diff --git a/doc/Changelog b/doc/Changelog
index e97fb5104..678fa96be 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -3,6 +3,7 @@
 	- trunk contains 1.5.11 in development.
 	- Fix dnstap relaying "random" messages instead of resolver/forwarder
 	  responses, from Nikolay Edigaryev.
+	- Fix #836: unbound could echo back EDNS options in an error response.
 
 20 September 2016: Wouter
 	- iana portlist update.
diff --git a/services/mesh.c b/services/mesh.c
index b0434b3ff..04912383c 100644
--- a/services/mesh.c
+++ b/services/mesh.c
@@ -878,6 +878,8 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
 		comm_point_send_reply(&r->query_reply);
 	} else if(rcode) {
 		m->s.qinfo.qname = r->qname;
+		if(!edns_opt_inplace_reply(&r->edns, m->s.region))
+			r->edns.opt_list = NULL;
 		error_encode(r->query_reply.c->buffer, rcode, &m->s.qinfo,
 			r->qid, r->qflags, &r->edns);
 		comm_point_send_reply(&r->query_reply);