diff --git a/bin/check/named-checkconf.c b/bin/check/named-checkconf.c
index a24435f03e..42efae4ddb 100644
--- a/bin/check/named-checkconf.c
+++ b/bin/check/named-checkconf.c
@@ -720,6 +720,8 @@ main(int argc, char **argv) {
 RUNTIME_CHECK(setup_logging(mctx, stdout, &logc) == ISC_R_SUCCESS);
+ RUNTIME_CHECK(dst_lib_init(mctx, NULL) == ISC_R_SUCCESS);
+
 RUNTIME_CHECK(cfg_parser_create(mctx, logc, &parser) == ISC_R_SUCCESS);
 if (nodeprecate) {
@@ -748,12 +750,15 @@ main(int argc, char **argv) {
 if (print && exit_status == 0) {
 cfg_printx(config, flags, output, NULL);
 }
+
 cfg_obj_destroy(parser, &config);
 cfg_parser_destroy(&parser);
 isc_log_destroy(&logc);
+ dst_lib_destroy();
+
 isc_mem_destroy(&mctx);
 return (exit_status);
diff --git a/bin/tests/system/checkconf/kasp-bad-keylen.conf b/bin/tests/system/checkconf/kasp-bad-keylen.conf
index 5ca4c34614..385de8c58a 100644
--- a/bin/tests/system/checkconf/kasp-bad-keylen.conf
+++ b/bin/tests/system/checkconf/kasp-bad-keylen.conf
@@ -13,7 +13,7 @@
 dnssec-policy "bad-keylen" {
 keys {
- csk lifetime P10Y algorithm rsasha1 511;
+ csk lifetime P10Y algorithm rsasha256 511;
 };
 };
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index 68ed4088d8..81e4af62f6 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -536,7 +536,11 @@ n=`expr $n + 1`
 echo_i "checking named-checkconf kasp nsec3 algorithm errors ($n)"
 ret=0
 $CHECKCONF kasp-bad-nsec3-alg.conf > checkconf.out$n 2>&1 && ret=1
-grep "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" < checkconf.out$n > /dev/null || ret=1
+if $FEATURETEST --have-fips-mode; then
+ grep "dnssec-policy: algorithm rsasha1 not supported in FIPS mode" < checkconf.out$n > /dev/null || ret=1
+else
+ grep "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" < checkconf.out$n > /dev/null || ret=1
+fi
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
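Review bot: In bin/check/named-checkconf.c, hunk @@ -720, the new `dst_lib_init(mctx, NULL)` call carries no comment explaining why a configuration checker needs the crypto layer, and the reason matters to operators. Judging by the tests.sh changes in this same commit (the "not supported in FIPS mode" message), the dnssec-policy verdict now appears to depend on the crypto state of the host running the check, so a file that passes on a non-FIPS build machine may still be rejected on a FIPS-mode server. I would add above the call `/* dnssec-policy checks consult dst for algorithm support on this host (e.g. FIPS mode). */`. Wrapping the call in RUNTIME_CHECK matches its neighbours, but it means a crypto initialisation failure presumably aborts the tool instead of reporting an error; worth confirming that is intended. main's body starts and ends outside the hunk.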
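Review bot: In bin/check/named-checkconf.c, hunk @@ -748, the teardown order is load-bearing but undocumented: `dst_lib_destroy()` is placed after `isc_log_destroy(&logc)` and before `isc_mem_destroy(&mctx)`, presumably because dst was initialised from `mctx` and has to release it before the memory context goes away. A one-line comment such as `/* dst was initialised from mctx; destroy it before the memory context. */` would keep a later reorder from breaking that. The part of main between the two hunks is not visible here, so whether any early exit on that path skips this cleanup cannot be checked from the diff.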
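Review bot: In bin/tests/system/checkconf/tests.sh, hunk @@ -536, the FIPS branch accepts a different failure from the one the test is named for: when `$FEATURETEST --have-fips-mode` succeeds, the test passes on "algorithm rsasha1 not supported in FIPS mode", so the nsec3/RSASHA1 compatibility check is presumably never reached in FIPS runs. That is likely unavoidable with this fixture, but it should be stated so that a FIPS pass is not read as coverage of the nsec3 check; I would add `# In FIPS mode rsasha1 is rejected outright, so the nsec3 algorithm check is not exercised here.` above the `if`. Note also that any non-zero exit from the feature test, not only "not in FIPS mode", selects the non-FIPS expectation.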
@@ -544,7 +548,7 @@ n=`expr $n + 1`
 echo_i "checking named-checkconf kasp key errors ($n)"
 ret=0
 $CHECKCONF kasp-bad-keylen.conf > checkconf.out$n 2>&1 && ret=1
-grep "dnssec-policy: key with algorithm rsasha1 has invalid key length 511" < checkconf.out$n > /dev/null || ret=1
+grep "dnssec-policy: key with algorithm rsasha256 has invalid key length 511" < checkconf.out$n > /dev/null || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`