diff --git a/CHANGES b/CHANGES
index 10358f8a9f..d852491eac 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+6322.	[bug]		Changes to "listen-on" statements were ignored on
+			reconfiguration unless the port or interface address was
+			changed, making it impossible to change a related
+			listener transport type. Thanks to Thomas Amgarten.
+			[GL #4518] [GL #4528]
+
 6321.	[func]		The 'tls' block was extended with a new
 			'cipher-suites' option that allows setting
 			allowed cipher suites for TLSv1.3.
diff --git a/bin/tests/system/transport-change/clean.sh b/bin/tests/system/transport-change/clean.sh
new file mode 100644
index 0000000000..e8d1b95ee5
--- /dev/null
+++ b/bin/tests/system/transport-change/clean.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after zone transfer tests.
+#
+
+rm -f ./*/named.conf
+rm -f ./*/named.memstats
+rm -f ./*/named.run
+rm -f ./*/named.run.prev
+rm -f ./dig.out.*
+rm -f ./*/example.db
+rm -rf ./headers.*
diff --git a/bin/tests/system/transport-change/ns1/named-http-plain-proxy.conf.in b/bin/tests/system/transport-change/ns1/named-http-plain-proxy.conf.in
new file mode 100644
index 0000000000..012b167ae3
--- /dev/null
+++ b/bin/tests/system/transport-change/ns1/named-http-plain-proxy.conf.in
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../_common/rndc.key";
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+tls self-signed {
+	cert-file "../self-signed-cert.pem";
+	key-file "../self-signed-key.pem";
+};
+
+options {
+	pid-file "named.pid";
+	##
+	# generic
+	listen-on port @PORT@ { 10.53.0.1; };
+	# test TLS
+	listen-on port @EXTRAPORT1@ proxy plain tls none http default { 10.53.0.1; };
+	listen-on-v6 port @EXTRAPORT1@ proxy plain tls none http default { fd92:7065:b8e:ffff::1; };
+	##
+	recursion no;
+	notify explicit;
+	statistics-file "named.stats";
+	dnssec-validation yes;
+	tcp-initial-timeout 1200;
+	allow-proxy { any; };
+	allow-proxy-on { 10.53.0.1; fd92:7065:b8e:ffff::1; };
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+	allow-transfer { any; };
+};
diff --git a/bin/tests/system/transport-change/ns1/named-http-plain.conf.in b/bin/tests/system/transport-change/ns1/named-http-plain.conf.in
new file mode 100644
index 0000000000..627742920b
--- /dev/null
+++ b/bin/tests/system/transport-change/ns1/named-http-plain.conf.in
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../_common/rndc.key";
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+tls self-signed {
+	cert-file "../self-signed-cert.pem";
+	key-file "../self-signed-key.pem";
+};
+
+options {
+	pid-file "named.pid";
+	##
+	# generic
+	listen-on port @PORT@ { 10.53.0.1; };
+	# test TLS
+	listen-on port @EXTRAPORT1@ tls none http default { 10.53.0.1; };
+	listen-on-v6 port @EXTRAPORT1@ tls none http default { fd92:7065:b8e:ffff::1; };
+	##
+	recursion no;
+	notify explicit;
+	statistics-file "named.stats";
+	dnssec-validation yes;
+	tcp-initial-timeout 1200;
+	allow-proxy { any; };
+	allow-proxy-on { 10.53.0.1; fd92:7065:b8e:ffff::1; };
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+	allow-transfer { any; };
