diff --git a/bin/tests/system/synthfromdnssec/ns1/root.db.in b/bin/tests/system/synthfromdnssec/ns1/root.db.in
index fa9a21b6c2..bade656f67 100644
--- a/bin/tests/system/synthfromdnssec/ns1/root.db.in
+++ b/bin/tests/system/synthfromdnssec/ns1/root.db.in
@@ -14,6 +14,7 @@ $TTL 3600
 @		NS	ns1
 ns1		A	10.53.0.1
 example		NS	ns1.example
+fun		NS	ns1.example
 ns1.example	A	10.53.0.1
 dnamed		NS	ns1.dnamed
 ns1.dnamed	A	10.53.0.1
diff --git a/bin/tests/system/synthfromdnssec/ns2/example.internal.db b/bin/tests/system/synthfromdnssec/ns2/example.internal.db
new file mode 100644
index 0000000000..938159b899
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns2/example.internal.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@		SOA	ns2 hostmaster 1 3600 1200 604800 3600
+@		NS	ns2
+@		A	1.2.3.4
+ns2		A	10.53.0.2
diff --git a/bin/tests/system/synthfromdnssec/ns2/named.conf.in b/bin/tests/system/synthfromdnssec/ns2/named.conf.in
index b226420e6f..736d428172 100644
--- a/bin/tests/system/synthfromdnssec/ns2/named.conf.in
+++ b/bin/tests/system/synthfromdnssec/ns2/named.conf.in
@@ -44,4 +44,9 @@ zone "." {
 	file "root.hints";
 };
 
+zone "example.internal" {
+	type primary;
+	file "example.internal.db";
+};
+
 include "../ns1/trusted.conf";
diff --git a/bin/tests/system/synthfromdnssec/ns5/named.conf.in b/bin/tests/system/synthfromdnssec/ns5/named.conf.in
index 2f936f4fa7..a98ef39ddf 100644
--- a/bin/tests/system/synthfromdnssec/ns5/named.conf.in
+++ b/bin/tests/system/synthfromdnssec/ns5/named.conf.in
@@ -25,6 +25,7 @@ options {
 	notify no;
 	dnssec-validation yes;
 	synth-from-dnssec yes;
+	validate-except { example.internal; };
 };
 
 key rndc_key {
@@ -45,4 +46,10 @@ zone "." {
 	file "root.hints";
 };
 
+zone "example.internal" {
+	type forward;
+	forward only;
+	forwarders { 10.53.0.2; };
+};
+
 include "../ns1/trusted.conf";
diff --git a/bin/tests/system/synthfromdnssec/tests.sh b/bin/tests/system/synthfromdnssec/tests.sh
index d9cf0927ec..f5383c97e2 100644
--- a/bin/tests/system/synthfromdnssec/tests.sh
+++ b/bin/tests/system/synthfromdnssec/tests.sh
@@ -870,6 +870,19 @@ n=$((n+1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
+echo_i "check synth-from-dnssec with grafted zone (forward only) ($n)"
+ret=0
+#prime cache with NXDOMAIN NSEC covering 'fun' to 'minimal'
+dig_with_opts internal @10.53.0.5 > dig.out.ns5-1.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns5-1.test$n >/dev/null || ret=1
+grep '^fun\..*NSEC.minimal\. ' dig.out.ns5-1.test$n >/dev/null || ret=1
+#perform lookup in grafted zone
+dig_with_opts example.internal @10.53.0.5 > dig.out.ns5-2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5-2.test$n >/dev/null || ret=1
+grep '^example\.internal\..*A.1.2.3.4$' dig.out.ns5-2.test$n >/dev/null || ret=1
+n=$((n+1))
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
 
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1