rpz-ip address rewrite is being bypassed by +cd queries

Ref: https://support.isc.org/Ticket/Display.html?id=20501

A customer using BIND 9.16.27-S1 has reported that an rpz-ip address rewrite is being bypassed when:

A global 'forward only' configuration is used
'dnssec-validation' set to 'auto' or 'yes' (with trust-anchors)
The +cd flag is set when querying the resolver
No result is in cache from a prior query without +cd

Reproduced with a reduced configuration on BIND 9.16.27, which is described at https://support.isc.org/Ticket/Display.html?id=20501#txn-772518 to avoid divulging customer identity. The customer has reported the same behavior when testing on 9.11.30-S1 as well.

Edited Apr 01, 2022 by Petr Špaček

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information