authorRob Austein <sra@hactrn.net>2008-06-02 23:43:01 +0000
committerRob Austein <sra@hactrn.net>2008-06-02 23:43:01 +0000
commit7fe2be97aa63bff93e7afca074d42e169a8b92f5 (patch)
tree37960080bd1fdc7b0de75d9c52549a41b13d7897
parentfec873c92b1fb4445d30dd03592a0b8935a460fa (diff)
Add BPKI CRL to pubd's SQL database, and clean up a lot of redundant
SAX code. svn path=/rpkid/irbe-cli.py; revision=1835
-rwxr-xr-xrpkid/irbe-cli.py17
-rw-r--r--rpkid/left-right-protocol-samples.xml4
-rw-r--r--rpkid/left-right-protocol-samples/pdu.053.xml2
-rw-r--r--rpkid/left-right-protocol-samples/pdu.056.xml2
-rw-r--r--rpkid/left-right-schema.rnc1
-rw-r--r--rpkid/left-right-schema.rng5
-rwxr-xr-xrpkid/pubd.py9
-rw-r--r--rpkid/pubd.sql12
-rw-r--r--rpkid/publication-protocol-samples.xml40
-rw-r--r--rpkid/publication-protocol-samples/pdu.001.xml35
-rw-r--r--rpkid/publication-protocol-samples/pdu.002.xml4
-rw-r--r--rpkid/publication-protocol-samples/pdu.003.xml24
-rw-r--r--rpkid/publication-protocol-samples/pdu.004.xml15
-rw-r--r--rpkid/publication-protocol-samples/pdu.005.xml22
-rw-r--r--rpkid/publication-protocol-samples/pdu.006.xml22
-rw-r--r--rpkid/publication-protocol-samples/pdu.007.xml22
-rw-r--r--rpkid/publication-protocol-samples/pdu.008.xml22
-rw-r--r--rpkid/publication-protocol-samples/pdu.009.xml2
-rw-r--r--rpkid/publication-protocol-samples/pdu.010.xml22
-rw-r--r--rpkid/publication-protocol-samples/pdu.011.xml27
-rw-r--r--rpkid/publication-protocol-samples/pdu.012.xml22
-rw-r--r--rpkid/publication-protocol-samples/pdu.013.xml2
-rw-r--r--rpkid/publication-protocol-samples/pdu.014.xml2
-rw-r--r--rpkid/publication-protocol-samples/pdu.015.xml37
-rw-r--r--rpkid/publication-protocol-samples/pdu.016.xml2
-rw-r--r--rpkid/publication-protocol-samples/pdu.017.xml2
-rw-r--r--rpkid/publication-protocol-samples/pdu.018.xml2
-rw-r--r--rpkid/publication-protocol-samples/pdu.019.xml47
-rw-r--r--rpkid/publication-protocol-samples/pdu.020.xml2
-rw-r--r--rpkid/publication-protocol-samples/pdu.021.xml2
-rw-r--r--rpkid/publication-protocol-samples/pdu.022.xml2
-rw-r--r--rpkid/publication-protocol-samples/pdu.023.xml70
-rw-r--r--rpkid/publication-protocol-samples/pdu.024.xml2
-rw-r--r--rpkid/publication-protocol-samples/pdu.025.xml2
-rw-r--r--rpkid/publication-protocol-samples/pdu.026.xml2
-rw-r--r--rpkid/publication-protocol-samples/pdu.027.xml37
-rw-r--r--rpkid/publication-protocol-samples/pdu.028.xml2
-rw-r--r--rpkid/publication-protocol-samples/pdu.029.xml5
-rw-r--r--rpkid/publication-protocol-samples/pdu.030.xml5
-rw-r--r--rpkid/publication-protocol-samples/pdu.031.xml5
-rw-r--r--rpkid/publication-protocol-samples/pdu.032.xml5
-rw-r--r--rpkid/publication-schema.rnc14
-rw-r--r--rpkid/publication-schema.rng55
-rw-r--r--rpkid/rpki/exceptions.py3
-rw-r--r--rpkid/rpki/left_right.py182
-rw-r--r--rpkid/rpki/publication.py123
-rw-r--r--rpkid/rpki/relaxng.py60
-rw-r--r--rpkid/rpki/xml_utils.py32
-rw-r--r--rpkid/testbed.1.yaml4
-rw-r--r--rpkid/testbed.py25
50 files changed, 602 insertions, 462 deletions
diff --git a/rpkid/irbe-cli.py b/rpkid/irbe-cli.py
index e50bdec6..fa4fc103 100755
--- a/rpkid/irbe-cli.py
+++ b/rpkid/irbe-cli.py
@@ -28,9 +28,16 @@ pem_out = None
class cmd_mixin(object):
"""Left-right protocol mix-in for command line client."""
+ ## @var excludes
+ # XML attributes and elements that should not be allowed as command
+ # line arguments. At the moment the only such is the
+ # bsc.pkcs10_request sub-element, but writing this generally is no
+ # harder than handling that one special case.
+ excludes = ()
+
def client_getopt(self, argv):
"""Parse options for this class."""
- opts, argv = getopt.getopt(argv, "", [x + "=" for x in self.attributes + self.elements] + list(self.booleans))
+ opts, argv = getopt.getopt(argv, "", [x + "=" for x in self.attributes + self.elements if x not in self.excludes] + list(self.booleans))
for o, a in opts:
o = o[2:]
handler = getattr(self, "client_query_" + o, None)
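Review bot: The filter `if x not in self.excludes` is now written out twice, here in `client_getopt` and again in `usage()` (the `@@ -135,7 +144,7 @@` hunk), so the accepted options and the printed help can drift apart if only one is edited. A small classmethod on `cmd_mixin` that returns the filtered `attributes + elements` list, called from both places, would keep them in step. Because the test is `in`, `excludes` has to stay a tuple: `excludes = ("pkcs10_request")` without the trailing comma is a string and would match by substring, which deserves a line in the `## @var excludes` comment, for example `# Must be a tuple of exact names.` Both `cmd_mixin` and the body of `client_getopt` continue outside this hunk.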
@@ -81,6 +88,8 @@ class self_elt(cmd_mixin, rpki.left_right.self_elt):
class bsc_elt(cmd_mixin, rpki.left_right.bsc_elt):
+ excludes = ("pkcs10_request",)
+
def client_query_signing_cert(self, arg):
"""--signing_cert option."""
self.signing_cert = rpki.x509.X509(Auto_file=arg)
@@ -113,11 +122,11 @@ class route_origin_elt(cmd_mixin, rpki.left_right.route_origin_elt):
def client_query_ipv4(self, arg):
"""Handle IPv4 addresses."""
- self.ipv4 = resource_set.resource_set_ipv4(arg)
+ self.ipv4 = resource_set.roa_prefix_set_ipv4(arg)
def client_query_ipv6(self, arg):
"""Handle IPv6 addresses."""
- self.ipv6 = resource_set.resource_set_ipv6(arg)
+ self.ipv6 = resource_set.roa_prefix_set_ipv6(arg)
class msg(rpki.left_right.msg):
pdus = dict((x.element_name, x)
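Review bot: The docstrings of `client_query_ipv4` and `client_query_ipv6` still read "Handle IPv4 addresses." and "Handle IPv6 addresses.", although the arguments are now parsed as ROA prefix sets. The samples changed in this same commit show a max length on the prefix (`2002:a00::/48-56`), and a max length longer than the prefix authorises more-specific announcements, so the option text should say that this form is accepted. Something like `"""--ipv4 option: ROA prefix set; entries may carry a max length (prefix/len-maxlen)."""` would do, assuming the IPv4 syntax matches the IPv6 sample. The enclosing `route_origin_elt` class starts outside the hunk.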
@@ -135,7 +144,7 @@ def usage(code=1):
print "Usage:", sys.argv[0], " ".join(["--" + x for x in top_opts])
for k,v in msg.pdus.items():
print " ", k, \
- " ".join(["--" + x + "=" for x in v.attributes + v.elements]), \
+ " ".join(["--" + x + "=" for x in v.attributes + v.elements if x not in v.excludes]), \
" ".join(["--" + x for x in v.booleans])
sys.exit(code)
diff --git a/rpkid/left-right-protocol-samples.xml b/rpkid/left-right-protocol-samples.xml
index b7af5830..b9189c0c 100644
--- a/rpkid/left-right-protocol-samples.xml
+++ b/rpkid/left-right-protocol-samples.xml
@@ -1196,7 +1196,7 @@
<msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
<route_origin action="set" self_id="42" route_origin_id="88"
suppress_publication="yes"
- as_number="12345" exact_match="true" ipv4="10.0.0.44/32" ipv6="2002:a00::/48"/>
+ as_number="12345" ipv4="10.0.0.44/32" ipv6="2002:a00::/48-56"/>
</msg>
<msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
@@ -1209,7 +1209,7 @@
<msg version="1" type="reply" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
<route_origin action="get" self_id="42" route_origin_id="88"
- as_number="12345" exact_match="true" ipv4="10.0.0.44/32" ipv6="2002:a00::/48"/>
+ as_number="12345" ipv4="10.0.0.44/32" ipv6="2002:a00::/48-56"/>
</msg>
<msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/">
diff --git a/rpkid/left-right-protocol-samples/pdu.053.xml b/rpkid/left-right-protocol-samples/pdu.053.xml
index 960e8709..b7db126d 100644
--- a/rpkid/left-right-protocol-samples/pdu.053.xml
+++ b/rpkid/left-right-protocol-samples/pdu.053.xml
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1" type="query">
- <route_origin action="set" self_id="42" route_origin_id="88" suppress_publication="yes" as_number="12345" exact_match="true" ipv4="10.0.0.44/32" ipv6="2002:a00::/48"/>
+ <route_origin action="set" self_id="42" route_origin_id="88" suppress_publication="yes" as_number="12345" ipv4="10.0.0.44/32" ipv6="2002:a00::/48-56"/>
</msg>
diff --git a/rpkid/left-right-protocol-samples/pdu.056.xml b/rpkid/left-right-protocol-samples/pdu.056.xml
index f55d117d..55cd2c78 100644
--- a/rpkid/left-right-protocol-samples/pdu.056.xml
+++ b/rpkid/left-right-protocol-samples/pdu.056.xml
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
<msg xmlns="http://www.hactrn.net/uris/rpki/left-right-spec/" version="1" type="reply">
- <route_origin action="get" self_id="42" route_origin_id="88" as_number="12345" exact_match="true" ipv4="10.0.0.44/32" ipv6="2002:a00::/48"/>
+ <route_origin action="get" self_id="42" route_origin_id="88" as_number="12345" ipv4="10.0.0.44/32" ipv6="2002:a00::/48-56"/>
</msg>
diff --git a/rpkid/left-right-schema.rnc b/rpkid/left-right-schema.rnc
index f24dbb90..1b410f36 100644
--- a/rpkid/left-right-schema.rnc
+++ b/rpkid/left-right-schema.rnc
@@ -194,7 +194,6 @@ route_origin_id = attribute route_origin_id { sql_id }
route_origin_bool = attribute suppress_publication { "yes" }?
route_origin_payload = (attribute as_number { xsd:positiveInteger }?,
- attribute exact_match { xsd:boolean }?,
attribute ipv4 { ipv4_list }?,
attribute ipv6 { ipv6_list }?)
diff --git a/rpkid/left-right-schema.rng b/rpkid/left-right-schema.rng
index 48f6ffb9..337c6852 100644
--- a/rpkid/left-right-schema.rng
+++ b/rpkid/left-right-schema.rng
@@ -795,11 +795,6 @@
</attribute>
</optional>
<optional>
- <attribute name="exact_match">
- <data type="boolean"/>
- </attribute>
- </optional>
- <optional>
<attribute name="ipv4">
<ref name="ipv4_list"/>
</attribute>
diff --git a/rpkid/pubd.py b/rpkid/pubd.py
index 818370b3..a96e75f0 100755
--- a/rpkid/pubd.py
+++ b/rpkid/pubd.py
@@ -48,11 +48,11 @@ class pubd_context(rpki.gctx.global_context):
self.sql_cache = {}
self.sql_dirty = set()
- def handler_common(self, query, client, certs):
+ def handler_common(self, query, client, certs, crl = None):
"""Common PDU handler code."""
q_msg = rpki.publication.cms_msg.unwrap(query, certs)
r_msg = q_msg.serve_top_level(self, client)
- reply = rpki.publication.cms_msg.wrap(r_msg, self.pubd_key, self.pubd_cert)
+ reply = rpki.publication.cms_msg.wrap(r_msg, self.pubd_key, self.pubd_cert, crl)
self.sql_sweep()
return reply
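Review bot: In `handler_common` the new `crl` argument reaches only `cms_msg.wrap`; the `cms_msg.unwrap(query, certs)` call is unchanged and receives no CRL. As far as this hunk shows, the BPKI CRL is attached to the outgoing reply but is not consulted when the client's signing certificate is validated. If `unwrap` checks revocation some other way, a comment such as `# inbound revocation is checked in <where>; crl here is only for the reply` would make that clear, otherwise the CRL should be passed to the verify side as well. The `crl = None` default also lets any other caller wrap a reply without a CRL silently, so making the parameter required would match the fail-closed check added in the client handler. The enclosing `pubd_context` class starts outside the hunk.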
@@ -75,7 +75,10 @@ class pubd_context(rpki.gctx.global_context):
client = rpki.publication.client_elt.sql_fetch(self, long(client_id))
if client is None:
raise rpki.exceptions.ClientNotFound, "Could not find client %s" % client_id
- return 200, self.handler_common(query, client, (self.bpki_ta, client.bpki_cert, client.bpki_glue))
+ config = rpki.publication.config_elt.fetch(self)
+ if config is None or config.bpki_crl is None:
+ raise rpki.exceptions.CMSCRLNotSet
+ return 200, self.handler_common(query, client, (self.bpki_ta, client.bpki_cert, client.bpki_glue), config.bpki_crl)
except Exception, data:
rpki.log.error(traceback.format_exc())
return 500, "Could not process PDU: %s" % data
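Review bot: The new guard rejects only a missing CRL (`config is None or config.bpki_crl is None`); nothing visible here checks that the stored CRL is still within its validity period or was issued under `self.bpki_ta`. An expired row in the `config` table would therefore keep being attached to every reply, unless `config_elt.fetch` or `cms_msg.wrap` validates it, which this hunk does not show. If that validation lives elsewhere, a comment like `# bpki_crl is used as stored; issuer and freshness are checked in <where>` would record it. `CMSCRLNotSet` is also raised without a message, so the `except` below logs and returns "Could not process PDU: " with an empty reason; a short operator-facing message would make the misconfiguration easier to spot in the log. The enclosing handler method and its `try:` start outside the hunk.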
diff --git a/rpkid/pubd.sql b/rpkid/pubd.sql
index d8a9938c..2e9e235d 100644
--- a/rpkid/pubd.sql
+++ b/rpkid/pubd.sql
@@ -16,6 +16,18 @@
-- SQL objects needed by pubd.py.
+-- The config table is weird because we're really only using it
+-- to store one BPKI CRL, but putting this here lets us use a lot of
+-- existing machinery and the alternatives are whacky in other ways.
+
+DROP TABLE IF EXISTS config;
+
+CREATE TABLE config (
+ config_id SERIAL NOT NULL,
+ bpki_crl LONGBLOB,
+ PRIMARY KEY (config_id)
+);
+
DROP TABLE IF EXISTS client;
CREATE TABLE client (
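Review bot: Nothing in the `config` definition limits the table to one row, although the comment says it stores a single BPKI CRL. With a `SERIAL` key a second insert simply adds a second row, and which `bpki_crl` pubd then signs with depends on `config_elt.fetch`, which is not visible here. I would state the invariant next to the table, for example `-- Invariant: exactly one row; pubd reads it through config_elt.fetch.`, or enforce it in the schema. Re-running this script also drops the stored CRL via `DROP TABLE IF EXISTS config;`, after which the client handler in pubd.py raises `CMSCRLNotSet` for every PDU until the CRL is set again, so that is worth a line in the comment too.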
diff --git a/rpkid/publication-protocol-samples.xml b/rpkid/publication-protocol-samples.xml
index 0d1eb6fb..debae3b5 100644
--- a/rpkid/publication-protocol-samples.xml
+++ b/rpkid/publication-protocol-samples.xml
@@ -22,6 +22,46 @@
<completely_gratuitous_wrapper_element_to_let_me_run_this_through_xmllint>
+ <msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" type="query" version="1">
+ <config action="set">
+ <bpki_crl>
+ MIIBezBlAgEBMA0GCSqGSIb3DQEBCwUAMCMxITAfBgNVBAMTGFRlc3QgQ2VydGlm
+ aWNhdGUgcHViZCBUQRcNMDgwNjAyMjE0OTQ1WhcNMDgwNzAyMjE0OTQ1WqAOMAww
+ CgYDVR0UBAMCAQEwDQYJKoZIhvcNAQELBQADggEBAFWCWgBl4ljVqX/CHo+RpqYt
+ vmKMnjPVflMXUB7i28RGP4DAq4l7deDU7Q82xEJyE4TXMWDWAV6UG6uUGum0VHWO
+ cj9ohqyiZUGfOsKg2hbwkETm8sAENOsi1yNdyKGk6jZ16aF5fubxQqZa1pdGCSac
+ 1/ZYC5sLLhEz3kmz+B9z9mXFVc5TgAh4dN3Gy5ftF8zZAFpDGnS4biCnRVqhGv6R
+ 0Lh/5xmii+ZU6kNDhbeMsjJg+ZOmtN+wMeHSIbjiy0WuuaZ3k2xSh0C94anrHBZA
+ vvCRhbazjR0Ef5OMZ5lcllw3uO8IHuoisHKkehy4Y0GySdj98fV+OuiRTH9vt/M=
+ </bpki_crl>
+ </config>
+ </msg>
+
+ <msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" type="reply" version="1">
+ <config action="set"/>
+ </msg>
+
+ <msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" type="query" version="1">
+ <config action="get"/>
+ </msg>
+
+ <msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" type="reply" version="1">
+ <config action="get">
+ <bpki_crl>
+ MIIBezBlAgEBMA0GCSqGSIb3DQEBCwUAMCMxITAfBgNVBAMTGFRlc3QgQ2VydGlm
+ aWNhdGUgcHViZCBUQRcNMDgwNjAyMjE0OTQ1WhcNMDgwNzAyMjE0OTQ1WqAOMAww
+ CgYDVR0UBAMCAQEwDQYJKoZIhvcNAQELBQADggEBAFWCWgBl4ljVqX/CHo+RpqYt
+ vmKMnjPVflMXUB7i28RGP4DAq4l7deDU7Q82xEJyE4TXMWDWAV6UG6uUGum0VHWO
+ cj9ohqyiZUGfOsKg2hbwkETm8sAENOsi1yNdyKGk6jZ16aF5fubxQqZa1pdGCSac
+ 1/ZYC5sLLhEz3kmz+B9z9mXFVc5TgAh4dN3Gy5ftF8zZAFpDGnS4biCnRVqhGv6R
+ 0Lh/5xmii+ZU6kNDhbeMsjJg+ZOmtN+wMeHSIbjiy0WuuaZ3k2xSh0C94anrHBZA
+ vvCRhbazjR0Ef5OMZ5lcllw3uO8IHuoisHKkehy4Y0GySdj98fV+OuiRTH9vt/M=
+ </bpki_crl>
+ </config>
+ </msg>
+
+ <!-- === -->
+
<msg version="1" type="query" xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
<client action="create" base_uri="rsync://wombat.invalid/">
<bpki_cert>
diff --git a/rpkid/publication-protocol-samples/pdu.001.xml b/rpkid/publication-protocol-samples/pdu.001.xml
index 1537fce0..99b676d9 100644
--- a/rpkid/publication-protocol-samples/pdu.001.xml
+++ b/rpkid/publication-protocol-samples/pdu.001.xml
@@ -1,25 +1,16 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
-<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="query">
- <client action="create" base_uri="rsync://wombat.invalid/">
- <bpki_cert>
- MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
- BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
- MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
- b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
- G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
- Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
- DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
- uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
- 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
- diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
- ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
- hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
- cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
- XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
- sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
- YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
- 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
- </bpki_cert>
- </client>
+<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" type="query" version="1">
+ <config action="set">
+ <bpki_crl>
+ MIIBezBlAgEBMA0GCSqGSIb3DQEBCwUAMCMxITAfBgNVBAMTGFRlc3QgQ2VydGlm
+ aWNhdGUgcHViZCBUQRcNMDgwNjAyMjE0OTQ1WhcNMDgwNzAyMjE0OTQ1WqAOMAww
+ CgYDVR0UBAMCAQEwDQYJKoZIhvcNAQELBQADggEBAFWCWgBl4ljVqX/CHo+RpqYt
+ vmKMnjPVflMXUB7i28RGP4DAq4l7deDU7Q82xEJyE4TXMWDWAV6UG6uUGum0VHWO
+ cj9ohqyiZUGfOsKg2hbwkETm8sAENOsi1yNdyKGk6jZ16aF5fubxQqZa1pdGCSac
+ 1/ZYC5sLLhEz3kmz+B9z9mXFVc5TgAh4dN3Gy5ftF8zZAFpDGnS4biCnRVqhGv6R
+ 0Lh/5xmii+ZU6kNDhbeMsjJg+ZOmtN+wMeHSIbjiy0WuuaZ3k2xSh0C94anrHBZA
+ vvCRhbazjR0Ef5OMZ5lcllw3uO8IHuoisHKkehy4Y0GySdj98fV+OuiRTH9vt/M=
+ </bpki_crl>
+ </config>
</msg>
diff --git a/rpkid/publication-protocol-samples/pdu.002.xml b/rpkid/publication-protocol-samples/pdu.002.xml
index 8b2d517b..33b53084 100644
--- a/rpkid/publication-protocol-samples/pdu.002.xml
+++ b/rpkid/publication-protocol-samples/pdu.002.xml
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
-<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="reply">
- <client action="create" client_id="3"/>
+<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" type="reply" version="1">
+ <config action="set"/>
</msg>
diff --git a/rpkid/publication-protocol-samples/pdu.003.xml b/rpkid/publication-protocol-samples/pdu.003.xml
index bf6167f5..c9325602 100644
--- a/rpkid/publication-protocol-samples/pdu.003.xml
+++ b/rpkid/publication-protocol-samples/pdu.003.xml
@@ -1,25 +1,5 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
-<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="query">
- <client action="set" client_id="3">
- <bpki_glue>
- MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
- BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
- MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
- b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
- G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
- Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
- DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
- uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
- 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
- diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
- ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
- hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
- cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
- XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
- sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
- YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
- 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
- </bpki_glue>
- </client>
+<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" type="query" version="1">
+ <config action="get"/>
</msg>
diff --git a/rpkid/publication-protocol-samples/pdu.004.xml b/rpkid/publication-protocol-samples/pdu.004.xml
index 59d78276..745ef003 100644
--- a/rpkid/publication-protocol-samples/pdu.004.xml
+++ b/rpkid/publication-protocol-samples/pdu.004.xml
@@ -1,5 +1,16 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
-<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="reply">
- <client action="set" client_id="3"/>
+<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" type="reply" version="1">
+ <config action="get">
+ <bpki_crl>
+ MIIBezBlAgEBMA0GCSqGSIb3DQEBCwUAMCMxITAfBgNVBAMTGFRlc3QgQ2VydGlm
+ aWNhdGUgcHViZCBUQRcNMDgwNjAyMjE0OTQ1WhcNMDgwNzAyMjE0OTQ1WqAOMAww
+ CgYDVR0UBAMCAQEwDQYJKoZIhvcNAQELBQADggEBAFWCWgBl4ljVqX/CHo+RpqYt
+ vmKMnjPVflMXUB7i28RGP4DAq4l7deDU7Q82xEJyE4TXMWDWAV6UG6uUGum0VHWO
+ cj9ohqyiZUGfOsKg2hbwkETm8sAENOsi1yNdyKGk6jZ16aF5fubxQqZa1pdGCSac
+ 1/ZYC5sLLhEz3kmz+B9z9mXFVc5TgAh4dN3Gy5ftF8zZAFpDGnS4biCnRVqhGv6R
+ 0Lh/5xmii+ZU6kNDhbeMsjJg+ZOmtN+wMeHSIbjiy0WuuaZ3k2xSh0C94anrHBZA
+ vvCRhbazjR0Ef5OMZ5lcllw3uO8IHuoisHKkehy4Y0GySdj98fV+OuiRTH9vt/M=
+ </bpki_crl>
+ </config>
</msg>
diff --git a/rpkid/publication-protocol-samples/pdu.005.xml b/rpkid/publication-protocol-samples/pdu.005.xml
index 288881c3..1537fce0 100644
--- a/rpkid/publication-protocol-samples/pdu.005.xml
+++ b/rpkid/publication-protocol-samples/pdu.005.xml
@@ -1,5 +1,25 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="query">
- <client action="get" client_id="3"/>
+ <client action="create" base_uri="rsync://wombat.invalid/">
+ <bpki_cert>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_cert>
+ </client>
</msg>
diff --git a/rpkid/publication-protocol-samples/pdu.006.xml b/rpkid/publication-protocol-samples/pdu.006.xml
index 81ee4943..8b2d517b 100644
--- a/rpkid/publication-protocol-samples/pdu.006.xml
+++ b/rpkid/publication-protocol-samples/pdu.006.xml
@@ -1,25 +1,5 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="reply">
- <client action="get" client_id="3" base_uri="rsync://wombat.invalid/">
- <bpki_cert>
- MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
- BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
- MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
- b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
- G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
- Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
- DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
- uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
- 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
- diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
- ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
- hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
- cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
- XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
- sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
- YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
- 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
- </bpki_cert>
- </client>
+ <client action="create" client_id="3"/>
</msg>
diff --git a/rpkid/publication-protocol-samples/pdu.007.xml b/rpkid/publication-protocol-samples/pdu.007.xml
index b930d604..bf6167f5 100644
--- a/rpkid/publication-protocol-samples/pdu.007.xml
+++ b/rpkid/publication-protocol-samples/pdu.007.xml
@@ -1,5 +1,25 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="query">
- <client action="list"/>
+ <client action="set" client_id="3">
+ <bpki_glue>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_glue>
+ </client>
</msg>
diff --git a/rpkid/publication-protocol-samples/pdu.008.xml b/rpkid/publication-protocol-samples/pdu.008.xml
index 15464eab..59d78276 100644
--- a/rpkid/publication-protocol-samples/pdu.008.xml
+++ b/rpkid/publication-protocol-samples/pdu.008.xml
@@ -1,25 +1,5 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="reply">
- <client action="list" client_id="3">
- <bpki_cert>
- MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
- BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
- MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
- b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
- G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
- Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
- DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
- uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
- 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
- diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
- ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
- hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
- cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
- XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
- sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
- YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
- 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
- </bpki_cert>
- </client>
+ <client action="set" client_id="3"/>
</msg>
diff --git a/rpkid/publication-protocol-samples/pdu.009.xml b/rpkid/publication-protocol-samples/pdu.009.xml
index 47b78520..288881c3 100644
--- a/rpkid/publication-protocol-samples/pdu.009.xml
+++ b/rpkid/publication-protocol-samples/pdu.009.xml
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="query">
- <client action="destroy" client_id="3"/>
+ <client action="get" client_id="3"/>
</msg>
diff --git a/rpkid/publication-protocol-samples/pdu.010.xml b/rpkid/publication-protocol-samples/pdu.010.xml
index e71fd39e..81ee4943 100644
--- a/rpkid/publication-protocol-samples/pdu.010.xml
+++ b/rpkid/publication-protocol-samples/pdu.010.xml
@@ -1,5 +1,25 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="reply">
- <client action="destroy" client_id="3"/>
+ <client action="get" client_id="3" base_uri="rsync://wombat.invalid/">
+ <bpki_cert>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_cert>
+ </client>
</msg>
diff --git a/rpkid/publication-protocol-samples/pdu.011.xml b/rpkid/publication-protocol-samples/pdu.011.xml
index 2ba77edf..b930d604 100644
--- a/rpkid/publication-protocol-samples/pdu.011.xml
+++ b/rpkid/publication-protocol-samples/pdu.011.xml
@@ -1,30 +1,5 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="query">
- <certificate action="publish" uri="rsync://wombat.invalid/testbed/RIR/1/j7ghjwblCrcCp9ltyPDNzYKPfxc.cer">
- MIIE+jCCA+KgAwIBAgIBDTANBgkqhkiG9w0BAQsFADAzMTEwLwYDVQQDEyhERjRBODAxN0U2
- NkE5RTkxNzJFNDYxMkQ4Q0Y0QzgzRjIzOERFMkEzMB4XDTA4MDUyMjE4MDUxMloXDTA4MDUy
- NDE3NTQ1M1owMzExMC8GA1UEAxMoOEZCODIxOEYwNkU1MEFCNzAyQTdEOTZEQzhGMENEQ0Q4
- MjhGN0YxNzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMeziKp0k5nP7v6SZoNs
- XIMQYRgNtC6Fr/9Xm/1yQHomiPqHUk47rHhGojYiK5AhkrwoYhkH4UjJl2iwklDYczXuaBU3
- F5qrKlZ4aZnjIxdlP7+hktVpeApL6yuJTUAYeC3UIxnLDVdD6phydZ/FOQluffiNDjzteCCv
- oyOUatqt8WB+oND6LToHp028g1YUYLHG6mur0dPdcHOVXLSmUDuZ1HDz1nDuYvIVKjB/MpH9
- aW9XeaQ6ZFIlZVPwuuvI2brR+ThH7Gv27GL/o8qFdC300VQfoTZ+rKPGDE8K1cI906BL4kiw
- x9z0oiDcE96QCz+B0vsjc9mGaA1jgAxlXWsCAwEAAaOCAhcwggITMB0GA1UdDgQWBBSPuCGP
- BuUKtwKn2W3I8M3Ngo9/FzAfBgNVHSMEGDAWgBTfSoAX5mqekXLkYS2M9Mg/I43iozBVBgNV
- HR8ETjBMMEqgSKBGhkRyc3luYzovL2xvY2FsaG9zdDo0NDAwL3Rlc3RiZWQvUklSLzEvMzBx
- QUYtWnFucEZ5NUdFdGpQVElQeU9ONHFNLmNybDBFBggrBgEFBQcBAQQ5MDcwNQYIKwYBBQUH
- MAKGKXJzeW5jOi8vbG9jYWxob3N0OjQ0MDAvdGVzdGJlZC9XT01CQVQuY2VyMBgGA1UdIAEB
- /wQOMAwwCgYIKwYBBQUHDgIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwgZsG
- CCsGAQUFBwELBIGOMIGLMDQGCCsGAQUFBzAFhihyc3luYzovL2xvY2FsaG9zdDo0NDAwL3Rl
- c3RiZWQvUklSL1IwLzEvMFMGCCsGAQUFBzAKhkdyc3luYzovL2xvY2FsaG9zdDo0NDAwL3Rl
- c3RiZWQvUklSL1IwLzEvajdnaGp3YmxDcmNDcDlsdHlQRE56WUtQZnhjLm1uZjAaBggrBgEF
- BQcBCAEB/wQLMAmgBzAFAgMA/BUwPgYIKwYBBQUHAQcBAf8ELzAtMCsEAgABMCUDAwAKAzAO
- AwUAwAACAQMFAcAAAiAwDgMFAsAAAiwDBQDAAAJkMA0GCSqGSIb3DQEBCwUAA4IBAQCEhuH7
- jtI2PJY6+zwv306vmCuXhtu9Lr2mmRw2ZErB8EMcb5xypMrNqMoKeu14K2x4a4RPJkK4yATh
- M81FPNRsU5mM0acIRnAPtxjHvPME7PHN2w2nGLASRsZmaa+b8A7SSOxVcFURazENztppsolH
- eTpm0cpLItK7mNpudUg1JGuFo94VLf1MnE2EqARG1vTsNhel/SM/UvOArCCOBvf0Gz7kSuup
- DSZ7qx+LiDmtEsLdbGNQBiYPbLrDk41PHrxdx28qIj7ejZkRzNFw/3pi8/XK281h8zeHoFVu
- 6ghRPy5dbOA4akX/KG6b8XIx0iwPYdLiDbdWFbtTdPcXBauY
- </certificate>
+ <client action="list"/>
</msg>
diff --git a/rpkid/publication-protocol-samples/pdu.012.xml b/rpkid/publication-protocol-samples/pdu.012.xml
index c548bceb..15464eab 100644
--- a/rpkid/publication-protocol-samples/pdu.012.xml
+++ b/rpkid/publication-protocol-samples/pdu.012.xml
@@ -1,5 +1,25 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="reply">
- <certificate action="publish" uri="rsync://wombat.invalid/testbed/RIR/1/j7ghjwblCrcCp9ltyPDNzYKPfxc.cer"/>
+ <client action="list" client_id="3">
+ <bpki_cert>
+ MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgBgNV
+ BAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1MzEwWhcN
+ MDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXRlIEJvYiBS
+ b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYUtJaM5PH5917S
+ G2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GIdnoupzMnoZVtY3G
+ Ux2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8UN17mUKKgujrch6ZvgC
+ DO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVdqb/rW/6GTg0Xb/zLT6WWM
+ uT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tba0xyBGAUII0GfREY6t4/+NAP
+ 2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJ
+ diqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4
+ ULlB7+GMDBlimTAfBgNVHSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkq
+ hkiG9w0BAQUFAAOCAQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acg
+ cum1YieNdtT0n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4
+ XY39EZHhMW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Sm
+ sqep6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+ YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq
+ 3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
+ </bpki_cert>
+ </client>
</msg>
diff --git a/rpkid/publication-protocol-samples/pdu.013.xml b/rpkid/publication-protocol-samples/pdu.013.xml
index cd6001f5..47b78520 100644
--- a/rpkid/publication-protocol-samples/pdu.013.xml
+++ b/rpkid/publication-protocol-samples/pdu.013.xml
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="query">
- <certificate action="withdraw" uri="rsync://wombat.invalid/testbed/RIR/1/j7ghjwblCrcCp9ltyPDNzYKPfxc.cer"/>
+ <client action="destroy" client_id="3"/>
</msg>
diff --git a/rpkid/publication-protocol-samples/pdu.014.xml b/rpkid/publication-protocol-samples/pdu.014.xml
index 4e5d606a..e71fd39e 100644
--- a/rpkid/publication-protocol-samples/pdu.014.xml
+++ b/rpkid/publication-protocol-samples/pdu.014.xml
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="reply">
- <certificate action="withdraw" uri="rsync://wombat.invalid/testbed/RIR/1/j7ghjwblCrcCp9ltyPDNzYKPfxc.cer"/>
+ <client action="destroy" client_id="3"/>
</msg>
diff --git a/rpkid/publication-protocol-samples/pdu.015.xml b/rpkid/publication-protocol-samples/pdu.015.xml
index e404c3b9..2ba77edf 100644
--- a/rpkid/publication-protocol-samples/pdu.015.xml
+++ b/rpkid/publication-protocol-samples/pdu.015.xml
@@ -1,15 +1,30 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="query">
- <crl action="publish" uri="rsync://wombat.invalid/testbed/RIR/1/30qAF-ZqnpFy5GEtjPTIPyON4qM.crl">
- MIIBwzCBrAIBATANBgkqhkiG9w0BAQsFADAzMTEwLwYDVQQDEyhERjRBODAxN0U2NkE5RTkx
- NzJFNDYxMkQ4Q0Y0QzgzRjIzOERFMkEzFw0wODA1MjIxODA0MTZaFw0wODA1MjIxODA1MTZa
- MBQwEgIBAhcNMDgwNTIyMTc1ODQwWqAvMC0wHwYDVR0jBBgwFoAU30qAF+ZqnpFy5GEtjPTI
- PyON4qMwCgYDVR0UBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAKkM0Fb/pJpHVHWZyjp4wojH
- W2KkvA/DFtBiz3moxocSnkDVP3QI19uVvqdC6nH3hJyFmsAMwULR0f1XU/V4j+X+FqYEl6Nv
- p8zAEPIB4r8xbEFs7udRwXRAjkJmOQbv9aomF2i+d7jpTFVJxShZWOgsoGEhIy/aktKQrOIR
- c4ZDrXpQwXVj2Y7+cGVfQ4gvnPOdlyLcnNovoegazATvA3EcidBNPWRg7XTCz0LVBEB7JgPd
- nNyXRg35HdMEHBl7U9uUQJXP7S02oaQ1ehNDMfaJPgBBpQtAnM1lIzJfevd9+e4ywGsRpxAV
- 8wxTXSPd1jwuKtS0kwrgsrQ8Ya85xUE=
- </crl>
+ <certificate action="publish" uri="rsync://wombat.invalid/testbed/RIR/1/j7ghjwblCrcCp9ltyPDNzYKPfxc.cer">
+ MIIE+jCCA+KgAwIBAgIBDTANBgkqhkiG9w0BAQsFADAzMTEwLwYDVQQDEyhERjRBODAxN0U2
+ NkE5RTkxNzJFNDYxMkQ4Q0Y0QzgzRjIzOERFMkEzMB4XDTA4MDUyMjE4MDUxMloXDTA4MDUy
+ NDE3NTQ1M1owMzExMC8GA1UEAxMoOEZCODIxOEYwNkU1MEFCNzAyQTdEOTZEQzhGMENEQ0Q4
+ MjhGN0YxNzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMeziKp0k5nP7v6SZoNs
+ XIMQYRgNtC6Fr/9Xm/1yQHomiPqHUk47rHhGojYiK5AhkrwoYhkH4UjJl2iwklDYczXuaBU3
+ F5qrKlZ4aZnjIxdlP7+hktVpeApL6yuJTUAYeC3UIxnLDVdD6phydZ/FOQluffiNDjzteCCv
+ oyOUatqt8WB+oND6LToHp028g1YUYLHG6mur0dPdcHOVXLSmUDuZ1HDz1nDuYvIVKjB/MpH9
+ aW9XeaQ6ZFIlZVPwuuvI2brR+ThH7Gv27GL/o8qFdC300VQfoTZ+rKPGDE8K1cI906BL4kiw
+ x9z0oiDcE96QCz+B0vsjc9mGaA1jgAxlXWsCAwEAAaOCAhcwggITMB0GA1UdDgQWBBSPuCGP
+ BuUKtwKn2W3I8M3Ngo9/FzAfBgNVHSMEGDAWgBTfSoAX5mqekXLkYS2M9Mg/I43iozBVBgNV
+ HR8ETjBMMEqgSKBGhkRyc3luYzovL2xvY2FsaG9zdDo0NDAwL3Rlc3RiZWQvUklSLzEvMzBx
+ QUYtWnFucEZ5NUdFdGpQVElQeU9ONHFNLmNybDBFBggrBgEFBQcBAQQ5MDcwNQYIKwYBBQUH
+ MAKGKXJzeW5jOi8vbG9jYWxob3N0OjQ0MDAvdGVzdGJlZC9XT01CQVQuY2VyMBgGA1UdIAEB
+ /wQOMAwwCgYIKwYBBQUHDgIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwgZsG
+ CCsGAQUFBwELBIGOMIGLMDQGCCsGAQUFBzAFhihyc3luYzovL2xvY2FsaG9zdDo0NDAwL3Rl
+ c3RiZWQvUklSL1IwLzEvMFMGCCsGAQUFBzAKhkdyc3luYzovL2xvY2FsaG9zdDo0NDAwL3Rl
+ c3RiZWQvUklSL1IwLzEvajdnaGp3YmxDcmNDcDlsdHlQRE56WUtQZnhjLm1uZjAaBggrBgEF
+ BQcBCAEB/wQLMAmgBzAFAgMA/BUwPgYIKwYBBQUHAQcBAf8ELzAtMCsEAgABMCUDAwAKAzAO
+ AwUAwAACAQMFAcAAAiAwDgMFAsAAAiwDBQDAAAJkMA0GCSqGSIb3DQEBCwUAA4IBAQCEhuH7
+ jtI2PJY6+zwv306vmCuXhtu9Lr2mmRw2ZErB8EMcb5xypMrNqMoKeu14K2x4a4RPJkK4yATh
+ M81FPNRsU5mM0acIRnAPtxjHvPME7PHN2w2nGLASRsZmaa+b8A7SSOxVcFURazENztppsolH
+ eTpm0cpLItK7mNpudUg1JGuFo94VLf1MnE2EqARG1vTsNhel/SM/UvOArCCOBvf0Gz7kSuup
+ DSZ7qx+LiDmtEsLdbGNQBiYPbLrDk41PHrxdx28qIj7ejZkRzNFw/3pi8/XK281h8zeHoFVu
+ 6ghRPy5dbOA4akX/KG6b8XIx0iwPYdLiDbdWFbtTdPcXBauY
+ </certificate>
</msg>
diff --git a/rpkid/publication-protocol-samples/pdu.016.xml b/rpkid/publication-protocol-samples/pdu.016.xml
index b94b45a4..c548bceb 100644
--- a/rpkid/publication-protocol-samples/pdu.016.xml
+++ b/rpkid/publication-protocol-samples/pdu.016.xml
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="reply">
- <crl action="publish" uri="rsync://wombat.invalid/testbed/RIR/1/30qAF-ZqnpFy5GEtjPTIPyON4qM.crl"/>
+ <certificate action="publish" uri="rsync://wombat.invalid/testbed/RIR/1/j7ghjwblCrcCp9ltyPDNzYKPfxc.cer"/>
</msg>
diff --git a/rpkid/publication-protocol-samples/pdu.017.xml b/rpkid/publication-protocol-samples/pdu.017.xml
index f54f18e4..cd6001f5 100644
--- a/rpkid/publication-protocol-samples/pdu.017.xml
+++ b/rpkid/publication-protocol-samples/pdu.017.xml
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="query">
- <crl action="withdraw" uri="rsync://wombat.invalid/testbed/RIR/1/30qAF-ZqnpFy5GEtjPTIPyON4qM.crl"/>
+ <certificate action="withdraw" uri="rsync://wombat.invalid/testbed/RIR/1/j7ghjwblCrcCp9ltyPDNzYKPfxc.cer"/>
</msg>
diff --git a/rpkid/publication-protocol-samples/pdu.018.xml b/rpkid/publication-protocol-samples/pdu.018.xml
index 20c30004..4e5d606a 100644
--- a/rpkid/publication-protocol-samples/pdu.018.xml
+++ b/rpkid/publication-protocol-samples/pdu.018.xml
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="reply">
- <crl action="withdraw" uri="rsync://wombat.invalid/testbed/RIR/1/30qAF-ZqnpFy5GEtjPTIPyON4qM.crl"/>
+ <certificate action="withdraw" uri="rsync://wombat.invalid/testbed/RIR/1/j7ghjwblCrcCp9ltyPDNzYKPfxc.cer"/>
</msg>
diff --git a/rpkid/publication-protocol-samples/pdu.019.xml b/rpkid/publication-protocol-samples/pdu.019.xml
index 34606b8d..e404c3b9 100644
--- a/rpkid/publication-protocol-samples/pdu.019.xml
+++ b/rpkid/publication-protocol-samples/pdu.019.xml
@@ -1,40 +1,15 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="query">
- <manifest action="publish" uri="rsync://wombat.invalid/testbed/RIR/R0/1/j7ghjwblCrcCp9ltyPDNzYKPfxc.mnf">
- MIIHCgYJKoZIhvcNAQcCoIIG+zCCBvcCAQMxDTALBglghkgBZQMEAgEwggEeBgsqhkiG9w0B
- CRABGqCCAQ0EggEJMIIBBQIBEhgPMjAwODA1MjIxODA1MTVaGA8yMDA4MDUyMjE4MDYxNVoG
- CWCGSAFlAwQCATCB0jBEFh9ZbTVUTzRJYnlDb0pNZ3E2R2o4dG41Mng5U0UuY2VyAyEA4L8Z
- WMyuhOx+o6kUfsRR++QjSaRaATy4UOeVtjvZVqYwRBYfWnRxbjB3NEVFbU9hclAzQmd1SUY3
- MDhhNTM4LmNlcgMhAGQI1gYJotxWmwzcmpLNFZJ656uWOjcPYANlbNz80xm8MEQWH2xxa1Vx
- RHEwMDBESW9ZVjlybXdLTGdrN2F6by5jZXIDIQB7jRAEpkPvc4s4PX9vDvnTifj3BIE145FO
- 1ne2kEejVqCCBBEwggQNMIIC9aADAgECAgEFMA0GCSqGSIb3DQEBCwUAMDMxMTAvBgNVBAMT
- KDhGQjgyMThGMDZFNTBBQjcwMkE3RDk2REM4RjBDRENEODI4RjdGMTcwHhcNMDgwNTIyMTc1
- NzQ5WhcNMDgwNTI0MTc1NDUzWjAzMTEwLwYDVQQDEyhERkRBMjMyMUJENEVCMDNFQTE1RkUy
- N0NGRkRGMEFGRkU1QjBFNjY4MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2/Gk
- AHW5pDqye0+TvUp7sl0rVgmTfeHpVp18ypxvuovogVJgkjEtBEikfaFU0646wYD6JM6IJFJX
- lWLWd7bVmhkWViKuZL0VmT2wpUToNHCLUGUQUVVX8R7oSHFdTArv2AqH+6yt0LmczDH1y2M6
- 2Tgkz9wZ9ryyuPx3VX4PkHzUMlkGFICj1fvyXkcAu8jBaxR9UME1c413TPaMi6lMh1HUmtVN
- LJMP5+/SnwEAW/Z3dPClCFIgQXK3nAKPVzAIwADEiqhK7cSchhO7ikI1CVt0XzG4n7oaILc3
- Hq/DAxyiutw5GlkUlKPri2YJzJ3+H4P+TveSa/b02fVA5csm/QIDAQABo4IBKjCCASYwHQYD
- VR0OBBYEFN/aIyG9TrA+oV/ifP/fCv/lsOZoMB8GA1UdIwQYMBaAFI+4IY8G5Qq3AqfZbcjw
- zc2Cj38XMFgGA1UdHwRRME8wTaBLoEmGR3JzeW5jOi8vbG9jYWxob3N0OjQ0MDAvdGVzdGJl
- ZC9SSVIvUjAvMS9qN2doandibENyY0NwOWx0eVBETnpZS1BmeGMuY3JsMGAGCCsGAQUFBwEB
- BFQwUjBQBggrBgEFBQcwAoZEcnN5bmM6Ly9sb2NhbGhvc3Q6NDQwMC90ZXN0YmVkL1JJUi8x
- L2o3Z2hqd2JsQ3JjQ3A5bHR5UEROellLUGZ4Yy5jZXIwGAYDVR0gAQH/BA4wDDAKBggrBgEF
- BQcOAjAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBADpsE9HfgVTgmX1WeJTE
- fm87CXuOoGH85RFiAngSt5kR4gYCyadklOZ7Eta+ERUZVu4tcKO6sJOTuHPfVrAvR0VpgH+j
- PvXboYWSfwJdi00BC28ScrVM2zarA7B10+J6Oq8tbFlAyVBkrbuPet/axmndBtGWhrBTynGl
- nc/5L371Lxy6CrOYqXO0Qx3SrOKaailAe3zTIpHQeACqnPdL00zIBw/hVy/VNaH1wy+FmhAz
- TsmsQUrMyovJcu/ry5w0KHlP8BTnqfykikCWR+Lw0VQHmpJGAbtrmsOeIbfLY1zl7A81lDAl
- AG/ZH1DUdDOUIXMLHWur+D2rwjp7RL16LHYxggGqMIIBpgIBA4AU39ojIb1OsD6hX+J8/98K
- /+Ww5mgwCwYJYIZIAWUDBAIBoGswGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEaMBwGCSqG
- SIb3DQEJBTEPFw0wODA1MjIxODA1MTVaMC8GCSqGSIb3DQEJBDEiBCBj/GjEQw3LgKPf5DTz
- 8eu1fcp6/cQjqqne6ZqFkF42azANBgkqhkiG9w0BAQEFAASCAQBOY0uHNMwy/o1nFANSgha5
- PZxt8fz+wTrbeomCb+lxqQKq1clcSiQORVGc8NmqC8sS5OR3eTw/3qnK9yPHxz2UQ4hn1pBa
- +Zy5veM61qMaXCw6w98EyNcvUfA1AkezAjkabfHQDs3o4Ezh49thXXyRcBoF+O6Lmi+LZbT2
- 4jvfFbaXW9zsb6/DaoDkeHnlk+YYgfSP4wOnkK5uqxtDW8QpMPq3GGdIp0oJDkzEdj7VsWIL
- 9JP2mxxL8fTPVUyAPOmURYwYDXqhke2O9eVDiCYhrEfB8/84Rint4Cj8n5aCujnAtqtwxHpD
- 0NRYO/V1MjhG+ARy1vRH1Dm0r92RBam3
- </manifest>
+ <crl action="publish" uri="rsync://wombat.invalid/testbed/RIR/1/30qAF-ZqnpFy5GEtjPTIPyON4qM.crl">
+ MIIBwzCBrAIBATANBgkqhkiG9w0BAQsFADAzMTEwLwYDVQQDEyhERjRBODAxN0U2NkE5RTkx
+ NzJFNDYxMkQ4Q0Y0QzgzRjIzOERFMkEzFw0wODA1MjIxODA0MTZaFw0wODA1MjIxODA1MTZa
+ MBQwEgIBAhcNMDgwNTIyMTc1ODQwWqAvMC0wHwYDVR0jBBgwFoAU30qAF+ZqnpFy5GEtjPTI
+ PyON4qMwCgYDVR0UBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAKkM0Fb/pJpHVHWZyjp4wojH
+ W2KkvA/DFtBiz3moxocSnkDVP3QI19uVvqdC6nH3hJyFmsAMwULR0f1XU/V4j+X+FqYEl6Nv
+ p8zAEPIB4r8xbEFs7udRwXRAjkJmOQbv9aomF2i+d7jpTFVJxShZWOgsoGEhIy/aktKQrOIR
+ c4ZDrXpQwXVj2Y7+cGVfQ4gvnPOdlyLcnNovoegazATvA3EcidBNPWRg7XTCz0LVBEB7JgPd
+ nNyXRg35HdMEHBl7U9uUQJXP7S02oaQ1ehNDMfaJPgBBpQtAnM1lIzJfevd9+e4ywGsRpxAV
+ 8wxTXSPd1jwuKtS0kwrgsrQ8Ya85xUE=
+ </crl>
</msg>
diff --git a/rpkid/publication-protocol-samples/pdu.020.xml b/rpkid/publication-protocol-samples/pdu.020.xml
index 8fb07898..b94b45a4 100644
--- a/rpkid/publication-protocol-samples/pdu.020.xml
+++ b/rpkid/publication-protocol-samples/pdu.020.xml
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="reply">
- <manifest action="publish" uri="rsync://wombat.invalid/testbed/RIR/R0/1/j7ghjwblCrcCp9ltyPDNzYKPfxc.mnf"/>
+ <crl action="publish" uri="rsync://wombat.invalid/testbed/RIR/1/30qAF-ZqnpFy5GEtjPTIPyON4qM.crl"/>
</msg>
diff --git a/rpkid/publication-protocol-samples/pdu.021.xml b/rpkid/publication-protocol-samples/pdu.021.xml
index 22639575..f54f18e4 100644
--- a/rpkid/publication-protocol-samples/pdu.021.xml
+++ b/rpkid/publication-protocol-samples/pdu.021.xml
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="query">
- <manifest action="withdraw" uri="rsync://wombat.invalid/testbed/RIR/R0/1/j7ghjwblCrcCp9ltyPDNzYKPfxc.mnf"/>
+ <crl action="withdraw" uri="rsync://wombat.invalid/testbed/RIR/1/30qAF-ZqnpFy5GEtjPTIPyON4qM.crl"/>
</msg>
diff --git a/rpkid/publication-protocol-samples/pdu.022.xml b/rpkid/publication-protocol-samples/pdu.022.xml
index 951dde35..20c30004 100644
--- a/rpkid/publication-protocol-samples/pdu.022.xml
+++ b/rpkid/publication-protocol-samples/pdu.022.xml
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="reply">
- <manifest action="withdraw" uri="rsync://wombat.invalid/testbed/RIR/R0/1/j7ghjwblCrcCp9ltyPDNzYKPfxc.mnf"/>
+ <crl action="withdraw" uri="rsync://wombat.invalid/testbed/RIR/1/30qAF-ZqnpFy5GEtjPTIPyON4qM.crl"/>
</msg>
diff --git a/rpkid/publication-protocol-samples/pdu.023.xml b/rpkid/publication-protocol-samples/pdu.023.xml
index 0a4608b4..34606b8d 100644
--- a/rpkid/publication-protocol-samples/pdu.023.xml
+++ b/rpkid/publication-protocol-samples/pdu.023.xml
@@ -1,38 +1,40 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="query">
- <roa action="publish" uri="rsync://wombat.invalid/testbed/RIR/R0/1/lqkUqDq000DIoYV9rmwKLgk7azo.roa">
- MIIGmwYJKoZIhvcNAQcCoIIGjDCCBogCAQMxDTALBglghkgBZQMEAgEwKgYLKoZIhvcNAQkQ
- ARigGwQZMBcCAgKaMBEwDwQCAAEwCTAHAwUACgMALKCCBJgwggSUMIIDfKADAgECAgEJMA0G
- CSqGSIb3DQEBCwUAMDMxMTAvBgNVBAMTKDhGQjgyMThGMDZFNTBBQjcwMkE3RDk2REM4RjBD
- RENEODI4RjdGMTcwHhcNMDgwNTIyMTc1ODI0WhcNMDgwNTI0MTc1NDUzWjAzMTEwLwYDVQQD
- Eyg5NkE5MTRBODNBQjREMzQwQzhBMTg1N0RBRTZDMEEyRTA5M0I2QjNBMIIBIjANBgkqhkiG
- 9w0BAQEFAAOCAQ8AMIIBCgKCAQEApoK50BjW5bcF4gsdaYhndtVADZvQk3RCsvuqDElF6uLi
- 9BYQq/NHyDOIMyJtvCmzjdv3Y135n1sNO7YvssqHlt7dMfCQTD5ND1GpFnQLdWP7stWM5AbO
- nJV6+PtDITUA/QHOli7Do0YCUgR6G+1QJsMu0DK+TRSzBJ6WP7WIYOBOOg3y/NKc1rkWhS1Q
- dcQepbHgQYZHzzpjNDR6+oYVuhuUEWx1P6O4pv/p+tpE0SDua7jBjMywIYHkPQBecf2IX1RU
- WNojB9dJlnRx5YUUneP2SvF2MrmdDbclgzwhf6alqD2OjiMuoBOG8yeTKcuhzCMnrFAklbst
- 6x3Rnq9BswIDAQABo4IBsTCCAa0wHQYDVR0OBBYEFJapFKg6tNNAyKGFfa5sCi4JO2s6MB8G
- A1UdIwQYMBaAFI+4IY8G5Qq3AqfZbcjwzc2Cj38XMFgGA1UdHwRRME8wTaBLoEmGR3JzeW5j
- Oi8vbG9jYWxob3N0OjQ0MDAvdGVzdGJlZC9SSVIvUjAvMS9qN2doandibENyY0NwOWx0eVBE
- TnpZS1BmeGMuY3JsMGAGCCsGAQUFBwEBBFQwUjBQBggrBgEFBQcwAoZEcnN5bmM6Ly9sb2Nh
- bGhvc3Q6NDQwMC90ZXN0YmVkL1JJUi8xL2o3Z2hqd2JsQ3JjQ3A5bHR5UEROellLUGZ4Yy5j
- ZXIwGAYDVR0gAQH/BA4wDDAKBggrBgEFBQcOAjAOBgNVHQ8BAf8EBAMCB4AwYwYIKwYBBQUH
- AQsEVzBVMFMGCCsGAQUFBzALhkdyc3luYzovL2xvY2FsaG9zdDo0NDAwL3Rlc3RiZWQvUklS
- L1IwLzEvbHFrVXFEcTAwMERJb1lWOXJtd0tMZ2s3YXpvLnJvYTAgBggrBgEFBQcBBwEB/wQR
- MA8wDQQCAAEwBwMFAAoDACwwDQYJKoZIhvcNAQELBQADggEBAL8iHwsyGOYhhIf3nVuL361y
- TOJSP8SR0mtQLHULPl+GkYk+5MRNWtL8ucTXFvniYJtOCXEGGEIO9eDXvkQIXQSz/qbF9URQ
- fuf38ghRza257syVhal6UHTgCFYuRIO9CUjcU1vkWUxH05BBIHlYdtlIQbAG/mRsCPCEgSmG
- bbQaomGlUOqmJMlKxLLcoAtz2vDrwVotgHyfS5h2mgINFjnlLcNLTci+sfs7/aQAkDYx7K98
- se/ZlMorvGkFNhHoOTcGIrWkYsfkbTygVwWRm278PaB3o4449Kvsg/gb8BZeHXRs68cr5Mcf
- jP7Q6jeypjTgDBnwb1yzoJIKWszFuSgxggGqMIIBpgIBA4AUlqkUqDq000DIoYV9rmwKLgk7
- azowCwYJYIZIAWUDBAIBoGswGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEYMBwGCSqGSIb3
- DQEJBTEPFw0wODA1MjIxNzU4MjRaMC8GCSqGSIb3DQEJBDEiBCDCyf9v9Wed515TRp2WwnyM
- 1rk6dB///X+aqIym2e9jdTANBgkqhkiG9w0BAQEFAASCAQAFvzrHeRPW+wn4WSyoyBEq0zKS
- Cyh5tu1qTR0NHs6Rr/p8Pk81P1HQLND/U+znJZKLWlO2niEHUXPIicPDYchbj8ApH9VxKA+1
- lCWllOzFAsYyZFr3/VNs9pVp2eT4F9eEYBrBVDSNrD72MMTlWm1T5MEXqltTJJOCKzUEX96x
- 91iW6A+4erop7S8hpCnxqkTin4bFVreqYcGc4CC4bh+L9pPqJnURcEk7Qeu/WEHQBm38voB4
- S11qRZNrJMQ99oiJR7hXDIBm66HjGqoUL2gPCfpgJEVVnM9pVv2k889z4eTTck2Qj54gga2W
- Xkvw4Je420aDx88s9T2+PqXcbZ4g
- </roa>
+ <manifest action="publish" uri="rsync://wombat.invalid/testbed/RIR/R0/1/j7ghjwblCrcCp9ltyPDNzYKPfxc.mnf">
+ MIIHCgYJKoZIhvcNAQcCoIIG+zCCBvcCAQMxDTALBglghkgBZQMEAgEwggEeBgsqhkiG9w0B
+ CRABGqCCAQ0EggEJMIIBBQIBEhgPMjAwODA1MjIxODA1MTVaGA8yMDA4MDUyMjE4MDYxNVoG
+ CWCGSAFlAwQCATCB0jBEFh9ZbTVUTzRJYnlDb0pNZ3E2R2o4dG41Mng5U0UuY2VyAyEA4L8Z
+ WMyuhOx+o6kUfsRR++QjSaRaATy4UOeVtjvZVqYwRBYfWnRxbjB3NEVFbU9hclAzQmd1SUY3
+ MDhhNTM4LmNlcgMhAGQI1gYJotxWmwzcmpLNFZJ656uWOjcPYANlbNz80xm8MEQWH2xxa1Vx
+ RHEwMDBESW9ZVjlybXdLTGdrN2F6by5jZXIDIQB7jRAEpkPvc4s4PX9vDvnTifj3BIE145FO
+ 1ne2kEejVqCCBBEwggQNMIIC9aADAgECAgEFMA0GCSqGSIb3DQEBCwUAMDMxMTAvBgNVBAMT
+ KDhGQjgyMThGMDZFNTBBQjcwMkE3RDk2REM4RjBDRENEODI4RjdGMTcwHhcNMDgwNTIyMTc1
+ NzQ5WhcNMDgwNTI0MTc1NDUzWjAzMTEwLwYDVQQDEyhERkRBMjMyMUJENEVCMDNFQTE1RkUy
+ N0NGRkRGMEFGRkU1QjBFNjY4MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2/Gk
+ AHW5pDqye0+TvUp7sl0rVgmTfeHpVp18ypxvuovogVJgkjEtBEikfaFU0646wYD6JM6IJFJX
+ lWLWd7bVmhkWViKuZL0VmT2wpUToNHCLUGUQUVVX8R7oSHFdTArv2AqH+6yt0LmczDH1y2M6
+ 2Tgkz9wZ9ryyuPx3VX4PkHzUMlkGFICj1fvyXkcAu8jBaxR9UME1c413TPaMi6lMh1HUmtVN
+ LJMP5+/SnwEAW/Z3dPClCFIgQXK3nAKPVzAIwADEiqhK7cSchhO7ikI1CVt0XzG4n7oaILc3
+ Hq/DAxyiutw5GlkUlKPri2YJzJ3+H4P+TveSa/b02fVA5csm/QIDAQABo4IBKjCCASYwHQYD
+ VR0OBBYEFN/aIyG9TrA+oV/ifP/fCv/lsOZoMB8GA1UdIwQYMBaAFI+4IY8G5Qq3AqfZbcjw
+ zc2Cj38XMFgGA1UdHwRRME8wTaBLoEmGR3JzeW5jOi8vbG9jYWxob3N0OjQ0MDAvdGVzdGJl
+ ZC9SSVIvUjAvMS9qN2doandibENyY0NwOWx0eVBETnpZS1BmeGMuY3JsMGAGCCsGAQUFBwEB
+ BFQwUjBQBggrBgEFBQcwAoZEcnN5bmM6Ly9sb2NhbGhvc3Q6NDQwMC90ZXN0YmVkL1JJUi8x
+ L2o3Z2hqd2JsQ3JjQ3A5bHR5UEROellLUGZ4Yy5jZXIwGAYDVR0gAQH/BA4wDDAKBggrBgEF
+ BQcOAjAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBADpsE9HfgVTgmX1WeJTE
+ fm87CXuOoGH85RFiAngSt5kR4gYCyadklOZ7Eta+ERUZVu4tcKO6sJOTuHPfVrAvR0VpgH+j
+ PvXboYWSfwJdi00BC28ScrVM2zarA7B10+J6Oq8tbFlAyVBkrbuPet/axmndBtGWhrBTynGl
+ nc/5L371Lxy6CrOYqXO0Qx3SrOKaailAe3zTIpHQeACqnPdL00zIBw/hVy/VNaH1wy+FmhAz
+ TsmsQUrMyovJcu/ry5w0KHlP8BTnqfykikCWR+Lw0VQHmpJGAbtrmsOeIbfLY1zl7A81lDAl
+ AG/ZH1DUdDOUIXMLHWur+D2rwjp7RL16LHYxggGqMIIBpgIBA4AU39ojIb1OsD6hX+J8/98K
+ /+Ww5mgwCwYJYIZIAWUDBAIBoGswGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEaMBwGCSqG
+ SIb3DQEJBTEPFw0wODA1MjIxODA1MTVaMC8GCSqGSIb3DQEJBDEiBCBj/GjEQw3LgKPf5DTz
+ 8eu1fcp6/cQjqqne6ZqFkF42azANBgkqhkiG9w0BAQEFAASCAQBOY0uHNMwy/o1nFANSgha5
+ PZxt8fz+wTrbeomCb+lxqQKq1clcSiQORVGc8NmqC8sS5OR3eTw/3qnK9yPHxz2UQ4hn1pBa
+ +Zy5veM61qMaXCw6w98EyNcvUfA1AkezAjkabfHQDs3o4Ezh49thXXyRcBoF+O6Lmi+LZbT2
+ 4jvfFbaXW9zsb6/DaoDkeHnlk+YYgfSP4wOnkK5uqxtDW8QpMPq3GGdIp0oJDkzEdj7VsWIL
+ 9JP2mxxL8fTPVUyAPOmURYwYDXqhke2O9eVDiCYhrEfB8/84Rint4Cj8n5aCujnAtqtwxHpD
+ 0NRYO/V1MjhG+ARy1vRH1Dm0r92RBam3
+ </manifest>
</msg>
diff --git a/rpkid/publication-protocol-samples/pdu.024.xml b/rpkid/publication-protocol-samples/pdu.024.xml
index 8f4c22dc..8fb07898 100644
--- a/rpkid/publication-protocol-samples/pdu.024.xml
+++ b/rpkid/publication-protocol-samples/pdu.024.xml
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="reply">
- <roa action="publish" uri="rsync://wombat.invalid/testbed/RIR/R0/1/lqkUqDq000DIoYV9rmwKLgk7azo.roa"/>
+ <manifest action="publish" uri="rsync://wombat.invalid/testbed/RIR/R0/1/j7ghjwblCrcCp9ltyPDNzYKPfxc.mnf"/>
</msg>
diff --git a/rpkid/publication-protocol-samples/pdu.025.xml b/rpkid/publication-protocol-samples/pdu.025.xml
index 6319d0be..22639575 100644
--- a/rpkid/publication-protocol-samples/pdu.025.xml
+++ b/rpkid/publication-protocol-samples/pdu.025.xml
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="query">
- <roa action="withdraw" uri="rsync://wombat.invalid/testbed/RIR/R0/1/lqkUqDq000DIoYV9rmwKLgk7azo.roa"/>
+ <manifest action="withdraw" uri="rsync://wombat.invalid/testbed/RIR/R0/1/j7ghjwblCrcCp9ltyPDNzYKPfxc.mnf"/>
</msg>
diff --git a/rpkid/publication-protocol-samples/pdu.026.xml b/rpkid/publication-protocol-samples/pdu.026.xml
index a0dc50a9..951dde35 100644
--- a/rpkid/publication-protocol-samples/pdu.026.xml
+++ b/rpkid/publication-protocol-samples/pdu.026.xml
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="reply">
- <roa action="withdraw" uri="rsync://wombat.invalid/testbed/RIR/R0/1/lqkUqDq000DIoYV9rmwKLgk7azo.roa"/>
+ <manifest action="withdraw" uri="rsync://wombat.invalid/testbed/RIR/R0/1/j7ghjwblCrcCp9ltyPDNzYKPfxc.mnf"/>
</msg>
diff --git a/rpkid/publication-protocol-samples/pdu.027.xml b/rpkid/publication-protocol-samples/pdu.027.xml
index 544c817e..0a4608b4 100644
--- a/rpkid/publication-protocol-samples/pdu.027.xml
+++ b/rpkid/publication-protocol-samples/pdu.027.xml
@@ -1,5 +1,38 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
-<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="reply">
- <report_error error_code="your_hair_is_on_fire">text string</report_error>
+<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="query">
+ <roa action="publish" uri="rsync://wombat.invalid/testbed/RIR/R0/1/lqkUqDq000DIoYV9rmwKLgk7azo.roa">
+ MIIGmwYJKoZIhvcNAQcCoIIGjDCCBogCAQMxDTALBglghkgBZQMEAgEwKgYLKoZIhvcNAQkQ
+ ARigGwQZMBcCAgKaMBEwDwQCAAEwCTAHAwUACgMALKCCBJgwggSUMIIDfKADAgECAgEJMA0G
+ CSqGSIb3DQEBCwUAMDMxMTAvBgNVBAMTKDhGQjgyMThGMDZFNTBBQjcwMkE3RDk2REM4RjBD
+ RENEODI4RjdGMTcwHhcNMDgwNTIyMTc1ODI0WhcNMDgwNTI0MTc1NDUzWjAzMTEwLwYDVQQD
+ Eyg5NkE5MTRBODNBQjREMzQwQzhBMTg1N0RBRTZDMEEyRTA5M0I2QjNBMIIBIjANBgkqhkiG
+ 9w0BAQEFAAOCAQ8AMIIBCgKCAQEApoK50BjW5bcF4gsdaYhndtVADZvQk3RCsvuqDElF6uLi
+ 9BYQq/NHyDOIMyJtvCmzjdv3Y135n1sNO7YvssqHlt7dMfCQTD5ND1GpFnQLdWP7stWM5AbO
+ nJV6+PtDITUA/QHOli7Do0YCUgR6G+1QJsMu0DK+TRSzBJ6WP7WIYOBOOg3y/NKc1rkWhS1Q
+ dcQepbHgQYZHzzpjNDR6+oYVuhuUEWx1P6O4pv/p+tpE0SDua7jBjMywIYHkPQBecf2IX1RU
+ WNojB9dJlnRx5YUUneP2SvF2MrmdDbclgzwhf6alqD2OjiMuoBOG8yeTKcuhzCMnrFAklbst
+ 6x3Rnq9BswIDAQABo4IBsTCCAa0wHQYDVR0OBBYEFJapFKg6tNNAyKGFfa5sCi4JO2s6MB8G
+ A1UdIwQYMBaAFI+4IY8G5Qq3AqfZbcjwzc2Cj38XMFgGA1UdHwRRME8wTaBLoEmGR3JzeW5j
+ Oi8vbG9jYWxob3N0OjQ0MDAvdGVzdGJlZC9SSVIvUjAvMS9qN2doandibENyY0NwOWx0eVBE
+ TnpZS1BmeGMuY3JsMGAGCCsGAQUFBwEBBFQwUjBQBggrBgEFBQcwAoZEcnN5bmM6Ly9sb2Nh
+ bGhvc3Q6NDQwMC90ZXN0YmVkL1JJUi8xL2o3Z2hqd2JsQ3JjQ3A5bHR5UEROellLUGZ4Yy5j
+ ZXIwGAYDVR0gAQH/BA4wDDAKBggrBgEFBQcOAjAOBgNVHQ8BAf8EBAMCB4AwYwYIKwYBBQUH
+ AQsEVzBVMFMGCCsGAQUFBzALhkdyc3luYzovL2xvY2FsaG9zdDo0NDAwL3Rlc3RiZWQvUklS
+ L1IwLzEvbHFrVXFEcTAwMERJb1lWOXJtd0tMZ2s3YXpvLnJvYTAgBggrBgEFBQcBBwEB/wQR
+ MA8wDQQCAAEwBwMFAAoDACwwDQYJKoZIhvcNAQELBQADggEBAL8iHwsyGOYhhIf3nVuL361y
+ TOJSP8SR0mtQLHULPl+GkYk+5MRNWtL8ucTXFvniYJtOCXEGGEIO9eDXvkQIXQSz/qbF9URQ
+ fuf38ghRza257syVhal6UHTgCFYuRIO9CUjcU1vkWUxH05BBIHlYdtlIQbAG/mRsCPCEgSmG
+ bbQaomGlUOqmJMlKxLLcoAtz2vDrwVotgHyfS5h2mgINFjnlLcNLTci+sfs7/aQAkDYx7K98
+ se/ZlMorvGkFNhHoOTcGIrWkYsfkbTygVwWRm278PaB3o4449Kvsg/gb8BZeHXRs68cr5Mcf
+ jP7Q6jeypjTgDBnwb1yzoJIKWszFuSgxggGqMIIBpgIBA4AUlqkUqDq000DIoYV9rmwKLgk7
+ azowCwYJYIZIAWUDBAIBoGswGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEYMBwGCSqGSIb3
+ DQEJBTEPFw0wODA1MjIxNzU4MjRaMC8GCSqGSIb3DQEJBDEiBCDCyf9v9Wed515TRp2WwnyM
+ 1rk6dB///X+aqIym2e9jdTANBgkqhkiG9w0BAQEFAASCAQAFvzrHeRPW+wn4WSyoyBEq0zKS
+ Cyh5tu1qTR0NHs6Rr/p8Pk81P1HQLND/U+znJZKLWlO2niEHUXPIicPDYchbj8ApH9VxKA+1
+ lCWllOzFAsYyZFr3/VNs9pVp2eT4F9eEYBrBVDSNrD72MMTlWm1T5MEXqltTJJOCKzUEX96x
+ 91iW6A+4erop7S8hpCnxqkTin4bFVreqYcGc4CC4bh+L9pPqJnURcEk7Qeu/WEHQBm38voB4
+ S11qRZNrJMQ99oiJR7hXDIBm66HjGqoUL2gPCfpgJEVVnM9pVv2k889z4eTTck2Qj54gga2W
+ Xkvw4Je420aDx88s9T2+PqXcbZ4g
+ </roa>
</msg>
diff --git a/rpkid/publication-protocol-samples/pdu.028.xml b/rpkid/publication-protocol-samples/pdu.028.xml
index 3e9f8c77..8f4c22dc 100644
--- a/rpkid/publication-protocol-samples/pdu.028.xml
+++ b/rpkid/publication-protocol-samples/pdu.028.xml
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="US-ASCII"?>
<!--Automatically generated, do not edit.-->
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="reply">
- <report_error error_code="your_hair_is_on_fire"/>
+ <roa action="publish" uri="rsync://wombat.invalid/testbed/RIR/R0/1/lqkUqDq000DIoYV9rmwKLgk7azo.roa"/>
</msg>
diff --git a/rpkid/publication-protocol-samples/pdu.029.xml b/rpkid/publication-protocol-samples/pdu.029.xml
new file mode 100644
index 00000000..6319d0be
--- /dev/null
+++ b/rpkid/publication-protocol-samples/pdu.029.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="query">
+ <roa action="withdraw" uri="rsync://wombat.invalid/testbed/RIR/R0/1/lqkUqDq000DIoYV9rmwKLgk7azo.roa"/>
+</msg>
diff --git a/rpkid/publication-protocol-samples/pdu.030.xml b/rpkid/publication-protocol-samples/pdu.030.xml
new file mode 100644
index 00000000..a0dc50a9
--- /dev/null
+++ b/rpkid/publication-protocol-samples/pdu.030.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="reply">
+ <roa action="withdraw" uri="rsync://wombat.invalid/testbed/RIR/R0/1/lqkUqDq000DIoYV9rmwKLgk7azo.roa"/>
+</msg>
diff --git a/rpkid/publication-protocol-samples/pdu.031.xml b/rpkid/publication-protocol-samples/pdu.031.xml
new file mode 100644
index 00000000..544c817e
--- /dev/null
+++ b/rpkid/publication-protocol-samples/pdu.031.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="reply">
+ <report_error error_code="your_hair_is_on_fire">text string</report_error>
+</msg>
diff --git a/rpkid/publication-protocol-samples/pdu.032.xml b/rpkid/publication-protocol-samples/pdu.032.xml
new file mode 100644
index 00000000..3e9f8c77
--- /dev/null
+++ b/rpkid/publication-protocol-samples/pdu.032.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<!--Automatically generated, do not edit.-->
+<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" version="1" type="reply">
+ <report_error error_code="your_hair_is_on_fire"/>
+</msg>
diff --git a/rpkid/publication-schema.rnc b/rpkid/publication-schema.rnc
index 8573f7f1..be815100 100644
--- a/rpkid/publication-schema.rnc
+++ b/rpkid/publication-schema.rnc
@@ -16,10 +16,10 @@ start = element msg {
}
# PDUs allowed in a query
-query_elt = ( client_query | certificate_query | crl_query | manifest_query | roa_query )
+query_elt = ( config_query | client_query | certificate_query | crl_query | manifest_query | roa_query )
# PDUs allowed in a reply
-reply_elt = ( client_reply | certificate_reply | crl_reply | manifest_reply | roa_reply | report_error_reply )
+reply_elt = ( config_reply | client_reply | certificate_reply | crl_reply | manifest_reply | roa_reply | report_error_reply )
# Tag attributes for bulk operations
tag = attribute tag { xsd:token {maxLength="1024" } }
@@ -31,6 +31,16 @@ base64 = xsd:base64Binary { maxLength="512000" }
uri_t = xsd:anyURI { maxLength="4096" }
uri = attribute uri { uri_t }
+# <config/> element (use restricted to repository operator)
+# config_id attribute and list command omitted deliberately, see code for details
+
+config_payload = (element bpki_crl { base64 }?)
+
+config_query |= element config { attribute action { "set" }, tag?, config_payload }
+config_reply |= element config { attribute action { "set" }, tag? }
+config_query |= element config { attribute action { "get" }, tag? }
+config_reply |= element config { attribute action { "get" }, tag?, config_payload }
+
# <client/> element (use restricted to repository operator)
client_id = attribute client_id { xsd:nonNegativeInteger }
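Review bot: `config_payload` makes `bpki_crl` optional, so `<config action="set"/>` with no CRL validates, and neither the comment nor the grammar says whether that clears the stored BPKI CRL or leaves it alone. The commit also adds `CMSCRLNotSet`, so a set that silently empties the CRL would presumably break whatever raises it. If clearing is not intended, require the element in the set query, e.g. `config_query |= element config { attribute action { "set" }, tag?, element bpki_crl { base64 } }`; otherwise state the semantics in the comment above `config_payload`. The "restricted to repository operator" rule lives only in that comment, while the first hunk puts `config_query` in the same `query_elt` choice as the client PDUs, so the check has to be in pubd's dispatch, which is not visible here. The `.rng` hunks below carry the same definitions and would need the same change.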
diff --git a/rpkid/publication-schema.rng b/rpkid/publication-schema.rng
index 77cc6561..5f0b31ae 100644
--- a/rpkid/publication-schema.rng
+++ b/rpkid/publication-schema.rng
@@ -39,6 +39,7 @@
<!-- PDUs allowed in a query -->
<define name="query_elt">
<choice>
+ <ref name="config_query"/>
<ref name="client_query"/>
<ref name="certificate_query"/>
<ref name="crl_query"/>
@@ -49,6 +50,7 @@
<!-- PDUs allowed in a reply -->
<define name="reply_elt">
<choice>
+ <ref name="config_reply"/>
<ref name="client_reply"/>
<ref name="certificate_reply"/>
<ref name="crl_reply"/>
@@ -82,6 +84,59 @@
<ref name="uri_t"/>
</attribute>
</define>
+ <!--
+ <config/> element (use restricted to repository operator)
+ config_id attribute and list command omitted deliberately, see code for details
+ -->
+ <define name="config_payload">
+ <optional>
+ <element name="bpki_crl">
+ <ref name="base64"/>
+ </element>
+ </optional>
+ </define>
+ <define name="config_query" combine="choice">
+ <element name="config">
+ <attribute name="action">
+ <value>set</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="config_payload"/>
+ </element>
+ </define>
+ <define name="config_reply" combine="choice">
+ <element name="config">
+ <attribute name="action">
+ <value>set</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ </element>
+ </define>
+ <define name="config_query" combine="choice">
+ <element name="config">
+ <attribute name="action">
+ <value>get</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ </element>
+ </define>
+ <define name="config_reply" combine="choice">
+ <element name="config">
+ <attribute name="action">
+ <value>get</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="config_payload"/>
+ </element>
+ </define>
<!-- <client/> element (use restricted to repository operator) -->
<define name="client_id">
<attribute name="client_id">
diff --git a/rpkid/rpki/exceptions.py b/rpkid/rpki/exceptions.py
index 91f7e351..b3db4737 100644
--- a/rpkid/rpki/exceptions.py
+++ b/rpkid/rpki/exceptions.py
@@ -120,3 +120,6 @@ class MissingCMSCRL(RPKI_Exception):
class UnparsableCMSDER(RPKI_Exception):
"""Alleged CMS DER wasn't parsable."""
+
+class CMSCRLNotSet(RPKI_Exception):
+ """CMS CRL has not been configured."""
diff --git a/rpkid/rpki/left_right.py b/rpkid/rpki/left_right.py
index 900d5e16..04f35529 100644
--- a/rpkid/rpki/left_right.py
+++ b/rpkid/rpki/left_right.py
@@ -141,31 +141,6 @@ class self_elt(data_elt):
"""
return self.sql_fetch_all(self.gctx)
- def startElement(self, stack, name, attrs):
- """Handle <self/> element."""
- if name not in ("bpki_cert", "bpki_glue"):
- assert name == "self", "Unexpected name %s, stack %s" % (name, stack)
- self.read_attrs(attrs)
-
- def endElement(self, stack, name, text):
- """Handle <self/> element."""
- if name == "bpki_cert":
- self.bpki_cert = rpki.x509.X509(Base64 = text)
- elif name == "bpki_glue":
- self.bpki_glue = rpki.x509.X509(Base64 = text)
- else:
- assert name == "self", "Unexpected name %s, stack %s" % (name, stack)
- stack.pop()
-
- def toXML(self):
- """Generate <self/> element."""
- elt = self.make_elt()
- if self.bpki_cert and not self.bpki_cert.empty():
- self.make_b64elt(elt, "bpki_cert", self.bpki_cert.get_DER())
- if self.bpki_glue and not self.bpki_glue.empty():
- self.make_b64elt(elt, "bpki_glue", self.bpki_glue.get_DER())
- return elt
-
def client_poll(self):
"""Run the regular client poll cycle with each of this self's parents in turn."""
@@ -261,7 +236,7 @@ class bsc_elt(data_elt):
element_name = "bsc"
attributes = ("action", "tag", "self_id", "bsc_id", "key_type", "hash_alg", "key_length")
- elements = ("signing_cert", "signing_cert_crl")
+ elements = ("pkcs10_request", "signing_cert", "signing_cert_crl")
booleans = ("generate_keypair",)
sql_template = rpki.sql.template("bsc", "bsc_id", "self_id", "hash_alg",
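Review bot: `elements` now lists only names, whereas the `endElement` this commit removes from `bsc_elt` (next hunk) chose a type per element: `rpki.x509.X509` for `signing_cert`, `rpki.x509.CRL` for `signing_cert_crl`, `rpki.x509.PKCS10` for `pkcs10_request`. The generic handler that replaces it is not in this hunk, so it is worth confirming that it decodes each name with the right class rather than one default. It should also emit elements in an order the schema accepts, since `pkcs10_request` moves from last in the removed `toXML` to first in the tuple. Once that is verified, a comment on the tuple would help, for example `# element name -> rpki.x509 class is resolved by the base class; order here is the order emitted`. `bsc_elt` starts and continues outside the hunk.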
@@ -299,35 +274,6 @@ class bsc_elt(data_elt):
self.pkcs10_request = rpki.x509.PKCS10.create(keypair)
r_pdu.pkcs10_request = self.pkcs10_request
- def startElement(self, stack, name, attrs):
- """Handle <bsc/> element."""
- if name not in ("pkcs10_request", "signing_cert", "signing_cert_crl"):
- assert name == "bsc", "Unexpected name %s, stack %s" % (name, stack)
- self.read_attrs(attrs)
-
- def endElement(self, stack, name, text):
- """Handle <bsc/> element."""
- if name == "signing_cert":
- self.signing_cert = rpki.x509.X509(Base64 = text)
- elif name == "signing_cert_crl":
- self.signing_cert_crl = rpki.x509.CRL(Base64 = text)
- elif name == "pkcs10_request":
- self.pkcs10_request = rpki.x509.PKCS10(Base64 = text)
- else:
- assert name == "bsc", "Unexpected name %s, stack %s" % (name, stack)
- stack.pop()
-
- def toXML(self):
- """Generate <bsc/> element."""
- elt = self.make_elt()
- if self.signing_cert is not None:
- self.make_b64elt(elt, "signing_cert", self.signing_cert.get_DER())
- if self.signing_cert_crl is not None:
- self.make_b64elt(elt, "signing_cert_crl", self.signing_cert_crl.get_DER())
- if self.pkcs10_request is not None:
- self.make_b64elt(elt, "pkcs10_request", self.pkcs10_request.get_DER())
- return elt
-
class parent_elt(data_elt):
"""<parent/> element."""
@@ -373,39 +319,6 @@ class parent_elt(data_elt):
for ca in self.cas():
ca.revoke()
- def startElement(self, stack, name, attrs):
- """Handle <parent/> element."""
- if name not in ("bpki_cms_cert", "bpki_cms_glue", "bpki_https_cert", "bpki_https_glue"):
- assert name == "parent", "Unexpected name %s, stack %s" % (name, stack)
- self.read_attrs(attrs)
-
- def endElement(self, stack, name, text):
- """Handle <parent/> element."""
- if name == "bpki_cms_cert":
- self.bpki_cms_cert = rpki.x509.X509(Base64 = text)
- elif name == "bpki_cms_glue":
- self.bpki_cms_glue = rpki.x509.X509(Base64 = text)
- elif name == "bpki_https_cert":
- self.bpki_https_cert = rpki.x509.X509(Base64 = text)
- elif name == "bpki_https_glue":
- self.bpki_https_glue = rpki.x509.X509(Base64 = text)
- else:
- assert name == "parent", "Unexpected name %s, stack %s" % (name, stack)
- stack.pop()
-
- def toXML(self):
- """Generate <parent/> element."""
- elt = self.make_elt()
- if self.bpki_cms_cert and not self.bpki_cms_cert.empty():
- self.make_b64elt(elt, "bpki_cms_cert", self.bpki_cms_cert.get_DER())
- if self.bpki_cms_glue and not self.bpki_cms_glue.empty():
- self.make_b64elt(elt, "bpki_cms_glue", self.bpki_cms_glue.get_DER())
- if self.bpki_https_cert and not self.bpki_https_cert.empty():
- self.make_b64elt(elt, "bpki_https_cert", self.bpki_https_cert.get_DER())
- if self.bpki_https_glue and not self.bpki_https_glue.empty():
- self.make_b64elt(elt, "bpki_https_glue", self.bpki_https_glue.get_DER())
- return elt
-
def query_up_down(self, q_pdu):
"""Client code for sending one up-down query PDU to this parent.
@@ -492,32 +405,14 @@ class child_elt(data_elt):
self.gctx.clear_https_ta_cache()
self.clear_https_ta_cache = False
- def startElement(self, stack, name, attrs):
- """Handle <child/> element."""
- if name not in ("bpki_cert", "bpki_glue"):
- assert name == "child", "Unexpected name %s, stack %s" % (name, stack)
- self.read_attrs(attrs)
-
def endElement(self, stack, name, text):
- """Handle <child/> element."""
- if name == "bpki_cert":
- self.bpki_cert = rpki.x509.X509(Base64 = text)
- self.clear_https_ta_cache = True
- elif name == "bpki_glue":
- self.bpki_glue = rpki.x509.X509(Base64 = text)
+ """Handle subelements of <child/> element. These require special
+ handling because modifying them invalidates the HTTPS trust anchor
+ cache.
+ """
+ rpki.xml_utils.data_elt.endElement(self, stack, name, text)
+ if name in self.elements:
self.clear_https_ta_cache = True
- else:
- assert name == "child", "Unexpected name %s, stack %s" % (name, stack)
- stack.pop()
-
- def toXML(self):
- """Generate <child/> element."""
- elt = self.make_elt()
- if self.bpki_cert and not self.bpki_cert.empty():
- self.make_b64elt(elt, "bpki_cert", self.bpki_cert.get_DER())
- if self.bpki_glue and not self.bpki_glue.empty():
- self.make_b64elt(elt, "bpki_glue", self.bpki_glue.get_DER())
- return elt
def serve_up_down(self, query):
"""Outer layer of server handling for one up-down PDU from this child."""
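Review bot: The new `endElement` reaches its parent through the fully qualified `rpki.xml_utils.data_elt.endElement(self, stack, name, text)`, while the hunk header shows `child_elt` deriving from an unqualified `data_elt`. If that is a module-local subclass (its definition is outside this hunk), any `endElement` it later gains would be skipped. `client_elt` in publication.py calls its direct base (`control_elt.endElement`), so `data_elt.endElement(self, stack, name, text)` here would keep the two consistent. Keying the cache flag on `name in self.elements` means a sub-element later added to the tuple also invalidates the HTTPS trust anchor cache; a short comment saying that is deliberate would help.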
@@ -569,39 +464,6 @@ class repository_elt(data_elt):
"""Fetch all parent objects that link to this repository object."""
return parent_elt.sql_fetch_where(self.gctx, "repository_id = %s", (self.repository_id,))
- def startElement(self, stack, name, attrs):
- """Handle <repository/> element."""
- if name not in ("bpki_cms_cert", "bpki_cms_glue", "bpki_https_cert", "bpki_https_glue"):
- assert name == "repository", "Unexpected name %s, stack %s" % (name, stack)
- self.read_attrs(attrs)
-
- def endElement(self, stack, name, text):
- """Handle <repository/> element."""
- if name == "bpki_cms_cert":
- self.bpki_cms_cert = rpki.x509.X509(Base64 = text)
- elif name == "bpki_cms_glue":
- self.bpki_cms_glue = rpki.x509.X509(Base64 = text)
- elif name == "bpki_https_cert":
- self.bpki_https_cert = rpki.x509.X509(Base64 = text)
- elif name == "bpki_https_glue":
- self.bpki_https_glue = rpki.x509.X509(Base64 = text)
- else:
- assert name == "repository", "Unexpected name %s, stack %s" % (name, stack)
- stack.pop()
-
- def toXML(self):
- """Generate <repository/> element."""
- elt = self.make_elt()
- if self.bpki_cms_cert:
- self.make_b64elt(elt, "bpki_cms_cert", self.bpki_cms_cert.get_DER())
- if self.bpki_cms_glue:
- self.make_b64elt(elt, "bpki_cms_glue", self.bpki_cms_glue.get_DER())
- if self.bpki_https_cert:
- self.make_b64elt(elt, "bpki_https_cert", self.bpki_https_cert.get_DER())
- if self.bpki_https_glue:
- self.make_b64elt(elt, "bpki_https_glue", self.bpki_https_glue.get_DER())
- return elt
-
@staticmethod
def uri_to_filename(base, uri):
"""Convert a URI to a filename. [TEMPORARY]"""
@@ -715,7 +577,9 @@ class route_origin_elt(data_elt):
self.unimplemented_control("suppress_publication")
def startElement(self, stack, name, attrs):
- """Handle <route_origin/> element."""
+ """Handle <route_origin/> element. This requires special
+ processing due to the data types of some of the attributes.
+ """
assert name == "route_origin", "Unexpected name %s, stack %s" % (name, stack)
self.read_attrs(attrs)
if self.as_number is not None:
@@ -725,15 +589,6 @@ class route_origin_elt(data_elt):
if self.ipv6 is not None:
self.ipv6 = rpki.resource_set.roa_prefix_set_ipv6(self.ipv6)
- def endElement(self, stack, name, text):
- """Handle <route_origin/> element."""
- assert name == "route_origin", "Unexpected name %s, stack %s" % (name, stack)
- stack.pop()
-
- def toXML(self):
- """Generate <route_origin/> element."""
- return self.make_elt()
-
def update_roa(self):
"""Bring this route_origin's ROA up to date if necesssary."""
@@ -884,7 +739,9 @@ class list_resources_elt(rpki.xml_utils.base_elt, left_right_namespace):
valid_until = None
def startElement(self, stack, name, attrs):
- """Handle <list_resources/> element."""
+ """Handle <list_resources/> element. This requires special
+ handling due to the data types of some of the attributes.
+ """
assert name == "list_resources", "Unexpected name %s, stack %s" % (name, stack)
self.read_attrs(attrs)
if isinstance(self.valid_until, str):
@@ -897,7 +754,9 @@ class list_resources_elt(rpki.xml_utils.base_elt, left_right_namespace):
self.ipv6 = rpki.resource_set.resource_set_ipv6(self.ipv6)
def toXML(self):
- """Generate <list_resources/> element."""
+ """Generate <list_resources/> element. This requires special
+ handling due to the data types of some of the attributes.
+ """
elt = self.make_elt()
if isinstance(self.valid_until, int):
elt.set("valid_until", self.valid_until.toXMLtime())
@@ -909,15 +768,6 @@ class report_error_elt(rpki.xml_utils.base_elt, left_right_namespace):
element_name = "report_error"
attributes = ("tag", "self_id", "error_code")
- def startElement(self, stack, name, attrs):
- """Handle <report_error/> element."""
- assert name == self.element_name, "Unexpected name %s, stack %s" % (name, stack)
- self.read_attrs(attrs)
-
- def toXML(self):
- """Generate <report_error/> element."""
- return self.make_elt()
-
@classmethod
def from_exception(cls, exc, self_id = None):
"""Generate a <report_error/> element from an exception."""
diff --git a/rpkid/rpki/publication.py b/rpkid/rpki/publication.py
index 07fffa83..82ff30ff 100644
--- a/rpkid/rpki/publication.py
+++ b/rpkid/rpki/publication.py
@@ -26,7 +26,68 @@ class publication_namespace(object):
xmlns = "http://www.hactrn.net/uris/rpki/publication-spec/"
nsmap = { None : xmlns }
-class client_elt(rpki.xml_utils.data_elt, rpki.sql.sql_persistant, publication_namespace):
+class control_elt(rpki.xml_utils.data_elt, rpki.sql.sql_persistant, publication_namespace):
+ """Virtual class for control channel objects."""
+
+ def serve_dispatch(self, r_msg, client):
+ """Action dispatch handler. This needs special handling because
+ we need to make sure that this PDU arrived via the control channel.
+ """
+ if client is not None:
+ raise rpki.exceptions.BadQuery, "Control query received on client channel"
+ rpki.xml_utils.data_elt.serve_dispatch(self, r_msg)
+
+class config_elt(control_elt):
+ """<config/> element. This is a little weird because there should
+ never be more than one row in the SQL config table, but we have to
+ put the BPKI CRL somewhere and SQL is the least bad place available.
+
+ So we reuse a lot of the SQL machinery, but we nail config_id at 1,
+ we don't expose it in the XML protocol, and we only support the get
+ and set actions.
+ """
+
+ attributes = ("action", "tag")
+ element_name = "config"
+ elements = ("bpki_crl",)
+
+ sql_template = rpki.sql.template("config", "config_id", ("bpki_crl", rpki.x509.CRL))
+
+ wired_in_config_id = 1
+
+ def startElement(self, stack, name, attrs):
+ """StartElement() handler for config object. This requires
+ special handling because of the weird way we treat config_id.
+ """
+ control_elt.startElement(self, stack, name, attrs)
+ self.config_id = self.wired_in_config_id
+
+ @classmethod
+ def fetch(cls, gctx):
+ """Fetch the config object from SQL. This requires special
+ handling because of the weird way we treat config_id.
+ """
+ return cls.sql_fetch(gctx, cls.wired_in_config_id)
+
+ def serve_set(self, r_msg):
+ """Handle a set action. This requires special handling because
+ config we don't support the create method.
+ """
+ if self.sql_fetch(self.gctx, self.config_id) is None:
+ control_elt.serve_create(self, r_msg)
+ else:
+ control_elt.serve_set(self, r_msg)
+
+ def serve_fetch_one(self):
+ """Find the config object on which a get or set method should
+ operate.
+ """
+ r = self.sql_fetch(self.gctx, self.config_id)
+ if r is None:
+ raise rpki.exceptions.NotFound
+ return r
+
+class client_elt(control_elt):
"""<client/> element."""
element_name = "client"
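Review bot: `config_elt` documents that only get and set are supported, but nothing in the class rejects other actions. The inherited `control_elt.serve_dispatch` checks only the channel and then defers to `rpki.xml_utils.data_elt.serve_dispatch`, which is not visible here. If that dispatcher also handles create, list or destroy, the restriction rests entirely on the RelaxNG schema, so an override that checks `self.action` before dispatching would enforce it in code, as sketched below. The `serve_set` docstring is also garbled ("because config we don't support"); `because config doesn't support the create method` reads as intended.

```python
class config_elt(control_elt):
  # … unchanged: attributes, sql_template, startElement, fetch, serve_set, serve_fetch_one …

  def serve_dispatch(self, r_msg, client):
    """Action dispatch handler.  Only get and set make sense for the
    single config row, so reject anything else before dispatching.
    """
    if self.action not in ("get", "set"):
      raise rpki.exceptions.BadQuery, "Unexpected action %s for <config/>" % self.action
    control_elt.serve_dispatch(self, r_msg, client)
```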
@@ -41,32 +102,14 @@ class client_elt(rpki.xml_utils.data_elt, rpki.sql.sql_persistant, publication_n
clear_https_ta_cache = False
- def startElement(self, stack, name, attrs):
- """Handle <client/> element."""
- if name not in ("bpki_cert", "bpki_glue"):
- assert name == self.element_name, "Unexpected name %s, stack %s" % (name, stack)
- self.read_attrs(attrs)
-
def endElement(self, stack, name, text):
- """Handle <client/> element."""
- if name == "bpki_cert":
- self.bpki_cert = rpki.x509.X509(Base64 = text)
- self.clear_https_ta_cache = True
- elif name == "bpki_glue":
- self.bpki_glue = rpki.x509.X509(Base64 = text)
+ """Handle subelements of <client/> element. These require special
+ handling because modifying them invalidates the HTTPS trust anchor
+ cache.
+ """
+ control_elt.endElement(self, stack, name, text)
+ if name in self.elements:
self.clear_https_ta_cache = True
- else:
- assert name == self.element_name, "Unexpected name %s, stack %s" % (name, stack)
- stack.pop()
-
- def toXML(self):
- """Generate <client/> element."""
- elt = self.make_elt()
- if self.bpki_cert and not self.bpki_cert.empty():
- self.make_b64elt(elt, "bpki_cert", self.bpki_cert.get_DER())
- if self.bpki_glue and not self.bpki_glue.empty():
- self.make_b64elt(elt, "bpki_glue", self.bpki_glue.get_DER())
- return elt
def serve_post_save_hook(self, q_pdu, r_pdu):
"""Extra server actions for client_elt."""
@@ -87,29 +130,22 @@ class client_elt(rpki.xml_utils.data_elt, rpki.sql.sql_persistant, publication_n
"""Find client objects on which a list method should operate."""
return self.sql_fetch_all(self.gctx)
- def serve_dispatch(self, r_msg, client):
- """Action dispatch handler."""
- if client is not None:
- raise rpki.exceptions.BadQuery, "Client query received on control channel"
- rpki.xml_utils.data_elt.serve_dispatch(self, r_msg)
-
def check_allowed_uri(self, uri):
if not uri.startswith(self.base_uri):
raise rpki.exceptions.ForbiddenURI
class publication_object_elt(rpki.xml_utils.base_elt, publication_namespace):
"""Virtual class for publishable objects. These have very similar
- syntax, differences lie in underlying datatype and methods.
+ syntax, differences lie in underlying datatype and methods. XML
+ methods are a little different from the pattern used for objects
+ that support the create/set/get/list/destroy actions, but
+ publishable objects don't go in SQL either so these classes would be
+ different in any case.
"""
attributes = ("action", "tag", "client_id", "uri")
payload = None
- def startElement(self, stack, name, attrs):
- """Handle a publishable element."""
- assert name == self.element_name, "Unexpected name %s, stack %s" % (name, stack)
- self.read_attrs(attrs)
-
def endElement(self, stack, name, text):
"""Handle a publishable element element."""
assert name == self.element_name, "Unexpected name %s, stack %s" % (name, stack)
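Review bot: `check_allowed_uri`, which this hunk leaves as undocumented context, authorises a URI with a bare `uri.startswith(self.base_uri)`. A plain prefix test also accepts a URI whose path merely continues the last component of `base_uri` when that value has no trailing `/`, and it does not consider `..` segments. Whether either is normalised before this call is not visible here. At minimum a docstring should state the assumption, for example `"""Raise ForbiddenURI unless uri lies under this client's base_uri (assumes base_uri ends in "/" and uri is already normalised)."""`, and comparing normalised paths would make the check stronger. `endElement` continues outside the hunk.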
@@ -127,7 +163,7 @@ class publication_object_elt(rpki.xml_utils.base_elt, publication_namespace):
def serve_dispatch(self, r_msg, client):
"""Action dispatch handler."""
if client is None:
- raise rpki.exceptions.BadQuery, "Control query received on client channel"
+ raise rpki.exceptions.BadQuery, "Client query received on control channel"
dispatch = { "publish" : self.serve_publish,
"withdraw" : self.serve_withdraw }
if self.action not in dispatch:
@@ -200,15 +236,6 @@ class report_error_elt(rpki.xml_utils.base_elt, publication_namespace):
element_name = "report_error"
attributes = ("tag", "error_code")
- def startElement(self, stack, name, attrs):
- """Handle <report_error/> element."""
- assert name == self.element_name, "Unexpected name %s, stack %s" % (name, stack)
- self.read_attrs(attrs)
-
- def toXML(self):
- """Generate <report_error/> element."""
- return self.make_elt()
-
@classmethod
def from_exception(cls, exc):
"""Generate a <report_error/> element from an exception."""
@@ -226,7 +253,7 @@ class msg(rpki.xml_utils.msg, publication_namespace):
## @var pdus
# Dispatch table of PDUs for this protocol.
pdus = dict((x.element_name, x)
- for x in (client_elt, certificate_elt, crl_elt, manifest_elt, roa_elt, report_error_elt))
+ for x in (config_elt, client_elt, certificate_elt, crl_elt, manifest_elt, roa_elt, report_error_elt))
def serve_top_level(self, gctx, client):
"""Serve one msg PDU."""
diff --git a/rpkid/rpki/relaxng.py b/rpkid/rpki/relaxng.py
index 87230bcf..017209b6 100644
--- a/rpkid/rpki/relaxng.py
+++ b/rpkid/rpki/relaxng.py
@@ -801,11 +801,6 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" enc
</attribute>
</optional>
<optional>
- <attribute name="exact_match">
- <data type="boolean"/>
- </attribute>
- </optional>
- <optional>
<attribute name="ipv4">
<ref name="ipv4_list"/>
</attribute>
@@ -1257,6 +1252,7 @@ publication = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" en
<!-- PDUs allowed in a query -->
<define name="query_elt">
<choice>
+ <ref name="config_query"/>
<ref name="client_query"/>
<ref name="certificate_query"/>
<ref name="crl_query"/>
@@ -1267,6 +1263,7 @@ publication = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" en
<!-- PDUs allowed in a reply -->
<define name="reply_elt">
<choice>
+ <ref name="config_reply"/>
<ref name="client_reply"/>
<ref name="certificate_reply"/>
<ref name="crl_reply"/>
@@ -1300,6 +1297,59 @@ publication = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" en
<ref name="uri_t"/>
</attribute>
</define>
+ <!--
+ <config/> element (use restricted to repository operator)
+ config_id attribute and list command omitted deliberately, see code for details
+ -->
+ <define name="config_payload">
+ <optional>
+ <element name="bpki_crl">
+ <ref name="base64"/>
+ </element>
+ </optional>
+ </define>
+ <define name="config_query" combine="choice">
+ <element name="config">
+ <attribute name="action">
+ <value>set</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="config_payload"/>
+ </element>
+ </define>
+ <define name="config_reply" combine="choice">
+ <element name="config">
+ <attribute name="action">
+ <value>set</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ </element>
+ </define>
+ <define name="config_query" combine="choice">
+ <element name="config">
+ <attribute name="action">
+ <value>get</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ </element>
+ </define>
+ <define name="config_reply" combine="choice">
+ <element name="config">
+ <attribute name="action">
+ <value>get</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="config_payload"/>
+ </element>
+ </define>
<!-- <client/> element (use restricted to repository operator) -->
<define name="client_id">
<attribute name="client_id">
diff --git a/rpkid/rpki/xml_utils.py b/rpkid/rpki/xml_utils.py
index 97f9c5f7..5e9c613e 100644
--- a/rpkid/rpki/xml_utils.py
+++ b/rpkid/rpki/xml_utils.py
@@ -117,12 +117,19 @@ class base_elt(object):
def startElement(self, stack, name, attrs):
"""Default startElement() handler: just process attributes."""
- self.read_attrs(attrs)
+ if name not in self.elements:
+ assert name == self.element_name, "Unexpected name %s, stack %s" % (name, stack)
+ self.read_attrs(attrs)
def endElement(self, stack, name, text):
"""Default endElement() handler: just pop the stack."""
+ assert name == self.element_name, "Unexpected name %s, stack %s" % (name, stack)
stack.pop()
+ def toXML(self):
+ """Default toXML() element generator."""
+ return self.make_elt()
+
def read_attrs(self, attrs):
"""Template-driven attribute reader."""
for key in self.attributes:
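Review bot: The element-name checks added to `startElement` and `endElement` are `assert` statements, so they disappear when the interpreter runs with `-O`. An unexpected element would then have its attributes read, or pop the stack, as if it were the expected one. These handlers appear to process XML received from a peer, so an explicit test is safer, e.g. `if name != self.element_name: raise rpki.exceptions.BadQuery, "Unexpected name %s, stack %s" % (name, stack)`; the same applies to the two asserts in `data_elt.endElement` in the next hunk. `startElement` now also reads `self.elements`, so `base_elt` needs a class-level default such as `elements = ()`, which is not visible in this hunk. `read_attrs` continues outside the hunk.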
@@ -172,6 +179,29 @@ class data_elt(base_elt):
attribute.
"""
+ def endElement(self, stack, name, text):
+ """Default endElement handler for SQL-based objects. This assumes
+ that sub-elements are Base64-encoded using the sql_template mechanism.
+ """
+ if name in self.elements:
+ elt_type = self.sql_template.map.get(name)
+ assert elt_type is not None, "Couldn't find element type for %s, stack %s" % (name, stack)
+ setattr(self, name, elt_type(Base64 = text))
+ else:
+ assert name == self.element_name, "Unexpected name %s, stack %s" % (name, stack)
+ stack.pop()
+
+ def toXML(self):
+ """Default element generator for SQL-based objects. This assumes
+ that sub-elements are Base64-encoded DER objects.
+ """
+ elt = self.make_elt()
+ for i in self.elements:
+ x = getattr(self, i, None)
+ if x and not x.empty():
+ self.make_b64elt(elt, i, x.get_DER())
+ return elt
+
def make_reply(self, r_pdu = None):
"""Construct a reply PDU."""
if r_pdu is None:
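Review bot: The generic `toXML` omits a sub-element whenever `x.empty()` is true, which is not what every removed override did. `bsc_elt.toXML` emitted on `is not None` and `repository_elt.toXML` on truthiness alone, so those two classes change behaviour for empty objects. If that is intended, the docstring should say so, e.g. `Sub-elements that are unset or empty() are omitted.` The method also assumes every type named in `self.elements` provides `empty()` and `get_DER()`. `make_reply` continues outside the hunk.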
diff --git a/rpkid/testbed.1.yaml b/rpkid/testbed.1.yaml
index b18d13b9..e53b63b6 100644
--- a/rpkid/testbed.1.yaml
+++ b/rpkid/testbed.1.yaml
@@ -15,8 +15,8 @@
# PERFORMANCE OF THIS SOFTWARE.
name: RIR
-crl_interval: 60s
-regen_margin: 30s
+crl_interval: 5m
+regen_margin: 2m
valid_for: 2d
kids:
- name: R0
diff --git a/rpkid/testbed.py b/rpkid/testbed.py
index 8324fc44..b53604e8 100644
--- a/rpkid/testbed.py
+++ b/rpkid/testbed.py
@@ -192,9 +192,15 @@ def main():
for a in db.leaves:
a.setup_yaml_leaf()
+ # Set pubd's BPKI CRL
+ set_pubd_crl()
+
# Loop until we run out of control YAML
while True:
+ # This is probably where we should be updating expired BPKI
+ # objects, particular CRLs
+
# Run cron in all RPKI instances
for a in db.engines:
a.run_cron()
@@ -267,11 +273,10 @@ cmds = { "sleep" : cmd_sleep,
class route_origin(object):
"""Representation for a route_origin object."""
- def __init__(self, asn, ipv4, ipv6, exact_match):
+ def __init__(self, asn, ipv4, ipv6):
self.asn = asn
self.v4 = rpki.resource_set.roa_prefix_set_ipv4("".join(ipv4.split())) if ipv4 else None
self.v6 = rpki.resource_set.roa_prefix_set_ipv6("".join(ipv6.split())) if ipv6 else None
- self.exact_match = exact_match
def __eq__(self, other):
return self.asn == other.asn and self.v4 == other.v4 and self.v6 == other.v6
@@ -289,7 +294,7 @@ class route_origin(object):
@classmethod
def parse(cls, yaml):
- return cls(yaml.get("asn"), yaml.get("ipv4"), yaml.get("ipv6"), yaml.get("exact_match", False))
+ return cls(yaml.get("asn"), yaml.get("ipv4"), yaml.get("ipv6"))
class allocation_db(list):
"""Representation of all the entities and allocations in the test system.
@@ -671,8 +676,8 @@ class allocation(object):
rpki.log.info("Creating rpkid route_origin objects for %s" % self.name)
for ro in self.route_origins:
ro.route_origin_id = self.call_rpkid(rpki.left_right.route_origin_elt.make_pdu(
- action = "create", self_id = self.self_id, as_number = ro.asn,
- exact_match = ro.exact_match, ipv4 = ro.v4, ipv6 = ro.v6)).route_origin_id
+ action = "create", self_id = self.self_id,
+ as_number = ro.asn, ipv4 = ro.v4, ipv6 = ro.v6)).route_origin_id
def setup_yaml_leaf(self):
"""Generate certificates and write YAML scripts for leaf nodes.
@@ -836,6 +841,16 @@ def call_pubd(*pdu):
assert not isinstance(pdu, rpki.publication.report_error_elt)
return msg[0] if len(msg) == 1 else msg
+def set_pubd_crl():
+ """Whack publication daemon's bpki_crl. This must be configured
+ before publication daemon starts talking to its clients, and must be
+ updated whenever we update the CRL.
+ """
+ rpki.log.info("Setting pubd's BPKI CRL")
+ call_pubd(rpki.publication.config_elt.make_pdu(
+ action = "set",
+ bpki_crl = rpki.x509.CRL(Auto_file = pubd_name + "-TA.crl")))
+
def run_rcynic():
"""Run rcynic to see whether what was published makes sense."""
rpki.log.info("Running rcynic")