From: Peter van Dijk Date: Thu, 28 May 2015 16:56:51 +0000 (+0200) Subject: snap X-Git-Tag: dnsdist-1.0.0-alpha1~248^2~58^2~21^2~5^2~74 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=561434a6d4cdfbf6fc18c6c7e4a4f23c6944c8c3;p=thirdparty%2Fpdns.git snap --- diff --git a/pdns/dnsbackend.cc b/pdns/dnsbackend.cc index 09e9b8afc8..3f4b1b06bd 100644 --- a/pdns/dnsbackend.cc +++ b/pdns/dnsbackend.cc @@ -279,13 +279,19 @@ bool DNSBackend::getSOA(const DNSName &domain, SOAData &sd, DNSPacket *p) bool DNSBackend::getBeforeAndAfterNames(uint32_t id, const DNSName& zonename, const DNSName& qname, DNSName& before, DNSName& after) { + // FIXME FIXME FIXME // string lcqname=toLower(qname); FIXME tolower? // string lczonename=toLower(zonename); FIXME tolower? // lcqname=makeRelative(lcqname, lczonename); // lcqname=labelReverse(lcqname); DNSName dnc; - bool ret = this->getBeforeAndAfterNamesAbsolute(id, qname, dnc, before, after); + string sbefore, safter; + sbefore = before.toString(); + safter = after.toString(); + bool ret = this->getBeforeAndAfterNamesAbsolute(id, qname, dnc, sbefore, safter); + before = DNSName(sbefore); + after = DNSName(safter); // before=dotConcat(labelReverse(before), lczonename); FIXME // after=dotConcat(labelReverse(after), lczonename); FIXME diff --git a/pdns/dnsbackend.hh b/pdns/dnsbackend.hh index 6336bb484b..5d37315803 100644 --- a/pdns/dnsbackend.hh +++ b/pdns/dnsbackend.hh @@ -184,7 +184,7 @@ public: virtual bool deleteTSIGKey(const DNSName& name) { return false; } virtual bool getTSIGKeys(std::vector< struct TSIGKey > &keys) { return false; } - virtual bool getBeforeAndAfterNamesAbsolute(uint32_t id, const DNSName& qname, DNSName& unhashed, DNSName& before, DNSName& after) + virtual bool getBeforeAndAfterNamesAbsolute(uint32_t id, const DNSName& qname, DNSName& unhashed, string& before, string& after) { std::cerr<<"Default beforeAndAfterAbsolute called!"< #include // #include "dns.hh" +#include "logger.hh" // #include 
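Review bot: In getBeforeAndAfterNames the results are converted with `before = DNSName(sbefore); after = DNSName(safter);` even when getBeforeAndAfterNamesAbsolute returned false, so whatever the backend left in the strings is parsed as a name. The DNSName header touched by this same commit says every name must be dot-terminated or it is an error, so a backend that hands back relative or empty strings would presumably fail in the constructor instead of reporting `ret`. Guarding the conversion with `if(ret) { before = DNSName(sbefore); after = DNSName(safter); }` leaves the out-parameters untouched on failure. `zonename` is also unused while the makeRelative/labelReverse steps stay commented out; the `FIXME FIXME FIXME` should say so, because addNSEC passes these names to emitNSEC for denial of existence. The function body ends outside the hunk.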
@@ -20,6 +21,7 @@ NOTE: For now, everything MUST be . terminated, otherwise it is an error */ + class DNSName { public: @@ -39,6 +41,8 @@ public: std::vector getRawLabels() const; //!< Individual raw unescaped labels bool chopOff(); //!< Turn www.powerdns.com. into powerdns.com., returns false for . unsigned int countLabels() const; + bool empty() const { return countLabels()==0; } // FIXME remove me? + void clear() { trimToLabels(0); } // FIXME remove me? void trimToLabels(unsigned int); DNSName& operator+=(const DNSName& rhs) { diff --git a/pdns/dnsparser.cc b/pdns/dnsparser.cc index 6815220ffc..d533771597 100644 --- a/pdns/dnsparser.cc +++ b/pdns/dnsparser.cc @@ -47,7 +47,7 @@ public: const string& relevant=(parts.size() > 2) ? parts[2] : ""; unsigned int total=atoi(parts[1].c_str()); if(relevant.size()!=2*total) - throw MOADNSException((boost::format("invalid unknown record length for label %s: size not equal to length field (%d != %d)") % d_dr.d_label.c_str() % relevant.size() % (2*total)).str()); + throw MOADNSException((boost::format("invalid unknown record length for label %s: size not equal to length field (%d != %d)") % d_dr.d_label.toString() % relevant.size() % (2*total)).str()); string out; out.reserve(total+1); for(unsigned int n=0; n < total; ++n) { @@ -99,7 +99,7 @@ static const string EncodeDNSLabel(const DNSName& input) } -shared_ptr DNSRecordContent::unserialize(const string& qname, uint16_t qtype, const string& serialized) +shared_ptr DNSRecordContent::unserialize(const DNSName& qname, uint16_t qtype, const string& serialized) { dnsheader dnsheader; memset(&dnsheader, 0, sizeof(dnsheader)); diff --git a/pdns/dnsparser.hh b/pdns/dnsparser.hh index f097126bdc..814740cc62 100644 --- a/pdns/dnsparser.hh +++ b/pdns/dnsparser.hh 
@@ -185,11 +185,11 @@ public: return record; } - static shared_ptr unserialize(const string& qname, uint16_t qtype, const string& serialized); + static shared_ptr unserialize(const DNSName& qname, uint16_t qtype, const string& serialized); void doRecordCheck(const struct DNSRecord&){} - std::string label; + DNSName label; // FIXME rename struct dnsrecordheader header; typedef DNSRecordContent* makerfunc_t(const struct DNSRecord& dr, PacketReader& pr); @@ -262,7 +262,7 @@ protected: struct DNSRecord { - std::string d_label; + DNSName d_label; //FIXME rename uint16_t d_type; uint16_t d_class; uint32_t d_ttl; @@ -278,8 +278,8 @@ struct DNSRecord if(rhs.d_content) rzrp=toLower(rhs.d_content->getZoneRepresentation()); - string llabel=toLower(d_label); - string rlabel=toLower(rhs.d_label); + string llabel=toLower(d_label.toString()); //FIXME + string rlabel=toLower(rhs.d_label.toString()); //FIXME return tie(llabel, d_type, d_class, lzrp) < @@ -294,8 +294,8 @@ struct DNSRecord if(rhs.d_content) rzrp=toLower(rhs.d_content->getZoneRepresentation()); - string llabel=toLower(d_label); - string rlabel=toLower(rhs.d_label); + string llabel=toLower(d_label.toString()); //FIXME + string rlabel=toLower(rhs.d_label.toString()); //FIXME return tie(llabel, d_type, d_class, lzrp) == @@ -320,7 +320,7 @@ public: } dnsheader d_header; - string d_qname; + DNSName d_qname; uint16_t d_qclass, d_qtype; //uint8_t d_rcode; diff --git a/pdns/dnsproxy.cc b/pdns/dnsproxy.cc index 65a7845797..3987e42cf2 100644 --- a/pdns/dnsproxy.cc +++ b/pdns/dnsproxy.cc @@ -126,7 +126,7 @@ bool DNSProxy::sendPacket(DNSPacket *p) } //! look up qname aname with r->qtype, plonk it in the answer section of 'r' with name target -bool DNSProxy::completePacket(DNSPacket *r, const std::string& target,const std::string& aname) +bool DNSProxy::completePacket(DNSPacket *r, const DNSName& target,const DNSName& aname) { uint16_t id; { 
@@ -139,7 +139,7 @@ bool DNSProxy::completePacket(DNSPacket *r, const std::string& target,const std: ce.outsock = r->getSocket(); ce.created = time( NULL ); ce.qtype = r->qtype.getCode(); - ce.qname = stripDot(target); + ce.qname = target; ce.anyLocal = r->d_anyLocal; ce.complete = r; ce.aname=aname; diff --git a/pdns/dnsproxy.hh b/pdns/dnsproxy.hh index 94510d4727..fc103f562a 100644 --- a/pdns/dnsproxy.hh +++ b/pdns/dnsproxy.hh @@ -55,7 +55,7 @@ public: void go(); //!< launches the actual thread void onlyFrom(const string &ips); //!< Only these netmasks are allowed to recurse via us bool sendPacket(DNSPacket *p); //!< send out a packet and make a conntrack entry to we can send back the answer - bool completePacket(DNSPacket *r, const std::string& target,const std::string& aname); + bool completePacket(DNSPacket *r, const DNSName& target,const DNSName& aname); void mainloop(); //!< this is the main loop that receives reply packets and sends them out again static void *launchhelper(void *p) @@ -82,7 +82,7 @@ private: DNSName qname; uint16_t qtype; DNSPacket* complete; - string aname; + DNSName aname; boost::optional anyLocal; }; diff --git a/pdns/dnssecinfra.cc b/pdns/dnssecinfra.cc index 36d7bcc36e..7b9d1e6dbe 100644 --- a/pdns/dnssecinfra.cc +++ b/pdns/dnssecinfra.cc @@ -285,7 +285,7 @@ bool sharedDNSSECCompare(const shared_ptr& a, const shared_ptr return a->serialize("", true, true) < b->serialize("", true, true); } -string getMessageForRRSET(const std::string& qname, const RRSIGRecordContent& rrc, vector >& signRecords) +string getMessageForRRSET(const DNSName& qname, const RRSIGRecordContent& rrc, vector >& signRecords) { sort(signRecords.begin(), signRecords.end(), sharedDNSSECCompare); 
@@ -294,7 +294,7 @@ string getMessageForRRSET(const std::string& qname, const RRSIGRecordContent& rr toHash.resize(toHash.size() - rrc.d_signature.length()); // chop off the end, don't sign the signature! BOOST_FOREACH(shared_ptr& add, signRecords) { - toHash.append(toLower(simpleCompress(qname, ""))); + toHash.append(qname.toDNSString()); // FIXME tolower? uint16_t tmp=htons(rrc.d_type); toHash.append((char*)&tmp, 2); tmp=htons(1); // class @@ -310,10 +310,10 @@ string getMessageForRRSET(const std::string& qname, const RRSIGRecordContent& rr return toHash; } -DSRecordContent makeDSFromDNSKey(const std::string& qname, const DNSKEYRecordContent& drc, int digest) +DSRecordContent makeDSFromDNSKey(const DNSName& qname, const DNSKEYRecordContent& drc, int digest) { string toHash; - toHash.assign(toLower(simpleCompress(qname))); + toHash.assign(qname.toDNSString()); // FIXME tolower? toHash.append(const_cast(drc).serialize("", true, true)); DSRecordContent dsrc; diff --git a/pdns/dnssecinfra.hh b/pdns/dnssecinfra.hh index 390146c558..4633e01b1c 100644 --- a/pdns/dnssecinfra.hh +++ b/pdns/dnssecinfra.hh @@ -126,7 +126,7 @@ int getRRSIGsForRRSET(DNSSECKeeper& dk, const DNSName& signer, const DNSName sig std::string hashQNameWithSalt(unsigned int times, const std::string& salt, const DNSName& qname); void decodeDERIntegerSequence(const std::string& input, vector& output); class DNSPacket; -void addRRSigs(DNSSECKeeper& dk, UeberBackend& db, const std::set& authMap, vector& rrs); +void addRRSigs(DNSSECKeeper& dk, UeberBackend& db, const std::set& authMap, vector& rrs); string calculateMD5HMAC(const std::string& key, const std::string& text); diff --git a/pdns/dnssecsigner.cc b/pdns/dnssecsigner.cc index e5fb527c80..0a3a0bb0b5 100644 --- a/pdns/dnssecsigner.cc +++ b/pdns/dnssecsigner.cc 
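Review bot: Dropping `toLower` in getMessageForRRSET changes the bytes that get signed: the new `toHash.append(qname.toDNSString()); // FIXME tolower?` only yields the canonical (lowercased) owner name that RFC 4034 requires if toDNSString() already folds case, which this diff does not show. An owner name carrying uppercase letters would then produce RRSIGs that validators reject, which looks like a zone outage rather than a signing bug. Keeping the fold until DNSName offers a canonical form is one line, `toHash.append(toLower(qname.toDNSString()));`. The same applies to `toHash.assign(qname.toDNSString());` in makeDSFromDNSKey in the next hunk, since the DS digest is also computed over the canonical owner name. Both function bodies continue outside their hunks.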
@@ -139,7 +139,7 @@ uint64_t signatureCacheSize(const std::string& str) return g_signatures.size(); } -void fillOutRRSIG(DNSSECPrivateKey& dpk, const std::string& signQName, RRSIGRecordContent& rrc, vector >& toSign) +void fillOutRRSIG(DNSSECPrivateKey& dpk, const DNSName& signQName, RRSIGRecordContent& rrc, vector >& toSign) { if(!g_signatureCount) g_signatureCount = S.getPointer("signatures"); diff --git a/pdns/misc.hh b/pdns/misc.hh index 90718d9cc7..e77f051c47 100644 --- a/pdns/misc.hh +++ b/pdns/misc.hh @@ -513,6 +513,7 @@ inline string toCanonic(const string& zone, const string& domain) } string stripDot(const string& dom); + void seedRandom(const string& source); string makeRelative(const std::string& fqdn, const std::string& zone); string labelReverse(const std::string& qname); diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc index 991a64c31f..f56f256182 100644 --- a/pdns/packethandler.cc +++ b/pdns/packethandler.cc @@ -253,7 +253,7 @@ vector PacketHandler::getBestDNAMESynth(DNSPacket *p, SOAData { vector ret; DNSResourceRecord rr; - string prefix; + DNSName prefix; DNSName subdomain(target); do { DLOG(L<<"Attempting DNAME lookup for "<addRecord(rr); } -void PacketHandler::emitNSEC3(const NSEC3PARAMRecordContent& ns3prc, const SOAData& sd, const DNSName& unhashed, const DNSName& begin, const DNSName& end, const DNSName& toNSEC3, DNSPacket *r, int mode) +void PacketHandler::emitNSEC3(const NSEC3PARAMRecordContent& ns3prc, const SOAData& sd, const DNSName& unhashed, const string& begin, const string& end, /* FIXME unused */ const DNSName& toNSEC3, DNSPacket *r, int mode) { ::emitNSEC3(B, ns3prc, sd, unhashed, begin, end, toNSEC3, r, mode); 
@@ -473,7 +472,7 @@ void PacketHandler::addNSECX(DNSPacket *p, DNSPacket *r, const DNSName& target, return; NSEC3PARAMRecordContent ns3rc; - // cerr<<"Doing NSEC3PARAM lookup for '"<qdomain<<"|"<qtype.getName()<<": "; + // cerr<<"Doing NSEC3PARAM lookup for '"<qdomain.toString()<<"|"<qtype.getName()<<": "; bool narrow; if(d_dk.getNSEC3PARAM(auth, &ns3rc, &narrow)) { // cerr<<"Present, narrow="<= 2 && mode <= 4) || doNextcloser) { - string next(target); + DNSName next(target); do { unhashed=next; } - while( chopOff( next ) && !pdns_iequals(next, closest)); + while( next.chopOff() && !pdns_iequals(next, closest)); hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed); - DLOG(L<<"2 hash: "<addRecord(rr); + // } else if(!before.empty()) + // r->addRecord(rr); } // wildcard denial if (mode == 2 || mode == 4) { - unhashed=dotConcat("*", closest); + unhashed=DNSName("*")+closest; hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed); - DLOG(L<<"3 hash: "<addRecord(rr); + // } else if(!before.empty()) + // r->addRecord(rr); } } -void PacketHandler::addNSEC(DNSPacket *p, DNSPacket *r, const string& target, const string& wildcard, const string& auth, int mode) +void PacketHandler::addNSEC(DNSPacket *p, DNSPacket *r, const DNSName& target, const DNSName& wildcard, const DNSName& auth, int mode) { - DLOG(L<<"addNSEC() mode="<getBeforeAndAfterNames(sd.domain_id, auth, closest, before, after); emitNSEC(before, after, target, sd, r, mode); } else if(rr.auth) 
@@ -725,10 +724,10 @@ int PacketHandler::trySuperMasterSynchronous(DNSPacket *p) Resolver resolver; uint32_t theirserial; resolver.getSoaSerial(p->getRemote(),p->qdomain, &theirserial); - resolver.resolve(p->getRemote(), p->qdomain.c_str(), QType::NS, &nsset); + resolver.resolve(p->getRemote(), p->qdomain, QType::NS, &nsset); } catch(ResolverException &re) { - L<qdomain<<" at: "<< p->getRemote() <<": "<qdomain.toString()<<" at: "<< p->getRemote() <<": "<qdomain<<" at: "<< p->getRemote()<qdomain.toString()<<" at: "<< p->getRemote()<getRemote(), p->qdomain, nsset, &nameserver, &account, &db)) { - L<qdomain<<" for potential supermaster "<getRemote()<<". Remote nameservers: "<qdomain.toString()<<" for potential supermaster "<getRemote()<<". Remote nameservers: "<createSlaveDomain(p->getRemote(), p->qdomain, nameserver, account); } catch(PDNSException& ae) { - L<qdomain<<" for potential supermaster "<getRemote()<<": "<qdomain.toString()<<" for potential supermaster "<getRemote()<<": "<qdomain<<"' from supermaster "<getRemote()<qdomain.toString()<<"' from supermaster "<getRemote()< do stuff */ if(!::arg().mustDo("slave")) { - L<qdomain<<" from "<getRemote()<<" but slave support is disabled in the configuration"<qdomain.toString()<<" from "<getRemote()<<" but slave support is disabled in the configuration"<d_remote )) { - L<qdomain<<" from "<getRemote()<<" but remote is not in allow-notify-from"<qdomain.toString()<<" from "<getRemote()<<" but remote is not in allow-notify-from"<qdomain, di) || !(db=di.backend)) { - L<qdomain<<" from "<getRemote()<<" for which we are not authoritative"<qdomain.toString()<<" from "<getRemote()<<" for which we are not authoritative"<getRemote())) { - L<qdomain<<" from trusted-notification-proxy "<< p->getRemote()<qdomain.toString()<<" from trusted-notification-proxy "<< p->getRemote()<qdomain<<" does not have any masters defined"<qdomain.toString()<<" does not have any masters defined"<isMaster(p->qdomain, p->getRemote())) { - L<qdomain<<" 
from "<getRemote()<<" which is not a master"<qdomain.toString()<<" from "<getRemote()<<" which is not a master"<qdomain+"/"+p->qtype.getName()); + S.ringAccount("noerror-queries",p->qdomain.toString()+"/"+p->qtype.getName()); } @@ -939,7 +938,7 @@ bool PacketHandler::tryReferral(DNSPacket *p, DNSPacket*r, SOAData& sd, const DN if(rrset.empty()) return false; - DLOG(L<<"The best NS is: "<qname<qname.toString()< rrset; if(!getBestWildcard(p, sd, target, wildcard, &rrset)) @@ -998,7 +997,7 @@ bool PacketHandler::tryWildcard(DNSPacket *p, DNSPacket*r, SOAData& sd, DNSName nodata=true; } else { - DLOG(L<<"The best wildcard match: "<qname<qname.toString()< authSet; vector rrset; bool weDone=0, weRedirected=0, weHaveUnauth=0; - string haveAlias; + DNSName haveAlias; DNSPacket *r=0; bool noCache=false; @@ -1082,15 +1081,15 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse) // XXX FIXME do this in DNSPacket::parse ? - if(!validDNSName(p->qdomain)) { - if(d_logDNSDetails) - L<getRemote()<<", '"<qdomain<<"': sending servfail"<d_remote); - S.inc("servfail-packets"); - r->setRcode(RCode::ServFail); - return r; - } + // if(!validDNSName(p->qdomain)) { + // if(d_logDNSDetails) + // L<getRemote()<<", '"<qdomain.toString()<<"': sending servfail"<d_remote); + // S.inc("servfail-packets"); + // r->setRcode(RCode::ServFail); + // return r; + // } if(p->d.opcode) { // non-zero opcode (again thanks RA!) if(p->d.opcode==Opcode::Update) { S.inc("dnsupdate-queries"); 
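Review bot: Commenting out the `if(!validDNSName(p->qdomain))` block in questionOrRecurse removes the only rejection of malformed query names visible on this path before the name reaches B.getAuth and the backends, and nothing in this diff shows an equivalent check elsewhere. The existing `XXX FIXME do this in DNSPacket::parse ?` suggests the check is meant to move, but until it does the ServFail path should stay live, for example `if(!validDNSName(p->qdomain.toString())) {` if that helper still takes a string. If DNSName construction from the wire is intended to enforce the same constraints, replace the dead block with a comment that says so and names the constraints. The function starts and ends outside the hunk.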
@@ -1115,13 +1114,13 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse) return 0; } - L<d.opcode<<" from "<getRemote()<<" for "<qdomain<d.opcode<<" from "<getRemote()<<" for "<qdomain.toString()<setRcode(RCode::NotImp); return r; } - // L<qdomain<<"' "<qtype.getName()<<" from "<getRemote()<< " (tcp="<d_tcp<<")"<qdomain.toString()<<"' "<qtype.getName()<<" from "<getRemote()<< " (tcp="<d_tcp<<")"<d.ra = (p->d.rd && d_doRecursion && DP->recurseFor(p)); // make sure we set ra if rd was set, and we'll do it @@ -1130,7 +1129,7 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse) return r; } - string target=p->qdomain; + DNSName target=p->qdomain; // catch chaos qclass requests if(p->qclass == QClass::CHAOS) { @@ -1160,7 +1159,7 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse) retargeted:; if(retargetcount > 10) { // XXX FIXME, retargetcount++? - L<qdomain<<"'"<qdomain.toString()<<"'"<replyPacket(); r->setRcode(RCode::ServFail); @@ -1168,7 +1167,7 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse) } if(!B.getAuth(p, &sd, target)) { - DLOG(L<d.ra) { DLOG(L<getRemote()<getRemote()<setRcode(RCode::NotImp); goto sendit; } @@ -1241,7 +1240,7 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse) // see what we get.. B.lookup(QType(QType::ANY), target, p, sd.domain_id); rrset.clear(); - haveAlias.clear(); + haveAlias.trimToLabels(0); weDone = weRedirected = weHaveUnauth = false; while(B.get(rr)) { @@ -1261,7 +1260,7 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse) weRedirected=1; if(DP && rr.qtype.getCode() == QType::ALIAS) { - haveAlias=rr.content; + haveAlias=DNSName(rr.content); } // Filter out all SOA's and add them in later 
@@ -1283,7 +1282,7 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse) } - DLOG(L<<"After first ANY query for '"<qtype.getCode() == QType::DS && weHaveUnauth && !weDone && !weRedirected && d_dk.isSecuredZone(sd.qname)) { DLOG(L<<"Q for DS of a name for which we do have NS, but for which we don't have on a zone with DNSSEC need to provide an AUTH answer that proves we don't"<completePacket(r, haveAlias, target); return 0; } @@ -1311,7 +1310,7 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse) DLOG(L<qdomainwild=wildcard; @@ -1369,11 +1368,11 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse) if(tryReferral(p, r, sd, target, retargetcount)) goto sendit; // check whether this could be fixed easily - if (*(rr.qname.rbegin()) == '.') { - L<qdomain<<"|"<qtype.getCode()<<"): you have a trailing dot, this could be the problem (or run pdnssec rectify-zone " <qdomain<<"|"<qtype.getCode()<<"): please run pdnssec rectify-zone "<qdomain.toString()<<"|"<qtype.getCode()<<"): you have a trailing dot, this could be the problem (or run pdnssec rectify-zone " <qdomain.toString()<<"|"<qtype.getCode()<<"): please run pdnssec rectify-zone "<replyPacket(); // generate an empty reply packet r->setRcode(RCode::ServFail); S.inc("servfail-packets"); - S.ringAccount("servfail-queries",p->qdomain); + S.ringAccount("servfail-queries",p->qdomain.toString()); } catch(PDNSException &e) { L<replyPacket(); // generate an empty reply packet r->setRcode(RCode::ServFail); S.inc("servfail-packets"); - S.ringAccount("servfail-queries",p->qdomain); + S.ringAccount("servfail-queries",p->qdomain.toString()); } return r; diff --git a/pdns/packethandler.hh b/pdns/packethandler.hh index 16d94cc064..a313fb3ef6 100644 --- a/pdns/packethandler.hh +++ b/pdns/packethandler.hh 
@@ -78,7 +78,7 @@ private: void addNSEC(DNSPacket *p, DNSPacket* r, const DNSName &target, const DNSName &wildcard, const DNSName& auth, int mode); void addNSEC3(DNSPacket *p, DNSPacket* r, const DNSName &target, const DNSName &wildcard, const DNSName& auth, const NSEC3PARAMRecordContent& nsec3param, bool narrow, int mode); void emitNSEC(const DNSName& before, const DNSName& after, const DNSName& toNSEC, const SOAData& sd, DNSPacket *r, int mode); - void emitNSEC3(const NSEC3PARAMRecordContent &ns3rc, const SOAData& sd, const DNSName& unhashed, const DNSName& begin, const DNSName& end, const DNSName& toNSEC3, DNSPacket *r, int mode); + void emitNSEC3(const NSEC3PARAMRecordContent &ns3rc, const SOAData& sd, const DNSName& unhashed, /* FIXME should this be DNSName? */ const string& begin, const string& end, const DNSName& toNSEC3, DNSPacket *r, int mode); int processUpdate(DNSPacket *p); int forwardPacket(const string &msgPrefix, DNSPacket *p, DomainInfo *di); uint performUpdate(const string &msgPrefix, const DNSRecord *rr, DomainInfo *di, bool isPresigned, bool* narrow, bool* haveNSEC3, NSEC3PARAMRecordContent *ns3pr, bool *updatedSerial); @@ -112,5 +112,5 @@ private: UeberBackend B; // every thread an own instance DNSSECKeeper d_dk; // B is shared with DNSSECKeeper }; -bool getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hashed, bool decrement, string& unhashed, string& before, string& after, int mode=0); +bool getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hashed, bool decrement, DNSName& unhashed, string& before, string& after, int mode=0); #endif /* PACKETHANDLER */ diff --git a/pdns/resolver.cc b/pdns/resolver.cc index 74b2e02b8a..a41220eb18 100644 --- a/pdns/resolver.cc +++ b/pdns/resolver.cc 
@@ -112,8 +112,8 @@ Resolver::~Resolver() } uint16_t Resolver::sendResolve(const ComboAddress& remote, const ComboAddress& local, - const char *domain, int type, bool dnssecOK, - const string& tsigkeyname, const string& tsigalgorithm, + const DNSName &domain, int type, bool dnssecOK, + const DNSName& tsigkeyname, const DNSName& tsigalgorithm, const string& tsigsecret) { uint16_t randomid; @@ -167,9 +167,9 @@ uint16_t Resolver::sendResolve(const ComboAddress& remote, const ComboAddress& l return randomid; } -uint16_t Resolver::sendResolve(const ComboAddress& remote, const char *domain, +uint16_t Resolver::sendResolve(const ComboAddress& remote, const DNSName &domain, int type, bool dnssecOK, - const string& tsigkeyname, const string& tsigalgorithm, + const DNSName& tsigkeyname, const DNSName& tsigalgorithm, const string& tsigsecret) { ComboAddress local; 
@@ -177,28 +177,26 @@ uint16_t Resolver::sendResolve(const ComboAddress& remote, const char *domain, return this->sendResolve(remote, local, domain, type, dnssecOK, tsigkeyname, tsigalgorithm, tsigsecret); } -static int parseResult(MOADNSParser& mdp, const std::string& origQname, uint16_t origQtype, uint16_t id, Resolver::res_t* result) +static int parseResult(MOADNSParser& mdp, const DNSName& origQname, uint16_t origQtype, uint16_t id, Resolver::res_t* result) { result->clear(); if(mdp.d_header.rcode) return mdp.d_header.rcode; - if(!origQname.empty()) { // not AXFR + if(origQname.countLabels()) { // not AXFR if(mdp.d_header.id != id) throw ResolverException("Remote nameserver replied with wrong id"); if(mdp.d_header.qdcount != 1) throw ResolverException("resolver: received answer with wrong number of questions ("+itoa(mdp.d_header.qdcount)+")"); - if(mdp.d_qname != origQname+".") - throw ResolverException(string("resolver: received an answer to another question (")+mdp.d_qname+"!="+ origQname+".)"); + if(mdp.d_qname != origQname) + throw ResolverException(string("resolver: received an answer to another question (")+mdp.d_qname.toString()+"!="+ origQname.toString()+".)"); } vector ret; DNSResourceRecord rr; for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i!=mdp.d_answers.end(); ++i) { rr.qname = i->first.d_label; - if(!rr.qname.empty()) - boost::erase_tail(rr.qname, 1); // strip . rr.qtype = i->first.d_type; rr.ttl = i->first.d_ttl; rr.content = i->first.d_content->getZoneRepresentation(); @@ -218,7 +216,7 @@ static int parseResult(MOADNSParser& mdp, const std::string& origQname, uint16_t return 0; } -bool Resolver::tryGetSOASerial(string* domain, uint32_t *theirSerial, uint32_t *theirInception, uint32_t *theirExpire, uint16_t* id) +bool Resolver::tryGetSOASerial(DNSName *domain, uint32_t *theirSerial, uint32_t *theirInception, uint32_t *theirExpire, uint16_t* id) { struct pollfd *fds = new struct pollfd[locals.size()]; size_t i = 0, k; 
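Review bot: In parseResult the guard `if(origQname.countLabels()) { // not AXFR` uses a zero-label name as the AXFR sentinel, but with DNSName a zero-label name is presumably also the root, so a response to a root-name query would skip the id, qdcount and question-name checks that reject answers to a different question. Whether any caller passes the root here is not visible in the hunk, so at minimum document the overloading next to the guard: `// a zero-label origQname means "AXFR, skip checks"; root-name queries are therefore unchecked`. A cleaner fix is an explicit flag or a separate AXFR entry point rather than a magic name value. The exception text `origQname.toString()+".)"` will likely also print a doubled dot now that names are dot-terminated.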
@@ -262,13 +260,13 @@ bool Resolver::tryGetSOASerial(string* domain, uint32_t *theirSerial, uint32_t * MOADNSParser mdp((char*)buf, err); *id=mdp.d_header.id; - *domain = stripDot(mdp.d_qname); + *domain = mdp.d_qname; if(mdp.d_answers.empty()) - throw ResolverException("Query to '" + fromaddr.toStringWithPort() + "' for SOA of '" + *domain + "' produced no results (RCode: " + RCode::to_s(mdp.d_header.rcode) + ")"); + throw ResolverException("Query to '" + fromaddr.toStringWithPort() + "' for SOA of '" + domain->toString() + "' produced no results (RCode: " + RCode::to_s(mdp.d_header.rcode) + ")"); if(mdp.d_qtype != QType::SOA) - throw ResolverException("Query to '" + fromaddr.toStringWithPort() + "' for SOA of '" + *domain + "' returned wrong record type"); + throw ResolverException("Query to '" + fromaddr.toStringWithPort() + "' for SOA of '" + domain->toString() + "' returned wrong record type"); *theirInception = *theirExpire = 0; bool gotSOA=false; @@ -287,11 +285,11 @@ bool Resolver::tryGetSOASerial(string* domain, uint32_t *theirSerial, uint32_t * } } if(!gotSOA) - throw ResolverException("Query to '" + fromaddr.toString() + "' for SOA of '" + *domain + "' did not return a SOA"); + throw ResolverException("Query to '" + fromaddr.toString() + "' for SOA of '" + domain->toString() + "' did not return a SOA"); return true; } -int Resolver::resolve(const string &ipport, const char *domain, int type, Resolver::res_t* res, const ComboAddress &local) +int Resolver::resolve(const string &ipport, const DNSName &domain, int type, Resolver::res_t* res, const ComboAddress &local) { try { ComboAddress to(ipport, 53); 
@@ -337,35 +335,35 @@ int Resolver::resolve(const string &ipport, const char *domain, int type, Resolv return -1; } -int Resolver::resolve(const string &ipport, const char *domain, int type, Resolver::res_t* res) { +int Resolver::resolve(const string &ipport, const DNSName &domain, int type, Resolver::res_t* res) { ComboAddress local; local.sin4.sin_family = 0; return resolve(ipport, domain, type, res, local); } -void Resolver::getSoaSerial(const string &ipport, const string &domain, uint32_t *serial) +void Resolver::getSoaSerial(const string &ipport, const DNSName &domain, uint32_t *serial) { vector res; - int ret = resolve(ipport, domain.c_str(), QType::SOA, &res); + int ret = resolve(ipport, domain, QType::SOA, &res); if(ret || res.empty()) - throw ResolverException("Query to '" + ipport + "' for SOA of '" + domain + "' produced no answers"); + throw ResolverException("Query to '" + ipport + "' for SOA of '" + domain.toString() + "' produced no answers"); if(res[0].qtype.getCode() != QType::SOA) - throw ResolverException("Query to '" + ipport + "' for SOA of '" + domain + "' produced a "+res[0].qtype.getName()+" record"); + throw ResolverException("Query to '" + ipport + "' for SOA of '" + domain.toString() + "' produced a "+res[0].qtype.getName()+" record"); vectorparts; stringtok(parts, res[0].content); if(parts.size()<3) - throw ResolverException("Query to '" + ipport + "' for SOA of '" + domain + "' produced an unparseable response"); + throw ResolverException("Query to '" + ipport + "' for SOA of '" + domain.toString() + "' produced an unparseable response"); *serial=(uint32_t)atol(parts[2].c_str()); } AXFRRetriever::AXFRRetriever(const ComboAddress& remote, - const string& domain, - const string& tsigkeyname, - const string& tsigalgorithm, + const DNSName& domain, + const DNSName& tsigkeyname, + const DNSName& tsigalgorithm, const string& tsigsecret, const ComboAddress* laddr) : d_tsigkeyname(tsigkeyname), d_tsigsecret(tsigsecret), d_tsigPos(0), 
d_nonSignedMessages(0) @@ -491,7 +489,7 @@ int AXFRRetriever::getChunk(Resolver::res_t &res) // Implementation is making su if (checkTSIG) { if (theirMac.empty()) - throw ResolverException("No TSIG on AXFR response from "+d_remote.toStringWithPort()+" , should be signed with TSIG key '"+d_tsigkeyname+"'"); + throw ResolverException("No TSIG on AXFR response from "+d_remote.toStringWithPort()+" , should be signed with TSIG key '"+d_tsigkeyname.toString()+"'"); string message; if (!d_prevMac.empty()) { @@ -515,7 +513,7 @@ int AXFRRetriever::getChunk(Resolver::res_t &res) // Implementation is making su // ourMac[0]++; // sabotage == for testing :-) if(ourMac != theirMac) { - throw ResolverException("Signature failed to validate on AXFR response from "+d_remote.toStringWithPort()+" signed with TSIG key '"+d_tsigkeyname+"'"); + throw ResolverException("Signature failed to validate on AXFR response from "+d_remote.toStringWithPort()+" signed with TSIG key '"+d_tsigkeyname.toString()+"'"); } } diff --git a/pdns/resolver.hh b/pdns/resolver.hh index 2b55aad52e..a70434e141 100644 --- a/pdns/resolver.hh +++ b/pdns/resolver.hh 
@@ -59,22 +59,22 @@ public: typedef vector res_t; //! synchronously resolve domain|type at IP, store result in result, rcode in ret - int resolve(const string &ip, const char *domain, int type, res_t* result, const ComboAddress& local); + int resolve(const string &ip, const DNSName &domain, int type, res_t* result, const ComboAddress& local); - int resolve(const string &ip, const char *domain, int type, res_t* result); + int resolve(const string &ip, const DNSName &domain, int type, res_t* result); //! only send out a resolution request - uint16_t sendResolve(const ComboAddress& remote, const ComboAddress& local, const char *domain, int type, bool dnssecOk=false, - const string& tsigkeyname="", const string& tsigalgorithm="", const string& tsigsecret=""); + uint16_t sendResolve(const ComboAddress& remote, const ComboAddress& local, const DNSName &domain, int type, bool dnssecOk=false, + const DNSName& tsigkeyname=DNSName(), const DNSName& tsigalgorithm=DNSName(), const string& tsigsecret=""); - uint16_t sendResolve(const ComboAddress& remote, const char *domain, int type, bool dnssecOk=false, - const string& tsigkeyname="", const string& tsigalgorithm="", const string& tsigsecret=""); + uint16_t sendResolve(const ComboAddress& remote, const DNSName &domain, int type, bool dnssecOk=false, + const DNSName& tsigkeyname=DNSName(), const DNSName& tsigalgorithm=DNSName(), const string& tsigsecret=""); //! see if we got a SOA response from our sendResolve - bool tryGetSOASerial(string* theirDomain, uint32_t* theirSerial, uint32_t* theirInception, uint32_t* theirExpire, uint16_t* id); + bool tryGetSOASerial(DNSName *theirDomain, uint32_t* theirSerial, uint32_t* theirInception, uint32_t* theirExpire, uint16_t* id); //! convenience function that calls resolve above - void getSoaSerial(const string &, const string &, uint32_t *); + void getSoaSerial(const string &, const DNSName &, uint32_t *); private: std::map locals; 
@@ -84,9 +84,9 @@ class AXFRRetriever : public boost::noncopyable { public: AXFRRetriever(const ComboAddress& remote, - const string& zone, - const string& tsigkeyname=string(), - const string& tsigalgorithm=string(), + const DNSName& zone, + const DNSName& tsigkeyname=DNSName(), + const DNSName& tsigalgorithm=DNSName(), const string& tsigsecret=string(), const ComboAddress* laddr = NULL); ~AXFRRetriever(); @@ -103,7 +103,7 @@ class AXFRRetriever : public boost::noncopyable int d_soacount; ComboAddress d_remote; - string d_tsigkeyname; + DNSName d_tsigkeyname; string d_tsigsecret; string d_prevMac; // RFC2845 4.4 string d_signData; diff --git a/pdns/rfc2136handler.cc b/pdns/rfc2136handler.cc index d1cc01087d..25a2aceabc 100644 --- a/pdns/rfc2136handler.cc +++ b/pdns/rfc2136handler.cc @@ -29,11 +29,9 @@ int PacketHandler::checkUpdatePrerequisites(const DNSRecord *rr, DomainInfo *di) if ( (rr->d_class == QClass::NONE || rr->d_class == QClass::ANY) && rr->d_clen != 0) return RCode::FormErr; - string rrLabel = stripDot(rr->d_label); - bool foundRecord=false; DNSResourceRecord rec; - di->backend->lookup(QType(QType::ANY), rrLabel); + di->backend->lookup(QType(QType::ANY), rr->d_label); while(di->backend->get(rec)) { if (!rec.qtype.getCode()) continue; 
@@ -91,22 +89,20 @@ int PacketHandler::checkUpdatePrescan(const DNSRecord *rr) { // Implements section 3.4.2 of RFC2136 uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, DomainInfo *di, bool isPresigned, bool* narrow, bool* haveNSEC3, NSEC3PARAMRecordContent *ns3pr, bool *updatedSerial) { - string rrLabel = stripDot(rr->d_label); - rrLabel = toLower(rrLabel); QType rrType = QType(rr->d_type); if (rrType == QType::NSEC || rrType == QType::NSEC3) { - L<d_label.toString()<<"|"<d_label.toString()<<"|"<zone) { - L<d_label != di->zone) { + L<d_label.toString()<<"|"<d_class == QClass::IN) { // 3.4.2.2 QClass::IN means insert or update - DLOG(L<d_label.toString()<<"|"<d_content->getZoneRepresentation(), di->zone); + NSEC3PARAMRecordContent nsec3param(rr->d_content->getZoneRepresentation(), di->zone.toString() /* FIXME huh */); *narrow = false; // adding a NSEC3 will cause narrow mode to be dropped, as you cannot specify that in a NSEC3PARAM record d_dk.setNSEC3PARAM(di->zone, nsec3param, (*narrow)); *haveNSEC3 = d_dk.getNSEC3PARAM(di->zone, ns3pr, narrow); vector rrs; - set qnames, nssets, dssets; + set qnames, nssets, dssets; di->backend->list(di->zone, di->id); while (di->backend->get(rec)) { qnames.insert(rec.qname); @@ -140,8 +136,9 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, dssets.insert(rec.qname); } - string shorter, hashed; - BOOST_FOREACH(const string& qname, qnames) { + DNSName shorter; + string hashed; + for(const auto& qname: qnames) { shorter = qname; int ddepth = 0; do { @@ -149,7 +146,7 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, break; if(nssets.count(shorter)) ++ddepth; - } while(chopOff(shorter)); + } while(shorter.chopOff()); if (! *narrow && (ddepth == 0 || (ddepth == 1 && nssets.count(qname)))) { hashed = toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, qname)); 
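Review bot: The owner name from the UPDATE packet now reaches `rr->d_label != di->zone`, `di->backend->lookup()` and `hashQNameWithSalt()` without the lowercasing that `rrLabel = toLower(rrLabel);` used to apply at the top of `performUpdate`. Nothing visible in this diff shows that `DNSName` comparison, the backends or the NSEC3 hash input are case-insensitive, so a mixed-case name could miss the apex checks or yield an ordername that does not match the stored one. I would either normalise once at the top of the function or state the assumption there, e.g. `// rr->d_label is used as received; DNSName equality and backend lookups must be case-insensitive`. The later hunks of this function (`replaceRRSet`, `nullifyDNSSECOrderNameAndAuth`, `listSubZone`) depend on the same assumption, and the function body extends beyond these hunks.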
@@ -173,7 +170,7 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, bool foundRecord = false; - di->backend->lookup(rrType, rrLabel); + di->backend->lookup(rrType, rr->d_label); while (di->backend->get(rec)) { rrset.push_back(rec); foundRecord = true; 
@@ -191,7 +188,7 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, di->backend->replaceRRSet(di->id, oldRec->qname, oldRec->qtype, rrset); *updatedSerial = true; changedRecords++; - L<d_label.toString()<<"|"< 0) { - di->backend->replaceRRSet(di->id, rrLabel, rrType, rrset); - L<backend->replaceRRSet(di->id, rr->d_label, rrType, rrset); + L<d_label.toString()<<"|"<d_label.toString()<<"|"< 0) { - di->backend->replaceRRSet(di->id, rrLabel, rrType, rrset); - L<backend->replaceRRSet(di->id, rr->d_label, rrType, rrset); + L<d_label.toString()<<"|"<d_label.toString()<<"|"<d_iterations, ns3pr->d_salt, rrLabel)); + hashed=toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, rr->d_label)); if (*narrow) - di->backend->nullifyDNSSECOrderNameAndUpdateAuth(di->id, rrLabel, auth); + di->backend->nullifyDNSSECOrderNameAndUpdateAuth(di->id, rr->d_label, auth); else - di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, rrLabel, hashed, auth); + di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, rr->d_label, hashed, auth); if(!auth || rrType == QType::DS) { - di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "NS"); - di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "A"); - di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "AAAA"); + di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rr->d_label, "NS"); + di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rr->d_label, "A"); + di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rr->d_label, "AAAA"); } } else { // NSEC - di->backend->updateDNSSECOrderAndAuth(di->id, di->zone, rrLabel, auth); + di->backend->updateDNSSECOrderAndAuth(di->id, di->zone, rr->d_label, auth); if(!auth || rrType == QType::DS) { - di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "A"); - di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "AAAA"); + di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rr->d_label, "A"); + 
di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rr->d_label, "AAAA"); } } } @@ -270,17 +267,17 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, // If we haven't found a record that matches, we must add it. if (! foundRecord) { - L<d_label.toString()<<"|"<d_label); // always remove any ENT's in the place where we're going to add a record. DNSResourceRecord newRec(*rr); newRec.domain_id = di->id; - newRec.auth = (rrLabel == di->zone || rrType.getCode() != QType::NS); + newRec.auth = (rr->d_label == di->zone || rrType.getCode() != QType::NS); di->backend->feedRecord(newRec); changedRecords++; // because we added a record, we need to fix DNSSEC data. - DNSName shorter(rrLabel); + DNSName shorter(rr->d_label); bool auth=newRec.auth; bool fixDS = (rrType == QType::DS); @@ -293,15 +290,15 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, bool foundShorter = false; di->backend->lookup(QType(QType::ANY), shorter); while (di->backend->get(rec)) { - if (pdns_iequals(rec.qname, rrLabel) && rec.qtype == QType::DS) + if (pdns_iequals(rec.qname, rr->d_label) && rec.qtype == QType::DS) fixDS = true; - if ( ! pdns_iequals(shorter, rrLabel) ) + if ( ! pdns_iequals(shorter, rr->d_label) ) foundShorter = true; if (rec.qtype == QType::NS) // are we inserting below a delegate? auth=false; } - if (!foundShorter && auth && !pdns_iequals(shorter, rrLabel)) // haven't found any record at current level, insert ENT. + if (!foundShorter && auth && !pdns_iequals(shorter, rr->d_label)) // haven't found any record at current level, insert ENT. insnonterm.insert(shorter); if (foundShorter) break; // if we find a shorter record, we can stop searching 
@@ -312,56 +309,56 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, { string hashed; if(! *narrow) - hashed=toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, rrLabel)); + hashed=toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, rr->d_label)); if (*narrow) - di->backend->nullifyDNSSECOrderNameAndUpdateAuth(di->id, rrLabel, auth); + di->backend->nullifyDNSSECOrderNameAndUpdateAuth(di->id, rr->d_label, auth); else - di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, rrLabel, hashed, auth); + di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, rr->d_label, hashed, auth); if (fixDS) - di->backend->setDNSSECAuthOnDsRecord(di->id, rrLabel); + di->backend->setDNSSECAuthOnDsRecord(di->id, rr->d_label); if(!auth) { if (ns3pr->d_flags) - di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "NS"); - di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "A"); - di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "AAAA"); + di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rr->d_label, "NS"); + di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rr->d_label, "A"); + di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rr->d_label, "AAAA"); } } else // NSEC { - di->backend->updateDNSSECOrderAndAuth(di->id, di->zone, rrLabel, auth); + di->backend->updateDNSSECOrderAndAuth(di->id, di->zone, rr->d_label, auth); if (fixDS) { - di->backend->setDNSSECAuthOnDsRecord(di->id, rrLabel); + di->backend->setDNSSECAuthOnDsRecord(di->id, rr->d_label); } if(!auth) { - di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "A"); - di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "AAAA"); + di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rr->d_label, "A"); + di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rr->d_label, "AAAA"); } } // If we insert an NS, all the records below it become non auth - so, we're inserting a delegate. 
- // Auth can only be false when the rrLabel is not the zone + // Auth can only be false when the rr->d_label is not the zone if (auth == false && rrType == QType::NS) { - DLOG(L<d_label.toString()< qnames; - di->backend->listSubZone(rrLabel, di->id); + vector qnames; + di->backend->listSubZone(rr->d_label, di->id); while(di->backend->get(rec)) { - if (rec.qtype.getCode() && rec.qtype.getCode() != QType::DS && !pdns_iequals(rrLabel, rec.qname)) // Skip ENT, DS and our already corrected record. + if (rec.qtype.getCode() && rec.qtype.getCode() != QType::DS && !pdns_iequals(rr->d_label, rec.qname)) // Skip ENT, DS and our already corrected record. qnames.push_back(rec.qname); } - for(vector::const_iterator qname=qnames.begin(); qname != qnames.end(); ++qname) { + for(vector::const_iterator qname=qnames.begin(); qname != qnames.end(); ++qname) { if(*haveNSEC3) { string hashed; if(! *narrow) hashed=toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, *qname)); if (*narrow) - di->backend->nullifyDNSSECOrderNameAndUpdateAuth(di->id, rrLabel, auth); + di->backend->nullifyDNSSECOrderNameAndUpdateAuth(di->id, rr->d_label, auth); else di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, *qname, hashed, auth); 
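Review bot: In the loop over `qnames` below a newly inserted delegation, the narrow branch calls `nullifyDNSSECOrderNameAndUpdateAuth(di->id, rr->d_label, auth)` with the delegation name rather than the name being iterated, while the non-narrow branch uses `*qname`. As written it looks like records below the delegation keep their old auth flag in NSEC3 narrow mode, which would leave non-authoritative data marked as authoritative; the commit carries this over from the `rrLabel` version. The line should probably read `di->backend->nullifyDNSSECOrderNameAndUpdateAuth(di->id, *qname, auth);`. The loop body continues past the end of this hunk.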
@@ -382,16 +379,16 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, // Delete records - section 3.4.2.3 and 3.4.2.4 with the exception of the 'always leave 1 NS rule' as that's handled by // the code that calls this performUpdate(). if ((rr->d_class == QClass::ANY || rr->d_class == QClass::NONE) && rrType != QType::SOA) { // never delete a SOA. - DLOG(L<d_class<<"; rrType: "<d_label.toString()<<"; QClasse:"<d_class<<"; rrType: "<d_class == QClass::ANY) - d_dk.unsetNSEC3PARAM(rrLabel); + d_dk.unsetNSEC3PARAM(rr->d_label); else if (rr->d_class == QClass::NONE) { - NSEC3PARAMRecordContent nsec3rr(rr->d_content->getZoneRepresentation(), di->zone); + NSEC3PARAMRecordContent nsec3rr(rr->d_content->getZoneRepresentation(), di->zone.toString() /* FIXME huh */); if (ns3pr->getZoneRepresentation() == nsec3rr.getZoneRepresentation()) - d_dk.unsetNSEC3PARAM(rrLabel); + d_dk.unsetNSEC3PARAM(rr->d_label); else return 0; } else @@ -401,7 +398,7 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, *haveNSEC3 = d_dk.getNSEC3PARAM(di->zone, ns3pr, narrow); vector rrs; - set qnames, nssets, dssets, ents; + set qnames, nssets, dssets, ents; di->backend->list(di->zone, di->id); while (di->backend->get(rec)) { qnames.insert(rec.qname); @@ -413,8 +410,9 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, ents.insert(rec.qname); } - string shorter, hashed; - BOOST_FOREACH(const string& qname, qnames) { + DNSName shorter; + string hashed; + BOOST_FOREACH(const DNSName& qname, qnames) { shorter = qname; int ddepth = 0; do { @@ -422,7 +420,7 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, break; if(nssets.count(shorter)) ++ddepth; - } while(chopOff(shorter)); + } while(shorter.chopOff()); if (!ents.count(qname) && (ddepth == 0 || (ddepth == 1 && nssets.count(qname)))) { di->backend->updateDNSSECOrderAndAuth(di->id, di->zone, qname, (ddepth == 0)); 
@@ -441,7 +439,7 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, } // end of NSEC3PARAM delete block - di->backend->lookup(rrType, rrLabel); + di->backend->lookup(rrType, rr->d_label); while(di->backend->get(rec)) { if (rr->d_class == QClass::ANY) { // 3.4.2.3 if (rec.qname == di->zone && (rec.qtype == QType::NS || rec.qtype == QType::SOA)) // Never delete all SOA and NS's 
@@ -458,45 +456,45 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, } if (recordsToDelete.size()) { - di->backend->replaceRRSet(di->id, rrLabel, rrType, rrset); - L<backend->replaceRRSet(di->id, rr->d_label, rrType, rrset); + L<d_label.toString()<<"|"<zone) { + if (rrType == QType::NS && rr->d_label != di->zone) { vector belowOldDelegate, nsRecs, updateAuthFlag; - di->backend->listSubZone(rrLabel, di->id); + di->backend->listSubZone(rr->d_label, di->id); while (di->backend->get(rec)) { if (rec.qtype.getCode()) // skip ENT records, they are always auth=false belowOldDelegate.push_back(rec.qname); - if (rec.qtype.getCode() == QType::NS && rec.qname != rrLabel) + if (rec.qtype.getCode() == QType::NS && rec.qname != rr->d_label) nsRecs.push_back(rec.qname); } for(auto &belowOldDel: belowOldDelegate) { bool isBelowDelegate = false; - for(vector::const_iterator ns=nsRecs.begin(); ns!= nsRecs.end(); ns++) { - if (endsOn(*ns, *belowOldDel)) { + for(const auto & ns: nsRecs) { + if (ns.isPartOf(belowOldDel)) { isBelowDelegate=true; break; } } if (!isBelowDelegate) - updateAuthFlag.push_back(*belowOldDel); + updateAuthFlag.push_back(belowOldDel); } - for (vector::const_iterator changeRec=updateAuthFlag.begin(); changeRec!=updateAuthFlag.end(); ++changeRec) { + for (const auto &changeRec:updateAuthFlag) { if(*haveNSEC3) { string hashed; if(! *narrow) - hashed=toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, *changeRec)); + hashed=toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, changeRec)); - di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, *changeRec, hashed, true); + di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, changeRec, hashed, true); } else // NSEC - di->backend->updateDNSSECOrderAndAuth(di->id, di->zone, *changeRec, true); + di->backend->updateDNSSECOrderAndAuth(di->id, di->zone, changeRec, true); } } 
@@ -505,20 +503,20 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, // on that level. If so, we must insert an ENT record. // We take extra care here to not 'include' the record that we just deleted. Some backends will still return it as they only reload on a commit. bool foundDeeper = false, foundOtherWithSameName = false; - di->backend->listSubZone(rrLabel, di->id); + di->backend->listSubZone(rr->d_label, di->id); while (di->backend->get(rec)) { - if (rec.qname == rrLabel && !count(recordsToDelete.begin(), recordsToDelete.end(), rec)) + if (rec.qname == rr->d_label && !count(recordsToDelete.begin(), recordsToDelete.end(), rec)) foundOtherWithSameName = true; - if (rec.qname != rrLabel && rec.qtype.getCode() != QType::NS) //Skip NS records, as this would be a delegate that we can ignore as this does not require us to create a ENT + if (rec.qname != rr->d_label && rec.qtype.getCode() != QType::NS) //Skip NS records, as this would be a delegate that we can ignore as this does not require us to create a ENT foundDeeper = true; } if (foundDeeper && !foundOtherWithSameName) { - insnonterm.insert(rrLabel); + insnonterm.insert(rr->d_label); } else if (!foundOtherWithSameName) { // If we didn't have to insert an ENT, we might have deleted a record at very deep level // and we must then clean up the ENT's above the deleted record. - DNSName shorter(rrLabel); + DNSName shorter(rr->d_label); while (shorter != di->zone) { shorter.chopOff(); bool foundRealRR = false; 
@@ -546,7 +544,7 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, } } } else { // if (recordsToDelete.size()) - L<d_label.toString()<<"|"< 0 || delnonterm.size() > 0) { DLOG(L<backend->updateEmptyNonTerminals(di->id, di->zone, insnonterm, delnonterm, false); - for (set::const_iterator i=insnonterm.begin(); i!=insnonterm.end(); i++) { + for (const auto &i: insnonterm) { string hashed; - if(*haveNSEC3) + if(haveNSEC3) { string hashed; if(! *narrow) - hashed=toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, *i)); - di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, *i, hashed, true); + hashed=toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, i)); + di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, i, hashed, true); } } } @@ -669,7 +667,7 @@ int PacketHandler::processUpdate(DNSPacket *p) { if (! ::arg().mustDo("experimental-dnsupdate")) return RCode::Refused; - string msgPrefix="UPDATE (" + itoa(p->d.id) + ") from " + p->getRemote() + " for " + p->qdomain + ": "; + string msgPrefix="UPDATE (" + itoa(p->d.id) + ") from " + p->getRemote() + " for " + p->qdomain.toString() + ": "; L<d_label); - if (!endsOn(label, di.zone)) { + if (!label.isPartOf(di.zone)) { L< rrSetKey_t; + typedef pair rrSetKey_t; typedef vector rrVector_t; typedef std::map RRsetMap_t; RRsetMap_t preReqRRsets; @@ -806,7 +804,7 @@ int PacketHandler::processUpdate(DNSPacket *p) { return RCode::FormErr; if (rr->d_class == QClass::IN) { - rrSetKey_t key = make_pair(stripDot(rr->d_label), QType(rr->d_type)); + rrSetKey_t key = make_pair(rr->d_label, QType(rr->d_type)); rrVector_t *vec = &preReqRRsets[key]; vec->push_back(DNSResourceRecord(*rr)); } @@ -909,7 +907,7 @@ int PacketHandler::processUpdate(DNSPacket *p) { S.deposit("dnsupdate-changes", changedRecords); // Purge the records! - string zone(di.zone); + DNSName zone(di.zone); zone.append("$"); PC.purge(zone); 
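Review bot: `if(haveNSEC3)` in the `insnonterm` loop tests the `bool*` parameter itself rather than the flag it points to; the line it replaces was `if(*haveNSEC3)`. With a non-null pointer the branch is always taken, so for an NSEC zone the inserted empty non-terminals go through `updateDNSSECOrderAndAuthAbsolute()` with a hash derived from `ns3pr`, which may not hold valid parameters there. Restore the dereference: `if(*haveNSEC3)`. The outer `string hashed;` in the same loop is shadowed by the inner one and can be dropped.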
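Review bot: `zone.append("$");` was written for a `std::string`, where the trailing `$` is, as far as I can tell, the suffix marker for `PC.purge()`; with `DNSName zone(di.zone)` it is unclear what `append` does, or whether it exists at all. If the resulting pattern no longer matches, the packet cache keeps serving pre-update answers after a successful UPDATE. Until `PC.purge()` takes a `DNSName`, I would keep the string form, something like `PC.purge(di.zone.toString()+"$");`, after checking that the form `toString()` produces is what the cache keys use. `processUpdate` continues outside this hunk.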
@@ -978,7 +976,7 @@ void PacketHandler::increaseSerial(const string &msgPrefix, const DomainInfo *di vector soaEditSetting; B.getDomainMetadata(di->zone, "SOA-EDIT", soaEditSetting); if (soaEditSetting.empty()) { - L<zone <<"\". Using DEFAULT for SOA-EDIT-DNSUPDATE"<zone.toString() <<"\". Using DEFAULT for SOA-EDIT-DNSUPDATE"< authSet; + set authSet; authSet.insert(d_signer); addRRSigs(dk, db, authSet, *chunk); ++d_signed; diff --git a/pdns/signingpipe.hh b/pdns/signingpipe.hh index 8cb5a2bf31..ce4cdc5f7c 100644 --- a/pdns/signingpipe.hh +++ b/pdns/signingpipe.hh @@ -19,7 +19,7 @@ public: typedef vector rrset_t; typedef rrset_t chunk_t; // for now - ChunkedSigningPipe(const string& signerName, bool mustSign, const string& servers=string(), unsigned int numWorkers=3); + ChunkedSigningPipe(const DNSName& signerName, bool mustSign, /* FIXME servers is unused? */ const pdns::string& servers=pdns::string(), unsigned int numWorkers=3); ~ChunkedSigningPipe(); bool submit(const DNSResourceRecord& rr); chunk_t getChunk(bool final=false); @@ -39,7 +39,7 @@ private: static void* helperWorker(void* p); rrset_t* d_rrsetToSign; std::deque< std::vector > d_chunks; - string d_signer; + DNSName d_signer; chunk_t::size_type d_maxchunkrecords; diff --git a/pdns/slavecommunicator.cc b/pdns/slavecommunicator.cc index 9c3fb69f17..188e3067ae 100644 --- a/pdns/slavecommunicator.cc +++ b/pdns/slavecommunicator.cc @@ -164,7 +164,7 @@ void CommunicatorClass::suck(const string &domain,const string &remote) continue; if(!endsOn(i->qname, domain)) { - L<qname<<"'|"<qtype.getName()<<" during AXFR of zone '"<qname.toString()<<"'|"<qtype.getName()<<" during AXFR of zone '"< Identifier; + typedef pair Identifier; struct Answer { uint32_t theirSerial; diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc index e3bf7ad000..4291c17bf3 100644 --- a/pdns/tcpreceiver.cc +++ b/pdns/tcpreceiver.cc 
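Review bot: The out-of-zone filter in `CommunicatorClass::suck` is left as `if(!endsOn(i->qname, domain))`, although `i->qname` is evidently a `DNSName` now (the log line below it gained `.toString()`) and `domain` is still a `const string&`. This check is what rejects records a master sends for names outside the zone being transferred, so it should not depend on an implicit conversion or on string suffix matching. I would express it with the label-aware test used elsewhere in this commit: `if(!i->qname.isPartOf(DNSName(domain)))`. The function starts and ends outside this hunk.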
@@ -733,7 +733,7 @@ int TCPNameserver::doAXFR(const string &target, shared_ptr q, int out } rrs.push_back(rr); } else { - L<& new rr.disabled = boolFromJson(record, "disabled"); if (rr.qtype.getCode() == 0) { - throw ApiException("Record "+rr.qname+"/"+stringFromJson(record, "type")+" is of unknown type"); + throw ApiException("Record "+rr.qname.toString()+"/"+stringFromJson(record, "type")+" is of unknown type"); } try { @@ -421,7 +421,7 @@ static void gatherRecords(const Value& container, vector& new } catch(std::exception& e) { - throw ApiException("Record "+rr.qname+"/"+rr.qtype.getName()+" '"+rr.content+"': "+e.what()); + throw ApiException("Record "+rr.qname.toString()+"/"+rr.qtype.getName()+" '"+rr.content+"': "+e.what()); } if ((rr.qtype.getCode() == QType::A || rr.qtype.getCode() == QType::AAAA) && @@ -434,7 +434,7 @@ static void gatherRecords(const Value& container, vector& new SOAData sd; fakePacket.qtype = QType::PTR; if (!B.getAuth(&fakePacket, &sd, ptr.qname)) - throw ApiException("Could not find domain for PTR '"+ptr.qname+"' requested for '"+ptr.content+"'"); + throw ApiException("Could not find domain for PTR '"+ptr.qname.toString()+"' requested for '"+ptr.content+"'"); ptr.domain_id = sd.domain_id; new_ptrs.push_back(ptr); @@ -653,8 +653,8 @@ static void apiServerZones(HttpRequest* req, HttpResponse* resp) { DNSResourceRecord rr; BOOST_FOREACH(rr, new_records) { - if (!iends_with(rr.qname, dotsuffix) && !pdns_iequals(rr.qname, zonename)) - throw ApiException("RRset "+rr.qname+" IN "+rr.qtype.getName()+": Name is out of zone"); + if (!rr.qname.isPartOf(dotsuffix) && !pdns_iequals(rr.qname, zonename)) + throw ApiException("RRset "+rr.qname.toString()+" IN "+rr.qtype.getName()+": Name is out of zone"); if (rr.qtype.getCode() == QType::SOA && pdns_iequals(rr.qname, zonename)) { have_soa = true; 
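Review bot: The out-of-zone check in `apiServerZones` now reads `!rr.qname.isPartOf(dotsuffix)`, but `dotsuffix` is defined outside this hunk and, judging by its name and the old `iends_with` call, is a string with a leading dot. Converting that to a `DNSName` gives a name with an empty leading label at best, so the test may reject every record or throw, and this is the check that keeps API clients from writing records outside the zone. Compare against the zone name itself, e.g. `if (!rr.qname.isPartOf(DNSName(zonename)))`, assuming `isPartOf` accepts the apex. The matching check in `patchZone` (the `-977` hunk) still uses `iends_with(qname, dotsuffix)` on what is now a `DNSName` and needs the same treatment.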
@@ -977,7 +977,7 @@ static void patchZone(HttpRequest* req, HttpResponse* resp) { else if (changetype == "REPLACE") { // we only validate for REPLACE, as DELETE can be used to "fix" out of zone records. if (!iends_with(qname, dotsuffix) && !pdns_iequals(qname, zonename)) - throw ApiException("RRset "+qname+" IN "+qtype.getName()+": Name is out of zone"); + throw ApiException("RRset "+qname.toString()+" IN "+qtype.getName()+": Name is out of zone"); new_records.clear(); new_comments.clear(); @@ -989,7 +989,7 @@ static void patchZone(HttpRequest* req, HttpResponse* resp) { rr.domain_id = di.id; if (rr.qname != qname || rr.qtype != qtype) - throw ApiException("Record "+rr.qname+"/"+rr.qtype.getName()+" "+rr.content+": Record wrongly bundled with RRset " + qname.toString() + "/" + qtype.getName()); + throw ApiException("Record "+rr.qname.toString()+"/"+rr.qtype+" "+rr.content+": Record wrongly bundled with RRset " + qname.toString() + "/" + qtype.getName()); if (rr.qtype.getCode() == QType::SOA && pdns_iequals(rr.qname, zonename)) { soa_edit_done = increaseSOARecord(rr, soa_edit_api_kind, soa_edit_kind); @@ -1059,12 +1059,12 @@ static void patchZone(HttpRequest* req, HttpResponse* resp) { fakePacket.qtype = QType::PTR; if (!B.getAuth(&fakePacket, &sd, rr.qname)) - throw ApiException("Could not find domain for PTR '"+rr.qname+"' requested for '"+rr.content+"' (while saving)"); + throw ApiException("Could not find domain for PTR '"+rr.qname.toString()+"' requested for '"+rr.content+"' (while saving)"); sd.db->startTransaction(rr.qname); if (!sd.db->replaceRRSet(sd.domain_id, rr.qname, rr.qtype, vector(1, rr))) { sd.db->abortTransaction(); - throw ApiException("PTR-Hosting backend for "+rr.qname+"/"+rr.qtype.getName()+" does not support editing records."); + throw ApiException("PTR-Hosting backend for "+rr.qname.toString()+"/"+rr.qtype.getName()+" does not support editing records."); } sd.db->commitTransaction(); PC.purge(rr.qname); 
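Review bot: In the "wrongly bundled" exception in `patchZone`, `rr.qtype.getName()` became plain `rr.qtype`, so a `QType` is concatenated into the message while the end of the same expression still uses `qtype.getName()`. This looks accidental; it either fails to compile or depends on an implicit conversion. Keep the call: `"Record "+rr.qname.toString()+"/"+rr.qtype.getName()+" "+rr.content+...`.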
@@ -1094,15 +1094,15 @@ static void apiServerSearchData(HttpRequest* req, HttpResponse* resp) { Comment comment; BOOST_FOREACH(const DomainInfo& di, domains) { - string zoneId = apiZoneNameToId(di.zone); + string zoneId = apiZoneNameToId(di.zone.toString()); - if (pdns_ci_find(di.zone, q) != string::npos) { + if (pdns_ci_find(di.zone.toString(), q) != string::npos) { Value object; object.SetObject(); object.AddMember("type", "zone", doc.GetAllocator()); Value jzoneId(zoneId.c_str(), doc.GetAllocator()); // copy object.AddMember("zone_id", jzoneId, doc.GetAllocator()); - Value jzoneName(di.zone.c_str(), doc.GetAllocator()); // copy + Value jzoneName(di.zone.toString().c_str(), doc.GetAllocator()); // copy object.AddMember("name", jzoneName, doc.GetAllocator()); doc.PushBack(object, doc.GetAllocator()); }