+};
diff --git a/bin/tests/system/transport-change/ns1/named-https-proxy-encrypted.conf.in b/bin/tests/system/transport-change/ns1/named-https-proxy-encrypted.conf.in
new file mode 100644
index 0000000000..8c28c26a8e
--- /dev/null
+++ b/bin/tests/system/transport-change/ns1/named-https-proxy-encrypted.conf.in
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../_common/rndc.key";
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+tls self-signed {
+	cert-file "../self-signed-cert.pem";
+	key-file "../self-signed-key.pem";
+};
+
+options {
+	pid-file "named.pid";
+	##
+	# generic
+	listen-on port @PORT@ { 10.53.0.1; };
+	# test TLS
+	listen-on port @EXTRAPORT1@ proxy encrypted tls self-signed http default { 10.53.0.1; };
+	listen-on-v6 port @EXTRAPORT1@ proxy encrypted tls self-signed http default { fd92:7065:b8e:ffff::1; };
+	##
+	recursion no;
+	notify explicit;
+	statistics-file "named.stats";
+	dnssec-validation yes;
+	tcp-initial-timeout 1200;
+	allow-proxy { any; };
+	allow-proxy-on { 10.53.0.1; fd92:7065:b8e:ffff::1; };
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+	allow-transfer { any; };
+};
diff --git a/bin/tests/system/transport-change/ns1/named-https-proxy-plain.conf.in b/bin/tests/system/transport-change/ns1/named-https-proxy-plain.conf.in
new file mode 100644
index 0000000000..7b5538ce0d
--- /dev/null
+++ b/bin/tests/system/transport-change/ns1/named-https-proxy-plain.conf.in
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../_common/rndc.key";
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+tls self-signed {
+	cert-file "../self-signed-cert.pem";
+	key-file "../self-signed-key.pem";
+};
+
+options {
+	pid-file "named.pid";
+	##
+	# generic
+	listen-on port @PORT@ { 10.53.0.1; };
+	# test TLS
+	listen-on port @EXTRAPORT1@ proxy plain tls self-signed http default { 10.53.0.1; };
+	listen-on-v6 port @EXTRAPORT1@ proxy plain tls self-signed http default { fd92:7065:b8e:ffff::1; };
+	##
+	recursion no;
+	notify explicit;
+	statistics-file "named.stats";
+	dnssec-validation yes;
+	tcp-initial-timeout 1200;
+	allow-proxy { any; };
+	allow-proxy-on { 10.53.0.1; fd92:7065:b8e:ffff::1; };
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+	allow-transfer { any; };
+};
diff --git a/bin/tests/system/transport-change/ns1/named-https.conf.in b/bin/tests/system/transport-change/ns1/named-https.conf.in
new file mode 100644
index 0000000000..c24346e941
--- /dev/null
+++ b/bin/tests/system/transport-change/ns1/named-https.conf.in
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../_common/rndc.key";
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+tls self-signed {
+	cert-file "../self-signed-cert.pem";
+	key-file "../self-signed-key.pem";
+};
+
+options {
+	pid-file "named.pid";
+	##
+	# generic
+	listen-on port @PORT@ { 10.53.0.1; };
+	# test TLS
+	listen-on port @EXTRAPORT1@ tls self-signed http default { 10.53.0.1; };
+	listen-on-v6 port @EXTRAPORT1@ tls self-signed http default { fd92:7065:b8e:ffff::1; };
+	##
+	recursion no;
+	notify explicit;
+	statistics-file "named.stats";
