diff --git a/CHANGES b/CHANGES
index 4fb51bc062..288f910b90 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+1819.	[bug]		The validator needed to check both the algorithm and
+			digest types of the DS to determine if it could be
+			used to introduce a secure zone. [RT #13593]
+
 1818.	[bug]		'named-checkconf -z' triggered an INSIST. [RT #13599]
 
 1817.	[placeholder]	rt13587
diff --git a/lib/dns/ds.c b/lib/dns/ds.c
index 44cb4d32d2..7bcf1fb37e 100644
--- a/lib/dns/ds.c
+++ b/lib/dns/ds.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ds.c,v 1.4 2004/03/05 05:09:19 marka Exp $ */
+/* $Id: ds.c,v 1.5 2005/03/04 03:53:20 marka Exp $ */
 
 #include <config.h>
 
@@ -81,3 +81,8 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
 	return (dns_rdata_fromstruct(rdata, key->rdclass, dns_rdatatype_ds,
 				     &ds, &b));
 }
+
+isc_boolean_t
+dns_ds_digest_supported(unsigned int digest_type) {
+	return  (ISC_TF(digest_type == DNS_DSDIGEST_SHA1));
+}
diff --git a/lib/dns/include/dns/ds.h b/lib/dns/include/dns/ds.h
index 40e3c6a8ec..3e2f7a90fe 100644
--- a/lib/dns/include/dns/ds.h
+++ b/lib/dns/include/dns/ds.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ds.h,v 1.3 2004/03/05 05:09:42 marka Exp $ */
+/* $Id: ds.h,v 1.4 2005/03/04 03:53:21 marka Exp $ */
 
 #ifndef DNS_DS_H
 #define DNS_DS_H 1
@@ -51,6 +51,12 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
  *		to 'buffer'.
  */
 
+isc_boolean_t
+dns_ds_digest_supported(unsigned int digest_type);
+/*
+ * Is this digest algorithm supported by dns_ds_buildrdata()?
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_DS_H */
diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h
index 0f35a6ba71..1aaa335be0 100644
--- a/lib/dns/include/dns/resolver.h
+++ b/lib/dns/include/dns/resolver.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.h,v 1.41 2004/04/15 23:40:26 marka Exp $ */
+/* $Id: resolver.h,v 1.42 2005/03/04 03:53:22 marka Exp $ */
 
 #ifndef DNS_RESOLVER_H
 #define DNS_RESOLVER_H 1
@@ -416,6 +416,12 @@ dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name,
  * crypto libraries if not specifically disabled.
  */
 
+isc_boolean_t
+dns_resolver_digest_supported(dns_resolver_t *resolver, unsigned int digest_type);
+/*
+ * Is this digest type supported.
+ */
+
 void
 dns_resolver_resetmustbesecure(dns_resolver_t *resolver);
 
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 9680424404..5eaba1668b 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.c,v 1.303 2005/02/08 23:51:31 marka Exp $ */
+/* $Id: resolver.c,v 1.304 2005/03/04 03:53:21 marka Exp $ */
 
 #include <config.h>
 
@@ -30,6 +30,7 @@
 #include <dns/cache.h>
 #include <dns/db.h>
 #include <dns/dispatch.h>
+#include <dns/ds.h>
 #include <dns/events.h>
 #include <dns/forward.h>
 #include <dns/keytable.h>
@@ -6520,6 +6521,13 @@ dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name,
 	return (dst_algorithm_supported(alg));
 }
 
+isc_boolean_t
+dns_resolver_digest_supported(dns_resolver_t *resolver, unsigned int digest) {
+
+	UNUSED(resolver);
+	return (dns_ds_digest_supported(digest));
+}
+
 void
 dns_resolver_resetmustbesecure(dns_resolver_t *resolver) {
 
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 0989855cec..8668beb3ad 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.126 2005/02/09 05:19:30 marka Exp $ */
+/* $Id: validator.c,v 1.127 2005/03/04 03:53:21 marka Exp $ */
 
 #include <config.h>
 
@@ -1561,6 +1561,9 @@ dlv_validatezonekey(dns_validator_t *val) {
 		dns_rdataset_current(val->dlv, &dlvrdata);
 		(void)dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
 
