diff --git a/CHANGELOG b/CHANGELOG
index 0eaf4cb91..7fde6301c 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,7 +1,10 @@
 #Nmap Changelog ($Id$); -*-text-*-
-o [NSE][GH#1271] The DNS library is now using ECS code (edns-client-subnet)
- compliant with RFC 7871 [John Bond]
+o [NSE] Support for edns-client-subnet (ECS) in dns.lua has been improved by:
+ - Using ECS code compliant with RFC 7871 [John Bond]
+ - Properly trimming ECS address, as mandated by RFC 7871 [nnposter]
+ - Fixing a bug that prevented using the same ECS option table more than
+ once [nnposter]
 o [Ncat][GH#1267] Fixed communication with commands launched with -e or -c on Windows, especially when --ssl is used. [Daniel Miller]
diff --git a/nselib/dns.lua b/nselib/dns.lua
index 88e827f1b..91ccee9fd 100644
--- a/nselib/dns.lua
+++ b/nselib/dns.lua
@@ -1409,8 +1409,15 @@ function addClientSubnet(pkt,Z,subnet)
 end
 assert(family == 1 or family == 2, "Unsupported subnet family")
 local code = 8 -- https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-11
- local scope_mask = 0 -- In requests, it MUST be set to 0 see draft
- local data = bin.pack(">SCCA",family,subnet.mask,scope_mask,ipOps.ip_to_str(subnet.address))
+ local mask = subnet.mask
+ local scope_mask = 0 -- In requests, it MUST be set to 0
+ -- Per RFC 7871, section 6:
+ -- Address must have all insignificant bits zeroed out and insignificant bytes
+ -- must be trimmed off. (/24 IPv4 address is submitted as 3 octets, not 4.)
+ local addr = ipOps.ip_to_bin(subnet.address)
+ addr = ipOps.bin_to_ip(addr:sub(1, mask) .. ("0"):rep(#addr - mask))
+ addr = ipOps.ip_to_str(addr):sub(1, (mask + 7) // 8)
+ local data = bin.pack(">SCCA", family, mask, scope_mask, addr)
 local opt = bin.pack(">SS",code, #data) .. data
 addOPT(pkt,Z,opt)
 end
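Review bot: In the nselib/dns.lua hunk, `subnet.mask` feeds `addr:sub(1, mask)`, `("0"):rep(#addr - mask)` and `(mask + 7) // 8` with no range check, and the result of `ipOps.ip_to_bin(subnet.address)` is indexed without checking that the conversion succeeded. A nil or negative mask, or an address that fails to convert, would surface as an opaque string or arithmetic error. A mask longer than the address (over 32 for IPv4, over 128 for IPv6) appears to pass through and pack a SOURCE PREFIX-LENGTH larger than the address bytes actually sent, which is a malformed option under RFC 7871. Right after the `ip_to_bin` call, consider `assert(addr, "Invalid subnet address")` and `assert(mask and mask >= 0 and mask <= #addr, "Invalid subnet mask")`, in the style of the existing family assert. addClientSubnet begins above this hunk, so confirm that `subnet` is not already validated there before adding the checks.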