+	dnssec-validation yes;
+	tcp-initial-timeout 1200;
+	allow-proxy { any; };
+	allow-proxy-on { 10.53.0.1; fd92:7065:b8e:ffff::1; };
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+	allow-transfer { any; };
+};
diff --git a/bin/tests/system/transport-change/ns1/named-proxy.conf.in b/bin/tests/system/transport-change/ns1/named-proxy.conf.in
new file mode 100644
index 0000000000..1b9fb684aa
--- /dev/null
+++ b/bin/tests/system/transport-change/ns1/named-proxy.conf.in
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../_common/rndc.key";
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+tls self-signed {
+	cert-file "../self-signed-cert.pem";
+	key-file "../self-signed-key.pem";
+};
+
+options {
+	pid-file "named.pid";
+	##
+	# generic
+	listen-on port @PORT@ { 10.53.0.1; };
+	# test
+	listen-on port @EXTRAPORT1@ proxy plain { 10.53.0.1; };
+	listen-on-v6 port @EXTRAPORT1@ proxy plain { fd92:7065:b8e:ffff::1; };
+	##
+	recursion no;
+	notify explicit;
+	statistics-file "named.stats";
+	dnssec-validation yes;
+	tcp-initial-timeout 1200;
+	allow-proxy { any; };
+	allow-proxy-on { 10.53.0.1; fd92:7065:b8e:ffff::1; };
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+	allow-transfer { any; };
+};
diff --git a/bin/tests/system/transport-change/ns1/named-tls-proxy-encrypted.conf.in b/bin/tests/system/transport-change/ns1/named-tls-proxy-encrypted.conf.in
new file mode 100644
index 0000000000..4183fb8a31
--- /dev/null
+++ b/bin/tests/system/transport-change/ns1/named-tls-proxy-encrypted.conf.in
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../_common/rndc.key";
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+tls self-signed {
+	cert-file "../self-signed-cert.pem";
+	key-file "../self-signed-key.pem";
+};
+
+options {
+	pid-file "named.pid";
+	##
+	# generic
+	listen-on port @PORT@ { 10.53.0.1; };
+	# test TLS
+	listen-on port @EXTRAPORT1@ proxy encrypted tls self-signed { 10.53.0.1; };
+	listen-on-v6 port @EXTRAPORT1@ proxy encrypted tls self-signed { fd92:7065:b8e:ffff::1; };
+	##
+	recursion no;
+	notify explicit;
+	statistics-file "named.stats";
+	dnssec-validation yes;
+	tcp-initial-timeout 1200;
+	allow-proxy { any; };
+	allow-proxy-on { 10.53.0.1; fd92:7065:b8e:ffff::1; };
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+	allow-transfer { any; };
+};
diff --git a/bin/tests/system/transport-change/ns1/named-tls-proxy-plain.conf.in b/bin/tests/system/transport-change/ns1/named-tls-proxy-plain.conf.in
new file mode 100644
index 0000000000..8a283cb21b
--- /dev/null
+++ b/bin/tests/system/transport-change/ns1/named-tls-proxy-plain.conf.in
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../_common/rndc.key";
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+tls self-signed {
+	cert-file "../self-signed-cert.pem";
+	key-file "../self-signed-key.pem";
+};
+
+options {
+	pid-file "named.pid";
+	##
+	# generic
+	listen-on port @PORT@ { 10.53.0.1; };
+	# test TLS
+	listen-on port @EXTRAPORT1@ proxy plain tls self-signed { 10.53.0.1; };
+	listen-on-v6 port @EXTRAPORT1@ proxy plain tls self-signed { fd92:7065:b8e:ffff::1; };
