Bind9 allow zones only as part of recursive resolution

In my cloud environment, I have a bind9 server functioning as a proxy for all outgoing DNS queries generated in the environment. I'm currently trying to configure Bind to perform the following filtering as part of its name resolution flow -

1. Allow recursive resolution for some zones (let's say, aws.com and gcp.com)
2. Do not allow queries to any other zones, including those holding the CNAMEs for the previously mentioned domains (for example, if A.aws.com has a CNAME to custom.service.digitalocean.com, allow the recursive resolution but do not allow any client requests to *.service.digitalocean.com

As far as I could understand, the way to do this is by using RPZs (probably allowing a zone with the recursive-only flag, and denying all other resolutions to the same zone). However, I could not get a working configuration or find any samples.

EDIT: I have not managed to make RPZs work on forwarded zones (it seems to work on master/slave zones only).

Any ideas? Alternative ways to achieve the same functionality (without RPZs) are equally acceptable for me...

This is not how it's working.

Recursion is usually allowed on a per-view basis, which, in turn, matches specific clients. Recursion is a process of final and complete resolution of the DNS name into the IP address, and it's named recursion because the same process happens for all of the levels composing the name (for instance, foo.bar name would have 3 steps to resolve the name: one for trailing TLD ., which I did omit, one for bar part and one for foo part).

You also seem to confuse a recursive resolver with an authoritative NS. The latter serves specific DNS zones, and, in order to work properly, it should serve these zones for all the outer world (let's leave the case when you make your NS mimic some zones that it's not authoritative for). DNS server instance can comprise both of these entities for sure, but their functionality quite differs. So when your NS hosts/serves some DNS zones, it actually doesn't care whether the incoming request is recursive or not. Final part: when your authoritative NS answers with a CNAME-RR (resource record) pointing to another zone for someone, indicating there's no A-RR for the requested host, it's the requester burden to resolve it further: when you're CNAME'ing something you actually aren't obliged with anything concerning the target zone records. For instance: foo.bar is a CNAME that points to fou.baar. Now it's the requester's resolver burden to resolve the fou.baar for it's client in the appropriate zone, starting the recusion from the very beginning, and not your NS.

So, in the end, what you asking for is out-of-the-box logic that any known DNS server implementation will operate: serve only the zones that are allowed to be queried and do the recursion only for the clients (or keys, for instance) that are permitted to request the recursion.

This is simple to set up, but you may need another server, or just utilize a public resolver. I'll use an example of public resolver (cloudflare)

First, set up Forward Zones in your DNS server

Something like this in a bind config format

zone "somedomain.com" {
  type forward;
  forwarders { 1.1.1.1; };
};
zone "anotherdomain.org" {
  type forward;
  forwarders { 1.1.1.1; };
};

Second, block all other DNS queries by forwarding them to a black hole

Something like this at the top of your bind config

options {
        directory "/var/cache/bind";    
        recursion yes;    
        forwarders {
                192.168.255.254;
        };

What happens

• Queries for somedomain.com and anotherdomain.org will get forwarded to Cloudflare and get fully resolved upstream (including CNAME targets that may be other domains).

• Queries for any other domain will just get forwarded to an unresponsive server or IP, and will never resolve.