rd)
+{
+  char *cname;
+  size_t off;
+
+  off = 0;
+  cname = GNUNET_DNSPARSER_parse_name (rd->data,
+                                       rd->data_size,
+                                       &off);
+  if ((NULL == cname) ||
+      (off != rd->data_size))
+  {
+    GNUNET_break_op (0);  /* record not well-formed */
+    GNUNET_free (cname);
+    fail_resolution (rh);
+    return;
+  }
+  handle_gns_cname_result (rh,
+                           cname);
+  GNUNET_free (cname);
+}
+
+
+/**
+ * We found a PKEY record, perform recursive resolution on it.
+ *
+ * @param rh resolution handle
+ * @param rd record with PKEY to resolve recursively
+ */
+static void
+recursive_pkey_resolution (struct GNS_ResolverHandle *rh,
+                           const struct GNUNET_GNSRECORD_Data *rd)
+{
+  struct AuthorityChain *ac;
+  struct GNUNET_CRYPTO_PublicKey auth;
+
+  /* delegation to another zone */
+  if (GNUNET_OK != GNUNET_GNSRECORD_identity_from_data (rd->data,
+                                                        rd->data_size,
+                                                        rd->record_type,
+                                                        &auth))
+  {
+    GNUNET_break_op (0);
+    fail_resolution (rh);
+    return;
+  }
+  /* expand authority chain */
+  ac = GNUNET_new (struct AuthorityChain);
+  ac->rh = rh;
+  ac->gns_authority = GNUNET_YES;
+  ac->authority_info.gns_authority = auth;
+  ac->label = resolver_lookup_get_next_label (rh);
+  /* add AC to tail */
+  GNUNET_CONTAINER_DLL_insert_tail (rh->ac_head,
+                                    rh->ac_tail,
+                                    ac);
+  /* recurse */
+  rh->task_id = GNUNET_SCHEDULER_add_now (&recursive_resolution,
+                                          rh);
+}
+
+
+/**
+ * We found one or more GNS2DNS records, perform recursive resolution on it.
+ * (to be precise, one or more records in @a rd is GNS2DNS, there may be others,
+ * so this function still needs to check which ones are GNS2DNS).
+ *
+ * @param rh resolution handle
+ * @param rd_count length of the @a rd array
+ * @param rd record with PKEY to resolve recursively
+ * @return #GNUNET_OK if this worked, #GNUNET_SYSERR if no GNS2DNS records were in @a rd
+ */
+static int
+recursive_gns2dns_resolution (struct GNS_ResolverHandle *rh,
+                              unsigned int rd_count,
+                              const struct GNUNET_GNSRECORD_Data *rd)
+{
+  struct AuthorityChain *ac;
+  const char *tld;
+  char *ns;
+
+  ns = NULL;
+  /* expand authority chain */
+  ac = GNUNET_new (struct AuthorityChain);
+  ac->rh = rh;
+  ac->authority_info.dns_authority.dns_handle = GNUNET_DNSSTUB_start (4);
+
+  for (unsigned int i = 0; i < rd_count; i++)
+  {
+    char *ip;
+    char *n;
+    size_t off;
+    struct Gns2DnsPending *gp;
+    struct GNUNET_CRYPTO_PublicKey zone;
+    struct sockaddr_in v4;
+    struct sockaddr_in6 v6;
+
+    if (GNUNET_GNSRECORD_TYPE_GNS2DNS != rd[i].record_type)
+    {
+      /**
+       * Records other than GNS2DNS not allowed
+       */
+      GNUNET_free (ns);
+      GNUNET_free (ac);
+      return GNUNET_SYSERR;
+    }
+    off = 0;
+    n = GNUNET_DNSPARSER_parse_name (rd[i].data,
+                                     rd[i].data_size,
+                                     &off);
+    ip = GNUNET_strdup (&((const char *) rd[i].data)[off]);
+    if ((NULL == n) ||
+        (NULL == ip))
+    {
+      GNUNET_break_op (0);
+      GNUNET_free (n);
+      GNUNET_free (ip);
+      continue;
+    }
+
+    off += strlen (ip) + 1;
+
+    if (off != rd[i].data_size)
+    {
+      GNUNET_break_op (0);
+      GNUNET_free (n);
+      GNUNET_free (ip);
+      continue;
+    }
+    /* resolve 'ip' to determine the IP(s) of the DNS
+       resolver to use for lookup of 'ns' */
+    if (NULL != ns)
+    {
+      if (0 != strcasecmp (ns,
+                           n))
+      {
+        /* NS values must all be the same for all GNS2DNS records,
+           anything else leads to insanity */
+        GNUNET_break_op (0);
+        GNUNET_free (n);
+        GNUNET_free (ip);
+        continue;
+      }
+      GNUNET_free (n);
+    }
+    else
+    {
+      ns = n;
+    }
+
+    /* check if 'ip' is already an IPv4/IPv6 address */
+    if ((1 == inet_pton (AF_INET,
+                         ip,
+                         &v4)) ||
+        (1 == inet_pton (AF_INET6,
+                         ip,
+                         &v6)))
+    {
+      GNUNET_break (GNUNET_OK ==
+                    GNUNET_DNSSTUB_add_dns_ip (
+                      ac->authority_info.dns_authority.dns_handle,
+                      ip));
+      ac->authority_info.dns_authority.found = GNUNET_YES;
+      GNUNET_free (ip);
+      continue;
+    }
+    tld = GNS_get_tld (ip);
+    if ((0 != strcmp (tld, "+")) &&
+        (GNUNET_OK != GNUNET_GNSRECORD_zkey_to_pkey (tld, &zone)))
+    {
+      /* 'ip' is a DNS name */
+      gp = GNUNET_new (struct Gns2DnsPending);
+      gp->ac = ac;
+      GNUNET_CONTAINER_DLL_insert (ac->authority_info.dns_authority.gp_head,
+                                   ac->authority_info.dns_authority.gp_tail,
+                                   gp);
+      gp->dns_rh = GNUNET_RESOLVER_ip_get (ip,
+                                           AF_UNSPEC,
+                                           GNUNET_TIME_UNIT_FOREVER_REL,
+                                           &handle_gns2dns_ip,
+                                           gp);
+      GNUNET_free (ip);
+      continue;
+    }
+    /* 'ip' should be a GNS name */
+    gp = GNUNET_new (struct Gns2DnsPending);
+    gp->ac = ac;
+    GNUNET_CONTAINER_DLL_insert (ac->authority_info.dns_authority.gp_head,
+                                 ac->authority_info.dns_authority.gp_tail,
+                                 gp);
+    gp->rh = GNUNET_new (struct GNS_ResolverHandle);
+    if (0 == strcmp (tld, "+"))
+    {
+      ip = translate_dot_plus (rh,
+                               ip);
+      tld = GNS_get_tld (ip);
+      if (GNUNET_OK !=
+          GNUNET_GNSRECORD_zkey_to_pkey (tld,
+                                         &zone))
+      {
+        GNUNET_break_op (0);
+        GNUNET_free (ip);
+        continue;
+      }
+    }
+    gp->rh->authority_zone = zone;
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Resolving `%s' to determine IP address of DNS server for GNS2DNS transition for `%s'\n",
+                ip,
+                ns);
+    gp->rh->name = ip;
+    gp->rh->name_resolution_pos = strlen (ip) - strlen (tld) - 1;
+    gp->rh->proc = &handle_gns2dns_result;
+    gp->rh->proc_cls = gp;
+    gp->rh->record_type = GNUNET_GNSRECORD_TYPE_ANY;
+    gp->rh->options = GNUNET_GNS_LO_DEFAULT;
+    gp->rh->loop_limiter = rh->loop_limiter + 1;
+    gp->rh->loop_threshold = rh->loop_threshold;
+    gp->rh->task_id
+      = GNUNET_SCHEDULER_add_now (&start_resolver_lookup,
+                                  gp->rh);
+  }   /* end 'for all records' */
+
+  if (NULL == ns)
+  {
+    /* not a single GNS2DNS record found */
+    GNUNET_free (ac);
+    return GNUNET_SYSERR;
+  }
+  GNUNET_assert (strlen (ns) <= GNUNET_DNSPARSER_MAX_NAME_LENGTH);
+  strcpy (ac->authority_info.dns_authority.name,
+          ns);
+  /* for DNS recursion, the label is the full DNS name,
+     created from the remainder of the GNS name and the
+     name in the NS record */
+  GNUNET_asprintf (&ac->label,
+                   "%.*s%s%s",
+                   (int) rh->name_resolution_pos,
+                   rh->name,
+                   (0 != rh->name_resolution_pos) ? "." : "",
+                   ns);
+  GNUNET_free (ns);
+
+  {
+    /* the GNS name is UTF-8 and may include multibyte chars.
+     * We have to convert the combined name to a DNS-compatible IDNA.
+     */
+    char *tmp = ac->label;
+
+    if (IDNA_SUCCESS != idna_to_ascii_8z (tmp,
+                                          &ac->label,
+                                          IDNA_ALLOW_UNASSIGNED))
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                  _ ("Name `%s' cannot be converted to IDNA."),
+                  tmp);
+      GNUNET_free (tmp);
+      GNUNET_free (ac);
+      return GNUNET_SYSERR;
+    }
+    GNUNET_free (tmp);
+  }
+
+  GNUNET_CONTAINER_DLL_insert_tail (rh->ac_head,
+                                    rh->ac_tail,
+                                    ac);
+  if (strlen (ac->label) > GNUNET_DNSPARSER_MAX_NAME_LENGTH)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                _ ("GNS lookup resulted in DNS name that is too long (`%s')\n"),
+                ac->label);
+    GNUNET_free (ac->label);
+    GNUNET_free (ac);
+    return GNUNET_SYSERR;
+  }
+  continue_with_gns2dns (ac);
+  return GNUNET_OK;
+}
+
+
+static void
+handle_gns_resolution_result (void *cls,
+                              unsigned int rd_count,
+                              const struct GNUNET_GNSRECORD_Data *rd)
+{
+  struct GNS_ResolverHandle *rh = cls;
+  char *cname;
+  char scratch[UINT16_MAX];
+  size_t scratch_off;
+  size_t scratch_start;
+  size_t off;
+  struct GNUNET_GNSRECORD_Data rd_new[rd_count];
+  unsigned int rd_off;
+
+  GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+              "Resolution succeeded for `%s' in zone %s, got %u records\n",
+              rh->ac_tail->label,
+              GNUNET_GNSRECORD_z2s (&rh->ac_tail->authority_info.gns_authority),
+              rd_count);
+  if (0 == rd_count)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                _ ("GNS lookup failed (zero records found for `%s')\n"),
+                rh->name);
+    fail_resolution (rh);
+    return;
+  }
+
+  if (0 == rh->name_resolution_pos)
+  {
+    /* top-level match, are we done yet? */
+    if ((rd_count > 0) &&
+        (GNUNET_DNSPARSER_TYPE_CNAME == rd[0].record_type) &&
+        (GNUNET_DNSPARSER_TYPE_CNAME != rh->record_type))
+    {
+      off = 0;
+      cname = GNUNET_DNSPARSER_parse_name (rd[0].data,
+                                           rd[0].data_size,
+                                           &off);
+      if ((NULL == cname) ||
+          (off != rd[0].data_size))
+      {
+        GNUNET_break_op (0);
+        GNUNET_free (cname);
+        fail_resolution (rh);
+        return;
+      }
+      handle_gns_cname_result (rh,
+                               cname);
+      GNUNET_free (cname);
+      return;
+    }
+    if ((rd_count > 0) &&
+        (GNUNET_GNSRECORD_TYPE_REDIRECT == rd[0].record_type) &&
+        (GNUNET_GNSRECORD_TYPE_REDIRECT != rh->record_type))
+    {
+      handle_gns_redirect_result (rh,
+                                  rd[0].data);
+      return;
+    }
+
+
+    /* If A/AAAA was requested,
+     * but we got a GNS2DNS record */
+    if ((GNUNET_DNSPARSER_TYPE_A == rh->record_type) ||
+        (GNUNET_DNSPARSER_TYPE_AAAA == rh->record_type))
+    {
+      for (unsigned int i = 0; i < rd_count; i++)
+      {
+        switch (rd[i].record_type)
+        {
+        case GNUNET_GNSRECORD_TYPE_GNS2DNS:
+          {
+            /* delegation to DNS */
+            GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                        "Found GNS2DNS record, delegating to DNS!\n");
+            if (GNUNET_OK ==
+                recursive_gns2dns_resolution (rh,
+                                              rd_count,
+                                              rd))
+              return;
+            else
+              goto fail;
+          }
+
+        default:
+          break;
+        }         /* end: switch */
+      }       /* end: for rd */
+    }     /* end: name_resolution_pos */
+    /* convert relative names in record values to absolute names,
+       using 'scratch' array for memory allocations */
+    scratch_off = 0;
+    rd_off = 0;
+    for (unsigned int i = 0; i < rd_count; i++)
+    {
+      GNUNET_assert (rd_off <= i);
+      if ((((0 != rh->protocol) &&
+            (0 != rh->service)) || (NULL != rh->prefix)) &&
+          (GNUNET_GNSRECORD_TYPE_BOX != rd[i].record_type &&
+           GNUNET_GNSRECORD_TYPE_SBOX != rd[i].record_type))
+        if (GNUNET_GNSRECORD_TYPE_PKEY != rd[i].record_type &&
+            GNUNET_GNSRECORD_TYPE_EDKEY != rd[i].record_type)
+          continue;
+      /* we _only_ care about boxed records */
+
+      GNUNET_assert (rd_off < rd_count);
+      rd_new[rd_off] = rd[i];
+      /* Check if the embedded name(s) end in "+", and if so,
+         replace the "+" with the zone at "ac_tail", changing the name
+         to a ".ZONEKEY".  The name is allocated on the 'scratch' array,
+         so we can free it afterwards. */
+      switch (rd[i].record_type)
+      {
+      case GNUNET_GNSRECORD_TYPE_REDIRECT:
+        {
+          char *rname;
+          rname = GNUNET_strndup (rd[i].data, rd[i].data_size);
+          rname = translate_dot_plus (rh, rname);
+          GNUNET_break (NULL != rname);
+          scratch_start = scratch_off;
+          memcpy (&scratch[scratch_start], rname, strlen (rname) + 1);
+          scratch_off += strlen (rname) + 1;
+          GNUNET_assert (rd_off < rd_count);
+          rd_new[rd_off].data = &scratch[scratch_start];
+          rd_new[rd_off].data_size = scratch_off - scratch_start;
+          rd_off++;
+          GNUNET_free (rname);
+        }
+        break;
+
+      case GNUNET_DNSPARSER_TYPE_CNAME:
+        {
+          char *cname;
+
+          off = 0;
+          cname = GNUNET_DNSPARSER_parse_name (rd[i].data,
+                                               rd[i].data_size,
+                                               &off);
+          if ((NULL == cname) ||
+              (off != rd[i].data_size))
+          {
+            GNUNET_break_op (0);      /* record not well-formed */
+          }
+          else
+          {
+            cname = translate_dot_plus (rh, cname);
+            GNUNET_break (NULL != cname);
+            scratch_start = scratch_off;
+            if (GNUNET_OK !=
