diff --git a/_examples/funkensturm/Kmiek.nl.+005+21798.key b/_examples/funkensturm/Kmiek.nl.+005+21798.key
new file mode 100644
index 00000000..28ba14d1
--- /dev/null
+++ b/_examples/funkensturm/Kmiek.nl.+005+21798.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 21798, for miek.nl.
+; Created: 20110122104659 (Sat Jan 22 11:46:59 2011)
+; Publish: 20110122104659 (Sat Jan 22 11:46:59 2011)
+; Activate: 20110122104659 (Sat Jan 22 11:46:59 2011)
+miek.nl. IN DNSKEY 256 3 5 AwEAAQGk589980oEiFs1AUicHq2YlHbE5n0DWgfgCqTfBZ1ZYRjn2mye mQotdt4Yzq97nBPy1nzxrZhKabhX9nZriVv8jurPLXeauW/NT1Drfrjz DQRidU+A1DvLDkEKeEl8O+kOyiIHK49kUrjbfar9yQuFZUAeo+24FRfH q9oGysW70Q==
diff --git a/_examples/funkensturm/Kmiek.nl.+005+21798.private b/_examples/funkensturm/Kmiek.nl.+005+21798.private
new file mode 100644
index 00000000..b68f3cdf
--- /dev/null
+++ b/_examples/funkensturm/Kmiek.nl.+005+21798.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 5 (RSASHA1)
+Modulus: AaTnz33zSgSIWzUBSJwerZiUdsTmfQNaB+AKpN8FnVlhGOfabJ6ZCi123hjOr3ucE/LWfPGtmEppuFf2dmuJW/yO6s8td5q5b81PUOt+uPMNBGJ1T4DUO8sOQQp4SXw76Q7KIgcrj2RSuNt9qv3JC4VlQB6j7bgVF8er2gbKxbvR
+PublicExponent: AQAB
+PrivateExponent: /IkdBCupeEi7uHS5tPnvHAHPtNm5nf4xhWm9fBYpT0wjnlB+JTYbViXgoa+4uAhwK54nPvXxzovZz+UPLfwvFBoG3D0vYS+M9WWOBCnEuDK0MfcBWfTE2hlV13xDll1o7Pj/fvpRQ7paBhjpP6uBwlVI1vH6GR9kNXQRfWK1NQU=
+Prime1: AdG+8ixEeDzHKI2GRD7lGhrQ8EzN4Tc0mek1u6ioFZ0imohaPqtqNq7RWVo35cWuvYflhFQYzFn99HGRvfGfDv8=
+Prime2: 51psvlotBXuaqzrgfb5I6u7DG9JhU5WO68PZf1RMmq2e2xLvKvDGXCP5oFur9AOsHdbmahnzgFC1s18vg7kFLw==
+Exponent1: glXRJ5oxm7CQJKrCRmeOmpqF5Lhooi5SM/UZguUmx0Z7wFSg3Q9oJhvnyVuDLYLs/y63jWEzLqvm0DFc2lUMuQ==
+Exponent2: Aq3qan3y3Yhj7y28YdhtUcM4IT9bfzNRN2vKPg5E4Nm36EOc33twYKrN/kxxfl74hFPz0TDBwC+vGwe0LitbYw==
+Coefficient: AZX3xIGzo/3fw4ouA6nAjpiWGpTK+OdFRkZtvbmzwgqnFDQopB0SweVnd1shpKCXkPTkdvpLTdmhU/84CW5m7cQ=
+Created: 20110122104659
+Publish: 20110122104659
+Activate: 20110122104659
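Review bot: `Kmiek.nl.+005+21798.private` commits the complete RSA private key (Modulus, PrivateExponent, Prime1/Prime2, Exponent1/Exponent2, Coefficient) to the repository, and the identical material is embedded a second time as the `privdata` raw string in config_sign.go's setup(). Once pushed, the key stays recoverable from history even if the file is deleted later, so it has to be treated as a throwaway test key that is never loaded for a real zone; a first line such as `; TEST KEY ONLY - published in the source tree, never use for a production zone` in the .key file, and the same remark beside `privdata`, makes that explicit to whoever copies this example. Reading the key from a path supplied at start-up instead of a literal would also remove the duplication between the file and the Go source and keep key material out of the compiled binary.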
diff --git a/_examples/funkensturm/Makefile b/_examples/funkensturm/Makefile
index b6663f52..f1b784dd 100644
--- a/_examples/funkensturm/Makefile
+++ b/_examples/funkensturm/Makefile
@@ -4,7 +4,7 @@ include $(GOROOT)/src/Make.inc
 TARG=funkensturm
 GOFILES=funkensturm.go\
- config.go\
+ config_sign.go\
 DEPS=../../
 include $(GOROOT)/src/Make.cmd
diff --git a/_examples/funkensturm/config.go b/_examples/funkensturm/config.go
index 634507fb..64b3445a 100644
--- a/_examples/funkensturm/config.go
+++ b/_examples/funkensturm/config.go
@@ -3,6 +3,7 @@ package main
 // This is a transparant proxy config. All recevied pkt are just forwarded to the
 // nameserver, hardcoded to 127.0.0.1 and then return to the original querier
 import (
+ "fmt"
 "dns"
 "dns/resolver"
 )
@@ -11,6 +12,7 @@ func match(m *dns.Msg, d int) (*dns.Msg, bool) {
 // Matching criteria
 switch d {
 case IN:
+ fmt.Printf("%v\n", m)
 // nothing
 case OUT:
 // Note that when sending back only the mangling is important
diff --git a/_examples/funkensturm/config_delay.go b/_examples/funkensturm/config_delay.go
new file mode 100644
index 00000000..634507fb
--- /dev/null
+++ b/_examples/funkensturm/config_delay.go
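Review bot: The `fmt.Printf("%v\n", m)` added to the IN case of match() dumps every inbound packet to stdout with no way to switch it off, and the Makefile hunk in the same commit replaces `config.go` with `config_sign.go` in GOFILES, so the file receiving this print is no longer listed in the build at all. If it is debugging output it should be removed or gated; if it is meant to stay, a comment such as `// debug: dump every inbound query to stdout` should say so. config_delay.go is introduced in this commit as the pre-commit blob of config.go (634507fb), so the two files now differ only by this print and will drift without a note on which one is the template. match() continues outside the hunk.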
@@ -0,0 +1,59 @@
+package main
+
+// This is a transparant proxy config. All recevied pkt are just forwarded to the
+// nameserver, hardcoded to 127.0.0.1 and then return to the original querier
+import (
+ "dns"
+ "dns/resolver"
+)
+
+func match(m *dns.Msg, d int) (*dns.Msg, bool) {
+ // Matching criteria
+ switch d {
+ case IN:
+ // nothing
+ case OUT:
+ // Note that when sending back only the mangling is important
+ // the actual return code of these function isn't checked by
+ // funkensturm
+ }
+
+ // Packet Mangling functions
+ switch d {
+ case IN:
+ // nothing
+ case OUT:
+ // nothing
+ }
+ return m, true
+}
+
+func send(m *dns.Msg, ok bool) (*dns.Msg, bool) {
+ switch ok {
+ case true, false:
+ qr <- resolver.Msg{m, nil, nil}
+ in := <-qr
+ return in.Dns, true
+ }
+ return nil, false // Bug in Go, yes BUG IN GO
+}
+
+// qr is global and started by Funkensturm. If you
+// need 2 or more resolvers, you'll need to start
+// them yourself. This needs to be a global variable
+//var qr1 chan resolver.Msg
+
+// Return the configration
+func funkensturm() *Funkensturm {
+ f := new(Funkensturm)
+
+ f.Setup = func() bool { return true }
+
+ f.Matches = make([]Match, 1)
+ f.Matches[0].Op = AND
+ f.Matches[0].Func = match
+
+ f.Actions = make([]Action, 1)
+ f.Actions[0].Func = send
+ return f
+}
diff --git a/_examples/funkensturm/config_sign.go b/_examples/funkensturm/config_sign.go
new file mode 100644
index 00000000..ee8f918c
--- /dev/null
+++ b/_examples/funkensturm/config_sign.go
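Review bot: config_delay.go is a verbatim copy of the previous config.go (its new blob 634507fb is config.go's old blob) and contains no delay logic, so the file name promises behaviour that is not there; a header comment such as `// config_delay: placeholder for a delaying proxy config, currently identical to the transparent config` would stop readers hunting for a timer. Style: in send(), `switch ok { case true, false: ... }` matches every value, and the trailing `return nil, false // Bug in Go, yes BUG IN GO` is only needed because a switch without a default is not a terminating statement in Go — that is the language rule, not a bug; the body reduces to `qr <- resolver.Msg{m, nil, nil}`, `in := <-qr`, `return in.Dns, true`. That also makes the unused `ok` parameter obvious, which deserves a comment if Action funcs must keep this signature.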
@@ -0,0 +1,111 @@
+package main
+
+// This is a transparant proxy config. All recevied pkt are just forwarded to the
+// nameserver, hardcoded to 127.0.0.1 and then return to the original querier
+import (
+ "dns"
+ "dns/resolver"
+ "crypto/rsa"
+)
+
+func sign(m *dns.Msg) *dns.Msg {
+ // Assume miek.nl, just for testing, example.com???
+ sg := new(dns.RR_RRSIG)
+ sg.Hdr = dns.RR_Header{"miek.nl.", dns.TypeRRSIG, dns.ClassINET, 14400, 0}
+ sg.Expiration = 1296534305 // date -u '+%s' -d"2011-02-01 04:25:05"
+ sg.Inception = 1293942305 // date -u '+%s' -d"2011-01-02 04:25:05"
+ sg.KeyTag = pubkey.KeyTag() // Get the keyfrom the Key
+ sg.SignerName = pubkey.Hdr.Name
+ sg.Algorithm = dns.AlgRSASHA256
+
+ if len(m.Answer) > 0 {
+ // sign the first record
+ an := m.Answer[0]
+ sg.TypeCovered = an.Header().Rrtype
+ sg.Labels = dns.LabelCount(an.Header().Name)
+ sg.OrigTtl = an.Header().Ttl
+ switch p:=privkey.(type) {
+ case *rsa.PrivateKey:
+ sg.Sign(p, []dns.RR{an})
+ }
+ }
+ m.Answer = append(m.Answer, sg)
+ return m
+}
+
+func match(m *dns.Msg, d int) (*dns.Msg, bool) {
+ // Matching criteria
+ switch d {
+ case IN:
+ // nothing
+ case OUT:
+ // Note that when sending back only the mangling is important
+ // the actual return code of these function isn't checked by
+ // funkensturm
+ }
+
+ // Packet Mangling functions
+ switch d {
+ case IN:
+ // nothing
+ case OUT:
+ // On the way out sign the packet
+ m = sign(m) // keys are global
+ }
+ return m, true
+}
+
+func send(m *dns.Msg, ok bool) (*dns.Msg, bool) {
+ switch ok {
+ case true, false:
+ qr <- resolver.Msg{m, nil, nil}
+ in := <-qr
+ return in.Dns, true
+ }
+ return nil, false // Bug in Go, yes BUG IN GO
+}
+
+// qr is global and started by Funkensturm. If you
+// need 2 or more resolvers, you'll need to start
+// them yourself. This needs to be a global variable
+//var qr1 chan resolver.Msg
+
+var pubkey *dns.RR_DNSKEY
+var privkey dns.PrivateKey
+
+func setup() bool {
+ privdata := `Private-key-format: v1.3
+Algorithm: 5 (RSASHA1)
+Modulus: AaTnz33zSgSIWzUBSJwerZiUdsTmfQNaB+AKpN8FnVlhGOfabJ6ZCi123hjOr3ucE/LWfPGtmEppuFf2dmuJW/yO6s8td5q5b81PUOt+uPMNBGJ1T4DUO8sOQQp4SXw76Q7KIgcrj2RSuNt9qv3JC4VlQB6j7bgVF8er2gbKxbvR
+PublicExponent: AQAB
+PrivateExponent: /IkdBCupeEi7uHS5tPnvHAHPtNm5nf4xhWm9fBYpT0wjnlB+JTYbViXgoa+4uAhwK54nPvXxzovZz+UPLfwvFBoG3D0vYS+M9WWOBCnEuDK0MfcBWfTE2hlV13xDll1o7Pj/fvpRQ7paBhjpP6uBwlVI1vH6GR9kNXQRfWK1NQU=
+Prime1: AdG+8ixEeDzHKI2GRD7lGhrQ8EzN4Tc0mek1u6ioFZ0imohaPqtqNq7RWVo35cWuvYflhFQYzFn99HGRvfGfDv8=
+Prime2: 51psvlotBXuaqzrgfb5I6u7DG9JhU5WO68PZf1RMmq2e2xLvKvDGXCP5oFur9AOsHdbmahnzgFC1s18vg7kFLw==
+Exponent1: glXRJ5oxm7CQJKrCRmeOmpqF5Lhooi5SM/UZguUmx0Z7wFSg3Q9oJhvnyVuDLYLs/y63jWEzLqvm0DFc2lUMuQ==
+Exponent2: Aq3qan3y3Yhj7y28YdhtUcM4IT9bfzNRN2vKPg5E4Nm36EOc33twYKrN/kxxfl74hFPz0TDBwC+vGwe0LitbYw==
+Coefficient: AZX3xIGzo/3fw4ouA6nAjpiWGpTK+OdFRkZtvbmzwgqnFDQopB0SweVnd1shpKCXkPTkdvpLTdmhU/84CW5m7cQ=
+Created: 20110122104659
+Publish: 20110122104659
+Activate: 20110122104659`
+ pubkey = new(dns.RR_DNSKEY)
+ privkey, _ = pubkey.PrivateKeySetString(privdata)
+ pubkey.Hdr = dns.RR_Header{"miek.nl.", dns.TypeDNSKEY, dns.ClassINET, 3600, 0}
+ pubkey.Protocol = 3
+ pubkey.Flags = 256
+ return true
+}
+
+// Return the configration
+func funkensturm() *Funkensturm {
+ f := new(Funkensturm)
+
+ f.Setup = setup
+
+ f.Matches = make([]Match, 1)
+ f.Matches[0].Op = AND
+ f.Matches[0].Func = match
+
+ f.Actions = make([]Action, 1)
+ f.Actions[0].Func = send
+ return f
+}
diff --git a/_examples/funkensturm/funkensturm.go b/_examples/funkensturm/funkensturm.go
index 686bde44..23e6f53b 100644
--- a/_examples/funkensturm/funkensturm.go
+++ b/_examples/funkensturm/funkensturm.go
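Review bot: `privkey, _ = pubkey.PrivateKeySetString(privdata)` in setup() discards the second return value (presumably an error), so setup() reports true even when the key did not parse; sign() then falls through `switch p:=privkey.(type)` without ever calling `sg.Sign`, and `m.Answer = append(m.Answer, sg)` still attaches an RRSIG that was never signed — that same append also runs when m.Answer is empty, adding a zero-valued RRSIG to answerless replies. setup() should return false on a parse failure and sign() should append only inside the `len(m.Answer) > 0` branch, as below. Two further things a validator would reject deserve a comment if they are intentional for the example: the embedded key says `Algorithm: 5 (RSASHA1)` while the RRSIG is stamped `dns.AlgRSASHA256`, and Inception/Expiration are fixed 2011 timestamps. Whether `sg.Sign` returns an error that should also be checked is not visible here; the private key literal itself is raised on the Kmiek.nl.+005+21798.private hunk.
```go
func sign(m *dns.Msg) *dns.Msg {
	// … unchanged: RRSIG header, timestamps, key tag, signer name, algorithm …
	if len(m.Answer) > 0 {
		// … unchanged: TypeCovered, Labels, OrigTtl, type switch calling sg.Sign …
		// Attach the RRSIG only when there was a record to sign.
		m.Answer = append(m.Answer, sg)
	}
	return m
}

// … unchanged: match, send, globals …

func setup() bool {
	// … unchanged: privdata literal …
	pubkey = new(dns.RR_DNSKEY)
	var err error
	privkey, err = pubkey.PrivateKeySetString(privdata)
	if err != nil {
		return false // key did not parse: report failure instead of signing with a nil key
	}
	// … unchanged: Hdr, Protocol, Flags …
	return true
}
```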
@@ -88,10 +88,11 @@ func (s *server) ResponderUDP(c *net.UDPConn, a net.Addr, i []byte) {
 // loop again for matching, but now with OUT, this is done
 // for some last minute packet changing. Note the boolean return
- // code isn't used any more
+ // code isn't used any more, i.e No more actions are allowed
+ // anymore
 pkt1 = resultpkt
 for _, m := range f.Matches {
- pkt1, _ = m.Func(pkt1, IN)
+ pkt1, _ = m.Func(pkt1, OUT)
 }
 out, ok1 := pkt1.Pack()
@@ -103,6 +104,7 @@ func (s *server) ResponderUDP(c *net.UDPConn, a net.Addr, i []byte) {
 }
 func (s *server) ResponderTCP(c *net.TCPConn, in []byte) {
+ /* todo */
 }
 // Small helper function
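Review bot: The rewritten comment `// code isn't used any more, i.e No more actions are allowed` / `// anymore` says the same thing twice ("no more … anymore") and leaves "i.e" unpunctuated; `// code is ignored here: after this OUT pass no further actions run` states it once. The loop below also never checks that a match function kept pkt1 non-nil before `out, ok1 := pkt1.Pack()`; whether Pack tolerates a nil receiver is not visible in this hunk, so a guard is worth considering if any config's match may return nil. ResponderUDP begins and ends outside the hunk.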
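Review bot: ResponderTCP now has `/* todo */` as its entire body, so a TCP query reaches the handler and leaves it with no reply written and no record that it was dropped. A comment stating the contract, `// TODO: TCP is not implemented; the query is discarded and the connection is handed back to the caller unanswered`, keeps the stub from being mistaken for a finished handler; whether the caller closes c or logs the dropped query cannot be seen from this hunk.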