diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index c12ecacc5a..e255b6e2a9 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -1622,6 +1622,14 @@ dns_dnssec_keylistfromrdataset(const dns_name_t *origin,
 result = dns_rdataset_next(&keys)) {
 dns_rdata_reset(&rdata);
 dns_rdataset_current(&keys, &rdata);
+
+ /* Skip unsupported algorithms */
+ REQUIRE(rdata.type == dns_rdatatype_key ||
+ rdata.type == dns_rdatatype_dnskey);
+ REQUIRE(rdata.length > 3);
+ if (!dst_algorithm_supported(rdata.data[3]))
+ goto skip;
+
 RETERR(dns_dnssec_keyfromrdata(origin, &rdata, mctx, &pubkey));
 dst_key_setttl(pubkey, keys.ttl);
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
index 50930b66d6..e60375e039 100644
--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
@@ -274,7 +274,7 @@ dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory,
 /*%<
 * Search 'directory' for K* key files matching the name in 'origin'.
 * Append all such keys, along with use hints gleaned from their
- * metadata, onto 'keylist'.
+ * metadata, onto 'keylist'. Skip any unsupported algorithms.
 *
 * Requires:
 *\li 'keylist' is not NULL
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
index 861e909422..f30d69591b 100644
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@@ -1811,8 +1811,17 @@ dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
 result == ISC_R_SUCCESS;
 result = dns_rdataset_next(&rdataset)) {
 dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdataset_current(&rdataset, &rdata);
+
+ /* Skip unsupported algorithms when
+ * calculating the maximum iterations.
+ */
+ REQUIRE(rdata.type == dns_rdatatype_key ||
+ rdata.type == dns_rdatatype_dnskey);
+ REQUIRE(rdata.length > 3);
+ if (!dst_algorithm_supported(rdata.data[3]))
+ continue;
+
 isc_buffer_init(&buffer, rdata.data, rdata.length);
 isc_buffer_add(&buffer, rdata.length);
 CHECK(dst_key_fromdns(dns_db_origin(db), rdataset.rdclass,
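Review bot: The `goto skip` added in the dnssec.c hunk jumps to a label outside the hunk, and the rest of dns_dnssec_keylistfromrdataset (including that label and its cleanup) is not visible here; if the code at `skip:` presumably frees `pubkey`, this early exit relies on `pubkey` being NULL at that point, which is worth confirming against the full function. The magic index in `rdata.data[3]` deserves a comment since it depends on the RDATA layout: `/* Algorithm is octet 3 of KEY/DNSKEY RDATA: flags(2), protocol(1), algorithm(1). */` above the `REQUIRE(rdata.length > 3);` line. Note also that REQUIRE aborts the process on failure, so the new type check is a hard contract that every caller passes only KEY or DNSKEY rdatasets rather than a recoverable error.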
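Review bot: The sentence `Skip any unsupported algorithms.` in the dnssec.h hunk is added to the comment block that follows the dns_dnssec_findmatchingkeys prototype (the function named in the hunk header), while the code change visible in this patch is to dns_dnssec_keylistfromrdataset; unless findmatchingkeys was changed as well in a part of the patch I cannot see, the caveat is attached to the wrong prototype. Either way, the header comment for dns_dnssec_keylistfromrdataset, outside this hunk, should carry the same caveat so callers know that keys with unsupported algorithms are now silently omitted from 'keylist' instead of producing an error.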
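Review bot: In the nsec3.c hunk the removed `dns_rdataset_current(&rdataset, &rdata);` is not re-added on the new side, so `rdata` still holds `DNS_RDATA_INIT` (type and length zero) when the new `REQUIRE(rdata.type == dns_rdatatype_key || ...)` runs; as written, the assertion fails on the first key, and with assertions stripped the following `isc_buffer_init` would be given an empty rdata. Restore the fetch directly after the `dns_rdata_t rdata = DNS_RDATA_INIT;` line: `dns_rdataset_current(&rdataset, &rdata);`. If the dropped line is an artifact of how this diff was rendered, disregard. The remainder of dns_nsec3_maxiterations, including what follows `CHECK(dst_key_fromdns(...`, continues past the end of the hunk.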