diff --git a/bin/tests/system/kasp/ns3/named.conf.in b/bin/tests/system/kasp/ns3/named.conf.in
index 8a7f3ebd48..ef1fc22fa7 100644
--- a/bin/tests/system/kasp/ns3/named.conf.in
+++ b/bin/tests/system/kasp/ns3/named.conf.in
@@ -45,6 +45,27 @@ zone "default.kasp" {
 dnssec-policy "default";
 };
 
+/* checkds: Zone with one KSK. */
+zone "checkds-ksk.kasp" {
+ type primary;
+ file "checkds-ksk.kasp.db";
+ dnssec-policy "checkds-ksk";
+};
+
+/* checkds: Zone with two KSKs. */
+zone "checkds-doubleksk.kasp" {
+ type primary;
+ file "checkds-doubleksk.kasp.db";
+ dnssec-policy "checkds-doubleksk";
+};
+
+/* checkds: Zone with one CSK. */
+zone "checkds-csk.kasp" {
+ type primary;
+ file "checkds-csk.kasp.db";
+ dnssec-policy "checkds-csk";
+};
+
 /* Key lifetime unlimited. */
 zone "unlimited.kasp" {
 type primary;
diff --git a/bin/tests/system/kasp/ns3/policies/kasp.conf b/bin/tests/system/kasp/ns3/policies/kasp.conf
index e0ce931d90..81c764c7f2 100644
--- a/bin/tests/system/kasp/ns3/policies/kasp.conf
+++ b/bin/tests/system/kasp/ns3/policies/kasp.conf
@@ -76,3 +76,30 @@ dnssec-policy "ecdsa384" {
 zsk key-directory lifetime P1Y algorithm 14 384;
 };
 };
+
+dnssec-policy "checkds-ksk" {
+ dnskey-ttl 303;
+
+ keys {
+ ksk key-directory lifetime unlimited algorithm 13;
+ zsk key-directory lifetime unlimited algorithm 13;
+ };
+};
+
+dnssec-policy "checkds-doubleksk" {
+ dnskey-ttl 303;
+
+ keys {
+ ksk key-directory lifetime unlimited algorithm 13;
+ ksk key-directory lifetime unlimited algorithm 13;
+ zsk key-directory lifetime unlimited algorithm 13;
+ };
+};
+
+dnssec-policy "checkds-csk" {
+ dnskey-ttl 303;
+
+ keys {
+ csk key-directory lifetime unlimited algorithm 13;
+ };
+};
diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
index f75cd6e53a..c6e62e8b25 100644
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
@@ -53,7 +53,7 @@ U="UNRETENTIVE"
 for zn in default rsasha1 dnssec-keygen some-keys legacy-keys pregenerated \
 rumoured rsasha1-nsec3 rsasha256 rsasha512 ecdsa256 ecdsa384 \
 dynamic dynamic-inline-signing inline-signing \
- inherit unlimited
+ checkds-ksk checkds-doubleksk checkds-csk inherit unlimited
 do
 setup "${zn}.kasp"
 cp template.db.in "$zonefile"
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 34915ff221..d83017b6ba 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -960,35 +960,6 @@ check_dnssecstatus() {
 status=$((status+ret))
 }
 
-_loadkeys_on() {
- _server=$1
- _dir=$2
- _zone=$3
-
- nextpart $_dir/named.run > /dev/null
- rndccmd $_server loadkeys $_zone in $_view > rndc.dnssec.loadkeys.out.$_zone.$n
- wait_for_log 20 "zone ${_zone}/IN (signed): next key event" $_dir/named.run || return 1
-}
-
-# Tell named that the DS for the key in given zone has been seen in the
-# parent (this does not actually has to be true, we just issue the command
-# to make named believe it can continue with the rollover).
-rndc_checkds() {
- _server=$1
- _dir=$2
- _keyid=$3
- _when=$4
- _what=$5
- _zone=$6
- _view=$7
-
- echo_i "calling checkds $_what key ${_keyid} zone ${_zone} ($n)"
-
- rndccmd $_server dnssec -checkds -key $_keyid -when $_when $_what $_zone in $_view > rndc.dnssec.checkds.out.$_zone.$n || log_error "rndc dnssec -checkds (key ${_keyid} when ${_when} what ${_what}) zone ${_zone} failed"
- _loadkeys_on $_server $_dir $_zone || log_error "loadkeys zone ${_zone} failed ($n)"
-}
-
-
 # Check if RRset of type $1 in file $2 is signed with the right keys.
 # The right keys are the ones that expect a signature and matches the role $3.
 check_signatures() {
@@ -1201,6 +1172,42 @@ check_subdomain() {
 status=$((status+ret))
 }
 
+#
+# rndc dnssec -checkds
+#
+_loadkeys_on() {
+ _server=$1
+ _dir=$2
+ _zone=$3
+
+ nextpart $_dir/named.run > /dev/null
+ rndccmd $_server loadkeys $_zone in $_view > rndc.dnssec.loadkeys.out.$_zone.$n
+ wait_for_log 20 "zone ${_zone}/IN (signed): next key event" $_dir/named.run || return 1
+}
+
+# Tell named that the DS for the key in given zone has been seen in the
+# parent (this does not actually has to be true, we just issue the command
+# to make named believe it can continue with the rollover).
+rndc_checkds() {
+ _server=$1
+ _dir=$2
+ _keyid=$3
+ _when=$4
+ _what=$5
+ _zone=$6
+ _view=$7
+
+ echo_i "calling checkds $_what key ${_keyid} zone ${_zone} ($n)"
+
+ if [ "${_keyid}" = "-" ]; then
+ rndccmd $_server dnssec -checkds -when $_when $_what $_zone in $_view > rndc.dnssec.checkds.out.$_zone.$n || log_error "rndc dnssec -checkds (key ${_keyid} when ${_when} what ${_what}) zone ${_zone} failed"
+ else
+ rndccmd $_server dnssec -checkds -key $_keyid -when $_when $_what $_zone in $_view > rndc.dnssec.checkds.out.$_zone.$n || log_error "rndc dnssec -checkds (key ${_keyid} when ${_when} what ${_what}) zone ${_zone} failed"
+ fi
+
+ _loadkeys_on $_server $_dir $_zone || log_error "loadkeys zone ${_zone} failed ($n)"
+}
+
 #
 # Zone: default.kasp.
 #
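Review bot: `_loadkeys_on` reads `$_view` in its `rndccmd $_server loadkeys $_zone in $_view` line but never takes the view as a parameter; it works here only because `rndc_checkds` assigns `_view=$7` as a shell global immediately before calling it. Any other caller that has not just set `_view` would issue `loadkeys` against whatever view was last used, or with a dangling `in` when the variable is empty. Making the dependency explicit is two lines: add `_view=$4` after `_zone=$3` in `_loadkeys_on`, and call it as `_loadkeys_on $_server $_dir $_zone $_view || log_error "loadkeys zone ${_zone} failed ($n)"`. Separately, the `log_error` message in the `"-"` branch still prints `key -`; either drop the key from that message or document in the header comment that passing `-` as the key id means "no -key option".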