diff --git a/bin/named/query.c b/bin/named/query.c
index 01fbdae6bf..f2fff90b07 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -4420,8 +4420,6 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
 		policy = DNS_RPZ_POLICY_MISS;
 		break;
 	default:
-		dns_db_detach(dbp);
-		dns_zone_detach(zonep);
 		rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type, qnamef,
 			     "", result);
 		CTRACE(ISC_LOG_ERROR,
diff --git a/bin/tests/system/rpz/ns3/base.db b/bin/tests/system/rpz/ns3/base.db
index 475257a6cf..10329a5128 100644
--- a/bin/tests/system/rpz/ns3/base.db
+++ b/bin/tests/system/rpz/ns3/base.db
@@ -41,6 +41,7 @@ ns	A	10.53.0.3
 redirect	A       127.0.0.1
 *.redirect	A       127.0.0.1
 *.credirect	CNAME   google.com.
+example.com     NS	example.org.
 
 
 ; names in the RPZ TLDs that some say should not be rewritten.
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
index 2b21016ba2..1a67259a5e 100644
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@@ -548,5 +548,9 @@ $DIG +noall +answer -p 5300 @$ns3 any a3-2.tld2 > dig.out.any
 ttl=`awk '/a3-2 tld2 text/ {print $2}' dig.out.any`
 if test ${ttl:=0} -eq 0; then setret I:failed; fi
 
+echo "I:checking rpz with delegation fails correctly"
+$DIG -p 5300 @$ns3 ns example.com > dig.out.delegation
+grep "status: SERVFAIL" dig.out.delegation > /dev/null || setret "I:failed"
+
 echo "I:exit status: $status"
 exit $status