diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index fa34b4c7d4..06982f9aeb 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -2014,13 +2014,7 @@ named_zone_inlinesigning(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
 	}
 	maps[i] = NULL;
 
-	/* "inline-signing" is a zone-only clause, so look in maps[0] only. */
-	res = cfg_map_get(maps[0], "inline-signing", &signing);
-	if (res == ISC_R_SUCCESS && cfg_obj_isboolean(signing)) {
-		return (cfg_obj_asboolean(signing));
-	}
-
-	/* If inline-signing is not set, check the value in dnssec-policy. */
+	/* Check the value in dnssec-policy. */
 	policy = NULL;
 	res = named_config_get(maps, "dnssec-policy", &policy);
 	/* If no dnssec-policy found, then zone is not using inline-signing. */
@@ -2039,5 +2033,15 @@ named_zone_inlinesigning(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
 	inline_signing = dns_kasp_inlinesigning(kasp);
 	dns_kasp_detach(&kasp);
 
+	/*
+	 * The zone option 'inline-signing' may override the value in
+	 * dnssec-policy. This is a zone-only option, so look in maps[0]
+	 * only.
+	 */
+	res = cfg_map_get(maps[0], "inline-signing", &signing);
+	if (res == ISC_R_SUCCESS && cfg_obj_isboolean(signing)) {
+		return (cfg_obj_asboolean(signing));
+	}
+
 	return (inline_signing);
 }