diff --git a/bin/tests/system/optout/ns2/named.conf.j2 b/bin/tests/system/optout/ns2/named.conf.j2
index 4d9aed3ed0..6bfe881451 100644
--- a/bin/tests/system/optout/ns2/named.conf.j2
+++ b/bin/tests/system/optout/ns2/named.conf.j2
@@ -11,6 +11,9 @@
  * information regarding copyright ownership.
  */
 
+{% set reconfiged = reconfiged | default(False) %}
+{% set policy = "optout" if not reconfiged else "nsec" %}
+
 options {
 	port @PORT@;
 	pid-file "named.pid";
@@ -33,9 +36,22 @@ dnssec-policy "optout" {
 	nsec3param iterations 0 optout yes salt-length 0;
 };
 
+dnssec-policy "nsec" {
+	keys {
+		csk lifetime unlimited algorithm ecdsa256;
+	};
+};
+
 zone "test" {
 	type primary;
 	file "test.db";
 	dnssec-policy "optout";
 	inline-signing yes;
 };
+
+zone "small.test" {
+	type primary;
+	file "small.test.db";
+	dnssec-policy "@policy@";
+	inline-signing yes;
+};
diff --git a/bin/tests/system/optout/ns2/small.test.db b/bin/tests/system/optout/ns2/small.test.db
new file mode 100644
index 0000000000..9b67ef4e80
--- /dev/null
+++ b/bin/tests/system/optout/ns2/small.test.db
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@ IN SOA ns2.small.test. hostmaster.small.test. 1 7200 3600 24796800 3600
+	IN NS ns2
+
+ns2 IN A 10.53.0.2
+
+a IN A 127.0.0.1
+
+dname IN DNAME branch.example.
+under.dname IN TXT "occluded"
+
+$GENERATE 1-10 child$ IN NS ns.example.
+
+child5 IN DS 7250 13 2 A30B3F78B6DDE9A4A9A2AD0C805518B4F49EC62E7D3F4531D33DE697 CDA01CB2
diff --git a/bin/tests/system/optout/ns2/test.db b/bin/tests/system/optout/ns2/test.db
index d3a930229f..a864d6f1e8 100644
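Review bot: The `reconfiged` switch added at the top of the template carries no comment saying who sets it or what it changes, so a reader of named.conf.j2 alone cannot tell that the "small.test" zone's policy flips when the file is re-rendered. Add a template comment above the first `{% set %}`: `{# reconfiged is passed by tests_optout.py on re-render: False on first start (NSEC3 opt-out), True after reconfigure (plain NSEC); it selects the dnssec-policy of zone "small.test" #}`. The `policy` variable is consumed further down as `@policy@`, which I take to be the same `@…@` variable style as `@PORT@`; worth confirming that `{% %}` blocks and `@…@` substitutions are handled by the same renderer, since a missed substitution would leave a literal `"@policy@"` policy name.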
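Review bot: The new "nsec" policy declares its own `keys { csk lifetime unlimited algorithm ecdsa256; }` block, so switching "small.test" from "optout" to "nsec" changes the key policy at the same time as the denial-of-existence method; the "optout" policy's keys block is outside this hunk, and if it differs in algorithm, lifetime or key split the reconfigure also starts a key rollover that the test does not look for. Either confirm the two policies use identical keys or document the constraint on the new policy, e.g. `// keys must match "optout": the reconfigure should change only NSEC3 -> NSEC, not the keys`. A short comment next to `dnssec-policy "@policy@";` in zone "small.test" (`// "optout" on first start, "nsec" after reconfigure`) would also save the reader a trip to the top of the file.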
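Review bot: The new zone file has no comment stating why it exists alongside test.db, which it mirrors apart from the `$GENERATE 1-10` range and the `child5` DS, so a reader will not know it is the fixture for the NSEC3-to-NSEC reconfigure case. Add a line after the license header such as `; Reduced copy of test.db (10 delegations instead of 50000) used by test_optout_to_nsec so re-signing after the policy change finishes quickly`; the timing motive is my inference from the two sizes, so confirm it before wording it that way. The `child5` DS digest is the same value as test.db's `child303`, which is fine for a fixture only as long as no test expects it to validate against a real child key.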
--- a/bin/tests/system/optout/ns2/test.db
+++ b/bin/tests/system/optout/ns2/test.db
@@ -17,6 +17,9 @@ ns2 IN A 10.53.0.2
 
 a IN A 127.0.0.1
+dname IN DNAME branch.example.
+under.dname IN TXT "occluded"
+
 
 $GENERATE 1-50000 child$ IN NS ns.example.
 
 child303 IN DS 7250 13 2 A30B3F78B6DDE9A4A9A2AD0C805518B4F49EC62E7D3F4531D33DE697 CDA01CB2
diff --git a/bin/tests/system/optout/setup.sh b/bin/tests/system/optout/setup.sh
deleted file mode 100644
index bb08b9c092..0000000000
--- a/bin/tests/system/optout/setup.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/sh -e
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-. ../conf.sh
diff --git a/bin/tests/system/optout/tests_optout.py b/bin/tests/system/optout/tests_optout.py
index 67628c20e8..3f0df0bb53 100755
--- a/bin/tests/system/optout/tests_optout.py
+++ b/bin/tests/system/optout/tests_optout.py
@@ -94,14 +94,51 @@ def verify_zone(zone, transfer):
 def test_optout(ns2):
     zone = "test"
+    expect_nsec3param = True
 
     # Wait until the provided zone is signed and then verify its DNSSEC data.
     def check_nsec3param():
         response = do_query(ns2, zone, "NSEC3PARAM")
-        return has_nsec3param(zone, response)
+        if expect_nsec3param:
+            return has_nsec3param(zone, response)
+        return not has_nsec3param(zone, response)
 
     # check zone is fully signed.
-    isctest.run.retry_with_timeout(check_nsec3param, timeout=300)
+    isctest.run.retry_with_timeout(check_nsec3param, timeout=100)
+
+    # check if zone if DNSSEC valid.
+    transfer = do_xfr(ns2, zone)
+    assert verify_zone(zone, transfer)
+
+
+def test_optout_to_nsec(ns2, templates):
+    zone = "small.test"
+    expect_nsec3param = True
+
+    # Wait until the provided zone is signed and then verify its DNSSEC data.
+    def check_nsec3param():
+        response = do_query(ns2, zone, "NSEC3PARAM")
+        if expect_nsec3param:
+            return has_nsec3param(zone, response)
+        return not has_nsec3param(zone, response)
+
+    # check zone is fully signed.
+    isctest.run.retry_with_timeout(check_nsec3param, timeout=100)
+
+    # check if zone if DNSSEC valid.
+    transfer = do_xfr(ns2, zone)
+    assert verify_zone(zone, transfer)
+
+    # reconfigure to NSEC.
+    data = {
+        "reconfiged": True,
+    }
+    templates.render(f"{ns2.identifier}/named.conf", data)
+    ns2.reconfigure()
+
+    # wait until NSEC3PARAM is removed.
+    expect_nsec3param = False
+    isctest.run.retry_with_timeout(check_nsec3param, timeout=100)
 
     # check if zone if DNSSEC valid.
     transfer = do_xfr(ns2, zone)