diff --git a/CHANGES b/CHANGES index 479d468e9e..bf38de9c19 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +5999. [bug] rpz-ip rules could be ineffective in some scenarios + with CD=1 queries. [GL #3247] + 5998. [placeholder] 5997. [cleanup] Less ceremonial UNEXPECTED_ERROR() and FATAL_ERROR() diff --git a/bin/tests/system/rpz/clean.sh b/bin/tests/system/rpz/clean.sh index 8b7cad861e..5162d3e089 100644 --- a/bin/tests/system/rpz/clean.sh +++ b/bin/tests/system/rpz/clean.sh @@ -30,7 +30,7 @@ fi # from the first test pass so the second pass can be set up correctly. # remove those files first, then decide whether to remove the others. rm -f ns*/*.key ns*/*.private -rm -f ns2/tld2s.db ns2/bl.tld2.db +rm -f ns2/tld2s.db */bl.tld2.db */bl.tld2s.db rm -f ns3/bl*.db ns3/fast-expire.db ns*/empty.db rm -f ns3/manual-update-rpz.db rm -f ns3/mixed-case-rpz.db diff --git a/bin/tests/system/rpz/ns2/base-tld2s.db b/bin/tests/system/rpz/ns2/base-tld2s.db index 6235b49b39..77114ec928 100644 --- a/bin/tests/system/rpz/ns2/base-tld2s.db +++ b/bin/tests/system/rpz/ns2/base-tld2s.db @@ -23,3 +23,4 @@ a0-1-scname CNAME a0-1.tld2. a3-5 A 192.168.3.5 +a7-2 A 192.168.7.2 diff --git a/bin/tests/system/rpz/ns2/tld2.db b/bin/tests/system/rpz/ns2/tld2.db index 63e985d34a..c6f2556db5 100644 --- a/bin/tests/system/rpz/ns2/tld2.db +++ b/bin/tests/system/rpz/ns2/tld2.db @@ -120,3 +120,6 @@ a6-2 A 192.168.6.2 a7-1 A 192.168.7.1 TXT "a7-1 tld2 text" + +a7-2 A 192.168.7.2 + TXT "a7-2 tld2 text" diff --git a/bin/tests/system/rpz/ns6/bl.tld2s.db.in b/bin/tests/system/rpz/ns6/bl.tld2s.db.in new file mode 100644 index 0000000000..45380504b4 --- /dev/null +++ b/bin/tests/system/rpz/ns6/bl.tld2s.db.in 
@@ -0,0 +1,20 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ SOA rpz.tld2. hostmaster.ns.tld2. ( 3 3600 1200 604800 60 ) + NS ns2 + NS ns3 +ns2 A 10.53.0.2 +ns3 A 10.53.0.3 + +32.2.7.168.192.rpz-ip A 1.1.1.1 + AAAA ::1 diff --git a/bin/tests/system/rpz/ns6/named.conf.in b/bin/tests/system/rpz/ns6/named.conf.in index d5fa2c46a8..c0ad5c4237 100644 --- a/bin/tests/system/rpz/ns6/named.conf.in +++ b/bin/tests/system/rpz/ns6/named.conf.in @@ -30,6 +30,7 @@ options { response-policy { zone "policy1" min-update-interval 0; + zone "bl.tld2s" policy given; } qname-wait-recurse yes // add-soa yes # leave add-soa as default for unset test nsip-enable yes @@ -59,3 +60,8 @@ zone "policy1" { notify-delay 0; allow-transfer { any; }; }; + +zone "bl.tld2s." { + type primary; + file "bl.tld2s.db"; +}; diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh index 745b96dd50..2e9d8b55e6 100644 --- a/bin/tests/system/rpz/setup.sh +++ b/bin/tests/system/rpz/setup.sh @@ -168,6 +168,7 @@ $PERL -e 'for ($cnt = $val = 1; $cnt <= 3000; ++$cnt) { cp ns2/bl.tld2.db.in ns2/bl.tld2.db cp ns5/empty.db.in ns5/empty.db cp ns5/empty.db.in ns5/policy2.db +cp ns6/bl.tld2s.db.in ns6/bl.tld2s.db # Run dnsrpzd to get the license and prime the static policy zones if test -n "$TEST_DNSRPS"; then diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh index 22b0ebb308..feb450efe2 100644 --- a/bin/tests/system/rpz/tests.sh +++ b/bin/tests/system/rpz/tests.sh 
@@ -982,6 +982,15 @@ EOF done done + if [ native = "$mode" ]; then + t=`expr $t + 1` + echo_i "checking that rewriting CD=1 queries handles pending data correctly (${t})" + $RNDCCMD $ns3 flush + $RNDCCMD $ns6 flush + $DIG a7-2.tld2s -p ${PORT} @$ns6 +cd > dig.out.${t} + grep -w "1.1.1.1" dig.out.${t} > /dev/null || setret "failed" + fi + [ $status -ne 0 ] && pf=fail || pf=pass case $mode in native) diff --git a/lib/ns/query.c b/lib/ns/query.c index 679a9c6a19..acb1c6355c 100644 --- a/lib/ns/query.c +++ b/lib/ns/query.c @@ -3762,7 +3762,7 @@ rpz_rewrite_ip_rrset(ns_client_t *client, dns_name_t *name, struct in_addr ina; struct in6_addr in6a; isc_result_t result; - unsigned int options = DNS_DBFIND_GLUEOK; + unsigned int options = client->query.dboptions | DNS_DBFIND_GLUEOK; bool done = false; CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ip_rrset"); @@ -3823,8 +3823,9 @@ rpz_rewrite_ip_rrset(ns_client_t *client, dns_name_t *name, * otherwise we are done. */ if (result == DNS_R_GLUE) { - options = 0; + options = client->query.dboptions; } else { + options = client->query.dboptions | DNS_DBFIND_GLUEOK; done = true; } @@ -4384,7 +4385,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult, dns_fixedname_init(&nsnamef); dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef)); - options = DNS_DBFIND_GLUEOK; + options = client->query.dboptions | DNS_DBFIND_GLUEOK; while (st->r.label > st->popt.min_ns_labels) { bool was_glue = false; /* @@ -4510,9 +4511,9 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult, * glue responses, otherwise setup for the next name. */ if (was_glue) { - options = 0; + options = client->query.dboptions; } else { - options = DNS_DBFIND_GLUEOK; + options = client->query.dboptions | DNS_DBFIND_GLUEOK; st->r.label--; }
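Review bot: The new check only asserts that 1.1.1.1 appears in dig.out.${t}; it does not assert that the unrewritten address from ns2/tld2.db (192.168.7.2) is absent or that the status is NOERROR, so a response carrying both records, or the rpz hit appearing only in an additional section, would still pass. Adding `grep -w "192.168.7.2" dig.out.${t} > /dev/null && setret "failed"` after the existing grep pins the rewrite rather than just the presence of the policy address. The `if [ native = "$mode" ]` guard also deserves a one-line comment saying why dnsrps mode is skipped (presumably because the fix lives in named's own rpz-ip lookup path in lib/ns/query.c rather than in the dnsrps library; confirm before writing that), since the other checks in this file appear to run in both modes. The loop that sets $mode begins before this hunk.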
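Review bot: All four hunks in lib/ns/query.c (rpz_rewrite_ip_rrset at 3762 and 3823, rpz_rewrite at 4384 and 4510) OR the whole of client->query.dboptions into the rpz-ip lookup flags, although the bug only needs the flag that CD=1 sets, DNS_DBFIND_PENDINGOK; as far as I recall dboptions can also carry flags chosen for the qname lookup (stale-answer handling, for example), which these lookups of nameserver names and addresses would now inherit. Masking, `options = (client->query.dboptions & DNS_DBFIND_PENDINGOK) | DNS_DBFIND_GLUEOK;`, and the corresponding `options = client->query.dboptions & DNS_DBFIND_PENDINGOK;` in the glue branches would keep the change narrow and make the intent explicit. The first assignment in each function also deserves a comment recording the security-relevant decision, e.g. `/* CD=1 queries carry DNS_DBFIND_PENDINGOK; the rpz-ip lookup must see pending data too or the rule is missed (GL #3247). */`. In the 3823 hunk the else branch now reassigns options immediately before done = true; if the enclosing loop exits once done is set, that assignment is dead and can be dropped. Both functions start and end outside these hunks.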