diff --git a/bin/tests/system/dns64/clean.sh b/bin/tests/system/dns64/clean.sh
index 8af092d278..166b6bab97 100644
--- a/bin/tests/system/dns64/clean.sh
+++ b/bin/tests/system/dns64/clean.sh
@@ -9,12 +9,13 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
-rm -f ns*/named.conf
-rm -f ns1/K*
-rm -f ns1/signed.db*
-rm -f ns1/dsset-signed.
 rm -f */named.memstats
 rm -f */named.run
+rm -f checkconf.out*
 rm -f dig.out.*
-rm -f ns*/named.lock
 rm -f ns*/managed-keys.bind*
+rm -f ns*/named.conf
+rm -f ns*/named.lock
+rm -f ns1/K*
+rm -f ns1/dsset-signed.
+rm -f ns1/signed.db*
diff --git a/bin/tests/system/dns64/conf/bad18.conf b/bin/tests/system/dns64/conf/bad18.conf
new file mode 100644
index 0000000000..82fac1ad4e
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad18.conf
@@ -0,0 +1,3 @@
+options {
+ dns64 ::/32 { suffix ::8000:0000:0000:0000; }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/bad19.conf b/bin/tests/system/dns64/conf/bad19.conf
new file mode 100644
index 0000000000..79290c116d
--- /dev/null
+++ b/bin/tests/system/dns64/conf/bad19.conf
@@ -0,0 +1,3 @@
+options {
+ dns64 ::/32 { suffix ::0100:0000:0000:0000; }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/warn1.conf b/bin/tests/system/dns64/conf/warn1.conf
new file mode 100644
index 0000000000..efd5d20ae3
--- /dev/null
+++ b/bin/tests/system/dns64/conf/warn1.conf
@@ -0,0 +1,3 @@
+options {
+ dns64 0000:0000:0000:0000:0100:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/warn2.conf b/bin/tests/system/dns64/conf/warn2.conf
new file mode 100644
index 0000000000..0e420a5322
--- /dev/null
+++ b/bin/tests/system/dns64/conf/warn2.conf
@@ -0,0 +1,3 @@
+options {
+ dns64 0000:0000:0000:0000:0200:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/warn3.conf b/bin/tests/system/dns64/conf/warn3.conf
new file mode 100644
index 0000000000..539b184c54
--- /dev/null
+++ b/bin/tests/system/dns64/conf/warn3.conf
@@ -0,0 +1,3 @@
+options {
+ dns64 0000:0000:0000:0000:0400:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/warn4.conf b/bin/tests/system/dns64/conf/warn4.conf
new file mode 100644
index 0000000000..3728ecfc70
--- /dev/null
+++ b/bin/tests/system/dns64/conf/warn4.conf
@@ -0,0 +1,3 @@
+options {
+ dns64 0000:0000:0000:0000:0800:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/warn5.conf b/bin/tests/system/dns64/conf/warn5.conf
new file mode 100644
index 0000000000..c2ac4f9d98
--- /dev/null
+++ b/bin/tests/system/dns64/conf/warn5.conf
@@ -0,0 +1,3 @@
+options {
+ dns64 0000:0000:0000:0000:1000:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/warn6.conf b/bin/tests/system/dns64/conf/warn6.conf
new file mode 100644
index 0000000000..357ae80684
--- /dev/null
+++ b/bin/tests/system/dns64/conf/warn6.conf
@@ -0,0 +1,3 @@
+options {
+ dns64 0000:0000:0000:0000:2000:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/warn7.conf b/bin/tests/system/dns64/conf/warn7.conf
new file mode 100644
index 0000000000..5e17457f16
--- /dev/null
+++ b/bin/tests/system/dns64/conf/warn7.conf
@@ -0,0 +1,3 @@
+options {
+ dns64 0000:0000:0000:0000:4000:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/conf/warn8.conf b/bin/tests/system/dns64/conf/warn8.conf
new file mode 100644
index 0000000000..71966d2758
--- /dev/null
+++ b/bin/tests/system/dns64/conf/warn8.conf
@@ -0,0 +1,3 @@
+options {
+ dns64 0000:0000:0000:0000:8000:000f::/96 { }; /* bits [64..71] MBZ */
+};
diff --git a/bin/tests/system/dns64/tests.sh b/bin/tests/system/dns64/tests.sh
index ce5287efc6..ed1e8af9a0 100644
--- a/bin/tests/system/dns64/tests.sh
+++ b/bin/tests/system/dns64/tests.sh
@@ -39,6 +39,19 @@ do
 status=`expr $status + $ret`
 done
+for conf in conf/warn*.conf
+do
+ echo_i "checking that $conf produces a warning ($n)"
+ ret=0
+ $CHECKCONF "$conf" > checkconf.out$n || ret=1
+ l=`wc -l < checkconf.out$n`
+ grep "warning" checkconf.out$n > /dev/null || ret=1
+ test $l -ne 0 || ret=1
+ n=`expr $n + 1`
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+done
+
 # Check the example. domain
 echo_i "checking non-excluded AAAA lookup works ($n)"
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 0d0c1d38b3..fd529df660 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -5145,7 +5145,9 @@ options {
 Compatible IPv6 prefixes have lengths of 32, 40, 48, 56,
- 64 and 96 as per RFC 6052.
+ 64 and 96 as per RFC 6052. Bits 64..71 inclusive must
+ be zero with the most significate bit of the prefix in
+ position 0.
 Additionally a reverse IP6.ARPA zone will be created for
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index f06e22d003..051b341233 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -530,6 +530,12 @@ check_dns64(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
 continue;
 }
+ if (na.type.in6.s6_addr[8] != 0) {
+ cfg_obj_log(map, logctx, ISC_LOG_WARNING,
+ "warning: invalid prefix, bits [64..71] "
+ "must be zero");
+ }
+
 if (prefixlen != 32 && prefixlen != 40 && prefixlen != 48 && prefixlen != 56 && prefixlen != 64 && prefixlen != 96) {
 cfg_obj_log(map, logctx, ISC_LOG_ERROR,
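Review bot: The added loop passes on any output that contains the word "warning", so a warn*.conf that trips some unrelated named-checkconf warning would still pass even if the bits [64..71] check never fired. Match the message the check actually emits, e.g. `grep -F "bits [64..71] must be zero" checkconf.out$n > /dev/null || ret=1`. The `test $l -ne 0` line adds nothing once grep has succeeded, since a match already implies non-empty output. Note also that `$CHECKCONF "$conf" > checkconf.out$n || ret=1` pins the exit status to success, so these cases will need to move to bad*.conf if the check is ever promoted to an error.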
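Review bot: The new octet-8 test logs at ISC_LOG_WARNING and, as far as this hunk shows, leaves the function's result untouched, so a dns64 prefix with non-zero bits 64..71 is still accepted even though the ARM sentence added in the same commit says those bits "must be zero". RFC 6052 reserves that octet, so addresses synthesized from such a prefix fall outside the format that other translators and address filters expect. If warn-only is deliberate (to keep deployed configurations loading), state that next to the check, e.g. `/* RFC 6052: octet 8 is reserved and must be zero; warn only so existing configurations still load */`; otherwise log at ISC_LOG_ERROR like the prefix-length test that follows. The literal "warning: " prefix in the message also duplicates the log level. The body of check_dns64 starts and ends outside this hunk.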