Our DNS RPZ blocks are implemented by replacing the original DNS response with a pointer to this web server. The DNS protocol extension for security, DNSSEC, is designed to detect and suppress this kind of data modification.
A domain may be protected by DNSSEC regardless of whether the information served from that domain is legitimate or malicious. So it may be necessary for us to block a domain that is protected by DNSSEC.
In many cases, clients of our default resolvers do not perform DNSSEC validation. These clients will be redirected to this web server, just as they would be for a blocked domain that is not protected by DNSSEC.
If a client of our default resolvers does perform DNSSEC validation, and it tries to resolve a blocked domain that is protected by DNSSEC, then instead of being redirected to this web server, there will be a DNS resolution failure.
The block still blocks, but does so in a less friendly manner.
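The four outcomes described above, as an added model (not part of this page or of our resolver software): a resolver applies an RPZ rule by swapping the answer for the block web server's address, but it cannot produce a valid signature for the rewritten data because it does not hold the zone's signing key. A non-validating client accepts the rewrite for both signed and unsigned zones; a validating client accepts it only for the unsigned zone and gets a resolution failure for the signed one. Keyed hashes stand in for DNSKEY/RRSIG, and the zone names and RFC 5737 addresses are constructed for the example.

```python
"""Model of an RPZ rewrite meeting DNSSEC validation (added example).
Keyed hashes stand in for DNSKEY/RRSIG; zone names and addresses are
constructed for this example."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

BLOCK_PAGE_IP = "192.0.2.10"   # the block web server (constructed address)
SERVFAIL = None                # models a DNS resolution failure


@dataclass
class Response:
    qname: str
    rdata: Optional[str]
    rrsig: Optional[bytes]     # None: no signature in the answer
    rewritten: bool = False


class Zone:
    """Authoritative zone. `key` plays the role of the zone's signing key;
    a validator can check signatures, but the resolver applying RPZ has no
    way to produce a valid one for data it made up."""

    def __init__(self, name: str, records: dict[str, str], dnssec: bool):
        self.name = name
        self.records = records
        self.key = hashlib.sha256(f"zsk-{name}".encode()).digest() if dnssec else None

    def sign(self, qname: str, rdata: str) -> Optional[bytes]:
        if self.key is None:
            return None
        msg = f"{qname} A {rdata}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def answer(self, qname: str) -> Response:
        rdata = self.records[qname]
        return Response(qname, rdata, self.sign(qname, rdata))

    def verify(self, resp: Response) -> bool:
        """Validator check: the RRSIG must cover the data actually returned."""
        if self.key is None or resp.rrsig is None or resp.rdata is None:
            return False
        expected = self.sign(resp.qname, resp.rdata)
        return hmac.compare_digest(resp.rrsig, expected)


class RpzResolver:
    """Recursive resolver with a response-policy zone."""

    def __init__(self, zones: dict[str, Zone], blocked: set[str]):
        self.zones = zones      # qname -> owning zone
        self.blocked = blocked  # RPZ: names redirected to the block page

    def resolve(self, qname: str) -> Response:
        resp = self.zones[qname].answer(qname)
        if qname in self.blocked:
            # Swap the answer for a pointer to the block web server. The
            # original RRSIG (if any) no longer matches the returned data.
            return Response(qname, BLOCK_PAGE_IP, resp.rrsig, rewritten=True)
        return resp


def non_validating_lookup(resolver: RpzResolver, qname: str) -> Optional[str]:
    """A client that does no DNSSEC validation accepts the rewrite as-is."""
    return resolver.resolve(qname).rdata


def validating_lookup(resolver: RpzResolver, qname: str) -> Optional[str]:
    """A validating client: unsigned zones are accepted as insecure; answers
    from signed zones must validate, otherwise the lookup fails (SERVFAIL)."""
    resp = resolver.resolve(qname)
    zone = resolver.zones[qname]
    if zone.key is None:
        return resp.rdata
    return resp.rdata if zone.verify(resp) else SERVFAIL


def build_lab() -> RpzResolver:
    """Constructed zones: one signed, one unsigned; each has a blocked name."""
    signed = Zone("signed.example", {"bad.signed.example": "198.51.100.7",
                                     "ok.signed.example": "198.51.100.8"}, dnssec=True)
    plain = Zone("plain.example", {"bad.plain.example": "203.0.113.9"}, dnssec=False)
    zones = {q: z for z in (signed, plain) for q in z.records}
    return RpzResolver(zones, blocked={"bad.signed.example", "bad.plain.example"})


def outcomes() -> dict[str, Optional[str]]:
    """What each kind of client sees for blocked and unblocked names."""
    r = build_lab()
    return {
        "plain, non-validating": non_validating_lookup(r, "bad.plain.example"),
        "plain, validating": validating_lookup(r, "bad.plain.example"),
        "signed, non-validating": non_validating_lookup(r, "bad.signed.example"),
        "signed, validating": validating_lookup(r, "bad.signed.example"),
        "signed, not blocked, validating": validating_lookup(r, "ok.signed.example"),
    }


if __name__ == "__main__":
    for case, result in outcomes().items():
        print(f"{case:35} -> {result or 'SERVFAIL'}")
```

Running the block prints the block page address for every case except "signed, validating", which prints SERVFAIL: the block still holds, but the validating client never reaches this web server.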
