diff --git a/tests-extra/tests/dnssec/no_resign/test.py b/tests-extra/tests/dnssec/no_resign/test.py
index ab92f27cbe1e4a611f23eab6ffb88b9610f4b120..26d559c5b3cef9b269ae86eb9aaa44b1004b902b 100644
--- a/tests-extra/tests/dnssec/no_resign/test.py
+++ b/tests-extra/tests/dnssec/no_resign/test.py
@@ -13,6 +13,11 @@ def only_nsec_changed(server, zone, serial):
        for rr in msg.answer:
             if rr.rdtype not in [dns.rdatatype.SOA, dns.rdatatype.NSEC, dns.rdatatype.RRSIG]:
                 return False
+            if rr.rdtype == dns.rdatatype.RRSIG:
+                if (not rr.match(rr.name, rr.rdclass, dns.rdatatype.RRSIG, dns.rdatatype.NSEC)) and \
+                   (not rr.match(rr.name, rr.rdclass, dns.rdatatype.RRSIG, dns.rdatatype.SOA)):
+                    # RRSIG covering something else than NSEC or SOA.
+                    return False
    return True
 
 t = Test()