diff --git a/tlsaroll b/tlsaroll
index 38665be..6f8d251 100755
--- a/tlsaroll
+++ b/tlsaroll
@@ -20,7 +20,6 @@ use autodie;
 
 use Data::Dumper;
 use Digest::SHA;
-use File::Copy;
 use Getopt::Long;
 use MIME::Base64;
 use Net::DNS;
@@ -37,9 +36,9 @@ my $port = 53;
 my $ttl = 3600;
 my $help = 0;
 my $tsigalgo = 'hmac-sha256';
-my $serviceaction = 'reload';
+my $exit_code = 1;
 my ($current_cert, $new_cert, $tsigname, $tsigkey, $server, $verbose, $tsig);
-my ($service, $domain, $dnsname, $state_file);
+my ($domain, $dnsname, $state_file);
 my ($current_cert_tlsa, $new_cert_tlsa, $state, $update, $wait_until, $now);
 
 GetOptions("help|?" => \$help,
@@ -51,9 +50,7 @@ GetOptions("help|?" => \$help,
 	   "tsigkey=s" => \$tsigkey,
 	   "tsigalgo=s" => \$tsigalgo,
 	   "domain=s" => \$domain,
-	   "dnsname=s" => \$dnsname,
-	   "service=s" => \$service,
-	   "serviceaction=s" => \$serviceaction)
+	   "dnsname=s" => \$dnsname)
     or die("Error in command line arguments\n");
 
 pod2usage(1) if ($help or scalar(@ARGV) != 2);
@@ -75,11 +72,6 @@ if (!defined $dnsname) {
     pod2usage(1);
 }
 
-if (!defined $service) {
-    say STDERR "service to restart missing.";
-    pod2usage(1);
-}
-
 $state_file = STATE_DIR.$dnsname;
 
 $current_cert_tlsa = gen_tlsa($dnsname, $current_cert);
@@ -101,17 +93,19 @@ say($state->{'state'}, "\n", ('-' x length($state->{'state'})), "\n\t",
 if ($state->{state} eq 'OK') {
     # nothing to do
     unlink $state_file if (-f $state_file);
-    exit(0);
+    $exit_code = 2;
 } elsif ($state->{state} eq 'NXDOMAIN') {
     # no TLSA record what so ever, add record for current cert
     unlink $state_file if (-f $state_file);
     $update = new Net::DNS::Update($domain);
     $update->push(update => rr_add($current_cert_tlsa->string));
+    $exit_code = 0;
 } elsif ($state->{state} eq 'NEED2ND') {
     # we generated a new cert, add tlsa record
     unlink $state_file if (-f $state_file);
     $update = new Net::DNS::Update($domain);
     $update->push(update => rr_add($new_cert_tlsa->string));
+    $exit_code = 2;
 } elsif ($state->{state} eq '2TLSA') {
     $now = time();
     $wait_until = get_wait_until($server, $port, $domain, $dnsname,
@@ -119,23 +113,22 @@ if ($state->{state} eq 'OK') {
     if (defined $wait_until) {
 	if ($wait_until > $now) {
 	    say 'need to wait until '.localtime($wait_until) if ($verbose);
-	    exit(0);
+	    $exit_code = 2;
 	} else {
-	    copy($new_cert, $current_cert);
-	    system '/usr/sbin/rcctl', $serviceaction, $service;
 	    $update = new Net::DNS::Update($domain);
 	    $update->push(update => rr_del($current_cert_tlsa->string));
 	    unlink $state_file if (-f $state_file);
+	    $exit_code = 0;
 	}
     } else {
 	say $state->{state},': not yet propagated to auths, wait'
 	    if ($verbose);
-	exit(0);
+	$exit_code = 2;
     }
 } else {
     say STDERR "don't know how to handle ", '"', $state->{state}, '" ',
 	'("', $state->{msg}, '")';
-    exit(1);
+    $exit_code=1;
 }
 
 if ($update && defined $tsigname && defined $tsigkey) {
@@ -146,6 +139,9 @@ if ($update && defined $tsigname && defined $tsigkey) {
 
 handle_update($server, $port, $domain, $update) if (defined $update);
 
+say "exit: ", $exit_code;
+exit($exit_code);
+
 sub handle_update {
     my ($server, $port, $domain, $update) = @_;
     my ($resolver, $reply);
@@ -338,8 +334,6 @@ tlsaroll [options] currentcert newcert
     -tsigalgo		tsig algorithm
     -domain		DNS domain
     -dnsname		DNS name for TLSA record
-    -service		service to restart or reload
-    -serviceaction	rrctl action
 
 =head1 OPTIONS