diff --git a/bin/tests/system/dnssec/ns7/sign.sh b/bin/tests/system/dnssec/ns7/sign.sh
index 1165d2ac39..296434413d 100644
--- a/bin/tests/system/dnssec/ns7/sign.sh
+++ b/bin/tests/system/dnssec/ns7/sign.sh
@@ -25,8 +25,18 @@ k2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 cat "$infile" "$k1.key" "$k2.key" > "$zonefile"
+# The awk script below achieves two goals:
+#
+# - it puts one of the two RRSIG(SOA) records at the end of the zone file, so
+# that these two records (forming a single RRset) are not placed immediately
+# next to each other; the test then checks if RRSIG RRsets split this way are
+# correctly added to resigning heaps,
+#
+# - it places a copy of one of the RRSIG(SOA) records somewhere else than at the
+# zone apex; the test then checks whether such signatures are automatically
+# removed from the zone after it is loaded.
 "$SIGNER" -P -3 - -A -o "$zone" -O full -f "$zonefile.unsplit" -e now-3600 -s now-7200 "$zonefile" > /dev/null 2>&1
 awk 'BEGIN { r = ""; }
  $4 == "RRSIG" && $5 == "SOA" && r == "" { r = $0; next; }
  { print }
- END { print r }' "$zonefile.unsplit" > "$zonefile.signed"
+ END { print r; print "not-at-zone-apex." r; }' "$zonefile.unsplit" > "$zonefile.signed"
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 25494e9184..0620562e25 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -3244,6 +3244,14 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
+echo_i "check that not-at-zone-apex RRSIG(SOA) RRsets are removed from the zone after load ($n)"
+ret=0
+dig_with_opts split-rrsig AXFR @10.53.0.7 > dig.out.test$n || ret=1
+grep -q "not-at-zone-apex.*RRSIG.*SOA" dig.out.test$n && ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 echo_i "check that 'dnssec-keygen -S' works for all supported algorithms ($n)"
 ret=0
 alg=1
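Review bot: The new `END` action prints `r` unconditionally, so if no line matched `$4 == "RRSIG" && $5 == "SOA"` (for instance because the signer output format changed, or the `"$SIGNER"` call on the line above failed, which its `> /dev/null 2>&1` would hide) the signed file ends with an empty line and a bare `not-at-zone-apex.` owner with no RDATA, and the problem only surfaces later as an ns7 load failure that is hard to trace back here. Failing the script at this point would be clearer: `END { if (r == "") exit 1; print r; print "not-at-zone-apex." r; }` followed by checking awk's exit status. A smaller style point: the added comment says "the awk script below" but sits above the `"$SIGNER"` invocation; placing it directly above the `awk` line (or mentioning that the signer must run first because awk consumes `"$zonefile.unsplit"`) would read better.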
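Review bot: The added check in tests.sh is a negative assertion only: `grep -q "not-at-zone-apex.*RRSIG.*SOA" dig.out.test$n && ret=1` also passes when the AXFR returns no records at all, so a zone that failed to load or a refused transfer can be reported as "removed after load" whenever dig still exits zero. Unless the preceding check (whose lines start outside this hunk) already proves the transfer succeeded, add a positive assertion that the legitimate apex signature survived, something like `grep -q "^split-rrsig\..*RRSIG.*SOA" dig.out.test$n || ret=1`, so the two lines together show the bogus copy was dropped while the real RRset was kept. The pattern could also be anchored at line start (`^not-at-zone-apex\.`) to avoid matching the owner name inside an unrelated comment or RDATA field of the dig output.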