diff --git a/lib/dns/tests/acl_test.c b/lib/dns/tests/acl_test.c
index 910c68c954..e153f45a2c 100644
--- a/lib/dns/tests/acl_test.c
+++ b/lib/dns/tests/acl_test.c
@@ -19,6 +19,7 @@
 #include <unistd.h>
 
 #include <isc/print.h>
+#include <isc/string.h>
 
 #include <dns/acl.h>
 #include "dnstest.h"
@@ -41,6 +42,11 @@ ATF_TC_BODY(dns_acl_isinsecure, tc) {
 	dns_acl_t *none = NULL;
 	dns_acl_t *notnone = NULL;
 	dns_acl_t *notany = NULL;
+#ifdef HAVE_GEOIP
+	dns_acl_t *geoip = NULL;
+	dns_acl_t *notgeoip = NULL;
+	dns_aclelement_t *de;
+#endif
 
 	UNUSED(tc);
 
@@ -65,15 +71,46 @@ ATF_TC_BODY(dns_acl_isinsecure, tc) {
 	result = dns_acl_merge(notany, any, ISC_FALSE);
 	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
+#ifdef HAVE_GEOIP
+	result = dns_acl_create(mctx, 1, &geoip);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	de = geoip->elements;
+	ATF_REQUIRE(de != NULL);
+	strlcpy(de->geoip_elem.as_string, "AU",
+		sizeof(de->geoip_elem.as_string));
+	de->geoip_elem.subtype = dns_geoip_country_code;
+	de->type = dns_aclelementtype_geoip;
+	de->negative = ISC_FALSE;
+	ATF_REQUIRE(geoip->length < geoip->alloc);
+	geoip->node_count++;
+	de->node_num = geoip->node_count;
+	geoip->length++;
+
+	result = dns_acl_create(mctx, 1, &notgeoip);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_acl_merge(notgeoip, geoip, ISC_FALSE);
+#endif
+
 	ATF_CHECK(dns_acl_isinsecure(any));		/* any; */
 	ATF_CHECK(!dns_acl_isinsecure(none));		/* none; */
 	ATF_CHECK(!dns_acl_isinsecure(notany));		/* !any; */
 	ATF_CHECK(!dns_acl_isinsecure(notnone));	/* !none; */
 
+#ifdef HAVE_GEOIP
+	ATF_CHECK(dns_acl_isinsecure(geoip));		/* geoip; */
+	ATF_CHECK(!dns_acl_isinsecure(notgeoip));	/* !geoip; */
+#endif
+
 	dns_acl_detach(&any);
 	dns_acl_detach(&none);
 	dns_acl_detach(&notany);
 	dns_acl_detach(&notnone);
+#ifdef HAVE_GEOIP
+	dns_acl_detach(&geoip);
+	dns_acl_detach(&notgeoip);
+#endif
 
 	dns_test_end();
 }