diff --git a/tests-extra/tests/dnssec/case_sensitivity/data/example.zone b/tests-extra/tests/dnssec/case_sensitivity/data/example.zone
new file mode 100644
index 0000000000000000000000000000000000000000..9d199d61e9cbf72ea4394bef57b4290cbec5fdba
--- /dev/null
+++ b/tests-extra/tests/dnssec/case_sensitivity/data/example.zone
@@ -0,0 +1,8 @@
+example.	3600 IN SOA	ns1.example. aaa.bbb.example. 1 3600 300 3600000 3600
+example.	3600 IN NS	ns1.example.
+example.	3600 IN NS	ns2.example.
+ns1.example.	3600 IN A	192.0.2.1
+ns2.example.	3600 IN AAAA	::1
+example.	3600 IN MX	1 xx.example.
+*.c.example.	3600 IN CNAME	ttt-example.
+lp.example.     3600 IN LP      5 L32-SUBnet.example.
diff --git a/tests-extra/tests/dnssec/case_sensitivity/data/modify-insensitive.awk b/tests-extra/tests/dnssec/case_sensitivity/data/modify-insensitive.awk
new file mode 100644
index 0000000000000000000000000000000000000000..165ccb0f93a094b895795ce54a9968d5842e94fd
--- /dev/null
+++ b/tests-extra/tests/dnssec/case_sensitivity/data/modify-insensitive.awk
@@ -0,0 +1,19 @@
+# expected-changes -4 +5
+
+# SOA: name server, admin contect
+$4 == "SOA" { $5 = toupper($5); $6 = toupper($6) }
+
+# NS: duplicate with different case
+$3 == "NS" && $4 ~ /^ns2\./ { print; $4 = toupper($4); }
+
+# MX: server address
+$3 == "MX" { $5 = toupper($5); }
+
+# CNAME: target
+$3 == "CNAME" { $4 = toupper($4); }
+
+# RRSIG: signer name
+$3 == "RRSIG" && $4 == "A" { $11 = toupper($11); }
+
+# output
+{ print }
diff --git a/tests-extra/tests/dnssec/case_sensitivity/data/modify-lp.awk b/tests-extra/tests/dnssec/case_sensitivity/data/modify-lp.awk
new file mode 100644
index 0000000000000000000000000000000000000000..1c96b034c3775c8cfefc448230b5666d23862494
--- /dev/null
+++ b/tests-extra/tests/dnssec/case_sensitivity/data/modify-lp.awk
@@ -0,0 +1,7 @@
+# expected-changes -1 +1
+
+# LP: signer name
+$3 == "LP" { $5 = toupper($5); }
+
+# output
+{ print }
diff --git a/tests-extra/tests/dnssec/case_sensitivity/data/modify-nsec.awk b/tests-extra/tests/dnssec/case_sensitivity/data/modify-nsec.awk
new file mode 100644
index 0000000000000000000000000000000000000000..227ea4405ac7fad52bf17cc6420118016ff04ba6
--- /dev/null
+++ b/tests-extra/tests/dnssec/case_sensitivity/data/modify-nsec.awk
@@ -0,0 +1,7 @@
+# expected-changes -1 +1
+
+# NSEC: signer name
+$1 == "example." && $3 == "NSEC" { $4 = toupper($4); }
+
+# output
+{ print }
diff --git a/tests-extra/tests/dnssec/case_sensitivity/data/modify.sh b/tests-extra/tests/dnssec/case_sensitivity/data/modify.sh
new file mode 100755
index 0000000000000000000000000000000000000000..4af265c64cc4259c65d3e942f11f7928d07a4fbf
--- /dev/null
+++ b/tests-extra/tests/dnssec/case_sensitivity/data/modify.sh
@@ -0,0 +1,60 @@
+#!/bin/sh
+#
+# Perform in-place modification of zone file using given script (awk).
+#
+
+usage()
+{
+	echo "usage: $0 <zone-file> <script>" >&2
+}
+
+if [ $# -ne 2 ]; then
+	usage
+	exit 1
+fi
+
+zonefile=$1
+script=$2
+
+#
+# Extract count of expected changes
+#
+
+add=0
+remove=0
+for change in $(grep -o -m1 'expected-changes .*' "$script" | sed 's/\s\+/\t/g'); do
+	case "$change" in
+	+*) add=${change#?} ;;
+	-*) remove=${change#?} ;;
+	esac
+done
+
+if [ $add -le 0 -a $remove -le 0 ]; then
+	echo "Marker with expected-changes is invalid." >&2
+	exit 1
+fi
+
+#
+# Update the zone file and verify number of changes
+#
+
+tmp=$(mktemp)
+
+awk -f "$script" "$zonefile" > "$tmp"
+
+update_result=$(diff -wu "$zonefile" "$tmp" | awk '
+	BEGIN { add = 0; remove = 0 }
+	NR <= 2 { next } # diff header
+	$1 ~ /^+/ { add += 1 }
+	$1 ~ /^-/ { remove += 1 }
+	END { print add, remove }
+')
+
+if [ "$update_result" != "$add $remove" ]; then
+	echo "The number of performed changes is different than expected." >&2
+	echo "$tmp" >&2
+	exit 1
+fi
+
+# cat "$tmp" && rm "$tmp"
+mv -f "$tmp" "$zonefile"
diff --git a/tests-extra/tests/dnssec/case_sensitivity/test.py b/tests-extra/tests/dnssec/case_sensitivity/test.py
new file mode 100644
index 0000000000000000000000000000000000000000..ff5fc09d1706fe8e3d7e2c36df4c13a31c2e1d51
--- /dev/null
+++ b/tests-extra/tests/dnssec/case_sensitivity/test.py
@@ -0,0 +1,55 @@
+#!/usr/bin/env python3
+
+'''Test for no resigning if the zone is properly signed.'''
+
+from dnstest.utils import set_err
+from dnstest.test import Test
+import subprocess
+
+def patch_zone(t, server, zone, script):
+    """
+    Update zone file on a master server.
+    """
+    zone = zone[0]
+    zonefile = "%s/master/%s" % (server.dir, zone.file_name)
+    modify_script = "%s/modify.sh" % t.data_dir
+    patch_script = "%s/%s" % (t.data_dir, script)
+    subprocess.check_call([modify_script, zonefile, patch_script])
+
+t = Test()
+
+server = t.server("knot")
+zone = t.zone("example.", storage=".")
+
+server.dnssec_enable = True
+server.gen_key(zone, ksk=True)
+server.gen_key(zone)
+
+t.link(zone, server)
+
+t.start()
+
+serial = server.zone_wait(zone)
+
+scripts = [
+    ("insensitive RRs", "modify-insensitive.awk", False),
+    ("NSEC RR", "modify-nsec.awk", True),
+    ("LP RR", "modify-lp.awk", True),
+]
+
+for name, script, resign in scripts:
+    server.flush()
+    server.stop()
+    patch_zone(t, server, zone, script)
+    server.start()
+
+    new_serial = server.zone_wait(zone)
+    signed = new_serial != serial
+
+    if signed != resign:
+        set_err("Invalid state after %s change" % name)
+        break
+
+    serial = new_serial
+
+t.stop()