diff --git a/lib/dns/rdata/in_1/svcb_64.c b/lib/dns/rdata/in_1/svcb_64.c
index 2af6de074c..8fbb99c7b7 100644
--- a/lib/dns/rdata/in_1/svcb_64.c
+++ b/lib/dns/rdata/in_1/svcb_64.c
@@ -755,7 +755,7 @@ static inline isc_result_t
 generic_fromwire_in_svcb(ARGS_FROMWIRE) {
 dns_name_t name;
 isc_region_t region, man = { .base = NULL, .length = 0 };
- bool alias, first = true;
+ bool alias, first = true, have_alpn = false;
 uint16_t lastkey = 0, mankey = 0;
 UNUSED(type);
@@ -829,6 +829,15 @@ generic_fromwire_in_svcb(ARGS_FROMWIRE) {
 }
 }
+ /*
+ * Check alpn present when no-default-alpn is set.
+ */
+ if (key == SVCB_ALPN_KEY) {
+ have_alpn = true;
+ } else if (key == SVCB_NO_DEFAULT_ALPN_KEY && !have_alpn) {
+ return (DNS_R_FORMERR);
+ }
+
 first = false;
 lastkey = key;
diff --git a/lib/dns/tests/rdata_test.c b/lib/dns/tests/rdata_test.c
index 5d0fc9cb07..595fcf9dac 100644
--- a/lib/dns/tests/rdata_test.c
+++ b/lib/dns/tests/rdata_test.c
@@ -2719,6 +2719,10 @@ https_svcb(void **state) {
 */
 WIRE_VALID_LOOP(0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x09, 5, 'h', '1', '\\', 'h', '2', 2, 'h', '3'),
+ /*
+ * no-default-alpn (0x00 0x02) without alpn, alpn is required.
+ */
+ WIRE_INVALID(0x00, 0x00, 0x01, 0x00, 0x00, 0x02, 0x00, 0x00),
 WIRE_SENTINEL()
 };
 /* Test vectors from RFCXXXX */
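Review bot: In the second hunk of lib/dns/rdata/in_1/svcb_64.c the new check is only correct if alpn is parsed before no-default-alpn, because `have_alpn` is tested at the moment the no-default-alpn key is read, and the comment does not say so. `lastkey` suggests ascending key order is enforced earlier in the loop, but that code is outside the hunk, so I would state the dependency in the comment: `/* Keys arrive in ascending order, so alpn (if any) has been seen by the time no-default-alpn is read. */`. This diff changes only the wire parser; whether the text and struct conversion paths reject the same record is not visible here, and it is worth confirming so that a record refused on the wire cannot still be loaded from a zone file. The body of generic_fromwire_in_svcb starts and ends outside the hunk.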
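Review bot: The new WIRE_INVALID vector in https_svcb (lib/dns/tests/rdata_test.c) may be rejected for a reason other than the missing alpn. The neighbouring WIRE_VALID_LOOP entry only decodes as priority 1, root target, alpn with a 9-octet value if its first argument (0x01) is not rdata; if WIRE_INVALID takes no such leading argument (its definition is outside the hunk), the bytes here read as priority 0 and a one-octet label followed by three stray octets, so the test would pass even without the svcb_64.c change. If that is the case, drop the leading `0x00` to get `WIRE_INVALID(0x00, 0x01, 0x00, 0x00, 0x02, 0x00, 0x00),`. A companion valid vector carrying alpn followed by no-default-alpn would pin the accept side of the new check as well. The table this entry belongs to starts outside the hunk.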