diff --git a/CHANGES b/CHANGES
index fda8d47666..d350cf7b0a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3656. [bug] Treat a all zero netmask as invalid when generating
+ the localnets acl. [RT #34687]
+
 3655. [cleanup] Simplify TCP message processing when requesting a zone transfer. [RT #34825]
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
index 418107214c..ff629a9b30 100644
--- a/bin/named/interfacemgr.c
+++ b/bin/named/interfacemgr.c
@@ -564,15 +564,22 @@ setup_locals(ns_interfacemgr_t *mgr, isc_interface_t *interface) {
 return (result);
 if (result != ISC_R_SUCCESS) {
- isc_log_write(IFMGR_COMMON_LOGARGS,
- ISC_LOG_WARNING,
+ isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_WARNING,
 "omitting IPv4 interface %s from "
- "localnets ACL: %s",
- interface->name,
+ "localnets ACL: %s", interface->name,
 isc_result_totext(result));
 return (ISC_R_SUCCESS);
 }
+ if (prefixlen == 0U) {
+ isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_WARNING,
+ "omitting %s interface %s from localnets ACL: "
+ "zero prefix length detected",
+ (netaddr->family == AF_INET) ? "IPv4" : "IPv6",
+ interface->name);
+ return (ISC_R_SUCCESS);
+ }
+
 result = dns_iptable_addprefix(mgr->aclenv.localnets->iptable, netaddr, prefixlen, ISC_TRUE);
 if (result != ISC_R_SUCCESS)
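Review bot: The new `if (prefixlen == 0U)` guard in setup_locals() has no comment saying why a zero prefix length is refused, and the reason is security-relevant: a /0 entry passed to `dns_iptable_addprefix()` would make the localnets ACL match every address, so access controls that reference localnets (such as allow-recursion) would no longer restrict anything. I would add above the check `/* A zero prefix length would make localnets match every address; skip the interface instead of widening the ACL. */`. The guard rejects only an exactly-zero prefix, so a very short non-zero mask reported for an interface is still added; if that is intended, the comment can say so. The warning just above still hard-codes "IPv4" while the new message derives the family from `netaddr->family`, which looks inconsistent if this path is also reached for IPv6 interfaces. setup_locals() starts and ends outside the hunk.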