
How do I get BIND (DNS) to be authoritative about a tld for more than a minute

1 vote
1 answer
166 views
I tried to block the .zip TLD on my laptop (running Fedora 38) with BIND.
1. Installing bind
2. Updating named.conf:
    options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory 	"/var/named";
        dump-file 	"/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file	"/var/named/data/named.secroots";
        recursing-file	"/var/named/data/named.recursing";
        allow-query     { localhost; };

        /* 
        - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
        - If you are building a RECURSIVE (caching) DNS server, you need to enable 
        recursion. 
        - If your recursive DNS server has a public IP address, you MUST enable access 
        control to limit queries to your legitimate users. Failing to do so will
        cause your server to become part of large scale DNS amplification 
        attacks. Implementing BCP38 within your network would greatly
        reduce such attack surface 
        */
        recursion yes;

        forwarders { 8.8.8.8; };

        dnssec-validation yes;

        managed-keys-directory "/var/named/dynamic";
        geoip-directory "/usr/share/GeoIP";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy  */
        include "/etc/crypto-policies/back-ends/bind.config";

        /* this makes it block everything */
        // response-policy { zone "zip"; };
    };

    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };

    zone "zip" IN {
        type master;
        file "zip-rpz";
        allow-update { none; };
    };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
3. Added /var/named/zip-rpz:
    $TTL 1D                ; default expiration time (in seconds) of all RRs without their own TTL value
    @       IN  SOA   ns.zip. postmaster.ns.zip. ( 2020091025 7200 3600 1209600 3600 )
    @       IN      NS      ns1                    ; nameserver
    *       IN      A       127.0.0.1              ; localhost
            IN      AAAA    ::                     ; localhost
4. Apply temporarily
    sudo systemctl enable named
    sudo service named restart
    resolvectl dns wlp0s20f3 127.0.0.1
However, running dig url.zip returns 127.0.0.1 only for the next minute or so – after that it shows the "correct" IP (and I can visit the site in the browser again). Why is it getting reset? If I remove the forwarders line, same result. If I set recursion no;, I am unable to resolve anything _other_ than .zip URLs (those point to 127.0.0.1).
Asked by nleanba (121 rep)
May 23, 2023, 10:10 PM
Last activity: May 24, 2023, 09:25 AM
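As an added example (not the asker's configuration and not an answer from this page), the following shell function writes a BIND response-policy zone that blocks whole TLDs. In RPZ, a QNAME trigger's owner name is the queried name with the policy zone's apex appended, which is why a bare "*" record in a zone whose apex is "zip" becomes the trigger "*" and matches every query; the generated zone therefore lives under its own apex (rpz.example, an assumed name) and scopes the wildcard to names under the TLD.

```shell
#!/bin/sh
# Added example: generate a BIND response-policy (RPZ) zone blocking whole TLDs.
# The zone's apex is assumed to be "rpz.example" (configured in named.conf, not here),
# so a record "*.zip" here is the trigger "*.zip" (any name under .zip), while a bare "*"
# in a zone named "zip" would be the trigger "*" and block everything.
# Usage: gen_rpz_zone zip mov > /var/named/rpz.example.db
gen_rpz_zone() {
    printf '$TTL 300\n'
    # SOA/NS are required for a loadable zone; values are conventional for a local policy zone
    printf '@\tIN\tSOA\tlocalhost. root.localhost. ( 1 3600 900 604800 300 )\n'
    printf '@\tIN\tNS\tlocalhost.\n'
    for tld in "$@"; do
        # "CNAME ." is the RPZ action meaning: answer NXDOMAIN for this trigger
        printf '%s\tIN\tCNAME\t.\n' "$tld"      # the TLD label itself (e.g. "zip.")
        printf '*.%s\tIN\tCNAME\t.\n' "$tld"    # every name under it (e.g. "foo.zip.")
    done
}

# Corresponding named.conf fragment (assumed file name; compare the commented-out
# response-policy line in the question, which pointed at the data zone "zip" itself):
#   zone "rpz.example" IN { type master; file "rpz.example.db"; allow-query { localhost; }; };
#   response-policy { zone "rpz.example"; };

# Self-check: number of NXDOMAIN triggers emitted for the given TLDs (two per TLD)
count_triggers() {
    gen_rpz_zone "$@" | grep -c 'CNAME'
}
```

Before reloading, `named-checkzone rpz.example /var/named/rpz.example.db` and `named-checkconf` confirm the zone and configuration parse.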