diff --git a/doc/Changelog b/doc/Changelog
index 2577d6ff2..731971332 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+9 April 2009: Wouter
+	- Fix for removal of RSASHA256_NSEC3 protonumber from ldns.
+	- ldns tarball updated.
+
 6 April 2009: Wouter
 	- windows compile fix.
 	- Detect FreeBSD jail without ipv6 addresses assigned.
diff --git a/ldns-src.tar.gz b/ldns-src.tar.gz
index f9366f90b..753a24a75 100644
Binary files a/ldns-src.tar.gz and b/ldns-src.tar.gz differ
diff --git a/validator/val_sigcrypt.c b/validator/val_sigcrypt.c
index 2a8fe7903..9b84ab9f4 100644
--- a/validator/val_sigcrypt.c
+++ b/validator/val_sigcrypt.c
@@ -372,11 +372,9 @@ dnskey_algo_id_is_supported(int id)
 	case LDNS_RSAMD5:
 #ifdef HAVE_EVP_SHA256
 	case LDNS_RSASHA256:
-	case LDNS_RSASHA256_NSEC3:
 #endif
 #ifdef HAVE_EVP_SHA512
 	case LDNS_RSASHA512:
-	case LDNS_RSASHA512_NSEC3:
 #endif
 		return 1;
 	default:
@@ -1241,11 +1239,9 @@ setup_key_digest(int algo, EVP_PKEY* evp_key, const EVP_MD** digest_type,
 		case LDNS_RSASHA1_NSEC3:
 #ifdef HAVE_EVP_SHA256
 		case LDNS_RSASHA256:
-		case LDNS_RSASHA256_NSEC3:
 #endif
 #ifdef HAVE_EVP_SHA512
 		case LDNS_RSASHA512:
-		case LDNS_RSASHA512_NSEC3:
 #endif
 			rsa = ldns_key_buf2rsa_raw(key, keylen);
 			if(!rsa) {
@@ -1261,14 +1257,12 @@ setup_key_digest(int algo, EVP_PKEY* evp_key, const EVP_MD** digest_type,
 
 			/* select SHA version */
 #ifdef HAVE_EVP_SHA256
-			if(algo == LDNS_RSASHA256 || 
-				algo == LDNS_RSASHA256_NSEC3)
+			if(algo == LDNS_RSASHA256)
 				*digest_type = EVP_sha256();
 			else
 #endif
 #ifdef HAVE_EVP_SHA512
-				if(algo == LDNS_RSASHA512 || 
-					algo == LDNS_RSASHA512_NSEC3)
+				if(algo == LDNS_RSASHA512)
 				*digest_type = EVP_sha512();
 			else
 #endif