diff --git a/bin/tests/system/rpz/ns3/evil-cname.db.in b/bin/tests/system/rpz/ns3/evil-cname.db.in
new file mode 100644
index 0000000000..b3c6426017
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/evil-cname.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ test
+; This basic file is copied to several zone files before being used.
+; Its contents are also changed with nsupdate
+
+
+$TTL 300
+@ SOA evil-cname. hostmaster.ns.evil-cname. ( 1 3600 1200 604800 60 )
+ NS ns.tld3.
+
+evil.tld2 CNAME a12.tld2.
diff --git a/bin/tests/system/rpz/ns3/named.conf.in b/bin/tests/system/rpz/ns3/named.conf.in
index cfb66cfea8..66f65fc130 100644
--- a/bin/tests/system/rpz/ns3/named.conf.in
+++ b/bin/tests/system/rpz/ns3/named.conf.in
@@ -51,6 +51,8 @@ options {
 zone "bl.tld2";
 zone "manual-update-rpz" ede forged;
 zone "mixed-case-rpz";
+ zone "evil-cname" policy cname a12.tld2. ede blocked;
+ zone "wild-cname" ede blocked;
 }
 add-soa yes
 min-ns-dots 0
@@ -150,6 +152,16 @@ zone "static-stub-nomatch." {
 server-addresses { 10.53.0.10; };
 };
 
+zone "evil-cname" {
+ type primary;
+ file "evil-cname.db";
+};
+
+zone "wild-cname" {
+ type primary;
+ file "wild-cname.db";
+};
+
 # A faulty dlz configuration to check if named with response policy zones
 # survives a certain class of failed configuration attempts (see GL #3880).
 # "dlz" is used because the dlz processing code is located in an ideal place in
diff --git a/bin/tests/system/rpz/ns3/wild-cname.db.in b/bin/tests/system/rpz/ns3/wild-cname.db.in
new file mode 100644
index 0000000000..6d746acfa5
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/wild-cname.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ test
+; This basic file is copied to several zone files before being used.
+; Its contents are also changed with nsupdate
+
+
+$TTL 300
+@ SOA wild-cname. hostmaster.ns.wild-cname. ( 1 3600 1200 604800 60 )
+ NS ns.tld3.
+
+*.evil.tld2 CNAME *.wc.tld4.
diff --git a/bin/tests/system/rpz/ns4/tld4.db b/bin/tests/system/rpz/ns4/tld4.db
index fca419c6dd..e65dd94a33 100644
--- a/bin/tests/system/rpz/ns4/tld4.db
+++ b/bin/tests/system/rpz/ns4/tld4.db
@@ -64,3 +64,5 @@ a3-8.tld2 A 58.58.58.58
 a3-9.sub9.tld2 A 59.59.59.59
 a3-10.tld2 A 60.60.60.60
 
+
+*.wc A 61.61.61.61
diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh
index 1345e2e13f..6286cdd245 100644
--- a/bin/tests/system/rpz/setup.sh
+++ b/bin/tests/system/rpz/setup.sh
@@ -44,6 +44,9 @@ done
 cp ns3/manual-update-rpz.db.in ns3/manual-update-rpz.db
 cp ns8/manual-update-rpz.db.in ns8/manual-update-rpz.db
 
+cp ns3/evil-cname.db.in ns3/evil-cname.db
+cp ns3/wild-cname.db.in ns3/wild-cname.db
+
 cp ns3/mixed-case-rpz-1.db.in ns3/mixed-case-rpz.db
 
 # a zone that expires quickly and then can't be refreshed
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
index 21f91c6e27..36c10ca95e 100644
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@@ -687,6 +687,16 @@ echo_i "checking the configured extended DNS error code (EDE) (${t})"
 $DIG -p ${PORT} @$ns3 walled.tld2 >dig.out.$t || setret "failed"
 grep -F "EDE: 4 (Forged Answer)" dig.out.$t >/dev/null || setret "failed"
 
+t=$((t + 1))
+echo_i "checking the configured extended DNS error code, CNAME override (EDE) (${t})"
+$DIG -p ${PORT} @$ns3 evil.tld2 >dig.out.$t || setret "failed"
+grep -F "EDE: 15 (Blocked)" dig.out.$t >/dev/null || setret "failed"
+
+t=$((t + 1))
+echo_i "checking the configured extended DNS error code, wildcard CNAME override (EDE) (${t})"
+$DIG -p ${PORT} @$ns3 foo.evil.tld2 >dig.out.$t || setret "failed"
+grep -F "EDE: 15 (Blocked)" dig.out.$t >/dev/null || setret "failed"
+
 # reload a RPZ zone that is now deliberately broken.
 t=$((t + 1))
 echo_i "checking rpz failed update will keep previous rpz rules (${t})"
diff --git a/bin/tests/system/rpz/tests_sh_rpz.py b/bin/tests/system/rpz/tests_sh_rpz.py
index 85f15e8a76..26eef24d18 100644
--- a/bin/tests/system/rpz/tests_sh_rpz.py
+++ b/bin/tests/system/rpz/tests_sh_rpz.py
@@ -36,11 +36,13 @@ pytestmark = pytest.mark.extra_artifacts(
 "ns3/bl-wildcname.db",
 "ns3/bl.db",
 "ns3/bl.tld2.db",
+ "ns3/evil-cname.db",
 "ns3/fast-expire.db",
 "ns3/manual-update-rpz.db",
 "ns3/mixed-case-rpz.db",
 "ns3/named.conf.tmp",
 "ns3/named.stats",
+ "ns3/wild-cname.db",
 "ns5/bl.db",
 "ns5/empty.db",
 "ns5/empty.db.jnl",
diff --git a/lib/ns/query.c b/lib/ns/query.c
index e751dca81a..c698a93d6e 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
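Review bot: The two new checks assert only the EDE line, so a regression in which the CNAME override itself stops being applied (evil.tld2 no longer rewritten to a12.tld2., foo.evil.tld2 no longer steered through *.wc.tld4.) would still pass as long as `EDE: 15 (Blocked)` is emitted. Adding a grep on the rewritten answer beside each EDE grep, e.g. `grep "CNAME.*a12.tld2" dig.out.$t >/dev/null || setret "failed"` for the first case and a check for `61.61.61.61` in the wildcard case if ns3 follows the target, would also give the new `*.wc` record in tld4.db a test that actually depends on it. Whether ns3 resolves the CNAME target in this setup is not visible from the hunk.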
@@ -145,13 +145,13 @@
 #define QUERY_STALETIMEOUT(q) (((q)->dboptions & DNS_DBFIND_STALETIMEOUT) != 0)
 
 /*% Does the rdataset 'r' have an attached 'No QNAME Proof'? */
-#define NOQNAME(r) (((r)->attributes.noqname))
+#define NOQNAME(r) ((r)->attributes.noqname)
 
 /*% Does the rdataset 'r' contain a stale answer? */
-#define STALE(r) (((r)->attributes.stale))
+#define STALE(r) ((r)->attributes.stale)
 
 /*% Does the rdataset 'r' is stale and within stale-refresh-time? */
-#define STALE_WINDOW(r) (((r)->attributes.stale_window))
+#define STALE_WINDOW(r) ((r)->attributes.stale_window)
 
 #ifdef WANT_QUERYTRACE
 static void
@@ -6972,6 +6972,16 @@ query_checkrrl(query_ctx_t *qctx, isc_result_t result) {
 return ISC_R_SUCCESS;
 }
 
+static void
+query_rpz_add_ede(query_ctx_t *qctx) {
+ if (qctx->rpz_st->m.rpz->ede != 0 &&
+ qctx->rpz_st->m.rpz->ede != UINT16_MAX)
+ {
+ dns_ede_add(&qctx->client->edectx, qctx->rpz_st->m.rpz->ede,
+ NULL);
+ }
+}
+
 /*%
 * Do any RPZ rewriting that may be needed for this query.
 */
@@ -7124,6 +7134,8 @@ query_checkrpz(query_ctx_t *qctx, isc_result_t result) {
 result = dns_rdata_tostruct(&rdata, &cname, NULL);
 RUNTIME_CHECK(result == ISC_R_SUCCESS);
 dns_rdata_reset(&rdata);
+
+ query_rpz_add_ede(qctx);
 result = query_rpzcname(qctx, &cname.cname);
 if (result != ISC_R_SUCCESS) {
 return ISC_R_COMPLETE;
@@ -7137,6 +7149,7 @@ query_checkrpz(query_ctx_t *qctx, isc_result_t result) {
 * Add overriding CNAME from a named.conf
 * response-policy statement
 */
+ query_rpz_add_ede(qctx);
 result = query_rpzcname(qctx,
 &qctx->rpz_st->m.rpz->cname);
 if (result != ISC_R_SUCCESS) {
@@ -7149,12 +7162,7 @@ query_checkrpz(query_ctx_t *qctx, isc_result_t result) {
 UNREACHABLE();
 }
 
- if (qctx->rpz_st->m.rpz->ede != 0 &&
- qctx->rpz_st->m.rpz->ede != UINT16_MAX)
- {
- dns_ede_add(&qctx->client->edectx,
- qctx->rpz_st->m.rpz->ede, NULL);
- }
+ query_rpz_add_ede(qctx);
 
 /*
 * Turn off DNSSEC because the results of a
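Review bot: The new static helper query_rpz_add_ede carries no comment, although the surrounding definitions in this file use `/*% ... */` headers, so the meaning of the two sentinel comparisons (both 0 and UINT16_MAX suppress the add) is left for the reader to guess. A header such as `/*% Attach the EDE code configured for the matched RPZ zone; 0 and UINT16_MAX mean "none configured". */` would state the contract, with the exact meaning of those two values confirmed against the code that assigns rpz->ede, which is not in this diff. The helper dereferences qctx->rpz_st->m.rpz unconditionally; that matches what the existing CNAME branch already does with `&qctx->rpz_st->m.rpz->cname`, so the comment should also record that it may only be called once a policy has matched.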
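Review bot: In the two CNAME hunks (the record CNAME branch around new line 7134 and the configured-CNAME branch around new line 7149) query_rpz_add_ede() runs before query_rpzcname(), so the EDE is attached to the client context even when the rewrite fails and the function returns ISC_R_COMPLETE; whether that failure response is still sent with the code is not visible here. If the success path of these branches returns before the post-switch `query_rpz_add_ede(qctx);` — presumably the reason the calls were moved up — the call could sit after the `if (result != ISC_R_SUCCESS)` block instead, so the code only accompanies a completed rewrite. If the success path instead falls through to the post-switch call, the code would be added twice unless dns_ede_add de-duplicates, which this hunk does not show. Either way a short comment at the first call site, e.g. `/* The CNAME branches return before the common EDE add below. */`, would explain the duplication. query_checkrpz's body continues outside these hunks.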