+                GNUNET_DNSPARSER_builder_add_name (scratch,
+                                                   sizeof(scratch),
+                                                   &scratch_off,
+                                                   cname))
+            {
+              GNUNET_break (0);
+            }
+            else
+            {
+              GNUNET_assert (rd_off < rd_count);
+              rd_new[rd_off].data = &scratch[scratch_start];
+              rd_new[rd_off].data_size = scratch_off - scratch_start;
+              rd_off++;
+            }
+          }
+          GNUNET_free (cname);
+        }
+        break;
+
+      case GNUNET_DNSPARSER_TYPE_SOA:
+        {
+          struct GNUNET_DNSPARSER_SoaRecord *soa;
+
+          off = 0;
+          soa = GNUNET_DNSPARSER_parse_soa (rd[i].data,
+                                            rd[i].data_size,
+                                            &off);
+          if ((NULL == soa) ||
+              (off != rd[i].data_size))
+          {
+            GNUNET_break_op (0);      /* record not well-formed */
+          }
+          else
+          {
+            soa->mname = translate_dot_plus (rh, soa->mname);
+            soa->rname = translate_dot_plus (rh, soa->rname);
+            scratch_start = scratch_off;
+            if (GNUNET_OK !=
+                GNUNET_DNSPARSER_builder_add_soa (scratch,
+                                                  sizeof(scratch),
+                                                  &scratch_off,
+                                                  soa))
+            {
+              GNUNET_break (0);
+            }
+            else
+            {
+              GNUNET_assert (rd_off < rd_count);
+              rd_new[rd_off].data = &scratch[scratch_start];
+              rd_new[rd_off].data_size = scratch_off - scratch_start;
+              rd_off++;
+            }
+          }
+          if (NULL != soa)
+            GNUNET_DNSPARSER_free_soa (soa);
+        }
+        break;
+
+      case GNUNET_DNSPARSER_TYPE_MX:
+        {
+          struct GNUNET_DNSPARSER_MxRecord *mx;
+
+          off = 0;
+          mx = GNUNET_DNSPARSER_parse_mx (rd[i].data,
+                                          rd[i].data_size,
+                                          &off);
+          if ((NULL == mx) ||
+              (off != rd[i].data_size))
+          {
+            GNUNET_break_op (0);      /* record not well-formed */
+          }
+          else
+          {
+            mx->mxhost = translate_dot_plus (rh, mx->mxhost);
+            scratch_start = scratch_off;
+            if (GNUNET_OK !=
+                GNUNET_DNSPARSER_builder_add_mx (scratch,
+                                                 sizeof(scratch),
+                                                 &scratch_off,
+                                                 mx))
+            {
+              GNUNET_break (0);
+            }
+            else
+            {
+              GNUNET_assert (rd_off < rd_count);
+              rd_new[rd_off].data = &scratch[scratch_start];
+              rd_new[rd_off].data_size = scratch_off - scratch_start;
+              rd_off++;
+            }
+          }
+          if (NULL != mx)
+            GNUNET_DNSPARSER_free_mx (mx);
+        }
+        break;
+
+      case GNUNET_DNSPARSER_TYPE_SRV:
+        {
+          struct GNUNET_DNSPARSER_SrvRecord *srv;
+
+          off = 0;
+          srv = GNUNET_DNSPARSER_parse_srv (rd[i].data,
+                                            rd[i].data_size,
+                                            &off);
+          if ((NULL == srv) ||
+              (off != rd[i].data_size))
+          {
+            GNUNET_break_op (0);      /* record not well-formed */
+          }
+          else
+          {
+            srv->target = translate_dot_plus (rh, srv->target);
+            scratch_start = scratch_off;
+            if (GNUNET_OK !=
+                GNUNET_DNSPARSER_builder_add_srv (scratch,
+                                                  sizeof(scratch),
+                                                  &scratch_off,
+                                                  srv))
+            {
+              GNUNET_break (0);
+            }
+            else
+            {
+              GNUNET_assert (rd_off < rd_count);
+              rd_new[rd_off].data = &scratch[scratch_start];
+              rd_new[rd_off].data_size = scratch_off - scratch_start;
+              rd_off++;
+            }
+          }
+          if (NULL != srv)
+            GNUNET_DNSPARSER_free_srv (srv);
+        }
+        break;
+
+      case GNUNET_DNSPARSER_TYPE_URI:
+        {
+          struct GNUNET_DNSPARSER_UriRecord *uri;
+
+          off = 0;
+          uri = GNUNET_DNSPARSER_parse_uri (rd[i].data,
+                                            rd[i].data_size,
+                                            &off);
+          if ((NULL == uri) ||
+              (off != rd[i].data_size))
+          {
+            GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                        _ ("Failed to deserialize URI record with target\n"));
+            GNUNET_break_op (0);      /* record not well-formed */
+          }
+          else
+          {
+            scratch_start = scratch_off;
+            if (GNUNET_OK !=
+                GNUNET_DNSPARSER_builder_add_uri (scratch,
+                                                  sizeof(scratch),
+                                                  &scratch_off,
+                                                  uri))
+            {
+              GNUNET_break (0);
+            }
+            else
+            {
+              GNUNET_assert (rd_off < rd_count);
+              rd_new[rd_off].data = &scratch[scratch_start];
+              rd_new[rd_off].data_size = scratch_off - scratch_start;
+              rd_off++;
+            }
+          }
+          if (NULL != uri)
+            GNUNET_DNSPARSER_free_uri (uri);
+        }
+        break;
+
+      case GNUNET_GNSRECORD_TYPE_PKEY:
+      case GNUNET_GNSRECORD_TYPE_EDKEY:
+        {
+          struct GNUNET_CRYPTO_PublicKey pubkey;
+          if (rd[i].data_size < sizeof(uint32_t))
+          {
+            GNUNET_break_op (0);
+            break;
+          }
+          if (GNUNET_OK !=
+              GNUNET_GNSRECORD_identity_from_data (rd[i].data,
+                                                   rd[i].data_size,
+                                                   rd[i].record_type,
+                                                   &pubkey))
+          {
+            GNUNET_break_op (0);
+            break;
+          }
+          rd_off++;
+          if (rd[i].record_type != rh->record_type)
+          {
+            /* try to resolve "@" */
+            struct AuthorityChain *ac;
+
+            ac = GNUNET_new (struct AuthorityChain);
+            ac->rh = rh;
+            ac->gns_authority = GNUNET_YES;
+            ac->authority_info.gns_authority = pubkey;
+            ac->label = GNUNET_strdup (GNUNET_GNS_EMPTY_LABEL_AT);
+            GNUNET_CONTAINER_DLL_insert_tail (rh->ac_head,
+                                              rh->ac_tail,
+                                              ac);
+            rh->task_id = GNUNET_SCHEDULER_add_now (&recursive_resolution,
+                                                    rh);
+            return;
+          }
+        }
+        break;
+
+      case GNUNET_GNSRECORD_TYPE_GNS2DNS:
+        {
+          /* delegation to DNS */
+          if (GNUNET_GNSRECORD_TYPE_GNS2DNS == rh->record_type)
+          {
+            rd_off++;
+            break;       /* do not follow to DNS, we wanted the GNS2DNS record! */
+          }
+          GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                      "Found GNS2DNS record, delegating to DNS!\n");
+          if (GNUNET_OK ==
+              recursive_gns2dns_resolution (rh,
+                                            rd_count,
+                                            rd))
+            return;
+          else
+            goto fail;
+        }
+
+      case GNUNET_GNSRECORD_TYPE_BOX:
+        {
+          /* unbox SRV/TLSA records if a specific one was requested */
+          if ((0 != rh->protocol) &&
+              (0 != rh->service) &&
+              (rd[i].data_size >= sizeof(struct GNUNET_GNSRECORD_BoxRecord)))
+          {
+            const struct GNUNET_GNSRECORD_BoxRecord *box;
+
+            box = rd[i].data;
+            GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                        "Got BOX record, checking if parameters match... %u/%u vs %u/%u\n",
+                        ntohs (box->protocol), ntohs (box->service),
+                        rh->protocol, rh->service);
+            if ((ntohs (box->protocol) == rh->protocol) &&
+                (ntohs (box->service) == rh->service))
+            {
+              /* Box matches, unbox! */
+              GNUNET_assert (rd_off < rd_count);
+              rd_new[rd_off].record_type = ntohl (box->record_type);
+              rd_new[rd_off].data_size -= sizeof(struct
+                                                 GNUNET_GNSRECORD_BoxRecord);
+              rd_new[rd_off].data = &box[1];
+              rd_off++;
+            }
+          }
+          else
+          {
+            /* no specific protocol/service specified, preserve all BOX
+               records (for modern, GNS-enabled applications) */
+            rd_off++;
+          }
+          break;
+        }
+      case GNUNET_GNSRECORD_TYPE_SBOX:
+        {
+          /* unbox SBOX records if a specific one was requested */
+          if ((rh->prefix != NULL) &&
+              (rd[i].data_size >= sizeof(struct GNUNET_GNSRECORD_SBoxRecord)))
+          {
+            const struct GNUNET_GNSRECORD_SBoxRecord *box;
+
+            box = rd[i].data;
+            const char *prefix = rd[i].data + sizeof(struct
+                                                     GNUNET_GNSRECORD_SBoxRecord);
+            size_t prefix_len = strnlen (prefix, rd[i].data_size - sizeof(struct
+                                                                          GNUNET_GNSRECORD_SBoxRecord))
+                                + 1;
+            if (prefix_len - 1 >= rd[i].data_size - sizeof(struct
+                                                           GNUNET_GNSRECORD_SBoxRecord))
+            {
+              GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                          "SBOX record with invalid prefix length, maybe not null-terminated\n");
+              continue;
+            }
+            GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                        "Got SBOX record, checking if prefixes match... %s vs %s\n",
+                        prefix, rh->prefix);
+            if (strcmp (rh->prefix, prefix) == 0)
+            {
+              /* Box matches, unbox! */
+              GNUNET_assert (rd_off < rd_count);
+              rd_new[rd_off].record_type = ntohl (box->record_type);
+              rd_new[rd_off].data_size -= sizeof(struct
+                                                 GNUNET_GNSRECORD_SBoxRecord)
+                                          + prefix_len;
+              rd_new[rd_off].data = rd[i].data
+                                    + sizeof(struct GNUNET_GNSRECORD_SBoxRecord)
+                                    + prefix_len;
+              rd_off++;
+            }
+          }
+          else
+          {
+            GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                        _ (
+                          "GNS no specific protocol/service specified, preserve all SBOX `%s')\n"),
+                        rh->name);
+            /* no specific protocol/service specified, preserve all SBOX
+               records (for modern, GNS-enabled applications) */
+            rd_off++;
+          }
+          break;
+        }
+      default:
+        rd_off++;
+        break;
+      }       /* end: switch */
+    }     /* end: for rd_count */
+
+    GNUNET_free (rh->prefix);
+    rh->prefix = NULL;
+
+    /* yes, we are done, return result */
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Returning GNS response for `%s' with %u answers\n",
+                rh->ac_tail->label,
+                rd_off);
+    rh->proc (rh->proc_cls,
+              rd_off,
+              rd_new);
+    rh->task_id = GNUNET_SCHEDULER_add_now (&GNS_resolver_lookup_cancel_,
+                                            rh);
+    return;
+  }
+
+  switch (rd[0].record_type)
+  {
+  case GNUNET_GNSRECORD_TYPE_REDIRECT:
+    GNUNET_break_op (1 == rd_count);  /* REDIRECT should be unique */
+    recursive_redirect_resolution (rh,
+                                   &rd[0]);
+    return;
+
+  case GNUNET_DNSPARSER_TYPE_CNAME:
+    GNUNET_break_op (1 == rd_count);  /* CNAME should be unique */
+    recursive_cname_resolution (rh,
+                                &rd[0]);
+    return;
+
+  case GNUNET_GNSRECORD_TYPE_PKEY:
+  case GNUNET_GNSRECORD_TYPE_EDKEY:
+    GNUNET_break_op (1 == rd_count);  /* PKEY should be unique */
+    recursive_pkey_resolution (rh,
+                               &rd[0]);
+    return;
+
+  case GNUNET_GNSRECORD_TYPE_GNS2DNS:
+    if (GNUNET_OK ==
+        recursive_gns2dns_resolution (rh,
+                                      rd_count,
+                                      rd))
+      return;
+    break;
+  default:
+    if (GNUNET_YES != GNUNET_GNSRECORD_is_critical (rd[0].record_type))
+      return;
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                _ ("Unable to process critical delegation record\n"));
+    break;
+  }
+fail:
+  GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+              _ ("GNS lookup recursion failed (no delegation record found)\n"));
+  fail_resolution (rh);
+}
+
+
+/**
+ * Function called once the namestore has completed the request for
+ * caching a block.
