diff --git a/CHANGES b/CHANGES index 424be28bb5..4a65b5ccfe 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,38 @@ +6.2.0-dev.155 | 2023-11-21 10:08:14 +0100 + + * GH-3453: DNS: Add Ed25519 and Ed448 enum values to parser (Arne Welzel, Corelight) + + We already had these declared in dns/const.zeek, so extend the parser + as well to avoid raising weirds and add some test pcaps: + + $ dig @8.8.8.8 DNSKEY ed448.no + $ dig @8.8.8.8 ed448.no +dnssec + + And the same for the ed25519.no domain. + + * RE_Match_State: Do not reset current_pos for every Match() call (Arne Welzel, Corelight) + + This seems like a bug: If one feeds one byte at a time, current_pos + is being reset for every byte, possibly reporting the wrong offsets + in the accepted_matches map. + + * frameworks/software: Fix stale value used for stripping (Arne Welzel, Corelight) + + There was some confusion around which value was used subsequent to a strip(), + but sub not respecting anchors make it appear to work. Also seems that the + `\(?` part seems redundant. + + * GH-3455: strings.bif/sub,gsub: Respect anchors in pattern (Arne Welzel, Corelight) + + Anchors within pattern passed to sub() or gsub() were previously ignored, + replacing any occurrence of '' even when '^' was used as a + pattern. + + This is a pretty user-visible change (and we even have anchored patterns + within the base scripts), but seems "the right thing to do". + + Relates to #3455 + 6.2.0-dev.147 | 2023-11-17 18:00:32 +0100 * BTest updates to accommodate event handler coalescence differences (Vern Paxson, Corelight) diff --git a/NEWS b/NEWS index daf081c955..d18db9e4a0 100644 --- a/NEWS +++ b/NEWS @@ -27,6 +27,8 @@ Changed Functionality end-of-line $ anchors. Previously, an anchored pattern would be matched anywhere in the input string. +- Ed25519 and Ed448 DNSKEY and RRSIG entries do not cause weirds anymore. + Removed Functionality --------------------- diff --git a/VERSION b/VERSION index 49397a7c47..ac6895eaee 100644 --- a/VERSION 
+++ b/VERSION
@@ -1 +1 @@
-6.2.0-dev.147
+6.2.0-dev.155
diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc
index 6e0d416bee..304893f121 100644
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@@ -872,6 +872,8 @@ bool DNS_Interpreter::ParseRR_RRSIG(detail::DNS_MsgInfo* msg, const u_char*& dat
 case detail::GOST_R_34_10_2001: break;
 case detail::ECDSA_curveP256withSHA256: break;
 case detail::ECDSA_curveP384withSHA384: break;
+ case detail::Ed25519: break;
+ case detail::Ed448: break;
 case detail::Indirect: analyzer->Weird("DNSSEC_RRSIG_Indirect_ZoneSignAlgo", util::fmt("%d", algo)); break;
 case detail::PrivateDNS: analyzer->Weird("DNSSEC_RRSIG_PrivateDNS_ZoneSignAlgo", util::fmt("%d", algo)); break;
 case detail::PrivateOID: analyzer->Weird("DNSSEC_RRSIG_PrivateOID_ZoneSignAlgo", util::fmt("%d", algo)); break;
@@ -945,6 +947,8 @@ bool DNS_Interpreter::ParseRR_DNSKEY(detail::DNS_MsgInfo* msg, const u_char*& da
 case detail::GOST_R_34_10_2001: break;
 case detail::ECDSA_curveP256withSHA256: break;
 case detail::ECDSA_curveP384withSHA384: break;
+ case detail::Ed25519: break;
+ case detail::Ed448: break;
 case detail::Indirect: analyzer->Weird("DNSSEC_DNSKEY_Indirect_ZoneSignAlgo", util::fmt("%d", dalgorithm)); break;
diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h
index f70c6cfc4e..3b361bc937 100644
--- a/src/analyzer/protocol/dns/DNS.h
+++ b/src/analyzer/protocol/dns/DNS.h
@@ -127,6 +127,8 @@ enum DNSSEC_Algo {
 GOST_R_34_10_2001 = 12,
 ECDSA_curveP256withSHA256 = 13,
 ECDSA_curveP384withSHA384 = 14,
+ Ed25519 = 15,
+ Ed448 = 16,
 Indirect = 252, ///<
 PrivateDNS = 253, ///< OPTIONAL
 PrivateOID = 254, ///< OPTIONAL
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.dnssec/dns.ed25519.log b/testing/btest/Baseline/scripts.base.protocols.dns.dnssec/dns.ed25519.log
new file mode 100644
index 0000000000..8b918e980d
--- /dev/null
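Review bot: The two added `Ed25519`/`Ed448` cases in the ParseRR_RRSIG switch are bare `break;` statements with nothing telling the next reader why these numbers are accepted silently while 252–254 still raise weirds, and the commit message says the script-side list in dns/const.zeek already knew them, so this switch had drifted behind it; nothing here stops the same drift for the next registered algorithm. Add the registry reference inline, `case detail::Ed25519: break; // RFC 8080` and `case detail::Ed448: break; // RFC 8080`, and since ParseR_DNSKEY below repeats the same case list with only the weird-name prefix differing, a comment on this switch such as `// Keep in sync with ParseRR_DNSKEY, DNSSEC_Algo in DNS.h and dns/const.zeek` would make the coupling visible to whoever adds algorithm 17. From a detection standpoint the remaining weirds on Indirect/PrivateDNS/PrivateOID are still the useful signal; what the switch does for values outside the enum is not visible in this hunk. ParseRR_RRSIG's body starts and ends outside the hunk.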
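Review bot: The new enumerators in DNSSEC_Algo carry no `///<` doc comment while the neighbouring 252–254 entries do, and the only place the reader learns where 15 and 16 come from is the changelog. Document them as `Ed25519 = 15, ///< RFC 8080` and `Ed448 = 16, ///< RFC 8080` so the IANA assignment is recorded next to the value, and consider one comment above the enum noting that it mirrors the DNSSEC algorithm table in dns/const.zeek and both must change together, which is exactly the mismatch this commit is fixing. The enum DNSSEC_Algo begins and ends outside the hunk.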
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.dnssec/dns.ed25519.log
@@ -0,0 +1,4 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+id.orig_h id.resp_h qtype_name query answers
+192.168.0.107 8.8.8.8 DNSKEY ed25519.no DNSKEY 15,Ed25519,DNSKEY 15,Ed25519
+192.168.0.107 8.8.8.8 A ed25519.no 194.63.248.47,RRSIG 1 ed25519.no,Ed25519
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.dnssec/dns.ed448.log b/testing/btest/Baseline/scripts.base.protocols.dns.dnssec/dns.ed448.log
new file mode 100644
index 0000000000..5267c46854
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.dnssec/dns.ed448.log
@@ -0,0 +1,4 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+id.orig_h id.resp_h answers
+192.168.0.107 8.8.8.8 DNSKEY 16,Ed448,DNSKEY 16,Ed448
+192.168.0.107 8.8.8.8 194.63.248.47,RRSIG 1 ed448.no,Ed448
diff --git a/testing/btest/Traces/dnssec/ed25519.no.pcap b/testing/btest/Traces/dnssec/ed25519.no.pcap
new file mode 100644
index 0000000000..07cefd411a
Binary files /dev/null and b/testing/btest/Traces/dnssec/ed25519.no.pcap differ
diff --git a/testing/btest/Traces/dnssec/ed448.no.pcap b/testing/btest/Traces/dnssec/ed448.no.pcap
new file mode 100644
index 0000000000..ee5b321b7f
Binary files /dev/null and b/testing/btest/Traces/dnssec/ed448.no.pcap differ
diff --git a/testing/btest/scripts/base/protocols/dns/dnssec.zeek b/testing/btest/scripts/base/protocols/dns/dnssec.zeek
new file mode 100644
index 0000000000..5342fcc00d
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dns/dnssec.zeek
@@ -0,0 +1,24 @@
+# @TEST-DOC: Add the textual representation of the DNSSEC algorithm into answers and verify there's no weirds for the ed25519 and ed448 curves.
+#
+# @TEST-EXEC: zeek -b -r $TRACES/dnssec/ed25519.no.pcap %INPUT
+# @TEST-EXEC: test ! -f weird.log
+# @TEST-EXEC: zeek-cut -m id.orig_h id.resp_h qtype_name query answers < dns.log > dns.ed25519.log
+#
+# @TEST-EXEC: zeek -b -C -r $TRACES/dnssec/ed448.no.pcap %INPUT
+# @TEST-EXEC: test ! -f weird.log
+# @TEST-EXEC: zeek-cut -m id.orig_h id.resp_h questions answers < dns.log > dns.ed448.log
+#
+# @TEST-EXEC: btest-diff dns.ed25519.log
+# @TEST-EXEC: btest-diff dns.ed448.log
+
+@load base/protocols/dns
+
+event dns_RRSIG(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr) &priority=4
+ {
+ c$dns$answers += DNS::algorithms[rrsig$algorithm];
+ }
+
+event dns_DNSKEY(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr) &priority=4
+ {
+ c$dns$answers += DNS::algorithms[dnskey$algorithm];
+ }
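Review bot: The ed448 zeek-cut line asks for a `questions` column, which is not what the ed25519 line uses (`qtype_name query`), and the committed dns.ed448.log baseline header comes out with only three columns (`id.orig_h id.resp_h answers`), consistent with that field not existing in dns.log and being dropped, so the ed448 baseline never records which name or type was queried and would not catch a regression where the RRSIG/DNSKEY answers end up attached to the wrong query. Change it to `# @TEST-EXEC: zeek-cut -m id.orig_h id.resp_h qtype_name query answers < dns.log > dns.ed448.log` and regenerate the baseline with `btest -U`. The ed448 run also passes `-C` while the ed25519 run does not; if the trace really has bad checksums a one-line comment saying so would save the next reader from wondering, otherwise drop it so both runs are exercised the same way. A short comment on the two handlers, e.g. `# Append the algorithm name so the baseline shows which enum value was parsed`, would also make the intent of mutating `c$dns$answers` explicit.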