From 95644c9309a6b578802aff6e9808611e73f250bf Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
Date: Tue, 4 Jan 2022 13:48:29 +0100
Subject: [PATCH] - Fix #596: only unset RA when NXDOMAIN is signalled.

---
 doc/Changelog  | 1 +
 services/rpz.c | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/doc/Changelog b/doc/Changelog
index 5b8eb1658..c843a3f06 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -4,6 +4,7 @@
 	  signal that a domain is externally blocked to clients when it
 	  is blocked with NXDOMAIN by unsetting RA.
 	- Fix to add test for rpz-signal-nxdomain-ra.
+	- Fix #596: only unset RA when NXDOMAIN is signalled.
 
 22 December 2021: George
 	- contrib/aaaa-filter-iterator.patch file renewed diff content to
diff --git a/services/rpz.c b/services/rpz.c
index cb05b830c..383440a23 100644
--- a/services/rpz.c
+++ b/services/rpz.c
@@ -1927,7 +1927,8 @@ rpz_synthesize_qname_localdata(struct module_env* env, struct rpz* r,
 
 	ret = local_zones_zone_answer(z, env, qinfo, edns, repinfo, buf, temp,
 		0 /* no local data used */, lzt);
-	if(r->signal_nxdomain_ra)
+	if(r->signal_nxdomain_ra && LDNS_RCODE_WIRE(sldns_buffer_begin(buf))
+		== LDNS_RCODE_NXDOMAIN)
 		LDNS_RA_CLR(sldns_buffer_begin(buf));
 	if(r->log) {
 		log_rpz_apply("qname", z->name, NULL, localzone_type_to_rpz_action(lzt),