+	##
+	recursion no;
+	notify explicit;
+	statistics-file "named.stats";
+	dnssec-validation yes;
+	tcp-initial-timeout 1200;
+	allow-proxy { any; };
+	allow-proxy-on { 10.53.0.1; fd92:7065:b8e:ffff::1; };
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+	allow-transfer { any; };
+};
diff --git a/bin/tests/system/transport-change/ns1/named-tls.conf.in b/bin/tests/system/transport-change/ns1/named-tls.conf.in
new file mode 100644
index 0000000000..4bcc976173
--- /dev/null
+++ b/bin/tests/system/transport-change/ns1/named-tls.conf.in
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../_common/rndc.key";
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+tls self-signed {
+	cert-file "../self-signed-cert.pem";
+	key-file "../self-signed-key.pem";
+};
+
+options {
+	pid-file "named.pid";
+	##
+	# generic
+	listen-on port @PORT@ { 10.53.0.1; };
+	# test TLS
+	listen-on port @EXTRAPORT1@ tls self-signed { 10.53.0.1; };
+	listen-on-v6 port @EXTRAPORT1@ tls self-signed { fd92:7065:b8e:ffff::1; };
+	##
+	recursion no;
+	notify explicit;
+	statistics-file "named.stats";
+	dnssec-validation yes;
+	tcp-initial-timeout 1200;
+	allow-proxy { any; };
+	allow-proxy-on { 10.53.0.1; fd92:7065:b8e:ffff::1; };
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+	allow-transfer { any; };
+};
diff --git a/bin/tests/system/transport-change/ns1/named.conf.in b/bin/tests/system/transport-change/ns1/named.conf.in
new file mode 100644
index 0000000000..0ee7fc5d36
--- /dev/null
+++ b/bin/tests/system/transport-change/ns1/named.conf.in
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../_common/rndc.key";
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+tls self-signed {
+	cert-file "../self-signed-cert.pem";
+	key-file "../self-signed-key.pem";
+};
+
+options {
+	pid-file "named.pid";
+	##
+	# generic
+	listen-on port @PORT@ { 10.53.0.1; };
+	# test
+	listen-on port @EXTRAPORT1@ { 10.53.0.1; };
+	listen-on-v6 port @EXTRAPORT1@ { fd92:7065:b8e:ffff::1; };
+	##
+	recursion no;
+	notify explicit;
+	statistics-file "named.stats";
+	dnssec-validation yes;
+	tcp-initial-timeout 1200;
+	allow-proxy { any; };
+	allow-proxy-on { 10.53.0.1; fd92:7065:b8e:ffff::1; };
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+	allow-transfer { any; };
+};
diff --git a/bin/tests/system/transport-change/prereq.sh b/bin/tests/system/transport-change/prereq.sh
new file mode 100644
index 0000000000..0c19f1178b
--- /dev/null
+++ b/bin/tests/system/transport-change/prereq.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck disable=SC1091
+. ../conf.sh
+
+$FEATURETEST --with-libnghttp2 || {
+  echo_i "This test requires libnghttp2 support." >&2
+  exit 255
+}
+
+exit 0
diff --git a/bin/tests/system/transport-change/privkey.pem b/bin/tests/system/transport-change/privkey.pem
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/bin/tests/system/transport-change/self-signed-cert.pem b/bin/tests/system/transport-change/self-signed-cert.pem
new file mode 100644
index 0000000000..3f4df28f60
--- /dev/null
