diff --git a/CHANGES b/CHANGES
index 6748f264ae..b6a6b314d1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,18 @@
+8.0.0-dev.768 | 2025-07-28 14:16:16 -0700
+
+ * Fix parsing of EDNS rcode (Johanna Amann, Corelight)
+
+ The EDNS rcode was incorrectly calculated. The extended rcode is formed
+ by taking the upper 8 bits of the extended rcode field, plus the lower 4
+ bits of the existing rcode.
+
+ This also adds a new trace with an extended rcode, and a testcase
+ parsing it.
+
+ Reported by dwhitemv25.
+
+ Fixes GH-4656
+
 8.0.0-dev.766 | 2025-07-28 14:15:19 -0700
 
 * Expand coverage of IRC analyzer with more commands (Tim Wojtulewicz, Corelight)
diff --git a/VERSION b/VERSION
index 407118872a..be93e715e5 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-8.0.0-dev.766
+8.0.0-dev.768
diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc
index 9ef6a1fc79..f90ce0c393 100644
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@@ -1737,7 +1737,7 @@ RecordValPtr DNS_MsgInfo::BuildEDNS_Val() {
 // unsigned int DO = ttl & 0x8000; // "DNSSEC OK" - RFC 3225
 unsigned int z = ttl & 0xffff;
 
- unsigned int return_error = (ercode << 8) | rcode;
+ unsigned int return_error = (ercode << 4) | rcode;
 
 r->Assign(4, return_error);
 r->Assign(5, version);
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.edns-rcode/output b/testing/btest/Baseline/scripts.base.protocols.dns.edns-rcode/output
new file mode 100644
index 0000000000..e5d92ee495
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.edns-rcode/output
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+16
diff --git a/testing/btest/Traces/dns/dns_extended_rcode.pcap b/testing/btest/Traces/dns/dns_extended_rcode.pcap
new file mode 100644
index 0000000000..e431330c09
Binary files /dev/null and b/testing/btest/Traces/dns/dns_extended_rcode.pcap differ
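Review bot: The corrected shift on the `+` line in the DNS.cc hunk is right only if `rcode` is already confined to its 4 header bits and `ercode` to the 8 bits taken from the OPT TTL; neither extraction is visible here, and any stray high bit in `rcode` would alias with the extended bits and misreport the response code. A defensive mask documents the layout and makes the combination robust regardless of how the two fields were parsed upstream: `unsigned int return_error = ((ercode & 0xff) << 4) | (rcode & 0xf); // 12-bit extended RCODE: OPT upper 8 bits, header RCODE low nibble (RFC 6891)`. Since the previous `<< 8` shows the layout was misread once already, that comment is worth keeping on the line even without the mask. BuildEDNS_Val begins and ends outside the hunk.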
diff --git a/testing/btest/scripts/base/protocols/dns/edns-rcode.zeek b/testing/btest/scripts/base/protocols/dns/edns-rcode.zeek
new file mode 100644
index 0000000000..93c91f421d
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dns/edns-rcode.zeek
@@ -0,0 +1,13 @@
+# @TEST-DOC: Tests that the correct extended rcode is returned for EDNS packets. Regression test for #4656.
+# @TEST-EXEC: zeek -b -C -r $TRACES/dns/dns_extended_rcode.pcap %INPUT > output
+# @TEST-EXEC: btest-diff output
+
+@load base/protocols/dns
+
+redef dns_skip_all_addl=F;
+
+event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional)
+ {
+ if ( c$dns?$rcode && ans?$extended_rcode )
+ print ans$extended_rcode;
+ }
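Review bot: The handler's `print` line emits only `ans$extended_rcode`, so the baseline value of 16 checks the upper 8 bits but says nothing about the low nibble that the fix now combines into it; a packet whose header rcode was nonzero would be indistinguishable from one where that nibble was dropped. Printing both halves, `print c$dns$rcode, ans$extended_rcode;`, pins the full 12-bit result and makes the baseline self-explanatory, and it gives the `c$dns?$rcode` guard in the condition a value it actually uses. Judging from the baseline alone, the new trace appears to carry an extended rcode of 1 with a header rcode of 0, so a second sample with a nonzero header rcode would strengthen the regression test further.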