diff --git a/openssh-8.3p1-ldns.patch b/openssh-8.3p1-ldns.patch
new file mode 100644
index 0000000..7e743fe
--- /dev/null
+++ b/openssh-8.3p1-ldns.patch
@@ -0,0 +1,13 @@
+diff --git a/configure.ac b/configure.ac
+index c94a514..4a5843d 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1594,7 +1594,7 @@ AC_ARG_WITH(ldns,
+ # include <stdint.h>
+ #endif
+ #include <ldns/ldns.h>
+-int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
++int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; (void)status; exit(0); }
+ 			]])
+ 		],
+ 			[AC_MSG_RESULT(yes)],
diff --git a/openssh.spec b/openssh.spec
index df39c02..528aac1 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -29,6 +29,9 @@
 # Do we want libedit support
 %global libedit 1
 
+# Do we want DNSSEC support
+%global ldns 1
+
 # Whether to build pam_ssh_agent_auth
 %if 0%{?!nopam:1}
 %global pam_ssh_agent 1
@@ -197,6 +200,8 @@ Patch965: openssh-8.2p1-visibility.patch
 # Do not break X11 without IPv6
 Patch966: openssh-8.2p1-x11-without-ipv6.patch
 Patch967: openssh-8.4p1-ssh-copy-id.patch
+# Fix DNSSEC library detection
+Patch968: openssh-8.3p1-ldns.patch
 
 License: BSD
 Requires: /sbin/nologin
@@ -227,6 +232,10 @@ Obsoletes: openssh-ldap <= 8.3p1-3
 BuildRequires: krb5-devel
 %endif
 
+%if %{ldns}
+BuildRequires: ldns-devel
+%endif
+
 %if %{libedit}
 BuildRequires: libedit-devel ncurses-devel
 %endif
@@ -381,6 +390,7 @@ popd
 %patch965 -p1 -b .visibility
 %patch966 -p1 -b .x11-ipv6
 %patch967 -p1 -b .ssh-copy-id
+%patch968 -p1 -b .ldns
 
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race
@@ -452,6 +462,11 @@ fi
 %else
 	--without-kerberos5 \
 %endif
+%if %{ldns}
+	--with-ldns=%{_prefix} \
+%else
+	--without-ldns \
+%endif
 %if %{libedit}
 	--with-libedit
 %else