+++ b/bin/tests/system/transport-change/self-signed-cert.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBqTCCAVCgAwIBAgIULBCxkDF3scu+KzMu4JWrS1MiD8gwCgYIKoZIzj0EAwIw
+FjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wIBcNMjQwMTEwMTQwOTAyWhgPMjA1MTA1
+MjgxNDA5MDJaMBYxFDASBgNVBAMMC2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYI
+KoZIzj0DAQcDQgAEraleW8FCXwU72Iva/H2FRiY5yrnKOVG0wZ8UN8bghx2yyK+z
+EFaHS5buo5jEnWnweX2qrX4N9RWDii7nqfwjNaN6MHgwHQYDVR0OBBYEFEGCx9FF
+rNxaR7zTM74ksT4fDaGjMB8GA1UdIwQYMBaAFEGCx9FFrNxaR7zTM74ksT4fDaGj
+MA8GA1UdEwEB/wQFMAMBAf8wJQYDVR0RBB4wHIILZXhhbXBsZS5jb22CDSouZXhh
+bXBsZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgL+cDL9EKz9YY3iR6/fZqjniXaiap
+lMfzbtesX1LVi04CIBOBW97oz4jQ1K4D1QN4aDJpit2LJWrEKHyLk4SPqZUS
+-----END CERTIFICATE-----
diff --git a/bin/tests/system/transport-change/self-signed-key.pem b/bin/tests/system/transport-change/self-signed-key.pem
new file mode 100644
index 0000000000..b68bd11a6c
--- /dev/null
+++ b/bin/tests/system/transport-change/self-signed-key.pem
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg9uAMbwHDtsF9BDAu
+CafftgyXCZbbRy8aJpoo76B8iwWhRANCAAStqV5bwUJfBTvYi9r8fYVGJjnKuco5
+UbTBnxQ3xuCHHbLIr7MQVodLlu6jmMSdafB5faqtfg31FYOKLuep/CM1
+-----END PRIVATE KEY-----
diff --git a/bin/tests/system/transport-change/setup.sh b/bin/tests/system/transport-change/setup.sh
new file mode 100644
index 0000000000..f726f7020d
--- /dev/null
+++ b/bin/tests/system/transport-change/setup.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck disable=SC1091
+. ../conf.sh
+
+$SHELL clean.sh
+
+$SHELL "${TOP_SRCDIR}"/bin/tests/system/genzone.sh 2 >ns1/example.db
+
+copy_setports ns1/named.conf.in ns1/named.conf
diff --git a/bin/tests/system/transport-change/tests.sh b/bin/tests/system/transport-change/tests.sh
new file mode 100644
index 0000000000..646f5af290
--- /dev/null
+++ b/bin/tests/system/transport-change/tests.sh
@@ -0,0 +1,100 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+# shellcheck disable=SC1091
+. ../conf.sh
+
+dig_out_basename="dig.out.test"
+testing="testing if the query is successfully completed"
+
+dig_with_opts() {
+  # shellcheck disable=SC2086
+  "$DIG" -p "${EXTRAPORT1}" +noadd +nosea +nostat +noquest +nocmd "$@" NS example
+}
+
+status=0
+n=0
+
+run_dig_test() {
+  test_message="$1"
+  shift
+  n=$((n + 1))
+  echo_i "$test_message ($n)"
+  dig_failed=0
+  dig_with_opts "$@" >"$dig_out_basename$n" || dig_failed=1
+}
+
+run_dig_test_expect_success() {
+  ret=0
+  run_dig_test "$@"
+  if [ $dig_failed != 0 ]; then
+    ret=1
+  elif ! [ -s "$dig_out_basename$n" ]; then
+    ret=1
+  fi
+  if [ $ret != 0 ]; then echo_i "failed"; fi
+  status=$((status + ret))
+}
+
+run_dig_multitest_expect_success() {
+  message="$1"
+  shift
+  run_dig_test_expect_success "$message (IPv4)" -b 10.53.0.10 @10.53.0.1 "$@"
+  run_dig_test_expect_success "$message (IPv6)" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 "$@"
+}
+
+reconfig_server() {
+  message="$1"
+  shift
+  config_file="$1"
+  shift
+  echo_i "$message"
+  copy_setports "ns1/$config_file" "ns1/named.conf"
