diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
index bdab9e8621..52ea741802 100644
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
@@ -57,6 +57,7 @@ options {
 	recursion no;
 	notify yes;
 	minimal-responses no;
+	update-quota 1;
 };
 
 acl named-acl {
@@ -117,6 +118,7 @@ zone "other.nil" {
 	check-integrity no;
 	check-mx warn;
 	update-policy local;
+	allow-query { !10.53.0.2; any; };
 	allow-query-on { 10.53.0.1; 127.0.0.1; };
 	allow-transfer { any; };
 };
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index 5adc99ce5c..7333609645 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -1558,6 +1558,34 @@ $DIG $DIGOPTS +tcp @10.53.0.3 _dns.ns.relaxed SVCB > dig.out.ns3.test$n
 grep '1 ns.relaxed. alpn="h2"' dig.out.ns3.test$n || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
 
+n=$((n + 1))
+ret=0
+echo_i "check that update is rejected if query is not allowed ($n)"
+{
+  $NSUPDATE -d <<END
+  local 10.53.0.2
+  server 10.53.0.1 ${PORT}
+  update add reject.other.nil 3600 IN TXT Whatever
+  send
+END
+} > nsupdate.out.test$n 2>&1
+grep 'failed: REFUSED' nsupdate.out.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that update is rejected if quota is exceeded ($n)"
+for loop in 1 2 3 4 5 6 7 8 9 10; do
+{
+  $NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > /dev/null 2>&1 <<END
+  update add txt-$loop.other.nil 3600 IN TXT Whatever
+  send
+END
+} &
+done
+wait_for_log 10 "too many DNS UPDATEs queued" ns1/named.run || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
 if ! $FEATURETEST --gssapi ; then
   echo_i "SKIPPED: GSSAPI tests"
 else
diff --git a/bin/tests/system/upforwd/clean.sh b/bin/tests/system/upforwd/clean.sh
index a2c53cdde8..2641c43893 100644
--- a/bin/tests/system/upforwd/clean.sh
+++ b/bin/tests/system/upforwd/clean.sh
@@ -31,3 +31,5 @@ rm -f keyname keyname.err
 rm -f ns*/named.lock
 rm -f ns1/example2.db
 rm -f ns*/managed-keys.bind*
+rm -f nsupdate.out.*
+rm -f ns*/named.run.prev
diff --git a/bin/tests/system/upforwd/ns3/named.conf.in b/bin/tests/system/upforwd/ns3/named1.conf.in
similarity index 84%
rename from bin/tests/system/upforwd/ns3/named.conf.in
rename to bin/tests/system/upforwd/ns3/named1.conf.in
index ed4f421537..624fdcef99 100644
--- a/bin/tests/system/upforwd/ns3/named.conf.in
+++ b/bin/tests/system/upforwd/ns3/named1.conf.in
@@ -27,12 +27,12 @@ options {
 };
 
 key rndc_key {
-        secret "1234abcd8765";
-        algorithm @DEFAULT_HMAC@;
+	secret "1234abcd8765";
+	algorithm @DEFAULT_HMAC@;
 };
 
 controls {
-        inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 
 tls tls-example-primary {
@@ -43,21 +43,21 @@ tls tls-example-primary {
 zone "example" {
 	type secondary;
 	file "example.bk";
-	allow-update-forwarding { any; };
+	allow-update-forwarding { 10.53.0.1; };
 	primaries { 10.53.0.1 tls ephemeral; };
 };
 
 zone "example2" {
 	type secondary;
 	file "example2.bk";
-	allow-update-forwarding { any; };
+	allow-update-forwarding { 10.53.0.1; };
 	primaries { 10.53.0.1; };
 };
 
 zone "example3" {
 	type secondary;
 	file "example3.bk";
-	allow-update-forwarding { any; };
+	allow-update-forwarding { 10.53.0.1; };
 	primaries {
 		10.53.0.1 tls tls-example-primary; // bad
 		10.53.0.1; // good
diff --git a/bin/tests/system/upforwd/ns3/named2.conf.in b/bin/tests/system/upforwd/ns3/named2.conf.in
new file mode 100644
index 0000000000..9d5df0f029
--- /dev/null
+++ b/bin/tests/system/upforwd/ns3/named2.conf.in
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	tls-port @TLSPORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on tls ephemeral { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	update-quota 1;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "example" {
+	type secondary;
+	file "example.bk";
+	allow-update-forwarding { any; };
+	primaries { 10.53.0.1; };
+};
diff --git a/bin/tests/system/upforwd/setup.sh b/bin/tests/system/upforwd/setup.sh
index 531a46a20d..f2719bace0 100644
--- a/bin/tests/system/upforwd/setup.sh
+++ b/bin/tests/system/upforwd/setup.sh
@@ -18,7 +18,7 @@ cp -f ns3/noprimary.db ns3/noprimary1.db
 
