BIND, RPZ and Forwarding priorities

This can be accomplished with qname-wait-recurse. Here is the documentation from the BIND 9.10 ARM regarding the usage of this feature:

No DNS records are needed for a QNAME or Client-IP trigger. The name or IP address itself is sufficient, so in principle the query name need not be recursively resolved. However, not resolving the requested name can leak the fact that response policy rewriting is in use and that the name is listed in a policy zone to operators of servers for listed names. To prevent that information leak, by default any recursion needed for a request is done before any policy triggers are considered. Because listed domains often have slow authoritative servers, this default behavior can cost significant time. The qname-wait-recurse no option overrides that default behavior when recursion cannot change a non-error response. The option does not affect QNAME or client-IP triggers in policy zones listed after other zones containing IP, NSIP and NSDNAME triggers, because those may depend on the A, AAAA, and NS records that would be found during recursive resolution. It also does not affect DNSSEC requests (DO=1) unless break-dnssec yes is in use, because the response would depend on whether or not RRSIG records were found during resolution. Using this option can cause error responses such as SERVFAIL to appear to be rewritten, since no recursion is being done to discover problems at the authoritative server.

The syntax for enabling this feature is a little obscure. Instead of putting it in the global options {}; block, it needs to appear before the trailing semicolon in your response-policy {}; definition.

[ response-policy {
    zone zone_name
    [ policy (given | disabled | passthru | drop |
              nxdomain | nodata | cname domain) ]
    [ recursive-only yes_or_no ]
    [ max-policy-ttl number ]
    ; [...]
} [ recursive-only yes_or_no ]
  [ max-policy-ttl number ]
  [ break-dnssec yes_or_no ]
  [ min-ns-dots number ]
  [ qname-wait-recurse yes_or_no ]
  [ automatic-interface-scan yes_or_no ]
; ]

Before:

response-policy { zone "rpz"; };

After:

response-policy { zone "rpz"; } qname-wait-recurse no;