diff --git a/node/NetworkConfigMaster.cpp b/attic/NetworkConfigMaster.cpp
similarity index 100%
rename from node/NetworkConfigMaster.cpp
rename to attic/NetworkConfigMaster.cpp
diff --git a/attic/NetworkConfigMaster.hpp b/attic/NetworkConfigMaster.hpp
new file mode 100644
index 000000000..f43861896
--- /dev/null
+++ b/attic/NetworkConfigMaster.hpp
@@ -0,0 +1,135 @@
+/*
+ * ZeroTier One - Network Virtualization Everywhere
+ * Copyright (C) 2011-2015  ZeroTier, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * --
+ *
+ * ZeroTier may be used and distributed under the terms of the GPLv3, which
+ * are available at: http://www.gnu.org/licenses/gpl-3.0.html
+ *
+ * If you would like to embed ZeroTier into a commercial application or
+ * redistribute it in a modified binary form, please contact ZeroTier Networks
+ * LLC. Start here: http://www.zerotier.com/
+ */
+
+#ifndef ZT_NETWORKCONFIGMASTER_HPP
+#define ZT_NETWORKCONFIGMASTER_HPP
+
+#include "Constants.hpp"
+
+#define ZT_LOCAL_CONFIG_NETCONF_REDIS_HOST "netconf.redisHost"
+#define ZT_LOCAL_CONFIG_NETCONF_REDIS_PORT "netconf.redisPort"
+#define ZT_LOCAL_CONFIG_NETCONF_REDIS_PORT_DEFAULT 6379
+#define ZT_LOCAL_CONFIG_NETCONF_REDIS_AUTH "netconf.redisAuth"
+#define ZT_LOCAL_CONFIG_NETCONF_REDIS_DBNUM "netconf.redisDatabaseNumber"
+#define ZT_LOCAL_CONFIG_NETCONF_REDIS_DBNUM_DEFAULT 0
+
+#ifdef ZT_ENABLE_NETCONF_MASTER
+
+#include <stdint.h>
+#include <string>
+#include <map>
+#include <vector>
+
+#include "Address.hpp"
+#include "Dictionary.hpp"
+#include "Mutex.hpp"
+#include "InetAddress.hpp"
+
+#include <hiredis/hiredis.h>
+
+namespace ZeroTier {
+
+class RuntimeEnvironment;
+
+/**
+ * Network configuration master -- responds to NETCONF requests
+ *
+ * This requires the 'hiredis' C library to build.
+ */
+class NetworkConfigMaster
+{
+public:
+	/**
+	 * Create netconf master
+	 *
+	 * This doesn't connect to Redis until the first request is received.
+	 *
+	 * @param renv Runtime environment
+	 * @param redisHost Hostname or IP of Redis server
+	 * @param redisPort Redis IP port number
+	 * @param redisPassword Redis AUTH password or NULL if none
+	 * @param redisDatabaseNumber Redis database number (usually 0)
+	 */
+	NetworkConfigMaster(
+		const RuntimeEnvironment *renv,
+		const char *redisHost,
+		unsigned int redisPort,
+		const char *redisPassword,
+		unsigned int redisDatabaseNumber);
+
+	~NetworkConfigMaster();
+
+	/**
+	 * Handle a network config request, sending replies if necessary
+	 *
