
I have some hosts in a DMZ which need to use LDAP resources on the LAN. We don't forward DNS into the LAN, so instead of adding entries in individual /etc/hosts, I decided to try a Bind RPZ zone to handle DNS to keep all the workarounds in one place.

It seems to work for one host, oldserver.internal.org, but not the other, ldap.mydom.com. I should mention that ldap.mydom.com returns an internet-routable address from 8.8.8.8 (however, not usable for LDAP).

Why do I get SERVFAIL when querying ldap.mydom.com?

# nslookup ldap.mydom.com 192.168.1.4
Server:         192.168.1.4
Address:        192.168.1.4#53

** server can't find ldap.mydom.com: SERVFAIL


####### bind server #########

# /etc/bind/named.conf.options

...
   response-policy {
               zone "rpz";
   };
...


# /etc/bind/named.conf.local
...
      zone "rpz" in {
               type master;
               file "internal.rpz_zone.rpz";
      };
...
      zone "rpz" in {
               type master;
               file "external.rpz_zone.rpz";
      };
...



# /var/cache/bind/internal.rpz_zone.rpz
$TTL    300

@       IN SOA  myns1.mydom.com. (
            postmaster.mydom.com.   ; RNAME must be absolute (trailing dot), otherwise it is taken relative to the zone origin
            2016100805  ; serial
            1h          ; refresh
            15m         ; retry
            1w          ; expiry
            1h )        ; minimum

            IN NS myns1.mydom.com.
            IN NS myns2.mydom.com.


; we want internal DNS for this host
ldap.mydom.com            A        192.168.17.53
oldserver.internal.org    A        192.168.18.85

# /var/log/named.log
08-Oct-2018 09:52:18.550 queries: client 192.168.1.21#54254 (ldap.mydom.com): view internal: query: ldap.mydom.com IN A + (192.168.1.4)
Server Fault
  • When you get a SERVFAIL you often can see more details in the system log or something about the error. – Zoredache Oct 08 '18 at 18:54
  • All syslog shows is this (what looks related anyway). Is bind issuing SERVFAIL because egress is blocked?: `Oct 8 09:51:31 myns1 named[24905]: error (network unreachable) resolving 'ldap.mydom.com/A/IN': 200.200.200.100#53` – Server Fault Oct 08 '18 at 19:11

0 Answers
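An added configuration example, not taken from the question above, showing the two RPZ details to check when a QNAME trigger record exists but the resolver still answers SERVFAIL: by default BIND recurses for the original name before it applies the policy, so a resolver whose egress is blocked can fail that recursion first, and RPZ owner names must stay relative to the zone origin. It assumes BIND 9.10 or later (where `qname-wait-recurse` exists) and that the two `zone "rpz"` blocks sit in separate views, as the "view internal" in the log line suggests.

```conf
# /etc/bind/named.conf.options  (added example, assumes BIND >= 9.10)
options {
    # Default is "qname-wait-recurse yes": named resolves ldap.mydom.com
    # upstream first and only then applies the RPZ policy, so a failed
    # upstream lookup (e.g. "network unreachable") can surface as SERVFAIL.
    # "no" applies QNAME and CLIENT-IP triggers without waiting for recursion.
    response-policy {
        zone "rpz";
    } qname-wait-recurse no;
};

# /var/cache/bind/internal.rpz_zone.rpz  (added example)
$TTL 300
$ORIGIN rpz.
@   IN SOA myns1.mydom.com. postmaster.mydom.com. (
        2016100806  ; serial, bumped so the reload is picked up
        1h          ; refresh
        15m         ; retry
        1w          ; expiry
        1h )        ; minimum

    IN NS myns1.mydom.com.
    IN NS myns2.mydom.com.

; QNAME triggers: owner names are written WITHOUT a trailing dot so they
; become ldap.mydom.com.rpz. under the policy zone. An absolute
; "ldap.mydom.com." would be out-of-zone data and is rejected on load.
ldap.mydom.com          IN A    192.168.17.53
oldserver.internal.org  IN A    192.168.18.85
```

Validate with `named-checkconf -z` and `named-checkzone rpz /var/cache/bind/internal.rpz_zone.rpz` before `rndc reload`; a `named` older than 9.10 rejects the `qname-wait-recurse` keyword at that step.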