+ *
+ * @param cls closure with the `struct CacheOps`
+ * @param success #GNUNET_OK on success
+ * @param emsg error message
+ */
+static void
+namecache_cache_continuation (void *cls,
+                              int32_t success,
+                              const char *emsg)
+{
+  struct CacheOps *co = cls;
+
+  co->namecache_qe_cache = NULL;
+  if (GNUNET_OK != success)
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                _ ("Failed to cache GNS resolution: %s\n"),
+                emsg);
+  GNUNET_CONTAINER_DLL_remove (co_head,
+                               co_tail,
+                               co);
+  GNUNET_free (co);
+}
+
+
+/**
+ * Iterator called on each result obtained for a DHT
+ * operation that expects a reply
+ *
+ * @param cls closure with the `struct GNS_ResolverHandle`
+ * @param exp when will this value expire
+ * @param key key of the result
+ * @param trunc_peer truncated peer, NULL if not truncated
+ * @param get_path peers on reply path (or NULL if not recorded)
+ *                 [0] = datastore's first neighbor, [length - 1] = local peer
+ * @param get_path_length number of entries in @a get_path
+ * @param put_path peers on the PUT path (or NULL if not recorded)
+ *                 [0] = origin, [length - 1] = datastore
+ * @param put_path_length number of entries in @a put_path
+ * @param type type of the result
+ * @param size number of bytes in data
+ * @param data pointer to the result data
+ */
+static void
+handle_dht_response (void *cls,
+                     struct GNUNET_TIME_Absolute exp,
+                     const struct GNUNET_HashCode *key,
+                     const struct GNUNET_PeerIdentity *trunc_peer,
+                     const struct GNUNET_DHT_PathElement *get_path,
+                     unsigned int get_path_length,
+                     const struct GNUNET_DHT_PathElement *put_path,
+                     unsigned int put_path_length,
+                     enum GNUNET_BLOCK_Type type,
+                     size_t size,
+                     const void *data)
+{
+  struct GNS_ResolverHandle *rh = cls;
+  struct AuthorityChain *ac = rh->ac_tail;
+  const struct GNUNET_GNSRECORD_Block *block;
+  struct CacheOps *co;
+
+  (void) exp;
+  (void) key;
+  (void) get_path;
+  (void) get_path_length;
+  (void) put_path;
+  (void) put_path_length;
+  (void) type;
+  GNUNET_DHT_get_stop (rh->get_handle);
+  rh->get_handle = NULL;
+  GNUNET_CONTAINER_heap_remove_node (rh->dht_heap_node);
+  rh->dht_heap_node = NULL;
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Handling response from the DHT\n");
+  if (size < sizeof(struct GNUNET_GNSRECORD_Block))
+  {
+    /* how did this pass DHT block validation!? */
+    GNUNET_break (0);
+    fail_resolution (rh);
+    return;
+  }
+  block = data;
+  if (size != GNUNET_GNSRECORD_block_get_size (block))
+  {
+    /* how did this pass DHT block validation!? */
+    GNUNET_break (0);
+    fail_resolution (rh);
+    return;
+  }
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Decrypting DHT block of size %llu for `%s', expires %s\n",
+              (unsigned long long) GNUNET_GNSRECORD_block_get_size (block),
+              rh->name,
+              GNUNET_STRINGS_absolute_time_to_string (exp));
+  if (GNUNET_OK !=
+      GNUNET_GNSRECORD_block_decrypt (block,
+                                      &ac->authority_info.gns_authority,
+                                      ac->label,
+                                      &handle_gns_resolution_result,
+                                      rh))
+  {
+    GNUNET_break_op (0);  /* block was ill-formed */
+    fail_resolution (rh);
+    return;
+  }
+  if (0 == GNUNET_TIME_absolute_get_remaining (
+        GNUNET_GNSRECORD_block_get_expiration (block)).
+      rel_value_us)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Received expired block from the DHT, will not cache it.\n");
+    return;
+  }
+  if (GNUNET_YES == disable_cache)
+    return;
+  /* Cache well-formed blocks */
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Caching response from the DHT in namecache\n");
+  co = GNUNET_new (struct CacheOps);
+  co->namecache_qe_cache = GNUNET_NAMECACHE_block_cache (namecache_handle,
+                                                         block,
+                                                         &
+                                                         namecache_cache_continuation,
+                                                         co);
+  GNUNET_CONTAINER_DLL_insert (co_head,
+                               co_tail,
+                               co);
+}
+
+
+/**
+ * Initiate a DHT query for a set of GNS records.
+ *
+ * @param rh resolution handle
+ * @param query key to use in the DHT lookup
+ */
+static void
+start_dht_request (struct GNS_ResolverHandle *rh,
+                   const struct GNUNET_HashCode *query)
+{
+  struct GNS_ResolverHandle *rx;
+
+  GNUNET_assert (NULL == rh->get_handle);
+  rh->get_handle = GNUNET_DHT_get_start (dht_handle,
+                                         GNUNET_BLOCK_TYPE_GNS_NAMERECORD,
+                                         query,
+                                         DHT_GNS_REPLICATION_LEVEL,
+                                         GNUNET_DHT_RO_DEMULTIPLEX_EVERYWHERE,
+                                         NULL, 0,
+                                         &handle_dht_response, rh);
+  rh->dht_heap_node = GNUNET_CONTAINER_heap_insert (dht_lookup_heap,
+                                                    rh,
+                                                    GNUNET_TIME_absolute_get ().
+                                                    abs_value_us);
+  if (GNUNET_CONTAINER_heap_get_size (dht_lookup_heap) >
+      max_allowed_background_queries)
+  {
+    /* fail longest-standing DHT request */
+    rx = GNUNET_CONTAINER_heap_remove_root (dht_lookup_heap);
+    rx->dht_heap_node = NULL;
+    GNUNET_assert (NULL != rx);
+    fail_resolution (rx);
+  }
+}
+
+
+/**
+ * Process a records that were decrypted from a block that we got from
+ * the namecache.  Simply calls #handle_gns_resolution_result().
+ *
+ * @param cls closure with the `struct GNS_ResolverHandle`
+ * @param rd_count number of entries in @a rd array
+ * @param rd array of records with data to store
+ */
+static void
+handle_gns_namecache_resolution_result (void *cls,
+                                        unsigned int rd_count,
+                                        const struct GNUNET_GNSRECORD_Data *rd)
+{
+  struct GNS_ResolverHandle *rh = cls;
+
+  if (0 == rd_count)
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                _ ("GNS namecache returned empty result for `%s'\n"),
+                rh->name);
+  handle_gns_resolution_result (rh,
+                                rd_count,
+                                rd);
+}
+
+
+/**
+ * Process a record that was stored in the namecache.
+ *
+ * @param cls closure with the `struct GNS_ResolverHandle`
+ * @param block block that was stored in the namecache
+ */
+static void
+handle_namecache_block_response (void *cls,
+                                 const struct GNUNET_GNSRECORD_Block *block)
+{
+  struct GNS_ResolverHandle *rh = cls;
+  struct AuthorityChain *ac = rh->ac_tail;
+  const char *label = ac->label;
+  const struct GNUNET_CRYPTO_PublicKey *auth =
+    &ac->authority_info.gns_authority;
+  struct GNUNET_HashCode query;
+
+  GNUNET_assert (NULL != rh->namecache_qe);
+  rh->namecache_qe = NULL;
+  if (NULL == block)
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "No block found\n");
+  else
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Got block with expiration %s\n",
+                GNUNET_STRINGS_absolute_time_to_string (
+                  GNUNET_GNSRECORD_block_get_expiration (block)));
+  if (((GNUNET_GNS_LO_DEFAULT == rh->options) ||
+       ((GNUNET_GNS_LO_LOCAL_MASTER == rh->options) &&
+        (ac != rh->ac_head))) &&
+      ((NULL == block) ||
+       (0 == GNUNET_TIME_absolute_get_remaining (
+          GNUNET_GNSRECORD_block_get_expiration (block)).
+        rel_value_us)))
+  {
+    /* namecache knows nothing; try DHT lookup */
+    GNUNET_GNSRECORD_query_from_public_key (auth,
+                                            label,
+                                            &query);
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Starting DHT lookup for `%s' in zone `%s' under key `%s'\n",
+                ac->label,
+                GNUNET_GNSRECORD_z2s (&ac->authority_info.gns_authority),
+                GNUNET_h2s (&query));
+    start_dht_request (rh, &query);
+    return;
+  }
+
+  if ((NULL == block) ||
+      (0 == GNUNET_TIME_absolute_get_remaining (
+         GNUNET_GNSRECORD_block_get_expiration (block)).
+       rel_value_us))
+  {
+    /* DHT not permitted and no local result, fail */
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Resolution failed for `%s' in zone %s (DHT lookup not permitted by configuration)\n",
+                ac->label,
+                GNUNET_GNSRECORD_z2s (&ac->authority_info.gns_authority));
+    fail_resolution (rh);
+    return;
+  }
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Received result from namecache for label `%s'\n",
+              ac->label);
+
+  if (GNUNET_OK !=
+      GNUNET_GNSRECORD_block_decrypt (block,
+                                      auth,
+                                      label,
+                                      &handle_gns_namecache_resolution_result,
+                                      rh))
+  {
+    GNUNET_break_op (0);  /* block was ill-formed */
+    /* try DHT instead */
+    GNUNET_GNSRECORD_query_from_public_key (auth,
+                                            label,
+                                            &query);
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Starting DHT lookup for `%s' in zone `%s' under key `%s'\n",
+                ac->label,
+                GNUNET_GNSRECORD_z2s (&ac->authority_info.gns_authority),
+                GNUNET_h2s (&query));
+    start_dht_request (rh, &query);
+    return;
+  }
+}
+
+
+/**
+ * Lookup tail of our authority chain in the namecache.
