diff --git a/bin/tests/system/ecdsa/clean.sh b/bin/tests/system/ecdsa/clean.sh
index 1b0d13d426..8db3a84359 100644
--- a/bin/tests/system/ecdsa/clean.sh
+++ b/bin/tests/system/ecdsa/clean.sh
@@ -23,3 +23,4 @@ rm -f ns*/named.run
 rm -f ns*/root.db
 rm -f ns*/signer.err
 rm -f ns*/trusted.conf
+rm -f *-supported.file
diff --git a/bin/tests/system/ecdsa/ns1/sign.sh b/bin/tests/system/ecdsa/ns1/sign.sh
index 1e47ff165f..55e13009fb 100644
--- a/bin/tests/system/ecdsa/ns1/sign.sh
+++ b/bin/tests/system/ecdsa/ns1/sign.sh
@@ -17,14 +17,39 @@ zone=.
 infile=root.db.in
 zonefile=root.db
 
-key1=$($KEYGEN -q -a ECDSAP256SHA256 -n zone "$zone")
-key2=$($KEYGEN -q -a ECDSAP384SHA384 -n zone -f KSK "$zone")
-$DSFROMKEY -a sha-384 "$key2.key" > dsset-384
+echo_i "ns1/sign.sh"
 
-cat "$infile" "$key1.key" "$key2.key" > $zonefile
+cp $infile $zonefile
 
-$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err
+if [ -f ../ecdsa256-supported.file ]; then
+	zsk256=$($KEYGEN -q -a ECDSA256 -n zone "$zone")
+	ksk256=$($KEYGEN -q -a ECDSA256 -n zone -f KSK "$zone")
+	cat "$ksk256.key" "$zsk256.key" >> "$zonefile"
+	$DSFROMKEY -a sha-256 "$ksk256.key" >> dsset-256
+fi
+
+if [ -f ../ecdsa384-supported.file ]; then
+	zsk384=$($KEYGEN -q -a ECDSA384 -n zone "$zone")
+	ksk384=$($KEYGEN -q -a ECDSA384 -n zone -f KSK "$zone")
+	cat "$ksk384.key" "$zsk384.key" >> "$zonefile"
+	$DSFROMKEY -a sha-256 "$ksk384.key" >> dsset-256
+fi
 
 # Configure the resolving server with a static key.
-keyfile_to_static_ds "$key1" > trusted.conf
-cp trusted.conf ../ns2/trusted.conf
+if [ -f ../ecdsa256-supported.file ]; then
+	keyfile_to_static_ds $ksk256 > trusted.conf
+	cp trusted.conf ../ns2/trusted.conf
+else
+	keyfile_to_static_ds $ksk384 > trusted.conf
+	cp trusted.conf ../ns2/trusted.conf
+fi
+
+if [ -f ../ecdsa384-supported.file ]; then
+	keyfile_to_static_ds $ksk384 > trusted.conf
+	cp trusted.conf ../ns3/trusted.conf
+else
+	keyfile_to_static_ds $ksk256 > trusted.conf
+	cp trusted.conf ../ns3/trusted.conf
+fi
+
+$SIGNER -P -g -o "$zone" "$zonefile" > /dev/null 2> signer.err || cat signer.err
diff --git a/bin/tests/system/ecdsa/ns3/named.conf.in b/bin/tests/system/ecdsa/ns3/named.conf.in
new file mode 100644
index 0000000000..32d8c77d8f
--- /dev/null
+++ b/bin/tests/system/ecdsa/ns3/named.conf.in
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+	dnssec-validation yes;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/ecdsa/setup.sh b/bin/tests/system/ecdsa/setup.sh
index 19bbbcf64d..4dcab50820 100644
--- a/bin/tests/system/ecdsa/setup.sh
+++ b/bin/tests/system/ecdsa/setup.sh
@@ -13,7 +13,18 @@ set -e
 
 . ../conf.sh
 
+if $SHELL ../testcrypto.sh ecdsap384sha384; then
+	echo "yes" > ecdsa256-supported.file
+fi
+
+if $SHELL ../testcrypto.sh ecdsap384sha384; then
+	echo "yes" > ecdsa384-supported.file
+fi
+
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
-
-cd ns1 && $SHELL sign.sh
+copy_setports ns3/named.conf.in ns3/named.conf
+(
+	cd ns1
+	$SHELL sign.sh
+)
diff --git a/bin/tests/system/ecdsa/tests.sh b/bin/tests/system/ecdsa/tests.sh
index b2c7401e3f..0a12a44378 100644
--- a/bin/tests/system/ecdsa/tests.sh
+++ b/bin/tests/system/ecdsa/tests.sh
@@ -14,23 +14,39 @@ set -e
 . ../conf.sh
 
 status=0
-n=1
+n=0
 
 dig_with_opts() {
     "$DIG" +tcp +noau +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
 }
 
+if [ -f ecdsa256-supported.file ]; then
+	n=$((n+1))
+	echo_i "checking that ECDSA256 positive validation works ($n)"
+	ret=0
+	dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
+	dig_with_opts . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1
+	$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
+	grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=$((status+ret))
+else
+	echo_i "algorithm ECDSA256 not supported, skipping test"
+fi
 
-# Check the example. domain
-echo_i "checking that positive validation works ($n)"
-ret=0
-dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
-dig_with_opts . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1
-$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
-n=$((n+1))
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status+ret))
+if [ -f ecdsa384-supported.file ]; then
+	n=$((n+1))
+	echo_i "checking that ECDSA384 positive validation works ($n)"
+	ret=0
+	dig_with_opts . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
+	dig_with_opts . @10.53.0.3 soa > dig.out.ns3.test$n || ret=1
+	$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns3.test$n || ret=1
+	grep "flags:.*ad.*QUERY" dig.out.ns3.test$n > /dev/null || ret=1
+	if [ $ret != 0 ]; then echo_i "failed"; fi
+	status=$((status+ret))
+else
+	echo_i "algorithm ECDSA384 not supported, skipping test"
+fi
 
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1