tags from tagged rpz zones are no longer honored after upgrade from 1.19.3 to 1.20.0 #1079

@jbfamyaCfC

Describe the bug
After upgrading from 1.19.3 to 1.20.0, tagged rpz zones are always used.

To reproduce
Steps to reproduce the behavior:

  1. Start unbound with unbound.conf.txt
  2. Add the following entry to rpz.test.intern:
    archive.ubuntu.com.rpz.test.intern. 300 IN CNAME install.intern.
  3. Query ::1 and 127.0.0.1, both return rpz modified data.

Expected behavior
dig @127.0.0.1 archive.ubuntu.com +nocomment shouldn't return rpz modified data but it does.
With unbound 1.19.3:

dig @127.0.0.1 archive.ubuntu.com +nocomment

; <<>> DiG 9.11.36-RedHat-9.11.36-11.el8_9.1 <<>> @127.0.0.1 archive.ubuntu.com +nocomment
; (1 server found)
;; global options: +cmd
;archive.ubuntu.com. IN A
archive.ubuntu.com. 17 IN A 91.189.91.81
archive.ubuntu.com. 17 IN A 91.189.91.82
archive.ubuntu.com. 17 IN A 185.125.190.39
archive.ubuntu.com. 17 IN A 185.125.190.36
archive.ubuntu.com. 17 IN A 91.189.91.83
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 30 09:56:59 CEST 2024
;; MSG SIZE rcvd: 127

However with unbound 1.20.0 the following answer is returned:

dig @127.0.0.1 archive.ubuntu.com +nocomment

; <<>> DiG 9.11.36-RedHat-9.11.36-14.el8_10 <<>> @127.0.0.1 archive.ubuntu.com +nocomment
; (1 server found)
;; global options: +cmd
;archive.ubuntu.com. IN A
archive.ubuntu.com. 300 IN CNAME install.intern.
install.intern. 60 IN A 192.0.2.2
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 30 09:59:12 CEST 2024
;; MSG SIZE rcvd: 97

System:

  • Unbound version: 1.20.0
  • OS: Almalinux 8.10
  • Version 1.20.0

Configure line: --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --with-pythonmodule --with-pyunbound PYTHON=/usr/libexec/platform-python --with-libevent --with-pthreads --with-ssl --disable-rpath --disable-static --enable-relro-now --enable-pie --enable-subnet --enable-ipsecmod --with-conf-file=/etc/unbound/unbound.conf --with-pidfile=/var/run/unbound/unbound.pid --enable-sha2 --disable-gost --enable-ecdsa --enable-dnstap --with-rootkey-file=/var/lib/unbound/root.key
Linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL 1.1.1k FIPS 25 Mar 2021
Linked modules: dns64 python ipsecmod subnetcache respip validator iterator

BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues

Additional information
The same happens if using access-control-tags.
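
A check that automates the comparison in this report, as an added example (not code from the reporter or the Unbound project): it parses `dig +nocomment` output and flags listeners whose answer contradicts the expected tag scoping of the RPZ zone. It assumes ::1 is the tagged listener and 127.0.0.1 is untagged, which the attached configuration (not shown on this page) would have to confirm; the function names are hypothetical.

```python
# Added example: answer lines copied from the report's two dig runs against 127.0.0.1.
DIG_1_19_3 = """\
;archive.ubuntu.com. IN A
archive.ubuntu.com. 17 IN A 91.189.91.81
archive.ubuntu.com. 17 IN A 91.189.91.82
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""
DIG_1_20_0 = """\
;archive.ubuntu.com. IN A
archive.ubuntu.com. 300 IN CNAME install.intern.
install.intern. 60 IN A 192.0.2.2
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""
POLICY_TARGET = "install.intern."  # CNAME target of the RPZ record in step 2


def parse_dig_answers(text):
    """Return (owner, ttl, rtype, rdata) tuples from `dig +nocomment` output."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # banner, question and statistics lines
        fields = line.split(None, 4)
        if len(fields) != 5 or not fields[1].isdigit() or fields[2] != "IN":
            continue  # not a resource record
        owner, ttl, _cls, rtype, rdata = fields
        records.append((owner.lower(), int(ttl), rtype.upper(), rdata))
    return records


def rpz_applied(text, qname, policy_target=POLICY_TARGET):
    """True when qname is answered with a CNAME to the RPZ policy target."""
    qname = qname.lower().rstrip(".") + "."
    return any(owner == qname and rtype == "CNAME" and rdata.lower() == policy_target
               for owner, _ttl, rtype, rdata in parse_dig_answers(text))


def tag_violations(outputs, qname, expect_rpz):
    """outputs: {listener: dig text}; expect_rpz: {listener: bool}.
    Returns the listeners whose answer contradicts the expected tag scoping."""
    return sorted(listener for listener, text in outputs.items()
                  if rpz_applied(text, qname) != expect_rpz[listener])


if __name__ == "__main__":
    # Assumption: ::1 is the tagged listener and 127.0.0.1 is not.
    expect = {"127.0.0.1": False, "::1": True}
    seen = {"127.0.0.1": DIG_1_20_0, "::1": DIG_1_20_0}  # ::1 text reused, per step 3
    print(tag_violations(seen, "archive.ubuntu.com", expect))
```
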