+ *
+ * @param rh query we are processing
+ */
+static void
+recursive_gns_resolution_namecache (struct GNS_ResolverHandle *rh)
+{
+  struct AuthorityChain *ac = rh->ac_tail;
+  struct GNUNET_HashCode query;
+
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Starting GNS resolution for `%s' in zone %s\n",
+              ac->label,
+              GNUNET_GNSRECORD_z2s (&ac->authority_info.gns_authority));
+  GNUNET_GNSRECORD_query_from_public_key (&ac->authority_info.gns_authority,
+                                          ac->label,
+                                          &query);
+  if (GNUNET_YES != disable_cache)
+  {
+    rh->namecache_qe
+      = GNUNET_NAMECACHE_lookup_block (namecache_handle,
+                                       &query,
+                                       &handle_namecache_block_response,
+                                       rh);
+    GNUNET_assert (NULL != rh->namecache_qe);
+  }
+  else
+  {
+    start_dht_request (rh,
+                       &query);
+  }
+}
+
+
+/**
+ * Function called with the result from a revocation check.
+ *
+ * @param cls the `struct GNS_ResovlerHandle`
+ * @param is_valid #GNUNET_YES if the zone was not yet revoked
+ */
+static void
+handle_revocation_result (void *cls,
+                          int is_valid)
+{
+  struct GNS_ResolverHandle *rh = cls;
+  struct AuthorityChain *ac = rh->ac_tail;
+
+  rh->rev_check = NULL;
+  if (GNUNET_YES != is_valid)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                _ ("Zone %s was revoked, resolution fails\n"),
+                GNUNET_GNSRECORD_z2s (&ac->authority_info.gns_authority));
+    fail_resolution (rh);
+    return;
+  }
+  recursive_gns_resolution_namecache (rh);
+}
+
+
+/**
+ * Perform revocation check on tail of our authority chain.
+ *
+ * @param rh query we are processing
+ */
+static void
+recursive_gns_resolution_revocation (struct GNS_ResolverHandle *rh)
+{
+  struct AuthorityChain *ac = rh->ac_tail;
+
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Starting revocation check for zone %s\n",
+              GNUNET_GNSRECORD_z2s (&ac->authority_info.gns_authority));
+  rh->rev_check = GNUNET_REVOCATION_query (cfg,
+                                           &ac->authority_info.gns_authority,
+                                           &handle_revocation_result,
+                                           rh);
+  GNUNET_assert (NULL != rh->rev_check);
+}
+
+
+static void
+recursive_resolution (void *cls)
+{
+  struct GNS_ResolverHandle *rh = cls;
+
+  rh->task_id = NULL;
+  if (rh->loop_threshold < rh->loop_limiter++)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                "Encountered unbounded recursion resolving `%s'\n",
+                rh->name);
+    fail_resolution (rh);
+    return;
+  }
+  if (GNUNET_YES == rh->ac_tail->gns_authority)
+    recursive_gns_resolution_revocation (rh);
+  else
+    recursive_dns_resolution (rh);
+}
+
+
+static void
+start_resolver_lookup (void *cls)
+{
+  struct GNS_ResolverHandle *rh = cls;
+  struct AuthorityChain *ac;
+  struct in_addr v4;
+  struct in6_addr v6;
+
+  rh->task_id = NULL;
+  if (1 == inet_pton (AF_INET,
+                      rh->name,
+                      &v4))
+  {
+    /* name is IPv4 address, pretend it's an A record */
+    struct GNUNET_GNSRECORD_Data rd;
+
+    rd.data = &v4;
+    rd.data_size = sizeof(v4);
+    rd.expiration_time = UINT64_MAX;
+    rd.record_type = GNUNET_DNSPARSER_TYPE_A;
+    rd.flags = 0;
+    rh->proc (rh->proc_cls,
+              1,
+              &rd);
+    GNUNET_assert (NULL == rh->task_id);
+    rh->task_id = GNUNET_SCHEDULER_add_now (&GNS_resolver_lookup_cancel_,
+                                            rh);
+    return;
+  }
+  if (1 == inet_pton (AF_INET6,
+                      rh->name,
+                      &v6))
+  {
+    /* name is IPv6 address, pretend it's an AAAA record */
+    struct GNUNET_GNSRECORD_Data rd;
+
+    rd.data = &v6;
+    rd.data_size = sizeof(v6);
+    rd.expiration_time = UINT64_MAX;
+    rd.record_type = GNUNET_DNSPARSER_TYPE_AAAA;
+    rd.flags = 0;
+    rh->proc (rh->proc_cls,
+              1,
+              &rd);
+    GNUNET_assert (NULL == rh->task_id);
+    rh->task_id = GNUNET_SCHEDULER_add_now (&GNS_resolver_lookup_cancel_,
+                                            rh);
+    return;
+  }
+
+  ac = GNUNET_new (struct AuthorityChain);
+  ac->rh = rh;
+  ac->label = resolver_lookup_get_next_label (rh);
+  if (NULL == ac->label)
+    /* name was just the "TLD", so we default to label
+     #GNUNET_GNS_EMPTY_LABEL_AT */
+    ac->label = GNUNET_strdup (GNUNET_GNS_EMPTY_LABEL_AT);
+  ac->gns_authority = GNUNET_YES;
+  ac->authority_info.gns_authority = rh->authority_zone;
+  GNUNET_CONTAINER_DLL_insert_tail (rh->ac_head,
+                                    rh->ac_tail,
+                                    ac);
+  rh->task_id = GNUNET_SCHEDULER_add_now (&recursive_resolution,
+                                          rh);
+}
+
+
+/**
+ * Lookup of a record in a specific zone calls lookup result processor
+ * on result.
+ *
+ * @param zone the zone to perform the lookup in
+ * @param record_type the record type to look up
+ * @param name the name to look up
+ * @param options local options to control local lookup
+ * @param recursion_depth_limit how many zones to traverse
+ *        at most
+ * @param proc the processor to call on result
+ * @param proc_cls the closure to pass to @a proc
+ * @return handle to cancel operation
+ */
+struct GNS_ResolverHandle *
+GNS_resolver_lookup (const struct GNUNET_CRYPTO_PublicKey *zone,
+                     uint32_t record_type,
+                     const char *name,
+                     enum GNUNET_GNS_LocalOptions options,
+                     uint16_t recursion_depth_limit,
+                     GNS_ResultProcessor proc,
+                     void *proc_cls)
+{
+  struct GNS_ResolverHandle *rh;
+
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Starting lookup for `%s'\n",
+              name);
+  rh = GNUNET_new (struct GNS_ResolverHandle);
+  GNUNET_CONTAINER_DLL_insert (rlh_head,
+                               rlh_tail,
+                               rh);
+  rh->authority_zone = *zone;
+  rh->proc = proc;
+  rh->proc_cls = proc_cls;
+  rh->options = options;
+  rh->record_type = record_type;
+  rh->name = GNUNET_strdup (name);
+  rh->name_resolution_pos = strlen (name);
+  rh->loop_threshold = recursion_depth_limit;
+  rh->task_id = GNUNET_SCHEDULER_add_now (&start_resolver_lookup,
+                                          rh);
+  return rh;
+}
+
+
+/**
+ * Cancel active resolution (i.e. client disconnected).
+ *
+ * @param rh resolution to abort
+ */
+void
+GNS_resolver_lookup_cancel (struct GNS_ResolverHandle *rh)
+{
+  struct DnsResult *dr;
+  struct AuthorityChain *ac;
+
+  GNUNET_CONTAINER_DLL_remove (rlh_head,
+                               rlh_tail,
+                               rh);
+  if (NULL != rh->dns_request)
+  {
+    GNUNET_DNSSTUB_resolve_cancel (rh->dns_request);
+    rh->dns_request = NULL;
+  }
+  while (NULL != (ac = rh->ac_head))
+  {
+    GNUNET_CONTAINER_DLL_remove (rh->ac_head,
+                                 rh->ac_tail,
+                                 ac);
+    if (GNUNET_NO == ac->gns_authority)
+    {
+      struct Gns2DnsPending *gp;
+
+      while (NULL != (gp = ac->authority_info.dns_authority.gp_head))
+      {
+        GNUNET_CONTAINER_DLL_remove (ac->authority_info.dns_authority.gp_head,
+                                     ac->authority_info.dns_authority.gp_tail,
+                                     gp);
+        if (NULL != gp->rh)
+        {
+          /* rh->g2dc->rh is NOT in the DLL yet, so to enable us
+             using GNS_resolver_lookup_cancel here, we need to
+             add it first... */
+          GNUNET_CONTAINER_DLL_insert (rlh_head,
+                                       rlh_tail,
+                                       gp->rh);
+          GNUNET_assert (NULL == gp->rh->task_id);
+          gp->rh->task_id = GNUNET_SCHEDULER_add_now (
+            &GNS_resolver_lookup_cancel_,
+            gp->rh);
+          gp->rh = NULL;
+        }
+        if (NULL != gp->dns_rh)
+        {
+          GNUNET_RESOLVER_request_cancel (gp->dns_rh);
+          gp->dns_rh = NULL;
+        }
+        GNUNET_free (gp);
+      }
+      GNUNET_DNSSTUB_stop (ac->authority_info.dns_authority.dns_handle);
+    }
+    GNUNET_free (ac->label);
+    GNUNET_free (ac);
+  }
+  if (NULL != rh->task_id)
+  {
+    GNUNET_SCHEDULER_cancel (rh->task_id);
+    rh->task_id = NULL;
+  }
+  if (NULL != rh->get_handle)
+  {
+    GNUNET_DHT_get_stop (rh->get_handle);
+    rh->get_handle = NULL;
+  }
+  if (NULL != rh->dht_heap_node)
+  {
+    GNUNET_CONTAINER_heap_remove_node (rh->dht_heap_node);
+    rh->dht_heap_node = NULL;
+  }
+  if (NULL != rh->namecache_qe)
+  {
+    GNUNET_NAMECACHE_cancel (rh->namecache_qe);
+    rh->namecache_qe = NULL;
+  }
+  if (NULL != rh->rev_check)
+  {
+    GNUNET_REVOCATION_query_cancel (rh->rev_check);
+    rh->rev_check = NULL;
+  }
+  if (NULL != rh->std_resolve)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                "Canceling standard DNS resolution\n");
+    GNUNET_RESOLVER_request_cancel (rh->std_resolve);
+    rh->std_resolve = NULL;
+  }
+  while (NULL != (dr = rh->dns_result_head))
+  {
+    GNUNET_CONTAINER_DLL_remove (rh->dns_result_head,
+                                 rh->dns_result_tail,
+                                 dr);
+    GNUNET_free (dr);
+  }
+  if (NULL != rh->prefix)
+  {
+    GNUNET_free (rh->prefix);
+    rh->prefix = NULL;
+  }
+  GNUNET_free (rh->leho);
+  GNUNET_free (rh->name);
+  GNUNET_free (rh);
+}
+
+
+/* ***************** Resolver initialization ********************* */
+
+
+/**
+ * Initialize the resolver
+ *
+ * @param nc the namecache handle
+ * @param dht the dht handle
+ * @param c configuration handle
+ * @param max_bg_queries maximum number of parallel background queries in dht
+ */
+void
+GNS_resolver_init (struct GNUNET_NAMECACHE_Handle *nc,
+                   struct GNUNET_DHT_Handle *dht,
+                   const struct GNUNET_CONFIGURATION_Handle *c,
+                   unsigned long long max_bg_queries)
+{
+  cfg = c;
+  namecache_handle = nc;
+  dht_handle = dht;
+  dht_lookup_heap =
+    GNUNET_CONTAINER_heap_create (GNUNET_CONTAINER_HEAP_ORDER_MIN);
+  max_allowed_background_queries = max_bg_queries;
+  disable_cache = GNUNET_CONFIGURATION_get_value_yesno (cfg,
+                                                        "namecache",
+                                                        "DISABLE");
+  if (GNUNET_YES == disable_cache)
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                "Namecache disabled\n");
+}
+
+
+/**
+ * Shutdown resolver
+ */
+void
+GNS_resolver_done ()
+{
+  struct GNS_ResolverHandle *rh;
+  struct CacheOps *co;
+
+  /* abort active resolutions */
+  while (NULL != (rh = rlh_head))
+  {
+    rh->proc (rh->proc_cls,
+              0,
+              NULL);
+    GNS_resolver_lookup_cancel (rh);
+  }
+  while (NULL != (co = co_head))
+  {
+    GNUNET_CONTAINER_DLL_remove (co_head,
+                                 co_tail,
+                                 co);
+    GNUNET_NAMECACHE_cancel (co->namecache_qe_cache);
+    GNUNET_free (co);
+  }
+  GNUNET_CONTAINER_heap_destroy (dht_lookup_heap);
+  dht_lookup_heap = NULL;
+  dht_handle = NULL;
+  namecache_handle = NULL;
+}
+
+
+/* end of gnunet-service-gns_resolver.c */
diff --git a/src/service/gns/gnunet-service-gns_resolver.h b/src/service/gns/gnunet-service-gns_resolver.h
new file mode 100644
index 000000000..908af58e7
--- /dev/null
+++ b/src/service/gns/gnunet-service-gns_resolver.h
@@ -0,0 +1,106 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2009-2020 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+/**
+ * @file gns/gnunet-service-gns_resolver.h
+ * @brief GNUnet GNS service
+ * @author Martin Schanzenbach
+ */
+#ifndef GNS_RESOLVER_H
+#define GNS_RESOLVER_H
+#include "gns.h"
+#include "gnunet_dht_service.h"
+#include "gnunet_gns_service.h"
+#include "gnunet_namecache_service.h"
+
+/**
+ * Initialize the resolver subsystem.
