diff --git a/doc/Changelog b/doc/Changelog
index 95e27db44..6a36adee3 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,6 +1,10 @@
 13 March 2024: Wouter
 	- Fix #1029: rpz trigger clientip and action rpz-passthru not working
 	  as expected.
+	- Fix rpz that the rpz override is taken in case of clientip triggers.
+	  Fix that the clientip passthru action is logged. Fix that the
+	  clientip localdata action is logged. Fix rpz override action cname
+	  for the clientip trigger.
 
 12 March 2024: Yorgos
 	- Merge #1028: Clearer documentation for tcp-idle-timeout and
diff --git a/services/rpz.c b/services/rpz.c
index e8e7143ad..9b9e88687 100644
--- a/services/rpz.c
+++ b/services/rpz.c
@@ -1876,6 +1876,26 @@ nodata:
 		rrset_count, rcode, rsoa);
 }
 
+static void
+rpz_apply_clientip_cname_override_action(struct rpz* r,
+	struct query_info* qinfo, struct regional* temp)
+{
+	if(!r)
+		return;
+	qinfo->local_alias = regional_alloc_zero(temp,
+		sizeof(struct local_rrset));
+	if(qinfo->local_alias == NULL)
+		return; /* out of memory */
+	qinfo->local_alias->rrset = regional_alloc_init(temp,
+		r->cname_override, sizeof(*r->cname_override));
+	if(qinfo->local_alias->rrset == NULL) {
+		qinfo->local_alias = NULL;
+		return; /* out of memory */
+	}
+	qinfo->local_alias->rrset->rk.dname = qinfo->qname;
+	qinfo->local_alias->rrset->rk.dname_len = qinfo->qname_len;
+}
+
 /** add additional section SOA record to the reply.
  * Since this gets fed into the normal iterator answer creation, it
  * gets minimal-responses applied to it, that can remove the additional SOA
@@ -2525,7 +2545,18 @@ rpz_apply_maybe_clientip_trigger(struct auth_zones* az, struct module_env* env,
 		az, qinfo, repinfo, taglist, taglen, stats, z_out, a_out, r_out);
 
 	client_action = ((node == NULL) ? RPZ_INVALID_ACTION : node->action);
+	if(node != NULL && *r_out &&
+		(*r_out)->action_override != RPZ_NO_OVERRIDE_ACTION) {
+		client_action = (*r_out)->action_override;
+	}
 	if(client_action == RPZ_PASSTHRU_ACTION) {
+		if(*r_out && (*r_out)->log)
+			log_rpz_apply(
+				(node?"clientip":"qname"),
+				((*z_out)?(*z_out)->name:NULL),
+				(node?&node->node:NULL),
+				client_action, qinfo, repinfo, NULL,
+				(*r_out)->log_name);
 		*passthru = 1;
 		ret = 0;
 		goto done;
@@ -2543,14 +2574,12 @@ rpz_apply_maybe_clientip_trigger(struct auth_zones* az, struct module_env* env,
 		if(client_action == RPZ_LOCAL_DATA_ACTION) {
 			rpz_apply_clientip_localdata_action(node, env, qinfo,
 				edns, repinfo, buf, temp, *a_out);
+			ret = 1;
+		} else if(client_action == RPZ_CNAME_OVERRIDE_ACTION) {
+			rpz_apply_clientip_cname_override_action(*r_out,
+				qinfo, temp);
+			ret = 0;
 		} else {
-			if(*r_out && (*r_out)->log)
-				log_rpz_apply(
-					(node?"clientip":"qname"),
-					((*z_out)?(*z_out)->name:NULL),
-					(node?&node->node:NULL),
-					client_action, qinfo, repinfo, NULL,
-					(*r_out)->log_name);
 			local_zones_zone_answer(*z_out /*likely NULL, no zone*/, env, qinfo, edns,
 				repinfo, buf, temp, 0 /* no local data used */,
 				rpz_action_to_localzone_type(client_action));
@@ -2558,8 +2587,15 @@ rpz_apply_maybe_clientip_trigger(struct auth_zones* az, struct module_env* env,
 				LDNS_RCODE_WIRE(sldns_buffer_begin(buf))
 				== LDNS_RCODE_NXDOMAIN)
 				LDNS_RA_CLR(sldns_buffer_begin(buf));
+			ret = 1;
 		}
-		ret = 1;
+		if(*r_out && (*r_out)->log)
+			log_rpz_apply(
+				(node?"clientip":"qname"),
+				((*z_out)?(*z_out)->name:NULL),
+				(node?&node->node:NULL),
+				client_action, qinfo, repinfo, NULL,
+				(*r_out)->log_name);
 		goto done;
 	}
 	ret = -1;
diff --git a/testdata/rpz_clientip_override.rpl b/testdata/rpz_clientip_override.rpl
new file mode 100644
index 000000000..20e5213ff
--- /dev/null
+++ b/testdata/rpz_clientip_override.rpl
@@ -0,0 +1,269 @@
+; config options
+server:
+	module-config: "respip validator iterator"
+	target-fetch-policy: "0 0 0 0 0"
+	qname-minimisation: no
+	access-control: 192.0.0.0/8 allow
+
+rpz:
+	name: "rpz.example.com."