+  rndc_reconfig ns1 10.53.0.1
+}
+
+run_dig_multitest_expect_success "$testing: a UDP query over Do53"
+run_dig_multitest_expect_success "$testing: a TCP query over Do53" +tcp
+
+reconfig_server "reconfiguring the server to use PROXYv2" named-proxy.conf.in
+run_dig_multitest_expect_success "$testing: a UDP query for Do53 over PROXYv2" +proxy
+run_dig_multitest_expect_success "$testing: a TCP query for Do53 over PROXYv2" +tcp +proxy
+
+reconfig_server "reconfiguring the server to use TLS/DoT" named-tls.conf.in
+run_dig_multitest_expect_success "$testing: a query over TLS/DoT" +tls
+
+reconfig_server "reconfiguring the server to use TLS/DoT over encrypted PROXYv2" named-tls-proxy-encrypted.conf.in
+run_dig_multitest_expect_success "$testing: a query over TLS/DoT over encrypted PROXYv2" +tls +proxy
+
+reconfig_server "reconfiguring the server to use TLS/DoT over plain PROXYv2" named-tls-proxy-plain.conf.in
+run_dig_multitest_expect_success "$testing: a query over TLS/DoT over plain PROXYv2" +tls +proxy +proxy-plain
+
+reconfig_server "reconfiguring the server to use HTTPS/DoH" named-https.conf.in
+run_dig_multitest_expect_success "$testing: a query over HTTPS/DoH" +https
+
+reconfig_server "reconfiguring the server to use HTTPS/DoH over encrypted PROXYv2" named-https-proxy-encrypted.conf.in
+run_dig_multitest_expect_success "$testing: a query over HTTPS/DoH over encrypted PROXYv2" +https +proxy
+
+reconfig_server "reconfiguring the server to use HTTPS/DoH over plain PROXYv2" named-https-proxy-plain.conf.in
+run_dig_multitest_expect_success "$testing: a query over HTTPS/DoH over plain PROXYv2" +https +proxy +proxy-plain
+
+reconfig_server "reconfiguring the server to use plain HTTP/DoH" named-http-plain.conf.in
+run_dig_multitest_expect_success "$testing: a query over plain HTTP/DoH" +http-plain
+
+reconfig_server "reconfiguring the server to use plain HTTP/DoH over PROXYv2" named-http-plain-proxy.conf.in
+run_dig_multitest_expect_success "$testing: a query over plain HTTP/DoH over PROXYv2" +http-plain +proxy
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/transport-change/tests_sh_transport_change.py b/bin/tests/system/transport-change/tests_sh_transport_change.py
new file mode 100644
index 0000000000..d86446389e
--- /dev/null
+++ b/bin/tests/system/transport-change/tests_sh_transport_change.py
@@ -0,0 +1,14 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+
+def test_transport_change(run_tests_sh):
+    run_tests_sh()
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index d76a0a7ed4..1459acdbe8 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -38,7 +38,13 @@ Feature Changes
 Bug Fixes
 ~~~~~~~~~
 
-- None.
+- Changes to ``listen-on`` statements were ignored on reconfiguration
+  unless the port or interface address was changed, making it
+  impossible to change a related listener transport type. That issue
+  has been fixed.
+
+  ISC would like to thank Thomas Amgarten for bringing this issue to
+  our attention. :gl:`#4518`, :gl:`#4528`
 
 Known Issues
 ~~~~~~~~~~~~
diff --git a/lib/ns/include/ns/interfacemgr.h b/lib/ns/include/ns/interfacemgr.h