+ * MUST be called before #GNS_resolver_lookup.
+ *
+ * @param nc the namecache handle
+ * @param dht handle to the dht
+ * @param c configuration handle
+ * @param max_bg_queries maximum amount of background queries
+ */
+void
+GNS_resolver_init (struct GNUNET_NAMECACHE_Handle *nc,
+                   struct GNUNET_DHT_Handle *dht,
+                   const struct GNUNET_CONFIGURATION_Handle *c,
+                   unsigned long long max_bg_queries);
+
+
+/**
+ * Cleanup resolver: Terminate pending lookups
+ */
+void
+GNS_resolver_done (void);
+
+
+/**
+ * Handle for an active request.
+ */
+struct GNS_ResolverHandle;
+
+
+/**
+ * Function called with results for a GNS resolution.
+ *
+ * @param cls closure
+ * @param rd_count number of records in @a rd
+ * @param rd records returned for the lookup
+ */
+typedef void
+(*GNS_ResultProcessor)(void *cls,
+                       uint32_t rd_count,
+                       const struct GNUNET_GNSRECORD_Data *rd);
+
+
+/**
+ * Lookup of a record in a specific zone
+ * calls RecordLookupProcessor on result or timeout
+ *
+ * @param zone the zone to perform the lookup in
+ * @param record_type the record type to look up
+ * @param name the name to look up
+ * @param options options set to control local lookup
+ * @param recursion_depth_limit how many zones to traverse
+ *        at most
+ * @param proc the processor to call
+ * @param proc_cls the closure to pass to @a proc
+ * @return handle to cancel operation
+ */
+struct GNS_ResolverHandle *
+GNS_resolver_lookup (const struct GNUNET_CRYPTO_PublicKey *zone,
+                     uint32_t record_type,
+                     const char *name,
+                     enum GNUNET_GNS_LocalOptions options,
+                     uint16_t recursion_depth_limit,
+                     GNS_ResultProcessor proc,
+                     void *proc_cls);
+
+
+/**
+ * Cancel active resolution (i.e. client disconnected).
+ *
+ * @param rh resolution to abort
+ */
+void
+GNS_resolver_lookup_cancel (struct GNS_ResolverHandle *rh);
+
+#endif
diff --git a/src/service/gns/gnunet_w32nsp_lib.h b/src/service/gns/gnunet_w32nsp_lib.h
new file mode 100644
index 000000000..9d19ff2aa
--- /dev/null
+++ b/src/service/gns/gnunet_w32nsp_lib.h
@@ -0,0 +1,10 @@
+#if ! defined(GNUNET_W32NSP_LIB_H)
+#define GNUNET_W32NSP_LIB_H
+
+#include <basetyps.h>
+
+/* E0D24085-622C-4A93-9A0018-034469DE28DA */
+DEFINE_GUID (GNUNET_NAMESPACE_PROVIDER_DNS, 0xE0D24085L, 0x622C, 0x4A93, 0x9A,
+             0x18, 0x03, 0x44, 0x69, 0xDE, 0x28, 0xDA);
+
+#endif /* GNUNET_W32NSP_LIB_H */
diff --git a/src/service/gns/meson.build b/src/service/gns/meson.build
new file mode 100644
index 000000000..a12d7e918
--- /dev/null
+++ b/src/service/gns/meson.build
@@ -0,0 +1,113 @@
+libgnunetgns_src = ['gns_api.c', 'gns_tld_api.c']
+
+gnunetservicegns_src = ['gnunet-service-gns.c',
+  'gnunet-service-gns_resolver.c',
+  'gnunet-service-gns_interceptor.c']
+
+gnunetgnsproxy_src = ['gnunet-gns-proxy.c']
+
+configure_file(input : 'gns.conf.in',
+  output : 'gns.conf',
+  configuration : cdata,
+  install: true,
+  install_dir: pkgcfgdir)
+configure_file(input : 'tlds.conf',
+  output : 'tlds.conf',
+  configuration : cdata,
+  install: true,
+  install_dir: pkgcfgdir)
+
+if get_option('monolith')
+  foreach p : libgnunetgns_src + gnunetservicegns_src
+    gnunet_src += 'gns/' + p
+  endforeach
+endif
+
+libgnunetgns = library('gnunetgns',
+  libgnunetgns_src,
+  soversion: '0',
+  version: '0.0.0',
+  dependencies: [libgnunetutil_dep,
+    libgnunetgnsrecord_dep,
+    libgnunetidentity_dep],
+  include_directories: [incdir, configuration_inc],
+  install: true,
+  install_dir: get_option('libdir'))
+libgnunetgns_dep = declare_dependency(link_with : libgnunetgns)
+pkg.generate(libgnunetgns, url: 'https://www.gnunet.org',
+  description : 'Provides API to access the GNU Name System')
+
+executable ('gnunet-gns-proxy',
+  gnunetgnsproxy_src,
+  dependencies: [libgnunetgns_dep,
+    libgnunetutil_dep,
+    mhd_dep,
+    idn_dep,
+    curl_dep,
+    gnutls_dep,
+    libgnunetidentity_dep],
+  include_directories: [incdir, configuration_inc],
+  install: true,
+  install_dir: get_option('libdir') / 'gnunet' / 'libexec')
+
+executable ('gnunet-service-gns',
+  gnunetservicegns_src,
+  dependencies: [libgnunetgns_dep,
+    libgnunetutil_dep,
+    libgnunetstatistics_dep,
+    libgnunetcore_dep,
+    libgnunetdht_dep,
+    libgnunetdns_dep,
+    idn_dep,
+    libgnunetidentity_dep,
+    libgnunetnamecache_dep,
+    libgnunetrevocation_dep,
+    libgnunetgnsrecord_dep,
+    libgnunetcadet_dep,
+    libgnunetblock_dep],
+  include_directories: [incdir, configuration_inc],
+  install: true,
+  install_dir: get_option('libdir') / 'gnunet' / 'libexec')
+executable ('gnunet-bcd',
+  ['gnunet-bcd.c'],
+  dependencies: [libgnunetgns_dep,
+    libgnunetutil_dep,
+    libgnunetstatistics_dep,
+    libgnunetcore_dep,
+    libgnunetdht_dep,
+    libgnunetdns_dep,
+    mhd_dep,
+    idn_dep,
+    libgnunetidentity_dep,
+    libgnunetnamecache_dep,
+    libgnunetrevocation_dep,
+    libgnunetgnsrecord_dep,
+    libgnunetcadet_dep,
+    libgnunetblock_dep],
+  include_directories: [incdir, configuration_inc],
+  install: true,
+  install_dir: get_option('libdir') / 'gnunet' / 'libexec')
+executable ('gnunet-dns2gns',
+  ['gnunet-dns2gns.c'],
+  dependencies: [libgnunetgns_dep,
+    libgnunetutil_dep,
+    libgnunetstatistics_dep,
+    libgnunetvpn_dep,
+    libgnunetcore_dep,
+    libgnunetdht_dep,
+    libgnunetdns_dep,
+    idn_dep,
+    libgnunetidentity_dep,
+    libgnunetnamecache_dep,
+    libgnunetrevocation_dep,
+    libgnunetgnsrecord_dep,
+    libgnunetcadet_dep,
+    libgnunetblock_dep],
+  include_directories: [incdir, configuration_inc],
+  install: true,
+  install_dir: get_option('libdir') / 'gnunet' / 'libexec')
+
+
+if have_nss
+  subdir('nss')
+endif
diff --git a/src/service/gns/nss/Makefile.am b/src/service/gns/nss/Makefile.am
new file mode 100644
index 000000000..af0a8a2e2
--- /dev/null
+++ b/src/service/gns/nss/Makefile.am
@@ -0,0 +1,43 @@
+# This Makefile.am is in the public domain
+# $Id$
+#
+# This file taken and modified from nss-gns.
+#
+# nss-gns is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 3 of the
+# License, or (at your option) any later version.
+#
+# nss-gns is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with nss-gns; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
+# USA.
+
+EXTRA_DIST = map-file
+
+AM_LDFLAGS=-avoid-version -module -export-dynamic
+
+lib_LTLIBRARIES = \
+        libnss_gns.la \
+        libnss_gns4.la \
+        libnss_gns6.la
+
+sources = nss_gns_query.h nss_gns_query.c
+
+# GNU Libc
+libnss_gns_la_SOURCES= $(sources) nss_gns.c
+libnss_gns_la_CFLAGS=$(AM_CFLAGS) -D_GNU_SOURCE
+libnss_gns_la_LDFLAGS=$(AM_LDFLAGS) -shrext .so.2 -Wl,-version-script=$(srcdir)/map-file
+
+libnss_gns4_la_SOURCES=$(libnss_gns_la_SOURCES)
+libnss_gns4_la_CFLAGS=$(libnss_gns_la_CFLAGS) -DNSS_IPV4_ONLY=1
+libnss_gns4_la_LDFLAGS=$(libnss_gns_la_LDFLAGS)
+
+libnss_gns6_la_SOURCES=$(libnss_gns_la_SOURCES)
+libnss_gns6_la_CFLAGS=$(libnss_gns_la_CFLAGS) -DNSS_IPV6_ONLY=1
+libnss_gns6_la_LDFLAGS=$(libnss_gns_la_LDFLAGS)
diff --git a/src/service/gns/nss/map-file b/src/service/gns/nss/map-file
new file mode 100644
index 000000000..476d0ac3e
--- /dev/null
+++ b/src/service/gns/nss/map-file
@@ -0,0 +1,14 @@
+NSSGNS_0 {
+global:
+_nss_gns_gethostbyaddr_r;
+_nss_gns4_gethostbyaddr_r;
+_nss_gns6_gethostbyaddr_r;
+_nss_gns_gethostbyname_r;         
+_nss_gns4_gethostbyname_r;
+_nss_gns6_gethostbyname_r;
+_nss_gns_gethostbyname2_r;         
+_nss_gns4_gethostbyname2_r;
+_nss_gns6_gethostbyname2_r;
+local: 
+*;
+};
diff --git a/src/service/gns/nss/meson.build b/src/service/gns/nss/meson.build
new file mode 100644
index 000000000..7fd00ceb1
--- /dev/null
+++ b/src/service/gns/nss/meson.build
@@ -0,0 +1,34 @@
+# FIXME:
+#
+# EXTRA_DIST = map-file
+# AM_LDFLAGS=-avoid-version -module -export-dynamic
+#
+shared_library('nss_gns',
+               ['nss_gns_query.c', 'nss_gns.c'],
+               soversion: '2',
+               dependencies: [libgnunetutil_dep,
+                             libgnunetgnsrecord_dep],
+               #link_args: ['-fno-version', '-module', '-export-dynamic', '-shrext', '.so.2', '-W', 'l'],
+               include_directories: [incdir, configuration_inc],
+               install: true,
+               install_dir: get_option('libdir'))
+shared_library('nss_gns4',
+               ['nss_gns_query.c', 'nss_gns.c'],
+               soversion: '2',
+               c_args: ['-DNSS_IPV4_ONLY=1'],
+               dependencies: [libgnunetutil_dep,
+                             libgnunetgnsrecord_dep],
+               #link_args: ['-fno-version', '-module', '-export-dynamic', '-shrext', '.so.2', '-W', 'l'],
+               include_directories: [incdir, configuration_inc],
+               install: true,
+               install_dir: get_option('libdir'))
+shared_library('nss_gns6',
+               ['nss_gns_query.c', 'nss_gns.c'],
+               c_args: ['-DNSS_IPV6_ONLY=1'],
+               soversion: '2',
+               dependencies: [libgnunetutil_dep,
+                             libgnunetgnsrecord_dep],
+               #link_args: ['-fno-version', '-module', '-export-dynamic', '-shrext', '.so.2', '-W', 'l'],
+               include_directories: [incdir, configuration_inc],
+               install: true,
+               install_dir: get_option('libdir'))
diff --git a/src/service/gns/nss/nss_gns.c b/src/service/gns/nss/nss_gns.c
new file mode 100644
index 000000000..b05cfff55
--- /dev/null
+++ b/src/service/gns/nss/nss_gns.c
@@ -0,0 +1,252 @@
+/***
+    This file is part of nss-gns.
