diff --git a/bin/tests/system/conf.sh.common b/bin/tests/system/conf.sh.common
index f6596deb0e..5970f8e8da 100644
--- a/bin/tests/system/conf.sh.common
+++ b/bin/tests/system/conf.sh.common
@@ -292,6 +292,13 @@ keyfile_to_dskeys() {
 echo "};"
 }
 
+# keyfile_to_trusted_keys: convert key data contained in the keyfile(s)
+# provided to a "trust-keys" section suitable for including in a
+# resolver's configuration file
+keyfile_to_trusted_keys() {
+ keyfile_to_keys "trusted-keys" "" $*
+}
+
 # keyfile_to_static_keys: convert key data contained in the keyfile(s)
 # provided to a *static-key* "trust-anchors" section suitable for including in
 # a resolver's configuration file
diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh
index 66254b7cfe..5882789500 100644
--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -46,6 +46,8 @@ cp trusted.conf ../ns6/trusted.conf
 cp trusted.conf ../ns7/trusted.conf
 cp trusted.conf ../ns9/trusted.conf
 
+keyfile_to_trusted_keys "$ksk" > trusted.keys
+
 # ...or with an initializing key.
 keyfile_to_initial_ds "$ksk" > managed.conf
 cp managed.conf ../ns4/managed.conf
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 9d7597c8e2..84e4ad627b 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -205,6 +205,15 @@ if [ -x ${DELV} ] ; then
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
+
+ ret=0
+ echo_i "checking positive validation NSEC using dns_client (trusted-keys) ($n)"
+ "$DELV" -a ns1/trusted.keys -p "$PORT" @10.53.0.4 a a.example > delv.out$n || ret=1
+ grep "a.example..*10.0.0.1" delv.out$n > /dev/null || ret=1
+ grep "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" delv.out$n > /dev/null || ret=1
+ n=$((n+1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
 fi
 
 echo_i "checking positive validation NSEC3 ($n)"
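Review bot: The header comment on `keyfile_to_trusted_keys` says it produces a "trust-keys" section, but the body passes `"trusted-keys"` to `keyfile_to_keys`, so the comment names a statement the function never emits; it should read `# provided to a "trusted-keys" section suitable for including in a`. The body also forwards its arguments as unquoted `$*`, which re-splits and glob-expands key file names. `keyfile_to_keys "trusted-keys" "" "$@"` would keep each path intact, assuming `keyfile_to_keys` (defined outside this hunk) walks its remaining arguments one by one. As far as I know `trusted-keys` is the older spelling of a static trust anchor, so the comment could also say the helper exists to exercise that legacy syntax.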
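Review bot: The new `trusted.keys` line has no comment and sits between the static-key step and `# ...or with an initializing key.`, so that comment's lead-in no longer follows the step it refers to. A line such as `# Also write the same KSK as a legacy "trusted-keys" file (used with delv -a).` above the call would keep the sequence readable. The commit shows no matching change to the test's cleanup, so it is worth confirming the generated file is removed between runs. The redirect creates `trusted.keys` even when the helper fails; that matches the neighbouring lines but means an empty anchor file is possible.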
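Review bot: The added delv check never asserts the validation status itself. It greps `delv.out$n` for the A record and an RRSIG line but not for delv's `; fully validated` marker, so the test title ("positive validation ... (trusted-keys)") claims more than the assertions pin down. Adding `grep "fully validated" delv.out$n > /dev/null || ret=1` after the two existing greps would tie the result to the anchor loaded from `ns1/trusted.keys`. The patterns also use unescaped dots (`10.0.0.1`, `.RRSIG.A`), which match any character; this may mirror the earlier delv checks, which lie outside this hunk, as does the start of the enclosing `if [ -x ${DELV} ]` block.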