+	 * This is a blocking call, so rate is limited by Redis. It will fail
+	 * and log its failure if the Redis server is not available or times out.
+	 *
+	 * @param fromAddr Originating IP address
+	 * @param packetId 64-bit packet ID
+	 * @param member Originating peer ZeroTier address
+	 * @param nwid 64-bit network ID
+	 * @param metaData Meta-data bundled with request (empty if none)
+	 * @param haveTimestamp Timestamp requesting peer has or 0 if none or not included
+	 */
+	void doNetworkConfigRequest(
+		const InetAddress &fromAddr,
+		uint64_t packetId,
+		const Address &member,
+		uint64_t nwid,
+		const Dictionary &metaData,
+		uint64_t haveTimestamp);
+
+private:
+	// These assume _lock is locked
+	bool _reconnect();
+	bool _hgetall(const char *key,Dictionary &hdata);
+	bool _hmset(const char *key,const Dictionary &hdata);
+	bool _hget(const char *key,const char *hashKey,std::string &value);
+	bool _hset(const char *key,const char *hashKey,const char *value);
+	bool _get(const char *key,std::string &value);
+	bool _smembers(const char *key,std::vector<std::string> &sdata);
+
+	bool _initNewMember(uint64_t nwid,const Address &member,const Dictionary &metaData,Dictionary &memberRecord);
+	bool _generateNetconf(uint64_t nwid,const Address &member,const Dictionary &metaData,std::string &netconf,uint64_t &ts);
+
+	Mutex _lock;
+
+	std::string _redisHost;
+	std::string _redisPassword;
+	unsigned int _redisPort;
+	unsigned int _redisDatabaseNumber;
+
+	const RuntimeEnvironment *RR;
+	redisContext *_rc;
+};
+
+} // namespace ZeroTier
+
+#endif // ZT_ENABLE_NETCONF_MASTER
+
+#endif
diff --git a/node/IncomingPacket.cpp b/node/IncomingPacket.cpp
index e87369c0a..7bc8cc9c9 100644
--- a/node/IncomingPacket.cpp
+++ b/node/IncomingPacket.cpp
@@ -622,29 +622,70 @@ bool IncomingPacket::_doNETWORK_CONFIG_REQUEST(const RuntimeEnvironment *RR,cons
 {
 	try {
 		uint64_t nwid = at<uint64_t>(ZT_PROTO_VERB_NETWORK_CONFIG_REQUEST_IDX_NETWORK_ID);
+		unsigned int metaDataLength = at<uint16_t>(ZT_PROTO_VERB_NETWORK_CONFIG_REQUEST_IDX_DICT_LEN);
+		Dictionary metaData((const char *)field(ZT_PROTO_VERB_NETWORK_CONFIG_REQUEST_IDX_DICT,metaDataLength),metaDataLength);
+		uint64_t haveTimestamp = 0;
+		if ((ZT_PROTO_VERB_NETWORK_CONFIG_REQUEST_IDX_DICT + metaDataLength + 8) <= size())
+			haveTimestamp = at<uint64_t>(ZT_PROTO_VERB_NETWORK_CONFIG_REQUEST_IDX_DICT + metaDataLength);
+
+		peer->received(RR,_fromSock,_remoteAddress,hops(),packetId(),Packet::VERB_NETWORK_CONFIG_REQUEST,0,Packet::VERB_NOP,Utils::now());
 