+
+    Parts taken from: nss.c in nss-mdns
+
+    nss-mdns is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published
+    by the Free Software Foundation; either version 3 of the License,
+    or (at your option) any later version.
+
+    nss-mdns is distributed in the hope that it will be useful, but1
+    WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+    General Public License for more details.
+
+    You should have received a copy of the GNU Lesser General Public License
+    along with nss-mdns; if not, write to the Free Software
+    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
+    USA.
+ ***/
+
+#include <gnunet_private_config.h>
+#include <unistd.h>
+#include <errno.h>
+#include <string.h>
+#include <assert.h>
+#include <netdb.h>
+#include <sys/socket.h>
+#include <nss.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include "nss_gns_query.h"
+
+#include <arpa/inet.h>
+
+/** macro to align idx to 32bit boundary */
+#define ALIGN(idx) do { \
+    if (idx % sizeof(void*)) \
+    idx += (sizeof(void*) - idx % sizeof(void*));   /* Align on 32 bit boundary */ \
+} while (0)
+
+
+/**
+ * The gethostbyname hook executed by nsswitch
+ *
+ * @param name the name to resolve
+ * @param af the address family to resolve
+ * @param result the result hostent
+ * @param buffer the result buffer
+ * @param buflen length of the buffer
+ * @param errnop idk
+ * @param h_errnop idk
+ * @return a nss_status code
+ */
+enum nss_status
+_nss_gns_gethostbyname2_r (const char *name,
+                           int af,
+                           struct hostent *result,
+                           char *buffer,
+                           size_t buflen,
+                           int *errnop,
+                           int *h_errnop)
+{
+  struct userdata u;
+  enum nss_status status = NSS_STATUS_UNAVAIL;
+  int i;
+  size_t address_length;
+  size_t l;
+  size_t idx;
+  size_t astart;
+
+  if (af == AF_UNSPEC)
+#ifdef NSS_IPV6_ONLY
+    af = AF_INET6;
+#else
+    af = AF_INET;
+#endif
+
+#ifdef NSS_IPV4_ONLY
+  if (af != AF_INET)
+#elif NSS_IPV6_ONLY
+  if (af != AF_INET6)
+#else
+  if ((af != AF_INET) &&
+      (af != AF_INET6))
+#endif
+  {
+    *errnop = EINVAL;
+    *h_errnop = NO_RECOVERY;
+
+    goto finish;
+  }
+
+  address_length = (af == AF_INET) ? sizeof(ipv4_address_t) :
+                   sizeof(ipv6_address_t);
+  if (buflen <
+      sizeof(char*)       /* alias names */
+      + strlen (name) + 1)
+  {   /* official name */
+    *errnop = ERANGE;
+    *h_errnop = NO_RECOVERY;
+    status = NSS_STATUS_TRYAGAIN;
+
+    goto finish;
+  }
+  u.count = 0;
+  u.data_len = 0;
+  i = gns_resolve_name (af,
+                        name,
+                        &u);
+  if (-1 == i)
+  {
+    *errnop = errno;
+    status = NSS_STATUS_UNAVAIL;
+    *h_errnop = NO_RECOVERY;
+    goto finish;
+  }
+  if (-2 == i)
+  {
+    *errnop = ENOENT;
+    *h_errnop = NO_RECOVERY;
+    status = NSS_STATUS_UNAVAIL;
+    goto finish;
+  }
+  if (-3 == i)
+  {
+    *errnop = ETIMEDOUT;
+    *h_errnop = HOST_NOT_FOUND;
+    status = NSS_STATUS_NOTFOUND;
+    goto finish;
+  }
+  if (0 == u.count)
+  {
+    *errnop = 0;   /* success */
+    *h_errnop = NO_DATA;   /* success */
+    status = NSS_STATUS_NOTFOUND;
+    goto finish;
+  }
+  /* Alias names */
+  *((char **) buffer) = NULL;
+  result->h_aliases = (char **) buffer;
+  idx = sizeof(char*);
+
+  /* Official name */
+  strcpy (buffer + idx,
+          name);
+  result->h_name = buffer + idx;
+  idx += strlen (name) + 1;
+
+  ALIGN (idx);
+
+  result->h_addrtype = af;
+  result->h_length = address_length;
+
+  /* Check if there's enough space for the addresses */
+  if (buflen < idx + u.data_len + sizeof(char*) * (u.count + 1))
+  {
+    *errnop = ERANGE;
+    *h_errnop = NO_RECOVERY;
+    status = NSS_STATUS_TRYAGAIN;
+    goto finish;
+  }
+  /* Addresses */
+  astart = idx;
+  l = u.count * address_length;
+  if (0 != l)
+    memcpy (buffer + astart,
+            &u.data,
+            l);
+  /* address_length is a multiple of 32bits, so idx is still aligned
+   * correctly */
+  idx += l;
+
+  /* Address array address_length is always a multiple of 32bits */
+  for (i = 0; i < u.count; i++)
+    ((char **) (buffer + idx))[i] = buffer + astart + address_length * i;
+  ((char **) (buffer + idx))[i] = NULL;
+  result->h_addr_list = (char **) (buffer + idx);
+
+  status = NSS_STATUS_SUCCESS;
+
+finish:
+  return status;
+}
+
+
+/**
+ * The gethostbyname hook executed by nsswitch
+ *
+ * @param name the name to resolve
+ * @param result the result hostent
+ * @param buffer the result buffer
+ * @param buflen length of the buffer
+ * @param[out] errnop the low-level error code to return to the application
+ * @param h_errnop idk
+ * @return a nss_status code
+ */
+enum nss_status
+_nss_gns_gethostbyname_r (const char *name,
+                          struct hostent *result,
+                          char *buffer,
+                          size_t buflen,
+                          int *errnop,
+                          int *h_errnop)
+{
+  return _nss_gns_gethostbyname2_r (name,
+                                    AF_UNSPEC,
+                                    result,
+                                    buffer,
+                                    buflen,
+                                    errnop,
+                                    h_errnop);
+}
+
+
+/**
+ * The gethostbyaddr hook executed by nsswitch
+ * We can't do this so we always return NSS_STATUS_UNAVAIL
+ *
+ * @param addr the address to resolve
+ * @param len the length of the address
+ * @param af the address family of the address
+ * @param result the result hostent
+ * @param buffer the result buffer
+ * @param buflen length of the buffer
+ * @param[out] errnop the low-level error code to return to the application
+ * @param h_errnop idk
+ * @return NSS_STATUS_UNAVAIL
+ */
+enum nss_status
+_nss_gns_gethostbyaddr_r (const void*addr,
+                          int len,
+                          int af,
+                          struct hostent *result,
+                          char *buffer,
+                          size_t buflen,
+                          int *errnop,
+                          int *h_errnop)
+{
+  (void) addr;
+  (void) len;
+  (void) af;
+  (void) result;
+  (void) buffer;
+  (void) buflen;
+  *errnop = EINVAL;
+  *h_errnop = NO_RECOVERY;
+  /* NOTE we allow to leak this into DNS so no NOTFOUND */
+  return NSS_STATUS_UNAVAIL;
+}
diff --git a/src/service/gns/nss/nss_gns_query.c b/src/service/gns/nss/nss_gns_query.c
new file mode 100644
index 000000000..96e8e10da
--- /dev/null
+++ b/src/service/gns/nss/nss_gns_query.c
@@ -0,0 +1,164 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2012 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include "nss_gns_query.h"
+#include <arpa/inet.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <netinet/in.h>
+#include <errno.h>
+#include <unistd.h>
+#include <signal.h>
+
+#define TIMEOUT "5s"
+
+static void
+kwait (pid_t chld)
+{
+  int ret;
+
+  kill (chld, SIGKILL);
+  waitpid (chld, &ret, 0);
+}
+
+
+/**
+ * Wrapper function that uses gnunet-gns cli tool to resolve
+ * an IPv4/6 address.
+ *
+ * @param af address family
+ * @param name the name to resolve
+ * @param u the userdata (result struct)
+ * @return -1 on internal error,
+ *         -2 if request is not for GNS,
+ *         -3 on timeout,
+ *          else 0
+ */
+int
+gns_resolve_name (int af, const char *name, struct userdata *u)
+{
+  FILE *p;
+  char line[128];
+  int ret;
+  int retry = 0;
+  int out[2];
+  pid_t pid;
+
+  if (0 == getuid ())
+    return -2; /* GNS via NSS is NEVER for root */
+
+query_gns:
+  if (0 != pipe (out))
+    return -1;
+  pid = fork ();
+  if (-1 == pid)
+    return -1;
+  if (0 == pid)
+  {
+    char *argv[] = { "gnunet-gns",
+                     "-r", /* Raw output for easier parsing */
+                     "-d", /* DNS compatibility (allow IDNA names, no UTF-8) */
+                     "-t",
+                     (AF_INET6 == af) ? "AAAA" : "A",
+                     "-u",
+                     (char *) name,
+                     "-T",
+                     TIMEOUT,
+                     NULL };
+
+    (void) close (STDOUT_FILENO);
+    if ((0 != close (out[0])) ||
+        (STDOUT_FILENO != dup2 (out[1], STDOUT_FILENO)))
+      _exit (1);
+    (void) execvp ("gnunet-gns", argv);
+    _exit (1);
+  }
+  (void) close (out[1]);
+  p = fdopen (out[0], "r");
+  if (NULL == p)
+  {
+    kwait (pid);
+    return -1;
+  }
+  while (NULL != fgets (line, sizeof(line), p))
+  {
+    if (u->count >= MAX_ENTRIES)
+      break;
+    if (line[strlen (line) - 1] == '\n')
+    {
+      line[strlen (line) - 1] = '\0';
+      if (AF_INET == af)
+      {
+        if (inet_pton (af, line, &u->data.ipv4[u->count]))
+        {
+          u->count++;
+          u->data_len += sizeof(ipv4_address_t);
+        }
+        else
+        {
+          (void) fclose (p);
+          kwait (pid);
+          errno = EINVAL;
+          return -1;
+        }
+      }
+      else if (AF_INET6 == af)
+      {
+        if (inet_pton (af, line, &u->data.ipv6[u->count]))
+        {
+          u->count++;
+          u->data_len += sizeof(ipv6_address_t);
+        }
+        else
+        {
+          (void) fclose (p);
+          kwait (pid);
+          errno = EINVAL;
+          return -1;
+        }
+      }
+    }
+  }
+  (void) fclose (p);
+  waitpid (pid, &ret, 0);
+  if (! WIFEXITED (ret))
+    return -1;
+  if (4 == WEXITSTATUS (ret))
+    return -2; /* not for GNS */
+  if (5 == WEXITSTATUS (ret))
+  {
+    if (1 == retry)
+      return -2; /* no go -> service unavailable */
+    retry = 1;
+    system ("gnunet-arm -s");
+    goto query_gns; /* Try again */
+  }
+  if (3 == WEXITSTATUS (ret))
+    return -2; /* timeout -> service unavailable */
+  if ((2 == WEXITSTATUS (ret)) || (1 == WEXITSTATUS (ret)))
+    return -2; /* launch failure -> service unavailable */
+  return 0;
+}
+
+
+/* end of nss_gns_query.c */
diff --git a/src/service/gns/nss/nss_gns_query.h b/src/service/gns/nss/nss_gns_query.h
new file mode 100644
index 000000000..43bf21646
--- /dev/null
+++ b/src/service/gns/nss/nss_gns_query.h
@@ -0,0 +1,73 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2012 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+#ifndef NSS_GNS_QUERY_H
+#define NSS_GNS_QUERY_H
+
+/**
+ * Parts taken from nss-mdns
+ */
+#include <inttypes.h>
+
+/* Maximum number of entries to return */
+#define MAX_ENTRIES 16
+
+typedef struct
+{
+  uint32_t address;
+} ipv4_address_t;
+
+
+typedef struct
+{
+  uint8_t address[16];
+} ipv6_address_t;
+
+
+struct userdata
+{
+  int count;
+  int data_len; /* only valid when doing reverse lookup */
+  union
+  {
+    ipv4_address_t ipv4[MAX_ENTRIES];
+    ipv6_address_t ipv6[MAX_ENTRIES];
+    char *name[MAX_ENTRIES];
+  } data;
+};
+
+
+/**
+ * Wrapper function that uses gnunet-gns cli tool to resolve
+ * an IPv4/6 address.
