BIND with RPZ acts weirdly if a subdomain is used alongside a wildcard
I'm unsure if I found a bug in BIND. I've set up a simple DNS server on Debian 12.
In *named.conf.options*:

```
zone "rpz-test" {
    type master;
    file "/etc/bind/rpz-test.zone";
    check-names ignore;
};
```

In *rpz-test.zone*:

```
;RPZ
$TTL 604800
@       IN      SOA     rpz.zone. rpz.zone. (
                        2       ; serial
                        604800  ; refresh
                        86400   ; retry
                        2419200 ; expire
                        604800  ; minimum
                        )
        IN      NS      localhost.
; wildcard: rewrite every name under .com
*.com           A       127.0.0.1
; explicit entry for a single subdomain
sub.domain.com  A       127.0.0.1
```
Now... If I use dig to check the configuration once bind9 is started...
This is what happens:
**dig whatever.com @localhost -p 53**
-> replies 127.0.0.1
**dig sub.domain.com @localhost -p 53**
-> replies 127.0.0.1
**dig domain.com @localhost -p 53**
-> breaks the wildcard and is resolved
Practically, if there's a subdomain of a domain declared, the main domain is resolved externally!
Very weird, wasn't the wildcard able to overcome the subsequent declarations?
Probably the problem is in my configuration, and I'm not sure if it is a bug; however, the versions I'm using are:
debian 12.2
bind 9.18.19~deb12u1
Asked by user3450548
(3094 rep)
Nov 1, 2023, 08:14 PM
Last activity: Nov 2, 2023, 12:21 AM
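The three `dig` results in the question can be reproduced with a small model of standard DNS wildcard matching (RFC 4592). This is an added example, not part of the original post and not BIND's code; it assumes RPZ QNAME triggers are looked up like records in an ordinary zone, and the names `lookup`, `nodes` and the `FIXED` zone are hypothetical.

```python
# Owner names relative to the RPZ origin, copied from the zone in the question.
ZONE = {"*.com": "127.0.0.1", "sub.domain.com": "127.0.0.1"}
# Constructed variant: the parent and its own wildcard are listed explicitly.
FIXED = dict(ZONE, **{"domain.com": "127.0.0.1", "*.domain.com": "127.0.0.1"})


def labels(name):
    return name.rstrip(".").lower().split(".")


def nodes(zone):
    """All names that exist in the zone tree, including empty non-terminals."""
    found = set()
    for owner in zone:
        parts = labels(owner)
        for i in range(len(parts)):
            found.add(".".join(parts[i:]))
    return found


def lookup(qname, zone):
    """Return (reason, rewritten address or None when the query is not rewritten)."""
    parts = labels(qname)
    name = ".".join(parts)
    tree = nodes(zone)
    if name in zone:
        return ("exact", zone[name])
    if name in tree:
        # The name exists only as the parent of another record: no data, and
        # a wildcard is never synthesized for a name that exists.
        return ("empty non-terminal", None)
    # Closest encloser: the longest ancestor that exists in the tree ("" = origin).
    for i in range(1, len(parts) + 1):
        encloser = ".".join(parts[i:])
        if encloser in tree or encloser == "":
            wildcard = "*." + encloser if encloser else "*"
            if wildcard in zone:
                return ("wildcard " + wildcard, zone[wildcard])
            return ("no wildcard below closest encloser", None)


if __name__ == "__main__":
    for q in ("whatever.com", "sub.domain.com", "domain.com", "other.domain.com"):
        print(q, lookup(q, ZONE), lookup(q, FIXED))
```

In this model, adding `sub.domain.com` makes `domain.com` exist as an empty non-terminal, so `*.com` no longer covers `domain.com` or anything else beneath it; the `FIXED` zone closes that gap by listing both `domain.com` and `*.domain.com`.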