diff --git a/bin/named/query.c b/bin/named/query.c
index 8444ca0af9..5259232152 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -6085,6 +6085,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 	isc_boolean_t resuming;
 	int line = -1;
 	isc_boolean_t dns64_exclude, dns64;
+	isc_boolean_t nxrewrite = ISC_FALSE;
 	dns_clientinfomethods_t cm;
 	dns_clientinfo_t ci;
 
@@ -6590,29 +6591,13 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 						rpz_st->p_name);
 				goto cleanup;
 			case DNS_RPZ_POLICY_NXDOMAIN:
-				client->message->rcode = dns_rcode_nxdomain;
-				/*
-				 * Don't fall through as it will add a SOA
-				 * for the black list zone which breaks
-				 * sanity checking of result by nameservers.
-				 */
-				client->message->rcode = dns_rcode_nxdomain;
-				rpz_log_rewrite(client, ISC_FALSE,
-						rpz_st->m.policy,
-						rpz_st->m.type, zone,
-						rpz_st->p_name);
-				goto cleanup;
+				result = DNS_R_NXDOMAIN;
+				nxrewrite = ISC_TRUE;
+				break;
 			case DNS_RPZ_POLICY_NODATA:
-				/*
-				 * Don't fall through as it will add a SOA
-				 * for the black list zone which breaks
-				 * sanity checking of result by nameservers.
-				 */
-				rpz_log_rewrite(client, ISC_FALSE,
-						rpz_st->m.policy,
-						rpz_st->m.type, zone,
-						rpz_st->p_name);
-				goto cleanup;
+				result = DNS_R_NXRRSET;
+				nxrewrite = ISC_TRUE;
+				break;
 			case DNS_RPZ_POLICY_RECORD:
 				result = rpz_st->m.result;
 				if (qtype == dns_rdatatype_any &&
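Review bot: The NXDOMAIN and NODATA cases of the RPZ policy switch no longer call rpz_log_rewrite() before leaving the switch; unless the shared path after the switch (outside this hunk) logs the rewrite, these policy hits drop out of the rewrite log that operators use to audit what RPZ did to a client's answer, and the rpz/tests.sh change lowering the expected ckstats count from 23 to 22 suggests at least one hit is indeed no longer recorded. Separately, `nxrewrite` is declared once for the whole of query_find (hunk at -6085) and is set here but never cleared; if query_find re-enters its lookup path after a restart with the flag still true, the SOA suppression in the hunks at -7155 and -7202 would also apply to a later, non-RPZ NXDOMAIN or NXRRSET answer. Consider resetting it alongside the other per-lookup state, e.g. `nxrewrite = ISC_FALSE;` where the lookup restarts, or clearing it once the rewrite has been consumed. query_find begins and ends outside this hunk.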
@@ -7155,15 +7140,21 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			 */
 			query_releasename(client, &fname);
 		}
+
 		/*
-		 * Add SOA.
+		 * Add SOA if NXRRSET was not generated by RPZ rewrite
 		 */
-		result = query_addsoa(client, db, version, ISC_UINT32_MAX,
-				      dns_rdataset_isassociated(rdataset));
-		if (result != ISC_R_SUCCESS) {
-			QUERY_ERROR(result);
-			goto cleanup;
+		if (!nxrewrite) {
+			isc_boolean_t associated =
+				dns_rdataset_isassociated(rdataset);
+			result = query_addsoa(client, db, version,
+					      ISC_UINT32_MAX, associated);
+			if (result != ISC_R_SUCCESS) {
+				QUERY_ERROR(result);
+				goto cleanup;
+			}
 		}
+
 		/*
 		 * Add NSEC record if we found one.
 		 */
@@ -7202,17 +7193,18 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		}
 
 		/*
-		 * Add SOA. If the query was for a SOA record force the
+		 * Add SOA if NXDOMAIN was not generated by RPZ rewrite.
+		 *
+		 * If the query was for a SOA record force the
 		 * ttl to zero so that it is possible for clients to find
 		 * the containing zone of an arbitrary name with a stub
 		 * resolver and not have it cached.
 		 */
-		if (qtype == dns_rdatatype_soa &&
-		    zone != NULL &&
-		    dns_zone_getzeronosoattl(zone))
+		if (!nxrewrite && qtype == dns_rdatatype_soa &&
+		    zone != NULL && dns_zone_getzeronosoattl(zone))
 			result = query_addsoa(client, db, version, 0,
 					      dns_rdataset_isassociated(rdataset));
-		else
+		else if (!nxrewrite)
 			result = query_addsoa(client, db, version,
 					      ISC_UINT32_MAX,
 					      dns_rdataset_isassociated(rdataset));
diff --git a/bin/tests/system/dns64/tests.sh b/bin/tests/system/dns64/tests.sh
index fd90cb4d91..51907a765e 100644
--- a/bin/tests/system/dns64/tests.sh
+++ b/bin/tests/system/dns64/tests.sh
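Review bot: In the NXDOMAIN SOA block (hunk at -7202), when `nxrewrite` is set neither the `if` nor the `else if` branch assigns `result`, so it keeps whatever the lookup left in it, which on the RPZ path would be the DNS_R_NXDOMAIN stored by the policy switch unless something in between changed it; if the code following the hunk still checks `result != ISC_R_SUCCESS` the way the replaced code in the -7155 hunk did, the rewrite would be reported as a query error instead of a clean NXDOMAIN. The -7155 hunk avoids this by keeping the error check inside `if (!nxrewrite)`; here the same shape, or an explicit `else result = ISC_R_SUCCESS;` after the `else if`, would make the intended outcome explicit rather than dependent on the value carried over. The enclosing switch case continues past the end of the hunk, so whether such a check exists cannot be confirmed from here.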
@@ -1282,6 +1282,7 @@ do
 done
 
 echo "I: checking dns64-server and dns64-contact ($n)"
+ret=0
 $DIG $DIGOPTS soa 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.a.a.a.1.0.0.2.ip6.arpa @10.53.0.2 > dig.out.ns2.test$n || ret=1
 grep "SOA.dns64.example.net..hostmaster.example.net." dig.out.ns2.test$n > /dev/null || ret=1
 n=`expr $n + 1`
@@ -1289,6 +1290,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
 echo "I: checking TTL less than 600 from zone ($n)"
+ret=0
 #expect 500
 $DIG $DIGOPTS aaaa ttl-less-than-600.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep -i "ttl-less-than-600.example..500.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
@@ -1297,6 +1299,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
 echo "I: checking TTL more than 600 from zone ($n)"
+ret=0
 #expect 700
 $DIG $DIGOPTS aaaa ttl-more-than-600.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep -i "ttl-more-than-600.example..700.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
@@ -1305,6 +1308,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
 echo "I: checking TTL less than minimum from zone ($n)"
+ret=0
 #expect 1100
 $DIG $DIGOPTS aaaa ttl-less-than-minimum.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep -i "ttl-less-than-minimum.example..1100.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
@@ -1313,6 +1317,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
 echo "I: checking TTL limited to minimum from zone ($n)"
+ret=0
 #expect 1200
 $DIG $DIGOPTS aaaa ttl-more-than-minimum.example +rec @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep -i "ttl-more-than-minimum.example..1200.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
@@ -1321,6 +1326,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
 echo "I: checking TTL less than 600 via cache ($n)"
+ret=0
 #expect 500
 $DIG $DIGOPTS aaaa ttl-less-than-600.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns1.test$n || ret=1
 grep -i "ttl-less-than-600.example..500.IN.AAAA" dig.out.ns1.test$n >/dev/null || ret=1
@@ -1329,6 +1335,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
 echo "I: checking TTL more than 600 via cache ($n)"
+ret=0
 #expect 700
 $DIG $DIGOPTS aaaa ttl-more-than-600.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
 grep -i "ttl-more-than-600.example..700.IN.AAAA" dig.out.ns2.test$n >/dev/null || ret=1
@@ -1337,6 +1344,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
 echo "I: checking TTL less than minimum via cache ($n)"
+ret=0
 #expect 1100
 $DIG $DIGOPTS aaaa ttl-less-than-minimum.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
 grep -i "ttl-less-than-minimum.example..1100.IN.AAAA" dig.out.ns2.test$n >/dev/null || ret=1
@@ -1345,6 +1353,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
 echo "I: checking TTL limited to minimum via cache ($n)"
+ret=0
 #expect 1200
 $DIG $DIGOPTS aaaa ttl-more-than-minimum.example +rec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
 grep -i "ttl-more-than-minimum.example..1200.IN.AAAA" dig.out.ns2.test$n >/dev/null || ret=1
@@ -1353,6 +1362,7 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
 echo "I: checking synthesis of AAAA from RPZ-remapped A ($n)"
+ret=0
 $DIG $DIGOPTS aaaa rpz.example +rec -b 10.53.0.7 @10.53.0.2 > dig.out.ns2.test$n || ret=1
 grep -i 'rpz.example.*IN.AAAA.2001:96::a0a:a0a' dig.out.ns2.test$n >/dev/null || ret=1
 n=`expr $n + 1`
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
index f76f48755f..0a614e64cb 100644
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@@ -360,7 +360,7 @@ nxdomain a0-1s-cname.tld2s +dnssec @$ns6 # 19 drop a3-8.tld2 any @$ns6 # 20 drop end_group -ckstats $ns3 test1 ns3 23 +ckstats $ns3 test1 ns3 22 ckstats $ns5 test1 ns5 0 ckstats $ns6 test1 ns6 0