diff --git a/contrib/README b/contrib/README
index 19abd0544..943ce5264 100644
--- a/contrib/README
+++ b/contrib/README
@@ -17,3 +17,5 @@ distribution but may be helpful.
 in with the nagios monitoring framework. Contributed by Migiel de Vos.
 * unbound_unixsock.diff: Add Unix socket support for unbound-control.
 Contributed by Ilya Bakulin, 2012-08-28.
+* patch_rsamd5_enable.diff: this patch enables RSAMD5 validation (otherwise
+ it is treated as insecure). The RSAMD5 algorithm is deprecated (RFC6725).
diff --git a/contrib/patch_rsamd5_enable.diff b/contrib/patch_rsamd5_enable.diff
new file mode 100644
index 000000000..dfd4a7b9f
--- /dev/null
+++ b/contrib/patch_rsamd5_enable.diff
@@ -0,0 +1,22 @@
+Index: validator/val_secalgo.c
+===================================================================
+--- validator/val_secalgo.c (revision 2759)
++++ validator/val_secalgo.c (working copy)
+@@ -153,7 +153,7 @@
+ switch(id) {
+ case LDNS_RSAMD5:
+ /* RFC 6725 deprecates RSAMD5 */
+- return 0;
++ return 1;
+ case LDNS_DSA:
+ case LDNS_DSA_NSEC3:
+ case LDNS_RSASHA1:
+@@ -617,7 +617,7 @@
+ switch(id) {
+ case LDNS_RSAMD5:
+ /* RFC 6725 deprecates RSAMD5 */
+- return 0;
++ return 1;
+ case LDNS_DSA:
+ case LDNS_DSA_NSEC3:
+ case LDNS_RSASHA1:
diff --git a/doc/Changelog b/doc/Changelog
index f655cb697..629749839 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,10 @@
+17 September 2012: Wouter
+ - patch_rsamd5_enable.diff: this patch enables RSAMD5 validation
+ otherwise it is treated as insecure. The RSAMD5 algorithm is
+ deprecated (RFC6725). The MD5 hash is considered weak for some
+ purposes, if you want to sign your zone, then RSASHA256 is an
+ uncontested hash.
+
 30 August 2012: Wouter
 - RFC6725 deprecates RSAMD5: this DNSKEY algorithm is disabled.
 - iana portlist updated.
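Review bot: The two hunks inside contrib/patch_rsamd5_enable.diff flip `return 0;` to `return 1;` for `LDNS_RSAMD5` at val_secalgo.c lines 153 and 617 but leave the `/* RFC 6725 deprecates RSAMD5 */` comment untouched, so a tree with the patch applied documents a deprecation while reporting the algorithm as supported. The contributed patch would be clearer if it also rewrote that comment at both sites, e.g. `/* RFC 6725 deprecates RSAMD5; re-enabled by contrib patch, RSAMD5-only zones now validate as secure rather than insecure */`. The enclosing functions start and end outside the quoted hunks and the patch is pinned to svn revision 2759, so whether both call sites still apply cleanly and are the only places RSAMD5 is gated cannot be confirmed from here and is worth a note in the README entry. Since this commit only adds the file under contrib/, the default build is unchanged; the README line could say so explicitly so operators understand that applying the patch is a deliberate acceptance of a deprecated algorithm rather than a configuration default.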