diff --git a/CHANGES b/CHANGES
index b923a0a23b..c701da6e8f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+5660. [bug] Checking of key-directory and dnssec-policy was broken.
+ The checks failed to account for key-directory
+ inheritance. [GL #2778]
+
 5659. [bug] 'W' in wildcard expansions was being mapped to '\000'.
 [GL #2779]
diff --git a/bin/tests/system/checkconf/good-key-directory.conf b/bin/tests/system/checkconf/good-key-directory.conf
new file mode 100644
index 0000000000..5b2df495d6
--- /dev/null
+++ b/bin/tests/system/checkconf/good-key-directory.conf
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "internet" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm ecdsa256;
+ zsk key-directory lifetime P90D algorithm ecdsa256;
+ };
+
+ nsec3param iterations 15 optout no salt-length 8;
+};
+
+dnssec-policy "intranet" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm ecdsa256;
+ zsk key-directory lifetime P30D algorithm ecdsa256;
+ };
+ nsec3param iterations 15 optout no salt-length 8;
+};
+
+dnssec-policy "localhost" {
+ keys {
+ ksk key-directory lifetime unlimited algorithm ecdsa256;
+ zsk key-directory lifetime P30D algorithm ecdsa256;
+ };
+ nsec3param iterations 15 optout no salt-length 8;
+};
+
+options {
+ key-directory "global/keys";
+};
+
+view "localhost" {
+ match-clients { 127.0.0.1; ::1; };
+ zone "example.com" IN {
+ type primary;
+ file "localhost/example.com.zone";
+ dnssec-policy "localhost";
+ };
+};
+
+view "external" {
+ match-clients { 0/0; };
+ key-directory "external/keys";
+ zone "example.com" IN {
+ type primary;
+ file "external/example.com.zone";
+ dnssec-policy "internet";
+ };
+};
+
+view "internal" {
+ match-clients { ::/0; };
+ key-directory "internal/keys";
+ zone "example.com" IN {
+ type primary;
+ file "internal/example.com.zone";
+ dnssec-policy "intranet";
+ };
+};
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 114c25afe6..e872dcb97c 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
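Review bot: None of the three `zone "example.com"` blocks sets its own `key-directory`, so this fixture only covers a zone inheriting the directory from its view ("external", "internal") or from `options` ("localhost"); a zone-level `key-directory` taking precedence over the view's is not exercised here. Adding one zone with `key-directory "localhost/keys";` inside its block would cover that case as well, and the per-view directories look deliberate since the same zone name is carried under three different policies. The file has no comment stating its purpose beyond the license header; a one-liner such as `/* key-directory inheritance: zones take the view's key-directory, or the global one when the view sets none */` would tell a reader why the same zone appears in three views. Whether the named directories must exist for checkconf to run warning-free cannot be seen from this file.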
@@ -53,3 +53,5 @@ Bug Fixes
 to return the correct response as the ``W`` was mapped to ``\000``.
 :gl:`#2779`
+- Checking of ``key-directory`` and ``dnssec-policy`` was broken.
+ The checks failed to account for key-directory inheritance. :gl:`#2778`
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 693b55ab8b..728adec440 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -3191,8 +3191,14 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 * Warn if key-directory doesn't exist
 */
 obj = NULL;
- tresult = cfg_map_get(zoptions, "key-directory", &obj);
- if (tresult == ISC_R_SUCCESS) {
+ (void)cfg_map_get(zoptions, "key-directory", &obj);
+ if (obj == NULL && voptions != NULL) {
+ (void)cfg_map_get(voptions, "key-directory", &obj);
+ }
+ if (obj == NULL && goptions != NULL) {
+ (void)cfg_map_get(goptions, "key-directory", &obj);
+ }
+ if (obj != NULL) {
 dir = cfg_obj_asstring(obj);
 tresult = isc_file_isdirectory(dir);