diff --git a/apihandler.go b/apihandler.go
index da204d6..26f58d0 100644
--- a/apihandler.go
+++ b/apihandler.go
@@ -69,6 +69,13 @@ func APIcommand(conf *Config) func(w http.ResponseWriter, r *http.Request) {
 resp = tapir.CommandResponse{
 Status: "ok", // only status we know, so far
 Msg: "We're happy, but send more cookies"}
+ case "stop":
+ log.Printf("Daemon instructed to stop\n")
+ resp = tapir.CommandResponse{
+ Status: "stopping",
+ Msg: "Daemon was happy, but now winding down",
+ }
+ conf.Internal.APIStopCh <- struct{}{}
 case "bump":
 resp.Msg, err = BumpSerial(conf, cp.Zone)
 if err != nil {
@@ -154,14 +161,14 @@ func APIcommand(conf *Config) func(w http.ResponseWriter, r *http.Request) {
 }
 resp.Msg = rpzresp.Msg
- case "stop":
- log.Printf("Daemon instructed to stop\n")
- // var done struct{}
+ // case "stop":
+ // log.Printf("Daemon instructed to stop\n")
+ // // var done struct{}
 // conf.Internal.APIStopCh <- done
- resp = tapir.CommandResponse{
- Status: "stopping",
- Msg: "Daemon was happy, but now winding down",
- }
+ // resp = tapir.CommandResponse{
+ // Status: "stopping",
+ // Msg: "Daemon was happy, but now winding down",
+ // }
 default:
 resp.ErrorMsg = fmt.Sprintf("Unknown command: %s", cp.Command)
 resp.Error = true
diff --git a/config.go b/config.go
index bc2b706..7fed9aa 100644
--- a/config.go
+++ b/config.go
@@ -93,6 +93,7 @@ type ApiserverConf struct {
 type InternalConf struct {
 // RefreshZoneCh chan RpzRefresher
 // RpzCmdCh chan RpzCmdData
+ APIStopCh chan struct{}
 }
 func ValidateConfig(v *viper.Viper, cfgfile string) error {
diff --git a/dnshandler.go b/dnshandler.go
index 5de792c..325b727 100644
--- a/dnshandler.go
+++ b/dnshandler.go
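Review bot: The send `conf.Internal.APIStopCh <- struct{}{}` in the new "stop" case blocks the HTTP handler until mainloop receives: the channel is created in main.go with `make(chan struct{})` (unbuffered), so if the receiver is not running, or the field was never assigned and is still a nil channel, the request hangs and the "stopping" response is never written. Creating the channel with `make(chan struct{}, 1)`, or using a non-blocking `select` with a `default` that sets `resp.Error`, lets the command return immediately. This command also shuts the daemon down for any caller that reaches the switch; whatever authentication APIcommand applies before the switch is outside the hunk, so it is worth confirming and stating in a comment on the case that "stop" is covered by it. APIcommand's body starts and ends outside the hunk.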
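Review bot: Commenting out the old "stop" case instead of deleting it leaves a second, dead copy of the case that the hunk at line 69 now carries live, and the same pattern appears in the dnshandler.go hunk, where the AXFR/IXFR branch is commented out in place. Version control already keeps the history, so removing the commented block here (together with the stray `// conf.Internal.APIStopCh <- done` line it surrounds) keeps the switch readable and avoids a reader wondering which copy is authoritative.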
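Review bot: The new exported field `APIStopCh` has no doc comment, and nothing in the struct says who writes and who reads it. From the other hunks in this commit, main assigns it, the API "stop" command sends on it and mainloop receives from it, so suggest `// APIStopCh carries the API "stop" command to mainloop; main assigns it at startup and APIcommand sends on it.` above the field.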
@@ -222,19 +222,19 @@ func ApexResponder(w dns.ResponseWriter, r *dns.Msg, zd *tapir.ZoneData,
 var glue tapir.RRset
 switch qtype {
- case dns.TypeAXFR, dns.TypeIXFR:
- // log.Printf("We have the zone %s, so let's try to serve it", qname)
- // log.Printf("SOA: %s", zd.SOA.String())
- // log.Printf("BodyRRs: %d (+ %d apex RRs)", len(zd.BodyRRs), zd.ApexLen)
-
- zd.Logger.Printf("ApexResponder: sending zone %s with %d body RRs to XfrOut",
- zd.ZoneName, len(zd.RRs))
-
- _, err := zd.ZoneTransferOut(w, r)
- if err != nil {
- zd.Logger.Printf("ApexResponder: error serving zone %s: %v", zd.ZoneName, err)
- }
- return nil
+ // case dns.TypeAXFR, dns.TypeIXFR:
+ // log.Printf("We have the zone %s, so let's try to serve it", qname)
+ // log.Printf("SOA: %s", zd.SOA.String())
+ // log.Printf("BodyRRs: %d (+ %d apex RRs)", len(zd.BodyRRs), zd.ApexLen)
+
+ // zd.Logger.Printf("ApexResponder: sending zone %s with %d body RRs to XfrOut",
+ // zd.ZoneName, len(zd.RRs))
+
+ // _, err := zd.ZoneTransferOut(w, r)
+ // if err != nil {
+ // zd.Logger.Printf("ApexResponder: error serving zone %s: %v", zd.ZoneName, err)
+ // }
+ // return nil
 case dns.TypeSOA:
 // zd.Logger.Printf("There are %d SOA RRs in %s. rrset: %v", len(apex.RRtypes[dns.TypeSOA].RRs),
 // zd.ZoneName, apex.RRtypes[dns.TypeSOA])
diff --git a/main.go b/main.go
index 5094c8d..4a322e0 100644
--- a/main.go
+++ b/main.go
@@ -18,6 +18,7 @@ import (
 _ "github.com/mattn/go-sqlite3"
 "github.com/spf13/viper"
+ "github.com/dnstapir/tapir"
 )
@@ -37,7 +38,7 @@ func (td *TemData) SaveRpzSerial() error {
 if serialFile == "" {
 log.Fatalf("TEMExiter:No serial cache file specified")
 }
- serialData := []byte(fmt.Sprintf("%d", td.Downstreams.Serial))
+ serialData := []byte(fmt.Sprintf("%d", td.Rpz.CurrentSerial))
 err := os.WriteFile(serialFile, serialData, 0644)
 if err != nil {
 log.Printf("Error writing current serial to file: %v", err)
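Review bot: With the AXFR/IXFR case commented out, an apex query for those types now falls through to whichever later branch of the switch matches (the `default` branch is outside the hunk), so what a transfer client receives is no longer explicit in the code. If outbound zone transfer is meant to be disabled, an explicit `case dns.TypeAXFR, dns.TypeIXFR:` that answers with REFUSED, preceded by a comment such as `// outbound zone transfer is disabled; refuse explicitly rather than fall through`, records the intent and keeps the behaviour stable if the later branches change. ApexResponder's body continues past the hunk.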
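Review bot: The added import `"github.com/dnstapir/tapir"` is placed after `github.com/spf13/viper`, whereas goimports sorts within a group and would put it before `github.com/mattn/go-sqlite3`; running gofmt/goimports on the file would settle the order. None of the main.go hunks in this diff reference the `tapir` package, so presumably it is used elsewhere in the file — otherwise the build fails on an unused import.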
@@ -102,6 +103,10 @@ func mainloop(conf *Config, configfile *string, td *TemData) {
 log.Println("mainloop: SIGHUP received. Forcing refresh of all configured zones.")
 log.Printf("mainloop: Requesting refresh of all RPZ zones")
 conf.TemData.RpzRefreshCh <- RpzRefresh{Name: ""}
+ case <-conf.Internal.APIStopCh:
+ log.Printf("mainloop: API instruction to stop\n")
+ td.SaveRpzSerial()
+ wg.Done()
 }
 }
 }()
@@ -183,7 +188,7 @@ func main() {
 }
 apistopper := make(chan struct{}) //
- // conf.Internal.APIStopCh = apistopper
+ conf.Internal.APIStopCh = apistopper
 go APIdispatcher(&conf, apistopper)
 // go httpsserver(&conf, apistopper)
diff --git a/output.go b/output.go
index 228dc05..766492c 100644
--- a/output.go
+++ b/output.go
@@ -60,6 +60,7 @@ func (td *TemData) ParseOutputs() error {
 }
 // Read the current value of td.Downstreams.Serial from a text file
 serialFile := viper.GetString("output.rpz.serialcache")
+ if serialFile != "" {
 serialData, err := os.ReadFile(serialFile)
 if err != nil {
@@ -277,7 +278,7 @@ func (td *TemData) ComputeRpzGreylistAction(name string) tapir.Action {
 if _, exists := greyHits["dns-tapir"]; exists {
 numtapirtags := greyHits["dns-tapir"].TagMask.NumTags()
- if numtapirtags > td.Policy.Greylist.NumTapirTags {
+ if numtapirtags >= td.Policy.Greylist.NumTapirTags {
 td.Logger.Printf("ComputeRpzGreylistAction: name %s has more than %d tapir tags, action is %s", name, td.Policy.Greylist.NumTapirTags, tapir.ActionToString[td.Policy.Greylist.NumTapirTagsAction])
 return td.Policy.Greylist.NumTapirTagsAction
diff --git a/tem-policy.sample.yaml b/tem-policy.sample.yaml
index 3cecba7..3e57d42 100644
--- a/tem-policy.sample.yaml
+++ b/tem-policy.sample.yaml
@@ -16,5 +16,5 @@ policy:
 limit: 4
 action: DROP
 blacktapir: # any of these->action
- tags: [ likelymalware, badip, childporn ]
+ tags: [ likelymalware, badip ]
 action: REDIRECT
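Review bot: `td.SaveRpzSerial()` returns an error that the new case discards; change it to `if err := td.SaveRpzSerial(); err != nil {` / `log.Printf("mainloop: saving RPZ serial on stop: %v", err)` / `}` so a failed write is at least visible before `wg.Done()`. Note also that SaveRpzSerial (the main.go hunk at line 37) calls `log.Fatalf` when `output.rpz.serialcache` is empty, while the output.go hunk at line 60 now treats that setting as optional, so an API "stop" on a daemon with no serial cache configured terminates through Fatalf instead of the orderly `wg.Done()` path. The enclosing goroutine and its select begin before the hunk.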
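Review bot: `apistopper` is now stored in `conf.Internal.APIStopCh` and, on the next line, also passed to `APIdispatcher(&conf, apistopper)`; if APIdispatcher receives from that channel too (its body is not in this diff), the single send from the "stop" command is consumed by whichever of mainloop or APIdispatcher wins and the other never sees it. Either give each consumer its own channel, or signal shutdown by closing the channel once rather than sending on it, so every receiver observes it; a comment on the assignment naming the intended consumers would make the contract clear.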
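Review bot: The new `if serialFile != "" {` opens a block whose closing brace is outside the hunk, so the reader cannot see what starting serial is used when the cache file is not configured; a one-line comment on the guard stating the fallback would help. The comment just above, `// Read the current value of td.Downstreams.Serial from a text file`, is also now stale, since the SaveRpzSerial hunk in main.go writes `td.Rpz.CurrentSerial` to this file and the reading side presumably assigns the same field; suggest `// Read the cached RPZ serial (see SaveRpzSerial) from a text file; optional, skipped when output.rpz.serialcache is unset`. ParseOutputs' body continues past the hunk.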
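Review bot: The comparison is now `>=` but the log line on the next line still says "has more than %d tapir tags", so the boundary case where the count equals the threshold is misreported; change the format to `"ComputeRpzGreylistAction: name %s has at least %d tapir tags, action is %s"`. Since this makes NumTapirTags an inclusive threshold, the config documentation for that key should say so. ComputeRpzGreylistAction continues outside the hunk.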