diff --git a/bin/tests/system/autosign/clean.sh b/bin/tests/system/autosign/clean.sh
index 359409af39..35a4ca5583 100644
--- a/bin/tests/system/autosign/clean.sh
+++ b/bin/tests/system/autosign/clean.sh
@@ -12,9 +12,9 @@
 rm -f */K* */dsset-* */*.signed */tmp* */*.jnl */*.bk
 rm -f */core
 rm -f */example.bk
+rm -f */named.conf
 rm -f */named.memstats
 rm -f */named.run
-rm -f */named.conf
 rm -f */trusted.conf */private.conf
 rm -f activate-now-publish-1day.key
 rm -f active.key inact.key del.key delzsk.key unpub.key standby.key rev.key
@@ -24,6 +24,7 @@ rm -f digcomp.out.test*
 rm -f digcomp.out.test*
 rm -f missingzsk.key inactivezsk.key
 rm -f nopriv.key vanishing.key del1.key del2.key
+rm -f ns*/managed-keys.bind*
 rm -f ns*/named.lock
 rm -f ns*/named.lock
 rm -f ns1/root.db
@@ -32,11 +33,12 @@ rm -f ns2/private.secure.example.db ns2/bar.db
 rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf
 rm -f ns3/*.nzf
 rm -f ns3/autonsec3.example.db
+rm -f ns3/delzsk.example.db
+rm -f ns3/dname-at-apex-nsec3.example.db
 rm -f ns3/inacksk2.example.db
 rm -f ns3/inacksk3.example.db
 rm -f ns3/inaczsk2.example.db
 rm -f ns3/inaczsk3.example.db
-rm -f ns3/delzsk.example.db
 rm -f ns3/kg.out ns3/s.out ns3/st.out
 rm -f ns3/kskonly.example.db
 rm -f ns3/nozsk.example.db ns3/inaczsk.example.db
@@ -64,4 +66,3 @@ rm -f nsupdate.out
 rm -f settime.out.*
 rm -f signing.out.*
 rm -f sync.key
-rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/autosign/ns2/example.db.in b/bin/tests/system/autosign/ns2/example.db.in
index b4eeccbecf..d519863098 100644
--- a/bin/tests/system/autosign/ns2/example.db.in
+++ b/bin/tests/system/autosign/ns2/example.db.in
@@ -82,3 +82,5 @@ ns.nsec3-to-nsec A 10.53.0.3
 oldsigs NS ns.oldsigs
 ns.oldsigs A 10.53.0.3
+
+dname-at-apex-nsec3 NS ns3
diff --git a/bin/tests/system/autosign/ns2/keygen.sh b/bin/tests/system/autosign/ns2/keygen.sh
index d55be53bd9..2f7d438b4c 100644
--- a/bin/tests/system/autosign/ns2/keygen.sh
+++ b/bin/tests/system/autosign/ns2/keygen.sh
@@ -15,7 +15,8 @@ SYSTEMTESTTOP=../..
 # Have the child generate subdomain keys and pass DS sets to us.
 ( cd ../ns3 && $SHELL keygen.sh )
-for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 nsec3-to-nsec oldsigs sync
+for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 nsec3-to-nsec oldsigs sync \
+ dname-at-apex-nsec3
 do
 cp ../ns3/dsset-$subdomain.example$TP .
 done
diff --git a/bin/tests/system/autosign/ns3/dname-at-apex-nsec3.example.db.in b/bin/tests/system/autosign/ns3/dname-at-apex-nsec3.example.db.in
new file mode 100644
index 0000000000..c4a378eba1
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/dname-at-apex-nsec3.example.db.in
@@ -0,0 +1,5 @@
+$TTL 600
+@ SOA ns3.example. . 1 1200 1200 1814400 3600
+@ NS ns3.example.
+@ DNAME example.
+@ NSEC3PARAM 1 0 0 -
diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh
index a113ff570e..826a35cd79 100644
--- a/bin/tests/system/autosign/ns3/keygen.sh
+++ b/bin/tests/system/autosign/ns3/keygen.sh
@@ -325,3 +325,12 @@ ksk=`$KEYGEN -a NSEC3RSASHA1 -3 -q -fk $zone 2> kg.out` || dumpit kg.out
 $KEYGEN -a NSEC3RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
 zsk=`$KEYGEN -a NSEC3RSASHA1 -3 -q -I now-1w $zone 2>kg.out` || dumpit kg.out
 echo $zsk > ../delzsk.key
+
+#
+# Check that NSEC3 are correctly signed and returned from below a DNAME
+#
+setup dname-at-apex-nsec3.example
+cp $infile $zonefile
+ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
diff --git a/bin/tests/system/autosign/ns3/named.conf.in b/bin/tests/system/autosign/ns3/named.conf.in
index 529e39d0b8..dbb7435511 100644
--- a/bin/tests/system/autosign/ns3/named.conf.in
+++ b/bin/tests/system/autosign/ns3/named.conf.in
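Review bot: In ns3/keygen.sh the last added line, `$DSFROMKEY $ksk.key > dsset-${zone}$TP`, is the only command in the new block without failure handling, while the two `$KEYGEN` calls above it end in `|| dumpit kg.out`. If it fails, the redirection still leaves an empty dsset file behind, and the ns2/keygen.sh loop extended in this commit copies `dsset-$subdomain.example$TP` into the parent directory, so the problem would probably surface only later as a missing DS. Capturing stderr and reusing the existing helper would keep the block consistent: `$DSFROMKEY $ksk.key > dsset-${zone}$TP 2> kg.out || dumpit kg.out` (`dumpit` is defined outside this hunk, so confirm it aborts the script). The block also spells the algorithm `-a RSASHA1 -3` where the block just above uses `-a NSEC3RSASHA1 -3`; writing `NSEC3RSASHA1` here too would make the algorithm number 7 that tests.sh greps for easier to trace.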
@@ -289,4 +289,11 @@ zone "delzsk.example." {
 auto-dnssec maintain;
 };
+zone "dname-at-apex-nsec3.example" {
+ type master;
+ file "dname-at-apex-nsec3.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
 include "trusted.conf";
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index 8c4aa99d83..fbe70e592d 100755
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -1449,5 +1449,13 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
+echo_i "check that DNAME at apex with NSEC3 is correctly signed (auto-dnssec maintain) ($n)"
+ret=0
+$DIG $DIGOPTS txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "RRSIG NSEC3 7 3 3600" dig.out.ns3.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
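Review bot: In ns3/named.conf.in the new `dname-at-apex-nsec3.example` zone carries `allow-update { any; };`, which accepts dynamic updates from any source address without a TSIG key. `auto-dnssec maintain` needs the zone to be dynamic, so the statement cannot simply be dropped, but the check added to tests.sh only queries the zone with dig; if nothing else in the suite sends updates to it, a narrower form such as `update-policy local;` would be enough. If `any` is kept for parity with the other zones (they are outside this hunk), a comment such as `// test fixture only: unauthenticated updates` guards against the stanza being copied into a real configuration. The zone name is also written without the trailing dot that the neighbouring `zone "delzsk.example."` uses.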
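Review bot: In tests.sh the added check greps the dig output for `RRSIG NSEC3 7 3 3600`, which shows that an RRSIG covering NSEC3 with those header fields is present in the answer but not that the signature verifies, so "correctly signed" in the test title claims more than is asserted. If the suite has a validating resolver available (none is visible in this hunk), repeating the query through it and checking for the `ad` flag would cover validity as well. The three numbers are also unexplained; a comment such as `# 7 = NSEC3RSASHA1 (ns3/keygen.sh), 3 = labels in the NSEC3 owner name, 3600 = SOA minimum of the zone` would tell the next reader what has to change when the key algorithm or the zone file does. The surrounding test sequence starts outside the hunk.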