diff --git a/doc/Changelog b/doc/Changelog
index 12af05557..5b0bc0115 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,10 @@
+22 August 2017: Wouter
+ - Fix install of trust anchor when two anchors are present, makes both
+ valid. Checks hash of DS but not signature of new key. This fixes
+ installs between sep11 and oct11 2017.
+ - tag 1.6.5 with pointrelease 1.6.5 (1.6.4 plus 5011 fix).
+ - trunk version 1.6.6 in development.
+
 10 August 2017: Wouter
 - Patch to show DNSCrypt status in help output, from Carsten Strotmann.
diff --git a/validator/autotrust.c b/validator/autotrust.c
index a533733c7..5bf815b5e 100644
--- a/validator/autotrust.c
+++ b/validator/autotrust.c
@@ -1571,6 +1571,11 @@ key_matches_a_ds(struct module_env* env, struct val_env* ve,
 verbose(VERB_ALGO, "DS match attempt failed");
 continue;
 }
+ /* match of hash is sufficient for bootstrap of trust point */
+ (void)reason;
+ (void)ve;
+ return 1;
+ /* no need to check RRSIG, DS hash already matched with source
 if(dnskey_verify_rrset(env, ve, dnskey_rrset, dnskey_rrset, key_idx, &reason) == sec_status_secure) {
 return 1;
@@ -1578,6 +1583,7 @@ key_matches_a_ds(struct module_env* env, struct val_env* ve,
 verbose(VERB_ALGO, "DS match failed because the key "
 "does not verify the keyset: %s", reason);
 }
+ */
 }
 return 0;
 }
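Review bot: After the added unconditional `return 1;` in key_matches_a_ds, a DS digest match alone accepts the key, and the `dnskey_verify_rrset` call survives only as dead code inside a block comment that opens in this hunk and is closed by the `*/` added in the next hunk (-1578,6 +1583,7). Because the keyset's self-signature is no longer checked here, the DS vouches only for the matched key and for nothing else in `dnskey_rrset`; the visible lines do not show whether every caller of this function is a trust-point bootstrap path, so that should be confirmed before relying on the comment. I would delete the commented-out branch rather than keep it (history preserves it), which also lets `(void)reason;` go if the `reason` local declared outside the hunk is removed. The new comment should state the trade-off, for example `/* DS digest match binds only this key to the configured DS; the keyset RRSIG is deliberately not verified here, so callers must not treat other keys in the rrset as validated */`. The function body starts before the first hunk.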