+ *
+ * @param af address family
+ * @param name the name to resolve
+ * @param u the userdata (result struct)
+ * @return -1 on internal error,
+ *         -2 if request is not for GNS,
+ *         -3 on timeout,
+ *          else 0
+ */
+int
+gns_resolve_name (int af,
+                  const char *name,
+                  struct userdata *userdata);
+
+#endif
diff --git a/src/service/gns/test_gns_proxy.c b/src/service/gns/test_gns_proxy.c
new file mode 100644
index 000000000..e09db5787
--- /dev/null
+++ b/src/service/gns/test_gns_proxy.c
@@ -0,0 +1,576 @@
+/*
+     This file is part of GNUnet
+     Copyright (C) 2007, 2009, 2011, 2012 Christian Grothoff
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @file test_gns_proxy.c
+ * @brief testcase for accessing SOCKS5 GNS proxy
+ * @author Martin Schanzenbach
+ */
+#include "platform.h"
+/* Just included for the right curl.h */
+#include "gnunet_curl_lib.h"
+#include <microhttpd.h>
+#include "gnunet_util_lib.h"
+#include "gnutls/x509.h"
+
+/**
+ * Largest allowed size for a PEM certificate.
+ */
+#define MAX_PEM_SIZE (10 * 1024)
+
+#define TEST_DOMAIN "www.test"
+
+#define TIMEOUT GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_SECONDS, 300)
+
+/**
+ * Return value for 'main'.
+ */
+static int global_ret;
+
+
+static struct MHD_Daemon *mhd;
+
+static struct GNUNET_SCHEDULER_Task *mhd_task_id;
+
+static struct GNUNET_SCHEDULER_Task *curl_task_id;
+
+static CURL *curl;
+
+static CURLM *multi;
+
+static char *url;
+
+static struct GNUNET_OS_Process *proxy_proc;
+
+static char*cafile_opt;
+
+static char*cafile_srv;
+
+static uint16_t port;
+
+static gnutls_x509_crt_t proxy_cert;
+
+static gnutls_x509_privkey_t proxy_key;
+
+struct CBC
+{
+  char buf[1024];
+  size_t pos;
+};
+
+static struct CBC cbc;
+
+/**
+ * Read file in filename
+ *
+ * @param filename file to read
+ * @param size pointer where filesize is stored
+ * @return NULL on error
+ */
+static void*
+load_file (const char*filename,
+           unsigned int*size)
+{
+  void *buffer;
+  uint64_t fsize;
+
+  if (GNUNET_OK !=
+      GNUNET_DISK_file_size (filename,
+                             &fsize,
+                             GNUNET_YES,
+                             GNUNET_YES))
+    return NULL;
+  if (fsize > MAX_PEM_SIZE)
+    return NULL;
+  *size = (unsigned int) fsize;
+  buffer = GNUNET_malloc (*size);
+  if (fsize !=
+      GNUNET_DISK_fn_read (filename,
+                           buffer,
+                           (size_t) fsize))
+  {
+    GNUNET_free (buffer);
+    return NULL;
+  }
+  return buffer;
+}
+
+
+/**
+ * Load PEM key from file
+ *
+ * @param key where to store the data
+ * @param keyfile path to the PEM file
+ * @return #GNUNET_OK on success
+ */
+static int
+load_key_from_file (gnutls_x509_privkey_t key,
+                    const char*keyfile)
+{
+  gnutls_datum_t key_data;
+  int ret;
+
+  key_data.data = load_file (keyfile,
+                             &key_data.size);
+  if (NULL == key_data.data)
+    return GNUNET_SYSERR;
+  ret = gnutls_x509_privkey_import (key, &key_data,
+                                    GNUTLS_X509_FMT_PEM);
+  if (GNUTLS_E_SUCCESS != ret)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                _ ("Unable to import private key from file `%s'\n"),
+                keyfile);
+  }
+  GNUNET_free (key_data.data);
+  return (GNUTLS_E_SUCCESS != ret) ? GNUNET_SYSERR : GNUNET_OK;
+}
+
+
+/**
+ * Load cert from file
+ *
+ * @param crt struct to store data in
+ * @param certfile path to pem file
+ * @return #GNUNET_OK on success
+ */
+static int
+load_cert_from_file (gnutls_x509_crt_t crt,
+                     const char*certfile)
+{
+  gnutls_datum_t cert_data;
+  int ret;
+
+  cert_data.data = load_file (certfile,
+                              &cert_data.size);
+  if (NULL == cert_data.data)
+    return GNUNET_SYSERR;
+  ret = gnutls_x509_crt_import (crt,
+                                &cert_data,
+                                GNUTLS_X509_FMT_PEM);
+  if (GNUTLS_E_SUCCESS != ret)
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                _ ("Unable to import certificate from `%s'\n"),
+                certfile);
+  }
+  GNUNET_free (cert_data.data);
+  return (GNUTLS_E_SUCCESS != ret) ? GNUNET_SYSERR : GNUNET_OK;
+}
+
+
+static size_t
+copy_buffer (void *ptr, size_t size, size_t nmemb, void *ctx)
+{
+  struct CBC *cbc = ctx;
+
+  if (cbc->pos + size * nmemb > sizeof(cbc->buf))
+    return 0;                   /* overflow */
+  GNUNET_memcpy (&cbc->buf[cbc->pos], ptr, size * nmemb);
+  cbc->pos += size * nmemb;
+  return size * nmemb;
+}
+
+
+static enum MHD_Result
+mhd_ahc (void *cls,
+         struct MHD_Connection *connection,
+         const char *url,
+         const char *method,
+         const char *version,
+         const char *upload_data, size_t *upload_data_size,
+         void **unused)
+{
+  static int ptr;
+  struct MHD_Response *response;
+  int ret;
+
+  if (0 != strcmp ("GET", method))
+    return MHD_NO;              /* unexpected method */
+  if (&ptr != *unused)
+  {
+    *unused = &ptr;
+    return MHD_YES;
+  }
+  *unused = NULL;
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "MHD sends response for request to URL `%s'\n", url);
+  response = MHD_create_response_from_buffer (strlen (url),
+                                              (void *) url,
+                                              MHD_RESPMEM_MUST_COPY);
+  ret = MHD_queue_response (connection, MHD_HTTP_OK, response);
+  MHD_destroy_response (response);
+  if (ret == MHD_NO)
+  {
+    global_ret = 1;
+    abort ();
+  }
+  global_ret = 0;
+  return ret;
+}
+
+
+static void
+do_shutdown ()
+{
+  if (mhd_task_id != NULL)
+  {
+    GNUNET_SCHEDULER_cancel (mhd_task_id);
+    mhd_task_id = NULL;
+  }
+  if (curl_task_id != NULL)
+  {
+    GNUNET_SCHEDULER_cancel (curl_task_id);
+    curl_task_id = NULL;
+  }
+  if (NULL != mhd)
+  {
+    MHD_stop_daemon (mhd);
+    mhd = NULL;
+  }
+  GNUNET_free (url);
+
+  if (NULL != proxy_proc)
+  {
+    (void) GNUNET_OS_process_kill (proxy_proc, SIGKILL);
+    GNUNET_assert (GNUNET_OK == GNUNET_OS_process_wait (proxy_proc));
+    GNUNET_OS_process_destroy (proxy_proc);
+    proxy_proc = NULL;
+  }
+  url = NULL;
+  GNUNET_SCHEDULER_shutdown ();
+}
+
+
+/**
+ * Function to run the HTTP client.
+ */
+static void
+curl_main (void);
+
+
+static void
+curl_task (void *cls)
+{
+  curl_task_id = NULL;
+  curl_main ();
+}
+
+
+static void
+curl_main ()
+{
+  fd_set rs;
+  fd_set ws;
+  fd_set es;
+  int max;
+  struct GNUNET_NETWORK_FDSet nrs;
+  struct GNUNET_NETWORK_FDSet nws;
+  struct GNUNET_TIME_Relative delay;
+  long timeout;
+  int running;
+  struct CURLMsg *msg;
+
+  max = 0;
+  FD_ZERO (&rs);
+  FD_ZERO (&ws);
+  FD_ZERO (&es);
+  curl_multi_perform (multi, &running);
+  if (running == 0)
+  {
+    GNUNET_assert (NULL != (msg = curl_multi_info_read (multi, &running)));
+    if (msg->msg == CURLMSG_DONE)
+    {
+      if (msg->data.result != CURLE_OK)
+      {
+        fprintf (stderr,
+                 "%s failed at %s:%d: `%s'\n",
+                 "curl_multi_perform",
+                 __FILE__,
+                 __LINE__, curl_easy_strerror (msg->data.result));
+        global_ret = 1;
+      }
+    }
+    curl_multi_remove_handle (multi, curl);
+    curl_multi_cleanup (multi);
+    curl_easy_cleanup (curl);
+    curl = NULL;
+    multi = NULL;
+    if (cbc.pos != strlen ("/hello_world"))
+    {
+      GNUNET_break (0);
+      global_ret = 2;
+    }
+    if (0 != strncmp ("/hello_world", cbc.buf, strlen ("/hello_world")))
+    {
+      GNUNET_break (0);
+      global_ret = 3;
+    }
+    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Download complete, shutting down!\n");
+    do_shutdown ();
+    return;
+  }
+  GNUNET_assert (CURLM_OK == curl_multi_fdset (multi, &rs, &ws, &es, &max));
+  if ((CURLM_OK != curl_multi_timeout (multi, &timeout)) ||
+      (-1 == timeout))
+    delay = GNUNET_TIME_UNIT_SECONDS;
+  else
+    delay = GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_MILLISECONDS,
+                                           (unsigned int) timeout);
+  GNUNET_NETWORK_fdset_copy_native (&nrs,
+                                    &rs,
+                                    max + 1);
+  GNUNET_NETWORK_fdset_copy_native (&nws,
+                                    &ws,
+                                    max + 1);
+  curl_task_id = GNUNET_SCHEDULER_add_select (GNUNET_SCHEDULER_PRIORITY_DEFAULT,
+                                              delay,
+                                              &nrs,
+                                              &nws,
+                                              &curl_task,
+                                              NULL);
+}
+
+
+static void
+start_curl (void *cls)
+{
+  curl_task_id = NULL;
+  GNUNET_asprintf (&url,
+                   "https://%s:%d/hello_world",
+                   TEST_DOMAIN, port);
+  curl = curl_easy_init ();
+  curl_easy_setopt (curl, CURLOPT_URL, url);
+  // curl_easy_setopt (curl, CURLOPT_URL, "https://127.0.0.1:8443/hello_world");
+  curl_easy_setopt (curl, CURLOPT_WRITEFUNCTION, &copy_buffer);
+  curl_easy_setopt (curl, CURLOPT_WRITEDATA, &cbc);
+  curl_easy_setopt (curl, CURLOPT_FAILONERROR, 1);
+  curl_easy_setopt (curl, CURLOPT_TIMEOUT, 150L);
+  curl_easy_setopt (curl, CURLOPT_CONNECTTIMEOUT, 15L);
+  curl_easy_setopt (curl, CURLOPT_NOSIGNAL, 1);
+  curl_easy_setopt (curl, CURLOPT_CAINFO, cafile_opt);
+  // curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0L);
+  // curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0L);
+  curl_easy_setopt (curl, CURLOPT_PROXY, "socks5h://127.0.0.1:7777");
+
+  multi = curl_multi_init ();
+  GNUNET_assert (multi != NULL);
+  GNUNET_assert (CURLM_OK == curl_multi_add_handle (multi, curl));
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Beginning HTTP download from `%s'\n",
+              url);
+  curl_main ();
+}
+
+
+/**
+ * Callback invoked from the namestore service once record is
+ * created.
+ *
+ * @param cls closure
+ * @param af address family, AF_INET or AF_INET6; AF_UNSPEC on error;
+ *                will match 'result_af' from the request
+ * @param address IP address (struct in_addr or struct in_addr6, depending on 'af')
+ *                that the VPN allocated for the redirection;
+ *                traffic to this IP will now be redirected to the
+ *                specified target peer; NULL on error
+ */
+static void
+commence_testing (void *cls)
+{
+  curl_task_id =
+    GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_UNIT_SECONDS,
+                                  &start_curl,
+                                  NULL);
+}
+
+
+/**
+ * Function to keep the HTTP server running.
