authorRob Austein <sra@hactrn.net>2014-04-05 22:42:12 +0000
committerRob Austein <sra@hactrn.net>2014-04-05 22:42:12 +0000
commitfe0bf509f528dbdc50c7182f81057c6a4e15e4bd (patch)
tree07c9a923d4a0ccdfea11c49cd284f6d5757c5eda /schemas/relaxng
parentaa28ef54c271fbe4d52860ff8cf13cab19e2207c (diff)
Source tree reorg, phase 1. Almost everything moved, no file contents changed.
svn path=/branches/tk685/; revision=5757
Diffstat (limited to 'schemas/relaxng')
-rw-r--r--schemas/relaxng/left-right-schema.rnc323
-rw-r--r--schemas/relaxng/left-right-schema.rng1089
-rw-r--r--schemas/relaxng/myrpki.rnc164
-rw-r--r--schemas/relaxng/myrpki.rng379
-rw-r--r--schemas/relaxng/publication-schema.rnc137
-rw-r--r--schemas/relaxng/publication-schema.rng574
-rw-r--r--schemas/relaxng/router-certificate-schema.rnc61
-rw-r--r--schemas/relaxng/router-certificate-schema.rng98
-rw-r--r--schemas/relaxng/up-down-schema.rnc113
-rw-r--r--schemas/relaxng/up-down-schema.rng277
10 files changed, 3215 insertions, 0 deletions
diff --git a/schemas/relaxng/left-right-schema.rnc b/schemas/relaxng/left-right-schema.rnc
new file mode 100644
index 00000000..b46adeb5
--- /dev/null
+++ b/schemas/relaxng/left-right-schema.rnc
@@ -0,0 +1,323 @@
+# $Id$
+#
+# RelaxNG schema for RPKI left-right protocol.
+#
+# Copyright (C) 2012--2014 Dragon Research Labs ("DRL")
+# Portions copyright (C) 2009--2011 Internet Systems Consortium ("ISC")
+# Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notices and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND DRL, ISC, AND ARIN DISCLAIM ALL
+# WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DRL,
+# ISC, OR ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+# CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+# OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+default namespace = "http://www.hactrn.net/uris/rpki/left-right-spec/"
+
+# Top level PDU
+
+start = element msg {
+ attribute version { xsd:positiveInteger { maxInclusive="1" } },
+ ( (attribute type { "query" }, query_elt*) |
+ (attribute type { "reply" }, reply_elt*) )
+}
+
+# PDUs allowed in a query
+query_elt |= self_query
+query_elt |= bsc_query
+query_elt |= parent_query
+query_elt |= child_query
+query_elt |= repository_query
+query_elt |= list_roa_requests_query
+query_elt |= list_ghostbuster_requests_query
+query_elt |= list_ee_certificate_requests_query
+query_elt |= list_resources_query
+query_elt |= list_published_objects_query
+query_elt |= list_received_resources_query
+
+# PDUs allowed in a reply
+reply_elt |= self_reply
+reply_elt |= bsc_reply
+reply_elt |= parent_reply
+reply_elt |= child_reply
+reply_elt |= repository_reply
+reply_elt |= list_resources_reply
+reply_elt |= list_roa_requests_reply
+reply_elt |= list_ghostbuster_requests_reply
+reply_elt |= list_ee_certificate_requests_reply
+reply_elt |= list_published_objects_reply
+reply_elt |= list_received_resources_reply
+reply_elt |= report_error_reply
+
+# Tag attributes for bulk operations
+tag = attribute tag { xsd:token {maxLength="1024" } }?
+
+# Combinations of action and type attributes used in later definitions.
+# The same patterns repeat in most of the elements in this protocol.
+ctl_create = attribute action { "create" }, tag
+ctl_set = attribute action { "set" }, tag
+ctl_get = attribute action { "get" }, tag
+ctl_list = attribute action { "list" }, tag
+ctl_destroy = attribute action { "destroy" }, tag
+
+# Base64 encoded DER stuff
+base64 = xsd:base64Binary { maxLength="512000" }
+
+# Base definition for all fields that are really just SQL primary indices
+#sql_id = xsd:nonNegativeInteger
+
+# ...except that fields containing SQL primary indicies don't belong
+# in this protocol, so they're turninging into handles.
+# Length restriction is a MySQL implementation issue.
+# Handles are case-insensitive (because SQL is, among other reasons).
+object_handle = xsd:string { maxLength="255" pattern="[\-_A-Za-z0-9]+" }
+
+# URIs
+uri = xsd:anyURI { maxLength="4096" }
+
+# Name fields imported from up-down protocol
+up_down_name = xsd:token { maxLength="1024" }
+
+# Resource lists
+asn_list = xsd:string { maxLength="512000" pattern="[\-,0-9]*" }
+ipv4_list = xsd:string { maxLength="512000" pattern="[\-,0-9/.]*" }
+ipv6_list = xsd:string { maxLength="512000" pattern="[\-,0-9/:a-fA-F]*" }
+
+# <self/> element
+
+self_bool = (attribute rekey { "yes" }?,
+ attribute reissue { "yes" }?,
+ attribute revoke { "yes" }?,
+ attribute run_now { "yes" }?,
+ attribute publish_world_now { "yes" }?,
+ attribute revoke_forgotten { "yes" }?,
+ attribute clear_replay_protection { "yes" }?)
+
+self_payload = (attribute use_hsm { "yes" | "no" }?,
+ attribute crl_interval { xsd:positiveInteger }?,
+ attribute regen_margin { xsd:positiveInteger }?,
+ element bpki_cert { base64 }?,
+ element bpki_glue { base64 }?)
+
+self_handle = attribute self_handle { object_handle }
+
+self_query |= element self { ctl_create, self_handle, self_bool, self_payload }
+self_reply |= element self { ctl_create, self_handle }
+self_query |= element self { ctl_set, self_handle, self_bool, self_payload }
+self_reply |= element self { ctl_set, self_handle }
+self_query |= element self { ctl_get, self_handle }
+self_reply |= element self { ctl_get, self_handle, self_payload }
+self_query |= element self { ctl_list }
+self_reply |= element self { ctl_list, self_handle, self_payload }
+self_query |= element self { ctl_destroy, self_handle }
+self_reply |= element self { ctl_destroy, self_handle }
+
+# <bsc/> element. Key parameters hardwired for now.
+
+bsc_bool = ((attribute generate_keypair { "yes" },
+ attribute key_type { "rsa" }?,
+ attribute hash_alg { "sha256" }?,
+ attribute key_length { "2048" }?)?)
+
+bsc_handle = attribute bsc_handle { object_handle }
+
+bsc_payload = (element signing_cert { base64 }?,
+ element signing_cert_crl { base64 }?)
+
+bsc_readonly = element pkcs10_request { base64 }?
+
+bsc_query |= element bsc { ctl_create, self_handle, bsc_handle, bsc_bool, bsc_payload }
+bsc_reply |= element bsc { ctl_create, self_handle, bsc_handle, bsc_readonly }
+bsc_query |= element bsc { ctl_set, self_handle, bsc_handle, bsc_bool, bsc_payload }
+bsc_reply |= element bsc { ctl_set, self_handle, bsc_handle, bsc_readonly }
+bsc_query |= element bsc { ctl_get, self_handle, bsc_handle }
+bsc_reply |= element bsc { ctl_get, self_handle, bsc_handle, bsc_payload, bsc_readonly }
+bsc_query |= element bsc { ctl_list, self_handle }
+bsc_reply |= element bsc { ctl_list, self_handle, bsc_handle, bsc_payload, bsc_readonly }
+bsc_query |= element bsc { ctl_destroy, self_handle, bsc_handle }
+bsc_reply |= element bsc { ctl_destroy, self_handle, bsc_handle }
+
+# <parent/> element
+
+parent_handle = attribute parent_handle { object_handle }
+
+parent_bool = (attribute rekey { "yes" }?,
+ attribute reissue { "yes" }?,
+ attribute revoke { "yes" }?,
+ attribute revoke_forgotten { "yes" }?,
+ attribute clear_replay_protection { "yes" }?)
+
+parent_payload = (attribute peer_contact_uri { uri }?,
+ attribute sia_base { uri }?,
+ bsc_handle?,
+ repository_handle?,
+ attribute sender_name { up_down_name }?,
+ attribute recipient_name { up_down_name }?,
+ element bpki_cms_cert { base64 }?,
+ element bpki_cms_glue { base64 }?)
+
+parent_query |= element parent { ctl_create, self_handle, parent_handle, parent_bool, parent_payload }
+parent_reply |= element parent { ctl_create, self_handle, parent_handle }
+parent_query |= element parent { ctl_set, self_handle, parent_handle, parent_bool, parent_payload }
+parent_reply |= element parent { ctl_set, self_handle, parent_handle }
+parent_query |= element parent { ctl_get, self_handle, parent_handle }
+parent_reply |= element parent { ctl_get, self_handle, parent_handle, parent_payload }
+parent_query |= element parent { ctl_list, self_handle }
+parent_reply |= element parent { ctl_list, self_handle, parent_handle, parent_payload }
+parent_query |= element parent { ctl_destroy, self_handle, parent_handle }
+parent_reply |= element parent { ctl_destroy, self_handle, parent_handle }
+
+# <child/> element
+
+child_handle = attribute child_handle { object_handle }
+
+child_bool = (attribute reissue { "yes" }?,
+ attribute clear_replay_protection { "yes" }?)
+
+child_payload = (bsc_handle?,
+ element bpki_cert { base64 }?,
+ element bpki_glue { base64 }?)
+
+child_query |= element child { ctl_create, self_handle, child_handle, child_bool, child_payload }
+child_reply |= element child { ctl_create, self_handle, child_handle }
+child_query |= element child { ctl_set, self_handle, child_handle, child_bool, child_payload }
+child_reply |= element child { ctl_set, self_handle, child_handle }
+child_query |= element child { ctl_get, self_handle, child_handle }
+child_reply |= element child { ctl_get, self_handle, child_handle, child_payload }
+child_query |= element child { ctl_list, self_handle }
+child_reply |= element child { ctl_list, self_handle, child_handle, child_payload }
+child_query |= element child { ctl_destroy, self_handle, child_handle }
+child_reply |= element child { ctl_destroy, self_handle, child_handle }
+
+# <repository/> element
+
+repository_handle = attribute repository_handle { object_handle }
+
+repository_bool = attribute clear_replay_protection { "yes" }?
+
+repository_payload = (attribute peer_contact_uri { uri }?,
+ bsc_handle?,
+ element bpki_cert { base64 }?,
+ element bpki_glue { base64 }?)
+
+repository_query |= element repository { ctl_create, self_handle, repository_handle, repository_bool, repository_payload }
+repository_reply |= element repository { ctl_create, self_handle, repository_handle }
+repository_query |= element repository { ctl_set, self_handle, repository_handle, repository_bool, repository_payload }
+repository_reply |= element repository { ctl_set, self_handle, repository_handle }
+repository_query |= element repository { ctl_get, self_handle, repository_handle }
+repository_reply |= element repository { ctl_get, self_handle, repository_handle, repository_payload }
+repository_query |= element repository { ctl_list, self_handle }
+repository_reply |= element repository { ctl_list, self_handle, repository_handle, repository_payload }
+repository_query |= element repository { ctl_destroy, self_handle, repository_handle }
+repository_reply |= element repository { ctl_destroy, self_handle, repository_handle }
+
+# <list_resources/> element
+
+list_resources_query = element list_resources {
+ tag, self_handle, child_handle
+}
+
+list_resources_reply = element list_resources {
+ tag, self_handle, child_handle,
+ attribute valid_until { xsd:dateTime { pattern=".*Z" } },
+ attribute asn { asn_list }?,
+ attribute ipv4 { ipv4_list }?,
+ attribute ipv6 { ipv6_list }?
+}
+
+# <list_roa_requests/> element
+
+list_roa_requests_query = element list_roa_requests {
+ tag, self_handle
+}
+
+list_roa_requests_reply = element list_roa_requests {
+ tag, self_handle,
+ attribute asn { xsd:nonNegativeInteger },
+ attribute ipv4 { ipv4_list }?,
+ attribute ipv6 { ipv6_list }?
+}
+
+# <list_ghostbuster_requests/> element
+
+list_ghostbuster_requests_query = element list_ghostbuster_requests {
+ tag, self_handle, parent_handle
+}
+
+list_ghostbuster_requests_reply = element list_ghostbuster_requests {
+ tag, self_handle, parent_handle,
+ xsd:string
+}
+
+# <list_ee_certificate_requests/> element
+
+list_ee_certificate_requests_query = element list_ee_certificate_requests {
+ tag, self_handle
+}
+
+list_ee_certificate_requests_reply = element list_ee_certificate_requests {
+ tag, self_handle,
+ attribute gski { xsd:token { minLength="27" maxLength="27" } },
+ attribute valid_until { xsd:dateTime { pattern=".*Z" } },
+ attribute asn { asn_list }?,
+ attribute ipv4 { ipv4_list }?,
+ attribute ipv6 { ipv6_list }?,
+ attribute cn { xsd:string { maxLength="64" pattern="[\-0-9A-Za-z_ ]+" } }?,
+ attribute sn { xsd:string { maxLength="64" pattern="[0-9A-Fa-f]+" } }?,
+ attribute eku { xsd:string { maxLength="512000" pattern="[.,0-9]+" } }?,
+ element pkcs10 { base64 }
+}
+
+# <list_published_objects/> element
+
+list_published_objects_query = element list_published_objects {
+ tag, self_handle
+}
+
+list_published_objects_reply = element list_published_objects {
+ tag, self_handle,
+ attribute uri { uri },
+ attribute child_handle { object_handle }?,
+ base64
+}
+
+# <list_received_resources/> element
+
+list_received_resources_query = element list_received_resources {
+ tag, self_handle
+}
+
+list_received_resources_reply = element list_received_resources {
+ tag, self_handle, parent_handle,
+ attribute notBefore { xsd:dateTime { pattern=".*Z" } },
+ attribute notAfter { xsd:dateTime { pattern=".*Z" } },
+ attribute uri { uri },
+ attribute sia_uri { uri },
+ attribute aia_uri { uri },
+ attribute asn { asn_list }?,
+ attribute ipv4 { ipv4_list }?,
+ attribute ipv6 { ipv6_list }?
+}
+
+# <report_error/> element
+
+error = xsd:token { maxLength="1024" }
+
+report_error_reply = element report_error {
+ tag, self_handle?,
+ attribute error_code { error },
+ xsd:string { maxLength="512000" }?
+}
+
+# Local Variables:
+# indent-tabs-mode: nil
+# comment-start: "# "
+# comment-start-skip: "#[ \t]*"
+# End:
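Review bot: The text body of `list_ghostbuster_requests_reply` is a bare `xsd:string` with no length facet, while every other free-form payload in this schema is bounded (`base64` and the `report_error` text at 512000, `error`, `tag` and `up_down_name` at 1024), so a validating receiver accepts an arbitrarily large body on that one element. Since this commit only moves the file, the change belongs in a follow-up rather than here: `xsd:string { maxLength="512000" }` in place of `xsd:string`, presumably mirrored in the generated .rng next to it. The comment above `object_handle` also carries two typos, `indicies` and `turninging`, worth fixing in the same follow-up.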
diff --git a/schemas/relaxng/left-right-schema.rng b/schemas/relaxng/left-right-schema.rng
new file mode 100644
index 00000000..6c3d2f1a
--- /dev/null
+++ b/schemas/relaxng/left-right-schema.rng
@@ -0,0 +1,1089 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ $Id: left-right-schema.rnc 5753 2014-04-05 19:24:26Z sra $
+
+ RelaxNG schema for RPKI left-right protocol.
+
+ Copyright (C) 2012- -2014 Dragon Research Labs ("DRL")
+ Portions copyright (C) 2009- -2011 Internet Systems Consortium ("ISC")
+ Portions copyright (C) 2007- -2008 American Registry for Internet Numbers ("ARIN")
+
+ Permission to use, copy, modify, and distribute this software for any
+ purpose with or without fee is hereby granted, provided that the above
+ copyright notices and this permission notice appear in all copies.
+
+ THE SOFTWARE IS PROVIDED "AS IS" AND DRL, ISC, AND ARIN DISCLAIM ALL
+ WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DRL,
+ ISC, OR ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+ OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+ NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+ WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+-->
+<grammar ns="http://www.hactrn.net/uris/rpki/left-right-spec/" xmlns="http://relaxng.org/ns/structure/1.0" datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes">
+ <!-- Top level PDU -->
+ <start>
+ <element name="msg">
+ <attribute name="version">
+ <data type="positiveInteger">
+ <param name="maxInclusive">1</param>
+ </data>
+ </attribute>
+ <choice>
+ <group>
+ <attribute name="type">
+ <value>query</value>
+ </attribute>
+ <zeroOrMore>
+ <ref name="query_elt"/>
+ </zeroOrMore>
+ </group>
+ <group>
+ <attribute name="type">
+ <value>reply</value>
+ </attribute>
+ <zeroOrMore>
+ <ref name="reply_elt"/>
+ </zeroOrMore>
+ </group>
+ </choice>
+ </element>
+ </start>
+ <!-- PDUs allowed in a query -->
+ <define name="query_elt" combine="choice">
+ <ref name="self_query"/>
+ </define>
+ <define name="query_elt" combine="choice">
+ <ref name="bsc_query"/>
+ </define>
+ <define name="query_elt" combine="choice">
+ <ref name="parent_query"/>
+ </define>
+ <define name="query_elt" combine="choice">
+ <ref name="child_query"/>
+ </define>
+ <define name="query_elt" combine="choice">
+ <ref name="repository_query"/>
+ </define>
+ <define name="query_elt" combine="choice">
+ <ref name="list_roa_requests_query"/>
+ </define>
+ <define name="query_elt" combine="choice">
+ <ref name="list_ghostbuster_requests_query"/>
+ </define>
+ <define name="query_elt" combine="choice">
+ <ref name="list_ee_certificate_requests_query"/>
+ </define>
+ <define name="query_elt" combine="choice">
+ <ref name="list_resources_query"/>
+ </define>
+ <define name="query_elt" combine="choice">
+ <ref name="list_published_objects_query"/>
+ </define>
+ <define name="query_elt" combine="choice">
+ <ref name="list_received_resources_query"/>
+ </define>
+ <!-- PDUs allowed in a reply -->
+ <define name="reply_elt" combine="choice">
+ <ref name="self_reply"/>
+ </define>
+ <define name="reply_elt" combine="choice">
+ <ref name="bsc_reply"/>
+ </define>
+ <define name="reply_elt" combine="choice">
+ <ref name="parent_reply"/>
+ </define>
+ <define name="reply_elt" combine="choice">
+ <ref name="child_reply"/>
+ </define>
+ <define name="reply_elt" combine="choice">
+ <ref name="repository_reply"/>
+ </define>
+ <define name="reply_elt" combine="choice">
+ <ref name="list_resources_reply"/>
+ </define>
+ <define name="reply_elt" combine="choice">
+ <ref name="list_roa_requests_reply"/>
+ </define>
+ <define name="reply_elt" combine="choice">
+ <ref name="list_ghostbuster_requests_reply"/>
+ </define>
+ <define name="reply_elt" combine="choice">
+ <ref name="list_ee_certificate_requests_reply"/>
+ </define>
+ <define name="reply_elt" combine="choice">
+ <ref name="list_published_objects_reply"/>
+ </define>
+ <define name="reply_elt" combine="choice">
+ <ref name="list_received_resources_reply"/>
+ </define>
+ <define name="reply_elt" combine="choice">
+ <ref name="report_error_reply"/>
+ </define>
+ <!-- Tag attributes for bulk operations -->
+ <define name="tag">
+ <optional>
+ <attribute name="tag">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </optional>
+ </define>
+ <!--
+ Combinations of action and type attributes used in later definitions.
+ The same patterns repeat in most of the elements in this protocol.
+ -->
+ <define name="ctl_create">
+ <attribute name="action">
+ <value>create</value>
+ </attribute>
+ <ref name="tag"/>
+ </define>
+ <define name="ctl_set">
+ <attribute name="action">
+ <value>set</value>
+ </attribute>
+ <ref name="tag"/>
+ </define>
+ <define name="ctl_get">
+ <attribute name="action">
+ <value>get</value>
+ </attribute>
+ <ref name="tag"/>
+ </define>
+ <define name="ctl_list">
+ <attribute name="action">
+ <value>list</value>
+ </attribute>
+ <ref name="tag"/>
+ </define>
+ <define name="ctl_destroy">
+ <attribute name="action">
+ <value>destroy</value>
+ </attribute>
+ <ref name="tag"/>
+ </define>
+ <!-- Base64 encoded DER stuff -->
+ <define name="base64">
+ <data type="base64Binary">
+ <param name="maxLength">512000</param>
+ </data>
+ </define>
+ <!--
+ Base definition for all fields that are really just SQL primary indices
+ sql_id = xsd:nonNegativeInteger
+ -->
+ <!--
+ ...except that fields containing SQL primary indicies don't belong
+ in this protocol, so they're turninging into handles.
+ Length restriction is a MySQL implementation issue.
+ Handles are case-insensitive (because SQL is, among other reasons).
+ -->
+ <define name="object_handle">
+ <data type="string">
+ <param name="maxLength">255</param>
+ <param name="pattern">[\-_A-Za-z0-9]+</param>
+ </data>
+ </define>
+ <!-- URIs -->
+ <define name="uri">
+ <data type="anyURI">
+ <param name="maxLength">4096</param>
+ </data>
+ </define>
+ <!-- Name fields imported from up-down protocol -->
+ <define name="up_down_name">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </define>
+ <!-- Resource lists -->
+ <define name="asn_list">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[\-,0-9]*</param>
+ </data>
+ </define>
+ <define name="ipv4_list">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[\-,0-9/.]*</param>
+ </data>
+ </define>
+ <define name="ipv6_list">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[\-,0-9/:a-fA-F]*</param>
+ </data>
+ </define>
+ <!-- <self/> element -->
+ <define name="self_bool">
+ <optional>
+ <attribute name="rekey">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="reissue">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="revoke">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="run_now">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="publish_world_now">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="revoke_forgotten">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="clear_replay_protection">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ </define>
+ <define name="self_payload">
+ <optional>
+ <attribute name="use_hsm">
+ <choice>
+ <value>yes</value>
+ <value>no</value>
+ </choice>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="crl_interval">
+ <data type="positiveInteger"/>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="regen_margin">
+ <data type="positiveInteger"/>
+ </attribute>
+ </optional>
+ <optional>
+ <element name="bpki_cert">
+ <ref name="base64"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="bpki_glue">
+ <ref name="base64"/>
+ </element>
+ </optional>
+ </define>
+ <define name="self_handle">
+ <attribute name="self_handle">
+ <ref name="object_handle"/>
+ </attribute>
+ </define>
+ <define name="self_query" combine="choice">
+ <element name="self">
+ <ref name="ctl_create"/>
+ <ref name="self_handle"/>
+ <ref name="self_bool"/>
+ <ref name="self_payload"/>
+ </element>
+ </define>
+ <define name="self_reply" combine="choice">
+ <element name="self">
+ <ref name="ctl_create"/>
+ <ref name="self_handle"/>
+ </element>
+ </define>
+ <define name="self_query" combine="choice">
+ <element name="self">
+ <ref name="ctl_set"/>
+ <ref name="self_handle"/>
+ <ref name="self_bool"/>
+ <ref name="self_payload"/>
+ </element>
+ </define>
+ <define name="self_reply" combine="choice">
+ <element name="self">
+ <ref name="ctl_set"/>
+ <ref name="self_handle"/>
+ </element>
+ </define>
+ <define name="self_query" combine="choice">
+ <element name="self">
+ <ref name="ctl_get"/>
+ <ref name="self_handle"/>
+ </element>
+ </define>
+ <define name="self_reply" combine="choice">
+ <element name="self">
+ <ref name="ctl_get"/>
+ <ref name="self_handle"/>
+ <ref name="self_payload"/>
+ </element>
+ </define>
+ <define name="self_query" combine="choice">
+ <element name="self">
+ <ref name="ctl_list"/>
+ </element>
+ </define>
+ <define name="self_reply" combine="choice">
+ <element name="self">
+ <ref name="ctl_list"/>
+ <ref name="self_handle"/>
+ <ref name="self_payload"/>
+ </element>
+ </define>
+ <define name="self_query" combine="choice">
+ <element name="self">
+ <ref name="ctl_destroy"/>
+ <ref name="self_handle"/>
+ </element>
+ </define>
+ <define name="self_reply" combine="choice">
+ <element name="self">
+ <ref name="ctl_destroy"/>
+ <ref name="self_handle"/>
+ </element>
+ </define>
+ <!-- <bsc/> element. Key parameters hardwired for now. -->
+ <define name="bsc_bool">
+ <optional>
+ <attribute name="generate_keypair">
+ <value>yes</value>
+ </attribute>
+ <optional>
+ <attribute name="key_type">
+ <value>rsa</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="hash_alg">
+ <value>sha256</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="key_length">
+ <value>2048</value>
+ </attribute>
+ </optional>
+ </optional>
+ </define>
+ <define name="bsc_handle">
+ <attribute name="bsc_handle">
+ <ref name="object_handle"/>
+ </attribute>
+ </define>
+ <define name="bsc_payload">
+ <optional>
+ <element name="signing_cert">
+ <ref name="base64"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="signing_cert_crl">
+ <ref name="base64"/>
+ </element>
+ </optional>
+ </define>
+ <define name="bsc_readonly">
+ <optional>
+ <element name="pkcs10_request">
+ <ref name="base64"/>
+ </element>
+ </optional>
+ </define>
+ <define name="bsc_query" combine="choice">
+ <element name="bsc">
+ <ref name="ctl_create"/>
+ <ref name="self_handle"/>
+ <ref name="bsc_handle"/>
+ <ref name="bsc_bool"/>
+ <ref name="bsc_payload"/>
+ </element>
+ </define>
+ <define name="bsc_reply" combine="choice">
+ <element name="bsc">
+ <ref name="ctl_create"/>
+ <ref name="self_handle"/>
+ <ref name="bsc_handle"/>
+ <ref name="bsc_readonly"/>
+ </element>
+ </define>
+ <define name="bsc_query" combine="choice">
+ <element name="bsc">
+ <ref name="ctl_set"/>
+ <ref name="self_handle"/>
+ <ref name="bsc_handle"/>
+ <ref name="bsc_bool"/>
+ <ref name="bsc_payload"/>
+ </element>
+ </define>
+ <define name="bsc_reply" combine="choice">
+ <element name="bsc">
+ <ref name="ctl_set"/>
+ <ref name="self_handle"/>
+ <ref name="bsc_handle"/>
+ <ref name="bsc_readonly"/>
+ </element>
+ </define>
+ <define name="bsc_query" combine="choice">
+ <element name="bsc">
+ <ref name="ctl_get"/>
+ <ref name="self_handle"/>
+ <ref name="bsc_handle"/>
+ </element>
+ </define>
+ <define name="bsc_reply" combine="choice">
+ <element name="bsc">
+ <ref name="ctl_get"/>
+ <ref name="self_handle"/>
+ <ref name="bsc_handle"/>
+ <ref name="bsc_payload"/>
+ <ref name="bsc_readonly"/>
+ </element>
+ </define>
+ <define name="bsc_query" combine="choice">
+ <element name="bsc">
+ <ref name="ctl_list"/>
+ <ref name="self_handle"/>
+ </element>
+ </define>
+ <define name="bsc_reply" combine="choice">
+ <element name="bsc">
+ <ref name="ctl_list"/>
+ <ref name="self_handle"/>
+ <ref name="bsc_handle"/>
+ <ref name="bsc_payload"/>
+ <ref name="bsc_readonly"/>
+ </element>
+ </define>
+ <define name="bsc_query" combine="choice">
+ <element name="bsc">
+ <ref name="ctl_destroy"/>
+ <ref name="self_handle"/>
+ <ref name="bsc_handle"/>
+ </element>
+ </define>
+ <define name="bsc_reply" combine="choice">
+ <element name="bsc">
+ <ref name="ctl_destroy"/>
+ <ref name="self_handle"/>
+ <ref name="bsc_handle"/>
+ </element>
+ </define>
+ <!-- <parent/> element -->
+ <define name="parent_handle">
+ <attribute name="parent_handle">
+ <ref name="object_handle"/>
+ </attribute>
+ </define>
+ <define name="parent_bool">
+ <optional>
+ <attribute name="rekey">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="reissue">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="revoke">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="revoke_forgotten">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="clear_replay_protection">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ </define>
+ <define name="parent_payload">
+ <optional>
+ <attribute name="peer_contact_uri">
+ <ref name="uri"/>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="sia_base">
+ <ref name="uri"/>
+ </attribute>
+ </optional>
+ <optional>
+ <ref name="bsc_handle"/>
+ </optional>
+ <optional>
+ <ref name="repository_handle"/>
+ </optional>
+ <optional>
+ <attribute name="sender_name">
+ <ref name="up_down_name"/>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="recipient_name">
+ <ref name="up_down_name"/>
+ </attribute>
+ </optional>
+ <optional>
+ <element name="bpki_cms_cert">
+ <ref name="base64"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="bpki_cms_glue">
+ <ref name="base64"/>
+ </element>
+ </optional>
+ </define>
+ <define name="parent_query" combine="choice">
+ <element name="parent">
+ <ref name="ctl_create"/>
+ <ref name="self_handle"/>
+ <ref name="parent_handle"/>
+ <ref name="parent_bool"/>
+ <ref name="parent_payload"/>
+ </element>
+ </define>
+ <define name="parent_reply" combine="choice">
+ <element name="parent">
+ <ref name="ctl_create"/>
+ <ref name="self_handle"/>
+ <ref name="parent_handle"/>
+ </element>
+ </define>
+ <define name="parent_query" combine="choice">
+ <element name="parent">
+ <ref name="ctl_set"/>
+ <ref name="self_handle"/>
+ <ref name="parent_handle"/>
+ <ref name="parent_bool"/>
+ <ref name="parent_payload"/>
+ </element>
+ </define>
+ <define name="parent_reply" combine="choice">
+ <element name="parent">
+ <ref name="ctl_set"/>
+ <ref name="self_handle"/>
+ <ref name="parent_handle"/>
+ </element>
+ </define>
+ <define name="parent_query" combine="choice">
+ <element name="parent">
+ <ref name="ctl_get"/>
+ <ref name="self_handle"/>
+ <ref name="parent_handle"/>
+ </element>
+ </define>
+ <define name="parent_reply" combine="choice">
+ <element name="parent">
+ <ref name="ctl_get"/>
+ <ref name="self_handle"/>
+ <ref name="parent_handle"/>
+ <ref name="parent_payload"/>
+ </element>
+ </define>
+ <define name="parent_query" combine="choice">
+ <element name="parent">
+ <ref name="ctl_list"/>
+ <ref name="self_handle"/>
+ </element>
+ </define>
+ <define name="parent_reply" combine="choice">
+ <element name="parent">
+ <ref name="ctl_list"/>
+ <ref name="self_handle"/>
+ <ref name="parent_handle"/>
+ <ref name="parent_payload"/>
+ </element>
+ </define>
+ <define name="parent_query" combine="choice">
+ <element name="parent">
+ <ref name="ctl_destroy"/>
+ <ref name="self_handle"/>
+ <ref name="parent_handle"/>
+ </element>
+ </define>
+ <define name="parent_reply" combine="choice">
+ <element name="parent">
+ <ref name="ctl_destroy"/>
+ <ref name="self_handle"/>
+ <ref name="parent_handle"/>
+ </element>
+ </define>
+ <!-- <child/> element -->
+ <define name="child_handle">
+ <attribute name="child_handle">
+ <ref name="object_handle"/>
+ </attribute>
+ </define>
+ <define name="child_bool">
+ <optional>
+ <attribute name="reissue">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="clear_replay_protection">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ </define>
+ <define name="child_payload">
+ <optional>
+ <ref name="bsc_handle"/>
+ </optional>
+ <optional>
+ <element name="bpki_cert">
+ <ref name="base64"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="bpki_glue">
+ <ref name="base64"/>
+ </element>
+ </optional>
+ </define>
+ <define name="child_query" combine="choice">
+ <element name="child">
+ <ref name="ctl_create"/>
+ <ref name="self_handle"/>
+ <ref name="child_handle"/>
+ <ref name="child_bool"/>
+ <ref name="child_payload"/>
+ </element>
+ </define>
+ <define name="child_reply" combine="choice">
+ <element name="child">
+ <ref name="ctl_create"/>
+ <ref name="self_handle"/>
+ <ref name="child_handle"/>
+ </element>
+ </define>
+ <define name="child_query" combine="choice">
+ <element name="child">
+ <ref name="ctl_set"/>
+ <ref name="self_handle"/>
+ <ref name="child_handle"/>
+ <ref name="child_bool"/>
+ <ref name="child_payload"/>
+ </element>
+ </define>
+ <define name="child_reply" combine="choice">
+ <element name="child">
+ <ref name="ctl_set"/>
+ <ref name="self_handle"/>
+ <ref name="child_handle"/>
+ </element>
+ </define>
+ <define name="child_query" combine="choice">
+ <element name="child">
+ <ref name="ctl_get"/>
+ <ref name="self_handle"/>
+ <ref name="child_handle"/>
+ </element>
+ </define>
+ <define name="child_reply" combine="choice">
+ <element name="child">
+ <ref name="ctl_get"/>
+ <ref name="self_handle"/>
+ <ref name="child_handle"/>
+ <ref name="child_payload"/>
+ </element>
+ </define>
+ <define name="child_query" combine="choice">
+ <element name="child">
+ <ref name="ctl_list"/>
+ <ref name="self_handle"/>
+ </element>
+ </define>
+ <define name="child_reply" combine="choice">
+ <element name="child">
+ <ref name="ctl_list"/>
+ <ref name="self_handle"/>
+ <ref name="child_handle"/>
+ <ref name="child_payload"/>
+ </element>
+ </define>
+ <define name="child_query" combine="choice">
+ <element name="child">
+ <ref name="ctl_destroy"/>
+ <ref name="self_handle"/>
+ <ref name="child_handle"/>
+ </element>
+ </define>
+ <define name="child_reply" combine="choice">
+ <element name="child">
+ <ref name="ctl_destroy"/>
+ <ref name="self_handle"/>
+ <ref name="child_handle"/>
+ </element>
+ </define>
+ <!-- <repository/> element -->
+ <define name="repository_handle">
+ <attribute name="repository_handle">
+ <ref name="object_handle"/>
+ </attribute>
+ </define>
+ <define name="repository_bool">
+ <optional>
+ <attribute name="clear_replay_protection">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ </define>
+ <define name="repository_payload">
+ <optional>
+ <attribute name="peer_contact_uri">
+ <ref name="uri"/>
+ </attribute>
+ </optional>
+ <optional>
+ <ref name="bsc_handle"/>
+ </optional>
+ <optional>
+ <element name="bpki_cert">
+ <ref name="base64"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="bpki_glue">
+ <ref name="base64"/>
+ </element>
+ </optional>
+ </define>
+ <define name="repository_query" combine="choice">
+ <element name="repository">
+ <ref name="ctl_create"/>
+ <ref name="self_handle"/>
+ <ref name="repository_handle"/>
+ <ref name="repository_bool"/>
+ <ref name="repository_payload"/>
+ </element>
+ </define>
+ <define name="repository_reply" combine="choice">
+ <element name="repository">
+ <ref name="ctl_create"/>
+ <ref name="self_handle"/>
+ <ref name="repository_handle"/>
+ </element>
+ </define>
+ <define name="repository_query" combine="choice">
+ <element name="repository">
+ <ref name="ctl_set"/>
+ <ref name="self_handle"/>
+ <ref name="repository_handle"/>
+ <ref name="repository_bool"/>
+ <ref name="repository_payload"/>
+ </element>
+ </define>
+ <define name="repository_reply" combine="choice">
+ <element name="repository">
+ <ref name="ctl_set"/>
+ <ref name="self_handle"/>
+ <ref name="repository_handle"/>
+ </element>
+ </define>
+ <define name="repository_query" combine="choice">
+ <element name="repository">
+ <ref name="ctl_get"/>
+ <ref name="self_handle"/>
+ <ref name="repository_handle"/>
+ </element>
+ </define>
+ <define name="repository_reply" combine="choice">
+ <element name="repository">
+ <ref name="ctl_get"/>
+ <ref name="self_handle"/>
+ <ref name="repository_handle"/>
+ <ref name="repository_payload"/>
+ </element>
+ </define>
+ <define name="repository_query" combine="choice">
+ <element name="repository">
+ <ref name="ctl_list"/>
+ <ref name="self_handle"/>
+ </element>
+ </define>
+ <define name="repository_reply" combine="choice">
+ <element name="repository">
+ <ref name="ctl_list"/>
+ <ref name="self_handle"/>
+ <ref name="repository_handle"/>
+ <ref name="repository_payload"/>
+ </element>
+ </define>
+ <define name="repository_query" combine="choice">
+ <element name="repository">
+ <ref name="ctl_destroy"/>
+ <ref name="self_handle"/>
+ <ref name="repository_handle"/>
+ </element>
+ </define>
+ <define name="repository_reply" combine="choice">
+ <element name="repository">
+ <ref name="ctl_destroy"/>
+ <ref name="self_handle"/>
+ <ref name="repository_handle"/>
+ </element>
+ </define>
+ <!-- <list_resources/> element -->
+ <define name="list_resources_query">
+ <element name="list_resources">
+ <ref name="tag"/>
+ <ref name="self_handle"/>
+ <ref name="child_handle"/>
+ </element>
+ </define>
+ <define name="list_resources_reply">
+ <element name="list_resources">
+ <ref name="tag"/>
+ <ref name="self_handle"/>
+ <ref name="child_handle"/>
+ <attribute name="valid_until">
+ <data type="dateTime">
+ <param name="pattern">.*Z</param>
+ </data>
+ </attribute>
+ <optional>
+ <attribute name="asn">
+ <ref name="asn_list"/>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="ipv4">
+ <ref name="ipv4_list"/>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="ipv6">
+ <ref name="ipv6_list"/>
+ </attribute>
+ </optional>
+ </element>
+ </define>
+ <!-- <list_roa_requests/> element -->
+ <define name="list_roa_requests_query">
+ <element name="list_roa_requests">
+ <ref name="tag"/>
+ <ref name="self_handle"/>
+ </element>
+ </define>
+ <define name="list_roa_requests_reply">
+ <element name="list_roa_requests">
+ <ref name="tag"/>
+ <ref name="self_handle"/>
+ <attribute name="asn">
+ <data type="nonNegativeInteger"/>
+ </attribute>
+ <optional>
+ <attribute name="ipv4">
+ <ref name="ipv4_list"/>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="ipv6">
+ <ref name="ipv6_list"/>
+ </attribute>
+ </optional>
+ </element>
+ </define>
+ <!-- <list_ghostbuster_requests/> element -->
+ <define name="list_ghostbuster_requests_query">
+ <element name="list_ghostbuster_requests">
+ <ref name="tag"/>
+ <ref name="self_handle"/>
+ <ref name="parent_handle"/>
+ </element>
+ </define>
+ <define name="list_ghostbuster_requests_reply">
+ <element name="list_ghostbuster_requests">
+ <ref name="tag"/>
+ <ref name="self_handle"/>
+ <ref name="parent_handle"/>
+ <data type="string"/>
+ </element>
+ </define>
+ <!-- <list_ee_certificate_requests/> element -->
+ <define name="list_ee_certificate_requests_query">
+ <element name="list_ee_certificate_requests">
+ <ref name="tag"/>
+ <ref name="self_handle"/>
+ </element>
+ </define>
+ <define name="list_ee_certificate_requests_reply">
+ <element name="list_ee_certificate_requests">
+ <ref name="tag"/>
+ <ref name="self_handle"/>
+ <attribute name="gski">
+ <data type="token">
+ <param name="minLength">27</param>
+ <param name="maxLength">27</param>
+ </data>
+ </attribute>
+ <attribute name="valid_until">
+ <data type="dateTime">
+ <param name="pattern">.*Z</param>
+ </data>
+ </attribute>
+ <optional>
+ <attribute name="asn">
+ <ref name="asn_list"/>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="ipv4">
+ <ref name="ipv4_list"/>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="ipv6">
+ <ref name="ipv6_list"/>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="cn">
+ <data type="string">
+ <param name="maxLength">64</param>
+ <param name="pattern">[\-0-9A-Za-z_ ]+</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="sn">
+ <data type="string">
+ <param name="maxLength">64</param>
+ <param name="pattern">[0-9A-Fa-f]+</param>
+ </data>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="eku">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[.,0-9]+</param>
+ </data>
+ </attribute>
+ </optional>
+ <element name="pkcs10">
+ <ref name="base64"/>
+ </element>
+ </element>
+ </define>
+ <!-- <list_published_objects/> element -->
+ <define name="list_published_objects_query">
+ <element name="list_published_objects">
+ <ref name="tag"/>
+ <ref name="self_handle"/>
+ </element>
+ </define>
+ <define name="list_published_objects_reply">
+ <element name="list_published_objects">
+ <ref name="tag"/>
+ <ref name="self_handle"/>
+ <attribute name="uri">
+ <ref name="uri"/>
+ </attribute>
+ <optional>
+ <attribute name="child_handle">
+ <ref name="object_handle"/>
+ </attribute>
+ </optional>
+ <ref name="base64"/>
+ </element>
+ </define>
+ <!-- <list_received_resources/> element -->
+ <define name="list_received_resources_query">
+ <element name="list_received_resources">
+ <ref name="tag"/>
+ <ref name="self_handle"/>
+ </element>
+ </define>
+ <define name="list_received_resources_reply">
+ <element name="list_received_resources">
+ <ref name="tag"/>
+ <ref name="self_handle"/>
+ <ref name="parent_handle"/>
+ <attribute name="notBefore">
+ <data type="dateTime">
+ <param name="pattern">.*Z</param>
+ </data>
+ </attribute>
+ <attribute name="notAfter">
+ <data type="dateTime">
+ <param name="pattern">.*Z</param>
+ </data>
+ </attribute>
+ <attribute name="uri">
+ <ref name="uri"/>
+ </attribute>
+ <attribute name="sia_uri">
+ <ref name="uri"/>
+ </attribute>
+ <attribute name="aia_uri">
+ <ref name="uri"/>
+ </attribute>
+ <optional>
+ <attribute name="asn">
+ <ref name="asn_list"/>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="ipv4">
+ <ref name="ipv4_list"/>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="ipv6">
+ <ref name="ipv6_list"/>
+ </attribute>
+ </optional>
+ </element>
+ </define>
+ <!-- <report_error/> element -->
+ <define name="error">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </define>
+ <define name="report_error_reply">
+ <element name="report_error">
+ <ref name="tag"/>
+ <optional>
+ <ref name="self_handle"/>
+ </optional>
+ <attribute name="error_code">
+ <ref name="error"/>
+ </attribute>
+ <optional>
+ <data type="string">
+ <param name="maxLength">512000</param>
+ </data>
+ </optional>
+ </element>
+ </define>
+</grammar>
+<!--
+ Local Variables:
+ indent-tabs-mode: nil
+ comment-start: "# "
+ comment-start-skip: "#[ \t]*"
+ End:
+-->
diff --git a/schemas/relaxng/myrpki.rnc b/schemas/relaxng/myrpki.rnc
new file mode 100644
index 00000000..156ab0d5
--- /dev/null
+++ b/schemas/relaxng/myrpki.rnc
@@ -0,0 +1,164 @@
+# $Id$
+#
+# RelaxNG schema for MyRPKI XML messages.
+#
+# This message protocol is on its way out, as we're in the process of
+# moving on from the user interface model that produced it, but even
+# after we finish replacing it we'll still need the schema for a while
+# to validate old messages when upgrading.
+#
+# libxml2 (including xmllint) only groks the XML syntax of RelaxNG, so
+# run the compact syntax through trang to get XML syntax.
+#
+# Copyright (C) 2009-2011 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+default namespace = "http://www.hactrn.net/uris/rpki/myrpki/"
+
+version = "2"
+
+base64 = xsd:base64Binary { maxLength="512000" }
+object_handle = xsd:string { maxLength="255" pattern="[\-_A-Za-z0-9]+" }
+pubd_handle = xsd:string { maxLength="255" pattern="[\-_A-Za-z0-9/]+" }
+uri = xsd:anyURI { maxLength="4096" }
+asn = xsd:positiveInteger
+asn_list = xsd:string { maxLength="512000" pattern="[\-,0-9]+" }
+ipv4_list = xsd:string { maxLength="512000" pattern="[\-,0-9/.]+" }
+ipv6_list = xsd:string { maxLength="512000" pattern="[\-,0-9/:a-fA-F]+" }
+timestamp = xsd:dateTime { pattern=".*Z" }
+
+# Message formate used between configure_resources and
+# configure_daemons.
+
+start |= element myrpki {
+ attribute version { version },
+ attribute handle { object_handle },
+ attribute service_uri { uri }?,
+ element roa_request {
+ attribute asn { asn },
+ attribute v4 { ipv4_list },
+ attribute v6 { ipv6_list }
+ }*,
+ element child {
+ attribute handle { object_handle },
+ attribute valid_until { timestamp },
+ attribute asns { asn_list }?,
+ attribute v4 { ipv4_list }?,
+ attribute v6 { ipv6_list }?,
+ element bpki_certificate { base64 }?
+ }*,
+ element parent {
+ attribute handle { object_handle },
+ attribute service_uri { uri }?,
+ attribute myhandle { object_handle }?,
+ attribute sia_base { uri }?,
+ element bpki_cms_certificate { base64 }?
+ }*,
+ element repository {
+ attribute handle { object_handle },
+ attribute service_uri { uri }?,
+ element bpki_certificate { base64 }?
+ }*,
+ element bpki_ca_certificate { base64 }?,
+ element bpki_crl { base64 }?,
+ element bpki_bsc_certificate { base64 }?,
+ element bpki_bsc_pkcs10 { base64 }?
+}
+
+# Format of an identity.xml file.
+
+start |= element identity {
+ attribute version { version },
+ attribute handle { object_handle },
+ element bpki_ta { base64 }
+}
+
+# Format of <authorization/> element used in referrals. The Base64
+# text is a <referral/> (q. v.) element signed with CMS.
+
+authorization = element authorization {
+ attribute referrer { pubd_handle },
+ base64
+}
+
+# Format of <contact_info/> element used in referrals.
+
+contact_info = element contact_info {
+ attribute uri { uri }?,
+ xsd:string
+}
+
+# Variant payload portion of a <repository/> element.
+
+repository_payload = (
+ (attribute type { "none" }) |
+ (attribute type { "offer" }) |
+ (attribute type { "referral" }, authorization, contact_info)
+)
+
+# <parent/> element (response from configure_child).
+
+start |= element parent {
+ attribute version { version },
+ attribute valid_until { timestamp }?,
+ attribute service_uri { uri }?,
+ attribute child_handle { object_handle },
+ attribute parent_handle { object_handle },
+ element bpki_resource_ta { base64 },
+ element bpki_child_ta { base64 },
+ element repository { repository_payload }?
+}
+
+# <repository/> element, types offer and referral
+# (input to configure_publication_client).
+
+start |= element repository {
+ attribute version { version },
+ attribute handle { object_handle },
+ attribute parent_handle { object_handle },
+ repository_payload,
+ element bpki_client_ta { base64 }
+}
+
+# <repository/> element, confirmation type (output of
+# configure_publication_client).
+
+start |= element repository {
+ attribute version { version },
+ attribute type { "confirmed" },
+ attribute parent_handle { object_handle },
+ attribute client_handle { pubd_handle },
+ attribute service_uri { uri },
+ attribute sia_base { uri },
+ element bpki_server_ta { base64 },
+ element bpki_client_ta { base64 },
+ authorization?,
+ contact_info?
+}
+
+# <referral/> element. This is the entirety of a separate message
+# which is signed with CMS then included ase the Base64 content of an
+# <authorization/> element in the main message.
+
+start |= element referral {
+ attribute version { version },
+ attribute authorized_sia_base { uri },
+ base64
+}
+
+# Local Variables:
+# indent-tabs-mode: nil
+# comment-start: "# "
+# comment-start-skip: "#[ \t]*"
+# End:
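Review bot: `contact_info` is the only free-text field in this schema with no length bound — every other string, list and base64 definition carries a maxLength — so a validator accepting a referral or a confirmed `<repository/>` message gets no size cap from the schema on that element; `xsd:string { maxLength="1024" }` (or whatever the UI actually stores) would bring it in line, bearing in mind the header says this schema must keep accepting old messages. Likewise `asn = xsd:positiveInteger` has no upper bound, so `asn = xsd:positiveInteger { maxInclusive="4294967295" }` would reject out-of-range 32-bit AS numbers at validation instead of somewhere downstream. The `<authorization/>` comment says the Base64 is a CMS-signed `<referral/>`, but nothing here records which BPKI trust anchor that signature must chain to or that `referrer` has to match the signer; presumably configure_publication_client enforces this, and a one-line pointer in the comment would save the next reader from having to confirm it. There is also a typo in the comment above the `myrpki` element: "Message formate" should read "Message format".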
diff --git a/schemas/relaxng/myrpki.rng b/schemas/relaxng/myrpki.rng
new file mode 100644
index 00000000..07b8beb3
--- /dev/null
+++ b/schemas/relaxng/myrpki.rng
@@ -0,0 +1,379 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ $Id: myrpki.rnc 5753 2014-04-05 19:24:26Z sra $
+
+ RelaxNG schema for MyRPKI XML messages.
+
+ This message protocol is on its way out, as we're in the process of
+ moving on from the user interface model that produced it, but even
+ after we finish replacing it we'll still need the schema for a while
+ to validate old messages when upgrading.
+
+ libxml2 (including xmllint) only groks the XML syntax of RelaxNG, so
+ run the compact syntax through trang to get XML syntax.
+
+ Copyright (C) 2009-2011 Internet Systems Consortium ("ISC")
+
+ Permission to use, copy, modify, and distribute this software for any
+ purpose with or without fee is hereby granted, provided that the above
+ copyright notice and this permission notice appear in all copies.
+
+ THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ PERFORMANCE OF THIS SOFTWARE.
+-->
+<grammar ns="http://www.hactrn.net/uris/rpki/myrpki/" xmlns="http://relaxng.org/ns/structure/1.0" datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes">
+ <define name="version">
+ <value>2</value>
+ </define>
+ <define name="base64">
+ <data type="base64Binary">
+ <param name="maxLength">512000</param>
+ </data>
+ </define>
+ <define name="object_handle">
+ <data type="string">
+ <param name="maxLength">255</param>
+ <param name="pattern">[\-_A-Za-z0-9]+</param>
+ </data>
+ </define>
+ <define name="pubd_handle">
+ <data type="string">
+ <param name="maxLength">255</param>
+ <param name="pattern">[\-_A-Za-z0-9/]+</param>
+ </data>
+ </define>
+ <define name="uri">
+ <data type="anyURI">
+ <param name="maxLength">4096</param>
+ </data>
+ </define>
+ <define name="asn">
+ <data type="positiveInteger"/>
+ </define>
+ <define name="asn_list">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[\-,0-9]+</param>
+ </data>
+ </define>
+ <define name="ipv4_list">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[\-,0-9/.]+</param>
+ </data>
+ </define>
+ <define name="ipv6_list">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[\-,0-9/:a-fA-F]+</param>
+ </data>
+ </define>
+ <define name="timestamp">
+ <data type="dateTime">
+ <param name="pattern">.*Z</param>
+ </data>
+ </define>
+ <!--
+ Message formate used between configure_resources and
+ configure_daemons.
+ -->
+ <start combine="choice">
+ <element name="myrpki">
+ <attribute name="version">
+ <ref name="version"/>
+ </attribute>
+ <attribute name="handle">
+ <ref name="object_handle"/>
+ </attribute>
+ <optional>
+ <attribute name="service_uri">
+ <ref name="uri"/>
+ </attribute>
+ </optional>
+ <zeroOrMore>
+ <element name="roa_request">
+ <attribute name="asn">
+ <ref name="asn"/>
+ </attribute>
+ <attribute name="v4">
+ <ref name="ipv4_list"/>
+ </attribute>
+ <attribute name="v6">
+ <ref name="ipv6_list"/>
+ </attribute>
+ </element>
+ </zeroOrMore>
+ <zeroOrMore>
+ <element name="child">
+ <attribute name="handle">
+ <ref name="object_handle"/>
+ </attribute>
+ <attribute name="valid_until">
+ <ref name="timestamp"/>
+ </attribute>
+ <optional>
+ <attribute name="asns">
+ <ref name="asn_list"/>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="v4">
+ <ref name="ipv4_list"/>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="v6">
+ <ref name="ipv6_list"/>
+ </attribute>
+ </optional>
+ <optional>
+ <element name="bpki_certificate">
+ <ref name="base64"/>
+ </element>
+ </optional>
+ </element>
+ </zeroOrMore>
+ <zeroOrMore>
+ <element name="parent">
+ <attribute name="handle">
+ <ref name="object_handle"/>
+ </attribute>
+ <optional>
+ <attribute name="service_uri">
+ <ref name="uri"/>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="myhandle">
+ <ref name="object_handle"/>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="sia_base">
+ <ref name="uri"/>
+ </attribute>
+ </optional>
+ <optional>
+ <element name="bpki_cms_certificate">
+ <ref name="base64"/>
+ </element>
+ </optional>
+ </element>
+ </zeroOrMore>
+ <zeroOrMore>
+ <element name="repository">
+ <attribute name="handle">
+ <ref name="object_handle"/>
+ </attribute>
+ <optional>
+ <attribute name="service_uri">
+ <ref name="uri"/>
+ </attribute>
+ </optional>
+ <optional>
+ <element name="bpki_certificate">
+ <ref name="base64"/>
+ </element>
+ </optional>
+ </element>
+ </zeroOrMore>
+ <optional>
+ <element name="bpki_ca_certificate">
+ <ref name="base64"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="bpki_crl">
+ <ref name="base64"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="bpki_bsc_certificate">
+ <ref name="base64"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="bpki_bsc_pkcs10">
+ <ref name="base64"/>
+ </element>
+ </optional>
+ </element>
+ </start>
+ <!-- Format of an identity.xml file. -->
+ <start combine="choice">
+ <element name="identity">
+ <attribute name="version">
+ <ref name="version"/>
+ </attribute>
+ <attribute name="handle">
+ <ref name="object_handle"/>
+ </attribute>
+ <element name="bpki_ta">
+ <ref name="base64"/>
+ </element>
+ </element>
+ </start>
+ <!--
+ Format of <authorization/> element used in referrals. The Base64
+ text is a <referral/> (q. v.) element signed with CMS.
+ -->
+ <define name="authorization">
+ <element name="authorization">
+ <attribute name="referrer">
+ <ref name="pubd_handle"/>
+ </attribute>
+ <ref name="base64"/>
+ </element>
+ </define>
+ <!-- Format of <contact_info/> element used in referrals. -->
+ <define name="contact_info">
+ <element name="contact_info">
+ <optional>
+ <attribute name="uri">
+ <ref name="uri"/>
+ </attribute>
+ </optional>
+ <data type="string"/>
+ </element>
+ </define>
+ <!-- Variant payload portion of a <repository/> element. -->
+ <define name="repository_payload">
+ <choice>
+ <attribute name="type">
+ <value>none</value>
+ </attribute>
+ <attribute name="type">
+ <value>offer</value>
+ </attribute>
+ <group>
+ <attribute name="type">
+ <value>referral</value>
+ </attribute>
+ <ref name="authorization"/>
+ <ref name="contact_info"/>
+ </group>
+ </choice>
+ </define>
+ <!-- <parent/> element (response from configure_child). -->
+ <start combine="choice">
+ <element name="parent">
+ <attribute name="version">
+ <ref name="version"/>
+ </attribute>
+ <optional>
+ <attribute name="valid_until">
+ <ref name="timestamp"/>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="service_uri">
+ <ref name="uri"/>
+ </attribute>
+ </optional>
+ <attribute name="child_handle">
+ <ref name="object_handle"/>
+ </attribute>
+ <attribute name="parent_handle">
+ <ref name="object_handle"/>
+ </attribute>
+ <element name="bpki_resource_ta">
+ <ref name="base64"/>
+ </element>
+ <element name="bpki_child_ta">
+ <ref name="base64"/>
+ </element>
+ <optional>
+ <element name="repository">
+ <ref name="repository_payload"/>
+ </element>
+ </optional>
+ </element>
+ </start>
+ <!--
+ <repository/> element, types offer and referral
+ (input to configure_publication_client).
+ -->
+ <start combine="choice">
+ <element name="repository">
+ <attribute name="version">
+ <ref name="version"/>
+ </attribute>
+ <attribute name="handle">
+ <ref name="object_handle"/>
+ </attribute>
+ <attribute name="parent_handle">
+ <ref name="object_handle"/>
+ </attribute>
+ <ref name="repository_payload"/>
+ <element name="bpki_client_ta">
+ <ref name="base64"/>
+ </element>
+ </element>
+ </start>
+ <!--
+ <repository/> element, confirmation type (output of
+ configure_publication_client).
+ -->
+ <start combine="choice">
+ <element name="repository">
+ <attribute name="version">
+ <ref name="version"/>
+ </attribute>
+ <attribute name="type">
+ <value>confirmed</value>
+ </attribute>
+ <attribute name="parent_handle">
+ <ref name="object_handle"/>
+ </attribute>
+ <attribute name="client_handle">
+ <ref name="pubd_handle"/>
+ </attribute>
+ <attribute name="service_uri">
+ <ref name="uri"/>
+ </attribute>
+ <attribute name="sia_base">
+ <ref name="uri"/>
+ </attribute>
+ <element name="bpki_server_ta">
+ <ref name="base64"/>
+ </element>
+ <element name="bpki_client_ta">
+ <ref name="base64"/>
+ </element>
+ <optional>
+ <ref name="authorization"/>
+ </optional>
+ <optional>
+ <ref name="contact_info"/>
+ </optional>
+ </element>
+ </start>
+ <!--
+ <referral/> element. This is the entirety of a separate message
+ which is signed with CMS then included ase the Base64 content of an
+ <authorization/> element in the main message.
+ -->
+ <start combine="choice">
+ <element name="referral">
+ <attribute name="version">
+ <ref name="version"/>
+ </attribute>
+ <attribute name="authorized_sia_base">
+ <ref name="uri"/>
+ </attribute>
+ <ref name="base64"/>
+ </element>
+ </start>
+</grammar>
+<!--
+ Local Variables:
+ indent-tabs-mode: nil
+ comment-start: "# "
+ comment-start-skip: "#[ \t]*"
+ End:
+-->
diff --git a/schemas/relaxng/publication-schema.rnc b/schemas/relaxng/publication-schema.rnc
new file mode 100644
index 00000000..4353ae80
--- /dev/null
+++ b/schemas/relaxng/publication-schema.rnc
@@ -0,0 +1,137 @@
+# $Id$
+#
+# RelaxNG schema for RPKI publication protocol.
+#
+# Copyright (C) 2012--2014 Dragon Research Labs ("DRL")
+# Portions copyright (C) 2009--2011 Internet Systems Consortium ("ISC")
+# Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notices and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND DRL, ISC, AND ARIN DISCLAIM ALL
+# WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DRL,
+# ISC, OR ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+# CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+# OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+default namespace = "http://www.hactrn.net/uris/rpki/publication-spec/"
+
+# Top level PDU
+
+start = element msg {
+ attribute version { xsd:positiveInteger { maxInclusive="1" } },
+ ( (attribute type { "query" }, query_elt*) |
+ (attribute type { "reply" }, reply_elt*) )
+}
+
+# PDUs allowed in a query
+query_elt = ( config_query | client_query | certificate_query | crl_query |
+ manifest_query | roa_query | ghostbuster_query )
+
+# PDUs allowed in a reply
+reply_elt = ( config_reply | client_reply | certificate_reply | crl_reply |
+ manifest_reply | roa_reply | ghostbuster_reply | report_error_reply )
+
+# Tag attributes for bulk operations
+tag = attribute tag { xsd:token {maxLength="1024" } }
+
+# Base64 encoded DER stuff
+#base64 = xsd:base64Binary { maxLength="512000" }
+#
+# Sadly, it turns out that CRLs can in fact get longer than this for an active CA.
+# Remove length limit for now, think about whether to put it back later.
+base64 = xsd:base64Binary
+
+# Publication URLs
+uri_t = xsd:anyURI { maxLength="4096" }
+uri = attribute uri { uri_t }
+
+# Handles on remote objects (replaces passing raw SQL IDs). NB:
+# Unlike the up-down protocol, handles in this protocol allow "/" as a
+# hierarchy delimiter.
+object_handle = xsd:string { maxLength="255" pattern="[\-_A-Za-z0-9/]+" }
+
+# <config/> element (use restricted to repository operator)
+# config_handle attribute, create, list, and destroy commands omitted deliberately, see code for details
+
+config_payload = (element bpki_crl { base64 }?)
+
+config_query |= element config { attribute action { "set" }, tag?, config_payload }
+config_reply |= element config { attribute action { "set" }, tag? }
+config_query |= element config { attribute action { "get" }, tag? }
+config_reply |= element config { attribute action { "get" }, tag?, config_payload }
+
+# <client/> element (use restricted to repository operator)
+
+client_handle = attribute client_handle { object_handle }
+
+client_bool = attribute clear_replay_protection { "yes" }?
+
+client_payload = (attribute base_uri { uri_t }?, element bpki_cert { base64 }?, element bpki_glue { base64 }?)
+
+client_query |= element client { attribute action { "create" }, tag?, client_handle, client_bool, client_payload }
+client_reply |= element client { attribute action { "create" }, tag?, client_handle }
+client_query |= element client { attribute action { "set" }, tag?, client_handle, client_bool, client_payload }
+client_reply |= element client { attribute action { "set" }, tag?, client_handle }
+client_query |= element client { attribute action { "get" }, tag?, client_handle }
+client_reply |= element client { attribute action { "get" }, tag?, client_handle, client_payload }
+client_query |= element client { attribute action { "list" }, tag? }
+client_reply |= element client { attribute action { "list" }, tag?, client_handle, client_payload }
+client_query |= element client { attribute action { "destroy" }, tag?, client_handle }
+client_reply |= element client { attribute action { "destroy" }, tag?, client_handle }
+
+# <certificate/> element
+
+certificate_query |= element certificate { attribute action { "publish" }, tag?, uri, base64 }
+certificate_reply |= element certificate { attribute action { "publish" }, tag?, uri }
+certificate_query |= element certificate { attribute action { "withdraw" }, tag?, uri }
+certificate_reply |= element certificate { attribute action { "withdraw" }, tag?, uri }
+
+# <crl/> element
+
+crl_query |= element crl { attribute action { "publish" }, tag?, uri, base64 }
+crl_reply |= element crl { attribute action { "publish" }, tag?, uri }
+crl_query |= element crl { attribute action { "withdraw" }, tag?, uri }
+crl_reply |= element crl { attribute action { "withdraw" }, tag?, uri }
+
+# <manifest/> element
+
+manifest_query |= element manifest { attribute action { "publish" }, tag?, uri, base64 }
+manifest_reply |= element manifest { attribute action { "publish" }, tag?, uri }
+manifest_query |= element manifest { attribute action { "withdraw" }, tag?, uri }
+manifest_reply |= element manifest { attribute action { "withdraw" }, tag?, uri }
+
+# <roa/> element
+
+roa_query |= element roa { attribute action { "publish" }, tag?, uri, base64 }
+roa_reply |= element roa { attribute action { "publish" }, tag?, uri }
+roa_query |= element roa { attribute action { "withdraw" }, tag?, uri }
+roa_reply |= element roa { attribute action { "withdraw" }, tag?, uri }
+
+# <ghostbuster/> element
+
+ghostbuster_query |= element ghostbuster { attribute action { "publish" }, tag?, uri, base64 }
+ghostbuster_reply |= element ghostbuster { attribute action { "publish" }, tag?, uri }
+ghostbuster_query |= element ghostbuster { attribute action { "withdraw" }, tag?, uri }
+ghostbuster_reply |= element ghostbuster { attribute action { "withdraw" }, tag?, uri }
+
+# <report_error/> element
+
+error = xsd:token { maxLength="1024" }
+
+report_error_reply = element report_error {
+ tag?,
+ attribute error_code { error },
+ xsd:string { maxLength="512000" }?
+}
+
+# Local Variables:
+# indent-tabs-mode: nil
+# comment-start: "# "
+# comment-start-skip: "#[ \t]*"
+# End:
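Review bot: Dropping the 512000 limit on `base64` removes the only size cap the schema placed on published objects, and it does so for every object type (certificate, manifest, roa, ghostbuster), not just the CRL the comment cites; after this the publication server depends entirely on whatever limit the HTTP or CMS layer applies before schema validation, and this file does not say whether such a limit exists. If it does, the comment should record it, e.g. `# No schema-level bound: pubd must cap request body size before validation.`; if it does not, a narrower fix is to keep `base64 = xsd:base64Binary { maxLength="512000" }` for the small object types and define a separate unbounded type used only by `crl` (and probably `manifest`, which also grows with an active CA). Separately, `object_handle` allows `/` as a hierarchy delimiter and therefore also a leading or doubled `/`; if client handles are ever mapped onto filesystem paths the consumer should normalise those, although the pattern's exclusion of `.` already rules out `..` traversal.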
diff --git a/schemas/relaxng/publication-schema.rng b/schemas/relaxng/publication-schema.rng
new file mode 100644
index 00000000..63fb6ea5
--- /dev/null
+++ b/schemas/relaxng/publication-schema.rng
@@ -0,0 +1,574 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ $Id: publication-schema.rnc 5753 2014-04-05 19:24:26Z sra $
+
+ RelaxNG schema for RPKI publication protocol.
+
+ Copyright (C) 2012- -2014 Dragon Research Labs ("DRL")
+ Portions copyright (C) 2009- -2011 Internet Systems Consortium ("ISC")
+ Portions copyright (C) 2007- -2008 American Registry for Internet Numbers ("ARIN")
+
+ Permission to use, copy, modify, and distribute this software for any
+ purpose with or without fee is hereby granted, provided that the above
+ copyright notices and this permission notice appear in all copies.
+
+ THE SOFTWARE IS PROVIDED "AS IS" AND DRL, ISC, AND ARIN DISCLAIM ALL
+ WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DRL,
+ ISC, OR ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+ OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+ NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+ WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+-->
+<grammar ns="http://www.hactrn.net/uris/rpki/publication-spec/" xmlns="http://relaxng.org/ns/structure/1.0" datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes">
+ <!-- Top level PDU -->
+ <start>
+ <element name="msg">
+ <attribute name="version">
+ <data type="positiveInteger">
+ <param name="maxInclusive">1</param>
+ </data>
+ </attribute>
+ <choice>
+ <group>
+ <attribute name="type">
+ <value>query</value>
+ </attribute>
+ <zeroOrMore>
+ <ref name="query_elt"/>
+ </zeroOrMore>
+ </group>
+ <group>
+ <attribute name="type">
+ <value>reply</value>
+ </attribute>
+ <zeroOrMore>
+ <ref name="reply_elt"/>
+ </zeroOrMore>
+ </group>
+ </choice>
+ </element>
+ </start>
+ <!-- PDUs allowed in a query -->
+ <define name="query_elt">
+ <choice>
+ <ref name="config_query"/>
+ <ref name="client_query"/>
+ <ref name="certificate_query"/>
+ <ref name="crl_query"/>
+ <ref name="manifest_query"/>
+ <ref name="roa_query"/>
+ <ref name="ghostbuster_query"/>
+ </choice>
+ </define>
+ <!-- PDUs allowed in a reply -->
+ <define name="reply_elt">
+ <choice>
+ <ref name="config_reply"/>
+ <ref name="client_reply"/>
+ <ref name="certificate_reply"/>
+ <ref name="crl_reply"/>
+ <ref name="manifest_reply"/>
+ <ref name="roa_reply"/>
+ <ref name="ghostbuster_reply"/>
+ <ref name="report_error_reply"/>
+ </choice>
+ </define>
+ <!-- Tag attributes for bulk operations -->
+ <define name="tag">
+ <attribute name="tag">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </attribute>
+ </define>
+ <!--
+ Base64 encoded DER stuff
+ base64 = xsd:base64Binary { maxLength="512000" }
+
+ Sadly, it turns out that CRLs can in fact get longer than this for an active CA.
+ Remove length limit for now, think about whether to put it back later.
+ -->
+ <define name="base64">
+ <data type="base64Binary"/>
+ </define>
+ <!-- Publication URLs -->
+ <define name="uri_t">
+ <data type="anyURI">
+ <param name="maxLength">4096</param>
+ </data>
+ </define>
+ <define name="uri">
+ <attribute name="uri">
+ <ref name="uri_t"/>
+ </attribute>
+ </define>
+ <!--
+ Handles on remote objects (replaces passing raw SQL IDs). NB:
+ Unlike the up-down protocol, handles in this protocol allow "/" as a
+ hierarchy delimiter.
+ -->
+ <define name="object_handle">
+ <data type="string">
+ <param name="maxLength">255</param>
+ <param name="pattern">[\-_A-Za-z0-9/]+</param>
+ </data>
+ </define>
+ <!--
+ <config/> element (use restricted to repository operator)
+ config_handle attribute, create, list, and destroy commands omitted deliberately, see code for details
+ -->
+ <define name="config_payload">
+ <optional>
+ <element name="bpki_crl">
+ <ref name="base64"/>
+ </element>
+ </optional>
+ </define>
+ <define name="config_query" combine="choice">
+ <element name="config">
+ <attribute name="action">
+ <value>set</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="config_payload"/>
+ </element>
+ </define>
+ <define name="config_reply" combine="choice">
+ <element name="config">
+ <attribute name="action">
+ <value>set</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ </element>
+ </define>
+ <define name="config_query" combine="choice">
+ <element name="config">
+ <attribute name="action">
+ <value>get</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ </element>
+ </define>
+ <define name="config_reply" combine="choice">
+ <element name="config">
+ <attribute name="action">
+ <value>get</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="config_payload"/>
+ </element>
+ </define>
+ <!-- <client/> element (use restricted to repository operator) -->
+ <define name="client_handle">
+ <attribute name="client_handle">
+ <ref name="object_handle"/>
+ </attribute>
+ </define>
+ <define name="client_bool">
+ <optional>
+ <attribute name="clear_replay_protection">
+ <value>yes</value>
+ </attribute>
+ </optional>
+ </define>
+ <define name="client_payload">
+ <optional>
+ <attribute name="base_uri">
+ <ref name="uri_t"/>
+ </attribute>
+ </optional>
+ <optional>
+ <element name="bpki_cert">
+ <ref name="base64"/>
+ </element>
+ </optional>
+ <optional>
+ <element name="bpki_glue">
+ <ref name="base64"/>
+ </element>
+ </optional>
+ </define>
+ <define name="client_query" combine="choice">
+ <element name="client">
+ <attribute name="action">
+ <value>create</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="client_handle"/>
+ <ref name="client_bool"/>
+ <ref name="client_payload"/>
+ </element>
+ </define>
+ <define name="client_reply" combine="choice">
+ <element name="client">
+ <attribute name="action">
+ <value>create</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="client_handle"/>
+ </element>
+ </define>
+ <define name="client_query" combine="choice">
+ <element name="client">
+ <attribute name="action">
+ <value>set</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="client_handle"/>
+ <ref name="client_bool"/>
+ <ref name="client_payload"/>
+ </element>
+ </define>
+ <define name="client_reply" combine="choice">
+ <element name="client">
+ <attribute name="action">
+ <value>set</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="client_handle"/>
+ </element>
+ </define>
+ <define name="client_query" combine="choice">
+ <element name="client">
+ <attribute name="action">
+ <value>get</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="client_handle"/>
+ </element>
+ </define>
+ <define name="client_reply" combine="choice">
+ <element name="client">
+ <attribute name="action">
+ <value>get</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="client_handle"/>
+ <ref name="client_payload"/>
+ </element>
+ </define>
+ <define name="client_query" combine="choice">
+ <element name="client">
+ <attribute name="action">
+ <value>list</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ </element>
+ </define>
+ <define name="client_reply" combine="choice">
+ <element name="client">
+ <attribute name="action">
+ <value>list</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="client_handle"/>
+ <ref name="client_payload"/>
+ </element>
+ </define>
+ <define name="client_query" combine="choice">
+ <element name="client">
+ <attribute name="action">
+ <value>destroy</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="client_handle"/>
+ </element>
+ </define>
+ <define name="client_reply" combine="choice">
+ <element name="client">
+ <attribute name="action">
+ <value>destroy</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="client_handle"/>
+ </element>
+ </define>
+ <!-- <certificate/> element -->
+ <define name="certificate_query" combine="choice">
+ <element name="certificate">
+ <attribute name="action">
+ <value>publish</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="uri"/>
+ <ref name="base64"/>
+ </element>
+ </define>
+ <define name="certificate_reply" combine="choice">
+ <element name="certificate">
+ <attribute name="action">
+ <value>publish</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="uri"/>
+ </element>
+ </define>
+ <define name="certificate_query" combine="choice">
+ <element name="certificate">
+ <attribute name="action">
+ <value>withdraw</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="uri"/>
+ </element>
+ </define>
+ <define name="certificate_reply" combine="choice">
+ <element name="certificate">
+ <attribute name="action">
+ <value>withdraw</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="uri"/>
+ </element>
+ </define>
+ <!-- <crl/> element -->
+ <define name="crl_query" combine="choice">
+ <element name="crl">
+ <attribute name="action">
+ <value>publish</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="uri"/>
+ <ref name="base64"/>
+ </element>
+ </define>
+ <define name="crl_reply" combine="choice">
+ <element name="crl">
+ <attribute name="action">
+ <value>publish</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="uri"/>
+ </element>
+ </define>
+ <define name="crl_query" combine="choice">
+ <element name="crl">
+ <attribute name="action">
+ <value>withdraw</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="uri"/>
+ </element>
+ </define>
+ <define name="crl_reply" combine="choice">
+ <element name="crl">
+ <attribute name="action">
+ <value>withdraw</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="uri"/>
+ </element>
+ </define>
+ <!-- <manifest/> element -->
+ <define name="manifest_query" combine="choice">
+ <element name="manifest">
+ <attribute name="action">
+ <value>publish</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="uri"/>
+ <ref name="base64"/>
+ </element>
+ </define>
+ <define name="manifest_reply" combine="choice">
+ <element name="manifest">
+ <attribute name="action">
+ <value>publish</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="uri"/>
+ </element>
+ </define>
+ <define name="manifest_query" combine="choice">
+ <element name="manifest">
+ <attribute name="action">
+ <value>withdraw</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="uri"/>
+ </element>
+ </define>
+ <define name="manifest_reply" combine="choice">
+ <element name="manifest">
+ <attribute name="action">
+ <value>withdraw</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="uri"/>
+ </element>
+ </define>
+ <!-- <roa/> element -->
+ <define name="roa_query" combine="choice">
+ <element name="roa">
+ <attribute name="action">
+ <value>publish</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="uri"/>
+ <ref name="base64"/>
+ </element>
+ </define>
+ <define name="roa_reply" combine="choice">
+ <element name="roa">
+ <attribute name="action">
+ <value>publish</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="uri"/>
+ </element>
+ </define>
+ <define name="roa_query" combine="choice">
+ <element name="roa">
+ <attribute name="action">
+ <value>withdraw</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="uri"/>
+ </element>
+ </define>
+ <define name="roa_reply" combine="choice">
+ <element name="roa">
+ <attribute name="action">
+ <value>withdraw</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="uri"/>
+ </element>
+ </define>
+ <!-- <ghostbuster/> element -->
+ <define name="ghostbuster_query" combine="choice">
+ <element name="ghostbuster">
+ <attribute name="action">
+ <value>publish</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="uri"/>
+ <ref name="base64"/>
+ </element>
+ </define>
+ <define name="ghostbuster_reply" combine="choice">
+ <element name="ghostbuster">
+ <attribute name="action">
+ <value>publish</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="uri"/>
+ </element>
+ </define>
+ <define name="ghostbuster_query" combine="choice">
+ <element name="ghostbuster">
+ <attribute name="action">
+ <value>withdraw</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="uri"/>
+ </element>
+ </define>
+ <define name="ghostbuster_reply" combine="choice">
+ <element name="ghostbuster">
+ <attribute name="action">
+ <value>withdraw</value>
+ </attribute>
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <ref name="uri"/>
+ </element>
+ </define>
+ <!-- <report_error/> element -->
+ <define name="error">
+ <data type="token">
+ <param name="maxLength">1024</param>
+ </data>
+ </define>
+ <define name="report_error_reply">
+ <element name="report_error">
+ <optional>
+ <ref name="tag"/>
+ </optional>
+ <attribute name="error_code">
+ <ref name="error"/>
+ </attribute>
+ <optional>
+ <data type="string">
+ <param name="maxLength">512000</param>
+ </data>
+ </optional>
+ </element>
+ </define>
+</grammar>
+<!--
+ Local Variables:
+ indent-tabs-mode: nil
+ comment-start: "# "
+ comment-start-skip: "#[ \t]*"
+ End:
+-->
diff --git a/schemas/relaxng/router-certificate-schema.rnc b/schemas/relaxng/router-certificate-schema.rnc
new file mode 100644
index 00000000..8cc325ce
--- /dev/null
+++ b/schemas/relaxng/router-certificate-schema.rnc
@@ -0,0 +1,61 @@
+# $Id$
+#
+# RelaxNG schema for BGPSEC router certificate interchange format.
+#
+# At least for now, this is a trivial encapsulation of a PKCS #10
+# request, a set (usually containing exactly one member) of autonomous
+# system numbers, and a router-id. Be warned that this could change
+# radically by the time we have any real operational understanding of
+# how these things will be used, this is just our current best guess
+# to let us move forward on initial coding.
+#
+# Copyright (C) 2014 Dragon Research Labs ("DRL")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND DRL DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL DRL BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+default namespace = "http://www.hactrn.net/uris/rpki/router-certificate/"
+
+version = "1"
+base64 = xsd:base64Binary { maxLength="512000" }
+router_id = xsd:unsignedInt
+asn_list = xsd:string { maxLength="512000" pattern="[0-9][\-,0-9]*" }
+timestamp = xsd:dateTime { pattern=".*Z" }
+
+# Core payload used in this schema.
+
+payload = (
+ attribute router_id { router_id },
+ attribute asn { asn_list },
+ attribute valid_until { timestamp }?,
+ base64
+)
+
+# We allow two forms, one with a wrapper to allow multiple requests in
+# a single file, one without for brevity; the version attribute goes
+# in the outermost element in either case.
+
+start |= element router_certificate_request {
+ attribute version { version },
+ payload
+}
+
+start |= element router_certificate_requests {
+ attribute version { version },
+ element router_certificate_request { payload }*
+}
+
+# Local Variables:
+# indent-tabs-mode: nil
+# comment-start: "# "
+# comment-start-skip: "#[ \t]*"
+# End:
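Review bot: The `asn_list` pattern `[0-9][\-,0-9]*` constrains only the character set, so values like `1-`, `1,,2` or an ASN above 4294967295 still validate; nothing in this schema bounds ASN values to 32 bits or checks that a range's low end precedes its high end. Since the commit only moves the file I would not change the datatype here, but a comment on that line would keep a consumer from assuming the schema does that work: `# NB: pattern is syntactic only; ASN bounds (0..4294967295) and range ordering must be checked by the consumer.` The same split applies to `base64`, which bounds length but says nothing about the content being the PKCS #10 request the header describes.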
diff --git a/schemas/relaxng/router-certificate-schema.rng b/schemas/relaxng/router-certificate-schema.rng
new file mode 100644
index 00000000..d8be9eda
--- /dev/null
+++ b/schemas/relaxng/router-certificate-schema.rng
@@ -0,0 +1,98 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ $Id: router-certificate-schema.rnc 5753 2014-04-05 19:24:26Z sra $
+
+ RelaxNG schema for BGPSEC router certificate interchange format.
+
+ At least for now, this is a trivial encapsulation of a PKCS #10
+ request, a set (usually containing exactly one member) of autonomous
+ system numbers, and a router-id. Be warned that this could change
+ radically by the time we have any real operational understanding of
+ how these things will be used, this is just our current best guess
+ to let us move forward on initial coding.
+
+ Copyright (C) 2014 Dragon Research Labs ("DRL")
+
+ Permission to use, copy, modify, and distribute this software for any
+ purpose with or without fee is hereby granted, provided that the above
+ copyright notice and this permission notice appear in all copies.
+
+ THE SOFTWARE IS PROVIDED "AS IS" AND DRL DISCLAIMS ALL WARRANTIES WITH
+ REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS. IN NO EVENT SHALL DRL BE LIABLE FOR ANY SPECIAL, DIRECT,
+ INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ PERFORMANCE OF THIS SOFTWARE.
+-->
+<grammar ns="http://www.hactrn.net/uris/rpki/router-certificate/" xmlns="http://relaxng.org/ns/structure/1.0" datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes">
+ <define name="version">
+ <value>1</value>
+ </define>
+ <define name="base64">
+ <data type="base64Binary">
+ <param name="maxLength">512000</param>
+ </data>
+ </define>
+ <define name="router_id">
+ <data type="unsignedInt"/>
+ </define>
+ <define name="asn_list">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[0-9][\-,0-9]*</param>
+ </data>
+ </define>
+ <define name="timestamp">
+ <data type="dateTime">
+ <param name="pattern">.*Z</param>
+ </data>
+ </define>
+ <!-- Core payload used in this schema. -->
+ <define name="payload">
+ <attribute name="router_id">
+ <ref name="router_id"/>
+ </attribute>
+ <attribute name="asn">
+ <ref name="asn_list"/>
+ </attribute>
+ <optional>
+ <attribute name="valid_until">
+ <ref name="timestamp"/>
+ </attribute>
+ </optional>
+ <ref name="base64"/>
+ </define>
+ <!--
+ We allow two forms, one with a wrapper to allow multiple requests in
+ a single file, one without for brevity; the version attribute goes
+ in the outermost element in either case.
+ -->
+ <start combine="choice">
+ <element name="router_certificate_request">
+ <attribute name="version">
+ <ref name="version"/>
+ </attribute>
+ <ref name="payload"/>
+ </element>
+ </start>
+ <start combine="choice">
+ <element name="router_certificate_requests">
+ <attribute name="version">
+ <ref name="version"/>
+ </attribute>
+ <zeroOrMore>
+ <element name="router_certificate_request">
+ <ref name="payload"/>
+ </element>
+ </zeroOrMore>
+ </element>
+ </start>
+</grammar>
+<!--
+ Local Variables:
+ indent-tabs-mode: nil
+ comment-start: "# "
+ comment-start-skip: "#[ \t]*"
+ End:
+-->
diff --git a/schemas/relaxng/up-down-schema.rnc b/schemas/relaxng/up-down-schema.rnc
new file mode 100644
index 00000000..a603b8fe
--- /dev/null
+++ b/schemas/relaxng/up-down-schema.rnc
@@ -0,0 +1,113 @@
+# $Id$
+#
+# RelaxNG schema for the up-down protocol, extracted from RFC 6492.
+#
+# Copyright (c) 2012 IETF Trust and the persons identified as authors
+# of the code. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in
+# the documentation and/or other materials provided with the
+# distribution.
+#
+# * Neither the name of Internet Society, IETF or IETF Trust, nor the
+# names of specific contributors, may be used to endorse or promote
+# products derived from this software without specific prior written
+# permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+
+default namespace = "http://www.apnic.net/specs/rescerts/up-down/"
+
+grammar {
+ resource_set_as = xsd:string { maxLength="512000" pattern="[\-,0-9]*" }
+ resource_set_ip4 = xsd:string { maxLength="512000" pattern="[\-,/.0-9]*" }
+ resource_set_ip6 = xsd:string { maxLength="512000" pattern="[\-,/:0-9a-fA-F]*" }
+
+ class_name = xsd:token { minLength="1" maxLength="1024" }
+ ski = xsd:token { minLength="27" maxLength="1024" }
+ label = xsd:token { minLength="1" maxLength="1024" }
+ cert_url = xsd:string { minLength="10" maxLength="4096" }
+ base64_binary = xsd:base64Binary { minLength="4" maxLength="512000" }
+
+ start = element message {
+ attribute version { xsd:positiveInteger { maxInclusive="1" } },
+ attribute sender { label },
+ attribute recipient { label },
+ payload
+ }
+
+ payload |= attribute type { "list" }, list_request
+ payload |= attribute type { "list_response"}, list_response
+ payload |= attribute type { "issue" }, issue_request
+ payload |= attribute type { "issue_response"}, issue_response
+ payload |= attribute type { "revoke" }, revoke_request
+ payload |= attribute type { "revoke_response"}, revoke_response
+ payload |= attribute type { "error_response"}, error_response
+
+ list_request = empty
+ list_response = class*
+
+ class = element class {
+ attribute class_name { class_name },
+ attribute cert_url { cert_url },
+ attribute resource_set_as { resource_set_as },
+ attribute resource_set_ipv4 { resource_set_ip4 },
+ attribute resource_set_ipv6 { resource_set_ip6 },
+ attribute resource_set_notafter { xsd:dateTime },
+ attribute suggested_sia_head { xsd:anyURI { maxLength="1024" pattern="rsync://.+"} }?,
+ element certificate {
+ attribute cert_url { cert_url },
+ attribute req_resource_set_as { resource_set_as }?,
+ attribute req_resource_set_ipv4 { resource_set_ip4 }?,
+ attribute req_resource_set_ipv6 { resource_set_ip6 }?,
+ base64_binary
+ }*,
+ element issuer { base64_binary }
+ }
+
+ issue_request = element request {
+ attribute class_name { class_name },
+ attribute req_resource_set_as { resource_set_as }?,
+ attribute req_resource_set_ipv4 { resource_set_ip4 }?,
+ attribute req_resource_set_ipv6 { resource_set_ip6 }?,
+ base64_binary
+ }
+ issue_response = class
+
+ revoke_request = revocation
+ revoke_response = revocation
+
+ revocation = element key {
+ attribute class_name { class_name },
+ attribute ski { ski }
+ }
+
+ error_response =
+ element status { xsd:positiveInteger { maxInclusive="9999" } },
+ element description { attribute xml:lang { xsd:language }, xsd:string { maxLength="1024" } }*
+}
+
+# Local Variables:
+# indent-tabs-mode: nil
+# comment-start: "# "
+# comment-start-skip: "#[ \t]*"
+# End:
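Review bot: `cert_url = xsd:string { minLength="10" maxLength="4096" }` accepts any string, while `suggested_sia_head` a few lines below is pinned to `rsync://.+`, so a class or certificate element's cert_url passes validation with any scheme or none at all. Given the header marks this as extracted from RFC 6492, the definition should presumably stay as written, but whatever fetches or stores cert_url then has to validate the scheme and URI form itself rather than rely on schema validation. A comment on that line would make the division explicit: `# cert_url is deliberately loose (RFC 6492 form); scheme and URI checks belong in the consumer.` Likewise the three `resource_set_*` patterns accept the empty string and any arrangement of the listed punctuation, so the numeric range parser still has to reject malformed sets.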
diff --git a/schemas/relaxng/up-down-schema.rng b/schemas/relaxng/up-down-schema.rng
new file mode 100644
index 00000000..5368fa65
--- /dev/null
+++ b/schemas/relaxng/up-down-schema.rng
@@ -0,0 +1,277 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ $Id: up-down-schema.rnc 5753 2014-04-05 19:24:26Z sra $
+
+ RelaxNG schema for the up-down protocol, extracted from RFC 6492.
+
+ Copyright (c) 2012 IETF Trust and the persons identified as authors
+ of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in
+ the documentation and/or other materials provided with the
+ distribution.
+
+ * Neither the name of Internet Society, IETF or IETF Trust, nor the
+ names of specific contributors, may be used to endorse or promote
+ products derived from this software without specific prior written
+ permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+-->
+<grammar ns="http://www.apnic.net/specs/rescerts/up-down/" xmlns="http://relaxng.org/ns/structure/1.0" datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes">
+ <define name="resource_set_as">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[\-,0-9]*</param>
+ </data>
+ </define>
+ <define name="resource_set_ip4">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[\-,/.0-9]*</param>
+ </data>
+ </define>
+ <define name="resource_set_ip6">
+ <data type="string">
+ <param name="maxLength">512000</param>
+ <param name="pattern">[\-,/:0-9a-fA-F]*</param>
+ </data>
+ </define>
+ <define name="class_name">
+ <data type="token">
+ <param name="minLength">1</param>
+ <param name="maxLength">1024</param>
+ </data>
+ </define>
+ <define name="ski">
+ <data type="token">
+ <param name="minLength">27</param>
+ <param name="maxLength">1024</param>
+ </data>
+ </define>
+ <define name="label">
+ <data type="token">
+ <param name="minLength">1</param>
+ <param name="maxLength">1024</param>
+ </data>
+ </define>
+ <define name="cert_url">
+ <data type="string">
+ <param name="minLength">10</param>
+ <param name="maxLength">4096</param>
+ </data>
+ </define>
+ <define name="base64_binary">
+ <data type="base64Binary">
+ <param name="minLength">4</param>
+ <param name="maxLength">512000</param>
+ </data>
+ </define>
+ <start>
+ <element name="message">
+ <attribute name="version">
+ <data type="positiveInteger">
+ <param name="maxInclusive">1</param>
+ </data>
+ </attribute>
+ <attribute name="sender">
+ <ref name="label"/>
+ </attribute>
+ <attribute name="recipient">
+ <ref name="label"/>
+ </attribute>
+ <ref name="payload"/>
+ </element>
+ </start>
+ <define name="payload" combine="choice">
+ <attribute name="type">
+ <value>list</value>
+ </attribute>
+ <ref name="list_request"/>
+ </define>
+ <define name="payload" combine="choice">
+ <attribute name="type">
+ <value>list_response</value>
+ </attribute>
+ <ref name="list_response"/>
+ </define>
+ <define name="payload" combine="choice">
+ <attribute name="type">
+ <value>issue</value>
+ </attribute>
+ <ref name="issue_request"/>
+ </define>
+ <define name="payload" combine="choice">
+ <attribute name="type">
+ <value>issue_response</value>
+ </attribute>
+ <ref name="issue_response"/>
+ </define>
+ <define name="payload" combine="choice">
+ <attribute name="type">
+ <value>revoke</value>
+ </attribute>
+ <ref name="revoke_request"/>
+ </define>
+ <define name="payload" combine="choice">
+ <attribute name="type">
+ <value>revoke_response</value>
+ </attribute>
+ <ref name="revoke_response"/>
+ </define>
+ <define name="payload" combine="choice">
+ <attribute name="type">
+ <value>error_response</value>
+ </attribute>
+ <ref name="error_response"/>
+ </define>
+ <define name="list_request">
+ <empty/>
+ </define>
+ <define name="list_response">
+ <zeroOrMore>
+ <ref name="class"/>
+ </zeroOrMore>
+ </define>
+ <define name="class">
+ <element name="class">
+ <attribute name="class_name">
+ <ref name="class_name"/>
+ </attribute>
+ <attribute name="cert_url">
+ <ref name="cert_url"/>
+ </attribute>
+ <attribute name="resource_set_as">
+ <ref name="resource_set_as"/>
+ </attribute>
+ <attribute name="resource_set_ipv4">
+ <ref name="resource_set_ip4"/>
+ </attribute>
+ <attribute name="resource_set_ipv6">
+ <ref name="resource_set_ip6"/>
+ </attribute>
+ <attribute name="resource_set_notafter">
+ <data type="dateTime"/>
+ </attribute>
+ <optional>
+ <attribute name="suggested_sia_head">
+ <data type="anyURI">
+ <param name="maxLength">1024</param>
+ <param name="pattern">rsync://.+</param>
+ </data>
+ </attribute>
+ </optional>
+ <zeroOrMore>
+ <element name="certificate">
+ <attribute name="cert_url">
+ <ref name="cert_url"/>
+ </attribute>
+ <optional>
+ <attribute name="req_resource_set_as">
+ <ref name="resource_set_as"/>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="req_resource_set_ipv4">
+ <ref name="resource_set_ip4"/>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="req_resource_set_ipv6">
+ <ref name="resource_set_ip6"/>
+ </attribute>
+ </optional>
+ <ref name="base64_binary"/>
+ </element>
+ </zeroOrMore>
+ <element name="issuer">
+ <ref name="base64_binary"/>
+ </element>
+ </element>
+ </define>
+ <define name="issue_request">
+ <element name="request">
+ <attribute name="class_name">
+ <ref name="class_name"/>
+ </attribute>
+ <optional>
+ <attribute name="req_resource_set_as">
+ <ref name="resource_set_as"/>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="req_resource_set_ipv4">
+ <ref name="resource_set_ip4"/>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="req_resource_set_ipv6">
+ <ref name="resource_set_ip6"/>
+ </attribute>
+ </optional>
+ <ref name="base64_binary"/>
+ </element>
+ </define>
+ <define name="issue_response">
+ <ref name="class"/>
+ </define>
+ <define name="revoke_request">
+ <ref name="revocation"/>
+ </define>
+ <define name="revoke_response">
+ <ref name="revocation"/>
+ </define>
+ <define name="revocation">
+ <element name="key">
+ <attribute name="class_name">
+ <ref name="class_name"/>
+ </attribute>
+ <attribute name="ski">
+ <ref name="ski"/>
+ </attribute>
+ </element>
+ </define>
+ <define name="error_response">
+ <element name="status">
+ <data type="positiveInteger">
+ <param name="maxInclusive">9999</param>
+ </data>
+ </element>
+ <zeroOrMore>
+ <element name="description">
+ <attribute name="xml:lang">
+ <data type="language"/>
+ </attribute>
+ <data type="string">
+ <param name="maxLength">1024</param>
+ </data>
+ </element>
+ </zeroOrMore>
+ </define>
+</grammar>
+<!--
+ Local Variables:
+ indent-tabs-mode: nil
+ comment-start: "# "
+ comment-start-skip: "#[ \t]*"
+ End:
+-->