diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index 91388ce6ed..41d8bbf056 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -491,7 +491,7 @@ n=`expr $n + 1`
 echo_i "checking named-checkconf kasp errors ($n)"
 ret=0
 $CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1
-grep "'dnssec-policy;' requires dynamic DNS or inline-signing to be configured for the zone" < checkconf.out$n > /dev/null || ret=1
+grep "'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'" < checkconf.out$n > /dev/null || ret=1
 grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
 grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
 grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index ae62c9002d..db4aec53ec 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -3447,11 +3447,16 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 if (has_dnssecpolicy) {
 if (!ddns && !signing) {
 cfg_obj_log(kasp, logctx, ISC_LOG_ERROR,
- "'dnssec-policy;' requires%s "
- "inline-signing to be configured "
- "for the zone",
+ "'inline-signing yes;' must also "
+ "be configured explicitly for "
+ "zones using dnssec-policy%s. See "
+ "https://kb.isc.org/docs/"
+ "dnssec-policy-requires-dynamic-"
+ "dns-or-inline-signing",
 (ztype == CFG_ZONE_PRIMARY)
- ? " dynamic DNS or"
+ ? " without a configured "
+ "'allow-update' or "
+ "'update-policy'"
 : "");
 result = ISC_R_FAILURE;
 }
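Review bot: The updated grep on the added line stops at `'update-policy'`, so it never checks the `. See https://kb.isc.org/docs/…` tail that the check.c change appends to the same message. A second check such as `grep "dnssec-policy-requires-dynamic-dns-or-inline-signing" < checkconf.out$n > /dev/null || ret=1` would pin the link as well. The pattern also matches only the primary-zone wording; whether kasp-and-other-dnssec-options.conf contains a non-primary zone is not visible here, so the shorter variant of the message may be untested.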
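Review bot: The KB link in the new cfg_obj_log() message is split across three literals (`"https://kb.isc.org/docs/"`, `"dnssec-policy-requires-dynamic-"`, `"dns-or-inline-signing"`), so searching the source for the URL or its slug finds nothing when an operator traces the log line back to code or when the article moves. Keeping it as one literal, `"https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing",`, even past the column limit, keeps it greppable. A one-line comment above the `if (!ddns && !signing)` test, for example `/* dnssec-policy needs dynamic updates or inline-signing to maintain signatures */`, would record the requirement the old message stated and the new one only implies. check_zoneconf begins and ends outside this hunk, so how `ddns` and `signing` are derived cannot be confirmed from here.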