rpz-ip address rewrite is being bypassed by +cd queries
A customer using BIND 9.16.27-S1 has reported that an rpz-ip address rewrite is being bypassed when:
- A global 'forward only' configuration is used
- 'dnssec-validation' set to 'auto' or 'yes' (with trust-anchors)
- The +cd flag is set when querying the resolver
- No result is in cache from a prior query without +cd
Reproduced with a reduced configuration on BIND 9.16.27, which is described at https://support.isc.org/Ticket/Display.html?id=20501#txn-772518 to avoid divulging customer identity. The customer has reported the same behavior when testing on 9.11.30-S1 as well.