Answering my own question because I finally found out what my issue was, the zone file was owned by root:root and it must be root:named.

Pretty obvious but I never thought that could be the issue, because bind never complained about it. I only found it because I added another authoritative zone and it was giving me SERVFAIL result, I set correct permissions and it worked, then I did the same to the rpz zone file.

I hope that could be useful to other users.

Best regards.