diff --git a/lib/dns/rdata/in_1/svcb_64.c b/lib/dns/rdata/in_1/svcb_64.c
index 8fbb99c7b7..e1cf27c1b7 100644
--- a/lib/dns/rdata/in_1/svcb_64.c
+++ b/lib/dns/rdata/in_1/svcb_64.c
@@ -121,7 +121,7 @@ svcb_validate(uint16_t key, isc_region_t *region) {
 }
 while (region->length != 0) {
 size_t l = *region->base + 1;
- if (l > region->length) {
+ if (l == 1U || l > region->length) {
 return (DNS_R_FORMERR);
 }
 isc_region_consume(region, l);
diff --git a/lib/dns/tests/rdata_test.c b/lib/dns/tests/rdata_test.c
index 595fcf9dac..d64ffce789 100644
--- a/lib/dns/tests/rdata_test.c
+++ b/lib/dns/tests/rdata_test.c
@@ -2723,6 +2723,11 @@ https_svcb(void **state) {
 * no-default-alpn (0x00 0x02) without alpn, alpn is required.
 */
 WIRE_INVALID(0x00, 0x00, 0x01, 0x00, 0x00, 0x02, 0x00, 0x00),
+ /*
+ * Alpn(0x00 0x01) with zero length elements is invalid
+ */
+ WIRE_INVALID(0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x05,
+ 0x00, 0x00, 0x00, 0x00, 0x00),
 WIRE_SENTINEL()
 };
 /* Test vectors from RFCXXXX */
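Review bot: The added `l == 1U` condition in the alpn loop of svcb_validate() is opaque, because `l` is the length octet plus one, so the value 1 actually means "zero-length alpn-id". A comment above the `if`, such as `/* reject an empty alpn-id (length octet 0) and an id that runs past the value */`, would keep a later cleanup from dropping the check as redundant. The function starts and ends outside the hunk, so it is not visible whether an alpn value of total length 0 is rejected before the `while`, which never runs in that case. That is worth confirming, since this code validates untrusted wire data.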
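Review bot: The new WIRE_INVALID vector in https_svcb() may be rejected before the alpn loop is reached, so it may not exercise the added check. WIRE_INVALID appears to assert only that parsing fails, not why. If the bytes are read as a two-octet SvcPriority followed by TargetName, `0x00, 0x00` is priority 0 and `0x01, 0x00, 0x00` looks like a one-octet label plus root, which would leave `0x01, 0x00` as the key rather than alpn. Please confirm that this case passes validation on the pre-patch svcb_validate(), so the test fails without the fix. It would also help to add a vector where an empty id follows a valid one, so that a later loop iteration is covered as well as the first.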