RPZ Was Re: providing CNAMEs for local data (fwd)

You can put as many RPZ as you want, but one might be enough [...]

The typical use of RPZ is as a ban hammer, although as you can see it has other uses. I presume unbound processes them in a defined order (BIND does); best practice is to have two, with the first being for Allow (also known as poking holes) and the second for Block (no need to be too fine grained).

allow and deny can be in a single rpz file.

Example: I’m retrieving (daily) the most abused top level domains, parsing them into an rpz file from https://www.spamhaus.org/statistics/tlds/.
Some domains I use however need to be allowed. Today's RPZ looks like this (and it works):

$TTL 30
@ SOA jpgpi250.github.io. hostmaster.jpgpi250.github.io. 2211241509 86400 1800 604800 30
NS localhost.
;

*.surf CNAME .
*.fit CNAME .
*.ml CNAME .
*.top CNAME .
*.cyou CNAME .
*.gq CNAME .
*.cn CNAME .
*.live CNAME .
*.ga CNAME .
*.cf CNAME .
neofusgate.samsung.com.cn CNAME rpz-passthru.
dcs-vod.mp.lura.live CNAME rpz-passthru.
drm.mp.lura.live CNAME rpz-passthru.

The unbound configuration looks like this:

rpz:
name: tld
zonefile: zonefiles/tld.zone
url: http://127.0.0.1/tld.rpz

No rpz-action-override here (exceptions - rpz-passthru)

rpz-action-override: nxdomain

rpz-signal-nxdomain-ra: yes
rpz-log: yes
rpz-log-name: tld
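As an added example (not the author's daily script, and not code from unbound or Spamhaus), the following Python module generates an RPZ zone of the shape shown in the mail from a list of TLDs to block and a list of names to allow, parses it back, and then answers, for a given query name, which action the zone's QNAME triggers would produce. The check uses ordinary DNS wildcard precedence: an exact owner such as drm.mp.lura.live beats *.live, and *.cn covers names under cn but not cn itself. It is meant for verifying the rpz-passthru exceptions before the zone is published to unbound. The function names, the reading of the serial as YYMMDDHHMM, and the query names used in the checks are assumptions.

```python
"""Build and sanity-check an RPZ zone of the shape shown in the mail.

Added example, not from the original mail, unbound or Spamhaus.
Assumptions (not on the page): the function names below, the YYMMDDHHMM
serial interpretation, and the sample query names used in the checks.
"""
from datetime import datetime

# Special RPZ CNAME targets and the action each one encodes.
RPZ_TARGET_ACTIONS = {
    ".": "NXDOMAIN",             # CNAME .          -> NXDOMAIN (the page's block entries)
    "*.": "NODATA",              # CNAME *.         -> NODATA
    "rpz-passthru.": "PASSTHRU", # CNAME rpz-passthru. -> exception, resolve normally
    "rpz-drop.": "DROP",
    "rpz-tcp-only.": "TCP-ONLY",
}


def build_rpz_zone(blocked_tlds, allowed_names, serial,
                   origin="jpgpi250.github.io.", ttl=30):
    """Return RPZ zone text: one wildcard NXDOMAIN entry per TLD, one
    rpz-passthru entry per allowed name (same layout as the mail)."""
    lines = [
        f"$TTL {ttl}",
        f"@ SOA {origin} hostmaster.{origin} {serial} 86400 1800 604800 {ttl}",
        "NS localhost.",
        ";",
        "",
    ]
    lines += [f"*.{tld.strip('.').lower()} CNAME ." for tld in blocked_tlds]
    # Exact-name passthru entries: an exact owner is more specific than a
    # wildcard, so these win over *.<tld> regardless of their position.
    lines += [f"{name.strip('.').lower()} CNAME rpz-passthru."
              for name in allowed_names]
    return "\n".join(lines) + "\n"


def serial_now(now=None):
    """YYMMDDHHMM serial (assumed interpretation of the page's 2211241509)."""
    return int((now or datetime.now()).strftime("%y%m%d%H%M"))


def parse_rpz_zone(text):
    """Parse 'owner CNAME target' lines into {owner: action}; skip $TTL/SOA/NS."""
    triggers = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop zone-file comments
        parts = line.split()
        if len(parts) == 3 and parts[1].upper() == "CNAME":
            target = parts[2].lower()
            # Any other target is a local-data rewrite to that CNAME.
            triggers[parts[0].lower()] = RPZ_TARGET_ACTIONS.get(target, f"CNAME {target}")
    return triggers


def rpz_qname_action(triggers, qname):
    """Simulate QNAME-trigger matching: exact owner first, then the wildcard
    with the longest matching suffix. '*.cn' matches names under cn only."""
    q = qname.strip(".").lower()
    if q in triggers:
        return triggers[q]
    labels = q.split(".")
    for i in range(1, len(labels)):           # most specific suffix first
        owner = "*." + ".".join(labels[i:])
        if owner in triggers:
            return triggers[owner]
    return None                               # no trigger: resolve normally


if __name__ == "__main__":
    zone = build_rpz_zone(
        ["surf", "fit", "ml", "top", "cyou", "gq", "cn", "live", "ga", "cf"],
        ["neofusgate.samsung.com.cn", "dcs-vod.mp.lura.live", "drm.mp.lura.live"],
        serial_now(),
    )
    print(zone)
    t = parse_rpz_zone(zone)
    for name in ("www.example.top", "drm.mp.lura.live", "other.lura.live", "example.com"):
        print(f"{name:28} -> {rpz_qname_action(t, name)}")
```

Running the module prints the generated zone and the action for a few constructed query names; the passthru names resolve normally while anything else under the listed TLDs gets NXDOMAIN.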