diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
index 4b0518e457..da47e8880e 100644
--- a/bin/tests/system/checkconf/good.conf
+++ b/bin/tests/system/checkconf/good.conf
@@ -99,6 +99,7 @@ view "first" {
 zone "example1" {
 type primary;
 file "xxx";
+ inline-signing no;
 update-policy local;
 max-ixfr-ratio 20%;
 notify-source 10.10.10.10 port 53 dscp 55;
@@ -120,6 +121,7 @@ view "second" {
 zone "example1" {
 type primary;
 file "zzz";
+ inline-signing no;
 update-policy local;
 zone-statistics yes;
 };
@@ -163,6 +165,7 @@ view "third" {
 zone "dnssec" {
 type primary;
 file "file";
+ inline-signing no;
 allow-update {
 "any";
 };
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index dc7854b291..7d222ed863 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -766,6 +766,17 @@ if [ $ret != 0 ]; then
 fi
 status=$((status + ret))
 
+n=$((n + 1))
+echo_i "check that using dnssec-policy generates a warning for dynamic zones wrt inline-signing ($n)"
+ret=0
+$CHECKCONF warn-kasp-ddns-inline-signing-no.conf >checkconf.out$n 2>/dev/null || ret=1
+grep "'inline-signing' default changed to 'yes' in 9\.20\." /dev/null || ret=1
+if [ $ret != 0 ]; then
+ echo_i "failed"
+ ret=1
+fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "check obsolete options generate warnings ($n)"
 ret=0
diff --git a/bin/tests/system/checkconf/warn-kasp-ddns-inline-signing-no.conf b/bin/tests/system/checkconf/warn-kasp-ddns-inline-signing-no.conf
new file mode 100644
index 0000000000..9fb37e1c2d
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-kasp-ddns-inline-signing-no.conf
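Review bot: As rendered, the new check's grep searches `/dev/null` rather than the captured output, so it can never match and `ret` is always forced to 1; if the `checkconf.out$n >` part was lost in rendering this is fine, otherwise the line should read `grep "'inline-signing' default changed to 'yes' in 9\.20\." checkconf.out$n > /dev/null || ret=1`. The `2>/dev/null` on the `$CHECKCONF` line also means the test silently depends on the warning being written to stdout; if that is not guaranteed, capturing with `2>&1` is the safer form. Both points are worth confirming against the neighbouring checks in this file, which this one otherwise mirrors.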
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The dnssec-policy is not defined. Should also be caught if it is inherited.
+ */
+
+options {
+ dnssec-policy default;
+};
+
+zone "example.net" {
+ type primary;
+ file "example.db";
+ allow-update { any; };
+};
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 962872bdc1..075b7c7109 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -3468,6 +3468,15 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 : "");
 result = ISC_R_FAILURE;
 }
+ if (ddns && res1 != ISC_R_SUCCESS) {
+ cfg_obj_log(
+ zconfig, logctx, ISC_LOG_WARNING,
+ "'inline-signing' default changed "
+ "to 'yes' in 9.20. Before upgrading, "
+ "explicitly set 'inline-signing "
+ "no;' to your dnssec-policy or "
+ "zone configuration");
+ }
 }
 
 obj = NULL;
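Review bot: The fixture's own comment says "The dnssec-policy is not defined", but the file does define it in `options { dnssec-policy default; };`; what is left unset is `inline-signing` on the dynamic zone, which is what the new warning keys on, so the comment misdescribes the case it exercises. Suggest replacing it with `/* A dynamic zone that uses dnssec-policy (inherited from options here) without an explicit inline-signing; the 9.20 default-change warning must fire. */`. The trailing "Should also be caught if it is inherited" then reads correctly, since inheritance is exactly what this file tests.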
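Review bot: The new `if (ddns && res1 != ISC_R_SUCCESS)` block has no comment, and nothing in the hunk shows that `res1` holds the result of the `inline-signing` lookup or that the enclosing block (opened before the hunk; `check_zoneconf` itself begins and ends outside it) is the dnssec-policy branch, so a reader cannot tell what the warning keys on. Suggest `/* Dynamic zone using dnssec-policy with no explicit inline-signing: the default becomes yes in 9.20, so warn before the upgrade changes behaviour. */` above the `if`. Since `res1` is reused from an earlier assignment outside the hunk, confirm that no intervening lookup in the omitted lines overwrites it, or the warning would key on the wrong option. In the message, `set 'inline-signing no;' to your dnssec-policy or zone configuration` should read `in your`.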