+ */
+static void
+mhd_main (void);
+
+
+static void
+mhd_task (void *cls)
+{
+  mhd_task_id = NULL;
+  MHD_run (mhd);
+  mhd_main ();
+}
+
+
+static void
+mhd_main ()
+{
+  struct GNUNET_NETWORK_FDSet nrs;
+  struct GNUNET_NETWORK_FDSet nws;
+  fd_set rs;
+  fd_set ws;
+  fd_set es;
+  int max_fd;
+  unsigned MHD_LONG_LONG timeout;
+  struct GNUNET_TIME_Relative delay;
+
+  GNUNET_assert (NULL == mhd_task_id);
+  FD_ZERO (&rs);
+  FD_ZERO (&ws);
+  FD_ZERO (&es);
+  max_fd = -1;
+  GNUNET_assert (MHD_YES ==
+                 MHD_get_fdset (mhd, &rs, &ws, &es, &max_fd));
+  if (MHD_YES == MHD_get_timeout (mhd, &timeout))
+    delay = GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_MILLISECONDS,
+                                           (unsigned int) timeout);
+  else
+    delay = GNUNET_TIME_UNIT_FOREVER_REL;
+  GNUNET_NETWORK_fdset_copy_native (&nrs,
+                                    &rs,
+                                    max_fd + 1);
+  GNUNET_NETWORK_fdset_copy_native (&nws,
+                                    &ws,
+                                    max_fd + 1);
+  mhd_task_id = GNUNET_SCHEDULER_add_select (GNUNET_SCHEDULER_PRIORITY_DEFAULT,
+                                             delay,
+                                             &nrs,
+                                             &nws,
+                                             &mhd_task,
+                                             NULL);
+}
+
+
+/**
+ * Main function that will be run
+ *
+ * @param cls closure
+ * @param args remaining command-line arguments
+ * @param cfgfile name of the configuration file used (for saving, can be NULL!)
+ * @param c configuration
+ */
+static void
+run (void *cls,
+     char *const *args,
+     const char *cfgfile,
+     const struct GNUNET_CONFIGURATION_Handle *c)
+{
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Using `%s' as CA\n",
+              cafile_srv);
+  char cert[MAX_PEM_SIZE];
+  char key[MAX_PEM_SIZE];
+  size_t key_buf_size;
+  size_t cert_buf_size;
+
+  gnutls_global_init ();
+  gnutls_x509_crt_init (&proxy_cert);
+  gnutls_x509_privkey_init (&proxy_key);
+
+  if ((GNUNET_OK !=
+       load_cert_from_file (proxy_cert,
+                            cafile_srv)) ||
+      (GNUNET_OK !=
+       load_key_from_file (proxy_key,
+                           cafile_srv)))
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                _ ("Failed to load X.509 key and certificate from `%s'\n"),
+                cafile_srv);
+    gnutls_x509_crt_deinit (proxy_cert);
+    gnutls_x509_privkey_deinit (proxy_key);
+    gnutls_global_deinit ();
+    return;
+  }
+  GNUNET_SCHEDULER_add_shutdown (&do_shutdown,
+                                 NULL);
+  key_buf_size = sizeof(key);
+  cert_buf_size = sizeof(cert);
+  gnutls_x509_crt_export (proxy_cert,
+                          GNUTLS_X509_FMT_PEM,
+                          cert,
+                          &cert_buf_size);
+  gnutls_x509_privkey_export (proxy_key,
+                              GNUTLS_X509_FMT_PEM,
+                              key,
+                              &key_buf_size);
+  mhd = MHD_start_daemon (MHD_USE_DEBUG | MHD_USE_SSL
+                          | MHD_ALLOW_SUSPEND_RESUME, port,
+                          NULL, NULL,
+                          &mhd_ahc, NULL,
+                          MHD_OPTION_HTTPS_MEM_KEY, key,
+                          MHD_OPTION_HTTPS_MEM_CERT, cert,
+                          MHD_OPTION_END);
+  GNUNET_assert (NULL != mhd);
+  mhd_main ();
+
+  GNUNET_SCHEDULER_add_now (&commence_testing,
+                            NULL);
+}
+
+
+int
+main (int argc, char *const *argv)
+{
+  struct GNUNET_GETOPT_CommandLineOption options[] = {
+    GNUNET_GETOPT_option_uint16 ('p',
+                                 "port",
+                                 NULL,
+                                 gettext_noop (
+                                   "listen on specified port (default: 7777)"),
+                                 &port),
+    GNUNET_GETOPT_option_string ('A',
+                                 "curlcert",
+                                 NULL,
+                                 gettext_noop ("pem file to use as CA"),
+                                 &cafile_opt),
+    GNUNET_GETOPT_option_string ('S',
+                                 "servercert",
+                                 NULL,
+                                 gettext_noop (
+                                   "pem file to use for the server"),
+                                 &cafile_srv),
+
+    GNUNET_GETOPT_OPTION_END
+  };
+
+  if (0 != curl_global_init (CURL_GLOBAL_WIN32))
+  {
+    fprintf (stderr, "failed to initialize curl\n");
+    return 2;
+  }
+  if (GNUNET_OK !=
+      GNUNET_STRINGS_get_utf8_args (argc, argv,
+                                    &argc, &argv))
+    return 2;
+  GNUNET_log_setup ("gnunet-gns-proxy-test",
+                    "WARNING",
+                    NULL);
+  if (GNUNET_OK != GNUNET_PROGRAM_run (argc, argv,
+                                       "gnunet-gns-proxy-test",
+                                       _ ("GNUnet GNS proxy test"),
+                                       options,
+                                       &run, NULL))
+    return 1;
+  GNUNET_free_nz ((void*) argv);
+  return global_ret;
+}
+
+
+/* end of test_gns_proxy.c */
diff --git a/src/service/gns/test_gns_proxy.conf b/src/service/gns/test_gns_proxy.conf
new file mode 100644
index 000000000..6670fabf4
--- /dev/null
+++ b/src/service/gns/test_gns_proxy.conf
@@ -0,0 +1,27 @@
+@INLINE@ test_gns_defaults.conf
+
+[transport]
+PLUGINS = tcp
+
+[gns]
+# PREFIX = valgrind --leak-check=full --track-origins=yes
+START_ON_DEMAND = YES
+AUTO_IMPORT_PKEY = YES
+MAX_PARALLEL_BACKGROUND_QUERIES = 10
+DEFAULT_LOOKUP_TIMEOUT = 15 s
+RECORD_PUT_INTERVAL = 1 h
+ZONE_PUBLISH_TIME_WINDOW = 1 h
+DNS_ROOT=PD67SGHF3E0447TU9HADIVU9OM7V4QHTOG0EBU69TFRI2LG63DR0
+
+[zonemaster]
+IMMEDIATE_START = YES
+START_ON_DEMAND = YES
+
+
+
+[gns-proxy]
+PROXY_CACERT = $GNUNET_TMP/proxy_cacert.pem
+PROXY_UNIXPATH = $GNUNET_RUNTIME_DIR/gnunet-gns-proxy.sock
+
+[namestore]
+START_ON_DEMAND = YES
diff --git a/src/service/gns/test_proxy.sh b/src/service/gns/test_proxy.sh
new file mode 100755
index 000000000..aa59504ee
--- /dev/null
+++ b/src/service/gns/test_proxy.sh
@@ -0,0 +1,71 @@
+#!/bin/bash
+# This file is in the public domain.
+
+if ! which certutil > /dev/null
+then
+    echo "certutil required"
+    exit 77
+fi
+
+if ! which openssl > /dev/null
+then
+    echo "certutil required"
+    exit 77
+fi
+
+TEST_DOMAIN="www.test"
+GNUNET_TMP="$(gnunet-config -f -s PATHS -o GNUNET_TMP)"
+PROXY_CACERT="$(gnunet-config -f -c test_gns_proxy.conf -s gns-proxy -o PROXY_CACERT)"
+
+# Delete old files before starting test
+rm -rf "$GNUNET_TMP/test-gnunet-gns-testing/"
+gnunet-arm -s -c test_gns_proxy.conf
+gnunet-gns-proxy-setup-ca -c test_gns_proxy.conf
+
+openssl genrsa -des3 -passout pass:xxxx -out server.pass.key 2048
+openssl rsa -passin pass:xxxx -in server.pass.key -out local.key
+rm server.pass.key
+openssl req -new -key local.key -out server.csr \
+  -subj "/C=DE/O=GNUnet/OU=GNS/CN=test.local"
+openssl x509 -req -days 1 -in server.csr -signkey local.key -out local.crt
+openssl x509 -in local.crt -out local.der -outform DER
+HEXCERT=`xxd -p local.der | tr -d '\n'`
+#echo "This is the certificate the server does not use: $HEXCERT"
+OLDBOXVALUE="6 8443 52 3 0 0 $HEXCERT"
+
+
+openssl req -new -key local.key -out server.csr \
+  -subj "/C=DE/O=GNUnet/OU=GNS/CN=test.local"
+openssl x509 -req -days 1 -in server.csr -signkey local.key -out local.crt
+openssl x509 -in local.crt -out local.der -outform DER
+HEXCERT=`xxd -p local.der | tr -d '\n'`
+#echo "This is the certificate the server does use: $HEXCERT"
+BOXVALUE="6 8443 52 3 0 0 $HEXCERT"
+
+SERVER_CACERT="$GNUNET_TMP/server_cacert.pem"
+cat local.crt > "$SERVER_CACERT"
+cat local.key >> "$SERVER_CACERT"
+
+gnunet-identity -C test -c test_gns_proxy.conf
+gnunet-namestore -p -z "test" -a -n www -t A -V 127.0.0.1 -e never -c test_gns_proxy.conf
+gnunet-namestore -p -z "test" -a -n www -t LEHO -V "test.local" -e never -c test_gns_proxy.conf
+gnunet-namestore -p -z "test" -a -n www -t BOX -V "$OLDBOXVALUE" -e never -c test_gns_proxy.conf
+gnunet-namestore -p -z "test" -a -n www -t BOX -V "$BOXVALUE" -e never -c test_gns_proxy.conf
+
+gnunet-arm -i gns-proxy -c test_gns_proxy.conf
+
+#gnurl --socks5-hostname 127.0.0.1:7777 "https://$TEST_DOMAIN" -v --cacert "$PROXY_CACERT"
+./test_gns_proxy -A "$PROXY_CACERT" -S "$SERVER_CACERT" -p 8443 -c test_gns_proxy.conf
+
+RES=$?
+
+rm "$PROXY_CACERT"
+rm "$SERVER_CACERT"
+
+gnunet-arm -e test_gns_proxy.conf
+
+if test $RES != 0
+then
+  echo "Failed"
+  exit 1
+fi
diff --git a/src/service/gns/tlds.conf b/src/service/gns/tlds.conf
new file mode 100644
index 000000000..28f23f8e5
--- /dev/null
+++ b/src/service/gns/tlds.conf
@@ -0,0 +1,15 @@
+# WARNING:
+# This header is generated!
+# In order to add TLDs, you must register
+# them in GANA, and then use the header generation script
+# to create an update of this file. You may then replace this
+# file with the update.
+[gns]
+
+# The FCFS authority managed by GNUnet e.V.
+.pin.gns.alt = 000G0522TTKQESZ9KPRT2K0RA9ZC8YMD52D2XYVYVGPDCNPMWHH9QXXF4W
+
+
+# The authoritative zone of the GNUnet project
+.gnunet.gns.alt = 000G0522TTKQESZ9KPRT2K0RA9ZC8YMD52D2XYVYVGPDCNPMWHH9QXXF4W
+
diff --git a/src/service/gns/w32resolver.h b/src/service/gns/w32resolver.h
new file mode 100644
index 000000000..c404e37d3
--- /dev/null
+++ b/src/service/gns/w32resolver.h
@@ -0,0 +1,71 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2009, 2012 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @author Christian Grothoff
+ * @file gns/w32resolver.h
+ */
+#ifndef W32RESOLVER_H
+#define W32RESOLVER_H
+
+#include "platform.h"
+#include "gnunet_crypto_lib.h"
+#include "gnunet_common.h"
+
+/**
+ * Request DNS resolution.
+ */
+#define GNUNET_MESSAGE_TYPE_W32RESOLVER_REQUEST 4
+
+/**
+ * Response to a DNS resolution request.
+ */
+#define GNUNET_MESSAGE_TYPE_W32RESOLVER_RESPONSE 5
+
+GNUNET_NETWORK_STRUCT_BEGIN
+
+/**
+ * Request for the resolver.  Followed by the 0-terminated hostname.
+ *
+ * The response will be one or more messages of type
+ * W32RESOLVER_RESPONSE, each with the message header immediately
+ * followed by the requested data (struct in[6]_addr).
+ * The last W32RESOLVER_RESPONSE will just be a header without any data
+ * (used to indicate the end of the list).
+ */
+struct GNUNET_W32RESOLVER_GetMessage
+{
+  /**
+   * Type:  GNUNET_MESSAGE_TYPE_W32RESOLVER_REQUEST
+   */
+  struct GNUNET_MessageHeader header;
+
+  uint32_t af GNUNET_PACKED;
+
+  uint32_t sc_data1 GNUNET_PACKED;
+  uint16_t sc_data2 GNUNET_PACKED;
+  uint16_t sc_data3 GNUNET_PACKED;
+  uint8_t sc_data4[8];
+  /* followed by 0-terminated string for A/AAAA lookup */
+};
+
+GNUNET_NETWORK_STRUCT_END
+
+#endif