diff --git a/bind-9.11-ed448-disable.patch b/bind-9.11-ed448-disable.patch
new file mode 100644
index 0000000..179f32f
--- /dev/null
+++ b/bind-9.11-ed448-disable.patch
@@ -0,0 +1,41 @@
+From e6bad0789c731f06de781997e33e864c71510ff2 Mon Sep 17 00:00:00 2001
+From: Petr Mensik
+Date: Thu, 21 Feb 2019 12:36:17 +0100
+Subject: [PATCH] Disable autodetected ED448 algorithm support
+
+Implementation is broken in bind, disabled also in more recent versions.
+Makes bin/tests/system/dnssec fail.
+---
+ configure.in | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/configure.in b/configure.in
+index ca84ff3239..da4dd5f249 100644
+--- a/configure.in
++++ b/configure.in
+@@ -1917,6 +1917,9 @@ int main() {
+ }
+ ],
+ [AC_MSG_RESULT(yes)
++ # ED448 support is broken in BIND
++ # https://gitlab.isc.org/isc-projects/bind9/issues/225
++ # disable if autodetected, can be enabled by --with-eddsa=all
+ have_ed448="yes"],
+ [AC_MSG_RESULT(no)
+ have_ed448="no"],
+@@ -1929,8 +1932,10 @@ int main() {
+ esac
+ case $have_ed448 in
+ yes)
+- AC_DEFINE(HAVE_OPENSSL_ED448, 1,
+- [Define if your OpenSSL version supports Ed448.])
++ # ED448 support is broken in BIND
++ # https://gitlab.isc.org/isc-projects/bind9/issues/225
++ # AC_DEFINE(HAVE_OPENSSL_ED448, 1,
++ # [Define if your OpenSSL version supports Ed448.])
+ ;;
+ *)
+ ;;
+--
+2.20.1
+
diff --git a/bind.spec b/bind.spec
index f7ff9dc..5af1fc5 100644
--- a/bind.spec
+++ b/bind.spec
@@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name: bind
 License: MPLv2.0
 Version: 9.11.5
-Release: 9%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release: 10%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
 Epoch: 32
 Url: https://www.isc.org/downloads/bind/
 #
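Review bot: In bind-9.11-ed448-disable.patch, the comment added in the first configure.in hunk says Ed448 "can be enabled by --with-eddsa=all", but the second hunk comments out `AC_DEFINE(HAVE_OPENSSL_ED448, 1, ...)` in the only visible `yes)` branch, so as far as these lines show the define is never emitted, however `have_ed448` became "yes". Either correct the comment (for example `# disabled unconditionally until the upstream issue is resolved`) or keep the define behind an explicit opt-in such as `test "x$with_eddsa" = xall && AC_DEFINE(...)`; the `--with-eddsa` handling lies outside both hunks, so confirm which behaviour is intended. The operational consequence also deserves a line in the changelog entry: with Ed448 (DNSSEC algorithm 16) compiled out, a validating resolver built from this package will presumably treat zones signed only with that algorithm as insecure instead of validating them.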
@@ -137,6 +137,8 @@ Patch164:bind-9.11-rh1666814.patch
 Patch165:bind-9.11-rh1647829.patch
 # commit 8e1cc95c943b7dfaaaaf2d9a4971861735cc3fb2
 Patch166:bind-9.11-rh1647829-2.patch
+# https://gitlab.isc.org/isc-projects/bind9/issues/225
+Patch167:bind-9.11-ed448-disable.patch
 
 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -516,6 +518,7 @@ are used for building ISC DHCP.
 %patch164 -p1 -b .rh1666814
 %patch165 -p1 -b .rh1647829
 %patch166 -p1 -b .rh1647829-2
+%patch167 -p1 -b .noed448
 
 mkdir lib/dns/tests/testdata/dstrandom
 cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@@ -1523,6 +1526,9 @@ fi;
 
 
 %changelog
+* Thu Feb 21 2019 Petr Menšík - 32:9.11.5-10.P1
+- Disable autodetected eddsa algorithm ED448
+
 * Thu Jan 31 2019 Petr Menšík - 32:9.11.5-9.P1
 - dig prints ASCII name instead of failure (#1647829)
 - disable IDN output from scripts