diff --git a/CHANGES b/CHANGES index b06db7e0f0..a9d83fa060 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +5701. [bug] named-checkconf failed to detect syntactically invalid + key and tls names. [GL #2461] + 5700. [bug] Journals where not being removed when a catalog zone was removed. [GL #2842] diff --git a/bin/tests/system/checkconf/bad-primaries-key.conf b/bin/tests/system/checkconf/bad-primaries-key.conf new file mode 100644 index 0000000000..c58f79a839 --- /dev/null +++ b/bin/tests/system/checkconf/bad-primaries-key.conf @@ -0,0 +1,15 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +zone example { + type secondary; + primaries { 1.2.3.4 key a..b; }; +}; diff --git a/bin/tests/system/checkconf/bad-primaries-tls.conf b/bin/tests/system/checkconf/bad-primaries-tls.conf new file mode 100644 index 0000000000..abb54ba259 --- /dev/null +++ b/bin/tests/system/checkconf/bad-primaries-tls.conf @@ -0,0 +1,15 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +zone example { + type secondary; + primaries { 1.2.3.4 tls a..b; }; +}; diff --git a/lib/bind9/check.c b/lib/bind9/check.c index d247962fc7..570a2e8ed3 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c 
@@ -2114,13 +2114,43 @@ resume: const char *listname; const cfg_obj_t *addr; const cfg_obj_t *key; + const cfg_obj_t *tls; addr = cfg_tuple_get(cfg_listelt_value(element), "remoteselement"); key = cfg_tuple_get(cfg_listelt_value(element), "key"); + tls = cfg_tuple_get(cfg_listelt_value(element), "tls"); if (cfg_obj_issockaddr(addr)) { count++; + if (cfg_obj_isstring(key)) { + const char *str = cfg_obj_asstring(key); + dns_fixedname_t fname; + dns_name_t *nm = dns_fixedname_initname(&fname); + tresult = dns_name_fromstring(nm, str, 0, NULL); + if (tresult != ISC_R_SUCCESS) { + cfg_obj_log(key, logctx, ISC_LOG_ERROR, + "'%s' is not a valid name", + str); + if (result == ISC_R_SUCCESS) { + result = tresult; + } + } + } + if (cfg_obj_isstring(tls)) { + const char *str = cfg_obj_asstring(tls); + dns_fixedname_t fname; + dns_name_t *nm = dns_fixedname_initname(&fname); + tresult = dns_name_fromstring(nm, str, 0, NULL); + if (tresult != ISC_R_SUCCESS) { + cfg_obj_log(tls, logctx, ISC_LOG_ERROR, + "'%s' is not a valid name", + str); + if (result == ISC_R_SUCCESS) { + result = tresult; + } + } + } continue; } if (!cfg_obj_isvoid(key)) { @@ -2131,6 +2161,14 @@ resume: result = ISC_R_FAILURE; } } + if (!cfg_obj_isvoid(tls)) { + cfg_obj_log(key, logctx, ISC_LOG_ERROR, + "unexpected token '%s'", + cfg_obj_asstring(tls)); + if (result == ISC_R_SUCCESS) { + result = ISC_R_FAILURE; + } + } listname = cfg_obj_asstring(addr); symvalue.as_cpointer = addr; tresult = isc_symtab_define(symtab, listname, 1, symvalue,
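Review bot: The `key` and `tls` name checks added inside the `cfg_obj_issockaddr(addr)` branch are the same fourteen lines written twice, differing only in which object is passed to `cfg_obj_asstring()` and `cfg_obj_log()`. Since this is the path that makes named-checkconf reject malformed key and TLS names, a single static helper would keep the two checks from drifting apart, for example if one later gains a length or character restriction. The sketch below assumes `logctx` is the `isc_log_t *` this function already passes to `cfg_obj_log()`, and the helper name is only a suggestion. The enclosing function and its `resume:` loop start and end outside the hunk, so the helper's placement and the exact types need confirming against the full file.

```c
/* Log and return an error if obj's string value is not a valid DNS name. */
static isc_result_t
check_remote_name(const cfg_obj_t *obj, isc_log_t *logctx) {
	const char *str = cfg_obj_asstring(obj);
	dns_fixedname_t fname;
	dns_name_t *nm = dns_fixedname_initname(&fname);
	isc_result_t r = dns_name_fromstring(nm, str, 0, NULL);

	if (r != ISC_R_SUCCESS) {
		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
			    "'%s' is not a valid name", str);
	}
	return (r);
}

/* … unchanged: addr/key/tls lookups via cfg_tuple_get() … */
		if (cfg_obj_issockaddr(addr)) {
			count++;
			if (cfg_obj_isstring(key)) {
				tresult = check_remote_name(key, logctx);
				if (tresult != ISC_R_SUCCESS &&
				    result == ISC_R_SUCCESS) {
					result = tresult;
				}
			}
			if (cfg_obj_isstring(tls)) {
				tresult = check_remote_name(tls, logctx);
				if (tresult != ISC_R_SUCCESS &&
				    result == ISC_R_SUCCESS) {
					result = tresult;
				}
			}
			continue;
		}
```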
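Review bot: The new `unexpected token` error for a stray `tls` value is logged against `key`, not `tls`: the call reads `cfg_obj_log(key, logctx, ISC_LOG_ERROR,` while the message prints `cfg_obj_asstring(tls)`. The location in the diagnostic therefore comes from a different object than the one being rejected, and when only `tls` was given that is presumably the void `key` placeholder. The first argument should be `tls`, i.e. `cfg_obj_log(tls, logctx, ISC_LOG_ERROR,`. Separately, `cfg_obj_asstring(tls)` runs for any non-void value. That mirrors the existing `key` branch and is probably guaranteed by the grammar, but a comment such as `/* tls is either void or a string here */` would record the assumption. The surrounding block continues past the end of the hunk.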