From 31290eccb1246cc1aefd8a062e36de12ca0f24e1 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan
Date: Mon, 26 Jan 2026 15:34:00 +0000
Subject: [PATCH 1/2] Fix a bug in zone_loaddone()

The zone_loaddone() function disables database notifications for a catalog zones and response policy zones (RPZ) when loading had failed. Howerer, the 'result != ISC_R_SUCCESS' check is insufficient, because the DNS_R_SEENINCLUDE result also indicates success. Add a second condition for the "if" block.
---
 lib/dns/zone.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 8a6b5519c3..855ac052ce 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -17559,7 +17559,7 @@ zone_loaddone(void *arg, isc_result_t result) {
 * If zone loading failed, remove the update db callbacks prior
 * to calling the list of callbacks in the zone load structure.
 */
- if (result != ISC_R_SUCCESS) {
+ if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) {
 dns_zone_rpz_disable_db(zone, load->db);
 dns_zone_catz_disable_db(zone, load->db);
 }

From d81a2457d6fe09a01d60d4204fb80c3e2feec88d Mon Sep 17 00:00:00 2001
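Review bot: The comment directly above the changed condition still says only "If zone loading failed" and never mentions that DNS_R_SEENINCLUDE is a successful-load code, so a later reader may take the new clause for a redundant one and drop it; extend the comment with a line such as ` * (DNS_R_SEENINCLUDE also means the load succeeded: the zone file used $INCLUDE.)`. If other places in zone.c spell out the same ISC_R_SUCCESS/DNS_R_SEENINCLUDE pair, a small `static inline bool` helper for "load succeeded" would keep them in step, but whether such sites exist is not visible from this hunk. As far as the commit message and the accompanying system test show, the old condition meant a policy zone loaded from a file with `$INCLUDE` lost its update callbacks, so subsequent rule changes were silently not applied until a full reload — worth stating explicitly in the release notes since operators may have been relying on rules that were not in effect. zone_loaddone() starts and ends outside the hunk.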
From: Aram Sargsyan
Date: Mon, 26 Jan 2026 14:28:10 +0000
Subject: [PATCH 2/2] Add a new check in the RPZ system test

Check that reloading a response policy zone which has an '$INCLUDE' directive defined is working as expected.
---
 bin/tests/system/rpz/ns2/tld2.db | 3 +++
 bin/tests/system/rpz/ns3/include-rpz.db.in | 14 ++++++++++++++
 bin/tests/system/rpz/ns3/include-rpz.inc-1.in | 14 ++++++++++++++
 bin/tests/system/rpz/ns3/include-rpz.inc-2.in | 16 ++++++++++++++++
 bin/tests/system/rpz/ns3/named.conf.j2 | 7 +++++++
 bin/tests/system/rpz/setup.sh | 3 +++
 bin/tests/system/rpz/tests.sh | 10 ++++++++++
 bin/tests/system/rpz/tests_sh_rpz.py | 2 ++
 8 files changed, 69 insertions(+)
 create mode 100644 bin/tests/system/rpz/ns3/include-rpz.db.in
 create mode 100644 bin/tests/system/rpz/ns3/include-rpz.inc-1.in
 create mode 100644 bin/tests/system/rpz/ns3/include-rpz.inc-2.in

diff --git a/bin/tests/system/rpz/ns2/tld2.db b/bin/tests/system/rpz/ns2/tld2.db
index c6f2556db5..a66ee16d14 100644
--- a/bin/tests/system/rpz/ns2/tld2.db
+++ b/bin/tests/system/rpz/ns2/tld2.db
@@ -123,3 +123,6 @@ a7-1 A 192.168.7.1
 
 a7-2 A 192.168.7.2
 TXT "a7-2 tld2 text"
+
+a8-1 A 192.168.8.1
+ TXT "a8-1 tld2 text"
diff --git a/bin/tests/system/rpz/ns3/include-rpz.db.in b/bin/tests/system/rpz/ns3/include-rpz.db.in
new file mode 100644
index 0000000000..5133b78964
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/include-rpz.db.in
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+
+$INCLUDE include-rpz.inc
diff --git a/bin/tests/system/rpz/ns3/include-rpz.inc-1.in b/bin/tests/system/rpz/ns3/include-rpz.inc-1.in
new file mode 100644
index 0000000000..5d316a89b0
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/include-rpz.inc-1.in
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ SOA include-rpz. hostmaster.ns.include-rpz. ( 1 3600 1200 604800 60 )
+ NS ns.tld3.
diff --git a/bin/tests/system/rpz/ns3/include-rpz.inc-2.in b/bin/tests/system/rpz/ns3/include-rpz.inc-2.in
new file mode 100644
index 0000000000..4bce8532cc
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/include-rpz.inc-2.in
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ SOA include-rpz. hostmaster.ns.include-rpz. ( 2 3600 1200 604800 60 )
+ NS ns.tld3.
+
+a8-1.tld2 CNAME .
diff --git a/bin/tests/system/rpz/ns3/named.conf.j2 b/bin/tests/system/rpz/ns3/named.conf.j2
index cd2a29b754..2f8879b081 100644
--- a/bin/tests/system/rpz/ns3/named.conf.j2
+++ b/bin/tests/system/rpz/ns3/named.conf.j2
@@ -53,6 +53,7 @@ options {
 zone "bl.tld2";
 zone "manual-update-rpz" ede forged;
 zone "mixed-case-rpz";
+ zone "include-rpz";
 zone "evil-cname" policy cname a12.tld2. ede blocked;
 zone "wild-cname" ede blocked;
 zone "slow-rpz";
@@ -129,6 +130,12 @@ zone "mixed-case-rpz." {
 notify no;
 };
 
+zone "include-rpz." {
+ type primary;
+ file "include-rpz.db";
+ notify no;
+};
+
 zone "slow-rpz." {
 type primary;
 file "slow-rpz.db";
diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh
index 56b2a5cda2..eee949dd07 100644
--- a/bin/tests/system/rpz/setup.sh
+++ b/bin/tests/system/rpz/setup.sh
@@ -38,6 +38,9 @@ cp ns3/wild-cname.db.in ns3/wild-cname.db
 
 cp ns3/mixed-case-rpz-1.db.in ns3/mixed-case-rpz.db
 
+cp ns3/include-rpz.db.in ns3/include-rpz.db
+cp ns3/include-rpz.inc-1.in ns3/include-rpz.inc
+
 # a "big" zone (tested with '-T rpzslow' enabled to slow down loading)
 cp ns3/slow-rpz.db.in ns3/slow-rpz.db
 
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
index 578ed9daf9..2b3598d7af 100644
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@@ -707,6 +707,16 @@ sleep 1
 $DIG -p ${PORT} @$ns3 walled.tld2 >dig.out.$t.after || setret "failed"
 grep "walled\.tld2\..*IN.*A.*10\.0\.0\.1" dig.out.$t.after >/dev/null || setret "failed"
 
+t=$((t + 1))
+echo_i "checking rpz with included rules can reload (${t})"
+$DIG -p ${PORT} @$ns3 a8-1.tld2 >dig.out.$t.before || setret "failed"
+grep "status: NOERROR" dig.out.$t.before >/dev/null || setret "failed"
+cp ns3/include-rpz.inc-2.in ns3/include-rpz.inc
+rndc_reload ns3 $ns3 include-rpz
+sleep 1
+$DIG -p ${PORT} @$ns3 a8-1.tld2 >dig.out.$t.after || setret "failed"
+grep "status: NXDOMAIN" dig.out.$t.after >/dev/null || setret "failed"
+
 t=$((t + 1))
 echo_i "checking the default (unset) extended DNS error code (EDE) (${t})"
 $DIG -p ${PORT} @$ns3 a6-2.tld2. A >dig.out.$t || setret "failed"
diff --git a/bin/tests/system/rpz/tests_sh_rpz.py b/bin/tests/system/rpz/tests_sh_rpz.py
index 5f6a88a21b..348546f4c5 100644
--- a/bin/tests/system/rpz/tests_sh_rpz.py
+++ b/bin/tests/system/rpz/tests_sh_rpz.py
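Review bot: The pre-reload check in the new tests.sh block asserts only `status: NOERROR`, while the post-reload check pins NXDOMAIN and the neighbouring walled.tld2 test greps for the actual A record; asserting the answer content too, e.g. `grep "a8-1\.tld2\..*IN.*A.*192\.168\.8\.1" dig.out.$t.before >/dev/null || setret "failed"`, ties the positive case to the a8-1 record added in tld2.db rather than to any NOERROR answer. The fixed `sleep 1` after `rndc_reload` matches the surrounding tests, but it is the step most likely to flake on a slow runner; if the harness offers a retry helper, polling for NXDOMAIN for a few seconds would be more robust, and checking the SOA serial moved from 1 to 2 would confirm the reload itself rather than only its effect. The block also leaves ns3/include-rpz.inc in its inc-2 state for the rest of the run, so any later test querying a8-1.tld2 sees it blocked; nothing in this hunk shows such a test, but a one-line comment recording that the change is deliberate would help the next author.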
@@ -39,6 +39,8 @@ pytestmark = pytest.mark.extra_artifacts(
 "ns3/bl.tld2.db",
 "ns3/evil-cname.db",
 "ns3/fast-expire.db",
+ "ns3/include-rpz.db",
+ "ns3/include-rpz.inc",
 "ns3/manual-update-rpz.db",
 "ns3/mixed-case-rpz.db",
 "ns3/named.conf.tmp",