-#ifdef ZT_ENABLE_NETCONF_MASTER
 		if (RR->netconfMaster) {
-			unsigned int metaDataLength = at<uint16_t>(ZT_PROTO_VERB_NETWORK_CONFIG_REQUEST_IDX_DICT_LEN);
-			Dictionary metaData((const char *)field(ZT_PROTO_VERB_NETWORK_CONFIG_REQUEST_IDX_DICT,metaDataLength),metaDataLength);
-			uint64_t haveTimestamp = 0;
-			if ((ZT_PROTO_VERB_NETWORK_CONFIG_REQUEST_IDX_DICT + metaDataLength + 8) <= size())
-				haveTimestamp = at<uint64_t>(ZT_PROTO_VERB_NETWORK_CONFIG_REQUEST_IDX_DICT + metaDataLength);
-			RR->netconfMaster->doNetworkConfigRequest(_remoteAddress,packetId(),source(),nwid,metaData,haveTimestamp);
+			Dictionary netconf;
+			switch(RR->netconfMaster->doNetworkConfigRequest(_remoteAddress,packetId(),source(),nwid,metaData,haveTimestamp,netconf)) {
+				case NetworkConfigMaster::NETCONF_QUERY_OK: {
+					std::string netconfStr(netconf.toString());
+					if (netconfStr.length() > 0xffff) { // sanity check since field ix 16-bit
+						LOG("NETWORK_CONFIG_REQUEST failed: internal error: netconf size %u is too large",(unsigned int)netconfStr.length());
+					} else {
+						Packet outp(peer->address(),RR->identity.address(),Packet::VERB_OK);
+						outp.append((unsigned char)Packet::VERB_NETWORK_CONFIG_REQUEST);
+						outp.append(packetId());
+						outp.append(nwid);
+						outp.append((uint16_t)netconfStr.length());
+						outp.append(netconfStr.data(),netconfStr.length());
+						outp.compress();
+						if (outp.size() > ZT_PROTO_MAX_PACKET_LENGTH) {
+							LOG("NETWORK_CONFIG_REQUEST failed: internal error: netconf size %u is too large",(unsigned int)netconfStr.length());
+						} else {
+							_fromSock->send(_remoteAddress,outp.data(),outp.size());
+						}
+					}
+				}	break;
+				case NetworkConfigMaster::NETCONF_QUERY_OBJECT_NOT_FOUND: {
+					Packet outp(peer->address(),RR->identity.address(),Packet::VERB_ERROR);
+					outp.append((unsigned char)Packet::VERB_NETWORK_CONFIG_REQUEST);
+					outp.append(packetId());
+					outp.append((unsigned char)Packet::ERROR_OBJ_NOT_FOUND);
+					outp.append(nwid);
+					outp.armor(peer->key(),true);
+					_fromSock->send(_remoteAddress,outp.data(),outp.size());
+				}	break;
+				case NetworkConfigMaster::NETCONF_QUERY_ACCESS_DENIED: {
+					Packet outp(peer->address(),RR->identity.address(),Packet::VERB_ERROR);
+					outp.append((unsigned char)Packet::VERB_NETWORK_CONFIG_REQUEST);
+					outp.append(packetId());
+					outp.append((unsigned char)Packet::ERROR_NETWORK_ACCESS_DENIED_);
+					outp.append(nwid);
+					outp.armor(peer->key(),true);
+					_fromSock->send(_remoteAddress,outp.data(),outp.size());
+				} break;
+				case NetworkConfigMaster::NETCONF_QUERY_INTERNAL_SERVER_ERROR:
+					LOG("NETWORK_CONFIG_REQUEST failed: internal error: %s",netconf.get("error","(unknown)").c_str());
+					break;
+				default:
+					TRACE("NETWORK_CONFIG_REQUEST failed: invalid return value from NetworkConfigMaster::doNetworkConfigRequest()");
+					break;
+			}
 		} else {
-#endif
-			Packet outp(source(),RR->identity.address(),Packet::VERB_ERROR);
+			Packet outp(peer->address(),RR->identity.address(),Packet::VERB_ERROR);
 			outp.append((unsigned char)Packet::VERB_NETWORK_CONFIG_REQUEST);
 			outp.append(packetId());
 			outp.append((unsigned char)Packet::ERROR_UNSUPPORTED_OPERATION);
 			outp.append(nwid);
 			outp.armor(peer->key(),true);
 			_fromSock->send(_remoteAddress,outp.data(),outp.size());
-#ifdef ZT_ENABLE_NETCONF_MASTER
 		}
-#endif
-
-		peer->received(RR,_fromSock,_remoteAddress,hops(),packetId(),Packet::VERB_NETWORK_CONFIG_REQUEST,0,Packet::VERB_NOP,Utils::now());
 	} catch (std::exception &exc) {
 		TRACE("dropped NETWORK_CONFIG_REQUEST from %s(%s): unexpected exception: %s",source().toString().c_str(),_remoteAddress.toString().c_str(),exc.what());
 	} catch ( ... ) {
diff --git a/node/NetworkConfigMaster.hpp b/node/NetworkConfigMaster.hpp
index f43861896..5e2ab6fc5 100644
--- a/node/NetworkConfigMaster.hpp
+++ b/node/NetworkConfigMaster.hpp
@@ -28,108 +28,65 @@
 #ifndef ZT_NETWORKCONFIGMASTER_HPP
 #define ZT_NETWORKCONFIGMASTER_HPP
 
