diff --git a/bin/tests/system/upforwd/clean.sh b/bin/tests/system/upforwd/clean.sh
index 14b9cc6a44..d56c942069 100644
--- a/bin/tests/system/upforwd/clean.sh
+++ b/bin/tests/system/upforwd/clean.sh
@@ -29,6 +29,7 @@ rm -f */ans.run
 rm -f Ksig0.example2.*
 rm -f keyname keyname.err
 rm -f ns1/example2.db
+rm -f ns1/example2-toomanykeys.db
 rm -f ns*/managed-keys.bind*
 rm -f nsupdate.out.*
 rm -f ns*/named.run.prev
diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in
index 79d66c2fa4..2c25a371de 100644
--- a/bin/tests/system/upforwd/ns1/named.conf.in
+++ b/bin/tests/system/upforwd/ns1/named.conf.in
@@ -44,6 +44,12 @@ zone "example2" {
 allow-update { key sig0.example2.; };
 };
 
+zone "example2-toomanykeys" {
+ type primary;
+ file "example2-toomanykeys.db";
+ allow-update { key sig0.example2-toomanykeys.; };
+};
+
 zone "example3" {
 type primary;
 file "example3.db";
diff --git a/bin/tests/system/upforwd/ns3/named1.conf.in b/bin/tests/system/upforwd/ns3/named1.conf.in
index df51f7bb2c..95feb796aa 100644
--- a/bin/tests/system/upforwd/ns3/named1.conf.in
+++ b/bin/tests/system/upforwd/ns3/named1.conf.in
@@ -56,6 +56,13 @@ zone "example2" {
 primaries { 10.53.0.1; };
 };
 
+zone "example2-toomanykeys" {
+ type secondary;
+ file "example2-toomanykeys.bk";
+ allow-update-forwarding { 10.53.0.1; };
+ primaries { 10.53.0.1; };
+};
+
 zone "example3" {
 type secondary;
 file "example3.bk";
diff --git a/bin/tests/system/upforwd/setup.sh b/bin/tests/system/upforwd/setup.sh
index cc34d3966b..0df66cb6f2 100644
--- a/bin/tests/system/upforwd/setup.sh
+++ b/bin/tests/system/upforwd/setup.sh
@@ -32,7 +32,7 @@ else
 fi
 
 #
-# SIG(0) required cryptographic support which may not be configured.
+# SIG(0) requires cryptographic support which may not be configured.
 #
 keyname=$($KEYGEN -q -n HOST -a ${DEFAULT_ALGORITHM} -T KEY sig0.example2 2>keyname.err)
 if test -n "$keyname"; then
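Review bot: The cleanup does not cover the other artifacts the new setup loop writes: `rm -f Ksig0.example2.*` will not match `Ksig0.example2-toomanykeys.*` (the glob needs a dot directly after `example2`), and `rm -f keyname keyname.err` leaves `keyname1`, `keyname2` and `keyname3` behind. A stale `keyname$i` from an earlier run would then point tests.sh at key files that may no longer exist, and generated private keys would accumulate in the test directory between runs. Suggest adding `rm -f Ksig0.example2-toomanykeys.*` and `rm -f keyname1 keyname2 keyname3` next to the new line, and checking whether `ns3/example2-toomanykeys.bk` is already covered by a pattern outside this hunk.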
@@ -42,3 +42,12 @@ else
 cat ns1/example1.db >ns1/example2.db
 fi
 cat_i ns1/example2-toomanykeys.db
+for i in 1 2 3; do
+ keyname=$($KEYGEN -q -n HOST -a ${DEFAULT_ALGORITHM} -T KEY sig0.example2-toomanykeys 2>/dev/null)
+ if test -n "$keyname"; then
+ cat $keyname.key >>ns1/example2-toomanykeys.db
+ echo $keyname >keyname$i
+ fi
+done
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
index 6c8e40b5a9..5e1f4550bd 100644
--- a/bin/tests/system/upforwd/tests.sh
+++ b/bin/tests/system/upforwd/tests.sh
@@ -389,7 +389,7 @@ if test -f keyname; then
 nextpart_thrice
 ret=0
 keyname=$(cat keyname)
- $NSUPDATE -k $keyname.private -- - <nsupdate.out.test$n 2>&1 || ret=1
 local 10.53.0.1
 server 10.53.0.3 ${PORT}
 zone example2
@@ -424,7 +424,7 @@ EOF
 nextpart_thrice
 ret=0
 keyname=$(cat keyname)
- $NSUPDATE -k $keyname.private -S -O -- - <nsupdate.out.test$n 2>&1 || ret=1
 local 10.53.0.1
 server 10.53.0.3 ${TLSPORT}
 zone example2
@@ -454,6 +454,28 @@ EOF
 status=$((status + ret))
 n=$((n + 1))
 fi
+ echo_i "checking update forwarding with sig0 with too many keys ($n)"
+ nextpart_thrice
+ ret=0
+ good=0
+ bad=0
+ for i in 1 2 3; do
+ keyname=$(cat keyname$i)
+ $NSUPDATE -d -D -k $keyname.private -- - <nsupdate.out.test$n.$i 2>&1 && good=$((good + 1)) || bad=$((bad + 1))
+ local 10.53.0.1
+ server 10.53.0.3 ${PORT}
+ zone example2-toomanykeys
+ update add toomanykeys$i.example2-toomanykeys. 600 A 10.10.10.1
+ send
+EOF
+ done
+ # There are three keys in the zone but named checks the signature using
+ # maximum two keys, so one of these updates should have been failed.
+ [ $good = 2 ] && [ $bad = 1 ] || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+ n=$((n + 1))
 fi
 
 echo_i "attempting an update that should be rejected by ACL ($n)"
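Review bot: The `$KEYGEN` call inside the new loop discards stderr with `2>/dev/null`, whereas the `sig0.example2` generation earlier in setup.sh keeps `keyname.err`; when generation fails for one iteration, `keyname$i` is silently not written and the only trace is a later `cat: keyname$i` error in tests.sh. Suggest `2>keyname$i.err` (and adding those files to clean.sh) so a failing run can be diagnosed from the test directory. The line immediately before the loop appears garbled in this rendering, so I could not confirm how the zone file is initialised before the keys are appended.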
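Review bot: The `good`/`bad` tally on the `$NSUPDATE` line only looks at the exit status, so a missing `keyname$i` file, an empty `$keyname`, or a transport failure is counted as `bad` exactly like the intended signature rejection, and `good=2`/`bad=1` can be reached or missed for the wrong reason. Suggest guarding with `test -f keyname$i || ret=1` before the `cat`, and checking each `nsupdate.out.test$n.$i` for the expected rejection rather than the exit status alone, e.g. `grep -q "<expected-rejection-text>" nsupdate.out.test$n.$i` (substitute the message named emits); verifying on ns1 that exactly two `toomanykeys$i` records were added, as the other tests in this file presumably do, would make the forwarded result itself the assertion. The comment could also read `# The zone holds three keys but named verifies a SIG(0) signature against at most two of them, so exactly one of the three updates is expected to fail.` The enclosing `if` block opens before this hunk.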