diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 231447d9eb..2bf83f7f64 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -1892,7 +1892,7 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
 const char *cfilename;
 const char *zfilename;
 dns_zone_t *raw = NULL;
- isc_boolean_t has_raw;
+ isc_boolean_t has_raw, mirror;
 dns_zonetype_t ztype;
 zoptions = cfg_tuple_get(zconfig, "options");
@@ -1932,6 +1932,21 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
 return (ISC_FALSE);
 }
+ /*
+ * Do not reuse a zone whose "mirror" setting was changed.
+ */
+ obj = NULL;
+ mirror = ISC_FALSE;
+ (void)cfg_map_get(zoptions, "mirror", &obj);
+ if (obj != NULL) {
+ mirror = cfg_obj_asboolean(obj);
+ }
+ if (dns_zone_ismirror(zone) != mirror) {
+ dns_zone_log(zone, ISC_LOG_DEBUG(1),
+ "not reusable: mirror setting changed");
+ return (ISC_FALSE);
+ }
+
 if (zonetype_fromconfig(zoptions) != ztype) {
 dns_zone_log(zone, ISC_LOG_DEBUG(1),
 "not reusable: type mismatch");
diff --git a/bin/tests/system/mirror/clean.sh b/bin/tests/system/mirror/clean.sh
index 3f45916958..fc189a8604 100644
--- a/bin/tests/system/mirror/clean.sh
+++ b/bin/tests/system/mirror/clean.sh
@@ -17,6 +17,7 @@ rm -f */K*
 rm -f */db-*
 rm -f */dsset-*
 rm -f */jn-*
+rm -f */managed-keys.bind*
 rm -f */named.memstats
 rm -f */named.run
 rm -f dig.out.*
diff --git a/bin/tests/system/mirror/ns2/named.conf.in b/bin/tests/system/mirror/ns2/named.conf.in
index 7928dc2f70..7141ec7e00 100644
--- a/bin/tests/system/mirror/ns2/named.conf.in
+++ b/bin/tests/system/mirror/ns2/named.conf.in
@@ -56,6 +56,11 @@ zone "verify-ixfr" {
 ixfr-from-differences yes;
 };
+zone "verify-reconfig" {
+ type master;
+ file "verify-reconfig.db.signed";
+};
+
 zone "verify-unsigned" {
 type master;
 file "verify.db.in";
diff --git a/bin/tests/system/mirror/ns2/sign.sh b/bin/tests/system/mirror/ns2/sign.sh
index d647c12288..827a11c897 100644
--- a/bin/tests/system/mirror/ns2/sign.sh
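Review bot: The new comment in the second zoneconf.c hunk says a changed "mirror" setting blocks reuse but not why, and the why is the security-relevant part: the accompanying tests show that mirror status decides whether zone data must pass DNSSEC verification before it is served and whether answers are sent with AD set or with AA set, so that state must not survive on a reused zone object. I would extend the comment to something like `Mirror status determines whether zone data is verified before use and how answers are flagged, so a changed setting requires a fresh zone instance.` The lookup relies on cfg_map_get() leaving obj untouched when the option is absent, so the explicit `obj = NULL;` reset before it is what makes the ISC_FALSE default correct; obj itself is presumably declared earlier in named_zone_reusable, outside this hunk, and the function continues past it. The first hunk's `isc_boolean_t has_raw, mirror;` is the only other change to this file.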
+++ b/bin/tests/system/mirror/ns2/sign.sh
@@ -36,7 +36,7 @@ ORIGINAL_SERIAL=`awk '$2 == "SOA" {print $5}' verify.db.in`
 UPDATED_SERIAL_BAD=`expr ${ORIGINAL_SERIAL} + 1`
 UPDATED_SERIAL_GOOD=`expr ${ORIGINAL_SERIAL} + 2`
-for variant in axfr ixfr load untrusted; do
+for variant in axfr ixfr load reconfig untrusted; do
 zone=verify-$variant
 infile=verify.db.in
 zonefile=verify-$variant.db
diff --git a/bin/tests/system/mirror/ns3/named.conf.in b/bin/tests/system/mirror/ns3/named.conf.in
index 4c60bdb202..627b82f3db 100644
--- a/bin/tests/system/mirror/ns3/named.conf.in
+++ b/bin/tests/system/mirror/ns3/named.conf.in
@@ -72,6 +72,14 @@ zone "verify-load" {
 masterfile-format text;
 };
+zone "verify-reconfig" {
+ type slave;
+ masters { 10.53.0.2; };
+ mirror yes;
+ file "verify-reconfig.db.mirror";
+ masterfile-format text;
+};
+
 zone "verify-unsigned" {
 type slave;
 masters { 10.53.0.2; };
diff --git a/bin/tests/system/mirror/tests.sh b/bin/tests/system/mirror/tests.sh
index c82da3e095..95eb93f734 100644
--- a/bin/tests/system/mirror/tests.sh
+++ b/bin/tests/system/mirror/tests.sh
@@ -362,5 +362,47 @@ grep "type: mirror" rndc.out.ns3.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
+n=`expr $n + 1`
+echo_i "checking that \"rndc reconfig\" properly handles a yes -> no \"mirror\" setting change ($n)"
+ret=0
+# Sanity check before we start.
+$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA > dig.out.ns3.test$n.1 2>&1 || ret=1
+grep "NOERROR" dig.out.ns3.test$n.1 > /dev/null || ret=1
+grep "flags:.* aa" dig.out.ns3.test$n.1 > /dev/null && ret=1
+grep "flags:.* ad" dig.out.ns3.test$n.1 > /dev/null || ret=1
+# Reconfigure the zone so that it is no longer a mirror zone.
+nextpart ns3/named.run > /dev/null
+sed '/^zone "verify-reconfig" {$/,/^};$/{s/mirror yes;/mirror no;/}' ns3/named.conf > ns3/named.conf.modified
+mv ns3/named.conf.modified ns3/named.conf
+$RNDCCMD 10.53.0.3 reconfig > /dev/null 2>&1
+# Zones whose "mirror" setting was changed should not be reusable, which means
+# the tested zone should have been reloaded from disk.
+wait_for_load verify-reconfig ${ORIGINAL_SERIAL} ns3/named.run
+# Ensure responses sourced from the reconfigured zone have AA=1 and AD=0.
+$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA > dig.out.ns3.test$n.2 2>&1 || ret=1
+grep "NOERROR" dig.out.ns3.test$n.2 > /dev/null || ret=1
+grep "flags:.* aa" dig.out.ns3.test$n.2 > /dev/null || ret=1
+grep "flags:.* ad" dig.out.ns3.test$n.2 > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that \"rndc reconfig\" properly handles a no -> yes \"mirror\" setting change ($n)"
+ret=0
+# Put an incorrectly signed version of the zone in the zone file used by ns3.
+nextpart ns3/named.run > /dev/null
+cat ns2/verify-reconfig.db.bad.signed > ns3/verify-reconfig.db.mirror
+# Reconfigure the zone so that it is a mirror zone again.
+sed '/^zone "verify-reconfig" {$/,/^};$/{s/mirror no;/mirror yes;/}' ns3/named.conf > ns3/named.conf.modified
+mv ns3/named.conf.modified ns3/named.conf
+$RNDCCMD 10.53.0.3 reconfig > /dev/null 2>&1
+# The reconfigured zone should fail verification.
+wait_for_load verify-reconfig ${UPDATED_SERIAL_BAD} ns3/named.run
+$DIG $DIGOPTS @10.53.0.3 +norec verify-reconfig SOA > dig.out.ns3.test$n 2>&1 || ret=1
+grep "${UPDATED_SERIAL_BAD}.*; serial" dig.out.ns3.test$n > /dev/null && ret=1
+nextpart ns3/named.run | grep "No correct RSASHA256 signature for verify-reconfig SOA" > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
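Review bot: Both `$RNDCCMD 10.53.0.3 reconfig > /dev/null 2>&1` lines in this hunk discard rndc's exit status, so a reconfig that named rejects (for instance because the sed rewrite of ns3/named.conf produced an unparseable file) would only show up later as a wait_for_load or dig failure that is harder to attribute; appending `|| ret=1` to both would report it at the source. For the same reason each `sed ... ns3/named.conf > ns3/named.conf.modified` could carry `|| ret=1`, so a rewrite that fails partway is not moved over named.conf and then reconfigured into the server unnoticed. In the no -> yes case the assertions are negative only (the bad serial is not served, the signature failure is logged); if the intended behaviour of a mirror zone whose on-disk data fails verification at reconfig time is well defined, asserting that outcome positively would make the test tighter. wait_for_load and nextpart are defined outside this hunk, so whether a timeout in them already sets ret cannot be confirmed from here.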