I have a RPZ configuration with positive answers. I redirect RPZ hits to a landing page. I also wanted the DNS response to be verbose (SOA in additional section) so that in case I forget about it, a DNS lookup makes it obvious what's going on. This page https://knot-resolver.readthedocs.io/en/stable/modules.html?highlight=genRR#query-policies helped me coming up with the following solution:

-- RPZ
-- custom response
local function mkauth_soa(answer, dname, mname)
    if mname == nil then
        mname = dname
    end
    return answer:put(dname, 900, answer:qclass(), kres.type.SOA,
        mname .. '\6daniel\10stirnimann\5gmail\3com\0\0\0\0\0\0\0\14\16\0\0\3\132\0\9\58\128\0\0\3\132')
end
local ffi = require('ffi')
local function genRR (state, req)
        local answer = req.answer
        local qry = req:current()
        if qry.stype == kres.type.A then
                ffi.C.kr_pkt_make_auth_header(answer)
                answer:rcode(kres.rcode.NOERROR)
                answer:begin(kres.section.ANSWER)
                answer:put(qry.sname, 900, answer:qclass(), kres.type.A, '\192\168\2\1')
                answer:begin(kres.section.ADDITIONAL)
                mkauth_soa(answer, '\3rpz\3int\6seckle\2ch\0')
                return kres.DONE
        elseif qry.stype == kres.type.AAAA then
                ffi.C.kr_pkt_make_auth_header(answer)
                answer:rcode(kres.rcode.NOERROR)
                answer:begin(kres.section.ANSWER)
                answer:put(qry.sname, 900, answer:qclass(), kres.type.AAAA, '\042\002\001\104\064\036\0\0\0\0\0\0\0\0\0\1')
                answer:begin(kres.section.ADDITIONAL)
                mkauth_soa(answer, '\3rpz\3int\6seckle\2ch\0')
                return kres.DONE
    else
                return state
        end
end
-- rpz policy: respond with custom function genRR
policy.add(policy.rpz(genRR, '/etc/kresd/rpz.int.seckle.ch.zone'))

Daniel

---