RPZ Ignored When RRL Enabled
When RRL (Response Rate Limiting) is enabled (i.e. on an authoritative server) and the response rate limit is reached, BIND still returns responses for queries that would otherwise have been dropped via RPZ (Response Policy Zones). The expected behavior is surely that BIND evaluates the RPZ match first and skips the RRL check for any query that matches an RPZ rule.
For example, if
rate-limit { responses-per-second 15; window 15; }
is set in named.conf, queries for 'test.example.com' should be dropped if
*.example.com CNAME rpz-drop.
is set in the RPZ zone.
However, once the rate limit is reached, BIND ignores RPZ and still returns a response for 'test.example.com' (the query slips through).
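A complete configuration that wires the two fragments above together, added here as a constructed reproduction setup and not taken from the reporter's files; the zone name rpz.local, the file names and the directory are assumptions:

```text
// named.conf (constructed example)
options {
    directory "/var/named";      // assumed path

    // RRL settings exactly as quoted in the report
    rate-limit {
        responses-per-second 15;
        window 15;
    };

    // Attach the policy zone. Expected: a query matching the RPZ rule
    // is dropped here, before RRL is consulted at all.
    response-policy {
        zone "rpz.local";
    };
};

// The policy zone itself; keep it private, it is not meant to be served.
zone "rpz.local" {
    type master;
    file "rpz.local.db";           // assumed file name
    allow-query { localhost; };
    allow-transfer { none; };
};

// ---------------------------------------------------------------
// rpz.local.db (constructed example)
// $TTL 300
// @               IN SOA ns.rpz.local. hostmaster.rpz.local. (
//                        1 3600 900 604800 300 )
//                 IN NS  ns.rpz.local.
// ; Drop every name under example.com, e.g. test.example.com
// *.example.com   CNAME  rpz-drop.
```

Under this setup, queries for test.example.com should never be answered; with the behavior described in the report, a sustained query rate above 15 responses per second lets some of them through.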