index aea5b2dfac..c9c051cb3a 100644
--- a/lib/ns/include/ns/interfacemgr.h
+++ b/lib/ns/include/ns/interfacemgr.h
@@ -76,6 +76,7 @@ struct ns_interface {
 	char		   name[32];   /*%< Null terminated. */
 	isc_nmsocket_t	  *udplistensocket;
 	isc_nmsocket_t	  *tcplistensocket;
+	isc_nmsocket_t	  *tlslistensocket;
 	isc_nmsocket_t	  *http_listensocket;
 	isc_nmsocket_t	  *http_secure_listensocket;
 	isc_quota_t	  *http_quota;
@@ -87,7 +88,8 @@ struct ns_interface {
 					   *   servicing TCP queries
 					   *   (whether accepting or
 					   *   connected) */
-	ns_clientmgr_t *clientmgr;	  /*%< Client manager. */
+	ns_clientmgr_t	   *clientmgr;	  /*%< Client manager. */
+	isc_nm_proxy_type_t proxy_type;
 	ISC_LINK(ns_interface_t) link;
 };
 
diff --git a/lib/ns/interfacemgr.c b/lib/ns/interfacemgr.c
index b94d8600c2..d3b6f47e8a 100644
--- a/lib/ns/interfacemgr.c
+++ b/lib/ns/interfacemgr.c
@@ -446,7 +446,9 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
 	REQUIRE(NS_INTERFACEMGR_VALID(mgr));
 
 	ifp = isc_mem_get(mgr->mctx, sizeof(*ifp));
-	*ifp = (ns_interface_t){ .generation = mgr->generation, .addr = *addr };
+	*ifp = (ns_interface_t){ .generation = mgr->generation,
+				 .addr = *addr,
+				 .proxy_type = ISC_NM_PROXY_NONE };
 
 	if (name == NULL) {
 		name = default_name;
@@ -530,7 +532,7 @@ ns_interface_listentls(ns_interface_t *ifp, isc_nm_proxy_type_t proxy,
 		ifp->mgr->nm, ISC_NM_LISTEN_ALL, &ifp->addr, ns_client_request,
 		ifp, ns__client_tcpconn, ifp, ifp->mgr->backlog,
 		&ifp->mgr->sctx->tcpquota, sslctx, proxy,
-		&ifp->tcplistensocket);
+		&ifp->tlslistensocket);
 
 	if (result != ISC_R_SUCCESS) {
 		isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
@@ -662,9 +664,13 @@ interface_setup(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, const char *name,
 		ns_interface_create(mgr, addr, name, &ifp);
 	} else {
 		REQUIRE(!LISTENING(ifp));
+		LOCK(&mgr->lock);
+		ifp->generation = mgr->generation;
+		UNLOCK(&mgr->lock);
 	}
 
 	ifp->flags |= NS_INTERFACEFLAG_LISTENING;
+	ifp->proxy_type = elt->proxy;
 
 	if (elt->is_http) {
 		result = ns_interface_listenhttp(
@@ -733,6 +739,10 @@ ns_interface_shutdown(ns_interface_t *ifp) {
 		isc_nm_stoplistening(ifp->tcplistensocket);
 		isc_nmsocket_close(&ifp->tcplistensocket);
 	}
+	if (ifp->tlslistensocket != NULL) {
+		isc_nm_stoplistening(ifp->tlslistensocket);
+		isc_nmsocket_close(&ifp->tlslistensocket);
+	}
 	if (ifp->http_listensocket != NULL) {
 		isc_nm_stoplistening(ifp->http_listensocket);
 		isc_nmsocket_close(&ifp->http_listensocket);
@@ -788,6 +798,14 @@ find_matching_interface(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr) {
 	return (ifp);
 }
 
+static void
+log_interface_shutdown(const ns_interface_t *ifp) {
+	char sabuf[ISC_SOCKADDR_FORMATSIZE];
+	isc_sockaddr_format(&ifp->addr, sabuf, sizeof(sabuf));
+	isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_INFO,
+		      "no longer listening on %s", sabuf);
+}
+
 /*%
  * Remove any interfaces whose generation number is not the current one.
