diff --git a/modules/policy/policy.lua b/modules/policy/policy.lua index e839f1abc3ab984e0a7e7e5d7812a02ece0134fc..070b2c08b6ba08702ca4bbf8c421addad849646a 100644 --- a/modules/policy/policy.lua +++ b/modules/policy/policy.lua @@ -445,7 +445,20 @@ local function rpz_parse(action, path) path, tonumber(parser.line_counter), kres.tostring.type[parser.r_type]) elseif is_bad == nil then if new_actions[name] == nil then new_actions[name] = {} end - new_actions[name][parser.r_type] = { ttl=parser.r_ttl, rdata=rdata } + local act = new_actions[name][parser.r_type] + if act == nil then + new_actions[name][parser.r_type] = { ttl=parser.r_ttl, rdata=rdata } + else -- mutiple RRs: no reordering or deduplication + if type(act.rdata) ~= 'table' then + act.rdata = { act.rdata } + end + table.insert(act.rdata, rdata) + if parser.r_ttl ~= act.ttl then -- be conservative + log('[poli] RPZ %s:%d warning: different TTLs in a set (minimum taken)', + path, tonumber(parser.line_counter)) + act.ttl = math.min(act.ttl, parser.r_ttl) + end + end else assert(is_bad == false and prefix_labels == 0) end diff --git a/modules/policy/policy.rpz.test.lua b/modules/policy/policy.rpz.test.lua index 761282fb6db75f194bd4703ccf234416cb30573e..047b27f5cd1fb069da3754a97413e03e40f41607 100644 --- a/modules/policy/policy.rpz.test.lua +++ b/modules/policy/policy.rpz.test.lua @@ -39,6 +39,9 @@ local function test_rpz() 'case.sensitive.', kres.type.A, kres.rcode.NOERROR, '192.168.8.8') check_answer('"A 192.168.8.8" and domain with uppercase and lowercase letters', 'CASe.SENSItivE.', kres.type.A, kres.rcode.NOERROR, '192.168.8.8') + check_answer('two AAAA records', + 'two.records.', kres.type.AAAA, kres.rcode.NOERROR, + {'2001:db8::2', '2001:db8::1'}) end net.ipv4 = false diff --git a/modules/policy/policy.test.rpz b/modules/policy/policy.test.rpz index 8c07efc2e1fb182f5f9c8e6aab3509c2a46b9137..80b7106f40170b44e2773e1ed62def6181d7c124 100644 --- a/modules/policy/policy.test.rpz 
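Review bot: The new `else` branch in rpz_parse appends every further record to `act.rdata` with no deduplication and no upper bound, and it logs the TTL warning once per mismatching record rather than once per set. If the RPZ file comes from a feed the operator does not fully control, one name with many or repeated records grows both the stored set and the log in proportion; consider skipping an `rdata` that is already in `act.rdata` and warning only the first time a set's TTL is lowered. The field now has two shapes, which deserves a comment such as `-- rdata: single value for one RR, list of values for several; readers must accept both`; the code that reads it is outside this hunk, so its handling of the list form cannot be confirmed here. The comment typo `mutiple` should read `multiple`. rpz_parse starts and ends outside the hunk.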
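Review bot: The added `two AAAA records` case covers only two distinct records with the same TTL, so the branch that logs the TTL warning and takes the minimum is never exercised, and neither is a repeated record. A fixture pair with explicit, different TTLs (constructed example: `ttl.records 300 AAAA 2001:db8::3` and `ttl.records 60 AAAA 2001:db8::4`), with a check on the answer TTL if check_answer can assert one, would pin that behaviour. The expected value is passed as a list here where the earlier calls pass a string; check_answer is defined outside this hunk, so whether it accepts a list and compares record order is assumed rather than shown. test_rpz starts outside the hunk.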
+++ b/modules/policy/policy.test.rpz @@ -13,3 +13,6 @@ rra-zonename-suffix A 192.168.6.6 testdomain.rra.testdomain. A 192.168.7.7 CaSe.SeNSiTiVe A 192.168.8.8 +two.records AAAA 2001:db8::2 +two.records AAAA 2001:db8::1 +