-#include "Constants.hpp"
-
-#define ZT_LOCAL_CONFIG_NETCONF_REDIS_HOST "netconf.redisHost"
-#define ZT_LOCAL_CONFIG_NETCONF_REDIS_PORT "netconf.redisPort"
-#define ZT_LOCAL_CONFIG_NETCONF_REDIS_PORT_DEFAULT 6379
-#define ZT_LOCAL_CONFIG_NETCONF_REDIS_AUTH "netconf.redisAuth"
-#define ZT_LOCAL_CONFIG_NETCONF_REDIS_DBNUM "netconf.redisDatabaseNumber"
-#define ZT_LOCAL_CONFIG_NETCONF_REDIS_DBNUM_DEFAULT 0
-
-#ifdef ZT_ENABLE_NETCONF_MASTER
-
 #include <stdint.h>
-#include <string>
-#include <map>
-#include <vector>
 
-#include "Address.hpp"
-#include "Dictionary.hpp"
-#include "Mutex.hpp"
+#include "Constants.hpp"
 #include "InetAddress.hpp"
-
-#include <hiredis/hiredis.h>
+#include "Dictionary.hpp"
+#include "Address.hpp"
 
 namespace ZeroTier {
 
 class RuntimeEnvironment;
 
 /**
- * Network configuration master -- responds to NETCONF requests
- *
- * This requires the 'hiredis' C library to build.
+ * Interface for network configuration (netconf) master implementations
  */
 class NetworkConfigMaster
 {
 public:
 	/**
-	 * Create netconf master
-	 *
-	 * This doesn't connect to Redis until the first request is received.
-	 *
-	 * @param renv Runtime environment
-	 * @param redisHost Hostname or IP of Redis server
-	 * @param redisPort Redis IP port number
-	 * @param redisPassword Redis AUTH password or NULL if none
-	 * @param redisDatabaseNumber Redis database number (usually 0)
+	 * Return value of doNetworkConfigRequest
 	 */
-	NetworkConfigMaster(
-		const RuntimeEnvironment *renv,
-		const char *redisHost,
-		unsigned int redisPort,
-		const char *redisPassword,
-		unsigned int redisDatabaseNumber);
+	enum ResultCode
+	{
+		NETCONF_QUERY_OK = 0,
+		NETCONF_QUERY_OBJECT_NOT_FOUND = 1,
+		NETCONF_QUERY_ACCESS_DENIED = 2,
+		NETCONF_QUERY_INTERNAL_SERVER_ERROR = 3
+	};
 
-	~NetworkConfigMaster();
+	NetworkConfigMaster() {}
+	virtual ~NetworkConfigMaster() {}
 
 	/**
 	 * Handle a network config request, sending replies if necessary
 	 *
-	 * This is a blocking call, so rate is limited by Redis. It will fail
-	 * and log its failure if the Redis server is not available or times out.
+	 * This call is permitted to block, and may be called concurrently from more
+	 * than one thread. Implementations must use locks if needed.
+	 *
+	 * On internal server errors, the 'error' field in result can be filled in
+	 * to indicate the error.
 	 *
 	 * @param fromAddr Originating IP address
 	 * @param packetId 64-bit packet ID
 	 * @param member Originating peer ZeroTier address
 	 * @param nwid 64-bit network ID
 	 * @param metaData Meta-data bundled with request (empty if none)
-	 * @param haveTimestamp Timestamp requesting peer has or 0 if none or not included
+	 * @param haveTimestamp Timestamp sent by requesting peer or 0 if none
+	 * @param result Dictionary to receive resulting signed netconf on success
+	 * @return Returns NETCONF_QUERY_OK if result dictionary is valid, or an error code on error
 	 */
-	void doNetworkConfigRequest(
+	virtual NetworkConfigMaster::ResultCode doNetworkConfigRequest(
 		const InetAddress &fromAddr,
 		uint64_t packetId,
 		const Address &member,
 		uint64_t nwid,
 		const Dictionary &metaData,
-		uint64_t haveTimestamp);
-
-private:
-	// These assume _lock is locked
-	bool _reconnect();
-	bool _hgetall(const char *key,Dictionary &hdata);
-	bool _hmset(const char *key,const Dictionary &hdata);
-	bool _hget(const char *key,const char *hashKey,std::string &value);
-	bool _hset(const char *key,const char *hashKey,const char *value);
-	bool _get(const char *key,std::string &value);
-	bool _smembers(const char *key,std::vector<std::string> &sdata);
-
-	bool _initNewMember(uint64_t nwid,const Address &member,const Dictionary &metaData,Dictionary &memberRecord);
-	bool _generateNetconf(uint64_t nwid,const Address &member,const Dictionary &metaData,std::string &netconf,uint64_t &ts);
-
-	Mutex _lock;
-
-	std::string _redisHost;
-	std::string _redisPassword;
-	unsigned int _redisPort;
-	unsigned int _redisDatabaseNumber;
-
-	const RuntimeEnvironment *RR;
-	redisContext *_rc;
+		uint64_t haveTimestamp,
+		Dictionary &result) = 0;
 };
 