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
-copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns3/named1.conf.in ns3/named.conf
 
 if $FEATURETEST --enable-dnstap
 then
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
index 7aeaa4a746..31508e5049 100644
--- a/bin/tests/system/upforwd/tests.sh
+++ b/bin/tests/system/upforwd/tests.sh
@@ -81,6 +81,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
 echo_i "checking update forwarding of a zone (signed) (Do53 -> DoT) ($n)"
 ret=0
 $NSUPDATE -y "${DEFAULT_HMAC}:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K" -- - <<EOF || ret=1
+local 10.53.0.1
 server 10.53.0.3 ${PORT}
 update add updated.example. 600 A 10.10.10.1
 update add updated.example. 600 TXT Foo
@@ -122,6 +123,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
 echo_i "checking update forwarding of a zone (signed) (DoT -> DoT) ($n)"
 ret=0
 $NSUPDATE -y "${DEFAULT_HMAC}:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K" -S -O -- - <<EOF || ret=1
+local 10.53.0.1
 server 10.53.0.3 ${TLSPORT}
 update add updated-dot.example. 600 A 10.10.10.1
 update add updated-dot.example. 600 TXT Foo
@@ -181,6 +183,7 @@ fi
 echo_i "updating zone (unsigned) ($n)"
 ret=0
 $NSUPDATE -- - <<EOF || ret=1
+local 10.53.0.1
 server 10.53.0.3 ${PORT}
 update add unsigned.example. 600 A 10.10.10.1
 update add unsigned.example. 600 TXT Foo
@@ -248,6 +251,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
 echo_i "checking update forwarding of a zone (signed) (Do53 -> DoT) ($n)"
 ret=0
 $NSUPDATE -y "${DEFAULT_HMAC}:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K" -- - <<EOF || ret=1
+local 10.53.0.1
 server 10.53.0.3 ${PORT}
 update add updated.example3. 600 A 10.10.10.1
 update add updated.example3. 600 TXT Foo
@@ -305,6 +309,7 @@ while [ $count -lt 5 -a $ret -eq 0 ]
 do
 (
 $NSUPDATE -- - <<EOF 
+local 10.53.0.1
 server 10.53.0.3 ${PORT}
 zone noprimary
 update add unsigned.noprimary. 600 A 10.10.10.1
@@ -332,10 +337,11 @@ fi
 
 if test -f keyname
 then
-	echo_i "checking update forwarding to with sig0 (Do53 -> Do53) ($n)"
+	echo_i "checking update forwarding with sig0 (Do53 -> Do53) ($n)"
 	ret=0
 	keyname=`cat keyname`
 	$NSUPDATE -k $keyname.private -- - <<EOF
+	local 10.53.0.1
 	server 10.53.0.3 ${PORT}
 	zone example2
 	update add unsigned.example2. 600 A 10.10.10.1
@@ -359,10 +365,11 @@ EOF
 		n=`expr $n + 1`
 	fi
 
-	echo_i "checking update forwarding to with sig0 (DoT -> Do53) ($n)"
+	echo_i "checking update forwarding with sig0 (DoT -> Do53) ($n)"
 	ret=0
 	keyname=`cat keyname`
 	$NSUPDATE -k $keyname.private -S -O -- - <<EOF
+        local 10.53.0.1
 	server 10.53.0.3 ${TLSPORT}
 	zone example2
 	update add unsigned-dot.example2. 600 A 10.10.10.1
@@ -387,5 +394,40 @@ EOF
 	fi
 fi
 
+echo_i "attempting an update that should be rejected by ACL ($n)"
+ret=0
+{
+        $NSUPDATE -- - << EOF
+        local 10.53.0.2
+        server 10.53.0.3 ${PORT}
+        update add another.unsigned.example. 600 A 10.10.10.2
+        update add another.unsigned.example. 600 TXT Bar
+        send
+EOF
+} > nsupdate.out.$n 2>&1
+grep REFUSED nsupdate.out.$n > /dev/null || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+n=`expr $n + 1`
+
+n=$((n + 1))
+ret=0
+echo_i "attempting updates that should exceed quota ($n)"
+# lower the update quota to 1.
+copy_setports ns3/named2.conf.in ns3/named.conf
+rndc_reconfig ns3 10.53.0.3
+nextpart ns3/named.run > /dev/null
+for loop in 1 2 3 4 5 6 7 8 9 10; do
+{
+  $NSUPDATE -- - > /dev/null 2>&1 <<END
+  local 10.53.0.1
+  server 10.53.0.3 ${PORT}
+  update add txt-$loop.unsigned.example 300 IN TXT Whatever
+  send
+END
+} &
+done
+wait_for_log 10 "too many DNS UPDATEs queued" ns3/named.run || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1