diff --git a/doc/man/knot.conf.5in b/doc/man/knot.conf.5in
index 2584efb01ac78b7782ac0029b095d1f34b6b7e9b..df56ed6ff1b5bd3d12143e1cacf37fabca08e924 100644
--- a/doc/man/knot.conf.5in
+++ b/doc/man/knot.conf.5in
@@ -1484,7 +1484,7 @@ Specifies if NSEC3 will be used instead of NSEC.
 .sp
 A number of additional times the hashing is performed.
 .sp
-\fIDefault:\fP 10
+\fIDefault:\fP 0
 .SS nsec3\-opt\-out
 .sp
 If set, NSEC3 records won\(aqt be created for insecure delegations.
diff --git a/doc/reference.rst b/doc/reference.rst
index be1c86c11f2fbb15116df914c3ce7587063671d3..515981a8c3ff8080fe9b66a9cf29e262e25d335b 100644
--- a/doc/reference.rst
+++ b/doc/reference.rst
@@ -1613,7 +1613,7 @@ nsec3-iterations
 
 A number of additional times the hashing is performed.
 
-*Default:* 10
+*Default:* 0
 
 .. _policy_nsec3-opt-out:
 
diff --git a/src/knot/conf/schema.c b/src/knot/conf/schema.c
index 44eb9326d40e04241204428178cb5815f45eeb87..0bcd0840d75599bfb5c23f6cc624d7f48f6298f5 100644
--- a/src/knot/conf/schema.c
+++ b/src/knot/conf/schema.c
@@ -372,7 +372,7 @@ static const yp_item_t desc_policy[] = {
 	                                   CONF_IO_FRLD_ZONES },
 	{ C_REPRO_SIGNING,       YP_TBOOL, YP_VNONE, CONF_IO_FRLD_ZONES },
 	{ C_NSEC3,               YP_TBOOL, YP_VNONE, CONF_IO_FRLD_ZONES },
-	{ C_NSEC3_ITER,          YP_TINT,  YP_VINT = { 0, UINT16_MAX, 10 }, CONF_IO_FRLD_ZONES },
+	{ C_NSEC3_ITER,          YP_TINT,  YP_VINT = { 0, UINT16_MAX, 0 }, CONF_IO_FRLD_ZONES },
 	{ C_NSEC3_OPT_OUT,       YP_TBOOL, YP_VNONE, CONF_IO_FRLD_ZONES },
 	{ C_NSEC3_SALT_LEN,      YP_TINT,  YP_VINT = { 0, UINT8_MAX, 8 }, CONF_IO_FRLD_ZONES },
 	{ C_NSEC3_SALT_LIFETIME, YP_TINT,  YP_VINT = { -1, UINT32_MAX, DAYS(30), YP_STIME },
diff --git a/tests-extra/tests/dnssec/no_resign/test.py b/tests-extra/tests/dnssec/no_resign/test.py
index 6b2569182918ff1e218c7c831d8eed173168b9fe..e5b83ced51b9c6ace1bc94bd9cccc14fdbaad257 100644
--- a/tests-extra/tests/dnssec/no_resign/test.py
+++ b/tests-extra/tests/dnssec/no_resign/test.py
@@ -35,6 +35,7 @@ t.link(static_zone, master)
 master.dnssec(nsec_zone).alg = "rsasha1"
 master.dnssec(nsec3_zone).alg = "rsasha1"
 master.dnssec(nsec3_zone).nsec3 = True
+master.dnssec(nsec3_zone).nsec3_iters = 10
 master.dnssec(nsec3_zone).nsec3_salt_len = 0
 master.dnssec(static_zone).alg = "ecdsap256sha256"
 master.dnssec(nsec_zone).cds_publish = "rollover"
diff --git a/tests-extra/tools/dnstest/server.py b/tests-extra/tools/dnstest/server.py
index f506bbfc56cec915be41d7a25e0aa8cc2468cd47..7e692bbcace34eb1690707ad5af03040f0534f58 100644
--- a/tests-extra/tools/dnstest/server.py
+++ b/tests-extra/tools/dnstest/server.py
@@ -1091,7 +1091,7 @@ class Bind(Server):
                             outf.write(line)
                 #if z.dnssec.nsec3:
                     #n3flag =  1 if z.dnssec.nsec3_opt_out else 0
-                    #n3iters = z.dnssec.nsec3_iters or 10
+                    #n3iters = z.dnssec.nsec3_iters or 0
                     #outf.write("%s NSEC3PARAM 1 %d %d -\n" % (z.name, n3flag, n3iters)) # this does not work!
 
         super().start(clean)
@@ -1100,7 +1100,7 @@ class Bind(Server):
             z = self.zones[zname]
             if z.dnssec.nsec3:
                 n3flag =  1 if z.dnssec.nsec3_opt_out else 0
-                n3iters = z.dnssec.nsec3_iters or 10
+                n3iters = z.dnssec.nsec3_iters or 0
                 self.ctl("signing -nsec3param 1 %d %d - %s" % (n3flag, n3iters, z.name))
 
 class Knot(Server):