 } // namespace ZeroTier
 
-#endif // ZT_ENABLE_NETCONF_MASTER
-
 #endif
diff --git a/node/Node.cpp b/node/Node.cpp
index 20d09108e..28c9ddaa9 100644
--- a/node/Node.cpp
+++ b/node/Node.cpp
@@ -108,9 +108,7 @@ struct _NodeImpl
 		delete renv.mc;            renv.mc = (Multicaster *)0;
 		delete renv.antiRec;       renv.antiRec = (AntiRecursion *)0;
 		delete renv.sw;            renv.sw = (Switch *)0;                // order matters less from here down
-#ifdef ZT_ENABLE_NETCONF_MASTER
 		delete renv.netconfMaster; renv.netconfMaster = (NetworkConfigMaster *)0;
-#endif
 		delete renv.http;          renv.http = (HttpClient *)0;
 		delete renv.prng;          renv.prng = (CMWC4096 *)0;
 		delete renv.log;           renv.log = (Logger *)0;               // but stop logging last of all
@@ -310,21 +308,6 @@ Node::ReasonForTermination Node::run()
 		}
 		RR->node = this;
 
-#ifdef ZT_ENABLE_NETCONF_MASTER
-		{
-			std::string redisHost(RR->nc->getLocalConfig(ZT_LOCAL_CONFIG_NETCONF_REDIS_HOST));
-			if (redisHost.length() > 0) {
-				unsigned int redisPort = Utils::strToUInt(RR->nc->getLocalConfig(ZT_LOCAL_CONFIG_NETCONF_REDIS_PORT).c_str());
-				if ((redisPort == 0)||(redisPort > 0xffff))
-					redisPort = ZT_LOCAL_CONFIG_NETCONF_REDIS_PORT_DEFAULT;
-				std::string redisAuth(RR->nc->getLocalConfig(ZT_LOCAL_CONFIG_NETCONF_REDIS_AUTH));
-				std::string redisDatabaseNumberStr(RR->nc->getLocalConfig(ZT_LOCAL_CONFIG_NETCONF_REDIS_DBNUM));
-				unsigned int redisDatabaseNumber = (redisDatabaseNumberStr.length() > 0) ? Utils::strToUInt(redisDatabaseNumberStr.c_str()) : (unsigned int)ZT_LOCAL_CONFIG_NETCONF_REDIS_DBNUM_DEFAULT;
-				RR->netconfMaster = new NetworkConfigMaster(RR,redisHost.c_str(),redisPort,redisAuth.c_str(),redisDatabaseNumber);
-			}
-		}
-#endif
-
 #ifdef ZT_AUTO_UPDATE
 		if (ZT_DEFAULTS.updateLatestNfoURL.length()) {
 			RR->updater = new SoftwareUpdater(RR);
diff --git a/objects.mk b/objects.mk
index 7f9895960..0b6c9c4f9 100644
--- a/objects.mk
+++ b/objects.mk
@@ -17,7 +17,6 @@ OBJS=\
 	node/Multicaster.o \
 	node/Network.o \
 	node/NetworkConfig.o \
-	node/NetworkConfigMaster.o \
 	node/Node.o \
 	node/NodeConfig.o \
 	node/OutboundMulticast.o \