diff --git a/doc/Changelog b/doc/Changelog index 9471a489a..4f343765b 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -3,6 +3,9 @@ - generated configure with autoconf-2.61. - iana portlist updated. - detect if libssl needs libdl. For static linking with libssl. + - changed to use new algorithm identifiers for sha256/sha512 + from ldns 1.4.0 (need very latest version). + - updated the included ldns tarball. 23 October 2008: Wouter - a little more debug info for failure on signer names. prints names. diff --git a/ldns-src.tar.gz b/ldns-src.tar.gz index 31737b5c2..e1ae23bb4 100644 Binary files a/ldns-src.tar.gz and b/ldns-src.tar.gz differ diff --git a/testdata/test_signatures.10 b/testdata/test_signatures.10 index 42d9ef1e0..a5404f865 100644 --- a/testdata/test_signatures.10 +++ b/testdata/test_signatures.10 @@ -10,7 +10,7 @@ ENTRY_BEGIN SECTION QUESTION sub.example.com. IN DNSKEY SECTION ANSWER -example.com. 3600 IN DNSKEY 256 3 9 AwEAAeHRRbGrk8zEVeSLNlELTGcvJLEiv+OJp1HWhq+kitN3p+IjLT2YmV2p43ReRiPSBDjzsf/8VPKCsGaDeli0/cq3u0s54ft8KB9lYbMDKg0LQkDdjVY2Ah5l7FRZGDn+AnmxWlZ3mp8ZREs2NCtQW5GOiKzZtJfftUZ9f8PXemIV ;{id = 54034 (zsk), size = 1024b} +example.com. 3600 IN DNSKEY 256 3 10 AwEAAb3HJP1WF0wWvk9VqqZ2+xTpURPSwyiZcNRlO/hAXJisMA4/ZN2Kf0aNGewVDa6IhT8ehww5FBvVJm3R1KW/hqO+H3WzvCBpVDv1JdDqZvHMGiqEd2lCfKz4+fxuJ+HeUJBZlTz6pm9Rlqevry5uB7sKpgddDe2fK9CFCr7M1BzX ;{id = 18320 (zsk), size = 1024b} ENTRY_END ; entry to test 
@@ -19,6 +19,6 @@ SECTION QUESTION www.example.com. IN A SECTION ANSWER www.example.com. 3600 IN A 192.0.2.66 -www.example.com. 3600 IN RRSIG A 9 3 3600 20070926134150 20070829134150 54034 example.com. FASMRTKfNKrj4o5gEkwfIjlqw2o03ZaoT95TcEdhBW80iyhi3cN3FESX7cquyqQ3AoA3i7OU5bqFVeLoQq9zeE8G2qHklpSPjrEFPHB/HKPtweb5rk4+yZqo9b0G375We12sZWHY5/gpaL2zVgX5A3j2H78rlfM7EMVnOEOIc0Y= ;{id = 54034} +www.example.com. 3600 IN RRSIG A 10 3 3600 20070926134150 20070829134150 18320 example.com. m0FS92Zg6oyJE7CEwa4o2hkV+U6M/Xvniem/vLo9pz4tsAv7xxlMgT0Q8Uxl+pugiHTMSJ78V6fG/Kv6FZgesxKu70mLHQo1SjAgozRHuNwUB6cD8yeOeX0WafbRW4IfvSs6uauc+/SRukBFhJMdiX/IXw3syUGfntm03jcpWoc= ;{id = 18320} ENTRY_END diff --git a/validator/val_sigcrypt.c b/validator/val_sigcrypt.c index e033fdc0d..a6dd8f2d2 100644 --- a/validator/val_sigcrypt.c +++ b/validator/val_sigcrypt.c @@ -372,9 +372,11 @@ dnskey_algo_id_is_supported(int id) case LDNS_RSAMD5: #ifdef SHA256_DIGEST_LENGTH case LDNS_RSASHA256: + case LDNS_RSASHA256_NSEC3: #endif #ifdef SHA512_DIGEST_LENGTH case LDNS_RSASHA512: + case LDNS_RSASHA512_NSEC3: #endif return 1; default: @@ -1302,9 +1304,11 @@ setup_key_digest(int algo, EVP_PKEY* evp_key, const EVP_MD** digest_type, case LDNS_RSASHA1_NSEC3: #ifdef SHA256_DIGEST_LENGTH case LDNS_RSASHA256: + case LDNS_RSASHA256_NSEC3: #endif #ifdef SHA512_DIGEST_LENGTH case LDNS_RSASHA512: + case LDNS_RSASHA512_NSEC3: #endif rsa = ldns_key_buf2rsa_raw(key, keylen); if(!rsa) { @@ -1320,12 +1324,14 @@ setup_key_digest(int algo, EVP_PKEY* evp_key, const EVP_MD** digest_type, /* select SHA version */ #ifdef SHA256_DIGEST_LENGTH - if(algo == LDNS_RSASHA256) + if(algo == LDNS_RSASHA256 || + algo == LDNS_RSASHA256_NSEC3) *digest_type = EVP_sha256(); else #endif #ifdef SHA512_DIGEST_LENGTH - if(algo == LDNS_RSASHA512) + if(algo == LDNS_RSASHA512 || + algo == LDNS_RSASHA512_NSEC3) *digest_type = EVP_sha512(); else #endif
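Review bot: The new `case LDNS_RSASHA256_NSEC3:` and `case LDNS_RSASHA512_NSEC3:` labels in dnskey_algo_id_is_supported() are guarded only by the OpenSSL macros `SHA256_DIGEST_LENGTH` and `SHA512_DIGEST_LENGTH`, although the identifiers come from ldns and the changelog says they need ldns 1.4.0. No ldns version check is visible in this commit, so a build against an older installed ldns would presumably fail at these lines rather than at configure time. The same list is repeated in setup_key_digest() (hunk at -1302), and an identifier accepted here but not handled there would likely surface as a failed validation rather than as an unsupported algorithm. I would put a comment above both switches, for example `/* keep in sync with setup_key_digest(): every id accepted here must get a key and a digest there */`. The updated testdata/test_signatures.10 carries a vector for algorithm 10 only, so the other newly accepted identifiers appear untested by this change; both switch bodies continue outside the hunks.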
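Review bot: The digest selection in setup_key_digest() (hunk at -1320) is an `if … else` chain split across `#ifdef` blocks, so an identifier that matches no test falls through to whatever follows the last `else`. That statement is outside the hunk and is presumably the default digest. Now that the `case` list above accepts four SHA-2 identifiers, one missed here would be verified with the wrong digest and show up only as a signature failure. A `switch(algo)` with one case per identifier makes the mapping explicit and keeps each `#ifdef` guard local to its cases. Check the statement after the final `else` before restructuring.

```c
	/* select SHA version */
	switch(algo) {
#ifdef SHA256_DIGEST_LENGTH
	case LDNS_RSASHA256:
	case LDNS_RSASHA256_NSEC3:
		*digest_type = EVP_sha256();
		break;
#endif
#ifdef SHA512_DIGEST_LENGTH
	case LDNS_RSASHA512:
	case LDNS_RSASHA512_NSEC3:
		*digest_type = EVP_sha512();
		break;
#endif
	default:
		/* … unchanged: the statement that followed the final else … */
		break;
	}
```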