diff --git a/packages/conformance-tests/src/resolver/dnssec.rs b/packages/conformance-tests/src/resolver/dnssec.rs
index 63400356..f408ef38 100644
--- a/packages/conformance-tests/src/resolver/dnssec.rs
+++ b/packages/conformance-tests/src/resolver/dnssec.rs
@@ -1,3 +1,4 @@
 //! DNSSEC functionality
+mod rfc4035;
 mod scenarios;
diff --git a/packages/conformance-tests/src/resolver/dnssec/rfc4035.rs b/packages/conformance-tests/src/resolver/dnssec/rfc4035.rs
new file mode 100644
index 00000000..289eace0
--- /dev/null
+++ b/packages/conformance-tests/src/resolver/dnssec/rfc4035.rs
@@ -0,0 +1 @@
+mod section_4;
diff --git a/packages/conformance-tests/src/resolver/dnssec/rfc4035/section_4.rs b/packages/conformance-tests/src/resolver/dnssec/rfc4035/section_4.rs
new file mode 100644
index 00000000..5779d78f
--- /dev/null
+++ b/packages/conformance-tests/src/resolver/dnssec/rfc4035/section_4.rs
@@ -0,0 +1 @@
+mod section_4_1;
diff --git a/packages/conformance-tests/src/resolver/dnssec/rfc4035/section_4/section_4_1.rs b/packages/conformance-tests/src/resolver/dnssec/rfc4035/section_4/section_4_1.rs
new file mode 100644
index 00000000..533e31b3
--- /dev/null
+++ b/packages/conformance-tests/src/resolver/dnssec/rfc4035/section_4/section_4_1.rs
@@ -0,0 +1,54 @@
+use dns_test::client::{Client, Dnssec, Recurse};
+use dns_test::name_server::NameServer;
+use dns_test::record::RecordType;
+use dns_test::tshark::{Capture, Direction};
+use dns_test::zone_file::Root;
+use dns_test::{Network, Resolver, Result, TrustAnchor, FQDN};
+
+#[test]
+#[ignore]
+fn edns_support() -> Result<()> {
+ let network = &Network::new()?;
+ let ns = NameServer::new(FQDN::ROOT, network)?.start()?;
+ let resolver = Resolver::start(
+ dns_test::subject(),
+ &[Root::new(ns.fqdn().clone(), ns.ipv4_addr())],
+ &TrustAnchor::empty(),
+ network,
+ )?;
+
+ let mut tshark = resolver.eavesdrop()?;
+
+ let client = Client::new(network)?;
+ let ans = client.dig(
+ Recurse::Yes,
+ Dnssec::Yes,
+ resolver.ipv4_addr(),
+ RecordType::SOA,
+ &FQDN::ROOT,
+ )?;
+ assert!(ans.status.is_servfail());
+
+ tshark.wait_for_capture()?;
+
+ let captures = tshark.terminate()?;
+
+ let ns_addr = ns.ipv4_addr();
+ for Capture { message, direction } in captures {
+ if let Direction::Outgoing { destination } = direction {
+ if destination == client.ipv4_addr() {
+ continue;
+ }
+
+ // sanity check
+ assert_eq!(ns_addr, destination);
+
+ if destination == ns_addr {
+ assert_eq!(Some(true), message.is_do_bit_set());
+ assert!(message.udp_payload_size().unwrap() >= 1220);
+ }
+ }
+ }
+
+ Ok(())
+}
diff --git a/packages/dns-test/src/client.rs b/packages/dns-test/src/client.rs
index f991b9f0..2119f24b 100644
--- a/packages/dns-test/src/client.rs
+++ b/packages/dns-test/src/client.rs
@@ -237,6 +237,11 @@ impl DigStatus {
 pub fn is_nxdomain(&self) -> bool {
 matches!(self, Self::NXDOMAIN)
 }
+
+ #[must_use]
+ pub fn is_servfail(&self) -> bool {
+ matches!(self, Self::SERVFAIL)
+ }
 }
 impl FromStr for DigStatus {
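Review bot: The capture loop in `edns_support` (section_4_1.rs) asserts only on messages that were captured, so the test passes without checking the DO bit or the payload size if no outgoing query to the name server is recorded; the SERVFAIL assertion does not by itself show that such a query was sent. Count the checked messages and fail when there are none: `let mut checked = 0;` before the loop, `checked += 1;` beside the DO-bit assertion, and `assert!(checked > 0, "no query to the name server was captured");` before `Ok(())`. The inner `if destination == ns_addr` is always true after the preceding `assert_eq!(ns_addr, destination)` and can be dropped. `message.udp_payload_size().unwrap()` would fail more readably as `.expect("query to the name server carries no OPT record")`, since a missing EDNS record is exactly the non-conformance this test is looking for. The bare `#[ignore]` and the expected SERVFAIL are both unexplained; a reason string on the attribute and a one-line comment on why SERVFAIL is the expected status would help the next reader.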