+		if (!dns_resolver_digest_supported(val->view->resolver,
+						   dlv.digest_type))
+			continue;
 		if (!dns_resolver_algorithm_supported(val->view->resolver,
 						      val->event->name,
 						      dlv.algorithm))
@@ -1647,7 +1650,7 @@ dlv_validatezonekey(dns_validator_t *val) {
 		val->event->rdataset->trust = dns_trust_answer;
 		val->event->sigrdataset->trust = dns_trust_answer;
 		validator_log(val, ISC_LOG_DEBUG(3),
-			      "no supported algorithm (dlv)");
+			      "no supported algorithm/digest (dlv)");
 		return (ISC_R_SUCCESS);
 	} else
 		return (DNS_R_NOVALIDSIG);
@@ -1848,6 +1851,10 @@ validatezonekey(dns_validator_t *val) {
 		dns_rdataset_current(val->dsset, &dsrdata);
 		(void)dns_rdata_tostruct(&dsrdata, &ds, NULL);
 
+		if (!dns_resolver_digest_supported(val->view->resolver,
+						   ds.digest_type))
+			continue;
+
 		if (!dns_resolver_algorithm_supported(val->view->resolver,
 						      val->event->name,
 						      ds.algorithm))
@@ -1940,7 +1947,7 @@ validatezonekey(dns_validator_t *val) {
 		val->event->rdataset->trust = dns_trust_answer;
 		val->event->sigrdataset->trust = dns_trust_answer;
 		validator_log(val, ISC_LOG_DEBUG(3),
-			      "no supported algorithm (ds)");
+			      "no supported algorithm/digest (ds)");
 		return (ISC_R_SUCCESS);
 	} else
 		return (DNS_R_NOVALIDSIG);
@@ -2193,7 +2200,7 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
 }
 
 static isc_boolean_t
-check_ds_algorithm(dns_validator_t *val, dns_name_t *name,
+check_ds(dns_validator_t *val, dns_name_t *name,
 		   dns_rdataset_t *rdataset) {
 	dns_rdata_t dsrdata = DNS_RDATA_INIT;
 	dns_rdata_ds_t ds;
@@ -2205,9 +2212,13 @@ check_ds_algorithm(dns_validator_t *val, dns_name_t *name,
 		dns_rdataset_current(rdataset, &dsrdata);
 		(void)dns_rdata_tostruct(&dsrdata, &ds, NULL);
 
-		if (dns_resolver_algorithm_supported(val->view->resolver,
-						     name, ds.algorithm))
+		if (dns_resolver_digest_supported(val->view->resolver,
+						  ds.digest_type) &&
+		    dns_resolver_algorithm_supported(val->view->resolver,
+						     name, ds.algorithm)) {
+			dns_rdata_reset(&dsrdata);
 			return (ISC_TRUE);
+		}
 		dns_rdata_reset(&dsrdata);
 	}
 	return (ISC_FALSE);
@@ -2385,8 +2396,8 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
 	} else {
 		validator_log(val, ISC_LOG_DEBUG(3), "resuming proveunsecure");
 		if (val->frdataset.trust >= dns_trust_secure &&
-		    !check_ds_algorithm(val, dns_fixedname_name(&val->fname),
-					&val->frdataset)) {
+		    !check_ds(val, dns_fixedname_name(&val->fname),
+			       &val->frdataset)) {
 			if (val->mustbesecure) {
 				validator_log(val, ISC_LOG_WARNING,
 					      "must be secure failure");
@@ -2394,7 +2405,7 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
 				goto out;
 			}
 			validator_log(val, ISC_LOG_DEBUG(3),
-				      "no supported algorithm (ds)");
+				      "no supported algorithm/digest (ds)");
 			val->event->rdataset->trust = dns_trust_answer;
 			result = ISC_R_SUCCESS;
 			goto out;
@@ -2453,10 +2464,9 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
 			 * continue.
 			 */
 			if (val->frdataset.trust >= dns_trust_secure) {
-				if (!check_ds_algorithm(val, tname,
-							&val->frdataset)) {
+				if (!check_ds(val, tname, &val->frdataset)) {
 					validator_log(val, ISC_LOG_DEBUG(3),
-					      "no supported algorithm (ds)");
+					   "no supported algorithm/digest (ds)");
 					if (val->mustbesecure) {
 						validator_log(val,
 							      ISC_LOG_WARNING,