diff --git a/bin/tests/system/nsec3/clean.sh b/bin/tests/system/nsec3/clean.sh
index d6b11e749b..7ca6829689 100644
--- a/bin/tests/system/nsec3/clean.sh
+++ b/bin/tests/system/nsec3/clean.sh
@@ -13,7 +13,7 @@
 
 set -e
 
-rm -f dig.out.* rndc.signing.* verify.out.*
+rm -f dig.out.* rndc.signing.* update.out.* verify.out.*
 rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
 rm -f ns*/*.jnl ns*/*.jbk ns*/managed-keys.bind
 rm -f ns*/K*.private ns*/K*.key ns*/K*.state
diff --git a/bin/tests/system/nsec3/ns3/named.conf.in b/bin/tests/system/nsec3/ns3/named.conf.in
index dc885f0066..e21c533610 100644
--- a/bin/tests/system/nsec3/ns3/named.conf.in
+++ b/bin/tests/system/nsec3/ns3/named.conf.in
@@ -185,10 +185,26 @@ zone "nsec3-fails-to-load.kasp" {
 	allow-update { any; };
 };
 
-/* The zone switches from dynamic to inline-signing. */
+/* These zones switch from dynamic to inline-signing or vice versa. */
 zone "nsec3-dynamic-to-inline.kasp" {
 	type primary;
 	file "nsec3-dynamic-to-inline.kasp.db";
 	dnssec-policy "nsec3";
 	allow-update { any; };
 };
+
+zone "nsec3-inline-to-dynamic.kasp" {
+	type primary;
+	file "nsec3-inline-to-dynamic.kasp.db";
+	inline-signing yes;
+	dnssec-policy "nsec3";
+};
+
+/* Test adding a NSEC3 record to an inline-signing dnssec-policy zone. */
+zone "nsec3-dynamic-update-inline.kasp" {
+	type primary;
+	file "nsec3-dynamic-update-inline.kasp.db";
+	inline-signing yes;
+	allow-update { any; };
+	dnssec-policy "nsec";
+};
diff --git a/bin/tests/system/nsec3/ns3/named2.conf.in b/bin/tests/system/nsec3/ns3/named2.conf.in
index 26b49ea109..084bba3f0b 100644
--- a/bin/tests/system/nsec3/ns3/named2.conf.in
+++ b/bin/tests/system/nsec3/ns3/named2.conf.in
@@ -194,7 +194,7 @@ zone "nsec3-fails-to-load.kasp" {
 	allow-update { any; };
 };
 
-/* The zone switches from dynamic to inline-signing. */
+/* These zones switch from dynamic to inline-signing or vice versa. */
 zone "nsec3-dynamic-to-inline.kasp" {
 	type primary;
 	file "nsec3-dynamic-to-inline.kasp.db";
@@ -202,3 +202,11 @@ zone "nsec3-dynamic-to-inline.kasp" {
 	dnssec-policy "nsec3";
 	allow-update { any; };
 };
+
+zone "nsec3-inline-to-dynamic.kasp" {
+	type primary;
+	file "nsec3-inline-to-dynamic.kasp.db";
+	inline-signing no;
+	dnssec-policy "nsec3";
+	allow-update { any; };
+};
diff --git a/bin/tests/system/nsec3/ns3/setup.sh b/bin/tests/system/nsec3/ns3/setup.sh
index a0dd793236..68bc2e4511 100644
--- a/bin/tests/system/nsec3/ns3/setup.sh
+++ b/bin/tests/system/nsec3/ns3/setup.sh
@@ -26,7 +26,8 @@ setup() {
 
 for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec \
 	  nsec3-to-optout nsec3-from-optout nsec3-dynamic \
-	  nsec3-dynamic-change nsec3-dynamic-to-inline
+	  nsec3-dynamic-change nsec3-dynamic-to-inline \
+	  nsec3-inline-to-dynamic nsec3-dynamic-update-inline
 do
 	setup "${zn}.kasp"
 done
diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh
index 7317d79060..8c70497149 100644
--- a/bin/tests/system/nsec3/tests.sh
+++ b/bin/tests/system/nsec3/tests.sh
@@ -304,6 +304,13 @@ set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 
+# Zone: nsec3-inline-to-dynamic.kasp.
+set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600
+set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+
 # Zone: nsec3-to-nsec.kasp.
 set_zone_policy "nsec3-to-nsec.kasp" "nsec3" 1 3600
 set_nsec3param "0" "0" "0"
@@ -332,7 +339,26 @@ set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 
+# Zone: nsec3-dynamic-update-inline.kasp.
+set_zone_policy "nsec3-dynamic-update-inline.kasp" "nsec" 1 3600
+set_key_default_values "KEY1"
+echo_i "initial check zone ${ZONE}"
+check_nsec
+
+n=$((n+1))
+echo_i "dynamic update dnssec-policy zone ${ZONE} with NSEC3 ($n)"
+ret=0
+$NSUPDATE > update.out.$ZONE.test$n 2>&1 << END || ret=1
+server 10.53.0.3 ${PORT}
+zone ${ZONE}.
+update add 04O18462RI5903H8RDVL0QDT5B528DUJ.${ZONE}. 3600 NSEC3 0 0 0 408A4B2D412A4E95 1JMDDPMTFF8QQLIOINSIG4CR9OTICAOC A RRSIG
+send
+END
+wait_for_log 10 "updating zone '${ZONE}/IN': update failed: explicit NSEC3 updates are not allowed in secure zones (REFUSED)" ns3/named.run || ret=1
+check_nsec
+
 # Reconfig named.
+ret=0
 echo_i "reconfig dnssec-policy to trigger nsec3 rollovers"
 copy_setports ns3/named2.conf.in ns3/named.conf
 rndc_reconfig ns3 10.53.0.3
@@ -426,13 +452,20 @@ set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 
-# Zone: nsec3-dynamic-to-inline.kasp. (reconfigured)
+# Zone: nsec3-dynamic-to-inline.kasp. (same)
 set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600
 set_nsec3param "0" "0" "0"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 
+# Zone: nsec3-inline-to-dynamic.kasp. (same)
+set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600
+set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+
 # Zone: nsec3-to-nsec.kasp. (reconfigured)
 set_zone_policy "nsec3-to-nsec.kasp" "nsec" 1 3600
 set_nsec3param "1" "11" "8"