diff --git a/bin/tests/system/sfcache/clean.sh b/bin/tests/system/sfcache/clean.sh
index 1f22f85c01..616244cb05 100644
--- a/bin/tests/system/sfcache/clean.sh
+++ b/bin/tests/system/sfcache/clean.sh
@@ -9,7 +9,7 @@
 rm -f */K*.key */K*.private */*.signed */*.db */dsset-*
 rm -f */managed.conf */trusted.conf
 rm -f */named.memstats
-rm -f */named.run
+rm -f */named.run */named.run.prev
 rm -f dig.*
 rm -f sfcache.*
 rm -f ns*/named.lock
diff --git a/bin/tests/system/sfcache/tests.sh b/bin/tests/system/sfcache/tests.sh
index e9986b2b4a..bbab1c95e4 100644
--- a/bin/tests/system/sfcache/tests.sh
+++ b/bin/tests/system/sfcache/tests.sh
@@ -16,6 +16,15 @@ rm -f dig.out.*
 
 DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p 5300"
 
+# read everything that's been appended to a file since the last time
+# 'nextpart' was called.
+nextpart () {
+    [ -f $1.prev ] || echo "0" > $1.prev
+    prev=`cat $1.prev`
+    awk "FNR > $prev "'{ print }
+         END           { print NR > "/dev/stderr" }' $1 2> $1.prev
+}
+
 echo "I:checking DNSSEC SERVFAIL is cached ($n)"
 ret=0
 $DIG $DIGOPTS +dnssec foo.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
@@ -47,8 +56,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
 echo "I:disabling server to force non-dnssec SERVFAIL"
-$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 stop 2>&1 | sed 's/^/I:ns2 /'
-
+$PERL $SYSTEMTESTTOP/stop.pl --use-rndc ns2
 awk '/SERVFAIL/ { next; out=1 } /Zone/ { out=0 } { if (out) print }' ns5/named_dump.db
 echo "I:checking SERVFAIL is cached ($n)"
 ret=0
@@ -66,24 +74,28 @@ status=`expr $status + $ret`
 
 echo "I:checking SERVFAIL is returned from cache ($n)"
 ret=0
+nextpart ns5/named.run > /dev/null
 $DIG $DIGOPTS bar.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
 grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
+nextpart ns5/named.run | grep 'servfail cache hit bar.example/A (CD=0)' > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
-echo "I:checking with +cd query ($n)"
+echo "I:checking cache is bypassed with +cd query ($n)"
 ret=0
 $DIG $DIGOPTS +cd bar.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
 grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
+nextpart ns5/named.run | grep 'servfail cache hit' > /dev/null && ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
-echo "I:checking with +dnssec query ($n)"
+echo "I:checking cache is used for subsequent +cd query ($n)"
 ret=0
-$DIG $DIGOPTS +cd bar.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
+$DIG $DIGOPTS +dnssec bar.example. a @10.53.0.5 > dig.out.ns5.test$n || ret=1
 grep "SERVFAIL" dig.out.ns5.test$n > /dev/null || ret=1
+nextpart ns5/named.run | grep 'servfail cache hit bar.example/A (CD=1)' > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`