diff --git a/CHANGES b/CHANGES
index bef53cecc4..568cbe2e78 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+5836.	[bug]		Quote the dns64 prefix in error messages that complain
+			about problems with it, to avoid confusion with the
+			following dns64 ACLs. [GL #3210]
+
 5834.	[cleanup]	C99 variable-length arrays are difficult to use safely,
 			so avoid them except in test code. [GL #3201]
 
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 591a4b972b..1017468d42 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -546,7 +546,14 @@ check_viewacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
 	return (result);
 }
 
-static const unsigned char zeros[16];
+static void
+dns64_error(const cfg_obj_t *obj, isc_log_t *logctx, isc_netaddr_t *netaddr,
+	    unsigned int prefixlen, const char *message) {
+	char buf[ISC_NETADDR_FORMATSIZE + 1];
+	isc_netaddr_format(netaddr, buf, sizeof(buf));
+	cfg_obj_log(obj, logctx, ISC_LOG_ERROR, "dns64 prefix %s/%u %s", buf,
+		    prefixlen, message);
+}
 
 static isc_result_t
 check_dns64(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
@@ -585,16 +592,15 @@ check_dns64(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
 
 		cfg_obj_asnetprefix(obj, &na, &prefixlen);
 		if (na.family != AF_INET6) {
-			cfg_obj_log(map, logctx, ISC_LOG_ERROR,
-				    "dns64 requires a IPv6 prefix");
+			dns64_error(map, logctx, &na, prefixlen,
+				    "must be IPv6");
 			result = ISC_R_FAILURE;
 			continue;
 		}
 
 		if (na.type.in6.s6_addr[8] != 0) {
-			cfg_obj_log(map, logctx, ISC_LOG_ERROR,
-				    "invalid prefix, bits [64..71] must be "
-				    "zero");
+			dns64_error(map, logctx, &na, prefixlen,
+				    "bits [64..71] must be zero");
 			result = ISC_R_FAILURE;
 			continue;
 		}
@@ -602,9 +608,8 @@ check_dns64(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
 		if (prefixlen != 32 && prefixlen != 40 && prefixlen != 48 &&
 		    prefixlen != 56 && prefixlen != 64 && prefixlen != 96)
 		{
-			cfg_obj_log(map, logctx, ISC_LOG_ERROR,
-				    "bad prefix length %u [32/40/48/56/64/96]",
-				    prefixlen);
+			dns64_error(map, logctx, &na, prefixlen,
+				    "length is not 32/40/48/56/64/96");
 			result = ISC_R_FAILURE;
 			continue;
 		}
@@ -631,6 +636,7 @@ check_dns64(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
 		obj = NULL;
 		(void)cfg_map_get(map, "suffix", &obj);
 		if (obj != NULL) {
+			static const unsigned char zeros[16];
 			isc_netaddr_fromsockaddr(&sa, cfg_obj_assockaddr(obj));
 			if (sa.family != AF_INET6) {
 				cfg_obj_log(map, logctx, ISC_LOG_ERROR,