diff --git a/src/context.c b/src/context.c
index 00c685ce..94a88f72 100644
--- a/src/context.c
+++ b/src/context.c
@@ -515,6 +515,7 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams)
 	    ; upstreams->count
 	    ; upstreams->count--, upstream++ ) {
 
+		sha256_pin_t *pin = upstream->tls_pubkey_pinset;
 		if (upstream->loop && (   upstream->event.read_cb
 		                       || upstream->event.write_cb
 		                       || upstream->event.timeout_cb) ) {
@@ -530,6 +531,12 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams)
 		}
 		if (upstream->fd != -1)
 			close(upstream->fd);
+		while (pin) {
+			sha256_pin_t *nextpin = pin->next;
+			GETDNS_FREE(upstreams->mf, pin);
+			pin = nextpin;
+		}
+		upstream->tls_pubkey_pinset = NULL;
 	}
 	GETDNS_FREE(upstreams->mf, upstreams);
 }
@@ -669,6 +676,7 @@ upstream_init(getdns_upstream *upstream,
 	upstream->tls_hs_state = GETDNS_HS_NONE;
 	upstream->tls_auth_failed = 0;
 	upstream->tls_auth_name[0] = '\0';
+	upstream->tls_pubkey_pinset = NULL;
 	upstream->tcp.write_error = 0;
 	upstream->loop = NULL;
 	(void) getdns_eventloop_event_init(
diff --git a/src/context.h b/src/context.h
index 264cb687..729962ac 100644
--- a/src/context.h
+++ b/src/context.h
@@ -102,6 +102,12 @@ typedef struct getdns_tsig_info {
 
 const getdns_tsig_info *_getdns_get_tsig_info(getdns_tsig_algo tsig_alg);
 
+/* for doing public key pinning of TLS-capable upstreams: */
+typedef struct sha256_pin {
+	char pin[SHA256_DIGEST_LENGTH];
+	struct sha256_pin *next;
+} sha256_pin_t;
+
 typedef struct getdns_upstream {
 	/* backpointer to containing upstreams structure */
 	struct getdns_upstreams *upstreams;
@@ -126,6 +132,7 @@ typedef struct getdns_upstream {
 	getdns_tcp_state         tcp;
 	char                     tls_auth_name[256];
 	size_t                   tls_auth_failed;
+	sha256_pin_t            *tls_pubkey_pinset;
 
 	/* Pipelining of TCP network requests */
 	getdns_network_req      *write_queue;