  */
@@ -812,10 +830,7 @@ purge_old_interfaces(ns_interfacemgr_t *mgr) {
 	for (ifp = ISC_LIST_HEAD(interfaces); ifp != NULL; ifp = next) {
 		next = ISC_LIST_NEXT(ifp, link);
 		if (LISTENING(ifp)) {
-			char sabuf[256];
-			isc_sockaddr_format(&ifp->addr, sabuf, sizeof(sabuf));
-			isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_INFO,
-				      "no longer listening on %s", sabuf);
+			log_interface_shutdown(ifp);
 			ns_interface_shutdown(ifp);
 		}
 		ISC_LIST_UNLINK(interfaces, ifp, link);
@@ -932,9 +947,8 @@ replace_listener_tlsctx(ns_interface_t *ifp, isc_tlsctx_t *newctx) {
 	isc_sockaddr_format(&ifp->addr, sabuf, sizeof(sabuf));
 	isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_INFO,
 		      "updating TLS context on %s", sabuf);
-	if (ifp->tcplistensocket != NULL) {
-		/* 'tcplistensocket' is used for DoT */
-		isc_nmsocket_set_tlsctx(ifp->tcplistensocket, newctx);
+	if (ifp->tlslistensocket != NULL) {
+		isc_nmsocket_set_tlsctx(ifp->tlslistensocket, newctx);
 	} else if (ifp->http_secure_listensocket != NULL) {
 		isc_nmsocket_set_tlsctx(ifp->http_secure_listensocket, newctx);
 	}
@@ -1005,6 +1019,61 @@ update_listener_configuration(ns_interfacemgr_t *mgr, ns_interface_t *ifp,
 	UNLOCK(&mgr->lock);
 }
 
+static bool
+same_listener_type(ns_interface_t *ifp, ns_listenelt_t *new_le) {
+	bool same_transport_type = false;
+
+	if (new_le->is_http && new_le->sslctx != NULL &&
+	    ifp->http_secure_listensocket != NULL)
+	{
+		/* HTTPS/DoH */
+		same_transport_type = true;
+	} else if (new_le->is_http && new_le->sslctx == NULL &&
+		   ifp->http_listensocket != NULL)
+	{
+		/* HTTP/plain DoH */
+		same_transport_type = true;
+	} else if (new_le->sslctx != NULL && ifp->tlslistensocket != NULL) {
+		/* TLS/DoT */
+		same_transport_type = true;
+	} else if (new_le->sslctx == NULL && (ifp->udplistensocket != NULL ||
+					      ifp->tcplistensocket != NULL))
+	{
+		/* "plain" DNS/Do53 */
+		same_transport_type = true;
+	}
+
+	/*
+	 * Check if transport type of the listener has not changed. That
+	 * implies that PROXY type has not been changed as well.
+	 */
+	return (same_transport_type && new_le->proxy == ifp->proxy_type);
+}
+
+static bool
+interface_update_or_shutdown(ns_interfacemgr_t *mgr, ns_interface_t *ifp,
+			     ns_listenelt_t *le, const bool config) {
+	if (LISTENING(ifp) && config && !same_listener_type(ifp, le)) {
+		/*
+		 * DNS listener type has been changed on re-configuration. We
+		 * will need to recreate the listener anew.
+		 */
+		log_interface_shutdown(ifp);
+		ns_interface_shutdown(ifp);
+	} else {
+		LOCK(&mgr->lock);
+		ifp->generation = mgr->generation;
+		UNLOCK(&mgr->lock);
+		if (LISTENING(ifp)) {
+			if (config) {
+				update_listener_configuration(mgr, ifp, le);
+			}
+			return (true);
+		}
+	}
+	return (false);
+}
+
 static isc_result_t
 do_scan(ns_interfacemgr_t *mgr, bool verbose, bool config) {
 	isc_interfaceiter_t *iter = NULL;
@@ -1072,12 +1141,9 @@ do_scan(ns_interfacemgr_t *mgr, bool verbose, bool config) {
 
 			ifp = find_matching_interface(mgr, &listen_addr);
 			if (ifp != NULL) {
-				ifp->generation = mgr->generation;
-				if (LISTENING(ifp)) {
-					if (config) {
-						update_listener_configuration(
-							mgr, ifp, le);
-					}
+				bool cont = interface_update_or_shutdown(
+					mgr, ifp, le, config);
+				if (cont) {
 					continue;
 				}
 			}
@@ -1217,12 +1283,9 @@ do_scan(ns_interfacemgr_t *mgr, bool verbose, bool config) {
 
 			ifp = find_matching_interface(mgr, &listen_sockaddr);
 			if (ifp != NULL) {
-				ifp->generation = mgr->generation;
-				if (LISTENING(ifp)) {
-					if (config) {
-						update_listener_configuration(
-							mgr, ifp, le);
-					}
+				bool cont = interface_update_or_shutdown(
+					mgr, ifp, le, config);
+				if (cont) {
 					continue;
 				}
 			}