
[FR] Specify if the order of entries in an RPZ file matters

Open zacknewman opened this issue 1 year ago • 0 comments

Current behavior
unbound.conf(5) does not state whether the order of the entries in a Response Policy Zone (RPZ) file matters. Although the Response Policy Zone Options section states that "RPZ clauses are applied in order of configuration", it would be nice to know whether the order of entries within a given file is also adhered to.

Describe the desired feature
Explicitly state whether the order of RPZ file entries matters.

Potential use-case
I am using unbound as both a recursive resolver and an "ad blocker". When there is a wildcard entry that corresponds to one RPZ action (e.g., CNAME .), one may want to perform a different action on specific subdomains (e.g., CNAME rpz-passthru.). As an explicit example, what is the outcome of a DNS query for www.example.com based on an RPZ file that looks like the one below?

$ORIGIN example.
www.example.com CNAME rpz-passthru.
*.example.com CNAME .

If the order of entries matters, then the query will be resolved normally; however, if the order of entries does not matter, then sometimes the response will be NXDOMAIN and other times it will be resolved normally. It would be nice to know either way.

Based on a very small sample size, it appears that the order does matter, but that can be a fluke, so I would like to know for certain whether one can actually rely on that always being the case.

zacknewman, Sep 11 '23 19:09
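The two readings the report lays out can be made concrete with a small model. The following Python is an added example for this issue; it is not unbound's code and does not claim to reproduce what unbound actually does. It parses the RPZ fragment from the report (with the zone apex assumed to be `example.`, matching the `$ORIGIN`, since RPZ owner names are `<trigger>.<apex>`) and then evaluates `www.example.com` under two candidate semantics: "file order", where the first entry whose trigger matches wins, and "zone lookup", where an exact owner name beats a wildcard the way RFC 4592 wildcard rules work in ordinary zone data, which makes the result independent of entry order. The helper names are this example's own, and the model deliberately ignores empty-non-terminal blocking of wildcards.

```python
"""Model RPZ QNAME-trigger matching under two candidate semantics.

Added example for this issue, not unbound's implementation.  Semantics modelled:
  1. file order  - first entry in the file whose trigger matches wins.
  2. zone lookup - exact owner-name match beats a wildcard (RFC 4592 style),
                   so the order of entries in the file is irrelevant.
"""

# The RPZ fragment from the report, embedded here as a constructed string.
RPZ_ZONE = """\
$ORIGIN example.
www.example.com CNAME rpz-passthru.
*.example.com CNAME .
"""

# Assumption: the rpz: clause's "name:" in unbound.conf equals $ORIGIN.
APEX = "example."

# How the two RPZ actions used in the report affect the client's answer.
OUTCOMES = {"rpz-passthru.": "resolved normally (passthru)", ".": "NXDOMAIN"}


def parse_rpz(text, apex):
    """Return [(trigger, action)] in file order for CNAME policy records.

    Relative owner names are qualified with $ORIGIN, then the zone apex is
    stripped to recover the trigger (RPZ owner names are <trigger>.<apex>).
    """
    origin = None
    entries = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            if not origin.endswith("."):
                origin += "."
            continue
        owner, rtype, rdata = line.split()[:3]  # TTL/class not modelled
        if not owner.endswith("."):
            if origin is None:
                raise ValueError("relative owner name before $ORIGIN")
            owner = owner + "." + origin
        if rtype.upper() != "CNAME":
            continue
        suffix = "." + apex
        if not owner.endswith(suffix):
            raise ValueError(f"{owner} lies outside the RPZ apex {apex}")
        entries.append((owner[: -len(suffix)].lower(), rdata.lower()))
    return entries


def trigger_matches(trigger, qname):
    """Exact match, or wildcard match for any name strictly below its parent."""
    if trigger.startswith("*."):
        parent = trigger[2:]
        return qname != parent and qname.endswith("." + parent)
    return qname == trigger


def match_file_order(entries, qname):
    """Semantics 1: first matching entry in file order wins."""
    for trigger, action in entries:
        if trigger_matches(trigger, qname):
            return action
    return None


def match_zone_lookup(entries, qname):
    """Semantics 2: exact owner name wins, else the closest-enclosing wildcard."""
    exact = [a for t, a in entries if not t.startswith("*.") and t == qname]
    if exact:
        return exact[0]
    wild = [(t, a) for t, a in entries
            if t.startswith("*.") and trigger_matches(t, qname)]
    if not wild:
        return None
    wild.sort(key=lambda ta: len(ta[0]), reverse=True)  # longest parent first
    return wild[0][1]


def outcome(action):
    """Describe the client-visible result of an action (None = no policy hit)."""
    if action is None:
        return "no RPZ match"
    return OUTCOMES.get(action, f"rewritten to {action}")


if __name__ == "__main__":
    entries = parse_rpz(RPZ_ZONE, APEX)
    for label, order in (("as written", entries), ("reversed", entries[::-1])):
        print(f"{label:10} file-order : {outcome(match_file_order(order, 'www.example.com'))}")
        print(f"{label:10} zone-lookup: {outcome(match_zone_lookup(order, 'www.example.com'))}")
```

Running it shows the contrast the report is asking about: under file-order semantics the answer for www.example.com flips between passthru and NXDOMAIN when the two lines are swapped, whereas under zone-lookup semantics the exact `www.example.com` entry wins in both orders and only names such as `mail.example.com` fall through to the wildcard.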