diff --git a/libs/ldns/Makefile b/libs/ldns/Makefile index 8d78f2cf..ca84b588 100644 --- a/libs/ldns/Makefile +++ b/libs/ldns/Makefile @@ -8,19 +8,21 @@ include $(TOPDIR)/rules.mk PKG_NAME:=ldns -PKG_VERSION:=1.6.17 +PKG_VERSION:=1.7.1 PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=http://www.nlnetlabs.nl/downloads/ldns -PKG_HASH:=8b88e059452118e8949a2752a55ce59bc71fa5bc414103e17f5b6b06f9bcc8cd +PKG_HASH:=8ac84c16bdca60e710eea75782356f3ac3b55680d40e1530d7cea474ac208229 +PKG_MAINTAINER:=Eric Luehrsen PKG_LICENSE:=BSD-3-Clause PKG_LICENSE_FILES:=LICENSE -PKG_MAINTAINER:=Nicolas Thill +PKG_CPE_ID:=cpe:/a:nlnetlabs:ldns PKG_FIXUP:=autoreconf PKG_INSTALL:=1 +PKG_BUILD_PARALLEL:=1 include $(INCLUDE_DIR)/package.mk @@ -53,14 +55,31 @@ define Package/drill endef define Package/drill/description - drill is a tool to designed to get all sorts of information out of the DNS. It - is specificly designed to be used with DNSSEC. + ldns includes the drill tool, which is much like dig from BIND. It was + designed with DNSSEC in mind and should be a useful debugging/query tool + for DNSSEC. +endef + +define Package/ldns-examples + $(call Package/libldns/Default) + SECTION:=net + CATEGORY:=Network + SUBMENU:=IP Addresses and Names + TITLE:=Example programs from NLNetLabs ldns library + DEPENDS+= +libldns +libpcap +drill +endef + +define Package/ldns-examples/description + A few example programs are included in the source of ldns. They include tools + which can create DNSSEC keys and DNSSEC zone files. endef CONFIGURE_ARGS += \ - --disable-ecdsa \ + --disable-dsa \ --disable-gost \ + --enable-ecdsa \ --with-drill \ + --with-examples \ --with-ssl="$(STAGING_DIR)/usr" define Build/InstallDev 
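Review bot: `PKG_SOURCE_URL` in the first hunk still fetches the 1.7.1 tarball over plain `http://`, so the new `PKG_HASH` is the only thing authenticating the download. Confirm the hash against a checksum or signature published by upstream rather than one computed from the same HTTP fetch. If the host serves it, prefer `PKG_SOURCE_URL:=https://www.nlnetlabs.nl/downloads/ldns`. `PKG_RELEASE` also stays at 2 across the version bump, where the usual convention is to reset it with `PKG_RELEASE:=1`.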
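Review bot: `Package/ldns-examples` expands `$(call Package/libldns/Default)`, but no such template is defined in the visible parts of this Makefile. A `call` of an undefined name expands to nothing without a warning, so `DEPENDS+=` would then start from an empty value and inherit no URL or base dependencies. If the template really is absent, state the dependencies directly with `DEPENDS:=+libldns +libpcap`. The `+drill` dependency also looks unrelated to the example programs and puts an extra binary on the device, so drop it unless one of the tools actually invokes drill.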
@@ -68,6 +87,8 @@ define Build/InstallDev $(CP) $(PKG_INSTALL_DIR)/usr/include/ldns $(1)/usr/include/ $(INSTALL_DIR) $(1)/usr/lib $(CP) $(PKG_INSTALL_DIR)/usr/lib/libldns.{a,so*} $(1)/usr/lib/ + $(INSTALL_DIR) $(1)/usr/lib/pkgconfig + $(CP) $(PKG_BUILD_DIR)/packaging/libldns.pc $(1)/usr/lib/pkgconfig endef define Package/libldns/install 
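Review bot: The added `$(CP)` takes `libldns.pc` from `$(PKG_BUILD_DIR)/packaging`, while every other line in `Build/InstallDev` copies from the staged `$(PKG_INSTALL_DIR)` tree. The pkg-config file handed to dependent packages is therefore whatever configure left in the build directory, not what `make install` produced. If upstream's install step already places the file under `$(PKG_INSTALL_DIR)/usr/lib/pkgconfig` (not visible here), copy it from there, and add the trailing slash the neighbouring lines use: `$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libldns.pc $(1)/usr/lib/pkgconfig/`. The `define` starts above the hunk.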
@@ -80,5 +101,33 @@ define Package/drill/install $(CP) $(PKG_INSTALL_DIR)/usr/bin/drill $(1)/usr/bin/ endef +define Package/ldns-examples/install + $(INSTALL_DIR) $(1)/usr/bin + $(CP) $(PKG_INSTALL_DIR)/usr/bin/ldns-chaos $(1)/usr/bin/ + $(CP) $(PKG_INSTALL_DIR)/usr/bin/ldns-compare-zones $(1)/usr/bin/ + $(CP) $(PKG_INSTALL_DIR)/usr/bin/ldns-dane $(1)/usr/bin/ + $(CP) $(PKG_INSTALL_DIR)/usr/bin/ldns-dpa $(1)/usr/bin/ + $(CP) $(PKG_INSTALL_DIR)/usr/bin/ldns-gen-zone $(1)/usr/bin/ + $(CP) $(PKG_INSTALL_DIR)/usr/bin/ldns-key2ds $(1)/usr/bin/ + $(CP) $(PKG_INSTALL_DIR)/usr/bin/ldns-keyfetcher $(1)/usr/bin/ + $(CP) $(PKG_INSTALL_DIR)/usr/bin/ldns-keygen $(1)/usr/bin/ + $(CP) $(PKG_INSTALL_DIR)/usr/bin/ldns-mx $(1)/usr/bin/ + $(CP) $(PKG_INSTALL_DIR)/usr/bin/ldns-notify $(1)/usr/bin/ + $(CP) $(PKG_INSTALL_DIR)/usr/bin/ldns-nsec3-hash $(1)/usr/bin/ + $(CP) $(PKG_INSTALL_DIR)/usr/bin/ldns-read-zone $(1)/usr/bin/ + $(CP) $(PKG_INSTALL_DIR)/usr/bin/ldns-revoke $(1)/usr/bin/ + $(CP) $(PKG_INSTALL_DIR)/usr/bin/ldns-rrsig $(1)/usr/bin/ + $(CP) $(PKG_INSTALL_DIR)/usr/bin/ldns-signzone $(1)/usr/bin/ + $(CP) $(PKG_INSTALL_DIR)/usr/bin/ldns-test-edns $(1)/usr/bin/ + $(CP) $(PKG_INSTALL_DIR)/usr/bin/ldns-testns $(1)/usr/bin/ + $(CP) $(PKG_INSTALL_DIR)/usr/bin/ldns-update $(1)/usr/bin/ + $(CP) $(PKG_INSTALL_DIR)/usr/bin/ldns-verify-zone $(1)/usr/bin/ + $(CP) $(PKG_INSTALL_DIR)/usr/bin/ldns-version $(1)/usr/bin/ + $(CP) $(PKG_INSTALL_DIR)/usr/bin/ldns-walk $(1)/usr/bin/ + $(CP) $(PKG_INSTALL_DIR)/usr/bin/ldns-zcat $(1)/usr/bin/ + $(CP) $(PKG_INSTALL_DIR)/usr/bin/ldns-zsplit $(1)/usr/bin/ +endef + $(eval $(call BuildPackage,libldns)) $(eval $(call BuildPackage,drill)) +$(eval $(call BuildPackage,ldns-examples)) diff --git a/libs/ldns/patches/001-compile-for-darwin.patch b/libs/ldns/patches/001-compile-for-darwin.patch new file mode 100644 index 00000000..1108c668 --- /dev/null +++ b/libs/ldns/patches/001-compile-for-darwin.patch 
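Review bot: The 23 `$(CP)` lines in `Package/ldns-examples/install` differ only in the binary name, and each copies the file with whatever mode the staged tree happens to carry. Listing the names once in a variable and installing them with `$(INSTALL_BIN)` would set the executable mode explicitly and make later additions or removals a one-word change. The list also ships `ldns-testns` and `ldns-test-edns` next to the key and zone-signing tools (`ldns-keygen`, `ldns-signzone`). A short comment on why the test programs belong on a target device would help, or they could move to a separate package so an image that only needs the DNSSEC tools does not carry them.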
@@ -0,0 +1,11 @@ +--- a/configure.ac ++++ b/configure.ac +@@ -881,7 +881,7 @@ AC_ARG_WITH(xcode-sdk, AC_HELP_STRING([--with-xcode-sdk], + [],[with_xcode_sdk="yes"]) + if test "x_$with_xcode_sdk" != "x_no" ; then + # check OSX deployment target, if needed +- if echo $build_os | grep darwin > /dev/null; then ++ if echo $target_os | grep darwin > /dev/null; then + sdk_p=`xcode-select -print-path`; + if test "x_$with_xcode_sdk" = "x_yes" ; then + sdk_v="$( /usr/bin/xcrun --show-sdk-version 2>/dev/null )" diff --git a/libs/ldns/patches/001-perl5-defined-array.patch b/libs/ldns/patches/001-perl5-defined-array.patch deleted file mode 100644 index 5e193d9e..00000000 --- a/libs/ldns/patches/001-perl5-defined-array.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/doc/doxyparse.pl -+++ b/doc/doxyparse.pl -@@ -273,7 +273,7 @@ foreach (keys %manpages) { - - print MAN $MAN_MIDDLE; - -- if (defined(@$also)) { -+ if (@$also) { - print MAN "\n.SH SEE ALSO\n\\fI"; - print MAN join "\\fR, \\fI", @$also; - print MAN "\\fR.\nAnd "; diff --git a/libs/ldns/patches/010-openssl-deprecated.patch b/libs/ldns/patches/010-openssl-deprecated.patch new file mode 100644 index 00000000..eed21e0f --- /dev/null +++ b/libs/ldns/patches/010-openssl-deprecated.patch 
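Review bot: `$target_os` is the wrong canonical variable for this test in a cross-built library. Autoconf fills it in only when `AC_CANONICAL_TARGET` is used, and it describes the system a compiler-like tool generates code for, whereas `$host_os` describes where ldns itself will run. If configure.ac never calls `AC_CANONICAL_TARGET` (not visible in this hunk), the variable is empty and the Darwin branch is skipped for every build, which hides the problem instead of fixing it. The line would read `if echo $host_os | grep darwin > /dev/null; then`. The enclosing `if test "x_$with_xcode_sdk"` block continues past the hunk.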
@@ -0,0 +1,54 @@ +From cee98e71bb3d69e41cd4d2c6e33c68639dd1eaf0 Mon Sep 17 00:00:00 2001 +From: Rosen Penev +Date: Thu, 5 Dec 2019 12:13:44 -0800 +Subject: [PATCH] Fix compilation without deprecated APIs + +--- + dnssec_verify.c | 2 ++ + drill/drill.c | 2 ++ + keys.c | 1 + + 3 files changed, 5 insertions(+) + +diff --git a/dnssec_verify.c b/dnssec_verify.c +index d22962eb..99a7515d 100644 +--- a/dnssec_verify.c ++++ b/dnssec_verify.c +@@ -597,7 +597,9 @@ ldns_dnssec_trust_tree_print_sm_fmt(FILE *out, + if (tree->parent_status[i] + == LDNS_STATUS_SSL_ERR) { + printf("; SSL Error: "); ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(HAVE_LIBRESSL) + ERR_load_crypto_strings(); ++#endif + ERR_print_errors_fp(stdout); + printf("\n"); + } +diff --git a/drill/drill.c b/drill/drill.c +index 6efd29a5..186bdff2 100644 +--- a/drill/drill.c ++++ b/drill/drill.c +@@ -994,10 +994,12 @@ main(int argc, char *argv[]) + xfree(tsig_algorithm); + + #ifdef HAVE_SSL ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(HAVE_LIBRESSL) + CRYPTO_cleanup_all_ex_data(); + ERR_free_strings(); + EVP_cleanup(); + #endif ++#endif + #ifdef USE_WINSOCK + WSACleanup(); + #endif +diff --git a/keys.c b/keys.c +index 016f9731..06afb739 100644 +--- a/keys.c ++++ b/keys.c +@@ -15,6 +15,7 @@ + #include + + #ifdef HAVE_SSL ++#include + #include + #include + #include diff --git a/libs/ldns/patches/020-openssl-dsa.patch b/libs/ldns/patches/020-openssl-dsa.patch new file mode 100644 index 00000000..ee02a0a8 --- /dev/null +++ b/libs/ldns/patches/020-openssl-dsa.patch 
@@ -0,0 +1,333 @@ +From 8a12d9183271b2b16f399c3fe867f149dbf753d7 Mon Sep 17 00:00:00 2001 +From: Rosen Penev +Date: Thu, 20 Feb 2020 18:58:52 -0800 +Subject: [PATCH] Fix compilation without DSA and deprecated APIs + +Signed-off-by: Rosen Penev +--- + dnssec.c | 2 ++ + examples/ldns-dane.c | 2 ++ + examples/ldns-keygen.c | 2 ++ + examples/ldns-signzone.c | 16 ++++++++++++++++ + examples/ldns-verify-zone.c | 2 ++ + host2str.c | 8 ++++++++ + keys.c | 10 +++++++--- + ldns/keys.h | 8 ++++++++ + rr_functions.c | 4 ++++ + 9 files changed, 51 insertions(+), 3 deletions(-) + +diff --git a/dnssec.c b/dnssec.c +index 482cefd6..71508600 100644 +--- a/dnssec.c ++++ b/dnssec.c +@@ -332,6 +332,7 @@ uint16_t ldns_calc_keytag_raw(const uint8_t* key, size_t keysize) + } + + #ifdef HAVE_SSL ++#ifdef USE_DSA + DSA * + ldns_key_buf2dsa(const ldns_buffer *key) + { +@@ -407,6 +408,7 @@ ldns_key_buf2dsa_raw(const unsigned char* key, size_t len) + #endif /* OPENSSL_VERSION_NUMBER */ + return dsa; + } ++#endif /* USE_DSA */ + + RSA * + ldns_key_buf2rsa(const ldns_buffer *key) +diff --git a/examples/ldns-dane.c b/examples/ldns-dane.c +index 4c31fd8f..7b33ad18 100644 +--- a/examples/ldns-dane.c ++++ b/examples/ldns-dane.c +@@ -1680,9 +1680,11 @@ main(int argc, char* const* argv) + assert(0); + } + ++#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL) + /* ssl inititalize */ + SSL_load_error_strings(); + SSL_library_init(); ++#endif + + /* ssl load validation store */ + if (! 
assume_pkix_validity || CAfile || CApath) { +diff --git a/examples/ldns-keygen.c b/examples/ldns-keygen.c +index 62b8d228..237016e5 100644 +--- a/examples/ldns-keygen.c ++++ b/examples/ldns-keygen.c +@@ -148,6 +148,7 @@ main(int argc, char *argv[]) + exit(1); + } + break; ++#ifdef USE_DSA + case LDNS_SIGN_DSA: + case LDNS_SIGN_DSA_NSEC3: + if (bits < 512 || bits > 1024) { +@@ -156,6 +157,7 @@ main(int argc, char *argv[]) + exit(1); + } + break; ++#endif /* USE_DSA */ + #ifdef USE_GOST + case LDNS_SIGN_ECC_GOST: + if(!ldns_key_EVP_load_gost_id()) { +diff --git a/examples/ldns-signzone.c b/examples/ldns-signzone.c +index 7d24ad90..abae352a 100644 +--- a/examples/ldns-signzone.c ++++ b/examples/ldns-signzone.c +@@ -72,10 +72,14 @@ usage(FILE *fp, const char *prog) { + + fprintf ( fp, "\n " ); + __LIST ( RSAMD5 ); ++#ifdef USE_DSA + __LIST ( DSA ); ++#endif + __LIST ( RSASHA1 ); + fprintf ( fp, "\n " ); ++#ifdef USE_DSA + __LIST ( DSA_NSEC3 ); ++#endif + __LIST ( RSASHA1_NSEC3 ); + __LIST ( RSASHA256 ); + fprintf ( fp, "\n " ); +@@ -350,11 +354,15 @@ parse_algspec ( const char * const p ) + + __MATCH ( RSAMD5 ); + __MATCH ( RSASHA1 ); ++#ifdef USE_DSA + __MATCH ( DSA ); ++#endif + __MATCH ( RSASHA1_NSEC3 ); + __MATCH ( RSASHA256 ); + __MATCH ( RSASHA512 ); ++#ifdef USE_DSA + __MATCH ( DSA_NSEC3 ); ++#endif + __MATCH ( ECC_GOST ); + __MATCH ( ECDSAP256SHA256 ); + __MATCH ( ECDSAP384SHA384 ); +@@ -419,8 +427,10 @@ load_key ( const char * const p, ENGINE * const e ) + case LDNS_SIGN_RSASHA1_NSEC3: + case LDNS_SIGN_RSASHA256: + case LDNS_SIGN_RSASHA512: ++#ifdef USE_DSA + case LDNS_SIGN_DSA: + case LDNS_SIGN_DSA_NSEC3: ++#endif + case LDNS_SIGN_ECC_GOST: + #ifdef USE_ECDSA + case LDNS_SIGN_ECDSAP256SHA256: +@@ -995,9 +1005,13 @@ main(int argc, char *argv[]) + + #ifdef HAVE_SSL + if (ERR_peek_error()) { ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(HAVE_LIBRESSL) + ERR_load_crypto_strings(); ++#endif + ERR_print_errors_fp(stderr); ++#if OPENSSL_VERSION_NUMBER < 
0x10100000L || defined(HAVE_LIBRESSL) + ERR_free_strings(); ++#endif + } + #endif + exit(EXIT_FAILURE); +@@ -1018,7 +1032,9 @@ main(int argc, char *argv[]) + #ifndef OPENSSL_NO_ENGINE + shutdown_openssl ( engine ); + #else ++#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL) + CRYPTO_cleanup_all_ex_data(); ++#endif + #endif + + free(prog); +diff --git a/examples/ldns-verify-zone.c b/examples/ldns-verify-zone.c +index c17bd21c..a5a1d003 100644 +--- a/examples/ldns-verify-zone.c ++++ b/examples/ldns-verify-zone.c +@@ -113,7 +113,9 @@ print_rr_status_error(FILE* stream, ldns_rr* rr, ldns_status status) + if (status != LDNS_STATUS_OK) { + print_rr_error(stream, rr, ldns_get_errorstr_by_id(status)); + if (verbosity > 0 && status == LDNS_STATUS_SSL_ERR) { ++#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL) + ERR_load_crypto_strings(); ++#endif + ERR_print_errors_fp(stream); + } + } +diff --git a/host2str.c b/host2str.c +index 3ca23c20..29a5f5c9 100644 +--- a/host2str.c ++++ b/host2str.c +@@ -49,10 +49,14 @@ + ldns_lookup_table ldns_algorithms[] = { + { LDNS_RSAMD5, "RSAMD5" }, + { LDNS_DH, "DH" }, ++#ifdef USE_DSA + { LDNS_DSA, "DSA" }, ++#endif /* USE_DSA */ + { LDNS_ECC, "ECC" }, + { LDNS_RSASHA1, "RSASHA1" }, ++#ifdef USE_DSA + { LDNS_DSA_NSEC3, "DSA-NSEC3-SHA1" }, ++#endif /* USE_DSA */ + { LDNS_RSASHA1_NSEC3, "RSASHA1-NSEC3-SHA1" }, + #ifdef USE_SHA2 + { LDNS_RSASHA256, "RSASHA256"}, +@@ -2133,7 +2137,9 @@ ldns_key2buffer_str(ldns_buffer *output, const ldns_key *k) + unsigned char *bignum; + #ifdef HAVE_SSL + RSA *rsa; ++#ifdef USE_DSA + DSA *dsa; ++#endif /* USE_DSA */ + #endif /* HAVE_SSL */ + + if (!k) { +@@ -2243,6 +2249,7 @@ ldns_key2buffer_str(ldns_buffer *output, const ldns_key *k) + + RSA_free(rsa); + break; ++#ifdef USE_DSA + case LDNS_SIGN_DSA: + case LDNS_SIGN_DSA_NSEC3: + dsa = ldns_key_dsa_key(k); +@@ -2283,6 +2290,7 @@ ldns_key2buffer_str(ldns_buffer *output, const ldns_key *k) + goto error; + } + break; ++#endif /* 
USE_DSA */ + case LDNS_SIGN_ECC_GOST: + /* no format defined, use blob */ + #if defined(HAVE_SSL) && defined(USE_GOST) +diff --git a/keys.c b/keys.c +index 06afb739..ddff6f35 100644 +--- a/keys.c ++++ b/keys.c +@@ -905,6 +905,7 @@ ldns_key_new_frm_fp_rsa_l(FILE *f, int *line_nr) + return NULL; + } + ++#ifdef USE_DSA + DSA * + ldns_key_new_frm_fp_dsa(FILE *f) + { +@@ -1015,6 +1016,7 @@ ldns_key_new_frm_fp_dsa_l(FILE *f, ATTR_UNUSED(int *line_nr)) + BN_free(pub_key); + return NULL; + } ++#endif /* USE_DSA */ + + unsigned char * + ldns_key_new_frm_fp_hmac(FILE *f, size_t *hmac_size) +@@ -1149,9 +1151,9 @@ ldns_key_new_frm_algorithm(ldns_signing_algorithm alg, uint16_t size) + #endif /* HAVE_EVP_PKEY_KEYGEN */ + #endif /* HAVE_SSL */ + break; ++#ifdef USE_DSA + case LDNS_SIGN_DSA: + case LDNS_SIGN_DSA_NSEC3: +-#ifdef USE_DSA + #ifdef HAVE_SSL + # if OPENSSL_VERSION_NUMBER < 0x00908000L + d = DSA_generate_parameters((int)size, NULL, 0, NULL, NULL, NULL, NULL); +@@ -1878,10 +1880,10 @@ ldns_key2rr(const ldns_key *k) + #endif + size++; + break; ++#ifdef USE_DSA + case LDNS_SIGN_DSA: + ldns_rr_push_rdf(pubkey, + ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, LDNS_DSA)); +-#ifdef USE_DSA + #ifdef HAVE_SSL + dsa = ldns_key_dsa_key(k); + if (dsa) { +@@ -1901,10 +1903,10 @@ ldns_key2rr(const ldns_key *k) + #endif /* HAVE_SSL */ + #endif /* USE_DSA */ + break; ++#ifdef USE_DSA + case LDNS_SIGN_DSA_NSEC3: + ldns_rr_push_rdf(pubkey, + ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, LDNS_DSA_NSEC3)); +-#ifdef USE_DSA + #ifdef HAVE_SSL + dsa = ldns_key_dsa_key(k); + if (dsa) { +@@ -2165,7 +2167,9 @@ ldns_signing_algorithm ldns_get_signing_algorithm_by_name(const char* name) + ldns_lookup_table aliases[] = { + /* from bind dnssec-keygen */ + {LDNS_SIGN_HMACMD5, "HMAC-MD5"}, ++#ifdef USE_DSA + {LDNS_SIGN_DSA_NSEC3, "NSEC3DSA"}, ++#endif /* USE_DSA */ + {LDNS_SIGN_RSASHA1_NSEC3, "NSEC3RSASHA1"}, + /* old ldns usage, now RFC names */ + #ifdef USE_DSA +diff --git a/ldns/keys.h b/ldns/keys.h +index 
df4bb22b..826f876f 100644 +--- a/ldns/keys.h ++++ b/ldns/keys.h +@@ -45,10 +45,14 @@ enum ldns_enum_algorithm + { + LDNS_RSAMD5 = 1, /* RFC 4034,4035 */ + LDNS_DH = 2, ++#ifdef USE_DSA + LDNS_DSA = 3, ++#endif /* USE_DSA */ + LDNS_ECC = 4, + LDNS_RSASHA1 = 5, ++#ifdef USE_DSA + LDNS_DSA_NSEC3 = 6, ++#endif /* USE_DSA */ + LDNS_RSASHA1_NSEC3 = 7, + LDNS_RSASHA256 = 8, /* RFC 5702 */ + LDNS_RSASHA512 = 10, /* RFC 5702 */ +@@ -90,11 +94,15 @@ enum ldns_enum_signing_algorithm + { + LDNS_SIGN_RSAMD5 = LDNS_RSAMD5, + LDNS_SIGN_RSASHA1 = LDNS_RSASHA1, ++#ifdef USE_DSA + LDNS_SIGN_DSA = LDNS_DSA, ++#endif /* USE_DSA */ + LDNS_SIGN_RSASHA1_NSEC3 = LDNS_RSASHA1_NSEC3, + LDNS_SIGN_RSASHA256 = LDNS_RSASHA256, + LDNS_SIGN_RSASHA512 = LDNS_RSASHA512, ++#ifdef USE_DSA + LDNS_SIGN_DSA_NSEC3 = LDNS_DSA_NSEC3, ++#endif /* USE_DSA */ + LDNS_SIGN_ECC_GOST = LDNS_ECC_GOST, + LDNS_SIGN_ECDSAP256SHA256 = LDNS_ECDSAP256SHA256, + LDNS_SIGN_ECDSAP384SHA384 = LDNS_ECDSAP384SHA384, +diff --git a/rr_functions.c b/rr_functions.c +index 20a0bfaa..8d72696b 100644 +--- a/rr_functions.c ++++ b/rr_functions.c +@@ -269,14 +269,17 @@ ldns_rr_dnskey_key_size_raw(const unsigned char* keydata, + const size_t len, + const ldns_algorithm alg) + { ++#ifdef USE_DSA + /* for DSA keys */ + uint8_t t; ++#endif /* USE_DSA */ + + /* for RSA keys */ + uint16_t exp; + uint16_t int16; + + switch ((ldns_signing_algorithm)alg) { ++#ifdef USE_DSA + case LDNS_SIGN_DSA: + case LDNS_SIGN_DSA_NSEC3: + if (len > 0) { +@@ -286,6 +289,7 @@ ldns_rr_dnskey_key_size_raw(const unsigned char* keydata, + return 0; + } + break; ++#endif /* USE_DSA */ + case LDNS_SIGN_RSAMD5: + case LDNS_SIGN_RSASHA1: + case LDNS_SIGN_RSASHA1_NSEC3:
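Review bot: In the `ldns/keys.h` part of this patch, `LDNS_DSA`, `LDNS_DSA_NSEC3` and the matching `LDNS_SIGN_*` members are now declared only under `#ifdef USE_DSA`, which makes an installed public header depend on a configure-time macro. If `USE_DSA` comes from the private `config.h` (not visible here), programs compiled against the staged header never see these names however the library was built, and any consumer that mentions them stops compiling. Keeping the enum values unconditional and guarding only the implementation in the `.c` files would keep the API stable while still dropping the DSA code. Algorithm numbers 3 and 6 stay meaningful on the wire even when unsupported. The OpenSSL version guards are also spelled both `0x10100000` and `0x10100000L` across the patched files, so pick one form.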