diff --git a/core/java/src/net/i2p/data/DatabaseEntry.java b/core/java/src/net/i2p/data/DatabaseEntry.java
index 32f358879f00f9207fab800df5a3dc09911844b2..6c2ee37cb948af98a45bd542d7690908ada90233 100644
--- a/core/java/src/net/i2p/data/DatabaseEntry.java
+++ b/core/java/src/net/i2p/data/DatabaseEntry.java
@@ -13,6 +13,8 @@ import java.util.Arrays;
 
 import net.i2p.I2PAppContext;
 import net.i2p.crypto.DSAEngine;
+import net.i2p.crypto.SigAlgo;
+import net.i2p.crypto.SigType;
 
 /**
  *<p>
@@ -206,6 +208,12 @@ public abstract class DatabaseEntry extends DataStructureImpl {
         if (data == null)
             return false;
         // if the data is non-null the SPK will be non-null
-        return DSAEngine.getInstance().verifySignature(_signature, data, getSigningPublicKey());
+        SigningPublicKey spk = getSigningPublicKey();
+        SigType type = spk.getType();
+        // As of 0.9.28, disallow RSA as it's so slow it could be
+        // used as a DoS
+        if (type == null || type.getBaseAlgorithm() == SigAlgo.RSA)
+            return false;
+        return DSAEngine.getInstance().verifySignature(_signature, data, spk);
     }
 }
diff --git a/router/java/src/net/i2p/router/networkdb/kademlia/KademliaNetworkDatabaseFacade.java b/router/java/src/net/i2p/router/networkdb/kademlia/KademliaNetworkDatabaseFacade.java
index 2e2152ceac68980724ca8e62646788c47f5c6590..6c4f1bae6e8d5fef7a2724ee1594010f756aa187 100644
--- a/router/java/src/net/i2p/router/networkdb/kademlia/KademliaNetworkDatabaseFacade.java
+++ b/router/java/src/net/i2p/router/networkdb/kademlia/KademliaNetworkDatabaseFacade.java
@@ -19,6 +19,7 @@ import java.util.Iterator;
 import java.util.Map;
 import java.util.Set;
 
+import net.i2p.crypto.SigAlgo;
 import net.i2p.crypto.SigType;
 import net.i2p.data.Certificate;
 import net.i2p.data.DatabaseEntry;
@@ -1080,7 +1081,7 @@ public class KademliaNetworkDatabaseFacade extends NetworkDatabaseFacade {
                     try {
                         KeyCertificate kc = c.toKeyCertificate();
                         SigType type = kc.getSigType();
-                        if (type == null || !type.isAvailable()) {
+                        if (type == null || !type.isAvailable() || type.getBaseAlgorithm() == SigAlgo.RSA) {
                             failPermanently(d);
                             String stype = (type != null) ? type.toString() : Integer.toString(kc.getSigTypeCode());
                             if (_log.shouldLog(Log.WARN))