diff --git a/bin/tests/system/synthfromdnssec/clean.sh b/bin/tests/system/synthfromdnssec/clean.sh index dc76acdb06..12e5ca1388 100644 --- a/bin/tests/system/synthfromdnssec/clean.sh +++ b/bin/tests/system/synthfromdnssec/clean.sh @@ -39,6 +39,7 @@ rm -f ./wild.out ./insecure.wild.out rm -f ./wildcname.out ./insecure.wildcname.out rm -f ./wildnodata1nsec.out ./insecure.wildnodata1nsec.out rm -f ./wildnodata2nsec.out ./insecure.wildnodata2nsec.out +rm -f ./wildnodata2nsecafterdata.out ./insecure.wildnodata2nsecafterdata.out rm -f ./minimal.nxdomain.out rm -f ./black.out rm -f ./xml.out* diff --git a/bin/tests/system/synthfromdnssec/ns1/example.db.in b/bin/tests/system/synthfromdnssec/ns1/example.db.in index d9f149c339..210725ad44 100644 --- a/bin/tests/system/synthfromdnssec/ns1/example.db.in +++ b/bin/tests/system/synthfromdnssec/ns1/example.db.in @@ -17,4 +17,7 @@ nodata TXT nodata *.wild-1-nsec A 1.2.3.4 *.wild-2-nsec A 1.2.3.4 _x.wild-2-nsec TXT a name beween wild-2-nsec and a.wild-2-nsec +*.wild-2-nsec-afterdata A 1.2.3.4 +*.wild-2-nsec-afterdata AAAA 2002::1 +_x.wild-2-nsec-afterdata TXT a name beween wild-2-nsec-afterdata and a.wild-2-nsec-afterdata dnamed DNAME dnamed. diff --git a/bin/tests/system/synthfromdnssec/tests.sh b/bin/tests/system/synthfromdnssec/tests.sh index 452653b440..48e04f43e4 100644 --- a/bin/tests/system/synthfromdnssec/tests.sh +++ b/bin/tests/system/synthfromdnssec/tests.sh 
@@ -175,6 +175,18 @@ do if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) + echo_i "prime wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-2-nsec-afterdata.example. @10.53.0.${ns} TXT > dig.out.txt.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.txt.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.txt.ns${ns}.test$n || ret=1 + check_nosynth_soa example. dig.out.txt.ns${ns}.test$n || ret=1 + check_auth_count 6 dig.out.txt.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.txt.ns${ns}.test$n > wildnodata2nsecafterdata.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + echo_i "prime insecure negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)" ret=0 dig_with_opts a.insecure.example. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 @@ -243,6 +255,18 @@ do if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) + echo_i "prime insecure wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)" + ret=0 + dig_with_opts a.wild-2-nsec-afterdata.insecure.example. @10.53.0.${ns} TXT > dig.out.txt.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.txt.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.txt.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.txt.ns${ns}.test$n || ret=1 + check_auth_count 6 dig.out.txt.ns${ns}.test$n || ret=1 + [ $ns -eq 2 ] && sed 's/^a\./b./' dig.out.txt.ns${ns}.test$n > insecure.wildnodata2nsecafterdata.out + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + echo_i "prime minimal NXDOMAIN response (synth-from-dnssec ${description};) ($n)" ret=0 dig_with_opts nxdomain.minimal. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1 
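Review bot: The `sed` that writes the `digcomp` baseline in the "prime wildcard NODATA 2 NSEC after data" block is the only command there whose failure does not set `ret`. If the write fails, this test still passes and the problem only surfaces later as a confusing mismatch in the "check synthesized" step. I would fold it in: `[ $ns -eq 2 ] && { sed 's/^a\./b./' dig.out.txt.ns${ns}.test$n > wildnodata2nsecafterdata.out || ret=1; }`. The insecure block added by the `@@ -243` hunk has the same line for `insecure.wildnodata2nsecafterdata.out`. Both blocks sit inside a loop that opens and closes outside these hunks, so this may mirror an existing pattern that is not visible here.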
@@ -418,6 +442,31 @@ do if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) + echo_i "check synthesized wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)" + ret=0 + # Use AAAA to avoid cached qname minimisation _.wild-2-nsec-afterdata.example A record + dig_with_opts b.wild-2-nsec-afterdata.example. @10.53.0.${ns} AAAA > dig.out.a.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.a.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.a.ns${ns}.test$n || ret=1 + check_nosynth_aaaa b.wild-2-nsec-afterdata.example. dig.out.a.ns${ns}.test$n || ret=1 + # + nextpart ns1/named.run > /dev/null + dig_with_opts b.wild-2-nsec-afterdata.example. @10.53.0.${ns} TLSA > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + if [ ${synth} = yes ] + then + check_synth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-2-nsec-afterdata.example/TLSA > /dev/null && ret=1 + else + check_nosynth_soa example. dig.out.ns${ns}.test$n || ret=1 + nextpart ns1/named.run | grep b.wild-2-nsec-afterdata.example/TLSA > /dev/null || ret=1 + fi + digcomp wildnodata2nsecafterdata.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + echo_i "check insecure NXDOMAIN response (synth-from-dnssec ${description};) ($n)" ret=0 nextpart ns1/named.run > /dev/null 
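Review bot: The two `grep b.wild-2-nsec-afterdata.example/TLSA` calls treat every `.` as a regex wildcard, and in the `else` branch a match is what makes the test pass, so the pattern should be literal: `grep -F "b.wild-2-nsec-afterdata.example/TLSA" > /dev/null`. The bare `#` separator between the AAAA and TLSA queries would also be better as a real comment, for example `# wildcard AAAA data is now cached; the TLSA query below must still get NODATA (synthesized when synth=yes)`. That wording is inferred from the test title and should be confirmed. The surrounding loop starts and ends outside the hunk.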
@@ -495,6 +544,23 @@ do if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) + echo_i "check insecure wildcard NODATA 2 NSEC after data response (synth-from-dnssec ${description};) ($n)" + ret=0 + nextpart ns1/named.run > /dev/null + dig_with_opts b.wild-2-nsec-afterdata.insecure.example. @10.53.0.${ns} AAAA > dig.out.a.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.a.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.a.ns${ns}.test$n || ret=1 + check_nosynth_aaaa b.wild-2-nsec-afterdata.insecure.example. dig.out.a.ns${ns}.test$n || ret=1 + # + dig_with_opts b.wild-2-nsec-afterdata.insecure.example. @10.53.0.${ns} TLSA > dig.out.ns${ns}.test$n || ret=1 + check_ad_flag no dig.out.ns${ns}.test$n || ret=1 + check_status NOERROR dig.out.ns${ns}.test$n || ret=1 + check_nosynth_soa insecure.example. dig.out.ns${ns}.test$n || ret=1 + digcomp insecure.wildnodata2nsecafterdata.out dig.out.ns${ns}.test$n || ret=1 + n=$((n+1)) + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + echo_i "check minimal NXDOMAIN response (synth-from-dnssec ${description};) ($n)" ret=0 nextpart ns1/named.run > /dev/null @@ -585,7 +651,7 @@ do do case $synthesized in NXDOMAIN) count=1;; - no-data) count=4;; + no-data) count=5;; wildcard) count=2;; esac echo_i "check 'rndc stats' output for 'synthesized a ${synthesized} response' (synth-from-dnssec ${description};) ($n)" @@ -646,7 +712,7 @@ do do case $synthesized in SynthNXDOMAIN) count=1;; - SynthNODATA) count=4;; + SynthNODATA) count=5;; SynthWILDCARD) count=2;; esac @@ -709,7 +775,7 @@ do do case $synthesized in SynthNXDOMAIN) count=1;; - SynthNODATA) count=4;; + SynthNODATA) count=5;; SynthWILDCARD) count=2;; esac
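Review bot: In the "check insecure wildcard NODATA 2 NSEC after data" block, `nextpart ns1/named.run > /dev/null` resets the log position but nothing reads the log afterwards, so the block never shows that the TLSA query for the unsigned zone reached the authoritative server. The secure block's `else` branch does assert that. If ns1 serves `insecure.example` and logs queries in the same `name/TYPE` form, adding `nextpart ns1/named.run | grep -F "b.wild-2-nsec-afterdata.insecure.example/TLSA" > /dev/null || ret=1` after the TLSA checks would give direct evidence that no answer was synthesized from insecure data. Otherwise the unused `nextpart` call can be dropped. The enclosing loop extends beyond the hunk.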