diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c
index 67a83269e2..c32a1a9a67 100644
--- a/src/resolve/resolved-dns-packet.c
+++ b/src/resolve/resolved-dns-packet.c
@@ -1804,9 +1804,9 @@ int dns_packet_read_rr(
         if (r < 0)
                 return r;
 
-        /* RFC 2181, Section 8, suggests to
-         * treat a TTL with the MSB set as a zero TTL. */
-        if (rr->ttl & UINT32_C(0x80000000))
+        /* RFC 2181, Section 8, suggests to treat a TTL with the MSB set as a zero TTL. We avoid doing this
+         * for OPT records so that all 8 bits of the extended RCODE may be used .*/
+        if (key->type != DNS_TYPE_OPT && rr->ttl & UINT32_C(0x80000000))
                 rr->ttl = 0;
 
         r = dns_packet_read_uint16(p, &rdlength, NULL);
diff --git a/src/resolve/resolved-dns-packet.h b/src/resolve/resolved-dns-packet.h
index 8f5a08e357..a2e25231df 100644
--- a/src/resolve/resolved-dns-packet.h
+++ b/src/resolve/resolved-dns-packet.h
@@ -117,7 +117,7 @@ static inline uint16_t DNS_PACKET_RCODE(DnsPacket *p) {
         uint16_t rcode;
 
         if (p->opt)
-                rcode = (uint16_t) (p->opt->ttl >> 24);
+                rcode = (uint16_t) ((p->opt->ttl >> 20) & 0xFF0);
         else
                 rcode = 0;