diff --git a/doc/Changelog b/doc/Changelog
index f132b5501..9b62c7574 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+11 July 2017: Wouter
+ - Fix #1344: RFC6761-reserved domains: test. and invalid.
+
 6 July 2017: Wouter
 - Fix tests to use .tdir (from Manu Bretelle) instead of .tpkg.
 - Fix svn hooks for tdir (selected if testcode/mini_tdir.sh exists)..
diff --git a/doc/example.conf.in b/doc/example.conf.in
index 13c373f8f..657ee54de 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -563,6 +563,8 @@ server:
 # local-zone: "127.in-addr.arpa." nodefault
 # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
 # local-zone: "onion." nodefault
+ # local-zone: "test." nodefault
+ # local-zone: "invalid." nodefault
 # local-zone: "10.in-addr.arpa." nodefault
 # local-zone: "16.172.in-addr.arpa." nodefault
 # local-zone: "17.172.in-addr.arpa." nodefault
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index 721cd3d76..fc9d054ef 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -1048,13 +1048,13 @@ has no other effect than turning off default contents for the given zone. Use \fInodefault\fR if you use exactly that zone, if you want to use a subzone, use \fItransparent\fR. .P -The default zones are localhost, reverse 127.0.0.1 and ::1, the onion and -the AS112 zones. The AS112 zones are reverse DNS zones for private use and -reserved IP addresses for which the servers on the internet cannot provide -correct answers. They are configured by default to give nxdomain (no reverse -information) answers. The defaults can be turned off by specifying your -own local\-zone of that name, or using the 'nodefault' type. Below is a -list of the default zone contents. +The default zones are localhost, reverse 127.0.0.1 and ::1, the onion, test, +invalid and the AS112 zones. The AS112 zones are reverse DNS zones for +private use and reserved IP addresses for which the servers on the internet +cannot provide correct answers. They are configured by default to give +nxdomain (no reverse information) answers. The defaults can be turned off +by specifying your own local\-zone of that name, or using the 'nodefault' +type. Below is a list of the default zone contents. .TP 10 \h'5'\fIlocalhost\fR The IP4 and IP6 localhost information is given. NS and SOA records are provided 
@@ -1104,6 +1104,24 @@ local\-data: "onion. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" .fi .TP 10 +\h'5'\fItest (RFC 7686)\fR +Default content: +.nf +local\-zone: "test." static +local\-data: "test. 10800 IN NS localhost." +local\-data: "test. 10800 IN + SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" +.fi +.TP 10 +\h'5'\fIinvalid (RFC 7686)\fR +Default content: +.nf +local\-zone: "invalid." static +local\-data: "invalid. 10800 IN NS localhost." +local\-data: "invalid. 10800 IN + SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" +.fi +.TP 10 \h'5'\fIreverse RFC1918 local use zones\fR Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to 31.172.in\-addr.arpa, 168.192.in\-addr.arpa. diff --git a/services/localzone.c b/services/localzone.c index a19b52526..d0c7c08f4 100644 --- a/services/localzone.c +++ b/services/localzone.c @@ -719,9 +719,9 @@ lz_nodefault(struct config_file* cfg, const char* name) return 0; } -/** enter AS112 default zone */ +/** enter (AS112) empty default zone */ static int -add_as112_default(struct local_zones* zones, struct config_file* cfg, +add_empty_default(struct local_zones* zones, struct config_file* cfg, const char* name) { struct local_zone* z; 
@@ -816,26 +816,24 @@ int local_zone_enter_defaults(struct local_zones* zones, struct config_file* cfg
 lock_rw_unlock(&z->lock);
 }
 /* onion. zone (RFC 7686) */
- if(!lz_exists(zones, "onion.") &&
- !lz_nodefault(cfg, "onion.")) {
- if(!(z=lz_enter_zone(zones, "onion.", "static",
- LDNS_RR_CLASS_IN)) ||
- !lz_enter_rr_into_zone(z,
- "onion. 10800 IN NS localhost.") ||
- !lz_enter_rr_into_zone(z,
- "onion. 10800 IN SOA localhost. nobody.invalid. "
- "1 3600 1200 604800 10800")) {
- log_err("out of memory adding default zone");
- if(z) { lock_rw_unlock(&z->lock); }
- return 0;
- }
- lock_rw_unlock(&z->lock);
+ if(!add_empty_default(zones, cfg, "onion.")) {
+ log_err("out of memory adding default zone");
+ return 0;
+ }
+ /* test. zone (RFC 7686) */
+ if(!add_empty_default(zones, cfg, "test.")) {
+ log_err("out of memory adding default zone");
+ return 0;
+ }
+ /* invalid. zone (RFC 7686) */
+ if(!add_empty_default(zones, cfg, "invalid.")) {
+ log_err("out of memory adding default zone");
+ return 0;
 }
-
 /* block AS112 zones, unless asked not to */
 if(!cfg->unblock_lan_zones) {
 for(zstr = as112_zones; *zstr; zstr++) {
- if(!add_as112_default(zones, cfg, *zstr)) {
+ if(!add_empty_default(zones, cfg, *zstr)) {
 log_err("out of memory adding default zone");
 return 0;
 }
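Review bot: The comments on the two new zones cite the wrong RFC: `/* test. zone (RFC 7686) */` and `/* invalid. zone (RFC 7686) */` reuse the onion reference, while the Changelog entry in this same commit attributes test. and invalid. to RFC6761. I would change them to `/* test. zone (RFC 6761) */` and `/* invalid. zone (RFC 6761) */`, and make the same correction to the `test (RFC 7686)` and `invalid (RFC 7686)` headings added in doc/unbound.conf.5.in, since an operator deciding whether to override these defaults will look up the cited document. Separately, onion. is now created through add_empty_default(), whose body is outside this hunk, so it cannot be confirmed from here that it keeps the lz_exists() check and enters the same static NS/SOA contents as the removed inline code; local_zone_enter_defaults itself also starts and ends outside the hunk. Because test. and invalid. are added unconditionally (they are not behind `cfg->unblock_lan_zones`), a resolver that currently resolves an internal test. zone will presumably start answering from the empty default after upgrade unless `local-zone: "test." nodefault` is configured, which deserves a line in the release notes.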