diff --git a/bin/tests/system/tsig/tests_badtime.py b/bin/tests/system/tsig/tests_badtime.py
new file mode 100644
index 0000000000..2f6d251151
--- /dev/null
+++ b/bin/tests/system/tsig/tests_badtime.py
@@ -0,0 +1,63 @@
+#!/usr/bin/python3
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# pylint: disable=unused-variable
+
+import socket
+import time
+
+import pytest
+
+pytest.importorskip("dns", minversion="2.0.0")
+import dns.message
+import dns.query
+import dns.tsigkeyring
+
+TIMEOUT = 10
+
+
+def create_msg(qname, qtype, edns=-1):
+    msg = dns.message.make_query(qname, qtype, use_edns=edns)
+    return msg
+
+
+def timeout():
+    return time.time() + TIMEOUT
+
+
+def create_socket(host, port):
+    sock = socket.create_connection((host, port), timeout=10)
+    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, True)
+    return sock
+
+
+def test_tsig_badtime(named_port):
+    with create_socket("10.53.0.1", named_port) as sock:
+        msg = create_msg("a.example.", "A")
+
+        keyring = dns.tsigkeyring.from_text(
+            {
+                "sha256": "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=",
+            }
+        )
+
+        msg.use_tsig(keyring, keyname="sha256", fudge=0)
+
+        wire = msg.to_wire()
+        assert len(wire) > 0
+
+        time.sleep(3)
+
+        (sbytes, stime) = dns.query.send_tcp(sock, wire, timeout())
+        with pytest.raises(dns.tsig.PeerBadTime):
+            (response, rtime) = dns.query.receive_tcp(sock, timeout(), keyring=keyring)