diff --git a/CHANGES b/CHANGES
index 19a39a4949..77989f410e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+4996.	[bug]		dig: Handle malformed ednsopt options. [GL #403]
+
 4995.	[test]		Add tests for "tcp-self" update policy. [GL !282]
 
 4994.	[bug]		Trust anchor telemetry queries were not being sent
diff --git a/bin/dig/dig.c b/bin/dig/dig.c
index 5b4e8a78c2..a09263f46e 100644
--- a/bin/dig/dig.c
+++ b/bin/dig/dig.c
@@ -1001,14 +1001,20 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 							lookup->ednsoptscnt = 0;
 							break;
 						}
-						if (value == NULL) {
+						code = NULL;
+						if (value != NULL) {
+							code = strtok_r(value,
+								        ":",
+									&last);
+						}
+						if (code == NULL) {
 							warn("ednsopt no "
 							     "code point "
 							     "specified");
 							goto exit_or_usage;
 						}
-						code = strtok_r(value, ":", &last);
-						extra = strtok_r(NULL, "\0", &last);
+						extra = strtok_r(NULL, "\0",
+								 &last);
 						save_opt(lookup, code, extra);
 						break;
 					default:
diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
index 080d38e037..fa80a91019 100644
--- a/bin/tests/system/digdelv/tests.sh
+++ b/bin/tests/system/digdelv/tests.sh
@@ -493,6 +493,14 @@ if [ -x ${DIG} ] ; then
   if [ $ret != 0 ]; then echo_i "failed"; fi
   status=`expr $status + $ret`
 
+  n=`expr $n + 1`
+  echo_i "check that dig handles malformed option '+ednsopt=:' gracefully ($n)"
+  ret=0
+  $DIG $DIGOPTS @10.53.0.3 +ednsopt=: a.example > dig.out.test$n 2>&1 && ret=1
+  grep "ednsopt no code point specified" dig.out.test$n > /dev/null || ret=1
+  if [ $ret != 0 ]; then echo_i "failed"; fi
+  status=`expr $status + $ret`
+
   n=`expr $n + 1`
   echo_i "check that dig gracefully handles bad escape in domain name ($n)"
   ret=0