diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
index 4d31c056ff..6793caa920 100644
--- a/bin/tests/system/feature-test.c
+++ b/bin/tests/system/feature-test.c
@@ -38,6 +38,7 @@ usage(void) {
 fprintf(stderr, "args:\n");
 fprintf(stderr, "\t--edns-version\n");
 fprintf(stderr, "\t--enable-dnsrps\n");
+ fprintf(stderr, "\t--enable-dnstap\n");
 fprintf(stderr, "\t--gethostname\n");
 fprintf(stderr, "\t--gssapi\n");
 fprintf(stderr, "\t--have-geoip2\n");
@@ -73,6 +74,14 @@ main(int argc, char **argv) {
 #endif /* ifdef USE_DNSRPS */
 }
+ if (strcmp(argv[1], "--enable-dnstap") == 0) {
+#ifdef HAVE_DNSTAP
+ return (0);
+#else /* ifdef HAVE_DNSTAP */
+ return (1);
+#endif /* ifdef HAVE_DNSTAP */
+ }
+
 if (strcmp(argv[1], "--gethostname") == 0) {
 char hostname[MAXHOSTNAMELEN];
 int n;
diff --git a/bin/tests/system/upforwd/clean.sh b/bin/tests/system/upforwd/clean.sh
index 88452154bf..2025252556 100644
--- a/bin/tests/system/upforwd/clean.sh
+++ b/bin/tests/system/upforwd/clean.sh
@@ -16,12 +16,16 @@
 rm -f dig.out.ns1* dig.out.ns2 dig.out.ns1 dig.out.ns3 dig.out.ns1.after
 rm -f ns1/*.jnl ns2/*.jnl ns3/*.jnl ns1/example.db ns2/*.bk ns3/*.bk
 rm -f ns3/nomaster1.db
+rm -f ns3/dnstap.out*
+rm -f ns3/dnstap.conf
+rm -f dnstap.out*
+rm -f dnstapread.out*
 rm -f */named.memstats
 rm -f */named.run
 rm -f */named.conf
 rm -f */ans.run
 rm -f Ksig0.example2.*
-rm -f keyname
+rm -f keyname keyname.err
 rm -f ns*/named.lock
 rm -f ns1/example2.db
 rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/upforwd/ns3/named.conf.in b/bin/tests/system/upforwd/ns3/named.conf.in
index e9f97698af..7bd13d3417 100644
--- a/bin/tests/system/upforwd/ns3/named.conf.in
+++ b/bin/tests/system/upforwd/ns3/named.conf.in
@@ -19,6 +19,16 @@ options {
 listen-on-v6 { none; };
 recursion no;
 notify yes;
+ include "dnstap.conf";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 zone "example" {
diff --git a/bin/tests/system/upforwd/setup.sh b/bin/tests/system/upforwd/setup.sh
index 927356f7ae..91804e4b20 100644
--- a/bin/tests/system/upforwd/setup.sh
+++ b/bin/tests/system/upforwd/setup.sh
@@ -18,10 +18,23 @@
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
+if ../feature-test --enable-dnstap
+then
+ cat <<'EOF' > ns3/dnstap.conf
+ dnstap-identity "ns3";
+ dnstap-version "xxx";
+ dnstap-output file "dnstap.out";
+ dnstap { all; };
+EOF
+else
+ echo "/* DNSTAP NOT ENABLED */" >ns3/dnstap.conf
+fi
+
+
 #
 # SIG(0) required cryptographic support which may not be configured.
 #
-keyname=`$KEYGEN -q -n HOST -a RSASHA1 -b 1024 -T KEY sig0.example2 2>/dev/null | $D2U`
+keyname=`$KEYGEN -q -n HOST -a RSASHA1 -b 1024 -T KEY sig0.example2 2>keyname.err`
 if test -n "$keyname"
 then
 cat ns1/example1.db $keyname.key > ns1/example2.db
@@ -29,3 +42,4 @@ then
 else
 cat ns1/example1.db > ns1/example2.db
 fi
+cat_i < keyname.err
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
index fdeb9f6169..e46a4d2c96 100644
--- a/bin/tests/system/upforwd/tests.sh
+++ b/bin/tests/system/upforwd/tests.sh
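Review bot: The new `controls` statement in ns3/named.conf.in accepts rndc connections from any source (`allow { any; }`) and authenticates them with a short fixed secret, and nothing in the file marks either as test-only. The secret presumably has to match the key in `../common/rndc.conf`, which tests.sh passes to rndc, so it cannot be changed here alone; a comment above the key such as `/* test-only key, must match ../common/rndc.conf; not for use outside the system tests */` would record that dependency. Because the listener is bound to the test address 10.53.0.3, the ACL could also be limited to that address range instead of `any`, if the harness does not rely on wider access.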
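Review bot: The dnstap probe in setup.sh calls the helper by relative path, `if ../feature-test --enable-dnstap`, while the tests.sh part of this commit uses `$FEATURETEST --enable-dnstap`; the two scripts can disagree if the variable ever points elsewhere, so `if $FEATURETEST --enable-dnstap` is the safer form here (the script already uses `$KEYGEN`, so conf.sh appears to be sourced above the hunk). The rewritten `keyname=` line also drops `| $D2U` together with the stderr change; if key generation output can carry a carriage return on some platform, `$keyname.key` would then name a non-existent file, so that removal deserves a word in the commit message or a comment. The `if test -n "$keyname"` block continues outside this hunk.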
@@ -16,9 +16,22 @@
 . ../conf.sh
 DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
+RNDCCMD="$RNDC -p ${CONTROLPORT} -c ../common/rndc.conf"
 status=0
 n=1
+capture_dnstap() {
+ retry_quiet 20 test -f ns3/dnstap.out && mv ns3/dnstap.out dnstap.out.$n
+ $RNDCCMD -s 10.53.0.3 dnstap -reopen
+}
+
+uq_equals_ur() {
+ "$DNSTAPREAD" dnstap.out.$n |
+ awk '$3 == "UQ" { UQ+=1 } $3 == "UR" { UR += 1 } END { print UQ+0, UR+0 }' > dnstapread.out$n
+ read UQ UR < dnstapread.out$n
+ echo_i "UQ=$UQ UR=$UR"
+ test $UQ -eq $UR || return 1
+}
 echo_i "waiting for servers to be ready for testing ($n)"
 for i in 1 2 3 4 5 6 7 8 9 10
@@ -110,6 +123,17 @@ grep "forwarding update for zone 'example/IN'" ns3/named.run > /dev/null || ret=
 if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
 n=`expr $n + 1`
+if $FEATURETEST --enable-dnstap
+then
+ echo_i "checking DNSTAP logging of UPDATE forwarded update replies ($n)"
+ ret=0
+ capture_dnstap
+ uq_equals_ur || ret=1
+ if [ $ret != 0 ] ; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+ n=`expr $n + 1`
+fi
+
 echo_i "updating zone (unsigned) ($n)"
 ret=0
 $NSUPDATE -- - <
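Review bot: `uq_equals_ur` in the first tests.sh hunk passes when nothing was captured: if `dnstap.out.$n` is missing or `$DNSTAPREAD` fails, the awk `END` block still prints `0 0` and `test $UQ -eq $UR` succeeds. `capture_dnstap` makes that case reachable, because when `retry_quiet` gives up the `mv` is skipped silently, the function's status is that of the rndc call only, and the caller in the second hunk does not check it. Assuming at least one forwarded update has been logged by this point, `test "$UQ" -gt 0 && test "$UQ" -eq "$UR" || return 1` would make the check fail closed, and `test -f dnstap.out.$n || return 1` at the top of `uq_equals_ur` would report the missing capture directly. The second hunk appears to continue past the end of the visible text.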