diff --git a/CHANGES b/CHANGES
index 65c61c93ce..1e0dbae12b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+5718. [bug] Changing the sig signing type, by specifing
+ sig-signing-type, failed as the configuration was
+ incorrectly rejected. [GL #2906]
+
 5717. [func] The "cache-file" option, which was documented as for testing purposes only and not to be used, has been removed. [GL #2903]
diff --git a/bin/tests/system/autosign/ns2/named.conf.in b/bin/tests/system/autosign/ns2/named.conf.in
index 5cdf863a1a..753e65d921 100644
--- a/bin/tests/system/autosign/ns2/named.conf.in
+++ b/bin/tests/system/autosign/ns2/named.conf.in
@@ -46,6 +46,7 @@ zone "example" {
 allow-transfer { any; };
 allow-update { any; };
 auto-dnssec maintain;
+ sig-signing-type 65280;
 };
 zone "bar" {
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index c7bab90f1e..1e02683668 100755
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -18,9 +18,13 @@ DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
 RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s"
 # convert private-type records to readable form
+# $1 is the zone
+# $2 is the server
+# $3 is ignored
+# $4 is the alternate type
 showprivate () {
 echo "-- $@ --"
- $DIG $DIGOPTS +nodnssec +short @$2 -t type65534 $1 | cut -f3 -d' ' |
+ $DIG $DIGOPTS +nodnssec +short @$2 -t ${4:-type65534} $1 | cut -f3 -d' ' |
 while read record; do
 $PERL -e 'my $rdata = pack("H*", @ARGV[0]);
 die "invalid record" unless length($rdata) == 5;
@@ -34,11 +38,15 @@ showprivate () {
 }
 # check that signing records are marked as complete
+# if $3 is 1 then we are expecting "(incomplete)"
+# if $3 is 2 then we are not expecting either "(complete)" or "(incomplete)"
+# if $4 is present then that specifies any alternate type to check
 checkprivate () {
 _ret=0
 expected="${3:-0}"
 x=`showprivate "$@"`
- echo $x | grep incomplete > /dev/null && _ret=1
+ echo $x | grep "(complete)" > /dev/null || _ret=2
+ echo $x | grep "(incomplete)" > /dev/null && _ret=1
 if [ $_ret = $expected ]; then
 return 0
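Review bot: With `$3` set to 2 the function returns success whenever neither marker appears, and from the visible lines that includes the case where showprivate printed no records because the dig query itself failed, so the zones checked with `2` in the later call-list hunk cannot distinguish "no private records" from "no answer". Either state that limit in the header comment, for example `# note: 2 also matches empty output, so a failed query is not detected`, or have those callers first confirm that the zone answers at all. Separately, `echo $x` is unquoted in both new grep lines; `echo "$x"` keeps the record text free of word splitting and globbing. The body of checkprivate continues past the end of this hunk.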
@@ -1144,25 +1152,25 @@ echo_i "checking that signing records have been marked as complete ($n)"
 ret=0
 checkprivate . 10.53.0.1 || ret=1
 checkprivate bar 10.53.0.2 || ret=1
-checkprivate example 10.53.0.2 || ret=1
-checkprivate private.secure.example 10.53.0.3 || ret=1
+checkprivate example 10.53.0.2 0 type65280 || ret=1 # sig-signing-type 65280
+checkprivate private.secure.example 10.53.0.3 2 || ret=1 # pre-signed
 checkprivate nsec3.example 10.53.0.3 || ret=1
 checkprivate nsec3.nsec3.example 10.53.0.3 || ret=1
 checkprivate nsec3.optout.example 10.53.0.3 || ret=1
-checkprivate nsec3-to-nsec.example 10.53.0.3 || ret=1
+checkprivate nsec3-to-nsec.example 10.53.0.3 2 || ret=1 # automatically removed
 checkprivate nsec.example 10.53.0.3 || ret=1
-checkprivate oldsigs.example 10.53.0.3 || ret=1
+checkprivate oldsigs.example 10.53.0.3 2 || ret=1 # pre-signed
 checkprivate optout.example 10.53.0.3 || ret=1
 checkprivate optout.nsec3.example 10.53.0.3 || ret=1
 checkprivate optout.optout.example 10.53.0.3 || ret=1
-checkprivate prepub.example 10.53.0.3 1 || ret=1
+checkprivate prepub.example 10.53.0.3 1 || ret=1 # expecting incomplete
 checkprivate rsasha256.example 10.53.0.3 || ret=1
 checkprivate rsasha512.example 10.53.0.3 || ret=1
 checkprivate secure.example 10.53.0.3 || ret=1
 checkprivate secure.nsec3.example 10.53.0.3 || ret=1
 checkprivate secure.optout.example 10.53.0.3 || ret=1
-checkprivate secure-to-insecure2.example 10.53.0.3 || ret=1
-checkprivate secure-to-insecure.example 10.53.0.3 || ret=1
+checkprivate secure-to-insecure2.example 10.53.0.3 2|| ret=1 # automatically removed
+checkprivate secure-to-insecure.example 10.53.0.3 2 || ret=1 # automatically removed
 checkprivate ttl1.example 10.53.0.3 || ret=1
 checkprivate ttl2.example 10.53.0.3 || ret=1
 checkprivate ttl3.example 10.53.0.3 || ret=1
diff --git a/bin/tests/system/checkconf/good-sig-signing-type.conf b/bin/tests/system/checkconf/good-sig-signing-type.conf
new file mode 100644
index 0000000000..51ecc93bc7
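Review bot: The new line for secure-to-insecure2.example is written `10.53.0.3 2|| ret=1`, without the space before `||` that every other call has; the shell parses it the same way, but `checkprivate secure-to-insecure2.example 10.53.0.3 2 || ret=1` keeps the list uniform. The `example` line also has to pass a literal `0` only to reach the fourth positional argument, and its trailing comment does not say so; something like `# 0 = expect complete; type65280 matches sig-signing-type` would make the placeholder explicit.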
--- /dev/null
+++ b/bin/tests/system/checkconf/good-sig-signing-type.conf
@@ -0,0 +1,5 @@
+zone example {
+ type master;
+ file "example.db";
+ sig-signing-type 65280;
+};
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 01ad26803e..5cc360624e 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -3237,8 +3237,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 "sig-signing-type: %u out of " "range [%u..%u]", type, 0xff00U, 0xffffU);
+ result = ISC_R_FAILURE;
 }
- result = ISC_R_FAILURE;
 }
 obj = NULL;
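Review bot: No negative test accompanies the relaxed check: the commit adds good-sig-signing-type.conf, but nothing visible here exercises the branch that still sets `result = ISC_R_FAILURE` for a type outside 0xff00..0xffff. Because the failure assignment is what moved, a companion checkconf fixture with an out-of-range value (for example a zone carrying `sig-signing-type 65279;`) would pin the rejection path, so a later edit cannot make the validator accept types outside the range this check enforces. If such a fixture already exists elsewhere in the tree, this is covered. check_zoneconf starts and ends outside the hunk.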