+	rpz-log: yes
+	rpz-log-name: "rpz.example.com"
+	rpz-action-override: "nxdomain"
+	zonefile:
+TEMPFILE_NAME rpz.example.com
+TEMPFILE_CONTENTS rpz.example.com
+$ORIGIN example.com.
+rpz	3600	IN	SOA	ns1.rpz.example.com. hostmaster.rpz.example.com. (
+		1379078166 28800 7200 604800 7200 )
+	3600	IN	NS	ns1.rpz.example.com.
+	3600	IN	NS	ns2.rpz.example.com.
+$ORIGIN rpz.example.com.
+32.1.5.0.192.rpz-client-ip CNAME rpz-passthru.
+32.2.5.0.192.rpz-client-ip A 1.2.3.5
+TEMPFILE_END
+
+rpz:
+	name: "rpz2.example.com."
+	rpz-log: yes
+	rpz-log-name: "rpz2.example.com"
+	rpz-action-override: "nodata"
+	zonefile:
+TEMPFILE_NAME rpz2.example.com
+TEMPFILE_CONTENTS rpz2.example.com
+$ORIGIN example.com.
+rpz2	3600	IN	SOA	ns1.rpz2.example.com. hostmaster.rpz2.example.com. (
+		1379078166 28800 7200 604800 7200 )
+	3600	IN	NS	ns1.rpz2.example.com.
+	3600	IN	NS	ns2.rpz2.example.com.
+$ORIGIN rpz2.example.com.
+32.4.5.0.192.rpz-client-ip A 1.2.3.5
+TEMPFILE_END
+
+rpz:
+	name: "rpz3.example.com."
+	rpz-log: yes
+	rpz-log-name: "rpz3.example.com"
+	rpz-action-override: "passthru"
+	zonefile:
+TEMPFILE_NAME rpz3.example.com
+TEMPFILE_CONTENTS rpz3.example.com
+$ORIGIN example.com.
+rpz3	3600	IN	SOA	ns1.rpz3.example.com. hostmaster.rpz3.example.com. (
+		1379078166 28800 7200 604800 7200 )
+	3600	IN	NS	ns1.rpz3.example.com.
+	3600	IN	NS	ns2.rpz3.example.com.
+$ORIGIN rpz3.example.com.
+32.5.5.0.192.rpz-client-ip A 1.2.3.5
+TEMPFILE_END
+
+rpz:
+	name: "rpz4.example.com."
+	rpz-log: yes
+	rpz-log-name: "rpz4.example.com"
+	rpz-action-override: "drop"
+	zonefile:
+TEMPFILE_NAME rpz4.example.com
+TEMPFILE_CONTENTS rpz4.example.com
+$ORIGIN example.com.
+rpz4	3600	IN	SOA	ns1.rpz4.example.com. hostmaster.rpz4.example.com. (
+		1379078166 28800 7200 604800 7200 )
+	3600	IN	NS	ns1.rpz4.example.com.
+	3600	IN	NS	ns2.rpz4.example.com.
+$ORIGIN rpz4.example.com.
+32.5.5.0.192.rpz-client-ip A 1.2.3.5
+32.6.5.0.192.rpz-client-ip A 1.2.3.5
+TEMPFILE_END
+
+rpz:
+	name: "rpz5.example.com."
