diff --git a/doc/Changelog b/doc/Changelog
index e3ff95eb3..a3e2b0fbc 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+7 July 2009: Wouter
+	- iana portlist updated.
+
 6 July 2009: Wouter
 	- prettier error handling in SSL setup.
 	- makedist.sh uname fix (same as ldns).
diff --git a/doc/TODO b/doc/TODO
index de29ed1bb..9488f619e 100644
--- a/doc/TODO
+++ b/doc/TODO
@@ -158,6 +158,13 @@ Triggered by a trust anchor or by a signed DS record for a zone.
     it works, if spoofed every time unbound backs off and stops trying.
   * parent has inconsistently signed DS records.  Together with a subzone that
     is badly managed.  Unbound backs up to the root once per hour.
+  * parent has bad DS records, different sets on different servers, but they
+    are signed ok.  If child is okay with one set, unbound may get lucky
+    at one attempt and it'll work, otherwise, the parent is tried once in a
+    while but the zone goes dark.  Because the server that gave that bad DS
+    with good signature is not marked as problematic.
+    Perhaps mark the IPorigin of the DS as problematic on a failed applicated
+    DS as well.
   * domain is sold, but decomission is faster than the setup of new server.
     Unbound does exponential backoff, if new setup is fast, it'll pickup the
     new data fast.
diff --git a/util/iana_ports.inc b/util/iana_ports.inc
index 4f365e4e7..35a7f4882 100644
--- a/util/iana_ports.inc
+++ b/util/iana_ports.inc
@@ -4021,6 +4021,7 @@
 5025,
 5026,
 5027,
+5029,
 5030,
 5042,
 5043,
@@ -5124,6 +5125,7 @@
 25793,
 25900,
 25901,
+25902,
 25903,
 26000,
 26133,
@@ -5209,6 +5211,7 @@
 44818,
 45054,
 45678,
+45825,
 45966,
 46999,
 47000,