+	rpz-log: yes
+	rpz-log-name: "rpz5.example.com"
+	rpz-action-override: "cname"
+	rpz-cname-override: "target.a"
+	zonefile:
+TEMPFILE_NAME rpz5.example.com
+TEMPFILE_CONTENTS rpz5.example.com
+$ORIGIN example.com.
+rpz5	3600	IN	SOA	ns1.rpz5.example.com. hostmaster.rpz5.example.com. (
+		1379078166 28800 7200 604800 7200 )
+	3600	IN	NS	ns1.rpz5.example.com.
+	3600	IN	NS	ns2.rpz5.example.com.
+$ORIGIN rpz5.example.com.
+32.7.5.0.192.rpz-client-ip A 1.2.3.5
+TEMPFILE_END
+
+rpz:
+	name: "rpz6.example.com."
+	rpz-log: yes
+	rpz-log-name: "rpz6.example.com"
+	rpz-action-override: "disabled"
+	zonefile:
+TEMPFILE_NAME rpz6.example.com
+TEMPFILE_CONTENTS rpz6.example.com
+$ORIGIN example.com.
+rpz6	3600	IN	SOA	ns1.rpz6.example.com. hostmaster.rpz6.example.com. (
+		1379078166 28800 7200 604800 7200 )
+	3600	IN	NS	ns1.rpz6.example.com.
+	3600	IN	NS	ns2.rpz6.example.com.
+$ORIGIN rpz6.example.com.
+32.8.5.0.192.rpz-client-ip A 1.2.3.5
+TEMPFILE_END
+
+stub-zone:
+	name: "a."
+	stub-addr: 10.20.30.40
+CONFIG_END
+
+SCENARIO_BEGIN Test RPZ action override with trigger from clientip.
+
+; a.
+RANGE_BEGIN 0 1000
+	ADDRESS 10.20.30.40
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+d.a. IN A
+SECTION ANSWER
+d.a. IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+target.a. IN A
+SECTION ANSWER
+target.a. IN A 1.2.3.6
+ENTRY_END
+RANGE_END
+
+STEP 10 QUERY ADDRESS 192.0.5.2
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+d.a.	IN	A
+ENTRY_END
+
+STEP 11 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NXDOMAIN
+SECTION QUESTION
+d.a.	IN	A
+SECTION ANSWER
+ENTRY_END
+
+STEP 20 QUERY ADDRESS 192.0.5.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+d.a.	IN	A
+ENTRY_END
+
+STEP 21 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NXDOMAIN
+SECTION QUESTION
+d.a.	IN	A
+SECTION ANSWER
+ENTRY_END
+
+STEP 30 QUERY ADDRESS 192.0.5.3
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+d.a.	IN	A
+ENTRY_END
+
+STEP 31 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+d.a.	IN	A
+SECTION ANSWER
+d.a.	IN	A 1.2.3.4
+ENTRY_END
+
+STEP 40 QUERY ADDRESS 192.0.5.4
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+d.a.	IN	A
+ENTRY_END
+
+STEP 41 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+d.a.	IN	A
+SECTION ANSWER
+ENTRY_END
+
+STEP 50 QUERY ADDRESS 192.0.5.5
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+d.a.	IN	A
+ENTRY_END
+
+STEP 51 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+d.a.	IN	A
+SECTION ANSWER
+d.a.	IN	A 1.2.3.4
+ENTRY_END
+
+STEP 60 QUERY ADDRESS 192.0.5.6
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+d.a.	IN	A
+ENTRY_END
+; dropped.
+
+STEP 70 QUERY ADDRESS 192.0.5.7
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+d.a.	IN	A
+ENTRY_END
+
+STEP 71 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+d.a.	IN	A
+SECTION ANSWER
+d.a. CNAME target.a.
+target.a. A 1.2.3.6
+ENTRY_END
+
+STEP 80 QUERY ADDRESS 192.0.5.8
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+d.a.	IN	A
+ENTRY_END
+
+STEP 81 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+d.a.	IN	A
+SECTION ANSWER
+d.a.	IN	A 1.2.3.4
+ENTRY_END
+
+SCENARIO_END